agenix (381 Members, 100 Servers)
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/
| Sender | Message | Time |
|---|---|---|
| 15 May 2023 | | |
| | appreciate the help! | 18:44:32 |
| 21 May 2023 | | |
| | Is there some way to splat the contents of a file into a new secret without actual copy & paste? Maybe by setting EDITOR appropriately? I've tried a dozen things but can't get it. | 02:16:58 |
| | In reply to @ctx:kungfu-g.rip: `agenix -d input.age \| EDITOR=cat agenix -e output.age` using pipes seems to work for me (given that both input.age and output.age are defined in secrets.age) | 13:20:43 |
| 30 May 2023 | | |
| | What is the purpose of agenix? Can I use it to add ssh keys and password store to my dotfiles git repo? | 22:36:06 |
| | * What is the purpose of agenix? Can I use it to add ssh keys and password store to my dotfiles git repo? Can I add the file secrets.nix and for instance my-server.pub.age and my-server.age files to a folder inside my git repo? | 22:41:55 |
| 31 May 2023 | | |
| | The purpose is to deliver secrets to NixOS machines in a secure and ergonomic manner. | 00:02:50 |
| 9 Jun 2023 | | |
| | I want agenix to store my server secrets in a git repo. The host ssh key is normally used for encryption of the secrets. If I want to reinstall my system in a few months and I want to re-use this git repo with secrets for easier install, how do I handle that with this host ssh key? Do I need to backup the private/public host key? Or is the approach I try to use wrong, maybe I just need to regenerate all secrets and encrypt them with a new host key? Anybody any suggestions for an approach? | 11:42:23 |
| | * I want agenix to store my server secrets in a git repo. The host ssh key is normally used for encryption of the secrets. If I want to reinstall my system in a few months and I want to re-use this git repo with secrets for easier install, how do I handle that with this host ssh key? Do I need to backup the private/public host key? Or is this approach wrong? For example: Do I need to regenerate all secrets and encrypt them with a new host key? Anybody any suggestions for an approach? | 11:43:31 |
| | Either way works. I recommend having at least the host key and your personal SSH key on secrets. That way you can use the rekey feature to add the new host key to the secrets if you go that way. | 12:17:30 |
| | I think I will go for the following steps: If I would mess up by not backing up my private/public keypair, I could still regenerate all secrets, but that would be annoying depending on where it is all used. | 13:19:43 |
| | Sounds fine. Keep in mind you could have two secrets on the key for a short time if that eases the transition. | 13:22:23 |
| | * Sounds fine. Keep in mind you could have two keys on the secrets for a short time if that eases the transition. | 13:22:45 |
| | In reply to @ryantm:matrix.org: I'm not sure I understand. The private keys with which I encrypt the secrets are not part of the secrets, right? I'm actually talking about the situations where my old server is gone (which happens when I reinstall/repartition etc). And I install a NixOS from scratch, and the only thing I have left is the secrets, which are encrypted. In that situation I need to have the key for decrypting. That key is somewhere, and as it is the host key, this one needs to be restored in some way, right? | 13:31:19 |
| | My approach to that is that I have two of my ssh user keys from two different computers included as a recipient for all the secrets. | 21:58:01 |
| | Host keys themselves don't really matter for my ability to edit or rekey the secrets. | 21:58:17 |
| | Which is roughly what I suspect is what Ryan was suggesting. | 21:58:36 |
| | I should probably add a third and put it on a usb key to give to a friend to keep offsite, for that matter. | 21:59:10 |
| 13 Jun 2023 | | |
| | Right. You encrypt to multiple recipients: the host(s) that use the secret, as well as editors that might change the source. | 06:22:55 |