commit ef29596a75e167a624212aad78cbf4346880679e · pyrox.dev/nixpkgs

+4 -1

nixos/tests/all-tests.nix

···

       1553
       1553
        
         whoogle-search = runTest ./whoogle-search.nix;

     

       1554
       1554
        
         wiki-js = runTest ./wiki-js.nix;

     

       1555
       1555
        
         wine = handleTest ./wine.nix { };

     

       1556
       1556
       -
         wireguard = handleTest ./wireguard { };

     

       1556
       1556
       +
         wireguard = import ./wireguard {

     

       1557
       1557
       +
           inherit pkgs runTest;

     

       1558
       1558
       +
           inherit (pkgs) lib;

     

       1559
       1559
       +
         };

     

       1557
       1560
        
         wg-access-server = runTest ./wg-access-server.nix;

     

       1558
       1561
        
         without-nix = runTest ./without-nix.nix;

     

       1559
       1562
        
         wmderland = runTest ./wmderland.nix;

+97 -102

nixos/tests/wireguard/amneziawg-quick.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           nftables ? false,

     

       7
       7
       -
           ...

     

       8
       8
       -
         }:

     

       9
       9
       -
         let

     

       10
       10
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       11
       11
       -
           peer = import ./make-peer.nix { inherit lib; };

     

       12
       12
       -
           commonConfig = {

     

       13
       13
       -
             boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         nftables ? false,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       9
       9
       +
         peer = import ./make-peer.nix;

     

       10
       10
       +
         commonConfig =

     

       11
       11
       +
           { pkgs, ... }:

     

       12
       12
       +
           {

     

       13
       13
       +
             boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       14
       14
        
             networking.nftables.enable = nftables;

     

       15
       15
        
             # Make sure iptables doesn't work with nftables enabled

     

       16
       16
        
             boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];

     

       17
       17
        
           };

     

       18
       18
       -
           extraOptions = {

     

       19
       19
       -
             Jc = 5;

     

       20
       20
       -
             Jmin = 10;

     

       21
       21
       -
             Jmax = 42;

     

       22
       22
       -
             S1 = 60;

     

       23
       23
       -
             S2 = 90;

     

       24
       24
       -
           };

     

       25
       25
       -
         in

     

       26
       26
       -
         {

     

       27
       27
       -
           name = "amneziawg-quick";

     

       28
       28
       -
           meta = with pkgs.lib.maintainers; {

     

       29
       29
       -
             maintainers = [

     

       30
       30
       -
               averyanalex

     

       31
       31
       -
               azahi

     

       32
       32
       -
             ];

     

       33
       33
       -
           };

     

       18
       18
       +
         extraOptions = {

     

       19
       19
       +
           Jc = 5;

     

       20
       20
       +
           Jmin = 10;

     

       21
       21
       +
           Jmax = 42;

     

       22
       22
       +
           S1 = 60;

     

       23
       23
       +
           S2 = 90;

     

       24
       24
       +
         };

     

       25
       25
       +
       in

     

       26
       26
       +
       {

     

       27
       27
       +
         name = "amneziawg-quick";

     

       28
       28
       +
         meta.maintainers = with lib.maintainers; [

     

       29
       29
       +
           averyanalex

     

       30
       30
       +
           azahi

     

       31
       31
       +
         ];

     

       34
       32
        
       

     

       35
       35
       -
           nodes = {

     

       36
       36
       -
             peer0 = peer {

     

       37
       37
       -
               ip4 = "192.168.0.1";

     

       38
       38
       -
               ip6 = "fd00::1";

     

       39
       39
       -
               extraConfig = lib.mkMerge [

     

       40
       40
       -
                 commonConfig

     

       41
       41
       -
                 {

     

       42
       42
       -
                   networking.firewall.allowedUDPPorts = [ 23542 ];

     

       43
       43
       -
                   networking.wg-quick.interfaces.wg0 = {

     

       44
       44
       -
                     type = "amneziawg";

     

       33
       33
       +
         nodes = {

     

       34
       34
       +
           peer0 = peer {

     

       35
       35
       +
             ip4 = "192.168.0.1";

     

       36
       36
       +
             ip6 = "fd00::1";

     

       37
       37
       +
             extraConfig = {

     

       38
       38
       +
               imports = [ commonConfig ];

     

       45
       39
        
       

     

       46
       46
       -
                     address = [

     

       47
       47
       -
                       "10.23.42.1/32"

     

       48
       48
       -
                       "fc00::1/128"

     

       49
       49
       -
                     ];

     

       50
       50
       -
                     listenPort = 23542;

     

       40
       40
       +
               networking.firewall.allowedUDPPorts = [ 23542 ];

     

       41
       41
       +
               networking.wg-quick.interfaces.wg0 = {

     

       42
       42
       +
                 type = "amneziawg";

     

       43
       43
       +
       

     

       44
       44
       +
                 address = [

     

       45
       45
       +
                   "10.23.42.1/32"

     

       46
       46
       +
                   "fc00::1/128"

     

       47
       47
       +
                 ];

     

       48
       48
       +
                 listenPort = 23542;

     

       51
       49
        
       

     

       52
       52
       -
                     inherit (wg-snakeoil-keys.peer0) privateKey;

     

       50
       50
       +
                 inherit (wg-snakeoil-keys.peer0) privateKey;

     

       53
       51
        
       

     

       54
       54
       -
                     peers = lib.singleton {

     

       55
       55
       -
                       allowedIPs = [

     

       56
       56
       -
                         "10.23.42.2/32"

     

       57
       57
       -
                         "fc00::2/128"

     

       58
       58
       -
                       ];

     

       52
       52
       +
                 peers = lib.singleton {

     

       53
       53
       +
                   allowedIPs = [

     

       54
       54
       +
                     "10.23.42.2/32"

     

       55
       55
       +
                     "fc00::2/128"

     

       56
       56
       +
                   ];

     

       59
       57
        
       

     

       60
       60
       -
                       inherit (wg-snakeoil-keys.peer1) publicKey;

     

       61
       61
       -
                     };

     

       58
       58
       +
                   inherit (wg-snakeoil-keys.peer1) publicKey;

     

       59
       59
       +
                 };

     

       62
       60
        
       

     

       63
       63
       -
                     dns = [

     

       64
       64
       -
                       "10.23.42.2"

     

       65
       65
       -
                       "fc00::2"

     

       66
       66
       -
                       "wg0"

     

       67
       67
       -
                     ];

     

       61
       61
       +
                 dns = [

     

       62
       62
       +
                   "10.23.42.2"

     

       63
       63
       +
                   "fc00::2"

     

       64
       64
       +
                   "wg0"

     

       65
       65
       +
                 ];

     

       68
       66
        
       

     

       69
       69
       -
                     inherit extraOptions;

     

       70
       70
       -
                   };

     

       71
       71
       -
                 }

     

       72
       72
       -
               ];

     

       67
       67
       +
                 inherit extraOptions;

     

       68
       68
       +
               };

     

       73
       69
        
             };

     

       70
       70
       +
           };

     

       74
       71
        
       

     

       75
       75
       -
             peer1 = peer {

     

       76
       76
       -
               ip4 = "192.168.0.2";

     

       77
       77
       -
               ip6 = "fd00::2";

     

       78
       78
       -
               extraConfig = lib.mkMerge [

     

       79
       79
       -
                 commonConfig

     

       80
       80
       -
                 {

     

       81
       81
       -
                   networking.useNetworkd = true;

     

       82
       82
       -
                   networking.wg-quick.interfaces.wg0 = {

     

       83
       83
       -
                     type = "amneziawg";

     

       72
       72
       +
           peer1 = peer {

     

       73
       73
       +
             ip4 = "192.168.0.2";

     

       74
       74
       +
             ip6 = "fd00::2";

     

       75
       75
       +
             extraConfig = {

     

       76
       76
       +
               imports = [ commonConfig ];

     

