From 92ddfef0af6af5889ec244fc6b35354a8d7a82b9 Mon Sep 17 00:00:00 2001
From: Will Fancher <elvishjerricco@gmail.com>
Date: Sun, 16 Mar 2025 23:04:03 -0400
Subject: [PATCH] nixos/tests/systemd-ssh-proxy: Use container instead of
 nested virt and ISO

---
 nixos/tests/systemd-ssh-proxy.nix | 41 +++++++++++--------------------
 1 file changed, 14 insertions(+), 27 deletions(-)

diff --git a/nixos/tests/systemd-ssh-proxy.nix b/nixos/tests/systemd-ssh-proxy.nix
index 7f19cfcce09d..6ccdc0012b4f 100644
--- a/nixos/tests/systemd-ssh-proxy.nix
+++ b/nixos/tests/systemd-ssh-proxy.nix
@@ -6,29 +6,12 @@
 }:
 # This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:
 # - a local unix socket on the same system
-# - a vsock socket inside a vm
+# - a unix socket inside a container
 let
   inherit (import ./ssh-keys.nix pkgs)
     snakeOilEd25519PrivateKey
     snakeOilEd25519PublicKey
     ;
-  qemu = config.nodes.virthost.virtualisation.qemu.package;
-  iso =
-    (import ../lib/eval-config.nix {
-      inherit (pkgs.stdenv.hostPlatform) system;
-      modules = [
-        ../modules/installer/cd-dvd/iso-image.nix
-        {
-          services.openssh = {
-            enable = true;
-            settings.PermitRootLogin = "prohibit-password";
-          };
-          isoImage.isoBaseName = lib.mkForce "nixos";
-          isoImage.makeBiosBootable = true;
-          system.stateVersion = lib.trivial.release;
-        }
-      ];
-    }).config.system.build.isoImage;
 in
 {
   name = "systemd-ssh-proxy";
@@ -46,24 +29,28 @@ in
           isNormalUser = true;
         };
       };
-      systemd.services.test-vm = {
-        script = "${lib.getExe qemu} --nographic -smp 1 -m 512 -cdrom ${iso}/iso/nixos.iso -device vhost-vsock-pci,guest-cid=3 -smbios type=11,value=\"io.systemd.credential:ssh.authorized_keys.root=${snakeOilEd25519PublicKey}\"";
+      containers.guest = {
+        autoStart = true;
+        config = {
+          users.users.root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
+          services.openssh = {
+            enable = true;
+            settings.PermitRootLogin = "prohibit-password";
+          };
+          system.stateVersion = lib.trivial.release;
+        };
       };
     };
   };
 
   testScript = ''
-    virthost.systemctl("start test-vm.service")
-
     virthost.succeed("mkdir -p ~/.ssh")
     virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")
     virthost.succeed("chmod 600 ~/.ssh/id_ed25519")
 
-    with subtest("ssh into a vm with vsock"):
-      virthost.wait_until_succeeds("systemctl is-active test-vm.service")
-      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 echo meow | grep meow")
-      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 shutdown now")
-      virthost.wait_until_succeeds("! systemctl is-active test-vm.service")
+    with subtest("ssh into a container with AF_UNIX"):
+      virthost.wait_for_unit("container@guest.service")
+      virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 unix/run/systemd/nspawn/unix-export/guest/ssh echo meow | grep meow")
 
     with subtest("elevate permissions using local ssh socket"):
       virthost.wait_for_unit("sshd-unix-local.socket")