[Nix-dev] Distributing files between machines in a nixops deployment
Thomas Hunger
tehunger at gmail.com
Sun Nov 20 17:52:38 CET 2016
Key distribution in NixOps is a bit weak but there is:
https://nixos.org/nixops/manual/#opt-deployment.keys
From your description you might also be interested in setting up a CA to
sign your user keys instead. E.g. [1] or [2]
~
[1]
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
[2]
https://blog-habets-se.blogspot.de/2011/07/openssh-certificates.html
On 19 November 2016 at 17:23, Marius Bergmann <marius at yeai.de> wrote:
> You did not attach a link to your mail, but I guess you mean
> https://blog.wearewizards.io/how-to-use-nixops-in-a-team ?
>
>
> On 2016-11-19 18:08, Maarten Hoogendoorn wrote:
> > I'm not pretending to be a NixOps expert, but I think the approach of
> > generating the secret in the "deployment" machine is good enough.
> > You could store the private key encrypted in a git repository. Have you
> > seen this [1] blog post? It describes how to do this in a team.
> >
> > Best regards,
> > Maarten
> >
> >
> > 2016-11-19 12:50 GMT+01:00 Marius Bergmann <marius at yeai.de
> > <mailto:marius at yeai.de>>:
> >
> > On 2016-11-19 12:46, Arnold Krille wrote:
> > > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <marius at yeai.de
> > <mailto:marius at yeai.de>>
> > > wrote:
> > >> Is it possible to declare the distribution of a file (in my case
> > a ssh
> > >> server/client public key) to different machines in a nixops
> > >> deployment?
> > >>
> > >> I want to create a client keypair on one machine and then
> authorize
> > >> the public part on several other machines in the deployment. Those
> > >> other machines' public server keys should also be added to the
> > >> known_hosts of the machine logging into them.
> > >>
> > >> I know I could create all the keypairs on the machine running
> nixops
> > >> and send both the public as well as the private keys over the
> > >> network, but I would like to find out if there's a way around it.
> > >
> > > I think this is one of the things you don't do/want with
> Nix/NixOps as
> > > this is essentially self-modifying deployment. Which makes the
> > > deployment non-deterministic and unreproducible in the strict
> sense.
> > > With deployment-/configuration-management systems that have a
> central
> > > node and database, like chef and puppet can have, you can do such
> > > things. For Nix this is counter-intuitive.
> > >
> > > - Arnold
> >
> > Do you have a recommendation on how to handle my use case then? In
> > practice, I need this to allow the backup user to log into the
> machines
> > being backed up. Would you use a central location for all the key
> pairs?
> > _______________________________________________
> > nix-dev mailing list
> > nix-dev at lists.science.uu.nl <mailto:nix-dev at lists.science.uu.nl>
> > http://lists.science.uu.nl/mailman/listinfo/nix-dev
> > <http://lists.science.uu.nl/mailman/listinfo/nix-dev>
> >
> >
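The deployment.keys approach Thomas points to above, as an added example that is not part of the thread: the backup machine receives the private key via the NixOps key service (pushed over its SSH channel at deploy time, never written to the Nix store), the backed-up machines get only the public half in authorizedKeys, and the backup machine pins their host keys instead of trusting on first use. Machine names (backup, web1), the user name and the ./secrets paths on the deployer are assumptions.

```nix
# Added example, not from the thread: NixOps network expression distributing
# one backup SSH key pair. Machine names and ./secrets paths are assumptions.
{
  # The machine that runs the backups holds the private key.
  backup = { config, pkgs, ... }: {
    # Read on the deployer, sent to /run/keys/backup-ssh-key on the target,
    # owned by the backup user and readable only by it.
    deployment.keys.backup-ssh-key = {
      keyFile = ./secrets/backup_ed25519;   # assumed path on the deployer
      user = "backup";
      group = "backup";
      permissions = "0400";
    };
    users.groups.backup = {};
    users.users.backup = {
      isNormalUser = true;
      group = "backup";
    };
    # Pin the server host key of each machine being backed up so the backup
    # user never has to accept an unknown host key interactively.
    programs.ssh.knownHosts.web1 = {
      hostNames = [ "web1" ];
      publicKeyFile = ./secrets/web1_host_ed25519.pub;  # assumed path
    };
  };

  # Each backed-up machine only ever receives the public half of the key.
  web1 = { config, pkgs, ... }: {
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ ./secrets/backup_ed25519.pub ];
    };
  };
}
```

The private key still leaves the deployer, which is the part Marius wanted to avoid, but it travels only over NixOps's own SSH connection and lands in /run/keys rather than in the world-readable store; the public keys may go into the store freely.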