From bac2a891b78aed2876261a6a7c690497969096ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?=
Date: Sat, 13 Nov 2021 14:17:51 +0100
Subject: [PATCH] Fix user passwords disappearing

Also add a test case for this. Closes #137
---
 modules/sops/default.nix | 2 +-
 pkgs/sops-install-secrets/nixos-test.nix | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index aecf795..076d5dc 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -127,7 +127,7 @@ let
 manifest = manifestFor "" regularSecrets {};
 manifestForUsers = manifestFor "-for-users" secretsForUsers {
- secretsMountPoint = "/run/secrets.d/users";
+ secretsMountPoint = "/run/secrets-for-users.d";
 symlinkPath = "/run/secrets-for-users";
 };
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index eed8d57..3862ff0 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -25,7 +25,7 @@ user-passwords = makeTest {
 name = "sops-user-passwords";
- machine = {
+ machine = { config, ... }: {
 imports = [ ../../modules/sops ];
 sops = {
 age.keyFile = ./test-assets/age-keys.txt;
@@ -36,7 +36,7 @@ users.users.example-user = {
 isNormalUser = true;
- passwordFile = "/run/secrets-for-users/test_key";
+ passwordFile = config.sops.secrets.test_key.path;
 };
 };
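Review bot: The new `secretsMountPoint` value in the `manifestForUsers` call carries no explanation of why it must sit beside, rather than under, the regular `/run/secrets.d` tree, so a later tidy-up could move it back and silently reintroduce the bug this commit fixes. The commit message implies the old nested location was being removed together with the regular secrets, presumably by per-generation cleanup of `/run/secrets.d`; a comment at the assignment would record that, e.g. `# Must not be nested under the regular mount point (/run/secrets.d); see #137.`. It is also worth confirming whether a leftover `/run/secrets.d/users` from a previous generation is removed on upgrade, since the new path no longer overlaps it. The enclosing `let` block starts and ends outside the hunk.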
@@ -44,7 +44,12 @@ start_all()
 machine.succeed("getent shadow example-user | grep -q :test_value:") # password was set
 machine.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'") # regular secrets work...
- machine.succeed("[ $(stat -c%U /run/secrets/nested/test/file) = example-user ]") # ...and are owned
+ machine.succeed("[ $(stat -c%U /run/secrets/nested/test/file) = example-user ]") # ...and are owned...
+ machine.succeed("cat /run/secrets-for-users/test_key | grep -q 'test_value'") # the user password still exists
+
+ machine.succeed("/run/current-system/bin/switch-to-configuration test")
+ machine.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'") # the regular secrets still work after a switch
+ machine.succeed("cat /run/secrets-for-users/test_key | grep -q 'test_value'") # the user password is still present after a switch
 '';
 } { inherit pkgs;
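Review bot: After the `switch-to-configuration test` call the script re-reads the two secret files but never re-checks the shadow entry, so the symptom named in the commit title — the user's password disappearing — is not asserted for the post-switch state, only the presence of the source file is. Adding `machine.succeed("getent shadow example-user | grep -q :test_value:") # password survives the switch` after the last added `cat` line would pin the user-visible behaviour directly, mirroring the pre-switch check at the top of the hunk. The added blank line and the switch call would also read better with a short comment such as `# re-activate the same configuration; this used to wipe the users' secrets (#137)` so the purpose of the second round of checks is clear. The `testScript` string this hunk sits in starts before the hunk.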