types luks: add password prompt

nix-community · Oct 2, 2023 · 0d39ae5 · 0d39ae5
1 parent f02d818
commit 0d39ae5
Showing 1 changed file with 26 additions and 3 deletions.
diff --git a/lib/types/luks.nix b/lib/types/luks.nix
@@ -1,8 +1,10 @@
 { config, options, lib, diskoLib, parent, device, ... }:
 let
   keyFile =
-    if lib.hasAttr "keyFile" config.settings
+    if config.settings ? "keyFile"
     then config.settings.keyFile
+    else if config.askPassword
+    then ''<(set +x; echo -n "$password"; set -x)''
     else if config.passwordFile != null
     # do not print the password to the console
     then ''<(set +x; echo -n "$(cat ${config.passwordFile})"; set -x)''
@@ -47,6 +49,11 @@ in
       description = "Path to the file which contains the password for initial encryption";
       example = "/tmp/disk.key";
     };
+    askPassword = lib.mkOption {
+      type = lib.types.bool;
+      default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");
+      description = "Whether to ask for a password for initial encryption";
+    };
     settings = lib.mkOption {
       default = { };
       description = "LUKS settings (as defined in configuration.nix in boot.initrd.luks.devices.<name>)";
@@ -97,9 +104,24 @@ in
     _create = diskoLib.mkCreateOption {
       inherit config options;
       default = ''
+        ${lib.optionalString config.askPassword ''
+          set +x
+          askPassword() {
+            echo "Enter password for ${config.device}: "
+            read -s password
+            echo "Enter password for ${config.device} again to be safe: "
+            read -s password_check
+            export password
+            [ "$password" = "$password_check" ]
+          }
+          until askPassword; do
+            echo "Passwords did not match, please try again."
+          done
+          set -x
+        ''}
         cryptsetup -q luksFormat ${config.device} ${toString config.extraFormatArgs} \
           ${keyFileArgs}
-        cryptsetup luksOpen ${config.device} ${config.name} \
+        cryptsetup open ${config.device} ${config.name} \
           ${toString config.extraOpenArgs} \
           ${keyFileArgs}
         ${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} ${x} ${keyFileArgs}"))}
@@ -114,9 +136,10 @@ in
         in
         {
           dev = ''
-            cryptsetup status ${config.name} >/dev/null 2>/dev/null ||
+            if ! cryptsetup status ${config.name} >/dev/null 2>/dev/null; then
               cryptsetup open ${config.device} ${config.name} \
               ${keyFileArgs}
+            fi
             ${lib.optionalString (config.content != null) contentMount.dev or ""}
           '';
           fs = lib.optionalAttrs (config.content != null) contentMount.fs or { };