あいむaimu/霊夢と魔理沙
Install NixOS with encrypted Btrfs and an in-RAM root (without hibernation)

0. Pre-installation
1. Connect to the internet
- Generate configuration file
wpa_passphrase "WiFi_SSID" "WiFi_PASSWORD" | tee /etc/whatever.conf
- Check the device name
ip a
- Connect to the network
wpa_supplicant -B -i "devicename" -c /etc/whatever.conf
2. Proxy (optional)
nix-shell -p xray
xray run -c /path/to/config.json
export http_proxy=http://127.0.0.1:port
export https_proxy=http://127.0.0.1:port
export ALL_PROXY=socks5h://127.0.0.1:port
1. Format and partition
1. Create the GPT partition table
parted /dev/sdX mklabel gpt
2. Create the UEFI FAT32 partition (which will be /dev/sdXY)
parted /dev/sdX mkpart esp fat32 1MiB 512MiB
parted /dev/sdX set 1 esp on
parted /dev/sdX set 1 boot on
mkfs.fat -F 32 -n UEFI /dev/sdXY
3. Create the SWAP partition (which will be /dev/sdXW) (optional)
parted /dev/sdX mkpart swap linux-swap 512MiB 4.5GiB
mkswap -L SWAP /dev/sdXW
4. Create the NIXOS BTRFS partition with encryption (which will be /dev/sdXZ)
parted /dev/sdX mkpart nixos btrfs 4.5GiB 100%
cryptsetup --verify-passphrase -v luksFormat /dev/sdXZ
cryptsetup open /dev/sdXZ enc
mkfs.btrfs -L NIXOS /dev/mapper/enc
2. Setup BTRFS subvolumes
1. Mount the NIXOS partition
mount -t btrfs /dev/mapper/enc /mnt
2. Create the NIX partition subvolume
btrfs subvolume create /mnt/@nix
3. Create the HOME partition subvolume
btrfs subvolume create /mnt/@home
4. Create the snapshots subvolume
btrfs subvolume create /mnt/@home/.snapshots
5. Unmount the NIXOS partition
umount /mnt
3. Mount the partitions for installation
1. Mount the in-RAM ROOT partition
mount -t tmpfs -o noatime,mode=755 none /mnt
2. Create persistent directories on which to mount partitions
mkdir /mnt/{boot,nix,home}
mkdir /mnt/home/.snapshots
3. Mount the UEFI partition
mount -t vfat -o defaults,noatime,fmask=0077,dmask=0077 /dev/sdXY /mnt/boot
4. Mount the NIX partition subvolume
mount -t btrfs -o noatime,compress=zstd,subvol=@nix /dev/mapper/enc /mnt/nix
5. Mount the HOME partition subvolume
mount -t btrfs -o noatime,compress=zstd,subvol=@home /dev/mapper/enc /mnt/home
6. Mount the SNAPSHOTS partition subvolume
mount -t btrfs -o noatime,compress=zstd,subvol=@home/.snapshots /dev/mapper/enc /mnt/home/.snapshots
7. Mount the SWAP partition (optional)
swapon /dev/sdXW
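Before generating the configuration it is worth confirming that /mnt really looks like the layout built in this section: a tmpfs root, /boot with 0077 masks, and every btrfs subvolume coming from the LUKS mapping rather than a raw partition. The script below is an added example, not part of the original post; it reads /proc/mounts (or any file in that format) and reports deviations. It assumes the kernel reports btrfs subvolumes as "subvol=/@nix" (leading slash) and compression as "compress=zstd:N", so only noatime and subvol= are matched for the btrfs mounts. The two sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare the installer's mount
# layout with the one expected by the guide before running nixos-install.
# Input lines are in /proc/mounts format:
#   <source> <target> <fstype> <options> <dump> <pass>

# check_mounts FILE -> prints one line per problem found, exit 0 if none
check_mounts() {
    file="$1"
    problems=0
    # expected layout: <target> <fstype> <source or -> <required options...>
    while read -r target fstype source opts_needed; do
        line=$(awk -v t="$target" '$2 == t { print; exit }' "$file")
        if [ -z "$line" ]; then
            echo "MISSING: $target is not mounted"
            problems=$((problems + 1))
            continue
        fi
        set -- $line
        src="$1"; fs="$3"; opts="$4"
        if [ "$fs" != "$fstype" ]; then
            echo "WRONG FS: $target is $fs, expected $fstype"
            problems=$((problems + 1))
        fi
        # "-" means any source; the btrfs mounts must come from the LUKS mapping
        if [ "$source" != "-" ] && [ "$src" != "$source" ]; then
            echo "WRONG SOURCE: $target is backed by $src, expected $source"
            problems=$((problems + 1))
        fi
        for o in $opts_needed; do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "MISSING OPTION: $target lacks $o"
                   problems=$((problems + 1)) ;;
            esac
        done
    done <<EOF
/mnt tmpfs none mode=755
/mnt/boot vfat - fmask=0077 dmask=0077
/mnt/nix btrfs /dev/mapper/enc noatime subvol=/@nix
/mnt/home btrfs /dev/mapper/enc noatime subvol=/@home
/mnt/home/.snapshots btrfs /dev/mapper/enc noatime subvol=/@home/.snapshots
EOF
    [ "$problems" -eq 0 ]
}

# Constructed /proc/mounts excerpt for a correctly prepared /mnt (sample data)
write_mounts_good() {
    cat > "$1" <<'EOF'
none /mnt tmpfs rw,noatime,mode=755 0 0
/dev/sda1 /mnt/boot vfat rw,noatime,fmask=0077,dmask=0077,codepage=437,errors=remount-ro 0 0
/dev/mapper/enc /mnt/nix btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvolid=256,subvol=/@nix 0 0
/dev/mapper/enc /mnt/home btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvolid=257,subvol=/@home 0 0
/dev/mapper/enc /mnt/home/.snapshots btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvolid=258,subvol=/@home/.snapshots 0 0
EOF
}

# Constructed excerpt with typical slips: /boot mounted with default masks,
# /nix mounted from something other than the LUKS mapping, /home forgotten
write_mounts_bad() {
    cat > "$1" <<'EOF'
none /mnt tmpfs rw,noatime,mode=755 0 0
/dev/sda1 /mnt/boot vfat rw,noatime,fmask=0022,dmask=0022,codepage=437 0 0
/dev/sda3 /mnt/nix btrfs rw,noatime,compress=zstd:3,subvolid=256,subvol=/@nix 0 0
/dev/mapper/enc /mnt/home/.snapshots btrfs rw,noatime,subvolid=258,subvol=/@home/.snapshots 0 0
EOF
}

# Stand-alone use in the installer: sh check-mounts.sh /proc/mounts
[ $# -eq 0 ] || check_mounts "$1"
```

A clean layout prints nothing and exits 0; run it right after step 7 and fix whatever it lists before moving on to nixos-generate-config, because the generated hardware-configuration.nix copies exactly what is mounted at that moment.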
4. Generate NixOS configs & install
1. Let NixOS generate template configurations
nixos-generate-config --root /mnt
2. Make sure all mount points in hardware-configuration.nix are identical to the previous section
vim /mnt/etc/nixos/hardware-configuration.nix
- Example
fileSystems."/boot" = { device = "/dev/disk/by-uuid/XXX"; fsType = "vfat"; options = [ "fmask=0077" "dmask=0077" ]; };
boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/XXX";
fileSystems."/nix" = { device = "/dev/disk/by-uuid/XXX"; fsType = "btrfs"; options = [ "subvol=@nix" "compress=zstd" "noatime" ]; };
fileSystems."/home" = { device = "/dev/disk/by-uuid/XXX"; fsType = "btrfs"; options = [ "subvol=@home" "compress=zstd" "noatime" ]; };
fileSystems."/home/.snapshots" = { device = "/dev/disk/by-uuid/XXX"; fsType = "btrfs"; options = [ "subvol=@home/.snapshots" "compress=zstd" "noatime" ]; };
swapDevices = [ { device = "/dev/disk/by-partuuid/XXX"; randomEncryption.enable = true; } ];
NOTE: Don't try to hibernate when you have at least one swap partition with randomEncryption enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it!
Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…
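The generated file is the one place where a mismatch with the previous section silently produces an unbootable or weaker system (no LUKS device in the initrd, /boot readable by every user, a swap device that randomEncryption wipes the UUID of). The script below is an added example, not part of the original post; it lints hardware-configuration.nix for exactly those points. It assumes the file has the shape nixos-generate-config writes (one attribute set per fileSystems entry with no nested braces inside it, swap entries written as "randomEncryption.enable = true;") and that the LUKS mapping is named "enc" as in this guide; the sample files it writes use placeholder UUIDs and are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint the generated
# hardware-configuration.nix against the layout from the sections above.

# lint_hwconf FILE -> prints one line per problem found, exit 0 if none
lint_hwconf() {
    flat=$(tr '\n' ' ' < "$1")     # one line, so attribute sets can be matched
    problems=0

    # root must be the tmpfs mounted in step 3.1, otherwise the root is not in RAM
    root=$(printf '%s' "$flat" | grep -o 'fileSystems\."/" *= *{[^}]*}' || true)
    case "$root" in
        *'fsType = "tmpfs"'*) ;;
        *) echo '/: fsType is not "tmpfs"'; problems=$((problems + 1)) ;;
    esac

    # without the LUKS device the initrd cannot open /nix and the system will not boot
    case "$flat" in
        *'boot.initrd.luks.devices."enc".device'*) ;;
        *) echo 'boot.initrd.luks.devices."enc".device is not declared'
           problems=$((problems + 1)) ;;
    esac

    # the ESP is unencrypted: keep kernels and initrds unreadable to other users
    boot=$(printf '%s' "$flat" | grep -o 'fileSystems\."/boot" *= *{[^}]*}' || true)
    for o in fmask=0077 dmask=0077; do
        case "$boot" in
            *"\"$o\""*) ;;
            *) echo "/boot: options lack $o"; problems=$((problems + 1)) ;;
        esac
    done

    # each btrfs mount must select the subvolume it was mounted with in section 3
    for pair in /nix:@nix /home:@home /home/.snapshots:@home/.snapshots; do
        mp=${pair%%:*}; sv=${pair#*:}
        blk=$(printf '%s' "$flat" | grep -o "fileSystems\.\"$mp\" *= *{[^}]*}" || true)
        if [ -z "$blk" ]; then
            echo "$mp: no fileSystems entry"; problems=$((problems + 1)); continue
        fi
        case "$blk" in
            *'fsType = "btrfs"'*) ;;
            *) echo "$mp: fsType is not \"btrfs\""; problems=$((problems + 1)) ;;
        esac
        case "$blk" in
            *"\"subvol=$sv\""*) ;;
            *) echo "$mp: options lack subvol=$sv"; problems=$((problems + 1)) ;;
        esac
    done

    # randomEncryption erases UUID and label every boot, so only by-partuuid is stable
    swap=$(printf '%s' "$flat" | grep -o 'swapDevices *= *\[[^]]*]' || true)
    while read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            *'randomEncryption.enable = true'*)
                case "$entry" in
                    *'/dev/disk/by-partuuid/'*) ;;
                    *) echo "swap: randomEncryption with a non-partuuid device: $entry"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done <<EOF
$(printf '%s\n' "$swap" | grep -o '{[^}]*}' || true)
EOF

    [ "$problems" -eq 0 ]
}

# Constructed hardware-configuration.nix matching the guide (UUIDs are placeholders)
write_hwconf_good() {
    cat > "$1" <<'EOF'
{ config, lib, pkgs, modulesPath, ... }:
{
  boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/LUKS-UUID-PLACEHOLDER";
  fileSystems."/" = { device = "none"; fsType = "tmpfs"; options = [ "noatime" "mode=755" ]; };
  fileSystems."/boot" = { device = "/dev/disk/by-uuid/ESP-UUID-PLACEHOLDER"; fsType = "vfat"; options = [ "fmask=0077" "dmask=0077" ]; };
  fileSystems."/nix" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "subvol=@nix" "compress=zstd" "noatime" ]; };
  fileSystems."/home" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "subvol=@home" "compress=zstd" "noatime" ]; };
  fileSystems."/home/.snapshots" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "subvol=@home/.snapshots" "compress=zstd" "noatime" ]; };
  swapDevices = [ { device = "/dev/disk/by-partuuid/SWAP-PARTUUID-PLACEHOLDER"; randomEncryption.enable = true; } ];
}
EOF
}

# Constructed file with the slips the lint is meant to catch: no LUKS device,
# default /boot masks, /home without its subvol, swap referenced by UUID
write_hwconf_bad() {
    cat > "$1" <<'EOF'
{ config, lib, pkgs, modulesPath, ... }:
{
  fileSystems."/" = { device = "none"; fsType = "tmpfs"; options = [ "noatime" "mode=755" ]; };
  fileSystems."/boot" = { device = "/dev/disk/by-uuid/ESP-UUID-PLACEHOLDER"; fsType = "vfat"; options = [ "fmask=0022" "dmask=0022" ]; };
  fileSystems."/nix" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "subvol=@nix" "compress=zstd" "noatime" ]; };
  fileSystems."/home" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "compress=zstd" "noatime" ]; };
  fileSystems."/home/.snapshots" = { device = "/dev/disk/by-uuid/BTRFS-UUID-PLACEHOLDER"; fsType = "btrfs"; options = [ "subvol=@home/.snapshots" "compress=zstd" "noatime" ]; };
  swapDevices = [ { device = "/dev/disk/by-uuid/SWAP-UUID-PLACEHOLDER"; randomEncryption.enable = true; } ];
}
EOF
}

# Stand-alone use: sh lint-hwconf.sh /mnt/etc/nixos/hardware-configuration.nix
[ $# -eq 0 ] || lint_hwconf "$1"
```

The checks are string matches over the flattened file, not a Nix evaluation, so they are a quick pre-install guard rather than a replacement for reading the file; the authoritative test remains the first boot.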
3. Edit the configuration.nix file as needed
vim /mnt/etc/nixos/configuration.nix
- Disable users mutability:
users.mutableUsers = false;
- Add user (hashed) password:
(In another console:
nix-shell --run 'mkpasswd -m SHA-512 -s' -p mkpasswd
)
users.users.<USERNAME>.initialHashedPassword = "<HASHED_PASSWORD>";
4. Start the installer
nixos-install --no-root-passwd
reboot
5. Post-installation
1. Keep the nixos folder
mkdir /mnt/nix/persist/etc
cp -r /etc/nixos /mnt/nix/persist/etc/
2. Use impermanence to persist necessary files
- Add to flake.nix inputs
impermanence.url = "github:nix-community/impermanence";
- configuration.nix
{ inputs, config, pkgs, lib, ... }:
{
  # persist
  imports = [ inputs.impermanence.nixosModules.impermanence ];
  environment.persistence."/nix/persist" = {
    hideMounts = true;
    directories = (
      [
        "/var/log"
        "/var/lib/nixos"
        "/var/lib/systemd/coredump"
        "/var/lib/systemd/timers"
        "/var/lib/bluetooth"
        "/etc/nixos"
        "/etc/NetworkManager/system-connections"
        { directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; }
      ]
      ++ lib.optional config.virtualisation.libvirtd.enable "/var/lib/libvirt"
    );
    files = (
      [
        "/etc/machine-id"
        { file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=rx,o=rx"; }; }
      ]
      ++ lib.optionals config.services.openssh.enable [
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
      ]
    );
  };
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
}
Reference:
Install NixOS with encrypted Btrfs and a IN-RAM root (without hibernation)
https://blog.randomneet.me/posts/linux/nixos-install-nohibernate/