commit 1b7b89c4efc7e7338cc68eb0e34db94a43bd2200 · pyrox.dev/nixpkgs

-2

nixos/doc/manual/release-notes/rl-2411.section.md

···

       933
       933
        
       

     

       934
       934
        
       - `buildNimSbom` was added as an alternative to `buildNimPackage`. `buildNimSbom` uses [SBOMs](https://cyclonedx.org/) to generate packages whereas `buildNimPackage` uses a custom JSON lockfile format.

     

       935
       935
        
       

     

       936
       936
       -
       - `services.syncthing.folders.<name>.devices` now accepts an `attrset`, allowing to set `encryptionPassword` file for a device.

     

       937
       937
       -
       

     

       938
       936
        
       ## Detailed Migration Information {#sec-release-24.11-migration}

     

       939
       937
        
       

     

       940
       938
        
       ### `sound` options removal {#sec-release-24.11-migration-sound}

+99 -82

nixos/modules/services/networking/syncthing.nix

···

       59
       59
        
                   let

     

       60
       60
        
                     folderDevices = folder.devices;

     

       61
       61
        
                   in

     

       62
       62
       -
                   if builtins.isList folderDevices then

     

       63
       63
       -
                     map (

     

       64
       64
       -
                       device:

     

       65
       65
       -
                       if builtins.isString device then { deviceId = cfg.settings.devices.${device}.id; } else device

     

       66
       66
       -
                     ) folderDevices

     

       67
       67
       -
                   else if builtins.isAttrs folderDevices then

     

       68
       68
       -
                     mapAttrsToList (

     

       69
       69
       -
                       deviceName: deviceValue: deviceValue // { deviceId = cfg.settings.devices.${deviceName}.id; }

     

       70
       70
       -
                     ) folderDevices

     

       71
       71
       -
                   else

     

       72
       72
       -
                     throw "Invalid type for devices in folder '${folderName}'; expected list or attrset.";

     

       62
       62
       +
                   map (

     

       63
       63
       +
                     device:

     

       64
       64
       +
                     if builtins.isString device then

     

       65
       65
       +
                       { deviceId = cfg.settings.devices.${device}.id; }

     

       66
       66
       +
                     else if builtins.isAttrs device then

     

       67
       67
       +
                       { deviceId = cfg.settings.devices.${device.name}.id; } // device

     

       68
       68
       +
                     else

     

       69
       69
       +
                       throw "Invalid type for devices in folder '${folderName}'; expected list or attrset."

     

       70
       70
       +
                   ) folderDevices;

     

       73
       71
        
               }

     

       74
       72
        
         ) (filterAttrs (_: folder: folder.enable) cfg.settings.folders);

     

       75
       73
        
       

     
···

       142
       140
        
                     (map (

     

       143
       141
        
                       new_cfg:

     

       144
       142
        
                       let

     

       145
       145
       -
                         isSecret = attr: value: builtins.isString value && attr == "encryptionPassword";

     

       146
       146
       -
       

     

       147
       147
       -
                         resolveSecrets =

     

       148
       148
       -
                           attr: value:

     

       149
       149
       -
                           if builtins.isAttrs value then

     

       150
       150
       -
                             # Attribute set: process each attribute

     

       151
       151
       -
                             builtins.mapAttrs (name: val: resolveSecrets name val) value

     

       152
       152
       -
                           else if builtins.isList value then

     

       153
       153
       -
                             # List: process each element

     

       154
       154
       -
                             map (item: resolveSecrets "" item) value

     

       155
       155
       -
                           else if isSecret attr value then

     

       156
       156
       -
                             # String that looks like a path: replace with placeholder

     

       157
       157
       -
                             let

     

       158
       158
       -
                               varName = "secret_${builtins.hashString "sha256" value}";

     

       159
       159
       -
                             in

     

       160
       160
       -
                             "\${${varName}}"

     

       161
       161
       -
                           else

     

       162
       162
       -
                             # Other types: return as is

     

       163
       163
       -
                             value;

     

       164
       164
       -
       

     

       165
       165
       -
                         # Function to collect all file paths from the configuration

     

       166
       166
       -
                         collectPaths =

     

       167
       167
       -
                           attr: value:

     

       168
       168
       -
                           if builtins.isAttrs value then

     

       169
       169
       -
                             concatMap (name: collectPaths name value.${name}) (builtins.attrNames value)

     

       170
       170
       -
                           else if builtins.isList value then

