Mastodawn

tootbrute 5d ago

hmm nixos on root failed.

error: Path "/tmp" is world-writable or a symlink. That's not allowed for security.

let's try again.

Show thread

tootbrute 5d ago

hmm need to find a NixOS zfs on root with native encryption tutorial.

don't want unencrypted, and don't want LUKS

openzfs only gives those options
https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html

NixOS Root on ZFS — OpenZFS documentation

Show thread

tootbrute 5d ago

ok got further but...still error using the nixos.org/wiki stuff

  Mount point '/boot' which backs the random seed file is world accessible, which is a security hole!  ⚠️
⚠️ Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole! ⚠️
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
Traceback (most recent call last):
  File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 452, in <module>
    main()
    ~~~~^^
  File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 435, in main
    install_bootloader(args)
    ~~~~~~~~~~~~~~~~~~^^^^^^
  File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 329, in install_bootloader
    run(
    ~~~^
        [f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        + bootctl_flags
        ^^^^^^^^^^^^^^^
        + ["install"]
        ^^^^^^^^^^^^^
    )
    ^
  File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 58, in run
    return subprocess.run(cmd, check=True, text=True, stdout=stdout)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/qwb5ygz9k8gs5ql9bpxbrsrv12r1icgm-python3-3.13.12/lib/python3.13/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/nix/store/y2rzx7s3kr3v95rsrl2141s8vaa4mkjf-systemd-258.5/bin/bootctl', '--esp-path=/boot', 'install']' returned non-zero exit status 1.
Failed to install bootloader

Show thread

tootbrute 5d ago

getting frustrated. try again tomorrow. i'll try the 'unofficial' wiki tomorrow.

Show thread

tootbrute 4d ago

ok. i got the furthest using the unofficial wiki
https://nixos.wiki/wiki/ZFS

but....on reboot, it can't mount the ZFS pool which seems less than ideal.

enter passphrase for 'zpool':
1 / 1 keys succesfully loaded
mounting zpool/root cannot be mounted using mount
use zfs set mountpoint=legacy or zfs mount zpool/root
see zfs(8) for more information
retrying...

ZFS - NixOS Wiki

Show thread

tootbrute 4d ago

#nixos people, anybody have a working tutorial?

zfs on root
native encryption

Show thread

Markus Wamser 4d ago

@tootbrute have a look at disko https://github.com/nix-community/disko/blob/master/example/zfs-encrypted-root.nix

disko/example/zfs-encrypted-root.nix at master · nix-community/disko

Declarative disk partitioning and formatting using nix [maintainers=@Lassulus @Enzime @iFreilicht @Mic92 @phaer] - nix-community/disko

GitHub

Show thread

tootbrute 3d ago

oooh disko is cool. i can fail faster now. i think the actual disk stuff is ok? not sure.

used example one. systemd book sort of works but then after typing in zfs password

filesystem 'zoot/root' cannot be mounted using 'mount'
use 'zfs set mountpoint=legacy' or 'zfs mount zroot/root'
see zfs(8) for more information

etc

must be something wrong with my hardware-configuration file? or maybe i just suck at installing nixos manually.

#configuration.nix
 # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

hmmm

hardware-configuration.nix
{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "zroot/root";
      fsType = "zfs";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/82FD-BE08";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };

  fileSystems."/nix" =
    { device = "zroot/root/nix";
      fsType = "zfs";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/97487565-3faa-4ac2-9208-e585dc63502c"; }
    ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

maybe something i'm missing in here.

#nixosTroubleshooting #zfs

Show thread

tootbrute 3d ago

looking at this....i'm maybe missing

boot.supportedFilesystems = [ "zfs" ];
boot.initrd.kernelModules = [ "zfs" ];

https://www.sekun.net/blog/nixos-on-framework-desktop

NixOS on the Framework Desktop

Hi, it's been a while (again). I've been feeling better over the past few weeks. Coincidentally, my Framework Desktop finally arrived. It's a cute lil machine that I really love. Like any other machine I get my hands on (except macbooks lol), I install NixOS in it!

Show thread

tootbrute 3d ago

seems adding options = [ "zfsutil" ]; to the hardware-configuration.nix is VERY important.

plus this in the configuration.nix

boot.supportedFilesystems = [ "zfs" ];
boot.initrd.kernelModules = [ "zfs" ];

https://wiki.nixos.org/wiki/ZFS

NOW...i wonder if i made the optimal ZFS setup. i probably should investigate this more.

right now i only have 3 datasets.
zroot pool
zroot/root for /
zroot/root/nix for /nix
zroot/root/swap for swap??? (not sure why this is disko default)

ZFS - Official NixOS Wiki

ZFS (wikipedia:en:ZFS), also known as OpenZFS (wikipedia:en:OpenZFS), is a modern filesystem which is well supported on NixOS. Besides the zfs package (ZFS Filesystem Linux Kernel module) itself, there are many packages in the ZFS ecosystem available. ZFS integrates into NixOS via the boot.zfs and services...

Show thread

tootbrute 3d ago

ok doing it with flakes now and adding /home zfs dataset. failed on first time. hopefully 5th time works.

Show thread

tootbrute 3d ago

ok something is weird. it feels like it remembers what i did with the install USB. it made a zfs dataset that i didn't declare in the latest disko.

so.... reformatting a new nixos usb to start again. i must be soooooo close.

if it fails again, i give up and will just run btrfs through nixos graphical install.

Show thread

tootbrute 3d ago

i guess i put the fear of god into my machine. it worked!

have /home and /nix dataset.

only took me 2 days and 6-8 times doing it. i'm a pro at installing this way now

blog post will be forthcoming. i took extensive notes this time.

Show thread

tootbrute 2d ago

My guide on how to do this. It took me a whole weekend to learn and figure this out. Never found a suitable basic guide that was super verbose. I hope this helps some #nixos + #zfs curious people

ZFS Encrypted Root with NixOS Minimal Install
https://blog.arkadi.one/p/zfs-encrypted-root-with-nixos-minimal-install/

If NixOS masters have suggestions on how to improve this guide, let me know.

#blog #fediblog #arkadicloud

ZFS Encrypted Root with Nixos Minimal Install

I have been looking for a simple ZFS encrypted root guide on the internet. It doesn’t seem to exist. I am putting emphasis on the word simple. I decided to sacrified my weekend and mental health to make it happen. Before attempting this, please read these links, so you have some idea about what you’re doing and are aware of the main steps needed to install NixOS manually. It looks scary, but luckily you can skip most of these steps with the tool, Disko.

arkadi-cloud

Show thread

tootbrute

also, yes, I will do a blog post about my Xteink X4 soon. Still need to use it more.