feat(luks): Add settings submodule

The settings submodule mirrors the options which can be set for
boot.initrd.luks.devices.<name>.

In particular, the keyFile option is now under settings.
This commit is contained in:
rogarb 2023-07-10 17:23:05 +02:00 committed by lassulus
parent 610e337bb2
commit 2daced7d67
3 changed files with 37 additions and 22 deletions


@ -31,7 +31,7 @@
content = { content = {
type = "luks"; type = "luks";
name = "crypted1"; name = "crypted1";
keyFile = "/tmp/secret.key"; settings.keyFile = "/tmp/secret.key";
extraFormatArgs = [ extraFormatArgs = [
"--iter-time 1" "--iter-time 1"
]; ];
@ -56,7 +56,7 @@
content = { content = {
type = "luks"; type = "luks";
name = "crypted2"; name = "crypted2";
keyFile = "/tmp/secret.key"; settings.keyFile = "/tmp/secret.key";
extraFormatArgs = [ extraFormatArgs = [
"--iter-time 1" "--iter-time 1"
]; ];


@ -32,7 +32,7 @@
extraOpenArgs = [ "--allow-discards" ]; extraOpenArgs = [ "--allow-discards" ];
# if you want to use the key for interactive login be sure there is no trailing newline # if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key` # for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key"; settings.keyFile = "/tmp/secret.key";
content = { content = {
type = "lvm_pv"; type = "lvm_pv";
vg = "pool"; vg = "pool";


@ -1,4 +1,11 @@
{ config, options, lib, diskoLib, parent, device, ... }: { config, options, lib, diskoLib, parent, device, ... }:
let
keyFileArgs = ''\
${lib.optionalString (lib.hasAttr "keyFile" config.settings) "--key-file ${config.settings.keyFile}"} \
${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${config.settings.keyFileSize}"} \
${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${config.settings.keyFileOffset}"}
'';
in
{ {
options = { options = {
type = lib.mkOption { type = lib.mkOption {
@ -15,11 +22,16 @@
type = lib.types.str; type = lib.types.str;
description = "Name of the LUKS"; description = "Name of the LUKS";
}; };
keyFile = lib.mkOption { settings = lib.mkOption {
type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname; default = { };
default = null; description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
description = "Path to the key for encryption"; example = ''{
example = "/tmp/disk.key"; keyFile = "/tmp/disk.key";
keyFileSize = 2048;
keyFileOffset = 1024;
fallbackToPassword = true;
};
'';
}; };
initrdUnlock = lib.mkOption { initrdUnlock = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
@ -53,13 +65,14 @@
}; };
_create = diskoLib.mkCreateOption { _create = diskoLib.mkCreateOption {
inherit config options; inherit config options;
default = '' default =
cryptsetup -q luksFormat ${config.device} ${diskoLib.maybeStr config.keyFile} ${toString config.extraFormatArgs} ''
cryptsetup luksOpen ${config.device} ${config.name} \ cryptsetup -q luksFormat ${config.device} ${keyFileArgs} ${toString config.extraFormatArgs}
${toString config.extraOpenArgs} \ cryptsetup luksOpen ${config.device} ${config.name} \
${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"} ${toString config.extraOpenArgs} \
${lib.optionalString (config.content != null) config.content._create} ${keyFileArgs}
''; ${lib.optionalString (config.content != null) config.content._create}
'';
}; };
_mount = diskoLib.mkMountOption { _mount = diskoLib.mkMountOption {
inherit config options; inherit config options;
@ -70,7 +83,8 @@
{ {
dev = '' dev = ''
cryptsetup status ${config.name} >/dev/null 2>/dev/null || cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
cryptsetup luksOpen ${config.device} ${config.name} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"} cryptsetup luksOpen ${config.device} ${config.name} \
${keyFileArgs}
${lib.optionalString (config.content != null) contentMount.dev or ""} ${lib.optionalString (config.content != null) contentMount.dev or ""}
''; '';
fs = lib.optionalAttrs (config.content != null) contentMount.fs or { }; fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
@ -81,12 +95,13 @@
readOnly = true; readOnly = true;
default = [ ] default = [ ]
# If initrdUnlock is true, then add a device entry to the initrd.luks.devices config. # If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
++ (lib.optional config.initrdUnlock [{ ++ (lib.optional config.initrdUnlock [
boot.initrd.luks.devices.${config.name} = { {
inherit (config) device keyFile; boot.initrd.luks.devices.${config.name} = {
}; inherit (config) device;
}]) } // config.settings;
++ (lib.optional (config.content != null) config.content._config); }
]) ++ (lib.optional (config.content != null) config.content._config);
description = "NixOS configuration"; description = "NixOS configuration";
}; };
_pkgs = lib.mkOption { _pkgs = lib.mkOption {
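Review bot: The new `keyFileArgs` binding in the first hunk interpolates `${config.settings.keyFileSize}` and `${config.settings.keyFileOffset}` directly, which fails to evaluate when those settings are integers, exactly as the option's own example (`keyFileSize = 2048;`, `keyFileOffset = 1024;`) sets them, because Nix does not coerce an integer to a string; both need `toString`: `"--keyfile-size ${toString config.settings.keyFileSize}"` and `"--keyfile-offset ${toString config.settings.keyFileOffset}"`. The `settings` option is declared without a `type`, so despite the commit title it is not a submodule and its contents are never checked against `boot.initrd.luks.devices.<name>` by disko itself, only by NixOS once `// config.settings` is merged in, and only when `initrdUnlock` is enabled; an explicit `type` (at least `lib.types.attrs`) would make the contract visible in the option documentation. `keyFileArgs` also ends with the indented string's final newline, so on the `luksFormat` line in `_create` the `${toString config.extraFormatArgs}` that follows `${keyFileArgs}` appears to land on a new shell line instead of being passed to `luksFormat`; unless I am misreading the indented-string layout, `cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} ${keyFileArgs}` avoids that without adding a trailing continuation that would also swallow the line after `${keyFileArgs}` in the `luksOpen` call. The `let` binding is complete in the hunk, but the module body it wraps continues outside it.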