@sorki
Created February 22, 2021 10:46
wireguard nat test
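# NixOS VM test "wireguard-nat": a WireGuard server (peer0) that NATs tunnel
# traffic onto the LAN, two WireGuard clients that themselves NAT a local
# container onto the tunnel (peer1: NixOS container, peer2: Docker
# container), and an `external` LAN-only host used as the reachability target.
#
# Every input is overridable; the defaults reproduce the original behaviour.
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import <nixpkgs> { inherit system config; }
, lib ? pkgs.lib
  # Package set that provides `cntr`.  The default reads an absolute path on
  # the evaluating machine and is therefore impure and non-reproducible; pass a
  # pinned nixpkgs here instead of relying on it.
, unstable ? import /etc/nixpkgs {}
}:
let
  inherit (import "${pkgs.path}/nixos/lib/testing-python.nix" { inherit system pkgs; }) makeTest;

  # Local copies of the nixpkgs WireGuard test helpers.  The in-tree versions
  # can be used instead:
  #wg-snakeoil-keys = import <nixpkgs/nixos/tests/wireguard/snakeoil-keys.nix>;
  #peer = (import <nixpkgs/nixos/tests/wireguard/make-peer.nix>) { inherit lib; };
  peer = (import ./lib/make-peer.nix) { inherit lib; };
  # Throw-away test key pairs (published in nixpkgs); only usable in a test.
  wg-snakeoil-keys = import ./lib/wg-snakeoil-keys.nix;

  # Single source of truth for the WireGuard UDP port: server listenPort,
  # server firewall exception and the clients' endpoint all derive from it.
  wgPort = 23542;
in
makeTest {
  name = "wireguard-nat";
  # `lib.maintainers` replaces the deprecated `pkgs.stdenv.lib` alias.
  meta = with lib.maintainers; {
    maintainers = [ sorki ];
  };

  nodes = {
    # wireguard server / router: masquerades wg0 traffic out of eth1 so the
    # tunnel clients can reach the LAN-only `external` host.
    peer0 = peer {
      ip4 = "192.168.0.1";
      ip6 = "fd00::1";
      extraConfig = {
        networking.nat.enable = true;
        networking.nat.externalInterface = "eth1";
        networking.nat.internalInterfaces = [ "wg0" ];
        # Only the WireGuard port is opened; everything else stays behind the
        # default NixOS firewall.
        networking.firewall.allowedUDPPorts = [ wgPort ];
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.23.42.1/32" "fc00::1/128" ];
          listenPort = wgPort;
          inherit (wg-snakeoil-keys.peer0) privateKey;
          /*
          Manual masquerading, superseded by the networking.nat options above:
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -j MASQUERADE
          '';
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.23.42.0/24 -j MASQUERADE
          '';
          */
          # Each client is only allowed to source its own /32 and /128, so a
          # client cannot spoof the other one's tunnel address.
          peers = [
            { allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
              inherit (wg-snakeoil-keys.peer1) publicKey;
            }
            { allowedIPs = [ "10.23.42.3/32" "fc00::3/128" ];
              inherit (wg-snakeoil-keys.peer2) publicKey;
            }
          ];
        };
      };
    };

    # peer with nixos container: the container (ve-+ veth) is NATed onto the
    # tunnel, so its traffic is NATed twice before reaching `external`.
    peer1 = peer {
      # No ip4: the handshake runs over IPv6 (fd00::1), which keeps the
      # 0.0.0.0/0 route below from swallowing the tunnel's own transport.
      ip6 = "fd00::2";
      extraConfig = {
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.23.42.2/32" "fc00::2/128" ];
          allowedIPsAsRoutes = true;
          inherit (wg-snakeoil-keys.peer1) privateKey;
          peers = lib.singleton {
            # All IPv4 goes through the tunnel.  IPv6 is not in allowedIPs, so
            # fc00::1 is not reachable from this peer (see the commented-out
            # ping in testScript).
            allowedIPs = [ "0.0.0.0/0" ];
            endpoint = "[fd00::1]:${toString wgPort}";
            persistentKeepalive = 25;
            inherit (wg-snakeoil-keys.peer0) publicKey;
          };
        };
        # `cntr` comes from the overridable `unstable` package set.
        environment.systemPackages = [ unstable.cntr ];
        networking.nat.enable = true;
        networking.nat.externalInterface = "wg0";
        networking.nat.internalInterfaces = [ "ve-+" ];
        containers.test = {
          autoStart = true;
          privateNetwork = true;
          hostAddress = "172.16.0.1";
          localAddress = "172.16.0.2";
          config = {};
        };
      };
    };

    # docker: same tunnel setup as peer1, but the workload is an nginx OCI
    # container.  Port 8181 is published on the host but is not exercised by
    # testScript; only ICMP from inside the container is checked.
    peer2 = peer {
      ip6 = "fd00::3";
      extraConfig = {
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.23.42.3/32" "fc00::3/128" ];
          allowedIPsAsRoutes = true;
          inherit (wg-snakeoil-keys.peer2) privateKey;
          peers = lib.singleton {
            allowedIPs = [ "0.0.0.0/0" ];
            endpoint = "[fd00::1]:${toString wgPort}";
            persistentKeepalive = 25;
            inherit (wg-snakeoil-keys.peer0) publicKey;
          };
        };
        # `cntr` comes from the overridable `unstable` package set.
        environment.systemPackages = [ unstable.cntr ];
        virtualisation.oci-containers = {
          backend = "docker";
          containers.nginx = {
            image = "nginx-container";
            imageFile = pkgs.dockerTools.examples.nginx;
            ports = ["8181:80"];
          };
        };
      };
    };

    # only part of hosts network, no wireguard peering
    external = peer {
      ip4 = "192.168.0.10";
      ip6 = "fd00::10";
      extraConfig = { };
    };
  };

  # The script only asserts positive reachability (tunnel, NAT to the LAN,
  # container → tunnel → LAN).
  # NOTE(review): there is no negative check that `external` cannot reach the
  # 10.23.42.0/24 tunnel or the 172.16.0.0 container addresses; whether such a
  # `external.fail(...)` check would pass depends on the routes set up by
  # ./lib/make-peer.nix, which is not visible here — confirm before adding.
  testScript = ''
    start_all()
    peer0.wait_for_unit("wireguard-wg0.service")
    peer1.wait_for_unit("wireguard-wg0.service")
    peer2.wait_for_unit("wireguard-wg0.service")
    print("Peer 0")
    print(peer0.succeed("ip a"))
    print(peer0.succeed("ip r"))
    print(peer0.succeed("wg"))
    print("Peer 1")
    print(peer1.succeed("ip a"))
    print(peer1.succeed("ip r"))
    print(peer1.succeed("wg"))
    # peer1.succeed("ping -c5 fc00::1")
    peer1.succeed("ping -c5 fd00::1")
    peer1.succeed("ping -c5 10.23.42.1")
    # we can reach external via wg
    peer1.succeed("ping -c5 192.168.0.10")
    print(peer1.succeed("ls -l $( which cntr )"))
    peer1.wait_for_unit("container@test.service")
    peer1.succeed("cntr attach test sh -- -c 'ping -c1 10.23.42.1'")
    peer1.succeed("cntr attach test sh -- -c 'ping -c1 192.168.0.10'")
    peer2.succeed("ping -c5 fd00::1")
    peer2.succeed("ping -c5 10.23.42.1")
    peer2.succeed("ping -c5 fd00::2")
    peer2.succeed("ping -c5 10.23.42.2")
    peer2.succeed("cntr attach -t docker nginx sh -- -c 'ping -c1 192.168.0.10'")
  '';
}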