# Configuration for one node of the two-node WireGuard-over-systemd-networkd test.
#
# Called once per node (see `nodes` further down) with the usual NixOS module
# arguments plus four per-node test fixtures merged in by the caller:
#   privk  - this node's WireGuard private key (base64)
#   pubk   - the WireGuard public key configured for the peer (base64)
#   nodeId - last octet of this node's 10.0.0.x / 192.168.1.x addresses
#   peerId - last octet of the peer's addresses
# Several literals below (the fwmark, the rule tables and rule fields) are
# asserted verbatim by `testScript`; changing one here means changing the
# matching assertion there.
let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
      imports = [ common/user-account.nix ];
      # Verbose networkd logging inside the VM, handy when a wait_for_unit times out.
      systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
      networking.useNetworkd = true;
      networking.useDHCP = false;
      # Test VM only: nothing filters the tunnel/ping traffic exercised by testScript.
      networking.firewall.enable = false;
      virtualisation.vlans = [ 1 ];
      environment.systemPackages = with pkgs; [ wireguard-tools ];  # `wg` is called from testScript
      boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
      # Materialise the private key at boot as a root:systemd-network 0640 file so
      # networkd can read it without the key being world-readable on the VM's
      # filesystem. The literal still ends up in the Nix store (inside the generated
      # tmpfiles.d rule); acceptable here only because these are throwaway test keys.
      systemd.tmpfiles.rules = [
        "f /run/wg_priv 0640 root systemd-network - ${privk}"
      ];
      systemd.network = {
        enable = true;
        netdevs = {
          "90-wg0" = {
            netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
            wireguardConfig = {
              PrivateKeyFile = "/run/wg_priv";
              ListenPort = 51820;
              FwMark = 42;  # checked by testScript (`wg` prints it in hex, 0x2a)
            };
            wireguardPeers = [ {wireguardPeerConfig={
              # The peer is reached over the eth1 LAN (192.168.1.x); 10.0.0.x rides inside the tunnel.
              Endpoint = "192.168.1.${peerId}:51820";
              PublicKey = pubk;
              # NOTE(review): unlike the private key above, the PSK is written to the
              # world-readable Nix store via writeText. Fine for a fixed test fixture;
              # outside a test it would be provisioned the same way as /run/wg_priv.
              PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
              AllowedIPs = [ "10.0.0.${peerId}/32" ];  # only the single peer address is accepted/routed via the tunnel
              PersistentKeepalive = 15;
            };}];
          };
        };
        # networkd applies the first .network file in lexical order whose [Match]
        # fits: 30-eth1 takes eth1, 90-wg0 takes the tunnel, and 99-nope leaves
        # every other eth* interface unmanaged.
        networks = {
          "99-nope" = {
            matchConfig.Name = "eth*";
            linkConfig.Unmanaged = true;
          };
          "90-wg0" = {
            matchConfig = { Name = "wg0"; };
            address = [ "10.0.0.${nodeId}/32" ];
            routes = [
              # Whole tunnel subnet via wg0; the gateway is the node's own tunnel address.
              { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
            ];
          };
          "30-eth1" = {
            matchConfig = { Name = "eth1"; };
            address = [
              "192.168.1.${nodeId}/24"
              "fe80::${nodeId}/64"  # link-local v6 address, used by the Family = "both" rule test
            ];
            # One rule per routingPolicyRuleConfig member under test; the table
            # numbers are what testScript greps for in `ip rule` output.
            routingPolicyRules = [
              { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
              { routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
              { routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; };}
              { routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
              # NOTE(review): testScript currently has no assertion covering this
              # Family = "ipv4" rule (nor the IPv6 half of the Family = "both" one).
              { routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
            ];
          };
        };
      };
    };
					
						
							| 
									
										
										
										
											2019-11-18 18:56:00 +01:00
										 |  |  | in import ./make-test-python.nix ({pkgs, ... }: { | 
					
						
							| 
									
										
										
										
											2020-02-29 19:34:48 +01:00
										 |  |  |   name = "networkd"; | 
					
						
							| 
									
										
										
										
											2019-06-24 17:36:08 +02:00
										 |  |  |   meta = with pkgs.stdenv.lib.maintainers; { | 
					
						
							|  |  |  |     maintainers = [ ninjatrappeur ]; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  |   nodes = { | 
					
						
							|  |  |  |     node1 = { pkgs, ... }@attrs: | 
					
						
							|  |  |  |     let localConf = { | 
					
						
							| 
									
										
										
										
											2019-11-25 10:47:31 +01:00
										 |  |  |         privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00="; | 
					
						
							| 
									
										
										
										
											2019-06-24 17:36:08 +02:00
										 |  |  |         pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE="; | 
					
						
							|  |  |  |         nodeId = "1"; | 
					
						
							|  |  |  |         peerId = "2"; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     in generateNodeConf (attrs // localConf); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     node2 = { pkgs, ... }@attrs: | 
					
						
							|  |  |  |     let localConf = { | 
					
						
							| 
									
										
										
										
											2019-11-25 10:47:31 +01:00
										 |  |  |         privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k="; | 
					
						
							| 
									
										
										
										
											2019-06-24 17:36:08 +02:00
										 |  |  |         pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g="; | 
					
						
							|  |  |  |         nodeId = "2"; | 
					
						
							|  |  |  |         peerId = "1"; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     in generateNodeConf (attrs // localConf); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | testScript = ''
 | 
					
						
							| 
									
										
										
										
											2019-11-18 18:56:00 +01:00
										 |  |  |     start_all() | 
					
						
							|  |  |  |     node1.wait_for_unit("systemd-networkd-wait-online.service") | 
					
						
							|  |  |  |     node2.wait_for_unit("systemd-networkd-wait-online.service") | 
					
						
							| 
									
										
										
										
											2020-02-29 19:34:48 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     # ================================ | 
					
						
							|  |  |  |     # Wireguard | 
					
						
							|  |  |  |     # ================================ | 
					
						
							| 
									
										
										
										
											2019-11-18 18:56:00 +01:00
										 |  |  |     node1.succeed("ping -c 5 10.0.0.2") | 
					
						
							|  |  |  |     node2.succeed("ping -c 5 10.0.0.1") | 
					
						
							| 
									
										
										
										
											2019-06-24 17:36:08 +02:00
										 |  |  |     # Is the fwmark set? | 
					
						
							| 
									
										
										
										
											2019-11-18 18:56:00 +01:00
										 |  |  |     node2.succeed("wg | grep -q 42") | 
					
						
							| 
									
										
										
										
											2020-02-29 19:34:48 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     # ================================ | 
					
						
							|  |  |  |     # Routing Policies | 
					
						
							|  |  |  |     # ================================ | 
					
						
							|  |  |  |     # Testing all the routingPolicyRuleConfig members: | 
					
						
							|  |  |  |     # Table + IncomingInterface | 
					
						
							|  |  |  |     node1.succeed("sudo ip rule | grep 'from all iif eth1 lookup 10'") | 
					
						
							|  |  |  |     # OutgoingInterface | 
					
						
							|  |  |  |     node1.succeed("sudo ip rule | grep 'from all oif eth1 lookup 20'") | 
					
						
							|  |  |  |     # From + To + SourcePort + DestinationPort | 
					
						
							|  |  |  |     node1.succeed( | 
					
						
							|  |  |  |         "sudo ip rule | grep 'from 192.168.1.1 to 192.168.1.2 sport 666 dport 667 lookup 30'" | 
					
						
							|  |  |  |     ) | 
					
						
							|  |  |  |     # IPProtocol + InvertRule | 
					
						
							|  |  |  |     node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'") | 
					
						
							| 
									
										
										
										
											2019-06-24 17:36:08 +02:00
										 |  |  | '';
 | 
					
						
							|  |  |  | }) |