dd8e725d7d
popt-0.16 and cryptsetup-1.4.1 both generated pkgconfig files (in contrast to older versions). The pkgconfig files (popt.pc and cryptsetup.pc) contain references into the store that are not removed by patchelf, and stage-1 fails with errors like: "output is not allowed to refer to path `/nix/store/qccjhn063cfv171rcaxvxh0yk96zf7l2-cryptsetup-1.4.1'". Now, only the cryptsetup binary and its dependencies, as determined by ldd, are copied. In addition, the cryptsetup binary and lvm are tested after patchelf has adjusted the library paths. Thanks to Peter Simons and Eelco Dolstra for giving the right hints. svn path=/nixos/trunk/; revision=31128
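# NixOS module: unlock one LUKS-encrypted device in the initrd (stage 1)
# before the root file system is mounted.
#
# When boot.initrd.luksRoot is non-empty, the module
#   * copies cryptsetup and the store libraries it links against into the
#     initrd's extra-utils output ($out),
#   * checks that the copied cryptsetup and the lvm binary start, and
#   * opens the device as /dev/mapper/luksroot and activates the LVM
#     volume groups.
{pkgs, config, ...}:

with pkgs.lib;

let
  # Device to unlock. The empty string (the option's default) disables the
  # whole `config` section below.
  luksRoot = config.boot.initrd.luksRoot;
in

{

  options = {

    boot.initrd.luksRoot = mkOption {
      default = "";
      example = "/dev/sda3";
      description = ''
        The device that should be decrypted using LUKS before trying to mount the
        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.

        Make sure that initrd has the crypto modules needed for decryption.

        The decrypted device name is /dev/mapper/luksroot.
      '';
    };

  };

  config = mkIf (luksRoot != "") {

    # Copy the cryptsetup binary and its dependencies.
    # Only the binary and the libraries that ldd resolves into /nix/store are
    # copied, not the whole package: per the commit message, copying
    # everything pulled in pkgconfig files whose store references made
    # stage-1 fail. ldd reports link-time dependencies only, so a library
    # loaded at run time would not be picked up by this loop.
    boot.initrd.extraUtilsCommands = ''
      cp -pdv ${pkgs.cryptsetup}/sbin/cryptsetup $out/bin
      # XXX: do we have a function that does this?
      for lib in $(ldd $out/bin/cryptsetup |grep '=>' |grep /nix/store/ |cut -d' ' -f3); do
        # First the name ldd reported (-d keeps a symlink as a symlink), then
        # the file it finally resolves to; -n never overwrites an existing copy.
        cp -pdvn "$lib" $out/lib
        cp -pvn "$(readlink -f "$lib")" $out/lib
      done
    '';

    # Smoke test of the copied tools; per the commit message it runs after
    # patchelf has adjusted the library paths, so a missing library shows up
    # at build time rather than at boot.
    # NOTE(review): lvm is not copied by this module; presumably the base
    # initrd already provides $out/bin/lvm. Confirm.
    boot.initrd.extraUtilsCommandsTest = ''
      $out/bin/cryptsetup --version
      $out/bin/lvm vgscan --version
      $out/bin/lvm vgchange --version
    '';

    # The device path is spliced into the script text when the configuration
    # is evaluated. It is double-quoted so that a path containing whitespace
    # or glob characters reaches cryptsetup as a single argument; the value
    # is still expected to come from the administrator's configuration only.
    # The mapping name is fixed to "luksroot", so exactly one device is
    # unlocked by this module.
    # NOTE(review): the exit status of luksOpen is not checked here; whether
    # a failed unlock stops the boot depends on how stage 1 runs these
    # commands. Confirm.
    boot.initrd.postDeviceCommands = ''
      cryptsetup luksOpen "${luksRoot}" luksroot
      lvm vgscan
      lvm vgchange -ay
    '';

  };

}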