NixOS on encrypted ZFS
I wouldn’t call myself a distro hopper. The decision of distribution is solely based on requirements. I have requirements and I want the distribution to fulfill them as much as possible. After 15 years, I know what I want and I go and find it.
In this case, an unexpected project caught my eye. The idea is so radically different that I wasn’t actually searching for it this time. It is one of those times where it found me first.
After looking into Nix and NixOS, I decided it is going to be my distribution of choice on the desktop. I will use that as my test bed before migrating all the serious work there. That’s how I got my first taste of NixOS outside of the deterministic virtualization layer and into the wild.
Requirements
Before installing any new system, I draftdown a list of requirements I would need this system to run. These are things that are very hard to change on the fly in the future without some serious work. Also, things that simply need to be there in this day and age.
Filesystem
I’m a big fan of zfs
. I’ve been running it on Linux, since the openzfs
project successfully ported it, with no issues. It’s a solid choice for a
filesystem and I don’t see a reason not to choose it.
Is it really a requirement ?
Well, yes. By now, openzfs
should be accessible to all distributions but my
choice of distribution is not usually for the beginner user. I need to know
it’s supported and documented. I can figure out the rest from there.
Encryption
This is the first requirement, I always want encryption. The reason why I put it
second in the list is that I needed to talk about zfs
first.
The zfs
filesystem offers encryption. Unfortunately, my research have shown
that zfs
might not encrypt some metadata. This might not be a big deal but the
choice of using Luks is there as well.
With Luks, we can encrypt the whole drive. So let’s do that; Luks with zfs
on top.
NixOS
NixOS utilizes Nix to build you an OS from a configuration file. This
configuration file is written in the nix
language. It is very analogous to
written an Ansible
playbook but it builds an OS instead.
The idea sounded appealing to me. A good friend of mine, setkeh, gave me a quick and
dirty overview, at first. That pushed me into doing more research of my own
where I found out that I can spawn off a nix-shell
with whatever dependencies
I want without having them installed on my system. What a great concept for
development or even running applications you don’t really want to run. Java
stuff for example.
Anyway, for all of these different reasons I have chosen NixOS to be the OS of choice to go on the desktop.
Installation
After testing NixOS in a VM a few times, I got setkeh
on a conference
session and we dug into this.
Filesystem partitioning
For the filesystem, we’re going to create two partitions. We need one, vfat
,
for the boot and another, zfs
, for the rest of the filesystem.
Note
The assumption is that we’re installing NixOS on an EFI
enabled system.
We can start by creating the first partition of 1GB
.
sgdisk -n3:1M:+1024M -t3:EF00 /dev/disk/by-id/VENDOR-ID
Followed by the rest of the filesystem.
sgdisk -n1:0:0 -t1:BF01 /dev/disk/by-id/VENDOR-ID
Note
It is usually easier to do the partitioning using GParted
. Make sure that the
partitions are unformatted, if you do so.
Warning
Do NOT forget to enable the boot flag on the first partition or your system will not boot.
Filesystem formatting
Now that we got our partitions creates, let’s go ahead and format them properly.
Starting with the boot
partition first.
mkfs.vfat /dev/disk/by-id/VENDOR-ID-part1
Warning
At this sage, you’re formatting a partition. Make sure you’re pointing to the partition and not your whole disk as in the previous section.
Then our zfs
partition, but we need to encrypt it first. So, we create the
Luks partition.
cryptsetup luksFormat /dev/disk/by-id/VENDOR-ID-part2
At this stage, stage we are done with the filesystem formatting and we need to
create the zfs
pool. To do so, we need to mount the encrypted root
filesystem; Luks.
cryptsetup open --type luks /dev/disk/by-id/VENDOR-ID-part2 crypt
This mounts the filesystem in /dev/mapper/crypt
. We’ll use that to create the pool.
zpool create -O mountpoint=none rpool /dev/mapper/crypt
zfs create -o mountpoint=legacy rpool/root
zfs create -o mountpoint=legacy rpool/root/nixos
zfs create -o mountpoint=legacy rpool/home
Filesystem mounting
After creating the filesystem, let’s mount everything.
# Mounting filesystem
mount -t zfs rpool/root/nixos /mnt
mkdir /mnt/home
mkdir /mnt/boot
# Mounting home directory
mount -t zfs rpool/home /mnt/home
# Mounting boot partition
mount /dev/disk/by-id/VENDOR-ID-part1 /mnt/boot
Generating NixOS configuration
At this stage, we need a nix
configuration to build our system from. I didn’t
have any configuration to start from so I generated one.
nixos-generate-config --root /mnt
NixOS configuration
Due to the weird configuration we’ve had, we need to make a few adjustements to the suggested configuration layed out in the docs.
The required configuration bits to be added to
/mnt/etc/nixos/configuration.nix
are:
boot.supportedFilesystems = [ "zfs" ];
# Make sure you set the networking.hostId option, which ZFS requires:
networking.hostId = "<random 8-digit hex string>";
# See https://nixos.org/nixos/manual/options.html#opt-networking.hostId for more.
# Use the GRUB 2 boot loader.
boot.loader.grub = {
enable = true;
version =2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/VENDOR-UUID-part2"; ## Use blkid to find this UUID
# Required even if we're not using LVM
preLVM = true;
};
};
NixOS installation
If we’re done with all of the configuration as described above, we should be able to build a bootable system. Let’s try that out by installing NixOS.
nixos-install
Conclusion
It took a bit of trial and error, and a loooooooot of mounting over and over again. At the end, though, it wasn’t as bad as I thought it would be. I’m still trying to get myself familiarised with NixOS and the new way of doing things. All in all, I would recommend trying NixOS, or the very least Nix.