author | Yegor Timoshenko <yegortimoshenko@riseup.net> | 2020-04-16 17:42:40 +0300 |
committer | GitHub <noreply@github.com> | 2020-04-16 17:42:40 +0300 |
commit | 8262ecd369c40be522ba31d9da6306006010fbf1 (patch) | |
tree | 22dd4fdae45956b373f6cb46f83f4087518662b6 /nixos | |
parent | b4c36fe4366b3ec2694fbdab96d48cfde17c36fb (diff) | |
parent | 91c6809946438a935714e85e510399b494994c6b (diff) | |
download | nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar.gz nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar.bz2 nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar.lz nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar.xz nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.tar.zst nixlib-8262ecd369c40be522ba31d9da6306006010fbf1.zip |
Merge pull request #85004 from emilazy/add-initrd-secrets-path-assertion
nixos/stage-1: check secret paths before copying
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 21 |
2 files changed, 22 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 5a334e690568..60760487a1d2 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -55,7 +55,7 @@ in
         <screen>
         <prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
-        <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+        <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
         </screen>
         <warning>
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 9e3ee5cf0a3a..dfd158e2d75f 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
         ''}
         # Copy secrets if needed.
+        #
+        # TODO: move out to a separate script; see #85000.
         ${optionalString (!config.boot.loader.supportsInitrdSecrets)
           (concatStringsSep "\n" (mapAttrsToList (dest: source:
              let source' = if source == null then dest else source; in
@@ -579,6 +581,25 @@ in
           message = "boot.resumeDevice has to be an absolute path."
             + " Old \"x:y\" style is no longer supported.";
         }
+        # TODO: remove when #85000 is fixed
+        { assertion = !config.boot.loader.supportsInitrdSecrets ->
+            all (source:
+                   builtins.isPath source ||
+                   (builtins.isString source && hasPrefix source builtins.storeDir))
+                 (attrValues config.boot.initrd.secrets);
+          message = ''
+            boot.loader.initrd.secrets values must be unquoted paths when
+            using a bootloader that doesn't natively support initrd
+            secrets, e.g.:
+
+              boot.initrd.secrets = {
+                "/etc/secret" = /path/to/secret;
+              };
+
+            Note that this will result in all secrets being stored
+            world-readable in the Nix store!
+          '';
+        }
       ];
       system.build =
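Review bot: The `hasPrefix` call in the new assertion in stage-1.nix has its arguments reversed: `lib.hasPrefix` takes the prefix first, so `hasPrefix source builtins.storeDir` tests whether the store directory starts with the secret's source, which rejects a legitimate store-path string and accepts degenerate values such as `"/"`; the intended check is `(builtins.isString source && hasPrefix builtins.storeDir source)`. The assertion also rejects `null` sources, which the copy loop in the earlier hunk still accepts via `source' = if source == null then dest else source`; if that is deliberate (a non-store file is unreadable during the initrd build anyway), the message should say so rather than leave the two hunks disagreeing. The message names the option as `boot.loader.initrd.secrets` while the assertion reads `config.boot.initrd.secrets`; it should use the real option name so users can find it. The enclosing `assertions` list starts and ends outside the hunk.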