disko/lib/types/luks.nix

{ config, options, lib, diskoLib, parent, device, ... }:
let
  keyFile =
    if config.settings ? "keyFile"
    then config.settings.keyFile
    else if config.askPassword
    then ''<(set +x; echo -n "$password"; set -x)''
    else if config.passwordFile != null
    # do not print the password to the console
    then ''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''
    else if config.keyFile != null
    then
      lib.warn
        ("The option `keyFile` is deprecated."
          + "Use passwordFile instead if you want to use interactive login or settings.keyFile if you want to use key file login")
        config.keyFile
    else null;
  keyFileArgs = ''
    ${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \
    ${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${builtins.toString config.settings.keyFileSize}"} \
    ${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${builtins.toString config.settings.keyFileOffset}"} \
  '';
  cryptsetupOpen = ''
    cryptsetup open ${config.device} ${config.name} \
      ${lib.optionalString (config.settings.allowDiscards or false) "--allow-discards"} \
      ${lib.optionalString (config.settings.bypassWorkqueues or false) "--perf-no_read_workqueue --perf-no_write_workqueue"} \
      ${toString config.extraOpenArgs} \
      ${keyFileArgs} \
  '';
in
{
  options = {
    type = lib.mkOption {
      type = lib.types.enum [ "luks" ];
      internal = true;
      description = "Type";
    };
    device = lib.mkOption {
      type = lib.types.str;
      description = "Device to encrypt";
      default = device;
    };
    name = lib.mkOption {
      type = lib.types.str;
      description = "Name of the LUKS";
    };
    keyFile = lib.mkOption {
      type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;
      default = null;
      description = "DEPRECATED use passwordFile or settings.keyFile. Path to the key for encryption";
      example = "/tmp/disk.key";
    };
    passwordFile = lib.mkOption {
      type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;
      default = null;
      description = "Path to the file which contains the password for initial encryption";
      example = "/tmp/disk.key";
    };
    askPassword = lib.mkOption {
      type = lib.types.bool;
      default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");
      description = "Whether to ask for a password for initial encryption";
    };
    settings = lib.mkOption {
      default = { };
      description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
      example = ''{
          keyFile = "/tmp/disk.key";
          keyFileSize = 2048;
          keyFileOffset = 1024;
          fallbackToPassword = true;
          allowDiscards = true;
        };
      '';
    };
    additionalKeyFiles = lib.mkOption {
      type = lib.types.listOf diskoLib.optionTypes.absolute-pathname;
      default = [ ];
      description = "Path to additional key files for encryption";
      example = [ "/tmp/disk2.key" ];
    };
    initrdUnlock = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to add a boot.initrd.luks.devices entry for the specified disk.";
    };
    extraFormatArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Extra arguments to pass to `cryptsetup luksFormat` when formatting";
      example = [ "--pbkdf argon2id" ];
    };
    extraOpenArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Extra arguments to pass to `cryptsetup luksOpen` when opening";
      example = [ "--timeout 10" ];
    };
    content = diskoLib.deviceType { parent = config; device = "/dev/mapper/${config.name}"; };
    _parent = lib.mkOption {
      internal = true;
      default = parent;
    };
    _meta = lib.mkOption {
      internal = true;
      readOnly = true;
      type = lib.types.functionTo diskoLib.jsonType;
      default = dev:
        lib.optionalAttrs (config.content != null) (config.content._meta dev);
      description = "Metadata";
    };
    _create = diskoLib.mkCreateOption {
      inherit config options;
      default = ''
        ${lib.optionalString config.askPassword ''
          set +x
          askPassword() {
            echo "Enter password for ${config.device}: "
            IFS= read -r -s password
            echo "Enter password for ${config.device} again to be safe: "
            IFS= read -r -s password_check
            export password
            [ "$password" = "$password_check" ]
          }
          until askPassword; do
            echo "Passwords did not match, please try again."
