Key distribution in NixOps is a bit weak but there is: https://nixos.org/nixops/manual/#opt-deployment.keys
From your description you might also be interested in setting up a CA to sign your user keys instead. E.g. [1] or [2]

[1] https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
[2] https://blog-habets-se.blogspot.de/2011/07/openssh-certificates.html

On 19 November 2016 at 17:23, Marius Bergmann <[email protected]> wrote:
> You did not attach a link to your mail, but I guess you mean
> https://blog.wearewizards.io/how-to-use-nixops-in-a-team ?
>
>
> On 2016-11-19 18:08, Maarten Hoogendoorn wrote:
> > I'm not pretending to be a NixOps expert, but I think the approach of
> > generating the secret in the "deployment" machine is good enough.
> > You could store the private key encrypted in a git repository. Have you
> > seen this [1] blog post? It describes how to do this in a team.
> >
> > Best regards,
> > Maarten
> >
> >
> > 2016-11-19 12:50 GMT+01:00 Marius Bergmann <[email protected]>:
> >
> >     On 2016-11-19 12:46, Arnold Krille wrote:
> >     > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <[email protected]>
> >     > wrote:
> >     >> Is it possible to declare the distribution of a file (in my case
> >     >> an ssh server/client public key) to different machines in a nixops
> >     >> deployment?
> >     >>
> >     >> I want to create a client keypair on one machine and then authorize
> >     >> the public part on several other machines in the deployment. Those
> >     >> other machines' public server keys should also be added to the
> >     >> known_hosts of the machine logging into them.
> >     >>
> >     >> I know I could create all the keypairs on the machine running nixops
> >     >> and send both the public as well as the private keys over the
> >     >> network, but I would like to find out if there's a way around it.
> >     >
> >     > I think this is one of the things you don't do/want with Nix/NixOps as
> >     > this is essentially self-modifying deployment. Which makes the
> >     > deployment non-deterministic and unreproducible in the strict sense.
> >     > With deployment-/configuration-management systems that have a central
> >     > node and database, like chef and puppet can have, you can do such
> >     > things. For Nix this is counter-intuitive.
> >     >
> >     > - Arnold
> >
> >     Do you have a recommendation on how to handle my use case then? In
> >     practice, I need this to allow the backup user to log into the machines
> >     being backed up. Would you use a central location for all the key pairs?
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
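The two mechanisms the reply points at (deployment.keys for the private half, plain NixOS options for the public halves) can be written down in one NixOps network. The following is an added example for this thread, not code posted by any of the participants; the machine names (backuphost, db1, web1), the "backup" user, the secrets/ directory, the placeholder host keys and the rsync job are all assumptions made for illustration.

```nix
# Added example (not from the thread): a NixOps network in which the backup
# client's private key is pushed with deployment.keys, its public half is
# authorized on every target, and each target's host key is pinned in the
# client's known_hosts. All names, paths and key strings are assumptions.
let
  # The public key is harmless in the Nix store and in git. Generate the
  # pair once on the machine that runs nixops, e.g.
  #   ssh-keygen -t ed25519 -N "" -f secrets/backup_ed25519
  backupClientPub = builtins.readFile ./secrets/backup_ed25519.pub;

  # Host keys of the machines being backed up, collected once with
  # `ssh-keyscan -t ed25519 <host>` and verified out of band. Placeholders.
  targetHostKeys = {
    db1  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...db1...";
    web1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...web1...";
  };

  # Shared module for every machine that accepts logins from the backup host.
  backupTarget = { ... }: {
    services.openssh.enable = true;
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupClientPub ];
    };
  };
in
{
  network.description = "backup key distribution";

  # The machine that runs the backups and logs into the others.
  backuphost = { pkgs, lib, ... }: {
    users.users.backup.isNormalUser = true;

    # The private key never enters the Nix store: nixops sends it over its
    # own SSH connection into /run/keys (a tmpfs) outside the system closure.
    # The key text is recorded in the nixops state file, so protect that file.
    deployment.keys."backup_ed25519" = {
      text = builtins.readFile ./secrets/backup_ed25519;
      user = "backup";
      group = "root";
      permissions = "0400";
    };

    # Pin the targets' host keys so the first connection is not trust-on-first-use.
    programs.ssh.knownHosts = lib.mapAttrs (name: key: {
      hostNames = [ name ];
      publicKey = key;
    }) targetHostKeys;

    # Anything that uses the key must wait for nixops to have placed it;
    # nixops creates a <name>-key.service unit per deployment key.
    systemd.services.nightly-backup = {
      after = [ "backup_ed25519-key.service" ];
      wants = [ "backup_ed25519-key.service" ];
      serviceConfig.User = "backup";
      script = ''
        ${pkgs.rsync}/bin/rsync -a \
          -e "${pkgs.openssh}/bin/ssh -i /run/keys/backup_ed25519" \
          backup@db1:/var/backups/ /srv/backups/db1/
      '';
    };
  };

  db1  = { ... }: { imports = [ backupTarget ]; };
  web1 = { ... }: { imports = [ backupTarget ]; };
}
```

Because every public key is an ordinary string in the configuration, the deployment stays declarative and reproducible; only the private key travels through the deployment.keys side channel, and it is gone after a reboot until the next `nixops deploy`. If the fleet grows, the CA route from the reply removes the per-target authorized_keys list: targets trust one CA public key (`services.openssh.extraConfig = "TrustedUserCAKeys /etc/ssh/user_ca.pub"` together with `environment.etc."ssh/user_ca.pub".text`), the client key is signed offline with something like `ssh-keygen -s user_ca -I backup-client -n backup -V +30d secrets/backup_ed25519.pub`, and the resulting certificate is pushed as a second deployment key next to the private key.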
