mirror of https://github.com/ryantm/agenix.git
Ryan Mulligan
GitHub
commit
de657061b1
|
|
@ -3,13 +3,17 @@
|
|||
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
||||
|
||||
system.activationScripts.installSSHHostKeys.text = ''
|
||||
mkdir -p /etc/ssh
|
||||
(umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
|
||||
mkdir -p /etc/ssh /home/user1/.ssh
|
||||
(
|
||||
umask u=rw,g=r,o=r
|
||||
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
|
||||
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
|
||||
)
|
||||
(
|
||||
umask u=rw,g=,o=
|
||||
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
||||
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
|
||||
touch /etc/ssh/ssh_host_rsa_key
|
||||
)
|
||||
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,13 +6,12 @@
|
|||
config = {};
|
||||
},
|
||||
system ? builtins.currentSystem,
|
||||
} @ args:
|
||||
import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
||||
}:
|
||||
pkgs.nixosTest {
|
||||
name = "agenix-integration";
|
||||
|
||||
nodes.system1 = {
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}: {
|
||||
|
|
@ -29,6 +28,10 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
|||
|
||||
age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.callPackage ../pkgs/agenix.nix {})
|
||||
];
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
|
||||
|
|
@ -61,6 +64,19 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
|||
system1.send_chars("whoami > /tmp/1\n")
|
||||
system1.wait_for_file("/tmp/1")
|
||||
assert "${user}" in system1.succeed("cat /tmp/1")
|
||||
|
||||
system1.succeed('cp -a "${../example}/." /tmp/secrets')
|
||||
system1.succeed('chmod u+w /tmp/secrets/*.age')
|
||||
|
||||
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
|
||||
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||
|
||||
# Ensure we actually have hashes
|
||||
for h in [before_hash, after_hash]:
|
||||
assert len(h) == 2, "hash should be [hash, filename]"
|
||||
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
||||
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||
'';
|
||||
})
|
||||
args
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue