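# NixOS VM test: checks which network namespace the WireGuard interface wg0
# ends up in for each combination of socketNamespace / interfaceNamespace.
let
  listenPort = 12345;
  socketNamespace = "foo";
  interfaceNamespace = "bar";

  # Settings shared by every peer; each peer overlays its namespace options.
  node = {
    networking.wireguard.interfaces.wg0 = {
      inherit listenPort;
      ips = [ "10.10.10.1/24" ];
      # generatePrivateKeyFile asks the module to create the key at this path,
      # so no key material is committed alongside the test.
      privateKeyFile = "/etc/wireguard/private";
      generatePrivateKeyFile = true;
    };
  };

in

import ../make-test-python.nix (
  {
    pkgs,
    lib,
    kernelPackages ? null,
    ...
  }:
  let
    # Build one peer: the shared node config, an optional kernel override, and
    # the per-peer wg0 attributes merged on top of the shared ones.
    mkPeer =
      wg0:
      pkgs.lib.attrsets.recursiveUpdate node {
        boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
        networking.wireguard.interfaces.wg0 = wg0;
      };
  in
  {
    name = "wireguard-with-namespaces";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ asymmetric ];
    };

    nodes = {
      # interface should be created in the socketNamespace
      # and not moved from there
      peer0 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
      };
      # interface should be created in the init namespace
      # and moved to the interfaceNamespace
      peer1 = mkPeer {
        preSetup = ''
          ip netns add ${interfaceNamespace}
        '';
        # NOTE(review): this mtu is configured but not asserted by testScript.
        mtu = 1280;
        inherit interfaceNamespace;
      };
      # interface should be created in the socketNamespace
      # and moved to the interfaceNamespace
      peer2 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
          ip netns add ${interfaceNamespace}
        '';
        inherit socketNamespace interfaceNamespace;
      };
      # interface should be created in the socketNamespace
      # and moved to the init namespace
      peer3 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
        interfaceNamespace = "init";
      };
    };

    # Each peer is checked in both directions: wg0 must be present in the
    # namespace it was meant for AND absent from the namespaces it was created
    # in or should never have touched. Interface names are per-namespace, so a
    # presence check alone would still pass if a wg0 were left behind in the
    # wrong namespace.
    # NOTE(review): only the interface's location is asserted; which namespace
    # holds the UDP listen socket is not checked here.
    testScript = ''
      start_all()

      for machine in peer0, peer1, peer2, peer3:
          machine.wait_for_unit("wireguard-wg0.service")

      # peer0: stays in the socket namespace, never visible in init
      peer0.succeed("ip -n ${socketNamespace} link show wg0")
      peer0.fail("ip link show wg0")

      # peer1: created in init, moved to the interface namespace
      peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
      peer1.fail("ip link show wg0")

      # peer2: created in the socket namespace, moved to the interface namespace
      peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
      peer2.fail("ip -n ${socketNamespace} link show wg0")
      peer2.fail("ip link show wg0")

      # peer3: created in the socket namespace, moved to init
      peer3.succeed("ip link show wg0")
      peer3.fail("ip -n ${socketNamespace} link show wg0")
    '';
  }
)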