nixos/misc: warn when someone is using the nixops autoLuks module

The autoLuks module is not really compatible with the updated systemd
version anymore. We started dropping NixOS specific patches that caused
unwanted side effects that we had to work around otherwise.

This change points users towards the relevant PR and spits out a bit of
information on how to deal with the situation.

nixos/doc/manual/release-notes/rl-1909.xml

@@ -114,6 +114,30 @@
       </link> of the setting.
      </para>
    </listitem>
+   <listitem>
+    <para>
+      As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
+      with our systemd version without manual intervention.
+    </para>
+    <para>
+      Whenever the usage of the module is detected the evaluation will fail with a message
+      explaining why and how to deal with the situation.
+    </para>
+    <para>
+      A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
+      has been introduced to disable the eval failure and to acknowledge the notice was received and read.
+      If you plan on using the feature please note that it might break with subsequent updates.
+    </para>
+    <para>
+      Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
+      devices provided by the autoLuks module. Not doing this might render the system in a
+      state where it doesn't boot anymore.
+    </para>
+    <para>
+      If you are actively using the <literal>autoLuks</literal> module please let us know in
+      <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
+    </para>
+  </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/misc/nixops-autoluks.nix

@@ -0,0 +1,44 @@
+{ config, options, lib, ... }:
+let
+  path = [ "deployment" "autoLuks" ];
+  hasAutoLuksOption = lib.hasAttrByPath path options;
+  hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {};
+
+  inherit (config.nixops) enableDeprecatedAutoLuks;
+in {
+  options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module";
+
+  config = {
+    assertions = [
+      {
+        assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true;
+        message = ''
+          ⚠️  !!! WARNING !!! ⚠️
+
+            NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit.
+            If you still want to use the module:
+              a) Please raise your voice in the issue tracking usage of the module:
+                 https://github.com/NixOS/nixpkgs/issues/62211
+              b) make sure you set the `_netdev` option for each of the file
+                 systems referring to block devices provided by the autoLuks module.
+
+                 ⚠️ If you do not set the option your system will not boot anymore! ⚠️
+
+                  {
+                    fileSystems."/secret" = { options = [ "_netdev" ]; };
+                  }
+
+              b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error.
+
+
+            For more details read through the following resources:
+              - https://github.com/NixOS/nixops/pull/1156
+              - https://github.com/NixOS/nixpkgs/issues/47550
+              - https://github.com/NixOS/nixpkgs/issues/62211
+              - https://github.com/NixOS/nixpkgs/pull/61321
+        '';
+      }
+    ];
+  };
+
+}

nixos/modules/module-list.nix

@@ -84,6 +84,7 @@
   ./misc/nixpkgs.nix
   ./misc/passthru.nix
   ./misc/version.nix
+  ./misc/nixops-autoluks.nix
   ./programs/adb.nix
   ./programs/atop.nix
   ./programs/autojump.nix