jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b5e358ee2265d6075e9d2ab82219c06eedbda9ee
NixOS/specs/003-vps-image-migration/research.md
Danilo Reyes 979bb915a6 init
2026-02-03 15:13:56 -06:00

1.1 KiB
Raw Blame History

Research: VPS Image Migration

Decision 1: Replace deprecated image generator usage

  • Decision: Use NixOS's built-in image building workflow (nixos-rebuild build-image) for Linode-compatible images.
  • Rationale: The NixOS manual documents nixos-rebuild build-image and lists Linode as a supported image target via image.modules, indicating the upstream path for image generation.
  • Alternatives considered:
    • Keep using nixos-generators (rejected due to deprecation and upstream migration).

Decision 2: Secure-first secrets bootstrap for vps

  • Decision: Use a two-phase bootstrap where the vps generates its own age key on first boot, then the host public key is added as a recipient and secrets are re-encrypted before the second deploy.
  • Rationale: sops-nix supports generating an age key when missing and can use SSH host keys to derive age identities; this avoids embedding private keys in the image or repository.
  • Alternatives considered:
    • Bake a static age key into the image (rejected for security risk).
    • Ship a fixed SSH host key in the image (rejected for key reuse across hosts).
Reference in New Issue View Git Blame Copy Permalink