nixpkgs/nixos/modules/system/boot/systemd/initrd-secrets.nix

{
  config,
  pkgs,
  lib,
  ...
}:

{
  config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {
    # Copy secrets into the initrd if they cannot be appended
    boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets) (
      lib.mapAttrs' (
        dest: source:
        lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }
      ) config.boot.initrd.secrets
    );

    # Copy secrets to their respective locations
    boot.initrd.systemd.services.initrd-nixos-copy-secrets =
      lib.mkIf (config.boot.initrd.secrets != { })
        {
          description = "Copy secrets into place";
          # Run as early as possible
          wantedBy = [ "sysinit.target" ];
          before = [
            "cryptsetup-pre.target"
            "shutdown.target"
          ];
          conflicts = [ "shutdown.target" ];
          unitConfig.DefaultDependencies = false;

          # We write the secrets to /.initrd-secrets and move them because this allows
          # secrets to be written to /run. If we put the secret directly to /run and
          # drop this service, we'd mount the /run tmpfs over the secret, making it
          # invisible in stage 2.
          script = ''
            for secret in $(cd /.initrd-secrets; find . -type f -o -type l); do
              mkdir -p "$(dirname "/$secret")"
              cp "/.initrd-secrets/$secret" "/$secret"
            done
          '';

          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
          };
        };
    # The script needs this
    boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";
  };
}
nixos/systemd-stage-1: Add initrd secrets support 2022-04-24 15:45:02 +01:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`

			`{`
			`config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) {`
			`# Copy secrets into the initrd if they cannot be appended`
			`boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets) (`
			`lib.mapAttrs' (`
			`dest: source:`
			`lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }`
			`) config.boot.initrd.secrets`
			`);`

			`# Copy secrets to their respective locations`
			`boot.initrd.systemd.services.initrd-nixos-copy-secrets =`
			`lib.mkIf (config.boot.initrd.secrets != { })`
			`{`
			`description = "Copy secrets into place";`
			`# Run as early as possible`
			`wantedBy = [ "sysinit.target" ];`
nixos/initrd-secrets: ensure correct ordering w.r.t. shutdown.target 2023-11-30 15:18:23 -08:00			`before = [`
			`"cryptsetup-pre.target"`
			`"shutdown.target"`
			`];`
			`conflicts = [ "shutdown.target" ];`
nixos/systemd-stage-1: Add initrd secrets support 2022-04-24 15:45:02 +01:00			`unitConfig.DefaultDependencies = false;`

			`# We write the secrets to /.initrd-secrets and move them because this allows`
			`# secrets to be written to /run. If we put the secret directly to /run and`
			`# drop this service, we'd mount the /run tmpfs over the secret, making it`
			`# invisible in stage 2.`
			`script = ''`
systemd-initrd: Support secrets when boot loader doesn't initrd-secrets: Fix service config with systemd-stage-1 2022-08-08 19:09:37 -04:00			`for secret in $(cd /.initrd-secrets; find . -type f -o -type l); do`
nixos/systemd-stage-1: Add initrd secrets support 2022-04-24 15:45:02 +01:00			`mkdir -p "$(dirname "/$secret")"`
			`cp "/.initrd-secrets/$secret" "/$secret"`
			`done`
			`'';`

systemd-initrd: Support secrets when boot loader doesn't initrd-secrets: Fix service config with systemd-stage-1 2022-08-08 19:09:37 -04:00			`serviceConfig = {`
nixos/systemd-stage-1: Add initrd secrets support 2022-04-24 15:45:02 +01:00			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`};`
			`};`
			`# The script needs this`
			`boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find";`
			`};`
			`}`