From a058d9ecb06af7e224c2b7508ccc1e7a345fe902 Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Tue, 30 Dec 2025 09:45:29 -0600 Subject: [PATCH] update reboot sequence and refator --- hosts/juni/hardware-mounts.nix | 149 +++++++++++++++++---------------- hosts/lio/flake.lock | 8 +- 2 files changed, 83 insertions(+), 74 deletions(-) diff --git a/hosts/juni/hardware-mounts.nix b/hosts/juni/hardware-mounts.nix index 8079d01f..da7a3428 100644 --- a/hosts/juni/hardware-mounts.nix +++ b/hosts/juni/hardware-mounts.nix @@ -11,9 +11,10 @@ let SWAP = "/dev/disk/by-uuid/ad0311e2-7eb1-47af-bc4b-6311968cbccf"; - USB_KEY = null; - IMPERMANENCE = true; + ENCRYPTED = true; + + USB_KEY = null; primaryDeviceUnit = "${utils.escapeSystemdPath PRIMARY}.device"; in @@ -93,9 +94,9 @@ lib.mkMerge [ (lib.mapAttrs' (k: disableFs) bcacheBoots); } ) - { + (lib.mkIf IMPERMANENCE { # Impermanence fix for working with custom unlock and reset with root bcache - boot.initrd.systemd.services.create-needed-for-boot-dirs = { + boot.initrd.systemd.services.create-needed-for-boot-dirs = lib.mkIf ENCRYPTED { after = [ "unlock-bcachefs-custom.service" "bcachefs-reset-root.service" 
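Review bot: In the second hunk (`@@ -93,9 +94,9 @@`), wrapping the whole `create-needed-for-boot-dirs` override in `lib.mkIf ENCRYPTED` also removes its ordering after `bcachefs-reset-root.service` when `ENCRYPTED` is false, even though that service is still defined whenever `IMPERMANENCE` is true. Only the unlock dependency looks encryption-specific, so I'd keep the override and gate just that entry: `after = [ "bcachefs-reset-root.service" ] ++ lib.optional ENCRYPTED "unlock-bcachefs-custom.service";`. The third hunk (`@@ -106,9 +107,81 @@`) has the mirror-image problem: `bcachefs-reset-root` names `unlock-bcachefs-custom.service` in both `after` and `requires` regardless of `ENCRYPTED`. With `USB_KEY = null` the "Bcachefs auto decryption" block is disabled, so if the unlock unit is defined only there, `requires` points at a unit that does not exist. Where that unit is defined is outside these hunks, and the attribute set continues between the second and third hunk, so check both against the full file.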
@@ -106,9 +107,81 @@ lib.mkMerge [ ]; serviceConfig.KeyringMode = "shared"; }; - } + + boot.initrd.systemd.services.bcachefs-reset-root = { + description = "Reset bcachefs root subvolume before pivot"; + + after = [ + "initrd-root-device.target" + "cryptsetup.target" + "unlock-bcachefs-custom.service" + ]; + requires = [ + primaryDeviceUnit + "unlock-bcachefs-custom.service" + ]; + + before = [ + "sysroot.mount" + ]; + wantedBy = [ + "initrd-root-fs.target" + "sysroot.mount" + "initrd.target" + ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + KeyringMode = "shared"; + }; + + script = '' + cleanup() { + if [[ ! -e /primary_tmp/@root ]]; then + echo "Cleanup: Creating new @root" + bcachefs subvolume create /primary_tmp/@root + fi + echo "Cleanup: Unmounting /primary_tmp" + umount /primary_tmp || true + } + trap cleanup EXIT + + mkdir -p /primary_tmp + + echo "Mounting ${PRIMARY}..." + if ! mount "${PRIMARY}" /primary_tmp; then + echo "Mount failed. Cannot reset root." + exit 1 + fi + + if [[ -e /primary_tmp/@root ]]; then + mkdir -p /primary_tmp/@snapshots/old_roots + + # Use safe timestamp format (dashes instead of colons) + timestamp=$(date "+%Y-%m-%d_%H-%M-%S") + snap="/primary_tmp/@snapshots/old_roots/$timestamp" + echo "Snapshotting @root to $snap" + bcachefs subvolume snapshot /primary_tmp/@root "$snap" + + echo "Deleting current @root" + bcachefs subvolume delete /primary_tmp/@root + fi + + # Trap handles creating new root and unmount + ''; + }; + }) + + # If you mess up decruption password this reboots for retry instead of getting stuck + (lib.mkIf ENCRYPTED { + boot.kernelParams = [ + "rd.shell=0" + "rd.emergency=reboot" + ]; + }) # Bcachefs auto decryption - (lib.mkIf (USB_KEY != null) { + (lib.mkIf (ENCRYPTED && USB_KEY != null) { boot.supportedFilesystems = [ "bcachefs" ]; 
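Review bot: The `rd.shell=0` and `rd.emergency=reboot` parameters added under `lib.mkIf ENCRYPTED` are, as far as I know, dracut's option names, and nothing in this hunk shows the systemd-based initrd configured here (`boot.initrd.systemd.services…`) reading them. If they are ignored, a failed unlock still ends in the emergency target instead of a reboot, so confirm the behaviour with a deliberately wrong passphrase before relying on it. Console access to that emergency target is governed in NixOS by `boot.initrd.systemd.emergencyAccess`; keeping it disabled is what prevents an unauthenticated root shell in the initrd of an encrypted machine, and it is worth stating that next to these parameters. I'd extend the comment to say which component consumes the parameters and how it was verified, e.g. `# rd.*: consumed by <component>; verified by entering a wrong passphrase`, and fix the "decruption" typo while there.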
@@ -185,69 +258,5 @@ lib.mkMerge [ ''; }; }) - (lib.mkIf IMPERMANENCE { - boot.initrd.systemd.services.bcachefs-reset-root = { - description = "Reset bcachefs root subvolume before pivot"; - after = [ - "initrd-root-device.target" - "cryptsetup.target" - "unlock-bcachefs-custom.service" - ]; - requires = [ - primaryDeviceUnit - "unlock-bcachefs-custom.service" - ]; - - before = [ - "sysroot.mount" - ]; - wantedBy = [ - "initrd-root-fs.target" - "sysroot.mount" - "initrd.target" - ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - KeyringMode = "shared"; - }; - - script = '' - cleanup() { - if [[ ! -e /primary_tmp/@root ]]; then - echo "Cleanup: Creating new @root" - bcachefs subvolume create /primary_tmp/@root - fi - echo "Cleanup: Unmounting /primary_tmp" - umount /primary_tmp || true - } - trap cleanup EXIT - - mkdir -p /primary_tmp - - echo "Mounting ${PRIMARY}..." - if ! mount "${PRIMARY}" /primary_tmp; then - echo "Mount failed. Cannot reset root." - exit 1 - fi - - if [[ -e /primary_tmp/@root ]]; then - mkdir -p /primary_tmp/@snapshots/old_roots - - # Use safe timestamp format (dashes instead of colons) - timestamp=$(date "+%Y-%m-%d_%H-%M-%S") - snap="/primary_tmp/@snapshots/old_roots/$timestamp" - echo "Snapshotting @root to $snap" - bcachefs subvolume snapshot /primary_tmp/@root "$snap" - - echo "Deleting current @root" - bcachefs subvolume delete /primary_tmp/@root - fi - - # Trap handles creating new root and unmount - ''; - }; - }) ] diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock index c7bbfea4..dd156ada 100644 --- a/hosts/lio/flake.lock +++ b/hosts/lio/flake.lock 
@@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1767105946, - "narHash": "sha256-IRgl+mna4n7jDyVw0hPSwE2VnbXj0wnuyDaUwmhE/YU=", + "lastModified": 1767108596, + "narHash": "sha256-G24jIpfoSg3e4yUtAJnJsA6Mw+INLd3g85JzLWj+1j8=", "ref": "refs/heads/master", - "rev": "f25a2e5dc61a7b10f7c26d491eed3a53a5b47854", - "revCount": 1002, + "rev": "31f2ef23a0382b3149866ee3665a64843870d7a6", + "revCount": 1007, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" },