SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 17:49:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

tests/infrastructure: Add second client to test client to client ssh connections

Browse source
This commit is contained in:
SebastianStork 2026-02-16 19:34:02 +01:00
parent 5478fafd6f
commit 8450cabd86
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
14 changed files with 103 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

101
tests/infrastructure/default.nix
View file

@ -5,6 +5,8 @@
... ...
}: }:
{ {
node.specialArgs = { inherit inputs self; };
defaults = defaults =
{ nodes, config, ... }: { nodes, config, ... }:
{ {
@ -17,10 +19,19 @@
users.seb = { users.seb = {
isNormalUser = true; isNormalUser = true;
password = "seb"; password = "seb";
extraGroups = [ "wheel" ]; openssh.authorizedKeys.keyFiles = lib.mkIf config.custom.services.sshd.enable [
./keys/server-ssh.pub
./keys/client1-ssh.pub
./keys/client2-ssh.pub
];
}; };
}; };
environment.etc."ssh-key" = lib.mkIf (lib.pathExists ./keys/${config.networking.hostName}-ssh) {
source = ./keys/${config.networking.hostName}-ssh;
mode = "0600";
};
custom.services.nebula = { custom.services.nebula = {
caCertificatePath = ./keys/ca.crt; caCertificatePath = ./keys/ca.crt;
certificatePath = ./keys/${config.networking.hostName}.crt; certificatePath = ./keys/${config.networking.hostName}.crt;
@ -30,8 +41,6 @@
services.resolved.dnssec = lib.mkForce "false"; services.resolved.dnssec = lib.mkForce "false";
}; };
node.specialArgs = { inherit inputs self; };
nodes = { nodes = {
lighthouse = { lighthouse = {
custom = { custom = {
@ -68,30 +77,41 @@
services.sshd.enable = true; services.sshd.enable = true;
}; };
users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/client-ssh.pub ];
environment.etc."ssh-key" = {
source = ./keys/server-ssh;
mode = "0600";
};
}; };
client = { client1 =
custom.networking = { { pkgs, ... }:
overlay = { {
address = "10.254.250.3"; custom = {
role = "client"; networking = {
}; overlay = {
underlay = { address = "10.254.250.3";
interface = "eth1"; role = "client";
cidr = "192.168.0.3/16"; };
underlay = {
interface = "eth1";
cidr = "192.168.0.3/16";
};
};
}; };
environment.systemPackages = [ pkgs.openssh ];
}; };
users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ]; client2 = {
environment.etc."ssh-key" = { custom = {
source = ./keys/client-ssh; networking = {
mode = "0600"; overlay = {
address = "10.254.250.4";
role = "client";
};
underlay = {
interface = "eth1";
cidr = "192.168.0.4/16";
};
};
services.sshd.enable = true;
}; };
}; };
}; };
@ -99,31 +119,42 @@
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let let
lighthouseNetCfg = nodes.lighthouse.custom.networking.overlay; lighthouseNetCfg = nodes.lighthouse.custom.networking;
serverNetCfg = nodes.server.custom.networking.overlay; serverNetCfg = nodes.server.custom.networking;
clientNetCfg = nodes.client.custom.networking.overlay; client1NetCfg = nodes.client1.custom.networking;
client2NetCfg = nodes.client2.custom.networking;
sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
in in
'' ''
start_all() start_all()
lighthouse.wait_for_unit("${lighthouseNetCfg.systemdUnit}") lighthouse.wait_for_unit("${lighthouseNetCfg.overlay.systemdUnit}")
server.wait_for_unit("${serverNetCfg.systemdUnit}") server.wait_for_unit("${serverNetCfg.overlay.systemdUnit}")
client.wait_for_unit("${clientNetCfg.systemdUnit}") client1.wait_for_unit("${client1NetCfg.overlay.systemdUnit}")
client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}")
lighthouse.wait_for_unit("unbound.service") lighthouse.wait_for_unit("unbound.service")
lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}")
server.wait_for_unit("sshd.service") server.wait_for_unit("sshd.service")
client2.wait_for_unit("sshd.service")
server.wait_for_open_port(22, "${serverNetCfg.overlay.address}")
client2.wait_for_open_port(22, "${client2NetCfg.overlay.address}")
with subtest("Overlay connectivity between nodes"): with subtest("Overlay connectivity between nodes"):
client.succeed("ping -c 1 ${serverNetCfg.address}") client1.succeed("ping -c 1 ${serverNetCfg.overlay.address}")
server.succeed("ping -c 1 ${clientNetCfg.address}") client1.succeed("ping -c 1 ${client2NetCfg.overlay.address}")
server.succeed("ping -c 1 ${client1NetCfg.overlay.address}")
with subtest("DNS resolution of overlay hostnames"): with subtest("DNS resolution of FQDNs"):
client.succeed("ping -c 1 ${serverNetCfg.fqdn}") client1.succeed("ping -c 1 ${serverNetCfg.overlay.fqdn}")
server.succeed("ping -c 1 ${clientNetCfg.fqdn}") client1.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}")
server.succeed("ping -c 1 ${client1NetCfg.overlay.fqdn}")
with subtest("SSH access restricted by role"): with subtest("SSH access restricted by role"):
client.succeed("ssh ${sshOptions} seb@${serverNetCfg.fqdn} 'echo Hello'") client1.succeed("ssh ${sshOptions} seb@${serverNetCfg.overlay.fqdn} 'echo Hello'")
server.fail("ssh ${sshOptions} seb@${clientNetCfg.fqdn} 'echo Hello'") client1.succeed("ssh ${sshOptions} seb@${client2NetCfg.overlay.fqdn} 'echo Hello'")
server.fail("ssh ${sshOptions} seb@${client2NetCfg.overlay.fqdn} 'echo Hello'")
''; '';
} }

