diff options
Diffstat (limited to 'nixpkgs/nixos/modules/tasks/filesystems/zfs.nix')
-rw-r--r-- | nixpkgs/nixos/modules/tasks/filesystems/zfs.nix | 51 |
1 files changed, 39 insertions, 12 deletions
diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index 71eed4d6f1a..9ca7c6fb343 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -191,15 +191,14 @@ in }; requestEncryptionCredentials = mkOption { - type = types.bool; + type = types.either types.bool (types.listOf types.str); default = true; + example = [ "tank" "data" ]; description = '' - Request encryption keys or passwords for all encrypted datasets on import. - For root pools the encryption key can be supplied via both an - interactive prompt (keylocation=prompt) and from a file - (keylocation=file://). Note that for data pools the encryption key can - be only loaded from a file and not via interactive prompt since the - import is processed in a background systemd service. + If true on import encryption keys or passwords for all encrypted datasets + are requested. To only decrypt selected datasets supply a list of dataset + names instead. For root pools the encryption key can be supplied via both + an interactive prompt (keylocation=prompt) and from a file (keylocation=file://). ''; }; @@ -421,9 +420,13 @@ in fi poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. fi - ${lib.optionalString cfgZfs.requestEncryptionCredentials '' - zfs load-key -a - ''} + ${if isBool cfgZfs.requestEncryptionCredentials + then optionalString cfgZfs.requestEncryptionCredentials '' + zfs load-key -a + '' + else concatMapStrings (fs: '' + zfs load-key ${fs} + '') cfgZfs.requestEncryptionCredentials} '') rootPools)); }; @@ -490,7 +493,11 @@ in description = "Import ZFS pool \"${pool}\""; # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged requires = [ "systemd-udev-settle.service" ]; - after = [ "systemd-udev-settle.service" "systemd-modules-load.service" ]; + after = [ + "systemd-udev-settle.service" + "systemd-modules-load.service" + "systemd-ask-password-console.service" + ]; wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ]; before = (getPoolMounts pool) ++ [ "local-fs.target" ]; unitConfig = { @@ -515,7 +522,27 @@ in done poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. if poolImported "${pool}"; then - ${optionalString cfgZfs.requestEncryptionCredentials "\"${packages.zfsUser}/sbin/zfs\" load-key -r \"${pool}\""} + ${optionalString (if isBool cfgZfs.requestEncryptionCredentials + then cfgZfs.requestEncryptionCredentials + else cfgZfs.requestEncryptionCredentials != []) '' + ${packages.zfsUser}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do + (${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' + if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then + continue + fi + ''} + case "$kl" in + none ) + ;; + prompt ) + ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${packages.zfsUser}/sbin/zfs load-key "$ds" + ;; + * ) + ${packages.zfsUser}/sbin/zfs load-key "$ds" + ;; + esac) < /dev/null # To protect while read ds kl in case anything reads stdin + done + ''} echo "Successfully imported ${pool}" else exit 1 |