initrd secrets should be per-generation #85563
Open
Labels: 2.status: stale, 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
Currently, secrets are copied into initrds for every generation on every rebuild. This means that if you rotate initrd SSH host keys or change the layout of your initrd secrets directory, rollbacks are effectively broken.
I think that secrets should be copied into `/var/lib/initrd-secrets/<generation-id>` (where `<generation-id>` is some stable identifier for the system; generation number might be good enough here) on the `nixos-rebuild` of that generation, and the bootloader modules would copy from the corresponding secrets generation. This would also let us handle remapping the paths to the initrd form, adjusting permissions, etc. in one place, reducing code duplication and making it easier to fix #85000.

cc @lopsided98; what do you think of this design? If people agree that this is a good direction to take then I might look into drafting an implementation.
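An added sketch of the per-generation layout proposed above, written for this page and not nixpkgs or NixOS code: it assumes plain generation numbers as the generation id and uses a `STATE_ROOT` stand-in for `/var/lib` so it runs in a scratch directory.

```shell
#!/bin/sh
# Added sketch of the per-generation layout proposed in this issue; it is not
# nixpkgs code. STATE_ROOT is a constructed stand-in for /var/lib so the
# script runs in a scratch directory; generation ids are generation numbers.
set -eu

STATE_ROOT="${STATE_ROOT:-$(mktemp -d)}"
SECRETS_ROOT="$STATE_ROOT/initrd-secrets"

# install_generation_secrets GEN "initrd-path=source-path" ...
# Copies each source file to $SECRETS_ROOT/GEN/<initrd-path>, doing the path
# remapping and permission tightening (root-only dir, 0600 files) in one place.
install_generation_secrets() {
  gen="$1"; shift
  dest="$SECRETS_ROOT/$gen"
  mkdir -p "$dest"
  chmod 700 "$SECRETS_ROOT" "$dest"
  for mapping in "$@"; do
    initrd_path="${mapping%%=*}"
    src="${mapping#*=}"
    mkdir -p "$dest/$(dirname "$initrd_path")"
    install -m 0600 "$src" "$dest/$initrd_path"
  done
}

# secrets_dir_for_generation GEN
# Prints the directory the bootloader module would copy from for GEN, or
# returns 1 if that generation never had secrets installed (the rollback
# failure the issue describes, made explicit instead of silently wrong).
secrets_dir_for_generation() {
  dir="$SECRETS_ROOT/$1"
  [ -d "$dir" ] || return 1
  printf '%s\n' "$dir"
}

# Constructed demo: generation 41 keeps its host key after 42 rotates it.
demo() {
  keys="$(mktemp -d)"
  printf 'KEY-GEN41\n' > "$keys/key41"
  printf 'KEY-GEN42\n' > "$keys/key42"
  install_generation_secrets 41 "etc/ssh/ssh_host_ed25519_key=$keys/key41"
  install_generation_secrets 42 "etc/ssh/ssh_host_ed25519_key=$keys/key42"
  cat "$(secrets_dir_for_generation 41)/etc/ssh/ssh_host_ed25519_key"
}
```

Calling `demo` prints the generation-41 key even though generation 42 rotated it, which is the rollback case the issue wants to keep working.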