encrypted laptop root and better setup guide
This commit is contained in:
parent
e4903a0de3
commit
56b4daa7fd
@ -9,10 +9,11 @@ export DEVICE_UNENCRYPTED_ROOT=/dev/mapper/${DEVICE_UNENCRYPTED_ROOT_NAME}
export ENCRYPTION_KEY_PATH=mount/encryption-keys/lappy.key
parted /dev/${DEVICE_ROOT} -- mklabel gpt
parted /dev/${DEVICE_ROOT} -- mkpart primary 512MiB -8GiB
parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 500MiB
parted /dev/${DEVICE_ROOT} -- set 3 esp on
parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 512MiB
parted /dev/${DEVICE_ROOT} -- mkpart primary 620MiB -1MiB
parted /dev/${DEVICE_ROOT} -- set 1 esp on
parted /dev/${DEVICE_ROOT} -- name 1 nixboot
parted /dev/${DEVICE_ROOT} -- name 2 nixos_encrypted
mkfs.fat -n nixboot ${DEVICE_BOOT_PART}
cryptsetup luksFormat ${DEVICE_ENCRYPTED_ROOT_PART}
@ -20,28 +21,63 @@ cryptsetup luksAddKey ${DEVICE_ENCRYPTED_ROOT_PART} ${ENCRYPTION_KEY_PATH}
cryptsetup luksOpen ${DEVICE_ENCRYPTED_ROOT_PART} ${DEVICE_UNENCRYPTED_ROOT_NAME}
mkfs.ext4 -L nixos ${DEVICE_UNENCRYPTED_ROOT}
```
## SSH Key
## NetworkManager
Grab passwords from Vault
## Browser (vivaldi)
Open up browser and install the following extensions:
- - Stylus
- - Tampermonkey
- - uBlock Origin
### Settings
#### General
Home Page: Start Page
Startup With: Start Page
#### Appearance
Use Animation: NO!
User Interface Zoom: 145%
#### Themes
Theme: Private
#### Tabs
- Display Close Button: Permanantly
- Active Tab Minimum Width: 150px
- Tab Stacking: Disable
- Mute Tab Audio: Play only in active tab
#### Search
- Default search engine: Google
- Always search in new tab: ON
#### Privacy
- Phishing and Malware Protection: OFF
- DNS to help resolve navigation errors: OFF
- Form AutoFill Assist: OFF
- Ask websites not to track me: ON
- No Blocking
- Save Webpage Passwords: OFF
#### Downloads
- Save without asking: ON
#### Webpages
- Default Webpage Zoom: 145%
- Disable Use Tab Zoom
- Disable Use Ctrl+Scroll Zoom
- Plugins: Enable All
- Fonts: All to Comic Sans apart from Monospace which is Comic Code
- Reader: Colour Scheme: Dark
### Extensions
Install the following extensions:
- Stylus
- Tampermonkey
- uBlock Origin
Then install all userscripts and userstyles from [Here](https://gitlab.com/ChaotiCryptidz/userstyles-userscripts/-/tree/main)
## Telegram Desktop (kotatogram)
- Set interface size to 200%
- Recent stickers: show 30 stickers
- Sticker Height: 100px
- Recent stickers: show 40 stickers
- Sticker Height: 140px
- Upload Speed Boost: Slight
- Main Font & Semibold Font: Comic Sans
- Main Font & Semibold Font: Comic Sans MS
- Monospaced Font: Comic Code
- Confirm before calling: on
## Quassel Client
- Set theme to config dir's style.qss
### Interface
- Widget Style Fusion
- Set theme to config dir's style.qss
- Widget Style: Fusion
- Fallback Icon Theme: Fusion
- Show System Tray Icon
- Invert system tray icon brightness
### Chat View
- Chat Window Font: Comic Code 20pt
### Chat View Colours
@ -59,6 +95,8 @@ Other: #00dda6
```
### Input Widget
- Custom Font: Comic Code 18pt
### Topic Widget
- Custom Font: Comic Code 14pt
### Backlog Fetching
- Amount: 500
- Method: Fixed
@ -1,38 +0,0 @@
{ pkgs, lib, ... }:
let
getExtension = { id, url, sha256, version, updateUrl }: {
inherit id;
crxPath = builtins.fetchurl {
url = "${url}";
name = "${id}.crx";
inherit sha256;
};
inherit version;
inherit updateUrl;
};
createChromiumExtensionFor = browserVersion:
{ id, sha256, version }: {
inherit id;
crxPath = builtins.fetchurl {
url =
"https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=${browserVersion}&x=id%3D${id}%26installsource%3Dondemand%26uc";
name = "${id}.crx";
inherit sha256;
};
#updateUrl = "http://clients2.google.com/service/update2/crx?response=updatecheck&x=id%3D${id}%26uc";
updateUrl = "https://clients2.google.com/service/update2/crx";
inherit version;
};
createChromiumExtension =
createChromiumExtensionFor (lib.versions.major pkgs.vivaldi.version);
in {
programs.chromium = {
enable = true;
package = pkgs.vivaldi;
extensions = [
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
{ id = "clngdbkpkpeebahjckkjfobafhncgmne"; }
{ id = "adicoenigffoolephelklheejpcpoolk"; }
];
};
}
@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.tailscale
@ -24,7 +24,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.small ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [ home.base home.dev.small ];
};
@ -1,7 +1,7 @@
{ ... }:
{ pkgs, ... }:
let
usb_label = "my_usb";
encrypted_root_uuid = "";
encrypted_root_partlabel = "nixos_encrypted";
unencrypted_root_uuid = "";
in {
boot = {
@ -26,33 +26,29 @@ in {
"cryptd"
];
kernelModules = [ "kvm-intel" ];
initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /key
sleep 3
mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
'';
initrd.luks.devices."cryptroot".device =
"/dev/disk/by-partlabel/${encrypted_root_partlabel}";
initrd.luks.devices."cryptroot" = {
keyFile = "/key/encryption-keys/lappy.key";
preLVM = false;
allowDiscards = true;
};
};
# TODO: encrypted storage
#initrd.postDeviceCommands = pkgs.lib.mkBefore ''
# mkdir -m 0755 -p /key
# sleep 3
# mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
#'';
#boot.initrd.luks.devices."cryptroot".device =
# "/dev/disk/by-uuid/${encrypted_root_uuid}";
#initrd.luks.devices."cryptroot" = {
# keyFile = "/key/encryption-keys/lappy.key";
# preLVM = false;
# allowDiscards = true;
#};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
device = "/dev/mapper/cryptroot";
fsType = "ext4";
};
#"/" = {
# device = "/dev/mapper/cryptroot";
# fsType = "ext4";
#};
"/boot" = {
device = "/dev/disk/by-label/nixboot";
fsType = "vfat";
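Review bot: The unlock of `initrd.luks.devices."cryptroot"` now depends on the key file being readable from a USB stick that the new `initrd.postDeviceCommands` locates by volume label after a fixed `sleep 3`; if the stick enumerates slowly or is absent, `findfs` prints nothing, the `mount` fails, and the device has no key to open with. Adding `fallbackToPassword = true;` to the `cryptroot` attribute set lets the passphrase slot (the guide in this commit runs `luksFormat` before `luksAddKey`, so one exists) be used from the console instead of the boot stalling. Keeping the key on an unencrypted FAT volume identified only by label means possession of the stick is possession of the key, which is a deliberate trade-off here but deserves a comment next to `keyFile` stating it. The `encrypted_root_uuid` and `unencrypted_root_uuid` bindings in the first hunk are empty strings that nothing in the visible new side reads (the only reference appears to be in the comment block this hunk removes), so they could be dropped or documented.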
@ -5,7 +5,7 @@
./hardware.nix
users.root
users.chaoticryptidz
users.chaos
profiles.tailscale
profiles.dnscrypt
profiles.printing
@ -41,7 +41,7 @@
];
home-manager.users.root = { imports = with tree; [ home.base ]; };
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [
home.base
home.dev.all
@ -61,7 +61,6 @@
home.apps.vivaldi
home.apps.telegram
home.apps.quassel
home.apps.chromium
home.programming
#home.programming.languages.go
@ -70,7 +69,7 @@
};
services.getty.extraArgs =
[ "--skip-login" "--login-options" "chaoticryptidz" ];
[ "--skip-login" "--login-options" "chaos" ];
networking.firewall.enable = true;
# let vscode, vivaldi, etc work.
@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.tailscale
@ -21,7 +21,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.small ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [ home.base home.dev.small ];
};
@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.gui
profiles.gui.environments.sway
@ -16,7 +16,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.all ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [
home.base
home.gui
@ -1,5 +1,5 @@
{ config, ... }: {
users.users.chaoticryptidz = {
users.users.chaos = {
uid = 1000;
isNormalUser = true;
extraGroups = [
@ -13,7 +13,7 @@
"uinput"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
];
};
}
@ -1,7 +1,7 @@
{ config, ... }: {
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
];
};
}