Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add a NixOS test for setting a user's passwordFile with agenix; and some features/fixes this required #40

Merged
merged 3 commits into from
May 10, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions example/passwordfile-user1.age
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
-> V'v(/u$-grease em/Vgf 2qDuk
7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
�'K�ƷY&�7G�O��Fj�k�X�BnuJ��:9�(���X�#�A����ڧj�,�_���?�Z��v��V�96]oks~%�c �e^C�%JQ5�<H�z}�C�,�p��*!W���A���҅dC�K)��-�y
1 change: 1 addition & 0 deletions example/secrets.nix
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,5 @@ in
{
"secret1.age".publicKeys = [ user1 system1 ];
"secret2.age".publicKeys = [ user1 ];
"passwordfile-user1.age".publicKeys = [ user1 system1 ];
}
13 changes: 8 additions & 5 deletions modules/age.nix
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,13 @@ let
mv -f "$TMP_FILE" '${secretType.path}'
'';

rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
isNotRootSecret = st: !(isRootSecret st);

rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));

nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));

secretType = types.submodule ({ config, ... }: {
Expand Down Expand Up @@ -62,14 +65,14 @@ let
};
owner = mkOption {
type = types.str;
default = "root";
default = "0";
description = ''
User of the file.
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group;
default = users.${config.owner}.group or "0";
description = ''
Group of the file.
'';
Expand Down Expand Up @@ -105,7 +108,7 @@ in

# Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = installRootOwnedSecrets;
system.activationScripts.agenixRoot.text = installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ];

# Other secrets need to wait for users and groups to exist.
Expand Down
15 changes: 15 additions & 0 deletions test/install_ssh_host_keys.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Do not copy this! It is insecure. This is only okay because we are testing.
{
system.activationScripts.agenixRoot.deps = [ "installSSHHostKeys" ];

system.activationScripts.installSSHHostKeys.text = ''
mkdir -p /etc/ssh
(umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
(
umask u=rw,g=,o=
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
touch /etc/ssh/ssh_host_rsa_key
)

'';
}
58 changes: 58 additions & 0 deletions test/integration.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
nixpkgs ? <nixpkgs>,
pkgs ? import <nixpkgs> { inherit system; config = {}; },
system ? builtins.currentSystem
} @args:

import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
name = "agenix-integration";

nodes.system1 = { config, lib, ... }: {

imports = [
../modules/age.nix
./install_ssh_host_keys.nix
];

services.openssh.enable = true;

age.secrets.passwordfile-user1 = {
file = ../example/passwordfile-user1.age;
};

users = {
mutableUsers = false;

users = {
user1 = {
isNormalUser = true;
passwordFile = config.age.secrets.passwordfile-user1.path;
};
};
};

};

testScript =
let
user = "user1";
password = "password1234";
in ''
system1.wait_for_unit("multi-user.target")
system1.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
system1.sleep(2)
system1.send_key("alt-f2")
system1.wait_until_succeeds(f"[ $(fgconsole) = 2 ]")
system1.wait_for_unit(f"getty@tty2.service")
system1.wait_until_succeeds(f"pgrep -f 'agetty.*tty2'")
system1.wait_until_tty_matches(2, "login: ")
system1.send_chars("${user}\n")
system1.wait_until_tty_matches(2, "login: ${user}")
system1.wait_until_succeeds("pgrep login")
system1.sleep(2)
system1.send_chars("${password}\n")
system1.send_chars("whoami > /tmp/1\n")
system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1")
'';
}) args