# My NixOS configs
- Get and boot the minimal ISO image from nixos.org/download/
- Connect to the network
- Clone this repo
- Use disko to set up storage

  ```sh
  sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko /path/to/disk-config.nix
  ```
- Add `disk-config.nix` to the flake
- Generate hardware configuration and add to flake

  ```sh
  # Generates config at /mnt/etc/nixos
  # Copy /mnt/etc/nixos/hardware-configuration.nix to the cloned flake, then remove /mnt/etc/nixos
  nixos-generate-config --no-filesystems --root /mnt
  ```
- Generate password file
  - `hashedPasswordFile` should reference this file
  - Replace `user` with the user's name

  ```sh
  mkdir /mnt/persist/secrets
  mkpasswd >> /mnt/persist/secrets/user-passwd
  ```
- Install:

  ```sh
  nixos-install --root /mnt --flake /path/to/this/repo#hostname
  ```
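Before running the install it is worth checking the secrets file the password step created. The script below is an added example, not part of this repo: it checks that the file `hashedPasswordFile` points at holds exactly one crypt-style hash (the format `mkpasswd` prints; appending with `>>` a second time would leave two) and is readable by its owner only. The path `/mnt/persist/secrets/user-passwd` comes from the step above; the function name and the expectation of mode 600 are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of this repo): sanity-check the hashed password
# file before nixos-install. Assumes the file was written by `mkpasswd`
# (one crypt(3)-style "$id$salt$hash" line) and should be owner-only.

# check_hashed_password_file FILE
# Returns 0 when FILE holds exactly one crypt-style hash and is not
# group/world readable; prints the reason and returns 1 otherwise.
check_hashed_password_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    # `mkpasswd >> file` appends, so a second run leaves two hashes; keep one.
    # grep -c '' counts lines even without a trailing newline.
    lines=$(grep -c '' "$file")
    if [ "$lines" -ne 1 ]; then
        echo "expected exactly 1 line in $file, found $lines" >&2
        return 1
    fi
    entry=$(head -n 1 "$file")
    # crypt hashes look like $id$...; catch a plaintext password pasted by mistake
    case "$entry" in
        \$*\$*) ;;
        *) echo "$file does not contain a crypt-style hash" >&2; return 1 ;;
    esac
    # A secret under /persist should not be readable by other users later on
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "$file has mode $mode, expected 600" >&2; return 1 ;;
    esac
    return 0
}

# Usage: sh check-passwd.sh /mnt/persist/secrets/user-passwd
if [ $# -eq 1 ]; then
    check_hashed_password_file "$1"
fi
```

Run it against the file after `mkpasswd` and fix the mode with `chmod 600` if it complains; a non-zero exit means the install would proceed with a password file that is either malformed or exposed.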
- Reboot
- Import GPG key:

  ```sh
  gpg --recv <key-id>
  ```

- Import resident ssh key stubs

  ```sh
  cd ~/.ssh
  ssh-keygen -K
  # Generated key stubs will be postfixed with _rk (resident key)
  # This needs to be removed
  mv id_ed25519_sk_rk id_ed25519_sk
  mv id_ed25519_sk_rk.pub id_ed25519_sk.pub
  ```
- Generate local keys for pam-u2f. See the Arch Wiki
Enroll any extra devices to unlock the disk (security key, TPM)

```sh
# To enroll a security key
sudo systemd-cryptenroll --fido2-device=auto <device-path>

# To enroll TPM
## Use --unlock-{tpm2,fido2}-device=auto when no password is enrolled
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes --unlock-fido2-device=auto <device-path>

# Wipe plain passwords
## List enrolled tokens
sudo systemd-cryptenroll <device-path>
## Unlock with an enrolled token (--unlock-fido2-device=auto or --unlock-tpm2-device=auto)
sudo systemd-cryptenroll --unlock-fido2-device=auto --wipe-slot=<password-slot-id> <device-path>
```
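Before wiping a password slot it is worth confirming that another unlock method is actually enrolled, since wiping the only slot leaves the disk unopenable. The script below is an added example, not part of this repo. It assumes the listing printed by `systemd-cryptenroll <device-path>` is a `SLOT TYPE` header followed by one `<slot> <type>` line per keyslot (the sample listing in the script is constructed in that format), picks the password slot ids out of it, and prints rather than runs the matching wipe command, unlocking with whichever of fido2 or tpm2 is enrolled. The function names and the `/dev/disk/by-partlabel/root` path in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not part of this repo): derive the wipe commands for the
# password slots of a LUKS device from the token listing, and refuse when no
# fido2/tpm2 slot exists so the disk can never be left without an unlocker.
# Assumed listing format (as printed by `systemd-cryptenroll <device>`):
# a "SLOT TYPE" header, then "<slot> <type>" per keyslot.

# password_slots LISTING -> prints the slot ids whose type is "password"
password_slots() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "password" { print $1 }'
}

# unlock_flag LISTING -> prints the --unlock-* option for an enrolled token
# (fido2 preferred, then tpm2); returns 1 when neither is enrolled
unlock_flag() {
    for type in fido2 tpm2; do
        if printf '%s\n' "$1" | awk -v t="$type" 'NR > 1 && $2 == t { found = 1 } END { exit !found }'; then
            echo "--unlock-$type-device=auto"
            return 0
        fi
    done
    return 1
}

# wipe_password_slots DEVICE LISTING
# Prints one systemd-cryptenroll --wipe-slot command per password slot.
# Printing instead of executing keeps this a dry run; pipe into sh to apply.
wipe_password_slots() {
    device=$1
    listing=$2
    flag=$(unlock_flag "$listing") || {
        echo "refusing: no fido2/tpm2 slot enrolled on $device, wiping would lock you out" >&2
        return 1
    }
    for slot in $(password_slots "$listing"); do
        echo "systemd-cryptenroll $flag --wipe-slot=$slot $device"
    done
}

# Constructed sample listing in the assumed format (not real device output)
SAMPLE_LISTING='SLOT TYPE
   0 password
   1 fido2
   2 tpm2'

# Usage with a real device (placeholder path):
#   wipe_password_slots /dev/disk/by-partlabel/root "$(sudo systemd-cryptenroll /dev/disk/by-partlabel/root)"
wipe_password_slots /dev/disk/by-partlabel/root "$SAMPLE_LISTING"
```

On the sample listing this prints a single `--wipe-slot=0` command unlocking via the fido2 token; on a listing with only a password slot it prints nothing and exits 1, which is the outcome you want before `sudo` touches the keyslots.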
Lanzaboote is well documented and easy to set up.
The Syncthing web UI is accessible at 127.0.0.1:8384
Those hosted on GitHub can be found in my nix stars list.