{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
}:

let
  # Test fixtures only: writeText places the contents in the Nix store, which is
  # readable by every user on the host, so nothing here is an actual secret.
  # Both files deliberately share the store name "topsecret" so that only their
  # contents distinguish them.
  mkFixtureSecret = contents: pkgs.writeText "topsecret" contents;
  firstSecret = mkFixtureSecret "iamasecret1";
  secondSecret = mkFixtureSecret "iamasecret2";

  # Every configuration installs one and the same secret at both of these paths.
  secretPaths = [ "/test" "/run/keys/test" ];
  secretsFrom = secret: lib.genAttrs secretPaths (_: secret);
in

testing.makeTest {
  name = "initrd-secrets-changing";

  nodes.machine = { ... }: {
    # A real boot loader is required so that the specialisation appears as its
    # own GRUB entry, which the test script selects with `grub-reboot`.
    virtualisation.useBootLoader = true;
    boot.loader.grub.device = "/dev/vda";

    boot.initrd.secrets = secretsFrom firstSecret;
    # Keep a copy of the secret as seen from inside the initramfs on the root
    # filesystem, so the booted system can compare it with the store file.
    boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";

    # The specialisation swaps in the second secret at the very same paths;
    # the kernel itself is unchanged (see the subtest in testScript).
    specialisation.secrets2System.configuration = {
      boot.initrd.secrets = lib.mkForce (secretsFrom secondSecret);
    };
  };

  testScript = ''
    start_all()

    machine.wait_for_unit("multi-user.target")
    print(machine.succeed("cat /run/keys/test"))
    machine.succeed(
        "cmp ${firstSecret} /secret-from-initramfs",
        "cmp ${firstSecret} /run/keys/test",
    )
    # Select the second boot entry corresponding to the specialisation secrets2System.
    machine.succeed("grub-reboot 1")
    machine.shutdown()

    with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
        machine.wait_for_unit("multi-user.target")
        print(machine.succeed("cat /run/keys/test"))
        machine.succeed(
            "cmp ${secondSecret} /secret-from-initramfs",
            "cmp ${secondSecret} /run/keys/test",
        )
        machine.shutdown()
  '';
}