@davegallant
Forked from martijnvermaat/nixos.md
Created May 2, 2021 17:50
Installation of NixOS with encrypted root

Windows license: EULAID:T1C_2R_1_ED_CC_O_en-us

http://chris-martin.org/2015/installing-nixos
https://earldouglas.com/notes/linux.html
https://bluishcoder.co.nz/2014/05/14/installing-nixos-with-encrypted-root-on-thinkpad-w540.html

https://nixos.org/releases/nixos/16.03/nixos-16.03.678.2597f52/nixos-minimal-16.03.678.2597f52-x86_64-linux.iso

sudo dd bs=4M if=nixos-minimal-16.03.678.2597f52-x86_64-linux.iso of=/dev/sdb

Enable USB legacy boot (instead of or in addition to UEFI)

https://bugzilla.kernel.org/show_bug.cgi?id=110941

Boot with kernel parameter intel_pstate=no_hwp

gdisk /dev/sda
  o (create new empty partition table)
  n (add partition, 500M, type ef00 EFI)
  n (add partition, remaining space, type 8300 Linux filesystem; this partition will hold the LUKS container)
  w (write partition table and exit)
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 enc-pv
pvcreate /dev/mapper/enc-pv
vgcreate vg /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg
lvcreate -l '100%FREE' -n root vg
mkfs.fat /dev/sda1
mkfs.ext4 -L root /dev/vg/root
mkswap -L swap /dev/vg/swap
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
swapon /dev/vg/swap

Create /etc/wpa_supplicant.conf:

network={
  ssid="****"
  psk="****"
}

Then systemctl start wpa_supplicant

nixos-generate-config --root /mnt

/mnt/etc/nixos/hardware-configuration.nix (generated by the command above):

# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:

{
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d59fd1c1-e017-4dfa-bbf3-369e76f67172";
      fsType = "ext4";
      options = "noatime,nodiratime,discard";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/D799-64D0";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/f5506d12-f12c-4477-b376-186401420869"; }
    ];

  nix.maxJobs = lib.mkDefault 4;
}

/mnt/etc/nixos/configuration.nix:

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  # boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;

  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/sda2";
      preLVM = true;
      allowDiscards = true;
    }
  ];

  # networking.hostName = "nixos"; # Define your hostname.
  networking.hostName = "tipi";
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.wireless.enable = true;

  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  # environment.systemPackages = with pkgs; [
  #   wget
  # ];

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.kdm.enable = true;
  # services.xserver.desktopManager.kde4.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
  #   isNormalUser = true;
  #   uid = 1000;
  # };

  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.03";

}

If we reboot, we can get back to this state with:

cryptsetup luksOpen /dev/sda2 enc-pv
lvchange -a y /dev/vg/swap
lvchange -a y /dev/vg/root
mount /dev/vg/root /mnt
mount /dev/sda1 /mnt/boot
swapon /dev/vg/swap
cp /mnt/etc/wpa_supplicant.conf /etc
systemctl start wpa_supplicant
nixos-install
reboot
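An added check, not part of the gist: before running nixos-install, cross-check the by-uuid entries in the generated hardware-configuration.nix and the initrd LUKS entry against `blkid`, since a stale UUID (for example after re-creating the swap LV) leaves the new system in the emergency shell. The config fragments and the blkid table below are constructed samples; the UUIDs in them are not the gist's.

```python
import re

# Constructed samples: the generated hardware-configuration.nix, the luks
# block from configuration.nix, and blkid output captured after the swap LV
# was re-created, so its UUID no longer matches the config.
HARDWARE_NIX = '''
  fileSystems."/" = { device = "/dev/disk/by-uuid/d59fd1c1-e017-4dfa-bbf3-369e76f67172"; fsType = "ext4"; };
  fileSystems."/boot" = { device = "/dev/disk/by-uuid/D799-64D0"; fsType = "vfat"; };
  swapDevices = [ { device = "/dev/disk/by-uuid/f5506d12-f12c-4477-b376-186401420869"; } ];
'''
CONFIG_NIX = '''
  boot.initrd.luks.devices = [ { name = "root"; device = "/dev/sda2"; preLVM = true; allowDiscards = true; } ];
'''
BLKID = '''\
/dev/sda1: UUID="D799-64D0" TYPE="vfat"
/dev/sda2: UUID="0b2e5b3c-0000-4000-8000-000000000001" TYPE="crypto_LUKS"
/dev/mapper/vg-root: LABEL="root" UUID="d59fd1c1-e017-4dfa-bbf3-369e76f67172" TYPE="ext4"
/dev/mapper/vg-swap: LABEL="swap" UUID="6d0a1f22-0000-4000-8000-000000000002" TYPE="swap"
'''

def blkid_table(text):
    """Map device path -> (UUID, TYPE) from blkid output."""
    rows = re.findall(r'^(\S+): .*?UUID="([^"]+)".*?TYPE="([^"]+)"', text, re.M)
    return {dev: (uuid, typ) for dev, uuid, typ in rows}

def stale_uuids(hardware_nix, blkid_text):
    """by-uuid devices the config expects but no block device reports."""
    present = {uuid for uuid, _ in blkid_table(blkid_text).values()}
    wanted = re.findall(r'device = "/dev/disk/by-uuid/([^"]+)"', hardware_nix)
    return [u for u in wanted if u not in present]

def luks_findings(config_nix, blkid_text):
    """Notes on the initrd LUKS entry: device naming and the discard setting."""
    out = []
    dev = re.search(r'device = "(/dev/[^"]+)"', config_nix).group(1)
    if not dev.startswith("/dev/disk/by-"):
        # /dev/sdX can change between boots; the LUKS header's own UUID cannot.
        uuid, typ = blkid_table(blkid_text).get(dev, (None, None))
        hint = f"/dev/disk/by-uuid/{uuid}" if typ == "crypto_LUKS" else "<unknown>"
        out.append(f"luks device {dev} is a kernel name; prefer {hint}")
    if re.search(r'allowDiscards\s*=\s*true', config_nix):
        # TRIM passes through dm-crypt, so the unused-block pattern of the
        # filesystem becomes visible to anyone who reads the raw disk.
        out.append("allowDiscards = true: TRIM reveals which blocks are unused")
    return out

if __name__ == "__main__":
    print("stale UUIDs:", stale_uuids(HARDWARE_NIX, BLKID))
    for note in luks_findings(CONFIG_NIX, BLKID):
        print("note:", note)
```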