add a NixOS test for setting a user's passwordFile with agenix; and some features/fixes this required

example/passwordfile-user1.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
+nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
+-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
+FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
+-> V'v(/u$-grease em/Vgf 2qDuk
+7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
+--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
+�'K�ƷY&�7G�O��Fj
�k�X�BnuJ��:9�(���X�#�A����ڧj�,�_���?�Z��v��V�96]oks~%�c �e^C�%JQ5�<H�z}�C�,�p��*!W���A���҅dC�K)��-�y

example/secrets.nix

@@ -5,4 +5,5 @@ in
 {
  "secret1.age".publicKeys = [ user1 system1 ];
  "secret2.age".publicKeys = [ user1 ];
+ "passwordfile-user1.age".publicKeys = [ user1 system1 ];
 }

modules/age.nix

@@ -25,10 +25,13 @@ let
  mv -f "$TMP_FILE" '${secretType.path}'
  '';
 
- rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
+ isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
+ isNotRootSecret = st: !(isRootSecret st);
+
+ rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
  installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
 
- nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
+ nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
  installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
 
  secretType = types.submodule ({ config, ... }: {
@@ -62,14 +65,14 @@ let
  };
  owner = mkOption {
  type = types.str;
- default = "root";
+ default = "0";
  description = ''
  User of the file.
  '';
  };
  group = mkOption {
  type = types.str;
- default = users.${config.owner}.group;
+ default = users.${config.owner}.group or "0";
  description = ''
  Group of the file.
  '';
@@ -105,7 +108,7 @@ in
 
  # Secrets with root owner and group can be installed before users
  # exist. This allows user password files to be encrypted.
- system.activationScripts.agenixRoot = installRootOwnedSecrets;
+ system.activationScripts.agenixRoot.text = installRootOwnedSecrets;
  system.activationScripts.users.deps = [ "agenixRoot" ];
 
  # Other secrets need to wait for users and groups to exist.

test/install_ssh_host_keys.nix

@@ -0,0 +1,15 @@
+# Do not copy this! It is insecure. This is only okay because we are testing.
+{
+ system.activationScripts.agenixRoot.deps = [ "installSSHHostKeys" ];
+
+ system.activationScripts.installSSHHostKeys.text = ''
+ mkdir -p /etc/ssh
+ (umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
+ (
+ umask u=rw,g=,o=
+ cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
+ touch /etc/ssh/ssh_host_rsa_key
+ )
+
+ '';
+}

test/integration.nix

@@ -0,0 +1,58 @@
+{
+nixpkgs ? <nixpkgs>,
+pkgs ? import <nixpkgs> { inherit system; config = {}; },
+system ? builtins.currentSystem
+} @args:
+
+import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
+ name = "agenix-integration";
+
+ nodes.system1 = { config, lib, ... }: {
+
+ imports = [
+ ../modules/age.nix
+ ./install_ssh_host_keys.nix
+ ];
+
+ services.openssh.enable = true;
+
+ age.secrets.passwordfile-user1 = {
+ file = ../example/passwordfile-user1.age;
+ };
+
+ users = {
+ mutableUsers = false;
+
+ users = {
+ user1 = {
+ isNormalUser = true;
+ passwordFile = config.age.secrets.passwordfile-user1.path;
+ };
+ };
+ };
+
+ };
+
+ testScript =
+ let
+ user = "user1";
+ password = "password1234";
+ in ''
+ system1.wait_for_unit("multi-user.target")
+ system1.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
+ system1.sleep(2)
+ system1.send_key("alt-f2")
+ system1.wait_until_succeeds(f"[ $(fgconsole) = 2 ]")
+ system1.wait_for_unit(f"[email protected]")
+ system1.wait_until_succeeds(f"pgrep -f 'agetty.*tty2'")
+ system1.wait_until_tty_matches(2, "login: ")
+ system1.send_chars("${user}\n")
+ system1.wait_until_tty_matches(2, "login: ${user}")
+ system1.wait_until_succeeds("pgrep login")
+ system1.sleep(2)
+ system1.send_chars("${password}\n")
+ system1.send_chars("whoami > /tmp/1\n")
+ system1.wait_for_file("/tmp/1")
+ assert "${user}" in system1.succeed("cat /tmp/1")
+ '';
+}) args