feat(weller): add bootstrap configuration for two-stage install

docs/weller-dualboot-2025.md

@@ -95,58 +95,77 @@ Configure UDM Pro:
 
 ---
 
-## 5. Installation Steps
-
-### 5.1 Boot NixOS Installer via PXE
-
-1. Boot the machine and press F11/F12 for boot menu
-2. Select "UEFI: Network Boot" or similar
-3. netboot.xyz will load → select Linux Network Installs → NixOS
-4. Connect to network (should already be connected via PXE)
-
-### 5.2 Verify Target Disk
-
-```bash
-# List disks and find the Seagate by-id
-ls -la /dev/disk/by-id/ | grep -i seagate
-
-# Should show something like:
-# nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_0024_CF01_4800_43D3
-
-# Verify this matches the disk-config.nix device path
-```
-
-### 5.3 Partition, Encrypt, and Format with Disko
-
-```bash
-# Clone cosmo repo
-nix-shell -p git
-git clone https://github.com/patflynn/cosmo /tmp/cosmo
-cd /tmp/cosmo
-
-# Run disko to partition, encrypt, and mount
-# This will prompt for the LUKS encryption password
-sudo nix --experimental-features "nix-command flakes" \
-  run github:nix-community/disko -- \
-  --mode disko ./hosts/weller/disk-config.nix
-```
-
-Disko will:
-- Create GPT partition table
-- Create 1GB EFI partition
-- Create LUKS2 encrypted partition (prompts for password)
-- Format with Btrfs and create subvolumes (@root, @home, @nix, @swap)
-- Mount everything to /mnt
-- Create 16GB swapfile
-
-### 5.4 Install NixOS
-
-```bash
-# Install NixOS from the flake
-nixos-install --no-write-lock-file --flake /tmp/cosmo#weller
-
-# Set root password when prompted (or skip if using SSH keys only)
-```
+## 5. Installation Steps (Two-Stage Process)
+
+To avoid "chicken-and-egg" problems with secrets (`agenix`) and SSH keys, we use a two-stage installation process.
+
+### 5.1 Stage 1: Bootstrap Install
+
+The first stage installs a minimal system with:
+- **Mutable users** (allows setting/changing passwords)
+- **SSH enabled** with password authentication
+- **No secrets/agenix** (prevents decryption errors on first boot)
+
+1. **Boot NixOS Installer via PXE**
+   - Boot the machine and press F11/F12 for boot menu
+   - Select "UEFI: Network Boot" or similar
+   - netboot.xyz will load → select Linux Network Installs → NixOS
+
+2. **Partition and Format with Disko**
+   ```bash
+   # Clone cosmo repo
+   nix-shell -p git
+   git clone https://github.com/patflynn/cosmo /tmp/cosmo
+   cd /tmp/cosmo
+
+   # Run disko to partition, encrypt, and mount
+   # This will prompt for the LUKS encryption password
+   sudo nix --experimental-features "nix-command flakes" \
+     run github:nix-community/disko -- \
+     --mode disko ./hosts/weller/disk-config.nix
+   ```
+
+3. **Install the Bootstrap Configuration**
+   ```bash
+   # Install using the weller-bootstrap target
+   nixos-install --no-write-lock-file --flake /tmp/cosmo#weller-bootstrap
+   ```
+
+4. **Reboot and Access via SSH**
+   - Reboot into the new system.
+   - From your laptop, log in as `root` (using your SSH keys):
+     ```bash
+     ssh root@weller-bootstrap
+     ```
+   - No initial password is required as your keys from `secrets/keys.nix` are pre-authorized in the bootstrap image.
+   - For better security, password authentication is disabled by default.
+
+### 5.2 Stage 2: Full Configuration
+
+Once the bootstrap system is running, we can finalize the setup.
+
+1. **Generate Host SSH Key**
+   ```bash
+   # The host key is usually at /etc/ssh/ssh_host_ed25519_key.pub
+   cat /etc/ssh/ssh_host_ed25519_key.pub
+   ```
+
+2. **Update Repository Secrets (on your laptop)**
+   - Copy the new host key to `secrets/keys.nix`.
+   - Rekey secrets: `agenix -r`.
+   - Commit and push changes to GitHub.
+
+3. **Apply Full Configuration (on weller)**
+   ```bash
+   cd ~/hack/cosmo # or wherever you keep the repo
+   git pull
+   sudo nixos-rebuild switch --flake .#weller
+   ```
+
+The system will now have:
+- Immutable users (managed by Nix)
+- Secrets decrypted via `agenix`
+- Full workstation environment (NVIDIA, Hyprland, etc.)
 
