Відео

Thanks for the feedback and for watching. Audio levels were improved on subsequent videos.

Nixos-anywhere is one of the tools used here for getting a minimal version of the flake installed. It falls short for installing the full version of the flake because that one inputs secrets from a separate private repo. I talk a little bit about this in Part 2 and will go over it more thoroughly in forthcoming videos. Thanks for watching and commenting.

Thanks for pointing this out. One of my videos was accidentally deleted and I didn't realize the playlist was affected. The playlist should be in the correct order now. Thanks for watching.

@@Emergent_Mind Thanks!

Thank you for pointing this out, it has be fixed now. Thanks for watching!

Any particular reason why? I hadn't heard of it until now but will have a look. Thanks for watching and commenting!

@@Emergent_Mind go templates, include other task files (including remotes), parallel execution for the deps.

Yeah, that should work. If you were planning to use my script as a starting point, removing the key generation lines would be quite trivial. Per-host keys is just a personal requirement/preference so eliminating the complexity should simplify the process for you. Also, remember that if you're hosting your secrets in a private repo you'll have to ensure the target host can access the repo itself during build. Sort of unrelated and also not a requirement but just mentioning as it can be easy to forget the little steps. Let me know how you make out. Thanks for watching and commenting!

​@@Emergent_Mind thanks, i have made some posts on reddit too but don't think i am allowed to link on YT. On reddit, someone has mentioned (and has been liked by others) "The pgp key is used by you (the user) to encrypt and decrypt the secrets when you need to modify them or add new ones. The machine on the other hand needs to decrypt the secrets when it switches to a new configuration, or when booting." So now i am unsure because it contradicts your point above :| it would be really good to see basic "hello world" examples showing the different ways the yubikey can be used with sops-nix. All the configs i have come across so far seem quite complex and opinionated. Also would be great if there was a way to contact you on some other medium to discuss (couldn't find any contact details on your profile/website). Thanks!

I would have to dig into this a little more to be sure but as long as you're able to store your pgp keys on a given host and configure it to use those keys then it should work. It's non-typical I suppose, which is likely where the reddit comment is coming from but again, I'd have to do some looking and experimentation to confirm. Regarding contact info, I pushed an update to my website yesterday and you can now find an email link in the footer. Contact me there and I'll see try to block a little bit of time to help. I do plan on revisiting some of the secrets management content in the future to cover more of the basics and provide some more detailed examples. I'm not sure when that will be at this point.

One of the tools used in this process is nixos-anywhere, which will allow you to provide a github url to a config. I'll be going over it and how it's used in upcoming videos but in the mean time you can check it out here: github.com/nix-community/nixos-anywhere However, if you're using secrets in similar manner to how I do, when the config builds on the target, it needs private keys to successfully access the private repo where the encrypted secrets are stored and also to decrypt the secrets. The private keys have to exist on the target so there's a chicken and egg scenario. Yubikey and public keys will still require the private key to exist on the target. I think you can get around it by using the shortened process steps I mention in the video but haven't tested it to confirm. If you go that route let me know how you make out Thanks for watching!

Great question. The secrets are always in an encrypted state while in nix store. When sops extracts the secrets (during the activation phase of nixos) they are owned by root:root adn stored in /run/secrets.d which is owned by root:keys and only exists during run time. There is pretty good information about this on the sops-nix repo if you're interested in learning more: github.com/Mic92/sops-nix Thanks for watchign!

You would have to change a few things related to secrets management that were added after this video was recorded. This was a repost due to an accidental deletion of the original. The config now takes an input from a private repository and references several values throughout. If you watch my series on NixOS Secrets Management and read through the accompanying article on my website you should be able to get it set up. Aside from that, you're correct a few small changes like you noted should be sufficient. I would recommend however, making the changes to your own config over time in increments so that you get a good understanding of how it all connects. That's how I like to learn though so maybe not your preference. :) Thanks for watching!

@@Emergent_Mind oh man, sorry to hear about the video. About the secrets management, tough, would it be simpler to just turn it off for my case? Or is it mandatory in the config?

You could disable it but I haven't set it up as a toggleble option yet so you would have to manually comment out or remove the relevant parts

I'm glad this will help you, it took quite a bit of effort to figure out and there is still room for improvement. Thanks for watching and commenting!

Thanks for this! So much to learn :)

You're correct about the context being specific and there is certainly room for refining the process. I'll make some improvements for the upcoming videos. Thank you for the suggestions, I appreciate it!

