mirror of
https://github.com/nix-community/disko.git
synced 2024-09-17 09:37:17 +03:00
types luks: add password prompt
parent
f02d818e55
commit
0d39ae5a5b
@ -1,8 +1,10 @@
|
||||
{ config, options, lib, diskoLib, parent, device, ... }:
|
||||
let
|
||||
keyFile =
|
||||
if lib.hasAttr "keyFile" config.settings
|
||||
if config.settings ? "keyFile"
|
||||
then config.settings.keyFile
|
||||
else if config.askPassword
|
||||
then ''<(set +x; echo -n "$password"; set -x)''
|
||||
else if config.passwordFile != null
|
||||
# do not print the password to the console
|
||||
then ''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''
|
||||
@ -47,6 +49,11 @@ in
|
||||
description = "Path to the file which contains the password for initial encryption";
|
||||
example = "/tmp/disk.key";
|
||||
};
|
||||
askPassword = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");
|
||||
description = "Whether to ask for a password for initial encryption";
|
||||
};
|
||||
settings = lib.mkOption {
|
||||
default = { };
|
||||
description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
|
||||
@ -97,9 +104,24 @@ in
|
||||
_create = diskoLib.mkCreateOption {
|
||||
inherit config options;
|
||||
default = ''
|
||||
${lib.optionalString config.askPassword ''
|
||||
set +x
|
||||
askPassword() {
|
||||
echo "Enter password for ${config.device}: "
|
||||
read -s password
|
||||
echo "Enter password for ${config.device} again to be safe: "
|
||||
read -s password_check
|
||||
export password
|
||||
[ "$password" = "$password_check" ]
|
||||
}
|
||||
until askPassword; do
|
||||
echo "Passwords did not match, please try again."
|
||||
done
|
||||
set -x
|
||||
''}
|
||||
cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} \
|
||||
${keyFileArgs}
|
||||
cryptsetup luksOpen ${config.device} ${config.name} \
|
||||
cryptsetup open ${config.device} ${config.name} \
|
||||
${toString config.extraOpenArgs} \
|
||||
${keyFileArgs}
|
||||
${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} ${x} ${keyFileArgs}"))}
|
||||
@ -114,9 +136,10 @@ in
|
||||
in
|
||||
{
|
||||
dev = ''
|
||||
cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
|
||||
if ! cryptsetup status ${config.name} >/dev/null 2>/dev/null; then
|
||||
cryptsetup open ${config.device} ${config.name} \
|
||||
${keyFileArgs}
|
||||
fi
|
||||
${lib.optionalString (config.content != null) contentMount.dev or ""}
|
||||
'';
|
||||
fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
|
||||
|
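Review bot: In the new askPassword() helper, `read -s password` strips leading and trailing whitespace and consumes backslashes, so the key written by luksFormat can differ from what the user typed; the confirmation read is altered the same way, so the comparison does not catch it, and the literal passphrase will likely fail at a later unlock prompt. Use `IFS= read -r -s password` (and the same for `password_check`), and emit the value with `printf %s "$password"` instead of `echo -n "$password"`, since bash's echo swallows a value such as `-e` as an option. `export password` also looks unnecessary: the `<(...)` process substitution runs in a subshell that already sees the shell variable, whereas exporting puts the passphrase in the environment of every later child process. Separately, the `dev` mount snippet in the last hunk expands the same `$password`, which is only set by the prompt in `_create`; if the mount script can run on its own (not visible here), it would hand cryptsetup an empty passphrase.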