 ---
 

flake.nix

@@ -71,6 +71,33 @@
             }
           ];
         };
+
+      mkBootstrap =
+        {
+          system ? "x86_64-linux",
+          hardware,
+          disk ? null,
+          hostName ? "nixos-bootstrap",
+          hostId ? null,
+          user ? "patrick",
+          email ? "big.pat@gmail.com",
+        }:
+        nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = { inherit inputs; };
+          modules = [
+            hardware
+            (if disk != null then disk else { })
+            (if disk != null then inputs.disko.nixosModules.disko else { })
+            ./modules/bootstrap.nix
+            {
+              networking.hostName = hostName;
+              cosmo.user.default = user;
+              cosmo.user.email = email;
+            }
+            (if hostId != null then { networking.hostId = hostId; } else { })
+          ];
+        };
     in
     {
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-tree;
@@ -103,6 +130,13 @@
           ];
         };
 
+        # Hostname: classic-laddie-bootstrap
+        classic-laddie-bootstrap = mkBootstrap {
+          hardware = ./hosts/classic-laddie/hardware.nix;
+          hostName = "classic-laddie-bootstrap";
+          hostId = "8425e349";
+        };
+
         # Hostname: makers-nix
         makers-nix = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
@@ -156,6 +190,13 @@
           ];
         };
 
+        # Hostname: weller-bootstrap (Initial install target)
+        weller-bootstrap = mkBootstrap {
+          hardware = ./hosts/weller/hardware.nix;
+          disk = ./hosts/weller/disk-config.nix;
+          hostName = "weller-bootstrap";
+        };
+
         # Hostname: weller (dual-boot Windows 11 + NixOS workstation)
         weller = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";

hosts/classic-laddie/default.nix

@@ -7,7 +7,7 @@
 
 {
   imports = [
-    ./hardware-configuration.nix
+    ./hardware.nix
     ../../modules/common/system.nix
     ../../modules/common/users.nix
     ../../modules/common/workstation.nix
@@ -18,6 +18,11 @@
   cosmo.user.default = "patrick";
   cosmo.user.email = "big.pat@gmail.com";
 
+  # ---------------------------------------------------------------------------
+  # Networking
+  # ---------------------------------------------------------------------------
+  networking.hostName = "classic-laddie";
+
   # ---------------------------------------------------------------------------
   # Remote Desktop Streaming (Sunshine/Moonlight)
   # ---------------------------------------------------------------------------
@@ -40,41 +45,9 @@
     mode = "0440";
   };
 
-  # Bootloader (Keep what matches your hardware!)
-  # If your hardware-configuration.nix says you are EFI, use systemd-boot:
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  # If you are Legacy BIOS, you might need: boot.loader.grub.device = "/dev/sda";
-
-  # Enable proprietary software (required for Nvidia drivers)
-  nixpkgs.config.allowUnfree = true;
-
-  # Graphics
-  hardware.graphics.enable = true;
-
-  # Nvidia Driver Configuration
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.nvidia = {
-    modesetting.enable = true;
-    powerManagement.enable = false;
-    powerManagement.finegrained = false;
-    open = false;
-    nvidiaSettings = true;
-    package = config.boot.kernelPackages.nvidiaPackages.stable;
-  };
-
-  # Allow qemu-libvirtd to access the GPU
-  users.groups.video.members = [ "qemu-libvirtd" ];
-  users.groups.render.members = [ "qemu-libvirtd" ];
-
-  networking.hostName = "classic-laddie";
-  networking.hostId = "8425e349"; # Required for ZFS
-  networking.networkmanager.enable = true;
-
-  # Storage Support (Roadmap Phase 1)
-  boot.supportedFilesystems = [ "zfs" ];
-
+  # ---------------------------------------------------------------------------
   # Remote Access (Roadmap Phase 1)
+  # ---------------------------------------------------------------------------
   services.tailscale = {
     enable = true;
     useRoutingFeatures = "server";

hosts/classic-laddie/hardware.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # ---------------------------------------------------------------------------
+  # Bootloader
+  # ---------------------------------------------------------------------------
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # ---------------------------------------------------------------------------
+  # Networking
+  # ---------------------------------------------------------------------------
+  networking.hostId = "8425e349"; # Required for ZFS
+  networking.networkmanager.enable = true;
+
+  # ---------------------------------------------------------------------------
+  # Hardware - NVIDIA
+  # ---------------------------------------------------------------------------
+  nixpkgs.config.allowUnfree = true;
+  hardware.graphics.enable = true;
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+    open = false;
+    nvidiaSettings = true;
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+
+  # Allow qemu-libvirtd to access the GPU
+  users.groups.video.members = [ "qemu-libvirtd" ];
+  users.groups.render.members = [ "qemu-libvirtd" ];
+
+  # ---------------------------------------------------------------------------
+  # Storage Support
+  # ---------------------------------------------------------------------------
+  boot.supportedFilesystems = [ "zfs" ];
+}