vessel

Hardened NixOS workstation, meticulously tailored home-manager, and universal dev shell

100% reproducible from this repository.

Badges: flake check · NixOS · License: MIT


Iridium · Jaxxen's home-manager · Dev shell


Iridium

About

  • System: NixOS + Zen kernel + Lanzaboote (Secure Boot) + NVIDIA drivers + CUDA
  • Disk: LUKS2 (argon2id, iter-time 5000) → btrfs subvolumes
  • Impermanence: Rollback service wipes @ and @home on every boot; declared portions of state persist at /persist
  • Rehomify: Standalone home-manager configuration(s) reapplied on boot via Rehomify
  • Secrets: sops-nix/age, age key derived from SSH host key at /var/lib/ssh/ssh_host_ed25519_key
  • Network: NetworkManager + DHCP + Tailscale (tag:iridium)

Installation

Note

iridium/disks.nix targets /dev/nvme0n1. Verify your drive with lsblk and adjust if needed.

In the NixOS installer:

passwd nixos # use a 7+ word passphrase

From your dev machine:

# replace TARGET_IP
ssh nixos@TARGET_IP

While SSH'd into the installer:

sudo -i
git clone https://github.com/jx-wi/vessel.git
nix --experimental-features "nix-command flakes" run nixpkgs#disko -- --mode destroy,format,mount vessel/iridium/disks.nix
nixos-generate-config --root /mnt --no-filesystems --dir vessel/iridium
mkdir -p /mnt/persist/etc/nixos
cp -a vessel/. /mnt/persist/etc/nixos
nix --experimental-features "nix-command flakes" run nixpkgs#sbctl -- create-keys
mkdir -p /mnt/var/lib
mkdir -p /mnt/persist/var/lib
cp -r /var/lib/sbctl /mnt/var/lib/
cp -r /var/lib/sbctl /mnt/persist/var/lib/
nixos-install --flake /mnt/persist/etc/nixos#iridium
exit
exit

After the second exit, inject the SSH host key from your dev machine (with age key loaded):

Note

sops-nix derives its age decryption key from the SSH host key. The key must exist before first boot or sops cannot decrypt any secret — including the user password and Tailscale auth key. On Iridium, /var/lib lives under impermanence persistence, so the injection target is /mnt/persist/var/lib/ssh/ rather than /mnt/etc/ssh/.

# replace REPO_DIR and TARGET_IP
cd REPO_DIR

sops --extract '["ssh_host_ed25519_key"]' -d secrets/iridium/ssh.yaml \
  | ssh nixos@TARGET_IP \
    "sudo mkdir -p /mnt/persist/var/lib/ssh && sudo tee /mnt/persist/var/lib/ssh/ssh_host_ed25519_key > /dev/null && sudo chmod 600 /mnt/persist/var/lib/ssh/ssh_host_ed25519_key"

If all seems well, reboot Iridium.
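Before rebooting it is worth confirming that first boot will find what it needs: the injected host key must be a real OpenSSH private key with mode 600 (sops-nix derives the age identity from it, so anything wider leaks every secret), and the two copies of the sbctl key directory must be identical. The following pre-reboot check is an added example, not code from the vessel repository. It assumes the persistence paths used in the steps above (all overridable via `MNT`, `HOST_KEY`, `SBCTL_LIVE`, `SBCTL_PERSIST`), derives the age recipient with `ssh-keygen -y` piped into `ssh-to-age` only when you pass an expected recipient (a placeholder you take from your own `.sops.yaml`), and the script name `preflight.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the vessel repository. Pre-reboot checks for the
# install steps above: the injected SSH host key must be a private OpenSSH key
# with mode 600, and the two copies of the sbctl key directory must match.
MNT=${MNT:-/mnt}
HOST_KEY=${HOST_KEY:-$MNT/persist/var/lib/ssh/ssh_host_ed25519_key}
SBCTL_LIVE=${SBCTL_LIVE:-$MNT/var/lib/sbctl}
SBCTL_PERSIST=${SBCTL_PERSIST:-$MNT/persist/var/lib/sbctl}

# check_host_key FILE [EXPECTED_AGE_RECIPIENT]
# With a second argument and ssh-to-age on PATH, also derives the age recipient
# from the key (ssh-keygen -y prints the public half) and compares it with the
# recipient (age1...) the secrets were encrypted to.
check_host_key() {
  f=$1
  want=${2:-}
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ "$(head -n 1 "$f")" = '-----BEGIN OPENSSH PRIVATE KEY-----' ] \
    || { echo "not an OpenSSH private key: $f" >&2; return 1; }
  # exact mode match: a 640 or 644 key would expose the age identity
  [ -n "$(find "$f" -maxdepth 0 -perm 600)" ] \
    || { echo "mode must be 600: $f" >&2; return 1; }
  if [ -n "$want" ] && command -v ssh-to-age >/dev/null 2>&1; then
    got=$(ssh-keygen -y -f "$f" | ssh-to-age) || return 1
    [ "$got" = "$want" ] \
      || { echo "key derives to $got, expected $want" >&2; return 1; }
  fi
  return 0
}

# check_sbctl_copies DIR_A DIR_B
# Both sbctl key directories must exist, be non-empty and be byte-identical,
# otherwise the keys enrolled after first boot will not match the persisted ones.
check_sbctl_copies() {
  a=$1
  b=$2
  [ -d "$a" ] && [ -d "$b" ] || { echo "missing sbctl dir: $a or $b" >&2; return 1; }
  [ -n "$(ls -A "$a")" ] || { echo "empty sbctl dir: $a" >&2; return 1; }
  diff -r "$a" "$b" >/dev/null || { echo "sbctl copies differ" >&2; return 1; }
  return 0
}

# preflight [EXPECTED_AGE_RECIPIENT]: exit status 0 means it is safe to reboot
preflight() {
  check_host_key "$HOST_KEY" "${1:-}" \
    && check_sbctl_copies "$SBCTL_LIVE" "$SBCTL_PERSIST"
}

# Usage from the installer's root shell (hypothetical file name):
#   sh preflight.sh && reboot
```

Run it as root on the installer after the `sops ... | ssh ...` step; if it fails, repeat the corresponding step rather than rebooting, since a wrong key means sops cannot decrypt the user password on first boot.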

Secure Boot

Warning

Secure Boot does little to secure anything if no UEFI password is set, since anyone at the console could simply disable it. If you don't already have a UEFI password set and you actually want the security benefits of Secure Boot, configure that password after completing this section. Some UEFIs have a setting that allows the password to be reset by a hardware trick; make sure you understand the implications of this and have your password backed up before disabling that setting.

Reboot into Iridium's UEFI, ensure Secure Boot is disabled, clear the current Secure Boot keys, apply your changes and reboot back into NixOS.

Once back in NixOS, log in / SSH in and run:

sudo sbctl enroll-keys --microsoft

Warning

--microsoft keeps Microsoft's UEFI CA enrolled alongside your own keys. This is required on most consumer motherboards, whose GPU option ROMs are signed by Microsoft; omit it only if you are certain your firmware has no Microsoft-signed components.

Reboot into UEFI again and re-enable Secure Boot. Apply your changes, reboot back into NixOS, and verify the status of Secure Boot with:

sbctl status

TPM2 automatic LUKS unlock

If you have properly set up Secure Boot, you may want to use TPM2 to unlock Iridium's LUKS volume automatically.

To do this safely, bind LUKS to the TPM against PCR 0+7 (firmware code and Secure Boot state, so the key is only released when both are unchanged):

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2

Reboot and verify LUKS unlocks automatically without a passphrase prompt.
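The Secure Boot and TPM2 sections above both hinge on the same condition: PCR 7 only protects the LUKS key if Secure Boot is actually enabled and the firmware is out of Setup Mode when you enroll, otherwise the TPM seals the key to an unverified boot chain and will happily release it in that state. The check below is an added example, not code from the vessel repository; it reads the `SecureBoot` and `SetupMode` variables straight from efivarfs instead of parsing `sbctl status` output. It assumes the standard EFI global variable GUID, the Linux efivarfs mount at `/sys/firmware/efi/efivars` (overridable via `EFIVARS_DIR`), and the `/dev/nvme0n1p2` device from the command above.

```shell
#!/bin/sh
# Added example, not part of the vessel repository. Refuse a TPM2 enrollment
# bound to PCR 0+7 unless Secure Boot is enabled and Setup Mode is off.
# EFI_GLOBAL_VARIABLE GUID, as defined by the UEFI specification.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}

# efivar_byte FILE
# efivarfs exposes a 4-byte attribute header followed by the variable data; for
# SecureBoot and SetupMode the data is a single byte (1 = true, 0 = false).
# Prints that byte as a decimal, or "missing" if the variable is not present.
efivar_byte() {
  if [ ! -r "$1" ]; then
    echo missing
    return 0
  fi
  od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secureboot_state SECUREBOOT_FILE SETUPMODE_FILE
# Prints one of: enabled, setup-mode, disabled, unsupported.
# Setup Mode is checked first: with it on, "SecureBoot=1" is not enforced.
secureboot_state() {
  sb=$(efivar_byte "$1")
  sm=$(efivar_byte "$2")
  if [ "$sb" = missing ]; then
    echo unsupported
  elif [ "$sm" = 1 ]; then
    echo setup-mode
  elif [ "$sb" = 1 ]; then
    echo enabled
  else
    echo disabled
  fi
}

# tpm2_enroll_preflight [DEVICE]
# Returns 0 and prints the enrollment command only when PCR 7 is meaningful.
tpm2_enroll_preflight() {
  dev=${1:-/dev/nvme0n1p2}
  state=$(secureboot_state \
    "$EFIVARS_DIR/SecureBoot-$EFI_GLOBAL_GUID" \
    "$EFIVARS_DIR/SetupMode-$EFI_GLOBAL_GUID")
  case "$state" in
    enabled)
      echo "Secure Boot enabled, firmware out of Setup Mode; safe to run:"
      echo "  sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $dev"
      return 0
      ;;
    *)
      echo "refusing: Secure Boot state is '$state'; a PCR 0+7 policy would seal the LUKS key to an unverified boot chain" >&2
      return 1
      ;;
  esac
}

# Usage: sh tpm2-preflight.sh && sudo systemd-cryptenroll ... (hypothetical file name)
```

The same `secureboot_state` function also doubles as a post-enrollment sanity check: if it ever reports `setup-mode` or `disabled` on a machine that still unlocks without a passphrase, PCR 7 did not change as expected and the binding is not protecting the volume.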


Jaxxen's home-manager

About

  • Standalone home-manager: No elevated permissions required to manage your user-level configurations
  • Zsh: Powerlevel10k instant prompt + autosuggestions + syntax highlighting + vim-style navigation
  • Nixvim: Treesitter + LSP for nix/md/js/ts/py
  • Desktop: Personalized Hyprland + Ghostty + Rofi + Dunst + LibreWolf
  • Theme: Maple Mono NF + TokyoNight Night (Ghostty) + Catppuccin Mocha (Nixvim) + Graphite Black (GTK/Qt)

Installation

While logged in as jaxxen:

nh home switch github:jx-wi/vessel

Dev shell

About

  • Universal: Accessible from any system with Nix via a single command
  • Zsh: Powerlevel10k instant prompt, autosuggestions, syntax highlighting, & vim-style navigation
  • Nixvim: Treesitter, LSP for nix+md+js+ts+py, Catppuccin Mocha theme
  • Packages: nh, git, sops, age, ssh-to-age, ...

Usage

nix develop github:jx-wi/vessel