          done
          set -x
        ''}
        cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} ${keyFileArgs}
        ${cryptsetupOpen} --persistent
        ${toString (lib.forEach config.additionalKeyFiles (keyFile: ''
          cryptsetup luksAddKey ${config.device} ${keyFile} ${keyFileArgs}
        ''))}
        ${lib.optionalString (config.content != null) config.content._create}
      '';
    };
    _mount = diskoLib.mkMountOption {
      inherit config options;
      default =
        let
          contentMount = config.content._mount;
        in
        {
          dev = ''
            if ! cryptsetup status ${config.name} >/dev/null 2>/dev/null; then
              ${lib.optionalString config.askPassword ''
                set +x
                echo "Enter password for ${config.device}"
                IFS= read -r -s password
                export password
                set -x
              ''}
              ${cryptsetupOpen}
            fi
            ${lib.optionalString (config.content != null) contentMount.dev or ""}
          '';
          fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
        };
    };
    _config = lib.mkOption {
      internal = true;
      readOnly = true;
      default = [ ]
        # If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
        ++ (lib.optional config.initrdUnlock [
        {
          boot.initrd.luks.devices.${config.name} = {
            inherit (config) device;
          } // config.settings;
        }
      ]) ++ (lib.optional (config.content != null) config.content._config);
      description = "NixOS configuration";
    };
    _pkgs = lib.mkOption {
      internal = true;
      readOnly = true;
      type = lib.types.functionTo (lib.types.listOf lib.types.package);
      default = pkgs: [ pkgs.cryptsetup ] ++ (lib.optionals (config.content != null) (config.content._pkgs pkgs));
      description = "Packages";
    };
  };
}
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`{ config, options, lib, diskoLib, parent, device, ... }:`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`let`
apply treefmt 2023-08-11 09:11:01 +03:00			`keyFile =`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`if config.settings ? "keyFile"`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`then config.settings.keyFile`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`else if config.askPassword`
			`then ''<(set +x; echo -n "$password"; set -x)''`
Rename keyFile to passwordFile and dedeprecate 2023-08-13 20:32:15 +03:00			`else if config.passwordFile != null`
luks: don't leak secret in debug logs 2023-09-25 17:51:25 +03:00			`# do not print the password to the console`
			`then ''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`else if config.keyFile != null`
run nix-fmt 2023-09-02 19:08:33 +03:00			`then`
			`lib.warn`
			("The option `keyFile` is deprecated."
			`+ "Use passwordFile instead if you want to use interactive login or settings.keyFile if you want to use key file login")`
			`config.keyFile`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`else null;`
luks: apply flags set in `config.settings` 2023-12-31 09:43:53 +03:00			`keyFileArgs = ''`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \`
fix(luks): type error with keyfile size/offset 2023-07-22 00:11:32 +03:00			`${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${builtins.toString config.settings.keyFileSize}"} \`
luks: apply flags set in `config.settings` 2023-12-31 09:43:53 +03:00			`${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${builtins.toString config.settings.keyFileOffset}"} \`
			`'';`
			`cryptsetupOpen = ''`
			`cryptsetup open ${config.device} ${config.name} \`
			`${lib.optionalString (config.settings.allowDiscards or false) "--allow-discards"} \`
			`${lib.optionalString (config.settings.bypassWorkqueues or false) "--perf-no_read_workqueue --perf-no_write_workqueue"} \`
			`${toString config.extraOpenArgs} \`
			`${keyFileArgs} \`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`'';`
			`in`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`{`
			`options = {`
			`type = lib.mkOption {`
			`type = lib.types.enum [ "luks" ];`
			`internal = true;`
			`description = "Type";`
			`};`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`device = lib.mkOption {`
			`type = lib.types.str;`
			`description = "Device to encrypt";`
			`default = device;`
			`};`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`name = lib.mkOption {`
			`type = lib.types.str;`
			`description = "Name of the LUKS";`
			`};`
			`keyFile = lib.mkOption {`
types: refactor into diskoLib 2023-05-16 14:40:03 +03:00			`type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`default = null;`
