This guide provides an example setup for a single-disk ZFS system with native encryption, accessible for decryption remotely.
!!! Warning
    This configuration only applies to systemd-boot enabled systems and requires UEFI booting.
Replace the highlighted lines with your own disk-id. You can find out your disk-id by executing:

```bash
lsblk --output NAME,ID-LINK,FSTYPE,SIZE,MOUNTPOINT
```
=== "Single Disk"

    Below is the configuration for `disko.nix`

    ```nix hl_lines="17 48"
    --8<-- "docs/code-examples/disko-single-disk.nix"
    ```

=== "Raid 1"

    Below is the configuration for `disko.nix`

    ```nix hl_lines="17 48 49"
    --8<-- "docs/code-examples/disko-raid.nix"
    ```
Below is the configuration for `initrd.nix`.
Replace `<yourkey>` with your SSH public key.
Replace the value of `kernelModules` with the ethernet driver module that is loaded on your target machine.
```nix
{config, pkgs, ...}:
{
  boot.initrd.systemd = {
    enable = true;
  };
  # uncomment this if you want to be asked for the decryption password on login
  #users.root.shell = "/bin/systemd-tty-ask-password-agent";
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 7172;
      authorizedKeys = [ "<yourkey>" ];
      hostKeys = [
        "/var/lib/initrd-ssh-key"
      ];
    };
  };
  boot.initrd.availableKernelModules = [
    "xhci_pci"
  ];
  # Find out the required network card driver by running `lspci -k` on the target machine
  boot.initrd.kernelModules = [ "r8169" ];
}
```
## Step 1: Copying SSH Public Key

Before starting the installation process, ensure that the SSH public key is copied to the NixOS installer.

- Copy your public SSH key to the installer, if it has not been copied already:

    ```bash
    ssh-copy-id -o PreferredAuthentications=password -o PubkeyAuthentication=no root@nixos-installer.local
    ```
## Step 1.5: Prepare Secret Key and Clear Disk Data

- Access the installer using SSH:

    ```bash
    ssh root@nixos-installer.local
    ```

- Create a `secret.key` file in `/tmp` using `nano` or another text editor:

    ```bash
    nano /tmp/secret.key
    ```

- Discard the old disk partition data:

    ```bash
    blkdiscard /dev/disk/by-id/nvme-eui.002538b931b59865
    ```

- Run the `clan` machine installation with the following command:

    ```bash
    clan machines install gchq-local --target-host root@nixos-installer --yes --no-reboot
    ```
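The passphrase in `/tmp/secret.key` becomes the key for the whole root dataset, and a passphrase ZFS refuses (fewer than 8 or more than 512 bytes) is only discovered after `blkdiscard` has already wiped the disk. The script below is an added example, not part of the clan docs or the `clan` tool: it writes the key file non-interactively with a restrictive umask and validates it the way ZFS will read it. It assumes that the disko snippet referenced above declares the root dataset with `keyformat=passphrase` and a `keylocation` pointing at `/tmp/secret.key` (not shown on this page); ZFS reads only the first line of such a file and strips the trailing newline, which is what the length check measures.

```shell
#!/bin/sh
# Added example (not from the clan docs): create and sanity-check the
# ZFS passphrase file before disko consumes it.
# Assumption: the disko snippet uses keyformat=passphrase with
# keylocation=file:///tmp/secret.key for the encrypted root dataset.
set -eu

# ZFS accepts passphrases of 8..512 bytes; anything else makes dataset
# creation fail after the disk was already discarded.
ZFS_MIN_PASSPHRASE=8
ZFS_MAX_PASSPHRASE=512

# check_passphrase_file FILE -> returns 0 if ZFS will accept it, 1 otherwise.
# Only the first line counts (that is what ZFS reads) and the file must be
# readable by the owner alone, because its content is the disk key.
check_passphrase_file() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # columns 5-10 of `ls -l` are the group/other permission bits
    case $(ls -l "$file" | cut -c5-10) in
        ------) ;;
        *) echo "$file must be mode 0600" >&2; return 1 ;;
    esac
    len=$(head -n 1 "$file" | tr -d '\n' | wc -c | tr -d ' ')
    if [ "$len" -lt "$ZFS_MIN_PASSPHRASE" ] || [ "$len" -gt "$ZFS_MAX_PASSPHRASE" ]; then
        echo "passphrase is $len bytes; ZFS needs $ZFS_MIN_PASSPHRASE-$ZFS_MAX_PASSPHRASE" >&2
        return 1
    fi
    return 0
}

# write_passphrase_file FILE PASSPHRASE -> creates FILE with mode 0600
# and runs the check above on the result.
write_passphrase_file() {
    file=$1 pass=$2
    # umask inside a subshell so the caller's umask stays untouched
    (umask 077 && printf '%s\n' "$pass" > "$file")
    check_passphrase_file "$file"
}

# Usage: printf '%s\n' 'your passphrase' | sh secret-key.sh /tmp/secret.key
if [ "${1:-}" ]; then
    IFS= read -r pass
    write_passphrase_file "$1" "$pass"
fi
```

The same passphrase is what `zfs load-key` prompts for in Step 2 and what the initrd asks for in Step 3, so keep it somewhere you can type it from later.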
## Step 2: ZFS Pool Import and System Installation

- SSH into the installer once again:

    ```bash
    ssh root@nixos-installer.local
    ```

- Perform the following commands on the remote installation environment:

    ```bash
    zpool import zroot
    zfs set keylocation=prompt zroot/root
    zfs load-key zroot/root
    zfs set mountpoint=/mnt zroot/root/nixos
    mount /dev/nvme0n1p2 /mnt/boot
    ```

- Disconnect from the SSH session:

    ```bash
    CTRL+D
    ```

- Securely copy your local `initrd_rsa_key` to the installer's `/mnt` directory:

    ```bash
    scp ~/.ssh/initrd_rsa_key root@nixos-installer.local:/mnt/var/lib/initrd-ssh-key
    ```

- SSH back into the installer:

    ```bash
    ssh root@nixos-installer.local
    ```

- Navigate to the `/mnt` directory, enter the `nixos-enter` environment, and then exit. The path printed by `realpath` is the `<SYS_PATH>` used in the next step:

    ```bash
    cd /mnt
    nixos-enter
    realpath /run/current-system
    exit
    ```

- Run the `nixos-install` command with the appropriate system path `<SYS_PATH>`:

    ```bash
    nixos-install --no-root-passwd --no-channel-copy --root /mnt --system <SYS_PATH>
    ```

- After the installation process, unmount `/mnt/boot`, change the ZFS mountpoint, and reboot the system:

    ```bash
    umount /mnt/boot
    cd /
    zfs set mountpoint=/ zroot/root/nixos
    reboot
    ```

- Perform a hard reboot of the machine and remove the USB stick.
## Step 3: Accessing the Initial Ramdisk (initrd) Environment

- SSH into the initrd environment using the `initrd_rsa_key` and the configured port:

    ```bash
    ssh -p 7172 root@192.168.178.141
    ```

- Run the `systemd-tty-ask-password-agent` utility to query a password:

    ```bash
    systemd-tty-ask-password-agent --query
    ```
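The session opened in Step 3 is where the disk passphrase gets typed, so it is worth making sure it really terminates at the initrd sshd whose host key you copied in Step 2 rather than accepting whatever key the first connection presents. The script below is an added example, not code from the clan docs: it generates the initrd host key on the workstation, derives its public half, and pins it in `known_hosts` under the `[host]:port` form that OpenSSH uses for non-standard ports (so it never collides with the entry for the installed system's own sshd on port 22). It assumes the key file is the one later copied to `/mnt/var/lib/initrd-ssh-key` and that the initrd sshd listens on port 7172 as set in `initrd.nix`; the key type (ed25519) and the `generate_initrd_hostkey`, `known_hosts_line`, `pin_initrd_hostkey` and `fingerprint` helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the clan docs): pin the initrd sshd host key
# before the first remote unlock, so a mismatch at the passphrase prompt
# is rejected instead of silently accepted.
# Assumptions: the private key generated here is the file that Step 2
# copies to /mnt/var/lib/initrd-ssh-key, and the initrd sshd listens on
# port 7172 as configured in initrd.nix.
set -eu

# generate_initrd_hostkey FILE -> creates FILE and FILE.pub (ed25519,
# no passphrase: the initrd has nobody to type one).
generate_initrd_hostkey() {
    ssh-keygen -q -t ed25519 -N "" -C "initrd host key" -f "$1"
}

# known_hosts_line KEYFILE HOST PORT -> prints "[HOST]:PORT type base64".
# OpenSSH stores hosts on non-standard ports as [host]:port, so this entry
# is distinct from the port-22 entry of the installed system.
known_hosts_line() {
    key=$1 host=$2 port=$3
    pub=$(ssh-keygen -y -f "$key" | awk '{print $1" "$2}')
    printf '[%s]:%s %s\n' "$host" "$port" "$pub"
}

# pin_initrd_hostkey KEYFILE HOST PORT KNOWN_HOSTS -> appends the entry
# exactly once (re-running is harmless).
pin_initrd_hostkey() {
    key=$1 host=$2 port=$3 kh=$4
    line=$(known_hosts_line "$key" "$host" "$port")
    touch "$kh"
    grep -qxF "$line" "$kh" || printf '%s\n' "$line" >> "$kh"
}

# fingerprint KEYFILE -> SHA256 fingerprint of the public key, to compare
# against what ssh prints should it ever warn about this host.
fingerprint() {
    ssh-keygen -lf "$1.pub" | awk '{print $2}'
}

# Usage on the admin workstation, before Step 2's scp and Step 3's ssh:
#   generate_initrd_hostkey ~/.ssh/initrd_rsa_key
#   pin_initrd_hostkey ~/.ssh/initrd_rsa_key 192.168.178.141 7172 ~/.ssh/known_hosts
#   ssh -p 7172 -o StrictHostKeyChecking=yes root@192.168.178.141
```

With the entry pinned, `StrictHostKeyChecking=yes` turns a host-key mismatch on the unlock session into a hard failure instead of a yes/no prompt; the fingerprint from `fingerprint` is what such a warning would have to match.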
After completing these steps, your NixOS should be successfully installed and ready for use.

Note: Replace `root@nixos-installer.local` and `192.168.178.141` with the appropriate user and IP addresses for your setup. Also, adjust `<SYS_PATH>` to reflect the correct system path for your environment.