I have a Raspberry Pi 4 which I managed to set up with NixOS after a lot of work by reading resources like this and this. As in the blog post, I built the image with
nix run nixpkgs#nixos-generators -- -f sd-aarch64 --flake .#raspberrypi --system aarch64-linux -o ./raspberrypi.sd
and dd’ed into the SD card. With the image already in place and the OS working, updates to the configuration are done directly via ssh and nixos-rebuild.
The problem is that I’m trying to mount an encrypted external storage using a keyfile present in the filesystem. It’s not the most secure approach but it’s what it’s worth for me right now. I used something like this in my hardware configuration:
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
environment.etc.crypttab.text = ''
  backup UUID=bad5f4b7-fcdc-4b36-8887-357a629d7c00 /root/mykeyfile
'';
fileSystems."/mnt/backup" = {
  device = "/dev/mapper/backup";
};
fileSystems."/boot/firmware" = {
  device = "/dev/disk/by-label/FIRMWARE";
  fsType = "vfat";
  options = [ "nofail" "noauto" ];
};
fileSystems."/" = {
  device = "/dev/disk/by-label/NIXOS_SD";
  fsType = "ext4";
  options = [ "noatime" ];
};
swapDevices = [{ device = "/swapfile"; size = 128; }];
But when the system reboots I see logs in journalctl like this and the drive never mounts:
Mar 27 17:05:23 raspberrypi systemd[1]: Starting Cryptography Setup for backup...
Mar 27 17:05:23 raspberrypi systemd-cryptsetup[13088]: Volume backup already active.
Mar 27 17:05:23 raspberrypi systemd[1]: Finished Cryptography Setup for backup.
I’m not entirely sure, but I believe when I used the same configuration on a different machine the external storage was successfully mounted, which leads me to think that it is something related to the Raspberry Pi boot. This is the relevant part of my configuration:
hardware = {
  enableRedistributableFirmware = true;
  raspberry-pi."4".apply-overlays-dtmerge.enable = true;
  deviceTree = {
    enable = true;
    filter = "*rpi-4-*.dtb";
  };
};
console.enable = true;
boot = {
  # https://docs.syncthing.net/users/faq.html#inotify-limits
  kernel.sysctl = {
    "fs.inotify.max_user_watches" = 204800;
  };
  kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
  initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
  kernelParams = [
    "usb-storage.quirks=152d:0562:u,152d:2329:u,14cd:1212"
    "cgroup_enable=cpuset" "cgroup_enable=memory" "cgroup_memory=1" "swapaccount=1"
  ];
  loader = {
    grub.enable = false;
    generic-extlinux-compatible.enable = true;
  };
};
Any thoughts or ideas?
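
Since the setup above keeps the LUKS key in a file on the root filesystem, the following added example (not part of the original post) parses crypttab text and audits each referenced key file for ownership, permissions, and placement in the world-readable Nix store. The function names and the `owner_uid` parameter are assumptions made for this sketch.

```python
import os
import stat

def parse_crypttab(text):
    """Parse crypttab(5) text into dicts: name, device, keyfile, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        f = line.split()
        if len(f) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        # "none" or "-" in the third field means no explicit key file
        key = f[2] if len(f) > 2 and f[2] not in ("none", "-") else None
        opts = f[3].split(",") if len(f) > 3 else []
        entries.append({"name": f[0], "device": f[1], "keyfile": key, "options": opts})
    return entries

def audit_keyfile(path, owner_uid=0):
    """Return findings for one key file; an empty list means it passed."""
    if os.path.realpath(path).startswith("/nix/store/"):
        return [f"{path}: lives in the world-readable Nix store"]
    try:
        st = os.lstat(path)
    except OSError as exc:  # missing file, or parent directory not searchable
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_mode & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings

def audit_crypttab(text, owner_uid=0):
    """Audit every key file referenced by the crypttab text."""
    findings = []
    for entry in parse_crypttab(text):
        if entry["keyfile"]:
            findings += audit_keyfile(entry["keyfile"], owner_uid)
    return findings

# The crypttab line from the post above.
SAMPLE = "backup UUID=bad5f4b7-fcdc-4b36-8887-357a629d7c00 /root/mykeyfile\n"

if __name__ == "__main__":
    for finding in audit_crypttab(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it as root on the Pi so `/root/mykeyfile` can be inspected; a key file that passes is a regular file owned by root with mode `0400` or `0600`.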