| 26 Feb 2023 |
michaelsmitth | So now I rekey via
nix run github:ryantm/agenix -- --rekey
| 18:15:11 |
michaelsmitth | Is that right? | 18:15:14 |
ryantm | yep | 18:15:21 |
ryantm | It might not work for secrets you encrypted only with the mainserver key though. | 18:15:48 |
ryantm | You'll have to remake those. | 18:15:57 |
ryantm | It can only rekey the secret if it can decrypt it. | 18:16:22 |
michaelsmitth | Ah, now the sudo nixos-rebuild switch --flake .#mainpc worked. I think because it took the system's private key to decrypt. | 18:17:37 |
michaelsmitth | In reply to @ryantm:matrix.org It might not work for secrets you encrypted only with the mainserver key though. Sorry, I cannot follow. What exactly do you mean? | 18:18:27 |
ryantm | --rekey tries to rekey all the secrets, and it will fail if it tries to rekey a secret that it can't decrypt. It uses your user SSH keys by default to try to decrypt. | 18:20:16 |
michaelsmitth | I did not get an error message for --rekey | 18:21:05 |
michaelsmitth | if that is what you mean | 18:21:09 |
michaelsmitth | Let me try to change the password for the mainserver user and then remotely deploy | 18:22:00 |
michaelsmitth | Also, the top three lines here are required, right?
age.secrets.mainpc-user-password = {
file = ../../secrets/mainpc-user-password.age;
};
users.users.user.passwordFile = config.age.secrets.mainpc-user-password.path;
| 18:23:39 |
ryantm | Yes, those go in your NixOS config. | 18:28:40 |
michaelsmitth | Okay, so I also adjusted the password for the mainserver and then remotely deployed via
sudo nixos-rebuild switch --flake .#mainserver --target-host root@<host-ip>
There were no errors, so everything worked successfully.
Can I not just remove the user = entry in my secrets.nix file in this case? Since the private key is automatically taken from /etc/ssh, I do not really see why I need it in this case.
| 18:30:47 |
michaelsmitth | I understood most of the principles now, but that is the only thing I do not understand yet. | 18:31:23 |
michaelsmitth | I do not know if anyone understands what I mean | 18:41:00 |
ryantm | If you always plan to deploy your secrets from the same machine, you could use that machine's private SSH host key to manage all the secrets, and then you'd need to run agenix commands as root to get access to that secret. | 18:49:57 |
michaelsmitth | In reply to @ryantm:matrix.org If you always plan to deploy your secrets from the same machine, you could use that machine's private SSH host key to manage all the secrets, and then you'd need to run agenix commands as root to get access to that secret. Which agenix command do you mean? | 19:14:18 |
michaelsmitth | agenix -e? | 19:14:31 |
ryantm | Yeah all of them basically. Edit, rekey, decrypt | 19:16:22 |
michaelsmitth | When editing a key, I always get asked for the openssh key. Is that what I need the user for? | 19:17:24 |
michaelsmitth | * When editing a key, I always get asked for the openssh key passphrase. Is that what I need the user for? | 19:17:40 |
ryantm | Yeah. You'd have to use `-i /etc/ssh/...` with all the commands to use the host key. | 19:18:45 |
michaelsmitth | So I just removed the user to test it. When I now do nix run github:ryantm/agenix -- -e mainserver-user-password.age -i /etc/ssh/ssh_host_ed25519_key it tells me Permission denied. | 19:21:35 |
michaelsmitth | Redacted or Malformed Event | 19:21:47 |
michaelsmitth | Should this not work now | 19:23:47 |
michaelsmitth | It also does not work for the other files | 19:25:16 |
michaelsmitth | Error: Permission denied (os error 13)
[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report ]
| 19:27:51 |
ryantm | Try using -v to see what is failing | 19:28:56 |