| 29 Oct 2023 |
| 31 Oct 2023 |
peter-lustig | If I have two hosts, a laptop and a personal computer, that should both be able to do remote deployments to a server, what should the top section of this secrets.nix file look like? I do the deployments with nixos-rebuild --target-host, and I am a bit confused about how I would achieve this:
let
  server = "";
in
{
  "hedgedoc-environment-file.age".publicKeys = [ server ];
  "discord-bot-token.age".publicKeys = [ server ];
}
| 09:15:32 |
K900 ⚡️ | The server's SSH host key | 09:20:56 |
peter-lustig | In reply to @k900:0upti.me The server's SSH host key Just the public key of the server? | 09:23:36 |
K900 ⚡️ | Yes | 09:23:44 |
peter-lustig | But if I want to do remote deployments, do I not need the public keys of the machines as well? | 09:24:09 |
peter-lustig | Laptop and PC | 09:24:12 |
K900 ⚡️ | No | 09:24:19 |
K900 ⚡️ | Well | 09:24:21 |
K900 ⚡️ | It depends on whether you want to edit those files in the future | 09:24:31 |
peter-lustig | In reply to @k900:0upti.me It depends on whether you want to edit those files in the future I guess I would just SSH onto the server and then do the agenix -e stuff | 09:24:51 |
K900 ⚡️ | You can always reencrypt to the server's host key if you want | 09:24:56 |
K900 ⚡️ | You just won't be able to decrypt the existing contents not on the server | 09:25:12 |
jeroen | In reply to @k900:0upti.me No How would it work then? I thought it might use the ssh-agent, but this confirms my suspicion, thank you! | 09:33:47 |
peter-lustig | K900 ⚡️: I got
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
decrypting '/nix/store/426r27dfbgqaw3kn8sa78xk25148rbvb-hedgedoc-environment-file.age' to '/run/agenix.d/1/hedgedoc-environment-file'...
Error: No matching keys found
on my server
| 22:47:50 |
peter-lustig | But the server public key and the user public key are stored in secrets.nix | 22:48:03 |
peter-lustig | So I don't know why it does not work | 22:48:26 |
peter-lustig | Can you help me, ryantm? | 22:48:30 |
peter-lustig | I created the secret on my desktop machine with agenix -e hedgedoc-environment-file.age and then deployed it to the server with nixos-rebuild --target-host, and secrets.nix has both the server public key and the PC public key | 22:49:27 |
ryantm | If you look at the .age file in the store, you should be able to see which keys it is encrypted with. | 22:49:58 |
ryantm | Can you share your secrets.nix file? | 22:50:58 |
peter-lustig | In reply to @ryantm:matrix.org Can you share your secrets.nix file? Yes | 22:51:04 |