talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixosTests.wireguard: handleTest -> runTest

Browse Source 
(cherry picked from commit 71d0e1c8b5ffc0a4e8b6a85ce85b1a32d2dbcf8a)
This commit is contained in:
Sizhe Zhao 2025-07-13 23:06:35 +08:00
parent 0ba7638e25
commit ef29596a75
No known key found for this signature in database
GPG Key ID: ED1807251A7DA08F
11 changed files with 532 additions and 534 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/tests/all-tests.nix
View File

@ -1553,7 +1553,10 @@ in
whoogle-search = runTest ./whoogle-search.nix;
wiki-js = runTest ./wiki-js.nix;
wine = handleTest ./wine.nix { };
wireguard = handleTest ./wireguard { };
wireguard = import ./wireguard {
inherit pkgs runTest;
inherit (pkgs) lib;
};
wg-access-server = runTest ./wg-access-server.nix;
without-nix = runTest ./without-nix.nix;
wmderland = runTest ./wmderland.nix;

211
nixos/tests/wireguard/amneziawg-quick.nix
View File

@ -1,125 +1,120 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix { inherit lib; };
commonConfig = {
boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;
{
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
commonConfig =
{ pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.nftables.enable = nftables;
# Make sure iptables doesn't work with nftables enabled
boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];
};
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg-quick";
meta = with pkgs.lib.maintainers; {
maintainers = [
averyanalex
azahi
];
};
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg-quick";
meta.maintainers = with lib.maintainers; [
averyanalex
azahi
];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = lib.mkMerge [
commonConfig
{
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
imports = [ commonConfig ];
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
inherit (wg-snakeoil-keys.peer0) privateKey;
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer0) privateKey;
inherit (wg-snakeoil-keys.peer1) publicKey;
};
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
inherit extraOptions;
};
}
];
};
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = lib.mkMerge [
commonConfig
{
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
inherit extraOptions;
};
}
];
inherit extraOptions;
};
};
};
testScript = ''
start_all()
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
imports = [ commonConfig ];
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
inherit extraOptions;
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}

101
nixos/tests/wireguard/amneziawg.nix
View File

@ -1,36 +1,34 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = (import ./make-peer.nix) { inherit lib; };
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg";
meta = with pkgs.lib.maintainers; {
maintainers = [
averyanalex
azahi
];
};
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg";
meta.maintainers = with lib.maintainers; [
averyanalex
azahi
];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
type = "amneziawg";
@ -54,13 +52,15 @@ import ../make-test-python.nix (
inherit extraOptions;
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
type = "amneziawg";
ips = [
@ -85,27 +85,26 @@ import ../make-test-python.nix (
postSetup =
let
inherit (pkgs) iproute2;
ip = lib.getExe' pkgs.iproute2 "ip";
in
''
${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute2}/bin/ip route replace fc00::1/128 dev wg0
${ip} route replace 10.23.42.1/32 dev wg0
${ip} route replace fc00::1/128 dev wg0
'';
inherit extraOptions;
};
};
};
};
};
testScript = ''
start_all()
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}

81
nixos/tests/wireguard/basic.nix
View File

@ -1,26 +1,24 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = (import ./make-peer.nix) { inherit lib; };
in
{
name = "wireguard";
meta = with pkgs.lib.maintainers; {
maintainers = [ ma27 ];
};
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
in
{
name = "wireguard";
meta.maintainers = with lib.maintainers; [ ma27 ];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [
@ -41,13 +39,15 @@ import ../make-test-python.nix (
};
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
ips = [
"10.23.42.2/32"
@ -71,25 +71,24 @@ import ../make-test-python.nix (
postSetup =
let
inherit (pkgs) iproute2;
ip = lib.getExe' pkgs.iproute2 "ip";
in
''
${iproute2}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute2}/bin/ip route replace fc00::1/128 dev wg0
${ip} route replace 10.23.42.1/32 dev wg0
${ip} route replace fc00::1/128 dev wg0
'';
};
};
};
};
};
testScript = ''
start_all()
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}

