From caf6f41e2e1b05525e127f5ab5eb2c335ae40a91 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:02:28 +0200 Subject: [PATCH 01/11] nixosTests.initrd-luks-empty-passphrase: mount the host nix store This is necessary because this test relies on switching the root fs to an empty one which does not have a Nix store available in stage 1, therefore, we have to make this test host-store only. A better fix in the long term is to evaluate whether this is worth to enable a proper Nix store image for it with EROFS? --- nixos/tests/initrd-luks-empty-passphrase.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nixos/tests/initrd-luks-empty-passphrase.nix b/nixos/tests/initrd-luks-empty-passphrase.nix index d2805f2f173..521456e7e0b 100644 --- a/nixos/tests/initrd-luks-empty-passphrase.nix +++ b/nixos/tests/initrd-luks-empty-passphrase.nix @@ -18,6 +18,11 @@ in { emptyDiskImages = [ 512 ]; useBootLoader = true; useEFIBoot = true; + # This requires to have access + # to a host Nix store as + # the new root device is /dev/vdb + # an empty 512MiB drive, containing no Nix store. + mountHostNixStore = true; }; boot.loader.systemd-boot.enable = true; From 955a77e1c4ad08c1b5952718d1ef16b8bbbdbd60 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:05:03 +0200 Subject: [PATCH 02/11] nixosTests.systemd-initrd-btrfs-raid: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-btrfs-raid.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-btrfs-raid.nix b/nixos/tests/systemd-initrd-btrfs-raid.nix index c9cdf0060b1..9196033789c 100644 --- a/nixos/tests/systemd-initrd-btrfs-raid.nix +++ b/nixos/tests/systemd-initrd-btrfs-raid.nix 
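Review bot: The comment added above `mountHostNixStore = true;` in initrd-luks-empty-passphrase.nix reads as a run-on, and it does not record that this is a stopgap, although the commit message says a proper Nix store image (possibly EROFS) would be the better long-term fix. I would write it as `# The new root device /dev/vdb is an empty 512MiB disk with no Nix store, so stage 1 needs the host store.` followed by `# TODO: evaluate a dedicated Nix store image instead of mounting the host store.`. The same rationale is restated with different wording in the later hunks for systemd-initrd-btrfs-raid, -luks-fido2, -swraid, -networkd-ssh, -luks-tpm2, -luks-password, -luks-keyfile, lvm2/systemd-stage-1 and luks; a single shared sentence would make the workaround easy to grep for and to remove later. For the encrypted-root tests this presumably also means the store paths used after switch-root come from the host share rather than from the unlocked volume. If so, the comment should say that the tests cover unlocking and switching root, not a self-contained encrypted system.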
@@ -6,6 +6,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { virtualisation = { emptyDiskImages = [ 512 512 ]; useBootLoader = true; + # Booting off the BTRFS RAID requires an available init script from the Nix store + mountHostNixStore = true; useEFIBoot = true; }; boot.loader.systemd-boot.enable = true; From de7f3cb2fa53380da6ef3da5c74e5b6a25e3e3c9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:06:38 +0200 Subject: [PATCH 03/11] nixosTests.systemd-initrd-luks-fido2: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-luks-fido2.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-luks-fido2.nix b/nixos/tests/systemd-initrd-luks-fido2.nix index e80d95f79c7..32c79b731d8 100644 --- a/nixos/tests/systemd-initrd-luks-fido2.nix +++ b/nixos/tests/systemd-initrd-luks-fido2.nix @@ -6,6 +6,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { virtualisation = { emptyDiskImages = [ 512 ]; useBootLoader = true; + # Booting off the encrypted disk requires having a Nix store available for the init script + mountHostNixStore = true; useEFIBoot = true; qemu.package = lib.mkForce (pkgs.qemu_test.override { canokeySupport = true; }); qemu.options = [ "-device canokey,file=/tmp/canokey-file" ]; From db811f12eb5393c4a1113139713d4a4937209c22 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:07:08 +0200 Subject: [PATCH 04/11] nixosTests.systemd-initrd-swraid: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-swraid.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-swraid.nix b/nixos/tests/systemd-initrd-swraid.nix index d201ba99a20..0d5a1c6354d 100644 --- a/nixos/tests/systemd-initrd-swraid.nix +++ b/nixos/tests/systemd-initrd-swraid.nix 
@@ -6,6 +6,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { virtualisation = { emptyDiskImages = [ 512 512 ]; useBootLoader = true; + # Booting off the RAID requires an available init script + mountHostNixStore = true; useEFIBoot = true; }; boot.loader.systemd-boot.enable = true; From e190364fd72815d636bc2c7a48752155643f75fc Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:07:40 +0200 Subject: [PATCH 05/11] nixosTests.systemd-initrd-networkd-ssh: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-networkd-ssh.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-networkd-ssh.nix b/nixos/tests/systemd-initrd-networkd-ssh.nix index 943552613be..526aa16efdd 100644 --- a/nixos/tests/systemd-initrd-networkd-ssh.nix +++ b/nixos/tests/systemd-initrd-networkd-ssh.nix @@ -10,6 +10,8 @@ import ./make-test-python.nix ({ lib, ... }: { virtualisation = { emptyDiskImages = [ 4096 ]; useBootLoader = true; + # Booting off the encrypted disk requires an available init script from the Nix store + mountHostNixStore = true; useEFIBoot = true; }; From efe64826c9a9a7feb6148c60c888d7ce9d882011 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:07:54 +0200 Subject: [PATCH 06/11] nixosTests.systemd-initrd-luks-tpm2: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-luks-tpm2.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-luks-tpm2.nix b/nixos/tests/systemd-initrd-luks-tpm2.nix index 734ef38579f..73aa190ad62 100644 --- a/nixos/tests/systemd-initrd-luks-tpm2.nix +++ b/nixos/tests/systemd-initrd-luks-tpm2.nix 
@@ -6,6 +6,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { virtualisation = { emptyDiskImages = [ 512 ]; useBootLoader = true; + # Booting off the TPM2-encrypted device requires an available init script + mountHostNixStore = true; useEFIBoot = true; qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"]; }; From bbfedea0a147acc3593fe948cb5ac77fed7a0d51 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:08:19 +0200 Subject: [PATCH 07/11] nixosTests.systemd-initrd-luks-password: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-luks-password.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-luks-password.nix b/nixos/tests/systemd-initrd-luks-password.nix index 2dd3f304e82..a90a59feed6 100644 --- a/nixos/tests/systemd-initrd-luks-password.nix +++ b/nixos/tests/systemd-initrd-luks-password.nix @@ -6,6 +6,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { virtualisation = { emptyDiskImages = [ 512 512 ]; useBootLoader = true; + # Booting off the encrypted disk requires an available init script + mountHostNixStore = true; useEFIBoot = true; }; boot.loader.systemd-boot.enable = true; From c1f0de6e2006b0c60f0fae602e073415574fd0eb Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:10:16 +0200 Subject: [PATCH 08/11] nixosTests.systemd-initrd-luks-keyfile: mount the host Nix store Same rationale as caf6f41e2e1. --- nixos/tests/systemd-initrd-luks-keyfile.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/systemd-initrd-luks-keyfile.nix b/nixos/tests/systemd-initrd-luks-keyfile.nix index 257243d92a1..5ca0f48c333 100644 --- a/nixos/tests/systemd-initrd-luks-keyfile.nix +++ b/nixos/tests/systemd-initrd-luks-keyfile.nix 
@@ -14,6 +14,8 @@ in { virtualisation = { emptyDiskImages = [ 512 ]; useBootLoader = true; + # Necessary to boot off the encrypted disk because it requires a init script coming from the Nix store + mountHostNixStore = true; useEFIBoot = true; }; boot.loader.systemd-boot.enable = true; From 59891e405d1e6ac03d41d0ccc711fe6c0da7d192 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 25 May 2023 19:10:44 +0200 Subject: [PATCH 09/11] nixosTests.systemd-initrd-networkd-ssh: bootDevice -> rootDevice Missed deprecation fixup during the bootDisk PR. --- nixos/tests/systemd-initrd-networkd-ssh.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/tests/systemd-initrd-networkd-ssh.nix b/nixos/tests/systemd-initrd-networkd-ssh.nix index 526aa16efdd..46dbdf53739 100644 --- a/nixos/tests/systemd-initrd-networkd-ssh.nix +++ b/nixos/tests/systemd-initrd-networkd-ssh.nix @@ -16,9 +16,9 @@ import ./make-test-python.nix ({ lib, ... }: { }; specialisation.encrypted-root.configuration = { - virtualisation.bootDevice = "/dev/mapper/root"; + virtualisation.rootDevice = "/dev/mapper/root"; boot.initrd.luks.devices = lib.mkVMOverride { - root.device = "/dev/vdc"; + root.device = "/dev/vdb"; }; boot.initrd.systemd.enable = true; boot.initrd.network = { @@ -63,7 +63,7 @@ import ./make-test-python.nix ({ lib, ... }: { server.wait_for_unit("multi-user.target") server.succeed( - "echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdc", + "echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdb", "bootctl set-default nixos-generation-1-specialisation-encrypted-root.conf", "sync", ) From ff3936e14b727d3a29d1a3212d6919055ac61804 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 26 May 2023 17:17:35 +0200 Subject: [PATCH 10/11] nixos/tests/lvm2/systemd-stage-1: mount the host Nix store Same rationale as in caf6f41e2e1. --- nixos/tests/lvm2/systemd-stage-1.nix | 2 ++ 1 file changed, 2 insertions(+) 
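Review bot: Besides the `bootDevice` -> `rootDevice` rename, both hunks of the systemd-initrd-networkd-ssh commit move the LUKS backing device from `/dev/vdc` to `/dev/vdb`, and the commit message does not mention it. The change appears once in `root.device` and again in the `cryptsetup luksFormat` line of the test script. `luksFormat` overwrites whatever that path names and the two literals have to stay in step, so I would bind the path once, e.g. `luksDevice = "/dev/vdb";` in a `let`, and use `${luksDevice}` in both places if the test script is a Nix string (not visible here). A comment such as `# /dev/vdb is the single emptyDiskImages entry` would record why the index changed. That mapping is inferred from the `emptyDiskImages = [ 4096 ]` context line in the earlier hunk for this file and should be confirmed. Both the attribute set and the test script start and end outside these hunks.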
diff --git a/nixos/tests/lvm2/systemd-stage-1.nix b/nixos/tests/lvm2/systemd-stage-1.nix index b711cd22d7f..b581f2b2350 100644 --- a/nixos/tests/lvm2/systemd-stage-1.nix +++ b/nixos/tests/lvm2/systemd-stage-1.nix @@ -65,6 +65,8 @@ in import ../make-test-python.nix ({ pkgs, ... }: { emptyDiskImages = [ 8192 8192 ]; useBootLoader = true; useEFIBoot = true; + # To boot off the LVM disk, we need to have a init script which comes from the Nix store. + mountHostNixStore = true; }; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; From 89952f7bb678de4c51dcc8f42110fe9ad1f52260 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 8 Jun 2023 16:18:58 +0200 Subject: [PATCH 11/11] nixosTests.luks: mount the host Nix store Same rationale as in caf6f41e2e1. --- nixos/tests/luks.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/luks.nix b/nixos/tests/luks.nix index c2b95c6a95f..d5ac550a3c5 100644 --- a/nixos/tests/luks.nix +++ b/nixos/tests/luks.nix @@ -7,6 +7,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { emptyDiskImages = [ 512 512 ]; useBootLoader = true; useEFIBoot = true; + # To boot off the encrypted disk, we need to have a init script which comes from the Nix store + mountHostNixStore = true; }; boot.loader.systemd-boot.enable = true;