pyrox.dev / nixpkgs
lol
fork atom

systemd-initrd: Support secrets when boot loader doesn't

initrd-secrets: Fix service config with systemd-stage-1

Will Fancher fef26d88 71983a6e

options
unified split
Changed files
+5 -7
nixos
modules
system
boot
systemd
initrd-secrets.nix
virtualisation
qemu-vm.nix
tests
initrd-network-openvpn
default.nix
initrd-network-ssh
default.nix
+2 -2
nixos/modules/system/boot/systemd/initrd-secrets.nix 
···

       
19

       
 

       
      # drop this service, we'd mount the /run tmpfs over the secret, making it


     

       
20

       
 

       
      # invisible in stage 2.


     

       
21

       
 

       
      script = ''


     

       
22

       
-

       
        for secret in $(cd /.initrd-secrets; find . -type f); do


     

       
23

       
 

       
          mkdir -p "$(dirname "/$secret")"


     

       
24

       
 

       
          cp "/.initrd-secrets/$secret" "/$secret"


     

       
25

       
 

       
        done


     

       
26

       
 

       
      '';


     

       
27

       
 

       



     

       
28

       
-

       
      unitConfig = {


     

       
29

       
 

       
        Type = "oneshot";


     

       
30

       
 

       
        RemainAfterExit = true;


     

       
31

       
 

       
      };


     
···

       
19

       
 

       
      # drop this service, we'd mount the /run tmpfs over the secret, making it


     

       
20

       
 

       
      # invisible in stage 2.


     

       
21

       
 

       
      script = ''


     

       
22

       
+

       
        for secret in $(cd /.initrd-secrets; find . -type f -o -type l); do


     

       
23

       
 

       
          mkdir -p "$(dirname "/$secret")"


     

       
24

       
 

       
          cp "/.initrd-secrets/$secret" "/$secret"


     

       
25

       
 

       
        done


     

       
26

       
 

       
      '';


     

       
27

       
 

       



     

       
28

       
+

       
      serviceConfig = {


     

       
29

       
 

       
        Type = "oneshot";


     

       
30

       
 

       
        RemainAfterExit = true;


     

       
31

       
 

       
      };
+2
nixos/modules/virtualisation/qemu-vm.nix 
···

       
880

       
 

       



     

       
881

       
 

       
    boot.initrd.kernelModules = optionals (cfg.useNixStoreImage && !cfg.writableStore) [ "erofs" ];


     

       
882

       
 

       



     

       

       

       
     

       

       

       
     

       
883

       
 

       
    boot.initrd.extraUtilsCommands = lib.mkIf (cfg.useDefaultFilesystems && !config.boot.initrd.systemd.enable)


     

       
884

       
 

       
      ''


     

       
885

       
 

       
        # We need mke2fs in the initrd.


     
···

       
880

       
 

       



     

       
881

       
 

       
    boot.initrd.kernelModules = optionals (cfg.useNixStoreImage && !cfg.writableStore) [ "erofs" ];


     

       
882

       
 

       



     

       
883

       
+

       
    boot.loader.supportsInitrdSecrets = mkIf (!cfg.useBootLoader) (mkVMOverride false);


     

       
884

       
+

       



     

       
885

       
 

       
    boot.initrd.extraUtilsCommands = lib.mkIf (cfg.useDefaultFilesystems && !config.boot.initrd.systemd.enable)


     

       
886

       
 

       
      ''


     

       
887

       
 

       
        # We need mke2fs in the initrd.
+1 -1
nixos/tests/initrd-network-openvpn/default.nix 
···

       
26

       
 

       
            enable = true;


     

       
27

       
 

       
            openvpn = {


     

       
28

       
 

       
              enable = true;


     

       
29

       
-

       
              configuration = "/dev/null";


     

       
30

       
 

       
            };


     

       
31

       
 

       
          };


     

       
32

       
 

       
        };


     
···

       
26

       
 

       
            enable = true;


     

       
27

       
 

       
            openvpn = {


     

       
28

       
 

       
              enable = true;


     

       
29

       
+

       
              configuration = builtins.toFile "initrd.ovpn" "";


     

       
30

       
 

       
            };


     

       
31

       
 

       
          };


     

       
32

       
 

       
        };
-4
nixos/tests/initrd-network-ssh/default.nix 
···

       
22

       
 

       
            hostKeys = [ ./ssh_host_ed25519_key ];


     

       
23

       
 

       
          };


     

       
24

       
 

       
        };


     

       
25

       
-

       
        boot.initrd.extraUtilsCommands = ''


     

       
26

       
-

       
          mkdir -p $out/secrets/etc/ssh


     

       
27

       
-

       
          cat "${./ssh_host_ed25519_key}" > $out/secrets/etc/ssh/sh_host_ed25519_key


     

       
28

       
-

       
        '';


     

       
29

       
 

       
        boot.initrd.preLVMCommands = ''


     

       
30

       
 

       
          while true; do


     

       
31

       
 

       
            if [ -f fnord ]; then


     
···

       
22

       
 

       
            hostKeys = [ ./ssh_host_ed25519_key ];


     

       
23

       
 

       
          };


     

       
24

       
 

       
        };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
25

       
 

       
        boot.initrd.preLVMCommands = ''


     

       
26

       
 

       
          while true; do


     

       
27

       
 

       
            if [ -f fnord ]; then