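#!/usr/bin/env bash
# NixOS + sops + LUKS/btrfs cheat sheet (restored from a one-line notes dump).
#
# Nothing here runs when the file is executed or sourced: every step is a
# function, so a stray `bash notes.sh` cannot repartition a disk. Source the
# file and call the steps in order, e.g.
#   DEVICE=/dev/nvme0n1 partition_and_format
#
# * Yubikeys are great, if you use them correctly
#   https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
# * SOPS
#   https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g

# Generate an age public key from the host's existing SSH keypair, for the
# recipients list in .sops.yaml. Only the public half is read.
make_age_key() {
  nix-shell -p ssh-to-age --run 'ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub'
}

# Trigger the first encryption of a plaintext secrets file, in place.
# Arguments: $1 - secrets file (default hosts/common/secrets.yaml)
sops_encrypt_first() {
  local file=${1:-hosts/common/secrets.yaml}
  EDITOR=vi sops --config .sops.yaml --encrypt --in-place "$file"
}

# Edit the secrets in an already-encrypted file later (decrypt, $EDITOR,
# re-encrypt). Arguments: $1 - secrets file (default hosts/common/secrets.yaml)
sops_edit() {
  local file=${1:-hosts/common/secrets.yaml}
  EDITOR=vi sops --config .sops.yaml "$file"
}

# When SOPS complains about ~/.gnupg/secring.pgp not being there, try this:
# give gpg-agent the current tty and reload it.
gpg_fix_tty() {
  GPG_TTY=$(tty)
  export GPG_TTY
  gpgconf --reload gpg-agent
}

# ------------------------------------------------------------------ INSTALL ---
# DESTRUCTIVE: writes a new GPT to $DEVICE with a 550M ESP (p1) and a LUKS
# container (p2) holding a btrfs filesystem. $DEVICE must use NVMe-style
# partition names ("${DEVICE}p1", "${DEVICE}p2"), as the note did.
# Globals:   DEVICE (read) - target disk, e.g. /dev/nvme0n1
partition_and_format() {
  local device=${DEVICE:?set DEVICE to the target disk, e.g. /dev/nvme0n1}
  local part_boot="${device}p1" part_luks="${device}p2"
  printf 'label: gpt\n,550M,U\n,,L\n' | sfdisk "$device"
  # The note ran mkfs.fat on the whole device, which would overwrite the
  # partition table just written; the ESP is partition 1.
  mkfs.fat -F 32 "$part_boot"
  cryptsetup --verify-passphrase -v luksFormat "$part_luks"
  # Note had `"${device}p2"enc` (missing space): the mapper name is a separate arg.
  cryptsetup open "$part_luks" enc
  mkfs.btrfs /dev/mapper/enc
}

# Create the subvolumes and mount the tree under /mnt for nixos-install.
# Requires partition_and_format to have run (and /dev/mapper/enc to be open).
# Globals:   DEVICE (read) - target disk, used to find the ESP
create_subvolumes_and_mount() {
  local device=${DEVICE:?set DEVICE to the target disk, e.g. /dev/nvme0n1}
  local sub
  mount /dev/mapper/enc /mnt
  for sub in root nix persist swap logs; do
    btrfs subvolume create "/mnt/$sub"
  done
  # The note remounted over the still-mounted top-level subvolume; unmount it
  # first so /mnt holds only subvol=root.
  umount /mnt
  mount -o compress=zstd,subvol=root /dev/mapper/enc /mnt
  mkdir -p /mnt/{nix,persist,swap,logs,boot}
  mount -o compress=zstd,noatime,subvol=nix /dev/mapper/enc /mnt/nix
  mount -o compress=zstd,subvol=persist /dev/mapper/enc /mnt/persist
  mount -o compress=zstd,noatime,subvol=logs /dev/mapper/enc /mnt/logs
  mount -o noatime,subvol=swap /dev/mapper/enc /mnt/swap
  # The note mounted /dev/sda1 here, but the ESP created above is partition 1
  # of $DEVICE.
  mount "${device}p1" /mnt/boot
}

# Generate the config, hand-edit it, install.
install_nixos() {
  nixos-generate-config --root /mnt
  nano /mnt/etc/nixos/configuration.nix   # manually add the mount options below
  nixos-install
}
# nixos-generate-config --show-hardware-config
# The note adds these mount options by hand to configuration.nix so the running
# system matches the install mounts above:
#   fileSystems = {
#     "/".options = [ "compress=zstd" ];
#     "/nix".options = [ "compress=zstd" "noatime" ];
#     "/persist".options = [ "compress=zstd" "noatime" ];
#     "/logs".options = [ "compress=zstd" "noatime" ];
#     "/swap".options = [ "noatime" ];
#   };
# NOTE(review): /persist is mounted without noatime above but gets noatime
# here; pick one so the two stay in sync.

# Post-install, on the booted system: an 8 GiB swapfile on the swap subvolume
# (inside the LUKS container, so swap contents are encrypted at rest).
create_swapfile() {
  btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
  # then in configuration.nix:
  #   swapDevices = [ { device = "/swap/swapfile"; } ];
  # (note had the typo `nixos-rebulid switch`)
  nixos-rebuild switch
}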
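# ------------------------------------------------------- after first boot ---
# Bootstrap flakes, GPG and the nix-config checkout on the fresh system.
# As above, every step is a function: source the file and call them in order.

# Enable flakes for this shell and install pinentry + git to get going.
bootstrap_flakes_and_gpg() {
  local pinentry_bin
  export NIX_CONFIG="experimental-features = nix-command flakes"
  nix-env -iA nixos.pinentry nixos.git
  # The note used `echo ... $(which pinentry)`, which appends an empty
  # `pinentry-program` line if pinentry is not on PATH; fail instead.
  pinentry_bin=$(command -v pinentry) || return
  printf 'pinentry-program %s\n' "$pinentry_bin" >> ~/.gnupg/gpg-agent.conf
}

# Clone the config and enter its dev shell. `nix develop` opens an interactive
# shell; run the remaining steps inside it.
clone_and_enter_dev_shell() {
  git clone https://github.com/gburd/nix-config.git
  cd nix-config || return
  nix develop
}

# Smoke-test signing through gpg-agent/pinentry, then open the secrets file
# with sops (decrypts only if your key is a recipient in .sops.yaml).
check_gpg_and_sops() {
  echo test | gpg --clearsign
  gpg --list-keys
  EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml
}

# Install from the flake and reboot. Arguments: $1 - flake host attribute
install_from_flake() {
  local host=${1:?usage: install_from_flake hostname}
  sudo nixos-install --flake ".#${host}"
  reboot
}

# Arguments: $1 - home-manager flake target, username@hostname
home_manager_switch() {
  local target=${1:?usage: home_manager_switch username@hostname}
  home-manager switch --flake ".#${target}"
}

# Rebuild and activate. GPG_TTY is exported first so sops/gpg can prompt via
# pinentry during the build. Arguments: $1 - flake host attribute
rebuild_switch() {
  local host=${1:?usage: rebuild_switch hostname}
  GPG_TTY=$(tty)
  export GPG_TTY
  sudo nixos-rebuild switch --flake ".#${host}"
}

# Dry run of activation. Arguments: $1 - flake host attribute (default loki)
rebuild_dry_activate() {
  local host=${1:-loki}
  clear
  sudo nixos-rebuild dry-activate --flake ".#${host}"
}

# -------
# Smart-card daemon, needed for the YubiKey path:
#   services.pcscd.enable = true;
# Opt-in state:
#   https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html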