commit 9be26f81caf167f32c6af5cb876f48d7fad7d2c3 · pyrox.dev/nixpkgs

+55 -22
nixos/modules/config/swap.nix
···

       5
       5
        
       

     

       6
       6
        
       let

     

       7
       7
        
       

     

       8
       8
       +
         randomEncryptionCoerce = enable: { inherit enable; };

     

       9
       9
       +
       

     

       10
       10
       +
         randomEncryptionOpts = { ... }: {

     

       11
       11
       +
       

     

       12
       12
       +
           options = {

     

       13
       13
       +
       

     

       14
       14
       +
             enable = mkOption {

     

       15
       15
       +
               default = false;

     

       16
       16
       +
               type = types.bool;

     

       17
       17
       +
               description = ''

     

       18
       18
       +
                 Encrypt swap device with a random key. This way you won't have a persistent swap device.

     

       19
       19
       +
       

     

       20
       20
       +
                 WARNING: Don't try to hibernate when you have at least one swap partition with

     

       21
       21
       +
                 this option enabled! We have no way to set the partition into which hibernation image

     

       22
       22
       +
                 is saved, so if your image ends up on an encrypted one you would lose it!

     

       23
       23
       +
       

     

       24
       24
       +
                 WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device

     

       25
       25
       +
                 when using randomEncryption as the UUIDs and labels will get erased on every boot when

     

       26
       26
       +
                 the partition is encrypted. Best to use /dev/disk/by-partuuid/…

     

       27
       27
       +
               '';

     

       28
       28
       +
             };

     

       29
       29
       +
       

     

       30
       30
       +
             cipher = mkOption {

     

       31
       31
       +
               default = "aes-xts-plain64";

     

       32
       32
       +
               example = "serpent-xts-plain64";

     

       33
       33
       +
               type = types.str;

     

       34
       34
       +
               description = ''

     

       35
       35
       +
                 Use specified cipher for randomEncryption.

     

       36
       36
       +
       

     

       37
       37
       +
                 Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.

     

       38
       38
       +
               '';

     

       39
       39
       +
             };

     

       40
       40
       +
       

     

       41
       41
       +
             source = mkOption {

     

       42
       42
       +
               default = "/dev/urandom";

     

       43
       43
       +
               example = "/dev/random";

     

       44
       44
       +
               type = types.str;

     

       45
       45
       +
               description = ''

     

       46
       46
       +
                 Define the source of randomness to obtain a random key for encryption.

     

       47
       47
       +
               '';

     

       48
       48
       +
             };

     

       49
       49
       +
       

     

       50
       50
       +
           };

     

       51
       51
       +
       

     

       52
       52
       +
         };

     

       53
       53
       +
       

     

       8
       54
        
         swapCfg = {config, options, ...}: {

     

       9
       55
        
       

     

       10
       56
        
           options = {

     
···

       45
       91
        
               '';

     

       46
       92
        
             };

     

       47
       93
        
       

     

       48
       48
       -
             randomEncryption.enable = mkOption {

     

       94
       94
       +
             randomEncryption = mkOption {

     

       49
       95
        
               default = false;

     

       50
       50
       -
               type = types.bool;

     

       96
       96
       +
               example = {

     

       97
       97
       +
                 enable = true;

     

       98
       98
       +
                 cipher = "serpent-xts-plain64";

     

       99
       99
       +
                 source = "/dev/random";

     

       100
       100
       +
               };

     

       101
       101
       +
               type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);

     

       51
       102
        
               description = ''

     

       52
       103
        
                 Encrypt swap device with a random key. This way you won't have a persistent swap device.

     

       104
       104
       +
       

     

       105
       105
       +
                 HINT: run "cryptsetup benchmark" to test cipher performance on your machine.

     

       53
       106
        
       

     

       54
       107
        
                 WARNING: Don't try to hibernate when you have at least one swap partition with

     

       55
       108
        
                 this option enabled! We have no way to set the partition into which hibernation image

     
···

       58
       111
        
                 WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device

     

       59
       112
        
                 when using randomEncryption as the UUIDs and labels will get erased on every boot when

     

       60
       113
        
                 the partition is encrypted. Best to use /dev/disk/by-partuuid/…

     

       61
       61
       -
               '';

     

       62
       62
       -
             };

     

       63
       63
       -
       

     

       64
       64
       -
             randomEncryption.cipher = mkOption {

     

       65
       65
       -
               default = "aes-xts-plain64";

     

       66
       66
       -
               example = "serpent-xts-plain64";

     

       67
       67
       -
               type = types.str;

     

       68
       68
       -
               description = ''

     

       69
       69
       -
                 Use specified cipher for randomEncryption.

     

       70
       70
       -
       

     

       71
       71
       -
                 Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.

     

       72
       72
       -
               '';

     

       73
       73
       -
             };

     

       74
       74
       -
       

     

       75
       75
       -
             randomEncryption.source = mkOption {

     

       76
       76
       -
               default = "/dev/urandom";

     

       77
       77
       -
               example = "/dev/random";

     

       78
       78
       -
               type = types.str;

     

       79
       79
       -
               description = ''

     

       80
       80
       -
                 Define the source of randomness to obtain a random key for encryption.

     

       81
       114
        
               '';

     

       82
       115
        
             };

     

       83
       116