nixos/options.nix

   1 { lib, config, hostName, ... }:
   2 with lib;
   3 {
   4   options = {
   5     security.initrd = {
   6       secrets = lib.mkOption {
   7         type = types.attrsOf types.str;
   8         default = { };
   9         description = ''
  10           Map some secrets for the initrd.
  11         '';
  12       };
  13       install = lib.mkOption {
  14         type = types.str;
  15         default = "";
  16         description = ''
  17           Script to decrypt and send some secrets for the initrd.
  18         '';
  19       };
  20       stage1Dir = lib.mkOption {
  21         type = types.str;
  22         default = "/run/initrd-secrets";
  23         description = ''
  24           Where to store the secrets in the stage1
  25           for `boot.initrd.secrets` to install them in the initrd.
  26         '';
  27       };
  28       # Alas, nixos/modules/system/boot/initrd-ssh.nix
  29       # forces stage2Dir == stage1Dir
  30       stage2Dir = lib.mkOption {
  31         type = types.str;
  32         default = "/run/initrd-secrets";
  33         description = ''
  34           Where to store the secrets in the stage2
  35           for `boot.initrd.secrets` to retrieve them when rebuilding the system.
  36         '';
  37       };
  38     };
  39   };
  40   config = {
  41     security.initrd.install =
  42       lib.concatStringsSep "\n" (lib.mapAttrsToList
  43         (dst: src: ''
  44           gpg --decrypt "${src}" |
  45           ssh "${config.install.target}" \
  46             install -D -m 400 -o root -g root /dev/stdin "${config.security.initrd.stage2Dir}/${dst}"
  47         '')
  48         config.security.initrd.secrets
  49       );
  50     boot.initrd.secrets = mapAttrs'
  51       (dst: src:
  52         nameValuePair
  53           "${config.security.initrd.stage1Dir}/${dst}"
  54           "${config.security.initrd.stage2Dir}/${dst}"
  55       )
  56       config.security.initrd.secrets;
  57   };
  58 }