https://blog.wayofthepie.dev Zola en Sat, 30 Apr 2022 00:00:00 +0000 Sat, 30 Apr 2022 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/gpg-keys-with-a-yubikey/ https://blog.wayofthepie.dev/gpg-keys-with-a-yubikey/ <p>Recently I've wanted to move back to using <a rel="nofollow noreferrer external" href="https://www.passwordstore.org/">pass</a> as a password manager. In the past, I used <code>pass</code> with my GPG key on a yubikey and it worked out well. I do still have the key I used, but I can't remember how I set pass/GPG up to use the yubikey. So, I thought I'd do it from scratch, write about it, and maybe learn something.</p> <h1 id="initial-setup">Initial setup</h1> <p>The <code>gpg</code> and <code>scdaemon</code> packages need to be installed. Once the yubikey is inserted it should be used immediately by GPG. GPG runs a daemon called <code>gpg-agent</code> which talks through <code>scdaemon</code> to communicate with the yubikey.</p> <h1 id="generate-a-key">Generate a key</h1> <p>To start, we need to generate some keys! Run <code>gpg --expert --full-gen-key</code> and choose <code>1</code>, "RSA and RSA", as the key type. The other options should be self-explanatory.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --expert --full-gen-key</span></span> <span class="giallo-l"><span>gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.</span></span> <span class="giallo-l"><span>This is free software: you are free to change and redistribute it.</span></span> <span class="giallo-l"><span>There is NO WARRANTY, to the extent permitted by law.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Please select what kind of key you want:</span></span> <span class="giallo-l"><span> (1) RSA and RSA (default)</span></span> <span class="giallo-l"><span> (2) DSA and Elgamal</span></span> <span class="giallo-l"><span> (3) DSA (sign only)</span></span> <span class="giallo-l"><span> (4) RSA (sign only)</span></span> <span class="giallo-l"><span> (7) DSA (set your own capabilities)</span></span> <span class="giallo-l"><span> (8) RSA (set your own capabilities)</span></span> <span class="giallo-l"><span> (9) ECC and ECC</span></span> <span class="giallo-l"><span> (10) ECC (sign only)</span></span> <span class="giallo-l"><span> (11) ECC (set your own capabilities)</span></span> <span class="giallo-l"><span> (13) Existing key</span></span> <span class="giallo-l"><span> (14) Existing key from card</span></span> <span class="giallo-l"><span>Your selection? 1</span></span> <span class="giallo-l"><span>RSA keys may be between 1024 and 4096 bits long.</span></span> <span class="giallo-l"><span>What keysize do you want? (3072) 4096</span></span> <span class="giallo-l"><span>Requested keysize is 4096 bits</span></span> <span class="giallo-l"><span>RSA keys may be between 1024 and 4096 bits long.</span></span> <span class="giallo-l"><span>What keysize do you want for the subkey? (3072) 4096</span></span> <span class="giallo-l"><span>Requested keysize is 4096 bits</span></span> <span class="giallo-l"><span>Please specify how long the key should be valid.</span></span> <span class="giallo-l"><span> 0 = key does not expire</span></span> <span class="giallo-l"><span> &lt;n&gt; = key expires in n days</span></span> <span class="giallo-l"><span> &lt;n&gt;w = key expires in n weeks</span></span> <span class="giallo-l"><span> &lt;n&gt;m = key expires in n months</span></span> <span class="giallo-l"><span> &lt;n&gt;y = key expires in n years</span></span> <span class="giallo-l"><span>Key is valid for? (0) 2y</span></span> <span class="giallo-l"><span>Key expires at Mon 29 Apr 2024 17:17:40 IST</span></span> <span class="giallo-l"><span>Is this correct? (y/N) y</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>GnuPG needs to construct a user ID to identify your key.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Real name: Stephen OBrien</span></span> <span class="giallo-l"><span>Email address: wayofthepie@protonmail.com</span></span> <span class="giallo-l"><span>Comment:</span></span> <span class="giallo-l"><span>You selected this USER-ID:</span></span> <span class="giallo-l"><span> &quot;Stephen OBrien &lt;wayofthepie@protonmail.com&gt;&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o</span></span> <span class="giallo-l"><span>We need to generate a lot of random bytes. It is a good idea to perform</span></span> <span class="giallo-l"><span>some other action (type on the keyboard, move the mouse, utilize the</span></span> <span class="giallo-l"><span>disks) during the prime generation; this gives the random number</span></span> <span class="giallo-l"><span>generator a better chance to gain enough entropy.</span></span> <span class="giallo-l"><span>We need to generate a lot of random bytes. It is a good idea to perform</span></span> <span class="giallo-l"><span>some other action (type on the keyboard, move the mouse, utilize the</span></span> <span class="giallo-l"><span>disks) during the prime generation; this gives the random number</span></span> <span class="giallo-l"><span>generator a better chance to gain enough entropy.</span></span> <span class="giallo-l"><span>gpg: key 01ED8E917ECF4036 marked as ultimately trusted</span></span> <span class="giallo-l"><span>gpg: revocation certificate stored as &#39;/home/chaospie/.gnupg/openpgp-revocs.d/985DB4AF50F89C5B9ED41803817494BAD88093CB.rev&#39;</span></span> <span class="giallo-l"><span>public and secret key created and signed.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>pub rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>sub rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre> <p>You can run <code>gpg --list-secret-keys</code> to get a list of the secret keys generated:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-secret-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>sec rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid [ultimate] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>ssb rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre> <p>To see the public keys:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>pub rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid [ultimate] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>sub rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre><h2 id="gpg-terminology">GPG Terminology</h2> <p>Another thing I always forget when using GPG after some time is what all the jargon means!</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>sec rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid [ultimate] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>ssb rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre> <p>Let's start from the first line <code>sec rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</code>.</p> <ul> <li><code>sec</code> means this is a secret key.</li> <li><code>rsa4096</code> is the algorithm and key size.</li> <li><code>[SC]</code> is the <em>capability</em> of the key, in this case <code>SC</code>. <code>S</code> is <code>Sign</code>, <code>C</code> is <code>Certify</code>, <code>A</code> is <code>Authenticate</code>, and <code>E</code> is <code>Encrypt</code>. You can create subkeys (more on this later) that have specific capabilities.</li> <li><code>[expires: 2024-04-29]</code> this just says when the key expires</li> </ul> <p>The second line, <code>985DB4AF50F89C5B9ED41803817494BAD88093CB</code>, is just the key id. The last line, <code>ssb rsa4096 2022-04-30 [E] [expires: 2024-04-29]</code>:</p> <ul> <li><code>ssb</code> says this key is a <em>subkey</em>. The key denoted <code>sec</code> is the primary key, and all <code>ssb</code> keys are subkeys of this.</li> <li>The rest is similar to the first line.</li> </ul> <h1 id="move-keys-to-the-yubikey">Move keys to the yubikey</h1> <p>Moving the keys to the yubikey is pretty simple. First, you should back up the secret key <em>before</em> you move it to the yubikey, you won't have access to this after moving. I have a second yubikey that I import all keys to, and I also move the secret key to a USB stick with a <a rel="nofollow noreferrer external" href="https://man7.org/linux/man-pages/man8/cryptsetup.8.html">LUKS volume</a>. Not the best practice security-wise, but it's a USB stick I never use. You can also print them so they never live anywhere except on paper. To export the secret key:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg --export-secret-key --armor $SECRET_KEY_ID &gt; secret.key</span></span></code></pre> <p><code>secret.key</code> will contain the key. Store this somewhere safe! Time to move the keys to the yubikey. Insert it, and run:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --card-status</span></span> <span class="giallo-l"><span>Reader ...........: 1050:0407:X:0</span></span> <span class="giallo-l"><span>Application ID ...: D2760001240103040006120418440000</span></span> <span class="giallo-l"><span>Application type .: OpenPGP</span></span> <span class="giallo-l"><span>Version ..........: 3.4</span></span> <span class="giallo-l"><span>Manufacturer .....: Yubico</span></span> <span class="giallo-l"><span>...</span></span></code></pre> <p>If it displays the card info, GPG can see it. To import we need the id of the secret key, you can get this by running:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-secret-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>sec rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid [ultimate] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>ssb rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre> <p>The id in this case is <code>985DB4AF50F89C5B9ED41803817494BAD88093CB</code>. To move the keys to the yubikey run <code>gpg --edit-key $SECRET_KEY_ID</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --edit-key 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.</span></span> <span class="giallo-l"><span>This is free software: you are free to change and redistribute it.</span></span> <span class="giallo-l"><span>There is NO WARRANTY, to the extent permitted by law.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Secret key is available.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>sec rsa4096/817494BAD88093CB</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: SC</span></span> <span class="giallo-l"><span> trust: unknown validity: unknown</span></span> <span class="giallo-l"><span>ssb rsa4096/5DCD3D0ABD15FA6F</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: E</span></span> <span class="giallo-l"><span>[ unknown] (1). Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>gpg&gt;</span></span></code></pre> <p>In the prompt type <code>keytocard</code> - remember, moving the key to the card means you can never read this key directly again, so make sure you back it up!</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg&gt; keytocard</span></span> <span class="giallo-l"><span>Really move the primary key? (y/N) y</span></span> <span class="giallo-l"><span>Please select where to store the key:</span></span> <span class="giallo-l"><span> (1) Signature key</span></span> <span class="giallo-l"><span> (3) Authentication key</span></span> <span class="giallo-l"><span>Your selection? 