| blob | 887d2d312eb7cec780b2755a52bab706f2be0f4c |
1 { lib, ... }:
3 let
4 normaloHashedPassword = "$y$j9T$IEWqhKtWg.r.8fVkSEF56.$iKNxdMC6hOAQRp6eBtYvBk4c7BGpONXeZMqc8I/LM46";
6 common = {
7 services.userborn.enable = true;
8 users.mutableUsers = false;
9 };
10 in
12 {
14 name = "userborn-immutable-users";
16 meta.maintainers = with lib.maintainers; [ nikstur ];
18 nodes.machine =
19 { config, ... }:
20 {
21 imports = [ common ];
23 users = {
24 users = {
25 normalo = {
26 isNormalUser = true;
27 hashedPassword = normaloHashedPassword;
28 };
29 };
30 };
32 specialisation.new-generation = {
33 inheritParentConfig = false;
34 configuration = {
35 nixpkgs = {
36 inherit (config.nixpkgs) hostPlatform;
37 };
38 imports = [ common ];
40 users.users = {
41 new-normalo = {
42 isNormalUser = true;
43 };
44 };
45 };
46 };
47 };
49 testScript = ''
50 machine.wait_for_unit("userborn.service")
52 with subtest("normalo user is created"):
53 assert "${normaloHashedPassword}" in machine.succeed("getent shadow normalo"), "normalo user password is not correct"
55 with subtest("Fail to add new user manually"):
56 machine.fail("useradd manual-normalo")
58 with subtest("Fail to add delete user manually"):
59 machine.fail("userdel normalo")
62 machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")
65 with subtest("normalo user is disabled"):
66 print(machine.succeed("getent shadow normalo"))
67 assert "!*" in machine.succeed("getent shadow normalo"), "normalo user is not disabled"
69 with subtest("new-normalo user is created after switching to new generation"):
70 print(machine.succeed("getent passwd new-normalo"))
72 with subtest("Still fail to add new user manually"):
73 machine.fail("useradd again-normalo")
74 '';
75 }