{ lib, pkgs, ... }:
let
  # Throwaway key used only by this VM test. pkgs.writeText places it in the
  # Nix store, which is world-readable, so it must never be reused for a real volume.
  luksKey = pkgs.writeText "luks-keyfile" ''
    MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
    gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
    FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
  '';
in
{
  name = "systemd-initrd-luks-keyfile";

  nodes.machine =
    { pkgs, ... }:
    {
      # Boot the VM through a real bootloader (systemd-boot on EFI) so that the
      # specialisation below can be selected with bootctl from the test script.
      virtualisation.emptyDiskImages = [ 512 ];
      virtualisation.useBootLoader = true;
      # Necessary to boot off the encrypted disk because it requires an init script coming from the Nix store
      virtualisation.mountHostNixStore = true;
      virtualisation.useEFIBoot = true;
      boot.loader.systemd-boot.enable = true;

      environment.systemPackages = [ pkgs.cryptsetup ];

      # systemd in stage 1 is the component under test. emergencyAccess lets the
      # stage-1 emergency shell be entered without a password; it is enabled here
      # purely so a failing test VM can be inspected.
      boot.initrd.systemd.enable = true;
      boot.initrd.systemd.emergencyAccess = true;

      # Second boot entry: root lives on the LUKS volume on /dev/vdb and is unlocked
      # with the keyfile that boot.initrd.secrets embeds in the initrd as /etc/cryptroot.key.
      specialisation.boot-luks.configuration = {
        boot.initrd.luks.devices = lib.mkVMOverride {
          cryptroot.device = "/dev/vdb";
          cryptroot.keyFile = "/etc/cryptroot.key";
        };
        virtualisation.rootDevice = "/dev/mapper/cryptroot";
        virtualisation.fileSystems."/".autoFormat = true;
        boot.initrd.secrets."/etc/cryptroot.key" = luksKey;
      };
    };

  # Flow: format /dev/vdb from the first (unencrypted) generation, make the
  # boot-luks specialisation the default entry, crash the VM, and check that the
  # decrypted mapper device ends up mounted as root. --iter-time=1 only keeps the
  # PBKDF cost low so the test runs quickly.
  testScript = ''
    # Create encrypted volume
    machine.wait_for_unit("multi-user.target")
    machine.succeed("cryptsetup luksFormat -q --iter-time=1 -d ${luksKey} /dev/vdb")

    # Boot from the encrypted disk
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
  '';
}