ragusa-it/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

install setup

Browse Source
This commit is contained in:
Melvin Ragusa
2026-02-03 01:14:55 +01:00
parent 1a7e86e99e
commit 8e3ceb76ec
3 changed files with 318 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
configuration.nix
View File

@@ -32,8 +32,14 @@
# ═══════════════════════════════════════════════════════════════ # ═══════════════════════════════════════════════════════════════
# BOOT # BOOT
# ═══════════════════════════════════════════════════════════════ # ═══════════════════════════════════════════════════════════════
boot.loader.systemd-boot.enable = true;
# ─── Bootloader: Limine with Secure Boot ───
boot.loader.systemd-boot.enable = false; # Disabled - using Limine
boot.loader.limine.enable = true;
boot.loader.limine.secureBoot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# ─── Kernel ───
boot.kernelPackages = pkgs.cachyosKernels.linuxPackages-cachyos-latest-x86_64-v3; boot.kernelPackages = pkgs.cachyosKernels.linuxPackages-cachyos-latest-x86_64-v3;
# Kernel parameters (consolidated from modules) # Kernel parameters (consolidated from modules)
@@ -42,6 +48,28 @@
"amdgpu.ppfeaturemask=0xffffffff" # Full AMD GPU power features (from gpu-amd.nix) "amdgpu.ppfeaturemask=0xffffffff" # Full AMD GPU power features (from gpu-amd.nix)
]; ];
# ─── Full Disk Encryption (LUKS) ───
boot.initrd.luks.devices = {
"cryptroot" = {
device = "/dev/disk/by-label/cryptroot";
allowDiscards = true; # Enable TRIM for SSD performance
};
"cryptswap" = {
device = "/dev/disk/by-label/cryptswap";
allowDiscards = true;
keyFile = "/swap.key"; # Auto-unlock with keyfile after root is decrypted
};
};
# Include swap keyfile in initrd (encrypted, only accessible during boot)
boot.initrd.secrets = {
"/swap.key" = /var/lib/secrets/swap.key;
};
# ─── Hibernation ───
boot.resumeDevice = "/dev/mapper/cryptswap";
# ─── Scheduler ───
# sched-ext scheduler for gaming performance # sched-ext scheduler for gaming performance
services.scx.enable = true; services.scx.enable = true;
services.scx.scheduler = "scx_lavd"; # Low-latency scheduler, good for gaming services.scx.scheduler = "scx_lavd"; # Low-latency scheduler, good for gaming
@@ -184,6 +212,9 @@
wget wget
curl curl
# Secure Boot management
sbctl
# Nix tools # Nix tools
nil # Nix LSP nil # Nix LSP
nixd nixd

