git clone https://github.com/prius/ansible-playbooks.git
cd ansible-playbooks
git submodule update --init --recursive
Apply local configuration changes
./bootstrap.sh common-desktop.yml LOCAL
Apply upstream config
./bootstrap.sh common-desktop.yml REMOTE
Dry run
./check.sh common-desktop.yml LOCAL
UI: nix-shell -p yubikey-manager-qt --run ykman-gui
UI2: nix-shell -p yubikey-personalization-gui --run yubikey-personalization-gui
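#!/bin/sh
# Register the plugged-in key for the current user in a temporary per-user file
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
# Make sure the new entry ends with a newline
echo >> ~/.config/Yubico/u2f_keys
# Append the new registration to the system-wide authfile
U2F_KEYS=/etc/Yubico/u2f_keys
sudo mkdir -p /etc/Yubico
sudo touch "${U2F_KEYS}"
test -f ~/.config/Yubico/u2f_keys && cat ~/.config/Yubico/u2f_keys | sudo tee -a "${U2F_KEYS}"
rm -rf ~/.config/Yubico
# Add pam_u2f to common-auth only if it is not there yet.
# nouserok: users with no entry in the authfile are let through without a key.
# cue: print a prompt to touch the device.
if ! grep -q pam_u2f.so /etc/pam.d/common-auth
then
    echo "auth required pam_u2f.so nouserok authfile=${U2F_KEYS} cue" | sudo tee -a /etc/pam.d/common-auth
fi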
Then merge entries for a single user into one line, for example
<username>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:<KeyHandle3>,<UserKey3>,<CoseType3>,<Options3>
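One way to do this merge mechanically, as an added example that is not part of this repository: a POSIX shell function that reads an authfile with one line per registration, as the script above produces, and prints one line per user in the format shown. The function names `merge_u2f_keys` and `sample_authfile` and the sample credentials are made up for illustration.

```shell
#!/bin/sh
# Added example: collapse a pam_u2f authfile to one line per user.

# Reads an authfile on stdin, writes the merged file to stdout.
# Users keep their first-seen order; repeated registrations of the
# same credential are written once; lines without credentials are dropped.
merge_u2f_keys() {
    awk -F: '
        /^[ \t]*$/ { next }   # blank lines left by the registration script
        {
            user = $1
            # Fields 2..NF are credentials: KeyHandle,UserKey,CoseType,Options
            for (i = 2; i <= NF; i++) {
                cred = $i
                if (cred == "" || (user, cred) in have) continue
                have[user, cred] = 1
                if (!(user in merged)) order[++n] = user
                merged[user] = merged[user] ":" cred
            }
        }
        END { for (j = 1; j <= n; j++) print order[j] merged[order[j]] }
    '
}

# Constructed sample input (not real key material): three registrations
# for alice, one of them repeated, an empty line, and one for bob.
sample_authfile() {
    cat <<'EOF'
alice:KH1aaa,UK1aaa,es256,+presence

alice:KH2bbb,UK2bbb,es256,+presence
bob:KH3ccc,UK3ccc,es256,+presence
alice:KH1aaa,UK1aaa,es256,+presence
EOF
}

# Demo run on the constructed sample
sample_authfile | merge_u2f_keys
```

To apply it to the real file, write the output to a temporary file, review it, and then copy it over /etc/Yubico/u2f_keys with sudo. Keep a root shell open until a fresh login has been tested.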
If the key doesn't work in chromium, try replugging it.
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,password
systemctl restart sshd
To enable screen capture in chromium set the following flags:
- chrome://flags/#enable-webrtc-pipewire-camera -> Enabled
- chrome://flags/#ozone-platform-hint -> Wayland
- Create ponysay backport https://github.com/fspv/ponysay-deb
- Test all vagrant scenarios locally
- Test if nix builds
- wayland apps can't be tested in vagrant, so test them locally if possible
A valid strategy to avoid formatting the entire disk is to install Ubuntu on a flash drive and just copy files into the old root partition.
After that you can do something like this to make it bootable again:
sudo cryptsetup luksOpen /dev/nvme0n1p3 test
sudo mount /dev/disk/by-id/dm-name-vgubuntu-root /mnt
sudo mount /dev/disk/by-id/dm-name-vgubuntu-home /mnt/home
sudo mount /dev/nvme0n1p2 /mnt/boot
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
sudo mount --bind /dev /mnt/dev
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo chroot /mnt
Then you can copy the old /etc/fstab and /etc/crypttab to the new system. When you format a partition, its UUID changes, so you need to update /etc/crypttab and /etc/fstab.
Finally, you can update grub with
update-initramfs -k all -u
update-grub
grub-install /dev/nvme0n1
If everything is done correctly, the system should boot again.
https://wiki.debian.org/InitramfsDebug
- Try adding the break parameter to the kernel command line
- Inspect initrd image contents with lsinitramfs /boot/initrd.img
- You can unpack the initramfs image with unmkinitramfs /boot/initrd.img /tmp/initrd
- Try to explore differences between working and non-working initramfs images with diffoscope --exclude-directory-metadata=yes /tmp/initrd1 /tmp/initrd2 (can be installed with nix-shell -p diffoscope)
Recent initramfs bugs can be found here https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bugs?orderby=-id&start=0