[Nix-dev] NixOps - merge config files
4levels
4levels at gmail.com
Thu Jun 9 18:57:16 CEST 2016
Hi Kevin,
Thanks for the extra info!
I was wondering though, if the generated config files do end up in
/nix/store anyway, does it even make a difference if I use the
deployment.keys method? Or is there another way to have eg. a php script
read from these keys without actually writing them out?
Symfony uses yml files, WordPress uses php files, and so on.. Each project
is defined as a service and I generate these files in my various let
statements..
Personally I don't mind these files sitting in /nix/store as I'm the only
one with ssh access to these machines..
Kind regards,
Erik
On Thu, Jun 9, 2016, 17:16 Kevin Cox <kevincox at kevincox.ca> wrote:
> On 09/06/16 11:03, 4levels wrote:
> > Hi Kevin,
> >
> > I'm very curious how you setup sensitive information using
> deployment.keys
> > This still seems like the best option to do this, but I failed to get
> > it working..
> >
> > Could you be so kind to post a small example, showing how you define
> > the keys and use them in functions that generate eg. a config file?
>
> Here are two examples where I read the key out of a secret directory
> (encrypted with git-crypt). Note that I don't generate any of my config
> files, but that is theoretically possible.
>
> deployment.keys.mesos.text = "root ${builtins.readFile
> ../secret/mesos-secret}";
> deployment.keys.sumologic.text = builtins.readFile ../secret/sumologic;
>
> And this example is importing a nix expression. Note that I'm not using
> deployment.keys so this is accessible to anyone (on the server) as it
> lands in the Nix store IIUC.
>
> networking.defaultMailServer = import ../secret/smtp.nix;
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160609/68f46e35/attachment.html>
More information about the nix-dev
mailing list