Hi!

This is a follow-up to
https://lists.gnu.org/archive/html/guix-devel/2020-04/msg00017.html.

I'm actually trying to set up a system that asks for the password once.

I've opted for the unencrypted /boot partition strategy.
The following does not work:

--8<---------------cut here---------------start------------->8---
(define drive-mapping
  (list (mapped-device
         ;; The UUID is that returned by 'cryptsetup luksUUID'.
         (source (uuid "b29cb68b-b154-4228-a131-34e9c474b0bd")) 
         (target "guix")
         (type luks-device-mapping))))

(define root-partition
  (file-system
    (device (file-system-label "guix"))
    (mount-point "/")
    (type "btrfs")
    (options "subvol=rootfs,compress=zstd")
    (dependencies drive-mapping)))

(operating-system
 ;; ...
 (file-systems (cons* root-partition
                      (file-system
                        (device (file-system-label "boot"))
                        (mount-point "/boot")
                        (type "ext4")
                        ;; (needed-for-boot? #t)
                        ;; (dependencies (list root-partition))
                        )
                      (file-system
                        (device (uuid "4E30-891F" 'fat))
                        (mount-point "/boot/efi")
                        (type "vfat"))
                      %base-file-systems))
--8<---------------cut here---------------end--------------->8---

GRUB starts without prompting for password (success!) but without theme
(oops!) and then it's unable to boot the Guix entry, complaining it
cannot find the "guix" partition.

If I remove the "boot" file system entry, then run "guix system init ..." without
mounting "boot", it works.

I tried with the

--8<---------------cut here---------------start------------->8---
(dependencies (list root-partition))
--8<---------------cut here---------------end--------------->8---

but then the image does not even build, complaining

--8<---------------cut here---------------start------------->8---
guix system: error: service 'file-system-/boot' requires 'file-system-/', which is not provided by any service
--8<---------------cut here---------------end--------------->8---

I haven't tried 'needed-for-boot?' field, maybe it could help here.

The generated /boot/grub/grub.cfg does not have any encryption-related
lines (as in
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_the_boot_loader
for instance).  Does our GRUB generation support unlocking LUKS
partitions that are not the same as the one where GRUB is installed?

Any idea?

-- 
Pierre Neidhardt
https://ambrevar.xyz/