zfs: enable keylocation=http://

When ZFS is built with cURL, it allows retrieving encryption keys from URLs automatically.
2023-04-18 17:44:25 +03:00 · 2023-04-18 17:44:25 +03:00 · 0f05321d78
parent 75c131fc1b
commit 0f05321d78
2 changed files with 28 additions and 2 deletions
--- a/nixos/tests/zfs.nix
+++ b/nixos/tests/zfs.nix
@ -80,6 +80,11 @@ let
            fsType = "zfs";
            options = [ "noauto" ];
          };
+          virtualisation.fileSystems."/manual/httpkey" = {
+            device = "manual/httpkey";
+            fsType = "zfs";
+            options = [ "noauto" ];
+          };
        };

        specialisation.forcepool.configuration = {
@ -92,6 +97,19 @@ let
            options = [ "noauto" ];
          };
        };
+
+        services.nginx = {
+          enable = true;
+          virtualHosts = {
+            localhost = {
+              locations = {
+                "/zfskey" = {
+                  return = ''200 "httpkeyabc"'';
+                };
+              };
+            };
+          };
+        };
      };

      testScript = ''
@ -130,6 +148,8 @@ let
                "zpool create -O mountpoint=legacy manual /dev/vdd1",
                "echo otherpass | zfs create "
                + "-o encryption=aes-256-gcm -o keyformat=passphrase manual/encrypted",
+                "zfs create -o encryption=aes-256-gcm -o keyformat=passphrase "
+                + "-o keylocation=http://localhost/zfskey manual/httpkey",
                "bootctl set-default nixos-generation-1-specialisation-encryption.conf",
                "sync",
                "zpool export automatic",
@ -141,10 +161,12 @@ let
            machine.send_console("password\n")
            machine.wait_for_unit("multi-user.target")
            machine.succeed(
-                "zfs get keystatus manual/encrypted | grep unavailable",
+                "zfs get -Ho value keystatus manual/encrypted | grep -Fx unavailable",
                "echo otherpass | zfs load-key manual/encrypted",
                "systemctl start manual-encrypted.mount",
-                "umount /automatic /manual/encrypted /manual",
+                "zfs load-key manual/httpkey",
+                "systemctl start manual-httpkey.mount",
+                "umount /automatic /manual/encrypted /manual/httpkey /manual",
                "zpool destroy automatic",
                "zpool destroy manual",
            )
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@ -10,6 +10,7 @@
 , gawk, gnugrep, gnused, systemd
 , smartmontools, enableMail ? false
 , sysstat, pkg-config
+, curl

 # Kernel dependencies
 , kernel ? null
@ -76,6 +77,8 @@ let
          nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
        }/bin/exportfs"
        substituteInPlace ./lib/libshare/smb.h        --replace "/usr/bin/net"            "${samba}/bin/net"
+        # Disable dynamic loading of libcurl
+        substituteInPlace ./config/user-libfetch.m4   --replace "curl-config --built-shared" "true"
        substituteInPlace ./config/user-systemd.m4    --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
        substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d" \
                                                      --replace "/etc/default"            "$out/etc/default"
@ -111,6 +114,7 @@ let
        ++ optional buildUser pkg-config;
      buildInputs = optionals buildUser [ zlib libuuid attr libtirpc ]
        ++ optional buildUser openssl
+        ++ optional buildUser curl
        ++ optional (buildUser && enablePython) python3;

      # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work