commit 0589bd307d50db0dc416055d4f4cf979d1b75ea8 · pyrox.dev/nixpkgs

+52 -11

nixos/modules/services/networking/wg-quick.nix

···

       11
       11
        
         interfaceOpts = { ... }: {

     

       12
       12
        
           options = {

     

       13
       13
        
       

     

       14
       14
       +
             type = mkOption {

     

       15
       15
       +
               example = "amneziawg";

     

       16
       16
       +
               default = "wireguard";

     

       17
       17
       +
               type = types.enum ["wireguard" "amneziawg"];

     

       18
       18
       +
               description = ''

     

       19
       19
       +
                 The type of the interface. Currently only "wireguard" and "amneziawg" are supported.

     

       20
       20
       +
               '';

     

       21
       21
       +
             };

     

       22
       22
       +
       

     

       14
       23
        
             configFile = mkOption {

     

       15
       24
        
               example = "/secret/wg0.conf";

     

       16
       25
        
               default = null;

     
···

       151
       160
        
               description = "Peers linked to the interface.";

     

       152
       161
        
               type = with types; listOf (submodule peerOpts);

     

       153
       162
        
             };

     

       163
       163
       +
       

     

       164
       164
       +
             extraOptions = mkOption {

     

       165
       165
       +
               type = with types; attrsOf (oneOf [ str int ]);

     

       166
       166
       +
               default = { };

     

       167
       167
       +
               example = {

     

       168
       168
       +
                 Jc = 5;

     

       169
       169
       +
                 Jmin = 10;

     

       170
       170
       +
                 Jmax = 42;

     

       171
       171
       +
                 S1 = 60;

     

       172
       172
       +
                 S2 = 90;

     

       173
       173
       +
                 H4 = 12345;

     

       174
       174
       +
               };

     

       175
       175
       +
               description = ''

     

       176
       176
       +
                 Extra options to append to the interface section. Can be used to define AmneziaWG-specific options.

     

       177
       177
       +
               '';

     

       178
       178
       +
             };

     

       154
       179
        
           };

     

       155
       180
        
         };

     

       156
       181
        
       

     
···

       230
       255
        
       

     

       231
       256
        
         writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");

     

       232
       257
        
       

     

       233
       233
       -
         generatePrivateKeyScript = privateKeyFile: ''

     

       258
       258
       +
         generatePrivateKeyScript = privateKeyFile: wgBin: ''

     

       234
       259
        
           set -e

     

       235
       260
        
       

     

       236
       261
        
           # If the parent dir does not already exist, create it.

     
···

       239
       264
        
       

     

       240
       265
        
           if [ ! -f "${privateKeyFile}" ]; then

     

       241
       266
        
             # Write private key file with atomically-correct permissions.

     

       242
       242
       -
             (set -e; umask 077; wg genkey > "${privateKeyFile}")

     

       267
       267
       +
             (set -e; umask 077; ${wgBin} genkey > "${privateKeyFile}")

     

       243
       268
        
           fi

     

       244
       269
        
         '';

     

       245
       270
        
       

     
···

       247
       272
        
           assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";

     

       248
       273
        
           assert assertMsg (values.generatePrivateKeyFile == false || values.privateKeyFile != null) "generatePrivateKeyFile requires privateKeyFile to be set";

     

       249
       274
        
           let

     

       250
       250
       -
             generateKeyScriptFile = if values.generatePrivateKeyFile then writeScriptFile "generatePrivateKey.sh" (generatePrivateKeyScript values.privateKeyFile) else null;

     

       275
       275
       +
             wgBin = {

     

       276
       276
       +
               wireguard = "wg";

     

       277
       277
       +
               amneziawg = "awg";

     

       278
       278
       +
             }.${values.type};

     

       279
       279
       +
             generateKeyScriptFile =

     

       280
       280
       +
               if values.generatePrivateKeyFile then

     

       281
       281
       +
                 writeScriptFile "generatePrivateKey.sh" (generatePrivateKeyScript values.privateKeyFile wgBin)

     

