From 5e86bba0827a96388bff25ae85d4e163a12016f1 Mon Sep 17 00:00:00 2001 From: Keshav Kini Date: Sun, 26 Jul 2020 17:05:21 -0700 Subject: [PATCH] nixos/boot: some documentation improvements - Give a more accurate description of how fileSystems..neededForBoot works - Give a more detailed description of how fileSystems..encrypted.keyFile works --- nixos/lib/utils.nix | 8 +++++--- nixos/modules/system/boot/stage-1.nix | 10 ++++++---- nixos/modules/tasks/encrypted-devices.nix | 19 +++++++++++++++---- 3 files changed, 26 insertions(+), 11 deletions(-) diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index 21f4c7c6988..543c8a8882e 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -2,9 +2,11 @@ pkgs: with pkgs.lib; rec { - # Check whenever fileSystem is needed for boot - fsNeededForBoot = fs: fs.neededForBoot - || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]; + # Check whenever fileSystem is needed for boot. NOTE: Make sure + # pathsNeededForBoot is closed under the parent relationship, i.e. if /a/b/c + # is in the list, put /a and /a/b in as well. + pathsNeededForBoot = [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]; + fsNeededForBoot = fs: fs.neededForBoot || elem fs.mountPoint pathsNeededForBoot; # Check whenever `b` depends on `a` as a fileSystem fsBefore = a: b: a.mountPoint == b.device diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 63005b26f6f..7f13f67e8ef 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -559,10 +559,12 @@ in default = false; type = types.bool; description = '' - If set, this file system will be mounted in the initial - ramdisk. By default, this applies to the root file system - and to the file system containing - /nix/store. + If set, this file system will be mounted in the initial ramdisk. + Note that the file system will always be mounted in the initial + ramdisk if its mount point is one of the following: + ${concatStringsSep ", " ( + forEach utils.pathsNeededForBoot (i: "${i}") + )}. ''; }; }); diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index bc0933f16fe..9c3f2d8fccb 100644 --- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -37,7 +37,14 @@ let default = null; example = "/mnt-root/root/.swapkey"; type = types.nullOr types.str; - description = "File system location of keyfile. This unlocks the drive after the root has been mounted to /mnt-root."; + description = '' + Path to a keyfile used to unlock the backing encrypted + device. At the time this keyfile is accessed, the + neededForBoot filesystems (see + fileSystems.<name?>.neededForBoot) + will have been mounted under /mnt-root, + so the keyfile path should usually start with "/mnt-root/". + ''; }; }; }; @@ -65,12 +72,16 @@ in boot.initrd = { luks = { devices = - builtins.listToAttrs (map (dev: { name = dev.encrypted.label; value = { device = dev.encrypted.blkDev; }; }) keylessEncDevs); + builtins.listToAttrs (map (dev: { + name = dev.encrypted.label; + value = { device = dev.encrypted.blkDev; }; + }) keylessEncDevs); forceLuksSupportInInitrd = true; }; postMountCommands = - concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs; + concatMapStrings (dev: + "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n" + ) keyedEncDevs; }; }; } -