
How to use ssh-to-pgp #43

Closed
denibertovic opened this issue Nov 12, 2020 · 6 comments

Comments

@denibertovic

Hi. I'm trying to use ssh-to-pgp and following the instruction here: https://github.com/Mic92/sops-nix#3-get-a-pgp-public-key-for-your-machine

I assume I have to clone this repo and run nix-shell -p ssh-to-pgp in the root of the repo next to shell.nix. However, when I do that I get the following error:

error: undefined variable 'ssh-to-pgp' at (string):1:94

It's unclear from the documentation how to get ssh-to-pgp installed on the machine I'm provisioning.
What do I need to add to configuration.nix to get it installed on the remote machines?

@Mic92
Owner

Mic92 commented Nov 12, 2020

It's defined here:

ssh-to-pgp = pkgs.callPackage ./pkgs/ssh-to-pgp {

You can do nix-build -A ssh-to-pgp and then ./result/bin/ssh-to-pgp to run it.

@denibertovic
Author

hey @Mic92 thanks. I'm able to build it locally but I meant how would I get it installed on the server as part of configuration.nix. The examples all presume that it's installed on the server but just adding imports = [ "${(import ./nix/sources.nix).sops-nix}/modules/sops" ]; doesn't seem to install it.

@Mic92
Owner

Mic92 commented Nov 12, 2020

Yes. it is not part of the nixos module. You can also just do: ssh root@server01 "cat /etc/ssh/ssh_host_rsa_key" | ssh-to-pgp -o server01.asc

@denibertovic
Author

@Mic92 ah I see...I think I misread that command initially to mean that it's to be executed on the server. 🤣
On that subject...server01.asc is defined from the private key /etc/ssh/ssh_host_rsa_key right? But it's producing a public gpg key based on it? Which means that it's okay to commit into the repo. So there's something that makes the private key gpg key (from that same ssh key) during secret decryption on the fly?

@Mic92
Owner

Mic92 commented Nov 12, 2020

Yes. It generates a public key but it needs the private ssh key because gnupg needs a signed public key, although it would not be required in theory.
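A check worth running on a generated server01.asc before committing it to the repo, as an added example that is not part of sops-nix or ssh-to-pgp: it strips the ASCII armor, walks the OpenPGP packet headers (RFC 4880) and confirms the block holds only public-key, user-id and signature packets and no secret-key packets. The two armored samples are constructed here with placeholder packet bodies rather than real key material; for a real file you would pass its text to is_public_only.

```python
import base64
SECRET_TAGS = {5, 7}  # OpenPGP secret-key / secret-subkey packet tags (RFC 4880, 4.3)

def dearmor(text):
    # Keep only base64 body lines: skip armor lines, "Key: value" headers, blanks, CRC24
    body, in_body = [], False
    for line in text.strip().splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_body = True
        elif line.startswith("-----END PGP"):
            break
        elif in_body and line.strip() and ":" not in line and not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))

def packet_tags(data):
    # Walk the packet stream and return [(tag, body_length), ...] without decoding bodies
    i, out = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header (RFC 4880, 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:
                raise ValueError("5-byte and partial body lengths not supported")
        else:  # old-format header: length field is 1, 2 or 4 bytes (type 3 = indeterminate)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        out.append((tag, length))
        i += hdr + length
    return out

def is_public_only(armored):
    tags = {t for t, _ in packet_tags(dearmor(armored))}
    return bool(tags) and not (tags & SECRET_TAGS)  # packets present, none secret
def _pkt(tag, body):  # new-format header with a one-byte length (body < 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body
def _armor(label, packets):
    return f"-----BEGIN PGP {label}-----\n\n{base64.b64encode(packets).decode()}\n-----END PGP {label}-----\n"
# Constructed samples (placeholder bodies, not real keys): public-key, user-id, signature vs. secret-key (tag 5)
SAMPLE_PUBLIC = _armor("PUBLIC KEY BLOCK", _pkt(6, b"\x04" * 12) + _pkt(13, b"root@server01") + _pkt(2, b"\x04" * 8))
SAMPLE_SECRET = _armor("PRIVATE KEY BLOCK", _pkt(5, b"\x04" * 12) + _pkt(13, b"root@server01"))
```

On a machine with GnuPG, gpg --list-packets server01.asc gives the same packet listing.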

@denibertovic
Author

Thanks @Mic92 for the clarification! I was able to successfully deploy secrets to my demo server and am excited to roll it out to the rest. It works really well! Closing this.
