fix: Fix more installation errors and potential security flaws

.sops.yaml

@@ -1,7 +1,9 @@
 keys:
-  - &primkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+  - &userkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+  - &hostkey age1g2qdzlgqsnuz2mc2cwlt5up3d9h8krkquhryt76e2j47dzgz498sudy45e
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
+      - age:
-      - *primkey
+          - *userkey
+          - *hostkey

README.md

@@ -8,9 +8,11 @@ This is a work-in-progress and currently DOES NOT WORK. Please check back later.
 
 ## Setup
 
-### Bootstrapping a New Device
+### Setting up Sops
 
-This guide assumes you have a somewhat sane sops setup.
+TODO.
+
+### Bootstrapping a New Device
 
 1. First, boot the NixOS live environment (minimal ISO is recommended).
 2. Then, get the harddrive ID using `lsblk` or `fdisk -l`:
@@ -46,5 +48,11 @@ This guide assumes you have a somewhat sane sops setup.
 4. Add the host to `flake.nix`.
 5. Modify the disko configuration for our host to use the correct disk ID that we found earlier.
 6. Make any other additional modifications if needed.
-7. Copy/clone the configuration over to the host to install.
+
-8. Run `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount -f "$PWD#hostname"` to prepare the disk, replacing `hostname` with the host you want to switch to (ex. `andromeda`).
+### Installing the Configuration
+
+1. Copy/clone the configuration over to the host to install.
+2. Copy the sops key data to the host you are installing on (sops `key.txt` and `ssh_host_ed25519_key` to `/var/lib/sops-nix/`)
+3. Run `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount -f "$PWD#hostname"` to prepare the disk, replacing `hostname` with the host you want to install (ex. `andromeda`).
+4. Before installing, prepare sops inside the mounted filesystem: `sudo mkdir -p /mnt/persist/var/lib/sops-nix/; sudo cp -r /var/lib/sops-nix/ /mnt/persist/var/lib/sops-nix/`
+5. Run `sudo nixos-install --flake "$PWD#hostname"` to install the OS, replacing `hostname` with the host you want to install (ex. `andromeda`).

SETUP.md

@@ -1 +0,0 @@
-

hosts/andromeda/configuration.nix

@@ -30,11 +30,10 @@
     extraGroups = [
       "wheel"
       "networkmanager"
-      "docker"
     ];
 
     openssh.authorizedKeys.keys = [
-      (builtins.readFile ../../secrets/id_user.pub)
+      (builtins.readFile ../../data/id_user.pub)
     ];
   };
 
@@ -45,10 +44,13 @@
   boot.supportedFilesystems = [];
 
   # Services
-  services.docker.enable = true;
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "btrfs";
+  };
 
   environment.systemPackages = builtins.attrValues {
-    inherit (pkgs.unstable) htop btop micro nano;
+    inherit (pkgs) htop btop micro nano;
   };
 
   system.stateVersion = "24.11";

system/impermanence.nix

@@ -35,6 +35,7 @@
       "/var/lib/nixos"
       "/var/lib/docker"
       "/var/lib/systemd/coredump"
+      "/var/lib/sops-nix"
       "/etc/nixos"
       "/etc/NetworkManager"
     ];
@@ -42,7 +43,6 @@
       "/etc/machine-id"
       "/etc/ssh/ssh_host_ed25519_key"
       "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/var/lib/sops-nix/key.txt"
     ];
   };
 }

system/sops.nix

@@ -1,4 +1,4 @@
-{inputs, ...}; let
+{inputs, ...}: let
   secretspath = builtins.toString inputs.nix-secrets;
 in
 {
@@ -9,11 +9,14 @@ in
   sops = {
     defaultSopsFile = "${secretspath}/secrets.yaml";
     age = {
+      # I'd prefer different OpenSSH keys for different hosts so I'm not 100% screwed if one of my devices get compromised.
+      # Therefore, we set a custom path for the sops key.
+      sshKeyPaths = ["/var/lib/sops-nix/ssh_host_ed25519_key"];
       keyFile = "/var/lib/sops-nix/key.txt";
       generateKey = false;
     };
     secrets = {
-      tera_passwd = {
+      tera_password = {
         neededForUsers = true;
       };
     };