systemd: Wrap in LUKS2 tokens

Update pkgs/os-specific/linux/systemd/default.nix Co-authored-by: Janne Heß <janne@hess.ooo> Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com> Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2022-09-23 15:47:05 -06:00 · 2022-09-23 15:47:05 -06:00 · 570824e102
parent f42cdfe227
commit 570824e102
2 changed files with 13 additions and 1 deletions
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@ -403,6 +403,9 @@ in {

        # so NSS can look up usernames
        "${pkgs.glibc}/lib/libnss_files.so.2"
+      ] ++ optionals cfg.package.withCryptsetup [
+        # the unwrapped systemd-cryptsetup executable
+        "${cfg.package}/lib/systemd/.systemd-cryptsetup-wrapped"
      ] ++ jobScripts;

      targets.initrd.aliases = ["default.target"];
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@ -7,6 +7,7 @@
 , fetchpatch
 , fetchzip
 , buildPackages
+, makeBinaryWrapper
 , ninja
 , meson
 , m4
@ -332,6 +333,7 @@ stdenv.mkDerivation {
  nativeBuildInputs =
    [
      pkg-config
+      makeBinaryWrapper
      gperf
      ninja
      meson
@ -666,7 +668,14 @@ stdenv.mkDerivation {
  preFixup = lib.optionalString withEfi ''
    mv $out/lib/systemd/boot/efi $out/dont-strip-me
  '';
-  postFixup = lib.optionalString withEfi ''
+
+  # Wrap in the correct path for LUKS2 tokens.
+  postFixup = lib.optionalString withCryptsetup ''
+    for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
+      # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so`
+      wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
+    done
+  '' + lib.optionalString withEfi ''
    mv $out/dont-strip-me $out/lib/systemd/boot/efi
  '';