[Nix-dev] Setting default group & permissions on deployment.keys

Tomasz Czyż tomasz.czyz at gmail.com
Tue Jun 14 13:21:02 CEST 2016


Hey Erik,

oh ok, I see.
Another way you could try: write a function that builds a key
description.

let
  # Nix attribute sets use ";" between attributes, not ","
  make-my-key = { text, group }: {
    user = "root";
    text = text;
    group = group;
    permissions = "640";
  };
in


and then

  deployment.keys.my-key = make-my-key {group="nginx"; text="secret";};

There is also "mkDefault" function in nix but I don't know how to apply
this correctly in this case.

2016-06-14 11:28 GMT+01:00 4levels <4levels at gmail.com>:

> Hi Tomasz,
>
> it is from that exact same link you posted that I was reading the defaults.
> Isn't there any better way to override these defaults?  They are clearly
> defined in the file you linked to.
>
> The approach as posted by Rob seems to work but requires that all keys are
> stored in a single directory, which are then copied to the /run/keys folder
> on the target machine.
>
> Since the deployment of these keys has its own procedure (other services
> need to wait for the keys to be copied completely) I'm currently not sure
> if doing it Rob's way will preserve this behavior.
>
> To be continued ;-)
>
> Erik
>
> On Tue, Jun 14, 2016 at 12:17 PM Tomasz Czyż <tomasz.czyz at gmail.com>
> wrote:
>
>> https://nixos.org/nixops/manual/#opt-deployment.keys._name_.user
>>
>> 2016-06-14 11:12 GMT+01:00 4levels <4levels at gmail.com>:
>>
>>> Hi Rob,
>>>
>>> thank you for your swift reply!
>>> Does this mean I'm actually overriding the default keys behavior as
>>> defined in https://github.com/NixOS/nixops/blob/master/nix/keys.nix ?
>>> I was kind of hoping to be able to write something like
>>>
>>> deployment.keys.*.group = "keys";
>>> deployment.keys.*.permissions = "0640";
>>>
>>> I'll give it a try and post back here.
>>>
>>> Kind regards,
>>>
>>> Erik
>>>
>>> On Tue, Jun 14, 2016 at 12:06 PM Rob Vermaas <rob.vermaas at gmail.com>
>>> wrote:
>>>
>>>> Hi Erik,
>>>>
>>>> > Is there a way to define a default group and permissions for all keys
>>>> > without me specifying this for each key individually?
>>>> > I'm currently well over 200 keys per machine so adding the group and
>>>> > permissions for each key is quite elaborate..
>>>>
>>>> You could do something like:
>>>>
>>>>       deployment.keys =
>>>>         let
>>>>           keyDir = /path/to/dir/with/my/keys;
>>>>           keys = builtins.attrNames
>>>>             (lib.filterAttrs (n: v: v == "regular") (builtins.readDir keyDir));
>>>>         in with lib; listToAttrs (map (n: nameValuePair n {
>>>>           text = builtins.readFile (keyDir + ("/" + n));
>>>>           group = "keys";
>>>>           permissions = "0640";
>>>>         }) keys);
>>>>
>>>> This would upload all files in /path/to/dir/with/my/keys to the
>>>> machine in /run/keys. Note I didn't test this, so it might have some
>>>> typos, but I hope the idea is clear. It's an adapted piece copied from
>>>> something similar we are using.
>>>>
>>>> Cheers,
>>>> --
>>>> Rob Vermaas
>>>>
>>>> [email] rob.vermaas at gmail.com
>>>>
>>>
>>> _______________________________________________
>>> nix-dev mailing list
>>> nix-dev at lists.science.uu.nl
>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>
>>>
>>
>>
>> --
>> Tomasz Czyż
>>
>


-- 
Tomasz Czyż
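The approach discussed in this thread (one set of ownership and permission defaults for every deployment key, without repeating group and permissions 200 times), written out as an added example that is not code from any of the participants. It combines the wrapper-function idea with lib.mapAttrs so that keys are still declared as an ordinary attribute set and individual keys can override a default; the key names and secret values are constructed placeholders, and the option names used (user, group, permissions, text) are the deployment.keys options referenced in the thread.

```nix
# Added example: apply shared defaults to every deployment.keys entry.
# Key names and values below are constructed placeholders, not real secrets.
{ config, lib, ... }:

let
  # Defaults every key gets unless the key definition overrides them.
  # Owned by root, readable by the "keys" group, not world-readable.
  keyDefaults = {
    user = "root";
    group = "keys";
    permissions = "0640";
  };

  # Merge the defaults underneath each key definition. With `//` the
  # right-hand side wins on conflict, so a key can still override a default.
  withKeyDefaults = keys: lib.mapAttrs (_name: key: keyDefaults // key) keys;
in
{
  deployment.keys = withKeyDefaults {
    # Gets user=root, group=keys, permissions=0640 from the defaults.
    "db-password".text = "CHANGEME-constructed-placeholder";

    # Overrides only the group; user and permissions still come from the defaults.
    "nginx-tls.key" = {
      text = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n";
      group = "nginx";
    };
  };
}
```

Because the defaults are merged per key rather than set on the module options, this does not depend on how mkDefault interacts with the submodule defaults in keys.nix, and the usual deployment behaviour of the keys (copied to /run/keys with the given owner and mode) is unchanged.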