diff --git a/tests/integration/rp-key-sync.nix b/tests/integration/rp-key-sync.nix index f4a3087..1900e49 100644 --- a/tests/integration/rp-key-sync.nix +++ b/tests/integration/rp-key-sync.nix @@ -32,8 +32,8 @@ let description = "network address of the host that runs rosenpass"; }; - peerPubkey = lib.mkOption { - type = lib.types.str; + peerPubkeyFile = lib.mkOption { + type = lib.types.path; description = "Public key of wireguard peer"; }; @@ -73,10 +73,11 @@ in # The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer. script = '' set -euo pipefail + PEER_PUB_KEY=$(cat ${instanceCfg.peerPubkeyFile}) ${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \ | ${pkgs.wireguard-tools}/bin/wg \ set ${instanceCfg.wgInterface} \ - peer ${instanceCfg.peerPubkey} \ + peer $PEER_PUB_KEY \ endpoint ${instanceCfg.endpoint} \ allowed-ips ${instanceCfg.allowedIps} \ preshared-key /dev/stdin diff --git a/tests/integration/rpsc-test.nix b/tests/integration/rpsc-test.nix index 5f1d5eb..376c7f9 100644 --- a/tests/integration/rpsc-test.nix +++ b/tests/integration/rpsc-test.nix @@ -10,6 +10,7 @@ let rpPort = 51821; rosenpassKeyFolder = "/var/secrets"; + wireguardKeyFolder = "/var/wgKeys"; keyExchangePathAB = "/root/peer-ab.osk"; keyExchangePathBA = "/root/peer-ba.osk"; keyExchangePathAC = "/root/peer-ac.osk"; 
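Review bot: The description of the renamed option still reads "Public key of wireguard peer" although `peerPubkeyFile` now takes a path, so the generated module docs would lead an operator to paste the key itself into the option. Suggest `description = "Path to a file containing the public key of the wireguard peer; read by the sync script when the service starts";`. Because the type is now `lib.types.path`, assigning a Nix path literal here would copy that file into the world-readable store, which is harmless for a public key but worth stating in the description so the same option shape is not later reused for secret material. The enclosing options set continues outside the hunk.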
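Review bot: `$PEER_PUB_KEY` is expanded unquoted in the `peer $PEER_PUB_KEY \` line of the script, so interior whitespace in the key file would be split into extra `wg` arguments and an empty file would silently drop the peer argument; `set -u` does not catch an empty-but-set variable and `$(...)` only strips trailing newlines. Quote the expansion and fail early: after `PEER_PUB_KEY=$(cat ${instanceCfg.peerPubkeyFile})` add `[ -n "$PEER_PUB_KEY" ] || { echo "empty public key file" >&2; exit 1; }`, and change the wg line to `peer "$PEER_PUB_KEY" \`. `wg` would most likely reject the malformed argument list anyway, but the failure would then point at the wrong place. The `script = ''` string closes outside the hunk.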
@@ -32,33 +33,12 @@ let peerBConfigFileVersion = getConfigFileVersion pkgs.rosenpass-peer-b; peerCConfigFileVersion = if multiPeer then getConfigFileVersion pkgs.rosenpass-peer-c else null; - generateWgKeys = - name: sk: - let - # The trailing line break that is generated by `wg genkey` and `wg pubkey` breaks the script rp-key-sync.nix to copy the preshared keys. - # We therefore remove the trailing spaces here. - privateKey = pkgs.runCommand "wg-private-${name}" { } '' - echo ${sk} > $out - ''; - publicKey = pkgs.runCommand "wg-public-${name}" { } '' - cat ${privateKey} | ${pkgs.wireguard-tools}/bin/wg pubkey > $out - ''; - in - { - inherit privateKey publicKey; - }; - - peerAWgKeys = generateWgKeys "peerA" "EMeaSKGSSWQFuA8xhca+potK7B43hPsJ9XkUXtfaNF0="; - peerBWgKeys = generateWgKeys "peerB" "ANLij+xiMYmxpFjYcOTt4z8pX1a91Gsg4ZLpcCrjGVg="; - peerCWgKeys = - if multiPeer then generateWgKeys "peerC" "COOk7sSt34r3xtwCvOdqQiv2Pf4auKI+Btgyce2fw1w=" else null; - staticConfig = { peerA = { innerIp = "10.100.0.1"; - privateKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.privateKey); - publicKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.publicKey); + wgPrivateKeyFile = "${wireguardKeyFolder}/peerA.sk"; + wgPublicKeyFile = "${wireguardKeyFolder}/peerA.pk"; rosenpassConfig = builtins.toFile "peer-a.toml" ( '' public_key = "${rosenpassKeyFolder}/self.pk" @@ -81,8 +61,8 @@ let }; peerB = { innerIp = "10.100.0.2"; - privateKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.privateKey); - publicKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.publicKey); + wgPrivateKeyFile = "${wireguardKeyFolder}/peerB.sk"; + wgPublicKeyFile = "${wireguardKeyFolder}/peerB.pk"; rosenpassConfig = builtins.toFile "peer-b.toml" ( '' public_key = "${rosenpassKeyFolder}/self.pk" 
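Review bot: `wgPrivateKeyFile` and `wgPublicKeyFile` in `staticConfig.peerA` are plain strings naming files that only exist on the node at test runtime, whereas the removed `privateKey`/`publicKey` attributes held values available at evaluation time; nothing at the definition site says so, and the same applies to the peerB and peerC attributes in the @@ -81 and @@ -108 hunks. Suggest a comment above the two new attributes, e.g. `# Runtime paths on the node; the key pair is generated by the test script, not embedded in the store.`. Dropping `generateWgKeys` also stops the fixed WireGuard private keys from being written into the Nix store through `runCommand`, which is the substantive effect of this hunk and would be worth a short comment where `wireguardKeyFolder` is defined.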
@@ -108,8 +88,8 @@ let # peerC is only defined if we are in a multiPeer context. peerC = { innerIp = "10.100.0.3"; - privateKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.privateKey); - publicKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.publicKey); + wgPrivateKeyFile = "${wireguardKeyFolder}/peerC.sk"; + wgPublicKeyFile = "${wireguardKeyFolder}/peerC.pk"; rosenpassConfig = builtins.toFile "peer-c.toml" '' public_key = "${rosenpassKeyFolder}/self.pk" secret_key = "${rosenpassKeyFolder}/self.sk" @@ -157,27 +137,6 @@ in { # peerA and peerB are the only neccessary peers unless we are in the multiPeer test. peerA = { - networking.wireguard.interfaces.${wgInterface} = { - listenPort = wgPort; - ips = [ "${staticConfig.peerA.innerIp}/32" ]; - inherit (staticConfig.peerA) privateKey; - peers = - [ - { - inherit (staticConfig.peerB) publicKey; - allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ]; - endpoint = "peerB:${builtins.toString wgPort}"; - presharedKey = "AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0="; - } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - ] - ++ (lib.optional multiPeer { - inherit (staticConfig.peerC) publicKey; - allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ]; - endpoint = "peerC:${builtins.toString wgPort}"; - presharedKey = "LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE="; - } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - ); - }; networking.firewall.allowedUDPPorts = [ wgPort ]; # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel. 
@@ -188,7 +147,7 @@ in enable = false; inherit wgInterface; rpHost = "peerakeyexchanger"; - peerPubkey = staticConfig.peerB.publicKey; + peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile; remoteKeyPath = keyExchangePathAB; endpoint = "peerB:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerB.innerIp}/32"; @@ -200,7 +159,7 @@ in enable = false; inherit wgInterface; rpHost = "peerakeyexchanger"; - peerPubkey = staticConfig.peerC.publicKey; + peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile; remoteKeyPath = keyExchangePathAC; endpoint = "peerC:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerC.innerIp}/32"; @@ -208,28 +167,6 @@ in }; }; peerB = { - networking.wireguard.interfaces.${wgInterface} = { - listenPort = wgPort; - ips = [ "${staticConfig.peerB.innerIp}/32" ]; - inherit (staticConfig.peerB) privateKey; - peers = - [ - { - inherit (staticConfig.peerA) publicKey; - allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ]; - endpoint = "peerA:${builtins.toString wgPort}"; - presharedKey = "o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA="; - # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - } - ] - ++ (lib.optional multiPeer { - inherit (staticConfig.peerC) publicKey; - allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ]; - endpoint = "peerC:${builtins.toString wgPort}"; - presharedKey = "GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM="; - # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - }); - }; networking.firewall.allowedUDPPorts = [ wgPort ]; # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel. 
@@ -240,7 +177,7 @@ in enable = false; inherit wgInterface; rpHost = "peerbkeyexchanger"; - peerPubkey = staticConfig.peerA.publicKey; + peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile; remoteKeyPath = keyExchangePathBA; endpoint = "peerA:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerA.innerIp}/32"; @@ -252,7 +189,7 @@ in enable = false; inherit wgInterface; rpHost = "peerbkeyexchanger"; - peerPubkey = staticConfig.peerC.publicKey; + peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile; remoteKeyPath = keyExchangePathBC; endpoint = "peerC:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerC.innerIp}/32"; @@ -291,25 +228,6 @@ in } // lib.optionalAttrs multiPeer { peerC = { - networking.wireguard.interfaces.${wgInterface} = { - listenPort = wgPort; - ips = [ "${staticConfig.peerC.innerIp}/32" ]; - inherit (staticConfig.peerC) privateKey; - peers = [ - { - inherit (staticConfig.peerA) publicKey; - allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ]; - endpoint = "peerA:${builtins.toString wgPort}"; - presharedKey = "s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI="; - } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - { - inherit (staticConfig.peerB) publicKey; - allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ]; - endpoint = "peerB:${builtins.toString wgPort}"; - presharedKey = "DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ="; - } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded. - ]; - }; networking.firewall.allowedUDPPorts = [ wgPort ]; # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel. 
@@ -319,7 +237,7 @@ in enable = false; inherit wgInterface; rpHost = "peerckeyexchanger"; - peerPubkey = staticConfig.peerA.publicKey; + peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile; remoteKeyPath = keyExchangePathCA; endpoint = "peerA:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerA.innerIp}/32"; @@ -329,7 +247,7 @@ in enable = false; inherit wgInterface; rpHost = "peerckeyexchanger"; - peerPubkey = staticConfig.peerB.publicKey; + peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile; remoteKeyPath = keyExchangePathCB; endpoint = "peerB:${builtins.toString wgPort}"; allowedIps = "${staticConfig.peerB.innerIp}/32"; 
@@ -420,15 +338,128 @@ in m.wait_for_unit("network-online.target") ''} + # Generate the normal wireguard key pairs + peerA.succeed("mkdir ${wireguardKeyFolder}") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerA.wgPrivateKeyFile}") + peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerA.wgPublicKeyFile}") + peerAWgSk = peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | tr -d '\n'") + peerAWgPk = peerA.succeed("cat ${staticConfig.peerA.wgPublicKeyFile} | tr -d '\n'") + peerA.succeed("echo -n AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0= > ${wireguardKeyFolder}/peerB.psk") + + peerB.succeed("mkdir ${wireguardKeyFolder}") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerB.wgPrivateKeyFile}") + peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerB.wgPublicKeyFile}") + peerBWgSk = peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | tr -d '\n'") + peerBWgPk = peerB.succeed("cat ${staticConfig.peerB.wgPublicKeyFile} | tr -d '\n'") + peerB.succeed("echo -n o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA= > ${wireguardKeyFolder}/peerA.psk") + ${lib.optionalString multiPeer '' + peerC.succeed("mkdir ${wireguardKeyFolder}") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerC.wgPrivateKeyFile}") + peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerC.wgPublicKeyFile}") + peerCWgSk = peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | tr -d '\n'") + peerCWgPk = peerC.succeed("cat ${staticConfig.peerC.wgPublicKeyFile} | tr -d '\n'") + peerA.succeed("echo -n LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE= > ${wireguardKeyFolder}/peerC.psk") + peerB.succeed("echo -n GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM= > ${wireguardKeyFolder}/peerC.psk") + peerC.succeed("echo -n 
s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI= > ${wireguardKeyFolder}/peerA.psk") + peerC.succeed("echo -n DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ= > ${wireguardKeyFolder}/peerB.psk") + ''} + + # Distribute the respective public keys + peerA.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk") + peerB.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk") + ${lib.optionalString multiPeer '' + peerA.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk") + peerB.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk") + peerC.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk") + peerC.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk") + ''} + + # Make the wireguard public keys readable for the key-sync service. + peerA.succeed("chmod -R 0555 ${wireguardKeyFolder}") + peerB.succeed("chmod -R 0555 ${wireguardKeyFolder}") + ${lib.optionalString multiPeer '' + peerC.succeed("chmod -R 0555 ${wireguardKeyFolder}") + ''} + + # Set up wireguard on peerA + peerA.succeed("ip link add ${wgInterface} type wireguard") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerA.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}") + peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk") + ${lib.optionalString multiPeer '' + peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk") + ''} + peerA.succeed("ip addr add ${staticConfig.peerA.innerIp}/32 dev ${wgInterface}") + peerA.succeed("ip link set ${wgInterface} up") + peerA.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link") + ${lib.optionalString multiPeer '' + 
peerA.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link") + ''} + + # Set up wireguard on peerB + peerB.succeed("ip link add ${wgInterface} type wireguard") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerB.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}") + peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk") + ${lib.optionalString multiPeer '' + peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk") + ''} + peerB.succeed("ip addr add ${staticConfig.peerB.innerIp}/32 dev ${wgInterface}") + peerB.succeed("ip link set ${wgInterface} up") + peerB.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link") + ${lib.optionalString multiPeer '' + peerB.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link") + ''} + + # Set up wireguard on peerC + ${lib.optionalString multiPeer '' + peerC.succeed("ip link add ${wgInterface} type wireguard") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerC.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}") + peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk") + peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk") + peerC.succeed("ip addr add ${staticConfig.peerC.innerIp}/32 dev 
${wgInterface}") + peerC.succeed("ip link set ${wgInterface} up") + peerC.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link") + peerC.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link") + ''} + + # Dump current state of WireGuard tunnels + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + ${lib.optionalString multiPeer '' + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + ''} + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + ${lib.optionalString multiPeer '' + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + ''} + + # Dump current network config + peerA.succeed("ip addr 1>&2") + peerA.succeed("ip route 1>&2") + peerakeyexchanger.succeed("ip addr 1>&2") + peerakeyexchanger.succeed("ip route 1>&2") + + peerB.succeed("ip addr 1>&2") + peerB.succeed("ip route 1>&2") + peerbkeyexchanger.succeed("ip addr 1>&2") + peerbkeyexchanger.succeed("ip route 1>&2") + + ${lib.optionalString multiPeer '' + peerC.succeed("ip addr 1>&2") + peerC.succeed("ip route 1>&2") + peerckeyexchanger.succeed("ip addr 1>&2") + peerckeyexchanger.succeed("ip route 1>&2") + ''} + # The wireguard connection can't work because the sync services fail on # non-recognized SSH host keys, we didn't deploy the secrets and because the preshared keyes don't match. 
- peerB.fail("ping -c 1 ${staticConfig.peerA.innerIp}") - peerA.fail("ping -c 1 ${staticConfig.peerB.innerIp}") + peerB.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}") + peerA.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}") ${lib.optionalString multiPeer '' - peerA.fail("ping -c 1 ${staticConfig.peerC.innerIp}") - peerB.fail("ping -c 1 ${staticConfig.peerC.innerIp}") - peerC.fail("ping -c 1 ${staticConfig.peerA.innerIp}") - peerC.fail("ping -c 1 ${staticConfig.peerB.innerIp}") + peerA.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}") + peerB.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}") + peerC.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}") + peerC.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}") ''} # In admin-reality, this should be done with your favorite secret @@ -518,15 +549,15 @@ in ''} # Dump current state of WireGuard tunnels - peerA.succeed("wg show all 1>&2") - peerB.succeed("wg show all 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ''} - peerA.succeed("wg show all preshared-keys 1>&2") - peerB.succeed("wg show all preshared-keys 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all preshared-keys 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ''} # Start key sync services and wait for them to start. 
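Review bot: `chmod -R 0555 ${wireguardKeyFolder}` on peerA, peerB and peerC makes the WireGuard private keys (`peerA.sk` and friends) and the `.psk` files world-readable, not only the public keys the comment above it names, and the preceding `wg genkey > ...` lines already create the `.sk` files under the default umask. In a throwaway test VM this is tolerable, but this script is also the reference for how the key-sync service expects keys to be laid out, so it should model the intended permissions: use `peerA.succeed("umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerA.wgPrivateKeyFile}")` for the generation lines and `peerA.succeed("chmod 0755 ${wireguardKeyFolder} && chmod 0444 ${wireguardKeyFolder}/*.pk")` in place of the recursive chmod, with the same change for peerB and peerC. The explanatory comment on intentionally mismatching preshared keys that the removed declarative interface config carried did not survive into the `.psk` writes; suggest restoring it above the first `echo -n ... > ${wireguardKeyFolder}/peerB.psk` line, e.g. `# NOTE: mismatching preshared keys on purpose so the tunnel stays down until the rosenpass key exchange has delivered the real ones.`. The testScript string starts before and continues after this hunk.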
@@ -569,15 +600,15 @@ in ''} # Dump current state of WireGuard tunnels - peerA.succeed("wg show all 1>&2") - peerB.succeed("wg show all 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ''} - peerA.succeed("wg show all preshared-keys 1>&2") - peerB.succeed("wg show all preshared-keys 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all preshared-keys 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ''} # Voila! @@ -591,15 +622,15 @@ in peerA.succeed("ping -c 1 -W 10 ${staticConfig.peerB.innerIp}") # Dump current state of WireGuard tunnels - peerA.succeed("wg show all 1>&2") - peerB.succeed("wg show all 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2") ''} - peerA.succeed("wg show all preshared-keys 1>&2") - peerB.succeed("wg show all preshared-keys 1>&2") + peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") + peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ${lib.optionalString multiPeer '' - peerC.succeed("wg show all preshared-keys 1>&2") + peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2") ''} '');