diff --git a/modules/module-list.nix b/modules/module-list.nix
index 5e6ed0095f2e..1364b28182d1 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -146,6 +146,7 @@
   ./system/activation/activation-script.nix
   ./system/activation/top-level.nix
   ./system/boot/kernel.nix
+  ./system/boot/luksroot.nix
   ./system/boot/modprobe.nix
   ./system/boot/stage-1.nix
   ./system/boot/stage-2.nix
diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix
new file mode 100644
index 000000000000..f345db459f0f
--- /dev/null
+++ b/modules/system/boot/luksroot.nix
@@ -0,0 +1,45 @@
+{pkgs, config, ...}:
+
+with pkgs.lib;
+
+let
+  luksRoot = config.boot.initrd.luksRoot;
+in
+{
+
+  options = {
+
+    boot.initrd.luksRoot = mkOption {
+      default = null;
+      example = "/dev/sda3";
+      description = '';
+        The device that should be decrypted using LUKS before trying to mount the
+        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
+
+        Make sure that initrd has the crypto modules needed for decryption.
+
+        The decrypted device name is /dev/mapper/luksroot.
+      '';
+    };
+
+  };
+
+
+
+  config = mkIf (luksRoot != null) {
+
+    boot.initrd.extraUtilsCommands = ''
+      cp -r ${pkgs.cryptsetup}/lib/* $out/lib/
+      cp -r ${pkgs.popt}/lib/* $out/lib
+      cp ${pkgs.cryptsetup}/sbin/* $out/bin
+    '';
+
+    boot.initrd.postDeviceCommands = ''
+      cryptsetup luksOpen ${luksRoot} luksroot
+      lvm vgscan
+      lvm vgchange -ay
+    '';
+
+  };
+
+}
\ No newline at end of file
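Review bot: `cryptsetup luksOpen ${luksRoot} luksroot` in postDeviceCommands runs with no exit-status check, so a mistyped passphrase or a missing dm-crypt module falls straight through to `lvm vgscan` / `lvm vgchange -ay` and the failure only surfaces later, when the root filesystem cannot be mounted. Retrying on failure keeps a single typo from ending the unlock attempt: `until cryptsetup luksOpen ${luksRoot} luksroot; do echo "Unlocking ${luksRoot} failed, retrying"; done` (whether a non-zero status aborts the stage-1 script at all depends on that script, which is outside this file). The description promises LUKS-over-LVM as well, but the volume group is activated only after luksOpen, so that layout works only if LVM is already active before postDeviceCommands run; either state that in the description or activate LVM ahead of the unlock. The option line also reads `description = '';`, a stray semicolon before the multi-line string unless it is a rendering artifact.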