| 28 Apr 2023 |
 @elvishjerricco:matrix.org | My initrd is now maximally complicated. Two different LUKS volume, one TPM2 unlocked, both on ZFS zvols, one ZFS encryptionroot, custom ZFS import service, and networking with SSH and tailscale.
I can't imagine the nightmare that would have been without systemd-initrd. | 04:12:38 |
 @aktaboot:tchncs.de | In reply to @elvishjerricco:matrix.org
My initrd is now maximally complicated. Two different LUKS volume, one TPM2 unlocked, both on ZFS zvols, one ZFS encryptionroot, custom ZFS import service, and networking with SSH and tailscale.
I can't imagine the nightmare that would have been without systemd-initrd. may I ask whats your usecase for the networking part ? | 07:14:55 |
| @elvishjerricco:matrix.org | To unlock the the encrypted file system remotely over tailscale | 07:15:41 |
 @uep:matrix.org | I assume the LUKS-on-zvol are relatively small? basically key or config containers with relatively static filesystems, as a way of bootstrapping to the final zfs load-key? | 22:23:32 |
| @uep:matrix.org | (for example, to run the ssh service out of) | 22:24:35 |
| @elvishjerricco:matrix.org | uep: Exactly. The first volume, the tpm2 locked one, contains my ssh host keys and tailscale state directory. That way I can log in remotely, and the presence of correct host keys informs me that the tpm is happy with the boot measurements. The second volume is unlocked manually and contains the zfs key file | 22:24:41 |
| @uep:matrix.org | yup | 22:25:05 |
| @uep:matrix.org | why a second volume with file, rather than a passphrase directly, since you're logging in manually regardless? | 22:25:34 |
| @uep:matrix.org | (would make perfect sense as a multi-factor case, but you can't currently mix them without even more customisation) | 22:26:18 |
| @elvishjerricco:matrix.org | to get all the other nice luks-y things. Like I want to have the second volume unlocked with tpm2+pin (currently having a bug with that one), with a recovery key backup slot. | 22:26:37 |
| @uep:matrix.org | seems like a great topic for a write-up, either once you get the kinks ironed out, or even including the ironing process | 22:28:00 |
| @elvishjerricco:matrix.org | there's a bunch of stuff I need to write about :P I've been putting off writing a blog post about systemd-in-initrd for actual years lol | 22:28:31 |
| @uep:matrix.org | This is The Way | 22:38:23 |
| 29 Apr 2023 |
 @sigmasquadron:matrix.org | This is The Way. | 00:24:02 |
 @hexa:lossy.network | Redacted or Malformed Event | 10:20:12 |
 @janne.hess:helsinki-systems.de | c | 10:21:53 |
| @aktaboot:tchncs.de | ElvishJerricco Is there a reason remove_old_entries is called on rebuild and not hooked to garbage collection ? | 17:41:16 |
| @aktaboot:tchncs.de | * ElvishJerricco Is there a reason systemd-boot remove_old_entries() is called on rebuild and not hooked to garbage collection ? | 17:41:30 |
| @elvishjerricco:matrix.org | aktaboot: There's no such thing as "hooked to garbage collection" | 17:41:48 |
| @aktaboot:tchncs.de | garbage collection is only related to the nix store, but I guessed we could also delete older boot entries and kernel/initrd at garbage collection time as well | 17:42:52 |
| @aktaboot:tchncs.de | I guess that's the only place where this can be handled differently since it's not tied to the nix-store directly | 17:44:14 |
| @aktaboot:tchncs.de | the problem I encountered was that efi partition was full, so I could not rebuild, and therefore I also could not empty the efi | 17:45:16 |
| @aktaboot:tchncs.de | * the problem I encountered was that efi partition was full, so I could not rebuild, and therefore I also could not empty the efi with nix tooling | 17:45:22 |
| @aktaboot:tchncs.de | * the problem I encountered was that efi partition was full, so I could not rebuild, and therefore I also could not empty the efi with nix tooling, cleaning the efi manually isn't very user friendly or desirable | 17:52:48 |
| @elvishjerricco:matrix.org | systemd-boot-builder.py is supposed to clear old generations before it adds new ones, so running out of space isn't supposed to be a problem if you've garbage collected | 17:53:51 |
| @elvishjerricco:matrix.org | (in actuality it deletes the entire nixos folder in the ESP before recreating it, because of a bug, but the effect is the same) | 17:54:53 |
| 30 Apr 2023 |
| @janne.hess:helsinki-systems.de | ElvishJerricco: what do you think about a single option that disables timeout behaviour for crypto? I wouldn't want to enable it by default but I think it's not as uncommon to have issues as-is. For example, I reboot my computer and go fetch a coffee while it does it's thing, just to see that it rebooted and timed out into a recovery shell | 11:30:54 |
 oddlama | I just ran into this, too. I'd love an option to disable the timeout. | 13:58:58 |
| oddlama | Also not sure if this is related, but sometimes when I am in the middle of entering the password via ssh and systemd-tty-ask-password-agent, the agent seems to be reset and the prompt exits. | 14:02:05 |
| @elvishjerricco:matrix.org | Janne Heß: By default, JobTimeoutSec is set to 0 for crypttab stuff. So there should already be no timeout | 20:01:20 |
