| 22 Dec 2024 |
waltmck | I'm not using LUKS, I'm using zfs native encryption | 00:27:10 |
waltmck | but I set keylocation="prompt", I'll see if that works | 00:27:45 |
waltmck | Do you see anything obviously stupid in my config? | 00:28:06 |
waltmck | (I separated the datasets part into a different file from the vdev part) | 00:28:46 |
Enzime | oh... I'm not sure if we've implemented any ZFS encryption password handling code | 00:28:57 |
Enzime | is there a particular reason you want to use ZFS native encryption? | 00:29:26 |
waltmck | So that I can zfs send incremental encrypted backups to an offsite server, primarily | 00:29:55 |
Enzime | just wanted to make sure you have an actual use case as I still see a lot of people recommending to avoid ZFS native encryption | 00:31:02 |
waltmck | yeah, I know there are some pitfalls | 00:31:27 |
Enzime | In reply to @waltmck:matrix.org but I set keylocation="prompt", I'll see if that works I think it should work | 00:33:17 |
Enzime | https://github.com/nix-community/disko/blob/master/lib/types/zfs_volume.nix#L71-L75 | 00:33:23 |
Enzime | there is some code for ZFS native encryption support in disko already | 00:33:36 |
Enzime | In reply to @waltmck:matrix.org Do you see anything obviously stupid in my config? it looks fine to me | 00:35:01 |
Enzime | is there a reason you have enc/state/root if you have sys as well | 00:35:23 |
Enzime | as an immutable root? | 00:35:25 |
waltmck | sys is unencrypted | 00:35:37 |
Enzime | why not just encrypt it all? | 00:36:19 |
Enzime | I'm not sure if you already have code to auto-rollback the root on each boot, you should be able to do something like:
https://github.com/Enzime/dotfiles-nix/blob/main/hosts/sigma/hardware-configuration.nix#L57-L59
https://github.com/Enzime/dotfiles-nix/blob/main/modules/impermanence.nix#L20-L31 | 00:37:16 |
waltmck | That would also be reasonable. I don't see why it would necessarily be better than encrypting just the mutable parts | 00:37:16 |
Enzime | In reply to @waltmck:matrix.org That would also be reasonable. I don't see why it would necessarily be better than encrypting just the mutable parts I guess it would just simplify because you could make sys your rootfs dataset and have one less dataset | 00:37:43 |
waltmck | In reply to @enzime:nixos.dev I'm not sure if you already have code to auto-rollback the root on each boot, you should be able to do something like: https://github.com/Enzime/dotfiles-nix/blob/main/hosts/sigma/hardware-configuration.nix#L57-L59 https://github.com/Enzime/dotfiles-nix/blob/main/modules/impermanence.nix#L20-L31 yeah, I do that on my laptop. I think it's more inconvenience than it's worth so I'm planning on scrapping it | 00:37:44 |
waltmck | I have run into terrible issues where impermanence fails to mount something and it prevents a usable system from booting | 00:38:19 |
waltmck | In reply to @enzime:nixos.dev I guess it would just simplify because you could make sys your rootfs dataset and have one less dataset * One reason is that I am using dedup on my /nix dataset, so it has to be a separate dataset anyway. dedup on root would be ill-advised | 00:39:18 |
Enzime | I'm not too familiar with dedup, sys and sys/nix are separate-ish datasets no? | 00:40:06 |
Enzime | https://github.com/willibutz/preservation | 00:40:22 |
Enzime | In reply to @waltmck:matrix.org I have run into terrible issues where impermanence fails to mount something and it prevents a usable system from booting * I haven't had a chance to try it but I've heard this is better than impermanence | 00:40:28 |
waltmck | In reply to @enzime:nixos.dev https://github.com/willibutz/preservation I'll take a look at that! | 00:41:17 |
waltmck | In reply to @enzime:nixos.dev I'm not too familiar with dedup, sys and sys/nix are separate-ish datasets no? ah I see what you mean here. Yeah, root could be mounted on sys (if I encrypted sys) | 00:41:41 |