From 075a0747ae9a13bade9deb637c9faaa8532d5cc7 Mon Sep 17 00:00:00 2001
From: hustlerone
Date: Wed, 11 Dec 2024 12:19:49 +0100
Subject: [PATCH] nixos/unl0kr: match the password agent with upstream
---
 nixos/modules/system/boot/unl0kr.nix | 82 +++++++++++-----------
 nixos/tests/systemd-initrd-luks-unl0kr.nix | 2 +-
 2 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/nixos/modules/system/boot/unl0kr.nix b/nixos/modules/system/boot/unl0kr.nix
index b18f9f064ec46..1e92914e75f9a 100644
--- a/nixos/modules/system/boot/unl0kr.nix
+++ b/nixos/modules/system/boot/unl0kr.nix
@@ -51,15 +51,13 @@ in
 assertion = cfg.enable -> config.boot.initrd.systemd.enable;
 message = "boot.initrd.unl0kr is only supported with boot.initrd.systemd.";
 }
- {
- assertion = !config.boot.plymouth.enable;
- message = "unl0kr will not work if plymouth is enabled.";
- }
 ];
 warnings =
 if config.hardware.amdgpu.initrd.enable then
 [ ''Use early video loading at your risk. It's not guaranteed to work with unl0kr.'' ]
+ else if config.boot.plymouth.enable then
+ [ ''Plymouth **might** cause issues'' ]
 else
 [ ];
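Review bot: The new `else if` makes the two warnings mutually exclusive: with both `hardware.amdgpu.initrd.enable` and `boot.plymouth.enable` set, only the amdgpu warning is emitted and the Plymouth one is lost, although the two conditions are independent. Building the list additively, `warnings = lib.optional config.hardware.amdgpu.initrd.enable ''Use early video loading at your risk. It's not guaranteed to work with unl0kr.'' ++ lib.optional config.boot.plymouth.enable ''...'';`, emits every warning that applies. The Plymouth message itself says nothing actionable and the `**might**` markdown is printed literally by the evaluator; since the hard assertion is being dropped, the warning should state the actual consequence, e.g. `''boot.plymouth.enable is set: unl0kr stands down while Plymouth is running and Plymouth handles the passphrase prompt instead.''` (that behaviour is inferred from the `ConditionPathExists` added in the second hunk, so confirm it before wording the message that way).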
@@ -84,60 +82,64 @@ in
 boot.initrd.systemd = {
 contents."/etc/unl0kr.conf".source = settingsFormat.generate "unl0kr.conf" cfg.settings;
- storePaths = with pkgs; [
- "${pkgs.gnugrep}/bin/grep"
- libinput
- xkeyboard_config
- "${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password"
- (lib.getExe' cfg.package "unl0kr")
- ];
+ storePaths =
+ (with pkgs; [
+ "${pkgs.gnugrep}/bin/grep"
+ libinput
+ xkeyboard_config
+ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password"
+ (lib.getExe' cfg.package "unl0kr")
+
+ ])
+ ++ ([
+ "${cfg.package}/libexec/unl0kr-agent"
+ ]);
 services = {
- unl0kr-ask-password = {
- description = "Forward Password Requests to unl0kr";
+ unl0kr-agent = {
+ description = "Dispatch Password Requests to unl0kr";
+
+ unitConfig.DefaultDependencies = false;
+ unitConfig.ConditionPathExists = "!/run/plymouth/pid";
+
+ after = [
+ "plymouth-start.service"
+ ];
 conflicts = [
 "emergency.service"
- "initrd-switch-root.target"
 "shutdown.target"
+ "initrd-switch-root.target"
 ];
- unitConfig.DefaultDependencies = false;
- after = [
- "systemd-vconsole-setup.service"
- "udev.service"
+ before = [
+ "emergency.service"
+ "shutdown.target"
+ "initrd-switch-root.target"
 ];
- before = [ "shutdown.target" ];
- script = ''
- # This script acts as a Password Agent: https://systemd.io/PASSWORD_AGENTS/
-
- DIR=/run/systemd/ask-password/
- # If a user has multiple encrypted disks, the requests might come in different times,
- # so make sure to answer as many requests as we can. Once boot succeeds, other
- # password agents will be responsible for watching for requests.
- while [ -d $DIR ] && [ "$(ls -A $DIR/ask.*)" ];
- do
- for file in `ls $DIR/ask.*`; do
- socket="$(cat "$file" | ${pkgs.gnugrep}/bin/grep "Socket=" | cut -d= -f2)"
- ${lib.getExe' cfg.package "unl0kr"} -v -C "/etc/unl0kr.conf" | ${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password 1 "$socket"
- done
- done
- '';
+
+ serviceConfig.ExecStart = "${cfg.package}/libexec/unl0kr-agent";
 };
 };
 paths = {
- unl0kr-ask-password = {
- description = "Forward Password Requests to unl0kr";
+ unl0kr-agent = {
+ description = "Dispatch Password Requests to unl0kr Directory Watch";
+
+ unitConfig.DefaultDependencies = false;
+ unitConfig.ConditionPathExists = "!/run/plymouth/pid";
+
+ after = [
+ "plymouth-start.service"
+ ];
 conflicts = [
 "emergency.service"
- "initrd-switch-root.target"
 "shutdown.target"
 ];
- unitConfig.DefaultDependencies = false;
 before = [
- "shutdown.target"
 "paths.target"
 "cryptsetup.target"
+ "emergency.service"
+ "shutdown.target"
 ];
- wantedBy = [ "sysinit.target" ];
+
 pathConfig = {
 DirectoryNotEmpty = "/run/systemd/ask-password";
 MakeDirectory = true;
diff --git a/nixos/tests/systemd-initrd-luks-unl0kr.nix b/nixos/tests/systemd-initrd-luks-unl0kr.nix
index 2f5c4b3dacedc..d0b5922673e29 100644
--- a/nixos/tests/systemd-initrd-luks-unl0kr.nix
+++ b/nixos/tests/systemd-initrd-luks-unl0kr.nix
@@ -4,7 +4,7 @@ import ./make-test-python.nix (
 passphrase = "secret";
 in
 {
- name = "systemd-initrd-luks-unl0kr";
+ name = "systemd-initrd-luks-unl0kr"; # How to run an interactive test: `nix run .#nixosTests.systemd-initrd-luks-unl0kr.driverInteractive'
 meta = {
 maintainers = [ ];
 };
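Review bot: The path unit loses its `wantedBy = [ "sysinit.target" ];` line and nothing visible in this hunk pulls `unl0kr-agent.path` into the initrd transaction; the unit's body continues past the hunk, so unless the line is restored there, the directory watch never starts, no agent answers the LUKS prompt, and boot stalls into emergency mode instead of failing loudly — restoring `wantedBy = [ "sysinit.target" ];` next to `pathConfig` keeps the old activation. `unitConfig.ConditionPathExists = "!/run/plymouth/pid"` on both units silently hands the passphrase prompt to Plymouth whenever it is running, which is the reason for the `after = [ "plymouth-start.service" ]` ordering; a comment above the condition, `# Plymouth ships its own password agent; stand down if it is running`, would save the next reader from having to rediscover that. The `storePaths` list still carries `grep` and `systemd-reply-password`, which only the deleted inline script used; if `unl0kr-agent` does not exec them they are dead weight in the initrd, and the `++ ([ ... ])` with a stray blank line before `])` can collapse into one list.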