tjh.dev / nixpkgs
nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
nix
fork atom
nixpkgs / nixos / tests / installer.nix
at fix-function-merge 1610 lines 59 kB view raw
1{ system ? builtins.currentSystem, 2 config ? {}, 3 pkgs ? import ../.. { inherit system config; }, 4 systemdStage1 ? false 5}: 6 7with import ../lib/testing-python.nix { inherit system pkgs; }; 8with pkgs.lib; 9 10let 11 12 # The configuration to install. 13 makeConfig = { bootLoader, grubDevice, grubIdentifier, grubUseEfi 14 , extraConfig, forceGrubReinstallCount ? 0, withTestInstrumentation ? true 15 , clevisTest 16 }: 17 pkgs.writeText "configuration.nix" '' 18 { config, lib, pkgs, modulesPath, ... }: 19 20 { imports = 21 [ ./hardware-configuration.nix 22 ${if !withTestInstrumentation 23 then "" # Still included, but via installer/flake.nix 24 else "<nixpkgs/nixos/modules/testing/test-instrumentation.nix>"} 25 ]; 26 27 networking.hostName = "thatworked"; 28 29 documentation.enable = false; 30 31 # To ensure that we can rebuild the grub configuration on the nixos-rebuild 32 system.extraDependencies = with pkgs; [ stdenvNoCC ]; 33 34 ${optionalString systemdStage1 "boot.initrd.systemd.enable = true;"} 35 36 ${optionalString (bootLoader == "grub") '' 37 boot.loader.grub.extraConfig = "serial; terminal_output serial"; 38 ${if grubUseEfi then '' 39 boot.loader.grub.device = "nodev"; 40 boot.loader.grub.efiSupport = true; 41 boot.loader.grub.efiInstallAsRemovable = true; # XXX: needed for OVMF? 42 '' else '' 43 boot.loader.grub.device = "${grubDevice}"; 44 boot.loader.grub.fsIdentifier = "${grubIdentifier}"; 45 ''} 46 47 boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount}; 48 ''} 49 50 ${optionalString (bootLoader == "systemd-boot") '' 51 boot.loader.systemd-boot.enable = true; 52 ''} 53 54 boot.initrd.secrets."/etc/secret" = "/etc/nixos/secret"; 55 56 ${optionalString clevisTest '' 57 boot.kernelParams = [ "console=tty0" "ip=192.168.1.1:::255.255.255.0::eth1:none" ]; 58 boot.initrd = { 59 availableKernelModules = [ "tpm_tis" ]; 60 clevis = { enable = true; useTang = true; }; 61 network.enable = true; 62 }; 63 ''} 64 65 users.users.alice = { 66 isNormalUser = true; 67 home = "/home/alice"; 68 description = "Alice Foobar"; 69 }; 70 71 hardware.enableAllFirmware = lib.mkForce false; 72 73 ${replaceStrings ["\n"] ["\n "] extraConfig} 74 } 75 ''; 76 77 78 # The test script boots a NixOS VM, installs NixOS on an empty hard 79 # disk, and then reboot from the hard disk. It's parameterized with 80 # a test script fragment `createPartitions', which must create 81 # partitions and filesystems. 82 testScriptFun = { bootLoader, createPartitions, grubDevice, grubUseEfi, grubIdentifier 83 , postInstallCommands, postBootCommands, extraConfig 84 , testSpecialisationConfig, testFlakeSwitch, testByAttrSwitch, clevisTest, clevisFallbackTest 85 , disableFileSystems 86 }: 87 let 88 startTarget = '' 89 ${optionalString clevisTest "tpm.start()"} 90 target.start() 91 ${postBootCommands} 92 target.wait_for_unit("multi-user.target") 93 ''; 94 in '' 95 ${optionalString clevisTest '' 96 import os 97 import subprocess 98 99 tpm_folder = os.environ['NIX_BUILD_TOP'] 100 101 class Tpm: 102 def __init__(self): 103 self.start() 104 105 def start(self): 106 self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", 107 "socket", 108 "--tpmstate", f"dir={tpm_folder}/swtpm", 109 "--ctrl", f"type=unixio,path={tpm_folder}/swtpm-sock", 110 "--tpm2" 111 ]) 112 113 # Check whether starting swtpm failed 114 try: 115 exit_code = self.proc.wait(timeout=0.2) 116 if exit_code is not None and exit_code != 0: 117 raise Exception("failed to start swtpm") 118 except subprocess.TimeoutExpired: 119 pass 120 121 """Check whether the swtpm process exited due to an error""" 122 def check(self): 123 exit_code = self.proc.poll() 124 if exit_code is not None and exit_code != 0: 125 raise Exception("swtpm process died") 126 127 128 os.mkdir(f"{tpm_folder}/swtpm") 129 tpm = Tpm() 130 tpm.check() 131 ''} 132 133 installer.start() 134 ${optionalString clevisTest '' 135 tang.start() 136 tang.wait_for_unit("sockets.target") 137 tang.systemctl("start network-online.target") 138 tang.wait_for_unit("network-online.target") 139 installer.systemctl("start network-online.target") 140 installer.wait_for_unit("network-online.target") 141 ''} 142 installer.wait_for_unit("multi-user.target") 143 144 with subtest("Assert readiness of login prompt"): 145 installer.succeed("echo hello") 146 147 with subtest("Wait for hard disks to appear in /dev"): 148 installer.succeed("udevadm settle") 149 150 ${createPartitions} 151 152 with subtest("Create the NixOS configuration"): 153 installer.succeed("nixos-generate-config ${optionalString disableFileSystems "--no-filesystems"} --root /mnt") 154 installer.succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2") 155 installer.copy_from_host( 156 "${ makeConfig { 157 inherit bootLoader grubDevice grubIdentifier 158 grubUseEfi extraConfig clevisTest; 159 } 160 }", 161 "/mnt/etc/nixos/configuration.nix", 162 ) 163 installer.copy_from_host("${pkgs.writeText "secret" "secret"}", "/mnt/etc/nixos/secret") 164 165 ${optionalString clevisTest '' 166 with subtest("Create the Clevis secret with Tang"): 167 installer.systemctl("start network-online.target") 168 installer.wait_for_unit("network-online.target") 169 installer.succeed('echo -n password | clevis encrypt sss \'{"t": 2, "pins": {"tpm2": {}, "tang": {"url": "http://192.168.1.2"}}}\' -y > /mnt/etc/nixos/clevis-secret.jwe')''} 170 171 ${optionalString clevisFallbackTest '' 172 with subtest("Shutdown Tang to check fallback to interactive prompt"): 173 tang.shutdown() 174 ''} 175 176 with subtest("Perform the installation"): 177 installer.succeed("nixos-install < /dev/null >&2") 178 179 with subtest("Do it again to make sure it's idempotent"): 180 installer.succeed("nixos-install < /dev/null >&2") 181 182 with subtest("Check that we can build things in nixos-enter"): 183 installer.succeed( 184 """ 185 nixos-enter -- nix-build --option substitute false -E 'derivation { 186 name = "t"; 187 builder = "/bin/sh"; 188 args = ["-c" "echo nixos-enter build > $out"]; 189 system = builtins.currentSystem; 190 preferLocalBuild = true; 191 }' 192 """ 193 ) 194 195 ${postInstallCommands} 196 197 with subtest("Shutdown system after installation"): 198 installer.succeed("umount -R /mnt") 199 installer.succeed("sync") 200 installer.shutdown() 201 202 # We're actually the same machine, just booting differently this time. 203 target.state_dir = installer.state_dir 204 205 # Now see if we can boot the installation. 