Merge: nixosTests.wireguard: handleTest -> runTest (#424856)

authored by Maximilian Bosch and committed by GitHub abfc98e2 ec4d28eb

+521 -523
+4 -1
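--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1553,7 +1553,10 @@
 whoogle-search = runTest ./whoogle-search.nix;
 wiki-js = runTest ./wiki-js.nix;
 wine = handleTest ./wine.nix { };
-wireguard = handleTest ./wireguard { };
+wireguard = import ./wireguard {
+inherit pkgs runTest;
+inherit (pkgs) lib;
+};
 wg-access-server = runTest ./wg-access-server.nix;
 without-nix = runTest ./without-nix.nix;
 wmderland = runTest ./wmderland.nix;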
+97 -102
nixos/tests/wireguard/amneziawg-quick.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - nftables ? false, 7 - ... 8 - }: 9 - let 10 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 11 - peer = import ./make-peer.nix { inherit lib; }; 12 - commonConfig = { 13 - boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + nftables ? false, 5 + ... 6 + }: 7 + let 8 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 9 + peer = import ./make-peer.nix; 10 + commonConfig = 11 + { pkgs, ... }: 12 + { 13 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 14 14 networking.nftables.enable = nftables; 15 15 # Make sure iptables doesn't work with nftables enabled 16 16 boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ]; 17 17 }; 18 - extraOptions = { 19 - Jc = 5; 20 - Jmin = 10; 21 - Jmax = 42; 22 - S1 = 60; 23 - S2 = 90; 24 - }; 25 - in 26 - { 27 - name = "amneziawg-quick"; 28 - meta = with pkgs.lib.maintainers; { 29 - maintainers = [ 30 - averyanalex 31 - azahi 32 - ]; 33 - }; 18 + extraOptions = { 19 + Jc = 5; 20 + Jmin = 10; 21 + Jmax = 42; 22 + S1 = 60; 23 + S2 = 90; 24 + }; 25 + in 26 + { 27 + name = "amneziawg-quick"; 28 + meta.maintainers = with lib.maintainers; [ 29 + averyanalex 30 + azahi 31 + ]; 34 32 35 - nodes = { 36 - peer0 = peer { 37 - ip4 = "192.168.0.1"; 38 - ip6 = "fd00::1"; 39 - extraConfig = lib.mkMerge [ 40 - commonConfig 41 - { 42 - networking.firewall.allowedUDPPorts = [ 23542 ]; 43 - networking.wg-quick.interfaces.wg0 = { 44 - type = "amneziawg"; 33 + nodes = { 34 + peer0 = peer { 35 + ip4 = "192.168.0.1"; 36 + ip6 = "fd00::1"; 37 + extraConfig = { 38 + imports = [ commonConfig ]; 45 39 46 - address = [ 47 - "10.23.42.1/32" 48 - "fc00::1/128" 49 - ]; 50 - listenPort = 23542; 40 + networking.firewall.allowedUDPPorts = [ 23542 ]; 41 + networking.wg-quick.interfaces.wg0 = { 42 + type = "amneziawg"; 43 + 44 + address = [ 45 + "10.23.42.1/32" 46 + 
"fc00::1/128" 47 + ]; 48 + listenPort = 23542; 51 49 52 - inherit (wg-snakeoil-keys.peer0) privateKey; 50 + inherit (wg-snakeoil-keys.peer0) privateKey; 53 51 54 - peers = lib.singleton { 55 - allowedIPs = [ 56 - "10.23.42.2/32" 57 - "fc00::2/128" 58 - ]; 52 + peers = lib.singleton { 53 + allowedIPs = [ 54 + "10.23.42.2/32" 55 + "fc00::2/128" 56 + ]; 59 57 60 - inherit (wg-snakeoil-keys.peer1) publicKey; 61 - }; 58 + inherit (wg-snakeoil-keys.peer1) publicKey; 59 + }; 62 60 63 - dns = [ 64 - "10.23.42.2" 65 - "fc00::2" 66 - "wg0" 67 - ]; 61 + dns = [ 62 + "10.23.42.2" 63 + "fc00::2" 64 + "wg0" 65 + ]; 68 66 69 - inherit extraOptions; 70 - }; 71 - } 72 - ]; 67 + inherit extraOptions; 68 + }; 73 69 }; 70 + }; 74 71 75 - peer1 = peer { 76 - ip4 = "192.168.0.2"; 77 - ip6 = "fd00::2"; 78 - extraConfig = lib.mkMerge [ 79 - commonConfig 80 - { 81 - networking.useNetworkd = true; 82 - networking.wg-quick.interfaces.wg0 = { 83 - type = "amneziawg"; 72 + peer1 = peer { 73 + ip4 = "192.168.0.2"; 74 + ip6 = "fd00::2"; 75 + extraConfig = { 76 + imports = [ commonConfig ]; 77 + 78 + networking.useNetworkd = true; 79 + networking.wg-quick.interfaces.wg0 = { 80 + type = "amneziawg"; 84 81 85 - address = [ 86 - "10.23.42.2/32" 87 - "fc00::2/128" 88 - ]; 89 - inherit (wg-snakeoil-keys.peer1) privateKey; 82 + address = [ 83 + "10.23.42.2/32" 84 + "fc00::2/128" 85 + ]; 86 + inherit (wg-snakeoil-keys.peer1) privateKey; 90 87 91 - peers = lib.singleton { 92 - allowedIPs = [ 93 - "0.0.0.0/0" 94 - "::/0" 95 - ]; 96 - endpoint = "192.168.0.1:23542"; 97 - persistentKeepalive = 25; 88 + peers = lib.singleton { 89 + allowedIPs = [ 90 + "0.0.0.0/0" 91 + "::/0" 92 + ]; 93 + endpoint = "192.168.0.1:23542"; 94 + persistentKeepalive = 25; 98 95 99 - inherit (wg-snakeoil-keys.peer0) publicKey; 100 - }; 96 + inherit (wg-snakeoil-keys.peer0) publicKey; 97 + }; 101 98 102 - dns = [ 103 - "10.23.42.1" 104 - "fc00::1" 105 - "wg0" 106 - ]; 99 + dns = [ 100 + "10.23.42.1" 101 + "fc00::1" 102 + "wg0" 103 + 
]; 107 104 108 - inherit extraOptions; 109 - }; 110 - } 111 - ]; 105 + inherit extraOptions; 106 + }; 112 107 }; 113 108 }; 109 + }; 114 110 115 - testScript = '' 116 - start_all() 111 + testScript = '' 112 + start_all() 117 113 118 - peer0.wait_for_unit("wg-quick-wg0.service") 119 - peer1.wait_for_unit("wg-quick-wg0.service") 114 + peer0.wait_for_unit("wg-quick-wg0.service") 115 + peer1.wait_for_unit("wg-quick-wg0.service") 120 116 121 - peer1.succeed("ping -c5 fc00::1") 122 - peer1.succeed("ping -c5 10.23.42.1") 123 - ''; 124 - } 125 - ) 117 + peer1.succeed("ping -c5 fc00::1") 118 + peer1.succeed("ping -c5 10.23.42.1") 119 + ''; 120 + }
+50 -51
nixos/tests/wireguard/amneziawg.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - ... 7 - }: 8 - let 9 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 10 - peer = (import ./make-peer.nix) { inherit lib; }; 11 - extraOptions = { 12 - Jc = 5; 13 - Jmin = 10; 14 - Jmax = 42; 15 - S1 = 60; 16 - S2 = 90; 17 - }; 18 - in 19 - { 20 - name = "amneziawg"; 21 - meta = with pkgs.lib.maintainers; { 22 - maintainers = [ 23 - averyanalex 24 - azahi 25 - ]; 26 - }; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + ... 5 + }: 6 + let 7 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 8 + peer = import ./make-peer.nix; 9 + extraOptions = { 10 + Jc = 5; 11 + Jmin = 10; 12 + Jmax = 42; 13 + S1 = 60; 14 + S2 = 90; 15 + }; 16 + in 17 + { 18 + name = "amneziawg"; 19 + meta.maintainers = with lib.maintainers; [ 20 + averyanalex 21 + azahi 22 + ]; 27 23 28 - nodes = { 29 - peer0 = peer { 30 - ip4 = "192.168.0.1"; 31 - ip6 = "fd00::1"; 32 - extraConfig = { 33 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 24 + nodes = { 25 + peer0 = peer { 26 + ip4 = "192.168.0.1"; 27 + ip6 = "fd00::1"; 28 + extraConfig = 29 + { lib, pkgs, ... }: 30 + { 31 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 34 32 networking.firewall.allowedUDPPorts = [ 23542 ]; 35 33 networking.wireguard.interfaces.wg0 = { 36 34 type = "amneziawg"; ··· 54 52 inherit extraOptions; 55 53 }; 56 54 }; 57 - }; 55 + }; 58 56 59 - peer1 = peer { 60 - ip4 = "192.168.0.2"; 61 - ip6 = "fd00::2"; 62 - extraConfig = { 63 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 57 + peer1 = peer { 58 + ip4 = "192.168.0.2"; 59 + ip6 = "fd00::2"; 60 + extraConfig = 61 + { lib, pkgs, ... 
}: 62 + { 63 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 64 64 networking.wireguard.interfaces.wg0 = { 65 65 type = "amneziawg"; 66 66 ips = [ ··· 85 85 86 86 postSetup = 87 87 let 88 - inherit (pkgs) iproute2; 88 + ip = lib.getExe' pkgs.iproute2 "ip"; 89 89 in 90 90 '' 91 - ${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0 92 - ${iproute2}/bin/ip route replace fc00::1/128 dev wg0 91 + ${ip} route replace 10.23.42.1/32 dev wg0 92 + ${ip} route replace fc00::1/128 dev wg0 93 93 ''; 94 94 95 95 inherit extraOptions; 96 96 }; 97 97 }; 98 - }; 99 98 }; 99 + }; 100 100 101 - testScript = '' 102 - start_all() 101 + testScript = '' 102 + start_all() 103 103 104 - peer0.wait_for_unit("wireguard-wg0.service") 105 - peer1.wait_for_unit("wireguard-wg0.service") 104 + peer0.wait_for_unit("wireguard-wg0.service") 105 + peer1.wait_for_unit("wireguard-wg0.service") 106 106 107 - peer1.succeed("ping -c5 fc00::1") 108 - peer1.succeed("ping -c5 10.23.42.1") 109 - ''; 110 - } 111 - ) 107 + peer1.succeed("ping -c5 fc00::1") 108 + peer1.succeed("ping -c5 10.23.42.1") 109 + ''; 110 + }
+40 -41
nixos/tests/wireguard/basic.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - ... 7 - }: 8 - let 9 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 10 - peer = (import ./make-peer.nix) { inherit lib; }; 11 - in 12 - { 13 - name = "wireguard"; 14 - meta = with pkgs.lib.maintainers; { 15 - maintainers = [ ma27 ]; 16 - }; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + ... 5 + }: 6 + let 7 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 8 + peer = import ./make-peer.nix; 9 + in 10 + { 11 + name = "wireguard"; 12 + meta.maintainers = with lib.maintainers; [ ma27 ]; 17 13 18 - nodes = { 19 - peer0 = peer { 20 - ip4 = "192.168.0.1"; 21 - ip6 = "fd00::1"; 22 - extraConfig = { 23 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 14 + nodes = { 15 + peer0 = peer { 16 + ip4 = "192.168.0.1"; 17 + ip6 = "fd00::1"; 18 + extraConfig = 19 + { lib, pkgs, ... }: 20 + { 21 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 24 22 networking.firewall.allowedUDPPorts = [ 23542 ]; 25 23 networking.wireguard.interfaces.wg0 = { 26 24 ips = [ ··· 41 39 }; 42 40 }; 43 41 }; 44 - }; 42 + }; 45 43 46 - peer1 = peer { 47 - ip4 = "192.168.0.2"; 48 - ip6 = "fd00::2"; 49 - extraConfig = { 50 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 44 + peer1 = peer { 45 + ip4 = "192.168.0.2"; 46 + ip6 = "fd00::2"; 47 + extraConfig = 48 + { lib, pkgs, ... 
}: 49 + { 50 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 51 51 networking.wireguard.interfaces.wg0 = { 52 52 ips = [ 53 53 "10.23.42.2/32" ··· 71 71 72 72 postSetup = 73 73 let 74 - inherit (pkgs) iproute2; 74 + ip = lib.getExe' pkgs.iproute2 "ip"; 75 75 in 76 76 '' 77 - ${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0 78 - ${iproute2}/bin/ip route replace fc00::1/128 dev wg0 77 + ${ip} route replace 10.23.42.1/32 dev wg0 78 + ${ip} route replace fc00::1/128 dev wg0 79 79 ''; 80 80 }; 81 81 }; 82 - }; 83 82 }; 83 + }; 84 84 85 - testScript = '' 86 - start_all() 85 + testScript = '' 86 + start_all() 87 87 88 - peer0.wait_for_unit("wireguard-wg0.service") 89 - peer1.wait_for_unit("wireguard-wg0.service") 88 + peer0.wait_for_unit("wireguard-wg0.service") 89 + peer1.wait_for_unit("wireguard-wg0.service") 90 90 91 - peer1.succeed("ping -c5 fc00::1") 92 - peer1.succeed("ping -c5 10.23.42.1") 93 - ''; 94 - } 95 - ) 91 + peer1.succeed("ping -c5 fc00::1") 92 + peer1.succeed("ping -c5 10.23.42.1") 93 + ''; 94 + }
+19 -16
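--- a/nixos/tests/wireguard/default.nix
+++ b/nixos/tests/wireguard/default.nix
@@ -1,46 +1,49 @@
 {
-system ? builtins.currentSystem,
-config ? { },
-pkgs ? import ../../.. { inherit system config; },
+runTest,
+lib,
+pkgs,
 # Test current default (LTS) and latest kernel
 kernelVersionsToTest ? [
-(pkgs.lib.versions.majorMinor pkgs.linuxPackages.kernel.version)
+(lib.versions.majorMinor pkgs.linuxPackages.kernel.version)
 "latest"
 ],
 }:
 
-with pkgs.lib;
-
 let
 tests =
 let
-callTest = p: args: import p ({ inherit system pkgs; } // args);
+callTest =
+p: args:
+runTest {
+imports = [ p ];
+_module = { inherit args; };
+};
 in
 {
 basic = callTest ./basic.nix;
 amneziawg = callTest ./amneziawg.nix;
 namespaces = callTest ./namespaces.nix;
 networkd = callTest ./networkd.nix;
-wg-quick = callTest ./wg-quick.nix;
+wg-quick = args: callTest ./wg-quick.nix ({ nftables = false; } // args);
 wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);
-amneziawg-quick = callTest ./amneziawg-quick.nix;
+amneziawg-quick = args: callTest ./amneziawg-quick.nix ({ nftables = false; } // args);
 generated = callTest ./generated.nix;
-dynamic-refresh = callTest ./dynamic-refresh.nix;
+dynamic-refresh = args: callTest ./dynamic-refresh.nix ({ useNetworkd = false; } // args);
 dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);
 };
 in
 
-listToAttrs (
-flip concatMap kernelVersionsToTest (
+lib.listToAttrs (
+lib.flip lib.concatMap kernelVersionsToTest (
 version:
 let
-v' = replaceStrings [ "." ] [ "_" ] version;
+v' = lib.replaceString "." "_" version;
 in
-flip mapAttrsToList tests (
+lib.flip lib.mapAttrsToList tests (
 name: test:
-nameValuePair "wireguard-${name}-linux-${v'}" (test {
+lib.nameValuePair "wireguard-${name}-linux-${v'}" (test {
 kernelPackages =
-if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";
+pkgs: if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";
 })
 )
 )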
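Review bot: `callTest` (new lines 15–20) and the `kernelPackages = pkgs: …` change (new line 46) carry no comment explaining the new contract, and it is not obvious from this file alone: `args` reaches the test file only through `_module.args`, and `kernelPackages` became a function so that each test's node modules can call `(kernelPackages pkgs)` with their own `pkgs`, presumably so the kernel is resolved from the node's package set rather than the outer one. A comment on the binding would spare the next reader a trip through the test files, e.g. `# Load the test file as a module; args are exposed to it through _module.args. kernelPackages is a function of the node's pkgs so each node picks the kernel from its own package set.`. The explicit `nftables = false` / `useNetworkd = false` wrappers on lines 27, 29 and 31 also deserve a one-line note saying they are required rather than cosmetic, since the argument defaults in the test files' module patterns do not apply under the module system, so nobody "simplifies" them away later.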
+69 -67
nixos/tests/wireguard/dynamic-refresh.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - useNetworkd ? false, 7 - ... 8 - }: 9 - let 10 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 11 - in 12 - { 13 - name = "wireguard-dynamic-refresh"; 14 - meta = with lib.maintainers; { 15 - maintainers = [ majiir ]; 16 - }; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + useNetworkd ? false, 5 + ... 6 + }: 7 + let 8 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 9 + in 10 + { 11 + name = "wireguard-dynamic-refresh"; 12 + meta.maintainers = with lib.maintainers; [ majiir ]; 17 13 18 - nodes = { 19 - server = { 14 + nodes = { 15 + server = 16 + { lib, pkgs, ... }: 17 + { 20 18 virtualisation.vlans = [ 21 19 1 22 20 2 23 21 ]; 24 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 22 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 25 23 networking.firewall.allowedUDPPorts = [ 23542 ]; 26 24 networking.useDHCP = false; 27 25 networking.wireguard.useNetworkd = useNetworkd; ··· 40 38 }; 41 39 }; 42 40 43 - client = 44 - { nodes, ... }: 45 - { 46 - virtualisation.vlans = [ 47 - 1 48 - 2 49 - ]; 50 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 51 - networking.useDHCP = false; 52 - networking.wireguard.useNetworkd = useNetworkd; 53 - networking.wireguard.interfaces.wg0 = { 54 - ips = [ "10.23.42.2/32" ]; 41 + client = 42 + { 43 + nodes, 44 + lib, 45 + pkgs, 46 + ... 47 + }: 48 + { 49 + virtualisation.vlans = [ 50 + 1 51 + 2 52 + ]; 53 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 54 + networking.useDHCP = false; 55 + networking.wireguard.useNetworkd = useNetworkd; 56 + networking.wireguard.interfaces.wg0 = { 57 + ips = [ "10.23.42.2/32" ]; 55 58 56 - # !!! Don't do this with real keys. The /nix store is world-readable! 57 - privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey); 59 + # !!! Don't do this with real keys. 
The /nix store is world-readable! 60 + privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey); 58 61 59 - dynamicEndpointRefreshSeconds = 2; 62 + dynamicEndpointRefreshSeconds = 2; 60 63 61 - peers = lib.singleton { 62 - allowedIPs = [ 63 - "0.0.0.0/0" 64 - "::/0" 65 - ]; 66 - endpoint = "server:23542"; 64 + peers = lib.singleton { 65 + allowedIPs = [ 66 + "0.0.0.0/0" 67 + "::/0" 68 + ]; 69 + endpoint = "server:23542"; 67 70 68 - inherit (wg-snakeoil-keys.peer0) publicKey; 69 - }; 71 + inherit (wg-snakeoil-keys.peer0) publicKey; 70 72 }; 73 + }; 71 74 72 - specialisation.update-hosts.configuration = { 73 - networking.extraHosts = 74 - let 75 - testCfg = nodes.server.virtualisation.test; 76 - in 77 - lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}"; 78 - }; 75 + specialisation.update-hosts.configuration = { 76 + networking.extraHosts = 77 + let 78 + testCfg = nodes.server.virtualisation.test; 79 + in 80 + lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}"; 79 81 }; 80 - }; 82 + }; 83 + }; 81 84 82 - testScript = 83 - { nodes, ... }: 84 - '' 85 - start_all() 85 + testScript = 86 + { nodes, ... 
}: 87 + '' 88 + start_all() 86 89 87 - server.systemctl("start network-online.target") 88 - server.wait_for_unit("network-online.target") 90 + server.systemctl("start network-online.target") 91 + server.wait_for_unit("network-online.target") 89 92 90 - client.systemctl("start network-online.target") 91 - client.wait_for_unit("network-online.target") 93 + client.systemctl("start network-online.target") 94 + client.wait_for_unit("network-online.target") 92 95 93 - client.succeed("ping -n -w 1 -c 1 10.23.42.1") 96 + client.succeed("ping -n -w 1 -c 1 10.23.42.1") 94 97 95 - client.succeed("ip link set down eth1") 98 + client.succeed("ip link set down eth1") 96 99 97 - client.fail("ping -n -w 1 -c 1 10.23.42.1") 100 + client.fail("ping -n -w 1 -c 1 10.23.42.1") 98 101 99 - with client.nested("update hosts file"): 100 - client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test") 102 + with client.nested("update hosts file"): 103 + client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test") 101 104 102 - client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1") 103 - ''; 104 - } 105 - ) 105 + client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1") 106 + ''; 107 + }
+47 -48
nixos/tests/wireguard/generated.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - ... 7 - }: 8 - { 9 - name = "wireguard-generated"; 10 - meta = with pkgs.lib.maintainers; { 11 - maintainers = [ 12 - ma27 13 - grahamc 14 - ]; 15 - }; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + ... 5 + }: 6 + { 7 + name = "wireguard-generated"; 8 + meta.maintainers = with lib.maintainers; [ 9 + ma27 10 + grahamc 11 + ]; 16 12 17 - nodes = { 18 - peer1 = { 19 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 13 + nodes = { 14 + peer1 = 15 + { lib, pkgs, ... }: 16 + { 17 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 20 18 networking.firewall.allowedUDPPorts = [ 12345 ]; 21 19 networking.wireguard.interfaces.wg0 = { 22 20 ips = [ "10.10.10.1/24" ]; ··· 27 25 }; 28 26 }; 29 27 30 - peer2 = { 31 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 28 + peer2 = 29 + { lib, pkgs, ... }: 30 + { 31 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 32 32 networking.firewall.allowedUDPPorts = [ 12345 ]; 33 33 networking.wireguard.interfaces.wg0 = { 34 34 ips = [ "10.10.10.2/24" ]; ··· 37 37 generatePrivateKeyFile = true; 38 38 }; 39 39 }; 40 - }; 40 + }; 41 41 42 - testScript = '' 43 - start_all() 42 + testScript = '' 43 + start_all() 44 44 45 - peer1.wait_for_unit("wireguard-wg0.service") 46 - peer2.wait_for_unit("wireguard-wg0.service") 45 + peer1.wait_for_unit("wireguard-wg0.service") 46 + peer2.wait_for_unit("wireguard-wg0.service") 47 47 48 - retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private") 49 - if retcode != 0: 50 - raise Exception("Could not read public key from peer1") 48 + retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private") 49 + if retcode != 0: 50 + raise Exception("Could not read public key from peer1") 51 51 52 - retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private") 53 - if retcode != 0: 54 
- raise Exception("Could not read public key from peer2") 52 + retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private") 53 + if retcode != 0: 54 + raise Exception("Could not read public key from peer2") 55 55 56 - peer1.succeed( 57 - "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format( 58 - peer2pubkey.strip() 59 - ) 60 - ) 61 - peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main") 56 + peer1.succeed( 57 + "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format( 58 + peer2pubkey.strip() 59 + ) 60 + ) 61 + peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main") 62 62 63 - peer2.succeed( 64 - "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format( 65 - peer1pubkey.strip() 66 - ) 67 - ) 68 - peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main") 63 + peer2.succeed( 64 + "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format( 65 + peer1pubkey.strip() 66 + ) 67 + ) 68 + peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main") 69 69 70 - peer1.succeed("ping -c1 10.10.10.2") 71 - peer2.succeed("ping -c1 10.10.10.1") 72 - ''; 73 - } 74 - ) 70 + peer1.succeed("ping -c1 10.10.10.2") 71 + peer2.succeed("ping -c1 10.10.10.1") 72 + ''; 73 + }
+27 -26
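--- a/nixos/tests/wireguard/make-peer.nix
+++ b/nixos/tests/wireguard/make-peer.nix
@@ -1,32 +1,33 @@
-{ lib, ... }:
 {
 ip4,
 ip6,
 extraConfig,
 }:
-lib.mkMerge [
-{
-boot.kernel.sysctl = {
-"net.ipv6.conf.all.forwarding" = "1";
-"net.ipv6.conf.default.forwarding" = "1";
-"net.ipv4.ip_forward" = "1";
-};
+{
+imports = [
+{
+boot.kernel.sysctl = {
+"net.ipv6.conf.all.forwarding" = "1";
+"net.ipv6.conf.default.forwarding" = "1";
+"net.ipv4.ip_forward" = "1";
+};
 
-networking.useDHCP = false;
-networking.interfaces.eth1 = {
-ipv4.addresses = [
-{
-address = ip4;
-prefixLength = 24;
-}
-];
-ipv6.addresses = [
-{
-address = ip6;
-prefixLength = 64;
-}
-];
-};
-}
-extraConfig
-]
+networking.useDHCP = false;
+networking.interfaces.eth1 = {
+ipv4.addresses = [
+{
+address = ip4;
+prefixLength = 24;
+}
+];
+ipv6.addresses = [
+{
+address = ip6;
+prefixLength = 64;
+}
+];
+};
+}
+extraConfig
+];
+}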
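Review bot: make-peer.nix now returns a plain module with `imports = [ { … } extraConfig ]` but still has no header comment, and the module it builds is not neutral: `boot.kernel.sysctl` (new lines 9–13) enables IPv4 and IPv6 forwarding on every peer built with it, and eth1 gets a fixed /24 and /64 address. A comment above the argument set would make that explicit for anyone reusing it in a new test, e.g. `# Build a NixOS module for a wireguard test peer: static eth1 addresses (ip4 as /24, ip6 as /64), IP forwarding enabled for both families, and extraConfig merged in as a module.`. It is also worth stating that `extraConfig` may be a module function, since callers in amneziawg.nix, basic.nix and networkd.nix now pass `{ lib, pkgs, ... }:` functions, and the `imports` form is what makes that work.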
+44 -43
nixos/tests/wireguard/namespaces.nix
··· 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + ... 5 + }: 1 6 let 2 7 listenPort = 12345; 3 8 socketNamespace = "foo"; ··· 10 15 generatePrivateKeyFile = true; 11 16 }; 12 17 }; 13 - 14 18 in 15 - 16 - import ../make-test-python.nix ( 17 - { 18 - pkgs, 19 - lib, 20 - kernelPackages ? null, 21 - ... 22 - }: 23 - { 24 - name = "wireguard-with-namespaces"; 25 - meta = with pkgs.lib.maintainers; { 26 - maintainers = [ asymmetric ]; 27 - }; 19 + { 20 + name = "wireguard-with-namespaces"; 21 + meta.maintainers = with lib.maintainers; [ asymmetric ]; 28 22 29 - nodes = { 30 - # interface should be created in the socketNamespace 31 - # and not moved from there 32 - peer0 = pkgs.lib.attrsets.recursiveUpdate node { 33 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 23 + nodes = { 24 + # interface should be created in the socketNamespace 25 + # and not moved from there 26 + peer0 = 27 + { lib, pkgs, ... }: 28 + lib.attrsets.recursiveUpdate node { 29 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 34 30 networking.wireguard.interfaces.wg0 = { 35 31 preSetup = '' 36 32 ip netns add ${socketNamespace} ··· 38 34 inherit socketNamespace; 39 35 }; 40 36 }; 41 - # interface should be created in the init namespace 42 - # and moved to the interfaceNamespace 43 - peer1 = pkgs.lib.attrsets.recursiveUpdate node { 44 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 37 + # interface should be created in the init namespace 38 + # and moved to the interfaceNamespace 39 + peer1 = 40 + { lib, pkgs, ... 
}: 41 + lib.attrsets.recursiveUpdate node { 42 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 45 43 networking.wireguard.interfaces.wg0 = { 46 44 preSetup = '' 47 45 ip netns add ${interfaceNamespace} ··· 50 48 inherit interfaceNamespace; 51 49 }; 52 50 }; 53 - # interface should be created in the socketNamespace 54 - # and moved to the interfaceNamespace 55 - peer2 = pkgs.lib.attrsets.recursiveUpdate node { 56 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 51 + # interface should be created in the socketNamespace 52 + # and moved to the interfaceNamespace 53 + peer2 = 54 + { lib, pkgs, ... }: 55 + lib.attrsets.recursiveUpdate node { 56 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 57 57 networking.wireguard.interfaces.wg0 = { 58 58 preSetup = '' 59 59 ip netns add ${socketNamespace} ··· 62 62 inherit socketNamespace interfaceNamespace; 63 63 }; 64 64 }; 65 - # interface should be created in the socketNamespace 66 - # and moved to the init namespace 67 - peer3 = pkgs.lib.attrsets.recursiveUpdate node { 68 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 65 + # interface should be created in the socketNamespace 66 + # and moved to the init namespace 67 + peer3 = 68 + { lib, pkgs, ... 
}: 69 + lib.attrsets.recursiveUpdate node { 70 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 69 71 networking.wireguard.interfaces.wg0 = { 70 72 preSetup = '' 71 73 ip netns add ${socketNamespace} ··· 74 76 interfaceNamespace = "init"; 75 77 }; 76 78 }; 77 - }; 79 + }; 78 80 79 - testScript = '' 80 - start_all() 81 + testScript = '' 82 + start_all() 81 83 82 - for machine in peer0, peer1, peer2, peer3: 83 - machine.wait_for_unit("wireguard-wg0.service") 84 + for machine in peer0, peer1, peer2, peer3: 85 + machine.wait_for_unit("wireguard-wg0.service") 84 86 85 - peer0.succeed("ip -n ${socketNamespace} link show wg0") 86 - peer1.succeed("ip -n ${interfaceNamespace} link show wg0") 87 - peer2.succeed("ip -n ${interfaceNamespace} link show wg0") 88 - peer3.succeed("ip link show wg0") 89 - ''; 90 - } 91 - ) 87 + peer0.succeed("ip -n ${socketNamespace} link show wg0") 88 + peer1.succeed("ip -n ${interfaceNamespace} link show wg0") 89 + peer2.succeed("ip -n ${interfaceNamespace} link show wg0") 90 + peer3.succeed("ip link show wg0") 91 + ''; 92 + }
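Review bot: The four peers still build their config with `lib.attrsets.recursiveUpdate node { … }` inside the new module functions (new lines 26–29 and the three analogous peers), while make-peer.nix in the same commit moved from `lib.mkMerge` to `imports`. `recursiveUpdate` is a plain attribute merge, so an attribute present in both `node` and the override is replaced outright unless both sides are attribute sets; for the attributes visible here (`node` is defined before the hunk) the result is the same, but it copies `lib.mkIf` values into an attrset instead of letting the module system merge them. I would write each peer as `{ lib, pkgs, ... }: { imports = [ node ]; boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); networking.wireguard.interfaces.wg0 = { … }; }` so `node` is merged as a module, consistent with the rest of the tree.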
+42 -43
nixos/tests/wireguard/networkd.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - ... 7 - }: 8 - let 9 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 10 - peer = (import ./make-peer.nix) { inherit lib; }; 11 - in 12 - { 13 - name = "wireguard-networkd"; 14 - meta = with pkgs.lib.maintainers; { 15 - maintainers = [ majiir ]; 16 - }; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + ... 5 + }: 6 + let 7 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 8 + peer = import ./make-peer.nix; 9 + in 10 + { 11 + name = "wireguard-networkd"; 12 + meta.maintainers = with lib.maintainers; [ majiir ]; 17 13 18 - nodes = { 19 - peer0 = peer { 20 - ip4 = "192.168.0.1"; 21 - ip6 = "fd00::1"; 22 - extraConfig = { 23 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 14 + nodes = { 15 + peer0 = peer { 16 + ip4 = "192.168.0.1"; 17 + ip6 = "fd00::1"; 18 + extraConfig = 19 + { lib, pkgs, ... }: 20 + { 21 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 24 22 networking.firewall.allowedUDPPorts = [ 23542 ]; 25 23 networking.wireguard.useNetworkd = true; 26 24 networking.wireguard.interfaces.wg0 = { ··· 46 44 }; 47 45 }; 48 46 }; 49 - }; 47 + }; 50 48 51 - peer1 = peer { 52 - ip4 = "192.168.0.2"; 53 - ip6 = "fd00::2"; 54 - extraConfig = { 55 - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; 49 + peer1 = peer { 50 + ip4 = "192.168.0.2"; 51 + ip6 = "fd00::2"; 52 + extraConfig = 53 + { lib, pkgs, ... 
}: 54 + { 55 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 56 56 networking.wireguard.useNetworkd = true; 57 57 networking.wireguard.interfaces.wg0 = { 58 58 ips = [ ··· 79 79 }; 80 80 }; 81 81 }; 82 - }; 83 82 }; 83 + }; 84 84 85 - testScript = '' 86 - start_all() 85 + testScript = '' 86 + start_all() 87 87 88 - peer0.systemctl("start network-online.target") 89 - peer0.wait_for_unit("network-online.target") 88 + peer0.systemctl("start network-online.target") 89 + peer0.wait_for_unit("network-online.target") 90 90 91 - peer1.systemctl("start network-online.target") 92 - peer1.wait_for_unit("network-online.target") 91 + peer1.systemctl("start network-online.target") 92 + peer1.wait_for_unit("network-online.target") 93 93 94 - peer1.succeed("ping -c5 fc00::1") 95 - peer1.succeed("ping -c5 10.23.42.1") 94 + peer1.succeed("ping -c5 fc00::1") 95 + peer1.succeed("ping -c5 10.23.42.1") 96 96 97 - with subtest("Has PSK set"): 98 - peer0.succeed("wg | grep 'preshared key'") 99 - peer1.succeed("wg | grep 'preshared key'") 100 - ''; 101 - } 102 - ) 97 + with subtest("Has PSK set"): 98 + peer0.succeed("wg | grep 'preshared key'") 99 + peer1.succeed("wg | grep 'preshared key'") 100 + ''; 101 + }
+82 -85
nixos/tests/wireguard/wg-quick.nix
··· 1 - import ../make-test-python.nix ( 2 - { 3 - pkgs, 4 - lib, 5 - kernelPackages ? null, 6 - nftables ? false, 7 - ... 8 - }: 9 - let 10 - wg-snakeoil-keys = import ./snakeoil-keys.nix; 11 - peer = import ./make-peer.nix { inherit lib; }; 12 - commonConfig = { 13 - boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages; 1 + { 2 + lib, 3 + kernelPackages ? null, 4 + nftables ? false, 5 + ... 6 + }: 7 + let 8 + wg-snakeoil-keys = import ./snakeoil-keys.nix; 9 + peer = import ./make-peer.nix; 10 + commonConfig = 11 + { pkgs, ... }: 12 + { 13 + boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs); 14 14 networking.nftables.enable = nftables; 15 15 # Make sure iptables doesn't work with nftables enabled 16 16 boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ]; 17 17 }; 18 - in 19 - { 20 - name = "wg-quick"; 18 + in 19 + { 20 + name = "wg-quick"; 21 21 22 - nodes = { 23 - peer0 = peer { 24 - ip4 = "192.168.0.1"; 25 - ip6 = "fd00::1"; 26 - extraConfig = lib.mkMerge [ 27 - commonConfig 28 - { 29 - networking.firewall.allowedUDPPorts = [ 23542 ]; 30 - networking.wg-quick.interfaces.wg0 = { 31 - address = [ 32 - "10.23.42.1/32" 33 - "fc00::1/128" 34 - ]; 35 - listenPort = 23542; 22 + nodes = { 23 + peer0 = peer { 24 + ip4 = "192.168.0.1"; 25 + ip6 = "fd00::1"; 26 + extraConfig = { 27 + imports = [ commonConfig ]; 36 28 37 - inherit (wg-snakeoil-keys.peer0) privateKey; 29 + networking.firewall.allowedUDPPorts = [ 23542 ]; 30 + networking.wg-quick.interfaces.wg0 = { 31 + address = [ 32 + "10.23.42.1/32" 33 + "fc00::1/128" 34 + ]; 35 + listenPort = 23542; 38 36 39 - peers = lib.singleton { 40 - allowedIPs = [ 41 - "10.23.42.2/32" 42 - "fc00::2/128" 43 - ]; 37 + inherit (wg-snakeoil-keys.peer0) privateKey; 38 + 39 + peers = lib.singleton { 40 + allowedIPs = [ 41 + "10.23.42.2/32" 42 + "fc00::2/128" 43 + ]; 44 44 45 - inherit (wg-snakeoil-keys.peer1) publicKey; 46 - }; 45 + inherit (wg-snakeoil-keys.peer1) publicKey; 46 
+ }; 47 47 48 - dns = [ 49 - "10.23.42.2" 50 - "fc00::2" 51 - "wg0" 52 - ]; 53 - }; 54 - } 55 - ]; 48 + dns = [ 49 + "10.23.42.2" 50 + "fc00::2" 51 + "wg0" 52 + ]; 53 + }; 56 54 }; 55 + }; 57 56 58 - peer1 = peer { 59 - ip4 = "192.168.0.2"; 60 - ip6 = "fd00::2"; 61 - extraConfig = lib.mkMerge [ 62 - commonConfig 63 - { 64 - networking.useNetworkd = true; 65 - networking.wg-quick.interfaces.wg0 = { 66 - address = [ 67 - "10.23.42.2/32" 68 - "fc00::2/128" 69 - ]; 70 - inherit (wg-snakeoil-keys.peer1) privateKey; 57 + peer1 = peer { 58 + ip4 = "192.168.0.2"; 59 + ip6 = "fd00::2"; 60 + extraConfig = { 61 + imports = [ commonConfig ]; 71 62 72 - peers = lib.singleton { 73 - allowedIPs = [ 74 - "0.0.0.0/0" 75 - "::/0" 76 - ]; 77 - endpoint = "192.168.0.1:23542"; 78 - persistentKeepalive = 25; 63 + networking.useNetworkd = true; 64 + networking.wg-quick.interfaces.wg0 = { 65 + address = [ 66 + "10.23.42.2/32" 67 + "fc00::2/128" 68 + ]; 69 + inherit (wg-snakeoil-keys.peer1) privateKey; 70 + 71 + peers = lib.singleton { 72 + allowedIPs = [ 73 + "0.0.0.0/0" 74 + "::/0" 75 + ]; 76 + endpoint = "192.168.0.1:23542"; 77 + persistentKeepalive = 25; 79 78 80 - inherit (wg-snakeoil-keys.peer0) publicKey; 81 - }; 79 + inherit (wg-snakeoil-keys.peer0) publicKey; 80 + }; 82 81 83 - dns = [ 84 - "10.23.42.1" 85 - "fc00::1" 86 - "wg0" 87 - ]; 88 - }; 89 - } 90 - ]; 82 + dns = [ 83 + "10.23.42.1" 84 + "fc00::1" 85 + "wg0" 86 + ]; 87 + }; 91 88 }; 92 89 }; 90 + }; 93 91 94 - testScript = '' 95 - start_all() 92 + testScript = '' 93 + start_all() 96 94 97 - peer0.wait_for_unit("wg-quick-wg0.service") 98 - peer1.wait_for_unit("wg-quick-wg0.service") 95 + peer0.wait_for_unit("wg-quick-wg0.service") 96 + peer1.wait_for_unit("wg-quick-wg0.service") 99 97 100 - peer1.succeed("ping -c5 fc00::1") 101 - peer1.succeed("ping -c5 10.23.42.1") 102 - ''; 103 - } 104 - ) 98 + peer1.succeed("ping -c5 fc00::1") 99 + peer1.succeed("ping -c5 10.23.42.1") 100 + ''; 101 + }
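Review bot: `commonConfig` (new lines 10–17) takes `{ pkgs, ... }:` but reaches for the test file's outer `lib` in `lib.mkIf`, whereas every other node module in this commit (basic.nix, amneziawg.nix, networkd.nix, generated.nix) requests `lib` from its own arguments with `{ lib, pkgs, ... }:`. Both presumably resolve to the same nixpkgs lib, so this is a point of style, but taking `lib` from the module arguments keeps the helper self-contained and consistent with its siblings: `commonConfig = { lib, pkgs, ... }: {`. amneziawg-quick.nix has the identical `commonConfig` and should change the same way.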