1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>sec rsa4096/817494BAD88093CB</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: SC</span></span> <span class="giallo-l"><span> trust: unknown validity: unknown</span></span> <span class="giallo-l"><span>ssb rsa4096/5DCD3D0ABD15FA6F</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: E</span></span> <span class="giallo-l"><span>ssb rsa4096/F35B9D17C107C8AC</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: A</span></span> <span class="giallo-l"><span>[ unknown] (1). Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span></code></pre> <p>We select the <code>Signature Key</code> slot in the yubikey as the place to store this primary key. It should prompt for the keys passphrase. Once done, select the subkey with <code>key 1</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg&gt; key 1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>sec rsa4096/817494BAD88093CB</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: SC</span></span> <span class="giallo-l"><span> trust: unknown validity: unknown</span></span> <span class="giallo-l"><span>ssb* rsa4096/5DCD3D0ABD15FA6F</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: E</span></span> <span class="giallo-l"><span>[ unknown] (1). Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span></code></pre> <p>Note the asterisk (<code>*</code>) after <code>ssb</code>, this means this subkey is selected.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg&gt; keytocard</span></span> <span class="giallo-l"><span>Please select where to store the key:</span></span> <span class="giallo-l"><span> (2) Encryption key</span></span> <span class="giallo-l"><span>Your selection? 2</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>sec rsa4096/817494BAD88093CB</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: SC</span></span> <span class="giallo-l"><span> trust: unknown validity: unknown</span></span> <span class="giallo-l"><span>ssb* rsa4096/5DCD3D0ABD15FA6F</span></span> <span class="giallo-l"><span> created: 2022-04-30 expires: 2024-04-29 usage: E</span></span> <span class="giallo-l"><span>[ unknown] (1). Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span></code></pre> <p>This time we select the <code>Encryption Key</code> slot in the yubikey. Once complete, type <code>quit</code> and make sure to say <code>y</code> when prompted to save.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg&gt; q</span></span> <span class="giallo-l"><span>Save changes? (y/N) y</span></span></code></pre> <p>Now, when we list the secret keys, both the primary key and the subkey should be postfixed with a <code>&gt;</code>, this denotes that GPG only has a reference to the keys, they are not stored directly in its keyring.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-secret-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>sec&gt; rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span> Card serial no. = 0006 12041844</span></span> <span class="giallo-l"><span>uid [ unknown] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>ssb&gt; rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span></code></pre><h1 id="export-and-store-the-public-key">Export and store the public key</h1> <p>It's important to export and store the public key somewhere publicly accessible. To export:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg --output public.key --armor --export $SECRET_KEY_ID</span></span></code></pre> <p><code>public.key</code> will contain the key. Once you've stored the public key somewhere, edit the card again with <code>gpg --edit-card</code>. This time enable admin commands with the <code>admin</code> command, and then enter the URL to access the public key with <code>url</code>.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --edit-card</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Reader ...........: 1050:0407:X:0</span></span> <span class="giallo-l"><span>Application ID ...: D2760001240103040006120418440000</span></span> <span class="giallo-l"><span>Application type .: OpenPGP</span></span> <span class="giallo-l"><span>...</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>gpg/card&gt; admin</span></span> <span class="giallo-l"><span>Admin commands are allowed</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>gpg/card&gt; url</span></span> <span class="giallo-l"><span>URL to retrieve public key: https://raw.githubusercontent.com/wayofthepie/public-keys/main/proton.key</span></span></code></pre> <p>I stored mine in a github repo, you can also upload it to a keyserver and reference from there.</p> <h1 id="set-up-pass">Set up pass</h1> <p>Install pass, with <code>sudo apt install pass</code> or however else you want to install it. Initialize the password store with the email you used to set up your key (you can also use the full key id instead of the email):</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ pass init wayofthepie@protonmail.com</span></span> <span class="giallo-l"><span>mkdir: created directory &#39;/home/chaospie/.password-store/&#39;</span></span> <span class="giallo-l"><span>Password store initialized for wayofthepie@protonmail.com</span></span></code></pre> <p>Enable git support:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ pass git init</span></span> <span class="giallo-l"><span>Initialized empty Git repository in /home/chaospie/.password-store/.git/</span></span> <span class="giallo-l"><span>[main (root-commit) ac03bd2] Add current contents of password store.</span></span> <span class="giallo-l"><span> 1 file changed, 1 insertion(+)</span></span> <span class="giallo-l"><span> create mode 100644 .gpg-id</span></span> <span class="giallo-l"><span>[main 894baaa] Configure git repository for gpg file diff.</span></span> <span class="giallo-l"><span> 1 file changed, 1 insertion(+)</span></span> <span class="giallo-l"><span> create mode 100644 .gitattributes</span></span></code></pre> <p>Configure the <code>gpg-agent</code> to open any prompts on the terminal by editing/creating <code>~/.gnupg/gpg-agent.conf</code> and adding:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>pinentry-program /usr/bin/pinentry-curses</span></span></code></pre> <p>Either <code>pinentry-curses</code> or <code>pinentry-tty</code> can be used here, if neither is installed you should be able to install it directly through the package manager. Kill the agent to force it to reload its config:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpgconf --kill gpg-agent</span></span></code></pre> <p>It will restart automatically. Let's do a quick test, insert a key <code>test</code> with the value <code>test</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ pass insert test -e</span></span> <span class="giallo-l"><span>Enter password for test: test</span></span></code></pre> <p>The <code>-e</code> flag just means echo back the value I type, without it the value is hidden. Now, test retrieval, run <code>pass test</code> and it should prompt you for your PIN:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>┌──────────────────────────────────────────────┐</span></span> <span class="giallo-l"><span>│ Please unlock the card │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ Number: 0006 33333333 │</span></span> <span class="giallo-l"><span>│ Holder: │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ PIN ________________________________________ │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ &lt;OK&gt; &lt;Cancel&gt; │</span></span> <span class="giallo-l"><span>└──────────────────────────────────────────────┘</span></span></code></pre> <p>The default PIN is 123456, you should change that if it's still that value. Once entered, pass should print the value of <code>test</code>. This means it's working!</p> <p>We need to test that the key is only accessible on the yubikey also. Pull out the yubikey and try to retrieve the value for <code>test</code> again, it should show a prompt like the following:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>┌────────────────────────────────────────────┐</span></span> <span class="giallo-l"><span>│ Please insert the card with serial number: │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ 0006 33333333 │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ &lt;OK&gt; &lt;Cancel&gt; │</span></span> <span class="giallo-l"><span>└────────────────────────────────────────────┘</span></span></code></pre> <p>Now pop it back in and run <code>pass test</code>, it should ask for the PIN again.</p> <h1 id="set-up-on-another-computer">Set up on another computer</h1> <p>This is the bit that always drives me mad when I haven't used GPG for a while. Initially, on a new computer, you'll have no public or secret keys:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-keys</span></span> <span class="giallo-l"><span>gpg: checking the trustdb</span></span> <span class="giallo-l"><span>gpg: no ultimately trusted keys found</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>❯ gpg --list-secret-keys</span></span></code></pre> <p>If you try to use <code>pass</code> to get a secret in the store, you will get the following error:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ pass test</span></span> <span class="giallo-l"><span>gpg: decryption failed: No secret key</span></span></code></pre> <p>Let's fix it!</p> <h2 id="fetch-the-public-key">Fetch the public key</h2> <p>To get a reference to the keys on the yubikey, plug it in and run:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --card-edit</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Reader ...........: 1050:0407:X:0</span></span> <span class="giallo-l"><span>Application ID ...: D2760001240103040006120418440000</span></span> <span class="giallo-l"><span>Application type .: OpenPGP</span></span> <span class="giallo-l"><span>...</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>gpg/card&gt;</span></span></code></pre> <p>In the prompt type <code>fetch</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>gpg/card&gt; fetch</span></span> <span class="giallo-l"><span>gpg: requesting key from &#39;https://raw.githubusercontent.com/wayofthepie/public-keys/main/proton.key&#39;</span></span> <span class="giallo-l"><span>gpg: key 01ED8E917ECF4036: public key &quot;Stephen OBrien &lt;wayofthepie@protonmail.com&gt;&quot; imported</span></span> <span class="giallo-l"><span>gpg: Total number processed: 1</span></span> <span class="giallo-l"><span>gpg: imported: 1</span></span></code></pre> <p>That's it! Now, GPG should have a reference to the keys, and <code>pass test</code> should prompt you for your pin and read the value of our test secret <code>test</code> correctly.