4 Oct 2024 |
ElvishJerricco | oh | 01:08:30 |
ElvishJerricco | no | 01:08:31 |
ElvishJerricco | I'm just silly | 01:08:33 |
ElvishJerricco | and did my test badly | 01:08:40 |
mjm | so it might still just be that? | 01:11:16 |
ElvishJerricco | mjm: definitely was. Pushed a fix to the nixpkgs branch. Give it a try | 01:14:07 |
mjm | okay yeah that fixed that issue, thanks! once i finish making dinner i need to try the credential thing | 01:36:03 |
ElvishJerricco | nice | 01:36:11 |
ElvishJerricco | mjm: I'm actually really curious if that will work for you. I actually have no idea how / if it's going to delay to find the TPM to decrypt the credential | 01:36:42 |
ElvishJerricco | hm it might actually just... not | 01:38:07 |
ElvishJerricco | but I think it would fallback to password in that case | 01:38:18 |
ElvishJerricco | (but also it would be a race condition) | 01:38:26 |
mjm | we shall see | 01:38:29 |
mjm | no luck so far, it's falling back to prompting. i might be able to introduce dependencies to get it to wait for the tpm? | 02:21:57 |
ElvishJerricco | In reply to @mjm:midna.dev "no luck so far, it's falling back to prompting. i might be able to introduce dependencies to get it to wait for the tpm?" Yea, you should be able to do
boot.initrd.systemd.services."bcachefs-unlock@" = {
overrideStrategy = "asDropin";
after = ["tpm2.target"];
};
| 02:27:30 |
mjm | alright let me give that a shot | 02:27:44 |
mjm | i wonder why clevis doesn't need that? | 02:27:49 |
ElvishJerricco | mjm: also how do you have the secret placed in the initrd? | 02:28:07 |
mjm | i'm putting it in /etc/credstore.encrypted/bcachefs-sysroot-persist with boot.initrd.systemd.contents | 02:28:37 |
ElvishJerricco | mjm: the file needs a .mount suffix | 02:29:04 |
ElvishJerricco | (I should maybe not do that...) | 02:29:11 |
mjm | oh you're right, i see | 02:30:06 |
mjm | ElvishJerricco: it's failing pretty catastrophically, and I can't really tell why. emergency mode says my root account is locked, do you know what i can do to make it work? | 02:41:11 |
ElvishJerricco | mjm: boot.initrd.systemd.emergencyAccess . You can set it to a hashed password or true for no password. Or you can add rd.systemd.debug_shell to the kernel params to get a shell on tty9 | 02:42:07 |
mjm | oh i might have found it | 02:42:07 |
mjm | thanks, yeah i literally just found the option :) | 02:42:25 |
mjm | just gonna set it to true for now while figuring this out | 02:42:58 |
mjm | I’m dumb, need to regenerate the credential with the right name, with the .mount suffix | 02:47:51 |
ElvishJerricco | oh, I completely forgot the name is important when generating these things | 02:48:17 |
ElvishJerricco | that's slightly frustrating but I totally get why they do it, and it makes perfect sense | 02:48:32 |