author | Emily <vcs@emily.moe> | 2020-04-11 16:24:55 +0100 |
---|---|---|
committer | Emily <vcs@emily.moe> | 2020-04-11 16:42:47 +0100 |
commit | 91c6809946438a935714e85e510399b494994c6b (patch) | |
tree | bdd5afedc2065d9f1f25b8d09da52ada53bbb84f /nixos/modules | |
parent | 8a37c3dd1a83da3138da455560fd25c102d2a2bd (diff) | |
nixos/stage-1: check secret paths before copying
Fixes #84976.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 9e3ee5cf0a3a..dfd158e2d75f 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
 ''}
 # Copy secrets if needed.
+ #
+ # TODO: move out to a separate script; see #85000.
 ${optionalString (!config.boot.loader.supportsInitrdSecrets)
 (concatStringsSep "\n" (mapAttrsToList (dest: source:
 let source' = if source == null then dest else source; in
@@ -579,6 +581,25 @@ in
 message = "boot.resumeDevice has to be an absolute path."
 + " Old \"x:y\" style is no longer supported.";
 }
+ # TODO: remove when #85000 is fixed
+ { assertion = !config.boot.loader.supportsInitrdSecrets ->
+ all (source:
+ builtins.isPath source ||
+ (builtins.isString source && hasPrefix source builtins.storeDir))
+ (attrValues config.boot.initrd.secrets);
+ message = ''
+ boot.loader.initrd.secrets values must be unquoted paths when
+ using a bootloader that doesn't natively support initrd
+ secrets, e.g.:
+ boot.initrd.secrets = {
+ "/etc/secret" = /path/to/secret;
+ };
+ Note that this will result in all secrets being stored
+ world-readable in the Nix store!
+ '';
+ }
 ];
 system.build = |
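Review bot: The store-path test in the new assertion has its `hasPrefix` arguments reversed: `lib.hasPrefix` takes the prefix first, so `hasPrefix source builtins.storeDir` asks whether the store directory starts with the user's string, which rejects a genuine `"/nix/store/…"` value and accepts short strings such as `"/"` or `"/nix"` that are not store paths at all; the intended form is `(builtins.isString source && hasPrefix builtins.storeDir source)`. Even with the order fixed, a prefix match only shows that the value looks like a store path, not that it names one, so a short comment on the assertion saying it is a guard rail for the world-readable copy rather than a validity check would help whoever later removes the TODO. The message also names the option `boot.loader.initrd.secrets` while the example below it and the attribute actually inspected are `boot.initrd.secrets`; the first line should read `boot.initrd.secrets values must be unquoted paths when`. The assertions list this entry is appended to starts and ends outside the hunk.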