author | Alyssa Ross <hi@alyssa.is> | 2024-04-10 20:43:08 +0200 |
committer | Alyssa Ross <hi@alyssa.is> | 2024-04-10 20:43:08 +0200 |
commit | 69bfdf2484041b9d242840c4e5017b4703383bb0 (patch) | |
tree | d8bdaa69e7990d7d6f09b594b3c425f742acd2d0 /nixpkgs/nixos/modules/system/boot | |
parent | c8aee4b4363b6bf905a521b05b7476960e8286c8 (diff) | |
parent | d8fe5e6c92d0d190646fb9f1056741a229980089 (diff) | |
Merge commit 'd8fe5e6c'
Conflicts: nixpkgs/pkgs/build-support/go/module.nix
Diffstat (limited to 'nixpkgs/nixos/modules/system/boot')
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/clevis.md | 12 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/initrd-ssh.nix | 30 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/plymouth.nix | 6 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/systemd/initrd.nix | 5 |
4 files changed, 41 insertions, 12 deletions
diff --git a/nixpkgs/nixos/modules/system/boot/clevis.md b/nixpkgs/nixos/modules/system/boot/clevis.md
index dcbf55de60a8..39edc0fc38df 100644
--- a/nixpkgs/nixos/modules/system/boot/clevis.md
+++ b/nixpkgs/nixos/modules/system/boot/clevis.md
@@ -39,13 +39,17 @@ For more complete documentation on how to generate a secret with clevis, see the
 In order to activate unattended decryption of a resource at boot, enable the `clevis` module:
-```
-boot.initrd.clevis.enable = true;
+```nix
+{
+ boot.initrd.clevis.enable = true;
+}
 ```
 Then, specify the device you want to decrypt using a given clevis secret. Clevis will automatically try to decrypt the device at boot and will fallback to interactive unlocking if the decryption policy is not fulfilled.
-```
-boot.initrd.clevis.devices."/dev/nvme0n1p1".secretFile = ./nvme0n1p1.jwe;
+```nix
+{
+ boot.initrd.clevis.devices."/dev/nvme0n1p1".secretFile = ./nvme0n1p1.jwe;
+}
 ```
 Only `bcachefs`, `zfs` and `luks` encrypted devices are supported at this time.
diff --git a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
index 61e61f32bc5e..43da2496d16c 100644
--- a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix
@@ -93,6 +93,21 @@ in
 defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
 description = lib.mdDoc ''
 Authorized keys for the root user on initrd.
+ You can combine the `authorizedKeys` and `authorizedKeyFiles` options.
+ '';
+ example = [
+ "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
+ "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
+ ];
+ };
+
+ authorizedKeyFiles = mkOption {
+ type = types.listOf types.path;
+ default = config.users.users.root.openssh.authorizedKeys.keyFiles;
+ defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles";
+ description = lib.mdDoc ''
+ Authorized keys taken from files for the root user on initrd.
+ You can combine the `authorizedKeyFiles` and `authorizedKeys` options.
 '';
 };
@@ -152,7 +167,7 @@ in
 in mkIf enabled {
 assertions = [
 {
- assertion = cfg.authorizedKeys != [];
+ assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != [];
 message = "You should specify at least one authorized key for initrd SSH";
 }
@@ -206,6 +221,9 @@ in
 ${concatStrings (map (key: ''
 echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
 '') cfg.authorizedKeys)}
+ ${concatStrings (map (keyFile: ''
+ cat ${keyFile} >> /root/.ssh/authorized_keys
+ '') cfg.authorizedKeyFiles)}
 ${flip concatMapStrings cfg.hostKeys (path: ''
 # keys from Nix store are world-readable, which sshd doesn't like
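Review bot: In the `@@ -206,6 +221,9 @@` hunk, `cat ${keyFile} >> /root/.ssh/authorized_keys` adds no newline terminator, so a key file that does not end in one makes the next appended entry land on the same line where sshd will not recognise it as a separate key, and the path is interpolated without the `escapeShellArg` that the `authorizedKeys` branch two lines above applies. Mirroring what the `@@ -236,9 +254,13 @@` hunk on the systemd-initrd side already does with `lib.fileContents` fixes both at once: `echo ${escapeShellArg (lib.fileContents keyFile)} >> /root/.ssh/authorized_keys`. Since a `types.path` value used this way is copied into the Nix store, the referenced files end up readable by every local user on the built system; that is fine for the public keys authorized_keys holds, and the `authorizedKeyFiles` description in the first hunk should say so, e.g. `Files are copied into the world-readable Nix store, so they must contain only public keys.` The shell string and the enclosing `mkIf enabled` attribute set both start and end outside the hunk.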
@@ -236,9 +254,13 @@ in
 users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell;
- contents."/etc/ssh/authorized_keys.d/root".text =
- concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys;
- contents."/etc/ssh/sshd_config".text = sshdConfig;
+ contents = {
+ "/etc/ssh/sshd_config".text = sshdConfig;
+ "/etc/ssh/authorized_keys.d/root".text =
+ concatStringsSep "\n" (
+ config.boot.initrd.network.ssh.authorizedKeys ++
+ (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles));
+ };
 storePaths = ["${package}/bin/sshd"];
 services.sshd = {
diff --git a/nixpkgs/nixos/modules/system/boot/plymouth.nix b/nixpkgs/nixos/modules/system/boot/plymouth.nix
index 16bca40993ae..85f0fd4622df 100644
--- a/nixpkgs/nixos/modules/system/boot/plymouth.nix
+++ b/nixpkgs/nixos/modules/system/boot/plymouth.nix
@@ -4,7 +4,6 @@ with lib;
 let
- inherit (pkgs) nixos-icons;
 plymouth = pkgs.plymouth.override {
 systemd = config.boot.initrd.systemd.package;
 };
@@ -97,8 +96,8 @@ in
 logo = mkOption {
 type = types.path;
 # Dimensions are 48x48 to match GDM logo
- default = "${nixos-icons}/share/icons/hicolor/48x48/apps/nix-snowflake-white.png";
- defaultText = literalExpression ''"''${nixos-icons}/share/icons/hicolor/48x48/apps/nix-snowflake-white.png"'';
+ default = "${pkgs.nixos-icons}/share/icons/hicolor/48x48/apps/nix-snowflake-white.png";
+ defaultText = literalExpression ''"''${pkgs.nixos-icons}/share/icons/hicolor/48x48/apps/nix-snowflake-white.png"'';
 example = literalExpression ''
 pkgs.fetchurl {
 url = "https://nixos.org/logo/nixos-hires.png";
@@ -107,6 +106,7 @@ in
 '';
 description = lib.mdDoc ''
 Logo which is displayed on the splash screen.
+ Currently supports PNG file format only.
 '';
 };
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix
index e4f61db0cd02..06359f273846 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix
@@ -392,7 +392,10 @@ in {
 boot.kernelParams = [
 "root=${config.boot.initrd.systemd.root}"
- ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}";
+ ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"
+ # `systemd` mounts root in initrd as read-only unless "rw" is on the kernel command line.
+ # For NixOS activation to succeed, we need to have root writable in initrd.
+ ++ lib.optional (config.boot.initrd.systemd.root == "gpt-auto") "rw";
 boot.initrd.systemd = {
 initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package];
 |
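Review bot: The new comment describes systemd's read-only default as unconditional, yet `rw` is only appended when `config.boot.initrd.systemd.root == "gpt-auto"`, so a reader cannot tell whether an explicit `root=` device is made writable elsewhere or is simply not covered; the guard deserves its own sentence, e.g. `# Only needed for gpt-auto; with an explicit root= device the mount is made writable by <where-this-happens>.` It would also help to state that, as far as I know, both the kernel and systemd honour the last of `ro`/`rw` on the command line, so whether a user-supplied `ro` in `boot.kernelParams` wins depends on list merge order, which is not visible here. The `boot.kernelParams` definition sits inside a config block that begins before the hunk.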