ZFS is loaded *before* LUKS decryption... or how could I modify a module


I would love to have a set of partitions which are compressed, such that some of them are encrypted (and decryptable with multiple keys), and such that I can easily add new partitions if I have that requirement later. So I decided to go for a partitioning which is LVM(LUKS(ZFS)), i.e. I will put in an LVM volume a LUKS encrypted partition that contains a ZFS partition (which contains my home and root partition).

The problem is that when I install my system, the ZFS code runs before the LUKS decryption… Which fails of course.

So I tried to look at the code to understand the reason behind that, and I saw that both ZFS and LUKS edit a variable boot.initrd.postDeviceCommands that is executed in stage 1, after devices are loaded. However, the problem is that the strings are not concatenated in the right order, so ZFS is loaded before the actual decryption…

People told me that I could use lib.mkBefore to change the order of the strings… but I don’t know how I could modify the string boot.initrd.postDeviceCommands defined in /nixos/modules/system/boot/luksroot.nix without maintaining a parallel version of the nixpkgs repository. Ideally, I’d love a syntax like:

overrideModule "/nixos/modules/system/boot/luksroot" "boot.initrd.postDeviceCommands" = lib.mkBefore (getOldModuleValue "/nixos/modules/system/boot/luksroot" "boot.initrd.postDeviceCommands");

What solution do I have?


You can replace a single module of Nixpkgs with your own. This way you still need to maintain one file though.

Check this out: NixOS - NixOS 21.05 manual

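How `lib.mkBefore` reorders merged definitions of a `lines` option, as an added example that is not part of the original posts or of nixpkgs. The option name `postDeviceCommands` and both command strings are constructed stand-ins, and `./luksroot.nix` is a hypothetical local copy of the module.

```nix
# order.nix (added example): evaluate with
#   nix-instantiate --eval --strict order.nix
let
  lib = (import <nixpkgs> { }).lib;

  # Stand-in for the real option: like boot.initrd.postDeviceCommands,
  # it has type `lines`, so every definition is merged into one script.
  optionDecl = {
    options.postDeviceCommands = lib.mkOption {
      type = lib.types.lines;
      default = "";
    };
  };

  # Constructed placeholder for the module that imports the pool.
  zfsLike = { postDeviceCommands = "echo 'import ZFS pool'"; };

  # Constructed placeholder for a local copy of luksroot.nix whose
  # definition has been wrapped in mkBefore (order priority 500,
  # ahead of the default 1000 used by plain definitions).
  luksLike = {
    postDeviceCommands = lib.mkBefore "echo 'unlock LUKS device'";
  };

  eval = lib.evalModules {
    # zfsLike is listed first on purpose: priority, not list position,
    # decides the order of the merged lines.
    modules = [ optionDecl zfsLike luksLike ];
  };
in
{
  # The merged script: the mkBefore definition comes out first.
  merged = eval.config.postDeviceCommands;

  # What configuration.nix needs in order to swap in the local copy:
  #   disabledModules = [ "system/boot/luksroot.nix" ];
  #   imports = [ ./luksroot.nix ];
}
```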

I see, thanks. It’s too bad NixOS can’t provide a generic way to apply a simple change to override a module. One could even imagine to drop a warning when the code of the module changes.

This probably should be fixed in nixpkgs. It used to work before; however, I stopped using it when ZFS got native encryption.

I use 20.03 and I’m able to boot with ZFS over LUKS. I do not use LVM however, and I know that using LVM and LUKS together modifies the order of things in stage 1, so maybe that’s your issue.

Honestly, there’s not much point in LVM under ZFS anyway.

Yes, it’s indeed possible to unlock LUKS devices before lvm, so if you don’t have lvm then this solution works. But indeed I realized that ZFS over LVM is not very useful, because it’s impossible to shrink a zfs pool… so I guess it’s equivalent to create zfs outside of lvm.

People told me to do that for BTRFS so I was thinking the same could apply to ZFS but apparently not ^^ Too bad BTRFS is not very efficient.

Anyway, thanks everybody for the help!