I’m trying to apply a system configuration on an SD card I created myself from this configuration, which boots fine (despite agenix decryption errors due to the new host private key), but for some reason I cannot switch to the correct config.
When I try to build my flake config as root, it fails:
root@leliel:/etc/nixos/ > nixos-rebuild boot --flake /etc/nixos#leliel --impure
error:
… while updating the lock file of flake 'git+file:///etc/nixos?ref=refs/heads/master&rev=55618b80277b8eaf012d542bad8472a1f5f55c9b'
error: path '/nix/store/84ab7r04568279h0d0vll47a7h6bky42-source' is a symlink
But when I switch the same system as non-root it at least builds:
jakubgs@leliel:~/nixos/ > nixos-rebuild build --flake .\#leliel --impure
building the system configuration...
warning: Git tree '/home/jakubgs/nixos' is dirty
jakubgs@leliel:~/nixos/ > readlink result
/nix/store/3wqqp6hgj8kzmdynglpf0qvd8p1z9crl-nixos-system-leliel-24.11.20241205.4dc2fc4
But when I try to switch or boot as root:
jakubgs@leliel:~/nixos/ > sudo /nix/store/3wqqp6hgj8kzmdynglpf0qvd8p1z9crl-nixos-system-leliel-24.11.20241205.4dc2fc4/bin/switch-to-configuration switch
activating the configuration...
[agenix] creating new generation in /run/agenix.d/3
[agenix] decrypting secrets...
decrypting '/nix/store/dkbvl1cnzax9l1l27hd4683xwlxzp672-pass-hash.age' to '/run/agenix.d/3/hosts/users/jakubgs/pass-hash'...
decrypting '/nix/store/227pcd2wirc246h4lmavs979idvzqbzm-server.key.age' to '/run/agenix.d/3/service/landing/server.key'...
decrypting '/nix/store/xbv4alprw01pspj1qrdl4r3aqvgxjbyh-wifi.age' to '/run/agenix.d/3/service/wifi'...
decrypting '/nix/store/mqrmp9cjbgznvw4qfcjwqlvs4yc2myr5-magi.age' to '/run/agenix.d/3/service/zerotier/magi'...
[agenix] symlinking new secrets to /run/agenix (generation 3)...
[agenix] removing old secrets (generation 2)...
[agenix] chowning...
setting up /etc...
reloading user units for jakubgs...
restarting sysinit-reactivation.target
I don’t see the system generation added to the profile folder:
jakubgs@leliel:~/nixos/ > sudo ls -l /nix/var/nix/profiles/
total 8
lrwxrwxrwx 1 root root 43 Dec 13 2024 default -> /nix/var/nix/profiles/per-user/root/profile
drwxr-xr-x 3 root root 4096 Jan 1 1970 per-user
lrwxrwxrwx 1 root root 13 Jan 1 1970 system -> system-1-link
lrwxrwxrwx 1 root root 86 Jan 1 1970 system-1-link -> /nix/store/akx2159g42w6swq0894rpwfz6w9ajl8l-nixos-system-leliel-24.11.20241205.4dc2fc4
Notice the different hash, and no system-2-link. I’m a bit confused as to how I’m supposed to make this work. This used to work fine on 24.05.
I wish I could just make the SD card image myself, but I can’t since I can’t know the host private key in advance which means I can’t re-encrypt agenix secrets in advance for the SD card image. I don’t get how to square that circle.
Before I used boot.loader.generic-extlinux-compatible config without issues, but since this PR was merged and is part of NixOS 24.11:
It is recommended to use boot.loader.generic-extlinux-compatible, which I did, but now I can’t properly boot into a new system config. I’m really confused.
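As an added example (not from the thread or from nixos-rebuild itself), a small POSIX shell check for the discrepancy described above: whether `/nix/var/nix/profiles/system` actually points at the `./result` that was just built, and which `system-N-link` generation is the newest. It follows the symlink chain one hop at a time so it also works where the store path itself is missing; the store paths in the comments are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: verify that the NixOS system profile records the build that
# was just activated. Symlinks are followed by hand so that a dangling link
# (the /nix/store path absent on another host) does not abort the check.

# Resolve a chain of symlinks without requiring the final target to exist.
resolve_link() {
  p=$1
  while [ -L "$p" ]; do
    t=$(readlink "$p") || return 1
    case $t in
      /*) p=$t ;;                    # absolute target
      *)  p=$(dirname "$p")/$t ;;    # relative target, e.g. system-1-link
    esac
  done
  printf '%s\n' "$p"
}

# Highest N among <dir>/system-N-link entries; prints 0 if there are none.
latest_generation() {
  max=0
  for l in "$1"/system-*-link; do
    [ -L "$l" ] || continue
    n=${l##*/system-}; n=${n%-link}
    if [ "$n" -gt "$max" ]; then max=$n; fi
  done
  printf '%s\n' "$max"
}

# Compare the ./result link from `nixos-rebuild build` with the system profile.
# Returns 0 when both resolve to the same store path, 1 otherwise
# (the post shows akx2159g... in the profile but 3wqqp6hg... in ./result).
check_system_profile() {
  built=$(resolve_link "$1") || return 1
  active=$(resolve_link "$2") || return 1
  if [ "$built" = "$active" ]; then
    printf 'OK: profile %s points at %s\n' "$2" "$built"
    return 0
  fi
  printf 'MISMATCH: built %s but profile %s -> %s\n' "$built" "$2" "$active" >&2
  return 1
}

# Usage on a real host: check_system_profile ./result /nix/var/nix/profiles/system
if [ "$#" -eq 2 ]; then
  check_system_profile "$1" "$2"
fi
```

A non-zero exit after `switch-to-configuration switch` means the activation ran but no new profile generation was registered, which is exactly the state the `ls -l /nix/var/nix/profiles/` listing shows.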
That’s true, but I wish I could provide the private key via NixOS config rather than by manually modifying the image after it has been built, but it does seem simpler than booting the broken image and then fixing it afterwards.
Considering that the default entry is the same as nixos-2-default maybe a bootloader setting is funny (or the extlinux.conf doesn’t DEFAULT to nixos-default).
For reference, my /boot looks like this:
ls /boot
╭───┬────────────────┬──────┬─────────┬─────────────╮
│ # │ name │ type │ size │ modified │
├───┼────────────────┼──────┼─────────┼─────────────┤
│ 0 │ /boot/nixos │ dir │ 4.0 KiB │ a month ago │
│ 1 │ /boot/extlinux │ dir │ 4.0 KiB │ 2 hours ago │
╰───┴────────────────┴──────┴─────────┴─────────────╯
Now the question is, do I even need the vfat partition with firmware if the kernel and system are loaded directly from the root partition? If it is necessary, does it ever have to be mounted or not?
If you flashed the new bootloader to the EEPROM, which has been u-boot for some time (before that they had an rpi-specific way of doing things IIRC), then no, you don’t, as u-boot can read ext4 without issues.
EDIT: I still have the firmware on a separate FAT partition but don’t use it as /boot; not entirely sure if u-boot still needs it for the firmware blobs, though.