thohlt/thiloho.github.io
1
0
Fork 0
mirror of https://github.com/thiloho/thiloho.github.io.git synced 2025-11-22 02:11:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
67fe3181bac58d9239fa0e73b0b031f9d6e0554a
thiloho.github.io/src/content/blog/nixos-with-ext4-and-luks/index.md
thiloho 67fe3181ba Add meaningful text for SEO meta tags
2025-04-27 04:31:59 +02:00

136 lines
2.8 KiB
Markdown
Raw Blame History

---
title: "Steps to install NixOS on a system with ext4 and LUKS"
description: "A guide to installing NixOS with full disk encryption using LUKS and LVM, showing the complete process from disk partitioning to system configuration."
pubDate: "2025-01-04"
---
## Disk layout
```sh
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 233.8G 0 disk
├─sda1 8:1 0 500M 0 part /boot # Unencrypted EFI partition
└─sda2 8:2 0 233.3G 0 part # Encrypted partition
└─cryptroot 254:0 0 233.3G 0 crypt # LUKS container
├─vg-swap 254:1 0 8G 0 lvm [SWAP] # LVM swap volume
└─vg-root 254:2 0 225.3G 0 lvm / # LVM root volume
```
## Partitioning
```
parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart ESP fat32 1MB 512MB
parted /dev/sda -- mkpart primary 512MB 100%
parted /dev/sda -- set 1 esp on
```
## Setting up Encryption
```
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 cryptroot
```
## Setting up LVM
```
pvcreate /dev/mapper/cryptroot
vgcreate vg /dev/mapper/cryptroot
lvcreate -L 8G vg -n swap
lvcreate -l 100%FREE vg -n root
```
## Creating Filesystems
```
mkfs.fat -F 32 -n boot /dev/sda1
mkfs.ext4 -L root /dev/vg/root
mkswap -L swap /dev/vg/swap
```
## Mounting Filesystems
```
mount /dev/vg/root /mnt
mkdir -p /mnt/boot
mount -o umask=077 /dev/sda1 /mnt/boot
swapon /dev/vg/swap
```
## NixOS configuration
```sh
nixos-generate-config --root /mnt
# Get UUID of encrypted partition (needed for configuration)
blkid -s UUID /dev/sda2
```
Edit `/mnt/etc/nixos/configuration.nix`:
```nix
{ config, lib, pkgs, ... }:
{
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Encryption configuration
initrd = {
luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/UUID-OF-SDA2"; # Replace with your UUID
};
};
};
};
# ...
}
```
## Installation
```
nixos-install
reboot
```
## How it works
1. **UEFI Phase**
- The UEFI firmware loads systemd-boot from the unencrypted /boot partition
- systemd-boot loads the NixOS kernel and initrd
2. **Early boot**
- Kernel starts and loads initrd
- initrd asks for LUKS passphrase
- after entering correct passphrase, /dev/sda2 will be decrypted
3. **LVM setup**
- LVM volumes are available after decryption
- System can now access root and swap volumes
4. **System start**
- Root file system is mounted
- Control handed over to systemd
- regular boot process continues
## Change of encryption password
To make this step as easy as possible, I recommend using [GNOME Disks](https://apps.gnome.org/DiskUtility).
![Linux disk management window showing a 2TB Samsung SSD with partition details and management options](./change-of-encryption-password.png)
Reference in New Issue View Git Blame Copy Permalink