From 66e4c2103dc89d78456a4d001d7450c0d96cfe10 Mon Sep 17 00:00:00 2001 From: hustlerone Date: Sat, 7 Dec 2024 21:02:05 +0100 Subject: [PATCH] pkgs/unl0kr: superseded by pkgs.buffybox nixos/unl0kr: accomodate for the future --- nixos/modules/system/boot/unl0kr.nix | 80 +++------- nixos/tests/systemd-initrd-luks-unl0kr.nix | 162 +++++++++++++-------- pkgs/by-name/un/unl0kr/package.nix | 58 -------- pkgs/top-level/aliases.nix | 1 + 4 files changed, 116 insertions(+), 185 deletions(-) delete mode 100644 pkgs/by-name/un/unl0kr/package.nix diff --git a/nixos/modules/system/boot/unl0kr.nix b/nixos/modules/system/boot/unl0kr.nix index 35dbaa030cb99..318090047b3a9 100644 --- a/nixos/modules/system/boot/unl0kr.nix +++ b/nixos/modules/system/boot/unl0kr.nix @@ -15,7 +15,7 @@ in description = ''Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.''; }; - package = lib.mkPackageOption pkgs "unl0kr" { }; + package = lib.mkPackageOption pkgs "buffybox" { }; allowVendorDrivers = lib.mkEnableOption "load optional drivers" // { description = ''Whether to load additional drivers for certain vendors (I.E: Wacom, Intel, etc.)''; @@ -27,12 +27,13 @@ in See `unl0kr.conf(5)` for supported values. - Alternatively, visit `https://gitlab.com/postmarketOS/buffybox/-/blob/unl0kr-2.0.0/unl0kr.conf` + Alternatively, visit `https://gitlab.postmarketos.org/postmarketOS/buffybox/-/blob/3.2.0/unl0kr/unl0kr.conf` ''; example = lib.literalExpression '' { general.animations = true; + general.backend = "drm"; theme = { default = "pmos-dark"; alternate = "pmos-light"; 
@@ -51,14 +52,15 @@ in assertion = cfg.enable -> config.boot.initrd.systemd.enable; message = "boot.initrd.unl0kr is only supported with boot.initrd.systemd."; } - { - assertion = !config.boot.plymouth.enable; - message = "unl0kr will not work if plymouth is enabled."; - } - { - assertion = !config.hardware.amdgpu.initrd.enable; - message = "unl0kr has issues with video drivers that are loaded on stage 1."; - } + ]; + + warnings = lib.mkMerge [ + (lib.mkIf (config.hardware.amdgpu.initrd.enable) [ + ''Use early video loading at your risk. It's not guaranteed to work with unl0kr.'' + ]) + (lib.mkIf (config.boot.plymouth.enable) [ + ''Upstream clearly intends unl0kr to not run with Plymouth. Good luck'' + ]) ]; boot.initrd.availableKernelModules = 
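Review bot: The two new `warnings` strings do not say which option triggered them or what will go wrong, and "Good luck" gives the user nothing to act on. The removed assertions stopped evaluation, so a configuration the message itself calls unsupported upstream now builds, and the first symptom may be a missing passphrase prompt on an encrypted root. Consider wording such as `"boot.initrd.unl0kr: boot.plymouth.enable is set; upstream does not support running unl0kr alongside Plymouth, so the LUKS prompt may not appear."`, with the same shape for `hardware.amdgpu.initrd.enable`. The parentheses around the `lib.mkIf` conditions are redundant, and `lib.optional cond "msg"` would read more simply than `mkMerge` over `mkIf` lists. The enclosing config block starts outside the hunk, so whether these warnings are already gated on `cfg.enable` cannot be seen here.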
@@ -83,65 +85,17 @@ in boot.initrd.systemd = { contents."/etc/unl0kr.conf".source = settingsFormat.generate "unl0kr.conf" cfg.settings; storePaths = with pkgs; [ - "${pkgs.gnugrep}/bin/grep" libinput xkeyboard_config - "${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password" (lib.getExe' cfg.package "unl0kr") + "${cfg.package}/libexec/unl0kr-agent" ]; - services = { - unl0kr-ask-password = { - description = "Forward Password Requests to unl0kr"; - conflicts = [ - "emergency.service" - "initrd-switch-root.target" - "shutdown.target" - ]; - unitConfig.DefaultDependencies = false; - after = [ - "systemd-vconsole-setup.service" - "udev.service" - ]; - before = [ "shutdown.target" ]; - script = '' - # This script acts as a Password Agent: https://systemd.io/PASSWORD_AGENTS/ - DIR=/run/systemd/ask-password/ - # If a user has multiple encrypted disks, the requests might come in different times, - # so make sure to answer as many requests as we can. Once boot succeeds, other - # password agents will be responsible for watching for requests. - while [ -d $DIR ] && [ "$(ls -A $DIR/ask.*)" ]; - do - for file in `ls $DIR/ask.*`; do - socket="$(cat "$file" | ${pkgs.gnugrep}/bin/grep "Socket=" | cut -d= -f2)" - ${lib.getExe' cfg.package "unl0kr"} -v -C "/etc/unl0kr.conf" | ${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password 1 "$socket" - done - done - ''; - }; - }; + packages = [ + pkgs.buffybox + ]; - paths = { - unl0kr-ask-password = { - description = "Forward Password Requests to unl0kr"; - conflicts = [ - "emergency.service" - "initrd-switch-root.target" - "shutdown.target" - ]; - unitConfig.DefaultDependencies = false; - before = [ - "shutdown.target" - "paths.target" - "cryptsetup.target" - ]; - wantedBy = [ "sysinit.target" ]; - pathConfig = { - DirectoryNotEmpty = "/run/systemd/ask-password"; - MakeDirectory = true; - }; - }; - }; + paths.unl0kr-agent.wantedBy = [ "local-fs-pre.target" ]; }; }; } 
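Review bot: `packages = [ pkgs.buffybox ];` bypasses the module's own `package` option, while `storePaths` takes both the `unl0kr` binary and `libexec/unl0kr-agent` from `cfg.package`. If a user overrides `boot.initrd.unl0kr.package`, the unit files would come from `pkgs.buffybox` but only the overridden package's files are copied into the initrd. The `unl0kr-agent` unit would then presumably reference a store path that is absent there, and no passphrase prompt would start. Use `packages = [ cfg.package ];` so the units and binaries always come from the same derivation. The `boot.initrd.systemd` attribute set begins before this hunk.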
diff --git a/nixos/tests/systemd-initrd-luks-unl0kr.nix b/nixos/tests/systemd-initrd-luks-unl0kr.nix
index 83b52646d112d..5a9af4949cc92 100644
--- a/nixos/tests/systemd-initrd-luks-unl0kr.nix
+++ b/nixos/tests/systemd-initrd-luks-unl0kr.nix
@@ -1,75 +1,109 @@ -import ./make-test-python.nix ({ lib, pkgs, ... }: let - passphrase = "secret"; -in { - name = "systemd-initrd-luks-unl0kr"; - meta = { - maintainers = []; - }; +import ./make-test-python.nix ( + { lib, pkgs, ... }: + let + passphrase = "secret"; - enableOCR = true; + debugPackages = with pkgs; [ + coreutils-prefixed + toybox - nodes.machine = { pkgs, ... }: { - virtualisation = { - emptyDiskImages = [ 512 512 ]; - useBootLoader = true; - mountHostNixStore = true; - useEFIBoot = true; - qemu.options = [ - "-vga virtio" - ]; + micro + nano + ]; + in + { + name = "systemd-initrd-luks-unl0kr"; + meta = { + maintainers = [ ]; }; - boot.loader.systemd-boot.enable = true; - boot.initrd.availableKernelModules = [ - "evdev" # for entering pw - "bochs" - ]; + # TODO: Fix OCR: #302965 + # enableOCR = true; - environment.systemPackages = with pkgs; [ cryptsetup ]; - boot.initrd = { - systemd = { - enable = true; - emergencyAccess = true; - }; - unl0kr.enable = true; - }; + nodes.machine = + { pkgs, ... }: + { + virtualisation = { + emptyDiskImages = [ + 512 + 512 + ]; + useBootLoader = true; + mountHostNixStore = true; + useEFIBoot = true; + qemu.options = [ + "-vga virtio" + ]; + }; + boot.loader.systemd-boot.enable = true; + + boot.kernelParams = [ + "rd.systemd.debug_shell" + ]; - specialisation.boot-luks.configuration = { - boot.initrd.luks.devices = lib.mkVMOverride { - # We have two disks and only type one password - key reuse is in place - cryptroot.device = "/dev/vdb"; - cryptroot2.device = "/dev/vdc"; + environment.systemPackages = + with pkgs; + [ + cryptsetup + ] + ++ debugPackages; + boot.initrd = { + systemd = { + enable = true; + emergencyAccess = true; + + storePaths = debugPackages; + }; + unl0kr = { + enable = true; + + settings = { + general.backend = "drm"; + # TODO: Fix OCR. See above. + # theme.default = "adwaita-dark"; # Improves contrast quite a bit, helpful for OCR. 
+ }; + }; + }; + + specialisation.boot-luks.configuration = { + testing.initrdBackdoor = true; + boot.initrd.luks.devices = lib.mkVMOverride { + # We have two disks and only type one password - key reuse is in place + cryptroot.device = "/dev/vdb"; + cryptroot2.device = "/dev/vdc"; + }; + virtualisation.rootDevice = "/dev/mapper/cryptroot"; + virtualisation.fileSystems."/".autoFormat = true; + # test mounting device unlocked in initrd after switching root + virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; + }; }; - virtualisation.rootDevice = "/dev/mapper/cryptroot"; - virtualisation.fileSystems."/".autoFormat = true; - # test mounting device unlocked in initrd after switching root - virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; - }; - }; - testScript = '' - # Create encrypted volume - machine.wait_for_unit("multi-user.target") - machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -") - machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") - machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2") - machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") + testScript = '' + # Create encrypted volume + machine.wait_for_unit("multi-user.target") + machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -") + machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") + machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2") + machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") - # Boot from the encrypted disk - machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") - machine.succeed("sync") - machine.crash() + # Boot from the encrypted disk + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") + machine.succeed("sync") + machine.crash() - # Boot and 
decrypt the disk - machine.start() - machine.wait_for_text("Password required for booting") - machine.screenshot("prompt") - machine.send_chars("${passphrase}") - machine.screenshot("pw") - machine.send_chars("\n") - machine.wait_for_unit("multi-user.target") + # Boot and decrypt the disk. This part of the test is SLOW. + machine.start() + machine.wait_for_unit("unl0kr-agent.service") + machine.screenshot("prompt") + machine.send_chars("${passphrase}") + machine.screenshot("pw") + machine.send_chars("\n") + machine.switch_root() + machine.wait_for_unit("multi-user.target") - assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list" - assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") - ''; -}) + assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list" + assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") + ''; + } +) diff --git a/pkgs/by-name/un/unl0kr/package.nix b/pkgs/by-name/un/unl0kr/package.nix deleted file mode 100644 index 8bedd9fc689fd..0000000000000 --- a/pkgs/by-name/un/unl0kr/package.nix +++ /dev/null 
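Review bot: The rewritten test keeps what look like debugging aids: `boot.kernelParams = [ "rd.systemd.debug_shell" ]` is set on the base machine, and `debugPackages` (coreutils-prefixed, toybox, micro, nano) is added to both `environment.systemPackages` and `boot.initrd.systemd.storePaths`. Nothing in the `testScript` shown uses them, they enlarge the initrd under test, and an unauthenticated initrd debug shell is a setting that gets copied out of tests into real configurations. I would drop both before merge, or mark each with a comment such as `# test-only debugging aid, never enable on a real system`. Separately, with OCR commented out the script sends the passphrase as soon as `unl0kr-agent.service` is up, without confirming the keyboard is on screen. The input may therefore race the UI, and a comment next to `machine.wait_for_unit("unl0kr-agent.service")` stating that limitation would help until #302965 is resolved.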
@@ -1,58 +0,0 @@
-{ lib
-, nixosTests
-, stdenv
-, fetchFromGitLab
-, inih
-, libdrm
-, libinput
-, libxkbcommon
-, meson
-, ninja
-, pkg-config
-, scdoc
-}:
-
-stdenv.mkDerivation (finalAttrs: {
- pname = "unl0kr";
- version = "2.0.0";
-
- src = fetchFromGitLab {
- domain = "gitlab.com";
- owner = "cherrypicker";
- repo = "unl0kr";
- rev = finalAttrs.version;
- fetchSubmodules = true;
- hash = "sha256-KPP4Ol1GCAWqdQYlNtKQD/jx8A/xuHdvKjcocPMqWa0=";
- };
-
- nativeBuildInputs = [
- meson
- ninja
- pkg-config
- scdoc
- ];
-
- buildInputs = [
- inih
- libdrm
- libinput
- libxkbcommon
- ];
-
- propagatedBuildInputs = [
- libxkbcommon
- ];
-
- passthru = {
- tests.unl0kr = nixosTests.systemd-initrd-luks-unl0kr;
- };
-
- meta = with lib; {
- description = "Framebuffer-based disk unlocker for the initramfs based on LVGL";
- mainProgram = "unl0kr";
- homepage = "https://gitlab.com/cherrypicker/unl0kr";
- license = licenses.gpl3Plus;
- maintainers = with maintainers; [ hustlerone ];
- platforms = platforms.linux;
- };
-})
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index f5d8760db83b5..b3240083f228b 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -1325,6 +1325,7 @@ mapAliases {
 unifi8 = unifi; # Added 2024-11-15
 unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11
 unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11
+ unl0kr = throw "'unl0kr' is now included with buffybox. Use `pkgs.buffybox` instead."; # Removed 2024-12-20
 untrunc = throw "'untrunc' has been renamed to/replaced by 'untrunc-anthwlock'"; # Converted to throw 2024-10-17
 urxvt_autocomplete_all_the_things = throw "'urxvt_autocomplete_all_the_things' has been renamed to/replaced by 'rxvt-unicode-plugins.autocomplete-all-the-things'"; # Converted to throw 2024-10-17
 urxvt_bidi = throw "'urxvt_bidi' has been renamed to/replaced by 'rxvt-unicode-plugins.bidi'"; # Converted to throw 2024-10-17