{
  pkgs,
  lib,
  config,
  ...
}:
# This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:
# - a local unix socket on the same system
# - a unix socket inside a container
#
# Trust model of the test: both sshd instances (host and container) are configured
# with PermitRootLogin=prohibit-password, so root is reachable only with the
# "snake oil" ed25519 key pair imported below, which is a throwaway fixture from
# ./ssh-keys.nix (its private half is interpolated into the test script as a path).
# `config` is accepted in the argument pattern but not referenced in this file.
let
  inherit (import ./ssh-keys.nix pkgs)
    snakeOilEd25519PrivateKey
    snakeOilEd25519PublicKey
    ;
in
{
  name = "systemd-ssh-proxy";
  meta.maintainers = with pkgs.lib.maintainers; [ marie ];

  nodes = {
    virthost = {
      # Host sshd. The second subtest reaches it through sshd-unix-local.socket,
      # i.e. over an AF_UNIX socket rather than a TCP port.
      services.openssh = {
        enable = true;
        # Key-based root login only; password authentication for root is refused.
        settings.PermitRootLogin = "prohibit-password";
      };
      users.users = {
        root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
        # Unprivileged account used to exercise the local socket as a non-root user.
        nixos = {
          isNormalUser = true;
        };
      };
      # nspawn container whose sshd is exposed to the host via the
      # /run/systemd/nspawn/unix-export/guest/ssh socket used in the first subtest.
      containers.guest = {
        autoStart = true;
        config = {
          users.users.root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
          services.openssh = {
            enable = true;
            settings.PermitRootLogin = "prohibit-password";
          };
          system.stateVersion = lib.trivial.release;
        };
      };
    };
  };

  # Driver script (Python run by the NixOS test driver). Steps:
  #  1. install the snake-oil private key for root on virthost with mode 0600;
  #  2. "ssh into a container with AF_UNIX": wait for container@guest.service,
  #     then ssh to the unix/... host name, which systemd-ssh-proxy is expected
  #     to map onto the container's exported socket, and check the echoed reply;
  #  3. "elevate permissions using local ssh socket": wait for
  #     sshd-unix-local.socket, hand the same key to the unprivileged user
  #     (copy, chmod 600, chown), then ssh root@.host as that user and expect
  #     `whoami` to print root.
  # NOTE(review): the second ssh passes StrictHostKeyChecking=no, so host-key
  # verification is disabled for that connection, while the first ssh passes no
  # such option. Whether either connection needs it depends on the ssh_config
  # drop-in that systemd ships for these host names — confirm before copying
  # this invocation elsewhere, and prefer the narrower setting that still passes.
  # Both endpoints are sockets local to the test VM, so the weakening is
  # confined to this test.
  testScript = ''
    virthost.succeed("mkdir -p ~/.ssh")
    virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")
    virthost.succeed("chmod 600 ~/.ssh/id_ed25519")

    with subtest("ssh into a container with AF_UNIX"):
      virthost.wait_for_unit("container@guest.service")
      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 unix/run/systemd/nspawn/unix-export/guest/ssh echo meow | grep meow")

    with subtest("elevate permissions using local ssh socket"):
      virthost.wait_for_unit("sshd-unix-local.socket")
      virthost.succeed("sudo --user=nixos mkdir -p /home/nixos/.ssh")
      virthost.succeed("cp ~/.ssh/id_ed25519 /home/nixos/.ssh/id_ed25519")
      virthost.succeed("chmod 600 /home/nixos/.ssh/id_ed25519")
      virthost.succeed("chown nixos /home/nixos/.ssh/id_ed25519")
      virthost.succeed("sudo --user=nixos ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /home/nixos/.ssh/id_ed25519 root@.host whoami | grep root")
  '';
}