commit c684398c6afaf90d9dc86466ca36e4ea3263d77f · pyrox.dev/nixpkgs

nixos/modules/module-list.nix

···

       937
        
         ./system/boot/grow-partition.nix

     

       938
        
         ./system/boot/initrd-network.nix

     

       939
        
         ./system/boot/initrd-ssh.nix

     

       0
        
       
     

       940
        
         ./system/boot/kernel.nix

     

       941
        
         ./system/boot/kexec.nix

     

       942
        
         ./system/boot/loader/efi.nix

···

       937
        
         ./system/boot/grow-partition.nix

     

       938
        
         ./system/boot/initrd-network.nix

     

       939
        
         ./system/boot/initrd-ssh.nix

     

       940
       +
         ./system/boot/initrd-openvpn.nix

     

       941
        
         ./system/boot/kernel.nix

     

       942
        
         ./system/boot/kexec.nix

     

       943
        
         ./system/boot/loader/efi.nix

+81

nixos/modules/system/boot/initrd-openvpn.nix

···

       1
       +
       { config, lib, pkgs, ... }:

     

       2
       +
       

     

       3
       +
       with lib;

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
       

     

       7
       +
         cfg = config.boot.initrd.network.openvpn;

     

       8
       +
         

     

       9
       +
       in

     

       10
       +
       

     

       11
       +
       {

     

       12
       +
       

     

       13
       +
         options = {

     

       14
       +
       

     

       15
       +
           boot.initrd.network.openvpn.enable = mkOption {

     

       16
       +
             type = types.bool;

     

       17
       +
             default = false;

     

       18
       +
             description = ''

     

       19
       +
               Starts an OpenVPN client during initrd boot. It can be used to e.g. 

     

       20
       +
               remotely accessing the SSH service controlled by 

     

       21
       +
               <option>boot.initrd.network.ssh</option> or other network services 

     

       22
       +
               included. Service is killed when stage-1 boot is finished.

     

       23
       +
             '';

     

       24
       +
           };

     

       25
       +
           

     

       26
       +
           boot.initrd.network.openvpn.configuration = mkOption {

     

       27
       +
             type = types.path; # Same type as boot.initrd.secrets

     

       28
       +
             description = ''

     

       29
       +
               The configuration file for OpenVPN. 

     

       30
       +
       

     

       31
       +
               <warning>

     

       32
       +
                 <para>

     

       33
       +
                   Unless your bootloader supports initrd secrets, this configuration

     

       34
       +
                   is stored insecurely in the global Nix store.

     

       35
       +
                 </para>

     

       36
       +
               </warning>

     

       37
       +
             '';

     

       38
       +
             example = "./configuration.ovpn";

     

       39
       +
           };

     

       40
       +
       

     

       41
       +
         };

     

       42
       +
       

     

       43
       +
         config = mkIf (config.boot.initrd.network.enable && cfg.enable) {

     

       44
       +
           assertions = [

     

       45
       +
             {

     

       46
       +
               assertion = cfg.configuration != null;

     

       47
       +
               message = "You should specify a configuration for initrd OpenVPN";

     

       48
       +
             }

     

       49
       +
           ];

     

       50
       +
           

     

       51
       +
           # Add kernel modules needed for OpenVPN

     

       52
       +
           boot.initrd.kernelModules = [ "tun" "tap" ];

     

       53
       +
       

     

       54
       +
           # Add openvpn and ip binaries to the initrd

     

       55
       +
           # The shared libraries are required for DNS resolution

     

       56
       +
           boot.initrd.extraUtilsCommands = ''

     

       57
       +
             copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn

     

       58
       +
             copy_bin_and_libs ${pkgs.iproute}/bin/ip

     

       59
       +
       

     

       60
       +
             cp -pv ${pkgs.glibc}/lib/libresolv.so.2 $out/lib

     

       61
       +
             cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib

     

       62
       +
           '';

     

       63
       +
           

     

       64
       +
           boot.initrd.secrets = {

     

       65
       +
             "/etc/initrd.ovpn" = cfg.configuration;

     

       66
       +
           };

     

       67
       +
           

     

       68
       +
           # openvpn --version would exit with 1 instead of 0

     

