Re: Status of "GuixOps"?

[ludo@gnu.org (Ludovic Courtès)]

Hi!

"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Sun, Sep 17, 2017 at 2:34 PM, Hartmut Goebel
> <h.goebel@crazy-compilers.com> wrote:

[...]

>> Q1: I did not follow the development closely, but I seem to recall that
>> there is some guix sub-command for configuring a remote system. But
>> grepping the manual for "remote", I did not find it, neither one of the
>> commands did attract me. How is it called?
>
> I haven't tried it but I think Ludo said that it was going to be a
> flag to 'guix system'.  Has that code been merged?  Not being able to
> easily connect to a remote daemon is what blocked me when I first
> tried writing 'guix deploy'.

The idea that I had in mind is to support:

  guix system reconfigure --target=host.example.org config.scm

which would build locally and send the new system (or build it directly
on the target), and then run remotely the effectful bits of
‘reconfigure’: running activation scripts, upgrading Shepherd services.

To get there, the idea I have is to:

  1. Isolate the effectful bits in (guix scripts system) and wrap them
     in gexps.

  2. Provide ‘eval-gexp’ (which would combine ‘build-derivations’ and
     ‘eval’) and ‘eval-gexp-remotely’ (likewise, but it would use
     Guile-SSH’s ‘node-eval’ to evaluate the gexp remotely.)

  3. Change (guix scripts system) to use ‘eval-gexp’ or
     ‘eval-gexp-remotely’ depending on whether --target was found.

This is just a subset of the functionality in you envision for ‘guix
deploy’, David, but it’s a good building block and useful in its own.

> I don't think that is the best approach, or at least it should not be
> an approach that GuixSD users *have to* use.  I use Chef at work, and
> the equivalent technology there is called "encrypted data bags"
> (terrible name, I know).  They are a pain and thus we do not manage
> secrets with it.  You're right, everything in the store is
> world-readable, therefore you should never store secrets there.  The
> most important thing to know is that secrets are stateful, which
> contrasts with many things in Guix that are stateless.  Secrets can't
> be configured at build-time, it has to be done at runtime.  So how do
> we get secrets onto machines?  I think this is a job for GuixSD system
> services.  Let's take for example a web application that connects to a
> MariaDB database.  When the web application service starts, it will
> fetch the database password from the secret store and initialize the
> application with it by whatever means is supported (command line flag,
> environment variable, etc.).  The secrets store could be a local
> GPG-encrypted file (getting the decryption key onto the machine is
> non-trivial, of course) or an external service.  To give you an idea
> of the possibilities available when it comes to secrets management,
> I'll give a more complex example.  All of my experience with this is
> with Amazon web services, so if you don't know AWS stuff you can skip
> this part but I'll describe it anyway for people that might be
> interested: EC2 instances are assigned an IAM role that allows them to
> decrypt a set of secrets that have been encrypted using a KMS key.
> The encrypted secrets happen to be stored in a DynamoDB table.  A
> command line tool for fetching the secrets is installed on the
> instances and is integrated into the application startup processes
> that need secrets.  When we want to rotate a key, we replace the
> DynamoDB record with a new one and restart the relevant services.
> Whether the secrets are stored in an encrypted file on each machine or
> in some external database, the basic process is the same: applications
> will receive their secrets when they are started, not when the system
> is configured.

Sounds interesting.  We don’t have a good story on how to deal with
secrets currently, and this is problematic for deployments.

>> Q3: One of DepOps' main features for me is easy use and the automatic
>> refresh of Let's Encrypt certificates. Basically I just say: "Create
>> certificates for hostnames A, B, C" and everything happens
>> automatically: Configuration of nginx, creating the CSR, requesting the
>> certificate, renewal, etc. What is the status for something like this
>> for GuixSD?
>
> We have an nginx service, so you can write a configuration that points
> to certs generated by Let's Encrypt.  The cron service could be
> configured to periodically run the Let's Encrypt tool that refreshes
> the certificates periodically.  The pieces are all there, you just
> need to put them together.  This is what I plan to do when I finally
> get around to switching my VPS from Debian to GuixSD.  Since this is
> all just Scheme code, we could write abstractions that make this
> common use-case "just work" for people so they don't have to worry
> about the details.  One step at a time. :)

There’s even a patch that brings a Cerbot service!

  https://bugs.gnu.org/26685

People commented on it but the patch still needs love to reach its final
form.  Maybe you can help?  :-)

Thanks,
Ludo’.