configuration.tmpfsroot.zfscrypt.template.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{

################################################################################
# System 
################################################################################

  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
    
  # Default nixPath.  Uncomment and modify to specify non-default nixPath
  # https://search.nixos.org/options?query=nix.nixPath
  #nix.nixPath =
  #  [
  #    "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
  #    "nixos-config=/persist/etc/nixos/configuration.nix"
  #    "/nix/var/nix/profiles/per-user/root/channels"
  #  ];
  
  # Enable non-free packages (Nvidia driver, etc)
  # Reboot after rebuilding to prevent possible clash with other kernel modules
  nixpkgs.config = {
    allowUnfree = true;
  };

  # Make nixos-rebuild snapshot the current configuration.nix to 
  # /run/current-system/configuration.nix
  # With this enabled, every new system profile contains the configuration.nix
  # that created it.  Useful in troubleshooting broken build, just diff 
  # current vs prior working configurion.nix.  This will only copy configuration.nix
  # and no other imported files, so put all config in this file.  
  # Configuration.nix should have no imports besides hardware-configuration.nix.
  # https://search.nixos.org/options?query=system.copySystemConfiguration
  system.copySystemConfiguration = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
  
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };
  
  time.timeZone = "America/Los_Angeles";

################################################################################
# Boot
################################################################################

  # import /persist into initial ramdisk so that tmpfs can access persisted data like user passwords
  # https://www.reddit.com/r/NixOS/comments/o1er2p/tmpfs_as_root_but_without_hardcoding_your/h22f1b9/
  # https://search.nixos.org/options?channel=21.05&show=fileSystems.%3Cname%3E.neededForBoot&query=fileSystems.%3Cname%3E.neededForBoot
  fileSystems."/persist".neededForBoot = true;
  
  # Use EFI boot loader with Grub.
  # https://nixos.org/manual/nixos/stable/index.html#sec-installation-partitioning-UEFI
  boot = {
	supportedFilesystems = [ "vfat" "zfs" ];
	loader = {
      systemd-boot.enable = true;
      efi = {
      	#canTouchEfiVariables = true;  # must be disabled if efiInstallAsRemovable=true
      	#efiSysMountPoint = "/boot/efi";  # using the default /boot for this config
      };
      grub = {
      	enable = true;
      	efiSupport = true;
      	efiInstallAsRemovable = true;  # grub will use efibootmgr 
      	zfsSupport = true;
 	  	copyKernels = true;  # https://nixos.wiki/wiki/NixOS_on_ZFS
      	device = "nodev";  # "/dev/sdx", or "nodev" for efi only
      };
    };
  };

################################################################################
# ZFS
################################################################################

  # Set the disk’s scheduler to none. ZFS takes this step automatically 
  # if it controls the entire disk, but since it doesn't control the /boot 
  # partition we must set this explicitly.
  # source: https://grahamc.com/blog/nixos-on-zfs
  boot.kernelParams = [ "elevator=none" ];

  boot.zfs = {
    requestEncryptionCredentials = true; # enable if using ZFS encryption, ZFS will prompt for password during boot
  };

  services.zfs = {
    autoScrub.enable = true;
    autoSnapshot.enable = true;
    # TODO: autoReplication
  };

################################################################################
# Networking
################################################################################

  networking = {
    #hostId = "$(head -c 8 /etc/machine-id)";  # required by zfs. hardware-specific so should be set in hardware-configuration.nix
    hostName = "z11pa-d8";  # Any arbitrary hostname.
    #wireless.enable = true;  # Wireless via wpa_supplicant. Unecessary with Gnome.

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
    useDHCP = false;
    interfaces = {
      eno1.useDHCP = true;
      eno2.useDHCP = true;
      eno3.useDHCP = true;
      eno4.useDHCP = true;
      wlp175s0.useDHCP = true;
    };
  };
  
################################################################################
# Persisted Artifacts
################################################################################

  #Erase Your Darlings & Tmpfs as Root:
  # config/secrets/etc to be persisted across tmpfs reboots and rebuilds.  setup
  # soft-links from /persist/<loc on root> to their expected location on /<loc on root>
  # https://github.com/barrucadu/nixfiles/blob/master/hosts/nyarlathotep/configuration.nix
  # https://grahamc.com/blog/erase-your-darlings
  # https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
  
  environment.etc = {

  	# /etc/nixos: requires /persist/etc/nixos 
  	"nixos".source = "/persist/etc/nixos";
  	
        #NetworkManager/system-connections: requires /persist/etc/NetworkManager/system-connections
  	"NetworkManager/system-connections".source = "/persist/etc/NetworkManager/system-connections/";
  	