       77
       77
       +
       

     

       78
       78
       +
               networking.useNetworkd = true;

     

       79
       79
       +
               networking.wg-quick.interfaces.wg0 = {

     

       80
       80
       +
                 type = "amneziawg";

     

       84
       81
        
       

     

       85
       85
       -
                     address = [

     

       86
       86
       -
                       "10.23.42.2/32"

     

       87
       87
       -
                       "fc00::2/128"

     

       88
       88
       -
                     ];

     

       89
       89
       -
                     inherit (wg-snakeoil-keys.peer1) privateKey;

     

       82
       82
       +
                 address = [

     

       83
       83
       +
                   "10.23.42.2/32"

     

       84
       84
       +
                   "fc00::2/128"

     

       85
       85
       +
                 ];

     

       86
       86
       +
                 inherit (wg-snakeoil-keys.peer1) privateKey;

     

       90
       87
        
       

     

       91
       91
       -
                     peers = lib.singleton {

     

       92
       92
       -
                       allowedIPs = [

     

       93
       93
       -
                         "0.0.0.0/0"

     

       94
       94
       -
                         "::/0"

     

       95
       95
       -
                       ];

     

       96
       96
       -
                       endpoint = "192.168.0.1:23542";

     

       97
       97
       -
                       persistentKeepalive = 25;

     

       88
       88
       +
                 peers = lib.singleton {

     

       89
       89
       +
                   allowedIPs = [

     

       90
       90
       +
                     "0.0.0.0/0"

     

       91
       91
       +
                     "::/0"

     

       92
       92
       +
                   ];

     

       93
       93
       +
                   endpoint = "192.168.0.1:23542";

     

       94
       94
       +
                   persistentKeepalive = 25;

     

       98
       95
        
       

     

       99
       99
       -
                       inherit (wg-snakeoil-keys.peer0) publicKey;

     

       100
       100
       -
                     };

     

       96
       96
       +
                   inherit (wg-snakeoil-keys.peer0) publicKey;

     

       97
       97
       +
                 };

     

       101
       98
        
       

     

       102
       102
       -
                     dns = [

     

       103
       103
       -
                       "10.23.42.1"

     

       104
       104
       -
                       "fc00::1"

     

       105
       105
       -
                       "wg0"

     

       106
       106
       -
                     ];

     

       99
       99
       +
                 dns = [

     

       100
       100
       +
                   "10.23.42.1"

     

       101
       101
       +
                   "fc00::1"

     

       102
       102
       +
                   "wg0"

     

       103
       103
       +
                 ];

     

       107
       104
        
       

     

       108
       108
       -
                     inherit extraOptions;

     

       109
       109
       -
                   };

     

       110
       110
       -
                 }

     

       111
       111
       -
               ];

     

       105
       105
       +
                 inherit extraOptions;

     

       106
       106
       +
               };

     

       112
       107
        
             };

     

       113
       108
        
           };

     

       109
       109
       +
         };

     

       114
       110
        
       

     

       115
       115
       -
           testScript = ''

     

       116
       116
       -
             start_all()

     

       111
       111
       +
         testScript = ''

     

       112
       112
       +
           start_all()

     

       117
       113
        
       

     

       118
       118
       -
             peer0.wait_for_unit("wg-quick-wg0.service")

     

       119
       119
       -
             peer1.wait_for_unit("wg-quick-wg0.service")

     

       114
       114
       +
           peer0.wait_for_unit("wg-quick-wg0.service")

     

       115
       115
       +
           peer1.wait_for_unit("wg-quick-wg0.service")

     

       120
       116
        
       

     

       121
       121
       -
             peer1.succeed("ping -c5 fc00::1")

     

       122
       122
       -
             peer1.succeed("ping -c5 10.23.42.1")

     

       123
       123
       -
           '';

     

       124
       124
       -
         }

     

       125
       125
       -
       )

     

       117
       117
       +
           peer1.succeed("ping -c5 fc00::1")

     

       118
       118
       +
           peer1.succeed("ping -c5 10.23.42.1")

     

       119
       119
       +
         '';

     

       120
       120
       +
       }

+50 -51

nixos/tests/wireguard/amneziawg.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           ...

     

       7
       7
       -
         }:

     

       8
       8
       -
         let

     

       9
       9
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       10
       10
       -
           peer = (import ./make-peer.nix) { inherit lib; };

     

       11
       11
       -
           extraOptions = {

     

       12
       12
       -
             Jc = 5;

     

       13
       13
       -
             Jmin = 10;

     

       14
       14
       -
             Jmax = 42;

     

       15
       15
       -
             S1 = 60;

     

       16
       16
       -
             S2 = 90;

     

       17
       17
       -
           };

     

       18
       18
       -
         in

     

       19
       19
       -
         {

     

       20
       20
       -
           name = "amneziawg";

     

       21
       21
       -
           meta = with pkgs.lib.maintainers; {

     

       22
       22
       -
             maintainers = [

     

       23
       23
       -
               averyanalex

     

       24
       24
       -
               azahi

     

       25
       25
       -
             ];

     

       26
       26
       -
           };

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       let

     

       7
       7
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       8
       8
       +
         peer = import ./make-peer.nix;

     

       9
       9
       +
         extraOptions = {

     

       10
       10
       +
           Jc = 5;

     

       11
       11
       +
           Jmin = 10;

     

       12
       12
       +
           Jmax = 42;

     

       13
       13
       +
           S1 = 60;

     

       14
       14
       +
           S2 = 90;

     

       15
       15
       +
         };

     

       16
       16
       +
       in

     

       17
       17
       +
       {

     

       18
       18
       +
         name = "amneziawg";

     

       19
       19
       +
         meta.maintainers = with lib.maintainers; [

     

       20
       20
       +
           averyanalex

     

       21
       21
       +
           azahi

     

       22
       22
       +
         ];

     

       27
       23
        
       

     

       28
       28
       -
           nodes = {

     

       29
       29
       -
             peer0 = peer {

     

       30
       30
       -
               ip4 = "192.168.0.1";

     

       31
       31
       -
               ip6 = "fd00::1";

     

       32
       32
       -
               extraConfig = {

     

       33
       33
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       24
       24
       +
         nodes = {

     

       25
       25
       +
           peer0 = peer {

     

       26
       26
       +
             ip4 = "192.168.0.1";

     

       27
       27
       +
             ip6 = "fd00::1";

     

       28
       28
       +
             extraConfig =

     

       29
       29
       +
               { lib, pkgs, ... }:

     

       30
       30
       +
               {

     

       31
       31
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       34
       32
        
                 networking.firewall.allowedUDPPorts = [ 23542 ];

     

       35
       33
        
                 networking.wireguard.interfaces.wg0 = {

     

       36
       34
        
                   type = "amneziawg";

     
···

       54
       52
        
                   inherit extraOptions;

     

       55
       53
        
                 };

     

       56
       54
        
               };

     

       57
       57
       -
             };

     

       55
       55
       +
           };

     

       58
       56
        
       

     

       59
       59
       -
             peer1 = peer {

     

       60
       60
       -
               ip4 = "192.168.0.2";

     

       61
       61
       -
               ip6 = "fd00::2";

     

       62
       62
       -
               extraConfig = {

     

       63
       63
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       57
       57
       +
           peer1 = peer {

     

       58
       58
       +
             ip4 = "192.168.0.2";

     

       59
       59
       +
             ip6 = "fd00::2";

     

       60
       60
       +
             extraConfig =

     

       61
       61
       +
               { lib, pkgs, ... }:

     

       62
       62
       +
               {

     

       63
       63
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       64
       64
        
                 networking.wireguard.interfaces.wg0 = {

     

       65
       65
        
                   type = "amneziawg";

     

       66
       66
        
                   ips = [

     
···

       85
       85
        
       

     

       86
       86
        
                   postSetup =

     

       87
       87
        
                     let

     

