pyrox.dev / nixpkgs
lol
fork atom

nixos/bcachefs: support unlock with clevis in systemd stage 1

Matt Moriarity 10035ed5 04c145b5

options
unified split
Changed files
+16 -3
nixos
modules
tasks
filesystems
bcachefs.nix
+16 -3
nixos/modules/tasks/filesystems/bcachefs.nix 
···

       
57

       
57

       
 

       
  # bcachefs does not support mounting devices with colons in the path, ergo we don't (see #49671)


     

       
58

       
58

       
 

       
  firstDevice = fs: lib.head (lib.splitString ":" fs.device);


     

       
59

       
59

       
 

       



     

       
60

       

       
-

       
  openCommand = name: fs: if config.boot.initrd.clevis.enable && (lib.hasAttr (firstDevice fs) config.boot.initrd.clevis.devices) then ''


     

       

       
60

       
+

       
  useClevis = fs: config.boot.initrd.clevis.enable && (lib.hasAttr (firstDevice fs) config.boot.initrd.clevis.devices);


     

       

       
61

       
+

       



     

       

       
62

       
+

       
  openCommand = name: fs: if useClevis fs then ''


     

       
61

       
63

       
 

       
    if clevis decrypt < /etc/clevis/${firstDevice fs}.jwe | bcachefs unlock ${firstDevice fs}


     

       
62

       
64

       
 

       
    then


     

       
63

       
65

       
 

       
      printf "unlocked ${name} using clevis\n"


     
···

       
92

       
94

       
 

       
        # As is, RemainAfterExit doesn't accomplish anything.


     

       
93

       
95

       
 

       
        RemainAfterExit = true;


     

       
94

       
96

       
 

       
      };


     

       
95

       

       
-

       
      script = ''


     

       
96

       

       
-

       
        ${config.boot.initrd.systemd.package}/bin/systemd-ask-password --timeout=0 "enter passphrase for ${name}" | exec ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${device}"


     

       

       
97

       
+

       
      script = let


     

       

       
98

       
+

       
        unlock = ''${pkgs.bcachefs-tools}/bin/bcachefs unlock "${device}"'';


     

       

       
99

       
+

       
        unlockInteractively = ''${config.boot.initrd.systemd.package}/bin/systemd-ask-password --timeout=0 "enter passphrase for ${name}" | exec ${unlock}'';


     

       

       
100

       
+

       
      in if useClevis fs then ''


     

       

       
101

       
+

       
        if ${config.boot.initrd.clevis.package}/bin/clevis decrypt < "/etc/clevis/${device}.jwe" | ${unlock}


     

       

       
102

       
+

       
        then


     

       

       
103

       
+

       
          printf "unlocked ${name} using clevis\n"


     

       

       
104

       
+

       
        else


     

       

       
105

       
+

       
          printf "falling back to interactive unlocking...\n"


     

       

       
106

       
+

       
          ${unlockInteractively}


     

       

       
107

       
+

       
        fi


     

       

       
108

       
+

       
      '' else ''


     

       

       
109

       
+

       
        ${unlockInteractively}


     

       
97

       
110

       
 

       
      '';


     

       
98

       
111

       
 

       
    };


     

       
99

       
112

       
 

       
  };