     

       171
       171
       -
                             concatMap (name: collectPaths "" name) value

     

       172
       172
       -
                           else if isSecret attr value then

     

       173
       173
       -
                             [ value ]

     

       174
       174
       -
                           else

     

       175
       175
       -
                             [ ];

     

       176
       176
       -
       

     

       177
       177
       -
                         # Function to generate variable assignments for the secrets

     

       178
       178
       -
                         generateSecretVars =

     

       179
       179
       -
                           paths:

     

       180
       180
       -
                           concatStringsSep "\n" (

     

       181
       181
       -
                             map (

     

       182
       182
       -
                               path:

     

       143
       143
       +
                         jsonPreSecretsFile = pkgs.writeTextFile {

     

       144
       144
       +
                           name = "${conf_type}-${new_cfg.id}-conf-pre-secrets.json";

     

       145
       145
       +
                           text = builtins.toJSON new_cfg;

     

       146
       146
       +
                         };

     

       147
       147
       +
                         injectSecretsJqCmd =

     

       148
       148
       +
                           {

     

       149
       149
       +
                             # There are no secrets in `devs`, so no massaging needed.

     

       150
       150
       +
                             "devs" = "${jq} .";

     

       151
       151
       +
                             "dirs" =

     

       183
       152
        
                               let

     

       184
       184
       -
                                 varName = "secret_${builtins.hashString "sha256" path}";

     

       153
       153
       +
                                 folder = new_cfg;

     

       154
       154
       +
                                 devicesWithSecrets = lib.pipe folder.devices [

     

       155
       155
       +
                                   (lib.filter (device: (builtins.isAttrs device) && device ? encryptionPasswordFile))

     

       156
       156
       +
                                   (map (device: {

     

       157
       157
       +
                                     deviceId = device.deviceId;

     

       158
       158
       +
                                     variableName = "secret_${builtins.hashString "sha256" device.encryptionPasswordFile}";

     

       159
       159
       +
                                     secretPath = device.encryptionPasswordFile;

     

       160
       160
       +
                                   }))

     

       161
       161
       +
                                 ];

     

       162
       162
       +
                                 # At this point, `jsonPreSecretsFile` looks something like this:

     

       163
       163
       +
                                 #

     

       164
       164
       +
                                 #   {

     

       165
       165
       +
                                 #     ...,

     

       166
       166
       +
                                 #     "devices": [

     

       167
       167
       +
                                 #       {

     

       168
       168
       +
                                 #         "deviceId": "id1",

     

       169
       169
       +
                                 #         "encryptionPasswordFile": "/etc/bar-encryption-password",

     

       170
       170
       +
                                 #         "name": "..."

     

       171
       171
       +
                                 #       }

     

       172
       172
       +
                                 #     ],

     

       173
       173
       +
                                 #   }

     

       174
       174
       +
                                 #

     

       175
       175
       +
                                 # We now generate a `jq` command that can replace those

     

       176
       176
       +
                                 # `encryptionPasswordFile`s with `encryptionPassword`.

     

       177
       177
       +
                                 # The `jq` command ends up looking like this:

     

       178
       178
       +
                                 #

     

       179
       179
       +
                                 #   jq --rawfile secret_DEADBEEF /etc/bar-encryption-password '

     

       180
       180
       +
                                 #     .devices[] |= (

     

       181
       181
       +
                                 #       if .deviceId == "id1" then

     

       182
       182
       +
                                 #         del(.encryptionPasswordFile) |

     

       183
       183
       +
                                 #         .encryptionPassword = $secret_DEADBEEF

     

       184
       184
       +
                                 #       else

     

       185
       185
       +
                                 #         .

     

       186
       186
       +
                                 #       end

     

       187
       187
       +
                                 #     )

     

       188
       188
       +
                                 #   '

     

       189
       189
       +
                                 jqUpdates = map (device: ''

     

       190
       190
       +
                                   .devices[] |= (

     

       191
       191
       +
                                     if .deviceId == "${device.deviceId}" then

     

       192
       192
       +
                                       del(.encryptionPasswordFile) |

     

       193
       193
       +
                                       .encryptionPassword = ''$${device.variableName}

     

       194
       194
       +
                                     else

     

       195
       195
       +
                                       .

