update installation instructions

README.md

@@ -1,26 +1,37 @@
 # nixos
 
 ## Installation
-Follow the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to obtain and boot
+Follow the [NixOS
-the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the
+manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to
-installation can still be done through the terminal.
+obtain and boot the installation medium. Use the graphical ISO image since it
+ships with useful programs such as `nmtui`; the installation can still be done
+through the terminal.
 
 ### Disk Partitioning
-For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should be done as outlined in the [tmpfs
+For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should
-as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with `/nix` as a [LUKS-encrypted file
+be done as outlined in the [tmpfs as
-system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems). The boot partition will not be
+root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with
-encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`. To
+`/nix` as a [LUKS-encrypted file
-find out which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.
+system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems).
+The boot partition will not be encrypted, since that is poorly supported by
+systemd-boot. Persistent files will be saved under `/nix/persist`. To find out
+which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.
 
-The following is based on the [tmpfs as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
+The following is based on the [tmpfs as
-manual's [partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
+root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
-[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting) and
+manual's
-[LUKS-Encrypted File Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems) sections,
+[partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
-ArchWiki's [LVM on LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
+[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting)
-the unofficial NixOS wiki [Full Disk Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
+and [LUKS-Encrypted File
+Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems)
+sections, ArchWiki's [LVM on
+LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
+the unofficial NixOS wiki [Full Disk
+Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
 gist](https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134).
 
-We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:
+We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our
+LUKS-encrypted volume:
 ```fish
 # Create partition table
 parted /dev/sda -- mklabel gpt
@@ -58,8 +69,10 @@ sda
     └─vg-root ext4        1.0              nix
 ```
 
-Whereas the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing) mounts
+Whereas the [NixOS
-the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs as root_ blogpost and mount `/mnt` as `tmpfs`:
+manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing)
+mounts the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs
+as root_ blogpost and mount `/mnt` as `tmpfs`:
 ```fish
 mount -t tmpfs none /mnt
 mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
@@ -68,44 +81,62 @@ mkdir -p /mnt/nix/persist/
 ```
 
 ### Secrets
-All files in the Nix store are world-readable, so it is not a suitable place for including cleartext secrets,
+All files in the Nix store are world-readable, so it is not a suitable place
-even if we had a scheme to securely transfer them to each system. [Agenix](https://github.com/ryantm/agenix)
+for including cleartext secrets, even if we had a scheme to securely transfer
-solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting
+them to each system. [Agenix](https://github.com/ryantm/agenix) solves this
-and symlinking them using the system's SSH host key during system activation.
+issue by encrypting the secrets using
+[age](https://github.com/FiloSottile/age), and then decrypting and symlinking
+them using the system's SSH host key during system activation.
 
 All secrets, and other private configuration such as DNS zonefiles, are stored
 in a separate, private [repo](https://git.caspervk.net/caspervk/nixos-secrets).
-To bootstrap a new system, we must first generate a host key manually using
+To bootstrap a new system, we must generate a host key manually during
-`ssh-keygen -A -f /mnt/nix/persist` during installation. Then, on an existing
+installation:
-system, add the new host's public key to `secrets.nix` in the `nixos-secrets`
+```fish
-repo and rekey all secrets using `agenix --rekey`. Commit and transfer the
+mkdir -p /mnt/nix/persist/etc/ssh/
-repository to the new system.
+ssh-keygen -A -f /mnt/nix/persist
-
+nc alpha.caspervk.net 1337 < /mnt/nix/persist/etc/ssh/ssh_host_ed25519.pub
-When managing secrets, the Keepass recovery key is used like so:
+```
+Then, on an existing system, add the new host's public key to `secrets.nix` in
+the `nixos-secrets` repo and **rekey** all secrets. When managing secrets, the
+Keepass recovery key is used like so:
 ```fish
 set AGE_KEY_FILE (mktemp); read -s > $AGE_KEY_FILE
+agenix -i $AGE_KEY_FILE --rekey
 agenix -i $AGE_KEY_FILE -e foo.age
 ```
 
+The new system needs to be able to pull the `nixos-secrets` repo temporarily
+during installation:
+```fish
+ssh-keygen -t ed25519
+nc alpha.caspervk.net 1337 < /root/.ssh/id_ed25519.pub
+# https://git.caspervk.net/caspervk/nixos-secrets/settings/keys
+```
+After bootstrapping, servers will auto-upgrade using the shared `autoUpgrade`
+SSH key. Desktops will need to add `~caspervk/.ssh/id_ed25519.pub` either as a
+deploy key for the `nixos-secrets` repo, or to the entire git user.
+
 ### Installation
 The remaining installation can be done (more or less) according to the [NixOS
 manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing).
 ```fish
 cd /mnt/nix
-git clone https://git.caspervk.net/caspervk/nixos.git tmp
+git clone https://git.caspervk.net/caspervk/nixos.git
-cd tmp/
+cd nixos/
 nixos-generate-config --root /mnt --show-hardware-config
 vim hosts/omega/hardware.nix
 git add .  # nix sometimes ignores files outside version control
-nixos-install --no-root-passwd --flake .#omega --override-input secrets ./../nixos-secrets/
+nixos-install --no-root-passwd --flake .#omega
 ```
 
 ### Hardware Configuration
-`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, _is_ manually
+`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config
-modified.
+--show-hardware-config`, _is_ manually modified.
 
 ### State Version
-Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is [easy
+Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo
+is [easy
 enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%3FNixOS%2Fnixpkgs%24++lang%3ANix+stateVersion+AND+23.11).