From 41d24a7ade0d35ed65b64e199750256262436ea8 Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Mon, 21 Apr 2025 18:40:36 +0200
Subject: [PATCH] try zfs again with auto rollback https://ryanseipp.com/post/nixos-encrypted-root/
---
 miku/configuration.nix | 3 ++
 neko/hardware-configuration.nix | 9 +----
 neko/install.txt | 65 +++++++++++++++++++++------------
 share/common.nix | 60 ++++++++++++------------
 4 files changed, 69 insertions(+), 68 deletions(-)
diff --git a/miku/configuration.nix b/miku/configuration.nix
index aa5c49d..06ac46f 100644
--- a/miku/configuration.nix
+++ b/miku/configuration.nix
@@ -13,7 +13,10 @@
 # Shared config of all machines
 /data/nixos/share/common.nix
 ];
+cchchchc
+chchchchc
+SSSSS
 # our hostname and an ID for ZFS
 networking.hostName = "miku";
 networking.hostId = "c132caed";
diff --git a/neko/hardware-configuration.nix b/neko/hardware-configuration.nix
index 0f97163..3bc0dff 100644
--- a/neko/hardware-configuration.nix
+++ b/neko/hardware-configuration.nix
@@ -15,16 +15,9 @@
 # /boot efi partition to boot in UEFI mode
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/554C-161A";
+ device = "/dev/disk/by-id/nvme-Seagate_FireCuda_530_ZP4000GM30013_7VS01VBM-part1";
 fsType = "vfat";
 options = [ "fmask=0022" "dmask=0022" ];
 neededForBoot = true;
 };
-
- # encrypted system boot.initrd.luks.devices."crypt-system" = {
- device = "/dev/disk/by-uuid/91f98284-b0fa-40b9-8a32-37f71968b2dd";
- allowDiscards = true;
- bypassWorkqueues = true;
- };
 }
diff --git a/neko/install.txt b/neko/install.txt
index 9281c98..5cfd9fe 100644
--- a/neko/install.txt
+++ b/neko/install.txt
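Review bot: The three added lines `cchchchc`, `chchchchc` and `SSSSS` in miku/configuration.nix are not valid Nix inside the module attribute set and read like an accidental keyboard paste; the next evaluation of miku's configuration will fail to parse this file. Drop the three lines so the hunk keeps only the surrounding context. The enclosing module body starts and ends outside the hunk.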
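Review bot: The LUKS layer on the system disks is removed from neko/hardware-configuration.nix and nothing in this file says what replaced it; from the install script in the same patch the pool presumably uses ZFS native encryption, which differs from the removed LUKS container in a way a reader of this file should know: dataset and snapshot names, sizes and pool properties remain in plaintext, and `/boot` on the vfat ESP stays unencrypted as before. A one-line comment next to the `/boot` mount would stop someone assuming full-disk encryption, e.g. `# system datasets use ZFS native encryption (set at zpool create), not LUKS: pool/dataset metadata and /boot stay in the clear`. The enclosing attribute set starts before the hunk.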
@@ -58,46 +58,64 @@ done
 # take a look at the partitions
 lsblk
-# create the RAID-0, second partitions on all disks
-mdadm --create --verbose --level=0 --raid-devices=3 /dev/md/system $DISK-part2 $DISK2-part2 $DISK3-part2
+# ZFS zpool creation with compression and encryption
+zpool create \
+ -o ashift=13 \
+ -o autotrim=off \
+ -O acltype=posixacl \
+ -O atime=off \
+ -O canmount=off \
+ -O compression=on \
+ -O dnodesize=auto \
+ -O utf8only=on \
+ -O normalization=formD \
+ -O xattr=sa \
+ -O mountpoint=none \
+ -O encryption=on \
+ -O keylocation=prompt \
+ -O keyformat=passphrase \
+ zpool $DISK-part2 $DISK2-part2 $DISK3-part2
+
 sleep 5
 # take a look at the partitions
 lsblk
-# create the LUKS container and open it
-cryptsetup luksFormat --sector-size 4096 --batch-mode --verify-passphrase /dev/md/system
-cryptsetup luksOpen /dev/md/system crypt-system
+# show the pool
+zpool status
+
 sleep 5
-# take a look at the partitions
-lsblk
+# create all the volumes
+zfs create -o mountpoint=legacy zpool/data
+zfs create -o mountpoint=legacy zpool/nix
+zfs create -o mountpoint=legacy zpool/root
-# create btrfs with volumes
-mkfs.btrfs -f --features block-group-tree --label system /dev/mapper/crypt-system
-mount -t btrfs /dev/mapper/crypt-system /mnt
-btrfs subvolume create /mnt/data
-btrfs subvolume create /mnt/nix
-btrfs subvolume create /mnt/tmp
-umount /mnt
 sleep 5
-# take a look at the partitions
-lsblk
+# show the pool
+zpool status
-# prepare install, tmpfs root
-mount -t tmpfs none /mnt
+sleep 5
+
+# create ZFS snapshot that we'll rollback to on boot
+# see https://ryanseipp.com/post/nixos-encrypted-root/
+zfs snapshot zpool/root@blank
+
+sleep 5
+
+# prepare install, root
+mount -t zfs zpool/root /mnt
 # Create directories to mount file systems on
-mkdir -p /mnt/{data,nix,boot,root,etc/nixos,tmp}
+mkdir -p /mnt/{data,nix,boot,root,etc/nixos}
 # mount the ESP
 mount $DISK-part1 /mnt/boot
 # mount volumes
-mount -o subvol=data,noatime /dev/mapper/crypt-system /mnt/data
-mount -o subvol=nix,noatime /dev/mapper/crypt-system /mnt/nix
-mount -o subvol=tmp,noatime /dev/mapper/crypt-system /mnt/tmp
+mount -t zfs zpool/data /mnt/data
+mount -t zfs zpool/nix /mnt/nix
 # bind mount persistent stuff to data
 mkdir -p /mnt/data/{root,nixos/$HOST}
@@ -127,8 +145,7 @@ nixos-install --option experimental-features 'nix-command flakes' --no-root-pass
 # unmount all stuff and sync
 umount -Rl /data /mnt
-cryptsetup luksClose crypt-system
-mdadm --stop /dev/md/system
+zpool export -a
 sync
 # shutdown once
diff --git a/share/common.nix b/share/common.nix
index ddf5d5e..a9dc997 100644
--- a/share/common.nix
+++ b/share/common.nix
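Review bot: The `zpool create` passes the three `-part2` devices as separate top-level vdevs, which is a stripe with no redundancy — the same failure domain as the RAID-0 it replaces — so the weekly scrub configured elsewhere can detect but never repair a bad block, and losing one disk loses the pool; if that is intended, a comment such as `# striped pool (no redundancy): loss of any one disk loses everything` above the command saves the next reader the check. Next to `-O encryption=on` it is worth recording that ZFS native encryption, unlike the removed LUKS container, leaves dataset and snapshot names, sizes and pool properties in the clear, so this is not full-disk encryption. `encryption=on` also selects whatever the default cipher is on the installing OpenZFS (aes-256-gcm on current releases); `-O encryption=aes-256-gcm` would pin that choice explicitly. The `zpool/root@blank` snapshot is correctly taken before the root is mounted and written to.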
@@ -159,35 +159,38 @@ in
 # swap to RAM
 zramSwap.enable = true;
- # root file system in RAM
- fileSystems."/" =
- { device = "none";
- fsType = "tmpfs";
- neededForBoot = true;
- options = [ "defaults" "size=8G" "mode=755" ];
- };
+ # root file system, we will rollback that on boot
+ fileSystems."/" = {
+ device = "zpool/root";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ # root rollback, see https://ryanseipp.com/post/nixos-encrypted-root/
+ boot.initrd.systemd.services.rollback = {
+ description = "Rollback root filesystem to a pristine state";
+ wantedBy = ["initrd.target"];
+ after = ["zfs-import-zpool.service"];
+ before = ["sysroot.mount"];
+ path = with pkgs; [zfs];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ zfs rollback -r zpool/root@blank && echo " >> >> Rollback Complete << <<"
+ '';
+ };
 # my data
 fileSystems."/data" = {
- device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- options = [ "subvol=data" "noatime" "nodiscard" "commit=5" ];
+ device = "zpool/data";
+ fsType = "zfs";
 neededForBoot = true;
 };
 # the system
 fileSystems."/nix" = {
- device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- options = [ "subvol=nix" "noatime" "nodiscard" "commit=5" ];
- neededForBoot = true;
- };
-
- # tmp to not fill RAM
- fileSystems."/tmp" = {
- device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- options = [ "subvol=tmp" "noatime" "nodiscard" "commit=5" ];
+ device = "zpool/nix";
+ fsType = "zfs";
 neededForBoot = true;
 };
@@ -209,18 +212,6 @@ in
 depends = [ "/data" ];
 };
- # trim the disks weekly
- services.fstrim = {
- enable = true;
- interval = "weekly";
- };
-
- # scrub the disks weekly
- services.btrfs.autoScrub = {
- enable = true;
- interval = "weekly";
- };
-
 # keep some stuff persistent
 environment.persistence."/nix/persistent" = {
 hideMounts = true;
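Review bot: A failing `zfs rollback` in the new `rollback` initrd unit does not stop the boot: the unit is only `wantedBy = ["initrd.target"]` and ordered `before = ["sysroot.mount"]`, so if the rollback errors (snapshot missing, pool or key not ready) `sysroot.mount` still proceeds and the system comes up on the stale root, with nothing but the absent `Rollback Complete` line in the journal to show it. If a pristine root is a property you rely on, make the mount depend on the unit, e.g. add `requiredBy = ["sysroot.mount"];`, so a failed rollback stops in the initrd instead of silently booting. Two things worth a comment on the `script` line: `-r` also destroys every snapshot of `zpool/root` newer than `@blank`, and the `after = ["zfs-import-zpool.service"]` ordering presumably assumes that import unit has already handled the pool's encryption key, which this file no longer says anything about since the LUKS device is gone.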
@@ -244,9 +235,6 @@ in
 ];
 };
- # kill the tmp content on reboots, we mount that to /nix/persistent to avoid memory fill-up
- boot.tmp.cleanOnBoot = true;
-
 # ensure our data is not rotting
 services.zfs.autoScrub = {
 enable = true;