[Nix-dev] Setting default group & permissions on deployment.keys

4levels 4levels at gmail.com
Tue Jun 14 12:28:31 CEST 2016


Hi Tomasz,

it is from that exact same link you posted that I was reading the defaults.
Isn't there any better way to override these defaults?  They are clearly
defined in the file you linked to.

The approach as posted by Rob seems to work but requires that all keys are
stored in a single directory, which are then copied to the /run/keys folder
on the target machine.

Since the deployment of these keys has its own procedure (other services
need to wait for the keys to be copied completely) I'm currently not sure
if doing it Rob's way will preserve this behavior.

To be continued ;-)

Erik

On Tue, Jun 14, 2016 at 12:17 PM Tomasz Czyż <tomasz.czyz at gmail.com> wrote:

> https://nixos.org/nixops/manual/#opt-deployment.keys._name_.user
>
> 2016-06-14 11:12 GMT+01:00 4levels <4levels at gmail.com>:
>
>> Hi Rob,
>>
>> thank you for your swift reply!
>> Does this mean I'm actually overriding the default keys behavior as
>> defined in https://github.com/NixOS/nixops/blob/master/nix/keys.nix ?
>> I was kind of hoping to be able to write something like
>>
>> deployment.keys.*.group = "keys";
>> deployment.keys.*.permissions = "0640";
>>
>> I'll give it a try and post back here.
>>
>> Kind regards,
>>
>> Erik
>>
>> On Tue, Jun 14, 2016 at 12:06 PM Rob Vermaas <rob.vermaas at gmail.com>
>> wrote:
>>
>>> Hi Erik,
>>>
>>> > Is there a way to define a default group and permissions for all keys
>>> > without me specifying this for each key individually?
>>> > I'm currently well over 200 keys per machine so adding the group and
>>> > permissions for each key is quite elaborate..
>>>
>>> You could do something like:
>>>
>>>       deployment.keys =
>>>         let
>>>           keyDir = /path/to/dir/with/my/keys;
>>>           keys = builtins.attrNames
>>>             (lib.filterAttrs (n: v: v == "regular") (builtins.readDir keyDir));
>>>         in with lib; listToAttrs (map (n: nameValuePair n {
>>>           text = builtins.readFile (keyDir + ("/" + n));
>>>           group = "keys";
>>>           permissions = "0640";
>>>         }) keys);
>>>
>>> This would upload all files in /path/to/dir/with/my/keys to the
>>> machine in /run/keys. Note I didn't test this, so it might have some
typos, but hope the idea is clear. It's an adapted piece copied from
>>> something similar we are using.
>>>
>>> Cheers,
>>> --
>>> Rob Vermaas
>>>
>>> [email] rob.vermaas at gmail.com
>>>
>>
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>
>
>
> --
> Tomasz Czyż
>
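The pattern Rob sketches, written out as an added example (not code from the thread or from NixOps itself): one set of defaults for `user`, `group` and `permissions` is merged into every key read from a directory, and a small attribute set of per-key overrides covers the few keys that need something tighter. The `./keys` directory, the `db-password` key and its override are assumptions for illustration; `lib` is taken from the module arguments as in any NixOS/NixOps module.

```nix
{ config, lib, ... }:

let
  # Directory with one file per key (hypothetical path, relative to this module).
  keyDir = ./keys;

  # Defaults applied to every key. "keys" is the group used in the thread and
  # 0640 lets members of that group read the key without making it world-readable.
  keyDefaults = {
    user = "root";
    group = "keys";
    permissions = "0640";
  };

  # Per-key overrides for the few keys that need a different owner or mode
  # (constructed example: a key only the postgres user may read).
  overrides = {
    "db-password" = { user = "postgres"; permissions = "0600"; };
  };

  # Only regular files count as keys; builtins.readDir maps name -> file type.
  keyNames = lib.attrNames
    (lib.filterAttrs (_: type: type == "regular") (builtins.readDir keyDir));

  # Defaults first, then the file contents, then any override for this name.
  mkKey = name:
    keyDefaults
    // { text = builtins.readFile (keyDir + "/${name}"); }
    // (overrides.${name} or { });
in
{
  # lib.genAttrs builds { <name> = mkKey <name>; ... } for every key file.
  deployment.keys = lib.genAttrs keyNames mkKey;
}
```

Because this only populates `deployment.keys` with the same attributes that would otherwise be written per key by hand, NixOps still uploads the keys to `/run/keys` through its usual procedure; nothing about how or when the keys arrive on the target changes, only how the 200-odd entries are generated.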