       88
       88
       -
                       inherit (pkgs) iproute2;

     

       88
       88
       +
                       ip = lib.getExe' pkgs.iproute2 "ip";

     

       89
       89
        
                     in

     

       90
       90
        
                     ''

     

       91
       91
       -
                       ${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0

     

       92
       92
       -
                       ${iproute2}/bin/ip route replace fc00::1/128 dev wg0

     

       91
       91
       +
                       ${ip} route replace 10.23.42.1/32 dev wg0

     

       92
       92
       +
                       ${ip} route replace fc00::1/128 dev wg0

     

       93
       93
        
                     '';

     

       94
       94
        
       

     

       95
       95
        
                   inherit extraOptions;

     

       96
       96
        
                 };

     

       97
       97
        
               };

     

       98
       98
       -
             };

     

       99
       98
        
           };

     

       99
       99
       +
         };

     

       100
       100
        
       

     

       101
       101
       -
           testScript = ''

     

       102
       102
       -
             start_all()

     

       101
       101
       +
         testScript = ''

     

       102
       102
       +
           start_all()

     

       103
       103
        
       

     

       104
       104
       -
             peer0.wait_for_unit("wireguard-wg0.service")

     

       105
       105
       -
             peer1.wait_for_unit("wireguard-wg0.service")

     

       104
       104
       +
           peer0.wait_for_unit("wireguard-wg0.service")

     

       105
       105
       +
           peer1.wait_for_unit("wireguard-wg0.service")

     

       106
       106
        
       

     

       107
       107
       -
             peer1.succeed("ping -c5 fc00::1")

     

       108
       108
       -
             peer1.succeed("ping -c5 10.23.42.1")

     

       109
       109
       -
           '';

     

       110
       110
       -
         }

     

       111
       111
       -
       )

     

       107
       107
       +
           peer1.succeed("ping -c5 fc00::1")

     

       108
       108
       +
           peer1.succeed("ping -c5 10.23.42.1")

     

       109
       109
       +
         '';

     

       110
       110
       +
       }

+40 -41

nixos/tests/wireguard/basic.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           ...

     

       7
       7
       -
         }:

     

       8
       8
       -
         let

     

       9
       9
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       10
       10
       -
           peer = (import ./make-peer.nix) { inherit lib; };

     

       11
       11
       -
         in

     

       12
       12
       -
         {

     

       13
       13
       -
           name = "wireguard";

     

       14
       14
       -
           meta = with pkgs.lib.maintainers; {

     

       15
       15
       -
             maintainers = [ ma27 ];

     

       16
       16
       -
           };

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       let

     

       7
       7
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       8
       8
       +
         peer = import ./make-peer.nix;

     

       9
       9
       +
       in

     

       10
       10
       +
       {

     

       11
       11
       +
         name = "wireguard";

     

       12
       12
       +
         meta.maintainers = with lib.maintainers; [ ma27 ];

     

       17
       13
        
       

     

       18
       18
       -
           nodes = {

     

       19
       19
       -
             peer0 = peer {

     

       20
       20
       -
               ip4 = "192.168.0.1";

     

       21
       21
       -
               ip6 = "fd00::1";

     

       22
       22
       -
               extraConfig = {

     

       23
       23
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       14
       14
       +
         nodes = {

     

       15
       15
       +
           peer0 = peer {

     

       16
       16
       +
             ip4 = "192.168.0.1";

     

       17
       17
       +
             ip6 = "fd00::1";

     

       18
       18
       +
             extraConfig =

     

       19
       19
       +
               { lib, pkgs, ... }:

     

       20
       20
       +
               {

     

       21
       21
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       24
       22
        
                 networking.firewall.allowedUDPPorts = [ 23542 ];

     

       25
       23
        
                 networking.wireguard.interfaces.wg0 = {

     

       26
       24
        
                   ips = [

     
···

       41
       39
        
                   };

     

       42
       40
        
                 };

     

       43
       41
        
               };

     

       44
       44
       -
             };

     

       42
       42
       +
           };

     

       45
       43
        
       

     

       46
       46
       -
             peer1 = peer {

     

       47
       47
       -
               ip4 = "192.168.0.2";

     

       48
       48
       -
               ip6 = "fd00::2";

     

       49
       49
       -
               extraConfig = {

     

       50
       50
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       44
       44
       +
           peer1 = peer {

     

       45
       45
       +
             ip4 = "192.168.0.2";

     

       46
       46
       +
             ip6 = "fd00::2";

     

       47
       47
       +
             extraConfig =

     

       48
       48
       +
               { lib, pkgs, ... }:

     

       49
       49
       +
               {

     

       50
       50
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       51
       51
        
                 networking.wireguard.interfaces.wg0 = {

     

       52
       52
        
                   ips = [

     

       53
       53
        
                     "10.23.42.2/32"

     
···

       71
       71
        
       

     

       72
       72
        
                   postSetup =

     

       73
       73
        
                     let

     

       74
       74
       -
                       inherit (pkgs) iproute2;

     

       74
       74
       +
                       ip = lib.getExe' pkgs.iproute2 "ip";

     

       75
       75
        
                     in

     

       76
       76
        
                     ''

     

       77
       77
       -
                       ${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0

     

       78
       78
       -
                       ${iproute2}/bin/ip route replace fc00::1/128 dev wg0

     

       77
       77
       +
                       ${ip} route replace 10.23.42.1/32 dev wg0

     

       78
       78
       +
                       ${ip} route replace fc00::1/128 dev wg0

     

       79
       79
        
                     '';

     

       80
       80
        
                 };

     

       81
       81
        
               };

     

       82
       82
       -
             };

     

       83
       82
        
           };

     

       83
       83
       +
         };

     

       84
       84
        
       

     

       85
       85
       -
           testScript = ''

     

       86
       86
       -
             start_all()

     

       85
       85
       +
         testScript = ''

     

       86
       86
       +
           start_all()

     

       87
       87
        
       

     

       88
       88
       -
             peer0.wait_for_unit("wireguard-wg0.service")

     

       89
       89
       -
             peer1.wait_for_unit("wireguard-wg0.service")

     

       88
       88
       +
           peer0.wait_for_unit("wireguard-wg0.service")

     

       89
       89
       +
           peer1.wait_for_unit("wireguard-wg0.service")

     

       90
       90
        
       

     

       91
       91
       -
             peer1.succeed("ping -c5 fc00::1")

     

       92
       92
       -
             peer1.succeed("ping -c5 10.23.42.1")

     

       93
       93
       -
           '';

     

       94
       94
       -
         }

     

       95
       95
       -
       )

     

       91
       91
       +
           peer1.succeed("ping -c5 fc00::1")

     

       92
       92
       +
           peer1.succeed("ping -c5 10.23.42.1")

     

       93
       93
       +
         '';

     

       94
       94
       +
       }

+19 -16

nixos/tests/wireguard/default.nix

···

       1
       1
        
       {

     

       2
       2
       -
         system ? builtins.currentSystem,

     

       3
       3
       -
         config ? { },

     

       4
       4
       -
         pkgs ? import ../../.. { inherit system config; },

     

       2
       2
       +
         runTest,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         pkgs,

     

       5
       5
        
         # Test current default (LTS) and latest kernel

     

       6
       6
        
         kernelVersionsToTest ? [

     

       7
       7
       -
           (pkgs.lib.versions.majorMinor pkgs.linuxPackages.kernel.version)

     

       7
       7
       +
           (lib.versions.majorMinor pkgs.linuxPackages.kernel.version)

     

       8
       8
        
           "latest"

     

       9
       9
        
         ],

     

       10
       10
        
       }:

     

       11
       11
        
       

     

       12
       12
       -
       with pkgs.lib;

     

       13
       13
       -
       

     

       14
       12
        
       let

     

       15
       13
        
         tests =

     

       16
       14
        
           let

     

       17
       17
       -
             callTest = p: args: import p ({ inherit system pkgs; } // args);

