fix cryptsetup luksOpen idempotency, add luks-lvm test

This commit is contained in:
lassulus 2022-08-25 13:14:07 +02:00
parent 1237ac36db
commit dd99e29edc
3 changed files with 118 additions and 1 deletions


@ -151,7 +151,7 @@ let
recursiveUpdate recursiveUpdate
(mount-f { device = "/dev/mapper/${x.name}"; } x.content) (mount-f { device = "/dev/mapper/${x.name}"; } x.content)
{luks.${q.device} = '' {luks.${q.device} = ''
cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""} cryptsetup status ${x.name} >/dev/null 2>/dev/null || cryptsetup luksOpen ${q.device} ${x.name} ${if builtins.hasAttr "keyfile" x then "--key-file " + x.keyfile else ""}
'';} '';}
); );
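Review bot: The new guard `cryptsetup status ${x.name} >/dev/null 2>/dev/null ||` only checks that some device-mapper target named `${x.name}` is active; it does not confirm that the mapping is backed by `${q.device}`, so a pre-existing mapping of the same name on another device is silently reused and the subsequent `mount-f` on `/dev/mapper/${x.name}` operates on the wrong volume. Since `cryptsetup status` prints the backing device in its `device:` line, the skip condition could be tightened to something like `cryptsetup status ${x.name} 2>/dev/null | grep -qF "${q.device}" ||`, which still keeps the command idempotent for the expected case while falling through (and failing visibly on `luksOpen`) when the name is taken by a different device. The enclosing `let` expression and the `mount-f` definition start outside this hunk, and this section's file header is not in view, so the exact `${x.name}` collision handling elsewhere in the module could not be checked.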

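--- /dev/null
+++ b/example/luks-lvm.nix
@@ -0,0 +1,78 @@
+{
+type = "devices";
+content = {
+vdb = {
+type = "table";
+format = "gpt";
+partitions = [
+{
+type = "partition";
+part-type = "ESP";
+start = "1MiB";
+end = "100MiB";
+fs-type = "FAT32";
+bootable = true;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+options = [
+"defaults"
+];
+};
+}
+{
+type = "partition";
+part-type = "primary";
+start = "100MiB";
+end = "100%";
+content = {
+type = "luks";
+algo = "aes-xts...";
+name = "crypted";
+keyfile = "/tmp/secret.key";
+extraArgs = [
+"--hash sha512"
+"--iter-time 5000"
+];
+content = {
+type = "lvm";
+name = "pool";
+lvs = {
+root = {
+type = "lv";
+size = "100M";
+mountpoint = "/";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+options = [
+"defaults"
+];
+};
+};
+home = {
+type = "lv";
+size = "10M";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/home";
+};
+};
+raw = {
+type = "lv";
+size = "10M";
+content = {
+type = "noop";
+};
+};
+};
+};
+};
+}
+];
+};
+};
+}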
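Review bot: `algo = "aes-xts...";` in the luks block reads like an unfinished placeholder rather than a cipher specification; if the module forwards it to cryptsetup the create step fails or, worse, an example that users copy ships with a nonsensical value, so either spell out the intended spec (e.g. `algo = "aes-xts-plain64";`) or drop the attribute if the module does not consume it. The `extraArgs` entries bundle flag and value into one string (`"--hash sha512"`), which only works if the module joins the list with plain spaces; splitting them into `"--hash" "sha512" "--iter-time" "5000"` is correct under both plain joining and per-element shell escaping. The example also reads the key from `/tmp/secret.key`, which is fine for the accompanying VM test but deserves a one-line comment such as `# test-only key location; use a protected path in real deployments` so the path is not copied verbatim.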

39
tests/luks-lvm.nix Normal file

@ -0,0 +1,39 @@
{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>
, pkgs ? (import <nixpkgs> {})
}:
let
makeTest' = args:
makeTest args {
inherit pkgs;
inherit (pkgs) system;
};
disko-config = import ../example/luks-lvm.nix;
tsp-create = pkgs.writeScript "create" ((pkgs.callPackage ../. {}).create disko-config);
tsp-mount = pkgs.writeScript "mount" ((pkgs.callPackage ../. {}).mount disko-config);
in makeTest' {
name = "disko";
nodes.machine =
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/installation-device.nix")
(modulesPath + "/profiles/base.nix")
];
# speed-up eval
documentation.enable = false;
virtualisation.emptyDiskImages = [ 512 ];
};
testScript = ''
machine.succeed("echo 'secret' > /tmp/secret.key");
machine.succeed("${tsp-create}");
machine.succeed("${tsp-mount}");
machine.succeed("${tsp-mount}"); # verify that the command is idempotent
machine.succeed("cryptsetup isLuks /dev/vdb2");
machine.succeed("grep -qs '/mnt/home' /proc/mounts");
'';
}
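Review bot: The final assertions confirm that `/dev/vdb2` is a LUKS container and that `/mnt/home` is mounted, but nothing ties the `crypted` mapping opened by the (now guarded) `luksOpen` to that partition, so a mapping of the same name left over from elsewhere would make both the second `tsp-mount` run and these checks pass. Adding `machine.succeed("cryptsetup status crypted | grep -q '/dev/vdb2'")` after the `isLuks` line pins the mapping to the expected device, and `machine.succeed("grep -qs ' /mnt ' /proc/mounts")` would also cover the root LV, which is currently unchecked. The `# verify that the command is idempotent` comment applies only to `tsp-mount`; if `tsp-create` is not meant to be re-runnable, a short comment saying so would stop the next reader from assuming the same guarantee for it.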