From 8a37c3dd1a83da3138da455560fd25c102d2a2bd Mon Sep 17 00:00:00 2001
From: Emily
Date: Sat, 11 Apr 2020 16:19:48 +0100
Subject: [PATCH 1/2] nixos/initrd-ssh: fix typo in docs

---
 nixos/modules/system/boot/initrd-ssh.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 5a334e69056..60760487a1d 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -55,7 +55,7 @@ in
 # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
-# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

From 91c6809946438a935714e85e510399b494994c6b Mon Sep 17 00:00:00 2001
From: Emily
Date: Sat, 11 Apr 2020 16:24:55 +0100
Subject: [PATCH 2/2] nixos/stage-1: check secret paths before copying

Fixes #84976.
---
 nixos/modules/system/boot/stage-1.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 9e3ee5cf0a3..dfd158e2d75 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
 ''}

 # Copy secrets if needed.
+#
+# TODO: move out to a separate script; see #85000.
 ${optionalString (!config.boot.loader.supportsInitrdSecrets)
 (concatStringsSep "\n" (mapAttrsToList (dest: source:
 let source' = if source == null then dest else source; in
@@ -579,6 +581,25 @@ in
 message = "boot.resumeDevice has to be an absolute path."
 + " Old \"x:y\" style is no longer supported.";
 }
+# TODO: remove when #85000 is fixed
+{ assertion = !config.boot.loader.supportsInitrdSecrets ->
+all (source:
+builtins.isPath source ||
+(builtins.isString source && hasPrefix source builtins.storeDir))
+(attrValues config.boot.initrd.secrets);
+message = ''
+boot.loader.initrd.secrets values must be unquoted paths when
+using a bootloader that doesn't natively support initrd
+secrets, e.g.:
+
+boot.initrd.secrets = {
+"/etc/secret" = /path/to/secret;
+};
+
+Note that this will result in all secrets being stored
+world-readable in the Nix store!
+'';
+}
 ];

 system.build =
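Review bot: In the new assertion, `hasPrefix source builtins.storeDir` has its arguments reversed: lib's `hasPrefix` takes the prefix first, so this line tests whether the store directory starts with the secret's path and will reject nearly every string value, including the store paths the check is meant to allow; it should read `(builtins.isString source && hasPrefix builtins.storeDir source))`. Because the inverted comparison fails closed it does not weaken the guard, it just makes the string branch effectively unreachable, which defeats the purpose of accepting store-path strings at all. The message also names the option `boot.loader.initrd.secrets` while the example below it and the attribute being checked are `boot.initrd.secrets`; suggest `boot.initrd.secrets values must be unquoted paths when`. The `assertions` list this entry belongs to starts outside the hunk.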