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>❯ gpg --list-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>pub rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span>uid [ unknown] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>sub rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>❯ gpg --list-secret-keys</span></span> <span class="giallo-l"><span>/home/chaospie/.gnupg/pubring.kbx</span></span> <span class="giallo-l"><span>---------------------------------</span></span> <span class="giallo-l"><span>sec&gt; rsa4096 2022-04-30 [SC] [expires: 2024-04-29]</span></span> <span class="giallo-l"><span> 985DB4AF50F89C5B9ED41803817494BAD88093CB</span></span> <span class="giallo-l"><span> Card serial no. = 0006 12041844</span></span> <span class="giallo-l"><span>uid [ unknown] Stephen OBrien &lt;wayofthepie@protonmail.com&gt;</span></span> <span class="giallo-l"><span>ssb&gt; rsa4096 2022-04-30 [E] [expires: 2024-04-29]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>❯ pass test</span></span> <span class="giallo-l"><span>test</span></span></code></pre><h1 id="phew">Phew...</h1> <p>This is the third time I have had to go re-learn how GPG works. It's a bit of a nightmare usability-wise. Hopefully, this serves as a good reference for future me at the very least!</p> Sun, 28 Feb 2021 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/linux/linux-procs-and-threads/ https://blog.wayofthepie.dev/linux/linux-procs-and-threads/ <p>I want to explore how threads and processes work on Linux, under the hood, as in-depth as I can. It's been a while since I dove into the kernel. In this series of posts, I'll be writing some potentially insane C code to dive into this.</p> Thu, 11 Feb 2021 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/rc-refcell-trees/ https://blog.wayofthepie.dev/rc-refcell-trees/ <p>This post came from a Leetcode problem in February's daily challenges which I solved. It contains a few things that were issues for me when initially learning Rust, namely, how to properly use <a rel="nofollow noreferrer external" href="https://doc.rust-lang.org/std/rc/struct.Rc.html">Rc</a> and <a rel="nofollow noreferrer external" href="https://doc.rust-lang.org/std/cell/struct.RefCell.html">RefCell</a>. Now that I understand them a lot more, I thought I'd write about them.</p> Mon, 22 Jun 2020 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli-part3/ https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli-part3/ <p>From this post on I will leave a note at the end of some sections linking to the latest code up to that point. It will look like this:</p> <div class="alert alert-info"> <span><i class="icon fas fa-link"></i></span> <span class="alert-text"> <p> <a href="https://github.com/wayofthepie/cert-decoder/tree/a9d761e1ba306587a332e97e9fd4e654f1049ab9">wayofthepie/cert-decoder@a9d761e</a> </p> </span> </div> <p>That link points to the latest code from the last post.</p> Sun, 14 Jun 2020 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/morning-silence/ https://blog.wayofthepie.dev/morning-silence/ <p>I woke up this morning and booted my desktop. No sound! Some digging around and I noticed <code>dmesg</code> spitting out an error. I don't have that message saved but here are the details from the kernel logs.</p> Sun, 07 Jun 2020 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli-part2/ https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli-part2/ <p>Before we continue implementing our CLI, let's take time to set up some <a rel="nofollow noreferrer external" href="https://help.github.com/en/actions">GitHub Actions</a> to build and test our commits. We'll use the actions defined in the <a rel="nofollow noreferrer external" href="https://github.com/actions-rs">actions-rs GitHub Organization</a>.</p> Tue, 02 Jun 2020 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli/ https://blog.wayofthepie.dev/rust-cert-cli/rust-cert-cli/ <p>In this series of posts, we'll start to build a simple cli in <a rel="nofollow noreferrer external" href="https://www.rust-lang.org/">Rust</a> for decoding X.509 certificates. I'll try to keep it as beginner-friendly as possible, by explaining things as best I can when they may be unclear. Some basic Rust knowledge should hopefully be all you need. Feel free to ask any questions in the comments below!</p> Fri, 22 May 2020 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/structure-of-an-ssl-certificate/ https://blog.wayofthepie.dev/structure-of-an-ssl-certificate/ <p>I've been working on some tooling for pulling certificate information out of the <a rel="nofollow noreferrer external" href="https://www.certificate-transparency.org/">certificate transparency logs</a> on and off for a while. I started looking at this again after a few weeks away from it and I've forgotten quite a lot! I've even forgotten some of the basics of what makes a certificate. In this post I want to dive into the structure of a certificate, what it is made of at a high level. I won't talk much about how certificates are used in protocols (e.g. Transport Layer Security (TLS)).</p> <p>This post started as a reference for myself but other folks may find it interesting or useful. It has a lot of external references to RFC's which are stored in footnotes.</p> Sun, 18 Feb 2018 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/containerizing-the-jvm-basic-mem-overview/ https://blog.wayofthepie.dev/containerizing-the-jvm-basic-mem-overview/ <p>For the past few years where I work has been running JVM applications on <a rel="nofollow noreferrer external" href="https://www.cloudfoundry.org/">Cloud Foundry</a>. We have come across many issues in relation to memory when running JVM's within memory bounded containers.</p> Sat, 15 Jul 2017 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/terraform-gcp/ https://blog.wayofthepie.dev/terraform-gcp/ <p>I've been hacking about with automated infrastructure setup a lot lately. The two tools I've focused on the most are NixOps and Terraform. This post is about the use of terraform on <a rel="nofollow noreferrer external" href="https://cloud.google.com/docs/">Google Cloud Platform</a> (GCP) to create and manage a Kubernetes Container Cluster.</p> Thu, 30 Mar 2017 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/building-an-assembler-in-haskell-part2/ https://blog.wayofthepie.dev/building-an-assembler-in-haskell-part2/ <p>In the <a href="https://blog.wayofthepie.dev/building-an-assembler-in-haskell/">previous post</a> we wrote a grammar for a simple assembly language, wrote the outline of our parser, derived some properties from the grammar for a simple parser <code>byte</code> and implemented <code>byte</code>. We also saw that there are a few deficiencies in our grammar. In this post we'll implement <code>bytes</code>, <code>menmonic</code>, <code>label</code> and <code>labelAssign</code>. For each parser I'll start with some <em>QuickCheck</em> properties then use those as the spec to implement the parser. Let's get to it!</p> Fri, 03 Mar 2017 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/building-an-assembler-in-haskell/ https://blog.wayofthepie.dev/building-an-assembler-in-haskell/ <p>Recently I started building an emulator for the MosTech 6502 Cpu, this post is about the initial stages of building an assembler for a simple assembly language that compiles to runnable 6502 machine code. I've created a repo and updated it as I wrote this post, so at the end of most sections that introduce new code I'll link to a commit which has the code up to that point.</p> Sun, 22 Jan 2017 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/js-and-haskell-stuff/ https://blog.wayofthepie.dev/js-and-haskell-stuff/ <h1 id="vulgr-ui-react">Vulgr UI - React</h1> <p>Vulgr is a project I've been working on, on and off, for a while. The goal is to build a dependency analysis platform - analyze your <code>gradle</code>/<code>node</code>/<code>whatever</code> dependencies to see whether they contain known vulnerabilities or bugs, reading from whatever data sources (CVE database, github issues, etc...) that make sense.</p> <p>This week, I did some work on how this information could be displayed to users on a web interface, e.g.:</p> <img src="/images/vulgr-ui-jan3-weekly.png" class="img-responsive" /> <p>This is built with <a rel="nofollow noreferrer external" href="https://facebook.github.io/react/">react</a> and <a rel="nofollow noreferrer external" href="http://www.material-ui.com/#/">material-ui</a>. The code for the card is located at <a rel="nofollow noreferrer external" href="https://github.com/wayofthepie/vulgr-ui-experimental/blob/material/src/components/analysis/summary/AnalysisSummaryCard.js">AnalysisSummaryCard.js</a>. Following is the code for the status icon's in the card, nice, flexible re-usable component!</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>&#39;use strict&#39;;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>import React, {PropTypes} from &#39;react&#39;;</span></span> <span class="giallo-l"><span>import ReactTooltip from &#39;react-tooltip&#39;;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>let statusIcon = (iconType, attributes, style) =&gt; {</span></span> <span class="giallo-l"><span> return (</span></span> <span class="giallo-l"><span> &lt;i className=&#39;material-icons md-36&#39; {...attributes}</span></span> <span class="giallo-l"><span> style={style}&gt;</span></span> <span class="giallo-l"><span> {iconType}</span></span> <span class="giallo-l"><span> &lt;/i&gt;</span></span> <span class="giallo-l"><span> );</span></span> <span class="giallo-l"><span>};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>let tooltippableStatusIcon = (iconType, tooltipInfo, style) =&gt; {</span></span> <span class="giallo-l"><span> let tooltip = function () {</span></span> <span class="giallo-l"><span> if (tooltipInfo) {</span></span> <span class="giallo-l"><span> return (</span></span> <span class="giallo-l"><span> &lt;ReactTooltip place=&#39;top&#39;</span></span> <span class="giallo-l"><span> id={tooltipInfo.id}</span></span> <span class="giallo-l"><span> type={tooltipInfo.type}</span></span> <span class="giallo-l"><span> effect=&#39;solid&#39;&gt;</span></span> <span class="giallo-l"><span> &lt;span &gt;&lt;strong&gt;{tooltipInfo.message}&lt;/strong&gt;&lt;/span&gt;</span></span> <span class="giallo-l"><span> &lt;/ReactTooltip&gt;</span></span> <span class="giallo-l"><span> );</span></span> <span class="giallo-l"><span> } else {</span></span> <span class="giallo-l"><span> return null;</span></span> <span class="giallo-l"><span> }</span></span> <span class="giallo-l"><span> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> let tooltippedAttributes = () =&gt; {</span></span> <span class="giallo-l"><span> return tooltipInfo ? {&#39;data-tip&#39;: &#39;&#39;, &#39;data-for&#39;: tooltipInfo.id} : [];</span></span> <span class="giallo-l"><span> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> return (</span></span> <span class="giallo-l"><span> &lt;div&gt;</span></span> <span class="giallo-l"><span> { tooltip() }</span></span> <span class="giallo-l"><span> { statusIcon(iconType, tooltippedAttributes(), style) }</span></span> <span class="giallo-l"><span> &lt;/div&gt;</span></span> <span class="giallo-l"><span> );</span></span> <span class="giallo-l"><span>};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>export const StatusIcon = ({iconType, tooltipInfo, style}) =&gt; {</span></span> <span class="giallo-l"><span> return tooltippableStatusIcon(iconType, tooltipInfo, style);</span></span> <span class="giallo-l"><span>};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>StatusIcon.propTypes = {</span></span> <span class="giallo-l"><span> iconType: