Enable two-factor authentication by default. Add proper descriptions to attributes.

This commit is contained in:
Moritz Maxeiner 2014-01-28 23:45:16 +01:00
parent 45b1ffb8db
commit cce9712331


@ -53,7 +53,7 @@ let
} }
drop() { drop() {
local c=$1 local c="$1"
shift shift
if [ -e "$1" ]; then if [ -e "$1" ]; then
cat "$1" | ( dd of=/dev/null bs="$c" count=1 2>/dev/null ; dd 2>/dev/null ) cat "$1" | ( dd of=/dev/null bs="$c" count=1 2>/dev/null ; dd 2>/dev/null )
@ -286,48 +286,57 @@ in
yubikey = mkOption { yubikey = mkOption {
default = null; default = null;
type = types.nullOr types.optionSet; type = types.nullOr types.optionSet;
description = "TODO"; description = ''
The options to use for this LUKS device in Yubikey-PBA.
If null (the default), Yubikey-PBA will be disabled for this device.
'';
options = { options = {
twoFactor = mkOption { twoFactor = mkOption {
default = false; default = true;
type = types.bool; type = types.bool;
description = "TODO"; description = "Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false)";
}; };
slot = mkOption { slot = mkOption {
default = 2; default = 2;
type = types.int; type = types.int;
description = "TODO"; description = "Which slot on the Yubikey to challenge";
}; };
storage = mkOption { storage = mkOption {
type = types.optionSet; type = types.optionSet;
description = "TODO"; description = "Options related to the authentication record";
options = { options = {
device = mkOption { device = mkOption {
default = /dev/sda1; default = /dev/sda1;
type = types.path; type = types.path;
description = "TODO"; description = ''
An unencrypted device that will temporarily be mounted in stage-1.
Must contain the authentication record for this LUKS device.
'';
}; };
fsType = mkOption { fsType = mkOption {
default = "vfat"; default = "vfat";
type = types.string; type = types.string;
description = "TODO"; description = "The filesystem of the unencrypted device";
}; };
mountPoint = mkOption { mountPoint = mkOption {
default = "/crypt-storage"; default = "/crypt-storage";
type = types.string; type = types.string;
description = "TODO"; description = "Path where the unencrypted device will be mounted in stage-1";
}; };
path = mkOption { path = mkOption {
default = "/crypt-storage/default"; default = "/crypt-storage/default";
type = types.string; type = types.string;
description = "TODO"; description = ''
Absolute path of the authentication record on the unencrypted device with
that device's root directory as "/".
'';
}; };
}; };
}; };
@ -340,7 +349,11 @@ in
boot.initrd.luks.yubikeySupport = mkOption { boot.initrd.luks.yubikeySupport = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = "TODO"; description = ''
Enables support for authenticating with a Yubikey on LUKS devices.
See the NixOS wiki for information on how to properly setup a LUKS device
and a Yubikey to work with this feature.
'';
}; };
}; };
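Review bot: The new description of `storage.path` says the path is taken with the unencrypted device's root directory as "/", but its default `"/crypt-storage/default"` begins with the default of `storage.mountPoint` (`"/crypt-storage"`), so the two read as contradictory: either the default should be `"/default"`, or the description should say the path is resolved in the stage-1 root after the device has been mounted at mountPoint. Which reading is right depends on how the stage-1 script consumes the value, which is outside this hunk, so confirm that before changing either line. The same hunk keeps `types.string` for fsType, mountPoint and path; that type merges several definitions by concatenating them, so a conflicting definition from another module would yield a silently wrong path rather than an error, which `types.str` would report. Separately, the `drop()` function in the first hunk relies on `dd bs="$c" count=1` consuming a full block from a pipe, but a single read from a pipe may return fewer than `$c` bytes, so fewer bytes than intended can be skipped before the rest of the record is passed on; `iflag=fullblock` on that first dd avoids this where the initrd's dd supports it. The attribute set enclosing the option definitions begins before the second hunk's first line.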