README.md

File metadata and controls

90 lines (62 loc) · 3.51 KB

Intro

This repository is managed with Nix and nix-darwin. The design targets macOS first and foremost. It is based on the repositories of niklasravnsborg and drdruh.

Preliminary Considerations

Design

There are always many ways to do things, and everyone has their own preferences. All software and configuration here is chosen with OpSec, the CLI, keyboard-driven interaction and versioning first. It's nerdy, fast, customizable as hell and aesthetic.

What software is used?

Requirements

This repository assumes that you have already created a public/private key pair and stored it in the most secure place available to you (such as a smart card). If not, consider following the YubiKey Guide.[1]

Initial Setup

The admin account is not used for day-to-day work, as recommended by Apple itself.[2][3]

  • Create the admin account and log in to it
  • Create a standard account, log out of the admin account, log in to the standard account
  • Install Nix
  • Install Homebrew
  • Clone this repo to `~/Git/dotfiles`
  • Run `nix --extra-experimental-features "nix-command flakes" run nix-darwin -- switch --flake ~/Git/dotfiles`
  • Run `softwareupdate -ia` for software updates
  • Do a system cleanup: `softwareupdate -ia`

Hardening [3]

Secrets

Using a password manager of some sort is strongly recommended. Using one for configuration secrets comes with limits to consider, so I decided to use a second password manager for configuration and to encrypt those secrets with my YubiKey.[4]

macOS

Following Apple's best practices, hide the admin account and its home directory:

```sh
sudo dscl . create /Users/hiddenuser IsHidden 1
sudo chflags hidden /Users/hiddenuser
```

Then remove the share point for the hidden user's Public folder in an interactive dscl session:

```sh
sudo dscl
delete Local/Defaults/SharePoints/Hidden\ User's\ Public\ Folder/
exit
```
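The hardening step above sets two independent flags, one in directory services and one on the file system, and either can silently fail to apply. The following check verifies both; it is an added example and not part of the dotfiles repository. The account name is passed as an argument, and the two parsing helpers are split out so they can be exercised on constructed `dscl` and `ls -lO` output on any POSIX system.

```sh
#!/bin/sh
# Added example, not from the repository: verify that an account is really hidden.

# Return 0 when a `dscl . -read /Users/<name> IsHidden` record says IsHidden: 1.
# $1 is the record text (dscl prints single-valued attributes as "Key: value").
record_is_hidden() {
  printf '%s\n' "$1" | grep -q '^IsHidden: 1$'
}

# Return 0 when an `ls -ldO <dir>` line carries the BSD "hidden" flag.
# $1 is the ls line; on macOS the comma-separated flags are the fifth field
# ("-" when no flag is set).
listing_is_hidden() {
  printf '%s\n' "$1" | awk '{print $5}' | tr ',' '\n' | grep -qx 'hidden'
}

# Live check on macOS. Both conditions must hold, because the hardening step
# sets both: the IsHidden attribute hides the account from the login window,
# the chflags bit hides the home directory in Finder.
check_hidden_user() {
  name=$1
  rec=$(dscl . -read "/Users/$name" IsHidden 2>/dev/null) || rec=''
  line=$(ls -ldO "/Users/$name" 2>/dev/null) || line=''
  if record_is_hidden "$rec" && listing_is_hidden "$line"; then
    echo "$name: hidden (IsHidden=1, chflags hidden)"
    return 0
  fi
  echo "$name: NOT fully hidden" >&2
  return 1
}
```

Run it as `check_hidden_user hiddenuser` after applying the commands above; a non-zero exit means at least one of the two flags is missing.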

GPG

```sh
# Import the public key shipped in the repo and remember its key id
gpg --import /Users/knaggit/Git/dotfiles/gpg/0x7426E2F78A84EB06_knaggit.asc
export KEYID=0x7426E2F78A84EB06

# Load the launch agents for gpg-agent and its socket symlink; edit them if your paths differ
launchctl load "$HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist"
nano "$HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist"
launchctl load "$HOME/Library/LaunchAgents/gnupg.gpg-agent.plist"
nano "$HOME/Library/LaunchAgents/gnupg.gpg-agent.plist"

# Start the agent
gpg-connect-agent /bye

# Sign git commits with this key
git config --global user.signingkey "$KEYID"
```

SSH

Secrets

age, pass (with PGP), sops (age)

Daily Usage

Key Bindings

neomutt

lazygit

tmux

Connect to a public network

  • Deactivate NextDNS: `nextdns deactivate`
  • Connect to the network
  • Clear the DNS cache: `sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder`
  • Reactivate NextDNS: `nextdns activate`
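The risk in the sequence above is step two: if joining the network fails or the shell is interrupted, NextDNS stays deactivated and DNS filtering is silently off. The script below wraps the four steps so that reactivation is guaranteed by an `EXIT` trap. It is an added example, not part of the dotfiles repository; the `networksetup` join command is an assumed placeholder, and `DRY_RUN=1` prints the commands instead of executing them so the sequence can be checked off macOS.

```sh
#!/bin/sh
# Added example, not from the repository: join a public network with NextDNS
# paused, and re-enable it no matter how the join step ends.

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: $*"
  else
    "$@"
  fi
}

# Same cache flush as the manual step.
flush_dns_cache() {
  run sudo dscacheutil -flushcache
  run sudo killall -HUP mDNSResponder
}

# Usage: join_public_network <join command...>
# e.g.   join_public_network networksetup -setairportnetwork en0 CafeWifi
join_public_network() {
  run nextdns deactivate
  # Whatever happens from here on, NextDNS is reactivated when the shell exits:
  # a failed join, a Ctrl-C, or a later error all still trigger the trap.
  trap 'run nextdns activate' EXIT
  run "$@" || echo "join failed; NextDNS will still be reactivated on exit" >&2
  flush_dns_cache
}
```

Source the file and call `join_public_network` with the command that joins the network; the trap fires when the calling shell exits, so run it from a script rather than an interactive session if you want reactivation to happen immediately after the flush.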

References

Footnotes

  1. Yubikey-Guide

  2. Ways to avoid harmful software

  3. macOS-Security-and-Privacy-Guide

  4. Neomutt GNUpg and Pass Howto