Thank you! Got it working with a combination of feedback from both of you.
Key notes:
- Putting the boot partitions at
/bootX
indeed keeps them outside the encrypted root FS - Bind mounting one of them to
/boot
was required to satisfy GRUB's expectation of that default path. - “devices” is required in the grub mirroredBoots definition (I tried to remove it, but it threw errors)
enableCryptoDisk=true
does not work; it lands in a GRUB rescue shell. See the previously linked post. TL;DR: LUKS and GRUB's own encryption support don't play nicely together.
For record keeping
- Here is my hardware-configuration.nix on Github
- Here is the partition creation / mounting script that runs during install
- I’ll paste snapshots below of how they look today, in case the above links change in the future.
Partition Creation Script
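#!/usr/bin/env bash
#### CREATE PARTITIONS ON BLANK DISKS ####
# Installer-side disk preparation: partitions the NVMe drives listed in
# `drives`, builds a Linux MD RAID 10 array from their second partitions,
# puts LUKS on the array and mounts everything under /mnt for the install.
# Everything below is destructive to the listed drives and must run as root.
set -euo pipefail

# Drives are addressed by kernel enumeration order here (and in the matching
# hardware-configuration.nix); that order is not guaranteed to be stable across
# reboots or hardware changes, so verify the list before running.
drives=(/dev/nvme{0..3}n1)

for drive in "${drives[@]}"; do
  # Create GPT partition tables
  parted -s "$drive" mklabel gpt
  # Create 2GB EFI partition
  parted -s "$drive" mkpart EFI fat32 1MiB 2049MiB
  parted -s "$drive" set 1 boot on
  # Create Primary partition on remainder of disk
  parted -s "$drive" mkpart primary 2049MiB 100%
  # Wait for udev to create the new partition nodes before formatting;
  # mkfs can otherwise race the kernel's partition table rescan.
  udevadm settle
  # Write a FAT32 FS to the EFI partition
  mkfs.fat -F 32 "${drive}p1"
done

#### CREATE LINUX MD RAID 10 ARRAY ####
# Second partition of every drive becomes an array member.
members=("${drives[@]/%/p2}")
mdadm --create --verbose /dev/md0 --level=10 \
  --raid-devices="${#members[@]}" "${members[@]}"

printf '%s\n' "Waiting for raid array to initialize"
# mdadm returns before the initial sync starts; poll /proc/mdstat until it
# reports the resync so the array is definitely assembled before LUKS goes on.
while [ "$(grep -c 'resync = ' /proc/mdstat)" -eq 0 ]; do
  sleep 3
done
printf '%s\n' "Array initialized"

#### PRINT RESULTS TO SCREEN ####
lsblk
cat /proc/mdstat

#### CREATE ENCRYPTED LUKS VOLUME ####
# The passphrase is prompted for interactively; keep it off the command line
# so it cannot show up in process listings or shell history.
cryptsetup --verbose --verify-passphrase luksFormat /dev/md0
cryptsetup luksOpen /dev/md0 luksraid

#### PUT FILESYSTEM ON LUKS AND MOUNT IT TO MNT ROOT ####
mkfs.ext4 /dev/mapper/luksraid
# -p: the installer environment usually already has /mnt.
mkdir -p /mnt
mount /dev/mapper/luksraid /mnt

#### MOUNT BOOT PARTITIONS ####
# /boot1../boot4 are the plain (unencrypted) ESPs, deliberately outside LUKS.
for i in "${!drives[@]}"; do
  mkdir -p "/mnt/boot$((i + 1))"
  mount "${drives[i]}p1" "/mnt/boot$((i + 1))"
done

#### BIND MOUNT FIRST BOOT PARTITION TO DEFAULT /BOOT ####
mkdir -p /mnt/boot
mount --bind /mnt/boot1 /mnt/boot

#### PRINT MOUNTS TO SCREEN ####
# Under pipefail a non-zero exit here means nothing is mounted under /mnt,
# which is itself a failure worth surfacing.
df -h | grep /mnt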
hardware-config.nix
# Hardware configuration for a four-NVMe host: encrypted ext4 root on a LUKS
# volume over MD RAID 10, with an unencrypted ESP on each drive mirrored by GRUB.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
# GRUB on four mirrored ESPs.  /boot1../boot4 sit outside the LUKS volume, so
# GRUB needs no LUKS support of its own (enableCryptoDisk is intentionally
# absent; see the discussion above).
boot.loader = {
grub = {
enable = true;
device = "nodev";
efiSupport = true;
mirroredBoots = [
{
path = "/boot1";
# Device names here follow kernel enumeration order, which can change when
# hardware is added or reordered; /dev/disk/by-id/ paths would be stable.
devices = ["/dev/nvme0n1p1"];
}
{
path = "/boot2";
devices = ["/dev/nvme1n1p1"];
}
{
path = "/boot3";
devices = ["/dev/nvme2n1p1"];
}
{
path = "/boot4";
devices = ["/dev/nvme3n1p1"];
}
];
};
efi = {
canTouchEfiVariables = true;
};
};
# Setup RAID
boot.swraid = {
enable = true;
mdadmConf = ''
MAILADDR nixosconfignotificat.flaccid440@passmail.net
DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2 /dev/nvme2n1p2 /dev/nvme3n1p2
ARRAY /dev/md0 metadata=1.2 UUID=ARRAYUUID
'';
};
# NOTE: ARRAYUUID above and in luks.devices below is a placeholder for the real
# array UUID (mdadm --detail /dev/md0); both must hold the same value.
# define encrypted root filesystem on linux md raid array
fileSystems."/" = {
device = "/dev/mapper/luksraid";
fsType = "ext4";
};
# define redundant boot partitions (plain vfat, not encrypted)
fileSystems."/boot1" = {
device = "/dev/nvme0n1p1";
fsType = "vfat";
};
fileSystems."/boot2" = {
device = "/dev/nvme1n1p1";
fsType = "vfat";
};
fileSystems."/boot3" = {
device = "/dev/nvme2n1p1";
fsType = "vfat";
};
fileSystems."/boot4" = {
device = "/dev/nvme3n1p1";
fsType = "vfat";
};
# bind mount one to /boot where grub expects there must be a folder;
# depends ensures /boot1 is mounted before the bind mount is attempted
fileSystems."/boot" = {
depends = [
"/boot1"
];
device = "/boot1";
fsType = "vfat";
options = [
"bind"
];
};
# Ensure necessary kernel modules are available in initrd
boot.initrd = {
kernelModules = [
];
# nvme/md/raid10/dm-mod are what stage 1 needs to assemble the array and
# open the LUKS volume before the root FS can be mounted.
availableKernelModules = [
"dm-mod"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"nvme"
"md"
"raid10"
"md-mod"
];
luks.devices = {
"luksraid" = {
# Addressed by array UUID rather than /dev/md0 so assembly order does not matter.
device = "/dev/disk/by-id/md-uuid-ARRAYUUID";
preLVM = false; # If LUKS is on top of LVM, set this to true
# TRIM passes through LUKS, which lets an observer of the raw disks see which
# blocks of the encrypted volume are unused; accepted here for SSD longevity.
allowDiscards = true; # Optional, enables TRIM if supported by your SSD
};
};
};
swapDevices = [];
boot.kernelModules = ["kvm-intel"];
# Drops to a root shell inside the initrd when stage 1 fails.  Handy while the
# RAID/LUKS setup is being debugged, but it gives anyone at the console that
# shell (and the LUKS volume may already be open if the failure came after the
# passphrase prompt) — worth removing once the boot is known to be stable.
boot.kernelParams = ["boot.shell_on_fail"];
boot.extraModulePackages = [];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# #### NVIDIA CONFIG ####
hardware.graphics.enable = true; # Enable OpenGL
services.xserver.videoDrivers = ["nvidia"]; # Nvidia graphics driver
hardware.nvidia-container-toolkit.enable = true; # Nvidia CDI support for docker/podman
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
};
}