Merge pull request #290 from nix-community/luks-keyFiles

types luks: pass keyFile to nixos config
2024-09-20 05:51:54 +00:00 · 2023-07-12 10:07:09 +01:00 · 2023-07-12 10:07:09 +01:00 · 610e337bb2
commit 610e337bb2
parent fc3c3817c9 b6840cdf55
9 changed files with 13 additions and 30 deletions
--- a/.mergify.yml
+++ b/.mergify.yml
@ -28,7 +28,6 @@ queue_rules:
      - check-success=package default [x86_64-linux]
      - check-success=package disko [x86_64-linux]
      - check-success=package disko-doc [x86_64-linux]
-      - check-success=package linux-bcachefs [x86_64-linux]
 defaults:
  actions:
    queue:
--- a/example/zfs.nix
+++ b/example/zfs.nix
@ -95,9 +95,10 @@
              keyformat = "passphrase";
              keylocation = "file:///tmp/secret.key";
            };
-            postCreateHook = ''
-              zfs set keylocation="prompt" "zroot/$name";
-            '';
+            # use this to read the key during boot
+            # postCreateHook = ''
+            #   zfs set keylocation="prompt" "zroot/$name";
+            # '';
          };
          "encrypted/test" = {
            type = "zfs_fs";
--- a/lib/types/luks.nix
+++ b/lib/types/luks.nix
@ -81,7 +81,11 @@
      readOnly = true;
      default = [ ]
        # If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
-        ++ (lib.optional config.initrdUnlock [{ boot.initrd.luks.devices.${config.name}.device = config.device; }])
+        ++ (lib.optional config.initrdUnlock [{
+          boot.initrd.luks.devices.${config.name} = {
+            inherit (config) device keyFile;
+          };
+        }])
        ++ (lib.optional (config.content != null) config.content._config);
      description = "NixOS configuration";
    };
--- a/tests/cli.nix
+++ b/tests/cli.nix
@ -18,10 +18,6 @@ makeDiskoTest {
    machine.succeed("mountpoint /ext4onzfs");
    machine.succeed("mountpoint /ext4_on_lvm");
  '';
-  bootCommands = ''
-    machine.wait_for_console_text("vda")
-    machine.send_console("secretsecret\n")
-  '';
  extraConfig = {
    boot.kernelModules = [ "dm-raid" "dm-mirror" ];
  };
--- a/tests/complex.nix
+++ b/tests/complex.nix
@ -17,10 +17,6 @@ makeDiskoTest {
    machine.succeed("mountpoint /ext4onzfs");
    machine.succeed("mountpoint /ext4_on_lvm");
  '';
-  bootCommands = ''
-    machine.wait_for_console_text("vda")
-    machine.send_console("secretsecret\n")
-  '';
  extraConfig = {
    boot.kernelModules = [ "dm-raid" "dm-mirror" ];
  };
--- a/tests/lib.nix
+++ b/tests/lib.nix
@ -12,7 +12,6 @@
    , extraConfig ? { }
    , grub-devices ? [ "nodev" ]
    , efi ? true
-    , enableOCR ? false
    , postDisko ? ""
    , testMode ? "module" # can be one of direct module cli
    , testBoot ? true # if we actually want to test booting or just create/mount
@ -55,8 +54,10 @@
        documentation.enable = false;
        hardware.enableAllFirmware = lib.mkForce false;
        networking.hostId = "8425e349"; # from profiles/base.nix, needed for zfs
-        boot.kernelParams = lib.mkIf enableOCR [ "console=tty0" ]; # needed for OCR
        boot.zfs.devNodes = "/dev/disk/by-uuid"; # needed because /dev/disk/by-id is empty in qemu-vms
+        boot.initrd.preDeviceCommands = ''
+          echo -n 'secretsecret' > /tmp/secret.key
+        '';

        boot.consoleLogLevel = lib.mkForce 100;
        boot.loader.grub = {
@ -75,7 +76,6 @@
    makeTest' {
      name = "disko-${name}";

-      inherit enableOCR;
      nodes.machine = { pkgs, modulesPath, ... }: {
        imports = [
          (lib.optionalAttrs (testMode == "module") {
--- a/tests/luks-lvm.nix
+++ b/tests/luks-lvm.nix
@ -4,12 +4,9 @@
 makeDiskoTest {
  name = "luks-lvm";
  disko-config = ../example/luks-lvm.nix;
+  extraConfig.boot.initrd.luks.devices.crypted.preLVM = false;
  extraTestScript = ''
    machine.succeed("cryptsetup isLuks /dev/vda2");
    machine.succeed("mountpoint /home");
  '';
-  bootCommands = ''
-    machine.wait_for_console_text("vda")
-    machine.send_console("secretsecret\n")
-  '';
 }
--- a/tests/module.nix
+++ b/tests/module.nix
@ -18,10 +18,6 @@ makeDiskoTest {
    machine.succeed("mountpoint /ext4onzfs");
    machine.succeed("mountpoint /ext4_on_lvm");
  '';
-  bootCommands = ''
-    machine.wait_for_console_text("vda")
-    machine.send_console("secretsecret\n")
-  '';
  extraConfig = {
    boot.kernelModules = [ "dm-raid" "dm-mirror" ];
  };
--- a/tests/zfs.nix
+++ b/tests/zfs.nix
@ -8,11 +8,6 @@ makeDiskoTest {
    fileSystems."/zfs_legacy_fs".options = [ "nofail" ]; # TODO find out why we need this!
    boot.zfs.requestEncryptionCredentials = true;
  };
-  enableOCR = true;
-  bootCommands = ''
-    machine.wait_for_text("passphrase for")
-    machine.send_chars("secretsecret\n")
-  '';
  extraTestScript = ''
    machine.succeed("test -b /dev/zvol/zroot/zfs_testvolume");

@ -29,7 +24,6 @@ makeDiskoTest {
    assert_property("zroot/zfs_testvolume", "volsize", "10M")
    assert_property("zroot/zfs_unmounted_fs", "mountpoint", "none")

-    assert_property("zroot/encrypted", "keylocation", "prompt")
    machine.succeed("zfs get name zroot@blank")

    machine.succeed("mountpoint /zfs_fs");