path: root/nixos/tests/initrd-secrets.nix
# NixOS VM tests for `boot.initrd.secrets`: one test per initrd compressor.
# Each test boots a machine, copies the secret out of the initramfs onto the
# root filesystem, and compares it byte-for-byte with the expected content.
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
}:
let
  # Compressors exercised by this test set; each one becomes an attribute of
  # the result, named after the compressor.
  compressors = [
    "cat" "gzip" "bzip2" "xz" "lzma" "lzop" "pigz" "pixz" "zstd"
  ];

  # Test fixture only. `pkgs.writeText` puts the content into the Nix store,
  # which is world-readable, so this value is not confidential. Outside a
  # test, a real secret should be referenced by a path that lives outside the
  # store (a path literal would be copied into the store as well).
  fixtureSecret = pkgs.writeText "topsecret" "iamasecret";

  # Build the test for a single initrd compressor.
  mkSecretsTest = compressor: testing.makeTest {
    name = "initrd-secrets-${compressor}";

    meta.maintainers = [ lib.maintainers.lheckemann ];

    machine = { ... }: {
      # NOTE(review): presumably needed because initrd secrets are added when
      # the bootloader is installed rather than at initrd build time; confirm.
      virtualisation.useBootLoader = true;

      boot = {
        # zstd compression is only supported from 5.9 onwards. Remove when 5.10 becomes default.
        kernelPackages = pkgs.linuxPackages_latest;

        initrd = {
          inherit compressor;

          # Attribute name: path inside the initrd. Value: where the secret
          # is read from.
          secrets."/test" = fixtureSecret;

          # Copy the secret onto the mounted root so the test script can
          # inspect it after boot. Only the content is verified below, not
          # ownership or mode of the copied file.
          postMountCommands = ''
            cp /test /mnt-root/secret-from-initramfs
          '';
        };
      };
    };

    testScript = ''
      start_all()
      machine.wait_for_unit("multi-user.target")
      machine.succeed(
          "cmp ${fixtureSecret} /secret-from-initramfs"
      )
    '';
  };
in
  lib.genAttrs compressors mkSecretsTest