Hello. I am interested in creating a NixOS image for aarch64 with LUKS-encrypted rootfs. I see there is a very nice sd-image-aarch64.nix that generates a non-encrypted image ready for dd. I could add cryptsetup luksFormat etc. in the appropriate place before making the filesystem, except that for cryptsetup luksOpen you need to be root, and apparently you can’t run commands with root privileges at build time according to https://github.com/NixOS/nix/issues/1436.

I guess my only option then is to unpack sd-image-aarch64.nix and relevant imports into a script to be run outside of Nix, build the NixOS derivation, and then copy files into the image again outside of Nix. I’m still new to Nix, I just want to ask here before doing this to make sure I’m not ignoring some path that might let me do the whole build with a single .nix and minimal duplication of logic already implemented in sd-image*.nix.

Might also be worth noting I’m building from a non-NixOS host.