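# NixOS VM test: a WireGuard client whose peer endpoint is given as a
# *hostname* must periodically re-resolve it (dynamicEndpointRefreshSeconds)
# and re-establish the tunnel once the name starts resolving to a different
# address. The test drives this by cutting the client's VLAN 1 link and then
# repointing the name "server" at the server's VLAN 2 address via /etc/hosts.
import ../make-test-python.nix (
  {
    pkgs,
    lib,
    # Optional alternate kernel (e.g. to run the test against a non-default
    # kernelPackages set); null keeps the default.
    kernelPackages ? null,
    # Exercise the systemd-networkd backend of the wireguard module instead of
    # the scripted one.
    useNetworkd ? false,
    ...
  }:
  let
    # Throw-away test keypairs. They are public in nixpkgs and must never be
    # reused outside of tests.
    wg-snakeoil-keys = import ./snakeoil-keys.nix;
  in
  {
    name = "wireguard-dynamic-refresh";
    meta = with lib.maintainers; {
      maintainers = [ majiir ];
    };

    nodes = {
      server = {
        # Both nodes are on two VLANs so that the client can fail over from
        # VLAN 1 (eth1) to VLAN 2 (eth2) once the first link is taken down.
        virtualisation.vlans = [
          1
          2
        ];
        boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
        # Only the WireGuard listen port is opened; the firewall is otherwise
        # left at its defaults so the test also covers the firewall/WireGuard
        # interaction. The client opens nothing, it only initiates.
        networking.firewall.allowedUDPPorts = [ 23542 ];
        networking.useDHCP = false;
        networking.wireguard.useNetworkd = useNetworkd;
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.23.42.1/32" ];
          listenPort = 23542;

          # !!! Don't do this with real keys. The /nix store is world-readable!
          # Anything produced with writeText/builtins.toFile lands in
          # /nix/store with mode 0444. In a real deployment point
          # privateKeyFile at a root-only (0400) file outside the store, e.g.
          # one provisioned by a secrets tool into /run or /etc.
          privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer0.privateKey);

          peers = lib.singleton {
            # Only the client's tunnel address is associated with this peer.
            allowedIPs = [ "10.23.42.2/32" ];

            inherit (wg-snakeoil-keys.peer1) publicKey;
          };
        };
      };

      client =
        { nodes, ... }:
        {
          virtualisation.vlans = [
            1
            2
          ];
          boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
          networking.useDHCP = false;
          networking.wireguard.useNetworkd = useNetworkd;
          networking.wireguard.interfaces.wg0 = {
            ips = [ "10.23.42.2/32" ];

            # !!! Don't do this with real keys. The /nix store is world-readable!
            # See the note on the server node: use a root-only file outside the
            # store for real private keys.
            privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);

            # The feature under test: re-resolve the peer's endpoint hostname
            # every 2 seconds. Keep this small so the test converges quickly.
            dynamicEndpointRefreshSeconds = 2;

            peers = lib.singleton {
              # NOTE(review): the wireguard module installs allowedIPs as routes
              # by default (allowedIPsAsRoutes), so this also makes wg0 the
              # default route on the client. The test only ever reaches
              # 10.23.42.1 through it; the VLAN links keep working because
              # their on-link routes are more specific — confirm if narrowing
              # this to 10.23.42.1/32 is preferred.
              allowedIPs = [
                "0.0.0.0/0"
                "::/0"
              ];
              # Deliberately a hostname rather than an address: the point of the
              # test is that this name is looked up again after the hosts file
              # changes. The test driver maps node names to their VLAN 1 address.
              endpoint = "server:23542";

              inherit (wg-snakeoil-keys.peer0) publicKey;
            };
          };

          # Alternate configuration that differs only in /etc/hosts: "server"
          # now resolves to the server's VLAN 2 address (the test driver
          # addresses nodes as 192.168.<vlan>.<nodeNumber>). mkForce replaces
          # the driver-generated entry instead of adding a second one.
          specialisation.update-hosts.configuration = {
            networking.extraHosts =
              let
                testCfg = nodes.server.virtualisation.test;
              in
              lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";
          };
        };
    };

    testScript =
      { nodes, ... }:
      ''
        start_all()

        server.systemctl("start network-online.target")
        server.wait_for_unit("network-online.target")

        client.systemctl("start network-online.target")
        client.wait_for_unit("network-online.target")

        # Baseline: the tunnel works over VLAN 1.
        client.succeed("ping -n -w 1 -c 1 10.23.42.1")

        # Cut the VLAN 1 path on the client side only. The name "server" still
        # resolves to the (now unreachable) VLAN 1 address.
        client.succeed("ip link set down eth1")

        client.fail("ping -n -w 1 -c 1 10.23.42.1")

        # Repoint "server" at its VLAN 2 address. Nothing WireGuard-related is
        # restarted here; only /etc/hosts changes, so recovery must come from the
        # periodic endpoint re-resolution.
        with client.nested("update hosts file"):
            client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")

        # With a 2 s refresh interval the tunnel should come back within a few
        # seconds. Poll instead of a fixed sleep so a slow CI host does not
        # produce a spurious failure; the timeout keeps the test bounded.
        client.wait_until_succeeds("ping -n -w 1 -c 1 10.23.42.1", timeout=30)
      '';
  }
)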