Bcachefs unlock generator #345207

Draft
wants to merge 2 commits into
base: master

Contributor

@ElvishJerricco ElvishJerricco commented Sep 29, 2024

Description of changes

This systemd generator creates units that unlock your encrypted bcachefs file systems, based on the fstab file. It parses the fs_spec field and orders generated units after the necessary device.

I need to write an installer test for this. The original repo has tests that prove it works but that needs to be migrated into here.

I also need to have it respect the x-systemd.* FS options. e.g. x-systemd.requires is used to order a multi-device bcachefs mount after the requisite devices.

Requesting review from known bcachefs users, among others.

Closes #317901

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.
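
The fs_spec handling the description outlines, as an added example that is not part of the PR or the generator's own code: it reads bcachefs entries from an fstab and derives the `.device` units an unlock unit would be ordered after. The function names are hypothetical, ordering on the path-escaped `.device` unit is an assumption about the approach, and fstab octal escapes and the `x-systemd.*` options are not handled.

```rust
// Added example, not the PR's code; function names are hypothetical.
/// Path escaping by the rules of `systemd-escape --path`.
fn escape_path(path: &str) -> String {
    let joined = path.split('/').filter(|s| !s.is_empty()).collect::<Vec<_>>().join("/");
    if joined.is_empty() { return "-".to_string(); } // the root directory escapes to "-"
    let mut out = String::new();
    for (i, b) in joined.bytes().enumerate() {
        match b {
            b'/' => out.push('-'),
            b'.' if i == 0 => out.push_str("\\x2e"), // a leading dot is escaped
            b'a'..=b'z' | b'A'..=b'Z' | b'0'..=b'9' | b':' | b'_' | b'.' => out.push(b as char),
            _ => out.push_str(&format!("\\x{:02x}", b)),
        }
    }
    out
}

/// Device paths named by one fs_spec; tags map to udev's /dev/disk symlinks.
fn spec_to_paths(spec: &str) -> Vec<String> {
    let tags = [("UUID=", "by-uuid"), ("LABEL=", "by-label"), ("PARTUUID=", "by-partuuid")];
    for &(prefix, dir) in tags.iter() {
        if let Some(value) = spec.strip_prefix(prefix) {
            return vec![format!("/dev/disk/{}/{}", dir, value.trim_matches('"'))];
        }
    }
    // bcachefs multi-device syntax joins member devices with ':'
    spec.split(':').filter(|p| p.starts_with('/')).map(String::from).collect()
}

/// (mount point, device units an unlock unit would be ordered after).
fn unlock_deps(fstab: &str) -> Vec<(String, Vec<String>)> {
    let mut out = Vec::new();
    for line in fstab.lines().map(str::trim) {
        let f: Vec<&str> = line.split_whitespace().collect();
        if line.starts_with('#') || f.len() < 3 || f[2] != "bcachefs" {
            continue; // comments, short lines and other file systems
        }
        let units: Vec<String> = spec_to_paths(f[0]).iter().map(|p| format!("{}.device", escape_path(p))).collect();
        out.push((f[1].to_string(), units));
    }
    out
}

fn main() {
    // Constructed sample fstab, not taken from the PR.
    let fstab = "UUID=0a1b-2c3d / bcachefs defaults 0 0\n/dev/sda2:/dev/sdb2 /data bcachefs defaults 0 0\n";
    for (mnt, units) in unlock_deps(fstab) { println!("{} -> After={}", mnt, units.join(" ")); }
}
```

The `-` inside `by-uuid` and inside the UUID itself is escaped to `\x2d`, which is why a `UUID=` spec cannot be turned into a unit name by plain string substitution.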

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Sep 29, 2024
@ElvishJerricco
Contributor Author

Also, the package depends on the crates fstab, libsystemd-sys, and systemd. This is largely unnecessary and I intend to remove these dependencies. They just made life easier during development. They should be removed before merging. Help is welcome.

@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch 4 times, most recently from e106ca6 to c1f3ac6 Compare September 29, 2024 01:04
@h7x4 h7x4 added the 8.has: module (new) This PR adds a module in `nixos/` label Sep 29, 2024
@kraftnix

Thanks for this, I just tested it on a native encrypted bcachefs 2 drive mirror and it works perfectly! So I can remove my hacky systemd units to unlock.

I am still having issues with systemd-remount-fs trying to unlock the bcachefs disk every rebuild and failing as it has no passphrase, but I had that previously (using a different hacky systemd unit to unlock and mount the bcachefs encrypted mirror).

@mjm
Contributor

mjm commented Sep 30, 2024

I don't really want to use this yet because it breaks Clevis. I'm not personally attached to Clevis specifically (though maybe someone is), but rather I want some mechanism to use TPM to provide the passphrase. A systemd credential could also work for that if the generator supported it. I suppose I could override the unit to add the credential and change the ExecStart to use it, but that's a little more invasive than I'd like to be.

Do you have plans for automatic unlock?

@ElvishJerricco
Contributor Author

@mjm Yea, I'm debugging some issues with the generator on my test system, but my intention is to add the --credential option to the systemd-ask-password call so that it can work pretty seamlessly with the TPM.

@mjm
Contributor

mjm commented Oct 1, 2024

Awesome, once that's ready, I'll test it on my bcachefs machine.

Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (new) This PR adds a module in `nixos/` 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10
Development

Successfully merging this pull request may close these issues.

bcachefs: unlock-bcachefs-*.service fails with device = "UUID=..."
4 participants