# NixOS module: makes the systemd dm-verity tooling available inside a
# systemd-based initrd.
#
# Scope note for reviewers: this module only ships the kernel modules, units
# and binaries. It does not declare any verity device or root hash. The
# integrity guarantee therefore depends on where the root hash comes from.
# systemd-veritysetup-generator takes it from the kernel command line (e.g.
# `roothash=`) or from /etc/veritytab, so that input must itself be covered by
# the boot chain's verification (for example a signed unified kernel image).
# If it is not, the hash can be replaced together with the data it protects.
{ config, lib, ... }:

let
  initrdSystemd = config.boot.initrd.systemd;
  verityCfg = initrdSystemd.dmVerity;

  # Directory inside the initrd systemd package that holds the helper binaries.
  systemdLibDir = "${initrdSystemd.package}/lib/systemd";
in
{
  options.boot.initrd.systemd.dmVerity.enable = lib.mkEnableOption "dm-verity" // {
    description = ''
      Mount verity-protected block devices in the initrd.

      Enabling this option allows to use `systemd-veritysetup` and
      `systemd-veritysetup-generator` in the initrd.
    '';
  };

  config = lib.mkIf verityCfg.enable {
    # The verity units below exist only in a systemd initrd, so fail evaluation
    # early instead of producing an initrd that silently lacks them.
    assertions = [
      {
        assertion = initrdSystemd.enable;
        message = ''
          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
        '';
      }
    ];

    # Device-mapper core plus the verity target.
    boot.initrd.availableKernelModules = [
      "dm_mod"
      "dm_verity"
    ];

    # Enabled for the udev rules that LVM ships, which dm-verity devices need.
    # NOTE(review): this turns on initrd LVM support as a whole, not just the
    # rules. Confirm that is acceptable for images meant to stay minimal.
    boot.initrd.services.lvm.enable = true;

    # Upstream targets that order verity setup. Together with the store paths
    # below they let users wire up verity-protected devices through the
    # regular systemd tooling.
    boot.initrd.systemd.additionalUpstreamUnits = [
      "veritysetup-pre.target"
      "veritysetup.target"
      "remote-veritysetup.target"
    ];

    # The setup helper and the generator that emits its units at boot.
    boot.initrd.systemd.storePaths = [
      "${systemdLibDir}/systemd-veritysetup"
      "${systemdLibDir}/system-generators/systemd-veritysetup-generator"
    ];
  };

  meta.maintainers = with lib.maintainers; [
    msanft
    nikstur
    willibutz
  ];
}