  	# machine-id is used by systemd for the journal, if you don't persist this 
  	# file you won't be able to easily use journalctl to look at journals for 
  	# previous boots.
  	"machine-id".source = "/persist/etc/machine-id";
  	
  	# if you want to run an openssh daemon, you may want to store the host keys 
  	# across reboots.
        "ssh/ssh_host_rsa_key".source = "/persist/etc/ssh/ssh_host_rsa_key";
	"ssh/ssh_host_rsa_key.pub".source = "/persist/etc/ssh/ssh_host_rsa_key.pub";
	"ssh/ssh_host_ed25519_key".source = "/persist/etc/ssh/ssh_host_ed25519_key";
	"ssh/ssh_host_ed25519_key.pub".source = "/persist/etc/ssh/ssh_host_ed25519_key.pub";

  };
  
  #2. Wireguard:  requires /persist/etc/wireguard/
  networking.wireguard.interfaces.wg0 = {
    generatePrivateKeyFile = true;
    privateKeyFile = "/persist/etc/wireguard/wg0";
  };
  
  #3. Bluetooth: requires /persist/var/lib/bluetooth
  #4. ACME certificates: requires /persist/var/lib/acme  
  systemd.tmpfiles.rules = [
    "L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
    "L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth" 
    "L /var/lib/acme - - - - /persist/var/lib/acme"
  ];

################################################################################
# GnuPG & SSH
################################################################################

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    passwordAuthentication = true;
    hostKeys =
      [
        {
          path = "/persist/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
        {
          path = "/persist/etc/ssh/ssh_host_rsa_key";
          type = "rsa";
          bits = 4096;
        }
      ];
  };
  
  # Enable GnuPG Agent
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

################################################################################
# XServer & Drivers
################################################################################
  
  hardware.opengl = {
  	driSupport = true;  # install and enable Vulkan: https://nixos.org/manual/nixos/unstable/index.html#sec-gpu-accel
  	#extraPackages = [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ];  # only if using Intel graphics
  };
  
  # Enable X11 + Nvidia
  # https://nixos.org/manual/nixos/unstable/index.html#sec-gnome-gdm
  services.xserver = {
    enable = true;  # enable X11
    layout = "us";
    xkbOptions = "eurosign:e";
    #videoDrivers = [ "nvidia" ];  # seems unecessary if nixpkgs.config.allowUnfree=true (above in System section);
  };
  
################################################################################
# Window Managers & Desktop Environment
################################################################################

  # Enable gdm + GNOME
  services.xserver = {
    desktopManager.gnome.enable = true;
    displayManager.gdm.enable = true;
  };
  #services.gnome.core-developer-tools.enable = true;
    
################################################################################
# Print
################################################################################

  # Enable CUPS to print documents.
  services.printing.enable = true;
  
################################################################################
# Sound
################################################################################
  
  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;

################################################################################
# Input
################################################################################

  # Enable touchpad support (enabled by default in most desktopManagers).
  # services.xserver.libinput.enable = true;

################################################################################
# Users
################################################################################

  # When using a password file via users.users.<name>.passwordFile, put the 
  # passwordFile in the specified location *before* rebooting, or you will be 
  # locked out of the system.  To create this file, make a single file with only 
  # a password hash in it, compatible with `chpasswd -e`.  Or you can copy-paste 
  # your password hash from `/etc/shadow` if you first built the system with 
  # `password=`, `hashedPassword=`, initialPassword-, or initialHashedPassword=.
  # `sudo cat /etc/shadow` will show all hashed user passwords.
  # More info:  https://search.nixos.org/options?channel=21.05&show=users.users.%3Cname%3E.passwordFile&query=users.users.%3Cname%3E.passwordFile
  
