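{ lib, ... }:
{
  name = "nix-store-veritysetup-generator";
  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =
    { config, modulesPath, ... }:
    {
      imports = [
        "${modulesPath}/image/repart.nix"
      ];

      # Two-partition image: the store contents on an erofs data partition
      # and the dm-verity hash tree on a companion partition. The matching
      # `VerityMatchKey` values are what pair the two partitions.
      image.repart = {
        name = "nix-store";
        partitions = {
          "nix-store" = {
            storePaths = [ config.system.build.toplevel ];
            # The partition is mounted at /nix/store itself, so the image
            # root must not contain a nested nix/store prefix.
            stripNixStorePrefix = true;
            repartConfig = {
              Type = "linux-generic";
              Label = "nix-store";
              Format = "erofs";
              Minimize = "best";
              Verity = "data";
              VerityMatchKey = "nix-store";
            };
          };
          "nix-store-verity" = {
            repartConfig = {
              Type = "linux-generic";
              Label = "nix-store-verity";
              Verity = "hash";
              VerityMatchKey = "nix-store";
              Minimize = "best";
            };
          };
        };
      };

      boot.initrd.systemd = {
        enable = true;
        verity.enable = true;
        # Generator under test; presumably sets up /dev/mapper/nix-store from
        # the `storehash=` kernel parameter passed by testScript — confirm
        # against the module.
        nix-store-veritysetup-generator.enable = true;
      };

      virtualisation = {
        # The guest must boot from the verity-backed image, not the host's
        # store; sharing the host store would bypass the generator entirely.
        mountHostNixStore = false;
        qemu.drives = [
          {
            name = "nix-store";
            # Expanded when the VM starts; NIX_STORE is exported by
            # testScript before machine.start().
            file = ''"$NIX_STORE"'';
          }
        ];
        fileSystems = {
          "/nix/store" = {
            fsType = "erofs";
            device = "/dev/mapper/nix-store";
          };
        };
      };
    };

  testScript =
    { nodes, ... }:
    ''
      import json
      import os
      import subprocess
      import tempfile

      # The root hash is produced at image build time and handed to the
      # guest on the kernel command line. NOTE(review): this relies on the
      # store partition being the first entry of repart's output — confirm
      # the ordering is stable.
      with open("${nodes.machine.system.build.image}/repart-output.json") as f:
          data = json.load(f)
      storehash = data[0]["roothash"]
      os.environ["QEMU_KERNEL_PARAMS"] = f"storehash={storehash}"

      # Boot from a qcow2 overlay backed by the raw build output so the
      # image in the store is never written to. The file object is kept
      # referenced so the temporary file outlives machine.start().
      tmp_disk_image = tempfile.NamedTemporaryFile()
      subprocess.run(
          [
              "${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
              "create",
              "-f",
              "qcow2",
              "-b",
              "${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",
              "-F",
              "raw",
              tmp_disk_image.name,
          ],
          # Fail here rather than at boot: without check=True a failed
          # overlay creation would surface later as an unrelated error.
          check=True,
      )
      os.environ["NIX_STORE"] = tmp_disk_image.name

      machine.start()
      # Positive path only: the verity mapping exists and /nix/store is
      # mounted from it.
      print(machine.succeed("findmnt"))
      print(machine.succeed("dmsetup info nix-store"))
    '';
}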