206 ${startTarget} 207 208 with subtest("Assert that /boot get mounted"): 209 target.wait_for_unit("local-fs.target") 210 ${if bootLoader == "grub" 211 then ''target.succeed("test -e /boot/grub")'' 212 else ''target.succeed("test -e /boot/loader/loader.conf")'' 213 } 214 215 with subtest("Check whether /root has correct permissions"): 216 assert "700" in target.succeed("stat -c '%a' /root") 217 218 with subtest("Assert swap device got activated"): 219 # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved 220 target.wait_for_unit("swap.target") 221 target.succeed("cat /proc/swaps | grep -q /dev") 222 223 with subtest("Check that the store is in good shape"): 224 target.succeed("nix-store --verify --check-contents >&2") 225 226 with subtest("Check whether the channel works"): 227 target.succeed("nix-env -iA nixos.procps >&2") 228 assert ".nix-profile" in target.succeed("type -tP ps | tee /dev/stderr") 229 230 with subtest( 231 "Check that the daemon works, and that non-root users can run builds " 232 "(this will build a new profile generation through the daemon)" 233 ): 234 target.succeed("su alice -l -c 'nix-env -iA nixos.procps' >&2") 235 236 with subtest("Configure system with writable Nix store on next boot"): 237 # we're not using copy_from_host here because the installer image 238 # doesn't know about the host-guest sharing mechanism. 239 target.copy_from_host_via_shell( 240 "${ makeConfig { 241 inherit bootLoader grubDevice grubIdentifier 242 grubUseEfi extraConfig clevisTest; 243 forceGrubReinstallCount = 1; 244 } 245 }", 246 "/etc/nixos/configuration.nix", 247 ) 248 249 with subtest("Check whether nixos-rebuild works"): 250 target.succeed("nixos-rebuild switch >&2") 251 252 with subtest("Test nixos-option"): 253 kernel_modules = target.succeed("nixos-option boot.initrd.kernelModules") 254 assert "virtio_console" in kernel_modules 255 assert "List of modules" in kernel_modules 256 assert "qemu-guest.nix" in kernel_modules 257 258 target.shutdown() 259 260 # Check whether a writable store build works 261 ${startTarget} 262 263 # we're not using copy_from_host here because the installer image 264 # doesn't know about the host-guest sharing mechanism. 265 target.copy_from_host_via_shell( 266 "${ makeConfig { 267 inherit bootLoader grubDevice grubIdentifier 268 grubUseEfi extraConfig clevisTest; 269 forceGrubReinstallCount = 2; 270 } 271 }", 272 "/etc/nixos/configuration.nix", 273 ) 274 target.succeed("nixos-rebuild boot >&2") 275 target.shutdown() 276 277 # And just to be sure, check that the target still boots after "nixos-rebuild switch". 278 ${startTarget} 279 target.wait_for_unit("network.target") 280 281 # Sanity check, is it the configuration.nix we generated? 282 hostname = target.succeed("hostname").strip() 283 assert hostname == "thatworked" 284 285 target.shutdown() 286 287 # Tests for validating clone configuration entries in grub menu 288 '' 289 + optionalString testSpecialisationConfig '' 290 # Reboot target 291 ${startTarget} 292 293 with subtest("Booted configuration name should be 'Home'"): 294 # This is not the name that shows in the grub menu. 295 # The default configuration is always shown as "Default" 296 target.succeed("cat /run/booted-system/configuration-name >&2") 297 assert "Home" in target.succeed("cat /run/booted-system/configuration-name") 298 299 with subtest("We should **not** find a file named /etc/gitconfig"): 300 target.fail("test -e /etc/gitconfig") 301 302 with subtest("Set grub to boot the second configuration"): 303 target.succeed("grub-reboot 1") 304 305 target.shutdown() 306 307 # Reboot target 308 ${startTarget} 309 310 with subtest("Booted configuration name should be Work"): 311 target.succeed("cat /run/booted-system/configuration-name >&2") 312 assert "Work" in target.succeed("cat /run/booted-system/configuration-name") 313 314 with subtest("We should find a file named /etc/gitconfig"): 315 target.succeed("test -e /etc/gitconfig") 316 317 target.shutdown() 318 '' 319 + optionalString testByAttrSwitch '' 320 with subtest("Configure system with attribute set"): 321 target.succeed(""" 322 mkdir /root/my-config 323 mv /etc/nixos/hardware-configuration.nix /root/my-config/ 324 rm /etc/nixos/configuration.nix 325 """) 326 target.copy_from_host_via_shell( 327 "${makeConfig { 328 inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest; 329 forceGrubReinstallCount = 1; 330 withTestInstrumentation = false; 331 }}", 332 "/root/my-config/configuration.nix", 333 ) 334 target.copy_from_host_via_shell( 335 "${./installer/byAttrWithChannel.nix}", 336 "/root/my-config/default.nix", 337 ) 338 with subtest("Switch to attribute set based config with channels"): 339 target.succeed("nixos-rebuild switch --file /root/my-config/default.nix") 340 341 target.shutdown() 342 343 ${startTarget} 344 345 target.succeed(""" 346 rm /root/my-config/default.nix 347 """) 348 target.copy_from_host_via_shell( 349 "${./installer/byAttrNoChannel.nix}", 350 "/root/my-config/default.nix", 351 ) 352 353 target.succeed(""" 354 pkgs=$(readlink -f /nix/var/nix/profiles/per-user/root/channels)/nixos 355 if ! [[ -e $pkgs/pkgs/top-level/default.nix ]]; then 356 echo 1>&2 "$pkgs does not seem to be a nixpkgs source. Please fix the test so that pkgs points to a nixpkgs source."; 357 exit 1; 358 fi 359 sed -e s^@nixpkgs@^$pkgs^ -i /root/my-config/default.nix 360 361 """) 362 363 with subtest("Switch to attribute set based config without channels"): 364 target.succeed("nixos-rebuild switch --file /root/my-config/default.nix") 365 366 target.shutdown() 367 368 ${startTarget} 369 370 with subtest("nix-channel command is not available anymore"): 371 target.succeed("! which nix-channel") 372 373 with subtest("builtins.nixPath is now empty"): 374 target.succeed(""" 375 [[ "[ ]" == "$(nix-instantiate builtins.nixPath --eval --expr)" ]] 376 """) 377 378 with subtest("<nixpkgs> does not resolve"): 379 target.succeed(""" 380 ! nix-instantiate '<nixpkgs>' --eval --expr 381 """) 382 383 with subtest("Evaluate attribute set based config in fresh env without nix-channel"): 384 target.succeed("nixos-rebuild switch --file /root/my-config/default.nix") 385 386 with subtest("Evaluate attribute set based config in fresh env without channel profiles"): 387 target.succeed(""" 388 ( 389 exec 1>&2 390 mkdir -p /root/restore 391 mv -v /root/.nix-channels /root/restore/ 392 mv -v ~/.nix-defexpr /root/restore/ 393 mkdir -p /root/restore/channels 394 mv -v /nix/var/nix/profiles/per-user/root/channels* /root/restore/channels/ 395 ) 396 """) 397 target.succeed("nixos-rebuild switch --file /root/my-config/default.nix") 398 '' 399 + optionalString (testByAttrSwitch && testFlakeSwitch) '' 400 with subtest("Restore channel profiles"): 401 target.succeed(""" 402 ( 403 exec 1>&2 404 mv -v /root/restore/.nix-channels /root/ 405 mv -v /root/restore/.nix-defexpr ~/.nix-defexpr 406 mv -v /root/restore/channels/* /nix/var/nix/profiles/per-user/root/ 407 rm -vrf /root/restore 408 ) 409 """) 410 411 with subtest("Restore /etc/nixos"): 412 target.succeed(""" 413 mv -v /root/my-config/hardware-configuration.nix /etc/nixos/ 414 """) 415 target.copy_from_host_via_shell( 416 "${makeConfig { 417 inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest; 418 forceGrubReinstallCount = 1; 419 }}", 420 "/etc/nixos/configuration.nix", 421 ) 422 423 with subtest("Restore /root/my-config"): 424 target.succeed(""" 425 rm -vrf /root/my-config 426 """) 427 428 '' 429 + optionalString (testByAttrSwitch && !testFlakeSwitch) '' 430 target.shutdown() 431 '' 432 + optionalString testFlakeSwitch '' 433 ${startTarget} 434 435 with subtest("Configure system with flake"): 436 # TODO: evaluate as user? 437 target.succeed(""" 438 mkdir /root/my-config 439 mv /etc/nixos/hardware-configuration.nix /root/my-config/ 440 rm /etc/nixos/configuration.nix 441 """) 442 target.copy_from_host_via_shell( 443 "${makeConfig { 444 inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest; 445 forceGrubReinstallCount = 1; 446 withTestInstrumentation = false; 447 }}", 448 "/root/my-config/configuration.nix", 449 ) 450 target.copy_from_host_via_shell( 451 "${./installer/flake.nix}", 452 "/root/my-config/flake.nix", 453 ) 454 target.succeed(""" 455 # for some reason the image does not have `pkgs.path`, so 456 # we use readlink to find a Nixpkgs source. 457 pkgs=$(readlink -f /nix/var/nix/profiles/per-user/root/channels)/nixos 458 if ! [[ -e $pkgs/pkgs/top-level/default.nix ]]; then 459 echo 1>&2 "$pkgs does not seem to be a nixpkgs source. Please fix the test so that pkgs points to a nixpkgs source."; 460 exit 1; 461 fi 462 sed -e s^@nixpkgs@^$pkgs^ -i /root/my-config/flake.nix 463 """) 464 465 with subtest("Switch to flake based config"): 466 target.succeed("nixos-rebuild switch --flake /root/my-config#xyz 2>&1 | tee activation-log >&2") 467 468 target.succeed(""" 469 cat -n activation-log >&2 470 """) 471 472 target.succeed(""" 473 grep -F '/root/.nix-defexpr/channels exists, but channels have been disabled.' activation-log 474 """) 475 target.succeed(""" 476 grep -F '/nix/var/nix/profiles/per-user/root/channels exists, but channels have been disabled.' activation-log 477 """) 478 target.succeed(""" 479 grep -F '/root/.nix-defexpr/channels exists, but channels have been disabled.' activation-log 480 """) 481 target.succeed(""" 482 grep -F 'Due to https://github.com/NixOS/nix/issues/9574, Nix may still use these channels when NIX_PATH is unset.' activation-log 483 """) 484 target.succeed("rm activation-log") 485 486 # Perform the suggested cleanups we've just seen in the log 487 # TODO after https://github.com/NixOS/nix/issues/9574: don't remove them yet 488 target.succeed(""" 489 rm -rf /root/.nix-defexpr/channels /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels 490 """) 491 492 493 target.shutdown() 494 495 ${startTarget} 496 497 with subtest("nix-channel command is not available anymore"): 498 target.succeed("! which nix-channel") 499 500 # Note that the channel profile is still present on disk, but configured 501 # not to be used. 502 # TODO after issue https://github.com/NixOS/nix/issues/9574: re-enable this assertion 503 # I believe what happens is 504 # - because of the issue, we've removed the `nix-path =` line from nix.conf 505 # - the "backdoor" shell is not a proper session and does not have `NIX_PATH=""` set 506 # - seeing no nix path settings at all, Nix loads its hardcoded default value, 507 # which is unfortunately non-empty 508 # Or maybe it's the new default NIX_PATH?? :( 509 # with subtest("builtins.nixPath is now empty"): 510 # target.succeed(""" 511 # ( 512 # set -x; 513 # [[ "[ ]" == "$(nix-instantiate builtins.nixPath --eval --expr)" ]]; 514 # ) 515 # """) 516 517 with subtest("<nixpkgs> does not resolve"): 518 target.succeed(""" 519 ! nix-instantiate '<nixpkgs>' --eval --expr 520 """) 521 522 with subtest("Evaluate flake config in fresh env without nix-channel"): 523 target.succeed("nixos-rebuild switch --flake /root/my-config#xyz") 524 525 with subtest("Evaluate flake config in fresh env without channel profiles"): 526 target.succeed(""" 527 ( 528 exec 1>&2 529 rm -vf /root/.nix-channels 530 rm -vrf ~/.nix-defexpr 531 rm -vrf /nix/var/nix/profiles/per-user/root/channels* 532 ) 533 """) 534 target.succeed("nixos-rebuild switch --flake /root/my-config#xyz | tee activation-log >&2") 535 target.succeed("cat -n activation-log >&2") 536 target.succeed("! grep -F '/root/.nix-defexpr/channels' activation-log") 537 target.succeed("! grep -F 'but channels have been disabled' activation-log") 538 target.succeed("! grep -F 'https://github.com/NixOS/nix/issues/9574' activation-log") 539 540 target.shutdown() 541 ''; 542 543 544 makeInstallerTest = name: 545 { createPartitions 546 , postInstallCommands ? "", postBootCommands ? "" 547 , extraConfig ? "" 548 , extraInstallerConfig ? {} 549 , bootLoader ? "grub" # either "grub" or "systemd-boot" 550 , grubDevice ? "/dev/vda", grubIdentifier ? "uuid", grubUseEfi ? false 551 , enableOCR ? false, meta ? {} 552 , testSpecialisationConfig ? false 553 , testFlakeSwitch ? false 554 , testByAttrSwitch ? false 555 , clevisTest ? false 556 , clevisFallbackTest ? false 557 , disableFileSystems ? false 558 }: 559 let 560 isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi); 561 in makeTest { 562 inherit enableOCR; 563 name = "installer-" + name; 564 meta = { 565 # put global maintainers here, individuals go into makeInstallerTest fkt call 566 maintainers = (meta.maintainers or []); 567 # non-EFI tests can only run on x86 568 platforms = if isEfi then platforms.linux else [ "x86_64-linux" "i686-linux" ]; 569 }; 570 nodes = let 571 commonConfig = { 572 # builds stuff in the VM, needs more juice 573 virtualisation.diskSize = 8 * 1024; 574 virtualisation.cores = 8; 575 virtualisation.memorySize = 2048; 576 577 # both installer and target need to use the same drive 578 virtualisation.diskImage = "./target.qcow2"; 579 580 # and the same TPM options 581 virtualisation.qemu.options = mkIf (clevisTest) [ 582 "-chardev socket,id=chrtpm,path=$NIX_BUILD_TOP/swtpm-sock" 583 "-tpmdev emulator,id=tpm0,chardev=chrtpm" 584 "-device tpm-tis,tpmdev=tpm0" 585 ]; 586 }; 587 in { 588 # The configuration of the system used to run "nixos-install". 589 installer = { 590 imports = [ 591 commonConfig 592 ../modules/profiles/installation-device.nix 593 ../modules/profiles/base.nix 594 extraInstallerConfig 595 ./common/auto-format-root-device.nix 596 ]; 597 598 # In systemdStage1, also automatically format the device backing the 599 # root filesystem. 600 virtualisation.fileSystems."/".autoFormat = systemdStage1; 601 602 boot.initrd.systemd.enable = systemdStage1; 603 604 # Use a small /dev/vdb as the root disk for the 605 # installer. This ensures the target disk (/dev/vda) is 606 # the same during and after installation. 