Adam C. Stephens adamcstephens

Initial checks

Start by checking that there aren't any previous ssh keys inside the FIDO2 authenticator of your YubiKey. You can check if they exist by running the command below:

nix shell nixpkgs#yubikey-manager -c ykman fido credentials list

If the command above outputs a string mentioning "ssh" or "openssh", then you have already got a key generated and store on your YubiKey.

Evaluating additional authentication factors

Before generating a new ssh key to store on your YubiKey you must consider which additional required authentication factors you want to use. Below you can see a table with the available factors and their corresponding command:

SSH Authentication with TPM 2.0 and PKCS#11 on Arch Linux

Hardware: a TPM 2.0 module based on Infineon SLB9665 cryptographic processor available in the system as /dev/tpmrm0.

Installation

Required software:

# pacman -S tpm2-tools tpm2-pkcs11

Create a systemd template unit for Envoy proxies with Consul

This brief tutorial will walk through the process of creating a systemd template unit file for starting Envoy sidecars for use with Consul service mesh.

Template unit files allow systemd to address multiple units from a single configuration file. You can call a systemd template unit file using a special format to use this feature:

	{ lib, ... }:
	{
	# Enable forwarding between all interfaces, restrictions between
	# individual links are enforced by firewalling.
	boot.kernel.sysctl = {
	"net.ipv6.conf.all.forwarding" = lib.mkForce 1;
	"net.ipv4.forward" = lib.mkForce 1;
	};

	systemd.network.config = {

	{
	description = "Nerves build environment";

	inputs = {
	nixpkgs = { url = "github:NixOS/nixpkgs/nixos-22.11"; };
	flake-utils = { url = "github:numtide/flake-utils"; };
	};

	outputs = { self, nixpkgs, flake-utils }:
	flake-utils.lib.eachDefaultSystem (system:

	;; minimal version of my Emacs setup which approximates the effective points per inch on your screen
	;; and then selects your default font pts based on that
	;; Also works on wayland / WSLg because it parses out physical dims from weston.log (necessary in 2023-01)
	;; LIMITATION: Will probably not work on multi-monitor setups. Exercise for the reader!
	;; BSD 3-clause copyright Charl P. Botha <[email protected]>

	(defun get-mon-attr (which)
	(cdr (assoc which (car (display-monitor-attributes-list)))))

	(defun get-monitor-width-mm ()

	from qobuz_dl.bundle import Bundle

	bundle = Bundle()
	app_id = bundle.get_app_id()
	secrets = "\n".join(bundle.get_secrets().values())

	print(f"App ID: {app_id}")

	print("#" * 20)

	#!/sbin/openrc-run

	name="nix-daemon"
	description="Nix Daemon"
	supervisor="supervise-daemon"
	command="/nix/var/nix/profiles/default/bin/nix-daemon"
	pidfile="/run/${RC_SVCNAME}.pid"
	command_background=true

	wget https://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/aarch64/alpine-virt-3.15.0-aarch64.iso -O alpine.iso #or whatever versions suits you best
	dd if=alpine.iso of=/dev/sda

	mkdir /media/setup
	cp -a /media/sda/* /media/setup
	mkdir /lib/setup
	cp -a /.modloop/* /lib/setup
	/etc/init.d/modloop stop
	umount /dev/sda
	mv /media/setup/* /media/sda/

	{ pkgsPath ? <nixpkgs>
	, pkgs ? import pkgsPath { system = "aarch64-linux"; } }:
	let
	thirtythree = import (pkgs.path + "/nixos") {
	configuration = {
	nixpkgs.system = "aarch64-linux";
	imports = [
	./configuration.nix ./firmware.nix
	];
	boot.loader.grub.enable = false;