Merge pull request #74 from ryan4yin/update-aarch-riscv

feat: UEFI NixOS on aarch64(rk3588)

Justfile

@@ -202,10 +202,18 @@ aarch:
   colmena apply --on '@aarch' --verbose --show-trace
 
 suzu:
-  colmena apply --on '@suzu' --verbose --show-trace
+  colmena apply --on '@suzu' --build-on-target --verbose --show-trace
 
-suzu-debug:
-  colmena apply --on '@suzu' --verbose --show-trace
+suzu-local mode="default":
+  use utils.nu *; \
+  nixos-switch suzu {{mode}}
+
+rakushun:
+  colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
+
+rakushun-local mode="default":
+  use utils.nu *; \
+  nixos-switch rakushun {{mode}}
 
 ############################################################################
 #

hosts/12kingdoms_rakushun/README.md

@@ -0,0 +1,119 @@
+# Rakushun - Orange Pi 5 Plus
+
+LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
+
+## Showcases
+
+![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
+
+Disk layout:
+
+```bash
+[ryan@rakushun:~]$ lsblk
+NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1 58.6G  0 disk
+└─sda1        8:1    1  487M  0 part
+mtdblock0    31:0    0   16M  0 disk
+zram0       254:0    0    0B  0 disk
+nvme0n1     259:0    0  1.8T  0 disk
+├─nvme0n1p1 259:1    0  630M  0 part  /boot
+└─nvme0n1p2 259:2    0  1.8T  0 part
+  └─crypted 253:0    0  1.8T  0 crypt /tmp
+                                      /swap
+                                      /snapshots
+                                      /home
+                                      /nix/store
+                                      /var/lib
+                                      /nix
+                                      /
+```
+
+CPU info:
+
+```bash
+[ryan@rakushun:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 67%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5 Plus
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
+mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5plus-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5plus-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5P_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# transfer the nix-config to the target machine
+rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
+
+# login via ssh
+ssh rk@<ip-addr>
+
+cd ~/nix-config/hosts/12kingdoms_rakushun
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
+```
+
+

hosts/12kingdoms_rakushun/default.nix

@@ -0,0 +1,48 @@
+{
+  disko,
+  nixos-rk3588,
+  vars_networking,
+  ...
+}:
+#############################################################
+#
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
+#
+#############################################################
+let
+  hostName = "rakushun"; # Define your hostname.
+  hostAddress = vars_networking.hostAddress.${hostName};
+in {
+  imports = [
+    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+    nixos-rk3588.nixosModules.orangepi5plus.core
+    disko.nixosModules.default
+    ./disko-fs.nix
+    ./hardware-configuration.nix
+  ];
+
+  networking = {
+    inherit hostName;
+    inherit (vars_networking) defaultGateway nameservers;
+
+    networkmanager.enable = false;
+    # RJ45 port 1
+    interfaces.enP4p65s0 = {
+      useDHCP = false;
+      ipv4.addresses = [hostAddress];
+    };
+    # RJ45 port 2
+    # interfaces.enP3p49s0 = {
+    # useDHCP = false;
+    # ipv4.addresses = [hostAddress];
+    # };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/12kingdoms_rakushun/disko-fs.nix

@@ -0,0 +1,98 @@
+{
+  disko.devices = {
+    # TODO: rename to nvme0n1
+    disk.sda = {
+      type = "disk";
+      # When using disko-install, we will overwrite this value from the commandline
+      device = "/dev/nvme0n1"; # The device to partition
+      content = {
+        type = "gpt";
+        partitions = {
+          # The EFI & Boot partition
+          ESP = {
+            size = "630M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+          # The root partition
+          luks = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "crypted";
+              settings = {
+                keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
+                # The maxium size of the keyfile is 8192 bytes
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+                fallbackToPassword = true;
+                allowDiscards = true;
+              };
+              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
+              initrdUnlock = true;
+
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+              # cryptsetup luksFormat
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                # use true random data from /dev/random, will block until enough entropy is available
+                "--use-random"
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  # TODO: tmpfs on root
+                  "@root" = {
+                    mountpoint = "/";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@home" = {
+                    mountpoint = "/home";
+                    mountOptions = ["compress-force=zstd:1"];
+                  };
+                  "@lib" = {
+                    mountpoint = "/var/lib";
+                    mountOptions = ["compress-force=zstd:1"];
+                  };
+
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@snapshots" = {
+                    mountpoint = "/snapshots";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "16384M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}