From 44d91e885e8cc730912c7951c42687930a7409d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?=
Date: Sat, 28 Aug 2021 11:44:38 +0200
Subject: [PATCH] Add review suggestions

---
 README.md | 11 +++++++++--
 modules/sops/default.nix | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 232bc39..2c66e58 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,8 @@ be used to decrypt the secrets on the target machine.
 The tool `ssh-to-pgp` can be used to derive a gnupg key from a ssh (host) key in RSA format.
 The other method is age which is based on [age](https://github.com/FiloSottile/age).
-A tool is provided with sops-nix that can convert ssh host or user keys to age keys.
+A tool is provided with sops-nix that can convert ssh host or user keys in ed25519
+format to age keys.
 ## Usage example
@@ -201,11 +202,13 @@ have one, you can generate one using
 $ ssh-keygen -t ed25519
 ```
-Converting it to the age format works like this:
+Converting the public key to the age format works like this:
 ```console
 $ nix run -f default.nix sops-ssh-to-age -c sh -c 'ssh-add -L | sops-ssh-to-age'
 ```
+Ssh public key files may also be piped into the `sops-ssh-to-age` tool.
+
 ### 3a. Get a PGP Public key for your machine
 The easiest way to add new hosts is using ssh host keys (requires openssh to be enabled).
@@ -408,6 +411,10 @@ If you derived your server public key from ssh, all you need in your configurati
   sops.secrets.example-key = {};
   # This is using ssh keys in the age format:
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  # This is using an age key that is expected to already be in the filesystem
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # This will generate a new key if the key specified above does not exist
+  sops.age.generateKey = true;
 }
 ```
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 76060e7..7e4f36f 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -156,7 +156,7 @@ in {
     sshKeyPaths = mkOption {
       type = types.listOf types.path;
-      default = []; # If we set this like the gnupg option, we would use age by default
+      default = []; # If we set this like the gnupg option, we would use ed25519 by default
       description = ''
         Path to ssh keys added as age keys during sops description.
         This option must be explicitly unset if config.sops.age.keyFile is set.