I'm not sure I understand this correctly. Do you want to put keys into the initrd?
2016-05-08 20:54 GMT+01:00 Игорь Пашев <pashev.i...@gmail.com>:
> Simple way to keep the keys on reboot.
> /run/keys is mounted somewhere in initrd,
> thus just a couple of services
> (I was thinking about on-disk /run/keys)
>
> { config, lib, pkgs, ... }:
> let
>
> inherit (builtins) attrNames;
> inherit (lib) mkIf concatMapStringsSep;
> inherit (config.deployment) keys;
>
> store = "/root/keys";
> runkeys = "/run/keys";
>
> load = pkgs.writeBashScript "nixops-load-keys" ''
> set -euo pipefail
> if [ -e '${store}/done' ] && [ ! -e '${runkeys}/done' ]; then
> cd '${store}'
> cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
> '${runkeys}/' || exit 0
> touch -r '${store}/done' '${runkeys}/done'
> fi
> '';
>
> save = pkgs.writeBashScript "nixops-save-keys" ''
> set -euo pipefail
> while true; do
> if [ -e '${runkeys}/done' ]; then
> if [ ! -e '${store}/done' ] || [ '${runkeys}/done' -nt
> '${store}/done' ] ; then
> rm -rf '${store}'
> mkdir -p '${store}'
> chown --reference='${runkeys}' -- '${store}'
> chmod --reference='${runkeys}' -- '${store}'
> cd '${runkeys}'
> cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames
> keys)} \
> '${store}/' || continue
> touch -r '${runkeys}/done' '${store}/done'
> touch -r '${runkeys}' '${store}'
> fi
> fi
> sleep 1m
> done
> '';
>
> in {
> config = mkIf (keys != {}) {
> systemd.services.nixops-load-keys = {
> description = "Re-load nixops keys after reboot";
> before = [ "nixops-keys.service" ];
> wantedBy = [ "keys.target" ];
> unitConfig.RequiresMountsFor = [ runkeys store ];
> serviceConfig = {
> ExecStart = load;
> Type = "oneshot";
> RemainAfterExit = false;
> };
> };
>
> systemd.services.nixops-save-keys = {
> description = "Save nixops keys to re-load after reboot";
> after = [ "keys.target" ];
> wantedBy = [ "keys.target" ];
> serviceConfig = {
> ExecStart = save;
> Restart = "always";
> };
> };
> };
> }
>
>
> P. S. writeBashScript:
> { bash, writeScript, haskellPackages, runCommand }:
>
> name: text:
> let
> f = writeScript name ''
> #!${bash}/bin/bash
> ${text}
> '';
> in
> runCommand name { } ''
> ${haskellPackages.ShellCheck}/bin/shellcheck ${f}
> cp -a ${f} $out
> ''
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
--
Tomasz Czyż