From 89ae4455bb4704135712a5581859bdb29d6c60f9 Mon Sep 17 00:00:00 2001
From: Benedikt Heine
Date: Mon, 2 Dec 2024 21:28:49 +0100
Subject: [PATCH 1/4] Fix problems in umask

You must set the umask to not spill the directory permissions

$> umask 022
$> echo asdf1234 > password
$> ls -la password
-rw-r--r-- 1 bebe bebe 9 2. Dez 21:29 password
$> rm password
$> (umask 077; echo "my-super-safe-password" > password)
$> ls -la password
-rw------- 1 bebe bebe 23 Dec 2 21:28 password
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d01cda2..1aca7d4 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ used flakes:
 ```bash
 # enter disk encryption key
- echo "my-super-safe-password" > /tmp/disk.key
+ (umask 077; echo "my-super-safe-password" > /tmp/disk.key)
 temp=$(mktemp -d)
 # ssh-host keys
@@ -98,7 +98,7 @@ used flakes:
 1. existing host
 ```bash
- echo "my-super-safe-password" > /tmp/disk.key
+ (umask 077; echo "my-super-safe-password" > /tmp/disk.key)
 temp=$(mktemp -d)
 find $temp -printf '%M %p\n'
 ```
From bc3eb0a9636ddcd6280ae4036f5ffae56117e152 Mon Sep 17 00:00:00 2001
From: Benedikt Heine
Date: Mon, 2 Dec 2024 21:32:28 +0100
Subject: [PATCH 2/4] Remove superfluous chmods

ssh-keygen already cares about the permission bits. Adding another chmod 600 on top of it is a noop
---
 README.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/README.md b/README.md
index 1aca7d4..b56814c 100644
--- a/README.md
+++ b/README.md
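Review bot: The umask only governs the mode a file gets when it is created, so the new `(umask 077; echo "my-super-safe-password" > /tmp/disk.key)` line in both hunks does not repair a `/tmp/disk.key` left behind by an earlier run of the old instructions — `>` truncates and rewrites the existing file and its old, world-readable mode survives. Because `/tmp` is shared, a pre-existing file at that fixed name may not even be the reader's own. I would create the file fresh instead of relying on umask alone, e.g. `rm -f /tmp/disk.key && (umask 077; echo "my-super-safe-password" > /tmp/disk.key)`, and add a comment such as `# recreate the key file so a stale copy with looser permissions is never reused`. Separately, the passphrase typed on the command line ends up in shell history; a one-line hint like `# or: read -rs key; (umask 077; printf '%s' "$key" > /tmp/disk.key)` would let readers avoid that.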
@@ -86,13 +86,10 @@ used flakes:
 # ssh-host keys
 install -d -m755 "$temp/etc/ssh"
 ssh-keygen -o -t rsa -a 100 -N "" -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
- chmod 600 "$temp/etc/ssh/ssh_host_rsa_key"
 ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/ssh/ssh_host_ed25519_key"
- chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
 # initrd key
 install -d -m755 "$temp/etc/secrets/initrd"
 ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
- chmod 600 "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
 ```
 1. existing host
From 04598a9aebc18faac062b6d54b7b282a37bb1077 Mon Sep 17 00:00:00 2001
From: Benedikt Heine
Date: Mon, 2 Dec 2024 21:33:48 +0100
Subject: [PATCH 3/4] Make option parameters to `ssh-keygen` uniform

---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b56814c..573be7e 100644
--- a/README.md
+++ b/README.md
@@ -85,11 +85,10 @@ used flakes:
 temp=$(mktemp -d)
 # ssh-host keys
 install -d -m755 "$temp/etc/ssh"
- ssh-keygen -o -t rsa -a 100 -N "" -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
- ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/ssh/ssh_host_ed25519_key"
- # initrd key
 install -d -m755 "$temp/etc/secrets/initrd"
- ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
+ ssh-keygen -o -a 100 -N "" -t rsa -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
+ ssh-keygen -o -a 100 -N "" -t ed25519 -f "$temp/etc/ssh/ssh_host_ed25519_key"
+ ssh-keygen -o -a 100 -N "" -t ed25519 -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
 ```
 1. existing host
From c3d0ff427ad7aaefd85682571e9206d0a1454714 Mon Sep 17 00:00:00 2001
From: Benedikt Heine
Date: Mon, 2 Dec 2024 22:00:53 +0100
Subject: [PATCH 4/4] Fix nixos-anywhere repo URL to nix-community

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 573be7e..1c4d67c 100644
--- a/README.md
+++ b/README.md
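Review bot: The uniform `-o -a 100` prefix on the three new `ssh-keygen` lines of the `@@ -85,11 +85,10 @@` hunk is inert here, because `-a` sets the KDF rounds used to encrypt the private key under a passphrase and every line passes `-N ""`, so no KDF runs; `-o` is likewise the default private-key format on current OpenSSH. That is harmless, but a reader may take `-a 100` as hardening the host keys, which it does not. I would either drop the two flags, giving `ssh-keygen -N "" -t ed25519 -f "$temp/etc/ssh/ssh_host_ed25519_key"`, or keep them with a comment above the block such as `# -o/-a only affect passphrase-protected keys; kept for uniformity with user keys`. The hunk also drops the `# initrd key` comment, so the third line could use a trailing `# initrd (boot-time unlock) key` to keep that distinction visible.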
@@ -10,7 +10,7 @@ used flakes:
 - secrets: [sops-nix](https://github.com/Mic92/sops-nix)
 - deployment: [nixinate](https://github.com/MatthewCroughan/nixinate), see [usage](#usage)
 - formatting: [git-hooks](https://github.com/cachix/git-hooks.nix)
-- install: [nixos-anywhere](https://github.com/numtide/nixos-anywhere/)
+- install: [nixos-anywhere](https://github.com/nix-community/nixos-anywhere/)
 ## Structure
@@ -120,7 +120,7 @@ used flakes:
 now simply install by executing (this will delete all data!):
 ```bash
- nix run github:numtide/nixos-anywhere -- \
+ nix run github:nix-community/nixos-anywhere -- \
 --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
 --extra-files "$temp" \
 --flake .# \