# NixOS VM test for security.pam.zfs: logging in on a text console should
# unlock and mount a user's encrypted ZFS home dataset when the dataset
# passphrase equals the login password, and must leave the dataset unmounted
# when the two differ.
import ../make-test-python.nix ({ ... }:

let
  # Throw-away credentials for a disposable test VM. They are spliced unquoted
  # into shell command lines in the test script, which is only safe because
  # they are fixed literals without shell metacharacters. Both are 8
  # characters, the minimum length ZFS accepts for keyformat=passphrase.
  loginPassword = "password";
  otherPassphrase = "mismatch";

  # alice and bob share the same login password; what differs between them is
  # the passphrase their home dataset is created with in the test script.
  # A plain-text `password` is acceptable only in a test like this one; real
  # configurations should use a hashed password (e.g. `hashedPassword`).
  testAccount = {
    isNormalUser = true;
    password = loginPassword;
  };
in
{
  name = "pam-zfs-key";

  nodes.machine = { ... }: {
    boot.supportedFilesystems = [ "zfs" ];

    # Fixed host id for the ZFS-enabled test machine.
    networking.hostId = "12345678";

    # Module under test.
    security.pam.zfs.enable = true;

    users.users.alice = testAccount;
    users.users.bob = testAccount;
  };

  testScript = { nodes, ... }:
    let
      # Parent dataset for the per-user homes, as configured by the module;
      # the pool name is its first "/"-separated component.
      inherit (nodes.machine.security.pam.zfs) homes;
      pool = builtins.elemAt (builtins.split "/" homes) 0;
    in
    # Flow of the script below:
    #  1. Build a file-backed pool and one encrypted dataset per user, created
    #     with canmount=noauto, then unload each key so the dataset is locked
    #     before anyone logs in.
    #  2. alice logs in on tty2 with the password that is also her dataset
    #     passphrase: her home must show up in the mount table.
    #  3. bob logs in on tty3 with the same login password, but his dataset
    #     was created with a different passphrase: the login itself still
    #     succeeds (a bash process runs as bob), yet his home must not be
    #     mounted.
    # NOTE(review): the negative case inspects only the mount table; it does
    # not assert that the key of bob's dataset stayed unloaded.
    ''
      machine.wait_for_unit("multi-user.target")
      machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")

      with subtest("Create encrypted ZFS datasets"):
        machine.succeed("truncate -s 64M /testpool.img")
        machine.succeed("zpool create -O canmount=off '${pool}' /testpool.img")
        machine.succeed("zfs create -o canmount=off -p '${homes}'")
        machine.succeed("echo ${loginPassword} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/alice'")
        machine.succeed("zfs unload-key '${homes}/alice'")
        machine.succeed("echo ${otherPassphrase} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/bob'")
        machine.succeed("zfs unload-key '${homes}/bob'")

      with subtest("Switch to tty2"):
        machine.fail("pgrep -f 'agetty.*tty2'")
        machine.send_key("alt-f2")
        machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
        machine.wait_for_unit("getty@tty2.service")
        machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")

      with subtest("Log in as user with home locked by login password"):
        machine.wait_until_tty_matches("2", "login: ")
        machine.send_chars("alice\n")
        machine.wait_until_tty_matches("2", "login: alice")
        machine.wait_until_succeeds("pgrep login")
        machine.wait_until_tty_matches("2", "Password: ")
        machine.send_chars("${loginPassword}\n")
        machine.wait_until_succeeds("pgrep -u alice bash")
        machine.succeed("mount | grep ${homes}/alice")

      with subtest("Switch to tty3"):
        machine.fail("pgrep -f 'agetty.*tty3'")
        machine.send_key("alt-f3")
        machine.wait_until_succeeds("[ $(fgconsole) = 3 ]")
        machine.wait_for_unit("getty@tty3.service")
        machine.wait_until_succeeds("pgrep -f 'agetty.*tty3'")

      with subtest("Log in as user with home locked by password different from login"):
        machine.wait_until_tty_matches("3", "login: ")
        machine.send_chars("bob\n")
        machine.wait_until_tty_matches("3", "login: bob")
        machine.wait_until_succeeds("pgrep login")
        machine.wait_until_tty_matches("3", "Password: ")
        machine.send_chars("${loginPassword}\n")
        machine.wait_until_succeeds("pgrep -u bob bash")
        machine.fail("mount | grep ${homes}/bob")
    '';
}
)