From 99e488e2df09d13142d76e771a36e7c09b76659a Mon Sep 17 00:00:00 2001 From: matthewcroughan Date: Sun, 24 Mar 2024 21:03:03 +0000 Subject: [PATCH 1/3] nixos/scion: init --- nixos/modules/module-list.nix | 5 + .../networking/scion/scion-control.nix | 69 +++++++ .../networking/scion/scion-daemon.nix | 64 +++++++ .../networking/scion/scion-dispatcher.nix | 74 ++++++++ .../networking/scion/scion-router.nix | 49 +++++ .../services/networking/scion/scion.nix | 39 ++++ nixos/tests/all-tests.nix | 1 + .../scion/freestanding-deployment/README.rst | 12 ++ .../scion/freestanding-deployment/default.nix | 172 ++++++++++++++++++ .../freestanding-deployment/topology1.json | 51 ++++++ .../freestanding-deployment/topology2.json | 51 ++++++ .../freestanding-deployment/topology3.json | 60 ++++++ .../freestanding-deployment/topology4.json | 40 ++++ .../freestanding-deployment/topology5.json | 40 ++++ 14 files changed, 727 insertions(+) create mode 100644 nixos/modules/services/networking/scion/scion-control.nix create mode 100644 nixos/modules/services/networking/scion/scion-daemon.nix create mode 100644 nixos/modules/services/networking/scion/scion-dispatcher.nix create mode 100644 nixos/modules/services/networking/scion/scion-router.nix create mode 100644 nixos/modules/services/networking/scion/scion.nix create mode 100644 nixos/tests/scion/freestanding-deployment/README.rst create mode 100644 nixos/tests/scion/freestanding-deployment/default.nix create mode 100644 nixos/tests/scion/freestanding-deployment/topology1.json create mode 100644 nixos/tests/scion/freestanding-deployment/topology2.json create mode 100644 nixos/tests/scion/freestanding-deployment/topology3.json create mode 100644 nixos/tests/scion/freestanding-deployment/topology4.json create mode 100644 nixos/tests/scion/freestanding-deployment/topology5.json diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 439341f44357..d45675d2a392 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1107,6 +1107,11 @@ ./services/networking/rpcbind.nix ./services/networking/rxe.nix ./services/networking/sabnzbd.nix + ./services/networking/scion/scion.nix + ./services/networking/scion/scion-control.nix + ./services/networking/scion/scion-daemon.nix + ./services/networking/scion/scion-dispatcher.nix + ./services/networking/scion/scion-router.nix ./services/networking/seafile.nix ./services/networking/searx.nix ./services/networking/shadowsocks.nix diff --git a/nixos/modules/services/networking/scion/scion-control.nix b/nixos/modules/services/networking/scion/scion-control.nix new file mode 100644 index 000000000000..fdf3a9ba3cc1 --- /dev/null +++ b/nixos/modules/services/networking/scion/scion-control.nix @@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.scion.scion-control; + toml = pkgs.formats.toml { }; + defaultConfig = { + general = { + id = "cs"; + config_dir = "/etc/scion"; + reconnect_to_dispatcher = true; + }; + beacon_db = { + connection = "/var/lib/scion-control/control.beacon.db"; + }; + path_db = { + connection = "/var/lib/scion-control/control.path.db"; + }; + trust_db = { + connection = "/var/lib/scion-control/control.trust.db"; + }; + log.console = { + level = "info"; + }; + }; + configFile = toml.generate "scion-control.toml" (defaultConfig // cfg.settings); +in +{ + options.services.scion.scion-control = { + enable = mkEnableOption (lib.mdDoc "the scion-control service"); + settings = mkOption { + default = { }; + type = toml.type; + example = literalExpression '' + { + path_db = { + connection = "/var/lib/scion-control/control.path.db"; + }; + log.console = { + level = "info"; + }; + } + ''; + description = lib.mdDoc '' + scion-control configuration. Refer to + + for details on supported values. + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.scion-control = { + description = "SCION Control Service"; + after = [ "network-online.target" "scion-dispatcher.service" ]; + wants = [ "network-online.target" "scion-dispatcher.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + Group = if (config.services.scion.scion-dispatcher.enable == true) then "scion" else null; + ExecStart = "${pkgs.scion}/bin/scion-control --config ${configFile}"; + DynamicUser = true; + Restart = "on-failure"; + BindPaths = [ "/dev/shm:/run/shm" ]; + StateDirectory = "scion-control"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/scion/scion-daemon.nix b/nixos/modules/services/networking/scion/scion-daemon.nix new file mode 100644 index 000000000000..0bcc18771fc3 --- /dev/null +++ b/nixos/modules/services/networking/scion/scion-daemon.nix @@ -0,0 +1,64 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.scion.scion-daemon; + toml = pkgs.formats.toml { }; + defaultConfig = { + general = { + id = "sd"; + config_dir = "/etc/scion"; + reconnect_to_dispatcher = true; + }; + path_db = { + connection = "/var/lib/scion-daemon/sd.path.db"; + }; + trust_db = { + connection = "/var/lib/scion-daemon/sd.trust.db"; + }; + log.console = { + level = "info"; + }; + }; + configFile = toml.generate "scion-daemon.toml" (defaultConfig // cfg.settings); +in +{ + options.services.scion.scion-daemon = { + enable = mkEnableOption (lib.mdDoc "the scion-daemon service"); + settings = mkOption { + default = { }; + type = toml.type; + example = literalExpression '' + { + path_db = { + connection = "/var/lib/scion-daemon/sd.path.db"; + }; + log.console = { + level = "info"; + }; + } + ''; + description = lib.mdDoc '' + scion-daemon configuration. Refer to + + for details on supported values. + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.scion-daemon = { + description = "SCION Daemon"; + after = [ "network-online.target" "scion-dispatcher.service" ]; + wants = [ "network-online.target" "scion-dispatcher.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.scion}/bin/scion-daemon --config ${configFile}"; + Restart = "on-failure"; + DynamicUser = true; + StateDirectory = "scion-daemon"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/scion/scion-dispatcher.nix b/nixos/modules/services/networking/scion/scion-dispatcher.nix new file mode 100644 index 000000000000..bab1ec0a989b --- /dev/null +++ b/nixos/modules/services/networking/scion/scion-dispatcher.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.scion.scion-dispatcher; + toml = pkgs.formats.toml { }; + defaultConfig = { + dispatcher = { + id = "dispatcher"; + socket_file_mode = "0770"; + application_socket = "/dev/shm/dispatcher/default.sock"; + }; + log.console = { + level = "info"; + }; + }; + configFile = toml.generate "scion-dispatcher.toml" (defaultConfig // cfg.settings); +in +{ + options.services.scion.scion-dispatcher = { + enable = mkEnableOption (lib.mdDoc "the scion-dispatcher service"); + settings = mkOption { + default = { }; + type = toml.type; + example = literalExpression '' + { + dispatcher = { + id = "dispatcher"; + socket_file_mode = "0770"; + application_socket = "/dev/shm/dispatcher/default.sock"; + }; + log.console = { + level = "info"; + }; + } + ''; + description = lib.mdDoc '' + scion-dispatcher configuration. Refer to + + for details on supported values. + ''; + }; + }; + config = mkIf cfg.enable { + # Needed for group ownership of the dispatcher socket + users.groups.scion = {}; + + # scion programs hardcode path to dispatcher in /run/shm, and is not + # configurable at runtime upstream plans to obsolete the dispatcher in + # favor of an SCMP daemon, at which point this can be removed. + system.activationScripts.scion-dispatcher = '' + ln -sf /dev/shm /run/shm + ''; + + systemd.services.scion-dispatcher = { + description = "SCION Dispatcher"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + Group = "scion"; + DynamicUser = true; + BindPaths = [ "/dev/shm:/run/shm" ]; + ExecStartPre = "${pkgs.coreutils}/bin/rm -rf /run/shm/dispatcher"; + ExecStart = "${pkgs.scion}/bin/scion-dispatcher --config ${configFile}"; + Restart = "on-failure"; + StateDirectory = "scion-dispatcher"; + }; + }; + }; +} + diff --git a/nixos/modules/services/networking/scion/scion-router.nix b/nixos/modules/services/networking/scion/scion-router.nix new file mode 100644 index 000000000000..cbe83c6dbf8d --- /dev/null +++ b/nixos/modules/services/networking/scion/scion-router.