chore(rosenpass): Add integration tests for basic connectivity, backwards compatability and multi-peer connectivity

2026-02-27 22:13:12 -08:00 · 2025-07-07 12:19:44 +02:00
parent b5ef5842d9
commit dddadb67b8
12 changed files with 1082 additions and 0 deletions
--- a/tests/integration/rp-key-sync.nix
+++ b/tests/integration/rp-key-sync.nix
@@ -0,0 +1,85 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+
+let
+  cfg = config.services.rosenpassKeySync;
+  servicePrefix = "rp-key-sync-";
+  timerPrefix = "rp-key-sync-timer-";
+  rpKeySyncOpts =
+    { name, ... }:
+    {
+      # Each instance of ths service is defined by the following information:
+      options = {
+        enable = lib.mkEnableOption "RP Keysync for ${name}";
+
+        wgInterface = lib.mkOption {
+          type = lib.types.str;
+          description = "Wireguard interface name";
+        };
+
+        rpHost = lib.mkOption {
+          type = lib.types.str;
+          description = "network address of the host that runs rosenpass";
+        };
+
+        peerPubkey = lib.mkOption {
+          type = lib.types.str;
+          description = "Public key of wireguard peer";
+        };
+
+        remoteKeyPath = lib.mkOption {
+          type = lib.types.path;
+          description = "Location of the .osk file on the key exchange server";
+        };
+      };
+    };
+in
+{
+  options.services.rosenpassKeySync = {
+    instances = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule rpKeySyncOpts);
+      default = { };
+      description = "RP key sync instances";
+    };
+  };
+
+  config = {
+    systemd.services = lib.mapAttrs' (instanceName: instanceCfg: {
+      name = "${servicePrefix}${instanceName}";
+      value = {
+        description = "Rosenpass Key Downloader ${instanceName}";
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "network-online.target" ];
+        # The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
+        script = ''
+          set -euo pipefail
+          ${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \
+            | ${pkgs.wireguard-tools}/bin/wg \
+              set ${instanceCfg.wgInterface} \
+              peer ${instanceCfg.peerPubkey} \
+              preshared-key /dev/stdin
+        '';
+        serviceConfig = {
+          Restart = "always";
+          RestartSec = 10;
+        };
+      };
+    }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd service (as above) per configured instance.
+
+    systemd.timers = lib.mapAttrs' (instanceName: instanceCfg: {
+      name = "${timerPrefix}${instanceName}";
+      value = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          requires = [ "network-online.target" ];
+          OnUnitActiveSec = "1m";
+          Unit = "${servicePrefix}${instanceName}.service";
+        };
+      };
+    }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd time (as above) per configured instance.
+  };
+}