mesh test

1 year ago · d5fcc01f9c
parent aebef85ff6
commit d5fcc01f9c
11 changed files with 187 additions and 43 deletions
--- a/flake.nix
+++ b/flake.nix
@ -24,6 +24,7 @@
      # import our test
      null = import ./tests/null.nix checkArgs;
      simple = import ./tests/simple.nix checkArgs;
+      mesh = import ./tests/mesh.nix checkArgs;
    });
  };
 }
--- a/tests/acls/mesh.nix
+++ b/tests/acls/mesh.nix
@ -0,0 +1,91 @@
+{
+  version = "v1";
+  subnets = [
+    {
+      name = "mesh";
+      endpoints = [
+        {
+          # No match mean match any
+          port = 51820;
+        }
+      ];
+    }
+  ];
+  groups = [
+    # groups field is expected, but can be empty
+  ];
+  peers = [
+    {
+      name = "node1";
+      subnets = {
+        mesh = {
+          listenPort = 51820;
+          # empty ipAddresses will auto generate an IPv6 address
+        };
+      };
+      publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
+      privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=";  # path is relative to the machine
+      endpoints = [
+        {
+          # no match can be any
+          ip = "node1";
+        }
+      ];
+    }
+    {
+      name = "node2";
+      subnets = {
+        mesh = {
+          listenPort = 51820;
+        };
+      };
+      publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
+      privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+      endpoints = [
+        {
+          # no match can be any
+          ip = "node2";
+        }
+      ];
+    }
+    {
+      name = "node3";
+      subnets = {
+        mesh = {
+          listenPort = 51820;
+          # empty ipAddresses will auto generate an IPv6 address
+        };
+      };
+      publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
+      privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g=";  # path is relative to the machine
+      endpoints = [
+        {
+          # no match can be any
+          ip = "node3";
+        }
+      ];
+    }
+    {
+      name = "node4";
+      subnets = {
+        mesh = {
+          listenPort = 51820;
+        };
+      };
+      publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
+      privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+      endpoints = [
+        {
+          # no match can be any
+          ip = "node4";
+        }
+      ];
+    }
+  ];
+  connections = [
+    {
+      a = [{type= "subnet"; rule = "is"; value = "mesh";}];
+      b = [{type= "subnet"; rule = "is"; value = "mesh";}];
+    }
+  ];
+}
--- a/tests/acls/simple.nix
+++ b/tests/acls/simple.nix
@ -16,7 +16,7 @@
  ];
  peers = [
    {
-      name = "peer1";
+      name = "node1";
      subnets = {
        simple = {
          listenPort = 51820;
@ -28,12 +28,12 @@
      endpoints = [
        {
          # no match can be any
-          ip = "192.168.1.2";
+          ip = "node1";
        }
      ];
    }
    {
-      name = "peer2";
+      name = "node2";
      subnets = {
        simple = {
          listenPort = 51820;
@ -44,7 +44,7 @@
      endpoints = [
        {
          # no match can be any
-          ip = "192.168.1.3";
+          ip = "node2";
        }
      ];
    }
--- a/tests/keys/testKey1
+++ b/tests/keys/testKey1
@ -1 +0,0 @@
-MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=
--- a/tests/keys/testKey2
+++ b/tests/keys/testKey2
@ -1 +0,0 @@
-yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=
--- a/tests/keys/testKey3
+++ b/tests/keys/testKey3
@ -1 +0,0 @@
-mAk4v/O2y3mFwQqsZow52iwOlcfR3wPtd9cVBwS+vVg=
--- a/tests/keys/testKey4
+++ b/tests/keys/testKey4
@ -1 +0,0 @@
-aKOVgooO5npcsTrDb2lKXEiOH+XhJTs3/GHICplKmHE=
--- a/tests/keys/testKey5
+++ b/tests/keys/testKey5
@ -1 +0,0 @@
-aPMW0ePlRmh3HZ075ArvUHIotrGTGE+nRvqKPtwXClc=
--- a/tests/keys/testKey6
+++ b/tests/keys/testKey6
@ -1 +0,0 @@
-IDpYI54t9nGxmj84KUpRaFUnzaD74LVm1y38rGeIVVg=
--- a/tests/mesh.nix
+++ b/tests/mesh.nix
@ -0,0 +1,74 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+(import ./lib.nix)
+{
+  name = "mesh connection";
+  nodes = {
+    # `self` here is set by using specialArgs in `lib.nix`
+    node1 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
+      imports = [ self.nixosModules.default ];      
+      wirenix = {
+        enable = true;
+        aclConfig = import ./acls/mesh.nix;
+      };
+      networking.firewall.enable = false;
+    };
+    
+    node2 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
