[Nix-dev] NixOps - merge config files

4levels 4levels at gmail.com
Fri Jun 10 13:07:20 CEST 2016


Hi Tomasz,

That sounds really interesting, I read the other threads and it seems like
I can implement this strategy.

I'm not yet 100% clear on how I can have the keys from /run/keys loaded in
the various configuration files.  For plain PHP config files like WordPress
uses, I'm sure a simple file_get_contents will do the trick.  I'm currently
experimenting with whether I can have Symfony parse yml files with embedded PHP
inside (to load e.g. the password).  Lumen / Laravel use .env files in the
root folder of the project, but probably that can also be skipped if the
config exists in the real PHP configuration files.

For node apps etc. I'm quite sure similar approaches must be viable to load
contents from key files stored in /run/keys.

I'm definitely going to implement the persistent key service as described
in the mentioned threads!

Kind regards and thanks again to all for your relentless efforts in helping
Nix "users" (vs. "developers")!

Erik

On Thu, Jun 9, 2016, 20:36 Tomasz Czyż <tomasz.czyz at gmail.com> wrote:

> Erik,
>
> https://nixos.org/nixops/manual/#opt-deployment.keys
>
> Deployment keys won't end up in the nix store, I think they are deployed using
> ssh just to /run/keys. They also will be removed after reboot as /run will
> disappear, until you set some other option.
>
> Also there was a thread on this list a few weeks ago when somebody posted a
> solution to preserve keys between reboots using systemd jobs.
>
> 2016-06-09 17:57 GMT+01:00 4levels <4levels at gmail.com>:
>
>> Hi Kevin,
>>
>> Thanks for the extra info!
>> I was wondering though, if the generated config files do end up in
>> /nix/store anyway, does it even make a difference if I use the
>> deployment.keys method? Or is there another way to have eg. a php script
>> read from these keys without actually writing them out?
>>
>> Symfony uses yml files, WordPress uses php files, and so on. Each
>> project is defined as a service and I generate these files in my various
>> let statements.
>>
>> Personally I don't mind these files sitting in /nix/store as I'm the only
>> one with ssh access to these machines.
>>
>> Kind regards,
>>
>>
>> Erik
>>
>> On Thu, Jun 9, 2016, 17:16 Kevin Cox <kevincox at kevincox.ca> wrote:
>>
>>> On 09/06/16 11:03, 4levels wrote:
>>> > Hi Kevin,
>>> >
>>> > I'm very curious how you setup sensitive information using
>>> deployment.keys
>>> > This still seems like the best option to do this, but I failed to get
>>> > it working..
>>> >
>>> > Could you be so kind to post a small example, showing how you define
>>> > the keys and use them in functions that generate eg. a config file?
>>>
>>> Here are two examples where I read the key out of a secret directory
>>> (encrypted with git-crypt). Note that I don't generate any of my config
>>> files, but that is theoretically possible.
>>>
>>> deployment.keys.mesos.text = "root ${builtins.readFile ../secret/mesos-secret}";
>>> deployment.keys.sumologic.text = builtins.readFile ../secret/sumologic;
>>>
>>> And this example is importing a nix expression. Note that I'm not using
>>> deployment.keys so this is accessible to anyone (on the server) as it
>>> lands in the Nix store IIUC.
>>>
>>> networking.defaultMailServer = import ../secret/smtp.nix;
>>>
>
>
> --
> Tomasz Czyż
>
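As an added example (not code from the thread or from NixOps itself), here is how the strategy discussed above could look in a NixOps network expression: the secret is shipped with deployment.keys so it only ever exists in /run/keys on the target, while the generated WordPress config, which does land in /nix/store, contains just the path of the key and reads it at request time with file_get_contents. The options deployment.keys.<name>.keyFile/user/group/permissions and the keys.target unit are NixOps 1.x features; the secret file path, the "wordpress" user and the phpfpm-wordpress service name are assumptions.

```nix
{
  webserver = { config, pkgs, ... }: {
    # The secret is read from a local file at deploy time and copied over SSH
    # straight to /run/keys/wp-db-password on the target; it never enters the
    # Nix store. ../secret/wp-db-password is an assumed path (e.g. git-crypt'ed).
    deployment.keys."wp-db-password" = {
      keyFile = ../secret/wp-db-password;
      user = "wordpress";        # assumed service user
      group = "wordpress";
      permissions = "0400";
    };

    # This generated config DOES land in /nix/store (world-readable), so it
    # must contain only the path of the key, never its contents.
    environment.etc."wordpress/db-config.php".source =
      pkgs.writeText "db-config.php" ''
        <?php
        // Read the secret at request time; it is not baked into this file.
        $keyFile = '/run/keys/wp-db-password';
        if (!is_readable($keyFile)) {
            throw new RuntimeException("key file not readable: $keyFile");
        }
        // trim() drops the trailing newline most editors add to the key file.
        define('DB_PASSWORD', trim(file_get_contents($keyFile)));
      '';

    # Anything that needs the key must start after NixOps has uploaded it;
    # keys.target is reached once every deployment.keys entry is in place.
    systemd.services.phpfpm-wordpress = {   # assumed service name
      after = [ "keys.target" ];
      wants = [ "keys.target" ];
    };
  };
}
```

The permissions of 0400 for the service user are what keep the secret from other local accounts, since /nix/store offers no such protection. As Tomasz notes above, /run/keys is a tmpfs and is emptied on reboot, so the service will block on keys.target until the next `nixops deploy` (or the persistence job from the earlier thread) puts the key back.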