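# NixOS VM test: boot from a LUKS-encrypted root spread over two encrypted
# disks, unlocking both with a single typed passphrase, first with the
# default console keymap and then with a custom ("neo") keymap.
{ lib, pkgs, ... }:
{
  name = "luks";

  nodes.machine =
    { pkgs, ... }:
    {
      imports = [ ./common/auto-format-root-device.nix ];

      # Use systemd-boot
      virtualisation = {
        # Two scratch disks (/dev/vdb, /dev/vdc); the test script luksFormats both.
        emptyDiskImages = [
          512
          512
        ];
        useBootLoader = true;
        useEFIBoot = true;
        # To boot off the encrypted disk, we need to have a init script which comes from the Nix store
        mountHostNixStore = true;
      };
      boot.loader.systemd-boot.enable = true;

      # Priority 5 wins over the VM test defaults (mkVMOverride is 10);
      # presumably so the passphrase prompt lands on the console that OCR reads.
      boot.kernelParams = lib.mkOverride 5 [ "console=tty1" ];

      # cryptsetup is needed by the test script to format the disks and to
      # check which mappings are active after boot.
      environment.systemPackages = with pkgs; [ cryptsetup ];

      specialisation = rec {
        boot-luks.configuration = {
          boot.initrd.luks.devices = lib.mkVMOverride {
            # We have two disks and only type one password - key reuse is in place
            # (assumes the NixOS default boot.initrd.luks.reusePassphrases = true).
            cryptroot.device = "/dev/vdb";
            cryptroot2.device = "/dev/vdc";
          };
          virtualisation.rootDevice = "/dev/mapper/cryptroot";
        };
        # Same setup, but the initrd console uses the "neo" layout, so the
        # passphrase has to be entered as the keys that produce it under neo.
        boot-luks-custom-keymap.configuration = lib.mkMerge [
          boot-luks.configuration
          {
            console.keyMap = "neo";
          }
        ];
      };
    };

  # wait_for_text() below reads the VM screen, which needs OCR.
  enableOCR = true;

  testScript = ''
    # Create encrypted volume
    # --iter-time=1 keeps the PBKDF cheap so the test stays fast; acceptable only
    # for a throwaway test volume, never for real data.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")

    # Boot from the encrypted disk
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk
    machine.start()
    machine.wait_for_text("Passphrase for")
    machine.send_chars("supersecret\n")
    machine.wait_for_unit("multi-user.target")

    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
    # The second disk must have been unlocked with the one passphrase we typed;
    # the root mount alone does not prove that passphrase reuse worked.
    machine.succeed("cryptsetup status cryptroot2")

    # Boot from the encrypted disk with custom keymap
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-custom-keymap.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk
    machine.start()
    machine.wait_for_text("Passphrase for")
    # These are the US-layout key positions that produce "supersecret" under the
    # neo keymap; typing "supersecret" literally would yield a wrong passphrase.
    machine.send_chars("havfkhfrkfl\n")
    machine.wait_for_unit("multi-user.target")

    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
    # Passphrase reuse must also work under the custom keymap.
    machine.succeed("cryptsetup status cryptroot2")
  '';
}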