added not tested isntall script and some secrets

apps/install/default.nix

@@ -0,0 +1,18 @@
+{
+  writeShellApplication,
+  git,
+  ...
+}:
+
+let
+  name = "install";
+  text = builtins.readFile ./${name}.sh;
+in
+writeShellApplication {
+  inherit name text;
+  meta.mainProgram = name;
+
+  runtimeInputs = [
+    git
+  ];
+}

apps/install/install.sh

@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+# NixOS install script
+
+
+### VARIABLES ###
+
+ASK_VERIFICATION=1 # Default to ask for verification
+CONFIG_DIR="/tmp/nixos" # Directory to copy flake to / clone flake into
+GIT_BRANCH="main" # Default Git branch
+GIT_REPO="" # Git repository URL
+HOSTNAME="" # Hostname
+MNT="/mnt" # root mount point
+SEPARATOR="________________________________________" # line separator
+
+### FUNCTIONS ###
+
+# Function to display help information
+Show_help() {
+  echo "Usage: $0 [-r REPO] [-n HOSTNAME] [-b BRANCH] [-y] [-h]"
+  echo
+  echo "Options:"
+  echo "  -r, --repo REPO           Your NixOS configuration Git repository URL"
+  echo "  -n, --hostname HOSTNAME   Specify the hostname for the NixOS configuration"
+  echo "  -b, --branch BRANCH       Specify the Git branch to use (default: $GIT_BRANCH)"
+  echo "  -y, --yes                 Do not ask for user verification before proceeding"
+  echo "  -h, --help                Show this help message and exit"
+}
+
+# Function to format, partition, and mount disks for $HOSTNAME using disko
+Run_disko() {
+  echo "$SEPARATOR"
+  echo "Running disko..."
+  nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode disko "$CONFIG_DIR"/hosts/"$HOSTNAME"/disks.nix
+}
+
+# Function to format, partition, and mount disks for $HOSTNAME using a partitioning script
+Run_script() {
+  echo "$SEPARATOR"
+  echo "Running partitioning script..."
+  bash "$CONFIG_DIR"/hosts/"$HOSTNAME"/disks.sh
+}
+
+# Function to check mount points and partitioning
+Check_partitioning() {
+  echo "$SEPARATOR"
+  echo "Printing mount points and partitioning..."
+  mount | grep "$MNT"
+  lsblk -f
+  [[ "$ASK_VERIFICATION" == 1 ]] && read -rp "Verify the mount points and partitioning. Press Ctrl+c to cancel or Enter to continue..."
+}
+
+# Function to generate hardware configuration
+Generate_hardware_config() {
+  [[ "$ASK_VERIFICATION" == 1 ]] && read -rp "No hardware configuration found. Press Ctrl+c to cancel or Enter to generate one..."
+
+  echo "$SEPARATOR"
+  echo "Generating hardware configuration..."
+  nixos-generate-config --root "$MNT" --show-hardware-config > "$CONFIG_DIR"/hosts/"$HOSTNAME"/hardware.nix
+
+  # Check if hardware configuration has been generated
+  if [[ ! -f "$CONFIG_DIR"/hosts/"$HOSTNAME"/hardware.nix ]]; then
+    echo "Error: Hardware configuration cannot be generated."
+    exit 1
+  fi
+
+  # Add configuration to git
