fabianhauser/dotfiles
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/README.md
Fabian Hauser e3e5b0e932
All checks were successful
CI / build (push) Successful in 1m26s
Details
Update README to hint at all installation steps more properly
2025-03-20 23:36:37 +02:00

45 lines
2.3 KiB
Markdown
Raw Permalink Blame History

# Fabian's Dotfiles
## System Setup
> 🐈‍⬛ This is how the process should be, not how it has been done... yet 😉
1. `systemctl reboot --firmware-setup`: Activate enrollment of new Secure Boot key in the UEFI
- Depends on vendor, see [lanzaboote docs](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#part-2-enabling-secure-boot)
1. Boot into NixOS Live system
1. TODOs at this point:
- sops secrets encryption stuff.
- LUKS HDD encryption with sops stuff
- `sudo sbctl create-keys` with sops stuff.
- See [qo.is docs](https://git.qo.is/qo.is/infrastructure/src/branch/main/nixos-configurations/setup.md) for inspiration
- Configure attic cache substitution in nixos installer
1. ```bash
nixos-anywhere --copy-host-keys --build-on-remote \
--generate-hardware-config nixos-facter ./nixos-configurations/$REMOTE_HOST/facter.json
--extra-files ... \
--chown ... \
--disk-encryption-keys ... \
--flake .#$REMOTE_HOSTNAME
root@$REMOTE_IP
```
- TODO:
- with the secrets from above
- don't do nixos-anywhere phase reboot (secure boot keys not enrolled yet)
1. `sudo sbctl enroll-keys --microsoft`: Enroll our keys in UEFI
- Keeps microsoft keys - some vendor firmware and Windows dual boot require this.
1. `sudo sbctl verify`: Verify Secure Boot signatures.
- `/boot/EFI/nixos/kernel*.efi` is not supposed to be signed.
1. `systemctl reboot`: Boot into your new, signed system.
1. `bootctl status`: Verify that a secure boot worked.
- If not, activate secure boot and try again: `systemctl reboot --firmware-setup`
1. `dotfiles-enroll-tpm`: Enroll the boot PCR measurement based LUKS unlock:
- [See source for details](./packages/dotfiles-enroll-tpm).
### Secure Boot & TPM Disk Unlock
See [lanzaboote documentation](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) for more information on how to enable secure boot.
- With `nixos-rebuild {switch|boot}`, new EFI files will be automatically signed.
- In case your firmware or boot process changes, you need to insert the luks password manually.
- This should **not** happen just because of kernel updates (but might with boot param changes.)
- After a successful boot, you can re-enroll the new secure state with `dotfiles-enroll-tpm`.
Reference in a new issue View git blame Copy permalink