Created
March 20, 2021 16:59
-
-
Save biosan/044f8622aa47082c97229c4fd5861cb6 to your computer and use it in GitHub Desktop.
NixOS + ZFS (w/ native encryption) Bootstrap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Always use the by-id aliases for devices, otherwise ZFS can choke on imports. | |
| DISK=/dev/disk/by-id/... | |
| POOL=tank | |
| ROOT=root | |
| ######################### | |
| ### Disk partitioning ### | |
| ######################### | |
| # Wipe disk partitions | |
| sgdisk --zap-all $DISK | |
| # Creat an EFI partition at the end of the disk | |
| sgdisk -n3:1M:+512M -t3:EF00 $DISK | |
| # Partition 1 will be the main ZFS partition, using up the remaining space on the drive. | |
| sgdisk -n1:0:0 -t1:BF01 $DISK | |
| sleep 2s | |
| ################################## | |
| ### ZFS & boot partition setup ### | |
| ################################## | |
| ### Create the pool. | |
| # | |
| # options description: | |
| # -O atime=off # disable writing access times | |
| # -O compression=lz4 # enable filesystem compression | |
| # -O xattr=sa # improve performance of certain extended attributes | |
| # -O acltype=posixacl # for systemd-journald posixacls are required | |
| # -O encryption=aes-256-gcm # enable encryption and specify algorithm | |
| # -O keyformat=passphrase # use a simple passphrase as encryption key (default keylocation is `prompt`) | |
| # -o ashift=12 # specify that your drive uses 4K sectors | |
| # | |
| # The 'mountpoint=none' option disables ZFS's automount machinery; we'll use the | |
| # normal fstab-based mounting machinery in Linux. | |
| # '-R /mnt' is not a persistent property of the FS, it'll just be used while we're installing. | |
| # | |
| zpool create -O mountpoint=none -O atime=off -O compression=lz4 -O xattr=sa -O acltype=posixacl -O encryption=aes-256-gcm -O keyformat=passphrase -o ashift=12 $POOL $DISK-part1 | |
| ### Create UEFI partition | |
| mkfs.vfat $DISK-part3 | |
| ### Create datasets | |
| zfs create -o mountpoint=legacy $POOL/nix | |
| zfs create -o mountpoint=legacy $POOL/$ROOT | |
| zfs create -o mountpoint=legacy $POOL/$ROOT/home | |
| ### Mounting filesystems/partitions (root, boot, nix & home) | |
| # The nixos installer will detect these mountpoints and save them to /mnt/nixos/hardware-configuration.nix during the install process. | |
| mount -t zfs $POOL/$ROOT /mnt | |
| mkdir /mnt/{boot,home,nix} | |
| mount -t zfs $POOL/nix /mnt/nix | |
| mount -t zfs $POOL/$ROOT/home /mnt/home | |
| mount $DISK-part3 /mnt/boot | |
| #################### | |
| ### Next steps.. ### | |
| #################### | |
| # | |
| # Generate the NixOS configuration, as per the NixOS manual. | |
| # nixos-generate-config --root /mnt | |
| # | |
| # Edit /mnt/etc/nixos/configuration.nix and add the following line: | |
| ## ------------------------------- | |
| # | |
| # boot.supportedFilesystems = [ "zfs" ]; | |
| # boot.zfs.requestEncryptionCredentials = true; | |
| # networking.hostId = "<random 8-digit hex string>"; | |
| # | |
| # users.users.<USERNAME> = { | |
| # isNormalUser = true; | |
| # extraGroups = [ "wheel" ]; | |
| # # Computed with `nix-shell -p mkpasswd --command "mkpasswd -m sha-512 <PASSWORD>"` | |
| # hashedPassword = "<HASHED_PASSWORD>" | |
| # }; | |
| # | |
| ## ------------------------------- | |
| # See https://nixos.org/nixos/manual/options.html#opt-networking.hostId for more. | |
| # | |
| # Continue with installation! | |
| # nixos-install; | |
| # |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment