@JayRovacsek
Forked from martijnvermaat/nixos.md
Last active April 16, 2022 04:34

Installation of NixOS with encrypted root

This is forked from martijnvermaat and modified to reflect my recent application of the same process.

My use-case here is to have an FDE setup that also supports GRUB os-prober - until I can find time to sort LookingGlass as a declarative config also.

Most of this is scrambled from the following pages:

Partitioning

We create a 500MB EFI boot partition (/dev/sda1), and the rest of the disk will be our LUKS-encrypted physical volume for LVM (/dev/sda2).

$ gdisk /dev/sda
  • o (create new empty GUID partition table)
  • n (add partition, 500M, type EF00 EFI system)
  • n (add partition, remaining space, type 8E00 Linux LVM)
  • w (write partition table and exit)

Set up the encrypted LUKS partition and open it:

$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 enc-pv

We create two logical volumes: an 8GB swap partition, and the rest will be our root filesystem.

$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions:

$ mkfs.fat /dev/sda1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap

Installing NixOS

We mount the partitions we just created under /mnt so we can install NixOS on them.

$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap

Optional for Wireless Hosts

Configure WPA supplicant so we can use Wi-Fi:

$ cat > /etc/wpa_supplicant.conf
network={
  ssid="****"
  psk="****"
}
^D
$ systemctl start wpa_supplicant

Create Config

Now generate a NixOS configuration and modify it to our liking. The following is the configuration I started with.

$ nixos-generate-config --root /mnt
$ cat > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.initrd.luks.devices.crypted = {
      # the below should be the UUID of the LUKS container (/dev/sda2) as reported by `blkid`
      device = "/dev/disk/by-uuid/MYUUID";
      preLVM = true;
  };
}
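Before running nixos-install it is worth confirming that the UUID pasted in place of MYUUID is the LUKS container's own UUID (the one `blkid` reports with TYPE="crypto_LUKS" for /dev/sda2), not the placeholder and not the UUID of the ext4 root that lives inside it; if the initrd cannot find that device, the system will not boot. The script below is an added example and not part of the original gist: the function names are mine, and it takes `blkid` output and configuration.nix as text with constructed sample data, so it runs without real disks.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: confirm that the UUID pasted
# into boot.initrd.luks.devices.crypted.device is the LUKS container's UUID
# (TYPE="crypto_LUKS" in `blkid`), not the MYUUID placeholder and not the UUID
# of the ext4 root that lives inside it. Inputs are plain text, so this can be
# run against saved `blkid` output and configuration.nix without real disks.

# UUID of the first crypto_LUKS device in `blkid` output (empty if none).
luks_uuid_from_blkid() {
  printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' \
    | sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# UUID used in the /dev/disk/by-uuid/ device path of configuration.nix.
config_luks_uuid() {
  printf '%s\n' "$1" \
    | sed -n 's|.*device = "/dev/disk/by-uuid/\([^"]*\)".*|\1|p' | head -n 1
}

# Returns 0 when the config names the real LUKS container, 1 otherwise.
check_initrd_luks_device() {
  local want have
  want=$(luks_uuid_from_blkid "$1")
  have=$(config_luks_uuid "$2")
  [ -n "$want" ] || { echo "no crypto_LUKS device in blkid output" >&2; return 1; }
  case "$have" in
    "$want") echo "ok: initrd will unlock $want"; return 0 ;;
    ""|MYUUID) echo "placeholder or missing device UUID in configuration.nix" >&2; return 1 ;;
    *) echo "mismatch: config has $have, LUKS container is $want" >&2; return 1 ;;
  esac
}

# Constructed sample data (not from a real machine), laid out as in this gist.
SAMPLE_BLKID='/dev/sda1: UUID="A1B2-C3D4" TYPE="vfat" PARTLABEL="EFI System"
/dev/sda2: UUID="1f3a9c2e-5b7d-4e8f-9a0b-6c1d2e3f4a5b" TYPE="crypto_LUKS"
/dev/mapper/vg-root: LABEL="root" UUID="9e8d7c6b-5a4f-4e3d-8c1b-0a9f8e7d6c5b" TYPE="ext4"
/dev/mapper/vg-swap: LABEL="swap" UUID="0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d" TYPE="swap"'
SAMPLE_CONFIG_OK='boot.initrd.luks.devices.crypted = {
  device = "/dev/disk/by-uuid/1f3a9c2e-5b7d-4e8f-9a0b-6c1d2e3f4a5b";
  preLVM = true;
};'
# Common mistake: the ext4 root's UUID was pasted instead of the container's.
SAMPLE_CONFIG_WRONG_FS='boot.initrd.luks.devices.crypted = {
  device = "/dev/disk/by-uuid/9e8d7c6b-5a4f-4e3d-8c1b-0a9f8e7d6c5b";
  preLVM = true;
};'

check_initrd_luks_device "$SAMPLE_BLKID" "$SAMPLE_CONFIG_OK"
check_initrd_luks_device "$SAMPLE_BLKID" "$SAMPLE_CONFIG_WRONG_FS" || true
```

On the live installer, feed it real data with `check_initrd_luks_device "$(blkid)" "$(cat /mnt/etc/nixos/configuration.nix)"`.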

If we're happy with the configuration, install NixOS and reboot.

$ nixos-install
$ reboot

Troubleshooting

If for whatever reason the system doesn't boot, we can go back to the installation environment by booting from the installation media and remounting all partitions:

$ cryptsetup luksOpen /dev/sda2 enc-pv
$ lvchange -a y /dev/vg/swap
$ lvchange -a y /dev/vg/root
$ mount /dev/vg/root /mnt
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap
$ cp /mnt/etc/wpa_supplicant.conf /etc
$ systemctl start wpa_supplicant

We can now make further modifications to the configuration and try again.
