nix-files/doc/adding-a-host.md

to add a host:

  • create the new nix targets
    • hosts/by-name/HOST
    • let the toplevel (flake.nix) know about HOST
  • build and flash an image
  • optionally expand the rootfs
    • cfdisk /dev/sda2 -> resize partition
    • mount /dev/sda2 boot
    • btrfs filesystem resize max root
  • setup required persistent directories
    • mkdir -p root/persist/private
    • gocryptfs -init root/persist/private
    • then boot the device and, for every dangling symlink in ~/.local/share and ~/.cache, mkdir -p the directory it points to
  • setup host ssh
    • mkdir -p root/persist/plaintext/etc/ssh/host_keys
    • boot the machine and let it create its own ssh keys
    • add the pubkey to hosts/common/hosts.nix
  • setup user ssh
    • ssh-keygen; don't set a passphrase, since the key is stored in a password-encrypted fs.
    • add the pubkey to hosts/common/hosts.nix
  • allow the new host to view secrets
    • instructions in hosts/common/secrets.nix
    • run ssh-to-age on the user and host pubkeys
    • add age key to .sops.yaml
    • update encrypted secrets: sops updatekeys path/to/secret.yaml
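The "mkdir -p on every dangling symlink" step of the persistent-directories setup above, written out as an added example script that is not part of the nix-files repo. It assumes POSIX sh with find, readlink and mkdir, and that every dangling link under the given trees is meant to point at a directory (as the step says); the function names are mine.

```shell
#!/bin/sh
# Added example (not code from the nix-files repo): after first boot,
# create the directory behind every dangling symlink under the given
# trees, i.e. the "mkdir -p on every dangling symlink in ~/.local/share
# and ~/.cache" step. Assumes POSIX sh, find, readlink and mkdir, and
# that every dangling link is meant to point at a directory.

# Print the absolute target of a symlink; a relative link target is
# resolved against the directory that contains the link.
link_target() {
  target=$(readlink "$1") || return 1
  case $target in
    /*) printf '%s\n' "$target" ;;
    *)  printf '%s/%s\n' "$(dirname "$1")" "$target" ;;
  esac
}

# Create the target directory of every dangling symlink below the
# directories given as arguments. Prints one line per directory created
# (nothing when there was nothing to do), so a second run is a no-op.
fix_dangling_symlinks() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    # -type l selects symlinks; "test -e" follows the link and fails
    # when the target is missing, so the negated -exec keeps only the
    # dangling ones. The loop runs in a subshell, hence output, not a
    # counter, carries the result back to the caller.
    find "$dir" -type l ! -exec test -e {} \; -print |
      while IFS= read -r link; do
        target=$(link_target "$link") || continue
        if mkdir -p "$target"; then
          printf '%s\n' "$target"
        else
          printf 'failed to create %s for %s\n' "$target" "$link" >&2
        fi
      done
  done
}

# Stand-alone use on a freshly booted host:
#   sh fix-dangling.sh "$HOME/.local/share" "$HOME/.cache"
if [ "$#" -gt 0 ]; then
  fix_dangling_symlinks "$@"
fi
```

Running it twice is safe: the second run finds no dangling links and prints nothing.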