| 27 Nov 2022 |
 Arian | Which is probably too late | 22:37:34 |
 @me:linj.tech | In reply to @janne.hess:helsinki-systems.de
you probably want cryptsetup.target in that before Mounting /sysroot/nix... is before Reached target Local Encrypted Volumes., so before = [ "cryptsetup.target" ] is not enough I think | 22:39:03 |
| Arian | `unitConfig.DefaultDependencies=false` | 22:39:09 |
 @elvishjerricco:matrix.org | linj: as I understand it, preDeviceCommands in the old initrd basically means pre-udev. That is extremely early. | 22:56:59 |
| @me:linj.tech | Arian: your trick works!
pre-device-command = {
description = "pre device command";
wantedBy = [ "cryptsetup.target" ];
wants = [ "cryptsetup-pre.target" ];
before = [ "cryptsetup-pre.target" ];
unitConfig.DefaultDependencies = false;
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
script = ''
echo pre-device-command-start
echo pre-device-command-end
'';
};
| 23:01:17 |
| Arian | Great | 23:01:46 |
| @elvishjerricco:matrix.org | linj: I'm very curious what you're trying to achieve | 23:01:51 |
| @me:linj.tech | emm, what I want is somewhat weird: generate a keyfile on the fly for luks without storing that keyfile in initrd | 23:03:52 |
| @me:linj.tech | on a vps | 23:04:23 |
| @me:linj.tech | another question: the before = [ "" ] does not seem to work: 59:50 localhost systemd[1]: Reached target Local Encrypted Volumes (Pre). is before 59:50 localhost systemd[1]: pre-device-command.service: Deactivated successfully. in journal | 23:06:13 |
| @me:linj.tech | * another question: the before = [ "cryptsetup-pre.target" ] does not seem to work: 59:50 localhost systemd[1]: Reached target Local Encrypted Volumes (Pre). is before 59:50 localhost systemd[1]: pre-device-command.service: Deactivated successfully. in journal | 23:06:25 |
| @me:linj.tech | In reply to @me:linj.tech
another question: the before = [ "cryptsetup-pre.target" ] does not seem to work: 59:50 localhost systemd[1]: Reached target Local Encrypted Volumes (Pre). is before 59:50 localhost systemd[1]: pre-device-command.service: Deactivated successfully. in journal oneshot does not change this | 23:06:55 |
| Arian | there's an easier way to do that I think | 23:10:25 |
| Arian | pretty sure you can do this with systemd-repart | 23:16:51 |
| Arian | (Using /dev/urandom as the keyfile) | 23:17:12 |
| @me:linj.tech | my keyfile has a pre-defined key in it | 23:18:19 |
| @me:linj.tech | not random | 23:18:29 |
| @me:linj.tech | In reply to @me:linj.tech
oneshot does not change this well, oneshot does make sure my service is before cryptsetup-pre.target. I confirm it with sleep 10 | 23:20:40 |
| @me:linj.tech | thanks | 23:20:53 |
| @me:linj.tech | It's weird that my pre-device-command.service and cryptsetup-pre.target stops after finishing running nixos activation script.
from man systemd.special:
this target (cryptsetup-pre.target) is particularly useful to ensure that a service is shut down only after all encrypted block devices are fully stopped.
| 23:27:01 |
| @me:linj.tech | guess our initrd is not the same as what systemd's manual says | 23:28:06 |
| @elvishjerricco:matrix.org | How is that not in line with the manual? | 23:28:25 |
| @me:linj.tech | I think what the manual says is that cryptsetup-pre.target should be stopped when the system is shutdown | 23:29:44 |
| @me:linj.tech | but now, it is stopped after stage 2 | 23:29:54 |
| @elvishjerricco:matrix.org | That's not quite accurate | 23:30:22 |
| @elvishjerricco:matrix.org | Stage 1 has two big systemd transactions. First is initrd.target, and after that there's a service called initrd-cleanup.service that does systemctl isolate initrd-switch-root.target, which is the second transaction. This causes everything else to be stopped | 23:31:49 |
| @elvishjerricco:matrix.org | So that second transaction is in some ways very similar to system shutdown | 23:32:08 |
| @elvishjerricco:matrix.org | Any services in initrd that aren't supposed to be stopped by this (e.g. plymouth) need to either be wanted by initrd-switch-root.target, or have IgnoreOnIsolate=true | 23:33:37 |
| Arian | In reply to @me:linj.tech
my keyfile has a pre-defined key in it Then don't use /dev/urandom | 23:34:18 |
| Arian | But the keyfile :) | 23:35:03 |
