Like systemd-veritysetup-generator but for the Nix Store.
Reads the storehash= argument from the kernel commandline and dynamically
creates a service that sets up the verity protected device as
dev/mapper/nix-store.
If no storehash= argument on the kernel commandline is provided, nothing
happens.
Only works with the systemd initrd (boot.initrd.systemd.enable = true;).
Expects the UUIDs of the verity partitions to be set to the the first 128 bits
of the verity root hash for the data partition and the last 128 bits for the
hash partition. The easiest way to achieve this is by creating the partitions
with image.repart
(which does the correct thing by default).
The get an idea of how to implement this, look at the test. An easier way to build an appliance image that contains a verity protected Nix Store needs a few more abstractions that I plan on building but that do not exist yet.
The plan is to eventually upstream this into Nixpkgs.