diff options
| author | Janne Heß <janne@hess.ooo> | 2022-04-13 22:27:58 +0100 |
|---|---|---|
| committer | Janne Heß <janne@hess.ooo> | 2022-04-18 11:42:47 +0100 |
| commit | 28c7721aa3caaeb84742250a911d951a7d817688 (patch) | |
| tree | 1891cd76a94f55fcfc7fbb97895c1149669396c2 /nixos | |
| parent | 1bea49d3bf339a708dc8724a9f2ebd3047e212b5 (diff) | |
| download | nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar.gz nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar.bz2 nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar.lz nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar.xz nixlib-28c7721aa3caaeb84742250a911d951a7d817688.tar.zst nixlib-28c7721aa3caaeb84742250a911d951a7d817688.zip | |
nixos/stage-1-systemd: Add a test for LUKS keyfiles
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/systemd-initrd-luks-keyfile.nix | 53 |
2 files changed, 54 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 3f3e672d6fd5..5158bc681e08 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -524,6 +524,7 @@ in systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-escaping = handleTest ./systemd-escaping.nix {}; + systemd-initrd-luks-keyfile = handleTest ./systemd-initrd-luks-keyfile.nix {}; systemd-initrd-luks-password = handleTest ./systemd-initrd-luks-password.nix {}; systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; }; systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix {}; diff --git a/nixos/tests/systemd-initrd-luks-keyfile.nix b/nixos/tests/systemd-initrd-luks-keyfile.nix new file mode 100644 index 000000000000..970163c36a4f --- /dev/null +++ b/nixos/tests/systemd-initrd-luks-keyfile.nix @@ -0,0 +1,53 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: let + + keyfile = pkgs.writeText "luks-keyfile" '' + MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2 + gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6 + FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC + ''; + +in { + name = "systemd-initrd-luks-keyfile"; + + nodes.machine = { pkgs, ... }: { + # Use systemd-boot + virtualisation = { + emptyDiskImages = [ 512 ]; + useBootLoader = true; + useEFIBoot = true; + }; + boot.loader.systemd-boot.enable = true; + + environment.systemPackages = with pkgs; [ cryptsetup ]; + boot.initrd.systemd = { + enable = true; + emergencyAccess = true; + }; + + specialisation.boot-luks.configuration = { + boot.initrd.luks.devices = lib.mkVMOverride { + cryptroot = { + device = "/dev/vdc"; + keyFile = "/etc/cryptroot.key"; + }; + }; + virtualisation.bootDevice = "/dev/mapper/cryptroot"; + boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile; + }; + }; + + testScript = '' + # Create encrypted volume + machine.wait_for_unit("multi-user.target") + machine.succeed("cryptsetup luksFormat -q --iter-time=1 -d ${keyfile} /dev/vdc") + + # Boot from the encrypted disk + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") + machine.succeed("sync") + machine.crash() + + # Boot and decrypt the disk + machine.wait_for_unit("multi-user.target") + assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") + ''; +}) |