public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

change swap.randomEncryption config option to "coercedTo" for backwards compatibility

Browse Source
This commit is contained in:
Martin Wohlert 2017-05-28 14:46:18 +02:00 committed by Nikolay Amiantov
parent c3d5cfdc3c
commit 9be26f81ca
1 changed files with 55 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
nixos/modules/config/swap.nix
View File

@ -5,6 +5,52 @@ with lib;
let let
randomEncryptionCoerce = enable: { inherit enable; };
randomEncryptionOpts = { ... }: {
options = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Encrypt swap device with a random key. This way you won't have a persistent swap device.
WARNING: Don't try to hibernate when you have at least one swap partition with
this option enabled! We have no way to set the partition into which hibernation image
is saved, so if your image ends up on an encrypted one you would lose it!
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
when using randomEncryption as the UUIDs and labels will get erased on every boot when
the partition is encrypted. Best to use /dev/disk/by-partuuid/
'';
};
cipher = mkOption {
default = "aes-xts-plain64";
example = "serpent-xts-plain64";
type = types.str;
description = ''
Use specified cipher for randomEncryption.
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
'';
};
source = mkOption {
default = "/dev/urandom";
example = "/dev/random";
type = types.str;
description = ''
Define the source of randomness to obtain a random key for encryption.
'';
};
};
};
swapCfg = {config, options, ...}: { swapCfg = {config, options, ...}: {
options = { options = {
@ -45,12 +91,19 @@ let
''; '';
}; };
randomEncryption.enable = mkOption { randomEncryption = mkOption {
default = false; default = false;
type = types.bool; example = {
enable = true;
cipher = "serpent-xts-plain64";
source = "/dev/random";
};
type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
description = '' description = ''
Encrypt swap device with a random key. This way you won't have a persistent swap device. Encrypt swap device with a random key. This way you won't have a persistent swap device.
HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
WARNING: Don't try to hibernate when you have at least one swap partition with WARNING: Don't try to hibernate when you have at least one swap partition with
this option enabled! We have no way to set the partition into which hibernation image this option enabled! We have no way to set the partition into which hibernation image
is saved, so if your image ends up on an encrypted one you would lose it! is saved, so if your image ends up on an encrypted one you would lose it!
@ -61,26 +114,6 @@ let
''; '';
}; };
randomEncryption.cipher = mkOption {
default = "aes-xts-plain64";
example = "serpent-xts-plain64";
type = types.str;
description = ''
Use specified cipher for randomEncryption.
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
'';
};
randomEncryption.source = mkOption {
default = "/dev/urandom";
example = "/dev/random";
type = types.str;
description = ''
Define the source of randomness to obtain a random key for encryption.
'';
};
deviceName = mkOption { deviceName = mkOption {
type = types.str; type = types.str;
internal = true; internal = true;