       69
       +
           boot.initrd.extraUtilsCommandsTest = ''

     

       70
       +
             $out/bin/openvpn --show-gateway

     

       71
       +
           '';

     

       72
       +
       

     

       73
       +
           # Add `iproute /bin/ip` to the config, to ensure that openvpn

     

       74
       +
           # is able to set the routes

     

       75
       +
           boot.initrd.network.postCommands = ''

     

       76
       +
             (cat /etc/initrd.ovpn; echo -e '\niproute /bin/ip') | \

     

       77
       +
               openvpn /dev/stdin &

     

       78
       +
           '';

     

       79
       +
         };

     

       80
       +
       

     

       81
       +
       }

nixos/tests/all-tests.nix

···

       150
        
         incron = handleTest ./incron.nix {};

     

       151
        
         influxdb = handleTest ./influxdb.nix {};

     

       152
        
         initrd-network-ssh = handleTest ./initrd-network-ssh {};

     

       0
        
       
     

       153
        
         initrdNetwork = handleTest ./initrd-network.nix {};

     

       154
        
         installer = handleTest ./installer.nix {};

     

       155
        
         iodine = handleTest ./iodine.nix {};

···

       150
        
         incron = handleTest ./incron.nix {};

     

       151
        
         influxdb = handleTest ./influxdb.nix {};

     

       152
        
         initrd-network-ssh = handleTest ./initrd-network-ssh {};

     

       153
       +
         initrd-network-openvpn = handleTest ./initrd-network-openvpn {};

     

       154
        
         initrdNetwork = handleTest ./initrd-network.nix {};

     

       155
        
         installer = handleTest ./installer.nix {};

     

       156
        
         iodine = handleTest ./iodine.nix {};

+145

nixos/tests/initrd-network-openvpn/default.nix

···

       1
       +
       import ../make-test-python.nix ({ lib, ...}:

     

       2
       +
       

     

       3
       +
       {

     

       4
       +
         name = "initrd-network-openvpn";

     

       5
       +
       

     

       6
       +
         nodes =

     

       7
       +
           let

     

       8
       +
       

     

       9
       +
             # Inlining of the shared secret for the

     

       10
       +
             # OpenVPN server and client

     

       11
       +
             secretblock = ''

     

       12
       +
               secret [inline]

     

       13
       +
               <secret>

     

       14
       +
               ${lib.readFile ./shared.key}

     

       15
       +
               </secret>

     

       16
       +
               '';

     

       17
       +
       

     

       18
       +
           in

     

       19
       +
           {

     

       20
       +
       

     

       21
       +
             # Minimal test case to check a successful boot, even with invalid config

     

       22
       +
             minimalboot =

     

       23
       +
               { ... }:

     

       24
       +
               {

     

       25
       +
                 boot.initrd.network = {

     

       26
       +
                   enable = true;

     

       27
       +
                   openvpn = {

     

       28
       +
                     enable = true;

     

       29
       +
                     configuration = "/dev/null";

     

       30
       +
                   };

     

       31
       +
                 };

     

       32
       +
               };

     

       33
       +
       

     

       34
       +
             # initrd VPN client

     

       35
       +
             ovpnclient =

     

       36
       +
               { ... }:

     

       37
       +
               {

     

       38
       +
                 virtualisation.useBootLoader = true;

     

       39
       +
                 virtualisation.vlans = [ 1 ];

     

       40
       +
       

     

       41
       +
                 boot.initrd = {

     

       42
       +
                   # This command does not fork to keep the VM in the state where

     

       43
       +
                   # only the initramfs is loaded

     

       44
       +
                   preLVMCommands =

     

       45
       +
                   ''

     

       46
       +
                     /bin/nc -p 1234 -lke /bin/echo TESTVALUE

     

       47
       +
                   '';

     

       48
       +
       

     

       49
       +
                   network = {

     

       50
       +
                     enable = true;

     

       51
       +
       

     

       52
       +
                     # Work around udhcpc only getting a lease on eth0

     

       53
       +
                     postCommands = ''

     

       54
       +
                       /bin/ip addr add 192.168.1.2/24 dev eth1

     

       55
       +
                     '';

     

