NixOS encrypted boot pool not working

[ghost]

Currently configuring encrypted boot pool on nixos will result in error:

nixos-install -v --show-trace --no-root-passwd --root /mnt
# omitted error output

A further command completes the installation:

nixos-enter --root /mnt -- nixos-rebuild boot

Should be added to the guide.

[winterqt]

This should not be needed. Mind sharing the error that's thrown?

[ghost]

Some related details: NixOS/nixpkgs#157989

In the guide LUKS encryption is used in two ways:

• encrypted /boot
• encrypted /boot and encrypted swap for hibernation

These were working perfectly as recent as the 21.11 release.

But in mid-Jan 2022, after updating the system, encrypted swap stopped working; encrypted /boot works on installed systems and fails with new installations, requiring the above fix to work.

[ghost]

as recent as the 21.11 release.

Clarification: 21.11 initial release in Nov 2021.

[ghost]

The above description is still convoluted, I admit. Will post the exact configuration that works with 21.05 but not 21.11 shortly.

[ghost]

To control variables and to test boot.initrd.secrets alone, I will do the following:

• Boot VM from live CD, with one empty virtual disk attached.
• Partition the disk with GPT, add one ext4 for /.
• Mount / at /mnt, generate config with nixos-generate-config.
• echo key > /mnt/etc/key1; cp /mnt/etc/key1 /mnt/etc/key2
• Use boot.initrd.secrets to embed the keys, do not touch any other options
• nixos-install, save any error message
• inspect if /mnt/boot/kernels/*secrets contains two keys.

[ghost]

[root@nixos:~]# nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.103, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.16`
 - channels(root): `"nixos-21.11.336361.9b1c7ba3237"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

D=/dev/vdb
sgdisk -Z $D
sgdisk -a1 -n1:24K:1000K -t1:ef02 $D
sgdisk -n2:0:0 $D
mkfs.ext4 ${D}2
mount  ${D}2 /mnt
nixos-generate-config --root /mnt
echo key > /mnt/etc/key1; cp /mnt/etc/key1 /mnt/etc/key2
nano /mnt/etc/nixos/configuration.nix

  boot.initrd.secrets = {
    "/etc/key1" = "/key1";
    "/etc/key2" = "/key2";
  };

nixos-install -v --show-trace --no-root-passwd --root /mnt

Output:

installing the boot loader...
setting up /etc...
/etc/tmpfiles.d/journal-nocow.conf:26: Failed to resolve specifier: uninitialized /etc detected, skipping
All rules containing unresolvable specifiers will be skipped.
updating GRUB 2 menu...
mktemp: failed to create directory via template ‘/mnt/tmp.coRUoqzl1P/initrd-secrets.XXXXXXXXXX’: No such file or directory
failed to create initrd secrets: No such file or directory