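{ config, pkgs, lib, ... }:

# Stage-1 (systemd initrd) handling of `boot.initrd.secrets`: stage the
# secrets under /.initrd-secrets and copy them to their final paths very
# early in the initrd boot, before the units that consume them (cryptsetup).
{
  config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {
    # Copy secrets into the initrd if they cannot be appended by the bootloader.
    # NOTE(review): in this fallback the secret material becomes part of the
    # initrd image itself; check where that image is stored and who can read
    # it before relying on this path for anything sensitive.
    boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets)
      (lib.mapAttrs'
        (dest: source: lib.nameValuePair "/.initrd-secrets/${dest}" {
          # A null source means "take the file from the same path on the host".
          source = if source == null then dest else source;
        })
        config.boot.initrd.secrets);

    # Copy secrets to their respective locations
    boot.initrd.systemd.services.initrd-nixos-copy-secrets = lib.mkIf (config.boot.initrd.secrets != {}) {
      description = "Copy secrets into place";
      # Run as early as possible
      wantedBy = [ "sysinit.target" ];
      before = [ "cryptsetup-pre.target" "shutdown.target" ];
      conflicts = [ "shutdown.target" ];
      unitConfig.DefaultDependencies = false;

      # We write the secrets to /.initrd-secrets and move them because this allows
      # secrets to be written to /run. If we put the secret directly to /run and
      # drop this service, we'd mount the /run tmpfs over the secret, making it
      # invisible in stage 2.
      #
      # The relative paths printed by `find` are consumed one per line with IFS
      # cleared and without pathname expansion, so a destination containing
      # spaces or glob characters is copied to exactly that path instead of being
      # word-split into several wrong ones.  `cd ... &&` stops `find` from
      # silently walking the current directory if the staging dir is missing.
      # NOTE(review): `cp` without `-p` creates the destination with the source's
      # mode bits masked by the service's umask, and dereferences symlinks —
      # confirm that is the intended permission model for the copied secrets.
      script = ''
        ( cd /.initrd-secrets && find . -type f -o -type l ) | while IFS= read -r secret; do
          mkdir -p "$(dirname "/$secret")"
          cp "/.initrd-secrets/$secret" "/$secret"
        done
      '';

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
    # The script needs `find`; mkdir, cp and dirname are expected to come from
    # the coreutils already present in the initrd.
    boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";
  };
}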