From ed2b5f67b975366c35967940c269ba199de01c64 Mon Sep 17 00:00:00 2001 From: Daniel Langbein Date: Tue, 6 Feb 2024 18:40:07 +0100 Subject: [PATCH] docs --- template/README.md | 26 ++++++++++++++++++++++---- template/ssh-fde-unlock.nix | 1 + 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/template/README.md b/template/README.md index e2ee468..98325a7 100644 --- a/template/README.md +++ b/template/README.md @@ -10,9 +10,13 @@ Manuals: * disko reference: https://github.com/nix-community/disko/blob/master/docs/reference.md * nixos-anywhere reference: https://github.com/nix-community/nixos-anywhere/blob/main/docs/reference.md -## Build installer ISO with passwordless SSH +## Build installer ISO with password-less SSH + +In [./iso.nix](./iso.nix), replace `./nitrokey.pub` with your SSH public key. ```shell +sudo nix-channel --update + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix # aarch64 ISO (requires emulation) #nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix --argstr system aarch64-linux @@ -47,7 +51,7 @@ Lastly, in [./flake.nix](./flake.nix) replace `pbkdf-memory` with your amount of --- -Optionally, if `ssh-fde-unlock.nix` is imported in [./flake.nix](./flake.nix), replace the kernel network driver with the correct one there. +Optionally, if `ssh-fde-unlock.nix` is imported in [./flake.nix](./flake.nix), replace `boot.initrd.availableKernelModules` with the kernel network driver in use. ## Installation 
@@ -58,19 +62,33 @@ nix --extra-experimental-features nix-command --extra-experimental-features flak run github:numtide/nixos-anywhere -- -f '.#mysystem' --vm-test ``` -To install on remote target machine: +To install on remote target machine (if fde is **not** configured): ```shell nix --extra-experimental-features nix-command --extra-experimental-features flakes \ run github:numtide/nixos-anywhere -- --flake '.#mysystem' -p 22 root@192.168.178.106 ``` -To install on remote target machine **and** print the SSH fingerprint of the new system. If no encrypted disks are set up, the disk password can be left empty: +To install on remote target machine (with or without fde) **and** print the SSH fingerprint of the new system. If fde is not set up, then the disk password can be left empty when asked for it: ```shell ./install-helper.sh 22 root@192.168.178.106 ``` +## Connect to installed system + +fde unlock: + +```shell +ssh root@192.168.178.106 +``` + +Once unlocked, connect with SSH. If the connection fails, double check on your router if the system was assigned to another IP address. + +```shell +ssh root@192.168.178.106 +``` + ## Updating dependencies Recreate the lock file (i.e. update all inputs) and commit the new lock file: diff --git a/template/ssh-fde-unlock.nix b/template/ssh-fde-unlock.nix index ead16ef..a824e70 100644 --- a/template/ssh-fde-unlock.nix +++ b/template/ssh-fde-unlock.nix @@ -9,6 +9,7 @@ enable = true; shell = "/bin/cryptsetup-askpass"; authorizedKeys = [ + # This is my public SSH key. (builtins.readFile ./nitrokey.pub) ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
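Review bot: in the first README hunk (`@@ -10,9 +10,13 @@`), the added `sudo nix-channel --update` line changes root's channels without saying why the ISO build needs it; since the following `nix-build` runs unprivileged, the sentence above the block should state that the build resolves `nixpkgs` from root's channel (the NixOS default `NIX_PATH`), which is why the update runs with `sudo`, or the line should be dropped if the ISO is meant to build from a pinned input. The new `./nitrokey.pub` instruction is good; consider adding that the file must contain only an SSH public key, because whatever is referenced there ends up as the root authorized key of a password-less installer ISO.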
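Review bot: the reworded sentence in the README hunk `@@ -47,7 +51,7 @@` reads as if the option name `boot.initrd.availableKernelModules` itself should be replaced; it is the option's value (the module list) that must include the target machine's network driver, otherwise the initrd has no network and the SSH unlock never becomes reachable. Suggest: `Optionally, if `ssh-fde-unlock.nix` is imported in [./flake.nix](./flake.nix), set `boot.initrd.availableKernelModules` there to include the kernel network driver the target machine uses.`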
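Review bot: in the new `## Connect to installed system` section (README hunk `@@ -58,19 +62,33 @@`) the two `ssh root@192.168.178.106` blocks are identical, yet they reach two different SSH servers: the initrd sshd, whose host key is `/etc/secrets/initrd/ssh_host_ed25519_key` per `ssh-fde-unlock.nix`, and the installed system's sshd. If both listen on the same IP and port, the second connection trips the known-hosts mismatch check; document the port the initrd sshd uses (and add `-p` to the unlock command) or state explicitly that the two host keys differ, so readers are not trained to wave the warning through. The section also does not say what the unlock session presents (the `/bin/cryptsetup-askpass` prompt configured as the shell in `ssh-fde-unlock.nix`), and `fde unlock:` as a lead-in is terse; `FDE unlock (enter the disk password at the prompt):` would be clearer and match the capitalisation used for other acronyms.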
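Review bot: the comment `# This is my public SSH key.` added in `template/ssh-fde-unlock.nix` is written in the template author's voice, while the README in the same patch tells users to replace `./nitrokey.pub` with their own key; a copied template would carry a misleading comment. Suggest `# Public key allowed to log in to the initrd and answer the cryptsetup prompt; replace ./nitrokey.pub with your own.` so the security purpose of the `authorizedKeys` entry is explicit.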