depot/nixos/tests/initrd-secrets-changing.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

57 lines
1.6 KiB
Nix

{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
}:
let
secret1InStore = pkgs.writeText "topsecret" "iamasecret1";
secret2InStore = pkgs.writeText "topsecret" "iamasecret2";
in
testing.makeTest {
name = "initrd-secrets-changing";
nodes.machine = { ... }: {
virtualisation.useBootLoader = true;
boot.loader.grub.device = "/dev/vda";
boot.initrd.secrets = {
"/test" = secret1InStore;
"/run/keys/test" = secret1InStore;
};
boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
specialisation.secrets2System.configuration = {
boot.initrd.secrets = lib.mkForce {
"/test" = secret2InStore;
"/run/keys/test" = secret2InStore;
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
machine.succeed(
"cmp ${secret1InStore} /secret-from-initramfs",
"cmp ${secret1InStore} /run/keys/test",
)
# Select the second boot entry corresponding to the specialisation secrets2System.
machine.succeed("grub-reboot 1")
machine.shutdown()
with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
machine.succeed(
"cmp ${secret2InStore} /secret-from-initramfs",
"cmp ${secret2InStore} /run/keys/test",
)
machine.shutdown()
'';
}