mirror of
https://github.com/gburd/nix-config.git
synced 2024-07-04 00:47:20 +00:00
35 lines
1.2 KiB
Plaintext
35 lines
1.2 KiB
Plaintext
* Yubikeys are great, if you use them correctly
|
|
https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
|
|
* generate age public key from host's existing SSH keypair
|
|
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
|
* trigger first encryption of a secrets file
|
|
EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml
|
|
* edit secrets in that file later
|
|
* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:
|
|
export GPG_TTY=$(tty)
|
|
gpgconf --reload gpg-agent
|
|
* SOPS
|
|
https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g
|
|
|
|
INSTALL:
|
|
export NIX_CONFIG="experimental-features = nix-command flakes"
|
|
nix-env -iA nixos.pinentry nixos.git
|
|
echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf
|
|
git clone https://github.com/gburd/nix-config.git
|
|
cd nix-config
|
|
nix develop
|
|
echo test | gpg --clearsign
|
|
gpg --list-keys
|
|
EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml
|
|
sudo nixos-install --flake .#hostname
|
|
reboot
|
|
home-manager switch --flake .#username@hostname
|
|
|
|
|
|
export GPG_TTY=$(tty)
|
|
sudo nixos-rebuild switch --flake .#my-hostname
|
|
clear; sudo nixos-rebuild dry-activate --flake .#loki
|
|
|
|
-------
|
|
services.pcscd.enable = true;
|