diff --git a/tests/integration/flake.lock b/tests/integration/flake.lock
index 4d2b183..3b75f65 100644
--- a/tests/integration/flake.lock
+++ b/tests/integration/flake.lock
@@ -100,16 +100,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1751792365,
- "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+ "lastModified": 1735563628,
+ "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+ "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-24.05",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/tests/integration/rp-key-exchange.nix b/tests/integration/rp-key-exchange.nix
index 082da9d..97832b5 100644
--- a/tests/integration/rp-key-exchange.nix
+++ b/tests/integration/rp-key-exchange.nix
@@ -10,7 +10,12 @@ let
 in
 {
 options.services.rosenpassKeyExchange = {
- enable = lib.mkEnableOption "rosenpass key-exchange";
+ create = lib.mkEnableOption "rosenpass key-exchange";
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ description = "Should the service be enabled";
+ default = true;
+ };
 config = lib.mkOption {
 type = lib.types.path;
 description = "Path to rosenpass configuration";
@@ -21,10 +26,10 @@ in
 };
 };
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.create {
 systemd.services.rp-exchange = {
 description = "Rosenpass Key Exchanger";
- wantedBy = [ "multi-user.target" ];
+ wantedBy = [ ] ++ lib.optional cfg.enable "multi-user.target"; # If we set enable to this, then the service will be masked and cannot be enabled. Doing it this way allows us to enable it.
 requires = [ "network-online.target" ];
 script = ''
 ${cfg.rosenpassVersion}/bin/rosenpass exchange-config ${cfg.config}
diff --git a/tests/integration/rp-key-sync.nix b/tests/integration/rp-key-sync.nix
index a761fae..127d2a4 100644
--- a/tests/integration/rp-key-sync.nix
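Review bot: The new `enable` option's description, `"Should the service be enabled"`, does not say that it has no effect unless `create` is set, nor that `false` still creates the unit so it can be started by hand — which is exactly how rpsc-test.nix uses it. The same option with the same description is added in tests/integration/rp-key-sync.nix (hunk `@@ -14,7 +14,13 @@`). Suggested wording for both: `description = "Whether the created unit is wanted by multi-user.target. Has no effect unless create is set; with false the unit exists but must be started manually.";`. Note also that a consumer still writing only `enable = true;` now evaluates without error and gets no service at all, since `create` defaults to false; if anything outside these tests uses the module, a warning when `enable` is set explicitly (the option's `isDefined`) while `create` is unset would catch that silently changed meaning.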
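Review bot: In `wantedBy = [ ] ++ lib.optional cfg.enable "multi-user.target";` the `[ ] ++` is a no-op, and the trailing explanation is long enough that it is easier to read as a comment above the line: `# Do not use systemd.services.rp-exchange.enable for this: that masks the unit, so it could not be started by hand.` followed by `wantedBy = lib.optional cfg.enable "multi-user.target";`. The same line and comment appear in tests/integration/rp-key-sync.nix (hunk `@@ -52,7 +58,7 @@`) with `instanceCfg.enable`. The enclosing `systemd.services.rp-exchange` definition continues past the end of this hunk.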
+++ b/tests/integration/rp-key-sync.nix
@@ -14,7 +14,13 @@ let
 {
 # Each instance of ths service is defined by the following information:
 options = {
- enable = lib.mkEnableOption "RP Keysync for ${name}";
+ create = lib.mkEnableOption "RP Keysync for ${name}";
+
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ description = "Should the service be enabled";
+ default = true;
+ };
 wgInterface = lib.mkOption {
 type = lib.types.str;
@@ -52,7 +58,7 @@ in
 name = "${servicePrefix}${instanceName}";
 value = {
 description = "Rosenpass Key Downloader ${instanceName}";
- wantedBy = [ "multi-user.target" ];
+ wantedBy = [ ] ++ lib.optional instanceCfg.enable "multi-user.target"; # If we set enable to this, then the service will be masked and cannot be enabled. Doing it this way allows us to enable it.
 requires = [ "network-online.target" ];
 # The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
 script = ''
@@ -68,7 +74,7 @@ in
 RestartSec = 10;
 };
 };
- }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd service (as above) per configured instance.
+ }) (lib.filterAttrs (_: cfg: cfg.create) cfg.instances); # this creates one systemd service (as above) per configured instance.
 systemd.timers = lib.mapAttrs' (instanceName: instanceCfg: {
 name = "${timerPrefix}${instanceName}";
@@ -80,6 +86,6 @@ in
 Unit = "${servicePrefix}${instanceName}.service";
 };
 };
- }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd time (as above) per configured instance.
+ }) (lib.filterAttrs (_: cfg: cfg.create) cfg.instances); # this creates one systemd timer (as above) per configured instance.
 };
 }
diff --git a/tests/integration/rpsc-test.nix b/tests/integration/rpsc-test.nix
index 46ec256..dbd8938 100644
--- a/tests/integration/rpsc-test.nix
+++ b/tests/integration/rpsc-test.nix
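Review bot: In `lib.filterAttrs (_: cfg: cfg.create) cfg.instances` (hunk `@@ -68,7 +74,7 @@`) the lambda parameter `cfg` shadows the module-level `cfg` that the same expression reads `cfg.instances` from; it works, because the outer `cfg.instances` is evaluated outside the lambda, but it reads as if the filter inspected the module config rather than one instance. `(_: inst: inst.create)` would make that explicit. The same shadowing is in the timers hunk at `@@ -80,6 +86,6 @@`.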
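Review bot: The timer for each instance is still created for every `create = true` instance (hunk `@@ -80,6 +86,6 @@`), but nothing in this change gates it on `instanceCfg.enable` the way the service's `wantedBy` now is; if the timer's own `wantedBy` (outside this hunk) is unconditional, the timer can trigger `${servicePrefix}${instanceName}.service` on schedule even when `enable = false`, so the new option only delays the first run instead of leaving it to an explicit `systemctl start`. If a manually started unit is the intent, the timer's `wantedBy` needs the same `lib.optional instanceCfg.enable` treatment. The timer definition starts and ends outside the hunk, so this is inferred from the visible `Unit = ...` line only.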
@@ -198,7 +198,8 @@ in
 services.rosenpassKeySync.instances = {
 AB = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerakeyexchanger";
 peerPubkey = staticConfig.peerB.publicKey;
@@ -207,7 +208,8 @@ in
 } // lib.optionalAttrs multiPeer {
 AC = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerakeyexchanger";
 peerPubkey = staticConfig.peerC.publicKey;
@@ -243,7 +245,8 @@ in
 services.rosenpassKeySync.instances = {
 BA = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerbkeyexchanger";
 peerPubkey = staticConfig.peerA.publicKey;
@@ -252,7 +255,8 @@ in
 } // lib.optionalAttrs multiPeer {
 BC = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerbkeyexchanger";
 peerPubkey = staticConfig.peerC.publicKey;
@@ -269,7 +273,8 @@ in
 networking.firewall.allowedUDPPorts = [ rpPort ];
 services.rosenpassKeyExchange = {
- enable = true;
+ create = true;
+ enable = false;
 config = staticConfig.peerA.rosenpassConfig;
 rosenpassVersion = pkgs.rosenpass-peer-a;
 };
@@ -282,7 +287,8 @@ in
 users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
 services.rosenpassKeyExchange = {
- enable = true;
+ create = true;
+ enable = false;
 config = staticConfig.peerB.rosenpassConfig;
 rosenpassVersion = pkgs.rosenpass-peer-b;
 };
@@ -314,14 +320,16 @@ in
 # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
 services.rosenpassKeySync.instances = {
 CA = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerckeyexchanger";
 peerPubkey = staticConfig.peerA.publicKey;
 remoteKeyPath = keyExchangePathCA;
 };
 CB = {
- enable = true;
+ create = true;
+ enable = false;
 inherit wgInterface;
 rpHost = "peerckeyexchanger";
 peerPubkey = staticConfig.peerB.publicKey;
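Review bot: The pair `create = true; enable = false;` is written out eight times with no comment saying why the units are deliberately left unstarted (this hunk and those at `@@ -207`, `@@ -243`, `@@ -252`, `@@ -269`, `@@ -282`, `@@ -314` and `@@ -338`). A let-bound `manualStart = { create = true; enable = false; }; # created but started explicitly by the test script below` and `AB = manualStart // { inherit wgInterface; ... };` would state the intent once and make the eight sites read identically. The test script that does the starting is in later hunks, so a reader of this part of the file otherwise has to search for it.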
@@ -338,7 +346,8 @@ in
 networking.firewall.allowedUDPPorts = [ rpPort ];
 services.rosenpassKeyExchange = {
- enable = true;
+ create = true;
+ enable = false;
 config = staticConfig.peerC.rosenpassConfig;
 rosenpassVersion = pkgs.rosenpass-peer-c;
 };
@@ -484,12 +493,20 @@ in
 )
 ''}
- # Until now, the services must have failed due to lack of keys
- peerakeyexchanger.succeed("systemctl restart rp-exchange.service")
- peerbkeyexchanger.succeed("systemctl restart rp-exchange.service")
+ # Until now, the services were disbaled and didn't start (using the enable option of the services)
+ peerakeyexchanger.succeed("systemctl start rp-exchange.service")
+ peerbkeyexchanger.succeed("systemctl start rp-exchange.service")
 ${lib.optionalString multiPeer ''
- peerckeyexchanger.succeed("systemctl restart rp-exchange.service")
+ peerckeyexchanger.succeed("systemctl start rp-exchange.service")
+ ''}
+
+ # Wait for the service to have started.
+ for m in [peerbkeyexchanger, peerakeyexchanger]:
+ m.wait_for_unit("rp-exchange.service")
+
+ ${lib.optionalString multiPeer ''
+ peerckeyexchanger.wait_for_unit("rp-exchange.service")
 ''}
@@ -514,11 +531,15 @@ in
 peerC.succeed("wg show all preshared-keys 1>&2")
 ''}
- for m in [peerbkeyexchanger, peerakeyexchanger]:
- m.wait_for_unit("rp-exchange.service")
+ # Start key sync services and wait for them to start.
+ peerA.succeed("systemctl start rp-key-sync-AB.service")
+ peerB.succeed("systemctl start rp-key-sync-BA.service")
 ${lib.optionalString multiPeer ''
- peerckeyexchanger.wait_for_unit("rp-exchange.service")
+ peerA.succeed("systemctl start rp-key-sync-AC.service")
+ peerB.succeed("systemctl start rp-key-sync-BC.service")
+ peerC.succeed("systemctl start rp-key-sync-CA.service")
+ peerC.succeed("systemctl start rp-key-sync-CB.service")
 ''}
 peerA.wait_for_unit("rp-key-sync-AB.service")
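Review bot: Typo in the new comment of hunk `@@ -484,12 +493,20 @@`: `# Until now, the services were disbaled and didn't start (using the enable option of the services)` should read `disabled`; since the units are created but not wanted by multi-user.target rather than disabled in the systemd sense, `# Until now the rp-exchange units existed but were not wanted by any target (enable = false), so nothing has run yet` would also be more precise. Separately, `succeed("systemctl start rp-exchange.service")` normally blocks until the start job finishes, so the `wait_for_unit` loop added after it mainly catches a unit that fails right after starting; a one-line comment saying so would explain why both steps are kept. The same pattern is used for the key-sync units in hunk `@@ -514,11 +531,15 @@`, where the waits for the instances other than AB are outside the visible hunk.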