unofficial mirror of guix-devel@gnu.org 
From: zerodaysfordays@sdf.lonestar.org (Jakob L. Kreuze)
To: Alex Sassmannshausen <alex.sassmannshausen@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: “Towards Guix for DevOps”
Date: Fri, 26 Jul 2019 10:17:01 -0400
Message-ID: <87r26clw2q.fsf@sdf.lonestar.org>
In-Reply-To: <87imrp40vy.fsf@gmail.com> (Alex Sassmannshausen's message of "Fri, 26 Jul 2019 10:10:25 +0100")

Hi Alex,

Alex Sassmannshausen <alex.sassmannshausen@gmail.com> writes:

> Hello,
>
> I just wanted to drop a quick note on the guix deploy work carried out
> by Jakob.
>
> I've started using it to manage servers, and it seems to work an
> absolute charm. Congratulations to all involved.

That's awesome. Hearing another success story with 'guix deploy'
absolutely made my day.

> I did hit the following small stumbling blocks:
>
> - When first running guix deploy it complained about a missing
>   /etc/guix/signing-key.sec. I fairly quickly realised that deploy
>   probably used archive infrastructure, so figured out how to generate
>   the keys. But maybe the manual should contain a line about this?

Excellent suggestion, I'll see about submitting a patch to mention that
in the manual.

The idea to automatically authorize the coordinator machine's signing
key has been rolling around in my mind since I started on this, since it
seems that something like that would fall into the category of "provisioning".

> - The machine-ssh-configuration allows for the specification of users
>   other than root, but my understanding is that only root will allow for
>   a successful deployment (because root is required to actually
>   reconfigure the target system). I don't know what conclusions to draw
>   from this, as I'm not 100% on the roadmap for development. But maybe
>   for now, this could be a gotcha for new users.

That's correct. This is another area where I'm not quite sure what the
optimal solution would be; conventional wisdom suggests that a server's
SSH daemon should be configured to disallow root login, which makes me
think that we should implement some sort of privilege escalation with
'sudo', but I'm open to additional suggestions.

Thank you very much for your comments :)

Regards,
Jakob
