(IMO) a much simpler solution:
http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020690.html
On Mon, Jun 20, 2016 at 9:10 PM, Игорь Пашев wrote:
> 2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> > As I never change these keys (except by a nixops deploy or
2016-06-20 14:51 GMT+03:00 4levels <4lev...@gmail.com>:
> As I never change these keys (except by a nixops deploy or nixops send-keys
> call), can I assume that the save-keys service doesn't need to run every
> single minute in this scenario?
You can remove /root/keys by accident. In our setups,
Hi Игорь,
thank you for clarifying this, I was already wondering what the sleep 1m
was doing there in the while loop ;-)
As I never change these keys (except by a nixops deploy or nixops send-keys
call), can I assume that the save-keys service doesn't need to run every
single minute in this
2016-06-19 15:35 GMT+03:00 4levels <4lev...@gmail.com>:
> I was just wondering how this copes with server kills
The "save" service runs every minute to check if any keys are not saved :-)
And it runs on every key addition / removal. So right after a fresh
deploy you are almost safe.
Hi Nix-devs, hi Tomasz, hi Игорь,
I managed to get it working flawlessly by adding keys.target to the
requires and after statements of my other service configs.
I was just wondering how this copes with server kills (as Vultr
periodically resets an instance when they experience system failures).
Hi Tomasz,
Thanks for another great pointer!
My own services do require the keys so I have to make them depend/require
on keys.target
I'm about to test this out, I'll keep you posted here..
Kind regards,
Erik
On Fri, Jun 17, 2016, 11:47 Tomasz Czyż wrote:
> Erik, you
Erik, you also could add your load-keys service to network.target or any
target which starts at the system start. So then you don't have to add it
to specific apps, depends on your keys workflow.
2016-06-17 9:48 GMT+01:00 4levels <4lev...@gmail.com>:
> That's probably it!
>
> I still need to
That's probably it!
I still need to update all service configs to have keys.target in the
wantedBy list.
I read somewhere that I should also use requiredBy for it to really wait
until keys.target is finished..
Kind regards,
Erik
On Thu, Jun 16, 2016, 23:50 Игорь Пашев
2016-06-14 17:17 GMT+03:00 4levels <4lev...@gmail.com>:
> wantedBy = [ "keys.target" ];
Maybe you don't have services depending on keys.target
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Hi,
I tried this but somehow the nixops-load-keys service is not automatically
started. I can see the service with systemctl status and when I restart it,
it does as expected (copies the files from /run/keys to /root/keys).
However, when I reboot the machine, the nixops-load-keys service doesn't
2016-05-09 13:49 GMT+03:00 Tomasz Czyż:
> I'm not sure I understand this correctly. Do you want to put keys into the
> initrd?
No, I keep them under /root/keys. The save service polls /run/keys for updates.
I'm not sure I understand this correctly. Do you want to put keys into the
initrd?
2016-05-08 20:54 GMT+01:00 Игорь Пашев:
> Simple way to keep the keys on reboot.
> /run/keys is mounted somewhere in initrd,
> thus just a couple of services
> (I was thinking about on-disk
Simple way to keep the keys on reboot.
/run/keys is mounted somewhere in initrd,
thus just a couple of services
(I was thinking about on-disk /run/keys)
{ config, lib, pkgs, ... }:
let
  inherit (builtins) attrNames;
  inherit (lib) mkIf concatMapStringsSep;
  inherit (config.deployment) keys;