[Nix-dev] NixOS UEFI+LUKS+LVM or UEFI+LUKS+ZFS

Tomasz Czyż tomasz.czyz at gmail.com
Wed Sep 28 00:32:36 CEST 2016


I have zfs on top of luks (I also have another installation where I have zfs
on top of luks and boot partition on top of mdadm/raid0).

My disk layout is, 100M boot partition + second partition for luks+zfs.
I created luks first, on top of luks I did create ZFS.

My config is:

  boot.loader.grub.devices = [
    "/dev/disk/by-id/RAW-DISK-ID" # like /dev/sda
  ];

  boot.initrd.luks.devices = [
    { device = "/dev/disk/by-uuid/LUKS_PARTITION_ID"; # second partition id (luks disk), like /dev/sda2
      name = "enc_root"; }
  ];

  fileSystems."/" =
    { device = "zeppelin-new";
      fsType = "zfs";
    };
  # ZFS is detected automatically after I enter the password for luks



2016-09-27 20:20 GMT+01:00 Bas van Dijk <v.dijk.bas at gmail.com>:

> Your installation steps look very similar to the following how-to I use
> when setting up a new system. The most significant difference seems to be
> that you're calling mkfs.jfs while I'm calling mkfs.ext4:
>
> # See:
> #
> # * https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
> #
> # * http://nixos.org/nixos/manual/sec-installation.html#sec-uefi-installation
> #
> #
> # gdisk /dev/sda
> # o       # create a new empty GUID partition table (GPT)
> # Y       # This option deletes all partitions and creates a new protective MBR. Proceed Y/N?
> # n       # add a new partition
> #         # Partition number, default 1
> #         # First sector
> # +512M   # Last sector
> # EF00    # GUID (EFI System)
> # n       # add a new partition
> #         # Partition number, default 2
> #         # First sector
> #         # Last sector
> # 8E00    # GUID (Linux LVM)
> # w       # write table to disk and exit
> # Y       # Do you want to proceed Y/N?
> #
> # cryptsetup luksFormat /dev/sda2
> # YES
> # <passphrase>
> # <passphrase>
> #
> # mkfs.vfat /dev/sda1 -n BOOT
> #
> # cryptsetup open --type luks /dev/sda2 lvm
> # <passphrase>
> #
> # # # To activate an existing volume:
> # # pvscan
> # # vgchange -ay MyStorage
> #
> # pvcreate /dev/mapper/lvm
> #
> # vgcreate MyStorage /dev/mapper/lvm
> #
> # lvcreate -L 16G MyStorage -n swapvol
> # lvcreate -l +100%FREE MyStorage -n rootvol
> #
> # mkfs.ext4 /dev/mapper/MyStorage-rootvol -L root
> # mkswap    /dev/mapper/MyStorage-swapvol -L swap
> #
> # swapon /dev/disk/by-label/swap
> #
> # mount /dev/disk/by-label/root /mnt
> #
> # mkdir /mnt/boot
> #
> # mount /dev/disk/by-label/BOOT /mnt/boot
> #
> # nixos-generate-config --root /mnt
> #
> # nix-env -i emacs
> #
> # emacs -nw /mnt/etc/nixos/configuration.nix
> # Set:
> # boot.loader.grub.device = "/dev/sda";
> # boot.initrd.kernelModules = [ "fbcon" ];
> #
> # services.openssh = {
> #   enable = true;
> #   permitRootLogin = "yes";
> # };
> #
> # boot.initrd.luks.devices = [
> #   { name = "lvm";
> #     device = "/dev/sda2";
> #   }
> # ];
> #
> # nixos-install
> # <root password>
> # <root password>
> #
> # reboot
>
>
> On 27 September 2016 at 21:02, Mark Gardner <mkg at vt.edu> wrote:
>
>> I am new to NixOS. I definitely like what I have seen so far. Thank you.
>>
>> I would like to encrypt the root partition with LUKS upon which LVM or
>> ZFS would provide /, swap, /home etc. I used
>> https://nixos.org/wiki/Encrypted_Root_on_NixOS and
>> https://bluishcoder.co.nz/2014/05/14/installing-nixos-with-encrypted-root-on-thinkpad-w540.html
>> as inspiration in my experiments in Vbox. Here is how I set up the disk
>> for the UEFI+LUKS+LVM case:
>>
>> parted /dev/sda mktable gpt
>> sgdisk -n1:1M:+1M   -t1:EF02 -c1:GRUB /dev/sda
>> sgdisk -n2:2M:+512M -t2:EF00 -c2:BOOT /dev/sda
>> sgdisk -n3:0:0      -t3:8E00 -c3:LUKS /dev/sda
>>
>> cryptsetup luksFormat /dev/sda3
>> cryptsetup luksOpen /dev/sda3 enc-pv
>>
>> pvcreate /dev/mapper/enc-pv
>> vgcreate vg /dev/mapper/enc-pv
>> lvcreate -L 1G -n swap vg
>> lvcreate -l 1662 -n root vg  # lvcreate -L 40G vg -> 1662 extents
>>
>> mkfs.msdos -F32 -n BOOT /dev/sda2
>> mkfs.jfs -L ROOT /dev/vg/root
>> mkswap -L SWAP /dev/vg/swap
>>
>> mount /dev/vg/root /mnt
>> mount /dev/sda2 /mnt/boot
>> swapon /dev/vg/swap
>>
>> Here is my configuration.nix:
>> { config, pkgs, ... }:
>>
>> {
>>   imports =
>>     [ # Include the results of the hardware scan.
>>       ./hardware-configuration.nix
>>     ];
>>
>>   boot.loader.grub.enable = true;
>>   boot.loader.grub.version = 2;
>>   boot.loader.grub.device = "/dev/sda";
>>   boot.initrd.luks.devices = [
>>     {
>>       name = "luksroot";
>>       device = "/dev/sda3";
>>       preLVM = true;
>>     }
>>   ];
>>
>>   networking.hostName = "nixos";
>>
>>   system.stateVersion = "16.03";
>> }
>>
>> When I rebooted after installation, it seems to hang after prompting for
>> the LUKS password. I have searched the mailing list archives and can't find
>> anything that indicates where it is going wrong.
>>
>> Does anyone have a configuration.nix that combines LUKS with LVM? Or with
>> ZFS? (Ultimately, I want to use ZFS. I am only using LVM to figure out
>> where the problem lies. Apparently the problem is related to LUKS.)
>>
>> Mark
>> --
>> Mark Gardner
>> --
>>
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>
>


-- 
Tomasz Czyż
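
Added example (not part of the original thread): a check that the ZFS, LVM and swap members in layouts like the ones above really sit on a dm-crypt mapping rather than on a raw partition. The function name and the sample lsblk lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `lsblk -Pno KNAME,PKNAME,NAME,TYPE,FSTYPE` on stdin and
# prints every ZFS/LVM/swap member that has no dm-crypt device beneath it.
unencrypted_members() {
  awk '
    {
      split("", f); line = $0
      while (match(line, /[A-Z]+="[^"]*"/)) {          # parse KEY="value" pairs
        pair = substr(line, RSTART, RLENGTH); eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      k = f["KNAME"]
      if (!(k in type)) order[++n] = k                 # keep first-seen order
      parent[k] = f["PKNAME"]; type[k] = f["TYPE"]
      fstype[k] = f["FSTYPE"]; name[k] = f["NAME"]
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (fstype[k] !~ /^(zfs_member|LVM2_member|swap)$/) continue
        enc = 0
        for (d = k; d != ""; d = parent[d])            # walk towards the disk
          if (type[d] == "crypt") { enc = 1; break }
        if (!enc) print name[k]
      }
    }'
}

sample_luks() {  # constructed: ZFS on LUKS (sda) and LVM on LUKS (sdb)
cat <<'EOF'
KNAME="sda1" PKNAME="sda" NAME="sda1" TYPE="part" FSTYPE="vfat"
KNAME="sda2" PKNAME="sda" NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda2" NAME="enc_root" TYPE="crypt" FSTYPE="zfs_member"
KNAME="sdb3" PKNAME="sdb" NAME="sdb3" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-1" PKNAME="sdb3" NAME="enc-pv" TYPE="crypt" FSTYPE="LVM2_member"
KNAME="dm-2" PKNAME="dm-1" NAME="vg-swap" TYPE="lvm" FSTYPE="swap"
EOF
}

sample_raw() {   # constructed: pool and swap placed directly on partitions
cat <<'EOF'
KNAME="sdc1" PKNAME="sdc" NAME="sdc1" TYPE="part" FSTYPE="vfat"
KNAME="sdc2" PKNAME="sdc" NAME="sdc2" TYPE="part" FSTYPE="zfs_member"
KNAME="sdc3" PKNAME="sdc" NAME="sdc3" TYPE="part" FSTYPE="swap"
EOF
}

sample_raw | unencrypted_members   # real host: lsblk -Pno KNAME,PKNAME,NAME,TYPE,FSTYPE | unencrypted_members
```

An empty result means every listed member is reached through a LUKS mapping; the unencrypted boot/ESP partition is expected and is not reported.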