     

       15
       15
       +
             callTest =

     

       16
       16
       +
               p: args:

     

       17
       17
       +
               runTest {

     

       18
       18
       +
                 imports = [ p ];

     

       19
       19
       +
                 _module = { inherit args; };

     

       20
       20
       +
               };

     

       18
       21
        
           in

     

       19
       22
        
           {

     

       20
       23
        
             basic = callTest ./basic.nix;

     

       21
       24
        
             amneziawg = callTest ./amneziawg.nix;

     

       22
       25
        
             namespaces = callTest ./namespaces.nix;

     

       23
       26
        
             networkd = callTest ./networkd.nix;

     

       24
       24
       -
             wg-quick = callTest ./wg-quick.nix;

     

       27
       27
       +
             wg-quick = args: callTest ./wg-quick.nix ({ nftables = false; } // args);

     

       25
       28
        
             wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);

     

       26
       26
       -
             amneziawg-quick = callTest ./amneziawg-quick.nix;

     

       29
       29
       +
             amneziawg-quick = args: callTest ./amneziawg-quick.nix ({ nftables = false; } // args);

     

       27
       30
        
             generated = callTest ./generated.nix;

     

       28
       28
       -
             dynamic-refresh = callTest ./dynamic-refresh.nix;

     

       31
       31
       +
             dynamic-refresh = args: callTest ./dynamic-refresh.nix ({ useNetworkd = false; } // args);

     

       29
       32
        
             dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);

     

       30
       33
        
           };

     

       31
       34
        
       in

     

       32
       35
        
       

     

       33
       33
       -
       listToAttrs (

     

       34
       34
       -
         flip concatMap kernelVersionsToTest (

     

       36
       36
       +
       lib.listToAttrs (

     

       37
       37
       +
         lib.flip lib.concatMap kernelVersionsToTest (

     

       35
       38
        
           version:

     

       36
       39
        
           let

     

       37
       37
       -
             v' = replaceStrings [ "." ] [ "_" ] version;

     

       40
       40
       +
             v' = lib.replaceString "." "_" version;

     

       38
       41
        
           in

     

       39
       39
       -
           flip mapAttrsToList tests (

     

       42
       42
       +
           lib.flip lib.mapAttrsToList tests (

     

       40
       43
        
             name: test:

     

       41
       41
       -
             nameValuePair "wireguard-${name}-linux-${v'}" (test {

     

       44
       44
       +
             lib.nameValuePair "wireguard-${name}-linux-${v'}" (test {

     

       42
       45
        
               kernelPackages =

     

       43
       43
       -
                 if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";

     

       46
       46
       +
                 pkgs: if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";

     

       44
       47
        
             })

     

       45
       48
        
           )

     

       46
       49
        
         )

+69 -67

nixos/tests/wireguard/dynamic-refresh.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           useNetworkd ? false,

     

       7
       7
       -
           ...

     

       8
       8
       -
         }:

     

       9
       9
       -
         let

     

       10
       10
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       11
       11
       -
         in

     

       12
       12
       -
         {

     

       13
       13
       -
           name = "wireguard-dynamic-refresh";

     

       14
       14
       -
           meta = with lib.maintainers; {

     

       15
       15
       -
             maintainers = [ majiir ];

     

       16
       16
       -
           };

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         useNetworkd ? false,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       9
       9
       +
       in

     

       10
       10
       +
       {

     

       11
       11
       +
         name = "wireguard-dynamic-refresh";

     

       12
       12
       +
         meta.maintainers = with lib.maintainers; [ majiir ];

     

       17
       13
        
       

     

       18
       18
       -
           nodes = {

     

       19
       19
       -
             server = {

     

       14
       14
       +
         nodes = {

     

       15
       15
       +
           server =

     

       16
       16
       +
             { lib, pkgs, ... }:

     

       17
       17
       +
             {

     

       20
       18
        
               virtualisation.vlans = [

     

       21
       19
        
                 1

     

       22
       20
        
                 2

     

       23
       21
        
               ];

     

       24
       24
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       22
       22
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       25
       23
        
               networking.firewall.allowedUDPPorts = [ 23542 ];

     

       26
       24
        
               networking.useDHCP = false;

     

       27
       25
        
               networking.wireguard.useNetworkd = useNetworkd;

     
···

       40
       38
        
               };

     

       41
       39
        
             };

     

       42
       40
        
       

     

       43
       43
       -
             client =

     

       44
       44
       -
               { nodes, ... }:

     

       45
       45
       -
               {

     

       46
       46
       -
                 virtualisation.vlans = [

     

       47
       47
       -
                   1

     

       48
       48
       -
                   2

     

       49
       49
       -
                 ];

     

       50
       50
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       51
       51
       -
                 networking.useDHCP = false;

     

       52
       52
       -
                 networking.wireguard.useNetworkd = useNetworkd;

     

       53
       53
       -
                 networking.wireguard.interfaces.wg0 = {

     

       54
       54
       -
                   ips = [ "10.23.42.2/32" ];

     

       41
       41
       +
           client =

     

       42
       42
       +
             {

     

       43
       43
       +
               nodes,

     

       44
       44
       +
               lib,

     

       45
       45
       +
               pkgs,

     

       46
       46
       +
               ...

     

       47
       47
       +
             }:

     

       48
       48
       +
             {

     

       49
       49
       +
               virtualisation.vlans = [

     

       50
       50
       +
                 1

     

       51
       51
       +
                 2

     

       52
       52
       +
               ];

     

       53
       53
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       54
       54
       +
               networking.useDHCP = false;

     

       55
       55
       +
               networking.wireguard.useNetworkd = useNetworkd;

     

       56
       56
       +
               networking.wireguard.interfaces.wg0 = {

     

       57
       57
       +
                 ips = [ "10.23.42.2/32" ];

     

       55
       58
        
       

     

       56
       56
       -
                   # !!! Don't do this with real keys. The /nix store is world-readable!

     

       57
       57
       -
                   privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);

     

       59
       59
       +
                 # !!! Don't do this with real keys. The /nix store is world-readable!

     

       60
       60
       +
                 privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);

     

       58
       61
        
       

     

       59
       59
       -
                   dynamicEndpointRefreshSeconds = 2;

     

       62
       62
       +
                 dynamicEndpointRefreshSeconds = 2;

     

       60
       63
        
       

     

       61
       61
       -
                   peers = lib.singleton {

     

       62
       62
       -
                     allowedIPs = [

     

       63
       63
       -
                       "0.0.0.0/0"

     

       64
       64
       -
                       "::/0"

     

       65
       65
       -
                     ];

     

       66
       66
       -
                     endpoint = "server:23542";

     

       64
       64
       +
                 peers = lib.singleton {

     

       65
       65
       +
                   allowedIPs = [

     

       66
       66
       +
                     "0.0.0.0/0"

     

       67
       67
       +
                     "::/0"

     

       68
       68
       +
                   ];

     

       69
       69
       +
                   endpoint = "server:23542";

     

       67
       70
        
       

     

       68
       68
       -
                     inherit (wg-snakeoil-keys.peer0) publicKey;

     

       69
       69
       -
                   };

     

       71
       71
       +
                   inherit (wg-snakeoil-keys.peer0) publicKey;

     

       70
       72
        
                 };

     

       73
       73
       +
               };

     

       71
       74
        
       

     

       72
       72
       -
                 specialisation.update-hosts.configuration = {

     

       73
       73
       -
                   networking.extraHosts =

     

       74
       74
       -
                     let

     

       75
       75
       -
                       testCfg = nodes.server.virtualisation.test;

     

       76
       76
       -
                     in

     

       77
       77
       -
                     lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";

     

       78
       78
       -
                 };

     

       75
       75
       +
               specialisation.update-hosts.configuration = {

     

       76
       76
       +
                 networking.extraHosts =

     

       77
       77
       +
                   let

     

