···
environment.systemPackages = [ pkgs.nebula ];
users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
services.openssh.enable = true;
13
+
networking.interfaces.eth1.useDHCP = false;
services.nebula.networks.smoke = {
# Note that these paths won't exist when the machine is first booted.
···
lighthouse = { ... } @ args:
makeNebulaNode args "lighthouse" {
33
-
networking.interfaces.eth1.ipv4.addresses = [{
34
+
networking.interfaces.eth1.ipv4.addresses = lib.mkForce [{
services.nebula.networks.smoke = {
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
47
-
node2 = { ... } @ args:
48
-
makeNebulaNode args "node2" {
49
-
networking.interfaces.eth1.ipv4.addresses = [{
49
+
allowAny = { ... } @ args:
50
+
makeNebulaNode args "allowAny" {
51
+
networking.interfaces.eth1.ipv4.addresses = lib.mkForce [{
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
60
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
65
-
node3 = { ... } @ args:
66
-
makeNebulaNode args "node3" {
67
-
networking.interfaces.eth1.ipv4.addresses = [{
68
+
allowFromLighthouse = { ... } @ args:
69
+
makeNebulaNode args "allowFromLighthouse" {
70
+
networking.interfaces.eth1.ipv4.addresses = lib.mkForce [{
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
79
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
···
83
-
node4 = { ... } @ args:
84
-
makeNebulaNode args "node4" {
85
-
networking.interfaces.eth1.ipv4.addresses = [{
87
+
allowToLighthouse = { ... } @ args:
88
+
makeNebulaNode args "allowToLighthouse" {
89
+
networking.interfaces.eth1.ipv4.addresses = lib.mkForce [{
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
99
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
102
-
node5 = { ... } @ args:
103
-
makeNebulaNode args "node5" {
104
-
networking.interfaces.eth1.ipv4.addresses = [{
107
+
disabled = { ... } @ args:
108
+
makeNebulaNode args "disabled" {
109
+
networking.interfaces.eth1.ipv4.addresses = lib.mkForce [{
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
119
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
setUpPrivateKey = name: ''
127
-
"mkdir -p /root/.ssh",
128
-
"chown 700 /root/.ssh",
129
-
"cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",
130
-
"chown 600 /root/.ssh/id_snakeoil",
134
+
"mkdir -p /root/.ssh",
135
+
"chown 700 /root/.ssh",
136
+
"cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",
137
+
"chown 600 /root/.ssh/id_snakeoil",
# From what I can tell, StrictHostKeyChecking=no is necessary for ssh to work between machines.
···
"nebula-cert keygen -out-key /etc/nebula/${name}.key -out-pub /etc/nebula/${name}.pub",
149
-
"scp ${sshOpts} /etc/nebula/${name}.pub 192.168.1.1:/tmp/${name}.pub",
157
+
"scp ${sshOpts} /etc/nebula/${name}.pub root@192.168.1.1:/root/${name}.pub",
152
-
'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "${name}" -groups "${name}" -ip "${ip}" -in-pub /tmp/${name}.pub -out-crt /tmp/${name}.crt',
160
+
'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "${name}" -groups "${name}" -ip "${ip}" -in-pub /root/${name}.pub -out-crt /root/${name}.crt'
155
-
"scp ${sshOpts} 192.168.1.1:/tmp/${name}.crt /etc/nebula/${name}.crt",
156
-
"scp ${sshOpts} 192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt",
163
+
"scp ${sshOpts} root@192.168.1.1:/root/${name}.crt /etc/nebula/${name}.crt",
164
+
"scp ${sshOpts} root@192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt",
165
+
'(id nebula-smoke >/dev/null && chown -R nebula-smoke:nebula-smoke /etc/nebula) || true'
169
+
getPublicIp = node: ''
170
+
${node}.succeed("ip --brief addr show eth1 | awk '{print $3}' | tail -n1 | cut -d/ -f1").strip()
173
+
# Never do this for anything security critical! (Thankfully it's just a test.)
174
+
# Restart Nebula right after the mutual block and/or restore so the state is fresh.
175
+
blockTrafficBetween = nodeA: nodeB: ''
176
+
node_a = ${getPublicIp nodeA}
177
+
node_b = ${getPublicIp nodeB}
178
+
${nodeA}.succeed("iptables -I INPUT -s " + node_b + " -j DROP")
179
+
${nodeB}.succeed("iptables -I INPUT -s " + node_a + " -j DROP")
180
+
${nodeA}.systemctl("restart nebula@smoke.service")
181
+
${nodeB}.systemctl("restart nebula@smoke.service")
183
+
allowTrafficBetween = nodeA: nodeB: ''
184
+
node_a = ${getPublicIp nodeA}
185
+
node_b = ${getPublicIp nodeB}
186
+
${nodeA}.succeed("iptables -D INPUT -s " + node_b + " -j DROP")
187
+
${nodeB}.succeed("iptables -D INPUT -s " + node_a + " -j DROP")
188
+
${nodeA}.systemctl("restart nebula@smoke.service")
189
+
${nodeB}.systemctl("restart nebula@smoke.service")