     

       196
       196
       +
                                     end

     

       197
       197
       +
                                   )

     

       198
       198
       +
                                 '') devicesWithSecrets;

     

       199
       199
       +
                                 jqRawFiles = map (

     

       200
       200
       +
                                   device: "--rawfile ${device.variableName} ${lib.escapeShellArg device.secretPath}"

     

       201
       201
       +
                                 ) devicesWithSecrets;

     

       185
       202
        
                               in

     

       186
       186
       -
                               ''

     

       187
       187
       -
                                 if [ ! -r ${path} ]; then

     

       188
       188
       -
                                   echo "${path} does not exist"

     

       189
       189
       -
                                   exit 1

     

       190
       190
       -
                                 fi

     

       191
       191
       -
                                 ${varName}=$(<${path})

     

       192
       192
       -
                               ''

     

       193
       193
       -
                             ) paths

     

       194
       194
       -
                           );

     

       195
       195
       -
       

     

       196
       196
       -
                         resolved_cfg = resolveSecrets "" new_cfg;

     

       197
       197
       -
                         secretPaths = collectPaths "" new_cfg;

     

       198
       198
       -
                         secretVarsScript = generateSecretVars secretPaths;

     

       199
       199
       -
       

     

       200
       200
       -
                         jsonString = builtins.toJSON resolved_cfg;

     

       201
       201
       -
                         escapedJson = builtins.replaceStrings [ "\"" ] [ "\\\"" ] jsonString;

     

       203
       203
       +
                               "${jq} ${lib.concatStringsSep " " jqRawFiles} ${

     

       204
       204
       +
                                 lib.escapeShellArg (lib.concatStringsSep "|" ([ "." ] ++ jqUpdates))

     

       205
       205
       +
                               }";

     

       206
       206
       +
                           }

     

       207
       207
       +
                           .${conf_type};

     

       202
       208
        
                       in

     

       203
       209
        
                       ''

     

       204
       204
       -
                         ${secretVarsScript}

     

       205
       205
       -
       

     

       206
       206
       -
                         curl -d "${escapedJson}" -X POST ${s.baseAddress}

     

       210
       210
       +
                         ${injectSecretsJqCmd} ${jsonPreSecretsFile} | curl --json @- -X POST ${s.baseAddress}

     

       207
       211
        
                       ''

     

       208
       212
        
                     ))

     

       209
       213
        
                     (lib.concatStringsSep "\n")

     
···

       513
       517
        
                             };

     

       514
       518
        
       

     

       515
       519
        
                             devices = mkOption {

     

       516
       516
       -
                               type = types.oneOf [

     

       517
       517
       -
                                 (types.listOf types.str)

     

       518
       518
       -
                                 (types.attrsOf (

     

       519
       519
       -
                                   types.submodule (

     

       520
       520
       -
                                     { name, ... }:

     

       520
       520
       +
                               type = types.listOf (

     

       521
       521
       +
                                 types.oneOf [

     

       522
       522
       +
                                   types.str

     

       523
       523
       +
                                   (types.submodule (

     

       524
       524
       +
                                     { ... }:

     

       521
       525
        
                                     {

     

       522
       526
        
                                       freeformType = settingsFormat.type;

     

       523
       527
        
                                       options = {

     

       524
       524
       -
                                         encryptionPassword = mkOption {

     

       525
       525
       -
                                           type = types.nullOr types.str;

     

       528
       528
       +
                                         name = mkOption {

     

       529
       529
       +
                                           type = types.str;

     

       530
       530
       +
                                           default = null;

     

       531
       531
       +
                                           description = ''

     

       532
       532
       +
                                             The name of a device defined in the

     

       533
       533
       +
                                             [devices](#opt-services.syncthing.settings.devices)

     

       534
       534
       +
                                             option.

     

       535
       535
       +
                                           '';

     

       536
       536
       +
                                         };

     

       537
       537
       +
                                         encryptionPasswordFile = mkOption {

     

       538
       538
       +
                                           type = types.nullOr (

     

       539
       539
       +
                                             types.pathWith {

     

       540
       540
       +
                                               inStore = false;

     

       541
       541
       +
                                               absolute = true;

     

       542
       542
       +
                                             }

     

       543
       543
       +
                                           );

     

       526
       544
        
                                           default = null;

     

       527
       545
        
                                           description = ''

     

       528
       546
        
                                             Path to encryption password. If set, the file will be read during

     
···

       531
       549
        
                                         };

     

       532
       550
        
                                       };

     

       533
       551
        
                                     }

     

       534
       534
       -
                                   )

     

       535
       535
       -
                                 ))

     

       536
       536
       -
                               ];

     

       552
       552
       +
                                   ))

     

       553
       553
       +
                                 ]

     

       554
       554
       +
                               );

     

       537
       555
        
                               default = [ ];

     

       538
       556
        
                               description = ''

     

       539
       557
        
                                 The devices this folder should be shared with. Each device must

     

       540
       558
        
                                 be defined in the [devices](#opt-services.syncthing.settings.devices) option.

