1. Installation of new servers

• install ubuntu 20.04
• get age key from SSH

curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-24.05 bash 2>&1 | tee /tmp/infect.log
nix-shell -p ssh-to-age --run 'ssh-keyscan install.cloonar.com | ssh-to-age'

• fix secrets files

nix-shell -p sops --run "sops updatekeys -y secrets.yaml"

• run install command

./install.sh example.com

2. Sops command

nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'

2. Web Server specific

• change the permissions for /var/www

chown nginx:nginx /var/www
chmod 755 /var/www

3. Net data

• Netdata data page: Add a node
• Once you got the token, we will claim it to associate it to a node:
• create /var/lib/netdata/cloud.d/token and write the token in it
• run nix-shell -p netdata --run "netdata-claim.sh -id=$(uuidgen)" as root
• your node should be registered in Netdata cloud

Borg Backup

add ssh key to hetzner cat ~/.ssh/id_rsa.pub | ssh -p23 u149513-subx@u149513-subx.your-backup.de install-ssh-key

4. Add new Host

sftp host.cloonar.com@git.cloonar.com:/config/bootstrap.sh ./

5. Yubikey

ykman fido access change-pin --new-pin 654321
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2

6. Wireguard

wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey
umask 0077; wg genpsk > psk

7. Hash for new packages

nix hash to-sri --type sha256 $(nix-prefetch-url https://tar.gz)

8. Fingerprint Reader Setup (e.g., on Framework Laptop with Goodix reader)

This section assumes you have configured fingerprint support in your NixOS configuration, for example, by creating and importing a module like hosts/nb/modules/fingerprint.nix with the following content:

# hosts/nb/modules/fingerprint.nix
{ config, pkgs, ... }:

{
  services.fprintd.enable = true;

  security.pam.services.login.fprintAuth = true;
  security.pam.services.sudo.fprintAuth = true;
  # Add other services like swaylock if needed
  # security.pam.services.swaylock.fprintAuth = true;
}

After rebuilding your NixOS configuration (sudo nixos-rebuild switch), you can enroll fingerprints for a user.

Enrolling Fingerprints

To enroll a fingerprint for the current user:

fprintd-enroll

Or for a specific user (e.g., dominik):

fprintd-enroll dominik

Follow the on-screen prompts to scan your fingerprint multiple times.

Verifying Enrollment

You can verify enrolled fingerprints:

fprintd-verify

Listing Enrolled Fingerprints

To see which fingers are enrolled for the current user:

fprintd-list $(whoami)

Or for a specific user:

fprintd-list dominik

Deleting Fingerprints

To delete all fingerprints for the current user:

fprintd-delete $(whoami)

Or for a specific user:

fprintd-delete dominik

You can also delete specific fingerprints by their ID if you know it.