From 0896cec87b3398b4ed90594aacca3b80cadf92d8 Mon Sep 17 00:00:00 2001 From: Joris Date: Sun, 31 Mar 2024 20:36:16 +0200 Subject: Update private key import instructions --- README.md | 126 ++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 94 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 49e0b93..0df651c 100644 --- a/README.md +++ b/README.md @@ -11,21 +11,17 @@ 2. Write ISO to a USB stick: - sudo dd if=nix.iso of=/dev/sdX status=progress + ```sh + sudo dd if=nix.iso of=/dev/sdX bs=4M status=progress + ``` 3. Boot from the USB stick on the target machine. 4. Connect as sudo: + ```sh sudo su - -5. Switch to bepo: - - loadkeys fr-bepo - -6. Check if UEFI mode is enabled: - - ls /sys/firmware/efi/efivars + ``` # SWAP size @@ -48,57 +44,76 @@ https://itsfoss.com/swap-size/ 3. Encrypt your disk and open it: + ```sh cryptsetup luksFormat /dev/ cryptsetup luksOpen /dev/ crypted + ``` 4. Create swap and root logical volumes: + ```sh pvcreate /dev/mapper/crypted vgcreate vg /dev/mapper/crypted lvcreate -L G -n swap vg lvcreate -l '100%FREE' -n root vg + ``` 5. Format the partitions: + ```sh mkfs.fat -F 32 -n BOOT /dev/ mkfs.ext4 -L nixos /dev/vg/root mkswap -L swap /dev/vg/swap + ``` 6. Mount partitions + ```sh mount /dev/vg/root /mnt mkdir /mnt/boot mount /dev/ /mnt/boot swapon /dev/vg/swap + ``` # Connect to Internet 1. Note your wifi interface: + ```sh ifconfig + ``` 2. Scan available ESSID with: + ```sh iwlist scan | grep ESSID + ``` 3. Write `wpa_supplicant` configuration: + ```sh wpa_passphrase | sudo tee /etc/wpa_supplicant.conf + ``` 4. Start `wpa_supplicant`: + ```sh wpa_supplicant -B -i -c /etc/wpa_supplicant.conf + ``` # Install 1. Generate configuration: + ```sh nixos-generate-config --root /mnt + ``` 2. Rename disks by labels in `mnt/etc/nixos/hardware-configuration.nix`. 3. Complete `/mnt/etc/nixos/configuration.nix` + ```nix # Hostname networking.hostName = "joris-laptop"; 
@@ -112,9 +127,6 @@ https://itsfoss.com/swap-size/ # Network manager networking.networkmanager.enable = true; - # Bepo keymap (ease entering a passphrase for decrypting the disk) - console.keyMap = "fr-bepo"; - # Enable gpg agent programs.gnupg.agent = { enable = true; @@ -130,27 +142,35 @@ https://itsfoss.com/swap-size/ # Editor environment.systemPackages = [ pkgs.vim ]; - + # Flakes nix = { package = pkgs.nixFlakes; extraOptions = "experimental-features = nix-command flakes"; }; + ``` 4. Install: + ```sh nixos-install + ``` 5. Set user password: + ```sh passwd joris + ``` 6. Reboot: + ```sh reboot + ``` If the system doesn’t boot, boot from the USB key, and: + ```sh sudo su cryptsetup luksOpen /dev/ crypted lvchange -a y /dev/vg/swap 
@@ -158,58 +178,91 @@ If the system doesn’t boot, boot from the USB key, and: mount /dev/vg/root /mnt mount /dev/ /mnt/boot swapon /dev/vg/swap + ``` # Import GPG key -1. Extract: +1. Plug in recuperation key and check label with `lsblk`. + +2. Decrypt and mount private backup: - gpg --decrypt keys.tar.gpg > keys.tar - tar -xf keys.tar -C . + ```sh + sudo cryptsetup luksOpen /dev/XXX secrets + sudo mkdir encrypted-storage + sudo mount /dev/mapper/secrets encrypted-storage + ``` -2. Import: +3. Import: - gpg --import pubkey.asc - gpg --allow-secret-key-import --import privkey.asc + ```sh + gpg --import encrypted-storage/pubkey.asc + gpg --allow-secret-key-import --import encrypted-storage/privkey.asc + ``` -3. Trust: +4. Trust: + ```sh gpg --edit-key joris@guyonvarch.me gpg> trust + ``` -4. Write SSH keygrip in `~/gnupg/sshcontrol`: +5. Write SSH keygrip in `~/.gnupg/sshcontrol`: + ```sh gpg2 -K --with-keygrip # [A] keygrip + ``` -5. Verify that SSH key is available: +6. Verify that SSH key is available: + ```sh ssh-add -L + ``` + +7. Unmount and close the encrypted volume: + + ```bash + sudo umount encrypted-storage/ + sudo cryptsetup luksClose secret + ``` + +8. Unplug the volume. # Clone the system 1. Connect to Internet: + ```sh nmtui + ``` 2. Install git: + ```sh nix-env -i git + ``` 3. Clone the configuration: + ```sh git clone git@guyonvarch.me:/home/git/config /home/joris/code/config cd code/config git checkout main + ``` 4. Extract the system’s `hardware-configuration.nix`, and add it to `./hosts/joris/hardware/`. 5. Move aside the previous configuration: + ```sh cp -r /etc/nixos config-old sudo rm -rf /etc/nixos - + ``` + 6. Link `/etc/nixos` to the configuration: + ```sh sudo ln -s /home/joris/code/config /etc/nixos + ``` 7. Disable automatic export of documents if it’s not the principal system. 
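Review bot: Step 7 closes a mapping that was never opened: step 2 opens the volume as `secrets` (`sudo cryptsetup luksOpen /dev/XXX secrets`) but step 7 runs `sudo cryptsetup luksClose secret`, so the close is expected to fail with a device-not-found error and the decrypted volume holding the private key stays mapped under /dev/mapper/secrets after the user believes it is closed. The line should read `sudo cryptsetup luksClose secrets`. The same fence is tagged ```bash while every other block in this hunk uses ```sh; using `sh` keeps the rendering consistent. Since `sudo mkdir encrypted-storage` and the mount use a path relative to the current directory, the `umount encrypted-storage/` in step 7 only works from that same directory; a short note to that effect, or an absolute mount point, would make the steps less error-prone.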
@@ -219,51 +272,58 @@ If the system doesn’t boot, boot from the USB key, and: 10. Build: + ```sh nixos-rebuild switch + ``` # Setup user environment 1. Create user directories: + ```sh mkdir code documents downloads music pictures videos + ``` 2. Create `.less` to setup less keybindings from `.lesskey`: + ```sh lesskey + ``` 3. Setup password store: + ```sh git clone git@guyonvarch.me:/home/git/password-store.git .password-store + ``` 4. Get documents: + ```sh duplicity restore rsync://guyonvarch.me/~/backups/documents documents + ``` # Set up user services Look at user services: + ```sh systemctl --user list-units systemctl --user list-timers --all + ``` If services do not appear, run: + ```sh systemctl --user daemon-reload + ``` # Check hardware acceleration “OpenGL renderer string” should not be llvm: + ```sh nix-shell -p glxinfo --run "glxinfo | grep OpenGL" - -# Export GPG keys - -Save to a physical USB key: - - gpg --export-secret-keys --armor joris@guyonvarch.me > privkey.asc - gpg --export --armor joris@guyonvarch.me > pubkey.asc - tar -cf keys.tar privkey.asc pubkey.asc - gpg --symmetric keys.tar + ``` # Synchronize @@ -271,6 +331,8 @@ In order to link a device, use `cobang` to get the link from the QR code. Then run: + ```sh signal-cli addDevice --uri "uri" + ``` If you get `NotFoundException`, you may have been too slow in the process. -- cgit v1.2.3