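#!/bin/bash
#
# Provision a YubiKey-backed LUKS volume (challenge-response plus an optional
# passphrase) for a NixOS installation: format the EFI partition, derive the
# LUKS slot key, program the YubiKey slot, then lay out LVM (swap + root) and
# btrfs subvolumes and mount everything under /mnt for nixos-generate-config.
#
# Runs as root on the installer and is DESTRUCTIVE: EFI_PART and LUKS_PART are
# reformatted without confirmation. Adjust the Config block before running.
#
# Key material, as computed below (the unlock side must compute the same):
#   challenge = sha512(salt)
#   response  = hmac-sha1(k_yubi, challenge)     # what the programmed YubiKey answers
#   k_luks    = pbkdf2-sha512 helper fed k_user on stdin (a bare newline when no
#               passphrase was given), with response as its salt argument,
#               ITERATIONS rounds, KEY_LENGTH/8 bytes of output
# Only salt and ITERATIONS are written to the EFI partition; k_yubi goes only
# into the YubiKey slot; k_user is never stored.

# Config
EFI_PART=/dev/sda1
LUKS_PART=/dev/sda2
EFI_MNT=/root/boot

# Utils

# Print an error to stderr and stop. Later steps assume the earlier ones
# succeeded (a failed mount or luksFormat must not be silently skipped over).
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# stdin: raw bytes -> stdout: lowercase hex, no separators, no trailing newline.
rbtohex() {
  od -An -vtx1 | tr -d ' \n'
}

# stdin: hex string -> stdout: the raw bytes it encodes (inverse of rbtohex).
# sed turns each byte pair into "\\\xHH"; xargs removes one level of backslash
# quoting, so printf receives "\xHH" and emits the byte.
hextorb() {
  tr '[:lower:]' '[:upper:]' \
    | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' \
    | xargs printf
}

# Progress message. Arguments go through echo -e, so "\n" escapes work.
l() {
  echo -en "$@"
}

# Abort unless $2 is a hex string of exactly $1 characters; $3 names it in the
# error message (the value itself is never printed). This stops the script from
# formatting LUKS with an empty or truncated key when dd, openssl or the
# pbkdf2 helper failed inside a pipeline.
require_hex() {
  local len=$1 value=$2 name=$3
  [[ ${#value} -eq $len && $value =~ ^[0-9a-fA-F]+$ ]] \
    || die "$name is not a ${len}-character hex string (got ${#value} characters)"
}

#
# ---- The real work
#

l "mount boot partition"
mkdir -p "$EFI_MNT"
mkfs.vfat -F 32 -n uefi "$EFI_PART" || die "mkfs.vfat on $EFI_PART failed"
# If this mount fails, the salt written below would land on the installer's
# own filesystem and the LUKS volume could never be unlocked again.
mount "$EFI_PART" "$EFI_MNT" || die "cannot mount $EFI_PART on $EFI_MNT"

l "setup crypt-storage"
STORAGE=/crypt-storage/default
mkdir -p "$(dirname "$EFI_MNT$STORAGE")"

l "install gcc, ykpers and openssl"
nix-env -i gcc-wrapper
nix-env -i ykpers
nix-env -i openssl

l "compile 'pbkdf2-sha512'"
# Locate the OpenSSL headers, libcrypto and the helper's source by walking the
# filesystem (slow, but avoids hard-coding store paths). Fail before cc runs
# with an empty -I/-L rather than producing a confusing compiler error.
openssl_inc=$(find / | grep "openssl/evp\.h" | head -1 | sed -e 's|/openssl/evp\.h$||g' | tr -d '\n')
openssl_lib=$(find / | grep "lib/libcrypto" | head -1 | sed -e 's|/libcrypto\..*$||g' | tr -d '\n')
pbkdf2_src=$(find / | grep "pbkdf2-sha512\.c" | head -1 | tr -d '\n')
[[ -n $openssl_inc && -n $openssl_lib && -n $pbkdf2_src ]] \
  || die "could not locate openssl/evp.h, libcrypto or pbkdf2-sha512.c"
cc -O3 -I"$openssl_inc" -L"$openssl_lib" "$pbkdf2_src" -o ./pbkdf2-sha512 -lcrypto \
  || die "compiling pbkdf2-sha512 failed"

l "create salt"
SALT_LENGTH=16
salt="$(dd if=/dev/random bs=1 count="$SALT_LENGTH" 2>/dev/null | rbtohex)"
require_hex $((SALT_LENGTH * 2)) "$salt" "salt"

l "create secret key for the yubikey"
# 20 bytes: the HMAC-SHA1 key size the YubiKey challenge-response slot takes.
k_yubi="$(dd if=/dev/random bs=1 count=20 2>/dev/null | rbtohex)"
require_hex 40 "$k_yubi" "k_yubi"

l "get the user passphrase (recommended)"
# Read silently; an empty answer selects the YubiKey-only branch below.
# NOTE(review): kept without -r so backslashes are handled the way the
# unlock-side prompt presumably handles them — confirm both sides agree.
read -s k_user

l "calculate initial yubikey challenge"
challenge="$(echo -n "$salt" | openssl dgst -binary -sha512 | rbtohex)"

l "calculate the yk response"
# Precompute what the YubiKey will answer once programmed with k_yubi below.
# k_yubi is handed to openssl on its command line, so it is briefly visible in
# the process list of this installer session.
response="$(echo -n "$challenge" | hextorb \
  | openssl dgst -binary -sha1 -mac HMAC -macopt hexkey:"$k_yubi" | rbtohex)"
require_hex 40 "$response" "response"

l "derive the luks slot key"
KEY_LENGTH=512
ITERATIONS=1000000
# The original test was `if ( "${k_user}" != "" )`: a subshell that *executes*
# the passphrase as a command (with `!=` and `""` as its arguments). It fails
# for any normal passphrase, so the no-passphrase branch was always taken and
# the passphrase never entered the key. $k_user is also quoted now so spaces
# and glob characters reach the KDF unchanged — the unlock side must feed the
# passphrase the same way; confirm.
if [[ -n "$k_user" ]]; then
  k_luks="$(echo -n "$k_user" | ./pbkdf2-sha512 $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" | rbtohex)"
else
  # No passphrase: the helper still reads stdin, so a bare newline is supplied.
  k_luks="$(echo | ./pbkdf2-sha512 $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" | rbtohex)"
fi
require_hex $((KEY_LENGTH / 4)) "$k_luks" "k_luks"

l "create luks device"
CIPHER=aes-xts-plain64
HASH=sha512
echo -n "$k_luks" \
  | hextorb \
  | cryptsetup luksFormat --cipher="$CIPHER" \
      --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- "$LUKS_PART" \
  || die "luksFormat of $LUKS_PART failed"

l "store secret key in then EFI partition"
# Only the public parameters (salt and iteration count) are persisted here.
echo -ne "$salt\n$ITERATIONS" > "$EFI_MNT$STORAGE"

l "store the secret key on the yk"
SLOT=2
ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac -a"$k_yubi" \
  || die "programming YubiKey slot $SLOT failed; the LUKS volume would be unopenable"

l "open luks device"
LUKSROOT=luksroot
echo -n "$k_luks" | hextorb \
  | cryptsetup luksOpen --key-file=- "$LUKS_PART" "$LUKSROOT" \
  || die "luksOpen of $LUKS_PART failed"

l "umount the EFI partition"
umount "$EFI_MNT"

l "\n\n\n setup LVM \n\n\n"
pvcreate "/dev/mapper/${LUKSROOT}"

l "Setup a volume group (partitions)"
VGNAME=partitions
vgcreate "$VGNAME" "/dev/mapper/$LUKSROOT"

l "set two logical partitions (root + swap)"
lvcreate -L 4G -n swap "$VGNAME"
FSROOT=fsroot
lvcreate -l 100%FREE -n "$FSROOT" "$VGNAME"
vgchange -ay

l "make swap fs"
mkswap -L swap "/dev/$VGNAME/swap"

l "\n\n\n BTRFS Setup \n\n\n"
l "Step 1: Create the main btrfs volume's filesystem."
mkfs.btrfs -L "$FSROOT" "/dev/$VGNAME/$FSROOT"

l "Should the above fail, you might have encountered a bug that can be solved with doing the following, then attempting the above again:"
mkdir /mnt-root
touch /mnt-root/nix-store.squashfs

l "Step 2: Mount the main btrfs volume."
mount "/dev/$VGNAME/$FSROOT" /mnt || die "cannot mount /dev/$VGNAME/$FSROOT on /mnt"

l 'Step 3: Create the subvolumes, for example "root" and "home".'
# Absolute paths instead of `cd /mnt`: a shell whose cwd is inside the mount
# makes the umount in Step 4 fail with "target is busy", and the subvolumes
# would be created in the wrong directory if the cd failed.
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home

l "Step 4: Create mountpoints on the root subvolume and finalise things for NixOS installation."
umount /mnt
mount -o subvol=root "/dev/$VGNAME/$FSROOT" /mnt
mkdir /mnt/home
mount -o subvol=home "/dev/$VGNAME/$FSROOT" /mnt/home
mkdir /mnt/boot
# The original had `mount "EFI_PART"` (missing $), i.e. a literal string.
mount "$EFI_PART" /mnt/boot
swapon "/dev/$VGNAME/swap"

l "generate nix config"
nixos-generate-config --root /mnt

l "READY to install!!!"
l "\n\n edit the file /mnt/etc/nixos/configuration.nix"
# NOTE(review): the source is truncated at this point; the incomplete statement
# below is kept verbatim from the original.
echo <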