  users = {
    mutableUsers = false;
    defaultUserShell = "/var/run/current-system/sw/bin/zsh";
    users = {
      root = {
      	# disable root login here, and also when installing nix by running nixos-install --no-root-passwd
        # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
        hashedPassword = "!";  # disable root logins, nothing hashes to !
      };
      test = {
      	isNormalUser = true;
      	description = "Non-sudo account for testing new config options that could break login.  If need sudo for testing, add 'wheel' to extraGroups and rebuild.";
        initialPassword = "password";
        #passwordFile = "/persist/etc/users/test";
	extraGroups = [ "networkmanager" ];
        #openssh.authorizedKeys.keys = [ "${AUTHORIZED_SSH_KEY}" ];
      };
      me = {
      	isNormalUser = true;
      	description = "Me Myself and I";
        passwordFile = "/persist/etc/users/me";  
	extraGroups = [ "wheel" "networkmanager" ];
        #openssh.authorizedKeys.keys = [ "${AUTHORIZED_SSH_KEY}" ];
      };
    };
  };

################################################################################
# Applications
################################################################################

  # List packages installed in system profile. To search, run:
  # $ nix search <packagename>
  environment.systemPackages = with pkgs; [
  	
  	# system core (useful for a minimal first install)
  	nix-index 
	efibootmgr 
  	parted gparted gptfdisk 
	pciutils uutils-coreutils wget  
    	openssh ssh-copy-id ssh-import-id fail2ban sshguard
	git git-extras 
  	zsh oh-my-zsh 
    	firefox irssi 
  	screen tmux
	vim emacs  
  	htop ncdu 
   	
  ];

################################################################################
# Program Config
################################################################################

  programs.zsh = {
    enable = true;  
    ohMyZsh = {
      enable = true;
      plugins = [ "colored-man-pages" "colorize" "command-not-found" "emacs" "git" "git-extras" "history" "man" "rsync" "safe-paste" "scd" "screen" "systemd" "tmux" "urltools" "vi-mode" "z" "zsh-interactive-cd" ]; 
      theme = "juanghurtado";
      #theme = "jonathan"; 
      # themes displaying commit hash: jonathan juanghurtado peepcode simonoff smt sunrise sunaku theunraveler 
      # cool themes: linuxonly agnoster blinks crcandy crunch essembeh flazz frisk gozilla itchy gallois eastwood dst clean bureau bira avit nanotech nicoulaj rkj-repos ys darkblood fox 
    };
  };

  # ACME certificates: https://nixos.org/manual/nixos/unstable/index.html#module-security-acme
  security.acme = {
  	acceptTerms = true;
  	email = "[email protected]";
  };

}

hardware-configuration.tmpfsroot.zfscrypt.template.nix

# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  # defaults
  imports =
    [ (modulesPath + "/hardware/network/broadcom-43xx.nix")
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  
  # defaults
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  # https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks
  # need permissions set to 755 or some software like openssh will complain.
  # Tmpfs size can be whatever you want it to be, based on your available RAM. 
  # A fresh install of NixOS + Gnome4 uses just over 200MB in Tmpfs, so 
  # size=512M is sufficient, or 1GB or 2GB if you may need more headroom. 
  fileSystems."/" =
    { device = "tmpfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=2G" "mode=755" ];
    };

  fileSystems."/nix" =
    { device = "rpool/local/nix";
      fsType = "zfs";
    };

  fileSystems."/home" =
    { device = "rpool/safe/home";
      fsType = "zfs";
    };

  fileSystems."/persist" =
    { device = "rpool/safe/persist";
      fsType = "zfs";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B5A3-648C";
      fsType = "vfat";
    };

  # I avoid swap files these days if at all possible. Partly to avoid the wear 
  # on my SSDs, partly b/c RAM is cheap enough to not need it, and partly b/c
  # it's not a good idea to put swap on ZFS.  If you must have swap, put 
  # it on a separate non-ZFS partition.  More info here:
  # https://nixos.wiki/wiki/NixOS_on_ZFS#Caveats
  swapDevices = [ ];

  # default
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  
  # The NixOS docs put these properties in configuration.nix, but I prefer to 
  # put all machine-specific properties in hardware-configuration.nix instead,
  # to keep configuration.nix maximally portable across different machines.
  networking.hostId = "6b36ccc6";
  boot.zfs.devNodes = "/dev/disk/by-id/ata-WDC_WDS100T2B0B-00YS70_1831C1810345-part2";
  
