commit - f8331f38a176b3044ee7e8fa76286ae02ff20350
commit + 2795aaf6e38a45020b88100557d09e20cb573e0d
blob - /dev/null
blob + 2de6bb14f9e58c23a9d41e97ff031d432bd44418 (mode 644)
--- /dev/null
+++ art/019.install_nixos+zfs+encrypted_home.txt
+Title: Install NixOS with ZFS and encrypted /home
+Author: Alexander Arkhipov <aa@manpager.org>
+Created: 2025-01-09
+Modified: 2025-01-09
+
+I recently bought a ThinkPad L430 specifically with the purpose of
+running a Linux distro on it (rather than my usual choice of OS,
+OpenBSD). After some thought I decided to install NixOS with ZFS root,
+and encrypted home dataset.
+
+This turned out to be a somewhat less explored area than I thought it
+might be, so here's my how-to guide for such installation.
+
+
+BOOT INTO INSTALLATION ENVIRONMENT
+
+I assume you know how to do this. If not, refer to the [NixOS Manual].
+For the purposes of this guide, I used a non-graphical installer. You
+should be able to use an XFCE/KDE ISO, but you'll have to install the OS
+manually anyway.
+
+
+FIRST THINGS FIRST
+
+$ sudo su -
+# loadkeys dvorak
+
+Ahhh... much better. Also, make sure you network's alright.
+
+# ping nixos.org
+
+
+DISK SETUP
+
+Partition the disk as you normally would, creating a boot partition,
+swap and a single root partition. Then create the zfs pool, datasets
+and the swap partition. For zpool it is much better to use /dev/disk/by-id/*
+than plain /dev/*.
+
+# zpool create -O compression=zstd -O mountpoint=none -O xattr=sa \
+> -O acltype=posixacl -o ashift=12 zroot /dev/disk/by-id/ata-MY_DISK_ID-part3
+# zfs create zroot/ROOT
+# zfs create zroot/nix
+# zfs create zroot/var
+# zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt \
+> zroot/home
+
+You can use zpool status and zfs list for double checking.
+
+Mount the zfs datasets.
+
+# mkdir -p /mnt
+# mount -t zfs zroot/ROOT /mnt -o zfsutil
+# (cd /mnt && mkdir nix var home)
+# for d in nix var home; do mount -t zfs zroot/$d /mnt/$d -o zfsutil; done
+
+And finally, mount the boot partition and enable swap.
+
+# mkfs.fat -F 32 -n BOOT /dev/disk/by-id/ata-MY_DISK_ID-part1
+# mkdir /mnt/boot
+# mount -o umask=077 /dev/disk/by-id/ata-MY_DISK_ID-part1 /mnt/boot
+# mkswap -L swap /dev/disk/by-id/ata-MY_DISK_ID-part2
+# swapon /dev/disk/by-id/ata-MY_DISK_ID-part2
+
+
+INSTALLING NIXOS
+
+Generate the config as normal:
+
+# nixos-generate-config --root /mnt
+
+We need to edit /mnt/etc/nixos/hardware-configuration.nix:
+
+1. Add options = [ "zfsutils" ]; for zfs mounts.
+2. Add randomEncryption = true; in swapDevices.
+
+Like so:
+
+
+ fileSystems."/" = {
+ device = "zroot/ROOT";
+ fsType = "zfs";
+ options = [ "zfsutil" ]; # HERE
+ };
+
+ fileSystems."/nix" = {
+ device = "zroot/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ]; # AND HERE
+ };
+
+ fileSystems."/var" = {
+ device = "zroot/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ]; # HERE TOO
+ };
+
+ fileSystems."/home" = {
+ device = "zroot/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ]; # YOU GUESSED IT
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-id/ata-MY_DISK_ID-part1";
+ fsType = "vfat";
+ };
+
+ # Make sure to use /dev/disk/by-id/ if enabling encryption
+ swapDevices = [{
+ device = "/dev/disk/by-id/ata-MY_DISK_ID-part2";
+ randomEncryption = true;
+ }];
+
+
+In /mnt/etc/nixos/configuration.nix make sure to set:
+
+ boot.zfs.devNodes = "/dev/disk/by-id";
+ # Generate hostid with: head -c4 /dev/urandom | od -A none -t x4
+ # (or whichever method you prefer)
+ networking.hostId = "01234567";
+
+And finally, run:
+
+# nixos-install
+# nixos-enter --root /mnt -c 'passwd myuser'
+# umount /mnt/boot && zpool export -a # Don't forget that if you want to boot
+# reboot
+
+
+[NixOS Manual] https://nixos.org/manual/nixos/stable/
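Review bot: Step 1 of the hardware-configuration.nix instructions spells the mount option "zfsutils", while the example config right after it and the earlier mount commands use "zfsutil". A reader who follows the step text gets an option name that does not match the working example, so change the step to options = [ "zfsutil" ];. In the same file, "make sure you network's alright" should read "your network's", and the DISK SETUP paragraph says to create "the swap partition" after the pool although swap is already covered by the partitioning sentence. Since the title promises an encrypted /home, the text should also say that only zroot/home is created with encryption=on, and that zroot/ROOT, zroot/nix and zroot/var are left unencrypted.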
blob - /dev/null
blob + b04da0bcd1e268fef747bfd4ed20efccd30d4035 (mode 644)
--- /dev/null
+++ plan/2024.txt
+News:
+Entry: 2024-02-26
+
+A couple of new additions:
+
+1. art/012.backups_on_unix.txt
+2. thoughts/240226.after_a_month_in_georgia.txt
+
+
+Entry: 2024-03-08
+
+Wanted to write an article on using locales and wchar_t in C, but ended
+up writing two:
+
+1. https://manpager.org/usr/aa/art/013.from_ascii_to_unicode.txt
+ gopher://manpager.org/0/usr/aa/art/013.from_ascii_to_unicode.txt
+ gemini://manpager.org/usr/aa/art/013.from_ascii_to_unicode.txt
+2. https://manpager.org/usr/aa/art/014.locales_in_c.txt
+ gopher://manpager.org/0/usr/aa/art/014.locales_in_c.txt
+ gemini://manpager.org/usr/aa/art/014.locales_in_c.txt
+
+
+Entry: 2024-04-27
+
+- wrote an about.txt (root directory of the web/gopher/gemini site)
+- archived previous year's ~/.plan entries (still can be viewed via
+ the web/gopher/gemini)
+- added thoughts/240427.my_new_habits.txt
+
+
+Entry: 2024-05-05
+
+I wrote a new article in thoughts/240505.youth_sucks.txt, called
+"Youth sucks (but adulthood and beyond don't have to)". It's pretty
+short and to the point, as usual, but it is something I wanted to write
+about for a long time. Enjoy!
+
+
+Entry: 2024-06-07
+
+Hello, friends. Something very tragic has happened recently. I don't
+know if I'll manage to keep the site updated, but I will try, since it
+seems to help a bit.
+
+I added a new article in art/015.cron_tricks.txt
+
+
+Entry: 2024-06-18
+
+Made a mastodon (@aa@bsd.cafe)
+
+
+Entry: 2024-06-25
+
+New article (a bit of a short one this time):
+art/016.notes_on_dot-forward.txt
+
+
+entry: 2024-07-22
+
+Wrote a quick little article on installing Alpine Linux under
+OpenBSD VMM: art/017.how_to_install_alpine_on_vmm.txt
+
+
+Entry: 2024-11-19
+
+gpass 0.6 and gpm 0.3 released.
+
+
+Entry: 2024-12-29
+
+Wayland on OpenBSD (2024): art/018.wayland_on_openbsd_2024.txt
+
+
+Entry: 2025-01-09
+
+Install NixOS with ZFS and encrypted /home:
+art/019.install_nixos+zfs+encrypted_home.txt
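Review bot: The last entry added to plan/2024.txt is "Entry: 2025-01-09", which does not belong in a 2024 archive and is also the entry this commit puts into plan.txt. Drop it here so the announcement appears once. The header "entry: 2024-07-22" is lowercase while every other entry uses "Entry:". Fix the case while the text is being moved, in case anything matches on that header.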
blob - ebed5ed371d087e9a76e4c8874aa226095bb58ee
blob + 335c8485c06fb2fccc653248697100d1d59de924
--- plan.txt
+++ plan.txt
Now:
-2024-10-17
+2025-01-09
-Having finally *e*mmigrated, trying to figure out *i*mmigration. At this
-point I really don't know where it'll go, get back to me in 2030.
+Love Georgia. Staying here for the next year too.
-Trying to put some of my skills to where the money is at. So far, so
-good.
-At last, focusing on libre software development.
-
-
News:
-Entry: 2024-02-26
+Entry: 2025-01-09
-A couple of new additions:
-
-1. art/012.backups_on_unix.txt
-2. thoughts/240226.after_a_month_in_georgia.txt
-
-
-Entry: 2024-03-08
-
-Wanted to write an article on using locales and wchar_t in C, but ended
-up writing two:
-
-1. https://manpager.org/usr/aa/art/013.from_ascii_to_unicode.txt
- gopher://manpager.org/0/usr/aa/art/013.from_ascii_to_unicode.txt
- gemini://manpager.org/usr/aa/art/013.from_ascii_to_unicode.txt
-2. https://manpager.org/usr/aa/art/014.locales_in_c.txt
- gopher://manpager.org/0/usr/aa/art/014.locales_in_c.txt
- gemini://manpager.org/usr/aa/art/014.locales_in_c.txt
-
-
-Entry: 2024-04-27
-
-- wrote an about.txt (root directory of the web/gopher/gemini site)
-- archived previous year's ~/.plan entries (still can be viewed via
- the web/gopher/gemini)
-- added thoughts/240427.my_new_habits.txt
-
-
-Entry: 2024-05-05
-
-I wrote a new article in thoughts/240505.youth_sucks.txt, called
-"Youth sucks (but adulthood and beyond don't have to)". It's pretty
-short and to the point, as usual, but it is something I wanted to write
-about for a long time. Enjoy!
-
-
-Entry: 2024-06-07
-
-Hello, friends. Something very tragic has happened recently. I don't
-know if I'll manage to keep the site updated, but I will try, since it
-seems to help a bit.
-
-I added a new article in art/015.cron_tricks.txt
-
-
-Entry: 2024-06-18
-
-Made a mastodon (@aa@bsd.cafe)
-
-
-Entry: 2024-06-25
-
-New article (a bit of a short one this time):
-art/016.notes_on_dot-forward.txt
-
-
-entry: 2024-07-22
-
-Wrote a quick little article on installing Alpine Linux under
-OpenBSD VMM: art/017.how_to_install_alpine_on_vmm.txt
-
-
-Entry: 2024-11-19
-
-gpass 0.6 and gpm 0.3 released.
-
-
-Entry: 2024-12-29
-
-Wayland on OpenBSD (2024): art/018.wayland_on_openbsd_2024.txt
+Install NixOS with ZFS and encrypted /home:
+art/019.install_nixos+zfs+encrypted_home.txt
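Review bot: The two blank lines removed after "At last, focusing on libre software development." have no added counterpart in the lines shown, so check that the resulting plan.txt still has a blank separator between the "Now:" text and the "News:" header. The archived plan/2024.txt separates sections and entries with blank lines, and plan.txt should keep the same layout.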