607 virtualisation.emptyDiskImages = [ 512 ]; 608 virtualisation.rootDevice = "/dev/vdb"; 609 610 hardware.enableAllFirmware = mkForce false; 611 612 # The test cannot access the network, so any packages we 613 # need must be included in the VM. 614 system.extraDependencies = with pkgs; [ 615 bintools 616 brotli 617 brotli.dev 618 brotli.lib 619 desktop-file-utils 620 docbook5 621 docbook_xsl_ns 622 kbd.dev 623 kmod.dev 624 libarchive.dev 625 libxml2.bin 626 libxslt.bin 627 nixos-artwork.wallpapers.simple-dark-gray-bottom 628 ntp 629 perlPackages.ListCompare 630 perlPackages.XMLLibXML 631 # make-options-doc/default.nix 632 (python3.withPackages (p: [ p.mistune ])) 633 shared-mime-info 634 sudo 635 texinfo 636 unionfs-fuse 637 xorg.lndir 638 639 # add curl so that rather than seeing the test attempt to download 640 # curl's tarball, we see what it's trying to download 641 curl 642 ] 643 ++ optionals (bootLoader == "grub") (let 644 zfsSupport = extraInstallerConfig.boot.supportedFilesystems.zfs or false; 645 in [ 646 (pkgs.grub2.override { inherit zfsSupport; }) 647 (pkgs.grub2_efi.override { inherit zfsSupport; }) 648 ]) 649 ++ optionals (bootLoader == "systemd-boot") [ 650 pkgs.zstd.bin 651 pkgs.mypy 652 pkgs.bootspec 653 ] 654 ++ optionals clevisTest [ pkgs.klibc ]; 655 656 nix.settings = { 657 substituters = mkForce []; 658 hashed-mirrors = null; 659 connect-timeout = 1; 660 }; 661 }; 662 663 target = { 664 imports = [ commonConfig ]; 665 virtualisation.useBootLoader = true; 666 virtualisation.useEFIBoot = isEfi; 667 virtualisation.useDefaultFilesystems = false; 668 virtualisation.efi.keepVariables = false; 669 670 virtualisation.fileSystems."/" = { 671 device = "/dev/disk/by-label/this-is-not-real-and-will-never-be-used"; 672 fsType = "ext4"; 673 }; 674 }; 675 } // optionalAttrs clevisTest { 676 tang = { 677 services.tang = { 678 enable = true; 679 listenStream = [ "80" ]; 680 ipAddressAllow = [ "192.168.1.0/24" ]; 681 }; 682 networking.firewall.allowedTCPPorts = [ 80 ]; 683 }; 684 }; 685 686 testScript = testScriptFun { 687 inherit bootLoader createPartitions postInstallCommands postBootCommands 688 grubDevice grubIdentifier grubUseEfi extraConfig 689 testSpecialisationConfig testFlakeSwitch testByAttrSwitch clevisTest clevisFallbackTest 690 disableFileSystems; 691 }; 692 }; 693 694 makeLuksRootTest = name: luksFormatOpts: makeInstallerTest name { 695 createPartitions = '' 696 installer.succeed( 697 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 698 + " mkpart primary ext2 1M 100MB" # /boot 699 + " mkpart primary linux-swap 100M 1024M" 700 + " mkpart primary 1024M -1s", # LUKS 701 "udevadm settle", 702 "mkswap /dev/vda2 -L swap", 703 "swapon -L swap", 704 "modprobe dm_mod dm_crypt", 705 "echo -n supersecret | cryptsetup luksFormat ${luksFormatOpts} -q /dev/vda3 -", 706 "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda3 cryptroot", 707 "mkfs.ext3 -L nixos /dev/mapper/cryptroot", 708 "mount LABEL=nixos /mnt", 709 "mkfs.ext3 -L boot /dev/vda1", 710 "mkdir -p /mnt/boot", 711 "mount LABEL=boot /mnt/boot", 712 ) 713 ''; 714 extraConfig = '' 715 boot.kernelParams = lib.mkAfter [ "console=tty0" ]; 716 ''; 717 enableOCR = true; 718 postBootCommands = '' 719 target.wait_for_text("[Pp]assphrase for") 720 target.send_chars("supersecret\n") 721 ''; 722 }; 723 724 # The (almost) simplest partitioning scheme: a swap partition and 725 # one big filesystem partition. 726 simple-test-config = { 727 createPartitions = '' 728 installer.succeed( 729 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 730 + " mkpart primary linux-swap 1M 1024M" 731 + " mkpart primary ext2 1024M -1s", 732 "udevadm settle", 733 "mkswap /dev/vda1 -L swap", 734 "swapon -L swap", 735 "mkfs.ext3 -L nixos /dev/vda2", 736 "mount LABEL=nixos /mnt", 737 ) 738 ''; 739 }; 740 741 simple-test-config-flake = simple-test-config // { 742 testFlakeSwitch = true; 743 }; 744 745 simple-test-config-by-attr = simple-test-config // { 746 testByAttrSwitch = true; 747 }; 748 749 simple-test-config-from-by-attr-to-flake = simple-test-config // { 750 testByAttrSwitch = true; 751 testFlakeSwitch = true; 752 }; 753 754 simple-uefi-grub-config = { 755 createPartitions = '' 756 installer.succeed( 757 "flock /dev/vda parted --script /dev/vda -- mklabel gpt" 758 + " mkpart ESP fat32 1M 100MiB" # /boot 759 + " set 1 boot on" 760 + " mkpart primary linux-swap 100MiB 1024MiB" 761 + " mkpart primary ext2 1024MiB -1MiB", # / 762 "udevadm settle", 763 "mkswap /dev/vda2 -L swap", 764 "swapon -L swap", 765 "mkfs.ext3 -L nixos /dev/vda3", 766 "mount LABEL=nixos /mnt", 767 "mkfs.vfat -n BOOT /dev/vda1", 768 "mkdir -p /mnt/boot", 769 "mount LABEL=BOOT /mnt/boot", 770 ) 771 ''; 772 bootLoader = "grub"; 773 grubUseEfi = true; 774 }; 775 776 specialisation-test-extraconfig = { 777 extraConfig = '' 778 environment.systemPackages = [ pkgs.grub2 ]; 779 boot.loader.grub.configurationName = "Home"; 780 specialisation.work.configuration = { 781 boot.loader.grub.configurationName = lib.mkForce "Work"; 782 783 environment.etc = { 784 "gitconfig".text = " 785 [core] 786 gitproxy = none for work.com 787 "; 788 }; 789 }; 790 ''; 791 testSpecialisationConfig = true; 792 }; 793 # disable zfs so we can support latest kernel if needed 794 no-zfs-module = { 795 nixpkgs.overlays = [(final: super: { 796 zfs = super.zfs.overrideAttrs(_: {meta.platforms = [];});} 797 )]; 798 }; 799 800 mkClevisBcachefsTest = { fallback ? false }: makeInstallerTest "clevis-bcachefs${optionalString fallback "-fallback"}" { 801 clevisTest = true; 802 clevisFallbackTest = fallback; 803 enableOCR = fallback; 804 extraInstallerConfig = { 805 imports = [ no-zfs-module ]; 806 boot.supportedFilesystems = [ "bcachefs" ]; 807 environment.systemPackages = with pkgs; [ keyutils clevis ]; 808 }; 809 createPartitions = '' 810 installer.succeed( 811 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 812 + " mkpart primary ext2 1M 100MB" 813 + " mkpart primary linux-swap 100M 1024M" 814 + " mkpart primary 1024M -1s", 815 "udevadm settle", 816 "mkswap /dev/vda2 -L swap", 817 "swapon -L swap", 818 "keyctl link @u @s", 819 "echo -n password | mkfs.bcachefs -L root --encrypted /dev/vda3", 820 "echo -n password | bcachefs unlock /dev/vda3", 821 "echo -n password | mount -t bcachefs /dev/vda3 /mnt", 822 "mkfs.ext3 -L boot /dev/vda1", 823 "mkdir -p /mnt/boot", 824 "mount LABEL=boot /mnt/boot", 825 "udevadm settle") 826 ''; 827 extraConfig = '' 828 boot.initrd.clevis.devices."/dev/vda3".secretFile = "/etc/nixos/clevis-secret.jwe"; 829 830 # We override what nixos-generate-config has generated because we do 831 # not know the UUID in advance. 832 fileSystems."