I'm not pretending to be a NixOps expert, but I think the approach of generating the secret in the "deployment" machine is good enough. You could store the private key encrypted in a git repository. Have you seen this [1] blog post? It describes how to do this in a team.
Best regards,
Maarten

2016-11-19 12:50 GMT+01:00 Marius Bergmann <mar...@yeai.de>:
> On 2016-11-19 12:46, Arnold Krille wrote:
> > On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann <mar...@yeai.de>
> > wrote:
> >> Is it possible to declare the distribution of a file (in my case a ssh
> >> server/client public key) to different machines in a nixops
> >> deployment?
> >>
> >> I want to create a client keypair on one machine and then authorize
> >> the public part on several other machines in the deployment. Those
> >> other machines' public server keys should also be added to the
> >> known_hosts of the machine logging into them.
> >>
> >> I know I could create all the keypairs on the machine running nixops
> >> and send both the public as well as the private keys over the
> >> network, but I would like to find out if there's a way around it.
> >
> > I think this is one of the things you don't do/want with Nix/NixOps as
> > this is essentially self-modifying deployment. Which makes the
> > deployment non-deterministic and unreproducible in the strict sense.
> > With deployment-/configuration-management systems that have a central
> > node and database, like chef and puppet can have, you can do such
> > things. For Nix this is counter-intuitive.
> >
> > - Arnold
>
> Do you have a recommendation on how to handle my use case then? In
> practice, I need this to allow the backup user to log into the machines
> being backed up. Would you use a central location for all the key pairs?
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
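An added example, not from the thread or from NixOps itself, of the approach discussed above: the backup client keypair and the targets' host keys are generated and collected once on the machine running nixops, only the public halves are baked into the NixOS configurations, and the private key reaches the backup server via `deployment.keys`. Machine names, the `secrets/` layout and the git-crypt remark are assumptions for the example.

```nix
# Assumed to be run once on the machine running nixops, never on the targets
# (constructed paths; secrets/ is assumed to be kept encrypted in git, e.g.
# with git-crypt):
#   ssh-keygen -t ed25519 -N '' -f secrets/backup_key
#   ssh-keyscan -t ed25519 db1 | cut -d' ' -f2- > secrets/hostkeys/db1.pub
let
  # Only the public half is ever read into the Nix store.
  backupPubKey = builtins.readFile ./secrets/backup_key.pub;

  # Machines the backup user must be able to log into (assumed names).
  targets = [ "db1" "web1" ];

  # Shared NixOS module for every backed-up machine: trust the client key
  # for the unprivileged backup user only.
  backedUp = name: { ... }: {
    deployment.targetHost = name;
    services.openssh.enable = true;
    users.users.backup = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ backupPubKey ];
    };
  };
in
{
  network.description = "backup client key distribution";

  # The machine that runs the backups. nixops copies the private key at
  # deploy time into /run/keys (outside the Nix store), and every target's
  # host key is pinned in known_hosts, so no trust-on-first-use is needed.
  backupserver = { ... }: {
    deployment.keys.backup_key = {
      keyFile = ./secrets/backup_key;
      user = "backup";
      permissions = "0400";
    };
    users.users.backup.isNormalUser = true;
    programs.ssh.knownHosts = builtins.listToAttrs (map (name: {
      inherit name;
      value = {
        hostNames = [ name ];
        publicKeyFile = ./secrets/hostkeys + "/${name}.pub";
      };
    }) targets);
  };
}
// builtins.listToAttrs (map (name: { inherit name; value = backedUp name; }) targets)
```

The backup job on `backupserver` then uses `ssh -i /run/keys/backup_key backup@db1`; note that `/run/keys` is not persisted across reboots, so the key has to be resent with `nixops send-keys` after a target restarts.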