diff --git a/README.md b/README.md index ce052d26..9217dbea 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https | **Text Editor** | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] | | **Fonts** | [Nerd fonts][Nerd fonts] | [Nerd fonts][Nerd fonts] | | **Image Viewer** | [imv][imv] | [imv][imv] | -| **Screenshot Software** | [grim][grim] | [flameshot](https://github.com/flameshot-org/flameshot) | +| **Screenshot Software** | [flameshot][flameshot] + [grim][grim] | [flameshot][flameshot] | | **Screen Recording** | [OBS][OBS] | [OBS][OBS] | | **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | | **Secure Boot** | [lanzaboote][lanzaboote] | [lanzaboote][lanzaboote] | @@ -203,6 +203,7 @@ Other dotfiles that inspired me: [DoomEmacs]: https://github.com/doomemacs/doomemacs [flameshot]: https://github.com/flameshot-org/flameshot [grim]: https://github.com/emersion/grim +[flameshot]: https://github.com/flameshot-org/flameshot [imv]: https://sr.ht/~exec64/imv/ [OBS]: https://obsproject.com [Mako]: https://github.com/emersion/mako diff --git a/nixos-installer/README.md b/nixos-installer/README.md index f3e3f0ce..4c4908c8 100644 --- a/nixos-installer/README.md +++ b/nixos-installer/README.md 
@@ -244,14 +244,23 @@ And then reboot. ## Deploying the main flake's NixOS configuration -After rebooting, we can deploy the main flake's NixOS configuration by running: +After rebooting, we need to generate a new SSH key for the new machine, and add it to GitHub, so that the new machine can pull my private secrets repo: ```bash -# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories. -ssh-add ~/.ssh/xxx +# 1. Generate a new SSH key with a strong passphrase +ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/idols_ai +# 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo. +ssh-add ~/.ssh/idols_ai +``` +Then follow the instructions in [../secrets/README.md](../secrets/README.md) to rekey all my secrets with the new host's system-level SSH key(`/etc/ssh/ssh_host_ed25519_key`), +so that agenix can decrypt them automatically on the new host when I deploy my NixOS configuration. + +After all these steps, we can finally deploy the main flake's NixOS configuration by: + +```bash sudo mv /etc/nixos ~/nix-config -chown -R ryan:ryan ~/nix-config +sudo chown -R ryan:ryan ~/nix-config cd ~/nix-config @@ -262,7 +271,6 @@ just hypr Finally, to enable secure boot, follow the instructions in [lanzaboote - Quick Start](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) and [nix-config/ai/secure-boot.nix](https://github.com/ryan4yin/nix-config/blob/main/hosts/idols_ai/secureboot.nix) - ## Change LUKS2's passphrase ```bash diff --git a/nixos-installer/README.shoukei.md b/nixos-installer/README.shoukei.md index d5c96607..d4c9e599 100755 --- a/nixos-installer/README.shoukei.md +++ b/nixos-installer/README.shoukei.md 
@@ -224,18 +224,27 @@ And then reboot. ## Deploying the main flake's NixOS configuration -After rebooting, we can deploy the main flake's NixOS configuration by running: +After rebooting, we need to generate a new SSH key for the new machine, and add it to GitHub, so that the new machine can pull my private secrets repo: ```bash -# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories. -ssh-add ~/.ssh/xxx +# 1. Generate a new SSH key with a strong passphrase +ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei +# 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo. +ssh-add ~/.ssh/shoukei +``` +Then follow the instructions in [../secrets/README.md](../secrets/README.md) to rekey all my secrets with the new host's system-level SSH key(`/etc/ssh/ssh_host_ed25519_key`), +so that agenix can decrypt them automatically on the new host when I deploy my NixOS configuration. + +After all these steps, we can finally deploy the main flake's NixOS configuration by: + +```bash sudo mv /etc/nixos ~/nix-config -chown -R ryan:ryan ~/nix-config +sudo chown -R ryan:ryan ~/nix-config cd ~/nix-config -# deploy the configuration +# deploy the configuration via Justfile just s-hypr ``` diff --git a/secrets/README.md b/secrets/README.md index 5ba42143..2edf53f9 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -151,7 +151,7 @@ It will then symlink the secrets to the path defined by the `age.secrets.. ## Adding a new host -1. `cat` the public key of the new host, send it to an old host. +1. `cat` the sytem-level public key(`/etc/ssh/ssh_host_ed25519_key`) of the new host, and send it to an old host which has already been configured. 2. On the old host: 1. Add the public key to `secrets.nix`, and rekey all the secrets via `sudo agenix -r -i /etc/ssh/ssh_host_ed25519_key`. 2. Commit and push the changes to `nix-secrets`.
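Review bot: in the README.md link-reference hunk (`@@ -203,6 +203,7 @@`), the added `+[flameshot]: https://github.com/flameshot-org/flameshot` duplicates the `[flameshot]:` definition already visible in the unchanged context two lines above it. Markdown resolves a reference label against its first definition, so the new line is dead text; drop it, since the `[flameshot][flameshot]` cells added in the table hunk already resolve against the existing definition.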
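Review bot: in the nixos-installer/README.md deployment hunk (`@@ -244,14 +244,23 @@`), the prose says the new key must be added to GitHub, but the snippet stops at `ssh-add ~/.ssh/idols_ai` and never shows which file to upload. Add a step such as `cat ~/.ssh/idols_ai.pub` with a comment that only the `.pub` half goes to GitHub, so a reader working from the snippet does not paste the private key. The same care applies to the sentence "rekey all my secrets with the new host's system-level SSH key(`/etc/ssh/ssh_host_ed25519_key`)": what the new host contributes to `secrets.nix` is its public key, so naming `/etc/ssh/ssh_host_ed25519_key.pub` there (and adding the missing space before the parenthesis) would be clearer. The change from `chown` to `sudo chown -R ryan:ryan ~/nix-config` is correct, since the directory was just moved out of root-owned `/etc/nixos`.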
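Review bot: the nixos-installer/README.md hunk at `@@ -262,7 +271,6 @@` only deletes the blank line between the secure-boot paragraph and `## Change LUKS2's passphrase`, so the heading now directly follows the lanzaboote link line. That is a readability regression and is flagged by markdownlint (MD022, headings surrounded by blank lines); keep the blank line.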
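Review bot: in the nixos-installer/README.shoukei.md hunk (`@@ -224,18 +224,27 @@`), the key comment is copy-pasted from the idols_ai instructions: `ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei` labels the shoukei machine's key as `ryan@idols-ai`, which makes the key hard to tell apart from the other host's when auditing or revoking keys in GitHub later. Change the comment to match the host, e.g. `-C "ryan@shoukei"`. As in the other installer README, a `cat ~/.ssh/shoukei.pub` step would show which file is the one to upload.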
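Review bot: the secrets/README.md hunk (`@@ -151,7 +151,7 @@`) tells the reader to `cat` the "sytem-level public key(`/etc/ssh/ssh_host_ed25519_key`)" and send it to another host, but that path is the host's private key; the public half lives in `/etc/ssh/ssh_host_ed25519_key.pub`, and that is the file that belongs in `secrets.nix`. Name the `.pub` file in step 1 (the private-key path is right only in step 2's `sudo agenix -r -i /etc/ssh/ssh_host_ed25519_key`, where it is used locally as the decryption identity and never leaves the old host). Also fix the typo `sytem-level` to `system-level` and add the missing space in `key(`.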