ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-11-15 03:15:56 +03:00
Code Issues Projects Releases Wiki Activity

swap: extend randomEncryption to plainOpen and ability to select cipher

Browse Source
This commit is contained in:
Martin Wohlert 2017-05-22 20:07:04 +02:00 committed by Nikolay Amiantov
parent 81e998bf0c
commit c3d5cfdc3c
2 changed files with 32 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
nixos/modules/config/swap.nix
View File

@ -45,7 +45,7 @@ let
''; '';
}; };
randomEncryption = mkOption { randomEncryption.enable = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = '' description = ''
@ -61,6 +61,26 @@ let
''; '';
}; };
randomEncryption.cipher = mkOption {
default = "aes-xts-plain64";
example = "serpent-xts-plain64";
type = types.str;
description = ''
Use specified cipher for randomEncryption.
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
'';
};
randomEncryption.source = mkOption {
default = "/dev/urandom";
example = "/dev/random";
type = types.str;
description = ''
Define the source of randomness to obtain a random key for encryption.
'';
};
deviceName = mkOption { deviceName = mkOption {
type = types.str; type = types.str;
internal = true; internal = true;
@ -77,7 +97,7 @@ let
device = mkIf options.label.isDefined device = mkIf options.label.isDefined
"/dev/disk/by-label/${config.label}"; "/dev/disk/by-label/${config.label}";
deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device); deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device; realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
}; };
}; };
@ -125,14 +145,14 @@ in
createSwapDevice = sw: createSwapDevice = sw:
assert sw.device != ""; assert sw.device != "";
assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid" sw.device); assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device); assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
let realDevice' = escapeSystemdPath sw.realDevice; let realDevice' = escapeSystemdPath sw.realDevice;
in nameValuePair "mkswap-${sw.deviceName}" in nameValuePair "mkswap-${sw.deviceName}"
{ description = "Initialisation of swap device ${sw.device}"; { description = "Initialisation of swap device ${sw.device}";
wantedBy = [ "${realDevice'}.swap" ]; wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ];
path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup; path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
script = script =
'' ''
@ -145,11 +165,11 @@ in
truncate --size "${toString sw.size}M" "${sw.device}" truncate --size "${toString sw.size}M" "${sw.device}"
fi fi
chmod 0600 ${sw.device} chmod 0600 ${sw.device}
${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"} ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
fi fi
''} ''}
${optionalString sw.randomEncryption '' ${optionalString sw.randomEncryption.enable ''
cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}
mkswap ${sw.realDevice} mkswap ${sw.realDevice}
''} ''}
''; '';
@ -157,12 +177,12 @@ in
unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ]; unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
unitConfig.DefaultDependencies = false; # needed to prevent a cycle unitConfig.DefaultDependencies = false; # needed to prevent a cycle
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = sw.randomEncryption; serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}"; serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
restartIfChanged = false; restartIfChanged = false;
}; };
in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices)); in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
}; };

2
nixos/modules/system/boot/stage-1.nix
View File

@ -207,7 +207,7 @@ let
preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules; preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}") resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
(filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable
# Don't include zram devices # Don't include zram devices
&& !(hasPrefix "/dev/zram" sd.device) && !(hasPrefix "/dev/zram" sd.device)
) config.swapDevices); ) config.swapDevices);