| 16 Jan 2024 |
n3v3r_a9a1n | In reply to @oddlama:matrix.org Please excuse the self-promotion; Since I had the same problem myself I made https://github.com/oddlama/agenix-rekey to allow storing secrets encrypted for a yubikey and have them rekeyed for hosts automatically. It sounds like this might also be useful for your usecase :) I already saw it. Again, what does it do besides password generation and using a yubikey? How is it different from the regular age-yubikey-plugin? | 03:14:31 |
oddlama | It is built on top of age plugin yubikey and agenix, it replaces neither. The difference is that it allows you to use a yubikey encrypted secret in your configuration and have it automatically rekeyed for the host's ssh key. Meaning you don't have to store any secrets encrypted for your host pubkeys in your repository. | 11:39:46 |
Ilan Joselevich (Kranzes) | But there's a catch, you can't build the system closure for any system | 13:15:26 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org But there's a catch, you can't build the system closure for any system ? System closure? | 13:26:19 |
Ilan Joselevich (Kranzes) | the top level derivation of a nixos system | 13:29:41 |
oddlama | In reply to @kranzes:matrix.org But there's a catch, you can't build the system closure for any system True, not automatically including the secrets of course. But you can build it with dummy secrets in a CI if you want to set up a cache or something. | 13:30:51 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org the top level derivation of a nixos system You mean like the first deploy? | 14:27:23 |
Ilan Joselevich (Kranzes) | No | 14:27:35 |
Ilan Joselevich (Kranzes) | i mean nixosConfigurations.X.config.system.build.toplevel | 14:27:59 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org i mean nixosConfigurations.X.config.system.build.toplevel (Time for a joke) It says "This site can't be reached" | 14:39:37 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org i mean nixosConfigurations.X.config.system.build.toplevel I don't even know if I'm using it | 14:40:26 |
Ilan Joselevich (Kranzes) | You are. | 14:40:41 |
Ilan Joselevich (Kranzes) | All NixOS machines have that derivation | 14:40:52 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org All NixOS machines have that derivation So, what basically are the restrictions I would have by using agenix-rekey? Tbh, I don't completely understand what it really does (I forgot to reply to oddlama to clarify) | 14:44:26 |
Ilan Joselevich (Kranzes) | The restrictions are that you can't build a nixos system from another computer that can't decrypt the secrets | 14:45:12 |
Ilan Joselevich (Kranzes) | Which is an impurity on its own | 14:45:19 |
oddlama | Sure, secret rekeying is fundamentally an impurity | 14:49:57 |
n3v3r_a9a1n | In reply to @kranzes:matrix.org The restrictions are that you can't build a nixos system from another computer that can't decrypt the secrets Thank you for your effort trying to explain this to me, but I'm feeling that now I have even more dumb questions than before. It seems like I don't really understand how agenix or sops work, I need to get more understanding of them before trying to understand some difference here | 14:52:05 |
| 17 Jan 2024 |
gigahawk | Does anyone have experience with using agenix on SBCs like an RPi?
I'd like to be able to build an SD card image that can be flashed and booted without any further intervention (i.e. no logging in over ssh or something to update the host key) | 04:31:11 |
gigahawk | I'm thinking something like:
- generate host key on my build machine
- build the image
- inject the key into the image
- flash onto SD and everything should just work
| 04:31:58 |
gigahawk | and then I guess delete all local artifacts for security etc. | 04:32:36 |
n3v3r_a9a1n | In reply to @gigahawk:matrix.org
I'm thinking something like:
- generate host key on my build machine
- build the image
- inject the key into the image
- flash onto SD and everything should just work
Can't you just inject the key declaratively? | 04:34:12 |
gigahawk | well I don't really want to have the key stored anywhere other than the final image before flashing | 04:35:06 |
gigahawk | and it can't itself be an agenix secret because I'm building from a non-NixOS machine | 04:35:44 |
n3v3r_a9a1n | In reply to @gigahawk:matrix.org well I don't really want to have the key stored anywhere other than the final image before flashing Oh, yeah, right | 04:36:05 |