author | Graham Christensen <graham@grahamc.com> | 2019-04-23 22:30:05 -0400 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2019-04-24 07:46:01 -0400 |
commit | f57fc6c881ffe9acaaddfa8739b50f9bb7fa260c (patch) | |
tree | d38b114b2f010850398ecf2759a8a0bfa304414f /nixos/tests/wireguard | |
parent | 359facc3d318bb623401df4942d81c8e5e404381 (diff) | |
wireguard: add generatePrivateKeyFile option + test
Ideally, private keys never leave the host they're generated on - like SSH. Setting generatePrivateKeyFile to true causes the PK to be generated automatically.
Diffstat (limited to 'nixos/tests/wireguard')
-rw-r--r-- | nixos/tests/wireguard/generated.nix | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/nixos/tests/wireguard/generated.nix b/nixos/tests/wireguard/generated.nix
new file mode 100644
index 00000000000..897feafe3ff
--- /dev/null
+++ b/nixos/tests/wireguard/generated.nix
@@ -0,0 +1,57 @@
+import ../make-test.nix ({ pkgs, ...} : {
+ name = "wireguard-generated";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ ma27 grahamc ];
+ };
+
+ nodes = {
+ peer1 = {
+ networking.firewall.allowedUDPPorts = [ 12345 ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.10.10.1/24" ];
+ listenPort = 12345;
+ privateKeyFile = "/etc/wireguard/private";
+ generatePrivateKeyFile = true;
+
+ };
+ };
+
+ peer2 = {
+ networking.firewall.allowedUDPPorts = [ 12345 ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.10.10.2/24" ];
+ listenPort = 12345;
+ privateKeyFile = "/etc/wireguard/private";
+ generatePrivateKeyFile = true;
+ };
+ };
+ };
+
+ testScript = ''
+ startAll;
+
+ $peer1->waitForUnit("wireguard-wg0.service");
+ $peer2->waitForUnit("wireguard-wg0.service");
+
+ my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private");
+ $peer1pubkey =~ s/\s+$//;
+ if ($retcode != 0) {
+ die "Could not read public key from peer1";
+ }
+
+ my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");
+ $peer2pubkey =~ s/\s+$//;
+ if ($retcode != 0) {
+ die "Could not read public key from peer2";
+ }
+
+ $peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1");
+ $peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main");
+
+ $peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1");
+ $peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main");
+
+ $peer1->succeed("ping -c1 10.10.10.2");
+ $peer2->succeed("ping -c1 10.10.10.1");
+ '';
+})
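Review bot: The test exercises that a key gets generated and the tunnel comes up, but never asserts anything about the generated private key file itself, which is the property the commit message motivates (the key stays on the host, readable only by root); a check right after the two waitForUnit calls, such as `$peer1->succeed('[ "$(stat -c %a /etc/wireguard/private)" = <expected-mode> ]');` with the mode taken from whatever the generatePrivateKeyFile implementation (outside this diff) sets, would pin that down and catch a regression to a world-readable key. Separately, the second `my ($retcode, $peer2pubkey) = ...` redeclares `$retcode` in the same scope as the first, which under `use warnings` (if the test driver enables it — not visible here) emits a "masks earlier declaration" warning; either drop the `my` on that line or use a distinct name, e.g. `my ($retcode2, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");` and test `$retcode2`. The `s/\s+$//` trims are fine but `chomp $peer1pubkey;` says the intent more directly, since the value is then interpolated into a shell command string for `wg set`.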