[Nix-dev] NixOps - merge config files
Tomasz Czyż
tomasz.czyz at gmail.com
Thu Jun 9 11:36:13 CEST 2016
I'm not 100% sure as I'm pretty new to nixops, but probably if you put
credentials like that, they can end up in /nix/store.
As someone explained to me before, probably the only good way at the moment
to do that is to use deployment.keys.
Can anyone confirm that?
2016-06-09 10:31 GMT+01:00 4levels <4levels at gmail.com>:
> Hi,
>
> thank you for your swift reply!
> I'd like to avoid literally mentioning all sensitive config params in the
> network.nix config.
>
> What would be the "normal" procedure to recursively merge 2 attribute
> sets?
>
> So if I have in one file
> servers.nix: {
> vm01 = {
> services.symfony.platforms = {
> database = {
> username = "www";
> };
> };
> };
> }
>
> and in the other
> keys.nix: {
> vm01 = {
> services.symfony.platforms = {
> database = {
> password = "12345678";
> };
> };
> };
> }
>
> So they become one when building:
> {
> vm01 = {
> services.symfony.platforms = {
> database = {
> username = "www";
> password = "12345678";
> };
> };
> };
> }
>
> Kind regards,
>
> Erik
>
> On Thu, Jun 9, 2016 at 11:23 AM zimbatm <zimbatm at zimbatm.com> wrote:
>
>> Hi,
>>
>> I don’t know where you are getting this error. All I can do is suggest a
>> workaround:
>>
>> In keys.nix:
>>
>> {
>> database_password = "12345678";
>> }
>>
>> In network.nix:
>>
>> let
>> secrets = import ./keys.nix;
>> in
>> {
>> vm01 =
>> { config, pkgs, ... }:
>> {
>> services.symfony.platforms.database.password = secrets.database_password;
>>
>> ..
>> }
>> }
>>
>>
>>
>> On Thu, 9 Jun 2016 at 07:54 4levels <4levels at gmail.com> wrote:
>>
>>> Hi Nix Devs,
>>>
>>> I'm having some difficulties separating sensitive information from a nix
>>> expression used by NixOps.
>>>
>>> I keep the server config in a separate file, servers.nix:
>>> {
>>> vm01 =
>>> { config, pkgs, nodes, ... }:
>>> {
>>> deployment = {
>>> targetHost = "192.168.121.50";
>>> };
>>> ...
>>> }
>>> }
>>>
>>> Currently I have all relevant software config for each server in a nix
>>> expression platforms.nix as follows (where vm01 is the hostname):
>>> {
>>> vm01 =
>>> { config, pkgs, ... }:
>>> {
>>> services.symfony.platforms = {
>>> database = {
>>> username = "www";
>>> /* password = "1234567" -> moved to keys.nix */
>>> };
>>> ...
>>> }
>>> }
>>>
>>> I want to remove the sensitive info from this file and put it in a
>>> separate nix expression, e.g. keys.nix, maintaining the same structure so
>>> the files can be merged.
>>>
>>> In keys.nix I currently have
>>> {
>>> vm01 =
>>> { config, pkgs, ... }:
>>> {
>>> services.symfony.platforms.database.password = "12345678";
>>> ..
>>> }
>>> }
>>>
>>> I've modified my nixops deploy to have keys.nix loaded after the
>>> servers.nix and platforms.nix files, but I keep getting errors like "the
>>> attribute password does not exist".
>>>
>>> I must be overlooking something obvious as all the other files I define
>>> in my deploy are being merged correctly.
>>>
>>> Can anyone advise me on how to achieve this?
>>>
>>> The underlying reason is that I'm using git-crypt to encrypt the
>>> platforms.nix file, but this makes it impossible to work with branches (or
>>> git logs) etc. as the whole file is encrypted and git cannot merge binary
>>> files (it simply replaces them).
>>>
>>> Kind regards!
>>>
>>> Erik aka 4levels
>>>
>>> _______________________________________________
>>> nix-dev mailing list
>>> nix-dev at lists.science.uu.nl
>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>
>>
--
Tomasz Czyż
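Added example, not code from the thread: a network.nix that does the recursive merge Erik asks about with lib.recursiveUpdate, using the file names and vm01 values from the thread as constructed stand-ins (the `import <nixpkgs>` path and the wrapping into module functions are assumptions).

```nix
# network.nix: build the NixOps network by recursively merging the host
# attribute sets from servers.nix and keys.nix before NixOps sees them.
let
  lib = (import <nixpkgs> {}).lib;

  # Constructed stand-ins for the two files in the thread; in a real
  # deployment these would be `import ./servers.nix` and `import ./keys.nix`.
  servers = {
    vm01 = {
      deployment.targetHost = "192.168.121.50";
      services.symfony.platforms.database.username = "www";
    };
  };
  keys = {
    vm01 = {
      services.symfony.platforms.database.password = "12345678";
    };
  };

  # `servers // keys` would replace the whole `vm01` attribute with the one
  # from keys, dropping targetHost and username. lib.recursiveUpdate descends
  # into nested attribute sets and merges them leaf by leaf instead, so
  # database ends up as { username = "www"; password = "12345678"; }.
  merged = lib.recursiveUpdate servers keys;
in
  # NixOps expects each host to be a module ({ config, pkgs, ... }: { ... }),
  # so wrap every merged host attribute set in such a function.
  lib.mapAttrs (host: cfg: { config, pkgs, ... }: cfg) merged
```

The merge can be checked without deploying via `nix-instantiate --eval --strict -E '(import ./network.nix).vm01 { config = {}; pkgs = {}; }'`. As the reply above notes, a merged literal still reaches /nix/store through whatever derivation reads it, so `deployment.keys`, which copies the secret to the host outside the store at deploy time, remains the preferred route when the service can read it from a file.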