       78
       78
       +
                     testCfg = nodes.server.virtualisation.test;

     

       79
       79
       +
                   in

     

       80
       80
       +
                   lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";

     

       79
       81
        
               };

     

       80
       80
       -
           };

     

       82
       82
       +
             };

     

       83
       83
       +
         };

     

       81
       84
        
       

     

       82
       82
       -
           testScript =

     

       83
       83
       -
             { nodes, ... }:

     

       84
       84
       -
             ''

     

       85
       85
       -
               start_all()

     

       85
       85
       +
         testScript =

     

       86
       86
       +
           { nodes, ... }:

     

       87
       87
       +
           ''

     

       88
       88
       +
             start_all()

     

       86
       89
        
       

     

       87
       87
       -
               server.systemctl("start network-online.target")

     

       88
       88
       -
               server.wait_for_unit("network-online.target")

     

       90
       90
       +
             server.systemctl("start network-online.target")

     

       91
       91
       +
             server.wait_for_unit("network-online.target")

     

       89
       92
        
       

     

       90
       90
       -
               client.systemctl("start network-online.target")

     

       91
       91
       -
               client.wait_for_unit("network-online.target")

     

       93
       93
       +
             client.systemctl("start network-online.target")

     

       94
       94
       +
             client.wait_for_unit("network-online.target")

     

       92
       95
        
       

     

       93
       93
       -
               client.succeed("ping -n -w 1 -c 1 10.23.42.1")

     

       96
       96
       +
             client.succeed("ping -n -w 1 -c 1 10.23.42.1")

     

       94
       97
        
       

     

       95
       95
       -
               client.succeed("ip link set down eth1")

     

       98
       98
       +
             client.succeed("ip link set down eth1")

     

       96
       99
        
       

     

       97
       97
       -
               client.fail("ping -n -w 1 -c 1 10.23.42.1")

     

       100
       100
       +
             client.fail("ping -n -w 1 -c 1 10.23.42.1")

     

       98
       101
        
       

     

       99
       99
       -
               with client.nested("update hosts file"):

     

       100
       100
       -
                 client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")

     

       102
       102
       +
             with client.nested("update hosts file"):

     

       103
       103
       +
               client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")

     

       101
       104
        
       

     

       102
       102
       -
               client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")

     

       103
       103
       -
             '';

     

       104
       104
       -
         }

     

       105
       105
       -
       )

     

       105
       105
       +
             client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")

     

       106
       106
       +
           '';

     

       107
       107
       +
       }

+47 -48

nixos/tests/wireguard/generated.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           ...

     

       7
       7
       -
         }:

     

       8
       8
       -
         {

     

       9
       9
       -
           name = "wireguard-generated";

     

       10
       10
       -
           meta = with pkgs.lib.maintainers; {

     

       11
       11
       -
             maintainers = [

     

       12
       12
       -
               ma27

     

       13
       13
       -
               grahamc

     

       14
       14
       -
             ];

     

       15
       15
       -
           };

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       {

     

       7
       7
       +
         name = "wireguard-generated";

     

       8
       8
       +
         meta.maintainers = with lib.maintainers; [

     

       9
       9
       +
           ma27

     

       10
       10
       +
           grahamc

     

       11
       11
       +
         ];

     

       16
       12
        
       

     

       17
       17
       -
           nodes = {

     

       18
       18
       -
             peer1 = {

     

       19
       19
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       13
       13
       +
         nodes = {

     

       14
       14
       +
           peer1 =

     

       15
       15
       +
             { lib, pkgs, ... }:

     

       16
       16
       +
             {

     

       17
       17
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       20
       18
        
               networking.firewall.allowedUDPPorts = [ 12345 ];

     

       21
       19
        
               networking.wireguard.interfaces.wg0 = {

     

       22
       20
        
                 ips = [ "10.10.10.1/24" ];

     
···

       27
       25
        
               };

     

       28
       26
        
             };

     

       29
       27
        
       

     

       30
       30
       -
             peer2 = {

     

       31
       31
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       28
       28
       +
           peer2 =

     

       29
       29
       +
             { lib, pkgs, ... }:

     

       30
       30
       +
             {

     

       31
       31
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       32
       32
        
               networking.firewall.allowedUDPPorts = [ 12345 ];

     

       33
       33
        
               networking.wireguard.interfaces.wg0 = {

     

       34
       34
        
                 ips = [ "10.10.10.2/24" ];

     
···

       37
       37
        
                 generatePrivateKeyFile = true;

     

       38
       38
        
               };

     

       39
       39
        
             };

     

       40
       40
       -
           };

     

       40
       40
       +
         };

     

       41
       41
        
       

     

       42
       42
       -
           testScript = ''

     

       43
       43
       -
             start_all()

     

       42
       42
       +
         testScript = ''

     

       43
       43
       +
           start_all()

     

       44
       44
        
       

     

       45
       45
       -
             peer1.wait_for_unit("wireguard-wg0.service")

     

       46
       46
       -
             peer2.wait_for_unit("wireguard-wg0.service")

     

       45
       45
       +
           peer1.wait_for_unit("wireguard-wg0.service")

     

       46
       46
       +
           peer2.wait_for_unit("wireguard-wg0.service")

     

       47
       47
        
       

     

       48
       48
       -
             retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")

     

       49
       49
       -
             if retcode != 0:

     

       50
       50
       -
                 raise Exception("Could not read public key from peer1")

     

       48
       48
       +
           retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")

     

       49
       49
       +
           if retcode != 0:

     

       50
       50
       +
               raise Exception("Could not read public key from peer1")

     

       51
       51
        
       

     

       52
       52
       -
             retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")

     

       53
       53
       -
             if retcode != 0:

     

       54
       54
       -
                 raise Exception("Could not read public key from peer2")

     

       52
       52
       +
           retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")

     

       53
       53
       +
           if retcode != 0:

     

       54
       54
       +
               raise Exception("Could not read public key from peer2")

     

       55
       55
        
       

     

       56
       56
       -
             peer1.succeed(

     

       57
       57
       -
                 "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(

     

       58
       58
       -
                     peer2pubkey.strip()

     

       59
       59
       -
                 )

     

       60
       60
       -
             )

     

       61
       61
       -
             peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")

     

       56
       56
       +
           peer1.succeed(

     

       57
       57
       +
               "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(

     

       58
       58
       +
                   peer2pubkey.strip()

     

       59
       59
       +
               )

     

       60
       60
       +
           )

     

       61
       61
       +
           peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")

     

       62
       62
        
       

     

       63
       63
       -
             peer2.succeed(

     

       64
       64
       -
                 "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(

     

       65
       65
       -
                     peer1pubkey.strip()

     

       66
       66
       -
                 )

     

       67
       67
       -
             )

     

       68
       68
       -
             peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")

     

       63
       63
       +
           peer2.succeed(

     

       64
       64
       +
               "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(

     

       65
       65
       +
                   peer1pubkey.strip()

     

       66
       66
       +
               )

     

       67
       67
       +
           )

     

       68
       68
       +
           peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")

     

       69
       69
        
       

     

       70
       70
       -
             peer1.succeed("ping -c1 10.10.10.2")

     

       71
       71
       -
             peer2.succeed("ping -c1 10.10.10.1")

     

       72
       72
       -
           '';

     

       73
       73
       -
         }

     

       74
       74
       -
       )

     

       70
       70
       +
           peer1.succeed("ping -c1 10.10.10.2")

     

       71
       71
       +
           peer2.succeed("ping -c1 10.10.10.1")

     

       72
       72
       +
         '';

     

       73
       73
       +
       }

+27 -26

nixos/tests/wireguard/make-peer.nix

···

       1
       1
       -
       { lib, ... }:

     

       2
       1
        
       {

     

       3
       2
        
         ip4,

     

       4
       3
        
         ip6,

     

       5
       4
        
         extraConfig,

     

       6
       5
        
       }:

     

