nixpkgs/modules/system/boot/luksroot.nix

{pkgs, config, ...}:

with pkgs.lib;

let
  luksRoot = config.boot.initrd.luksRoot;
in
{

  options = {

    boot.initrd.luksRoot = mkOption {
      default = "";
      example = "/dev/sda3";
      description = '';
        The device that should be decrypted using LUKS before trying to mount the
        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
         
        Make sure that initrd has the crypto modules needed for decryption.

        The decrypted device name is /dev/mapper/luksroot.
      '';
    };

  };


  config = mkIf (luksRoot != "") {

    boot.initrd.extraUtilsCommands = ''
      cp -r ${pkgs.cryptsetup}/lib/* $out/lib/
      cp -r ${pkgs.popt}/lib/* $out/lib
      cp ${pkgs.cryptsetup}/sbin/* $out/bin
    '';

    boot.initrd.postDeviceCommands = ''
      cryptsetup luksOpen ${luksRoot} luksroot
      lvm vgscan
      lvm vgchange -ay
    '';

  };

}
Encrypted root support via LUKS svn path=/nixos/trunk/; revision=24459 2010-10-25 00:57:30 +00:00			`{pkgs, config, ...}:`

			`with pkgs.lib;`

			`let`
			`luksRoot = config.boot.initrd.luksRoot;`
			`in`
			`{`

			`options = {`

			`boot.initrd.luksRoot = mkOption {`
* Fix evaluation of the luksroot module when luksRoot == null. The problem is that configuration values below a mkIf are evaluated strictly even if the condition is false. Thus "${luksRoot}" causes an evaluation error. As a workaround, use the empty string instead of `null' as the default value. However, we should really fix the laziness of mkIf. It's likely that NixOS evaluation would be much faster if it didn't have to evaluate disabled configuration values. svn path=/nixos/trunk/; revision=24477 2010-10-25 22:21:51 +00:00			`default = "";`
Encrypted root support via LUKS svn path=/nixos/trunk/; revision=24459 2010-10-25 00:57:30 +00:00			`example = "/dev/sda3";`
			`description = '';`
			`The device that should be decrypted using LUKS before trying to mount the`
			`root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.`

			`Make sure that initrd has the crypto modules needed for decryption.`

			`The decrypted device name is /dev/mapper/luksroot.`
			`'';`
			`};`

			`};`



* Fix evaluation of the luksroot module when luksRoot == null. The problem is that configuration values below a mkIf are evaluated strictly even if the condition is false. Thus "${luksRoot}" causes an evaluation error. As a workaround, use the empty string instead of `null' as the default value. However, we should really fix the laziness of mkIf. It's likely that NixOS evaluation would be much faster if it didn't have to evaluate disabled configuration values. svn path=/nixos/trunk/; revision=24477 2010-10-25 22:21:51 +00:00			`config = mkIf (luksRoot != "") {`
Encrypted root support via LUKS svn path=/nixos/trunk/; revision=24459 2010-10-25 00:57:30 +00:00
			`boot.initrd.extraUtilsCommands = ''`
			`cp -r ${pkgs.cryptsetup}/lib/* $out/lib/`
			`cp -r ${pkgs.popt}/lib/* $out/lib`
			`cp ${pkgs.cryptsetup}/sbin/* $out/bin`
			`'';`

			`boot.initrd.postDeviceCommands = ''`
			`cryptsetup luksOpen ${luksRoot} luksroot`
			`lvm vgscan`
			`lvm vgchange -ay`
			`'';`

			`};`

			`}`