/" = lib.mkForce { device = "/dev/vda3"; fsType = "bcachefs"; }; 833 ''; 834 postBootCommands = optionalString fallback '' 835 target.wait_for_text("enter passphrase for") 836 target.send_chars("password\n") 837 ''; 838 }; 839 840 mkClevisLuksTest = { fallback ? false }: makeInstallerTest "clevis-luks${optionalString fallback "-fallback"}" { 841 clevisTest = true; 842 clevisFallbackTest = fallback; 843 enableOCR = fallback; 844 extraInstallerConfig = { 845 environment.systemPackages = with pkgs; [ clevis ]; 846 }; 847 createPartitions = '' 848 installer.succeed( 849 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 850 + " mkpart primary ext2 1M 100MB" 851 + " mkpart primary linux-swap 100M 1024M" 852 + " mkpart primary 1024M -1s", 853 "udevadm settle", 854 "mkswap /dev/vda2 -L swap", 855 "swapon -L swap", 856 "modprobe dm_mod dm_crypt", 857 "echo -n password | cryptsetup luksFormat -q /dev/vda3 -", 858 "echo -n password | cryptsetup luksOpen --key-file - /dev/vda3 crypt-root", 859 "mkfs.ext3 -L nixos /dev/mapper/crypt-root", 860 "mount LABEL=nixos /mnt", 861 "mkfs.ext3 -L boot /dev/vda1", 862 "mkdir -p /mnt/boot", 863 "mount LABEL=boot /mnt/boot", 864 "udevadm settle") 865 ''; 866 extraConfig = '' 867 boot.initrd.clevis.devices."crypt-root".secretFile = "/etc/nixos/clevis-secret.jwe"; 868 ''; 869 postBootCommands = optionalString fallback '' 870 ${if systemdStage1 then '' 871 target.wait_for_text("Please enter") 872 '' else '' 873 target.wait_for_text("Passphrase for") 874 ''} 875 target.send_chars("password\n") 876 ''; 877 }; 878 879 mkClevisZfsTest = { fallback ? false, parentDataset ? false }: makeInstallerTest "clevis-zfs${optionalString parentDataset "-parent-dataset"}${optionalString fallback "-fallback"}" { 880 clevisTest = true; 881 clevisFallbackTest = fallback; 882 enableOCR = fallback; 883 extraInstallerConfig = { 884 boot.supportedFilesystems = [ "zfs" ]; 885 environment.systemPackages = with pkgs; [ clevis ]; 886 }; 887 createPartitions = '' 888 installer.succeed( 889 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 890 + " mkpart primary ext2 1M 100MB" 891 + " mkpart primary linux-swap 100M 1024M" 892 + " mkpart primary 1024M -1s", 893 "udevadm settle", 894 "mkswap /dev/vda2 -L swap", 895 "swapon -L swap", 896 '' + optionalString (!parentDataset) '' 897 "zpool create -O mountpoint=legacy rpool /dev/vda3", 898 "echo -n password | zfs create" 899 + " -o encryption=aes-256-gcm -o keyformat=passphrase rpool/root", 900 '' + optionalString (parentDataset) '' 901 "echo -n password | zpool create -O mountpoint=none -O encryption=on -O keyformat=passphrase rpool /dev/vda3", 902 "zfs create -o mountpoint=legacy rpool/root", 903 '' + 904 '' 905 "mount -t zfs rpool/root /mnt", 906 "mkfs.ext3 -L boot /dev/vda1", 907 "mkdir -p /mnt/boot", 908 "mount LABEL=boot /mnt/boot", 909 "udevadm settle") 910 ''; 911 extraConfig = optionalString (!parentDataset) '' 912 boot.initrd.clevis.devices."rpool/root".secretFile = "/etc/nixos/clevis-secret.jwe"; 913 '' + optionalString (parentDataset) '' 914 boot.initrd.clevis.devices."rpool".secretFile = "/etc/nixos/clevis-secret.jwe"; 915 '' + 916 '' 917 boot.zfs.requestEncryptionCredentials = true; 918 919 920 # Using by-uuid overrides the default of by-id, and is unique 921 # to the qemu disks, as they don't produce by-id paths for 922 # some reason. 923 boot.zfs.devNodes = "/dev/disk/by-uuid/"; 924 networking.hostId = "00000000"; 925 ''; 926 postBootCommands = optionalString fallback '' 927 ${if systemdStage1 then '' 928 target.wait_for_text("Enter key for rpool/root") 929 '' else '' 930 target.wait_for_text("Key load error") 931 ''} 932 target.send_chars("password\n") 933 ''; 934 }; 935 936in { 937 938 # !!! `parted mkpart' seems to silently create overlapping partitions. 939 940 941 # The (almost) simplest partitioning scheme: a swap partition and 942 # one big filesystem partition. 943 simple = makeInstallerTest "simple" simple-test-config; 944 945 switchToFlake = makeInstallerTest "switch-to-flake" simple-test-config-flake; 946 947 switchToByAttr = makeInstallerTest "switch-to-by-attr" simple-test-config-by-attr; 948 949 switchFromByAttrToFlake = makeInstallerTest "switch-from-by-attr-to-flake" simple-test-config-from-by-attr-to-flake; 950 951 # Test cloned configurations with the simple grub configuration 952 simpleSpecialised = makeInstallerTest "simpleSpecialised" (simple-test-config // specialisation-test-extraconfig); 953 954 # Simple GPT/UEFI configuration using systemd-boot with 3 partitions: ESP, swap & root filesystem 955 simpleUefiSystemdBoot = makeInstallerTest "simpleUefiSystemdBoot" { 956 createPartitions = '' 957 installer.succeed( 958 "flock /dev/vda parted --script /dev/vda -- mklabel gpt" 959 + " mkpart ESP fat32 1M 100MiB" # /boot 960 + " set 1 boot on" 961 + " mkpart primary linux-swap 100MiB 1024MiB" 962 + " mkpart primary ext2 1024MiB -1MiB", # / 963 "udevadm settle", 964 "mkswap /dev/vda2 -L swap", 965 "swapon -L swap", 966 "mkfs.ext3 -L nixos /dev/vda3", 967 "mount LABEL=nixos /mnt", 968 "mkfs.vfat -n BOOT /dev/vda1", 969 "mkdir -p /mnt/boot", 970 "mount LABEL=BOOT /mnt/boot", 971 ) 972 ''; 973 bootLoader = "systemd-boot"; 974 }; 975 976 simpleUefiGrub = makeInstallerTest "simpleUefiGrub" simple-uefi-grub-config; 977 978 # Test cloned configurations with the uefi grub configuration 979 simpleUefiGrubSpecialisation = makeInstallerTest "simpleUefiGrubSpecialisation" (simple-uefi-grub-config // specialisation-test-extraconfig); 980 981 # Same as the previous, but now with a separate /boot partition. 982 separateBoot = makeInstallerTest "separateBoot" { 983 createPartitions = '' 984 installer.succeed( 985 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 986 + " mkpart primary ext2 1M 100MB" # /boot 987 + " mkpart primary linux-swap 100MB 1024M" 988 + " mkpart primary ext2 1024M -1s", # / 989 "udevadm settle", 990 "mkswap /dev/vda2 -L swap", 991 "swapon -L swap", 992 "mkfs.ext3 -L nixos /dev/vda3", 993 "mount LABEL=nixos /mnt", 994 "mkfs.ext3 -L boot /dev/vda1", 995 "mkdir -p /mnt/boot", 996 "mount LABEL=boot /mnt/boot", 997 ) 998 ''; 999 }; 1000 1001 # Same as the previous, but with fat32 /boot. 1002 separateBootFat = makeInstallerTest "separateBootFat" { 1003 createPartitions = '' 1004 installer.succeed( 1005 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1006 + " mkpart primary ext2 1M 100MB" # /boot 1007 + " mkpart primary linux-swap 100MB 1024M" 1008 + " mkpart primary ext2 1024M -1s", # / 1009 "udevadm settle", 1010 "mkswap /dev/vda2 -L swap", 1011 "swapon -L swap", 1012 "mkfs.ext3 -L nixos /dev/vda3", 1013 "mount LABEL=nixos /mnt", 1014 "mkfs.vfat -n BOOT /dev/vda1", 1015 "mkdir -p /mnt/boot", 1016 "mount LABEL=BOOT /mnt/boot", 1017 ) 1018 ''; 1019 }; 1020 1021 # Same as the previous, but with ZFS /boot. 1022 separateBootZfs = makeInstallerTest "separateBootZfs" { 1023 extraInstallerConfig = { 1024 boot.supportedFilesystems = [ "zfs" ]; 1025 }; 1026 1027 extraConfig = '' 1028 # Using by-uuid overrides the default of by-id, and is unique 1029 # to the qemu disks, as they don't produce by-id paths for 1030 # some reason. 