add secrets

and update README & preinstall script

README.md

@@ -7,7 +7,7 @@ a flaky example of NixOS configuration with full-disk encryption, home-manager,
 0. get a [NixOS] live system, e.g., from the [NixOS download page], or by
    building the ISO image from this repo's `flake.nix`:
 
-   `nix build .#nixosConfigurations.iso.config.system.build.isoImage`
+   `nix build .#nixosConfigurations.iso.config.system.build.isoImage --impure`
 
 1. boot into the [NixOS] live system
 
@@ -19,7 +19,7 @@ a flaky example of NixOS configuration with full-disk encryption, home-manager,
 
 3. install NixOS directly from the remote:
 
-      `nixos-install --flake github:bluesquall/tabula-rasa#encom`
+      `nixos-install --flake github:bluesquall/tabula-rasa/agenix#encom`
 
    or by cloning this repo, modifying accordingly, and installing from the
    local clone:

os/preinstall

@@ -12,9 +12,6 @@ else
   exit 1;
 fi
 
-echo "set password for user:"
-echo "$(mkpasswd -m sha512crypt)" > /tmp/passwd.sha512crypt
-
 echo "preparing drive ${drive} for NixOS"
 echo ""
 echo "WARNING!"
@@ -55,13 +52,12 @@ mount -o subvol=persist,compress=zstd,noatime /dev/mapper/crypt /mnt/persist
 mount -o subvol=log,compress=zstd,noatime /dev/mapper/crypt /mnt/var/log
 mkdir -p /mnt/etc/nixos
 
-mkdir -p /mnt/home/.keys
-mv /tmp/passwd.sha512crypt /mnt/home/.keys
-chmod 700 /mnt/home/.keys
-chmod 600 /mnt/home/.keys/passwd.sha512crypt
-
 echo "prepared ${drive} for NixOS"
 echo "your next step is  to install your system from a flake, e.g.:"
 echo "  time nixos-install --flake .#encom --no-root-password"
 echo "or"
-echo "  nixos-install --flake github:bluesquall/tabula-rasa#encom"
+echo "  nixos-install --flake github:bluesquall/tabula-rasa/agenix#encom"
+
+echo ""
+echo "afterward, you need to manually install the ssh keys used by agenix,"
+echo "or, re-key the secrets to the ssh keys of the new system."

user/flynn/default.nix

@@ -1,18 +1,20 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 let
   USERNAME = "flynn";
   UID = 4983;
 in
 {
+  age.secrets.hashedPassword.file = ./secrets/hashedPassword.age;
+
   users.users.${USERNAME} = {
     uid = UID;
     home = "/home/${USERNAME}";
     createHome = true;
     isNormalUser = true;
     extraGroups = [ "dialout" "networkmanager" "wheel" ];
     shell = pkgs.zsh; # keep a POSIX login shell
-    passwordFile = "/home/.keys/passwd.sha512crypt";
+    passwordFile = config.age.secrets.hashedPassword.path;
   };
 
   home-manager.users.${USERNAME} = import ./home.nix;

user/flynn/secrets/hashedPassword.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 RZrFHQ yaMoC26yl+gZCU+m2tKbm31n1vmj7Yor8xFoNKz3vkw
+rABFvg4MJFVjNX+eWoO5/xP4iN6t0OQJt+VEYmQuOdI
+-> ssh-ed25519 KTl/eg yc94cu1SVG0nE/CcNyLCvD05dWrtTijXdbVFOVBxjgc
+T08FwdXPRB3x4MuDTPOZZ/YLhAl3Yv2Ns1S3DWDmrXg
+-> 2]?W{-grease xnY B%_
+93SfOkNxSZCHhhQqDzEq0fg99yGITTU
+--- RTyE83K6oFJts9FISlftPz2j7DmZIqE7i0Uv7d5fhTA
+���Z��p�gB�/�b�e�3-�aԌ�{v��X�H@-]wx?+ӊ���
+����ٿ�Y�	�Q�/$|!7|�x��g�-��8C��-���'z`�2x��6�Jh�佪��#=�������ž�&�܅��2JՉ�Z0��

user/flynn/secrets/secrets.nix

@@ -0,0 +1,9 @@
+let
+  flynn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ6tWsF5rxxYMnfa1fBSAB5NCTpPSfsvyarRFUGpTwU";
+
+  encom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzqvmMHoKedc6xW6cUwAeSaIy5+JXpKJxOR4AjqD7Fy";
+  systems = [ encom ];
+in
+{
+  "hashedPassword.age".publicKeys = [ flynn ] ++ systems;
+}