test(archsetup): migrate bare-metal runner to key auth + Testinfra

run-test-baremetal.sh SSHed to the target as root by password throughout, which archsetup's sshd hardening (PermitRootLogin prohibit-password) kills mid-install, the same break the VM runner already fixed. It also still called the validation.sh shell sweep (run_all_validations, validate_all_services, validate_zfs_services), the last caller keeping those functions alive.

It now mirrors the VM runner. After the first SSH, and after any genesis rollback so the key survives it, inject_root_key authorizes a throwaway root key, and every later ssh_cmd plus the raw scp transfers and log-copies thread SSH_KEY_OPT to survive the hardening. The shell sweep is replaced with run_testinfra_validation, now the authoritative validator on both runners. A --port option, threaded through every SSH and scp, lets the runner target a test VM on 2222 instead of only real hardware on 22.

inject_root_key now authorizes root@$VM_IP instead of root@localhost, so one helper serves both runners (the VM runner sets VM_IP=localhost).

Validated against the ZFS VM (--validate-only, localhost:2222): connectivity, the ZFS check, key authorization, and the Testinfra sweep all connect and run over the key-based ssh-config. A green bare-metal install still needs real ZFS hardware.

2 files changed, 40 insertions, 16 deletions

diff --git a/scripts/testing/lib/vm-utils.sh b/scripts/testing/lib/vm-utils.sh
index 6d9f6f6..10c0ca5 100755
--- a/scripts/testing/lib/vm-utils.sh
+++ b/scripts/testing/lib/vm-utils.sh
@@ -433,6 +433,8 @@ copy_from_vm() {
 # PermitRootLogin prohibit-password and reloads sshd partway through, which kills
 # root *password* login. Without a key in place first, every SSH after that step
 # fails and the run aborts before any validation. Key auth survives the hardening.
+# Targets root@$VM_IP on $SSH_PORT so it works for both the local VM runner
+# (VM_IP=localhost, port 2222) and the bare-metal runner (VM_IP=host, port 22).
 inject_root_key() {
     local key="$1"
     rm -f "$key" "$key.pub"
@@ -440,7 +442,7 @@ inject_root_key() {
         warn "Root key generation failed - run may break at sshd hardening"
         return 1
     fi
-    if sshpass -p "$ROOT_PASSWORD" ssh $SSH_OPTS -p "$SSH_PORT" root@localhost \
+    if sshpass -p "$ROOT_PASSWORD" ssh $SSH_OPTS -p "$SSH_PORT" "root@${VM_IP:-localhost}" \
         "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys" \
         < "$key.pub" >> "$LOGFILE" 2>&1; then
         SSH_KEY_OPT="-i $key"
diff --git a/scripts/testing/run-test-baremetal.sh b/scripts/testing/run-test-baremetal.sh
index ae88316..d040768 100755
--- a/scripts/testing/run-test-baremetal.sh
+++ b/scripts/testing/run-test-baremetal.sh
@@ -20,13 +20,16 @@ PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 
 # Source utilities
 source "$SCRIPT_DIR/lib/logging.sh"
-source "$SCRIPT_DIR/lib/validation.sh"
+source "$SCRIPT_DIR/lib/validation.sh"   # live helpers: ssh_cmd, capture_*_state, analyze_log_diff, generate_issue_report
+source "$SCRIPT_DIR/lib/vm-utils.sh"     # inject_root_key + SSH_OPTS/SSH_KEY_OPT for key auth
+source "$SCRIPT_DIR/lib/testinfra.sh"    # run_testinfra_validation (authoritative validator)
 
 # Parse arguments
 ROLLBACK_FIRST=false
 ROLLBACK_AFTER=false
 TARGET_HOST=""
 ROOT_PASSWORD=""
+PORT="22"
 
 usage() {
     echo "Usage: $0 --host <hostname> --password <root_password> [options]"
@@ -36,6 +39,7 @@ usage() {
     echo "  --password <password>   Root password for SSH"
     echo ""
     echo "Options:"
+    echo "  --port <port>           SSH port (default 22; use 2222 to target a test VM)"
     echo "  --rollback-first        Roll back to genesis snapshots before running"
     echo "  --rollback-after        Roll back to genesis snapshots after test (cleanup)"
     echo "  --validate-only         Skip archsetup, only run validation checks"
@@ -55,6 +59,10 @@ while [[ $# -gt 0 ]]; do
             ROOT_PASSWORD="${2:?--password requires a value}"
             shift 2
             ;;
+        --port)
+            PORT="${2:?--port requires a value}"
+            shift 2
+            ;;
         --rollback-first)
             ROLLBACK_FIRST=true
             shift
@@ -94,9 +102,16 @@ cleanup_baremetal() {
 }
 trap cleanup_baremetal EXIT
 
-# Override VM_IP for validation.sh ssh_cmd function
-# shellcheck disable=SC2034  # consumed by the sourced validation.sh
+# Connection globals consumed by ssh_cmd (validation.sh), inject_root_key
+# (vm-utils.sh), and run_testinfra_validation (testinfra.sh).
+# shellcheck disable=SC2034  # consumed by the sourced libraries
 VM_IP="$TARGET_HOST"
+# shellcheck disable=SC2034
+SSH_PORT="$PORT"
+# Test-user source for testinfra (reads USERNAME); the bare-metal user is the
+# archsetup default, cjennings, same as the VM conf.
+# shellcheck disable=SC2034
+ARCHSETUP_VM_CONF="$SCRIPT_DIR/archsetup-vm.conf"
 
 # Initialize logging
 mkdir -p "$TEST_RESULTS_DIR"
@@ -109,8 +124,8 @@ info "Target: $TARGET_HOST"
 # Test SSH connectivity
 step "Testing SSH connectivity to $TARGET_HOST"
 if ! sshpass -p "$ROOT_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-       -o ConnectTimeout=10 "root@$TARGET_HOST" "echo connected" &>/dev/null; then
-    fatal "Cannot connect to $TARGET_HOST via SSH"
+       -o ConnectTimeout=10 -p "$PORT" "root@$TARGET_HOST" "echo connected" &>/dev/null; then
+    fatal "Cannot connect to $TARGET_HOST:$PORT via SSH"
 fi
 success "SSH connection OK"
 
@@ -147,6 +162,15 @@ if $ROLLBACK_FIRST; then
     success "Reconnected"
 fi
 
+# Authorize a throwaway root key before archsetup hardens sshd. archsetup sets
+# PermitRootLogin prohibit-password and reloads sshd partway through, which kills
+# root *password* SSH; key auth survives it, so every later ssh_cmd and the
+# Testinfra sweep keep working. Placed after any genesis rollback so the key
+# isn't rolled away. Best-effort: a failure only risks the post-hardening steps.
+step "Authorizing throwaway root key (survives sshd hardening)"
+inject_root_key "$TEST_RESULTS_DIR/root_key" || \
+    warn "Continuing without an injected root key — SSH may fail after archsetup hardens sshd"
+
 if ! $VALIDATE_ONLY; then
     # Capture pre-install state
     capture_pre_install_state "$TEST_RESULTS_DIR"
@@ -161,7 +185,7 @@ if ! $VALIDATE_ONLY; then
     step "Transferring to $TARGET_HOST"
     ssh_cmd "rm -rf /tmp/archsetup-test && mkdir -p /tmp/archsetup-test"
     sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-        "$BUNDLE_FILE" "root@$TARGET_HOST:/tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
+        ${SSH_KEY_OPT:-} -P "$PORT" "$BUNDLE_FILE" "root@$TARGET_HOST:/tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
 
     step "Extracting on target"
     ssh_cmd "cd /tmp && git clone /tmp/archsetup.bundle archsetup-test && rm /tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
@@ -223,12 +247,12 @@ if ! $VALIDATE_ONLY; then
 
     step "Copying archsetup log"
     sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-        "root@$TARGET_HOST:/var/log/archsetup-*.log" "$TEST_RESULTS_DIR/" 2>> "$LOGFILE" || \
+        ${SSH_KEY_OPT:-} -P "$PORT" "root@$TARGET_HOST:/var/log/archsetup-*.log" "$TEST_RESULTS_DIR/" 2>> "$LOGFILE" || \
         warn "Could not copy archsetup log"
 
     step "Copying archsetup output"
     sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-        "root@$TARGET_HOST:$REMOTE_LOG" "$TEST_RESULTS_DIR/archsetup-output.log" 2>> "$LOGFILE" || \
+        ${SSH_KEY_OPT:-} -P "$PORT" "root@$TARGET_HOST:$REMOTE_LOG" "$TEST_RESULTS_DIR/archsetup-output.log" 2>> "$LOGFILE" || \
         warn "Could not copy output log"
 
     # Capture post-install state
@@ -239,13 +263,11 @@ else
     mkdir -p "$TEST_RESULTS_DIR/pre-install" "$TEST_RESULTS_DIR/post-install"
 fi
 
-# Run validations
-run_all_validations
-validate_all_services
-
-# Additional ZFS-specific validations
-section "ZFS-Specific Validations"
-validate_zfs_services
+# Run validations. Testinfra is the authoritative validator (same as the VM
+# runner); its ZFS-conditional pytest checks cover what validate_zfs_services
+# used to. It surfaces pass/fail through the VALIDATION_* counters the
+# TEST_PASSED check below reads, and connects over the key authorized above.
+run_testinfra_validation "$TEST_RESULTS_DIR"
 
 # Analyze logs if we ran archsetup
 if ! $VALIDATE_ONLY; then