Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Tomasz Czyż
Rob: thank you!

This might be what I'm looking for, I'll try that.

2016-05-12 15:45 GMT+01:00 Tomasz Czyż :

> Igor posted some solution to have persistent keys a few days back:
> https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg18995.html
>
> Worth adding to docs?
>
> 2016-05-12 15:31 GMT+01:00 Graham Christensen :
>
>>
>>
>> On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas 
>> wrote:
>>
>>>
>>> Note
>>> that this is a location on a tmpfs, so if you want to have it on a
>>> persistent disk, you'll need to copy it to a location of your
>>> choosing.
>>>
>>
>> This seems like a good candidate note to have in the documentation, as
>> nixops currently doesn't indicate it is temporary.
>>
>> I'm really glad to know of the feature, though.
>>
>> Thank you,
>> Graham Christensen
>>
>>
>
>
> --
> Tomasz Czyż
>



-- 
Tomasz Czyż
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Tomasz Czyż
Igor posted some solution to have persistent keys a few days back:
https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg18995.html

Worth adding to docs?

2016-05-12 15:31 GMT+01:00 Graham Christensen :

>
>
> On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas 
> wrote:
>
>>
>> Note
>> that this is a location on a tmpfs, so if you want to have it on a
>> persistent disk, you'll need to copy it to a location of your
>> choosing.
>>
>
> This seems like a good candidate note to have in the documentation, as
> nixops currently doesn't indicate it is temporary.
>
> I'm really glad to know of the feature, though.
>
> Thank you,
> Graham Christensen
>
>


-- 
Tomasz Czyż


Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Graham Christensen
On Thu, May 12, 2016 at 4:43 AM, Rob Vermaas  wrote:

>
> Note
> that this is a location on a tmpfs, so if you want to have it on a
> persistent disk, you'll need to copy it to a location of your
> choosing.
>

This seems like a good candidate note to have in the documentation, as
nixops currently doesn't indicate it is temporary.

I'm really glad to know of the feature, though.

Thank you,
Graham Christensen


Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Rob Vermaas
Hi Tomasz,

> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in nix store. Is there
> any way to deploy secrets to machines and not use nix store?
>
> I know there is solution to deploy disk encryption keys which is stored in
> state file, but what about other secrets? Is there any general way to handle
> that?
>
> I thought that I could do that using "nixops ssh" feature, but I would like
> to describe those credentials in network.nix file, is that possible?

You can use deployment.keys.* options for this purpose, e.g. you can
add the following option to your machine config:

  deployment.keys."robs-little-secret.key".text = builtins.readFile ./robs-little-secret.key;

When deploying with nixops, nixops will put the contents of
./robs-little-secret.key in /run/keys/robs-little-secret.key . Note
that this is a location on a tmpfs, so if you want to have it on a
persistent disk, you'll need to copy it to a location of your
choosing. NixOps creates a systemd service called
systemd.services.nixops-keys, which is a service that waits until
NixOps has pushed the keys. You can add a postStart script to it,
e.g.:

  systemd.services.nixops-keys.postStart = "cp /run/keys/robs-little-secret.key /root/";

You could also add a systemd service that depends on this nixops-keys
service, and do something similar.

Cheers,
Rob

-- 
Rob Vermaas

[email] rob.verm...@gmail.com


Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Oliver Charles
You're right! I didn't entirely think that one through, shouldn't reply to
emails before my morning cup of coffee ;)

Ollie

On Thu, May 12, 2016 at 9:48 AM Peter Simons  wrote:

> Hi Oliver,
>
>  > One option is to introduce these credentials as parameters to your
> network
>  > evaluation:
>  >
>  > { secretCertificate }:
>  > {
>  >   web = { ... } : ...
>  > }
>  >
>  > Then you will need to set this parameter when you do deployments in
> order to
>  > evaluate the network expression and perform deployments.
>
> I am sorry if I'm missing something terribly obvious, but I wonder how
> that helps getting the secret onto the deployed machines without having
> it added to the Nix store? You cannot say something to the effect of
> "store that information in /etc/my-secret" without going through a Nix
> derivation somewhere, can you?
>
> Best regards,
> Peter
>
>


Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Peter Simons
Hi Oliver,

 > One option is to introduce these credentials as parameters to your network
 > evaluation:
 >
 > { secretCertificate }:
 > {
 >   web = { ... } : ...
 > }
 >
 > Then you will need to set this parameter when you do deployments in order to
 > evaluate the network expression and perform deployments.

I am sorry if I'm missing something terribly obvious, but I wonder how
that helps getting the secret onto the deployed machines without having
it added to the Nix store? You cannot say something to the effect of
"store that information in /etc/my-secret" without going through a Nix
derivation somewhere, can you?

Best regards,
Peter



Re: [Nix-dev] NixOps - secret/credentials management

2016-05-12 Thread Oliver Charles
Hi Tomasz,

One option is to introduce these credentials as parameters to your network
evaluation:

{ secretCertificate }:
{
  web = { ... } : ...
}

Then you will need to set this parameter when you do deployments in order
to evaluate the network expression and perform deployments. You could
easily script this and interactively prompt the user, or maybe use GPG to
decrypt an encrypted file for the values at deployment time.

Hopefully that gives you some ideas,
Ollie

On Thu, May 12, 2016 at 12:57 AM Tomasz Czyż  wrote:

> Hi all NixOps users and devs.
>
> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in nix store. Is there
> any way to deploy secrets to machines and not use nix store?
>
> I know there is solution to deploy disk encryption keys which is stored in
> state file, but what about other secrets? Is there any general way to
> handle that?
>
> I thought that I could do that using "nixops ssh" feature, but I would
> like to describe those credentials in network.nix file, is that possible?
>
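Added example, not code from the thread or from the NixOps project: a complete network.nix that combines Oliver's parameterised network (the secret location comes in as an argument set with `nixops set-args`) with the `deployment.keys` mechanism Rob describes, so that the secret goes over SSH into `/run/keys` and never becomes a store path, which is the gap Peter pointed out in passing a secret straight into a derivation. It also turns Rob's `postStart` copy into its own unit ordered after `nixops-keys.service`, because `/run/keys` is a tmpfs. The names `secretsDir`, `web`, `app-tls.key`, `app-persist-key` and the `app` user are hypothetical.

```nix
# network.nix, added example (not from the thread or from NixOps itself).
# Hypothetical names: secretsDir, web, app-tls.key, app-persist-key, app.
#
# The network is a function of secretsDir; set it once per deployment with
#   nixops set-args -d mynet --argstr secretsDir /home/me/secrets
# The key file is read with builtins.readFile and handed to deployment.keys,
# which nixops pushes over SSH to /run/keys on the target. The value is never
# coerced to a store path, so it does not end up in /nix/store.
{ secretsDir ? toString ./secrets }:

{
  network.description = "deployment.keys example";

  web = { config, pkgs, ... }: {
    deployment.targetEnv = "virtualbox";  # any target; keys work the same way

    # Dedicated unprivileged owner for the key and for the service using it.
    users.groups.app = { };
    users.users.app = {
      isSystemUser = true;
      group = "app";
    };

    # Pushed by nixops to /run/keys/app-tls.key (a tmpfs: gone after a reboot
    # until the next `nixops deploy` or `nixops send-keys`).
    # "${secretsDir}/app-tls.key" is a plain string, so readFile reads it in
    # place. Writing "${./secrets/app-tls.key}" instead would copy the file
    # into the world-readable Nix store, which is what this avoids.
    deployment.keys."app-tls.key" = {
      text = builtins.readFile "${secretsDir}/app-tls.key";
      user = "app";
      group = "app";
      permissions = "0400";
    };

    # Rob's persistence step as a separate unit instead of a postStart on
    # nixops-keys: wait for nixops-keys.service (done once the keys are
    # present), then copy the key to persistent disk with the same owner/mode.
    systemd.services.app-persist-key = {
      description = "Copy NixOps-pushed TLS key to persistent disk";
      wantedBy = [ "multi-user.target" ];
      after = [ "nixops-keys.service" ];
      requires = [ "nixops-keys.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        install -d -m 0700 -o app -g app /var/lib/app
        install -m 0400 -o app -g app /run/keys/app-tls.key /var/lib/app/app-tls.key
      '';
    };

    # Consumer: ordered after the copy and running as the key's owner. The
    # ExecStart merely parses the key as a stand-in for a real daemon; it
    # fails the unit if the copied file is missing or is not a private key.
    systemd.services.app = {
      wantedBy = [ "multi-user.target" ];
      after = [ "app-persist-key.service" ];
      requires = [ "app-persist-key.service" ];
      serviceConfig = {
        Type = "oneshot";
        User = "app";
        Group = "app";
        ExecStart = "${pkgs.openssl}/bin/openssl pkey -noout -in /var/lib/app/app-tls.key";
      };
    };
  };
}
```

After `nixops deploy`, `nixops ssh web -- ls -l /run/keys /var/lib/app` should show both copies owned by `app` with mode 0400, and `nix-store --query --references /run/current-system` should contain no path holding the key. Two caveats: the secret still exists in clear on the deploying host (in `secretsDir` and in the evaluated spec nixops sends over SSH), so that host needs the same protection as the targets; and the unit name `nixops-keys.service` is the one Rob names in this thread, so check the NixOps version in use for the unit or target it actually provides before depending on it.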


[Nix-dev] NixOps - secret/credentials management

2016-05-11 Thread Tomasz Czyż
Hi all NixOps users and devs.

I wanted to deploy some secrets/certificates to machines and I'm not sure
how to do that. I would like to avoid storing those in nix store. Is there
any way to deploy secrets to machines and not use nix store?

I know there is solution to deploy disk encryption keys which is stored in
state file, but what about other secrets? Is there any general way to
handle that?

I thought that I could do that using "nixops ssh" feature, but I would like
to describe those credentials in network.nix file, is that possible?