-rw-r--r--nixos/modules/system/boot/luksroot.nix16
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 19ca2a2c1bd6..a5581b2bdc49 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
@@ -45,13 +45,15 @@ let
           ${optionalString (header != null) "--header=${header}"} \
           > /.luksopen_args
         ${optionalString (keyFile != null) ''
-        if [ -e ${keyFile} ]; then
+        ${optionalString fallback "if [ -e ${keyFile} ]; then"}
             echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
               >> /.luksopen_args
+        ${optionalString fallback ''
         else
             echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
         fi
         ''}
+        ''}
         cryptsetup-askpass
         rm /.luksopen_args
     }
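Review bot: With the new default `fallback = false`, the `--key-file=${keyFile}` line is appended to /.luksopen_args unconditionally, so a missing keyfile is no longer detected here at all; before this commit the `if [ -e … ]` guard always fell back to the interactive prompt, so every existing configuration that sets `keyFile` changes boot behavior without opting in. What actually happens when cryptsetup-askpass is handed a nonexistent key-file path is decided by code outside this hunk (the wrapper and any retry loop are not visible), so whether the machine halts, retries or still prompts should be confirmed and stated in the option description rather than left implicit. If preserving the old behavior is intended, `default = true;` on the new option is the one-line alternative. The enclosing openCommand string starts in the previous hunk and continues past this one.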
@@ -330,6 +332,16 @@ in
             '';
           };
 
+          fallback = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to fallback to interactive passphrase prompt if the keyfile
+              cannot be found. This will prevent unattended boot should the keyfile
+              go missing.
+            '';
+          };
+
           yubikey = mkOption {
             default = null;
             description = ''
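Review bot: The description of the new `fallback` option does not say what happens in the default case, and its second sentence ("This will prevent unattended boot should the keyfile go missing") is ambiguous because an absent keyfile ends unattended boot either way. It should state both branches, e.g. `Whether to fall back to an interactive passphrase prompt when the keyfile is absent at boot. When false (the default), the keyfile path is passed to cryptsetup unconditionally and no "keyfile not found" fallback is offered.`, and note that the pre-existing behavior was the fallback, so the default is a behavioral change for configurations that already set keyFile. The bare name `fallback` also does not say what is fallen back to; `fallbackToPassword` would be self-describing, though the rename would need to be applied in the openCommand destructuring in the first hunk as well.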