author | Yureka <yuka@yuka.dev> | 2023-02-20 08:19:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-20 08:19:02 +0100 |
commit | ced929a2d02672e23f5c528829b9b99988476c16 (patch) | |
tree | bfb7aa57f566ca90a6e167f3d76222cce8d8b701 /nixos/tests | |
parent | fbf9888d266bc8e956af8dc25d719569331f2f0c (diff) |
nixos/tests: add test for luksroot and initrd keymaps (#189725)
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/luks.nix | 69 |
2 files changed, 70 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 86dd096afc0b0..ac15ecdad6b86 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -368,6 +368,7 @@ in {
 login = handleTest ./login.nix {};
 logrotate = handleTest ./logrotate.nix {};
 loki = handleTest ./loki.nix {};
+ luks = handleTest ./luks.nix {};
 lvm2 = handleTest ./lvm2 {};
 lxd = handleTest ./lxd.nix {};
 lxd-nftables = handleTest ./lxd-nftables.nix {};
diff --git a/nixos/tests/luks.nix b/nixos/tests/luks.nix
new file mode 100644
index 0000000000000..82f5095cb2602
--- /dev/null
+++ b/nixos/tests/luks.nix
@@ -0,0 +1,69 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "luks";
+
+ nodes.machine = { pkgs, ... }: {
+ # Use systemd-boot
+ virtualisation = {
+ emptyDiskImages = [ 512 512 ];
+ useBootLoader = true;
+ useEFIBoot = true;
+ };
+ boot.loader.systemd-boot.enable = true;
+
+ boot.kernelParams = lib.mkOverride 5 [ "console=tty1" ];
+
+ environment.systemPackages = with pkgs; [ cryptsetup ];
+
+ specialisation = rec {
+ boot-luks.configuration = {
+ boot.initrd.luks.devices = lib.mkVMOverride {
+ # We have two disks and only type one password - key reuse is in place
+ cryptroot.device = "/dev/vdc";
+ cryptroot2.device = "/dev/vdd";
+ };
+ virtualisation.bootDevice = "/dev/mapper/cryptroot";
+ };
+ boot-luks-custom-keymap.configuration = lib.mkMerge [
+ boot-luks.configuration
+ {
+ console.keyMap = "neo";
+ }
+ ];
+ };
+ };
+
+ enableOCR = true;
+
+ testScript = ''
+ # Create encrypted volume
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -")
+
+ # Boot from the encrypted disk
+ machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+ machine.succeed("sync")
+ machine.crash()
+
+ # Boot and decrypt the disk
+ machine.start()
+ machine.wait_for_text("Passphrase for")
+ machine.send_chars("supersecret\n")
+ machine.wait_for_unit("multi-user.target")
+
+ assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+
+ # Boot from the encrypted disk with custom keymap
+ machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-custom-keymap.conf")
+ machine.succeed("sync")
+ machine.crash()
+
+ # Boot and decrypt the disk
+ machine.start()
+ machine.wait_for_text("Passphrase for")
+ machine.send_chars("havfkhfrkfl\n")
+ machine.wait_for_unit("multi-user.target")
+
+ assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+ '';
+})
|
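Review bot: The passphrase `havfkhfrkfl` sent on the second boot in testScript has no explanation; it appears to be the QWERTY key positions that produce `supersecret` once `console.keyMap = "neo"` is active in the initrd, and a comment such as `# QWERTY key positions that type "supersecret" under the neo keymap` would keep a later editor from "correcting" it. Both `luksFormat` calls also pass `--iter-time=1`, which cuts the key-derivation work to about a millisecond; that is reasonable for a throwaway test VM, but `# --iter-time=1 only to keep the test fast; far too weak for a real volume` would stop the line being copied into a real setup. Passphrase reuse for `cryptroot2` seems to be covered only implicitly, by the boot reaching multi-user.target after a single prompt; an explicit check that `/dev/mapper/cryptroot2` exists after each boot would pin what the comment in `boot.initrd.luks.devices` promises.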