nix-community
diff --git a/‎example/bcachefs-tpm2-edge-cases.nix‎
Lines changed: 12 additions & 12 deletions b/‎example/bcachefs-tpm2-edge-cases.nix‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎example/bcachefs-tpm2-fallback.nix‎
Lines changed: 3 additions & 3 deletions b/‎example/bcachefs-tpm2-fallback.nix‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎example/bcachefs-tpm2-performance.nix‎
Lines changed: 3 additions & 3 deletions b/‎example/bcachefs-tpm2-performance.nix‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎example/bcachefs-tpm2.nix‎
Lines changed: 3 additions & 3 deletions b/‎example/bcachefs-tpm2.nix‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎flake.nix‎
Lines changed: 10 additions & 1 deletion b/‎flake.nix‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎lib/default.nix‎
Lines changed: 4 additions & 0 deletions b/‎lib/default.nix‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/types/bcachefs.nix‎
Lines changed: 25 additions & 0 deletions b/‎lib/types/bcachefs.nix‎
Lines changed: 25 additions & 0 deletions
@@ -26,7 +26,7 @@
                 label = "edge-empty.vdb2";
               };
             };
-            
+
             vdb3 = {
               size = "25%";
               content = {
@@ -35,7 +35,7 @@
                 label = "edge-corrupted.vdb3";
               };
             };
-            
+
             vdb4 = {
               size = "25%";
               content = {
@@ -44,7 +44,7 @@
                 label = "edge-missing.vdb4";
               };
             };
-            
+
             vdb5 = {
               size = "25%";
               content = {
@@ -56,7 +56,7 @@
           };
         };
       };
-      
+
       vdc = {
         device = "/dev/vdc";
         type = "disk";
@@ -74,7 +74,7 @@
           };
         };
       };
-      
+
       vdd = {
         device = "/dev/vdd";
         type = "disk";
@@ -101,10 +101,10 @@
         passwordFile = "/tmp/secret.key";
         unlock = {
           enable = true;
-          secretFiles = [];
+          secretFiles = [ ];
         };
       };
-      
+
       # Test 2: Corrupted JWE file
       corrupted_test = {
         type = "bcachefs_filesystem";
@@ -114,7 +114,7 @@
           secretFiles = [ ./secrets/corrupted.jwe ];
         };
       };
-      
+
       # Test 3: Missing secret files directory (unlock disabled)
       missing_test = {
         type = "bcachefs_filesystem";
@@ -123,7 +123,7 @@
           enable = false;
         };
       };
-      
+
       # Test 4: Multiple valid keys
       multi_test = {
         type = "bcachefs_filesystem";
@@ -138,7 +138,7 @@
           extraPackages = [ ];
         };
       };
-      
+
       # Test 5: Malformed JWE files
       malformed_test = {
         type = "bcachefs_filesystem";
@@ -148,7 +148,7 @@
           secretFiles = [ ./secrets/invalid.jwe ];
         };
       };
-      
+
       # Test 6: Single device configuration
       single_device_test = {
         type = "bcachefs_filesystem";
@@ -160,4 +160,4 @@
       };
     };
   };
-}
+}
@@ -63,7 +63,7 @@
           "--compression=lz4"
           "--background_compression=lz4"
         ];
-        
+
         # TPM2 unlocking configuration (will fail due to missing TPM2 device)
         unlock = {
           enable = true;
@@ -73,7 +73,7 @@
           ];
           extraPackages = [ ];
         };
-        
+
         subvolumes = {
           "subvolumes/root" = {
             mountpoint = "/";
@@ -89,4 +89,4 @@
       };
     };
   };
-}
+}
@@ -43,7 +43,7 @@
           "--compression=lz4"
           "--background_compression=lz4"
         ];
-        
+
         # Performance test configuration with multiple keys
         unlock = {
           enable = true;
@@ -54,7 +54,7 @@
           ];
           extraPackages = [ ];
         };
-        
+
         subvolumes = {
           "subvolumes/root" = {
             mountpoint = "/";
@@ -70,4 +70,4 @@
       };
     };
   };
-}
+}
@@ -63,7 +63,7 @@
           "--compression=lz4"
           "--background_compression=lz4"
         ];
-        
+
         # TPM2 unlocking configuration
         unlock = {
           enable = true;
@@ -73,7 +73,7 @@
           ];
           extraPackages = [ ];
         };
-        
+
         subvolumes = {
           "subvolumes/root" = {
             mountpoint = "/";
@@ -89,4 +89,4 @@
       };
     };
   };
-}
+}
@@ -61,6 +61,15 @@
         system:
         let
           pkgs = nixpkgs.legacyPackages.${system};
+
+          # Import diskoLib for this system
+          diskoLibForSystem = import ./lib {
+            lib = pkgs.lib;
+            makeTest = import (nixpkgs + "/nixos/tests/make-test-python.nix");
+            eval-config = import (nixpkgs + "/nixos/lib/eval-config.nix");
+            qemu-common = import (nixpkgs + "/nixos/lib/qemu-common.nix");
+          };
+
           # FIXME: aarch64-linux seems to hang on boot
           nixosTests = lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 (
             import ./tests {
@@ -84,7 +93,7 @@
 
           jsonTypes = pkgs.writeTextFile {
             name = "jsonTypes";
-            text = (builtins.toJSON diskoLib.jsonTypes);
+            text = (builtins.toJSON diskoLibForSystem.jsonTypes);
           };
 
           treefmt = pkgs.runCommand "treefmt" { } ''
 
@@ -1117,6 +1117,8 @@ let
           description = option.description or null;
           default = option.defaultText or option.default or null;
         };
+        literalExpression = str: str;
+        literalMD = str: str;
         types = {
           attrsOf = subType: {
             type = "attrsOf";
@@ -1146,6 +1148,8 @@ let
             inherit choices;
           };
           anything = "anything";
+          package = "package";
+          path = "path";
           nonEmptyStr = "str";
           strMatching = _: "str";
           str = "str";
 
@@ -89,6 +89,31 @@
       default = { };
       description = "NixOS configuration.";
     };
+    unlock = lib.mkOption {
+      type = lib.types.submodule (
+        { ... }:
+        {
+          options = {
+            enable = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = "Enable Clevis-based unlocking for encrypted bcachefs filesystems.";
+            };
+            secretFiles = lib.mkOption {
+              type = lib.types.listOf diskoLib.optionTypes.absolute-pathname;
+              default = [ ];
+              description = "List of JWE token files for automatic unlock (TPM2, FIDO2, Tang).";
+              example = [
+                "/path/to/secrets/tpm.jwe"
+                "/path/to/secrets/yubi.jwe"
+              ];
+            };
+          };
+        }
+      );
+      default = { };
+      description = "Clevis-based unlocking configuration for encrypted bcachefs.";
+    };
     _pkgs = lib.mkOption {
       internal = true;
       readOnly = true;