Using immutable users with impermanence on LUKS?

kiara · April 15, 2024, 10:15pm

i use impermanence on LUKS, and recently came across the users.mutableUsers option.
making this immutable makes sense to me, but i’ve yet to really make this work.

specifically, in this setup i couldn’t get the ephemeral rollback script to work by either:

initrd (boot.initrd.postDeviceCommands): due to error systemd stage 1 does not support 'boot.initrd.${name}'. Please convert it to analogous systemd units in 'boot.initrd.systemd'.
systemd (boot.initrd.systemd): triggers before disk decryption, i.e. when there isn’t a disk to wipe yet.

has anyone figured out how to get this combination to work? am i looking in the wrong direction?

ElvishJerricco · April 15, 2024, 10:23pm

You have to order your systemd service after the device you want to wipe. e.g.

boot.initrd.systemd.services.wipe-my-fs = {
  requires = ["dev-mapper-foo.device"];
  after = ["dev-mapper-foo.device"];
  wantedBy = ["initrd.target"];
  script = ''
    ...
  '';
};