| 26 Feb 2023 |
michaelsmitth | And that secret1.age is just a file which could for example be one for my userpassword.age, rootpassword.age and so on? | 01:25:52 |
ryantm | Yep | 01:26:13 |
michaelsmitth | Is it recommended to create one age file for each individual secret, or are multiple in one also possible? | 01:26:38 |
ryantm | You can do either but one secret per file is usually the more ergonomic way. | 01:27:28 |
michaelsmitth | Okay, good. And how would I generate the secret key with ssh-keyscan now? | 01:29:14 |
ryantm | ssh-keyscan doesn't generate keys, it just grabs the public key from the SSH server. | 01:30:19 |
michaelsmitth | Hm, okay. So how would I add a public key for mainuser here?
let
mainuser = "";
in
{
"mainpc-root-password".publicKeys = [ mainuser ];
"mainpc-user-password".publicKeys = [ mainuser ];
"mainserver-root-password".publicKeys = [ mainuser ];
"mainserver-user-password".publicKeys = [ mainuser ];
}
| 01:33:04 |
michaelsmitth | The tutorial says:
Add public keys to secrets.nix file (hint: use ssh-keyscan or GitHub (for example, https://github.com/ryantm.keys)):
| 01:33:42 |
ryantm | Do you have an ssh key for yourself? In ~/.ssh | 01:35:24 |
michaelsmitth | In reply to @ryantm:matrix.org "Do you have an ssh key for yourself? In ~/.ssh": there is only a known_hosts file in there | 01:36:29 |
ryantm | Typically people doing this already have SSH keys. So either you could make some, or you could make an age identity file to use instead. | 01:41:47 |
michaelsmitth | Which method do you recommend? | 01:42:30 |
ryantm | SSH key | 01:42:40 |
michaelsmitth | How would I generate one for my user and how for the system? | 01:42:55 |
ryantm | https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent | 01:43:07 |
ryantm | You shouldn't need to generate it for the system if you have the SSH server running on it. | 01:43:33 |
michaelsmitth | I just need to generate a single one for github? | 01:44:22 |
michaelsmitth | * I just need to generate a single one? | 01:45:12 |
ryantm | Yes | 01:46:16 |
michaelsmitth | Why do I need to provide my email though?
ssh-keygen -t ed25519 -C "your_email@example.com"
| 01:48:37 |
ryantm | You don't. It sometimes helps you keep track of ssh keys to have a comment like that. | 01:50:13 |
michaelsmitth | In reply to @ryantm:matrix.org "You don't. It sometimes helps you keep track of ssh keys to have a comment like that.": So the command above generates my private key which I use to decrypt everything? | 13:14:38 |
michaelsmitth | Well yeah, I have one .pub and one private | 13:16:55 |
ryantm | Yes. | 13:53:57 |
michaelsmitth | In reply to @ryantm:matrix.org "Yes.": I have a few questions now.
I generated my public key via
ssh-keygen -t ed25519
And it looks like this:
ssh-ed... ABCDEF.... user@machine
Now I generated all my encrypted .age files which I need.
What is the best way now to use them in my configuration.nix for a user password for instance? Because I see there are multiple ways listed on the GitHub page.
And also, since I only have this ssh private key on my current desktop machine in ~/.ssh, how can I access it on other machines to decrypt the secrets?
| 14:32:17 |
ryantm | Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile ; the contents of the file need to be hashed with mkpasswd. | 14:40:22 |
ryantm | michaelsmitth: you want to also encrypt the secret with the remote system's public SSH key, that way it can decrypt it. | 14:41:36 |
michaelsmitth | In reply to @ryantm:matrix.org "Use https://search.nixos.org/options?channel=22.11&show=users.users.<name>.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users.<name>.passwordFile ; the contents of the file need to be hashed with mkpasswd.": Is this how I should do it?
age.secrets.mainpc-user-password = {
file = ../../secrets/mainpc-user-password.age;
};
users.users.user.passwordFile = config.age.secrets.mainpc-user-password.path;
| 14:50:57 |
michaelsmitth | At the moment I get an error "No matching keys found" for some reason. | 14:51:42 |
michaelsmitth | Both of my ssh keys are in ~/.ssh | 14:51:50 |