Merge pull request #9982 from KoviRobi/fix-encrypted-non-root-devices

encrypted-devices service: Fix keyed mount, clarify descriptions.
This commit is contained in:
Edward Tjörnhammar 2015-09-27 12:42:08 +02:00
commit a0918e2e62


@ -6,6 +6,7 @@ let
fileSystems = attrValues config.fileSystems ++ config.swapDevices; fileSystems = attrValues config.fileSystems ++ config.swapDevices;
encDevs = filter (dev: dev.encrypted.enable) fileSystems; encDevs = filter (dev: dev.encrypted.enable) fileSystems;
keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs; keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
isIn = needle: haystack: filter (p: p == needle) haystack != []; isIn = needle: haystack: filter (p: p == needle) haystack != [];
anyEncrypted = anyEncrypted =
fold (j: v: v || j.encrypted.enable) false encDevs; fold (j: v: v || j.encrypted.enable) false encDevs;
@ -29,15 +30,15 @@ let
label = mkOption { label = mkOption {
default = null; default = null;
example = "rootfs"; example = "rootfs";
type = types.nullOr types.str; type = types.uniq (types.nullOr types.str);
description = "Label of the backing encrypted device."; description = "Label of the unlocked encrypted device. Set <literal>fileSystems.&lt;name?&gt;.device</literal> to <literal>/dev/mapper/&lt;label&gt;</literal> to mount the unlocked device.";
}; };
keyFile = mkOption { keyFile = mkOption {
default = null; default = null;
example = "/root/.swapkey"; example = "/root/.swapkey";
type = types.nullOr types.str; type = types.nullOr types.str;
description = "File system location of keyfile."; description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
}; };
}; };
}; };
@ -58,11 +59,11 @@ in
boot.initrd = { boot.initrd = {
luks = { luks = {
devices = devices =
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs; map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
cryptoModules = [ "aes" "sha256" "sha1" "xts" ]; cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
}; };
postMountCommands = postMountCommands =
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs; concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
}; };
}; };
} }
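Review bot: In the new postMountCommands line of the last hunk, `${dev.encrypted.keyFile}` is passed to cryptsetup verbatim from inside the initrd, yet the option's example a few lines up is still `/root/.swapkey` and the new description says the unlock happens after the root has been mounted at /mnt-root; unless users are expected to write the /mnt-root prefix themselves, that example path will not exist at the moment the command runs. Either the description and example should say the path is as seen from the initrd (e.g. example `/mnt-root/root/.swapkey`), or the command should add the prefix itself: `"cryptsetup luksOpen --key-file /mnt-root${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"`. The three interpolated values are also unquoted in the generated shell line, so a key file path or label containing whitespace would be word-split; double-quoting them in the string would avoid that. The enclosing config attribute set begins before the first hunk.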