repair flake.lock, update disko

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

README.md

@@ -14,7 +14,9 @@ to onboard a new user or system.
 
 Although we are not actively looking for new members to join in on this repo,
 we are not strictly opposed. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) for further information.
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill)
+for further information.
 
 ## Repo Structure
 

disko/hetzner.nix

@@ -0,0 +1,47 @@
+# USAGE in your configuration.nix.
+# Update devices to match your hardware.
+# {
+#  imports = [ ./disko-config.nix ];
+#  disko.devices.disk.main.device = "/dev/sda";
+# }
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+              priority = 1;
+            };
+            root = {
+              end = "-1G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+            encryptedSwap = {
+              size = "1G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                priority = 100; # prefer to encrypt as long as we have space for it
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

docs/CONTRIBUTING.md

@@ -107,7 +107,8 @@ rules.
 We allow secrets to be embedded in the repository using `sops-nix`. As part of
 the process everything is encrypted, however adding a new user is a change
 that every existing SOPS user needs to participate in. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill) if you are interested
 in using secrets on your machines.
 
 ## CI/CD

flake.lock

@@ -67,6 +67,27 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "firefox-addons": {
       "inputs": {
         "flake-utils": [
@@ -625,6 +646,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "firefox-addons": "firefox-addons",
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",

flake.nix

@@ -40,6 +40,12 @@
     #     flake-parts.follows = "flake-parts";
     #   };
     # };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
 
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -136,7 +142,7 @@
       systems = [
         "x86_64-linux"
         # disable arm for now as hydra isn't set up for it
-        # "aarch64-linuxa
+        # "aarch64-linux"
       ];
 
       forEachSystem = lib.genAttrs systems;
@@ -152,8 +158,8 @@
           lib = self;
         }
       );
-      inherit (lib.adev.systems) genSystems getImages;
+      inherit (lib.rad-dev.systems) genSystems getImages;
-      inherit (self) outputs; # for hydra and packages
+      inherit (self) outputs; # for hydra
     in
     rec {
       inherit lib; # for allowing use of custom functions in nix repl
@@ -168,7 +174,10 @@
         qcow = getImages nixosConfigurations "qcow";
       };
 
-      packages = import ./pkgs { pkgs = nixpkgs.legacyPackages.x86_64-linux; };
+      packages.x86_64-linux.lego-latest =
+        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
+          { };
+
       checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
       devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
 

lib/default.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  # create adev namespace for lib
+  # create rad-dev namespace for lib
-  adev = rec {
+  rad-dev = rec {
     systems = import ./systems.nix { inherit lib; };
     container-utils = import ./container-utils.nix { inherit lib; };
 

lib/systems.nix

@@ -128,7 +128,6 @@ rec {
   # configPath: path to the folder containing hardware.nix & configuration.nix
   # hostname: hostname of the server
   # inputs: flake inputs to be used
-  # outputs: flake outputs to be used, primarily for accessing custom packages
   # src: base path of the repo
   # users: list of users to be added
   # home: enables home-manager on this machine (requires all users to have home-manager)
@@ -150,7 +149,7 @@ rec {
       configPath,
       hostname,
       inputs,
-      outputs ? { },
+      outputs,
       src,
       users,
       home ? true,
@@ -177,7 +176,7 @@ rec {
           (configPath + "/configuration.nix")
         ]
         ++ modules
-        ++ (lib.adev.fileList (src + "/modules"))
+        ++ (lib.rad-dev.fileList (src + "/modules"))
         ++ genWrapper sops genSops args
         ++ genWrapper home genHome args
         ++ genWrapper true genUsers args
@@ -192,7 +191,6 @@ rec {
   #
   # args:
   # inputs: flake-inputs to be distributed to each system config
-  # outputs: flake-outputs to be distributed to each system config
   # src: the base path to the repo
   # path: the path to read the systems from, should be a directory containing one directory per machine, each having at least the following
   #   - default.nix (with the extra params for constructSystem in it, see systems/palatine-hill/default.nix for an example)
@@ -221,10 +219,10 @@ rec {
                 ;
               hostname = name;
             }
-            // import configPath { inherit inputs outputs; }
+            // import configPath { inherit inputs; }
           );
         }
-      ) (lib.adev.lsdir path)
+      ) (lib.rad-dev.lsdir path)
     );
 
