Prevent nixops from generating a private key & deploying it

Open phryneas opened this issue 7 years ago • 2 comments

I'm using a physical token (gpg smartcard) as my ssh private key, so nixops' practice of generating & deploying a private key to all target machines is a massive downgrade in security for me.

Is there a way to prevent nixops from generating & deploying that key?

(I'm using the "none" backend with pre-existing target nixos machines)

phryneas, Apr 08 '18 19:04

I was going to request this too.

It would be great if the SSH key generation can be turned off, and instead NixOps would rely on ssh-agent.

That way, it is easier to share NixOps state between groups of people:

  • State files won't contain private SSH keys and can therefore be exported to git
  • Each person can have their own SSH key with access to a subset of nixops deployments

wmertens, May 07 '19 13:05

Close? Implemented in https://github.com/NixOS/nixops/pull/1247

tomberek, Sep 08 '21 02:09