# Create the certificate and sign the lighthouse's keys.
${setUpPrivateKey "lighthouse"}
'nebula-cert ca -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key',
'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key',
198
+
'chown -R nebula-smoke:nebula-smoke /etc/nebula'
# Reboot the lighthouse and verify that the nebula service comes up on boot.
···
lighthouse.wait_for_unit("nebula@smoke.service")
lighthouse.succeed("ping -c5 10.0.100.1")
178
-
# Create keys for node2's nebula service and test that it comes up.
179
-
${setUpPrivateKey "node2"}
180
-
${signKeysFor "node2" "10.0.100.2/24"}
181
-
${restartAndCheckNebula "node2" "10.0.100.2"}
208
+
# Create keys for allowAny's nebula service and test that it comes up.
209
+
${setUpPrivateKey "allowAny"}
210
+
${signKeysFor "allowAny" "10.0.100.2/24"}
211
+
${restartAndCheckNebula "allowAny" "10.0.100.2"}
183
-
# Create keys for node3's nebula service and test that it comes up.
184
-
${setUpPrivateKey "node3"}
185
-
${signKeysFor "node3" "10.0.100.3/24"}
186
-
${restartAndCheckNebula "node3" "10.0.100.3"}
213
+
# Create keys for allowFromLighthouse's nebula service and test that it comes up.
214
+
${setUpPrivateKey "allowFromLighthouse"}
215
+
${signKeysFor "allowFromLighthouse" "10.0.100.3/24"}
216
+
${restartAndCheckNebula "allowFromLighthouse" "10.0.100.3"}
188
-
# Create keys for node4's nebula service and test that it comes up.
189
-
${setUpPrivateKey "node4"}
190
-
${signKeysFor "node4" "10.0.100.4/24"}
191
-
${restartAndCheckNebula "node4" "10.0.100.4"}
218
+
# Create keys for allowToLighthouse's nebula service and test that it comes up.
219
+
${setUpPrivateKey "allowToLighthouse"}
220
+
${signKeysFor "allowToLighthouse" "10.0.100.4/24"}
221
+
${restartAndCheckNebula "allowToLighthouse" "10.0.100.4"}
193
-
# Create keys for node4's nebula service and test that it does not come up.
194
-
${setUpPrivateKey "node5"}
195
-
${signKeysFor "node5" "10.0.100.5/24"}
196
-
node5.fail("systemctl status nebula@smoke.service")
197
-
node5.fail("ping -c5 10.0.100.5")
223
+
# Create keys for disabled's nebula service and test that it does not come up.
224
+
${setUpPrivateKey "disabled"}
225
+
${signKeysFor "disabled" "10.0.100.5/24"}
226
+
disabled.fail("systemctl status nebula@smoke.service")
227
+
disabled.fail("ping -c5 10.0.100.5")
199
-
# The lighthouse can ping node2 and node3 but not node5
229
+
# The lighthouse can ping allowAny and allowFromLighthouse but not disabled
lighthouse.succeed("ping -c3 10.0.100.2")
lighthouse.succeed("ping -c3 10.0.100.3")
lighthouse.fail("ping -c3 10.0.100.5")
204
-
# node2 can ping the lighthouse, but not node3 because of its inbound firewall
205
-
node2.succeed("ping -c3 10.0.100.1")
206
-
node2.fail("ping -c3 10.0.100.3")
234
+
# allowAny can ping the lighthouse, but not allowFromLighthouse because of its inbound firewall
235
+
allowAny.succeed("ping -c3 10.0.100.1")
236
+
allowAny.fail("ping -c3 10.0.100.3")
208
-
# node3 can ping the lighthouse and node2
209
-
node3.succeed("ping -c3 10.0.100.1")
210
-
node3.succeed("ping -c3 10.0.100.2")
238
+
# allowFromLighthouse can ping the lighthouse and allowAny
239
+
allowFromLighthouse.succeed("ping -c3 10.0.100.1")
240
+
allowFromLighthouse.succeed("ping -c3 10.0.100.2")
