Merge pull request #90307 from eyJhb/luks-pre-post

boot.initrd.luks.devices: add preOpenCommands and postOpenCommands
2025-04-17 19:38:39 +00:00 · 2020-07-08 03:02:29 -04:00 · 2020-07-08 03:02:29 -04:00 · dfe59e0ab2
commit dfe59e0ab2
parent c54edfed06 7279428096
1 changed files with 31 additions and 1 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -140,7 +140,7 @@ let
    umount /crypt-ramfs 2>/dev/null
  '';

-  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, ... }: assert name' == name;
+  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, preOpenCommands, postOpenCommands,... }: assert name' == name;
  let
    csopen   = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
    cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@ -412,11 +412,17 @@ let
    }
    ''}

+    # commands to run right before we mount our device
+    ${preOpenCommands}
+
    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then ''
    open_with_hardware
    '' else ''
    open_normally
    ''}
+
+    # commands to run right after we mounted our device
+    ${postOpenCommands}
  '';

  askPass = pkgs.writeScriptBin "cryptsetup-askpass" ''
@ -735,6 +741,30 @@ in
              };
            });
          };
+
+          preOpenCommands = mkOption {
+            type = types.lines;
+            default = "";
+            example = ''
+              mkdir -p /tmp/persistent
+              mount -t zfs rpool/safe/persistent /tmp/persistent
+            '';
+            description = ''
+              Commands that should be run right before we try to mount our LUKS device.
+              This can be useful, if the keys needed to open the drive is on another partion.
+            '';
+          };
+
+          postOpenCommands = mkOption {
+            type = types.lines;
+            default = "";
+            example = ''
+              umount /tmp/persistent
+            '';
+            description = ''
+              Commands that should be run right after we have mounted our LUKS device.
+            '';
+          };
        };
      }));
    };