tests/overlay: Rename from infrastructure

tests/overlay/default.nix

@@ -0,0 +1,170 @@
+{
+  inputs,
+  self,
+  lib,
+  ...
+}:
+{
+  node.specialArgs = { inherit inputs self; };
+
+  defaults =
+    { nodes, config, ... }:
+    {
+      imports = [ self.nixosModules.default ];
+
+      _module.args.allHosts = nodes |> lib.mapAttrs (_: node: { config = node; });
+
+      users = {
+        mutableUsers = false;
+        users.seb = {
+          isNormalUser = true;
+          password = "seb";
+          openssh.authorizedKeys.keyFiles = lib.mkIf config.custom.services.sshd.enable [
+            ./keys/server-ssh.pub
+            ./keys/client1-ssh.pub
+            ./keys/client2-ssh.pub
+          ];
+        };
+      };
+
+      environment.etc."ssh-key" = lib.mkIf (lib.pathExists ./keys/${config.networking.hostName}-ssh) {
+        source = ./keys/${config.networking.hostName}-ssh;
+        mode = "0600";
+      };
+
+      custom.services.nebula = {
+        caCertificateFile = ./keys/ca.crt;
+        certificateFile = ./keys/${config.networking.hostName}.crt;
+        privateKeyFile = ./keys/${config.networking.hostName}.key;
+      };
+
+      networking.extraHosts = lib.mkForce "";
+      services.resolved.dnssec = lib.mkForce "false";
+    };
+
+  nodes = {
+    lighthouse = {
+      custom = {
+        networking = {
+          overlay = {
+            address = "10.254.250.1";
+            isLighthouse = true;
+            role = "server";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.1/16";
+            isPublic = true;
+          };
+        };
+
+        services = {
+          recursive-nameserver.enable = true;
+          private-nameserver.enable = true;
+        };
+      };
+    };
+
+    server = {
+      custom = {
+        networking = {
+          overlay = {
+            address = "10.254.250.2";
+            role = "server";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.2/16";
+            isPublic = true;
+          };
+        };
+
+        services.sshd.enable = true;
+      };
+    };
+
+    client1 =
+      { pkgs, ... }:
+      {
+        custom.networking = {
+          overlay = {
+            address = "10.254.250.3";
+            role = "client";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.3/16";
+          };
+        };
+
+        environment.systemPackages = [ pkgs.openssh ];
+      };
+
+    client2 = {
+      custom = {
+        networking = {
+          overlay = {
+            address = "10.254.250.4";
+            role = "client";
+          };
+          underlay = {
+            interface = "eth1";
+            cidr = "192.168.0.4/16";
+          };
+        };
+
+        services.sshd.enable = true;
+      };
+    };
+  };
+
+  testScript =
+    { nodes, ... }:
+    let
+      lighthouseNetCfg = nodes.lighthouse.custom.networking;
+      serverNetCfg = nodes.server.custom.networking;
+      client1NetCfg = nodes.client1.custom.networking;
+      client2NetCfg = nodes.client2.custom.networking;
+
+      ssh = "timeout 5 ssh -i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+    in
+    ''
+      start_all()
+
+      lighthouse.wait_for_unit("${lighthouseNetCfg.overlay.systemdUnit}")
+      server.wait_for_unit("${serverNetCfg.overlay.systemdUnit}")
+      client1.wait_for_unit("${client1NetCfg.overlay.systemdUnit}")
+      client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}")
+
+      lighthouse.wait_for_unit("unbound.service")
+      lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}")
+
+      server.wait_for_unit("sshd.service")
+      client2.wait_for_unit("sshd.service")
+      server.wait_for_open_port(22, "${serverNetCfg.overlay.address}")
+      client2.wait_for_open_port(22, "${client2NetCfg.overlay.address}")
+
+      with subtest("Overlay connectivity between nodes"):
+        client1.succeed("ping -c 1 ${serverNetCfg.overlay.address}")
+        client1.succeed("ping -c 1 ${client2NetCfg.overlay.address}")
+        server.succeed("ping -c 1 ${client2NetCfg.overlay.address}")
+
+      with subtest("DNS resolution of FQDNs"):
+        client1.succeed("ping -c 1 ${serverNetCfg.overlay.fqdn}")
+        client1.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}")
+        server.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}")
+
+      with subtest("DNS resolution of unqualified hostnames"):
+        client1.succeed("ping -c 1 server")
+        client1.succeed("ping -c 1 client2")
+        server.succeed("ping -c 1 client2")
+
+      with subtest("SSH access restricted by role"):
+        client1.succeed("${ssh} seb@server 'echo Hello'")
+        client1.succeed("${ssh} seb@client2 'echo Hello'")
+        server.fail("${ssh} seb@client2 'echo Hello'")
+
+      with subtest("SSH not reachable on underlay"):
+        client1.fail("${ssh} seb@${serverNetCfg.underlay.address} 'echo Hello'")
+    '';
+}

tests/overlay/keys/ca.crt

@@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MHygFoAEdGVzdIQB/4UEaY8shIYFASWHSoSCIM0af4sq7VnPAySG5h9fwiq/XHvD
+a0Ssbk1+KVWFpR71g0DaZP8qR35Zut2z9i9D2bCDuagQNvvxCrkZ3JcF0gMvWu3u
+uzKQMKzJSqipppgL/n3iQwwsBAoHYrx1XAY6zXgE
+-----END NEBULA CERTIFICATE V2-----

tests/overlay/keys/ca.key

@@ -0,0 +1,4 @@
+-----BEGIN NEBULA ED25519 PRIVATE KEY-----
+8kwpb4GZIphJmamXx0ZrLm5TxPZ7G88L44mrdT2dQp3NGn+LKu1ZzwMkhuYfX8Iq
+v1x7w2tErG5NfilVhaUe9Q==
+-----END NEBULA ED25519 PRIVATE KEY-----

tests/overlay/keys/client1-ssh

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFgAAAJCAcH2jgHB9
+owAAAAtzc2gtZWQyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFg
+AAAEBx+5aMJMDgA3XGHed323x23kW88ZFWkjINlZMLFKC3ORcdu/j8OV+GeLusD8B9XTvU
+XWjiawiZ2fJ52cxNSicWAAAAC3NlYkBjbGllbnQxAQI=
+-----END OPENSSH PRIVATE KEY-----

tests/overlay/keys/client1-ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcdu/j8OV+GeLusD8B9XTvUXWjiawiZ2fJ52cxNSicW seb@client1

tests/overlay/keys/client1.crt

@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGxoEuAB2NsaWVudDGhBwQFCv76AxijCAwGY2xpZW50hQRpky8ohgUBJYdKg4cg
+PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCICL2t3327ET/1zujIeUW
+8G0h0BA94zAcfxvTqOgWuPJ8g0CLA4/lalqM7DfvqVHCuR+yYYl8D4aNf0QrfgAT
+DTbJIFCt3HA9O5KLt7XU7eEYPVGHdNUqT/uQkBBxzZ/H/dkE
+-----END NEBULA CERTIFICATE V2-----

tests/overlay/keys/client1.key

@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PRIVATE KEY-----
+0UBKU2IZtS7em4buXCKLcsH28Z/fJMCxovMjNugXpG0=
+-----END NEBULA X25519 PRIVATE KEY-----

tests/overlay/keys/client2-ssh

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCgAAAJCP3fl0j935
+dAAAAAtzc2gtZWQyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCg
+AAAECu3BbBFWxE5ue1CTpF9uASFn7VMsw9VY8eQCfXsqeGCGsjBqWMJu09QIn+WhCALDcB
+JqcatIMgiQQhljWlUxUKAAAAC3NlYkBjbGllbnQyAQI=
+-----END OPENSSH PRIVATE KEY-----

tests/overlay/keys/client2-ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsjBqWMJu09QIn+WhCALDcBJqcatIMgiQQhljWlUxUK seb@client2

tests/overlay/keys/client2.crt

@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGxoEuAB2NsaWVudDKhBwQFCv76BBijCAwGY2xpZW50hQRpky85hgUBJYdKg4cg
+PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCIDFcdaKsilxpoBFbFeTP
+IYBAeIJL0d1QBw7nbJRh8Ax5g0DZ5EH8e/OcvasElLnbNOpzqV0NeEtAsmAXLcup
+q+jfc9QVXEXROiJ1T+0XSk940L86flvBilQaTAXDqWXlMTUJ
+-----END NEBULA CERTIFICATE V2-----

tests/overlay/keys/client2.key

@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PRIVATE KEY-----
++0xEqrapinodioti3P4NYKmDXTakkM+1A8Htaibz/8U=
+-----END NEBULA X25519 PRIVATE KEY-----

tests/overlay/keys/lighthouse.crt

@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIG0oE6ACmxpZ2h0aG91c2WhBwQFCv76ARijCAwGc2VydmVyhQRpkx+UhgUBJYdK
+g4cgPHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCICWnesCSyPXq2G/y
+J6Gf8Ul8H380b87GOD6nmhjq0q41g0BD5XmYzKqP3ISC0u9/xjgH3CjD0mHTRriD
+nOgSkJoWoBTqg6LfNzDR6a/c9stLZanqfGLm6e2/EQgoxEWI0twE
+-----END NEBULA CERTIFICATE V2-----

tests/overlay/keys/lighthouse.key

@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PRIVATE KEY-----
+87z9BoiuyOIrKBUzLslX93dNJWq38gIbSJciSEUQsiM=
+-----END NEBULA X25519 PRIVATE KEY-----

tests/overlay/keys/server-ssh

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pgAAAJCtMVIVrTFS
+FQAAAAtzc2gtZWQyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pg
+AAAEDYW2eLhd09R5lY4cdoxguSr+Gc4Ggp/oiRQbs6IyYzZxaoQeo+p6GbdRKalG401mVB
+jCjJTvAhcqXp4mkFab6mAAAACnNlYkBzZXJ2ZXIBAgM=
+-----END OPENSSH PRIVATE KEY-----

tests/overlay/keys/server-ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaoQeo+p6GbdRKalG401mVBjCjJTvAhcqXp4mkFab6m seb@server

tests/overlay/keys/server.crt

@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGwoEqABnNlcnZlcqEHBAUK/voCGKMIDAZzZXJ2ZXKFBGmTH0GGBQElh0qDhyA8
+ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIghcIHfvMJd45kvlvzqnyU
+INvf22cE/ClUtVRCnUn2Bm+DQB7IemcArOhjJUg9iY5hsfsCmrQe8I8uGAcm4GXu
+MHw5Rpz5Sfv4mfozWEGJ8qnQDuYKk3Rc0C6BUW+hLrJZ9QM=
+-----END NEBULA CERTIFICATE V2-----

tests/overlay/keys/server.key

@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PRIVATE KEY-----
+LO3MF3zX4em6yerztMmYalkNs5fFgoDbecAoIkSYntU=
+-----END NEBULA X25519 PRIVATE KEY-----