nixos/wireguard: test against multiple kernel versions

When testing WireGuard updates, I usually run the VM-tests with
different kernels to make sure we're not introducing accidental
regressions for e.g. older kernels.

I figured that we should automate this process to continuously ensure
that WireGuard works fine on several kernels.

For now I decided to test the latest LTS version (5.4) and
the latest kernel (currently 5.6). We can add more kernels in the
future; however, this seems to significantly slow down evaluation and
test time.

The list can be customized by running a command like this:

   nix-build nixos/tests/wireguard --arg kernelVersionsToTest '["4.19"]'

The `kernelPackages` argument in the tests is null by default to make
sure that it's still possible to invoke the test-files directly. In that
case the default kernel of NixOS (currently 5.4) is used.
Maximilian Bosch 2020-04-26 14:24:18 +02:00
parent f56459f7ec
commit 41bd6d2614
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E
7 changed files with 113 additions and 75 deletions


@ -324,10 +324,7 @@ in
vault = handleTest ./vault.nix {}; vault = handleTest ./vault.nix {};
victoriametrics = handleTest ./victoriametrics.nix {}; victoriametrics = handleTest ./victoriametrics.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
wg-quick = handleTest ./wireguard/wg-quick.nix {};
wireguard = handleTest ./wireguard {}; wireguard = handleTest ./wireguard {};
wireguard-generated = handleTest ./wireguard/generated.nix {};
wireguard-namespaces = handleTest ./wireguard/namespaces.nix {};
wordpress = handleTest ./wordpress.nix {}; wordpress = handleTest ./wordpress.nix {};
xandikos = handleTest ./xandikos.nix {}; xandikos = handleTest ./xandikos.nix {};
xautolock = handleTest ./xautolock.nix {}; xautolock = handleTest ./xautolock.nix {};


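--- a/nixos/tests/wireguard/basic.nix
+++ b/nixos/tests/wireguard/basic.nix
@@ -0,0 +1,74 @@
+{ kernelPackages ? null }:
+import ../make-test-python.nix ({ pkgs, lib, ...} :
+let
+wg-snakeoil-keys = import ./snakeoil-keys.nix;
+peer = (import ./make-peer.nix) { inherit lib; };
+in
+{
+name = "wireguard";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ ma27 ];
+};
+nodes = {
+peer0 = peer {
+ip4 = "192.168.0.1";
+ip6 = "fd00::1";
+extraConfig = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+networking.firewall.allowedUDPPorts = [ 23542 ];
+networking.wireguard.interfaces.wg0 = {
+ips = [ "10.23.42.1/32" "fc00::1/128" ];
+listenPort = 23542;
+inherit (wg-snakeoil-keys.peer0) privateKey;
+peers = lib.singleton {
+allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
+inherit (wg-snakeoil-keys.peer1) publicKey;
+};
+};
+};
+};
+peer1 = peer {
+ip4 = "192.168.0.2";
+ip6 = "fd00::2";
+extraConfig = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+networking.wireguard.interfaces.wg0 = {
+ips = [ "10.23.42.2/32" "fc00::2/128" ];
+listenPort = 23542;
+allowedIPsAsRoutes = false;
+inherit (wg-snakeoil-keys.peer1) privateKey;
+peers = lib.singleton {
+allowedIPs = [ "0.0.0.0/0" "::/0" ];
+endpoint = "192.168.0.1:23542";
+persistentKeepalive = 25;
+inherit (wg-snakeoil-keys.peer0) publicKey;
+};
+postSetup = let inherit (pkgs) iproute; in ''
+${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
+${iproute}/bin/ip route replace fc00::1/128 dev wg0
+'';
+};
+};
+};
+};
+testScript = ''
+start_all()
+peer0.wait_for_unit("wireguard-wg0.service")
+peer1.wait_for_unit("wireguard-wg0.service")
+peer1.succeed("ping -c5 fc00::1")
+peer1.succeed("ping -c5 10.23.42.1")
+'';
+}
+)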
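Review bot: The `kernelPackages ? null` argument on the first line is undocumented in the file itself, and the same bare argument is added to the generated, namespaces and wg-quick tests in this commit, so a reader of any of them has to find the commit message to learn who sets it. A header comment such as `# kernelPackages: the linuxPackages set the VMs boot with; null keeps the NixOS default kernel. ./default.nix calls this file once per entry of kernelVersionsToTest.` would cover all four files. The two `boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };` lines repeat the same override per node; whether ./make-peer.nix could carry it once via extraConfig is not visible here, but a one-line comment that both must stay in sync would help either way.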


@ -1,71 +1,27 @@
import ../make-test-python.nix ({ pkgs, lib, ...} : { system ? builtins.currentSystem
let , config ? { }
wg-snakeoil-keys = import ./snakeoil-keys.nix; , pkgs ? import ../../.. { inherit system config; }
peer = (import ./make-peer.nix) { inherit lib; }; , kernelVersionsToTest ? [ "5.4" "latest" ]
in }:
{
name = "wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
};
nodes = { with pkgs.lib;
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.1/32" "fc00::1/128" ];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey; let
tests = let callTest = p: flip (import p) { inherit system pkgs; }; in {
basic = callTest ./basic.nix;
namespaces = callTest ./namespaces.nix;
wg-quick = callTest ./wg-quick.nix;
generated = callTest ./generated.nix;
};
in
peers = lib.singleton { listToAttrs (
allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; flip concatMap kernelVersionsToTest (version:
let
inherit (wg-snakeoil-keys.peer1) publicKey; v' = replaceStrings [ "." ] [ "_" ] version;
}; in
}; flip mapAttrsToList tests (name: test:
}; nameValuePair "wireguard-${name}-linux-${v'}" (test { kernelPackages = pkgs."linuxPackages_${v'}"; })
}; )
)
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" "fc00::2/128" ];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup = let inherit (pkgs) iproute; in ''
${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute}/bin/ip route replace fc00::1/128 dev wg0
'';
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
) )
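Review bot: `pkgs."linuxPackages_${v'}"` on the nameValuePair line turns a version with no matching kernel set in nixpkgs (a typo in the `--arg kernelVersionsToTest` from the commit message, say) into a bare attribute-missing error that does not name the offending entry; `kernelPackages = pkgs."linuxPackages_${v'}" or (throw "wireguard tests: no linuxPackages_${v'} for kernelVersionsToTest entry ${version}");` makes the failure self-explaining. The accepted forms of a kernelVersionsToTest entry ("5.4" is rewritten to linuxPackages_5_4, "latest" stays linuxPackages_latest) are only described in the commit message; a comment above the default would keep that in the file. This rendered section prints the old default.nix and the new one side by side, so the removed test body shown alongside is history and not part of the new file.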


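--- a/nixos/tests/wireguard/generated.nix
+++ b/nixos/tests/wireguard/generated.nix
@@ -1,4 +1,5 @@
-import ../make-test-python.nix ({ pkgs, ...} : {
+{ kernelPackages ? null }:
+import ../make-test-python.nix ({ pkgs, lib, ... } : {
 name = "wireguard-generated";
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ ma27 grahamc ];
@@ -6,6 +7,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 nodes = {
 peer1 = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 12345 ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.10.10.1/24" ];
@@ -17,6 +19,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 };
 peer2 = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 12345 ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.10.10.2/24" ];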


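--- a/nixos/tests/wireguard/namespaces.nix
+++ b/nixos/tests/wireguard/namespaces.nix
@@ -1,3 +1,5 @@
+{ kernelPackages ? null }:
 let
 listenPort = 12345;
 socketNamespace = "foo";
@@ -13,7 +15,7 @@ let
 in
-import ../make-test-python.nix ({ pkgs, ...} : {
+import ../make-test-python.nix ({ pkgs, lib, ... } : {
 name = "wireguard-with-namespaces";
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ asymmetric ];
@@ -23,6 +25,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and not moved from there
 peer0 = pkgs.lib.attrsets.recursiveUpdate node {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}
@@ -33,6 +36,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the init namespace
 # and moved to the interfaceNamespace
 peer1 = pkgs.lib.attrsets.recursiveUpdate node {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${interfaceNamespace}
@@ -43,6 +47,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and moved to the interfaceNamespace
 peer2 = pkgs.lib.attrsets.recursiveUpdate node {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}
@@ -54,6 +59,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and moved to the init namespace
 peer3 = pkgs.lib.attrsets.recursiveUpdate node {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}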
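Review bot: With `lib` now taken from the module arguments on the import line, the four `peerN = pkgs.lib.attrsets.recursiveUpdate node {` lines still reach the same library through `pkgs.lib`, so the file mixes two spellings for one thing right next to the new `lib.mkIf` lines. `lib.recursiveUpdate node {` on each keeps them uniform; the behaviour is unchanged. This is a style remark only.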


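--- a/nixos/tests/wireguard/wg-quick.nix
+++ b/nixos/tests/wireguard/wg-quick.nix
@@ -1,3 +1,5 @@
+{ kernelPackages ? null }:
 import ../make-test-python.nix ({ pkgs, lib, ... }:
 let
 wg-snakeoil-keys = import ./snakeoil-keys.nix;
@@ -14,6 +16,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip4 = "192.168.0.1";
 ip6 = "fd00::1";
 extraConfig = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 23542 ];
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.1/32" "fc00::1/128" ];
@@ -34,6 +37,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip4 = "192.168.0.2";
 ip6 = "fd00::2";
 extraConfig = {
+boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.2/32" "fc00::2/128" ];
 inherit (wg-snakeoil-keys.peer1) privateKey;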


@ -49,9 +49,7 @@ stdenv.mkDerivation rec {
passthru = { passthru = {
updateScript = ./update.sh; updateScript = ./update.sh;
tests = { tests = nixosTests.wireguard;
inherit (nixosTests) wireguard wg-quick wireguard-generated wireguard-namespaces;
};
}; };
meta = { meta = {