authorKovacsics Robert (NixOS) <kovirobi@gmail.com>2015-09-21 20:02:27 +0100
committerKovacsics Robert (NixOS) <kovirobi@gmail.com>2015-09-22 09:49:28 +0100
commit70fd4b4b025a5f5aa5d0a0f565aa73e1c684a025 (patch)
treecff7ebac9385b76854ce110e9d698f451a29dfac /nixos/modules/tasks/encrypted-devices.nix
parent3e9e2d99fa21600d57d927a48e15dc3b76f6b11d (diff)
encrypted-devices service: Fix keyed mount, clarify descriptions.
Not enough arguments were supplied to cryptsetup when a key-file was
specified. Also don't try to unlock keyedEncDevs with a password.
Diffstat (limited to 'nixos/modules/tasks/encrypted-devices.nix')
-rw-r--r--nixos/modules/tasks/encrypted-devices.nix11
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index 8b5dd22fd38..331531cee15 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -6,6 +6,7 @@ let
   fileSystems = attrValues config.fileSystems ++ config.swapDevices;
   encDevs = filter (dev: dev.encrypted.enable) fileSystems;
   keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
+  keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
   isIn = needle: haystack: filter (p: p == needle) haystack != [];
   anyEncrypted =
     fold (j: v: v || j.encrypted.enable) false encDevs;
@@ -29,15 +30,15 @@ let
       label = mkOption {
         default = null;
         example = "rootfs";
-        type = types.nullOr types.str;
-        description = "Label of the backing encrypted device.";
+        type = types.uniq (types.nullOr types.str);
+        description = "Label of the unlocked encrypted device. Set <literal>fileSystems.&lt;name?&gt;.device</literal> to <literal>/dev/mapper/&lt;label&gt;</literal> to mount the unlocked device.";
       };
 
       keyFile = mkOption {
         default = null;
         example = "/root/.swapkey";
         type = types.nullOr types.str;
-        description = "File system location of keyfile.";
+        description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
       };
     };
   };
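Review bot: The new `keyFile` description at the `+` line in this hunk says the drive is unlocked "after the root has been mounted to /mnt-root" but does not say in which namespace the path is resolved; since the value is passed verbatim to `cryptsetup` inside the initrd (see the `postMountCommands` hunk below), a key stored on the root file system would presumably need the `/mnt-root` prefix, which the unchanged example `/root/.swapkey` does not carry — worth confirming and stating. Suggested wording: `description = "File system location of keyfile, as seen from the initrd after the root file system has been mounted at <literal>/mnt-root</literal>; keyed devices are unlocked at that point.";` and, if the prefix really is required, an example such as `/mnt-root/root/.swapkey`. Also, `label` gains `types.uniq` while `keyFile` keeps a plain `types.nullOr types.str`; if the intent is to reject duplicate definitions, the same wrapper would be expected on `keyFile`. The enclosing `encryptedFSOptions`-style option set starts before this hunk.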
@@ -58,11 +59,11 @@ in
     boot.initrd = {
       luks = {
         devices =
-          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
+          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
         cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
       };
       postMountCommands =
-        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
+        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
     };
   };
 }
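Review bot: The `cryptsetup` invocation on the new `postMountCommands` line interpolates `keyFile`, `blkDev` and `label` into a shell string without quoting, and terminates with `;`, so a path containing whitespace or shell metacharacters is split or interpreted, and a failed unlock is silently skipped while the following commands (and the later mount) proceed. At minimum quote the three arguments: `"cryptsetup luksOpen --key-file \"${dev.encrypted.keyFile}\" \"${dev.encrypted.blkDev}\" \"${dev.encrypted.label}\"\n"`; whether the stage-1 script aborts on a non-zero exit here cannot be seen from this hunk, so the failure behaviour should be checked. The `luks.devices` change to `keylessEncDevs` matches the commit message, but note that `keyedEncDevs` are now unlocked only after the root is mounted, so a keyed device cannot be the root itself — a one-line comment above `postMountCommands` stating this constraint would help. The enclosing `config = mkIf anyEncrypted { … }` attribute set begins before this hunk.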