| blob | 0e4c3e5f3999af1b52985acfd42443629144db99 |
1 { hostPkgs, ... }: {
2 name = "nixos-rebuild-target-host";
4 # TODO: remove overlay from nixos/modules/profiles/installation-device.nix
5 # make it a _small package instead, then remove pkgsReadOnly = false;.
6 node.pkgsReadOnly = false;
8 nodes = {
9 deployer = { lib, pkgs, ... }: let
10 inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
11 in {
12 imports = [ ../modules/profiles/installation-device.nix ];
14 nix.settings = {
15 substituters = lib.mkForce [ ];
16 hashed-mirrors = null;
17 connect-timeout = 1;
18 };
20 environment.systemPackages = [ pkgs.passh ];
22 system.includeBuildDependencies = true;
24 virtualisation = {
25 cores = 2;
26 memorySize = 2048;
27 };
29 system.build.privateKey = snakeOilPrivateKey;
30 system.build.publicKey = snakeOilPublicKey;
31 # We don't switch on `deployer`, but we need it to have the dependencies
32 # available, to be picked up by system.includeBuildDependencies above.
33 system.switch.enable = true;
34 };
36 target = { nodes, lib, ... }: let
37 targetConfig = {
38 documentation.enable = false;
39 services.openssh.enable = true;
41 users.users.root.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
42 users.users.alice.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
43 users.users.bob.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
45 users.users.alice.extraGroups = [ "wheel" ];
46 users.users.bob.extraGroups = [ "wheel" ];
48 # Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo`
49 security.sudo.extraRules = lib.mkForce [
50 { groups = [ "wheel" ]; commands = [ { command = "ALL"; } ]; }
51 { users = [ "alice" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
52 ];
54 nix.settings.trusted-users = [ "@wheel" ];
55 };
56 in {
57 imports = [ ./common/user-account.nix ];
59 config = lib.mkMerge [
60 targetConfig
61 {
62 system.build = {
63 inherit targetConfig;
64 };
65 system.switch.enable = true;
67 networking.hostName = "target";
68 }
69 ];
70 };
71 };
73 testScript = { nodes, ... }:
74 let
75 sshConfig = builtins.toFile "ssh.conf" ''
76 UserKnownHostsFile=/dev/null
77 StrictHostKeyChecking=no
78 '';
80 targetConfigJSON = hostPkgs.writeText "target-configuration.json"
81 (builtins.toJSON nodes.target.system.build.targetConfig);
83 targetNetworkJSON = hostPkgs.writeText "target-network.json"
84 (builtins.toJSON nodes.target.system.build.networkConfig);
86 configFile = hostname: hostPkgs.writeText "configuration.nix" ''
87 { lib, modulesPath, ... }: {
88 imports = [
89 (modulesPath + "/virtualisation/qemu-vm.nix")
90 (modulesPath + "/testing/test-instrumentation.nix")
91 (modulesPath + "/../tests/common/user-account.nix")
92 (lib.modules.importJSON ./target-configuration.json)
93 (lib.modules.importJSON ./target-network.json)
94 ./hardware-configuration.nix
95 ];
97 boot.loader.grub = {
98 enable = true;
99 device = "/dev/vda";
100 forceInstall = true;
101 };
103 # this will be asserted
104 networking.hostName = "${hostname}";
105 }
106 '';
107 in
108 ''
109 start_all()
110 target.wait_for_open_port(22)
112 deployer.wait_until_succeeds("ping -c1 target")
113 deployer.succeed("install -Dm 600 ${nodes.deployer.system.build.privateKey} ~root/.ssh/id_ecdsa")
114 deployer.succeed("install ${sshConfig} ~root/.ssh/config")
116 target.succeed("nixos-generate-config")
117 deployer.succeed("scp alice@target:/etc/nixos/hardware-configuration.nix /root/hardware-configuration.nix")
119 deployer.copy_from_host("${configFile "config-1-deployed"}", "/root/configuration-1.nix")
120 deployer.copy_from_host("${configFile "config-2-deployed"}", "/root/configuration-2.nix")
121 deployer.copy_from_host("${configFile "config-3-deployed"}", "/root/configuration-3.nix")
122 deployer.copy_from_host("${targetNetworkJSON}", "/root/target-network.json")
123 deployer.copy_from_host("${targetConfigJSON}", "/root/target-configuration.json")
125 # Ensure sudo is disabled for root
126 target.fail("sudo true")
128 # This test also ensures that sudo is not called without --use-remote-sudo
129 with subtest("Deploy to root@target"):
130 deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
131 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
132 assert target_hostname == "config-1-deployed", f"{target_hostname=}"
134 with subtest("Deploy to alice@target with passwordless sudo"):
135 deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console")
136 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
137 assert target_hostname == "config-2-deployed", f"{target_hostname=}"
139 with subtest("Deploy to bob@target with password based sudo"):
140 deployer.succeed("passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P \"\[sudo\] password\" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console")
141 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
142 assert target_hostname == "config-3-deployed", f"{target_hostname=}"
144 with subtest("Deploy works with very long TMPDIR"):
145 tmp_dir = "/var/folder/veryveryveryveryverylongpathnamethatdoesnotworkwithcontrolpath"
146 deployer.succeed(f"mkdir -p {tmp_dir}")
147 deployer.succeed(f"TMPDIR={tmp_dir} nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
148 '';
149 }