nixos/tests/bootspec: test initrd and initrdSecrets a bit stricter

We will now ensure that no `initrdSecrets` leaks under no initrd secrets
and that `initrdSecrets` are there if we do have initrd secrets.
This commit is contained in:
Raito Bezarius 2024-01-04 02:42:29 +01:00
parent 7c6f64914f
commit 861431f282

View file

@ -112,10 +112,39 @@ in
bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json"))
assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled"
assert 'initrd' in bootspec, "Bootspec should contain initrd field when initrd is enabled"
assert 'initrdSecrets' not in bootspec, "Bootspec should not contain initrdSecrets when there's no initrdSecrets"
'';
};
# Check that initrd secrets create corresponding entries in bootspec.
initrd-secrets = makeTest {
name = "bootspec-with-initrd-secrets";
meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ];
nodes.machine = {
imports = [ standard ];
environment.systemPackages = [ pkgs.jq ];
# It's probably the case, but we want to make it explicit here.
boot.initrd.enable = true;
boot.initrd.secrets."/some/example" = pkgs.writeText "example-secret" "test";
};
testScript = ''
import json
machine.start()
machine.wait_for_unit("multi-user.target")
machine.succeed("test -e /run/current-system/boot.json")
bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json"))
assert 'initrdSecrets' in bootspec, "Bootspec should contain an 'initrdSecrets' field given there's an initrd secret"
'';
};
# Check that specialisations create corresponding entries in bootspec.
specialisation = makeTest {
name = "bootspec-with-specialisation";