       282
       282
       +
               else

     

       283
       283
       +
                 null;

     

       251
       284
        
             preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;

     

       252
       285
        
             postUp =

     

       253
       253
       -
                   optional (values.privateKeyFile != null) "wg set ${name} private-key <(cat ${values.privateKeyFile})" ++

     

       254
       254
       -
                   (concatMap (peer: optional (peer.presharedKeyFile != null) "wg set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++

     

       286
       286
       +
                   optional (values.privateKeyFile != null) "${wgBin} set ${name} private-key <(cat ${values.privateKeyFile})" ++

     

       287
       287
       +
                   (concatMap (peer: optional (peer.presharedKeyFile != null) "${wgBin} set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++

     

       255
       288
        
                   optional (values.postUp != "") values.postUp;

     

       256
       289
        
             postUpFile = if postUp != [] then writeScriptFile "postUp.sh" (concatMapStringsSep "\n" (line: line) postUp) else null;

     

       257
       290
        
             preDownFile = if values.preDown != "" then writeScriptFile "preDown.sh" values.preDown else null;

     
···

       279
       312
        
               optionalString (postUpFile != null) "PostUp = ${postUpFile}\n" +

     

       280
       313
        
               optionalString (preDownFile != null) "PreDown = ${preDownFile}\n" +

     

       281
       314
        
               optionalString (postDownFile != null) "PostDown = ${postDownFile}\n" +

     

       315
       315
       +
               concatLines (mapAttrsToList (n: v: "${n} = ${toString v}") values.extraOptions) +

     

       282
       316
        
               concatMapStringsSep "\n" (peer:

     

       283
       317
        
                 assert assertMsg (!((peer.presharedKeyFile != null) && (peer.presharedKey != null))) "Only one of presharedKey or presharedKeyFile may be set";

     

       284
       318
        
                 "[Peer]\n" +

     
···

       304
       338
        
               wantedBy = optional values.autostart "multi-user.target";

     

       305
       339
        
               environment.DEVICE = name;

     

       306
       340
        
               path = [

     

       307
       307
       -
                 pkgs.wireguard-tools

     

       341
       341
       +
                 {

     

       342
       342
       +
                   wireguard = pkgs.wireguard-tools;

     

       343
       343
       +
                   amneziawg = pkgs.amneziawg-tools;

     

       344
       344
       +
                 }.${values.type}

     

       308
       345
        
                 config.networking.firewall.package   # iptables or nftables

     

       309
       346
        
                 config.networking.resolvconf.package # openresolv or systemd

     

       310
       347
        
               ];

     
···

       315
       352
        
               };

     

       316
       353
        
       

     

       317
       354
        
               script = ''

     

       318
       318
       -
                 ${optionalString (!config.boot.isContainer) "${pkgs.kmod}/bin/modprobe wireguard"}

     

       355
       355
       +
                 ${optionalString (!config.boot.isContainer) "${pkgs.kmod}/bin/modprobe ${values.type}"}

     

       319
       356
        
                 ${optionalString (values.configFile != null) ''

     

       320
       357
        
                   cp ${values.configFile} ${configPath}

     

       321
       358
        
                 ''}

     

       322
       322
       -
                 wg-quick up ${configPath}

     

       359
       359
       +
                 ${wgBin}-quick up ${configPath}

     

       323
       360
        
               '';

     

       324
       361
        
       

     

       325
       362
        
               serviceConfig = {

     
···

       328
       365
        
               };

     

       329
       366
        
       

     

       330
       367
        
               preStop = ''

     

       331
       331
       -
                 wg-quick down ${configPath}

     

       368
       368
       +
                 ${wgBin}-quick down ${configPath}

     

       332
       369
        
               '';

     

       333
       370
        
             };

     

       334
       371
        
       in {

     
···

       360
       397
        
         ###### implementation

     

       361
       398
        
       

     

       362
       399
        
         config = mkIf (cfg.interfaces != {}) {

     

       363
       363
       -
           boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;

     

       364
       364
       -
           environment.systemPackages = [ pkgs.wireguard-tools ];

