depot/nixos/tests/systemd-sysusers-mutable.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

78 lines
2.7 KiB
Nix

{ lib, ... }:
let
rootPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
sysuserPassword = "hello";
newSysuserPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
in
{
name = "activation-sysusers-mutable";
meta.maintainers = with lib.maintainers; [ nikstur ];
nodes.machine = { pkgs, ... }: {
systemd.sysusers.enable = true;
users.mutableUsers = true;
# Prerequisites
system.etc.overlay.enable = true;
boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# Override the empty root password set by the test instrumentation
users.users.root.hashedPasswordFile = lib.mkForce null;
users.users.root.initialHashedPassword = rootPassword;
users.users.sysuser = {
isSystemUser = true;
group = "wheel";
home = "/sysuser";
initialPassword = sysuserPassword;
};
specialisation.new-generation.configuration = {
users.users.new-sysuser = {
isSystemUser = true;
group = "wheel";
home = "/new-sysuser";
initialHashedPassword = newSysuserPassword;
};
};
};
testScript = ''
machine.wait_for_unit("systemd-sysusers.service")
with subtest("systemd-sysusers.service contains the credentials"):
sysusers_service = machine.succeed("systemctl cat systemd-sysusers.service")
print(sysusers_service)
assert "SetCredential=passwd.plaintext-password.sysuser:${sysuserPassword}" in sysusers_service
with subtest("Correct mode on the password files"):
assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
assert machine.succeed("stat -c '%a' /etc/group") == "644\n"
assert machine.succeed("stat -c '%a' /etc/shadow") == "0\n"
assert machine.succeed("stat -c '%a' /etc/gshadow") == "0\n"
with subtest("root user has correct password"):
print(machine.succeed("getent passwd root"))
assert "${rootPassword}" in machine.succeed("getent shadow root"), "root user password is not correct"
with subtest("sysuser user is created"):
print(machine.succeed("getent passwd sysuser"))
assert machine.succeed("stat -c '%U' /sysuser") == "sysuser\n"
with subtest("Manually add new user"):
machine.succeed("useradd manual-sysuser")
machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")
with subtest("new-sysuser user is created after switching to new generation"):
print(machine.succeed("getent passwd new-sysuser"))
assert machine.succeed("stat -c '%U' /new-sysuser") == "new-sysuser\n"
assert "${newSysuserPassword}" in machine.succeed("getent shadow new-sysuser"), "new-sysuser user password is not correct"
'';
}