nixpkgs/nixos/tests/wireguard/generated.nix

import ../make-test.nix ({ pkgs, ...} : {
  name = "wireguard-generated";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ ma27 grahamc ];
  };

  nodes = {
    peer1 = {
      networking.firewall.allowedUDPPorts = [ 12345 ];
      networking.wireguard.interfaces.wg0 = {
        ips = [ "10.10.10.1/24" ];
        listenPort = 12345;
        privateKeyFile = "/etc/wireguard/private";
        generatePrivateKeyFile = true;

      };
    };

    peer2 = {
      networking.firewall.allowedUDPPorts = [ 12345 ];
      networking.wireguard.interfaces.wg0 = {
        ips = [ "10.10.10.2/24" ];
        listenPort = 12345;
        privateKeyFile = "/etc/wireguard/private";
        generatePrivateKeyFile = true;
      };
    };
  };

  testScript = ''
    startAll;

    $peer1->waitForUnit("wireguard-wg0.service");
    $peer2->waitForUnit("wireguard-wg0.service");

    my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private");
    $peer1pubkey =~ s/\s+$//;
    if ($retcode != 0) {
      die "Could not read public key from peer1";
    }

    my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");
    $peer2pubkey =~ s/\s+$//;
    if ($retcode != 0) {
      die "Could not read public key from peer2";
    }

    $peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1");
    $peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main");

    $peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1");
    $peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main");

    $peer1->succeed("ping -c1 10.10.10.2");
    $peer2->succeed("ping -c1 10.10.10.1");
  '';
})
wireguard: add generatePrivateKeyFile option + test Ideally, private keys never leave the host they're generated on - like SSH. Setting generatePrivateKeyFile to true causes the PK to be generate automatically. 2019-04-23 22:30:05 -04:00			`import ../make-test.nix ({ pkgs, ...} : {`
			`name = "wireguard-generated";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ ma27 grahamc ];`
			`};`

			`nodes = {`
			`peer1 = {`
			`networking.firewall.allowedUDPPorts = [ 12345 ];`
			`networking.wireguard.interfaces.wg0 = {`
			`ips = [ "10.10.10.1/24" ];`
			`listenPort = 12345;`
			`privateKeyFile = "/etc/wireguard/private";`
			`generatePrivateKeyFile = true;`

			`};`
			`};`

			`peer2 = {`
			`networking.firewall.allowedUDPPorts = [ 12345 ];`
			`networking.wireguard.interfaces.wg0 = {`
			`ips = [ "10.10.10.2/24" ];`
			`listenPort = 12345;`
			`privateKeyFile = "/etc/wireguard/private";`
			`generatePrivateKeyFile = true;`
			`};`
			`};`
			`};`

			`testScript = ''`
			`startAll;`

			`$peer1->waitForUnit("wireguard-wg0.service");`
			`$peer2->waitForUnit("wireguard-wg0.service");`

			`my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private");`
			`$peer1pubkey =~ s/\s+$//;`
			`if ($retcode != 0) {`
			`die "Could not read public key from peer1";`
			`}`

			`my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");`
			`$peer2pubkey =~ s/\s+$//;`
			`if ($retcode != 0) {`
			`die "Could not read public key from peer2";`
			`}`

			`$peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1");`
			`$peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main");`

			`$peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1");`
			`$peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main");`

			`$peer1->succeed("ping -c1 10.10.10.2");`
			`$peer2->succeed("ping -c1 10.10.10.1");`
			`'';`
			`})`