diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 5a334e690568..60760487a1d2 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -55,7 +55,7 @@ in
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
- # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+ # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 9e3ee5cf0a3a..dfd158e2d75f 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
''}
# Copy secrets if needed.
+ #
+ # TODO: move out to a separate script; see #85000.
${optionalString (!config.boot.loader.supportsInitrdSecrets)
(concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else source; in
@@ -579,6 +581,25 @@ in
message = "boot.resumeDevice has to be an absolute path."
+ " Old \"x:y\" style is no longer supported.";
}
+ # TODO: remove when #85000 is fixed
+ { assertion = !config.boot.loader.supportsInitrdSecrets ->
+ all (source:
+ builtins.isPath source ||
+ (builtins.isString source && hasPrefix source builtins.storeDir))
+ (attrValues config.boot.initrd.secrets);
+ message = ''
+ boot.loader.initrd.secrets values must be unquoted paths when
+ using a bootloader that doesn't natively support initrd
+ secrets, e.g.:
+
+ boot.initrd.secrets = {
+ "/etc/secret" = /path/to/secret;
+ };
+
+ Note that this will result in all secrets being stored
+ world-readable in the Nix store!
+ '';
+ }
];
system.build =
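Review bot: The `hasPrefix` call in the new assertion's predicate has its arguments reversed — `lib.hasPrefix` takes the prefix first, so `hasPrefix source builtins.storeDir` tests whether the store directory starts with the secret's path rather than the other way round. As written, a genuine store-path string such as `"/nix/store/…-key"` fails the assertion while strings like `"/nix"`, `"/"` or `""` satisfy it, so the check neither admits the values it is meant to allow nor reliably rejects out-of-store paths; the line should read `(builtins.isString source && hasPrefix builtins.storeDir source)`. The message also names the option `boot.loader.initrd.secrets`, but the option actually being checked is `boot.initrd.secrets` (as the `attrValues` argument and the example in the message itself show), which will send users looking for a nonexistent option. Since the message concedes that every accepted value ends up world-readable in the Nix store, consider making the warning actionable, e.g. appending `Do not use this for material that must stay confidential on a multi-user host; prefer a bootloader with native initrd-secrets support.` The `assertions` list this entry belongs to begins before the hunk.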