     

       400
       400
       +
           boot.extraModulePackages =

     

       401
       401
       +
             optional (any (x: x.type == "wireguard") (attrValues cfg.interfaces) && (versionOlder kernel.kernel.version "5.6")) kernel.wireguard

     

       402
       402
       +
             ++ optional (any (x: x.type == "amneziawg") (attrValues cfg.interfaces)) kernel.amneziawg;

     

       403
       403
       +
           environment.systemPackages =

     

       404
       404
       +
             optional (any (x: x.type == "wireguard") (attrValues cfg.interfaces)) pkgs.wireguard-tools

     

       405
       405
       +
             ++ optional (any (x: x.type == "amneziawg") (attrValues cfg.interfaces)) pkgs.amneziawg-tools;

     

       365
       406
        
           systemd.services = mapAttrs' generateUnit cfg.interfaces;

     

       366
       407
        
       

     

       367
       408
        
           # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).

nixos/modules/services/networking/wireguard-networkd.nix

···

       189
       189
        
                   assertion = interface.interfaceNamespace == null;

     

       190
       190
        
                   message = "networking.wireguard.interfaces.${name}.interfaceNamespace cannot be used with networkd.";

     

       191
       191
        
                 }

     

       192
       192
       +
                 {

     

       193
       193
       +
                   assertion = interface.type == "wireguard";

     

       194
       194
       +
                   message = "networking.wireguard.interfaces.${name}.type value must be \"wireguard\" when used with networkd.";

     

       195
       195
       +
                 }

     

       192
       196
        
               ]

     

       193
       197
        
               ++ flip concatMap interface.ips (ip: [

     

       194
       198
        
                 # IP assertions

+52 -11

nixos/modules/services/networking/wireguard.nix

···

       15
       15
        
       

     

       16
       16
        
           options = {

     

       17
       17
        
       

     

       18
       18
       +
             type = mkOption {

     

       19
       19
       +
               example = "amneziawg";

     

       20
       20
       +
               default = "wireguard";

     

       21
       21
       +
               type = types.enum ["wireguard" "amneziawg"];

     

       22
       22
       +
               description = ''

     

       23
       23
       +
                 The type of the interface. Currently only "wireguard" and "amneziawg" are supported.

     

       24
       24
       +
               '';

     

       25
       25
       +
             };

     

       26
       26
       +
       

     

       18
       27
        
             ips = mkOption {

     

       19
       28
        
               example = [ "192.168.2.1/24" ];

     

       20
       29
        
               default = [];

     
···

       206
       215
        
                 :::

     

       207
       216
        
               '';

     

       208
       217
        
             };

     

       218
       218
       +
       

     

       219
       219
       +
             extraOptions = mkOption {

     

       220
       220
       +
               type = with types; attrsOf (oneOf [ str int ]);

     

       221
       221
       +
               default = { };

     

       222
       222
       +
               example = {

     

       223
       223
       +
                 Jc = 5;

     

       224
       224
       +
                 Jmin = 10;

     

       225
       225
       +
                 Jmax = 42;

     

       226
       226
       +
                 S1 = 60;

     

       227
       227
       +
                 S2 = 90;

     

       228
       228
       +
                 H4 = 12345;

     

       229
       229
       +
               };

     

       230
       230
       +
               description = ''

     

       231
       231
       +
                 Extra options to append to the interface section. Can be used to define AmneziaWG-specific options.

     

       232
       232
       +
               '';

     

       233
       233
       +
             };

     

       209
       234
        
           };

     

       210
       235
        
       

     

       211
       236
        
         };

     
···

       346
       371
        
       

     

       347
       372
        
         };

     

       348
       373
        
       

     

       374
       374
       +
         wgBins = {

     

       375
       375
       +
           wireguard = "wg";

     

       376
       376
       +
           amneziawg = "awg";

     

       377
       377
       +
         };

     

       378
       378
       +
       

     

       379
       379
       +
         wgPackages = {

     

       380
       380
       +
           wireguard = pkgs.wireguard-tools;

