[Nix-dev] Persistent NixOps keys

4levels 4levels at gmail.com
Tue Jun 14 16:17:00 CEST 2016


Hi,

I tried this but somehow the nixops-load-keys service is not automatically
started. I can see the service with systemctl status and when I restart it,
it does as expected (copies the files from /run/keys to /root/keys).
However, when I reboot the machine, the nixops-load-keys service doesn't
seem to do this automatically. Only after running systemctl restart
nixops-load-keys does it copy the files back to /run/store.
When I delete /root/keys/* and do a reboot, the keys aren't copied either.
I guess there must be something wrong with my before and after statements,
since both services do work when started manually. I'm probably
overlooking something obvious here...

I modified your script a little as follows:

let

    ....

    keyStore = "/root/keys";
    keyRun = "/run/keys";

    keyLoad = pkgs.writeScript "nixops-load-keys" ''
      #!${pkgs.bash}/bin/bash
      set -euo pipefail
      # Only restore when a saved copy exists and NixOps has not already
      # delivered fresh keys into the tmpfs.
      if [ -e '${keyStore}/done' ] && [ ! -e '${keyRun}/done' ]; then
        cd '${keyStore}'
        cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'") (builtins.attrNames config.deployment.keys)} \
          '${keyRun}/' || exit 0
        touch -r '${keyStore}/done' '${keyRun}/done'
      fi
    '';

    keySave = pkgs.writeScript "nixops-save-keys" ''
      #!${pkgs.bash}/bin/bash
      set -euo pipefail
      # Poll the tmpfs and refresh the persistent copy whenever the done
      # marker is newer than the saved one.
      while true; do
        if [ -e '${keyRun}/done' ]; then
          if [ ! -e '${keyStore}/done' ] || [ '${keyRun}/done' -nt '${keyStore}/done' ]; then
            rm -rf '${keyStore}'
            mkdir -p '${keyStore}'
            chown --reference='${keyRun}' -- '${keyStore}'
            chmod --reference='${keyRun}' -- '${keyStore}'
            cd '${keyRun}'
            cp -pf -- ${lib.concatMapStringsSep " " (k: "'${k}'") (builtins.attrNames config.deployment.keys)} '${keyStore}/' || continue
            touch -r '${keyRun}/done' '${keyStore}/done'
            touch -r '${keyRun}' '${keyStore}'
          fi
        fi
        sleep 1m
      done
    '';

   ....

in

    ....

    systemd.services.nixops-load-keys = {
      description = "Re-load nixops keys after reboot";
      before = [ "nixops-keys.service" ];
      wantedBy = [ "keys.target" ];
      unitConfig.RequiresMountsFor = [ keyRun keyStore ];
      serviceConfig = {
        ExecStart = keyLoad;
        Type = "oneshot";
        RemainAfterExit = false;
      };
    };

    systemd.services.nixops-save-keys = {
      description = "Save nixops keys to re-load after reboot";
      after = [ "keys.target" ];
      wantedBy = [ "keys.target" ];
      serviceConfig = {
        ExecStart = keySave;
        Restart = "always";
      };
    };

    ....

Kind regards,

Erik

On Mon, May 9, 2016 at 7:51 PM Игорь Пашев <pashev.igor at gmail.com> wrote:

> 2016-05-09 13:49 GMT+03:00 Tomasz Czyż <tomasz.czyz at gmail.com>:
> > I'm not sure I understand this correctly. Do you want to put keys into
> the
> > initrd?
>
>
> No, I keep them under /root/keys. The save service polls /run/keys for
> updates.
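Added example, not Erik's, Igor's or NixOps' code: the save/load protocol from the two scripts above written as plain POSIX shell functions. The tmpfs NixOps fills (/run/keys on a real host), the persistent store (/root/keys) and the key names are parameters, so the done-marker and timestamp logic can be exercised against scratch directories; creating the on-disk store with umask 077 is an addition here, not something the thread does.

```shell
#!/bin/sh
# Added example (not from the thread): the save/load protocol as functions.
# Directories and key names are parameters so the logic runs on scratch dirs.
set -eu

# save_keys RUN STORE KEY...: refresh STORE from RUN when RUN/done exists and
# is newer than STORE/done (or STORE/done is missing); otherwise return 1.
# The on-disk copy is created with umask 077 (root-only when run as root);
# the original mirrors the tmpfs's owner and mode instead.
save_keys() {
  run=$1; store=$2; shift 2
  [ -e "$run/done" ] || return 1
  if [ -e "$store/done" ] && ! [ "$run/done" -nt "$store/done" ]; then
    return 1
  fi
  rm -rf -- "$store"
  (umask 077 && mkdir -p -- "$store")
  for k in "$@"; do
    cp -pf -- "$run/$k" "$store/"
  done
  # carry the marker's mtime across so the next poll sees nothing newer
  touch -r "$run/done" "$store/done"
}

# load_keys STORE RUN KEY...: after a reboot the tmpfs is empty; restore the
# keys from STORE and recreate the done marker. Does nothing (returns 1) when
# NixOps has already delivered fresh keys, i.e. RUN/done is present.
load_keys() {
  store=$1; run=$2; shift 2
  [ -e "$store/done" ] || return 1
  if [ -e "$run/done" ]; then return 1; fi
  mkdir -p -- "$run"
  for k in "$@"; do
    cp -pf -- "$store/$k" "$run/"
  done
  touch -r "$store/done" "$run/done"
}
```

Run as root against the real paths, save_keys is what a polling loop like the one above would call once per iteration and load_keys is the oneshot to run before the key consumers start.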

