nixos/boot: some documentation improvements

- Give a more accurate description of how fileSystems.<name/>.neededForBoot
  works

- Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile
  works
Keshav Kini 2020-07-26 17:05:21 -07:00
parent ea1287110f
commit 5e86bba082
3 changed files with 26 additions and 11 deletions


@ -2,9 +2,11 @@ pkgs: with pkgs.lib;
rec {
# Check whenever fileSystem is needed for boot
fsNeededForBoot = fs: fs.neededForBoot
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
# Check whenever fileSystem is needed for boot. NOTE: Make sure
# pathsNeededForBoot is closed under the parent relationship, i.e. if /a/b/c
# is in the list, put /a and /a/b in as well.
pathsNeededForBoot = [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
fsNeededForBoot = fs: fs.neededForBoot || elem fs.mountPoint pathsNeededForBoot;
# Check whenever `b` depends on `a` as a fileSystem
fsBefore = a: b: a.mountPoint == b.device
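Review bot: The comment now sitting above `pathsNeededForBoot` still reads "Check whenever fileSystem is needed for boot", which was carried over from `fsNeededForBoot` and no longer describes the list it annotates; since this list is now a public attribute of utils that the fileSystems option description renders into user documentation (see the second file in this commit), it deserves its own comment, e.g. `# Mount points that are always mounted in the initial ramdisk, regardless of neededForBoot.` followed by the existing NOTE about parent closure. In both comments "whenever" should read "whether". The body of `fsBefore` continues past the end of the hunk.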


@ -559,10 +559,12 @@ in
default = false;
type = types.bool;
description = ''
If set, this file system will be mounted in the initial
ramdisk. By default, this applies to the root file system
and to the file system containing
<filename>/nix/store</filename>.
If set, this file system will be mounted in the initial ramdisk.
Note that the file system will always be mounted in the initial
ramdisk if its mount point is one of the following:
${concatStringsSep ", " (
forEach utils.pathsNeededForBoot (i: "<filename>${i}</filename>")
)}.
'';
};
});


@ -37,7 +37,14 @@ let
default = null;
example = "/mnt-root/root/.swapkey";
type = types.nullOr types.str;
description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
description = ''
Path to a keyfile used to unlock the backing encrypted
device. At the time this keyfile is accessed, the
<literal>neededForBoot</literal> filesystems (see
<literal>fileSystems.&lt;name?&gt;.neededForBoot</literal>)
will have been mounted under <literal>/mnt-root</literal>,
so the keyfile path should usually start with "/mnt-root/".
'';
};
};
};
@ -65,12 +72,16 @@ in
boot.initrd = {
luks = {
devices =
builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs);
builtins.listToAttrs (map (dev: {
name = dev.encrypted.label;
value = { device = dev.encrypted.blkDev; };
}) keylessEncDevs);
forceLuksSupportInInitrd = true;
};
postMountCommands =
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
concatMapStrings (dev:
"cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
) keyedEncDevs;
};
};
}
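Review bot: In the re-wrapped `postMountCommands` line, `keyFile`, `blkDev` and `label` are interpolated into the `cryptsetup` shell command unquoted, so a keyfile path containing a space or shell metacharacter would be word-split or interpreted by the initrd shell; the reflow is a good moment to escape them, e.g. `"cryptsetup luksOpen --key-file ${escapeShellArg dev.encrypted.keyFile} ${escapeShellArg dev.encrypted.blkDev} ${escapeShellArg dev.encrypted.label};\n"` (assuming `lib` is in scope here, as the unqualified `concatMapStrings` suggests). Since the new keyFile description says the file is read from a filesystem mounted under /mnt-root, it may also be worth adding one sentence there noting that the keyfile's confidentiality is only as good as the filesystem it lives on, so it should normally reside on a filesystem that is itself encrypted (typically the root filesystem). The values come from the evaluated configuration rather than untrusted input, so this is a robustness fix rather than an injection concern.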