Forked from walkermalling/luks-encrypted-root-on-nixos.org
Created June 13, 2021 15:58
Revisions
walkermalling revised this gist
Jun 10, 2020 . 1 changed file with 1 addition and 1 deletion.
@@ -195,5 +195,5 @@ Login to root, and add add user: #+begin_src sh useradd -c 'Me' -m me passwd me #+end_src
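Review bot: in the @@ -195,5 +195,5 @@ hunk, `passwd me` now matches the account created by `useradd -c 'Me' -m me` (the earlier text ran `passwd blah`, which targets a user that was never created), but the context line still reads "add add user"; drop the doubled word. On NixOS an account is normally declared in configuration.nix rather than created imperatively, e.g. `users.users.me = { isNormalUser = true; };`, so that it is part of the reproducible system definition instead of state that exists only on this install.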
walkermalling revised this gist
Jun 8, 2020 . 1 changed file with 9 additions and 5 deletions.
@@ -2,6 +2,8 @@ Here are my working notes on getting a system up and running. WARNING: You can run into a hidden problem that will prevent a correct partition setup and =/etc/nixos/configuration.nix= from working: if you are setting up a UEFI system, then you need to make sure you boot into the NixOS installation from the UEFI partition of the bootable media. You may have to enter your BIOS boot selection menu to verify this. For example, if you setup a NixOS installer image on a flash drive, your BIOS menu may display several boot options from that flash drive: choose the one explicitly labeled with "UEFI". ** References I used these resources: @@ -127,7 +129,6 @@ sudo nixos-generate-config --root /mnt Edit configuration. Here is the part pertinent to luks setup: #+begin_src nix { config, pkgs, ... }: { @@ -141,7 +142,6 @@ Edit configuration. Here is the part pertinent to luks setup: # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; # grub boot.loader.grub = { @@ -154,10 +154,9 @@ Edit configuration. Here is the part pertinent to luks setup: # luks boot.initrd.luks.devices = { crypted = { device = "/dev/disk/by-uuid/<the uuid of /dev/sda2 in this example>"; preLVM = true; }; };
@@ -177,6 +176,11 @@ Note the line =boot.loader.grub.device = "nodev";= this is a special value: http "The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed." Note the absence of =boot.loader.efi.efiSysMountPoint = "/boot/efi"=; my installation would not succeed if I specified this. Note that the name of the encrypted filesystem in =boot.initrd.luks.devices= is the name used in =cryptsetup luksOpen= and in =vgcreate=. ** Install NixOs Run the install
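Review bot: the @@ -141,7 +142,6 @@ hunk still enables both `boot.loader.systemd-boot` and `boot.loader.grub` for the same ESP; keep one loader. With systemd-boot the whole `boot.loader.grub` block, `device = "nodev"` included, can go. If GRUB on EFI is the choice, `enableCryptodisk = true` is only needed when /boot itself lives inside the LUKS container, and here /boot is the plain FAT32 partition on /dev/sda1.

Review bot: in the @@ -154,10 +154,9 @@ hunk, the placeholder `<the uuid of /dev/sda2 in this example>` should say which UUID is meant: the UUID of the LUKS container on /dev/sda2 as shown by `lsblk -f` or `sudo cryptsetup luksUUID /dev/sda2`, not the UUID of the ext4 filesystem labelled `nixos` inside it. `nixos-generate-config` may already have written a `boot.initrd.luks.devices` entry for this device into hardware-configuration.nix; the two definitions need to agree on the name and the device.

Review bot: in the @@ -177,6 +176,11 @@ hunk, "the name used in cryptsetup luksOpen and in vgcreate" is misleading. The attribute name (`crypted`) is the device-mapper name given to `luksOpen`, and it reaches `pvcreate`/`vgcreate` only as the PV path `/dev/mapper/crypted`; the first argument of `vgcreate` (`vg`) is the volume-group name and is independent of it. Suggested wording: "the name in boot.initrd.luks.devices is the mapper name passed to cryptsetup luksOpen, i.e. the <name> in /dev/mapper/<name>".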
walkermalling revised this gist
Jun 8, 2020 . 1 changed file with 8 additions and 8 deletions.
@@ -144,17 +144,17 @@ Edit configuration. Here is the part pertinent to luks setup: boot.loader.efi.efiSysMountPoint = "/boot/efi"; # grub boot.loader.grub = { enable = true; version = 2; efiSupport = true; enableCryptodisk = true; device = "nodev"; }; # luks boot.initrd.luks.devices = { nixos = { device = "/dev/disk/by-uuid/2ecabe39-02d5-4cec-bff6-8f20ccd566d1"; preLVM = true; # allowDiscard = true;
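Review bot: `boot.loader.efi.efiSysMountPoint = "/boot/efi"` in this hunk does not match the mount layout earlier in the file, where the ESP is mounted at /mnt/boot (so /boot in the installed system); either mount it at /mnt/boot/efi or drop the option and keep the default /boot, which is what the later revision ends up doing. The `nixos = {` line restores the `=` the previous revision lost (`nixos {` is not valid Nix), and `enableCryptodisk = true` remains unnecessary because /boot is not encrypted.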
walkermalling revised this gist
Jun 8, 2020 . 1 changed file with 25 additions and 27 deletions.
@@ -38,7 +38,7 @@ Create the boot partition at the beginning of the disk #+begin_src sh sudo parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB sudo parted /dev/sda -- set 1 boot on #+end_src Create primary partition @@ -61,10 +61,10 @@ sudo cryptsetup luksOpen /dev/sda2 crypted Map the physical, encrypted volume, then create a new volume group and logical volumes in that group for our nixos root and our swap. #+begin_src sh sudo pvcreate /dev/mapper/crypted sudo vgcreate vg /dev/mapper/crypted sudo lvcreate -L 8G -n swap vg sudo lvcreate -l '100%FREE' -n nixos vg #+end_src ** Format Disks @@ -73,7 +73,7 @@ The boot volume will be fat32. The filesystem will be ext4. Also creating a swap #+begin_src sh sudo mkfs.fat -F 32 -n boot /dev/sda1 sudo mkfs.ext4 -L nixos /dev/vg/nixos sudo mkswap -L swap /dev/vg/swap #+end_src @@ -89,8 +89,8 @@ sudo mount /dev/disk/by-label/nixos /mnt Mount the boot file system on /mnt/boot for UEFI boot #+begin_src sh sudo mkdir -p /mnt/boot sudo mount /dev/disk/by-label/boot /mnt/boot #+end_src Activate swap @@ -104,14 +104,14 @@ sudo swapon /dev/vg/swap Expect the following result: #+begin_src txt NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 1.1G 1 loop /nix/.ro-store sda 8:0 0 232.9G 0 disk ├─sda1 8:1 0 511M 0 part /mnt/boot └─sda2 8:2 0 232.4G 0 part └─crypted 254:0 0 232.4G 0 crypt ├─vg-swap 254:1 0 8G 0 lvm [SWAP] └─vg-nixos 254:2 0 224.4G 0 lvm /mnt #+end_src @@ -126,9 +126,6 @@ sudo nixos-generate-config --root /mnt Edit configuration. Here is the part pertinent to luks setup: #+begin_src nix { config, pkgs, ... }:
@@ -147,19 +144,20 @@ Edit configuration. Here is the part pertinent to luks setup: boot.loader.efi.efiSysMountPoint = "/boot/efi"; # grub # boot.loader.grub = { # enable = true; # version = 2; # efiSupport = true; # enableCryptodisk = true; # device = "nodev"; # }; # luks boot.initrd.luks.devices = { nixos { device = "/dev/disk/by-uuid/2ecabe39-02d5-4cec-bff6-8f20ccd566d1"; preLVM = true; # allowDiscard = true; }; };
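Review bot: in the @@ -147,19 +144,20 @@ hunk, `nixos {` is missing the `=`; an attribute-set member is written `nixos = { ... };`, so this configuration.nix does not evaluate. The entry is also named `nixos` while the `lsblk` output added in the @@ -104,14 +104,14 @@ hunk shows the container opened as `crypted` (from `cryptsetup luksOpen /dev/sda2 crypted`); using one name throughout avoids confusing the crypt device with the `nixos` filesystem label and the `vg-nixos` LV. Commenting out the GRUB block while `boot.loader.systemd-boot.enable = true` stays is the right direction: one loader for the ESP.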
walkermalling revised this gist
Jun 7, 2020 . 1 changed file with 35 additions and 12 deletions.
@@ -1,11 +1,18 @@ * Setting up NixOs with LUKS encrypted root Here are my working notes on getting a system up and running. ** References I used these resources: - Nixos manual https://nixos.org/nixos/manual/index.html#sec-installation - Nixos wiki on full disk encryption https://nixos.wiki/wiki/Full_Disk_Encryption - martijnvermaat's gist from 2016 https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 - luks FAQ https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup - ** Prep Disk Start by taking a look at block devices and identify the name of the device you're setting up. Note that adding the =--fs= flag will show the UUID of each device. @@ -19,6 +26,8 @@ Wipe existing fs. on my machine the primary disk is /dev/sda, but it may be diff sudo wipefs -a /dev/sda #+end_src ** Partition Create a new partition table #+begin_src sh @@ -40,6 +49,8 @@ sudo parted /dev/sda -- mkpart primary 512MiB 100% Now =/dev/sda1= is our boot partition, and =/dev/sda2= is our primary. ** Encrypt Primary Disk Setup luks on sda2 (=crypted= is the label). This will prompt for creating a password. #+begin_src sh @@ -56,15 +67,18 @@ lvcreate -L 8G -n swap vg lvcreate -l '100%FREE' -n root vg #+end_src ** Format Disks The boot volume will be fat32. The filesystem will be ext4. Also creating a swap. #+begin_src sh sudo mkfs.fat -F 32 -n boot /dev/sda1 sudo mkfs.ext4 -L nixos /dev/vg/root sudo mkswap -L swap /dev/vg/swap #+end_src ** Mount Mount the target file system to /mnt
@@ -79,7 +93,15 @@ mkdir -p /mnt/boot mount /dev/disk/by-label/boot /mnt/boot #+end_src Activate swap #+begin_src sh sudo swapon /dev/vg/swap #+end_src ** Resulting Disk Expect the following result: #+begin_src txt NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT @@ -92,23 +114,19 @@ sda 8:0 0 232.9G 0 disk └─vg-root 254:2 0 224.4G 0 lvm /mnt #+end_src ** Configure boot generate configuration #+begin_src sh sudo nixos-generate-config --root /mnt #+end_src Edit configuration. Here is the part pertinent to luks setup: #+begin_src nix @@ -157,6 +175,11 @@ Edit configuration. Here is the part pertinent to luks setup: } #+end_src Note the line =boot.loader.grub.device = "nodev";= this is a special value: https://nixos.org/nixos/manual/options.html#opt-boot.loader.grub.device "The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed." ** Install NixOs Run the install
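Review bot: in the @@ -40,6 +49,8 @@ hunk, "(=crypted= is the label)" is inaccurate: `crypted` is the device-mapper name chosen in `cryptsetup luksOpen /dev/sda2 crypted` and shows up as /dev/mapper/crypted; the filesystem labels are the `-n boot`, `-L nixos` and `-L swap` values set in the "Format Disks" step. Worth saying here that `luksFormat` asks for an uppercase YES before it irreversibly overwrites the header on /dev/sda2, and that the passphrase chosen at this prompt is the only thing protecting the disk at rest, so it should not be a throwaway.

Review bot: in the @@ -56,15 +67,18 @@ and @@ -79,7 +93,15 @@ hunks, `lvcreate`, `mkdir -p /mnt/boot` and `mount /dev/disk/by-label/boot /mnt/boot` still run without `sudo` while every surrounding command uses it; the pv/vg/lv commands need root to open /dev/mapper/crypted, and the boot mount fails the same way.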
walkermalling revised this gist
Jun 7, 2020 . 1 changed file with 85 additions and 33 deletions.
@@ -1,57 +1,53 @@ I used these resources: - Nixos manual https://nixos.org/nixos/manual/index.html#sec-installation - Nixos wixi on full disk encryption https://nixos.wiki/wiki/Full_Disk_Encryption - martijnvermaat's gist from 2016 https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 - luks FAQ https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup Start by taking a look at block devices and identify the name of the device you're setting up. Note that adding the =--fs= flag will show the UUID of each device. #+begin_src sh lsblk #+end_src Wipe existing fs. on my machine the primary disk is /dev/sda, but it may be different on different machines. Note that Cryptsetup FAQ suggests we use =cat /dev/zero > [device target]= #+begin_src sh sudo wipefs -a /dev/sda #+end_src Create a new partition table #+begin_src sh sudo parted /dev/sda -- mklabel gpt #+end_src Create the boot partition at the beginning of the disk #+begin_src sh sudo parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB sudo parted /dev/sda -- set 3 boot on #+end_src Create primary partition #+begin_src sh sudo parted /dev/sda -- mkpart primary 512MiB 100% #+end_src Now =/dev/sda1= is our boot partition, and =/dev/sda2= is our primary. Setup luks on sda2 (=crypted= is the label). This will prompt for creating a password. #+begin_src sh sudo cryptsetup luksFormat /dev/sda2 sudo cryptsetup luksOpen /dev/sda2 crypted #+end_src Map the physical, encrypted volume, then create a new volume group and logical volumes in that group for our nixos root and our swap. #+begin_src sh pvcreate /dev/mapper/crypted
@@ -60,34 +56,46 @@ lvcreate -L 8G -n swap vg lvcreate -l '100%FREE' -n root vg #+end_src Format disks. #+begin_src sh sudo mkfs -F 32 -n boot /dev/sda1 sudo mkfs.ext4 -L nixos /dev/vg/root sudo mkswap -L swap /dev/vg/swap #+end_src Installing Mount the target file system to /mnt #+begin_src sh sudo mount /dev/disk/by-label/nixos /mnt #+end_src Mount the boot file system on /mnt/boot for UEFI boot #+begin_src sh mkdir -p /mnt/boot mount /dev/disk/by-label/boot /mnt/boot #+end_src The result should be the following: #+begin_src txt NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 1.1G 1 loop /nix/.ro-store sda 8:0 0 232.9G 0 disk ├─sda1 8:1 0 511M 0 part /mnt/boot └─sda2 8:2 0 232.4G 0 part └─crypted 254:0 0 232.4G 0 crypt ├─vg-swap 254:1 0 8G 0 lvm [SWAP] └─vg-root 254:2 0 224.4G 0 lvm /mnt #+end_src Activate swap #+begin_src sh sudo swapon /dev/vg/swap #+end_src generate configuration 
@@ -96,27 +104,71 @@ sudo nixos-generate-config --root /mnt #+end_src Edit configuration. Here is the part pertinent to luks setup: =boot.loader.grub.device = "nodev";= is a special value: https://nixos.org/nixos/manual/options.html#opt-boot.loader.grub.device "The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed." #+begin_src nix { config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; nixpkgs.config.allowUnfree = true; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot/efi"; # grub boot.loader.grub = { enable = true; version = 2; efiSupport = true; enableCryptodisk = true; device = "nodev"; }; # luks boot.initrd.luks.devices = { nixos = { device = "/dev/disk/by-uuid/2ecabe39-02d5-4cec-bff6-8f20ccd566d1"; preLVM = true; }; }; boot.kernelParams = [ "processor.max_cstate=4" "amd_iomu=soft" "idle=nomwait"]; boot.kernelPackages = pkgs.linuxPackages_latest; boot.extraModulePackages = [ config.boot.kernelPackages.nvidia_x11 ]; ## # ... ## system.stateVersion = "20.03"; } #+end_src Run the install #+begin_src sh sudo nixos-install #+end_src If install is successful, you'll be prompted to set password for root user. Then =reboot=, and remove installation media. Login to root, and add add user: #+begin_src sh useradd -c 'Me' -m me passwd blah #+end_src
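Review bot: in the @@ -1,57 +1,53 @@ hunk, `sudo parted /dev/sda -- set 3 boot on` refers to partition 3, but only partition 1 (the ESP) exists at that point, so parted rejects it; it should be `set 1 boot on`, which on a GPT disk marks that partition as the EFI System Partition. Also, `wipefs -a` only erases filesystem and partition-table signatures; if the disk previously held plaintext data, an overwrite (the `cat /dev/zero` the cryptsetup FAQ suggests, or `dd if=/dev/zero of=/dev/sda`) is what actually removes it before the new LUKS container is written.

Review bot: in the @@ -60,34 +56,46 @@ hunk, `sudo mkfs -F 32 -n boot /dev/sda1` calls the generic `mkfs` wrapper without `-t vfat`, so it does not build a FAT32 filesystem (the default type is ext2, and `-F 32`/`-n` are not vfat options there); use `mkfs.fat -F 32 -n boot /dev/sda1`. `mkdir -p /mnt/boot` and the boot `mount` in the same hunk also lack `sudo`.

Review bot: in the @@ -96,27 +104,71 @@ hunk, `passwd blah` sets a password for a user named `blah`, which does not exist after `useradd -c 'Me' -m me`; it should be `passwd me`. In the configuration, `"amd_iomu=soft"` looks like a typo for `amd_iommu=soft`, systemd-boot and GRUB are both enabled for one ESP, `enableCryptodisk = true` is not needed with an unencrypted /boot, and `boot.loader.efi.efiSysMountPoint = "/boot/efi"` disagrees with the ESP being mounted at /mnt/boot.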
walkermalling created this gist
Jun 7, 2020
@@ -0,0 +1,122 @@ https://nixos.org/nixos/manual/index.html#sec-installation https://nixos.wiki/wiki/Full_Disk_Encryption https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup look at block devices and identify the name of the device you're setting up. note that adding the =--fs= flag will show the UUID of each device. #+begin_src sh lsblk #+end_src wipe existing fs. on my machine the primary disk is /dev/sda, but it may be different on different machines. Note that Cryptsetup FAQ suggests we use =cat /dev/zero > /dev/sda=, but I did not have permission to perform that in the context of the nixos installer; unsure why. #+begin_src sh sudo wipefs -a /dev/sda #+end_src create a new partition table #+begin_src sh sudo parted /dev/sda -- mklabel gpt #+end_src create the boot partition at the beginning of the disk #+begin_src sh sudo parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB sudo parted /dev/sda -- set 3 boot on #+end_src create primary partition #+begin_src sh sudo parted /dev/sda -- mkpart primary 512MiB 100% #+end_src Now it should read #+begin_src sh sda - sda1 - sda2 #+end_src Setup luks on sda2 (=crypted= is the label) #+begin_src sh sudo cryptsetup luksFormat /dev/sda2 sudo cryptsetup luksOpen /dev/sda2 crypted #+end_src create logical volume #+begin_src sh pvcreate /dev/mapper/crypted vgcreate vg /dev/mapper/crypted lvcreate -L 8G -n swap vg lvcreate -l '100%FREE' -n root vg #+end_src format disks #+begin_src sh sudo mkfs -F 32 -n boot /dev/sda1 sudo mkfs.ext4 -L nixos /dev/vg/root sudo mkswap -L swap /dev/vg/swap #+end_src Installing Mount the target file system to /mnt #+begin_src sh sudo mount /dev/disk/by-label/nixos /mnt #+end_src mount the boot file system on /mnt/boot for UEFI boot #+begin_src sh mkdir -p /mnt/boot mount /dev/disk/by-label/boot /mnt/boot #+end_src activate swap #+begin_src sh swapon /dev/vg/swap #+end_src generate configuration 
#+begin_src sh sudo nixos-generate-config --root /mnt #+end_src copy configuration.nix over from flash drive sudo nixos-install (failed assertion "You must set the option 'boot.loader.grub.devices' or 'boot.loader.grub.mirroredBoots'; I set 'boot.loader.grub.device = "nodev"') https://nixos.org/nixos/manual/options.html#opt-boot.loader.grub.device "The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed." set password for root user (at end of install) reboot login to root add user #+begin_src sh useradd -c 'Walker' -m walker passwd blah #+end_src
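Review bot: the permission failure with `cat /dev/zero > /dev/sda` is a shell issue, not an installer restriction: the `>` redirection is opened by the unprivileged shell before `sudo` ever runs, so the fix is `sudo sh -c 'cat /dev/zero > /dev/sda'` or `sudo dd if=/dev/zero of=/dev/sda bs=1M`; `wipefs -a` only clears signatures and leaves the old data on disk. Two further items in this hunk: `set 3 boot on` targets a partition that does not exist yet (the ESP is partition 1), and `passwd blah` does not match the `walker` account created by the `useradd` on the line before it.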