nixpkgs/nixos/tests/rush.nix

{ pkgs, ... }:
let
  inherit (import ./ssh-keys.nix pkgs) snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
  username = "nix-remote-builder";
in
{
  name = "rush";
  meta = { inherit (pkgs.rush.meta) maintainers platforms; };

  nodes = {
    client =
      { ... }:
      {
        nix.settings.extra-experimental-features = [ "nix-command" ];
      };

    server =
      { config, ... }:
      {
        nix.settings.trusted-users = [ "${username}" ];

        programs.rush = {
          enable = true;
          global = "debug 1";

          rules = {
            daemon = ''
              match $# == 2
              match $0 == "nix-daemon"
              match $1 == "--stdio"
              match $user == "${username}"
              chdir "${config.nix.package}/bin"
            '';

            whoami = ''
              match $# == 1
              match $0 == "whoami"
              match $user == "${username}"
              chdir "${dirOf config.environment.usrbinenv}"
            '';
          };
        };

        services.openssh = {
          enable = true;

          extraConfig = ''
            Match User ${username}
              AllowAgentForwarding no
              AllowTcpForwarding no
              PermitTTY no
              PermitTunnel no
              X11Forwarding no
            Match All
          '';
        };

        users = {
          groups."${username}" = { };

          users."${username}" = {
            inherit (config.programs.rush) shell;
            group = "${username}";
            isSystemUser = true;
            openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
          };
        };
      };
  };

  testScript = ''
    start_all()

    client.succeed("mkdir -m 700 /root/.ssh")
    client.succeed("cat '${snakeOilEd25519PrivateKey}' | tee /root/.ssh/id_ed25519")
    client.succeed("chmod 600 /root/.ssh/id_ed25519")

    server.wait_for_unit("sshd")

    client.succeed("ssh-keyscan -H server | tee -a /root/.ssh/known_hosts")

    client.succeed("ssh ${username}@server -- whoami")
    client.succeed("nix store info --store 'ssh-ng://${username}@server'")

    client.fail("ssh ${username}@server -- date")
    client.fail("nix store info --store 'ssh://${username}@server'")
  '';
}
nixos/rush: init module 2025-04-14 01:17:22 +02:00			`{ pkgs, ... }:`
			`let`
			`inherit (import ./ssh-keys.nix pkgs) snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;`
			`username = "nix-remote-builder";`
			`in`
			`{`
			`name = "rush";`
			`meta = { inherit (pkgs.rush.meta) maintainers platforms; };`

			`nodes = {`
			`client =`
			`{ ... }:`
			`{`
			`nix.settings.extra-experimental-features = [ "nix-command" ];`
			`};`

			`server =`
			`{ config, ... }:`
			`{`
			`nix.settings.trusted-users = [ "${username}" ];`

			`programs.rush = {`
			`enable = true;`
			`global = "debug 1";`

			`rules = {`
			`daemon = ''`
			`match $# == 2`
			`match $0 == "nix-daemon"`
			`match $1 == "--stdio"`
			`match $user == "${username}"`
			`chdir "${config.nix.package}/bin"`
			`'';`

			`whoami = ''`
			`match $# == 1`
			`match $0 == "whoami"`
			`match $user == "${username}"`
			`chdir "${dirOf config.environment.usrbinenv}"`
			`'';`
			`};`
			`};`

			`services.openssh = {`
			`enable = true;`

			`extraConfig = ''`
			`Match User ${username}`
			`AllowAgentForwarding no`
			`AllowTcpForwarding no`
			`PermitTTY no`
			`PermitTunnel no`
			`X11Forwarding no`
			`Match All`
			`'';`
			`};`

			`users = {`
			`groups."${username}" = { };`

			`users."${username}" = {`
			`inherit (config.programs.rush) shell;`
			`group = "${username}";`
			`isSystemUser = true;`
			`openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];`
			`};`
			`};`
			`};`
			`};`

			`testScript = ''`
			`start_all()`

			`client.succeed("mkdir -m 700 /root/.ssh")`
			`client.succeed("cat '${snakeOilEd25519PrivateKey}' \| tee /root/.ssh/id_ed25519")`
			`client.succeed("chmod 600 /root/.ssh/id_ed25519")`

			`server.wait_for_unit("sshd")`

			`client.succeed("ssh-keyscan -H server \| tee -a /root/.ssh/known_hosts")`

			`client.succeed("ssh ${username}@server -- whoami")`
			`client.succeed("nix store info --store 'ssh-ng://${username}@server'")`

			`client.fail("ssh ${username}@server -- date")`
			`client.fail("nix store info --store 'ssh://${username}@server'")`
			`'';`
			`}`