···

       
46
       
46
       
 
       
    SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd"

     

       
47
       
47
       
 
       
  '';

     

       
48
       
48
       
 
       


     

       
49
       
49
       
+
       
  nixosInitrdRules = ''

     

       
50
       
50
       
+
       
    # Mark dm devices as db_persist so that they are kept active after switching root

     

       
51
       
51
       
+
       
    SUBSYSTEM=="block", KERNEL=="dm-[0-9]*", ACTION=="add|change", OPTIONS+="db_persist"

     

       
52
       
52
       
+
       
  '';

     

       
53
       
53
       
+
       


     

       
49
       
54
       
 
       
  # Perform substitutions in all udev rules files.

     

       
50
       
55
       
 
       
  udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name

     

       
51
       
56
       
 
       
    { preferLocalBuild = true;

     
···

       
364
       
369
       
 
       
        EOF

     

       
365
       
370
       
 
       
      '';

     

       
366
       
371
       
 
       


     

       
372
       
372
       
+
       
    boot.initrd.services.udev.rules = nixosInitrdRules;

     

       
373
       
373
       
+
       


     

       
367
       
374
       
 
       
    boot.initrd.systemd.additionalUpstreamUnits = [

     

       
368
       
368
       
-
       
      # TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953

     

       
375
       
375
       
+
       
      "initrd-udevadm-cleanup-db.service"

     

       
369
       
376
       
 
       
      "systemd-udevd-control.socket"

     

       
370
       
377
       
 
       
      "systemd-udevd-kernel.socket"

     

       
371
       
378
       
 
       
      "systemd-udevd.service"

     

···

       
23
       
23
       
 
       
        cryptroot2.device = "/dev/vdd";

     

       
24
       
24
       
 
       
      };

     

       
25
       
25
       
 
       
      virtualisation.bootDevice = "/dev/mapper/cryptroot";

     

       
26
       
26
       
+
       
      # test mounting device unlocked in initrd after switching root

     

       
27
       
27
       
+
       
      virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";

     

       
26
       
28
       
 
       
    };

     

       
27
       
29
       
 
       
  };

     

       
28
       
30
       
 
       


     
···

       
31
       
33
       
 
       
    machine.wait_for_unit("multi-user.target")

     

       
32
       
34
       
 
       
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")

     

       
33
       
35
       
 
       
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -")

     

       
36
       
36
       
+
       
    machine.succeed("echo -n supersecret | cryptsetup luksOpen   -q               /dev/vdd cryptroot2")

     

       
37
       
37
       
+
       
    machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")

     

       
34
       
38
       
 
       


     

       
35
       
39
       
 
       
    # Boot from the encrypted disk

     

       
36
       
40
       
 
       
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")

     
···

       
44
       
48
       
 
       
    machine.wait_for_unit("multi-user.target")

     

       
45
       
49
       
 
       


     

       
46
       
50
       
 
       
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")

     

       
51
       
51
       
+
       
    assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount")

     

       
47
       
52
       
 
       
  '';

     

       
48
       
53
       
 
       
})