authorEelco Dolstra <eelco.dolstra@logicblox.com>2016-05-25 13:23:32 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-05-25 18:04:21 +0200
commit845c9b50bf7137c3e21f443e70ebcb16510f4e68 (patch)
tree0eddfbc8f8cf4140c392a1765966d543db3a8f6d /nixos/modules
parentbf2aaeb0f670d845821c9d50726b2cbf4a70e4e9 (diff)
boot.initrd.luks.devices: Change into an attribute set
This allows setting options for the same LUKS device from different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /dev/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/system/boot/luksroot.nix42
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix2
2 files changed, 22 insertions, 22 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 77a82547031a..400293d0e2e9 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@ with lib;
let
luks = config.boot.initrd.luks;
- openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
+ openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
# Wait for luksRoot to appear, e.g. if on a usb drive.
# XXX: copied and adapted from stage-1-init.sh - should be
# available as a function.
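Review bot: The new `assert name' == name;` on the openCommand signature fails with nothing but a file and line number if a module sets `boot.initrd.luks.devices.<attr>.name` to something other than the attribute name, which the hidden-but-settable `name` option in this same commit still permits. A message naming the offending device makes the misconfiguration diagnosable from the evaluation error, e.g. `assert name' == name || throw "boot.initrd.luks.devices.${name'}.name must equal ${name'}";`. A short comment above the binding, such as `# The attribute name is the device-mapper name; the hidden 'name' option must agree with it.`, would also explain why the check exists. The body of openCommand continues past the end of this hunk.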
@@ -192,9 +192,8 @@ let
''}
'';
- isPreLVM = f: f.preLVM;
- preLVM = filter isPreLVM luks.devices;
- postLVM = filter (f: !(isPreLVM f)) luks.devices;
+ preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
+ postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
in
{
@@ -228,31 +227,31 @@ in
};
boot.initrd.luks.devices = mkOption {
- default = [ ];
- example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]'';
+ default = { };
+ example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
description = ''
- The list of devices that should be decrypted using LUKS before trying to mount the
- root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
-
- The devices are decrypted to the device mapper names defined.
-
- Make sure that initrd has the crypto modules needed for decryption.
+ The encrypted disk that should be opened before the root
+ filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
+ setups are sypported. The unencrypted devices can be accessed as
+ <filename>/dev/mapper/<replaceable>name</replaceable></filename>.
'';
- type = types.listOf types.optionSet;
+ type = types.loaOf types.optionSet;
- options = {
+ options = { name, ... }: { options = {
name = mkOption {
+ visible = false;
+ default = name;
example = "luksroot";
type = types.str;
- description = "Named to be used for the generated device in /dev/mapper.";
+ description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
};
device = mkOption {
- example = "/dev/sda2";
+ example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
type = types.str;
- description = "Path of the underlying block device.";
+ description = "Path of the underlying encrypted block device.";
};
header = mkOption {
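Review bot: The rewritten description of boot.initrd.luks.devices speaks of "The encrypted disk" in the singular although the option is now an attribute set of devices, and "sypported" is misspelled. Suggested wording for the first two lines of the description: `The encrypted disks that should be opened before the root` / `filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM` / `setups are supported. The unencrypted devices can be accessed as`. It may also be worth stating in the description that the attribute name becomes the device-mapper name, since the `name` option is now hidden from the generated documentation. The options attribute set continues past the end of this hunk.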
@@ -289,6 +288,7 @@ in
'';
};
+ # FIXME: get rid of this option.
preLVM = mkOption {
default = true;
type = types.bool;
@@ -394,7 +394,7 @@ in
};
};
- };
+ }; };
};
boot.initrd.luks.yubikeySupport = mkOption {
@@ -408,7 +408,7 @@ in
};
};
- config = mkIf (luks.devices != []) {
+ config = mkIf (luks.devices != {}) {
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
@@ -463,8 +463,8 @@ in
''}
'';
- boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM;
- boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM;
+ boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
+ boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
environment.systemPackages = [ pkgs.cryptsetup ];
};
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 8aa643687557..9d9b725a805d 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -465,7 +465,7 @@ in
});
swapDevices = mkVMOverride [ ];
- boot.initrd.luks.devices = mkVMOverride [];
+ boot.initrd.luks.devices = mkVMOverride {};
# Don't run ntpd in the guest. It should get the correct time from KVM.
services.ntp.enable = false;