1165 words

6 minutes

全盘加密安装NixOS

2026-01-12

Linux

/

NixOS

/

Filesystem

/

Encryption

安装前#

联网#

生成 wifi 配置文件

1
wpa_passphrase "WiFi_SSID" "WiFi_PASSWORD" | tee /etc/whatever.conf

查看设备名

1
ip a

用刚刚列出的设备通过配置文件连接 wifi

1
wpa_supplicant -B -i "devicename" -c /etc/whatever.conf

代理#

仅作参考

1
nix-shell -p xray
2
xray run -c /path/to/config.json
3
export http_proxy=http://127.0.0.1:port
4
export https_proxy=http://127.0.0.1:port
5
export ALL_PROXY=socks5h://127.0.0.1:port

无休眠系统安装 (不使用 LVM)#

格式化+分区#

1.创建 gpt 分区表#

1
parted /dev/sdX mklabel gpt

2.创建 UEFI FAT32 分区 (以下表示为/dev/sdXY)#

1
parted /dev/sdX mkpart esp fat32 1MiB 512MiB
2
parted /dev/sdX set 1 esp on
3
parted /dev/sdX set 1 boot on
4
mkfs.fat -F 32 -n UEFI /dev/sdXY

3.创建 SWAP 分区 (以下表示为/dev/sdXW)#

1
parted /dev/sdX mkpart swap linux-swap 512MiB 4.5GiB
2
mkswap -L SWAP /dev/sdXW

4.创建 NIXOS BTRFS 加密分区 (以下表示为/dev/sdXZ)#

1
parted /dev/sdX mkpart nixos btrfs 4.5GiB 100%
2
cryptsetup --verify-passphrase -v luksFormat /dev/sdXZ
3
cryptsetup open /dev/sdXZ enc
4
mkfs.btrfs -L NIXOS /dev/mapper/enc

设置 BTRFS 子卷#

1.挂载 NIXOS 分区#

1
mount -t btrfs /dev/mapper/enc /mnt

2.创建 NIX 子卷#

1
btrfs subvolume create /mnt/@nix

3.创建 HOME 子卷#

1
btrfs subvolume create /mnt/@home

4.创建 snapshots 子卷 (用于 snapper 自动快照)#

1
btrfs subvolume create /mnt/@home/.snapshots

5.卸载 NIXOS 分区#

1
umount /mnt

挂载分区#

1.挂载 ROOT 分区 (in-ram)#

1
mount -t tmpfs -o noatime,mode=755 none /mnt

2.创建挂载点#

1
mkdir /mnt/{boot,nix,home}
2
mkdir /mnt/home/.snapshots

3.挂载 UEFI 分区#

1
mount -t vfat -o defaults,noatime,fmask=0077,dmask=0077 /dev/sdXY /mnt/boot

4.挂载 NIX 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@nix /dev/mapper/enc /mnt/nix

5.挂载 HOME 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@home /dev/mapper/enc mnt/home

6.挂载 snapshots 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@home/.snapshots /dev/mapper/enc /mnt/home/.snapshots

7.挂载 SWAP 分区#

1
swapon /dev/sdXW

生成 NixOS 配置文件并安装#

1.让 NixOS 生成初始配置文件#

1
nixos-generate-config --root /mnt

2.确保 hardware-configuration.nix 里的挂载点和之前的挂载步骤一致#

1
vim /mnt/etc/nixos/hardware-configuration.nix

示例

1
  fileSystems."/boot" = {
2
    device = "/dev/disk/by-uuid/XXX";
3
    fsType = "vfat";
4
    options = [
5
      "fmask=0077"
6
      "dmask=0077"
7
    ];
8
  };
9

10
  boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/XXX";
11

12
  fileSystems."/nix" = {
13
    device = "/dev/disk/by-uuid/XXX";
14
    fsType = "btrfs";
15
    options = [
16
      "subvol=@nix"
17
      "compress=zstd"
18
      "noatime"
19
    ];
20
  };
21

22
  fileSystems."/home" = {
23
    device = "/dev/disk/by-uuid/XXX";
24
    fsType = "btrfs";
25
    options = [
26
      "subvol=@home"
27
      "compress=zstd"
28
      "noatime"
29
    ];
30
  };
31

