1.5 KiB
1.5 KiB
to add a host:
- create the new nix targets
- hosts/by-name/HOST
- let the toplevel (impure.nix) know about HOST
- let the other hosts know about this host (hosts/common/hosts.nix)
- let sops know about the host's pubkey (.sops.yaml)
- re-encrypt all sops keys in secrets/common
- build and flash an image
- optionally expand the rootfs
cfdisk /dev/sda2-> resize partitionmount /dev/sda2 bootbtrfs filesystem resize max root
- setup required persistent directories
mkdir -p root/persist/privategocryptfs -init root/persist/private- then boot the device, and for every dangling symlink in ~/.local/share, ~/.cache, do
mkdir -pon it
- setup host ssh
mkdir -p root/persist/plaintext/etc/ssh/host_keys- boot the machine and let it create its own ssh keys
- add the pubkey to
hosts/common/hosts.nix
- setup user ssh
ssh-keygen. don't enter any password; it's stored in a password-encrypted fs.- add the pubkey to
hosts/common/hosts.nix
- allow the new host to view secrets
- instructions in hosts/common/secrets.nix
- run
ssh-to-ageon user/host pubkeys - add age key to .sops.yaml
- update encrypted secrets:
find secrets -type f -exec sops updatekeys -y '{}' ';'
- setup wireguard keys
pk=$(wg genkey)echo "$pk" | sops encrypt --filename-override secrets/$(hostname)/wg-home.priv.bin --output secrets/$(hostname)/wg-home.priv.binpub=$(echo "$pk" | wg pubkey)- add pubkey to hosts/common/hosts.nix