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.scion.scion-router; + toml = pkgs.formats.toml { }; + defaultConfig = { + general = { + id = "br"; + config_dir = "/etc/scion"; + }; + }; + configFile = toml.generate "scion-router.toml" (defaultConfig // cfg.settings); +in +{ + options.services.scion.scion-router = { + enable = mkEnableOption (lib.mdDoc "the scion-router service"); + settings = mkOption { + default = { }; + type = toml.type; + example = literalExpression '' + { + general.id = "br"; + } + ''; + description = lib.mdDoc '' + scion-router configuration. Refer to + + for details on supported values. + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.scion-router = { + description = "SCION Router"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.scion}/bin/scion-router --config ${configFile}"; + Restart = "on-failure"; + DynamicUser = true; + StateDirectory = "scion-router"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/scion/scion.nix b/nixos/modules/services/networking/scion/scion.nix new file mode 100644 index 000000000000..704f942b5d9e --- /dev/null +++ b/nixos/modules/services/networking/scion/scion.nix @@ -0,0 +1,39 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.services.scion; +in +{ + options.services.scion = { + enable = mkEnableOption (lib.mdDoc "all of the scion components and services"); + bypassBootstrapWarning = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + bypass Nix warning about SCION PKI bootstrapping + ''; + }; + }; + config = mkIf cfg.enable { + services.scion = { + scion-dispatcher.enable = true; + scion-daemon.enable = true; + scion-router.enable = true; + scion-control.enable = true; + }; + assertions = [ + { assertion = cfg.bypassBootstrapWarning == true; + message = '' + SCION is a routing protocol and requires bootstrapping with a manual, imperative key signing ceremony. You may want to join an existing Isolation Domain (ISD) such as scionlab.org, or bootstrap your own. If you have completed and configured the public key infrastructure for SCION and are sure this process is complete, then add the following to your configuration: + + services.scion.bypassBootstrapWarning = true; + + refer to docs.scion.org for more information + ''; + } + ]; + }; +} + diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index fd1f884c8c28..9eff7149308a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -791,6 +791,7 @@ in { sanoid = handleTest ./sanoid.nix {}; scaphandre = handleTest ./scaphandre.nix {}; schleuder = handleTest ./schleuder.nix {}; + scion-freestanding-deployment = handleTest ./scion/freestanding-deployment {}; scrutiny = handleTest ./scrutiny.nix {}; sddm = handleTest ./sddm.nix {}; seafile = handleTest ./seafile.nix {}; diff --git a/nixos/tests/scion/freestanding-deployment/README.rst b/nixos/tests/scion/freestanding-deployment/README.rst new file mode 100644 index 000000000000..b2448a2dc9ad --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/README.rst @@ -0,0 +1,12 @@ +This NixOS VM test implements the network topology outlined in https://github.com/scionproto/scion/blob/27983125bccac6b84d1f96f406853aab0e460405/doc/tutorials/deploy.rst#sample-scion-demo-topology, below is an excerpt from that document + +Sample SCION Demo Topology +.......................... + +The topology of the ISD includes the inter-AS connections to neighboring ASes, and defines the underlay IP/UDP addresses of services and routers running in this AS. This is specified in topology files - this guide later explains how to configure these files. A following graphic depicts the topology on a high level. + +.. figure:: https://github.com/scionproto/scion/raw/27983125bccac6b84d1f96f406853aab0e460405/doc/tutorials/deploy/SCION-deployment-guide.drawio.png + :width: 95 % + :figwidth: 100 % + + *Figure 1 - Topology of the sample SCION demo environment. It consists of 1 ISD, 3 core ASes and 2 non-core ASes.