+  git -C "$CONFIG_DIR" add hosts/"$HOSTNAME"/hardware.nix
+
+  echo "Hardware configuration generated successfully."
+}
+
+# Function to install configuration for $HOSTNAME
+Install() {
+  # Check if hardware configuration exists
+  [[ ! -f "$CONFIG_DIR"/hosts/"$HOSTNAME"/hardware.nix ]] && Generate_hardware_config
+
+  echo "$SEPARATOR"
+  echo "Installing NixOS..."
+  nixos-install --root "$MNT" --no-root-password --flake "$CONFIG_DIR"#"$HOSTNAME" && echo "You can reboot the system now."
+}
+
+### PARSE ARGUMENTS ###
+
+while [[ "$#" -gt 0 ]]; do
+  case $1 in
+    -r|--repo) GIT_REPO="$2"; shift ;;
+    -b|--branch) GIT_BRANCH="$2"; shift ;;
+    -y|--yes) ASK_VERIFICATION=0 ;;
+    -h|--help) Show_help; exit 0 ;;
+    -n|--hostname) HOSTNAME="$2"; shift ;;
+    *) echo "Unknown option: $1"; Show_help; exit 1 ;;
+  esac
+  shift
+done
+
+### PREREQUISITES ###
+
+echo "$SEPARATOR"
+mkdir -p "$CONFIG_DIR"
+
+# Clone NixOS configuration from $GIT_REPO if provided
+if [[ -n "$GIT_REPO" ]]; then
+  # Clone Git repo if directory is empty
+  if [[ -z "$(ls -A "$CONFIG_DIR" 2>/dev/null)" ]]; then
+    echo "Cloning NixOS configuration repo..."
+    git clone --depth 1 -b "$GIT_BRANCH" "$GIT_REPO" "$CONFIG_DIR"
+
+    # Check if git repository has been cloned
+    if [[ ! -d "$CONFIG_DIR"/.git ]]; then
+      echo "Error: Git repository could not be cloned."
+      exit 1
+    fi
+  else
+    echo "$CONFIG_DIR is not empty. Skip cloning $GIT_REPO."
+  fi
+fi
+
+if [[ ! -f "$CONFIG_DIR"/flake.nix ]]; then
+  echo "Error: $CONFIG_DIR does not contain 'flake.nix'."
+  exit 1
+fi
+
+### CHOOSE CONFIG ###
+
+# If hostname is not provided via options, prompt the user
+if [[ -z "$HOSTNAME" ]]; then
+  # Get list of available hostnames
+  HOSTNAMES=$(ls "$CONFIG_DIR"/hosts)
+
+  echo "$SEPARATOR"
+  echo "Please choose a hostname to install its NixOS configuration."
+  echo "$HOSTNAMES"
+  read -rp "Enter hostname: " HOSTNAME
+
+  # Check if hostname is empty
+  if [[ -z "$HOSTNAME" ]]; then
+    echo "Error: Hostname cannot be empty."
+    exit 1
+  fi
+fi
+
+### INSTALLATION ###
+
+# Check if NixOS configuration exists
+if [[ -d "$CONFIG_DIR"/hosts/"$HOSTNAME" ]]; then
+
+  # Check for existing disko configuration
+  if [[ -f "$CONFIG_DIR"/hosts/"$HOSTNAME"/disks.nix ]]; then
+    Run_disko || ( echo "Error: disko failed." && exit 1 )
+  # Check for partitioning script
+  elif [[ -f "$CONFIG_DIR"/hosts/"$HOSTNAME"/disks.sh ]]; then
+    Run_script || ( echo "Error: Partitioning script failed." && exit 1 )
+  else
+    echo "Error: No disko configuration (disks.nix) or partitioning script (disks.sh) found for host '$HOSTNAME'."
+    exit 1
+  fi
+
+  Check_partitioning
+  Install || ( echo "Error: Installation failed." && exit 1 )
+else
+  echo "Error: Configuration for host '$HOSTNAME' does not exist."
+  exit 1
+fi

