From b4bd586ea977ace439c633387a460d0fafa7e5eb Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Sat, 28 Sep 2024 20:22:48 -0400
Subject: [PATCH 1/2] bcachefs-fstab-generator: init
---
 .../bc/bcachefs-fstab-generator/package.nix | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 pkgs/by-name/bc/bcachefs-fstab-generator/package.nix
diff --git a/pkgs/by-name/bc/bcachefs-fstab-generator/package.nix b/pkgs/by-name/bc/bcachefs-fstab-generator/package.nix
new file mode 100644
index 0000000000000..762d4dbfd6a55
--- /dev/null
+++ b/pkgs/by-name/bc/bcachefs-fstab-generator/package.nix
@@ -0,0 +1,23 @@
+{
+ rustPlatform,
+ pkg-config,
+ systemd,
+ fetchFromGitHub,
+}:
+
+rustPlatform.buildRustPackage {
+ pname = "bcachefs-fstab-generator";
+ version = "0.1.0-unstable-2024-11-02";
+
+ src = fetchFromGitHub {
+ owner = "ElvishJerricco";
+ repo = "bcachefs-fstab-generator";
+ rev = "c98b7dd19a1ffda0e3137e417822e3d79e208f5f";
+ hash = "sha256-WeZZ96fq9aQ+OMfpj5yqk2X+qthLJGgITg9cV7VOD7o=";
+ };
+
+ cargoHash = "sha256-yiB0iPMQ/gUEUi9/QSIiAVfcwYtXW5PEKPv/vapr4qM=";
+
+ nativeBuildInputs = [ pkg-config ];
+ buildInputs = [ systemd ];
+}
From d4df5883612af135b0f1732a163290c164fff858 Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Sat, 28 Sep 2024 20:36:39 -0400
Subject: [PATCH 2/2] nixos/bcachefs-unlock: init
---
 nixos/modules/module-list.nix | 1 +
 .../tasks/filesystems/bcachefs-unlock.nix | 40 ++++++++++++++++
 nixos/modules/tasks/filesystems/bcachefs.nix | 47 +------------------
 3 files changed, 42 insertions(+), 46 deletions(-)
 create mode 100644 nixos/modules/tasks/filesystems/bcachefs-unlock.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d05bafae4a231..4b339de3bdf3c 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
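Review bot: The new `package.nix` derivation has no `meta` attribute, so the package is added without a description, license, maintainers or platform restriction. For a binary that the second patch installs as a systemd generator in the initrd and that takes part in unlocking encrypted filesystems, a declared license and a named maintainer are what a supply-chain review would look for first. Because `buildInputs` is `[ systemd ]`, I would also add `meta.platforms = lib.platforms.linux;` (which needs `lib` in the argument set) alongside `description`, `homepage`, `license` and `maintainers`. The source itself is pinned by both `rev` and `hash`, which is the right shape for an `unstable` snapshot.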
@@ -1672,6 +1672,7 @@
 ./tasks/filesystems.nix
 ./tasks/filesystems/apfs.nix
 ./tasks/filesystems/bcachefs.nix
+ ./tasks/filesystems/bcachefs-unlock.nix
 ./tasks/filesystems/btrfs.nix
 ./tasks/filesystems/cifs.nix
 ./tasks/filesystems/ecryptfs.nix
diff --git a/nixos/modules/tasks/filesystems/bcachefs-unlock.nix b/nixos/modules/tasks/filesystems/bcachefs-unlock.nix
new file mode 100644
index 0000000000000..1d336838ddf49
--- /dev/null
+++ b/nixos/modules/tasks/filesystems/bcachefs-unlock.nix
@@ -0,0 +1,40 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ options.bcachefs-unlock.enable =
+ lib.mkEnableOption "unlocking bcachefs file systems with a systemd generator."
+ // {
+ default =
+ (config.boot.supportedFilesystems.bcachefs or false)
+ || (config.boot.initrd.supportedFilesystems.bcachefs or false);
+ defaultText = "boot.supportedFilesystems.bcachefs || boot.initrd.supportedFilesystems.bcachefs";
+ };
+
+ config = lib.mkIf config.bcachefs-unlock.enable {
+ boot.initrd.systemd.contents."/etc/systemd/system-generators/bcachefs-fstab-generator".source = "${pkgs.bcachefs-fstab-generator}/bin/bcachefs-fstab-generator";
+
+ boot.initrd.systemd.services."bcachefs-unlock@" = {
+ overrideStrategy = "asDropin";
+ path = [
+ pkgs.bcachefs-tools
+ config.boot.initrd.systemd.package
+ ];
+ serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.bcachefs-tools ];
+ };
+
+ systemd.generators.bcachefs-fstab-generator = "${pkgs.bcachefs-fstab-generator}/bin/bcachefs-fstab-generator";
+
+ systemd.services."bcachefs-unlock@" = {
+ overrideStrategy = "asDropin";
+ path = [
+ pkgs.bcachefs-tools
+ config.systemd.package
+ ];
+ serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.bcachefs-tools ];
+ };
+ };
+}
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
index d7e83464391c4..61d12c61a7afd 100644
--- a/nixos/modules/tasks/filesystems/bcachefs.nix
+++ b/nixos/modules/tasks/filesystems/bcachefs.nix
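Review bot: Nothing in the new `bcachefs-unlock.nix` wires up Clevis, whereas the `mkUnits` helper this patch deletes from bcachefs.nix tried `clevis decrypt < "/etc/clevis/${device}.jwe"` before falling back to `systemd-ask-password`. Unless the `bcachefs-unlock@` base unit handles that itself (not visible in this diff), systemd-initrd hosts that rely on unattended Clevis unlock would end up at an interactive prompt at boot. Both `bcachefs-unlock@` blocks use `overrideStrategy = "asDropin"`, so the actual unlock logic comes from a unit defined outside this file; a comment such as `# drop-in only: the bcachefs-unlock@ template itself comes from outside this module` above them would make that dependency explicit for whoever audits the key-handling path. Two smaller points on the option: the `mkEnableOption` text ends in a period, which will likely render doubled because the helper appends its own, and `defaultText` would normally be wrapped as `lib.literalExpression "..."`.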
@@ -71,46 +71,6 @@ let tryUnlock ${name} ${firstDevice fs} ''; - mkUnits = prefix: name: fs: let - mountUnit = "${utils.escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint))}.mount"; - device = firstDevice fs; - deviceUnit = "${utils.escapeSystemdPath device}.device"; - in { - name = "unlock-bcachefs-${utils.escapeSystemdPath fs.mountPoint}"; - value = { - description = "Unlock bcachefs for ${fs.mountPoint}"; - requiredBy = [ mountUnit ]; - after = [ deviceUnit ]; - before = [ mountUnit "shutdown.target" ]; - bindsTo = [ deviceUnit ]; - conflicts = [ "shutdown.target" ]; - unitConfig.DefaultDependencies = false; - serviceConfig = { - Type = "oneshot"; - ExecCondition = "${pkgs.bcachefs-tools}/bin/bcachefs unlock -c \"${device}\""; - Restart = "on-failure"; - RestartMode = "direct"; - # Ideally, this service would lock the key on stop. - # As is, RemainAfterExit doesn't accomplish anything. - RemainAfterExit = true; - }; - script = let - unlock = ''${pkgs.bcachefs-tools}/bin/bcachefs unlock "${device}"''; - unlockInteractively = ''${config.boot.initrd.systemd.package}/bin/systemd-ask-password --timeout=0 "enter passphrase for ${name}" | exec ${unlock}''; - in if useClevis fs then '' - if ${config.boot.initrd.clevis.package}/bin/clevis decrypt < "/etc/clevis/${device}.jwe" | ${unlock} - then - printf "unlocked ${name} using clevis\n" - else - printf "falling back to interactive unlocking...\n" - ${unlockInteractively} - fi - '' else '' - ${unlockInteractively} - ''; - }; - }; - assertions = [ { assertion = let 
@@ -140,10 +100,7 @@ in boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; services.udev.packages = [ pkgs.bcachefs-tools ]; - systemd = { - packages = [ pkgs.bcachefs-tools ]; - services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems); - }; + systemd.packages = [ pkgs.bcachefs-tools ]; } (lib.mkIf ((config.boot.initrd.supportedFilesystems.bcachefs or false) || (bootFs != {})) { @@ -164,8 +121,6 @@ in ''; boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + lib.concatStrings (lib.mapAttrsToList openCommand bootFs)); - - boot.initrd.systemd.services = lib.mapAttrs' (mkUnits "/sysroot") bootFs; }) ]); }