From: raingloom
To: guix-devel@gnu.org
Date: Tue, 9 Jun 2020 00:43:02 +0200
Subject: Secrets in (generated) configs. How to deal with them?
Message-ID: <20200609004302.3757a950@riseup.net>

Hi all!

I'm trying to package Yggdrasil as a Guix service and I took a look at what NixOS does. They actually don't simply generate the config in the store; instead, it's combined with another input of the service and the combined JSON is fed to Yggdrasil on stdin. Is this how I should do it as well? Or maybe the Guix store can make some outputs private?
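
The merge-then-stdin pattern described in the message above, as an added example that is not part of the original post and is not NixOS's or Guix's code. It keeps the world-readable generated config free of secrets, reads the keys from a separate file that only its owner can access, and hands the combined JSON to the daemon on stdin so the merged result never touches disk. The key names, both file paths and the use of `yggdrasil -useconf` (read config from stdin) are assumptions for illustration.

```python
import json
import os
import stat
import subprocess

# Assumed names of Yggdrasil's private-key settings; adjust to the deployed version.
SECRET_KEYS = frozenset({"EncryptionPrivateKey", "SigningPrivateKey"})


def load_public(path):
    """Load the generated (world-readable) config and reject embedded secrets."""
    with open(path) as f:
        public = json.load(f)
    leaked = SECRET_KEYS.intersection(public)
    if leaked:
        raise ValueError(f"secret keys in world-readable config: {sorted(leaked)}")
    return public


def load_private(path):
    """Load the key file kept outside the store; refuse group/other access."""
    with open(path) as f:
        mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {mode:o} is too permissive")
        private = json.load(f)
    extra = set(private) - SECRET_KEYS
    if extra:
        raise ValueError(f"non-secret settings in key file: {sorted(extra)}")
    return private


def merged_config(public_path, private_path):
    """Combine both inputs in memory; the result is never written to disk."""
    return {**load_public(public_path), **load_private(private_path)}


def run_with_config(argv, config):
    """Start the daemon with the merged JSON on stdin."""
    return subprocess.run(argv, input=json.dumps(config).encode(), check=True)


if __name__ == "__main__":
    # Hypothetical paths: a store item and an owner-only key file outside the store.
    cfg = merged_config("/gnu/store/...-yggdrasil.json", "/etc/yggdrasil-private.json")
    run_with_config(["yggdrasil", "-useconf"], cfg)
```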