I so rarely use network boot that it didn't cross my mind but I probably should make better use of it tbh. Using '--target-host' would be ideal but requires NixOS on the source machine, which unfortunately isn't convenient for me at the moment. Perhaps adding the option for executing it one way or the other would be a good prompt to add. Re: host SSH key. I think there was a specific reason why we generate it on the target instead but I can't remember. Thanks for the comment and suggestions!

@@Emergent_Mind If you generate the private host key on the source machine, you have to get it to the target machine safely. If someone records the ssh traffic of the installation and eventually decrypts it, the ssh key would be compromised. I'm setting up Laptop/Desktop systems with disko-install and there it's fine to generate host keys on the source machine because they only get written to the new boot drive, not sent over any network.

That's a valid point. In my case all of the targets are on a local network so the risk of exposure is lower.

@@lordkekz4 How is it unsafe to scp them to the target host (with password login the first time)?

@@Emergent_Mind I do every ops stuff from a dedicated NixOS VM

Thank for the compliment. I intend to have part two published sometime this week and expect that there will be at least four parts at the typical ~10 minute mark.

Thanks for commenting and watching. I ran across some configs similar to what you describe when I started out. It's fascinating how there are so many effective ways to go about it.

Hi thanks for the compliment! I'm glad it was good timing for you. If I'm understanding your question correctly, the user key would indeed have to be deployed in advance because the user won't have read permissions to the ssh service private key. However, you can get around by storing the user key in your secrets and extracting it to the users home prior to the homemanager sops module firing. We actually incorporated this into the config recently. See line 35 in github.com/EmergentMind/nix-config/blob/dev/hosts/common/core/sops.nix Note also, that I've also moved to having a distinct age key for the user on each host as opposed to a single dev key. Hope that helps, let me know how you make out :)

@@Emergent_Mind Thanks a lot. That's what I didn't know, if home-manager fires after the other Nix config when used as a module. I'll check how you did it in your config.

I use a program called draw.io to make the diagrams. It takes a little while but I find it enjoyable.

Thank you for watching!

Thanks for the compliment!

In some ways they are not much different and there is certainly overlap in basic utility. However, just (and make for that matter) are declaritve in nature whereas bash scripts are imperative. Granted, my examples and use case at the moment don't really demonstrate that. Thanks for watching and commenting!

@@Emergent_Mind thanks for the clarification!

stage only; git add'ing suffices.

Combining with direnv is a cool idea! Nix is a bit daunting given it's differences from the 'norm'. The declarative aspect is what ultimately sold me on diving into it. Let me know how it goes if you do give it another try :) Thanks for watching!

Excellent suggestion, I'll look into adding this to my file. Thanks for watching!

it's Make, but simpler. just is designed as a command runner rather than a build system which in consequence avoids many complexities from Make.

My current use case isn't much different but, as @khwpp5943 mentioned, expanding the recipes in the future will keep things simple. Thanks for watching!

Thanks for the suggestion, I'll look into that. I have looked briefly at NH but haven't tried it out yet. It's on the list to explore though :)

Looking forward to the new series. Just looks like Make?

Glad to hear. It's been an interesting set of problems to solve. Just syntax was inspired by Make, but the tool itself is much simpler. Thanks for watching!

Thank you for the kind compliment. I'm glad it was helpful!

Thanks for watching and for the compliment.

Thanks for pointing this out! I have started to edit the captions for existing videos and will include it as a step when posting future videos.

Thanks for the suggestion!I will keep this in mind for future videos.

Thanks for the suggestion! Adding yubikey to the mix with sops is something I'm planning to tackle eventually, so I will make a video about it fo sure. Thanks for watching.

Thanks for the kind compliment!

It's just a convenience thing; I can't be bothered to host my own private instance for the time being.

@@Emergent_Mind I see. In my case I ran into the issue that I want to store secrets in my self hosted instance but not associate my private domain name with my github profile, so I still cannot publish my nixos configs on my github😅. Thanks for all the hard work in publishing these videos and blog posts. I tried it out and it worked perfectly.

Glad to hear it worked out.

Yeah, I don't bother with a root user on any of the hosts that I've moved over to NixOS.

Hi again. Yes, currently I'm working deploying to a limited number of machines that have restricted network access so I'm not overly concerned with using the same password at the moment. This will change eventually for most physical machines and VMs will be restricted to remote access with keys. It is definitely possible to set up different passwords for each host. You would need host specific entries in your secrets.yaml file of course and you would also need to have some logic in your your hosts/common/users/<user> module, to assign the correct password for the host.

