author | Shea Levy <shea@shealevy.com> | 2017-04-02 15:35:45 -0400 |
committer | Shea Levy <shea@shealevy.com> | 2017-04-02 16:33:37 -0400 |
commit | 3a26d09e1542494770ff2f3f571d3b0e94d21218 (patch) | |
tree | e21a2f8a019969588cb468155d41fb5719a91ca8 /nixos/modules/system/boot/initrd-ssh.nix | |
parent | b09490a3229dd5ac4169248ee38ca22e357c0aa2 (diff) | |
initrd-ssh: Use initrd secrets for host keys
Diffstat (limited to 'nixos/modules/system/boot/initrd-ssh.nix')
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 59ecaf8d5a6d..d78775c27582 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -44,9 +44,10 @@ in
  description = ''
  RSA SSH private key file in the Dropbear format.
 
- WARNING: This key is contained insecurely in the global Nix store. Do NOT
- use your regular SSH host private keys for this purpose or you'll expose
- them to regular users!
+ WARNING: Unless your bootloader supports initrd secrets, this key is
+ contained insecurely in the global Nix store. Do NOT use your regular
+ SSH host private keys for this purpose or you'll expose them to
+ regular users!
  '';
  };
 
@@ -56,9 +57,10 @@ in
  description = ''
  DSS SSH private key file in the Dropbear format.
 
- WARNING: This key is contained insecurely in the global Nix store. Do NOT
- use your regular SSH host private keys for this purpose or you'll expose
- them to regular users!
+ WARNING: Unless your bootloader supports initrd secrets, this key is
+ contained insecurely in the global Nix store. Do NOT use your regular
+ SSH host private keys for this purpose or you'll expose them to
+ regular users!
  '';
  };
 
@@ -68,9 +70,10 @@ in
  description = ''
  ECDSA SSH private key file in the Dropbear format.
 
- WARNING: This key is contained insecurely in the global Nix store. Do NOT
- use your regular SSH host private keys for this purpose or you'll expose
- them to regular users!
+ WARNING: Unless your bootloader supports initrd secrets, this key is
+ contained insecurely in the global Nix store. Do NOT use your regular
+ SSH host private keys for this purpose or you'll expose them to
+ regular users!
  '';
  };
 
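Review bot: The reworded WARNING in this hunk, repeated verbatim at @@ -56 and @@ -68, makes the key's safety conditional on "initrd secrets" without telling the reader where the key lives in that case or how to tell whether their bootloader qualifies. I would add a sentence such as `When initrd secrets are used the key is kept out of the Nix store but still travels inside the initrd, so protect that file and the boot partition accordingly.` — presumably the secret is appended to the initrd at install time; confirm against the bootloader modules before wording it that way. Since the same paragraph is now duplicated three times, it could be defined once in the `let` block and referenced from all three option descriptions (the option headers with their `type` are outside the hunk). If the option type accepts Nix path literals, the description should also say that a literal like `./key` is imported into the store when it is interpolated, which would silently defeat this change, whereas a string path does not.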
@@ -97,10 +100,6 @@ in
  boot.initrd.extraUtilsCommands = ''
  copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
  cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
-
- ${optionalString (cfg.hostRSAKey != null) "install -D ${cfg.hostRSAKey} $out/etc/dropbear/dropbear_rsa_host_key"}
- ${optionalString (cfg.hostDSSKey != null) "install -D ${cfg.hostDSSKey} $out/etc/dropbear/dropbear_dss_host_key"}
- ${optionalString (cfg.hostECDSAKey != null) "install -D ${cfg.hostECDSAKey} $out/etc/dropbear/dropbear_ecdsa_host_key"}
  '';
 
  boot.initrd.extraUtilsCommandsTest = ''
@@ -116,9 +115,6 @@ in
  touch /var/log/lastlog
 
  mkdir -p /etc/dropbear
- ${optionalString (cfg.hostRSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key"}
- ${optionalString (cfg.hostDSSKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key"}
- ${optionalString (cfg.hostECDSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_ecdsa_host_key /etc/dropbear/dropbear_ecdsa_host_key"}
 
  mkdir -p /root/.ssh
  ${concatStrings (map (key: ''
@@ -128,6 +124,11 @@ in
  dropbear -s -j -k -E -m -p ${toString cfg.port}
  '';
 
+ boot.initrd.secrets =
+ (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
+ (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
+ (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
+
  };
  }
 
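Review bot: The new `boot.initrd.secrets` assignment in the @@ -128 hunk has no assertion or fallback for bootloaders that do not support initrd secrets, whereas the removed `install -D` and `ln -s` lines at @@ -97 and @@ -116 worked with any bootloader. On such a bootloader the files under `/etc/dropbear` would presumably be absent at boot, and `dropbear -s -j -k -E -m -p ${toString cfg.port}` is started without any key-generation flag, so the initrd SSH service likely fails to come up instead of using the configured keys — consistent with the "unless" in the new descriptions, but a silent behavior change for existing configurations. I would add an assertion in the config block, e.g. `assertions = [ { assertion = <bootloader-supports-initrd-secrets>; message = "boot.initrd.network.ssh host keys require a bootloader with initrd secrets support"; } ];`, with the placeholder replaced by the real support flag, which this page does not show. The config attrset that receives the assignment is closed by the `};` context line in the hunk but opens outside it.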