[prev in list] [next in list] [prev in thread] [next in thread]
List: nix-dev
Subject: Re: [Nix-dev] Distributing files between machines in a nixops deployment
From: Maarten Hoogendoorn <maarten () moretea ! nl>
Date: 2016-11-19 17:08:23
Message-ID: CAHcRk1KzDfaaxr0QyEoEAHvSm+tsawvFh-KKRdb1DMOXdZd=iA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
I'm not pretending to be a NixOps expert, but I think the approach of
generating the secret in the "deployment" machine is good enough.
You could store the private key encrypted in a git repository. Have you
seen this [1] blog post? It describes how to do this in a team.
Best regards,
Maarten
2016-11-19 12:50 GMT+01:00 Marius Bergmann <marius@yeai.de>:
> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <marius@yeai.de>
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case a ssh
> >> server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
>
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
[Attachment #5 (text/html)]
<div dir="ltr"><div>I'm not pretending to be a NixOps expert, but I think the \
approach of generating the secret in the "deployment" machine is good \
enough.</div><div>You could store the private key encrypted in a git repository. Have \
you seen this [1] blog post? It describes how to do this in a \
team.<br></div><div><br></div><div>Best \
regards,</div><div>Maarten</div><div><br></div></div><div \
class="gmail_extra"><br><div class="gmail_quote">2016-11-19 12:50 GMT+01:00 Marius \
Bergmann <span dir="ltr"><<a href="mailto:marius@yeai.de" \
target="_blank">marius@yeai.de</a>></span>:<br><blockquote class="gmail_quote" \
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2016-11-19 \
12:46, Arnold Krille wrote:<br> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius \
Bergmann <<a href="mailto:marius@yeai.de">marius@yeai.de</a>><br> > \
wrote:<br> >> Is it possible to declare the distribution of a file (in my case \
a ssh<br> >> server/client public key) to different machines in a nixops<br>
>> deployment?<br>
>><br>
>> I want to create a client keypair on one machine and then authorize<br>
>> the public part on several other machines in the deployment. Those<br>
>> other machines' public server keys should also be added to the<br>
>> known_hosts of the machine logging into them.<br>
>><br>
>> I know I could create all the keypairs on the machine running nixops<br>
>> and send both the public as well as the private keys over the<br>
>> network, but I would like to find out if there's a way around it.<br>
><br>
> I think this is one of the things you don't do/want with Nix/NixOps as<br>
> this is essentially self-modifying deployment. Which makes the<br>
> deployment non-deterministic and unreproducible in the strict sense.<br>
> With deployment-/configuration-<wbr>management systems that have a central<br>
> node and database, like chef and puppet can have, you can do such<br>
> things. For Nix this is counter-intuitive.<br>
><br>
> - Arnold<br>
<br>
Do you have a recommendation on how to handle my use case then? In<br>
practice, I need this to allow the backup user to log into the machines<br>
being backed up. Would you use a central location for all the key pairs?<br>
______________________________<wbr>_________________<br>
nix-dev mailing list<br>
<a href="mailto:nix-dev@lists.science.uu.nl">nix-dev@lists.science.uu.nl</a><br>
<a href="http://lists.science.uu.nl/mailman/listinfo/nix-dev" rel="noreferrer" \
target="_blank">http://lists.science.uu.nl/<wbr>mailman/listinfo/nix-dev</a><br> \
</blockquote></div><br></div>
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic