| 26 Feb 2023 |
michaelsmitth | the server and the desktop | 15:06:23 |
michaelsmitth | I enabled openssh | 15:06:28 |
michaelsmitth | for remote connections | 15:06:35 |
michaelsmitth | I want to self-host some stuff; that is why I need a good way to store secrets securely | 15:07:38 |
ryantm | Great. And which computer has your NixOS expressions for configuring things? | 15:08:19 |
michaelsmitth | In reply to @ryantm:matrix.org Great. And which computer has your NixOS expressions for configuring things? My setup and idea is basically like this:
I have a shared.nix config which gives both machines the same one user. Then I have two different nixosConfigurations, one for my mainpc and one for my mainserver. If I want to change some config on the mainserver, I would edit my nixos-config on the mainpc and then deploy the changes to the mainserver remotely via the command `sudo nixos-rebuild switch --flake .#mainserver --target-host root@ip`
| 15:10:30 |
ryantm | Sounds good. Can you share what your secrets.nix file looks like? | 15:12:09 |
michaelsmitth | yes, of course. I have to go in a bit though. Can you continue talking with me in about 2 hours as well? | 15:12:35 |
michaelsmitth | I can just share the public key right? that does not harm me, does it? | 15:13:07 |
ryantm | Yep | 15:13:35 |
michaelsmitth | Here is my secrets.nix file:
let
  # SSH public key of the user who manages the secrets
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs9nuz0TVj/4mn6q8arUL2nMxO6W9RqarlM61sQynXo user@mainpc";
  users = [ user ];
in
{
  # each secret lists the public keys it is encrypted for
  "mainpc-root-password.age".publicKeys = [ user ];
  "mainpc-user-password.age".publicKeys = [ user ];
  "mainserver-user-password.age".publicKeys = [ user ];
  "mainserver-postgres-password.age".publicKeys = [ user ];
}
| 15:14:11 |
ryantm | Okay you need to also include the ssh public key of mainserver in those. The user key is supposed to just be for you managing the secrets. | 15:15:12 |
ryantm | So run ssh-keyscan on mainserver and add it there too. | 15:15:37 |
ryantm | Then you can do `agenix -r` to update the encrypted files. | 15:16:11 |
michaelsmitth | Okay, I have to go for about 2 hours now. When I am finished I will ping you and continue to try to get it working 😃 | 15:16:46 |
| johndoe1308 joined the room. | 17:12:02 |
michaelsmitth | Okay, I am back ryantm.
Now why do I need another key on the mainserver? I currently only changed the password of my mainpc configuration to the mainpc-user-password.age. After that I ran sudo nixos-rebuild switch --flake .#mainpc.
| 17:46:59 |
michaelsmitth | * Okay, I am back ryantm.
Now why do I need another key on the mainserver? I currently only changed the password of my user inside the mainpc configuration to the mainpc-user-password.age. After that I ran sudo nixos-rebuild switch --flake .#mainpc.
| 17:47:31 |
ryantm | Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. | 17:50:30 |
ryantm | age.identityPaths = [ "/home/username/.ssh/id_ed25519" ]; | 17:51:08 |
michaelsmitth | In reply to @ryantm:matrix.org Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. So there are system and user keys? | 17:51:17 |
ryantm | Technically, no, but that's the way I encourage people to set it up. | 17:52:48 |
michaelsmitth | Could I have one user key which I use on all the systems, or should I have one system key for each machine? | 17:53:01 |
michaelsmitth | * Could I have one user key which I use on all the machines, or should I have one system key for each machine? | 17:53:07 |
michaelsmitth | Because someone told me I need only a single key | 17:53:31 |
ryantm | For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. In this case it seems to make sense to just have one system key for each machine in /etc/ssh | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. Yes, so two system keys. One for each machine in /etc/ssh, right? What is the point of the user key then? | 17:55:28 |
ryantm | Let's say you have a secret specific to one machine. You don't want to have to manage encrypting the secrets on that machine. | 17:57:23 |
ryantm | That would defeat the point of remotely managing your configuration. | 17:58:09 |