This was made before native encryption in ZFS existed (pre OpenZFS 2.0), and last updated in August of 2017. Feel free to fork and improve :)
After some effort (and asking for help on the nix-dev mailing list) I installed ZFS on an encrypted partition. The relevant configuration is below.
I do not have a custom iso yet, so you'll need two USBs. One for the NixOS iso, and one for these files. You'll have to mount the second stick manually.
- Boot into the nixos environment and find the uuid or id of the disk you want to install to. Do not use
/dev/sda
but/dev/disk/by-...
, uselsblk
andblkid
. - export it to the environment as
rootdisk
:
# whole disk please, no partition
export rootdisk="/dev/disk/by-id/ata-Some-Storage-Device"
- use keyfile and/or configure passphrase usage (see sections below)
- run it:
bash /path/to/automated_install.sh
It is possible to use a keyfile (e.g. on a usb stick). If you want a keyfile and not have a passphrase for backup, see Configure without passphrase below.
# part of step 3
export keyfile="/dev/disk/by-id/usb-Some-Usb-Stick"
# optional, default is 4096
export keysize="8192"
It is possible to pass the passphrase in an environment variable to make the install fully automated. This is generally unwise, but since we are in a temporary live enviorment I consider it safe enough. You can also put it as passphrase="your passphrase here"
in automated_install.sh
on line 16
instead.
If you add a keyfile as well, both are added.
# part of step 3
export passphrase="your passphrase here"
If you only want to add a keyfile and not set a passphrase, set use_passphrase
to no
. This is not recommended.
# part of step 3
export use_passphrase="no"
# see Use keyfile above
export keyfile="/path/to/keyfile"
I always run these command right after booting the install usb.
# I use programmer dvorak instead of qwerty
loadkeys dvorak-programmer
- use nixos-rebuild to make an iso containing the files
- customise the iso with ZFS support and these files
- find the location of
automated_install.sh
in the built iso. - update Readme :-P
I used the following resources:
- https://nixos.org/wiki/ZFS_on_NixOS#How_to_install_NixOS_on_a_ZFS_root_filesystem
- https://nixos.org/wiki/Encrypted_Root_on_NixOS
- http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
- https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF
- https://github.com/zfsonlinux/zfs/wiki/Ubuntu-16.10-Root-on-ZFS
use this version of the files: old version. All text below is about those versions, not the ones you see here.
The commands in init.sh
I run manually, (so no sed :-P)
The zfscreate.sh
is used to set up a single-disk ZFS root filesystem inside of an encrypted LUKS container.
The two *.nix
files have the minimum config needed for this (compare them with the generated ones in /mnt/etc/nixos/
); The UUIDs should be filled-in by nixos-generate-config
;
the "usb_storage"
addition is not needed for everyone, just like the keyfile
options; the other important changes
are the hostId
, which is required by ZFS; and the boot.supportedFilesystems
which I'm not even sure of if that's necessary