Some of my .nix files
The configurations have been adapted to use flakes now, so some of the call flows have been abstracted and reversed to allow for the stateless/reproduceability requirements of flakes.
In order to maintain some sensitive data outside the repo, the NixOS flake is designed to be called into by another minimal flake. For convenience, there is a template for this flake in this repo:
$ nix flake init -t $NIXFILES_PATH/templates#nixos-device
Rough sketch of the expected disk layout with full-disk encryption.
Some changes to the sketch for a more realistic scenario:
- Swap partition should be at least as big as the machine's RAM to support hibernate-to-disk. Otherwise, it can be omitted altogether in place of a swapfile.
- Boot partition can be made bigger to support an embedded recovery image (4-6 GB).
NOTE: If trying in a VM, make sure to use a SCSI virtual disk (instead of HDA) and UEFI enabled.
# Setup partition layout
# Swap should be >RAM size if you're going to use hibernate
parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart ESP fat32 1MB 512MB # boot
parted /dev/sda -- set 1 boot on
parted /dev/sda -- mkpart primary 512MB -1GB # root
parted /dev/sda -- mkpart primary linux-swap -1GB 100% # swap
# Encrypt the partitions
# Swap partition is also encrypted, so our hibernate state is encrypted.
# We use luks1 (instead of luks2) because grub2 only supports luks1 for now.
# Follow: https://github.com/NixOS/nixpkgs/issues/65375 for LUKS2 on Grub
# To convert, see: https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
cryptsetup luksFormat --type luks1 /dev/sda2 # Enter password
cryptsetup luksFormat --type luks1 /dev/sda3 # Enter the same password
# Good time to add a key file, if we want to do that:
# dd if=/dev/urandom of=cryptroot.key bs=1 count=4096
# chmod 0400 cryptroot.key
# cryptsetup luksAddKey /dev/sda2 cryptroot.key
# cryptsetup luksAddKey /dev/sda3 cryptroot.key
# Open the encrypted partitions
cryptsetup open /dev/sda2 cryptroot
cryptsetup open /dev/sda3 cryptswap
# Format the underlying partitions
mkfs.fat -F 32 -n EFI /dev/sda1 # Unencrypted EFI partition
mkswap /dev/mapper/cryptswap
mkfs.btrfs /dev/mapper/cryptroot
mount -o defaults,noatime,compress=lzo,autodefrag /dev/mapper/cryptroot /mnt
# Create volumes on the btrfs root
btrfs subvolume create /mnt/@rootnix
btrfs subvolume create /mnt/@home
# Remount with new volumes
umount /mnt
mount -o compress=lzo,subvol=@rootnix /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot /mnt/home
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
# Enable swap if you're using nixos-generate-config to auto-detect mounts
swapon /dev/mapper/cryptswap
Resume an existing disk setup:
cryptsetup open /dev/sda2 cryptroot # Enter password
cryptsetup open /dev/sda3 cryptswap # Enter password
mount -o compress=lzo,subvol=@rootnix /dev/mapper/cryptroot /mnt
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mount /dev/sda1 /mnt/boot/efi
If you're installing from inside another distro, you can use these instructions: https://nixos.org/nixos/manual/index.html#sec-installing-from-other-distro
In Arch, using the aur/nix package does not work.
If we need to add hardware-specific configuration imports, we'll need nixos-hardware (setup instructions). The nix environment activator only includes the nixpkgs channel in the NIX_PATH by default, so we'll need to add that too.
# Activate the nix environment
. $HOME/.nix-profile/etc/profile.d/nix.sh
# Add the nixos-hardware channel
nix-channel --add https://github.com/NixOS/nixos-hardware/archive/master.tar.gz nixos-hardware
nix-channel --update nixos-hardware
# Add the new channel to our NIX_PATH
export NIX_PATH=${NIX_PATH}:${NIX_PATH//nixpkgs/nixos-hardware}
Some other notes for installing from another distro (doesn't apply for a normal install):
${disk.efi}
should be mounted to/mnt/boot/efi
(or whatever the root prefix is).
After that, off we go:
sudo groupadd -g 30000 nixbld
sudo useradd -u 30000 -g nixbld -G nixbld nixbld
sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt
curl -Ls "https://github.com/shazow/nixfiles/archive/master.zip" -o nixfiles.zip
unzip nixfiles.zip
mkdir /mnt/etc
mv nixfiles-master /mnt/etc/nixos
cd /mnt/etc/nixos
echo \"$(mkpasswd -m sha-512)\" > .hashedPassword.nix
chmod 400 .hashedPassword.nix
cat > disk.nix << EOF
{
cryptroot = "/dev/sda2";
cryptswap = "/dev/sda3";
efi = "/dev/sda1";
}
EOF
cp hosts/example.nix configuration.nix
echo "Edit configuration.nix ... Some of the paths are wrong here, need to fix."
nixos-install --root /mnt
Big thanks to my friend group of NixOS pioneers who paved through the unknowns, and answered many questions along the way.
- @arilotter and https://github.com/arilotter/dotfiles
- @attente and https://github.com/attente/dotfiles
- Bonus shoutout to @jpf for checking out NixOS long before it was cool