242
+
# block allowFromLighthouse <-> allowAny, and allowFromLighthouse -> allowAny should still work.
243
+
${blockTrafficBetween "allowFromLighthouse" "allowAny"}
244
+
allowFromLighthouse.succeed("ping -c10 10.0.100.2")
245
+
${allowTrafficBetween "allowFromLighthouse" "allowAny"}
246
+
allowFromLighthouse.succeed("ping -c10 10.0.100.2")
248
+
# allowToLighthouse can ping the lighthouse but not allowAny or allowFromLighthouse
249
+
allowToLighthouse.succeed("ping -c3 10.0.100.1")
250
+
allowToLighthouse.fail("ping -c3 10.0.100.2")
251
+
allowToLighthouse.fail("ping -c3 10.0.100.3")
212
-
# node4 can ping the lighthouse but not node2 or node3
213
-
node4.succeed("ping -c3 10.0.100.1")
214
-
node4.fail("ping -c3 10.0.100.2")
215
-
node4.fail("ping -c3 10.0.100.3")
253
+
# allowAny can ping allowFromLighthouse now that allowFromLighthouse pinged it first
254
+
allowAny.succeed("ping -c3 10.0.100.3")
217
-
# node2 can ping node3 now that node3 pinged it first
218
-
node2.succeed("ping -c3 10.0.100.3")
219
-
# node4 can ping node2 if node2 pings it first
220
-
node2.succeed("ping -c3 10.0.100.4")
221
-
node4.succeed("ping -c3 10.0.100.2")
256
+
# block allowAny <-> allowFromLighthouse, and allowAny -> allowFromLighthouse should still work.
257
+
${blockTrafficBetween "allowAny" "allowFromLighthouse"}
258
+
allowFromLighthouse.succeed("ping -c10 10.0.100.2")
259
+
allowAny.succeed("ping -c10 10.0.100.3")
260
+
${allowTrafficBetween "allowAny" "allowFromLighthouse"}
261
+
allowFromLighthouse.succeed("ping -c10 10.0.100.2")
262
+
allowAny.succeed("ping -c10 10.0.100.3")
264
+
# allowToLighthouse can ping allowAny if allowAny pings it first
265
+
allowAny.succeed("ping -c3 10.0.100.4")
266
+
allowToLighthouse.succeed("ping -c3 10.0.100.2")
268
+
# block allowToLighthouse <-> allowAny, and allowAny <-> allowToLighthouse should still work.
269
+
${blockTrafficBetween "allowAny" "allowToLighthouse"}
270
+
allowAny.succeed("ping -c10 10.0.100.4")
271
+
allowToLighthouse.succeed("ping -c10 10.0.100.2")
272
+
${allowTrafficBetween "allowAny" "allowToLighthouse"}
273
+
allowAny.succeed("ping -c10 10.0.100.4")
274
+
allowToLighthouse.succeed("ping -c10 10.0.100.2")
276
+
# block lighthouse <-> allowFromLighthouse and allowAny <-> allowFromLighthouse; allowFromLighthouse won't get to allowAny
277
+
${blockTrafficBetween "allowFromLighthouse" "lighthouse"}
278
+
${blockTrafficBetween "allowFromLighthouse" "allowAny"}
279
+
allowFromLighthouse.fail("ping -c3 10.0.100.2")
280
+
${allowTrafficBetween "allowFromLighthouse" "lighthouse"}
281
+
${allowTrafficBetween "allowFromLighthouse" "allowAny"}
282
+
allowFromLighthouse.succeed("ping -c3 10.0.100.2")
284
+
# block lighthouse <-> allowAny, allowAny <-> allowFromLighthouse, and allowAny <-> allowToLighthouse; it won't get to allowFromLighthouse or allowToLighthouse
285
+
${blockTrafficBetween "allowAny" "lighthouse"}
286
+
${blockTrafficBetween "allowAny" "allowFromLighthouse"}
287
+
${blockTrafficBetween "allowAny" "allowToLighthouse"}
288
+
allowFromLighthouse.fail("ping -c3 10.0.100.2")
289
+
allowAny.fail("ping -c3 10.0.100.3")
290
+
allowAny.fail("ping -c3 10.0.100.4")
291
+
${allowTrafficBetween "allowAny" "lighthouse"}
292
+
${allowTrafficBetween "allowAny" "allowFromLighthouse"}
293
+
${allowTrafficBetween "allowAny" "allowToLighthouse"}
294
+
allowFromLighthouse.succeed("ping -c3 10.0.100.2")
295
+
allowAny.succeed("ping -c3 10.0.100.3")
296
+
allowAny.succeed("ping -c3 10.0.100.4")
298
+
# block lighthouse <-> allowToLighthouse and allowToLighthouse <-> allowAny; it won't get to allowAny
299
+
${blockTrafficBetween "allowToLighthouse" "lighthouse"}
300
+
${blockTrafficBetween "allowToLighthouse" "allowAny"}
301
+
allowAny.fail("ping -c3 10.0.100.4")
302
+
allowToLighthouse.fail("ping -c3 10.0.100.2")
303
+
${allowTrafficBetween "allowToLighthouse" "lighthouse"}
304
+
${allowTrafficBetween "allowToLighthouse" "allowAny"}
305
+
allowAny.succeed("ping -c3 10.0.100.4")
306
+
allowToLighthouse.succeed("ping -c3 10.0.100.2")
pyrox.dev