| Host | Platform | Description |
|---|---|---|
| torrent | NixOS (x86_64-linux) | Desktop workstation |
| work | nix-darwin (aarch64-darwin) | MacBook Pro for work |

- Clone this repository into `/etc/dotfiles`:

  ```sh
  sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
  sudo chown -R $USER /etc/dotfiles
  ln -fs /etc/dotfiles ~/.dotfiles
  ```

- Move to `/etc/dotfiles`:

  ```sh
  cd /etc/dotfiles
  ```

- Build and switch to the configuration:

  ```sh
  sudo nixos-rebuild switch --flake ".#${HOST}"
  ```

- Once you switch to the configuration, you can use `nh` to update the system (you may need to re-login before using `nh`):

  ```sh
  nh os switch
  ```

Some hosts (e.g., torrent) have Secure Boot enabled via Lanzaboote. For these hosts:

- Before installation, disable Secure Boot in your UEFI/BIOS settings.

- Complete the standard installation steps above.

- After the first boot, verify Secure Boot keys are generated:

  ```sh
  sudo sbctl status
  ```

- Reboot into UEFI/BIOS settings and enable Setup Mode (this clears existing Secure Boot keys).

  Note: Some BIOS menus may not have a "Setup Mode" option. In this case, delete all existing Secure Boot keys (PK, KEK, db, dbx) manually to enter Setup Mode.

- Reboot the system. Lanzaboote will automatically enroll the generated keys.

- Verify Secure Boot is working:

  ```sh
  sudo sbctl status
  ```

  You should see `Secure Boot: ✓ Enabled`.

Important: When Secure Boot is enabled, GRUB cannot be used. If you have a dual-boot environment, you need to select the OS from the boot menu (typically accessible via F8, F11, or F12 during boot).

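To confirm which step of the Secure Boot procedure above the firmware is actually in, independently of `sbctl`, the following added example (not part of this repository) reads the standard UEFI `SecureBoot` and `SetupMode` variables from efivarfs. The function names and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the dotfiles repository.
# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME
# Prints the first data byte (decimal) of a UEFI variable file.
# efivarfs files begin with a 4-byte attribute header, so the value is byte 5.
# Returns non-zero if the file is missing, unreadable or too short.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# secure_boot_phase [DIR]
# Prints one of:
#   no-efivars  variables not readable (legacy boot, or efivarfs not mounted)
#   disabled    keys may exist on disk, but the firmware is not enforcing
#               (expected after the first boot, before entering Setup Mode)
#   setup-mode  platform keys cleared; firmware accepts key enrollment
#   enforcing   keys enrolled and Secure Boot active (expected final state)
secure_boot_phase() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot) || { echo no-efivars; return 0; }
    sm=$(efivar_byte "$dir" SetupMode) || { echo no-efivars; return 0; }
    if [ "$sm" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Report the state of the machine this script runs on.
secure_boot_phase
```

If the result is still `setup-mode` after the final reboot, the keys were not enrolled and the firmware is not verifying the boot chain.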
Prerequisites:
- Nix package manager
- Homebrew (nix-darwin manages Homebrew casks but does not install Homebrew itself)

- Clone this repository into `/etc/dotfiles`:

  ```sh
  sudo git clone https://github.com/sei40kr/dotfiles.git /etc/dotfiles
  sudo chown -R $USER /etc/dotfiles
  ```

- Build and switch to the configuration:

  ```sh
  cd /etc/dotfiles
  darwin-rebuild switch --flake ".#${HOST}"
  ```

- Once you switch to the configuration, you can use `nh` to update the system (you may need to re-login before using `nh`):

  ```sh
  nh darwin switch
  ```

GPG signing keys are stored in Bitwarden as secure notes named `<hostname>: gpg-private.asc` and `<hostname>: gpg-revoke.asc`.

- Copy the content of `<hostname>: gpg-private.asc` from Bitwarden.

- Import the key:

  ```sh
  gpg --import
  # Paste the key content, then press Ctrl+D
  ```

- Trust the key:

  ```sh
  gpg --edit-key <KEY_ID>
  # Type: trust
  # Select: 5 (ultimate)
  # Type: quit
  ```

The revocation certificate (`<hostname>: gpg-revoke.asc`) should only be used if the key is compromised.