commit 21b6bec0ff14f55c37a655529d6ad2e81f1c4212 · pyrox.dev/nixpkgs

+20

nixos/doc/manual/release-notes/rl-2305.section.md

···

       363
        
       

     

       364
        
       - `nextcloud` has an option to enable SSE-C in S3.

     

       365
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       366
        
       - `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.

     

       367
        
         Before upgrading, read the release notes for PeerTube:

     

       368
        
           - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)

···

       363
        
       

     

       364
        
       - `nextcloud` has an option to enable SSE-C in S3.

     

       365
        
       

     

       366
       +
       - NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the

     

       367
       +
         underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:

     

       368
       +
       

     

       369
       +
         ```nix

     

       370
       +
         {

     

       371
       +
           swapDevices = [

     

       372
       +
             {

     

       373
       +
               device = "/dev/disk/by-partlabel/swapspace";

     

       374
       +
       

     

       375
       +
               randomEncryption = {

     

       376
       +
                 enable = true;

     

       377
       +
                 cipher = "aes-xts-plain64";

     

       378
       +
                 keySize = 512;

     

       379
       +
                 sectorSize = 4096;

     

       380
       +
               };

     

       381
       +
             }

     

       382
       +
           ];

     

       383
       +
         }

     

       384
       +
         ```

     

       385
       +
       

     

       386
        
       - `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.

     

       387
        
         Before upgrading, read the release notes for PeerTube:

     

       388
        
           - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)

+36 -3

nixos/modules/config/swap.nix

···

       38
        
               '';

     

       39
        
             };

     

       40
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       41
        
             source = mkOption {

     

       42
        
               default = "/dev/urandom";

     

       43
        
               example = "/dev/random";

     
···

       157
        
       

     

       158
        
           };

     

       159
        
       

     

       160
       -
           config = rec {

     

       161
        
             device = mkIf options.label.isDefined

     

       162
        
               "/dev/disk/by-label/${config.label}";

     

       163
        
             deviceName = lib.replaceStrings ["\\"] [""] (escapeSystemdPath config.device);

     

       164
       -
             realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;

     

       165
        
           };

     

       166
        
       

     

       167
        
         };

     
···

       247
        
                       ''}

     

       248
        
                       ${optionalString sw.randomEncryption.enable ''

     

       249
        
                         cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} \

     

       250
       -
                           ${optionalString sw.randomEncryption.allowDiscards "--allow-discards"} ${sw.device} ${sw.deviceName}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       251
        
                         mkswap ${sw.realDevice}

     

       252
        
                       ''}

     

       253
        
                     '';

···

       38
        
               '';

     

       39
        
             };

     

       40
        
       

     

       41
       +
             keySize = mkOption {

     

       42
       +
               default = null;

     

       43
       +
               example = "512";

     

       44
       +
               type = types.nullOr types.int;

     

       45
       +
               description = lib.mdDoc ''

     

       46
       +
                 Set the encryption key size for the plain device.

     

       47
       +
       

     

       48
       +
                 If not specified, the amount of data to read from `source` will be

     

       49
       +
                 determined by cryptsetup.

     

       50
       +
       

     

       51
       +
                 See `cryptsetup-open(8)` for details.

     

       52
       +
               '';

     

       53
       +
             };

     

       54
       +
       

     

       55
       +
             sectorSize = mkOption {

     

       56
       +
               default = null;

     

       57
       +
               example = "4096";

     

       58
       +
               type = types.nullOr types.int;

     

       59
       +
               description = lib.mdDoc ''

     

       60
       +
                 Set the sector size for the plain encrypted device type.

     

       61
       +
       

     

       62
       +
                 If not specified, the default sector size is determined from the

     

       63
       +
                 underlying block device.

     

       64
       +
       

     

       65
       +
                 See `cryptsetup-open(8)` for details.

     

       66
       +
               '';

     

       67
       +
             };

     

       68
       +
       

     

       69
        
             source = mkOption {

     

       70
        
               default = "/dev/urandom";

     

       71
        
               example = "/dev/random";

     
···

       185
        
       

     

       186
        
           };

     

       187
        
       

     

       188
       +
           config = {

     

       189
        
             device = mkIf options.label.isDefined

     

       190
        
               "/dev/disk/by-label/${config.label}";

     

       191
        
             deviceName = lib.replaceStrings ["\\"] [""] (escapeSystemdPath config.device);

     

       192
       +
             realDevice = if config.randomEncryption.enable then "/dev/mapper/${config.deviceName}" else config.device;

     

       193
        
           };

     

       194
        
       

     

       195
        
         };

     
···

       275
        
                       ''}

     

       276
        
                       ${optionalString sw.randomEncryption.enable ''

     

       277
        
                         cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} \

     

       278
       +
                       '' + concatLines (filter (s: s != "") [

     

       279
       +
                           (optionalString (sw.randomEncryption.sectorSize != null) "--sector-size=${toString sw.randomEncryption.sectorSize} \\")

     

       280
       +
                           (optionalString (sw.randomEncryption.keySize != null) "--key-size=${toString sw.randomEncryption.keySize} \\")

