summary refs log tree commit diff
path: root/nixos/modules/tasks/encrypted-devices.nix
diff options
context:
space:
mode:
authorKeshav Kini <keshav.kini@gmail.com>2020-07-26 17:05:21 -0700
committerKeshav Kini <keshav.kini@gmail.com>2020-07-29 14:39:21 -0700
commit5e86bba0827a96388bff25ae85d4e163a12016f1 (patch)
tree5e9c1696834f95884527548d5844bb0a41d61341 /nixos/modules/tasks/encrypted-devices.nix
parentea1287110f3fa124d31e59520f5c248029bd74da (diff)
downloadnixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar.gz
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar.bz2
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar.lz
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar.xz
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.tar.zst
nixpkgs-5e86bba0827a96388bff25ae85d4e163a12016f1.zip
nixos/boot: some documentation improvements
- Give a more accurate description of how fileSystems.<name/>.neededForBoot
  works

- Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile
  works
Diffstat (limited to 'nixos/modules/tasks/encrypted-devices.nix')
-rw-r--r--nixos/modules/tasks/encrypted-devices.nix19
1 files changed, 15 insertions, 4 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index bc0933f16fe..9c3f2d8fccb 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -37,7 +37,14 @@ let
         default = null;
         example = "/mnt-root/root/.swapkey";
         type = types.nullOr types.str;
-        description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
+        description = ''
+          Path to a keyfile used to unlock the backing encrypted
+          device. At the time this keyfile is accessed, the
+          <literal>neededForBoot</literal> filesystems (see
+          <literal>fileSystems.&lt;name?&gt;.neededForBoot</literal>)
+          will have been mounted under <literal>/mnt-root</literal>,
+          so the keyfile path should usually start with "/mnt-root/".
+        '';
       };
     };
   };
@@ -65,12 +72,16 @@ in
     boot.initrd = {
       luks = {
         devices =
-          builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs);
+          builtins.listToAttrs (map (dev: {
+            name = dev.encrypted.label;
+            value = { device = dev.encrypted.blkDev; };
+          }) keylessEncDevs);
         forceLuksSupportInInitrd = true;
       };
       postMountCommands =
-        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
+        concatMapStrings (dev:
+          "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
+        ) keyedEncDevs;
     };
   };
 }
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-20 14:24:39 +0000