tests: Add infrastructure-test

tests/infrastructure/default.nix

@@ -0,0 +1,132 @@
+{
+  inputs,
+  self,
+  lib,
+  ...
+}:
+{
+  defaults =
+    { nodes, config, ... }:
+    {
+      imports = [ self.nixosModules.default ];
+
+      _module.args.allHosts = nodes |> lib.mapAttrs (_: node: { config = node; });
+
+      users = {
+        mutableUsers = false;
+        users.seb = {
+          isNormalUser = true;
+          password = "seb";
+          extraGroups = [ "wheel" ];
+        };
+      };
+
+      custom = {
+        networking.overlay.networkCidr = lib.mkForce "10.10.10.0/24";
+        services.nebula = {
+          caCertificatePath = ./keys/ca.crt;
+          certificatePath = ./keys/${config.networking.hostName}.crt;
+          privateKeyPath = ./keys/${config.networking.hostName}.key;
+        };
+      };
+
+      services.resolved.dnssec = lib.mkForce "false";
+    };
+
+  node.specialArgs = { inherit inputs self; };
+
+  nodes = {
+    lighthouse = {
+      custom = {
+        networking = {
+          overlay = {
+            address = "10.10.10.1";
+            isLighthouse = true;
+            role = "server";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.1/16";
+            isPublic = true;
+          };
+        };
+
+        services.dns.enable = true;
+      };
+    };
+
+    server = {
+      custom = {
+        networking = {
+          overlay = {
+            address = "10.10.10.2";
+            role = "server";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.2/16";
+            isPublic = true;
+          };
+        };
+
+        services.sshd.enable = true;
+      };
+
+      users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/client-ssh.pub ];
+      environment.etc."ssh-key" = {
+        source = ./keys/server-ssh;
+        mode = "0600";
+      };
+    };
+
+    client = {
+      custom.networking = {
+        overlay = {
+          address = "10.10.10.3";
+          role = "client";
+        };
+        underlay = {
+          interface = "eth1";
+          cidr = "192.168.0.3/16";
+        };
+      };
+
+      users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ];
+      environment.etc."ssh-key" = {
+        source = ./keys/client-ssh;
+        mode = "0600";
+      };
+    };
+  };
+
+  testScript =
+    { nodes, ... }:
+    let
+      lighthouseNetCfg = nodes.lighthouse.custom.networking.overlay;
+      serverNetCfg = nodes.server.custom.networking.overlay;
+      clientNetCfg = nodes.client.custom.networking.overlay;
+
+      sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+    in
+    ''
+      start_all()
+
+      lighthouse.wait_for_unit("${lighthouseNetCfg.systemdUnit}")
+      server.wait_for_unit("${serverNetCfg.systemdUnit}")
+      client.wait_for_unit("${clientNetCfg.systemdUnit}")
+      lighthouse.wait_for_unit("unbound.service")
+      server.wait_for_unit("sshd.service")
+
+      with subtest("Overlay connectivity between nodes"):
+        client.succeed("ping -c 1 ${serverNetCfg.address}")
+        server.succeed("ping -c 1 ${clientNetCfg.address}")
+
+      with subtest("DNS resolution of overlay hostnames"):
+        client.succeed("ping -c 1 ${serverNetCfg.fqdn}")
+        server.succeed("ping -c 1 ${clientNetCfg.fqdn}")
+
+      with subtest("SSH access restricted by role"):
+        client.succeed("ssh ${sshOptions} seb@${serverNetCfg.fqdn} 'echo Hello'")
+        server.fail("ssh ${sshOptions} seb@${clientNetCfg.fqdn} 'echo Hello'")
+    '';
+}