pyrox.dev / nixpkgs
lol
fork atom

zfs: add option to use kernel keyring for encryption credentials

Shawn8901 9a1d8f09 f90d0a33

options
unified split
Changed files
+3 -1
nixos
modules
tasks
filesystems
zfs.nix
+3 -1
nixos/modules/tasks/filesystems/zfs.nix 
···

       
233

       
 

       
                    tries=3


     

       
234

       
 

       
                    success=false


     

       
235

       
 

       
                    while [[ $success != true ]] && [[ $tries -gt 0 ]]; do


     

       
236

       
-

       
                      ${systemd}/bin/systemd-ask-password --timeout=${toString cfgZfs.passwordTimeout} "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \


     

       
237

       
 

       
                        && success=true \


     

       
238

       
 

       
                        || tries=$((tries - 1))


     

       
239

       
 

       
                    done


     
···

       
402

       
 

       
          an interactive prompt (keylocation=prompt) and from a file (keylocation=file://).


     

       
403

       
 

       
        '';


     

       
404

       
 

       
      };


     

       

       

       
     

       

       

       
     

       
405

       
 

       



     

       
406

       
 

       
      passwordTimeout = lib.mkOption {


     

       
407

       
 

       
        type = lib.types.int;


     
···

       
233

       
 

       
                    tries=3


     

       
234

       
 

       
                    success=false


     

       
235

       
 

       
                    while [[ $success != true ]] && [[ $tries -gt 0 ]]; do


     

       
236

       
+

       
                      ${systemd}/bin/systemd-ask-password ${lib.optionalString cfgZfs.useKeyringForCredentials ("--keyname=zfs-$ds")} --timeout=${toString cfgZfs.passwordTimeout} "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \


     

       
237

       
 

       
                        && success=true \


     

       
238

       
 

       
                        || tries=$((tries - 1))


     

       
239

       
 

       
                    done


     
···

       
402

       
 

       
          an interactive prompt (keylocation=prompt) and from a file (keylocation=file://).


     

       
403

       
 

       
        '';


     

       
404

       
 

       
      };


     

       
405

       
+

       



     

       
406

       
+

       
      useKeyringForCredentials = lib.mkEnableOption "Uses the kernel keyring for encryption credentials with keyname=zfs-<poolname>";


     

       
407

       
 

       



     

       
408

       
 

       
      passwordTimeout = lib.mkOption {


     

       
409

       
 

       
        type = lib.types.int;