import ./make-test-python.nix (
  { pkgs, ... }:
  let
    # DNS zone the iodine tunnel is multiplexed under. The client is pointed at
    # the server node directly via `relay`, so the name never has to resolve
    # publicly inside the test network.
    tunnelDomain = "whatever.example.com";
    # Deliberately contains shell metacharacters: the secret must reach iodine
    # verbatim and never be interpreted by a shell along the way.
    tunnelPassword = "false;foo;exit;withspecialcharacters";
  in
  {
    name = "iodine";

    nodes = {
      server =
        { ... }:
        {
          # iodined answers DNS on UDP/53. Anything arriving over the tunnel
          # interface (dns0) is trusted, which is what exposes the SSH test
          # resource below to tunnel peers and to nothing else.
          networking.firewall.allowedUDPPorts = [ 53 ];
          networking.firewall.trustedInterfaces = [ "dns0" ];

          # Presumably so the server can route traffic for tunnel peers; the
          # test itself only talks to the server's own tunnel address.
          boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
          boot.kernel.sysctl."net.ipv6.ip_forward" = 1;

          services.iodine.server = {
            enable = true;
            domain = tunnelDomain;
            ip = "10.53.53.1/24";
            # NOTE(review): builtins.toFile drops the password into the
            # world-readable Nix store. Acceptable for a throwaway test VM,
            # never for a real deployment — use a secret outside the store.
            passwordFile = "${builtins.toFile "password" tunnelPassword}";
          };

          # Test resource: SSH is *not* opened in the firewall, so the check in
          # testScript can only succeed if it travels through the tunnel.
          services.openssh.enable = true;
          services.openssh.openFirewall = false;
        };

      client =
        { ... }:
        {
          services.iodine.clients.testClient = {
            relay = "server";
            server = tunnelDomain;
            # Kept under /root on purpose: this verifies the client unit runs
            # with ProtectHome set to "read-only" rather than fully blocking
            # home directories.
            passwordFile = "/root/pw";
          };

          # NOTE(review): mode 0666 leaves the password world-readable and
          # world-writable on the client VM. Fine for an isolated test; any
          # real deployment should restrict it to the service's user.
          systemd.tmpfiles.rules = [
            "f /root/pw 0666 root root - ${tunnelPassword}"
          ];

          # Supplies the check_ssh probe used by testScript.
          environment.systemPackages = [ pkgs.nagiosPluginsOfficial ];
        };
    };

    testScript = ''
      start_all()

      server.wait_for_unit("sshd")
      server.wait_for_unit("iodined")
      client.wait_for_unit("iodine-testClient")

      client.succeed("check_ssh -H 10.53.53.1")
    '';
  }
)