mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-25 03:17:13 +00:00
4f0dadbf38
After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-builda08b3a4d19
.tar.gz \ --argstr baseRevb32a094368
result/bin/apply-formatting $NIXPKGS_PATH
114 lines
3.8 KiB
Nix
114 lines
3.8 KiB
Nix
{
|
|
system ? builtins.currentSystem,
|
|
config ? { },
|
|
pkgs ? import ../.. { inherit system config; },
|
|
systemdStage1 ? false,
|
|
}:
|
|
import ./make-test-python.nix (
|
|
{ lib, pkgs, ... }:
|
|
let
|
|
|
|
keyfile = pkgs.writeText "luks-keyfile" ''
|
|
MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
|
|
gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
|
|
FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
|
|
'';
|
|
|
|
in
|
|
{
|
|
name = "initrd-luks-empty-passphrase";
|
|
|
|
nodes.machine =
|
|
{ pkgs, ... }:
|
|
{
|
|
imports = lib.optionals (!systemdStage1) [ ./common/auto-format-root-device.nix ];
|
|
|
|
virtualisation = {
|
|
emptyDiskImages = [ 512 ];
|
|
useBootLoader = true;
|
|
useEFIBoot = true;
|
|
# This requires to have access
|
|
# to a host Nix store as
|
|
# the new root device is /dev/vdb
|
|
# an empty 512MiB drive, containing no Nix store.
|
|
mountHostNixStore = true;
|
|
fileSystems."/".autoFormat = lib.mkIf systemdStage1 true;
|
|
};
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
boot.initrd.systemd = lib.mkIf systemdStage1 {
|
|
enable = true;
|
|
emergencyAccess = true;
|
|
};
|
|
environment.systemPackages = with pkgs; [ cryptsetup ];
|
|
|
|
specialisation.boot-luks-wrong-keyfile.configuration = {
|
|
boot.initrd.luks.devices = lib.mkVMOverride {
|
|
cryptroot = {
|
|
device = "/dev/vdb";
|
|
keyFile = "/etc/cryptroot.key";
|
|
tryEmptyPassphrase = true;
|
|
fallbackToPassword = !systemdStage1;
|
|
};
|
|
};
|
|
virtualisation.rootDevice = "/dev/mapper/cryptroot";
|
|
boot.initrd.secrets."/etc/cryptroot.key" = keyfile;
|
|
};
|
|
|
|
specialisation.boot-luks-missing-keyfile.configuration = {
|
|
boot.initrd.luks.devices = lib.mkVMOverride {
|
|
cryptroot = {
|
|
device = "/dev/vdb";
|
|
keyFile = "/etc/cryptroot.key";
|
|
tryEmptyPassphrase = true;
|
|
fallbackToPassword = !systemdStage1;
|
|
};
|
|
};
|
|
virtualisation.rootDevice = "/dev/mapper/cryptroot";
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
# Encrypt key with empty key so boot should try keyfile and then fallback to empty passphrase
|
|
|
|
|
|
def grub_select_boot_luks_wrong_key_file():
|
|
"""
|
|
Selects "boot-luks" from the GRUB menu
|
|
to trigger a login request.
|
|
"""
|
|
machine.send_monitor_command("sendkey down")
|
|
machine.send_monitor_command("sendkey down")
|
|
machine.send_monitor_command("sendkey ret")
|
|
|
|
def grub_select_boot_luks_missing_key_file():
|
|
"""
|
|
Selects "boot-luks" from the GRUB menu
|
|
to trigger a login request.
|
|
"""
|
|
machine.send_monitor_command("sendkey down")
|
|
machine.send_monitor_command("sendkey ret")
|
|
|
|
# Create encrypted volume
|
|
machine.wait_for_unit("multi-user.target")
|
|
machine.succeed("echo "" | cryptsetup luksFormat /dev/vdb --batch-mode")
|
|
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-wrong-keyfile.conf")
|
|
machine.succeed("sync")
|
|
machine.crash()
|
|
|
|
# Check if rootfs is on /dev/mapper/cryptroot
|
|
machine.wait_for_unit("multi-user.target")
|
|
assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
|
|
|
|
# Choose boot-luks-missing-keyfile specialisation
|
|
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-missing-keyfile.conf")
|
|
machine.succeed("sync")
|
|
machine.crash()
|
|
|
|
# Check if rootfs is on /dev/mapper/cryptroot
|
|
machine.wait_for_unit("multi-user.target")
|
|
assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
|
|
'';
|
|
}
|
|
)
|