| 30 Jan 2025 |
eyJhb | * When was it that systemd initrd would become the default in NixOS? | 11:25:44 |
K900 | We were hoping for 24.11 | 11:36:39 |
K900 | But there's still a few weird bugs | 11:36:45 |
K900 | @ElvishJerricco knows more | 11:36:48 |
ElvishJerricco | I had been hoping to get it enabled by default on unstable very early in the 24.11 cycle, so that it would be in 25.05 with a fair amount of real world testing by the broader nixos-unstable userbase, but life has very much been in the way of me accomplishing that so far | 11:38:45 |
ElvishJerricco | the main issue is that we don't have the ISO using it yet, because of highly obscure bugs that disproportionately affect the ISO (which I've been struggling to solve for a good while now) | 11:39:57 |
ElvishJerricco | The other main thing is that LUKS devices often time out waiting for a password when they shouldn't, which happens because nixos-generate-config does the wrong thing and uses the UUID link instead of the mapper link. | 11:41:02 |
ElvishJerricco | there's a number of other very minor odds and ends, but nothing serious enough to be a blocker IIRC | 11:41:34 |
eyJhb | Is there a tracking issue for all this? | 11:43:31 |
eyJhb | I somewhat want to upstream my LUKS GPG smartcard module as well, so that we don't have to drop support for boot.initrd.luks.devices.<name>.gpgCard as well | 11:44:01 |
ElvishJerricco | The main way I keep track of everything is in the github "project" https://github.com/orgs/NixOS/projects/66 | 11:44:48 |
ElvishJerricco | though admittedly that doesn't track which ones I would consider blockers | 11:45:04 |
ElvishJerricco | Aren't smartcards basically just a marketing term for pkcs#11? Because systemd-cryptenroll / systemd-cryptsetup do support pkcs#11 tokens | 11:46:05 |
eyJhb | Yeah, I think we discussed this before. But basically, it's a Yubikey with a GPG key on it, so it won't enroll into cryptenroll | 11:47:43 |
eyJhb | So systemd-cryptenroll wouldn't support the current workflow | 11:48:09 |
eyJhb | I shouldn't have used the term smartcard, gpgCard? If that makes any more sense? | 11:48:37 |
ElvishJerricco | Right.... The correct solution would probably be to add support in systemd for it. | 11:48:44 |
ElvishJerricco | * Right.... The correct solution would probably be to add support in upstream systemd for it. | 11:48:53 |
ElvishJerricco | Of course that's more difficult though, what with it being a C codebase and having more serious automated testing standards than nixos in general does. | 11:50:19 |
ElvishJerricco | (IIRC; I might be wrong about the testing thing) | 11:50:59 |
eyJhb | I actually uploaded my jankness here https://gist.github.com/eyJhb/2152a51856b463da410a259970cd573e | 11:52:42 |
eyJhb | Yeah, I don't think I would be able to handle upstreaming it to systemd. But maybe one could make an issue for it. | 11:52:59 |
eyJhb | * Yeah, I don't think I would be able to handle upstreaming it to systemd. But maybe one could make a(n)/ issue for it. | 11:53:03 |
eyJhb | * Yeah, I don't think I would be able to handle upstreaming it to systemd. But maybe one could make a(n)? issue for it. | 11:53:07 |
eyJhb | (keep in mind, this doesn't respect the current setup, at all, it would need to be modified) | 11:54:19 |
ElvishJerricco | This is the sort of stuff I'm very hesitant about. The reason is a combination of this being a bespoke scheme that no one else in the world uses besides us and the fact that it's just a big pile of code that doesn't receive the same level of security review as upstream systemd. | 12:01:10 |
ElvishJerricco | Like that's why I'm kinda unhappy with our clevis stuff. It'd be better if it was based on systemd credentials, just because systemd does handle those with quite a bit of care. But I tried to implement that a while ago and it was... a tad tricky so I haven't tried to finish it yet. | 12:03:36 |
eyJhb | I fully understand that, and I have absolutely zero reason to push for the above. I'm happy if I can just run it myself. It's as you say, very niche | 12:10:31 |
gdamjan | which one is it exactly? I think all that have GPG support have pkcs too? | 13:12:16 |
eyJhb | Yes, they have pkcs support (AFAIK), but that can't be used in my setup, as I have more than 1 Yubikey, which have identical GPG keys on them. So I can use any of them to unlock my system | 13:13:37 |