authorlassulus <lassulus@lassul.us>2022-08-25 13:14:07 +0200
committerlassulus <lassulus@lassul.us>2022-08-25 15:32:09 +0200
commitdd99e29edc994056d5f700e24a75406115e98dff (patch)
tree10709b66fec84d7412ccbc9d12d2d42a7d06850c
parent1237ac36db1a457ae561134d191d2924a9ce5ffc (diff)
fix cryptsetup luksOpen idempotency, add luks-lvm test
-rw-r--r--default.nix2
-rw-r--r--example/luks-lvm.nix78
-rw-r--r--tests/luks-lvm.nix39
3 files changed, 118 insertions, 1 deletions
diff --git a/default.nix b/default.nix
index 567324c..39e455a 100644
--- a/default.nix
+++ b/default.nix
@@ -151,7 +151,7 @@ let
recursiveUpdate
(mount-f { device = "/dev/mapper/${x.name}"; } x.content)
{luks.${q.device} = ''
- cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
+ cryptsetup status ${x.name} >/dev/null 2>/dev/null || cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
'';}
);
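Review bot: The new guard on the `+` line tests only that a device-mapper target named `${x.name}` is active, not that it is backed by `${q.device}`, so if a mapping of the same name already exists on top of some other device the luksOpen is silently skipped and the subsequent mount-f of `/dev/mapper/${x.name}` operates on the wrong volume. If `cryptsetup status` output is stable enough here (it prints a `device:` line for active mappings — worth confirming against the cryptsetup version shipped), the check could compare that line with `${q.device}` and fail loudly on a mismatch instead of proceeding. At minimum the intent deserves a comment next to the guard, e.g. `# skip luksOpen when the mapping is already active so repeated mount runs are idempotent; note this does not verify which block device backs an existing mapping`. The enclosing `let` binding and the function that builds these luks entries start and end outside the hunk.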
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
new file mode 100644
index 0000000..d0b4d26
--- /dev/null
+++ b/example/luks-lvm.nix
@@ -0,0 +1,78 @@
+{
+ type = "devices";
+ content = {
+ vdb = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ type = "partition";
+ part-type = "ESP";
+ start = "1MiB";
+ end = "100MiB";
+ fs-type = "FAT32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ options = [
+ "defaults"
+ ];
+ };
+ }
+ {
+ type = "partition";
+ part-type = "primary";
+ start = "100MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ algo = "aes-xts...";
+ name = "crypted";
+ keyfile = "/tmp/secret.key";
+ extraArgs = [
+ "--hash sha512"
+ "--iter-time 5000"
+ ];
+ content = {
+ type = "lvm";
+ name = "pool";
+ lvs = {
+ root = {
+ type = "lv";
+ size = "100M";
+ mountpoint = "/";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ options = [
+ "defaults"
+ ];
+ };
+ };
+ home = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ raw = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "noop";
+ };
+ };
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+}
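Review bot: `algo = "aes-xts...";` on the luks entry reads as an unfinished placeholder rather than a valid cipher specification; if the luks handler in default.nix passes this value to cryptsetup the example cannot work, and if it is ignored the example misleads readers about what the option does — either way it should be a real value or dropped. Since this file doubles as the fixture for tests/luks-lvm.nix, which writes the key to the same `/tmp/secret.key` path, a short comment such as `# example only: the keyfile lives in /tmp so the VM test can create it; real configs should keep the key outside world-readable locations` would stop the path being copied into production configs. The `root` lv also sets `mountpoint = "/"` both on the lv and on its filesystem content while `home` sets it only on the content; one convention should be chosen so readers are not left guessing which level the mount handler consults.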
diff --git a/tests/luks-lvm.nix b/tests/luks-lvm.nix
new file mode 100644
index 0000000..3e2c5f2
--- /dev/null
+++ b/tests/luks-lvm.nix
@@ -0,0 +1,39 @@
+{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>
+, pkgs ? (import <nixpkgs> {})
+}:
+let
+ makeTest' = args:
+ makeTest args {
+ inherit pkgs;
+ inherit (pkgs) system;
+ };
+ disko-config = import ../example/luks-lvm.nix;
+ tsp-create = pkgs.writeScript "create" ((pkgs.callPackage ../. {}).create disko-config);
+ tsp-mount = pkgs.writeScript "mount" ((pkgs.callPackage ../. {}).mount disko-config);
+in makeTest' {
+ name = "disko";
+
+ nodes.machine =
+ { config, pkgs, modulesPath, ... }:
+
+ {
+ imports = [
+ (modulesPath + "/profiles/installation-device.nix")
+ (modulesPath + "/profiles/base.nix")
+ ];
+
+ # speed-up eval
+ documentation.enable = false;
+
+ virtualisation.emptyDiskImages = [ 512 ];
+ };
+
+ testScript = ''
+ machine.succeed("echo 'secret' > /tmp/secret.key");
+ machine.succeed("${tsp-create}");
+ machine.succeed("${tsp-mount}");
+ machine.succeed("${tsp-mount}"); # verify that the command is idempotent
+ machine.succeed("cryptsetup isLuks /dev/vdb2");
+ machine.succeed("grep -qs '/mnt/home' /proc/mounts");
+ '';
+}
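Review bot: The assertions at the end of testScript do not actually exercise the idempotency fix this commit makes: `cryptsetup isLuks /dev/vdb2` only inspects the on-disk header and passes whether or not luksOpen ran, and the `/mnt/home` grep would succeed after the first mount even if the second run had failed silently inside the guard. Checking the mapping itself after the second mount, e.g. `machine.succeed("cryptsetup status crypted | grep -q '/dev/vdb2'")`, would verify that the `crypted` mapping is active and backed by the expected partition (exact `cryptsetup status` wording should be confirmed against the nixpkgs version used). The comment on the repeated mount line could also state what is expected, for instance `# second run must not fail on an already-open luks mapping`, so the purpose of the duplicate call survives future edits.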