I want to deploy on remote metal machines somewhere in the world without an internet connection, while keeping the process as simple as possible.
Here’s my sketch so far:
1. install base nix on the PC
2. copy machine’s public key
3. generate new nix config binary using public key to encrypt secrets with Agenix
4. deploy binary (USB stick + the normal commands)
- perhaps I could install Nix with a specific private key while keeping it out of the main configuration somehow
And reduce the install process to one step…
Then again, probably not.
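
Added example, not part of the original post: how the "copy machine's public key" and "encrypt secrets with Agenix" steps fit together in agenix's two files. The key strings are placeholders, and the file names, the `deploy` user and the `deploy-password` secret are assumptions made for illustration.

```nix
# ---- secrets/secrets.nix (read only by the agenix CLI, never by NixOS) ----
let
  # Placeholder: contents of the target's /etc/ssh/ssh_host_ed25519_key.pub,
  # i.e. the machine public key copied off the PC.
  machine = "ssh-ed25519 AAAA...PLACEHOLDER-machine-host-key";
  # Placeholder: the admin's own public key, so the secret can be re-edited
  # later without access to the remote machine.
  admin = "ssh-ed25519 AAAA...PLACEHOLDER-admin-key";
in
{
  # Running `agenix -e deploy-password.age` in this directory encrypts the
  # secret to every key listed here.
  "deploy-password.age".publicKeys = [ machine admin ];
}

# ---- machine.nix (NixOS module; assumes agenix's module is imported) ----
{ config, ... }:
{
  # Decrypt at activation time with the host's existing SSH private key.
  # The private key is referenced by path only and is never part of the
  # configuration or its build output.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Only the ciphertext file is pulled into the build.
  age.secrets.deploy-password.file = ./secrets/deploy-password.age;

  # Hypothetical consumer of the decrypted secret.
  users.users.deploy = {
    isNormalUser = true;
    hashedPasswordFile = config.age.secrets.deploy-password.path;
  };
}
```

With this layout only the `.age` ciphertext ends up in the Nix store and on the USB stick; the plaintext exists only on the target after it decrypts with its own host key.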