push sheeet

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,120 @@
{
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
commonConfig =
{ pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.nftables.enable = nftables;
# Make sure iptables doesn't work with nftables enabled
boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];
};
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg-quick";
meta.maintainers = with lib.maintainers; [
averyanalex
azahi
];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
imports = [ commonConfig ];
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
inherit extraOptions;
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
imports = [ commonConfig ];
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
type = "amneziawg";
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
inherit extraOptions;
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
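Review bot: Both peers embed their private key with `inherit (wg-snakeoil-keys.peer0) privateKey;` / `inherit (wg-snakeoil-keys.peer1) privateKey;`, which lands in the generated wg-quick config in the Nix store, whereas the networkd and dynamic-refresh tests in this commit use `privateKeyFile` and carry the comment `# !!! Don't do this with real keys. The /nix store is world-readable!`. The same warning belongs above each `privateKey` inherit here and in the amneziawg, wireguard (basic) and wg-quick sections, so that someone using a test as a template is not misled. The `extraOptions` set (`Jc`, `Jmin`, `Jmax`, `S1`, `S2`) is also undocumented; a comment such as `# AmneziaWG obfuscation parameters; both peers must use identical values` above it would explain why the same attribute set is inherited into both interfaces.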


@@ -0,0 +1,110 @@
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
extraOptions = {
Jc = 5;
Jmin = 10;
Jmax = 42;
S1 = 60;
S2 = 90;
};
in
{
name = "amneziawg";
meta.maintainers = with lib.maintainers; [
averyanalex
azahi
];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
type = "amneziawg";
ips = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
inherit extraOptions;
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
type = "amneziawg";
ips = [
"10.23.42.2/32"
"fc00::2/128"
];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup =
let
ip = lib.getExe' pkgs.iproute2 "ip";
in
''
${ip} route replace 10.23.42.1/32 dev wg0
${ip} route replace fc00::1/128 dev wg0
'';
inherit extraOptions;
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
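Review bot: The testScript only pings across the tunnel, so it passes whether or not the `extraOptions` values reached the interface — two peers that both silently dropped them would still handshake and the test could not tell. A check that the configured parameters appear in the interface's runtime state would pin this down, for example grepping the AmneziaWG tool's config dump for `Jc = 5` on peer0 after the units are up (the exact command is not verifiable from this page; confirm against amneziawg-tools). The `extraOptions` set is also a byte-for-byte copy of the one in amneziawg-quick; sharing it from a small file next to `snakeoil-keys.nix` keeps the two tests from drifting apart.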


@@ -0,0 +1,94 @@
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
in
{
name = "wireguard";
meta.maintainers = with lib.maintainers; [ ma27 ];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
ips = [
"10.23.42.2/32"
"fc00::2/128"
];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup =
let
ip = lib.getExe' pkgs.iproute2 "ip";
in
''
${ip} route replace 10.23.42.1/32 dev wg0
${ip} route replace fc00::1/128 dev wg0
'';
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}


@@ -0,0 +1,50 @@
{
runTest,
lib,
pkgs,
# Test current default (LTS) and latest kernel
kernelVersionsToTest ? [
(lib.versions.majorMinor pkgs.linuxPackages.kernel.version)
"latest"
],
}:
let
tests =
let
callTest =
p: args:
runTest {
imports = [ p ];
_module = { inherit args; };
};
in
{
basic = callTest ./basic.nix;
amneziawg = callTest ./amneziawg.nix;
namespaces = callTest ./namespaces.nix;
networkd = callTest ./networkd.nix;
wg-quick = args: callTest ./wg-quick.nix ({ nftables = false; } // args);
wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);
amneziawg-quick = args: callTest ./amneziawg-quick.nix ({ nftables = false; } // args);
generated = callTest ./generated.nix;
dynamic-refresh = args: callTest ./dynamic-refresh.nix ({ useNetworkd = false; } // args);
dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);
};
in
lib.listToAttrs (
lib.flip lib.concatMap kernelVersionsToTest (
version:
let
v' = lib.replaceString "." "_" version;
in
lib.flip lib.mapAttrsToList tests (
name: test:
lib.nameValuePair "wireguard-${name}-linux-${v'}" (test {
kernelPackages =
pkgs: if v' == "latest" then pkgs.linuxPackages_latest else pkgs.linuxKernel.packages."linux_${v'}";
})
)
)
)


@@ -0,0 +1,107 @@
{
lib,
kernelPackages ? null,
useNetworkd ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
{
name = "wireguard-dynamic-refresh";
meta.maintainers = with lib.maintainers; [ majiir ];
nodes = {
server =
{ lib, pkgs, ... }:
{
virtualisation.vlans = [
1
2
];
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.useDHCP = false;
networking.wireguard.useNetworkd = useNetworkd;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.1/32" ];
listenPort = 23542;
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer0.privateKey);
peers = lib.singleton {
allowedIPs = [ "10.23.42.2/32" ];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
client =
{
nodes,
lib,
pkgs,
...
}:
{
virtualisation.vlans = [
1
2
];
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.useDHCP = false;
networking.wireguard.useNetworkd = useNetworkd;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" ];
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);
dynamicEndpointRefreshSeconds = 2;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "server:23542";
inherit (wg-snakeoil-keys.peer0) publicKey;
};
};
specialisation.update-hosts.configuration = {
networking.extraHosts =
let
testCfg = nodes.server.virtualisation.test;
in
lib.mkForce "192.168.2.${toString testCfg.nodeNumber} ${testCfg.nodeName}";
};
};
};
testScript =
{ nodes, ... }:
''
start_all()
server.systemctl("start network-online.target")
server.wait_for_unit("network-online.target")
client.systemctl("start network-online.target")
client.wait_for_unit("network-online.target")
client.succeed("ping -n -w 1 -c 1 10.23.42.1")
client.succeed("ip link set down eth1")
client.fail("ping -n -w 1 -c 1 10.23.42.1")
with client.nested("update hosts file"):
client.succeed("${nodes.client.system.build.toplevel}/specialisation/update-hosts/bin/switch-to-configuration test")
client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")
'';
}
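Review bot: `client.succeed("sleep 5 && ping -n -w 1 -c 1 10.23.42.1")` on the last script line turns a timing assumption into a fixed delay: with `dynamicEndpointRefreshSeconds = 2` the refresh may land after 5 s on a loaded builder, making the test flaky, and it always costs the full 5 s when it lands earlier. `client.wait_until_succeeds("ping -n -w 1 -c 1 10.23.42.1")` polls until the re-resolved endpoint works and only fails on the driver's own timeout. The surrounding `with client.nested(...)` block keeps its meaning.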


@@ -0,0 +1,73 @@
{
lib,
kernelPackages ? null,
...
}:
{
name = "wireguard-generated";
meta.maintainers = with lib.maintainers; [
ma27
grahamc
];
nodes = {
peer1 =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 12345 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.10.10.1/24" ];
listenPort = 12345;
privateKeyFile = "/etc/wireguard/private";
generatePrivateKeyFile = true;
};
};
peer2 =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 12345 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.10.10.2/24" ];
listenPort = 12345;
privateKeyFile = "/etc/wireguard/private";
generatePrivateKeyFile = true;
};
};
};
testScript = ''
start_all()
peer1.wait_for_unit("wireguard-wg0.service")
peer2.wait_for_unit("wireguard-wg0.service")
retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer1")
retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")
if retcode != 0:
raise Exception("Could not read public key from peer2")
peer1.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(
peer2pubkey.strip()
)
)
peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")
peer2.succeed(
"wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(
peer1pubkey.strip()
)
)
peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")
peer1.succeed("ping -c1 10.10.10.2")
peer2.succeed("ping -c1 10.10.10.1")
'';
}
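Review bot: Nothing in testScript checks the mode of the generated `/etc/wireguard/private`, so a regression that left the key group- or world-readable would still pass as long as the tunnel came up. After the two `wg pubkey < /etc/wireguard/private` reads, `peer1.fail("find /etc/wireguard/private -perm /077 | grep -q .")` (and the same on peer2) asserts that no group/other permission bits are set. The `execute` plus `raise Exception` pairs could also collapse to `peer1pubkey = peer1.succeed("wg pubkey < /etc/wireguard/private")`, which already raises on a non-zero exit and returns the output.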


@@ -0,0 +1,33 @@
{
ip4,
ip6,
extraConfig,
}:
{
imports = [
{
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = ip6;
prefixLength = 64;
}
];
};
}
extraConfig
];
}
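Review bot: `make-peer.nix` turns on `net.ipv4.ip_forward` and both IPv6 forwarding sysctls for every peer, yet as far as this commit shows none of the tests that import it route traffic through a peer — each one pings the other peer's tunnel address directly — so every test VM is a router it does not need to be. If forwarding is required by one consumer, a comment above `boot.kernel.sysctl` naming it would justify the setting; otherwise it should move into that test's `extraConfig` and be dropped from the shared module.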


@@ -0,0 +1,92 @@
{
lib,
kernelPackages ? null,
...
}:
let
listenPort = 12345;
socketNamespace = "foo";
interfaceNamespace = "bar";
node = {
networking.wireguard.interfaces.wg0 = {
listenPort = listenPort;
ips = [ "10.10.10.1/24" ];
privateKeyFile = "/etc/wireguard/private";
generatePrivateKeyFile = true;
};
};
in
{
name = "wireguard-with-namespaces";
meta.maintainers = with lib.maintainers; [ asymmetric ];
nodes = {
# interface should be created in the socketNamespace
# and not moved from there
peer0 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
'';
inherit socketNamespace;
};
};
# interface should be created in the init namespace
# and moved to the interfaceNamespace
peer1 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${interfaceNamespace}
'';
mtu = 1280;
inherit interfaceNamespace;
};
};
# interface should be created in the socketNamespace
# and moved to the interfaceNamespace
peer2 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
ip netns add ${interfaceNamespace}
'';
inherit socketNamespace interfaceNamespace;
};
};
# interface should be created in the socketNamespace
# and moved to the init namespace
peer3 =
{ lib, pkgs, ... }:
lib.attrsets.recursiveUpdate node {
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.interfaces.wg0 = {
preSetup = ''
ip netns add ${socketNamespace}
'';
inherit socketNamespace;
interfaceNamespace = "init";
};
};
};
testScript = ''
start_all()
for machine in peer0, peer1, peer2, peer3:
machine.wait_for_unit("wireguard-wg0.service")
peer0.succeed("ip -n ${socketNamespace} link show wg0")
peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
peer3.succeed("ip link show wg0")
'';
}
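Review bot: `ip netns add ${socketNamespace}` in each `preSetup` is not idempotent: nothing here removes the namespace on shutdown, so a restart of `wireguard-wg0.service` would presumably fail in preSetup before the interface is touched; the test starts the unit only once and so never notices. `ip netns add ${socketNamespace} 2>/dev/null || true` (likewise for `interfaceNamespace`) keeps the same setup path restart-safe. Separately, `listenPort = listenPort;` in the shared `node` set is the idiomatic `inherit listenPort;`.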


@@ -0,0 +1,101 @@
{
lib,
kernelPackages ? null,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
in
{
name = "wireguard-networkd";
meta.maintainers = with lib.maintainers; [ majiir ];
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.useNetworkd = true;
networking.wireguard.interfaces.wg0 = {
ips = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer0.privateKey);
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
# !!! Don't do this with real keys. The /nix store is world-readable!
presharedKeyFile = toString (pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey);
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig =
{ lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.wireguard.useNetworkd = true;
networking.wireguard.interfaces.wg0 = {
ips = [
"10.23.42.2/32"
"fc00::2/128"
];
listenPort = 23542;
# !!! Don't do this with real keys. The /nix store is world-readable!
privateKeyFile = toString (pkgs.writeText "privateKey" wg-snakeoil-keys.peer1.privateKey);
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
# !!! Don't do this with real keys. The /nix store is world-readable!
presharedKeyFile = toString (pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey);
inherit (wg-snakeoil-keys.peer0) publicKey;
};
};
};
};
};
testScript = ''
start_all()
peer0.systemctl("start network-online.target")
peer0.wait_for_unit("network-online.target")
peer1.systemctl("start network-online.target")
peer1.wait_for_unit("network-online.target")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
with subtest("Has PSK set"):
peer0.succeed("wg | grep 'preshared key'")
peer1.succeed("wg | grep 'preshared key'")
'';
}


@@ -0,0 +1,14 @@
{
presharedKey = "7myEJlGAWLTg83y7Py29pp7REQBVmZfI4xcawjcZpjg=";
peer0 = {
privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ=";
publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY=";
};
peer1 = {
privateKey = "uO8JVo/sanx2DOM0L9GUEtzKZ82RGkRnYgpaYc7iXmg=";
# readFile'd keys may have trailing newlines, emulate this
publicKey = "Ks9yRJIi/0vYgRmn14mIOQRwkcUGBujYINbMpik2SBI=\n";
};
}
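Review bot: The file has no header stating what these keys are, so the only signal that they are disposable is the file name. A leading comment such as `# Throw-away WireGuard/AmneziaWG keys for the NixOS test suite. They are public in this repository and must never be used for a real tunnel.` makes the intent explicit for anyone copying a test as a template and complements the `# !!! Don't do this with real keys` warnings in the tests that consume them. The existing `# readFile'd keys may have trailing newlines, emulate this` comment should stay, since the trailing `\n` on peer1's publicKey is deliberate.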


@@ -0,0 +1,101 @@
{
lib,
kernelPackages ? null,
nftables ? false,
...
}:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = import ./make-peer.nix;
commonConfig =
{ pkgs, ... }:
{
boot.kernelPackages = lib.mkIf (kernelPackages != null) (kernelPackages pkgs);
networking.nftables.enable = nftables;
# Make sure iptables doesn't work with nftables enabled
boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];
};
in
{
name = "wg-quick";
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
imports = [ commonConfig ];
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.1/32"
"fc00::1/128"
];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
dns = [
"10.23.42.2"
"fc00::2"
"wg0"
];
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
imports = [ commonConfig ];
networking.useNetworkd = true;
networking.wg-quick.interfaces.wg0 = {
address = [
"10.23.42.2/32"
"fc00::2/128"
];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
dns = [
"10.23.42.1"
"fc00::1"
"wg0"
];
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
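Review bot: This is the only test in the commit without `meta.maintainers`; every other file sets it, and default.nix instantiates this file twice (`wg-quick` and `wg-quick-nftables`), so a failure in either variant would have no one to notify. Add `meta.maintainers = with lib.maintainers; [ <MAINTAINER> ];` after `name = "wg-quick";` — the right handle is not determinable from this page.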