(pkgs, nixos)/unl0kr - update to accomodate upstream changes (#362825)

authored by Will Fancher and committed by GitHub 08b6cf54 8430d0d1

+116 -185
+17 -63
nixos/modules/system/boot/unl0kr.nix
··· 15 description = ''Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.''; 16 }; 17 18 - package = lib.mkPackageOption pkgs "unl0kr" { }; 19 20 allowVendorDrivers = lib.mkEnableOption "load optional drivers" // { 21 description = ''Whether to load additional drivers for certain vendors (I.E: Wacom, Intel, etc.)''; ··· 27 28 See `unl0kr.conf(5)` for supported values. 29 30 - Alternatively, visit `https://gitlab.com/postmarketOS/buffybox/-/blob/unl0kr-2.0.0/unl0kr.conf` 31 ''; 32 33 example = lib.literalExpression '' 34 { 35 general.animations = true; 36 theme = { 37 default = "pmos-dark"; 38 alternate = "pmos-light"; ··· 51 assertion = cfg.enable -> config.boot.initrd.systemd.enable; 52 message = "boot.initrd.unl0kr is only supported with boot.initrd.systemd."; 53 } 54 - { 55 - assertion = !config.boot.plymouth.enable; 56 - message = "unl0kr will not work if plymouth is enabled."; 57 - } 58 - { 59 - assertion = !config.hardware.amdgpu.initrd.enable; 60 - message = "unl0kr has issues with video drivers that are loaded on stage 1."; 61 - } 62 ]; 63 64 boot.initrd.availableKernelModules = ··· 83 boot.initrd.systemd = { 84 contents."/etc/unl0kr.conf".source = settingsFormat.generate "unl0kr.conf" cfg.settings; 85 storePaths = with pkgs; [ 86 - "${pkgs.gnugrep}/bin/grep" 87 libinput 88 xkeyboard_config 89 - "${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password" 90 (lib.getExe' cfg.package "unl0kr") 91 ]; 92 - services = { 93 - unl0kr-ask-password = { 94 - description = "Forward Password Requests to unl0kr"; 95 - conflicts = [ 96 - "emergency.service" 97 - "initrd-switch-root.target" 98 - "shutdown.target" 99 - ]; 100 - unitConfig.DefaultDependencies = false; 101 - after = [ 102 - "systemd-vconsole-setup.service" 103 - "udev.service" 104 - ]; 105 - before = [ "shutdown.target" ]; 106 - script = '' 107 - # This script acts as a Password Agent: https://systemd.io/PASSWORD_AGENTS/ 108 109 - DIR=/run/systemd/ask-password/ 110 - # 
If a user has multiple encrypted disks, the requests might come in different times, 111 - # so make sure to answer as many requests as we can. Once boot succeeds, other 112 - # password agents will be responsible for watching for requests. 113 - while [ -d $DIR ] && [ "$(ls -A $DIR/ask.*)" ]; 114 - do 115 - for file in `ls $DIR/ask.*`; do 116 - socket="$(cat "$file" | ${pkgs.gnugrep}/bin/grep "Socket=" | cut -d= -f2)" 117 - ${lib.getExe' cfg.package "unl0kr"} -v -C "/etc/unl0kr.conf" | ${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password 1 "$socket" 118 - done 119 - done 120 - ''; 121 - }; 122 - }; 123 124 - paths = { 125 - unl0kr-ask-password = { 126 - description = "Forward Password Requests to unl0kr"; 127 - conflicts = [ 128 - "emergency.service" 129 - "initrd-switch-root.target" 130 - "shutdown.target" 131 - ]; 132 - unitConfig.DefaultDependencies = false; 133 - before = [ 134 - "shutdown.target" 135 - "paths.target" 136 - "cryptsetup.target" 137 - ]; 138 - wantedBy = [ "sysinit.target" ]; 139 - pathConfig = { 140 - DirectoryNotEmpty = "/run/systemd/ask-password"; 141 - MakeDirectory = true; 142 - }; 143 - }; 144 - }; 145 }; 146 }; 147 }
··· 15 description = ''Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.''; 16 }; 17 18 + package = lib.mkPackageOption pkgs "buffybox" { }; 19 20 allowVendorDrivers = lib.mkEnableOption "load optional drivers" // { 21 description = ''Whether to load additional drivers for certain vendors (I.E: Wacom, Intel, etc.)''; ··· 27 28 See `unl0kr.conf(5)` for supported values. 29 30 + Alternatively, visit `https://gitlab.postmarketos.org/postmarketOS/buffybox/-/blob/3.2.0/unl0kr/unl0kr.conf` 31 ''; 32 33 example = lib.literalExpression '' 34 { 35 general.animations = true; 36 + general.backend = "drm"; 37 theme = { 38 default = "pmos-dark"; 39 alternate = "pmos-light"; ··· 52 assertion = cfg.enable -> config.boot.initrd.systemd.enable; 53 message = "boot.initrd.unl0kr is only supported with boot.initrd.systemd."; 54 } 55 + ]; 56 + 57 + warnings = lib.mkMerge [ 58 + (lib.mkIf (config.hardware.amdgpu.initrd.enable) [ 59 + ''Use early video loading at your risk. It's not guaranteed to work with unl0kr.'' 60 + ]) 61 + (lib.mkIf (config.boot.plymouth.enable) [ 62 + ''Upstream clearly intends unl0kr to not run with Plymouth. Good luck'' 63 + ]) 64 ]; 65 66 boot.initrd.availableKernelModules = ··· 85 boot.initrd.systemd = { 86 contents."/etc/unl0kr.conf".source = settingsFormat.generate "unl0kr.conf" cfg.settings; 87 storePaths = with pkgs; [ 88 libinput 89 xkeyboard_config 90 (lib.getExe' cfg.package "unl0kr") 91 + "${cfg.package}/libexec/unl0kr-agent" 92 ]; 93 94 + packages = [ 95 + pkgs.buffybox 96 + ]; 97 98 + paths.unl0kr-agent.wantedBy = [ "local-fs-pre.target" ]; 99 }; 100 }; 101 }
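Review bot: `packages = [ pkgs.buffybox ];` in the new `boot.initrd.systemd` block ignores the `package` option declared at the top of the module, while `storePaths` just above takes the `unl0kr` binary and `libexec/unl0kr-agent` from `cfg.package`. With an overridden `boot.initrd.unl0kr.package`, the unit files would presumably come from one build and the executables from another, so the paths the units reference may be missing from the initrd and the LUKS prompt could come up without its agent. Use `packages = [ cfg.package ];`. Separately, the Plymouth and amdgpu assertions are downgraded to warnings whose text ("Good luck") does not name what fails; stating the likely symptom (no usable unlock prompt at boot) would help someone who ends up locked out.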
+98 -64
nixos/tests/systemd-initrd-luks-unl0kr.nix
··· 1 - import ./make-test-python.nix ({ lib, pkgs, ... }: let 2 - passphrase = "secret"; 3 - in { 4 - name = "systemd-initrd-luks-unl0kr"; 5 - meta = { 6 - maintainers = []; 7 - }; 8 9 - enableOCR = true; 10 11 - nodes.machine = { pkgs, ... }: { 12 - virtualisation = { 13 - emptyDiskImages = [ 512 512 ]; 14 - useBootLoader = true; 15 - mountHostNixStore = true; 16 - useEFIBoot = true; 17 - qemu.options = [ 18 - "-vga virtio" 19 - ]; 20 }; 21 - boot.loader.systemd-boot.enable = true; 22 23 - boot.initrd.availableKernelModules = [ 24 - "evdev" # for entering pw 25 - "bochs" 26 - ]; 27 28 - environment.systemPackages = with pkgs; [ cryptsetup ]; 29 - boot.initrd = { 30 - systemd = { 31 - enable = true; 32 - emergencyAccess = true; 33 - }; 34 - unl0kr.enable = true; 35 - }; 36 37 - specialisation.boot-luks.configuration = { 38 - boot.initrd.luks.devices = lib.mkVMOverride { 39 - # We have two disks and only type one password - key reuse is in place 40 - cryptroot.device = "/dev/vdb"; 41 - cryptroot2.device = "/dev/vdc"; 42 }; 43 - virtualisation.rootDevice = "/dev/mapper/cryptroot"; 44 - virtualisation.fileSystems."/".autoFormat = true; 45 - # test mounting device unlocked in initrd after switching root 46 - virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; 47 - }; 48 - }; 49 50 - testScript = '' 51 - # Create encrypted volume 52 - machine.wait_for_unit("multi-user.target") 53 - machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -") 54 - machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") 55 - machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2") 56 - machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") 57 58 - # Boot from the encrypted disk 59 - machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") 60 - machine.succeed("sync") 61 - machine.crash() 62 63 - # Boot and decrypt the disk 64 - 
machine.start() 65 - machine.wait_for_text("Password required for booting") 66 - machine.screenshot("prompt") 67 - machine.send_chars("${passphrase}") 68 - machine.screenshot("pw") 69 - machine.send_chars("\n") 70 - machine.wait_for_unit("multi-user.target") 71 72 - assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list" 73 - assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") 74 - ''; 75 - })
··· 1 + import ./make-test-python.nix ( 2 + { lib, pkgs, ... }: 3 + let 4 + passphrase = "secret"; 5 6 + debugPackages = with pkgs; [ 7 + coreutils-prefixed 8 + toybox 9 10 + micro 11 + nano 12 + ]; 13 + in 14 + { 15 + name = "systemd-initrd-luks-unl0kr"; 16 + meta = { 17 + maintainers = [ ]; 18 }; 19 + 20 + # TODO: Fix OCR: #302965 21 + # enableOCR = true; 22 23 + nodes.machine = 24 + { pkgs, ... }: 25 + { 26 + virtualisation = { 27 + emptyDiskImages = [ 28 + 512 29 + 512 30 + ]; 31 + useBootLoader = true; 32 + mountHostNixStore = true; 33 + useEFIBoot = true; 34 + qemu.options = [ 35 + "-vga virtio" 36 + ]; 37 + }; 38 + boot.loader.systemd-boot.enable = true; 39 40 + boot.kernelParams = [ 41 + "rd.systemd.debug_shell" 42 + ]; 43 44 + environment.systemPackages = 45 + with pkgs; 46 + [ 47 + cryptsetup 48 + ] 49 + ++ debugPackages; 50 + boot.initrd = { 51 + systemd = { 52 + enable = true; 53 + emergencyAccess = true; 54 + 55 + storePaths = debugPackages; 56 + }; 57 + unl0kr = { 58 + enable = true; 59 + 60 + settings = { 61 + general.backend = "drm"; 62 + # TODO: Fix OCR. See above. 63 + # theme.default = "adwaita-dark"; # Improves contrast quite a bit, helpful for OCR. 
64 + }; 65 + }; 66 + }; 67 + 68 + specialisation.boot-luks.configuration = { 69 + testing.initrdBackdoor = true; 70 + boot.initrd.luks.devices = lib.mkVMOverride { 71 + # We have two disks and only type one password - key reuse is in place 72 + cryptroot.device = "/dev/vdb"; 73 + cryptroot2.device = "/dev/vdc"; 74 + }; 75 + virtualisation.rootDevice = "/dev/mapper/cryptroot"; 76 + virtualisation.fileSystems."/".autoFormat = true; 77 + # test mounting device unlocked in initrd after switching root 78 + virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; 79 + }; 80 }; 81 82 + testScript = '' 83 + # Create encrypted volume 84 + machine.wait_for_unit("multi-user.target") 85 + machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -") 86 + machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") 87 + machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2") 88 + machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") 89 90 + # Boot from the encrypted disk 91 + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") 92 + machine.succeed("sync") 93 + machine.crash() 94 95 + # Boot and decrypt the disk. This part of the test is SLOW. 96 + machine.start() 97 + machine.wait_for_unit("unl0kr-agent.service") 98 + machine.screenshot("prompt") 99 + machine.send_chars("${passphrase}") 100 + machine.screenshot("pw") 101 + machine.send_chars("\n") 102 + machine.switch_root() 103 + machine.wait_for_unit("multi-user.target") 104 105 + assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list" 106 + assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") 107 + ''; 108 + } 109 + )
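Review bot: `boot.kernelParams = [ "rd.systemd.debug_shell" ]` and the `debugPackages` list (added to both `environment.systemPackages` and `boot.initrd.systemd.storePaths`) read like debugging scaffolding left in the test; the debug shell is a passwordless root shell in the initrd, which a disk-unlock test should not present as normal configuration. Nothing in the visible `testScript` uses them, so I would drop them or mark them with a comment such as `# debug only: unauthenticated root shell in initrd, do not copy into a real config`. With `enableOCR` commented out, the script waits for `unl0kr-agent.service` instead of the on-screen prompt before `send_chars`, so it no longer shows that unl0kr was ready for input or that it was the agent which received the passphrase; a check after unlock that ties the result to the unl0kr unit would restore that coverage until OCR is fixed.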
-58
pkgs/by-name/un/unl0kr/package.nix
··· 1 - { lib 2 - , nixosTests 3 - , stdenv 4 - , fetchFromGitLab 5 - , inih 6 - , libdrm 7 - , libinput 8 - , libxkbcommon 9 - , meson 10 - , ninja 11 - , pkg-config 12 - , scdoc 13 - }: 14 - 15 - stdenv.mkDerivation (finalAttrs: { 16 - pname = "unl0kr"; 17 - version = "2.0.0"; 18 - 19 - src = fetchFromGitLab { 20 - domain = "gitlab.com"; 21 - owner = "cherrypicker"; 22 - repo = "unl0kr"; 23 - rev = finalAttrs.version; 24 - fetchSubmodules = true; 25 - hash = "sha256-KPP4Ol1GCAWqdQYlNtKQD/jx8A/xuHdvKjcocPMqWa0="; 26 - }; 27 - 28 - nativeBuildInputs = [ 29 - meson 30 - ninja 31 - pkg-config 32 - scdoc 33 - ]; 34 - 35 - buildInputs = [ 36 - inih 37 - libdrm 38 - libinput 39 - libxkbcommon 40 - ]; 41 - 42 - propagatedBuildInputs = [ 43 - libxkbcommon 44 - ]; 45 - 46 - passthru = { 47 - tests.unl0kr = nixosTests.systemd-initrd-luks-unl0kr; 48 - }; 49 - 50 - meta = with lib; { 51 - description = "Framebuffer-based disk unlocker for the initramfs based on LVGL"; 52 - mainProgram = "unl0kr"; 53 - homepage = "https://gitlab.com/cherrypicker/unl0kr"; 54 - license = licenses.gpl3Plus; 55 - maintainers = with maintainers; [ hustlerone ]; 56 - platforms = platforms.linux; 57 - }; 58 - })
···
+1
pkgs/top-level/aliases.nix
··· 1347 unifi8 = unifi; # Added 2024-11-15 1348 unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11 1349 unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11 1350 untrunc = throw "'untrunc' has been renamed to/replaced by 'untrunc-anthwlock'"; # Converted to throw 2024-10-17 1351 urxvt_autocomplete_all_the_things = throw "'urxvt_autocomplete_all_the_things' has been renamed to/replaced by 'rxvt-unicode-plugins.autocomplete-all-the-things'"; # Converted to throw 2024-10-17 1352 urxvt_bidi = throw "'urxvt_bidi' has been renamed to/replaced by 'rxvt-unicode-plugins.bidi'"; # Converted to throw 2024-10-17
··· 1347 unifi8 = unifi; # Added 2024-11-15 1348 unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11 1349 unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11 1350 + unl0kr = throw "'unl0kr' is now included with buffybox. Use `pkgs.buffybox` instead."; # Removed 2024-12-20 1351 untrunc = throw "'untrunc' has been renamed to/replaced by 'untrunc-anthwlock'"; # Converted to throw 2024-10-17 1352 urxvt_autocomplete_all_the_things = throw "'urxvt_autocomplete_all_the_things' has been renamed to/replaced by 'rxvt-unicode-plugins.autocomplete-all-the-things'"; # Converted to throw 2024-10-17 1353 urxvt_bidi = throw "'urxvt_bidi' has been renamed to/replaced by 'rxvt-unicode-plugins.bidi'"; # Converted to throw 2024-10-17