Starts two VMs: one with dropbear listening from the initrd, waiting for a file; another connecting via ssh and creating the file.
Showing
2 changed files
with
75 additions
and
0 deletions.
@@ -0,0 +1,74 @@ | ||
import ./make-test.nix ({ pkgs, lib, ... }: | ||
|
||
let | ||
keys = pkgs.runCommand "gen-keys" { | ||
outputs = [ "out" "dbPub" "dbPriv" "sshPub" "sshPriv" ]; | ||
buildInputs = with pkgs; [ dropbear openssh ]; | ||
} | ||
'' | ||
touch $out | ||
dropbearkey -t rsa -f $dbPriv -s 4096 | sed -n 2p > $dbPub | ||
ssh-keygen -q -t rsa -b 4096 -N "" -f client | ||
mv client $sshPriv | ||
mv client.pub $sshPub | ||
''; | ||
|
||
in { | ||
name = "initrd-network-ssh"; | ||
meta = with lib.maintainers; { | ||
maintainers = [ willibutz ]; | ||
}; | ||
|
||
nodes = with lib; rec { | ||
server = | ||
{ config, pkgs, ... }: | ||
{ | ||
boot.kernelParams = [ | ||
"ip=${ | ||
(head config.networking.interfaces.eth1.ip4).address | ||
}:::255.255.255.0::eth1:none" | ||
]; | ||
boot.initrd.network = { | ||
enable = true; | ||
ssh = { | ||
enable = true; | ||
authorizedKeys = [ "${readFile keys.sshPub}" ]; | ||
||
port = 22; | ||
hostRSAKey = keys.dbPriv; | ||
}; | ||
}; | ||
boot.initrd.preLVMCommands = '' | ||
while true; do | ||
if [ -f fnord ]; then | ||
poweroff | ||
fi | ||
sleep 1 | ||
done | ||
''; | ||
}; | ||
|
||
client = | ||
{ config, pkgs, ... }: | ||
{ | ||
environment.etc.knownHosts = { | ||
text = concatStrings [ | ||
"server," | ||
"${toString (head (splitString " " ( | ||
toString (elemAt (splitString "\n" config.networking.extraHosts) 2) | ||
)))} " | ||
"${readFile keys.dbPub}" | ||
]; | ||
}; | ||
}; | ||
}; | ||
|
||
testScript = '' | ||
startAll; | ||
$client->waitForUnit("network.target"); | ||
$client->copyFileFromHost("${keys.sshPriv}","/etc/sshKey"); | ||
$client->succeed("chmod 0600 /etc/sshKey"); | ||
$client->waitUntilSucceeds("ping -c 1 server"); | ||
$client->succeed("ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"); | ||
$client->shutdown; | ||
''; | ||
}) |
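Review bot: The server's initrd loop in `boot.initrd.preLVMCommands` checks the relative path `fnord` (`if [ -f fnord ]; then`) while the client creates `/fnord`; this only works if the initrd shell's working directory happens to be `/`, which is likely but not guaranteed by anything in this file. Changing it to `if [ -f /fnord ]; then` removes the dependence on the working directory. The ssh call in testScript pins the host key through `UserKnownHostsFile=/etc/knownHosts` but leaves host-key checking at the client default; adding `-o StrictHostKeyChecking=yes` makes the test fail loudly if the knownHosts entry derived from `config.networking.extraHosts` does not match, instead of relying on the non-interactive fallback behaviour. Also, `hostRSAKey = keys.dbPriv;` places the dropbear host private key in the world-readable Nix store, which is acceptable for a test fixture but deserves a comment such as `# test-only key: lives in the world-readable store, never reuse this pattern for a real host` so the pattern is not copied into a production configuration.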
Just a heads up, this causes building during evaluation, which we try to avoid on Hydra and in Nixpkgs. I'm going to change this to use a key embedded in this test.