Rebuilding A Nix Server with Deploy-rs and Agenix

ops nix

published 2023-05-26 00:26

updated 2023-06-03 23:37

Let's say you accidentally killed one of your servers that you'd previously configured through Nix and now need to set it up again. Let's also say you had a data backup for all the services running on that machine. But what if you didn't back up the SSH key that agenix used to encrypt all your secrets?

Well... that does make things a little harder. I'm hoping you at least have backups of your software configured.

This is because with deploy-rs auto-deploy and no valid SSH key to decrypt your secrets, the deployment will auto-rollback and you won't be able to make any changes. You can of course turn that off and let it fail, but you'll presumably still need the secrets. I suppose if you have a backup of the key, you could add it alongside, or replace, the key currently on your newly provisioned server, but consider this an opportunity to learn more and rotate your keys.

Since we're rotating our keys, and you still have the old key, and you've provisioned a new server that has its own SSH key, you can add the new key to your secrets.nix file and include it as a valid decryption key for each secret. Then you need to rekey all your secrets with agenix. Unfortunately, because of the issue linked from this post, agenix rekeys happen alphabetically, so you also need to rename the secrets you wish to change so that they start with 'a'. Annoying, but solvable.
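As an added example of that secrets.nix step (my illustration, not the post's own file), here both the old host key and the new server's key are listed as recipients, and the secrets are renamed to sort first; the key strings and secret names are placeholders:

```nix
# secrets.nix - added example, not the post's own file.
# All key strings and secret names below are placeholders.
let
  # Old host key (from your backup): still needed to decrypt the existing .age files.
  oldHost = "ssh-ed25519 AAAA...OLD_HOST_KEY_PLACEHOLDER";
  # Key of the freshly provisioned server, e.g. read with:
  #   ssh-keyscan -t ed25519 <new-server>
  newHost = "ssh-ed25519 AAAA...NEW_HOST_KEY_PLACEHOLDER";
  # Your own admin key, so you can still edit the secrets from your workstation.
  admin = "ssh-ed25519 AAAA...ADMIN_KEY_PLACEHOLDER";
in
{
  # Renamed to start with "a-" so agenix processes them first when rekeying
  # (see the alphabetical-order issue linked from the post).
  "a-postgres-password.age".publicKeys = [ admin oldHost newHost ];
  "a-backup-token.age".publicKeys      = [ admin oldHost newHost ];
}
```

With the old key available as an identity (`agenix -r -i /path/to/old_host_key`), every secret is re-encrypted to the new server's key; once the new server decrypts them successfully, drop `oldHost` from the list and rekey once more to finish the rotation.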