Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make-disk-image: allow pre/post format files in vm #778

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

make-disk-image: allow pre/post format files in vm #778

wants to merge 1 commit into from

Conversation

phaer
Copy link
Member

@phaer phaer commented Sep 18, 2024

...via disko.imageBuilder.preFormatFiles and disko.imageBuilder.postFormatFiles.

This enables users to add secrets to their diskoVMs.

diskoImageScripts does include --pre-format-files, but diskoImages didn't support
the same feature so far - making it harder to pre-generate encrypted disk images or to test such images in a VM.

@phaer phaer requested review from Lassulus and Enzime September 28, 2024 20:50
Enzime
Enzime reviewed Sep 29, 2024
View reviewed changes
Copy link
Member

@Enzime Enzime left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add some tests for this?

@phaer phaer mentioned this pull request Jan 6, 2025
Open
Mic92
Mic92 reviewed Jan 7, 2025
View reviewed changes
module.nix
type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.path);
description = ''
Files to copy into the image builder VM before disko is run.
This is useful to provide secrets like LUKS keys, or other files you need for formatting.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we not have a disclaimer, that this leaks secrets into the nix store?
For image builder that runs outside of the nix store, we have a parameter that can be used instead.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A warning that it could leak is probably a good idea.

But the second variant of passing a shell snippet should be usable without leaking secrets into the store? i.e.

preFormatFiles."/tmp/secret" = "cat /my-secret-out-side-nix store > $out" shouldn't leak. $out is just a tempfile here, see prepareFiles above.

phaer
phaer commented Jan 7, 2025
View reviewed changes
module.nix
example = lib.literalExpression ''
{
"/tmp/pre/file" = pkgs.writeText "foo" "bar";
"/tmp/pre/script" = "mkdir -p $out/foo; echo bar > $out/foo";
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"/tmp/pre/script" = "mkdir -p $out/foo; echo bar > $out/foo";
"/tmp/pre/script" = "mkdir -p $out; echo bar > $out/foo";

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Enzime Enzime Enzime left review comments

@Mic92 Mic92 Mic92 left review comments

@Lassulus Lassulus Awaiting requested review from Lassulus

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@phaer @Mic92 @Enzime