| 9 Jun 2023 |
treed | Which is roughly what I suspect Ryan was suggesting | 21:58:36 |
treed | I should probably add a third and put it on a usb key to give to a friend to keep offsite, for that matter. | 21:59:10 |
| 10 Jun 2023 |
| 11 Jun 2023 |
| 13 Jun 2023 |
uep | Right. You encrypt to multiple recipients, the host(s) that use the secret, as well as editors that might change the source. | 06:22:55 |
uep | Adding a dedicated "recovery" key is a fine idea if you want to manage things that way. | 06:24:40 |
| 14 Jun 2023 |
bjrnmrtns | Thanks. I was a bit confused. Now I understand, the public keys defined in secrets.nix are the public keys agenix/age uses to encrypt. If there are multiple you can rekey for all age files if you have multiple keys for those. | 16:44:54 |
Ilan Joselevich (Kranzes) | https://github.com/Foxboron/age-plugin-tpm | 16:59:20 |
Ilan Joselevich (Kranzes) | Pretty cool | 16:59:24 |
Ilan Joselevich (Kranzes) | How does homeage compare to agenix when it comes to home-manager support? | 17:10:37 |
Ilan Joselevich (Kranzes) | In reply to @kranzes:matrix.org https://github.com/Foxboron/age-plugin-tpm https://github.com/NixOS/nixpkgs/pull/237801 | 18:27:32 |
| 16 Jun 2023 |
bjrnmrtns | I am considering the following steps for bootstrapping a new system, e.g. reinstalling and restoring the secrets which are stored in a git repo encrypted with agenix. The git secrets repo is not "up" yet during this bootstrap, as it will be served from this same final system.
Context:
- I have one server only which runs everything
- This server contains a gitolite agenix secrets repo
- All gitolite repos are backed up, not mirrored
- At some point this server needs a clean reinstall
- This reinstall depends on the secrets git repo
Just before reinstalling I have the following:
- I made a backup of the git secrets repo (using git bundle create)
- I have a private/public keypair somewhere which I can use to rekey
Steps to reinstall:
- Create a two-step install using flakes, e.g. defining two hosts (bootstrap-<host> and <host> with the same hostname). The bootstrap version is a minimal version of the normal one.
- The first step does not need any secrets, but will install from ISO and include all packages for agenix / git / ssh etc. (just the bare minimum); also partitions are created and the basic system is installed, and a git server will be up (gitolite), but will not contain a secrets repo yet. bootstrap-<host> can be built.
- In the second step, the secrets backup is restored into the git server and new ssh keypairs are added to secrets.nix and rekeying is done using the ssh keypair we still have somewhere. Finally <host> is built and this build can use secrets and we are done.
What are your thoughts on this? Is this overcomplicated, can this be done in one step?
| 07:06:28 |
| 18 Jun 2023 |
| 19 Jun 2023 |
ryantm | Sounds reasonable | 03:22:08 |
| 20 Jun 2023 |
gigahawk | I have a question about the system keys shown in the readme, currently I have the "virtualbox" key pointing to my host key under /etc/ssh, but it doesn't seem to be picked up? | 06:28:42 |
gigahawk | what are the system keys supposed to be? | 06:28:56 |
gigahawk | should I just be treating an ssh key associated with the root account as the system key? | 06:29:22 |