From 0f05321d784fdd9e6b3a80aabe292a32d28e96c1 Mon Sep 17 00:00:00 2001
From: Albert Peschar
Date: Tue, 18 Apr 2023 17:44:25 +0300
Subject: [PATCH] zfs: enable keylocation=http://

When ZFS is built with cURL, it allows retrieving encryption keys from URLs automatically.
---
 nixos/tests/zfs.nix                    | 26 ++++++++++++++++++++++++--
 pkgs/os-specific/linux/zfs/default.nix |  4 ++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix
index bcb9d9bcfd60..ce2796b67da4 100644
--- a/nixos/tests/zfs.nix
+++ b/nixos/tests/zfs.nix
@@ -80,6 +80,11 @@ let
         fsType = "zfs";
         options = [ "noauto" ];
       };
+      virtualisation.fileSystems."/manual/httpkey" = {
+        device = "manual/httpkey";
+        fsType = "zfs";
+        options = [ "noauto" ];
+      };
     };
 
     specialisation.forcepool.configuration = {
@@ -92,6 +97,19 @@ let
         options = [ "noauto" ];
       };
     };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        localhost = {
+          locations = {
+            "/zfskey" = {
+              return = ''200 "httpkeyabc"'';
+            };
+          };
+        };
+      };
+    };
   };
 
   testScript = ''
@@ -130,6 +148,8 @@ let
         "zpool create -O mountpoint=legacy manual /dev/vdd1",
         "echo otherpass | zfs create "
         + "-o encryption=aes-256-gcm -o keyformat=passphrase manual/encrypted",
+        "zfs create -o encryption=aes-256-gcm -o keyformat=passphrase "
+        + "-o keylocation=http://localhost/zfskey manual/httpkey",
         "bootctl set-default nixos-generation-1-specialisation-encryption.conf",
         "sync",
         "zpool export automatic",
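Review bot: The new `services.nginx` virtual host serves the dataset's wrapping passphrase in cleartext over plain HTTP, and nothing in the hunk marks that as a test-only shortcut, so a reader may copy the pattern into a real configuration. A comment above `services.nginx` would make the scope explicit, e.g. `# Test fixture only: the key is served in cleartext over loopback. Outside a test, prefer keylocation=https:// (documented by ZFS as verifying the server certificate) or file://.` The `localhost` virtual host carries no `listen` entry, so it takes nginx's default listen addresses rather than being pinned to 127.0.0.1; whether the test VM has any other reachable interface is not visible here, so a loopback-only `listen` is optional but would document the intent.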
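Review bot: `zfs create ... -o keylocation=http://localhost/zfskey manual/httpkey` retrieves the key from the URL at creation time, so this line already depends on nginx accepting connections, not only the later `zfs load-key` in the encryption specialisation. The lines of testScript before this `machine.succeed(` call are outside the hunk, so I cannot see whether the script waits for the service first; if it does not, `machine.wait_for_unit("nginx.service")` (or `machine.wait_for_open_port(80)`) before the call would remove a boot-ordering race that would show up as an intermittent `zfs create` failure. The enclosing `machine.succeed(` call starts before the hunk.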
@@ -141,10 +161,12 @@ let
       machine.send_console("password\n")
       machine.wait_for_unit("multi-user.target")
       machine.succeed(
-        "zfs get keystatus manual/encrypted | grep unavailable",
+        "zfs get -Ho value keystatus manual/encrypted | grep -Fx unavailable",
         "echo otherpass | zfs load-key manual/encrypted",
         "systemctl start manual-encrypted.mount",
-        "umount /automatic /manual/encrypted /manual",
+        "zfs load-key manual/httpkey",
+        "systemctl start manual-httpkey.mount",
+        "umount /automatic /manual/encrypted /manual/httpkey /manual",
         "zpool destroy automatic",
         "zpool destroy manual",
       )
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 8655bd2ed323..7476a0c845fe 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -10,6 +10,7 @@
 , gawk, gnugrep, gnused, systemd
 , smartmontools, enableMail ? false
 , sysstat, pkg-config
+, curl
 
 # Kernel dependencies
 , kernel ? null
@@ -76,6 +77,8 @@ let
         nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
       }/bin/exportfs"
       substituteInPlace ./lib/libshare/smb.h --replace "/usr/bin/net" "${samba}/bin/net"
+      # Disable dynamic loading of libcurl
+      substituteInPlace ./config/user-libfetch.m4 --replace "curl-config --built-shared" "true"
       substituteInPlace ./config/user-systemd.m4 --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
       substituteInPlace ./config/zfs-build.m4 --replace "\$sysconfdir/init.d" "$out/etc/init.d" \
         --replace "/etc/default" "$out/etc/default"
@@ -111,6 +114,7 @@ let
       ++ optional buildUser pkg-config;
     buildInputs = optionals buildUser [ zlib libuuid attr libtirpc ]
       ++ optional buildUser openssl
+      ++ optional buildUser curl
       ++ optional (buildUser && enablePython) python3;
 
     # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
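Review bot: `zfs load-key manual/httpkey` is the only check on the http-sourced key, and unlike the `manual/encrypted` dataset it has no keystatus assertion around it, so the test would pass just the same if the key had already been loaded earlier in the boot (presumably possible, since I cannot see the import units) rather than fetched by this command. Mirroring the tightened line above it, `"zfs get -Ho value keystatus manual/httpkey | grep -Fx unavailable",` before the `zfs load-key` and `"zfs get -Ho value keystatus manual/httpkey | grep -Fx available",` after it would pin both states. The enclosing `machine.succeed(` call lies fully inside the hunk.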
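Review bot: `substituteInPlace ./config/user-libfetch.m4 --replace "curl-config --built-shared" "true"` is what keeps libcurl linked in directly, but `substituteInPlace --replace` succeeds silently when the pattern is absent, so an upstream edit to that m4 fragment would quietly re-enable the dynamic-loading path and `keylocation=http://` would only fail later at key-load time. Adding `! grep -q 'curl-config --built-shared' ./config/user-libfetch.m4` immediately after the substitution turns that drift into a build failure. The comment `# Disable dynamic loading of libcurl` says what but not why; if the reason is that a runtime dlopen() of libcurl cannot find the library under Nix (my inference, not visible in the hunk), stating that in the comment would let the next maintainer judge whether the substitution is still needed. The `, curl` parameter and `++ optional buildUser curl` hunks in the same file are the consistent companions to this line and need nothing further.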