Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env bash
- #
- # Installs nixos with full disk encrypted root partition.
- #
- # - Prompts for password initially, after that no interaction should
- # be required.
- # - At the end it will prompt for a root password, could not make
- # echo-ing it into nixos-install work.
- # - Reserves 550MB for boot partition, rest for the root volume.
- # - After booting, log in as root user and set password for normal user.
- # - Removed LVM on Luks due to terrible (only 20%) write performance (???)
- #
- # USAGE:
- # 1. Fill in variables on top.
- # 2. $bash install.sh
- #
- set -euo pipefail
- DISK="/dev/sda"
- BOOT="/dev/sda1"
- ROOT="/dev/sda2"
- NIXOS_USER=""
- HOSTNAME=""
- NIXOS_VERSION="19.03"
- CONSOLE_KEYMAP="us" # the default
- XKB_VARIANT="" # the default
- CRYPT_VOLUME="/dev/mapper/crypted-nixos"
- ########################################################
- # No need to edit anything below for normal usage. #
- ########################################################
- read -s -p "DISK Password: " PASSWORD
- echo
- read -s -p "Confirm: " CONFIRMATION
- echo
- if [ ! "$PASSWORD" = "$CONFIRMATION" ]; then
- echo "Didn't match. Try again."
- exit 1
- fi
- echo "Creating partition table."
- (echo o # new table
- echo Y # yes
- echo n # new part
- echo # number 1
- echo # start
- echo '+550M' # end
- echo 'ef00' # EFI
- echo n # new part
- echo # number 2
- echo # start
- echo # end
- echo # linux
- echo w # write
- echo Y # yes
- ) | gdisk $DISK
- echo "Setting up LUKS."
- echo $PASSWORD | cryptsetup luksFormat $ROOT
- echo "Opening crypt volume."
- echo $PASSWORD | cryptsetup luksOpen $ROOT crypted-nixos
- echo "Formatting partitions."
- mkfs.fat -F 32 $BOOT
- mkfs.ext4 -L root $CRYPT_VOLUME
- echo "Mounting partitions."
- mount $CRYPT_VOLUME /mnt
- mkdir -p /mnt/boot
- mount $BOOT /mnt/boot
- nixos-generate-config --root /mnt
- cat > /mnt/etc/nixos/configuration.nix <<EOF
- { config, pkgs, ... }:
- {
- imports = [ ./hardware-configuration.nix ];
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
- networking.hostName = "$HOSTNAME";
- networking.networkmanager.enable = true;
- virtualisation.docker.enable = true;
- services.openssh.enable = true;
- services.haveged.enable = true;
- services.avahi.enable = true;
- services.avahi.nssmdns = true;
- services.avahi.publish.enable = true;
- services.avahi.publish.addresses = true;
- services.xserver.enable = true;
- services.xserver.displayManager.sddm.enable = true;
- services.xserver.desktopManager.plasma5.enable = true;
- services.xserver.libinput.enable = true;
- i18n = {
- consoleKeyMap = "$CONSOLE_KEYMAP";
- defaultLocale = "en_US.UTF-8";
- };
- nixpkgs.config = {
- allowUnfree = true;
- };
- nix.autoOptimiseStore = true;
- nix.useSandbox = true;
- security.pam.loginLimits = [
- { domain = "*"; type = "soft"; item = "nofile"; value = "65536"; }
- { domain = "*"; type = "hard"; item = "nofile"; value = "200000"; }
- { domain = "*"; type = "-"; item = "nproc"; value = "20000"; }
- ];
- time.timeZone = "Asia/Hong_Kong";
- environment.systemPackages = with pkgs; [
- git
- wget vim gzip
- firefox
- gnupg
- gparted
- ];
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- programs.bash.enableCompletion = true;
- programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
- programs.fish.enable = true;
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.extraUsers.$NIXOS_USER = {
- isNormalUser = true;
- uid = 1000;
- shell = pkgs.fish;
- extraGroups = [ "wheel" "networkmanager" "docker" ];
- };
- system.stateVersion = "$NIXOS_VERSION"; # Did you read the comment?
- }
- EOF
- nixos-install
- echo "Reboot now, good luck!"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
