import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "swap-random-encryption";

    nodes.machine =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        environment.systemPackages = [ pkgs.cryptsetup ];

        virtualisation.useDefaultFilesystems = false;

        virtualisation.rootDevice = "/dev/vda1";

        boot.initrd.postDeviceCommands = ''
          if ! test -b /dev/vda1; then
            ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
            sync
          fi

          FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
          if test -z "$FSTYPE"; then
            ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
          fi
        '';

        virtualisation.fileSystems = {
          "/" = {
            device = "/dev/disk/by-label/root";
            fsType = "ext4";
          };
        };

        swapDevices = [
          {
            device = "/dev/vda2";

            randomEncryption = {
              enable = true;
              cipher = "aes-xts-plain64";
              keySize = 512;
              sectorSize = 4096;
            };
          }
        ];
      };

    testScript = ''
      machine.wait_for_unit("multi-user.target")

      with subtest("Swap is active"):
        # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
        machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")

      with subtest("Swap device has 4k sector size"):
        import json
        result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
        block_devices = result["blockdevices"]
        if len(block_devices) != 1:
          raise Exception ("lsblk output did not report exactly one block device")

        swapDevice = block_devices[0];
        if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):
          raise Exception ("swap device does not have the sector size specified in the configuration")

      with subtest("Swap encrypt has assigned cipher and keysize"):
        import re

        results = machine.succeed("cryptsetup status dev-vda2").splitlines()

        cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
        if not any(cipher_pattern.fullmatch(line) for line in results):
          raise Exception ("swap device encryption does not use the cipher specified in the configuration")

        key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
        if not any(key_size_pattern.fullmatch(line) for line in results):
          raise Exception ("swap device encryption does not use the key size specified in the configuration")
    '';
  }
)