1031 boot.zfs.devNodes = "/dev/disk/by-uuid/"; 1032 networking.hostId = "00000000"; 1033 ''; 1034 1035 createPartitions = '' 1036 installer.succeed( 1037 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1038 + " mkpart primary ext2 1M 256MB" # /boot 1039 + " mkpart primary linux-swap 256MB 1280M" 1040 + " mkpart primary ext2 1280M -1s", # / 1041 "udevadm settle", 1042 1043 "mkswap /dev/vda2 -L swap", 1044 "swapon -L swap", 1045 1046 "mkfs.ext4 -L nixos /dev/vda3", 1047 "mount LABEL=nixos /mnt", 1048 1049 # Use as many ZFS features as possible to verify that GRUB can handle them 1050 "zpool create" 1051 " -o compatibility=grub2" 1052 " -O utf8only=on" 1053 " -O normalization=formD" 1054 " -O compression=lz4" # Activate the lz4_compress feature 1055 " -O xattr=sa" 1056 " -O acltype=posixacl" 1057 " bpool /dev/vda1", 1058 "zfs create" 1059 " -o recordsize=1M" # Prepare activating the large_blocks feature 1060 " -o mountpoint=legacy" 1061 " -o relatime=on" 1062 " -o quota=1G" 1063 " -o filesystem_limit=100" # Activate the filesystem_limits features 1064 " bpool/boot", 1065 1066 # Snapshotting the top-level dataset would trigger a bug in GRUB2: https://github.com/openzfs/zfs/issues/13873 1067 "zfs snapshot bpool/boot@snap-1", # Prepare activating the livelist and bookmarks features 1068 "zfs clone bpool/boot@snap-1 bpool/test", # Activate the livelist feature 1069 "zfs bookmark bpool/boot@snap-1 bpool/boot#bookmark", # Activate the bookmarks feature 1070 "zpool checkpoint bpool", # Activate the zpool_checkpoint feature 1071 "mkdir -p /mnt/boot", 1072 "mount -t zfs bpool/boot /mnt/boot", 1073 "touch /mnt/boot/empty", # Activate zilsaxattr feature 1074 "dd if=/dev/urandom of=/mnt/boot/test bs=1M count=1", # Activate the large_blocks feature 1075 1076 # Print out all enabled and active ZFS features (and some other stuff) 1077 "sync /mnt/boot", 1078 "zpool get all bpool >&2", 1079 1080 # Abort early if GRUB2 doesn't like the disks 1081 "grub-probe --target=device /mnt/boot >&2", 1082 ) 1083 ''; 1084 1085 # umount & export bpool before shutdown 1086 # this is a fix for "cannot import 'bpool': pool was previously in use from another system." 1087 postInstallCommands = '' 1088 installer.succeed("umount /mnt/boot") 1089 installer.succeed("zpool export bpool") 1090 ''; 1091 }; 1092 1093 # zfs on / with swap 1094 zfsroot = makeInstallerTest "zfs-root" { 1095 extraInstallerConfig = { 1096 boot.supportedFilesystems = [ "zfs" ]; 1097 }; 1098 1099 extraConfig = '' 1100 boot.supportedFilesystems = [ "zfs" ]; 1101 1102 # Using by-uuid overrides the default of by-id, and is unique 1103 # to the qemu disks, as they don't produce by-id paths for 1104 # some reason. 1105 boot.zfs.devNodes = "/dev/disk/by-uuid/"; 1106 networking.hostId = "00000000"; 1107 ''; 1108 1109 createPartitions = '' 1110 installer.succeed( 1111 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1112 + " mkpart primary 1M 100MB" # /boot 1113 + " mkpart primary linux-swap 100M 1024M" 1114 + " mkpart primary 1024M -1s", # rpool 1115 "udevadm settle", 1116 "mkswap /dev/vda2 -L swap", 1117 "swapon -L swap", 1118 "zpool create rpool /dev/vda3", 1119 "zfs create -o mountpoint=legacy rpool/root", 1120 "mount -t zfs rpool/root /mnt", 1121 "zfs create -o mountpoint=legacy rpool/root/usr", 1122 "mkdir /mnt/usr", 1123 "mount -t zfs rpool/root/usr /mnt/usr", 1124 "mkfs.vfat -n BOOT /dev/vda1", 1125 "mkdir /mnt/boot", 1126 "mount LABEL=BOOT /mnt/boot", 1127 "udevadm settle", 1128 ) 1129 ''; 1130 }; 1131 1132 # Create two physical LVM partitions combined into one volume group 1133 # that contains the logical swap and root partitions. 1134 lvm = makeInstallerTest "lvm" { 1135 createPartitions = '' 1136 installer.succeed( 1137 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1138 + " mkpart primary 1M 2048M" # PV1 1139 + " set 1 lvm on" 1140 + " mkpart primary 2048M -1s" # PV2 1141 + " set 2 lvm on", 1142 "udevadm settle", 1143 "pvcreate /dev/vda1 /dev/vda2", 1144 "vgcreate MyVolGroup /dev/vda1 /dev/vda2", 1145 "lvcreate --size 1G --name swap MyVolGroup", 1146 "lvcreate --size 6G --name nixos MyVolGroup", 1147 "mkswap -f /dev/MyVolGroup/swap -L swap", 1148 "swapon -L swap", 1149 "mkfs.xfs -L nixos /dev/MyVolGroup/nixos", 1150 "mount LABEL=nixos /mnt", 1151 ) 1152 ''; 1153 extraConfig = optionalString systemdStage1 '' 1154 boot.initrd.services.lvm.enable = true; 1155 ''; 1156 }; 1157 1158 # Boot off an encrypted root partition with the default LUKS header format 1159 luksroot = makeLuksRootTest "luksroot-format1" ""; 1160 1161 # Boot off an encrypted root partition with LUKS1 format 1162 luksroot-format1 = makeLuksRootTest "luksroot-format1" "--type=LUKS1"; 1163 1164 # Boot off an encrypted root partition with LUKS2 format 1165 luksroot-format2 = makeLuksRootTest "luksroot-format2" "--type=LUKS2"; 1166 1167 # Test whether opening encrypted filesystem with keyfile 1168 # Checks for regression of missing cryptsetup, when no luks device without 1169 # keyfile is configured 1170 encryptedFSWithKeyfile = makeInstallerTest "encryptedFSWithKeyfile" { 1171 createPartitions = '' 1172 installer.succeed( 1173 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1174 + " mkpart primary ext2 1M 100MB" # /boot 1175 + " mkpart primary linux-swap 100M 1024M" 1176 + " mkpart primary 1024M 1280M" # LUKS with keyfile 1177 + " mkpart primary 1280M -1s", 1178 "udevadm settle", 1179 "mkswap /dev/vda2 -L swap", 1180 "swapon -L swap", 1181 "mkfs.ext3 -L nixos /dev/vda4", 1182 "mount LABEL=nixos /mnt", 1183 "mkfs.ext3 -L boot /dev/vda1", 1184 "mkdir -p /mnt/boot", 1185 "mount LABEL=boot /mnt/boot", 1186 "modprobe dm_mod dm_crypt", 1187 "echo -n supersecret > /mnt/keyfile", 1188 "cryptsetup luksFormat -q /dev/vda3 --key-file /mnt/keyfile", 1189 "cryptsetup luksOpen --key-file /mnt/keyfile /dev/vda3 crypt", 1190 "mkfs.ext3 -L test /dev/mapper/crypt", 1191 "cryptsetup luksClose crypt", 1192 "mkdir -p /mnt/test", 1193 ) 1194 ''; 1195 extraConfig = '' 1196 fileSystems."