35
nixos/tests/wireguard/default.nix
View File

@ -1,46 +1,49 @@
{
system ? builtins.currentSystem,
config ? { },
pkgs ? import ../../.. { inherit system config; },
runTest,
lib,
pkgs,
# Test current default (LTS) and latest kernel
kernelVersionsToTest ? [
(pkgs.lib.versions.majorMinor pkgs.linuxPackages.kernel.version)
(lib.versions.majorMinor pkgs.linuxPackages.kernel.version)
"latest"
],
}:
with pkgs.lib;
let
tests =
let
callTest = p: args: import p ({ inherit system pkgs; } // args);
callTest =
p: args:
runTest {
imports = [ p ];
_module = { inherit args; };
};
in
{
basic = callTest ./basic.nix;
amneziawg = callTest ./amneziawg.nix;
namespaces = callTest ./namespaces.nix;
networkd = callTest ./networkd.nix;
wg-quick = callTest ./wg-quick.nix;
wg-quick = args: callTest ./wg-quick.nix ({ nftables = false; } // args);
wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);
amneziawg-quick = callTest ./amneziawg-quick.nix;
amneziawg-quick = args: callTest ./amneziawg-quick.nix ({ nftables = false; } // args);
generated = callTest ./generated.nix;
dynamic-refresh = callTest ./dynamic-refresh.nix;
dynamic-refresh = args: callTest ./dynamic-refresh.nix ({ useNetworkd = false; } // args);
dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);
};
in
listToAttrs (
flip concatMap kernelVersionsToTest (
lib.listToAttrs (
lib.flip lib.concatMap kernelVersionsToTest (
version:
let
v' = replaceStrings [ "." ] [ "_" ] version;
v' = lib.replaceString "." "_" version;
in
flip mapAttrsToList tests (
lib.flip lib.mapAttrsToList tests (
name: test:
nameValuePair "wireguard-${name}-linux-${v'}" (test {
lib.nameValuePair "wireguard-${name}-linux-${v'}" (test {
kernelPackages =
if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";
pkgs: if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";
})
)
)

138
nixos/tests/wireguard/dynamic-refresh.nix
View File

@ -1,27 +1,25 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
useNetworkd ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
{
name = "wireguard-dynamic-refresh";
meta = with lib.maintainers; {
maintainers = [ majiir ];
};
{
lib,
kernelPackages ? null,
useNetworkd ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
{
name = "wireguard-dynamic-refresh";
meta.maintainers = with lib.maintainers; [ majiir ];
nodes = {
server = {
nodes = {
server =
{ lib, pkgs, ... }:
{
virtualisation.vlans = [
1
2
];
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.useDHCP = false;
networking.wireguard.useNetworkd = useNetworkd;
@ -40,66 +38,70 @@ import ../make-test-python.nix (
};
};
client =
{ nodes, ... }:
{
virtualisation.vlans = [
1
2
];
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
networking.useDHCP = false;
networking.wireguard.useNetworkd = useNetworkd;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" ];
client =
{
nodes,
lib,
pkgs,
...
}:
{
virtualisation.vlans = [
1
2
];
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.useDHCP = false;
networking.wireguard.useNetworkd = useNetworkd;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" ];
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);
dynamicEndpointRefreshSeconds = 2;
dynamicEndpointRefreshSeconds = 2;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "server:23542";
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "server:23542";
inherit (wg-snakeoil-keys.peer0) publicKey;
};
};
specialisation.update-hosts.configuration = {
networking.extraHosts =
let
testCfg = nodes.server.virtualisation.test;
in
lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";
inherit (wg-snakeoil-keys.peer0) publicKey;
};
};
};
testScript =
{ nodes, ... }:
''
start_all()
specialisation.update-hosts.configuration = {
networking.extraHosts =
let
testCfg = nodes.server.virtualisation.test;
in
lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";
};
};
};
server.systemctl("start network-online.target")
server.wait_for_unit("network-online.target")
testScript =
{ nodes, ... }:
''
start_all()
client.systemctl("start network-online.target")
client.wait_for_unit("network-online.target")
server.systemctl("start network-online.target")
server.wait_for_unit("network-online.target")
client.succeed("ping -n -w 1 -c 1 10.23.42.1")
client.systemctl("start network-online.target")
client.wait_for_unit("network-online.target")
client.succeed("ip link set down eth1")
client.succeed("ping -n -w 1 -c 1 10.23.42.1")
client.fail("ping -n -w 1 -c 1 10.23.42.1")
client.succeed("ip link set down eth1")
with client.nested("update hosts file"):
client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")
client.fail("ping -n -w 1 -c 1 10.23.42.1")
client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")
'';
}
)
with client.nested("update hosts file"):
client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")
client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")
'';
}

