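# NixOS module: declare GPG-encrypted initrd secrets, push them to the target
# host over ssh, and wire them into `boot.initrd.secrets`.
#
# `hostName` is part of the module's argument set but unused here.
{ lib, config, hostName, ... }:
with lib;
let
  cfg = config.security.initrd;

  # One shell fragment per secret: decrypt `src` (a GPG-encrypted file on the
  # deploying machine) and install the plaintext as `stage2Dir/dst` on the
  # target, mode 0400, owned by root.  `config.install.target` is the ssh
  # destination; it is declared elsewhere in this repository.
  #
  # Quoting: the remote command is escaped once for the remote shell
  # (the path) and the whole command once more for the local shell that
  # runs `ssh`, so a `dst` or `stage2Dir` containing spaces or shell
  # metacharacters is still passed through verbatim.
  installSecret = dst: src:
    let
      remotePath = "${cfg.stage2Dir}/${dst}";
      remoteCmd =
        "install -D -m 400 -o root -g root /dev/stdin ${lib.escapeShellArg remotePath}";
    in
    ''
      # Subshell with pipefail: without it the pipeline's status is ssh's, so a
      # failing `gpg --decrypt` (missing key, wrong passphrase, corrupt file)
      # goes unnoticed while an empty 0400 file has been installed as the
      # secret.  pipefail cannot undo that write, but the non-zero status lets
      # a `set -e` deploy script stop and the operator re-run.  Needs a
      # bash-compatible shell for the script that embeds this fragment.
      (
        set -eo pipefail
        gpg --decrypt ${lib.escapeShellArg src} |
        ssh ${lib.escapeShellArg config.install.target} ${lib.escapeShellArg remoteCmd}
      )
    '';
in
{
  options = {
    security.initrd = {
      secrets = lib.mkOption {
        type = types.attrsOf types.str;
        default = { };
        description = ''
          Secrets to make available in the initrd.
          The attribute name is the file name the secret gets under
          `stage1Dir` (in the initrd) and `stage2Dir` (on the target);
          the value is the path of the GPG-encrypted source file on the
          machine running `security.initrd.install`.

          Caveat: NixOS's `boot.initrd.secrets` appends these files to the
          initrd image when the bootloader is installed, so their plaintext
          lives on the boot partition with no protection beyond that
          partition's own permissions.  Do not rely on this for secrets
          that must survive an attacker with read access to `/boot`.
        '';
      };
      install = lib.mkOption {
        type = types.str;
        default = "";
        description = ''
          Shell script that decrypts each entry of `secrets` with `gpg`
          and installs the plaintext on `config.install.target` under
          `stage2Dir`, mode 0400, owner root.  Generated from `secrets`;
          the ssh login must be allowed to create root-owned files there.
        '';
      };
      stage1Dir = lib.mkOption {
        type = types.str;
        default = "/run/secrets";
        description = ''
          Directory inside the initrd where `boot.initrd.secrets`
          places the secrets (stage 1).
        '';
      };
      stage2Dir = lib.mkOption {
        type = types.str;
        default = "/root/initrd";
        description = ''
          Directory on the target (stage 2) holding the decrypted secrets
          that `boot.initrd.secrets` reads when the system is rebuilt.
          It must persist across reboots and be readable only by root.
        '';
      };
    };
  };

  config = {
    security.initrd.install =
      concatStringsSep "\n" (mapAttrsToList installSecret cfg.secrets);

    # Initrd path -> path on the running system it is copied from.
    boot.initrd.secrets = mapAttrs'
      (dst: _src:
        nameValuePair
          "${cfg.stage1Dir}/${dst}"
          "${cfg.stage2Dir}/${dst}"
      )
      cfg.secrets;
  };
}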