Merge pull request #229767 from mberndt123/mberndt123/stratis-rootfs

- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase

- there is a new `boot/stratisroot.nix` module that enables booting from a volume managed by the Stratis storage management daemon. Use `fileSystems.<name>.stratis.poolUuid` to configure the pool containing the fs.

- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).

    my $st = stat($dev) or return $dev;

    foreach my $dev2 (glob("/dev/disk/by-uuid/*"), glob("/dev/mapper/*"), glob("/dev/disk/by-label/*")) {

    foreach my $dev2 (glob("/dev/stratis/*/*"), glob("/dev/disk/by-uuid/*"), glob("/dev/mapper/*"), glob("/dev/disk/by-label/*")) {

        my $st2 = stat($dev2) or next;

        return $dev2 if $st->rdev == $st2->rdev;

    }

        }

    }

    # is this a stratis fs?

    my $stableDevPath = findStableDevPath $device;

    my $stratisPool;

    if ($stableDevPath =~ qr#/dev/stratis/(.*)/.*#) {

        my $poolName = $1;

        my ($header, @lines) = split "\n", qx/stratis pool list/;

        my $uuidIndex = index $header, 'UUID';

        my ($line) = grep /^$poolName /, @lines;

        $stratisPool = substr $line, $uuidIndex - 32, 36;

    }

    # Don't emit tmpfs entry for /tmp, because it most likely comes from the

    # boot.tmp.useTmpfs option in configuration.nix (managed declaratively).

    next if ($mountPoint eq "/tmp" && $fsType eq "tmpfs");

    # Emit the filesystem.

    $fileSystems .= <<EOF;

  fileSystems.\"$mountPoint\" =

    { device = \"${\(findStableDevPath $device)}\";

    { device = \"$stableDevPath\";

      fsType = \"$fsType\";

EOF

EOF

    }

    if ($stratisPool) {

        $fileSystems .= <<EOF;

      stratis.poolUuid = "$stratisPool";

EOF

    }

    $fileSystems .= <<EOF;

    };

  ./system/boot/loader/raspberrypi/raspberrypi.nix

  ./system/boot/loader/systemd-boot/systemd-boot.nix

  ./system/boot/luksroot.nix

  ./system/boot/stratisroot.nix

  ./system/boot/modprobe.nix

  ./system/boot/networkd.nix

  ./system/boot/plymouth.nix

{ config, lib, pkgs, utils, ... }:

let

  requiredStratisFilesystems = lib.attrsets.filterAttrs (_: x: utils.fsNeededForBoot x && x.stratis.poolUuid != null) config.fileSystems;

in

{

  options = {};

  config = lib.mkIf (requiredStratisFilesystems != {}) {

    assertions = [

      {

        assertion = config.boot.initrd.systemd.enable;

        message = "stratis root fs requires systemd stage 1";

      }

    ];

    boot.initrd = {

      systemd = {

        storePaths = [

          "${pkgs.stratisd}/lib/udev/stratis-base32-decode"

          "${pkgs.stratisd}/lib/udev/stratis-str-cmp"

          "${pkgs.lvm2.bin}/bin/dmsetup"

          "${pkgs.stratisd}/libexec/stratisd-min"

          "${pkgs.stratisd.initrd}/bin/stratis-rootfs-setup"

        ];

        packages = [pkgs.stratisd.initrd];

        extraBin = {

          thin_check = "${pkgs."thin-provisioning-tools"}/bin/thin_check";

          thin_repair = "${pkgs."thin-provisioning-tools"}/bin/thin_repair";

          thin_metadata_size = "${pkgs."thin-provisioning-tools"}/bin/thin_metadata_size";

          stratis-min = "${pkgs.stratisd}/bin/stratis-min";

        };

        services =

          lib.attrsets.mapAttrs' (

            mountPoint: fileSystem: {

              name = "stratis-setup-${fileSystem.stratis.poolUuid}";

              value = {

                description = "setup for Stratis root filesystem";

                unitConfig.DefaultDependencies = "no";

                conflicts = [ "shutdown.target" "initrd-switch-root.target" ];

                onFailure = [ "emergency.target" ];

                unitConfig.OnFailureJobMode = "isolate";

                wants = [ "stratisd-min.service" "plymouth-start.service" ];

                wantedBy = [ "initrd.target" ];

                after = [ "paths.target" "plymouth-start.service" "stratisd-min.service" ];

                before = [ "initrd.target" "shutdown.target" "initrd-switch-root.target" ];

                environment.STRATIS_ROOTFS_UUID = fileSystem.stratis.poolUuid;

                serviceConfig = {

                  Type = "oneshot";

                  ExecStart = "${pkgs.stratisd.initrd}/bin/stratis-rootfs-setup";

                  RemainAfterExit = "yes";

                };

              };

            }

          ) requiredStratisFilesystems;

      };

      availableKernelModules = [ "dm-thin-pool" "dm-crypt" ] ++ [ "aes" "aes_generic" "blowfish" "twofish"

        "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512"

        "af_alg" "algif_skcipher"

      ];

      services.udev.packages = [

        pkgs.stratisd.initrd

        pkgs.lvm2

      ];

    };

  };

}

        description = lib.mdDoc "Location of the mounted file system.";

      };

      stratis.poolUuid = lib.mkOption {

        type = types.uniq (types.nullOr types.str);

        description = lib.mdDoc ''

          UUID of the stratis pool that the fs is located in

        '';

        example = "04c68063-90a5-4235-b9dd-6180098a20d9";

        default = null;

      };

      device = mkOption {

        default = null;

        example = "/dev/sda";