feat(luks): Add settings submodule
The `settings` submodule mirrors the options that can be set for `boot.initrd.luks.devices.<name>`. The top-level `keyFile` option is now deprecated and should be declared under `settings` instead.
This commit is contained in:
parent
aeebdc1156
commit
68eb09b183
3 changed files with 40 additions and 14 deletions
|
@ -31,9 +31,9 @@
|
|||
content = {
|
||||
type = "luks";
|
||||
name = "crypted1";
|
||||
keyFile = "/tmp/secret.key";
|
||||
settings.keyFile = "/tmp/secret.key";
|
||||
extraFormatArgs = [
|
||||
"--iter-time 1"
|
||||
"--iter-time 1" # unsecure but fast for tests
|
||||
];
|
||||
content = {
|
||||
type = "lvm_pv";
|
||||
|
@ -56,9 +56,9 @@
|
|||
content = {
|
||||
type = "luks";
|
||||
name = "crypted2";
|
||||
keyFile = "/tmp/secret.key";
|
||||
settings.keyFile = "/tmp/secret.key";
|
||||
extraFormatArgs = [
|
||||
"--iter-time 1"
|
||||
"--iter-time 1" # unsecure but fast for tests
|
||||
];
|
||||
content = {
|
||||
type = "lvm_pv";
|
||||
|
|
|
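Review bot: The comment added next to `"--iter-time 1"` in both hunks, `# unsecure but fast for tests`, uses a non-word; `# insecure but fast for tests` is the usual spelling. The comment itself is worth keeping, since a one-millisecond PBKDF iteration time is the only visible signal that these fixtures are not a template for a real configuration.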
@ -32,7 +32,7 @@
|
|||
extraOpenArgs = [ "--allow-discards" ];
|
||||
# if you want to use the key for interactive login be sure there is no trailing newline
|
||||
# for example use `echo -n "password" > /tmp/secret.key`
|
||||
keyFile = "/tmp/secret.key";
|
||||
settings.keyFile = "/tmp/secret.key";
|
||||
content = {
|
||||
type = "lvm_pv";
|
||||
vg = "pool";
|
||||
|
|
|
@ -1,4 +1,16 @@
|
|||
{ config, options, lib, diskoLib, parent, device, ... }:
|
||||
let
|
||||
keyFile = if lib.hasAttr "keyFile" config.settings
|
||||
then config.settings.keyFile
|
||||
else if config.keyFile != null
|
||||
then lib.warn "The option `keyFile` is deprecated. See the `settings` option." config.keyFile
|
||||
else null;
|
||||
keyFileArgs = ''\
|
||||
${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \
|
||||
${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${config.settings.keyFileSize}"} \
|
||||
${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${config.settings.keyFileOffset}"}
|
||||
'';
|
||||
in
|
||||
{
|
||||
options = {
|
||||
type = lib.mkOption {
|
||||
|
@ -21,6 +33,17 @@
|
|||
description = "Path to the key for encryption";
|
||||
example = "/tmp/disk.key";
|
||||
};
|
||||
settings = lib.mkOption {
|
||||
default = { };
|
||||
description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
|
||||
example = ''{
|
||||
keyFile = "/tmp/disk.key";
|
||||
keyFileSize = 2048;
|
||||
keyFileOffset = 1024;
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
'';
|
||||
};
|
||||
initrdUnlock = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
|
@ -54,10 +77,11 @@
|
|||
_create = diskoLib.mkCreateOption {
|
||||
inherit config options;
|
||||
default = ''
|
||||
cryptsetup -q luksFormat ${config.device} ${diskoLib.maybeStr config.keyFile} ${toString config.extraFormatArgs}
|
||||
cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} \
|
||||
${keyFileArgs}
|
||||
cryptsetup luksOpen ${config.device} ${config.name} \
|
||||
${toString config.extraOpenArgs} \
|
||||
${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
|
||||
${keyFileArgs}
|
||||
${lib.optionalString (config.content != null) config.content._create}
|
||||
'';
|
||||
};
|
||||
|
@ -70,7 +94,8 @@
|
|||
{
|
||||
dev = ''
|
||||
cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
|
||||
cryptsetup luksOpen ${config.device} ${config.name} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
|
||||
cryptsetup luksOpen ${config.device} ${config.name} \
|
||||
${keyFileArgs}
|
||||
${lib.optionalString (config.content != null) contentMount.dev or ""}
|
||||
'';
|
||||
fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
|
||||
|
@ -81,12 +106,13 @@
|
|||
readOnly = true;
|
||||
default = [ ]
|
||||
# If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
|
||||
++ (lib.optional config.initrdUnlock [{
|
||||
++ (lib.optional config.initrdUnlock [
|
||||
{
|
||||
boot.initrd.luks.devices.${config.name} = {
|
||||
inherit (config) device keyFile;
|
||||
};
|
||||
}])
|
||||
++ (lib.optional (config.content != null) config.content._config);
|
||||
inherit (config) device;
|
||||
} // config.settings;
|
||||
}
|
||||
]) ++ (lib.optional (config.content != null) config.content._config);
|
||||
description = "NixOS configuration";
|
||||
};
|
||||
_pkgs = lib.mkOption {
|
||||
|
|
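Review bot: `--keyfile-size ${config.settings.keyFileSize}` and `--keyfile-offset ${config.settings.keyFileOffset}` in the new `keyFileArgs` binding interpolate values that the `settings` example in the same file documents as integers (`keyFileSize = 2048;`, `keyFileOffset = 1024;`), and Nix does not coerce an integer inside a string, so evaluation fails as soon as either setting is used; they should read `--keyfile-size ${toString config.settings.keyFileSize}` and `--keyfile-offset ${toString config.settings.keyFileOffset}`. The `_config` hunk also drops `keyFile` from `boot.initrd.luks.devices.${config.name}` (old `inherit (config) device keyFile;` becomes `inherit (config) device;` merged with `// config.settings`), so a configuration that still uses the deprecated top-level `keyFile` formats and mounts with the key but the initrd entry no longer carries it, which presumably means an interactive passphrase prompt at boot for exactly the users the deprecation warning is meant to keep working. Carrying the already-resolved let binding through, e.g. `} // lib.optionalAttrs (keyFile != null) { inherit keyFile; } // config.settings;`, keeps the deprecated path functional until it is removed. `settings` is declared with no `type`, so as far as the hunk shows nothing validates the attribute names or value types that are passed straight into the initrd option; a typed declaration (`lib.types.attrsOf lib.types.anything`, or a submodule mirroring the upstream option) would catch a misspelled key at evaluation rather than at boot. The enclosing module attrset starts in the first hunk and continues outside the later ones.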