NixOS Fully Encrypted ZFS Install Guide

6 minute read

I have been using NixOS for about 2 months now, and a good friend, Armageddon, has been wanting to try it out for some time, so I figured I would use the knowledge I have learned so far and help him generate a config for his new workstation in a VM.

One of the issues we ran into is that ZFS's native encryption does not encrypt metadata, so we wanted to solve that problem with LUKS and encrypt the entire volume. This is how we managed to do it.

First Steps

I'm going to assume you have a NixOS live CD and have created a virtual machine or prepared your host for installation.

Boot into the NixOS live environment and open yourself a shell. Alternatively, you can use GParted to create the two partitions: one 500MB for /boot and one taking the rest of the disk.

Partitioning

As I said in First Steps, you can use GParted to create the two partitions for your install; make sure you select unformatted when you do, as we will be formatting them later. GUI is no fun though, so let's talk terminal partitioning.

I'm going to assume you are using a GPT partition layout and not MBR (I have not tested MBR, so this may or may not work with it).

First, let's create our /boot partition with the EFI System Partition type. It is partition 1, which is what the format and mount commands below refer to as -part1:

sgdisk -n1:1M:+512M -t1:EF00 /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE

And now let's create a partition filling the rest of the disk (partition 2, -part2 below); that will end up being our encrypted volume holding the ZFS datasets for root, /root/nixos and /home:

sgdisk -n2:0:0 -t2:BF01 /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE

OK, that has the partitions created; now we need to format them.

First, let's format the EFI /boot partition:

mkfs.vfat /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE-part1

And now we set up the LUKS partition (this writes the LUKS header and asks for the passphrase that will unlock the disk at boot):

cryptsetup luksFormat /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE-part2

Creating The Pool

First things first: now that the LUKS partition is created, we need to unlock it and create a device-mapper device for the decrypted volume.

cryptsetup open --type luks /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE-part2 crypt

This has created a device at /dev/mapper/crypt; from here on out this is basically the whole disk except for /boot.

Now we can create the ZFS pool

zpool create -O mountpoint=none rpool /dev/mapper/crypt

And now we can create the ZFS datasets: rpool/root, rpool/root/nixos (which becomes /) and rpool/home

zfs create -o mountpoint=legacy rpool/root
zfs create -o mountpoint=legacy rpool/root/nixos
zfs create -o mountpoint=legacy rpool/home

Now we can mount the ZFS datasets and the boot partition

mount -t zfs rpool/root/nixos /mnt
mkdir /mnt/{boot,home}
mount -t zfs rpool/home /mnt/home
mount /dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE-part1 /mnt/boot

Configuration

Now that all the filesystems are created and mounted, we can generate a basic config using the NixOS config tool.

nixos-generate-config --root /mnt

Now we need to modify the config to support our ZFS setup. I'm not going to go into too much detail here; I'm going to use an excerpt from the NixOS Wiki for the main part.

# Edit /mnt/etc/nixos/configuration.nix and add the following line:
## ---8<-------------------------8<---
  boot.supportedFilesystems = [ "zfs" ];
## ---8<-------------------------8<---

# Also, make sure you set the networking.hostId option, which ZFS requires:
## ---8<-------------------------8<---
  networking.hostId = "<random 8-digit hex string>";
## ---8<-------------------------8<---
# See https://nixos.org/nixos/manual/options.html#opt-networking.hostId for more.

There is one extra bit we need to configure for GRUB to be able to unlock the LUKS volume.

  # Use the GRUB 2 boot loader.
  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "nodev";
    efiSupport = true;
    enableCryptodisk = true;
  };
  # The ESP was mounted at /mnt/boot above, so it must be "/boot" here, not "/boot/efi".
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.initrd.luks.devices = {
    root = {
      device = "/dev/disk/by-uuid/THE-UUID-OF-ata-VENDOR-ID-OF-THE-DRIVE-part2"; # Use blkid to find this UUID
      preLVM = true;
    };
  };

Now you should be able to apply anything else you want to your configuration.nix to complete the install to your preference, and away you go.
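The two placeholders above (networking.hostId and the by-uuid path of the LUKS partition) are easy to mistype, so here is a small POSIX sh helper I added for this guide; it is not from the original post or the NixOS Wiki. It validates or generates the hostId, pulls the UUID out of blkid output for the LUKS container, checks that the device really is LUKS, and prints the matching Nix lines. It assumes this guide's layout, with the LUKS container at ${DISK}-part2, where DISK is an assumed variable holding the /dev/disk/by-id path of the drive.

```sh
#!/bin/sh
# Added helper for this guide (not from the original post): derive the two
# placeholder values in the snippet above, networking.hostId and the
# by-uuid path of the LUKS partition, and print them as Nix lines.
# Assumption: the layout from this guide, LUKS container at "${DISK}-part2",
# DISK being an assumed variable set to the /dev/disk/by-id path of the drive.

# ZFS records the hostId in the pool label; if it changes later the pool looks
# foreign and import needs -f, so it must be a stable 8-digit hex value.
valid_hostid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}$'
}

# Four random bytes from the kernel, rendered as 8 lowercase hex digits.
gen_hostid() {
  head -c4 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Pull the filesystem UUID (not PARTUUID) out of one line of `blkid` output.
uuid_from_blkid_line() {
  printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Accept only a LUKS container: blkid reports TYPE="crypto_LUKS" for it.
is_luks_line() {
  printf '%s\n' "$1" | grep -q 'TYPE="crypto_LUKS"'
}

# Render the configuration.nix lines for the given hostId and LUKS UUID.
nix_fragment() {
  printf '  networking.hostId = "%s";\n' "$1"
  printf '  boot.initrd.luks.devices.root.device = "/dev/disk/by-uuid/%s";\n' "$2"
}

# Live-CD entry point: run as root after `cryptsetup luksFormat`, with DISK set.
main() {
  disk=${DISK:?set DISK=/dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE}
  line=$(blkid "${disk}-part2") || return 1
  is_luks_line "$line" || { echo "${disk}-part2 is not a LUKS container" >&2; return 1; }
  uuid=$(uuid_from_blkid_line "$line")
  [ -n "$uuid" ] || { echo "no UUID found for ${disk}-part2" >&2; return 1; }
  hostid=$(gen_hostid)
  valid_hostid "$hostid" || { echo "bad hostId generated" >&2; return 1; }
  nix_fragment "$hostid" "$uuid"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Save it as, say, hostid-luks.sh and run it on the live CD as DISK=/dev/disk/by-id/ata-VENDOR-ID-OF-THE-DRIVE sh hostid-luks.sh --run, then paste the two printed lines into /mnt/etc/nixos/configuration.nix in place of the placeholders.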

Here is a super basic configuration.nix that has the basics for LUKS and ZFS:

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Boot ZFS Config
  boot.supportedFilesystems = [ "zfs" ];

  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostId = "<random 8-digit hex string>";

  # Use the GRUB 2 boot loader.
  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "nodev";
    efiSupport = true;
    enableCryptodisk = true;
  };
  # The ESP is mounted at /boot in this guide, so keep the default here rather than "/boot/efi".
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.initrd.luks.devices = {
    root = {
      device = "/dev/disk/by-uuid/THE-UUID-OF-ata-VENDOR-ID-OF-THE-DRIVE-part2"; # Use blkid to find this UUID
      preLVM = true;
    };
  };
  #boot.loader.grub.enable = true;
  #boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

  networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Set your time zone.
  time.timeZone = "Europe/Amsterdam";

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.enp1s0.useDHCP = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  # };

  # Enable the X11 windowing system.
  services.xserver.enable = true;


  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  

  # Configure keymap in X11
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # environment.systemPackages = with pkgs; [
  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #   wget
  #   firefox
  # ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?

}

Finally, you can run

nixos-install

Conclusion

If everything has gone to plan, you should now have a fully set up NixOS install with encrypted ZFS datasets that you can customise to your heart's content.

Thanks for reading, I hope this helps you out, and good luck on your Nix adventure.