pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / nixos-rebuild-target-host.nix
at 24.11-pre 5.7 kB view raw
1import ./make-test-python.nix ({ pkgs, ... }: { 2 name = "nixos-rebuild-target-host"; 3 4 nodes = { 5 deployer = { lib, ... }: let 6 inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; 7 in { 8 imports = [ ../modules/profiles/installation-device.nix ]; 9 10 nix.settings = { 11 substituters = lib.mkForce [ ]; 12 hashed-mirrors = null; 13 connect-timeout = 1; 14 }; 15 16 environment.systemPackages = [ pkgs.passh ]; 17 18 system.includeBuildDependencies = true; 19 20 virtualisation = { 21 cores = 2; 22 memorySize = 2048; 23 }; 24 25 system.build.privateKey = snakeOilPrivateKey; 26 system.build.publicKey = snakeOilPublicKey; 27 }; 28 29 target = { nodes, lib, ... }: let 30 targetConfig = { 31 documentation.enable = false; 32 services.openssh.enable = true; 33 34 users.users.root.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; 35 users.users.alice.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; 36 users.users.bob.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; 37 38 users.users.alice.extraGroups = [ "wheel" ]; 39 users.users.bob.extraGroups = [ "wheel" ]; 40 41 # Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo` 42 security.sudo.extraRules = lib.mkForce [ 43 { groups = [ "wheel" ]; commands = [ { command = "ALL"; } ]; } 44 { users = [ "alice" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } 45 ]; 46 47 nix.settings.trusted-users = [ "@wheel" ]; 48 }; 49 in { 50 imports = [ ./common/user-account.nix ]; 51 52 config = lib.mkMerge [ 53 targetConfig 54 { 55 system.build = { 56 inherit targetConfig; 57 }; 58 59 networking.hostName = "target"; 60 } 61 ]; 62 }; 63 }; 64 65 testScript = { nodes, ... }: 66 let 67 sshConfig = builtins.toFile "ssh.conf" '' 68 UserKnownHostsFile=/dev/null 69 StrictHostKeyChecking=no 70 ''; 71 72 targetConfigJSON = pkgs.writeText "target-configuration.json" 73 (builtins.toJSON nodes.target.system.build.targetConfig); 74 75 targetNetworkJSON = pkgs.writeText "target-network.json" 76 (builtins.toJSON nodes.target.system.build.networkConfig); 77 78 configFile = hostname: pkgs.writeText "configuration.nix" '' 79 { lib, modulesPath, ... }: { 80 imports = [ 81 (modulesPath + "/virtualisation/qemu-vm.nix") 82 (modulesPath + "/testing/test-instrumentation.nix") 83 (modulesPath + "/../tests/common/user-account.nix") 84 (lib.modules.importJSON ./target-configuration.json) 85 (lib.modules.importJSON ./target-network.json) 86 ./hardware-configuration.nix 87 ]; 88 89 boot.loader.grub = { 90 enable = true; 91 device = "/dev/vda"; 92 forceInstall = true; 93 }; 94 95 # this will be asserted 96 networking.hostName = "${hostname}"; 97 } 98 ''; 99 in 100 '' 101 start_all() 102 target.wait_for_open_port(22) 103 104 deployer.wait_until_succeeds("ping -c1 target") 105 deployer.succeed("install -Dm 600 ${nodes.deployer.system.build.privateKey} ~root/.ssh/id_ecdsa") 106 deployer.succeed("install ${sshConfig} ~root/.ssh/config") 107 108 target.succeed("nixos-generate-config") 109 deployer.succeed("scp alice@target:/etc/nixos/hardware-configuration.nix /root/hardware-configuration.nix") 110 111 deployer.copy_from_host("${configFile "config-1-deployed"}", "/root/configuration-1.nix") 112 deployer.copy_from_host("${configFile "config-2-deployed"}", "/root/configuration-2.nix") 113 deployer.copy_from_host("${configFile "config-3-deployed"}", "/root/configuration-3.nix") 114 deployer.copy_from_host("${targetNetworkJSON}", "/root/target-network.json") 115 deployer.copy_from_host("${targetConfigJSON}", "/root/target-configuration.json") 116 117 # Ensure sudo is disabled for root 118 target.fail("sudo true") 119 120 # This test also ensures that sudo is not called without --use-remote-sudo 121 with subtest("Deploy to root@target"): 122 deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console") 123 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() 124 assert target_hostname == "config-1-deployed", f"{target_hostname=}" 125 126 with subtest("Deploy to alice@target with passwordless sudo"): 127 deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console") 128 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() 129 assert target_hostname == "config-2-deployed", f"{target_hostname=}" 130 131 with subtest("Deploy to bob@target with password based sudo"): 132 deployer.succeed("passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P \"\[sudo\] password\" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console") 133 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() 134 assert target_hostname == "config-3-deployed", f"{target_hostname=}" 135 136 with subtest("Deploy works with very long TMPDIR"): 137 tmp_dir = "/var/folder/veryveryveryveryverylongpathnamethatdoesnotworkwithcontrolpath" 138 deployer.succeed(f"mkdir -p {tmp_dir}") 139 deployer.succeed(f"TMPDIR={tmp_dir} nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console") 140 ''; 141})