| 30 Jan 2025 |
 ElvishJerricco | The main way I keep track of everything is in the github "project" https://github.com/orgs/NixOS/projects/66 | 11:44:48 |
| ElvishJerricco | though admittedly that doesn't track which ones I would consider blockers | 11:45:04 |
| ElvishJerricco | Aren't smartcards basically just a marketing term for pkcs#11? Because systemd-cryptenroll / systemd-cryptsetup do support pkcs#11 tokens | 11:46:05 |
 eyJhb | Yeah, I think we discussed this before. But basically, it's a Yubikey with a GPG key on it, so it won't enroll into cryptenroll | 11:47:43 |
| eyJhb | So systemd-cryptenroll, wouldn't support the current workflow | 11:48:09 |
| eyJhb | I shouldn't have used the term smartcard, gpgCard? If that makes any more sense? | 11:48:37 |
| ElvishJerricco | Right.... The correct solution would probably be to add support in systemd for it. | 11:48:44 |
| ElvishJerricco | * Right.... The correct solution would probably be to add support in upstream systemd for it. | 11:48:53 |
| ElvishJerricco | Of course that's more difficult though, what with it being a C codebase and having more serious automated testing standards than nixos in general does. | 11:50:19 |
| ElvishJerricco | (IIRC; I might be wrong about the testing thing) | 11:50:59 |
| eyJhb | I actually uploaded my jankness here https://gist.github.com/eyJhb/2152a51856b463da410a259970cd573e | 11:52:42 |
| eyJhb | Yeah, I don't think I would be able to handle to upstream it to systemd. But maybe one could make an issue for it. | 11:52:59 |
| eyJhb | * Yeah, I don't think I would be able to handle to upstream it to systemd. But maybe one could make a(n)/ issue for it. | 11:53:03 |
| eyJhb | * Yeah, I don't think I would be able to handle to upstream it to systemd. But maybe one could make a(n)? issue for it. | 11:53:07 |
| eyJhb | (keep in mind, this doesn't respect the current setup, at all, it would need to be modified) | 11:54:19 |
| ElvishJerricco | This is the sort of stuff I'm very hesitant about. The reason is a combination of this being a bespoke scheme that no one else in the world uses besides us and the fact that it's just a big pile of code that doesn't receive the same level of security review as upstream systemd. | 12:01:10 |
| ElvishJerricco | Like that's why I'm kinda unhappy with our clevis stuff. It'd be better if it was based on systemd credentials, just because systemd does handle those with quite a bit of care. But I tried to implement that a while ago and it was... a tad tricky so I haven't tried to finish it yet. | 12:03:36 |
| eyJhb | I fully understand that, and I have absolutely zero reason to push for the above. I'm happy if I can just run it myself. It's as you say, very niche | 12:10:31 |
 gdamjan | which one is it exactly? I think all that have GPG support have pkcs too? | 13:12:16 |
| eyJhb | Yes, they have pkcs support (AFAIK), but that can't be used in my setup, as I have more than 1 yubikey, which have identical GPG keys on them. So I can use any of them, to unlock my system | 13:13:37 |
| ElvishJerricco | You could enroll multiple key slots, one for each yubikey. Course that's rather inconvenient if you expect to be replacing yubikeys with new ones often | 13:16:12 |
| ElvishJerricco | but that seems like an unlikely concern eyJhb :P | 13:16:46 |
| eyJhb | Not often, but I don't want to forget about it, and be shit out of luck :D | 13:17:13 |
| eyJhb | It's all about your threat model, and in theory, mine should be "shits and giggles" | 13:17:38 |
 Rayane Nakib (ريّان نقيب) | Hello, I need help setting up impermanence with the option initrd.systemd.enable enabled, The option boot.initrd.PostDeviceCommands does not work. | 20:35:22 |
| Rayane Nakib (ريّان نقيب) | 
Download This is the config that I have right now, But it's giving me an error when I try to rebuild my system. | 20:35:34 |
| Rayane Nakib (ريّان نقيب) | 
Download This is the error that I am getting. | 20:35:48 |
| eyJhb | Rayane Nakib (ريان نقيب): have you seen this? https://discourse.nixos.org/t/devices-not-visable-using-initrd-systemd-with-btrfs/42871 | 20:39:59 |
| eyJhb | Or this https://www.reddit.com/r/NixOS/comments/1d3iwy0/rollback_script_for_luksencrypted_btrfs_system/ | 20:41:10 |
| eyJhb | But would be nice if impermanence updated that part of the readme, to be ready for systemd-initrd | 20:41:23 |
