nixos/nix-store-veritysetup: init

nikstur 2025-06-14 21:44:46 +02:00
parent be55c6c4e5
commit 50d0a81800
4 changed files with 148 additions and 0 deletions


@ -1786,6 +1786,7 @@
./system/boot/luksroot.nix
./system/boot/modprobe.nix
./system/boot/networkd.nix
./system/boot/nix-store-veritysetup.nix
./system/boot/plymouth.nix
./system/boot/resolved.nix
./system/boot/shutdown.nix


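--- /dev/null
+++ b/nixos/modules/system/boot/nix-store-veritysetup.nix
@@ -0,0 +1,38 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.boot.initrd.nix-store-veritysetup;
+in
+{
+meta.maintainers = with lib.maintainers; [ nikstur ];
+options.boot.initrd.nix-store-veritysetup = {
+enable = lib.mkEnableOption "nix-store-veritysetup";
+};
+config = lib.mkIf cfg.enable {
+assertions = [
+{
+assertion = config.boot.initrd.systemd.dmVerity.enable;
+message = "nix-store-veritysetup requires dm-verity in the systemd initrd.";
+}
+];
+boot.initrd.systemd = {
+contents = {
+"/etc/systemd/system-generators/nix-store-veritysetup-generator".source =
+"${lib.getExe pkgs.nix-store-veritysetup-generator}";
+};
+storePaths = [
+"${config.boot.initrd.systemd.package}/bin/systemd-escape"
+];
+};
+};
+}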
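Review bot: The option `enable = lib.mkEnableOption "nix-store-veritysetup";` gives the user no description of what the generator does or what it needs at boot; nothing in the module says that the store is only verified against a root hash supplied on the kernel command line (the test in this commit passes it as `storehash=`, which presumably the generator reads). Suggest a descriptive phrase, e.g. `enable = lib.mkEnableOption "the nix-store-veritysetup generator, which sets up the dm-verity protected Nix store from the root hash given by the storehash= kernel parameter";`. The description should also make the trust boundary explicit: the integrity guarantee is only as strong as the provenance of that parameter, so the kernel command line must itself be authenticated (for example embedded in a signed UKI) or an attacker who can edit it can swap both the image and the hash. The assertion on `config.boot.initrd.systemd.dmVerity.enable` is good, but a matching assertion message pointing at the kernel-parameter requirement would save users a failed boot.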


@ -938,6 +938,7 @@ in
nix-required-mounts = runTest ./nix-required-mounts;
nix-serve = runTest ./nix-serve.nix;
nix-serve-ssh = runTest ./nix-serve-ssh.nix;
nix-store-veritysetup = runTest ./nix-store-veritysetup.nix;
nixops = handleTest ./nixops/default.nix { };
nixos-generate-config = runTest ./nixos-generate-config.nix;
nixos-rebuild-install-bootloader = handleTestOn [


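--- /dev/null
+++ b/nixos/tests/nix-store-veritysetup.nix
@@ -0,0 +1,108 @@
+{ lib, ... }:
+{
+name = "nix-store-veritysetup";
+meta.maintainers = with lib.maintainers; [ nikstur ];
+nodes.machine =
+{ config, modulesPath, ... }:
+{
+imports = [
+"${modulesPath}/image/repart.nix"
+];
+image.repart = {
+name = "nix-store";
+partitions = {
+"nix-store" = {
+storePaths = [ config.system.build.toplevel ];
+stripNixStorePrefix = true;
+repartConfig = {
+Type = "linux-generic";
+Label = "nix-store";
+Format = "erofs";
+Minimize = "best";
+Verity = "data";
+VerityMatchKey = "nix-store";
+};
+};
+"nix-store-verity" = {
+repartConfig = {
+Type = "linux-generic";
+Label = "nix-store-verity";
+Verity = "hash";
+VerityMatchKey = "nix-store";
+Minimize = "best";
+};
+};
+};
+};
+boot.initrd = {
+systemd = {
+enable = true;
+dmVerity.enable = true;
+};
+nix-store-veritysetup.enable = true;
+};
+virtualisation = {
+mountHostNixStore = false;
+qemu.drives = [
+{
+name = "nix-store";
+file = ''"$NIX_STORE"'';
+}
+];
+fileSystems = {
+"/nix/store" = {
+fsType = "erofs";
+device = "/dev/mapper/nix-store";
+};
+};
+};
+};
+testScript =
+{ nodes, ... }:
+''
+import os
+import json
+import subprocess
+import tempfile
+with open("${nodes.machine.system.build.image}/repart-output.json") as f:
+data = json.load(f)
+storehash = data[0]["roothash"]
+os.environ["QEMU_KERNEL_PARAMS"] = f"storehash={storehash}"
+tmp_disk_image = tempfile.NamedTemporaryFile()
+subprocess.run([
+"${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
+"create",
+"-f",
+"qcow2",
+"-b",
+"${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",
+"-F",
+"raw",
+tmp_disk_image.name,
+])
+os.environ["NIX_STORE"] = tmp_disk_image.name
+machine.start()
+print(machine.succeed("findmnt"))
+print(machine.succeed("dmsetup info nix-store"))
+machine.wait_for_unit("multi-user.target")
+'';
+}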
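Review bot: The `subprocess.run([...])` that creates the qcow2 overlay in the test script does not pass `check=True`, so a failing qemu-img (missing backing file, wrong format) is ignored and the test only fails later with an unrelated boot error; add `check=True` after the argument list, i.e. `], check=True)`. `storehash = data[0]["roothash"]` likewise assumes the data partition is the first entry of repart-output.json; picking the entry that actually carries a `roothash` key (or whose label is `nix-store`, if the output exposes labels) would survive a partition reordering. The script also exercises only the happy path — the machine boots and `dmsetup info nix-store` exists; a second case that corrupts a few bytes of the backing image and asserts that `/nix/store` fails to mount would confirm that verity enforcement is actually active rather than the mapping merely being present.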