Diffstat (limited to 'nixos/modules/system/boot')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd.nix | 16 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/logind.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/nspawn.nix | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/tmpfiles.nix | 1 |
6 files changed, 28 insertions, 4 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 02b020b61eb60..03d03cb348e82 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -905,9 +905,11 @@ in
{ assertion = config.boot.initrd.systemd.enable -> !luks.gpgSupport;
message = "systemd stage 1 does not support GPG smartcards yet.";
}
- # TODO
{ assertion = config.boot.initrd.systemd.enable -> !luks.fido2Support;
- message = "systemd stage 1 does not support FIDO2 yet.";
+ message = ''
+ systemd stage 1 does not support configuring FIDO2 unlocking through `boot.initrd.luks.devices.<name>.fido2`.
+ Use systemd-cryptenroll(1) to configure FIDO2 support.
+ '';
}
# TODO
{ assertion = config.boot.initrd.systemd.enable -> !luks.yubikeySupport;
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 8f2044a0985eb..d28e6ed0e2770 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -151,6 +151,9 @@ let
] ++ optionals cfg.package.withHostnamed [
"dbus-org.freedesktop.hostname1.service"
"systemd-hostnamed.service"
+ ] ++ optionals cfg.package.withPortabled [
+ "dbus-org.freedesktop.portable1.service"
+ "systemd-portabled.service"
] ++ [
"systemd-exit.service"
"systemd-update-done.service"
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 03f94c426cb09..31702499b0f14 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
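Review bot: The new assertion message sends users to systemd-cryptenroll(1) without saying that it only enrolls tokens into LUKS2 headers, so anyone whose root volume is still LUKS1 (the cryptsetup default before 2.1) hits a second dead end after following this advice; I would extend the added text to `Use systemd-cryptenroll(1) to enroll the token in the LUKS2 header instead (a LUKS1 volume must first be converted with cryptsetup convert --type luks2).` The message is otherwise an improvement over the old one, since it names the exact option that is unsupported rather than FIDO2 as a whole. The assertions list continues outside the hunk on both sides.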
@@ -332,7 +332,10 @@ in {
config = mkIf (config.boot.initrd.enable && cfg.enable) {
system.build = { inherit initialRamdisk; };
- boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features
+ boot.initrd.availableKernelModules = [
+ "autofs4" # systemd needs this for some features
+ "tpm-tis" "tpm-crb" # systemd-cryptenroll
+ ];
boot.initrd.systemd = {
initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
@@ -403,6 +406,17 @@ in {
# so NSS can look up usernames
"${pkgs.glibc}/lib/libnss_files.so.2"
+ ] ++ optionals cfg.package.withCryptsetup [
+ # tpm2 support
+ "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
+ pkgs.tpm2-tss
+
+ # fido2 support
+ "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
+ "${pkgs.libfido2}/lib/libfido2.so.1"
+
+ # the unwrapped systemd-cryptsetup executable
+ "${cfg.package}/lib/systemd/.systemd-cryptsetup-wrapped"
] ++ jobScripts;
targets.initrd.aliases = ["default.target"];
diff --git a/nixos/modules/system/boot/systemd/logind.nix b/nixos/modules/system/boot/systemd/logind.nix
index 5980160321367..b0c927f19f9d7 100644
--- a/nixos/modules/system/boot/systemd/logind.nix
+++ b/nixos/modules/system/boot/systemd/logind.nix
@@ -82,6 +82,8 @@ in
"dbus-org.freedesktop.import1.service"
] ++ optionals config.systemd.package.withMachined [
"dbus-org.freedesktop.machine1.service"
+ ] ++ optionals config.systemd.package.withPortabled [
+ "dbus-org.freedesktop.portable1.service"
] ++ [
"dbus-org.freedesktop.login1.service"
"user@.service"
diff --git a/nixos/modules/system/boot/systemd/nspawn.nix b/nixos/modules/system/boot/systemd/nspawn.nix
index d9e42ad5b26b1..cbc89554c9fd9 100644
--- a/nixos/modules/system/boot/systemd/nspawn.nix
+++ b/nixos/modules/system/boot/systemd/nspawn.nix
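Review bot: Only the TIS and CRB TPM drivers are made available in the initrd, so a discrete TPM attached over SPI or I2C (tpm_tis_spi, common on ARM boards) will not be visible to systemd-cryptsetup in stage 1 and a TPM2-enrolled volume silently drops to the passphrase prompt; if the configured kernel ships it I would add `"tpm-tis" "tpm-crb" "tpm-tis-spi" # TPM2 token unlock by systemd-cryptsetup (enrolled with systemd-cryptenroll)`. The added comment `# systemd-cryptenroll` names the enrolment tool rather than what stage 1 does with the modules, which is what a reader of this list needs. A caveat that belongs in the option documentation rather than here is that a TPM2 enrolment bound to the default PCR 7 only resists offline attacks when Secure Boot is actually enforcing. The enclosing config block continues outside the hunk.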
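Review bot: The list hard-codes `.systemd-cryptsetup-wrapped`, a name produced by the systemd package's wrapping of systemd-cryptsetup, so a change in how that package wraps the binary breaks TPM2/FIDO2 unlock at boot instead of at evaluation time; at minimum the added comment should say so, e.g. `# NOTE: the unwrapped binary's name is an implementation detail of the systemd package's wrapper; keep in sync with that derivation`, and an attribute exported by the package would be more robust. Only the tpm2 and fido2 token plugins are copied, so a volume enrolled with `systemd-cryptenroll --pkcs11-token-uri` cannot be unlocked in stage 1 and also falls back to the passphrase prompt; that scope is worth stating, `# pkcs11 tokens (libcryptsetup-token-systemd-pkcs11.so) are deliberately not shipped`. The tpm2 side pulls in the whole `pkgs.tpm2-tss` package where the fido2 side names the single `libfido2.so.1`; if the tpm2 plugin dlopens specific libtss2-*.so files, naming those keeps the initrd (and its attack surface) minimal. The list being extended starts and ends outside the hunk.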
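Review bot: `dbus-org.freedesktop.portable1.service` is now listed both in the two added lines here and in the systemd.nix hunk of this same change (next to systemd-portabled.service), mirroring the existing double listing of the machine1 alias above; if the two lists are concatenated into one unit directory without deduplication this relies on the unit generator tolerating repeated names, and otherwise the entry is simply redundant. I would keep the alias in one place, or, if the duplication is deliberate, add a comment on the added line explaining why it must appear in both lists. The list continues outside the hunk.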
@@ -45,7 +45,9 @@ let
];
instanceOptions = {
- options = sharedOptions // {
+ options =
+ (getAttrs [ "enable" ] sharedOptions)
+ // {
execConfig = mkOption {
default = {};
example = { Parameters = "/bin/sh"; };
diff --git a/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixos/modules/system/boot/systemd/tmpfiles.nix
index e990e953b0572..32b9b275d3587 100644
--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -79,6 +79,7 @@ in
ln -s "${systemd}/example/tmpfiles.d/home.conf"
ln -s "${systemd}/example/tmpfiles.d/journal-nocow.conf"
+ ln -s "${systemd}/example/tmpfiles.d/portables.conf"
ln -s "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"
ln -s "${systemd}/example/tmpfiles.d/systemd.conf"
ln -s "${systemd}/example/tmpfiles.d/systemd-nologin.conf" |
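Review bot: Narrowing the inherited options to `getAttrs [ "enable" ] sharedOptions` drops every other attribute of sharedOptions from `systemd.nspawn.<name>`, and sharedOptions is defined outside this hunk so I cannot see whether anything else is in it; if there is, a user who sets one of those per instance now gets an undefined-option evaluation error with no hint, and if `enable` is its only key the call is a no-op that reads as if it filtered something. A one-line comment on the added line would settle the intent either way, e.g. `# only `enable` is shared with instances; the rest of sharedOptions is top-level`. The enclosing let binding continues outside the hunk.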