[Nix-dev] Setting default group & permissions on deployment.keys

4levels 4levels at gmail.com
Tue Jun 14 13:39:49 CEST 2016


Hi Tomasz,

I'm definitely going to look into mkDefault as that sounds exactly like
what I need ;-)

Thanks for the pointer!

Erik aka 4levels

On Tue, Jun 14, 2016 at 1:21 PM Tomasz Czyż <tomasz.czyz at gmail.com> wrote:

> Hey Erik,
>
> oh ok, I see.
> Another way you could try, you can write a function to make a key
> description.
>
> let
>   make-my-key = { text, group }: {
>     user = "root"; text = text; group = group; permissions = "640";
>   };
> in
>
>
> and then
>
>   deployment.keys.my-key = make-my-key {group="nginx"; text="secret";};
>
> There is also "mkDefault" function in nix but I don't know how to apply
> this correctly in this case.
>
> 2016-06-14 11:28 GMT+01:00 4levels <4levels at gmail.com>:
>
>> Hi Tomasz,
>>
>> it is from that exact same link you posted that I was reading the
>> defaults.
>> Isn't there any better way to override these defaults?  They are clearly
>> defined in the file you linked to.
>>
>> The approach as posted by Rob seems to work but requires that all keys
>> are stored in a single directory, which are then copied to the /run/keys
>> folder on the target machine.
>>
>> Since the deployment of these keys has its own procedure (other services
>> need to wait for the keys to be copied completely) I'm currently not sure
>> if doing it Rob's way will preserve this behavior.
>>
>> To be continued ;-)
>>
>> Erik
>>
>> On Tue, Jun 14, 2016 at 12:17 PM Tomasz Czyż <tomasz.czyz at gmail.com>
>> wrote:
>>
>>> https://nixos.org/nixops/manual/#opt-deployment.keys._name_.user
>>>
>>> 2016-06-14 11:12 GMT+01:00 4levels <4levels at gmail.com>:
>>>
>>>> Hi Rob,
>>>>
>>>> thank you for your swift reply!
>>>> Does this mean I'm actually overriding the default keys behavior as
>>>> defined in https://github.com/NixOS/nixops/blob/master/nix/keys.nix ?
>>>> I was kind of hoping to be able to write something like
>>>>
>>>> deployment.keys.*.group = "keys";
>>>> deployment.keys.*.permissions = "0640";
>>>>
>>>> I'll give it a try and post back here.
>>>>
>>>> Kind regards,
>>>>
>>>> Erik
>>>>
>>>> On Tue, Jun 14, 2016 at 12:06 PM Rob Vermaas <rob.vermaas at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Erik,
>>>>>
>>>>> > Is there a way to define a default group and permissions for all keys
>>>>> > without me specifying this for each key individually?
>>>>> > I'm currently well over 200 keys per machine so adding the group and
>>>>> > permissions for each key is quite elaborate..
>>>>>
>>>>> You could do something like:
>>>>>
>>>>>       deployment.keys =
>>>>>         let
>>>>>           keyDir = /path/to/dir/with/my/keys;
>>>>>           keys = builtins.attrNames
>>>>>             (lib.filterAttrs (n: v: v == "regular") (builtins.readDir keyDir));
>>>>>         in with lib; listToAttrs (map (n: nameValuePair n {
>>>>>           text = builtins.readFile (keyDir + ("/" + n));
>>>>>           group = "keys";
>>>>>           permissions = "0640";
>>>>>         }) keys);
>>>>>
>>>>> This would upload all files in /path/to/dir/with/my/keys to the
>>>>> machine in /run/keys. Note I didn't test this, so it might have some
>>>>> typos, but hope the idea is clear. It's an adapted piece copied from
>>>>> something similar we are using.
>>>>>
>>>>> Cheers,
>>>>> --
>>>>> Rob Vermaas
>>>>>
>>>>> [email] rob.vermaas at gmail.com
>>>>>
>>>>
>>>> _______________________________________________
>>>> nix-dev mailing list
>>>> nix-dev at lists.science.uu.nl
>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Tomasz Czyż
>>>
>>
>
>
> --
> Tomasz Czyż
>
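As an added example (not code posted in this thread), here is one way to put the two suggestions together: Rob's directory scan to generate the key set, and the lib.mkDefault function Tomasz mentioned to give every key a shared user, group and mode that a single key can still override without the two definitions colliding. The ./keys directory and the key name nginx-tls.key are placeholders.

```nix
# Machine module for a NixOps network file. Assumed layout: one file per key
# under ./keys (placeholder path); the file name becomes the key name.
{ lib, ... }:

let
  keyDir = ./keys;

  # Names of the regular files in keyDir (same idea as Rob's snippet).
  keyNames = builtins.attrNames
    (lib.filterAttrs (_: type: type == "regular") (builtins.readDir keyDir));

  # Shared defaults for every key. mkDefault gives these a lower priority
  # than an ordinary definition, so a plain `group = "nginx";` for one key
  # wins over the default instead of producing a conflicting-definition error.
  mkKey = name: {
    text = builtins.readFile (keyDir + "/${name}");
    user = lib.mkDefault "root";
    group = lib.mkDefault "keys";
    permissions = lib.mkDefault "0640";   # owner rw, group r, no access for others
  };
in
{
  # mkMerge lets the generated set and the single per-key override be
  # combined by the module system rather than by `//`, which would replace
  # the whole entry for that key.
  deployment.keys = lib.mkMerge [
    (lib.genAttrs keyNames mkKey)
    { "nginx-tls.key".group = "nginx"; }   # placeholder key; only its group differs
  ];
}
```

Every other key keeps user root, group keys and mode 0640; only nginx-tls.key ends up group-readable by nginx.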