authorMartin Wohlert <martin@b-root-force.de>2017-05-22 20:07:04 +0200
committerNikolay Amiantov <ab@fmap.me>2017-07-26 20:57:10 +0300
commitc3d5cfdc3ca709a9c5081b1a11bca533bc4788af (patch)
treefdb842d855be305a8ce94529aee3e97aa21cd8e0 /nixos/modules/config/swap.nix
parent81e998bf0c723c8d0ebb3d1bf8615c88b46bccc8 (diff)
swap: extend randomEncryption to plainOpen and ability to select cipher
Diffstat (limited to 'nixos/modules/config/swap.nix')
-rw-r--r--nixos/modules/config/swap.nix42
1 files changed, 31 insertions, 11 deletions
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix
index 5d47b09ded99..769029e1b045 100644
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -45,7 +45,7 @@ let
         '';
       };
 
-      randomEncryption = mkOption {
+      randomEncryption.enable = mkOption {
         default = false;
         type = types.bool;
         description = ''
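Review bot: Replacing the boolean `randomEncryption` with the attribute set `randomEncryption.enable` breaks every existing configuration that sets `randomEncryption = true;`, because the module system will now reject a bool where a set of options is expected, and nothing in the commit keeps the old form evaluating. The enclosing submodule and `let` start outside the hunk, so I cannot see whether a compatibility shim lives elsewhere; if it does not, a coercion such as `type = types.coercedTo types.bool (enable: { inherit enable; }) (types.submodule { … })` on a single `randomEncryption` option would accept both spellings. Failing that, the description that continues below this hunk should say plainly that the option is now a set and that `randomEncryption.enable` replaces the old boolean.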
@@ -61,6 +61,26 @@ let
         '';
       };
 
+      randomEncryption.cipher = mkOption {
+        default = "aes-xts-plain64";
+        example = "serpent-xts-plain64";
+        type = types.str;
+        description = ''
+          Use specified cipher for randomEncryption.
+
+          Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
+        '';
+      };
+
+      randomEncryption.source = mkOption {
+        default = "/dev/urandom";
+        example = "/dev/random";
+        type = types.str;
+        description = ''
+          Define the source of randomness to obtain a random key for encryption.
+        '';
+      };
+
       deviceName = mkOption {
         type = types.str;
         internal = true;
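Review bot: The new `cipher` option lets users pick an XTS mode but gives them no way to set the key size, and the `plainOpen` call later in this commit passes no `--key-size`, so cryptsetup's default for plain mode applies; for XTS ciphers that default key is split between the two halves of the mode, which, unless I am misreading cryptsetup's defaults, leaves `aes-xts-plain64` running at a 128-bit effective strength. I would add a `randomEncryption.keySize` option next to `cipher` and forward it as `-s` on the cryptsetup command line when set. The `source` description could also warn that a blocking device such as the `/dev/random` example may stall boot on a machine with little early entropy, e.g. `Note: a blocking source can delay boot until enough entropy is available.`
```nix
      randomEncryption.keySize = mkOption {
        default = null;
        example = 512;
        type = types.nullOr types.int;
        description = ''
          Key size in bits passed to cryptsetup as --key-size. When null,
          cryptsetup's default for plain mode is used; XTS ciphers need twice
          the key size of other modes for the same security level.
        '';
      };
      # … unchanged: randomEncryption.source, deviceName …
```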
@@ -77,7 +97,7 @@ let
       device = mkIf options.label.isDefined
         "/dev/disk/by-label/${config.label}";
       deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
-      realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
+      realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
     };
 
   };
@@ -125,14 +145,14 @@ in
 
         createSwapDevice = sw:
           assert sw.device != "";
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
+          assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
+          assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
           let realDevice' = escapeSystemdPath sw.realDevice;
           in nameValuePair "mkswap-${sw.deviceName}"
           { description = "Initialisation of swap device ${sw.device}";
             wantedBy = [ "${realDevice'}.swap" ];
             before = [ "${realDevice'}.swap" ];
-            path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup;
+            path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
 
             script =
               ''
@@ -145,11 +165,11 @@ in
                       truncate --size "${toString sw.size}M" "${sw.device}"
                     fi
                     chmod 0600 ${sw.device}
-                    ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
+                    ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
                   fi
                 ''}
-                ${optionalString sw.randomEncryption ''
-                  cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom
+                ${optionalString sw.randomEncryption.enable ''
+                  cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}
                   mkswap ${sw.realDevice}
                 ''}
               '';
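Review bot: `${sw.randomEncryption.cipher}` and `${sw.randomEncryption.source}` are spliced into the shell command unquoted; both are plain `types.str` with no validation, so a stray space or glob character in the configuration is split by the shell and surfaces as a confusing cryptsetup failure at activation instead of a clear message. Quoting them, `cryptsetup plainOpen -c "${sw.randomEncryption.cipher}" -d "${sw.randomEncryption.source}" ${sw.device} ${sw.deviceName}`, or passing them through `lib.escapeShellArg`, keeps the command well-formed. As a point of style, this line switches to the `plainOpen` alias while the `ExecStop` in the following hunk still uses `luksClose` for the same mapping; cryptsetup documents `open --type plain` and `close` as the generic forms, so one vocabulary throughout would read better. The `script` string and `createSwapDevice` continue outside this hunk.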
@@ -157,12 +177,12 @@ in
             unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
             unitConfig.DefaultDependencies = false; # needed to prevent a cycle
             serviceConfig.Type = "oneshot";
-            serviceConfig.RemainAfterExit = sw.randomEncryption;
-            serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
+            serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
+            serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
             restartIfChanged = false;
           };
 
-      in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices));
+      in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
 
   };