Add an option to cipher swap partitions.
Not tested yet: cryptsetup depends on a missing udev binary. svn path=/nixos/trunk/; revision=19131
parent
c0c4d575d2
commit
246dae96fe
@ -4,10 +4,8 @@ with pkgs.lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
inherit (pkgs) utillinux;
|
inherit (pkgs) cryptsetup utillinux;
|
||||||
|
|
||||||
toPath = x: if x.device != null then x.device else "/dev/disk/by-label/${x.label}";
|
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
@ -35,24 +33,65 @@ in
|
|||||||
|
|
||||||
type = types.list types.optionSet;
|
type = types.list types.optionSet;
|
||||||
|
|
||||||
options = {
|
options = {config, options, ...}: {
|
||||||
|
|
||||||
device = mkOption {
|
options = {
|
||||||
default = null;
|
device = mkOption {
|
||||||
example = "/dev/sda3";
|
example = "/dev/sda3";
|
||||||
type = types.nullOr types.string;
|
type = types.string;
|
||||||
description = ''
|
description = ''
|
||||||
Path of the device.
|
Path of the device.
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
label = mkOption {
|
||||||
|
example = "swap";
|
||||||
|
type = types.string;
|
||||||
|
description = "
|
||||||
|
Label of the device. Can be used instead of <varname>device</varname>.
|
||||||
|
";
|
||||||
|
};
|
||||||
|
|
||||||
|
cipher = mkOption {
|
||||||
|
default = false;
|
||||||
|
example = true;
|
||||||
|
type = types.bool;
|
||||||
|
description = "
|
||||||
|
Cipher the swap device to protect swapped data.
|
||||||
|
";
|
||||||
|
};
|
||||||
|
|
||||||
|
command = mkOption {
|
||||||
|
description = "
|
||||||
|
Command used to activate the swap device.
|
||||||
|
";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
label = mkOption {
|
config = {
|
||||||
default = null;
|
device =
|
||||||
example = "swap";
|
if options.label.isDefined then
|
||||||
type = types.nullOr types.string;
|
"/dev/disk/by-label/${config.label}"
|
||||||
description = "
|
else
|
||||||
Label of the device. Can be used instead of <varname>device</varname>.
|
mkNotdef;
|
||||||
";
|
|
||||||
|
command = ''
|
||||||
|
if test -e "${config.device}"; then
|
||||||
|
${if config.cipher then ''
|
||||||
|
# swap labels could be preserved by using --skip (PAGE_SIZE / key size)
|
||||||
|
# The current settings won't work on system with a PAGE_SIZE != 4096.
|
||||||
|
oldDevice="${config.device}"
|
||||||
|
device="crypt$(echo "$oldDevice" | sed -e 's,/,.,')"
|
||||||
|
${cryptsetup}/sbin/cryptsetup --skip 16 -c blowfish -s 256 -d /dev/urandom create "$device" "$oldDevice"
|
||||||
|
${utillinux}/sbin/swapon "/dev/mapper/$newDevice" || true
|
||||||
|
''
|
||||||
|
else ''
|
||||||
|
device="${config.device}"
|
||||||
|
${utillinux}/sbin/swapon "${config.device}" || true
|
||||||
|
''}
|
||||||
|
swapDevices="$swapDevices $device"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
@ -72,12 +111,8 @@ in
|
|||||||
startOn = ["startup" "new-devices"];
|
startOn = ["startup" "new-devices"];
|
||||||
|
|
||||||
script =
|
script =
|
||||||
''
|
''
|
||||||
swapDevices=${toString (map toPath config.swapDevices)}
|
${toString (map (x: x.command) config.swapDevices)}
|
||||||
|
|
||||||
for device in $swapDevices; do
|
|
||||||
${utillinux}/sbin/swapon "$device" || true
|
|
||||||
done
|
|
||||||
|
|
||||||
# Remove swap devices not listed in swapDevices.
|
# Remove swap devices not listed in swapDevices.
|
||||||
for used in $(cat /proc/swaps | grep '^/' | sed 's/ .*//'); do
|
for used in $(cat /proc/swaps | grep '^/' | sed 's/ .*//'); do
|
||||||
|
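Review bot: In the cipher branch the `swapon` call uses `/dev/mapper/$newDevice`, but the mapper name was stored in `$device` two lines earlier, so `$newDevice` is empty, the encrypted swap is never activated, and the trailing `|| true` hides the failure. The `sed -e 's,/,.,'` on the same line lacks the `g` flag, so `/dev/sda3` becomes `crypt.dev/sda3`, which still contains a slash and is not a usable device-mapper name. I would change those lines to `device="crypt$(echo "$oldDevice" | sed -e 's,/,.,g')"`, `${cryptsetup}/sbin/cryptsetup --skip 16 -c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom create "$device" "$oldDevice"` and `${utillinux}/sbin/swapon "/dev/mapper/$device" || true`, because a bare `-c blowfish` is, as far as I recall, interpreted as blowfish-cbc-plain, and a 64-bit block cipher with a plain IV is a weak choice even for a random-keyed swap. The later `swapDevices="$swapDevices $device"` also appears to feed the "Remove swap devices not listed" loop over `/proc/swaps` paths, where a bare mapper name rather than `/dev/mapper/$device` would presumably never match; worth checking once the feature can actually be tested. Since the key is read from `/dev/urandom` on every activation, the `cipher` option description should also state that an encrypted swap cannot be used for hibernation/resume.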