Unverified Commit 64481a1a authored by Mark Ellis

zfs: clevis support for all filesystems, not just those needed for boot

load zfs key from clevis for any dataset that is configured, not just
those needed for boot

This also works for datasets with dual keys, e.g. those with both a clevis
key and a zfs keylocation of `file:///` (previously loading the key would
fail with an error if the zfs keylocation was not `prompt`).
parent 0fc6414b
+2 −5
@@ -24,10 +24,7 @@ let
    lib.filterAttrs (
      device: _:
      lib.any (
        e:
        e.fsType == "zfs"
        && (utils.fsNeededForBoot e)
        && (e.device == device || lib.hasPrefix "${device}/" e.device)
        e: e.fsType == "zfs" && (e.device == device || lib.hasPrefix "${device}/" e.device)
      ) config.system.build.fileSystems
    ) config.boot.initrd.clevis.devices
  );
@@ -217,7 +214,7 @@ let
          if poolImported "${pool}"; then
          ${lib.optionalString config.boot.initrd.clevis.enable (
            lib.concatMapStringsSep "\n" (
              elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key ${elem} || true "
              elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key -L prompt ${elem} || true "
            ) (lib.filter (p: (lib.elemAt (lib.splitString "/" p) 0) == pool) clevisDatasets)
          )}