commit c3d5cfdc3ca709a9c5081b1a11bca533bc4788af · pyrox.dev/nixpkgs

+31 -11

nixos/modules/config/swap.nix

···

       45
        
               '';

     

       46
        
             };

     

       47
        
       

     

       48
       -
             randomEncryption = mkOption {

     

       49
        
               default = false;

     

       50
        
               type = types.bool;

     

       51
        
               description = ''

     
···

       61
        
               '';

     

       62
        
             };

     

       63
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       64
        
             deviceName = mkOption {

     

       65
        
               type = types.str;

     

       66
        
               internal = true;

     
···

       77
        
             device = mkIf options.label.isDefined

     

       78
        
               "/dev/disk/by-label/${config.label}";

     

       79
        
             deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);

     

       80
       -
             realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;

     

       81
        
           };

     

       82
        
       

     

       83
        
         };

     
···

       125
        
       

     

       126
        
               createSwapDevice = sw:

     

       127
        
                 assert sw.device != "";

     

       128
       -
                 assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);

     

       129
       -
                 assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);

     

       130
        
                 let realDevice' = escapeSystemdPath sw.realDevice;

     

       131
        
                 in nameValuePair "mkswap-${sw.deviceName}"

     

       132
        
                 { description = "Initialisation of swap device ${sw.device}";

     

       133
        
                   wantedBy = [ "${realDevice'}.swap" ];

     

       134
        
                   before = [ "${realDevice'}.swap" ];

     

       135
       -
                   path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup;

     

       136
        
       

     

       137
        
                   script =

     

       138
        
                     ''

     
···

       145
        
                             truncate --size "${toString sw.size}M" "${sw.device}"

     

       146
        
                           fi

     

       147
        
                           chmod 0600 ${sw.device}

     

       148
       -
                           ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}

     

       149
        
                         fi

     

       150
        
                       ''}

     

       151
       -
                       ${optionalString sw.randomEncryption ''

     

       152
       -
                         cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom

     

       153
        
                         mkswap ${sw.realDevice}

     

       154
        
                       ''}

     

       155
        
                     '';

     
···

       157
        
                   unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];

     

       158
        
                   unitConfig.DefaultDependencies = false; # needed to prevent a cycle

     

       159
        
                   serviceConfig.Type = "oneshot";

     

       160
       -
                   serviceConfig.RemainAfterExit = sw.randomEncryption;

     

       161
       -
                   serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";

     

       162
        
                   restartIfChanged = false;

     

       163
        
                 };

     

       164
        
       

     

       165
       -
             in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices));

     

       166
        
       

     

       167
        
         };

     

       168

···

       45
        
               '';

     

       46
        
             };

     

       47
        
       

     

       48
       +
             randomEncryption.enable = mkOption {

     

       49
        
               default = false;

     

       50
        
               type = types.bool;

     

       51
        
               description = ''

     
···

       61
        
               '';

     

       62
        
             };

     

       63
        
       

     

       64
       +
             randomEncryption.cipher = mkOption {

     

       65
       +
               default = "aes-xts-plain64";

     

       66
       +
               example = "serpent-xts-plain64";

     

       67
       +
               type = types.str;

     

       68
       +
               description = ''

     

       69
       +
                 Use specified cipher for randomEncryption.

     

       70
       +
       

     

       71
       +
                 Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.

     

       72
       +
               '';

     

       73
       +
             };

     

       74
       +
       

     

       75
       +
             randomEncryption.source = mkOption {

     

       76
       +
               default = "/dev/urandom";

     

       77
       +
               example = "/dev/random";

     

       78
       +
               type = types.str;

     

       79
       +
               description = ''

     

       80
       +
                 Define the source of randomness to obtain a random key for encryption.

     

       81
       +
               '';

     

       82
       +
             };

     

       83
       +
       

     

       84
        
             deviceName = mkOption {

     

       85
        
               type = types.str;

     

       86
        
               internal = true;

     
···

       97
        
             device = mkIf options.label.isDefined

     

       98
        
               "/dev/disk/by-label/${config.label}";

     

       99
        
             deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);

     

       100
       +
             realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;

     

       101
        
           };

     

       102
        
       

     

       103
        
         };

     
···

       145
        
       

     

       146
        
               createSwapDevice = sw:

     

       147
        
                 assert sw.device != "";

     

       148
       +
                 assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);

     

       149
       +
                 assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);

     

       150
        
                 let realDevice' = escapeSystemdPath sw.realDevice;

     

       151
        
                 in nameValuePair "mkswap-${sw.deviceName}"

     

       152
        
                 { description = "Initialisation of swap device ${sw.device}";

     

       153
        
                   wantedBy = [ "${realDevice'}.swap" ];

     

       154
        
                   before = [ "${realDevice'}.swap" ];

     

       155
       +
                   path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;

     

       156
        
       

     

       157
        
                   script =

     

       158
        
                     ''

     
···

       165
        
                             truncate --size "${toString sw.size}M" "${sw.device}"

     

       166
        
                           fi

     

       167
        
                           chmod 0600 ${sw.device}

     

       168
       +
                           ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}

     

       169
        
                         fi

     

       170
        
                       ''}

     

       171
       +
                       ${optionalString sw.randomEncryption.enable ''

     

       172
       +
                         cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}

     

       173
        
                         mkswap ${sw.realDevice}

     

       174
        
                       ''}

     

       175
        
                     '';

     
···

       177
        
                   unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];

     

       178
        
                   unitConfig.DefaultDependencies = false; # needed to prevent a cycle

     

       179
        
                   serviceConfig.Type = "oneshot";

     

       180
       +
                   serviceConfig.RemainAfterExit = sw.randomEncryption.enable;

     

       181
       +
                   serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";

     

       182
        
                   restartIfChanged = false;

     

       183
        
                 };

     

       184
        
       

     

       185
       +
             in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));

     

       186
        
       

     

       187
        
         };

     

       188

+1 -1

nixos/modules/system/boot/stage-1.nix

···

       207
        
             preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;

     

       208
        
       

     

       209
        
           resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")

     

       210
       -
                           (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption

     

       211
        
                                    # Don't include zram devices

     

       212
        
                                    && !(hasPrefix "/dev/zram" sd.device)

     

       213
        
                                   ) config.swapDevices);

···

       207
        
             preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;

     

       208
        
       

     

       209
        
           resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")

     

       210
       +
                           (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable

     

       211
        
                                    # Don't include zram devices

     

       212
        
                                    && !(hasPrefix "/dev/zram" sd.device)

     

       213
        
                                   ) config.swapDevices);