import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "luks";

    nodes.machine =
      { pkgs, ... }:
      {
        imports = [ ./common/auto-format-root-device.nix ];

        # Use systemd-boot
        virtualisation = {
          emptyDiskImages = [
            512
            512
          ];
          useBootLoader = true;
          useEFIBoot = true;
          # To boot off the encrypted disk, we need to have a init script which comes from the Nix store
          mountHostNixStore = true;
        };
        boot.loader.systemd-boot.enable = true;

        boot.kernelParams = lib.mkOverride 5 [ "console=tty1" ];

        environment.systemPackages = with pkgs; [ cryptsetup ];

        specialisation = rec {
          boot-luks.configuration = {
            boot.initrd.luks.devices = lib.mkVMOverride {
              # We have two disks and only type one password - key reuse is in place
              cryptroot.device = "/dev/vdb";
              cryptroot2.device = "/dev/vdc";
            };
            virtualisation.rootDevice = "/dev/mapper/cryptroot";
          };
          boot-luks-custom-keymap.configuration = lib.mkMerge [
            boot-luks.configuration
            {
              console.keyMap = "neo";
            }
          ];
        };
      };

    enableOCR = true;

    testScript = ''
      # Create encrypted volume
      machine.wait_for_unit("multi-user.target")
      machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
      machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")

      # Boot from the encrypted disk
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
      machine.succeed("sync")
      machine.crash()

      # Boot and decrypt the disk
      machine.start()
      machine.wait_for_text("Passphrase for")
      machine.send_chars("supersecret\n")
      machine.wait_for_unit("multi-user.target")

      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")

      # Boot from the encrypted disk with custom keymap
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-custom-keymap.conf")
      machine.succeed("sync")
      machine.crash()

      # Boot and decrypt the disk
      machine.start()
      machine.wait_for_text("Passphrase for")
      machine.send_chars("havfkhfrkfl\n")
      machine.wait_for_unit("multi-user.target")

      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
    '';
  }
)