nixpkgs/nixos/tests/ifstate/initrd-wireguard.nix

let
  mkNodeIfStateConfig =
    {
      pkgs,
      id,
      wgPriv,
      wgPeerPubKey,
      wgPeerId,
    }:
    {
      enable = true;
      settings = {
        namespaces.outside.interfaces.eth1 = {
          addresses = [ "2001:0db8:a::${builtins.toString id}/64" ];
          link = {
            state = "up";
            kind = "physical";
          };
        };
        interfaces = {
          wg0 = {
            addresses = [ "2001:0db8:b::${builtins.toString id}/64" ];
            link = {
              state = "up";
              kind = "wireguard";
              bind_netns = "outside";
            };
            wireguard = {
              private_key = "!include ${pkgs.writeText "wg_priv.key" wgPriv}";
              listen_port = 51820;
              peers."${wgPeerPubKey}" = {
                endpoint = "[2001:0db8:a::${builtins.toString wgPeerId}]:51820";
                allowedips = [ "::/0" ];
              };
            };
          };
        };
        routing.routes = [
          {
            to = "2001:0db8:b::/64";
            dev = "wg0";
          }
        ];
      };
    };
in
{
  name = "ifstate-initrd-wireguard";

  nodes = {
    foo =
      { pkgs, ... }:
      {
        imports = [ ../../modules/profiles/minimal.nix ];

        virtualisation.interfaces.eth1.vlan = 1;

        # Initrd IfState enforces stage 2 ifstate using assertion.
        networking.ifstate = {
          enable = true;
          settings.interfaces = { };
        };

        boot.initrd = {
          network = {
            enable = true;
            ifstate =
              mkNodeIfStateConfig {
                inherit pkgs;
                id = 1;
                wgPriv = "6KmLyTyrN9OZIOCkdpiAwoVoeSiwvyI+mtn1wooKSEU=";
                wgPeerPubKey = "olFuE7u5pVwSeWLFtrXSvD8+aCDBiKNKCLjLb/dgXiA=";
                wgPeerId = 2;
              }
              // {
                package = pkgs.ifstate.override {
                  withConfigValidation = false;
                };
                allowIfstateToDrasticlyIncreaseInitrdSize = true;
              };
          };
          systemd = {
            enable = true;
            network.enable = false;
            services.boot-blocker = {
              before = [ "initrd.target" ];
              wantedBy = [ "initrd.target" ];
              script = "sleep infinity";
              serviceConfig.Type = "oneshot";
            };
          };
        };
      };

    bar =
      { pkgs, ... }:
      {
        imports = [ ../../modules/profiles/minimal.nix ];

        virtualisation.interfaces.eth1.vlan = 1;

        networking = {
          ifstate = mkNodeIfStateConfig {
            inherit pkgs;
            id = 2;
            wgPriv = "QN89cvFD0C8z1MSpUaJa1YBXt2MaIQegVkEYROi71Fg=";
            wgPeerPubKey = "5qeKbAGc7wh9Xg0MoMXqXCSmp9TawmtI1bVk/vp3Cn4=";
            wgPeerId = 1;
          };
        };
      };
  };
  testScript = # python
    ''
      start_all()

      bar.wait_for_unit("default.target")

      bar.wait_until_succeeds("ping -c 1 2001:0db8:b::1")
    '';
}