+      imports = [ self.nixosModules.default ];      
+      wirenix = {
+        enable = true;
+        keyProviders = ["acl"];
+        aclConfig = import ./acls/mesh.nix;
+      };
+      networking.firewall.enable = false;
+    };
+    
+    node3 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
+      imports = [ self.nixosModules.default ];      
+      wirenix = {
+        enable = true;
+        keyProviders = ["acl"];
+        peerName = "node3";
+        aclConfig = import ./acls/mesh.nix;
+      };
+      networking.firewall.enable = false;
+    };
+    
+    node4 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
+      imports = [ self.nixosModules.default ];      
+      wirenix = {
+        enable = true;
+        keyProviders = ["acl"];
+        peerName = "node4";
+        aclConfig = import ./acls/mesh.nix;
+      };
+      networking.firewall.enable = false;
+    };
+  };
+  # This is the test code that will check if our service is running correctly:
+  testScript = ''
+    start_all()
+    nodes = {
+      "node1": node1,
+      "node2": node2,
+      "node3": node3,
+      "node4": node4
+    }
+    for local_name, local_node in nodes.items():
+      for remote_node in set(nodes.keys()) - set([local_name]):
+        local_node.wait_for_unit(f"wireguard-mesh-peer-{remote_node}")
+    for local_name, local_node in nodes.items():
+      local_node.succeed("wg show >&2")
+      for remote_name in set(nodes.keys()) - set([local_name]):
+        local_node.succeed(f"ping -c 1 {remote_name} >&2")
+        local_node.succeed(f"ping -c 1 {remote_name}.mesh >&2")
+  '';
+}
--- a/tests/simple.nix
+++ b/tests/simple.nix
@ -3,61 +3,45 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/.
 */
-let 
-  sharedConfig = {
-    wirenix = {
-      enable = true;
-      keyProviders = ["acl"];
-      aclConfig = import ./acls/simple.nix;
-    };
-  };
-in
 (import ./lib.nix)
 {
-  name = "Null test, should always pass";
+  name = "simple connection";
  nodes = {
    # `self` here is set by using specialArgs in `lib.nix`
-    node1 = { self, pkgs, ... }: sharedConfig // {
+    node1 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
      imports = [ self.nixosModules.default ];      
      wirenix = {
        enable = true;
        keyProviders = ["acl"];
-        peerName = "peer1";
+        peerName = "node1";
        aclConfig = import ./acls/simple.nix;
      };
-      networking.interfaces.eth1.ipv4.addresses = [
-        {
-          address = "192.168.1.2";
-          prefixLength = 24;
-        }
-      ];
-      environment.systemPackages = [ pkgs.curl ];
+      networking.firewall.enable = false;
    };
    
-    node2 = { self, pkgs, ... }: sharedConfig // {
+    node2 = { self, pkgs, ... }: {
+      virtualisation.vlans = [ 1 ];
      imports = [ self.nixosModules.default ];      
      wirenix = {
        enable = true;
        keyProviders = ["acl"];
-        peerName = "peer2";
+        peerName = "node2";
        aclConfig = import ./acls/simple.nix;
      };
-      networking.interfaces.eth1.ipv4.addresses = [
-        {
-          address = "192.168.1.3";
-          prefixLength = 24;
-        }
-      ];
-      environment.systemPackages = [ pkgs.curl ];
+      networking.firewall.enable = false;
    };
  };
  # This is the test code that will check if our service is running correctly:
  testScript = ''
    start_all()
-    node1.wait_for_unit("wireguard-simple")
-    node2.wait_for_unit("wireguard-simple")
-    output = node1.succeed("ping -c 1 peer2.simple")
-    # Check if our webserver returns the expected result
-    assert "Hello world" in output, f"'{output}' does not contain 'Hello world'"
+    node1.wait_for_unit("wireguard-simple-peer-node2")
+    node2.wait_for_unit("wireguard-simple-peer-node1")
+    node1.succeed("ping -c 1 node2 >&2")
+    node1.succeed("wg show >&2")
+    node2.succeed("ping -c 1 node1 >&2")
+    node2.succeed("wg show >&2")
+    node1.succeed("ping -c 1 node2.simple")
+    node2.succeed("ping -c 1 node1.simple")
  '';
 }
				`@ -1 +0,0 @@`
				`MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI=`
				`@ -1 +0,0 @@`
				`yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=`
				`@ -1 +0,0 @@`
				`mAk4v/O2y3mFwQqsZow52iwOlcfR3wPtd9cVBwS+vVg=`
				`@ -1 +0,0 @@`
				`aKOVgooO5npcsTrDb2lKXEiOH+XhJTs3/GHICplKmHE=`
				`@ -1 +0,0 @@`
				`aPMW0ePlRmh3HZ075ArvUHIotrGTGE+nRvqKPtwXClc=`
				`@ -1 +0,0 @@`
				`IDpYI54t9nGxmj84KUpRaFUnzaD74LVm1y38rGeIVVg=`