Merge branch 'master' into nginx-update

1 files changed, 24 insertions, 1 deletions

diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index a653932fb37..9d21f9158f3 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
   machine = { lib, ... }: {
     imports = [ common/user-account.nix common/x11.nix ];
 
-    virtualisation.emptyDiskImages = [ 512 ];
+    virtualisation.emptyDiskImages = [ 512 512 ];
+    virtualisation.memorySize = 1024;
+
+    environment.systemPackages = [ pkgs.cryptsetup ];
 
     fileSystems = lib.mkVMOverride {
       "/test-x-initrd-mount" = {
@@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         assert "RuntimeWatchdogUSec=30s" in output
         assert "RebootWatchdogUSec=10m" in output
         assert "KExecWatchdogUSec=5m" in output
+
+    # Test systemd cryptsetup support
+    with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
+        # create a luks volume and put a filesystem on it
+        machine.succeed(
+            "echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
+            "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
+            "mkfs.ext3 /dev/mapper/foo",
+        )
+
+        # create a keyfile and /etc/crypttab
+        machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
+        machine.succeed("chmod 600 /var/lib/luks-keyfile")
+        machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
+
+        # after a reboot, systemd should unlock the volume and we should be able to mount it
+        machine.shutdown()
+        machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
+        machine.succeed("mkdir -p /tmp/luks1")
+        machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
   '';
 })