I was trying to run a NixOS VM (nixos-rebuild build-vm) on my main NixOS and I encountered this error:
error:
Failed assertions:
- boot.loader.initrd.secrets values must be unquoted paths when
  using a bootloader that doesn't natively support initrd
  secrets, e.g.:
    boot.initrd.secrets = {
      "/etc/secret" = /path/to/secret;
    };
  Note that this will result in all secrets being stored
  world-readable in the Nix store!
My hardware-configuration looks like this:
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "uas" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/3CAB-A6C5";
      fsType = "vfat";
    };
  ##################### ROOT ##########################
  # Physical partition
  boot.initrd.luks.devices."luks-<uuid-of-physical-root>" = {
    device = "/dev/disk/by-uuid/<uuid-of-physical-root>";
    allowDiscards = true;
    bypassWorkqueues = true;
  };
  # Mapped partition
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/<uuid-of-mapped-root>";
      fsType = "ext4";
    };
  ##################### SWAP ##########################
  # Physical partition
  # Setup keyfile
  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };
  # Enable swap on luks
  boot.initrd.luks.devices."luks-<uuid-of-physical-swap>" = {
    device = "/dev/disk/by-uuid/<uuid-of-physical-swap>";
    keyFile = "/crypto_keyfile.bin";
    # allowDiscards = true;
    # bypassWorkqueues = true;
  };
  # Mapped partition
  swapDevices =
    [ { device = "/dev/disk/by-uuid/<uuid-of-mapped-swap>"; }
    ];
  #####################################################
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
This made me question why “/crypto_keyfile.bin” is being set to null when it is being assigned the path when swap is being initialized:
boot.initrd.luks.devices."luks-<uuid-of-physical-swap>" = {
  device = "/dev/disk/by-uuid/<uuid-of-physical-swap>";
  keyFile = "/crypto_keyfile.bin";
  # allowDiscards = true;
  # bypassWorkqueues = true;
};
Would it be safe to delete? It appears to be auto generated by nixos:
boot.initrd.secrets = {
  "/crypto_keyfile.bin" = null;
};
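
The assertion quoted in the post, laid out as configuration. This is an added example, not part of the original post and not NixOS-generated code. It assumes a nixpkgs release that provides the virtualisation.vmVariant option and a VM that does not need the keyfile; /etc/nixos/secrets/crypto_keyfile.bin is a hypothetical path.

```nix
{ lib, ... }:
{
  # Form from the post: the attribute name is the path inside the initrd,
  # and a null value means "copy the file from the same path on the
  # running system". null is not a path, so the assertion rejects it
  # whenever the bootloader cannot append initrd secrets itself, which is
  # what happens under `nixos-rebuild build-vm`.
  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };

  # Form the assertion message asks for (left commented out on purpose).
  # An unquoted path is copied into the Nix store at evaluation time, so
  # the LUKS keyfile would be readable by every local user, as the
  # message itself warns.
  #
  # boot.initrd.secrets = {
  #   "/crypto_keyfile.bin" = /etc/nixos/secrets/crypto_keyfile.bin; # hypothetical path
  # };

  # VM-only override: settings in vmVariant apply only to the system
  # built by build-vm. Dropping the secret there keeps the real keyfile
  # out of the store and leaves the hardware configuration unchanged.
  # Assumption: the VM does not unlock any LUKS device with this keyfile.
  virtualisation.vmVariant = {
    boot.initrd.secrets = lib.mkForce { };
  };
}
```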