diff --git a/tests/infrastructure/default.nix b/tests/infrastructure/default.nix
index d23febb..1d27ac4 100644
--- a/tests/infrastructure/default.nix
+++ b/tests/infrastructure/default.nix
@@ -5,8 +5,6 @@ ... }: { - node.specialArgs = { inherit inputs self; }; - defaults = { nodes, config, ... }: {
@@ -19,29 +17,21 @@ users.seb = { isNormalUser = true; password = "seb"; - openssh.authorizedKeys.keyFiles = lib.mkIf config.custom.services.sshd.enable [ - ./keys/server-ssh.pub - ./keys/client1-ssh.pub - ./keys/client2-ssh.pub - ]; + extraGroups = [ "wheel" ]; }; }; - environment.etc."ssh-key" = lib.mkIf (lib.pathExists ./keys/${config.networking.hostName}-ssh) { - source = ./keys/${config.networking.hostName}-ssh; - mode = "0600"; - }; - custom.services.nebula = { caCertificatePath = ./keys/ca.crt; certificatePath = ./keys/${config.networking.hostName}.crt; privateKeyPath = ./keys/${config.networking.hostName}.key; }; - networking.extraHosts = lib.mkForce ""; services.resolved.dnssec = lib.mkForce "false"; }; + node.specialArgs = { inherit inputs self; }; + nodes = { lighthouse = { custom = {
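Review bot: `extraGroups = [ "wheel" ];` is added to the `seb` user inside `defaults`, i.e. on every node, but nothing in this diff's testScript uses sudo, and with `password = "seb"` this is the same account that is reachable over SSH with the committed fixture keys. If wheel is required by something outside this diff, a comment on that line such as `# wheel: required by <reason>` would keep the extra privilege from being copied into other configs as a default; otherwise drop it. Removing the `lib.mkIf config.custom.services.sshd.enable` gating also means authorized keys are now maintained per node under `nodes`; a one-line comment in `defaults` pointing there would help a reader looking for where keys are authorized.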
@@ -78,41 +68,30 @@ services.sshd.enable = true; }; + + users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/client-ssh.pub ]; + environment.etc."ssh-key" = { + source = ./keys/server-ssh; + mode = "0600"; + }; }; - client1 = - { pkgs, ... }: - { - custom = { - networking = { - overlay = { - address = "10.254.250.3"; - role = "client"; - }; - underlay = { - interface = "eth1"; - cidr = "192.168.0.3/16"; - }; - }; + client = { + custom.networking = { + overlay = { + address = "10.254.250.3"; + role = "client"; + }; + underlay = { + interface = "eth1"; + cidr = "192.168.0.3/16"; }; - - environment.systemPackages = [ pkgs.openssh ]; }; - client2 = { - custom = { - networking = { - overlay = { - address = "10.254.250.4"; - role = "client"; - }; - underlay = { - interface = "eth1"; - cidr = "192.168.0.4/16"; - }; - }; - - services.sshd.enable = true; + users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ]; + environment.etc."ssh-key" = { + source = ./keys/client-ssh; + mode = "0600"; }; }; }; 
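Review bot: The `client` node authorizes `./keys/server-ssh.pub` for `seb`, yet the testScript asserts that `server` must fail to ssh into `client`; as far as this hunk shows the client no longer enables `services.sshd` (the removed `client2` block was the one setting it), so the fail assertion is satisfied by the absence of a daemon rather than by a role restriction, and the authorized key would grant access as soon as sshd is enabled on that node. If the intent is to exercise the role restriction, keep `services.sshd.enable = true;` on the client and let the restriction deny the server; if not, drop `users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ];` so the configuration matches the assertion. Separately, `mode = "0600"` on `environment.etc."ssh-key"` only protects `/etc/ssh-key`; the `source` file is copied into the Nix store, which is world-readable on the node, so a comment like `# test-only key; the store copy is world-readable regardless of mode` would stop this pattern being reused in non-test configs. The enclosing `nodes` attribute set starts before this hunk.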
@@ -120,50 +99,31 @@ testScript = { nodes, ... }: let - lighthouseNetCfg = nodes.lighthouse.custom.networking; - serverNetCfg = nodes.server.custom.networking; - client1NetCfg = nodes.client1.custom.networking; - client2NetCfg = nodes.client2.custom.networking; + lighthouseNetCfg = nodes.lighthouse.custom.networking.overlay; + serverNetCfg = nodes.server.custom.networking.overlay; + clientNetCfg = nodes.client.custom.networking.overlay; sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; in '' start_all() - lighthouse.wait_for_unit("${lighthouseNetCfg.overlay.systemdUnit}") - server.wait_for_unit("${serverNetCfg.overlay.systemdUnit}") - client1.wait_for_unit("${client1NetCfg.overlay.systemdUnit}") - client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}") - + lighthouse.wait_for_unit("${lighthouseNetCfg.systemdUnit}") + server.wait_for_unit("${serverNetCfg.systemdUnit}") + client.wait_for_unit("${clientNetCfg.systemdUnit}") lighthouse.wait_for_unit("unbound.service") - lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}") - server.wait_for_unit("sshd.service") - client2.wait_for_unit("sshd.service") - server.wait_for_open_port(22, "${serverNetCfg.overlay.address}") - client2.wait_for_open_port(22, "${client2NetCfg.overlay.address}") with subtest("Overlay connectivity between nodes"): - client1.succeed("ping -c 1 ${serverNetCfg.overlay.address}") - client1.succeed("ping -c 1 ${client2NetCfg.overlay.address}") - server.succeed("ping -c 1 ${client2NetCfg.overlay.address}") + client.succeed("ping -c 1 ${serverNetCfg.address}") + server.succeed("ping -c 1 ${clientNetCfg.address}") - with subtest("DNS resolution of FQDNs"): - client1.succeed("ping -c 1 ${serverNetCfg.overlay.fqdn}") - client1.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}") - server.succeed("ping -c 1 ${client2NetCfg.overlay.fqdn}") - - with subtest("DNS resolution of unqualified hostnames"): - client1.succeed("ping -c 1 server") - client1.succeed("ping -c 1 client2") - server.succeed("ping -c 1 client2") + with subtest("DNS resolution of overlay hostnames"): + client.succeed("ping -c 1 ${serverNetCfg.fqdn}") + server.succeed("ping -c 1 ${clientNetCfg.fqdn}") with subtest("SSH access restricted by role"): - client1.succeed("ssh ${sshOptions} seb@server 'echo Hello'") - client1.succeed("ssh ${sshOptions} seb@client2 'echo Hello'") - server.fail("ssh ${sshOptions} seb@client2 'echo Hello'") - - with subtest("SSH not reachable on underlay"): - client1.fail("ssh ${sshOptions} seb@${serverNetCfg.underlay.address} 'echo Hello'") + client.succeed("ssh ${sshOptions} seb@${serverNetCfg.fqdn} 'echo Hello'") + server.fail("ssh ${sshOptions} seb@${clientNetCfg.fqdn} 'echo Hello'") ''; }
diff --git a/tests/infrastructure/keys/client-ssh b/tests/infrastructure/keys/client-ssh
new file mode 100644
index 0000000..125085e
--- /dev/null
+++ b/tests/infrastructure/keys/client-ssh
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQAAAJCrUHOSq1Bz
+kgAAAAtzc2gtZWQyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQ
+AAAEB7OMxyFWm+GuvQA/GCdLPPXwkqC9rhPKdrLQU5PRt1fiWAxmeZWndQUxKb/xD+uG07
+DeKgXualoFTK9cXCYGQxAAAACnNlYkBsYXB0b3ABAgM=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client-ssh.pub b/tests/infrastructure/keys/client-ssh.pub
new file mode 100644
index 0000000..7cedc52
--- /dev/null
+++ b/tests/infrastructure/keys/client-ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWAxmeZWndQUxKb/xD+uG07DeKgXualoFTK9cXCYGQx seb@laptop
diff --git a/tests/infrastructure/keys/client.crt b/tests/infrastructure/keys/client.crt
new file mode 100644
index 0000000..d0fbf6e
--- /dev/null
+++ b/tests/infrastructure/keys/client.crt
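Review bot: The `server.wait_for_unit("sshd.service")` and `server.wait_for_open_port(22, ...)` calls are removed, but the "SSH access restricted by role" subtest still runs `ssh ... -o ConnectTimeout=3` against the server, so the test now relies on sshd having come up during the earlier ping subtests and can fail intermittently on a slow host. Reinstating `server.wait_for_unit("sshd.service")` and `server.wait_for_open_port(22, "${serverNetCfg.address}")` before the subtests would restore the ordering guarantee. The dropped "SSH not reachable on underlay" subtest was the only check that sshd is not exposed on the underlay address, so a regression in the listen-address configuration would now go unnoticed; with the narrowed `serverNetCfg` binding it can be kept as `client.fail("ssh ${sshOptions} seb@${nodes.server.custom.networking.underlay.address} 'echo Hello'")`. The testScript's `let` block begins in the hunk header context and the hunk runs through the end of the file.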
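Review bot: The new `client-ssh` private key and its `.pub` carry the comment `seb@laptop` rather than a per-node comment like the removed `seb@client1`; the same comment appears on the regenerated `server-ssh` and `server-ssh.pub` later in this diff. Since the private halves are committed, it is worth recording in the commit message or a `keys/README` that these were generated solely as throwaway test fixtures (e.g. `ssh-keygen -t ed25519 -C test-fixture -N ''`) and are not a copy of a key used anywhere else. Passing a fixture-specific `-C` comment next time makes that provenance visible in the file itself.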
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGwoEqABmNsaWVudKEHBAUK/voDGKMIDAZjbGllbnSFBGmTH3CGBQElh0qDhyA8
+ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIgkqGANOljLGTOy02go6Sb
+5QuDE12UT7NScZq8xd/6N0SDQCerRL9iT4lQY18Jx6Ov0vYnCgDpi9md7HfaeW7J
+6liZCxssEzBf6NtISsFHVBhv/GKMzHTLSFuC3JKF80SByw4=
+-----END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client2.key b/tests/infrastructure/keys/client.key
similarity index 64%
rename from tests/infrastructure/keys/client2.key
rename to tests/infrastructure/keys/client.key
index d775ce9..fd45d9a 100644
--- a/tests/infrastructure/keys/client2.key
+++ b/tests/infrastructure/keys/client.key
@@ -1,3 +1,3 @@
 -----BEGIN NEBULA X25519 PRIVATE KEY-----
-+0xEqrapinodioti3P4NYKmDXTakkM+1A8Htaibz/8U=
+C6+KrKj/MfoupP/yt5CKLjDqFmFcGlN9Hb3gCaz8uy8=
 -----END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client1-ssh b/tests/infrastructure/keys/client1-ssh
deleted file mode 100644
index 4e61ecf..0000000
--- a/tests/infrastructure/keys/client1-ssh
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFgAAAJCAcH2jgHB9
-owAAAAtzc2gtZWQyNTUxOQAAACAXHbv4/Dlfhni7rA/AfV071F1o4msImdnyednMTUonFg
-AAAEBx+5aMJMDgA3XGHed323x23kW88ZFWkjINlZMLFKC3ORcdu/j8OV+GeLusD8B9XTvU
-XWjiawiZ2fJ52cxNSicWAAAAC3NlYkBjbGllbnQxAQI=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client1-ssh.pub b/tests/infrastructure/keys/client1-ssh.pub
deleted file mode 100644
index 809a9c3..0000000
--- a/tests/infrastructure/keys/client1-ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcdu/j8OV+GeLusD8B9XTvUXWjiawiZ2fJ52cxNSicW seb@client1
diff --git a/tests/infrastructure/keys/client1.crt b/tests/infrastructure/keys/client1.crt
deleted file mode 100644
index c4611c8..0000000
--- a/tests/infrastructure/keys/client1.crt
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIGxoEuAB2NsaWVudDGhBwQFCv76AxijCAwGY2xpZW50hQRpky8ohgUBJYdKg4cg
-PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCICL2t3327ET/1zujIeUW
-8G0h0BA94zAcfxvTqOgWuPJ8g0CLA4/lalqM7DfvqVHCuR+yYYl8D4aNf0QrfgAT
-DTbJIFCt3HA9O5KLt7XU7eEYPVGHdNUqT/uQkBBxzZ/H/dkE
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client1.key b/tests/infrastructure/keys/client1.key
deleted file mode 100644
index f9e9a97..0000000
--- a/tests/infrastructure/keys/client1.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN NEBULA X25519 PRIVATE KEY-----
-0UBKU2IZtS7em4buXCKLcsH28Z/fJMCxovMjNugXpG0=
------END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client2-ssh b/tests/infrastructure/keys/client2-ssh
deleted file mode 100644
index b852011..0000000
--- a/tests/infrastructure/keys/client2-ssh
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCgAAAJCP3fl0j935
-dAAAAAtzc2gtZWQyNTUxOQAAACBrIwaljCbtPUCJ/loQgCw3ASanGrSDIIkEIZY1pVMVCg
-AAAECu3BbBFWxE5ue1CTpF9uASFn7VMsw9VY8eQCfXsqeGCGsjBqWMJu09QIn+WhCALDcB
-JqcatIMgiQQhljWlUxUKAAAAC3NlYkBjbGllbnQyAQI=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client2-ssh.pub b/tests/infrastructure/keys/client2-ssh.pub
deleted file mode 100644
index 4725641..0000000
--- a/tests/infrastructure/keys/client2-ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsjBqWMJu09QIn+WhCALDcBJqcatIMgiQQhljWlUxUK seb@client2
diff --git a/tests/infrastructure/keys/client2.crt b/tests/infrastructure/keys/client2.crt
deleted file mode 100644
index 0b7ee48..0000000
--- a/tests/infrastructure/keys/client2.crt
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIGxoEuAB2NsaWVudDKhBwQFCv76BBijCAwGY2xpZW50hQRpky85hgUBJYdKg4cg
-PHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCIDFcdaKsilxpoBFbFeTP
-IYBAeIJL0d1QBw7nbJRh8Ax5g0DZ5EH8e/OcvasElLnbNOpzqV0NeEtAsmAXLcup
-q+jfc9QVXEXROiJ1T+0XSk940L86flvBilQaTAXDqWXlMTUJ
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/server-ssh b/tests/infrastructure/keys/server-ssh
index 76e4c33..ced4abf 100644
--- a/tests/infrastructure/keys/server-ssh
+++ b/tests/infrastructure/keys/server-ssh
@@ -1,7 +1,7 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pgAAAJCtMVIVrTFS
-FQAAAAtzc2gtZWQyNTUxOQAAACAWqEHqPqehm3USmpRuNNZlQYwoyU7wIXKl6eJpBWm+pg
-AAAEDYW2eLhd09R5lY4cdoxguSr+Gc4Ggp/oiRQbs6IyYzZxaoQeo+p6GbdRKalG401mVB
-jCjJTvAhcqXp4mkFab6mAAAACnNlYkBzZXJ2ZXIBAgM=
+QyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWgAAAJCyC2p+sgtq
+fgAAAAtzc2gtZWQyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWg
+AAAED6j1Y/BoQsyvxtApUWipiCHCT1SiVyXf3NgmSsAjHAZknZ+rVDShrmhmwRm7OcCK7H
+k4MRLp8C+2qY6KIQGTFaAAAACnNlYkBsYXB0b3ABAgM=
 -----END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/server-ssh.pub b/tests/infrastructure/keys/server-ssh.pub
index e6b3243..b591f07 100644
--- a/tests/infrastructure/keys/server-ssh.pub
+++ b/tests/infrastructure/keys/server-ssh.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaoQeo+p6GbdRKalG401mVBjCjJTvAhcqXp4mkFab6m seb@server
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnZ+rVDShrmhmwRm7OcCK7Hk4MRLp8C+2qY6KIQGTFa seb@laptop