What you described is correct. Alternatively, you could backup the 'known' host ssh key prior to reinstall and then overwrite the autogenerated one with it, which would keep the .sops.yaml and age key data unchanged. Hard to say if one is more convenient than the other though. I am working on some remote install automation at the moment, which includes handling secrets management with a private repo, and automatically generates keys and updates .sops.yaml accordingly. It's still a work in progress because of other aspects of the process but it's close to being done. I'll be making some videos to describe it all when it's finished. Thanks for watching!

Thanks for watching. The diagrams are all done in draw.io for the time being.

Hi there, I have but it not since I was testing it out early on. There are many potential issues that could occur there so I'm not sure how to help. Maybe post your issue with some additional context on discourse.nixos.org/ I'll keep an eye out for it but I do happen to be headed on vacation for a couple of weeks so hopefully someone else can point you in the right direction. Let me know how it goes and thanks for watching!

Thank you for the kind compliment! More to come.

Thanks for watching and for the comment! That's a good suggestion. You may also know that there is finally an official wiki at wiki.nixos.org/ so I will likely reference that as well. I have a few ideas for showing the reference process in the videos to help out as well.

Thanks for the kind compliment. I'm glad to help. More content is on the way in coming weeks.

Hahaha, I suspected someone would call me out on that at some point. :) My disdain for PGP is specifically from consistently bad experiences using it over a couple decades. Every time I need it for more than a minimal touch, 'out-of-the-box' scenario I run into endless problems and often lose significant amounts of time trying to troubleshoot (often to no avail). I will admit that this is most likely my own failings more than an intrinsic problem with the technoloyg but I do find it needlessly convoluted. So really, I just avoid it whenever I can. Has your experience with it been positive? Thanks for watching and for the comment!

@@Emergent_Mind yeah, I was just genuinely interested to know if it had failings as means of protecting sensitive information, as I use GPG occasionally. It sounds like your concerns were more about usability rather than the security side, although granted, a security product that is difficult or especially confusing to use can result in the security one believes to have not actually being.

Thanks for watching! That's an astute question and something I have noted for when I revise the secrets management series at some point in the future. You're correct about key rotation being the solution. Any time a key is removed you should run `sops rotate -i foo.yaml` where foo.yaml is your secrets file. I am planning on adding that command to some of my automation scripts so that it gets run on a regular basis. Another thing to consider is that, even if you rotate keys, the host will likely be able to boot into previous nixos generations that would still be using the old keys and secrets file. So in any scenario where that presents a security risk, the previous generations on that host should be purged. There may be another option for handling this but if so, I'm not aware of it.

It seems like you have provided an unrelated statement. I'm not sure what you are asking. To clarify, could you please provide more context or rephrase your question? I'm here to help, and I'll do my best to provide a useful, helpful, and actionable answer once I understand your question. ;P no, I am not AI

Thanks for the suggestion and your other comment! There are already a few things I would like to improve about how I presented this series. There are a lot of other topics I'm planning to cover in the near future but I've added the multi-key topic as something to go through, when this series eventually gets a revision. It's good to know what people are interested in hearing about!

Thanks for watching and for the kind compliment! There is more content coming.

Most of the keys in my config are related to a bunch of physical yubikeys. If you're not familiar with them, it's a little usb device that you can do a bunch of different passphrase related functions with. One of the functions is physically touching the device when ssh requires a passphrase for the associated private key. It allows you do use passphrases with keys without having to type them or copy/paste from a secure db. I have several different yubikeys for different machines work, home, remote, etc so I don't have to be unplugging/plugging a single usb device across multiple machines. Takes a little bit to set up but it's one of those things that once it's done you don't know how you lived without it hahah. I'm planning to do a video on yubikeys at some point, inlcuding how to handle multiple, possible yubikeys on a given machine using nixos. Not sure when I'll get to that though. Thanks for watching!

@@Emergent_Mind Oh, so like each yubikey has a password for a different ssh key and having all the private keys on all the devices 1. is fairly secure because while the keys are used on multiple devices, to use them physically requires one of the yubikeys, and 2. it means that no matter what yubikey you have at any given moment you can access any of your devices?

That's correct. It's quite convenient despite a couple of extra steps for management and what not.