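{ config, lib, ... }:

# Adds an `encrypted` sub-option set to every fileSystems / swapDevices entry
# and, when at least one entry enables it, wires those entries into the initrd
# LUKS unlock (boot.initrd.luks.devices) or, for entries that name a keyFile,
# into a cryptsetup luksOpen run from postMountCommands.

with lib;

let
  # Every fileSystems entry and every swap device, as one flat list.
  fileSystems = attrValues config.fileSystems ++ config.swapDevices;

  # Entries that opted in via encrypted.enable.
  encDevs = filter (dev: dev.encrypted.enable) fileSystems;

  # Subset of encDevs that is unlocked with a key file rather than interactively.
  keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;

  # encDevs is already restricted to enabled entries, so "any encrypted" is
  # simply "the list is non-empty" (replaces a fold over the same flag; the
  # unused `isIn` helper was dropped).
  anyEncrypted = encDevs != [];

  # Option set mixed into each fileSystems / swapDevices entry.
  encryptedFSOptions = {
    encrypted = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "The block device is backed by an encrypted one, adds this device as a initrd luks entry.";
      };

      # Device that holds the LUKS container; becomes the luks entry's `device`.
      blkDev = mkOption {
        default = null;
        example = "/dev/sda1";
        type = types.nullOr types.str;
        description = "Location of the backing encrypted device.";
      };

      # Name of the device-mapper mapping; becomes the luks entry's `name` and
      # is the mapping that cryptsetup luksOpen below creates.
      label = mkOption {
        default = null;
        example = "rootfs";
        type = types.nullOr types.str;
        description = "Label of the backing encrypted device.";
      };

      # When set, the device is opened with this key file from
      # postMountCommands instead of being prompted for during the initrd luks
      # phase. The file is plain key material: it protects anything only if
      # the file system holding it is itself encrypted and the file is not
      # readable by other users.
      # NOTE(review): postMountCommands runs inside the initrd, so this path is
      # resolved in the initrd's view of the mounted root rather than the
      # booted system's `/` — confirm the example is right for that environment.
      keyFile = mkOption {
        default = null;
        example = "/root/.swapkey";
        type = types.nullOr types.str;
        description = "File system location of keyfile.";
      };
    };
  };
in

{
  options = {
    fileSystems = mkOption {
      options = [encryptedFSOptions];
    };

    swapDevices = mkOption {
      options = [encryptedFSOptions];
    };
  };

  config = mkIf anyEncrypted {
    # Fail evaluation instead of emitting a luks entry with a null name/device.
    assertions = map (dev: {
      assertion = dev.encrypted.label != null && dev.encrypted.blkDev != null;
      message = "An entry of fileSystems/swapDevices sets encrypted.enable = true but leaves encrypted.label or encrypted.blkDev unset (label: ${toString dev.encrypted.label}, blkDev: ${toString dev.encrypted.blkDev}).";
    }) encDevs;

    boot.initrd = {
      luks = {
        # NOTE(review): keyedEncDevs is a subset of encDevs, so an entry with a
        # keyFile is listed here for the pre-mount unlock *and* opened again
        # under the same label in postMountCommands. Excluding keyed entries
        # here would avoid the duplicate luksOpen, but whether stage 1 still
        # ships cryptsetup when this list ends up empty has to be confirmed
        # first.
        devices =
          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; }) encDevs;

        # Presumably the kernel crypto modules the initrd needs for the LUKS
        # cipher/mode and header hashes; "sha1" looks like legacy-header
        # support — verify against the luks module before removing it.
        cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
      };

      # Key-file unlocks, run after the initrd has mounted the root file system.
      # keyFile and label are interpolated unquoted; they come from the system
      # configuration, so a label or path containing whitespace or shell
      # metacharacters would break the generated command.
      postMountCommands =
        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
    };
  };
}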