From: "Thompson, David" <dthompson2@worcester.edu>
Date: Thu, 7 May 2020 08:24:01 -0400
Subject: Re: [EXT] Re: [EXT] Re: Medium-term road map
To: Jack Hill
Cc: guix-devel@gnu.org
References: <87mu6zd6tz.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
On Wed, May 6, 2020 at 3:46 PM Jack Hill wrote:
>
> > Long story short: Guix need not worry about this.
>
> I think we may want to do some work in Guix to support this workflow
> conveniently. That work could include having a secrets management service,
> bootstrapping new hosts for access to the service, or writing system
> services that can be easily configured for different secret management at
> deploy time. It's fun to think about what we could do, but as Ludo’
> suggested elsewhere in the thread, we'll find out by trying to deploy more
> hosts with more complex configurations. I hope to be able to do so soon.

To that end, I think a good starting place would be to research the
available free secrets management applications (my knowledge is a few
years out of date), package it, and write a shepherd service for it.
From there, we could see what additional integration would be useful
for clients (your other servers being clients of the secrets management
server.)

I don't know if this would actually work, but I can picture a world
where service configuration objects are aware of secret fields (some
new Scheme data type) and will arrange to lazily generate config files
in a just-in-time fashion on the server when shepherd starts the
service. Sounds like a real fun project, IMO!

Okay, so I take it back: Guix *should* worry about this, but in a very
specific way that is orders of magnitude better than every other
configuration management system out there, just like the rest of Guix. :)

- Dave
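The "secret-aware configuration object" idea in Dave's message, sketched in plain Guile as an added example. This is not Guix code and not part of the thread: the record type <secret-ref>, the procedures render-config, materialize-config! and missing-secrets, and the alist standing in for a secrets service are all hypothetical names chosen here. The security point it demonstrates is that the configuration object carries only the *name* of each secret, so it can safely be built (and even end up in the world-readable /gnu/store), while the file containing the actual values is written to a root-only path just in time, at service start.

```scheme
;; Added example, not Guix code. All names below are hypothetical.
(use-modules (srfi srfi-1)     ; filter-map
             (srfi srfi-9)     ; define-record-type
             (ice-9 match))

;; A reference to a secret by name. The value is never stored in the
;; configuration object, so the object itself holds nothing sensitive.
(define-record-type <secret-ref>
  (secret-ref name)
  secret-ref?
  (name secret-ref-name))

;; A service configuration: (key . value) pairs whose values are either
;; literal strings or <secret-ref> placeholders.
(define example-config
  `(("listen"      . "127.0.0.1:5432")
    ("db_user"     . "app")
    ("db_password" . ,(secret-ref "db-password"))))

;; Constructed stand-in for the secrets service the thread talks about.
;; A real deployment would query that service here instead.
(define example-store
  '(("db-password" . "example-value-not-a-real-secret")))

(define (lookup-secret store name)
  (or (assoc-ref store name)
      (error "secret not available" name)))

;; Names of referenced secrets that STORE cannot supply; checking this
;; before start gives a clear failure instead of a half-written config.
(define (missing-secrets config store)
  (filter-map (match-lambda
                ((_ . (? secret-ref? ref))
                 (and (not (assoc-ref store (secret-ref-name ref)))
                      (secret-ref-name ref)))
                (_ #f))
              config))

;; Resolve every secret field against STORE and render the file body.
(define (render-config config store)
  (string-concatenate
   (map (match-lambda
          ((key . (? secret-ref? ref))
           (string-append key " = "
                          (lookup-secret store (secret-ref-name ref)) "\n"))
          ((key . (? string? value))
           (string-append key " = " value "\n")))
        config)))

;; Called when shepherd starts the service: write the rendered config to
;; PATH (outside the store) with mode 0600, so secrets never become
;; world-readable. The umask is tightened *before* the file is created
;; to avoid a window where it exists with permissive permissions.
(define (materialize-config! config store path)
  (match (missing-secrets config store)
    (() #t)
    (missing (error "cannot start service, missing secrets:" missing)))
  (let ((old-mask (umask #o077)))
    (call-with-output-file path
      (lambda (port)
        (display (render-config config store) port)))
    (umask old-mask))
  (chmod path #o600)
  path)

;; Example usage at service start:
;; (materialize-config! example-config example-store "/run/app/app.conf")
```

The point of keeping the secret as a <secret-ref> rather than a string is that the configuration record, which Guix would otherwise serialize into a store item, contains nothing worth protecting; only the per-boot output of materialize-config! does, and that file lives under /run with restrictive permissions rather than in the store.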