nixosTests.systemd-ssh-proxy: init

2025-06-09 19:13:26 +03:00 · 2024-09-18 16:01:09 +02:00 · 2024-09-18 16:01:09 +02:00 · 8a641ddffe
commit 8a641ddffe
parent 0ea1aedc4d
2 changed files with 77 additions and 0 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -1067,6 +1067,7 @@ in {
  systemd-portabled = handleTest ./systemd-portabled.nix {};
  systemd-repart = handleTest ./systemd-repart.nix {};
  systemd-resolved = handleTest ./systemd-resolved.nix {};
+  systemd-ssh-proxy = runTest ./systemd-ssh-proxy.nix;
  systemd-shutdown = handleTest ./systemd-shutdown.nix {};
  systemd-sysupdate = runTest ./systemd-sysupdate.nix;
  systemd-sysusers-mutable = runTest ./systemd-sysusers-mutable.nix;
--- a/nixos/tests/systemd-ssh-proxy.nix
+++ b/nixos/tests/systemd-ssh-proxy.nix
@ -0,0 +1,76 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+# This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:
+# - a local unix socket on the same system
+# - a vsock socket inside a vm
+let
+  inherit (import ./ssh-keys.nix pkgs)
+    snakeOilEd25519PrivateKey
+    snakeOilEd25519PublicKey
+    ;
+  qemu = config.nodes.virthost.virtualisation.qemu.package;
+  iso =
+    (import ../lib/eval-config.nix {
+      inherit (pkgs.stdenv.hostPlatform) system;
+      modules = [
+        ../modules/installer/cd-dvd/iso-image.nix
+        {
+          services.openssh = {
+            enable = true;
+            settings.PermitRootLogin = "prohibit-password";
+          };
+          isoImage.isoBaseName = lib.mkForce "nixos";
+          isoImage.makeBiosBootable = true;
+          system.stateVersion = lib.trivial.release;
+        }
+      ];
+    }).config.system.build.isoImage;
+in
+{
+  name = "systemd-ssh-proxy";
+  meta.maintainers = with pkgs.lib.maintainers; [ marie ];
+
+  nodes = {
+    virthost = {
+      services.openssh = {
+        enable = true;
+        settings.PermitRootLogin = "prohibit-password";
+      };
+      users.users = {
+        root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
+        nixos = {
+          isNormalUser = true;
+        };
+      };
+      systemd.services.test-vm = {
+        script = "${lib.getExe qemu} --nographic -smp 1 -m 512 -cdrom ${iso}/iso/nixos.iso -device vhost-vsock-pci,guest-cid=3 -smbios type=11,value=\"io.systemd.credential:ssh.authorized_keys.root=${snakeOilEd25519PublicKey}\"";
+      };
+    };
+  };
+
+  testScript = ''
+    virthost.systemctl("start test-vm.service")
+
+    virthost.succeed("mkdir -p ~/.ssh")
+    virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")
+    virthost.succeed("chmod 600 ~/.ssh/id_ed25519")
+
+    with subtest("ssh into a vm with vsock"):
+      virthost.wait_until_succeeds("systemctl is-active test-vm.service")
+      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 echo meow | grep meow")
+      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 shutdown now")
+      virthost.wait_until_succeeds("! systemctl is-active test-vm.service")
+
+    with subtest("elevate permissions using local ssh socket"):
+      virthost.wait_for_unit("sshd-unix-local.socket")
+      virthost.succeed("sudo --user=nixos mkdir -p /home/nixos/.ssh")
+      virthost.succeed("cp ~/.ssh/id_ed25519 /home/nixos/.ssh/id_ed25519")
+      virthost.succeed("chmod 600 /home/nixos/.ssh/id_ed25519")
+      virthost.succeed("chown nixos /home/nixos/.ssh/id_ed25519")
+      virthost.succeed("sudo --user=nixos ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /home/nixos/.ssh/id_ed25519 root@.host whoami | grep root")
+  '';
+}