# NixOS VM tests for the Teleport service module.
#
# Arguments (all optional):
#   system - platform the test VMs are built for; defaults to the evaluating
#            machine's own platform.
#   config - nixpkgs configuration passed along when the package set is imported.
#   pkgs   - package set; by default imported from two directories above this file.
#   lib    - library functions; defaults to pkgs.lib.
{
  system ? builtins.currentSystem,
  config ? { },
  pkgs ? import ../.. { inherit system config; },
  lib ? pkgs.lib,
}:

# Put everything exported by testing-python.nix in scope. `makeTest`, which the
# rest of this file calls, is not defined here and presumably comes from this import.
with import ../lib/testing-python.nix { inherit system pkgs; };
let
  # Teleport builds to exercise. Each key becomes the suffix of the generated
  # test attribute names (for example "minimal_default" or "basic_15").
  packages = {
    "default" = pkgs.teleport;
    "15" = pkgs.teleport_15;
  };

  # Node that only switches the service on with the given package. No
  # `settings` are supplied, so the module's own defaults are what run.
  minimal = package: {
    services.teleport.enable = true;
    services.teleport.package = package;
  };

  # SSH-only node (auth and proxy services disabled) that joins the cluster
  # run by `server` over the 192.168.1.0/24 test network.
  client = package: {
    services.teleport = {
      inherit package;
      enable = true;
      settings = {
        proxy_service.enabled = false;
        auth_service.enabled = false;
        ssh_service = {
          enabled = true;
          # The basic test looks this label up through `tctl get nodes`.
          labels.role = "client";
        };
        teleport = {
          nodename = "client";
          advertise_ip = "192.168.1.20";
          # Static join token. It has to equal the part after "node:" in the
          # server's auth_service.tokens, otherwise the client cannot register.
          # NOTE(review): a fixed literal is fine for a throwaway test VM, but a
          # token written into a Nix expression is readable by anyone who can
          # read the evaluated configuration; do not copy this pattern into a
          # real deployment.
          auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
          # The server's address on port 3025, the one port its firewall opens.
          auth_servers = [ "192.168.1.10:3025" ];
          # Verbose logging is deliberate: the basic test greps the journal for
          # 'DEBU' to confirm that `settings` reached the daemon.
          log.severity = "DEBUG";
        };
      };
    };
    networking.interfaces.eth1.ipv4.addresses = [
      {
        address = "192.168.1.20";
        prefixLength = 24;
      }
    ];
  };

  # Node running the auth, proxy and SSH services; the client joins it.
  server = package: {
    services.teleport = {
      inherit package;
      enable = true;
      # The basic test waits for port 3000 on this node, presumably the
      # listener this option turns on (confirm against the module).
      diag.enable = true;
      # NOTE(review): what "insecure mode" relaxes is not visible in this file.
      # The basic test only asserts that the daemon logs
      # 'Starting teleport in insecure mode.', i.e. that the option is plumbed
      # through. Treat it as a test-only setting.
      insecure.enable = true;
      settings = {
        teleport = {
          nodename = "server";
          advertise_ip = "192.168.1.10";
        };
        auth_service = {
          enabled = true;
          # Statically provisioned join token; the value after the "node:"
          # prefix is the client's auth_token. The prefix presumably names the
          # role the token may join as (confirm against Teleport's docs).
          tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
        };
        proxy_service.enabled = true;
        ssh_service.enabled = true;
      };
    };
    # Only 3025 is opened, the port the client's auth_servers entry points at.
    networking.firewall.allowedTCPPorts = [ 3025 ];
    networking.interfaces.eth1.ipv4.addresses = [
      {
        address = "192.168.1.10";
        prefixLength = 24;
      }
    ];
  };
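in
# Build one pair of tests per entry in `packages`. The attribute names carry the
# package key as a suffix ("minimal_default", "basic_15", ...) and all the
# resulting attribute sets are merged into one.
lib.concatMapAttrs
  (name: package: {
    "minimal_${name}" = makeTest {
      # minimal setup should always work
      name = "teleport-minimal-setup";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes.minimal = minimal package;

      # Passes once the node listens on 3025, 3080 and 3022. 3025 is the auth
      # port used elsewhere in this file; the other two are presumably the
      # proxy and SSH listeners of a default configuration.
      testScript = ''
        minimal.wait_for_open_port(3025)
        minimal.wait_for_open_port(3080)
        minimal.wait_for_open_port(3022)
      '';
    };

    "basic_${name}" = makeTest {
      # basic server and client test
      name = "teleport-server-client";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes = {
        server = server package;
        client = client package;
      };

      # Checks, in order:
      #   1. the server listens on 3025 and the client on 3022;
      #   2. `tctl get nodes` on the server lists a node with hostname "client"
      #      whose `role` label is "client". `jq -e` turns a false/null result
      #      into a non-zero exit status, so wait_until_succeeds keeps retrying
      #      until the client has actually joined with the static token;
      #   3. the server listens on 3000 (see diag.enable on the server node);
      #   4. the client's journal contains 'DEBU', so log.severity was applied;
      #   5. the server's journal contains the insecure-mode startup line, so
      #      insecure.enable was applied. This asserts option plumbing only.
      testScript = ''
        with subtest("teleport ready"):
            server.wait_for_open_port(3025)
            client.wait_for_open_port(3022)
        with subtest("check applied configuration"):
            server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
            server.wait_for_open_port(3000)
            client.succeed("journalctl -u teleport.service --grep='DEBU'")
            server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
      '';
    };
  })
  packages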