dotfiles

March 24, 2026

Made with Doom Emacs

Hosts

| Host | Platform | Description |
|---|---|---|
| torrent | NixOS (x86_64-linux) | Desktop workstation |
| work | nix-darwin (aarch64-darwin) | MacBook Pro for work |

Install

NixOS (torrent)

  1. Clone this repository into /etc/dotfiles:

    sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
    sudo chown -R $USER /etc/dotfiles
    ln -fs /etc/dotfiles ~/.dotfiles
    
  2. Change into /etc/dotfiles:

    cd /etc/dotfiles
    
  3. Build and switch to the configuration:

    sudo nixos-rebuild switch --flake ".#${HOST}"
    
  4. Once you switch to the configuration, you can use nh to update the system (you may need to re-login before using nh):

    nh os switch
    

Secure Boot Setup (for hosts with Lanzaboote)

Some hosts (e.g., torrent) have Secure Boot enabled via Lanzaboote. For these hosts:

  1. Before installation, disable Secure Boot in your UEFI/BIOS settings.

  2. Complete the standard installation steps above.

  3. After the first boot, verify Secure Boot keys are generated:

    sudo sbctl status
    
  4. Reboot into UEFI/BIOS settings and enable Setup Mode (this clears existing Secure Boot keys).

    Note: Some BIOS menus may not have a "Setup Mode" option. In this case, delete all existing Secure Boot keys (PK, KEK, db, dbx) manually to enter Setup Mode.

  5. Reboot the system. Lanzaboote will automatically enroll the generated keys.

  6. Verify Secure Boot is working:

    sudo sbctl status
    

    You should see Secure Boot: ✓ Enabled.

Important

When Secure Boot is enabled, GRUB cannot be used. If you have a dual-boot environment, you need to select the OS from the boot menu (typically accessible via F8, F11, or F12 during boot).
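
An independent check for steps 4 and 6 of the Secure Boot setup, added here as an example and not part of this repository: it reads the firmware's SecureBoot and SetupMode variables directly from efivarfs. The function names and state labels are this example's own, and the default path assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example (not from the dotfiles repository).

# GUID of the UEFI global variable namespace, as defined by the UEFI specification.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs exposes each variable as 4 attribute bytes followed by its data.
# SecureBoot and SetupMode each carry a single data byte (0 or 1).
# Prints 0 or 1; returns non-zero if the variable is missing or malformed.
efi_flag() {
    dir=$1 name=$2
    file="$dir/$name-$EFI_GLOBAL_GUID"
    [ -r "$file" ] || return 1
    # od prints the five bytes as decimals; the fifth is the payload.
    set -- $(od -An -tu1 -N5 "$file")
    [ "$#" -eq 5 ] || return 1
    case $5 in
        0|1) printf '%s\n' "$5" ;;
        *) return 1 ;;
    esac
}

# Prints one of: enabled, disabled, setup-mode, inconsistent, unknown, not-uefi.
# Optional argument: directory to read instead of the real efivarfs mount.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "not-uefi"; return 0; }
    sb=$(efi_flag "$dir" SecureBoot) || { echo "unknown"; return 0; }
    sm=$(efi_flag "$dir" SetupMode) || { echo "unknown"; return 0; }
    case "$sm$sb" in
        10) echo "setup-mode" ;;    # after step 4: firmware accepts new keys
        01) echo "enabled" ;;       # after step 6: keys enrolled and enforced
        00) echo "disabled" ;;      # keys present but enforcement switched off
        *)  echo "inconsistent" ;;  # SetupMode=1 with SecureBoot=1 is not expected
    esac
}

secure_boot_state "$@"
```

Expect `setup-mode` after step 4 and `enabled` after step 6; `disabled` at step 6 means the keys were enrolled but Secure Boot still has to be turned on in the firmware settings.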

macOS (work)

Prerequisites:

  • Nix package manager
  • Homebrew (nix-darwin manages Homebrew casks but does not install Homebrew itself)

  1. Clone this repository into /etc/dotfiles:

    sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
    sudo chown -R $USER /etc/dotfiles
    
  2. Build and switch to the configuration (first time):

    cd /etc/dotfiles
    sudo nix --extra-experimental-features 'nix-command flakes' run nix-darwin -- switch --flake ".#${HOST}"
    
  3. Once you have switched to the configuration, nh becomes available. From the second time onwards, use it instead (you may need to re-login first):

    nh darwin switch
    

Commit Signing Setup

NixOS (GPG)

GPG signing keys are stored in Bitwarden as secure notes named <hostname>: gpg-private.asc and <hostname>: gpg-revoke.asc.

  1. Copy the content of <hostname>: gpg-private.asc from Bitwarden.
  2. Import the key:
    gpg --import
    # Paste the key content, then press Ctrl+D
    
  3. Trust the key:
    gpg --edit-key <KEY_ID>
    # Type: trust
    # Select: 5 (ultimate)
    # Type: quit
    

The revocation certificate (<hostname>: gpg-revoke.asc) should only be used if the key is compromised.

macOS (SSH)

Commits are signed with an SSH key via the macOS Keychain. SSH keys are stored in Bitwarden as SSH key items named <hostname>: <key-name>.

  1. Export the SSH key from Bitwarden to ~/.ssh/.
  2. Register the SSH key with Keychain:
    ssh-add --apple-use-keychain ~/.ssh/<private-key>
    
  3. Add the SSH public key to GitHub as a Signing key (Settings > SSH and GPG keys > New SSH key, Key type: "Signing key").

Acknowledgements