Diffstat (limited to 'sys/boot/detached-luks.nix')
-rw-r--r--sys/boot/detached-luks.nix73
1 files changed, 73 insertions, 0 deletions
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
new file mode 100644
index 0000000..a7b1bc9
--- /dev/null
+++ b/sys/boot/detached-luks.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.boot.detachedLuks;
+in
+{
+ options.local.boot.detachedLuks = {
+ enable = mkEnableOption "detached LUKS header in initrd";
+
+ headerFromBoot = mkOption {
+ type = types.str;
+ };
+
+ crypt = mkOption {
+ type = types.str;
+ };
+
+ target = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot.initrd =
+ let
+ headerPath = "/initrd-boot/${cfg.headerFromBoot}";
+ in
+ {
+ preDeviceCommands =
+ let
+ headerPathEscaped = escapeShellArg headerPath;
+ in
+ ''
+ mkdir -p `dirname ${headerPathEscaped}`
+ touch ${headerPathEscaped}
+ '';
+
+ postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
+ # Set the system time from the hardware clock to work around a
+ # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+ # to the *boot time* of the host).
+ hwclock -s
+ '';
+
+ #FIXME: Demasiado vulgar
+ preLVMCommands = optionalString (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
+ sleep 2
+ '';
+
+ luks.devices.${cfg.target} = {
+ device = cfg.crypt;
+ header = headerPath;
+ preLVM = false;
+
+ preOpenCommands =
+ let
+ boot = config.fileSystems."/boot";
+ in
+ ''
+ mount -o ro -t ${boot.fsType} ${boot.device} /initrd-boot
+ '';
+
+ postOpenCommands = mkBefore ''
+ umount /initrd-boot
+ '';
+ };
+ };
+
+ local.boot.stack = {
+ btrfsToplevelMultidrive.toplevel.device = "/dev/mapper/${cfg.target}";
+ luksExt4FscryptImpermanence = { inherit (cfg) target; };
+ };
+ };
+}
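Review bot: The `mount -o ro -t ${boot.fsType} ${boot.device} /initrd-boot` line in `preOpenCommands` interpolates `boot.fsType` and `boot.device` into the initrd shell script unquoted, while the same file wraps `headerPath` with `escapeShellArg` in `preDeviceCommands`; for consistency and to survive a device path with shell-significant characters it should read `mount -o ro -t ${escapeShellArg boot.fsType} ${escapeShellArg boot.device} /initrd-boot`. The mount's result is also not checked, so if it fails the LUKS open proceeds against the empty file that `touch ${headerPathEscaped}` created earlier, which presumably makes cryptsetup fail with a less obvious error than a direct `mount ... || echo "detached-luks: failed to mount ${boot.device} on /initrd-boot" >&2` would give. The `headerFromBoot`, `crypt` and `target` options have no `description`; something like `description = "Path of the detached LUKS header, relative to the root of the /boot filesystem."` (and matching ones for the encrypted device and the mapper name) would document the contract, and the `#FIXME: Demasiado vulgar` comment on `preLVMCommands` would be clearer in English, e.g. `# FIXME: crude; a fixed sleep only papers over the removable-media settle time`. Finally, the `hwclock -s` in `postDeviceCommands` is unrelated to detached headers and is applied to every system that enables this module, so it looks like it belongs in its own module.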