These are my notes on installing NixOS 16.03 on a Lenovo ThinkPad X1 Carbon (4th generation) with an encrypted root file system using UEFI.
Most of this is pieced together from the following pages:
- Encrypted Root on NixOS - Nix Wiki
- Installing NixOS - Chris Martin
- Linux administration and use - Earl Douglas
- Installing NixOS on a ThinkPad W540 with encrypted root - Bluish Coder
I installed from a USB stick using the NixOS minimal ISO (this one to be precise).
$ dd bs=4M if=nixos-minimal-16.03.678.2597f52-x86_64-linux.iso of=/dev/sdb
- Disable Secure Boot Control
- Disable USB legacy boot
- Enable Launch CSM
Due to this kernel bug, we have to boot with the following kernel parameter: intel_pstate=no_hwp. Seems like this will be fixed soon.
We create a 500MB EFI boot partition (/dev/sda1) and the rest will be our LUKS encrypted physical volume for LVM (/dev/sda2).
$ gdisk /dev/sda
o (create new empty partition table)
n (add partition, 500M, type ef00 EFI)
n (add partition, remaining space, type 8300 Linux LVM)
w (write partition table and exit)
Set up the encrypted LUKS partition and open it:
$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 enc-pv
We create two logical volumes, an 8GB swap partition and the rest will be our root filesystem:
$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg
Format the partitions:
$ mkfs.fat /dev/sda1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap
We mount the partitions we just created under /mnt so we can install NixOS on them.
$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap
Configure WPA supplicant so we can use Wi-Fi:
$ cat > /etc/wpa_supplicant.conf
network={
ssid="****"
psk="****"
}
^D
$ systemctl start wpa_supplicant
Now generate a NixOS configuration and modify it to our liking. The following is the configuration I started with.
$ nixos-generate-config --root /mnt
$ cat > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # https://bugzilla.kernel.org/show_bug.cgi?id=110941
  boot.kernelParams = [ "intel_pstate=no_hwp" ];

  # Supposedly better for the SSD.
  fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Grub menu is painted really slowly on HiDPI, so we lower the
  # resolution. Unfortunately, scaling to 1280x720 (keeping aspect
  # ratio) doesn't seem to work, so we just pick another low one.
  boot.loader.grub.gfxmodeEfi = "1024x768";

  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/disk/by-uuid/06e7d974-9549-4be1-8ef2-f013efad727e";
      preLVM = true;
      # Passes TRIM through dm-crypt; this reveals which blocks are unused.
      allowDiscards = true;
    }
  ];

  # Enables wireless support via wpa_supplicant.
  networking.wireless.enable = true;

  # Etcetera ...
}
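The device path in boot.initrd.luks.devices has to be the UUID of the LUKS partition itself (/dev/sda2), not of the LVM physical volume or the ext4 file system inside it. The following is an added example, not part of the original notes: a small shell helper that picks that UUID out of blkid output and prints the stanza; the function names field and luks_stanza and the sample blkid output are constructed for illustration.

```shell
#!/bin/sh
# Constructed `blkid` output for this page's layout. Only the sda2 UUID
# is taken from the page; every other value is made up.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="0000-01"
/dev/sda2: UUID="06e7d974-9549-4be1-8ef2-f013efad727e" TYPE="crypto_LUKS" PARTUUID="0000-02"
/dev/mapper/enc-pv: UUID="AbCdEf-0000-1111-2222-3333-4444-GhIjKl" TYPE="LVM2_member"
/dev/mapper/vg-root: LABEL="root" UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"'

# field LINE KEY: print the value of KEY="..." from one blkid line.
# The leading space keeps UUID from matching inside PARTUUID.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# luks_stanza DEVICE: read blkid output on stdin and print the
# boot.initrd.luks.devices entry for DEVICE. Fails unless DEVICE is the
# LUKS container itself (not the LVM PV or the file system inside it).
luks_stanza() {
    dev=$1 line=
    while IFS= read -r l; do
        case $l in "$dev: "*) line=$l ;; esac
    done
    [ -n "$line" ] || { echo "error: $dev not found" >&2; return 1; }
    fstype=$(field "$line" TYPE)
    uuid=$(field "$line" UUID)
    if [ "$fstype" != crypto_LUKS ]; then
        echo "error: $dev is '$fstype', not crypto_LUKS" >&2
        return 1
    fi
    # Only hex digits and dashes may end up inside the Nix string.
    case $uuid in
        ''|*[!0-9a-fA-F-]*) echo "error: bad UUID '$uuid'" >&2; return 1 ;;
    esac
    cat <<EOF
boot.initrd.luks.devices = [
  {
    name = "root";
    device = "/dev/disk/by-uuid/$uuid";
    preLVM = true;
    allowDiscards = true;
  }
];
EOF
}

# On the installer this would be: blkid | luks_stanza /dev/sda2
printf '%s\n' "$SAMPLE_BLKID" | luks_stanza /dev/sda2
```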
If we're happy with the configuration, install NixOS and reboot.
$ nixos-install
$ reboot
If for whatever reason the system doesn't boot, we can go back to the installation environment by booting from the installation media and remounting all partitions:
$ cryptsetup luksOpen /dev/sda2 enc-pv
$ lvchange -a y /dev/vg/swap
$ lvchange -a y /dev/vg/root
$ mount /dev/vg/root /mnt
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap
$ cp /mnt/etc/wpa_supplicant.conf /etc
$ systemctl start wpa_supplicant
We can now make further modifications to the configuration and try again.
If you have problems installing NixOS with a 18.09 image, then try to install it using a 17.09 image instead and then upgrade to 18.09 post installation.
I used many hours this weekend trying to install NixOS on my machine using a 18.09 image. I had no problems installing it, and the boot loader worked fine, but after that I just got a black screen. I tried many permutations of nixos-configurations and BIOS-configurations. Nothing seemed to work. Not even a plain installation with no LUKS encryption. At last I downloaded a 17.09 image and performed the installation with no trouble at all. Today I upgraded my system from 17.09 to 18.09 smoothly with no problems as well (change the nixos nix-channel to 18.09 and do the usual nixos-rebuild switch).
I could not find any 'official' nixos site with old images, so I downloaded it from distrowatch https://distrowatch.com/?newsid=09979
Hope this helps some other poor soul, so that my countless wasted hours haven't been wasted for nothing :)