diff --git a/tests/acls/disjointed-meshes.nix b/tests/acls/disjointed-meshes.nix
new file mode 100644
index 0000000..bff34f2
--- /dev/null
+++ b/tests/acls/disjointed-meshes.nix
@@ -0,0 +1,90 @@
+{
+ version = "v1";
+ subnets = [
+ {
+ name = "disjoint1";
+ endpoints = [
+ {
+ # No match mean match any
+ port = 51820;
+ }
+ ];
+ }
+ {
+ name = "disjoint2";
+ endpoints = [
+ {
+ # No match mean match any
+ port = 51821;
+ }
+ ];
+ }
+ ];
+ groups = [
+ # groups field is expected, but can be empty
+ ];
+ peers = [
+ {
+ name = "node1";
+ subnets = {
+ disjoint1 = {
+ listenPort = 51820;
+ # empty ipAddresses will auto generate an IPv6 address
+ };
+ };
+ publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
+ privateKeyFile = "/etc/wg-key";
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node1";
+ }
+ ];
+ }
+ {
+ name = "node2";
+ subnets = {
+ disjoint1 = {
+ listenPort = 51820;
+ };
+ disjoint2 = {
+ listenPort = 51821;
+ };
+ };
+ publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
+ privateKeyFile = "/etc/wg-key";
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node2";
+ }
+ ];
+ }
+ {
+ name = "node3";
+ subnets = {
+ disjoint2 = {
+ listenPort = 51821;
+ };
+ };
+ publicKey = "VR5SILc/2MkWSeGOVAJ/0Ru5H4DFheNvNUiT0fPtgiI=";
+ privateKeyFile = "/etc/wg-key";
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node3";
+ }
+ ];
+ }
+ ];
+ connections = [
+ {
+ a = [{type= "subnet"; rule = "is"; value = "disjoint1";}];
+ b = [{type= "subnet"; rule = "is"; value = "disjoint1";}];
+ }
+ {
+ a = [{type= "subnet"; rule = "is"; value = "disjoint2";}];
+ b = [{type= "subnet"; rule = "is"; value = "disjoint2";}];
+ }
+ ];
+}
\ No newline at end of file
diff --git a/tests/disjointed-meshes.nix b/tests/disjointed-meshes.nix
new file mode 100644
index 0000000..6079c3c
--- /dev/null
+++ b/tests/disjointed-meshes.nix
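Review bot: The `connections` entries pair a subnet matcher with itself, and nothing in the file states that node2, the only peer listed under both `disjoint1` and `disjoint2`, must not end up with cross-subnet allowed-ips; since the test built on this ACL is about isolating the two meshes, a comment on `connections` such as `# node2 is in both meshes; these two rules must not let it bridge them` would record that expectation. Whether the ACL evaluator could ever merge peers across subnets cannot be told from this hunk. The endpoint comments disagree in wording (`# No match mean match any` vs `# no match can be any`); `# No match means match any` reads correctly and could be used for all of them. `type= "subnet"` is spaced differently from the other attributes in the same set.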
@@ -0,0 +1,78 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+(import ./lib.nix) ({wnlib}:
+{
+ name = "disjointed-meshes connection";
+ nodes = {
+ # `self` here is set by using specialArgs in `lib.nix`
+ node1 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ peerName = "node1";
+ aclConfig = import ./acls/disjointed-meshes.nix;
+ };
+ # Don't do this! This is for testing only!
+ environment.etc."wg-key" = {
+ text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
+ };
+ networking.firewall.enable = false;
+ };
+
+ node2 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ peerName = "node2";
+ aclConfig = import ./acls/disjointed-meshes.nix;
+ };
+ environment.etc."wg-key" = {
+ text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ };
+ networking.firewall.enable = false;
+ };
+
+ node3 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ peerName = "node3";
+ aclConfig = import ./acls/disjointed-meshes.nix;
+ };
+ environment.etc."wg-key" = {
+ text = "MFsj7nmb2efBFNwON8RxZf+MHbopTY9P3+/xhiqJFlM=";
+ };
+ networking.firewall.enable = false;
+ };
+ };
+ # This is the test code that will check if our service is running correctly:
+ testScript = ''
+ start_all()
+ node1.wait_for_unit("wireguard-disjoint1-peer-node2")
+ node2.wait_for_unit("wireguard-disjoint1-peer-node1")
+ node2.wait_for_unit("wireguard-disjoint2-peer-node3")
+ node3.wait_for_unit("wireguard-disjoint2-peer-node2")
+
+ node1.succeed("wg show >&2")
+ node2.succeed("wg show >&2")
+ node3.succeed("wg show >&2")
+
+ node1.succeed("ping -c 1 node2.disjoint1")
+ node1.fail("ping -c 1 node3.disjoint2")
+
+ node2.succeed("ping -c 1 node1.disjoint1")
+ node2.succeed("ping -c 1 node3.disjoint2")
+
+ node3.fail("ping -c 1 node1.disjoint1")
+ node3.succeed("ping -c 1 node2.disjoint2")
+ '';
+})
\ No newline at end of file
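Review bot: `node1.fail("ping -c 1 node3.disjoint2")` and `node3.fail("ping -c 1 node1.disjoint1")` each run on a peer that has no interface in the target mesh, so they presumably fail on name resolution or a missing route regardless of the ACL, and the script never checks that node2, the only peer in both meshes, is not forwarding between them. A check on node2 that its disjoint1 peers carry no disjoint2 addresses, for example `node2.succeed("wg show disjoint1 allowed-ips >&2")` followed by an assertion that the output does not contain `<disjoint2 prefix>` (interface names inferred from the unit names; the prefix is not in the hunk), would pin the isolation the test is named for. The `# Don't do this! This is for testing only!` warning above the embedded `wg-key` is present only under node1; node2 and node3 embed their keys the same way and should carry it too. `pkgs` is destructured but unused in all three node functions.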