author | Keshav Kini <keshav.kini@gmail.com> | 2020-07-26 17:05:21 -0700 |
---|---|---|
committer | Keshav Kini <keshav.kini@gmail.com> | 2020-07-29 14:39:21 -0700 |
commit | 5e86bba0827a96388bff25ae85d4e163a12016f1 (patch) | |
tree | 5e9c1696834f95884527548d5844bb0a41d61341 /nixos/modules/tasks/encrypted-devices.nix | |
parent | ea1287110f3fa124d31e59520f5c248029bd74da (diff) | |
nixos/boot: some documentation improvements
- Give a more accurate description of how fileSystems.<name/>.neededForBoot works - Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile works
Diffstat (limited to 'nixos/modules/tasks/encrypted-devices.nix')
-rw-r--r-- | nixos/modules/tasks/encrypted-devices.nix | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index bc0933f16fe..9c3f2d8fccb 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -37,7 +37,14 @@ let
 default = null;
 example = "/mnt-root/root/.swapkey";
 type = types.nullOr types.str;
- description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
+ description = ''
+ Path to a keyfile used to unlock the backing encrypted
+ device. At the time this keyfile is accessed, the
+ <literal>neededForBoot</literal> filesystems (see
+ <literal>fileSystems.<name?>.neededForBoot</literal>)
+ will have been mounted under <literal>/mnt-root</literal>,
+ so the keyfile path should usually start with "/mnt-root/".
+ '';
 };
 };
 };
@@ -65,12 +72,16 @@ in
 boot.initrd = {
 luks = {
 devices =
- builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs);
+ builtins.listToAttrs (map (dev: {
+ name = dev.encrypted.label;
+ value = { device = dev.encrypted.blkDev; };
+ }) keylessEncDevs);
 forceLuksSupportInInitrd = true;
 };
 postMountCommands =
- concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
+ concatMapStrings (dev:
+ "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
+ ) keyedEncDevs;
 };
 };
 }
- |
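Review bot: The new `keyFile` description in the first hunk explains where the keyfile is looked up but not what protects it: the file holds the key material in the clear on whichever filesystem is mounted under `/mnt-root`, so the encrypted device is only as well protected as that filesystem. I would add a sentence such as `The keyfile is stored unencrypted, so keep it on a filesystem that is itself encrypted and make it readable only by root.` It may also be worth documenting that the path is substituted unquoted into the `cryptsetup luksOpen --key-file` line of the `postMountCommands` hunk, so a path containing whitespace will not work unless that line quotes it (for example with `escapeShellArg`, assuming `lib` is in scope there). The enclosing option definition starts outside the hunk.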