mirror of
https://github.com/NixOS/nix
# NixOS VM test "chroot-store": runs `nix` against an alternate store root
# (`--store /tmp/nix`) and checks that building in that location is refused.
{
  lib,
  config,
  nixpkgs,
  ...
}:

let
  # Package set taken from the test machine's own nixpkgs configuration.
  inherit (config.nodes.machine.nixpkgs) pkgs;

  # Copied into the alternate store by the test script.
  helloPkg = pkgs.hello;

  # Installed system-wide on the VM; the test script never copies it to
  # /tmp/nix.
  cowsayPkg = pkgs.cowsay;
in
{
  name = "chroot-store";

  nodes = {
    machine =
      {
        config,
        lib,
        pkgs,
        ...
      }:
      {
        virtualisation = {
          writableStore = true;
          # Make the path available in the VM's store so that `nix copy` has a
          # local source to copy from.
          additionalPaths = [ helloPkg ];
        };

        environment.systemPackages = [ cowsayPkg ];

        nix.extraOptions = "experimental-features = nix-command";
      };
  };

  # Test script steps:
  #
  # 1. Copy the hello path into the store rooted at /tmp/nix.
  #    `--no-check-sigs` turns off signature checking for that copy. The
  #    source here is the VM's own local store; do not carry the flag over
  #    to copies from a store you do not control.
  # 2. Run `hello` through `nix shell --store /tmp/nix`.
  # 3. Run `cowsay` the same way. It was never copied to /tmp/nix, so this
  #    only works if the host /nix/store is visible from the alternate
  #    store (the script's own comment attributes this to an overlayfs
  #    mount).
  # 4. Attempt a build with `--store /tmp/nix` and require that it fails
  #    with a message containing "is world-writable". The derivation's
  #    builder is "/foo", which presumably does not exist, so the build
  #    could never succeed; the assertion on the message text is what ties
  #    the failure to the world-writable check rather than to some
  #    unrelated error. A build root below a directory that any local user
  #    can write to could be interfered with by another user during the
  #    build. That is presumably the rationale, but the test itself only
  #    checks the message.
  #
  # NOTE(review): the build expression hard-codes x86_64-linux; confirm that
  # the world-writable error is still the one reported on other host
  # platforms.
  testScript =
    { nodes }:
    ''
      # fmt: off
      start_all()

      machine.succeed("nix copy --no-check-sigs --to /tmp/nix ${helloPkg}")

      machine.succeed("nix shell --store /tmp/nix ${helloPkg} --command hello >&2")

      # Test that /nix/store is available via an overlayfs mount.
      machine.succeed("nix shell --store /tmp/nix ${helloPkg} --command cowsay foo >&2")

      # Building in /tmp should fail for security reasons.
      err = machine.fail("nix build --offline --store /tmp/nix --expr 'builtins.derivation { name = \"foo\"; system = \"x86_64-linux\"; builder = \"/foo\"; }' 2>&1")
      assert "is world-writable" in err
    '';
}