nixpkgs/nixos/tests/systemd-initrd-luks-fido2.nix
Alyssa Ross aa0ce1a26e qemu: enable canokey by default
Given that we were overriding qemu_test to enable this anyway,
enabling this by default saves Hydra a QEMU build.

There's also clear demand from users[1] for this feature, so our
alternatives are:

 - Offer a qemu-canokey attribute.  I don't want to do this, because I
   don't think there's any reason to make Hydra build an extra QEMU.

 - Enable it only for qemu_test.  I don't want to do this, because it
   will lead to users using qemu_test without understanding its
   subtleties.

 - Force users to build from source.  I don't think there's any reason
   to do this when it's unlikely to hurt anybody having it enabled by
   default.  There's no reason to single out canokey to be disabled by
   default in spite of users' needs given that we enable so many other
   optional QEMU features.

[1]: https://github.com/canokeys/canokey-qemu/issues/6
2024-05-22 18:26:30 +02:00


import ./make-test-python.nix ({ lib, pkgs, ... }: {
  # Boots a VM whose root filesystem lives on a LUKS volume that the systemd
  # initrd unlocks through an emulated FIDO2 token (QEMU's canokey device),
  # instead of an interactive passphrase prompt.
  name = "systemd-initrd-luks-fido2";

  nodes.machine = { pkgs, config, ... }: {
    virtualisation = {
      # A second, empty 512 MiB disk; the test script turns it into the LUKS volume.
      emptyDiskImages = [ 512 ];
      # Use systemd-boot on EFI rather than direct kernel boot, so that a
      # specialisation can be selected with bootctl.
      useBootLoader = true;
      useEFIBoot = true;
      # Booting off the encrypted disk requires having a Nix store available for the init script
      mountHostNixStore = true;
      # Emulated FIDO2 token; its persistent state is kept in /tmp/canokey-file
      # on the host side of the VM.
      qemu.options = [ "-device canokey,file=/tmp/canokey-file" ];
    };

    boot = {
      loader.systemd-boot.enable = true;
      initrd.systemd.enable = true;
    };

    environment.systemPackages = [ pkgs.cryptsetup ];

    # Second boot entry, chosen from the test script via bootctl, that mounts
    # the encrypted volume as /.
    specialisation.boot-luks.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        cryptroot = {
          device = "/dev/vdb";
          # Tell systemd-cryptsetup to unlock with whatever FIDO2 device is
          # present (the canokey enrolled by the test script).
          crypttabExtraOpts = [ "fido2-device=auto" ];
        };
      };
      virtualisation = {
        rootDevice = "/dev/mapper/cryptroot";
        fileSystems."/".autoFormat = true;
      };
    };
  };

  testScript = ''
    # Create encrypted volume.  The passphrase and --iter-time=1 (minimal
    # key-derivation cost) are test fixtures chosen for speed, not a template
    # for real deployments.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
    # Enroll the emulated FIDO2 token as an additional keyslot; systemd-cryptenroll
    # takes the existing passphrase from $PASSWORD.  Both stdout and stderr go to
    # the journal so a failed enrolment is visible in the test log.
    machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --fido2-device=auto /dev/vdb |& systemd-cat")
    # Boot from the encrypted disk: make the boot-luks specialisation the default
    # entry, flush it to disk, and hard-reset the VM.
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()
    # Boot and decrypt the disk; reaching multi-user.target means the initrd
    # unlocked cryptroot with the token, and the mount check confirms / is on it.
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
  '';
})