mirror of
https://github.com/nix-community/disko.git
synced 2026-01-14 02:08:26 +01:00
251 lines
8.3 KiB
Nix
251 lines
8.3 KiB
Nix
{
|
|
config,
|
|
options,
|
|
lib,
|
|
diskoLib,
|
|
parent,
|
|
device,
|
|
...
|
|
}:
|
|
let
|
|
keyFile =
|
|
if config.settings ? "keyFile" then
|
|
config.settings.keyFile
|
|
else if config.askPassword then
|
|
''<(set +x; echo -n "$password"; set -x)''
|
|
else if
|
|
config.passwordFile != null
|
|
# do not print the password to the console
|
|
then
|
|
''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''
|
|
else if config.keyFile != null then
|
|
lib.warn (
|
|
"The option `keyFile` is deprecated."
|
|
+ "Use passwordFile instead if you want to use interactive login or settings.keyFile if you want to use key file login"
|
|
) config.keyFile
|
|
else
|
|
null;
|
|
keyFileArgs = ''
|
|
${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \
|
|
${lib.optionalString (lib.hasAttr "keyFileSize" config.settings) "--keyfile-size ${builtins.toString config.settings.keyFileSize}"} \
|
|
${lib.optionalString (lib.hasAttr "keyFileOffset" config.settings) "--keyfile-offset ${builtins.toString config.settings.keyFileOffset}"} \
|
|
'';
|
|
cryptsetupOpen = ''
|
|
cryptsetup open "${config.device}" "${config.name}" \
|
|
${lib.optionalString (config.settings.allowDiscards or false) "--allow-discards"} \
|
|
${
|
|
lib.optionalString (config.settings.bypassWorkqueues or false
|
|
) "--perf-no_read_workqueue --perf-no_write_workqueue"
|
|
} \
|
|
${toString config.extraOpenArgs} \
|
|
${keyFileArgs} \
|
|
'';
|
|
in
|
|
{
|
|
options = {
|
|
type = lib.mkOption {
|
|
type = lib.types.enum [ "luks" ];
|
|
internal = true;
|
|
description = "Type";
|
|
};
|
|
device = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Device to encrypt";
|
|
default = device;
|
|
};
|
|
name = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Name of the LUKS";
|
|
};
|
|
keyFile = lib.mkOption {
|
|
type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;
|
|
default = null;
|
|
description = "DEPRECATED use passwordFile or settings.keyFile. Path to the key for encryption";
|
|
example = "/tmp/disk.key";
|
|
};
|
|
passwordFile = lib.mkOption {
|
|
type = lib.types.nullOr diskoLib.optionTypes.absolute-pathname;
|
|
default = null;
|
|
description = "Path to the file which contains the password for initial encryption";
|
|
example = "/tmp/disk.key";
|
|
};
|
|
askPassword = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = config.keyFile == null && config.passwordFile == null && (!config.settings ? "keyFile");
|
|
defaultText = "true if neither keyFile nor passwordFile are set";
|
|
description = "Whether to ask for a password for initial encryption";
|
|
};
|
|
settings = lib.mkOption {
|
|
type = lib.types.attrsOf lib.types.anything;
|
|
default = { };
|
|
description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
|
|
example = ''
|
|
{
|
|
keyFile = "/tmp/disk.key";
|
|
keyFileSize = 2048;
|
|
keyFileOffset = 1024;
|
|
fallbackToPassword = true;
|
|
allowDiscards = true;
|
|
};
|
|
'';
|
|
};
|
|
additionalKeyFiles = lib.mkOption {
|
|
type = lib.types.listOf diskoLib.optionTypes.absolute-pathname;
|
|
default = [ ];
|
|
description = "Path to additional key files for encryption";
|
|
example = [ "/tmp/disk2.key" ];
|
|
};
|
|
initrdUnlock = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = "Whether to add a boot.initrd.luks.devices entry for the specified disk.";
|
|
};
|
|
extraFormatArgs = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = "Extra arguments to pass to `cryptsetup luksFormat` when formatting";
|
|
example = [ "--pbkdf argon2id" ];
|
|
};
|
|
extraOpenArgs = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = "Extra arguments to pass to `cryptsetup luksOpen` when opening";
|
|
example = [ "--timeout 10" ];
|
|
};
|
|
content = diskoLib.deviceType {
|
|
parent = config;
|
|
device = "/dev/mapper/${config.name}";
|
|
};
|
|
_parent = lib.mkOption {
|
|
internal = true;
|
|
default = parent;
|
|
};
|
|
_meta = lib.mkOption {
|
|
internal = true;
|
|
readOnly = true;
|
|
type = lib.types.functionTo diskoLib.jsonType;
|
|
default = dev: lib.optionalAttrs (config.content != null) (config.content._meta dev);
|
|
description = "Metadata";
|
|
};
|
|
_create = diskoLib.mkCreateOption {
|
|
inherit config options;
|
|
default = ''
|
|
if ! blkid "${config.device}" >/dev/null || ! cryptsetup isLuks "${config.device}"; then
|
|
${lib.optionalString config.askPassword ''
|
|
promptSecret() {
|
|
prompt=$1
|
|
var=$2
|
|
|
|
echo -n "$prompt"
|
|
IFS= read -r -s "$var"
|
|
echo
|
|
}
|
|
|
|
askPassword() {
|
|
if [ -z ''${IN_DISKO_TEST+x} ]; then
|
|
set +x
|
|
promptSecret "Enter password for ${config.device}: " password
|
|
promptSecret "Enter password for ${config.device} again to be safe: " password_check
|
|
export password
|
|
if [ "$password" != "$password_check" ]; then
|
|
exit 1
|
|
fi
|
|
set -x
|
|
else
|
|
export password=disko
|
|
fi
|
|
}
|
|
until askPassword; do
|
|
echo "Passwords did not match, please try again."
