nixpkgs/modules/system/boot/luksroot.nix
Florian Friesdorf dd8e725d7d copy only cryptsetup deps to stage-1 and test cryptsetup
popt-0.16 and cryptsetup-1.4.1 both generated pkgconfig (in contrast
to older versions). The pkgconfig files (popt.pc and cryptsetup.pc)
contain references into the store that are not removed by patchelf and
stage-1 fails with errors like: "output is not allowed to refer to
path `/nix/store/qccjhn063cfv171rcaxvxh0yk96zf7l2-cryptsetup-1.4.1'".

Now, only the cryptsetup binaries and its dependencies are copied,
determined by ldd. In addition the cryptsetup binary and lvm are
tested after patchelf has adjusted the library paths.

Thanks to Peter Simons and Eelco Dolstra for giving the right hints.

svn path=/nixos/trunk/; revision=31128
2011-12-28 21:46:40 +00:00


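# NixOS module: unlock a LUKS-encrypted device from the initrd (stage 1)
# before the root file system is mounted, then activate LVM volume groups.
#
# Arguments:
#   pkgs   - package set; provides pkgs.lib and pkgs.cryptsetup.
#   config - evaluated system configuration; boot.initrd.luksRoot is read.
#
# Security note: the unlock runs inside the initrd, so the initrd itself has
# to be readable before the LUKS device is opened. Its contents (including
# the cryptsetup binary copied below) are therefore not covered by the
# encryption this module sets up.
{pkgs, config, ...}:

with pkgs.lib;

let
  # Device to unlock; the empty string (the option default) disables the module.
  luksRoot = config.boot.initrd.luksRoot;
in

{
  options = {
    boot.initrd.luksRoot = mkOption {
      default = "";
      example = "/dev/sda3";
      description = ''
        The device that should be decrypted using LUKS before trying to mount the
        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
        Make sure that initrd has the crypto modules needed for decryption.
        The decrypted device name is /dev/mapper/luksroot.
      '';
    };
  };

  # Everything below is only active when a device has been configured.
  config = mkIf (luksRoot != "") {
    # Copy the cryptsetup binary and its dependencies.
    # Only shared libraries that ldd resolves to a /nix/store path are taken
    # (third space-separated field of the "name => path" lines). Each one is
    # copied twice: once as-is (-d keeps a symlink a symlink) and once as the
    # file it finally resolves to. -n never overwrites a file already in
    # $out/lib.
    boot.initrd.extraUtilsCommands = ''
      cp -pdv ${pkgs.cryptsetup}/sbin/cryptsetup $out/bin
      # XXX: do we have a function that does this?
      for lib in $(ldd $out/bin/cryptsetup |grep '=>' |grep /nix/store/ |cut -d' ' -f3); do
        cp -pdvn $lib $out/lib
        cp -pvn $(readlink -f $lib) $out/lib
      done
    '';

    # Smoke test of the copied tools: a binary whose libraries cannot be
    # resolved fails here, at build time, rather than at boot.
    # NOTE(review): lvm is not copied by this module; it is presumably
    # placed in $out/bin elsewhere - confirm.
    boot.initrd.extraUtilsCommandsTest = ''
      $out/bin/cryptsetup --version
      $out/bin/lvm vgscan --version
      $out/bin/lvm vgchange --version
    '';

    # Open the LUKS device as /dev/mapper/luksroot, then scan for and activate
    # LVM volume groups. No key file is passed, so cryptsetup asks for the
    # passphrase interactively.
    # The device path is double-quoted so that a value containing whitespace
    # or glob characters reaches cryptsetup as one argument. Double quotes do
    # not neutralise $, backticks or embedded double quotes; the value comes
    # from the system configuration and should be a plain device path.
    # NOTE(review): the exit status of luksOpen is not checked here; whether
    # stage 1 aborts on failure depends on the surrounding script - confirm.
    boot.initrd.postDeviceCommands = ''
      cryptsetup luksOpen "${luksRoot}" luksroot
      lvm vgscan
      lvm vgchange -ay
    '';
  };
}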