Remove trialing newline in passwordFile 2023-08-15 00:16:20 +03:00			`description = "DEPRECATED use passwordFile or settings.keyFile. Path to the key for encryption";`
Rename keyFile to passwordFile and dedeprecate 2023-08-13 20:32:15 +03:00			`example = "/tmp/disk.key";`
			`};`
			`passwordFile = lib.mkOption {`
			`type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;`
			`default = null;`
Remove trialing newline in passwordFile 2023-08-15 00:16:20 +03:00			`description = "Path to the file which contains the password for initial encryption";`
add examples to luks-options 2023-04-19 00:19:53 +03:00			`example = "/tmp/disk.key";`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`};`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`askPassword = lib.mkOption {`
			`type = lib.types.bool;`
			`default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");`
			`description = "Whether to ask for a password for initial encryption";`
			`};`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`settings = lib.mkOption {`
			`default = { };`
			`description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";`
			`example = ''{`
			`keyFile = "/tmp/disk.key";`
			`keyFileSize = 2048;`
			`keyFileOffset = 1024;`
			`fallbackToPassword = true;`
luks: use allowDiscards option 2023-11-04 14:54:07 +03:00			`allowDiscards = true;`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`};`
			`'';`
			`};`
add additionalKeyFiles option to luks 2023-07-06 21:33:44 +03:00			`additionalKeyFiles = lib.mkOption {`
			`type = lib.types.listOf diskoLib.optionTypes.absolute-pathname;`
apply treefmt 2023-08-11 09:11:01 +03:00			`default = [ ];`
add additionalKeyFiles option to luks 2023-07-06 21:33:44 +03:00			`description = "Path to additional key files for encryption";`
apply treefmt 2023-08-11 09:11:01 +03:00			`example = [ "/tmp/disk2.key" ];`
add additionalKeyFiles option to luks 2023-07-06 21:33:44 +03:00			`};`
luks: add initrdUnlock option to luks type (#233) 2023-05-13 10:10:13 +03:00			`initrdUnlock = lib.mkOption {`
			`type = lib.types.bool;`
			`default = true;`
			`description = "Whether to add a boot.initrd.luks.devices entry for the specified disk.";`
			`};`
luks: rename extraArgs to extraFormatArgs, add extraOpenArgs 2023-03-21 21:41:39 +03:00			`extraFormatArgs = lib.mkOption {`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`type = lib.types.listOf lib.types.str;`
			`default = [ ];`
luks: rename extraArgs to extraFormatArgs, add extraOpenArgs 2023-03-21 21:41:39 +03:00			description = "Extra arguments to pass to `cryptsetup luksFormat` when formatting";
add examples to luks-options 2023-04-19 00:19:53 +03:00			`example = [ "--pbkdf argon2id" ];`
luks: rename extraArgs to extraFormatArgs, add extraOpenArgs 2023-03-21 21:41:39 +03:00			`};`
			`extraOpenArgs = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
			`default = [ ];`
			description = "Extra arguments to pass to `cryptsetup luksOpen` when opening";
luks: use allowDiscards option 2023-11-04 14:54:07 +03:00			`example = [ "--timeout 10" ];`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`};`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`content = diskoLib.deviceType { parent = config; device = "/dev/mapper/${config.name}"; };`
types: pass parent node to all subTypes 2023-06-07 14:42:39 +03:00			`_parent = lib.mkOption {`
			`internal = true;`
			`default = parent;`
			`};`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`_meta = lib.mkOption {`
			`internal = true;`
			`readOnly = true;`
			`type = lib.types.functionTo diskoLib.jsonType;`
			`default = dev:`
style: Apply nixpkgs-fmt and fix Apply standard formatting and some statix conventions using; ```sh nixpkgs-fmt **.nix && statix fix . ``` With the intent of making contribution a bit easier and reducing mental load in hand formatting (in the same vein as [black]). [black]: https://github.com/psf/black#the-uncompromising-code-formatter 2023-02-06 17:24:34 +03:00			`lib.optionalAttrs (config.content != null) (config.content._meta dev);`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`description = "Metadata";`
			`};`
			`_create = diskoLib.mkCreateOption {`
			`inherit config options;`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`default = ''`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`${lib.optionalString config.askPassword ''`
			`set +x`
			`askPassword() {`
			`echo "Enter password for ${config.device}: "`
Fix read shellcheck warning SC2162 Use `-r` to avoid mangling backslashes, use `IFS=` to not discard leading and trailing whitespace. 2023-10-22 19:32:40 +03:00			`IFS= read -r -s password`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`echo "Enter password for ${config.device} again to be safe: "`
