NixOS initrd secrets fallback support shouldn't run as part of a build #85000
Labels: 0.kind: bug (Something is broken); 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
The script that packs secrets into initrd is run as part of nixos-rebuild when the bootloader supports initrd secrets, but as part of the system build when it doesn't. This means that sandboxing affects the ability to set options like boot.initrd.ssh.hostKeys = [ "/root/..." ]; that aren't accessible from within the sandbox.
The handling should probably be split up so that it runs separately to the Nix build process regardless of bootloader support, since ideally the Nix builders won't have access to secrets.
I believe this is part of the cause for #84976.
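The split proposed above, as an added sketch that is not NixOS's own script: the initrd is built without secrets, and a separate step on the host packs the secret files into a second cpio archive and concatenates it onto the image, relying on the Linux kernel unpacking concatenated initramfs archives in order. The function names and the in-initrd key path are assumptions made for this example.

```python
import gzip

FILE_MODE = 0o100600  # regular file, readable by root only
DIR_MODE = 0o040700   # directory, root only

def newc_record(name, data, mode, ino):
    """One cpio 'newc' record: 110-byte ASCII header, then name and data, 4-byte aligned."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, dev x2, rdev x2, namesize, check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    rec += b"\0" * (-len(rec) % 4)
    rec += data
    return rec + b"\0" * (-len(rec) % 4)

def pack_secrets(secrets):
    """Gzip-compressed cpio archive for `secrets` (path inside initrd -> bytes)."""
    records, seen, ino = [], set(), 0
    for path in sorted(secrets):
        parts = path.strip("/").split("/")
        for i in range(1, len(parts)):  # emit parent directories before the file
            parent = "/".join(parts[:i])
            if parent not in seen:
                seen.add(parent)
                ino += 1
                records.append(newc_record(parent, b"", DIR_MODE, ino))
        ino += 1
        records.append(newc_record("/".join(parts), secrets[path], FILE_MODE, ino))
    records.append(newc_record("TRAILER!!!", b"", 0, 0))
    return gzip.compress(b"".join(records), mtime=0)

def append_secrets(initrd, secrets):
    """Concatenate the secrets archive after an already-built initrd image."""
    return initrd + pack_secrets(secrets)

if __name__ == "__main__":
    # Constructed sample: a one-file initrd and a placeholder key, not real data.
    base = gzip.compress(newc_record("init", b"#!/bin/sh\n", 0o100755, 1)
                         + newc_record("TRAILER!!!", b"", 0, 0), mtime=0)
    key = {"/etc/secrets/initrd/ssh_host_ed25519_key": b"CONSTRUCTED-KEY\n"}
    out = append_secrets(base, key)
    print(len(base), "->", len(out), "bytes")
```

Because the secret bytes are only read by the host-side step, the image produced by the build contains no key material and the sandboxed builder never needs access to the secret's source path.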