diff options
| author | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
| commit | a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e (patch) | |
| tree | 47950e79183035018882419c4eff5047d1537b99 /nixpkgs/nixos/modules/system/boot/stage-1.nix | |
| parent | 5b00523fb58512232b819a301c4309f579c7f09c (diff) | |
| parent | 22a3bf9fb9edad917fb6cd1066d58b5e426ee975 (diff) | |
| download | nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.gz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.bz2 nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.lz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.xz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.zst nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.zip | |
Merge commit '22a3bf9fb9edad917fb6cd1066d58b5e426ee975'
Diffstat (limited to 'nixpkgs/nixos/modules/system/boot/stage-1.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/system/boot/stage-1.nix | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix index 93cd801ef803..dfd158e2d75f 100644 --- a/nixpkgs/nixos/modules/system/boot/stage-1.nix +++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix @@ -137,12 +137,17 @@ let ''} # Copy secrets if needed. + # + # TODO: move out to a separate script; see #85000. ${optionalString (!config.boot.loader.supportsInitrdSecrets) (concatStringsSep "\n" (mapAttrsToList (dest: source: let source' = if source == null then dest else source; in '' mkdir -p $(dirname "$out/secrets/${dest}") - cp -a ${source'} "$out/secrets/${dest}" + # Some programs (e.g. ssh) doesn't like secrets to be + # symlinks, so we use `cp -L` here to match the + # behaviour when secrets are natively supported. + cp -Lr ${source'} "$out/secrets/${dest}" '' ) config.boot.initrd.secrets)) } @@ -576,6 +581,25 @@ in message = "boot.resumeDevice has to be an absolute path." + " Old \"x:y\" style is no longer supported."; } + # TODO: remove when #85000 is fixed + { assertion = !config.boot.loader.supportsInitrdSecrets -> + all (source: + builtins.isPath source || + (builtins.isString source && hasPrefix source builtins.storeDir)) + (attrValues config.boot.initrd.secrets); + message = '' + boot.loader.initrd.secrets values must be unquoted paths when + using a bootloader that doesn't natively support initrd + secrets, e.g.: + + boot.initrd.secrets = { + "/etc/secret" = /path/to/secret; + }; + + Note that this will result in all secrets being stored + world-readable in the Nix store! + ''; + } ]; system.build = |