author | Martin Wohlert <martin@b-root-force.de> | 2017-05-22 20:07:04 +0200 |
committer | Nikolay Amiantov <ab@fmap.me> | 2017-07-26 20:57:10 +0300 |
commit | c3d5cfdc3ca709a9c5081b1a11bca533bc4788af (patch) | |
tree | fdb842d855be305a8ce94529aee3e97aa21cd8e0 /nixos/modules | |
parent | 81e998bf0c723c8d0ebb3d1bf8615c88b46bccc8 (diff) | |
swap: extend randomEncryption to plainOpen and ability to select cipher
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/swap.nix | 42 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 2 |
2 files changed, 32 insertions, 12 deletions
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix
index 5d47b09ded99..769029e1b045 100644
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -45,7 +45,7 @@ let
       '';
     };
 
-    randomEncryption = mkOption {
+    randomEncryption.enable = mkOption {
       default = false;
       type = types.bool;
       description = ''
@@ -61,6 +61,26 @@ let
       '';
     };
 
+    randomEncryption.cipher = mkOption {
+      default = "aes-xts-plain64";
+      example = "serpent-xts-plain64";
+      type = types.str;
+      description = ''
+        Use specified cipher for randomEncryption.
+
+        Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
+      '';
+    };
+
+    randomEncryption.source = mkOption {
+      default = "/dev/urandom";
+      example = "/dev/random";
+      type = types.str;
+      description = ''
+        Define the source of randomness to obtain a random key for encryption.
+      '';
+    };
+
     deviceName = mkOption {
       type = types.str;
       internal = true;
@@ -77,7 +97,7 @@ let
       device = mkIf options.label.isDefined
         "/dev/disk/by-label/${config.label}";
       deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
-      realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
+      realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
     };
 
   };
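Review bot: Renaming `randomEncryption` to `randomEncryption.enable` in the first hunk has no compatibility path, so an existing configuration that sets `randomEncryption = true;` on a swap entry now fails to evaluate (a boolean assigned where an attribute set is expected) instead of keeping that swap encrypted. Consider keeping the old spelling accepted, for instance by declaring `randomEncryption` once with a coercing type along the lines of `type = types.coercedTo types.bool (enable: { inherit enable; }) (types.submodule { options = { enable = ...; cipher = ...; source = ...; }; });`, and mention the rename in the release notes. The submodule these options belong to starts and ends outside the hunk.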
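Review bot: The description of `randomEncryption.source` in the second hunk does not tell the reader what the choice affects, and it matters: the swap key is whatever the device returns at the moment the `mkswap-*` unit runs, and the default `/dev/urandom` never blocks, so on a freshly booted machine with little entropy it can presumably answer before the kernel pool is seeded, whereas `/dev/random` blocks until it is. Suggested description text: `Device to read the one-time swap key from. /dev/urandom never blocks; /dev/random blocks until the kernel entropy pool is seeded, which is the safer choice on systems with little entropy early in boot.` The `cipher` description could likewise state that the key size is cryptsetup's default unless one is passed explicitly, since the option only selects the cipher spec.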
@@ -125,14 +145,14 @@ in
 
     createSwapDevice = sw:
       assert sw.device != "";
-      assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
-      assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
+      assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
+      assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
       let realDevice' = escapeSystemdPath sw.realDevice;
       in nameValuePair "mkswap-${sw.deviceName}"
       { description = "Initialisation of swap device ${sw.device}";
         wantedBy = [ "${realDevice'}.swap" ];
         before = [ "${realDevice'}.swap" ];
-        path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup;
+        path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
         script =
           ''
@@ -145,11 +165,11 @@ in
                   truncate --size "${toString sw.size}M" "${sw.device}"
                 fi
                 chmod 0600 ${sw.device}
-                ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
+                ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
               fi
             ''}
-            ${optionalString sw.randomEncryption ''
-              cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom
+            ${optionalString sw.randomEncryption.enable ''
+              cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}
               mkswap ${sw.realDevice}
             ''}
           '';
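Review bot: The new `cryptsetup plainOpen` line in the second hunk leaves the key size at cryptsetup's plain-mode default, which for an XTS cipher such as the default `aes-xts-plain64` is a 256-bit key split into two 128-bit halves, i.e. AES-128-XTS rather than AES-256; now that the cipher is configurable it would be consistent to expose `--key-size` as well (512 for the XTS default), and because `-d ${sw.randomEncryption.source}` reads exactly key-size bytes from the source, the larger key costs nothing. Separately, `randomEncryption.cipher` and `randomEncryption.source` are free-form `types.str` values spliced into the shell script unquoted, so a value containing whitespace or shell metacharacters is word-split by bash; wrapping them keeps the command intact: `cryptsetup plainOpen -c ${lib.escapeShellArg sw.randomEncryption.cipher} -d ${lib.escapeShellArg sw.randomEncryption.source} ${sw.device} ${sw.deviceName}`. The `script` string this line lives in opens in the previous hunk and its enclosing `createSwapDevice` continues past this one.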
@@ -157,12 +177,12 @@ in
         unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
         unitConfig.DefaultDependencies = false; # needed to prevent a cycle
         serviceConfig.Type = "oneshot";
-        serviceConfig.RemainAfterExit = sw.randomEncryption;
-        serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
+        serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
+        serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
         restartIfChanged = false;
       };
 
-    in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices));
+    in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
 
   };
 
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 02870878c0f3..d6e3e3a87d01 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -207,7 +207,7 @@ let
       preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
 
     resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
-                    (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption
+                    (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable
                                  # Don't include zram devices
                                  && !(hasPrefix "/dev/zram" sd.device)
                            ) config.swapDevices);
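Review bot: The rewritten `serviceConfig.ExecStop` line still tears the mapping down with `cryptsetup luksClose`, while the mapping is now explicitly created with `plainOpen` and carries no LUKS header; `luksClose` is an alias of `close` and works on any dm-crypt mapping, so this is a readability point rather than a bug, but the pair `plainOpen` / `luksClose` invites the wrong conclusion about what is on the device. Suggested line: `serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup close ${sw.deviceName}";`. The `nameValuePair` attribute set this line belongs to starts outside the hunk.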