nixos/boot: some documentation improvements
- Give a more accurate description of how fileSystems.<name/>.neededForBoot works - Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile works
This commit is contained in:
parent
ea1287110f
commit
5e86bba082
|
@ -2,9 +2,11 @@ pkgs: with pkgs.lib;
|
|||
|
||||
rec {
|
||||
|
||||
# Check whenever fileSystem is needed for boot
|
||||
fsNeededForBoot = fs: fs.neededForBoot
|
||||
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
|
||||
# Check whenever fileSystem is needed for boot. NOTE: Make sure
|
||||
# pathsNeededForBoot is closed under the parent relationship, i.e. if /a/b/c
|
||||
# is in the list, put /a and /a/b in as well.
|
||||
pathsNeededForBoot = [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
|
||||
fsNeededForBoot = fs: fs.neededForBoot || elem fs.mountPoint pathsNeededForBoot;
|
||||
|
||||
# Check whenever `b` depends on `a` as a fileSystem
|
||||
fsBefore = a: b: a.mountPoint == b.device
|
||||
|
|
|
@ -559,10 +559,12 @@ in
|
|||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
If set, this file system will be mounted in the initial
|
||||
ramdisk. By default, this applies to the root file system
|
||||
and to the file system containing
|
||||
<filename>/nix/store</filename>.
|
||||
If set, this file system will be mounted in the initial ramdisk.
|
||||
Note that the file system will always be mounted in the initial
|
||||
ramdisk if its mount point is one of the following:
|
||||
${concatStringsSep ", " (
|
||||
forEach utils.pathsNeededForBoot (i: "<filename>${i}</filename>")
|
||||
)}.
|
||||
'';
|
||||
};
|
||||
});
|
||||
|
|
|
@ -37,7 +37,14 @@ let
|
|||
default = null;
|
||||
example = "/mnt-root/root/.swapkey";
|
||||
type = types.nullOr types.str;
|
||||
description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
|
||||
description = ''
|
||||
Path to a keyfile used to unlock the backing encrypted
|
||||
device. At the time this keyfile is accessed, the
|
||||
<literal>neededForBoot</literal> filesystems (see
|
||||
<literal>fileSystems.<name?>.neededForBoot</literal>)
|
||||
will have been mounted under <literal>/mnt-root</literal>,
|
||||
so the keyfile path should usually start with "/mnt-root/".
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -65,12 +72,16 @@ in
|
|||
boot.initrd = {
|
||||
luks = {
|
||||
devices =
|
||||
builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs);
|
||||
builtins.listToAttrs (map (dev: {
|
||||
name = dev.encrypted.label;
|
||||
value = { device = dev.encrypted.blkDev; };
|
||||
}) keylessEncDevs);
|
||||
forceLuksSupportInInitrd = true;
|
||||
};
|
||||
postMountCommands =
|
||||
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
|
||||
concatMapStrings (dev:
|
||||
"cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
|
||||
) keyedEncDevs;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue