
Installation notes

Instructions for setting up environments on various non-NixOS devices.

Work Laptop - Ubuntu 22.04

Assuming a fresh laptop provisioned with IT security tools.

Change user and disk passwords:

sudo passwd tedj
sudo cryptsetup luksChangeKey /dev/nvme0n1p3 -S 0
sudo cryptsetup --verbose open --test-passphrase /dev/nvme0n1p3

Import agenix key:

cp /mnt/tedj@work.agenix.key ~/.ssh/

Clear the way:

rm -r .bashrc .bash_logout .profile .config/user-dirs.* .sudo_as_admin_successful Public Templates

Install nix:

export NIX_CONFIG=$'use-xdg-base-directories = true\nextra-experimental-features = nix-command flakes'
sh <(curl -L --daemon
echo 'trusted-users = tedj' | sudo tee --append /etc/nix/nix.conf
sudo systemctl restart nix-daemon
. /nix/var/nix/profiles/default/etc/profile.d/
nix run home-manager -- switch --flake github:tedski999/dots#tedj@work --refresh
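The trusted-users step above appends a line to /etc/nix/nix.conf with tee. That is fine on a first run, but nix.conf settings are "last line wins": a second trusted-users line replaces any trusted-users line already in the file rather than extending it, and re-running the notes keeps appending duplicates. (The extra-trusted-users form appends to the value, but still duplicates on re-runs.) It is also worth remembering that the Nix manual treats membership in trusted-users as equivalent to root access, since a trusted user can set any daemon option, including substituters and sandboxing. The helper below is an added example, not code from the dots repo: it merges one token into a key's value and is safe to run repeatedly. The file path, key and token are arguments; the sample contents in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the dots repo): add a token to a key in nix.conf
# idempotently, instead of `echo ... | tee --append`, which duplicates lines on
# re-runs and, for a key that already exists, silently replaces its value.
#
# Usage (as root, since /etc/nix/nix.conf is root-owned):
#   ensure_conf_token /etc/nix/nix.conf trusted-users tedj

# Ensure TOKEN is present in the whitespace-separated value of KEY in FILE.
# Adds the key if absent, appends the token to an existing line if missing,
# and leaves the file untouched otherwise. Trailing '#' comments are kept.
ensure_conf_token() {
    file=$1; key=$2; token=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v token="$token" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            line = $0; comment = ""
            p = index(line, "#")
            if (p > 0) { comment = substr(line, p); line = substr(line, 1, p - 1) }
            p = index(line, "=")
            if (p > 0 && trim(substr(line, 1, p - 1)) == key) {
                found = 1
                value = trim(substr(line, p + 1))
                n = split(value, toks, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (toks[i] == token) { print; next }   # already present, keep line as-is
                newvalue = (value == "") ? token : value " " token
                suffix = (comment == "") ? "" : "  " comment
                print key " = " newvalue suffix
                next
            }
            print
        }
        END { if (!found) print key " = " token }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Writing the result back with cat rather than mv keeps the original owner and mode of nix.conf; mv would replace it with a 0600 file owned by whoever ran mktemp, which the daemon may then fail to read.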

Disable sudo password for tedj, admin_flag, env_reset and secure_path:

printf 'Defaults !admin_flag\ntedj ALL=(ALL) NOPASSWD: ALL\n' | sudo tee /etc/sudoers.d/qol
printf 'Defaults !env_reset\nDefaults !secure_path\n' | sudo tee /etc/sudoers.d/keep_env
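Piping straight into /etc/sudoers.d has two quiet failure modes: sudo skips fragment files whose name contains a '.' or ends in '~', so a typo in the name leaves the rule inactive with no error, and a fragment with a syntax error can break sudo for every user until it is repaired from a root shell. The fragments above also deserve a second look from a hardening standpoint: NOPASSWD plus !env_reset and !secure_path means anything running as tedj can become root with the calling environment, PATH included, carried through. The helper below is an added example, not code from the dots repo; it checks the name, syntax-checks the fragment with visudo when visudo is installed, and installs it with the 0440 mode sudo expects. SUDOERS_DIR is an assumed override for dry runs; the two usage lines mirror the fragments from the notes.

```shell
#!/bin/sh
# Added example (not from the dots repo): install a /etc/sudoers.d fragment
# only after checking it. SUDOERS_DIR defaults to /etc/sudoers.d; point it at
# a scratch directory to dry-run without root.

# Return 0 if NAME is a fragment name sudo will actually read, 1 otherwise.
# sudo ignores names containing '.' or ending in '~' (editor/package backups).
valid_sudoers_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write CONTENT (printf-style, \n for newlines) to a temp file, syntax-check it
# with visudo if available, then install it 0440 as SUDOERS_DIR/NAME.
# Returns non-zero without touching SUDOERS_DIR if any step fails.
install_sudoers_fragment() {
    name=$1
    content=$2
    dir=${SUDOERS_DIR:-/etc/sudoers.d}
    if ! valid_sudoers_name "$name"; then
        echo "refusing '$name': sudo ignores names containing '.' or ending in '~'" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    printf '%b' "$content" > "$tmp"
    # visudo -cf checks syntax only (owner/mode checks are skipped with -f);
    # it does not flag risky rules such as NOPASSWD, only malformed ones.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cqf "$tmp"; then
        echo "syntax error in fragment '$name', not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 "$tmp" "$dir/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, mirroring the two fragments from the notes (run as root):
#   install_sudoers_fragment qol 'Defaults !admin_flag\ntedj ALL=(ALL) NOPASSWD: ALL\n'
#   install_sudoers_fragment keep_env 'Defaults !env_reset\nDefaults !secure_path\n'
```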

Install the IT security tools (give helpdesk@ a heads-up). Note that google-chrome is pushed once the laptop is enrolled in WS1; you can then sign into the browser with Arista credentials.

Install system packages:

sudo apt install xdg-desktop-portal-wlr libspa-0.2-bluetooth

Add PAM integration for swaylock:

# TODO(swaylock) pam password authentication
echo "auth required" | sudo tee /etc/pam.d/swaylock

Import GPG subkeys:

gpg --import $XDG_RUNTIME_DIR/agenix/

Login to Bitwarden:

bw login

Connect to corporate Wi-Fi:

nmcli connection add type wifi con-name ARISTA-Corp ssid ARISTA-Corp -- \
    wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity tedj \
    802-1x.client-cert $XDG_RUNTIME_DIR/agenix/ \
    802-1x.private-key $XDG_RUNTIME_DIR/agenix/
nmcli connection edit ARISTA-Corp # set 802-1x.private-key-password, save, quit

Install arista-ssh-agent. You should also comment out the GSSAPIAuthentication yes line in /etc/ssh/ssh_config.

Disable some unneeded software:

sudo snap remove --purge firefox
sudo snap remove --purge gtk-common-themes
sudo snap remove --purge gnome-42-2204
sudo snap remove --purge snapd-desktop-integration
sudo snap remove --purge snap-store
sudo snap remove --purge core22
sudo snap remove --purge bare
sudo snap remove --purge snapd
sudo systemctl stop snapd
sudo systemctl stop snapd.socket
sudo apt purge snapd -y
sudo apt-mark hold snapd
sudo apt-get purge --auto-remove 'gnome*'
rm -r ~/snap

sudo apt-get update && sudo apt-get upgrade

Then reboot.

Work Server - AlmaLinux 9.3

Assuming a fresh homebus instance.

Import agenix key:

cp /mnt/tedj@wbus.agenix.key ~/.ssh/

Install nix:

export NIX_CONFIG=$'use-xdg-base-directories = true\nextra-experimental-features = nix-command flakes'
sh <(curl -L --no-daemon
. $HOME/.local/state/nix/profile/etc/profile.d/
nix-env --set-flag priority 0 nix
nix run home-manager/master -- switch --flake github:tedski999/dots#tedj@wbus --refresh

Disable sudo env_reset:

printf 'Defaults !env_reset\nDefaults !secure_path\n' | sudo tee /etc/sudoers.d/keep_env

The homebus and a4c nix stores are each managed separately so that the store does not live on NFS. After you create a new container, or whenever you want to update your home-manager profile, run ahome from within homebus to install or update every nix store instance at once, keeping them consistent with the NFS home:


Home Desktop - Windows 10 IoT Enterprise LTSC

Assuming a fresh install using a custom unattend.xml, activated with the appropriate key.

Connect to Internet. This will likely initiate installations of drivers in the background and require rebooting at a later stage.

Grab this if you don't want to bother with Microsoft Edge:

Invoke-WebRequest -Uri "" -OutFile "..."

Install additional drivers:

  • AMD chipset driver
  • MediaTek Bluetooth driver
  • MediaTek Wireless Lan driver

Configure and enable BitLocker:

  • gpedit.msc Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup:
    • Enabled
    • Allow BitLocker without a compatible TPM: True
    • Configure TPM startup: Do not allow TPM
    • Configure TPM startup PIN: Require startup PIN with TPM
    • Configure TPM startup key: Do not allow startup key with TPM
    • Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
  • gpedit.msc Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup:
    • Enabled
  • Control Panel System and Security\BitLocker Drive Encryption\Turn on BitLocker
    • Enter a PIN
    • Save encryption key to file
    • Encrypt used disk space only
    • New encryption mode
    • System check
    • Restart now

Configure Settings:

System\Display\DISPLAY 1\Advanced display\Choose a refresh rate: 100 Hz
System\Power\Power mode: Best Performance
System\Shared experiences\Share across devices: Off
System\Clipboard\Clipboard history: On
System\About\Rename this PC: SkiC, restart later
Personalization\Background\Personalize your background: Solid color\Custom colors\More\#1c1c1c
Personalization\Colors\Choose your mode: Dark
Personalization\Colors\Accent color: Manual\Navy Blue
Personalization\Start\Show recently added apps: Off
Personalization\Start\Show recommended files in Start, recent files in File Explorer, and items in Jump Lists: Off
Personalization\Start\Choose which folders appear on Start: File Explorer, Settings
Personalization\Taskbar\Combine taskbar buttons: Never
Personalization\Taskbar\Turn system icons on or off: Clock, Volume, Network, Power, Action Center
Personalization\Taskbar\Multiple displays\Show taskbar buttons on: Taskbar where window is open
Personalization\Taskbar\Multiple displays\Combine buttons on other taskbars: Never
Apps\Optional features: Notepad, OpenSSH Client, Windows Media Player
Apps\Microsoft Edge: Uninstall
Gaming\Xbox Game Bar\ Enable Xbox Game Bar: Off
Accessibility\Keyboard\Allow the shortcut key to start Sticky/Toggle/Filter Keys: Off
Search\Permissions & History\SafeSearch: Off
Search\Searching Windows\Find My Files: Enhanced
Privacy\Activity history\Store my activity history on this device: Off
Update & Security\For developers\File Explorer: Apply

Import agenix key:

Copy-Item "D:\ski@skic.agenix.key" -Destination "$env:LOCALAPPDATA"

Download dots:

New-Item -ItemType Directory -Force -Path "$((gi $env:temp).fullname)\dots"
New-Item -ItemType Directory -Force -Path "$($env:LOCALAPPDATA)\Programs"
Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\"
Expand-Archive -Path "$((gi $env:temp).fullname)\dots\" -DestinationPath "$((gi $env:temp).fullname)\dots"

Install age:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\"
Expand-Archive -Path "$((gi $env:temp).fullname)\dots\" -DestinationPath "$((gi $env:temp).fullname)\dots"
Copy-Item "$((gi $env:temp).fullname)\dots\age\age.exe" -Destination "$($env:LOCALAPPDATA)\Programs"
Copy-Item "$((gi $env:temp).fullname)\dots\age\age-keygen.exe" -Destination "$($env:LOCALAPPDATA)\Programs"

Install and configure syncthing (it will autostart on next login):

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\"
Expand-Archive -Path "$((gi $env:temp).fullname)\dots\" -DestinationPath "$((gi $env:temp).fullname)\dots"
Copy-Item "$((gi $env:temp).fullname)\dots\syncthing-windows-amd64-v1.27.12\syncthing.exe" -Destination "$($env:LOCALAPPDATA)\Programs"
New-Item -ItemType Directory -Force -Path "$($env:LOCALAPPDATA)\Syncthing"
& "$($env:LOCALAPPDATA)\Programs\age.exe" --decrypt --identity "$($env:LOCALAPPDATA)\ski@skic.agenix.key" --output "$($env:LOCALAPPDATA)\Syncthing\cert.pem" "$((gi $env:temp).fullname)\dots\dots-main\secrets\syncthing\ski_skic\cert.pem.age"
& "$($env:LOCALAPPDATA)\Programs\age.exe" --decrypt --identity "$($env:LOCALAPPDATA)\ski@skic.agenix.key" --output "$($env:LOCALAPPDATA)\Syncthing\config.xml" "$((gi $env:temp).fullname)\dots\dots-main\secrets\syncthing\ski_skic\config.xml.age"
& "$($env:LOCALAPPDATA)\Programs\age.exe" --decrypt --identity "$($env:LOCALAPPDATA)\ski@skic.agenix.key" --output "$($env:LOCALAPPDATA)\Syncthing\https-cert.pem" "$((gi $env:temp).fullname)\dots\dots-main\secrets\syncthing\ski_skic\https-cert.pem.age"
& "$($env:LOCALAPPDATA)\Programs\age.exe" --decrypt --identity "$($env:LOCALAPPDATA)\ski@skic.agenix.key" --output "$($env:LOCALAPPDATA)\Syncthing\https-key.pem" "$((gi $env:temp).fullname)\dots\dots-main\secrets\syncthing\ski_skic\https-key.pem.age"
& "$($env:LOCALAPPDATA)\Programs\age.exe" --decrypt --identity "$($env:LOCALAPPDATA)\ski@skic.agenix.key" --output "$($env:LOCALAPPDATA)\Syncthing\key.pem" "$((gi $env:temp).fullname)\dots\dots-main\secrets\syncthing\ski_skic\key.pem.age"
$SyncthingLnk = (New-Object -comObject WScript.Shell).CreateShortcut("$($env:APPDATA)\Microsoft\Windows\Start Menu\Programs\Startup\syncthing.lnk")
$SyncthingLnk.TargetPath = "$($env:LOCALAPPDATA)\Programs\syncthing.exe"
$SyncthingLnk.Arguments = "serve --no-console --no-browser --no-default-folder"
$SyncthingLnk.Save()  # the .lnk is not written to disk until Save() is called

Install Firefox:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\firefox-installer.exe"
& "$((gi $env:temp).fullname)\dots\firefox-installer.exe"

Install Steam:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\steam-installer.exe"
& "$((gi $env:temp).fullname)\dots\steam-installer.exe"

Install Discord:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\discord-installer.exe"
& "$((gi $env:temp).fullname)\dots\discord-installer.exe"

Install Prism:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\prism-installer.exe"
& "$((gi $env:temp).fullname)\dots\prism-installer.exe"

Install ckan:

Invoke-WebRequest -Uri "" -OutFile "$($env:LOCALAPPDATA)\Programs\ckan.exe"
$CkanLnk = (New-Object -comObject WScript.Shell).CreateShortcut("$($env:APPDATA)\Microsoft\Windows\Start Menu\Programs\ckan.lnk")
$CkanLnk.TargetPath = "$($env:LOCALAPPDATA)\Programs\ckan.exe"
$CkanLnk.Save()  # the .lnk is not written to disk until Save() is called

Install OpenTTD jgrpp:

Invoke-WebRequest -Uri "" -OutFile "$((gi $env:temp).fullname)\dots\"
Expand-Archive -Path "$((gi $env:temp).fullname)\dots\" -DestinationPath "$((gi $env:temp).fullname)\dots"
Copy-Item -Recurse "$((gi $env:temp).fullname)\dots\openttd-jgrpp-0.62.0-windows-win64" -Destination "$($env:LOCALAPPDATA)\Programs\openttd"
$OttdLnk = (New-Object -comObject WScript.Shell).CreateShortcut("$($env:APPDATA)\Microsoft\Windows\Start Menu\Programs\OpenTTD.lnk")
$OttdLnk.TargetPath = "$($env:LOCALAPPDATA)\Programs\openttd\openttd.exe"
$OttdLnk.Save()  # the .lnk is not written to disk until Save() is called