| 26 Feb 2023 |
 ryantm | You shouldn't need to generate it for the system if you have the SSH server running on it. | 01:43:33 |
 michaelsmitth | I just need to generate a single one for github? | 01:44:22 |
| michaelsmitth | * I just need to generate a single one? | 01:45:12 |
| ryantm | Yes | 01:46:16 |
| michaelsmitth | Why do I need to provide my email though?
ssh-keygen -t ed25519 -C "your_email@example.com"
| 01:48:37 |
| ryantm | You don't. It sometimes helps you keep track of ssh keys to have a comment like that. | 01:50:13 |
| michaelsmitth | In reply to @ryantm:matrix.org
You don't. It sometimes helps you keep track of ssh keys to have a comment like that. So the command above generates my private key which I use to decrypt everything? | 13:14:38 |
| michaelsmitth | Well yeah, I have one .pub and one private | 13:16:55 |
| ryantm | Yes. | 13:53:57 |
| michaelsmitth | In reply to @ryantm:matrix.org
Yes. I have a few questions now.
I generated my public key via
ssh-keygen -t ed25519
And it looks like this:
ssh-ed... ABCDEF.... user@machine
Now I generated all my encrypted .age files which I need.
What is the best way now to use them in my configuration.nix for a user password for instance? Because I see there are multiple ways listed on the GitHub page.
And also, since I only have this ssh private key on my current desktop machnine in ~/.ssh, how can I access it on other machines to decrypt the secrets?
| 14:32:17 |
| ryantm | Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile the contents of the file need to hashed with mkpasswd. | 14:40:22 |
| ryantm | michaelsmitth: you want to also encrypt the secret with the remote system's public SSH key, that way it can decrypt it. | 14:41:36 |
| michaelsmitth | In reply to @ryantm:matrix.org
Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile the contents of the file need to hashed with mkpasswd. Is this how I should do it?
age.secrets.mainpc-user-password = {
file = ../../secrets/mainpc-user-password.age;
};
users.users.user.passwordFile = config.age.secrets.mainpc-user-password.path;
| 14:50:57 |
| michaelsmitth | At the moment I get an error No matching keys found for some reason. | 14:51:42 |
| michaelsmitth | Both of my ssh keys are in ~/.ssh | 14:51:50 |
| michaelsmitth | I do not know why it does not work. This is so complicated 😔 | 14:59:25 |
| ryantm | I feel you. The docs and set up are built up on an understanding of how SSH keys are distributed and if you don't come with that knowledge it is going to be hard mode! I should try to write a from scratch tutorial. | 15:03:50 |
| michaelsmitth | In reply to @ryantm:matrix.org
I feel you. The docs and set up are built up on an understanding of how SSH keys are distributed and if you don't come with that knowledge it is going to be hard mode! I should try to write a from scratch tutorial. Do you have any ideas why my config is not working? I am quite sure that I did everything right | 15:04:16 |
| ryantm | Do you have an SSH server running on the machine you want to deploy the secrets to? | 15:04:40 |
| michaelsmitth | How do I know if I have that running? | 15:04:56 |
| ryantm | Probably not then. You could tell by looking at the process list for a program called sshd. | 15:05:48 |
| ryantm | How many computers are in your setup right now? | 15:06:11 |
| michaelsmitth | In reply to @ryantm:matrix.org
How many computers are in your setup right now? two | 15:06:18 |
| michaelsmitth | the server and the desktop | 15:06:23 |
| michaelsmitth | I enabled openssh | 15:06:28 |
| michaelsmitth | for remote connections | 15:06:35 |
| michaelsmitth | I want to self host some stuff, that is why I need a good way to store secrets securely | 15:07:38 |
| ryantm | Great. And which computer has your NixOS expressions for configuring things? | 15:08:19 |
| michaelsmitth | In reply to @ryantm:matrix.org
Great. And which computer has your NixOS expressions for configuring things? My setup and idea is basically like this:
I have a shared.nix config which gives both machines the same one user. Then I have two differnet nixosConfigurations, one for my mainpc and one for my mainserver. If I want to change some config on the mainserver, I would edit my nixos-config on the mainpc and then deploy the changes to the mainserver remotely via the command sudo nixos-rebuild switch --flake .#mainserver --target-host root@ip
| 15:10:30 |
| ryantm | Sounds good. Can you share what your secrets.nix file looks like? | 15:12:09 |
