5ee6467bd3
Co-authored-by: nikstur <nikstur@outlook.com> Co-authored-by: WilliButz <willibutz@posteo.de>
62 lines
1.5 KiB
Nix
62 lines
1.5 KiB
Nix
{ config, lib, ... }:
|
|
|
|
let
|
|
cfg = config.boot.initrd.systemd.dmVerity;
|
|
in
|
|
{
|
|
options = {
|
|
boot.initrd.systemd.dmVerity = {
|
|
enable = lib.mkEnableOption "dm-verity" // {
|
|
description = ''
|
|
Mount verity-protected block devices in the initrd.
|
|
|
|
Enabling this option allows to use `systemd-veritysetup` and
|
|
`systemd-veritysetup-generator` in the initrd.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = config.boot.initrd.systemd.enable;
|
|
message = ''
|
|
'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
|
|
'';
|
|
}
|
|
];
|
|
|
|
boot.initrd = {
|
|
availableKernelModules = [
|
|
"dm_mod"
|
|
"dm_verity"
|
|
];
|
|
|
|
# dm-verity needs additional udev rules from LVM to work.
|
|
services.lvm.enable = true;
|
|
|
|
# The additional targets and store paths allow users to integrate verity-protected devices
|
|
# through the systemd tooling.
|
|
systemd = {
|
|
additionalUpstreamUnits = [
|
|
"veritysetup-pre.target"
|
|
"veritysetup.target"
|
|
"remote-veritysetup.target"
|
|
];
|
|
|
|
storePaths = [
|
|
"${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
|
|
"${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
meta.maintainers = with lib.maintainers; [
|
|
msanft
|
|
nikstur
|
|
willibutz
|
|
];
|
|
}
|