PropTypes.string.isRequired,</span></span> <span class="giallo-l"><span> tooltipInfo: PropTypes.shape({</span></span> <span class="giallo-l"><span> id: PropTypes.string.isRequired,</span></span> <span class="giallo-l"><span> type: PropTypes.string.isRequired,</span></span> <span class="giallo-l"><span> message: PropTypes.string.isRequired</span></span> <span class="giallo-l"><span> }),</span></span> <span class="giallo-l"><span> style: PropTypes.object</span></span> <span class="giallo-l"><span>};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>export default StatusIcon;</span></span></code></pre> <p>Here is an example of its use to render the error icon, first a function to wrap up the JSX:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="javascript"><span class="giallo-l"><span style="color: #F97583;">let</span><span style="color: #B392F0;"> createStatusIcon</span><span style="color: #F97583;"> =</span><span> (</span><span style="color: #FFAB70;">iconType</span><span>,</span><span style="color: #FFAB70;"> tooltipInfo</span><span>,</span><span style="color: #FFAB70;"> style</span><span>)</span><span style="color: #F97583;"> =&gt;</span><span> {</span></span> <span class="giallo-l"><span style="color: #F97583;"> return</span><span> (</span></span> <span class="giallo-l"><span> &lt;</span><span style="color: #79B8FF;">StatusIcon</span></span> <span class="giallo-l"><span style="color: #B392F0;"> iconType</span><span style="color: #F97583;">=</span><span>{iconType}</span></span> <span class="giallo-l"><span style="color: #B392F0;"> tooltipInfo</span><span style="color: #F97583;">=</span><span>{tooltipInfo}</span></span> <span class="giallo-l"><span style="color: #B392F0;"> style</span><span style="color: #F97583;">=</span><span>{style} /&gt;</span></span> <span class="giallo-l"><span> );</span></span> <span class="giallo-l"><span>};</span></span></code></pre> <p>Concrete usage:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="javascript"><span class="giallo-l"><span style="color: #F97583;">let</span><span style="color: #B392F0;"> errorIcon</span><span style="color: #F97583;"> =</span><span> ()</span><span style="color: #F97583;"> =&gt;</span><span> {</span></span> <span class="giallo-l"><span style="color: #F97583;"> let</span><span> icon</span><span style="color: #F97583;"> =</span><span style="color: #9ECBFF;"> &#39;error&#39;</span><span>;</span></span> <span class="giallo-l"><span style="color: #F97583;"> let</span><span> marginLeft</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> 10</span><span>;</span></span> <span class="giallo-l"><span style="color: #F97583;"> let</span><span> tooltipInfo</span><span style="color: #F97583;"> =</span><span style="color: #B392F0;"> buildTooltipInfo</span><span>(</span><span style="color: #9ECBFF;">&#39;analysis-card-error-tooltip&#39;</span><span>,</span><span style="color: #9ECBFF;"> &#39;error&#39;</span><span>,</span><span style="color: #9ECBFF;"> &#39;Error!&#39;</span><span>, {marginLeft});</span></span> <span class="giallo-l"><span style="color: #F97583;"> let</span><span> style</span><span style="color: #F97583;"> =</span><span> {color:</span><span style="color: #9ECBFF;"> &#39;red&#39;</span><span>, float:</span><span style="color: #9ECBFF;"> &#39;left&#39;</span><span>, marginLeft};</span></span> <span class="giallo-l"><span style="color: #F97583;"> return</span><span style="color: #B392F0;"> createStatusIcon</span><span>(icon, tooltipInfo, style);</span></span> <span class="giallo-l"><span>};</span></span></code></pre> <p>Pretty flexible! The color and style can easily be changed so the icon can fit in without much hassle in components with complex styles, or can be greyed out, etc...</p> <p>I use Angular and bootstrap at work, so far <em>react</em> and <em>material</em> have been a dream in comparison.</p> <h1 id="haskell-criu-rpc-client">Haskell Criu RPC Client</h1> <p>I've been toying about with <a rel="nofollow noreferrer external" href="https://criu.org/">criu</a> for the last few weeks. I decided to write some bindings to it in haskell.</p> <p>Criu's RPC API <sup class="footnote-reference"><a href="#1">1</a></sup> uses <a rel="nofollow noreferrer external" href="https://github.com/google/protobuf">protobuf</a>. I used the <a rel="nofollow noreferrer external" href="https://github.com/google/proto-lens">proto-lens</a> library to generate lenses and data types. This gives a pretty nice foundation to build upon - the project for generation is on github, <a rel="nofollow noreferrer external" href="https://github.com/wayofthepie/haskell-criu-rpc-types">haskell-criu-rpc-types</a> <sup class="footnote-reference"><a href="#2">2</a></sup>.</p> <p>With that foundation, I threw together a quick client:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="haskell"><span class="giallo-l"><span>{-#</span><span style="color: #F97583;"> LANGUAGE OverloadedStrings</span><span> #-}</span></span> <span class="giallo-l"><span>{-#</span><span style="color: #F97583;"> LANGUAGE ScopedTypeVariables</span><span> #-}</span></span> <span class="giallo-l"><span style="color: #F97583;">module</span><span style="color: #B392F0;"> Criu</span><span> (</span></span> <span class="giallo-l"><span style="color: #F97583;"> module Proto</span><span>.</span><span style="color: #F97583;">Criu</span><span>.</span><span style="color: #F97583;">Rpc</span></span> <span class="giallo-l"><span> ,</span><span style="color: #F97583;"> module Lens</span><span>.</span><span style="color: #F97583;">Family2</span></span> <span class="giallo-l"><span> ,</span><span style="color: #B392F0;"> callCriu</span></span> <span class="giallo-l"><span> ,</span><span style="color: #B392F0;"> callCriu&#39;</span></span> <span class="giallo-l"><span> )</span><span style="color: #F97583;"> where</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Control.Exception.Base</span><span> (</span><span style="color: #F97583;">IOException</span><span>,</span><span style="color: #B392F0;"> bracket</span><span>,</span><span style="color: #B392F0;"> try</span><span>)</span></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Lens.Family2</span><span> ((</span><span style="color: #B392F0;">.~</span><span>))</span></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Data.ProtoLens</span><span> (</span><span style="color: #B392F0;">decodeMessage</span><span>,</span><span style="color: #B392F0;"> encodeMessage</span><span>)</span></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Proto.Criu.Rpc</span></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Network.Socket</span><span> (</span><span style="color: #F97583;">Family</span><span>(</span><span style="color: #F97583;">AF_UNIX</span><span>),</span><span style="color: #F97583;"> SocketType</span><span>(</span><span style="color: #F97583;">SeqPacket</span><span>),</span><span style="color: #F97583;"> SockAddr</span><span>(</span><span style="color: #F97583;">SockAddrUnix</span><span>),</span><span style="color: #B392F0;"> close</span><span>,</span><span style="color: #B392F0;"> connect</span><span>,</span><span style="color: #B392F0;"> socket</span><span>)</span></span> <span class="giallo-l"><span style="color: #F97583;">import</span><span style="color: #B392F0;"> Network.Socket.ByteString</span><span> (</span><span style="color: #B392F0;">recv</span><span>,</span><span style="color: #B392F0;"> send</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #6A737D;">-- | Send request to criu socket. Can throw exceptions.</span></span> <span class="giallo-l"><span style="color: #B392F0;">callCriu</span><span style="color: #F97583;"> :: FilePath -&gt; Criu_req -&gt; IO</span><span> (</span><span style="color: #F97583;">Either String Criu_resp</span><span>)</span></span> <span class="giallo-l"><span>callCriu fp req </span><span style="color: #F97583;">= do</span></span> <span class="giallo-l"><span> resp </span><span style="color: #F97583;">&lt;-</span><span> withSocket </span><span style="color: #F97583;">$ \</span><span>sock </span><span style="color: #F97583;">-&gt; do</span></span> <span class="giallo-l"><span> connect sock (</span><span style="color: #79B8FF;">SockAddrUnix</span><span> fp)</span></span> <span class="giallo-l"><span> send sock (encodeMessage req)</span></span> <span class="giallo-l"><span> recv sock </span><span style="color: #79B8FF;">1024</span></span> <span class="giallo-l"><span> pure (decodeMessage resp </span><span style="color: #F97583;">:: Either String Criu_resp</span><span>)</span></span> <span class="giallo-l"><span style="color: #F97583;"> where</span></span> <span class="giallo-l"><span> withSocket f </span><span style="color: #F97583;">=</span><span> bracket</span></span> <span class="giallo-l"><span> (socket </span><span style="color: #79B8FF;">AF_UNIX SeqPacket 0</span><span>)</span></span> <span class="giallo-l"><span> (close)</span></span> <span class="giallo-l"><span> (</span><span style="color: #F97583;">\</span><span>sock </span><span style="color: #F97583;">-&gt;</span><span> f sock)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #6A737D;">-- | Send a request to criu, but wrap up IOExceptions in Either.</span></span> <span class="giallo-l"><span style="color: #B392F0;">callCriu&#39;</span><span style="color: #F97583;"> :: FilePath -&gt; Criu_req -&gt; IO</span><span> (</span><span style="color: #F97583;">Either String Criu_resp</span><span>)</span></span> <span class="giallo-l"><span>callCriu&#39; fp req </span><span style="color: #F97583;">= do</span></span> <span class="giallo-l"><span> eitherResp </span><span style="color: #F97583;">&lt;-</span><span> try (callCriu fp req)</span></span> <span class="giallo-l"><span style="color: #F97583;"> case</span><span> eitherResp </span><span style="color: #F97583;">of</span></span> <span class="giallo-l"><span style="color: #79B8FF;"> Right</span><span> resp </span><span style="color: #F97583;">-&gt;</span><span> pure resp</span></span> <span class="giallo-l"><span style="color: #79B8FF;"> Left</span><span> (e </span><span style="color: #F97583;">:: IOException</span><span>)</span><span style="color: #F97583;"> -&gt;</span><span> pure </span><span style="color: #F97583;">.</span><span style="color: #79B8FF;"> Left</span><span style="color: #F97583;"> .</span><span> show </span><span style="color: #F97583;">$</span><span> e</span></span></code></pre> <p>Both <code>callCriu</code> and <code>callCriu'</code> expect the path to the <code>criu</code> socket and a <code>Criu_req</code> type.</p> <p>To build the actual <code>Criu_req</code> expected by the calls is is pretty straightforward. In <code>ghci</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="haskell"><span class="giallo-l"><span style="color: #F97583;">&gt;</span><span> build (type&#39; </span><span style="color: #F97583;">.~</span><span style="color: #79B8FF;"> CHECK</span><span>)</span><span style="color: #F97583;"> :: Criu_req</span></span> <span class="giallo-l"><span style="color: #79B8FF;">Criu_req</span><span> {</span></span> <span class="giallo-l"><span> _Criu_req&#39;type&#39;</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> CHECK</span></span> <span class="giallo-l"><span> , _Criu_req&#39;opts</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_req&#39;notifySuccess</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_req&#39;keepOpen</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_req&#39;features</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> }</span></span></code></pre> <p><code>build (type' .~ CHECK) :: Criu_req</code> builds a request for a <code>criu</code> check. So, an actual call looks as follows:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="haskell"><span class="giallo-l"><span style="color: #F97583;">&gt;</span><span> callCriu&#39; </span><span style="color: #9ECBFF;">&quot;criu_service.socket&quot;</span><span> (build (type&#39; </span><span style="color: #F97583;">.~</span><span style="color: #79B8FF;"> CHECK</span><span>)</span><span style="color: #F97583;"> :: Criu_req</span><span>)</span></span> <span class="giallo-l"><span style="color: #79B8FF;">Right</span><span> (</span></span> <span class="giallo-l"><span style="color: #79B8FF;"> Criu_resp</span><span> {</span></span> <span class="giallo-l"><span> _Criu_resp&#39;type&#39;</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> CHECK</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;success</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> True</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;dump</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;restore</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;notify</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;ps</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;crErrno</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;features</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> , _Criu_resp&#39;crErrmsg</span><span style="color: #F97583;"> =</span><span style="color: #79B8FF;"> Nothing</span></span> <span class="giallo-l"><span> }</span></span> <span class="giallo-l"><span> )</span></span></code></pre> <p>From the service logs:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="plain"><span class="giallo-l"><span>$ criu service</span></span> <span class="giallo-l"><span>Warn (cr-service.c:1023): Binding to local dir address!</span></span> <span class="giallo-l"><span>Warn (cr-check.c:827): Skipping cgroup namespaces check</span></span> <span class="giallo-l"><span>Looks good.</span></span></code></pre> <p>Success! Lots to improve, but a good start. I'll do a more in-depth post on this once it matures.</p> <div class="footnote-definition" id="1"><sup class="footnote-definition-label">1</sup> <p>See <a rel="nofollow noreferrer external" href="https://criu.org/RPC">https://criu.org/RPC</a> for more information.</p> </div> <div class="footnote-definition" id="2"><sup class="footnote-definition-label">2</sup> <p>It's also on hackage, <a rel="nofollow noreferrer external" href="https://hackage.haskell.org/package/criu-rpc-types-0.0.0.1">https://hackage.haskell.org/package/criu-rpc-types-0.0.0.1</a>, however I'm not sure what the standard is for libraries that generate their code.</p> </div> Sun, 10 Jul 2016 00:00:00 +0000 Unknown https://blog.wayofthepie.dev/installing-nixos/ https://blog.wayofthepie.dev/installing-nixos/ <h1 id="introduction">Introduction</h1> <p>I've recently started diving into <em><a rel="nofollow noreferrer external" href="https://nixos.org/nix/">Nix</a></em> and <em><a rel="nofollow noreferrer external" href="https://nixos.org/">NixOS</a></em>. <strong>Nix</strong> is a package manager for Linux/Unix systems, a quick description from its own site:</p> <blockquote> <p>Nix's purely functional approach ensures that installing or upgrading one package cannot break other packages. This is because it won't overwrite dependencies with newer versions that might cause breakage elsewhere. It allows you to roll back to previous versions, and ensures that no package is in an inconsistent state during an upgrade.</p> </blockquote> <p><strong>NixOs</strong> is an operating system which takes a declarative approach to configuration and package management and uses Nix as its package manager. Following is an example of creating a user on a NixOS system:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="haskell"><span class="giallo-l"><span style="color: #F97583;">...</span></span> <span class="giallo-l"><span>users</span><span style="color: #F97583;">.</span><span>extraUsers</span><span style="color: #F97583;">.</span><span>alice </span><span style="color: #F97583;">=</span></span> <span class="giallo-l"><span> { isNormalUser</span><span style="color: #F97583;"> =</span><span> true;</span></span> <span class="giallo-l"><span> home </span><span style="color: #F97583;">=</span><span style="color: #9ECBFF;"> &quot;/home/alice&quot;</span><span>;</span></span> <span class="giallo-l"><span> extraGroups </span><span style="color: #F97583;">=</span><span> [</span><span style="color: #9ECBFF;"> &quot;wheel&quot;</span><span> ];</span></span> <span class="giallo-l"><span> };</span></span> <span class="giallo-l"><span>security</span><span style="color: #F97583;">.</span><span>sudo</span><span style="color: #F97583;">.</span><span>enable </span><span style="color: #F97583;">=</span><span> true;</span></span> <span class="giallo-l"><span style="color: #F97583;">...</span></span></code></pre> <p>An example of a fully configured NixOS system can be found at <a rel="nofollow noreferrer external" href="https://github.com/wayofthepie/sky">https://github.com/wayofthepie/sky</a>, this is the configuration I'm currently using for my desktop.</p> <p>In this post I'm going to run through how I installed NixOs, with the aim of helping anyone new to NixOs through the installation process. Throughout the post I will be assuming the following:</p> <ul> <li>The NixOS install CD or USB installer - see <a rel="nofollow noreferrer external" href="https://nixos.org/nixos/manual/index.html#sec-installation">https://nixos.org/nixos/manual/index.html#sec-installation</a>.</li> <li>An empty disk.</li> <li>Boot with UEFI.</li> </ul> <p>These are not requirements, but will make the post easier to follow.</p> <h1 id="partition">Partition</h1> <p>Let's start! First boot into NixOs, whether from USB or the CD installer, and find the disk you wish to install onto. I will use <strong>/dev/sda</strong> in this post, you can replace this with whatever disk you are going to use.</p> <p>The system will boot with UEFI so <strong>gdisk</strong> should be used to create the partitions. This will create a GPT (GUID Partition Table) formatted disk.</p> <p>With <strong>gdisk</strong> create the following partitions:</p> <table><thead><tr><th>Partition</th><th>Size</th><th>Type</th><th>Code</th><th>Filesystem</th></tr></thead><tbody> <tr><td>/dev/sda1</td><td>2 MiB</td><td><em>Bios Boot Partition</em></td><td>ef02</td><td>None</td></tr> <tr><td>/dev/sda2</td><td>1024 MiB</td><td><em>EFI</em></td><td>ef00</td><td>vfat</td></tr> <tr><td>/dev/sda3</td><td>119 GiB</td><td><em>Linux LVM</em></td><td>8e00</td><td>xfs</td></tr> </tbody></table> <p>If you have never used <strong>gdisk</strong> before, fear not! Just run <code>gdisk /dev/sda</code> and answer the questions as outlined in the next section. If you know what you are doing, you can skip the next section.</p> <h2 id="creating-partitions-with-gdisk">Creating Partitions With gdisk</h2> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> gdisk /dev/sda</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">GPT</span><span style="color: #9ECBFF;"> fdisk</span><span> (gdisk) version 1.0.1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> table scan:</span></span> <span class="giallo-l"><span style="color: #B392F0;"> MBR:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"><span style="color: #B392F0;"> BSD:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"><span style="color: #B392F0;"> APM:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"><span style="color: #B392F0;"> GPT:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Creating</span><span style="color: #9ECBFF;"> new GPT entries.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Command</span><span> (?</span><span style="color: #9ECBFF;"> for help</span><span>): n</span></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> number</span><span> (1-128,</span><span style="color: #9ECBFF;"> default</span><span style="color: #79B8FF;"> 1</span><span>): 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">First</span><span style="color: #9ECBFF;"> sector</span><span> (34-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 2048</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Last</span><span style="color: #9ECBFF;"> sector</span><span> (2048-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 251658206</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span><span style="color: #9ECBFF;"> +2M</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> type is &#39;Linux filesystem&#39;</span></span> <span class="giallo-l"><span style="color: #B392F0;">Hex</span><span style="color: #9ECBFF;"> code or GUID</span><span> (L</span><span style="color: #9ECBFF;"> to show codes, Enter =</span><span style="color: #79B8FF;"> 8300</span><span>): ef02</span></span> <span class="giallo-l"><span style="color: #B392F0;">Changed</span><span style="color: #9ECBFF;"> type of partition to &#39;BIOS boot partition&#39;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Command</span><span> (?</span><span style="color: #9ECBFF;"> for help</span><span>): n</span></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> number</span><span> (2-128,</span><span style="color: #9ECBFF;"> default</span><span style="color: #79B8FF;"> 2</span><span>):</span></span> <span class="giallo-l"><span style="color: #B392F0;">First</span><span style="color: #9ECBFF;"> sector</span><span> (34-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 6144</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Last</span><span style="color: #9ECBFF;"> sector</span><span> (6144-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 251658206</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span><span style="color: #9ECBFF;"> +1G</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> type is &#39;Linux filesystem&#39;</span></span> <span class="giallo-l"><span style="color: #B392F0;">Hex</span><span style="color: #9ECBFF;"> code or GUID</span><span> (L</span><span style="color: #9ECBFF;"> to show codes, Enter =</span><span style="color: #79B8FF;"> 8300</span><span>): ef00</span></span> <span class="giallo-l"><span style="color: #B392F0;">Changed</span><span style="color: #9ECBFF;"> type of partition to &#39;EFI System&#39;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Command</span><span> (?