nixos/tests/systemd-sysusers-mutable.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / systemd-sysusers-mutable.nix
at 25.11-pre 2.9 kB view raw
 1{ lib, ... }:
 2
 3let
 4  rootPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
 5  sysuserPassword = "hello";
 6  newSysuserPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
 7in
 8
 9{
10
11  name = "activation-sysusers-mutable";
12
13  meta.maintainers = with lib.maintainers; [ nikstur ];
14
15  nodes.machine =
16    { pkgs, ... }:
17    {
18      systemd.sysusers.enable = true;
19      users.mutableUsers = true;
20
21      # Prerequisites
22      system.etc.overlay.enable = true;
23      boot.initrd.systemd.enable = true;
24      boot.kernelPackages = pkgs.linuxPackages_latest;
25
26      # Override the empty root password set by the test instrumentation
27      users.users.root.hashedPasswordFile = lib.mkForce null;
28      users.users.root.initialHashedPassword = rootPassword;
29      users.users.sysuser = {
30        isSystemUser = true;
31        group = "wheel";
32        home = "/sysuser";
33        initialPassword = sysuserPassword;
34      };
35
36      specialisation.new-generation.configuration = {
37        users.users.new-sysuser = {
38          isSystemUser = true;
39          group = "wheel";
40          home = "/new-sysuser";
41          initialHashedPassword = newSysuserPassword;
42        };
43      };
44    };
45
46  testScript = ''
47    machine.wait_for_unit("systemd-sysusers.service")
48
49    with subtest("systemd-sysusers.service contains the credentials"):
50      sysusers_service = machine.succeed("systemctl cat systemd-sysusers.service")
51      print(sysusers_service)
52      assert "SetCredential=passwd.plaintext-password.sysuser:${sysuserPassword}" in sysusers_service
53
54    with subtest("Correct mode on the password files"):
55      assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
56      assert machine.succeed("stat -c '%a' /etc/group") == "644\n"
57      assert machine.succeed("stat -c '%a' /etc/shadow") == "0\n"
58      assert machine.succeed("stat -c '%a' /etc/gshadow") == "0\n"
59
60    with subtest("root user has correct password"):
61      print(machine.succeed("getent passwd root"))
62      assert "${rootPassword}" in machine.succeed("getent shadow root"), "root user password is not correct"
63
64    with subtest("sysuser user is created"):
65      print(machine.succeed("getent passwd sysuser"))
66      assert machine.succeed("stat -c '%U' /sysuser") == "sysuser\n"
67
68    with subtest("Manually add new user"):
69      machine.succeed("useradd manual-sysuser")
70
71
72    machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")
73
74
75    with subtest("new-sysuser user is created after switching to new generation"):
76      print(machine.succeed("getent passwd new-sysuser"))
77      assert machine.succeed("stat -c '%U' /new-sysuser") == "new-sysuser\n"
78      assert "${newSysuserPassword}" in machine.succeed("getent shadow new-sysuser"), "new-sysuser user password is not correct"
79  '';
80}