nixos/tests/iodine.nix

   1 import ./make-test-python.nix (
   2   { pkgs, ... }: let
   3     domain = "whatever.example.com";
   4     password = "false;foo;exit;withspecialcharacters";
   5   in
   6     {
   7       name = "iodine";
   8       nodes = {
   9         server =
  10           { ... }:
  11
  12             {
  13               networking.firewall = {
  14                 allowedUDPPorts = [ 53 ];
  15                 trustedInterfaces = [ "dns0" ];
  16               };
  17               boot.kernel.sysctl = {
  18                 "net.ipv4.ip_forward" = 1;
  19                 "net.ipv6.ip_forward" = 1;
  20               };
  21
  22               services.iodine.server = {
  23                 enable = true;
  24                 ip = "10.53.53.1/24";
  25                 passwordFile = "${builtins.toFile "password" password}";
  26                 inherit domain;
  27               };
  28
  29               # test resource: accessible only via tunnel
  30               services.openssh = {
  31                 enable = true;
  32                 openFirewall = false;
  33               };
  34             };
  35
  36         client =
  37           { ... }: {
  38             services.iodine.clients.testClient = {
  39               # test that ProtectHome is "read-only"
  40               passwordFile = "/root/pw";
  41               relay = "server";
  42               server = domain;
  43             };
  44             systemd.tmpfiles.rules = [
  45               "f /root/pw 0666 root root - ${password}"
  46             ];
  47             environment.systemPackages = [
  48               pkgs.nagiosPluginsOfficial
  49             ];
  50           };
  51
  52       };
  53
  54       testScript = ''
  55         start_all()
  56
  57         server.wait_for_unit("sshd")
  58         server.wait_for_unit("iodined")
  59         client.wait_for_unit("iodine-testClient")
  60
  61         client.succeed("check_ssh -H 10.53.53.1")
  62       '';
  63     }
  64 )