| 21 Sep 2023 |
| dedmunwalk joined the room. | 23:06:27 |
| 22 Sep 2023 |
willmckinnon | I'm trying to encrypt my user password with my user's public key, however it fails because I need to set age.identityPaths, but wouldn't that be set to point to the /etc/ssh directory, where system keys would live? | 04:04:29 |
willmckinnon | I'm confused because if I've encrypted it with the user key, wouldn't it want to check the ~/.ssh directory, where the user private key is? | 04:07:24 |
willmckinnon | That said, I don't want to set the identityPaths to the user key directory because I also want to encrypt some keys with the system key | 04:08:18 |
uep | agenix decryption is done by system keys | 04:15:03 |
uep | you add user keys as well, but those are used when editing the secrets | 04:15:27 |
uep | the system needs to decrypt the user password in order to set it, perhaps when creating the user, and the home dir may not even exist yet | 04:16:13 |
stelcodes | > I'm trying to encrypt my user password with my user's public key, however it fails because I need to set age.identityPaths, but wouldn't that be set to point to the /etc/ssh directory, where system keys would live?
Do you have `services.openssh.enable = true;` in your config? | 04:20:43 |
uep | I think they've encrypted it only with the user key, and not the system key, so it's not finding a suitable private key in the paths | 04:40:45 |
uep | willmckinnon: if that doesn't already solve it for you, can you share some of your config for secrets.nix (the pubkeys for that secret) and where you're using it in configuration (I assume users.users.<you>.passwordFile = …) | 04:50:22 |
willmckinnon | In reply to @stelcodes:matrix.org
> I'm trying to encrypt my user password with my user's public key, however it fails because I need to set age.identityPaths, but wouldn't that be set to point to the /etc/ssh directory, where system keys would live?
> Do you have services.openssh.enable = true; in your config?
No, I'm using this machine just as a client, don't have a use case to ssh into it | 05:00:19 |
willmckinnon | In reply to @uep:matrix.org
> agenix decryption is done by system keys
I see, why can we specify user keys then? Trying to understand some of the design choices | 05:01:17 |
willmckinnon | In the readme for example, it shows the user keys being used for a file in a secrets.nix | 05:01:40 |
uep | so the age cli can decrypt them when you edit the secrets | 05:01:49 |
willmckinnon | So it's for the age cli, not the system config? | 05:02:13 |
uep | exactly | 05:02:25 |
willmckinnon | I see, thanks | 05:02:32 |
uep | You can generate a host key (ssh or otherwise) and use that, without needing to have ssh service running all the time | 05:03:39 |
willmckinnon | Yup! That's what I had been doing, just hadn't realized we needed to explicitly specify its location (and that it had to be used over a user key) | 05:04:30 |
uep | good pickup that this is why the path doesn't exist (and there's probably not a system key to use at all yet) | 05:04:42 |
willmckinnon | one more question, more about Nix probably and less about agenix
let
systemServer = builtins.readFile ../hosts/server/ssh_host_ed25519_key.pub;
in
{
"rootPassword.age".publicKeys = [ systemServer ];
}
results in error: cannot convert a thunk to JSON. Where am I going wrong here? For organization I thought I'd store my public host keys in a folder along with the host config
| 05:05:36 |
uep | you probably want to put that in a string context to make it evaluate … = [ "${systemServer}" ] | 05:07:25 |
uep | but I'm not sure exactly | 05:07:31 |
willmckinnon | hmm, still getting the same error, maybe I'll try in the NixOS Matrix room | 05:08:25 |
willmckinnon | thanks anyway! | 05:08:28 |
stelcodes | Is that text in a file called secrets.nix in the cwd? I don't see anything wrong with that code. | 05:21:26 |
uep | likely answer has been found in the main channel, I'll let willmckinnon relay back here | 05:25:17 |
uep | makes sense to me though | 05:25:32 |
uep | as for the confusion about the purpose of adding user keys, I wonder if calling the variable editors rather than users in the example config would help? | 05:28:09 |