     

       541
       559
        
       

     

       542
       542
       -
                                 Either a list of strings, or an attribute set, where keys are defined in the

     

       543
       543
       -
                                 [devices](#opt-services.syncthing.settings.devices) option, and values are

     

       544
       544
       -
                                 device configurations.

     

       560
       560
       +
                                 A list of either strings or attribute sets, where values

     

       561
       561
       +
                                 are device names or device configurations.

     

       545
       562
        
                               '';

     

       546
       563
        
                             };

     

       547
       564

+1 -1

nixos/tests/all-tests.nix

···

       1219
       1219
        
         syncthing-no-settings = handleTest ./syncthing-no-settings.nix { };

     

       1220
       1220
        
         syncthing-init = handleTest ./syncthing-init.nix { };

     

       1221
       1221
        
         syncthing-many-devices = handleTest ./syncthing-many-devices.nix { };

     

       1222
       1222
       -
         syncthing-folders = handleTest ./syncthing-folders.nix { };

     

       1222
       1222
       +
         syncthing-folders = runTest ./syncthing-folders.nix;

     

       1223
       1223
        
         syncthing-relay = handleTest ./syncthing-relay.nix { };

     

       1224
       1224
        
         sysinit-reactivation = runTest ./sysinit-reactivation.nix;

     

       1225
       1225
        
         systemd = handleTest ./systemd.nix { };

+83 -68

nixos/tests/syncthing-folders.nix

···

       1
       1
       -
       import ../make-test-python.nix (

     

       2
       2
       -
         { lib, pkgs, ... }:

     

       3
       3
       -
         let

     

       4
       4
       -
           genNodeId =

     

       5
       5
       -
             name:

     

       6
       6
       -
             pkgs.runCommand "syncthing-test-certs-${name}" { } ''

     

       7
       7
       -
               mkdir -p $out

     

       8
       8
       -
               ${pkgs.syncthing}/bin/syncthing generate --config=$out

     

       9
       9
       -
               ${pkgs.libxml2}/bin/xmllint --xpath 'string(configuration/device/@id)' $out/config.xml > $out/id

     

       10
       10
       -
             '';

     

       11
       11
       -
           idA = genNodeId "a";

     

       12
       12
       -
           idB = genNodeId "b";

     

       13
       13
       -
           idC = genNodeId "c";

     

       14
       14
       -
           testPasswordFile = pkgs.writeText "syncthing-test-password" "it's a secret";

     

       15
       15
       -
         in

     

       16
       16
       -
         {

     

       17
       17
       -
           name = "syncthing";

     

       18
       18
       -
           meta.maintainers = with pkgs.lib.maintainers; [ zarelit ];

     

       1
       1
       +
       { lib, pkgs, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         genNodeId =

     

       4
       4
       +
           name:

     

       5
       5
       +
           pkgs.runCommand "syncthing-test-certs-${name}" { } ''

     

       6
       6
       +
             mkdir -p $out

     

       7
       7
       +
             ${pkgs.syncthing}/bin/syncthing generate --config=$out

     

       8
       8
       +
             ${pkgs.libxml2}/bin/xmllint --xpath 'string(configuration/device/@id)' $out/config.xml > $out/id

     

       9
       9
       +
           '';

     

       10
       10
       +
         idA = genNodeId "a";

     

       11
       11
       +
         idB = genNodeId "b";

     

       12
       12
       +
         idC = genNodeId "c";

     

       13
       13
       +
         testPassword = "it's a secret";

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         name = "syncthing";

     

       17
       17
       +
         meta.maintainers = with pkgs.lib.maintainers; [ zarelit ];

     

       19
       18
        
       

     

       20
       20
       -
           nodes = {

     

       21
       21
       -
             a = {

     

       19
       19
       +
         nodes = {

     

       20
       20
       +
           a =

     

       21
       21
       +
             { config, ... }:

     

       22
       22
       +
             {

     

       23
       23
       +
               environment.etc.bar-encryption-password.text = testPassword;

     

       22
       24
        
               services.syncthing = {

     

