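{
  config,
  pkgs,
  lib,
  ...
}:

{
  config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {
    # When the boot loader cannot append a separate secrets archive, stage each
    # secret inside the initrd image itself under /.initrd-secrets/<dest>.
    # A null source means the destination path itself is used as the source path.
    # NOTE(review): on this path the secret material becomes part of the initrd
    # image that the boot loader reads -- confirm that wherever that image is
    # stored (and its file permissions) is acceptable for the secrets involved.
    boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets) (
      lib.mapAttrs' (
        dest: source:
        lib.nameValuePair "/.initrd-secrets/${dest}" {
          source = if source == null then dest else source;
        }
      ) config.boot.initrd.secrets
    );

    # Copy each staged secret from /.initrd-secrets/<dest> to /<dest>.
    boot.initrd.systemd.services.initrd-nixos-copy-secrets =
      lib.mkIf (config.boot.initrd.secrets != { })
      {
        description = "Copy secrets into place";
        # Run as early as possible: before cryptsetup-pre.target so that key
        # files referenced by LUKS units are already in place.
        wantedBy = [ "sysinit.target" ];
        before = [
          "cryptsetup-pre.target"
          "shutdown.target"
        ];
        conflicts = [ "shutdown.target" ];
        unitConfig.DefaultDependencies = false;

        # We stage the secrets under /.initrd-secrets and copy them from there
        # rather than placing them at their final path in the image: that allows
        # destinations under /run. If a secret sat directly in /run in the image
        # and this service were dropped, the /run tmpfs would be mounted over it,
        # hiding it from stage 2.
        #
        # Paths are passed NUL-delimited (find -print0 / read -d "") so names
        # containing whitespace or glob characters are handled correctly; the
        # previous `for secret in $(find …)` form was subject to word splitting
        # and pathname expansion. `cd … &&` ensures find never walks the current
        # directory if /.initrd-secrets is missing.
        # Symlinks are matched (-type l) and `cp` follows them, so the destination
        # receives the link target's content rather than the link itself.
        # NOTE(review): `cp` without -p does not preserve the source mode, so a
        # copy's permissions follow the service's umask -- consider `umask 077`
        # if a secret copied under /run must not be readable by other users in
        # stage 2.
        script = ''
          ( cd /.initrd-secrets && find . \( -type f -o -type l \) -print0 ) \
            | while IFS= read -r -d "" secret; do
                mkdir -p "$(dirname "/$secret")"
                cp "/.initrd-secrets/$secret" "/$secret"
              done
        '';

        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
      };

    # The copy script relies on find, which is not part of the initrd by default.
    boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";
  };
}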