nix-config/NOTES

* Yubikeys are great, if you use them correctly
  https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
* generate age public key from host's existing SSH keypair
  nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
* trigger first encryption of a secrets file
  EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml
* edit secrets in that file later
* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:
  export GPG_TTY=$(tty)
  gpgconf --reload gpg-agent
* SOPS
  https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g
  export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF"
  sops -e /etc/ssh/ssh_host_id > hosts/floki/

INSTALL:
export device=/dev/nvme0n1
printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device}
mkfs.fat -F 32 ${device}
cryptsetup --verify-passphrase -v luksFormat "${device}p2"
cryptsetup open "${device}p2"enc
mkfs.btrfs /dev/mapper/enc
mount /dev/mapper/enc /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/nix
btrfs subvolume create /mnt/persist
btrfs subvolume create /mnt/swap
btrfs subvolume create /mnt/logs

mount -o compress=zstd,subvol=root /dev/mapper/enc /mnt
mkdir /mnt/{nix,persist,swap,var/logs}
mount -o compress=zstd,noatime,subvol=nix /dev/mapper/enc /mnt/nix
mount -o compress=zstd,subvol=persist /dev/mapper/enc /mnt/persist
mount -o compress=zstd,noatime,subvol=logs /dev/mapper/enc /mnt/var/logs
mount -o noatime,subvol=swap /dev/mapper/enc /mnt/swap

mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix # manually add mount options
nixos-install

nixos-generate-config --show-hardware-config

fileSystems = {
  "/".options = [ "compress=zstd" ];
  "/nix".options = [ "compress=zstd" "noatime" ];
  "/persist".options = [ "compress=zstd" "noatime" ];
  "/logs".options = [ "compress=zstd" "noatime" ];
  "/swap".options = [ "noatime" ];
};

user hashedPassword: mkpasswd -m sha-512

btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
swapDevices = [ { device = "/swap/swapfile"; } ];
nixos-rebulid switch

export NIX_CONFIG="experimental-features = nix-command flakes"
nix-env -iA nixos.pinentry nixos.git
echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf
git clone https://github.com/gburd/nix-config.git
cd nix-config
nix develop
export GPG_TTY=$(tty)
gpg-connect-agent reloadagent /bye
echo test | gpg --clearsign
gpg --list-keys
EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml
sudo nixos-install --flake .#hostname
reboot
home-manager switch --flake .#username@hostname


sudo nixos-rebuild switch --flake .#my-hostname
clear; sudo nixos-rebuild dry-activate --flake .#floki

-------
  services.pcscd.enable = true;

https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html
refined for my use 2023-09-19 17:05:08 +00:00			`* Yubikeys are great, if you use them correctly`
			`https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/`
			`* generate age public key from host's existing SSH keypair`
			`nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub \| ssh-to-age'`
			`* trigger first encryption of a secrets file`
			`EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml`
			`* edit secrets in that file later`
public key mismatch 2023-09-19 19:40:04 +00:00			`* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:`
			`export GPG_TTY=$(tty)`
			`gpgconf --reload gpg-agent`
notes 2023-09-20 12:29:42 +00:00			`* SOPS`
			`https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g`
update host ssh key 2023-09-22 14:42:28 +00:00			`export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF"`
			`sops -e /etc/ssh/ssh_host_id > hosts/floki/`
notes 2023-09-20 12:29:42 +00:00
add LICENSE 2023-09-20 15:47:08 +00:00			`INSTALL:`
btrfs 2023-09-21 18:19:52 +00:00			`export device=/dev/nvme0n1`
			`printf "label: gpt\n,550M,U\n,,L\n" \| sfdisk ${device}`
			`mkfs.fat -F 32 ${device}`
			`cryptsetup --verify-passphrase -v luksFormat "${device}p2"`
			`cryptsetup open "${device}p2"enc`
			`mkfs.btrfs /dev/mapper/enc`
			`mount /dev/mapper/enc /mnt`
			`btrfs subvolume create /mnt/root`
			`btrfs subvolume create /mnt/nix`
			`btrfs subvolume create /mnt/persist`
			`btrfs subvolume create /mnt/swap`
			`btrfs subvolume create /mnt/logs`

			`mount -o compress=zstd,subvol=root /dev/mapper/enc /mnt`
s/loki/floki/g 2023-09-22 14:10:04 +00:00			`mkdir /mnt/{nix,persist,swap,var/logs}`
btrfs 2023-09-21 18:19:52 +00:00			`mount -o compress=zstd,noatime,subvol=nix /dev/mapper/enc /mnt/nix`
			`mount -o compress=zstd,subvol=persist /dev/mapper/enc /mnt/persist`
s/loki/floki/g 2023-09-22 14:10:04 +00:00			`mount -o compress=zstd,noatime,subvol=logs /dev/mapper/enc /mnt/var/logs`
btrfs 2023-09-21 18:19:52 +00:00			`mount -o noatime,subvol=swap /dev/mapper/enc /mnt/swap`

			`mkdir /mnt/boot`
			`mount /dev/sda1 /mnt/boot`

			`nixos-generate-config --root /mnt`
			`nano /mnt/etc/nixos/configuration.nix # manually add mount options`
			`nixos-install`

			`nixos-generate-config --show-hardware-config`

			`fileSystems = {`
			`"/".options = [ "compress=zstd" ];`
			`"/nix".options = [ "compress=zstd" "noatime" ];`
			`"/persist".options = [ "compress=zstd" "noatime" ];`
			`"/logs".options = [ "compress=zstd" "noatime" ];`
			`"/swap".options = [ "noatime" ];`
			`};`

s/loki/floki/g 2023-09-22 14:10:04 +00:00			`user hashedPassword: mkpasswd -m sha-512`

btrfs 2023-09-21 18:19:52 +00:00			`btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile`
			`swapDevices = [ { device = "/swap/swapfile"; } ];`
			`nixos-rebulid switch`

add LICENSE 2023-09-20 15:47:08 +00:00			`export NIX_CONFIG="experimental-features = nix-command flakes"`
reorder 2023-09-20 20:14:48 +00:00			`nix-env -iA nixos.pinentry nixos.git`
learning 2023-09-20 17:32:13 +00:00			`echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf`
add LICENSE 2023-09-20 15:47:08 +00:00			`git clone https://github.com/gburd/nix-config.git`
			`cd nix-config`
			`nix develop`
adjust order 2023-09-21 18:36:14 +00:00			`export GPG_TTY=$(tty)`
			`gpg-connect-agent reloadagent /bye`
reorder 2023-09-20 20:14:48 +00:00			`echo test \| gpg --clearsign`
			`gpg --list-keys`
			`EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml`
learning 2023-09-20 17:32:13 +00:00			`sudo nixos-install --flake .#hostname`
add LICENSE 2023-09-20 15:47:08 +00:00			`reboot`
			`home-manager switch --flake .#username@hostname`
refined for my use 2023-09-19 17:05:08 +00:00
add LICENSE 2023-09-20 15:47:08 +00:00
refined for my use 2023-09-19 17:05:08 +00:00			`sudo nixos-rebuild switch --flake .#my-hostname`
s/loki/floki/g 2023-09-22 14:10:04 +00:00			`clear; sudo nixos-rebuild dry-activate --flake .#floki`
memory 2023-09-19 18:38:19 +00:00
refined for my use 2023-09-19 17:05:08 +00:00			`-------`
			`services.pcscd.enable = true;`
btrfs 2023-09-21 18:19:52 +00:00
s/loki/floki/g 2023-09-22 14:10:04 +00:00			`https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html`