Managing my systems and dotfiles using Nix.
- Set up Yubikey for GPG + SSH:

  ```sh
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  ```
- Clone repo
- Set up home-manager:

  ```sh
  nix run home-manager/master -- init
  home-manager switch --flake .#aos
  ```
- nvim (install plugins):

  ```sh
  nvim +PlugInstall +PlugClean! +qall
  ```

Or, for the `aos@tower` configuration:

```sh
home-manager switch --flake .#aos@tower
```
- Import the public key:

  ```sh
  gpg --import gpg-public-key-$KEYID.asc
  ```

- Import trust settings:

  ```sh
  gpg --import-ownertrust < gpg-owner-trust.txt
  ```

- Insert the Yubikey into USB
- Import the card's keys:

  ```sh
  gpg --card-status
  ```
Enter the dev shell and edit the secrets:

```sh
nix develop
sops sops/general/secrets.enc.yaml
```

If you want to edit with the SSH host key instead, you must derive a temporary age secret key from it:

```sh
SOPS_AGE_KEY=$(ssh-to-age -private-key -i ~/.ssh/id_tower) sops sops/general/secrets.enc.yaml
```

There is a `sops-local` action that does the above in one step.
When generating a new host, grab the SSH public key from `/etc/ssh/ssh_host_key*`, convert it to an age key, and add that to `.sops.yaml`:

```sh
ssh-to-age -i <pub_key_file>
```

If this host needs access to the general secrets, you must add the host to `.sops.yaml` and update the keys:

```sh
sops-local updatekeys sops/general/secrets.enc.yaml
```
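As an added illustration (not code from this repo, and not the ssh-to-age source), the following Python re-implements what `ssh-to-age -i <pub_key_file>` computes for a public key: it parses the OpenSSH `ssh-ed25519` line, maps the Ed25519 point to its X25519 u-coordinate with u = (1 + y) / (1 - y) mod p, and bech32-encodes the result with the `age` prefix. ssh-to-age only handles ed25519 keys, so the host key to feed it is the ed25519 one. The sample key is constructed: it is the Ed25519 base point, whose u-coordinate is 9, so the output can be checked by hand. `make_openssh_line`, `bech32_verify` and the other function names are this example's own.

```python
"""Illustration of what `ssh-to-age -i <pub_key_file>` computes for a public key.

Not the ssh-to-age source: a stand-alone re-implementation of the public-key
path (ed25519 -> X25519 u-coordinate -> bech32 with HRP "age").
"""
import base64
import struct

P = 2**255 - 19  # Field prime shared by Ed25519 and X25519.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Constructed sample key: the Ed25519 base point B (y = 4/5), not a real host key.
BASE_POINT = bytes.fromhex("58" + "66" * 31)


def make_openssh_line(pk: bytes, comment: str) -> str:
    """Build an 'ssh-ed25519 <base64 blob> comment' line (used for the sample)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(pk)) + pk
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_ed25519(line: str) -> bytes:
    """Return the 32-byte key from an 'ssh-ed25519 AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("only ssh-ed25519 keys can be converted to age")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    for _ in range(2):  # wire format: string "ssh-ed25519", string <key bytes>
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if fields[0] != b"ssh-ed25519" or len(fields[1]) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return fields[1]


def ed25519_to_x25519(pk: bytes) -> bytes:
    """Birational map to Montgomery form: u = (1 + y) / (1 - y) mod p."""
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)  # drop the x-sign bit
    if y >= P or y == 1:  # y == 1 is the identity point; not a usable key
        raise ValueError("invalid Ed25519 y-coordinate")
    u = (1 + y) * pow(1 - y, -1, P) % P
    return u.to_bytes(32, "little")


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _to_5bit(data: bytes):
    """Regroup 8-bit bytes into 5-bit symbols, zero-padding the last one."""
    acc, bits, out = 0, 0, []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def bech32_encode(hrp: str, data: bytes) -> str:
    """Plain bech32 (BIP-173, checksum constant 1), which is what age uses."""
    values = _to_5bit(data)
    polymod = _bech32_polymod(_hrp_expand(hrp) + values + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[v] for v in values + checksum)


def bech32_verify(s: str) -> bool:
    """True if the checksum of a bech32 string (e.g. an age recipient) is intact."""
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1:
        return False
    try:
        values = [BECH32_CHARSET.index(c) for c in s[pos + 1:]]
    except ValueError:
        return False
    return _bech32_polymod(_hrp_expand(s[:pos]) + values) == 1


def ssh_pubkey_to_age_recipient(line: str) -> str:
    """The public-key conversion ssh-to-age performs, end to end."""
    return bech32_encode("age", ed25519_to_x25519(parse_openssh_ed25519(line)))


if __name__ == "__main__":
    sample = make_openssh_line(BASE_POINT, "root@constructed-host")
    print(ssh_pubkey_to_age_recipient(sample))
```

For the constructed base-point key the u-coordinate is 9, so the recipient begins `age1pyq` and is 62 characters long like every age recipient. `bech32_verify` is the check worth running on a recipient pasted into `.sops.yaml`: a single transcription error in the string fails the checksum, which is the first thing to rule out when sops rejects a recipient.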
Inspect the configuration from the dev shell:

```sh
nix develop
nix-inspect -p .
```

Deploy to a host:

```sh
nixos-rebuild --flake .#pylon --target-host <host> switch
```

Build the minimal ISO:

```sh
nix build ./hosts/minimal-iso#iso
```