mirror of
https://github.com/CHN-beta/nixos.git
synced 2024-10-22 21:18:44 +08:00
modules.system.fileSystems.luks: split
This commit is contained in:
parent
8faa50a427
commit
bab49afeb3
@ -24,7 +24,7 @@ inputs:
|
||||
};
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices =
|
||||
|
@ -13,7 +13,7 @@ inputs:
|
||||
vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
decrypt.auto =
|
||||
luks.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
|
||||
@ -41,7 +41,7 @@ inputs:
|
||||
# SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
|
||||
"alderlake"
|
||||
];
|
||||
remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" "srv1-node0" "srv1-node1" ]; };
|
||||
remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
|
||||
githubToken.enable = true;
|
||||
};
|
||||
nixpkgs =
|
||||
|
@ -14,7 +14,7 @@ inputs:
|
||||
vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
decrypt.auto =
|
||||
luks.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
|
||||
|
@ -16,7 +16,7 @@ inputs:
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.manual =
|
||||
luks.manual =
|
||||
{
|
||||
enable = true;
|
||||
devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
|
||||
|
@ -1,5 +1,6 @@
|
||||
inputs:
|
||||
{
|
||||
imports = inputs.localLib.findModules ./.;
|
||||
options.nixos.system.fileSystems = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
mount =
|
||||
@ -9,41 +10,6 @@ inputs:
|
||||
# device.subvol = mountPoint;
|
||||
btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); default = {}; };
|
||||
};
|
||||
decrypt =
|
||||
{
|
||||
auto = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule
|
||||
{
|
||||
options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
manual =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
devices = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule
|
||||
{
|
||||
options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
keyFile = mkOption
|
||||
{ type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
|
||||
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
};
|
||||
# generate using: sudo mdadm --examine --scan
|
||||
mdadm = mkOption { type = types.nullOr types.lines; default = null; };
|
||||
swap = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
@ -117,87 +83,6 @@ inputs:
|
||||
)
|
||||
(attrsToList fileSystems.mount.btrfs)));
|
||||
}
|
||||
# decrypt.auto
|
||||
(
|
||||
mkIf (fileSystems.decrypt.auto != null)
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.devices = (listToAttrs (map
|
||||
(
|
||||
device:
|
||||
{
|
||||
name = device.value.mapper;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
allowDiscards = device.value.ssd;
|
||||
bypassWorkqueues = device.value.ssd;
|
||||
crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
|
||||
};
|
||||
}
|
||||
)
|
||||
(attrsToList fileSystems.decrypt.auto)));
|
||||
systemd.services =
|
||||
let
|
||||
createService = device:
|
||||
{
|
||||
name = "systemd-cryptsetup@${device.value.mapper}";
|
||||
value =
|
||||
{
|
||||
before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
|
||||
overrideStrategy = "asDropin";
|
||||
};
|
||||
};
|
||||
in
|
||||
listToAttrs (map createService
|
||||
(builtins.filter (device: device.value.before != null) (attrsToList fileSystems.decrypt.auto)));
|
||||
};
|
||||
}
|
||||
)
|
||||
# decrypt.manual
|
||||
(
|
||||
mkIf (fileSystems.decrypt.manual.enable)
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
systemd =
|
||||
{
|
||||
extraBin =
|
||||
{
|
||||
cryptsetup = "${inputs.pkgs.cryptsetup.bin}/bin/cryptsetup";
|
||||
usbip = "${inputs.config.boot.kernelPackages.usbip}/bin/usbip";
|
||||
sed = "${inputs.pkgs.gnused}/bin/sed";
|
||||
awk = "${inputs.pkgs.gawk}/bin/awk";
|
||||
decrypt = inputs.pkgs.writeShellScript "decrypt"
|
||||
''
|
||||
modprobe vhci-hcd
|
||||
busid=$(usbip list -r 127.0.0.1 | head -n4 | tail -n1 | awk '{print $1}' | sed 's/://')
|
||||
