Mount a ramfs on /run/keys for safe key storage for nixops

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-05 08:00:19 -05:00 · 2014-02-05 08:00:19 -05:00 · bfc682ea37
commit bfc682ea37
parent 1e0352f801
1 changed files with 9 additions and 0 deletions
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@ -131,6 +131,15 @@ if ! mountpoint -q /run; then
    mount -t tmpfs -o "mode=0755,size=@runSize@" none /run
 fi

+# Create a ramfs on /run/keys to hold secrets that shouldn't
+# be written to disk (generally used for nixops, harmless
+# elsehwere)
+if ! mountpoint -q /run/keys; then
+    rm -rf /run/keys
+    mkdir -m 0700 /run/keys
+    mount -t ramfs none /run/keys
+fi
+
 mkdir -m 0755 -p /run/lock