2014-05-05 19:58:51 +01:00
|
|
|
{ config, lib, ... }:
|
2014-04-26 22:26:23 +01:00
|
|
|
|
2014-05-05 19:58:51 +01:00
|
|
|
with lib;
|
2014-04-26 22:26:23 +01:00
|
|
|
|
|
|
|
let
|
2015-11-25 19:09:09 +00:00
|
|
|
fileSystems = config.system.build.fileSystems ++ config.swapDevices;
|
2014-04-26 22:26:23 +01:00
|
|
|
encDevs = filter (dev: dev.encrypted.enable) fileSystems;
|
2023-10-23 22:40:34 +01:00
|
|
|
|
|
|
|
# With scripted initrd, devices with a keyFile have to be opened
|
|
|
|
# late, after file systems are mounted, because that could be where
|
|
|
|
# the keyFile is located. With systemd initrd, each individual
|
|
|
|
# systemd-cryptsetup@ unit has RequiresMountsFor= to delay until all
|
|
|
|
# the mount units for the key file are done; i.e. no special
|
|
|
|
# treatment is needed.
|
|
|
|
lateEncDevs =
|
|
|
|
if config.boot.initrd.systemd.enable
|
|
|
|
then { }
|
|
|
|
else filter (dev: dev.encrypted.keyFile != null) encDevs;
|
|
|
|
earlyEncDevs =
|
|
|
|
if config.boot.initrd.systemd.enable
|
|
|
|
then encDevs
|
|
|
|
else filter (dev: dev.encrypted.keyFile == null) encDevs;
|
|
|
|
|
2014-04-26 22:26:23 +01:00
|
|
|
anyEncrypted =
|
2021-01-25 06:57:48 +00:00
|
|
|
foldr (j: v: v || j.encrypted.enable) false encDevs;
|
2014-04-26 22:26:23 +01:00
|
|
|
|
|
|
|
encryptedFSOptions = {
|
|
|
|
|
2019-01-26 19:44:05 +00:00
|
|
|
options.encrypted = {
|
2014-04-26 22:26:23 +01:00
|
|
|
enable = mkOption {
|
|
|
|
default = false;
|
|
|
|
type = types.bool;
|
2022-07-19 14:05:45 +01:00
|
|
|
description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry.";
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
|
2019-02-02 16:31:31 +00:00
|
|
|
blkDev = mkOption {
|
2014-04-26 22:26:23 +01:00
|
|
|
default = null;
|
|
|
|
example = "/dev/sda1";
|
2015-08-17 18:52:45 +01:00
|
|
|
type = types.nullOr types.str;
|
2022-07-19 14:05:45 +01:00
|
|
|
description = "Location of the backing encrypted device.";
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
|
2019-02-02 16:31:31 +00:00
|
|
|
label = mkOption {
|
2014-04-26 22:26:23 +01:00
|
|
|
default = null;
|
|
|
|
example = "rootfs";
|
2015-11-26 14:40:31 +00:00
|
|
|
type = types.nullOr types.str;
|
2022-07-19 14:05:45 +01:00
|
|
|
description = "Label of the unlocked encrypted device. Set `fileSystems.<name?>.device` to `/dev/mapper/<label>` to mount the unlocked device.";
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
|
2019-02-02 16:31:31 +00:00
|
|
|
keyFile = mkOption {
|
2014-04-26 22:26:23 +01:00
|
|
|
default = null;
|
2017-10-16 16:46:46 +01:00
|
|
|
example = "/mnt-root/root/.swapkey";
|
2015-08-17 18:52:45 +01:00
|
|
|
type = types.nullOr types.str;
|
2022-07-19 14:05:45 +01:00
|
|
|
description = ''
|
2020-07-27 01:05:21 +01:00
|
|
|
Path to a keyfile used to unlock the backing encrypted
|
2023-10-23 22:40:34 +01:00
|
|
|
device. When systemd stage 1 is not enabled, at the time
|
|
|
|
this keyfile is accessed, the `neededForBoot` filesystems
|
|
|
|
(see `utils.fsNeededForBoot`) will have been mounted under
|
|
|
|
`/mnt-root`, so the keyfile path should usually start with
|
|
|
|
"/mnt-root/". When systemd stage 1 is enabled,
|
|
|
|
`fsNeededForBoot` file systems will be mounted as needed
|
|
|
|
under `/sysroot`, and the keyfile will not be accessed until
|
|
|
|
its requisite mounts are done.
|
2020-07-27 01:05:21 +01:00
|
|
|
'';
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
options = {
|
|
|
|
fileSystems = mkOption {
|
2020-08-23 00:28:45 +01:00
|
|
|
type = with lib.types; attrsOf (submodule encryptedFSOptions);
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
swapDevices = mkOption {
|
2019-01-26 19:44:05 +00:00
|
|
|
type = with lib.types; listOf (submodule encryptedFSOptions);
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf anyEncrypted {
|
2023-10-23 22:40:34 +01:00
|
|
|
assertions = concatMap (dev: [
|
|
|
|
{
|
|
|
|
assertion = dev.encrypted.label != null;
|
|
|
|
message = ''
|
|
|
|
The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion =
|
|
|
|
config.boot.initrd.systemd.enable -> (
|
|
|
|
dev.encrypted.keyFile == null
|
|
|
|
|| !lib.any (x: lib.hasPrefix x dev.encrypted.keyFile) ["/mnt-root" "$targetRoot"]
|
|
|
|
);
|
|
|
|
message = ''
|
|
|
|
Bad use of '/mnt-root' or '$targetRoot` in 'keyFile'.
|
|
|
|
|
|
|
|
When 'boot.initrd.systemd.enable' is enabled, file systems
|
|
|
|
are mounted at '/sysroot' instead of '/mnt-root'.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
]) encDevs;
|
2017-09-23 19:02:16 +01:00
|
|
|
|
2014-04-26 22:26:23 +01:00
|
|
|
boot.initrd = {
|
|
|
|
luks = {
|
|
|
|
devices =
|
2020-07-27 01:05:21 +01:00
|
|
|
builtins.listToAttrs (map (dev: {
|
|
|
|
name = dev.encrypted.label;
|
2023-10-23 22:40:34 +01:00
|
|
|
value = { device = dev.encrypted.blkDev; inherit (dev.encrypted) keyFile; };
|
|
|
|
}) earlyEncDevs);
|
2017-09-14 03:44:14 +01:00
|
|
|
forceLuksSupportInInitrd = true;
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
2023-04-22 15:39:30 +01:00
|
|
|
# TODO: systemd stage 1
|
|
|
|
postMountCommands = lib.mkIf (!config.boot.initrd.systemd.enable)
|
|
|
|
(concatMapStrings (dev:
|
2020-07-27 01:05:21 +01:00
|
|
|
"cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
|
2023-04-22 15:39:30 +01:00
|
|
|
) lateEncDevs);
|
2014-04-26 22:26:23 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|