Last active
March 19, 2021 13:20
-
-
Save hmenke/dc27a17eb0119d0639c2e8a8c5b63134 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -eux | |
| DEVICE="/dev/nvme0n1" | |
| sgdisk -og "${DEVICE}" | |
| sgdisk -n 0:0:+2048M -t 0:ef00 "${DEVICE}" | |
| sgdisk -n 0:0:+64M -t 0:8309 "${DEVICE}" | |
| sgdisk -n 0:0:-8192M -t 0:a504 "${DEVICE}" | |
| sgdisk -n 0:0:0 -t 0:8309 "${DEVICE}" | |
| # Format boot | |
| mkfs.vfat -F32 -n BOOT "${DEVICE}p1" | |
| # Format and open cryptkey | |
| cryptsetup luksFormat "${DEVICE}p2" | |
| cryptsetup open "${DEVICE}p2" cryptkey | |
| # Generate key | |
| echo "" > newline | |
| dd if=/dev/zero bs=1 count=1 seek=1 of=newline | |
| dd if=/dev/urandom bs=32 count=1 | od -A none -t x | tr -d '[:space:]' | cat - newline > hdd.key | |
| dd if=hdd.key of=/dev/mapper/cryptkey | |
| dd if=/dev/mapper/cryptkey bs=64 count=1 | |
| # Format and open swap | |
| cryptsetup luksFormat --key-file=/dev/mapper/cryptkey --keyfile-size=64 "${DEVICE}p4" | |
| cryptsetup open --key-file=/dev/mapper/cryptkey --keyfile-size=64 "${DEVICE}p4" cryptswap | |
| mkswap /dev/mapper/cryptswap | |
| swapon /dev/mapper/cryptswap | |
| # Format and open root | |
| zpool create -f \ | |
| -o ashift=12 \ | |
| -O encryption=aes-256-gcm \ | |
| -O keyformat=hex \ | |
| -O keylocation=file:///dev/mapper/cryptkey \ | |
| -O mountpoint=none \ | |
| -O acltype=posixacl \ | |
| -O xattr=sa \ | |
| -O atime=off \ | |
| -R /mnt rpool "${DEVICE}p3" | |
| USER=henri | |
| # Make datasets | |
| zfs create -p -o mountpoint=legacy rpool/local/root | |
| zfs snapshot rpool/local/root@blank | |
| mount -t zfs rpool/local/root /mnt | |
| mkdir -pv /mnt/{boot,nix,root,home/$USER,persist,var/lib,var/log} | |
| mount "${DEVICE}p1" /mnt/boot/ | |
| zfs create -p -o mountpoint=legacy rpool/local/nix | |
| mount -t zfs rpool/local/nix /mnt/nix | |
| zfs create -p -o mountpoint=legacy rpool/local/home/$USER | |
| mount -t zfs rpool/local/home/$USER /mnt/home/$USER | |
| zfs create -p -o mountpoint=legacy rpool/local/home/root | |
| mount -t zfs rpool/local/home/root /mnt/root | |
| zfs create -p -o mountpoint=legacy rpool/local/persist | |
| mount -t zfs rpool/local/persist /mnt/persist | |
| zfs create -p -o mountpoint=legacy rpool/local/var/lib | |
| mount -t zfs rpool/local/var/lib /mnt/var/lib | |
| zfs create -p -o mountpoint=legacy rpool/local/var/log | |
| mount -t zfs rpool/local/var/log /mnt/var/log | |
| # Generate config | |
| nixos-generate-config --root /mnt | |
| CRYPTKEY="$(blkid -o export "${DEVICE}p2" | grep "^UUID=")" | |
| CRYPTKEY="${CRYPTKEY#UUID=*}" | |
| CRYPTSWAP="$(blkid -o export "${DEVICE}p4" | grep "^UUID=")" | |
| CRYPTSWAP="${CRYPTSWAP#UUID=*}" | |
| HOSTID="$(dd if=/dev/urandom bs=4 count=1 | od -A none -t x | tr -d '[:space:]')" | |
| cat > /mnt/etc/nixos/luks-configuration.nix <<EOF | |
| { lib, ... }: | |
| { | |
| boot.initrd.availableKernelModules = [ "aesni_intel" "cryptd" ]; | |
| networking.hostId = "$HOSTID"; | |
| boot.initrd.luks.devices = { | |
| cryptkey = { | |
| device = "/dev/disk/by-uuid/$CRYPTKEY"; | |
| }; | |
| cryptswap = { | |
| device = "/dev/disk/by-uuid/$CRYPTSWAP"; | |
| keyFile = "/dev/mapper/cryptkey"; | |
| keyFileSize = 64; | |
| }; | |
| }; | |
| #boot.initrd.postMountCommands = '' | |
| # # Don't keep the cryptkey available all the time. | |
| # cryptsetup close /dev/mapper/cryptkey | |
| #''; | |
| #boot.initrd.postDeviceCommands = lib.mkAfter '' | |
| # zfs rollback -r rpool/local/root@blank | |
| #''; | |
| #users.mutableUsers = false; | |
| #users.users.root.initialHashedPassword = "..."; | |
| fileSystems."/var/log".neededForBoot = true; | |
| } | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment