Note, this is all about non-root zpools, for which adding this to the initrd would be inappropriate (especially since the key to open the devices comprising the zpool is stored on the root fs -- and with the initrd being stored in the EFI system partition, it's not safe to put the key there.)
I have populated a /etc/crypttab and created cryptsetup services via
```nix
{ pkgs, ... }:
{
  # Let systemd generate a systemd-cryptsetup@<name>.service unit per crypttab entry.
  systemd.generator-packages = [
    pkgs.systemd-cryptsetup-generator
  ];

  # The crypttab itself; the key file lives on the (already unlocked) root fs.
  environment.etc = {
    "crypttab" = {
      enable = true;
      text = ''
        <name> UUID=<uuid> /etc/crypttab-key luks
        ...
      '';
    };
  };
}
```
This will unlock the devices fine upon boot; however, the zfs-import-w.service created from my `boot.zfs.extraPools = [ "w" ];` runs before it is done and fails.
It seems that, to imitate what is done with the zfsonlinux.org packages for Fedora or Ubuntu, for example, the zfs-import-w.service needs to have cryptsetup.target in its "After" specification. I've tried that, but there is no cryptsetup.target on NixOS -- I believe because of @edolstra's commit b06cb35, which drops the cryptsetup dependency in the systemd build.
I have verified that the cyclic dependency still exists:
```
while evaluating ‘check’ at /etc/nixos/nixpkgs/lib/types.nix:170:15, called from /etc/nixos/nixpkgs/lib/modules.nix:340:10:
while evaluating the attribute ‘buildInputs’ of the derivation ‘systemd-234’ at /etc/nixos/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:98:11:
while evaluating the attribute ‘buildInputs’ of the derivation ‘cryptsetup-1.7.5’ at /etc/nixos/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:98:11:
while evaluating the attribute ‘buildInputs’ of the derivation ‘lvm2-2.02.173’ at /etc/nixos/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:98:11:
infinite recursion encountered, at undefined position
```
I'm content to continue trying to figure this out when I have free time and will submit a PR if I do, but I'm interested in any pointers as to solving this or discussion about more practical ways to do this.
Technical details
- System:
- Nix version: 17.09.git.777443c (Hummingbird)
- Nixpkgs version: "17.09.git.777443c726M"
- Sandboxing enabled: false
(versions may be a little funny since I have my patch to attempt modifying the After on top of 17.09-small)
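An added example, not code from the issue or from NixOS: the script below reads crypttab entries, derives the `systemd-cryptsetup@<name>.service` unit names the generator will create (using systemd's documented escaping of instance names, assumed here to apply to plain crypttab names without slashes), and emits a drop-in that orders the pool's import unit after those units, standing in for the missing cryptsetup.target. The crypttab contents, UUIDs and pool name are constructed.

```python
# Added example: derive the per-device cryptsetup units from /etc/crypttab and
# write an ordering drop-in for zfs-import-<pool>.service. Unit naming follows
# systemd-cryptsetup-generator (systemd-cryptsetup@<escaped name>.service).

# Constructed sample crypttab; the UUIDs are placeholders, not real devices.
CRYPTTAB = """\
# constructed sample
w-disk0 UUID=00000000-0000-0000-0000-000000000000 /etc/crypttab-key luks
w-disk1 UUID=11111111-1111-1111-1111-111111111111 /etc/crypttab-key luks
scratch UUID=22222222-2222-2222-2222-222222222222 none luks,noauto
"""


def systemd_escape(s: str) -> str:
    """Escape a plain name as systemd does for unit instances: '/' becomes '-',
    and any byte that is not an ASCII alphanumeric, ':', '_' or '.' (or a
    leading '.') becomes a C-style \\xHH escape."""
    out = []
    for i, b in enumerate(s.encode()):
        c = chr(b)
        if c == "/":
            out.append("-")
        elif (c.isascii() and (c.isalnum() or c in ":_")) or (c == "." and i != 0):
            out.append(c)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def parse_crypttab(text: str) -> list:
    """Parse crypttab into dicts of name/device/keyfile/options; blank lines
    and lines starting with '#' are ignored, as crypttab(5) specifies."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed crypttab line: %r" % line)
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("-", "none") else None
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"name": fields[0], "device": fields[1],
                        "keyfile": keyfile, "options": options})
    return entries


def import_dropin(pool: str, crypttab: str) -> str:
    """Drop-in ordering zfs-import-<pool>.service after every crypttab unit
    that is unlocked at boot (noauto entries are skipped: Requires= would
    otherwise pull them in)."""
    units = ["systemd-cryptsetup@%s.service" % systemd_escape(e["name"])
             for e in parse_crypttab(crypttab) if "noauto" not in e["options"]]
    deps = " ".join(units)
    return ("# /etc/systemd/system/zfs-import-%s.service.d/cryptsetup.conf\n"
            "[Unit]\nRequires=%s\nAfter=%s\n" % (pool, deps, deps))


if __name__ == "__main__":
    print(import_dropin("w", CRYPTTAB))
```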