author | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2017-10-23 22:22:26 +0200 |
---|---|---|
committer | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2017-10-23 22:22:26 +0200 |
commit | 601fc20248d7c1b4cd3c33209fbc419af8ae0c04 (patch) | |
tree | bdc04c8bba9037a6c4d283442e2fcf5fb08683ab /nixos/modules/system/boot/luksroot.nix | |
parent | 8158cd6d5e6464adaea135ada586f11b9dfca766 (diff) | |
nixos/luksroot.nix: add option boot.initrd.luks.devices.<name?>.fallback
This option, if set to true, enables falling back to an interactive passphrase prompt when the specified keyFile is not found. The default is false, which is compatible with previous behavior and doesn't prevent unattended boot.
Diffstat (limited to 'nixos/modules/system/boot/luksroot.nix')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 19ca2a2c1bd..a5581b2bdc4 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -45,13 +45,15 @@ let ${optionalString (header != null) "--header=${header}"} \ > /.luksopen_args ${optionalString (keyFile != null) '' - if [ -e ${keyFile} ]; then + ${optionalString fallback "if [ -e ${keyFile} ]; then"} echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ >> /.luksopen_args + ${optionalString fallback '' else echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" fi ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -330,6 +332,16 @@ in ''; }; + fallback = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = '' |
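Review bot: In the second hunk (`@@ -45,13 +45,15 @@`), the default `fallback = false` drops the `[ -e ${keyFile} ]` guard that the old side emitted unconditionally, so `--key-file=${keyFile}` is now appended to /.luksopen_args even when the file is absent. That differs from the removed line's behaviour, where a missing keyfile fell through to the interactive prompt; the commit message calls the default compatible with previous behaviour, which presumably refers to an older revision, and how `cryptsetup-askpass` reacts to a nonexistent key file is not visible here. Separately, the shell `if` and its `else … fi` are generated by two independent `optionalString fallback` fragments, so editing one without the other yields an unbalanced script; a comment such as `# opener and closer of the same shell if-block; keep both optionalString fallback fragments in sync` above the first fragment would help. The enclosing `openCommand` body starts and ends outside the hunk.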
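Review bot: The `fallback` description in the third hunk (`@@ -330,6 +332,16 @@`) does not say what happens when the option is left at false and the keyfile is missing, and "This will prevent unattended boot" can be read as applying to either setting. I would reword it along the lines of `Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. Enabling this prevents unattended boot should the keyfile go missing.` and add one sentence on the false case. It is also worth stating that only the existence of the file is tested (`[ -e … ]` in the second hunk), so an unreadable or wrong keyfile is not covered, and that the prompt presumably only helps if the volume has a passphrase key slot enrolled.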