From: Efraim Flashner
To: "Thompson, David"
Cc: guix-devel
Subject: Re: [EXT] Re: Medium-term road map
Date: Wed, 6 May 2020 21:58:44 +0300
Message-ID: <20200506185844.GD2359@E5400>
References: <87mu6zd6tz.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Wed, May 06, 2020 at 01:03:39PM -0400, Thompson, David wrote:
> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill wrote:
> >
> > * Continued development of guix deploy. Figuring out how to deploy secrets
> > to remote machines would be great.
>
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time. For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts. In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly believe that the guix client that is
> doing the deployment should never access such secrets.
>
> Long story short: Guix need not worry about this.
>
> - Dave
>

For the SSH example, imagine a one-shot service that fetches a private
and public keypair¹, replaces the pair already inside /etc/ssh and then
restarts the openssh service.

¹ Using magic or ssh or from a thumbdrive, etc

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
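As an added illustration of the one-shot step described in the reply above (example code written for this page, not from the thread or from Guix itself), here is the script such a shepherd one-shot service could run: it validates the fetched keypair, installs it atomically into /etc/ssh with the right permissions, and only then restarts sshd. The `fetch-host-key` command is a hypothetical placeholder for whatever secrets backend is used, `ssh_host_ed25519_key` is the assumed key name, and `herd restart ssh-daemon` assumes Guix's shepherd name for OpenSSH.

```shell
#!/bin/sh
# One-shot host-key rotation step for an sshd host (added example, not Guix code).
# Assumed layout: the fetcher writes a private key to PATH and its public half
# to PATH.pub; the live keys live in /etc/ssh; OpenSSH is the shepherd service
# "ssh-daemon". "fetch-host-key" is a hypothetical stand-in for the real fetch.
set -eu

# Return 0 if KEY and KEY.pub look like an OpenSSH keypair, 1 otherwise, so a
# truncated or mis-fetched secret never replaces a working host key.
check_keypair() {
    key=$1
    [ -s "$key" ] && [ -s "$key.pub" ] || return 1
    head -n 1 "$key" | grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$' || return 1
    # Public half is "<type> <base64> [comment]".
    awk 'NR == 1 && $1 ~ /^ssh-(ed25519|rsa)$/ && $2 ~ /^[A-Za-z0-9+\/=]+$/ { ok = 1 }
         END { exit !ok }' "$key.pub"
}

# Atomically replace DEST/NAME and DEST/NAME.pub with SRC and SRC.pub.
# Copy to a temp file in the same directory, fix permissions, then rename, so
# sshd never observes a half-written or world-readable key.
install_keypair() {
    src=$1 dest=$2 name=$3
    check_keypair "$src" || return 1
    umask 077
    tmp="$dest/.$name.$$"
    cp "$src" "$tmp"
    cp "$src.pub" "$tmp.pub"
    chmod 0600 "$tmp"
    chmod 0644 "$tmp.pub"
    mv "$tmp" "$dest/$name"
    mv "$tmp.pub" "$dest/$name.pub"
    # Log the event, never the key material.
    echo "installed new host key at $dest/$name" >&2
}

# What the shepherd one-shot service actually runs.
main() {
    scratch=$(mktemp -d)
    trap 'rm -rf "$scratch"' EXIT
    fetch-host-key "$scratch/key"   # hypothetical: writes key and key.pub
    install_keypair "$scratch/key" /etc/ssh ssh_host_ed25519_key
    herd restart ssh-daemon         # pick up the new key, as in the reply above
}

# Only run the rotation when invoked as "install-host-key.sh run".
if [ "${1:-}" = run ]; then main; fi
```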