Dotfiles for NixOS.
It has LVM with LUKS encryption and is formatted in btrfs.
It uses a USB key to decrypt, and the USB stays usable for other things (like a honeypot).
Simple UI with Hyprland as compositor and waybar as bar.
Stylix is used as the theming framework.

    nix build .#nixosConfigurations.minimal-iso.config.system.build.isoImage
    ls result/

Write it to the USB:

    dd if=result/iso/nixos-minimal-<date-version>.iso of=/dev/sdX

    iso/scripts/setup.sh -p "<luks password>"
    iso/scripts/update-hardware.sh <hardware file>
    cp iso/minimal-configuration.nix .
    vim iso/minimal-configuration.nix <edit user, pass and hostname>
    systemctl reboot -i

This gives you a minimal installation; reboot and boot from the HD.

First edit flake.nix, default/config.nix and default/key.nix to make sure the user is changed to yours.
Also add hosts/<your host>/default.nix and hosts/<your host>/hardware.nix.

    sudo nixos-rebuild switch --flake .#<hostname>
    home-manager switch --flake .#<hostname>

    dd if=/dev/random of=hdd.key bs=4096 count=1
    # luksAddKey takes the LUKS device as its first argument, not the USB stick
    cryptsetup luksAddKey /dev/disk/by-uuid/<device uuid> ./hdd.key

First format your USB with fdisk and leave at least 6144 bytes before the first partition.
After that, format the partition as vfat and you will be able to use it like any other pen drive.
To finish, put the key after the first 2048 bytes.

    dd if=hdd.key of=/dev/disk/by-id/<usb id> bs=1 seek=2048

    boot.initrd = {
      luks.devices = {
        enc = {
          device = "/dev/disk/by-uuid/<device uuid>"; # LUKS device
          keyFileSize = 4096;
          keyFileOffset = 2048;
          keyFileTimeout = 10; # fall back to password after 10s
          keyFile = "/dev/disk/by-id/<usb id>";
        };
      };
    };

After this you will have a pen drive that works as normal media and also as a USB key.
Put some honeypot on it, and if someone finds it, they will not know it is a LUKS key.
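
A check for the layout described above, as an added example that is not part of this repository: it confirms that no MBR partition starts before byte 6144 (offset 2048 plus the 4096-byte key), that the bytes at the offset match hdd.key, and it flags a GPT label, whose entry array would overlap the key. `check_layout` and `sample_disk` are hypothetical names, 512-byte sectors are assumed, and the sample image is constructed.

```python
import struct, sys

SECTOR = 512        # assumption: 512-byte logical sectors
KEY_OFFSET = 2048   # keyFileOffset in the configuration above
KEY_SIZE = 4096     # keyFileSize in the configuration above

def check_layout(disk, key, offset=KEY_OFFSET, size=KEY_SIZE):
    """Return a list of problems found in the first bytes of the USB device."""
    problems, end = [], offset + size
    if len(key) != size:
        problems.append(f"key file is {len(key)} bytes, expected {size}")
    if disk[510:512] != b"\x55\xaa":
        return problems + ["no MBR signature: partition the device first"]
    # With 512-byte sectors a GPT normally keeps its partition-entry array
    # from byte 1024 onward, so a raw key written at byte 2048 lands inside it.
    if disk[512:520] == b"EFI PART":
        problems.append("GPT label: key region overlaps the partition entry array")
    for i in range(4):  # four primary MBR entries, 16 bytes each, from byte 446
        entry = disk[446 + 16 * i:462 + 16 * i]
        first_lba, sectors = struct.unpack("<II", entry[8:16])
        if entry[4] in (0x00, 0xEE) or sectors == 0:  # unused or protective entry
            continue
        if first_lba * SECTOR < end:
            problems.append(f"partition {i + 1} starts at byte {first_lba * SECTOR}, before {end}")
    if disk[offset:end] != key:
        problems.append("bytes at the key offset do not match the key file")
    return problems

def sample_disk(first_lba, key):
    """Constructed image: one FAT32 (type 0x0C) MBR partition plus the raw key."""
    disk = bytearray(16384)
    disk[446:462] = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x0C, b"\0" * 3, first_lba, 65536)
    disk[510:512] = b"\x55\xaa"
    disk[KEY_OFFSET:KEY_OFFSET + len(key)] = key
    return bytes(disk)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py /dev/disk/by-id/<usb id> hdd.key
        with open(sys.argv[1], "rb") as dev, open(sys.argv[2], "rb") as kf:
            found = check_layout(dev.read(KEY_OFFSET + KEY_SIZE), kf.read())
    else:
        sample_key = bytes(range(256)) * 16  # constructed sample key, not a secret
        found = check_layout(sample_disk(2048, sample_key), sample_key)
    print("\n".join(found) or "layout OK")
```

Run without arguments it checks the constructed image; with a device path and key file it reads only the first 6144 bytes of the device.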