nixos/modules/system/boot/systemd/initrd-secrets.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

nixpkgs / nixos / modules / system / boot / systemd / initrd-secrets.nix

at 23.05-pre 1.5 kB view raw

 1{ config, pkgs, lib, ... }:
 2
 3{
 4  config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {
 5    # Copy secrets into the initrd if they cannot be appended
 6    boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets)
 7      (lib.mapAttrs' (dest: source: lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }) config.boot.initrd.secrets);
 8
 9    # Copy secrets to their respective locations
10    boot.initrd.systemd.services.initrd-nixos-copy-secrets = lib.mkIf (config.boot.initrd.secrets != {}) {
11      description = "Copy secrets into place";
12      # Run as early as possible
13      wantedBy = [ "sysinit.target" ];
14      before = [ "cryptsetup-pre.target" ];
15      unitConfig.DefaultDependencies = false;
16
17      # We write the secrets to /.initrd-secrets and move them because this allows
18      # secrets to be written to /run. If we put the secret directly to /run and
19      # drop this service, we'd mount the /run tmpfs over the secret, making it
20      # invisible in stage 2.
21      script = ''
22        for secret in $(cd /.initrd-secrets; find . -type f); do
23          mkdir -p "$(dirname "/$secret")"
24          cp "/.initrd-secrets/$secret" "/$secret"
25        done
26      '';
27
28      unitConfig = {
29        Type = "oneshot";
30        RemainAfterExit = true;
31      };
32    };
33    # The script needs this
34    boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";
35  };
36}