161
scripts/install-fde.sh Executable file
View File

@@ -0,0 +1,161 @@
#!/usr/bin/env bash
# NixOS Installation Script - Full Disk Encryption with Limine
# Target: /dev/nvme0n1
# Layout: 1GB EFI + 34GB encrypted swap + remaining encrypted root
# Filesystems: FAT32 (EFI), XFS (root), swap
set -euo pipefail
# ═══════════════════════════════════════════════════════════════
# CONFIGURATION
# ═══════════════════════════════════════════════════════════════
DISK="/dev/nvme0n1"
EFI_PART="${DISK}p1"
SWAP_PART="${DISK}p2"
ROOT_PART="${DISK}p3"
EFI_SIZE="1GiB"
SWAP_SIZE="35GiB" # 1GiB + 34GiB = 35GiB end point
# ═══════════════════════════════════════════════════════════════
# SAFETY CHECK
# ═══════════════════════════════════════════════════════════════
echo "WARNING: This will DESTROY all data on ${DISK}"
echo ""
echo "Partition layout:"
echo " ${EFI_PART} - 1GB EFI System Partition (FAT32)"
echo " ${SWAP_PART} - 34GB Encrypted swap (LUKS2)"
echo " ${ROOT_PART} - Rest Encrypted root (LUKS2 + XFS)"
echo ""
read -p "Type 'YES' to continue: " confirm
if [[ "$confirm" != "YES" ]]; then
echo "Aborted."
exit 1
fi
# ═══════════════════════════════════════════════════════════════
# PHASE 1: PARTITIONING
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 1: Partitioning ${DISK} ═══"
parted "${DISK}" -- mklabel gpt
parted "${DISK}" -- mkpart ESP fat32 1MiB "${EFI_SIZE}"
parted "${DISK}" -- set 1 esp on
parted "${DISK}" -- mkpart swap "${EFI_SIZE}" "${SWAP_SIZE}"
parted "${DISK}" -- mkpart root "${SWAP_SIZE}" 100%
echo "Partitioning complete."
sleep 1
# ═══════════════════════════════════════════════════════════════
# PHASE 2: FORMAT EFI
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 2: Formatting EFI partition ═══"
mkfs.fat -F 32 -n BOOT "${EFI_PART}"
echo "EFI partition formatted."
# ═══════════════════════════════════════════════════════════════
# PHASE 3: LUKS ENCRYPTION
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 3: Setting up LUKS encryption ═══"
echo ""
echo "─── Encrypting ROOT partition (${ROOT_PART}) ───"
echo "You will be prompted to create a passphrase."
cryptsetup luksFormat --type luks2 --label cryptroot "${ROOT_PART}"
cryptsetup open "${ROOT_PART}" cryptroot
echo ""
echo "─── Encrypting SWAP partition (${SWAP_PART}) ───"
echo "You will be prompted to create a passphrase (can be same as root)."
cryptsetup luksFormat --type luks2 --label cryptswap "${SWAP_PART}"
cryptsetup open "${SWAP_PART}" cryptswap
echo "LUKS encryption configured."
# ═══════════════════════════════════════════════════════════════
# PHASE 4: GENERATE SWAP KEYFILE
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 4: Generating swap keyfile ═══"
dd bs=4096 count=1 if=/dev/random of=/tmp/swap.key iflag=fullblock
chmod 600 /tmp/swap.key
echo "Adding keyfile to swap LUKS volume..."
cryptsetup luksAddKey "${SWAP_PART}" /tmp/swap.key
echo "Keyfile generated and added to swap."
# ═══════════════════════════════════════════════════════════════
# PHASE 5: FORMAT ENCRYPTED VOLUMES
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 5: Formatting encrypted volumes ═══"
mkfs.xfs -L nixos /dev/mapper/cryptroot
mkswap -L swap /dev/mapper/cryptswap
echo "Filesystems created."
# ═══════════════════════════════════════════════════════════════
# PHASE 6: MOUNT
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 6: Mounting filesystems ═══"
mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mkdir -p /mnt/var/lib/secrets
mount "${EFI_PART}" /mnt/boot
swapon /dev/mapper/cryptswap
# Store keyfile securely
mv /tmp/swap.key /mnt/var/lib/secrets/swap.key
chmod 600 /mnt/var/lib/secrets/swap.key
chown root:root /mnt/var/lib/secrets/swap.key
echo "Filesystems mounted."
echo ""
echo "Mount layout:"
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT "${DISK}"
# ═══════════════════════════════════════════════════════════════
# PHASE 7: GENERATE HARDWARE CONFIG
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══ Phase 7: Generating NixOS hardware configuration ═══"
nixos-generate-config --root /mnt
echo "Hardware configuration generated at /mnt/etc/nixos/"
# ═══════════════════════════════════════════════════════════════
# NEXT STEPS
# ═══════════════════════════════════════════════════════════════
echo ""
echo "═══════════════════════════════════════════════════════════════"
echo " DISK SETUP COMPLETE!"
echo "═══════════════════════════════════════════════════════════════"
echo ""
echo "Next steps:"
echo ""
echo "1. Copy your NixOS configuration to /mnt/etc/nixos/"
echo " Example: cp -r ~/nixos/* /mnt/etc/nixos/"
echo ""
echo "2. IMPORTANT: Verify hardware-configuration.nix has correct mounts:"
echo " - fileSystems.\"/\" = { device = \"/dev/mapper/cryptroot\"; fsType = \"xfs\"; }"
echo " - fileSystems.\"/boot\" = { device = \"/dev/disk/by-label/BOOT\"; fsType = \"vfat\"; }"
echo " - swapDevices = [ { device = \"/dev/mapper/cryptswap\"; } ]"
echo ""
echo "3. Run the installation:"
echo " nixos-install --flake /mnt/etc/nixos#nixos"
echo ""
echo "4. After reboot, run the Secure Boot setup script."
echo ""

