From 4307607c64583189077bd07901a2889ce2dd8ea8 Mon Sep 17 00:00:00 2001
From: Matthew Salerno
Date: Sun, 20 Aug 2023 00:01:59 -0400
Subject: [PATCH] make tests better
---
 configurers/networkd.nix | 5 +++--
 configurers/static.nix | 1 -
 key-providers/acl.nix | 1 -
 key-providers/agenix-rekey.nix | 1 -
 lib.nix | 4 +---
 tests/acls/mesh.nix | 8 ++++----
 tests/acls/ring.nix | 8 ++++----
 tests/acls/simple.nix | 6 ++++--
 tests/mesh.nix | 31 +++++++++++++++++++++++++++++--
 tests/null.nix | 2 +-
 tests/ring.nix | 12 ++++++++++++
 tests/simple.nix | 6 ++++++
 12 files changed, 64 insertions(+), 21 deletions(-)
diff --git a/configurers/networkd.nix b/configurers/networkd.nix
index cda8011..73ff735 100644
--- a/configurers/networkd.nix
+++ b/configurers/networkd.nix
@@ -29,9 +29,10 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
 Name = "${shortName subnetName}";
 };
 wireguardConfig = {
- PrivateKeyFile = getPrivKeyFile;
 ListenPort = subnetConnection.listenPort;
- } // (if getPrivKeyFile != null then {} else {privateKey = getPrivKey;});
+ # *PLEASE* do not use getPrivKeyfor anything but testing
+ PrivateKeyFile = getPrivKeyFile;
+ };
 wireguardPeers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: {
 wireguardPeerConfig = {
 Endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}";
diff --git a/configurers/static.nix b/configurers/static.nix
index 3e72477..e8e571d 100644
--- a/configurers/static.nix
+++ b/configurers/static.nix
@@ -27,7 +27,6 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
 ips = subnetConnection.ipAddresses;
 listenPort = subnetConnection.listenPort;
 privateKeyFile = getPrivKeyFile;
- privateKey = getPrivKey;
 peers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: {
 name = remotePeerName;
diff --git a/key-providers/acl.nix b/key-providers/acl.nix
index 1872235..6e16f38 100644
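Review bot: The comment added above `PrivateKeyFile = getPrivKeyFile;` tells readers not to use `getPrivKey`, but this same patch deletes `getPrivKey` from lib.nix, key-providers/acl.nix and key-providers/agenix-rekey.nix, so the comment points at a helper that no longer exists (and `getPrivKeyfor` is missing a space). Say what the block now guarantees instead: `# Only a key *file* is ever referenced here; inline private keys are deliberately unsupported so key material is never written into a generated unit.` That rationale is inferred from the removed `privateKey` fallback on the line above rather than stated on the page, so adjust it if the author's reason differs. The `wireguardConfig` attribute set is fully visible, but the enclosing function starts before the hunk.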
--- a/key-providers/acl.nix
+++ b/key-providers/acl.nix
@@ -10,6 +10,5 @@ with builtins;
 {
 getPeerPubKey = remotePeerName: attrByPath [remotePeerName "publicKey"] null intermediateConfig.peers;
 getPrivKeyFile = attrByPath [localPeerName "privateKeyFile"] null intermediateConfig.peers;
- getPrivKey = attrByPath [localPeerName "privateKey"] null intermediateConfig.peers;
 getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets;
 }
\ No newline at end of file
diff --git a/key-providers/agenix-rekey.nix b/key-providers/agenix-rekey.nix
index 29e74b6..7acc383 100644
--- a/key-providers/agenix-rekey.nix
+++ b/key-providers/agenix-rekey.nix
@@ -35,6 +35,5 @@ with builtins;
 };
 getPeerPubKey = remotePeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${remotePeerName}.pub);
 getPrivKeyFile = config.age.secrets."wirenix-peer-${localPeerName}".path;
- getPrivKey = null;
 getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path;
 }
\ No newline at end of file
diff --git a/lib.nix b/lib.nix
index 182c4cc..5834391 100644
--- a/lib.nix
+++ b/lib.nix
@@ -116,13 +116,11 @@ rec {
 let keyProviders = map (x: x inputs intermediateConfig peerName) keyProvidersUninitialized; in
- rec {
+ {
 getPeerPubKey = otherPeerName: findFirst (x: x != null) (throw ("Wirenix: Could not find public key for " + otherPeerName)) (map (provider: provider.getPeerPubKey otherPeerName) keyProviders);
 getPrivKeyFile = findFirst (x: x != null) (if getPrivKey == null then throw ("Wirenix: Could not find private key file for " + peerName) else null) (map (provider: provider.getPrivKeyFile) keyProviders);
- getPrivKey = findFirst (x: x != null) (null)
- (map (provider: provider.getPrivKey) keyProviders);
 getSubnetPSKFile = subnetName: findFirst (x: x != null) (null) (map (provider: provider.getSubnetPSKFile subnetName) keyProviders);
 getProviderConfig = foldl' (x: y: x // y) {} (map (provider: if provider ? config then provider.config else {}) keyProviders);
diff --git a/tests/acls/mesh.nix b/tests/acls/mesh.nix
index 61c960c..b051be1 100644
--- a/tests/acls/mesh.nix
+++ b/tests/acls/mesh.nix
@@ -24,7 +24,7 @@
 };
 };
 publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
- privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -40,7 +40,7 @@
 };
 };
 publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
- privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -57,7 +57,7 @@
 };
 };
 publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
- privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g="; # path is relative to the machine
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -73,7 +73,7 @@
 };
 };
 publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
- privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
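Review bot: `getPrivKeyFile` still uses `if getPrivKey == null then throw (...) else null` as its fallback, but this hunk removes both the `rec` from the attribute set and the `getPrivKey` attribute itself, so `getPrivKey` is no longer bound in that expression; unless an enclosing scope outside the hunk still defines it, Nix will reject the reference as an undefined variable (or, if a `with` is in effect, fail at evaluation time). Since a missing private key file is now always fatal, the fallback should be the unconditional throw: `getPrivKeyFile = findFirst (x: x != null) (throw ("Wirenix: Could not find private key file for " + peerName)) (map (provider: provider.getPrivKeyFile) keyProviders);`. The `let` this hunk opens belongs to a function whose head and tail are outside the hunk.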
diff --git a/tests/acls/ring.nix b/tests/acls/ring.nix
index 2ca597b..5eceaab 100644
--- a/tests/acls/ring.nix
+++ b/tests/acls/ring.nix
@@ -24,7 +24,7 @@
 };
 };
 publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
- privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -40,7 +40,7 @@
 };
 };
 publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
- privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -57,7 +57,7 @@
 };
 };
 publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
- privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g="; # path is relative to the machine
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
@@ -73,7 +73,7 @@
 };
 };
 publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
- privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+ privateKeyFile = "/etc/wg-key";
 endpoints = [
 {
 # no match can be any
diff --git a/tests/acls/simple.nix b/tests/acls/simple.nix
index 097eb9c..0436bbf 100644
--- a/tests/acls/simple.nix
+++ b/tests/acls/simple.nix
@@ -24,7 +24,8 @@
 };
 };
 publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
- privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
+ privateKeyFile = "/etc/wg-key";
+ #privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
 endpoints = [
 {
 # no match can be any
@@ -40,7 +41,8 @@
 };
 };
 publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
- privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ privateKeyFile = "/etc/wg-key";
+ #privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
 endpoints = [
 {
 # no match can be any
diff --git a/tests/mesh.nix b/tests/mesh.nix
index b161af8..41fccb5 100644
--- a/tests/mesh.nix
+++ b/tests/mesh.nix
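Review bot: The two `#privateKey = "..."` lines added in tests/acls/simple.nix keep the old inline test keys as commented-out code, whereas the matching hunks in tests/acls/mesh.nix and tests/acls/ring.nix drop them outright; the same key strings now live in tests/simple.nix as `environment.etc."wg-key"` text, so the commented copies are dead duplicates that will drift from the live values. Delete the two `#privateKey` lines, including the `# path is relative to the machine` remark that only described the removed attribute, so all three ACL fixtures read the same way. The peer attribute sets these lines belong to continue outside the hunks.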
@@ -15,6 +15,9 @@
 enable = true;
 aclConfig = import ./acls/mesh.nix;
 };
+ environment.etc."wg-key" = {
+ text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
+ };
 networking.firewall.enable = false;
 };
@@ -26,30 +29,51 @@
 keyProviders = ["acl"];
 aclConfig = import ./acls/mesh.nix;
 };
+ environment.etc."wg-key" = {
+ text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ };
 networking.firewall.enable = false;
 };
 node3 = { self, pkgs, ... }: {
 virtualisation.vlans = [ 1 ];
 imports = [ self.nixosModules.default ];
+ systemd.network.enable = true;
 wirenix = {
 enable = true;
+ configurer = "networkd";
 keyProviders = ["acl"];
 peerName = "node3";
 aclConfig = import ./acls/mesh.nix;
 };
+ environment.etc."wg-key" = {
+ text = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g=";
+ mode = "0640";
+ user = "root";
+ group = "systemd-network";
+ };
+ environment.systemPackages = [pkgs.wireguard-tools];
 networking.firewall.enable = false;
 };
 node4 = { self, pkgs, ... }: {
 virtualisation.vlans = [ 1 ];
 imports = [ self.nixosModules.default ];
+ systemd.network.enable = true;
 wirenix = {
 enable = true;
+ configurer = "networkd";
 keyProviders = ["acl"];
 peerName = "node4";
 aclConfig = import ./acls/mesh.nix;
 };
+ environment.etc."wg-key" = {
+ text = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+ mode = "0640";
+ user = "root";
+ group = "systemd-network";
+ };
+ environment.systemPackages = [pkgs.wireguard-tools];
 networking.firewall.enable = false;
 };
 };
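Review bot: node1 and node2 get `environment.etc."wg-key"` with only `text`, while node3 and node4 in the same hunk add `mode = "0640"`, `user = "root"` and `group = "systemd-network"`; with no `mode`, `environment.etc` defaults to a symlink into the Nix store, so on node1/node2 the key is world-readable, and nothing on the page says whether the default wireguard configurer needs that or merely tolerates it. Make the difference deliberate rather than accidental: put `# throwaway test key; environment.etc keeps it in the world-readable Nix store, acceptable only inside this VM test` above each `text`-only entry, or give all four nodes the same `mode`/`user`/`group` block if the non-networkd units run as root anyway. The same `text`-only pattern is repeated in tests/ring.nix (four nodes) and tests/simple.nix (two nodes). The `nodes` attribute set these entries sit in starts before the first hunk.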
@@ -63,8 +87,11 @@
 "node4": node4
 }
 for local_name, local_node in nodes.items():
- for remote_node in set(nodes.keys()) - set([local_name]):
- local_node.wait_for_unit(f"wireguard-mesh-peer-{remote_node}")
+ if local_name == "node1" or local_name == "node2":
+ for remote_node in set(nodes.keys()) - set([local_name]):
+ local_node.wait_for_unit(f"wireguard-mesh-peer-{remote_node}")
+ node3.wait_for_unit("systemd-networkd-wait-online")
+ node4.wait_for_unit("systemd-networkd-wait-online")
 for local_name, local_node in nodes.items():
 local_node.succeed("wg show >&2")
 for remote_name in set(nodes.keys()) - set([local_name]):
diff --git a/tests/null.nix b/tests/null.nix
index b954345..850ec46 100644
--- a/tests/null.nix
+++ b/tests/null.nix
@@ -4,7 +4,7 @@
 * file, You can obtain one at https://mozilla.org/MPL/2.0/.
 */
 (import ./lib.nix) {
- name = "Null test, should always pass";
+ name = "null test";
 nodes = {
 # `self` here is set by using specialArgs in `lib.nix`
 node1 = { self, pkgs, ... }: {
diff --git a/tests/ring.nix b/tests/ring.nix
index 85114c2..afaf4a2 100644
--- a/tests/ring.nix
+++ b/tests/ring.nix
@@ -15,6 +15,9 @@
 enable = true;
 aclConfig = import ./acls/ring.nix;
 };
+ environment.etc."wg-key" = {
+ text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
+ };
 networking.firewall.enable = false;
 };
@@ -26,6 +29,9 @@
 keyProviders = ["acl"];
 aclConfig = import ./acls/ring.nix;
 };
+ environment.etc."wg-key" = {
+ text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ };
 networking.firewall.enable = false;
 };
@@ -38,6 +44,9 @@
 peerName = "node3";
 aclConfig = import ./acls/ring.nix;
 };
+ environment.etc."wg-key" = {
+ text = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g=";
+ };
 networking.firewall.enable = false;
 };
@@ -50,6 +59,9 @@
 peerName = "node4";
 aclConfig = import ./acls/ring.nix;
 };
+ environment.etc."wg-key" = {
+ text = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+ };
 networking.firewall.enable = false;
 };
 };
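Review bot: The new `if local_name == "node1" or local_name == "node2":` in the testScript compares the same variable twice and will silently go stale when a node is added; `if local_name in ("node1", "node2"):` expresses the intent directly. The collapsed diff does not preserve indentation, so it is unclear whether the two `wait_for_unit("systemd-networkd-wait-online")` calls for node3 and node4 sit inside the outer `for local_name, local_node in nodes.items():` loop; if they do, they run once per node and should move after the loop, and either way a comment such as `# networkd nodes have no per-peer unit to wait on; wait for the link instead` would explain why the two configurers are checked differently. The testScript this hunk belongs to starts and ends outside the hunk.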
diff --git a/tests/simple.nix b/tests/simple.nix
index 6c9ca9e..6ede5f3 100644
--- a/tests/simple.nix
+++ b/tests/simple.nix
@@ -17,6 +17,9 @@
 peerName = "node1";
 aclConfig = import ./acls/simple.nix;
 };
+ environment.etc."wg-key" = {
+ text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
+ };
 networking.firewall.enable = false;
 };
@@ -29,6 +32,9 @@
 peerName = "node2";
 aclConfig = import ./acls/simple.nix;
 };
+ environment.etc."wg-key" = {
+ text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ };
 networking.firewall.enable = false;
 };
 };