dhl/nixos-install-encrypted-root.sh

## nixos-install-encrypted-root.sh
#!usr/bin/env bash
#
#   Installs nixos with full disk encrypted root partition.
#
#   - Prompts for password initially, after that no interaction should
#     be required.
#   - At the end it will prompt for a root password, could not make
#     echo-ing it into nixos-install work.
#   - Reserves 550MB for boot partition, rest for the root volume.
#   - After booting, log in as root user and set password for normal user.
#   - Removed LVM on Luks due to terrible (only 20%) write performance (???)
#
#  USAGE:
#   1. Fill in variables on top.
#   2. $bash install.sh
#
set -euo pipefail

DISK="/dev/sda"
BOOT="/dev/sda1"
ROOT="/dev/sda2"
NIXOS_USER=""
HOSTNAME=""
NIXOS_VERSION="19.03"
# CONSOLE_KEYMAP="us"  # the default
CONSOLE_KEYMAP="colemak/en-latin9"
# XKB_VARIANT=""       # the default
XKB_VARIANT="colemak"
CRYPT_VOLUME="/dev/mapper/crypted-nixos"

########################################################
#  No need to edit anything below for normal usage.    #
########################################################

read -s -p "DISK Password: " PASSWORD
echo
read -s -p "Confirm: " CONFIRMATION
echo
if [ ! "$PASSWORD" = "$CONFIRMATION" ]; then
    echo "Didn't match. Try again."
    exit 1
fi

echo "Creating partition table."
(echo o         # new table
 echo Y         # yes
 echo n         # new part
 echo           # number 1
 echo           # start
 echo '+550M'   # end
 echo 'ef00'    # EFI
 echo n         # new part
 echo           # number 2
 echo           # start
 echo           # end
 echo           # linux
 echo w         # write
 echo Y         # yes
) | gdisk $DISK

echo "Setting up LUKS."
echo $PASSWORD |  cryptsetup luksFormat $ROOT
echo "Opening crypt volume."
echo $PASSWORD | cryptsetup luksOpen $ROOT crypted-nixos

echo "Formatting partitions."
mkfs.fat -F 32 $BOOT
mkfs.ext4 -L root $CRYPT_VOLUME

echo "Mounting partitions."
mount $CRYPT_VOLUME /mnt
mkdir -p /mnt/boot
mount $BOOT /mnt/boot

nixos-generate-config --root /mnt

cat > /mnt/etc/nixos/configuration.nix <<EOF
{ config, pkgs, ... }:

{

  imports = [ ./hardware-configuration.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "$HOSTNAME";
  networking.networkmanager.enable = true;

  i18n = {
     consoleKeyMap = "$CONSOLE_KEYMAP";
     defaultLocale = "en_US.UTF-8";
  };

  time.timeZone = "Asia/Hong_Kong";

  environment.systemPackages = with pkgs; [
    git
    vim
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.bash.enableCompletion = true;
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

  services.openssh.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.$NIXOS_USER = {
     isNormalUser = true;
     uid = 1000;
     extraGroups = [ "wheel" ];
  };

  system.stateVersion = "$NIXOS_VERSION"; # Did you read the comment?
}
EOF

nixos-install

echo "Reboot now, good luck!"
	#!usr/bin/env bash
	#
	# Installs nixos with full disk encrypted root partition.
	#
	# - Prompts for password initially, after that no interaction should
	# be required.
	# - At the end it will prompt for a root password, could not make
	# echo-ing it into nixos-install work.
	# - Reserves 550MB for boot partition, rest for the root volume.
	# - After booting, log in as root user and set password for normal user.
	# - Removed LVM on Luks due to terrible (only 20%) write performance (???)
	#
	# USAGE:
	# 1. Fill in variables on top.
	# 2. $bash install.sh
	#
	set -euo pipefail

	DISK="/dev/sda"
	BOOT="/dev/sda1"
	ROOT="/dev/sda2"
	NIXOS_USER=""
	HOSTNAME=""
	NIXOS_VERSION="19.03"
	# CONSOLE_KEYMAP="us" # the default
	CONSOLE_KEYMAP="colemak/en-latin9"
	# XKB_VARIANT="" # the default
	XKB_VARIANT="colemak"
	CRYPT_VOLUME="/dev/mapper/crypted-nixos"

	########################################################
	# No need to edit anything below for normal usage. #
	########################################################

	read -s -p "DISK Password: " PASSWORD
	echo
	read -s -p "Confirm: " CONFIRMATION
	echo
	if [ ! "$PASSWORD" = "$CONFIRMATION" ]; then
	echo "Didn't match. Try again."
	exit 1
	fi

	echo "Creating partition table."
	(echo o # new table
	echo Y # yes
	echo n # new part
	echo # number 1
	echo # start
	echo '+550M' # end
	echo 'ef00' # EFI
	echo n # new part
	echo # number 2
	echo # start
	echo # end
	echo # linux
	echo w # write
	echo Y # yes
	) \| gdisk $DISK

	echo "Setting up LUKS."
	echo $PASSWORD \| cryptsetup luksFormat $ROOT
	echo "Opening crypt volume."
	echo $PASSWORD \| cryptsetup luksOpen $ROOT crypted-nixos

	echo "Formatting partitions."
	mkfs.fat -F 32 $BOOT
	mkfs.ext4 -L root $CRYPT_VOLUME

	echo "Mounting partitions."
	mount $CRYPT_VOLUME /mnt
	mkdir -p /mnt/boot
	mount $BOOT /mnt/boot

	nixos-generate-config --root /mnt

	cat > /mnt/etc/nixos/configuration.nix <<EOF
	{ config, pkgs, ... }:

	{

	imports = [ ./hardware-configuration.nix ];

	boot.loader.systemd-boot.enable = true;
	boot.loader.efi.canTouchEfiVariables = true;

	networking.hostName = "$HOSTNAME";
	networking.networkmanager.enable = true;

	i18n = {
	consoleKeyMap = "$CONSOLE_KEYMAP";
	defaultLocale = "en_US.UTF-8";
	};

	time.timeZone = "Asia/Hong_Kong";

	environment.systemPackages = with pkgs; [
	git
	vim
	];

	# Some programs need SUID wrappers, can be configured further or are
	# started in user sessions.
	programs.bash.enableCompletion = true;
	programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

	services.openssh.enable = true;

	# Define a user account. Don't forget to set a password with ‘passwd’.
	users.extraUsers.$NIXOS_USER = {
	isNormalUser = true;
	uid = 1000;
	extraGroups = [ "wheel" ];
	};

	system.stateVersion = "$NIXOS_VERSION"; # Did you read the comment?
	}
	EOF

	nixos-install

	echo "Reboot now, good luck!"