dotfiles
March 24, 2026
Hosts
| Host | Platform | Description |
|---|---|---|
| torrent | NixOS (x86_64-linux) | Desktop workstation |
| work | nix-darwin (aarch64-darwin) | MacBook Pro for work |
Install
NixOS (torrent)
- Clone this repository into `/etc/dotfiles`:

  ```sh
  sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
  sudo chown -R $USER /etc/dotfiles
  ln -fs /etc/dotfiles ~/.dotfiles
  ```

- Move to `/etc/dotfiles`:

  ```sh
  cd /etc/dotfiles
  ```

- Build and switch to the configuration:

  ```sh
  sudo nixos-rebuild switch --flake ".#${HOST}"
  ```

- Once you switch to the configuration, you can use `nh` to update the system (you may need to re-login before using `nh`):

  ```sh
  nh os switch
  ```
Secure Boot Setup (for hosts with Lanzaboote)
Some hosts (e.g., torrent) have Secure Boot enabled via Lanzaboote. For these hosts:
- Before installation, disable Secure Boot in your UEFI/BIOS settings.

- Complete the standard installation steps above.

- After the first boot, verify Secure Boot keys are generated:

  ```sh
  sudo sbctl status
  ```

- Reboot into UEFI/BIOS settings and enable Setup Mode (this clears existing Secure Boot keys).

  Note: Some BIOS menus may not have a "Setup Mode" option. In this case, delete all existing Secure Boot keys (PK, KEK, db, dbx) manually to enter Setup Mode.

- Reboot the system. Lanzaboote will automatically enroll the generated keys.

- Verify Secure Boot is working:

  ```sh
  sudo sbctl status
  ```

  You should see `Secure Boot: ✓ Enabled`.
Important
When Secure Boot is enabled, GRUB cannot be used. If you have a dual-boot environment, you need to select the OS from the boot menu (typically accessible via F8, F11, or F12 during boot).
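
To tell which step of the Secure Boot procedure above a host has reached, the `sbctl status` output can be classified with a small shell function. This is an added example, not part of the repository: the `secure_boot_stage` and `sample_status` helpers, the stage names and the sample output are constructed, and it assumes `sbctl status` prints each field as a label, a mark and a state word.

```shell
#!/bin/sh
# Added example: map `sbctl status` text (stdin) to a step of the procedure above.
# Assumes the "Label:<TAB><mark> State" line layout; stage names are hypothetical.
secure_boot_stage() {
    awk '
        # Drop the label, the check/cross mark and trailing whitespace; keep the state words.
        function state(s) {
            sub(/^[^:]*:[ \t]*/, "", s)
            sub(/^[^A-Za-z]+/, "", s)
            sub(/[ \t\r]+$/, "", s)
            return s
        }
        /^Installed:/   { installed = state($0) }
        /^Setup Mode:/  { setup = state($0) }
        /^Secure Boot:/ { sb = state($0) }
        END {
            if (installed ~ /not installed/)
                print "keys-missing"      # signing keys not generated yet
            else if (sb == "Enabled" && setup == "Disabled")
                print "enforcing"         # keys enrolled, Secure Boot on
            else if (setup == "Enabled")
                print "setup-mode"        # reboot so the keys get enrolled
            else if (sb == "Disabled")
                print "not-enforcing"     # keys exist; firmware step still pending
            else
                print "unknown"           # no recognisable status lines
        }'
}

# Constructed sample output, not captured from a real host.
sample_status() {  # args: installed text, Setup Mode state, Secure Boot state
    printf 'Installed:\t%s\nOwner GUID:\t00000000-0000-0000-0000-000000000000\n' "$1"
    printf 'Setup Mode:\t%s\nSecure Boot:\t%s\n' "$2" "$3"
}

# prints: enforcing
sample_status '✓ sbctl is installed' '✓ Disabled' '✓ Enabled' | secure_boot_stage
```

On a real host, run `sudo sbctl status | secure_boot_stage`; only `enforcing` corresponds to the final verification step having passed.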
macOS (work)
Prerequisites:
- Nix package manager
- Homebrew (nix-darwin manages Homebrew casks but does not install Homebrew itself)
- Clone this repository into `/etc/dotfiles`:

  ```sh
  sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
  sudo chown -R $USER /etc/dotfiles
  ```

- Build and switch to the configuration (first time):

  ```sh
  cd /etc/dotfiles
  sudo nix --extra-experimental-features 'nix-command flakes' run nix-darwin -- switch --flake ".#${HOST}"
  ```

- Once you switch to the configuration, `nh` becomes available. From the second time onwards (you may need to re-login):

  ```sh
  nh darwin switch
  ```
Commit Signing Setup
NixOS (GPG)
GPG signing keys are stored in Bitwarden as secure notes named `<hostname>: gpg-private.asc` and `<hostname>: gpg-revoke.asc`.

- Copy the content of `<hostname>: gpg-private.asc` from Bitwarden.

- Import the key:

  ```sh
  gpg --import
  # Paste the key content, then press Ctrl+D
  ```

- Trust the key:

  ```sh
  gpg --edit-key <KEY_ID>
  # Type: trust
  # Select: 5 (ultimate)
  # Type: quit
  ```

The revocation certificate (`<hostname>: gpg-revoke.asc`) should only be used if the key is compromised.
macOS (SSH)
Uses SSH key signing via macOS Keychain. SSH keys are stored in Bitwarden as SSH key items named `<hostname>: <key-name>`.

- Export the SSH key from Bitwarden to `~/.ssh/`.

- Register the SSH key with Keychain:

  ```sh
  ssh-add --apple-use-keychain ~/.ssh/<private-key>
  ```

- Add the SSH public key to GitHub as a Signing key (Settings > SSH and GPG keys > New SSH key, Key type: "Signing key").