[Nix-dev] Distributing files between machines in a nixops deployment

Thomas Hunger tehunger at gmail.com
Sun Nov 20 17:52:38 CET 2016


Key distribution in NixOps is a bit weak but there is:
https://nixos.org/nixops/manual/#opt-deployment.keys

From your description you might also be interested in setting up a CA to
sign your user keys instead. E.g. [1] or [2]

~

[1]
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

[2]
https://blog-habets-se.blogspot.de/2011/07/openssh-certificates.html
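As an added example (not from the thread, nor from the NixOps manual), here is what the deployment.keys approach linked above looks like for Marius's backup-user case: the key pair is generated once on the machine running nixops, the private half is pushed with deployment.keys, the public half goes into the targets' authorized keys, and the targets' host keys are pinned in the backup machine's known_hosts. The host names, the ./secrets and ./hostkeys paths and the virtualbox target are assumptions.

```nix
# Added example, not part of the original thread. Assumed layout next to this
# file: ./secrets/backup_ed25519{,.pub} (generated with ssh-keygen on the
# nixops machine) and ./hostkeys/<host>.pub (each target's host public key).
let
  targets = [ "web1" "db1" ];

  # Public key only: reading it into the expression is fine, it is not secret.
  backupPub = builtins.readFile ./secrets/backup_ed25519.pub;

  # Every machine being backed up gets a restricted backup account that
  # accepts exactly the distributed public key.
  mkTarget = host: { ... }: {
    deployment.targetEnv = "virtualbox";   # placeholder target environment
    services.openssh.enable = true;
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupPub ];
    };
  };
in
{
  network.description = "backup key distribution";

  # The machine that logs into the others.
  backup = { ... }: {
    deployment.targetEnv = "virtualbox";
    users.users.backup.isNormalUser = true;

    # keyFile is copied over the nixops SSH channel at deploy time and ends
    # up in /run/keys/backup_ed25519, outside the Nix store. Do NOT use
    # `text = builtins.readFile ./secrets/backup_ed25519`: that would embed
    # the private key in a world-readable store path on every machine.
    deployment.keys."backup_ed25519" = {
      keyFile = ./secrets/backup_ed25519;
      user = "backup";
      group = "root";
      permissions = "0400";
    };

    # Pin each target's host key so the first backup run never has to
    # trust-on-first-use; the key files are checked in alongside the network.
    programs.ssh.knownHosts = builtins.listToAttrs (map (host: {
      name = host;
      value.publicKeyFile = ./hostkeys + "/${host}.pub";
    }) targets);
  };
}
// builtins.listToAttrs (map (host: { name = host; value = mkTarget host; }) targets)
```

The backup job on the `backup` host then points ssh at `/run/keys/backup_ed25519` (keys are deployed before the `keys.target` unit, so a service that needs the key should order itself after that target).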



On 19 November 2016 at 17:23, Marius Bergmann <marius at yeai.de> wrote:

> You did not attach a link to your mail, but I guess you mean
> https://blog.wearewizards.io/how-to-use-nixops-in-a-team ?
>
>
> On 2016-11-19 18:08, Maarten Hoogendoorn wrote:
> > I'm not pretending to be a NixOps expert, but I think the approach of
> > generating the secret in the "deployment" machine is good enough.
> > You could store the private key encrypted in a git repository. Have you
> > seen this [1] blog post? It describes how to do this in a team.
> >
> > Best regards,
> > Maarten
> >
> >
> > 2016-11-19 12:50 GMT+01:00 Marius Bergmann <marius at yeai.de
> > <mailto:marius at yeai.de>>:
> >
> >     On 2016-11-19 12:46, Arnold Krille wrote:
> >     > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <marius at yeai.de
> >     <mailto:marius at yeai.de>>
> >     > wrote:
> >     >> Is it possible to declare the distribution of a file (in my case
> >     a ssh
> >     >> server/client public key) to different machines in a nixops
> >     >> deployment?
> >     >>
> >     >> I want to create a client keypair on one machine and then
> authorize
> >     >> the public part on several other machines in the deployment. Those
> >     >> other machines' public server keys should also be added to the
> >     >> known_hosts of the machine logging into them.
> >     >>
> >     >> I know I could create all the keypairs on the machine running
> nixops
> >     >> and send both the public as well as the private keys over the
> >     >> network, but I would like to find out if there's a way around it.
> >     >
> >     > I think this is one of the things you don't do/want with
> Nix/NixOps as
> >     > this is essentially self-modifying deployment. Which makes the
> >     > deployment non-deterministic and unreproducible in the strict
> sense.
> >     > With deployment-/configuration-management systems that have a
> central
> >     > node and database, like chef and puppet can have, you can do such
> >     > things. For Nix this is counter-intuitive.
> >     >
> >     > - Arnold
> >
> >     Do you have a recommendation on how to handle my use case then? In
> >     practice, I need this to allow the backup user to log into the
> machines
> >     being backed up. Would you use a central location for all the key
> pairs?
> >     _______________________________________________
> >     nix-dev mailing list
> >     nix-dev at lists.science.uu.nl <mailto:nix-dev at lists.science.uu.nl>
> >     http://lists.science.uu.nl/mailman/listinfo/nix-dev
> >     <http://lists.science.uu.nl/mailman/listinfo/nix-dev>
> >
> >
>