41bd6d2614
When testing WireGuard updates, I usually run the VM-tests with different kernels to make sure we're not introducing accidental regressions for e.g. older kernels. I figured that we should automate this process to ensure continuously that WireGuard works fine on several kernels. For now I decided to test the latest LTS version (5.4) and the latest kernel (currently 5.6). We can add more kernels in the future, however this seems to significantly slow down evaluation and time. The list can be customized by running a command like this: nix-build nixos/tests/wireguard --arg kernelVersionsToTest '["4.19"]' The `kernelPackages` argument in the tests is null by default to make sure that it's still possible to invoke the test-files directly. In that case the default kernel of NixOS (currently 5.4) is used.
64 lines
2 KiB
Nix
64 lines
2 KiB
Nix
{ kernelPackages ? null }:
|
|
import ../make-test-python.nix ({ pkgs, lib, ... } : {
|
|
name = "wireguard-generated";
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
maintainers = [ ma27 grahamc ];
|
|
};
|
|
|
|
nodes = {
|
|
peer1 = {
|
|
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
|
|
networking.firewall.allowedUDPPorts = [ 12345 ];
|
|
networking.wireguard.interfaces.wg0 = {
|
|
ips = [ "10.10.10.1/24" ];
|
|
listenPort = 12345;
|
|
privateKeyFile = "/etc/wireguard/private";
|
|
generatePrivateKeyFile = true;
|
|
|
|
};
|
|
};
|
|
|
|
peer2 = {
|
|
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
|
|
networking.firewall.allowedUDPPorts = [ 12345 ];
|
|
networking.wireguard.interfaces.wg0 = {
|
|
ips = [ "10.10.10.2/24" ];
|
|
listenPort = 12345;
|
|
privateKeyFile = "/etc/wireguard/private";
|
|
generatePrivateKeyFile = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
|
|
peer1.wait_for_unit("wireguard-wg0.service")
|
|
peer2.wait_for_unit("wireguard-wg0.service")
|
|
|
|
retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")
|
|
if retcode != 0:
|
|
raise Exception("Could not read public key from peer1")
|
|
|
|
retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")
|
|
if retcode != 0:
|
|
raise Exception("Could not read public key from peer2")
|
|
|
|
peer1.succeed(
|
|
"wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(
|
|
peer2pubkey.strip()
|
|
)
|
|
)
|
|
peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")
|
|
|
|
peer2.succeed(
|
|
"wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(
|
|
peer1pubkey.strip()
|
|
)
|
|
)
|
|
peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")
|
|
|
|
peer1.succeed("ping -c1 10.10.10.2")
|
|
peer2.succeed("ping -c1 10.10.10.1")
|
|
'';
|
|
})
|