
dotfiles

NixOS installation

  1. Clone this repo and move into it:
git clone https://github.com/TGuimbert/dotfiles.git
cd dotfiles
  2. Run the disko command to format the disk(s):
NEW_HOSTNAME=<hostname>
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./systems/x86_64-linux/$NEW_HOSTNAME/disks.nix
  3. Add a password for the main user with:
sudo -s
mkpasswd -s > /mnt/persistent/tguimbert-password
exit
  4. Disable the Lanzaboote setup and enable systemd-boot in the host configuration:
nano systems/x86_64-linux/$NEW_HOSTNAME/default.nix
  5. Install NixOS:
sudo nixos-install --no-root-password --flake ./#$NEW_HOSTNAME

After the reboot

  1. Check that UEFI and systemd-boot are used and that Secure Boot is disabled:
bootctl status
  2. Enable Secure Boot in the config and rebuild:
sudo nixos-rebuild switch --flake .
  3. Create the Secure Boot keys:
sudo sbctl create-keys
  4. Sign the boot files with the created keys by rebuilding:
sudo nixos-rebuild switch --flake .
  5. Verify that everything is good (only bzImage.efi should not be signed):
sudo sbctl verify
  6. Reboot and enable Secure Boot and its setup mode in the BIOS menu
  7. Enroll the keys in the BIOS:
sudo sbctl enroll-keys --microsoft
  8. Reboot
  9. Check that everything is good:
bootctl status
  10. Don't forget to put a password on the BIOS menu!
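The two post-reboot checks above can be scripted so they fail loudly instead of relying on a visual scan. This is an added example, not code from the dotfiles repository; it works on the text output of bootctl status and sbctl verify, and the samples embedded below are constructed.

```shell
#!/bin/sh
# Added example (not part of the dotfiles repo): sanity-check the post-reboot
# Secure Boot state from the text output of `bootctl status` and
# `sbctl verify`. The samples below are constructed; on a real host pass
# "$(bootctl status)" and "$(sudo sbctl verify)" instead.

# 0 when bootctl reports Secure Boot enabled with enrolled keys (user mode),
# 1 for "disabled" or "enabled (setup)", i.e. the firmware still accepts any key.
secure_boot_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Secure Boot:[[:space:]]+enabled \(user\)'
}

# Prints every unsigned EFI file that is not the kernel image (the README
# allows only bzImage.efi to be unsigned) and returns 1 if there is at least
# one; returns 0 when nothing unexpected is unsigned.
unexpected_unsigned() {
    printf '%s\n' "$1" | awk '
        /is not signed$/ && $2 !~ /bzImage\.efi$/ { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Both checks together: 0 only when Secure Boot is in user mode and every
# file except the kernel image is signed.
post_reboot_ok() {
    secure_boot_enabled "$1" && unexpected_unsigned "$2"
}

# Constructed samples in the format of the two tools.
BOOTCTL_OK='System:
      Firmware: UEFI 2.70 (constructed)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes'
BOOTCTL_SETUP='   Secure Boot: disabled (setup)'
SBCTL_OK='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/EFI/Linux/nixos-generation-12.efi is signed
✗ /boot/EFI/nixos/kernel-6.6.0-bzImage.efi is not signed'
SBCTL_BAD='✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✗ /boot/EFI/Linux/nixos-generation-13.efi is not signed
✗ /boot/EFI/nixos/kernel-6.6.0-bzImage.efi is not signed'
```

Run it as `post_reboot_ok "$(bootctl status)" "$(sudo sbctl verify)" || echo "Secure Boot setup incomplete"` after step 9.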

Use a Yubikey to unlock the LUKS partition

  1. Back up the LUKS header:
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /run/media/tguimbert/<usb-key-name>/luks_backup.bin
  2. Enroll the Yubikey:
sudo systemd-cryptenroll /dev/nvme0n1p2 --fido2-device=auto
  3. Create a recovery key (don't forget to write it down somewhere):
sudo systemd-cryptenroll /dev/nvme0n1p2 --recovery-key
  4. Create a new password if needed (don't forget that the keyboard is in QWERTY during boot):
sudo systemd-cryptenroll /dev/nvme0n1p2 --password
  5. Remove the first key if needed:
sudo systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=0
  6. Test all the keys!
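Before wiping slot 0, it is worth confirming from the LUKS2 header that the FIDO2 token and the recovery token were actually written, and afterwards that slot 0 is really gone. This added example (not part of the dotfiles repository) parses the text output of cryptsetup luksDump; the dump excerpts below are constructed.

```shell
#!/bin/sh
# Added example (not part of the dotfiles repo): check from the text of
# `cryptsetup luksDump /dev/nvme0n1p2` that enrollment ended up as intended:
# slot 0 wiped, a systemd-fido2 token and a systemd-recovery token present.
# The dumps below are constructed LUKS2 excerpts; on a real host pass
# "$(sudo cryptsetup luksDump /dev/nvme0n1p2)" instead.

# Prints the keyslot numbers listed under "Keyslots:", one per line.
luks_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/ { in_section = 1; next }
        /^[A-Za-z]/  { in_section = 0 }
        in_section && /^  [0-9]+: luks2/ { sub(":", "", $1); print $1 }'
}

# Prints the token types listed under "Tokens:" (e.g. systemd-fido2).
luks_tokens() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/  { in_section = 1; next }
        /^[A-Za-z]/ { in_section = 0 }
        in_section && /^  [0-9]+: / { print $2 }'
}

# 0 when slot 0 has been wiped and both tokens exist, 1 otherwise.
luks_enrollment_ok() {
    if luks_keyslots "$1" | grep -qx 0; then return 1; fi
    luks_tokens "$1" | grep -qx systemd-fido2 || return 1
    luks_tokens "$1" | grep -qx systemd-recovery || return 1
    return 0
}

# Constructed samples (per-slot details abbreviated).
LUKS_GOOD='LUKS header information
Version:       	2
Keyslots:
  1: luks2
	Key:        512 bits
  2: luks2
	Key:        512 bits
Tokens:
  0: systemd-fido2
	Keyslot:    1
  1: systemd-recovery
	Keyslot:    2
Digests:
  0: pbkdf2'
LUKS_BAD='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-fido2
	Keyslot:    1
Digests:
  0: pbkdf2'
```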

Other setups

  1. Generate a FIDO-backed SSH key and add it to GitHub:
ssh-keygen -t ed25519-sk -O verify-required
mv ~/.ssh/id_ed25519_sk.pub ~/.ssh/id_ed25519_sk.pub.hidden
cat ~/.ssh/id_ed25519_sk.pub.hidden

Filesystem layout

The main ideas behind the filesystem layout are the following:

  • The /boot is not encrypted
  • The rest of the disk is encrypted with a single LUKS partition
  • BTRFS is used
  • Different subvolumes are used to differentiate the Impermanence lifecycles:
    • root is backed up and wiped at every reboot
    • nix is permanent to hold the Nix store
    • persistent is permanent to hold the stateful files
    • log is permanent to help debug things
    • home is backed up and wiped at every reboot
      • Separating it from root allows different backup lifecycles
    • snapshot is permanent to hold the root and home backups
    • swap is a swapfile
