{ system ? builtins.currentSystem,
|
|
config ? {},
|
|
pkgs ? import ../.. { inherit system config; },
|
|
systemdStage1 ? false
|
|
}:
|
|
|
|
with import ../lib/testing-python.nix { inherit system pkgs; };
|
|
with pkgs.lib;
|
|
|
|
let
# The configuration to install.
makeConfig = { bootLoader, grubDevice, grubIdentifier, grubUseEfi
             , extraConfig, forceGrubReinstallCount ? 0, withTestInstrumentation ? true
             , clevisTest
             }:
  # Renders the configuration.nix that the installer writes to /mnt/etc/nixos
  # (and that later phases copy onto the target again). The result is a store
  # path, so callers splice it into the test script with `${...}`.
  #
  # bootLoader:              "grub" or "systemd-boot"; selects the boot.loader.* stanza.
  # grubDevice/grubIdentifier: used only for BIOS grub (grubUseEfi = false).
  # grubUseEfi:              EFI grub is installed to "nodev" as a removable-media image.
  # extraConfig:             raw NixOS module text appended inside the attribute set;
  #                          each of its lines is re-indented by one space.
  # forceGrubReinstallCount: added to grub's configurationLimit, presumably so that
  #                          every re-copied configuration differs and nixos-rebuild
  #                          regenerates the grub configuration (see the comment on
  #                          system.extraDependencies below).
  # withTestInstrumentation: false when the test-instrumentation module is provided
  #                          by installer/flake.nix instead of the NIX_PATH lookup.
  # clevisTest:              enables initrd networking, the tpm_tis module and the
  #                          clevis/Tang unlock path on the installed system.
  #
  # Security-relevant fixtures: /etc/nixos/secret is a literal test string copied
  # into boot.initrd.secrets, and the installed system is a throwaway VM; none of
  # the values here are meant to be reused outside this test.
  pkgs.writeText "configuration.nix" ''
    { config, lib, pkgs, modulesPath, ... }:

    { imports =
        [ ./hardware-configuration.nix
          ${if !withTestInstrumentation
            then "" # Still included, but via installer/flake.nix
            else "<nixpkgs/nixos/modules/testing/test-instrumentation.nix>"}
        ];

      networking.hostName = "thatworked";

      documentation.enable = false;

      # To ensure that we can rebuild the grub configuration on the nixos-rebuild
      system.extraDependencies = with pkgs; [ stdenvNoCC ];

      ${optionalString systemdStage1 "boot.initrd.systemd.enable = true;"}

      ${optionalString (bootLoader == "grub") ''
        boot.loader.grub.extraConfig = "serial; terminal_output serial";
        ${if grubUseEfi then ''
          boot.loader.grub.device = "nodev";
          boot.loader.grub.efiSupport = true;
          boot.loader.grub.efiInstallAsRemovable = true; # XXX: needed for OVMF?
        '' else ''
          boot.loader.grub.device = "${grubDevice}";
          boot.loader.grub.fsIdentifier = "${grubIdentifier}";
        ''}

        boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount};
      ''}

      ${optionalString (bootLoader == "systemd-boot") ''
        boot.loader.systemd-boot.enable = true;
      ''}

      boot.initrd.secrets."/etc/secret" = "/etc/nixos/secret";

      ${optionalString clevisTest ''
        boot.kernelParams = [ "console=tty0" "ip=192.168.1.1:::255.255.255.0::eth1:none" ];
        boot.initrd = {
          availableKernelModules = [ "tpm_tis" ];
          clevis = { enable = true; useTang = true; };
          network.enable = true;
        };
      ''}

      users.users.alice = {
        isNormalUser = true;
        home = "/home/alice";
        description = "Alice Foobar";
      };

      hardware.enableAllFirmware = lib.mkForce false;

      ${replaceStrings ["\n"] ["\n "] extraConfig}
    }
  '';
# The test script boots a NixOS VM, installs NixOS on an empty hard
# disk, and then reboots from the hard disk. It's parameterized with
# a test script fragment `createPartitions', which must create
# partitions and filesystems.
testScriptFun = { bootLoader, createPartitions, grubDevice, grubUseEfi, grubIdentifier
                , postInstallCommands, postBootCommands, extraConfig
                , testSpecialisationConfig, testFlakeSwitch, testByAttrSwitch, clevisTest, clevisFallbackTest
                , disableFileSystems
                }:
  # Renders the Python test script. Phases, in order:
  #   1. (clevisTest) start a host-side swtpm TPM2 emulator under NIX_BUILD_TOP
  #      and bring the `tang` node online;
  #   2. boot `installer`, partition /dev/vda via `createPartitions`, generate and
  #      copy configuration.nix (makeConfig) plus the initrd secret, run
  #      nixos-install twice (idempotence), build something through nixos-enter;
  #   3. boot the same disk as `target` and check: /boot mounted, /root is 0700,
  #      swap active, `nix-store --verify --check-contents`, the channel, builds by
  #      a non-root user through the daemon, nixos-rebuild switch/boot, nixos-option;
  #   4. optional trailing segments concatenated with optionalString: grub
  #      specialisation entries, switching to an attribute-set config, and/or
  #      switching to a flake config.
  #
  # Clevis notes: the secret is sealed with `sss` threshold 2 over the tpm2 and
  # tang pins, so automatic unlock needs both the emulated TPM and the Tang server;
  # `-y` accepts Tang's advertised keys without the interactive trust prompt. With
  # clevisFallbackTest the Tang node is shut down before nixos-install, so the first
  # boot must fall back to the passphrase prompt that `postBootCommands` answers.
  #
  # NOTE(review): in Tpm.start() below, Popen.wait() returns an int, so the
  # `exit_code is not None` half of that check is redundant (check() uses poll(),
  # which can return None, so it is needed there). The bare string literal before
  # `def check` is an expression statement in the class body, not check()'s docstring.
  let
    # Boot the target VM and wait for multi-user.target. With clevisTest the swtpm
    # helper is (re)started first, as the target's QEMU is configured with the
    # swtpm control socket as its TPM backend.
    startTarget = ''
      ${optionalString clevisTest "tpm.start()"}
      target.start()
      ${postBootCommands}
      target.wait_for_unit("multi-user.target")
    '';
  in ''
    ${optionalString clevisTest ''
    import os
    import subprocess

    tpm_folder = os.environ['NIX_BUILD_TOP']

    class Tpm:
        def __init__(self):
            self.start()

        def start(self):
            self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm",
                "socket",
                "--tpmstate", f"dir={tpm_folder}/swtpm",
                "--ctrl", f"type=unixio,path={tpm_folder}/swtpm-sock",
                "--tpm2"
                ])

            # Check whether starting swtpm failed
            try:
                exit_code = self.proc.wait(timeout=0.2)
                if exit_code is not None and exit_code != 0:
                    raise Exception("failed to start swtpm")
            except subprocess.TimeoutExpired:
                pass

        """Check whether the swtpm process exited due to an error"""
        def check(self):
            exit_code = self.proc.poll()
            if exit_code is not None and exit_code != 0:
                raise Exception("swtpm process died")


    os.mkdir(f"{tpm_folder}/swtpm")
    tpm = Tpm()
    tpm.check()
    ''}

    installer.start()
    ${optionalString clevisTest ''
    tang.start()
    tang.wait_for_unit("sockets.target")
    tang.systemctl("start network-online.target")
    tang.wait_for_unit("network-online.target")
    installer.systemctl("start network-online.target")
    installer.wait_for_unit("network-online.target")
    ''}
    installer.wait_for_unit("multi-user.target")

    with subtest("Assert readiness of login prompt"):
        installer.succeed("echo hello")

    with subtest("Wait for hard disks to appear in /dev"):
        installer.succeed("udevadm settle")

    ${createPartitions}

    with subtest("Create the NixOS configuration"):
        installer.succeed("nixos-generate-config ${optionalString disableFileSystems "--no-filesystems"} --root /mnt")
        installer.succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2")
        installer.copy_from_host(
            "${ makeConfig {
                  inherit bootLoader grubDevice grubIdentifier
                          grubUseEfi extraConfig clevisTest;
                }
            }",
            "/mnt/etc/nixos/configuration.nix",
        )
        installer.copy_from_host("${pkgs.writeText "secret" "secret"}", "/mnt/etc/nixos/secret")

    ${optionalString clevisTest ''
    with subtest("Create the Clevis secret with Tang"):
        installer.systemctl("start network-online.target")
        installer.wait_for_unit("network-online.target")
        installer.succeed('echo -n password | clevis encrypt sss \'{"t": 2, "pins": {"tpm2": {}, "tang": {"url": "http://192.168.1.2"}}}\' -y > /mnt/etc/nixos/clevis-secret.jwe')''}

    ${optionalString clevisFallbackTest ''
    with subtest("Shutdown Tang to check fallback to interactive prompt"):
        tang.shutdown()
    ''}

    with subtest("Perform the installation"):
        installer.succeed("nixos-install < /dev/null >&2")

    with subtest("Do it again to make sure it's idempotent"):
        installer.succeed("nixos-install < /dev/null >&2")

    with subtest("Check that we can build things in nixos-enter"):
        installer.succeed(
            """
            nixos-enter -- nix-build --option substitute false -E 'derivation {
              name = "t";
              builder = "/bin/sh";
              args = ["-c" "echo nixos-enter build > $out"];
              system = builtins.currentSystem;
              preferLocalBuild = true;
            }'
            """
        )

    ${postInstallCommands}

    with subtest("Shutdown system after installation"):
        installer.succeed("umount -R /mnt")
        installer.succeed("sync")
        installer.shutdown()

    # We're actually the same machine, just booting differently this time.
    target.state_dir = installer.state_dir

    # Now see if we can boot the installation.
    ${startTarget}

    with subtest("Assert that /boot get mounted"):
        target.wait_for_unit("local-fs.target")
        ${if bootLoader == "grub"
          then ''target.succeed("test -e /boot/grub")''
          else ''target.succeed("test -e /boot/loader/loader.conf")''
        }

    with subtest("Check whether /root has correct permissions"):
        assert "700" in target.succeed("stat -c '%a' /root")

    with subtest("Assert swap device got activated"):
        # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
        target.wait_for_unit("swap.target")
        target.succeed("cat /proc/swaps | grep -q /dev")

    with subtest("Check that the store is in good shape"):
        target.succeed("nix-store --verify --check-contents >&2")

    with subtest("Check whether the channel works"):
        target.succeed("nix-env -iA nixos.procps >&2")
        assert ".nix-profile" in target.succeed("type -tP ps | tee /dev/stderr")

    with subtest(
        "Check that the daemon works, and that non-root users can run builds "
        "(this will build a new profile generation through the daemon)"
    ):
        target.succeed("su alice -l -c 'nix-env -iA nixos.procps' >&2")

    with subtest("Configure system with writable Nix store on next boot"):
        # we're not using copy_from_host here because the installer image
        # doesn't know about the host-guest sharing mechanism.
        target.copy_from_host_via_shell(
            "${ makeConfig {
                  inherit bootLoader grubDevice grubIdentifier
                          grubUseEfi extraConfig clevisTest;
                  forceGrubReinstallCount = 1;
                }
            }",
            "/etc/nixos/configuration.nix",
        )

    with subtest("Check whether nixos-rebuild works"):
        target.succeed("nixos-rebuild switch >&2")

    with subtest("Test nixos-option"):
        kernel_modules = target.succeed("nixos-option boot.initrd.kernelModules")
        assert "virtio_console" in kernel_modules
        assert "List of modules" in kernel_modules
        assert "qemu-guest.nix" in kernel_modules

    target.shutdown()

    # Check whether a writable store build works
    ${startTarget}

    # we're not using copy_from_host here because the installer image
    # doesn't know about the host-guest sharing mechanism.
    target.copy_from_host_via_shell(
        "${ makeConfig {
              inherit bootLoader grubDevice grubIdentifier
                      grubUseEfi extraConfig clevisTest;
              forceGrubReinstallCount = 2;
            }
        }",
        "/etc/nixos/configuration.nix",
    )
    target.succeed("nixos-rebuild boot >&2")
    target.shutdown()

    # And just to be sure, check that the target still boots after "nixos-rebuild switch".
    ${startTarget}
    target.wait_for_unit("network.target")

    # Sanity check, is it the configuration.nix we generated?
    hostname = target.succeed("hostname").strip()
    assert hostname == "thatworked"

    target.shutdown()

    # Tests for validating clone configuration entries in grub menu
  ''
  + optionalString testSpecialisationConfig ''
    # Reboot target
    ${startTarget}

    with subtest("Booted configuration name should be 'Home'"):
        # This is not the name that shows in the grub menu.
        # The default configuration is always shown as "Default"
        target.succeed("cat /run/booted-system/configuration-name >&2")
        assert "Home" in target.succeed("cat /run/booted-system/configuration-name")

    with subtest("We should **not** find a file named /etc/gitconfig"):
        target.fail("test -e /etc/gitconfig")

    with subtest("Set grub to boot the second configuration"):
        target.succeed("grub-reboot 1")

    target.shutdown()

    # Reboot target
    ${startTarget}

    with subtest("Booted configuration name should be Work"):
        target.succeed("cat /run/booted-system/configuration-name >&2")
        assert "Work" in target.succeed("cat /run/booted-system/configuration-name")

    with subtest("We should find a file named /etc/gitconfig"):
        target.succeed("test -e /etc/gitconfig")

    target.shutdown()
  ''
  + optionalString testByAttrSwitch ''
    with subtest("Configure system with attribute set"):
        target.succeed("""
          mkdir /root/my-config
          mv /etc/nixos/hardware-configuration.nix /root/my-config/
          rm /etc/nixos/configuration.nix
        """)
        target.copy_from_host_via_shell(
            "${makeConfig {
                inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest;
                forceGrubReinstallCount = 1;
                withTestInstrumentation = false;
              }}",
            "/root/my-config/configuration.nix",
        )
        target.copy_from_host_via_shell(
            "${./installer/byAttrWithChannel.nix}",
            "/root/my-config/default.nix",
        )
    with subtest("Switch to attribute set based config with channels"):
        target.succeed("nixos-rebuild switch --file /root/my-config/default.nix")

    target.shutdown()

    ${startTarget}

    target.succeed("""
      rm /root/my-config/default.nix
    """)
    target.copy_from_host_via_shell(
        "${./installer/byAttrNoChannel.nix}",
        "/root/my-config/default.nix",
    )

    target.succeed("""
      pkgs=$(readlink -f /nix/var/nix/profiles/per-user/root/channels)/nixos
      if ! [[ -e $pkgs/pkgs/top-level/default.nix ]]; then
        echo 1>&2 "$pkgs does not seem to be a nixpkgs source. Please fix the test so that pkgs points to a nixpkgs source.";
        exit 1;
      fi
      sed -e s^@nixpkgs@^$pkgs^ -i /root/my-config/default.nix

    """)

    with subtest("Switch to attribute set based config without channels"):
        target.succeed("nixos-rebuild switch --file /root/my-config/default.nix")

    target.shutdown()

    ${startTarget}

    with subtest("nix-channel command is not available anymore"):
        target.succeed("! which nix-channel")

    with subtest("builtins.nixPath is now empty"):
        target.succeed("""
          [[ "[ ]" == "$(nix-instantiate builtins.nixPath --eval --expr)" ]]
        """)

    with subtest("<nixpkgs> does not resolve"):
        target.succeed("""
          ! nix-instantiate '<nixpkgs>' --eval --expr
        """)

    with subtest("Evaluate attribute set based config in fresh env without nix-channel"):
        target.succeed("nixos-rebuild switch --file /root/my-config/default.nix")

    with subtest("Evaluate attribute set based config in fresh env without channel profiles"):
        target.succeed("""
          (
            exec 1>&2
            mkdir -p /root/restore
            mv -v /root/.nix-channels /root/restore/
            mv -v ~/.nix-defexpr /root/restore/
            mkdir -p /root/restore/channels
            mv -v /nix/var/nix/profiles/per-user/root/channels* /root/restore/channels/
          )
        """)
        target.succeed("nixos-rebuild switch --file /root/my-config/default.nix")
  ''
  + optionalString (testByAttrSwitch && testFlakeSwitch) ''
    with subtest("Restore channel profiles"):
        target.succeed("""
          (
            exec 1>&2
            mv -v /root/restore/.nix-channels /root/
            mv -v /root/restore/.nix-defexpr ~/.nix-defexpr
            mv -v /root/restore/channels/* /nix/var/nix/profiles/per-user/root/
            rm -vrf /root/restore
          )
        """)

    with subtest("Restore /etc/nixos"):
        target.succeed("""
          mv -v /root/my-config/hardware-configuration.nix /etc/nixos/
        """)
        target.copy_from_host_via_shell(
            "${makeConfig {
                inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest;
                forceGrubReinstallCount = 1;
              }}",
            "/etc/nixos/configuration.nix",
        )

    with subtest("Restore /root/my-config"):
        target.succeed("""
          rm -vrf /root/my-config
        """)

  ''
  + optionalString (testByAttrSwitch && !testFlakeSwitch) ''
    target.shutdown()
  ''
  + optionalString testFlakeSwitch ''
    ${startTarget}

    with subtest("Configure system with flake"):
        # TODO: evaluate as user?
        target.succeed("""
          mkdir /root/my-config
          mv /etc/nixos/hardware-configuration.nix /root/my-config/
          rm /etc/nixos/configuration.nix
        """)
        target.copy_from_host_via_shell(
            "${makeConfig {
                inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest;
                forceGrubReinstallCount = 1;
                withTestInstrumentation = false;
              }}",
            "/root/my-config/configuration.nix",
        )
        target.copy_from_host_via_shell(
            "${./installer/flake.nix}",
            "/root/my-config/flake.nix",
        )
        target.succeed("""
          # for some reason the image does not have `pkgs.path`, so
          # we use readlink to find a Nixpkgs source.
          pkgs=$(readlink -f /nix/var/nix/profiles/per-user/root/channels)/nixos
          if ! [[ -e $pkgs/pkgs/top-level/default.nix ]]; then
            echo 1>&2 "$pkgs does not seem to be a nixpkgs source. Please fix the test so that pkgs points to a nixpkgs source.";
            exit 1;
          fi
          sed -e s^@nixpkgs@^$pkgs^ -i /root/my-config/flake.nix
        """)

    with subtest("Switch to flake based config"):
        target.succeed("nixos-rebuild switch --flake /root/my-config#xyz 2>&1 | tee activation-log >&2")

    target.succeed("""
      cat -n activation-log >&2
    """)

    target.succeed("""
      grep -F '/root/.nix-defexpr/channels exists, but channels have been disabled.' activation-log
    """)
    target.succeed("""
      grep -F '/nix/var/nix/profiles/per-user/root/channels exists, but channels have been disabled.' activation-log
    """)
    target.succeed("""
      grep -F '/root/.nix-defexpr/channels exists, but channels have been disabled.' activation-log
    """)
    target.succeed("""
      grep -F 'Due to https://github.com/NixOS/nix/issues/9574, Nix may still use these channels when NIX_PATH is unset.' activation-log
    """)
    target.succeed("rm activation-log")

    # Perform the suggested cleanups we've just seen in the log
    # TODO after https://github.com/NixOS/nix/issues/9574: don't remove them yet
    target.succeed("""
      rm -rf /root/.nix-defexpr/channels /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels
    """)


    target.shutdown()

    ${startTarget}

    with subtest("nix-channel command is not available anymore"):
        target.succeed("! which nix-channel")

    # Note that the channel profile is still present on disk, but configured
    # not to be used.
    # TODO after issue https://github.com/NixOS/nix/issues/9574: re-enable this assertion
    # I believe what happens is
    # - because of the issue, we've removed the `nix-path =` line from nix.conf
    # - the "backdoor" shell is not a proper session and does not have `NIX_PATH=""` set
    # - seeing no nix path settings at all, Nix loads its hardcoded default value,
    #   which is unfortunately non-empty
    # Or maybe it's the new default NIX_PATH?? :(
    # with subtest("builtins.nixPath is now empty"):
    #     target.succeed("""
    #       (
    #         set -x;
    #         [[ "[ ]" == "$(nix-instantiate builtins.nixPath --eval --expr)" ]];
    #       )
    #     """)

    with subtest("<nixpkgs> does not resolve"):
        target.succeed("""
          ! nix-instantiate '<nixpkgs>' --eval --expr
        """)

    with subtest("Evaluate flake config in fresh env without nix-channel"):
        target.succeed("nixos-rebuild switch --flake /root/my-config#xyz")

    with subtest("Evaluate flake config in fresh env without channel profiles"):
        target.succeed("""
          (
            exec 1>&2
            rm -vf /root/.nix-channels
            rm -vrf ~/.nix-defexpr
            rm -vrf /nix/var/nix/profiles/per-user/root/channels*
          )
        """)
        target.succeed("nixos-rebuild switch --flake /root/my-config#xyz | tee activation-log >&2")
        target.succeed("cat -n activation-log >&2")
        target.succeed("! grep -F '/root/.nix-defexpr/channels' activation-log")
        target.succeed("! grep -F 'but channels have been disabled' activation-log")
        target.succeed("! grep -F 'https://github.com/NixOS/nix/issues/9574' activation-log")

    target.shutdown()
  '';
makeInstallerTest = name:
  { createPartitions
  , postInstallCommands ? "", postBootCommands ? ""
  , extraConfig ? ""
  , extraInstallerConfig ? {}
  , bootLoader ? "grub" # either "grub" or "systemd-boot"
  , grubDevice ? "/dev/vda", grubIdentifier ? "uuid", grubUseEfi ? false
  , enableOCR ? false, meta ? {}
  , testSpecialisationConfig ? false
  , testFlakeSwitch ? false
  , testByAttrSwitch ? false
  , clevisTest ? false
  , clevisFallbackTest ? false
  , disableFileSystems ? false
  }:
  # Assembles one installer test named "installer-<name>": two VM nodes
  # (`installer` and `target`) that share ./target.qcow2, an extra `tang` node
  # when clevisTest is set, and the script produced by testScriptFun. All test
  # parameters except `meta`, `enableOCR` and `extraInstallerConfig` are passed
  # straight through to testScriptFun.
  let
    # EFI firmware is used whenever systemd-boot is selected, or grub with grubUseEfi.
    isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi);
  in makeTest {
    inherit enableOCR;
    name = "installer-" + name;
    meta = {
      # put global maintainers here, individuals go into the makeInstallerTest call
      maintainers = (meta.maintainers or []);
      # non-EFI tests can only run on x86
      platforms = if isEfi then platforms.linux else [ "x86_64-linux" "i686-linux" ];
    };
    nodes = let
      commonConfig = {
        # builds stuff in the VM, needs more juice
        virtualisation.diskSize = 8 * 1024;
        virtualisation.cores = 8;
        virtualisation.memorySize = 2048;

        # both installer and target need to use the same drive
        virtualisation.diskImage = "./target.qcow2";

        # and the same TPM options
        # The chardev path is the `--ctrl` unix socket that the swtpm helper in
        # testScriptFun creates under NIX_BUILD_TOP, so both VMs talk to the
        # same emulated TPM state.
        virtualisation.qemu.options = mkIf (clevisTest) [
          "-chardev socket,id=chrtpm,path=$NIX_BUILD_TOP/swtpm-sock"
          "-tpmdev emulator,id=tpm0,chardev=chrtpm"
          "-device tpm-tis,tpmdev=tpm0"
        ];
      };
    in {
      # The configuration of the system used to run "nixos-install".
      installer = {
        imports = [
          commonConfig
          ../modules/profiles/installation-device.nix
          ../modules/profiles/base.nix
          extraInstallerConfig
          ./common/auto-format-root-device.nix
        ];

        # In systemdStage1, also automatically format the device backing the
        # root filesystem.
        virtualisation.fileSystems."/".autoFormat = systemdStage1;

        boot.initrd.systemd.enable = systemdStage1;

        # Use a small /dev/vdb as the root disk for the
        # installer. This ensures the target disk (/dev/vda) is
        # the same during and after installation.
        virtualisation.emptyDiskImages = [ 512 ];
        virtualisation.rootDevice = "/dev/vdb";

        hardware.enableAllFirmware = mkForce false;

        # The test cannot access the network, so any packages we
        # need must be included in the VM.
        system.extraDependencies = with pkgs; [
          bintools
          brotli
          brotli.dev
          brotli.lib
          desktop-file-utils
          docbook5
          docbook_xsl_ns
          kbd.dev
          kmod.dev
          libarchive.dev
          libxml2.bin
          libxslt.bin
          nixos-artwork.wallpapers.simple-dark-gray-bottom
          ntp
          perlPackages.ConfigIniFiles
          perlPackages.FileSlurp
          perlPackages.JSON
          perlPackages.ListCompare
          perlPackages.XMLLibXML
          # make-options-doc/default.nix
          (python3.withPackages (p: [ p.mistune ]))
          shared-mime-info
          sudo
          switch-to-configuration-ng
          texinfo
          unionfs-fuse
          xorg.lndir

          # add curl so that rather than seeing the test attempt to download
          # curl's tarball, we see what it's trying to download
          curl
        ]
        ++ optionals (bootLoader == "grub") (let
          # grub must be built with zfs support when the installer enables zfs
          zfsSupport = extraInstallerConfig.boot.supportedFilesystems.zfs or false;
        in [
          (pkgs.grub2.override { inherit zfsSupport; })
          (pkgs.grub2_efi.override { inherit zfsSupport; })
          pkgs.nixos-artwork.wallpapers.simple-dark-gray-bootloader
          pkgs.perlPackages.FileCopyRecursive
          pkgs.perlPackages.XMLSAX
          pkgs.perlPackages.XMLSAXBase
        ])
        ++ optionals (bootLoader == "systemd-boot") [
          pkgs.zstd.bin
          pkgs.mypy
          pkgs.bootspec
        ]
        ++ optionals clevisTest [ pkgs.klibc ];

        # No substituters and a 1s connect timeout: with the network unavailable
        # a missing dependency should fail quickly rather than stall on a fetch.
        nix.settings = {
          substituters = mkForce [];
          hashed-mirrors = null;
          connect-timeout = 1;
        };
      };

      target = {
        imports = [ commonConfig ];
        virtualisation.useBootLoader = true;
        virtualisation.useEFIBoot = isEfi;
        virtualisation.useDefaultFilesystems = false;
        virtualisation.efi.keepVariables = false;

        # Placeholder only: the real root comes from the disk the installer wrote.
        virtualisation.fileSystems."/" = {
          device = "/dev/disk/by-label/this-is-not-real-and-will-never-be-used";
          fsType = "ext4";
        };
      };
    } // optionalAttrs clevisTest {
      # Tang key server for the clevis tests. It serves plain HTTP on port 80
      # and only answers the test subnet (ipAddressAllow 192.168.1.0/24), which
      # is also what the firewall opens.
      tang = {
        services.tang = {
          enable = true;
          listenStream = [ "80" ];
          ipAddressAllow = [ "192.168.1.0/24" ];
        };
        networking.firewall.allowedTCPPorts = [ 80 ];
      };
    };

    testScript = testScriptFun {
      inherit bootLoader createPartitions postInstallCommands postBootCommands
              grubDevice grubIdentifier grubUseEfi extraConfig
              testSpecialisationConfig testFlakeSwitch testByAttrSwitch clevisTest clevisFallbackTest
              disableFileSystems;
    };
  };
makeLuksRootTest = name: luksFormatOpts: makeInstallerTest name {
  # LUKS-on-root variant of the installer test. /dev/vda3 is formatted with
  # `cryptsetup luksFormat ${luksFormatOpts}` and opened as /dev/mapper/cryptroot
  # before nixos-install runs; /boot is a plain ext3 partition. The passphrase
  # is a fixed test value that postBootCommands types at the initrd prompt,
  # which is why enableOCR is turned on.
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
        + " mkpart primary ext2 1M 100MB" # /boot
        + " mkpart primary linux-swap 100M 1024M"
        + " mkpart primary 1024M -1s", # LUKS
        "udevadm settle",
        "mkswap /dev/vda2 -L swap",
        "swapon -L swap",
        "modprobe dm_mod dm_crypt",
        "echo -n supersecret | cryptsetup luksFormat ${luksFormatOpts} -q /dev/vda3 -",
        "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda3 cryptroot",
        "mkfs.ext3 -L nixos /dev/mapper/cryptroot",
        "mount LABEL=nixos /mnt",
        "mkfs.ext3 -L boot /dev/vda1",
        "mkdir -p /mnt/boot",
        "mount LABEL=boot /mnt/boot",
    )
  '';
  # Keep the kernel console on tty0 so the passphrase prompt is visible to OCR.
  extraConfig = ''
    boot.kernelParams = lib.mkAfter [ "console=tty0" ];
  '';
  enableOCR = true;
  postBootCommands = ''
    target.wait_for_text("[Pp]assphrase for")
    target.send_chars("supersecret\n")
  '';
};
# The (almost) simplest partitioning scheme: a swap partition and
# one big filesystem partition.
simple-test-config = {
  # MBR layout on /dev/vda: vda1 swap, vda2 ext3 root labelled "nixos",
  # no separate /boot. Grub BIOS defaults from makeInstallerTest apply.
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
        + " mkpart primary linux-swap 1M 1024M"
        + " mkpart primary ext2 1024M -1s",
        "udevadm settle",
        "mkswap /dev/vda1 -L swap",
        "swapon -L swap",
        "mkfs.ext3 -L nixos /dev/vda2",
        "mount LABEL=nixos /mnt",
    )
  '';
};
simple-test-config-flake =
  # The simple layout, plus the test-script segment that switches the
  # installed system over to a flake-based configuration.
  let flakeSwitch = { testFlakeSwitch = true; };
  in simple-test-config // flakeSwitch;
simple-test-config-by-attr =
  # The simple layout, plus the test-script segment that switches the
  # installed system to an attribute-set based configuration.
  let byAttrSwitch = { testByAttrSwitch = true; };
  in simple-test-config // byAttrSwitch;
simple-test-config-from-by-attr-to-flake =
  # The simple layout, switching first to an attribute-set configuration and
  # then on to a flake configuration (both segments of testScriptFun run).
  let
    bothSwitches = {
      testByAttrSwitch = true;
      testFlakeSwitch = true;
    };
  in simple-test-config // bothSwitches;
simple-uefi-grub-config = {
  # GPT layout: vda1 is the ESP (FAT, boot flag set, mounted at /boot),
  # vda2 swap, vda3 ext3 root. Grub is installed in EFI mode, which
  # makeConfig turns into device = "nodev" with efiInstallAsRemovable.
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel gpt"
        + " mkpart ESP fat32 1M 100MiB" # /boot
        + " set 1 boot on"
        + " mkpart primary linux-swap 100MiB 1024MiB"
        + " mkpart primary ext2 1024MiB -1MiB", # /
        "udevadm settle",
        "mkswap /dev/vda2 -L swap",
        "swapon -L swap",
        "mkfs.ext3 -L nixos /dev/vda3",
        "mount LABEL=nixos /mnt",
        "mkfs.vfat -n BOOT /dev/vda1",
        "mkdir -p /mnt/boot",
        "mount LABEL=BOOT /mnt/boot",
    )
  '';
  bootLoader = "grub";
  grubUseEfi = true;
};
specialisation-test-extraconfig = {
  # Adds a "work" specialisation so grub gets a second menu entry. The default
  # entry boots with configuration name "Home" and no /etc/gitconfig; the
  # specialisation boots as "Work" and ships /etc/gitconfig. The
  # testSpecialisationConfig segment of testScriptFun selects the second entry
  # with `grub-reboot 1` and checks both states.
  extraConfig = ''
    environment.systemPackages = [ pkgs.grub2 ];
    boot.loader.grub.configurationName = "Home";
    specialisation.work.configuration = {
      boot.loader.grub.configurationName = lib.mkForce "Work";

      environment.etc = {
        "gitconfig".text = "
          [core]
            gitproxy = none for work.com
        ";
      };
    };
  '';
  testSpecialisationConfig = true;
};
# disable zfs so we can support latest kernel if needed
no-zfs-module = {
  # Overlay that marks zfs as unsupported on every platform, so the installer
  # image can be built without pulling zfs in (e.g. with a kernel it does not
  # support yet).
  nixpkgs.overlays = [
    (_final: prev: {
      zfs = prev.zfs.overrideAttrs (_: { meta.platforms = [ ]; });
    })
  ];
};
mkClevisBcachefsTest = { fallback ? false }: makeInstallerTest "clevis-bcachefs${optionalString fallback "-fallback"}" {
  # Clevis (TPM2 + Tang) auto-unlock of an encrypted bcachefs root on /dev/vda3.
  # fallback = true also shuts Tang down before install finishes (see
  # testScriptFun), so the first boot has to take the interactive passphrase
  # path that postBootCommands drives via OCR.
  clevisTest = true;
  clevisFallbackTest = fallback;
  enableOCR = fallback;
  extraInstallerConfig = {
    # drop zfs from the installer so its kernel is not constrained by zfs support
    imports = [ no-zfs-module ];
    boot.supportedFilesystems = [ "bcachefs" ];
    environment.systemPackages = with pkgs; [ keyutils clevis ];
  };
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
        + " mkpart primary ext2 1M 100MB"
        + " mkpart primary linux-swap 100M 1024M"
        + " mkpart primary 1024M -1s",
        "udevadm settle",
        "mkswap /dev/vda2 -L swap",
        "swapon -L swap",
        "keyctl link @u @s",
        "echo -n password | mkfs.bcachefs -L root --encrypted /dev/vda3",
        "echo -n password | bcachefs unlock /dev/vda3",
        "echo -n password | mount -t bcachefs /dev/vda3 /mnt",
        "mkfs.ext3 -L boot /dev/vda1",
        "mkdir -p /mnt/boot",
        "mount LABEL=boot /mnt/boot",
        "udevadm settle")
  '';
  # The clevis device entry is keyed by the raw block device; the secret file
  # is the JWE written by `clevis encrypt` during installation.
  extraConfig = ''
    boot.initrd.clevis.devices."/dev/vda3".secretFile = "/etc/nixos/clevis-secret.jwe";

    # We override what nixos-generate-config has generated because we do
    # not know the UUID in advance.
    fileSystems."/" = lib.mkForce { device = "/dev/vda3"; fsType = "bcachefs"; };
  '';
  postBootCommands = optionalString fallback ''
    target.wait_for_text("enter passphrase for")
    target.send_chars("password\n")
  '';
};
mkClevisLuksTest = { fallback ? false }: makeInstallerTest "clevis-luks${optionalString fallback "-fallback"}" {
  # Clevis (TPM2 + Tang) auto-unlock of a LUKS root: /dev/vda3 is opened as
  # /dev/mapper/crypt-root and the clevis device entry is keyed by that mapper
  # name. fallback = true shuts Tang down before install finishes (see
  # testScriptFun) so the first boot must prompt for the passphrase, which
  # postBootCommands answers; the prompt text differs between the scripted
  # and the systemd stage-1 initrd.
  clevisTest = true;
  clevisFallbackTest = fallback;
  enableOCR = fallback;
  extraInstallerConfig = {
    environment.systemPackages = with pkgs; [ clevis ];
  };
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
        + " mkpart primary ext2 1M 100MB"
        + " mkpart primary linux-swap 100M 1024M"
        + " mkpart primary 1024M -1s",
        "udevadm settle",
        "mkswap /dev/vda2 -L swap",
        "swapon -L swap",
        "modprobe dm_mod dm_crypt",
        "echo -n password | cryptsetup luksFormat -q /dev/vda3 -",
        "echo -n password | cryptsetup luksOpen --key-file - /dev/vda3 crypt-root",
        "mkfs.ext3 -L nixos /dev/mapper/crypt-root",
        "mount LABEL=nixos /mnt",
        "mkfs.ext3 -L boot /dev/vda1",
        "mkdir -p /mnt/boot",
        "mount LABEL=boot /mnt/boot",
        "udevadm settle")
  '';
  extraConfig = ''
    boot.initrd.clevis.devices."crypt-root".secretFile = "/etc/nixos/clevis-secret.jwe";
  '';
  postBootCommands = optionalString fallback ''
    ${if systemdStage1 then ''
      target.wait_for_text("Please enter")
    '' else ''
      target.wait_for_text("Passphrase for")
    ''}
    target.send_chars("password\n")
  '';
};
mkClevisZfsTest = { fallback ? false, parentDataset ? false }: makeInstallerTest "clevis-zfs${optionalString parentDataset "-parent-dataset"}${optionalString fallback "-fallback"}" {
  # Clevis (TPM2 + Tang) auto-unlock of an encrypted ZFS root.
  # parentDataset = false: plain pool `rpool`, encrypted dataset `rpool/root`,
  #   clevis keyed on "rpool/root".
  # parentDataset = true: encryption is enabled on the pool root itself and
  #   `rpool/root` inherits it, so clevis is keyed on "rpool".
  # fallback = true shuts Tang down before install finishes (see testScriptFun)
  # so the first boot must prompt for the key; the prompt text differs between
  # the scripted and the systemd stage-1 initrd.
  clevisTest = true;
  clevisFallbackTest = fallback;
  enableOCR = fallback;
  extraInstallerConfig = {
    boot.supportedFilesystems = [ "zfs" ];
    environment.systemPackages = with pkgs; [ clevis ];
  };
  createPartitions = ''
    installer.succeed(
        "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
        + " mkpart primary ext2 1M 100MB"
        + " mkpart primary linux-swap 100M 1024M"
        + " mkpart primary 1024M -1s",
        "udevadm settle",
        "mkswap /dev/vda2 -L swap",
        "swapon -L swap",
  '' + optionalString (!parentDataset) ''
        "zpool create -O mountpoint=legacy rpool /dev/vda3",
        "echo -n password | zfs create"
        + " -o encryption=aes-256-gcm -o keyformat=passphrase rpool/root",
  '' + optionalString (parentDataset) ''
        "echo -n password | zpool create -O mountpoint=none -O encryption=on -O keyformat=passphrase rpool /dev/vda3",
        "zfs create -o mountpoint=legacy rpool/root",
  '' +
  ''
        "mount -t zfs rpool/root /mnt",
        "mkfs.ext3 -L boot /dev/vda1",
        "mkdir -p /mnt/boot",
        "mount LABEL=boot /mnt/boot",
        "udevadm settle")
  '';
  extraConfig = optionalString (!parentDataset) ''
    boot.initrd.clevis.devices."rpool/root".secretFile = "/etc/nixos/clevis-secret.jwe";
  '' + optionalString (parentDataset) ''
    boot.initrd.clevis.devices."rpool".secretFile = "/etc/nixos/clevis-secret.jwe";
  '' +
  ''
    boot.zfs.requestEncryptionCredentials = true;


    # Using by-uuid overrides the default of by-id, and is unique
    # to the qemu disks, as they don't produce by-id paths for
    # some reason.
    boot.zfs.devNodes = "/dev/disk/by-uuid/";
    networking.hostId = "00000000";
  '';
  postBootCommands = optionalString fallback ''
    ${if systemdStage1 then ''
      target.wait_for_text("Enter key for rpool/root")
    '' else ''
      target.wait_for_text("Key load error")
    ''}
    target.send_chars("password\n")
  '';
};
in {
# !!! `parted mkpart' seems to silently create overlapping partitions.


# The (almost) simplest partitioning scheme: a swap partition and
# one big filesystem partition.
simple = makeInstallerTest "simple" simple-test-config;

# Simple layout, then switch the installed system to a flake configuration.
switchToFlake = makeInstallerTest "switch-to-flake" simple-test-config-flake;

# Simple layout, then switch to an attribute-set configuration.
switchToByAttr = makeInstallerTest "switch-to-by-attr" simple-test-config-by-attr;

# Simple layout, switch to attribute-set config, then on to a flake config.
switchFromByAttrToFlake = makeInstallerTest "switch-from-by-attr-to-flake" simple-test-config-from-by-attr-to-flake;

# Test cloned configurations with the simple grub configuration
simpleSpecialised = makeInstallerTest "simpleSpecialised" (simple-test-config // specialisation-test-extraconfig);
|
|
|
|
# Simple GPT/UEFI configuration using systemd-boot with 3 partitions: ESP, swap & root filesystem
simpleUefiSystemdBoot = makeInstallerTest "simpleUefiSystemdBoot" {
  bootLoader = "systemd-boot";

  createPartitions = ''
    # vda1 = ESP (mounted at /boot), vda2 = swap, vda3 = / (ext3).
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel gpt"
      " mkpart ESP fat32 1M 100MiB"
      " set 1 boot on"
      " mkpart primary linux-swap 100MiB 1024MiB"
      " mkpart primary ext2 1024MiB -1MiB"
    )
    installer.succeed(disk_layout, "udevadm settle")
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed("mkfs.ext3 -L nixos /dev/vda3", "mount LABEL=nixos /mnt")
    installer.succeed(
      "mkfs.vfat -n BOOT /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount LABEL=BOOT /mnt/boot",
    )
  '';
};
|
|
|
|
# Test cloned configurations with the uefi grub configuration
# (simple-uefi-grub-config is defined earlier in this file).
simpleUefiGrubSpecialisation = makeInstallerTest "simpleUefiGrubSpecialisation" (simple-uefi-grub-config // specialisation-test-extraconfig);

# The same GPT/UEFI layout without the specialisation.
simpleUefiGrub = makeInstallerTest "simpleUefiGrub" simple-uefi-grub-config;
|
|
|
|
# Same as the previous, but now with a separate /boot partition.
separateBoot = makeInstallerTest "separateBoot" {
  createPartitions = ''
    # MBR layout: vda1 = /boot (ext3), vda2 = swap, vda3 = / (ext3).
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      " mkpart primary ext2 1M 100MB"
      " mkpart primary linux-swap 100MB 1024M"
      " mkpart primary ext2 1024M -1s"
    )
    root_steps = [
      "mkfs.ext3 -L nixos /dev/vda3",
      "mount LABEL=nixos /mnt",
    ]
    boot_steps = [
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount LABEL=boot /mnt/boot",
    ]
    installer.succeed(disk_layout, "udevadm settle")
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed(*root_steps, *boot_steps)
  '';
};
|
|
|
|
# Same as the previous, but with fat32 /boot.
separateBootFat = makeInstallerTest "separateBootFat" {
  createPartitions = ''
    # MBR layout: vda1 = /boot (vfat), vda2 = swap, vda3 = / (ext3).
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      " mkpart primary ext2 1M 100MB"
      " mkpart primary linux-swap 100MB 1024M"
      " mkpart primary ext2 1024M -1s"
    )
    root_steps = [
      "mkfs.ext3 -L nixos /dev/vda3",
      "mount LABEL=nixos /mnt",
    ]
    boot_steps = [
      "mkfs.vfat -n BOOT /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount LABEL=BOOT /mnt/boot",
    ]
    installer.succeed(disk_layout, "udevadm settle")
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed(*root_steps, *boot_steps)
  '';
};
|
|
|
|
# Same as the previous, but with ZFS /boot.
#
# /boot is its own zpool ("bpool"). The pool is created with
# `-o compatibility=grub2` (restricting the enabled feature set to what that
# compatibility list allows) and then as many of the remaining features as
# possible are activated on purpose, so the test checks that GRUB can still
# read the kernel and initrd out of it. The root filesystem is plain ext4;
# only /boot is ZFS here.
separateBootZfs = makeInstallerTest "separateBootZfs" {
  # The installer ISO needs ZFS support to create the pool.
  extraInstallerConfig = {
    boot.supportedFilesystems = [ "zfs" ];
  };

  # networking.hostId "00000000" is a throwaway value for the test VM; it is
  # not a value to copy into a real configuration (ZFS records the host id
  # in the pool, cf. the "previously in use from another system" note on
  # postInstallCommands below).
  extraConfig = ''
    # Using by-uuid overrides the default of by-id, and is unique
    # to the qemu disks, as they don't produce by-id paths for
    # some reason.
    boot.zfs.devNodes = "/dev/disk/by-uuid/";
    networking.hostId = "00000000";
  '';

  # vda1 = bpool (/boot), vda2 = swap, vda3 = / (ext4). The order of the
  # zfs/zpool commands matters: each later step activates a feature on top
  # of what the earlier ones created, and grub-probe at the end aborts the
  # test early if GRUB cannot read the result.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      + " mkpart primary ext2 1M 256MB" # /boot
      + " mkpart primary linux-swap 256MB 1280M"
      + " mkpart primary ext2 1280M -1s", # /
      "udevadm settle",

      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",

      "mkfs.ext4 -L nixos /dev/vda3",
      "mount LABEL=nixos /mnt",

      # Use as many ZFS features as possible to verify that GRUB can handle them
      "zpool create"
      " -o compatibility=grub2"
      " -O utf8only=on"
      " -O normalization=formD"
      " -O compression=lz4" # Activate the lz4_compress feature
      " -O xattr=sa"
      " -O acltype=posixacl"
      " bpool /dev/vda1",
      "zfs create"
      " -o recordsize=1M" # Prepare activating the large_blocks feature
      " -o mountpoint=legacy"
      " -o relatime=on"
      " -o quota=1G"
      " -o filesystem_limit=100" # Activate the filesystem_limits features
      " bpool/boot",

      # Snapshotting the top-level dataset would trigger a bug in GRUB2: https://github.com/openzfs/zfs/issues/13873
      "zfs snapshot bpool/boot@snap-1", # Prepare activating the livelist and bookmarks features
      "zfs clone bpool/boot@snap-1 bpool/test", # Activate the livelist feature
      "zfs bookmark bpool/boot@snap-1 bpool/boot#bookmark", # Activate the bookmarks feature
      "zpool checkpoint bpool", # Activate the zpool_checkpoint feature
      "mkdir -p /mnt/boot",
      "mount -t zfs bpool/boot /mnt/boot",
      "touch /mnt/boot/empty", # Activate zilsaxattr feature
      "dd if=/dev/urandom of=/mnt/boot/test bs=1M count=1", # Activate the large_blocks feature

      # Print out all enabled and active ZFS features (and some other stuff)
      "sync /mnt/boot",
      "zpool get all bpool >&2",

      # Abort early if GRUB2 doesn't like the disks
      "grub-probe --target=device /mnt/boot >&2",
    )
  '';

  # umount & export bpool before shutdown
  # this is a fix for "cannot import 'bpool': pool was previously in use from another system."
  # (the installer VM and the installed system are different hosts from
  # ZFS's point of view, so the pool has to be cleanly exported first).
  postInstallCommands = ''
    installer.succeed("umount /mnt/boot")
    installer.succeed("zpool export bpool")
  '';
};
|
|
|
|
# zfs on / with swap
#
# Unencrypted ZFS root: pool "rpool" on vda3 with a legacy-mounted root
# dataset and a child dataset for /usr; /boot is a plain vfat partition
# (vda1) and swap a plain partition (vda2), neither of them on ZFS.
zfsroot = makeInstallerTest "zfs-root" {
  # The installer ISO needs ZFS support to create the pool.
  extraInstallerConfig = {
    boot.supportedFilesystems = [ "zfs" ];
  };

  # The installed system needs ZFS support as well, so it is repeated here.
  # hostId "00000000" is a throwaway value for the test VM, not one to copy
  # into a real configuration.
  extraConfig = ''
    boot.supportedFilesystems = [ "zfs" ];

    # Using by-uuid overrides the default of by-id, and is unique
    # to the qemu disks, as they don't produce by-id paths for
    # some reason.
    boot.zfs.devNodes = "/dev/disk/by-uuid/";
    networking.hostId = "00000000";
  '';

  # Both datasets use mountpoint=legacy, i.e. they are mounted explicitly
  # with mount(8) here rather than by the ZFS mount logic.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      + " mkpart primary 1M 100MB" # /boot
      + " mkpart primary linux-swap 100M 1024M"
      + " mkpart primary 1024M -1s", # rpool
      "udevadm settle",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "zpool create rpool /dev/vda3",
      "zfs create -o mountpoint=legacy rpool/root",
      "mount -t zfs rpool/root /mnt",
      "zfs create -o mountpoint=legacy rpool/root/usr",
      "mkdir /mnt/usr",
      "mount -t zfs rpool/root/usr /mnt/usr",
      "mkfs.vfat -n BOOT /dev/vda1",
      "mkdir /mnt/boot",
      "mount LABEL=BOOT /mnt/boot",
      "udevadm settle",
    )
  '';
};
|
|
|
|
# Create two physical LVM partitions combined into one volume group
# that contains the logical swap and root partitions.
lvm = makeInstallerTest "lvm" {
  # With systemd stage 1, LVM activation in the initrd has to be switched on
  # explicitly; the script-based initrd needs nothing extra here.
  extraConfig =
    if systemdStage1 then ''
      boot.initrd.services.lvm.enable = true;
    '' else "";

  createPartitions = ''
    # vda1 and vda2 are both flagged as LVM physical volumes.
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      " mkpart primary 1M 2048M"
      " set 1 lvm on"
      " mkpart primary 2048M -1s"
      " set 2 lvm on"
    )
    # One volume group spanning both PVs, with an LV each for swap and /.
    lvm_steps = [
      "pvcreate /dev/vda1 /dev/vda2",
      "vgcreate MyVolGroup /dev/vda1 /dev/vda2",
      "lvcreate --size 1G --name swap MyVolGroup",
      "lvcreate --size 6G --name nixos MyVolGroup",
    ]
    fs_steps = [
      "mkswap -f /dev/MyVolGroup/swap -L swap",
      "swapon -L swap",
      "mkfs.xfs -L nixos /dev/MyVolGroup/nixos",
      "mount LABEL=nixos /mnt",
    ]
    installer.succeed(disk_layout, "udevadm settle", *lvm_steps, *fs_steps)
  '';
};
|
|
|
|
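# Boot off an encrypted root partition with the default LUKS header format
# (whatever `cryptsetup luksFormat` picks when no --type is given).
# The test name matches the attribute name so that this variant and the
# explicit LUKS1 variant below are distinguishable in derivation names and
# test logs.
luksroot = makeLuksRootTest "luksroot" "";

# Boot off an encrypted root partition with LUKS1 format
luksroot-format1 = makeLuksRootTest "luksroot-format1" "--type=LUKS1";

# Boot off an encrypted root partition with LUKS2 format
luksroot-format2 = makeLuksRootTest "luksroot-format2" "--type=LUKS2";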
|
|
|
|
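# Opening an encrypted (non-root) filesystem with a keyfile at boot.
#
# Regression test: the initrd must still contain cryptsetup when the only
# LUKS device configured is one that is opened with a keyfile, i.e. when no
# passphrase-prompted LUKS device is configured at all.
#
# The keyfile lives in plaintext on the unencrypted root filesystem, so this
# layout only protects /test against someone who cannot read the root disk.
# It is an installer regression test, not a recommended deployment pattern.
encryptedFSWithKeyfile = makeInstallerTest "encryptedFSWithKeyfile" {
  # vda1 = /boot, vda2 = swap, vda3 = LUKS volume for /test, vda4 = /.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      + " mkpart primary ext2 1M 100MB" # /boot
      + " mkpart primary linux-swap 100M 1024M"
      + " mkpart primary 1024M 1280M" # LUKS with keyfile
      + " mkpart primary 1280M -1s",
      "udevadm settle",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "mkfs.ext3 -L nixos /dev/vda4",
      "mount LABEL=nixos /mnt",
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount LABEL=boot /mnt/boot",
      "modprobe dm_mod dm_crypt",
      # The keyfile is key material: create it root-only instead of with
      # whatever the shell's umask allows (typically 0644). Stage 1 reads
      # it as root, so the tighter mode does not affect the boot path.
      "(umask 077; echo -n supersecret > /mnt/keyfile)",
      "cryptsetup luksFormat -q /dev/vda3 --key-file /mnt/keyfile",
      "cryptsetup luksOpen --key-file /mnt/keyfile /dev/vda3 crypt",
      "mkfs.ext3 -L test /dev/mapper/crypt",
      "cryptsetup luksClose crypt",
      "mkdir -p /mnt/test",
    )
  '';
  # /test is mounted from the mapped device "crypt". The keyfile path is the
  # location of the root filesystem as seen from stage 1: /sysroot under
  # systemd stage 1, /mnt-root under the script-based initrd.
  extraConfig = ''
    fileSystems."/test" = {
      device = "/dev/disk/by-label/test";
      fsType = "ext3";
      encrypted.enable = true;
      encrypted.blkDev = "/dev/vda3";
      encrypted.label = "crypt";
      encrypted.keyFile = "/${if systemdStage1 then "sysroot" else "mnt-root"}/keyfile";
    };
  '';
};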
|
|
|
|
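# Full disk encryption (root, kernel and initrd encrypted) using GRUB, GPT/UEFI,
# LVM-on-LUKS and a keyfile in initrd.secrets to enter the passphrase once
#
# Boot chain: GRUB (enableCryptodisk) prompts for the passphrase, unlocks the
# LUKS volume and loads kernel + initrd from the encrypted /boot; the initrd
# then re-opens the same volume with the keyfile embedded via initrd.secrets,
# so stage 1 does not prompt a second time. Only the ESP (/boot/efi) is
# unencrypted.
fullDiskEncryption = makeInstallerTest "fullDiskEncryption" {
  # vda1 = ESP, vda2 = LUKS volume holding one LVM VG ("crypt") with an LV
  # for swap and one for /.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda -- mklabel gpt"
      + " mkpart ESP fat32 1M 100MiB" # /boot/efi
      + " set 1 boot on"
      + " mkpart primary ext2 1024MiB -1MiB", # LUKS
      "udevadm settle",
      "modprobe dm_mod dm_crypt",
      # The keyfile is generated root-only (umask 077); mv keeps the mode, so
      # it stays 0600 under /etc/nixos, from where it is read into the initrd.
      "(umask 077; dd if=/dev/random of=luks.key bs=256 count=1)",
      # --pbkdf-force-iterations 1000 only makes the test faster; it weakens
      # the key slots and must not be copied into a real installation.
      # LUKS1 is chosen here presumably because GRUB's cryptodisk has to be
      # able to open the volume.
      "echo -n supersecret | cryptsetup luksFormat -q --pbkdf-force-iterations 1000 --type luks1 /dev/vda2 -",
      "echo -n supersecret | cryptsetup luksAddKey -q --pbkdf-force-iterations 1000 --key-file - /dev/vda2 luks.key",
      "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda2 crypt",
      "pvcreate /dev/mapper/crypt",
      "vgcreate crypt /dev/mapper/crypt",
      "lvcreate -L 100M -n swap crypt",
      "lvcreate -l '100%FREE' -n nixos crypt",
      "mkfs.vfat -n efi /dev/vda1",
      "mkfs.ext4 -L nixos /dev/crypt/nixos",
      "mkswap -L swap /dev/crypt/swap",
      "mount LABEL=nixos /mnt",
      "mkdir -p /mnt/{etc/nixos,boot/efi}",
      "mount LABEL=efi /mnt/boot/efi",
      "swapon -L swap",
      "mv luks.key /mnt/etc/nixos/"
    )
  '';
  bootLoader = "grub";
  grubUseEfi = true;
  extraConfig = ''
    boot.loader.grub.enableCryptodisk = true;
    boot.loader.efi.efiSysMountPoint = "/boot/efi";

    # Embed the keyfile in the initrd. The initrd itself lives under /boot on
    # the encrypted root filesystem; only /boot/efi is the plaintext ESP.
    boot.initrd.secrets."/luks.key" = "/etc/nixos/luks.key";
    boot.initrd.luks.devices.crypt =
      { device = "/dev/vda2";
        keyFile = "/luks.key";
      };
  '';
  # The passphrase prompt is GRUB's, shown on the VGA console, so the test
  # has to find it by OCR of the screen before typing the passphrase.
  enableOCR = true;
  postBootCommands = ''
    target.wait_for_text("Enter passphrase for")
    target.send_chars("supersecret\n")
  '';
};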
|
|
|
|
# Software RAID (mdadm): two RAID-1 mirrors built from logical partitions,
# md0 (vda5 + vda6) for / and md1 (vda7 + vda8) for swap; /boot stays on
# the plain primary partition vda1.
swraid = makeInstallerTest "swraid" {
  # The udev exec queue is stopped while the arrays are created and started
  # again afterwards - presumably so udev rules do not touch the member
  # partitions while mdadm is writing its superblocks - and the following
  # `udevadm settle` waits for the queued events before the arrays are
  # formatted. The `ls` / `cat /proc/partitions` lines only dump state to
  # the test log for debugging.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda --"
      + " mklabel msdos"
      + " mkpart primary ext2 1M 100MB" # /boot
      + " mkpart extended 100M -1s"
      + " mkpart logical 102M 3102M" # md0 (root), first device
      + " mkpart logical 3103M 6103M" # md0 (root), second device
      + " mkpart logical 6104M 6360M" # md1 (swap), first device
      + " mkpart logical 6361M 6617M", # md1 (swap), second device
      "udevadm settle",
      "ls -l /dev/vda* >&2",
      "cat /proc/partitions >&2",
      "udevadm control --stop-exec-queue",
      "mdadm --create --force /dev/md0 --metadata 1.2 --level=raid1 "
      + "--raid-devices=2 /dev/vda5 /dev/vda6",
      "mdadm --create --force /dev/md1 --metadata 1.2 --level=raid1 "
      + "--raid-devices=2 /dev/vda7 /dev/vda8",
      "udevadm control --start-exec-queue",
      "udevadm settle",
      "mkswap -f /dev/md1 -L swap",
      "swapon -L swap",
      "mkfs.ext3 -L nixos /dev/md0",
      "mount LABEL=nixos /mnt",
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir /mnt/boot",
      "mount LABEL=boot /mnt/boot",
      "udevadm settle",
    )
  '';
  # After the reboot the kernel log must not contain "immediate safe mode";
  # `fail` asserts that the grep finds nothing.
  postBootCommands = ''
    target.fail("dmesg | grep 'immediate safe mode'")
  '';
};
|
|
|
|
# Root on a bcache device: vda3 is the cache device (the "SSD"), vda4 the
# backing device (the "HDD"); the combined device shows up as /dev/bcache0.
bcache = makeInstallerTest "bcache" {
  createPartitions = ''
    # vda1 = /boot, vda2 = swap, vda3 = cache, vda4 = backing device.
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda --"
      " mklabel msdos"
      " mkpart primary ext2 1M 100MB"
      " mkpart primary 100MB 512MB "
      " mkpart primary 512MB 1024MB"
      " mkpart primary 1024MB -1s "
    )
    installer.succeed(disk_layout, "modprobe bcache", "udevadm settle")
    installer.succeed("make-bcache -B /dev/vda4 -C /dev/vda3", "udevadm settle")
    installer.succeed(
      "mkfs.ext3 -L nixos /dev/bcache0",
      "mount LABEL=nixos /mnt",
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir /mnt/boot",
      "mount LABEL=boot /mnt/boot",
      "mkswap -f /dev/vda2 -L swap",
      "swapon -L swap",
    )
  '';
};
|
|
|
|
# Unencrypted bcachefs root on a single device; /boot is a separate ext3
# partition.
bcachefsSimple = makeInstallerTest "bcachefs-simple" {
  extraInstallerConfig = {
    # The installer ISO needs bcachefs support; the ZFS module is left out
    # (no-zfs-module is defined earlier in this file).
    imports = [ no-zfs-module ];
    boot.supportedFilesystems = [ "bcachefs" ];
  };

  createPartitions = ''
    # vda1 = /boot (ext3), vda2 = swap, vda3 = / (bcachefs).
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      " mkpart primary ext2 1M 100MB"
      " mkpart primary linux-swap 100M 1024M"
      " mkpart primary 1024M -1s"
    )
    root_steps = [
      "mkfs.bcachefs -L root /dev/vda3",
      "mount -t bcachefs /dev/vda3 /mnt",
    ]
    boot_steps = [
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount /dev/vda1 /mnt/boot",
    ]
    installer.succeed(disk_layout, "udevadm settle")
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed(*root_steps, *boot_steps)
  '';
};
|
|
|
|
# Encrypted bcachefs root; the passphrase is typed at the stage-1 prompt
# after the reboot.
bcachefsEncrypted = makeInstallerTest "bcachefs-encrypted" {
  extraInstallerConfig = {
    boot.supportedFilesystems = [ "bcachefs" ];

    # disable zfs so we can support latest kernel if needed
    imports = [ no-zfs-module ];

    # `bcachefs unlock -k session` below puts the key into the session
    # keyring; keyutils is presumably needed for the keyring handling.
    environment.systemPackages = with pkgs; [ keyutils ];
  };

  # The passphrase prompt has to appear on the VGA console for the
  # OCR-based wait_for_text below to see it.
  extraConfig = ''
    boot.kernelParams = lib.mkAfter [ "console=tty0" ];
  '';

  enableOCR = true;
  # A wrong passphrase is entered first to check that the prompt is
  # re-issued, then the correct one ("password", see createPartitions).
  postBootCommands = ''
    # Enter it wrong once
    target.wait_for_text("enter passphrase for ")
    target.send_chars("wrong\n")
    # Then enter it right.
    target.wait_for_text("enter passphrase for ")
    target.send_chars("password\n")
  '';

  # The passphrase is piped on stdin to mkfs, unlock and mount. It is the
  # literal string "password"; fine for a VM test, not a pattern to reuse.
  createPartitions = ''
    installer.succeed(
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      + " mkpart primary ext2 1M 100MB" # /boot
      + " mkpart primary linux-swap 100M 1024M" # swap
      + " mkpart primary 1024M -1s", # /
      "udevadm settle",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "echo password | mkfs.bcachefs -L root --encrypted /dev/vda3",
      "echo password | bcachefs unlock -k session /dev/vda3",
      "echo password | mount -t bcachefs /dev/vda3 /mnt",
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount /dev/vda1 /mnt/boot",
    )
  '';
};
|
|
|
|
# Multi-device bcachefs root: vda3 (labelled "ssd") and vda4 (labelled "hdd")
# form one filesystem.
bcachefsMulti = makeInstallerTest "bcachefs-multi" {
  extraInstallerConfig = {
    # disable zfs so we can support latest kernel if needed
    imports = [ no-zfs-module ];
    boot.supportedFilesystems = [ "bcachefs" ];
  };

  createPartitions = ''
    # vda1 = /boot, vda2 = swap, vda3 + vda4 = the two members of /.
    disk_layout = (
      "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
      " mkpart primary ext2 1M 100MB"
      " mkpart primary linux-swap 100M 1024M"
      " mkpart primary 1024M 4096M"
      " mkpart primary 4096M -1s"
    )
    # Metadata replicated on both members; "ssd" is the foreground and
    # promote target, "hdd" the background target.
    mkfs_root = (
      "mkfs.bcachefs -L root --metadata_replicas 2"
      " --foreground_target ssd --promote_target ssd --background_target hdd"
      " --label ssd /dev/vda3 --label hdd /dev/vda4"
    )
    installer.succeed(disk_layout, "udevadm settle")
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed(mkfs_root, "mount -t bcachefs /dev/vda3:/dev/vda4 /mnt")
    installer.succeed(
      "mkfs.ext3 -L boot /dev/vda1",
      "mkdir -p /mnt/boot",
      "mount /dev/vda1 /mnt/boot",
    )
  '';
};
|
|
|
|
# Test using labels to identify volumes in grub
simpleLabels = makeInstallerTest "simpleLabels" {
  grubIdentifier = "label";

  createPartitions = ''
    # vda1 = BIOS boot partition (type ef02), vda2 = swap, vda3 = / with
    # the GPT partition name "root".
    installer.succeed("sgdisk -Z /dev/vda")
    installer.succeed(
      "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda"
    )
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed("mkfs.ext4 -L root /dev/vda3", "mount LABEL=root /mnt")
  '';
};
|
|
|
|
# Test using the provided disk name within grub
# TODO: Fix udev so the symlinks are unneeded in /dev/disks
#
# The by-uuid / by-label symlinks are created by hand (see the TODO) with
# `execute` rather than `succeed`, so an already-present link does not fail
# the test; everything that has to work uses `succeed`.
simpleProvided = makeInstallerTest "simpleProvided" {
  # `uuid` is the literal text "$(blkid ...)": it is not evaluated in the
  # test driver but by the guest shell when the f-string commands run, i.e.
  # after vda2 has been formatted below.
  createPartitions = ''
    uuid = "$(blkid -s UUID -o value /dev/vda2)"
    installer.succeed(
      "sgdisk -Z /dev/vda",
      "sgdisk -n 1:0:+1M -n 2:0:+100M -n 3:0:+1G -N 4 -t 1:ef02 -t 2:8300 "
      + "-t 3:8200 -t 4:8300 -c 2:boot -c 4:root /dev/vda",
      "mkswap /dev/vda3 -L swap",
      "swapon -L swap",
      "mkfs.ext4 -L boot /dev/vda2",
      "mkfs.ext4 -L root /dev/vda4",
    )
    installer.execute(f"ln -s ../../vda2 /dev/disk/by-uuid/{uuid}")
    installer.execute("ln -s ../../vda4 /dev/disk/by-label/root")
    installer.succeed(
      "mount /dev/disk/by-label/root /mnt",
      "mkdir /mnt/boot",
      f"mount /dev/disk/by-uuid/{uuid} /mnt/boot",
    )
  '';
  grubIdentifier = "provided";
};
|
|
|
|
# Simple btrfs grub testing
btrfsSimple = makeInstallerTest "btrfsSimple" {
  createPartitions = ''
    # vda1 = BIOS boot partition (type ef02), vda2 = swap, vda3 = / (btrfs).
    installer.succeed("sgdisk -Z /dev/vda")
    installer.succeed(
      "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda"
    )
    installer.succeed("mkswap /dev/vda2 -L swap", "swapon -L swap")
    installer.succeed("mkfs.btrfs -L root /dev/vda3", "mount LABEL=root /mnt")
  '';
};
|
|
|
|
# Test to see if we can detect /boot and /nix on subvolumes
#
# The filesystem is mounted once at the top level to create the subvolumes,
# then remounted with explicit `subvol=` options: nixos/default as / and
# boot as /boot. The installed configuration has to reproduce those mount
# options for the system to boot.
btrfsSubvols = makeInstallerTest "btrfsSubvols" {
  createPartitions = ''
    installer.succeed(
      "sgdisk -Z /dev/vda",
      "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "mkfs.btrfs -L root /dev/vda3",
      "btrfs device scan",
      "mount LABEL=root /mnt",
      "btrfs subvol create /mnt/boot",
      "btrfs subvol create /mnt/nixos",
      "btrfs subvol create /mnt/nixos/default",
      "umount /mnt",
      "mount -o defaults,subvol=nixos/default LABEL=root /mnt",
      "mkdir /mnt/boot",
      "mount -o defaults,subvol=boot LABEL=root /mnt/boot",
    )
  '';
};
|
|
|
|
# Test to see if we can detect default and aux subvolumes correctly
#
# "nixos" is made the filesystem's default subvolume, so the later plain
# mount (no subvol= option) lands on it. A directory /mnt/badpath/boot is
# created inside that subvolume as a decoy: /boot is then mounted from the
# badpath/boot *subvolume*, and the detection is only correct if it reports
# the subvolume rather than the same-named path in the default subvolume.
btrfsSubvolDefault = makeInstallerTest "btrfsSubvolDefault" {
  # The set-default argument is a shell command substitution that looks up
  # the subvolume id of "nixos"; it is expanded on the guest, not here.
  createPartitions = ''
    installer.succeed(
      "sgdisk -Z /dev/vda",
      "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "mkfs.btrfs -L root /dev/vda3",
      "btrfs device scan",
      "mount LABEL=root /mnt",
      "btrfs subvol create /mnt/badpath",
      "btrfs subvol create /mnt/badpath/boot",
      "btrfs subvol create /mnt/nixos",
      "btrfs subvol set-default "
      + "$(btrfs subvol list /mnt | grep 'nixos' | awk '{print $2}') /mnt",
      "umount /mnt",
      "mount -o defaults LABEL=root /mnt",
      "mkdir -p /mnt/badpath/boot", # Help ensure the detection mechanism
                                    # is actually looking up subvolumes
      "mkdir /mnt/boot",
      "mount -o defaults,subvol=badpath/boot LABEL=root /mnt/boot",
    )
  '';
};
|
|
|
|
# Test to see if we can deal with subvols that need to be escaped in fstab
#
# The root subvolume is named "nixos in space" (with literal spaces), so the
# generated fstab / fileSystems entry has to escape the subvol= option for
# the installed system to mount it.
btrfsSubvolEscape = makeInstallerTest "btrfsSubvolEscape" {
  createPartitions = ''
    installer.succeed(
      "sgdisk -Z /dev/vda",
      "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "mkfs.btrfs -L root /dev/vda3",
      "btrfs device scan",
      "mount LABEL=root /mnt",
      "btrfs subvol create '/mnt/nixos in space'",
      "btrfs subvol create /mnt/boot",
      "umount /mnt",
      "mount -o 'defaults,subvol=nixos in space' LABEL=root /mnt",
      "mkdir /mnt/boot",
      "mount -o defaults,subvol=boot LABEL=root /mnt/boot",
    )
  '';
};
|
|
} // {
|
|
# Clevis-based automatic unlocking of an encrypted root, once per supported
# backend (the mk*Test helpers are defined earlier in this file).
clevisBcachefs = mkClevisBcachefsTest { };
clevisLuks = mkClevisLuksTest { };
clevisZfs = mkClevisZfsTest { };
clevisZfsParentDataset = mkClevisZfsTest { parentDataset = true; };

# The *Fallback variants cover the path where the clevis unlock does not
# succeed and the passphrase has to be typed at the prompt instead.
clevisBcachefsFallback = mkClevisBcachefsTest { fallback = true; };
clevisLuksFallback = mkClevisLuksTest { fallback = true; };
clevisZfsFallback = mkClevisZfsTest { fallback = true; };
clevisZfsParentDatasetFallback = mkClevisZfsTest { parentDataset = true; fallback = true; };
|
|
} // optionalAttrs systemdStage1 {
|
|
# Root on a Stratis pool (systemd-boot, GPT). Only available with systemd
# stage 1: this attribute is inside the `optionalAttrs systemdStage1` set.
stratisRoot = makeInstallerTest "stratisRoot" {
  # vda1 = ESP (/boot, no label), vda2 = swap, vda3 = Stratis pool "my-pool"
  # with one filesystem "nixos" used as /. In the sgdisk calls partition
  # number 0 in --typecode refers to the partition just created.
  createPartitions = ''
    installer.succeed(
      "sgdisk --zap-all /dev/vda",
      "sgdisk --new=1:0:+100M --typecode=0:ef00 /dev/vda", # /boot
      "sgdisk --new=2:0:+1G --typecode=0:8200 /dev/vda", # swap
      "sgdisk --new=3:0:+5G --typecode=0:8300 /dev/vda", # /
      "udevadm settle",

      "mkfs.vfat /dev/vda1",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "stratis pool create my-pool /dev/vda3",
      "stratis filesystem create my-pool nixos",
      "udevadm settle",

      "mount /dev/stratis/my-pool/nixos /mnt",
      "mkdir -p /mnt/boot",
      "mount /dev/vda1 /mnt/boot"
    )
  '';
  bootLoader = "systemd-boot";
  # The installer ISO needs the stratis daemon running plus the CLI and the
  # tools stratisd relies on; `modulesPath` is accepted but unused here.
  extraInstallerConfig = { modulesPath, ...}: {
    config = {
      services.stratis.enable = true;
      environment.systemPackages = [
        pkgs.stratis-cli
        pkgs.thin-provisioning-tools
        pkgs.lvm2.bin
        pkgs.stratisd.initrd
      ];
    };
  };
};
|
|
|
|
# Root found by systemd's gpt-auto discovery instead of an explicit
# fileSystems."/" entry: the root partition carries the root-partition type
# GUID for the build's EFI architecture, and the installed initrd is told
# to use "gpt-auto" for its root. Only available with systemd stage 1: this
# attribute is inside the `optionalAttrs systemdStage1` set.
gptAutoRoot = let
  # Root-partition type GUIDs keyed by efiArch; evaluation fails for an
  # efiArch not listed here.
  rootPartType = {
    ia32 = "44479540-F297-41B2-9AF7-D131D5F0458A";
    x64 = "4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709";
    arm = "69DAD710-2CE4-4E3C-B16C-21A1D49ABED3";
    aa64 = "B921B045-1DF0-41C3-AF44-4C6F280D3FAE";
  }.${pkgs.stdenv.hostPlatform.efiArch};
in makeInstallerTest "gptAutoRoot" {
  # Presumably keeps makeInstallerTest from emitting explicit fileSystems
  # entries, so that the root really is located by partition type at boot.
  disableFileSystems = true;
  # vda1 = ESP (/boot), vda2 = swap, vda3 = / typed with rootPartType. In
  # the sgdisk calls partition number 0 in --typecode refers to the
  # partition just created.
  createPartitions = ''
    installer.succeed(
      "sgdisk --zap-all /dev/vda",
      "sgdisk --new=1:0:+100M --typecode=0:ef00 /dev/vda", # /boot
      "sgdisk --new=2:0:+1G --typecode=0:8200 /dev/vda", # swap
      "sgdisk --new=3:0:+5G --typecode=0:${rootPartType} /dev/vda", # /
      "udevadm settle",

      "mkfs.vfat /dev/vda1",
      "mkswap /dev/vda2 -L swap",
      "swapon -L swap",
      "mkfs.ext4 -L root /dev/vda3",
      "udevadm settle",

      "mount /dev/vda3 /mnt",
      "mkdir -p /mnt/boot",
      "mount /dev/vda1 /mnt/boot"
    )
  '';
  bootLoader = "systemd-boot";
  # Without a fileSystems entry nothing pulls the ext4 driver into the
  # initrd, so it is listed explicitly.
  extraConfig = ''
    boot.initrd.systemd.root = "gpt-auto";
    boot.initrd.supportedFilesystems = ["ext4"];
  '';
};
|
|
}
|