authorEdward Tjörnhammar <ed@cflags.cc>2014-04-26 23:26:23 +0200
committerEdward Tjörnhammar <ed@cflags.cc>2014-04-26 23:26:23 +0200
commit22f73bfd85f7dc5d458fe65439b6ad967e1ec75a (patch)
tree399fe16329717b826a1c0d5470371ab9911e68ad /nixos/modules/tasks/encrypted-devices.nix
parent9a77b8e64f41cbfe682dc2bdaa8635ee01d41013 (diff)
Enable encrypted backing devices in filesystem configurations
Diffstat (limited to 'nixos/modules/tasks/encrypted-devices.nix')
-rw-r--r--nixos/modules/tasks/encrypted-devices.nix69
1 files changed, 69 insertions, 0 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
new file mode 100644
index 0000000000000..e80762a170c44
--- /dev/null
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, modulesPath, ... }:
+
+with pkgs.lib;
+
+let
+  fileSystems = attrValues config.fileSystems ++ config.swapDevices;
+  encDevs = filter (dev: dev.encrypted.enable) fileSystems;
+  keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
+  isIn = needle: haystack: filter (p: p == needle) haystack != [];
+  anyEncrypted =
+    fold (j: v: v || j.encrypted.enable) false encDevs;
+
+  encryptedFSOptions = {
+
+    encrypted = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry";
+      };
+
+      blkDev = mkOption {
+        default = null;
+        example = "/dev/sda1";
+        type = types.uniq (types.nullOr types.string);
+        description = "Location of the backing encrypted device";
+      };
+
+      label = mkOption {
+        default = null;
+        example = "rootfs";
+        type = types.uniq (types.nullOr types.string);
+        description = "Label of the backing encrypted device";
+      };
+
+      keyFile = mkOption {
+        default = null;
+        example = "/root/.swapkey";
+        type = types.uniq (types.nullOr types.string);
+        description = "File system location of keyfile";
+      };
+    };
+  };
+in
+
+{
+
+  options = {
+    fileSystems = mkOption {
+      options = [encryptedFSOptions];
+    };
+    swapDevices = mkOption {
+      options = [encryptedFSOptions];
+    };
+  };
+
+  config = mkIf anyEncrypted {
+    boot.initrd = {
+      luks = {
+        devices =
+          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
+        cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
+      };
+      postMountCommands =
+        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
+    };
+  };
+}
+
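Review bot: Devices with a keyFile are opened twice — the `map` on the `devices` line includes every entry of `encDevs`, so a keyed device is also queued for interactive unlock in initrd, and the later `cryptsetup luksOpen` in `postMountCommands` then targets a mapping name that already exists. Build the `devices` list from the unkeyed entries only, e.g. `devices = map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; }) (filter (dev: dev.encrypted.keyFile == null) encDevs);`. The `postMountCommands` string interpolates `keyFile` and `label` unquoted into a shell command, so a path containing whitespace or shell metacharacters breaks the command; quote both values (`escapeShellArg` where this lib version provides it). Since `label` and `blkDev` default to `null`, enabling `encrypted` without setting them fails at evaluation with a null-coercion error instead of a message; an `assertions` entry naming the offending option would make the misconfiguration obvious. `isIn` is unused and `anyEncrypted` folds over a list that is already filtered on `encrypted.enable`, so `anyEncrypted = encDevs != [];` expresses the same condition.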