       56
       +
       

     

       57
       +
                     # Example configuration for OpenVPN

     

       58
       +
                     # This is the main reason for this test

     

       59
       +
                     openvpn = {

     

       60
       +
                       enable = true;

     

       61
       +
                       configuration = "${./initrd.ovpn}";

     

       62
       +
                     };

     

       63
       +
                   };

     

       64
       +
                 };

     

       65
       +
               };

     

       66
       +
       

     

       67
       +
             # VPN server and gateway for ovpnclient between vlan 1 and 2

     

       68
       +
             ovpnserver =

     

       69
       +
               { ... }:

     

       70
       +
               {

     

       71
       +
                 virtualisation.vlans = [ 1 2 ];

     

       72
       +
       

     

       73
       +
                 # Enable NAT and forward port 12345 to port 1234

     

       74
       +
                 networking.nat = {

     

       75
       +
                   enable = true;

     

       76
       +
                   internalInterfaces = [ "tun0" ];

     

       77
       +
                   externalInterface = "eth2";

     

       78
       +
                   forwardPorts = [ { destination = "10.8.0.2:1234";

     

       79
       +
                                      sourcePort = 12345; } ];

     

       80
       +
                 };

     

       81
       +
       

     

       82
       +
                 # Trust tun0 and allow the VPN Server to be reached

     

       83
       +
                 networking.firewall = {

     

       84
       +
                   trustedInterfaces = [ "tun0" ];

     

       85
       +
                   allowedUDPPorts = [ 1194 ];

     

       86
       +
                 };

     

       87
       +
       

     

       88
       +
                 # Minimal OpenVPN server configuration

     

       89
       +
                 services.openvpn.servers.testserver =

     

       90
       +
                 {

     

       91
       +
                   config = ''

     

       92
       +
                     dev tun0

     

       93
       +
                     ifconfig 10.8.0.1 10.8.0.2

     

       94
       +
                     ${secretblock}

     

       95
       +
                   '';

     

       96
       +
                 };

     

       97
       +
               };

     

       98
       +
       

     

       99
       +
             # Client that resides in the "external" VLAN

     

       100
       +
             testclient =

     

       101
       +
               { ... }:

     

       102
       +
               {

     

       103
       +
                 virtualisation.vlans = [ 2 ];

     

       104
       +
               };

     

       105
       +
         };

     

       106
       +
       

     

       107
       +
       

     

       108
       +
         testScript =

     

       109
       +
           ''

     

       110
       +
             # Minimal test case, checks whether enabling (with invalid config) harms

     

       111
       +
             # the boot process

     

       112
       +
             with subtest("Check for successful boot with broken openvpn config"):

     

       113
       +
                 minimalboot.start()

     

       114
       +
                 # If we get to multi-user.target, we booted successfully

     

       115
       +
                 minimalboot.wait_for_unit("multi-user.target")

     

       116
       +
                 minimalboot.shutdown()

     

       117
       +
       

     

       118
       +
             # Elaborated test case where the ovpnclient (where this module is used)

     

       119
       +
             # can be reached by testclient only over ovpnserver.

     

       120
       +
             # This is an indirect test for success.

     

       121
       +
             with subtest("Check for connection from initrd VPN client, config as file"):

     

       122
       +
                 ovpnserver.start()

     

       123
       +
                 testclient.start()

     

       124
       +
                 ovpnclient.start()

     

       125
       +
       

     

       126
       +
                 # Wait until the OpenVPN Server is available

     

       127
       +
                 ovpnserver.wait_for_unit("openvpn-testserver.service")

     

       128
       +
                 ovpnserver.succeed("ping -c 1 10.8.0.1")

     

       129
       +
       

     

       130
       +
                 # Wait for the client to connect

     

       131
       +
                 ovpnserver.wait_until_succeeds("ping -c 1 10.8.0.2")

     

       132
       +
       

     

       133
       +
                 # Wait until the testclient has network

     

       134
       +
                 testclient.wait_for_unit("network.target")

     

       135
       +
       

     

       136
       +
                 # Check that ovpnclient is reachable over vlan 1

     

       137
       +
                 ovpnserver.succeed("nc -w 2 192.168.1.2 1234 | grep -q TESTVALUE")

