2
-
common = { pkgs, ... }: {
1
+
import ./make-test-python.nix {
4
+
nodes.machine = { pkgs, ... }: {
security.dhparams.enable = true;
environment.systemPackages = [ pkgs.openssl ];
7
-
in import ./make-test-python.nix {
9
+
gen1.configuration = { config, ... }: {
10
+
security.dhparams.params = {
11
+
# Use low values here because we don't want the test to run for ages.
13
+
# Also use the old format to make sure the type is coerced in the right
10
-
nodes.generation1 = { pkgs, config, ... }: {
11
-
imports = [ common ];
12
-
security.dhparams.params = {
13
-
# Use low values here because we don't want the test to run for ages.
15
-
# Also use the old format to make sure the type is coerced in the right
18
+
systemd.services.foo = {
19
+
description = "Check systemd Ordering";
20
+
wantedBy = [ "multi-user.target" ];
22
+
# This is to make sure that the dhparams generation of foo occurs
23
+
# before this service so we need this service to start as early as
24
+
# possible to provoke a race condition.
25
+
DefaultDependencies = false;
20
-
systemd.services.foo = {
21
-
description = "Check systemd Ordering";
22
-
wantedBy = [ "multi-user.target" ];
24
-
# This is to make sure that the dhparams generation of foo occurs
25
-
# before this service so we need this service to start as early as
26
-
# possible to provoke a race condition.
27
-
DefaultDependencies = false;
29
-
# We check later whether the service has been started or not.
30
-
ConditionPathExists = config.security.dhparams.params.foo.path;
27
+
# We check later whether the service has been started or not.
28
+
ConditionPathExists = config.security.dhparams.params.foo.path;
30
+
serviceConfig.Type = "oneshot";
31
+
serviceConfig.RemainAfterExit = true;
32
+
# The reason we only provide an ExecStop here is to ensure that we don't
33
+
# accidentally trigger an error because a file system is not yet ready
34
+
# during very early startup (we might not even have the Nix store
35
+
# available, for example if future changes in NixOS use systemd mount
36
+
# units to do early file system initialisation).
37
+
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
32
-
serviceConfig.Type = "oneshot";
33
-
serviceConfig.RemainAfterExit = true;
34
-
# The reason we only provide an ExecStop here is to ensure that we don't
35
-
# accidentally trigger an error because a file system is not yet ready
36
-
# during very early startup (we might not even have the Nix store
37
-
# available, for example if future changes in NixOS use systemd mount
38
-
# units to do early file system initialisation).
39
-
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
40
+
gen2.configuration = {
41
+
security.dhparams.params.foo.bits = 1026;
43
+
gen3.configuration = {};
44
+
gen4.configuration = {
45
+
security.dhparams.stateful = false;
46
+
security.dhparams.params.foo2.bits = 1027;
47
+
security.dhparams.params.bar2.bits = 1028;
49
+
gen5.configuration = {
50
+
security.dhparams.defaultBitSize = 1029;
51
+
security.dhparams.params.foo3 = {};
52
+
security.dhparams.params.bar3 = {};
43
-
nodes.generation2 = {
44
-
imports = [ common ];
45
-
security.dhparams.params.foo.bits = 18;
48
-
nodes.generation3 = common;
50
-
nodes.generation4 = {
51
-
imports = [ common ];
52
-
security.dhparams.stateful = false;
53
-
security.dhparams.params.foo2.bits = 18;
54
-
security.dhparams.params.bar2.bits = 19;
57
-
nodes.generation5 = {
58
-
imports = [ common ];
59
-
security.dhparams.defaultBitSize = 30;
60
-
security.dhparams.params.foo3 = {};
61
-
security.dhparams.params.bar3 = {};
testScript = { nodes, ... }: let
getParamPath = gen: name: let
66
-
node = "generation${toString gen}";
67
-
in nodes.${node}.config.security.dhparams.params.${name}.path;
59
+
node = "gen${toString gen}";
60
+
in nodes.machine.config.specialisation.${node}.configuration.security.dhparams.params.${name}.path;
switchToGeneration = gen: let
70
-
node = "generation${toString gen}";
71
-
inherit (nodes.${node}.config.system.build) toplevel;
72
-
switchCmd = "${toplevel}/bin/switch-to-configuration test";
63
+
switchCmd = "${nodes.machine.config.system.build.toplevel}/specialisation/gen${toString gen}/bin/switch-to-configuration test";
with machine.nested("switch to generation ${toString gen}"):
66
+
machine.succeed("${switchCmd}")
if match[1] != str(bits):
raise Exception(f"bit size should be {bits} but it is {match[1]} instead.")
96
-
machine = generation1
machine.wait_for_unit("multi-user.target")
84
+
${switchToGeneration 1}
with subtest("verify startup order"):
machine.succeed("systemctl is-active foo.service")
with subtest("check bit sizes of dhparam files"):
104
-
assert_param_bits("${getParamPath 1 "foo"}", 16)
105
-
assert_param_bits("${getParamPath 1 "bar"}", 17)
90
+
assert_param_bits("${getParamPath 1 "foo"}", 1024)
91
+
assert_param_bits("${getParamPath 1 "bar"}", 1025)
with subtest("check whether bit size has changed"):
110
-
assert_param_bits("${getParamPath 2 "foo"}", 18)
96
+
assert_param_bits("${getParamPath 2 "foo"}", 1026)
with subtest("ensure that dhparams file for 'bar' was deleted"):
machine.fail("test -e ${getParamPath 1 "bar"}")
with subtest("ensure that 'security.dhparams.path' has been deleted"):
118
-
machine.fail("test -e ${nodes.generation3.config.security.dhparams.path}")
104
+
machine.fail("test -e ${nodes.machine.config.specialisation.gen3.configuration.security.dhparams.path}")
with subtest("check bit sizes dhparam files"):
124
-
"${getParamPath 4 "foo2"}", 18
110
+
"${getParamPath 4 "foo2"}", 1027
127
-
"${getParamPath 4 "bar2"}", 19
113
+
"${getParamPath 4 "bar2"}", 1028
with subtest("check whether dhparam files are in the Nix store"):
with subtest("check whether defaultBitSize works as intended"):
139
-
assert_param_bits("${getParamPath 5 "foo3"}", 30)
140
-
assert_param_bits("${getParamPath 5 "bar3"}", 30)
125
+
assert_param_bits("${getParamPath 5 "foo3"}", 1029)
126
+
assert_param_bits("${getParamPath 5 "bar3"}", 1029)