95
nixos/tests/wireguard/generated.nix
View File

@ -1,22 +1,20 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
...
}:
{
name = "wireguard-generated";
meta = with pkgs.lib.maintainers; {
maintainers = [
ma27
grahamc
];
};
{
lib,
kernelPackages ? null,
...
}:
{
name = "wireguard-generated";
meta.maintainers = with lib.maintainers; [
ma27
grahamc
];
nodes = {
peer1 = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
nodes = {
peer1 =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 12345 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.10.10.1/24" ];
@ -27,8 +25,10 @@ import ../make-test-python.nix (
};
};
peer2 = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
peer2 =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 12345 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.10.10.2/24" ];
@ -37,38 +37,37 @@ import ../make-test-python.nix (
generatePrivateKeyFile = true;
};
};
};
};
testScript = ''
start_all()
testScript = ''
start_all()
peer1.wait_for_unit("wireguard-wg0.service")
peer2.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer2.wait_for_unit("wireguard-wg0.service")
retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer1")
retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer1")
retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer2")
retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer2")
peer1.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(
peer2pubkey.strip()
)
)
peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")
peer1.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(
peer2pubkey.strip()
)
)
peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")
peer2.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(
peer1pubkey.strip()
)
)
peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")
peer2.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(
peer1pubkey.strip()
)
)
peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")
peer1.succeed("ping -c1 10.10.10.2")
peer2.succeed("ping -c1 10.10.10.1")
'';
}
)
peer1.succeed("ping -c1 10.10.10.2")
peer2.succeed("ping -c1 10.10.10.1")
'';
}

53
nixos/tests/wireguard/make-peer.nix
View File

@ -1,32 +1,33 @@
{ lib, ... }:
{
ip4,
ip6,
extraConfig,
}:
lib.mkMerge [
{
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
{
imports = [
{
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = ip6;
prefixLength = 64;
}
];
};
}
extraConfig
]
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = ip6;
prefixLength = 64;
}
];
};
}
extraConfig
];
}

