nixos/nix-store-veritysetup: init (#397621)

authored by WilliButz and committed by GitHub 99d92580 c7b4aaf8

+151
+2
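--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -34,6 +34,8 @@
 
 - [Szurubooru](https://github.com/rr-/szurubooru), an image board engine inspired by services such as Danbooru, dedicated for small and medium communities. Available as [services.szurubooru](#opt-services.szurubooru.enable).
 
+- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
+
 - [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
 
 [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).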
+1
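--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1786,6 +1786,7 @@
   ./system/boot/luksroot.nix
   ./system/boot/modprobe.nix
   ./system/boot/networkd.nix
+  ./system/boot/nix-store-veritysetup.nix
   ./system/boot/plymouth.nix
   ./system/boot/resolved.nix
   ./system/boot/shutdown.nix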
+38
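--- /dev/null
+++ b/nixos/modules/system/boot/nix-store-veritysetup.nix
@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.boot.initrd.nix-store-veritysetup;
+in
+{
+  meta.maintainers = with lib.maintainers; [ nikstur ];
+
+  options.boot.initrd.nix-store-veritysetup = {
+    enable = lib.mkEnableOption "nix-store-veritysetup";
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.dmVerity.enable;
+        message = "nix-store-veritysetup requires dm-verity in the systemd initrd.";
+      }
+    ];
+
+    boot.initrd.systemd = {
+      contents = {
+        "/etc/systemd/system-generators/nix-store-veritysetup-generator".source =
+          "${lib.getExe pkgs.nix-store-veritysetup-generator}";
+      };
+
+      storePaths = [
+        "${config.boot.initrd.systemd.package}/bin/systemd-escape"
+      ];
+    };
+
+  };
+}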
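Review bot: The `enable` option at line 15 of the new file carries only the bare `mkEnableOption "nix-store-veritysetup"` text, so the rendered option documentation never says where the dm-verity root hash comes from or what the feature does and does not protect. The test passes the hash as `storehash=` on the kernel command line, so presumably the generator reads it from there; the description should state this and make explicit that dm-verity only guarantees the store image matches the supplied hash, so the hash is only as trustworthy as the channel it arrives on and the command line itself must be protected (for example by a signed or measured UKI) for the integrity check to mean anything. Something like `enable = lib.mkEnableOption "nix-store-veritysetup, a systemd generator that sets up /nix/store as a dm-verity protected block device from the root hash given on the kernel command line (storehash=); the command line must itself be trusted, e.g. via a signed UKI";` would cover this. A short comment on the assertion at line 21 explaining why the `systemd-escape` binary on line 33 has to be in the initrd store paths (the generator presumably shells out to it) would also help the next maintainer.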
+1
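--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -938,6 +938,7 @@
   nix-required-mounts = runTest ./nix-required-mounts;
   nix-serve = runTest ./nix-serve.nix;
   nix-serve-ssh = runTest ./nix-serve-ssh.nix;
+  nix-store-veritysetup = runTest ./nix-store-veritysetup.nix;
   nixops = handleTest ./nixops/default.nix { };
   nixos-generate-config = runTest ./nixos-generate-config.nix;
   nixos-rebuild-install-bootloader = handleTestOn [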
+108
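--- /dev/null
+++ b/nixos/tests/nix-store-veritysetup.nix
@@ -0,0 +1,108 @@
+{ lib, ... }:
+{
+
+  name = "nix-store-veritysetup";
+
+  meta.maintainers = with lib.maintainers; [ nikstur ];
+
+  nodes.machine =
+    { config, modulesPath, ... }:
+    {
+
+      imports = [
+        "${modulesPath}/image/repart.nix"
+      ];
+
+      image.repart = {
+        name = "nix-store";
+        partitions = {
+          "nix-store" = {
+            storePaths = [ config.system.build.toplevel ];
+            stripNixStorePrefix = true;
+            repartConfig = {
+              Type = "linux-generic";
+              Label = "nix-store";
+              Format = "erofs";
+              Minimize = "best";
+              Verity = "data";
+              VerityMatchKey = "nix-store";
+            };
+          };
+          "nix-store-verity" = {
+            repartConfig = {
+              Type = "linux-generic";
+              Label = "nix-store-verity";
+              Verity = "hash";
+              VerityMatchKey = "nix-store";
+              Minimize = "best";
+            };
+          };
+        };
+      };
+
+      boot.initrd = {
+        systemd = {
+          enable = true;
+          dmVerity.enable = true;
+        };
+        nix-store-veritysetup.enable = true;
+      };
+
+      virtualisation = {
+        mountHostNixStore = false;
+        qemu.drives = [
+          {
+            name = "nix-store";
+            file = ''"$NIX_STORE"'';
+          }
+        ];
+        fileSystems = {
+          "/nix/store" = {
+            fsType = "erofs";
+            device = "/dev/mapper/nix-store";
+          };
+        };
+      };
+
+    };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      import os
+      import json
+      import subprocess
+      import tempfile
+
+      with open("${nodes.machine.system.build.image}/repart-output.json") as f:
+          data = json.load(f)
+
+      storehash = data[0]["roothash"]
+
+      os.environ["QEMU_KERNEL_PARAMS"] = f"storehash={storehash}"
+
+      tmp_disk_image = tempfile.NamedTemporaryFile()
+
+      subprocess.run([
+          "${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
+          "create",
+          "-f",
+          "qcow2",
+          "-b",
+          "${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",
+          "-F",
+          "raw",
+          tmp_disk_image.name,
+      ])
+
+      os.environ["NIX_STORE"] = tmp_disk_image.name
+
+      machine.start()
+
+      print(machine.succeed("findmnt"))
+      print(machine.succeed("dmsetup info nix-store"))
+
+      machine.wait_for_unit("multi-user.target")
+    '';
+
+}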
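Review bot: The `qemu-img create` call at lines 86–96 of the new file runs `subprocess.run` without `check=True`, so if creating the qcow2 overlay fails the script still points `NIX_STORE` at an empty temporary file and starts the VM, and the failure only surfaces later as an unrelated boot or mount error. Changing the closing `])` on line 96 to `], check=True)` makes the driver stop at the real cause. The checks at lines 102–103 only print the `findmnt` and `dmsetup info` output and assert nothing beyond both commands exiting 0; the test would actually exercise the feature if it verified that `/nix/store` is mounted from the mapped device, e.g. `machine.succeed("findmnt -n -o SOURCE /nix/store | grep -x /dev/mapper/nix-store")`, and that `dmsetup status nix-store` reports a verity target rather than some other mapping. `data[0]["roothash"]` on line 80 also relies on the data partition being the first entry of repart-output.json, which matches the declaration order above but deserves a one-line comment so a later reordering of the partitions does not silently pick the wrong hash.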
+1
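--- a/pkgs/by-name/ni/nix-store-veritysetup-generator/package.nix
+++ b/pkgs/by-name/ni/nix-store-veritysetup-generator/package.nix
@@ -40,5 +40,6 @@
     homepage = "https://github.com/nikstur/nix-store-veritysetup-generator";
     license = licenses.mit;
     maintainers = with lib.maintainers; [ nikstur ];
+    mainProgram = "nix-store-veritysetup-generator";
   };
 }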