Erik, https://nixos.org/nixops/manual/#opt-deployment.keys
Deployment keys won't end up in the nix store, I think they are deployed using ssh just to /run/keys. They also will be removed after reboot as /run will disappear, until you set some other option. Also there was a thread on this list a few weeks ago when somebody posted a solution to preserve keys between reboots using systemd jobs.

2016-06-09 17:57 GMT+01:00 4levels <[email protected]>:

> Hi Kevin,
>
> Thanks for the extra info!
> I was wondering though, if the generated config files do end up in
> /nix/store anyway, does it even make a difference if I use the
> deployment.keys method? Or is there another way to have eg. a php script
> read from these keys without actually writing them out?
>
> Symfony uses yml files, WordPress uses php files, and so on.. Each project
> is defined as a service and I generate these files in my various let
> statements..
>
> Personally I don't mind these files sitting in /nix/store as I'm the only
> one with ssh access to these machines..
>
> Kind regards,
>
> Erik
>
> On Thu, Jun 9, 2016, 17:16 Kevin Cox <[email protected]> wrote:
>
>> On 09/06/16 11:03, 4levels wrote:
>> > Hi Kevin,
>> >
>> > I'm very curious how you setup sensitive information using deployment.keys
>> > This still seems like the best option to do this, but I failed to get
>> > it working..
>> >
>> > Could you be so kind to post a small example, showing how you define
>> > the keys and use them in functions that generate eg. a config file?
>>
>> Here are two examples where I read the key out of a secret directory
>> (encrypted with git-crypt). Note that I don't generate any of my config
>> files, but that is theoretically possible.
>>
>>     deployment.keys.mesos.text = "root ${builtins.readFile ../secret/mesos-secret}";
>>     deployment.keys.sumologic.text = builtins.readFile ../secret/sumologic;
>>
>> And this example is importing a nix expression. Note that I'm not using
>> deployment.keys so this is accessible to anyone (on the server) as it
>> lands in the Nix store IIUC.
>>
>>     networking.defaultMailServer = import ../secret/smtp.nix;

-- 
Tomasz Czyż
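Added example (not from this thread, nor from the NixOps manual): a NixOps expression that follows the pattern Tomasz describes. The secret is pushed over ssh into /run/keys and the service renders its config file from it at start time into its own runtime directory, so neither the secret nor the filled-in config file is ever evaluated into the world-readable /nix/store. The machine name `webserver`, the `myapp` package/user, the key name `smtp-password` and the path `../secret/smtp-password` are assumptions; the `<name>-key.service` unit is the one NixOps creates per key.

```nix
# Added example, not code from the thread. Assumed names: webserver, myapp,
# smtp-password, ../secret/smtp-password (kept git-crypt encrypted in the repo).
{
  webserver = { config, pkgs, lib, ... }: {
    # Deployed over ssh to /run/keys/smtp-password (tmpfs), readable only by
    # the service user. Nothing here is copied into /nix/store.
    deployment.keys.smtp-password = {
      text = builtins.readFile ../secret/smtp-password;
      user = "myapp";
      group = "myapp";
      permissions = "0400";
    };

    users.users.myapp = { isSystemUser = true; group = "myapp"; };
    users.groups.myapp = { };

    # WRONG (the smtp.nix situation above): interpolating the secret into a
    # config file built by Nix writes it into the store, readable by any
    # local user.
    # environment.etc."myapp/config.yml".text = ''
    #   smtp_password: ${builtins.readFile ../secret/smtp-password}
    # '';

    systemd.services.myapp = {
      description = "myapp (config rendered from /run/keys at start)";
      # NixOps provides smtp-password-key.service, which completes once the
      # key file is present; order after it so the service never starts
      # before the key has been sent.
      after = [ "smtp-password-key.service" ];
      wants = [ "smtp-password-key.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "myapp";
        Group = "myapp";
        # /run/myapp: tmpfs, created for the service and removed when it stops.
        RuntimeDirectory = "myapp";
        RuntimeDirectoryMode = "0700";
      };
      # Runs as the service user, so the 0400 key must belong to that user.
      # The rendered config lives only under /run, never in the store.
      preStart = ''
        umask 077
        {
          printf 'smtp_host: smtp.example.org\n'
          printf 'smtp_password: "%s"\n' "$(cat /run/keys/smtp-password)"
        } > /run/myapp/config.yml
      '';
      # pkgs.myapp is a placeholder for whatever program consumes the config.
      script = ''
        exec ${pkgs.myapp}/bin/myapp --config /run/myapp/config.yml
      '';
    };
  };
}
```

Because /run is a tmpfs, the key is gone after a reboot and smtp-password-key.service will block until it is sent again; with plain NixOps that means re-running `nixops send-keys` (or `nixops deploy`) after the machine comes back, which is the gap the systemd-based persistence solution mentioned above tries to close.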
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