   # gets all the images of a specified format

modules/autopull.nix

@@ -61,7 +61,7 @@ in
     lib.mkIf cfg.enable {
       environment.systemPackages =
         [ pkgs.git ]
-        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
+        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
           pkgs.openssh
         ];
 

modules/kub_net.nix

@@ -1,10 +1,10 @@
 { lib, config, ... }:
 let
-  cfg = config.services.adev.k3s-net;
+  cfg = config.services.rad-dev.k3s-net;
 in
 {
   options = {
-    services.adev.k3s-net = {
+    services.rad-dev.k3s-net = {
       enable = lib.mkOption {
         default = false;
         example = true;

modules/nix.nix

@@ -1,9 +1,4 @@
-{
+{ lib, pkgs, ... }:
-  lib,
-  pkgs,
-  outputs,
-  ...
-}:
 {
   nix = {
     package = pkgs.nixVersions.latest;
@@ -51,11 +46,4 @@
       dates = [ "01:00" ];
     };
   };
-
-  nixpkgs.overlays = [
-    (_: _: {
-      # bring all packages into a namespace called rad-pkgs
-      rad-pkgs = lib.genAttrs (lib.attrNames outputs.packages) (pkg: outputs.packages.${pkg});
-    })
-  ];
 }

modules/yubikey.nix

@@ -5,11 +5,11 @@
   ...
 }:
 let
-  cfg = config.services.adev.yubikey;
+  cfg = config.services.rad-dev.yubikey;
 in
 {
   options = {
-    services.adev.yubikey = {
+    services.rad-dev.yubikey = {
       enable = lib.mkEnableOption "enable yubikey defaults";
       enable-desktop-app = lib.mkEnableOption "installs desktop application";
     };

pkgs/default.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-let
-  rad-maintainers = import ./maintainers.nix;
-in
-{
-
-  ftb-app = pkgs.callPackage ./ftb-app { inherit rad-maintainers; };
-  lego-latest = pkgs.callPackage ./lego-latest { inherit rad-maintainers; };
-}

pkgs/ftb-app/default.nix

@@ -1,112 +0,0 @@
-{
-  alsa-lib,
-  at-spi2-atk,
-  cairo,
-  cups,
-  dbus,
-  dpkg,
-  expat,
-  fetchurl,
-  gtk3,
-  gdk-pixbuf,
-  jre,
-  lib,
-  libdrm,
-  libgbm,
-  libxkbcommon,
-  makeWrapper,
-  mesa,
-  nspr,
-  nss,
-  pango,
-  rad-maintainers,
-  stdenv,
-  xorg,
-  ...
-}:
-# source_aarch64=("https://piston.feed-the-beast.com/app/ftb-app-${pkgver}-arm64.deb")
-# sha256sums_aarch64=(ad1197556a187693cbc488142562a0c17144e33056f1c914950c2f1496a4c532)
-stdenv.mkDerivation rec {
-  pname = "ftb-app";
-  version = "1.27.3";
-
-  src = fetchurl {
-    url = "https://piston.feed-the-beast.com/app/ftb-app-linux-${version}-amd64.deb";
-    sha256 = "031a73g58vj35h33pmp3swjrjlg09ismdx46810sp7ihrpvs0ad6";
-  };
-
-  nativeBuildInputs = [
-    dpkg
-    makeWrapper
-  ];
-
-  unpackPhase = ''
-    runHook preUnpack
-
-    dpkg -x $src ./ftb-app
-
-    runHook postUnpack
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p "$out"
-    cp -r ftb-app/* "$out"
-
-    # Flatten /usr and manually merge lib/ and usr/lib/, since mv refuses to.
-    mv "$out"'/opt/FTB Electron App' "$out/bin"
-    mv "$out/usr/"* "$out/"
-    rmdir "$out/usr"
-    rmdir "$out/opt"
-
-    for f in "$out/share/applications/"*.desktop; do
-       substituteInPlace "$f" \
-           --replace-fail '/opt/FTB Electron App/ftb-app' "$out/bin/ftb-app"
-    done
-
-    # prevent self-upgrade with dpkg
-    rm "$out/bin/resources/package-type"
-
-    chmod +x "$out/bin/ftb-app"
-
-    libs="${nss}/lib/libnss3.so ${nss}/lib/libnssutil3.so ${nss}/lib/libsmime3.so "
-    libs+="${nspr}/lib/libnspr4.so ${dbus.lib}/lib/libdbus-1.so.3 "
-    libs+="${at-spi2-atk}/lib/libatk-1.0.so.0 ${cups.lib}/lib/libcups.so.2 "
-    libs+="${at-spi2-atk}/lib/libatk-bridge-2.0.so.0 "
-    libs+="${libdrm}/lib/libdrm.so.2 ${gtk3}/lib/libgtk-3.so.0 "
-    libs+="${pango.out}/lib/libpango-1.0.so.0 ${cairo}/lib/libcairo.so.2 "
-    libs+="${xorg.libX11}/lib/libX11.so.6 ${xorg.libXext}/lib/libXext.so.6 "
-    libs+="${xorg.libXcomposite}/lib/libXcomposite.so.1 "
-    libs+="${xorg.libXdamage}/lib/libXdamage.so.1 "
-    libs+="${xorg.libXfixes}/lib/libXfixes.so.3 ${expat}/lib/libexpat.so.1 "
-    libs+="${xorg.libXrandr}/lib/libXrandr.so.2  "
-    libs+="${xorg.libxcb}/lib/libxcb.so.1 ${alsa-lib}/lib/libasound.so.2 "
-    libs+="${libxkbcommon}/lib/libxkbcommon.so.0 "
-    libs+="${at-spi2-atk}/lib/libatspi.so.0 ${xorg.libXtst}/lib/libXtst.so.6 "
-    libs+="${gdk-pixbuf}/lib/libgdk_pixbuf-2.0.so.0 ${libgbm}/lib/libgbm.so.1"
-
-    echo "$libs"
-
-
-    for p in "$out/bin/ftb-app"; do
-        wrapProgram "$p" \
-            --set LD_PRELOAD "$libs" \
-            --set NIX_REDIRECTS "/usr/share=$out/share:"'/opt/FTB Electron Application'"=$out/bin" \
-            --set JAVA_HOME "${jre.home}"
-            # --prefix PATH : "{lib.makeBinPath [ gzip gnutar ]}"
-    done
-
-    runHook postInstall
-  '';
-
-  meta = with lib; {
-    description = "A new Modpack launcher for FTB and Curse modpacks.";
-    homepage = "https://feed-the-beast.com/app";
-    license = with licenses; [ lgpl21Only ];
-    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    maintainers = with rad-maintainers; [ ahuston-0 ];
-    platforms = [ "x86_64-linux" ];
-    mainProgram = "ftb-app";
-  };
-}

pkgs/lego-latest/default.nix

@@ -2,7 +2,6 @@
   lib,
   fetchFromGitHub,
   buildGoModule,
-  rad-maintainers,
 }:
 
 buildGoModule rec {
@@ -32,7 +31,7 @@ buildGoModule rec {
     description = "Let's Encrypt client and ACME library written in Go";
     license = licenses.mit;
     homepage = "https://go-acme.github.io/lego/";
-    maintainers = teams.acme.members ++ [ rad-maintainers.ahuston-0 ];
+    maintainers = teams.acme.members;
     mainProgram = "lego";
   };
 

