+1

nixos/modules/services/networking/nebula.nix

··· 175 175 relay = { 176 176 am_relay = netCfg.isRelay; 177 177 relays = netCfg.relays; 178 178 + use_relays = true; 178 179 }; 179 180 listen = { 180 181 host = netCfg.listen.host;

+82

nixos/tests/nebula.nix

··· 37 37 38 38 services.nebula.networks.smoke = { 39 39 isLighthouse = true; 40 40 + isRelay = true; 40 41 firewall = { 41 42 outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; 42 43 inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; ··· 55 56 staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; 56 57 isLighthouse = false; 57 58 lighthouses = [ "10.0.100.1" ]; 59 59 + relays = [ "10.0.100.1" ]; 58 60 firewall = { 59 61 outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; 60 62 inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; ··· 73 75 staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; 74 76 isLighthouse = false; 75 77 lighthouses = [ "10.0.100.1" ]; 78 78 + relays = [ "10.0.100.1" ]; 76 79 firewall = { 77 80 outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; 78 81 inbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; ··· 92 95 staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; 93 96 isLighthouse = false; 94 97 lighthouses = [ "10.0.100.1" ]; 98 98 + relays = [ "10.0.100.1" ]; 95 99 firewall = { 96 100 outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; 97 101 inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; ··· 111 115 staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; 112 116 isLighthouse = false; 113 117 lighthouses = [ "10.0.100.1" ]; 118 118 + relays = [ "10.0.100.1" ]; 114 119 firewall = { 115 120 outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; 116 121 inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; ··· 159 164 ) 160 165 ''; 161 166 167 167 + getPublicIp = node: '' 168 168 + ${node}.succeed("ip --brief addr show eth1 | awk '{print $3}' | tail -n1 | cut -d/ -f1").strip() 169 169 + ''; 170 170 + 171 171 + # Never do this for anything security critical! (Thankfully it's just a test.) 172 172 + # Restart Nebula right after the mutual block and/or restore so the state is fresh. 173 173 + blockTrafficBetween = nodeA: nodeB: '' 174 174 + node_a = ${getPublicIp nodeA} 175 175 + node_b = ${getPublicIp nodeB} 176 176 + ${nodeA}.succeed("iptables -I INPUT -s " + node_b + " -j DROP") 177 177 + ${nodeB}.succeed("iptables -I INPUT -s " + node_a + " -j DROP") 178 178 + ${nodeA}.systemctl("restart nebula@smoke.service") 179 179 + ${nodeB}.systemctl("restart nebula@smoke.service") 180 180 + ''; 181 181 + allowTrafficBetween = nodeA: nodeB: '' 182 182 + node_a = ${getPublicIp nodeA} 183 183 + node_b = ${getPublicIp nodeB} 184 184 + ${nodeA}.succeed("iptables -D INPUT -s " + node_b + " -j DROP") 185 185 + ${nodeB}.succeed("iptables -D INPUT -s " + node_a + " -j DROP") 186 186 + ${nodeA}.systemctl("restart nebula@smoke.service") 187 187 + ${nodeB}.systemctl("restart nebula@smoke.service") 188 188 + ''; 162 189 in '' 163 190 # Create the certificate and sign the lighthouse's keys. 164 191 ${setUpPrivateKey "lighthouse"} ··· 210 237 node3.succeed("ping -c3 10.0.100.1") 211 238 node3.succeed("ping -c3 10.0.100.2") 212 239 240 240 + # block node3 <-> node2, and node3 -> node2 should still work. 241 241 + ${blockTrafficBetween "node3" "node2"} 242 242 + node3.succeed("ping -c10 10.0.100.2") 243 243 + ${allowTrafficBetween "node3" "node2"} 244 244 + node3.succeed("ping -c10 10.0.100.2") 245 245 + 213 246 # node4 can ping the lighthouse but not node2 or node3 214 247 node4.succeed("ping -c3 10.0.100.1") 215 248 node4.fail("ping -c3 10.0.100.2") ··· 217 250 218 251 # node2 can ping node3 now that node3 pinged it first 219 252 node2.succeed("ping -c3 10.0.100.3") 253 253 + 254 254 + # block node2 <-> node3, and node2 -> node3 should still work. 255 255 + ${blockTrafficBetween "node2" "node3"} 256 256 + node3.succeed("ping -c10 10.0.100.2") 257 257 + node2.succeed("ping -c10 10.0.100.3") 258 258 + ${allowTrafficBetween "node2" "node3"} 259 259 + node3.succeed("ping -c10 10.0.100.2") 260 260 + node2.succeed("ping -c10 10.0.100.3") 261 261 + 220 262 # node4 can ping node2 if node2 pings it first 263 263 + node2.succeed("ping -c3 10.0.100.4") 264 264 + node4.succeed("ping -c3 10.0.100.2") 265 265 + 266 266 + # block node4 <-> node2, and node2 <-> node4 should still work. 267 267 + ${blockTrafficBetween "node2" "node4"} 268 268 + node2.succeed("ping -c10 10.0.100.4") 269 269 + node4.succeed("ping -c10 10.0.100.2") 270 270 + ${allowTrafficBetween "node2" "node4"} 271 271 + node2.succeed("ping -c10 10.0.100.4") 272 272 + node4.succeed("ping -c10 10.0.100.2") 273 273 + 274 274 + # block lighthouse <-> node3 and node2 <-> node3; node3 won't get to node2 275 275 + ${blockTrafficBetween "node3" "lighthouse"} 276 276 + ${blockTrafficBetween "node3" "node2"} 277 277 + node3.fail("ping -c3 10.0.100.2") 278 278 + ${allowTrafficBetween "node3" "lighthouse"} 279 279 + ${allowTrafficBetween "node3" "node2"} 280 280 + node3.succeed("ping -c3 10.0.100.2") 281 281 + 282 282 + # block lighthouse <-> node2, node2 <-> node3, and node2 <-> node4; it won't get to node3 or node4 283 283 + ${blockTrafficBetween "node2" "lighthouse"} 284 284 + ${blockTrafficBetween "node2" "node3"} 285 285 + ${blockTrafficBetween "node2" "node4"} 286 286 + node3.fail("ping -c3 10.0.100.2") 287 287 + node2.fail("ping -c3 10.0.100.3") 288 288 + node2.fail("ping -c3 10.0.100.4") 289 289 + ${allowTrafficBetween "node2" "lighthouse"} 290 290 + ${allowTrafficBetween "node2" "node3"} 291 291 + ${allowTrafficBetween "node2" "node4"} 292 292 + node3.succeed("ping -c3 10.0.100.2") 293 293 + node2.succeed("ping -c3 10.0.100.3") 294 294 + node2.succeed("ping -c3 10.0.100.4") 295 295 + 296 296 + # block lighthouse <-> node4 and node4 <-> node2; it won't get to node2 297 297 + ${blockTrafficBetween "node4" "lighthouse"} 298 298 + ${blockTrafficBetween "node4" "node2"} 299 299 + node2.fail("ping -c3 10.0.100.4") 300 300 + node4.fail("ping -c3 10.0.100.2") 301 301 + ${allowTrafficBetween "node4" "lighthouse"} 302 302 + ${allowTrafficBetween "node4" "node2"} 221 303 node2.succeed("ping -c3 10.0.100.4") 222 304 node4.succeed("ping -c3 10.0.100.2") 223 305 '';

+3 -1

pkgs/tools/networking/nebula/default.nix

··· 17 17 18 18 ldflags = [ "-X main.Build=${version}" ]; 19 19 20 20 - passthru.tests.nebula = nixosTests.nebula; 20 20 + passthru.tests = { 21 21 + inherit (nixosTests) nebula; 22 22 + }; 21 23 22 24 meta = with lib; { 23 25 description = "A scalable overlay networking tool with a focus on performance, simplicity and security";