From 22f73bfd85f7dc5d458fe65439b6ad967e1ec75a Mon Sep 17 00:00:00 2001
From: Edward Tjörnhammar
Date: Sat, 26 Apr 2014 23:26:23 +0200
Subject: Enable encrypted backing devices in fileystem configurations

---
 nixos/modules/module-list.nix             |  1 +
 nixos/modules/tasks/encrypted-devices.nix | 69 +++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 nixos/modules/tasks/encrypted-devices.nix

(limited to 'nixos/modules')

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a769914499d1..58d3478afb40 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -311,6 +311,7 @@
   ./tasks/filesystems/vfat.nix
   ./tasks/filesystems/xfs.nix
   ./tasks/filesystems/zfs.nix
+  ./tasks/encrypted-devices.nix
   ./tasks/kbd.nix
   ./tasks/lvm.nix
   ./tasks/network-interfaces.nix
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
new file mode 100644
index 000000000000..e80762a170c4
--- /dev/null
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, modulesPath, ... }:
+
+with pkgs.lib;
+
+let
+  fileSystems = attrValues config.fileSystems ++ config.swapDevices;
+  encDevs = filter (dev: dev.encrypted.enable) fileSystems;
+  keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
+  isIn = needle: haystack: filter (p: p == needle) haystack != [];
+  anyEncrypted =
+    fold (j: v: v || j.encrypted.enable) false encDevs;
+
+  encryptedFSOptions = {
+
+    encrypted = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry";
+      };
+
+      blkDev = mkOption {
+        default = null;
+        example = "/dev/sda1";
+        type = types.uniq (types.nullOr types.string);
+        description = "Location of the backing encrypted device";
+      };
+
+      label = mkOption {
+        default = null;
+        example = "rootfs";
+        type = types.uniq (types.nullOr types.string);
+        description = "Label of the backing encrypted device";
+      };
+
+      keyFile = mkOption {
+        default = null;
+        example = "/root/.swapkey";
+        type = types.uniq (types.nullOr types.string);
+        description = "File system location of keyfile";
+      };
+    };
+  };
+in
+
+{
+
+  options = {
+    fileSystems = mkOption {
+      options = [encryptedFSOptions];
+    };
+    swapDevices = mkOption {
+      options = [encryptedFSOptions];
+    };
+  };
+
+  config = mkIf anyEncrypted {
+    boot.initrd = {
+      luks = {
+        devices =
+          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
+        cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
+      };
+      postMountCommands =
+        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
+    };
+  };
+}
+
-- 
cgit 1.4.1
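Review bot: The `postMountCommands` string near the end of the hunk runs `cryptsetup luksOpen --key-file ${keyFile} ${label}` with a single positional argument, so cryptsetup takes the label as the device and has no mapping name to create; the line needs both, `cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};`. The same key-file devices are also fed into `boot.initrd.luks.devices`, which is built from all of `encDevs` rather than from the devices without a `keyFile`, so stage 1 will demand a passphrase for them before the key-file unlock ever runs; deriving `devices` from `filter (dev: dev.encrypted.keyFile == null) encDevs` keeps the two paths separate. `keyFile` is interpolated verbatim into initrd shell at a point where the real root is presumably mounted under the stage-1 target directory rather than at `/`, so an example like `/root/.swapkey` would not resolve — the option description should state which mount point the path is resolved against. Because `blkDev` and `label` default to `null` with no `assertions` entry tying them to `enable = true`, a half-configured device surfaces as a `null` in `luks.devices` instead of a clear evaluation error. `isIn` is defined and never used.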