
Added a keyCmd option for fetching a key from local command #1280

Merged
merged 3 commits into from May 15, 2020

Conversation

@kisik21
Contributor

kisik21 commented Apr 14, 2020

The option deployment.keys.*.keyCmd executes a command on the local machine and sends its output as a key to the remote machine.

The use-case is storing NixOps secrets in encrypted form using, e.g. password-store.

The patch should also apply to the flake-support branch - since I developed this feature with flakes in mind, should I file another pull-request to cherry-pick it there?

@grahamc grahamc added this to In progress in kanban Apr 20, 2020
@grahamc grahamc added this to the 2.0 milestone Apr 20, 2020
@grahamc
Member

grahamc commented Apr 20, 2020

I'm excited for this PR. I'd like to merge it after #1275. Can you try to address the failing checks? Thank you!

options.keyCmd = mkOption {
default = null;
example = "pass show secrettoken";
type = types.nullOr types.str;

@grahamc

grahamc Apr 20, 2020

Member

What if this was a listof str's, which are executed without a shell?

@kisik21

kisik21 Apr 22, 2020

Author Contributor

@grahamc well I could do that thing but I'm not sure how to process it on the Python side. I mostly copy-pasted the Python code for this from other options :3 need to study the internal APIs more I guess?

@grahamc grahamc moved this from In progress to To do in kanban Apr 23, 2020
`deployment.keys.*.keyCmd` option executes a command on the local
machine and sends its output as a key to the remote machine.

The use-case is storing NixOps secrets in encrypted form using,
e.g. password-store.

note: rebased and updated against master, and removed a bit of code
around storeKeysOnMachine since that feature no longer exists.

Co-authored-by: Adam Höse <adam.hose@tweag.io>
Co-authored-by: Graham Christensen <graham.christensen@tweag.io>
@grahamc grahamc force-pushed the kisik21:keyCmd branch from b7923b0 to 6f89831 May 15, 2020
'';
};

options.keyCmd = mkOption {

@grahamc

grahamc May 15, 2020

Member
Suggested change
options.keyCmd = mkOption {
options.keyCommand = mkOption {
grahamc and others added 2 commits May 15, 2020
* keyCmd -> keyCommand: clarity over typing
* keyCommand: make a list of strings [ "pass" "..." ] vs. [ "pass ..." ]
  so users don't need to consider shell escaping right away
* keyFile: only apply toString if an argument is provided, so we
  don't need to check for an empty string

Co-authored-by: Adam Höse <adam.hose@tweag.io>
Member

grahamc left a comment

We've made a few changes, like making keyCmd named keyCommand and a list of strings. Great PR, thank you a lot -- once tests pass let's merge.

@adisbladis adisbladis merged commit 3829588 into NixOS:master May 15, 2020
9 of 10 checks passed: parsing, build, black, mypy, flake8, mypy-ratchet, coverage, docs, poetry-up-to-date, docs/readthedocs.org:nixops (Read the Docs build succeeded!)
kanban automation moved this from To do to Done May 15, 2020
@grahamc
Member

grahamc commented May 15, 2020

🥳

@kisik21
Contributor Author

kisik21 commented May 16, 2020

OH NO! I hope you fixed the bug I may or may not have introduced earlier!!!

@kisik21
Contributor Author

kisik21 commented May 16, 2020

Whew, you did fix that bug. I was so worried about it, I almost had a heart attack

@grahamc
Member

grahamc commented May 16, 2020

What was the bug you might have introduced? :D :) <3

@grahamc
Member

grahamc commented May 16, 2020

btw the test deployment we ran used nix-shell -p fortune --run fortune to generate our secret. Great success:

[grahamc@kif:~]$ sudo cat /run/keys/my-cool-keycommand
If everything is coming your way then you're in the wrong lane.
@kisik21
Contributor Author

kisik21 commented May 16, 2020

Sometimes it wasn't waiting for the command to complete, and the secret was empty. Should be fine now, but just to check: make a script that waits around 15 seconds and see if Nixops blocks on it. If it doesn't, the bug is there.

The fix should've been in one of my branches I use for flakes, so if it isn't fixed, I'll quickly PR it here
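An added example, not NixOps code, showing the two properties this thread settles on for the option: the command is a list of argv strings executed without a shell (so users need not think about escaping), and the deployment must block until the command exits so it never ships an empty key. The demo commands, the KeyCommandError name and the "no output" check are constructed here; they stand in for something like [ "pass" "show" "secrettoken" ].

```python
import subprocess
import sys


class KeyCommandError(RuntimeError):
    """Constructed for this example: raised when a keyCommand yields no usable key."""


def run_key_command(argv, timeout=60):
    """Run a keyCommand given as a list of strings and return stdout as key bytes.

    - argv goes straight to the child process (shell=False is the default), so
      spaces and metacharacters inside one element are delivered literally.
    - subprocess.run blocks until the child exits, which is the "does it wait
      15 seconds?" property the thread asks to check.
    - A non-zero exit or empty output is an error, never an empty secret.
    """
    if not isinstance(argv, list) or not argv or not all(isinstance(a, str) for a in argv):
        raise KeyCommandError("keyCommand must be a non-empty list of strings")
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout)
    except FileNotFoundError as e:
        raise KeyCommandError(f"keyCommand not found: {argv[0]}") from e
    except subprocess.TimeoutExpired as e:
        raise KeyCommandError(f"keyCommand timed out after {timeout}s") from e
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace").strip()
        raise KeyCommandError(f"keyCommand exited {proc.returncode}: {err}")
    if not proc.stdout:
        raise KeyCommandError("keyCommand produced no output; refusing to deploy an empty key")
    return proc.stdout


PY = sys.executable  # constructed demo commands use the running interpreter


def demo_literal_argument():
    """Metacharacters in an argv element reach the child untouched (no shell)."""
    return run_key_command([PY, "-c", "import sys; sys.stdout.write(sys.argv[1])", "a b; $HOME"])


def demo_slow_command(seconds=1):
    """A command that sleeps before writing: the key is still complete, not empty."""
    code = f"import sys, time; time.sleep({seconds}); sys.stdout.write('s3cret')"
    return run_key_command([PY, "-c", code])


def demo_empty_output():
    """Returns the error message raised instead of an empty key."""
    try:
        run_key_command([PY, "-c", "pass"])
    except KeyCommandError as e:
        return str(e)
    return None
```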

@grahamc
Member

grahamc commented May 16, 2020

It definitely waits :) Thanks for the PR, Vika!

@kisik21
Contributor Author

kisik21 commented May 16, 2020

❤️
