unofficial mirror of guix-devel@gnu.org 
* Secrets in (generated) configs. How to deal with them?
@ 2020-06-08 22:43 raingloom
  2020-06-08 22:51 ` Julien Lepiller
  2020-06-09 16:24 ` Ludovic Courtès
  0 siblings, 2 replies; 3+ messages in thread
From: raingloom @ 2020-06-08 22:43 UTC (permalink / raw)
  To: guix-devel

Hi all!

I'm trying to package Yggdrasil as a Guix service and I took a look at
what NixOS does and they actually don't simply generate the config in
the store, instead it's combined with another input of the service and
the combined JSON is fed to Yggdrasil on stdin.

Is this how I should do it as well? Or maybe the Guix store can make
some outputs private?



* Re: Secrets in (generated) configs. How to deal with them?
  2020-06-08 22:43 Secrets in (generated) configs. How to deal with them? raingloom
@ 2020-06-08 22:51 ` Julien Lepiller
  2020-06-09 16:24 ` Ludovic Courtès
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Lepiller @ 2020-06-08 22:51 UTC (permalink / raw)
  To: guix-devel, raingloom

On 8 June 2020 18:43:02 GMT-04:00, raingloom <raingloom@riseup.net> wrote:
>Hi all!
>
>I'm trying to package Yggdrasil as a Guix service and I took a look at
>what NixOS does and they actually don't simply generate the config in
>the store, instead it's combined with another input of the service and
>the combined JSON is fed to Yggdrasil on stdin.
>
>Is this how I should do it as well? Or maybe the Guix store can make
>some outputs private?

The store is always world-readable, so no output can be private. I think we have some examples of that. For instance, knot (the DNS server) can read some secrets from its configuration. We suggest that our users instead create a small file outside the store that contains the secrets, and use an include in the conf. This is only possible when the configuration language allows that, of course.

It would be nice to have a better and more generic way to handle secrets though.


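Both approaches mentioned so far (the NixOS-style merge of a store-generated config with a separate secret input fed on stdin, and the "small file outside the store, included from the conf" pattern) rely on the same split: the non-secret part is built in the world-readable store, the secret part lives in a root-only file elsewhere, and the two only meet at start time. The following is an added example of that split written as a start-up wrapper in Python; it is not Guix, NixOS or Yggdrasil code. The file paths, the `PrivateKey` field name and the merge layout are assumptions chosen for illustration.

```python
"""Added example: keep secrets out of the world-readable store.

The generated, non-secret part of a daemon's configuration is read from a
store-like path (anyone can read it), the secret part from a root-only file
outside the store. The wrapper refuses a secrets file that other users can
read, merges the two documents, and hands the result to the daemon on stdin,
so the secret is never written to the store or passed on the command line.

Paths, field names and the merge layout are assumptions, not Guix or
Yggdrasil conventions.
"""
import json
import os
import stat
import subprocess
import tempfile


def load_secrets(path):
    """Read a JSON secrets file, refusing it if group/other can access it."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(mode):04o} is readable by others; expected 0600")
    with open(path) as f:
        return json.load(f)


def merge_config(public, secrets):
    """Overlay secret keys on the public config; nested objects are merged,
    and a secret value wins over a public one on conflict."""
    merged = dict(public)
    for key, value in secrets.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_config(merged[key], value)
        else:
            merged[key] = value
    return merged


def build_runtime_config(store_config_path, secrets_path):
    """Combine the store-generated config with the out-of-store secrets."""
    with open(store_config_path) as f:
        public = json.load(f)
    return merge_config(public, load_secrets(secrets_path))


def run_with_config(argv, config):
    """Start the daemon and pass the merged config on its stdin."""
    return subprocess.run(argv, input=json.dumps(config).encode(), check=True)


def demo():
    """Constructed sample input: a fake store config and a fake secrets file.

    Returns the merged config and whether a world-readable secrets file was
    correctly rejected."""
    d = tempfile.mkdtemp()
    store_cfg = os.path.join(d, "yggdrasil.conf")        # stands in for a /gnu/store/... path
    secrets = os.path.join(d, "yggdrasil-secrets.json")  # stands in for e.g. /etc/yggdrasil/secrets.json
    with open(store_cfg, "w") as f:
        json.dump({"IfName": "ygg0", "Listen": ["tcp://[::]:9001"]}, f)
    with open(secrets, "w") as f:
        # Placeholder value; the field name is an assumption for the example.
        json.dump({"PrivateKey": "PLACEHOLDER-not-a-real-key"}, f)
    os.chmod(secrets, 0o600)
    merged = build_runtime_config(store_cfg, secrets)

    os.chmod(secrets, 0o644)  # simulate a mis-deployed secrets file
    try:
        build_runtime_config(store_cfg, secrets)
        rejected = False
    except PermissionError:
        rejected = True
    return merged, rejected


if __name__ == "__main__":
    merged, rejected = demo()
    print("world-readable secrets rejected:", rejected)
    # 'cat' stands in for the daemon: it just echoes what it received on stdin.
    run_with_config(["cat"], merged)
```

The permission check is the part worth keeping even if the merge strategy changes: a secrets file that ends up world-readable defeats the whole point of keeping it out of the store, so the wrapper fails closed rather than starting the daemon with a leaked key.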

* Re: Secrets in (generated) configs. How to deal with them?
  2020-06-08 22:43 Secrets in (generated) configs. How to deal with them? raingloom
  2020-06-08 22:51 ` Julien Lepiller
@ 2020-06-09 16:24 ` Ludovic Courtès
  1 sibling, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2020-06-09 16:24 UTC (permalink / raw)
  To: raingloom; +Cc: guix-devel

Hi,

raingloom <raingloom@riseup.net> wrote:

> I'm trying to package Yggdrasil as a Guix service and I took a look at
> what NixOS does and they actually don't simply generate the config in
> the store, instead it's combined with another input of the service and
> the combined JSON is fed to Yggdrasil on stdin.
>
> Is this how I should do it as well? Or maybe the Guix store can make
> some outputs private?

This is one of the things we discussed at the Guix Days:

  https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/doc/guix-days-2020/guix-secrets.org

One of the ideas we came up with that could fly is to have a
‘secret-service-type’ (ah ha!), which you could extend with key/value
pairs.  At run time, secrets could be fetched from the local file
system or by querying a daemon.

Food for thought!

Ludo’.


