Skip to content

Instantly share code, notes, and snippets.

@davegallant

davegallant/nixos.md

Forked from martijnvermaat/nixos.md
Created May 2, 2021 17:50
Show Gist options
  • Save davegallant/510dee65f1d4705e1317fedb978435d7 to your computer and use it in GitHub Desktop.
Save davegallant/510dee65f1d4705e1317fedb978435d7 to your computer and use it in GitHub Desktop.
Download ZIP
Installation of NixOS with encrypted root
Raw
tipi.md

Installation of NixOS with encrypted root

These are my notes on instaling NixOS 16.03 on a Lenovo ThinkPad X1 Carbon (4th generation) with an encrypted root file system using UEFI.

Most of this is scrambled from the following pages:

Preparing installation media

I installed from a USB stick using the NixOS minimal ISO (this one to be precise).

$ dd bs=4M if=nixos-minimal-16.03.678.2597f52-x86_64-linux.iso of=/dev/sdb

Booting the installer

  • Disable Secure Boot Control
  • Disable USB legacy boot
  • Enable Launch CSM

Due to this kernel bug, we have to boot with the following kernel parameter: intel_pstate=no_hwp. Seems like this will be fixed soon.

Partitioning

We create a 500MB EFI boot partition (/dev/sda1) and the rest will be our LUKS encrypted physical volume for LVM (/dev/sda2).

$ gdisk /dev/sda
  • o (create new empty partition table)
  • n (add partition, 500M, type ef00 EFI)
  • n (add partition, remaining space, type 8300 Linux LVM)
  • w (write partition table and exit)

Setup the encrypted LUKS partition and open it:

$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 enc-pv

We create two logical volumes, a 8GB swap parition and the rest will be our root filesystem

$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions:

$ mkfs.fat /dev/sda1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap

Installing NixOS

We mount the partitions we just created under /mnt so we can install NixOS on them.

$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap

Configure WPA supplicant so we can use WIFI:

$ cat /etc/wpa_supplicant.conf
network={
  ssid="****"
  psk="****"
}
$ systemctl start wpa_supplicant

nixos-generate-config --root /mnt

/etc/nixos/hardware-configuration.nix:

# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:

{
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d59fd1c1-e017-4dfa-bbf3-369e76f67172";
      fsType = "ext4";
      options = "noatime,nodiratime,discard";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/D799-64D0";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/f5506d12-f12c-4477-b376-186401420869"; }
    ];

  nix.maxJobs = lib.mkDefault 4;
}

/mnt/etc/nixos/configuration.nix:

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  # boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;

  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/sda2";
      preLVM = true;
      allowDiscards = true;
    }
  ];

  # networking.hostName = "nixos"; # Define your hostname.
  networking.hostName = "tipi";
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.wireless.enable = true;

  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  # environment.systemPackages = with pkgs; [
  #   wget
  # ];

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.kdm.enable = true;
  # services.xserver.desktopManager.kde4.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
  #   isNormalUser = true;
  #   uid = 1000;
  # };

  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.03";

}

If we reboot, we can get back to this state with:

cryptsetup luksOpen /dev/sda2 enc-pv
lvchange -a y /dev/vg/swap
lvchange -a y /dev/vg/root
mount /dev/vg/root /mnt
mount /dev/sda1 /mnt/boot
swapon /dev/vg/swap
cp /mnt/etc/wpa_supplicant.conf /etc
systemctl start wpa_supplicant

nixos-install
reboot

warning: passing a comma-separated string for filesystem options is deprecated; use a list of strings instead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment