nixpkgs/nixos/tests/wireguard/namespaces.nix

let
  listenPort = 12345;
  socketNamespace = "foo";
  interfaceNamespace = "bar";
  node = {
    networking.wireguard.interfaces.wg0 = {
      listenPort = listenPort;
      ips = [ "10.10.10.1/24" ];
      privateKeyFile = "/etc/wireguard/private";
      generatePrivateKeyFile = true;
    };
  };

in

import ../make-test-python.nix ({ pkgs, ...} : {
  name = "wireguard-with-namespaces";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ asymmetric ];
  };

  nodes = {
    # interface should be created in the socketNamespace
    # and not moved from there
    peer0 = pkgs.lib.attrsets.recursiveUpdate node {
      networking.wireguard.interfaces.wg0 = {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
      };
    };
    # interface should be created in the init namespace
    # and moved to the interfaceNamespace
    peer1 = pkgs.lib.attrsets.recursiveUpdate node {
      networking.wireguard.interfaces.wg0 = {
        preSetup = ''
          ip netns add ${interfaceNamespace}
        '';
        inherit interfaceNamespace;
      };
    };
    # interface should be created in the socketNamespace
    # and moved to the interfaceNamespace
    peer2 = pkgs.lib.attrsets.recursiveUpdate node {
      networking.wireguard.interfaces.wg0 = {
        preSetup = ''
          ip netns add ${socketNamespace}
          ip netns add ${interfaceNamespace}
        '';
        inherit socketNamespace interfaceNamespace;
      };
    };
    # interface should be created in the socketNamespace
    # and moved to the init namespace
    peer3 = pkgs.lib.attrsets.recursiveUpdate node {
      networking.wireguard.interfaces.wg0 = {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
        interfaceNamespace = "init";
      };
    };
  };

  testScript = ''
    start_all()

    for machine in peer0, peer1, peer2, peer3:
        machine.wait_for_unit("wireguard-wg0.service")

    peer0.succeed("ip -n ${socketNamespace} link show wg0")
    peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
    peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
    peer3.succeed("ip link show wg0")
  '';
})
wireguard: add creation and destination namespaces The two new options make it possible to create the interface in one namespace and move it to a different one, as explained at https://www.wireguard.com/netns/. 2019-09-19 22:54:38 +02:00			`let`
			`listenPort = 12345;`
			`socketNamespace = "foo";`
			`interfaceNamespace = "bar";`
			`node = {`
			`networking.wireguard.interfaces.wg0 = {`
			`listenPort = listenPort;`
			`ips = [ "10.10.10.1/24" ];`
			`privateKeyFile = "/etc/wireguard/private";`
			`generatePrivateKeyFile = true;`
			`};`
			`};`

			`in`

nixosTests.wireguard.namespaces: Port test to python 2019-12-15 15:10:09 +01:00			`import ../make-test-python.nix ({ pkgs, ...} : {`
wireguard: add creation and destination namespaces The two new options make it possible to create the interface in one namespace and move it to a different one, as explained at https://www.wireguard.com/netns/. 2019-09-19 22:54:38 +02:00			`name = "wireguard-with-namespaces";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ asymmetric ];`
			`};`

			`nodes = {`
			`# interface should be created in the socketNamespace`
			`# and not moved from there`
			`peer0 = pkgs.lib.attrsets.recursiveUpdate node {`
			`networking.wireguard.interfaces.wg0 = {`
			`preSetup = ''`
			`ip netns add ${socketNamespace}`
			`'';`
			`inherit socketNamespace;`
			`};`
			`};`
			`# interface should be created in the init namespace`
			`# and moved to the interfaceNamespace`
			`peer1 = pkgs.lib.attrsets.recursiveUpdate node {`
			`networking.wireguard.interfaces.wg0 = {`
			`preSetup = ''`
			`ip netns add ${interfaceNamespace}`
			`'';`
			`inherit interfaceNamespace;`
			`};`
			`};`
			`# interface should be created in the socketNamespace`
			`# and moved to the interfaceNamespace`
			`peer2 = pkgs.lib.attrsets.recursiveUpdate node {`
			`networking.wireguard.interfaces.wg0 = {`
			`preSetup = ''`
			`ip netns add ${socketNamespace}`
			`ip netns add ${interfaceNamespace}`
			`'';`
			`inherit socketNamespace interfaceNamespace;`
			`};`
			`};`
			`# interface should be created in the socketNamespace`
			`# and moved to the init namespace`
			`peer3 = pkgs.lib.attrsets.recursiveUpdate node {`
			`networking.wireguard.interfaces.wg0 = {`
			`preSetup = ''`
			`ip netns add ${socketNamespace}`
			`'';`
			`inherit socketNamespace;`
			`interfaceNamespace = "init";`
			`};`
			`};`
			`};`

			`testScript = ''`
nixosTests.wireguard.namespaces: Port test to python 2019-12-15 15:10:09 +01:00			`start_all()`
wireguard: add creation and destination namespaces The two new options make it possible to create the interface in one namespace and move it to a different one, as explained at https://www.wireguard.com/netns/. 2019-09-19 22:54:38 +02:00
nixosTests.wireguard.namespaces: Port test to python 2019-12-15 15:10:09 +01:00			`for machine in peer0, peer1, peer2, peer3:`
			`machine.wait_for_unit("wireguard-wg0.service")`
wireguard: add creation and destination namespaces The two new options make it possible to create the interface in one namespace and move it to a different one, as explained at https://www.wireguard.com/netns/. 2019-09-19 22:54:38 +02:00
nixosTests.wireguard.namespaces: Port test to python 2019-12-15 15:10:09 +01:00			`peer0.succeed("ip -n ${socketNamespace} link show wg0")`
			`peer1.succeed("ip -n ${interfaceNamespace} link show wg0")`
			`peer2.succeed("ip -n ${interfaceNamespace} link show wg0")`
			`peer3.succeed("ip link show wg0")`
wireguard: add creation and destination namespaces The two new options make it possible to create the interface in one namespace and move it to a different one, as explained at https://www.wireguard.com/netns/. 2019-09-19 22:54:38 +02:00			`'';`
			`})`