Re: [Nix-dev] Distributing files between machines in a nixops deployment

2016-11-20 Thread Thomas Hunger
Key distribution in NixOps is a bit weak but there is:
https://nixos.org/nixops/manual/#opt-deployment.keys

From your description you might also be interested in setting up a CA to
sign your user keys instead. E.g. [1] or [2]

~

[1]
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

[2]
https://blog-habets-se.blogspot.de/2011/07/openssh-certificates.html



On 19 November 2016 at 17:23, Marius Bergmann wrote:

> You did not attach a link to your mail, but I guess you mean
> https://blog.wearewizards.io/how-to-use-nixops-in-a-team ?
>
>
> On 2016-11-19 18:08, Maarten Hoogendoorn wrote:
> > I'm not pretending to be a NixOps expert, but I think the approach of
> > generating the secret in the "deployment" machine is good enough.
> > You could store the private key encrypted in a git repository. Have you
> > seen this [1] blog post? It describes how to do this in a team.
> >
> > Best regards,
> > Maarten
> >
> >
> > 2016-11-19 12:50 GMT+01:00 Marius Bergmann:
> >
> > On 2016-11-19 12:46, Arnold Krille wrote:
> > > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann
> > > wrote:
> > >> Is it possible to declare the distribution of a file (in my case
> > >> an ssh server/client public key) to different machines in a nixops
> > >> deployment?
> > >>
> > >> I want to create a client keypair on one machine and then
> > >> authorize the public part on several other machines in the
> > >> deployment. Those other machines' public server keys should also
> > >> be added to the known_hosts of the machine logging into them.
> > >>
> > >> I know I could create all the keypairs on the machine running
> > >> nixops and send both the public as well as the private keys over
> > >> the network, but I would like to find out if there's a way around
> > >> it.
> > >
> > > I think this is one of the things you don't do/want with
> > > Nix/NixOps as this is essentially self-modifying deployment. Which
> > > makes the deployment non-deterministic and unreproducible in the
> > > strict sense. With deployment-/configuration-management systems
> > > that have a central node and database, like chef and puppet can
> > > have, you can do such things. For Nix this is counter-intuitive.
> > >
> > > - Arnold
> >
> > Do you have a recommendation on how to handle my use case then? In
> > practice, I need this to allow the backup user to log into the
> > machines being backed up. Would you use a central location for all
> > the key pairs?
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
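One way to wire up the deployment.keys option Thomas points to, as an added example that is not code from the thread or from NixOps itself: the private key travels through deployment.keys, while the authorized public key and the targets' host keys are ordinary NixOS options. The machine names, file paths and host-key strings are assumptions.

```nix
# Added example: assumes ./keys/backup{,.pub} were made beforehand with
# "ssh-keygen -t ed25519 -f ./keys/backup -N ''" on the nixops machine.
let
  backupPubKey = builtins.readFile ./keys/backup.pub;

  # Host keys of the machines being backed up (constructed placeholders).
  # Public keys are harmless in the Nix store; only the private key is not.
  hostKeys = {
    web1 = "ssh-ed25519 AAAAC3...placeholder-web1-host-key...";
    db1  = "ssh-ed25519 AAAAC3...placeholder-db1-host-key...";
  };

  # Shared module for every machine the backup user may log into:
  # only the public half is authorized there.
  backupTarget = { ... }: {
    services.openssh.enable = true;
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupPubKey ];
    };
  };
in
{
  network.description = "backup key distribution";

  # The machine that initiates the backups.
  backupserver = { ... }: {
    # deployment.keys sends the private key over nixops' own SSH session
    # into /run/keys (tmpfs), so it never enters the world-readable store.
    # Caveat: nixops also keeps a copy in its state file; protect that file.
    deployment.keys."backup-ssh-key" = {
      text = builtins.readFile ./keys/backup;
      user = "backup";
      group = "root";
      permissions = "0400";
    };
    users.users.backup.isNormalUser = true;
    # Pin the targets' host keys (nixops resolves machine names via
    # /etc/hosts) so the first login never relies on trust-on-first-use.
    programs.ssh.knownHosts = builtins.mapAttrs (name: key: {
      hostNames = [ name ];
      publicKey = key;
    }) hostKeys;
  };

  web1 = { ... }: { imports = [ backupTarget ]; };
  db1  = { ... }: { imports = [ backupTarget ]; };
}
```

The backup job then points ssh at /run/keys/backup-ssh-key; the key is absent after a reboot until `nixops send-keys` runs again, which is the trade-off for keeping it out of the store.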


Re: [Nix-dev] Distributing files between machines in a nixops deployment

2016-11-19 Thread Marius Bergmann
You did not attach a link to your mail, but I guess you mean
https://blog.wearewizards.io/how-to-use-nixops-in-a-team ?


On 2016-11-19 18:08, Maarten Hoogendoorn wrote:
> I'm not pretending to be a NixOps expert, but I think the approach of
> generating the secret in the "deployment" machine is good enough.
> You could store the private key encrypted in a git repository. Have you
> seen this [1] blog post? It describes how to do this in a team.
> 
> Best regards,
> Maarten
> 
> 
> 2016-11-19 12:50 GMT+01:00 Marius Bergmann:
> 
> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case
> >> an ssh server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
> 
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?


Re: [Nix-dev] Distributing files between machines in a nixops deployment

2016-11-19 Thread Maarten Hoogendoorn
I'm not pretending to be a NixOps expert, but I think the approach of
generating the secret in the "deployment" machine is good enough.
You could store the private key encrypted in a git repository. Have you
seen this [1] blog post? It describes how to do this in a team.

Best regards,
Maarten


2016-11-19 12:50 GMT+01:00 Marius Bergmann:

> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann 
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case an ssh
> >> server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
>
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?


Re: [Nix-dev] Distributing files between machines in a nixops deployment

2016-11-19 Thread Marius Bergmann
On 2016-11-19 12:46, Arnold Krille wrote:
> On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann 
> wrote:
>> Is it possible to declare the distribution of a file (in my case an ssh
>> server/client public key) to different machines in a nixops
>> deployment?
>>
>> I want to create a client keypair on one machine and then authorize
>> the public part on several other machines in the deployment. Those
>> other machines' public server keys should also be added to the
>> known_hosts of the machine logging into them.
>>
>> I know I could create all the keypairs on the machine running nixops
>> and send both the public as well as the private keys over the
>> network, but I would like to find out if there's a way around it.
> 
> I think this is one of the things you don't do/want with Nix/NixOps as
> this is essentially self-modifying deployment. Which makes the
> deployment non-deterministic and unreproducible in the strict sense.
> With deployment-/configuration-management systems that have a central
> node and database, like chef and puppet can have, you can do such
> things. For Nix this is counter-intuitive.
> 
> - Arnold

Do you have a recommendation on how to handle my use case then? In
practice, I need this to allow the backup user to log into the machines
being backed up. Would you use a central location for all the key pairs?


Re: [Nix-dev] Distributing files between machines in a nixops deployment

2016-11-19 Thread Arnold Krille
On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann 
wrote:
> Is it possible to declare the distribution of a file (in my case an ssh
> server/client public key) to different machines in a nixops
> deployment?
> 
> I want to create a client keypair on one machine and then authorize
> the public part on several other machines in the deployment. Those
> other machines' public server keys should also be added to the
> known_hosts of the machine logging into them.
> 
> I know I could create all the keypairs on the machine running nixops
> and send both the public as well as the private keys over the
> network, but I would like to find out if there's a way around it.

I think this is one of the things you don't do/want with Nix/NixOps as
this is essentially self-modifying deployment. Which makes the
deployment non-deterministic and unreproducible in the strict sense.
With deployment-/configuration-management systems that have a central
node and database, like chef and puppet can have, you can do such
things. For Nix this is counter-intuitive.

- Arnold




[Nix-dev] Distributing files between machines in a nixops deployment

2016-11-19 Thread Marius Bergmann
Hello!

Is it possible to declare the distribution of a file (in my case an ssh
server/client public key) to different machines in a nixops deployment?

I want to create a client keypair on one machine and then authorize the
public part on several other machines in the deployment. Those other
machines' public server keys should also be added to the known_hosts of
the machine logging into them.

I know I could create all the keypairs on the machine running nixops and
send both the public as well as the private keys over the network, but I
would like to find out if there's a way around it.

Kind regards,
Marius