From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: WIP gnu social package
Date: Thu, 05 Oct 2017 17:00:11 +0200
Message-ID: <87h8vd4p38.fsf@gnu.org>
References: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li>
In-Reply-To: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li> (nee@cock.li's message of "Mon, 25 Sep 2017 23:14:13 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: nee
Cc: guix-devel@gnu.org

Hello,

nee skribis:

> I made a package that builds the translations and installs gnu social
> into the store.

[...]

> Here is an example config: http://paste.lisp.org/display/356859

Really cool that we can set up a complex service like this with just a
few lines!

> Here are a bunch of issues I have with guixSD in general:
>
> - Setting up the database requires the sql root password, the new
>   social_db_user password, and a password for the first admin user to
>   create in gnu social.
>   Having plaintext passwords in /etc/config.scm sounds pretty bad.
>   I'm not sure what the solution here is.
> - Could we add a password store to guix? It could automatically
>   generate passwords and pass them to services.
> - Should I generate a script that must be run manually and asks for
>   password input through stdin?
> - Something else?

For this particular case, I would do nothing: the first time, the
service wouldn’t start (I guess).  Users would have to explicitly set
the passwords on the command line, and then run “herd start gnu-social”.

> - The password of the database-user ends up in the config.php which is
>   generated by mixed-text-file. This file can be read by everyone. Can I
>   somehow set the owner on it and remove the reading rights from other
>   users?

No, the store is world-readable.  If there are secrets, they should be
stored elsewhere, but there’s currently no standard way to do that in
Guix.

Thanks for sharing, and sorry for the late reply!

Ludo’.
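
The point above about the world-readable store, as an added example that is not part of the original message and is not Guix code: a shell check that refuses a secret file if it resolves into the store or is readable by group or others, plus a helper that creates such a file with mode 600. /gnu/store is the default Guix store location; the function names and all other paths are hypothetical.

```shell
#!/bin/sh
# Added example, not Guix code. /gnu/store is the default Guix store;
# every other path and function name here is hypothetical.
STORE_DIR="${STORE_DIR:-/gnu/store}"

# Print a file's octal permission bits (GNU stat first, BSD stat second).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeed only if $1 is a safe home for a secret: it must not resolve into
# the store (files in /etc are often symlinks into it), must be a regular
# file, and must carry no group or other permission bits.
secret_file_ok() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    case "$real" in
        "$STORE_DIR"/*)
            echo "refused: $1 resolves into the world-readable store" >&2
            return 1 ;;
    esac
    [ -f "$real" ] || { echo "refused: $1 is not a regular file" >&2; return 1; }
    mode=$(file_mode "$real") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "refused: $1 has mode $mode (group/other bits set)" >&2
           return 1 ;;
    esac
}

# Create $1 with mode 600 and fill it with 24 random bytes as hex.
# noclobber (set -C) makes this fail rather than overwrite an existing
# file, whose older and possibly wider mode umask would not change.
new_secret_file() {
    (
        umask 077
        set -C
        od -An -tx1 -N 24 /dev/urandom | tr -d ' \n' > "$1"
    )
}
```

A service start script could call secret_file_ok on its password file and exit before starting if the check fails.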