
List:       nix-dev
Subject:    Re: [Nix-dev] Distributing files between machines in a nixops deployment
From:       Maarten Hoogendoorn <maarten () moretea ! nl>
Date:       2016-11-19 17:08:23
Message-ID: CAHcRk1KzDfaaxr0QyEoEAHvSm+tsawvFh-KKRdb1DMOXdZd=iA () mail ! gmail ! com


I'm not pretending to be a NixOps expert, but I think the approach of
generating the secret in the "deployment" machine is good enough.
You could store the private key encrypted in a git repository. Have you
seen this [1] blog post? It describes how to do this in a team.

Best regards,
Maarten


2016-11-19 12:50 GMT+01:00 Marius Bergmann <marius@yeai.de>:

> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <marius@yeai.de>
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case an ssh
> >> server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
>
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
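A concrete form of the approach Maarten describes, as an added example that is not part of the thread: every keypair is generated on the deployment machine with ssh-keygen, the public halves are committed, the private key is kept encrypted in the repository and decrypted before `nixops deploy`, and NixOps' `deployment.keys` carries it to the backup host while the other machines only ever see the public key. The machine names web1/db1, the `secrets/` paths and the virtualbox target are assumptions.

```nix
let
  lib = import <nixpkgs/lib>;
  targets = [ "web1" "db1" ];   # machines being backed up (assumed names)
  # Public half of the client keypair; committed in the clear.
  backupPubKey = builtins.readFile ./secrets/backup_ed25519.pub;

  # Module for each machine that gets backed up: accept the backup key
  # only for a dedicated, unprivileged "backup" user.
  mkTarget = name: { ... }: {
    deployment.targetEnv = "virtualbox";
    services.openssh.enable = true;
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupPubKey ];
    };
  };
in
{
  network.description = "backup key distribution";

  # The machine that initiates backups is the only one holding the private key.
  backup = { ... }: {
    deployment.targetEnv = "virtualbox";

    # deployment.keys ships the file over nixops' own SSH session rather than
    # through the world-readable Nix store, into /run/keys on the target.
    # Backup jobs then run: ssh -i /run/keys/backup_ed25519 backup@web1
    deployment.keys.backup_ed25519 = {
      keyFile = ./secrets/backup_ed25519;   # decrypted copy on the deploy host
      user = "backup";
      group = "backup";
      permissions = "0400";
    };

    users.groups.backup = {};
    users.users.backup = { isNormalUser = true; group = "backup"; };

    # Pin each target's host key from a committed public key file (collected
    # once from the machines), so the client never has to accept an unknown
    # host key on first contact. Deployment machine names resolve via the
    # /etc/hosts entries nixops generates.
    programs.ssh.knownHosts = lib.listToAttrs (map (name: {
      inherit name;
      value = {
        hostNames = [ name ];
        publicKeyFile = ./secrets/host_keys + "/${name}.pub";
      };
    }) targets);
  };
}
// lib.listToAttrs (map (name: { inherit name; value = mkTarget name; }) targets)
```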





