Hi Tomasz,

> I wanted to deploy some secrets/certificates to machines and I'm not sure
> how to do that. I would like to avoid storing those in the nix store. Is there
> any way to deploy secrets to machines and not use the nix store?
>
> I know there is a solution to deploy disk encryption keys which are stored in
> the state file, but what about other secrets? Is there any general way to handle
> that?
>
> I thought that I could do that using the "nixops ssh" feature, but I would like
> to describe those credentials in the network.nix file, is that possible?
You can use the deployment.keys.* options for this purpose, e.g. you can add the following option to your machine config:

    deployment.keys."robs-little-secret.key".text = builtins.readFile ./robs-little-secret.key;

When deploying with nixops, nixops will put the contents of ./robs-little-secret.key in /run/keys/robs-little-secret.key. Note that this is a location on a tmpfs, so if you want to have it on a persistent disk, you'll need to copy it to a location of your choosing.

Nixops creates a systemd service called systemd.services.nixops-keys, which is a service that waits until nixops has pushed the keys. You can add a postStart script to it, e.g.:

    systemd.services.nixops-keys.postStart = "cp /run/keys/robs-little-secret.key /root/";

You could also add a systemd service that depends on this nixops-keys service, and do something similar.

Cheers,
Rob

--
Rob Vermaas
[email] rob.verm...@gmail.com

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
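As an added illustration of the pieces Rob describes (this is example code, not Rob's own snippet and not part of NixOps itself), here is a minimal network.nix that pushes a key via deployment.keys and persists it from the tmpfs /run/keys with a separate unit ordered after nixops-keys, rather than editing nixops-keys.postStart. The machine name "web", the placeholder host name, the destination directory /var/lib/secrets and the "permissions" sub-option of deployment.keys are assumptions; only the .text option, /run/keys and the nixops-keys service come from the reply.

```nix
{
  # Added example, not from the original reply. Assumed names: machine "web",
  # placeholder target host, destination /var/lib/secrets, and the
  # deployment.keys.<name>.permissions option (not mentioned in the reply).
  web =
    { config, pkgs, ... }:
    {
      deployment.targetHost = "web.example.invalid";   # placeholder host

      # The key is read at evaluation time from a file next to network.nix and
      # pushed by nixops over SSH to /run/keys/<name>; it never enters the Nix
      # store, so it is not world-readable under /nix/store.
      deployment.keys."robs-little-secret.key" = {
        text = builtins.readFile ./robs-little-secret.key;
        permissions = "0400";   # assumed option: owner-only read on the target
      };

      # /run/keys is a tmpfs, so copy the key to disk once nixops-keys reports
      # that all keys have arrived. A dedicated oneshot unit keeps the copy
      # logic out of nixops-keys itself and gives consumers something to
      # order after.
      systemd.services.persist-robs-key = {
        description = "Copy the nixops-pushed key to persistent storage";
        wantedBy = [ "multi-user.target" ];
        after = [ "nixops-keys.service" ];
        requires = [ "nixops-keys.service" ];
        serviceConfig.Type = "oneshot";
        script = ''
          umask 077
          install -d -m 0700 /var/lib/secrets
          # install(1) sets the mode explicitly, so the on-disk copy stays
          # owner-only even if the source mode differs
          install -m 0400 \
            /run/keys/robs-little-secret.key \
            /var/lib/secrets/robs-little-secret.key
        '';
      };
    };
}
```

Any service that reads /var/lib/secrets/robs-little-secret.key should in turn declare after = [ "persist-robs-key.service" ] and requires = [ "persist-robs-key.service" ], so it never starts against a missing file on first boot. Keep the source file ./robs-little-secret.key out of version control; the nixops state file that records it also deserves the same file permissions as the key itself.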