
Comments (3)

suiryc avatar suiryc commented on August 11, 2024

This hook is only compatible with the legacy way of doing things.
systemd hooks work in a different manner. Basically legacy initrd loads the hook as a script and executes its run_hook function, while systemd is - as usual - relying on service units and the likes. Hence even if you add this hook to the list, while in systemd mode its script is not executed.

I'm not sure how much work is needed to make this compatible with systemd: can the script be called as-is through a systemd unit? Would dropbear need to be handled in a dedicated unit? ...
Up to now I did not have to make it work with systemd - I actually did not know/remember there was a systemd-way of doing this. I'm still interested to take a look at it, but depending on the difficulty and how much time I can - and am willing to - spend on it, it may take a while before it is done (if at all possible).

from archlinux-initrd-ssh-cryptsetup.

suiryc avatar suiryc commented on August 11, 2024

As an alternative, you can also try what is documented as Remote unlocking of the root (or other) partition.
Seems like there already are systemd tools for each necessary step (network, ssh, cryptsetup).

If it works as described, I guess there is even no need for me to update my hook.
Maybe even the other hooks mentioned (netconf, dropbear, ...) are such that what my hook does can be done as easily with those. The original legacy dropbear_initrd_encrypt AUR package, which was later split into those new hooks (as mentioned here), was not so easy to use at the time (which was one of the reasons that made me code my hook based on it).

from archlinux-initrd-ssh-cryptsetup.

suiryc avatar suiryc commented on August 11, 2024

So I did a quick test with mkinitcpio-systemd-tool, and it should meet your needs.

Basically I

  • added the systemd-tool hook, which comes with necessary systemd units etc
    • enabled the systemd initrd-network, initrd-cryptsetup and initrd-dropbear units (edit: the systemd units do not need to be enabled)
    • (on fresh install) had to manually create the systemd-network and systemd-resolve users/groups (*)
    • added the authorized public key in /etc/dropbear/authorized_keys
  • added the sd-encrypt hook (**)
    • a few tests showed that it needs to be placed after systemd-tool
    • copied /etc/crypttab to /etc/crypttab.initramfs (the latter if present is included as /etc/crypttab inside the initramfs)
  • re-generated the initramfs
  • rebooted

The boot sequence now displays a prompt to enter the password:

secret>

The same prompt is displayed when connecting through SSH.


(*) In systemd 2.39, those users are dynamic and not created in /etc/passwd and /etc/group, and this prevents the network service from properly starting (at least inside initrd). See mkinitcpio-systemd-tool ticket #17.
(**) This makes initrd wait for partitions to be unlocked before continuing. Otherwise (in my test, I encrypt a partition that is not the system root) if the boot sequence reaches the point where sysroot is mounted (no password needed), it continues from the real root system and systemd-tool units are stopped (and later, after initrd, the password for such partitions is asked).
According to the boot sequence I would say it is because the initrd target was reached at which point we leave this state (and thus systemd-tool units are stopped because they only run within initrd).

from archlinux-initrd-ssh-cryptsetup.
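The comment above lists the pieces that must all be in place for the systemd-tool based setup to work (hook order in mkinitcpio.conf, the two static users, the dropbear authorized_keys file, /etc/crypttab.initramfs). The following script is an added example written for this page, not code from the issue thread or from the mkinitcpio-systemd-tool project: it checks those preconditions before you regenerate the initramfs and reboot. It assumes the standard Arch paths named in the comment (/etc/mkinitcpio.conf, /etc/passwd, /etc/dropbear/authorized_keys, /etc/crypttab.initramfs); the sample config and passwd text at the bottom are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: pre-flight checks for a mkinitcpio-systemd-tool + sd-encrypt
# initramfs as described in the thread. Not part of the original project.

# Print the contents of the HOOKS=(...) line from mkinitcpio.conf-style text.
extract_hooks() {
    printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p'
}

# Return 0 when both systemd-tool and sd-encrypt are present and systemd-tool
# comes first (the ordering the comment found necessary), 1 otherwise.
check_hook_order() {
    pos=0; st=0; se=0
    for h in $1; do
        pos=$((pos + 1))
        case "$h" in
            systemd-tool) st=$pos ;;
            sd-encrypt)   se=$pos ;;
        esac
    done
    [ "$st" -gt 0 ] && [ "$se" -gt 0 ] && [ "$st" -lt "$se" ]
}

# Return 0 when the static users systemd-networkd/-resolved need are present
# in passwd-format text (footnote (*) above), 1 when either is missing.
check_users() {
    for u in systemd-network systemd-resolve; do
        printf '%s\n' "$1" | grep -q "^$u:" || return 1
    done
    return 0
}

# Return 0 when the dropbear key file and crypttab.initramfs exist under the
# given root prefix and the key file is not world-writable; 1 otherwise.
check_files() {
    root="${1:-}"
    keys="$root/etc/dropbear/authorized_keys"
    tab="$root/etc/crypttab.initramfs"
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    [ -f "$tab" ]  || { echo "missing $tab (copy of /etc/crypttab for the initramfs)"; return 1; }
    [ -z "$(find "$keys" -perm -o+w 2>/dev/null)" ] || { echo "$keys is world-writable"; return 1; }
    return 0
}

# --- stand-alone demo on constructed inputs (not real host data) ---
SAMPLE_CONF='MODULES=()
HOOKS=(base systemd autodetect modconf kms keyboard block systemd-tool sd-encrypt filesystems fsck)'
SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
systemd-network:x:979:979:systemd Network Management:/:/usr/bin/nologin
systemd-resolve:x:980:980:systemd Resolver:/:/usr/bin/nologin'

if check_hook_order "$(extract_hooks "$SAMPLE_CONF")"; then
    echo "hook order: OK (systemd-tool before sd-encrypt)"
else
    echo "hook order: WRONG or hooks missing"
fi
if check_users "$SAMPLE_PASSWD"; then
    echo "static users: OK"
else
    echo "static users: systemd-network / systemd-resolve missing from passwd"
fi
```

To run it against a real host, feed `"$(cat /etc/mkinitcpio.conf)"`, `"$(cat /etc/passwd)"` and `check_files ""` instead of the constructed samples; a non-zero exit from any check means the initramfs should not be regenerated yet.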