     

       381
       381
       +
           amneziawg = pkgs.amneziawg-tools;

     

       382
       382
       +
         };

     

       383
       383
       +
       

     

       349
       384
        
         generateKeyServiceUnit = name: values:

     

       350
       385
        
           assert values.generatePrivateKeyFile;

     

       351
       386
        
           nameValuePair "wireguard-${name}-key"

     
···

       354
       389
        
               wantedBy = [ "wireguard-${name}.service" ];

     

       355
       390
        
               requiredBy = [ "wireguard-${name}.service" ];

     

       356
       391
        
               before = [ "wireguard-${name}.service" ];

     

       357
       357
       -
               path = with pkgs; [ wireguard-tools ];

     

       392
       392
       +
               path = [ wgPackages.${values.type} ];

     

       358
       393
        
       

     

       359
       394
        
               serviceConfig = {

     

       360
       395
        
                 Type = "oneshot";

     
···

       370
       405
        
       

     

       371
       406
        
                 if [ ! -f "${values.privateKeyFile}" ]; then

     

       372
       407
        
                   # Write private key file with atomically-correct permissions.

     

       373
       373
       -
                   (set -e; umask 077; wg genkey > "${values.privateKeyFile}")

     

       408
       408
       +
                   (set -e; umask 077; ${wgBins.${values.type}} genkey > "${values.privateKeyFile}")

     

       374
       409
        
                 fi

     

       375
       410
        
               '';

     

       376
       411
        
             };

     
···

       395
       430
        
             src = interfaceCfg.socketNamespace;

     

       396
       431
        
             dst = interfaceCfg.interfaceNamespace;

     

       397
       432
        
             ip = nsWrap "ip" src dst;

     

       398
       398
       -
             wg = nsWrap "wg" src dst;

     

       433
       433
       +
             wg = nsWrap wgBins.${interfaceCfg.type} src dst;

     

       399
       434
        
             dynamicEndpointRefreshSeconds = dynamicRefreshSeconds interfaceCfg peer;

     

       400
       435
        
             dynamicRefreshEnabled = dynamicEndpointRefreshSeconds != 0;

     

       401
       436
        
             # We generate a different name (a `-refresh` suffix) when `dynamicEndpointRefreshSeconds`

     
···

       412
       447
        
               wantedBy = [ "wireguard-${interfaceName}.service" ];

     

       413
       448
        
               environment.DEVICE = interfaceName;

     

       414
       449
        
               environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";

     

       415
       415
       -
               path = with pkgs; [ iproute2 wireguard-tools ];

     

       450
       450
       +
               path = with pkgs; [ iproute2 wgPackages.${interfaceCfg.type} ];

     

       416
       451
        
       

     

       417
       452
        
               serviceConfig =

     

       418
       453
        
                 if !dynamicRefreshEnabled

     
···

       501
       536
        
               dst = values.interfaceNamespace;

     

       502
       537
        
               ipPreMove  = nsWrap "ip" src null;

     

       503
       538
        
               ipPostMove = nsWrap "ip" src dst;

     

       504
       504
       -
               wg = nsWrap "wg" src dst;

     

       539
       539
       +
               wg = nsWrap wgBins.${values.type} src dst;

     

       505
       540
        
               ns = if dst == "init" then "1" else dst;

     

       506
       541
        
       

     

       507
       542
        
           in

     
···

       512
       547
        
               wants = [ "network.target" ];

     

       513
       548
        
               before = [ "network.target" ];

     

       514
       549
        
               environment.DEVICE = name;

     

       515
       515
       -
               path = with pkgs; [ kmod iproute2 wireguard-tools ];

     

       550
       550
       +
               path = with pkgs; [ kmod iproute2 wgPackages.${values.type} ];

     

       516
       551
        
       

     

       517
       552
        
               serviceConfig = {

     

       518
       553
        
                 Type = "oneshot";

     
···

       520
       555
        
               };

     

       521
       556
        
       

     

       522
       557
        
               script = concatStringsSep "\n" (

     