87
nixos/tests/wireguard/namespaces.nix
View File

@ -1,3 +1,8 @@
{
lib,
kernelPackages ? null,
...
}:
let
listenPort = 12345;
socketNamespace = "foo";
@ -10,27 +15,18 @@ let
generatePrivateKeyFile = true;
};
};
in
{
name = "wireguard-with-namespaces";
meta.maintainers = with lib.maintainers; [ asymmetric ];
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
...
}:
{
name = "wireguard-with-namespaces";
meta = with pkgs.lib.maintainers; {
maintainers = [ asymmetric ];
};
nodes = {
# interface should be created in the socketNamespace
# and not moved from there
peer0 = pkgs.lib.attrsets.recursiveUpdate node {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
nodes = {
# interface should be created in the socketNamespace
# and not moved from there
peer0 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
@ -38,10 +34,12 @@ import ../make-test-python.nix (
inherit socketNamespace;
};
};
# interface should be created in the init namespace
# and moved to the interfaceNamespace
peer1 = pkgs.lib.attrsets.recursiveUpdate node {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
# interface should be created in the init namespace
# and moved to the interfaceNamespace
peer1 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${interfaceNamespace}
@ -50,10 +48,12 @@ import ../make-test-python.nix (
inherit interfaceNamespace;
};
};
# interface should be created in the socketNamespace
# and moved to the interfaceNamespace
peer2 = pkgs.lib.attrsets.recursiveUpdate node {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
# interface should be created in the socketNamespace
# and moved to the interfaceNamespace
peer2 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
@ -62,10 +62,12 @@ import ../make-test-python.nix (
inherit socketNamespace interfaceNamespace;
};
};
# interface should be created in the socketNamespace
# and moved to the init namespace
peer3 = pkgs.lib.attrsets.recursiveUpdate node {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
# interface should be created in the socketNamespace
# and moved to the init namespace
peer3 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
@ -74,18 +76,17 @@ import ../make-test-python.nix (
interfaceNamespace = "init";
};
};
};
};
testScript = ''
start_all()
testScript = ''
start_all()
for machine in peer0, peer1, peer2, peer3:
machine.wait_for_unit("wireguard-wg0.service")
for machine in peer0, peer1, peer2, peer3:
machine.wait_for_unit("wireguard-wg0.service")
peer0.succeed("ip -n ${socketNamespace} link show wg0")
peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
peer3.succeed("ip link show wg0")
'';
}
)
peer0.succeed("ip -n ${socketNamespace} link show wg0")
peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
peer3.succeed("ip link show wg0")
'';
}

85
nixos/tests/wireguard/networkd.nix
View File

@ -1,26 +1,24 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = (import ./make-peer.nix) { inherit lib; };
in
{
name = "wireguard-networkd";
meta = with pkgs.lib.maintainers; {
maintainers = [ majiir ];
};
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
in
{
name = "wireguard-networkd";
meta.maintainers = with lib.maintainers; [ majiir ];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.useNetworkd = true;
networking.wireguard.interfaces.wg0 = {
@ -46,13 +44,15 @@ import ../make-test-python.nix (
};
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.useNetworkd = true;
networking.wireguard.interfaces.wg0 = {
ips = [
@ -79,24 +79,23 @@ import ../make-test-python.nix (
};
};
};
};
};
};
testScript = ''
start_all()
testScript = ''
start_all()
peer0.systemctl("start network-online.target")
peer0.wait_for_unit("network-online.target")
peer0.systemctl("start network-online.target")
peer0.wait_for_unit("network-online.target")
peer1.systemctl("start network-online.target")
peer1.wait_for_unit("network-online.target")
peer1.systemctl("start network-online.target")
peer1.wait_for_unit("network-online.target")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
with subtest("Has PSK set"):
peer0.succeed("wg | grep 'preshared key'")
peer1.succeed("wg | grep 'preshared key'")
'';
}
)
with subtest("Has PSK set"):
peer0.succeed("wg | grep 'preshared key'")
peer1.succeed("wg | grep 'preshared key'")
'';
}

175
nixos/tests/wireguard/wg-quick.nix
View File

@ -1,104 +1,101 @@
import ../make-test-python.nix (
{
pkgs,
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix { inherit lib; };
commonConfig = {
boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;
{
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
commonConfig =
{ pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.nftables.enable = nftables;
# Make sure iptables doesn't work with nftables enabled
boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];
};
in
{
name = "wg-quick";
in
{
name = "wg-quick";
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = lib.mkMerge [
commonConfig
{
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
imports = [ commonConfig ];
inherit (wg-snakeoil-keys.peer0) privateKey;
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer0) privateKey;
inherit (wg-snakeoil-keys.peer1) publicKey;
};
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
};
}
];
};
inherit (wg-snakeoil-keys.peer1) publicKey;
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = lib.mkMerge [
commonConfig
{
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
};
}
];
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
};
};
};
testScript = ''
start_all()
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
imports = [ commonConfig ];
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}