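#!/usr/bin/env bash
#
# Provision one disk for an encrypted NixOS + ZFS installation.
#
# Layout written to DEVICE (all existing data on it is destroyed):
#   1  2048 MiB  EFI System (ef00)  -> FAT32 labelled BOOT, mounted at /mnt/boot
#   2    64 MiB  Linux LUKS (8309)  -> passphrase-protected volume holding the key
#                                      shared by the swap device and the ZFS pool
#   3  8192 MiB  Linux LUKS (8309)  -> swap, unlocked with the key from partition 2
#   4  remainder ZFS (a504)         -> zpool "rpool", native encryption keyed from
#                                      partition 2
# The root filesystem is a tmpfs; only the datasets created under rpool/local
# persist.  Finally nixos-generate-config is run and luks-configuration.nix is
# written next to it, wiring the two LUKS devices and the ZFS host id.
#
# Usage:  <this script> [DEVICE]     DEVICE defaults to /dev/vda; run as root.
# `cryptsetup luksFormat` prompts interactively for the key volume's passphrase.
#
set -euxo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Partition node for disk $1, partition number $2.  The kernel inserts a "p"
# when the disk name ends in a digit (nvme0n1p1, mmcblk0p1) and nothing
# otherwise (vda1, sda1).
part() {
  local disk=$1 num=$2
  if [[ $disk == *[0-9] ]]; then
    printf '%s\n' "${disk}p${num}"
  else
    printf '%s\n' "${disk}${num}"
  fi
}

DEVICE="${1:-/dev/vda}"
[[ $EUID -eq 0 ]] || die "must run as root"
[[ -b "$DEVICE" ]] || die "not a block device: $DEVICE"
readonly DEVICE

# Key material is staged in a private (0700) temporary directory that is
# removed on every exit path, instead of loose files in the working directory.
WORKDIR="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

# --- Partition table ---------------------------------------------------------
sgdisk -og "${DEVICE}"
sgdisk -n 0:0:+2048M -t 0:ef00 "${DEVICE}"   # 1: EFI System
sgdisk -n 0:0:+64M   -t 0:8309 "${DEVICE}"   # 2: LUKS key volume
sgdisk -n 0:0:+8192M -t 0:8309 "${DEVICE}"   # 3: LUKS swap
sgdisk -n 0:0:0      -t 0:a504 "${DEVICE}"   # 4: ZFS, remaining space
# Partition device nodes are created asynchronously by udev; wait for them
# before mkfs/cryptsetup try to open them.
if command -v udevadm >/dev/null 2>&1; then
  udevadm settle
fi
BOOT_PART="$(part "$DEVICE" 1)"
KEY_PART="$(part "$DEVICE" 2)"
SWAP_PART="$(part "$DEVICE" 3)"
ZFS_PART="$(part "$DEVICE" 4)"
for p in "$BOOT_PART" "$KEY_PART" "$SWAP_PART" "$ZFS_PART"; do
  [[ -b "$p" ]] || die "partition node missing: $p"
done

# --- Boot (ESP) --------------------------------------------------------------
mkfs.vfat -F32 -n BOOT "$BOOT_PART"

# --- Key volume --------------------------------------------------------------
# Passphrase-protected LUKS volume whose plaintext holds the single key used by
# the swap device and the ZFS pool.  luksFormat prompts for the passphrase.
cryptsetup luksFormat "$KEY_PART"
cryptsetup open "$KEY_PART" cryptkey

# Key = 32 random bytes rendered as 64 hex characters, followed by "\n\0".
# LUKS reads exactly the 64 hex characters (--keyfile-size=64 below); ZFS with
# keyformat=hex reads the same bytes from the 64 MiB mapped device, and the
# newline + NUL presumably terminate the hex string for it -- keep the 66-byte
# layout as is.
KEYFILE="$WORKDIR/hdd.key"
(
  umask 077
  dd if=/dev/urandom bs=32 count=1 | od -An -tx1 | tr -d '[:space:]' > "$KEYFILE"
  printf '\n\0' >> "$KEYFILE"
)
# Fail closed: pipefail aborts on a failing dd/od/tr, and this catches any other
# way the key could come out short -- a truncated key would otherwise be
# written silently and be far weaker than the intended 256 bits.
[[ "$(wc -c < "$KEYFILE")" -eq 66 ]] || die "key generation produced a malformed key"
dd if="$KEYFILE" of=/dev/mapper/cryptkey
# Read the 64 key characters back from the mapped device: verifies the write
# and prints the key on the console (so it can be recorded as a recovery copy).
dd if=/dev/mapper/cryptkey bs=64 count=1

# --- Swap --------------------------------------------------------------------
cryptsetup luksFormat --key-file=/dev/mapper/cryptkey --keyfile-size=64 "$SWAP_PART"
cryptsetup open --key-file=/dev/mapper/cryptkey --keyfile-size=64 "$SWAP_PART" cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap

# --- Root pool ---------------------------------------------------------------
# mountpoint=none: nothing mounts automatically; datasets get legacy mountpoints
# below and are mounted by hand under the -R /mnt altroot.
zpool create -f \
  -o ashift=12 \
  -O compression=zstd-3 \
  -O encryption=aes-256-gcm \
  -O keyformat=hex \
  -O keylocation=file:///dev/mapper/cryptkey \
  -O mountpoint=none \
  -O acltype=posixacl \
  -O xattr=sa \
  -O atime=off \
  -R /mnt rpool "$ZFS_PART"

# --- Filesystem layout under /mnt ---------------------------------------------
# Root is a tmpfs; only the directories listed below persist on ZFS.
mount -t tmpfs none -o defaults,size=8G,mode=755 /mnt
mkdir -pv /mnt/{boot,nix,root,home,persist,opt,scratch,var/lib,var/log}
mount -o umask=077 "$BOOT_PART" /mnt/boot/
# Dataset rpool/local/<path> is mounted at /mnt/<path>.
for ds in nix home root persist opt scratch var/lib var/log; do
  zfs create -p -o mountpoint=legacy "rpool/local/${ds}"
  mount -t zfs "rpool/local/${ds}" "/mnt/${ds}"
done

# --- NixOS configuration -----------------------------------------------------
nixos-generate-config --root /mnt
# Filesystem UUIDs of the two LUKS headers (the UUID= line, not PARTUUID=) for
# boot.initrd.luks.devices.
CRYPTKEY="$(blkid -o export "$KEY_PART" | grep '^UUID=')"
CRYPTKEY="${CRYPTKEY#UUID=}"
CRYPTSWAP="$(blkid -o export "$SWAP_PART" | grep '^UUID=')"
CRYPTSWAP="${CRYPTSWAP#UUID=}"
[[ -n "$CRYPTKEY" && -n "$CRYPTSWAP" ]] || die "could not determine LUKS UUIDs"
# ZFS wants an 8-hex-digit host id; derive it from 4 random bytes.
HOSTID="$(dd if=/dev/urandom bs=4 count=1 | od -An -tx1 | tr -d '[:space:]')"
[[ ${#HOSTID} -eq 8 ]] || die "host id generation failed"
# The generated module sets an empty root initialHashedPassword together with
# mutableUsers = false; replace it with a real hash in configuration.nix.
cat > /mnt/etc/nixos/luks-configuration.nix <<EOF
{ lib, ... }:
{
boot.initrd.availableKernelModules = [ "aesni_intel" "cryptd" ];
networking.hostId = "$HOSTID";
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/disk/by-partuuid";
boot.initrd.luks.devices = {
cryptkey = {
device = "/dev/disk/by-uuid/$CRYPTKEY";
};
cryptswap = {
device = "/dev/disk/by-uuid/$CRYPTSWAP";
keyFile = "/dev/mapper/cryptkey";
keyFileSize = 64;
};
};
boot.initrd.postMountCommands = ''
# Don't keep the cryptkey available all the time.
cryptsetup close /dev/mapper/cryptkey
'';
fileSystems."/var/log".neededForBoot = true;
users.mutableUsers = false;
users.users.root.initialHashedPassword = "";
}
EOF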