nix-community / srvos

NixOS profiles for servers [maintainer=@numtide]
https://nix-community.github.io/srvos
MIT License

Consider enabling systemd in stage1 when network is used #298

Closed SuperSandro2000 closed 9 months ago

SuperSandro2000 commented 10 months ago

Stage 1 networking and systemd should work since https://github.com/NixOS/nixpkgs/pull/169116

SuperSandro2000 commented 10 months ago

I've just noticed that people might have been using the following

boot.initrd.network.postCommands = ''
  cat <<EOF > /root/.profile
  cryptsetup-askpass
  EOF
'';

which can be replaced with

boot.initrd.systemd.contents."/root/.profile".text = ''
  cryptsetup-askpass
'';

but I still need to verify that

zimbatm commented 10 months ago

Looking for opinion from @flokli

flokli commented 10 months ago

I'd probably follow nixpkgs defaults; it's fairly recently gotten out of "experimental" and there might still be some rough edges.

Mic92 commented 10 months ago

Will test and see on my hetzner machine. Not sure if nixpkgs's defaults are always the best to rely on, looking at what we do with networking configuration for example.

Mic92 commented 10 months ago

See https://github.com/nix-community/srvos/pull/312

SuperSandro2000 commented 9 months ago

boot.initrd.systemd.contents."/root/.profile".text = ''
  cryptsetup-askpass
'';

It turns out that the script no longer exists in the systemd based luks initrd but I could replace it with the following

boot.initrd.systemd = {
  contents."/root/.profile".text = ''
    # one crypttab entry per line: name device keyfile options
    while read -r name device keyfile options; do
      case "$name" in ''|'#'*) continue ;; esac
      systemd-cryptsetup attach "$name" "$device" "$keyfile" "$options"
    done < /etc/crypttab
  '';
  # fails fast and requires manual input even after unlocking disk via ssh
  services."systemd-ask-password-console".enable = false;
};

and that requires the following PR https://github.com/NixOS/nixpkgs/pull/274398 otherwise the .profile is not read.

Disabling systemd-ask-password-console in initrd is generating an error but things continue to boot anyway.
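
An added example (not code from this thread, from srvos or from nixpkgs) of the crypttab parsing a stage-1 .profile needs: it reads a constructed crypttab line by line and emits one systemd-cryptsetup attach command per volume, and contrasts that with the quoted loop form `for device in "$(cat /etc/crypttab)"`, which makes the whole file one word and runs its body exactly once. The UUIDs, key path and temporary file are constructed; the "-" placeholder for missing fields is assumed from systemd-cryptsetup's argument handling.

```shell
#!/bin/sh
# Added example, not from the srvos thread or nixpkgs: emit one
# "systemd-cryptsetup attach" command per /etc/crypttab entry, reading the
# file line by line. The quoted loop `for device in "$(cat /etc/crypttab)"`
# makes the whole file a single word, so it iterates exactly once; with more
# than one volume every field of every line ends up in one attach call.

# Constructed sample crypttab (hypothetical UUIDs): a comment, a blank line,
# a volume unlocked by password prompt ("none"), one with a key file and options.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
cryptroot /dev/disk/by-uuid/11111111-0000-0000-0000-000000000001 none luks

cryptdata /dev/disk/by-uuid/11111111-0000-0000-0000-000000000002 /etc/keys/data.key luks,discard
'
CRYPTTAB_FILE=$(mktemp)
trap 'rm -f "$CRYPTTAB_FILE"' EXIT
printf '%s' "$SAMPLE_CRYPTTAB" > "$CRYPTTAB_FILE"

# quoted_loop_iterations FILE: how many times the body of the original
# quoted loop runs for this file (always 1, whatever the file contains).
quoted_loop_iterations() {
    n=0
    for device in "$(cat "$1")"; do
        n=$((n + 1))
    done
    echo "$n"
}

# crypttab_attach_cmds FILE: one attach command per entry; comments and
# blank lines are skipped, an entry without a source device is an error.
# A missing key file or options field becomes "-", which systemd-cryptsetup
# treats as "not given" (assumed from its argument handling); "none" is
# passed through unchanged.
crypttab_attach_cmds() {
    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in
            '' | '#'*) continue ;;
        esac
        if [ -z "$device" ]; then
            echo "crypttab: entry '$name' has no source device" >&2
            return 1
        fi
        printf 'systemd-cryptsetup attach %s %s %s %s\n' \
            "$name" "$device" "${keyfile:--}" "${options:--}"
    done < "$1"
}

# In an initrd .profile these commands would be executed; here they are printed.
echo "quoted loop runs $(quoted_loop_iterations "$CRYPTTAB_FILE") time(s) for 2 volumes"
crypttab_attach_cmds "$CRYPTTAB_FILE"
```

Run it as a plain script; it prints the single iteration count of the quoted loop and the two attach commands. The `|| [ -n "$name" ]` on the `read` keeps a final line without a trailing newline from being silently dropped, which matters for hand-edited crypttab files.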

phaer commented 9 months ago

Closing this as systemd-in-stage1 is enabled even with networkd since #312 and this seems to be about nixpkgs, not srvos? Otherwise we can still re-open :)

Disabling systemd-ask-password-console in initrd is generating an error

That error would IMO be more interesting than trying to re-implement the logic manually. Might point at a problem in the nixpkgs implementation.

fwiw systemd-ask-password as well as systemctl default work well for me via SSH when using systemd-in-stage1 and zfs encryption.

SuperSandro2000 commented 9 months ago

That error would IMO be more interesting than trying to re-implement the logic manually. Might point at a problem in the nixpkgs implementation.

I've just updated my kernel to 6.6.7 and enabled the unit again and couldn't produce the bug anymore. Maybe it is some race condition.

System package diff:
cpupower: 6.6.6 → 6.6.7
initrd-linux: 6.6.6 → 6.6.7, -11.9 KiB
linux: 6.6.6, 6.6.6-modules → 6.6.7, 6.6.7-modules, +12.0 KiB
unit-systemd-network-generator.service: ε → ∅
unit-systemd-networkd-wait-online.service: ε → ∅
unit-systemd-tmpfiles-setup-dev.service: ε → ∅
zfs-kernel: 2.2.2-6.6.6 → 2.2.2-6.6.7