create top-level machine definition that is used by both deploy-rs and

nixos
rename bootstrap script

agenix.nix

@@ -1,11 +1,11 @@
+{ machine, ...}:
 {
   age = {
     identityPaths = [ "/root/age_ed25519" ];
 
     secrets = {
-      # TODO: make machine independent
+      "host_ed25519".file = ./secrets/${machine.name}_host_ed25519.age;
-      "jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age;
+      "user_ed25519".file = ./secrets/${machine.name}_user_ed25519.age;
-      "jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age;
     };
   };
 }

configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, machine, ... }: {
   imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ];
 
   boot.loader = {
@@ -31,10 +31,9 @@
         PasswordAuthentication = false;
         KbdInteractiveAuthentication = false;
       };
-      # TODO! machine independent
       extraConfig = ''
-        HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)}
+        HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert}
-        HostKey ${config.age.secrets.jefke_host_ed25519.path}
+        HostKey ${config.age.secrets.host_ed25519.path}
       '';
     };
 
@@ -66,10 +65,9 @@
       };
     };
 
-    # TODO: machine independent
     extraConfig = ''
-      CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)}
+      CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert}
-      HostKey ${config.age.secrets.jefke_user_ed25519.path}
+      HostKey ${config.age.secrets.user_ed25519.path}
     '';
   };
 

flake.nix

@@ -20,33 +20,55 @@
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
       pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
+      machines = {
+        jefke = {
+          name = "jefke";
+          hostname = "jefke.hyp";
+          user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub;
+          host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub;
+        };
+      };
     in {
       devShells.${system}.default = pkgs.mkShell {
-        packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
+        packages = [
-      };
+          pkgs.libsecret
-
+          pkgs-unstable.nixos-anywhere
-      formatter = pkgs.nixfmt;
+          pkgs-unstable.deploy-rs
-
-      nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          disko.nixosModules.disko
-          agenix.nixosModules.default
-          ./configuration.nix
         ];
       };
 
+      # TODO. if uncommented, nix flake check fails
+      # formatter = pkgs.nixfmt;
+
+      # TODO create helper
+      nixosConfigurations = nixpkgs.lib.foldlAttrs (acc: name: machine:
+        acc // {
+          "${name}" = nixpkgs.lib.nixosSystem {
+            inherit system;
+            specialArgs = { inherit machine; };
+            modules = [
+              disko.nixosModules.disko
+              agenix.nixosModules.default
+              ./configuration.nix
+            ];
+          };
+        }) { } machines;
+
       deploy = {
         sshUser = "root";
         user = "root";
 
-        nodes.jefke = {
+        # TODO create helper
-          hostname = "jefke.hyp";
+        nodes = nixpkgs.lib.foldlAttrs (acc: name: machine:
-          profiles.hypervisor = {
+          acc // {
-            path = deploy-rs.lib.${system}.activate.nixos
+            "${name}" = {
-              self.nixosConfigurations.hypervisor;
+              hostname = machine.hostname;
-          };
+              profiles.hypervisor = {
-        };
+                path = deploy-rs.lib.${system}.activate.nixos
+                  self.nixosConfigurations.${name};
+              };
+            };
+          }) { } machines;
       };
 
       checks = builtins.mapAttrs