     

       281
       +
                           (optionalString sw.randomEncryption.allowDiscards "--allow-discards \\")

     

       282
       +
                         ]) + ''

     

       283
       +
                           ${sw.device} ${sw.deviceName}

     

       284
        
                         mkswap ${sw.realDevice}

     

       285
        
                       ''}

     

       286
        
                     '';

nixos/tests/all-tests.nix

···

       667
        
         sudo = handleTest ./sudo.nix {};

     

       668
        
         swap-file-btrfs = handleTest ./swap-file-btrfs.nix {};

     

       669
        
         swap-partition = handleTest ./swap-partition.nix {};

     

       0
        
       
     

       670
        
         sway = handleTest ./sway.nix {};

     

       671
        
         switchTest = handleTest ./switch-test.nix {};

     

       672
        
         sympa = handleTest ./sympa.nix {};

···

       667
        
         sudo = handleTest ./sudo.nix {};

     

       668
        
         swap-file-btrfs = handleTest ./swap-file-btrfs.nix {};

     

       669
        
         swap-partition = handleTest ./swap-partition.nix {};

     

       670
       +
         swap-random-encryption = handleTest ./swap-random-encryption.nix {};

     

       671
        
         sway = handleTest ./sway.nix {};

     

       672
        
         switchTest = handleTest ./switch-test.nix {};

     

       673
        
         sympa = handleTest ./sympa.nix {};

+80

nixos/tests/swap-random-encryption.nix

···

       1
       +
       import ./make-test-python.nix ({ lib, pkgs, ... }:

     

       2
       +
       {

     

       3
       +
         name = "swap-random-encryption";

     

       4
       +
       

     

       5
       +
         nodes.machine =

     

       6
       +
           { config, pkgs, lib, ... }:

     

       7
       +
           {

     

       8
       +
             environment.systemPackages = [ pkgs.cryptsetup ];

     

       9
       +
       

     

       10
       +
             virtualisation.useDefaultFilesystems = false;

     

       11
       +
       

     

       12
       +
             virtualisation.rootDevice = "/dev/vda1";

     

       13
       +
       

     

       14
       +
             boot.initrd.postDeviceCommands = ''

     

       15
       +
               if ! test -b /dev/vda1; then

     

       16
       +
                 ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos

     

       17
       +
                 ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB

     

       18
       +
                 ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%

     

       19
       +
                 sync

     

       20
       +
               fi

     

       21
       +
       

     

       22
       +
               FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)

     

       23
       +
               if test -z "$FSTYPE"; then

     

       24
       +
                 ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1

     

       25
       +
               fi

     

       26
       +
             '';

     

       27
       +
       

     

       28
       +
             virtualisation.fileSystems = {

     

       29
       +
               "/" = {

     

       30
       +
                 device = "/dev/disk/by-label/root";

     

       31
       +
                 fsType = "ext4";

     

       32
       +
               };

     

       33
       +
             };

     

       34
       +
       

     

       35
       +
             swapDevices = [

     

       36
       +
               {

     

       37
       +
                 device = "/dev/vda2";

     

       38
       +
       

     

       39
       +
                 randomEncryption = {

     

       40
       +
                   enable = true;

     

       41
       +
                   cipher = "aes-xts-plain64";

     

       42
       +
                   keySize = 512;

     

       43
       +
                   sectorSize = 4096;

     

       44
       +
                 };

     

       45
       +
               }

     

       46
       +
             ];

     

       47
       +
           };

     

       48
       +
       

     

       49
       +
         testScript = ''

     

       50
       +
           machine.wait_for_unit("multi-user.target")

     

       51
       +
       

     

       52
       +
           with subtest("Swap is active"):

     

       53
       +
             # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.

     

       54
       +
             machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")

     

       55
       +
       

     

       56
       +
           with subtest("Swap device has 4k sector size"):

     

       57
       +
             import json

     

       58
       +
             result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))

     

       59
       +
             block_devices = result["blockdevices"]

     

       60
       +
             if len(block_devices) != 1:

     

       61
       +
               raise Exception ("lsblk output did not report exactly one block device")

     

       62
       +
       

     

       63
       +
             swapDevice = block_devices[0];

     

       64
       +
             if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):

     

       65
       +
               raise Exception ("swap device does not have the sector size specified in the configuration")

     

       66
       +
       

     

       67
       +
           with subtest("Swap encrypt has assigned cipher and keysize"):

     

       68
       +
             import re

     

       69
       +
       

     

       70
       +
             results = machine.succeed("cryptsetup status dev-vda2").splitlines()

     

       71
       +
       

     

       72
       +
             cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")

     

       73
       +
             if not any(cipher_pattern.fullmatch(line) for line in results):

     

       74
       +
               raise Exception ("swap device encryption does not use the cipher specified in the configuration")

     

       75
       +
       

     

       76
       +
             key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")

     

       77
       +
             if not any(key_size_pattern.fullmatch(line) for line in results):

     

       78
       +
               raise Exception ("swap device encryption does not use the key size specified in the configuration")

     

       79
       +
         '';

     

       80
       +
       })