Mirrors/disko
2
0
Fork 0
mirror of https://github.com/nix-community/disko synced 2024-11-10 06:14:14 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat(luks): Add settings submodule

Browse source 
The settings submodule mirrors the options which can be set for
boot.initrd.luks.devices.<name>.

In particular, the keyFile option is now under settings.
This commit is contained in:
rogarb 2023-07-10 17:23:05 +02:00 committed by lassulus
parent 610e337bb2
commit 2daced7d67
3 changed files with 37 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
example/complex.nix
View file

@ -31,7 +31,7 @@
content = {
type = "luks";
name = "crypted1";
keyFile = "/tmp/secret.key";
settings.keyFile = "/tmp/secret.key";
extraFormatArgs = [
"--iter-time 1"
];
@ -56,7 +56,7 @@
content = {
type = "luks";
name = "crypted2";
keyFile = "/tmp/secret.key";
settings.keyFile = "/tmp/secret.key";
extraFormatArgs = [
"--iter-time 1"
];

2
example/luks-lvm.nix
View file

@ -32,7 +32,7 @@
extraOpenArgs = [ "--allow-discards" ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
settings.keyFile = "/tmp/secret.key";
content = {
type = "lvm_pv";
vg = "pool";

43
lib/types/luks.nix
View file

@ -1,4 +1,11 @@
{ config, options, lib, diskoLib, parent, device, ... }:
let
keyFileArgs = ''\
${lib.optionalString (lib.hasAttr "keyFile" config.settings) "--key-file ${config.settings.keyFile}"} \
${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${config.settings.keyFileSize}"} \
${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${config.settings.keyFileOffset}"}
'';
in
{
options = {
type = lib.mkOption {
@ -15,11 +22,16 @@
type = lib.types.str;
description = "Name of the LUKS";
};
keyFile = lib.mkOption {
type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;
default = null;
description = "Path to the key for encryption";
example = "/tmp/disk.key";
settings = lib.mkOption {
default = { };
description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
example = ''{
keyFile = "/tmp/disk.key";
keyFileSize = 2048;
keyFileOffset = 1024;
fallbackToPassword = true;
};
'';
};
initrdUnlock = lib.mkOption {
type = lib.types.bool;
@ -53,11 +65,12 @@
};
_create = diskoLib.mkCreateOption {
inherit config options;
default = ''
cryptsetup -q luksFormat ${config.device} ${diskoLib.maybeStr config.keyFile} ${toString config.extraFormatArgs}
default =
''
cryptsetup -q luksFormat ${config.device} ${keyFileArgs} ${toString config.extraFormatArgs}
cryptsetup luksOpen ${config.device} ${config.name} \
${toString config.extraOpenArgs} \
${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
${keyFileArgs}
${lib.optionalString (config.content != null) config.content._create}
'';
};
@ -70,7 +83,8 @@
{
dev = ''
cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
cryptsetup luksOpen ${config.device} ${config.name} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
cryptsetup luksOpen ${config.device} ${config.name} \
${keyFileArgs}
${lib.optionalString (config.content != null) contentMount.dev or ""}
'';
fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
@ -81,12 +95,13 @@
readOnly = true;
default = [ ]
# If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
++ (lib.optional config.initrdUnlock [{
++ (lib.optional config.initrdUnlock [
{
boot.initrd.luks.devices.${config.name} = {
inherit (config) device keyFile;
};
}])
++ (lib.optional (config.content != null) config.content._config);
inherit (config) device;
} // config.settings;
}
]) ++ (lib.optional (config.content != null) config.content._config);
description = "NixOS configuration";
};
_pkgs = lib.mkOption {