       23
       25
        
                 enable = true;

     

       24
       26
        
                 openDefaultPorts = true;

     
···

       33
       35
        
                   };

     

       34
       36
        
                   folders.bar = {

     

       35
       37
        
                     path = "/var/lib/syncthing/bar";

     

       36
       36
       -
                     devices.c.encryptionPassword = "${testPasswordFile}";

     

       38
       38
       +
                     devices = [

     

       39
       39
       +
                       {

     

       40
       40
       +
                         name = "c";

     

       41
       41
       +
                         encryptionPasswordFile = "/etc/${config.environment.etc.bar-encryption-password.target}";

     

       42
       42
       +
                       }

     

       43
       43
       +
                     ];

     

       37
       44
        
                   };

     

       38
       45
        
                 };

     

       39
       46
        
               };

     

       40
       47
        
             };

     

       41
       41
       -
             b = {

     

       48
       48
       +
           b =

     

       49
       49
       +
             { config, ... }:

     

       50
       50
       +
             {

     

       51
       51
       +
               environment.etc.bar-encryption-password.text = testPassword;

     

       42
       52
        
               services.syncthing = {

     

       43
       53
        
                 enable = true;

     

       44
       54
        
                 openDefaultPorts = true;

     
···

       53
       63
        
                   };

     

       54
       64
        
                   folders.bar = {

     

       55
       65
        
                     path = "/var/lib/syncthing/bar";

     

       56
       56
       -
                     devices.c.encryptionPassword = "${testPasswordFile}";

     

       66
       66
       +
                     devices = [

     

       67
       67
       +
                       {

     

       68
       68
       +
                         name = "c";

     

       69
       69
       +
                         encryptionPasswordFile = "/etc/${config.environment.etc.bar-encryption-password.target}";

     

       70
       70
       +
                       }

     

       71
       71
       +
                     ];

     

       57
       72
        
                   };

     

       58
       73
        
                 };

     

       59
       74
        
               };

     

       60
       75
        
             };

     

       61
       61
       -
             c = {

     

       62
       62
       -
               services.syncthing = {

     

       63
       63
       -
                 enable = true;

     

       64
       64
       -
                 openDefaultPorts = true;

     

       65
       65
       -
                 cert = "${idC}/cert.pem";

     

       66
       66
       -
                 key = "${idC}/key.pem";

     

       67
       67
       -
                 settings = {

     

       68
       68
       -
                   devices.a.id = lib.fileContents "${idA}/id";

     

       69
       69
       -
                   devices.b.id = lib.fileContents "${idB}/id";

     

       70
       70
       -
                   folders.bar = {

     

       71
       71
       -
                     path = "/var/lib/syncthing/bar";

     

       72
       72
       -
                     devices = [

     

       73
       73
       -
                       "a"

     

       74
       74
       -
                       "b"

     

       75
       75
       -
                     ];

     

       76
       76
       -
                     type = "receiveencrypted";

     

       77
       77
       -
                   };

     

       76
       76
       +
           c = {

     

       77
       77
       +
             services.syncthing = {

     

       78
       78
       +
               enable = true;

     

       79
       79
       +
               openDefaultPorts = true;

     

       80
       80
       +
               cert = "${idC}/cert.pem";

     

       81
       81
       +
               key = "${idC}/key.pem";

     

       82
       82
       +
               settings = {

     

       83
       83
       +
                 devices.a.id = lib.fileContents "${idA}/id";

     

       84
       84
       +
                 devices.b.id = lib.fileContents "${idB}/id";

     

       85
       85
       +
                 folders.bar = {

     

       86
       86
       +
                   path = "/var/lib/syncthing/bar";

     

       87
       87
       +
                   devices = [

     

       88
       88
       +
                     "a"

     

       89
       89
       +
                     "b"

     

       90
       90
       +
                   ];

     

       91
       91
       +
                   type = "receiveencrypted";

     

       78
       92
        
                 };

     

       79
       93
        
               };

     

       80
       94
        
             };

     

       81
       95
        
           };

     

       96
       96
       +
         };

     

       82
       97
        
       

     

       83
       83
       -
           testScript = ''

     

       84
       84
       -
             start_all()

     

       98
       98
       +
         testScript = ''

     

       99
       99
       +
           start_all()

     

       85
       100
        
       

     

       86
       86
       -
             a.wait_for_unit("syncthing.service")

     

       87
       87
       -
             b.wait_for_unit("syncthing.service")

