nixos/grub-install: execute prepare commands earlier #99618

Open
wants to merge 1 commit into
base: master

@andir (Member) commented Oct 5, 2020

Motivation for this change

Previously the extraPrepareConfig commands were executed after the grub
entries were generated. With this new location we can run commands
before the initrd appender script is executed. This is especially
helpful with the recent change to the sshd host keys of openssh in the
initrd. In the old setup you did not have to provision host keys (and
you might not even have cared about them) but with the new setup you
must always provide host keys even if you do not care about them.

In my personal setup I have everything encrypted except that initrd. The
initrd is basically public knowledge as anyone (on the hosting provider)
will be able to read that key from the initrd.

cc @mweinelt #98100

@stale stale bot commented Jun 4, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale label Jun 4, 2021