commit a905c3a544a422b92db99758489e20d84ed755cb · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #262854 from ElvishJerricco/systemd-stage-1-bcachefs-decryption

systemd-stage-1: bcachefs decryption

authored by Ryan Lahfa and committed by GitHub 2 years ago a905c3a5 707696cc

+46 -10

3 changed files

expand all

unified split

nixos

modules

tasks

filesystems

bcachefs.nix

tests

installer-systemd-stage-1.nix

installer.nix

+40 -10

nixos/modules/tasks/filesystems/bcachefs.nix

··· 34 34 } 35 35 ''; 36 36 37 - openCommand = name: fs: 38 - let 39 - # we need only unlock one device manually, and cannot pass multiple at once 40 - # remove this adaptation when bcachefs implements mounting by filesystem uuid 41 - # also, implement automatic waiting for the constituent devices when that happens 42 - # bcachefs does not support mounting devices with colons in the path, ergo we don't (see #49671) 43 - firstDevice = head (splitString ":" fs.device); 44 - in 45 - '' 46 - tryUnlock ${name} ${firstDevice} 37 + # we need only unlock one device manually, and cannot pass multiple at once 38 + # remove this adaptation when bcachefs implements mounting by filesystem uuid 39 + # also, implement automatic waiting for the constituent devices when that happens 40 + # bcachefs does not support mounting devices with colons in the path, ergo we don't (see #49671) 41 + firstDevice = fs: head (splitString ":" fs.device); 42 + 43 + openCommand = name: fs: '' 44 + tryUnlock ${name} ${firstDevice fs} 45 + ''; 46 + 47 + mkUnits = prefix: name: fs: let 48 + mountUnit = "${utils.escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint))}.mount"; 49 + device = firstDevice fs; 50 + deviceUnit = "${utils.escapeSystemdPath device}.device"; 51 + in { 52 + name = "unlock-bcachefs-${utils.escapeSystemdPath fs.mountPoint}"; 53 + value = { 54 + description = "Unlock bcachefs for ${fs.mountPoint}"; 55 + requiredBy = [ mountUnit ]; 56 + before = [ mountUnit ]; 57 + bindsTo = [ deviceUnit ]; 58 + after = [ deviceUnit ]; 59 + unitConfig.DefaultDependencies = false; 60 + serviceConfig = { 61 + Type = "oneshot"; 62 + ExecCondition = "${pkgs.bcachefs-tools}/bin/bcachefs unlock -c \"${device}\""; 63 + Restart = "on-failure"; 64 + RestartMode = "direct"; 65 + # Ideally, this service would lock the key on stop. 66 + # As is, RemainAfterExit doesn't accomplish anything. 67 + RemainAfterExit = true; 68 + }; 69 + script = '' 70 + ${config.boot.initrd.systemd.package}/bin/systemd-ask-password --timeout=0 "enter passphrase for ${name}" | exec ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${device}" 47 71 ''; 72 + }; 73 + }; 48 74 49 75 in 50 76 ··· 59 85 60 86 # use kernel package with bcachefs support until it's in mainline 61 87 boot.kernelPackages = pkgs.linuxPackages_testing_bcachefs; 88 + 89 + systemd.services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems); 62 90 } 63 91 64 92 (mkIf ((elem "bcachefs" config.boot.initrd.supportedFilesystems) || (bootFs != {})) { ··· 79 107 ''; 80 108 81 109 boot.initrd.postDeviceCommands = commonFunctions + concatStrings (mapAttrsToList openCommand bootFs); 110 + 111 + boot.initrd.systemd.services = lib.mapAttrs' (mkUnits "/sysroot") bootFs; 82 112 }) 83 113 ]); 84 114 }

nixos/tests/installer-systemd-stage-1.nix

··· 8 8 # them when fixed. 9 9 inherit (import ./installer.nix { inherit system config pkgs; systemdStage1 = true; }) 10 10 # bcache 11 + bcachefsSimple 12 + bcachefsEncrypted 11 13 btrfsSimple 12 14 btrfsSubvolDefault 13 15 btrfsSubvolEscape

nixos/tests/installer.nix

··· 937 937 enableOCR = true; 938 938 preBootCommands = '' 939 939 machine.start() 940 + # Enter it wrong once 941 + machine.wait_for_text("enter passphrase for ") 942 + machine.send_chars("wrong\n") 943 + # Then enter it right. 940 944 machine.wait_for_text("enter passphrase for ") 941 945 machine.send_chars("password\n") 942 946 '';