authorJoris2024-03-31 20:36:16 +0200
committerJoris2024-03-31 20:36:16 +0200
commit0896cec87b3398b4ed90594aacca3b80cadf92d8 (patch)
treef1142b367e5b838f4dfe8158110534d5c0196e27 /README.md
parent166ab70bd131f470b2f8bb91b53dd15d9ee00d86 (diff)
Update private key import instructions
Diffstat (limited to 'README.md')
-rw-r--r--README.md126
1 files changed, 94 insertions, 32 deletions
diff --git a/README.md b/README.md
index 49e0b93..0df651c 100644
--- a/README.md
+++ b/README.md
@@ -11,21 +11,17 @@
2. Write ISO to a USB stick:
- sudo dd if=nix.iso of=/dev/sdX status=progress
+ ```sh
+ sudo dd if=nix.iso of=/dev/sdX bs=4M status=progress
+ ```
3. Boot from the USB stick on the target machine.
4. Connect as sudo:
+ ```sh
sudo su
-
-5. Switch to bepo:
-
- loadkeys fr-bepo
-
-6. Check if UEFI mode is enabled:
-
- ls /sys/firmware/efi/efivars
+ ```
# SWAP size
@@ -48,57 +44,76 @@ https://itsfoss.com/swap-size/
3. Encrypt your disk and open it:
+ ```sh
cryptsetup luksFormat /dev/<SYSTEM>
cryptsetup luksOpen /dev/<SYSTEM> crypted
+ ```
4. Create swap and root logical volumes:
+ ```sh
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted
lvcreate -L <ram-size>G -n swap vg
lvcreate -l '100%FREE' -n root vg
+ ```
5. Format the partitions:
+ ```sh
mkfs.fat -F 32 -n BOOT /dev/<BOOT>
mkfs.ext4 -L nixos /dev/vg/root
mkswap -L swap /dev/vg/swap
+ ```
6. Mount partitions
+ ```sh
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/<BOOT> /mnt/boot
swapon /dev/vg/swap
+ ```
# Connect to Internet
1. Note your wifi interface:
+ ```sh
ifconfig
+ ```
2. Scan available ESSID with:
+ ```sh
iwlist <INTERFACE> scan | grep ESSID
+ ```
3. Write `wpa_supplicant` configuration:
+ ```sh
wpa_passphrase <ESSID> | sudo tee /etc/wpa_supplicant.conf
+ ```
4. Start `wpa_supplicant`:
+ ```sh
wpa_supplicant -B -i <INTERFACE> -c /etc/wpa_supplicant.conf
+ ```
# Install
1. Generate configuration:
+ ```sh
nixos-generate-config --root /mnt
+ ```
2. Rename disks by labels in `mnt/etc/nixos/hardware-configuration.nix`.
3. Complete `/mnt/etc/nixos/configuration.nix`
+ ```nix
# Hostname
networking.hostName = "joris-laptop";
@@ -112,9 +127,6 @@ https://itsfoss.com/swap-size/
# Network manager
networking.networkmanager.enable = true;
- # Bepo keymap (ease entering a passphrase for decrypting the disk)
- console.keyMap = "fr-bepo";
-
# Enable gpg agent
programs.gnupg.agent = {
enable = true;
@@ -130,27 +142,35 @@ https://itsfoss.com/swap-size/
# Editor
environment.systemPackages = [ pkgs.vim ];
-
+
# Flakes
nix = {
package = pkgs.nixFlakes;
extraOptions = "experimental-features = nix-command flakes";
};
+ ```
4. Install:
+ ```sh
nixos-install
+ ```
5. Set user password:
+ ```sh
passwd joris
+ ```
6. Reboot:
+ ```sh
reboot
+ ```
If the system doesn’t boot, boot from the USB key, and:
+ ```sh
sudo su
cryptsetup luksOpen /dev/<SYSTEM> crypted
lvchange -a y /dev/vg/swap
@@ -158,58 +178,91 @@ If the system doesn’t boot, boot from the USB key, and:
mount /dev/vg/root /mnt
mount /dev/<BOOT> /mnt/boot
swapon /dev/vg/swap
+ ```
# Import GPG key
-1. Extract:
+1. Plug in recuperation key and check label with `lsblk`.
+
+2. Decrypt and mount private backup:
- gpg --decrypt keys.tar.gpg > keys.tar
- tar -xf keys.tar -C .
+ ```sh
+ sudo cryptsetup luksOpen /dev/XXX secrets
+ sudo mkdir encrypted-storage
+ sudo mount /dev/mapper/secrets encrypted-storage
+ ```
-2. Import:
+3. Import:
- gpg --import pubkey.asc
- gpg --allow-secret-key-import --import privkey.asc
+ ```sh
+ gpg --import encrypted-storage/pubkey.asc
+ gpg --allow-secret-key-import --import encrypted-storage/privkey.asc
+ ```
-3. Trust:
+4. Trust:
+ ```sh
gpg --edit-key joris@guyonvarch.me
gpg> trust
+ ```
-4. Write SSH keygrip in `~/gnupg/sshcontrol`:
+5. Write SSH keygrip in `~/.gnupg/sshcontrol`:
+ ```sh
gpg2 -K --with-keygrip # [A] keygrip
+ ```
-5. Verify that SSH key is available:
+6. Verify that SSH key is available:
+ ```sh
ssh-add -L
+ ```
+
+7. Unmount and close the encrypted volume:
+
+ ```bash
+ sudo umount encrypted-storage/
+ sudo cryptsetup luksClose secret
+ ```
+
+8. Unplug the volume.
# Clone the system
1. Connect to Internet:
+ ```sh
nmtui
+ ```
2. Install git:
+ ```sh
nix-env -i git
+ ```
3. Clone the configuration:
+ ```sh
git clone git@guyonvarch.me:/home/git/config /home/joris/code/config
cd code/config
git checkout main
+ ```
4. Extract the system’s `hardware-configuration.nix`, and add it to `./hosts/joris/hardware/`.
5. Move aside the previous configuration:
+ ```sh
cp -r /etc/nixos config-old
sudo rm -rf /etc/nixos
-
+ ```
+
6. Link `/etc/nixos` to the configuration:
+ ```sh
sudo ln -s /home/joris/code/config /etc/nixos
+ ```
7. Disable automatic export of documents if it’s not the principal system.
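Review bot: The close command in the new step 7 of "Import GPG key" uses the mapping name `secret`, but step 2 opens the volume as `secrets` (`sudo cryptsetup luksOpen /dev/XXX secrets`). As written, `luksClose` would fail to find the mapping, and the decrypted device holding `privkey.asc` would presumably stay open until the stick is pulled. The line should read `sudo cryptsetup luksClose secrets`. Step 2 also creates `encrypted-storage` relative to the current directory with `sudo mkdir`, so step 7 could end with `sudo rmdir encrypted-storage` to avoid leaving a root-owned mount point behind.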
@@ -219,51 +272,58 @@ If the system doesn’t boot, boot from the USB key, and:
10. Build:
+ ```sh
nixos-rebuild switch
+ ```
# Setup user environment
1. Create user directories:
+ ```sh
mkdir code documents downloads music pictures videos
+ ```
2. Create `.less` to setup less keybindings from `.lesskey`:
+ ```sh
lesskey
+ ```
3. Setup password store:
+ ```sh
git clone git@guyonvarch.me:/home/git/password-store.git .password-store
+ ```
4. Get documents:
+ ```sh
duplicity restore rsync://guyonvarch.me/~/backups/documents documents
+ ```
# Set up user services
Look at user services:
+ ```sh
systemctl --user list-units
systemctl --user list-timers --all
+ ```
If services do not appear, run:
+ ```sh
systemctl --user daemon-reload
+ ```
# Check hardware acceleration
“OpenGL renderer string” should not be llvm:
+ ```sh
nix-shell -p glxinfo --run "glxinfo | grep OpenGL"
-
-# Export GPG keys
-
-Save to a physical USB key:
-
- gpg --export-secret-keys --armor joris@guyonvarch.me > privkey.asc
- gpg --export --armor joris@guyonvarch.me > pubkey.asc
- tar -cf keys.tar privkey.asc pubkey.asc
- gpg --symmetric keys.tar
+ ```
# Synchronize
@@ -271,6 +331,8 @@ In order to link a device, use `cobang` to get the link from the QR code.
Then run:
+ ```sh
signal-cli addDevice --uri "uri"
+ ```
If you get `NotFoundException`, you may have been too slow in the process.