nixos/networkd: test systemd-creds in WireGuard

James Atkins 2024-10-06 22:27:21 -05:00
parent 42f5ecde9d
commit 68483a7bad


@ -1,4 +1,4 @@
let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { let generateNodeConf = { lib, pkgs, config, privk, pubk, systemdCreds, peerId, nodeId, ...}: {
imports = [ common/user-account.nix ]; imports = [ common/user-account.nix ];
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug"; systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
networking.useNetworkd = true; networking.useNetworkd = true;
@ -6,6 +6,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
networking.firewall.enable = false; networking.firewall.enable = false;
virtualisation.vlans = [ 1 ]; virtualisation.vlans = [ 1 ];
environment.systemPackages = with pkgs; [ wireguard-tools ]; environment.systemPackages = with pkgs; [ wireguard-tools ];
environment.etc."credstore/network.wireguard.private" = lib.mkIf systemdCreds { text = privk; };
systemd.network = { systemd.network = {
enable = true; enable = true;
config = { config = {
@ -15,11 +16,14 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
"90-wg0" = { "90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
wireguardConfig = { wireguardConfig = {
# Test storing wireguard private key using systemd credentials.
PrivateKey = lib.mkIf systemdCreds "@network.wireguard.private";
# NOTE: we're storing the wireguard private key in the # NOTE: we're storing the wireguard private key in the
# store for this test. Do not do this in the real # store for this test. Do not do this in the real
# world. Keep in mind the nix store is # world. Keep in mind the nix store is
# world-readable. # world-readable.
PrivateKeyFile = pkgs.writeText "wg0-priv" privk; PrivateKeyFile = lib.mkIf (!systemdCreds) (pkgs.writeText "wg0-priv" privk);
ListenPort = 51820; ListenPort = 51820;
FirewallMark = 42; FirewallMark = 42;
}; };
@ -74,6 +78,7 @@ in import ./make-test-python.nix ({pkgs, ... }: {
let localConf = { let localConf = {
privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00="; privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE="; pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
systemdCreds = false;
nodeId = "1"; nodeId = "1";
peerId = "2"; peerId = "2";
}; };
@ -83,6 +88,7 @@ in import ./make-test-python.nix ({pkgs, ... }: {
let localConf = { let localConf = {
privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k="; privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g="; pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
systemdCreds = true;
nodeId = "2"; nodeId = "2";
peerId = "1"; peerId = "1";
}; };
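Review bot: The new `environment.etc."credstore/network.wireguard.private" = lib.mkIf systemdCreds { text = privk; };` line places the private key in the world-readable nix store just as the `PrivateKeyFile` branch does — `environment.etc` with `text` materialises the file as a store path and links it into /etc — yet the existing "Do not do this in the real world" NOTE sits only above `PrivateKeyFile`, so anyone copying the credential pattern from this test gets no warning. Add the same caveat on the new line, e.g. `# Test-only: environment.etc puts this key in the world-readable nix store; real deployments must provision /etc/credstore out-of-band (root-only file) or use an encrypted credential.` Relatedly, the title says systemd-creds but the hunk exercises only a plaintext /etc/credstore entry referenced via `PrivateKey = "@network.wireguard.private"`; an encrypted credential path is not covered, which the comment on the `PrivateKey` line should state if that is intentional. Resolving the `@` reference presumably relies on the systemd-networkd unit importing `network.*` credentials, which is configured outside this hunk; the `generateNodeConf` attribute set also continues past the hunk boundaries.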