nixosTests.syncthing: create encrypted device test

2024-09-19 16:51:11 +01:00 · 2024-09-19 16:51:11 +01:00 · b7f1fd5caa
commit b7f1fd5caa
parent a8cd913df2
1 changed files with 57 additions and 6 deletions
--- a/nixos/tests/syncthing-folders.nix
+++ b/nixos/tests/syncthing-folders.nix
@ -10,6 +10,8 @@ import ../make-test-python.nix (
      '';
    idA = genNodeId "a";
    idB = genNodeId "b";
+    idC = genNodeId "c";
+    testPasswordFile = pkgs.writeText "syncthing-test-password" "it's a secret";
  in
  {
    name = "syncthing";
@ -23,13 +25,16 @@ import ../make-test-python.nix (
          cert = "${idA}/cert.pem";
          key = "${idA}/key.pem";
          settings = {
-            devices.b = {
-              id = lib.fileContents "${idB}/id";
-            };
+            devices.b.id = lib.fileContents "${idB}/id";
+            devices.c.id = lib.fileContents "${idC}/id";
            folders.foo = {
              path = "/var/lib/syncthing/foo";
              devices = [ "b" ];
            };
+            folders.bar = {
+              path = "/var/lib/syncthing/bar";
+              devices.c.encryptionPassword = "${testPasswordFile}";
+            };
          };
        };
      };
@ -40,13 +45,36 @@ import ../make-test-python.nix (
          cert = "${idB}/cert.pem";
          key = "${idB}/key.pem";
          settings = {
-            devices.a = {
-              id = lib.fileContents "${idA}/id";
-            };
+            devices.a.id = lib.fileContents "${idA}/id";
+            devices.c.id = lib.fileContents "${idC}/id";
            folders.foo = {
              path = "/var/lib/syncthing/foo";
              devices = [ "a" ];
            };
+            folders.bar = {
+              path = "/var/lib/syncthing/bar";
+              devices.c.encryptionPassword = "${testPasswordFile}";
+            };
+          };
+        };
+      };
+      c = {
+        services.syncthing = {
+          enable = true;
+          openDefaultPorts = true;
+          cert = "${idC}/cert.pem";
+          key = "${idC}/key.pem";
+          settings = {
+            devices.a.id = lib.fileContents "${idA}/id";
+            devices.b.id = lib.fileContents "${idB}/id";
+            folders.bar = {
+              path = "/var/lib/syncthing/bar";
+              devices = [
+                "a"
+                "b"
+              ];
+              type = "receiveencrypted";
+            };
          };
        };
      };
@ -54,16 +82,39 @@ import ../make-test-python.nix (

    testScript = ''
      start_all()
+
      a.wait_for_unit("syncthing.service")
      b.wait_for_unit("syncthing.service")
+      c.wait_for_unit("syncthing.service")
      a.wait_for_open_port(22000)
      b.wait_for_open_port(22000)
+      c.wait_for_open_port(22000)
+
+      # Test foo
+
      a.wait_for_file("/var/lib/syncthing/foo")
      b.wait_for_file("/var/lib/syncthing/foo")
+
      a.succeed("echo a2b > /var/lib/syncthing/foo/a2b")
      b.succeed("echo b2a > /var/lib/syncthing/foo/b2a")
+
      a.wait_for_file("/var/lib/syncthing/foo/b2a")
      b.wait_for_file("/var/lib/syncthing/foo/a2b")
+
+      # Test bar
+
+      a.wait_for_file("/var/lib/syncthing/bar")
+      b.wait_for_file("/var/lib/syncthing/bar")
+      c.wait_for_file("/var/lib/syncthing/bar")
+
+      a.succeed("echo plaincontent > /var/lib/syncthing/bar/plainname")
+
+      # B should be able to decrypt, check that content of file matches
+      b.wait_for_file("/var/lib/syncthing/bar/plainname")
+      b.succeed("grep plaincontent /var/lib/syncthing/bar/plainname")
+
+      # Bar on C is untrusted, check that content is not in cleartext
+      c.fail("grep -R plaincontent /var/lib/syncthing/bar")
    '';
  }
 )