author | Edward Tjörnhammar <ed@cflags.cc> | 2015-09-27 12:42:08 +0200 |
committer | Edward Tjörnhammar <ed@cflags.cc> | 2015-09-27 12:42:08 +0200 |
commit | a0918e2e6266e10602c797d97444181514a241bd (patch) | |
tree | 9a0af661c6950dc1fb96933794b6b54734b8134e /nixos/modules/tasks | |
parent | 136f452107c81511791088485a17de76aae99e0f (diff) | |
parent | 70fd4b4b025a5f5aa5d0a0f565aa73e1c684a025 (diff) | |
Merge pull request #9982 from KoviRobi/fix-encrypted-non-root-devices
encrypted-devices service: Fix keyed mount, clarify descriptions.
Diffstat (limited to 'nixos/modules/tasks')
-rw-r--r-- | nixos/modules/tasks/encrypted-devices.nix | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index 8b5dd22fd380..331531cee151 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -6,6 +6,7 @@ let
 fileSystems = attrValues config.fileSystems ++ config.swapDevices;
 encDevs = filter (dev: dev.encrypted.enable) fileSystems;
 keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
+ keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
 isIn = needle: haystack: filter (p: p == needle) haystack != [];
 anyEncrypted = fold (j: v: v || j.encrypted.enable) false encDevs;
@@ -29,15 +30,15 @@ let
 label = mkOption {
 default = null;
 example = "rootfs";
- type = types.nullOr types.str;
- description = "Label of the backing encrypted device.";
+ type = types.uniq (types.nullOr types.str);
+ description = "Label of the unlocked encrypted device. Set <literal>fileSystems.<name?>.device</literal> to <literal>/dev/mapper/<label></literal> to mount the unlocked device.";
 };
 keyFile = mkOption {
 default = null;
 example = "/root/.swapkey";
 type = types.nullOr types.str;
- description = "File system location of keyfile.";
+ description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
 };
 };
 };
@@ -58,11 +59,11 @@ in
 boot.initrd = {
 luks = {
 devices =
- map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
+ map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
 cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
 };
 postMountCommands =
- concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
+ concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
 };
 };
 } |
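Review bot: The new keyFile description in the second hunk says the keyfile unlocks the drive after the root has been mounted to /mnt-root, but it does not say in which filesystem namespace the path is interpreted; the third hunk passes `${dev.encrypted.keyFile}` to cryptsetup unchanged from inside boot.initrd.postMountCommands, so a value like the option's own example `/root/.swapkey` would presumably be looked up in the initrd's root rather than on the mounted system. The description should state the expected form of the path, e.g. `description = "File system location of keyfile, as seen from the initrd. The root file system is mounted at <literal>/mnt-root</literal> when this runs, so a keyfile stored on it must be given as <literal>/mnt-root/...</literal>.";`, and the example should be brought in line with it. The enclosing options attribute set starts outside the hunk.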
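Review bot: The cryptsetup line built in the third hunk interpolates `keyFile`, `blkDev` and `label` into a shell command without quoting, so a value containing whitespace or shell metacharacters is split into extra arguments or interpreted by the initrd shell instead of being passed through as one argument. Wrapping each interpolated value (for example with `escapeShellArg` if the file's lib scope provides it, otherwise with double quotes) keeps the argument boundaries tied to the option values. The enclosing config attribute set starts outside the hunk.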