7
tests/infrastructure/keys/client-ssh
View file

@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQAAAJCrUHOSq1Bz
kgAAAAtzc2gtZWQyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQ
AAAEB7OMxyFWm+GuvQA/GCdLPPXwkqC9rhPKdrLQU5PRt1fiWAxmeZWndQUxKb/xD+uG07
DeKgXualoFTK9cXCYGQxAAAACnNlYkBsYXB0b3ABAgM=
-----END OPENSSH PRIVATE KEY-----

1
tests/infrastructure/keys/client-ssh.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWAxmeZWndQUxKb/xD+uG07DeKgXualoFTK9cXCYGQx seb@laptop

6
tests/infrastructure/keys/client.crt
View file

@ -1,6 +0,0 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGwoEqABmNsaWVudKEHBAUK/voDGKMIDAZjbGllbnSFBGmTH3CGBQElh0qDhyA8
ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIgkqGANOljLGTOy02go6Sb
5QuDE12UT7NScZq8xd/6N0SDQCerRL9iT4lQY18Jx6Ov0vYnCgDpi9md7HfaeW7J
6liZCxssEzBf6NtISsFHVBhv/GKMzHTLSFuC3JKF80SByw4=
-----END NEBULA CERTIFICATE V2-----

7
tests/infrastructure/keys/client1-ssh Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFgAAAJCAcH2jgHB9
owAAAAtzc2gtZWQyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFg
AAAEBx+5aMJMDgA3XGHed323x23kW88ZFWkjINlZMLFKC3ORcdu/j8OV+GeLusD8B9XTvU
XWjiawiZ2fJ52cxNSicWAAAAC3NlYkBjbGllbnQxAQI=
-----END OPENSSH PRIVATE KEY-----

1
tests/infrastructure/keys/client1-ssh.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcdu/j8OV+GeLusD8B9XTvUXWjiawiZ2fJ52cxNSicW seb@client1

6
tests/infrastructure/keys/client1.crt Normal file
View file

@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGxoEuAB2NsaWVudDGhBwQFCv76AxijCAwGY2xpZW50hQRpky8ohgUBJYdKg4cg
PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCICL2t3327ET/1zujIeUW
8G0h0BA94zAcfxvTqOgWuPJ8g0CLA4/lalqM7DfvqVHCuR+yYYl8D4aNf0QrfgAT
DTbJIFCt3HA9O5KLt7XU7eEYPVGHdNUqT/uQkBBxzZ/H/dkE
-----END NEBULA CERTIFICATE V2-----

2
tests/infrastructure/keys/client.key → tests/infrastructure/keys/client1.key
View file

@ -1,3 +1,3 @@
-----BEGIN NEBULA X25519 PRIVATE KEY----- -----BEGIN NEBULA X25519 PRIVATE KEY-----
C6+KrKj/MfoupP/yt5CKLjDqFmFcGlN9Hb3gCaz8uy8= 0UBKU2IZtS7em4buXCKLcsH28Z/fJMCxovMjNugXpG0=
-----END NEBULA X25519 PRIVATE KEY----- -----END NEBULA X25519 PRIVATE KEY-----

7
tests/infrastructure/keys/client2-ssh Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCgAAAJCP3fl0j935
dAAAAAtzc2gtZWQyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCg
AAAECu3BbBFWxE5ue1CTpF9uASFn7VMsw9VY8eQCfXsqeGCGsjBqWMJu09QIn+WhCALDcB
JqcatIMgiQQhljWlUxUKAAAAC3NlYkBjbGllbnQyAQI=
-----END OPENSSH PRIVATE KEY-----

1
tests/infrastructure/keys/client2-ssh.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsjBqWMJu09QIn+WhCALDcBJqcatIMgiQQhljWlUxUK seb@client2

6
tests/infrastructure/keys/client2.crt Normal file
View file

@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGxoEuAB2NsaWVudDKhBwQFCv76BBijCAwGY2xpZW50hQRpky85hgUBJYdKg4cg
PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCIDFcdaKsilxpoBFbFeTP
IYBAeIJL0d1QBw7nbJRh8Ax5g0DZ5EH8e/OcvasElLnbNOpzqV0NeEtAsmAXLcup
q+jfc9QVXEXROiJ1T+0XSk940L86flvBilQaTAXDqWXlMTUJ
-----END NEBULA CERTIFICATE V2-----

3
tests/infrastructure/keys/client2.key Normal file
View file

@ -0,0 +1,3 @@
-----BEGIN NEBULA X25519 PRIVATE KEY-----
+0xEqrapinodioti3P4NYKmDXTakkM+1A8Htaibz/8U=
-----END NEBULA X25519 PRIVATE KEY-----

8
tests/infrastructure/keys/server-ssh
View file

@ -1,7 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY----- -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWgAAAJCyC2p+sgtq QyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pgAAAJCtMVIVrTFS
fgAAAAtzc2gtZWQyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWg FQAAAAtzc2gtZWQyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pg
AAAED6j1Y/BoQsyvxtApUWipiCHCT1SiVyXf3NgmSsAjHAZknZ+rVDShrmhmwRm7OcCK7H AAAEDYW2eLhd09R5lY4cdoxguSr+Gc4Ggp/oiRQbs6IyYzZxaoQeo+p6GbdRKalG401mVB
k4MRLp8C+2qY6KIQGTFaAAAACnNlYkBsYXB0b3ABAgM= jCjJTvAhcqXp4mkFab6mAAAACnNlYkBzZXJ2ZXIBAgM=
-----END OPENSSH PRIVATE KEY----- -----END OPENSSH PRIVATE KEY-----

2
tests/infrastructure/keys/server-ssh.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnZ+rVDShrmhmwRm7OcCK7Hk4MRLp8C+2qY6KIQGTFa seb@laptop ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaoQeo+p6GbdRKalG401mVBjCjJTvAhcqXp4mkFab6m seb@server