types luks: add password prompt

2024-09-17 09:37:17 +03:00 · 2023-09-20 22:16:38 +02:00 · 2023-09-20 22:16:38 +02:00 · 0d39ae5a5b
commit 0d39ae5a5b
parent f02d818e55
1 changed files with 26 additions and 3 deletions
--- a/lib/types/luks.nix
+++ b/lib/types/luks.nix
@ -1,8 +1,10 @@
 { config, options, lib, diskoLib, parent, device, ... }:
 let
  keyFile =
-    if lib.hasAttr "keyFile" config.settings
+    if config.settings ? "keyFile"
    then config.settings.keyFile
+    else if config.askPassword
+    then ''<(set +x; echo -n "$password"; set -x)''
    else if config.passwordFile != null
    # do not print the password to the console
    then ''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''
@ -47,6 +49,11 @@ in
      description = "Path to the file which contains the password for initial encryption";
      example = "/tmp/disk.key";
    };
+    askPassword = lib.mkOption {
+      type = lib.types.bool;
+      default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");
+      description = "Whether to ask for a password for initial encryption";
+    };
    settings = lib.mkOption {
      default = { };
      description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
@ -97,9 +104,24 @@ in
    _create = diskoLib.mkCreateOption {
      inherit config options;
      default = ''
+        ${lib.optionalString config.askPassword ''
+          set +x
+          askPassword() {
+            echo "Enter password for ${config.device}: "
+            read -s password
+            echo "Enter password for ${config.device} again to be safe: "
+            read -s password_check
+            export password
+            [ "$password" = "$password_check" ]
+          }
+          until askPassword; do
+            echo "Passwords did not match, please try again."
+          done
+          set -x
+        ''}
        cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} \
          ${keyFileArgs}
-        cryptsetup luksOpen ${config.device} ${config.name} \
+        cryptsetup open ${config.device} ${config.name} \
          ${toString config.extraOpenArgs} \
          ${keyFileArgs}
        ${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} ${x} ${keyFileArgs}"))}
@ -114,9 +136,10 @@ in
        in
        {
          dev = ''
-            cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
+            if ! cryptsetup status ${config.name} >/dev/null 2>/dev/null; then
              cryptsetup open ${config.device} ${config.name} \
              ${keyFileArgs}
+            fi
            ${lib.optionalString (config.content != null) contentMount.dev or ""}
          '';
          fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };