14 lines
999 B
Plaintext
14 lines
999 B
Plaintext
* boot target from NixOS installer USB
|
|
* passwd for nixos user on target
|
|
* note IP address, test that ssh as nixos works
|
|
* on target: nixos-generate-config --no-filesystems, copy to base host
|
|
* on target: dd if=/dev/random of=/dev/disk/by-id/<usb drive for encryption key> bs=4096 count=1
|
|
* on target: dd if=/dev/disk/by-id/<usb drive for encryption key> of=key.bin bs=4096 count=1
|
|
* copy key.bin to hosts/<target>/
|
|
* use the generated config to create new config in hosts/<target>
|
|
* set the actual device IDs in hosts/<target>/default.nix
|
|
* set or update key for target in .sops.yaml with the output from "ssh-keyscan <host> | ssh-to-age" then "sops updatekeys secrets/*.yaml"
|
|
* if new machine, add a secrets/<machine>.yaml for it
|
|
* on base host: nix run github:nix-community/nixos-anywhere -- --copy-host-keys --flake '.#<target>' nixos@<target IP>
|
|
* after confirmed working, update hosts/<target>/default.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace)
|