pkgs/maintainers.nix

@@ -1,77 +0,0 @@
-/*
-  Borrowed this from nixpkgs :)
-  List of NixOS maintainers.
-   ```nix
-   handle = {
-     # Required
-     name = "Your name";
-
-     # Optional, but at least one of email, matrix or githubId must be given
-     email = "address@example.org";
-     matrix = "@user:example.org";
-     github = "GithubUsername";
-     githubId = your-github-id;
-
-     keys = [{
-       fingerprint = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333";
-     }];
-   };
-   ```
-
-   where
-
-   - `handle` is the handle you are going to use in nixpkgs expressions,
-   - `name` is a name that people would know and recognize you by,
-   - `email` is your maintainer email address,
-   - `matrix` is your Matrix user ID,
-   - `github` is your GitHub handle (as it appears in the URL of your profile page, `https://github.com/<userhandle>`),
-   - `githubId` is your GitHub user ID, which can be found at `https://api.github.com/users/<userhandle>`,
-   - `keys` is a list of your PGP/GPG key fingerprints.
-
-   Specifying a GitHub account ensures that you automatically:
-   - get invited to the @NixOS/nixpkgs-maintainers team ;
-   - once you are part of the @NixOS org, OfBorg will request you review
-     pull requests that modify a package for which you are a maintainer.
-
-   `handle == github` is strongly preferred whenever `github` is an acceptable attribute name and is short and convenient.
-
-   If `github` begins with a numeral, `handle` should be prefixed with an underscore.
-   ```nix
-   _1example = {
-     github = "1example";
-   };
-   ```
-
-   Add PGP/GPG keys only if you actually use them to sign commits and/or mail.
-
-   To get the required PGP/GPG values for a key run
-   ```shell
-   gpg --fingerprint <email> | head -n 2
-   ```
-
-   !!! Note that PGP/GPG values stored here are for informational purposes only, don't use this file as a source of truth.
-
-   More fields may be added in the future, however, in order to comply with GDPR this file should stay as minimal as possible.
-
-   When editing this file:
-    * keep the list alphabetically sorted, check with:
-        nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix
-    * test the validity of the format with:
-        nix-build lib/tests/maintainers.nix
-
-   See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
-
-   When adding a new maintainer, be aware of the current commit conventions
-   documented at [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#commit-conventions)
-   file located in the root of the Nixpkgs repo.
-*/
-
-{
-  ahuston-0 = {
-    name = "ahuston-0";
-    email = "aliceghuston@gmail.com";
-    github = "ahuston-0";
-    githubId = 43225907;
-    keys = [ { fingerprint = "F638 32C3 080D 6E1A C77E  ECF8 0B42 45FF E305 BC82"; } ];
-  };
-}

shell.nix

@@ -38,7 +38,7 @@ forEachSystem (
     };
 
     # constructs a custom shell with commonly used utilities
-    adev = pkgs.mkShell {
+    rad-dev = pkgs.mkShell {
       packages = with pkgs; [
         deadnix
         pre-commit
@@ -56,7 +56,7 @@ forEachSystem (
     default = pkgs.mkShell {
       inputsFrom = [
         pre-commit
-        adev
+        rad-dev
         sops
       ];
     };

systems/artemision/configuration.nix

@@ -75,7 +75,7 @@
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;
 
-    adev.yubikey = {
+    rad-dev.yubikey = {
       enable = true;
       enable-desktop-app = true;
     };

systems/artemision/desktop.nix

@@ -30,10 +30,6 @@
   };
   # Optional, hint electron apps to use wayland:
   environment.sessionVariables.NIXOS_OZONE_WL = "1";
-  xdg.portal = {
-    enable = true;
-    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
-  };
 
   services = {
     xserver = {

systems/artemision/programs.nix

@@ -72,7 +72,6 @@
     protontricks
     proxychains
     qrencode
-    rad-pkgs.ftb-app
     redshift
     restic
     ripgrep

systems/hetzner-bridge/configuration.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../../disko/hetzner.nix
+    ./networking.nix
+  ];
+  disko.devices.disk.main.device = "scsi-0QEMU_QEMU_HARDDISK_55513992";
+
+  boot = {
+    useSystemdBoot = true;
+  };
+
+  virtualisation.docker.enable = false;
+  services = {
+    locate.enable = false;
+    endlessh-go.enable = false;
+  };
+
+  #hardware.enableAllFirmware = true;
+
+  system.stateVersion = "24.05";
+}

systems/hetzner-bridge/default.nix

@@ -0,0 +1,8 @@
+{ inputs, ... }:
+{
+  users = [ "alice" ];
+  modules = [
+    # inputs.attic.nixosModules.atticd
+    inputs.disko.nixosModules.disko
+  ];
+}

systems/hetzner-bridge/hardware.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "ahci"
+      "xhci_pci"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

systems/hetzner-bridge/networking.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      #matchConfig.Name = "enp1s0"; # either ens3 or enp1s0 depending on system, check 'ip addr'
+      matchConfig.Name = "ether";
+      networkConfig.DHCP = "ipv4";
+    };
+  };
+}

systems/palatine-hill/acme.nix

@@ -31,7 +31,7 @@
       openssl
     ]
     ++ [
-      outputs.packages.lego-latest
+      outputs.packages.x86_64-linux.lego-latest
     ]
   );
 

systems/palatine-hill/docker/archiveteam.nix

@@ -122,7 +122,7 @@ let
     cmd = lib.splitString " " "--concurrent 6 AmAnd0";
 
   };
-  inherit (lib.adev.container-utils) createTemplatedContainers;
+  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
 
   vars = import ../vars.nix;
   at_path = vars.primary_archiveteam;

systems/palatine-hill/docker/minecraft.nix

@@ -46,7 +46,7 @@ in
       cmd = [
         (
           "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
-          + (lib.adev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
         )
       ];
     };

users/alice/home.nix

@@ -76,7 +76,6 @@
       nix-prefetch
       nix-tree
       nh
-      nix-prefetch-scripts
 
       # doom emacs dependencies
       fd
@@ -91,7 +90,6 @@
       nodejs_20
       nodePackages.prettier
       treefmt
-
     ];
   };
 

utils/hetzner-install.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#git --command bash
+
+set -o errexit   # abort on nonzero exitstatus
+set -o nounset   # abort on unbound variable
+set -o pipefail  # don't hide errors within pipes
+
+MACHINENAME="hetzner-bridge"
+
+sudo mkdir /root/.ssh
+sudo chmod 700 /root/.ssh
+sudo ssh-keygen -t ed25519 -o -a 100 -f "/root/.ssh/id_ed25519_giteadeploy" -q -N "" -C "$MACHINENAME" || echo "key already exists"
+
+sudo cat /root/.ssh/id_ed25519_giteadeploy.pub
+
+sudo ssh-keygen -A
+
+nix --extra-experimental-features 'flakes nix-command' shell nixpkgs#git
+nix --extra-experimental-features 'flakes nix-command' store gc
+FLAKE="git+ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles?ref=feature/hetzner-bridge#hetzner-bridge"
+DISK_DEVICE=/dev/sda
+sudo nix \
+    --extra-experimental-features 'flakes nix-command' \
+    run github:nix-community/disko#disko-install -- \
+    --flake "$FLAKE" \
+    --write-efi-boot-entries \
+    --disk main "$DISK_DEVICE"

utils/hetzner-nixos-anywhere.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#mktemp nixpkgs#openssh nixpkgs#nixos-anywhere nixpkgs#sops --command bash
+
+echoerr() { printf "%s\n" "$*" >&2; }
+
+if (( $# != 1 )); then
+    echoerr "usage: $0 <hostname>"
+fi
+
+HOSTNAME=$1
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh"
+
+# Create host keys
+ssh-keygen -A -f "$temp/etc/ssh/"
+
+# Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
+
+AGEKEY=$(ssh-to-age < "$temp/etc/ssh/ssh_host_ed25519_key.pub")
+
+echo "$AGEKEY" | tee "./$HOSTNAME.age"
+
+# Install NixOS to the host system with our secrets
+nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip