Re: [Nix-dev] Persistent NixOps keys
(IMO) a much simpler solution: http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020690.html

On Mon, Jun 20, 2016 at 9:10 PM, Игорь Пашев wrote:
> 2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> > As I never change these keys (except by a nixops deploy or nixops send-keys
> > call), can I assume that the save-keys service doesn't need to run every
> > single minute in this scenario?
>
> You can remove /root/keys by accident. In our setups, I used to clean
> all users' homes including root's :-)

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Persistent NixOps keys
2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> As I never change these keys (except by a nixops deploy or nixops send-keys
> call), can I assume that the save-keys service doesn't need to run every
> single minute in this scenario?

You can remove /root/keys by accident. In our setups, I used to clean all users' homes including root's :-)
Re: [Nix-dev] Persistent NixOps keys
Hi Игорь,

thank you for clarifying this, I was already wondering what the sleep 1m was doing there in the while loop ;-)

As I never change these keys (except by a nixops deploy or nixops send-keys call), can I assume that the save-keys service doesn't need to run every single minute in this scenario?

Kind regards,

Erik

On Mon, Jun 20, 2016 at 1:05 PM Игорь Пашев wrote:
> 2016-06-19 15:35 GMT+03:00 4levels <4lev...@gmail.com>:
> > I was just wondering how this copes with server kills
>
> The "save" service runs every minute to check if any keys are not saved :-)
> And it runs on every key addition / removal. So right after a fresh
> deploy you are almost safe.
Re: [Nix-dev] Persistent NixOps keys
2016-06-19 15:35 GMT+03:00 4levels <4lev...@gmail.com>:
> I was just wondering how this copes with server kills

The "save" service runs every minute to check if any keys are not saved :-) And it runs on every key addition / removal. So right after a fresh deploy you are almost safe.
Re: [Nix-dev] Persistent NixOps keys
Hi Nix-devs, hi Tomasz, hi Игорь,

I managed to get it working flawlessly by adding keys.target to the requires and after statements of my other service configs.

I was just wondering how this copes with server kills (as Vultr periodically resets an instance when they experience system failures). I'm guessing when they kill a VPS (or reset it) the systemd shutdown calls are being bypassed. I've opened a support request to ask if they can always perform a normal reboot instead of a hard reset.

Thanks again for your great support and valuable pointers!

Kind regards,

Erik

On Fri, Jun 17, 2016 at 12:16 PM 4levels <4lev...@gmail.com> wrote:
> Hi Tomasz,
>
> Thanks for another great pointer!
> My own services do require the keys so I have to make them depend/require
> on keys.target
>
> I'm about to test this out, I'll keep you posted here..
>
> Kind regards,
>
> Erik
>
> On Fri, Jun 17, 2016, 11:47 Tomasz Czyż wrote:
>> Erik, you also could add your load-keys service to network.target or any
>> target which starts at the system start. So then you don't have to add it
>> to specific apps, depends on your keys workflow.
Re: [Nix-dev] Persistent NixOps keys
Hi Tomasz,

Thanks for another great pointer!
My own services do require the keys so I have to make them depend/require on keys.target

I'm about to test this out, I'll keep you posted here..

Kind regards,

Erik

On Fri, Jun 17, 2016, 11:47 Tomasz Czyż wrote:
> Erik, you also could add your load-keys service to network.target or any
> target which starts at the system start. So then you don't have to add it
> to specific apps, depends on your keys workflow.
Re: [Nix-dev] Persistent NixOps keys
Erik, you also could add your load-keys service to network.target or any target which starts at the system start. So then you don't have to add it to specific apps, depends on your keys workflow.

2016-06-17 9:48 GMT+01:00 4levels <4lev...@gmail.com>:
> That's probably it!
>
> I still need to update all service configs to have keys.target in the
> wantedBy list.
>
> I read somewhere that I should also use requiredBy for it to really wait
> until keys.target is finished..
>
> Kind regards,
>
> Erik
>
> On Thu, Jun 16, 2016, 23:50 Игорь Пашев wrote:
>> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
>> > wantedBy = [ "keys.target" ];
>>
>> Maybe you don't have services depending on keys.target

--
Tomasz Czyż
Re: [Nix-dev] Persistent NixOps keys
That's probably it!

I still need to update all service configs to have keys.target in the wantedBy list.

I read somewhere that I should also use requiredBy for it to really wait until keys.target is finished..

Kind regards,

Erik

On Thu, Jun 16, 2016, 23:50 Игорь Пашев wrote:
> 2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
> > wantedBy = [ "keys.target" ];
>
> Maybe you don't have services depending on keys.target
Re: [Nix-dev] Persistent NixOps keys
2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
> wantedBy = [ "keys.target" ];

Maybe you don't have services depending on keys.target
Re: [Nix-dev] Persistent NixOps keys
Hi,

I tried this but somehow the nixops-load-keys service is not automatically started. I can see the service with systemctl status and when I restart it, it does as expected (copies the files from /run/keys to /root/keys). However, when I reboot the machine, the nixops-load-keys service doesn't seem to do this automatically. Only after running systemctl restart nixops-load-keys it copies the files back to /run/store. When I delete /root/keys/* and do a reboot, the keys aren't copied either.

There must be something wrong with my before and after statements I guess since both services do work when started manually. I'm probably overlooking something obvious here..

I modified your script a little as follows:

let
  keyStore = "/root/keys";
  keyRun = "/run/keys";

  keyLoad = pkgs.writeScript "nixops-load-keys" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail
    if [ -e '${keyStore}/done' ] && [ ! -e '${keyRun}/done' ]; then
      cd '${keyStore}'
      cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'") (builtins.attrNames config.deployment.keys)} \
        '${keyRun}/' || exit 0
      touch -r '${keyStore}/done' '${keyRun}/done'
    fi
  '';

  keySave = pkgs.writeScript "nixops-save-keys" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail
    while true; do
      if [ -e '${keyRun}/done' ]; then
        if [ ! -e '${keyStore}/done' ] || [ '${keyRun}/done' -nt '${keyStore}/done' ] ; then
          rm -rf '${keyStore}'
          mkdir -p '${keyStore}'
          chown --reference='${keyRun}' -- '${keyStore}'
          chmod --reference='${keyRun}' -- '${keyStore}'
          cd '${keyRun}'
          cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'") (builtins.attrNames config.deployment.keys)} \
            '${keyStore}/' || continue
          touch -r '${keyRun}/done' '${keyStore}/done'
          touch -r '${keyRun}' '${keyStore}'
        fi
      fi
      sleep 1m
    done
  '';
in {
  systemd.services.nixops-load-keys = {
    description = "Re-load nixops keys after reboot";
    before = [ "nixops-keys.service" ];
    wantedBy = [ "keys.target" ];
    unitConfig.RequiresMountsFor = [ keyRun keyStore ];
    serviceConfig = {
      ExecStart = keyLoad;
      Type = "oneshot";
      RemainAfterExit = false;
    };
  };

  systemd.services.nixops-save-keys = {
    description = "Save nixops keys to re-load after reboot";
    after = [ "keys.target" ];
    wantedBy = [ "keys.target" ];
    serviceConfig = {
      ExecStart = keySave;
      Restart = "always";
    };
  };
}

Kind regards,

Erik

On Mon, May 9, 2016 at 7:51 PM Игорь Пашев wrote:
> 2016-05-09 13:49 GMT+03:00 Tomasz Czyż :
> > I'm not sure I understand this correctly. Do you want to put keys into the
> > initrd?
>
> No, I keep them under /root/keys. The save service polls /run/keys for
> updates.
Re: [Nix-dev] Persistent NixOps keys
2016-05-09 13:49 GMT+03:00 Tomasz Czyż :
> I'm not sure I understand this correctly. Do you want to put keys into the
> initrd?

No, I keep them under /root/keys. The save service polls /run/keys for updates.
Re: [Nix-dev] Persistent NixOps keys
I'm not sure I understand this correctly. Do you want to put keys into the initrd?

2016-05-08 20:54 GMT+01:00 Игорь Пашев :
> Simple way to keep the keys on reboot.
> /run/keys is mounted somewhere in initrd,
> thus just a couple of services
> (I was thinking about on-disk /run/keys)

--
Tomasz Czyż
[Nix-dev] Persistent NixOps keys
Simple way to keep the keys on reboot.
/run/keys is mounted somewhere in initrd,
thus just a couple of services
(I was thinking about on-disk /run/keys)

{ config, lib, pkgs, ... }:
let

  inherit (builtins) attrNames;
  inherit (lib) mkIf concatMapStringsSep;
  inherit (config.deployment) keys;

  store = "/root/keys";
  runkeys = "/run/keys";

  load = pkgs.writeBashScript "nixops-load-keys" ''
    set -euo pipefail
    if [ -e '${store}/done' ] && [ ! -e '${runkeys}/done' ]; then
      cd '${store}'
      cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
        '${runkeys}/' || exit 0
      touch -r '${store}/done' '${runkeys}/done'
    fi
  '';

  save = pkgs.writeBashScript "nixops-save-keys" ''
    set -euo pipefail
    while true; do
      if [ -e '${runkeys}/done' ]; then
        if [ ! -e '${store}/done' ] || [ '${runkeys}/done' -nt '${store}/done' ] ; then
          rm -rf '${store}'
          mkdir -p '${store}'
          chown --reference='${runkeys}' -- '${store}'
          chmod --reference='${runkeys}' -- '${store}'
          cd '${runkeys}'
          cp -pf -- ${concatMapStringsSep " " (k: "'${k}'") (attrNames keys)} \
            '${store}/' || continue
          touch -r '${runkeys}/done' '${store}/done'
          touch -r '${runkeys}' '${store}'
        fi
      fi
      sleep 1m
    done
  '';

in {
  config = mkIf (keys != {}) {
    systemd.services.nixops-load-keys = {
      description = "Re-load nixops keys after reboot";
      before = [ "nixops-keys.service" ];
      wantedBy = [ "keys.target" ];
      unitConfig.RequiresMountsFor = [ runkeys store ];
      serviceConfig = {
        ExecStart = load;
        Type = "oneshot";
        RemainAfterExit = false;
      };
    };

    systemd.services.nixops-save-keys = {
      description = "Save nixops keys to re-load after reboot";
      after = [ "keys.target" ];
      wantedBy = [ "keys.target" ];
      serviceConfig = {
        ExecStart = save;
        Restart = "always";
      };
    };
  };
}

P. S. writeBashScript:

{ bash, writeScript, haskellPackages, runCommand }:

name: text:
let
  f = writeScript name ''
    #!${bash}/bin/bash
    ${text}
  '';
in
runCommand name { } ''
  ${haskellPackages.ShellCheck}/bin/shellcheck ${f}
  cp -a ${f} $out
''
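As an added example (not code from the thread or from NixOps), the load and save logic of the two scripts above as bash functions that take the store directory, the runtime directory and the key names as arguments, so the mtime check on the done marker and the permission handling can be exercised against a constructed temporary tree instead of /run/keys and /root/keys. It assumes GNU coreutils (chown/chmod --reference, stat -c) on Linux.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: the nixops-load-keys and
# nixops-save-keys logic as bash functions over directories passed as
# arguments, run against constructed temp dirs.
set -euo pipefail

# Restore keys from the on-disk store into the runtime dir, but only when
# the store is complete (store/done exists) and the runtime dir has not
# already been filled by a fresh deploy (run/done absent).
load_keys() {  # load_keys STORE RUN KEY...
  local store=$1 run=$2; shift 2
  if [ -e "$store/done" ] && [ ! -e "$run/done" ]; then
    (cd "$store" && cp -pf -- "$@" "$run/") || return 0
    touch -r "$store/done" "$run/done"
  fi
}

# One pass of the save loop: copy runtime keys to the store only when the
# runtime set is newer (run/done -nt store/done). The store gets the owner
# and mode of the runtime dir and cp -p keeps each key's mode, so the
# persisted copies stay as restricted as the originals.
save_keys_once() {  # save_keys_once RUN STORE KEY...
  local run=$1 store=$2; shift 2
  [ -e "$run/done" ] || return 0
  if [ ! -e "$store/done" ] || [ "$run/done" -nt "$store/done" ]; then
    rm -rf "$store"
    mkdir -p "$store"
    chown --reference="$run" -- "$store"
    chmod --reference="$run" -- "$store"
    (cd "$run" && cp -pf -- "$@" "$store/") || return 1
    touch -r "$run/done" "$store/done"   # equal mtimes: next pass is a no-op
    touch -r "$run" "$store"
  fi
}

# Constructed scenario: deploy, save, a redundant save pass, a hard reset
# that empties the runtime dir, then reload. Prints "ok" when the key, its
# 0600 mode and the done marker come back and the no-op pass left the store alone.
demo() {
  local tmp run store; tmp=$(mktemp -d); run=$tmp/run; store=$tmp/store
  mkdir -m 0750 "$run"; touch "$run/done"
  printf 'constructed-secret\n' > "$run/db-password"; chmod 0600 "$run/db-password"
  save_keys_once "$run" "$store" db-password
  echo x > "$store/sentinel"                 # must survive the no-op pass
  save_keys_once "$run" "$store" db-password
  rm -rf "$run"; mkdir -m 0750 "$run"        # simulate the hard reset
  load_keys "$store" "$run" db-password
  if [ -e "$store/sentinel" ] && [ -e "$run/done" ] &&
     [ "$(stat -c %a "$run/db-password")" = 600 ] &&
     [ "$(cat "$run/db-password")" = constructed-secret ]; then echo ok; fi
  rm -rf "$tmp"
}
```

Source the file and call `demo`; it prints ok when the round trip through the store preserved the key, its mode and the done marker.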