From 61305d14147e05b60c6bad4e7c8d91dfcc7a6e37 Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Fri, 15 Aug 2025 15:43:01 -0400
Subject: [PATCH] nixos/tests/initrd-secrets: Use systemd stage 1

---
 nixos/tests/initrd-secrets-changing.nix | 21 ++++++++++++++-------
 nixos/tests/initrd-secrets.nix | 15 +++++++++------
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/nixos/tests/initrd-secrets-changing.nix b/nixos/tests/initrd-secrets-changing.nix
index f0d6bc4c28b4..1ff8a9aabdcb 100644
--- a/nixos/tests/initrd-secrets-changing.nix
+++ b/nixos/tests/initrd-secrets-changing.nix
@@ -24,14 +24,19 @@ testing.makeTest {
 boot.initrd.secrets = {
 "/test" = secret1InStore;
- "/run/keys/test" = secret1InStore;
+ "/run/test" = secret1InStore;
+ };
+ boot.initrd.systemd = {
+ enable = true;
+ tmpfiles.settings."00-copy-secret" = {
+ "/sysroot/secret-from-initramfs".C.argument = "/test";
+ };
 };
- boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
 specialisation.secrets2System.configuration = {
 boot.initrd.secrets = lib.mkForce {
 "/test" = secret2InStore;
- "/run/keys/test" = secret2InStore;
+ "/run/test" = secret2InStore;
 };
 };
 };
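Review bot: The new tmpfiles entry for `/sysroot/secret-from-initramfs` uses type `C`, which copies only when the destination does not exist yet, so on the reboot into the specialisation it would silently keep the first secret unless the test deletes the file beforehand; that dependency lives in the next hunk and is invisible here. Say so on the entry, e.g. `# C does not overwrite an existing target; the test removes the copy before switching specialisation`, and consider whether the module accepts the force-overwrite `C+` variant, which would make the `rm` in the test script unnecessary. The entry also sets no `mode`/`user`, so the secret placed on the persistent root gets whatever tmpfiles applies to a copy by default — if a restricted mode is intended, state it explicitly (`"/sysroot/secret-from-initramfs".C.mode = "0400";`, assuming the field is honoured for `C`). The same entry and the same `/run/keys/test` → `/run/test` rename appear in nixos/tests/initrd-secrets.nix in this patch; neither place records why the path leaves `/run/keys`, and a one-line reason on the `boot.initrd.secrets` attribute would help the next reader.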
@@ -40,21 +45,23 @@ testing.makeTest {
 start_all()
 machine.wait_for_unit("multi-user.target")
- print(machine.succeed("cat /run/keys/test"))
+ print(machine.succeed("cat /run/test"))
 machine.succeed(
 "cmp ${secret1InStore} /secret-from-initramfs",
- "cmp ${secret1InStore} /run/keys/test",
+ "cmp ${secret1InStore} /run/test",
 )
 # Select the second boot entry corresponding to the specialisation secrets2System.
 machine.succeed("grub-reboot 1")
+ # Remove the rootfs secret so tmpfiles will copy the new one next time
+ machine.succeed("rm /secret-from-initramfs")
 machine.shutdown()
 with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
 machine.wait_for_unit("multi-user.target")
- print(machine.succeed("cat /run/keys/test"))
+ print(machine.succeed("cat /run/test"))
 machine.succeed(
 "cmp ${secret2InStore} /secret-from-initramfs",
- "cmp ${secret2InStore} /run/keys/test",
+ "cmp ${secret2InStore} /run/test",
 )
 machine.shutdown()
 '';
diff --git a/nixos/tests/initrd-secrets.nix b/nixos/tests/initrd-secrets.nix
index e19ac4d6f3dc..ce0a54dac6c0 100644
--- a/nixos/tests/initrd-secrets.nix
+++ b/nixos/tests/initrd-secrets.nix
@@ -24,12 +24,15 @@ let
 boot.initrd.secrets = {
 "/test" = secretInStore;
- # This should *not* need to be copied in postMountCommands
- "/run/keys/test" = secretInStore;
+ # This should *not* need to be copied
+ "/run/test" = secretInStore;
+ };
+ boot.initrd.systemd = {
+ enable = true;
+ tmpfiles.settings."00-copy-secret" = {
+ "/sysroot/secret-from-initramfs".C.argument = "/test";
+ };
 };
- boot.initrd.postMountCommands = ''
- cp /test /mnt-root/secret-from-initramfs
- '';
 boot.initrd.compressor = compressor;
 # zstd compression is only supported from 5.9 onwards. Remove when 5.10 becomes default.
 boot.kernelPackages = pkgs.linuxPackages_latest;
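Review bot: The rewritten comment `# This should *not* need to be copied` in nixos/tests/initrd-secrets.nix lost its referent when `postMountCommands` was dropped, so it no longer says which mechanism is not needed or why the file is expected to survive into the booted system. If the reason is that the initrd's `/run` is carried over by systemd's switch-root, spell that out, e.g. `# This should *not* need a tmpfiles copy: the initrd's /run is carried over into the booted system`; if it is something else, name that instead. The `C` copy entry added here has the same no-overwrite and unset-mode caveats as the identical entry in initrd-secrets-changing.nix, raised on that file's first hunk. The `let` binding and the attribute set this hunk edits begin outside the hunk.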
@@ -40,7 +43,7 @@ let
 machine.wait_for_unit("multi-user.target")
 machine.succeed(
 "cmp ${secretInStore} /secret-from-initramfs",
- "cmp ${secretInStore} /run/keys/test",
+ "cmp ${secretInStore} /run/test",
 )
 '';
 };