[Nix-dev] NixOps - merge config files

4levels 4levels at gmail.com
Thu Jun 9 16:21:12 CEST 2016


Hi Nix Devs,

I've tried using the deployment.keys but that seems to be only there for
user accounts and not for custom configurations.  As I need multiple keys
for each platform (eg. symfony, wordpress - cipher, key, database password,
admin user password etc etc) it seems that deployment.keys will not work
for this purpose.

I'm now resorting to using builtins.readFile and creating separate files
for the passwords in a folder I can then encrypt with git-crypt.
This way I'm also able to use conflicting nix characters in the passwords
as well.

As a last question here I was wondering if there's a way to strip trailing
newlines when reading files with builtins.readFile, as my IDE keeps adding a
newline at the end of each file when saving.  I'll post a new message here
for this request as it is not relevant to this topic.

Kind regards and thank you again for your support!

Erik aka 4levels

On Thu, Jun 9, 2016 at 12:29 PM 4levels <4levels at gmail.com> wrote:

> Hi all,
>
> thank you for your replies!
> The thing is, I seem not to be able to merge at the level I need, at the
> hostname level that is.
> I mean, I need to have a file with the combined sets to be used by NixOps.
>
> There is a mapAttrsRecursive function in attrsets.nix that sounds like it
> does what I need.
>
> Currently I'm more inclined to go the deployment.keys way as pointed out
> by Tomasz
>
> I'll keep you posted here..
>
>
> Kind regards, your support and engagements are fantastic!
>
> Erik
>
> On Thu, Jun 9, 2016 at 12:23 PM Tomasz Czyż <tomasz.czyz at gmail.com> wrote:
>
>> Probably some function from
>> https://github.com/NixOS/nixpkgs/blob/master/lib/attrsets.nix could be
>> useful to merge them.
>>
>> 2016-06-09 11:19 GMT+01:00 zimbatm <zimbatm at zimbatm.com>:
>>
>>> @dario: that doesn’t work recursively. { a = { x = 3; }; } // { a = { y
>>> = 4; }; } produces { a = { y = 4; }; }
>>> On Thu, 9 Jun 2016 at 10:44 Dario Bertini <berdario at gmail.com> wrote:
>>>
>>>> {a=1;}// {b=2;}
>>>> Yields
>>>> {a=1; b=2;}
>>>>
>>>> Is this enough to help you?
>>>>
>>>> On 9 June 2016 10:31:07 BST, 4levels <4levels at gmail.com> wrote:
>>>> >Hi,
>>>> >
>>>> >thank you for your swift reply!
>>>> >I'd like to avoid literally mentioning all sensitive config params in
>>>> >the network.nix config.
>>>> >
>>>> >What would be the "normal" procedure to recursively merge 2 attribute
>>>> >sets?
>>>> >
>>>> >
>>>> >So if I have in one file
>>>> >servers.nix: {
>>>> >  vm01 = {
>>>> >    services.symfony.platforms = {
>>>> >      database = {
>>>> >        username = "www";
>>>> >      };
>>>> >    };
>>>> >  };
>>>> >}
>>>> >
>>>> >and in the other
>>>> >keys.nix: {
>>>> >  vm01 = {
>>>> >    services.symfony.platforms = {
>>>> >      database = {
>>>> >        password = "12345678";
>>>> >      };
>>>> >    };
>>>> >  };
>>>> >}
>>>> >
>>>> >So they become one when building:
>>>> >{
>>>> >  vm01 = {
>>>> >    services.symfony.platforms = {
>>>> >      database = {
>>>> >        username = "www";
>>>> >        password = "12345678";
>>>> >      };
>>>> >    };
>>>> >  };
>>>> >}
>>>> >
>>>> >Kind regards,
>>>> >
>>>> >Erik
>>>> >
>>>> >On Thu, Jun 9, 2016 at 11:23 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> I don’t know where you are getting this error. All I can do is
>>>> >> suggest a workaround:
>>>> >>
>>>> >> In keys.nix:
>>>> >>
>>>> >> {
>>>> >>   database_password = "12345678";
>>>> >> }
>>>> >>
>>>> >> In network.nix:
>>>> >>
>>>> >> let
>>>> >>   secrets = import ./keys.nix;
>>>> >> in
>>>> >> {
>>>> >>   vm01 =
>>>> >>     { config, pkgs, ... }:
>>>> >>     {
>>>> >>       services.symfony.platforms.database.password = secrets.database_password;
>>>> >>
>>>> >>       ..
>>>> >>     };
>>>> >> }
>>>> >>
>>>> >>
>>>> >> On Thu, 9 Jun 2016 at 07:54 4levels <4levels at gmail.com> wrote:
>>>> >>
>>>> >>> Hi Nix Devs,
>>>> >>>
>>>> >>> I'm having some difficulties separating sensitive information from a
>>>> >>> nix expression used by NixOps.
>>>> >>>
>>>> >>> I keep the server config in a separate file, servers.nix:
>>>> >>> {
>>>> >>>   vm01 =
>>>> >>>     { config, pkgs, nodes, ... }:
>>>> >>>     {
>>>> >>>       deployment = {
>>>> >>>         targetHost = "192.168.121.50";
>>>> >>>       };
>>>> >>>       ...
>>>> >>>     }
>>>> >>> }
>>>> >>>
>>>> >>> Currently I have all relevant software config for each server in a
>>>> >>> nix expression platforms.nix as follows (where vm01 is the hostname):
>>>> >>> {
>>>> >>>   vm01 =
>>>> >>>     { config, pkgs, ... }:
>>>> >>>     {
>>>> >>>       services.symfony.platforms = {
>>>> >>>         database = {
>>>> >>>           username = "www";
>>>> >>>           /* password = "1234567" -> moved to keys.nix */
>>>> >>>         };
>>>> >>>       ...
>>>> >>>     }
>>>> >>> }
>>>> >>>
>>>> >>> I want to remove the sensitive info from this file and put it in a
>>>> >>> separate nix expression, eg. keys.nix, maintaining the same
>>>> >>> structure so the files can be merged.
>>>> >>>
>>>> >>> In keys.nix I currently have
>>>> >>> {
>>>> >>>   vm01 =
>>>> >>>     { config, pkgs, ... }:
>>>> >>>     {
>>>> >>>       services.symfony.platforms.database.password = "12345678";
>>>> >>>       ..
>>>> >>>     };
>>>> >>> }
>>>> >>>
>>>> >>> I've modified my nixops deploy to have keys.nix loaded after the
>>>> >>> servers.nix and platforms.nix files, but I keep getting errors like
>>>> >>> "the attribute password does not exist"
>>>> >>>
>>>> >>> I must be overlooking something obvious as all the other files I
>>>> >>> define in my deploy are being merged correctly.
>>>> >>>
>>>> >>> Can anyone advise me on how to achieve this?
>>>> >>>
>>>> >>> The underlying reason is that I'm using git-crypt to encrypt the
>>>> >>> platforms.nix file, but this makes it impossible to work with
>>>> >>> branches (or git logs) etc. as the whole file is encrypted and git
>>>> >>> cannot merge binary files (it simply replaces them).
>>>> >>>
>>>> >>> Kind regards!
>>>> >>>
>>>> >>> Erik aka 4levels
>>>> >>>
>>>> >> _______________________________________________
>>>> >>> nix-dev mailing list
>>>> >>> nix-dev at lists.science.uu.nl
>>>> >>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>> >>>
>>>> >>
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> Sent from mobile. Please excuse my brevity.
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Tomasz Czyż
>>
>
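The recursive merge Erik asks about (servers.nix plus keys.nix becoming one set), and the trailing-newline question, worked as an added example that is not from any participant in the thread; it assumes nixpkgs is on NIX_PATH and uses lib.recursiveUpdate and lib.fileContents from nixpkgs lib, with the two input files replaced by constructed inline attribute sets.

```nix
# Added example, not code posted in the thread. Evaluate with:
#   nix-instantiate --eval --strict merge-example.nix
let
  lib = import <nixpkgs/lib>;

  # Stand-ins for servers.nix and keys.nix, constructed inline so this runs
  # without extra files. The password is a dummy value.
  servers = {
    vm01 = {
      deployment.targetHost = "192.168.121.50";
      services.symfony.platforms.database.username = "www";
    };
  };
  keys = {
    vm01 = {
      services.symfony.platforms.database.password = "12345678";
    };
  };

  # `servers // keys` only merges the top level: vm01 from keys would replace
  # vm01 from servers wholesale and username would disappear. recursiveUpdate
  # (lib/attrsets.nix) descends into nested sets and merges leaf by leaf; on a
  # conflicting leaf the right-hand argument (keys) wins.
  merged = lib.recursiveUpdate servers keys;

  # Plain attrsets only: recursiveUpdate cannot merge two module functions
  # ({ config, pkgs, ... }: { ... }). When several NixOps network files define
  # the same machine as a module, NixOps combines them through the NixOS
  # module system instead, so keys.nix can also stay a module on its own.

  # For one-secret-per-file layouts (e.g. under git-crypt), lib.fileContents
  # (lib/strings.nix) reads the file and strips the trailing newline an editor
  # appends, which builtins.readFile would keep. Placeholder path, not on disk:
  # dbPassword = lib.fileContents ./secrets/db-password;
in
{
  inherit merged;
  # Both leaves must survive the merge; evaluates to true.
  ok = merged.vm01.services.symfony.platforms.database == {
    username = "www";
    password = "12345678";
  } && merged.vm01.deployment.targetHost == "192.168.121.50";
}
```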