Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/installer.nix | 8 | ||||
-rw-r--r-- | nixos/tests/nar-serve.nix | 2 | ||||
-rw-r--r-- | nixos/tests/snapcast.nix | 1 | ||||
-rw-r--r-- | nixos/tests/systemd-initrd-luks-keyfile.nix | 53 | ||||
-rw-r--r-- | nixos/tests/systemd-initrd-luks-password.nix | 48 |
6 files changed, 113 insertions, 1 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 57c17508aab..5158bc681e0 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -524,6 +524,8 @@ in systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-escaping = handleTest ./systemd-escaping.nix {}; + systemd-initrd-luks-keyfile = handleTest ./systemd-initrd-luks-keyfile.nix {}; + systemd-initrd-luks-password = handleTest ./systemd-initrd-luks-password.nix {}; systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; }; systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix {}; systemd-initrd-swraid = handleTest ./systemd-initrd-swraid.nix {}; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 30a5b5c45b3..ea2b2d04ed1 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -299,6 +299,13 @@ let virtualisation.qemu.diskInterface = if grubVersion == 1 then "scsi" else "virtio"; + # We don't want to have any networking in the guest whatsoever. + # Also, if any vlans are enabled, the guest will reboot + # (with a different configuration for legacy reasons), + # and spend 5 minutes waiting for the vlan interface to show up + # (which will never happen). + virtualisation.vlans = []; + boot.loader.systemd-boot.enable = mkIf (bootLoader == "systemd-boot") true; hardware.enableAllFirmware = mkForce false; @@ -313,6 +320,7 @@ let docbook5 docbook_xsl_ns kmod.dev + libarchive.dev libxml2.bin libxslt.bin nixos-artwork.wallpapers.simple-dark-gray-bottom diff --git a/nixos/tests/nar-serve.nix b/nixos/tests/nar-serve.nix index 9ee738ffb17..bb95ccb3691 100644 --- a/nixos/tests/nar-serve.nix +++ b/nixos/tests/nar-serve.nix 
@@ -31,7 +31,7 @@ import ./make-test-python.nix ( # Create a fake cache with Nginx service the static files server.succeed( - "nix copy --to file:///var/www ${pkgs.hello}" + "nix --experimental-features nix-command copy --to file:///var/www ${pkgs.hello}" ) server.wait_for_unit("nginx.service") server.wait_for_open_port(80) diff --git a/nixos/tests/snapcast.nix b/nixos/tests/snapcast.nix index 30b8343e2ff..9b62e4724e7 100644 --- a/nixos/tests/snapcast.nix +++ b/nixos/tests/snapcast.nix @@ -19,6 +19,7 @@ in { port = port; tcp.port = tcpPort; http.port = httpPort; + openFirewall = true; buffer = bufferSize; streams = { mpd = { diff --git a/nixos/tests/systemd-initrd-luks-keyfile.nix b/nixos/tests/systemd-initrd-luks-keyfile.nix new file mode 100644 index 00000000000..970163c36a4 --- /dev/null +++ b/nixos/tests/systemd-initrd-luks-keyfile.nix 
@@ -0,0 +1,53 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: let
+
+ keyfile = pkgs.writeText "luks-keyfile" ''
+ MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
+ gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
+ FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
+ '';
+
+in {
+ name = "systemd-initrd-luks-keyfile";
+
+ nodes.machine = { pkgs, ... }: {
+ # Use systemd-boot
+ virtualisation = {
+ emptyDiskImages = [ 512 ];
+ useBootLoader = true;
+ useEFIBoot = true;
+ };
+ boot.loader.systemd-boot.enable = true;
+
+ environment.systemPackages = with pkgs; [ cryptsetup ];
+ boot.initrd.systemd = {
+ enable = true;
+ emergencyAccess = true;
+ };
+
+ specialisation.boot-luks.configuration = {
+ boot.initrd.luks.devices = lib.mkVMOverride {
+ cryptroot = {
+ device = "/dev/vdc";
+ keyFile = "/etc/cryptroot.key";
+ };
+ };
+ virtualisation.bootDevice = "/dev/mapper/cryptroot";
+ boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile;
+ };
+ };
+
+ testScript = ''
+ # Create encrypted volume
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("cryptsetup luksFormat -q --iter-time=1 -d ${keyfile} /dev/vdc")
+
+ # Boot from the encrypted disk
+ machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+ machine.succeed("sync")
+ machine.crash()
+
+ # Boot and decrypt the disk
+ machine.wait_for_unit("multi-user.target")
+ assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+ '';
+})
diff --git a/nixos/tests/systemd-initrd-luks-password.nix b/nixos/tests/systemd-initrd-luks-password.nix
new file mode 100644
index 00000000000..e8e651f7b35
--- /dev/null
+++ b/nixos/tests/systemd-initrd-luks-password.nix
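Review bot: In nixos/tests/systemd-initrd-luks-keyfile.nix the `keyfile` binding carries no comment marking the key as a throwaway fixture, yet both places it ends up can be read without any secret: `pkgs.writeText` puts it in the Nix store, and `boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile;` copies it into the initrd, which with systemd-boot presumably sits unencrypted on the ESP. That is fine for a VM test, but a test file like this tends to be copied as a template, so I would add above the binding `# Test fixture only: this key is in the world-readable Nix store and in the initrd, so it protects nothing.` The `--iter-time=1` in the `cryptsetup luksFormat` call deserves a similar one-liner, `# minimal KDF cost, only to keep the test fast`, and `emergencyAccess = true;` one saying it is enabled for debugging the test VM.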
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "systemd-initrd-luks-password";
+
+ nodes.machine = { pkgs, ... }: {
+ # Use systemd-boot
+ virtualisation = {
+ emptyDiskImages = [ 512 512 ];
+ useBootLoader = true;
+ useEFIBoot = true;
+ };
+ boot.loader.systemd-boot.enable = true;
+
+ environment.systemPackages = with pkgs; [ cryptsetup ];
+ boot.initrd.systemd = {
+ enable = true;
+ emergencyAccess = true;
+ };
+
+ specialisation.boot-luks.configuration = {
+ boot.initrd.luks.devices = lib.mkVMOverride {
+ # We have two disks and only type one password - key reuse is in place
+ cryptroot.device = "/dev/vdc";
+ cryptroot2.device = "/dev/vdd";
+ };
+ virtualisation.bootDevice = "/dev/mapper/cryptroot";
+ };
+ };
+
+ testScript = ''
+ # Create encrypted volume
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
+ machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -")
+
+ # Boot from the encrypted disk
+ machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+ machine.succeed("sync")
+ machine.crash()
+
+ # Boot and decrypt the disk
+ machine.start()
+ machine.wait_for_console_text("Please enter passphrase for disk cryptroot")
+ machine.send_console("supersecret\n")
+ machine.wait_for_unit("multi-user.target")
+
+ assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
+ '';
+}) |
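Review bot: The testScript in nixos/tests/systemd-initrd-luks-password.nix never checks the second volume: its only assertion is on `/dev/mapper/cryptroot`, so the key reuse described in the comment above `cryptroot2.device` is covered at best indirectly, by the boot not stalling on a second prompt. I would add `machine.succeed("cryptsetup status cryptroot2")` before the mount assertion, so that a regression in passphrase reuse fails with a clear message instead of a timeout. Separately, `wait_for_console_text("Please enter passphrase for disk cryptroot")` would also match a prompt for `cryptroot2`, since one name is a prefix of the other. That is harmless while both disks share a passphrase, but a short comment saying so would keep the next editor from assuming the prompt order is pinned.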