forked from mirrors/nixpkgs
Merge pull request #85004 from emilazy/add-initrd-secrets-path-assertion
nixos/stage-1: check secret paths before copying
This commit is contained in:
commit
8262ecd369
|
@ -55,7 +55,7 @@ in
|
|||
|
||||
<screen>
|
||||
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
|
||||
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
|
||||
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
|
||||
</screen>
|
||||
|
||||
<warning>
|
||||
|
|
|
@ -137,6 +137,8 @@ let
|
|||
''}
|
||||
|
||||
# Copy secrets if needed.
|
||||
#
|
||||
# TODO: move out to a separate script; see #85000.
|
||||
${optionalString (!config.boot.loader.supportsInitrdSecrets)
|
||||
(concatStringsSep "\n" (mapAttrsToList (dest: source:
|
||||
let source' = if source == null then dest else source; in
|
||||
|
@ -579,6 +581,25 @@ in
|
|||
message = "boot.resumeDevice has to be an absolute path."
|
||||
+ " Old \"x:y\" style is no longer supported.";
|
||||
}
|
||||
# TODO: remove when #85000 is fixed
|
||||
{ assertion = !config.boot.loader.supportsInitrdSecrets ->
|
||||
all (source:
|
||||
builtins.isPath source ||
|
||||
(builtins.isString source && hasPrefix source builtins.storeDir))
|
||||
(attrValues config.boot.initrd.secrets);
|
||||
message = ''
|
||||
boot.loader.initrd.secrets values must be unquoted paths when
|
||||
using a bootloader that doesn't natively support initrd
|
||||
secrets, e.g.:
|
||||
|
||||
boot.initrd.secrets = {
|
||||
"/etc/secret" = /path/to/secret;
|
||||
};
|
||||
|
||||
Note that this will result in all secrets being stored
|
||||
world-readable in the Nix store!
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
system.build =
|
||||
|
|
Loading…
Reference in a new issue