From dd99e29edc994056d5f700e24a75406115e98dff Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 25 Aug 2022 13:14:07 +0200
Subject: fix cryptsetup luksOpen idempotency, add luks-lvm test

---
 default.nix | 2 +-
 example/luks-lvm.nix | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/luks-lvm.nix | 39 ++++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 example/luks-lvm.nix
 create mode 100644 tests/luks-lvm.nix

diff --git a/default.nix b/default.nix
index 567324c..39e455a 100644
--- a/default.nix
+++ b/default.nix
@@ -151,7 +151,7 @@ let
 recursiveUpdate (mount-f { device = "/dev/mapper/${x.name}"; } x.content) {luks.${q.device} = ''
- cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
+ cryptsetup status ${x.name} >/dev/null 2>/dev/null || cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
 '';} );
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
new file mode 100644
index 0000000..d0b4d26
--- /dev/null
+++ b/example/luks-lvm.nix
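Review bot: The new guard on the `+` line skips `luksOpen` whenever any mapping named `${x.name}` is active, without checking that it is backed by `${q.device}`, so a stale or foreign mapping with the same name is silently reused and the mount that follows operates on the wrong volume. Consider comparing the `device:` line that `cryptsetup status ${x.name}` prints against `${q.device}` and failing with an explicit message when they differ, rather than falling through; at minimum a comment such as `# idempotent: skip luksOpen when ${x.name} is already mapped` would record the intent. The two redirections can be written in the usual form `>/dev/null 2>&1`. The enclosing `recursiveUpdate`/`mount-f` expression starts and ends outside the hunk.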
@@ -0,0 +1,78 @@
+{
+ type = "devices";
+ content = {
+ vdb = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ type = "partition";
+ part-type = "ESP";
+ start = "1MiB";
+ end = "100MiB";
+ fs-type = "FAT32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ options = [
+ "defaults"
+ ];
+ };
+ }
+ {
+ type = "partition";
+ part-type = "primary";
+ start = "100MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ algo = "aes-xts...";
+ name = "crypted";
+ keyfile = "/tmp/secret.key";
+ extraArgs = [
+ "--hash sha512"
+ "--iter-time 5000"
+ ];
+ content = {
+ type = "lvm";
+ name = "pool";
+ lvs = {
+ root = {
+ type = "lv";
+ size = "100M";
+ mountpoint = "/";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ options = [
+ "defaults"
+ ];
+ };
+ };
+ home = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ raw = {
+ type = "lv";
+ size = "10M";
+ content = {
+ type = "noop";
+ };
+ };
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/tests/luks-lvm.nix b/tests/luks-lvm.nix
new file mode 100644
index 0000000..3e2c5f2
--- /dev/null
+++ b/tests/luks-lvm.nix
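Review bot: The example hard-codes `keyfile = "/tmp/secret.key"`, a world-writable directory, and example configs tend to be copied verbatim into real deployments. Since the path is only there so the VM test can write the key, a comment next to it such as `# path used by the VM test only; keep real keyfiles outside /tmp, readable by root alone` would stop the example from reading as a recommendation. `algo = "aes-xts..."` also looks like a placeholder: if default.nix consumes `algo` it is not a valid cipher spec, and if it does not the attribute is misleading and could be dropped or commented — which applies is not visible from this hunk, and the same holds for whether `extraArgs` is consumed.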
@@ -0,0 +1,39 @@
+{ makeTest ? import
+, pkgs ? (import {})
+}:
+let
+ makeTest' = args:
+ makeTest args {
+ inherit pkgs;
+ inherit (pkgs) system;
+ };
+ disko-config = import ../example/luks-lvm.nix;
+ tsp-create = pkgs.writeScript "create" ((pkgs.callPackage ../. {}).create disko-config);
+ tsp-mount = pkgs.writeScript "mount" ((pkgs.callPackage ../. {}).mount disko-config);
+in makeTest' {
+ name = "disko";
+
+ nodes.machine =
+ { config, pkgs, modulesPath, ... }:
+
+ {
+ imports = [
+ (modulesPath + "/profiles/installation-device.nix")
+ (modulesPath + "/profiles/base.nix")
+ ];
+
+ # speed-up eval
+ documentation.enable = false;
+
+ virtualisation.emptyDiskImages = [ 512 ];
+ };
+
+ testScript = ''
+ machine.succeed("echo 'secret' > /tmp/secret.key");
+ machine.succeed("${tsp-create}");
+ machine.succeed("${tsp-mount}");
+ machine.succeed("${tsp-mount}"); # verify that the command is idempotent
+ machine.succeed("cryptsetup isLuks /dev/vdb2");
+ machine.succeed("grep -qs '/mnt/home' /proc/mounts");
+ '';
+}
-- 
cgit v1.2.3
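Review bot: The idempotency check in `testScript` only asserts that the second `${tsp-mount}` exits zero; it never confirms that the `crypted` mapping is still active and backed by the expected partition, which is exactly the case a name-only `cryptsetup status` guard can get wrong. Adding `machine.succeed("cryptsetup status crypted | grep -q 'device: */dev/vdb2'")` after the second mount (adjust the pattern to the exact `cryptsetup status` output) and `machine.succeed("grep -qs ' /mnt ' /proc/mounts")` next to the `/mnt/home` check would pin the behaviour the commit title claims. The `makeTest ? import` and `(import {})` arguments on the first two lines appear to have lost their `<...>` path in this rendering; confirm the committed file carries them. The `# verify that the command is idempotent` comment could also state what idempotent means here, i.e. no second `luksOpen` and the same set of mounts.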