       523
       523
       -
                 optional (!config.boot.isContainer) "modprobe wireguard || true"

     

       558
       558
       +
                 optional (!config.boot.isContainer) "modprobe ${values.type} || true"

     

       524
       559
        
                 ++ [

     

       525
       560
        
                   values.preSetup

     

       526
       526
       -
                   ''${ipPreMove} link add dev "${name}" type wireguard''

     

       561
       561
       +
                   ''${ipPreMove} link add dev "${name}" type ${values.type}''

     

       527
       562
        
                 ]

     

       528
       563
        
                 ++ optional (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''

     

       529
       564
        
                 ++ optional (values.mtu != null) ''${ipPostMove} link set "${name}" mtu ${toString values.mtu}''

     
···

       535
       570
        
                   [ ''${wg} set "${name}" private-key "${privKey}"'' ]

     

       536
       571
        
                   ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''

     

       537
       572
        
                   ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''

     

       573
       573
       +
                   ++ mapAttrsToList (k: v: ''${toLower k} "${toString v}"'') values.extraOptions

     

       538
       574
        
                   ))

     

       539
       575
        
                   ''${ipPostMove} link set up dev "${name}"''

     

       540
       576
        
                   values.postSetup

     
···

       554
       590
        
             ns = last nsList;

     

       555
       591
        
           in

     

       556
       592
        
             if (length nsList > 0 && ns != "init") then ''ip netns exec "${ns}" "${cmd}"'' else cmd;

     

       593
       593
       +
       

     

       594
       594
       +
         usingWg = any (x: x.type == "wireguard") (attrValues cfg.interfaces);

     

       595
       595
       +
         usingAwg = any (x: x.type == "amneziawg") (attrValues cfg.interfaces);

     

       557
       596
        
       in

     

       558
       597
        
       

     

       559
       598
        
       {

     
···

       628
       667
        
                 message = "networking.wireguard.interfaces.${interfaceName} peer «${peer.publicKey}» has both presharedKey and presharedKeyFile set, but only one can be used.";

     

       629
       668
        
               }) all_peers;

     

       630
       669
        
       

     

       631
       631
       -
           boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;

     

       632
       632
       -
           boot.kernelModules = [ "wireguard" ];

     

       633
       633
       -
           environment.systemPackages = [ pkgs.wireguard-tools ];

     

       670
       670
       +
           boot.extraModulePackages =

     

       671
       671
       +
             optional (usingWg && (versionOlder kernel.kernel.version "5.6")) kernel.wireguard

     

       672
       672
       +
             ++ optional usingAwg kernel.amneziawg;

     

       673
       673
       +
           boot.kernelModules = optional usingWg "wireguard" ++ optional usingAwg "amneziawg";

     

       674
       674
       +
           environment.systemPackages = optional usingWg pkgs.wireguard-tools ++ optional usingAwg pkgs.amneziawg-tools;

     

       634
       675
        
       

     

       635
       676
        
           systemd.services = mkIf (!cfg.useNetworkd) (

     

       636
       677
        
             (mapAttrs' generateInterfaceUnit cfg.interfaces)

+125

nixos/tests/wireguard/amneziawg-quick.nix

···

       1
       1
       +
       import ../make-test-python.nix (

     

       2
       2
       +
         {

     

       3
       3
       +
           pkgs,

     

       4
       4
       +
           lib,

     

       5
       5
       +
           kernelPackages ? null,

     

       6
       6
       +
           nftables ? false,

     

       7
       7
       +
           ...

