nixpkgs/nixos/tests/nixos-rebuild-target-host.nix
r-vdp c30b2c06d9
nixos-rebuild-ng: add --elevate=run0
Locally this just prefixes activation commands with `run0 --`, so the
user's normal polkit agent (graphical or pkttyagent) handles auth.

For --target-host, run0 would need a controlling terminal, which we
deliberately do not allocate over SSH. Instead the equivalent
`systemd-run --uid=0 --pipe --wait ...` form is used. Without
--ask-elevate-password this relies on a polkit rule on the target
granting the deploying user `org.freedesktop.systemd1.manage-units`.
With --ask-elevate-password the command is wrapped in
polkit-stdin-agent, which registers a per-process polkit agent for the
child and answers the PAM conversation from stdin.

A transient unit does not inherit the SSH login environment. On NixOS
the unit's PATH is just the systemd store path, so neither `env` nor
`nix-env` would be found inside it. Elevator.wrap_remote() therefore
now takes the env mapping and the command, and returns the full remote
argv: sudo keeps the existing `/bin/sh -c 'exec /usr/bin/env -i ...'`
wrapper inside itself, while run0 puts the shell wrapper *around*
systemd-run and forwards the resolved values into the unit via
--setenv. The Arg/Args/EnvValue/PRESERVE_ENV types and the env-shell
helper move from process.py into elevate.py to avoid a circular import,
and callers are updated to import them from there.

polkit-stdin-agent is resolved on the machine doing the elevation
rather than baked in as a host-arch store path, which would be wrong
for --no-reexec, cross-arch deploys (re-exec hits ENOEXEC and falls
back), --rollback/--store-path, and Darwin deployers. Locally that is
PATH. Remotely, Elevator.for_target_config() binds the elevator to the
toplevel just placed on the target, and a small /bin/sh picker tries
<toplevel>/sw/bin/polkit-stdin-agent (target-arch, in the copied
closure) then PATH, exiting with an actionable error pointing at
system.tools.nixos-rebuild.enableRun0Elevation when neither resolves.
That option (added here) puts the agent in environment.systemPackages
and asserts security.polkit.enable.

A nixos-rebuild-target-host subtest exercises the full remote run0
path (polkit-stdin-agent + systemd-run + activation) end-to-end.

Drop the now-unused stdenv argument from package.nix while here.

