# NixOS VM test for the PAM ZFS key integration (security.pam.zfs).
# It creates two passphrase-encrypted home datasets and checks that a console
# login mounts a home only when the login password matches the dataset
# passphrase.
import ../make-test-python.nix (
  { ... }:

  let
    # Login password for both users; also the passphrase of alice's dataset.
    # Set through the plaintext `password` option, which is only acceptable in
    # a throwaway test VM.
    userPassword = "password";
    # Passphrase of bob's dataset; deliberately different from his login password.
    mismatchPass = "mismatch";
  in
  {
    name = "pam-zfs-key";

    nodes.machine =
      { ... }:
      {
        boot.supportedFilesystems = [ "zfs" ];

        # Fixed host id for the test machine; ZFS on NixOS expects one to be set.
        networking.hostId = "12345678";

        # The module under test.
        security.pam.zfs.enable = true;

        users.users = {
          alice = {
            isNormalUser = true;
            password = userPassword;
          };
          bob = {
            isNormalUser = true;
            password = userPassword;
          };
        };
      };

    # Test driver script. Steps, in order:
    #   1. Build a file-backed pool and create <homes>/alice (passphrase =
    #      userPassword) and <homes>/bob (passphrase = mismatchPass), both with
    #      canmount=noauto, then unload both keys so the datasets start locked.
    #   2. Log in as alice on tty2 with userPassword and require that her home
    #      shows up in `mount` output.
    #   3. Log in as bob on tty3 with userPassword and require that the login
    #      itself succeeds (a bash process owned by bob exists) while his home
    #      does NOT show up in `mount` output.
    # NOTE(review): both outcomes are asserted only through `mount | grep`; the
    # key state is never checked. Asserting the `keystatus` property of each
    # dataset as well would pin the locked/unlocked outcome directly - consider
    # adding that.
    testScript =
      { nodes, ... }:
      let
        # Parent dataset for per-user homes, read from the evaluated module option.
        homes = nodes.machine.security.pam.zfs.homes;
        # Pool name: the first "/"-separated component of `homes`.
        pool = builtins.head (builtins.split "/" homes);
      in
      ''
        machine.wait_for_unit("multi-user.target")
        machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")

        with subtest("Create encrypted ZFS datasets"):
            machine.succeed("truncate -s 64M /testpool.img")
            machine.succeed("zpool create -O canmount=off '${pool}' /testpool.img")
            machine.succeed("zfs create -o canmount=off -p '${homes}'")
            machine.succeed("echo ${userPassword} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/alice'")
            machine.succeed("zfs unload-key '${homes}/alice'")
            machine.succeed("echo ${mismatchPass} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/bob'")
            machine.succeed("zfs unload-key '${homes}/bob'")

        with subtest("Switch to tty2"):
            machine.fail("pgrep -f 'agetty.*tty2'")
            machine.send_key("alt-f2")
            machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
            machine.wait_for_unit("getty@tty2.service")
            machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")

        with subtest("Log in as user with home locked by login password"):
            machine.wait_until_tty_matches("2", "login: ")
            machine.send_chars("alice\n")
            machine.wait_until_tty_matches("2", "login: alice")
            machine.wait_until_succeeds("pgrep login")
            machine.wait_until_tty_matches("2", "Password: ")
            machine.send_chars("${userPassword}\n")
            machine.wait_until_succeeds("pgrep -u alice bash")
            machine.succeed("mount | grep ${homes}/alice")

        with subtest("Switch to tty3"):
            machine.fail("pgrep -f 'agetty.*tty3'")
            machine.send_key("alt-f3")
            machine.wait_until_succeeds("[ $(fgconsole) = 3 ]")
            machine.wait_for_unit("getty@tty3.service")
            machine.wait_until_succeeds("pgrep -f 'agetty.*tty3'")

        with subtest("Log in as user with home locked by password different from login"):
            machine.wait_until_tty_matches("3", "login: ")
            machine.send_chars("bob\n")
            machine.wait_until_tty_matches("3", "login: bob")
            machine.wait_until_succeeds("pgrep login")
            machine.wait_until_tty_matches("3", "Password: ")
            machine.send_chars("${userPassword}\n")
            machine.wait_until_succeeds("pgrep -u bob bash")
            machine.fail("mount | grep ${homes}/bob")
      '';
  }
)