nixos/luksroot.nix: add option boot.initrd.luks.devices.<name?>.fallback

This option, if set to true, enables fallbacking to an interactive
passphrase prompt when the specified keyFile is not found.

The default is false, which is compatible with previous behavior and
doesn't prevent unattended boot.

nixos/modules/system/boot/luksroot.nix

@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
@@ -45,13 +45,15 @@ let
           ${optionalString (header != null) "--header=${header}"} \
           > /.luksopen_args
         ${optionalString (keyFile != null) ''
-        if [ -e ${keyFile} ]; then
+        ${optionalString fallback "if [ -e ${keyFile} ]; then"}
             echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
               >> /.luksopen_args
+        ${optionalString fallback ''
         else
             echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
         fi
         ''}
+        ''}
         cryptsetup-askpass
         rm /.luksopen_args
     }
@@ -330,6 +332,16 @@ in
             '';
           };
 
+          fallback = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to fallback to interactive passphrase prompt if the keyfile
+              cannot be found. This will prevent unattended boot should the keyfile
+              go missing.
+            '';
+          };
+
           yubikey = mkOption {
             default = null;
             description = ''