# NixOS VM test: boot from a LUKS-encrypted root disk by typing the passphrase
# at the boot-time prompt, first with the default console keymap and then with
# a custom one.
import ./make-test-python.nix (
  { lib, pkgs, ... }:
  let
    # Throwaway fixture passphrase for the test VM. It is hard-coded and
    # visible in the test script, so it is not a pattern for handling the
    # key of a real volume.
    passphrase = "supersecret";

    # The key presses that produce `passphrase` once the console keymap is
    # "neo". The custom-keymap boot sends these instead of the passphrase
    # itself, so it only succeeds if the keymap is already active at the
    # passphrase prompt.
    passphraseKeysOnNeo = "havfkhfrkfl";

    # Configuration shared by both specialisations: open the two LUKS
    # devices during boot and use the first mapping as the root device.
    luksBoot = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        # We have two disks and only type one password - key reuse is in place
        cryptroot.device = "/dev/vdb";
        cryptroot2.device = "/dev/vdc";
      };
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
    };
  in
  {
    name = "luks";

    nodes.machine =
      { pkgs, ... }:
      {
        imports = [ ./common/auto-format-root-device.nix ];

        # Two blank disk images; the test script formats them as /dev/vdb
        # and /dev/vdc.
        virtualisation.emptyDiskImages = [
          512
          512
        ];

        # Use systemd-boot (on EFI)
        virtualisation.useBootLoader = true;
        virtualisation.useEFIBoot = true;
        boot.loader.systemd-boot.enable = true;

        # To boot off the encrypted disk, we need to have a init script which
        # comes from the Nix store
        virtualisation.mountHostNixStore = true;

        # NOTE(review): presumably forces the console onto tty1 so that the
        # passphrase prompt is on the screen the OCR reads - confirm.
        boot.kernelParams = lib.mkOverride 5 [ "console=tty1" ];

        # cryptsetup is needed inside the VM to create the LUKS volumes.
        environment.systemPackages = [ pkgs.cryptsetup ];

        specialisation = {
          boot-luks.configuration = luksBoot;
          boot-luks-custom-keymap.configuration = lib.mkMerge [
            luksBoot
            {
              console.keyMap = "neo";
            }
          ];
        };
      };

    # The passphrase prompt is detected on screen with wait_for_text.
    enableOCR = true;

    # Notes on the script below:
    #  * `--iter-time=1` limits cryptsetup to about 1 ms of passphrase
    #    hashing (PBKDF) work so that formatting is fast in the VM. A key
    #    slot created this way is very cheap to brute-force; that is only
    #    acceptable because these volumes are disposable test fixtures.
    #  * `sync` runs before each `machine.crash()`, presumably so that the
    #    new boot default is on disk before the VM is stopped abruptly.
    #  * Only the cryptroot mapping is asserted (mounted on / as ext4);
    #    cryptroot2 is not checked explicitly.
    testScript = ''
      # Create encrypted volume
      machine.wait_for_unit("multi-user.target")
      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")

      # Boot from the encrypted disk
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
      machine.succeed("sync")
      machine.crash()

      # Boot and decrypt the disk
      machine.start()
      machine.wait_for_text("Passphrase for")
      machine.send_chars("${passphrase}\n")
      machine.wait_for_unit("multi-user.target")

      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")

      # Boot from the encrypted disk with custom keymap
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-custom-keymap.conf")
      machine.succeed("sync")
      machine.crash()

      # Boot and decrypt the disk
      machine.start()
      machine.wait_for_text("Passphrase for")
      machine.send_chars("${passphraseKeysOnNeo}\n")
      machine.wait_for_unit("multi-user.target")

      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
    '';
  }
)