authorSymphorien Gibol <symphorien+git@xlumurb.eu>2017-10-23 22:22:26 +0200
committerSymphorien Gibol <symphorien+git@xlumurb.eu>2017-10-23 22:22:26 +0200
commit601fc20248d7c1b4cd3c33209fbc419af8ae0c04 (patch)
treebdc04c8bba9037a6c4d283442e2fcf5fb08683ab /nixos/modules/system
parent8158cd6d5e6464adaea135ada586f11b9dfca766 (diff)
nixos/luksroot.nix: add option boot.initrd.luks.devices.<name?>.fallback
This option, if set to true, enables falling back to an interactive
passphrase prompt when the specified keyFile is not found.

The default is false, which is compatible with previous behavior and
doesn't prevent unattended boot.
Diffstat (limited to 'nixos/modules/system')
-rw-r--r--nixos/modules/system/boot/luksroot.nix16
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 19ca2a2c1bd6..a5581b2bdc49 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
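Review bot: The new parameter `fallback` in the openCommand argument set does not say what is fallen back to, whereas its neighbours (`keyFile`, `allowDiscards`, `yubikey`) each name their subject; a name such as `fallbackToPassword` would make the parameter, the option in the third hunk and the generated shell self-describing. This is naming only and does not change behaviour. openCommand's body continues past the end of this hunk.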
@@ -45,13 +45,15 @@ let
           ${optionalString (header != null) "--header=${header}"} \
           > /.luksopen_args
         ${optionalString (keyFile != null) ''
-        if [ -e ${keyFile} ]; then
+        ${optionalString fallback "if [ -e ${keyFile} ]; then"}
             echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
               >> /.luksopen_args
+        ${optionalString fallback ''
         else
             echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
         fi
         ''}
+        ''}
         cryptsetup-askpass
         rm /.luksopen_args
     }
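Review bot: The rewritten test line `${optionalString fallback "if [ -e ${keyFile} ]; then"}` expands the key file path unquoted into the shell, so a path containing whitespace or glob characters breaks the test; the removed line had the same shape, but since the line is being rewritten anyway it is the moment to quote it, e.g. `${optionalString fallback ''if [ -e "${keyFile}" ]; then''}`. Note also that with the default `fallback = false` the existence check the parent performed unconditionally (the removed line) disappears and `--key-file=${keyFile}` is written to /.luksopen_args regardless, so a missing key file presumably surfaces as a cryptsetup failure rather than a prompt; if that is the intended reading of "compatible with previous behavior" in the commit message, the option description should spell it out. The openCommand string this hunk belongs to starts outside the hunk.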
@@ -330,6 +332,16 @@ in
             '';
           };
 
+          fallback = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to fallback to interactive passphrase prompt if the keyfile
+              cannot be found. This will prevent unattended boot should the keyfile
+              go missing.
+            '';
+          };
+
           yubikey = mkOption {
             default = null;
             description = ''
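Review bot: The description of the new `fallback` option says what `true` does but not what `false` (the default) does, and uses "fallback" as a verb. From the second hunk, `false` means the `--key-file=${keyFile}` argument is added unconditionally, so a missing key file is handed to cryptsetup as-is instead of prompting; suggested text: `Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. When false (the default), the keyfile is passed to cryptsetup unconditionally and unlocking fails if it is missing; when true, a missing keyfile will block unattended boot at the prompt.` The enclosing attribute set continues beyond the hunk.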