| 4 Oct 2024 |
 ElvishJerricco | oh | 01:08:30 |
| ElvishJerricco | no | 01:08:31 |
| ElvishJerricco | I'm just silly | 01:08:33 |
| ElvishJerricco | and did my test badly | 01:08:40 |
 mjm | so it might still just be that? | 01:11:16 |
| ElvishJerricco | mjm: definitely was. Pushed a fix to the nixpkgs branch. Give it a try | 01:14:07 |
| mjm | okay yeah that fixed that issue, thanks! once i finish making dinner i need to try the credential thing | 01:36:03 |
| ElvishJerricco | nice | 01:36:11 |
| ElvishJerricco | mjm: I'm actually really curious if that will work for you. I actually have no idea how / if it's going to delay to find the TPM to decrypt the credential | 01:36:42 |
| ElvishJerricco | hm it might actually just... not | 01:38:07 |
| ElvishJerricco | but I think it would fallback to password in that case | 01:38:18 |
| ElvishJerricco | (but also it would be a race condition) | 01:38:26 |
| mjm | we shall see | 01:38:29 |
| mjm | no luck so far, it's falling back to prompting. i might be able to introduce dependencies to get it to wait for the tpm? | 02:21:57 |
| ElvishJerricco | In reply to @mjm:midna.dev
no luck so far, it's falling back to prompting. i might be able to introduce dependencies to get it to wait for the tpm? Yea, you should be able to do
boot.initrd.systemd.services."bcachefs-unlock@" = {
overrideStrategy = "asDropin";
after = ["tpm2.target"];
};
| 02:27:30 |
| mjm | alright let me give that a shot | 02:27:44 |
| mjm | i wonder why clevis doesn't need that? | 02:27:49 |
| ElvishJerricco | mjm: also how do you have the secret placed in the initrd? | 02:28:07 |
| mjm | i'm putting it in /etc/credstore.encrypted/bcachefs-sysroot-persist with boot.initrd.systemd.contents | 02:28:37 |
| ElvishJerricco | mjm: the file needs a .mount suffix | 02:29:04 |
| ElvishJerricco | (I should maybe not do that...) | 02:29:11 |
| mjm | oh you're right, i see | 02:30:06 |
| mjm | ElvishJerricco: it's failing pretty catastrophically, and I can't really tell why. emergency mode says my root account is locked, do you know what i can do to make it work? | 02:41:11 |
| ElvishJerricco | mjm: boot.initrd.systemd.emergencyAccess. You can set it to a hashed password or true for no password. Or you can add rd.systemd.debug_shell to the kernel params to get a shell on tty9 | 02:42:07 |
| mjm | oh i might have found it | 02:42:07 |
| mjm | thanks, yeah i literally just found the option :) | 02:42:25 |
| mjm | just gonna set it to true for now while figuring this out | 02:42:58 |
| mjm | I’m dumb, need to regenerate the credential with the right name, with the .mount suffix | 02:47:51 |
| ElvishJerricco | oh, I completely forgot the name is important when generating these things | 02:48:17 |
| ElvishJerricco | that's slightly frustrating but I totally get why they do it, and it makes perfect sense | 02:48:32 |
