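# NixOS VM test: with userborn enabled and users.mutableUsers = false, the user
# database is expected to be managed only through the system configuration.
# The test script checks that manual useradd/userdel fail, and that switching
# to a generation which no longer declares a user leaves that user's shadow
# entry in place but marked with "!*".
{ lib, ... }:

let
  # Fixture hash used only by this test (yescrypt, "$y$" prefix).
  # Anything set through hashedPassword is written to the Nix store, which is
  # world-readable; real systems should prefer users.users.<name>.hashedPasswordFile.
  normaloHashedPassword = "$y$j9T$IEWqhKtWg.r.8fVkSEF56.$iKNxdMC6hOAQRp6eBtYvBk4c7BGpONXeZMqc8I/LM46";

  # Settings shared by the base system and the specialisation.
  common = {
    services.userborn.enable = true;
    users.mutableUsers = false;
  };
in

{

  name = "userborn-immutable-users";

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =
    { config, ... }:
    {
      imports = [ common ];

      # Base generation: one declared user with a known password hash.
      users.users.normalo = {
        isNormalUser = true;
        hashedPassword = normaloHashedPassword;
      };

      # Second generation that does NOT inherit the parent configuration, so
      # `normalo` is no longer declared there and only `new-normalo` is.
      specialisation.new-generation = {
        inheritParentConfig = false;
        configuration = {
          # Nothing is inherited from the parent, so the platform is passed on explicitly.
          nixpkgs = {
            inherit (config.nixpkgs) hostPlatform;
          };
          imports = [ common ];

          users.users.new-normalo = {
            isNormalUser = true;
          };
        };
      };
    };

  testScript = ''
    machine.wait_for_unit("userborn.service")

    with subtest("normalo user is created"):
      assert "${normaloHashedPassword}" in machine.succeed("getent shadow normalo"), "normalo user password is not correct"

    # With immutable users, out-of-band changes to the user database must be rejected.
    with subtest("Fail to add new user manually"):
      machine.fail("useradd manual-normalo")

    with subtest("Fail to delete user manually"):
      machine.fail("userdel normalo")


    machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")


    # normalo is not declared in the new generation. Its shadow entry must still
    # exist (getent succeeds) and contain "!*", which is not a valid password hash.
    # This covers password authentication only; other login methods are not checked here.
    with subtest("normalo user is disabled"):
      # Query once so the logged entry is exactly the one that is asserted on.
      shadow_entry = machine.succeed("getent shadow normalo")
      print(shadow_entry)
      assert "!*" in shadow_entry, "normalo user is not disabled"

    # machine.succeed fails the test if getent does not find the user.
    with subtest("new-normalo user is created after switching to new generation"):
      print(machine.succeed("getent passwd new-normalo"))

    with subtest("Still fail to add new user manually"):
      machine.fail("useradd again-normalo")
  '';
}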