|
|
done
|
|
''}
|
|
cryptsetup -q luksFormat "${config.device}" ${toString config.extraFormatArgs} ${keyFileArgs}
|
|
fi
|
|
|
|
if ! cryptsetup status "${config.name}" >/dev/null; then
|
|
${cryptsetupOpen} --persistent
|
|
fi
|
|
${toString (
|
|
lib.forEach config.additionalKeyFiles (keyFile: ''
|
|
cryptsetup luksAddKey "${config.device}" ${keyFile} ${keyFileArgs}
|
|
'')
|
|
)}
|
|
|
|
${lib.optionalString (config.content != null) config.content._create}
|
|
'';
|
|
};
|
|
_mount = diskoLib.mkMountOption {
|
|
inherit config options;
|
|
default =
|
|
let
|
|
contentMount = config.content._mount;
|
|
in
|
|
{
|
|
dev = ''
|
|
if ! cryptsetup status "${config.name}" >/dev/null 2>/dev/null; then
|
|
${lib.optionalString config.askPassword ''
|
|
if [ -z ''${IN_DISKO_TEST+x} ]; then
|
|
set +x
|
|
echo "Enter password for ${config.device}"
|
|
IFS= read -r -s password
|
|
export password
|
|
set -x
|
|
else
|
|
export password=disko
|
|
fi
|
|
''}
|
|
${cryptsetupOpen}
|
|
fi
|
|
${lib.optionalString (config.content != null) contentMount.dev or ""}
|
|
'';
|
|
fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };
|
|
};
|
|
};
|
|
_unmount = diskoLib.mkUnmountOption {
|
|
inherit config options;
|
|
default =
|
|
let
|
|
contentUnmount = config.content._unmount;
|
|
in
|
|
{
|
|
dev = ''
|
|
${lib.optionalString (config.content != null) contentUnmount.dev or ""}
|
|
if cryptsetup status "${config.name}" >/dev/null 2>/dev/null; then
|
|
cryptsetup close "${config.name}"
|
|
fi
|
|
'';
|
|
fs = lib.optionalAttrs (config.content != null) contentUnmount.fs or { };
|
|
};
|
|
};
|
|
_config = lib.mkOption {
|
|
internal = true;
|
|
readOnly = true;
|
|
default =
|
|
[ ]
|
|
# If initrdUnlock is true, then add a device entry to the initrd.luks.devices config.
|
|
++ (lib.optional config.initrdUnlock [
|
|
{
|
|
boot.initrd.luks.devices.${config.name} = {
|
|
inherit (config) device;
|
|
}
|
|
// config.settings;
|
|
}
|
|
])
|
|
++ (lib.optional (config.content != null) config.content._config);
|
|
description = "NixOS configuration";
|
|
};
|
|
_pkgs = lib.mkOption {
|
|
internal = true;
|
|
readOnly = true;
|
|
type = lib.types.functionTo (lib.types.listOf lib.types.package);
|
|
default =
|
|
pkgs:
|
|
[
|
|
pkgs.gnugrep
|
|
pkgs.cryptsetup
|
|
]
|
|
++ (lib.optionals (config.content != null) (config.content._pkgs pkgs));
|
|
description = "Packages";
|
|
};
|
|
};
|
|
}
|