From dd929d89d3a0e07390c7aa3f7aff5ae33294016f Mon Sep 17 00:00:00 2001
From: imterah
Date: Mon, 5 May 2025 16:28:37 -0400
Subject: [PATCH] fix: Fix more installation errors and potential security flaws

---
 .sops.yaml | 8 +++++---
 README.md | 16 ++++++++++++----
 SETUP.md | 1 -
 hosts/andromeda/configuration.nix | 10 ++++++----
 system/impermanence.nix | 2 +-
 system/sops.nix | 7 +++++--
 6 files changed, 29 insertions(+), 15 deletions(-)
 delete mode 100644 SETUP.md

diff --git a/.sops.yaml b/.sops.yaml
index 7d126d1..18e35ab 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 keys:
-  - &primkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+  - &userkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+  - &hostkey age1g2qdzlgqsnuz2mc2cwlt5up3d9h8krkquhryt76e2j47dzgz498sudy45e
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *primkey
+      - age:
+          - *userkey
+          - *hostkey
diff --git a/README.md b/README.md
index a5065e4..c974c9e 100644
--- a/README.md
+++ b/README.md
@@ -8,9 +8,11 @@ This is a work-in-progress and currently DOES NOT WORK. Please check back later.
 ## Setup
-### Bootstrapping a New Device
+### Setting up Sops
-This guide assumes you have a somewhat sane sops setup.
+TODO.
+
+### Bootstrapping a New Device
 1. First, boot the NixOS live environment (minimal ISO is recommended).
 2. Then, get the harddrive ID using `lsblk` or `fdisk -l`:
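Review bot: Adding `&hostkey` to the `key_groups` entry changes the recipients of future encryptions only; any file that was already encrypted to `&primkey` alone has to be rewritten (`sops updatekeys <file>`) before the host's key can decrypt it, and neither this hunk nor the README steps the commit adds mention that. Also, `system/sops.nix` reads `${secretspath}/secrets.yaml` from `inputs.nix-secrets`, a separate input; if that is where the host's secrets actually live, the creation rule that governs them is the one in that repository, and this `.sops.yaml` only covers files under `secrets/` in this repo. The unchanged `path_regex` does not match `.pub` files, so the `data/id_user.pub` move elsewhere in this commit is consistent with it.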
@@ -46,5 +48,11 @@ This guide assumes you have a somewhat sane sops setup.
 4. Add the host to `flake.nix`.
 5. Modify the disko configuration for our host to use the correct disk ID that we found earlier.
 6. Make any other additional modifications if needed.
-7. Copy/clone the configuration over to the host to install.
-8. Run `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount -f "$PWD#hostname"` to prepare the disk, replacing `hostname` with the host you want to switch to (ex. `andromeda`).
+
+### Installing the Configuration
+
+1. Copy/clone the configuration over to the host to install.
+2. Copy the sops key data to the host you are installing on (sops `key.txt` and `ssh_host_ed25519_key` to `/var/lib/sops-nix/`)
+3. Run `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount -f "$PWD#hostname"` to prepare the disk, replacing `hostname` with the host you want to install (ex. `andromeda`).
+4. Before installing, prepare sops inside the mounted filesystem: `sudo mkdir -p /mnt/persist/var/lib/sops-nix/; sudo cp -r /var/lib/sops-nix/ /mnt/persist/var/lib/sops-nix/`
+5. Run `sudo nixos-install --flake "$PWD#hostname"` to install the OS, replacing `hostname` with the host you want to install (ex. `andromeda`).
diff --git a/SETUP.md b/SETUP.md
deleted file mode 100644
index 8b13789..0000000
--- a/SETUP.md
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
index 5114c4f..50eb5d4 100755
--- a/hosts/andromeda/configuration.nix
+++ b/hosts/andromeda/configuration.nix
@@ -30,11 +30,10 @@
     extraGroups = [
       "wheel"
       "networkmanager"
-      "docker"
     ];
     openssh.authorizedKeys.keys = [
-      (builtins.readFile ../../secrets/id_user.pub)
+      (builtins.readFile ../../data/id_user.pub)
     ];
   };
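Review bot: Dropping `"docker"` from `extraGroups` is the security-relevant line of this hunk (members of that group can drive the daemon socket, which is effectively root on the host), but nothing records that it was deliberate, so the next permission error on a `docker` command will likely put it back; a comment such as `# no "docker" here on purpose: membership in that group is root-equivalent` next to the list would keep it out. Moving `id_user.pub` from `secrets/` to `data/` is consistent, since a public key is not a secret and `.sops.yaml`'s rule only matches `secrets/*.{yaml,json,env,ini}` anyway. The enclosing user definition starts and ends outside the hunk.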
@@ -45,10 +44,13 @@
   boot.supportedFilesystems = [];
   # Services
-  services.docker.enable = true;
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "btrfs";
+  };
   environment.systemPackages = builtins.attrValues {
-    inherit (pkgs.unstable) htop btop micro nano;
+    inherit (pkgs) htop btop micro nano;
   };
   system.stateVersion = "24.11";
diff --git a/system/impermanence.nix b/system/impermanence.nix
index 320c5f2..7a16574 100755
--- a/system/impermanence.nix
+++ b/system/impermanence.nix
@@ -35,6 +35,7 @@
       "/var/lib/nixos"
       "/var/lib/docker"
       "/var/lib/systemd/coredump"
+      "/var/lib/sops-nix"
       "/etc/nixos"
       "/etc/NetworkManager"
     ];
@@ -42,7 +43,6 @@
       "/etc/machine-id"
       "/etc/ssh/ssh_host_ed25519_key"
       "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/var/lib/sops-nix/key.txt"
     ];
   };
 }
diff --git a/system/sops.nix b/system/sops.nix
index 40c2fab..2a6c84a 100755
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -1,4 +1,4 @@
-{inputs, ...}; let
+{inputs, ...}: let
   secretspath = builtins.toString inputs.nix-secrets;
 in {
@@ -9,11 +9,14 @@ in
   sops = {
     defaultSopsFile = "${secretspath}/secrets.yaml";
     age = {
+      # I'd prefer different OpenSSH keys for different hosts so I'm not 100% screwed if one of my devices get compromised.
+      # Therefore, we set a custom path for the sops key.
+      sshKeyPaths = ["/var/lib/sops-nix/ssh_host_ed25519_key"];
       keyFile = "/var/lib/sops-nix/key.txt";
       generateKey = false;
     };
     secrets = {
-      tera_passwd = {
+      tera_password = {
         neededForUsers = true;
       };
     };
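Review bot: `"/var/lib/sops-nix"` is added to `directories` as a bare string, so the persisted directory gets impermanence's default ownership and mode even though it now holds the age key and a private SSH key; the attribute-set form `{ directory = "/var/lib/sops-nix"; mode = "0700"; }` would stop other users from listing it (the modes of the files inside are whatever the install step produced). That install step, as written in this commit's README hunk, runs `mkdir -p` on the destination and then `cp -r /var/lib/sops-nix/ /mnt/persist/var/lib/sops-nix/`; with GNU cp an existing destination directory makes this copy the source directory into it, so the keys would land at `/mnt/persist/var/lib/sops-nix/sops-nix/` rather than at the paths `system/sops.nix` configures, which is worth checking on a real install. The second impermanence hunk (removing `key.txt` from `files`) is the matching half of this move and needs no separate change.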
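Review bot: Renaming `tera_passwd` to `tera_password` changes the attribute path every consumer uses (e.g. `config.sops.secrets.tera_password.path` wherever the user's password file is wired up) and the key name inside the `secrets.yaml` that lives in `inputs.nix-secrets`; none of those are in this diff, so confirm they were renamed too, otherwise the user has no usable password at boot. The new comment is also misleading: `sshKeyPaths` does not set "a custom path for the sops key", it names an SSH private key from which sops-nix derives an additional age identity, while `keyFile` stays the age key used alongside it, so with both set either one decrypts. The per-host isolation the comment is after only materialises if each host gets its own `ssh_host_ed25519_key`/`key.txt` pair and its own recipient entry in `.sops.yaml`, whereas this commit adds a single `&hostkey` and the README copies one key pair onto whichever host is being installed. A comment along the lines of `# Per-host age identity derived from an SSH key kept outside /etc/ssh; each host needs its own key and its own recipient in .sops.yaml` would state the actual contract.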