
@phaer
Last active April 24, 2025 14:23
Given a hostname of a host, this uses "clan secrets" to copy the identity key for sops-nix into a disk image built outside the nix store
#!/usr/bin/env bash
# Given a hostname of a host, this uses "clan secrets" to copy the age identity key for
# sops-nix into a disk image built outside the nix store.
# The file will be owned root:root with u+rw perms inside the vm, but will still only
# be as secure as the disk image is, as it contains the age identity key unencrypted.
# This can still be very useful to build ready-to-boot appliances which can already
# non-interactively access secrets on first boot.
set -eu
hostname="$1"
# Build the disko image script for this host; the flake reference is quoted so an
# unusual hostname cannot be split into several words.
diskoImagesScript="$(nix build --print-out-paths ".#nixosConfigurations.${hostname}.config.system.build.diskoImagesScript")"
# mktemp creates the file with mode 0600, so the plaintext key is never readable by
# other users on the build host; the trap removes it even if a later step fails.
tmpfile="$(mktemp --suffix="${hostname}-secrets")"
trap 'rm -f "$tmpfile"' EXIT
clan secrets get "${hostname}-age.key" > "$tmpfile"
# Copy the key into the freshly formatted image at the path sops-nix reads by default.
"$diskoImagesScript" --post-format-files "$tmpfile" /var/lib/sops-nix/key.txt
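Because the image carries the identity in plaintext, a useful companion is a check that the file being baked in (or, on first boot, the file at /var/lib/sops-nix/key.txt) is exactly one age identity with owner-only permissions. The following is an added example, not part of the gist above; it assumes the identity is in the format written by age-keygen (a 74-character "AGE-SECRET-KEY-1..." line, optionally preceded by "# " comment lines) and uses GNU stat. The function name, return codes and the sample key are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: validate an age identity file before it is
# copied into a disk image, or on first boot inside the appliance.
# Assumption: the file is an age secret key as written by "age-keygen", i.e. one
# 74-character "AGE-SECRET-KEY-1..." line, optionally preceded by "#" comment lines.

# check_age_key_file PATH [MODE] [OWNER]
# Returns 0 when PATH is a regular file with octal mode MODE (default 600),
# owned by OWNER when given (e.g. root), and containing exactly one age identity.
# Each failing check has its own non-zero return code so callers can act on it.
check_age_key_file() {
  local path="$1" want_mode="${2:-600}" want_owner="${3:-}"
  [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }

  local mode
  mode="$(stat -c '%a' "$path")"   # GNU stat: permission bits in octal
  [ "$mode" = "$want_mode" ] || { echo "$path: mode $mode, expected $want_mode" >&2; return 2; }

  if [ -n "$want_owner" ]; then
    local owner
    owner="$(stat -c '%U' "$path")"
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, expected $want_owner" >&2; return 3; }
  fi

  # Exactly one identity line; "# created:" / "# public key:" comments are allowed.
  local identities other
  identities="$(grep -c '^AGE-SECRET-KEY-1[A-Z0-9]\{58\}$' "$path" || true)"
  other="$(grep -vc -e '^AGE-SECRET-KEY-1' -e '^#' -e '^$' "$path" || true)"
  [ "$identities" = 1 ] || { echo "$path: expected one age identity, found $identities" >&2; return 4; }
  [ "$other" = 0 ] || { echo "$path: unexpected non-identity content" >&2; return 5; }
  return 0
}

# Constructed sample identity: correct shape and length, but not a real key
# (the bech32 checksum is not valid), so it is safe to keep in an example.
SAMPLE_KEY='AGE-SECRET-KEY-1QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7LQPZRY9X8GF2TVDW0S3JN54KHCE'

# write_sample_key MODE CONTENT: write CONTENT to a temp file with the given mode
# and print its path, so the check can be exercised without a real key.
write_sample_key() {
  local mode="$1" content="$2" f
  f="$(mktemp)"
  printf '%s\n' "$content" > "$f"
  chmod "$mode" "$f"
  printf '%s\n' "$f"
}

# Usage: ./check-key.sh /var/lib/sops-nix/key.txt 600 root
if [ -n "${1:-}" ]; then
  check_age_key_file "$1" "${2:-600}" "${3:-}"
fi
```

In the gist's flow the natural place for the call is right after `clan secrets get`, on `$tmpfile` without an owner argument (the build user owns it there); inside the appliance, a first-boot unit can run it with `600 root` against /var/lib/sops-nix/key.txt and refuse to proceed when the return code is non-zero.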