nixos/systemd-stage-1: follow systemd /run propagation (#405687)

nixos/modules/system/boot/systemd/initrd.nix

@@ -642,7 +642,7 @@ in
         {
           where = "/sysroot/run";
           what = "/run";
-          options = "bind";
+          options = "rbind";
           unitConfig = {
             # See the comment on the mount unit for /run/etc-metadata
             DefaultDependencies = false;

nixos/tests/all-tests.nix

@@ -1302,6 +1302,7 @@ in
   systemd-escaping = runTest ./systemd-escaping.nix;
   systemd-initrd-bridge = runTest ./systemd-initrd-bridge.nix;
   systemd-initrd-btrfs-raid = runTest ./systemd-initrd-btrfs-raid.nix;
+  systemd-initrd-credentials = runTest ./systemd-initrd-credentials.nix;
   systemd-initrd-luks-fido2 = runTest ./systemd-initrd-luks-fido2.nix;
   systemd-initrd-luks-keyfile = runTest ./systemd-initrd-luks-keyfile.nix;
   systemd-initrd-luks-empty-passphrase = runTest {

nixos/tests/systemd-initrd-credentials.nix

@@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+{
+  name = "systemd-initrd-credentials";
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      virtualisation = {
+        qemu.options = [
+          "-smbios type=11,value=io.systemd.credential:cred-smbios=secret-smbios"
+        ];
+      };
+
+      boot.initrd.availableKernelModules = [ "dmi_sysfs" ];
+
+      boot.kernelParams = [ "systemd.set_credential=cred-cmdline:secret-cmdline" ];
+
+      boot.initrd.systemd = {
+        enable = true;
+      };
+    };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+
+    # Check credential passed via kernel command line
+    assert "secret-cmdline" in machine.succeed("systemd-creds --system cat cred-cmdline")
+
+    # Check credential passed via SMBIOS
+    assert "secret-smbios" in machine.succeed("systemd-creds --system cat cred-smbios")
+  '';
+}