
Merge pull request #85004 from emilazy/add-initrd-secrets-path-assertion

nixos/stage-1: check secret paths before copying
Yegor Timoshenko 2020-04-16 17:42:40 +03:00 committed by GitHub
commit 8262ecd369
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 1 deletions


@ -55,7 +55,7 @@ in
<screen>
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</screen>
<warning>


@ -137,6 +137,8 @@ let
''}
# Copy secrets if needed.
#
# TODO: move out to a separate script; see #85000.
${optionalString (!config.boot.loader.supportsInitrdSecrets)
(concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else source; in
@ -579,6 +581,25 @@ in
message = "boot.resumeDevice has to be an absolute path."
+ " Old \"x:y\" style is no longer supported.";
}
# TODO: remove when #85000 is fixed
{ assertion = !config.boot.loader.supportsInitrdSecrets ->
all (source:
builtins.isPath source ||
(builtins.isString source && hasPrefix source builtins.storeDir))
(attrValues config.boot.initrd.secrets);
message = ''
boot.loader.initrd.secrets values must be unquoted paths when
using a bootloader that doesn't natively support initrd
secrets, e.g.:
boot.initrd.secrets = {
"/etc/secret" = /path/to/secret;
};
Note that this will result in all secrets being stored
world-readable in the Nix store!
'';
}
];
system.build =
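Review bot: The store-path branch of the new assertion passes its arguments to `hasPrefix` in the wrong order — nixpkgs' `lib.hasPrefix` takes the prefix first, so `hasPrefix source builtins.storeDir` tests whether `builtins.storeDir` starts with the user's value rather than the reverse, which rejects genuine store-path strings and accepts short strings such as "/nix"; the line should read `(builtins.isString source && hasPrefix builtins.storeDir source))`. The message also names the option `boot.loader.initrd.secrets`, while the check reads `config.boot.initrd.secrets` and the example in the same message uses `boot.initrd.secrets`, so the first message line should be `boot.initrd.secrets values must be unquoted paths when`. Because `null` is neither a path nor a string, the assertion also rejects the `source = null` shorthand that the copy loop in the earlier hunk resolves to `dest`; if that is intended, the message could state that an explicit source path is required. The `assertions` list this entry is appended to begins outside the hunk.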