chore(test): Move the wireguard key generation in the integration tests to the test script to make the derivations deterministic while keeping random keys

David Niehues
2025-08-28 12:03:50 +02:00
parent 7d4ae23db9
commit 48e9dd2a86
2 changed files with 154 additions and 122 deletions


@@ -32,8 +32,8 @@ let
description = "network address of the host that runs rosenpass";
};
peerPubkey = lib.mkOption {
type = lib.types.str;
peerPubkeyFile = lib.mkOption {
type = lib.types.path;
description = "Public key of wireguard peer";
};
@@ -73,10 +73,11 @@ in
# The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
script = ''
set -euo pipefail
PEER_PUB_KEY=$(cat ${instanceCfg.peerPubkeyFile})
${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \
| ${pkgs.wireguard-tools}/bin/wg \
set ${instanceCfg.wgInterface} \
peer ${instanceCfg.peerPubkey} \
peer $PEER_PUB_KEY \
endpoint ${instanceCfg.endpoint} \
allowed-ips ${instanceCfg.allowedIps} \
preshared-key /dev/stdin
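Review bot: `$PEER_PUB_KEY` is expanded unquoted in the `wg set` call, so the contents of `peerPubkeyFile` are word-split: anything beyond a single base64 token (a second line, trailing words) reaches `wg` as additional arguments, and an empty file drops the peer argument and shifts the ones after it. Quote both the read and the use, `PEER_PUB_KEY=$(cat "${instanceCfg.peerPubkeyFile}")` and `peer "$PEER_PUB_KEY" \`, so the file can only ever supply one argument. Because this value decides which peer receives the rosenpass-derived preshared key, a guard such as `[ -n "$PEER_PUB_KEY" ]` before the pipeline would make an empty key file fail visibly instead of surfacing as a confusing `wg` error. The `script` string opens in this hunk and closes outside it, so the rest of the unit is not visible here.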