From 8450cabd867f5b3ff4ad7b69e2892cf34e878ddc Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 16 Feb 2026 19:34:02 +0100 Subject: [PATCH] tests/infrastructure: Add second client to test client to client ssh connections --- tests/infrastructure/default.nix | 101 ++++++++++++------ tests/infrastructure/keys/client-ssh | 7 -- tests/infrastructure/keys/client-ssh.pub | 1 - tests/infrastructure/keys/client.crt | 6 -- tests/infrastructure/keys/client1-ssh | 7 ++ tests/infrastructure/keys/client1-ssh.pub | 1 + tests/infrastructure/keys/client1.crt | 6 ++ .../keys/{client.key => client1.key} | 2 +- tests/infrastructure/keys/client2-ssh | 7 ++ tests/infrastructure/keys/client2-ssh.pub | 1 + tests/infrastructure/keys/client2.crt | 6 ++ tests/infrastructure/keys/client2.key | 3 + tests/infrastructure/keys/server-ssh | 8 +- tests/infrastructure/keys/server-ssh.pub | 2 +- 14 files changed, 103 insertions(+), 55 deletions(-) delete mode 100644 tests/infrastructure/keys/client-ssh delete mode 100644 tests/infrastructure/keys/client-ssh.pub delete mode 100644 tests/infrastructure/keys/client.crt create mode 100644 tests/infrastructure/keys/client1-ssh create mode 100644 tests/infrastructure/keys/client1-ssh.pub create mode 100644 tests/infrastructure/keys/client1.crt rename tests/infrastructure/keys/{client.key => client1.key} (64%) create mode 100644 tests/infrastructure/keys/client2-ssh create mode 100644 tests/infrastructure/keys/client2-ssh.pub create mode 100644 tests/infrastructure/keys/client2.crt create mode 100644 tests/infrastructure/keys/client2.key diff --git a/tests/infrastructure/default.nix b/tests/infrastructure/default.nix index 1d27ac4..226187e 100644 --- a/tests/infrastructure/default.nix +++ b/tests/infrastructure/default.nix @@ -5,6 +5,8 @@ ... }: { + node.specialArgs = { inherit inputs self; }; + defaults = { nodes, config, ... }: { 
@@ -17,10 +19,19 @@ users.seb = { isNormalUser = true; password = "seb"; - extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = lib.mkIf config.custom.services.sshd.enable [ + ./keys/server-ssh.pub + ./keys/client1-ssh.pub + ./keys/client2-ssh.pub + ]; }; }; + environment.etc."ssh-key" = lib.mkIf (lib.pathExists ./keys/${config.networking.hostName}-ssh) { + source = ./keys/${config.networking.hostName}-ssh; + mode = "0600"; + }; + custom.services.nebula = { caCertificatePath = ./keys/ca.crt; certificatePath = ./keys/${config.networking.hostName}.crt; @@ -30,8 +41,6 @@ services.resolved.dnssec = lib.mkForce "false"; }; - node.specialArgs = { inherit inputs self; }; - nodes = { lighthouse = { custom = { @@ -68,30 +77,41 @@ services.sshd.enable = true; }; - - users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/client-ssh.pub ]; - environment.etc."ssh-key" = { - source = ./keys/server-ssh; - mode = "0600"; - }; }; - client = { - custom.networking = { - overlay = { - address = "10.254.250.3"; - role = "client"; - }; - underlay = { - interface = "eth1"; - cidr = "192.168.0.3/16"; + client1 = + { pkgs, ... }: + { + custom = { + networking = { + overlay = { + address = "10.254.250.3"; + role = "client"; + }; + underlay = { + interface = "eth1"; + cidr = "192.168.0.3/16"; + }; + }; }; + + environment.systemPackages = [ pkgs.openssh ]; }; - users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ]; - environment.etc."ssh-key" = { - source = ./keys/client-ssh; - mode = "0600"; + client2 = { + custom = { + networking = { + overlay = { + address = "10.254.250.4"; + role = "client"; + }; + underlay = { + interface = "eth1"; + cidr = "192.168.0.4/16"; + }; + }; + + services.sshd.enable = true; }; }; }; 
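Review bot: The `mode = "0600"` on `environment.etc."ssh-key"` protects less than it looks: `source` is a path literal, so the private key is copied into the world-readable Nix store and only the `/etc` copy gets the restrictive mode. That is fine for throwaway VM-test keys, but nothing in the file says so, and this `defaults` block is the part most likely to be lifted into a real host module. I would put `# Test-only: the source path is copied into the world-readable Nix store; 0600 guards only the /etc copy.` above it, and a line next to `openssh.authorizedKeys.keyFiles` saying that every node's key is deliberately authorized on every sshd node, so SSH reachability is restricted solely by the overlay's role policy rather than by authorized_keys. The `defaults` function starts in the previous hunk and closes outside this one.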
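Review bot: `environment.systemPackages = [ pkgs.openssh ]` is the only node-specific line in client1 whose purpose is not stated; presumably it is needed because client1 runs no sshd and would otherwise lack the `ssh` client binary the test script invokes — if so, say it: `# ssh client only: client1 has no sshd, so nothing else pulls openssh into the system path`. As a point of style, client1 and client2 now repeat the same `custom.networking` shape with only the last address octet differing; a small helper such as `mkClient = octet: { ... }` would keep the two definitions from drifting as more clients are added. The `nodes` attribute set this hunk edits starts in the previous hunk.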
@@ -99,31 +119,42 @@ testScript = { nodes, ... }: let - lighthouseNetCfg = nodes.lighthouse.custom.networking.overlay; - serverNetCfg = nodes.server.custom.networking.overlay; - clientNetCfg = nodes.client.custom.networking.overlay; + lighthouseNetCfg = nodes.lighthouse.custom.networking; + serverNetCfg = nodes.server.custom.networking; + client1NetCfg = nodes.client1.custom.networking; + client2NetCfg = nodes.client2.custom.networking; sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; in '' start_all() - lighthouse.wait_for_unit("${lighthouseNetCfg.systemdUnit}") - server.wait_for_unit("${serverNetCfg.systemdUnit}") - client.wait_for_unit("${clientNetCfg.systemdUnit}") + lighthouse.wait_for_unit("${lighthouseNetCfg.overlay.systemdUnit}") + server.wait_for_unit("${serverNetCfg.overlay.systemdUnit}") + client1.wait_for_unit("${client1NetCfg.overlay.systemdUnit}") + client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}") + lighthouse.wait_for_unit("unbound.service") + lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}") + server.wait_for_unit("sshd.service") + client2.wait_for_unit("sshd.service") + server.wait_for_open_port(22, "${serverNetCfg.overlay.address}") + client2.wait_for_open_port(22, "${client2NetCfg.overlay.address}") with subtest("Overlay connectivity between nodes"): - client.succeed("ping -c 1 ${serverNetCfg.address}") - server.succeed("ping -c 1 ${clientNetCfg.address}") + client1.succeed("ping -c 1 ${serverNetCfg.overlay.address}") + client1.succeed("ping -c 1 ${client2NetCfg.overlay.address}") + server.succeed("ping -c 1 ${client1NetCfg.overlay.address}") - with subtest("DNS resolution of overlay hostnames"): - client.succeed("ping -c 1 ${serverNetCfg.fqdn}") - server.succeed("ping -c 1 ${clientNetCfg.fqdn}") + with subtest("DNS resolution of FQDNs"): + client1.succeed("ping -c 1 ${serverNetCfg.overlay.fqdn}") + client1.succeed("ping -c 1 
${client2NetCfg.overlay.fqdn}") + server.succeed("ping -c 1 ${client1NetCfg.overlay.fqdn}") with subtest("SSH access restricted by role"): - client.succeed("ssh ${sshOptions} seb@${serverNetCfg.fqdn} 'echo Hello'") - server.fail("ssh ${sshOptions} seb@${clientNetCfg.fqdn} 'echo Hello'") + client1.succeed("ssh ${sshOptions} seb@${serverNetCfg.overlay.fqdn} 'echo Hello'") + client1.succeed("ssh ${sshOptions} seb@${client2NetCfg.overlay.fqdn} 'echo Hello'") + server.fail("ssh ${sshOptions} seb@${client2NetCfg.overlay.fqdn} 'echo Hello'") ''; } diff --git a/tests/infrastructure/keys/client-ssh b/tests/infrastructure/keys/client-ssh deleted file mode 100644 index 125085e..0000000 --- a/tests/infrastructure/keys/client-ssh +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQAAAJCrUHOSq1Bz -kgAAAAtzc2gtZWQyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQ -AAAEB7OMxyFWm+GuvQA/GCdLPPXwkqC9rhPKdrLQU5PRt1fiWAxmeZWndQUxKb/xD+uG07 -DeKgXualoFTK9cXCYGQxAAAACnNlYkBsYXB0b3ABAgM= ------END OPENSSH PRIVATE KEY----- diff --git a/tests/infrastructure/keys/client-ssh.pub b/tests/infrastructure/keys/client-ssh.pub deleted file mode 100644 index 7cedc52..0000000 --- a/tests/infrastructure/keys/client-ssh.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWAxmeZWndQUxKb/xD+uG07DeKgXualoFTK9cXCYGQx seb@laptop diff --git a/tests/infrastructure/keys/client.crt b/tests/infrastructure/keys/client.crt deleted file mode 100644 index d0fbf6e..0000000 --- a/tests/infrastructure/keys/client.crt +++ /dev/null 
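Review bot: `server.fail("ssh ... seb@${client2NetCfg.overlay.fqdn} ...")` is the only negative assertion left, but server never demonstrates that it can reach client2 at all — the connectivity and DNS subtests ping client2 only from client1 and ping server→client1 — so the `fail` also passes on a DNS miss, a missing route or the 3-second connect timeout, none of which exercises the role-based firewall. Add `server.succeed("ping -c 1 ${client2NetCfg.overlay.address}")` to the connectivity subtest and `server.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}")` to the DNS subtest so the SSH refusal is attributable to policy rather than to unreachability. It is also worth a one-line comment on `sshOptions` that `StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` disables host-key verification and is acceptable only because these are disposable test VMs. This hunk begins on the previous line of the page.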
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIGwoEqABmNsaWVudKEHBAUK/voDGKMIDAZjbGllbnSFBGmTH3CGBQElh0qDhyA8
-ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIgkqGANOljLGTOy02go6Sb
-5QuDE12UT7NScZq8xd/6N0SDQCerRL9iT4lQY18Jx6Ov0vYnCgDpi9md7HfaeW7J
-6liZCxssEzBf6NtISsFHVBhv/GKMzHTLSFuC3JKF80SByw4=
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client1-ssh b/tests/infrastructure/keys/client1-ssh
new file mode 100644
index 0000000..4e61ecf
--- /dev/null
+++ b/tests/infrastructure/keys/client1-ssh
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFgAAAJCAcH2jgHB9
+owAAAAtzc2gtZWQyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFg
+AAAEBx+5aMJMDgA3XGHed323x23kW88ZFWkjINlZMLFKC3ORcdu/j8OV+GeLusD8B9XTvU
+XWjiawiZ2fJ52cxNSicWAAAAC3NlYkBjbGllbnQxAQI=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client1-ssh.pub b/tests/infrastructure/keys/client1-ssh.pub
new file mode 100644
index 0000000..809a9c3
--- /dev/null
+++ b/tests/infrastructure/keys/client1-ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcdu/j8OV+GeLusD8B9XTvUXWjiawiZ2fJ52cxNSicW seb@client1
diff --git a/tests/infrastructure/keys/client1.crt b/tests/infrastructure/keys/client1.crt
new file mode 100644
index 0000000..c4611c8
--- /dev/null
+++ b/tests/infrastructure/keys/client1.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGxoEuAB2NsaWVudDGhBwQFCv76AxijCAwGY2xpZW50hQRpky8ohgUBJYdKg4cg
+PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCICL2t3327ET/1zujIeUW
+8G0h0BA94zAcfxvTqOgWuPJ8g0CLA4/lalqM7DfvqVHCuR+yYYl8D4aNf0QrfgAT
+DTbJIFCt3HA9O5KLt7XU7eEYPVGHdNUqT/uQkBBxzZ/H/dkE
+-----END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client.key b/tests/infrastructure/keys/client1.key
similarity index 64%
rename from tests/infrastructure/keys/client.key
rename to tests/infrastructure/keys/client1.key
index fd45d9a..f9e9a97 100644
--- a/tests/infrastructure/keys/client.key
+++ b/tests/infrastructure/keys/client1.key
@@ -1,3 +1,3 @@
 -----BEGIN NEBULA X25519 PRIVATE KEY-----
-C6+KrKj/MfoupP/yt5CKLjDqFmFcGlN9Hb3gCaz8uy8=
+0UBKU2IZtS7em4buXCKLcsH28Z/fJMCxovMjNugXpG0=
 -----END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client2-ssh b/tests/infrastructure/keys/client2-ssh
new file mode 100644
index 0000000..b852011
--- /dev/null
+++ b/tests/infrastructure/keys/client2-ssh
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCgAAAJCP3fl0j935
+dAAAAAtzc2gtZWQyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCg
+AAAECu3BbBFWxE5ue1CTpF9uASFn7VMsw9VY8eQCfXsqeGCGsjBqWMJu09QIn+WhCALDcB
+JqcatIMgiQQhljWlUxUKAAAAC3NlYkBjbGllbnQyAQI=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client2-ssh.pub b/tests/infrastructure/keys/client2-ssh.pub
new file mode 100644
index 0000000..4725641
--- /dev/null
+++ b/tests/infrastructure/keys/client2-ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsjBqWMJu09QIn+WhCALDcBJqcatIMgiQQhljWlUxUK seb@client2
diff --git a/tests/infrastructure/keys/client2.crt b/tests/infrastructure/keys/client2.crt
new file mode 100644
index 0000000..0b7ee48
--- /dev/null
+++ b/tests/infrastructure/keys/client2.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGxoEuAB2NsaWVudDKhBwQFCv76BBijCAwGY2xpZW50hQRpky85hgUBJYdKg4cg
+PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCIDFcdaKsilxpoBFbFeTP
+IYBAeIJL0d1QBw7nbJRh8Ax5g0DZ5EH8e/OcvasElLnbNOpzqV0NeEtAsmAXLcup
+q+jfc9QVXEXROiJ1T+0XSk940L86flvBilQaTAXDqWXlMTUJ
+-----END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client2.key b/tests/infrastructure/keys/client2.key
new file mode 100644
index 0000000..d775ce9
--- /dev/null
+++ b/tests/infrastructure/keys/client2.key
@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PRIVATE KEY-----
++0xEqrapinodioti3P4NYKmDXTakkM+1A8Htaibz/8U=
+-----END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/server-ssh b/tests/infrastructure/keys/server-ssh
index ced4abf..76e4c33 100644
--- a/tests/infrastructure/keys/server-ssh
+++ b/tests/infrastructure/keys/server-ssh
@@ -1,7 +1,7 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWgAAAJCyC2p+sgtq
-fgAAAAtzc2gtZWQyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWg
-AAAED6j1Y/BoQsyvxtApUWipiCHCT1SiVyXf3NgmSsAjHAZknZ+rVDShrmhmwRm7OcCK7H
-k4MRLp8C+2qY6KIQGTFaAAAACnNlYkBsYXB0b3ABAgM=
+QyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pgAAAJCtMVIVrTFS
+FQAAAAtzc2gtZWQyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pg
+AAAEDYW2eLhd09R5lY4cdoxguSr+Gc4Ggp/oiRQbs6IyYzZxaoQeo+p6GbdRKalG401mVB
+jCjJTvAhcqXp4mkFab6mAAAACnNlYkBzZXJ2ZXIBAgM=
 -----END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/server-ssh.pub b/tests/infrastructure/keys/server-ssh.pub
index b591f07..e6b3243 100644
--- a/tests/infrastructure/keys/server-ssh.pub
+++ b/tests/infrastructure/keys/server-ssh.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnZ+rVDShrmhmwRm7OcCK7Hk4MRLp8C+2qY6KIQGTFa seb@laptop
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaoQeo+p6GbdRKalG401mVBjCjJTvAhcqXp4mkFab6m seb@server
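Review bot: The server SSH key pair is replaced wholesale here (the key comment changes from `seb@laptop` to `seb@server`), yet nothing in the tree marks any of the files under `keys/` as disposable fixtures, and the retired pair — like the deleted `client-ssh` pair, also tagged `seb@laptop` — stays recoverable from git history. I cannot tell from the diff whether the `seb@laptop` keys were ever authorized anywhere outside these VMs; if they were, they need to be removed there, since rotating them in the repo does not revoke them. A short note such as `Keys in this directory are generated for the VM test only and must never be authorized on a real host` in a README next to the keys, or as a header comment in default.nix, would make the intent explicit for whoever touches them next.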