       7
       7
       -
       lib.mkMerge [

     

       8
       8
       -
         {

     

       9
       9
       -
           boot.kernel.sysctl = {

     

       10
       10
       -
             "net.ipv6.conf.all.forwarding" = "1";

     

       11
       11
       -
             "net.ipv6.conf.default.forwarding" = "1";

     

       12
       12
       -
             "net.ipv4.ip_forward" = "1";

     

       13
       13
       -
           };

     

       6
       6
       +
       {

     

       7
       7
       +
         imports = [

     

       8
       8
       +
           {

     

       9
       9
       +
             boot.kernel.sysctl = {

     

       10
       10
       +
               "net.ipv6.conf.all.forwarding" = "1";

     

       11
       11
       +
               "net.ipv6.conf.default.forwarding" = "1";

     

       12
       12
       +
               "net.ipv4.ip_forward" = "1";

     

       13
       13
       +
             };

     

       14
       14
        
       

     

       15
       15
       -
           networking.useDHCP = false;

     

       16
       16
       -
           networking.interfaces.eth1 = {

     

       17
       17
       -
             ipv4.addresses = [

     

       18
       18
       -
               {

     

       19
       19
       -
                 address = ip4;

     

       20
       20
       -
                 prefixLength = 24;

     

       21
       21
       -
               }

     

       22
       22
       -
             ];

     

       23
       23
       -
             ipv6.addresses = [

     

       24
       24
       -
               {

     

       25
       25
       -
                 address = ip6;

     

       26
       26
       -
                 prefixLength = 64;

     

       27
       27
       -
               }

     

       28
       28
       -
             ];

     

       29
       29
       -
           };

     

       30
       30
       -
         }

     

       31
       31
       -
         extraConfig

     

       32
       32
       -
       ]

     

       15
       15
       +
             networking.useDHCP = false;

     

       16
       16
       +
             networking.interfaces.eth1 = {

     

       17
       17
       +
               ipv4.addresses = [

     

       18
       18
       +
                 {

     

       19
       19
       +
                   address = ip4;

     

       20
       20
       +
                   prefixLength = 24;

     

       21
       21
       +
                 }

     

       22
       22
       +
               ];

     

       23
       23
       +
               ipv6.addresses = [

     

       24
       24
       +
                 {

     

       25
       25
       +
                   address = ip6;

     

       26
       26
       +
                   prefixLength = 64;

     

       27
       27
       +
                 }

     

       28
       28
       +
               ];

     

       29
       29
       +
             };

     

       30
       30
       +
           }

     

       31
       31
       +
           extraConfig

     

       32
       32
       +
         ];

     

       33
       33
       +
       }

+44 -43

nixos/tests/wireguard/namespaces.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       1
       6
        
       let

     

       2
       7
        
         listenPort = 12345;

     

       3
       8
        
         socketNamespace = "foo";

     
···

       10
       15
        
             generatePrivateKeyFile = true;

     

       11
       16
        
           };

     

       12
       17
        
         };

     

       13
       13
       -
       

     

       14
       18
        
       in

     

       15
       15
       -
       

     

       16
       16
       -
       import ../make-test-python.nix (

     

       17
       17
       -
         {

     

       18
       18
       -
           pkgs,

     

       19
       19
       -
           lib,

     

       20
       20
       -
           kernelPackages ? null,

     

       21
       21
       -
           ...

     

       22
       22
       -
         }:

     

       23
       23
       -
         {

     

       24
       24
       -
           name = "wireguard-with-namespaces";

     

       25
       25
       -
           meta = with pkgs.lib.maintainers; {

     

       26
       26
       -
             maintainers = [ asymmetric ];

     

       27
       27
       -
           };

     

       19
       19
       +
       {

     

       20
       20
       +
         name = "wireguard-with-namespaces";

     

       21
       21
       +
         meta.maintainers = with lib.maintainers; [ asymmetric ];

     

       28
       22
        
       

     

       29
       29
       -
           nodes = {

     

       30
       30
       -
             # interface should be created in the socketNamespace

     

       31
       31
       -
             # and not moved from there

     

       32
       32
       -
             peer0 = pkgs.lib.attrsets.recursiveUpdate node {

     

       33
       33
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       23
       23
       +
         nodes = {

     

       24
       24
       +
           # interface should be created in the socketNamespace

     

       25
       25
       +
           # and not moved from there

     

       26
       26
       +
           peer0 =

     

       27
       27
       +
             { lib, pkgs, ... }:

     

       28
       28
       +
             lib.attrsets.recursiveUpdate node {

     

       29
       29
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       34
       30
        
               networking.wireguard.interfaces.wg0 = {

     

       35
       31
        
                 preSetup = ''

     

       36
       32
        
                   ip netns add ${socketNamespace}

     
···

       38
       34
        
                 inherit socketNamespace;

     

       39
       35
        
               };

     

       40
       36
        
             };

     

       41
       41
       -
             # interface should be created in the init namespace

     

       42
       42
       -
             # and moved to the interfaceNamespace

     

       43
       43
       -
             peer1 = pkgs.lib.attrsets.recursiveUpdate node {

     

       44
       44
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       37
       37
       +
           # interface should be created in the init namespace

     

       38
       38
       +
           # and moved to the interfaceNamespace

     

       39
       39
       +
           peer1 =

     

       40
       40
       +
             { lib, pkgs, ... }:

     

       41
       41
       +
             lib.attrsets.recursiveUpdate node {

     

       42
       42
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       45
       43
        
               networking.wireguard.interfaces.wg0 = {

     

       46
       44
        
                 preSetup = ''

     

       47
       45
        
                   ip netns add ${interfaceNamespace}

     
···

       50
       48
        
                 inherit interfaceNamespace;

     

       51
       49
        
               };

     

       52
       50
        
             };

     

       53
       53
       -
             # interface should be created in the socketNamespace

     

       54
       54
       -
             # and moved to the interfaceNamespace

     

       55
       55
       -
             peer2 = pkgs.lib.attrsets.recursiveUpdate node {

     

       56
       56
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       51
       51
       +
           # interface should be created in the socketNamespace

     

       52
       52
       +
           # and moved to the interfaceNamespace

     

       53
       53
       +
           peer2 =

     

       54
       54
       +
             { lib, pkgs, ... }:

     

       55
       55
       +
             lib.attrsets.recursiveUpdate node {

     

       56
       56
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       57
       57
        
               networking.wireguard.interfaces.wg0 = {

     

       58
       58
        
                 preSetup = ''

     

       59
       59
        
                   ip netns add ${socketNamespace}

     
···

       62
       62
        
                 inherit socketNamespace interfaceNamespace;

     

       63
       63
        
               };

     

       64
       64
        
             };

     

       65
       65
       -
             # interface should be created in the socketNamespace

     

       66
       66
       -
             # and moved to the init namespace

     

       67
       67
       -
             peer3 = pkgs.lib.attrsets.recursiveUpdate node {

     

       68
       68
       -
               boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       65
       65
       +
           # interface should be created in the socketNamespace

     

       66
       66
       +
           # and moved to the init namespace

     

       67
       67
       +
           peer3 =

     

       68
       68
       +
             { lib, pkgs, ... }:

     

       69
       69
       +
             lib.attrsets.recursiveUpdate node {

     

       70
       70
       +
               boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       69
       71
        
               networking.wireguard.interfaces.wg0 = {

     

       70
       72
        
                 preSetup = ''

     

       71
       73
        
                   ip netns add ${socketNamespace}

     
···

       74
       76
        
                 interfaceNamespace = "init";

     

       75
       77
        
               };

     

       76
       78
        
             };

     

       77
       77
       -
           };

     

       79
       79
       +
         };

     

       78
       80
        
       

     

       79
       79
       -
           testScript = ''

     

       80
       80
       -
             start_all()

     

       81
       81
       +
         testScript = ''

     

       82
       82
       +
           start_all()

     

       81
       83
        
       

