Merge pull request #9982 from KoviRobi/fix-encrypted-non-root-devices
encrypted-devices service: Fix keyed mount, clarify descriptions.
a0918e2e62
@ -6,6 +6,7 @@ let
|
|||||||
fileSystems = attrValues config.fileSystems ++ config.swapDevices;
|
fileSystems = attrValues config.fileSystems ++ config.swapDevices;
|
||||||
encDevs = filter (dev: dev.encrypted.enable) fileSystems;
|
encDevs = filter (dev: dev.encrypted.enable) fileSystems;
|
||||||
keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
|
keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
|
||||||
|
keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
|
||||||
isIn = needle: haystack: filter (p: p == needle) haystack != [];
|
isIn = needle: haystack: filter (p: p == needle) haystack != [];
|
||||||
anyEncrypted =
|
anyEncrypted =
|
||||||
fold (j: v: v || j.encrypted.enable) false encDevs;
|
fold (j: v: v || j.encrypted.enable) false encDevs;
|
||||||
@ -29,15 +30,15 @@ let
|
|||||||
label = mkOption {
|
label = mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
example = "rootfs";
|
example = "rootfs";
|
||||||
type = types.nullOr types.str;
|
type = types.uniq (types.nullOr types.str);
|
||||||
description = "Label of the backing encrypted device.";
|
description = "Label of the unlocked encrypted device. Set <literal>fileSystems.<name?>.device</literal> to <literal>/dev/mapper/<label></literal> to mount the unlocked device.";
|
||||||
};
|
};
|
||||||
|
|
||||||
keyFile = mkOption {
|
keyFile = mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
example = "/root/.swapkey";
|
example = "/root/.swapkey";
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
description = "File system location of keyfile.";
|
description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -58,11 +59,11 @@ in
|
|||||||
boot.initrd = {
|
boot.initrd = {
|
||||||
luks = {
|
luks = {
|
||||||
devices =
|
devices =
|
||||||
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
|
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
|
||||||
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
|
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
|
||||||
};
|
};
|
||||||
postMountCommands =
|
postMountCommands =
|
||||||
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
|
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
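Review bot: The new keyFile description in the second hunk says the key file is read "after the root has been mounted to /mnt-root", yet the luksOpen line added to postMountCommands passes `${dev.encrypted.keyFile}` unprefixed, so a value like the documented example `/root/.swapkey` is presumably resolved relative to the initrd's own filesystem rather than the mounted system root. Either the command should prepend the mount point, e.g. `--key-file /mnt-root${dev.encrypted.keyFile}`, or the description should state that keyFile must already be given as a path under /mnt-root (e.g. `/mnt-root/root/.swapkey`); as written the option text and the command disagree. The three values are interpolated straight into a shell line, so a label or path containing whitespace or shell metacharacters would break or alter the command, and quoting them (`--key-file "${dev.encrypted.keyFile}" "${dev.encrypted.blkDev}" "${dev.encrypted.label}"`) is a cheap guard. Nothing checks the exit status of luksOpen, so if stage-1 does not abort on errors a failed unlock appears to go unreported until the later mount fails; `|| echo "failed to unlock ${dev.encrypted.label}"` would at least surface it. The keyFile description could also carry the caveat that the file must be readable only by root, since anyone able to read it can unlock the device.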
|