Rebuilding system on fresh install spawns emergency shell

So I set up NixOS for the first time, and I had a configuration I was happy with. I realized I had forgotten to enable disk encryption, so I pushed /etc/nixos/ to a git repo and re-installed NixOS with encryption enabled. I booted it up, cloned the repo, and rebuilt. It spawned me into an emergency shell where I had to reboot, and then GRUB complained about not being able to find /mnt/root (or something like that).

What could have gone wrong? Do I manually need to edit hardware-configuration.nix to account for the new partition scheme? I had enabled boot.loader.grub.enableCryptodisk in configuration.nix.

Thanks!

Yes, you would need changes to hardware-configuration.nix. But if you just did a reinstall and only copied your old configuration.nix and not your old hardware-configuration.nix, then the new install’s hardware-configuration.nix should be fine.

If you used the GUI installer and are booting with legacy BIOS instead of UEFI, then the GUI installer will unfortunately put some extra stuff that’s necessary for encryption in configuration.nix. In particular, it adds

boot.initrd.secrets = {
  "/boot/crypto_keyfile.bin" = null;
};
boot.loader.grub.enableCryptodisk = true;
boot.initrd.luks.devices."{}".keyFile = "/boot/crypto_keyfile.bin";

NOTE: This is only done by the GUI installer (not the manual installation instructions in the manual), and only on legacy BIOS systems. Replicating this config if your system is not configured exactly how the GUI installer would have configured it for encryption on legacy BIOS will leak your disk encryption keys.

If the system is UEFI, you should just be able to use the new hardware-configuration.nix and call it a day.

Ah, I assumed hardware-configuration.nix was re-generated when you rebuilt the system. I guess there was really no reason for me to assume so. But yeah, the reason it failed was because the old hardware-configuration.nix was part of my git repo that I cloned. Running sudo nixos-generate-config and then rebuilding solved the problem.

Thank you!
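Added example, not part of the thread or of NixOS itself: a pre-rebuild check for the failure described above, where a hardware-configuration.nix carried over from the old install still references filesystem UUIDs that the new partition layout does not have. The function names, the overridable by-uuid directory and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Print every /dev/disk/by-uuid reference in a NixOS hardware configuration
# that does not exist on this machine. Returns 0 if all exist, 1 if any are
# stale, 2 if the file cannot be read.
# Usage: stale_uuid_refs [config-file] [by-uuid-dir]
stale_uuid_refs() {
    config="${1:-/etc/nixos/hardware-configuration.nix}"
    uuid_dir="${2:-/dev/disk/by-uuid}"   # overridable so the check can be tested
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 2; }
    # Skip commented-out lines, then collect each distinct by-uuid path.
    refs=$(grep -v '^[[:space:]]*#' "$config" \
        | grep -o '/dev/disk/by-uuid/[0-9A-Fa-f-]*' | sort -u) || true
    stale=0
    for ref in $refs; do
        uuid="${ref##*/}"
        if [ ! -e "$uuid_dir/$uuid" ]; then
            echo "$uuid"
            stale=1
        fi
    done
    return $stale
}

# Constructed sample: a config written for the old disk layout, checked
# against a fake by-uuid directory that only holds the /home UUID.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/by-uuid"
    : > "$tmp/by-uuid/22222222-2222-4222-8222-222222222222"
    cat > "$tmp/hardware-configuration.nix" <<'EOF'
{
  fileSystems."/" = { device = "/dev/disk/by-uuid/11111111-1111-4111-8111-111111111111"; fsType = "ext4"; };
  # swapDevices = [ { device = "/dev/disk/by-uuid/33333333-3333-4333-8333-333333333333"; } ];
  fileSystems."/home" = { device = "/dev/disk/by-uuid/22222222-2222-4222-8222-222222222222"; fsType = "ext4"; };
}
EOF
    rc=0
    stale_uuid_refs "$tmp/hardware-configuration.nix" "$tmp/by-uuid" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Running `stale_uuid_refs` with no arguments checks /etc/nixos/hardware-configuration.nix against /dev/disk/by-uuid; any UUID it prints means the file should be regenerated with nixos-generate-config before rebuilding.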

In fact that file is simply a regular file that’s part of your config, so you’re free to modify its contents and move bits of it elsewhere if needed (if you plan to organise your config a certain way).
But yeah outside of n-g-c it doesn’t really get touched unless you edit it.