mirror of
https://github.com/rosenpass/rosenpass.git
synced 2025-12-12 07:40:30 -08:00
chore(test): Move the wireguard key generation in the integration tests to the test script to make the derivations deterministc while keeping random keys
This commit is contained in:
David Niehues
@@ -32,8 +32,8 @@ let
|
||||
description = "network address of the host that runs rosenpass";
|
||||
};
|
||||
|
||||
peerPubkey = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
peerPubkeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Public key of wireguard peer";
|
||||
};
|
||||
|
||||
@@ -73,10 +73,11 @@ in
|
||||
# The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
PEER_PUB_KEY=$(cat ${instanceCfg.peerPubkeyFile})
|
||||
${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \
|
||||
| ${pkgs.wireguard-tools}/bin/wg \
|
||||
set ${instanceCfg.wgInterface} \
|
||||
peer ${instanceCfg.peerPubkey} \
|
||||
peer $PEER_PUB_KEY \
|
||||
endpoint ${instanceCfg.endpoint} \
|
||||
allowed-ips ${instanceCfg.allowedIps} \
|
||||
preshared-key /dev/stdin
|
||||
|
||||
@@ -10,6 +10,7 @@ let
|
||||
rpPort = 51821;
|
||||
|
||||
rosenpassKeyFolder = "/var/secrets";
|
||||
wireguardKeyFolder = "/var/wgKeys";
|
||||
keyExchangePathAB = "/root/peer-ab.osk";
|
||||
keyExchangePathBA = "/root/peer-ba.osk";
|
||||
keyExchangePathAC = "/root/peer-ac.osk";
|
||||
@@ -32,33 +33,12 @@ let
|
||||
peerBConfigFileVersion = getConfigFileVersion pkgs.rosenpass-peer-b;
|
||||
peerCConfigFileVersion = if multiPeer then getConfigFileVersion pkgs.rosenpass-peer-c else null;
|
||||
|
||||
generateWgKeys =
|
||||
name: sk:
|
||||
let
|
||||
# The trailing line break that is generated by `wg genkey` and `wg pubkey` breaks the script rp-key-sync.nix to copy the preshared keys.
|
||||
# We therefore remove the trailing spaces here.
|
||||
privateKey = pkgs.runCommand "wg-private-${name}" { } ''
|
||||
echo ${sk} > $out
|
||||
'';
|
||||
publicKey = pkgs.runCommand "wg-public-${name}" { } ''
|
||||
cat ${privateKey} | ${pkgs.wireguard-tools}/bin/wg pubkey > $out
|
||||
'';
|
||||
in
|
||||
{
|
||||
inherit privateKey publicKey;
|
||||
};
|
||||
|
||||
peerAWgKeys = generateWgKeys "peerA" "EMeaSKGSSWQFuA8xhca+potK7B43hPsJ9XkUXtfaNF0=";
|
||||
peerBWgKeys = generateWgKeys "peerB" "ANLij+xiMYmxpFjYcOTt4z8pX1a91Gsg4ZLpcCrjGVg=";
|
||||
peerCWgKeys =
|
||||
if multiPeer then generateWgKeys "peerC" "COOk7sSt34r3xtwCvOdqQiv2Pf4auKI+Btgyce2fw1w=" else null;
|
||||
|
||||
staticConfig =
|
||||
{
|
||||
peerA = {
|
||||
innerIp = "10.100.0.1";
|
||||
privateKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.privateKey);
|
||||
publicKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.publicKey);
|
||||
wgPrivateKeyFile = "${wireguardKeyFolder}/peerA.sk";
|
||||
wgPublicKeyFile = "${wireguardKeyFolder}/peerA.pk";
|
||||
rosenpassConfig = builtins.toFile "peer-a.toml" (
|
||||
''
|
||||
public_key = "${rosenpassKeyFolder}/self.pk"
|
||||
@@ -81,8 +61,8 @@ let
|
||||
};
|
||||
peerB = {
|
||||
innerIp = "10.100.0.2";
|
||||
privateKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.privateKey);
|
||||
publicKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.publicKey);
|
||||
wgPrivateKeyFile = "${wireguardKeyFolder}/peerB.sk";
|
||||
wgPublicKeyFile = "${wireguardKeyFolder}/peerB.pk";
|
||||
rosenpassConfig = builtins.toFile "peer-b.toml" (
|
||||
''
|
||||
public_key = "${rosenpassKeyFolder}/self.pk"