     

       88
       88
       -
             c.wait_for_unit("syncthing.service")

     

       89
       89
       -
             a.wait_for_open_port(22000)

     

       90
       90
       -
             b.wait_for_open_port(22000)

     

       91
       91
       -
             c.wait_for_open_port(22000)

     

       101
       101
       +
           a.wait_for_unit("syncthing.service")

     

       102
       102
       +
           b.wait_for_unit("syncthing.service")

     

       103
       103
       +
           c.wait_for_unit("syncthing.service")

     

       104
       104
       +
           a.wait_for_open_port(22000)

     

       105
       105
       +
           b.wait_for_open_port(22000)

     

       106
       106
       +
           c.wait_for_open_port(22000)

     

       92
       107
        
       

     

       93
       93
       -
             # Test foo

     

       108
       108
       +
           # Test foo

     

       94
       109
        
       

     

       95
       95
       -
             a.wait_for_file("/var/lib/syncthing/foo")

     

       96
       96
       -
             b.wait_for_file("/var/lib/syncthing/foo")

     

       110
       110
       +
           a.wait_for_file("/var/lib/syncthing/foo")

     

       111
       111
       +
           b.wait_for_file("/var/lib/syncthing/foo")

     

       97
       112
        
       

     

       98
       98
       -
             a.succeed("echo a2b > /var/lib/syncthing/foo/a2b")

     

       99
       99
       -
             b.succeed("echo b2a > /var/lib/syncthing/foo/b2a")

     

       113
       113
       +
           a.succeed("echo a2b > /var/lib/syncthing/foo/a2b")

     

       114
       114
       +
           b.succeed("echo b2a > /var/lib/syncthing/foo/b2a")

     

       100
       115
        
       

     

       101
       101
       -
             a.wait_for_file("/var/lib/syncthing/foo/b2a")

     

       102
       102
       -
             b.wait_for_file("/var/lib/syncthing/foo/a2b")

     

       116
       116
       +
           a.wait_for_file("/var/lib/syncthing/foo/b2a")

     

       117
       117
       +
           b.wait_for_file("/var/lib/syncthing/foo/a2b")

     

       103
       118
        
       

     

       104
       104
       -
             # Test bar

     

       119
       119
       +
           # Test bar

     

       105
       120
        
       

     

       106
       106
       -
             a.wait_for_file("/var/lib/syncthing/bar")

     

       107
       107
       -
             b.wait_for_file("/var/lib/syncthing/bar")

     

       108
       108
       -
             c.wait_for_file("/var/lib/syncthing/bar")

     

       121
       121
       +
           a.wait_for_file("/var/lib/syncthing/bar")

     

       122
       122
       +
           b.wait_for_file("/var/lib/syncthing/bar")

     

       123
       123
       +
           c.wait_for_file("/var/lib/syncthing/bar")

     

       109
       124
        
       

     

       110
       110
       -
             a.succeed("echo plaincontent > /var/lib/syncthing/bar/plainname")

     

       125
       125
       +
           a.succeed("echo plaincontent > /var/lib/syncthing/bar/plainname")

     

       111
       126
        
       

     

       112
       112
       -
             # B should be able to decrypt, check that content of file matches

     

       113
       113
       -
             b.wait_for_file("/var/lib/syncthing/bar/plainname")

     

       114
       114
       -
             b.succeed("grep plaincontent /var/lib/syncthing/bar/plainname")

     

       127
       127
       +
           # B should be able to decrypt, check that content of file matches

     

       128
       128
       +
           b.wait_for_file("/var/lib/syncthing/bar/plainname")

     

       129
       129
       +
           file_contents = b.succeed("cat /var/lib/syncthing/bar/plainname")

     

       130
       130
       +
           assert "plaincontent\n" == file_contents, f"Unexpected file contents: {file_contents=}"

     

       115
       131
        
       

     

       116
       116
       -
             # Bar on C is untrusted, check that content is not in cleartext

     

       117
       117
       -
             c.fail("grep -R plaincontent /var/lib/syncthing/bar")

     

       118
       118
       -
           '';

     

       119
       119
       -
         }

     

       120
       120
       -
       )

     

       132
       132
       +
           # Bar on C is untrusted, check that content is not in cleartext

     

       133
       133
       +
           c.fail("grep -R plaincontent /var/lib/syncthing/bar")

     

       134
       134
       +
         '';

     

       135
       135
       +
       }