nixos/luksroot.nix: add option boot.initrd.luks.devices.<name?>.fallback

This option, if set to true, enables fallbacking to an interactive
passphrase prompt when the specified keyFile is not found.

The default is false, which is compatible with previous behavior and
doesn't prevent unattended boot.
This commit is contained in:
Symphorien Gibol 2017-10-23 22:22:26 +02:00
parent 8158cd6d5e
commit 601fc20248

View File

@ -5,7 +5,7 @@ with lib;
let
luks = config.boot.initrd.luks;
openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
# Wait for a target (e.g. device, keyFile, header, ...) to appear.
wait_target() {
@ -45,13 +45,15 @@ let
${optionalString (header != null) "--header=${header}"} \
> /.luksopen_args
${optionalString (keyFile != null) ''
if [ -e ${keyFile} ]; then
${optionalString fallback "if [ -e ${keyFile} ]; then"}
echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
>> /.luksopen_args
${optionalString fallback ''
else
echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
fi
''}
''}
cryptsetup-askpass
rm /.luksopen_args
}
@ -330,6 +332,16 @@ in
'';
};
fallback = mkOption {
default = false;
type = types.bool;
description = ''
Whether to fallback to interactive passphrase prompt if the keyfile
cannot be found. This will prevent unattended boot should the keyfile
go missing.
'';
};
yubikey = mkOption {
default = null;
description = ''