|
||||
@@ -108,8 +88,8 @@ let
|
||||
# peerC is only defined if we are in a multiPeer context.
|
||||
peerC = {
|
||||
innerIp = "10.100.0.3";
|
||||
privateKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.privateKey);
|
||||
publicKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.publicKey);
|
||||
wgPrivateKeyFile = "${wireguardKeyFolder}/peerC.sk";
|
||||
wgPublicKeyFile = "${wireguardKeyFolder}/peerC.pk";
|
||||
rosenpassConfig = builtins.toFile "peer-c.toml" ''
|
||||
public_key = "${rosenpassKeyFolder}/self.pk"
|
||||
secret_key = "${rosenpassKeyFolder}/self.sk"
|
||||
@@ -157,27 +137,6 @@ in
|
||||
{
|
||||
# peerA and peerB are the only neccessary peers unless we are in the multiPeer test.
|
||||
peerA = {
|
||||
networking.wireguard.interfaces.${wgInterface} = {
|
||||
listenPort = wgPort;
|
||||
ips = [ "${staticConfig.peerA.innerIp}/32" ];
|
||||
inherit (staticConfig.peerA) privateKey;
|
||||
peers =
|
||||
[
|
||||
{
|
||||
inherit (staticConfig.peerB) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ];
|
||||
endpoint = "peerB:${builtins.toString wgPort}";
|
||||
presharedKey = "AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0=";
|
||||
} # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
]
|
||||
++ (lib.optional multiPeer {
|
||||
inherit (staticConfig.peerC) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ];
|
||||
endpoint = "peerC:${builtins.toString wgPort}";
|
||||
presharedKey = "LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE=";
|
||||
} # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
);
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ wgPort ];
|
||||
|
||||
# Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
|
||||
@@ -188,7 +147,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerakeyexchanger";
|
||||
peerPubkey = staticConfig.peerB.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathAB;
|
||||
endpoint = "peerB:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerB.innerIp}/32";
|
||||
@@ -200,7 +159,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerakeyexchanger";
|
||||
peerPubkey = staticConfig.peerC.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathAC;
|
||||
endpoint = "peerC:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerC.innerIp}/32";
|
||||
@@ -208,28 +167,6 @@ in
|
||||
};
|
||||
};
|
||||
peerB = {
|
||||
networking.wireguard.interfaces.${wgInterface} = {
|
||||
listenPort = wgPort;
|
||||
ips = [ "${staticConfig.peerB.innerIp}/32" ];
|
||||
inherit (staticConfig.peerB) privateKey;
|
||||
peers =
|
||||
[
|
||||
{
|
||||
inherit (staticConfig.peerA) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ];
|
||||
endpoint = "peerA:${builtins.toString wgPort}";
|
||||
presharedKey = "o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA=";
|
||||
# NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
}
|
||||
]
|
||||
++ (lib.optional multiPeer {
|
||||
inherit (staticConfig.peerC) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ];
|
||||
endpoint = "peerC:${builtins.toString wgPort}";
|
||||
presharedKey = "GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM=";
|
||||
# NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
});
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ wgPort ];
|
||||
|
||||
# Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
|
||||
@@ -240,7 +177,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerbkeyexchanger";
|
||||
peerPubkey = staticConfig.peerA.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathBA;
|
||||
endpoint = "peerA:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerA.innerIp}/32";
|
||||
@@ -252,7 +189,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerbkeyexchanger";
|
||||
peerPubkey = staticConfig.peerC.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathBC;
|
||||
endpoint = "peerC:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerC.innerIp}/32";
|
||||
@@ -291,25 +228,6 @@ in
|
||||
}
|
||||
// lib.optionalAttrs multiPeer {
|
||||
peerC = {
|
||||
networking.wireguard.interfaces.${wgInterface} = {
|
||||
listenPort = wgPort;
|
||||
