From a3c610e09034001c0a7d368c448d4a71b6bc96e1 Mon Sep 17 00:00:00 2001 From: Katharina Fey Date: Thu, 11 Jul 2019 15:14:30 +0100 Subject: Finishing up the ZFS article --- content/blog/107_encrypted_zfs.md | 76 +++++++++++++++++++++++++-------------- 1 file changed, 50 insertions(+), 26 deletions(-) diff --git a/content/blog/107_encrypted_zfs.md b/content/blog/107_encrypted_zfs.md index 3e05fa0..f6465bb 100644 --- a/content/blog/107_encrypted_zfs.md +++ b/content/blog/107_encrypted_zfs.md @@ -1,15 +1,17 @@ Title: Bikeshedding disk partitioning Category: Blog Tags: linux, zfs, nixos -Date: 2019-06-14 -Status: Draft +Date: 2019-07-11 I recently got a new Thinkpad. Well...new is a stretch. It's an X230, featuring an i5 and 16GB of RAM. -One of the first things I did with this laptopwas to -[flash coreboot on it](https://octodon.social/@spacekookie/102150706024564666). -And generally I felt like setting up a laptop in the way I would have always wanted. +One of the first things I did with this laptop was to [flash coreboot on it][coreboot]. +This is something I've always wanted to be able to do, +but so far lacked hardware that was supported. +And generally, it felt like finally maybe I could have a laptop to tinker around with. + +[coreboot]: https://octodon.social/@spacekookie/102150706024564666 And that's where this post begins... @@ -34,8 +36,9 @@ but there's some limitations That last one _might_ not be accurate if you only want to have an `ext4` (or similar) rootfs. But because I want to have a `zfs` root, I need to embed it into an LVM. +This is also the reason why `/boot` needs to be it's own partition. After we've done all this, we will install a linux distribution of choice -(which we'll talk about later). +(which we'll reveal later). Anyway, let's get started! 
@@ -52,7 +55,7 @@ is very slow. Instead you can create a crypto-disk (luks) on it, then fill it with zero's. But because of the encryption it will seem random. -(/dev/sda is my disk in this example). +(`/dev/sda` is my disk in this example because lolwat is nvme even?) ```console $ cryptsetup luksFormat /dev/sda1 @@ -62,10 +65,10 @@ $ dd if=/dev/zero of=/dev/mapper/sda_crypto bs=512 status=progress This might take a while, but considerably less time than filling the disk with random data. After this is done, you might want to -actually wipe the first 4096 bytes. +actually wipe the first bunch of bytes. ```console -cryptsetup luksClose sda_crypto +$cryptsetup luksClose sda_crypto $ dd if=/dev/urandom of=/dev/sda bs=1M count=8 ``` @@ -85,17 +88,22 @@ $ lvcreate vg0-swap -l 16G $ lvcreate vg0-root -L +100%FREE ``` +I included the `swap` partition in the LVM instead of as a ZFS subvolume +because those can sometimes deadlock and this just makes things easier. + Now we want to create the filesystems. For `/boot` we can just use `mkfs.ext4`, but consider that I want to use `zfs` on `/`, that will require some more work. ```console -zpool create rtank /dev/mapper/vg0-root # feel free to call your pool whatever! - -# At this point you could also create subvolumes for split `/` and `/home` +$ zpool create rtank /dev/mapper/vg0-root ``` +Feel free to call your pool whatever! +At this point you could also create subvolumes to +split `/`, `/home`, ... if you wanted. + ## Mounting & Configuration So that's all good. How do we initialise this system now? 
@@ -105,12 +113,11 @@ our linux secret distribution of choice (spoilers: it's [NixOS]!) [NixOS]: https://nixos.org ``` -mkdir -p /mnt/boot -zpool import rtank -mount -t zfs rtank /mnt -mount /dev/mapper/vg0-boot /mnt/boot - -nixos-generate-config --root /mnt +$ mkdir -p /mnt/boot +$ zpool import rtank +$ mount -t zfs rtank /mnt +$ mount /dev/mapper/vg0-boot /mnt/boot +$ nixos-generate-config --root /mnt ``` That last line is obviously NixOS specific. @@ -120,12 +127,28 @@ using EFI. Wuuh! The rest of this post I want to talk about how to make this all work with NixOS and reproducable configuration. -**edit before release** +Most of what we need to configure is in the `boot` option. +Let's go through the settings one by one: + +- `boot.loader.grub` + - `efiSupport = false` actually the default but I like being explicit + - `copyKernels = true` enable this to avoid problems with ZFS becoming unbootable + - `device = "/dev/sda"` replace this with the device that holds your GRUB + - `zfsSupport = true` to enable ZFS support 😅 + - `enableCryptodisk = true` to enable stage-1 encryption support +- `boot.zfs.devNodes = "/dev"` to point ZFS at the correct device tree (not 100% if required) +- `fileSystems."/".encrypted` + - `enable = true` + - `label = "lvm"` the label of your LVM + - `blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54"` the disk that + ZFS is installed to. You can find this out by looking at your symlinks in + `/dev/disk/by-uuid` and picking the correct one. +- `networking.hostId` needs to be set to some random 8 bytes + +Following is the complete config to make it easier to copy stuff from: -```nix +``` boot.loader.grub = { - enable = true; - version = 2; efiSupport = false; copyKernels = true; device = "/dev/sda"; @@ -133,9 +156,6 @@ boot.loader.grub = { enableCryptodisk = true; }; boot.zfs.devNodes = "/dev"; -boot.cleanTmpDir = true; -boot.tmpOnTmpfs = true; -hardware.cpu.intel.updateMicrocode = true; fileSystems."/" = { encrypted = { 
@@ -143,7 +163,11 @@ fileSystems."/" = { label = "lvm"; blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54"; }; +} networking.hostId = ""; -}; ``` + +And that's it. +If you spot any errors in this article (or any for that matter), +feel free to e-mail me or send me a PR over on github. -- cgit v1.2.3
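Review bot: in the `@@ -34,8 +36,9 @@` hunk the added line "This is also the reason why `/boot` needs to be it's own partition." has a typo: "it's" should be "its". It would also help the reader to say in the same sentence what the constraint is (GRUB has to read the kernel from something it can open without the ZFS-in-LVM layering), since "this is also the reason" otherwise points back only at "I need to embed it into an LVM".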
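Review bot: in the `@@ -52,7 +55,7 @@` hunk the new line says "`/dev/sda` is my disk in this example", but the very next command in the context is `$ cryptsetup luksFormat /dev/sda1`, i.e. the LUKS container goes on the first partition, not on the disk. Suggest stating both ("`/dev/sda` is my disk and `/dev/sda1` the partition I put LUKS on"), because the later wipe step writes to `/dev/sda` and a reader needs to know the two are different things. The "lolwat is nvme even?" aside is fine for the blog register but does not answer the question a reader will actually have, which is why the device names differ.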
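Review bot: in the `@@ -62,10 +65,10 @@` hunk the changed line `$cryptsetup luksClose sda_crypto` is missing the space after the prompt and now differs from `$ dd if=/dev/urandom of=/dev/sda bs=1M count=8` directly below it; the old line lacked the `$` entirely, so the intent was clearly `$ cryptsetup luksClose sda_crypto`. The prose change from "wipe the first 4096 bytes" to "wipe the first bunch of bytes" makes the text vaguer rather than more accurate: the command shown overwrites the first 8 MiB (`bs=1M count=8`), so say that, and say why (to destroy the temporary LUKS header so the zero-filled device looks uniformly random). Also worth a sentence that `of=/dev/sda` overwrites the partition table as well as the start of `/dev/sda1`, so the partitioning has to be (re)done after this step.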
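Review bot: in the `@@ -85,17 +88,22 @@` hunk the added sentence "because those can sometimes deadlock" has no clear antecedent; naming the issue (swap on a ZFS zvol can deadlock under memory pressure, which is why swap is kept as a plain LV) would make the choice understandable. While editing this block, the two `lvcreate` context lines around it have their options swapped: `-L` takes a size such as `16G` and `-l` takes an extent count or percentage such as `+100%FREE`, and the LV name goes after `-n` with the volume group as the positional argument, so `$ lvcreate vg0-swap -l 16G` should read `$ lvcreate -L 16G -n swap vg0` and `$ lvcreate vg0-root -L +100%FREE` should read `$ lvcreate -l +100%FREE -n root vg0`. As written, neither command produces the `/dev/mapper/vg0-root` device that `$ zpool create rtank /dev/mapper/vg0-root` relies on.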
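Review bot: in the `@@ -105,12 +113,11 @@` hunk the block that now carries `$ mkdir -p /mnt/boot` ... `$ nixos-generate-config --root /mnt` is still fenced with a bare ``` while every other shell block in the article uses ```console; since this change is exactly about adding the `$` prompts, it is the right moment to make the fence consistent too.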
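Review bot: in the `@@ -120,12 +127,28 @@` hunk the added item "`networking.hostId` needs to be set to some random 8 bytes" is wrong about the size: NixOS takes `networking.hostId` as a 32-bit value written as 8 hexadecimal characters (4 bytes), so a reader following "8 bytes" will produce a 16-character string that the option rejects. Smaller points in the same list: "not 100% if required" is missing "sure"; `blkDev` is described as "the disk that ZFS is installed to", but per the earlier steps it is the LUKS container (the partition given to `cryptsetup luksFormat`) and `label` is the mapper name it is unlocked under, with the ZFS pool living on the LV inside it; and the fence for the complete config was changed from ```nix to bare ```, which drops the Nix highlighting for no gain.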
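Review bot: in the `@@ -143,7 +163,11 @@` hunk the added `+}` closes the `fileSystems."/" = {` attribute set without the terminating semicolon, so the following `networking.hostId = "";` directly follows an unterminated binding and the snippet is not valid Nix; it should be `};`. Removing the old `-};` after `networking.hostId` is correct, since `networking.hostId` was never meant to sit inside `fileSystems."/"`. The empty `networking.hostId = ""` is fine as a placeholder only if the list above states the expected format, which it currently does not.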