| 26 Feb 2023 |
ryantm | For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org Oh, okay. You don't in that situation. But you would need to change age.identityPaths for mainpc to have the path to your user's SSH private key. By default it only looks for the keys in the /etc/ssh directory. In this case it seems to make sense to just have one system key for each machine in /etc/ssh | 17:54:32 |
michaelsmitth | In reply to @ryantm:matrix.org For every secret you want to decrypt on a machine, you must have a private key/identity file that the secret was encrypted for present on that machine. Yes, so two system keys. One for each machine in /etc/ssh, right? What is the point of the user key then? | 17:55:28 |
ryantm | Let's say you have a secret specific to one machine; you don't want to have to manage encrypting the secrets on that machine. | 17:57:23 |
ryantm | That would defeat the point of remotely managing your configuration. | 17:58:09 |
michaelsmitth | Okay, yes.
So the general plan would be:
- Create a system key for each machine in /etc/ssh
- Create one "user key" which allows me to remotely encrypt / decrypt from one machine on another
Do I get that right?
| 17:59:33 |
michaelsmitth | * Okay, yes.
So the general plan would be:
- Create a system key for each machine in /etc/ssh
- Create one "user key" which allows me to remotely encrypt / decrypt from one machine on another. This would be stored in ~/.ssh
Do I get that right?
| 18:00:00 |
ryantm | Yes, except you don't need to create the keys in /etc/ssh/; they'll automatically be generated the first time the SSH server starts on that machine. | 18:01:01 |
michaelsmitth | I assume that is the ssh_host_ed25519_key? | 18:01:53 |
ryantm | yep | 18:02:14 |
cole-h | Or rsa | 18:02:24 |
michaelsmitth | What is the difference between the two? | 18:02:41 |
cole-h | The encryption algorithm. ed25519 allows for a smaller key with the same (or better) security iirc | 18:03:37 |
cole-h | rsa is "tried and true" | 18:03:46 |
michaelsmitth | Oh, so ed25519 is the newer and better one | 18:06:09 |
cole-h | Better is kinda subjective, but it is newer, yes | 18:06:35 |
cole-h | * Better is kinda subjective, but it is relatively newer, yes | 18:06:44 |
michaelsmitth | Okay, so I think this should be correct now:
let
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs9nuz0TVj/4mn6q8arUL2nMxO6W9RqarlM61sQynXo user@mainpc";
  users = [ user ];
  mainpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6Tk94ilarqQZZ36ZWEi5U14nQwS/bqHkkTt7BOWxX0 root@mainpc";
  mainserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHugugwi3IeKQ74mNbP50YrU9gfspmhgUWF7WDTCrjo3 root@mainserver";
  systems = [ mainpc mainserver ];
in
{
  "mainpc-root-password.age".publicKeys = [ user mainpc ];
  "mainpc-user-password.age".publicKeys = [ user mainpc ];
  "mainserver-root-password.age".publicKeys = [ user mainserver ];
  "mainserver-user-password.age".publicKeys = [ user mainserver ];
  "mainserver-postgres-password.age".publicKeys = [ user mainserver ];
}
| 18:10:01 |
ryantm | Yeah, that looks pretty reasonable. On my systems, the user-password is the same among systems, so I have an entry like:
"passwordfile-ryantm.age".publicKeys = [ryantm] ++ systems;
| 18:13:47 |
michaelsmitth | Yeah, that is not the case for me. I have different ones for each system. But the same general user in shared.nix | 18:14:31 |
michaelsmitth | Just with different passwords | 18:14:45 |
ryantm | looks good then | 18:15:00 |
michaelsmitth | So now I rekey via
nix run github:ryantm/agenix -- --rekey
| 18:15:11 |
michaelsmitth | Is that right? | 18:15:14 |
ryantm | yep | 18:15:21 |
ryantm | It might not work for secrets you encrypted only with the mainserver key though. | 18:15:48 |
ryantm | You'll have to remake those. | 18:15:57 |
ryantm | It can only rekey the secret if it can decrypt it. | 18:16:22 |
michaelsmitth | Ah, now the sudo nixos-rebuild switch --flake .#mainpc worked. I think because it took the system's private key to decrypt | 18:17:37 |
michaelsmitth | In reply to @ryantm:matrix.org It might not work for secrets you encrypted only with the mainserver key though. Sorry, I cannot follow. What exactly do you mean? | 18:18:27 |