[Nix-dev] Distributing files between machines in a nixops deployment

Maarten Hoogendoorn maarten at moretea.nl
Sat Nov 19 18:08:23 CET 2016


I'm not pretending to be a NixOps expert, but I think the approach of
generating the secret in the "deployment" machine is good enough.
You could store the private key encrypted in a git repository. Have you
seen this [1] blog post? It describes how to do this in a team.

Best regards,
Maarten


2016-11-19 12:50 GMT+01:00 Marius Bergmann <marius at yeai.de>:

> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <marius at yeai.de>
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case an ssh
> >> server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
>
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
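An added example of the approach discussed above (generate every key once on the machine running nixops, keep them out of the Nix store, and let NixOps copy them over SSH); this is not code from the thread, and the `./secrets` directory, the machine names `backupclient`, `web1`, `db1` and the `backup` user are assumptions:

```nix
# Keys are created once on the deploying machine, for example with
#   ssh-keygen -t ed25519 -N "" -f ./secrets/backup_id_ed25519
#   ssh-keygen -t ed25519 -N "" -f ./secrets/host_web1_ed25519
# (the ./secrets path, host names and user name are assumptions).
let
  # Public halves may be read into the expression; they are not secret.
  backupPub = builtins.readFile ./secrets/backup_id_ed25519.pub;

  # Module for every machine the backup user logs into.
  backedUp = host: { ... }: {
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupPub ];
    };
    services.openssh.enable = true;
    # Use a pre-generated host key so the client can pin it in known_hosts
    # instead of trusting whatever sshd generates on first boot.
    services.openssh.hostKeys =
      [ { path = "/run/keys/ssh_host_ed25519_key"; type = "ed25519"; } ];
    # deployment.keys sends the file over SSH to /run/keys (a tmpfs),
    # so the private key never lands in the world-readable Nix store.
    deployment.keys.ssh_host_ed25519_key = {
      keyFile = ./secrets + "/host_${host}_ed25519";
      user = "root"; group = "root"; permissions = "0600";
    };
    # sshd must not start before NixOps has delivered the host key.
    systemd.services.sshd = {
      after = [ "ssh_host_ed25519_key-key.service" ];
      wants = [ "ssh_host_ed25519_key-key.service" ];
    };
  };
in {
  network.description = "backup client and two backed-up hosts";

  backupclient = { ... }: {
    users.groups.backup = {};
    users.users.backup = { isNormalUser = true; group = "backup"; };
    deployment.keys.backup_id_ed25519 = {
      keyFile = ./secrets/backup_id_ed25519;
      user = "backup"; group = "backup"; permissions = "0600";
    };
    # Pin the servers' public host keys; names resolve via the /etc/hosts
    # entries NixOps writes for machines in the same deployment.
    programs.ssh.knownHosts = {
      web1 = { hostNames = [ "web1" ]; publicKeyFile = ./secrets/host_web1_ed25519.pub; };
      db1  = { hostNames = [ "db1" ];  publicKeyFile = ./secrets/host_db1_ed25519.pub; };
    };
  };

  web1 = backedUp "web1";
  db1  = backedUp "db1";
}
```

The backup job on `backupclient` then uses `ssh -i /run/keys/backup_id_ed25519 backup@web1`, and the `./secrets` directory is what you would keep encrypted in git as Maarten suggests.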