| 31 Oct 2023 |
jeroen | In reply to @k900:0upti.me No, how would it work then? I thought it might use the ssh-agent, but this confirms my suspicion, thank you! | 09:33:47 |
peter-lustig | K900 ⚡️: I got
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
decrypting '/nix/store/426r27dfbgqaw3kn8sa78xk25148rbvb-hedgedoc-environment-file.age' to '/run/agenix.d/1/hedgedoc-environment-file'...
Error: No matching keys found
on my server
| 22:47:50 |
peter-lustig | but the server public key and the user public key are stored in secrets.nix | 22:48:03 |
peter-lustig | so idk why it does not work | 22:48:26 |
peter-lustig | can you help me, ryantm? | 22:48:30 |
peter-lustig | I created the secret on my desktop machine with agenix -e hedgedoc-environment-file.age and then deployed it to the server with nixos-rebuild --target-host, and secrets.nix has both the server public key and the pc public key | 22:49:27 |
ryantm | If you look at the .age file in the store, you should be able to see which keys it is encrypted with. | 22:49:58 |
ryantm | Can you share your secrets.nix file? | 22:50:58 |
peter-lustig | In reply to @ryantm:matrix.org Can you share your secrets.nix file? yes | 22:51:04 |
peter-lustig |
let
  server = "key is here";
  pc = "key is here";
in
{
  "hedgedoc-environment-file.age".publicKeys = [ server pc ];
  "discord-bot-token.age".publicKeys = [ server pc ];
}
| 22:51:32 |
ryantm | Looks reasonable. Can you share your NixOS configuration too? | 22:52:14 |
peter-lustig | ryantm: maybe worth mentioning, the contents of that hedgedoc age file look like this:
CMD_GITHUB_CLIENTID=number
CMD_GITHUB_CLIENTSECRET=number
| 22:53:04 |
peter-lustig | maybe that is a problem | 22:53:08 |
ryantm | The contents of the file shouldn't matter at all. | 22:53:33 |
peter-lustig | and I do this then in my config:
age.secrets.hedgedoc-environment-file.file = ../../secrets/hedgedoc-environment-file.age;
hedgedoc = {
  ...
  environmentFile = config.age.secrets.hedgedoc-environment-file.path;
};
| 22:54:03 |
ryantm | Does your server have openssh enabled? | 22:54:25 |
ryantm | Or, what kind of key are you using for the server? | 22:54:44 |
peter-lustig | In reply to @ryantm:matrix.org Does your server have openssh enabled? uhm, I can ssh into it if that is what you mean | 22:54:46 |
peter-lustig | with my pc and laptop | 22:54:56 |
ryantm | Cool. | 22:55:02 |
ryantm | Does ssh-keyscan server match the key in secrets.nix? | 22:55:22 |
peter-lustig | In reply to @ryantm:matrix.org Does ssh-keyscan server match the key in secrets.nix? what command exactly? | 22:56:16 |
ryantm | On your pc do ssh-keyscan serverhostname | 22:56:39 |
ryantm | It should output the public keys of your server, one of them should match the one in secrets.nix | 22:57:10 |
peter-lustig | hmm, I think none matches | 22:58:32 |
ryantm | Then you've encrypted it with the wrong key somehow. | 22:58:49 |
peter-lustig | but I just did cat .ssh/id_ed25519.pub on both server and pc and then just put both in my config file | 22:58:52 |
peter-lustig | hmm | 22:58:58 |
ryantm | The server keys are in /etc/ssh/ | 22:59:15 |
peter-lustig | does .ssh not work? | 22:59:28 |