pyrox.dev / nixpkgs
lol
fork atom

nixos/systemd-stage-1: Add initrd secrets support

Janne Heß fa2c9b41 f678ad7c

options
unified split
Changed files
+39 -2
nixos
modules
module-list.nix
system
boot
systemd
initrd-secrets.nix
tests
systemd-initrd-luks-keyfile.nix
+2 -1
nixos/modules/module-list.nix 
···

       
1183

       
1183

       
 

       
  ./system/boot/stage-2.nix


     

       
1184

       
1184

       
 

       
  ./system/boot/systemd.nix


     

       
1185

       
1185

       
 

       
  ./system/boot/systemd/coredump.nix


     

       

       
1186

       
+

       
  ./system/boot/systemd/initrd-secrets.nix


     

       

       
1187

       
+

       
  ./system/boot/systemd/initrd.nix


     

       
1186

       
1188

       
 

       
  ./system/boot/systemd/journald.nix


     

       
1187

       
1189

       
 

       
  ./system/boot/systemd/logind.nix


     

       
1188

       
1190

       
 

       
  ./system/boot/systemd/nspawn.nix


     

       
1189

       
1191

       
 

       
  ./system/boot/systemd/shutdown.nix


     

       
1190

       
1192

       
 

       
  ./system/boot/systemd/tmpfiles.nix


     

       
1191

       
1193

       
 

       
  ./system/boot/systemd/user.nix


     

       
1192

       

       
-

       
  ./system/boot/systemd/initrd.nix


     

       
1193

       
1194

       
 

       
  ./system/boot/timesyncd.nix


     

       
1194

       
1195

       
 

       
  ./system/boot/tmp.nix


     

       
1195

       
1196

       
 

       
  ./system/etc/etc-activation.nix
+36
nixos/modules/system/boot/systemd/initrd-secrets.nix 
···

       

       
1

       
+

       
{ config, pkgs, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {


     

       

       
5

       
+

       
    # Copy secrets into the initrd if they cannot be appended


     

       

       
6

       
+

       
    boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets)


     

       

       
7

       
+

       
      (lib.mapAttrs' (dest: source: lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }) config.boot.initrd.secrets);


     

       

       
8

       
+

       



     

       

       
9

       
+

       
    # Copy secrets to their respective locations


     

       

       
10

       
+

       
    boot.initrd.systemd.services.initrd-nixos-copy-secrets = lib.mkIf (config.boot.initrd.secrets != {}) {


     

       

       
11

       
+

       
      description = "Copy secrets into place";


     

       

       
12

       
+

       
      # Run as early as possible


     

       

       
13

       
+

       
      wantedBy = [ "sysinit.target" ];


     

       

       
14

       
+

       
      before = [ "cryptsetup-pre.target" ];


     

       

       
15

       
+

       
      unitConfig.DefaultDependencies = false;


     

       

       
16

       
+

       



     

       

       
17

       
+

       
      # We write the secrets to /.initrd-secrets and move them because this allows


     

       

       
18

       
+

       
      # secrets to be written to /run. If we put the secret directly to /run and


     

       

       
19

       
+

       
      # drop this service, we'd mount the /run tmpfs over the secret, making it


     

       

       
20

       
+

       
      # invisible in stage 2.


     

       

       
21

       
+

       
      script = ''


     

       

       
22

       
+

       
        for secret in $(cd /.initrd-secrets; find . -type f); do


     

       

       
23

       
+

       
          mkdir -p "$(dirname "/$secret")"


     

       

       
24

       
+

       
          cp "/.initrd-secrets/$secret" "/$secret"


     

       

       
25

       
+

       
        done


     

       

       
26

       
+

       
      '';


     

       

       
27

       
+

       



     

       

       
28

       
+

       
      unitConfig = {


     

       

       
29

       
+

       
        Type = "oneshot";


     

       

       
30

       
+

       
        RemainAfterExit = true;


     

       

       
31

       
+

       
      };


     

       

       
32

       
+

       
    };


     

       

       
33

       
+

       
    # The script needs this


     

       

       
34

       
+

       
    boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";


     

       

       
35

       
+

       
  };


     

       

       
36

       
+

       
}
+1 -1
nixos/tests/systemd-initrd-luks-keyfile.nix 
···

       
32

       
32

       
 

       
        };


     

       
33

       
33

       
 

       
      };


     

       
34

       
34

       
 

       
      virtualisation.bootDevice = "/dev/mapper/cryptroot";


     

       
35

       

       
-

       
      boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile;


     

       

       
35

       
+

       
      boot.initrd.secrets."/etc/cryptroot.key" = keyfile;


     

       
36

       
36

       
 

       
    };


     

       
37

       
37

       
 

       
  };


     

       
38

       
38