| author | Alejandro Soto <alejandro@34project.org> | 2025-08-24 18:55:06 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-08-24 18:55:06 -0600 |
| commit | d7ac88762db111a7962c4e14b5f4e37ab85ccac7 (patch) | |
| tree | 0c2c8c4383bef74215e3b7c48a2f6b0117f084bc /sys/boot/detached-luks.nix | |
| parent | 504589d1035f27b766bd33040b415b2725ece4ca (diff) | |
tree-wide: reformat using alejandra after enabling trivionomicon
Diffstat (limited to 'sys/boot/detached-luks.nix')
| -rw-r--r-- | sys/boot/detached-luks.nix | 91 |
1 files changed, 48 insertions, 43 deletions
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 8be7de1..78ae35c 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 with lib; let
 cfg = config.local.boot.detachedLuks;
@@ -6,8 +11,7 @@ with lib; let
 tpmInitrd = config.local.boot.tpm.initrd.enable;
 pcrList = concatStringsSep "," (map toString config.local.boot.tpm.initrd.pcrs);
-in
-{
+in {
 options.local.boot.detachedLuks = {
 enable = mkEnableOption "detached LUKS header in initrd";
@@ -30,43 +34,43 @@ in
 };
 config = mkIf cfg.enable {
- boot.initrd =
- let
- headerPath = "/initrd-boot/${cfg.headerFromBoot}";
- headerPathEscaped = escapeShellArg headerPath;
-
- tpmPath = escapeShellArg "/initrd-boot/${cfg.tpmStorageFromBoot}";
- hardwareKeyPath = "/tpm/unsealed.luks-key";
- in
- {
- preDeviceCommands = ''
- mkdir -p `dirname ${headerPathEscaped}`
- touch ${headerPathEscaped}
- '';
-
- postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
- # Set the system time from the hardware clock to work around a
- # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
- # to the *boot time* of the host).
- hwclock -s
- '';
-
- #FIXME: Demasiado vulgar
- preLVMCommands = optionalString (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
- sleep 2
- '';
-
- luks.devices.${cfg.target} = {
- device = cfg.crypt;
- header = headerPath;
- preLVM = false;
-
- keyFile = mkIf tpmInitrd hardwareKeyPath;
- fallbackToPassword = tpmInitrd;
-
- preOpenCommands = ''
+ boot.initrd = let
+ headerPath = "/initrd-boot/${cfg.headerFromBoot}";
+ headerPathEscaped = escapeShellArg headerPath;
+
+ tpmPath = escapeShellArg "/initrd-boot/${cfg.tpmStorageFromBoot}";
+ hardwareKeyPath = "/tpm/unsealed.luks-key";
+ in {
+ preDeviceCommands = ''
+ mkdir -p `dirname ${headerPathEscaped}`
+ touch ${headerPathEscaped}
+ '';
+
+ postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
+ # Set the system time from the hardware clock to work around a
+ # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+ # to the *boot time* of the host).
+ hwclock -s
+ '';
+
+ #FIXME: Demasiado vulgar
+ preLVMCommands = optionalString (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
+ sleep 2
+ '';
+
+ luks.devices.${cfg.target} = {
+ device = cfg.crypt;
+ header = headerPath;
+ preLVM = false;
+
+ keyFile = mkIf tpmInitrd hardwareKeyPath;
+ fallbackToPassword = tpmInitrd;
+
+ preOpenCommands =
+ ''
 mount -o ro -t ${bootFs.fsType} ${bootFs.device} /initrd-boot
- '' + optionalString tpmInitrd ''
+ ''
+ + optionalString tpmInitrd ''
 mkdir /tpm
 touch ${escapeShellArg hardwareKeyPath}
@@ -92,18 +96,19 @@ in
 unseal_tpm_key
 '';
- postOpenCommands = mkBefore (''
+ postOpenCommands = mkBefore (''
 umount /initrd-boot
- '' + optionalString tpmInitrd ''
+ ''
+ + optionalString tpmInitrd ''
 rm -r /tpm
 '');
- };
 };
+ };
 local.boot = {
 stack = {
 btrfsToplevelMultidrive.toplevel.device = "/dev/mapper/${cfg.target}";
- luksExt4FscryptImpermanence = { inherit (cfg) target; };
+ luksExt4FscryptImpermanence = {inherit (cfg) target;};
 };
 tpm.initrd.enable = mkDefault config.local.boot.tpm.enable; |
