## Deploy

Everything (all servers, all clients):

```bash
colmena apply switch
```

All clients:

```bash
colmena apply switch --on=@client
```

Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts.

### Building disk image

You can build a ready-to-use disk image containing the whole system using the following command:

```bash
nix build .#images.
```

## Secret management

Secrets are encrypted using sops. Sops encrypts each secret for all administrators and for the target machines that use it.

### Prepare your system

You must derive an age key from your SSH key:

```bash
mkdir -p ~/.config/sops/age
# Read the SSH key passphrase without echoing it, hand it to ssh-to-age
# via the environment, and drop it again once the age key is written.
read -s SSH_TO_AGE_PASSPHRASE
export SSH_TO_AGE_PASSPHRASE
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
unset SSH_TO_AGE_PASSPHRASE
```

### Edit/show secrets

Secrets are stored in `secrets.yaml` or in files in the `secrets` folder. To show or edit their content, use the `sops` command, e.g.:

```bash
sops machines/nfs/secrets.yaml
```

### Update encryption after fresh deployment

The target machines use the SSH host key of the target system to decrypt the secrets required for that machine. Therefore the host keys specified in `sops-config.nix` must be kept in sync with the actual host keys. These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem). After the keys have been updated, the `contrib/updatekeys.sh` script must be executed.
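The drift that `contrib/updatekeys.sh` repairs can be detected before deploying: sops records every age recipient a file was encrypted for in its `sops.age` metadata, so comparing that list against the configured recipients for the file's path shows which host keys are stale. The following is an added example, not part of this repository or of sops; the creation rules and recipient strings are constructed placeholders that mirror the structure of a sops configuration.

```python
import json
import re

# Constructed creation rules (path regex -> age recipients), mirroring the
# shape of a sops configuration. The recipients are placeholders, not keys.
CREATION_RULES = [
    {"path_regex": r"machines/nfs/.*",
     "age": ["age1admin-placeholder", "age1nfshost-new"]},
    {"path_regex": r"machines/web/.*",
     "age": ["age1admin-placeholder", "age1webhost-placeholder"]},
]


def rule_for(path):
    """Return the recipients of the first creation rule matching path."""
    for rule in CREATION_RULES:
        if re.search(rule["path_regex"], path):
            return set(rule["age"])
    return set()


def encrypted_recipients(sops_doc):
    """Extract the age recipients recorded in a sops-encrypted document."""
    return {e["recipient"] for e in sops_doc.get("sops", {}).get("age", [])}


def check_recipients(path, sops_doc):
    """Compare configured and recorded recipients; returns (missing, stale).

    A non-empty result means the file must be re-encrypted (sops updatekeys)
    before the target machine can decrypt it with its current host key."""
    expected = rule_for(path)
    actual = encrypted_recipients(sops_doc)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sops metadata of an encrypted file after the nfs host was
# reinstalled: it still lists the old host key and lacks the new one.
NFS_SECRETS = json.loads('''{
  "sops": {"age": [
    {"recipient": "age1admin-placeholder", "enc": "..."},
    {"recipient": "age1nfshost-old", "enc": "..."}
  ]}
}''')

if __name__ == "__main__":
    missing, stale = check_recipients("machines/nfs/secrets.yaml", NFS_SECRETS)
    print("missing:", missing, "stale:", stale)
```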