Now `nixpkgs` will be pointing to a specific release, which has a much
smaller chance to unexpectedly break. Currently 23.11. The next one will
be 24.05, 24.11, etc.
NixOS *releases* receive security updates, but packages are upgraded
conservatively, thus don't generally break. As a result, we should need
to worry about NixOS upgrades every 6-12 months. The upgrade means "bump
the version number and try to build it". If it breaks, it will generally
break only then. Less reactive, more proactive surprises.
`flake.nix` was written by @thomaseizinger in
https://github.com/drduh/YubiKey-Guide/issues/406. Changes from the
original:
- change Gnome to xfce. Now it loads with 384MB of RAM and works well
with the simplest graphics (hello qemu).
- less nasty workaround for hopenpgp-tools. Fixed upstream
(https://github.com/NixOS/nixpkgs/pull/279117).
- do not default `copytoram`, user can select this option in the
bootloader.
Here is how to test it:
```
$ nix run .#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.vm
```
*Note for the maintainer*: it would be great if you could occasionally
run `nix flake update --commit-lock-file`, *especially* after updating
github.com/drduh/config.git.
Fixes#406
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Quote ISO URL, and add `$` RegExp end-of-string anchor to return only the ISO file and none of the other entries that contain `xfce.iso`.
This avoids unnecessary cURL errors.
4 months ago
3 changed files with 279 additions and 212 deletions
@ -99,7 +99,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
All YubiKeys except the blue "security key" model and the "Bio Series - FIDO Edition" are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). A list of the YubiKeys compatible with OpenPGP is available [here](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP). In May 2021, Yubico also released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details.
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/hc/en-us/articles/360013723419-How-to-Confirm-Your-Yubico-Device-is-Genuine) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
This website verifies YubiKey device attestation certificates signed by a set of Yubico certificate authorities, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
@ -121,11 +121,11 @@ This guide recommends using a bootable "live" Debian Linux image to provide such
With this image, you won't need to manually create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.