* diff --git a/nixos/tests/scion/freestanding-deployment/default.nix b/nixos/tests/scion/freestanding-deployment/default.nix new file mode 100644 index 000000000000..0c9686fbfbad --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/default.nix @@ -0,0 +1,172 @@ +# implements https://github.com/scionproto/scion/blob/27983125bccac6b84d1f96f406853aab0e460405/doc/tutorials/deploy.rst +import ../../make-test-python.nix ({ pkgs, ... }: +let + trust-root-configuration-keys = pkgs.runCommand "generate-trc-keys.sh" { + buildInputs = [ + pkgs.scion + ]; + } '' + set -euo pipefail + + mkdir /tmp/tutorial-scion-certs && cd /tmp/tutorial-scion-certs + mkdir AS{1..5} + + # Create voting and root keys and (self-signed) certificates for core ASes + pushd AS1 + scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key + scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key + scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key + popd + + pushd AS2 + scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key + popd + + pushd AS3 + scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key + scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key + popd + + # Create the TRC (Trust Root Configuration) + mkdir tmp + echo ' + isd = 42 + description = "Demo ISD 42" + serial_version = 1 + base_version = 1 + voting_quorum = 2 + + core_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"] + authoritative_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"] + cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root.pem", "AS2/cp-root.pem", "AS3/sensitive-voting.pem", "AS3/regular-voting.pem"] + + [validity] + not_before = '$(date +%s)' + validity = "365d"' \ + > trc-B1-S1-pld.tmpl + + scion-pki trc payload --out=tmp/ISD42-B1-S1.pld.der --template trc-B1-S1-pld.tmpl + rm trc-B1-S1-pld.tmpl + + # Sign and bundle the TRC + scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-sensitive.trc + scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-regular.trc + scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-sensitive.trc + scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-regular.trc + + scion-pki trc combine tmp/ISD42-B1-S1.AS{1,3}-{sensitive,regular}.trc --payload tmp/ISD42-B1-S1.pld.der --out ISD42-B1-S1.trc + rm tmp -r + + # Create CA key and certificate for issuing ASes + pushd AS1 + scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key + popd + pushd AS2 + scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key + popd + + # Create AS key and certificate chains + scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle + scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle + scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle + scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle + scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle + + for i in {1..5} + do + mkdir -p $out/AS$i + cp AS$i/cp-as.{key,pem} $out/AS$i + done + + mv *.trc $out + ''; + imports = hostId: [ + ({ + services.scion = { + enable = true; + bypassBootstrapWarning = true; + }; + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks."01-eth1" = { + name = "eth1"; + networkConfig.Address = "192.168.1.${toString hostId}/24"; + }; + environment.etc = { + "scion/topology.json".source = ./topology${toString hostId}.json; + "scion/crypto/as".source = trust-root-configuration-keys + "/AS${toString hostId}"; + "scion/certs/ISD42-B1-S1.trc".source = trust-root-configuration-keys + "/ISD42-B1-S1.trc"; + "scion/keys/master0.key".text = "U${toString hostId}v4k23ZXjGDwDofg/Eevw=="; + "scion/keys/master1.key".text = "dBMko${toString hostId}qMS8DfrN/zP2OUdA=="; + }; + environment.systemPackages = [ + pkgs.scion + ]; + }) + ]; +in +{ + name = "scion-test"; + nodes = { + scion01 = { ... }: { + imports = (imports 1); + }; + scion02 = { ... }: { + imports = (imports 2); + }; + scion03 = { ... }: { + imports = (imports 3); + }; + scion04 = { ... }: { + imports = (imports 4); + }; + scion05 = { ... }: { + imports = (imports 5); + }; + }; + testScript = let + pingAll = pkgs.writeShellScript "ping-all-scion.sh" '' + addresses="42-ffaa:1:1 42-ffaa:1:2 42-ffaa:1:3 42-ffaa:1:4 42-ffaa:1:5" + timeout=100 + wait_for_all() { + for as in "$@" + do + scion showpaths $as --no-probe > /dev/null + return 1 + done + return 0 + } + ping_all() { + for as in "$@" + do + scion ping "$as,127.0.0.1" -c 3 + done + return 0 + } + for i in $(seq 0 $timeout); do + wait_for_all $addresses && exit 0 + ping_all $addresses && exit 0 + sleep 1 + done + ''; + in + '' + # List of AS instances + machines = [scion01, scion02, scion03, scion04, scion05] + + # Wait for scion-control.service on all instances + for i in machines: + i.wait_for_unit("scion-control.service") + + # Execute pingAll command on all instances + for i in machines: + i.succeed("${pingAll} >&2") + + # Restart scion-dispatcher and ping again to test robustness + for i in machines: + i.succeed("systemctl restart scion-dispatcher >&2") + i.succeed("${pingAll} >&2") + ''; +}) diff --git a/nixos/tests/scion/freestanding-deployment/topology1.json b/nixos/tests/scion/freestanding-deployment/topology1.json new file mode 100644 index 000000000000..de51515eebc2 --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/topology1.json @@ -0,0 +1,51 @@ +{ + "attributes": [ + "core" + ], + "isd_as": "42-ffaa:1:1", + "mtu": 1472, + "control_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "discovery_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "border_routers": { + "br": { + "internal_addr": "127.0.0.1:31002", + "interfaces": { + "1": { + "underlay": { + "public": "192.168.1.1:50014", + "remote": "192.168.1.4:50014" + }, + "isd_as": "42-ffaa:1:4", + "link_to": "child", + "mtu": 1472 + }, + "2": { + "underlay": { + "public": "192.168.1.1:50012", + "remote": "192.168.1.2:50012" + }, + "isd_as": "42-ffaa:1:2", + "link_to": "core", + "mtu": 1472 + }, + "3": { + "underlay": { + "public": "192.168.1.1:50013", + "remote": "192.168.1.3:50013" + }, + "isd_as": "42-ffaa:1:3", + "link_to": "core", + "mtu": 1472 + } + } + } + } +} diff --git a/nixos/tests/scion/freestanding-deployment/topology2.json b/nixos/tests/scion/freestanding-deployment/topology2.json new file mode 100644 index 000000000000..f8e10d5d1f75 --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/topology2.json @@ -0,0 +1,51 @@ +{ + "attributes": [ + "core" + ], + "isd_as": "42-ffaa:1:2", + "mtu": 1472, + "control_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "discovery_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "border_routers": { + "br": { + "internal_addr": "127.0.0.1:31002", + "interfaces": { + "1": { + "underlay": { + "public": "192.168.1.2:50012", + "remote": "192.168.1.1:50012" + }, + "isd_as": "42-ffaa:1:1", + "link_to": "core", + "mtu": 1472 + }, + "2": { + "underlay": { + "public": "192.168.1.2:50023", + "remote": "192.168.1.3:50023" + }, + "isd_as": "42-ffaa:1:3", + "link_to": "core", + "mtu": 1472 + }, + "3": { + "underlay": { + "public": "192.168.1.2:50025", + "remote": "192.168.1.5:50025" + }, + "isd_as": "42-ffaa:1:5", + "link_to": "child", + "mtu": 1472 + } + } + } + } +} diff --git a/nixos/tests/scion/freestanding-deployment/topology3.json b/nixos/tests/scion/freestanding-deployment/topology3.json new file mode 100644 index 000000000000..53cee431885b --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/topology3.json @@ -0,0 +1,60 @@ +{ + "attributes": [ + "core" + ], + "isd_as": "42-ffaa:1:3", + "mtu": 1472, + "control_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "discovery_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "border_routers": { + "br": { + "internal_addr": "127.0.0.1:31002", + "interfaces": { + "1": { + "underlay": { + "public": "192.168.1.3:50013", + "remote": "192.168.1.1:50013" + }, + "isd_as": "42-ffaa:1:1", + "link_to": "core", + "mtu": 1472 + }, + "2": { + "underlay": { + "public": "192.168.1.3:50023", + "remote": "192.168.1.2:50023" + }, + "isd_as": "42-ffaa:1:2", + "link_to": "core", + "mtu": 