2.3 KiB
2.3 KiB
Fabian's Dotfiles
System Setup
🐈⬛ This is how the process should be, not how it has been done... yet 😉
systemctl reboot --firmware-setup: Activate enrollment of new Secure Boot key in the UEFI- Depends on vendor, see lanzaboote docs
- Boot into NixOS Live system
- TODOs at this point:
- sops secrets encryption stuff.
- LUKS HDD encryption with sops stuff
sudo sbctl create-keyswith sops stuff.- See qo.is docs for inspiration
- Configure attic cache substitution in nixos installer
-
nixos-anywhere --copy-host-keys --build-on-remote \ --generate-hardware-config nixos-facter ./nixos-configurations/$REMOTE_HOST/facter.json --extra-files ... \ --chown ... \ --disk-encryption-keys ... \ --flake .#$REMOTE_HOSTNAME root@$REMOTE_IP- TODO:
- with the secrets from above
- don't do nixos-anywhere phase reboot (secure boot keys not enrolled yet)
- TODO:
sudo sbctl enroll-keys --microsoft: Enroll our keys in UEFI- Keeps microsoft keys - some vendor firmware and Windows dual boot require this.
sudo sbctl verify: Verify Secure Boot signatures./boot/EFI/nixos/kernel*.efiis not supposed to be signed.
systemctl reboot: Boot into your new, signed system.bootctl status: Verify that a secure boot worked.- If not, activate secure boot and try again:
systemctl reboot --firmware-setup
- If not, activate secure boot and try again:
dotfiles-enroll-tpm: Enroll the boot PCR measurement based LUKS unlock:
Secure Boot & TPM Disk Unlock
See lanzaboote documentation for more information on how to enable secure boot.
- With
nixos-rebuild {switch|boot}, new EFI files will be automatically signed. - In case your firmware or boot process changes, you need to insert the luks password manually.
- This should not happen just because of kernel updates (but might with boot param changes.)
- After a successful boot, you can re-enroll the new secure state with
dotfiles-enroll-tpm.