[NixPkgs.git] / nixos / tests / teleport.nix
# NixOS VM tests for the Teleport service module. For every packaged Teleport
# version this file produces a single-node smoke test and a two-node
# server/client join test.
{
  system ? builtins.currentSystem,
  config ? { },
  pkgs ? import ../.. { inherit system config; },
  lib ? pkgs.lib,
}:

# Brings the Python test-driver helpers (makeTest, used below) into scope.
with import ../lib/testing-python.nix { inherit system pkgs; };

let
  # Teleport package variants under test. Each key becomes the suffix of the
  # generated test attributes (`minimal_<key>` and `basic_<key>`).
  packages = {
    "default" = pkgs.teleport;
    "14" = pkgs.teleport_14;
    "15" = pkgs.teleport_15;
  };

16   minimal = package: {
17     services.teleport = {
18       enable = true;
19       inherit package;
20     };
21   };
23   client = package: {
24     services.teleport = {
25       enable = true;
26       inherit package;
27       settings = {
28         teleport = {
29           nodename = "client";
30           advertise_ip = "192.168.1.20";
31           auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
32           auth_servers = [ "192.168.1.10:3025" ];
33           log.severity = "DEBUG";
34         };
35         ssh_service = {
36           enabled = true;
37           labels = {
38             role = "client";
39           };
40         };
41         proxy_service.enabled = false;
42         auth_service.enabled = false;
43       };
44     };
45     networking.interfaces.eth1.ipv4.addresses = [{
46       address = "192.168.1.20";
47       prefixLength = 24;
48     }];
49   };
51   server = package: {
52     services.teleport = {
53       enable = true;
54       inherit package;
55       settings = {
56         teleport = {
57           nodename = "server";
58           advertise_ip = "192.168.1.10";
59         };
60         ssh_service.enabled = true;
61         proxy_service.enabled = true;
62         auth_service = {
63           enabled = true;
64           tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
65         };
66       };
67       diag.enable = true;
68       insecure.enable = true;
69     };
70     networking = {
71       firewall.allowedTCPPorts = [ 3025 ];
72       interfaces.eth1.ipv4.addresses = [{
73         address = "192.168.1.10";
74         prefixLength = 24;
75       }];
76     };
77   };
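in
# Expand every entry of `packages` into two VM tests, keyed by package name:
#   minimal_<name> - single node with module defaults
#   basic_<name>   - server plus client, checking that the client joins and
#                    that the configured options are actually applied
lib.concatMapAttrs
  (name: package: {
    "minimal_${name}" = makeTest {
      # minimal setup should always work
      name = "teleport-minimal-setup";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes.minimal = minimal package;

      # With defaults, the node is expected to listen on 3025, 3080 and 3022
      # (Teleport's default auth, proxy web and SSH ports).
      testScript = ''
        minimal.wait_for_open_port(3025)
        minimal.wait_for_open_port(3080)
        minimal.wait_for_open_port(3022)
      '';
    };

    "basic_${name}" = makeTest {
      # basic server and client test
      name = "teleport-server-client";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes = {
        server = server package;
        client = client package;
      };

      # Checks, in order: both daemons are listening; the client registered
      # with the auth server under hostname "client" with label role=client
      # (i.e. the static token join worked); port 3000 is open on the server;
      # the client logs at debug level; the server logged that it started in
      # insecure mode. The last two assertions pin the deliberately relaxed
      # test-only settings (log.severity, insecure.enable).
      testScript = ''
        with subtest("teleport ready"):
            server.wait_for_open_port(3025)
            client.wait_for_open_port(3022)
        with subtest("check applied configuration"):
            server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
            server.wait_for_open_port(3000)
            client.succeed("journalctl -u teleport.service --grep='DEBU'")
            server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
      '';
    };
  })
  packages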