nixos/systemd-stage-1: Add basic LUKS support #168554
Conversation
dasJ
requested review from
arianvp,
ajs124,
ElvishJerricco,
bobvanderlinden and
lovesegfault
github-actions
bot
added
6.topic: nixos
dasJ
force-pushed
the
feat/systemd-stage-1-luks
branch
from
27a34ef
to
97b43ee
Compare
ofborg
bot
added
10.rebuild-darwin: 0
| "remote-cryptsetup.target" | ||
| ]; | ||
| storePaths = [ | ||
| "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup" |
There was a problem hiding this comment.
This is covered by the extraBin, right? Not that it really matters technically.
dasJ
force-pushed
the
feat/systemd-stage-1-luks
branch
from
97b43ee
to
c481bb1
Compare
| { assertion = config.boot.initrd.systemd.enable -> all (dev: !dev.fallbackToPassword) (attrValues luks.devices); | ||
| message = "boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1."; | ||
| } | ||
| { assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preLVM) (attrValues luks.devices); | ||
| message = "boot.initrd.luks.devices.<name>.preLVM is not used by systemd stage 1."; | ||
| } | ||
| { assertion = config.boot.initrd.systemd.enable -> options.boot.initrd.luks.reusePassphrases.highestPrio == defaultPrio; | ||
| message = "boot.initrd.luks.reusePassphrases has no effect with systemd stage 1."; | ||
| } |
There was a problem hiding this comment.
Should these three be warnings?
There was a problem hiding this comment.
I imagine the rationale is that these don't break anything if set when systemd stage 1 is enabled, and therefore they should be warnings as opposed to assertions.
I'm uncertain whether that is correct though, since setting something that should affect boot but doesn't might break your boot, even if it didn't break the config eval :)
There was a problem hiding this comment.
FWIW, having preLVM or reusePassphrases set won't break your expectations, as systemd stage 1 does the correct thing either way so it will do what you wanted without regard for those options. Disabling fallbackToPassword would have unexpected results if we didn't error the eval though.
I don't particularly care one way or the other about warnings vs assertions for preLVM and reusePassphrases though
There was a problem hiding this comment.
Yeah, that's exactly the motivation. If you set something that is not processed by the new initrd, it might prevent your system from booting.
There was a problem hiding this comment.
"need" was too strong a word. I don't think we really need to worry about this concern very much in the first place TBH.
There was a problem hiding this comment.
@andersk I'm suggesting that if a user writes
fallbackToPassword = false;in their nixos configuration, we need that to be an error, not a warning, because it will not behave as expected.
That would be a reasonable check. It is not, however, the check performed by this code. This code throws an error on fallbackToPassword = true.
There was a problem hiding this comment.
What if people did fallbackToPassword = lib.mkIf (!config.boot.initrd.systemd.enable) false?
There was a problem hiding this comment.
Keeping this an assertion makes sure there are no issues. Making it a warning might cause issues.
Let's please land this and revisit before making the options public. Assertion failures when switching stage-1 implementations are to be expected, especially at this stage.
We do not need to tackle the distinction between what should be a warning or an assertion right now.
Let's first make it work, then we can worry about making it good, and finally, we can make it easy :)
There was a problem hiding this comment.
dasJ
force-pushed
the
feat/systemd-stage-1-luks
branch
from
c481bb1
to
76f3903
Compare
|
I tried this on my local system and it's working. LGTM |
|
Does this address #74281 at all? |
dasJ
force-pushed
the
feat/systemd-stage-1-luks
branch
from
76f3903
to
28c7721
Compare
|
CI failure unrelated. Comes from #124019 |
|
The tests don't succeed much on Hydra: https://hydra.nixos.org/eval/1757428#tabs-new |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
Description of changes
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes