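#!/usr/bin/env bash
# Setup
# Presumes pre-formatted harddrives: $BOOT is the EFI system partition,
# $DISK becomes the LUKS container that holds the LVM volume group.
# Destructive: both partitions are wiped. Run from the NixOS installer as root.
# Abort on the first failed command (e.g. a refused luksFormat) instead of
# carrying on and formatting on top of a half-finished step.
set -euo pipefail

BOOT=/dev/sda1
DISK=/dev/sda2

# The keyfiles are created in the working directory; make them owner-only
# from the moment they exist instead of relying on the default umask.
umask 077
dd if=/dev/urandom of=./keyfile0.bin bs=1024 count=4
dd if=/dev/urandom of=./keyfile1.bin bs=1024 count=4

echo "Creating LUKS partitions..."
# Enter the passphrase which is used to unlock disk. You will enter this in grub on every boot
# luks1 because GRUB is the component that unlocks this container and its
# cryptodisk support for LUKS2 is limited.
# NOTE: XTS splits the key in two, so -s 256 is AES-128-XTS; -s 512 gives AES-256-XTS.
cryptsetup luksFormat --type luks1 -c aes-xts-plain64 -s 256 -h sha512 "$DISK"
# Add a second key which will be used by nixos. You will need to enter the passphrase from previous step
cryptsetup luksAddKey "$DISK" keyfile0.bin
cryptsetup luksOpen "$DISK" crypted-nixos -d keyfile0.bin

# Create the LVM
echo "Creating LVM partitions..."
pvcreate /dev/mapper/crypted-nixos
vgcreate vg /dev/mapper/crypted-nixos
lvcreate -L 4G -n swap vg
lvcreate -l '100%FREE' -n root vg

# Format the disks
echo "Formatting disks..."
mkfs.fat -F 32 "$BOOT"
mkswap -L swap /dev/vg/swap
mkfs.ext4 -L root /dev/vg/root
# mkfs.ext4 -L data /dev/mapper/crypted-data

echo "Mounting drives..."
mount /dev/vg/root /mnt
mkdir -p /mnt/boot/efi
mount "$BOOT" /mnt/boot/efi
swapon /dev/vg/swap

# Copy the keys
# They are embedded in the initrd, which lives under /boot on the encrypted
# root volume; only /boot/efi (the FAT partition) is in the clear.
mkdir -p /mnt/etc/secrets/initrd/
cp keyfile0.bin keyfile1.bin /mnt/etc/secrets/initrd
chmod 000 /mnt/etc/secrets/initrd/keyfile*.bin

# Generate and edit configuration

echo "Generating NixOS config..."
nixos-generate-config --root /mnt

# boot.initrd.luks.devices wants the UUID of the LUKS container itself.
DISK_UUID=$(blkid -s UUID -o value "$DISK")

echo "Extending NixOS config..."
# nixos-generate-config writes a complete { ... } attribute set; appending
# after its closing brace would not parse. Drop the trailing brace so the
# snippet below, which ends with its own closing brace, re-closes the set.
sed -i -z 's/}[[:space:]]*$//' /mnt/etc/nixos/configuration.nix
# Unquoted heredoc so $DISK_UUID expands; the Nix below contains no other
# dollar signs, backticks or backslashes.
cat >> /mnt/etc/nixos/configuration.nix <<endmsg
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.loader.grub = {
    enable = true;
    device = "nodev";
    version = 2;
    efiSupport = true;
    enableCryptodisk = true;
  };

  boot.initrd = {
    luks.devices."root" = {
      # Filled in from blkid at install time: UUID of the LUKS container on $DISK
      device = "/dev/disk/by-uuid/$DISK_UUID";
      preLVM = true;
      keyFile = "/keyfile0.bin";
      allowDiscards = true;
    };
    secrets = {
      # Create /mnt/etc/secrets/initrd directory and copy keys to it
      "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
      "keyfile1.bin" = "/etc/secrets/initrd/keyfile1.bin";
    };
  };

  # Data mount
  # This is all wrong for box for now
  # fileSystems."/data" = {
  #   device = "/dev/disk/by-uuid/79630267-5766-4c7d-85a5-1d5f1dcd58ad"; # UUID for /dev/mapper/crypted-data
  #   encrypted = {
  #     enable = true;
  #     label = "crypted-data";
  #     blkDev = "/dev/disk/by-uuid/3476cb09-b3c4-4301-9ec9-84f60f32828a"; # UUID for /dev/sda1
  #     keyFile = "/keyfile1.bin";
  #   };
  # };

  time.timeZone = "Australia/Brisbane";

  networking.useDHCP = false;

  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  users.users.anish = {
    isNormalUser = true;
    # A password hash committed to an install script is exposed to offline
    # cracking; this 13-character value looks like a legacy crypt(3) hash.
    # Prefer generating a fresh one at install time (mkpasswd -m sha-512).
    hashedPassword = "MVHHpy9gbe3ow";
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [ "ssh-rsa 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 anish@curve" ];
  };
  # Passwordless sudo for wheel: anything running as this user gets root
  # without a prompt, so the SSH key above is effectively a root credential.
  security.sudo.wheelNeedsPassword = false; # needed for deploy-rs

  services.openssh.enable = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}

endmsg

# The working copies of the keyfiles are still in the current directory;
# remove them once the install is verified.

# sudo nixos-install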