Re: [Nix-dev] NixOps - secret/credentials management
Rob: thank you! This might be what I'm looking for, I'll try that.

2016-05-12 15:45 GMT+01:00 Tomasz Czyż:
> Igor posted some solution to have persistent keys a few days back:
> https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg18995.html
>
> Worth adding to the docs?
>
> 2016-05-12 15:31 GMT+01:00 Graham Christensen:
>> On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas wrote:
>>> Note that this is a location on a tmpfs, so if you want to have it on a
>>> persistent disk, you'll need to copy it to a location of your choosing.
>>
>> This seems like a good candidate note to have in the documentation, as
>> nixops currently doesn't indicate it is temporary.
>>
>> I'm really glad to know of the feature, though.
>>
>> Thank you,
>> Graham Christensen
>
> --
> Tomasz Czyż

--
Tomasz Czyż

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOps - secret/credentials management
Igor posted some solution to have persistent keys a few days back:
https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg18995.html

Worth adding to the docs?

2016-05-12 15:31 GMT+01:00 Graham Christensen:
> On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas wrote:
>> Note that this is a location on a tmpfs, so if you want to have it on a
>> persistent disk, you'll need to copy it to a location of your choosing.
>
> This seems like a good candidate note to have in the documentation, as
> nixops currently doesn't indicate it is temporary.
>
> I'm really glad to know of the feature, though.
>
> Thank you,
> Graham Christensen

--
Tomasz Czyż
Re: [Nix-dev] NixOps - secret/credentials management
On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas wrote:
> Note that this is a location on a tmpfs, so if you want to have it on a
> persistent disk, you'll need to copy it to a location of your choosing.

This seems like a good candidate note to have in the documentation, as
nixops currently doesn't indicate it is temporary.

I'm really glad to know of the feature, though.

Thank you,
Graham Christensen
Re: [Nix-dev] NixOps - secret/credentials management
Hi Tomasz,

> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in the nix store. Is
> there any way to deploy secrets to machines and not use the nix store?
>
> I know there is a solution to deploy disk encryption keys which is stored
> in the state file, but what about other secrets? Is there any general way
> to handle that?
>
> I thought that I could do that using the "nixops ssh" feature, but I would
> like to describe those credentials in the network.nix file, is that
> possible?

You can use the deployment.keys.* options for this purpose, e.g. you can add
the following option to your machine config:

  deployment.keys."robs-little-secret.key".text = builtins.readFile ./robs-little-secret.key;

When deploying with nixops, nixops will put the contents of
./robs-little-secret.key in /run/keys/robs-little-secret.key. Note that this
is a location on a tmpfs, so if you want to have it on a persistent disk,
you'll need to copy it to a location of your choosing.

Nixops creates a systemd service called systemd.services.nixops-keys, which
is a service that waits until nixops has pushed the keys. You can add a
postStart script to it, e.g.:

  systemd.services.nixops-keys.postStart = "cp /run/keys/robs-little-secret.key /root/";

You could also add a systemd service that depends on this nixops-keys
service, and do something similar.

Cheers,
Rob

--
Rob Vermaas
[email] rob.verm...@gmail.com
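A fuller version of the deployment.keys setup Rob describes, as an added example that is not from the thread and not NixOps' own code: it gives the key an owner and mode instead of the root-only default, makes a consumer service wait for nixops-keys.service, and persists a copy with the same restrictive mode rather than a plain cp into /root. The machine name webserver, the service myapp, its user, the /var/lib/myapp directory and the ExecStart command are assumptions. Two caveats a practitioner should keep in mind: /run/keys is a tmpfs, so after a reboot the key is gone until you run `nixops send-keys` (or deploy again); and a persistent copy gives up exactly that property, so it belongs on an encrypted volume if the key must not rest on disk in the clear.

```nix
# network.nix: added example built on the deployment.keys option Rob
# describes; everything marked "assumed" is illustrative, not NixOps API.
{
  webserver =
    { config, pkgs, ... }:
    {
      # builtins.readFile reads the file at evaluation time without copying
      # it into the Nix store; nixops ships the contents over SSH and writes
      # them to /run/keys/robs-little-secret.key (a tmpfs, lost on reboot;
      # re-push with `nixops send-keys`).
      deployment.keys."robs-little-secret.key" = {
        text        = builtins.readFile ./robs-little-secret.key;
        user        = "myapp";   # assumed service account
        group       = "myapp";
        permissions = "0400";    # owner read-only instead of the root-only default
      };

      users.users.myapp = { isSystemUser = true; group = "myapp"; };
      users.groups.myapp = {};

      # Persistent copy: same owner and mode as the tmpfs original, into a
      # directory that is itself 0700 (tmpfiles creates it at boot).
      systemd.tmpfiles.rules = [ "d /var/lib/myapp 0700 myapp myapp -" ];
      systemd.services.nixops-keys.postStart = ''
        ${pkgs.coreutils}/bin/install -m 0400 -o myapp -g myapp \
          /run/keys/robs-little-secret.key /var/lib/myapp/secret.key
      '';

      # Consumer: ordered after nixops-keys.service and refusing to start
      # without the key, so a deploy that failed to push keys fails loudly
      # instead of starting the service with no credential.
      systemd.services.myapp = {
        description = "service that reads the deployed secret (assumed)";
        wantedBy = [ "multi-user.target" ];
        requires = [ "nixops-keys.service" ];
        after    = [ "nixops-keys.service" ];
        serviceConfig = {
          User = "myapp";
          # runs as myapp, so this also verifies the owner/mode above
          ExecStartPre = "${pkgs.coreutils}/bin/test -r /run/keys/robs-little-secret.key";
          # assumed application binary that takes the key path at startup
          ExecStart = "/var/lib/myapp/bin/myapp --key /run/keys/robs-little-secret.key";
        };
      };
    };
}
```

The `requires` plus `after` pair is the part Rob's one-line postStart leaves out: postStart runs a copy once the keys arrive, but nothing stops an unrelated service from starting before that unless it is ordered after nixops-keys.service itself.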
Re: [Nix-dev] NixOps - secret/credentials management
You're right! I didn't entirely think that one through, shouldn't reply to
emails before my morning cup of coffee ;)

Ollie

On Thu, May 12, 2016 at 9:48 AM Peter Simons wrote:
> Hi Oliver,
>
>> One option is to introduce these credentials as parameters to your
>> network evaluation:
>>
>>   { secretCertificate }:
>>   {
>>     web = { ... } : ...
>>   }
>>
>> Then you will need to set this parameter when you do deployments in
>> order to evaluate the network expression and perform deployments.
>
> I am sorry if I'm missing something terribly obvious, but I wonder how
> that helps getting the secret onto the deployed machines without having
> it added to the Nix store? You cannot say something to the effect of
> "store that information in /etc/my-secret" without going through a Nix
> derivation somewhere, can you?
>
> Best regards,
> Peter
Re: [Nix-dev] NixOps - secret/credentials management
Hi Oliver,

> One option is to introduce these credentials as parameters to your network
> evaluation:
>
>   { secretCertificate }:
>   {
>     web = { ... } : ...
>   }
>
> Then you will need to set this parameter when you do deployments in order
> to evaluate the network expression and perform deployments.

I am sorry if I'm missing something terribly obvious, but I wonder how that
helps getting the secret onto the deployed machines without having it added
to the Nix store? You cannot say something to the effect of "store that
information in /etc/my-secret" without going through a Nix derivation
somewhere, can you?

Best regards,
Peter
Re: [Nix-dev] NixOps - secret/credentials management
Hi Tomasz,

One option is to introduce these credentials as parameters to your network
evaluation:

  { secretCertificate }:
  {
    web = { ... } : ...
  }

Then you will need to set this parameter when you do deployments in order to
evaluate the network expression and perform deployments.

You could easily script this and interactively prompt the user, or maybe use
GPG to decrypt an encrypted file for the values at deployment time.

Hopefully that gives you some ideas,
Ollie

On Thu, May 12, 2016 at 12:57 AM Tomasz Czyż wrote:
> Hi all NixOps users and devs.
>
> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in the nix store. Is
> there any way to deploy secrets to machines and not use the nix store?
>
> I know there is a solution to deploy disk encryption keys which is stored
> in the state file, but what about other secrets? Is there any general way
> to handle that?
>
> I thought that I could do that using the "nixops ssh" feature, but I would
> like to describe those credentials in the network.nix file, is that
> possible?
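To make Peter's objection concrete, an added example (not from the thread, not NixOps' own code) of Oliver's parameterised network with the two ways the parameter can be consumed. The machine name web, the key name my-secret and the nginx user are illustrative. Passing the value into the evaluation is fine; what decides whether it reaches the Nix store is the option it is assigned to. environment.etc, or any other option that produces a file, is realised by a derivation, so the certificate becomes a world-readable /nix/store path on the deploying machine and on the target; deployment.keys is the one sink in this thread that bypasses the store. Two further caveats: nixops set-args records the value in the deployment state file, so that file then holds the certificate in the clear, and a value given on the command line also passes through shell history and the process list, so prompting or reading from a file is preferable.

```nix
# network.nix taking the certificate as an argument, as Oliver sketches.
# Added example; attribute names are illustrative.  Supply the value with
#   nixops set-args -d <deployment> --argstr secretCertificate "$(cat cert.pem)"
# (nixops keeps set-args values in its state file; protect it accordingly).
{ secretCertificate }:
{
  web =
    { config, pkgs, ... }:
    {
      # Leaks: environment.etc renders "text" through a derivation, so the
      # certificate becomes /nix/store/<hash>-my-secret, readable by every
      # user on both the deploying host and the target, and part of every
      # closure copy.  This is the derivation Peter is asking about.
      # environment.etc."my-secret".text = secretCertificate;

      # Does not leak: deployment.keys is not a derivation.  nixops sends
      # the text over SSH to /run/keys/my-secret (tmpfs), outside the store,
      # with the owner and mode given here.
      deployment.keys."my-secret" = {
        text        = secretCertificate;
        user        = "nginx";
        group       = "nginx";
        permissions = "0400";
      };

      # services.nginx.enable creates the nginx user the key is owned by;
      # order the service after the key push so it never starts without it.
      services.nginx.enable = true;
      systemd.services.nginx.after    = [ "nixops-keys.service" ];
      systemd.services.nginx.requires = [ "nixops-keys.service" ];
    };
}
```

A quick check on the target after a deploy is `nix-store --query --requisites /run/current-system | xargs grep -l BEGIN` against the PEM header: with the environment.etc line active it finds the store path holding the certificate, with deployment.keys it finds nothing, because /run/keys/my-secret is not part of the system closure.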
[Nix-dev] NixOps - secret/credentials management
Hi all NixOps users and devs.

I wanted to deploy some secrets/certificates to machines and I'm not sure
how to do that. I would like to avoid storing those in the nix store. Is
there any way to deploy secrets to machines and not use the nix store?

I know there is a solution to deploy disk encryption keys which is stored in
the state file, but what about other secrets? Is there any general way to
handle that?

I thought that I could do that using the "nixops ssh" feature, but I would
like to describe those credentials in the network.nix file, is that possible?