diff options
| author | Alyssa Ross <hi@alyssa.is> | 2023-04-23 16:00:52 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2023-04-23 16:00:52 +0000 |
| commit | 9b7e1e27e7d57307300cf9eaaec535472697a8e0 (patch) | |
| tree | eafe3fa698a3784f59eed7d72268d2f9c5e59a98 /run | |
| parent | 9ddd70ad09f3f3e5d4dc275aeee96c1f8ae5ba1a (diff) | |
| download | infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar.gz infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar.bz2 infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar.lz infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar.xz infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.tar.zst infra-9b7e1e27e7d57307300cf9eaaec535472697a8e0.zip | |
run: encrypt swap
The Nix process (or the / tmpfs) containing the key file could end up being swapped out, so it's a good idea to encrypt the swap so the key material won't accidentally persist. Signed-off-by: Alyssa Ross <hi@alyssa.is>
Diffstat (limited to 'run')
| -rw-r--r-- | run | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/run b/run index 47b05bf..2bbcffd 100644 --- a/run +++ b/run @@ -5,8 +5,9 @@ set -uexo pipefail export PATH=/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin -mkswap /dev/vda -swapon /dev/vda +cryptsetup create -d /dev/random create swap /dev/vda +mkswap /dev/mapper/swap +swapon /dev/mapper/swap for o in $(</proc/cmdline); do case $o in |