From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: WIP gnu social package
Date: Tue, 28 Nov 2017 17:08:26 +0100
Message-ID: <87fu8yxu6d.fsf@gnu.org>
References: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li> <87h8vd4p38.fsf@gnu.org>
In-Reply-To: (nee@cock.li's message of "Sun, 26 Nov 2017 21:18:47 +0100")
To: nee
Cc: guix-devel@gnu.org

Hello,

nee wrote:

> On 05.10.2017 at 17:00, Ludovic Courtès wrote:
>> For this particular case, I would do nothing: the first time, the
>> service wouldn’t start (I guess). Users would have to explicitly set
>> the passwords on the command line, and then run “herd start gnu-social”.
>>
> The advantage of using a service is the easy setup with mysql and the
> gnu-social-cli-installer, otherwise people could just run nginx and
> clone gnu social to /srv/gnu-social/ and manually create the database
> like you would on Debian.
>
> I saw that NixOS has something called passwordFile.
> https://github.com/NixOS/nixpkgs/issues/24288
> I haven't found any details about it, but it seems like a text file from
> which passwords can be read during `system reconfigure`.
>
> As a start I could add a password-file field to the configuration of
> gnu-social and read an alist of passwords from it during initialization.
> That could later be extended by generating it with randomized passwords
> if it doesn't exist to maximize the ease of installation.
>
>>> - The password of the database-user ends up in the config.php which is
>>> generated by mixed-text-file. This file can be read by everyone. Can I
>>> somehow set the owner on it and remove the reading rights from other
>>> users?
>>
>> No, the store is world-readable. If there are secrets, they should be
>> stored elsewhere, but there’s currently no standard way to do that in
>> Guix.
>>
> Could a function in guix/gexp.scm be modified to generate a file outside
> of the store?

We could use Guile’s standard I/O primitives to create files wherever we
like:

  https://www.gnu.org/software/guile/manual/html_node/Input-and-Output.html

and/or simply refer to a non-store file; if that file exists, everything’s
fine, and if it does not, the service might fail to start or print an
error.

Ludo’.
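As an added illustration (not code from this thread or from Guix itself), here is how a service could read the password alist nee proposes from a file kept outside the store, and refuse to start when the file is missing or readable by other users, along the lines Ludovic sketches. The path /etc/gnu-social/passwords.scm and the alist layout are assumptions:

```scheme
;; Added illustration, not code from the thread or from Guix: read a
;; service's secrets from a file kept *outside* the world-readable
;; /gnu/store, failing loudly if the file is absent or too permissive.
;; The file name and the alist layout are assumptions.
(use-modules (srfi srfi-1))

(define (read-password-alist file)
  "Read an alist such as ((\"db\" . \"s3cret\")) from FILE.  FILE must
exist, lie outside /gnu/store, be a regular file, and grant no access
to group or others; otherwise raise an error so that 'herd start'
fails with a clear message instead of running with an empty password."
  (unless (file-exists? file)
    (error "password file missing; create it, then run 'herd start gnu-social'"
           file))
  (when (string-prefix? "/gnu/store/" file)
    (error "refusing to read secrets from the world-readable store" file))
  (let ((st (stat file)))
    (unless (eq? (stat:type st) 'regular)
      (error "password file is not a regular file" file))
    ;; Any group/other bit set (e.g. mode 0644) means other local users
    ;; could read the secret, the same exposure config.php had in the store.
    (unless (zero? (logand (stat:perms st) #o077))
      (error "password file must not be group/other readable (chmod 600)"
             file)))
  (let ((alist (call-with-input-file file read)))
    (unless (and (list? alist)
                 (every (lambda (entry)
                          (and (pair? entry)
                               (string? (car entry))
                               (string? (cdr entry))))
                        alist))
      (error "password file must contain an alist of string pairs" file))
    alist))

(define (database-password file)
  "Return the database password stored under the \"db\" key of FILE."
  (or (assoc-ref (read-password-alist file) "db")
      (error "no \"db\" entry in password file" file)))

;; Hypothetical use: /etc/gnu-social/passwords.scm, created by the admin
;; with 'chmod 600' and containing   (("db" . "s3cret"))
(database-password "/etc/gnu-social/passwords.scm")
```

Run as the service's activation step, this gives the "fail to start with a clear error" behaviour Ludovic describes, and the mode check closes the world-readable hole that motivated the question.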