ips = [ "${staticConfig.peerC.innerIp}/32" ];
|
||||
inherit (staticConfig.peerC) privateKey;
|
||||
peers = [
|
||||
{
|
||||
inherit (staticConfig.peerA) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ];
|
||||
endpoint = "peerA:${builtins.toString wgPort}";
|
||||
presharedKey = "s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI=";
|
||||
} # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
{
|
||||
inherit (staticConfig.peerB) publicKey;
|
||||
allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ];
|
||||
endpoint = "peerB:${builtins.toString wgPort}";
|
||||
presharedKey = "DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ=";
|
||||
} # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
|
||||
];
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ wgPort ];
|
||||
|
||||
# Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
|
||||
@@ -319,7 +237,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerckeyexchanger";
|
||||
peerPubkey = staticConfig.peerA.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathCA;
|
||||
endpoint = "peerA:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerA.innerIp}/32";
|
||||
@@ -329,7 +247,7 @@ in
|
||||
enable = false;
|
||||
inherit wgInterface;
|
||||
rpHost = "peerckeyexchanger";
|
||||
peerPubkey = staticConfig.peerB.publicKey;
|
||||
peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile;
|
||||
remoteKeyPath = keyExchangePathCB;
|
||||
endpoint = "peerB:${builtins.toString wgPort}";
|
||||
allowedIps = "${staticConfig.peerB.innerIp}/32";
|
||||
@@ -420,15 +338,128 @@ in
|
||||
m.wait_for_unit("network-online.target")
|
||||
''}
|
||||
|
||||
# Generate the normal wireguard key pairs
|
||||
peerA.succeed("mkdir ${wireguardKeyFolder}")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerA.wgPrivateKeyFile}")
|
||||
peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerA.wgPublicKeyFile}")
|
||||
peerAWgSk = peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | tr -d '\n'")
|
||||
peerAWgPk = peerA.succeed("cat ${staticConfig.peerA.wgPublicKeyFile} | tr -d '\n'")
|
||||
peerA.succeed("echo -n AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0= > ${wireguardKeyFolder}/peerB.psk")
|
||||
|
||||
peerB.succeed("mkdir ${wireguardKeyFolder}")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerB.wgPrivateKeyFile}")
|
||||
peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerB.wgPublicKeyFile}")
|
||||
peerBWgSk = peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | tr -d '\n'")
|
||||
peerBWgPk = peerB.succeed("cat ${staticConfig.peerB.wgPublicKeyFile} | tr -d '\n'")
|
||||
peerB.succeed("echo -n o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA= > ${wireguardKeyFolder}/peerA.psk")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("mkdir ${wireguardKeyFolder}")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerC.wgPrivateKeyFile}")
|
||||
peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerC.wgPublicKeyFile}")
|
||||
peerCWgSk = peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | tr -d '\n'")
|
||||
peerCWgPk = peerC.succeed("cat ${staticConfig.peerC.wgPublicKeyFile} | tr -d '\n'")
|
||||
peerA.succeed("echo -n LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE= > ${wireguardKeyFolder}/peerC.psk")
|
||||
peerB.succeed("echo -n GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM= > ${wireguardKeyFolder}/peerC.psk")
|
||||
peerC.succeed("echo -n s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI= > ${wireguardKeyFolder}/peerA.psk")
|
||||
peerC.succeed("echo -n DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ= > ${wireguardKeyFolder}/peerB.psk")
|
||||
''}
|
||||
|
||||
# Distribute the respective public keys
|
||||
peerA.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk")
|
||||
peerB.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerA.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk")
|
||||
peerB.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk")
|
||||
peerC.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk")
|
||||
peerC.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk")
