diff --git a/example/complex.nix b/example/complex.nix index 7a3d924..13fba12 100644 --- a/example/complex.nix +++ b/example/complex.nix @@ -31,7 +31,7 @@ content = { type = "luks"; name = "crypted1"; - keyFile = "/tmp/secret.key"; + settings.keyFile = "/tmp/secret.key"; extraFormatArgs = [ "--iter-time 1" ]; @@ -56,7 +56,7 @@ content = { type = "luks"; name = "crypted2"; - keyFile = "/tmp/secret.key"; + settings.keyFile = "/tmp/secret.key"; extraFormatArgs = [ "--iter-time 1" ]; diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix index ad07902..3d4d857 100644 --- a/example/luks-lvm.nix +++ b/example/luks-lvm.nix @@ -32,7 +32,7 @@ extraOpenArgs = [ "--allow-discards" ]; # if you want to use the key for interactive login be sure there is no trailing newline # for example use `echo -n "password" > /tmp/secret.key` - keyFile = "/tmp/secret.key"; + settings.keyFile = "/tmp/secret.key"; content = { type = "lvm_pv"; vg = "pool"; diff --git a/lib/types/luks.nix b/lib/types/luks.nix index e834684..a307891 100644 --- a/lib/types/luks.nix +++ b/lib/types/luks.nix @@ -1,4 +1,11 @@ { config, options, lib, diskoLib, parent, device, ... }: +let + keyFileArgs = ''\ + ${lib.optionalString (lib.hasAttr "keyFile" config.settings) "--key-file ${config.settings.keyFile}"} \ + ${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${config.settings.keyFileSize}"} \ + ${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${config.settings.keyFileOffset}"} + ''; +in { options = { type = lib.mkOption { @@ -15,11 +22,16 @@ type = lib.types.str; description = "Name of the LUKS"; }; - keyFile = lib.mkOption { - type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname; - default = null; - description = "Path to the key for encryption"; - example = "/tmp/disk.key"; + settings = lib.mkOption { + default = { }; + description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.)"; + example = ''{ + keyFile = "/tmp/disk.key"; + keyFileSize = 2048; + keyFileOffset = 1024; + fallbackToPassword = true; + }; + ''; }; initrdUnlock = lib.mkOption { type = lib.types.bool; @@ -53,13 +65,14 @@ }; _create = diskoLib.mkCreateOption { inherit config options; - default = '' - cryptsetup -q luksFormat ${config.device} ${diskoLib.maybeStr config.keyFile} ${toString config.extraFormatArgs} - cryptsetup luksOpen ${config.device} ${config.name} \ - ${toString config.extraOpenArgs} \ - ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"} - ${lib.optionalString (config.content != null) config.content._create} - ''; + default = + '' + cryptsetup -q luksFormat ${config.device} ${keyFileArgs} ${toString config.extraFormatArgs} + cryptsetup luksOpen ${config.device} ${config.name} \ + ${toString config.extraOpenArgs} \ + ${keyFileArgs} + ${lib.optionalString (config.content != null) config.content._create} + ''; }; _mount = diskoLib.mkMountOption { inherit config options; @@ -70,7 +83,8 @@ { dev = '' cryptsetup status ${config.name} >/dev/null 2>/dev/null || - cryptsetup luksOpen ${config.device} ${config.name} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"} + cryptsetup luksOpen ${config.device} ${config.name} \ + ${keyFileArgs} ${lib.optionalString (config.content != null) contentMount.dev or ""} ''; fs = lib.optionalAttrs (config.content != null) contentMount.fs or { }; @@ -81,12 +95,13 @@ readOnly = true; default = [ ] # If initrdUnlock is true, then add a device entry to the initrd.luks.devices config. - ++ (lib.optional config.initrdUnlock [{ - boot.initrd.luks.devices.${config.name} = { - inherit (config) device keyFile; - }; - }]) - ++ (lib.optional (config.content != null) config.content._config); + ++ (lib.optional config.initrdUnlock [ + { + boot.initrd.luks.devices.${config.name} = { + inherit (config) device; + } // config.settings; + } + ]) ++ (lib.optional (config.content != null) config.content._config); description = "NixOS configuration"; }; _pkgs = lib.mkOption {