This was made before native encryption in ZFS existed (pre OpenZFS 2.0), and last updated in August of 2017. Feel free to fork and improve :)
After some effort (and asking for help on the nix-dev mailing list) I installed ZFS on an encrypted partition. The relevant configuration is below.
I do not have a custom iso yet, so you'll need two USBs. One for the NixOS iso, and one for these files. You'll have to mount the second stick manually.
- Boot into the nixos environment and find the uuid or id of the disk you want to install to. Do not use
/dev/sdabut/dev/disk/by-..., uselsblkandblkid. - export it to the environment as
rootdisk:
# whole disk please, no partition
export rootdisk="/dev/disk/by-id/ata-Some-Storage-Device"- use keyfile and/or configure passphrase usage (see sections below)
- run it:
bash /path/to/automated_install.shIt is possible to use a keyfile (e.g. on a usb stick). If you want a keyfile and not have a passphrase for backup, see Configure without passphrase below.
# part of step 3
export keyfile="/dev/disk/by-id/usb-Some-Usb-Stick"
# optional, default is 4096
export keysize="8192"It is possible to pass the passphrase in an environment variable to make the install fully automated. This is generally unwise, but since we are in a temporary live enviorment I consider it safe enough. You can also put it as passphrase="your passphrase here" in automated_install.sh on line 16 instead.
If you add a keyfile as well, both are added.
# part of step 3
export passphrase="your passphrase here"If you only want to add a keyfile and not set a passphrase, set use_passphrase to no. This is not recommended.
# part of step 3
export use_passphrase="no"
# see Use keyfile above
export keyfile="/path/to/keyfile"I always run these command right after booting the install usb.
# I use programmer dvorak instead of qwerty
loadkeys dvorak-programmer- use nixos-rebuild to make an iso containing the files
- customise the iso with ZFS support and these files
- find the location of
automated_install.shin the built iso. - update Readme :-P
I used the following resources:
- https://nixos.org/wiki/ZFS_on_NixOS#How_to_install_NixOS_on_a_ZFS_root_filesystem
- https://nixos.org/wiki/Encrypted_Root_on_NixOS
- http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
- https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF
- https://github.com/zfsonlinux/zfs/wiki/Ubuntu-16.10-Root-on-ZFS
use this version of the files: old version. All text below is about those versions, not the ones you see here.
The commands in init.sh I run manually, (so no sed :-P)
The zfscreate.sh is used to set up a single-disk ZFS root filesystem inside of an encrypted LUKS container.
The two *.nix files have the minimum config needed for this (compare them with the generated ones in /mnt/etc/nixos/); The UUIDs should be filled-in by nixos-generate-config;
the "usb_storage" addition is not needed for everyone, just like the keyfile options; the other important changes
are the hostId, which is required by ZFS; and the boot.supportedFilesystems which I'm not even sure of if that's necessary