# This strongswan-swanctl test is based on:
# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html
# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4
#
# The roadwarrior carol sets up a connection to gateway moon. The authentication
# is based on pre-shared keys and IPv4 addresses. Upon the successful
# establishment of the IPsec tunnels, the specified updown script automatically
# inserts iptables-based firewall rules that let pass the tunneled traffic. In
# order to test both tunnel and firewall, carol pings the client alice behind
# the gateway moon.
#
#     alice                       moon                        carol
#      eth1------vlan_0------eth1        eth2------vlan_1------eth1
#   192.168.0.1         192.168.0.3  192.168.1.3           192.168.1.2
#
# See the NixOS manual for how to run this test:
# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively

import ./make-test-python.nix ({ pkgs, ...} :

let
  allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT";

  # Shared VPN settings:
  vlan0         = "192.168.0.0/24";
  carolIp       = "192.168.1.2";
  moonIp        = "192.168.1.3";
  version       = 2;
  secret        = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx";
  esp_proposals = [ "aes128gcm128-x25519" ];
  proposals     = [ "aes128-sha256-x25519" ];
in {
  name = "strongswan-swanctl";
  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ basvandijk ];
  nodes = {

    alice = { ... } : {
      virtualisation.vlans = [ 0 ];
      networking = {
        dhcpcd.enable = false;
        defaultGateway = "192.168.0.3";
      };
    };

    moon = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 0 1 ];
        networking = {
          dhcpcd.enable = false;
          firewall = {
            allowedUDPPorts = [ 4500 500 ];
            extraCommands = allowESP;
          };
          nat = {
            enable             = true;
            internalIPs        = [ vlan0 ];
            internalInterfaces = [ "eth1" ];
            externalIP         = moonIp;
            externalInterface  = "eth2";
          };
        };
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              rw = {
                local_addrs = [ moonIp ];
                local.main = {
                  auth = "psk";
                };
                remote.main = {
                  auth = "psk";
                };
                children = {
                  net = {
                    local_ts = [ vlan0 ];
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                  };
                };
                inherit version;
                inherit proposals;
              };
            };
            secrets = {
              ike.carol = {
                id.main = carolIp;
                inherit secret;
              };
            };
          };
        };
      };

    carol = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 1 ];
        networking = {
          dhcpcd.enable = false;
          firewall.extraCommands = allowESP;
        };
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              home = {
                local_addrs = [ carolIp ];
                remote_addrs = [ moonIp ];
                local.main = {
                  auth = "psk";
                  id = carolIp;
                };
                remote.main = {
                  auth = "psk";
                  id = moonIp;
                };
                children = {
                  home = {
                    remote_ts = [ vlan0 ];
                    start_action = "trap";
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                  };
                };
                inherit version;
                inherit proposals;
              };
            };
            secrets = {
              ike.moon = {
                id.main = moonIp;
                inherit secret;
              };
            };
          };
        };
      };

  };
  testScript = ''
    start_all()
    carol.wait_until_succeeds("ping -c 1 alice")
  '';
})