1 { lib, config, hostName, ... }:
6 secrets = lib.mkOption {
7 type = types.attrsOf types.str;
10 Secrets to map into the initrd.
13 install = lib.mkOption {
17 Script to decrypt the secrets and send them to the install target for the initrd.
20 stage1Dir = lib.mkOption {
22 default = "/run/secrets";
24 Where to store the secrets in stage 1,
25 for `boot.initrd.secrets` to install them in the initrd.
28 stage2Dir = lib.mkOption {
30 default = "/root/initrd";
32 Where to store the decrypted secrets in stage 2,
33 for `boot.initrd.secrets` to retrieve them when rebuilding the system.
39 security.initrd.install =
40 lib.concatStringsSep "\n" (lib.mapAttrsToList
42 gpg --decrypt "${src}" |
43 ssh "${config.install.target}" \
44 install -D -m 400 -o root -g root /dev/stdin "${config.security.initrd.stage2Dir}/${dst}"
46 config.security.initrd.secrets
48 boot.initrd.secrets = mapAttrs'
51 "${config.security.initrd.stage1Dir}/${dst}"
52 "${config.security.initrd.stage2Dir}/${dst}"
54 config.security.initrd.secrets;