Re: [Nix-dev] Persistent NixOps keys

2016-06-29 Thread Domen Kožar
(IMO) a much simpler solution:
http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020690.html

On Mon, Jun 20, 2016 at 9:10 PM, Игорь Пашев  wrote:

> 2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> > As I never change these keys (except by a nixops deploy or nixops
> send-keys
> > call), can I assume that the save-keys service doesn't need to run every
> > single minute in this scenario?
>
>
> You can remove /root/keys by accident. In our setups, I used to clean
> all user's homes including root's :-)
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] Persistent NixOps keys

2016-06-20 Thread Игорь Пашев
2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> As I never change these keys (except by a nixops deploy or nixops send-keys
> call), can I assume that the save-keys service doesn't need to run every
> single minute in this scenario?


You can remove /root/keys by accident. In our setups, I used to clean
all user's homes including root's :-)


Re: [Nix-dev] Persistent NixOps keys

2016-06-20 Thread 4levels
Hi Игорь,

thank you for clarifying this, I was already wondering what the sleep 1m
was doing there in the while loop  ;-)

As I never change these keys (except by a nixops deploy or nixops send-keys
call), can I assume that the save-keys service doesn't need to run every
single minute in this scenario?

Kind regards,

Erik

On Mon, Jun 20, 2016 at 1:05 PM Игорь Пашев  wrote:

> 2016-06-19 15:35 GMT+03:00 4levels <4lev...@gmail.com>:
> > I was just wondering how this copes with server kills
>
>
> The "save" service runs every minute to check if any keys are not saved :-)
> And it runs on every key addition / removal. So right after a fresh
> deploy you are almost safe.
>


Re: [Nix-dev] Persistent NixOps keys

2016-06-20 Thread Игорь Пашев
2016-06-19 15:35 GMT+03:00 4levels <4lev...@gmail.com>:
> I was just wondering how this copes with server kills


The "save" service runs every minute to check if any keys are not saved :-)
And it runs on every key addition / removal. So right after a fresh
deploy you are almost safe.


Re: [Nix-dev] Persistent NixOps keys

2016-06-19 Thread 4levels
Hi Nix-devs, hi Tomasz, hi Игорь,

I managed to get it working flawlessly by adding keys.target to the
requires and after statements of my other service configs.

I was just wondering how this copes with server kills (as Vultr
periodically resets an instance when they experience system failures).  I'm
guessing when they kill a VPS (or reset it) the systemd shutdown calls are
being bypassed.  I've opened a support request to ask if they can always
perform a normal reboot instead of a hard reset.

Thanks again for your great support and valuable pointers!

Kind regards,

Erik

On Fri, Jun 17, 2016 at 12:16 PM 4levels <4lev...@gmail.com> wrote:

> Hi Tomasz,
>
> Thanks for another great pointer!
> My own services do require the keys so I have to make them depend/require
> on keys.target
>
> I'm about to test this out, I'll keep you posted here..
>
> Kind regards,
>
> Erik
>
> On Fri, Jun 17, 2016, 11:47 Tomasz Czyż  wrote:
>
>> Erik, you also could add your load-keys service to network.target or any
>> target which starts at the system start. So then you don't have to add it
>> to specific apps, depends on your keys workflow.
>>
>> 2016-06-17 9:48 GMT+01:00 4levels <4lev...@gmail.com>:
>>
>>> That's probably it!
>>>
>>> I still need to update all service configs to have keys.target in the
>>> wantedBy list.
>>>
>>> I read somewhere that I should also use requiredBy for it to really wait
>>> until keys.target is finished..
>>>
>>> Kind regards,
>>>
>>> Erik
>>>
>>> On Thu, Jun 16, 2016, 23:50 Игорь Пашев  wrote:
>>>
>>>> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
>>>> > wantedBy = [ "keys.target" ];
>>>>
>>>>
>>>> Maybe you don't have services depending on keys.target
>>>>
>>>
>>
>>
>> --
>> Tomasz Czyż
>>
>


Re: [Nix-dev] Persistent NixOps keys

2016-06-17 Thread 4levels
Hi Tomasz,

Thanks for another great pointer!
My own services do require the keys so I have to make them depend/require
on keys.target

I'm about to test this out, I'll keep you posted here..

Kind regards,

Erik

On Fri, Jun 17, 2016, 11:47 Tomasz Czyż  wrote:

> Erik, you also could add your load-keys service to network.target or any
> target which starts at the system start. So then you don't have to add it
> to specific apps, depends on your keys workflow.
>
> 2016-06-17 9:48 GMT+01:00 4levels <4lev...@gmail.com>:
>
>> That's probably it!
>>
>> I still need to update all service configs to have keys.target in the
>> wantedBy list.
>>
>> I read somewhere that I should also use requiredBy for it to really wait
>> until keys.target is finished..
>>
>> Kind regards,
>>
>> Erik
>>
>> On Thu, Jun 16, 2016, 23:50 Игорь Пашев  wrote:
>>
>>> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
>>> > wantedBy = [ "keys.target" ];
>>>
>>>
>>> Maybe you don't have services depending on keys.target
>>>
>>
>
>
> --
> Tomasz Czyż
>


Re: [Nix-dev] Persistent NixOps keys

2016-06-17 Thread Tomasz Czyż
Erik, you also could add your load-keys service to network.target or any
target which starts at the system start. So then you don't have to add it
to specific apps, depends on your keys workflow.

2016-06-17 9:48 GMT+01:00 4levels <4lev...@gmail.com>:

> That's probably it!
>
> I still need to update all service configs to have keys.target in the
> wantedBy list.
>
> I read somewhere that I should also use requiredBy for it to really wait
> until keys.target is finished..
>
> Kind regards,
>
> Erik
>
> On Thu, Jun 16, 2016, 23:50 Игорь Пашев  wrote:
>
>> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
>> > wantedBy = [ "keys.target" ];
>>
>>
>> Maybe you don't have services depending on keys.target
>>
>


-- 
Tomasz Czyż


Re: [Nix-dev] Persistent NixOps keys

2016-06-17 Thread 4levels
That's probably it!

I still need to update all service configs to have keys.target in the
wantedBy list.

I read somewhere that I should also use requiredBy for it to really wait
until keys.target is finished..

Kind regards,

Erik

On Thu, Jun 16, 2016, 23:50 Игорь Пашев  wrote:

> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
> > wantedBy = [ "keys.target" ];
>
>
> Maybe you don't have services depending on keys.target
>


Re: [Nix-dev] Persistent NixOps keys

2016-06-16 Thread Игорь Пашев
2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
> wantedBy = [ "keys.target" ];


Maybe you don't have services depending on keys.target


Re: [Nix-dev] Persistent NixOps keys

2016-06-14 Thread 4levels
Hi,

I tried this but somehow the nixops-load-keys service is not automatically
started. I can see the service with systemctl status and when I restart it,
it does as expected (copies the files from /run/keys to /root/keys).
However, when I reboot the machine, the nixops-load-keys service doesn't
seem to do this automatically.  Only after running systemctl restart
nixops-load-keys it copies the files back to /run/store.
When I delete /root/keys/* and do a reboot, the keys aren't copied either.
There must be something wrong with my before and after statements I guess
since both services do work when started manually.  I'm probably
overlooking something obvious here..

I modified your script a little as follows:

{ config, lib, pkgs, ... }:
let
  keyStore = "/root/keys";
  keyRun = "/run/keys";

  keyLoad = pkgs.writeScript "nixops-load-keys" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail
    if [ -e '${keyStore}/done' ] && [ ! -e '${keyRun}/done' ]; then
      cd '${keyStore}'
      cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'")
                 (builtins.attrNames config.deployment.keys)} \
        '${keyRun}/' || exit 0
      touch -r '${keyStore}/done' '${keyRun}/done'
    fi
  '';

  keySave = pkgs.writeScript "nixops-save-keys" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail
    while true; do
      if [ -e '${keyRun}/done' ]; then
        if [ ! -e '${keyStore}/done' ] || [ '${keyRun}/done' -nt '${keyStore}/done' ]; then
          rm -rf '${keyStore}'
          mkdir -p '${keyStore}'
          chown --reference='${keyRun}' -- '${keyStore}'
          chmod --reference='${keyRun}' -- '${keyStore}'
          cd '${keyRun}'
          cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'")
                     (builtins.attrNames config.deployment.keys)} '${keyStore}/' || continue
          touch -r '${keyRun}/done' '${keyStore}/done'
          touch -r '${keyRun}' '${keyStore}'
        fi
      fi
      sleep 1m
    done
  '';
in {
  systemd.services.nixops-load-keys = {
    description = "Re-load nixops keys after reboot";
    before = [ "nixops-keys.service" ];
    wantedBy = [ "keys.target" ];
    unitConfig.RequiresMountsFor = [ keyRun keyStore ];
    serviceConfig = {
      ExecStart = keyLoad;
      Type = "oneshot";
      RemainAfterExit = false;
    };
  };

  systemd.services.nixops-save-keys = {
    description = "Save nixops keys to re-load after reboot";
    after = [ "keys.target" ];
    wantedBy = [ "keys.target" ];
    serviceConfig = {
      ExecStart = keySave;
      Restart = "always";
    };
  };
}



Kind regards,

Erik

On Mon, May 9, 2016 at 7:51 PM Игорь Пашев  wrote:

> 2016-05-09 13:49 GMT+03:00 Tomasz Czyż :
> > I'm not sure I understand this correctly. Do you want to put keys into
> the
> > initrd?
>
>
> No, I keep them under /root/keys. The save service polls /run/keys for
> updates.


Re: [Nix-dev] Persistent NixOps keys

2016-05-09 Thread Игорь Пашев
2016-05-09 13:49 GMT+03:00 Tomasz Czyż :
> I'm not sure I understand this correctly. Do you want to put keys into the
> initrd?


No, I keep them under /root/keys. The save service polls /run/keys for updates.


Re: [Nix-dev] Persistent NixOps keys

2016-05-09 Thread Tomasz Czyż
I'm not sure I understand this correctly. Do you want to put keys into the
initrd?

2016-05-08 20:54 GMT+01:00 Игорь Пашев :

> Simple way to keep the keys on reboot.
> /run/keys is mounted somewhere in initrd,
> thus just a couple of services
> (I was thinking about on-disk /run/keys)
>
> { config, lib, pkgs, ... }:
> let
>
>   inherit (builtins) attrNames;
>   inherit (lib) mkIf concatMapStringsSep;
>   inherit (config.deployment) keys;
>
>   store = "/root/keys";
>   runkeys = "/run/keys";
>
>   load = pkgs.writeBashScript "nixops-load-keys" ''
> set -euo pipefail
> if [ -e '${store}/done' ] && [ ! -e '${runkeys}/done' ]; then
>   cd '${store}'
>   cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
> '${runkeys}/' || exit 0
>   touch -r '${store}/done' '${runkeys}/done'
> fi
>   '';
>
>   save = pkgs.writeBashScript "nixops-save-keys" ''
> set -euo pipefail
> while true; do
>   if [ -e '${runkeys}/done' ]; then
>         if [ ! -e '${store}/done' ] || [ '${runkeys}/done' -nt '${store}/done' ]; then
>   rm -rf '${store}'
>   mkdir -p '${store}'
>   chown --reference='${runkeys}' -- '${store}'
>   chmod --reference='${runkeys}' -- '${store}'
>   cd '${runkeys}'
>   cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames
> keys)} \
> '${store}/' || continue
>   touch -r '${runkeys}/done' '${store}/done'
>   touch -r '${runkeys}' '${store}'
> fi
>   fi
>   sleep 1m
> done
>   '';
>
> in {
>   config = mkIf (keys != {}) {
> systemd.services.nixops-load-keys = {
>   description = "Re-load nixops keys after reboot";
>   before = [ "nixops-keys.service" ];
>   wantedBy = [ "keys.target" ];
>   unitConfig.RequiresMountsFor = [ runkeys store ];
>   serviceConfig = {
> ExecStart = load;
> Type = "oneshot";
> RemainAfterExit = false;
>   };
> };
>
> systemd.services.nixops-save-keys = {
>   description = "Save nixops keys to re-load after reboot";
>   after = [ "keys.target" ];
>   wantedBy = [ "keys.target" ];
>   serviceConfig = {
> ExecStart = save;
> Restart = "always";
>   };
> };
>   };
> }
>
>
> P. S. writeBashScript:
> { bash, writeScript, haskellPackages, runCommand }:
>
> name: text:
> let
>   f = writeScript name ''
> #!${bash}/bin/bash
> ${text}
>   '';
> in
> runCommand name { } ''
>   ${haskellPackages.ShellCheck}/bin/shellcheck ${f}
>   cp -a ${f} $out
> ''



-- 
Tomasz Czyż


[Nix-dev] Persistent NixOps keys

2016-05-08 Thread Игорь Пашев
Simple way to keep the keys on reboot.
/run/keys is mounted somewhere in initrd,
thus just a couple of services
(I was thinking about on-disk /run/keys)

{ config, lib, pkgs, ... }:
let

  inherit (builtins) attrNames;
  inherit (lib) mkIf concatMapStringsSep;
  inherit (config.deployment) keys;

  store = "/root/keys";
  runkeys = "/run/keys";

  load = pkgs.writeBashScript "nixops-load-keys" ''
    set -euo pipefail
    if [ -e '${store}/done' ] && [ ! -e '${runkeys}/done' ]; then
      cd '${store}'
      cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
        '${runkeys}/' || exit 0
      touch -r '${store}/done' '${runkeys}/done'
    fi
  '';

  save = pkgs.writeBashScript "nixops-save-keys" ''
    set -euo pipefail
    while true; do
      if [ -e '${runkeys}/done' ]; then
        if [ ! -e '${store}/done' ] || [ '${runkeys}/done' -nt '${store}/done' ]; then
          rm -rf '${store}'
          mkdir -p '${store}'
          chown --reference='${runkeys}' -- '${store}'
          chmod --reference='${runkeys}' -- '${store}'
          cd '${runkeys}'
          cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
            '${store}/' || continue
          touch -r '${runkeys}/done' '${store}/done'
          touch -r '${runkeys}' '${store}'
        fi
      fi
      sleep 1m
    done
  '';

in {
  config = mkIf (keys != {}) {
    systemd.services.nixops-load-keys = {
      description = "Re-load nixops keys after reboot";
      before = [ "nixops-keys.service" ];
      wantedBy = [ "keys.target" ];
      unitConfig.RequiresMountsFor = [ runkeys store ];
      serviceConfig = {
        ExecStart = load;
        Type = "oneshot";
        RemainAfterExit = false;
      };
    };

    systemd.services.nixops-save-keys = {
      description = "Save nixops keys to re-load after reboot";
      after = [ "keys.target" ];
      wantedBy = [ "keys.target" ];
      serviceConfig = {
        ExecStart = save;
        Restart = "always";
      };
    };
  };
}


P. S. writeBashScript:
{ bash, writeScript, haskellPackages, runCommand }:

name: text:
let
  f = writeScript name ''
#!${bash}/bin/bash
${text}
  '';
in
runCommand name { } ''
  ${haskellPackages.ShellCheck}/bin/shellcheck ${f}
  cp -a ${f} $out
''
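The save/load round trip from the module above, as an added example that is not code from the thread: the marker and timestamp logic as plain bash functions over caller-supplied directories (the names save_keys, load_keys, check_private and demo_round_trip are assumptions), plus a check that the plaintext copies kept on disk stay unreadable to anyone but their owner. It generalizes the module by copying every regular file in the run directory instead of the names listed in config.deployment.keys.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: the save/load round trip as shell
# functions over caller-supplied directories, so the marker logic and the key
# file modes can be exercised in a scratch directory instead of /run/keys.
set -euo pipefail

# save_keys RUN STORE: one pass of the nixops-save-keys loop. Copy when STORE
# has no marker or RUN/done is newer; wipe and recreate STORE with RUN's mode,
# cp -p each key so its own mode survives, then give STORE/done the mtime of
# RUN/done. Returns 0 copied, 1 RUN has no marker yet, 2 STORE already current.
save_keys() {
  local run="$1" store="$2"
  [ -e "$run/done" ] || return 1
  if [ -e "$store/done" ] && [ ! "$run/done" -nt "$store/done" ]; then return 2; fi
  rm -rf -- "$store" && mkdir -p -- "$store"
  chmod --reference="$run" -- "$store"
  find "$run" -maxdepth 1 -type f ! -name done -exec cp -pf -- {} "$store/" \;
  touch -r "$run/done" -- "$store/done"
}

# load_keys STORE RUN: the boot-time inverse (nixops-load-keys); acts only when
# STORE has a marker and RUN, a fresh tmpfs, has none. Returns 1 if nothing to do.
load_keys() {
  local store="$1" run="$2"
  { [ -e "$store/done" ] && [ ! -e "$run/done" ]; } || return 1
  mkdir -p -- "$run"
  find "$store" -maxdepth 1 -type f ! -name done -exec cp -pf -- {} "$run/" \;
  touch -r "$store/done" -- "$run/done"
}

# check_private DIR: fail if any persisted key is readable by group or other,
# since the store keeps plaintext keys on disk and a copy must not loosen them.
check_private() {
  [ -z "$(find "$1" -maxdepth 1 -type f ! -name done -perm /g+r,o+r -print -quit)" ]
}

# demo_round_trip: constructed stand-ins for /run/keys and /root/keys under
# mktemp; returns 0 only if save, no-op re-save, restore and mode check pass.
demo_round_trip() {
  local tmp run store rc=0
  tmp=$(mktemp -d); run="$tmp/run-keys"; store="$tmp/root-keys"
  mkdir -m 0750 -- "$run"
  printf 'constructed-secret\n' > "$run/db.pass" && chmod 0600 "$run/db.pass"
  touch "$run/done"
  save_keys "$run" "$store" || return 1
  save_keys "$run" "$store" || rc=$?; [ "$rc" -eq 2 ] || return 1
  rm -rf -- "$run"                                  # simulate reboot: tmpfs gone
  load_keys "$store" "$run" || return 1
  [ "$(stat -c %a "$run/db.pass")" = 600 ] && check_private "$store"
}
```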