Pre Install Sanity Check

Hello everyone,

I am about to install nixos on my laptop (surface book 2) which I would like to dual-boot with an existing installation of windows.
I have previously successfully installed archlinux on the laptop, but I have since deleted it as a preparation for the nixos installation. Still, I wanted to make sure that I do not accidentally brick my windows installation, which is why it would be great to get a second pair of eyes on this.

I would like to use full disk encryption and I have previously used lvm on luks to accomplish this.
I also use a script to set everything up so that I can make incremental changes. The script is on github:
https://github.com/busti/iso-surfacebook_2/blob/52a6d73388460fd74a19e82cbe9e75680663e7d8/entry.sh

Running this results in the following partition table:

nvme0n1        259:0    0 238.5G  0 disk  
├─nvme0n1p1    259:1    0   260M  0 part                 WIN-EFI
├─nvme0n1p2    259:2    0   128M  0 part                 WIN-Reserved
├─nvme0n1p3    259:3    0 107.6G  0 part                 WIN-OS
├─nvme0n1p4    259:4    0   1.9G  0 part                 WIN-Recovery
├─nvme0n1p5    259:9    0     2G  0 part  /mnt/boot      NIX-BOOT
└─nvme0n1p6    259:10   0 126.6G  0 part                 Cryptroot
  └─cryptlvm   254:0    0 126.5G  0 crypt                
    ├─vg0-root 254:1    0   100G  0 lvm   /mnt           Root
    └─vg0-swap 254:2    0     8G  0 lvm   [SWAP]         Swap

I then clone the following config repo into /etc/nixos:

I have mapped all partitions by their label and currently I have this boot config:

  boot = {
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
      grub = {
        enable = true;
        version = 2;
        device = "nodev";
        useOSProber = true;
        efiSupport = true;
        enableCryptodisk = true;
      };
    };
    initrd.luks.devices = {
      root = {
        device = "/dev/disk/by-label/cryptroot";
        preLVM = true;
      };
    };
  };

Is this good? Or is there anything obvious I have missed?

by-uuid is guaranteed not to change

in general it is not recommended to use by-label because it can change (e.g. with changes in the hardware setup)

/dev/nvme0n1 nixos # ssd1
add another ssd e.g. per PCIe slot or second M.2

/dev/nvme1n1    
/dev/nvme0n1    # ssd2

Good point. However in that case I would have to copy the uuid into my config using the install script somehow. I suppose I will change that in the future, but for now it should be fine since I would have to drill open my laptop if I wanted to do anything to the ssd (damn you microsoft).
As long as I can use by-label in initrd.luks.device.root.device at all of course.
In my arch install script I used to write the uuid to /etc/crypttab.

UUID=$(lsblk -lpo NAME,UUID | grep "${DEVICE}${PART_ROOT}" | awk '{print $2}')
echo "cryptlvm UUID=${UUID} none luks" >"$TARGET/etc/crypttab"

e.g.
device = "/dev/nvme0n1p6";
should all work


regarding fstab
none luks,discard is what I found to be “standard”

in your .sh
luksOpen --allow-discards


I’m using (a bit shorter)
uuid=$(blkid -s UUID -o value "${partition}" ) # partition=/dev/nvme0n1p6 # uuid

Do I have to append to crypttab at all? Shouldn’t that be handled by the config option?
The blkid stuff is nice

not on nixos installation itself
(only when using e.g. a third linux like ubuntu - then it is needed manually during installation)


regarding your .sh
your fdisk looks funny
I like to use e.g.

parted "${drive}" -- mkpart "LVM" 27% 100%
parted "${drive}" -- set 6 lvm on  
parted "${drive}" -- align-check optimal 6

Yeah I should really fix that. I used fdisk initially and just ported that part over from the old script, but it's not very elegant.

For nixos config integrated partitioning disko
thanks @lassulus @Mic92
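
Added example, not from any post in the thread or from the linked script: one way an install script could copy the LUKS UUID into the NixOS config, so that `initrd.luks.devices` points at `/dev/disk/by-uuid/...` instead of a label. The function names, the output file `luks.nix` and the sample UUID are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: emit a by-uuid LUKS entry for the NixOS config from an install script.

# Succeeds only for a canonical 8-4-4-4-12 hex UUID, the form blkid prints for LUKS.
is_uuid() {
  printf '%s\n' "$1" | grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# render_luks_nix NAME UUID [DISCARDS]
# Prints a Nix module fragment. An empty or malformed UUID is refused, so a failed
# lookup can never reach the config as a bare "/dev/disk/by-uuid/" path.
render_luks_nix() {
  name=$1 uuid=$2 discards=${3:-false}
  is_uuid "$uuid" || { echo "invalid UUID: '$uuid'" >&2; return 1; }
  case $discards in
    true|false) ;;
    *) echo "DISCARDS must be true or false" >&2; return 1 ;;
  esac
  cat <<EOF
{
  boot.initrd.luks.devices.${name} = {
    device = "/dev/disk/by-uuid/${uuid}";
    preLVM = true;
    allowDiscards = ${discards};
  };
}
EOF
}

# luks_nix_for_partition NAME PARTITION [DISCARDS]
# Looks the UUID up with blkid (needs root) and renders the fragment.
luks_nix_for_partition() {
  found=$(blkid -s UUID -o value "$2") || return 1
  render_luks_nix "$1" "$found" "${3:-false}"
}

# Demo with a constructed UUID (not taken from the thread). In the installer:
#   luks_nix_for_partition root /dev/nvme0n1p6 true > /mnt/etc/nixos/luks.nix
render_luks_nix root "0a1b2c3d-1111-2222-3333-444455556666" true
```

The generated file has to be listed under `imports` in configuration.nix, and it replaces the hand-written `root` entry rather than sitting beside it.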