[Feature Request] Support systemd-boot files on encrypted partition

[ghost]

Issue description

/boot/efi is often a partition that's only 512MB. That gets filled very quickly nowadays with one or two entries and makes nixos-rebuild fail #23926 . For unencrypted root partitions (or those encrypted with LUKS1), switching to grub is an alternative. For other encryption methods (LUKS2 and others), there is no other option but to force a single boot entry (boot.loader.systemd-boot.configurationLimit = 1;) and hope the /boot/efi/EFI/nixos/*.efi doesn't get bigger than 512MB.

Approach

The arch-wiki describes how to boot from another disk or partition. It doesn't include how to decrypt another partition before accessing the required file, but maybe systemd-boot has some way of doing so, just like GRUB2.

Although, the EFI shell commands seem quite sparse maybe it might be possible to have a generic initrd that mounts the encrypted partitions and starts another initrd from the decrypted partition. Maybe that's possible with kexec ? The archwiki a page on it.

The process would then be something like

• put a single, minimalistic kernel and a single initrd (or initramfs?) into /boot/efi/EFI/nixos
• boot into minimalKernel with minimalInitRD with following options
  • partition containing targetKernel and targetInitRD
  • path to targetKernel
  • path to targetInitRD
• decrypt partition if necessary
• mount partition
• kexec $targetKernel --initrd $targetInitRD

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

• system: "x86_64-linux"
• host os: Linux 6.1.69, NixOS, 23.11 (Tapir), 23.11.2217.d02d818f22c7
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.18.1
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

[boomshroom]

It's possible to use netboot-minimal as a UKI to generate a usable nixos image that fits in a single file on the EFI system partition. From there, you can use pretty much whatever method you want to decrypt and mount your main partition and then kexec into a generation and profile of choice that's on that partition.

I'm currently experimenting with something like this and it's been pretty promising. It may even be possible to skip systemd-boot altogether and boot directly into the intermediate image and autorun some kind of boot menu. (Since it'd be a nixos image, the menu wouldn't even need to worry about mounting, since you can just specify that in the config like any other NixOS installation.)

[ghost]

Do share the repo you're working on. I'd be very interested in observing it.