systemd-networkd: add tests

(cherry picked from commit ec073e41a0)
2025-07-13 21:50:33 +03:00 · 2019-06-24 17:36:08 +02:00 · 2019-06-24 17:36:08 +02:00 · 0528816570
commit 0528816570
parent 7fd91a898b
3 changed files with 114 additions and 9 deletions
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@ -55,18 +55,25 @@ let
    (assertMacAddress "MACAddress")
  ];

+  # NOTE The PrivateKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable let's
+  # refrain ourselves from providing a footgun.
  checkWireGuard = checkUnitConfig "WireGuard" [
    (assertOnlyFields [
-      "PrivateKey" "PrivateKeyFile" "ListenPort" "FwMark"
+      "PrivateKeyFile" "ListenPort" "FwMark"
    ])
-    #(assertRange "ListenPort" 1 65535) # Or "auto"
+    (assertRange "FwMark" 1 4294967295)
  ];

+  # NOTE The PresharedKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable,let's
+  # refrain ourselves from providing a footgun.
  checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
    (assertOnlyFields [
-      "PublicKey" "PresharedKey" "AllowedIPs" "Endpoint" "PersistentKeepalive"
+      "PublicKey" "PresharedKeyFile" "AllowedIPs"
+      "Endpoint" "PersistentKeepalive"
    ])
-    # (assertRange "PersistentKeepalive" 1 65535) # defined as "nullOr int"
+    (assertRange "PersistentKeepalive" 1 65535)
  ];

  checkVlan = checkUnitConfig "VLAN" [
@ -336,24 +343,41 @@ let

    wireguardConfig = mkOption {
      default = {};
-      example = { ListenPort="auto"; };
+      example = {
+        PrivateKeyFile = "/etc/wireguard/secret.key";
+        ListenPort = 51820;
+        FwMark = 42;
+      };
      type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
      description = ''
        Each attribute in this set specifies an option in the
-        <literal>[WireGuard]</literal> section of the unit.  See
+        <literal>[WireGuard]</literal> section of the unit. See
        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PrivateKeyFile</literal> instead of
+        <literal>PrivateKey</literal>: the nix store is
+        world-readable.
      '';
    };

    wireguardPeers = mkOption {
-      default = [ ];
+      default = [];
+      example = [ { wireguardPeerConfig={
+        Endpoint = "192.168.1.1:51820";
+        PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+        PresharedKeyFile = "/etc/wireguard/psk.key";
+        AllowedIPs = [ "10.0.0.1/32" ];
+        PersistentKeepalive = 15;
+      };}];
      type = with types; listOf (submodule wireguardPeerOptions);
      description = ''
-        Each attribute in this set specifies an option in the
-        <literal>[WireGuardPeer]</literal> section of the unit.  See
+        Each item in this array specifies an option in the
+        <literal>[WireGuardPeer]</literal> section of the unit. See
        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PresharedKeyFile</literal> instead of
+        <literal>PresharedKey</literal>: the nix store is
+        world-readable.
      '';
    };