usbip attach -r 127.0.0.1 -b $busid
|
||||
${concatStringsSep "\n" (map
|
||||
(device: ''systemd-cryptsetup attach ${device.value.mapper} ${device.name} "" fido2-device=auto''
|
||||
+ (if device.value.ssd then ",discard" else ""))
|
||||
(attrsToList fileSystems.decrypt.manual.devices))}
|
||||
'';
|
||||
};
|
||||
services.wait-manual-decrypt =
|
||||
{
|
||||
wantedBy = [ "initrd-root-fs.target" ];
|
||||
before = [ "roll-rootfs.service" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = concatStringsSep "\n" (map
|
||||
(device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
|
||||
(attrsToList fileSystems.decrypt.manual.devices));
|
||||
};
|
||||
};
|
||||
};
|
||||
fileSystems = listToAttrs (map
|
||||
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
|
||||
fileSystems.decrypt.manual.delayedMount);
|
||||
}
|
||||
)
|
||||
# mdadm
|
||||
(
|
||||
mkIf (fileSystems.mdadm != null)
|
||||
|
80
modules/system/fileSystems/luks/default.nix
Normal file
80
modules/system/fileSystems/luks/default.nix
Normal file
@ -0,0 +1,80 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.system.fileSystems.luks = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
auto = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
manual =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
devices = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
mapper = mkOption { type = types.nonEmptyStr; };
|
||||
ssd = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.system.fileSystems) luks; in inputs.lib.mkMerge
|
||||
[
|
||||
(inputs.lib.mkIf (luks.auto != null) { boot.initrd =
|
||||
{
|
||||
luks.devices = (builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = device.value.mapper;
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
allowDiscards = device.value.ssd;
|
||||
bypassWorkqueues = device.value.ssd;
|
||||
crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList luks.auto)));
|
||||
systemd.services = builtins.listToAttrs (builtins.map
|
||||
(device:
|
||||
{
|
||||
name = "systemd-cryptsetup@${device.value.mapper}";
|
||||
value =
|
||||
{
|
||||
before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
|
||||
overrideStrategy = "asDropin";
|
||||
};
|
||||
})
|
||||
(builtins.filter (device: device.value.before != null) (inputs.localLib.attrsToList luks.auto)));
|
||||
};})
|
||||
(inputs.lib.mkIf luks.manual.enable
|
||||
{
|
||||
boot.initrd =
|
||||
{
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
systemd.services.wait-manual-decrypt =
|
||||
{
|
||||
wantedBy = [ "initrd-root-fs.target" ];
|
||||
before = [ "roll-rootfs.service" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = builtins.concatStringsSep "\n" (builtins.map
|
||||
(device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
|
||||
(inputs.localLib.attrsToList luks.manual.devices));
|
||||
};
|
||||
};
|
||||
fileSystems = builtins.listToAttrs (builtins.map
|
||||
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
|
||||
luks.manual.delayedMount);
|
||||
})
|
||||
];
|
||||
}
|
@ -56,7 +56,7 @@ inputs:
|
||||
(system:
|
||||
{
|
||||
name = system.config.nixos.system.networking.hostname;
|
||||
value = system.config.nixos.system.fileSystems.decrypt.manual;
|
||||
value = system.config.nixos.system.fileSystems.luks.manual;
|
||||
})
|
||||
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
|
||||
cat = "${inputs.pkgs.coreutils}/bin/cat";
|
||||
@ -68,7 +68,8 @@ inputs:
|
||||
(builtins.map (system: builtins.concatStringsSep "\n"
|
||||
[
|
||||
"decrypt-${system.name}() {"
|
||||
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
|
||||
" key=$(${cat} ${inputs.topInputs.self}/modules/system/fileSystems/luks/${system.name}.key \\"
|
||||
" | ${gpg} --decrypt)"
|
||||
(builtins.concatStringsSep "\n" (builtins.map
|
||||
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
|
||||
+ (if device.value.ssd then "--allow-discards " else "")
|
||||
|
Loading…
Reference in New Issue
Block a user