Hi.
To wrap this up somewhat, here’s the current approximation to what I had in mind in the beginning.
It’s a modified minimal installer that will automatically
- ask you for the passphrase of an encrypted archive of SSH keys for git
- unpack it
- clone the repo with the NixOS conf.
After this bootstrapping, off you go with installing a new machine
iso.nix
{ config, pkgs, ... }:
with pkgs;
let
  # ...
  # Name of the passphrase-encrypted tarball of SSH keys (created by build-installer.sh).
  # NOTE(review): because it is referenced from this expression it is copied into the
  # Nix store of the build host and of the ISO, both world-readable, so the gpg
  # passphrase is the only thing protecting the keys.
  myBootstrapFile = ".my-bootstrap.tar.gz.gpg";
  # Bootstrap script run from the nixos user's login profile: decrypts the key
  # bundle into the home directory and clones the configuration repository.
  myBootstrap = (writeShellApplication {
    name = "myBootstrap";
    runtimeInputs = [
      gnupg
      gnutar
      git
    ];
    text = ''
      # writeShellApplication normally prepends errexit/nounset/pipefail itself,
      # so these two lines are probably redundant (harmless either way).
      set -e
      set -o pipefail
      cd ~
      # gpg asks for the passphrase through pinentry; this echo only labels the prompt.
      echo Enter bootstrap password:
      # Unpacked straight into the home directory. tar restores the modes stored in
      # the bundle, so the keys must have been 0600 when bundled or ssh rejects them.
      gpg --decrypt ${myBootstrapFile} | tar xf -
      # NOTE(review): this script runs on every login (see profileExtra below); a
      # second login re-extracts the keys and the clone will likely fail because
      # the target directory already exists. The script then exits non-zero.
      git clone ...
    '';
  });
in
{
  # ...
  imports = [
    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
    "${(import ../nix/sources.nix).home-manager}/nixos"
  ];
  # password prompt: tty pinentry so gpg can ask for the passphrase on the installer console
  programs.gnupg.agent = {
    enable = true;
    pinentryFlavor = "tty";
  };
  home-manager.users.nixos = {
    home.stateVersion = "23.11";
    home.packages = [ git ];
    programs.bash.enable = true;
    # Appended to ~/.profile, i.e. the bootstrap runs on every login of the nixos user.
    programs.bash.profileExtra = "${myBootstrap}/bin/myBootstrap";
    # Ships the encrypted bundle (kept one directory above this file) into the nixos user's home.
    home.file."${myBootstrapFile}".source = ./. + "/../${myBootstrapFile}";
    programs.ssh = # ...
  };
}
build-installer.sh
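#!/usr/bin/env bash
# Build the bootstrap installer ISO.
#
# 1. If the encrypted key bundle does not exist yet, create it from THE_KEYS in the
#    home directory (tar, then gpg --symmetric with an interactively entered passphrase).
# 2. Build the ISO from installer/iso.nix, which copies that bundle into the image.
#
# bash rather than sh so that pipefail is available: without it a tar failure in the
# middle of the pipeline still lets gpg exit 0, leaving a truncated bundle behind that
# the existence check below would then keep forever.
set -eu -o pipefail

# The bundle is encrypted, but keep it owner-only on the build host anyway.
umask 077

MY_BOOTSTRAP_FILE="$(pwd)/.my-bootstrap.tar.gz.gpg"

if [ ! -f "${MY_BOOTSTRAP_FILE}" ]
then
  (
    cd ~
    # gpg needs to know the terminal to run its passphrase prompt on.
    GPG_TTY=$(tty)
    export GPG_TTY
    # --dereference follows symlinks so the archive contains the key files
    # themselves, not links that would dangle on the installer.
    # On any failure (tar or gpg) remove the partial output so the next run
    # regenerates the bundle instead of shipping a broken one.
    if ! tar --create --dereference -f - THE_KEYS | gpg --symmetric --output "${MY_BOOTSTRAP_FILE}" -
    then
      rm -f "${MY_BOOTSTRAP_FILE}"
      echo "creating ${MY_BOOTSTRAP_FILE} failed" >&2
      exit 1
    fi
  )
fi

# The ISO's Nix store is world-readable: the bundle's secrecy rests solely on the gpg passphrase.
nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=installer/iso.nix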
Cheers.