change swap.randomEncryption config option to "coercedTo" for backwards compatibility

2024-11-23 15:33:13 +00:00 · 2017-05-28 14:46:18 +02:00 · 2017-05-28 14:46:18 +02:00 · 9be26f81ca
commit 9be26f81ca
parent c3d5cfdc3c
1 changed files with 55 additions and 22 deletions
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@ -5,6 +5,52 @@ with lib;

 let

+  randomEncryptionCoerce = enable: { inherit enable; };
+
+  randomEncryptionOpts = { ... }: {
+
+    options = {
+
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Encrypt swap device with a random key. This way you won't have a persistent swap device.
+
+          WARNING: Don't try to hibernate when you have at least one swap partition with
+          this option enabled! We have no way to set the partition into which hibernation image
+          is saved, so if your image ends up on an encrypted one you would lose it!
+
+          WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
+          when using randomEncryption as the UUIDs and labels will get erased on every boot when
+          the partition is encrypted. Best to use /dev/disk/by-partuuid/…
+        '';
+      };
+
+      cipher = mkOption {
+        default = "aes-xts-plain64";
+        example = "serpent-xts-plain64";
+        type = types.str;
+        description = ''
+          Use specified cipher for randomEncryption.
+
+          Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
+        '';
+      };
+
+      source = mkOption {
+        default = "/dev/urandom";
+        example = "/dev/random";
+        type = types.str;
+        description = ''
+          Define the source of randomness to obtain a random key for encryption.
+        '';
+      };
+
+    };
+
+  };
+
  swapCfg = {config, options, ...}: {

    options = {
@ -45,12 +91,19 @@ let
        '';
      };

-      randomEncryption.enable = mkOption {
+      randomEncryption = mkOption {
        default = false;
-        type = types.bool;
+        example = {
+          enable = true;
+          cipher = "serpent-xts-plain64";
+          source = "/dev/random";
+        };
+        type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
        description = ''
          Encrypt swap device with a random key. This way you won't have a persistent swap device.

+          HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
+
          WARNING: Don't try to hibernate when you have at least one swap partition with
          this option enabled! We have no way to set the partition into which hibernation image
          is saved, so if your image ends up on an encrypted one you would lose it!
@ -61,26 +114,6 @@ let
        '';
      };

-      randomEncryption.cipher = mkOption {
-        default = "aes-xts-plain64";
-        example = "serpent-xts-plain64";
-        type = types.str;
-        description = ''
-          Use specified cipher for randomEncryption.
-
-          Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
-        '';
-      };
-
-      randomEncryption.source = mkOption {
-        default = "/dev/urandom";
-        example = "/dev/random";
-        type = types.str;
-        description = ''
-          Define the source of randomness to obtain a random key for encryption.
-        '';
-      };
-
      deviceName = mkOption {
        type = types.str;
        internal = true;