</span><span style="color: #9ECBFF;"> for help</span><span>): n</span></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> number</span><span> (3-128,</span><span style="color: #9ECBFF;"> default</span><span style="color: #79B8FF;"> 3</span><span>):</span></span> <span class="giallo-l"><span style="color: #B392F0;">First</span><span style="color: #9ECBFF;"> sector</span><span> (34-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 2103296</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Last</span><span style="color: #9ECBFF;"> sector</span><span> (2103296-251658206,</span><span style="color: #9ECBFF;"> default =</span><span style="color: #79B8FF;"> 251658206</span><span>) or {</span><span style="color: #B392F0;">+-}size</span><span style="color: #9ECBFF;">{KMGTP}</span><span style="color: #79B8FF;">:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> type is &#39;Linux filesystem&#39;</span></span> <span class="giallo-l"><span style="color: #B392F0;">Hex</span><span style="color: #9ECBFF;"> code or GUID</span><span> (L</span><span style="color: #9ECBFF;"> to show codes, Enter =</span><span style="color: #79B8FF;"> 8300</span><span>): 8e00</span></span> <span class="giallo-l"><span style="color: #B392F0;">Changed</span><span style="color: #9ECBFF;"> type of partition to &#39;Linux LVM&#39;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Command</span><span> (?</span><span style="color: #9ECBFF;"> for help</span><span>): w</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Final</span><span style="color: #9ECBFF;"> checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING</span></span> <span class="giallo-l"><span style="color: #B392F0;">PARTITIONS!!</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Do</span><span style="color: #9ECBFF;"> you want to proceed?</span><span> (Y/N): y</span></span> <span class="giallo-l"><span style="color: #B392F0;">OK</span><span>;</span><span style="color: #B392F0;"> writing</span><span style="color: #9ECBFF;"> new GUID partition table</span><span> (GPT) to /dev/sda.</span></span> <span class="giallo-l"><span style="color: #B392F0;">The</span><span style="color: #9ECBFF;"> operation has completed successfully.</span></span></code></pre> <p>In the above, we begin creating our first new partition by using the command <strong>n</strong> when asked the question <code>Command (? for help):</code>.</p> <p>The first question we are asked is what number we would like to give, it's our first partition so <strong>1</strong>, this will create a partition called <strong>/dev/sda1</strong> on <strong>/dev/sda</strong>.</p> <p>Next, we are asked what sector to start on and what sector to end on. The starting sector can be left empty - this means start at next unused sector, which in this case is the start of the disk. As for which sector to end on, here we answer <strong>+2M</strong> which will means <em>move 2 Mebibytes <sup class="footnote-reference"><a href="#1">1</a></sup> (<strong>MiB</strong>) forward from the starting sector</em>, giving us a partition size of 2 Mebibytes.</p> <p>Finally, we are asked if we want to change the type of the partition. Our first partition should have the type <strong>ef02</strong>, more on why later.</p> <p>That's the first partition created, it should be clear now how the next two are created.</p> <h2 id="notes-on-the-partitions">Notes On The Partitions</h2> <p>Done? Good, to get a look at the disk layout run <code>gdisk -l /dev/sda</code>, this should print out the following:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> gdisk</span><span style="color: #79B8FF;"> -l</span><span style="color: #9ECBFF;"> /dev/sda</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">GPT</span><span style="color: #9ECBFF;"> fdisk</span><span> (gdisk) version 1.0.1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> table scan:</span></span> <span class="giallo-l"><span style="color: #B392F0;"> MBR:</span><span style="color: #9ECBFF;"> protective</span></span> <span class="giallo-l"><span style="color: #B392F0;"> BSD:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"><span style="color: #B392F0;"> APM:</span><span style="color: #9ECBFF;"> not present</span></span> <span class="giallo-l"><span style="color: #B392F0;"> GPT:</span><span style="color: #9ECBFF;"> present</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Found</span><span style="color: #9ECBFF;"> valid GPT with protective MBR</span><span>;</span><span style="color: #B392F0;"> using</span><span style="color: #9ECBFF;"> GPT.</span></span> <span class="giallo-l"><span style="color: #B392F0;">Disk</span><span style="color: #9ECBFF;"> /dev/sda:</span><span style="color: #79B8FF;"> 251658240</span><span style="color: #9ECBFF;"> sectors,</span><span style="color: #79B8FF;"> 120.0</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Logical</span><span style="color: #9ECBFF;"> sector size:</span><span style="color: #79B8FF;"> 512</span><span style="color: #9ECBFF;"> bytes</span></span> <span class="giallo-l"><span style="color: #B392F0;">Disk</span><span style="color: #9ECBFF;"> identifier</span><span> (GUID): 031652EE-C219-4EFB-84AB-9E310B14357E</span></span> <span class="giallo-l"><span style="color: #B392F0;">Partition</span><span style="color: #9ECBFF;"> table holds up to</span><span style="color: #79B8FF;"> 128</span><span style="color: #9ECBFF;"> entries</span></span> <span class="giallo-l"><span style="color: #B392F0;">First</span><span style="color: #9ECBFF;"> usable sector is 34, last usable sector is</span><span style="color: #79B8FF;"> 251658206</span></span> <span class="giallo-l"><span style="color: #B392F0;">Partitions</span><span style="color: #9ECBFF;"> will be aligned on 2048-sector boundaries</span></span> <span class="giallo-l"><span style="color: #B392F0;">Total</span><span style="color: #9ECBFF;"> free space is</span><span style="color: #79B8FF;"> 2014</span><span style="color: #9ECBFF;"> sectors</span><span> (1007.0</span><span style="color: #9ECBFF;"> KiB</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Number</span><span style="color: #9ECBFF;"> Start</span><span> (sector) End (</span><span style="color: #B392F0;">sector</span><span>) Size Code Name</span></span> <span class="giallo-l"><span style="color: #B392F0;"> 1</span><span style="color: #79B8FF;"> 2048 6143 2.0</span><span style="color: #9ECBFF;"> MiB EF02 BIOS boot partition</span></span> <span class="giallo-l"><span style="color: #B392F0;"> 2</span><span style="color: #79B8FF;"> 6144 2103295 1024.0</span><span style="color: #9ECBFF;"> MiB EF00 EFI System</span></span> <span class="giallo-l"><span style="color: #B392F0;"> 3</span><span style="color: #79B8FF;"> 2103296 251658206 119.0</span><span style="color: #9ECBFF;"> GiB 8E00 Linux LVM</span></span></code></pre><h3 id="grub-compatibility-dev-sda1">Grub Compatibility: /dev/sda1</h3> <p>This is used by <strong>grub</strong> <sup class="footnote-reference"><a href="#2">2</a></sup> at boot-time when booting off a GPT disk.</p> <h3 id="efi-partition-dev-sda2">EFI Partition: /dev/sda2</h3> <p>UEFI will load files stored in this partition when booting.</p> <h3 id="main-data-partition-dev-sda3">Main Data Partition: /dev/sda3</h3> <p>This is used for creating the logical volumes <strong>swap</strong> (4GB), <strong>/</strong> (20GB), <strong>/home</strong> (20GB) and <strong>/opt</strong> (20GB) in this post, it's size should reflect the sum of the sizes of all logical volumes you wish to create. Note that any free space left of the disk can be used later, and those logical volumes can be increased (or decreased) in size.</p> <h1 id="linux-unified-key-setup-luks">Linux Unified Key Setup (LUKS)</h1> <p>Now that the partitions are setup, it's time to encrypt the main partition, <strong>/dev/sda3</strong>. This is optional and there are a few ways to do it, this post uses <a rel="nofollow noreferrer external" href="https://guardianproject.info/code/luks/">LUKS</a>.</p> <p>The <em><a rel="nofollow noreferrer external" href="https://gitlab.com/cryptsetup/cryptsetup">cryptsetup</a></em> tool is used to create <strong>LUKS</strong> volumes. To search nix packages the command <code>nix-env -qaP packageName</code> <sup class="footnote-reference"><a href="#3">3</a></sup> can be used:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> nix-env</span><span style="color: #79B8FF;"> -qaP</span><span style="color: #9ECBFF;"> cryptsetup</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">nixos.cryptsetup</span><span style="color: #9ECBFF;"> cryptsetup-1.7.0</span></span></code></pre> <p>Now that we know <strong>cryptsetup</strong> is in the package list, we can install it with <code>nix-env</code>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> nix-env</span><span style="color: #79B8FF;"> -i</span><span style="color: #9ECBFF;"> cryptsetup</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">installing</span><span style="color: #9ECBFF;"> &#39;cryptsetup-1.7.0&#39;</span></span> <span class="giallo-l"><span style="color: #B392F0;">building</span><span style="color: #9ECBFF;"> path</span><span>(</span><span style="color: #B392F0;">s</span><span>)</span><span style="color: #9ECBFF;"> &#39;/nix/store/86mqcs95fb3gkkb74481fbf90zh5w98l-user-environment&#39;</span></span> <span class="giallo-l"><span style="color: #B392F0;">created</span><span style="color: #79B8FF;"> 44</span><span style="color: #9ECBFF;"> symlinks in user environment</span></span></code></pre><h2 id="encrypting-dev-sda3">Encrypting /dev/sda3</h2> <p>I won't go into detail about <strong>LUKS</strong> or <strong>cryptsetup</strong> here, we will also just use the defaults for both. Simply run the following <strong>cryptsetup</strong> command and enter a passphrase:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> cryptsetup</span><span style="color: #79B8FF;"> -y -v</span><span style="color: #9ECBFF;"> luksFormat /dev/sda3</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">WARNING!</span></span> <span class="giallo-l"><span style="color: #9ECBFF;">========</span></span> <span class="giallo-l"><span style="color: #B392F0;">This</span><span style="color: #9ECBFF;"> will overwrite data on /dev/sda3 irrevocably.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Are</span><span style="color: #9ECBFF;"> you sure?</span><span> (Type</span><span style="color: #9ECBFF;"> uppercase yes</span><span>): YES</span></span> <span class="giallo-l"><span style="color: #B392F0;">Enter</span><span style="color: #9ECBFF;"> passphrase:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Verify</span><span style="color: #9ECBFF;"> passphrase:</span></span> <span class="giallo-l"><span style="color: #B392F0;">Command</span><span style="color: #9ECBFF;"> successful.</span></span> <span class="giallo-l"></span></code></pre> <p><strong>/dev/sda3</strong> is now encrypted! <sup class="footnote-reference"><a href="#4">4</a></sup> The options passed to <em>cryptsetup</em> have the following meaning:</p> <ul> <li><strong>-y</strong> : prompt for passphrase twice.</li> <li><strong>-v</strong> : verbose mode.</li> <li><strong>luksFormat</strong> : initializes a LUKS partition and sets the initial passphrase (for key-slot 0) <sup class="footnote-reference"><a href="#5">5</a></sup>.</li> </ul> <p>Great, we now have an encrypted disk, but how is it used? Let's jump back to <strong>cryptsetup</strong>, it has a command <code>cryptsetup luksOpen LUKS_DEVICE NAME</code> which, when it verifies the passphrase (in our case), will open the <strong>LUKS</strong> device and create a mapping to it (on the path <strong>/dev/mapper/NAME</strong>)from the given name.