make tests better

release
Matthew Salerno 1 year ago
parent d61f6edaa9
commit 4307607c64

@ -29,9 +29,10 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
Name = "${shortName subnetName}"; Name = "${shortName subnetName}";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = getPrivKeyFile;
ListenPort = subnetConnection.listenPort; ListenPort = subnetConnection.listenPort;
} // (if getPrivKeyFile != null then {} else {privateKey = getPrivKey;}); # *PLEASE* do not use getPrivKeyfor anything but testing
PrivateKeyFile = getPrivKeyFile;
};
wireguardPeers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: { wireguardPeers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: {
wireguardPeerConfig = { wireguardPeerConfig = {
Endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}"; Endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}";
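Review bot: `PrivateKeyFile = getPrivKeyFile;` is now the only path by which the networkd netdev receives its key, and networkd opens that file as the `systemd-network` user, so a key file that is readable by root only is rejected at runtime by networkd rather than at Nix evaluation time. Worth a comment on that line: `# networkd reads this file as the systemd-network user; it must be root:systemd-network with mode 0640 (see the etc entries on the networkd test nodes)`. The `wireguardConfig` set and the expression enclosing it start and end outside the hunk.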

@ -27,7 +27,6 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
ips = subnetConnection.ipAddresses; ips = subnetConnection.ipAddresses;
listenPort = subnetConnection.listenPort; listenPort = subnetConnection.listenPort;
privateKeyFile = getPrivKeyFile; privateKeyFile = getPrivKeyFile;
privateKey = getPrivKey;
peers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: peers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection:
{ {
name = remotePeerName; name = remotePeerName;

@ -10,6 +10,5 @@ with builtins;
{ {
getPeerPubKey = remotePeerName: attrByPath [remotePeerName "publicKey"] null intermediateConfig.peers; getPeerPubKey = remotePeerName: attrByPath [remotePeerName "publicKey"] null intermediateConfig.peers;
getPrivKeyFile = attrByPath [localPeerName "privateKeyFile"] null intermediateConfig.peers; getPrivKeyFile = attrByPath [localPeerName "privateKeyFile"] null intermediateConfig.peers;
getPrivKey = attrByPath [localPeerName "privateKey"] null intermediateConfig.peers;
getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets; getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets;
} }

@ -35,6 +35,5 @@ with builtins;
}; };
getPeerPubKey = remotePeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${remotePeerName}.pub); getPeerPubKey = remotePeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${remotePeerName}.pub);
getPrivKeyFile = config.age.secrets."wirenix-peer-${localPeerName}".path; getPrivKeyFile = config.age.secrets."wirenix-peer-${localPeerName}".path;
getPrivKey = null;
getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path; getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path;
} }

@ -116,13 +116,11 @@ rec {
let let
keyProviders = map (x: x inputs intermediateConfig peerName) keyProvidersUninitialized; keyProviders = map (x: x inputs intermediateConfig peerName) keyProvidersUninitialized;
in in
rec { {
getPeerPubKey = otherPeerName: findFirst (x: x != null) (throw ("Wirenix: Could not find public key for " + otherPeerName)) getPeerPubKey = otherPeerName: findFirst (x: x != null) (throw ("Wirenix: Could not find public key for " + otherPeerName))
(map (provider: provider.getPeerPubKey otherPeerName) keyProviders); (map (provider: provider.getPeerPubKey otherPeerName) keyProviders);
getPrivKeyFile = findFirst (x: x != null) (if getPrivKey == null then throw ("Wirenix: Could not find private key file for " + peerName) else null) getPrivKeyFile = findFirst (x: x != null) (if getPrivKey == null then throw ("Wirenix: Could not find private key file for " + peerName) else null)
(map (provider: provider.getPrivKeyFile) keyProviders); (map (provider: provider.getPrivKeyFile) keyProviders);
getPrivKey = findFirst (x: x != null) (null)
(map (provider: provider.getPrivKey) keyProviders);
getSubnetPSKFile = subnetName: findFirst (x: x != null) (null) getSubnetPSKFile = subnetName: findFirst (x: x != null) (null)
(map (provider: provider.getSubnetPSKFile subnetName) keyProviders); (map (provider: provider.getSubnetPSKFile subnetName) keyProviders);
getProviderConfig = foldl' (x: y: x // y) {} (map (provider: if provider ? config then provider.config else {}) keyProviders); getProviderConfig = foldl' (x: y: x // y) {} (map (provider: if provider ? config then provider.config else {}) keyProviders);
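Review bot: the fallback expression of `getPrivKeyFile` still tests `getPrivKey == null`, yet `getPrivKey` is removed two lines below and the set is no longer `rec`, so unless `getPrivKey` is bound in the enclosing `rec {` the file stops evaluating with an undefined-variable error, and if it is bound the condition is stale. Since no key provider exposes a raw key after this commit, the fallback should simply be the throw: `getPrivKeyFile = findFirst (x: x != null) (throw ("Wirenix: Could not find private key file for " + peerName))`. The removed/added assignment is inferred from the hunk counts (two removed, none added); the enclosing function begins outside the hunk.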

@ -24,7 +24,7 @@
}; };
}; };
publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE="; publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -40,7 +40,7 @@
}; };
}; };
publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE="; publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M="; privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -57,7 +57,7 @@
}; };
}; };
publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4="; publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g="; # path is relative to the machine privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -73,7 +73,7 @@
}; };
}; };
publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA="; publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E="; privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any

@ -24,7 +24,7 @@
}; };
}; };
publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE="; publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -40,7 +40,7 @@
}; };
}; };
publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE="; publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M="; privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -57,7 +57,7 @@
}; };
}; };
publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4="; publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g="; # path is relative to the machine privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -73,7 +73,7 @@
}; };
}; };
publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA="; publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E="; privateKeyFile = "/etc/wg-key";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any

@ -24,7 +24,8 @@
}; };
}; };
publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE="; publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine privateKeyFile = "/etc/wg-key";
#privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
@ -40,7 +41,8 @@
}; };
}; };
publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE="; publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M="; privateKeyFile = "/etc/wg-key";
#privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
endpoints = [ endpoints = [
{ {
# no match can be any # no match can be any
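Review bot: the added `#privateKey = ...` lines keep raw private-key literals in this ACL file as commented-out code, the `# path is relative to the machine` remark now hangs off the wrong attribute, and nothing can re-enable them because the key providers in this same commit drop `getPrivKey`. Either delete both commented lines or, if they are meant as a test-only reference, label them `# test fixture only; no key provider reads privateKey any more` so a reader does not reinstate them.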

@ -15,6 +15,9 @@
enable = true; enable = true;
aclConfig = import ./acls/mesh.nix; aclConfig = import ./acls/mesh.nix;
}; };
environment.etc."wg-key" = {
text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
@ -26,30 +29,51 @@
keyProviders = ["acl"]; keyProviders = ["acl"];
aclConfig = import ./acls/mesh.nix; aclConfig = import ./acls/mesh.nix;
}; };
environment.etc."wg-key" = {
text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
node3 = { self, pkgs, ... }: { node3 = { self, pkgs, ... }: {
virtualisation.vlans = [ 1 ]; virtualisation.vlans = [ 1 ];
imports = [ self.nixosModules.default ]; imports = [ self.nixosModules.default ];
systemd.network.enable = true;
wirenix = { wirenix = {
enable = true; enable = true;
configurer = "networkd";
keyProviders = ["acl"]; keyProviders = ["acl"];
peerName = "node3"; peerName = "node3";
aclConfig = import ./acls/mesh.nix; aclConfig = import ./acls/mesh.nix;
}; };
environment.etc."wg-key" = {
text = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g=";
mode = "0640";
user = "root";
group = "systemd-network";
};
environment.systemPackages = [pkgs.wireguard-tools];
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
node4 = { self, pkgs, ... }: { node4 = { self, pkgs, ... }: {
virtualisation.vlans = [ 1 ]; virtualisation.vlans = [ 1 ];
imports = [ self.nixosModules.default ]; imports = [ self.nixosModules.default ];
systemd.network.enable = true;
wirenix = { wirenix = {
enable = true; enable = true;
configurer = "networkd";
keyProviders = ["acl"]; keyProviders = ["acl"];
peerName = "node4"; peerName = "node4";
aclConfig = import ./acls/mesh.nix; aclConfig = import ./acls/mesh.nix;
}; };
environment.etc."wg-key" = {
text = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
mode = "0640";
user = "root";
group = "systemd-network";
};
environment.systemPackages = [pkgs.wireguard-tools];
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
}; };
@ -63,8 +87,11 @@
"node4": node4 "node4": node4
} }
for local_name, local_node in nodes.items(): for local_name, local_node in nodes.items():
if local_name == "node1" or local_name == "node2":
for remote_node in set(nodes.keys()) - set([local_name]): for remote_node in set(nodes.keys()) - set([local_name]):
local_node.wait_for_unit(f"wireguard-mesh-peer-{remote_node}") local_node.wait_for_unit(f"wireguard-mesh-peer-{remote_node}")
node3.wait_for_unit("systemd-networkd-wait-online")
node4.wait_for_unit("systemd-networkd-wait-online")
for local_name, local_node in nodes.items(): for local_name, local_node in nodes.items():
local_node.succeed("wg show >&2") local_node.succeed("wg show >&2")
for remote_name in set(nodes.keys()) - set([local_name]): for remote_name in set(nodes.keys()) - set([local_name]):
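Review bot: `environment.etc."wg-key".text` renders the private key into a file in the Nix store, which is world-readable on every node, so the `mode = "0640"` / `group = "systemd-network"` on node3 and node4 governs only the `/etc/wg-key` copy; the same holds for the ring and simple test files below. That is acceptable for a throwaway VM test, but the block should say so and state why the two networkd nodes need the group, e.g. `# test-only key: lives in the world-readable Nix store; 0640 root:systemd-network is what networkd needs to read PrivateKeyFile=`. node1 and node2 keep the default mode, which presumably works only because the networking.wireguard configurer applies the key as root. The added `if local_name == "node1" or local_name == "node2":` hard-codes which nodes run the `wireguard-mesh-peer-*` units; deriving it from each node's `configurer` would keep the driver in step when more nodes are added.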

@ -4,7 +4,7 @@
* file, You can obtain one at https://mozilla.org/MPL/2.0/. * file, You can obtain one at https://mozilla.org/MPL/2.0/.
*/ */
(import ./lib.nix) { (import ./lib.nix) {
name = "Null test, should always pass"; name = "null test";
nodes = { nodes = {
# `self` here is set by using specialArgs in `lib.nix` # `self` here is set by using specialArgs in `lib.nix`
node1 = { self, pkgs, ... }: { node1 = { self, pkgs, ... }: {

@ -15,6 +15,9 @@
enable = true; enable = true;
aclConfig = import ./acls/ring.nix; aclConfig = import ./acls/ring.nix;
}; };
environment.etc."wg-key" = {
text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
@ -26,6 +29,9 @@
keyProviders = ["acl"]; keyProviders = ["acl"];
aclConfig = import ./acls/ring.nix; aclConfig = import ./acls/ring.nix;
}; };
environment.etc."wg-key" = {
text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
@ -38,6 +44,9 @@
peerName = "node3"; peerName = "node3";
aclConfig = import ./acls/ring.nix; aclConfig = import ./acls/ring.nix;
}; };
environment.etc."wg-key" = {
text = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
@ -50,6 +59,9 @@
peerName = "node4"; peerName = "node4";
aclConfig = import ./acls/ring.nix; aclConfig = import ./acls/ring.nix;
}; };
environment.etc."wg-key" = {
text = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
}; };

@ -17,6 +17,9 @@
peerName = "node1"; peerName = "node1";
aclConfig = import ./acls/simple.nix; aclConfig = import ./acls/simple.nix;
}; };
environment.etc."wg-key" = {
text = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
@ -29,6 +32,9 @@
peerName = "node2"; peerName = "node2";
aclConfig = import ./acls/simple.nix; aclConfig = import ./acls/simple.nix;
}; };
environment.etc."wg-key" = {
text = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
};
networking.firewall.enable = false; networking.firewall.enable = false;
}; };
}; };
