
Activation as user service #3415

Open
gkleen opened this issue Nov 14, 2022 · 17 comments · May be fixed by #2548
@gkleen

gkleen commented Nov 14, 2022

Description

I manage a system that has its root fs on tmpfs and mounts user homes on login via pam_mount over cifs.
I use the nixos module to manage user environments.

The home-manager-${userName}.service units seem to run on boot, far before any user has logged in and their home directory becomes available.

It would be helpful if there was a builtin way to have home-manager activation occur as a systemd user service as early as possible, probably before/as a part of basic.target?
Maybe that should even be the default way to do activation for the nixos module?

@gkleen
Author

gkleen commented Nov 14, 2022

Currently I'm doing the following, which seems to work:

    # Disable the per-user *system* services generated by the NixOS module:
    # they run at boot, before pam_mount has made the home directories available.
    # Assumes the lib functions used below (mapAttrs', nameValuePair, mkForce,
    # optionalAttrs, concatStringsSep, mapAttrsToList) are in scope via `with lib;`.
    systemd.services = mapAttrs' (userName: _: nameValuePair "home-manager-${userName}" { enable = mkForce false; }) config.home-manager.users;

    # One systemd *user* service instead; it runs in each user's manager once
    # that user has logged in, ordered before basic.target.
    systemd.user.services."home-manager" = let
      cfg = config.home-manager;
    in {
      description = "Home Manager environment";
      wantedBy = [ "basic.target" ];
      before = [ "basic.target" ];

      # Same environment the NixOS module would hand to the system service.
      environment = optionalAttrs (cfg.backupFileExtension != null) {
        HOME_MANAGER_BACKUP_EXT = cfg.backupFileExtension;
      } // optionalAttrs cfg.verbose { VERBOSE = "1"; };

      stopIfChanged = false;

      # Required for a unit that wants to be ordered before basic.target.
      unitConfig.DefaultDependencies = false;

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
        TimeoutStartSec = 90;
        SyslogIdentifier = "hm-activate";

        # A single script for all users: dispatch on $USER to that user's
        # activation package; users without a home-manager config just exit.
        ExecStart = pkgs.writeScript "hm-activate" ''
          #! ${pkgs.runtimeShell} -el

          case $USER in
            ${concatStringsSep "\n  " (mapAttrsToList (_: usercfg: builtins.replaceStrings ["\n"] ["\n  "] ''
              ${usercfg.home.username})
                ${usercfg.home.activationPackage}/activate
                systemctl --user daemon-reload
              ;;
            '') cfg.users)}
            *) exit 0 ;;
          esac
        '';
      };
    };

@Aleksanaa
Contributor

Also need this. I'm using pam_mount with a LUKS-encrypted user home partition, and home-manager-${user}.service starts too early.

@ncfavier
Member

There's a PR at #2548, @Aleksanaa could you try that?

Out of curiosity, why not mount your LUKS partition at boot? Does using pam_mount mean that you don't have to type your password twice?

@ncfavier ncfavier linked a pull request Jan 13, 2023 that will close this issue
@Aleksanaa
Contributor

Aleksanaa commented Jan 13, 2023

> There's a PR at #2548, @Aleksanaa could you try that?
>
> Out of curiosity, why not mount your LUKS partition at boot? Does using pam_mount mean that you don't have to type your password twice?

Thanks so much.

The reason is that some Fedora, Arch Linux and Gentoo users like to have two separate encrypted partitions, one for root and another for the user home.

The first one is decrypted by cryptenroll, which integrates with the TPM, and the TPM can be set to make sure the secure boot state is enforced and firmware and signatures have not been tampered with; we often call it trusted boot.

The second is decrypted by PAM modules at login, and the user's passphrase is the same as the partition's, so we don't have to input it twice.

These two measures ensure data security and avoid cold start attacks to a certain degree, while still not sacrificing convenience. Another advantage is that if you share your computer with another user, both of you can easily protect your files from being viewed by each other.

There are already plenty of personal blog, wiki and forum posts about it on those distros; even with Silverblue they've done it. Surprisingly, I see no document on this for NixOS. And I'm a new nixer trying to move all my Arch Linux config onto NixOS, so I encountered this problem 🥲
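A NixOS configuration for the two-partition layout described in this comment, as an added example that is not from this issue or from home-manager itself. The device UUIDs and the user name `alice` are placeholders; the `crypttabExtraOpts` setting assumes the systemd-based initrd.

```nix
{ config, pkgs, ... }:
{
  # Root partition: LUKS volume unlocked in the initrd by a TPM2-sealed key.
  # The key is enrolled once, outside of Nix, with e.g.
  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/disk/by-uuid/ROOT-LUKS-UUID
  # Binding to PCR 7 means the TPM only releases the key while the Secure Boot
  # state is unchanged, which is the "trusted boot" property mentioned above.
  boot.initrd.systemd.enable = true;   # crypttabExtraOpts requires the systemd initrd
  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-uuid/ROOT-LUKS-UUID";   # placeholder UUID
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  # Home partition: a second LUKS volume that is deliberately NOT opened at boot.
  # pam_mount opens it during the PAM session, reusing the login password as the
  # LUKS passphrase, so the user types it once. Because the mount happens at
  # login, the system-level home-manager-<user>.service from the NixOS module
  # has already run by then; that ordering gap is what this issue is about.
  security.pam.mount = {
    enable = true;
    extraVolumes = [
      ''
        <volume user="alice"
                fstype="crypt"
                path="/dev/disk/by-uuid/HOME-LUKS-UUID"
                mountpoint="/home/alice"
                options="fstype=ext4" />
      ''
    ];
  };

  # The account whose login password doubles as the home volume passphrase;
  # its default home "/home/alice" is the mountpoint pam_mount uses above.
  users.users.alice.isNormalUser = true;
}
```

With this layout, anything that needs the user's files (home-manager activation included) must run inside the login session, which is why a systemd user service ordered before basic.target is the natural fit.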

@ncfavier
Member

That makes sense. Yeah, I think we're still very much figuring these things out in NixOS, e.g. secure boot is very recent work in progress.

@Aleksanaa
Contributor

> There's a PR at #2548, @Aleksanaa could you try that?
>
> Out of curiosity, why not mount your LUKS partition at boot? Does using pam_mount mean that you don't have to type your password twice?

Anyway, is there an easy way of applying a PR? I'm using flakes and home-manager as a NixOS module.
Do I have to point the input at that branch?

@ncfavier
Member

Yeah, add `inputs.home-manager.url = "github:pasqui23/home-manager/nixos-late-start";` to your flake.nix

@Aleksanaa
Contributor

> Yeah, add `inputs.home-manager.url = "github:pasqui23/home-manager/nixos-late-start";` to your flake.nix

Everything works flawlessly for me!

@gkleen
Author

gkleen commented Jan 13, 2023

#2548 seems like the way to go, thanks!

@stale

stale bot commented Apr 18, 2023

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

  • If this is resolved, please consider closing it so that the maintainers know not to focus on this.
  • If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

If you are not the original author of the issue

  • If you are also experiencing this issue, please add details of your situation to help with the debugging process.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

@stale stale bot added the status: stale label Apr 18, 2023
@Aleksanaa
Contributor

This is still very important for us. Without activation as user service, we can't easily handle more complicated situations of home directory.

@stale stale bot removed the status: stale label Apr 18, 2023
@stale

stale bot commented Jul 17, 2023

@stale stale bot added the status: stale label Jul 17, 2023
@gkleen
Author

gkleen commented Jul 18, 2023

My situation w.r.t. this issue hasn't changed.
I'm currently having to do extra work whenever I want to upgrade my systems, because I can't track home-manager releases and/or master.
Would love to see #2548 merged.

@stale stale bot removed the status: stale label Jul 18, 2023
@stale

stale bot commented Oct 16, 2023

@stale stale bot added the status: stale label Oct 16, 2023
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/encrypted-root-with-single-password-prompt/17054/9

@stale

stale bot commented May 5, 2024

@stale stale bot added the status: stale label May 5, 2024
@Aleksanaa
Contributor

?

@stale stale bot removed the status: stale label May 5, 2024