     

       138
       +
       

     

       139
       +
                 # Check that ovpnclient is reachable over tun0

     

       140
       +
                 ovpnserver.succeed("nc -w 2 10.8.0.2 1234 | grep -q TESTVALUE")

     

       141
       +
       

     

       142
       +
                 # Check that ovpnclient is reachable from testclient over the gateway

     

       143
       +
                 testclient.succeed("nc -w 2 192.168.2.3 12345 | grep -q TESTVALUE")

     

       144
       +
           '';

     

       145
       +
       })

+29

nixos/tests/initrd-network-openvpn/initrd.ovpn

···

       1
       +
       remote 192.168.1.3

     

       2
       +
       dev tun

     

       3
       +
       ifconfig 10.8.0.2 10.8.0.1

     

       4
       +
       # Only force VLAN 2 through the VPN

     

       5
       +
       route 192.168.2.0 255.255.255.0 10.8.0.1

     

       6
       +
       secret [inline]

     

       7
       +
       <secret>

     

       8
       +
       #

     

       9
       +
       # 2048 bit OpenVPN static key

     

       10
       +
       #

     

       11
       +
       -----BEGIN OpenVPN Static key V1-----

     

       12
       +
       553aabe853acdfe51cd6fcfea93dcbb0

     

       13
       +
       c8797deadd1187606b1ea8f2315eb5e6

     

       14
       +
       67c0d7e830f50df45686063b189d6c6b

     

       15
       +
       aab8bb3430cc78f7bb1f78628d5c3742

     

       16
       +
       0cef4f53a5acab2894905f4499f95d8e

     

       17
       +
       e69b7b6748b17016f89e19e91481a9fd

     

       18
       +
       bf8c10651f41a1d4fdf5f438925a6733

     

       19
       +
       13cec8f04701eb47b8f7ffc48bc3d7af

     

       20
       +
       65f07bce766015b87c3db4d668c655ff

     

       21
       +
       be5a69522a8e60ccb217f8521681b45d

     

       22
       +
       27c0b70bdfbfbb426c7646d80adf7482

     

       23
       +
       3ddac58b25cb1c1bb100de974478b4c6

     

       24
       +
       8b45a94261a2405e99810cb2b3abd49f

     

       25
       +
       21b3198ada87ff3c4e656a008e540a8d

     

       26
       +
       e7811584363597599cce2040a68ac00e

     

       27
       +
       f2125540e0f7f4adc37cb3f0d922eeb7

     

       28
       +
       -----END OpenVPN Static key V1-----

     

       29
       +
       </secret>

+21

nixos/tests/initrd-network-openvpn/shared.key

···

       1
       +
       #

     

       2
       +
       # 2048 bit OpenVPN static key

     

       3
       +
       #

     

       4
       +
       -----BEGIN OpenVPN Static key V1-----

     

       5
       +
       553aabe853acdfe51cd6fcfea93dcbb0

     

       6
       +
       c8797deadd1187606b1ea8f2315eb5e6

     

       7
       +
       67c0d7e830f50df45686063b189d6c6b

     

       8
       +
       aab8bb3430cc78f7bb1f78628d5c3742

     

       9
       +
       0cef4f53a5acab2894905f4499f95d8e

     

       10
       +
       e69b7b6748b17016f89e19e91481a9fd

     

       11
       +
       bf8c10651f41a1d4fdf5f438925a6733

     

       12
       +
       13cec8f04701eb47b8f7ffc48bc3d7af

     

       13
       +
       65f07bce766015b87c3db4d668c655ff

     

       14
       +
       be5a69522a8e60ccb217f8521681b45d

     

       15
       +
       27c0b70bdfbfbb426c7646d80adf7482

     

       16
       +
       3ddac58b25cb1c1bb100de974478b4c6

     

       17
       +
       8b45a94261a2405e99810cb2b3abd49f

     

       18
       +
       21b3198ada87ff3c4e656a008e540a8d

     

       19
       +
       e7811584363597599cce2040a68ac00e

     

       20
       +
       f2125540e0f7f4adc37cb3f0d922eeb7

     

       21
       +
       -----END OpenVPN Static key V1-----