Fix read shellcheck warning SC2162 Use `-r` to avoid mangling backslashes, use `IFS=` to not discard leading and trailing whitespace. 2023-10-22 19:32:40 +03:00			`IFS= read -r -s password_check`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`export password`
			`[ "$password" = "$password_check" ]`
			`}`
			`until askPassword; do`
			`echo "Passwords did not match, please try again."`
			`done`
			`set -x`
			`''}`
luks: apply flags set in `config.settings` 2023-12-31 09:43:53 +03:00			`cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} ${keyFileArgs}`
			`${cryptsetupOpen} --persistent`
			`${toString (lib.forEach config.additionalKeyFiles (keyFile: ''`
			`cryptsetup luksAddKey ${config.device} ${keyFile} ${keyFileArgs}`
			`''))}`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`${lib.optionalString (config.content != null) config.content._create}`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`'';`
			`};`
			`_mount = diskoLib.mkMountOption {`
			`inherit config options;`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`default =`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`let`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`contentMount = config.content._mount;`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`in`
			`{`
			`dev = ''`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`if ! cryptsetup status ${config.name} >/dev/null 2>/dev/null; then`
luks: fix interactive mount Before that it was only attempted to unlock luks with the key from `$password`, however that variable didn't exist before. 2023-10-13 13:32:19 +03:00			`${lib.optionalString config.askPassword ''`
			`set +x`
			`echo "Enter password for ${config.device}"`
Fix read shellcheck warning SC2162 Use `-r` to avoid mangling backslashes, use `IFS=` to not discard leading and trailing whitespace. 2023-10-22 19:32:40 +03:00			`IFS= read -r -s password`
luks: fix interactive mount Before that it was only attempted to unlock luks with the key from `$password`, however that variable didn't exist before. 2023-10-13 13:32:19 +03:00			`export password`
			`set -x`
			`''}`
luks: apply flags set in `config.settings` 2023-12-31 09:43:53 +03:00			`${cryptsetupOpen}`
types luks: add password prompt 2023-09-20 23:16:38 +03:00			`fi`
style: Apply nixpkgs-fmt and fix Apply standard formatting and some statix conventions using; ```sh nixpkgs-fmt **.nix && statix fix . ``` With the intent of making contribution a bit easier and reducing mental load in hand formatting (in the same vein as [black]). [black]: https://github.com/psf/black#the-uncompromising-code-formatter 2023-02-06 17:24:34 +03:00			`${lib.optionalString (config.content != null) contentMount.dev or ""}`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`'';`
style: Apply nixpkgs-fmt and fix Apply standard formatting and some statix conventions using; ```sh nixpkgs-fmt **.nix && statix fix . ``` With the intent of making contribution a bit easier and reducing mental load in hand formatting (in the same vein as [black]). [black]: https://github.com/psf/black#the-uncompromising-code-formatter 2023-02-06 17:24:34 +03:00			`fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`};`
			`};`
			`_config = lib.mkOption {`
			`internal = true;`
			`readOnly = true;`
lib.types: turn _create, _mount and _config into values 2023-07-01 20:02:01 +03:00			`default = [ ]`
luks: add initrdUnlock option to luks type (#233) 2023-05-13 10:10:13 +03:00			`# If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.`
feat(luks): Add settings submodule The settings submodule mirrors the options which can be set for boot.initrd.luks.devices.<name>. The keyFile option is now deprecated and should be declared under settings. 2023-07-10 18:23:05 +03:00			`++ (lib.optional config.initrdUnlock [`
apply treefmt 2023-08-11 09:11:01 +03:00			`{`
			`boot.initrd.luks.devices.${config.name} = {`
			`inherit (config) device;`
			`} // config.settings;`
			`}`
			`]) ++ (lib.optional (config.content != null) config.content._config);`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`description = "NixOS configuration";`
			`};`
			`_pkgs = lib.mkOption {`
			`internal = true;`
			`readOnly = true;`
			`type = lib.types.functionTo (lib.types.listOf lib.types.package);`
style: Apply nixpkgs-fmt and fix Apply standard formatting and some statix conventions using; ```sh nixpkgs-fmt **.nix && statix fix . ``` With the intent of making contribution a bit easier and reducing mental load in hand formatting (in the same vein as [black]). [black]: https://github.com/psf/black#the-uncompromising-code-formatter 2023-02-06 17:24:34 +03:00			`default = pkgs: [ pkgs.cryptsetup ] ++ (lib.optionals (config.content != null) (config.content._pkgs pkgs));`
split disko type into multiple files 2023-01-28 18:19:13 +03:00			`description = "Packages";`
			`};`
			`};`
			`}`