nixos / calamares-nixos-extensions
NixOS calamares [maintainer=@vlinkz]
Hello!
I tried to install the 22.11 ARM image to my Pinebook Pro but it looks like bootctl is failing to install the bootloader. I have logs which I'll link below and attach as well.
Every manual install I've done has used the default of /boot as the EFI system partition mount point, but the graphical installer requires it to be set to /boot/efi. Would be cool if it didn't do that, for consistency with the module defaults and when one does it the manual way.
Since October 9, 2022 Calamares has added a luksGeneration option in partition.conf to enable LUKS2 support for cryptsetup. The reasons why this is important for user security are outlined in that PR:
A bit of context, LUKS2 is the default encryption operating mode since cryptsetup >= 2.1.0 [...]
It is considered more secured and allows additional extensions.
It also comes with Argon2id as the default Password Based Key Derivation Function (--pbkdf option).
So it's important to provide this as an option for Calamares in order to make Linux installs more secure,
for those who wish to encrypt their system.
Since mid-April 2023, the urgency of making the upgrade to LUKS2 has been highlighted by a report of how LUKS1 encryption can feasibly be broken and how this can only be fixed by using LUKS2 (with the argon2id key derivation function, which is now the cryptsetup default for LUKS2).
Following this news, more people have been attempting to use LUKS2 on Calamares and reporting a number of bugs in issue #2129. However, as of August 6th there is a comment on this issue reporting that recent patches by the Calamares team (presumably referring to PR #2146 from June) have fixed the issues with using LUKS2, as long as the /boot partition is not encrypted.
Considering that the Calamares NixOS installer isn't encrypting /boot anyways, it seems like it should be possible to upgrade to LUKS2. Now that there is practical upstream support for LUKS2 from Calamares, I think there is a responsibility for distributions such as NixOS to upgrade as soon as possible to reduce the number of users that are installing systems with cryptography that is known to be insecure.
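To audit which volumes are affected by the LUKS1/LUKS2 distinction raised above, the on-disk header can be inspected directly. The following is an added example, not code from the issue or from Calamares; it parses the LUKS header layout (magic, version, LUKS2 JSON keyslot area) and runs on constructed sample headers built inline.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR = 4096  # LUKS2 binary header size; the JSON area follows it

def inspect_luks_header(blob: bytes) -> dict:
    """Report LUKS version and per-keyslot KDF from the first header bytes."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", blob[6:8])
    if version == 1:
        # LUKS1 has no KDF choice: every keyslot is PBKDF2 with this hash.
        hash_spec = blob[72:104].split(b"\0", 1)[0].decode("ascii")
        return {"version": 1, "kdfs": {"all": "pbkdf2-" + hash_spec},
                "memory_hard": False}
    if version != 2:
        raise ValueError(f"unknown LUKS version {version}")
    (hdr_size,) = struct.unpack(">Q", blob[8:16])
    meta = json.loads(blob[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0])
    kdfs = {slot: ks["kdf"]["type"] for slot, ks in meta["keyslots"].items()}
    # A LUKS2 volume can still carry PBKDF2 keyslots, so check every slot.
    hard = bool(kdfs) and all(k in ("argon2i", "argon2id") for k in kdfs.values())
    return {"version": 2, "kdfs": kdfs, "memory_hard": hard}

def sample_luks1() -> bytes:
    """Constructed LUKS1 header prefix: magic, version, cipher fields, hash."""
    fields = [b"aes", b"xts-plain64", b"sha256"]
    return (LUKS_MAGIC + struct.pack(">H", 1)
            + b"".join(f.ljust(32, b"\0") for f in fields))

def sample_luks2(kdf_types) -> bytes:
    """Constructed LUKS2 header: binary area plus NUL-padded JSON keyslots."""
    hdr_size = 16384
    slots = {str(i): {"type": "luks2", "kdf": {"type": t}}
             for i, t in enumerate(kdf_types)}
    binary = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(LUKS2_BIN_HDR, b"\0")
    body = json.dumps({"keyslots": slots}).encode()
    return binary + body.ljust(hdr_size - LUKS2_BIN_HDR, b"\0")

if __name__ == "__main__":
    samples = {"luks1": sample_luks1(),
               "luks2 argon2id": sample_luks2(["argon2id"]),
               "luks2 mixed": sample_luks2(["argon2id", "pbkdf2"])}
    for name, blob in samples.items():
        print(name, inspect_luks_header(blob))
```

The mixed case is the one to watch for: a header that reports version 2 is not sufficient on its own, since individual keyslots may still use PBKDF2.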
There are multiple files in LICENSES directory (copied from upstream) and some files have SPDX headers, but other files have no license information.
Upstream seems to use the REUSE standard, which I think is the best way to do it.
They have it defined here: https://github.com/calamares/calamares-extensions/blob/calamares/.reuse/dep5
Hi, I want to customize the GUI NixOS installation CD by adding a bunch of configuration that should be set by default (e.g. enabling sshd, adding ssh keys). It would be cool if it was easier to customize the set-up process to include default configuration.
I would have expected the installer to detect the nvidia GPU and add services.xserver.videoDrivers = [ "nvidia" ]; somewhere in the generated config. I also did check the "allow unfree packages" box.
Right now the repo contains git tags which actually don't belong to the project. r-ryantm is going to update to those which I don't think we want. They should be removed.
Since #21, enabling both disk encryption and swap results in failing to boot. This is because we've removed crypto_keyfile.bin from initrd to resolve GHSA-3rvf-24q2-24ww. Without that keyfile present in initrd, it is unable to decrypt the swap partition, and boot fails.
It's easy enough to fix for UEFI boot: Simply remove this line:
NixOS will ask for your LUKS passphrase in initrd, and it will reuse that passphrase between both the root and swap partitions.
BIOS boot, however, is a different story, due to the use of Grub's cryptodisk. In BIOS boot, Grub cryptodisk is the first to ask for the LUKS passphrase, and it loads the kernel and initrd from the encrypted root partition. Before #21, the initrd contained crypto_keyfile.bin, which allowed the kernel to unlock the root fs and the swap partition without asking for the passphrase a second time. This was secure because the initrd was stored in the encrypted root partition. On UEFI, this was very much not secure, because the initrd was stored on the unencrypted ESP (hence why #21 happened).
To continue using cryptodisk, we would need to revive storing crypto_keyfile.bin in initrd, but only for BIOS boot with initrd on encrypted storage. The calamares documentation seems to suggest that cryptodisk is preferable, but I (and I think many other NixOS developers) think this is a bad suggestion, and it would be better to use an unencrypted /boot partition, much like the ESP in UEFI boot.
Relatedly, due to the implementation of #21, you are now prompted for the LUKS passphrase twice when BIOS booting without swap; once for Grub, and once for initrd.
Finally, I'm sure other bugs of this kind exist when the user chooses manual partitioning with encryption involved. I haven't begun to analyze this yet.
It's down right now and there's at least two people on Matrix unable to continue installing.
This ends up in configuration.nix after using the graphical installer. Not familiar with calamares and not sure where the catenate() should actually go, so just reporting the issue.
When using the Calamares GUI installer it doesn't seem to be possible to create a proper BTRFS installation with subvolumes.
Creating the partitions works fine. But there is no option to configure subvolumes and there are none created automatically.
The system gets installed with BTRFS and subvolumes.
Consider making BTRFS (instead of EXT4) the default installation option when going for "erase disk", since it seems to become a wildly popular option for Linux distros in general.
Should be programs.firefox.enable = true so the wrapper options work as expected. I might look into it and submit a PR later.
Currently when one of the locale, keyboard, or users modules is not used, the customization module will crash as it will fill missing global storage values with None, which will mess up the configuration.nix file.
This can be fixed by breaking up the configuration file into sections which are inserted when certain conditions are met, such as maybe checking if certain values are in global storage to see if the other modules have been run. Doing this can allow for more flexibility.
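A sketch of the section-based approach proposed above, as an added example that is not the module's actual code: a plain dict stands in for Calamares global storage, and the key names, templates and option names are assumptions chosen for illustration. A section is emitted only when every value it needs is present, and values are escaped before being placed in Nix strings.

```python
# Each entry: (global-storage keys the section needs, template).
# Key names and templates are assumptions for this example.
SECTIONS = [
    (("locationRegion", "locationZone"),
     '  time.timeZone = "{locationRegion}/{locationZone}";\n'),
    (("LANG",),
     '  i18n.defaultLocale = "{LANG}";\n'),
    (("keyboardLayout",),
     '  services.xserver.layout = "{keyboardLayout}";\n'),
    (("username", "fullname"),
     '  users.users."{username}" = {{\n'
     '    isNormalUser = true;\n'
     '    description = "{fullname}";\n'
     '  }};\n'),
]

def nix_escape(value) -> str:
    """Escape a value for use inside a double-quoted Nix string."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return text.replace("${", "\\${")

def build_configuration(gs: dict) -> str:
    """Assemble configuration.nix from the sections whose inputs exist."""
    out = ["{ config, pkgs, ... }:\n{\n"]
    for keys, template in SECTIONS:
        # Skip the whole section if any module that feeds it did not run.
        if any(gs.get(k) is None for k in keys):
            continue
        out.append(template.format(**{k: nix_escape(gs[k]) for k in keys}))
    out.append("}\n")
    return "".join(out)

if __name__ == "__main__":
    # Constructed input: only the locale module has run.
    print(build_configuration({"LANG": "en_US.UTF-8"}))
    # Constructed input: users module ran, with a value that needs escaping.
    print(build_configuration({"username": "alice", "fullname": 'Alice "Al" ${x}'}))
```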
I have seen in the locale config that geoip can be used to get the timezone. That seems like a nice feature.
Should we enable it?
Setting the system language to something other than English might not be the best experience since it totally depends on the desktop and programs if they are translated. It's also good to get errors in English to be able to search them. So English is a good default in the welcome screen.
People use Linux for privacy. They might not be happy that we connect to Google and tell them their IP.
Upstream changed the example because of this reason: calamares/calamares@6bf82e9
We could use https://ping.canbeuseful.com/ (hosted by OVH) or also https://geoip.kde.org/v1/calamares (small response, but has to wait for API to generate response).
Microsoft has a similar check and is criticised for collecting IPs: https://www.itechtics.com/ncsi/
Other suggestions for a reliable site that returns a 200 HTTP code and not much else?
Using the global values from the calamares' packages module, it should be pretty easy to implement a choice in desktop environment as well as other options, such as nvidia drivers.