nixpkgs/nixos/tests/rosenpass.nix
Maximilian Bosch c4fd7cf16d
nixos/networkd: get rid of *Config attributes in lists
This patch is about removing `wireguardPeerConfig`,
`dhcpServerStaticLeaseConfig` - a.k.a. the
AbstractSingletonProxyFactoryBean of nixpkgs - and friends.

As a former colleague said

> worst abstraction ever

I second that. I've written enough networkd config for NixOS systems so
far to have a strong dislike. In fact, these don't even make sense:
`netdevs.wireguardPeers._.wireguardPeerConfig` will be rendered into
the key `[WireGuardPeer]` and every key from `wireguardPeerConfig` is in
there. Since it's INI, there's no place where sections on the same level
as wireguardPeerConfig fit into. Hence, get rid of it all.

For the transition, using the old way is still allowed, but gives a
warning. I think we could drop this after one release.

The tests of rosenpass and systemd-networkd-dhcpserver-static-leases
were broken on the rev before, hence they were updated, but are still
not building.
2024-05-20 17:26:42 +02:00

214 lines
6.5 KiB
Nix

import ./make-test-python.nix ({ pkgs, ... }:
let
deviceName = "rp0";
server = {
ip = "fe80::1";
wg = {
public = "mQufmDFeQQuU/fIaB2hHgluhjjm1ypK4hJr1cW3WqAw=";
secret = "4N5Y1dldqrpsbaEiY8O0XBUGUFf8vkvtBtm8AoOX7Eo=";
listen = 10000;
};
};
client = {
ip = "fe80::2";
wg = {
public = "Mb3GOlT7oS+F3JntVKiaD7SpHxLxNdtEmWz/9FMnRFU=";
secret = "uC5dfGMv7Oxf5UDfdPkj6rZiRZT2dRWp5x8IQxrNcUE=";
};
};
in
{
name = "rosenpass";
nodes =
let
shared = peer: { config, modulesPath, ... }: {
imports = [ "${modulesPath}/services/networking/rosenpass.nix" ];
boot.kernelModules = [ "wireguard" ];
services.rosenpass = {
enable = true;
defaultDevice = deviceName;
settings = {
verbosity = "Verbose";
public_key = "/etc/rosenpass/pqpk";
secret_key = "/etc/rosenpass/pqsk";
};
};
networking.firewall.allowedUDPPorts = [ 9999 ];
systemd.network = {
enable = true;
networks."rosenpass" = {
matchConfig.Name = deviceName;
networkConfig.IPForward = true;
address = [ "${peer.ip}/64" ];
};
netdevs."10-rp0" = {
netdevConfig = {
Kind = "wireguard";
Name = deviceName;
};
wireguardConfig.PrivateKeyFile = "/etc/wireguard/wgsk";
};
};
environment.etc."wireguard/wgsk" = {
text = peer.wg.secret;
user = "systemd-network";
group = "systemd-network";
};
};
in
{
server = {
imports = [ (shared server) ];
networking.firewall.allowedUDPPorts = [ server.wg.listen ];
systemd.network.netdevs."10-${deviceName}" = {
wireguardConfig.ListenPort = server.wg.listen;
wireguardPeers = [
{
AllowedIPs = [ "::/0" ];
PublicKey = client.wg.public;
}
];
};
services.rosenpass.settings = {
listen = [ "0.0.0.0:9999" ];
peers = [
{
public_key = "/etc/rosenpass/peers/client/pqpk";
peer = client.wg.public;
}
];
};
};
client = {
imports = [ (shared client) ];
systemd.network.netdevs."10-${deviceName}".wireguardPeers = [
{
AllowedIPs = [ "::/0" ];
PublicKey = server.wg.public;
Endpoint = "server:${builtins.toString server.wg.listen}";
}
];
services.rosenpass.settings.peers = [
{
public_key = "/etc/rosenpass/peers/server/pqpk";
endpoint = "server:9999";
peer = server.wg.public;
}
];
};
};
testScript = { ... }: ''
from os import system
# Full path to rosenpass in the store, to avoid fiddling with `$PATH`.
rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
# Path in `/etc` where keys will be placed.
etc = "/etc/rosenpass"
start_all()
for machine in [server, client]:
machine.wait_for_unit("multi-user.target")
# Gently stop Rosenpass to avoid crashes during key generation/distribution.
for machine in [server, client]:
machine.execute("systemctl stop rosenpass.service")
for (name, machine, remote) in [("server", server, client), ("client", client, server)]:
pk, sk = f"{name}.pqpk", f"{name}.pqsk"
system(f"{rosenpass} gen-keys --force --secret-key {sk} --public-key {pk}")
machine.copy_from_host(sk, f"{etc}/pqsk")
machine.copy_from_host(pk, f"{etc}/pqpk")
remote.copy_from_host(pk, f"{etc}/peers/{name}/pqpk")
for machine in [server, client]:
machine.execute("systemctl start rosenpass.service")
for machine in [server, client]:
machine.wait_for_unit("rosenpass.service")
with subtest("ping"):
client.succeed("ping -c 2 -i 0.5 ${server.ip}%${deviceName}")
with subtest("preshared-keys"):
# Rosenpass works by setting the WireGuard preshared key at regular intervals.
# Thus, if it is not active, then no key will be set, and the output of `wg show` will contain "none".
# Otherwise, if it is active, then the key will be set and "none" will not be found in the output of `wg show`.
for machine in [server, client]:
machine.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5)
'';
# NOTE: Below configuration is for "interactive" (=developing/debugging) only.
interactive.nodes =
let
inherit (import ./ssh-keys.nix pkgs) snakeOilPublicKey snakeOilPrivateKey;
sshAndKeyGeneration = {
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
environment.systemPackages = [
(pkgs.writeShellApplication {
name = "gen-keys";
runtimeInputs = [ pkgs.rosenpass ];
text = ''
HOST="$(hostname)"
if [ "$HOST" == "server" ]
then
PEER="client"
else
PEER="server"
fi
# Generate keypair.
mkdir -vp /etc/rosenpass/peers/$PEER
rosenpass gen-keys --force --secret-key /etc/rosenpass/pqsk --public-key /etc/rosenpass/pqpk
# Set up SSH key.
mkdir -p /root/.ssh
cp ${snakeOilPrivateKey} /root/.ssh/id_ecdsa
chmod 0400 /root/.ssh/id_ecdsa
# Copy public key to other peer.
# shellcheck disable=SC2029
ssh -o StrictHostKeyChecking=no $PEER "mkdir -pv /etc/rosenpass/peers/$HOST"
scp /etc/rosenpass/pqpk "$PEER:/etc/rosenpass/peers/$HOST/pqpk"
'';
})
];
};
# Use kmscon <https://www.freedesktop.org/wiki/Software/kmscon/>
# to provide a slightly nicer console, and while we're at it,
# also use a nice font.
# With kmscon, we can for example zoom in/out using [Ctrl] + [+]
# and [Ctrl] + [-]
niceConsoleAndAutologin.services.kmscon = {
enable = true;
autologinUser = "root";
fonts = [{
name = "Fira Code";
package = pkgs.fira-code;
}];
};
in
{
server = sshAndKeyGeneration // niceConsoleAndAutologin;
client = sshAndKeyGeneration // niceConsoleAndAutologin;
};
})