nixos/tests/wireguard/dynamic-refresh.nix

   1 import ../make-test-python.nix (
   2   {
   3     pkgs,
   4     lib,
   5     kernelPackages ? null,
   6     useNetworkd ? false,
   7     ...
   8   }:
   9   let
  10     wg-snakeoil-keys = import ./snakeoil-keys.nix;
  11   in
  12   {
  13     name = "wireguard-dynamic-refresh";
  14     meta = with lib.maintainers; {
  15       maintainers = [ majiir ];
  16     };
  17
  18     nodes = {
  19       server = {
  20         virtualisation.vlans = [
  21           1
  22           2
  23         ];
  24         boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
  25         networking.firewall.allowedUDPPorts = [ 23542 ];
  26         networking.useDHCP = false;
  27         networking.wireguard.useNetworkd = useNetworkd;
  28         networking.wireguard.interfaces.wg0 = {
  29           ips = [ "10.23.42.1/32" ];
  30           listenPort = 23542;
  31
  32           # !!! Don't do this with real keys. The /nix store is world-readable!
  33           privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer0.privateKey);
  34
  35           peers = lib.singleton {
  36             allowedIPs = [ "10.23.42.2/32" ];
  37
  38             inherit (wg-snakeoil-keys.peer1) publicKey;
  39           };
  40         };
  41       };
  42
  43       client =
  44         { nodes, ... }:
  45         {
  46           virtualisation.vlans = [
  47             1
  48             2
  49           ];
  50           boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
  51           networking.useDHCP = false;
  52           networking.wireguard.useNetworkd = useNetworkd;
  53           networking.wireguard.interfaces.wg0 = {
  54             ips = [ "10.23.42.2/32" ];
  55
  56             # !!! Don't do this with real keys. The /nix store is world-readable!
  57             privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);
  58
  59             dynamicEndpointRefreshSeconds = 2;
  60
  61             peers = lib.singleton {
  62               allowedIPs = [
  63                 "0.0.0.0/0"
  64                 "::/0"
  65               ];
  66               endpoint = "server:23542";
  67
  68               inherit (wg-snakeoil-keys.peer0) publicKey;
  69             };
  70           };
  71
  72           specialisation.update-hosts.configuration = {
  73             networking.extraHosts =
  74               let
  75                 testCfg = nodes.server.virtualisation.test;
  76               in
  77               lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";
  78           };
  79         };
  80     };
  81
  82     testScript =
  83       { nodes, ... }:
  84       ''
  85         start_all()
  86
  87         server.systemctl("start network-online.target")
  88         server.wait_for_unit("network-online.target")
  89
  90         client.systemctl("start network-online.target")
  91         client.wait_for_unit("network-online.target")
  92
  93         client.succeed("ping -n -w 1 -c 1 10.23.42.1")
  94
  95         client.succeed("ip link set down eth1")
  96
  97         client.fail("ping -n -w 1 -c 1 10.23.42.1")
  98
  99         with client.nested("update hosts file"):
 100           client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")
 101
 102         client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")
 103       '';
 104   }
 105 )