8 Aug 2024 |
| @galaxyyy:matrix.org left the room. | 05:37:23 |
9 Aug 2024 |
| Different changed their display name from different-name to Different. | 01:49:43 |
10 Aug 2024 |
| Khaneliman changed their display name from Khaneliman to Austin Horstman. | 03:50:04 |
| Mahmoud joined the room. | 15:48:11 |
12 Aug 2024 |
| kyub left the room. | 16:59:16 |
| haennes joined the room. | 19:59:12 |
13 Aug 2024 |
@raijin_:matrix.org | I'm getting the error age.secrets.mysecret.owner does not exist. I'm trying to use a secret as an admin password for the DB in the NixOS Nextcloud module, but NC was complaining about permissions being wrong. I'm trying to assign it to be owned by nextcloud | 16:25:31 |
15 Aug 2024 |
| NixOS Moderation Bot banned @xp5hw23vz5j23g4dql:hackliberty.org (repeated aggressive behaviour). | 17:29:41 |
16 Aug 2024 |
| nebucatnetzer13 set a profile picture. | 11:05:57 |
18 Aug 2024 |
| allout58 joined the room. | 01:19:35 |
20 Aug 2024 |
| @pascal.dietrich:mintux.de joined the room. | 22:30:45 |
@pascal.dietrich:mintux.de | Redacted or Malformed Event | 22:33:08 |
@pascal.dietrich:mintux.de | Hi, I store multiple secrets using the same SSH key with agenix but every time I rebuild my system, I have to enter the password of the key for each secret. Is there an option to only enter it once? | 22:36:07 |
21 Aug 2024 |
| eyJhb joined the room. | 19:20:47 |
22 Aug 2024 |
uep | you shouldn't have to enter it at all | 08:58:51 |
uep | the secrets should be decrypted on the host at runtime, not during build. Something is amiss with your config it seems. | 09:00:07 |
uep | the only time you should need to enter your user key is when editing or rekeying secrets to additional hosts | 09:01:32 |
@pascal.dietrich:mintux.de | In reply to @uep:matrix.org: "you shouldn't have to enter it at all". My key has a password so I should have to enter it at some point. | 09:12:45 |
@pascal.dietrich:mintux.de | In reply to @uep:matrix.org: "the secrets should be decrypted on the host at runtime, not during build. Something is amiss with your config it seems." Could it be that this happens because I also switch the generation and not only rebuild? | 09:12:55 |
@pascal.dietrich:mintux.de | But I'll look in the docs again. | 09:13:08 |
uep | Secrets should be encrypted to several keys:
- the ssh host public key of each system that needs it, to be decrypted at boot / activation
- the user public key of each admin that needs to edit or change the config, such as when re-encrypting to add a new host
Note, in particular, that neither of these happens during build (but, yes, switch involves activation that should not involve a user key)
| 19:06:01 |
@pascal.dietrich:mintux.de | On my system, I am the admin AND user with one single key. | 19:09:05 |
uep | yes | 19:09:20 |
uep | that's the second row. You still want the first row for the host key as well | 19:10:02 |
uep | the minimum useful case is one of each | 19:10:24 |
uep | more if the key is shared between hosts, there are multiple admins, backup keys, etc etc | 19:11:31 |
@pascal.dietrich:mintux.de | Or is the idea that I have one key for me (eventually with a password) and one without one for the system? | 19:12:27 |
uep | I suspect your host won't boot properly and won't decrypt the secret except when you're running switch in a user session with sudo etc | 19:13:45 |
uep | thhd | 19:13:51 |
uep | * the ssh host key is the usual choice for that system key. yes. | 19:14:34 |