algernon ludd on Nostr: nprofile1q…vss2n The way I solved this - with sops-nix - is that I put the private ...
nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq6mtxp68k8c3p2sj0wzhagt3kd8ywkvzlkfyt3vrx9cahzfz000vsmvss2n (nprofile…ss2n) The way I solved this - with sops-nix - is that I put the private host key in a sops-protected file, and configured sops to allow decrypting it with either the ssh host key itself, or my own age key.
Thus, I could - temporarily - lift it out when I bootstrapped the host, and once bootstrapped (with nixos-anywhere), it's stored on the host, outside of the nix store.
If I need to bring up a new VM, or a fresh install, I'll inject the host key out of band.
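A sketch of the recipient setup the post describes, added here as an illustration and not taken from the author's configuration. The file path and both age recipients are placeholders; the host recipient is assumed to be derived from the host's ed25519 public key with ssh-to-age.

```yaml
# .sops.yaml (constructed example; every value below is a placeholder)
keys:
  # Admin's personal age public key, used to decrypt during bootstrap
  - &admin age1ADMIN_PUBLIC_KEY_PLACEHOLDER
  # Host recipient, assumed to come from converting the host's
  # ssh ed25519 public key to an age recipient (ssh-to-age)
  - &host age1HOST_PUBLIC_KEY_PLACEHOLDER

creation_rules:
  # Hypothetical path for the sops file holding the private host key
  - path_regex: ^secrets/myhost/ssh_host_ed25519_key\.yaml$
    key_groups:
      # A single key group: any one listed recipient can decrypt,
      # so either the admin key or the host key is sufficient
      - age:
          - *admin
          - *host
```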