NixOS ZFS Encryption on root

From CompleteNoobs

LICENCE: CC0. When you edit this page, you agree to release your contribution under the CC0 Licence. More information about the CC0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.


Prerequisites

Going to install NixOS with ZFS on root on a ThinkPad T470 with 24 GB RAM and a 1 TB NVMe SSD.


  • Live NixOS installer USB - nixos-plasma5-23.11.4761.5bf1cadb72ab-x86_64-linux.iso
  • Computer to install NixOS on - its hard disk will be wiped

Bootable Media - NixOS

Create a thumb drive with a live NixOS installer and boot up

This tutorial uses https://channels.nixos.org/nixos-23.11/latest-nixos-plasma5-x86_64-linux.iso

Once booted into the live NixOS, close the default installer window that opens and connect the laptop to power and the internet.

The next two sections are for anyone who wants to SSH into the live NixOS so they can follow these notes and copy and paste commands.


Remove the default 15-minute sleep on the live installer

By default the NixOS live installer will go to sleep after 15 minutes of inactivity.
We are going to log in to our live NixOS box with ssh, so that would be bad.

KDE Plasma Desktop Live Installer
    • Click the Application Launcher; in the Favorites section, which should come up by default, click System Settings > Power Management > Energy Saving and untick Suspend session, then click Apply. Now we can close the window and get ready to ssh into our laptop running a live install of NixOS.
Allow SSH Login to Live NixOS Installer

The NixOS installer has two user accounts.

  • User: nixos
  • User: root

You only need to set a password for nixos: that user is in sudoers, so you can use sudo -s to become root.

Open the Konsole terminal; you should see its icon on the desktop.

To ssh in as user nixos, that user needs a password.

  • After running this command you will be prompted to enter a password for the user nixos; you will use this to log in.

passwd nixos

Find the IP address NixOS has been assigned

ip addr

This shows the LAN IP address the router has issued to the NixOS box: 192.168.0.161

Return Output from command ip addr:

[nixos@nixos:~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether e8:6a:64:8f:ea:ae brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 38:ba:f8:8b:d7:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.161/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp4s0
       valid_lft 86345sec preferred_lft 86345sec
    inet6 fe80::bc45:cc59:3e71:d08/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

What is 'ip addr'?

The ip addr command is a tool that allows you to manage and display the IP addresses assigned to your computer's network interfaces. In simpler terms, it's a command that helps you see what 'internet addresses' your computer is using to connect to the internet or other networks.

When you run ip addr, your computer returns a list of all the network connections it has, like Wi-Fi and Ethernet, and the details about each one.

Understanding the Output

Let's break down what you'll typically see when you run this command:

    • Loopback Interface (lo)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
  • lo is a special network interface that your computer uses to communicate with itself.
  • inet 127.0.0.1/8 is its IP address. 127.0.0.1 is like your computer's own 'home' address.
    • Ethernet Interface (enp0s31f6)
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
  • enp0s31f6 is an Ethernet interface, which means it's what your computer uses when it's connected to the internet with a cable.
  • state DOWN means that this interface is not currently active (maybe the cable is unplugged).
    • Wi-Fi Interface (wlp4s0)
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.161/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp4s0
  • wlp4s0 is a Wi-Fi interface, which means this is what your computer uses when it's connected to Wi-Fi.
  • inet 192.168.0.161/24 is the IP address given to your computer by your Wi-Fi router.
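
Reading the address off the screen works for one laptop, but the same rules the list above applies by eye (skip lo, skip interfaces whose state is DOWN, take the inet line) can be applied by a script. The following is an added example, not from the original page: it feeds the `ip addr` output captured above through a small awk parser and builds the `user@address` that the ssh step below needs. The function names `up_ipv4` and `ssh_target` are mine; in real use pipe a live `ip addr` into them instead of the sample.

```shell
# Added example (not from the original page): pick the reachable address out
# of `ip addr` output. SAMPLE_IP_ADDR is the output captured on this page.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether e8:6a:64:8f:ea:ae brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 38:ba:f8:8b:d7:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.161/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp4s0
       valid_lft 86345sec preferred_lft 86345sec'

# up_ipv4: read `ip addr` text on stdin and print "IFACE ADDRESS" for every
# interface that is carrying traffic (operstate UP), is not the loopback and
# has an IPv4 address. enp0s31f6 is skipped because its state is DOWN (no
# cable); lo is skipped because 127.0.0.1 is only reachable from the box itself.
up_ipv4() {
    awk '
        /^[0-9]+: / {                 # header line: "3: wlp4s0: <...> ... state UP ..."
            iface = $2
            sub(/:$/, "", iface)
            up = ($0 ~ / state UP /)
            next
        }
        up && iface != "lo" && $1 == "inet" {
            addr = $2
            sub(/\/.*/, "", addr)     # drop the /24 prefix length
            print iface, addr
        }'
}

# ssh_target: read `ip addr` text on stdin, print "nixos@ADDRESS" for the first
# usable interface, or fail (exit 1) when nothing is reachable over the network.
ssh_target() {
    _addr=$(up_ipv4 | awk 'NR == 1 { print $2 }')
    [ -n "$_addr" ] || return 1
    echo "nixos@$_addr"
}

printf '%s\n' "$SAMPLE_IP_ADDR" | ssh_target
```

On the live installer itself the same thing is `ip addr | ssh_target`; the result is the argument for the ssh command in the next section.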

SSH into NixOS Laptop

Now we can ssh into our NixOS laptop and get started.

From the MacBook, open a Terminal and log in:

ssh nixos@192.168.0.161

You will be prompted for the password of user nixos.



find hard drive

lsblk

  • lsblk stands for list block devices; more info can be found in the manual page by typing man lsblk in a terminal
[nixos@nixos:~]$ lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0     7:0    0   2.5G  1 loop /nix/.ro-store
sda       8:0    1   7.3G  0 disk 
├─sda1    8:1    1   2.5G  0 part /iso
└─sda2    8:2    1     3M  0 part 
sdb       8:16   1     0B  0 disk 
nvme0n1 259:0    0 931.5G  0 disk 

sda is the Live Boot Media (NixOS USB)

nvme0n1 is the laptop's hard drive


NOTE: swap should be at least equal to RAM, or double it.

nuke hard drive

This will wipe the hard drive

sudo sgdisk --zap-all /dev/nvme0n1

Return Output:

[nixos@nixos:~]$ sudo sgdisk --zap-all /dev/nvme0n1
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.

create partitions

Going to dual boot with FreeBSD later, so not using all of the hard drive

  • EFI 2GB
  • NixOS Main 500GB
  • NixOS Swap 16GB


sudo fdisk /dev/nvme0n1

Return Output:

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x244b4973.

Command (m for help): 

GPT disklabel

Create GPT disklabel by pressing g
g
Return Output:

Created a new GPT disklabel (GUID: 617C1730-CC18-A44D-8C70-3E3939D1BCC8).

Command (m for help): 

When you press g after running this command, you will be initiating the creation of a new empty GPT (GUID Partition Table) partition table on the disk /dev/nvme0n1.
GPT is a modern partitioning scheme that is part of the UEFI standard, replacing the older MBR (Master Boot Record) scheme used by BIOS systems. It supports larger disk sizes and more partitions than MBR.

EFI partition

Create the EFI partition by first creating a new partition with n

n
Return Output:

Partition number (1-128, default 1): 

The default should be partition 1, which can be selected by just pressing Enter or entering 1 and pressing Enter

First sector

The prompt now reads:

First sector (2048-1953525134, default 2048):

More info on this prompt:

First Sector: This is the starting sector for the new partition you're creating. In disk partitioning, a "sector" is the smallest unit that can be accessed on the disk. Historically, a sector holds 512 bytes, but newer disks might use larger sector sizes.

Range (2048-1953525134): This is the range of sectors you can choose from for the starting point of the new partition. The numbers are sector indices on the disk.

The lower bound 2048 is often the default starting point for the first partition in modern systems using GPT (GUID Partition Table). This offset is used to align partitions correctly for performance reasons and to provide some space for the bootloader and partition table. The upper bound 1953525134 represents the last sector on the disk that can be used as a starting point for the new partition.

Default (2048): This indicates the default choice that fdisk will use if you simply press Enter without typing a number. It's recommending you start the partition at sector 2048. Choosing the default is usually safe and aligns with most modern storage devices' requirements for optimal performance and alignment.

Why Start at Sector 2048?: Starting at sector 2048 leaves enough room for the primary GPT header and the partition entries. This is part of the standard layout for GPT disks. It's a best practice to follow these defaults unless you have a specific reason to deviate, such as specific alignment needs or following a custom partitioning scheme.

First sector (2048-1953525134, default 2048):

We want the default first sector of 2048, so just press ENTER

Create a 2 GB partition for EFI

The Return Output from the last command:

Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711):

+2GB

+2GB Explained:

The line +2GB is a simple directive used in the fdisk utility to specify the size of the new partition you are creating. Here's what it means:

"+" Symbol: This indicates that the size specified is to be added to the starting sector of the partition. It's a way of specifying how much space to allocate for the partition, starting from the beginning sector you selected (or the default starting sector).

"2GB": This specifies the size of the partition. In this case, it's 2 gigabytes. This is the amount of disk space that will be allocated to the new partition.

So, when you input +2GB in fdisk after choosing to create a new partition (n command), you are instructing fdisk to create a new partition that is 2 gigabytes in size. This is a common size for an EFI (Extensible Firmware Interface) system partition, which is used as a boot partition in modern computers with UEFI firmware.

Select type of partition
The t command is used for changing the type of a partition.

t
Return Output:

Command (m for help): t
Selected partition 1
Partition type or alias (type L to list all):

More info on the t command

Command 't': When you enter the t command in fdisk, it prompts you to change the type of an existing partition. This is important because the type of a partition can determine how the operating system and firmware interact with it.

Selecting a Partition: If you have more than one partition on your disk, fdisk will first ask you to specify which partition you want to change the type of. You do this by entering the partition number (e.g., 1, 2, etc.).

Partition Types: Each partition type is represented by a unique code or identifier. These types correspond to different uses, such as Linux filesystems, EFI system partitions, swap areas, etc. The partition type tells the system how to treat that partition – for example, whether it's a bootable system partition, a data storage area, or something else.

Input for EFI System Partition: When you enter 1 after the t command in the context of setting up an EFI partition, it sets the selected partition's type to 'EFI System'. This type is used for EFI boot partitions, which are necessary for systems with UEFI firmware. The EFI partition holds the boot loaders and other data needed for starting the operating system.

Set Type as "EFI system"
1 = EFI system, just type 1 and hit Enter
1
Return Output:

Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.
For reference, this is the output from pressing L instead (the full list of partition types and their GUIDs):
Partition type or alias (type L to list all): L
  1 EFI System                     C12A7328-F81F-11D2-BA4B-00A0C93EC93B
  2 MBR partition scheme           024DEE41-33E7-11D3-9D69-0008C781F39F
  3 Intel Fast Flash               D3BFE2DE-3DAF-11DF-BA40-E3A556D89593
  4 BIOS boot                      21686148-6449-6E6F-744E-656564454649
  5 Sony boot partition            F4019732-066E-4E12-8273-346C5641494F
  6 Lenovo boot partition          BFBFAFE7-A34F-448A-9A5B-6213EB736C22
  7 PowerPC PReP boot              9E1A2D38-C612-4316-AA26-8B49521E5A8B
  8 ONIE boot                      7412F7D5-A156-4B13-81DC-867174929325
  9 ONIE config                    D4E6E2CD-4469-46F3-B5CB-1BFF57AFC149
 10 Microsoft reserved             E3C9E316-0B5C-4DB8-817D-F92DF00215AE
 11 Microsoft basic data           EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
 12 Microsoft LDM metadata         5808C8AA-7E8F-42E0-85D2-E1E90434CFB3
 13 Microsoft LDM data             AF9B60A0-1431-4F62-BC68-3311714A69AD
 14 Windows recovery environment   DE94BBA4-06D1-4D40-A16A-BFD50179D6AC
 15 IBM General Parallel Fs        37AFFC90-EF7D-4E96-91C3-2D7AE055B174
 16 Microsoft Storage Spaces       E75CAF8F-F680-4CEE-AFA3-B001E56EFC2D
 17 HP-UX data                     75894C1E-3AEB-11D3-B7C1-7B03A0000000
 18 HP-UX service                  E2A1E728-32E3-11D6-A682-7B03A0000000
 19 Linux swap                     0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
 20 Linux filesystem               0FC63DAF-8483-4772-8E79-3D69D8477DE4
 21 Linux server data              3B8F8425-20E0-4F3B-907F-1A25A76F98E8
 22 Linux root (x86)               44479540-F297-41B2-9AF7-D131D5F0458A
 23 Linux root (x86-64)            4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709
 24 Linux root (Alpha)             6523F8AE-3EB1-4E2A-A05A-18B695AE656F
 25 Linux root (ARC)               D27F46ED-2919-4CB8-BD25-9531F3C16534
 26 Linux root (ARM)               69DAD710-2CE4-4E3C-B16C-21A1D49ABED3
 27 Linux root (ARM-64)            B921B045-1DF0-41C3-AF44-4C6F280D3FAE
 28 Linux root (IA-64)             993D8D3D-F80E-4225-855A-9DAF8ED7EA97
 29 Linux root (LoongArch-64)      77055800-792C-4F94-B39A-98C91B762BB6
 30 Linux root (MIPS-32 LE)        37C58C8A-D913-4156-A25F-48B1B64E07F0
 31 Linux root (MIPS-64 LE)        700BDA43-7A34-4507-B179-EEB93D7A7CA3
 32 Linux root (PPC)               1DE3F1EF-FA98-47B5-8DCD-4A860A654D78
 33 Linux root (PPC64)             912ADE1D-A839-4913-8964-A10EEE08FBD2
 34 Linux root (PPC64LE)           C31C45E6-3F39-412E-80FB-4809C4980599
 35 Linux root (RISC-V-32)         60D5A7FE-8E7D-435C-B714-3DD8162144E1
 36 Linux root (RISC-V-64)         72EC70A6-CF74-40E6-BD49-4BDA08E8F224
 37 Linux root (S390)              08A7ACEA-624C-4A20-91E8-6E0FA67D23F9
 38 Linux root (S390X)             5EEAD9A9-FE09-4A1E-A1D7-520D00531306
 39 Linux root (TILE-Gx)           C50CDD70-3862-4CC3-90E1-809A8C93EE2C
 40 Linux reserved                 8DA63339-0007-60C0-C436-083AC8230908
 41 Linux home                     933AC7E1-2EB4-4F13-B844-0E14E2AEF915
 42 Linux RAID                     A19D880F-05FC-4D3B-A006-743F0F84911E
 43 Linux LVM                      E6D6D379-F507-44C2-A23C-238F2A3DF928
 44 Linux variable data            4D21B016-B534-45C2-A9FB-5C16E091FD2D
 45 Linux temporary data           7EC6F557-3BC5-4ACA-B293-16EF5DF639D1
 46 Linux /usr (x86)               75250D76-8CC6-458E-BD66-BD47CC81A812
 47 Linux /usr (x86-64)            8484680C-9521-48C6-9C11-B0720656F69E
 48 Linux /usr (Alpha)             E18CF08C-33EC-4C0D-8246-C6C6FB3DA024
 49 Linux /usr (ARC)               7978A683-6316-4922-BBEE-38BFF5A2FECC
 50 Linux /usr (ARM)               7D0359A3-02B3-4F0A-865C-654403E70625
 51 Linux /usr (ARM-64)            B0E01050-EE5F-4390-949A-9101B17104E9
 52 Linux /usr (IA-64)             4301D2A6-4E3B-4B2A-BB94-9E0B2C4225EA
 53 Linux /usr (LoongArch-64)      E611C702-575C-4CBE-9A46-434FA0BF7E3F
 54 Linux /usr (MIPS-32 LE)        0F4868E9-9952-4706-979F-3ED3A473E947
 55 Linux /usr (MIPS-64 LE)        C97C1F32-BA06-40B4-9F22-236061B08AA8
 56 Linux /usr (PPC)               7D14FEC5-CC71-415D-9D6C-06BF0B3C3EAF
 57 Linux /usr (PPC64)             2C9739E2-F068-46B3-9FD0-01C5A9AFBCCA
 58 Linux /usr (PPC64LE)           15BB03AF-77E7-4D4A-B12B-C0D084F7491C
 59 Linux /usr (RISC-V-32)         B933FB22-5C3F-4F91-AF90-E2BB0FA50702
 60 Linux /usr (RISC-V-64)         BEAEC34B-8442-439B-A40B-984381ED097D
 61 Linux /usr (S390)              CD0F869B-D0FB-4CA0-B141-9EA87CC78D66
 62 Linux /usr (S390X)             8A4F5770-50AA-4ED3-874A-99B710DB6FEA
 63 Linux /usr (TILE-Gx)           55497029-C7C1-44CC-AA39-815ED1558630
 64 Linux root verity (x86)        D13C5D3B-B5D1-422A-B29F-9454FDC89D76
 65 Linux root verity (x86-64)     2C7357ED-EBD2-46D9-AEC1-23D437EC2BF5
 66 Linux root verity (Alpha)      FC56D9E9-E6E5-4C06-BE32-E74407CE09A5
 67 Linux root verity (ARC)        24B2D975-0F97-4521-AFA1-CD531E421B8D
 68 Linux root verity (ARM)        7386CDF2-203C-47A9-A498-F2ECCE45A2D6
 69 Linux root verity (ARM-64)     DF3300CE-D69F-4C92-978C-9BFB0F38D820
 70 Linux root verity (IA-64)      86ED10D5-B607-45BB-8957-D350F23D0571
 71 Linux root verity (LoongArch-64) F3393B22-E9AF-4613-A948-9D3BFBD0C535
 72 Linux root verity (MIPS-32 LE) D7D150D2-2A04-4A33-8F12-16651205FF7B
 73 Linux root verity (MIPS-64 LE) 16B417F8-3E06-4F57-8DD2-9B5232F41AA6
 74 Linux root verity (PPC)        98CFE649-1588-46DC-B2F0-ADD147424925
 75 Linux root verity (PPC64)      9225A9A3-3C19-4D89-B4F6-EEFF88F17631
 76 Linux root verity (PPC64LE)    906BD944-4589-4AAE-A4E4-DD983917446A
 77 Linux root verity (RISC-V-32)  AE0253BE-1167-4007-AC68-43926C14C5DE
 78 Linux root verity (RISC-V-64)  B6ED5582-440B-4209-B8DA-5FF7C419EA3D
 79 Linux root verity (S390)       7AC63B47-B25C-463B-8DF8-B4A94E6C90E1
 80 Linux root verity (S390X)      B325BFBE-C7BE-4AB8-8357-139E652D2F6B
 81 Linux root verity (TILE-Gx)    966061EC-28E4-4B2E-B4A5-1F0A825A1D84
 82 Linux /usr verity (x86)        8F461B0D-14EE-4E81-9AA9-049B6FB97ABD
 83 Linux /usr verity (x86-64)     77FF5F63-E7B6-4633-ACF4-1565B864C0E6
 84 Linux /usr verity (Alpha)      8CCE0D25-C0D0-4A44-BD87-46331BF1DF67
 85 Linux /usr verity (ARC)        FCA0598C-D880-4591-8C16-4EDA05C7347C
 86 Linux /usr verity (ARM)        C215D751-7BCD-4649-BE90-6627490A4C05
 87 Linux /usr verity (ARM-64)     6E11A4E7-FBCA-4DED-B9E9-E1A512BB664E
 88 Linux /usr verity (IA-64)      6A491E03-3BE7-4545-8E38-83320E0EA880
 89 Linux /usr verity (LoongArch-64) F46B2C26-59AE-48F0-9106-C50ED47F673D
 90 Linux /usr verity (MIPS-32 LE) 46B98D8D-B55C-4E8F-AAB3-37FCA7F80752
 91 Linux /usr verity (MIPS-64 LE) 3C3D61FE-B5F3-414D-BB71-8739A694A4EF
 92 Linux /usr verity (PPC)        DF765D00-270E-49E5-BC75-F47BB2118B09
 93 Linux /usr verity (PPC64)      BDB528A5-A259-475F-A87D-DA53FA736A07
 94 Linux /usr verity (PPC64LE)    EE2B9983-21E8-4153-86D9-B6901A54D1CE
 95 Linux /usr verity (RISC-V-32)  CB1EE4E3-8CD0-4136-A0A4-AA61A32E8730
 96 Linux /usr verity (RISC-V-64)  8F1056BE-9B05-47C4-81D6-BE53128E5B54
 97 Linux /usr verity (S390)       B663C618-E7BC-4D6D-90AA-11B756BB1797
 98 Linux /usr verity (S390X)      31741CC4-1A2A-4111-A581-E00B447D2D06
 99 Linux /usr verity (TILE-Gx)    2FB4BF56-07FA-42DA-8132-6B139F2026AE
100 Linux root verity sign. (x86)  5996FC05-109C-48DE-808B-23FA0830B676
101 Linux root verity sign. (x86-64) 41092B05-9FC8-4523-994F-2DEF0408B176
102 Linux root verity sign. (Alpha) D46495B7-A053-414F-80F7-700C99921EF8
103 Linux root verity sign. (ARC)  143A70BA-CBD3-4F06-919F-6C05683A78BC
104 Linux root verity sign. (ARM)  42B0455F-EB11-491D-98D3-56145BA9D037
105 Linux root verity sign. (ARM-64) 6DB69DE6-29F4-4758-A7A5-962190F00CE3
106 Linux root verity sign. (IA-64) E98B36EE-32BA-4882-9B12-0CE14655F46A
107 Linux root verity sign. (LoongArch-64) 5AFB67EB-ECC8-4F85-AE8E-AC1E7C50E7D0
108 Linux root verity sign. (MIPS-32 LE) C919CC1F-4456-4EFF-918C-F75E94525CA5
109 Linux root verity sign. (MIPS-64 LE) 904E58EF-5C65-4A31-9C57-6AF5FC7C5DE7
110 Linux root verity sign. (PPC)  1B31B5AA-ADD9-463A-B2ED-BD467FC857E7
111 Linux root verity sign. (PPC64) F5E2C20C-45B2-4FFA-BCE9-2A60737E1AAF
112 Linux root verity sign. (PPC64LE) D4A236E7-E873-4C07-BF1D-BF6CF7F1C3C6
113 Linux root verity sign. (RISC-V-32) 3A112A75-8729-4380-B4CF-764D79934448
114 Linux root verity sign. (RISC-V-64) EFE0F087-EA8D-4469-821A-4C2A96A8386A
115 Linux root verity sign. (S390) 3482388E-4254-435A-A241-766A065F9960
116 Linux root verity sign. (S390X) C80187A5-73A3-491A-901A-017C3FA953E9
117 Linux root verity sign. (TILE-Gx) B3671439-97B0-4A53-90F7-2D5A8F3AD47B
118 Linux /usr verity sign. (x86)  974A71C0-DE41-43C3-BE5D-5C5CCD1AD2C0
119 Linux /usr verity sign. (x86-64) E7BB33FB-06CF-4E81-8273-E543B413E2E2
120 Linux /usr verity sign. (Alpha) 5C6E1C76-076A-457A-A0FE-F3B4CD21CE6E
121 Linux /usr verity sign. (ARC)  94F9A9A1-9971-427A-A400-50CB297F0F35
122 Linux /usr verity sign. (ARM)  D7FF812F-37D1-4902-A810-D76BA57B975A
123 Linux /usr verity sign. (ARM-64) C23CE4FF-44BD-4B00-B2D4-B41B3419E02A
124 Linux /usr verity sign. (IA-64) 8DE58BC2-2A43-460D-B14E-A76E4A17B47F
125 Linux /usr verity sign. (LoongArch-64) B024F315-D330-444C-8461-44BBDE524E99
126 Linux /usr verity sign. (MIPS-32 LE) 3E23CA0B-A4BC-4B4E-8087-5AB6A26AA8A9
127 Linux /usr verity sign. (MIPS-64 LE) F2C2C7EE-ADCC-4351-B5C6-EE9816B66E16
128 Linux /usr verity sign. (PPC)  7007891D-D371-4A80-86A4-5CB875B9302E
129 Linux /usr verity sign. (PPC64) 0B888863-D7F8-4D9E-9766-239FCE4D58AF
130 Linux /usr verity sign. (PPC64LE) C8BFBD1E-268E-4521-8BBA-BF314C399557
131 Linux /usr verity sign. (RISC-V-32) C3836A13-3137-45BA-B583-B16C50FE5EB4
132 Linux /usr verity sign. (RISC-V-64) D2F9000A-7A18-453F-B5CD-4D32F77A7B32
133 Linux /usr verity sign. (S390) 17440E4F-A8D0-467F-A46E-3912AE6EF2C5
134 Linux /usr verity sign. (S390X) 3F324816-667B-46AE-86EE-9B0C0C6C11B4
135 Linux /usr verity sign. (TILE-Gx) 4EDE75E2-6CCC-4CC8-B9C7-70334B087510
136 Linux extended boot            BC13C2FF-59E6-4262-A352-B275FD6F7172
137 Linux user's home              773f91ef-66d4-49b5-bd83-d683bf40ad16
138 FreeBSD data                   516E7CB4-6ECF-11D6-8FF8-00022D09712B
139 FreeBSD boot                   83BD6B9D-7F41-11DC-BE0B-001560B84F0F
140 FreeBSD swap                   516E7CB5-6ECF-11D6-8FF8-00022D09712B
141 FreeBSD UFS                    516E7CB6-6ECF-11D6-8FF8-00022D09712B
142 FreeBSD ZFS                    516E7CBA-6ECF-11D6-8FF8-00022D09712B
143 FreeBSD Vinum                  516E7CB8-6ECF-11D6-8FF8-00022D09712B
144 Apple HFS/HFS+                 48465300-0000-11AA-AA11-00306543ECAC
145 Apple APFS                     7C3457EF-0000-11AA-AA11-00306543ECAC
146 Apple UFS                      55465300-0000-11AA-AA11-00306543ECAC
147 Apple RAID                     52414944-0000-11AA-AA11-00306543ECAC
148 Apple RAID offline             52414944-5F4F-11AA-AA11-00306543ECAC
149 Apple boot                     426F6F74-0000-11AA-AA11-00306543ECAC
150 Apple label                    4C616265-6C00-11AA-AA11-00306543ECAC
151 Apple TV recovery              5265636F-7665-11AA-AA11-00306543ECAC
152 Apple Core storage             53746F72-6167-11AA-AA11-00306543ECAC
153 Apple Silicon boot             69646961-6700-11AA-AA11-00306543ECAC
154 Apple Silicon recovery         52637672-7900-11AA-AA11-00306543ECAC
155 Solaris boot                   6A82CB45-1DD2-11B2-99A6-080020736631
156 Solaris root                   6A85CF4D-1DD2-11B2-99A6-080020736631
157 Solaris /usr & Apple ZFS       6A898CC3-1DD2-11B2-99A6-080020736631
158 Solaris swap                   6A87C46F-1DD2-11B2-99A6-080020736631
159 Solaris backup                 6A8B642B-1DD2-11B2-99A6-080020736631
160 Solaris /var                   6A8EF2E9-1DD2-11B2-99A6-080020736631
161 Solaris /home                  6A90BA39-1DD2-11B2-99A6-080020736631
162 Solaris alternate sector       6A9283A5-1DD2-11B2-99A6-080020736631
163 Solaris reserved 1             6A945A3B-1DD2-11B2-99A6-080020736631
164 Solaris reserved 2             6A9630D1-1DD2-11B2-99A6-080020736631
165 Solaris reserved 3             6A980767-1DD2-11B2-99A6-080020736631
166 Solaris reserved 4             6A96237F-1DD2-11B2-99A6-080020736631
167 Solaris reserved 5             6A8D2AC7-1DD2-11B2-99A6-080020736631
168 NetBSD swap                    49F48D32-B10E-11DC-B99B-0019D1879648
169 NetBSD FFS                     49F48D5A-B10E-11DC-B99B-0019D1879648
170 NetBSD LFS                     49F48D82-B10E-11DC-B99B-0019D1879648
171 NetBSD concatenated            2DB519C4-B10F-11DC-B99B-0019D1879648
172 NetBSD encrypted               2DB519EC-B10F-11DC-B99B-0019D1879648
173 NetBSD RAID                    49F48DAA-B10E-11DC-B99B-0019D1879648
174 ChromeOS kernel                FE3A2A5D-4F32-41A7-B725-ACCC3285A309
175 ChromeOS root fs               3CB8E202-3B7E-47DD-8A3C-7FF2A13CFCEC
176 ChromeOS reserved              2E0A753D-9E48-43B0-8337-B15192CB1B5E
177 MidnightBSD data               85D5E45A-237C-11E1-B4B3-E89A8F7FC3A7
178 MidnightBSD boot               85D5E45E-237C-11E1-B4B3-E89A8F7FC3A7
179 MidnightBSD swap               85D5E45B-237C-11E1-B4B3-E89A8F7FC3A7
180 MidnightBSD UFS                0394EF8B-237E-11E1-B4B3-E89A8F7FC3A7
181 MidnightBSD ZFS                85D5E45D-237C-11E1-B4B3-E89A8F7FC3A7
182 MidnightBSD Vinum              85D5E45C-237C-11E1-B4B3-E89A8F7FC3A7
183 Ceph Journal                   45B0969E-9B03-4F30-B4C6-B4B80CEFF106
184 Ceph Encrypted Journal         45B0969E-9B03-4F30-B4C6-5EC00CEFF106
185 Ceph OSD                       4FBD7E29-9D25-41B8-AFD0-062C0CEFF05D
186 Ceph crypt OSD                 4FBD7E29-9D25-41B8-AFD0-5EC00CEFF05D
187 Ceph disk in creation          89C57F98-2FE5-4DC0-89C1-F3AD0CEFF2BE
188 Ceph crypt disk in creation    89C57F98-2FE5-4DC0-89C1-5EC00CEFF2BE
189 VMware VMFS                    AA31E02A-400F-11DB-9590-000C2911D1B8
190 VMware Diagnostic              9D275380-40AD-11DB-BF97-000C2911D1B8
191 VMware Virtual SAN             381CFCCC-7288-11E0-92EE-000C2911D0B2
192 VMware Virsto                  77719A0C-A4A0-11E3-A47E-000C29745A24
193 VMware Reserved                9198EFFC-31C0-11DB-8F78-000C2911D1B8
194 OpenBSD data                   824CC7A0-36A8-11E3-890A-952519AD3F61
195 QNX6 file system               CEF5A9AD-73BC-4601-89F3-CDEEEEE321A1
196 Plan 9 partition               C91818F9-8025-47AF-89D2-F030D7000C2C
197 HiFive FSBL                    5B193300-FC78-40CD-8002-E86C45580B47
198 HiFive BBL                     2E54B353-1271-4842-806F-E436D6AF6985
199 Haiku BFS                      42465331-3BA3-10F1-802A-4861696B7521
200 Marvell Armada 3700 Boot partition 6828311A-BA55-42A4-BCDE-A89BB5EDECAE

Aliases:
   linux          - 0FC63DAF-8483-4772-8E79-3D69D8477DE4
   swap           - 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
   home           - 933AC7E1-2EB4-4F13-B844-0E14E2AEF915
   uefi           - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
   raid           - A19D880F-05FC-4D3B-A006-743F0F84911E
   lvm            - E6D6D379-F507-44C2-A23C-238F2A3DF928


Create second partition for the NixOS install

Create a second partition by pressing n
Return output:

Partition number (2-128, default 2): 

Press ENTER to accept the default (2)
Return output:

First sector (4196352-1953525134, default 4196352): 

Again accept the default, just press enter
Return output:

Last sector, +/-sectors or +/-size{K,M,G,T,P} (3907584-1953525134, default 1953523711):

+500GB

Created a new partition 2 of type 'Linux filesystem' and of size 465.7 GiB.

Create third partition for NixOS swap

Press n again, accept the defaults for partition number and first sector, and enter +16GB as the size:

Command (m for help): n
Partition number (3-128, default 3): 
First sector (980469760-1953525134, default 980469760): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (980469760-1953525134, default 1953523711): +16GB


NixOS swap note

The NixOS config file will take care of the rest of the swap setup: with randomEncryption enabled, the partition is encrypted with a fresh random key and set up as swap on every boot, so no mkswap is needed here. The device is the third partition (nvme0n1p3), not the root partition.

 swapDevices = [ {
    device = "/dev/nvme0n1p3";   # the 16GB swap partition created above
    randomEncryption.enable = true; 
  } ];

Complete process terminal output

The complete process for creating the three partitions:
[nixos@nixos:~]$ sudo fdisk /dev/nvme0n1

Welcome to fdisk (util-linux 2.39.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS (MBR) disklabel with disk identifier 0xf4e4cac7.

Command (m for help): g
Created a new GPT disklabel (GUID: DB407773-03D4-499B-A96A-3A61798E4523).

Command (m for help): n
Partition number (1-128, default 1): 
First sector (2048-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): +2GB

Created a new partition 1 of type 'Linux filesystem' and of size 1.9 GiB.

Command (m for help): t
Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Command (m for help): n
Partition number (2-128, default 2): 
First sector (3907584-1953525134, default 3907584): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (3907584-1953525134, default 1953523711): +500GB

Created a new partition 2 of type 'Linux filesystem' and of size 465.7 GiB.
Partition #2 contains a zfs_member signature.

Do you want to remove the signature? [Y]es/[N]o: y

The signature will be removed by a write command.

Command (m for help): n
Partition number (3-128, default 3): 
First sector (980469760-1953525134, default 980469760): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (980469760-1953525134, default 1953523711): +16GB

Created a new partition 3 of type 'Linux filesystem' and of size 14.9 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.




You can now check the partitions with lsblk

[nixos@nixos:~]$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0   2.5G  1 loop /nix/.ro-store
sda           8:0    1   7.3G  0 disk 
├─sda1        8:1    1   2.5G  0 part /iso
└─sda2        8:2    1     3M  0 part 
sdb           8:16   1     0B  0 disk 
nvme0n1     259:0    0 931.5G  0 disk 
├─nvme0n1p1 259:1    0   1.9G  0 part 
├─nvme0n1p2 259:2    0 465.7G  0 part 
└─nvme0n1p3 259:3    0  14.9G  0 part 

Format drives/partitions

We have now created 3 partitions on our drive nvme0n1

  • nvme0n1p1 the EFI partition
  • nvme0n1p2 the NixOS main partition
  • nvme0n1p3 the NixOS swap partition

The first partition is for EFI and will be formatted as FAT32

sudo mkfs.fat -F 32 /dev/nvme0n1p1

Adding a label

sudo fatlabel /dev/nvme0n1p1 EFIP

Create zpools for root and home

Select one option: encryption on root, or unencrypted.

  • NOTE: nvme0n1p2 is the main partition we will install NixOS on, and nvme0n1p3 is the swap

Creating zpools for root and home NO ENCRYPTION

sudo zpool create -f \
-o altroot="/mnt" \
-o ashift=12 \
-o autotrim=on \
-O compression=lz4 \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O normalization=formD \
-O dnodesize=auto \
-O sync=disabled \
-O mountpoint=none \
NIXROOT \
/dev/nvme0n1p2

Breakdown of the above command:
  • -o vs -O:
    • The lowercase "-o" sets pool-level properties affecting the entire pool.
    • The uppercase "-O" sets dataset-level properties affecting datasets within the pool.
  • Pool-Level Properties (Lowercase 'o'):
    • -o altroot="/mnt": Temporarily sets an alternate root directory for mounting the pool.
    • -o ashift=12: Specifies alignment shift for performance, with a value of 12 for 4K (2^12) disk sector size.
    • -o autotrim=on: Enables automatic trimming of unused space for better SSD performance and longevity.
  • Dataset-Level Properties (Uppercase 'O'):
    • -O compression=lz4: Enables LZ4 compression, which is effective and lightweight.
    • -O acltype=posixacl: Enables POSIX ACLs for granular permission control.
    • -O xattr=sa: Enables extended attributes stored as system attributes.
    • -O relatime=on: Updates access times relative to modification time for efficiency.
    • -O normalization=formD: Sets Unicode normalization form for system compatibility.
    • -O dnodesize=auto: Allows automatic adjustment of dnode sizes for performance.
    • -O sync=disabled: Disables synchronous writes for performance, but may compromise data integrity: on a crash or power loss, the last few seconds of writes that applications were told had reached disk (fsync) can be lost.
    • -O mountpoint=none: Disables automatic mounting of the new pool.
  • Other Parameters:
    • NIXROOT: Name of the ZFS pool being created.
    • /dev/nvme0n1p2: Disk partition for creating the ZFS pool.
  • Additional Note:
    • -f: Forces pool creation, overriding safety checks. Use with caution.

Creating zpools for root and home WITH ENCRYPTION on root

  • You will be prompted to enter a passphrase after running the below command; the same passphrase is asked for at every boot to unlock the pool

sudo zpool create -f \
-o altroot="/mnt" \
-o ashift=12 \
-o autotrim=on \
-O compression=lz4 \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O normalization=formD \
-O dnodesize=auto \
-O sync=disabled \
-O encryption=aes-256-gcm \
-O keylocation=prompt  \
-O keyformat=passphrase \
-O mountpoint=none \
NIXROOT \
/dev/nvme0n1p2

Breakdown of the above command:
  • -o vs -O:
    • The lowercase "-o" sets pool-level properties affecting the entire pool.
    • The uppercase "-O" sets dataset-level properties affecting datasets within the pool.
  • Pool-Level Properties (Lowercase 'o'):
    • -o altroot="/mnt": Temporarily sets an alternate root directory for mounting the pool.
    • -o ashift=12: Specifies alignment shift for performance, with a value of 12 for 4K (2^12) disk sector size.
    • -o autotrim=on: Enables automatic trimming of unused space for better SSD performance and longevity.
  • Dataset-Level Properties (Uppercase 'O'):
    • -O compression=lz4: Enables LZ4 compression, which is effective and lightweight.
    • -O acltype=posixacl: Enables POSIX ACLs for granular permission control.
    • -O xattr=sa: Enables extended attributes stored as system attributes.
    • -O relatime=on: Updates access times relative to modification time for efficiency.
    • -O normalization=formD: Sets Unicode normalization form for system compatibility.
    • -O dnodesize=auto: Allows automatic adjustment of dnode sizes for performance.
    • -O sync=disabled: Disables synchronous writes for performance, but may compromise data integrity: on a crash or power loss, the last few seconds of writes that applications were told had reached disk (fsync) can be lost.
    • -O encryption=aes-256-gcm: Specifies AES-256-GCM as the encryption algorithm (an authenticated mode, so tampered ciphertext is detected as well as kept confidential).
    • -O keylocation=prompt: Prompts for the encryption key when needed.
    • -O keyformat=passphrase: Uses a passphrase for the encryption key.
    • -O mountpoint=none: Disables automatic mounting of the new pool.
  • Other Parameters:
    • NIXROOT: Name of the ZFS pool being created.
    • /dev/nvme0n1p2: Disk partition for creating the ZFS pool.
  • Additional Note:
    • -f: Forces pool creation, overriding safety checks. Use with caution.

Create the root dataset

sudo zfs create -o mountpoint=legacy NIXROOT/root

Create the home dataset

sudo zfs create -o mountpoint=legacy NIXROOT/home

In the encrypted variant both datasets inherit the encryption settings from NIXROOT, so one passphrase unlocks both. mountpoint=legacy lets us mount the ZFS datasets with the normal mount command, and nixos-generate-config then records them as fileSystems entries in hardware-configuration.nix.

sudo mount -t zfs NIXROOT/root /mnt

sudo mkdir /mnt/boot /mnt/home

  • mount boot

sudo mount /dev/nvme0n1p1 /mnt/boot

  • mount zfs home

sudo mount -t zfs NIXROOT/home /mnt/home
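Before moving on to the config, it is worth confirming that every dataset in the pool actually inherited the encryption settings and that the key is loaded. The following script is an added example and not part of the original page: it parses the output of zfs get -H -r -o name,property,value encryption,keystatus for a pool and lists any dataset that is not aes-256-gcm or whose key is not loaded. Run without arguments it checks constructed sample output (labelled in the code, including a hypothetical NIXROOT/scratch dataset created with encryption=off); run as ./check-zfs-enc.sh NIXROOT it queries the real pool. The script name and the scratch dataset are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit encryption of every dataset
# in a ZFS pool. Reads lines in the format produced by
#   zfs get -H -r -o name,property,value encryption,keystatus POOL
# i.e. "<dataset>\t<property>\t<value>", one property per line.

TAB=$(printf '\t')

# Datasets whose encryption property is anything other than aes-256-gcm
# (e.g. a dataset later created with -o encryption=off). Reads stdin.
unencrypted_datasets() {
    awk -F "$TAB" '$2 == "encryption" && $3 != "aes-256-gcm" { print $1 }' | sort
}

# Datasets whose key is not currently loaded; an encrypted dataset that is
# still locked cannot be mounted by the boot process. Reads stdin.
locked_datasets() {
    awk -F "$TAB" '$2 == "keystatus" && $3 != "available" { print $1 }' | sort
}

# check_pool_encryption: reads zfs get output on stdin, reports problems on
# stderr and returns 1 if any dataset is unencrypted or locked, else 0.
check_pool_encryption() {
    input=$(cat)
    bad_enc=$(printf '%s\n' "$input" | unencrypted_datasets)
    bad_key=$(printf '%s\n' "$input" | locked_datasets)
    status=0
    if [ -n "$bad_enc" ]; then
        printf 'datasets not using aes-256-gcm:\n%s\n' "$bad_enc" >&2
        status=1
    fi
    if [ -n "$bad_key" ]; then
        printf 'datasets whose key is not loaded:\n%s\n' "$bad_key" >&2
        status=1
    fi
    return $status
}

# Constructed sample: what a healthy NIXROOT pool from this guide looks like.
good_sample() {
    printf 'NIXROOT\tencryption\taes-256-gcm\n'
    printf 'NIXROOT\tkeystatus\tavailable\n'
    printf 'NIXROOT/root\tencryption\taes-256-gcm\n'
    printf 'NIXROOT/root\tkeystatus\tavailable\n'
    printf 'NIXROOT/home\tencryption\taes-256-gcm\n'
    printf 'NIXROOT/home\tkeystatus\tavailable\n'
}

# Constructed sample: same pool plus a hypothetical NIXROOT/scratch dataset
# that was created with -o encryption=off and so holds plaintext.
bad_sample() {
    good_sample
    printf 'NIXROOT/scratch\tencryption\toff\n'
    printf 'NIXROOT/scratch\tkeystatus\tnone\n'
}

if [ $# -eq 1 ]; then
    # Real pool: query it and audit the result.
    zfs get -H -r -o name,property,value encryption,keystatus "$1" | check_pool_encryption \
        && echo "$1: every dataset is aes-256-gcm and unlocked"
else
    # No pool given: demonstrate on the constructed samples.
    good_sample | check_pool_encryption && echo "sample pool: every dataset is aes-256-gcm and unlocked"
    bad_sample | check_pool_encryption || echo "sample pool with NIXROOT/scratch: problems found (see above)"
fi
```

The check is deliberately strict about the cipher name: a dataset that reports encryption=off, or one created with a different algorithm, is flagged rather than accepted as "some encryption".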


NixOS - config and install

Generate a config file

sudo nixos-generate-config --root /mnt

  • This command generates the config files for the NixOS system; which files and what they do I do not yet know, learning as I go
  • To see the hardware configuration file:

cat /mnt/etc/nixos/hardware-configuration.nix

Network HostID

Using the command head -c 8 /etc/machine-id to generate a value for networking.hostId is a practical way to obtain a unique and consistent identifier for your system; the NixOS ZFS module requires networking.hostId to be set.

head -c 8 /etc/machine-id

  • should return 8 characters, something like the below:
3333abcd

We will use this in the ZFS section of the nixos/configuration.nix file
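As an added check (not from the original page), the script below derives the hostId the same way the guide does and confirms that the value actually written into configuration.nix matches it. ZFS records the importing host's hostid in the pool and NixOS refuses to build a ZFS configuration without networking.hostId, so a typo here is worth catching before nixos-install. Run with no arguments it works on constructed sample files created in a temporary directory; run as ./check-hostid.sh /etc/machine-id /mnt/etc/nixos/configuration.nix it checks the real files. The script name, the sample machine-id value and the wrong.nix file are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): derive networking.hostId the way
# the guide does (head -c 8 /etc/machine-id) and confirm that the value written
# into configuration.nix matches it.

# Print the first 8 characters of a machine-id file.
hostid_from_machine_id() {
    head -c 8 "$1"
}

# Return 0 when the value is exactly 8 hexadecimal characters.
is_valid_hostid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}$'
}

# Print the value of the first active (uncommented) networking.hostId line.
hostid_in_config() {
    sed -n 's/^[[:space:]]*networking\.hostId[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_hostid MACHINE_ID_FILE CONFIG_FILE: 0 when the config carries a
# well-formed hostId equal to the one derived from the machine-id, else 1.
check_hostid() {
    want=$(hostid_from_machine_id "$1")
    have=$(hostid_in_config "$2")
    if ! is_valid_hostid "$want"; then
        echo "machine-id does not yield 8 hex characters: '$want'" >&2
        return 1
    fi
    if [ -z "$have" ]; then
        echo "no networking.hostId set in $2" >&2
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "hostId mismatch: config has '$have', machine-id gives '$want'" >&2
        return 1
    fi
    return 0
}

# Constructed sample files, so the script runs without touching the live
# system. The machine-id value is made up; it starts with the guide's 3333abcd.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '3333abcd5e7f4a1b9c0d2e3f4a5b6c7d\n' > "$demo_dir/machine-id"
cat > "$demo_dir/configuration.nix" <<'EOF'
# constructed fragment of configuration.nix
# networking.hostId = "00000000";   # a commented-out line must be ignored
  networking.hostId = "3333abcd";
EOF
printf 'networking.hostId = "deadbeef";\n' > "$demo_dir/wrong.nix"

if [ $# -eq 2 ]; then
    # Real check, e.g.: ./check-hostid.sh /etc/machine-id /mnt/etc/nixos/configuration.nix
    check_hostid "$1" "$2" && echo "hostId ok: $(hostid_in_config "$2")"
else
    check_hostid "$demo_dir/machine-id" "$demo_dir/configuration.nix" && echo "sample config: hostId ok"
    check_hostid "$demo_dir/machine-id" "$demo_dir/wrong.nix" || echo "sample wrong.nix: mismatch detected (see above)"
fi
```

The sed pattern only matches lines that start (after whitespace) with networking.hostId, so the commented-out template line that the generated configuration.nix may still contain is ignored.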

edit nixos config file

/mnt/etc/nixos/configuration.nix Before any changes

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # networking.hostName = "nixos"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkbOptions in tty.
  # };

  # Enable the X11 windowing system.
  services.xserver.enable = true;


  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  

  # Configure keymap in X11
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e,caps:escape";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.alice = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  #   packages = with pkgs; [
  #     firefox
  #     tree
  #   ];
  # };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # environment.systemPackages = with pkgs; [
  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #   wget
  # ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?

}

sudo $EDITOR /mnt/etc/nixos/configuration.nix


Boot Loader

By default it will use systemd-boot as the boot loader, which will not allow us to dual boot with FreeBSD (I think)

Comment out these lines by placing a # in front:

boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

And insert:

# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

ZFS

Add the ZFS lines as well; boot.zfs.requestEncryptionCredentials = true makes the boot process prompt for the pool passphrase, which the encrypted option needs.

# zfs 
boot.supportedFilesystems = [  "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

HostName and Network Manager

  • In the same config file we are going to change a few other details
    • networking.hostName
    • you can just uncomment it if you are happy with the name 'nixos'
    • or uncomment and change the name to what you like

networking.hostName = "t470nix";

    • pick one of the networking options by uncommenting

networking.networkmanager.enable = true;

Set your time zone - need to find a list of options

time.timeZone = "Europe/London";

Keyboard layout

  # Configure keymap in X11
  services.xserver = {
    layout = "gb";
    xkbVariant = "";
  };

  # Configure console keymap
  console.keyMap = "uk";

Select internationalisation properties

# Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_GB.UTF-8";
    LC_IDENTIFICATION = "en_GB.UTF-8";
    LC_MEASUREMENT = "en_GB.UTF-8";
    LC_MONETARY = "en_GB.UTF-8";
    LC_NAME = "en_GB.UTF-8";
    LC_NUMERIC = "en_GB.UTF-8";
    LC_PAPER = "en_GB.UTF-8";
    LC_TELEPHONE = "en_GB.UTF-8";
    LC_TIME = "en_GB.UTF-8";
  };

Desktop - Pantheon

NOTE: because I am using latest-nixos-plasma5-x86_64-linux.iso, by default the desktop will be Plasma 5, so I am going to comment it out and replace it with the Pantheon desktop

Default entry:

  # Enable the X11 windowing system.
  services.xserver.enable = true;


  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

Changed to: NOTE: Pantheon has a bug, it does not wake from sleep if you shut the laptop lid, but it's easy to change desktop on NixOS, as I will show later.

  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the Pantheon Desktop Environment.
  services.xserver.displayManager.lightdm.enable = true;
  services.xserver.desktopManager.pantheon.enable = true;

  # Enable the Plasma 5 Desktop Environment.
#  services.xserver.displayManager.sddm.enable = true;
#  services.xserver.desktopManager.plasma5.enable = true;

Set init user

    • Configure a user account - we are using the name noob, feel free to change it
    • Note: initialPassword is stored in plain text in the world-readable Nix store, so change it after the first login with passwd noob. SYNTAX: passwd USERNAME

users.users.noob = {
 isNormalUser = true;
 initialPassword = "CompleteNoob";
 extraGroups = [ "wheel" ];
 packages = with pkgs; [
   mc
 ];
};

Enable auto login

  • Note: auto login skips the password prompt at the display manager; with encryption on root, anyone who boots the machine and enters the ZFS passphrase lands straight in the desktop

  # Enable automatic login for the user.
  services.xserver.displayManager.autoLogin.enable = true;
  services.xserver.displayManager.autoLogin.user = "noob";

Enable Sound

  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

Add a terminal text editor

Note: 'vi' on its own does not work, it needs to be 'vim'; 'nano' is preinstalled by default with NixOS

environment.systemPackages = with pkgs; [
  wget
  vim
];

Optional if you want to ssh in after reboot

  • enable sshd

services.openssh.enable = true;

  • disable firewall (not needed just for SSH: services.openssh.enable already opens port 22 in the firewall by default, so this drops the filter for everything else as well)

networking.firewall.enable = false;


/mnt/etc/nixos/configuration.nix After Changes - TIDY VERSION

[noob@t470nix:~]$ cat /etc/nixos/configuration.nix 
# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;



# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs 
boot.supportedFilesystems = [  "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
  services.xserver = {
    layout = "gb";
    xkbVariant = "";
  };

  # Configure console keymap
  console.keyMap = "uk";

# Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_GB.UTF-8";
    LC_IDENTIFICATION = "en_GB.UTF-8";
    LC_MEASUREMENT = "en_GB.UTF-8";
    LC_MONETARY = "en_GB.UTF-8";
    LC_NAME = "en_GB.UTF-8";
    LC_NUMERIC = "en_GB.UTF-8";
    LC_PAPER = "en_GB.UTF-8";
    LC_TELEPHONE = "en_GB.UTF-8";
    LC_TIME = "en_GB.UTF-8";
  };



  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the Pantheon Desktop Environment.
  services.xserver.displayManager.lightdm.enable = true;
  services.xserver.desktopManager.pantheon.enable = true;

  # Enable the Plasma 5 Desktop Environment.
#  services.xserver.displayManager.sddm.enable = true;
#  services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
 isNormalUser = true;
 initialPassword = "CompleteNoob";
 extraGroups = [ "wheel" ];
 packages = with pkgs; [
   mc
 ];
};

# Enable automatic login for the user.
  services.xserver.displayManager.autoLogin.enable = true;
  services.xserver.displayManager.autoLogin.user = "noob";

 # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

environment.systemPackages = with pkgs; [
  wget
  vim
];

  system.stateVersion = "23.11"; # Did you read the comment?



swapDevices = [ {
    device = "/dev/nvme0n1p3";
    randomEncryption.enable = true; 
  } ];

}



Install NixOS

To install NixOS, run nixos-install:

sudo nixos-install

  • you will be prompted to set the root password at the end of the install

Once installed, reboot and log in

Installing packages on NixOS

Still new to NixOS: nix-env -i firefox installs Firefox imperatively, for the current user only.

But it's best to use configuration.nix for software installs: that way, if you keep a copy of your config file and nuke and pave, you get all your apps from the start without reinstalling them one by one.

Reconfigure /etc/nixos/configuration.nix

To apply changes made to /etc/nixos/configuration.nix you need to rebuild

  • Give an example of how to change the desktop back to KDE
  • Add the package Firefox and rebuild
  • After reboot (after the desktop change) the new password for the noob account was still in place; it did not revert to CompleteNoob

Change DESKTOP

  # Enable the Pantheon Desktop Environment.
#  services.xserver.displayManager.lightdm.enable = true;
#  services.xserver.desktopManager.pantheon.enable = true;

  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

Config after the update:

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;



# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs 
boot.supportedFilesystems = [  "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
  services.xserver = {
    layout = "gb";
    xkbVariant = "";
  };

  # Configure console keymap
  console.keyMap = "uk";

# Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_GB.UTF-8";
    LC_IDENTIFICATION = "en_GB.UTF-8";
    LC_MEASUREMENT = "en_GB.UTF-8";
    LC_MONETARY = "en_GB.UTF-8";
    LC_NAME = "en_GB.UTF-8";
    LC_NUMERIC = "en_GB.UTF-8";
    LC_PAPER = "en_GB.UTF-8";
    LC_TELEPHONE = "en_GB.UTF-8";
    LC_TIME = "en_GB.UTF-8";
  };



  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the Pantheon Desktop Environment.
#  services.xserver.displayManager.lightdm.enable = true;
#  services.xserver.desktopManager.pantheon.enable = true;

  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
 isNormalUser = true;
 initialPassword = "CompleteNoob";
 extraGroups = [ "wheel" ];
 packages = with pkgs; [
   mc
 ];
};

# Enable automatic login for the user.
  services.xserver.displayManager.autoLogin.enable = true;
  services.xserver.displayManager.autoLogin.user = "noob";

 # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

environment.systemPackages = with pkgs; [
  wget
  vim
  firefox
];

  system.stateVersion = "23.11"; # Did you read the comment?


#Swap Device setup
swapDevices = [ {
    device = "/dev/nvme0n1p3";
    randomEncryption.enable = true; 
  } ];

}



After editing the config, rebuild with sudo nixos-rebuild switch (builds and activates the new configuration now) or sudo nixos-rebuild boot (builds it and makes it the default at the next boot).


And that's a basic install of NixOS on OpenZFS; still learning.

Adding brave browser

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;



# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs 
boot.supportedFilesystems = [  "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
  services.xserver = {
    layout = "gb";
    xkbVariant = "";
  };

  # Configure console keymap
  console.keyMap = "uk";

# Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_GB.UTF-8";
    LC_IDENTIFICATION = "en_GB.UTF-8";
    LC_MEASUREMENT = "en_GB.UTF-8";
    LC_MONETARY = "en_GB.UTF-8";
    LC_NAME = "en_GB.UTF-8";
    LC_NUMERIC = "en_GB.UTF-8";
    LC_PAPER = "en_GB.UTF-8";
    LC_TELEPHONE = "en_GB.UTF-8";
    LC_TIME = "en_GB.UTF-8";
  };



  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the Pantheon Desktop Environment.
#  services.xserver.displayManager.lightdm.enable = true;
#  services.xserver.desktopManager.pantheon.enable = true;

  # Enable the Plasma 5 Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
 isNormalUser = true;
 initialPassword = "CompleteNoob";
 extraGroups = [ "wheel" ];
 packages = with pkgs; [
   mc
 ];
};

# Enable automatic login for the user.
  services.xserver.displayManager.autoLogin.enable = true;
  services.xserver.displayManager.autoLogin.user = "noob";

 # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

environment.systemPackages = with pkgs; [
  wget
  vim
  firefox
  brave
];

# use this to prevent brave from opening kwallet all the time
# (nixpkgs.overlays is the NixOS option that applies overlays;
#  nixpkgs.config.overlays is not an option and the overlay would not be applied)
nixpkgs.overlays = [
  (self: super: {
    brave = super.brave.override {
      commandLineArgs = "--password-store=basic";
    };
  })
];

  system.stateVersion = "23.11"; # Did you read the comment?


#Swap Device setup
swapDevices = [ {
    device = "/dev/nvme0n1p3";
    randomEncryption.enable = true; 
  } ];

}

sudo nixos-rebuild switch

HatTips