diff options
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 9e3ee5cf0a3a..dfd158e2d75f 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -137,6 +137,8 @@ let ''} # Copy secrets if needed. + # + # TODO: move out to a separate script; see #85000. ${optionalString (!config.boot.loader.supportsInitrdSecrets) (concatStringsSep "\n" (mapAttrsToList (dest: source: let source' = if source == null then dest else source; in @@ -579,6 +581,25 @@ in message = "boot.resumeDevice has to be an absolute path." + " Old \"x:y\" style is no longer supported."; } + # TODO: remove when #85000 is fixed + { assertion = !config.boot.loader.supportsInitrdSecrets -> + all (source: + builtins.isPath source || + (builtins.isString source && hasPrefix source builtins.storeDir)) + (attrValues config.boot.initrd.secrets); + message = '' + boot.loader.initrd.secrets values must be unquoted paths when + using a bootloader that doesn't natively support initrd + secrets, e.g.: + + boot.initrd.secrets = { + "/etc/secret" = /path/to/secret; + }; + + Note that this will result in all secrets being stored + world-readable in the Nix store! + ''; + } ]; system.build = |