32
  fileSystems."/home/.snapshots" = {
33
    device = "/dev/disk/by-uuid/XXX";
34
    fsType = "btrfs";
35
    options = [
36
      "subvol=@home/.snapshots"
37
      "compress=zstd"
38
      "noatime"
39
    ];
40
  };
41

42
  swapDevices = [
43
    {
44
      device = "/dev/disk/by-partuuid/XXX";
45
      randomEncryption.enable = true;
46
    }
47
  ];

NOTE
如果有 swap 启用了 randomEncryption, 不要使用休眠！！！对于启用了 randomEncryption 的 swap, 不要使用 /dev/disk/by-uuid/… 或者 /dev/disk/by-label/… , 应该使用 /dev/disk/by-partuuid/…

3.编辑 configuration.nix#

1
vim /mnt/etc/nixos/configuration.nix

禁用可变用户

1
users.mutableUsers = false;

添加用户密码(hashed): (在另一个终端输入: nix-shell --run 'mkpasswd -m SHA-512 -s' -p mkpasswd)

1
users.users.<USERNAME>.initialHashedPassword = "<HASHED_PASSWORD>";

4.安装 NixOS#

1
nixos-install --no-root-passwd
2
reboot

带休眠系统安装 (使用 LVM)#

格式化并分区#

1.创建 GPT 分区表#

1
parted /dev/sdX mklabel gpt

2.创建 UEFI FAT32 分区 (以下表示为/dev/sdXY)#

1
parted /dev/sdX mkpart esp fat32 1MiB 512MiB
2
parted /dev/sdX set 1 esp on
3
parted /dev/sdX set 1 boot on
4
mkfs.fat -F 32 -n UEFI /dev/sdXY

3.为 LVM 创建加密分区 (以下表示为/dev/sdXZ)#

1
parted /dev/sdX mkpart primary 512MiB 100%
2
parted /dev/sdX set 2 lvm on
3
cryptsetup --verify-passphrase -v luksFormat /dev/sdXZ

4.创建 LVM 逻辑卷#

1
cryptsetup open /dev/sdXZ enc
2
pvcreate /dev/mapper/enc
3
vgcreate vg0 /dev/mapper/enc

5.创建 swap 卷 (以下表示为/dev/vg0/swap)#

1
lvcreate -L 48G -n swap vg0
2
mkswap -L SWAP /dev/vg0/swap

6.创建 NixOS Btrfs 卷 (以下表示为/dev/vg0/main)#

1
lvcreate -l 100%FREE -n main vg0
2
mkfs.btrfs -L NIXOS /dev/vg0/main

设置 BTRFS 子卷#

1.挂载 NIXOS 卷#

1
mount -t btrfs /dev/vg0/main /mnt

2.创建 NIX 子卷#

1
btrfs subvolume create /mnt/@nix

3.创建 HOME 子卷#

1
btrfs subvolume create /mnt/@home

4.创建 snapshots 子卷 (用于 snapper 自动快照)#

1
btrfs subvolume create /mnt/@home/.snapshots

5.卸载 NIXOS 卷#

1
umount /mnt

挂载分区#

1.挂载 ROOT 分区 (in-ram)#

1
mount -t tmpfs -o noatime,mode=755 none /mnt

2.创建挂载点#

1
mkdir /mnt/{boot,nix,home}
2
mkdir /mnt/home/.snapshots

3.挂载 UEFI 分区#

1
mount -t vfat -o defaults,noatime,fmask=0077,dmask=0077 /dev/sdXY /mnt/boot

4.挂载 NIX 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@nix /dev/vg0/main /mnt/nix

5.挂载 HOME 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@home /dev/vg0/main /mnt/home

6.挂载 snapshots 子卷#

1
mount -t btrfs -o noatime,compress=zstd,subvol=@home/.snapshots /dev/vg0/main /mnt/home/.snapshots

7.挂载 swap#

1
swapon /dev/vg0/swap

生成 NixOS 配置文件并安装#

1.让 NixOS 生成初始配置文件#

1
nixos-generate-config --root /mnt

2.确保 hardware-configuration.nix 里的挂载点和之前的挂载步骤一致#

1
vim /mnt/etc/nixos/hardware-configuration.nix

示例

1
  fileSystems."/" = {
2
    device = "none";
3
    fsType = "tmpfs";
4
    options = [
5
      "noatime"
6
      "size=3G"
7
      "mode=755"
8
    ];
9
  };
10

