| 26 Feb 2023 |
ryantm | Do you have a ssh key for yourself? In ~.ssh | 01:35:24 |
michaelsmitth | In reply to @ryantm:matrix.org Do you have a ssh key for yourself? In ~.ssh there is only a known_hosts file in there | 01:36:29 |
ryantm | Typically people doing this already have SSH keys. So either you could make some, or you could make an age identity file to use instead. | 01:41:47 |
michaelsmitth | Which method do you recommend? | 01:42:30 |
ryantm | SSH key | 01:42:40 |
michaelsmitth | How would I generate one for my user and how for the system? | 01:42:55 |
ryantm | https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent | 01:43:07 |
ryantm | You shouldn't need to generate it for the system if you have the SSH server running on it. | 01:43:33 |
michaelsmitth | I just need to generate a single one for github? | 01:44:22 |
michaelsmitth | * I just need to generate a single one? | 01:45:12 |
ryantm | Yes | 01:46:16 |
michaelsmitth | Why do I need to provide my email though?
ssh-keygen -t ed25519 -C "your_email@example.com"
| 01:48:37 |
ryantm | You don't. It sometimes helps you keep track of ssh keys to have a comment like that. | 01:50:13 |
michaelsmitth | In reply to @ryantm:matrix.org You don't. It sometimes helps you keep track of ssh keys to have a comment like that. So the command above generates my private key which I use to decrypt everything? | 13:14:38 |
michaelsmitth | Well yeah, I have one .pub and one private | 13:16:55 |
ryantm | Yes. | 13:53:57 |
michaelsmitth | In reply to @ryantm:matrix.org Yes. I have a few questions now.
I generated my public key via
ssh-keygen -t ed25519
And it looks like this:
ssh-ed... ABCDEF.... user@machine
Now I generated all my encrypted .age files which I need.
What is the best way now to use them in my configuration.nix for a user password for instance? Because I see there are multiple ways listed on the GitHub page.
And also, since I only have this ssh private key on my current desktop machine in ~/.ssh, how can I access it on other machines to decrypt the secrets?
| 14:32:17 |
ryantm | Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile the contents of the file need to be hashed with mkpasswd. | 14:40:22 |
ryantm | michaelsmitth: you want to also encrypt the secret with the remote system's public SSH key, that way it can decrypt it. | 14:41:36 |
michaelsmitth | In reply to @ryantm:matrix.org Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile the contents of the file need to be hashed with mkpasswd. Is this how I should do it?
age.secrets.mainpc-user-password = {
file = ../../secrets/mainpc-user-password.age;
};
users.users.user.passwordFile = config.age.secrets.mainpc-user-password.path;
| 14:50:57 |
michaelsmitth | At the moment I get an error No matching keys found for some reason. | 14:51:42 |
michaelsmitth | Both of my ssh keys are in ~/.ssh | 14:51:50 |
michaelsmitth | I do not know why it does not work. This is so complicated 😔 | 14:59:25 |
ryantm | I feel you. The docs and set up are built up on an understanding of how SSH keys are distributed and if you don't come with that knowledge it is going to be hard mode! I should try to write a from scratch tutorial. | 15:03:50 |
michaelsmitth | In reply to @ryantm:matrix.org I feel you. The docs and set up are built up on an understanding of how SSH keys are distributed and if you don't come with that knowledge it is going to be hard mode! I should try to write a from scratch tutorial. Do you have any ideas why my config is not working? I am quite sure that I did everything right | 15:04:16 |
ryantm | Do you have an SSH server running on the machine you want to deploy the secrets to? | 15:04:40 |
michaelsmitth | How do I know if I have that running? | 15:04:56 |
ryantm | Probably not then. You could tell by looking at the process list for a program called sshd. | 15:05:48 |
ryantm | How many computers are in your setup right now? | 15:06:11 |
michaelsmitth | In reply to @ryantm:matrix.org How many computers are in your setup right now? two | 15:06:18 |