     

       8
       8
       +
         }:

     

       9
       9
       +
         let

     

       10
       10
       +
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       11
       11
       +
           peer = import ./make-peer.nix { inherit lib; };

     

       12
       12
       +
           commonConfig = {

     

       13
       13
       +
             boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;

     

       14
       14
       +
             networking.nftables.enable = nftables;

     

       15
       15
       +
             # Make sure iptables doesn't work with nftables enabled

     

       16
       16
       +
             boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];

     

       17
       17
       +
           };

     

       18
       18
       +
           extraOptions = {

     

       19
       19
       +
             Jc = 5;

     

       20
       20
       +
             Jmin = 10;

     

       21
       21
       +
             Jmax = 42;

     

       22
       22
       +
             S1 = 60;

     

       23
       23
       +
             S2 = 90;

     

       24
       24
       +
           };

     

       25
       25
       +
         in

     

       26
       26
       +
         {

     

       27
       27
       +
           name = "amneziawg-quick";

     

       28
       28
       +
           meta = with pkgs.lib.maintainers; {

     

       29
       29
       +
             maintainers = [

     

       30
       30
       +
               averyanalex

     

       31
       31
       +
               azahi

     

       32
       32
       +
             ];

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           nodes = {

     

       36
       36
       +
             peer0 = peer {

     

       37
       37
       +
               ip4 = "192.168.0.1";

     

       38
       38
       +
               ip6 = "fd00::1";

     

       39
       39
       +
               extraConfig = lib.mkMerge [

     

       40
       40
       +
                 commonConfig

     

       41
       41
       +
                 {

     

       42
       42
       +
                   networking.firewall.allowedUDPPorts = [ 23542 ];

     

       43
       43
       +
                   networking.wg-quick.interfaces.wg0 = {

     

       44
       44
       +
                     type = "amneziawg";

     

       45
       45
       +
       

     

       46
       46
       +
                     address = [

     

       47
       47
       +
                       "10.23.42.1/32"

     

       48
       48
       +
                       "fc00::1/128"

     

       49
       49
       +
                     ];

     

       50
       50
       +
                     listenPort = 23542;

     

       51
       51
       +
       

     

       52
       52
       +
                     inherit (wg-snakeoil-keys.peer0) privateKey;

     

       53
       53
       +
       

     

       54
       54
       +
                     peers = lib.singleton {

     

       55
       55
       +
                       allowedIPs = [

     

       56
       56
       +
                         "10.23.42.2/32"

     

       57
       57
       +
                         "fc00::2/128"

     

       58
       58
       +
                       ];

     

       59
       59
       +
       

     

       60
       60
       +
                       inherit (wg-snakeoil-keys.peer1) publicKey;

     

       61
       61
       +
                     };

     

       62
       62
       +
       

     

       63
       63
       +
                     dns = [

     

       64
       64
       +
                       "10.23.42.2"

     

       65
       65
       +
                       "fc00::2"

     

       66
       66
       +
                       "wg0"

     

       67
       67
       +
                     ];

     

       68
       68
       +
       

     

       69
       69
       +
                     inherit extraOptions;

     

       70
       70
       +
                   };

     

       71
       71
       +
                 }

     

       72
       72
       +
               ];

     

       73
       73
       +
             };

     

       74
       74
       +
       

     

       75
       75
       +
             peer1 = peer {

     

       76
       76
       +
               ip4 = "192.168.0.2";

     

       77
       77
       +
               ip6 = "fd00::2";

     

       78
       78
       +
               extraConfig = lib.mkMerge [

     

       79
       79
       +
                 commonConfig

     

       80
       80
       +
                 {

     

       81
       81
       +
                   networking.useNetworkd = true;

     

       82
       82
       +
                   networking.wg-quick.interfaces.wg0 = {

     

       83
       83
       +
                     type = "amneziawg";

     

       84
       84
       +
       

     

       85
       85
       +
                     address = [

     

       86
       86
       +
                       "10.23.42.2/32"

     

       87
       87
       +
                       "fc00::2/128"

     

       88
       88
       +
                     ];

     

       89
       89
       +
                     inherit (wg-snakeoil-keys.peer1) privateKey;

     

       90
       90
       +
       

     

       91
       91
       +
                     peers = lib.singleton {

     

       92
       92
       +
                       allowedIPs = [

     

       93
       93
       +
                         "0.0.0.0/0"

     

       94
       94
       +
                         "::/0"

     

       95
       95
       +
                       ];

     

       96
       96
       +
                       endpoint = "192.168.0.1:23542";

     

       97
       97
       +
                       persistentKeepalive = 25;

