[NixPkgs.git] / nixos / tests / wireguard / networkd.nix
1 import ../make-test-python.nix (
2   {
3     pkgs,
4     lib,
5     kernelPackages ? null,
6     ...
7   }:
8   let
# Fixture key material for both peers, loaded from a file that sits next to
# this test. NOTE(review): the file's contents are not visible here; going by
# its name these are throwaway keys, to be confirmed and never reused outside
# the test suite.
wg-snakeoil-keys = import ./snakeoil-keys.nix;
# Node-config builder shared by the WireGuard tests; it only needs `lib`.
peer = import ./make-peer.nix { inherit lib; };
11   in
12   {
# Test identifier and the maintainer responsible for it.
name = "wireguard-networkd";
meta.maintainers = [ pkgs.lib.maintainers.majiir ];
18     nodes = {
# peer0: the listening side of the tunnel. No `endpoint` is set for its peer,
# so it relies on peer1 contacting it on listenPort.
peer0 = peer {
  ip4 = "192.168.0.1";
  ip6 = "fd00::1";
  extraConfig = {
    # Override the kernel only when the caller supplied kernelPackages.
    boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

    networking = {
      # Open the WireGuard listen port so peer1's packets are not dropped.
      firewall.allowedUDPPorts = [ 23542 ];

      wireguard = {
        # Have systemd-networkd manage the interface.
        useNetworkd = true;

        interfaces.wg0 = {
          ips = [
            "10.23.42.1/32"
            "fc00::1/128"
          ];
          listenPort = 23542;

          # !!! Don't do this with real keys. The /nix store is world-readable!
          # pkgs.writeText copies the secret into a store path that every
          # local user can read. That is tolerable only for test fixture keys;
          # a real deployment points privateKeyFile at a file outside the
          # store with restrictive permissions.
          privateKeyFile = "${pkgs.writeText "privateKey" wg-snakeoil-keys.peer0.privateKey}";

          peers = [
            {
              publicKey = wg-snakeoil-keys.peer1.publicKey;

              # Restricted to peer1's own tunnel addresses (a /32 and a /128),
              # so only those source addresses are accepted from this peer.
              allowedIPs = [
                "10.23.42.2/32"
                "fc00::2/128"
              ];

              # !!! Don't do this with real keys. The /nix store is world-readable!
              presharedKeyFile = "${pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey}";
            }
          ];
        };
      };
    };
  };
};
# peer1: the initiating side. It knows peer0's endpoint and opens no firewall
# port of its own in this block.
peer1 = peer {
  ip4 = "192.168.0.2";
  ip6 = "fd00::2";
  extraConfig = {
    # Override the kernel only when the caller supplied kernelPackages.
    boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };

    networking.wireguard = {
      # Have systemd-networkd manage the interface.
      useNetworkd = true;

      interfaces.wg0 = {
        ips = [
          "10.23.42.2/32"
          "fc00::2/128"
        ];
        listenPort = 23542;

        # !!! Don't do this with real keys. The /nix store is world-readable!
        # pkgs.writeText copies the secret into a store path that every local
        # user can read. That is tolerable only for test fixture keys; a real
        # deployment points privateKeyFile at a file outside the store with
        # restrictive permissions.
        privateKeyFile = "${pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey}";

        peers = [
          {
            publicKey = wg-snakeoil-keys.peer0.publicKey;

            # Where to reach peer0 on the underlay network.
            endpoint = "192.168.0.1:23542";
            # Keepalive interval of 25 (seconds in WireGuard's own config).
            persistentKeepalive = 25;

            # The whole IPv4 and IPv6 space: any source address is accepted
            # from peer0 and any destination may be sent to it.
            # NOTE(review): whether matching routes are installed depends on
            # module/networkd settings not visible in this file.
            allowedIPs = [
              "0.0.0.0/0"
              "::/0"
            ];

            # !!! Don't do this with real keys. The /nix store is world-readable!
            presharedKeyFile = "${pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey}";
          }
        ];
      };
    };
  };
};
83     };
# Python test driver: boots both machines, waits for networking, checks that
# peer1 reaches peer0's tunnel addresses, then checks that a preshared key is
# reported on both ends.
testScript = ''
  start_all()

  # Bring each peer to network-online, one after the other (peer0 first).
  for node in (peer0, peer1):
      node.systemctl("start network-online.target")
      node.wait_for_unit("network-online.target")

  # Reach peer0's tunnel addresses from peer1: IPv6 first, then IPv4.
  for probe in ("ping -c5 fc00::1", "ping -c5 10.23.42.1"):
      peer1.succeed(probe)

  with subtest("Has PSK set"):
      # Passes only if the `wg` output contains a 'preshared key' line.
      for node in (peer0, peer1):
          node.succeed("wg | grep 'preshared key'")
'';
101   }