nixos: add support for dm-verity

Co-authored-by: nikstur <nikstur@outlook.com>
Co-authored-by: WilliButz <willibutz@posteo.de>

nixos/modules/system/boot/systemd/dm-verity.nix

@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.boot.initrd.systemd.dmVerity;
+in
+{
+  options = {
+    boot.initrd.systemd.dmVerity = {
+      enable = lib.mkEnableOption "dm-verity" // {
+        description = ''
+          Mount verity-protected block devices in the initrd.
+
+          Enabling this option allows to use `systemd-veritysetup` and
+          `systemd-veritysetup-generator` in the initrd.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.enable;
+        message = ''
+          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
+        '';
+      }
+    ];
+
+    boot.initrd = {
+      availableKernelModules = [
+        "dm_mod"
+        "dm_verity"
+      ];
+
+      # dm-verity needs additional udev rules from LVM to work.
+      services.lvm.enable = true;
+
+      # The additional targets and store paths allow users to integrate verity-protected devices
+      # through the systemd tooling.
+      systemd = {
+        additionalUpstreamUnits = [
+          "veritysetup-pre.target"
+          "veritysetup.target"
+          "remote-veritysetup.target"
+        ];
+
+        storePaths = [
+          "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
+          "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
+        ];
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [
+    msanft
+    nikstur
+    willibutz
+  ];
+}