feat: install nixos on orange pi 5 plus with edk2-rk3588(uefi)

hosts/12kingdoms_suzu/README.md

@@ -0,0 +1,54 @@
+# Suzu - Orange Pi 5
+
+LUKS encrypted SSD for NixOS, on Orange Pi 5.
+
+## How to install NixOS on Orange Pi 5 
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart primary 2M 512MB
+mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
+
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# login via ssh
+ssh rk@<ip-addr>
+
+git clone https://github.com/ryan4yin/nix-config.git
+
+cd ~/nix-config/hosts/12kingdoms_suzu
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
+```
+
+

hosts/12kingdoms_suzu/default.nix

@@ -1,11 +1,12 @@
 {
+  disko,
   nixos-rk3588,
   vars_networking,
   ...
 }:
 #############################################################
 #
-#  Suzu - Orange Pi 5, RK3588s
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
@@ -14,7 +15,10 @@ let
 in {
   imports = [
     # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    nixos-rk3588.nixosModules.orangepi5
+    nixos-rk3588.nixosModules.orangepi5plus.core
+    disko.nixosModules.default
+    ./disko-fs.nix
+    ./hardware-configuration.nix
   ];
 
   networking = {

hosts/12kingdoms_suzu/disko-fs.nix

@@ -0,0 +1,98 @@
+{
+  disko.devices = {
+    # TODO: rename to nvme0n1
+    disk.sda = {
+      type = "disk";
+      # When using disko-install, we will overwrite this value from the commandline
+      device = "/dev/nvme0n1"; # The device to partition
+      content = {
+        type = "gpt";
+        partitions = {
+          # The EFI & Boot partition
+          ESP = {
+            size = "630M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+          # The root partition
+          luks = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "crypted";
+              settings = {
+                keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
+                # The maxium size of the keyfile is 8192 bytes
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+                fallbackToPassword = true;
+                allowDiscards = true;
+              };
+              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
+              initrdUnlock = true;
+
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+              # cryptsetup luksFormat
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                # use true random data from /dev/random, will block until enough entropy is available
+                "--use-random"
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  # TODO: tmpfs on root
+                  "@root" = {
+                    mountpoint = "/";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@home" = {
+                    mountpoint = "/home";
+                    mountOptions = ["compress-force=zstd:1"];
+                  };
+                  "@lib" = {
+                    mountpoint = "/var/lib";
+                    mountOptions = ["compress-force=zstd:1"];
+                  };
+
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@snapshots" = {
+                    mountpoint = "/snapshots";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "8192M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/12kingdoms_suzu/hardware-configuration.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader = {
+    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+    efi.efiSysMountPoint = "/boot/";
+    efi.canTouchEfiVariables = true;
+    # do not use systemd-boot here, it has problems when running `nixos-install`
+    grub = {
+      device = "nodev";
+      efiSupport = true;
+    };
+  };
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
+
+  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}