to add a host:

- create the new nix targets
  - hosts/by-name/HOST
  - let the toplevel (impure.nix) know about HOST
  - let the other hosts know about this host (hosts/common/hosts.nix)
  - let sops know about the host's pubkey (.sops.yaml)
  - re-encrypt all sops keys in secrets/common
- build and flash an image
- optionally expand the rootfs
  - `cfdisk /dev/sda2` -> resize partition
  - `mount /dev/sda2 boot`
  - `btrfs filesystem resize max root`
- set up required persistent directories
  - `mkdir -p root/persist/private`
  - `gocryptfs -init root/persist/private`
  - then boot the device, and for every dangling symlink in ~/.local/share, ~/.cache, do `mkdir -p` on it
- set up host ssh
  - `mkdir -p root/persist/plaintext/etc/ssh/host_keys`
  - boot the machine and let it create its own ssh keys
  - add the pubkey to `hosts/common/hosts.nix`
- set up user ssh
  - `ssh-keygen`; don't enter any password: the key is stored in a password-encrypted fs
  - add the pubkey to `hosts/common/hosts.nix`
- allow the new host to view secrets
  - instructions in hosts/common/secrets.nix
  - run `ssh-to-age` on user/host pubkeys
  - add age key to .sops.yaml
  - update encrypted secrets: `find secrets -type f -exec sops updatekeys -y '{}' ';'`
- set up wireguard keys
  - `pk=$(wg genkey)`
  - `echo "$pk" | sops encrypt --filename-override secrets/$(hostname)/wg-home.priv.bin --output secrets/$(hostname)/wg-home.priv.bin`
  - `pub=$(echo "$pk" | wg pubkey)`
  - add pubkey to hosts/common/hosts.nix
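The "for every dangling symlink in ~/.local/share, ~/.cache, do `mkdir -p` on it" step above is the one that is easy to get wrong by hand, so here is a script for it. It is an added example, not part of this repository: it walks the given directories, finds symlinks whose target does not exist yet (the persistent store has not been populated on first boot), and creates the target directory. It assumes POSIX sh plus `find`, `readlink`, `dirname` and `mkdir`, that every such symlink is meant to point at a directory, and that no path contains a newline.

```shell
#!/bin/sh
# Added example (not the repository's own code): create the missing targets of
# dangling symlinks, as the persistence step in the notes describes.
# Assumptions: POSIX sh; symlink targets are directories; no newlines in paths.
fix_dangling_symlinks() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type l -print | while IFS= read -r link; do
            # -e follows the link, so a dangling symlink fails this test.
            [ -e "$link" ] && continue
            target=$(readlink "$link") || continue
            # A relative target is resolved against the symlink's own directory.
            case $target in
                /*) ;;
                *) target="$(dirname "$link")/$target" ;;
            esac
            mkdir -p -- "$target"
            printf 'created %s for %s\n' "$target" "$link"
        done
    done
}

# On the freshly booted host, run it over the two directories named in the notes:
#   fix_dangling_symlinks "$HOME/.local/share" "$HOME/.cache"
if [ "$#" -gt 0 ]; then
    fix_dangling_symlinks "$@"
fi
```

Run it as the user whose home directory is affected; because the function only ever calls `mkdir -p`, re-running it after more state has been persisted is harmless.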