pyrox.dev / nixpkgs
lol
fork atom

nixos/modules/system/boot/luksroot.nix: allow for LUKS devices with detached header

Marcin Falkiewicz c1becad3 d9428578

options
unified split
Changed files
+12 -1
nixos
modules
system
boot
luksroot.nix
+12 -1
nixos/modules/system/boot/luksroot.nix 
···

       
5

       
5

       
 

       
let


     

       
6

       
6

       
 

       
  luks = config.boot.initrd.luks;


     

       
7

       
7

       
 

       



     

       
8

       

       
-

       
  openCommand = { name, device, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''


     

       

       
8

       
+

       
  openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''


     

       
9

       
9

       
 

       
    # Wait for luksRoot to appear, e.g. if on a usb drive.


     

       
10

       
10

       
 

       
    # XXX: copied and adapted from stage-1-init.sh - should be


     

       
11

       
11

       
 

       
    # available as a function.


     
···

       
33

       
33

       
 

       



     

       
34

       
34

       
 

       
    open_normally() {


     

       
35

       
35

       
 

       
        cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \


     

       

       
36

       
+

       
          ${optionalString (header != null) "--header=${header}"} \


     

       
36

       
37

       
 

       
          ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"}


     

       
37

       
38

       
 

       
    }


     

       
38

       
39

       
 

       



     
···

       
249

       
250

       
 

       
          example = "/dev/sda2";


     

       
250

       
251

       
 

       
          type = types.string;


     

       
251

       
252

       
 

       
          description = "Path of the underlying block device.";


     

       

       
253

       
+

       
        };


     

       

       
254

       
+

       



     

       

       
255

       
+

       
        header = mkOption {


     

       

       
256

       
+

       
          default = null;


     

       

       
257

       
+

       
          example = "/root/header.img";


     

       

       
258

       
+

       
          type = types.nullOr types.string;


     

       

       
259

       
+

       
          description = ''


     

       

       
260

       
+

       
            The name of the file or block device that


     

       

       
261

       
+

       
            should be used as header for the encrypted device.


     

       

       
262

       
+

       
          '';


     

       
252

       
263

       
 

       
        };


     

       
253

       
264

       
 

       



     

       
254

       
265

       
 

       
        keyFile = mkOption {