I'm not 100% sure as I'm pretty new to nixops, but probably if you put credentials like that, they can end up in /nix/store. As someone explained to me before, probably the only good way at the moment to do that is to use deployment.keys.
Can anyone confirm that?

2016-06-09 10:31 GMT+01:00 4levels <[email protected]>:

> Hi,
>
> thank you for your swift reply!
> I'd like to avoid literally mentioning all sensitive config params in the
> network.nix config.
>
> What would be the "normal" procedure to recursively merge 2 attribute
> sets?
>
> So if I have in one file
> servers.nix: {
>   vm01 = {
>     services.symfony.platforms = {
>       database = {
>         username = "www";
>       };
>     };
>   };
> }
>
> and in the other
> keys.nix: {
>   vm01 = {
>     services.symfony.platforms = {
>       database = {
>         password = "12345678";
>       };
>     };
>   };
> }
>
> So they become one when building:
> {
>   vm01 = {
>     services.symfony.platforms = {
>       database = {
>         username = "www";
>         password = "12345678";
>       };
>     };
>   };
> }
>
> Kind regards,
>
> Erik
>
> On Thu, Jun 9, 2016 at 11:23 AM zimbatm <[email protected]> wrote:
>
>> Hi,
>>
>> I don’t know where you are getting this error. All I can do is suggest a
>> workaround:
>>
>> In keys.nix:
>>
>> {
>>   database_password = "12345678";
>> }
>>
>> In network.nix:
>>
>> let
>>   secrets = import ./keys.nix;
>> in
>> {
>>   vm01 =
>>     { config, pkgs, ... }:
>>     {
>>       services.symfony.platforms.database.password =
>>         secrets.database_password;
>>
>>       ..
>>     };
>> }
>>
>> On Thu, 9 Jun 2016 at 07:54 4levels <[email protected]> wrote:
>>
>>> Hi Nix Devs,
>>>
>>> I'm having some difficulties separating sensitive information from a nix
>>> expression used by NixOps.
>>>
>>> I keep the server config in a separate file, servers.nix:
>>> {
>>>   vm01 =
>>>     { config, pkgs, nodes, ... }:
>>>     {
>>>       deployment = {
>>>         targetHost = "192.168.121.50";
>>>       };
>>>       ...
>>>     }
>>> }
>>>
>>> Currently I have all relevant software config for each server in a nix
>>> expression platforms.nix as follows (where vm01 is the hostname):
>>> {
>>>   vm01 =
>>>     { config, pkgs, ... }:
>>>     {
>>>       services.symfony.platforms = {
>>>         database = {
>>>           username = "www";
>>>           /* password = "1234567" -> moved to keys.nix */
>>>         };
>>>         ...
>>>     }
>>> }
>>>
>>> I want to remove the sensitive info from this file and put it in a
>>> separate nix expression, e.g. keys.nix, maintaining the same structure so
>>> the files can be merged.
>>>
>>> In keys.nix I currently have
>>> {
>>>   vm01 = {
>>>     { config, pkgs, ... }:
>>>     {
>>>       services.symfony.platforms.database.password = "12345678";
>>>       ..
>>>     }
>>>   }
>>> }
>>>
>>> I've modified my nixops deploy to have keys.nix loaded after the
>>> servers.nix and platforms.nix files, but I keep getting errors like "the
>>> attribute password does not exist"
>>>
>>> I must be overlooking something obvious as all the other files I define
>>> in my deploy are being merged correctly.
>>>
>>> Can anyone advise me on how to achieve this?
>>>
>>> The underlying reason is that I'm using git-crypt to encrypt the
>>> platforms.nix file, but this makes it impossible to work with branches (or
>>> git logs) etc. as the whole file is encrypted and git cannot merge binary
>>> files (it simply replaces them).
>>>
>>> Kind regards!
>>>
>>> Erik aka 4levels
>>>
>>> _______________________________________________
>>> nix-dev mailing list
>>> [email protected]
>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev

-- 
Tomasz Czyż
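An added example, not written by any poster in this thread, of the two approaches discussed: `lib.recursiveUpdate` from nixpkgs for the recursive merge Erik asks about, and `deployment.keys` as Tomasz suggests for keeping the secret out of /nix/store. The inlined sets and the key name `db-password` are assumptions for illustration; the merge applies to plain attribute sets as in Erik's follow-up, not to machine values written as `{ config, pkgs, ... }:` functions.

```nix
# Evaluate with: nix-instantiate --eval --strict merge.nix
# The two sets below are inlined copies of the servers.nix / keys.nix
# snippets from the thread; in a real tree they would be
# `import ./servers.nix` and `import ./keys.nix`, with only keys.nix
# encrypted by git-crypt.
let
  lib = import <nixpkgs/lib>;

  servers = {
    vm01.services.symfony.platforms.database.username = "www";
  };

  keys = {
    vm01.services.symfony.platforms.database.password = "12345678";
  };

  # `//` is a shallow update: the vm01 value from `keys` replaces the one
  # from `servers` wholesale, so `username` is lost.
  shallow = servers // keys;

  # recursiveUpdate descends into nested attribute sets and merges them
  # leaf by leaf, which is the result Erik describes.
  merged = lib.recursiveUpdate servers keys;

  # A value merged this way and referenced from the system configuration
  # can still end up in the world-readable /nix/store. deployment.keys
  # has NixOps copy the text to /run/keys/<name> on the target instead.
  # The key name "db-password" is an assumption chosen for this example.
  viaDeploymentKeys = {
    vm01 = { config, pkgs, ... }: {
      deployment.keys."db-password".text =
        keys.vm01.services.symfony.platforms.database.password;
    };
  };
in
{
  shallowKeepsUsername =
    shallow.vm01.services.symfony.platforms.database ? username;
  mergedDatabase = merged.vm01.services.symfony.platforms.database;
  inherit viaDeploymentKeys;
}
```

With `deployment.keys`, the service has to read the password from `/run/keys/db-password` at runtime rather than receive it as an option value.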
