Skip to content

Instantly share code, notes, and snippets.

@reyman
Last active August 29, 2020 19:38
Show Gist options
  • Save reyman/65ed5de52bef3f2230825f68b0b831c6 to your computer and use it in GitHub Desktop.
Save reyman/65ed5de52bef3f2230825f68b0b831c6 to your computer and use it in GitHub Desktop.
#!/bin/bash
set -eux
hostname="xxx"
password="xxx"
diskdev=/dev/sda
rootpart=/dev/sda2
# -o clear
# -g convert to gpt disk
# -n new partition num:start:end +size
# ef00 EFI / 8300 linux fs
sgdisk -o -g -n 1::+5M -t 1:ef02 -n 2:: -t 2:8300 $diskdev
# LVM part
echo "$password" | cryptsetup luksFormat --type luks1 -h sha512 $rootpart
echo "$password" | cryptsetup luksOpen $rootpart enc-pv
pvcreate /dev/mapper/enc-pv
vgcreate vg0 /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg0
lvcreate -L 40G -n nixos vg0
lvcreate -l '100%FREE' -n home vg0
# format disk
mkfs.ext4 -L root /dev/vg0/nixos
mkfs.ext4 -L home /dev/vg0/home
mkswap -L swap /dev/vg0/swap
swapon /dev/vg0/swap
mount /dev/vg0/nixos /mnt
nix-channel --add https://nixos.org/channels/nixos-unstable nixos
nix-channel --update
nixos-generate-config --root /mnt
for uuid in /dev/disk/by-uuid/*
do
if test $(readlink -f $uuid) = $rootpart
then
luksuuid=$uuid
break
fi
done
cat << EOF > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.grub.devices = [ "/dev/sda" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.enableCryptodisk = true;
boot.loader.supportsInitrdSecrets = true;
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.initrd.availableKernelModules = ["virtio-pci"];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = ["ssh-rsa xxx"];
hostKeys = [ "/host_ecdsa_key" ];
};
};
boot.initrd.luks.devices = [
{
name = "enc-pv";
preLVM = true;
device = "$luksuuid";
allowDiscards = true;
}
];
boot.initrd.secrets = {
"/host_ecdsa_key" = "/host_ecdsa_key";
};
boot.cleanTmpDir = true;
boot.kernelModules = [ "dm-snapshot" ];
nixpkgs.config.allowUnfree = true;
users.users.root.initialHashedPassword = "";
services.openssh.permitRootLogin = "prohibit-password";
networking.hostName = "$hostname";
time.timeZone = "Europe/Paris";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = ["ssh-rsa xxx"];
system.stateVersion = "20.03";
}
EOF
ssh-keygen -t ecdsa -N "" -f host_ecdsa_key
cp host_ecdsa_key /mnt/
nixos-install --no-root-passwd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment