| 26 Feb 2023 |
 ryantm | Yes, those go in your NixOS config. | 18:28:40 |
 michaelsmitth | Okay, so I also adjusted the password for the mainserver and then remotely deployed via
sudo nixos-rebuild switch --flake .#mainserver --target-host root@<host-ip>
There were no errors, so everything worked successfully.
Can I not just remove the user = entry in my secrets.nix file in this case? Since the private key is automatically taken from /etc/ssh, I do not really see why I need it in this case.
| 18:30:47 |
| michaelsmitth | I understood most of the principles now, but that is the only thing I do not understand yet. | 18:31:23 |
| michaelsmitth | I do not know if anyone understands what i mean | 18:41:00 |
| ryantm | If you always plan to deploy your secrets from the same machine, you could use that machines private ssh host key to manage all the secrets, and then you'd need to run agenix commands as root, to get access to that secret. | 18:49:57 |
| michaelsmitth | In reply to @ryantm:matrix.org
If you always plan to deploy your secrets from the same machine, you could use that machines private ssh host key to manage all the secrets, and then you'd need to run agenix commands as root, to get access to that secret. Which agenix command do you mean? | 19:14:18 |
| michaelsmitth | agenix -e? | 19:14:31 |
| ryantm | Yeah all of them basically. Edit, rekey, decrypt | 19:16:22 |
| michaelsmitth | When editing a key, I always get asked for the openssh key. Is that what I need the user for? | 19:17:24 |
| michaelsmitth | * When editing a key, I always get asked for the openssh key passphrase. Is that what I need the user for? | 19:17:40 |
| ryantm | Yeah. You'd have to use `-i /etc/ssh/...` with all the commands to use the host key. | 19:18:45 |
| michaelsmitth | So I just removed the user to test it. When I now do nix run github:ryantm/agenix -- -e mainserver-user-password.age -i /etc/ssh/ssh_host_ed25519_key it tells me Permission denied. | 19:21:35 |
| michaelsmitth | Redacted or Malformed Event | 19:21:47 |
| michaelsmitth | Should this not work now | 19:23:47 |
| michaelsmitth | It also does not work for the other files | 19:25:16 |
| michaelsmitth | Error: Permission denied (os error 13)
[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report
| 19:27:51 |
| ryantm | Try using -v to see what is failing | 19:28:56 |
| michaelsmitth | The output is quite cryptic | 19:29:47 |
| michaelsmitth | When I run with sudo:
/nix/store/smy2vqg1mg2nfwmcx2yqyr7af82cfdac-agenix-0.13.0/bin/agenix: line 162: EDITOR: unbound variable
| 19:30:42 |
| michaelsmitth | So that seems to work, but the EDITOR environment variable causes some trouble | 19:32:12 |
 cole-h | Try `sudo -E` | 19:33:02 |
| michaelsmitth | $HOME ('/home/user') is not owned by you, falling back to the one defined in the 'passwd' file ('/root')
Do i need chown 777?
| 19:33:44 |
| michaelsmitth | but weird that it is not owned by me | 19:34:16 |
| michaelsmitth |
- without capital
E it works. -e
| 19:36:20 |
| michaelsmitth | So it seems like I can edit all the files like this ryantm:
sudo -e nix run github:ryantm/agenix -- -e mainserver-user-password.age -i /etc/ssh/ssh_host_ed25519_key
| 19:37:47 |
| ryantm | Nice. I'm glad this edge case works somehow. | 19:38:46 |
| michaelsmitth | I just wonder how I am able to edit the ones from the mainserver | 19:39:03 |
| michaelsmitth | because:
let
mainpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6Tk94ilarqQZZ36ZWEi5U14nQwS/bqHkkTt7BOWxX0 root@mainpc";
mainserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHugugwi3IeKQ74mNbP50YrU9gfspmhgUWF7WDTCrjo3 root@mainserver";
systems = [ mainpc mainserver ];
in
{
"mainpc-root-password.age".publicKeys = [ mainpc ];
"mainpc-user-password.age".publicKeys = [ mainpc ];
"mainserver-root-password.age".publicKeys = [ mainserver ];
"mainserver-user-password.age".publicKeys = [ mainserver ];
"mainserver-postgres-password.age".publicKeys = [ mainserver ];
}
because I did not give permission
| 19:40:07 |
| michaelsmitth | * because:
let
mainpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6Tk94ilarqQZZ36ZWEi5U14nQwS/bqHkkTt7BOWxX0 root@mainpc";
mainserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHugugwi3IeKQ74mNbP50YrU9gfspmhgUWF7WDTCrjo3 root@mainserver";
systems = [ mainpc mainserver ];
in
{
"mainpc-root-password.age".publicKeys = [ mainpc ];
"mainpc-user-password.age".publicKeys = [ mainpc ];
"mainserver-root-password.age".publicKeys = [ mainserver ];
"mainserver-user-password.age".publicKeys = [ mainserver ];
"mainserver-postgres-password.age".publicKeys = [ mainserver ];
}
I did not give mainpc permission to do that
| 19:40:26 |
| ryantm | If you look at the .age file in a text editor you can see what identities can decrypt the file. | 19:41:43 |
