Re: [EXT] Re: Medium-term road map

[Efraim Flashner <efraim@flashner.co.il>]

[-- Attachment #1: Type: text/plain, Size: 1699 bytes --]

On Wed, May 06, 2020 at 01:03:39PM -0400, Thompson, David wrote:
> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <jackhill@jackhill.us> wrote:
> >
> > * Continued development of guix deploy. Figuring out how to deploy secrets
> > to remote machines would be great.
> 
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time.  For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts.  In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly the believe that the guix client that is
> doing the deployment should never access such secrets.
> 
> Long story short: Guix need not worry about this.
> 
> - Dave
> 

For the SSH example, imagine a one-shot service that fetches a private
and public keypair¹, replaces the pair already inside /etc/ssh and then
restarts the openssh service.

¹ Using magic or ssh or from a thumbdrive, etc

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]