I am playing around with an image based NixOS setup, inspired by msanft/reproducible-immutable-nixos ("Building reproducible and immutable NixOS images. Accompanying repository for my All Systems Go 2024 talk."), blitz/sysupdate-playground ("Examples for systemd-sysupdate"), systemd/particleos etc.
It has the following features:
- A/B updates via systemd-sysupdate
- dd-able installation image and partition expansion on first boot (systemd-repart)
- base OS is immutable and integrity protected via dm-verity, / is a tmpfs
- LUKS encrypted mutable partition with TPM unlock
- secure boot to secure the above, with a custom key
With this setup, some steps need to be applied to the generated config.system.boot.loader.ukiFile (and the UKI which gets baked into the install image), in particular setting the root hash for dm-verity, and signing the UKI for secure boot.
In the end, this means I do not have a nixosConfigurations.X module which I could pass to runNixOSTest { nodes = {...} }. Instead, I have a .raw disk image.
Also, I need to adapt the QEMU machine to support secure boot and install my keys.
Currently however, there seems to be no way in the integration test framework to define nodes with custom disks, correct? Any ideas how to make this work while still being able to profit from the nice features of the NixOS integration test framework?
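The two post-processing steps the post mentions for the UKI (embedding the dm-verity root hash in the kernel command line and signing the UKI with a custom Secure Boot key), together with the checks one would run on the result, as an added shell example that is not the poster's code nor from any of the referenced repositories. The file names, the key/cert pair and the presence of `veritysetup`, `ukify`, `sbsign` and `sbverify` on PATH are assumptions; only `extract_root_hash`, `is_root_hash` and `uki_cmdline` are pure text helpers, the rest drives the real tools.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): embed a dm-verity root hash into
# a UKI and sign the UKI for Secure Boot, then verify both artifacts.
# Assumptions: the paths below are constructed placeholders; SB_KEY/SB_CERT are
# the private key and PEM certificate of your own Secure Boot db entry.
# Usage: ./uki-verity-sign.sh build
set -eu

ROOT_IMG="${ROOT_IMG:-root.img}"      # immutable root filesystem image (placeholder)
HASH_IMG="${HASH_IMG:-root.verity}"   # dm-verity hash tree, written by veritysetup
KERNEL="${KERNEL:-vmlinuz}"
INITRD="${INITRD:-initrd}"
SB_KEY="${SB_KEY:-db.key}"            # custom Secure Boot signing key (placeholder)
SB_CERT="${SB_CERT:-db.crt}"          # matching certificate, PEM (placeholder)
UKI_OUT="${UKI_OUT:-linux.efi}"

# Pull the hex root hash out of `veritysetup format` output (reads stdin).
# veritysetup prints one "Root hash: <64 hex>" line for a SHA-256 tree.
extract_root_hash() {
    sed -n 's/^Root hash:[[:space:]]*\([0-9a-f]\{64\}\)[[:space:]]*$/\1/p'
}

# Sanity check before baking a value into the kernel command line:
# exactly 64 lowercase hex characters.
is_root_hash() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Kernel command line for the image: systemd's veritysetup generator sets up
# the verity device from `roothash=`, `ro` keeps it read-only. Extra
# arguments (e.g. console=ttyS0 for a test VM) are appended verbatim.
uki_cmdline() {
    roothash="$1"
    shift
    if [ "$#" -gt 0 ]; then
        printf 'roothash=%s ro %s' "$roothash" "$*"
    else
        printf 'roothash=%s ro' "$roothash"
    fi
}

# Build the hash tree, then let ukify assemble and sign the UKI in one go.
# Prints the root hash so the caller can verify against it.
build_signed_uki() {
    roothash="$(veritysetup format "$ROOT_IMG" "$HASH_IMG" | extract_root_hash)"
    if ! is_root_hash "$roothash"; then
        echo "no usable root hash in veritysetup output" >&2
        return 1
    fi
    ukify build \
        --linux="$KERNEL" --initrd="$INITRD" \
        --cmdline="$(uki_cmdline "$roothash")" \
        --secureboot-private-key="$SB_KEY" \
        --secureboot-certificate="$SB_CERT" \
        --output="$UKI_OUT"
    printf '%s\n' "$roothash"
}

# Defender-side checks: the hash tree really matches the data image, and the
# UKI carries a valid signature chaining to the custom certificate.
verify_artifacts() {
    veritysetup verify "$ROOT_IMG" "$HASH_IMG" "$1"
    sbverify --cert "$SB_CERT" "$UKI_OUT"
}

if [ "${1:-}" = "build" ]; then
    rh="$(build_signed_uki)"
    verify_artifacts "$rh"
    echo "UKI $UKI_OUT built and verified, roothash=$rh"
fi
```

In a VM test the same `verify_artifacts` checks can be run inside the guest after boot (`veritysetup status` on the activated device and `sbverify` on the ESP copy of the UKI), which is the part a NixOS test for such an image would most want to assert on.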