nix: fix indentation of checks attribute

2022-11-26 16:42:20 +01:00 · 2022-11-26 16:42:20 +01:00 · b37ffd19d6
parent 85de5d52d0
commit b37ffd19d6
1 changed files with 37 additions and 37 deletions
--- a/flake.nix
+++ b/flake.nix
@ -159,54 +159,54 @@
          '';
        };
      in
-      {
+        {
-        # TODO: user mode: OK
+          # TODO: user mode: OK
-        # TODO: how to get in: {deployed, audited} mode ?
+          # TODO: how to get in: {deployed, audited} mode ?
-        lanzaboote-boot = mkSecureBootTest {
+          lanzaboote-boot = mkSecureBootTest {
-          name = "signed-files-boot-under-secureboot";
+            name = "signed-files-boot-under-secureboot";
-          testScript = ''
+            testScript = ''
            machine.start()
            assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
          '';
-        };
+          };
-        # So, this is the responsibility of the lanzatool install
+          # So, this is the responsibility of the lanzatool install
-        # to run the append-initrd-secret script
+          # to run the append-initrd-secret script
-        # This test assert that lanzatool still do the right thing
+          # This test assert that lanzatool still do the right thing
-        # preDeviceCommands should not have any root filesystem mounted
+          # preDeviceCommands should not have any root filesystem mounted
-        # so it should not be able to find /etc/iamasecret, other than the
+          # so it should not be able to find /etc/iamasecret, other than the
-        # initrd's one.
+          # initrd's one.
-        # which should exist IF lanzatool do the right thing.
+          # which should exist IF lanzatool do the right thing.
-        lanzaboote-with-initrd-secrets = mkSecureBootTest {
+          lanzaboote-with-initrd-secrets = mkSecureBootTest {
-          name = "signed-files-boot-with-secrets-under-secureboot";
+            name = "signed-files-boot-with-secrets-under-secureboot";
-          machine = { ... }: {
+            machine = { ... }: {
-            boot.initrd.secrets = {
+              boot.initrd.secrets = {
-              "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
+                "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
-            };
+              };
-            boot.initrd.preDeviceCommands = ''
+              boot.initrd.preDeviceCommands = ''
              grep "this is a very secure secret" /etc/iamasecret
            '';
-          };
+            };
-          testScript = ''
+            testScript = ''
            machine.start()
            assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
          '';
        };
        is-initrd-secured = mkUnsignedTest {
          name = "unsigned-initrd-do-not-boot-under-secureboot";
          path = {
            src = "extract_bspec_attr('initrd')";
            dst = "convert_to_esp(extract_bspec_attr('initrd'))";
          };
-        };
+          is-initrd-secured = mkUnsignedTest {
-        is-kernel-secured = mkUnsignedTest {
+            name = "unsigned-initrd-do-not-boot-under-secureboot";
-          name = "unsigned-kernel-do-not-boot-under-secureboot";
+            path = {
-          path = {
+              src = "extract_bspec_attr('initrd')";
-            src = "extract_bspec_attr('kernel')";
+              dst = "convert_to_esp(extract_bspec_attr('initrd'))";
-            dst = "convert_to_esp(extract_bspec_attr('kernel'))";
+            };
          };
          is-kernel-secured = mkUnsignedTest {
            name = "unsigned-kernel-do-not-boot-under-secureboot";
            path = {
              src = "extract_bspec_attr('kernel')";
              dst = "convert_to_esp(extract_bspec_attr('kernel'))";
            };
          };
        };
-      };
+        };
    };
 }