
agenix

age-encrypted secrets for NixOS https://github.com/ryantm/agenix
323 Members, 93 Servers

10 Mar 2025
[08:43:32] kiwicutter (@kiwicutter:matrix.org): I guess the host keys will only be generated during a first startup though and not already during nixos-install? Else one could already check those and rekey right after the install..
[08:54:16] Daniel Rodríguez Rivero (@danielo515:matrix.org): As far as I know, they just put empty files in places, instead of failing. Is that what agenix does too?
[08:57:41] Daniel Rodríguez Rivero (@danielo515:matrix.org): But in order to rekey, you need to do that in an environment where the secrets are available. No? So you can't do that in the host being built
[14:50:10] kiwicutter (@kiwicutter:matrix.org): As long as I have my "master" key I can just go about and re-key everything no problem, or am I missing something
[22:27:10] Gaël (@gaelj:matrix-ga.eljam.es) joined the room.
[22:30:10] Charles (@charles:computer.surgery) left the room.
12 Mar 2025
[02:53:43] xored (@xoredg:matrix.org): Hi everyone, I've been trying to use the path option to decrypt a secret to $home/.config/ntfy/client.yaml, but it is not working. My best guess is that it is not being evaluated?
[02:56:11] elikoga (@elikoga:matrix.org): Are you using straight up "$home"? Either that's not evaluated or placed at the home of the agenix activation script user (probably root?)
[02:56:48] xored (@xoredg:matrix.org): No, I am using an interpolated string
[02:57:07] xored (@xoredg:matrix.org): put that to save typing hahaha
[02:59:13] xored (@xoredg:matrix.org): oh for the love of god, it was the wrong name in cfg = config.modulename that I pasted from another file
[02:59:23] xored (@xoredg:matrix.org): no wonder it did not eval
16 Mar 2025
[12:38:26] memyk (@memyk:matrix.org) joined the room.
18 Mar 2025
[22:47:03] @raijin_:matrix.org:

I'm a little confused on how I use Agenix secrets with multiple machines?

I have Agenix set up on machine A, and a key on machine A was used to create/encrypt the secrets.

I installed NixOS on machine B, and I have generated a new keypair to belong to this machine.

If I add my new public key to secrets.nix, and I designate that this key can read a given secret in .publicKeys, will this work?

I'm struggling to see how a malicious actor couldn't just download the repo, add their keys, and decrypt? The "original" key (on machine A) has to be used to decrypt at some point, right? What am I missing here? Do I just have to share the same keypair across machines? Obviously not, or else why can we configure multiple?
19 Mar 2025
[00:34:28] K900 (@k900:0upti.me): You need to rekey your secrets manually on a machine that can decrypt them
[01:51:37] @raijin_:matrix.org: K900: ok, this enables the secrets to be read by multiple users?
[02:00:16] @raijin_:matrix.org: is https://github.com/oddlama/agenix-rekey recommended?
[06:45:41] K900 (@k900:0upti.me), in reply to @raijin_:matrix.org ("is https://github.com/oddlama/agenix-rekey recommended?"): Not necessarily, depends on your setup
[15:25:22] @raijin_:matrix.org:

K900: this is my current secrets "architecture" https://github.com/GideonWolfe/nix/tree/main/configs/secrets

I did some reorganizing to separate system/user secrets, but I'm not sure how to really make the whole process "seamless" to set up a new machine
20 Mar 2025
[20:23:07] rane [they/them] (@rane:junkyard.systems): raijin_: you'll need the private key for a public key which has "access" to a given age/agenix secret to be able to decrypt it; a public key just allows for encryption, not decryption. So for example, my workflow is that all secrets can be decrypted by the SSH private keys of machines which need them, and also my yubikey's age key (which is stored on the yubikey and has to be plugged in). If I want to add a new host, I do an ssh-keyscan to get the public key, add it to my list of identities, and then rekey everything. My yubikey is sufficient to rekey because if it is plugged in then I have access to a private key which can decrypt the secrets. Does that make sense?
