commit f1054a79c85b9d3668193b44429036577e7d9a0c · pyrox.dev/nixpkgs

+65
nixos/tests/systemd-repart.nix
···

       115
       115
        
             '';

     

       116
       116
        
         };

     

       117
       117
        
       

     

       118
       118
       +
         encrypt-tpm2 = makeTest {

     

       119
       119
       +
           name = "systemd-repart-encrypt-tpm2";

     

       120
       120
       +
           meta.maintainers = with maintainers; [ flokli ];

     

       121
       121
       +
       

     

       122
       122
       +
           nodes.machine =

     

       123
       123
       +
             {

     

       124
       124
       +
               config,

     

       125
       125
       +
               pkgs,

     

       126
       126
       +
               lib,

     

       127
       127
       +
               ...

     

       128
       128
       +
             }:

     

       129
       129
       +
             {

     

       130
       130
       +
               imports = [ common ];

     

       131
       131
       +
       

     

       132
       132
       +
               boot.initrd.systemd.enable = true;

     

       133
       133
       +
       

     

       134
       134
       +
               boot.initrd.availableKernelModules = [ "dm_crypt" ];

     

       135
       135
       +
               boot.initrd.luks.devices = lib.mkVMOverride {

     

       136
       136
       +
                 created-crypt = {

     

       137
       137
       +
                   device = "/dev/disk/by-partlabel/created-crypt";

     

       138
       138
       +
                   crypttabExtraOpts = [ "tpm2-device=auto" ];

     

       139
       139
       +
                 };

     

       140
       140
       +
               };

     

       141
       141
       +
               boot.initrd.systemd.repart.enable = true;

     

       142
       142
       +
               boot.initrd.systemd.repart.extraArgs = [

     

       143
       143
       +
                 "--tpm2-pcrs=7"

     

       144
       144
       +
               ];

     

       145
       145
       +
               systemd.repart.partitions = {

     

       146
       146
       +
                 "10-root" = {

     

       147
       147
       +
                   Type = "linux-generic";

     

       148
       148
       +
                 };

     

       149
       149
       +
                 "10-crypt" = {

     

       150
       150
       +
                   Type = "var";

     

       151
       151
       +
                   Label = "created-crypt";

     

       152
       152
       +
                   Format = "ext4";

     

       153
       153
       +
                   Encrypt = "tpm2";

     

       154
       154
       +
                 };

     

       155
       155
       +
               };

     

       156
       156
       +
               virtualisation.tpm.enable = true;

     

       157
       157
       +
               virtualisation.fileSystems = {

     

       158
       158
       +
                 "/var" = {

     

       159
       159
       +
                   device = "/dev/mapper/created-crypt";

     

       160
       160
       +
                   fsType = "ext4";

     

       161
       161
       +
                 };

     

       162
       162
       +
               };

     

       163
       163
       +
             };

     

       164
       164
       +
       

     

       165
       165
       +
           testScript =

     

       166
       166
       +
             { nodes, ... }:

     

       167
       167
       +
             ''

     

       168
       168
       +
               ${useDiskImage {

     

       169
       169
       +
                 inherit (nodes) machine;

     

       170
       170
       +
                 sizeDiff = "+100M";

     

       171
       171
       +
               }}

     

       172
       172
       +
       

     

       173
       173
       +
               machine.start()

     

       174
       174
       +
               machine.wait_for_unit("multi-user.target")

     

       175
       175
       +
       

     

       176
       176
       +
               systemd_repart_logs = machine.succeed("journalctl --boot --unit systemd-repart.service")

     

       177
       177
       +
               assert "Encrypting future partition 2" in systemd_repart_logs

     

       178
       178
       +
       

     

       179
       179
       +
               assert "/dev/mapper/created-crypt" in machine.succeed("mount")

     

       180
       180
       +
             '';

     

       181
       181
       +
         };

     

       182
       182
       +
       

     

       118
       183
        
         after-initrd = makeTest {

     

       119
       184
        
           name = "systemd-repart-after-initrd";

     

       120
       185
        
           meta.maintainers = with maintainers; [ nikstur ];