diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
index 21f4c7c6988..543c8a8882e 100644
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -2,9 +2,11 @@ pkgs: with pkgs.lib;
rec {
- # Check whenever fileSystem is needed for boot
- fsNeededForBoot = fs: fs.neededForBoot
- || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
+ # Check whenever fileSystem is needed for boot. NOTE: Make sure
+ # pathsNeededForBoot is closed under the parent relationship, i.e. if /a/b/c
+ # is in the list, put /a and /a/b in as well.
+ pathsNeededForBoot = [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
+ fsNeededForBoot = fs: fs.neededForBoot || elem fs.mountPoint pathsNeededForBoot;
# Check whenever `b` depends on `a` as a fileSystem
fsBefore = a: b: a.mountPoint == b.device
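Review bot: The closure invariant the new comment asks for ("if /a/b/c is in the list, put /a and /a/b in as well") is only stated, not enforced; `fsNeededForBoot` on the last added line does an exact `elem` match, so a future entry added without its parents would silently break the ordering the comment protects. A cheap evaluation-time check makes the invariant self-enforcing, e.g. `fsNeededForBoot = fs: assert all (p: p == "/" || elem (dirOf p) pathsNeededForBoot) pathsNeededForBoot; fs.neededForBoot || elem fs.mountPoint pathsNeededForBoot;` (placing the assert inside `pathsNeededForBoot` itself would recurse in the `rec` set). The comment also keeps the pre-existing "Check whenever" wording where "Check whether" is meant.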
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 63005b26f6f..7f13f67e8ef 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -559,10 +559,12 @@ in
default = false;
type = types.bool;
description = ''
- If set, this file system will be mounted in the initial
- ramdisk. By default, this applies to the root file system
- and to the file system containing
- /nix/store.
+ If set, this file system will be mounted in the initial ramdisk.
+ Note that the file system will always be mounted in the initial
+ ramdisk if its mount point is one of the following:
+ ${concatStringsSep ", " (
+ forEach utils.pathsNeededForBoot (i: "${i}")
+ )}.
'';
};
});
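Review bot: The mapping `forEach utils.pathsNeededForBoot (i: "${i}")` in the new description is an identity over a list of strings, so the interpolation can be written as `${concatStringsSep ", " utils.pathsNeededForBoot}.` without the `forEach`. The surrounding option is a submodule definition that starts before this hunk; the three-line `${ ... }` block could then collapse to one line.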
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index bc0933f16fe..9c3f2d8fccb 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -37,7 +37,14 @@ let
default = null;
example = "/mnt-root/root/.swapkey";
type = types.nullOr types.str;
- description = "File system location of keyfile. This unlocks the drive after the root has been mounted to /mnt-root.";
+ description = ''
+ Path to a keyfile used to unlock the backing encrypted
+ device. At the time this keyfile is accessed, the
+ neededForBoot filesystems (see
+ fileSystems.<name?>.neededForBoot)
+ will have been mounted under /mnt-root,
+ so the keyfile path should usually start with "/mnt-root/".
+ '';
};
};
};
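Review bot: The new description says the neededForBoot file systems "will have been mounted under /mnt-root" but does not tell the reader the corollary: the file system that holds the keyfile must itself be marked `neededForBoot = true` (or have one of the boot mount points) or the path will not exist when it is read. Judging by `fsNeededForBoot` in utils.nix, only those file systems are available at that point, so a sentence such as `Make sure the file system containing the keyfile is marked neededForBoot = true, otherwise it will not be mounted yet.` would save users a failed boot. The enclosing submodule definition starts before this hunk.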
@@ -65,12 +72,16 @@ in
boot.initrd = {
luks = {
devices =
- builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs);
+ builtins.listToAttrs (map (dev: {
+ name = dev.encrypted.label;
+ value = { device = dev.encrypted.blkDev; };
+ }) keylessEncDevs);
forceLuksSupportInInitrd = true;
};
postMountCommands =
- concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
+ concatMapStrings (dev:
+ "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
+ ) keyedEncDevs;
};
};
}
-
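Review bot: In the reformatted `postMountCommands` the interpolated `dev.encrypted.keyFile`, `dev.encrypted.blkDev` and `dev.encrypted.label` are spliced into the shell command unquoted; a path or label containing a space or shell metacharacter would split into extra arguments or be interpreted by the initrd shell, and the `keyFile` option is a plain `types.str`. Since the line is being touched anyway, wrap each in `escapeShellArg` (unqualified `concatMapStrings` suggests `lib` is already in scope): `"cryptsetup luksOpen --key-file ${escapeShellArg dev.encrypted.keyFile} ${escapeShellArg dev.encrypted.blkDev} ${escapeShellArg dev.encrypted.label};\n"`. The enclosing module config starts before this hunk.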