nixos/networkd: test systemd-creds in WireGuard
This commit is contained in:
parent
42f5ecde9d
commit
68483a7bad
@ -1,4 +1,4 @@
|
|||||||
let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
|
let generateNodeConf = { lib, pkgs, config, privk, pubk, systemdCreds, peerId, nodeId, ...}: {
|
||||||
imports = [ common/user-account.nix ];
|
imports = [ common/user-account.nix ];
|
||||||
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
|
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
@ -6,6 +6,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
|
|||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
virtualisation.vlans = [ 1 ];
|
virtualisation.vlans = [ 1 ];
|
||||||
environment.systemPackages = with pkgs; [ wireguard-tools ];
|
environment.systemPackages = with pkgs; [ wireguard-tools ];
|
||||||
|
environment.etc."credstore/network.wireguard.private" = lib.mkIf systemdCreds { text = privk; };
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = {
|
config = {
|
||||||
@ -15,11 +16,14 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
|
|||||||
"90-wg0" = {
|
"90-wg0" = {
|
||||||
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
|
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
|
# Test storing wireguard private key using systemd credentials.
|
||||||
|
PrivateKey = lib.mkIf systemdCreds "@network.wireguard.private";
|
||||||
|
|
||||||
# NOTE: we're storing the wireguard private key in the
|
# NOTE: we're storing the wireguard private key in the
|
||||||
# store for this test. Do not do this in the real
|
# store for this test. Do not do this in the real
|
||||||
# world. Keep in mind the nix store is
|
# world. Keep in mind the nix store is
|
||||||
# world-readable.
|
# world-readable.
|
||||||
PrivateKeyFile = pkgs.writeText "wg0-priv" privk;
|
PrivateKeyFile = lib.mkIf (!systemdCreds) (pkgs.writeText "wg0-priv" privk);
|
||||||
ListenPort = 51820;
|
ListenPort = 51820;
|
||||||
FirewallMark = 42;
|
FirewallMark = 42;
|
||||||
};
|
};
|
||||||
@ -74,6 +78,7 @@ in import ./make-test-python.nix ({pkgs, ... }: {
|
|||||||
let localConf = {
|
let localConf = {
|
||||||
privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
|
privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
|
||||||
pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
|
pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
|
||||||
|
systemdCreds = false;
|
||||||
nodeId = "1";
|
nodeId = "1";
|
||||||
peerId = "2";
|
peerId = "2";
|
||||||
};
|
};
|
||||||
@ -83,6 +88,7 @@ in import ./make-test-python.nix ({pkgs, ... }: {
|
|||||||
let localConf = {
|
let localConf = {
|
||||||
privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
|
privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
|
||||||
pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
|
pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
|
||||||
|
systemdCreds = true;
|
||||||
nodeId = "2";
|
nodeId = "2";
|
||||||
peerId = "1";
|
peerId = "1";
|
||||||
};
|
};
|
||||||
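Review bot: The new `environment.etc."credstore/network.wireguard.private" = lib.mkIf systemdCreds { text = privk; }` entry still places the private key in the world-readable Nix store (an `environment.etc` `text` entry is a store path), yet the NOTE warning about exactly that sits only above `PrivateKeyFile`, which is now disabled when `systemdCreds` is true, so a reader of the credentials branch gets no warning. Move the NOTE above the credstore line, or add `# NOTE: this credstore entry also lands in the world-readable nix store; test-only.` next to it. `PrivateKey = lib.mkIf systemdCreds "@network.wireguard.private"` presumably relies on systemd-networkd importing `network.wireguard.*` from `/etc/credstore`, which only recent systemd versions do; a one-line comment naming that requirement would help whoever bumps systemd. Finally, `systemdCreds` is destructured in `generateNodeConf` without a default, so any caller not updated alongside this commit fails to evaluate; `systemdCreds ? false` keeps the old behaviour for them.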
|