Add configuration option to use tmpfs in place of ramfs (#355)

allow use of tmpfs via option configuration * Tabs vs Spaces * Update modules/sops/default.nix * Update modules/sops/default.nix
2025-12-26 14:14:58 +08:00 · 2023-07-24 11:15:10 +00:00 · 2023-07-24 11:15:10 +00:00 · 339a559402
commit 339a559402
parent 1c673ba105
3 changed files with 34 additions and 4 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -126,6 +126,7 @@ let
      sshKeyPaths = cfg.gnupg.sshKeyPaths;
      ageKeyFile = cfg.age.keyFile;
      ageSshKeyPaths = cfg.age.sshKeyPaths;
+      useTmpfs = cfg.useTmpfs;
      userMode = false;
      logging = {
        keyImport = builtins.elem "keyImport" cfg.log;
@ -242,6 +243,26 @@ in {
      '';
    };

+    useTmpfs = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mkDoc ''
+        Use tmpfs in place of ramfs for secrets storage.
+
+        *WARNING*
+        Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
+        
+        When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option
+        
+        ```
+        swapDevices = [{
+          device = "/dev/sdXY";
+          randomEncryption.enable = true; 
+        }];
+        ```
+      '';
+    };
+
    age = {
      keyFile = mkOption {
        type = types.nullOr types.path;