mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-19 11:23:29 +00:00
aa0ce1a26e
Given that we were overriding qemu_test to enable this anyway, enabling this by default saves Hydra a QEMU build. There's also clear demand from users[1] for this feature, so our alternatives are: - Offer a qemu-canokey attribute. I don't want to do this, because I don't think there's any reason to make Hydra build an extra QEMU. - Enable it only for qemu_test. I don't want to do this, because it will lead to users using qemu_test without understanding its subtleties. - Force users to build from source. I don't think there's any reason to do this when it's unlikely to hurt anybody having it enabled by default. There's no reason to single out canokey to be disabled by default in spite of users' needs given that we enable so many other optional QEMU features. [1]: https://github.com/canokeys/canokey-qemu/issues/6
48 lines
1.6 KiB
Nix
48 lines
1.6 KiB
Nix
import ./make-test-python.nix ({ lib, pkgs, ... }: {
|
|
name = "systemd-initrd-luks-fido2";
|
|
|
|
nodes.machine = { pkgs, config, ... }: {
|
|
# Use systemd-boot
|
|
virtualisation = {
|
|
emptyDiskImages = [ 512 ];
|
|
useBootLoader = true;
|
|
# Booting off the encrypted disk requires having a Nix store available for the init script
|
|
mountHostNixStore = true;
|
|
useEFIBoot = true;
|
|
qemu.options = [ "-device canokey,file=/tmp/canokey-file" ];
|
|
};
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
boot.initrd.systemd.enable = true;
|
|
|
|
environment.systemPackages = with pkgs; [ cryptsetup ];
|
|
|
|
specialisation.boot-luks.configuration = {
|
|
boot.initrd.luks.devices = lib.mkVMOverride {
|
|
cryptroot = {
|
|
device = "/dev/vdb";
|
|
crypttabExtraOpts = [ "fido2-device=auto" ];
|
|
};
|
|
};
|
|
virtualisation.rootDevice = "/dev/mapper/cryptroot";
|
|
virtualisation.fileSystems."/".autoFormat = true;
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
# Create encrypted volume
|
|
machine.wait_for_unit("multi-user.target")
|
|
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
|
|
machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --fido2-device=auto /dev/vdb |& systemd-cat")
|
|
|
|
# Boot from the encrypted disk
|
|
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
|
|
machine.succeed("sync")
|
|
machine.crash()
|
|
|
|
# Boot and decrypt the disk
|
|
machine.wait_for_unit("multi-user.target")
|
|
assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
|
|
'';
|
|
})
|