This guide provides an example setup for a single-disk ZFS system with native encryption, accessible for decryption remotely.
!!! Warning
    This configuration only applies to systemd-boot enabled systems and requires UEFI booting.
Replace the highlighted lines with your own disk-id. You can find out your disk-id by executing:

```bash
lsblk --output NAME,ID-LINK,FSTYPE,SIZE,MOUNTPOINT
```
=== "Single Disk"

    Below is the configuration for `disko.nix`:

    ```nix hl_lines="13 53"
    --8<-- "docs/code-examples/disko-single-disk.nix"
    ```

=== "Raid 1"

    Below is the configuration for `disko.nix`:

    ```nix hl_lines="13 53 54"
    --8<-- "docs/code-examples/disko-raid.nix"
    ```
Below is the configuration for `initrd.nix`.
Replace `<yourkey>` with your SSH public key.
Replace the module in `kernelModules` with the ethernet driver that is loaded on your target machine.
```nix
{config, pkgs, ...}:

{
  # Use the systemd-based initrd; the remote unlock relies on its password agent.
  boot.initrd.systemd = {
    enable = true;
  };

  # Uncomment this if you want to be asked for the decryption password on login.
  # The option lives under boot.initrd.systemd (the initrd's own user database),
  # not under the system-level `users` options.
  #boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";

  boot.initrd.network = {
    enable = true;

    ssh = {
      enable = true;
      # Use a port that differs from the installed system's sshd so the two
      # host keys never collide in the client's known_hosts.
      port = 7172;
      authorizedKeys = [ "<yourkey>" ];
      # Host keys generated locally and copied to /mnt/var/lib during installation.
      hostKeys = [
        "/var/lib/initrd_host_ed25519_key"
        "/var/lib/initrd_host_rsa_key"
      ];
    };
  };

  boot.initrd.availableKernelModules = [
    "xhci_pci"
  ];

  # Find out the required network card driver by running `lspci -k` on the target machine
  boot.initrd.kernelModules = [ "r8169" ];
}
```
## Copying SSH Public Key

Before starting the installation process, ensure that the SSH public key is copied to the NixOS installer.

- Copy your public SSH key to the installer, if it has not been copied already:

    ```bash
    ssh-copy-id -o PreferredAuthentications=password -o PubkeyAuthentication=no root@nixos-installer.local
    ```
## Prepare Secret Key and Partition Disks

- Access the installer using SSH:

    ```bash
    ssh root@nixos-installer.local
    ```

- Create a `secret.key` file in `/tmp` using `nano` or another text editor:

    ```bash
    nano /tmp/secret.key
    ```

- Discard the old disk partition data:

    ```bash
    blkdiscard /dev/disk/by-id/<installdisk>
    ```

- Run `clan machines install`, running only the `kexec` and `disko` phases, with the following command:

    ```bash
    clan machines install gchq-local --target-host root@nixos-installer --phases kexec,disko
    ```
## ZFS Pool Import and System Installation

- SSH into the installer once again:

    ```bash
    ssh root@nixos-installer.local
    ```

- Run the following command on the remote installation environment:

    ```bash
    zfs set keylocation=prompt zroot/root
    ```

- Disconnect from the SSH session with `CTRL+D`.

- Locally generate SSH host keys. You only need to generate keys for the algorithms you're using in `authorizedKeys`:

    ```bash
    ssh-keygen -q -N "" -C "" -t ed25519 -f ./initrd_host_ed25519_key
    ssh-keygen -q -N "" -C "" -t rsa -b 4096 -f ./initrd_host_rsa_key
    ```

- Securely copy your local initrd SSH host keys to the installer's `/mnt/var/lib/` directory:

    ```bash
    scp ./initrd_host* root@nixos-installer.local:/mnt/var/lib/
    ```

- Install NixOS to the mounted partitions:

    ```bash
    clan machines install gchq-local --target-host root@nixos-installer --phases install
    ```

- After the installation process, unmount `/mnt/boot`, change the ZFS mountpoints and unmount all the ZFS volumes by exporting the zpool:

    ```bash
    umount /mnt/boot
    cd /
    zfs set -u mountpoint=/ zroot/root/nixos
    zfs set -u mountpoint=/tmp zroot/root/tmp
    zfs set -u mountpoint=/home zroot/root/home
    zpool export zroot
    ```

- Perform a reboot of the machine and remove the USB installer.
## Accessing the Initial Ramdisk (initrd) Environment

- SSH into the initrd environment using the `initrd_rsa_key` and the configured port:

    ```bash
    ssh -p 7172 root@192.168.178.141
    ```

- Run the `systemd-tty-ask-password-agent` utility to query a password:

    ```bash
    systemd-tty-ask-password-agent
    ```
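Added example, not part of the original guide or the clan project: the initrd sshd presents the host keys generated above, not the installed system's keys, so on the first unlock the client would ask you to trust an unknown key right before the ZFS passphrase is typed into that session. The helper below pins the initrd's public key in a dedicated known_hosts file using the `[host]:port` form and connects with strict checking; the host 192.168.178.141 and port 7172 come from the guide, the file names and the `~/.ssh/initrd_known_hosts` path are assumptions.

```bash
#!/usr/bin/env bash
# Pin the initrd's SSH host key before the first remote unlock.
# The public half of the initrd host key exists locally before the machine
# ever boots (it was generated with ssh-keygen above), so it can be recorded
# in known_hosts instead of being accepted on first use.
set -eu

# Print a known_hosts entry for HOST:PORT from an OpenSSH public key file.
# Only the key type and base64 blob are kept; any trailing comment is dropped.
initrd_known_hosts_entry() {
    host=$1 port=$2 pubfile=$3
    awk -v hp="[$host]:$port" 'NR == 1 { print hp, $1, $2 }' "$pubfile"
}

# Append the entry to KNOWN_HOSTS unless an identical line is already present,
# so re-running the step never produces duplicate (or conflicting) pins.
pin_initrd_host_key() {
    host=$1 port=$2 pubfile=$3 known_hosts=$4
    entry=$(initrd_known_hosts_entry "$host" "$port" "$pubfile")
    touch "$known_hosts"
    grep -qxF -- "$entry" "$known_hosts" || printf '%s\n' "$entry" >> "$known_hosts"
}

# Open the unlock session against the pinned key only: a key mismatch (or a
# missing pin) aborts the connection before any passphrase can be typed.
# Run systemd-tty-ask-password-agent once logged in, as in the step above.
unlock_initrd() {
    host=$1 port=$2 known_hosts=$3
    ssh -p "$port" \
        -o UserKnownHostsFile="$known_hosts" \
        -o StrictHostKeyChecking=yes \
        "root@$host"
}

# Example use (assumed paths; key generated as in the guide's host-key step):
#   ssh-keygen -q -N "" -C "" -t ed25519 -f ./initrd_host_ed25519_key
#   pin_initrd_host_key 192.168.178.141 7172 ./initrd_host_ed25519_key.pub ~/.ssh/initrd_known_hosts
#   unlock_initrd 192.168.178.141 7172 ~/.ssh/initrd_known_hosts
```

Because the installed system's sshd on port 22 uses different host keys, keeping the initrd pin in its own file also avoids confusing "host key changed" warnings between the two services on the same address.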
After completing these steps, your NixOS should be successfully installed and ready for use.

Note: Replace `root@nixos-installer.local` and `192.168.178.141` with the appropriate user and IP addresses for your setup. Also, adjust `<SYS_PATH>` to reflect the correct system path for your environment.