author Katharina Fey <kookie@spacekookie.de> 2019-07-11 15:14:30 +0100
committer Katharina Fey <kookie@spacekookie.de> 2019-07-11 15:14:30 +0100
commit a3c610e09034001c0a7d368c448d4a71b6bc96e1 (patch)
tree 08c0243e168d929a854ed03da7e91c1f45287688
parent c05b00973e0b5c9f03d386b2f759776ba433add7 (diff)
Finishing up the ZFS article
-rw-r--r-- content/blog/107_encrypted_zfs.md 76
1 files changed, 50 insertions, 26 deletions
diff --git a/content/blog/107_encrypted_zfs.md b/content/blog/107_encrypted_zfs.md
index 3e05fa0..f6465bb 100644
--- a/content/blog/107_encrypted_zfs.md
+++ b/content/blog/107_encrypted_zfs.md
@@ -1,15 +1,17 @@
Title: Bikeshedding disk partitioning
Category: Blog
Tags: linux, zfs, nixos
-Date: 2019-06-14
-Status: Draft
+Date: 2019-07-11
I recently got a new Thinkpad. Well...new is a stretch.
It's an X230, featuring an i5 and 16GB of RAM.
-One of the first things I did with this laptopwas to
-[flash coreboot on it](https://octodon.social/@spacekookie/102150706024564666).
-And generally I felt like setting up a laptop in the way I would have always wanted.
+One of the first things I did with this laptop was to [flash coreboot on it][coreboot].
+This is something I've always wanted to be able to do,
+but so far lacked hardware that was supported.
+And generally, it felt like finally maybe I could have a laptop to tinker around with.
+
+[coreboot]: https://octodon.social/@spacekookie/102150706024564666
And that's where this post begins...
@@ -34,8 +36,9 @@ but there's some limitations
That last one _might_ not be accurate if you only want
to have an `ext4` (or similar) rootfs. But because I
want to have a `zfs` root, I need to embed it into an LVM.
+This is also the reason why `/boot` needs to be it's own partition.
After we've done all this, we will install a linux distribution of choice
-(which we'll talk about later).
+(which we'll reveal later).
Anyway, let's get started!
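Review bot: "needs to be it's own partition" in the added line should read "its own", and the wording conflicts with the rest of the article, where `/boot` is not a partition but an LVM volume (`mount /dev/mapper/vg0-boot /mnt/boot` further down). Say "its own volume" or "its own filesystem" so readers do not go looking for a separate `/dev/sda2`. The phrasing change from "talk about" to "reveal" is fine and matches the "spoilers" joke later.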
@@ -52,7 +55,7 @@ is very slow.
Instead you can create a crypto-disk (luks) on it, then fill it
with zero's. But because of the encryption it will seem random.
-(/dev/sda is my disk in this example).
+(`/dev/sda` is my disk in this example because lolwat is nvme even?)
```console
$ cryptsetup luksFormat /dev/sda1
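Review bot: `cryptsetup luksFormat /dev/sda1` is run without `--type`, which matters for this setup: `/boot` ends up inside the LVM on this container (`vg0-boot`) and GRUB is later told to unlock it with `enableCryptodisk = true`, and GRUB's cryptodisk module (as of GRUB 2.04) only opens LUKS1, while current cryptsetup releases default to LUKS2. Use `cryptsetup luksFormat --type luks1 /dev/sda1` for the real container, or this configuration will not boot. Smaller point: the new parenthetical says `/dev/sda` is the disk, but the command formats `/dev/sda1`; mention that a partition table with one partition is created first.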
@@ -62,10 +65,10 @@ $ dd if=/dev/zero of=/dev/mapper/sda_crypto bs=512 status=progress
This might take a while, but considerably less time than filling
the disk with random data. After this is done, you might want to
-actually wipe the first 4096 bytes.
+actually wipe the first bunch of bytes.
```console
-cryptsetup luksClose sda_crypto
+$cryptsetup luksClose sda_crypto
$ dd if=/dev/urandom of=/dev/sda bs=1M count=8
```
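Review bot: the replaced prompt line `$cryptsetup luksClose sda_crypto` lost the space after `$`, unlike every other prompt in the article; it should be `$ cryptsetup luksClose sda_crypto`. Also, "the first bunch of bytes" is vaguer than the old "first 4096 bytes", and neither matches the command, which overwrites the first 8 MiB (`bs=1M count=8`). State the size, and say why: the point of this step is to destroy the header of the throwaway LUKS container used for the zero-fill so it cannot be reopened, and the header lives at the start of the device.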
@@ -85,17 +88,22 @@ $ lvcreate vg0-swap -l 16G
$ lvcreate vg0-root -L +100%FREE
```
+I included the `swap` partition in the LVM instead of as a ZFS subvolume
+because those can sometimes deadlock and this just makes things easier.
+
Now we want to create the filesystems.
For `/boot` we can just use `mkfs.ext4`,
but consider that I want to use `zfs` on `/`,
that will require some more work.
```console
-zpool create rtank /dev/mapper/vg0-root # feel free to call your pool whatever!
-
-# At this point you could also create subvolumes for split `/` and `/home`
+$ zpool create rtank /dev/mapper/vg0-root
```
+Feel free to call your pool whatever!
+At this point you could also create subvolumes to
+split `/`, `/home`, ... if you wanted.
+
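Review bot: the two `lvcreate` lines in the context of this hunk have their flags swapped: `-L` takes a size (`-L 16G`) and `-l` takes an extent count or percentage (`-l 100%FREE`, without the `+`, which is `lvextend` syntax). lvcreate also names the volume with `-n` and takes the volume group as the positional argument, so the working forms are `lvcreate -n swap -L 16G vg0` and `lvcreate -n root -l 100%FREE vg0`. A `vg0-boot` volume is mounted later in the article but never created here; add its `lvcreate` line before `vg0-swap`, since `root` takes all remaining space. The added sentence about keeping swap out of ZFS is a good call (swap on a zvol is a known deadlock source); consider linking to the issue.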
## Mounting & Configuration
So that's all good. How do we initialise this system now?
@@ -105,12 +113,11 @@ our linux secret distribution of choice (spoilers: it's [NixOS]!)
[NixOS]: https://nixos.org
```
-mkdir -p /mnt/boot
-zpool import rtank
-mount -t zfs rtank /mnt
-mount /dev/mapper/vg0-boot /mnt/boot
-
-nixos-generate-config --root /mnt
+$ mkdir -p /mnt/boot
+$ zpool import rtank
+$ mount -t zfs rtank /mnt
+$ mount /dev/mapper/vg0-boot /mnt/boot
+$ nixos-generate-config --root /mnt
```
That last line is obviously NixOS specific.
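Review bot: the fence around this block is a bare ``` while the earlier blocks use ```console; now that `$ ` prompts were added here, tag it `console` too so it highlights the same way. Note that `zpool import rtank` will refuse to import a pool that was created on another host (the hostid check), which the later `networking.hostId` setting addresses; a sentence here pointing at that would save readers a confusing error.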
@@ -120,12 +127,28 @@ using EFI. Wuuh!
The rest of this post I want to talk about how to make this
all work with NixOS and reproducable configuration.
-**edit before release**
+Most of what we need to configure is in the `boot` option.
+Let's go through the settings one by one:
+
+- `boot.loader.grub`
+ - `efiSupport = false` actually the default but I like being explicit
+ - `copyKernels = true` enable this to avoid problems with ZFS becoming unbootable
+ - `device = "/dev/sda"` replace this with the device that holds your GRUB
+ - `zfsSupport = true` to enable ZFS support 😅
+ - `enableCryptodisk = true` to enable stage-1 encryption support
+- `boot.zfs.devNodes = "/dev"` to point ZFS at the correct device tree (not 100% if required)
+- `fileSystems."/".encrypted`
+ - `enable = true`
+ - `label = "lvm"` the label of your LVM
+ - `blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54"` the disk that
+ ZFS is installed to. You can find this out by looking at your symlinks in
+ `/dev/disk/by-uuid` and picking the correct one.
+- `networking.hostId` needs to be set to some random 8 bytes
+
+Following is the complete config to make it easier to copy stuff from:
-```nix
+```
boot.loader.grub = {
- enable = true;
- version = 2;
efiSupport = false;
copyKernels = true;
device = "/dev/sda";
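Review bot: the fence was changed from ```nix to a bare ```; keep `nix` so the listing gets highlighted like the `console` blocks. In the bullet list, `networking.hostId` is a 32-bit value written as 8 hexadecimal characters, not "8 bytes"; and "not 100% if required" is missing "sure". It is worth stating next to `enableCryptodisk = true` that this is what lets GRUB open the LUKS container to read `/boot` from `vg0-boot`, which is the reason the container must be LUKS1 at `luksFormat` time. The `blkDev` UUID in the bullet list and in the full config is the author's own and should be called out as such so readers do not copy it.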
@@ -133,9 +156,6 @@ boot.loader.grub = {
enableCryptodisk = true;
};
boot.zfs.devNodes = "/dev";
-boot.cleanTmpDir = true;
-boot.tmpOnTmpfs = true;
-hardware.cpu.intel.updateMicrocode = true;
fileSystems."/" = {
encrypted = {
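Review bot: dropping `hardware.cpu.intel.updateMicrocode = true` from the "complete config" is reasonable if the goal is to show only the disk-related options, but readers who copy the listing wholesale lose microcode updates, which carry the Spectre/MDS-class mitigations. Either keep the line or add a sentence saying the listing was trimmed to the boot and filesystem options.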
@@ -143,7 +163,11 @@ fileSystems."/" = {
label = "lvm";
blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54";
};
+}
networking.hostId = "<random shit>";
-};
```
+
+And that's it.
+If you spot any errors in this article (or any for that matter),
+feel free to e-mail me or send me a PR over on github.
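Review bot: the added `}` that closes `fileSystems."/"` needs a trailing semicolon (`};`); every attribute binding in Nix ends with `;`, so the listing as posted no longer evaluates (the removed `};` at the end was the one that closed this set before). `networking.hostId = "<random shit>";` should say what the value has to look like: 8 hex characters, for example generated with `head -c 8 /etc/machine-id` as the NixOS ZFS documentation suggests, and it must match the host ID the pool was created under or `zpool import` will complain. The closing paragraph reads fine.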