author | Camille Mondon <camillemondon@free.fr> | 2023-11-18 19:37:56 +0000 |
committer | Julien Malka <julien@malka.sh> | 2023-12-02 11:55:47 +0000 |
commit | 27493b4d49b6d92f4baa049424cbb2fa48b4c948 (patch) | |
tree | 2b6f983b61f29ec542efbf8ae666a2f4f9081e74 /nixos/modules/tasks/filesystems | |
parent | bea9ec6d4ae820ee21bb1f8c37fd073678423180 (diff) | |
nixos/clevis: init
Co-Authored-By: Julien Malka <julien@malka.sh>
Diffstat (limited to 'nixos/modules/tasks/filesystems')
-rw-r--r-- | nixos/modules/tasks/filesystems/bcachefs.nix | 10 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 13 |
2 files changed, 20 insertions, 3 deletions
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
index f28fd5cde9c1..639ff87841b6 100644
--- a/nixos/modules/tasks/filesystems/bcachefs.nix
+++ b/nixos/modules/tasks/filesystems/bcachefs.nix
@@ -57,7 +57,15 @@ let
 # bcachefs does not support mounting devices with colons in the path, ergo we don't (see #49671)
 firstDevice = fs: lib.head (lib.splitString ":" fs.device);
- openCommand = name: fs: ''
+ openCommand = name: fs: if config.boot.initrd.clevis.enable && (lib.hasAttr (firstDevice fs) config.boot.initrd.clevis.devices) then ''
+ if clevis decrypt < /etc/clevis/${firstDevice fs}.jwe | bcachefs unlock ${firstDevice fs}
+ then
+ printf "unlocked ${name} using clevis\n"
+ else
+ printf "falling back to interactive unlocking...\n"
+ tryUnlock ${name} ${firstDevice fs}
+ fi
+ '' else ''
 tryUnlock ${name} ${firstDevice fs}
 '';
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 72bc79f31b68..fd92a0014002 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -17,6 +17,9 @@ let
 cfgZED = config.services.zfs.zed;
 selectModulePackage = package: config.boot.kernelPackages.${package.kernelModuleAttribute};
+ clevisDatasets = map (e: e.device) (filter (e: (hasAttr e.device config.boot.initrd.clevis.devices) && e.fsType == "zfs" && (fsNeededForBoot e)) config.system.build.fileSystems);
+
+
 inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems;
 inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems;
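Review bot: The `if clevis decrypt ... | bcachefs unlock ...` test in the new clevis branch only sees the exit status of `bcachefs unlock`, so a `clevis decrypt` failure (unreachable Tang server, PCR mismatch, missing `.jwe`) is caught only indirectly, because the unlock happens to reject an empty or truncated key, and the "falling back" message gives no hint which side failed. In the scripted initrd's POSIX shell there is no `pipefail`, so I would capture the clevis result explicitly: `if key=$(clevis decrypt < /etc/clevis/${firstDevice fs}.jwe) && printf '%s' "$key" | bcachefs unlock ${firstDevice fs}`. Unlike the zfs import unit in the same commit, nothing here orders the unlock after the network comes up when `useTang` is set; if this command can run before initrd networking is ready, the clevis attempt will always fall through to the interactive prompt. `tryUnlock`, which the fallback calls, is defined outside this hunk.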
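Review bot: `clevisDatasets` keeps only `fileSystems` entries that are `neededForBoot`, but the same list is reused by the non-initrd import script (the hunk at old line 623), so a `boot.initrd.clevis.devices` entry for an encrypted dataset that is not needed for boot is silently never unlocked by either path; either build a second list without the `fsNeededForBoot` filter for the stage-2 use or document that only boot-critical datasets are supported. The list is also keyed on the mounted dataset (`e.device`), while `zfs load-key` must be run on the encryption root; if users mount a child of the encryption root (for example `rpool/enc/root` under `rpool/enc`), the generated `zfs load-key` presumably fails, so consider documenting that the clevis device must be the encryption root, or resolving `encryptionroot` at runtime. I would add a comment on the binding: `# Datasets to unlock with clevis in the initrd: boot-critical ZFS file systems whose device name has a matching boot.initrd.clevis.devices entry.`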
@@ -120,12 +123,12 @@ let
 # but don't *require* it, because mounts shouldn't be killed if it's stopped.
 # In the future, hopefully someone will complete this:
 # https://github.com/zfsonlinux/zfs/pull/4943
- wants = [ "systemd-udev-settle.service" ];
+ wants = [ "systemd-udev-settle.service" ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target";
 after = [
 "systemd-udev-settle.service"
 "systemd-modules-load.service"
 "systemd-ask-password-console.service"
- ];
+ ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target";
 requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
 before = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
 unitConfig = {
@@ -154,6 +157,9 @@ let
 poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool.
 fi
 if poolImported "${pool}"; then
+ ${concatMapStringsSep "\n" (elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key ${elem} || true ") (filter (p: (elemAt (splitString "/" p) 0) == pool) clevisDatasets)}
+
+
 ${optionalString keyLocations.hasKeys ''
 ${keyLocations.command} | while IFS=$'\t' read ds kl ks; do
 {
@@ -623,6 +629,9 @@ in
 fi
 poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool.
 fi
+
+ ${concatMapStringsSep "\n" (elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key ${elem}") (filter (p: (elemAt (splitString "/" p) 0) == pool) clevisDatasets)}
+
 ${if isBool cfgZfs.requestEncryptionCredentials then optionalString cfgZfs.requestEncryptionCredentials ''
 zfs load-key -a |
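Review bot: The `wants`/`after` ordering on `network-online.target` is gated only on `config.boot.initrd.clevis.useTang`, so every per-pool import unit, including pools that have no clevis-managed dataset at all, now waits for the network before importing; if the initrd network never comes up that delays the whole boot until the wait-online timeout rather than only the pool that actually needs Tang. I would gate on the pool's own clevis datasets, e.g. `poolUsesTang = config.boot.initrd.clevis.useTang && (filter (p: elemAt (splitString "/" p) 0 == pool) clevisDatasets) != [];` and use `++ optional poolUsesTang "network-online.target"` in both places. The per-pool unit generator that these attributes belong to starts before this hunk, so the helper would need to live there.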
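Review bot: In the initrd load-key line, `zfs load-key ${elem}` reads the key from the dataset's `keylocation`, so the piped clevis output is only used when that property is `prompt`; for any other keylocation the pipe is ignored and, as far as the `|| true` is concerned, the result is the same silent fall-through to the interactive loop below. Passing `-L prompt` makes the command read the piped key regardless, and the `|| true` should at least say why the prompt is about to appear, mirroring the bcachefs message in this commit: `clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key -L prompt ${elem} || echo \"clevis unlock of ${elem} failed, falling back to interactive unlocking\"`. The same `-L prompt` concern applies to the stage-2 variant in the last hunk, which also drops the `|| true`, so a clevis failure there presumably aborts the script before `requestEncryptionCredentials` gets a chance to prompt. The `if poolImported` block this sits in is opened and closed outside the hunk.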