author | Vladimír Čunát <vladimir.cunat@nic.cz> | 2022-09-11 08:43:51 +0200 |
---|---|---|
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2022-09-11 08:43:51 +0200 |
commit | a3d7dfe8a3f90e8d328286a71d326b20d48d5ffe (patch) | |
tree | 18dc1da93f7fb885a3f3e116288412c51c00150b /nixos | |
parent | b6caee49dcfe12caf6f5ce07cc1461ed34b8955a (diff) | |
parent | 0fcee2222d74c1482f087d99cf786c552dd3fa78 (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/databases/influxdb.nix | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 18 |
2 files changed, 17 insertions, 7 deletions
diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix
index 9b3922c70af3..b3361d2014ca 100644
--- a/nixos/modules/services/databases/influxdb.nix
+++ b/nixos/modules/services/databases/influxdb.nix
@@ -96,10 +96,8 @@ let
       };
     } cfg.extraConfig;
 
-  configFile = pkgs.runCommandLocal "config.toml" {
-    nativeBuildInputs = [ pkgs.remarshal ];
-  } ''
-    remarshal -if json -of toml \
+  configFile = pkgs.runCommandLocal "config.toml" { } ''
+    ${pkgs.buildPackages.remarshal}/bin/remarshal -if json -of toml \
       < ${pkgs.writeText "config.json" (builtins.toJSON configOptions)} \
       > $out
   '';
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index a076ea24a422..38f8b6fd87c2 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -148,6 +148,7 @@ let
       + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
       + optionalString (dev.header != null) " --header=${dev.header}";
     cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
+    fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
   in ''
     # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
     # if on a USB drive.
@@ -417,7 +418,7 @@ let
       }
     ''}
 
-    ${optionalString (luks.fido2Support && (dev.fido2.credential != null)) ''
+    ${optionalString (luks.fido2Support && fido2luksCredentials != []) ''
     open_with_hardware() {
       local passsphrase
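Review bot: The switch from `nativeBuildInputs = [ pkgs.remarshal ]` to an explicit `${pkgs.buildPackages.remarshal}/bin/remarshal` path in the new `configFile` derivation carries no comment, and the reason is not obvious from the line itself. Presumably this is a cross-compilation fix (remarshal runs on the build host, so it must come from `buildPackages` rather than the target package set); a one-line comment such as `# remarshal runs at build time, so take it from buildPackages (cross-compilation)` would stop the next maintainer from reverting it to `nativeBuildInputs`. Separately, the rendered config, including whatever is in `cfg.extraConfig`, still lands in the world-readable Nix store via `writeText`; that predates this change, but a short warning comment against putting credentials in `extraConfig` would be cheap here.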
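Review bot: The new `fido2luksCredentials` binding keeps duplicates if the same ID is given both as `fido2.credential` and inside `fido2.credentials`, and nothing says why the two options are merged. Writing it as `fido2luksCredentials = lib.unique (dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential);` avoids handing the same credential to fido2luks twice, and a comment like `# the older single-credential option is folded into the list so both keep working` records the intent. `optional` is used unqualified; the `let` this sits in starts above the hunk, so I assume `lib` is already in scope there as it is for `optionalString`.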
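Review bot: The `local passsphrase` context line directly under the changed guard declares a misspelled name, so the `$passphrase` that the `fido2luks open` call in the next hunk reads is not actually function-local; this predates the commit, but since the commit already touches this function's guard it is the natural place to change it to `local passphrase`. The body of `open_with_hardware` continues past the end of the hunk, so I cannot see where `passphrase` is assigned or whether anything else depends on it leaking out of the function.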
@@ -433,7 +434,7 @@ let
         echo "Please move your mouse to create needed randomness."
       ''}
       echo "Waiting for your FIDO2 device..."
-      fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} ${dev.fido2.credential} --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
+      fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} "${builtins.concatStringsSep "," fido2luksCredentials}" --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
       if [ $? -ne 0 ]; then
         echo "No FIDO2 key found, falling back to normal open procedure"
         open_normally
@@ -444,7 +445,7 @@ let
     # commands to run right before we mount our device
     ${dev.preOpenCommands}
 
-    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && (dev.fido2.credential != null)) then ''
+    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && fido2luksCredentials != []) then ''
     open_with_hardware
     '' else ''
     open_normally
@@ -695,6 +696,17 @@ in
           description = lib.mdDoc "The FIDO2 credential ID.";
         };
 
+        credentials = mkOption {
+          default = [];
+          example = [ "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2" ];
+          type = types.listOf types.str;
+          description = lib.mdDoc ''
+            List of FIDO2 credential IDs.
+
+            Use this if you have multiple FIDO2 keys you want to use for the same luks device.
+          '';
+        };
+
         gracePeriod = mkOption {
           default = 10;
           type = types.int;
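Review bot: On the rewritten `fido2luks open` line the new credential list is double-quoted, but `--salt string:$passphrase` on the same line is still unquoted, so a passphrase containing whitespace or glob characters is word-split by the initrd shell before fido2luks sees it; `--salt "string:$passphrase"` makes the line consistent with the quoting just added. The comma-joined argument also assumes fido2luks accepts several credential IDs separated by commas in that position, which is not visible here and deserves a comment such as `# fido2luks accepts a comma-separated list of credential IDs`. Because the IDs are interpolated into this shell string at Nix evaluation time, a value containing `"` or `$` would change the generated script; the option types in this commit do not rule such values out.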
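Review bot: The new `credentials` option is typed `types.listOf types.str`, so a credential ID containing a stray space or shell-significant character passes evaluation and only fails at boot, inside the initrd where the value is spliced into the `fido2luks` command line. The example is a plain hex string; if that is the only form fido2luks accepts, `type = types.listOf (types.strMatching "[0-9a-fA-F]+");` would reject typos at build time instead, and the same tightening could be applied to the older `credential` option whose declaration ends just above. The description should also state how this list relates to `credential`, for instance by adding `These are used in addition to the single credential option, if that is set.` to the mdDoc text.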