docs/getting-started/first-install.md

@@ -111,18 +111,29 @@ Optional per SSH verbinden (bequemer):
 ssh -o StrictHostKeyChecking=no root@<IP>
 ```
 
-### 2.3 Repository klonen und installieren
+### 2.3 Installieren
 
 ```bash
-nix-shell -p git
+nix --experimental-features "nix-command flakes" run \
-git clone <REPO_URL> /tmp/nixos
+  git+<REPO_URL>#apps.x86_64-linux.install -- \
-bash /tmp/nixos/scripts/install.sh -n <hostname>
+  -n <hostname> \
+  -r <REPO_URL>
+```
+
+Alternativ, falls das Repository bereits unter `/tmp/nixos` geklont wurde:
+
+```bash
+nix --experimental-features "nix-command flakes" run /tmp/nixos#install -- -n <hostname>
 ```
 
 > **Hinweis:** Die Disk-ID in `hosts/<hostname>/disks.sh` muss zur Hardware passen.
 > Pruefen mit `ls -la /dev/disk/by-id/`.
 
-Das Script partitioniert die Disk, generiert `hardware.nix` (falls noetig) und installiert NixOS.
+Das Script:
+1. Klont das Repository (bei `-r`)
+2. Partitioniert die Disk (via `disks.nix` oder `disks.sh`)
+3. Generiert `hardware.nix` (falls nicht vorhanden)
+4. Installiert NixOS
 
 ### 2.4 Reboot
 

flake.nix

@@ -77,6 +77,7 @@
           };
         in
         {
+          install = mkApp "install";
           rebuild = mkApp "rebuild";
         }
       );

hosts/cryodev-main/secrets.yaml

@@ -1,18 +1,37 @@
-# SOPS encrypted secrets for cryodev-main
-# This file should be encrypted with sops before committing
-# See INSTRUCTIONS.md for setup instructions
-
-# Placeholder - replace with actual encrypted secrets
-forgejo-runner:
-    token: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
 tailscale:
-    auth-key: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+    auth-key: ENC[AES256_GCM,data:APMZrLYEqywYTmc=,iv:KiFwgR3UXLXCdl9DlR5tJOr8XUyQEeDomPx9hOREhnw=,tag:32quLtu74EIxAgmjH3hvIw==,type:str]
+forgejo-runner:
+    token: ENC[AES256_GCM,data:/i9KVMeEXYwQnn0=,iv:pILMNbhDviifDUFRINi6n9dtGSAeqxKMdBgjYwtXXEM=,tag:JCj5v5BZdZteo0MdTVKREw==,type:str]
 headplane:
-    cookie_secret: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+    cookie_secret: ENC[AES256_GCM,data:HICF31i6yCLZGNeOFYTR3Bp0a7i0UKOvGAvx/pD3NB4=,iv:ZtK8r1YUWnf5Af0Ls341k0w1mZm+D5Rb0E1uS5z/Gdo=,tag:vwM9+4dpcmnjn/wR6Ty/MQ==,type:str]
-    agent_pre_authkey: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+    agent_pre_authkey: ENC[AES256_GCM,data:aYkPZTR4fwArcKQ=,iv:+OhbIpwsyCJ4i4k8eyCKYAHE25F4iUHfdM+CG0+BQd8=,tag:BkT73WPjOv5Lu6dCFBXxWg==,type:str]
 mailserver:
     accounts:
-        forgejo: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+        admin: ENC[AES256_GCM,data:gY2k3x3sA98yGNLcSWUr9aC0566MJM2UXhwLtWPUL3PRvxQt0XOzjeiC7ddgbqTAol4dBNeaV0zbFInD,iv:rxp0M9kHMgD73K+RDC562sUpXaJ067eU1CeciAke+LM=,tag:VKobduo/ZULAk17M9LD3bw==,type:str]
-        admin: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+        forgejo: ENC[AES256_GCM,data:brpyVL8THAQcwt7pVYnWviX3PZg1TzfnNEZw9rO/DuFj4sbzLPSPuxxfe6Jj2pwZ4IVoWmastKV3oTnr,iv:Imo6VPA4tqC4Ta8OEniCv0M+UCqQm8YcmE3kIG7G9aY=,tag:uoQ9o2cigN4XwRFnSvC5Lg==,type:str]
 forgejo:
-    mail-pw: ENC[AES256_GCM,data:placeholder,tag:placeholder,type:str]
+    mail-pw: ENC[AES256_GCM,data:ol8dGa6KydnxDR8ybEro6wOcsi6iwu3IMfgO5xTpz34=,iv:SHmku32PdtXjueIjakCTstspzTzCN+iQg7K5DUEJoYk=,tag:yW/Z84q+kUzfPhLQiwGxGA==,type:str]
+sops:
+    age:
+        - recipient: age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QytQUlNqSlNPaEd6Mlp0
+            UVo2WnNyamhxelBod2ZoRERaa1Z3L2NtbVFZCllHZGYxMWtqMGpxemI2bnlpMG5k
+            MklyMFkrdjd5eTlEUWJFMDBlRk1hQkEKLS0tIDhHWG9NVnd2czdBQVJ3VmdMOWNu
+            RVNlZVYxOGdZYnpSalF4WHo0SUVhakEKE7CyGNSk03dbSfXrw9n6fi87PYoqEAxI
+            t74NY/MxQt5gg0fJjtRbOj/cer0gaX86MvMSMJzREPEch5Q52gqKUw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y6hushuapy0k04mrvvpev0t8lq44w904r596jus44nhkflky0yhqgq2xx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMU1pUR1dxS3BHOGxiL3pj
+            emFaWGdNWmRxTVo4dkc1VDF4Sm8xVnVFQkJrCkRNcnNWODhGNHoxVGtGZWVpc1hn
+            N1JVbUY4c043b0JZVC84NlQzSGhnVzQKLS0tIG1EL3J1aWY0ZG95V0s4TTJmRnUy
+            MEpGbGlQbVRsM1NxN1JxY2J1MVNTTE0KuIvuM2c1VIXKv0LGLb0NwqtSyBYcRcb1
+            uiIjNV0UzEt/WvnCeUTMPgIXBHk6jWcaKe13v6MHeha+/CVZ9Su/Lw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-14T10:28:25Z"
+    mac: ENC[AES256_GCM,data:oeT8I9gMIAPnm8wlNUFjn/0UT6qfTA//fLp3USO33FMsNIOWmqt3kB4NsozS+n6ZeMxBVWQZPss8t819DYqv0xQarzfOqQe1idCGCB+7NBFcFP2VLFzkIH+9Wei9AJSlR3BRnzyVaQDi797P6pEXFn/IoQWPWZ8sX8ZKugOfY0w=,iv:RjsKhPcVZBHHLs1W3PDhcseGLV4eawafg0is6KrzhtE=,tag:ifkobUteslEZ78OvkZw8JQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0