[Nix-dev] Including SSL certificates with NixOS configuration

Tomasz Czyż tomasz.czyz at gmail.com
Tue Sep 13 00:18:00 CEST 2016


Wilhelm,

All files written by Nix (or maybe almost all) end up in /nix/store and are
world-readable, which is not the best way to keep secrets.

You have to deploy secrets manually, or you could use NixOps (and
deployment.keys) to deploy a server with NixOS and deploy keys/secrets.

2016-09-12 22:54 GMT+01:00 Wilhelm Schuster <ws at wilhelm.re>:

> Hi,
>
> I’m quite new to Nix/NixOS; coming from Archlinux I like being able to
> configure my system in a declarative manner. I tried setting up a small web
> server using nginx and I hit an interesting challenge:
>
> What would be a good way to include SSL certificates with the NixOS
> configuration? I’d like to have all my system configuration inside a couple
> of nix expressions to easily be able to move between different systems. I
> figured I’d have a separate .nix file which includes all certificates,
> dhparams, etc. as strings (PEM) which I import into my main
> configuration.nix. I found builtins.toFile for writing a certificate file
> from a string, but there doesn’t seem to be a way to set permissions, which would
> be important for private certificates (chmod 400).
>
> How would you solve this? Is this even the right approach?
>
> Thanks and cheers, Wilhelm Schuster.



-- 
Tomasz Czyż
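
The NixOps route suggested in the reply above, shown next to the store-based approach from the question. This is an added example, not code from the thread; the host name, file paths and the key name "example-tls-key" are placeholders, and it assumes a NixOS release that has `services.nginx.virtualHosts`.

```nix
# NixOps network expression (added example; all names are placeholders).
{
  webserver = { config, pkgs, ... }: {
    deployment.targetHost = "webserver.example.org";

    # Weak: builtins.toFile copies the PEM text into /nix/store, where every
    # local user can read it regardless of the permissions nginx expects.
    #   sslCertificateKey =
    #     builtins.toFile "tls.key" (builtins.readFile ./secrets/tls.key);

    # Corrected: NixOps uploads this text over SSH at deploy time and writes
    # it to /run/keys/example-tls-key, outside the Nix store.
    deployment.keys."example-tls-key" = {
      text = builtins.readFile ./secrets/tls.key;
      user = "nginx";
      group = "nginx";
      permissions = "0400";
    };

    # /run/keys can only be entered by root and members of the "keys" group.
    users.users.nginx.extraGroups = [ "keys" ];

    services.nginx = {
      enable = true;
      virtualHosts."example.org" = {
        onlySSL = true;
        # The certificate is public, so a store path is acceptable here.
        sslCertificate = ./certs/example.org.crt;
        # The private key is referenced by its runtime path, not a store path.
        sslCertificateKey = "/run/keys/example-tls-key";
      };
    };
  };
}
```

Files under /run/keys live in memory and are gone after a reboot; `nixops send-keys` uploads them again.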