diff options
author | Julien Malka <julien@malka.sh> | 2024-01-04 23:45:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-04 23:45:39 +0100 |
commit | 7afe9bc384ce9f8832e77f8b72157ab50b656aa8 (patch) | |
tree | 672fd39db2f59061624311a8ac0a251e9001aa2f /nixos | |
parent | 958a633270ff4c1e2ea4afb0c4cc60662622cc0a (diff) | |
parent | 861431f2824867ccc3dd48dba670b771e6d15a45 (diff) | |
download | nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar.gz nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar.bz2 nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar.lz nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar.xz nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.tar.zst nixlib-7afe9bc384ce9f8832e77f8b72157ab50b656aa8.zip |
Merge pull request #278609 from RaitoBezarius/initrd-secrets
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/activation/bootspec.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 7 | ||||
-rw-r--r-- | nixos/tests/bootspec.nix | 31 |
3 files changed, 35 insertions, 5 deletions
diff --git a/nixos/modules/system/activation/bootspec.nix b/nixos/modules/system/activation/bootspec.nix index 98c234bc340d..2ed6964b2a6a 100644 --- a/nixos/modules/system/activation/bootspec.nix +++ b/nixos/modules/system/activation/bootspec.nix @@ -11,6 +11,7 @@ let cfg = config.boot.bootspec; children = lib.mapAttrs (childName: childConfig: childConfig.configuration.system.build.toplevel) config.specialisation; + hasAtLeastOneInitrdSecret = lib.length (lib.attrNames config.boot.initrd.secrets) > 0; schemas = { v1 = rec { filename = "boot.json"; @@ -27,6 +28,7 @@ let label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"; } // lib.optionalAttrs config.boot.initrd.enable { initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}"; + } // lib.optionalAttrs hasAtLeastOneInitrdSecret { initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets"; }; })); diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index e2e7ffe59dcd..6cd46f30373b 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -20,13 +20,13 @@ from dataclasses import dataclass class BootSpec: init: str initrd: str - initrdSecrets: str kernel: str kernelParams: List[str] label: str system: str toplevel: str specialisations: Dict[str, "BootSpec"] + initrdSecrets: str | None = None @@ -131,9 +131,8 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None specialisation=" (%s)" % specialisation if specialisation else "") try: - subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)]) - except FileNotFoundError: - pass + if bootspec.initrdSecrets is not None: + subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)]) except subprocess.CalledProcessError: if current: print("failed to create initrd secrets!", file=sys.stderr) diff --git a/nixos/tests/bootspec.nix b/nixos/tests/bootspec.nix index 9295500422a9..14928b220625 100644 --- a/nixos/tests/bootspec.nix +++ b/nixos/tests/bootspec.nix @@ -112,10 +112,39 @@ in bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json")) - assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled" + assert 'initrd' in bootspec, "Bootspec should contain initrd field when initrd is enabled" + assert 'initrdSecrets' not in bootspec, "Bootspec should not contain initrdSecrets when there's no initrdSecrets" ''; }; + # Check that initrd secrets create corresponding entries in bootspec. + initrd-secrets = makeTest { + name = "bootspec-with-initrd-secrets"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + # It's probably the case, but we want to make it explicit here. + boot.initrd.enable = true; + boot.initrd.secrets."/some/example" = pkgs.writeText "example-secret" "test"; + }; + + testScript = '' + import json + + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + + bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json")) + + assert 'initrdSecrets' in bootspec, "Bootspec should contain an 'initrdSecrets' field given there's an initrd secret" + ''; + }; + + # Check that specialisations create corresponding entries in bootspec. specialisation = makeTest { name = "bootspec-with-specialisation"; |