11
  fileSystems."/boot" = {
12
    device = "/dev/disk/by-uuid/XXX";
13
    fsType = "vfat";
14
    options = [
15
      "fmask=0077"
16
      "dmask=0077"
17
    ];
18
  };
19

20
  boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/XXX";
21

22
  fileSystems."/nix" = {
23
    device = "/dev/disk/by-uuid/XXX";
24
    fsType = "btrfs";
25
    options = [
26
      "subvol=@nix"
27
      "compress=zstd"
28
      "noatime"
29
    ];
30
  };
31

32
  fileSystems."/home" = {
33
    device = "/dev/disk/by-uuid/XXX";
34
    fsType = "btrfs";
35
    options = [
36
      "subvol=@home"
37
      "compress=zstd"
38
      "noatime"
39
    ];
40
  };
41

42
  fileSystems."/home/.snapshots" = {
43
    device = "/dev/disk/by-uuid/XXX";
44
    fsType = "btrfs";
45
    options = [
46
      "subvol=@home/.snapshots"
47
      "compress=zstd"
48
      "noatime"
49
    ];
50
  };
51

52
  swapDevices = [
53
    { device = "/dev/disk/by-uuid/XXX"; }
54
  ];

NOTE
手动添加以下内容:
1
boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/XXX";
用实际 UUID (终端输入 blkid /dev/sdXZ 查看) 代替 XXX

3.编辑 configuration.nix#

1
vim /mnt/etc/nixos/configuration.nix

禁用可变用户

1
users.mutableUsers = false;

添加用户密码(hashed): (在另一个终端输入: nix-shell --run 'mkpasswd -m SHA-512 -s' -p mkpasswd)

1
users.users.<USERNAME>.initialHashedPassword = "<HASHED_PASSWORD>";

4.安装 NixOS#

1
nixos-install --no-root-passwd
2
reboot

安装后#

1.保存 nixos 文件夹#

1
mkdir /mnt/nix/persist/etc
2
cp -r /etc/nixos /mnt/nix/persist/etc/

2.使用 impermanence 来保存需要的文件#

添加到 flake.nix inputs

1
impermanence.url = "github:nix-community/impermanence";

configuration.nix

1
{
2
  inputs,
3
  config,
4
  pkgs,
5
  lib,
6
  ...
7
}:
8
{
9
  # persist
10
  imports = [ inputs.impermanence.nixosModules.impermanence ];
11
  environment.persistence."/nix/persist" = {
12
    hideMounts = true;
13
    directories = (
14
      [
15
        "/var/log"
16
        "/var/lib/nixos"
17
        "/var/lib/systemd/coredump"
18
        "/var/lib/systemd/timers"
19
        "/var/lib/bluetooth"
20
        "/etc/nixos"
21
        "/etc/NetworkManager/system-connections"
22
        {
23
          directory = "/var/lib/colord";
24
          user = "colord";
25
          group = "colord";
26
          mode = "u=rwx,g=rx,o=";
27
        }
28
      ]
29
      ++ lib.optional config.virtualisation.libvirtd.enable "/var/lib/libvirt"
30
    );
31
    files = (
32
      [
33
        "/etc/machine-id"
34
        {
35
          file = "/etc/nix/id_rsa";
36
          parentDirectory = {
37
            mode = "u=rwx,g=rx,o=rx";
38
          };
39
        }
40
      ]
41
      ++ lib.optionals config.services.openssh.enable [
42
        "/etc/ssh/ssh_host_rsa_key"
43
        "/etc/ssh/ssh_host_rsa_key.pub"
44
        "/etc/ssh/ssh_host_ed25519_key"
45
        "/etc/ssh/ssh_host_ed25519_key.pub"
46
      ]
47
    );
48
  };
49
  security.sudo.extraConfig = ''
50
    Defaults lecture = never
51
  '';
52
}

参考:

全盘加密安装NixOS

https://blog.randomneet.me/posts/linux/install-nixos/

Author

RandomNEET

Published at

2026-01-12

License

CC BY-NC-SA 4.0

2.使用 impermanence 来保存需要的文件