Finalize calypso install!

home/features/cli/ssh.nix

@@ -1,10 +1,15 @@
-{ config, ... }: {
+{ config, ... }:
+{
   programs.ssh.enable = true;
 
   satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
-
+  systemd.user.tmpfiles.rules =
-  # Makes it easy to copy ssh keys at install time without messing up permissions
+    let
-  systemd.user.tmpfiles.rules = [
+      ssh = "${config.satellite.persistence.at.state.home}/ssh/.ssh";
-    "d ${config.satellite.persistence.at.state.home}/ssh/.ssh/etc/ssh"
+    in
+    [
+      "d ${ssh}/ssh/.ssh"
+      "e ${ssh}/ssh/.ssh/id_rsa 0700"
+      "e ${ssh}/id_ed25519 0700"
     ];
 }

home/features/neovim/config/lazy-lock.json

@@ -16,13 +16,11 @@
   "ftft": { "branch": "master", "commit": "f3e43c9584e14b27f04c27a95a9d9f0e58dfec02" },
   "github-actions": { "branch": "master", "commit": "728374ef59b11a5f5991ea2560d149a4ae33fd22" },
   "gitlinker": { "branch": "master", "commit": "cc59f732f3d043b626c8702cb725c82e54d35c25" },
-  "gitsigns": { "branch": "main", "commit": "e9c4187c3774a46df2d086a66cf3a7e6bea4c432" },
   "gruvbox": { "branch": "main", "commit": "7a1b23e4edf73a39642e77508ee6b9cbb8c60f9e" },
   "harpoon": { "branch": "master", "commit": "ccae1b9bec717ae284906b0bf83d720e59d12b91" },
   "haskell-tools": { "branch": "master", "commit": "92e097c6832405fb64e4c44a7ce8bebe7836cae6" },
   "hyprland": { "branch": "main", "commit": "71760fe0cad972070657b0528f48456f7e0027b2" },
   "idris": { "branch": "main", "commit": "8bff02984a33264437e70fd9fff4359679d910da" },
-  "inc-rename": { "branch": "main", "commit": "8ba77017ca468f3029bf88ef409c2d20476ea66b" },
   "indent-blankline": { "branch": "master", "commit": "65e20ab94a26d0e14acac5049b8641336819dfc7" },
   "lastplace": { "branch": "main", "commit": "0bb6103c506315044872e0f84b1f736c4172bb20" },
   "lean": { "branch": "main", "commit": "182703184edb866d7bfe878be358295e189c8223" },
@@ -47,7 +45,6 @@
   "rust-tools": { "branch": "master", "commit": "676187908a1ce35ffcd727c654ed68d851299d3e" },
   "rzip": { "branch": "master", "commit": "f65400fed27b27c7cff7ef8d428c4e5ff749bf28" },
   "scrap": { "branch": "main", "commit": "cc8453ed613932c744c3d1ec42f379b78bd8b92c" },
-  "ssr": { "branch": "main", "commit": "bb323ba621ac647b4ac5638b47666e3ef3c279e1" },
   "telescope": { "branch": "master", "commit": "a0bbec21143c7bc5f8bb02e0005fa0b982edc026" },
   "treesitter": { "branch": "master", "commit": "7f4ac678770175cdf0d42c015f4a5b6e18b6cb33" },
   "typst": { "branch": "main", "commit": "4d18ced62599ffe5b3c0e5e49566d5456121bc02" },

hosts/nixos/calypso/services/snapper.nix

@@ -6,7 +6,7 @@
     configs = {
       # {{{ Data
       data = {
-        SUBVOLUME = "/root/persist/data";
+        SUBVOLUME = "/persist/data";
         TIMELINE_CREATE = true;
         TIMELINE_CLEANUP = true;
         BACKGROUND_COMPARISON = "yes";
@@ -20,7 +20,7 @@
       # }}}
       # {{{ State
       state = {
-        SUBVOLUME = "/root/persist/state";
+        SUBVOLUME = "/persist/state";
         TIMELINE_CREATE = true;
         TIMELINE_CLEANUP = true;
         BACKGROUND_COMPARISON = "yes";

hosts/nixos/common/global/services/openssh.nix

@@ -68,5 +68,7 @@ in
   services.fail2ban.enable = true;
 
   # Makes it easy to copy host keys at install time without messing up permissions
-  systemd.tmpfiles.rules = [ "d /persist/state/etc/ssh" ];
+  systemd.tmpfiles.rules = [
+    "d /persist/state/etc/ssh"
+  ] ++ (lib.lists.forEach config.services.openssh.hostKeys (key: "e ${key.path} 0700"));
 }

scripts/emergency.sh

@@ -49,6 +49,16 @@ if [ "$action" = "install" ]; then
 
   echo "Installing nixos"
   nixos-install --flake ".#$host"
+
+  echo "Copying user ssh keys"
+  for dir in /mnt/persist/state/home/*; do
+    mkdir -p "$dir/ssh/.ssh"
+    cp /hermes/secrets/$host/id* "$dir/ssh/.ssh"
+  done
+
+  echo "Copying host ssh keys"
+  mkdir -p /mnt/persist/state/home/
+  cp /hermes/secrets/$host/ssh* /mnt/persist/state/etc/ssh/
 fi
 
 if [ "$action" = "enter" ]; then