author | Janne Heß <janne@hess.ooo> | 2022-04-13 19:45:29 +0100 |
---|---|---|
committer | Janne Heß <janne@hess.ooo> | 2022-04-18 11:42:45 +0100 |
commit | 1bea49d3bf339a708dc8724a9f2ebd3047e212b5 (patch) | |
tree | e87876df76d851946dc784bb38026f169f669569 /nixos/tests/systemd-initrd-luks-password.nix | |
parent | 33cf95ef36d9e2e7aec511297de9a845d6b729fe (diff) |
nixos/stage-1-systemd: Add LUKS w/ password support
Diffstat (limited to 'nixos/tests/systemd-initrd-luks-password.nix')
-rw-r--r-- | nixos/tests/systemd-initrd-luks-password.nix | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/nixos/tests/systemd-initrd-luks-password.nix b/nixos/tests/systemd-initrd-luks-password.nix
new file mode 100644
index 0000000000000..e8e651f7b35f8
--- /dev/null
+++ b/nixos/tests/systemd-initrd-luks-password.nix
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "systemd-initrd-luks-password";
+
+ nodes.machine = { pkgs, ... }: {
+ # Use systemd-boot
+ virtualisation = {
+ emptyDiskImages = [ 512 512 ];
+ useBootLoader = true;
+ useEFIBoot = true;
+ };
+ boot.loader.systemd-boot.enable = true;
+
+ environment.systemPackages = with pkgs; [ cryptsetup ];
+ boot.initrd.systemd = {
+ enable = true;
+ emergencyAccess = true;
+ };
+
+ specialisation.boot-luks.configuration = {
+ boot.initrd.luks.devices = lib.mkVMOverride {
+ # We have two disks and only type one password - key reuse is in place
+ cryptroot.device = "/dev/vdc";
+ cryptroot2.device = "/dev/vdd";
+ };
+ virtualisation.bootDevice = "/dev/mapper/cryptroot";
+ };
+ };
+
+ testScript = ''
+ # Create encrypted volume
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -")
+
+ # Boot from the encrypted disk
+ machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+ machine.succeed("sync")
+ machine.crash()
+
+ # Boot and decrypt the disk
+ machine.start()
+ machine.wait_for_console_text("Please enter passphrase for disk cryptroot")
+ machine.send_console("supersecret\n")
+ machine.wait_for_unit("multi-user.target")
+
+ assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+ '';
+})
|
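Review bot: The final assertion in `testScript` only checks that `/dev/mapper/cryptroot` is mounted on `/`, so the second volume that the comment says is covered by passphrase reuse (`cryptroot2` on `/dev/vdd`) is never verified explicitly; if it stayed locked the test would presumably fail only through a timeout, not a clear assertion. Adding `machine.succeed("cryptsetup status cryptroot2")` after the last `wait_for_unit` would pin the key-reuse behaviour the test is meant to cover. Separately, `emergencyAccess = true` (unauthenticated emergency shell in the initrd) and `--iter-time=1` (minimal key-derivation cost) are test-only conveniences that weaken the protection LUKS provides, so each deserves a short comment such as `# test only: do not copy into a real configuration`.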