From cf07ac9e15fc92d78e3a51cd4b58ce7764d23c74 Mon Sep 17 00:00:00 2001
From: Tim Van Baak
Date: Sat, 27 Sep 2025 21:04:23 -0700
Subject: [PATCH] nixos/nebula: add test for reloadable configuration

---
 nixos/tests/all-tests.nix          |  1 +
 nixos/tests/nebula/reload.nix      | 92 ++++++++++++++++++++++++++++++
 pkgs/by-name/ne/nebula/package.nix |  5 +-
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 nixos/tests/nebula/reload.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 4ade52acb47c..f37373c70cee 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1012,6 +1012,7 @@ in
   };
   ndppd = runTest ./ndppd.nix;
   nebula.connectivity = runTest ./nebula/connectivity.nix;
+  nebula.reload = runTest ./nebula/reload.nix;
   neo4j = runTest ./neo4j.nix;
   netbird = runTest ./netbird.nix;
   netbox-upgrade = runTest ./web-apps/netbox-upgrade.nix;
diff --git a/nixos/tests/nebula/reload.nix b/nixos/tests/nebula/reload.nix
new file mode 100644
index 000000000000..b1a8bdc75745
--- /dev/null
+++ b/nixos/tests/nebula/reload.nix
@@ -0,0 +1,92 @@
+{ pkgs, lib, ... }:
+let
+
+  inherit (import ../ssh-keys.nix pkgs)
+    snakeOilPrivateKey
+    snakeOilPublicKey
+    ;
+
+in
+{
+  name = "nebula";
+
+  nodes = {
+    lighthouse =
+      {
+        pkgs,
+        lib,
+        config,
+        ...
+      }:
+      {
+        environment.systemPackages = [ pkgs.nebula ];
+        environment.etc."nebula-key" = {
+          user = "nebula-smoke";
+          group = "nebula-smoke";
+          source = snakeOilPrivateKey;
+          mode = "0600";
+        };
+
+        services.nebula.networks.smoke = {
+          # Note that these paths won't exist when the machine is first booted.
+          ca = "/etc/nebula/ca.crt";
+          cert = "/etc/nebula/lighthouse.crt";
+          key = "/etc/nebula/lighthouse.key";
+          isLighthouse = true;
+          listen = {
+            host = "0.0.0.0";
+            port = 4242;
+          };
+          enableReload = true;
+          settings.sshd = {
+            enabled = true;
+            listen = "127.0.0.1:2222";
+            host_key = "/etc/nebula-key";
+          };
+        };
+
+        # We will test that nebula is reloaded by switching specialisations.
+        specialisation.sshd-off.configuration = {
+          services.nebula.networks.smoke.settings.sshd.enabled = lib.mkForce false;
+        };
+        specialisation.sshd-on.configuration = {
+          services.nebula.networks.smoke.settings.sshd.enabled = lib.mkForce true;
+        };
+      };
+  };
+
+  testScript =
+    { nodes, ... }:
+    let
+      sshd-on = "${nodes.lighthouse.system.build.toplevel}/specialisation/sshd-on";
+      sshd-off = "${nodes.lighthouse.system.build.toplevel}/specialisation/sshd-off";
+    in
+    ''
+      # Create the certificate and sign the lighthouse's keys.
+      lighthouse.succeed(
+        "mkdir -p /etc/nebula",
+        'nebula-cert ca -duration $((10*365*24*60))m -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key',
+        'nebula-cert sign -duration $((365*24*60))m -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key',
+        'chown -R nebula-smoke:nebula-smoke /etc/nebula'
+      )
+
+      # Restart nebula to pick up the keys.
+      lighthouse.systemctl("restart nebula@smoke.service")
+      lighthouse.succeed("ping -c5 10.0.100.1")
+
+      # Verify that nebula's ssh interface is up.
+      lighthouse.succeed("${pkgs.nmap}/bin/nmap 127.0.0.1 | grep 2222/tcp")
+
+      # Switch configuration, verify nebula was reloaded and not restarted.
+      lighthouse.succeed("${sshd-off}/bin/switch-to-configuration test 2>&1 | grep 'nebula' | grep 'reload'")
+
+      # Verify that nebula's ssh interface is no longer up.
+      lighthouse.fail("${pkgs.nmap}/bin/nmap 127.0.0.1 | grep 2222/tcp")
+
+      # Switch configuration, verify reload again.
+      lighthouse.succeed("${sshd-on}/bin/switch-to-configuration test 2>&1 | grep 'nebula' | grep 'reload'")
+
+      # Verify that ssh is back.
+      lighthouse.succeed("${pkgs.nmap}/bin/nmap 127.0.0.1 | grep 2222/tcp")
+    '';
+}
diff --git a/pkgs/by-name/ne/nebula/package.nix b/pkgs/by-name/ne/nebula/package.nix
index 3ddad20ac370..80ce794aec44 100644
--- a/pkgs/by-name/ne/nebula/package.nix
+++ b/pkgs/by-name/ne/nebula/package.nix
@@ -26,7 +26,10 @@ buildGoModule rec {
   ldflags = [ "-X main.Build=${version}" ];
 
   passthru.tests = {
-    inherit (nixosTests.nebula) connectivity;
+    inherit (nixosTests.nebula)
+      connectivity
+      reload
+      ;
   };
 
   meta = {
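Review bot: The check `lighthouse.succeed("${sshd-off}/bin/switch-to-configuration test 2>&1 | grep 'nebula' | grep 'reload'")` only proves that a reload line was printed; it does not establish the "not restarted" half of the comment above it, because a restart of the same unit would be reported on a separate line and the pipeline would still succeed. Reading `systemctl show -p MainPID --value nebula@smoke.service` before and after each switch and asserting the two values are equal pins down that the process survived. The port probes that follow each switch also race with the reload: `systemctl reload` returns as soon as the signal is delivered, so the listener on 127.0.0.1:2222 may not yet have gone away (or come back) when nmap runs, and the probe additionally depends on port 2222 being in nmap's default scan list. `lighthouse.wait_for_closed_port(2222)` and `lighthouse.wait_for_open_port(2222)` express the same checks without the dependency or the race. The same applies to the sshd-on switch a few lines further down.
```nix
      # Record the main PID so a restart (new PID) can be told apart from a reload.
      pid_before = lighthouse.succeed("systemctl show -p MainPID --value nebula@smoke.service").strip()

      # Switch configuration, verify nebula was reloaded and not restarted.
      lighthouse.succeed("${sshd-off}/bin/switch-to-configuration test 2>&1 | grep 'nebula' | grep 'reload'")
      assert pid_before == lighthouse.succeed("systemctl show -p MainPID --value nebula@smoke.service").strip()

      # Verify that nebula's ssh interface is no longer up.
      lighthouse.wait_for_closed_port(2222)

      # … unchanged: sshd-on switch, with the same PID comparison and wait_for_open_port(2222) …
```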