-rw-r--r-- | default.nix | 2 | ||||
-rw-r--r-- | example/luks-lvm.nix | 78 | ||||
-rw-r--r-- | tests/luks-lvm.nix | 39 |
3 files changed, 118 insertions, 1 deletions
diff --git a/default.nix b/default.nix
index 567324c..39e455a 100644
--- a/default.nix
+++ b/default.nix
@@ -151,7 +151,7 @@ let
 recursiveUpdate (mount-f { device = "/dev/mapper/${x.name}"; } x.content) {luks.${q.device} = ''
- cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
+ cryptsetup status ${x.name} >/dev/null 2>/dev/null || cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
 '';} );
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
new file mode 100644
index 0000000..d0b4d26
--- /dev/null
+++ b/example/luks-lvm.nix
@@ -0,0 +1,78 @@
+{
+ type = "devices";
+ content = {
+ vdb = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ type = "partition";
+ part-type = "ESP";
+ start = "1MiB";
+ end = "100MiB";
+ fs-type = "FAT32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ options = [
+ "defaults"
+ ];
+ };
+ }
+ {
+ type = "partition";
+ part-type = "primary";
+ start = "100MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ algo = "aes-xts...";
+ name = "crypted";
+ keyfile = "/tmp/secret.key";
+ extraArgs = [
+ "--hash sha512"
+ "--iter-time 5000"
+ ];
+ content = {
+ type = "lvm";
+ name = "pool";
+ lvs = {
+ root = {
+ type = "lv";
+ size = "100M";
+ mountpoint = "/";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ options = [
+ "defaults"
+ ];
+ };
+ };
+ home = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ raw = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "noop";
+ };
+ };
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/tests/luks-lvm.nix b/tests/luks-lvm.nix
new file mode 100644
index 0000000..3e2c5f2
--- /dev/null
+++ b/tests/luks-lvm.nix
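Review bot: The new guard on the luksOpen line in default.nix only checks that a mapping named ${x.name} is active, not that it is backed by ${q.device}, so a leftover mapping with the same name (from an earlier run or another disk) makes the mount step skip luksOpen and carry on against whatever device that mapping points at; it would be safer to also compare the `device:` field of `cryptsetup status ${x.name}` against ${q.device} and fail on a mismatch rather than treat any active mapping as "already done". The interpolations of `${q.device}`, `${x.name}` and `x.keyfile` are also unquoted in the generated shell, so a keyfile path containing spaces breaks the command; `cryptsetup luksOpen "${q.device}" "${x.name}" ${if builtins.hasAttr "keyfile" x then "--key-file \"" + x.keyfile + "\"" else ""}` keeps the same behaviour for simple paths. `2>/dev/null` after `>/dev/null` is conventionally written `2>&1`. The enclosing `let` binding starts and ends outside this hunk.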
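Review bot: In example/luks-lvm.nix the `root` LV declares `mountpoint = "/"` both on the lv itself and on its filesystem content, while `home` declares it only on the filesystem; the example should use one form so readers can tell which attribute the mount step actually honours (the test only checks /mnt/home, so the duplicated form on root is never exercised). `algo = "aes-xts..."` reads as a placeholder rather than a cipher spec; if create hands it to luksFormat the example would fail, and if it is ignored it should be removed or annotated, e.g. `algo = "aes-xts..."; # NOTE: currently unused by create/mount — confirm against default.nix`. A short comment above `keyfile = "/tmp/secret.key";` saying the path is only meaningful for the VM test would stop the example being copied with a world-readable key location.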
@@ -0,0 +1,39 @@
+{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>
+, pkgs ? (import <nixpkgs> {})
+}:
+let
+ makeTest' = args:
+ makeTest args {
+ inherit pkgs;
+ inherit (pkgs) system;
+ };
+ disko-config = import ../example/luks-lvm.nix;
+ tsp-create = pkgs.writeScript "create" ((pkgs.callPackage ../. {}).create disko-config);
+ tsp-mount = pkgs.writeScript "mount" ((pkgs.callPackage ../. {}).mount disko-config);
+in makeTest' {
+ name = "disko";
+
+ nodes.machine =
+ { config, pkgs, modulesPath, ... }:
+
+ {
+ imports = [
+ (modulesPath + "/profiles/installation-device.nix")
+ (modulesPath + "/profiles/base.nix")
+ ];
+
+ # speed-up eval
+ documentation.enable = false;
+
+ virtualisation.emptyDiskImages = [ 512 ];
+ };
+
+ testScript = ''
+ machine.succeed("echo 'secret' > /tmp/secret.key");
+ machine.succeed("${tsp-create}");
+ machine.succeed("${tsp-mount}");
+ machine.succeed("${tsp-mount}"); # verify that the command is idempotent
+ machine.succeed("cryptsetup isLuks /dev/vdb2");
+ machine.succeed("grep -qs '/mnt/home' /proc/mounts");
+ '';
+}
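Review bot: The final assertions in testScript only confirm that the LUKS header exists on /dev/vdb2 and that /mnt/home is mounted; nothing verifies that the root LV and the ESP were mounted (presumably at /mnt and /mnt/boot, given the /mnt/home check), so a regression in those mounts would pass. Adding `machine.succeed("grep -qs ' /mnt ' /proc/mounts");` and `machine.succeed("grep -qs '/mnt/boot' /proc/mounts");` beside the existing grep closes that gap. The idempotency comment applies only to the second `tsp-mount` call; `tsp-create` is run once, so the test does not show that formatting is safe to repeat, which is worth stating in the comment if that is intentional.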