nixos/tests: fix luks tests to not rely on autoFormat

This was testing something very odd where we created an empty luks
volume and only created a fs inside the luks volume on first boot when
opening it. This in fact is not possible without patching systemd and
indeed it shouldn't be.

This change makes the creation of the luks volumes more "normal" by also
opening them and creating an fs inside.

This will allow us to drop systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
nikstur
2026-02-02 23:49:00 +01:00
parent f4449f3f22
commit b13891782f
6 changed files with 19 additions and 8 deletions


@@ -19,8 +19,6 @@ in
nodes.machine =
{ pkgs, ... }:
{
imports = lib.optionals (!systemdStage1) [ ./common/auto-format-root-device.nix ];
virtualisation = {
emptyDiskImages = [ 512 ];
useBootLoader = true;
@@ -30,7 +28,6 @@ in
# the new root device is /dev/vdb
# an empty 512MiB drive, containing no Nix store.
mountHostNixStore = true;
fileSystems."/".autoFormat = lib.mkIf systemdStage1 true;
};
boot.loader.systemd-boot.enable = true;
@@ -90,6 +87,8 @@ in
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("echo "" | cryptsetup luksFormat /dev/vdb --batch-mode")
machine.succeed("echo "" | cryptsetup luksOpen /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-wrong-keyfile.conf")
machine.succeed("sync")
machine.crash()
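Review bot: The `echo "" |` prefix on the luksOpen line, carried over from the luksFormat line above it, does not pass an empty-string argument to echo. Inside a double-quoted Python string the `""` closes and reopens the literal, so the shell receives a bare `echo |`. The passphrase is still a single newline, so the test passes, but the line reads as something it is not. Writing `machine.succeed("echo | cryptsetup luksOpen /dev/vdb cryptroot")`, and the same on the luksFormat line, states what actually runs. This assumes the script is the Python test driver, as the `machine.succeed` calls suggest; the enclosing test script starts and ends outside the hunk.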


@@ -5,7 +5,6 @@
nodes.machine =
{ pkgs, ... }:
{
imports = [ ./common/auto-format-root-device.nix ];
# Use systemd-boot
virtualisation = {
@@ -48,7 +47,12 @@
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdc cryptroot2")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")
# Boot from the encrypted disk
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
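Review bot: Nothing in the test script records why the filesystem is now created by hand after luksOpen; that reasoning lives only in the commit message. A later reader could reasonably try to go back to `autoFormat` on the root filesystem and hit the same problem. A one-line comment above the luksOpen/mkfs pair would keep the constraint next to the code, for example `# Create the fs here: formatting an uninitialised LUKS device on first boot would need a patched systemd`. The same luksFormat/luksOpen/mkfs sequence appears in the other five test files on this page, so the comment applies there too. The enclosing test script continues outside the hunk.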


@@ -38,7 +38,6 @@ in
};
};
virtualisation.rootDevice = "/dev/mapper/cryptroot";
virtualisation.fileSystems."/".autoFormat = true;
boot.initrd.secrets."/etc/cryptroot.key" = keyfile;
};
};
@@ -47,6 +46,8 @@ in
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("cryptsetup luksFormat -q --iter-time=1 -d ${keyfile} /dev/vdb")
machine.succeed("cryptsetup luksOpen --key-file ${keyfile} /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
# Boot from the encrypted disk
machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
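Review bot: The luksOpen line spells the key-file option as `--key-file` while the luksFormat line directly above it uses `-d` for the same option, which makes the two commands look as if they take different inputs. Use one spelling on both, for example `cryptsetup luksFormat -q --iter-time=1 --key-file ${keyfile} /dev/vdb` followed by `cryptsetup luksOpen --key-file ${keyfile} /dev/vdb cryptroot`. Since `luksOpen` is the legacy alias, `cryptsetup open --type luks` would be the current form if the line is touched anyway. The enclosing test script continues outside the hunk.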


@@ -31,7 +31,6 @@
cryptroot2.device = "/dev/vdc";
};
virtualisation.rootDevice = "/dev/mapper/cryptroot";
virtualisation.fileSystems."/".autoFormat = true;
# test mounting device unlocked in initrd after switching root
virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
};
@@ -40,7 +39,11 @@
testScript = ''
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdc cryptroot2")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")


@@ -32,7 +32,6 @@
};
};
virtualisation.rootDevice = "/dev/mapper/cryptroot";
virtualisation.fileSystems."/".autoFormat = true;
};
};
@@ -40,6 +39,8 @@
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-pcrs= --tpm2-device=auto /dev/vdb |& systemd-cat")
# Boot from the encrypted disk


@@ -79,9 +79,12 @@ in
};
testScript = ''
# Create encrypted volume
machine.wait_for_unit("multi-user.target")
machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdb cryptroot")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot")
machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2")
machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")