Hi Kevin,

Thanks for the extra info! I was wondering though, if the generated config files do end up in /nix/store anyway, does it even make a difference if I use the deployment.keys method? Or is there another way to have e.g. a php script read from these keys without actually writing them out?

Symfony uses yml files, WordPress uses php files, and so on.. Each project is defined as a service and I generate these files in my various let statements.. Personally I don't mind these files sitting in /nix/store as I'm the only one with ssh access to these machines..

Kind regards,
Erik

On Thu, Jun 9, 2016, 17:16 Kevin Cox <kevin...@kevincox.ca> wrote:

> On 09/06/16 11:03, 4levels wrote:
> > Hi Kevin,
> >
> > I'm very curious how you set up sensitive information using deployment.keys
> > This still seems like the best option to do this, but I failed to get it working..
> >
> > Could you be so kind to post a small example, showing how you define the keys and use them in functions that generate e.g. a config file?
>
> Here are two examples where I read the key out of a secret directory (encrypted with git-crypt). Note that I don't generate any of my config files, but that is theoretically possible.
>
>     deployment.keys.mesos.text = "root ${builtins.readFile ../secret/mesos-secret}";
>     deployment.keys.sumologic.text = builtins.readFile ../secret/sumologic;
>
> And this example is importing a nix expression. Note that I'm not using deployment.keys so this is accessible to anyone (on the server) as it lands in the Nix store IIUC.
>
>     networking.defaultMailServer = import ../secret/smtp.nix;
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
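To show the distinction the thread turns on (a key delivered by deployment.keys versus a config generated into /nix/store), here is an added NixOps example that is not from either poster. It keeps the secret out of the store by having PHP read it from /run/keys at run time, and renders a Symfony-style parameters.yml into /run for formats that cannot; the machine name "web", the service/user "myapp", the secret file ./secret/db-password and the document root /var/www/myapp are assumptions.

```nix
# Added example, not from the thread: a NixOps machine whose secret reaches the
# ramfs /run/keys via deployment.keys and is read there at run time, so the
# store only holds config that names the key file. Assumed: ./secret/db-password
# exists locally (e.g. git-crypt); "myapp" and /var/www/myapp are hypothetical.
{
  web = { config, pkgs, ... }: {
    deployment.targetHost = "web.example.invalid";

    deployment.keys.db-password = {
      text = builtins.readFile ./secret/db-password;
      user = "myapp";
      group = "myapp";
      permissions = "0400";
    };

    users.groups.myapp = {};
    users.users.myapp = {
      isSystemUser = true;
      group = "myapp";
      extraGroups = [ "keys" ];   # /run/keys itself is root:keys 0750
    };

    systemd.services.myapp =
      let
        # Safe to keep in /nix/store: it references the key file, not the value.
        wpConfig = pkgs.writeText "wp-config.php" ''
          <?php
          define('DB_PASSWORD', trim(file_get_contents('/run/keys/db-password')));
        '';
      in {
        wantedBy = [ "multi-user.target" ];
        # Keys are uploaded after activation; wait for this one before starting.
        after = [ "db-password-key.service" ];
        wants = [ "db-password-key.service" ];
        serviceConfig = {
          User = "myapp";
          Group = "myapp";
          RuntimeDirectory = "myapp";         # /run/myapp: tmpfs, gone on stop
          RuntimeDirectoryMode = "0700";
        };
        # Formats that cannot read a file themselves (a Symfony parameters.yml)
        # are rendered into /run here, not into the store; secret must contain no '"'.
        preStart = ''
          printf 'parameters:\n  database_password: "%s"\n' \
            "$(cat /run/keys/db-password)" > /run/myapp/parameters.yml
        '';
        script = "exec ${pkgs.php}/bin/php -d auto_prepend_file=${wpConfig} -S 127.0.0.1:8080 -t /var/www/myapp";
      };
  };
}
```

With `text`, NixOps also keeps the value in its own state file, so that file and the git-crypt'd secret directory are what need protecting; `keyFile = ./secret/db-password;` reads the file at deploy time instead of embedding it in the expression.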