nixos/boot.initrd.clevis: remove with lib;

This commit is contained in:
Felix Buehler 2024-08-28 21:19:12 +02:00 committed by Jörg Thalheim
parent 1cd7970bb8
commit 91cb7594d0


@ -1,54 +1,51 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.boot.initrd.clevis; cfg = config.boot.initrd.clevis;
systemd = config.boot.initrd.systemd; systemd = config.boot.initrd.systemd;
supportedFs = [ "zfs" "bcachefs" ]; supportedFs = [ "zfs" "bcachefs" ];
in in
{ {
meta.maintainers = with maintainers; [ julienmalka camillemndn ]; meta.maintainers = with lib.maintainers; [ julienmalka camillemndn ];
meta.doc = ./clevis.md; meta.doc = ./clevis.md;
options = { options = {
boot.initrd.clevis.enable = mkEnableOption "Clevis in initrd"; boot.initrd.clevis.enable = lib.mkEnableOption "Clevis in initrd";
boot.initrd.clevis.package = mkOption { boot.initrd.clevis.package = lib.mkOption {
type = types.package; type = lib.types.package;
default = pkgs.clevis; default = pkgs.clevis;
defaultText = "pkgs.clevis"; defaultText = "pkgs.clevis";
description = "Clevis package"; description = "Clevis package";
}; };
boot.initrd.clevis.devices = mkOption { boot.initrd.clevis.devices = lib.mkOption {
description = "Encrypted devices that need to be unlocked at boot using Clevis"; description = "Encrypted devices that need to be unlocked at boot using Clevis";
default = { }; default = { };
type = types.attrsOf (types.submodule ({ type = lib.types.attrsOf (lib.types.submodule ({
options.secretFile = mkOption { options.secretFile = lib.mkOption {
description = "Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS)."; description = "Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS).";
type = types.path; type = lib.types.path;
}; };
})); }));
}; };
boot.initrd.clevis.useTang = mkOption { boot.initrd.clevis.useTang = lib.mkOption {
description = "Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin."; description = "Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin.";
default = false; default = false;
type = types.bool; type = lib.types.bool;
}; };
}; };
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Implementation of clevis unlocking for the supported filesystems are located directly in the respective modules. # Implementation of clevis unlocking for the supported filesystems are located directly in the respective modules.
assertions = (attrValues (mapAttrs assertions = (lib.attrValues (lib.mapAttrs
(device: _: { (device: _: {
assertion = (any (fs: fs.device == device && (elem fs.fsType supportedFs) || (fs.fsType == "zfs" && hasPrefix "${device}/" fs.device)) config.system.build.fileSystems) || (hasAttr device config.boot.initrd.luks.devices); assertion = (lib.any (fs: fs.device == device && (lib.elem fs.fsType supportedFs) || (fs.fsType == "zfs" && lib.hasPrefix "${device}/" fs.device)) config.system.build.fileSystems) || (lib.hasAttr device config.boot.initrd.luks.devices);
message = '' message = ''
No filesystem or LUKS device with the name ${device} is declared in your configuration.''; No filesystem or LUKS device with the name ${device} is declared in your configuration.'';
}) })
@ -61,7 +58,7 @@ in
else [ ]; else [ ];
boot.initrd = { boot.initrd = {
extraUtilsCommands = mkIf (!systemd.enable) '' extraUtilsCommands = lib.mkIf (!systemd.enable) ''
copy_bin_and_libs ${pkgs.jose}/bin/jose copy_bin_and_libs ${pkgs.jose}/bin/jose
copy_bin_and_libs ${pkgs.curl}/bin/curl copy_bin_and_libs ${pkgs.curl}/bin/curl
copy_bin_and_libs ${pkgs.bash}/bin/bash copy_bin_and_libs ${pkgs.bash}/bin/bash
@ -84,15 +81,15 @@ in
sed -i $out/bin/clevis-decrypt-tpm2 -e 's,tpm2_,tpm2 ,' sed -i $out/bin/clevis-decrypt-tpm2 -e 's,tpm2_,tpm2 ,'
''; '';
secrets = lib.mapAttrs' (name: value: nameValuePair "/etc/clevis/${name}.jwe" value.secretFile) cfg.devices; secrets = lib.mapAttrs' (name: value: lib.nameValuePair "/etc/clevis/${name}.jwe" value.secretFile) cfg.devices;
systemd = { systemd = {
extraBin = mkIf systemd.enable { extraBin = lib.mkIf systemd.enable {
clevis = "${cfg.package}/bin/clevis"; clevis = "${cfg.package}/bin/clevis";
curl = "${pkgs.curl}/bin/curl"; curl = "${pkgs.curl}/bin/curl";
}; };
storePaths = mkIf systemd.enable [ storePaths = lib.mkIf systemd.enable [
cfg.package cfg.package
"${pkgs.jose}/bin/jose" "${pkgs.jose}/bin/jose"
"${pkgs.curl}/bin/curl" "${pkgs.curl}/bin/curl"