1472 + }, + "3": { + "underlay": { + "public": "192.168.1.3:50034", + "remote": "192.168.1.4:50034" + }, + "isd_as": "42-ffaa:1:4", + "link_to": "child", + "mtu": 1472 + }, + "4": { + "underlay": { + "public": "192.168.1.3:50035", + "remote": "192.168.1.5:50035" + }, + "isd_as": "42-ffaa:1:5", + "link_to": "child", + "mtu": 1472 + } + } + } + } +} diff --git a/nixos/tests/scion/freestanding-deployment/topology4.json b/nixos/tests/scion/freestanding-deployment/topology4.json new file mode 100644 index 000000000000..03c507a4daf5 --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/topology4.json @@ -0,0 +1,40 @@ +{ + "attributes": [], + "isd_as": "42-ffaa:1:4", + "mtu": 1472, + "control_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "discovery_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "border_routers": { + "br": { + "internal_addr": "127.0.0.1:31002", + "interfaces": { + "1": { + "underlay": { + "public": "192.168.1.4:50014", + "remote": "192.168.1.1:50014" + }, + "isd_as": "42-ffaa:1:1", + "link_to": "parent", + "mtu": 1472 + }, + "2": { + "underlay": { + "public": "192.168.1.4:50034", + "remote": "192.168.1.3:50034" + }, + "isd_as": "42-ffaa:1:3", + "link_to": "parent", + "mtu": 1472 + } + } + } + } +} diff --git a/nixos/tests/scion/freestanding-deployment/topology5.json b/nixos/tests/scion/freestanding-deployment/topology5.json new file mode 100644 index 000000000000..6114c1f73c2a --- /dev/null +++ b/nixos/tests/scion/freestanding-deployment/topology5.json @@ -0,0 +1,40 @@ +{ + "attributes": [], + "isd_as": "42-ffaa:1:5", + "mtu": 1472, + "control_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "discovery_service": { + "cs": { + "addr": "127.0.0.1:31000" + } + }, + "border_routers": { + "br": { + "internal_addr": "127.0.0.1:31002", + "interfaces": { + "1": { + "underlay": { + "public": "192.168.1.5:50025", + "remote": "192.168.1.2:50025" + }, + "isd_as": "42-ffaa:1:2", + "link_to": "parent", + "mtu": 1472 + }, + "2": { + "underlay": { + "public": "192.168.1.5:50035", + "remote": "192.168.1.3:50035" + }, + "isd_as": "42-ffaa:1:3", + "link_to": "parent", + "mtu": 1472 + } + } + } + } +} From 716f10c176d468ea4d9c4e6c48cbc26ea3bc6bef Mon Sep 17 00:00:00 2001 From: matthewcroughan Date: Sun, 24 Mar 2024 21:04:12 +0000 Subject: [PATCH 2/3] scion: rename binaries These are the names of the binaries as they are distributed in some places. Upstream systemd services even depend upon these names, it is going to be helpful to keep this naming consistent, for bootstrapping --- pkgs/by-name/sc/scion/package.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/by-name/sc/scion/package.nix b/pkgs/by-name/sc/scion/package.nix index 4ded8b2d98e1..af9b92d1cfd2 100644 --- a/pkgs/by-name/sc/scion/package.nix +++ b/pkgs/by-name/sc/scion/package.nix @@ -42,6 +42,16 @@ buildGoModule { ${skipTest 1 "TestOpensslCompatible" "scion-pki/trcs/sign_test.go"} ''; + postInstall = '' + set +e + mv $out/bin/gateway $out/bin/scion-ip-gateway + mv $out/bin/dispatcher $out/bin/scion-dispatcher + mv $out/bin/router $out/bin/scion-router + mv $out/bin/control $out/bin/scion-control + mv $out/bin/daemon $out/bin/scion-daemon + set -e + ''; + doCheck = true; patches = [ From 43310164e47bc4fb45dcbf9506689bcbbb9dcb53 Mon Sep 17 00:00:00 2001 From: matthewcroughan Date: Wed, 27 Mar 2024 08:02:52 +0000 Subject: [PATCH 3/3] scion: add passthru.tests --- pkgs/by-name/sc/scion/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/sc/scion/package.nix b/pkgs/by-name/sc/scion/package.nix index af9b92d1cfd2..67321aaa01ff 100644 --- a/pkgs/by-name/sc/scion/package.nix +++ b/pkgs/by-name/sc/scion/package.nix @@ -2,6 +2,7 @@ , buildGoModule , fetchFromGitHub , fetchpatch2 +, nixosTests }: let version = "0.10.0"; @@ -61,6 +62,10 @@ buildGoModule { }) ]; + passthru.tests = { + inherit (nixosTests) scion-freestanding-deployment; + }; + meta = with lib; { description = "A future Internet architecture utilizing path-aware networking"; homepage = "https://scion-architecture.net/";