NixOs native flake deployment with LUKS drive encryption and LVM
In this series of tutorials, I will not cover nix or NixOS themselves. You can find many tutorials with detailed descriptions of the advantages of Nix, a declarative, functional configuration management language.
I will tackle a specific problem I was trying to solve and, as a result, share and expand on the options available.
Some time back, I was looking to reinstall my NixOS system, which I had been running for the past four years, using the new flake feature, to make it more flexible from a storage management standpoint (using LVM), and to secure it with full disk encryption (using LUKS).
Flake
Flakes are a new feature in the Nix ecosystem. Flakes replace stateful channels and introduce a more intuitive and consistent CLI interface.
LVM
The Linux Logical Volume Manager (LVM) is a device-mapper framework that provides logical volume management for the Linux kernel. Its main advantage is that managing multiple disks becomes very easy, and adding new disk storage is a breeze. A good description of LVM can be found in Chris Titus's blog post.
LUKS
LUKS stands for "Linux Unified Key Setup." I will use cryptsetup to encrypt the entire disk using LUKS2. For more information, see the LUKS2 specification.
Before you start, a good recommendation is to use a hypervisor such as VirtualBox or QEMU/KVM to get familiarised with the setup and the available options. In the below example, I am using QEMU/KVM.
Installation
Prerequisites
Download the latest NixOS Minimal ISO image.
Make sure you have a git repository with all configuration files. In the below example, I will use my GitHub systst repository.
Setup virtualization with QEMU/KVM
The first step is to create a virtual machine, booted from the Minimal ISO image, on which we will install NixOS using nix flakes.
Note: Adjust the --cdrom and --disk path locations. Feel free to adjust --ram and --vcpus to accommodate the underlying hardware.
Hard Drive preparation
Once the VM is up and running, we need to identify the drive on which NixOS will be installed by listing the available block devices.
Note: we will use the vda disk, which was provisioned with 30 G of free storage.
Note: It is good practice to have a minimum of 20 G of storage, because NixOS by its nature keeps derivations around for recovery.
Drive partitioning
Once we know which drive we will install NixOS on, it is time to create the necessary partitions. We will become root for easier access to the resources requiring root access.
Note: I am installing NixOS on a UEFI system, with a fat32 boot partition of 512 MiB. The rest of the storage is allocated to the root partition.
Note: Besides partitioning the disk, I labeled the partition /dev/vda1 as boot and /dev/vda2 as root, which will help us later in the system setup.
Partition encryption
The next step is to encrypt the root partition. I will use cryptsetup with luksFormat.
Note: Make sure you use a secure passphrase.
Open encrypted partition
Setting up LVM
System readout of volumes and partitions
Create a physical volume from /dev/mapper/root, which is mapped to /dev/vda2
Create a volume group vg from /dev/mapper/root
Create a 4 GB logical volume on volume group vg that will be used for the swap partition
Create a logical volume on volume group vg using all the remaining storage space, which will be used for the root partition
View volumes and partitions created
Partition formatting
Formatting the boot partition with FAT32
Formatting the root partition with the EXT4 file system
Formatting the swap partition
Mounting newly created partitions and swap activation
NixOS Installation
Installation options
We have a few options available for using a nix flake.
Base example
Below, you can find the most basic example, where the flake ingests configuration.nix as a module.
Home Manager integration
If you are the single user of the underlying hardware and want a single management workspace, you can integrate the system config with the home-manager config under the same nix flake.
Full flake integration
Another option is to get rid of configuration.nix and add all entries into flake.nix.
Note: the full example can be found at the link.
Mix and Match
In the below example, I am using a combination of available options.
The reason is to have a structure that allows for multi-user support. Some users may not have root access but should still manage their user packages using a separate Home Manager implementation, which I will cover in a separate tutorial.
Note: I added nixpkgs.overlays to allow selected packages to be installed from the unstable branch.
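An added example (not the post's own flake.nix) of the mix-and-match layout described above: the classic *.nix files ingested as modules, Home Manager as a NixOS module, and an overlay exposing the unstable channel for selected packages. The release branches, the hostname nixvm and the user alice are assumptions.

```nix
{
  description = "NixOS host on LUKS + LVM, managed as a flake (added example)";

  inputs = {
    # Stable channel for the system; the release name is an assumption.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
    # Unstable channel, used only for packages selected through the overlay.
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager/release-21.05";
      # Build Home Manager against the same nixpkgs as the system.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, ... }:
    let
      system = "x86_64-linux";
      # Overlay exposing the unstable package set as pkgs.unstable.<name>, so
      # configuration.nix can pick single packages from unstable without
      # moving the whole system to it.
      unstableOverlay = final: prev: {
        unstable = import nixpkgs-unstable {
          inherit system;
          config.allowUnfree = true;
        };
      };
    in {
      # Hostname nixvm and user alice are assumptions for this example.
      nixosConfigurations.nixvm = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          { nixpkgs.overlays = [ unstableOverlay ]; }
          # Classic configuration files ingested as flake modules.
          ./hardware-configuration.nix
          ./configuration.nix
          ./packages.nix
          # Home Manager as a NixOS module: the user environment is rebuilt
          # together with the system by `nixos-rebuild switch --flake .#nixvm`.
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.alice = import ./home.nix;
          }
        ];
      };
    };
}
```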
*.nix dissected
hardware-configuration.nix
The only changes in hardware-configuration.nix are switching the device references from by-uuid to by-label, which adds portability, and adding the swap device to the mix.
configuration.nix
fileSystems
fileSystems SSD optimization for EXT4
boot.loader
Adding the latest Linux kernel with kernelPackages = pkgs.linuxPackages_latest;
Allowing GRUB support for UEFI and LUKS encryption
networking
Please change to your desired hostname and correct the interface name.
console and fonts
I am adding a default system-wide encoding and additional fonts, useful for a modern shell.
services
We are enabling ssh on port 2022 but disabling root login and password authentication.
virtualisation
Adding docker as an example
nix optimisations
Allowing unfree packages (allowUnfree = true;) such as Nvidia drivers.
Make nix compatible with flakes using pkgs.nixFlakes;
Garbage collection and optimization with gc and optimise
system
Configure flake-compatible system auto-update; you will need to change the GitHub repo to point to your own repo location.
Note: The complete content of the configuration.nix file can be found on GitHub
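An added configuration.nix fragment (not the author's file) pulling together the sections dissected above: filesystems by label, LUKS unlocked in the initrd before LVM, GRUB for UEFI with LUKS support, hardened ssh on port 2022, docker, unfree packages, flake-enabled nix with gc and optimise, and flake-based auto-upgrade. The filesystem labels nixos, boot and swap, the GPT partition label root, the hostname and the OWNER/REPO auto-upgrade URL are assumptions or placeholders.

```nix
{ config, pkgs, ... }:
{
  # Devices by label rather than UUID, as in the post's hardware-configuration.nix.
  # The filesystem labels nixos, boot and swap are assumptions of this example.
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
    options = [ "noatime" "discard" ];   # SSD-friendly EXT4 mount options
  };
  fileSystems."/boot" = { device = "/dev/disk/by-label/boot"; fsType = "vfat"; };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];

  # Unlock the LUKS2 container as /dev/mapper/root in the initrd; LVM then
  # activates the vg volume group inside it. "root" is the GPT partition label.
  boot.initrd.luks.devices.root = {
    device = "/dev/disk/by-partlabel/root";
    # Required for "discard" to pass through LUKS; trades a little secrecy
    # (the free-space pattern becomes observable) for TRIM support.
    allowDiscards = true;
  };
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub = {
    enable = true;
    device = "nodev";          # UEFI: GRUB goes to the ESP, no MBR device
    efiSupport = true;
    enableCryptodisk = true;   # GRUB support for LUKS, as in the post
  };

  networking.hostName = "nixvm";   # assumed hostname; set your own
  # SSH on port 2022 with root login and password authentication disabled.
  # (On NixOS 23.05 and later these two options live under services.openssh.settings.)
  services.openssh = {
    enable = true;
    ports = [ 2022 ];
    permitRootLogin = "no";
    passwordAuthentication = false;
  };

  virtualisation.docker.enable = true;   # Docker, the post's virtualisation example
  nixpkgs.config.allowUnfree = true;     # e.g. proprietary Nvidia drivers
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
    gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 14d"; };
    optimise.automatic = true;
  };

  # Flake-aware auto-upgrade; OWNER/REPO is a placeholder for your own repository.
  system.autoUpgrade = { enable = true; flake = "github:OWNER/REPO"; };
}
```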
packages.nix
System wide packages
With environment.systemPackages we specify packages that will be installed for all users.
shellAliases
We can specify system-wide shell aliases for all users.
programs
We specify native nix applications to be installed and enabled or disabled. We can also add package-specific configuration for all users, for example for the nano editor.
users
To manage multiple users, I decided to segregate admin users, who have root access, from non-admin users. The only difference is the wheel group allocation. You can specify packages that will be installed only for a given user, add ssh public keys, and generate the password.
Prerequisites
Before starting the installation, we need git and nix flakes; we can get them through nix-shell, which allows us to use binaries that are not installed in the system.
Repo clone
Now we can clone the repository that holds our configuration files needed for the nixos flake installation.
NixOs flake installation
The nixos-install script supports native nixos flake installation.
Post-installation
Once the installation is completed, we can reboot the OS and log in as a user we declared in our configuration files.
System update and management
Once we have our system up and running, it is good practice to keep the system up to date.
A system update is a two-step process.
Following the below steps will keep your system up to date.
In the following tutorial, we will cover home manager installation and configuration using native flake implementation.