|
||||
''}
|
||||
|
||||
# Make the wireguard public keys readable for the key-sync service.
|
||||
peerA.succeed("chmod -R 0555 ${wireguardKeyFolder}")
|
||||
peerB.succeed("chmod -R 0555 ${wireguardKeyFolder}")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("chmod -R 0555 ${wireguardKeyFolder}")
|
||||
''}
|
||||
|
||||
# Set up wireguard on peerA
|
||||
peerA.succeed("ip link add ${wgInterface} type wireguard")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerA.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
|
||||
peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk")
|
||||
''}
|
||||
peerA.succeed("ip addr add ${staticConfig.peerA.innerIp}/32 dev ${wgInterface}")
|
||||
peerA.succeed("ip link set ${wgInterface} up")
|
||||
peerA.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerA.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link")
|
||||
''}
|
||||
|
||||
# Set up wireguard on peerB
|
||||
peerB.succeed("ip link add ${wgInterface} type wireguard")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerB.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
|
||||
peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk")
|
||||
''}
|
||||
peerB.succeed("ip addr add ${staticConfig.peerB.innerIp}/32 dev ${wgInterface}")
|
||||
peerB.succeed("ip link set ${wgInterface} up")
|
||||
peerB.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerB.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link")
|
||||
''}
|
||||
|
||||
# Set up wireguard on peerC
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("ip link add ${wgInterface} type wireguard")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerC.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
|
||||
peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk")
|
||||
peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk")
|
||||
peerC.succeed("ip addr add ${staticConfig.peerC.innerIp}/32 dev ${wgInterface}")
|
||||
peerC.succeed("ip link set ${wgInterface} up")
|
||||
peerC.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link")
|
||||
peerC.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link")
|
||||
''}
|
||||
|
||||
# Dump current state of WireGuard tunnels
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
''}
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
''}
|
||||
|
||||
# Dump current network config
|
||||
peerA.succeed("ip addr 1>&2")
|
||||
peerA.succeed("ip route 1>&2")
|
||||
peerakeyexchanger.succeed("ip addr 1>&2")
|
||||
peerakeyexchanger.succeed("ip route 1>&2")
|
||||
|
||||
peerB.succeed("ip addr 1>&2")
|
||||
peerB.succeed("ip route 1>&2")
|
||||
peerbkeyexchanger.succeed("ip addr 1>&2")
|
||||
peerbkeyexchanger.succeed("ip route 1>&2")
|
||||
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("ip addr 1>&2")
|
||||
peerC.succeed("ip route 1>&2")
|
||||
peerckeyexchanger.succeed("ip addr 1>&2")
|
||||
peerckeyexchanger.succeed("ip route 1>&2")
|
||||
''}
|
||||
|
||||
# The wireguard connection can't work because the sync services fail on
|
||||
# non-recognized SSH host keys, we didn't deploy the secrets and because the preshared keyes don't match.
|
||||
peerB.fail("ping -c 1 ${staticConfig.peerA.innerIp}")
|
||||
peerA.fail("ping -c 1 ${staticConfig.peerB.innerIp}")
|
||||
peerB.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}")
|
||||
peerA.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerA.fail("ping -c 1 ${staticConfig.peerC.innerIp}")
|
||||
peerB.fail("ping -c 1 ${staticConfig.peerC.innerIp}")
|
||||
peerC.fail("ping -c 1 ${staticConfig.peerA.innerIp}")
|
||||
peerC.fail("ping -c 1 ${staticConfig.peerB.innerIp}")
|
||||
peerA.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}")
|
||||
peerB.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}")
|
||||
peerC.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}")
|
||||
peerC.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}")
|
||||
''}
|
||||
|
||||
# In admin-reality, this should be done with your favorite secret
|
||||
@@ -518,15 +549,15 @@ in
|
||||
''}
|
||||
|
||||
# Dump current state of WireGuard tunnels
|
||||
peerA.succeed("wg show all 1>&2")
|
||||
peerB.succeed("wg show all 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
''}
|
||||
peerA.succeed("wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("wg show all preshared-keys 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all preshared-keys 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
''}
|
||||
|
||||
# Start key sync services and wait for them to start.
|
||||
@@ -569,15 +600,15 @@ in
|
||||
''}
|
||||
|
||||
# Dump current state of WireGuard tunnels
|
||||
peerA.succeed("wg show all 1>&2")
|
||||
peerB.succeed("wg show all 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
''}
|
||||
peerA.succeed("wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("wg show all preshared-keys 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all preshared-keys 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
''}
|
||||
|
||||
# Voila!
|
||||
@@ -591,15 +622,15 @@ in
|
||||
peerA.succeed("ping -c 1 -W 10 ${staticConfig.peerB.innerIp}")
|
||||
|
||||
# Dump current state of WireGuard tunnels
|
||||
peerA.succeed("wg show all 1>&2")
|
||||
peerB.succeed("wg show all 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
|
||||
''}
|
||||
peerA.succeed("wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("wg show all preshared-keys 1>&2")
|
||||
peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
${lib.optionalString multiPeer ''
|
||||
peerC.succeed("wg show all preshared-keys 1>&2")
|
||||
peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
|
||||
''}
|
||||
|
||||
'');
|
||||
|
||||
Reference in New Issue
Block a user