
Conversation

ElvishJerricco
Contributor

@ElvishJerricco ElvishJerricco commented Sep 29, 2024

Description of changes

This systemd generator creates units that unlock your encrypted bcachefs file systems, based on the fstab file. It parses the fs_spec field and orders generated units after the necessary device.

I need to write an installer test for this. The original repo has tests that prove it works but that needs to be migrated into here.

It also respects the x-systemd.* FS options, e.g. x-systemd.requires is used to order a multi-device bcachefs mount after the requisite devices.

It also uses systemd credentials named bcachefs$(systemd-escape $mountpoint).mount, so file systems can be unlocked via keyfile, potentially encrypted with the TPM2.

Requesting review from known bcachefs users, among others.

Closes #317901

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

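The description above gives the rules the generator applies (fs_spec parsing, ordering after member devices and x-systemd.requires targets, and the credential name bcachefs$(systemd-escape $mountpoint).mount) but no code. The following is an added example written for this page, not the PR's generator (which is a Rust package), that models those rules in Python so the derived names can be checked against a sample fstab. Everything beyond the PR text is an assumption and marked as such in the code: the unlock unit name pattern (the linked issue only shows the prefix unlock-bcachefs-*.service), the mapping of x-systemd.requires= paths to units (taken from systemd's unit-name mangling), and the credstore placement in the provisioning command.

```python
"""Added illustration of the unit and credential names a bcachefs fstab generator derives.

Example code for this page, not the PR's generator.  Assumptions not stated in the PR:
the unlock unit is named unlock-bcachefs-<escaped mountpoint>.service (the linked issue
only shows the unlock-bcachefs-*.service prefix) and encrypted credentials are placed in
/etc/credstore.encrypted/, where LoadCredentialEncrypted= looks them up by name.
"""
import re
import string

_SAFE = set(string.ascii_letters + string.digits + ":_.")


def systemd_escape(s: str) -> str:
    """Pure-Python systemd-escape(1) without --path: '/' -> '-', a leading '.' and
    every byte outside [A-Za-z0-9:_.] -> \\xNN (lower-case hex)."""
    out = []
    for i, b in enumerate(s.encode()):
        c = chr(b)
        if c == "/":
            out.append("-")
        elif c in _SAFE and not (i == 0 and c == "."):
            out.append(c)
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def systemd_escape_path(path: str) -> str:
    """systemd-escape --path: drop leading/trailing/repeated slashes; '/' itself -> '-'."""
    parts = [p for p in path.split("/") if p]
    return systemd_escape("/".join(parts)) if parts else "-"


def _unescape_fstab(field: str) -> str:
    """fstab encodes whitespace in fields as octal escapes, e.g. \\040 for a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text: str):
    """Yield (fs_spec, mountpoint, fstype, [options]) for each real entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        spec, mnt, fstype, opts = (_unescape_fstab(f) for f in fields[:4])
        yield spec, mnt, fstype, opts.split(",")


_TAGS = {"UUID": "by-uuid", "LABEL": "by-label",
         "PARTUUID": "by-partuuid", "PARTLABEL": "by-partlabel"}


def device_unit(spec: str) -> str:
    """Map one fs_spec component (device node or TAG=value) to its .device unit,
    resolving TAG=value through /dev/disk/by-* as systemd's fstab generator does."""
    tag, sep, value = spec.partition("=")
    path = f"/dev/disk/{_TAGS[tag]}/{value}" if sep and tag in _TAGS else spec
    return systemd_escape_path(path) + ".device"


def dependency_unit(value: str) -> str:
    """x-systemd.requires= takes a unit name or an absolute path; systemd maps paths
    under /dev or /sys to .device units and other absolute paths to .mount units."""
    if value.startswith(("/dev/", "/sys/")):
        return systemd_escape_path(value) + ".device"
    if value.startswith("/"):
        return systemd_escape_path(value) + ".mount"
    return value


def plan_units(fstab_text: str):
    """Per bcachefs entry: unit names, credential name and After= ordering.
    Dependencies are de-duplicated with order preserved."""
    plans = []
    for spec, mnt, fstype, opts in parse_fstab(fstab_text):
        if fstype != "bcachefs":
            continue
        # multi-device bcachefs: fs_spec lists the member devices separated by ':'
        after = [device_unit(dev) for dev in spec.split(":")]
        after += [dependency_unit(o.split("=", 1)[1])
                  for o in opts if o.startswith("x-systemd.requires=")]
        after = list(dict.fromkeys(after))
        esc = systemd_escape_path(mnt)
        cred = "bcachefs" + systemd_escape(mnt) + ".mount"  # naming from the PR text
        plans.append({
            "mountpoint": mnt,
            "mount_unit": esc + ".mount",
            "unlock_unit": f"unlock-bcachefs-{esc}.service",  # assumed name pattern
            "credential": cred,
            "after": after,
            # one-off admin step to seal the keyfile to the TPM2 (credstore path assumed)
            "provision": f"systemd-creds encrypt --with-key=tpm2 --name={cred} "
                         f"KEYFILE /etc/credstore.encrypted/{cred}",
        })
    return plans


# Constructed sample fstab for this demo; not taken from the PR.
SAMPLE_FSTAB = """\
UUID=1234-abcd        /                bcachefs  defaults                             0 0
/dev/sda1:/dev/sdb1   /mnt/pool        bcachefs  x-systemd.requires=/dev/sdb1,noauto  0 0
/dev/sdc1             /mnt/my\\040data  bcachefs  defaults                             0 0
/dev/sdd1             /srv             ext4      defaults                             0 0
"""

if __name__ == "__main__":
    for p in plan_units(SAMPLE_FSTAB):
        print(p["unlock_unit"], "Before=" + p["mount_unit"], "After=" + " ".join(p["after"]))
        print("  credential:", p["credential"])
```

Two details worth checking against a real system: the UUID= case that the linked issue is about becomes a dependency on `dev-disk-by\x2duuid-….device`, not on a `UUID=…` string, and a mount point containing a space yields a credential name with a literal `\x20`, which is also the file name systemd expects in the credstore. The `--credential=NAME` option of `systemd-ask-password` that the author mentions later in the thread is how a generated unit would read that credential instead of prompting.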

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Sep 29, 2024
@ElvishJerricco
Contributor Author

Also, the package depends on the crates fstab, libsystemd-sys, and systemd. This is largely unnecessary and I intend to remove these dependencies. They just made life easier during development. They should be removed before merging. Help is welcome.

@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch 4 times, most recently from e106ca6 to c1f3ac6 Compare September 29, 2024 01:04
@h7x4 h7x4 added the 8.has: module (new) This PR adds a module in `nixos/` label Sep 29, 2024
@kraftnix
Contributor

Thanks for this, I just tested it on a native encrypted bcachefs 2-drive mirror and it works perfectly! So I can remove my hacky systemd units to unlock.

I am still having issues with systemd-remount-fs trying to unlock the bcachefs disk every rebuild and failing as it has no passphrase, but I had that previously (using a different hacky systemd unit to unlock and mount the bcachefs encrypted mirror).

@mjm
Contributor

mjm commented Sep 30, 2024

I don't really want to use this yet because it breaks Clevis. I'm not personally attached to Clevis specifically (though maybe someone is), but rather I want some mechanism to use TPM to provide the passphrase. A systemd credential could also work for that if the generator supported it. I suppose I could override the unit to add the credential and change the ExecStart to use it, but that's a little more invasive than I'd like to be.

Do you have plans for automatic unlock?

@ElvishJerricco
Contributor Author

@mjm Yea, I'm debugging some issues with the generator on my test system, but my intention is to add the --credential option to the systemd-ask-password call so that it can work pretty seamlessly with the TPM.

@mjm
Contributor

mjm commented Oct 1, 2024

Awesome, once that's ready, I'll test it on my bcachefs machine.

@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch 7 times, most recently from 5c4012b to 07f0c3c Compare October 5, 2024 01:07
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Oct 5, 2024
@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch 2 times, most recently from cd14cf3 to d4df588 Compare November 2, 2024 21:08
@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch from d4df588 to 9606f6b Compare February 13, 2025 03:08
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. and removed 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. labels Feb 13, 2025
@ElvishJerricco ElvishJerricco force-pushed the bcachefs-unlock-generator branch from 9606f6b to 84073de Compare February 13, 2025 06:26
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Apr 2, 2025
@nixpkgs-ci nixpkgs-ci bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 13, 2025
Development

Successfully merging this pull request may close these issues:

  • bcachefs: unlock-bcachefs-*.service fails with device = "UUID=..." (#317901)