  # Note - since this file can potentially be overwritten by future invocations,
  # keep a master copy somewhere safe.  Always work on the master, then copy it
  # to /etc/nixos/hardware-configuration.nix when ready to rebuild.  Same with
  # configuration.nix.
}

nixos-genconfig-with-tmpfsroot-zfscrypt.sh

#!/usr/bin/env bash

# A NixOS partition scheme with UEFI boot, root on tmpfs, everything else 
# on encrypted ZFS datasets, and no swap.
# This script wipes and formats the selected disk, and creates the following:
# 1. 1GB FAT32 UEFI boot partition (each Nix generation consumes about 20MB on 
#    /boot, so size this based on how many generations you want to store)
# 2. Encrypted ZFS pool comprising all remaining disk space - rpool
# 3. Tmpfs root - /
# 4. ZFS datasets - rpool/local/nix, rpool/safe/[home,persist], rpool/reserved
# 5. mounts all of the above (except rpool/reserved which should never be mounted)
# 6. generates hardware-configuration.nix customized to this machine and tmpfs
# 7. generates a generic default configuration.nix replace-able with a custom one
#
# https://www.reddit.com/r/NixOS/comments/o1er2p/tmpfs_as_root_but_without_hardcoding_your/
# https://www.reddit.com/r/NixOS/comments/g9wks6/root_on_tmpfs/
# https://grahamc.com/blog/nixos-on-zfs
# https://grahamc.com/blog/erase-your-darlings
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
# https://elis.nu/blog/2020/06/nixos-tmpfs-as-home/
# 
# Disk Partitions:
# sda
# ├─sda1            /boot EFI BOOT
# └─sda2            rpool ZFS POOL
#
# Mount Layout:
# /		    tmpfs
# ├─/boot           /dev/sda1
# ├─/nix	    rpool/local/nix
# ├─/home	    rpool/safe/home
# └─/persist	    rpool/safe/persist

#useful commands
# mount -l | grep sda
# findmnt | grep zfs
# lsblk
# ncdu -x /
# zpool list
# zfs list -o name,mounted,mountpoint
# zfs mount (only usable with non-legacy datasets)
# zfs unmount -a (unmount everything, only usable with non-legacy datasets)
# umount -R /mnt (unmount everything in /mnt recursively, required for legacy zfs datasets)
# zpool export $POOL (disconnects the pool)
# zpool remove $POOL sda1 (removes the disk from your zpool)
# zpool destroy $POOL (this destroys the pool and it's gone and rather difficult to retrieve)

# Some ZFS properties cannot be changed after the pool and/or datasets are created.  Some discussion on this:
# https://www.reddit.com/r/zfs/comments/nsc235/what_are_all_the_properties_that_cant_be_modified/
# `ashift` is one of these properties, but is easy to determine.  Use the following commands:
# disk logical blocksize:  `$ sudo blockdev --getbsz /dev/sdX` (ashift)
# disk physical blocksize: `$ sudo blockdev --getpbsz /dev/sdX` (not ashift but interesting)

#set -euo pipefail
set -e

pprint () {
    local cyan="\e[96m"
    local default="\e[39m"
    # ISO8601 timestamp + ms
    local timestamp
    timestamp=$(date +%FT%T.%3NZ)
    echo -e "${cyan}${timestamp} $1${default}" 1>&2
}

# Select DISK to format and install to
echo # move to a new line
pprint "> Select installation disk: "
select ENTRY in $(ls /dev/disk/by-id/);
do
    DISK="/dev/disk/by-id/$ENTRY"
    echo "Installing system on $ENTRY."
    break
done

# Set ZFS pool name
read -p "> Name your ZFS pool: " POOL
read -p "> You entered '$POOL'.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1

# Confirm wipe hdd
read -p "> Do you want to wipe all data on $ENTRY ?" -n 1 -r
echo # move to a new line
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
    # Clear disk (sometimes need to run wipefs twice when deleting ZFS pools)
    # May also need to `umount -R /mnt`
    pprint "Wiping $DISK. If errors occur, make sure all $DISK partitions are umounted and ZFS Pools are exported and/or destroyed."
    pprint "To do so, run 'findmnt' to see all current mounts, umount /dev/sdX to unmount, and zpool export <poolname>." 
    wipefs -af "$DISK"
    sleep 1
    wipefs -af "$DISK"
    sgdisk -Zo "$DISK"
fi

# if you're new to sgdisk, see these guides by its developer:
# https://www.rodsbooks.com/gdisk/
# https://www.rodsbooks.com/gdisk/walkthrough.html
pprint "Creating boot (EFI) partition ..."
sgdisk -n 0:0:+954M -t 0:EF00 -c 0:efiboot $DISK
BOOT="$DISK-part1"

pprint "Creating ZFS partition ..."
sgdisk -n 0:0:0 -t 0:BF01 -c 0:zfspool $DISK
ZFS="$DISK-part2"

# Inform kernel
partprobe "$DISK"
sleep 1

pprint "Formatting BOOT partition $BOOT as FAT32 ... "
mkfs.vfat -F 32 "$BOOT"

# Inform kernel
partprobe "$DISK"
sleep 1

pprint "Creating ZFS pool on $ZFS ..."
# -f force
# -m none (mountpoint), canmount=off.  ZFS datasets on this pool unmountable 
# unless explicitly specified otherwise in 'zfs create'.
# Use blockdev --getbsz /dev/sdX to find correct ashift for your disk.
# acltype=posix, xattr=sa required
# atime=off and relatime=on for performance
# recordsize depends on usage, 16k for database server or similar, 1M for home media server with large files
# normalization=formD for max compatility
# secondarycache=none to disable L2ARC which is not needed
# more info on pool properties:
# https://nixos.wiki/wiki/NixOS_on_ZFS#Dataset_Properties
# https://jrs-s.net/2018/08/17/zfs-tuning-cheat-sheet/
zpool create -f	-m none	-R /mnt	\
	-o ashift=12				\
	-o listsnapshots=on			\
	-O acltype=posix			\
	-O compression=lz4			\
	-O encryption=on			\
	-O keylocation=prompt		\
	-O keyformat=passphrase 	\
	-O canmount=off				\
	-O atime=off				\
	-O relatime=on 				\
	-O recordsize=1M			\
	-O dnodesize=auto			\
	-O xattr=sa					\
	-O normalization=formD		\
	$POOL $ZFS

pprint "Creating ZFS datasets nix, opt, home, persist, reserved ..."
zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/nix
zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/home
zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/persist
# create an unused, unmounted 2GB dataset.  In case the rest of the pool runs out 
# of space required for ZFS operations (even deletions require disk space in a 
# copy-on-write filesystem), shrink or delete this pool to free enough
# space to continue ZFS operations.
# https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
zfs create -o refreservation=2G -o primarycache=none -o secondarycache=none -o mountpoint=none ${POOL}/reserved

pprint "Enabling auto-snapshotting for ${POOL}/safe/[home,persist] datasets ..."
zfs set com.sun:auto-snapshot=true ${POOL}/safe

pprint "Mounting Tmpfs and ZFS datasets ..."
mkdir -p /mnt
mount -t tmpfs tmpfs /mnt
mkdir -p /mnt/nix
mount -t zfs ${POOL}/local/nix /mnt/nix
mkdir -p /mnt/home
mount -t zfs ${POOL}/safe/home /mnt/home
mkdir -p /mnt/persist
mount -t zfs ${POOL}/safe/persist /mnt/persist
mkdir -p /mnt/boot
mount -t vfat "$BOOT" /mnt/boot

pprint "Making /mnt/persist/ subdirectories for persisted artifacts ..."
mkdir -p /mnt/persist/etc/ssh
mkdir -p /mnt/persist/etc/users
mkdir -p /mnt/persist/etc/nixos
mkdir -p /mnt/persist/etc/wireguard/
mkdir -p /mnt/persist/etc/NetworkManager/system-connections
mkdir -p /mnt/persist/var/lib/bluetooth
mkdir -p /mnt/persist/var/lib/acme

pprint "Generating NixOS configuration ..."
nixos-generate-config --force --root /mnt

# Specify machine-specific properties for hardware-configuration.nix
HOSTID=$(head -c8 /etc/machine-id)

HARDWARE_CONFIG=$(mktemp)
cat <<CONFIG > "$HARDWARE_CONFIG"
  networking.hostId = "$HOSTID";
  boot.zfs.devNodes = "$ZFS";
CONFIG

# Add extra Tmpfs config options to the / mount section in hardware-configuration.nix
# mode=755: required for some software like openssh, or will complain about permissions
# size=2G: Tmpfs size. A fresh NixOS + Gnome4 install can use 30MB - 230MB on tmpfs.
# size=512M is sufficient, or larger if you have enough RAM and want more headroom.
# backing up original to /mnt/etc/nixos/hardware-configuration.nix.original.
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks
pprint "Adding Tmpfs options to hardware-configuration.nix ..."
sed --in-place=.original '/fsType = "tmpfs";/a\      options = [ "defaults" "size=2G" "mode=755" ];' /mnt/etc/nixos/hardware-configuration.nix

pprint "Appending machine-specific properties to hardware-configuration.nix ..."
sed -i "\$e cat $HARDWARE_CONFIG" /mnt/etc/nixos/hardware-configuration.nix

pprint "Configuration complete.  To install, run 'nixos-install --no-root-passwd'."
#if install fails, try the install script below:

# ---- install script ---- 
# #!/usr/bin/env bash
# install NixOS with no root password
#set -e
# If nixos-install fails, may need to prepend this nixos-build line to install script:
# https://github.com/NixOS/nixpkgs/issues/126141#issuecomment-861720372
#nix-build -v '<nixpkgs/nixos>' -A config.system.build.toplevel -I nixos-config=/mnt/etc/nixos/configuration.nix
# install NixOS with no root password.  Must use `passwd` on first use to set user password.
#nixos-install -v --show-trace --no-root-passwd
# ---- /install script ----

hi,
I tried the script and it failed with this message
any idea what went wrong?

cannot open 'rpool/safe': dataset does not exist

Hey, I used “rpool” for my pool name and it looks like I accidentally hard-coded “rpool” in place of what should be the pool name variable “${POOL}”. I’ll try to update this later, but it’s an easy fix, just search and replace “rpool” with “${POOL}” (minus the quotation marks.

Edit: just fixed it, forgot you can fix gists in the website without having to git pull/edit/push.

thanks.. that was the issue :D I think with a clear head it would see it too..

the script worked.
now I have the next error when I try to install.. (I modified your configuration)

copying channel...
installing the boot loader...
setting up /etc...
/etc/nixos directory contains user files. Symlinking may fail. at /nix/store/vn1xs9s2akf79y1pbya2qldydbf2b22m-setup-etc.pl line 99.
Warning: something's wrong at /nix/store/vn1xs9s2akf79y1pbya2qldydbf2b22m-setup-etc.pl line 120.
/etc/tmpfiles.d/journal-nocow.conf:26: Failed to resolve specifier: uninitialized /etc detected, skipping
All rules containing unresolvable specifiers will be skipped.
updating GRUB 2 menu...
installing the GRUB 2 EFI boot loader into /boot...
Installing for x86_64-efi platform.
/nix/store/vdpz7w02wl6nqgw8b7b0w4ii18k3r6f8-grub-2.06/sbin/grub-install: warning: cannot open directory `/nix/store/vdpz7w02wl6nqgw8b7b0w4ii18k3r6f8-grub-2.06/share/locale': No such file or directory.
Installation finished. No error reported.
installation finished!

I will try to figure it out myself

funny that you had the same issue :D https://discourse.nixos.org/t/installation-error-symlinking-to-mnt-etc/14027
edit:
I tried to boot and it worked.. but /etc/nixos/ is empty. is this intended?
I copied the files back and it looks like it works so far

I don't recall how I made that error stop, but it did. It may just happen on the first install, and not on subsequent rebuilds, not sure.

And /etc/nixos/ shouldn't be empty normally, but maybe it is on first boot. Try making a minor modification to configuration.nix, copying it into /etc/nixos/, and doing a rebuild. The files should persist in /etc/nixos across rebuilds.

Also take note of whether you're softlinking /persist/etc/nixos/ to /etc/nixos/, as I do. If you're doing that too, then copy configuration.nix into /persist/etc/nixos/ instead and then do the reboot. It should automatically update /etc/nixos/configuration.nix.

yeah after the first rebuild after the reboot the error was gone.
about the configs..
i dont remember where i copied the files .. but they have been in /etc/nixos and after the reboot they have been gone..
thanks a lot for your script it helped me a lot to set everything up. when i'm satisfied i will try to enhance my homefolder with impersistence

If you don't have a backup copy of configuration.nix, there should be one in /run/current-system/configuration.nix. That's what system.copySystemConfiguration = true; does.