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> cryptsetup luksOpen /dev/sda3 enc-data</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Enter</span><span style="color: #9ECBFF;"> passphrase for /dev/sda3:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> ls</span><span style="color: #79B8FF;"> -la</span><span style="color: #9ECBFF;"> /dev/mapper/</span></span> <span class="giallo-l"><span style="color: #B392F0;">total</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">drwxr-xr-x</span><span style="color: #79B8FF;"> 2</span><span style="color: #9ECBFF;"> root root</span><span style="color: #79B8FF;"> 80</span><span style="color: #9ECBFF;"> Jul</span><span style="color: #79B8FF;"> 9</span><span style="color: #9ECBFF;"> 18:43 .</span></span> <span class="giallo-l"><span style="color: #B392F0;">drwxr-xr-x</span><span style="color: #79B8FF;"> 18</span><span style="color: #9ECBFF;"> root root</span><span style="color: #79B8FF;"> 3320</span><span style="color: #9ECBFF;"> Jul</span><span style="color: #79B8FF;"> 9</span><span style="color: #9ECBFF;"> 18:43 ..</span></span> <span class="giallo-l"><span style="color: #B392F0;">lrwxrwxrwx</span><span style="color: #79B8FF;"> 1</span><span style="color: #9ECBFF;"> root root</span><span style="color: #79B8FF;"> 7</span><span style="color: #9ECBFF;"> Jul</span><span style="color: #79B8FF;"> 9</span><span style="color: #9ECBFF;"> 18:43 enc-data</span><span> -</span><span style="color: #F97583;">&gt;</span><span style="color: #9ECBFF;"> ../dm-0</span></span> <span class="giallo-l"></span></code></pre> <p>Sweet! We now have an encrypted partition and know how to access it. All we have left to do is setup logical volumes on the partition.</p> <h1 id="lvm-setup">LVM Setup</h1> <p>Make sure our data partition - <strong>/dev/sda3</strong> - is open and mapped to the path <strong>/dev/mapper/enc-data</strong> with <strong>luksOpen</strong>, as mentioned above.</p> <p>There are three steps to setting up <em>logical volumes</em>, creating a <em>physical volume</em> (PV), a <em>volume group</em> (VG) and a <em>logical volume</em> (LV). If you are unfamiliar with Logical Volume Management (LVM) the <a rel="nofollow noreferrer external" href="https://wiki.archlinux.org/index.php/LVM">Arch Linux Wiki entry</a> is a good resource.</p> <p>As a quick description, a physical disk can be divided into one or more physical volumes, a volume group is made up of one or mode physical volumes and logical volumes are created within volume groups.</p> <h2 id="physical-volume">Physical Volume</h2> <p><code>pvcreate</code> is the command used to create physical volumes. Let's use this to create a physical volume on <strong>/dev/mapper/enc-data</strong>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> pvcreate /dev/mapper/enc-data</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Physical</span><span style="color: #9ECBFF;"> volume &quot;/dev/mapper/enc-data&quot; successfully created</span></span></code></pre> <p><code>pvdisplay</code> is used to display information on physical volumes on the system.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> pvdisplay</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">&quot;/dev/mapper/enc-data&quot;</span><span style="color: #9ECBFF;"> is a new physical volume of &quot;119.00 GiB&quot;</span></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> NEW Physical volume</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">PV</span><span style="color: #9ECBFF;"> Name /dev/mapper/enc-data</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name</span></span> <span class="giallo-l"><span style="color: #B392F0;">PV</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 119.00</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocatable</span><span style="color: #9ECBFF;"> NO</span></span> <span class="giallo-l"><span style="color: #B392F0;">PE</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Total</span><span style="color: #9ECBFF;"> PE</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Free</span><span style="color: #9ECBFF;"> PE</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocated</span><span style="color: #9ECBFF;"> PE</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">PV</span><span style="color: #9ECBFF;"> UUID H3bhmD-KR9n-XaHb-03L6-TpN2-pYB5-DtUG7x</span></span></code></pre><h2 id="volume-group">Volume Group</h2> <p><code>vgcreate</code> is used to create a volume group. Lets create a volume group called <strong>vg</strong>.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> vgcreate vg /dev/mapper/enc-data</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">Volume</span><span style="color: #9ECBFF;"> group &quot;vg&quot; successfully created</span></span> <span class="giallo-l"></span></code></pre> <p><code>vgdisplay</code> displays info on the systems volume groups.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> vgdisplay</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> Volume group</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">System</span><span style="color: #9ECBFF;"> ID</span></span> <span class="giallo-l"><span style="color: #B392F0;">Format</span><span style="color: #9ECBFF;"> lvm2</span></span> <span class="giallo-l"><span style="color: #B392F0;">Metadata</span><span style="color: #9ECBFF;"> Areas</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Metadata</span><span style="color: #9ECBFF;"> Sequence No</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Access read/write</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Status resizable</span></span> <span class="giallo-l"><span style="color: #B392F0;">MAX</span><span style="color: #9ECBFF;"> LV</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Cur</span><span style="color: #9ECBFF;"> LV</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Open</span><span style="color: #9ECBFF;"> LV</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Max</span><span style="color: #9ECBFF;"> PV</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Cur</span><span style="color: #9ECBFF;"> PV</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Act</span><span style="color: #9ECBFF;"> PV</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 118.99</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">PE</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 4.00</span><span style="color: #9ECBFF;"> MiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Total</span><span style="color: #9ECBFF;"> PE</span><span style="color: #79B8FF;"> 30462</span></span> <span class="giallo-l"><span style="color: #B392F0;">Alloc</span><span style="color: #9ECBFF;"> PE / Size</span><span style="color: #79B8FF;"> 0</span><span style="color: #9ECBFF;"> /</span><span style="color: #79B8FF;"> 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">Free</span><span style="color: #9ECBFF;"> PE / Size</span><span style="color: #79B8FF;"> 30462</span><span style="color: #9ECBFF;"> /</span><span style="color: #79B8FF;"> 118.99</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> UUID O9EIaS-kX9Y-EXjo-I3zU-mPXY-9SVB-br2fEy</span></span></code></pre><h2 id="logical-volume">Logical Volume</h2> <p><code>lvcreate</code> is used to create a logical volume. In this case, we want to create four logical volumes from our volume group <strong>vg</strong>.</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">lvcreate</span><span style="color: #79B8FF;"> -n</span><span style="color: #9ECBFF;"> swap</span><span style="color: #79B8FF;"> --size</span><span style="color: #9ECBFF;"> 8G vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">lvcreate</span><span style="color: #79B8FF;"> -n</span><span style="color: #9ECBFF;"> root</span><span style="color: #79B8FF;"> --size</span><span style="color: #9ECBFF;"> 20G vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">lvcreate</span><span style="color: #79B8FF;"> -n</span><span style="color: #9ECBFF;"> home</span><span style="color: #79B8FF;"> --size</span><span style="color: #9ECBFF;"> 20G vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">lvcreate</span><span style="color: #79B8FF;"> -n</span><span style="color: #9ECBFF;"> opt</span><span style="color: #79B8FF;"> --size</span><span style="color: #9ECBFF;"> 20G vg</span></span></code></pre> <p>Running the above four lvcreate commands will give us our logical volumes <strong>swap</strong>, <strong>root</strong>, <strong>home</strong> and <strong>opt</strong>. Use <code>lvdisplay</code> to get more info on them:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> lvdisplay</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> Logical volume</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Path /dev/vg/swap</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Name swap</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> UUID F5DbgU-ymix-24Bh-JMTy-q2kL-ayvN-UpNUFB</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Write Access read/write</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Creation host, time nixos, 2016-07-09 19:11:46 +0000</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Status available</span></span> <span class="giallo-l"><span style="color: #6A737D;"># open 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 8.00</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> LE</span><span style="color: #79B8FF;"> 2048</span></span> <span class="giallo-l"><span style="color: #B392F0;">Segments</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocation</span><span style="color: #9ECBFF;"> inherit</span></span> <span class="giallo-l"><span style="color: #B392F0;">Read</span><span style="color: #9ECBFF;"> ahead sectors auto</span></span> <span class="giallo-l"><span style="color: #B392F0;">-</span><span style="color: #9ECBFF;"> currently set to</span><span style="color: #79B8FF;"> 256</span></span> <span class="giallo-l"><span style="color: #B392F0;">Block</span><span style="color: #9ECBFF;"> device 254:1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> Logical volume</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Path /dev/vg/root</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Name root</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> UUID FNLEbI-z05h-J7br-OMst-Ui0t-yq3r-BMNVjA</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Write Access read/write</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Creation host, time nixos, 2016-07-09 19:11:46 +0000</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Status available</span></span> <span class="giallo-l"><span style="color: #6A737D;"># open 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 20.00</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> LE</span><span style="color: #79B8FF;"> 5120</span></span> <span class="giallo-l"><span style="color: #B392F0;">Segments</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocation</span><span style="color: #9ECBFF;"> inherit</span></span> <span class="giallo-l"><span style="color: #B392F0;">Read</span><span style="color: #9ECBFF;"> ahead sectors auto</span></span> <span class="giallo-l"><span style="color: #B392F0;">-</span><span style="color: #9ECBFF;"> currently set to</span><span style="color: #79B8FF;"> 256</span></span> <span class="giallo-l"><span style="color: #B392F0;">Block</span><span style="color: #9ECBFF;"> device 254:2</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> Logical volume</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Path /dev/vg/home</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Name home</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> UUID zBLqKD-S6n7-BcTh-1oAF-TLvV-26Oc-dQ3wQR</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Write Access read/write</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Creation host, time nixos, 2016-07-09 19:11:46 +0000</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Status available</span></span> <span class="giallo-l"><span style="color: #6A737D;"># open 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 20.00</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> LE</span><span style="color: #79B8FF;"> 5120</span></span> <span class="giallo-l"><span style="color: #B392F0;">Segments</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocation</span><span style="color: #9ECBFF;"> inherit</span></span> <span class="giallo-l"><span style="color: #B392F0;">Read</span><span style="color: #9ECBFF;"> ahead sectors auto</span></span> <span class="giallo-l"><span style="color: #B392F0;">-</span><span style="color: #9ECBFF;"> currently set to</span><span style="color: #79B8FF;"> 256</span></span> <span class="giallo-l"><span style="color: #B392F0;">Block</span><span style="color: #9ECBFF;"> device 254:3</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">---</span><span style="color: #9ECBFF;"> Logical volume</span><span style="color: #79B8FF;"> ---</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Path /dev/vg/opt</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Name opt</span></span> <span class="giallo-l"><span style="color: #B392F0;">VG</span><span style="color: #9ECBFF;"> Name vg</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> UUID hr3GRw-d0P4-hDIw-HRIo-hqKK-Lql9-gD58a7</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Write Access read/write</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Creation host, time nixos, 2016-07-09 19:11:47 +0000</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Status available</span></span> <span class="giallo-l"><span style="color: #6A737D;"># open 0</span></span> <span class="giallo-l"><span style="color: #B392F0;">LV</span><span style="color: #9ECBFF;"> Size</span><span style="color: #79B8FF;"> 20.00</span><span style="color: #9ECBFF;"> GiB</span></span> <span class="giallo-l"><span style="color: #B392F0;">Current</span><span style="color: #9ECBFF;"> LE</span><span style="color: #79B8FF;"> 5120</span></span> <span class="giallo-l"><span style="color: #B392F0;">Segments</span><span style="color: #79B8FF;"> 1</span></span> <span class="giallo-l"><span style="color: #B392F0;">Allocation</span><span style="color: #9ECBFF;"> inherit</span></span> <span class="giallo-l"><span style="color: #B392F0;">Read</span><span style="color: #9ECBFF;"> ahead sectors auto</span></span> <span class="giallo-l"><span style="color: #B392F0;">-</span><span style="color: #9ECBFF;"> currently set to</span><span style="color: #79B8FF;"> 256</span></span> <span class="giallo-l"><span style="color: #B392F0;">Block</span><span style="color: #9ECBFF;"> device 254:4</span></span></code></pre> <p>Ok! That's our disk setup ~90% complete.</p> <p>#Final Disk Setup All we have left to do now is format the boot partition and our logical volumes and we ca start preparing NixOs for install. The formatting can be done with a short script:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">mkfs.vfat</span><span style="color: #79B8FF;"> -n</span><span style="color: #9ECBFF;"> BOOT /dev/sda2</span></span> <span class="giallo-l"><span style="color: #B392F0;">mkswap</span><span style="color: #79B8FF;"> -L</span><span style="color: #9ECBFF;"> swap /dev/vg/swap</span></span> <span class="giallo-l"><span style="color: #F97583;">for</span><span> lv</span><span style="color: #F97583;"> in</span><span style="color: #9ECBFF;"> root home opt</span><span>;</span><span style="color: #F97583;"> do</span></span> <span class="giallo-l"><span style="color: #B392F0;"> mkfs.xfs</span><span style="color: #79B8FF;"> -L</span><span> $lv</span><span style="color: #9ECBFF;"> /dev/vg/</span><span>$lv</span></span> <span class="giallo-l"><span style="color: #F97583;">done</span></span></code></pre> <p>This formats <strong>/dev/sda2</strong> with vfat and labels it <strong>BOOT</strong>, sets up a swap area on our LV <strong>/dev/vg/swap</strong> and finally formats our LV's <strong>/dev/vg/root</strong>, <strong>/dev/vg/home</strong> and <strong>/dev/vg/opt</strong> with <strong>xfs</strong>.</p> <p>Awesome! Disk setup is now 100% complete!</p> <h1 id="install-nixos">Install NixOS</h1> <p>Now that our disk is ready we can prepare to install NixOs, this is pretty short, and sweet.</p> <p>First, we need to create the directories <strong>/mnt/boot</strong>, <strong>/mnt/home</strong> and <strong>/mnt/opt</strong>. Then, we need to mount our LV's - that we created in the previous section - and our boot partition:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">mkdir</span><span style="color: #9ECBFF;"> /mnt/{boot,home,opt}</span></span> <span class="giallo-l"><span style="color: #B392F0;">mount</span><span style="color: #9ECBFF;"> /dev/vg/root /mnt</span></span> <span class="giallo-l"><span style="color: #B392F0;">mount</span><span style="color: #9ECBFF;"> /dev/vg/home /mnt/home</span></span> <span class="giallo-l"><span style="color: #B392F0;">mount</span><span style="color: #9ECBFF;"> /dev/vg/opt /mnt/opt</span></span> <span class="giallo-l"><span style="color: #B392F0;">mount</span><span style="color: #9ECBFF;"> /dev/sda2 /mnt/boot</span></span></code></pre> <p>Before we install NixOs, we have to run <code>nixos-generate-config --root /mnt/</code> <sup class="footnote-reference"><a href="#6">6</a></sup>:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">$</span><span style="color: #9ECBFF;"> nixos-generate-config</span><span style="color: #79B8FF;"> --root</span><span style="color: #9ECBFF;"> /mnt/</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #B392F0;">writing</span><span style="color: #9ECBFF;"> /mnt/etc/nixos/hardware-configuration.nix...</span></span> <span class="giallo-l"><span style="color: #B392F0;">writing</span><span style="color: #9ECBFF;"> /mnt/etc/nixos/configuration.nix...</span></span> <span class="giallo-l"></span></code></pre> <ul> <li><strong>/mnt/etc/nixos/hardware-configuration.nix</strong> contains NixOs configuration options based on current hardware config.</li> <li><strong>/mnt/etc/nixos/configuration.nix</strong> is the main NixOs system configuration module.</li> </ul> <p>We need to add some extra information to <strong>/mnt/etc/nixos/configuration.nix</strong> to tell NixOs what our boot device is, and the fact that it is also a LUKS device:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="haskell"><span class="giallo-l"><span>boot</span><span style="color: #F97583;">.</span><span>loader</span><span style="color: #F97583;">.</span><span>grub</span><span style="color: #F97583;">.</span><span>device </span><span style="color: #F97583;">=</span><span style="color: #9ECBFF;"> &quot;/dev/sda&quot;</span><span>;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>boot</span><span style="color: #F97583;">.</span><span>initrd</span><span style="color: #F97583;">.</span><span>luks</span><span style="color: #F97583;">.</span><span>devices </span><span style="color: #F97583;">=</span><span> [{</span></span> <span class="giallo-l"><span> name</span><span style="color: #F97583;"> =</span><span style="color: #9ECBFF;"> &quot;root&quot;</span><span>;</span></span> <span class="giallo-l"><span> device </span><span style="color: #F97583;">=</span><span style="color: #9ECBFF;"> &quot;/dev/sda3&quot;</span><span>;</span></span> <span class="giallo-l"><span> preLVM </span><span style="color: #F97583;">=</span><span> true;</span></span> <span class="giallo-l"><span>}];</span></span> <span class="giallo-l"></span></code></pre> <p>This can be added anywhere in the file, however there should already be a section for <strong>boot.loader.grub.device</strong> which is commented out. If so, uncomment it and add the config for LUKS (<strong>boot.initrd.luks.devices</strong>) right after it.</p> <p>Now we can install! Just run:</p> <pre class="giallo" style="color: #E1E4E8; background-color: #24292E;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #B392F0;">nixos-install</span></span></code></pre> <p>This can take some time, you should see information on what packages are being downloaded and installed while the installation is running. You will be prompted to enter the <strong>root</strong> password during the installationi, once you do that the installation has completed and you can boot up your new NixOs install! <sup class="footnote-reference"><a href="#7">7</a></sup></p> <h1 id="conclusion">Conclusion</h1> <p>The aim of this post was just to get NixOs installed, using the steps I used on my own system. I plan on doing some more posts on Nix and NixOs once I get some time to dive deeper into them.</p> <div class="footnote-definition" id="1"><sup class="footnote-definition-label">1</sup> <p>1 MiB = 2²⁰ bytes = 1024 kibibytes = 1048576 bytes.</p> </div> <div class="footnote-definition" id="2"><sup class="footnote-definition-label">2</sup> <p>See <a rel="nofollow noreferrer external" href="https://wiki.archlinux.org/index.php/GRUB#GUID_Partition_Table_.28GPT.29_specific_instructions">Arch Linux - Grub GPT</a></p> </div> <div class="footnote-definition" id="3"><sup class="footnote-definition-label">3</sup> <p>Short for <code>nix-env --query --available --attr-path packageName</code>. This searches all available packages for the packageName, and will also print out its attribute path (see <a rel="nofollow noreferrer external" href="https://nixos.org/wiki/Howto_find_a_package_in_NixOS#Install_by_attribute">Install By Attribute Path</a>).</p> </div> <div class="footnote-definition" id="4"><sup class="footnote-definition-label">4</sup> <p>Running <code>cryptsetup -y -v luksFormat /dev/sda3</code> will use the default LUKS settings, which can be found by running <code>cryptsetup --help</code>. In my case (v1.7.0 of <strong>cryptsetup</strong>) they are <em>LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom</em>.</p> </div> <div class="footnote-definition" id="5"><sup class="footnote-definition-label">5</sup> <p>See <a rel="nofollow noreferrer external" href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_management">Arch Linux - Luks KeyMangement</a> for more information.</p> </div> <div class="footnote-definition" id="6"><sup class="footnote-definition-label">6</sup> <p>For more info on <code>nixos-generate-config</code> see Section 10 of the <a rel="nofollow noreferrer external" href="https://nixos.org/nixos/manual/#sec-installation">Nix Install Manual</a>.</p> </div> <div class="footnote-definition" id="7"><sup class="footnote-definition-label">7</sup> <p>When the system boots you will be asked for a password <em>before</em> the login prompt, this is the password you used to create the LUKS volume.</p> </div>