calamares-nixos-extensions's Issues

Configure cryptsetup to use LUKS2

Since October 9, 2022, Calamares has had a luksGeneration option in partition.conf to enable LUKS2 support for cryptsetup. The reasons why this is important for user security are outlined in that PR:

A bit of context, LUKS2 is the default encryption operating mode since cryptsetup >= 2.1.0 [...] 
It is considered more secure and allows additional extensions.
It also comes with Argon2id as the default Password Based Key Derivation Function (--pbkdf option). 
So it's important to provide this as an option for Calamares in order to make Linux installs more secure, 
for those who wish to encrypt their system.

Since mid-April 2023, the urgency of making the upgrade to LUKS2 has been highlighted by a report of how LUKS1 encryption can feasibly be broken and how this can only be fixed by using LUKS2 (with the argon2id key derivation function, which is now the cryptsetup default for LUKS2).

Following this news, more people have been attempting to use LUKS2 on Calamares and reporting a number of bugs in issue #2129. However, as of August 6th there is a comment on this issue reporting that recent patches by the Calamares team (presumably referring to PR #2146 from June) have fixed the issues with using LUKS2, as long as the /boot partition is not encrypted.

Considering that the Calamares NixOS installer isn't encrypting /boot anyway, it seems like it should be possible to upgrade to LUKS2. Now that there is practical upstream support for LUKS2 from Calamares, I think there is a responsibility for distributions such as NixOS to upgrade as soon as possible to reduce the number of users that are installing systems with cryptography that is known to be insecure.
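To audit which installs are affected by the LUKS1/LUKS2 distinction raised in this issue, the header itself can be inspected. The following is an added example, not code from the issue or from Calamares; it goes slightly beyond the issue text by also flagging LUKS2 volumes that still carry a PBKDF2 keyslot. The function names and the sample headers are constructed for illustration.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # primary header magic, shared by LUKS1 and LUKS2
LUKS2_BIN_HDR = 4096          # LUKS2 binary header size; the JSON area follows


def luks_kdf_report(header: bytes) -> dict:
    """Report LUKS version and keyslot KDFs from the first bytes of a container."""
    if len(header) < 16 or header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version == 1:
        # LUKS1 keyslots always use PBKDF2; its hash name sits at offset 72.
        hash_spec = header[72:104].split(b"\0", 1)[0].decode("ascii")
        return {"version": 1, "kdfs": ["pbkdf2"], "hash": hash_spec, "ok": False}
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    (hdr_size,) = struct.unpack_from(">Q", header, 8)  # binary header + JSON area
    raw = header[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0]
    if not raw:
        raise ValueError("LUKS2 JSON area missing; read at least hdr_size bytes")
    slots = json.loads(raw)["keyslots"].values()
    kdfs = sorted({s["kdf"]["type"] for s in slots if "kdf" in s})
    # One PBKDF2 keyslot is enough to weaken the volume, so require Argon2id only.
    return {"version": 2, "kdfs": kdfs, "ok": kdfs == ["argon2id"]}


def sample_luks1() -> bytes:
    """Constructed LUKS1-style header (field layout only, no real key material)."""
    fields = (b"aes", b"xts-plain64", b"sha256")
    body = b"".join(f.ljust(32, b"\0") for f in fields)
    return (LUKS_MAGIC + struct.pack(">H", 1) + body).ljust(592, b"\0")


def sample_luks2(kdf_types, hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2-style header with one keyslot per KDF type given."""
    slots = {str(i): {"type": "luks2", "kdf": {"type": t}}
             for i, t in enumerate(kdf_types)}
    meta = json.dumps({"keyslots": slots}).encode()
    binary = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(LUKS2_BIN_HDR, b"\0")
    return binary + meta.ljust(hdr_size - LUKS2_BIN_HDR, b"\0")


if __name__ == "__main__":
    for hdr in (sample_luks1(), sample_luks2(["argon2id"]),
                sample_luks2(["argon2id", "pbkdf2"])):
        print(luks_kdf_report(hdr))
```

On a real system the input would be the leading bytes of the encrypted partition or of a header backup file, read with sufficient privileges.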

Calamares doesn't create a proper BTRFS installation (no subvolumes)

Describe the bug

When using the Calamares GUI installer it doesn't seem to be possible to create a proper BTRFS installation with subvolumes.
Creating the partitions works fine. But there is no option to configure subvolumes and there are none created automatically.

Steps To Reproduce

  1. Download a 22.05 Live ISO
  2. Use "manual partitioning" in the GUI installer to set up a BTRFS filesystem
  3. Install the system

Expected behavior

The system gets installed with BTRFS and subvolumes.

Additional context

Consider making BTRFS (instead of EXT4) the default installation option when going for "erase disk", since it seems to become a wildly popular option for Linux distros in general.

Wi-Fi connection requires installer restart

When connecting to Wi-Fi in the middle of the installation, the installer says that the system is not connected to the internet. The installer should maybe refresh the internet connection status more often than only at the launch of the installer.

Prevent breaking when modules aren't used

Currently, when one of the locale, keyboard, or users modules is not used, the customization module will crash as it will fill missing global storage values with None, which will mess up the configuration.nix file.

This can be fixed by breaking up the configuration file into sections which are inserted when certain conditions are met, such as maybe checking if certain values are in global storage to see if the other modules have been run. Doing this can allow for more flexibility.
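A sketch of the section-based approach described in this issue, as an added example that is not the project's own code. A plain dict stands in for Calamares global storage; the key names and the Nix options chosen for each section are assumptions for illustration. Values are also escaped before being written, so a stray quote or `${` in user input cannot alter the generated file.

```python
def nix_str(value) -> str:
    """Quote a value as a Nix string literal so it is always treated as data."""
    s = str(value).replace("\\", "\\\\").replace('"', '\\"').replace("${", "\\${")
    return f'"{s}"'


# Each section names the global-storage keys it needs and how to render them.
# Key names and option choices are illustrative assumptions.
SECTIONS = [
    (("hostname",),
     lambda g: f'  networking.hostName = {nix_str(g["hostname"])};\n'),
    (("locationRegion", "locationZone"),
     lambda g: "  time.timeZone = "
               + nix_str(g["locationRegion"] + "/" + g["locationZone"]) + ";\n"),
    (("keyboardLayout",),
     lambda g: f'  services.xserver.xkb.layout = {nix_str(g["keyboardLayout"])};\n'),
    (("username", "fullname"),
     lambda g: f'  users.users.{nix_str(g["username"])} = {{\n'
               f'    isNormalUser = true;\n'
               f'    description = {nix_str(g["fullname"])};\n  }};\n'),
]


def render_configuration(gs: dict):
    """Return (nix_text, skipped_keys); a section is emitted only if complete."""
    body, skipped = [], []
    for required, render in SECTIONS:
        missing = [k for k in required if gs.get(k) is None]
        if missing:
            # The module that sets these keys did not run: omit the whole
            # section instead of writing None into configuration.nix.
            skipped.extend(missing)
            continue
        body.append(render(gs))
    return "{ config, pkgs, ... }:\n{\n" + "".join(body) + "}\n", skipped


if __name__ == "__main__":
    # Constructed input: locale and users modules were not run.
    text, skipped = render_configuration({"hostname": "nixos", "keyboardLayout": "de"})
    print(text)
    print("skipped keys:", skipped)
```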

geoip support

I have seen in the locale config that geoip can be used to get the timezone. That seems like a nice feature.
Should we enable it?

Setting the system language to something other than English might not be the best experience, since it totally depends on the desktop and programs whether they are translated. It's also good to get errors in English to be able to search for them. So English is a good default in the welcome screen.

Make it easy to generate an ISO with default NixOS configuration

Hi, I want to customize the GUI NixOS installation CD by adding a bunch of configuration that should be set by default (e.g. enabling sshd, adding ssh keys). It would be cool if it was easier to customize the set-up process to include default configuration.

don't require special `boot.loader.efi.efiSysMountPoint`

Every manual install I've done has used the default of /boot as the EFI system partition mount point, but the graphical installer requires it to be set to /boot/efi. Would be cool if it didn't do that, for consistency with the module defaults and when one does it the manual way.

Encrypted swap is broken

Since #21, enabling both disk encryption and swap results in failing to boot. This is because we've removed crypto_keyfile.bin from initrd to resolve GHSA-3rvf-24q2-24ww. Without that keyfile present in initrd, it is unable to decrypt the swap partition, and boot fails.

It's easy enough to fix for UEFI boot: Simply remove this line:

boot.initrd.luks.devices."@@swapdev@@".keyFile = "/crypto_keyfile.bin";

NixOS will ask for your LUKS passphrase in initrd, and it will reuse that passphrase between both the root and swap partitions.

BIOS boot, however, is a different story, due to the use of Grub's cryptodisk. In BIOS boot, Grub cryptodisk is the first to ask for the LUKS passphrase, and it loads the kernel and initrd from the encrypted root partition. Before #21, the initrd contained crypto_keyfile.bin, which allowed the kernel to unlock the root fs and the swap partition without asking for the passphrase a second time. This was secure because the initrd was stored in the encrypted root partition. On UEFI, this was very much not secure, because the initrd was stored on the unencrypted ESP (hence why #21 happened).

To continue using cryptodisk, we would need to revive storing crypto_keyfile.bin in initrd, but only for BIOS boot with initrd on encrypted storage. The Calamares documentation seems to suggest that cryptodisk is preferable, but I (and I think many other NixOS developers) think this is a bad suggestion, and it would be better to use an unencrypted /boot partition, much like the ESP in UEFI boot.

Relatedly, due to the implementation of #21, you are now prompted for the LUKS passphrase twice when BIOS booting without swap; once for Grub, and once for initrd.

Finally, I'm sure other bugs of this kind exist when the user chooses manual partitioning with encryption involved. I haven't begun to analyze this yet.
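The rule stated in this issue (keyfile in initrd only for BIOS boot with initrd on encrypted storage) can be expressed as a generator plus a check that catches both failure modes: a keyfile exposed in an unencrypted initrd, and a device that expects a keyfile the initrd no longer contains. This is an added example, not the project's code; the function names, device names and UUID placeholders are constructed, and using `boot.initrd.secrets` as the embedding mechanism is an assumption.

```python
import re

KEYFILE = "/crypto_keyfile.bin"
KEYFILE_RE = re.compile(r'boot\.initrd\.luks\.devices\."([^"]+)"\.keyFile\s*=')
SECRET_RE = re.compile(r'boot\.initrd\.secrets\b[^;]*"' + re.escape(KEYFILE) + '"')


def keyfile_allowed(firmware: str, initrd_encrypted: bool) -> bool:
    """Embed the key only for BIOS boot whose initrd sits on encrypted storage."""
    return firmware == "bios" and initrd_encrypted


def render_luks(devices: dict, firmware: str, initrd_encrypted: bool) -> str:
    """Render initrd LUKS settings for {mapper name: container UUID}."""
    embed = keyfile_allowed(firmware, initrd_encrypted)
    # Assumption: the keyfile reaches initrd through boot.initrd.secrets.
    lines = [f'boot.initrd.secrets = {{ "{KEYFILE}" = null; }};'] if embed else []
    for name, uuid in devices.items():
        prefix = f'boot.initrd.luks.devices."{name}"'
        lines.append(f'{prefix}.device = "/dev/disk/by-uuid/{uuid}";')
        if embed:
            lines.append(f'{prefix}.keyFile = "{KEYFILE}";')
        # Without keyFile, initrd prompts for the passphrase instead.
    return "\n".join(lines) + "\n"


def lint_luks(config: str, firmware: str, initrd_encrypted: bool) -> list:
    """Flag the two failure modes from the issue in a generated configuration."""
    findings = []
    embedded = bool(SECRET_RE.search(config))
    if embedded and not keyfile_allowed(firmware, initrd_encrypted):
        findings.append("key-exposed: keyfile embedded in initrd on unencrypted storage")
    if not embedded:
        for name in KEYFILE_RE.findall(config):
            findings.append(f"unbootable: {name} expects a keyfile that initrd lacks")
    return findings


# Constructed sample of the broken state: swap still references the keyfile.
BROKEN = (
    'boot.initrd.luks.devices."luks-root".device = "/dev/disk/by-uuid/ROOT-UUID";\n'
    'boot.initrd.luks.devices."luks-swap".device = "/dev/disk/by-uuid/SWAP-UUID";\n'
    'boot.initrd.luks.devices."luks-swap".keyFile = "/crypto_keyfile.bin";\n'
)

if __name__ == "__main__":
    print(lint_luks(BROKEN, "efi", False))
    print(render_luks({"luks-root": "ROOT-UUID", "luks-swap": "SWAP-UUID"}, "efi", False))
```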

Delete unrelated 1.x.x tags to fix updater

Right now the repo contains git tags which actually don't belong to the project. r-ryantm is going to update to those, which I don't think we want. They should be removed.

didn't automatically add nvidia driver

I would have expected the installer to detect the nvidia GPU and add services.xserver.videoDrivers = [ "nvidia" ]; somewhere in the generated config. I also did check the "allow unfree packages" box.

internetCheckUrl: http://google.com

People use Linux for privacy. They might not be happy that we connect to Google and tell them their IP.

Upstream changed the example because of this reason: calamares/calamares@6bf82e9

We could use https://ping.canbeuseful.com/ (hosted by OVH) or also https://geoip.kde.org/v1/calamares (small response, but has to wait for API to generate response).

Microsoft has a similar check and is criticised for collecting IPs: https://www.itechtics.com/ncsi/

Other suggestions for a reliable site that returns a 200 HTTP code and not much else?
