nixpkgs/nixos/tests/nix-store-veritysetup.nix

{ lib, ... }:
{

  name = "nix-store-veritysetup";

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =
    { config, modulesPath, ... }:
    {

      imports = [
        "${modulesPath}/image/repart.nix"
      ];

      image.repart = {
        name = "nix-store";
        partitions = {
          "nix-store" = {
            storePaths = [ config.system.build.toplevel ];
            stripNixStorePrefix = true;
            repartConfig = {
              Type = "linux-generic";
              Label = "nix-store";
              Format = "erofs";
              Minimize = "best";
              Verity = "data";
              VerityMatchKey = "nix-store";
            };
          };
          "nix-store-verity" = {
            repartConfig = {
              Type = "linux-generic";
              Label = "nix-store-verity";
              Verity = "hash";
              VerityMatchKey = "nix-store";
              Minimize = "best";
            };
          };
        };
      };

      boot.initrd = {
        systemd = {
          enable = true;
          dmVerity.enable = true;
        };
        nix-store-veritysetup.enable = true;
      };

      virtualisation = {
        mountHostNixStore = false;
        qemu.drives = [
          {
            name = "nix-store";
            file = ''"$NIX_STORE"'';
          }
        ];
        fileSystems = {
          "/nix/store" = {
            fsType = "erofs";
            device = "/dev/mapper/nix-store";
          };
        };
      };

    };

  testScript =
    { nodes, ... }:
    ''
      import os
      import json
      import subprocess
      import tempfile

      with open("${nodes.machine.system.build.image}/repart-output.json") as f:
        data = json.load(f)

      storehash = data[0]["roothash"]

      os.environ["QEMU_KERNEL_PARAMS"] = f"storehash={storehash}"

      tmp_disk_image = tempfile.NamedTemporaryFile()

      subprocess.run([
        "${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
        "create",
        "-f",
        "qcow2",
        "-b",
        "${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",
        "-F",
        "raw",
        tmp_disk_image.name,
      ])

      os.environ["NIX_STORE"] = tmp_disk_image.name

      machine.start()

      print(machine.succeed("findmnt"))
      print(machine.succeed("dmsetup info nix-store"))

      machine.wait_for_unit("multi-user.target")
    '';

}
nixos/nix-store-veritysetup: init 2025-06-14 21:44:46 +02:00			`{ lib, ... }:`
			`{`

			`name = "nix-store-veritysetup";`

			`meta.maintainers = with lib.maintainers; [ nikstur ];`

			`nodes.machine =`
			`{ config, modulesPath, ... }:`
			`{`

			`imports = [`
			`"${modulesPath}/image/repart.nix"`
			`];`

			`image.repart = {`
			`name = "nix-store";`
			`partitions = {`
			`"nix-store" = {`
			`storePaths = [ config.system.build.toplevel ];`
			`stripNixStorePrefix = true;`
			`repartConfig = {`
			`Type = "linux-generic";`
			`Label = "nix-store";`
			`Format = "erofs";`
			`Minimize = "best";`
			`Verity = "data";`
			`VerityMatchKey = "nix-store";`
			`};`
			`};`
			`"nix-store-verity" = {`
			`repartConfig = {`
			`Type = "linux-generic";`
			`Label = "nix-store-verity";`
			`Verity = "hash";`
			`VerityMatchKey = "nix-store";`
			`Minimize = "best";`
			`};`
			`};`
			`};`
			`};`

			`boot.initrd = {`
			`systemd = {`
			`enable = true;`
			`dmVerity.enable = true;`
			`};`
			`nix-store-veritysetup.enable = true;`
			`};`

			`virtualisation = {`
			`mountHostNixStore = false;`
			`qemu.drives = [`
			`{`
			`name = "nix-store";`
			`file = ''"$NIX_STORE"'';`
			`}`
			`];`
			`fileSystems = {`
			`"/nix/store" = {`
			`fsType = "erofs";`
			`device = "/dev/mapper/nix-store";`
			`};`
			`};`
			`};`

			`};`

			`testScript =`
			`{ nodes, ... }:`
			`''`
			`import os`
			`import json`
			`import subprocess`
			`import tempfile`

			`with open("${nodes.machine.system.build.image}/repart-output.json") as f:`
			`data = json.load(f)`

			`storehash = data[0]["roothash"]`

			`os.environ["QEMU_KERNEL_PARAMS"] = f"storehash={storehash}"`

			`tmp_disk_image = tempfile.NamedTemporaryFile()`

			`subprocess.run([`
			`"${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",`
			`"create",`
			`"-f",`
			`"qcow2",`
			`"-b",`
			`"${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",`
			`"-F",`
			`"raw",`
			`tmp_disk_image.name,`
			`])`

			`os.environ["NIX_STORE"] = tmp_disk_image.name`

			`machine.start()`

			`print(machine.succeed("findmnt"))`
			`print(machine.succeed("dmsetup info nix-store"))`

			`machine.wait_for_unit("multi-user.target")`
			`'';`

			`}`