My personal Nixos and Home-Manager configuration

TGuimbert/dotfiles

dotfiles

NixOS installation

1. Clone this repo and move into it:

   ```sh
   git clone https://github.com/TGuimbert/dotfiles.git
   cd dotfiles
   ```

2. Run the disko command to format the disk(s):

   ```sh
   NEW_HOSTNAME=<hostname>
   sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./systems/x86_64-linux/$NEW_HOSTNAME/disks.nix
   ```

3. Add a password for the main user with:

   ```sh
   sudo -s
   mkpasswd -s > /mnt/persistent/tguimbert-password
   exit
   ```

4. Disable the lanzaboote setup and enable systemd-boot:

   ```sh
   nano systems/x86_64-linux/$NEW_HOSTNAME/default.nix
   ```

5. Install NixOS:

   ```sh
   sudo nixos-install --no-root-password --flake ./#$NEW_HOSTNAME
   ```

After the reboot

1. Check that UEFI and systemd-boot are used and that Secure Boot is disabled:

   ```sh
   bootctl status
   ```

2. Enable Secure Boot in the config and rebuild:

   ```sh
   sudo nixos-rebuild switch --flake .
   ```

3. Create the Secure Boot keys:

   ```sh
   sudo sbctl create-keys
   ```

4. Sign with the created keys by rebuilding:

   ```sh
   sudo nixos-rebuild switch --flake .
   ```

5. Verify that everything is good (only bzImage.efi should not be signed):

   ```sh
   sudo sbctl verify
   ```

6. Reboot, then enable Secure Boot and its setup mode in the BIOS menu.
7. Enroll the keys in the BIOS:

   ```sh
   sudo sbctl enroll-keys --microsoft
   ```

8. Reboot.
9. Check that everything is good:

   ```sh
   bootctl status
   ```

10. Don't forget to set a password on the BIOS menu!
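The two checks in the list above ("Secure Boot is disabled" before enrolling, "only bzImage.efi should not be signed", "everything is good" afterwards) are easy to eyeball once, but worth scripting if the setup is repeated on several hosts. The script below is an added example and not part of the TGuimbert/dotfiles repository. Its functions read tool output from stdin, so they can be fed either the live `bootctl status` / `sudo sbctl verify` commands or the constructed sample outputs embedded in the script, which only imitate the real output format.

```shell
#!/usr/bin/env bash
# Added example, not part of the TGuimbert/dotfiles repository: two checks for
# the "After the reboot" steps. Each function reads tool output from stdin so
# it can be pointed at the live commands (`bootctl status`, `sudo sbctl verify`)
# or at the constructed samples below, which only imitate the tools' format.

# Constructed sample of `bootctl status` before Secure Boot is turned on.
SAMPLE_BOOTCTL_SETUP='System:
      Firmware: UEFI 2.70 (example firmware)
 Firmware Arch: x64
   Secure Boot: disabled (setup)
  TPM2 Support: yes

Current Boot Loader:
      Product: systemd-boot 255'

# Constructed sample of `bootctl status` after the keys are enrolled.
SAMPLE_BOOTCTL_USER='System:
      Firmware: UEFI 2.70 (example firmware)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes

Current Boot Loader:
      Product: systemd-boot 255'

# Constructed sample of `sbctl verify` in the state the README expects:
# everything signed except the raw kernel image (bzImage.efi).
SAMPLE_SBCTL_OK='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-12.efi is signed
✗ /boot/EFI/nixos/example-hash-linux-6.6.0-bzImage.efi is not signed'

# Constructed sample where the boot loader itself is unsigned.
SAMPLE_SBCTL_BAD='Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✓ /boot/EFI/Linux/nixos-generation-12.efi is signed
✗ /boot/EFI/nixos/example-hash-linux-6.6.0-bzImage.efi is not signed'

# Print the Secure Boot state word ("enabled" or "disabled") from `bootctl status`.
secure_boot_state() {
  sed -n 's/^ *Secure Boot: *\([a-z]*\).*/\1/p' | head -n 1
}

# Succeed only when at least one file is signed and every unsigned file is a
# bzImage.efi; any other unsigned file is reported on stderr.
check_sbctl_verify() {
  local line signed=0 unsigned_other=0
  while IFS= read -r line; do
    case "$line" in
      *" is not signed")
        case "$line" in
          *bzImage.efi*) ;;   # expected: the raw kernel is not signed on its own
          *) unsigned_other=$((unsigned_other + 1)); printf 'UNSIGNED: %s\n' "$line" >&2 ;;
        esac ;;
      *" is signed") signed=$((signed + 1)) ;;
    esac
  done
  [ "$signed" -gt 0 ] && [ "$unsigned_other" -eq 0 ]
}

# Live usage (expect "disabled" before enrolling the keys and "enabled" after):
#   bootctl status | secure_boot_state
#   sudo sbctl verify | check_sbctl_verify && echo "sbctl: only bzImage.efi unsigned"
```

Run `secure_boot_state` at step 1 (it should print `disabled`) and again at step 9 (it should print `enabled`); `check_sbctl_verify` fails, and names the file, if anything other than the kernel image is left unsigned at step 5.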

Use a Yubikey to unlock the LUKS partition

1. Back up the LUKS header:

   ```sh
   sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /run/media/tguimbert/<usb-key-name>/luks_backup.bin
   ```

2. Enroll the Yubikey:

   ```sh
   sudo systemd-cryptenroll /dev/nvme0n1p2 --fido2-device=auto
   ```

3. Create a recovery key (don't forget to write it down somewhere):

   ```sh
   sudo systemd-cryptenroll /dev/nvme0n1p2 --recovery-key
   ```

4. Create a new password if needed (don't forget that the keyboard is in QWERTY layout during boot):

   ```sh
   sudo systemd-cryptenroll /dev/nvme0n1p2 --password
   ```

5. Remove the first key if needed:

   ```sh
   sudo systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=0
   ```

6. Test all the keys!
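Step 5 is the irreversible one: wiping slot 0 removes the original passphrase, so the FIDO2 token and the recovery key must already be enrolled in other slots or the disk becomes unopenable. The script below is an added example, not part of the TGuimbert/dotfiles repository. It parses `cryptsetup luksDump` output (LUKS2 format) from stdin and only succeeds when both a `systemd-fido2` and a `systemd-recovery` token exist and neither is bound to keyslot 0. The luksDump samples are constructed and only imitate the real format.

```shell
#!/usr/bin/env bash
# Added example, not part of the TGuimbert/dotfiles repository: a guard to run
# before `systemd-cryptenroll --wipe-slot=0`. It reads `cryptsetup luksDump`
# output from stdin; the samples below are constructed.

# Constructed luksDump output after enrolling the Yubikey and a recovery key.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-4000-8000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
  2: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: systemd-fido2
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed output from before the recovery key existed: FIDO2 token only.
SAMPLE_LUKSDUMP_NO_RECOVERY='Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Print one "TOKEN-TYPE KEYSLOT" line per entry in the Tokens: section.
luks_tokens() {
  awk '
    /^Tokens:/                     { in_tokens = 1; next }
    /^[A-Za-z]/                    { in_tokens = 0 }   # next top-level section ends it
    in_tokens && /^  [0-9]+: /     { type = $2 }
    in_tokens && /^[ \t]+Keyslot:/ { print type, $2 }
  '
}

# Succeed only if a systemd-fido2 and a systemd-recovery token both exist and
# neither of them is bound to keyslot 0 (the slot about to be wiped).
safe_to_wipe_slot0() {
  luks_tokens | awk '
    $1 == "systemd-fido2"    && $2 != "0" { fido++ }
    $1 == "systemd-recovery" && $2 != "0" { recovery++ }
    END {
      if (fido && recovery) exit 0
      printf "refusing: fido2=%d recovery=%d tokens outside slot 0\n", fido, recovery > "/dev/stderr"
      exit 1
    }
  '
}

# Live usage (run as root), with the same device path as the README:
#   cryptsetup luksDump /dev/nvme0n1p2 | safe_to_wipe_slot0 \
#     && systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=0
```

This only checks that the tokens are present in the header; it does not prove the Yubikey or the recovery key actually open the volume, which is why step 6 ("Test all the keys!") still matters before wiping anything.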

Other setups

1. Generate an SSH key and add it to GitHub:

   ```sh
   ssh-keygen -t ed25519-sk -O verify-required
   mv ~/.ssh/id_ed25519_sk.pub ~/.ssh/id_ed25519_sk.pub.hidden
   cat ~/.ssh/id_ed25519_sk.pub.hidden
   ```

Filesystem layout

The main ideas behind the filesystem layout are the following:

  • /boot is not encrypted
  • The rest of the disk is encrypted as a single LUKS partition
  • BTRFS is used
  • Different subvolumes are used to separate the Impermanence lifecycles:
    • root is backed up and wiped at every reboot
    • nix is permanent and holds the Nix store
    • persistent is permanent and holds the stateful files
    • log is permanent to help debug things
    • home is backed up and wiped at every reboot
      • Separating it from root allows different backup lifecycles
    • snapshot is permanent and holds the root and home backups
    • swap is a swapfile
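The wipe-on-reboot behaviour only does what the list above promises if each path really is mounted from the subvolume it is supposed to be on, and the "rest of the disk is encrypted" property only holds if every btrfs mount comes from the LUKS mapper. The script below is an added example, not part of the TGuimbert/dotfiles repository, that checks a running system against that layout. It reads `findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS` from stdin. The mount points assumed for the subvolumes (/nix, /persistent, /var/log, /home), the mapper name `cryptroot`, and the findmnt sample lines are all assumptions made for the example, not taken from the repository.

```shell
#!/usr/bin/env bash
# Added example, not part of the TGuimbert/dotfiles repository: verify that the
# mounted filesystems match the impermanence layout. Reads
# `findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS` from stdin. The mount points,
# the mapper name "cryptroot" and the sample output are assumptions.

# Constructed findmnt output matching the layout.
SAMPLE_FINDMNT_GOOD='/ /dev/mapper/cryptroot[/root] btrfs rw,relatime,compress=zstd:3,subvolid=256,subvol=/root
/boot /dev/nvme0n1p1 vfat rw,relatime,fmask=0077,dmask=0077
/nix /dev/mapper/cryptroot[/nix] btrfs rw,relatime,compress=zstd:3,subvolid=257,subvol=/nix
/persistent /dev/mapper/cryptroot[/persistent] btrfs rw,relatime,compress=zstd:3,subvolid=258,subvol=/persistent
/var/log /dev/mapper/cryptroot[/log] btrfs rw,relatime,compress=zstd:3,subvolid=259,subvol=/log
/home /dev/mapper/cryptroot[/home] btrfs rw,relatime,compress=zstd:3,subvolid=260,subvol=/home'

# Constructed output with two mistakes: /home sits on the persistent subvolume
# (so it would never be wiped) and /nix comes from an unencrypted partition.
SAMPLE_FINDMNT_BAD='/ /dev/mapper/cryptroot[/root] btrfs rw,relatime,subvol=/root
/boot /dev/nvme0n1p1 vfat rw,relatime,fmask=0077,dmask=0077
/nix /dev/nvme0n1p3 btrfs rw,relatime,subvol=/nix
/persistent /dev/mapper/cryptroot[/persistent] btrfs rw,relatime,subvol=/persistent
/var/log /dev/mapper/cryptroot[/log] btrfs rw,relatime,subvol=/log
/home /dev/mapper/cryptroot[/persistent] btrfs rw,relatime,subvol=/persistent'

# Exit 0 when the layout matches, 1 otherwise; every problem found is printed.
check_layout() {
  awk -v expected="/:root /nix:nix /persistent:persistent /var/log:log /home:home" '
    BEGIN {
      n = split(expected, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    {
      target = $1; src = $2; fstype = $3; opts = $4
      if (target == "/boot") {
        # /boot must be plain vfat on a raw partition, never on a dm-crypt mapper
        if (fstype != "vfat" || src ~ /^\/dev\/mapper\//) { print "BAD: /boot on " src " (" fstype ")"; bad++ }
        seen["/boot"] = 1
        next
      }
      if (target in want) {
        sub(/.*subvol=\/?/, "", opts); sub(/,.*/, "", opts)   # isolate the subvolume name
        if (fstype != "btrfs" || src !~ /^\/dev\/mapper\// || opts != want[target]) {
          print "BAD: " target " on " src " (" fstype ", subvol=" opts "), expected subvol " want[target]; bad++
        }
        seen[target] = 1
      }
    }
    END {
      for (t in want) if (!(t in seen)) { print "MISSING: " t; bad++ }
      if (!("/boot" in seen)) { print "MISSING: /boot"; bad++ }
      exit (bad ? 1 : 0)
    }
  '
}

# Live usage:
#   findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS | check_layout && echo "layout OK"
```

The snapshot subvolume and the swapfile are deliberately left out of the expected set, since neither is a mount point the impermanence wipe depends on; add them to the `expected` list if they are mounted on the host being checked.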
