Hi Tomasz, that is indeed the case: all these configuration values are being used to generate different config files (e.g. a symfony project, or a wordpress site, etc.) and they do appear in /nix/store.
I was not really aware of the security concerns here, but if deployment.keys can be an attribute set, I'll definitely try implementing that instead! Thank you for the pointer, I'll keep you posted here...

Kind regards,

Erik

On Thu, Jun 9, 2016 at 11:36 AM Tomasz Czyż <[email protected]> wrote:

> I'm not 100% sure as I'm pretty new to nixops, but probably if you put
> credentials like that, they can end up in /nix/store.
> As someone explained to me before, probably the only good way at the
> moment to do that is to use deployment.keys.
>
> Can anyone confirm that?
>
> 2016-06-09 10:31 GMT+01:00 4levels <[email protected]>:
>
>> Hi,
>>
>> thank you for your swift reply!
>> I'd like to avoid literally mentioning all sensitive config params in the
>> network.nix config.
>>
>> What would be the "normal" procedure to recursively merge 2 attribute
>> sets?
>>
>> So if I have in one file
>> servers.nix:
>> {
>>   vm01 = {
>>     services.symfony.platforms = {
>>       database = {
>>         username = "www";
>>       };
>>     };
>>   };
>> }
>>
>> and in the other
>> keys.nix:
>> {
>>   vm01 = {
>>     services.symfony.platforms = {
>>       database = {
>>         password = "12345678";
>>       };
>>     };
>>   };
>> }
>>
>> So they become one when building:
>> {
>>   vm01 = {
>>     services.symfony.platforms = {
>>       database = {
>>         username = "www";
>>         password = "12345678";
>>       };
>>     };
>>   };
>> }
>>
>> Kind regards,
>>
>> Erik
>>
>> On Thu, Jun 9, 2016 at 11:23 AM zimbatm <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I don't know where you are getting this error. All I can do is suggest a
>>> workaround:
>>>
>>> In keys.nix:
>>>
>>> {
>>>   database_password = "12345678";
>>> }
>>>
>>> In network.nix:
>>>
>>> let
>>>   secrets = import ./keys.nix;
>>> in
>>> {
>>>   vm01 =
>>>     { config, pkgs, ... }:
>>>     {
>>>       services.symfony.platforms.database.password =
>>>         secrets.database_password;
>>>
>>>       ..
>>>     };
>>> }
>>>
>>>
>>> On Thu, 9 Jun 2016 at 07:54 4levels <[email protected]> wrote:
>>>
>>>> Hi Nix Devs,
>>>>
>>>> I'm having some difficulties separating sensitive information from a
>>>> nix expression used by NixOps.
>>>>
>>>> I keep the server config in a separate file, servers.nix:
>>>> {
>>>>   vm01 =
>>>>     { config, pkgs, nodes, ... }:
>>>>     {
>>>>       deployment = {
>>>>         targetHost = "192.168.121.50";
>>>>       };
>>>>       ...
>>>>     };
>>>> }
>>>>
>>>> Currently I have all relevant software config for each server in a nix
>>>> expression platforms.nix as follows (where vm01 is the hostname):
>>>> {
>>>>   vm01 =
>>>>     { config, pkgs, ... }:
>>>>     {
>>>>       services.symfony.platforms = {
>>>>         database = {
>>>>           username = "www";
>>>>           /* password = "1234567" -> moved to keys.nix */
>>>>         };
>>>>         ...
>>>>       };
>>>>     };
>>>> }
>>>>
>>>> I want to remove the sensitive info from this file and put it in a
>>>> separate nix expression, eg. keys.nix, maintaining the same structure so
>>>> the files can be merged.
>>>>
>>>> In keys.nix I currently have
>>>> {
>>>>   vm01 =
>>>>     { config, pkgs, ... }:
>>>>     {
>>>>       services.symfony.platforms.database.password = "12345678";
>>>>       ..
>>>>     };
>>>> }
>>>>
>>>> I've modified my nixops deploy to have keys.nix loaded after the
>>>> servers.nix and platforms.nix files, but I keep getting errors like "the
>>>> attribute password does not exist"
>>>>
>>>> I must be overlooking something obvious as all the other files I define
>>>> in my deploy are being merged correctly.
>>>>
>>>> Can anyone advise me on how to achieve this?
>>>>
>>>> The underlying reason is that I'm using git-crypt to encrypt the
>>>> platforms.nix file, but this makes it impossible to work with branches (or
>>>> git logs) etc. as the whole file is encrypted and git cannot merge binary
>>>> files (it simply replaces them).
>>>>
>>>> Kind regards!
>>>>
>>>> Erik aka 4levels
>>>>
>>>> _______________________________________________
>>>> nix-dev mailing list
>>>> [email protected]
>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>
>>>
>>
>
>
> --
> Tomasz Czyż
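Putting Tomasz's pointer (deployment.keys) together with Erik's question about recursively merging two attribute sets, here is an added example; it is not code from anyone in the thread. It assumes servers.nix and platforms.nix are plain attribute sets of the shape Erik shows, that the app runs as user "www" under a systemd unit named "symfony", and that ./secrets/db-password is a one-line file kept out of git (or git-crypted on its own, so the .nix files stay mergeable); the option names under deployment.keys are NixOps' own.

```nix
# Added example, not from the thread. Assumed: servers.nix and platforms.nix
# are plain attribute sets (machine name -> settings), the app runs as user
# "www" from a systemd unit "symfony", and ./secrets/db-password holds only
# the password. Option names under deployment.keys are NixOps' own.
let
  lib = (import <nixpkgs> {}).lib;

  servers   = import ./servers.nix;    # { vm01.services.symfony.platforms.database.username = "www"; }
  platforms = import ./platforms.nix;  # same shape, more non-secret settings

  # The "normal" recursive merge: nested sets are merged attribute by
  # attribute, and leaves from the second argument win on conflicts.
  # Dotted paths (services.symfony.platforms = ...) desugar to nested sets
  # first, so both spellings merge.
  merged = lib.recursiveUpdate servers platforms;

  # Keep the password out of every Nix string: anything a derivation (a
  # generated Symfony config file) interpolates is written to /nix/store,
  # which is world-readable. NixOps instead copies the key over SSH to
  # /run/keys/<name>, outside the store.
  dbKey = { config, pkgs, ... }: {
    deployment.keys."symfony-db-password" = {
      # toString yields the absolute path as a plain string that NixOps
      # reads at deploy time; a bare path literal (./secrets/db-password)
      # is copied into the store as soon as it is coerced to a string.
      keyFile = toString ./secrets/db-password;
      user = "www";
      group = "www";
      permissions = "0400";
    };
    # /run/keys is root:keys, so the app user needs that group to reach
    # its key; the app then reads the file at runtime.
    users.users.www.extraGroups = [ "keys" ];
    # NixOps creates <name>-key.service; start the app only once the key
    # is in place.
    systemd.services.symfony = {
      after = [ "symfony-db-password-key.service" ];
      wants = [ "symfony-db-password-key.service" ];
    };
  };
in
merged // {
  # merged.vm01 is a plain attribute set, which the module system accepts
  # as a module next to the function module dbKey.
  vm01 = { imports = [ merged.vm01 dbKey ]; };
}
```

The generated config then references /run/keys/symfony-db-password (or the app reads it at start-up) rather than containing the password itself, so nothing secret reaches the store.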
