NixOS systemd

Sender	Message	Time
12 Oct 2024
ElvishJerricco	hexa: So, I will say, when things get inexplicably confusing, my first guess is usually that there's a problem with unit ordering. What does your impermanence service look like?	19:51:32
hexa	ok, funny. the machine I posted last doesn't have impermanence 🙂	21:31:16
hexa	{ config, ... }: { boot.loader.systemd-boot.enable = false; boot.loader.efi.canTouchEfiVariables = true; boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.loader.grub = { enable = true; efiSupport = true; devices = [ ]; mirroredBoots = [ { devices = [ "nodev" ]; path = "/boot/a"; } { devices = [ "nodev" ]; path = "/boot/b"; } ]; extraConfig = " serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 terminal_input serial terminal_output serial "; }; age.secrets."initrd-ssh-hostkey".file = ../../agenix/${config.networking.hostName}-initrd-ssh-hostkey.age; boot.initrd = { kernelModules = [ "ipv6" "8021q" ]; systemd = { enable = true; network = { enable = true; netdevs = { "20-vlan100" = { netdevConfig = { Kind = "vlan"; Name = "vlan100"; Description = "LAN Access"; }; vlanConfig.Id = 100; }; }; networks = { "30-eno2" = { matchConfig.Name = "enp38s0"; networkConfig.LinkLocalAddressing = "no"; vlan = [ "vlan100" ]; }; "40-vlan100" = { matchConfig.Name = "vlan100"; networkConfig = { DHCP = "no"; IPv6AcceptRA = false; }; address = [ "fd42:23:42:b864::72:2/64" ]; gateway = [ "fe80::1" ]; }; }; }; }; network = { ssh = { enable = true; hostKeys = [ config.age.secrets."initrd-ssh-hostkey".path ]; authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; }; }; }; }	21:32:14
hexa	this is all the boot.* config for that machine	21:32:33
hexa	except for like hardware-configuration and boot.initrd.luks.devices	21:32:56
hexa	the machine boots from a btrfs root, i think sigh	21:33:36
ElvishJerricco	Yea I can't see anything wrong with that (well, except I'm not sure that agenix thing works exactly how you want but that's clearly unrelated)	21:35:56
ElvishJerricco	(basically agenix decryption has to be happening before the install-bootloader step for you to be getting the secret properly, and I'm not sure whether that happens in that order)	21:36:42
ElvishJerricco	(I'm pretty sure it doesn't because I'm pretty sure the boot loader stuff and therefore the append-initrd-secrets script happens before activation, and activation is when agenix takes effect)	21:39:13
hexa	the agenix secret is decrypted to a volatile location on the host after before activation	21:49:08
hexa	but whatever, it gives me a stable ssh hostkey in the initrd, so it must be working	21:49:40
ElvishJerricco	In reply to @hexa:lossy.network the agenix secret is decrypted to a volatile location on the host after before activation "after before"? Not sure you could have made that more confusing :P	21:51:05
hexa	lol 😄	21:51:14
ElvishJerricco	I thought it was during activation	21:51:15
hexa	yeah, before activation finishes	21:51:22
hexa	so before services that need it are started/restarted	21:51:40
ElvishJerricco	yea so probably the reason it works is because you've already got the secret from the previous configuration when you run `nixos-rebuild` or your equivalent	21:51:44
ElvishJerricco	which basically means your initrds are getting last gen's secret	21:52:04
ElvishJerricco	which is bad in the event of rotation	21:52:09
hexa	possibly	21:52:18
hexa	but very much a sidequest right now 😛	21:52:32
ElvishJerricco	Indeed!	21:52:43
ElvishJerricco	yea I'm at a loss as for what's causing those confusions on your system	21:52:56
ElvishJerricco	Does the system completely fail to boot?	21:53:02
hexa	no, it boots just fine	21:53:09
ElvishJerricco	or are you able to mess with it to get it to boot?	21:53:12
ElvishJerricco	oh	21:53:17
hexa	it just spews those messages	21:53:17
hexa	which is completely non-sense 😄	21:53:24
ElvishJerricco	right that's extremely confusing	21:53:31

hexa: So, I will say, when things get inexplicably confusing, my first guess is usually that there's a problem with unit ordering. What does your impermanence service look like?