nixpkgs/nixos/modules/tasks/encrypted-devices.nix

{ config, lib, ... }:

with lib;

let
  fileSystems = config.system.build.fileSystems ++ config.swapDevices;
  encDevs = filter (dev: dev.encrypted.enable) fileSystems;
  keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
  keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
  anyEncrypted =
    fold (j: v: v || j.encrypted.enable) false encDevs;

  encryptedFSOptions = {

    options.encrypted = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry.";
      };

      blkDev = mkOption {
        default = null;
        example = "/dev/sda1";
        type = types.nullOr types.str;
        description = "Location of the backing encrypted device.";
      };

      label = mkOption {
        default = null;
        example = "rootfs";
        type = types.nullOr types.str;
        description = "Label of the unlocked encrypted device. Set <literal>fileSystems.&lt;name?&gt;.device</literal> to <literal>/dev/mapper/&lt;label&gt;</literal> to mount the unlocked device.";
      };

      keyFile = mkOption {
        default = null;
        example = "/mnt-root/root/.swapkey";
        type = types.nullOr types.str;
        description = ''
          Path to a keyfile used to unlock the backing encrypted
          device. At the time this keyfile is accessed, the
          <literal>neededForBoot</literal> filesystems (see
          <literal>fileSystems.&lt;name?&gt;.neededForBoot</literal>)
          will have been mounted under <literal>/mnt-root</literal>,
          so the keyfile path should usually start with "/mnt-root/".
        '';
      };
    };
  };
in

{

  options = {
    fileSystems = mkOption {
      type = with lib.types; attrsOf (submodule encryptedFSOptions);
    };
    swapDevices = mkOption {
      type = with lib.types; listOf (submodule encryptedFSOptions);
    };
  };

  config = mkIf anyEncrypted {
    assertions = map (dev: {
      assertion = dev.encrypted.label != null;
      message = ''
        The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
      '';
    }) encDevs;

    boot.initrd = {
      luks = {
        devices =
          builtins.listToAttrs (map (dev: {
            name = dev.encrypted.label;
            value = { device = dev.encrypted.blkDev; };
          }) keylessEncDevs);
        forceLuksSupportInInitrd = true;
      };
      postMountCommands =
        concatMapStrings (dev:
          "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
        ) keyedEncDevs;
    };
  };
}
Get all lib functions from lib, not pkgs.lib, in modules 2014-05-05 14:58:51 -04:00			`{ config, lib, ... }:`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00
Get all lib functions from lib, not pkgs.lib, in modules 2014-05-05 14:58:51 -04:00			`with lib;`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00
			`let`
nixos: apply toposort to fileSystems to support bind and move mounts And use new `config.system.build.fileSystems` property everywhere. 2015-11-25 19:09:09 +00:00			`fileSystems = config.system.build.fileSystems ++ config.swapDevices;`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`encDevs = filter (dev: dev.encrypted.enable) fileSystems;`
			`keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;`
encrypted-devices service: Fix keyed mount, clarify descriptions. Not enough arguments were supplied to cryptsetup when a key-file was specified. Also don't try to unlock keyedEncDevs with a password. 2015-09-21 20:02:27 +01:00			`keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`anyEncrypted =`
			`fold (j: v: v \|\| j.encrypted.enable) false encDevs;`

			`encryptedFSOptions = {`

types.optionSet: deprecate and remove last usages 2019-01-26 21:44:05 +02:00			`options.encrypted = {`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`enable = mkOption {`
			`default = false;`
			`type = types.bool;`
nixos: add some missing '.' in option descriptions 2014-06-24 21:23:14 +02:00			`description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry.";`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`

nixos/tasks/encrypted-devices: fix regression from #54637 27982b408e465554b8831f492362bc87ed0ec02a introduced a bug when refactoring the encrypted-devices module, causing some encrypted filesystem options to not be recognized anymore. See e.g. https://hydra.nixos.org/build/88145490 2019-02-02 17:31:31 +01:00			`blkDev = mkOption {`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`default = null;`
			`example = "/dev/sda1";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.nullOr types.str;`
nixos: add some missing '.' in option descriptions 2014-06-24 21:23:14 +02:00			`description = "Location of the backing encrypted device.";`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`

