How to configure an encrypted filesystem, not available at boot

Hello all. I am trying to add a fileSystem to my nixos config that will only be mounted when I want it to, i.e. not at boot. I tried this:

  fileSystems."/export/backup2" =
    { device = "/dev/mapper/backup2";
      fsType = "xfs";
      encrypted.enable = true;
      encrypted.blkDev = "/dev/disk/by-uuid/86b0f66d-abab-49f6-acf6-5679d7ad8672";
      encrypted.label = "backup2";
    };

but it broke the system immediately and I had to boot a previous generation.

The configuration I am looking for would allow me to mount this encrypted disk on the command line when I need it using a normal mount command on the mount point, like:

# mount /export/backup2

I would of course provide the password manually at the point. Can someone point me in the right direction?

Thanks!

You should probably just use /etc/crypttab instead of fileSystems.<name>.encrypted.*. There, you can set the noauto option for the crypttab device, and you can also add noauto to the file system’s options, so systemd won’t try and start the decryption service or mount the file system automatically. I believe then you can do systemctl start export-backup2.mount and it’ll run through the necessary systemd dependencies to mount with a password prompt for decryption (which a regular mount command wouldn’t do).

@ElvishJerricco Thanks for the reply! I will give that a try…but won’t the fileSystems module clobber any changes I make there? Experimentation will tell for sure. Thanks again!

Well, what I’m saying is that instead of this:

You could do this:

  fileSystems."/export/backup2" = {
    device = "/dev/mapper/backup2";
    fsType = "xfs";
    options = ["defaults" "noauto"];
  };

  environment.etc.crypttab.text = ''
    backup2 UUID=86b0f66d-abab-49f6-acf6-5679d7ad8672 - noauto
  '';
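As an added illustration of how the noauto setup above is driven from the command line (this script is not from the thread and is not part of NixOS), the helper below derives the systemd unit names for the mount point and the crypttab entry and starts or stops them. It assumes the names used in the thread (mount point /export/backup2, crypttab name backup2), that a crypttab entry is exposed by systemd as systemd-cryptsetup@<name>.service, and that the path passed in is already normalized (no doubled slashes). The path-to-unit conversion follows the escaping rules of systemd-escape --path, so it also works for mount points containing characters such as "-" that systemd hex-escapes.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the noauto setup in a small helper.
# Assumed names from the thread: mount point /export/backup2, crypttab name backup2.
# Because both the fileSystems entry and the crypttab line carry "noauto", a plain
# `mount` does not pull in the systemd-cryptsetup service; starting the .mount unit
# does, and systemd prompts for the passphrase on the way.

# Convert a mount path into the systemd unit-name stem, following the rules of
# `systemd-escape --path`: strip leading/trailing slashes, map "/" to "-",
# keep [A-Za-z0-9:_.] (a leading "." is escaped), hex-escape everything else
# (including "-"). Assumes the path is already normalized.
path_to_unit() {
    p=$1
    while [ "${p#/}" != "$p" ]; do p=${p#/}; done   # strip leading slashes
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done   # strip trailing slashes
    [ -n "$p" ] || { printf '%s\n' -; return; }     # "/" itself becomes "-"
    out=
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}   # first character
        p=${p#?}          # remainder
        case $c in
            /) out="$out-" ;;
            .) if [ -z "$out" ]; then out="$out$(printf '\\x%02x' "'$c")"; else out="$out$c"; fi ;;
            [A-Za-z0-9:_]) out="$out$c" ;;
            *) out="$out$(printf '\\x%02x' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
}

mount_unit_for_path() { printf '%s.mount\n' "$(path_to_unit "$1")"; }

# Assumption: crypttab entries appear as systemd-cryptsetup@<name>.service units.
crypt_unit_for_name() { printf 'systemd-cryptsetup@%s.service\n' "$1"; }

# Open: starting the mount unit makes systemd start the crypttab device first,
# which is where the passphrase prompt comes from.
open_backup() { systemctl start "$(mount_unit_for_path "$1")"; }

# Close: unmount, then stop the cryptsetup unit so the dm-crypt mapping is closed
# and the key is dropped from the kernel. Stopping only the mount unit would leave
# /dev/mapper/<name> open and the disk readable without a passphrase.
close_backup() {
    systemctl stop "$(mount_unit_for_path "$1")" \
        && systemctl stop "$(crypt_unit_for_name "$2")"
}

status_backup() {
    printf 'mount: %s\n' "$(systemctl is-active "$(mount_unit_for_path "$1")")"
    printf 'crypt: %s\n' "$(systemctl is-active "$(crypt_unit_for_name "$2")")"
}

# Usage: ./backupctl.sh open|close|status (names fixed to the thread's example)
case ${1:-} in
    open)   open_backup /export/backup2 ;;
    close)  close_backup /export/backup2 backup2 ;;
    status) status_backup /export/backup2 backup2 ;;
esac
```

Run it as root: `./backupctl.sh open` is equivalent to the `systemctl start export-backup2.mount` mentioned above; `./backupctl.sh close` both unmounts and closes the LUKS mapping, which is the step a plain `umount` leaves undone.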

Not sure how your first post flew right over my head. Thanks a bunch! That’s exactly what I’m looking for.