Thanks for the compliment!

Thank you for the kind compliment. I'm glad it was helpful!

Thank you for the kind compliment! More to come.

Thanks for watching and for the compliment.

Thank you for watching!

Thanks for the compliment, I'm glad you enjoyed the video. There two ways to handle the ssh key situation on reinstall. The first would be to copy the system's ssh key prior to reinstall and then write it to the reinstalled system after. Actually, when you're booted to the nixos installer environment you can write the ssh key pair to `/mnt/etc/ssh` and then when the install is executed the keys are written to the system. Pro: no need to update .sops.yaml and updatekeys on secrets.yaml Con: need to copy or have a back up of the original ssh key and put it on the reinstalled system The second would be to accept that the old ssh key will be paved and instead, generate a new age key for the system derived from the new ssh key. You'd just update the .sops.yaml to replace the original age public key with the new one and run a sops updatekeys command to encrypt the secrets appropriate. Pro: no need to move copies of the ssh key around Con: you need to update .sops.yaml and updatekys on secrets.yaml There may actually be other options but those are the two that I would consider. They both require a similar amount of effort but in different ways. If it's a scenario that you're running into frequently you could look into automating parts of the process with scripts. I'm experimenting with automating remote installation at the moment and currently have it set up so that, prior to install, an ssh key for the target system is generated on a source system, age keys are derived, my .sops.yaml and secrets are updated, and the ssh keys are injected into the installer. It's been a lot of fun trial and error but it's all automatic. Is that helpful? Let me know how it goes.

@@Emergent_Mind thanks a lot for the detailed answer. It makes lots of sense and I'll experiment a bit with the two options once I'm back from holiday.

Hi there, I have but it not since I was testing it out early on. There are many potential issues that could occur there so I'm not sure how to help. Maybe post your issue with some additional context on discourse.nixos.org/ I'll keep an eye out for it but I do happen to be headed on vacation for a couple of weeks so hopefully someone else can point you in the right direction. Let me know how it goes and thanks for watching!

What you described is correct. Alternatively, you could backup the 'known' host ssh key prior to reinstall and then overwrite the autogenerated one with it, which would keep the .sops.yaml and age key data unchanged. Hard to say if one is more convenient than the other though. I am working on some remote install automation at the moment, which includes handling secrets management with a private repo, and automatically generates keys and updates .sops.yaml accordingly. It's still a work in progress because of other aspects of the process but it's close to being done. I'll be making some videos to describe it all when it's finished. Thanks for watching!

Hahaha, I suspected someone would call me out on that at some point. :) My disdain for PGP is specifically from consistently bad experiences using it over a couple decades. Every time I need it for more than a minimal touch, 'out-of-the-box' scenario I run into endless problems and often lose significant amounts of time trying to troubleshoot (often to no avail). I will admit that this is most likely my own failings more than an intrinsic problem with the technoloyg but I do find it needlessly convoluted. So really, I just avoid it whenever I can. Has your experience with it been positive? Thanks for watching and for the comment!

@@Emergent_Mind yeah, I was just genuinely interested to know if it had failings as means of protecting sensitive information, as I use GPG occasionally. It sounds like your concerns were more about usability rather than the security side, although granted, a security product that is difficult or especially confusing to use can result in the security one believes to have not actually being.

Thanks for the suggestion!I will keep this in mind for future videos.

It seems like you have provided an unrelated statement. I'm not sure what you are asking. To clarify, could you please provide more context or rephrase your question? I'm here to help, and I'll do my best to provide a useful, helpful, and actionable answer once I understand your question. ;P no, I am not AI

Thanks for the suggestion and your other comment! There are already a few things I would like to improve about how I presented this series. There are a lot of other topics I'm planning to cover in the near future but I've added the multi-key topic as something to go through, when this series eventually gets a revision. It's good to know what people are interested in hearing about!