@klDen
Forked from martijnvermaat/nixos.md
Last active November 26, 2022 19:49
Installation of NixOS with encrypted root


These are my notes on installing NixOS 22.11 on a Lenovo ThinkPad X1 Extreme (4th generation) with an encrypted root file system using UEFI.

Most of this is pieced together from the following pages:

Preparing installation media

I installed from a USB stick using the NixOS minimal ISO (this one to be precise).

$ dd bs=4M if=nixos-minimal-22.11beta196.e22d9c397e5-x86_64-linux.iso of=/dev/sdb

Booting the installer

  • Disable Secure Boot Control
  • Disable USB legacy boot
  • Enable Launch CSM

Partitioning

We create a 500MB EFI boot partition (/dev/nvme0n1p1) and the rest will be our LUKS encrypted physical volume for LVM (/dev/nvme0n1p2).

$ gdisk /dev/nvme0n1
  • o (create new empty partition table)
  • n (add partition, 500M, type ef00 EFI)
  • n (add partition, remaining space, type 8300 Linux LVM)
  • w (write partition table and exit)

Set up the encrypted LUKS partition and open it:

$ cryptsetup luksFormat /dev/nvme0n1p2
$ cryptsetup luksOpen /dev/nvme0n1p2 enc-pv

We create two logical volumes: an 8GB swap partition, and the rest will be our root filesystem.

$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions:

$ mkfs.fat /dev/nvme0n1p1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap

Installing NixOS

We mount the partitions we just created under /mnt so we can install NixOS on them.

$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/nvme0n1p1 /mnt/boot
$ swapon /dev/vg/swap

Configure wpa_supplicant so we can use Wi-Fi:

# wpa_cli -i wlan0
wpa_cli v2.9
[...]
Interactive mode

> add_network
0
> set_network 0 ssid "your_ssid"
> set_network 0 psk "your_pass"
> enable_network 0
OK
<3>SME: Trying to authenticate with 12:34:56:78:9a:bc (SSID='Guest' freq=2437 MHz)
<3>Trying to associate with 12:34:56:78:9a:bc (SSID='Guest' freq=2437 MHz)
<3>Associated with 12:34:56:78:9a:bc
<3>CTRL-EVENT-CONNECTED - Connection to 12:34:56:78:9a:bc completed [id=0 id_str=]
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
[...]

Now generate a NixOS configuration and modify it to our liking. The following is the configuration I started with.

# backup generated UUID disks
mv /mnt/etc/nixos/hardware-configuration.nix /tmp

# clone our configs
rm -rf /mnt/etc/nixos
git clone https://gitlab.com/klden/nixos-conf.git /mnt/etc/nixos

# use generated configs by nixos-generate-config
cat /tmp/hardware-configuration.nix >> /mnt/etc/nixos/hosts/<YOUR_HOST>.nix

# update duplicate configs accordingly if necessary
vim /mnt/etc/nixos/hosts/<YOUR_HOST>.nix
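Before running nixos-install it is worth checking that the merged host file actually carries the pieces an encrypted-root UEFI system needs, because a missing LUKS entry or a duplicated attribute only shows up as a non-booting machine or a failed evaluation. The script below is an added example and not part of the gist or of the klden/nixos-conf repository; it assumes the LUKS name "enc-pv" and the file layout used above, and the two sample host files it contains are constructed for illustration (their UUIDs are placeholders).

```shell
#!/bin/sh
# Added example, not part of the original gist: sanity-check the host file
# before running nixos-install. Device names "enc-pv" and the file layout
# follow the gist; the sample file contents below are constructed.

# Print the Nix line that tells the initrd which LUKS container to unlock.
# Pass the UUID of the raw partition, e.g.
#   luks_entry_for "$(blkid -s UUID -o value /dev/nvme0n1p2)"
luks_entry_for() {
  printf '  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/%s";\n' "$1"
}

# Check a merged host file. Returns 0 when all checks pass, 1 otherwise,
# printing each finding to stderr.
check_host_config() {
  file="$1"
  status=0

  # 1. the initrd must know the LUKS container, and by stable UUID: a raw
  #    /dev/nvme0n1p2 path can change when another disk is attached.
  if ! grep -q 'boot\.initrd\.luks\.devices.*"/dev/disk/by-uuid/' "$file"; then
    echo "$file: no boot.initrd.luks.devices entry with a by-uuid device" >&2
    status=1
  fi

  # 2. the EFI partition must be declared so the bootloader can be installed.
  if ! grep -q 'fileSystems\."/boot"' "$file"; then
    echo "$file: fileSystems.\"/boot\" is not declared" >&2
    status=1
  fi

  # 3. appending hardware-configuration.nix to a host file that already
  #    declares the same attributes leaves duplicates, which Nix rejects
  #    ("attribute ... already defined").
  for key in 'fileSystems\."/"' 'fileSystems\."/boot"' 'swapDevices' \
             'boot\.initrd\.luks\.devices'; do
    n=$(grep -c "$key" "$file" || true)
    if [ "$n" -gt 1 ]; then
      echo "$file: '$key' is defined $n times" >&2
      status=1
    fi
  done
  return "$status"
}

# Constructed sample: a correctly merged host file (UUIDs are placeholders).
sample_good_config() {
  cat <<'EOF'
{ config, lib, pkgs, modulesPath, ... }:
{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
  fileSystems."/" = { device = "/dev/disk/by-uuid/11111111-1111-1111-1111-111111111111"; fsType = "ext4"; };
  fileSystems."/boot" = { device = "/dev/disk/by-uuid/2222-2222"; fsType = "vfat"; };
  swapDevices = [ { device = "/dev/disk/by-uuid/33333333-3333-3333-3333-333333333333"; } ];
}
EOF
}

# Constructed sample of a bad merge: the LUKS device is given by raw path and
# fileSystems."/" was left in twice after the append.
sample_bad_config() {
  cat <<'EOF'
{ config, lib, pkgs, modulesPath, ... }:
{
  boot.loader.systemd-boot.enable = true;
  boot.initrd.luks.devices."enc-pv".device = "/dev/nvme0n1p2";
  fileSystems."/" = { device = "/dev/vg/root"; fsType = "ext4"; };
  fileSystems."/" = { device = "/dev/disk/by-uuid/11111111-1111-1111-1111-111111111111"; fsType = "ext4"; };
  fileSystems."/boot" = { device = "/dev/disk/by-uuid/2222-2222"; fsType = "vfat"; };
  swapDevices = [ { device = "/dev/disk/by-uuid/33333333-3333-3333-3333-333333333333"; } ];
}
EOF
}

# Stand-alone use: sh check-host-config.sh /mnt/etc/nixos/hosts/<YOUR_HOST>.nix
if [ "$#" -gt 0 ]; then
  check_host_config "$1"
fi
```

The checks are deliberately plain grep so they run from the installer ISO without extra tools; a host file that passes them can still be wrong in other ways, so keep nixos-install's own evaluation as the final word.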

If we're happy with the configuration, install NixOS and reboot.

$ nixos-install --impure --flake /mnt/flake#<YOUR_HOST>
$ reboot

Troubleshooting

If for whatever reason the system doesn't boot, we can go back to the installation environment by booting from the installation media and remounting all partitions:

$ cryptsetup luksOpen /dev/nvme0n1p2 enc-pv
$ lvchange -a y /dev/vg/swap
$ lvchange -a y /dev/vg/root
$ mount /dev/vg/root /mnt
$ mount /dev/nvme0n1p1 /mnt/boot
$ swapon /dev/vg/swap
$ wpa_cli ...
$ systemctl start wpa_supplicant

We can now make further modifications to the configuration and try again.