125
scripts/setup-secureboot.sh Executable file
View File

@@ -0,0 +1,125 @@
#!/usr/bin/env bash
# Secure Boot Setup Script for NixOS with Limine
# Run this AFTER first successful boot into NixOS
set -euo pipefail
echo "═══════════════════════════════════════════════════════════════"
echo " NixOS Secure Boot Setup"
echo "═══════════════════════════════════════════════════════════════"
echo ""
# ═══════════════════════════════════════════════════════════════
# CHECK PREREQUISITES
# ═══════════════════════════════════════════════════════════════
if [[ $EUID -ne 0 ]]; then
echo "ERROR: This script must be run as root (use sudo)"
exit 1
fi
if ! command -v sbctl &> /dev/null; then
echo "ERROR: sbctl not found. Ensure your NixOS config includes it."
echo "Add to configuration.nix: environment.systemPackages = [ pkgs.sbctl ];"
exit 1
fi
# ═══════════════════════════════════════════════════════════════
# STEP 1: CHECK CURRENT STATUS
# ═══════════════════════════════════════════════════════════════
echo "─── Step 1: Checking current Secure Boot status ───"
echo ""
sbctl status || true
echo ""
# ═══════════════════════════════════════════════════════════════
# STEP 2: CREATE SECURE BOOT KEYS
# ═══════════════════════════════════════════════════════════════
echo "─── Step 2: Creating Secure Boot keys ───"
echo ""
if [[ -d /etc/secureboot/keys ]]; then
echo "Keys already exist at /etc/secureboot/keys"
read -p "Regenerate keys? (y/N): " regen
if [[ "$regen" == "y" || "$regen" == "Y" ]]; then
sbctl create-keys
fi
else
sbctl create-keys
fi
echo ""
echo "Keys created successfully."
# ═══════════════════════════════════════════════════════════════
# STEP 3: VERIFY WHAT NEEDS SIGNING
# ═══════════════════════════════════════════════════════════════
echo ""
echo "─── Step 3: Checking files that need signing ───"
echo ""
sbctl verify
echo ""
# ═══════════════════════════════════════════════════════════════
# STEP 4: ENROLL KEYS
# ═══════════════════════════════════════════════════════════════
echo ""
echo "─── Step 4: Enrolling Secure Boot keys ───"
echo ""
echo "IMPORTANT: Before this step, you must:"
echo " 1. Reboot into UEFI/BIOS settings"
echo " 2. Find Secure Boot settings"
echo " 3. Clear existing keys OR put Secure Boot in 'Setup Mode'"
echo " 4. Save and boot back to NixOS"
echo ""
read -p "Have you put Secure Boot in Setup Mode? (y/N): " setup_mode
if [[ "$setup_mode" != "y" && "$setup_mode" != "Y" ]]; then
echo ""
echo "Please reboot into UEFI and enable Setup Mode first."
echo "Then run this script again."
exit 0
fi
echo ""
echo "Enrolling keys with Microsoft keys included (for hardware compatibility)..."
sbctl enroll-keys -m
echo ""
echo "Keys enrolled successfully."
# ═══════════════════════════════════════════════════════════════
# STEP 5: REBUILD NIXOS TO SIGN EVERYTHING
# ═══════════════════════════════════════════════════════════════
echo ""
echo "─── Step 5: Rebuilding NixOS to sign bootloader and kernel ───"
echo ""
nixos-rebuild switch --flake ~/nixos#nixos
echo ""
echo "NixOS rebuilt with signed binaries."
# ═══════════════════════════════════════════════════════════════
# STEP 6: FINAL VERIFICATION
# ═══════════════════════════════════════════════════════════════
echo ""
echo "─── Step 6: Final verification ───"
echo ""
sbctl verify
echo ""
echo "═══════════════════════════════════════════════════════════════"
echo " SECURE BOOT SETUP COMPLETE!"
echo "═══════════════════════════════════════════════════════════════"
echo ""
echo "Next steps:"
echo " 1. Reboot into UEFI/BIOS"
echo " 2. Enable Secure Boot"
echo " 3. Save and boot"
echo ""
echo "After reboot, verify with: sbctl status"
echo ""