peterromfeldhk · April 25, 2019 05:34
diff --git a/nixos-install-encrypted-root.sh b/nixos-install-encrypted-root.sh
 #!/usr/bin/env bash
 #
 #   Installs nixos with full disk encrypted root partition.
 #
 #   - Prompts for password initially, after that no interaction should
 #     be required.
 #   - At the end it will prompt for a root password, could not make
 #     echo-ing it into nixos-install work.
 #   - Reserves 550MB for boot partition, rest for the root volume.
 #   - After booting, log in as root user and set password for normal user.
 #   - Removed LVM on Luks due to terrible (only 20%) write performance (???)
 #
 #  USAGE:
 #   1. Fill in variables on top.
 #   2. $bash install.sh
 #
 set -euo pipefail

 DISK="/dev/sda"
 BOOT="/dev/sda1"
 ROOT="/dev/sda2"
 NIXOS_USER=""
 HOSTNAME=""
 NIXOS_VERSION="19.03"
 # CONSOLE_KEYMAP="us"  # the default
 CONSOLE_KEYMAP="colemak/en-latin9"
 # XKB_VARIANT=""       # the default
 XKB_VARIANT="colemak"
 CRYPT_VOLUME="/dev/mapper/crypted-nixos"

 ########################################################
 #  No need to edit anything below for normal usage.    #
 ########################################################

 read -s -p "DISK Password: " PASSWORD
 echo
 read -s -p "Confirm: " CONFIRMATION
 echo
 if [ ! "$PASSWORD" = "$CONFIRMATION" ]; then
    echo "Didn't match. Try again."
    exit 1
 fi

 echo "Creating partition table."
 (echo o         # new table
 echo Y         # yes
 echo n         # new part
 echo           # number 1
 echo           # start
 echo '+550M'   # end
 echo 'ef00'    # EFI
 echo n         # new part
 echo           # number 2
 echo           # start
 echo           # end
 echo           # linux
 echo w         # write
 echo Y         # yes
 ) | gdisk $DISK

 echo "Setting up LUKS."
 echo $PASSWORD |  cryptsetup luksFormat $ROOT
 echo "Opening crypt volume."
 echo $PASSWORD | cryptsetup luksOpen $ROOT crypted-nixos

 echo "Formatting partitions."
 mkfs.fat -F 32 $BOOT
 mkfs.ext4 -L root $CRYPT_VOLUME

 echo "Mounting partitions."
 mount $CRYPT_VOLUME /mnt
 mkdir -p /mnt/boot
 mount $BOOT /mnt/boot

 nixos-generate-config --root /mnt

 cat > /mnt/etc/nixos/configuration.nix <<EOF
 { config, pkgs, ... }:

 {

  imports = [ ./hardware-configuration.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "$HOSTNAME";
  networking.networkmanager.enable = true;

  i18n = {
     consoleKeyMap = "$CONSOLE_KEYMAP";
     defaultLocale = "en_US.UTF-8";
  };

  time.timeZone = "Asia/Hong_Kong";

  environment.systemPackages = with pkgs; [
    git
    vim
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.bash.enableCompletion = true;
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

  services.openssh.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.$NIXOS_USER = {
     isNormalUser = true;
     uid = 1000;
     extraGroups = [ "wheel" ];
  };

  system.stateVersion = "$NIXOS_VERSION"; # Did you read the comment?
 }
 EOF

 nixos-install

 echo "Reboot now, good luck!"
	#!/usr/bin/env bash
	#
	# Installs nixos with full disk encrypted root partition.
	#
	# - Prompts for password initially, after that no interaction should
	# be required.
	# - At the end it will prompt for a root password, could not make
	# echo-ing it into nixos-install work.
	# - Reserves 550MB for boot partition, rest for the root volume.
	# - After booting, log in as root user and set password for normal user.
	# - Removed LVM on Luks due to terrible (only 20%) write performance (???)
	#
	# USAGE:
	# 1. Fill in variables on top.
	# 2. $bash install.sh
	#
	set -euo pipefail

	DISK="/dev/sda"
	BOOT="/dev/sda1"
	ROOT="/dev/sda2"
	NIXOS_USER=""
	HOSTNAME=""
	NIXOS_VERSION="19.03"
	# CONSOLE_KEYMAP="us" # the default
	CONSOLE_KEYMAP="colemak/en-latin9"
	# XKB_VARIANT="" # the default
	XKB_VARIANT="colemak"
	CRYPT_VOLUME="/dev/mapper/crypted-nixos"

	########################################################
	# No need to edit anything below for normal usage. #
	########################################################

	read -s -p "DISK Password: " PASSWORD
	echo
	read -s -p "Confirm: " CONFIRMATION
	echo
	if [ ! "$PASSWORD" = "$CONFIRMATION" ]; then
	echo "Didn't match. Try again."
	exit 1
	fi

	echo "Creating partition table."
	(echo o # new table
	echo Y # yes
	echo n # new part
	echo # number 1
	echo # start
	echo '+550M' # end
	echo 'ef00' # EFI
	echo n # new part
	echo # number 2
	echo # start
	echo # end
	echo # linux
	echo w # write
	echo Y # yes
	) \| gdisk $DISK

	echo "Setting up LUKS."
	echo $PASSWORD \| cryptsetup luksFormat $ROOT
	echo "Opening crypt volume."
	echo $PASSWORD \| cryptsetup luksOpen $ROOT crypted-nixos

	echo "Formatting partitions."
	mkfs.fat -F 32 $BOOT
	mkfs.ext4 -L root $CRYPT_VOLUME

	echo "Mounting partitions."
	mount $CRYPT_VOLUME /mnt
	mkdir -p /mnt/boot
	mount $BOOT /mnt/boot

	nixos-generate-config --root /mnt

	cat > /mnt/etc/nixos/configuration.nix <<EOF
	{ config, pkgs, ... }:

	{

	imports = [ ./hardware-configuration.nix ];

	boot.loader.systemd-boot.enable = true;
	boot.loader.efi.canTouchEfiVariables = true;

	networking.hostName = "$HOSTNAME";
	networking.networkmanager.enable = true;

	i18n = {
	consoleKeyMap = "$CONSOLE_KEYMAP";
	defaultLocale = "en_US.UTF-8";
	};

	time.timeZone = "Asia/Hong_Kong";

	environment.systemPackages = with pkgs; [
	git
	vim
	];

	# Some programs need SUID wrappers, can be configured further or are
	# started in user sessions.
	programs.bash.enableCompletion = true;
	programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

	services.openssh.enable = true;

	# Define a user account. Don't forget to set a password with ‘passwd’.
	users.extraUsers.$NIXOS_USER = {
	isNormalUser = true;
	uid = 1000;
	extraGroups = [ "wheel" ];
	};

	system.stateVersion = "$NIXOS_VERSION"; # Did you read the comment?
	}
	EOF

	nixos-install

	echo "Reboot now, good luck!"