     

       82
       82
       -
             for machine in peer0, peer1, peer2, peer3:

     

       83
       83
       -
                 machine.wait_for_unit("wireguard-wg0.service")

     

       84
       84
       +
           for machine in peer0, peer1, peer2, peer3:

     

       85
       85
       +
               machine.wait_for_unit("wireguard-wg0.service")

     

       84
       86
        
       

     

       85
       85
       -
             peer0.succeed("ip -n ${socketNamespace} link show wg0")

     

       86
       86
       -
             peer1.succeed("ip -n ${interfaceNamespace} link show wg0")

     

       87
       87
       -
             peer2.succeed("ip -n ${interfaceNamespace} link show wg0")

     

       88
       88
       -
             peer3.succeed("ip link show wg0")

     

       89
       89
       -
           '';

     

       90
       90
       -
         }

     

       91
       91
       -
       )

     

       87
       87
       +
           peer0.succeed("ip -n ${socketNamespace} link show wg0")

     

       88
       88
       +
           peer1.succeed("ip -n ${interfaceNamespace} link show wg0")

     

       89
       89
       +
           peer2.succeed("ip -n ${interfaceNamespace} link show wg0")

     

       90
       90
       +
           peer3.succeed("ip link show wg0")

     

       91
       91
       +
         '';

     

       92
       92
       +
       }

+42 -43

nixos/tests/wireguard/networkd.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           ...

     

       7
       7
       -
         }:

     

       8
       8
       -
         let

     

       9
       9
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       10
       10
       -
           peer = (import ./make-peer.nix) { inherit lib; };

     

       11
       11
       -
         in

     

       12
       12
       -
         {

     

       13
       13
       -
           name = "wireguard-networkd";

     

       14
       14
       -
           meta = with pkgs.lib.maintainers; {

     

       15
       15
       -
             maintainers = [ majiir ];

     

       16
       16
       -
           };

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       let

     

       7
       7
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       8
       8
       +
         peer = import ./make-peer.nix;

     

       9
       9
       +
       in

     

       10
       10
       +
       {

     

       11
       11
       +
         name = "wireguard-networkd";

     

       12
       12
       +
         meta.maintainers = with lib.maintainers; [ majiir ];

     

       17
       13
        
       

     

       18
       18
       -
           nodes = {

     

       19
       19
       -
             peer0 = peer {

     

       20
       20
       -
               ip4 = "192.168.0.1";

     

       21
       21
       -
               ip6 = "fd00::1";

     

       22
       22
       -
               extraConfig = {

     

       23
       23
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       14
       14
       +
         nodes = {

     

       15
       15
       +
           peer0 = peer {

     

       16
       16
       +
             ip4 = "192.168.0.1";

     

       17
       17
       +
             ip6 = "fd00::1";

     

       18
       18
       +
             extraConfig =

     

       19
       19
       +
               { lib, pkgs, ... }:

     

       20
       20
       +
               {

     

       21
       21
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       24
       22
        
                 networking.firewall.allowedUDPPorts = [ 23542 ];

     

       25
       23
        
                 networking.wireguard.useNetworkd = true;

     

       26
       24
        
                 networking.wireguard.interfaces.wg0 = {

     
···

       46
       44
        
                   };

     

       47
       45
        
                 };

     

       48
       46
        
               };

     

       49
       49
       -
             };

     

       47
       47
       +
           };

     

       50
       48
        
       

     

       51
       51
       -
             peer1 = peer {

     

       52
       52
       -
               ip4 = "192.168.0.2";

     

       53
       53
       -
               ip6 = "fd00::2";

     

       54
       54
       -
               extraConfig = {

     

       55
       55
       -
                 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

     

       49
       49
       +
           peer1 = peer {

     

       50
       50
       +
             ip4 = "192.168.0.2";

     

       51
       51
       +
             ip6 = "fd00::2";

     

       52
       52
       +
             extraConfig =

     

       53
       53
       +
               { lib, pkgs, ... }:

     

       54
       54
       +
               {

     

       55
       55
       +
                 boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       56
       56
        
                 networking.wireguard.useNetworkd = true;

     

       57
       57
        
                 networking.wireguard.interfaces.wg0 = {

     

       58
       58
        
                   ips = [

     
···

       79
       79
        
                   };

     

       80
       80
        
                 };

     

       81
       81
        
               };

     

       82
       82
       -
             };

     

       83
       82
        
           };

     

       83
       83
       +
         };

     

       84
       84
        
       

     

       85
       85
       -
           testScript = ''

     

       86
       86
       -
             start_all()

     

       85
       85
       +
         testScript = ''

     

       86
       86
       +
           start_all()

     

       87
       87
        
       

     

       88
       88
       -
             peer0.systemctl("start network-online.target")

     

       89
       89
       -
             peer0.wait_for_unit("network-online.target")

     

       88
       88
       +
           peer0.systemctl("start network-online.target")

     

       89
       89
       +
           peer0.wait_for_unit("network-online.target")

     

       90
       90
        
       

     

       91
       91
       -
             peer1.systemctl("start network-online.target")

     

       92
       92
       -
             peer1.wait_for_unit("network-online.target")

     

       91
       91
       +
           peer1.systemctl("start network-online.target")

     

       92
       92
       +
           peer1.wait_for_unit("network-online.target")

     

       93
       93
        
       

     

       94
       94
       -
             peer1.succeed("ping -c5 fc00::1")

     

       95
       95
       -
             peer1.succeed("ping -c5 10.23.42.1")

     

       94
       94
       +
           peer1.succeed("ping -c5 fc00::1")

     

       95
       95
       +
           peer1.succeed("ping -c5 10.23.42.1")

     

       96
       96
        
       

     

       97
       97
       -
             with subtest("Has PSK set"):

     

       98
       98
       -
               peer0.succeed("wg | grep 'preshared key'")

     

       99
       99
       -
               peer1.succeed("wg | grep 'preshared key'")

     

       100
       100
       -
           '';

     

       101
       101
       -
         }

     

       102
       102
       -
       )

     

       97
       97
       +
           with subtest("Has PSK set"):

     

       98
       98
       +
             peer0.succeed("wg | grep 'preshared key'")

     

       99
       99
       +
             peer1.succeed("wg | grep 'preshared key'")

     

       100
       100
       +
         '';

     

       101
       101
       +
       }

+82 -85

nixos/tests/wireguard/wg-quick.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         {

     

       3
       3
       -
           pkgs,

     

       4
       4
       -
           lib,

     

       5
       5
       -
           kernelPackages ? null,

     

       6
       6
       -
           nftables ? false,

     

       7
       7
       -
           ...

     

       8
       8
       -
         }:

     

       9
       9
       -
         let

     

       10
       10
       -
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       11
       11
       -
           peer = import ./make-peer.nix { inherit lib; };

     

       12
       12
       -
           commonConfig = {

     

       13
       13
       -
             boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;

     

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         kernelPackages ? null,

     

       4
       4
       +
         nftables ? false,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       9
       9
       +
         peer = import ./make-peer.nix;

     

       10
       10
       +
         commonConfig =

     

       11
       11
       +
           { pkgs, ... }:

     

       12
       12
       +
           {

     

       13
       13
       +
             boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);

     

       14
       14
        
             networking.nftables.enable = nftables;

     

       15
       15
        
             # Make sure iptables doesn't work with nftables enabled

     

       16
       16
        
             boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];

     

       17
       17
        
           };

     

       18
       18
       -
         in

     

       19
       19
       -
         {

     

       20
       20
       -
           name = "wg-quick";

     

       18
       18
       +
       in

     

       19
       19
       +
       {

     

       20
       20
       +
         name = "wg-quick";

     

       21
       21
        
       

     

       22
       22
       -
           nodes = {

     

       23
       23
       -
             peer0 = peer {

     

       24
       24
       -
               ip4 = "192.168.0.1";

     

       25
       25
       -
               ip6 = "fd00::1";

     

       26
       26
       -
               extraConfig = lib.mkMerge [

     

       27
       27
       -
                 commonConfig

     

       28
       28
       -
                 {

     

       29
       29
       -
                   networking.firewall.allowedUDPPorts = [ 23542 ];

     

       30
       30
       -
                   networking.wg-quick.interfaces.wg0 = {

     

       31
       31
       -
                     address = [

     

       32
       32
       -
                       "10.23.42.1/32"

     

       33
       33
       -
                       "fc00::1/128"

     

       34
       34
       -
                     ];

     

       35
       35
       -
                     listenPort = 23542;

     

       22
       22
       +
         nodes = {

     

       23
       23
       +
           peer0 = peer {

     

       24
       24
       +
             ip4 = "192.168.0.1";

     

       25
       25
       +
             ip6 = "fd00::1";

     

       26
       26
       +
             extraConfig = {

     

       27
       27
       +
               imports = [ commonConfig ];

     

       36
       28
        
       

     

       37
       37
       -
                     inherit (wg-snakeoil-keys.peer0) privateKey;

     

       29
       29
       +
               networking.firewall.allowedUDPPorts = [ 23542 ];

     

       30
       30
       +
               networking.wg-quick.interfaces.wg0 = {

     

       31
       31
       +
                 address = [

     

       32
       32
       +
                   "10.23.42.1/32"

     

       33
       33
       +
                   "fc00::1/128"

     

       34
       34
       +
                 ];

     

       35
       35
       +
                 listenPort = 23542;

     

       38
       36
        
       

     

       39
       39
       -
                     peers = lib.singleton {

     

       40
       40
       -
                       allowedIPs = [

     

       41
       41
       -
                         "10.23.42.2/32"

     

       42
       42
       -
                         "fc00::2/128"

     

       43
       43
       -
                       ];

     

       37
       37
       +
                 inherit (wg-snakeoil-keys.peer0) privateKey;

     

       38
       38
       +
       

     

       39
       39
       +
                 peers = lib.singleton {

     

       40
       40
       +
                   allowedIPs = [

     

       41
       41
       +
                     "10.23.42.2/32"

     

       42
       42
       +
                     "fc00::2/128"

     

       43
       43
       +
                   ];

     

       44
       44
        
       

     

       45
       45
       -
                       inherit (wg-snakeoil-keys.peer1) publicKey;

     

       46
       46
       -
                     };

     

       45
       45
       +
                   inherit (wg-snakeoil-keys.peer1) publicKey;

     

       46
       46
       +
                 };

     

       47
       47
        
       

     

       48
       48
       -
                     dns = [

     

       49
       49
       -
                       "10.23.42.2"

     

       50
       50
       -
                       "fc00::2"

     

       51
       51
       -
                       "wg0"

     

       52
       52
       -
                     ];

     

       53
       53
       -
                   };

     

       54
       54
       -
                 }

     

       55
       55
       -
               ];

     

       48
       48
       +
                 dns = [

     

       49
       49
       +
                   "10.23.42.2"

     

       50
       50
       +
                   "fc00::2"

     

       51
       51
       +
                   "wg0"

     

       52
       52
       +
                 ];

     

       53
       53
       +
               };

     

       56
       54
        
             };

     

       55
       55
       +
           };

     

       57
       56
        
       

     

       58
       58
       -
             peer1 = peer {

     

       59
       59
       -
               ip4 = "192.168.0.2";

     

       60
       60
       -
               ip6 = "fd00::2";

     

       61
       61
       -
               extraConfig = lib.mkMerge [

     

       62
       62
       -
                 commonConfig

     

       63
       63
       -
                 {

     

       64
       64
       -
                   networking.useNetworkd = true;

     

       65
       65
       -
                   networking.wg-quick.interfaces.wg0 = {

     

       66
       66
       -
                     address = [

     

       67
       67
       -
                       "10.23.42.2/32"

     

       68
       68
       -
                       "fc00::2/128"

     

       69
       69
       -
                     ];

     

       70
       70
       -
                     inherit (wg-snakeoil-keys.peer1) privateKey;

     

       57
       57
       +
           peer1 = peer {

     

       58
       58
       +
             ip4 = "192.168.0.2";

     

       59
       59
       +
             ip6 = "fd00::2";

     

       60
       60
       +
             extraConfig = {

     

       61
       61
       +
               imports = [ commonConfig ];

     

       71
       62
        
       

     

       72
       72
       -
                     peers = lib.singleton {

     

       73
       73
       -
                       allowedIPs = [

     

       74
       74
       -
                         "0.0.0.0/0"

     

       75
       75
       -
                         "::/0"

     

       76
       76
       -
                       ];

     

       77
       77
       -
                       endpoint = "192.168.0.1:23542";

     

       78
       78
       -
                       persistentKeepalive = 25;

     

       63
       63
       +
               networking.useNetworkd = true;

     

       64
       64
       +
               networking.wg-quick.interfaces.wg0 = {

     

       65
       65
       +
                 address = [

     

       66
       66
       +
                   "10.23.42.2/32"

     

       67
       67
       +
                   "fc00::2/128"

     

       68
       68
       +
                 ];

     

       69
       69
       +
                 inherit (wg-snakeoil-keys.peer1) privateKey;

     

       70
       70
       +
       

     

       71
       71
       +
                 peers = lib.singleton {

     

       72
       72
       +
                   allowedIPs = [

     

       73
       73
       +
                     "0.0.0.0/0"

     

       74
       74
       +
                     "::/0"

     

       75
       75
       +
                   ];

     

       76
       76
       +
                   endpoint = "192.168.0.1:23542";

     

       77
       77
       +
                   persistentKeepalive = 25;

     

       79
       78
        
       

     

       80
       80
       -
                       inherit (wg-snakeoil-keys.peer0) publicKey;

     

       81
       81
       -
                     };

     

       79
       79
       +
                   inherit (wg-snakeoil-keys.peer0) publicKey;

     

       80
       80
       +
                 };

     

       82
       81
        
       

     

       83
       83
       -
                     dns = [

     

       84
       84
       -
                       "10.23.42.1"

     

       85
       85
       -
                       "fc00::1"

     

       86
       86
       -
                       "wg0"

     

       87
       87
       -
                     ];

     

       88
       88
       -
                   };

     

       89
       89
       -
                 }

     

       90
       90
       -
               ];

     

       82
       82
       +
                 dns = [

     

       83
       83
       +
                   "10.23.42.1"

     

       84
       84
       +
                   "fc00::1"

     

       85
       85
       +
                   "wg0"

     

       86
       86
       +
                 ];

     

       87
       87
       +
               };

     

       91
       88
        
             };

     

       92
       89
        
           };

     

       90
       90
       +
         };

     

       93
       91
        
       

     

       94
       94
       -
           testScript = ''

     

       95
       95
       -
             start_all()

     

       92
       92
       +
         testScript = ''

     

       93
       93
       +
           start_all()

     

       96
       94
        
       

     

       97
       97
       -
             peer0.wait_for_unit("wg-quick-wg0.service")

     

       98
       98
       -
             peer1.wait_for_unit("wg-quick-wg0.service")

     

       95
       95
       +
           peer0.wait_for_unit("wg-quick-wg0.service")

     

       96
       96
       +
           peer1.wait_for_unit("wg-quick-wg0.service")

     

       99
       97
        
       

     

       100
       100
       -
             peer1.succeed("ping -c5 fc00::1")

     

       101
       101
       -
             peer1.succeed("ping -c5 10.23.42.1")

     

       102
       102
       -
           '';

     

       103
       103
       -
         }

     

       104
       104
       -
       )

     

       98
       98
       +
           peer1.succeed("ping -c5 fc00::1")

     

       99
       99
       +
           peer1.succeed("ping -c5 10.23.42.1")

     

       100
       100
       +
         '';

     

       101
       101
       +
       }