parent
f678ad7c7a
commit
fa2c9b41d4
@ -0,0 +1,36 @@ |
||||
{ config, pkgs, lib, ... }: |
||||
|
||||
{ |
||||
config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) { |
||||
# Copy secrets into the initrd if they cannot be appended |
||||
boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets) |
||||
(lib.mapAttrs' (dest: source: lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }) config.boot.initrd.secrets); |
||||
|
||||
# Copy secrets to their respective locations |
||||
boot.initrd.systemd.services.initrd-nixos-copy-secrets = lib.mkIf (config.boot.initrd.secrets != {}) { |
||||
description = "Copy secrets into place"; |
||||
# Run as early as possible |
||||
wantedBy = [ "sysinit.target" ]; |
||||
before = [ "cryptsetup-pre.target" ]; |
||||
unitConfig.DefaultDependencies = false; |
||||
|
||||
# We write the secrets to /.initrd-secrets and move them because this allows |
||||
# secrets to be written to /run. If we put the secret directly to /run and |
||||
# drop this service, we'd mount the /run tmpfs over the secret, making it |
||||
# invisible in stage 2. |
||||
script = '' |
||||
for secret in $(cd /.initrd-secrets; find . -type f); do |
||||
mkdir -p "$(dirname "/$secret")" |
||||
cp "/.initrd-secrets/$secret" "/$secret" |
||||
done |
||||
''; |
||||
|
||||
unitConfig = { |
||||
Type = "oneshot"; |
||||
RemainAfterExit = true; |
||||
}; |
||||
}; |
||||
# The script needs this |
||||
boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find"; |
||||
}; |
||||
} |
Loading…
Reference in new issue