nixos/bcachefs-unlock: init

NixOS · Sep 29, 2024 · e106ca6 · e106ca6
1 parent 424d921
commit e106ca6
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 46 deletions.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1658,6 +1658,7 @@
   ./tasks/filesystems.nix
   ./tasks/filesystems/apfs.nix
   ./tasks/filesystems/bcachefs.nix
+  ./tasks/filesystems/bcachefs-unlock.nix
   ./tasks/filesystems/btrfs.nix
   ./tasks/filesystems/cifs.nix
   ./tasks/filesystems/ecryptfs.nix

diff --git a/nixos/modules/tasks/filesystems/bcachefs-unlock.nix b/nixos/modules/tasks/filesystems/bcachefs-unlock.nix
@@ -0,0 +1,38 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+{
+  options.bcachefs-unlock.enable =
+    lib.mkEnableOption "unlocking bcachefs file systems with a systemd generator."
+    // {
+      default = config.boot.supportedFilesystems.bcachefs || config.boot.initrd.supportedFilesystems.bcachefs;
+      defaultText = "boot.supportedFilesystems.bcachefs || boot.initrd.supportedFilesystems.bcachefs";
+    };
+
+  config = lib.mkIf config.bcachefs-unlock.enable {
+    boot.initrd.systemd.contents."/etc/systemd/system-generators/bcachefs-fstab-generator".source = "${pkgs.bcachefs-fstab-generator}/bin/bcachefs-fstab-generator";
+
+    boot.initrd.systemd.services."bcachefs-unlock@" = {
+      overrideStrategy = "asDropin";
+      path = [
+        pkgs.bcachefs-tools
+        config.boot.initrd.systemd.package
+      ];
+      serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.bcachefs-tools ];
+    };
+
+    systemd.generators.bcachefs-fstab-generator = "${pkgs.bcachefs-fstab-generator}/bin/bcachefs-fstab-generator";
+
+    systemd.services."bcachefs-unlock@" = {
+      overrideStrategy = "asDropin";
+      path = [
+        pkgs.bcachefs-tools
+        config.systemd.package
+      ];
+      serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.bcachefs-tools ];
+    };
+  };
+}
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
@@ -71,46 +71,6 @@ let
     tryUnlock ${name} ${firstDevice fs}
   '';
 
-  mkUnits = prefix: name: fs: let
-    mountUnit = "${utils.escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint))}.mount";
-    device = firstDevice fs;
-    deviceUnit = "${utils.escapeSystemdPath device}.device";
-  in {
-    name = "unlock-bcachefs-${utils.escapeSystemdPath fs.mountPoint}";
-    value = {
-      description = "Unlock bcachefs for ${fs.mountPoint}";
-      requiredBy = [ mountUnit ];
-      after = [ deviceUnit ];
-      before = [ mountUnit "shutdown.target" ];
-      bindsTo = [ deviceUnit ];
-      conflicts = [ "shutdown.target" ];
-      unitConfig.DefaultDependencies = false;
-      serviceConfig = {
-        Type = "oneshot";
-        ExecCondition = "${pkgs.bcachefs-tools}/bin/bcachefs unlock -c \"${device}\"";
-        Restart = "on-failure";
-        RestartMode = "direct";
-        # Ideally, this service would lock the key on stop.
-        # As is, RemainAfterExit doesn't accomplish anything.
-        RemainAfterExit = true;
-      };
-      script = let
-        unlock = ''${pkgs.bcachefs-tools}/bin/bcachefs unlock "${device}"'';
-        unlockInteractively = ''${config.boot.initrd.systemd.package}/bin/systemd-ask-password --timeout=0 "enter passphrase for ${name}" | exec ${unlock}'';
-      in if useClevis fs then ''
-        if ${config.boot.initrd.clevis.package}/bin/clevis decrypt < "/etc/clevis/${device}.jwe" | ${unlock}
-        then
-          printf "unlocked ${name} using clevis\n"
-        else
-          printf "falling back to interactive unlocking...\n"
-          ${unlockInteractively}
-        fi
-      '' else ''
-        ${unlockInteractively}
-      '';
-    };
-  };
-
   assertions = [
     {
       assertion = let
@@ -140,10 +100,7 @@ in
       boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
       services.udev.packages = [ pkgs.bcachefs-tools ];
 
-      systemd = {
-        packages = [ pkgs.bcachefs-tools ];
-        services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems);
-      };
+      systemd.packages = [ pkgs.bcachefs-tools ];
     }
 
     (lib.mkIf ((config.boot.initrd.supportedFilesystems.bcachefs or false) || (bootFs != {})) {
@@ -164,8 +121,6 @@ in
       '';
 
       boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + lib.concatStrings (lib.mapAttrsToList openCommand bootFs));
-
-      boot.initrd.systemd.services = lib.mapAttrs' (mkUnits "/sysroot") bootFs;
     })
   ]);
 }