[Nix-dev] NixOps - merge config files

Tomasz Czyż tomasz.czyz at gmail.com
Thu Jun 9 20:36:39 CEST 2016


Erik,

https://nixos.org/nixops/manual/#opt-deployment.keys

Deployment keys won't end up in the Nix store; I think they are deployed using
ssh just to /run/keys. They also will be removed after reboot, as /run will
disappear, until you set some other option.

Also, there was a thread on this list a few weeks ago where somebody posted a
solution to preserve keys between reboots using systemd jobs.

2016-06-09 17:57 GMT+01:00 4levels <4levels at gmail.com>:

> Hi Kevin,
>
> Thanks for the extra info!
> I was wondering though, if the generated config files do end up in
> /nix/store anyway, does it even make a difference if I use the
> deployment.keys method? Or is there another way to have eg. a php script
> read from these keys without actually writing them out?
>
> Symfony uses yml files, WordPress uses php files, and so on.. Each project
> is defined as a service and I generate these files in my various let
> statements..
>
> Personally I don't mind these files sitting in /nix/store as I'm the only
> one with ssh access to these machines..
>
> Kind regards,
>
>
> Erik
>
> On Thu, Jun 9, 2016, 17:16 Kevin Cox <kevincox at kevincox.ca> wrote:
>
>> On 09/06/16 11:03, 4levels wrote:
>> > Hi Kevin,
>> >
>> > I'm very curious how you setup sensitive information using
>> deployment.keys
>> > This still seems like the best option to do this, but I failed to get
>> > it working..
>> >
>> > Could you be so kind to post a small example, showing how you define
>> > the keys and use them in functions that generate eg. a config file?
>>
>> Here are two examples where I read the key out of a secret directory
>> (encrypted with git-crypt). Note that I don't generate any of my config
>> files, but that is theoretically possible.
>>
>> deployment.keys.mesos.text = "root ${builtins.readFile
>> ../secret/mesos-secret}";
>> deployment.keys.sumologic.text = builtins.readFile ../secret/sumologic;
>>
>> And this example is importing a nix expression. Note that I'm not using
>> deployment.keys so this is accessible to anyone (on the server) as it
>> lands in the Nix store IIUC.
>>
>> networking.defaultMailServer = import ../secret/smtp.nix;
>>
>>
>>
>>


-- 
Tomasz Czyż
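To make the distinction in this thread concrete, here is an added example (not code from the thread or from NixOps itself) of a NixOps machine module that keeps a database password out of /nix/store by deploying it with deployment.keys and rendering the application's config at service start from /run/keys. The option names text, keyFile, user, group and permissions are the ones documented under the manual link above; the service name myapp, the unit name myapp-db-key.service, the package pkgs.myapp and the secret path ../secret/db-password are assumptions made for the example.

```nix
# Added example, not from the original thread. Assumed names: myapp,
# myapp-db-key.service, pkgs.myapp, ../secret/db-password.
{ config, pkgs, ... }:
let
  # WEAK (what the thread warns about): anything interpolated into a
  # derivation ends up in /nix/store, which every local user can read.
  #   leakyConfig = pkgs.writeText "myapp.yml" ''
  #     db_password: ${builtins.readFile ../secret/db-password}
  #   '';

  # Instead, only a template with a placeholder goes into the store.
  configTemplate = pkgs.writeText "myapp.yml.in" ''
    db_host: localhost
    db_password: @DB_PASSWORD@
  '';
in
{
  # nixops copies the key over SSH to /run/keys/myapp-db (tmpfs, not the
  # store). It is gone after a reboot until `nixops deploy` or
  # `nixops send-keys` runs again, as Tomasz notes above.
  deployment.keys.myapp-db = {
    keyFile = ../secret/db-password;   # equivalent: text = builtins.readFile ...;
    user = "myapp";
    group = "myapp";
    permissions = "0400";              # only the service user may read it
  };

  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  systemd.services.myapp = {
    description = "myapp, reads its secret at runtime rather than build time";
    wantedBy = [ "multi-user.target" ];
    # Assumed: nixops exposes each key as <name>-key.service; ordering after
    # it avoids a race where the service starts before the key file exists.
    after = [ "myapp-db-key.service" ];
    wants = [ "myapp-db-key.service" ];
    serviceConfig = {
      User = "myapp";
      Group = "myapp";
      RuntimeDirectory = "myapp";        # /run/myapp, owned by the service user
      RuntimeDirectoryMode = "0700";
    };
    script = ''
      umask 077
      # Render the config into the private runtime dir; the secret never
      # touches /nix/store and disappears with /run on reboot.
      password=$(cat /run/keys/myapp-db)
      sed "s|@DB_PASSWORD@|$password|" ${configTemplate} > /run/myapp/config.yml
      exec ${pkgs.myapp}/bin/myapp --config /run/myapp/config.yml
    '';
  };
}
```

The same pattern answers Erik's question about PHP or YAML projects: the generated file is written at service start, under the service user, into a directory with restrictive permissions, so nothing sensitive is ever part of a derivation. Note that the sed substitution assumes the password contains no `|` or `&` characters; for arbitrary secrets, render the file with a proper templating step or have the application read /run/keys/myapp-db directly.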