diff options
| author | Nicolas Pierron <nicolas.b.pierron@gmail.com> | 2009-12-26 16:20:00 +0000 |
|---|---|---|
| committer | Nicolas Pierron <nicolas.b.pierron@gmail.com> | 2009-12-26 16:20:00 +0000 |
| commit | 246dae96fe55a9da9513cc35e0258a58ae422405 (patch) | |
| tree | 28480fca5fa9d3580e302c46bec6dfe789fa3fb3 /modules | |
| parent | c0c4d575d2eec96191f90d3d8a8ace33d2b2a98d (diff) | |
| download | nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar.gz nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar.bz2 nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar.lz nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar.xz nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.tar.zst nixpkgs-246dae96fe55a9da9513cc35e0258a58ae422405.zip | |
Add an option to cipher swap partitions.
! Not tested yet: cryptsetup depends on a missing ! udev binary. svn path=/nixos/trunk/; revision=19131
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/tasks/swap.nix | 85 |
1 files changed, 60 insertions, 25 deletions
diff --git a/modules/tasks/swap.nix b/modules/tasks/swap.nix index ad9d94f8ea6..af8cac45f82 100644 --- a/modules/tasks/swap.nix +++ b/modules/tasks/swap.nix @@ -4,10 +4,8 @@ with pkgs.lib; let - inherit (pkgs) utillinux; + inherit (pkgs) cryptsetup utillinux; - toPath = x: if x.device != null then x.device else "/dev/disk/by-label/${x.label}"; - in { @@ -35,24 +33,65 @@ in type = types.list types.optionSet; - options = { - - device = mkOption { - default = null; - example = "/dev/sda3"; - type = types.nullOr types.string; - description = '' - Path of the device. - ''; + options = {config, options, ...}: { + + options = { + device = mkOption { + example = "/dev/sda3"; + type = types.string; + description = '' + Path of the device. + ''; + }; + + label = mkOption { + example = "swap"; + type = types.string; + description = " + Label of the device. Can be used instead of <varname>device</varname>. + "; + }; + + cipher = mkOption { + default = false; + example = true; + type = types.bool; + description = " + Cipher the swap device to protect swapped data. + "; + }; + + command = mkOption { + description = " + Command used to activate the swap device. + "; + }; }; - label = mkOption { - default = null; - example = "swap"; - type = types.nullOr types.string; - description = " - Label of the device. Can be used instead of <varname>device</varname>. - "; + config = { + device = + if options.label.isDefined then + "/dev/disk/by-label/${config.label}" + else + mkNotdef; + + command = '' + if test -e "${config.device}"; then + ${if config.cipher then '' + # swap labels could be preserved by using --skip (PAGE_SIZE / key size) + # The current settings won't work on system with a PAGE_SIZE != 4096. + oldDevice="${config.device}" + device="crypt$(echo "$oldDevice" | sed -e 's,/,.,')" + ${cryptsetup}/sbin/cryptsetup --skip 16 -c blowfish -s 256 -d /dev/urandom create "$device" "$oldDevice" + ${utillinux}/sbin/swapon "/dev/mapper/$newDevice" || true + '' + else '' + device="${config.device}" + ${utillinux}/sbin/swapon "${config.device}" || true + ''} + swapDevices="$swapDevices $device" + fi + ''; }; }; @@ -72,12 +111,8 @@ in startOn = ["startup" "new-devices"]; script = - '' - swapDevices=${toString (map toPath config.swapDevices)} - - for device in $swapDevices; do - ${utillinux}/sbin/swapon "$device" || true - done + '' + ${toString (map (x: x.command) config.swapDevices)} # Remove swap devices not listed in swapDevices. for used in $(cat /proc/swaps | grep '^/' | sed 's/ .*//'); do |