diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 86bd81d781a..b0828a923de 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -25,7 +25,7 @@ let "nss-lookup.target" "nss-user-lookup.target" "time-sync.target" - #"cryptsetup.target" + "cryptsetup.target" "sigpwr.target" "timers.target" "paths.target" diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index a653932fb37..9d21f9158f3 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine = { lib, ... }: { imports = [ common/user-account.nix common/x11.nix ]; - virtualisation.emptyDiskImages = [ 512 ]; + virtualisation.emptyDiskImages = [ 512 512 ]; + virtualisation.memorySize = 1024; + + environment.systemPackages = [ pkgs.cryptsetup ]; fileSystems = lib.mkVMOverride { "/test-x-initrd-mount" = { @@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: { assert "RuntimeWatchdogUSec=30s" in output assert "RebootWatchdogUSec=10m" in output assert "KExecWatchdogUSec=5m" in output + + # Test systemd cryptsetup support + with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"): + # create a luks volume and put a filesystem on it + machine.succeed( + "echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -", + "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo", + "mkfs.ext3 /dev/mapper/foo", + ) + + # create a keyfile and /etc/crypttab + machine.succeed("echo -n supersecret > /var/lib/luks-keyfile") + machine.succeed("chmod 600 /var/lib/luks-keyfile") + machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab") + + # after a reboot, systemd should unlock the volume and we should be able to mount it + machine.shutdown() + machine.succeed("systemctl status systemd-cryptsetup@luks1.service") + machine.succeed("mkdir -p /tmp/luks1") + machine.succeed("mount /dev/mapper/luks1 /tmp/luks1") ''; }) diff --git a/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix b/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix deleted file mode 100644 index 3fd8ff07f42..00000000000 --- a/pkgs/os-specific/linux/systemd/cryptsetup-generator.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ systemd, cryptsetup }: - -systemd.overrideAttrs (p: { - version = p.version; - name = "systemd-cryptsetup-generator-${p.version}"; - - buildInputs = p.buildInputs ++ [ cryptsetup ]; - outputs = [ "out" ]; - - buildPhase = '' - ninja systemd-cryptsetup systemd-cryptsetup-generator - ''; - - # As ninja install is not used here, the rpath needs to be manually fixed. - # Otherwise the resulting binary doesn't properly link against systemd-shared.so - postFixup = '' - for prog in `find $out -type f -executable`; do - (patchelf --print-needed $prog | grep 'libsystemd-shared-.*\.so' > /dev/null) && ( - patchelf --set-rpath `patchelf --print-rpath $prog`:"$out/lib/systemd" $prog - ) || true - done - # test it's OK - "$out"/lib/systemd/systemd-cryptsetup - ''; - - installPhase = '' - mkdir -p $out/lib/systemd/ - cp systemd-cryptsetup $out/lib/systemd/systemd-cryptsetup - cp src/shared/*.so $out/lib/systemd/ - - mkdir -p $out/lib/systemd/system-generators/ - cp systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator - ''; -}) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index c6edbfe6764..c0163dcafe6 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -1,5 +1,5 @@ -{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap -, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, utillinux, libffi +{ stdenv, lib, fetchFromGitHub, pkgconfig, intltool, gperf, libcap +, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, e2fsprogs, utillinux, libffi , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor , audit, lz4, bzip2, pcre2 , linuxHeaders ? stdenv.cc.libc.linuxHeaders @@ -9,6 +9,7 @@ , patchelf , substituteAll , getent +, cryptsetup, lvm2 , buildPackages , perl , withSelinux ? false, libselinux @@ -30,6 +31,7 @@ let gnupg-minimal = gnupg.override { zlib = null; bzip2 = null; }; + in stdenv.mkDerivation { version = "245.7"; pname = "systemd"; @@ -89,7 +91,7 @@ in stdenv.mkDerivation { ]; buildInputs = [ linuxHeaders libcap curl.dev kmod xz pam acl - /* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2 + cryptsetup libuuid glib libgcrypt libgpgerror libidn2 pcre2 ] ++ stdenv.lib.optional withKexectools kexectools ++ stdenv.lib.optional withLibseccomp libseccomp ++ @@ -176,12 +178,28 @@ in stdenv.mkDerivation { export LC_ALL="en_US.UTF-8"; # FIXME: patch this in systemd properly (and send upstream). # already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount - for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/shutdown/shutdown.c src/nspawn/nspawn.c src/shared/generator.c units/systemd-logind.service.in units/systemd-nspawn@.service.in; do + for i in \ + src/core/mount.c \ + src/core/swap.c \ + src/cryptsetup/cryptsetup-generator.c \ + src/fsck/fsck.c \ + src/journal/cat.c \ + src/nspawn/nspawn.c \ + src/remount-fs/remount-fs.c \ + src/shared/generator.c \ + src/shutdown/shutdown.c \ + units/emergency.service.in \ + units/rescue.service.in \ + units/systemd-logind.service.in \ + units/systemd-nspawn@.service.in; \ + do test -e $i substituteInPlace $i \ --replace /usr/bin/getent ${getent}/bin/getent \ + --replace /sbin/mkswap ${lib.getBin utillinux}/sbin/mkswap \ --replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \ --replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \ + --replace /sbin/mke2fs ${lib.getBin e2fsprogs}/sbin/mke2fs \ --replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \ --replace /bin/echo ${coreutils}/bin/echo \ --replace /bin/cat ${coreutils}/bin/cat \ diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 5bc4021ea08..8737435654a 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -546,6 +546,7 @@ mapAliases ({ surf-webkit2 = surf; # added 2017-04-02 sup = throw "deprecated in 2019-09-10: abandoned by upstream"; system_config_printer = system-config-printer; # added 2016-01-03 + systemd-cryptsetup-generator = throw "systemd-cryptsetup-generator is now included in the systemd package"; # added 2020-07-12 systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12 systool = sysfsutils; # added 2018-04-25 tahoelafs = tahoe-lafs; # added 2018-03-26 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c02d7e8b041..628dd599b57 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16953,7 +16953,11 @@ in criu = callPackage ../os-specific/linux/criu { }; - cryptsetup = callPackage ../os-specific/linux/cryptsetup { }; + cryptsetup = callPackage ../os-specific/linux/cryptsetup { + # cryptsetup only really needs the devmapper component of cryptsetup + # but itself is used as a library in systemd (=udev) + lvm2 = lvm2.override { udev = null; }; + }; cramfsswap = callPackage ../os-specific/linux/cramfsswap { }; @@ -18003,9 +18007,6 @@ in }; udev = systemd; # TODO: move to aliases.nix - # standalone cryptsetup generator for systemd - systemd-cryptsetup-generator = callPackage ../os-specific/linux/systemd/cryptsetup-generator.nix { }; - systemd-wait = callPackage ../os-specific/linux/systemd-wait { }; sysvinit = callPackage ../os-specific/linux/sysvinit { };