| 8 Mar 2025 |
 K900 | Not your user key | 07:07:19 |
 laurent | In reply to @k900:0upti.me
You don't want any password prompts at all? I dont want a password prompt hanging on the boot sequence as it freezes my machine, and the "asking for password prompt" is hidden behind the nixos booting logo. Im used to only have one ssh key with other linux distrib,so i prob didnt setup things properly by having the same key for host and user. Ill investigate! | 07:16:23 |
| K900 | The host key is not something you need to manually create | 07:16:52 |
| K900 | It's created when you start sshd for the first time, in /etc/ssh/sshhostkey_ed25519 | 07:17:05 |
| laurent | Ahh thx, i wasnt even aware of this folder! I put my key in my ~/.ssh as for other linux! | 07:20:11 |
| K900 | Those are different keys | 07:20:23 |
| K900 | Your key in ~/.ssh identifies your user | 07:20:28 |
| K900 | The host key in /etc/ssh identifies the machine | 07:20:35 |
| laurent | Got it! And when i set up agenix i encrypted with my user key, which i then use in the identityfile option of agenix! So i should have encrypted with the host machine correct? But this host ssh key is automatically regenerated on a new nixos install? | 07:25:13 |
| K900 | You encrypt with the public part of the host key | 07:25:36 |
| K900 | And then it's decrypted with the private part | 07:25:43 |
| laurent | * Got it! And when i set up agenix, i encrypted with my user key, which i then use in the identityfile option of agenix! So i should have encrypted with the host machine correct? But this host ssh key is automatically regenerated on a new nixos install? | 07:25:45 |
| K900 | And yes, the host key is generated per machine | 07:25:48 |
| K900 | So you probably want to also encrypt to your own user key, so you can access the secrets if you don't have any of the host keys | 07:26:06 |
| laurent | Thx! I did everything the wrong way then. So the host key needs obviously to be backed up. I ll check some doc to see how to reinstall it the nix way on a fresh install.thx a lot fornyour help | 07:29:13 |
 Valodim | It does not need to be backed up. Just create a new one and rekey on redeployment | 07:49:26 |
| laurent | In reply to @Valodim:stratum0.org
It does not need to be backed up. Just create a new one and rekey on redeployment Do you mean to re encrypt all secrets with the then new host key? | 08:13:45 |
| Valodim | Yes | 08:14:05 |
| Valodim | The same as you'll have to do on other occasions when public keys changes, e.g. when some secret should be available for a new host | 08:14:57 |
| Valodim | Maybe study the agenix docs some more. it's in there :) | 08:15:13 |
| laurent | In reply to @Valodim:stratum0.org
Maybe study the agenix docs some more. it's in there :) I reckon thats what i have to do haha. Been wanting to take shortcuts with nix to be able to have a quick working env but its time to go back to the doc now that i understand more the ecosystem | 08:17:33 |
|  Qyriad changed their display name from qyriad to Qyriad. | 21:41:03 |
| 9 Mar 2025 |
|  kiwicutter joined the room. | 23:34:49 |
| 10 Mar 2025 |
| kiwicutter | So, ive been using agenix for a bit and only now thought to myself hey, maybe i should check how (easily) recreating my system actually is in case i ever need to do so. The issue i ran into was, of course, that the install media can't decrypt any secrets during nixos-install. Is there a way to supply a user or a previous host key to that or do i have to re-key everything? | 00:01:46 |
| Valodim | Personally I find it's easiest to deploy a relatively blank nixos (e.g. just disk config), rekey, then do the full in install. Doesn't hurt to have new host keys once in a while, but ymmv | 06:35:11 |
 Daniel RodrÃguez Rivero | If that is the intended usage, would not be SOPS simpler? It will work fine without the secrets, then you put them and run again to get the data decryted for real | 08:19:45 |
| Valodim | agenix also "works fine" without secrets, the secret files just won't be there 🤷 | 08:25:52 |
| Daniel RodrÃguez Rivero | then you don't need a relatively blank anything, no? | 08:28:16 |
| Daniel RodrÃguez Rivero | just don't depend on secrets for your system to function | 08:28:33 |
| Valodim | maybe I just misunderstood what you meant by "sops will work fine without the secrets". I'd think it behaves very similar to agenix in this regard | 08:33:54 |
