| 26 Feb 2023 |
ryantm | age.identityPaths = [ "/home/username/.ssh/id_ed25519" ]; | 17:51:08 |
michaelsmitth | In reply to @ryantm:matrix.org Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. So there are system and user keys? | 17:51:17 |
ryantm | Technically, no, but that's the way I encourage people to set it up. | 17:52:48 |
michaelsmitth | Could I have one user key which I use on all the systems, or should I have one system key for each machine? | 17:53:01 |
michaelsmitth | * Could I have one user key which I use on all the machines, or should I have one system key for each machine? | 17:53:07 |
michaelsmitth | Because someone told me I need only a single key | 17:53:31 |
ryantm | For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. In this case it seems to make sense to just have one system key for each machine in /etc/ssh | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. Yes, so two system keys. One for each machine in /etc/ssh, right? What is the point of the user key then? | 17:55:28 |
ryantm | Let's say you have a secret specific to one machine; you don't want to have to manage encrypting the secrets on that machine. | 17:57:23 |
ryantm | That would defeat the point of remotely managing your configuration. | 17:58:09 |
michaelsmitth | Okay, yes.
So the general plan would be:
- Create a system key for each machine in /etc/ssh
- Create one "user key" which allows me to remotely encrypt / decrypt from one machine on another
Do I get that right?
| 17:59:33 |
michaelsmitth | * Okay, yes.
So the general plan would be:
- Create a system key for each machine in /etc/ssh
- Create one "user key" which allows me to remotely encrypt / decrypt from one machine on another. This would be stored in ~/.ssh
Do I get that right?
| 18:00:00 |
ryantm | Yes, except you don't need to create the keys in /etc/ssh/; they'll automatically be generated the first time the SSH server starts on that machine. | 18:01:01 |
michaelsmitth | I assume that is the ssh_host_ed25519_key? | 18:01:53 |
ryantm | yep | 18:02:14 |
cole-h | Or rsa | 18:02:24 |
michaelsmitth | What is the difference between the two? | 18:02:41 |
cole-h | The encryption algorithm. ed25519 allows for a smaller key with the same (or better) security iirc | 18:03:37 |
cole-h | rsa is "tried and true" | 18:03:46 |
michaelsmitth | Oh, so ed25519 is the newer and better one | 18:06:09 |
cole-h | Better is kinda subjective, but it is newer, yes | 18:06:35 |
cole-h | * Better is kinda subjective, but it is relatively newer, yes | 18:06:44 |
michaelsmitth | Okay, so I think this should be correct now:
let
  # user key (~/.ssh): lets me encrypt/decrypt remotely from my own machine
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs9nuz0TVj/4mn6q8arUL2nMxO6W9RqarlM61sQynXo user@mainpc";
  users = [ user ];
  # system keys (/etc/ssh host keys): each machine decrypts its own secrets at activation
  mainpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6Tk94ilarqQZZ36ZWEi5U14nQwS/bqHkkTt7BOWxX0 root@mainpc";
  mainserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHugugwi3IeKQ74mNbP50YrU9gfspmhgUWF7WDTCrjo3 root@mainserver";
  systems = [ mainpc mainserver ];
in
{
  # each secret is encrypted for the user key plus the one host that needs it
  "mainpc-root-password.age".publicKeys = [ user mainpc ];
  "mainpc-user-password.age".publicKeys = [ user mainpc ];
  "mainserver-root-password.age".publicKeys = [ user mainserver ];
  "mainserver-user-password.age".publicKeys = [ user mainserver ];
  "mainserver-postgres-password.age".publicKeys = [ user mainserver ];
}
| 18:10:01 |
ryantm | Yeah, that looks pretty reasonable. On my systems, the user-password is the same among systems, so I have an entry like:
"passwordfile-ryantm.age".publicKeys = [ryantm] ++ systems;
| 18:13:47 |
michaelsmitth | Yeah, that is not the case for me. I have different ones for each system. But the same general user in shared.nix | 18:14:31 |
michaelsmitth | Just with different passwords | 18:14:45 |
ryantm | looks good then | 18:15:00 |
michaelsmitth | So now I rekey via
nix run github:ryantm/agenix -- --rekey
| 18:15:11 |
michaelsmitth | Is that right? | 18:15:14 |