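#!/bin/bash
# Unattended NixOS install onto one disk: GPT with a BIOS boot partition,
# a LUKS1 container (so GRUB can unlock it) holding an LVM volume group
# (swap, root, home), and a generated configuration.nix with SSH in the
# initrd for remote unlocking. Fill in every "xxx" before running.
# WARNING: everything on $diskdev is destroyed.
#
# -e abort on error, -u abort on unset variable, pipefail so a failing
# stage of an `a | b` pipeline is not masked. `-x` is deliberately not
# enabled by default: the trace would print the LUKS passphrase line.
set -euo pipefail

readonly hostname="xxx"      # networking.hostName of the installed system
readonly password="xxx"      # LUKS passphrase; replace, and keep this file private
readonly diskdev=/dev/sda    # whole disk that gets repartitioned
readonly rootpart=/dev/sda2  # partition 2 of $diskdev; becomes the LUKS container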
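# sgdisk: -o clears the partition table, -g writes a fresh GPT,
# -n num:start:end creates a partition (+size gives a relative end),
# -t num:code sets the type code.
#   1: 5 MiB BIOS boot partition (ef02) for GRUB's core image on a GPT disk
#   2: rest of the disk, Linux filesystem (8300); becomes the LUKS container
sgdisk -o -g -n 1::+5M -t 1:ef02 -n 2:: -t 2:8300 "$diskdev"

# LUKS container that will hold LVM. LUKS1 is kept because GRUB itself has
# to unlock this device (boot.loader.grub.enableCryptodisk) and its LUKS2
# support is not relied on here. The passphrase goes in on stdin, never on
# a command line, and xtrace is paused around these two lines so that an
# active `set -x` does not print it; -q skips the interactive confirmation.
xtrace_on=0
case $- in *x*) xtrace_on=1 ;; esac
set +x
printf '%s\n' "$password" | cryptsetup -q luksFormat --type luks1 -h sha512 "$rootpart"
printf '%s\n' "$password" | cryptsetup luksOpen "$rootpart" enc-pv
if (( xtrace_on )); then set -x; fi

# LVM on top of the opened container: fixed swap and root, home takes the rest.
pvcreate /dev/mapper/enc-pv
vgcreate vg0 /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg0
lvcreate -L 40G -n nixos vg0
lvcreate -l '100%FREE' -n home vg0

# Filesystems, swap, and the target mount used by nixos-install.
mkfs.ext4 -L root /dev/vg0/nixos
mkfs.ext4 -L home /dev/vg0/home
mkswap -L swap /dev/vg0/swap
swapon /dev/vg0/swap
mount /dev/vg0/nixos /mnt

# Channel for the installer environment, then the hardware scan for /mnt.
nix-channel --add https://nixos.org/channels/nixos-unstable nixos
nix-channel --update
nixos-generate-config --root /mnt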
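# Find the /dev/disk/by-uuid/ symlink that resolves to the LUKS partition so
# the generated config refers to it by UUID rather than by device name.
# readlink -f follows the symlink to the real device node.
luksuuid=""
for link in /dev/disk/by-uuid/*; do
  if [[ "$(readlink -f -- "$link")" == "$rootpart" ]]; then
    luksuuid=$link
    break
  fi
done
# Fail loudly instead of writing an empty device path into configuration.nix.
if [[ -z "$luksuuid" ]]; then
  printf 'no /dev/disk/by-uuid entry resolves to %s\n' "$rootpart" >&2
  exit 1
fi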
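# Write the system configuration. The delimiter is unquoted on purpose:
# $diskdev, $luksuuid and $hostname are expanded by the shell, everything
# else is literal Nix (so no backticks or bare $ inside the heredoc).
cat << EOF > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # GRUB installed to the whole disk (BIOS boot partition); it unlocks the
  # LUKS root itself, so /boot can live inside the encrypted root.
  boot.loader.grub.devices = [ "$diskdev" ];
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.supportsInitrdSecrets = true;
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.initrd.availableKernelModules = [ "virtio-pci" ];

  # SSH into the initrd (port 2222) to enter the LUKS passphrase remotely.
  # Replace the placeholder public key. The host key is shipped through
  # boot.initrd.secrets below so it is not baked into the Nix store.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      authorizedKeys = [ "ssh-rsa xxx" ];
      hostKeys = [ "/host_ecdsa_key" ];
    };
  };
  boot.initrd.luks.devices = [
    {
      name = "enc-pv";
      preLVM = true;
      device = "$luksuuid";
      # allowDiscards passes TRIM through the encryption layer; it reveals
      # which blocks are unused, which is the usual tradeoff for SSD health.
      allowDiscards = true;
    }
  ];
  boot.initrd.secrets = {
    "/host_ecdsa_key" = "/host_ecdsa_key";
  };
  boot.cleanTmpDir = true;
  boot.kernelModules = [ "dm-snapshot" ];
  nixpkgs.config.allowUnfree = true;

  # An empty hash means root can log in on the local console without a
  # password. Put a real hash here or run passwd after the first boot.
  users.users.root.initialHashedPassword = "";
  # Root over SSH only with keys, never with a password.
  services.openssh.permitRootLogin = "prohibit-password";
  networking.hostName = "$hostname";
  time.timeZone = "Europe/Paris";
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa xxx" ];
  system.stateVersion = "20.03";
}
EOF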
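# Generate the initrd SSH host key in a private temporary directory (a fresh
# directory means ssh-keygen never hits an "overwrite?" prompt on a re-run)
# and stage only the private key at /host_ecdsa_key on the target, where
# boot.initrd.secrets expects it; nothing is left behind in the cwd.
# Assumes nixos-install resolves the secret path relative to /mnt — confirm.
keydir=$(mktemp -d)
ssh-keygen -q -t ecdsa -N "" -f "$keydir/host_ecdsa_key"
install -m 0600 "$keydir/host_ecdsa_key" /mnt/host_ecdsa_key
rm -rf -- "${keydir:?}"

nixos-install --no-root-passwd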