commit
de657061b1
2 changed files with 29 additions and 9 deletions
|
@ -3,13 +3,17 @@
|
||||||
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
||||||
|
|
||||||
system.activationScripts.installSSHHostKeys.text = ''
|
system.activationScripts.installSSHHostKeys.text = ''
|
||||||
mkdir -p /etc/ssh
|
mkdir -p /etc/ssh /home/user1/.ssh
|
||||||
(umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
|
(
|
||||||
|
umask u=rw,g=r,o=r
|
||||||
|
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
|
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
|
||||||
|
)
|
||||||
(
|
(
|
||||||
umask u=rw,g=,o=
|
umask u=rw,g=,o=
|
||||||
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
||||||
|
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
|
||||||
touch /etc/ssh/ssh_host_rsa_key
|
touch /etc/ssh/ssh_host_rsa_key
|
||||||
)
|
)
|
||||||
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
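Review bot: `mkdir -p /etc/ssh /home/user1/.ssh` runs as root in an activation script with no dependency on the users step, so `/home/user1` and `/home/user1/.ssh` are created root-owned under the script's default umask, and `/home/user1/.ssh/id_ed25519` is then copied as root with mode 0600 — user1 cannot read its own identity. The integration test passes only because the driver's `succeed` runs commands as root; any later test that exercises agenix as user1 would fail on permissions. Consider creating the directory under the restrictive umask and fixing ownership once the account exists, for example by adding `"users"` to this script's `deps` and appending `chown -R user1 /home/user1/.ssh`; this is hedged because the users activation script, and how it treats a pre-existing home directory, is outside this hunk.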
@ -6,13 +6,12 @@
|
||||||
config = {};
|
config = {};
|
||||||
},
|
},
|
||||||
system ? builtins.currentSystem,
|
system ? builtins.currentSystem,
|
||||||
} @ args:
|
}:
|
||||||
import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
pkgs.nixosTest {
|
||||||
name = "agenix-integration";
|
name = "agenix-integration";
|
||||||
|
|
||||||
nodes.system1 = {
|
nodes.system1 = {
|
||||||
config,
|
config,
|
||||||
lib,
|
pkgs,
|
||||||
options,
|
options,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
|
@ -29,6 +28,10 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
||||||
|
|
||||||
age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
|
age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
(pkgs.callPackage ../pkgs/agenix.nix {})
|
||||||
|
];
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
mutableUsers = false;
|
mutableUsers = false;
|
||||||
|
|
||||||
|
@ -61,6 +64,19 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
|
||||||
system1.send_chars("whoami > /tmp/1\n")
|
system1.send_chars("whoami > /tmp/1\n")
|
||||||
system1.wait_for_file("/tmp/1")
|
system1.wait_for_file("/tmp/1")
|
||||||
assert "${user}" in system1.succeed("cat /tmp/1")
|
assert "${user}" in system1.succeed("cat /tmp/1")
|
||||||
|
|
||||||
|
system1.succeed('cp -a "${../example}/." /tmp/secrets')
|
||||||
|
system1.succeed('chmod u+w /tmp/secrets/*.age')
|
||||||
|
|
||||||
|
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||||
|
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
|
||||||
|
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||||
|
|
||||||
|
# Ensure we actually have hashes
|
||||||
|
for h in [before_hash, after_hash]:
|
||||||
|
assert len(h) == 2, "hash should be [hash, filename]"
|
||||||
|
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
||||||
|
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||||
|
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||||
'';
|
'';
|
||||||
})
|
}
|
||||||
args
|
|
||||||
|
|
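Review bot: The rekey check at `assert before_hash[0] != after_hash[0]` only proves the file bytes changed, not that the rewritten file is still valid age ciphertext decryptable by its recipients; a rekey that wrote a truncated or corrupt file would pass. Add a decryption round-trip after the hash comparison, e.g. `print(system1.succeed('cd /tmp/secrets; agenix -d passwordfile-user1.age -i /home/user1/.ssh/id_ed25519'))`, hedged because whether user1's key is a recipient of that file in the example secrets.nix is outside this hunk. The `chmod u+w /tmp/secrets/*.age` line also deserves a why-comment, since `cp -a` preserves the read-only store modes: `# cp -a keeps the store's read-only mode; agenix -r rewrites the .age files in place`.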