-
-
Save pseud0n/e55a6a822498ee39f472850cc76cff08 to your computer and use it in GitHub Desktop.
How I installed Encrypted ZFS root on NixOS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| disk=sda | |
| bootpart=1 | |
| mainpart=2 | |
| # sda1 for boot, sda2 for main, may vary if doing a dual boot | |
| # FIRST STOP THE zfs-zed SERVICE | |
| systemctl stop zfs-zed | |
| # FORCE UNLOAD ZFS KERNEL MODULES | |
| lsmod | grep zfs | cut -d' ' -f1 | xargs rmmod -f | |
| # NOW ADD THE FOLLOWING TO /etc/nixos/configuration.nix | |
| # | |
| # boot.supportedFilesystems = [ "zfs" ]; | |
| # boot.zfs.enableUnstable = true; | |
| # | |
| # AND REBUILD | |
| nixos-rebuild switch --upgrade | |
| # PARTITON DISK: 1 512MB EFI & REST ZFS | |
| # You can find sector size with `fdisk -l` as root | |
| # On a dual boot, start & end show the values in sectors. | |
| # The start (in sectors) of your 2 new partitions should be multiples of 2048 | |
| # (You will get a warning if not) | |
| # `mklabel gpt` will erase the whole disk! | |
| # https://www.gnu.org/software/parted/manual/html_node/mklabel.html | |
| # You can write sectors like `mkpart esp fat32 1408768000s 1409816576s` if you have alignment warnings | |
| # 1MiB is 2^20 (1 048 576) bytes. | |
| parted --script /dev/$disk -- \ | |
| mklabel gpt \ | |
| mkpart esp fat32 1MiB 512MiB \ | |
| mkpart primary 512MiB 100% \ | |
| set $bootpart boot on | |
| # CREATE AN ENCRYPTED ZFS POOL | |
| zpool create -f \ | |
| -o ashift=12 \ | |
| -O encryption=on \ | |
| -O keyformat=passphrase \ | |
| -O mountpoint=none \ | |
| rpool \ | |
| /dev/$disk$mainpart | |
| # CREATE A SWAP PARTITION | |
| # Rule of thumb, swap = RAM | |
| # getconf PAGESIZE was too small for me, needed 8192 instead of 4096 | |
| # The following 3 commands are for virtual memory if needed | |
| zfs create \ | |
| -V 8G \ | |
| -b $(getconf PAGESIZE) \ | |
| -o compression=zle \ | |
| -o logbias=throughput \ | |
| -o sync=always \ | |
| -o primarycache=metadata \ | |
| -o secondarycache=none \ | |
| -o com.sun:auto-snapshot=false \ | |
| rpool/swap | |
| mkswap -f /dev/zvol/rpool/swap | |
| swapon /dev/zvol/rpool/swap | |
| # CREATE A ROOT PARTITION | |
| zfs create \ | |
| -o mountpoint=legacy \ | |
| rpool/root | |
| mkdir -p /mnt | |
| mount -t zfs rpool/root /mnt | |
| # CREATE A HOME PARTITION | |
| zfs create \ | |
| -o mountpoint=legacy \ | |
| -o compression=on \ | |
| rpool/home | |
| mkdir -p /mnt/home | |
| mount -t zfs rpool/home /mnt/home | |
| # CREATE A BOOT PARTITON | |
| mkfs.fat -F 32 -n BOOT /dev/$disk$bootpart | |
| mkdir -p /mnt/boot | |
| mount -t vfat /dev/$disk$bootpart /mnt/boot | |
| # NOW GENERATE NIXOS CONFIG FOR /mnt | |
| nixos-generate-config --root /mnt | |
| # NOW ADD THE FOLLOWING TO /mnt/etc/nixos/configuration.nix | |
| # there is a requirement for hostId to be used with ZFS, 8 hex digits | |
| # | |
| # boot.initrd.supportedFilesystems = [ "zfs" ]; | |
| # boot.supportedFilesystems = [ "zfs" ]; | |
| # boot.zfs.enableUnstable = true; | |
| # services.zfs.autoScrub.enable = true; | |
| # | |
| # network.hostName = "pants"; | |
| # network.hostId = "abcdef01"; | |
| # | |
| # NOW INSTALL NIXOS | |
| nixos-install | |
| # NOW CLEANUP & REBOOT | |
| umount /mnt/{home,boot,} | |
| swapoff -a | |
| zpool export -a | |
| reboot |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment