Open ghost opened 8 months ago
It's possible to use netboot-minimal as a UKI to generate a usable nixos image that fits in a single file on the EFI system partition. From there, you can use pretty much whatever method you want to decrypt and mount your main partition and then kexec into a generation and profile of choice that's on that partition.
I'm currently experimenting with something like this and it's been pretty promising. It may even be possible to skip systemd-boot altogether and boot directly into the intermediate image and autorun some kind of boot menu. (Since it'd be a nixos image, the menu wouldn't even need to worry about mounting, since you can just specify that in the config like any other NixOS installation.)
Do share the repo you're working on. I'd be very interested in observing it.
Issue description

`/boot/efi` is often a partition that's only 512MB. That gets filled very quickly nowadays with one or two entries and makes `nixos-rebuild` fail (#23926). For unencrypted root partitions (or those encrypted with LUKS1), switching to grub is an alternative. For other encryption methods (LUKS2 and others), there is no other option but to force a single boot entry (`boot.loader.systemd-boot.configurationLimit = 1;`) and hope the `/boot/efi/EFI/nixos/*.efi` doesn't get bigger than 512MB.

Approach
The arch-wiki describes how to boot from another disk or partition. It doesn't include how to decrypt another partition before accessing the required file, but maybe `systemd-boot` has some way of doing so, just like GRUB2.

Although the EFI shell commands seem quite sparse, maybe it might be possible to have a generic initrd that mounts the encrypted partitions and starts another initrd from the decrypted partition. Maybe that's possible with `kexec`? The archwiki has a page on it.

The process would then be something like:

- `/boot/efi/EFI/nixos`
  - `minimalKernel`
  - `minimalInitRD` with following options
    - `targetKernel`
    - `targetInitRD`
- `targetKernel`
- `targetInitRD`
- `kexec $targetKernel --initrd $targetInitRD`
Technical details

Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.69, NixOS, 23.11 (Tapir), 23.11.2217.d02d818f22c7`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
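The decrypt-then-kexec stage sketched in the issue, written out as an added example (not code from the issue, NixOS or nixpkgs): a POSIX sh script for the `minimalInitRD` that opens the LUKS2 volume, mounts it read-only, resolves a NixOS generation's kernel and initrd under the mount point, and hands them to `kexec`. The device/mapper/mount names and the generation layout (`kernel`, `initrd`, `init` and `kernel-params` under the profile's store path) are assumptions, and the sample tree is constructed purely for a dry run.

```shell
#!/bin/sh
# Intermediate-initrd stage for the flow in the issue: unlock the LUKS2 root,
# mount it read-only, select a NixOS generation on it, kexec its kernel+initrd.
# DISK, MAPPER and MNT are assumed names for this illustration.
set -eu
DISK=${DISK:-/dev/disk/by-partlabel/root}; MAPPER=${MAPPER:-cryptroot}; MNT=${MNT:-/sysroot}

# Nix store symlinks are absolute (/nix/store/...); while the target root is mounted
# at $1 they must be re-rooted under that prefix or kexec will not find the files.
reroot() {  # $1 = mount point, $2 = path inside it (may be a symlink chain)
  p=$2
  while [ -L "$1$p" ]; do
    t=$(readlink "$1$p")
    case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
  done
  printf '%s\n' "$1$p"
}
# Store path of a generation: "current" follows the system profile link,
# a number selects /nix/var/nix/profiles/system-<N>-link.
select_generation() {  # $1 = mount point, $2 = generation number or "current"
  case $2 in current) link=/nix/var/nix/profiles/system ;;
            *) link=/nix/var/nix/profiles/system-$2-link ;; esac
  p=$(reroot "$1" "$link"); printf '%s\n' "${p#"$1"}"
}
# Print kernel path, initrd path and kernel command line, one per line. init= keeps
# the plain store path because the booted system sees the root at /.
kexec_args() {  # $1 = mount point, $2 = generation store path
  reroot "$1" "$2/kernel"; reroot "$1" "$2/initrd"
  printf 'init=%s/init %s\n' "$2" "$(cat "$1$2/kernel-params")"
}
boot_generation() {  # $1 = generation number or "current"; run as root in the initrd
  cryptsetup open "$DISK" "$MAPPER"                  # prompts for the passphrase
  mkdir -p "$MNT" && mount -o ro "/dev/mapper/$MAPPER" "$MNT"
  kexec_args "$MNT" "$(select_generation "$MNT" "$1")" | {
    read -r kernel; read -r initrd; read -r cmdline
    kexec --load "$kernel" --initrd="$initrd" --command-line="$cmdline"
  }
  umount "$MNT" && cryptsetup close "$MAPPER"        # the target initrd re-opens it
  kexec -e
}

make_fake_root() {  # constructed sample tree shaped like a NixOS root, dry run only
  r=$(mktemp -d); sys=$r/nix/store/abc-nixos-system-demo-23.11; lnx=$r/nix/store/def-linux-6.1.69
  mkdir -p "$sys" "$lnx" "$r/nix/var/nix/profiles"; : > "$lnx/bzImage"; : > "$lnx/initrd"
  ln -s /nix/store/def-linux-6.1.69/bzImage "$sys/kernel"; ln -s /nix/store/def-linux-6.1.69/initrd "$sys/initrd"
  : > "$sys/init"; echo loglevel=4 > "$sys/kernel-params"
  ln -s /nix/store/abc-nixos-system-demo-23.11 "$r/nix/var/nix/profiles/system-7-link"
  ln -s system-7-link "$r/nix/var/nix/profiles/system"; printf '%s\n' "$r"
}
demo=$(make_fake_root); kexec_args "$demo" "$(select_generation "$demo" current)"  # dry run
```

The dry run only prints the three values `boot_generation` would pass to `kexec --load`; nothing is unlocked or mounted until that function is actually called from the initrd.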