/test" = { 1197 device = "/dev/disk/by-label/test"; 1198 fsType = "ext3"; 1199 encrypted.enable = true; 1200 encrypted.blkDev = "/dev/vda3"; 1201 encrypted.label = "crypt"; 1202 encrypted.keyFile = "/${if systemdStage1 then "sysroot" else "mnt-root"}/keyfile"; 1203 }; 1204 ''; 1205 }; 1206 1207 # Full disk encryption (root, kernel and initrd encrypted) using GRUB, GPT/UEFI, 1208 # LVM-on-LUKS and a keyfile in initrd.secrets to enter the passphrase once 1209 fullDiskEncryption = makeInstallerTest "fullDiskEncryption" { 1210 createPartitions = '' 1211 installer.succeed( 1212 "flock /dev/vda parted --script /dev/vda -- mklabel gpt" 1213 + " mkpart ESP fat32 1M 100MiB" # /boot/efi 1214 + " set 1 boot on" 1215 + " mkpart primary ext2 1024MiB -1MiB", # LUKS 1216 "udevadm settle", 1217 "modprobe dm_mod dm_crypt", 1218 "dd if=/dev/random of=luks.key bs=256 count=1", 1219 "echo -n supersecret | cryptsetup luksFormat -q --pbkdf-force-iterations 1000 --type luks1 /dev/vda2 -", 1220 "echo -n supersecret | cryptsetup luksAddKey -q --pbkdf-force-iterations 1000 --key-file - /dev/vda2 luks.key", 1221 "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda2 crypt", 1222 "pvcreate /dev/mapper/crypt", 1223 "vgcreate crypt /dev/mapper/crypt", 1224 "lvcreate -L 100M -n swap crypt", 1225 "lvcreate -l '100%FREE' -n nixos crypt", 1226 "mkfs.vfat -n efi /dev/vda1", 1227 "mkfs.ext4 -L nixos /dev/crypt/nixos", 1228 "mkswap -L swap /dev/crypt/swap", 1229 "mount LABEL=nixos /mnt", 1230 "mkdir -p /mnt/{etc/nixos,boot/efi}", 1231 "mount LABEL=efi /mnt/boot/efi", 1232 "swapon -L swap", 1233 "mv luks.key /mnt/etc/nixos/" 1234 ) 1235 ''; 1236 bootLoader = "grub"; 1237 grubUseEfi = true; 1238 extraConfig = '' 1239 boot.loader.grub.enableCryptodisk = true; 1240 boot.loader.efi.efiSysMountPoint = "/boot/efi"; 1241 1242 boot.initrd.secrets."/luks.key" = "/etc/nixos/luks.key"; 1243 boot.initrd.luks.devices.crypt = 1244 { device = "/dev/vda2"; 1245 keyFile = "/luks.key"; 1246 }; 1247 ''; 1248 enableOCR = true; 1249 postBootCommands = '' 1250 target.wait_for_text("Enter passphrase for") 1251 target.send_chars("supersecret\n") 1252 ''; 1253 }; 1254 1255 swraid = makeInstallerTest "swraid" { 1256 createPartitions = '' 1257 installer.succeed( 1258 "flock /dev/vda parted --script /dev/vda --" 1259 + " mklabel msdos" 1260 + " mkpart primary ext2 1M 100MB" # /boot 1261 + " mkpart extended 100M -1s" 1262 + " mkpart logical 102M 3102M" # md0 (root), first device 1263 + " mkpart logical 3103M 6103M" # md0 (root), second device 1264 + " mkpart logical 6104M 6360M" # md1 (swap), first device 1265 + " mkpart logical 6361M 6617M", # md1 (swap), second device 1266 "udevadm settle", 1267 "ls -l /dev/vda* >&2", 1268 "cat /proc/partitions >&2", 1269 "udevadm control --stop-exec-queue", 1270 "mdadm --create --force /dev/md0 --metadata 1.2 --level=raid1 " 1271 + "--raid-devices=2 /dev/vda5 /dev/vda6", 1272 "mdadm --create --force /dev/md1 --metadata 1.2 --level=raid1 " 1273 + "--raid-devices=2 /dev/vda7 /dev/vda8", 1274 "udevadm control --start-exec-queue", 1275 "udevadm settle", 1276 "mkswap -f /dev/md1 -L swap", 1277 "swapon -L swap", 1278 "mkfs.ext3 -L nixos /dev/md0", 1279 "mount LABEL=nixos /mnt", 1280 "mkfs.ext3 -L boot /dev/vda1", 1281 "mkdir /mnt/boot", 1282 "mount LABEL=boot /mnt/boot", 1283 "udevadm settle", 1284 ) 1285 ''; 1286 postBootCommands = '' 1287 target.fail("dmesg | grep 'immediate safe mode'") 1288 ''; 1289 }; 1290 1291 bcache = makeInstallerTest "bcache" { 1292 createPartitions = '' 1293 installer.succeed( 1294 "flock /dev/vda parted --script /dev/vda --" 1295 + " mklabel msdos" 1296 + " mkpart primary ext2 1M 100MB" # /boot 1297 + " mkpart primary 100MB 512MB " # swap 1298 + " mkpart primary 512MB 1024MB" # Cache (typically SSD) 1299 + " mkpart primary 1024MB -1s ", # Backing device (typically HDD) 1300 "modprobe bcache", 1301 "udevadm settle", 1302 "make-bcache -B /dev/vda4 -C /dev/vda3", 1303 "udevadm settle", 1304 "mkfs.ext3 -L nixos /dev/bcache0", 1305 "mount LABEL=nixos /mnt", 1306 "mkfs.ext3 -L boot /dev/vda1", 1307 "mkdir /mnt/boot", 1308 "mount LABEL=boot /mnt/boot", 1309 "mkswap -f /dev/vda2 -L swap", 1310 "swapon -L swap", 1311 ) 1312 ''; 1313 }; 1314 1315 bcachefsSimple = makeInstallerTest "bcachefs-simple" { 1316 extraInstallerConfig = { 1317 boot.supportedFilesystems = [ "bcachefs" ]; 1318 imports = [ no-zfs-module ]; 1319 }; 1320 1321 createPartitions = '' 1322 installer.succeed( 1323 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1324 + " mkpart primary ext2 1M 100MB" # /boot 1325 + " mkpart primary linux-swap 100M 1024M" # swap 1326 + " mkpart primary 1024M -1s", # / 1327 "udevadm settle", 1328 "mkswap /dev/vda2 -L swap", 1329 "swapon -L swap", 1330 "mkfs.bcachefs -L root /dev/vda3", 1331 "mount -t bcachefs /dev/vda3 /mnt", 1332 "mkfs.ext3 -L boot /dev/vda1", 1333 "mkdir -p /mnt/boot", 1334 "mount /dev/vda1 /mnt/boot", 1335 ) 1336 ''; 1337 }; 1338 1339 bcachefsEncrypted = makeInstallerTest "bcachefs-encrypted" { 1340 extraInstallerConfig = { 1341 boot.supportedFilesystems = [ "bcachefs" ]; 1342 1343 # disable zfs so we can support latest kernel if needed 1344 imports = [ no-zfs-module ]; 1345 1346 environment.systemPackages = with pkgs; [ keyutils ]; 1347 }; 1348 1349 extraConfig = '' 1350 boot.kernelParams = lib.mkAfter [ "console=tty0" ]; 1351 ''; 1352 1353 enableOCR = true; 1354 postBootCommands = '' 1355 # Enter it wrong once 1356 target.wait_for_text("enter passphrase for ") 1357 target.send_chars("wrong\n") 1358 # Then enter it right. 1359 target.wait_for_text("enter passphrase for ") 1360 target.send_chars("password\n") 1361 ''; 1362 1363 createPartitions = '' 1364 installer.succeed( 1365 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1366 + " mkpart primary ext2 1M 100MB" # /boot 1367 + " mkpart primary linux-swap 100M 1024M" # swap 1368 + " mkpart primary 1024M -1s", # / 1369 "udevadm settle", 1370 "mkswap /dev/vda2 -L swap", 1371 "swapon -L swap", 1372 "echo password | mkfs.bcachefs -L root --encrypted /dev/vda3", 1373 "echo password | bcachefs unlock -k session /dev/vda3", 1374 "echo password | mount -t bcachefs /dev/vda3 /mnt", 1375 "mkfs.ext3 -L boot /dev/vda1", 1376 "mkdir -p /mnt/boot", 1377 "mount /dev/vda1 /mnt/boot", 1378 ) 1379 ''; 1380 }; 1381 1382 bcachefsMulti = makeInstallerTest "bcachefs-multi" { 1383 extraInstallerConfig = { 1384 boot.supportedFilesystems = [ "bcachefs" ]; 1385 1386 # disable zfs so we can support latest kernel if needed 1387 imports = [ no-zfs-module ]; 1388 }; 1389 1390 createPartitions = '' 1391 installer.succeed( 1392 "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 1393 + " mkpart primary ext2 1M 100MB" # /boot 1394 + " mkpart primary linux-swap 100M 1024M" # swap 1395 + " mkpart primary 1024M 4096M" # / 1396 + " mkpart primary 4096M -1s", # / 1397 "udevadm settle", 1398 "mkswap /dev/vda2 -L swap", 1399 "swapon -L swap", 1400 "mkfs.bcachefs -L root --metadata_replicas 2 --foreground_target ssd --promote_target ssd --background_target hdd --label ssd /dev/vda3 --label hdd /dev/vda4", 1401 "mount -t bcachefs /dev/vda3:/dev/vda4 /mnt", 1402 "mkfs.ext3 -L boot /dev/vda1", 1403 "mkdir -p /mnt/boot", 1404 "mount /dev/vda1 /mnt/boot", 1405 ) 1406 ''; 1407 }; 1408 1409 # Test using labels to identify volumes in grub 1410 simpleLabels = makeInstallerTest "simpleLabels" { 1411 createPartitions = '' 1412 installer.succeed( 1413 "sgdisk -Z /dev/vda", 1414 "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", 1415 "mkswap /dev/vda2 -L swap", 1416 "swapon -L swap", 1417 "mkfs.ext4 -L root /dev/vda3", 1418 "mount LABEL=root /mnt", 1419 ) 1420 ''; 1421 grubIdentifier = "label"; 1422 }; 1423 1424 # Test using the provided disk name within grub 1425 # TODO: Fix udev so the symlinks are unneeded in /dev/disks 1426 simpleProvided = makeInstallerTest "simpleProvided" { 1427 createPartitions = '' 1428 uuid = "$(blkid -s UUID -o value /dev/vda2)" 1429 installer.succeed( 1430 "sgdisk -Z /dev/vda", 1431 "sgdisk -n 1:0:+1M -n 2:0:+100M -n 3:0:+1G -N 4 -t 1:ef02 -t 2:8300 " 1432 + "-t 3:8200 -t 4:8300 -c 2:boot -c 4:root /dev/vda", 1433 "mkswap /dev/vda3 -L swap", 1434 "swapon -L swap", 1435 "mkfs.ext4 -L boot /dev/vda2", 1436 "mkfs.ext4 -L root /dev/vda4", 1437 ) 1438 installer.execute(f"ln -s ../../vda2 /dev/disk/by-uuid/{uuid}") 1439 installer.execute("ln -s ../../vda4 /dev/disk/by-label/root") 1440 installer.succeed( 1441 "mount /dev/disk/by-label/root /mnt", 1442 "mkdir /mnt/boot", 1443 f"mount /dev/disk/by-uuid/{uuid} /mnt/boot", 1444 ) 1445 ''; 1446 grubIdentifier = "provided"; 1447 }; 1448 1449 # Simple btrfs grub testing 1450 btrfsSimple = makeInstallerTest "btrfsSimple" { 1451 createPartitions = '' 1452 installer.succeed( 1453 "sgdisk -Z /dev/vda", 1454 "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", 1455 "mkswap /dev/vda2 -L swap", 1456 "swapon -L swap", 1457 "mkfs.btrfs -L root /dev/vda3", 1458 "mount LABEL=root /mnt", 1459 ) 1460 ''; 1461 }; 1462 1463 # Test to see if we can detect /boot and /nix on subvolumes 1464 btrfsSubvols = makeInstallerTest "btrfsSubvols" { 1465 createPartitions = '' 1466 installer.succeed( 1467 "sgdisk -Z /dev/vda", 1468 "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", 1469 "mkswap /dev/vda2 -L swap", 1470 "swapon -L swap", 1471 "mkfs.btrfs -L root /dev/vda3", 1472 "btrfs device scan", 1473 "mount LABEL=root /mnt", 1474 "btrfs subvol create /mnt/boot", 1475 "btrfs subvol create /mnt/nixos", 1476 "btrfs subvol create /mnt/nixos/default", 1477 "umount /mnt", 1478 "mount -o defaults,subvol=nixos/default LABEL=root /mnt", 1479 "mkdir /mnt/boot", 1480 "mount -o defaults,subvol=boot LABEL=root /mnt/boot", 1481 ) 1482 ''; 1483 }; 1484 1485 # Test to see if we can detect default and aux subvolumes correctly 1486 btrfsSubvolDefault = makeInstallerTest "btrfsSubvolDefault" { 1487 createPartitions = '' 1488 installer.succeed( 1489 "sgdisk -Z /dev/vda", 1490 "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", 1491 "mkswap /dev/vda2 -L swap", 1492 "swapon -L swap", 1493 "mkfs.btrfs -L root /dev/vda3", 1494 "btrfs device scan", 1495 "mount LABEL=root /mnt", 1496 "btrfs subvol create /mnt/badpath", 1497 "btrfs subvol create /mnt/badpath/boot", 1498 "btrfs subvol create /mnt/nixos", 1499 "btrfs subvol set-default " 1500 + "$(btrfs subvol list /mnt | grep 'nixos' | awk '{print $2}') /mnt", 1501 "umount /mnt", 1502 "mount -o defaults LABEL=root /mnt", 1503 "mkdir -p /mnt/badpath/boot", # Help ensure the detection mechanism 1504 # is actually looking up subvolumes 1505 "mkdir /mnt/boot", 1506 "mount -o defaults,subvol=badpath/boot LABEL=root /mnt/boot", 1507 ) 1508 ''; 1509 }; 1510 1511 # Test to see if we can deal with subvols that need to be escaped in fstab 1512 btrfsSubvolEscape = makeInstallerTest "btrfsSubvolEscape" { 1513 createPartitions = '' 1514 installer.succeed( 1515 "sgdisk -Z /dev/vda", 1516 "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", 1517 "mkswap /dev/vda2 -L swap", 1518 "swapon -L swap", 1519 "mkfs.btrfs -L root /dev/vda3", 1520 "btrfs device scan", 1521 "mount LABEL=root /mnt", 1522 "btrfs subvol create '/mnt/nixos in space'", 1523 "btrfs subvol create /mnt/boot", 1524 "umount /mnt", 1525 "mount -o 'defaults,subvol=nixos in space' LABEL=root /mnt", 1526 "mkdir /mnt/boot", 1527 "mount -o defaults,subvol=boot LABEL=root /mnt/boot", 1528 ) 1529 ''; 1530 }; 1531} // { 1532 clevisBcachefs = mkClevisBcachefsTest { }; 1533 clevisBcachefsFallback = mkClevisBcachefsTest { fallback = true; }; 1534 clevisLuks = mkClevisLuksTest { }; 1535 clevisLuksFallback = mkClevisLuksTest { fallback = true; }; 1536 clevisZfs = mkClevisZfsTest { }; 1537 clevisZfsFallback = mkClevisZfsTest { fallback = true; }; 1538 clevisZfsParentDataset = mkClevisZfsTest { parentDataset = true; }; 1539 clevisZfsParentDatasetFallback = mkClevisZfsTest { parentDataset = true; fallback = true; }; 1540} // optionalAttrs systemdStage1 { 1541 stratisRoot = makeInstallerTest "stratisRoot" { 1542 createPartitions = '' 1543 installer.succeed( 1544 "sgdisk --zap-all /dev/vda", 1545 "sgdisk --new=1:0:+100M --typecode=0:ef00 /dev/vda", # /boot 1546 "sgdisk --new=2:0:+1G --typecode=0:8200 /dev/vda", # swap 1547 "sgdisk --new=3:0:+5G --typecode=0:8300 /dev/vda", # / 1548 "udevadm settle", 1549 1550 "mkfs.vfat /dev/vda1", 1551 "mkswap /dev/vda2 -L swap", 1552 "swapon -L swap", 1553 "stratis pool create my-pool /dev/vda3", 1554 "stratis filesystem create my-pool nixos", 1555 "udevadm settle", 1556 1557 "mount /dev/stratis/my-pool/nixos /mnt", 1558 "mkdir -p /mnt/boot", 1559 "mount /dev/vda1 /mnt/boot" 1560 ) 1561 ''; 1562 bootLoader = "systemd-boot"; 1563 extraInstallerConfig = { modulesPath, ...}: { 1564 config = { 1565 services.stratis.enable = true; 1566 environment.systemPackages = [ 1567 pkgs.stratis-cli 1568 pkgs.thin-provisioning-tools 1569 pkgs.lvm2.bin 1570 pkgs.stratisd.initrd 1571 ]; 1572 }; 1573 }; 1574 }; 1575 1576 gptAutoRoot = let 1577 rootPartType = { 1578 ia32 = "44479540-F297-41B2-9AF7-D131D5F0458A"; 1579 x64 = "4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709"; 1580 arm = "69DAD710-2CE4-4E3C-B16C-21A1D49ABED3"; 1581 aa64 = "B921B045-1DF0-41C3-AF44-4C6F280D3FAE"; 1582 }.${pkgs.stdenv.hostPlatform.efiArch}; 1583 in makeInstallerTest "gptAutoRoot" { 1584 disableFileSystems = true; 1585 createPartitions = '' 1586 installer.succeed( 1587 "sgdisk --zap-all /dev/vda", 1588 "sgdisk --new=1:0:+100M --typecode=0:ef00 /dev/vda", # /boot 1589 "sgdisk --new=2:0:+1G --typecode=0:8200 /dev/vda", # swap 1590 "sgdisk --new=3:0:+5G --typecode=0:${rootPartType} /dev/vda", # / 1591 "udevadm settle", 1592 1593 "mkfs.vfat /dev/vda1", 1594 "mkswap /dev/vda2 -L swap", 1595 "swapon -L swap", 1596 "mkfs.ext4 -L root /dev/vda3", 1597 "udevadm settle", 1598 1599 "mount /dev/vda3 /mnt", 1600 "mkdir -p /mnt/boot", 1601 "mount /dev/vda1 /mnt/boot" 1602 ) 1603 ''; 1604 bootLoader = "systemd-boot"; 1605 extraConfig = '' 1606 boot.initrd.systemd.root = "gpt-auto"; 1607 boot.initrd.supportedFilesystems = ["ext4"]; 1608 ''; 1609 }; 1610}