nixos/tasks/encrypted-devices: fix regression from #54637 27982b408e465554b8831f492362bc87ed0ec02a introduced a bug when refactoring the encrypted-devices module, causing some encrypted filesystem options to not be recognized anymore. See e.g. https://hydra.nixos.org/build/88145490 2019-02-02 17:31:31 +01:00			`label = mkOption {`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`default = null;`
			`example = "rootfs";`
Revert part of #9982 to be in line with #9925 When creating PR #9982, I undid a line of PR #9925, that was some cleanups and fixes, so this undoes that damage. 2015-11-26 14:40:31 +00:00			`type = types.nullOr types.str;`
encrypted-devices service: Fix keyed mount, clarify descriptions. Not enough arguments were supplied to cryptsetup when a key-file was specified. Also don't try to unlock keyedEncDevs with a password. 2015-09-21 20:02:27 +01:00			`description = "Label of the unlocked encrypted device. Set <literal>fileSystems.<name?>.device</literal> to <literal>/dev/mapper/<label></literal> to mount the unlocked device.";`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`

nixos/tasks/encrypted-devices: fix regression from #54637 27982b408e465554b8831f492362bc87ed0ec02a introduced a bug when refactoring the encrypted-devices module, causing some encrypted filesystem options to not be recognized anymore. See e.g. https://hydra.nixos.org/build/88145490 2019-02-02 17:31:31 +01:00			`keyFile = mkOption {`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`default = null;`
encrypted devices: provide working example 2017-10-16 17:46:46 +02:00			`example = "/mnt-root/root/.swapkey";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.nullOr types.str;`
nixos/boot: some documentation improvements - Give a more accurate description of how fileSystems.<name/>.neededForBoot works - Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile works 2020-07-26 17:05:21 -07:00			`description = ''`
			`Path to a keyfile used to unlock the backing encrypted`
			`device. At the time this keyfile is accessed, the`
			`<literal>neededForBoot</literal> filesystems (see`
			`<literal>fileSystems.<name?>.neededForBoot</literal>)`
			`will have been mounted under <literal>/mnt-root</literal>,`
			`so the keyfile path should usually start with "/mnt-root/".`
			`'';`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`
			`};`
			`};`
			`in`

			`{`

			`options = {`
			`fileSystems = mkOption {`
treewide: completely remove types.loaOf 2020-08-23 01:28:45 +02:00			`type = with lib.types; attrsOf (submodule encryptedFSOptions);`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`
			`swapDevices = mkOption {`
types.optionSet: deprecate and remove last usages 2019-01-26 21:44:05 +02:00			`type = with lib.types; listOf (submodule encryptedFSOptions);`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`
			`};`

			`config = mkIf anyEncrypted {`
encrypted devices: add label set assertion (#29651) 2017-09-23 20:02:16 +02:00			`assertions = map (dev: {`
assertion should check for encrypted.label of the defined fileSystem 2017-09-25 00:45:52 +02:00			`assertion = dev.encrypted.label != null;`
encrypted devices: add label set assertion (#29651) 2017-09-23 20:02:16 +02:00			`message = ''`
			`The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set`
			`'';`
			`}) encDevs;`

Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`boot.initrd = {`
			`luks = {`
			`devices =`
nixos/boot: some documentation improvements - Give a more accurate description of how fileSystems.<name/>.neededForBoot works - Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile works 2020-07-26 17:05:21 -07:00			`builtins.listToAttrs (map (dev: {`
			`name = dev.encrypted.label;`
			`value = { device = dev.encrypted.blkDev; };`
			`}) keylessEncDevs);`
nixos/fileystems: Fix boot fails with encrypted fs Boot fails when a keyfile is configured for all encrypted filesystems and no other luks devices are configured. This is because luks support is only enabled in the initrd, when boot.initrd.luks.devices has entries. When a fileystem has a keyfile configured though, it is setup by a custom command, not by boot.initrd.luks. This commit adds an internal config flag to enable luks support in the initrd file, even if there are no luks devices configured. 2017-09-14 04:44:14 +02:00			`forceLuksSupportInInitrd = true;`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`
			`postMountCommands =`
nixos/boot: some documentation improvements - Give a more accurate description of how fileSystems.<name/>.neededForBoot works - Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile works 2020-07-26 17:05:21 -07:00			`concatMapStrings (dev:`
			`"cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"`
			`) keyedEncDevs;`
Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00			`};`
			`};`
			`}`