# 1. Installation of new servers

- install Ubuntu 20.04 on the new machine
- convert it to NixOS with nixos-infect and derive the host's age public key from its SSH host key (the script is fetched from `master` and piped straight into `bash`; review it or pin a revision before running it)

```console
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-25.05 bash 2>&1 | tee /tmp/infect.log
nix-shell -p ssh-to-age --run 'ssh-keyscan install.cloonar.com | ssh-to-age'
```

- fix the secrets files: add the new age public key to `.sops.yaml`, then re-encrypt the secrets for the updated key set

```console
nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
```

- run the install command

```console
./install.sh example.com
```

# 2. Sops command

Edit a host's secrets file in place (sops decrypts it into the editor and re-encrypts it on save):

```console
nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'
```

# 3. Web Server specific

- change the ownership and permissions of `/var/www` so nginx owns the document root and other users can only read and traverse it

```console
chown nginx:nginx /var/www
chmod 755 /var/www
```

# 4. Net data

- Netdata Cloud: open the nodes page and choose "Add a node" to obtain a claim token
- Once you have the token, claim it to associate this machine with the node:
- create `/var/lib/netdata/cloud.d/token` and write the token into it
- run the claim script as root:

```console
nix-shell -p netdata --run "netdata-claim.sh -id=$(uuidgen)"
```

- your node should now be registered in Netdata Cloud

# 5. Borg Backup

Add the SSH public key to the Hetzner storage box (the remote `install-ssh-key` command reads the key from stdin):

```console
cat ~/.ssh/id_rsa.pub | ssh -p23 u149513-subx@u149513-subx.your-backup.de install-ssh-key
```

# 6. Add new Host

Fetch the bootstrap script for the new host:

```console
sftp host@git.cloonar.com:/config/bootstrap.sh ./
```

# 7. Yubikey

Set the FIDO2 PIN on the key, then enroll it as an unlock method for the LUKS volume on `/dev/nvme0n1p2` (omitting `--new-pin` makes `ykman` prompt for the PIN instead of leaving it in the shell history):

```console
ykman fido access change-pin --new-pin 654321
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2
```

# 8. Wireguard

Generate a key pair and a pre-shared key; the `umask 077` keeps `privatekey` and `psk` readable by the owner only, while `publickey` may stay world-readable:

```console
wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey
umask 0077; wg genpsk > psk
```

# 9. Hash for new packages

Prefetch the tarball (replace `https://tar.gz` with the real URL) and convert the base32 hash that `nix-prefetch-url` prints into the SRI form used in package expressions:

```console
nix hash to-sri --type sha256 $(nix-prefetch-url https://tar.gz)
```
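
What the conversion in the command above does, as an added Python example that is not part of these notes and not Nix's own code: `nix-prefetch-url` prints the SHA-256 digest in Nix's base32 alphabet, and `nix hash to-sri` re-encodes the same bytes as `sha256-<standard base64>`. The base32 routine follows the bit layout Nix uses (5-bit groups read from the least significant bit, custom alphabet without e, o, t, u); the empty-input digest is a constructed sample so nothing is downloaded, and `verify_sri` is an added helper for checking a cached tarball against a hash from an expression.

```python
"""Added illustration of what `nix hash to-sri --type sha256` does with the
base32 string that `nix-prefetch-url` prints. Not Nix's own code.
"""
import base64
import hashlib
import hmac

# Nix's base32 alphabet: 0-9 and a-z minus e, o, t, u
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def _nix32_len(n_bytes: int) -> int:
    return (n_bytes * 8 - 1) // 5 + 1          # 52 characters for a 32-byte SHA-256


def nix_base32_encode(digest: bytes) -> str:
    """Encode raw digest bytes the way Nix prints hashes (nix-prefetch-url output)."""
    out = []
    for n in range(_nix32_len(len(digest)) - 1, -1, -1):
        i, j = divmod(n * 5, 8)                 # byte index and bit offset of group n
        c = digest[i] >> j
        if i < len(digest) - 1:
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def nix_base32_decode(s: str, n_bytes: int = 32) -> bytes:
    """Decode a Nix base32 hash to raw bytes; rejects bad length, alphabet or stray bits."""
    if len(s) != _nix32_len(n_bytes):
        raise ValueError(f"expected {_nix32_len(n_bytes)} characters, got {len(s)}")
    digest = bytearray(n_bytes)
    for n, ch in enumerate(reversed(s)):        # last character holds the lowest bits
        digit = NIX_BASE32.find(ch)
        if digit < 0:
            raise ValueError(f"invalid character {ch!r} in nix base32 hash")
        i, j = divmod(n * 5, 8)
        digest[i] |= (digit << j) & 0xFF
        if i < n_bytes - 1:
            digest[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("invalid nix base32 hash: stray high bits")
    return bytes(digest)


def is_valid_nix32(s: str, n_bytes: int = 32) -> bool:
    """True if `s` decodes as a Nix base32 hash of the given size."""
    try:
        nix_base32_decode(s, n_bytes)
        return True
    except ValueError:
        return False


def to_sri(digest: bytes, algo: str = "sha256") -> str:
    """Subresource Integrity form used in Nix expressions: `<algo>-<standard base64>`."""
    return f"{algo}-{base64.b64encode(digest).decode()}"


def nix32_to_sri(nix32: str) -> str:
    """The conversion `nix hash to-sri --type sha256 <nix32>` performs."""
    return to_sri(nix_base32_decode(nix32))


def sri_of_bytes(data: bytes) -> str:
    """SRI hash of in-memory data, the value `nix hash to-sri` yields for the fetched file."""
    return to_sri(hashlib.sha256(data).digest())


def verify_sri(data: bytes, sri: str) -> bool:
    """Check data against an SRI string, e.g. before trusting a cached tarball."""
    algo, sep, b64 = sri.partition("-")
    if not sep or algo not in hashlib.algorithms_available:
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), base64.b64decode(b64))


if __name__ == "__main__":
    # Constructed sample: SHA-256 of zero bytes, so no network access is needed
    digest = hashlib.sha256(b"").digest()
    nix32 = nix_base32_encode(digest)
    print("nix-prefetch-url style:", nix32)
    print("nix hash to-sri style: ", nix32_to_sri(nix32))
```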

# 10. Fingerprint Reader Setup (e.g., on Framework Laptop with Goodix reader)

This section assumes you have configured fingerprint support in your NixOS configuration, for example by creating and importing a module like `hosts/nb/modules/fingerprint.nix` with the following content:

```nix
# hosts/nb/modules/fingerprint.nix
{ config, pkgs, ... }:

{
  services.fprintd.enable = true;

  security.pam.services.login.fprintAuth = true;
  security.pam.services.sudo.fprintAuth = true;
  # Add other services like swaylock if needed
  # security.pam.services.swaylock.fprintAuth = true;
}
```

After rebuilding your NixOS configuration (`sudo nixos-rebuild switch`), you can enroll fingerprints for a user.

## Enrolling Fingerprints

To enroll a fingerprint for the current user:

```console
fprintd-enroll
```

Or for a specific user (e.g., `dominik`):

```console
fprintd-enroll dominik
```

Follow the on-screen prompts to scan your fingerprint multiple times.

## Verifying Enrollment

You can verify enrolled fingerprints:

```console
fprintd-verify
```

## Listing Enrolled Fingerprints

To see which fingers are enrolled for the current user:

```console
fprintd-list $(whoami)
```

Or for a specific user:

```console
fprintd-list dominik
```

## Deleting Fingerprints

To delete all fingerprints for the current user:

```console
fprintd-delete $(whoami)
```

Or for a specific user:

```console
fprintd-delete dominik
```

You can also delete specific fingerprints by their ID if you know it.