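# Makes it a little easier to configure luks partitions for boot
# Additionally, this solves a circular dependency between kexec luks
# and NixOS's luks module.
#
# `luks.devices` is the single list the user edits; every entry becomes one
# `boot.initrd.luks.devices` entry whose mapper name is derived from the
# entry's position, and the generated names are exported as
# `luks.deviceNames` so other modules can refer to the opened devices.
{ config, lib, ... }:

let
  cfg = config.luks;

  deviceCount = builtins.length cfg.devices;

  # Pair each device path with its mapper name.  A single device is named
  # "enc-pv"; several are numbered "enc-pv1", "enc-pv2", ... (1-based), so an
  # existing single-device setup keeps its name when nothing else changes.
  deviceMap = lib.imap
    (i: item: {
      device = item;
      name =
        if deviceCount == 1 then "enc-pv"
        else "enc-pv${builtins.toString (i + 1)}";
    })
    cfg.devices;
in
{
  options.luks = {
    devices = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Block devices holding the LUKS containers to open in the initrd.
        Order matters: it determines the generated mapper names that are
        exposed in `luks.deviceNames`.
      '';
    };

    allowDiscards = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Pass TRIM/discard requests through to the underlying device for every
        configured LUKS container. Enabled by default here (SSD wear and
        performance), which differs from the NixOS default; be aware that it
        lets anyone reading the raw disk see which blocks are unused, so set
        it to `false` where that leakage matters.
      '';
    };

    fallbackToPassword = lib.mkEnableOption
      "falling back to an interactive passphrase prompt if the key file cannot be found";

    disableKeyring = lib.mkEnableOption
      "bypassing the kernel keyring when opening LUKS2 devices";

    # set automatically, don't touch
    deviceNames = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      # Default so that reading the option with no devices configured
      # yields an empty list instead of an "option used but not defined" error.
      default = [ ];
      description = ''
        Mapper names generated for `luks.devices`, in the same order.
        Set automatically by this module; do not set it by hand.
      '';
    };
  };

  config = lib.mkMerge [
    {
      assertions = [
        {
          # Refuse devices declared directly on the NixOS option: the two
          # lists must have the same length, otherwise `luks.deviceNames`
          # would not describe every container the initrd opens.
          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
          message = ''
            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
          '';
        }
      ];
    }
    (lib.mkIf (deviceCount != 0) {
      luks.deviceNames = builtins.map (device: device.name) deviceMap;

      # One initrd LUKS entry per configured device, sharing the module-wide
      # open options.
      boot.initrd.luks.devices = lib.listToAttrs (
        builtins.map
          (item:
            {
              name = item.name;
              value = {
                device = item.device;
                allowDiscards = cfg.allowDiscards;
                fallbackToPassword = cfg.fallbackToPassword;
                disableKeyring = cfg.disableKeyring;
              };
            })
          deviceMap);
    })
  ];
}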