From e543aa7d68f222e1e771165da9e9a64b5bf7b3e3 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 12 May 2021 20:37:06 -0700 Subject: [PATCH] doc: explain better where SSH host keys come from in tutorial fixes #17 --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 26bfe89..c53e951 100644 --- a/README.md +++ b/README.md @@ -130,14 +130,18 @@ but, if you want to (change the system based on your system): ## Tutorial -1. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys: +1. The system you want to deploy secrets to should already exist and + have `sshd` running on it so that it has generated SSH host keys in + `/etc/ssh/`. + +2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys: ```ShellSession $ mkdir secrets $ cd secrets $ touch secrets.nix ``` -2. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)): +3. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)): ```nix let user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; @@ -153,15 +157,15 @@ but, if you want to (change the system based on your system): "secret2.age".publicKeys = users ++ systems; } ``` -3. Edit secret files (these instructions assume your SSH private key is in ~/.ssh/): +4. Edit secret files (these instructions assume your SSH private key is in ~/.ssh/): ```ShellSession $ agenix -e secret1.age ``` -4. Add secret to a NixOS module config: +5. Add secret to a NixOS module config: ```nix age.secrets.secret1.file = ../secrets/secret1.age; ``` -5. NixOS rebuild or use your deployment tool like usual. +6. NixOS rebuild or use your deployment tool like usual. The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/secrets/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix).