Adds VM Partition and Formatting Script
This script will help create a VM with the following attributes: 1. BTRFS file system with subvolume creation and mounting. 2. LUKS2 Full Disk Encryption. Additional commands and comments will be added when `flake.nix` is implemented with the proper structures. At the moment I just want to provide an MVP that helps people contribute to [Sublinks](https://github.com/sublinks).
parent 5fedbb8571
commit 48c3d3ff88
@ -0,0 +1,124 @@
### Partitioning: Stage Start.

## Creating a GPT partition table for our reproducible dev environment.
sudo parted /dev/vda -- mklabel gpt
## Configuring a boot partition of size 525 MiB with a 1MiB offset.
sudo parted /dev/vda -- mkpart ESP fat32 1MiB 526MiB
## Setting the first partition as our boot location.
sudo parted /dev/vda -- set 1 esp on
## Creating a primary partition that allocates/uses the remaining space (starting from our boot to leaving 16GiB for swap partition).
sudo parted /dev/vda -- mkpart primary 526MiB -16GiB
## Allocating the remaining 16GiB of disk space for a swap partition.
sudo parted /dev/vda -- mkpart linux-swap -16GiB 100%

### Partitioning: Stage End.



### Format Stage 1.
## Formatting the boot partition with the FAT32 file system.
sudo mkfs.fat -F 32 -n BOOT /dev/vda1


## Initializing the swap partition.
sudo mkswap /dev/vda3
## Activating swap.
sudo swapon /dev/vda3


### Full Disk Encryption: Stage Start.
## This FDE stage can be skipped/commented if you don't need/care about:
## [Encryption at Rest](https://www.youtube.com/watch?v=5rlZtasM-Pk).
## [Data at rest - Encryption](https://en.wikipedia.org/wiki/Data_at_rest#Encryption).

## All of the options/flags are succinctly described on the [Archlinux Wiki Site](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt) (please donate if you can!<3)
## Fully encrypts the main storage space using LUKS2 with the [Argon2id key derivation](https://en.wikipedia.org/wiki/Argon2).
sudo cryptsetup --verbose --type luks2 --cipher aes-xts-plain64 --hash sha512 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/vda2

## Opens the encryption while also labeling the disk partition to "luksroot".
sudo cryptsetup luksOpen /dev/vda2 luksroot

### Full disk encryption: Stage End.



### Format Stage 2.
## If FDE was skipped please uncomment and use the "Alt" variant bash commands and comment out the "First" commands.
## First:
sudo mkfs.btrfs -L nixos /dev/mapper/luksroot
## Alt:
# sudo mkfs.btrfs -L nixos /dev/vda2



### BTRFS Subvolume Creation: Stage Start.
## First:
sudo mount /dev/mapper/luksroot /mnt
## Alt:
# sudo mount /dev/vda2 /mnt
cd /mnt
sudo btrfs subvolume create /mnt/root
sudo btrfs subvolume create /mnt/home
sudo btrfs subvolume create /mnt/nix
sudo btrfs subvolume create /mnt/.logs
sudo btrfs subvolume create /mnt/.snapshots
cd
sudo umount /mnt

## First:
sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=root /dev/mapper/luksroot /mnt
# Alt:
# sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=root /dev/vda2 /mnt

### BTRFS Subvolume Creation: Stage End.



### Partition Mounting: Stage Start.
## Creating the corresponding directories to mount the subvolumes.
sudo mkdir -p /mnt/{boot,home,nix,.logs,.snapshots}

sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=home /dev/mapper/luksroot /mnt/home

sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=nix /dev/mapper/luksroot /mnt/nix

sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=.logs /dev/mapper/luksroot /mnt/.logs

sudo mount -o compress=zstd,discard=async,noatime,space_cache=v2,subvol=.snapshots /dev/mapper/luksroot /mnt/.snapshots

sudo mount -o umask=077 /dev/vda1 /mnt/boot

### Partition Mounting: Stage End.



### Initial Config Generation.
## This generates the initial `configuration.nix` and `hardware-configuration.nix`.
## `configuration.nix` will be replaced with the one provided in the repository but the command is still necessary to generate the proper config for `hardware-configuration.nix`.
sudo nixos-generate-config --root /mnt




# sudo nixos-install --no-root-passwd
## ^this last bash command is commented to allow users to configure/customize their dev environment before performing the first install.
## Once you've added your username, password, and a hostname into `secrets.nix` you're ready to install!
## Running this command will perform the first NixOS install using the config details that was provided in:
## `configuration.nix`, `hardware-configuration.nix`, `secrets.nix`.


## After the initial install is complete, you'll want to use/run the following command to update your system:
# sudo nixos-rebuild switch --upgrade

## ^this updates your system on the fly and generates a new bootable entry when you first turn on your computer/VM.
## Congrats you now have an indestructable system!
## Whenever one entry/version fails to boot,
## you can restart your comp and just select another previous version and choose to update again.


## Ex: version 1 works but you decide today's a good day to update. Version 2 loads on the fly, you work for a bit, turn off your comp, and turn in for the day.
## Later, after turning on your comp and loading v2 it fails to load which sucks.
## So you load v1 again, log in, update again which creates v3.
## If v3 works then your update just works and the broken v2 update can safely be nuked from orbit.
## ez upgrades, ez life
## perfection
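Review bot: the swap partition is left in the clear next to a LUKS2 root, which defeats the encryption-at-rest goal the FDE stage sets out: in Format Stage 1, `sudo mkswap /dev/vda3` and `sudo swapon /dev/vda3` run on the raw partition before any cryptsetup step, so whatever process memory gets paged out (passphrases, session keys, data read from the encrypted root) is written to disk unencrypted, and because swap is active when `nixos-generate-config` runs, the plain device is recorded in `hardware-configuration.nix` and re-enabled on every boot. Either open `/dev/vda3` as a second dm-crypt container before running `mkswap` on the mapped device, or leave the partition unformatted here and declare it in NixOS with `randomEncryption.enable = true` on the `swapDevices` entry, which keys it with a fresh random key at each boot (no persistent key, at the cost of hibernation). Two smaller points in the same hunk. The "Alt" path is incomplete: `mkfs.btrfs`, the first mount and the `subvol=root` mount each carry a commented `/dev/vda2` variant, but the four subvolume mounts in the Partition Mounting stage exist only for `/dev/mapper/luksroot`, so a user who skips FDE as the comments invite gets mount failures there; add the `/dev/vda2` variants or factor the device into a single variable. And `discard=async` on every btrfs mount is a no-op through dm-crypt unless the container is opened with `--allow-discards` (the script uses `sudo cryptsetup luksOpen /dev/vda2 luksroot` without it); if discards are wanted, add the flag and a comment that passing them through reveals which blocks of the encrypted volume are unused, otherwise drop the option to avoid implying TRIM is in effect. Since the file has no shebang and no `set -euo pipefail`, a failed `parted` step is silently followed by `mkfs`/`cryptsetup` on whatever partitions exist; adding both, plus a `DISK=/dev/vda` variable instead of the hardcoded device, would make the script safe to run against anything other than the intended VM disk.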