4 Oct 2024 |
mjm | i'm putting it in /etc/credstore.encrypted/bcachefs-sysroot-persist with boot.initrd.systemd.contents | 02:28:37 |
ElvishJerricco | mjm: the file needs a .mount suffix | 02:29:04 |
ElvishJerricco | (I should maybe not do that...) | 02:29:11 |
mjm | oh you're right, i see | 02:30:06 |
mjm | ElvishJerricco: it's failing pretty catastrophically, and I can't really tell why. emergency mode says my root account is locked, do you know what i can do to make it work? | 02:41:11 |
ElvishJerricco | mjm: boot.initrd.systemd.emergencyAccess . You can set it to a hashed password or true for no password. Or you can add rd.systemd.debug_shell to the kernel params to get a shell on tty9 | 02:42:07 |
mjm | oh i might have found it | 02:42:07 |
mjm | thanks, yeah i literally just found the option :) | 02:42:25 |
mjm | just gonna set it to true for now while figuring this out | 02:42:58 |
mjm | I’m dumb, need to regenerate the credential with the right name, with the .mount suffix | 02:47:51 |
ElvishJerricco | oh, I completely forgot the name is important when generating these things | 02:48:17 |
ElvishJerricco | that's slightly frustrating but I totally get why they do it, and it makes perfect sense | 02:48:32 |
mjm | yeah so did i | 02:48:31 |
mjm | it works! | 02:53:50 |
mjm | automatic unlock, no clevis | 02:53:56 |
ElvishJerricco | fantastic! | 02:54:49 |
ElvishJerricco | Did it need the after = ["tpm2.target"]; thing? | 02:55:01 |
mjm | i'll need to test without it | 02:55:22 |
mjm | which i'll do shortly | 02:55:36 |
ElvishJerricco | cool, thanks for test :) | 02:55:49 |
ElvishJerricco | * cool, thanks for testing :) | 02:56:24 |
mjm | yeah np | 02:56:51 |
mjm | i think there may be something else weird here with impermanence, it makes this create-needed-for-boot-dirs service in initrd that is failing, not sure why yet. it's possible it was failing before though, since it doesn't seem to be blocking boot | 02:58:09 |
ElvishJerricco | hm, yea I can't imagine why this would have any effect on that | 02:59:10 |
ElvishJerricco | if clevis didn't | 02:59:14 |
mjm | true | 03:00:13 |
mjm | okay after = ["tpm2.target"] does not appear to be necessary | 03:03:00 |
mjm | works fine without it | 03:03:05 |
ElvishJerricco | interesting | 03:03:06 |
ElvishJerricco | I wonder if systemd is actually making sure to wait for the TPM or if you're just winning the race | 03:03:21 |