by LorenzoGood 561 days ago
You can also use something like agenix or sops-nix to deploy the secrets encrypted to the machine in the system closure.

These are a little chicken and egg, as you need the system's host key for that. If you want to use a signed host key, you need to deploy that; otherwise, if you just let it generate a host key, you're in TOFU territory.
I don't really feel like bootstrapping is that much work, since you usually need that public key to deploy the whole clojure anyway.
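The non-TOFU route the comment above describes, as an added Python example that is not from the thread: the host key is generated offline, its fingerprint is pinned alongside the public key used for agenix/sops-nix, and whatever the host later presents is checked against that pin rather than accepted on first use. The key bytes and host names are constructed for the demo; fingerprints follow the `SHA256:` form `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH 'SHA256:...' fingerprint of a public key line
    of the form '<type> <base64-blob> [comment]'."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with the key type as an SSH string; it must agree with the text type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(presented_line: str, pinned_fingerprint: str) -> bool:
    """True only if the key a host presents (e.g. the ssh-keyscan output) has the
    fingerprint pinned when the key was generated offline; malformed input is a mismatch."""
    try:
        return ssh_fingerprint(presented_line) == pinned_fingerprint
    except ValueError:
        return False


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a public-key line for a 32-byte ed25519 public key (constructed test data only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys, not real hosts: KEY_A plays the host key generated offline and pinned.
KEY_A = make_ed25519_pubkey_line(bytes(range(32)), "root@host-a")
KEY_B = make_ed25519_pubkey_line(bytes(range(32, 64)), "root@host-b")
PINNED = ssh_fingerprint(KEY_A)

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("host-a matches pin:", host_key_matches(KEY_A, PINNED))
    print("host-b matches pin:", host_key_matches(KEY_B, PINNED))
```

The same pinned public key is what you list as a recipient in `secrets.nix` (agenix) or convert with `ssh-to-age` for sops-nix, so the secrets are only decryptable by the host whose key you already verified.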

Also, SCPing the file over is bad for reproducibility.

It’s finally happened, people are typo’ing closure as clojure, instead of the other way around!

For the topic at hand, isn’t this always a problem with deployment systems? You need to have the secret somewhere after all. In my case I only ever use nix for personal systems, so I feel totally justified just storing my ssh key as a secret in yadm.