[Nix-dev] NixOps - secret/credentials management

Rob Vermaas rob.vermaas at gmail.com
Thu May 12 11:43:44 CEST 2016


Hi Tomasz,

> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in nix store. Is there
> any way to deploy secrets to machines and not use nix store?
>
> I know there is solution to deploy disk encryption keys which is stored in
> state file, but what about other secrets? Is there any general way to handle
> that?
>
> I thought that I could do that using "nixops ssh" feature, but I would like
> to describe those credentials in network.nix file, is that possible?

You can use deployment.keys.* options for this purpose, e.g. you can
add the following option to your machine config:

  deployment.keys."robs-little-secret.key".text = builtins.readFile ./robs-little-secret.key;

When deploying with nixops, nixops will put the contents of
./robs-little-secret.key in /run/keys/robs-little-secret.key . Note
that this is a location on a tmpfs, so if you want to have it on a
persistent disk, you'll need to copy it to a location of your
choosing. Nixops creates systemd service called
systemd.services.nixops-keys, which is a service that waits until
nixops has pushed the keys. You can add a postStart script to it,
e.g.:

  systemd.services.nixops-keys.postStart = "cp /run/keys/robs-little-secret.key /root/";

You could also add a systemd service that depends on this nixops-keys
service, and do something similar.

Cheers,
Rob

-- 
Rob Vermaas

[email] rob.vermaas at gmail.com
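An added example, not from Rob's reply or the NixOps project, that puts the two pieces of his answer together in one network.nix: a deployment.keys entry whose content is read on the deploying machine (so it is pushed over SSH and never lands in the world-readable Nix store), and a separate systemd unit that is ordered after the nixops-keys service instead of assuming /run/keys is already populated. The host name, target address, secret file path and the "app" user are constructed placeholders; the user/group/permissions attributes are NixOps 1.x key options beyond the .text attribute shown above, assumed to be available in the reader's version.

```nix
# network.nix (added example; names, address and paths are placeholders)
{
  webserver = { config, pkgs, ... }: {
    deployment.targetHost = "192.0.2.10";   # constructed address

    # Read at deploy time on the deployer and pushed to /run/keys on the
    # target; the contents do not become a store path.
    deployment.keys."app-db-password" = {
      text = builtins.readFile ./secrets/app-db-password;   # assumed local file
      user = "app";          # owner on the target (assumed service user)
      group = "app";
      permissions = "0400";  # readable only by that user
    };

    users.users.app = { isSystemUser = true; group = "app"; };
    users.groups.app = {};

    # /run/keys is a tmpfs: after a reboot the key is absent until nixops
    # pushes it again, so the consumer waits for nixops-keys and checks that
    # the file is readable before starting, rather than starting without it.
    systemd.services.app = {
      description = "example service that reads its DB password from /run/keys";
      wantedBy = [ "multi-user.target" ];
      after = [ "nixops-keys.service" "network.target" ];
      wants = [ "nixops-keys.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        User = "app";
        Group = "app";
        # Fail loudly if the key has not been pushed yet.
        ExecStartPre = "${pkgs.coreutils}/bin/test -r /run/keys/app-db-password";
        # Placeholder for the real daemon; it would read the file itself.
        ExecStart = "${pkgs.coreutils}/bin/wc -c /run/keys/app-db-password";
      };
    };
  };
}
```

Deploy with "nixops create ./network.nix -d example" followed by "nixops deploy -d example". Ordering the consumer after nixops-keys.service (rather than copying into /root in a postStart) keeps the secret on the tmpfs with the restrictive ownership NixOps applied; if the service does need a persistent copy, the postStart approach from the reply applies, and the destination should carry the same owner and mode.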

