nixos-anywhere/tests/from-nixos-with-sudo.nix

(import ./lib/test-base.nix) {
  name = "from-nixos-with-sudo";
  nodes = {
    installer = ./modules/installer.nix;
    installed = {
      services.openssh.enable = true;
      virtualisation.memorySize = 4096;

      users.users.nixos = {
        isNormalUser = true;
        openssh.authorizedKeys.keyFiles = [ ./modules/ssh-keys/ssh.pub ];
        extraGroups = [ "wheel" ];
      };
      security.sudo.enable = true;
      security.sudo.wheelNeedsPassword = false;
    };
  };
  testScript = ''
    start_all()
    installer.succeed("echo super-secret > /tmp/disk-1.key")
    output = installer.succeed("""
      nixos-anywhere \
        --debug \
        --kexec /etc/nixos-anywhere/kexec-installer \
        --stop-after-disko \
        --disk-encryption-keys /tmp/disk-1.key /tmp/disk-1.key \
        --disk-encryption-keys /tmp/disk-2.key <(echo another-secret) \
        --store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \
        nixos@installed >&2
      echo "disk-1.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
        root@installed cat /tmp/disk-1.key)'"
      echo "disk-2.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
        root@installed cat /tmp/disk-2.key)'"
    """)

    assert "disk-1.key: 'super-secret'" in output, f"output does not contain expected values: {output}"
    assert "disk-2.key: 'another-secret'" in output, f"output does not contain expected values: {output}"
  '';
}
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`(import ./lib/test-base.nix) {`
unique test names 2022-12-31 15:34:50 +03:00			`name = "from-nixos-with-sudo";`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`nodes = {`
			`installer = ./modules/installer.nix;`
nixos-remote.sh: generate temporary ssh-key we use this so the code has less branches for different ssh-key usecases 2023-01-12 23:23:45 +03:00			`installed = {`
			`services.openssh.enable = true;`
			`virtualisation.memorySize = 4096;`

			`users.users.nixos = {`
			`isNormalUser = true;`
			`openssh.authorizedKeys.keyFiles = [ ./modules/ssh-keys/ssh.pub ];`
			`extraGroups = [ "wheel" ];`
			`};`
			`security.sudo.enable = true;`
			`security.sudo.wheelNeedsPassword = false;`
			`};`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`};`
			`testScript = ''`
			`start_all()`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`installer.succeed("echo super-secret > /tmp/disk-1.key")`
test --disk-encryption-keys in sudo test 2022-12-31 15:34:37 +03:00			`output = installer.succeed("""`
rename nixos-remote to nixos-anywhere 2023-02-01 21:49:46 +03:00			`nixos-anywhere \`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`--debug \`
rename nixos-remote to nixos-anywhere 2023-02-01 21:49:46 +03:00			`--kexec /etc/nixos-anywhere/kexec-installer \`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`--stop-after-disko \`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`--disk-encryption-keys /tmp/disk-1.key /tmp/disk-1.key \`
			`--disk-encryption-keys /tmp/disk-2.key <(echo another-secret) \`
rename nixos-remote to nixos-anywhere 2023-02-01 21:49:46 +03:00			`--store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`nixos@installed >&2`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`echo "disk-1.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \`
			`root@installed cat /tmp/disk-1.key)'"`
			`echo "disk-2.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \`
			`root@installed cat /tmp/disk-2.key)'"`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`""")`
test --disk-encryption-keys in sudo test 2022-12-31 15:34:37 +03:00
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`assert "disk-1.key: 'super-secret'" in output, f"output does not contain expected values: {output}"`
			`assert "disk-2.key: 'another-secret'" in output, f"output does not contain expected values: {output}"`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`'';`
			`}`