path: root/nixos/tests/teleport.nix



{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
}:

with import ../lib/testing-python.nix { inherit system pkgs; };

let
  minimal = { config, ... }: {
    services.teleport.enable = true;
  };

  client = { config, ... }: {
    services.teleport = {
      enable = true;
      settings = {
        teleport = {
          nodename = "client";
          advertise_ip = "192.168.1.20";
          auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
          auth_servers = [ "192.168.1.10:3025" ];
          log.severity = "DEBUG";
        };
        ssh_service = {
          enabled = true;
          labels = {
            role = "client";
          };
        };
        proxy_service.enabled = false;
        auth_service.enabled = false;
      };
    };
    networking.interfaces.eth1.ipv4.addresses = [{
      address = "192.168.1.20";
      prefixLength = 24;
    }];
  };

  server = { config, ... }: {
    services.teleport = {
      enable = true;
      settings = {
        teleport = {
          nodename = "server";
          advertise_ip = "192.168.1.10";
        };
        ssh_service.enabled = true;
        proxy_service.enabled = true;
        auth_service = {
          enabled = true;
          tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
        };
      };
      diag.enable = true;
      insecure.enable = true;
    };
    networking = {
      firewall.allowedTCPPorts = [ 3025 ];
      interfaces.eth1.ipv4.addresses = [{
        address = "192.168.1.10";
        prefixLength = 24;
      }];
    };
  };
in
{
  minimal = makeTest {
    # minimal setup should always work
    name = "teleport-minimal-setup";
    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
    nodes = { inherit minimal; };

    testScript = ''
      minimal.wait_for_open_port("3025")
      minimal.wait_for_open_port("3080")
      minimal.wait_for_open_port("3022")
    '';
  };

  basic = makeTest {
    # basic server and client test
    name = "teleport-server-client";
    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
    nodes = { inherit server client; };

    testScript = ''
      with subtest("teleport ready"):
          server.wait_for_open_port("3025")
          client.wait_for_open_port("3022")

      with subtest("check applied configuration"):
          server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
          server.wait_for_open_port("3000")
          client.succeed("journalctl -u teleport.service --grep='DEBU'")
          server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
    '';
  };
}
{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
}:

with import ../lib/testing-python.nix { inherit system pkgs; };

let
  minimal = { config, ... }: {
    services.teleport.enable = true;
  };

  client = { config, ... }: {
    services.teleport = {
      enable = true;
      settings = {
        teleport = {
          nodename = "client";
          advertise_ip = "192.168.1.20";
          auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
          auth_servers = [ "192.168.1.10:3025" ];
          log.severity = "DEBUG";
        };
        ssh_service = {
          enabled = true;
          labels = {
            role = "client";
          };
        };
        proxy_service.enabled = false;
        auth_service.enabled = false;
      };
    };
    networking.interfaces.eth1.ipv4.addresses = [{
      address = "192.168.1.20";
      prefixLength = 24;
    }];
  };

  server = { config, ... }: {
    services.teleport = {
      enable = true;
      settings = {
        teleport = {
          nodename = "server";
          advertise_ip = "192.168.1.10";
        };
        ssh_service.enabled = true;
        proxy_service.enabled = true;
        auth_service = {
          enabled = true;
          tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
        };
      };
      diag.enable = true;
      insecure.enable = true;
    };
    networking = {
      firewall.allowedTCPPorts = [ 3025 ];
      interfaces.eth1.ipv4.addresses = [{
        address = "192.168.1.10";
        prefixLength = 24;
      }];
    };
  };
in
{
  minimal = makeTest {
    # minimal setup should always work
    name = "teleport-minimal-setup";
    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
    nodes = { inherit minimal; };

    testScript = ''
      minimal.wait_for_open_port("3025")
      minimal.wait_for_open_port("3080")
      minimal.wait_for_open_port("3022")
    '';
  };

  basic = makeTest {
    # basic server and client test
    name = "teleport-server-client";
    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
    nodes = { inherit server client; };

    testScript = ''
      with subtest("teleport ready"):
          server.wait_for_open_port("3025")
          client.wait_for_open_port("3022")

      with subtest("check applied configuration"):
          server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
          server.wait_for_open_port("3000")
          client.succeed("journalctl -u teleport.service --grep='DEBU'")
          server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
    '';
  };
}