So I’ve set up my laptop with full disk encryption (including /boot) and up to this point everything works flawlessly. However, when I suspend it, it does just that: suspend and nothing more. I often carry my laptop in suspended state, and would like to have the disk locked when doing so.
Searching the internet has revealed some sources that more or less successfully got this working with Archlinux and/or some other distros (Archlinux (copies binaries to unencrypted /boot), BSD, Linux (explanation on how to do this), Archlinux). Now, before I try porting these solutions to NixOS, I would like to verify whether there is already something existing out there or if I am on my own. So:
Is there already code to luksSuspend my disks on suspend?
Could someone at least answer a “no” if there is no such thing, please?
It is extremely difficult to give a definite “no” answer to that question. I guess that no answer here means that no one who read your query has any idea if it exists or not. No more, no less.
Looking at the history of luks-related files in nixos may help identify knowledgeable users, but looking here[1] it seems quite heterogeneous.
Asking on IRC may get you on track. You could obtain less definite answers, and find people remotely interested in luks but willing to help.
You probably could construct a chroot environment containing cryptsetup and systemctl with something like nix --store /run/suspend-chroot build nixpkgs.cryptsetup nixpkgs.systemd and then use a script that will chroot into that environment, bind-mounting /run, suspending LUKS devices and then suspending the computer.
I have now put something like this together: fetch “Port of Debian's cryptsetup-suspend to NixOS” from GitHub and save it as /etc/nixos/safe-suspend.nix, then in your /etc/nixos/configuration.nix, put ./safe-suspend.nix in your imports declaration.
This is a simplified (less clever) port of Debian’s cryptsetup-suspend. It only supports a single encrypted container and does not run sleep pre- and post-hooks (which in Debian are located at /lib/systemd/system-sleep). It also always reserves 1 GiB of memory to ensure that unlocking will not run into OOM issues, instead of calculating the precise amount of memory needed.
Eventually we could tidy this up and then add it to NixOS, but first let’s gather feedback.
I like my screen to be completely black when entering the resume passphrase. To avoid this idiosyncrasy, remove the three lines calling setterm.
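A minimal sketch of the flow the two posts above describe (re-exec from an in-memory chroot so nothing is read from the frozen root, luksSuspend every dm-crypt mapping, enter sleep, then luksResume with a passphrase prompt), as an added example that is not part of the thread or of the linked port. The chroot path, its contents (/bin/sh and /bin/cryptsetup with their libraries already copied in) and the script name are assumptions; it does not do the 1 GiB memory reservation the port mentions.

```shell
#!/bin/sh
# safe-suspend.sh (hypothetical): lock all dm-crypt mappings across a suspend.
# Assumed: a ramfs chroot at $CHROOT already holding /bin/sh, /bin/cryptsetup
# and their libraries, so the locking/unlocking code never pages from root.
CHROOT=${CHROOT:-/run/suspend-chroot}

# Names of active dm-crypt mappings, parsed from `dmsetup table` on stdin.
# Each line looks like: "<name>: <start> <length> <target> <args...>".
crypt_mappings() {
    while read -r name _start _len target _rest; do
        [ "$target" = crypt ] && printf '%s\n' "${name%:}"
    done
    return 0
}

# Stage 2, running inside the in-memory chroot: lock, sleep, unlock.
inner() {
    # luksSuspend freezes I/O on the mapping and wipes its key from the kernel
    for m in "$@"; do cryptsetup luksSuspend "$m" || exit 1; done
    echo mem > /sys/power/state      # enter S3; this write returns on wake-up
    for m in "$@"; do
        # keep asking until the passphrase is accepted (cryptsetup prompts)
        until cryptsetup luksResume "$m"; do :; done
    done
}

# Stage 1, running from the normal root: prepare the chroot and re-exec.
outer() {
    maps=$(dmsetup table | crypt_mappings)
    [ -n "$maps" ] || { echo "no dm-crypt mappings active" >&2; exit 1; }
    for d in dev proc sys run; do      # bind-mount what cryptsetup needs
        mountpoint -q "$CHROOT/$d" || mount --bind "/$d" "$CHROOT/$d"
    done
    cp "$0" "$CHROOT/safe-suspend.sh"  # the script itself must live in RAM
    sync                               # flush dirty pages before freezing root
    # shellcheck disable=SC2086       (word-split: one mapping name per arg)
    exec chroot "$CHROOT" /bin/sh /safe-suspend.sh --inner $maps
}

case "${1:-}" in
    --inner) shift; inner "$@" ;;
    --run)   outer ;;
esac
```

Run as root with `--run`; swap must be off or itself one of the suspended mappings, otherwise the kernel can block on it while the key is gone.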