From 8158cd6d5e6464adaea135ada586f11b9dfca766 Mon Sep 17 00:00:00 2001
From: Symphorien Gibol
Date: Sat, 14 Oct 2017 18:08:25 +0200
Subject: [PATCH 1/3] nixos/luksroot.nix: fallback to interactive password entry when no keyfile found

---
 nixos/modules/system/boot/luksroot.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 06f004fb06ec..19ca2a2c1bd6 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -43,8 +43,15 @@ let
     open_normally() {
       echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
         ${optionalString (header != null) "--header=${header}"} \
-        ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
         > /.luksopen_args
+      ${optionalString (keyFile != null) ''
+        if [ -e ${keyFile} ]; then
+          echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
+            >> /.luksopen_args
+        else
+          echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
+        fi
+      ''}
       cryptsetup-askpass
       rm /.luksopen_args
     }

From 601fc20248d7c1b4cd3c33209fbc419af8ae0c04 Mon Sep 17 00:00:00 2001
From: Symphorien Gibol
Date: Mon, 23 Oct 2017 22:22:26 +0200
Subject: [PATCH 2/3] nixos/luksroot.nix: add option boot.initrd.luks.devices..fallback

This option, if set to true, enables fallbacking to an interactive passphrase prompt when the specified keyFile is not found. The default is false, which is compatible with previous behavior and doesn't prevent unattended boot.
---
 nixos/modules/system/boot/luksroot.nix | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 19ca2a2c1bd6..a5581b2bdc49 100644
--- a/nixos/modules/system/boot/luksroot.nix
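Review bot: `[ -e ${keyFile} ]` on the added `if` line only tests that the path exists, so a keyfile that is present but unreadable, empty or a directory still takes the `--key-file` branch and cryptsetup fails with no fallback; `if [ -r ${keyFile} ]; then` is closer to what the subsequent luksOpen actually needs. The arguments now land in /.luksopen_args on two lines (the `luksOpen …` line, then the appended ` --key-file=…`), which is only correct if cryptsetup-askpass, outside this hunk, word-splits the file on all whitespace including newlines — worth confirming, or writing the fragment with `printf " %s"` onto the same line. As written the fallback is unconditional for every device with a keyFile, so an unattended host whose keyfile medium is absent now waits at a prompt instead of failing; the stale `\` continuation left on the `--header` line before `> /.luksopen_args` is harmless but easy to misread.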
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
@@ -45,13 +45,15 @@ let
         ${optionalString (header != null) "--header=${header}"} \
         > /.luksopen_args
       ${optionalString (keyFile != null) ''
-        if [ -e ${keyFile} ]; then
+        ${optionalString fallback "if [ -e ${keyFile} ]; then"}
           echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
             >> /.luksopen_args
+        ${optionalString fallback ''
         else
           echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
         fi
         ''}
+        ''}
       cryptsetup-askpass
       rm /.luksopen_args
     }
@@ -330,6 +332,16 @@ in
     '';
     };
 
+    fallback = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to fallback to interactive passphrase prompt if the keyfile
+        cannot be found. This will prevent unattended boot should the keyfile
+        go missing.
+      '';
+    };
+
     yubikey = mkOption {
       default = null;
       description = ''

From b8a85fccd9db8f0fd9ac555605c728ca731b788e Mon Sep 17 00:00:00 2001
From: Symphorien Gibol
Date: Thu, 14 Dec 2017 13:43:14 +0100
Subject: [PATCH 3/3] luksroot.nix: rename fallback to fallbackToPassword

---
 nixos/modules/system/boot/luksroot.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index a5581b2bdc49..a23e0c60de98 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
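Review bot: In the `@@ -45,13 +45,15 @@` hunk the shell `if` opener and its `else … fi` closer are emitted from two separate `optionalString fallback` interpolations, so the generated script is only well-formed as long as both fragments are edited together; a later change to one of them produces a syntax error that only shows up in the initrd. With `fallback = false` the keyfile is no longer checked at all, so a missing keyfile fails inside cryptsetup without the "keyfile … not found" diagnostic that the fallback path prints, which makes the two modes log differently for the same fault. Generating each complete snippet from a single `if fallback then … else …` keeps the shell structure in one place and lets the non-fallback mode still log the missing file while leaving its behaviour (cryptsetup fails on the absent `--key-file`) unchanged; the `--key-file` echo is repeated once, which is the price of not touching the surrounding `let` outside the hunk.
```nix
      ${optionalString (keyFile != null) (if fallback then ''
        if [ -e ${keyFile} ]; then
          echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
            >> /.luksopen_args
        else
          echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
        fi
      '' else ''
        [ -e ${keyFile} ] || echo "keyfile ${keyFile} not found"
        echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
          >> /.luksopen_args
      '')}
      # … unchanged: cryptsetup-askpass, rm /.luksopen_args …
```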
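Review bot: The `fallback` option description in the `@@ -330,6 +332,16 @@` hunk should state that the interactive prompt can only succeed if the LUKS header also carries a passphrase key slot; on a device enrolled with the keyfile alone, enabling this turns a missing keyfile into a prompt that can never unlock the volume rather than a fallback. It should also say that the check is an existence test at open time, so a keyfile that is present but unreadable does not trigger the fallback. Suggested wording: `Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found at boot. The device must also have a passphrase key slot for the prompt to succeed. Enabling this prevents unattended boot should the keyfile go missing.`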
@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
@@ -45,10 +45,10 @@ let
         ${optionalString (header != null) "--header=${header}"} \
         > /.luksopen_args
       ${optionalString (keyFile != null) ''
-        ${optionalString fallback "if [ -e ${keyFile} ]; then"}
+        ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"}
           echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
             >> /.luksopen_args
-        ${optionalString fallback ''
+        ${optionalString fallbackToPassword ''
         else
           echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
         fi
@@ -332,7 +332,7 @@ in
     '';
     };
 
-    fallback = mkOption {
+    fallbackToPassword = mkOption {
       default = false;
       type = types.bool;
       description = ''