summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/system/boot/systemd.nix2
-rw-r--r--nixos/tests/systemd.nix25
2 files changed, 25 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 96304ff6cec..b215392f250 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -25,7 +25,7 @@ let
       "nss-lookup.target"
       "nss-user-lookup.target"
       "time-sync.target"
-      #"cryptsetup.target"
+      "cryptsetup.target"
       "sigpwr.target"
       "timers.target"
       "paths.target"
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index a653932fb37..9d21f9158f3 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
   machine = { lib, ... }: {
     imports = [ common/user-account.nix common/x11.nix ];
 
-    virtualisation.emptyDiskImages = [ 512 ];
+    virtualisation.emptyDiskImages = [ 512 512 ];
+    virtualisation.memorySize = 1024;
+
+    environment.systemPackages = [ pkgs.cryptsetup ];
 
     fileSystems = lib.mkVMOverride {
       "/test-x-initrd-mount" = {
@@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         assert "RuntimeWatchdogUSec=30s" in output
         assert "RebootWatchdogUSec=10m" in output
         assert "KExecWatchdogUSec=5m" in output
+
+    # Test systemd cryptsetup support
+    with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
+        # create a luks volume and put a filesystem on it
+        machine.succeed(
+            "echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
+            "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
+            "mkfs.ext3 /dev/mapper/foo",
+        )
+
+        # create a keyfile and /etc/crypttab
+        machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
+        machine.succeed("chmod 600 /var/lib/luks-keyfile")
+        machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
+
+        # after a reboot, systemd should unlock the volume and we should be able to mount it
+        machine.shutdown()
+        machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
+        machine.succeed("mkdir -p /tmp/luks1")
+        machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
   '';
 })
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-10 22:00:38 +0000