NixOS on MNT Reform: with encrypted root and boot from eMMC (without SD card)

Prepare image

Enable flakes

mkdir -p ~/.config/nix

echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf

nix-shell -p nixUnstable

Build image

nix build "github:nix-community/hardware-mnt-reform" -L

Save flash.bin; it will be written to the eMMC later

cp /nix/store/*-uboot-reform2-imx8mq-*/flash.bin /tmp/

# or `nix build "github:nix-community/hardware-mnt-reform#ubootReformImx8mq"`

Flash image

bzcat result/sd-image/nixos-sd-image-21.11.20220423.5fb3a17-aarch64-linux.img.bz2 > /dev/sdX

Installation

Boot from SD card

Setup connection

sudo -i

wpa_supplicant -B -i wlp1s0 -c <(wpa_passphrase "${SSID}" "${PASSWORD}")

passwd # for ssh

Copy flash.bin over ssh (from the build machine)

scp /tmp/flash.bin root@192.0.2.100:

Prepare encrypted partitions

parted /dev/nvme0n1 mklabel gpt

parted /dev/nvme0n1 mkpart NIX ext4 0% 100%

cryptsetup luksFormat /dev/nvme0n1p1

cryptsetup open /dev/nvme0n1p1 nix

mkfs.ext4 /dev/mapper/nix

mount /dev/mapper/nix /mnt/

parted /dev/mmcblk0 mklabel gpt

parted /dev/mmcblk0 mkpart BOOT ext4 0% 100%

mkfs.ext4 /dev/mmcblk0p1

mkdir -p /mnt/boot # the freshly created root filesystem has no boot directory yet

mount /dev/mmcblk0p1 /mnt/boot

Flash bootloader to eMMC

echo 0 > /sys/class/block/mmcblk0boot0/force_ro

dd if=flash.bin of=/dev/mmcblk0boot0 bs=1024 seek=33

Install NixOS

nix-shell -p nixUnstable -p vim

mkdir -p ~/.config/nix

echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf

nixos-generate-config --root /mnt

vim /mnt/etc/nixos/flake.nix

vim /mnt/etc/nixos/configuration.nix

nixos-install --verbose --impure --flake /mnt/etc/nixos#reform

Shut down the machine, and flip the DIP switch on the Nitrogen8M_SOM module (under the heatsink).

How to upgrade

nixos-rebuild switch --recreate-lock-file --verbose --impure --flake /etc/nixos#reform

U-Boot

nix build "github:nix-community/hardware-mnt-reform#ubootReformImx8mq"

echo 0 > /sys/class/block/mmcblk0boot0/force_ro

dd if=result/flash.bin of=/dev/mmcblk0boot0 bs=1024 seek=33
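
Added example (not part of the original guide or of hardware-mnt-reform): the boot0 write from "Flash bootloader to eMMC" and "U-Boot" above, followed by a read-back comparison and with force_ro set back to 1 afterwards. The function names are made up for this example; the device paths and the 33 KiB offset are the ones used on this page.

```shell
#!/bin/sh
# Added example: write flash.bin at the 33 KiB offset and read it back.
set -u

OFFSET_KIB=33                          # same as `bs=1024 seek=33` on this page
BOOT0=/dev/mmcblk0boot0                # eMMC boot partition from this page
FORCE_RO=/sys/class/block/mmcblk0boot0/force_ro

# write_image IMAGE TARGET
# conv=notrunc keeps a regular-file TARGET (dry run) from being truncated;
# conv=fsync makes dd wait until the data has been flushed.
write_image() {
    dd if="$1" of="$2" bs=1024 seek="$OFFSET_KIB" conv=notrunc,fsync status=none
}

# verify_image IMAGE TARGET
# Returns 0 only if TARGET holds IMAGE byte for byte at the offset.
verify_image() {
    size=$(wc -c < "$1") || return 2
    blocks=$(( (size + 1023) / 1024 ))
    dd if="$2" bs=1024 skip="$OFFSET_KIB" count="$blocks" status=none |
        head -c "$size" | cmp -s - "$1"
}

# flash_boot0 IMAGE
# Real-device wrapper: unlock boot0, write, lock it again, then verify.
flash_boot0() {
    echo 0 > "$FORCE_RO" || return 1
    write_image "$1" "$BOOT0"; rc=$?
    echo 1 > "$FORCE_RO"               # restore write protection even on failure
    [ "$rc" -eq 0 ] || return "$rc"
    # Drop cached blocks so the comparison reads from the eMMC itself.
    blockdev --flushbufs "$BOOT0" 2>/dev/null || true
    verify_image "$1" "$BOOT0"
}
```

Source the file and run `flash_boot0 flash.bin` as root on the Reform; `write_image` and `verify_image` also work against a regular file for a dry run.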

Notes

  1. There may be an issue with the early console with some kernel versions (e.g. I haven't managed to make it work on Linux v5.17.5 at the time of writing this). Just type the password blindly.
  2. You can choose the NixOS generation during boot over UART.