nixos/tests/initrd-secrets: Use systemd stage 1

2026-06-05 21:03:40 +00:00 · 2025-08-15 15:43:01 -04:00
parent 94a06492e2
commit 61305d1414
2 changed files with 23 additions and 13 deletions
--- a/nixos/tests/initrd-secrets-changing.nix
+++ b/nixos/tests/initrd-secrets-changing.nix
@@ -24,14 +24,19 @@ testing.makeTest {

      boot.initrd.secrets = {
        "/test" = secret1InStore;
-        "/run/keys/test" = secret1InStore;
+        "/run/test" = secret1InStore;
+      };
+      boot.initrd.systemd = {
+        enable = true;
+        tmpfiles.settings."00-copy-secret" = {
+          "/sysroot/secret-from-initramfs".C.argument = "/test";
+        };
      };
-      boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";

      specialisation.secrets2System.configuration = {
        boot.initrd.secrets = lib.mkForce {
          "/test" = secret2InStore;
-          "/run/keys/test" = secret2InStore;
+          "/run/test" = secret2InStore;
        };
      };
    };
@@ -40,21 +45,23 @@ testing.makeTest {
    start_all()

    machine.wait_for_unit("multi-user.target")
-    print(machine.succeed("cat /run/keys/test"))
+    print(machine.succeed("cat /run/test"))
    machine.succeed(
        "cmp ${secret1InStore} /secret-from-initramfs",
-        "cmp ${secret1InStore} /run/keys/test",
+        "cmp ${secret1InStore} /run/test",
    )
    # Select the second boot entry corresponding to the specialisation secrets2System.
    machine.succeed("grub-reboot 1")
+    # Remove the rootfs secret so tmpfiles will copy the new one next time
+    machine.succeed("rm /secret-from-initramfs")
    machine.shutdown()

    with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
        machine.wait_for_unit("multi-user.target")
-        print(machine.succeed("cat /run/keys/test"))
+        print(machine.succeed("cat /run/test"))
        machine.succeed(
            "cmp ${secret2InStore} /secret-from-initramfs",
-            "cmp ${secret2InStore} /run/keys/test",
+            "cmp ${secret2InStore} /run/test",
        )
        machine.shutdown()
  '';
--- a/nixos/tests/initrd-secrets.nix
+++ b/nixos/tests/initrd-secrets.nix
@@ -24,12 +24,15 @@ let
          boot.initrd.secrets = {
            "/test" = secretInStore;

-            # This should *not* need to be copied in postMountCommands
-            "/run/keys/test" = secretInStore;
+            # This should *not* need to be copied
+            "/run/test" = secretInStore;
+          };
+          boot.initrd.systemd = {
+            enable = true;
+            tmpfiles.settings."00-copy-secret" = {
+              "/sysroot/secret-from-initramfs".C.argument = "/test";
+            };
          };
-          boot.initrd.postMountCommands = ''
-            cp /test /mnt-root/secret-from-initramfs
-          '';
          boot.initrd.compressor = compressor;
          # zstd compression is only supported from 5.9 onwards. Remove when 5.10 becomes default.
          boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -40,7 +43,7 @@ let
        machine.wait_for_unit("multi-user.target")
        machine.succeed(
            "cmp ${secretInStore} /secret-from-initramfs",
-            "cmp ${secretInStore} /run/keys/test",
+            "cmp ${secretInStore} /run/test",
        )
      '';
    };