From 68eb09b1833301d729ae6e89583173b6ceaade1c Mon Sep 17 00:00:00 2001
From: rogarb
Date: Mon, 10 Jul 2023 17:23:05 +0200
Subject: [PATCH] feat(luks): Add settings submodule

The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.. The keyFile option is now deprecated and should be declared under settings.
---
 example/complex.nix | 8 ++++----
 example/luks-lvm.nix | 2 +-
 lib/types/luks.nix | 44 +++++++++++++++++++++++++++++++++++---------
 3 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/example/complex.nix b/example/complex.nix
index 7a3d924..9f317c2 100644
--- a/example/complex.nix
+++ b/example/complex.nix
@@ -31,9 +31,9 @@
 content = {
 type = "luks";
 name = "crypted1";
- keyFile = "/tmp/secret.key";
+ settings.keyFile = "/tmp/secret.key";
 extraFormatArgs = [
- "--iter-time 1"
+ "--iter-time 1" # unsecure but fast for tests
 ];
 content = {
 type = "lvm_pv";
@@ -56,9 +56,9 @@
 content = {
 type = "luks";
 name = "crypted2";
- keyFile = "/tmp/secret.key";
+ settings.keyFile = "/tmp/secret.key";
 extraFormatArgs = [
- "--iter-time 1"
+ "--iter-time 1" # unsecure but fast for tests
 ];
 content = {
 type = "lvm_pv";
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
index ad07902..3d4d857 100644
--- a/example/luks-lvm.nix
+++ b/example/luks-lvm.nix
@@ -32,7 +32,7 @@
 extraOpenArgs = [ "--allow-discards" ];
 # if you want to use the key for interactive login be sure there is no trailing newline
 # for example use `echo -n "password" > /tmp/secret.key`
- keyFile = "/tmp/secret.key";
+ settings.keyFile = "/tmp/secret.key";
 content = {
 type = "lvm_pv";
 vg = "pool";
diff --git a/lib/types/luks.nix b/lib/types/luks.nix
index e834684..c5833f6 100644
--- a/lib/types/luks.nix
+++ b/lib/types/luks.nix
@@ -1,4 +1,16 @@
 { config, options, lib, diskoLib, parent, device, ... }:
+let
+ keyFile = if lib.hasAttr "keyFile" config.settings
+ then config.settings.keyFile
+ else if config.keyFile != null
+ then lib.warn "The option `keyFile` is deprecated. See the `settings` option." config.keyFile
+ else null;
+ keyFileArgs = ''\
+ ${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \
+ ${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${config.settings.keyFileSize}"} \
+ ${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${config.settings.keyFileOffset}"}
+ '';
+in
 {
 options = {
 type = lib.mkOption {
@@ -21,6 +33,17 @@
 description = "Path to the key for encryption";
 example = "/tmp/disk.key";
 };
+ settings = lib.mkOption {
+ default = { };
+ description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.)";
+ example = ''{
+ keyFile = "/tmp/disk.key";
+ keyFileSize = 2048;
+ keyFileOffset = 1024;
+ fallbackToPassword = true;
+ };
+ '';
+ };
 initrdUnlock = lib.mkOption {
 type = lib.types.bool;
 default = true;
@@ -54,10 +77,11 @@
 _create = diskoLib.mkCreateOption {
 inherit config options;
 default = ''
- cryptsetup -q luksFormat ${config.device} ${diskoLib.maybeStr config.keyFile} ${toString config.extraFormatArgs}
+ cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} \
+ ${keyFileArgs}
 cryptsetup luksOpen ${config.device} ${config.name} \
 ${toString config.extraOpenArgs} \
- ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
+ ${keyFileArgs}
 ${lib.optionalString (config.content != null) config.content._create}
 '';
 };
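Review bot: The `--keyfile-size` and `--keyfile-offset` interpolations inside `keyFileArgs` will not evaluate when the values are integers, which is exactly what the new `settings` example documents (`keyFileSize = 2048;`, `keyFileOffset = 1024;`): Nix refuses to coerce an integer inside `"${...}"` and aborts the evaluation instead of producing the cryptsetup arguments. Wrap both values in `toString`, i.e. `"--keyfile-size ${toString config.settings.keyFileSize}"` and `"--keyfile-offset ${toString config.settings.keyFileOffset}"`. The `${keyFile}` interpolation on the line above is fine for the string values every example uses, but note that an unquoted Nix path literal there would be copied into the store by the interpolation, so `settings.keyFile` should be constrained to a string wherever the option gets a type.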
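Review bot: The new `settings` option is declared without a `type`, so it falls back to untyped merging and nothing validates which keys or value types end up in `keyFileArgs` or in the generated `boot.initrd.luks.devices` entry. Give it at least `type = lib.types.attrsOf lib.types.anything;`, or a submodule limited to what the initrd module accepts, so that a typo or an unexpected value fails at evaluation rather than at boot. The `description` should also state that only `keyFile`, `keyFileSize` and `keyFileOffset` influence disko's own `cryptsetup luksFormat`/`luksOpen` invocations, while every other key (for example `fallbackToPassword`) is only forwarded to the initrd configuration; it also appears to have lost a `<name>` placeholder after `boot.initrd.luks.devices.`, possibly in rendering.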
@@ -70,7 +94,8 @@
 {
 dev = ''
 cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
- cryptsetup luksOpen ${config.device} ${config.name} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
+ cryptsetup luksOpen ${config.device} ${config.name} \
+ ${keyFileArgs}
 ${lib.optionalString (config.content != null) contentMount.dev or ""}
 '';
 fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
@@ -81,12 +106,13 @@
 readOnly = true;
 default = [ ]
 # If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
- ++ (lib.optional config.initrdUnlock [{
- boot.initrd.luks.devices.${config.name} = {
- inherit (config) device keyFile;
- };
- }])
- ++ (lib.optional (config.content != null) config.content._config);
+ ++ (lib.optional config.initrdUnlock [
+ {
+ boot.initrd.luks.devices.${config.name} = {
+ inherit (config) device;
+ } // config.settings;
+ }
+ ]) ++ (lib.optional (config.content != null) config.content._config);
 description = "NixOS configuration";
 };
 _pkgs = lib.mkOption {
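Review bot: The initrd entry in the `_config` hunk drops the key file for anyone still on the deprecated `keyFile` option: `inherit (config) device keyFile;` became `inherit (config) device;` and only `config.settings` is merged in, so a legacy `keyFile = ...` still unlocks the device in `_create` and `_mount` (through the `keyFile` let-binding, which falls back to `config.keyFile` with a warning) but the generated `boot.initrd.luks.devices.<name>` no longer carries it and the boot-time unlock will presumably prompt instead. Route the already-resolved value through as well, e.g. `{ inherit (config) device; } // lib.optionalAttrs (keyFile != null) { inherit keyFile; } // config.settings;`, so the deprecation shim and the NixOS configuration agree; `config.settings` still wins when both are set. The enclosing `_config = lib.mkOption { ... }` starts before the hunk.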