From bfc682ea372d04049994d679ae1cce3fa3aeff4a Mon Sep 17 00:00:00 2001
From: Shea Levy
Date: Wed, 5 Feb 2014 08:00:19 -0500
Subject: [PATCH] Mount a ramfs on /run/keys for safe key storage for nixops

Signed-off-by: Shea Levy
---
 nixos/modules/system/boot/stage-2-init.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 2fadd3de1f0f..e0ff258c0eec 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -131,6 +131,15 @@ if ! mountpoint -q /run; then
 mount -t tmpfs -o "mode=0755,size=@runSize@" none /run
 fi
+# Create a ramfs on /run/keys to hold secrets that shouldn't
+# be written to disk (generally used for nixops, harmless
+# elsehwere)
+if ! mountpoint -q /run/keys; then
+ rm -rf /run/keys
+ mkdir -m 0700 /run/keys
+ mount -t ramfs none /run/keys
+fi
+
 mkdir -m 0755 -p /run/lock
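Review bot: The `-m 0700` on `mkdir` only sets the mode of the underlying mount point, which `mount -t ramfs none /run/keys` then covers with the ramfs root; that root takes the filesystem's own default mode (0755 in the kernel's ramfs, as far as I know), so the key directory would end up listable by every user unless the mode is passed at mount time. I would write the mount as `mount -t ramfs -o "mode=0700,nosuid,nodev,noexec" none /run/keys`, which also keeps setuid files and device nodes out of a directory meant only for secrets. The mount's exit status is not checked in the visible lines; if it fails, /run/keys stays a plain directory on the /run tmpfs, which can be swapped out, so an explicit failure path such as `|| echo "cannot mount ramfs on /run/keys" >&2` (or aborting) is needed for the comment's not-written-to-disk promise to hold. ramfs also has no size limit, unlike the `size=@runSize@` tmpfs just above, which is worth stating in the added comment since it is only safe while the directory stays root-writable.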