Closes #507054.
2026-05-29 00:22:19 +03:00

198 lines
7.9 KiB
Nix

{ hostPkgs, ... }:
{
name = "nixos-rebuild-target-host";
# TODO: remove overlay from nixos/modules/profiles/installation-device.nix
# make it a _small package instead, then remove pkgsReadOnly = false;.
node.pkgsReadOnly = false;
nodes = {
deployer =
{ lib, pkgs, ... }:
let
inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
in
{
imports = [ ../modules/profiles/installation-device.nix ];
nix.settings = {
substituters = lib.mkForce [ ];
hashed-mirrors = null;
connect-timeout = 1;
};
system.includeBuildDependencies = true;
# Needed so the offline build of the target config succeeds.
system.extraDependencies = [ pkgs.polkit-stdin-agent ];
virtualisation = {
cores = 2;
memorySize = 3072;
};
system.build.privateKey = snakeOilPrivateKey;
system.build.publicKey = snakeOilPublicKey;
system.switch.enable = true;
services.getty.autologinUser = lib.mkForce "root";
};
target =
{ nodes, lib, ... }:
let
targetConfig = {
documentation.enable = false;
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
users.users.alice.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
users.users.bob.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
users.users.alice.extraGroups = [ "wheel" ];
users.users.bob.extraGroups = [ "wheel" ];
# Needed for --elevate=run0. NixOS's default polkit admin rule is
# `unix-group:wheel`, so bob (in wheel) can authenticate with his
# own password via polkit-stdin-agent.
system.tools.nixos-rebuild.enableRun0Elevation = true;
# Disable sudo for root to ensure sudo isn't called without `--sudo`
security.sudo.extraRules = lib.mkForce [
{
groups = [ "wheel" ];
commands = [ { command = "ALL"; } ];
}
{
users = [ "alice" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
nix.settings.trusted-users = [ "@wheel" ];
};
in
{
imports = [ ./common/user-account.nix ];
config = lib.mkMerge [
targetConfig
{
system.build = {
inherit targetConfig;
};
system.switch.enable = true;
networking.hostName = "target";
}
];
};
};
testScript =
{ nodes, ... }:
let
sshConfig = builtins.toFile "ssh.conf" ''
UserKnownHostsFile=/dev/null
StrictHostKeyChecking=no
'';
targetConfigJSON = hostPkgs.writeText "target-configuration.json" (
builtins.toJSON nodes.target.system.build.targetConfig
);
targetNetworkJSON = hostPkgs.writeText "target-network.json" (
builtins.toJSON nodes.target.system.build.networkConfig
);
configFile =
hostname:
hostPkgs.writeText "configuration.nix" # nix
''
{ lib, modulesPath, ... }: {
imports = [
(modulesPath + "/virtualisation/qemu-vm.nix")
(modulesPath + "/testing/test-instrumentation.nix")
(modulesPath + "/../tests/common/user-account.nix")
(lib.modules.importJSON ./target-configuration.json)
(lib.modules.importJSON ./target-network.json)
./hardware-configuration.nix
];
boot.loader.grub = {
enable = true;
device = "/dev/vda";
forceInstall = true;
};
# this will be asserted
networking.hostName = "${hostname}";
}
'';
in
# python
''
start_all()
target.wait_for_open_port(22)
deployer.wait_until_succeeds("ping -c1 target")
deployer.succeed("install -Dm 600 ${nodes.deployer.system.build.privateKey} ~root/.ssh/id_ecdsa")
deployer.succeed("install ${sshConfig} ~root/.ssh/config")
target.succeed("nixos-generate-config")
deployer.succeed("scp alice@target:/etc/nixos/hardware-configuration.nix /root/hardware-configuration.nix")
deployer.copy_from_host("${configFile "config-1-deployed"}", "/root/configuration-1.nix")
deployer.copy_from_host("${configFile "config-2-deployed"}", "/root/configuration-2.nix")
deployer.copy_from_host("${configFile "config-3-deployed"}", "/root/configuration-3.nix")
deployer.copy_from_host("${configFile "config-4-deployed"}", "/root/configuration-4.nix")
deployer.copy_from_host("${targetNetworkJSON}", "/root/target-network.json")
deployer.copy_from_host("${targetConfigJSON}", "/root/target-configuration.json")
# Ensure sudo is disabled for root
target.fail("sudo true")
# This test also ensures that sudo is not called without --sudo
with subtest("Deploy to root@target"):
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-1-deployed", f"{target_hostname=}"
with subtest("Deploy to alice@target with passwordless sudo"):
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-2-deployed", f"{target_hostname=}"
with subtest("Deploy to bob@target with password-based sudo"):
deployer.wait_for_unit("multi-user.target")
deployer.send_chars("nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --ask-sudo-password\n")
deployer.wait_until_tty_matches("1", "password for bob")
deployer.send_chars("${nodes.target.users.users.bob.password}\n")
deployer.wait_until_tty_matches("1", "Done. The new configuration is /nix/store/.*config-3-deployed")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-3-deployed", f"{target_hostname=}"
with subtest("Deploy to bob@target with run0 and password"):
# polkit-stdin-agent registers an agent for systemd-run on the
# target and answers the PAM conversation with the password we
# supply locally. The agent is resolved on the target from
# <toplevel>/sw/bin (see Run0Elevator._remote_agent_argv).
deployer.send_chars("nixos-rebuild switch -I nixos-config=/root/configuration-4.nix --target-host bob@target --elevate=run0 --ask-elevate-password\n")
deployer.wait_until_tty_matches("1", "\\[run0\\] password for bob@target")
deployer.send_chars("${nodes.target.users.users.bob.password}\n")
deployer.wait_until_tty_matches("1", "Done. The new configuration is /nix/store/.*config-4-deployed")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-4-deployed", f"{target_hostname=}"
# The target-arch agent is reachable at the stable sw/bin path.
target.succeed("test -x /run/current-system/sw/bin/polkit-stdin-agent")
with subtest("Deploy works with very long TMPDIR"):
tmp_dir = "/var/folder/veryveryveryveryverylongpathnamethatdoesnotworkwithcontrolpath"
deployer.succeed(f"mkdir -p {tmp_dir}")
deployer.succeed(f"TMPDIR={tmp_dir} nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
'';
}