Fabian Hauser 546063c938
Fix typo
2026-01-12 22:35:15 +08:00
.github/workflows Add new flake update method 2025-12-21 17:40:28 +02:00
.zed Add zed task for switchingthe system config 2025-03-07 15:08:08 +02:00
home-configurations Add work module with partially private config 2026-01-12 22:19:57 +08:00
home-modules Fix typo 2026-01-12 22:35:15 +08:00
nixos-configurations Remove wait-online configuration 2025-10-16 13:39:28 +03:00
nixos-modules Various small updates and add new work profile 2026-01-12 19:43:23 +08:00
packages/dotfiles-enroll-tpm Add documentation and script for secure boot 2025-03-07 15:06:46 +02:00
private@c1b45c1267 Add work module with partially private config 2026-01-12 22:19:57 +08:00
.envrc Add initial legacy configuration 2025-02-22 20:40:24 +02:00
.gitignore Add pre-commit fmt hook 2025-03-04 14:40:29 +02:00
.gitmodules Update private submodule url 2025-03-03 21:21:46 +02:00
flake.lock Update home-manager 2026-01-09 13:49:41 +01:00
flake.nix Various small updates and add new work profile 2026-01-12 19:43:23 +08:00
README.md Update README to hint at all installation steps more properly 2025-03-20 23:36:37 +02:00

Fabian's Dotfiles

System Setup

🐈‍⬛ This is how the process should be, not how it has been done... yet 😉

  1. systemctl reboot --firmware-setup: In the UEFI setup, put Secure Boot into Setup Mode (clear the vendor keys) so that our own keys can be enrolled later.
  2. Boot into NixOS Live system
  3. TODOs at this point:
    • sops secrets encryption
    • LUKS disk encryption keys, managed via sops
    • sudo sbctl create-keys, with the keys stored via sops
    • See the qo.is docs for inspiration
    • Configure attic cache substitution in the NixOS installer
  4. nixos-anywhere --copy-host-keys --build-on-remote \
       --generate-hardware-config nixos-facter ./nixos-configurations/$REMOTE_HOSTNAME/facter.json \
       --extra-files ... \
       --chown ... \
       --disk-encryption-keys ... \
       --flake .#$REMOTE_HOSTNAME \
       root@$REMOTE_IP
    
    • TODO:
      • with the secrets from above
      • skip the nixos-anywhere reboot phase (--phases kexec,disko,install): the Secure Boot keys are not enrolled yet
  5. sudo sbctl enroll-keys --microsoft: Enroll our keys in the UEFI
    • Keeps the Microsoft keys; some vendor firmware (signed Option ROMs, e.g. on GPUs) and a Windows dual boot require them, so do not drop them unless you know the hardware does not need them.
  6. sudo sbctl verify: Verify the Secure Boot signatures.
    • The kernel and initrd under /boot/EFI/nixos/ are expected to show up as unsigned; lanzaboote signs the stubs under /boot/EFI/Linux/, which are what the firmware actually loads.
  7. systemctl reboot: Boot into the new, signed system.
  8. bootctl status: Verify that Secure Boot is active; the output must show "Secure Boot: enabled (user)".
    • If it shows "disabled" or "(setup)", enable Secure Boot in the firmware and try again: systemctl reboot --firmware-setup
  9. dotfiles-enroll-tpm: Enroll the LUKS unlock that is bound to the boot PCR measurements.

Secure Boot & TPM Disk Unlock

See lanzaboote documentation for more information on how to enable secure boot.

  • With nixos-rebuild {switch|boot}, new EFI files will be automatically signed.
  • If the firmware or the boot process changes, the TPM will not release the key and you have to enter the LUKS passphrase manually.
    • This should not happen because of a kernel update alone, but it may after a change of boot parameters or a firmware update, depending on which PCRs the enrollment is bound to.
    • After a successful boot, re-enroll the new, trusted boot state with dotfiles-enroll-tpm.
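The script below is an added example, not code from this repository or from the dotfiles-enroll-tpm package. It ties steps 6 to 9 of the setup procedure to the re-enrollment rule above: parse `bootctl status` for the "enabled (user)" state, parse `sbctl verify` and flag any unsigned file that is not the expected kernel/initrd under /boot/EFI/nixos/, and only then bind the LUKS key to the TPM. The LUKS device path, the choice of PCR 7 (the Secure Boot policy measurement) and the sample tool outputs are assumptions constructed for the example; the real enrollment script may bind to other PCRs.

```bash
#!/usr/bin/env bash
# Added example (not part of the dotfiles repo): checks for steps 6-9 and
# the PCR-bound re-enrollment. Device path, PCR choice and the sample tool
# outputs are assumptions, constructed here so the checks run offline.
set -eu

# Assumed LUKS partition; override with LUKS_DEV=... for a real run.
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-partlabel/disk-main-luks}"

# Constructed sample of `bootctl status` (relevant lines only).
SAMPLE_BOOTCTL_OK='System:
      Firmware: UEFI 2.80 (INSYDE Corp. 5.0)
   Secure Boot: enabled (user)
  TPM2 Support: yes'
SAMPLE_BOOTCTL_SETUP='System:
   Secure Boot: disabled (setup)
  TPM2 Support: yes'

# Constructed sample of `sbctl verify` on a lanzaboote system: signed stubs
# under /boot/EFI/Linux/, unsigned kernel+initrd under /boot/EFI/nixos/.
SAMPLE_SBCTL_OK='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-12.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✗ /boot/EFI/nixos/kernel-6.12.efi is not signed
✗ /boot/EFI/nixos/initrd-6.12.efi is not signed'
# Same, plus a stub that was not signed (must be caught before enrolling).
SAMPLE_SBCTL_BAD="$SAMPLE_SBCTL_OK
✗ /boot/EFI/Linux/nixos-generation-13.efi is not signed"

# secure_boot_enabled <bootctl-status-text>: true only for "enabled (user)",
# i.e. Secure Boot on and the firmware out of setup mode (step 8).
secure_boot_enabled() {
  printf '%s\n' "$1" | grep -Eq 'Secure Boot: +enabled \(user\)'
}

# unexpected_unsigned <sbctl-verify-text>: print the unsigned paths that are
# NOT the kernel/initrd under /boot/EFI/nixos/; return 1 if there are any.
unexpected_unsigned() {
  bad=$(printf '%s\n' "$1" \
        | grep -F ' is not signed' \
        | sed -E 's|^[^/]*(/[^ ]+) is not signed$|\1|' \
        | grep -v '^/boot/EFI/nixos/' || true)
  printf '%s' "$bad"
  [ -z "$bad" ]
}

# enroll_tpm: (re)bind the LUKS key to the current Secure Boot policy
# (PCR 7). Wiping the old TPM2 slot first avoids keeping a stale binding.
enroll_tpm() {
  sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
    --tpm2-pcrs=7 "$LUKS_DEV"
}

# Live run (only with the "run" argument): verify first, then enroll.
main() {
  secure_boot_enabled "$(bootctl status)" \
    || { echo "Secure Boot is not 'enabled (user)'; fix the firmware first" >&2; return 1; }
  unexpected_unsigned "$(sudo sbctl verify)" \
    || { echo "unsigned EFI files outside /boot/EFI/nixos/; not enrolling" >&2; return 1; }
  enroll_tpm
}

if [ "${1:-}" = run ]; then main; fi
```

Binding to PCR 7 only means a kernel update does not change the measurement, while a change of the Secure Boot keys or state does, which matches the re-enrollment rule above. TPM2 unlock of the root volume also requires systemd in the initrd on NixOS (boot.initrd.systemd.enable = true), since systemd-cryptsetup performs the unseal.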