     

       98
       98
       +
       

     

       99
       99
       +
                       inherit (wg-snakeoil-keys.peer0) publicKey;

     

       100
       100
       +
                     };

     

       101
       101
       +
       

     

       102
       102
       +
                     dns = [

     

       103
       103
       +
                       "10.23.42.1"

     

       104
       104
       +
                       "fc00::1"

     

       105
       105
       +
                       "wg0"

     

       106
       106
       +
                     ];

     

       107
       107
       +
       

     

       108
       108
       +
                     inherit extraOptions;

     

       109
       109
       +
                   };

     

       110
       110
       +
                 }

     

       111
       111
       +
               ];

     

       112
       112
       +
             };

     

       113
       113
       +
           };

     

       114
       114
       +
       

     

       115
       115
       +
           testScript = ''

     

       116
       116
       +
             start_all()

     

       117
       117
       +
       

     

       118
       118
       +
             peer0.wait_for_unit("wg-quick-wg0.service")

     

       119
       119
       +
             peer1.wait_for_unit("wg-quick-wg0.service")

     

       120
       120
       +
       

     

       121
       121
       +
             peer1.succeed("ping -c5 fc00::1")

     

       122
       122
       +
             peer1.succeed("ping -c5 10.23.42.1")

     

       123
       123
       +
           '';

     

       124
       124
       +
         }

     

       125
       125
       +
       )

+111

nixos/tests/wireguard/amneziawg.nix

···

       1
       1
       +
       import ../make-test-python.nix (

     

       2
       2
       +
         {

     

       3
       3
       +
           pkgs,

     

       4
       4
       +
           lib,

     

       5
       5
       +
           kernelPackages ? null,

     

       6
       6
       +
           ...

     

       7
       7
       +
         }:

     

       8
       8
       +
         let

     

       9
       9
       +
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       10
       10
       +
           peer = (import ./make-peer.nix) { inherit lib; };

     

       11
       11
       +
           extraOptions = {

     

       12
       12
       +
             Jc = 5;

     

       13
       13
       +
             Jmin = 10;

     

       14
       14
       +
             Jmax = 42;

     

       15
       15
       +
             S1 = 60;

     

       16
       16
       +
             S2 = 90;

     

       17
       17
       +
           };

     

       18
       18
       +
         in

     

       19
       19
       +
         {

     

       20
       20
       +
           name = "amneziawg";

     

       21
       21
       +
           meta = with pkgs.lib.maintainers; {

     

       22
       22
       +
             maintainers = [

     

       23
       23
       +
               averyanalex

     

       24
       24
       +
               azahi

     

       25
       25
       +
             ];

     

       26
       26
       +
           };

     

       27
       27
       +
       

     

       28
       28
       +
           nodes = {

     

       29
       29
       +
             peer0 = peer {

     

       30
       30
       +
               ip4 = "192.168.0.1";

     

       31
       31
       +
               ip6 = "fd00::1";

     

       32
       32
       +
               extraConfig = {

     

       33
       33
       +
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       34
       34
       +
                 networking.firewall.allowedUDPPorts = [ 23542 ];

     

       35
       35
       +
                 networking.wireguard.interfaces.wg0 = {

     

       36
       36
       +
                   type = "amneziawg";

     

       37
       37
       +
                   ips = [

     

       38
       38
       +
                     "10.23.42.1/32"

     

       39
       39
       +
                     "fc00::1/128"

     

       40
       40
       +
                   ];

     

       41
       41
       +
                   listenPort = 23542;

     

       42
       42
       +
       

     

       43
       43
       +
                   inherit (wg-snakeoil-keys.peer0) privateKey;

     

       44
       44
       +
       

     

       45
       45
       +
                   peers = lib.singleton {

     

       46
       46
       +
                     allowedIPs = [

     

       47
       47
       +
                       "10.23.42.2/32"

     

       48
       48
       +
                       "fc00::2/128"

     

       49
       49
       +
                     ];

     

       50
       50
       +
       

     

       51
       51
       +
                     inherit (wg-snakeoil-keys.peer1) publicKey;

