This is a userspace draft and is not supported by NixOS Wiki.

Moved to here: https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html

Last version is: https://wiki.nixos.org/w/index.php?title=User:2r/NixOS_on_ZFS&oldid=5406

== Enable ZFS on Existing Installation ==
Add the following lines to the system configuration:

<pre>boot.supportedFilesystems = [ "zfs" ];

networking.hostId = "deadbeef";</pre>

The host ID must be unique per machine, because ZFS refuses to import a pool that was last imported by a different host ID; generate one with <code>head -c 8 /etc/machine-id</code>.

Rebuild the system with <code>nixos-rebuild switch</code>.
== Install NixOS on ZFS ==

=== Layout ===

==== Partitions ====

Swap on a ZFS zvol can deadlock under memory pressure and does not support hibernation, so a separate swap partition should be created.
{| class="wikitable"
|+ GPT partition table
|-
!
! ESP
! bpool
! rpool
! swap
! BIOS boot sector
|-
! Filesystem
| vfat
| ZFS, feature limited for GRUB compatibility
| ZFS
| swap
| N/A
|-
! Content
| <code>grubx64.efi</code>
| <code>/boot</code>
| <code>/</code>
| swap
| N/A
|-
! Encryption
| No, can be validated with Secure Boot
| LUKS1
| ZFS native encryption
| random/LUKS2
| N/A
|}
==== Datasets ====

As NixOS lacks a service that handles native ZFS mounting at boot, such as <code>zfs-mount-generator</code>, all mountable datasets must be created with <code>mountpoint=legacy</code> so that they can be mounted through the <code>fileSystems</code> option.

Datasets with <code>canmount=off mountpoint=none</code> are used as containers: no data is stored directly under them, but child datasets inherit their properties, and they can mirror directory structures such as <code>/var/log</code>.
{| class="wikitable"
|+ Dataset layout
|-
!colspan="3"| Containers
! Dataset
! mountpoint
! canmount
! comment
|-
| bpool
| sys
| BOOT
| default
| /boot
| noauto
|
|-
|rowspan="3"| rpool
|rowspan="3"| sys
| ROOT
| default
| /
| noauto
|
|-
|rowspan="2"| DATA
| local
| /
| off
| container for datasets that do not need backup, such as /nix
|-
| safe
| /
| off
| container for datasets that need backup, such as /{root,home,home,user}
|}
==== Encryption ====

The boot pool can be encrypted with LUKS1 to prevent tampering with the initrd. Putting the root pool on LUKS is discouraged, however: LUKS abstracts away the physical devices, which is undesirable for ZFS, and data is then encrypted per disk, which is slower than the per-file encryption of ZFS native encryption.

ZFS native encryption does not encrypt dataset names (paths) or default properties; custom properties containing a colon, such as <code>custom:property</code>, are encrypted. Also, as ZFS currently does not support replacing the master key, once the passphrase or keyfile is compromised the encrypted dataset must be destroyed to protect confidentiality. Users are therefore advised to choose a strong passphrase from the start.
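The dataset layout and the encryption choices above map onto the following NixOS configuration fragment, added here as an illustration and not taken from the original page. The leaf dataset names (<code>default</code>, <code>nix</code>, <code>home</code>, <code>root</code>), the host ID value and the <code>/dev/disk/by-partlabel</code> device paths are assumptions; bootloader device settings are omitted.

```nix
# Added example, not part of the original page: mount the legacy-mountpoint
# datasets from the layout table and wire up the two encryption layers.
# Leaf dataset names, hostId and partition labels are assumptions.
{ ... }:
{
  boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "deadbeef";    # generate with: head -c 8 /etc/machine-id
  boot.zfs.forceImportRoot = false;  # never force-import a pool another host still holds

  # rpool/sys uses ZFS native encryption: stage 1 prompts for its passphrase.
  boot.zfs.requestEncryptionCredentials = [ "rpool/sys" ];

  # bpool sits on LUKS1 so that GRUB can unlock it and the initrd is not stored in clear.
  boot.initrd.luks.devices.bpool.device = "/dev/disk/by-partlabel/bpool";  # assumed label
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.grub.zfsSupport = true;

  # Every dataset below was created with mountpoint=legacy, so nothing mounts
  # unless it is declared here. Container datasets (sys, ROOT, DATA, local, safe)
  # have canmount=off and are intentionally absent.
  fileSystems = {
    "/"     = { device = "rpool/sys/ROOT/default"; fsType = "zfs"; };
    "/boot" = { device = "bpool/sys/BOOT/default"; fsType = "zfs"; };
    # DATA/local: no backup needed, the store is reproducible from configuration
    "/nix"  = { device = "rpool/sys/DATA/local/nix"; fsType = "zfs"; neededForBoot = true; };
    # DATA/safe: datasets worth backing up
    "/home" = { device = "rpool/sys/DATA/safe/home"; fsType = "zfs"; };
    "/root" = { device = "rpool/sys/DATA/safe/root"; fsType = "zfs"; };
    # ESP holding grubx64.efi; keep boot.loader.efi.efiSysMountPoint in sync with this path
    "/boot/efi" = { device = "/dev/disk/by-partlabel/esp"; fsType = "vfat"; };
  };

  # Swap lives on its own partition (see the partition table), never on a zvol.
  swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ];
}
```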