| 26 Feb 2023 |
cole-h | rsa is "tried and true" | 18:03:46 |
michaelsmitth | Oh, so ed25519 is the newer and better one | 18:06:09 |
cole-h | Better is kinda subjective, but it is newer, yes | 18:06:35 |
cole-h | * Better is kinda subjective, but it is relatively newer, yes | 18:06:44 |
michaelsmitth | Okay, so I think this should be correct now:
let
  # The user's own SSH public key (used when editing/rekeying secrets)
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs9nuz0TVj/4mn6q8arUL2nMxO6W9RqarlM61sQynXo user@mainpc";
  users = [ user ];
  # SSH host public keys of the machines that will decrypt secrets at boot
  mainpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6Tk94ilarqQZZ36ZWEi5U14nQwS/bqHkkTt7BOWxX0 root@mainpc";
  mainserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHugugwi3IeKQ74mNbP50YrU9gfspmhgUWF7WDTCrjo3 root@mainserver";
  systems = [ mainpc mainserver ];
in
{
  # Each secret is encrypted to the user key plus the host key of the machine that needs it
  "mainpc-root-password.age".publicKeys = [ user mainpc ];
  "mainpc-user-password.age".publicKeys = [ user mainpc ];
  "mainserver-root-password.age".publicKeys = [ user mainserver ];
  "mainserver-user-password.age".publicKeys = [ user mainserver ];
  "mainserver-postgres-password.age".publicKeys = [ user mainserver ];
}
| 18:10:01 |
ryantm | Yeah, that looks pretty reasonable. On my systems, the user-password is the same among systems, so I have an entry like:
"passwordfile-ryantm.age".publicKeys = [ryantm] ++ systems;
| 18:13:47 |
michaelsmitth | Yeah, that is not the case for me. I have different ones for each system. But the same general user in shared.nix | 18:14:31 |
michaelsmitth | Just with different passwords | 18:14:45 |
ryantm | looks good then | 18:15:00 |
michaelsmitth | So now I rekey via
nix run github:ryantm/agenix -- --rekey
| 18:15:11 |
michaelsmitth | Is that right? | 18:15:14 |
ryantm | yep | 18:15:21 |
ryantm | It might not work for secrets you encrypted only with the mainserver key though. | 18:15:48 |
ryantm | You'll have to remake those. | 18:15:57 |
ryantm | It can only rekey the secret if it can decrypt it. | 18:16:22 |
michaelsmitth | Ah, now the sudo nixos-rebuild switch --flake .#mainpc worked. I think because it took the system's private key to decrypt | 18:17:37 |
michaelsmitth | In reply to @ryantm:matrix.org It might not work for secrets you encrypted only with the mainserver key though. Sorry, I cannot follow. What exactly do you mean? | 18:18:27 |
ryantm | --rekey tries to rekey all the secrets, and it will fail if it tries to rekey a secret that it can't decrypt. It uses your user SSH keys by default to try to decrypt. | 18:20:16 |
michaelsmitth | I did not get an error message for --rekey | 18:21:05 |
michaelsmitth | if that is what you mean | 18:21:09 |
michaelsmitth | Let me try to change the password for the mainserver user and then remotely deploy | 18:22:00 |
michaelsmitth | Also, the top three lines here are required, right?
age.secrets.mainpc-user-password = {
file = ../../secrets/mainpc-user-password.age;
};
users.users.user.passwordFile = config.age.secrets.mainpc-user-password.path;
| 18:23:39 |
ryantm | Yes, those go in your NixOS config. | 18:28:40 |
michaelsmitth | Okay, so I also adjusted the password for the mainserver and then remotely deployed via
sudo nixos-rebuild switch --flake .#mainserver --target-host root@<host-ip>
There were no errors, so everything worked successfully.
Can I not just remove the user = entry in my secrets.nix file in this case? Since the private key is automatically taken from /etc/ssh, I do not really see why I need it in this case.
| 18:30:47 |
michaelsmitth | I understood most of the principles now, but that is the only thing I do not understand yet. | 18:31:23 |
michaelsmitth | I do not know if anyone understands what I mean | 18:41:00 |
ryantm | If you always plan to deploy your secrets from the same machine, you could use that machine's private SSH host key to manage all the secrets, and then you'd need to run agenix commands as root to get access to that secret. | 18:49:57 |
michaelsmitth | In reply to @ryantm:matrix.org If you always plan to deploy your secrets from the same machine, you could use that machines private ssh host key to manage all the secrets, and then you'd need to run agenix commands as root, to get access to that secret. Which agenix command do you mean? | 19:14:18 |
michaelsmitth | agenix -e? | 19:14:31 |
ryantm | Yeah all of them basically. Edit, rekey, decrypt | 19:16:22 |