88 lines
2.7 KiB
Nix
88 lines
2.7 KiB
Nix
{ config, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
fileSystems = config.system.build.fileSystems ++ config.swapDevices;
|
|
encDevs = filter (dev: dev.encrypted.enable) fileSystems;
|
|
keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
|
|
keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
|
|
anyEncrypted =
|
|
fold (j: v: v || j.encrypted.enable) false encDevs;
|
|
|
|
encryptedFSOptions = {
|
|
|
|
options.encrypted = {
|
|
enable = mkOption {
|
|
default = false;
|
|
type = types.bool;
|
|
description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry.";
|
|
};
|
|
|
|
blkDev = mkOption {
|
|
default = null;
|
|
example = "/dev/sda1";
|
|
type = types.nullOr types.str;
|
|
description = "Location of the backing encrypted device.";
|
|
};
|
|
|
|
label = mkOption {
|
|
default = null;
|
|
example = "rootfs";
|
|
type = types.nullOr types.str;
|
|
description = "Label of the unlocked encrypted device. Set <literal>fileSystems.<name?>.device</literal> to <literal>/dev/mapper/<label></literal> to mount the unlocked device.";
|
|
};
|
|
|
|
keyFile = mkOption {
|
|
default = null;
|
|
example = "/mnt-root/root/.swapkey";
|
|
type = types.nullOr types.str;
|
|
description = ''
|
|
Path to a keyfile used to unlock the backing encrypted
|
|
device. At the time this keyfile is accessed, the
|
|
<literal>neededForBoot</literal> filesystems (see
|
|
<literal>fileSystems.<name?>.neededForBoot</literal>)
|
|
will have been mounted under <literal>/mnt-root</literal>,
|
|
so the keyfile path should usually start with "/mnt-root/".
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
fileSystems = mkOption {
|
|
type = with lib.types; attrsOf (submodule encryptedFSOptions);
|
|
};
|
|
swapDevices = mkOption {
|
|
type = with lib.types; listOf (submodule encryptedFSOptions);
|
|
};
|
|
};
|
|
|
|
config = mkIf anyEncrypted {
|
|
assertions = map (dev: {
|
|
assertion = dev.encrypted.label != null;
|
|
message = ''
|
|
The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
|
|
'';
|
|
}) encDevs;
|
|
|
|
boot.initrd = {
|
|
luks = {
|
|
devices =
|
|
builtins.listToAttrs (map (dev: {
|
|
name = dev.encrypted.label;
|
|
value = { device = dev.encrypted.blkDev; };
|
|
}) keylessEncDevs);
|
|
forceLuksSupportInInitrd = true;
|
|
};
|
|
postMountCommands =
|
|
concatMapStrings (dev:
|
|
"cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
|
|
) keyedEncDevs;
|
|
};
|
|
};
|
|
}
|