{ config , lib , pkgs , utils , . . . }:
with lib ;
with utils ;
let
# Restrict an option type with an extra predicate and record the
# predicate's purpose in the type's description, so a rejected value is
# reported together with the name of the constraint it violated.
#   desc     - short human-readable name of the constraint
#   elemType - the lib.types type being restricted
#   check    - predicate applied to each value of that type
addCheckDesc = desc: elemType: check:
  let
    restricted = types.addCheck elemType check;
    label = "${elemType.description} (with check: ${desc})";
  in restricted // { description = label; };
# True unless `s` consists solely of spaces, tabs and newlines (the empty
# string included); `builtins.match` yields null when the whole-string
# regex does not match.
isNonEmpty = s: builtins.match "[ \t\n]*" s == null;
# `types.str` narrowed to values with at least one non-whitespace character;
# the resulting type's description names the "non-empty" check.
nonEmptyStr = addCheckDesc "non-empty" types.str (s: isNonEmpty s);
# Mount-order sort of the declared file systems.  `toposort` returns either
# `{ result = [...]; }` or, on a dependency loop, `{ cycle = ...; loops = ...; }`.
fileSystems' = toposort fsBefore (attrValues config.fileSystems);

# The list every consumer in this module iterates over.  When sorting
# failed we keep the declaration order so that other modules can still
# evaluate their own assertions; the loop itself is reported by the
# assertion in `config` below.
fileSystems =
  let
    unsorted = attrValues config.fileSystems;
  in fileSystems'.result or unsorted;
# Pseudo file systems that have no backing block device.  For these the
# `device` field defaults to the type name itself (see `coreFileSystemOpts`).
specialFSTypes = [
  "proc"
  "sysfs"
  "tmpfs"
  "ramfs"
  "devtmpfs"
  "devpts"
];
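# Submodule shared by `fileSystems` and `boot.specialFileSystems`: the
# fields every mount needs.  `name` is the attribute name the entry was
# declared under and doubles as the default mount point.
coreFileSystemOpts = { name, config, ... }: {

  options = {

    mountPoint = mkOption {
      example = "/mnt/usb";
      # Rejects blank values and a trailing "/"; the bare root "/" still
      # passes because ".+/" needs at least one character before the slash.
      type = addCheckDesc "non-empty without trailing slash" types.str
        (s: isNonEmpty s && (builtins.match ".+/" s) == null);
      # Fixed the duplicated "the" in the generated manual text.
      description = "Location of the mounted file system.";
    };

    device = mkOption {
      default = null;
      example = "/dev/sda";
      type = types.nullOr nonEmptyStr;
      description = "Location of the device.";
    };

    fsType = mkOption {
      default = "auto";
      example = "ext3";
      type = nonEmptyStr;
      description = "Type of the file system.";
    };

    options = mkOption {
      default = [ "defaults" ];
      example = [ "data=journal" ];
      description = "Options used to mount the file system.";
      type = types.listOf nonEmptyStr;
    };

  };

  config = {
    # The attribute name is the mount point unless set explicitly.
    mountPoint = mkDefault name;
    # Pseudo file systems (proc, sysfs, ...) have no device node; the type
    # name is used in the device field instead.
    device = mkIf (elem config.fsType specialFSTypes) (mkDefault config.fsType);
  };

};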
# Submodule with the fields that apply only to user-declared `fileSystems`
# (not to `boot.specialFileSystems`); composed with `coreFileSystemOpts`.
fileSystemOpts = { config, ... }: {

  options = {

    label = mkOption {
      default = null;
      example = "root-partition";
      type = types.nullOr nonEmptyStr;
      description = "Label of the device (if any).";
    };

    # Destructive: when true, a systemd unit runs mkfs on the device if no
    # file system signature is detected (see `systemd.services` below).
    autoFormat = mkOption {
      default = false;
      type = types.bool;
      description = ''
        If the device does not currently contain a filesystem (as
        determined by <command>blkid</command>, then automatically
        format it with the filesystem type specified in
        <option>fsType</option>.  Use with caution.
      '';
    };

    # Interpolated unquoted into the mkfs command line, so it is subject to
    # shell word splitting (several flags may be given in one string).
    formatOptions = mkOption {
      default = "";
      type = types.str;
      description = ''
        If <option>autoFormat</option> option is set specifies
        extra options passed to mkfs.
      '';
    };

    # NOTE(review): the assertion in `config` below also accepts f2fs;
    # this description only mentions ext2/3/4.
    autoResize = mkOption {
      default = false;
      type = types.bool;
      description = ''
        If set, the filesystem is grown to its maximum size before
        being mounted. (This is typically the size of the containing
        partition.) This is currently only supported for ext2/3/4
        filesystems that are mounted during early boot.
      '';
    };

    noCheck = mkOption {
      default = false;
      type = types.bool;
      description = "Disable running fsck on this filesystem.";
    };

  };

  config =
    let
      # mkfs flags needed for a non-interactive run:
      #   -F for the ext family (allow a bare block device without partitions)
      #   -q for jfs and reiserfs (non-interactive operation)
      defaultFormatOptions =
        if hasPrefix "ext" config.fsType then "-F"
        else if elem config.fsType [ "jfs" "reiserfs" ] then "-q"
        else null;
    in {
      # Mount-option marker picked up by the resize step (handled outside
      # this file).
      options = mkIf config.autoResize [ "x-nixos.autoresize" ];
      formatOptions = mkIf (defaultFormatOptions != null) (mkDefault defaultFormatOptions);
    };

};
# Builds the `mounts.sh` fragment: one
# `specialMount device mountPoint options fsType` line per entry in
# `mounts`.  The script that sources this file must define `specialMount`
# itself.  Field values are interpolated verbatim into double-quoted shell
# words, so they must not contain `"`, `$` or backslashes.
makeSpecialMounts = mounts:
  let
    mountLine = mount: ''
      specialMount "${mount.device}" "${mount.mountPoint}" "${concatStringsSep "," mount.options}" "${mount.fsType}"
    '';
  in pkgs.writeText "mounts.sh" (concatMapStringsSep "\n" mountLine mounts);
in
{
###### interface
options = {

  # User-facing declaration of every mount; each entry is checked by
  # `coreFileSystemOpts` and `fileSystemOpts`.
  fileSystems = mkOption {
    default = { };
    type = types.attrsOf (types.submodule [ coreFileSystemOpts fileSystemOpts ]);
    example = literalExample ''
      {
        "/".device = "/dev/hda1";
        "/data" = {
          device = "/dev/hda2";
          fsType = "ext3";
          options = [ "data=journal" ];
        };
        "/bigdisk".label = "bigdisk";
      }
    '';
    description = ''
      The file systems to be mounted.  It must include an entry for
      the root directory (<literal>mountPoint = "/"</literal>).  Each
      entry in the list is an attribute set with the following fields:
      <literal>mountPoint</literal>, <literal>device</literal>,
      <literal>fsType</literal> (a file system type recognised by
      <command>mount</command>; defaults to
      <literal>"auto"</literal>), and <literal>options</literal>
      (the mount options passed to <command>mount</command> using the
      <option>-o</option> flag; defaults to <literal>[ "defaults" ]</literal>).

      Instead of specifying <literal>device</literal>, you can also
      specify a volume label (<literal>label</literal>) for file
      systems that support it, such as ext2/ext3 (see <command>mke2fs
      -L</command>).
    '';
  };

  # Internal: packages whose mount helpers and checkers are added to the
  # system path (see `environment.systemPackages` in `config`).
  system.fsPackages = mkOption {
    internal = true;
    default = [ ];
    description = "Packages supplying file system mounters and checkers.";
  };

  boot.supportedFilesystems = mkOption {
    default = [ ];
    example = [ "btrfs" ];
    type = types.listOf types.str;
    description = "Names of supported filesystem types.";
  };

  # Internal: mounts performed by the early mount script rather than via
  # fstab; only the core fields apply here.
  boot.specialFileSystems = mkOption {
    default = { };
    type = types.attrsOf (types.submodule coreFileSystemOpts);
    internal = true;
    description = ''
      Special filesystems that are mounted very early during boot.
    '';
  };

};
###### implementation
config = {
# Evaluation-time checks over the declared file systems.
assertions =
  let
    # Join the mount points of a list of file systems with `sep`.
    ls = sep: concatMapStringsSep sep (x: x.mountPoint);
    # autoResize is only implemented for the ext family and f2fs.
    notAutoResizable = fs:
      fs.autoResize && !(hasPrefix "ext" fs.fsType || fs.fsType == "f2fs");
  in [
    {
      # toposort yields `cycle`/`loops` instead of `result` on a dependency loop.
      assertion = !(fileSystems' ? cycle);
      message = "The ‘fileSystems’ option can't be topologically sorted: mountpoint dependency path ${ls " -> " fileSystems'.cycle} loops to ${ls ", " fileSystems'.loops}";
    }
    {
      assertion = !(any notAutoResizable fileSystems);
      message =
        let
          fs = head (filter notAutoResizable fileSystems);
          hint = if fs.fsType == "auto" then " fsType has to be explicitly set and" else "";
        in "Mountpoint '${fs.mountPoint}': 'autoResize = true' is not supported for 'fsType = \"${fs.fsType}\"':${hint} only the ext filesystems and f2fs support it.";
    }
  ];
# Export for use in other modules
system.build.fileSystems = fileSystems;

# Shell fragment with one `specialMount` call per special file system, in
# dependency order.  A dependency loop among special file systems surfaces
# here as a missing `result` attribute at evaluation time; there is no
# assertion for it like the one for `fileSystems`.
system.build.earlyMountScript =
  let
    sorted = toposort fsBefore (attrValues config.boot.specialFileSystems);
  in makeSpecialMounts sorted.result;

# Every configured fsType counts as a supported file system.
boot.supportedFilesystems = map (fs: fs.fsType) fileSystems;

# Add the mount helpers to the system path so that `mount' can find them.
system.fsPackages = [ pkgs.dosfstools ];

environment.systemPackages = with pkgs; [ fuse3 fuse ] ++ config.system.fsPackages;
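# Generated /etc/fstab: one line per declared file system, then one per
# swap device.
environment.etc.fstab.text =
  let
    # Types for which fsck is unavailable or unwanted: pass number 0.
    fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
    skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
    # fstab fields are whitespace-separated, so spaces and tabs inside a
    # field must be written as octal escapes.
    # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces
    escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string;
    # First field: the device path, or a by-label symlink when only a label
    # was given.  An entry with neither is a configuration error.
    fsSpec = fs:
      if fs.device != null then escape fs.device
      else if fs.label != null then "/dev/disk/by-label/${escape fs.label}"
      else throw "No device specified for mount point ‘${fs.mountPoint}’.";
    # Sixth field (fsck order): 0 = skip, 1 = root, 2 = everything else.
    passNo = fs:
      if skipCheck fs then "0"
      else if fs.mountPoint == "/" then "1"
      else "2";
    fsLine = fs:
      concatStringsSep " " [
        (fsSpec fs)
        (escape fs.mountPoint)
        fs.fsType
        (builtins.concatStringsSep "," fs.options)
        "0"
        (passNo fs)
      ] + "\n";
    swapOptions = sw: "defaults"
      + optionalString (sw.priority != null) ",pri=${toString sw.priority}";
    # Swap entries get the same field escaping as regular mounts; previously
    # `realDevice` was emitted raw, so a swap file path containing a space
    # would split into two fields.  Paths without spaces/tabs are unchanged.
    swapLine = sw: "${escape sw.realDevice} none swap ${swapOptions sw}\n";
  in ''
    # This is a generated file.  Do not edit!
    #
    # To make changes, edit the fileSystems and swapDevices NixOS options
    # in your /etc/nixos/configuration.nix file.

    # Filesystems.
    ${concatMapStrings fsLine fileSystems}

    # Swap devices.
    ${concatMapStrings swapLine config.swapDevices}
  '';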
# Provide a target that pulls in all filesystems: it wants both the local
# and the remote file system targets.
systemd.targets.fs = {
  description = "All File Systems";
  wants = [
    "local-fs.target"
    "remote-fs.target"
  ];
};
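systemd.services =
  # Emit systemd services to format requested filesystems.
  let
    # One oneshot unit per `autoFormat = true` entry, ordered before the
    # mount unit and the fsck unit for the same device.
    formatDevice = fs:
      let
        mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount";
        # NOTE(review): `fs.device` is null for label-only entries, so an
        # autoFormat entry declared by label fails here at evaluation time.
        device' = escapeSystemdPath fs.device;
        device'' = "${device'}.device";
      in nameValuePair "mkfs-${device'}" {
        description = "Initialisation of Filesystem ${fs.device}";
        wantedBy = [ mountPoint' ];
        before = [ mountPoint' "systemd-fsck@${device'}.service" ];
        requires = [ device'' ];
        after = [ device'' ];
        path = [ pkgs.util-linux ] ++ config.system.fsPackages;
        script = ''
          if ! [ -e "${fs.device}" ]; then exit 1; fi
          # Only treat the device as blank when blkid positively reports
          # that no filesystem signature was found (exit status 2).  Any
          # other failure -- missing tool, I/O error, ambivalent probe --
          # aborts the unit instead of falling through to a destructive
          # mkfs on a device that may still hold data.  (Previously any
          # blkid failure was masked with `|| true` and led to formatting.)
          set +e
          type=$(blkid -p -s TYPE -o value "${fs.device}")
          rc=$?
          set -e
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then
            echo "blkid failed on ${fs.device} (exit status $rc); not formatting" >&2
            exit "$rc"
          fi
          if [ -z "$type" ]; then
            echo "creating ${fs.fsType} filesystem on ${fs.device}..."
            mkfs.${fs.fsType} ${fs.formatOptions} "${fs.device}"
          fi
        '';
        unitConfig.RequiresMountsFor = [ "${dirOf fs.device}" ];
        unitConfig.DefaultDependencies = false; # needed to prevent a cycle
        serviceConfig.Type = "oneshot";
      };
  in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)) // {
    # Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore.
    # This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then.
    # Since the pstore filesystem is usually empty right after mounting because the backend isn't registered yet, and a path unit cannot detect files inside of it, the same service waits for that to happen. systemd's restart mechanism can't be used here because the first failure also fails all dependent units.
    "mount-pstore" = {
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore";
        # Poll for up to 20 * 0.1 s for a pstore backend to register; the
        # unit still succeeds if none shows up in that time.
        ExecStartPost = pkgs.writeShellScript "wait-for-pstore.sh" ''
          set -eu
          TRIES=0
          while [ $TRIES -lt 20 ] && [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do
            sleep 0.1
            TRIES=$((TRIES+1))
          done
        '';
        RemainAfterExit = true;
      };
      unitConfig = {
        # Skip when something already mounted it, and inside containers.
        ConditionPathIsMountPoint = "!/sys/fs/pstore";
        ConditionVirtualization = "!container";
        DefaultDependencies = false; # needed to prevent a cycle
      };
      after = [ "modprobe@pstore.service" ];
      requires = [ "modprobe@pstore.service" ];
      before = [ "systemd-pstore.service" ];
      wantedBy = [ "systemd-pstore.service" ];
    };
  };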
# /run/keys is a ramfs (declared in boot.specialFileSystems below) and,
# per the commit history, ramfs reportedly ignores the gid= mount option,
# so the keys group ownership and 0750 mode are applied early by
# systemd-tmpfiles instead: `d` creates the directory if it is missing,
# `z` adjusts mode/owner/group of an existing one.
systemd.tmpfiles.rules =
  let
    keysGid = toString config.ids.gids.keys;
  in [
    "d /run/keys 0750 root ${keysGid}"
    "z /run/keys 0750 root ${keysGid}"
  ];
# Sync mount options with systemd's src/core/mount-setup.c: mount_table.
# All entries are pseudo file systems (see `specialFSTypes`), so `device`
# defaults to the type name via `coreFileSystemOpts`.
boot.specialFileSystems =
  let
    special = fsType: options: { inherit fsType options; };
    # Full hardening set used for the kernel-exported trees.
    hardened = [ "nosuid" "noexec" "nodev" ];
  in {
    "/proc" = special "proc" hardened;
    "/run" = special "tmpfs" [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ];
    "/dev" = special "devtmpfs" [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ];
    "/dev/shm" = special "tmpfs" [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ];
    "/dev/pts" = special "devpts" [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ];

    # To hold secrets that shouldn't be written to disk.  Group ownership
    # is fixed up by the systemd.tmpfiles.rules above.
    # NOTE(review): unlike /proc and /sys this mount is not `noexec`.
    "/run/keys" = special "ramfs" [ "nosuid" "nodev" "mode=750" ];
  } // optionalAttrs (!config.boot.isContainer) {
    # systemd-nspawn populates /sys by itself, and remounting it causes all
    # kinds of weird issues (most noticeably, waiting for host disk device
    # nodes).
    "/sys" = special "sysfs" hardened;
  };
} ;
}