     

       52
       52
       +
                   };

     

       53
       53
       +
       

     

       54
       54
       +
                   inherit extraOptions;

     

       55
       55
       +
                 };

     

       56
       56
       +
               };

     

       57
       57
       +
             };

     

       58
       58
       +
       

     

       59
       59
       +
             peer1 = peer {

     

       60
       60
       +
               ip4 = "192.168.0.2";

     

       61
       61
       +
               ip6 = "fd00::2";

     

       62
       62
       +
               extraConfig = {

     

       63
       63
       +
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       64
       64
       +
                 networking.wireguard.interfaces.wg0 = {

     

       65
       65
       +
                   type = "amneziawg";

     

       66
       66
       +
                   ips = [

     

       67
       67
       +
                     "10.23.42.2/32"

     

       68
       68
       +
                     "fc00::2/128"

     

       69
       69
       +
                   ];

     

       70
       70
       +
                   listenPort = 23542;

     

       71
       71
       +
                   allowedIPsAsRoutes = false;

     

       72
       72
       +
       

     

       73
       73
       +
                   inherit (wg-snakeoil-keys.peer1) privateKey;

     

       74
       74
       +
       

     

       75
       75
       +
                   peers = lib.singleton {

     

       76
       76
       +
                     allowedIPs = [

     

       77
       77
       +
                       "0.0.0.0/0"

     

       78
       78
       +
                       "::/0"

     

       79
       79
       +
                     ];

     

       80
       80
       +
                     endpoint = "192.168.0.1:23542";

     

       81
       81
       +
                     persistentKeepalive = 25;

     

       82
       82
       +
       

     

       83
       83
       +
                     inherit (wg-snakeoil-keys.peer0) publicKey;

     

       84
       84
       +
                   };

     

       85
       85
       +
       

     

       86
       86
       +
                   postSetup =

     

       87
       87
       +
                     let

     

       88
       88
       +
                       inherit (pkgs) iproute2;

     

       89
       89
       +
                     in

     

       90
       90
       +
                     ''

     

       91
       91
       +
                       ${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0

     

       92
       92
       +
                       ${iproute2}/bin/ip route replace fc00::1/128 dev wg0

     

       93
       93
       +
                     '';

     

       94
       94
       +
       

     

       95
       95
       +
                   inherit extraOptions;

     

       96
       96
       +
                 };

     

       97
       97
       +
               };

     

       98
       98
       +
             };

     

       99
       99
       +
           };

     

       100
       100
       +
       

     

       101
       101
       +
           testScript = ''

     

       102
       102
       +
             start_all()

     

       103
       103
       +
       

     

       104
       104
       +
             peer0.wait_for_unit("wireguard-wg0.service")

     

       105
       105
       +
             peer1.wait_for_unit("wireguard-wg0.service")

     

       106
       106
       +
       

     

       107
       107
       +
             peer1.succeed("ping -c5 fc00::1")

     

       108
       108
       +
             peer1.succeed("ping -c5 10.23.42.1")

     

       109
       109
       +
           '';

     

       110
       110
       +
         }

     

       111
       111
       +
       )

nixos/tests/wireguard/default.nix

···

       10
       10
        
       let

     

       11
       11
        
         tests = let callTest = p: args: import p ({ inherit system pkgs; } // args); in {

     

       12
       12
        
           basic = callTest ./basic.nix;

     

       13
       13
       +
           amneziawg = callTest ./amneziawg.nix;

     

       13
       14
        
           namespaces = callTest ./namespaces.nix;

     

       14
       15
        
           networkd = callTest ./networkd.nix;

     

       15
       16
        
           wg-quick = callTest ./wg-quick.nix;

     

       16
       17
        
           wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);

     

       18
       18
       +
           amneziawg-quick = callTest ./amneziawg-quick.nix;

     

       17
       19
        
           generated = callTest ./generated.nix;

     

       18
       20
        
           dynamic-refresh = callTest ./dynamic-refresh.nix;

     

       19
       21
        
           dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);