From: "Thompson, David"
Date: Wed, 6 May 2020 13:03:39 -0400
Subject: Re: [EXT] Re: Medium-term road map
To: Jack Hill
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."
References: <87mu6zd6tz.fsf@gnu.org>

On Sat, Apr 25, 2020 at 5:38 PM Jack Hill wrote:
>
> * Continued development of guix deploy. Figuring out how to deploy secrets
> to remote machines would be great.

I used to think this was a problem that guix deploy had to deal with but
after many years doing devops full-time I no longer think this is a
concern.
Industry best practice is to use a secrets management service to fetch
secrets at application boot time. For example, you could write a shepherd
service that downloads and installs an SSH host key from AWS Secrets
Manager (or a self-hosted free tool or another cloud provider's service,
you get the idea) before the SSH service starts.

In my experience, every application requires a slightly different
strategy: maybe you need to put a key into a specific file, maybe you need
to set environment variables, maybe you need to templatize the config
file, etc. There's no single general solution to the problem, but I
strongly believe that the guix client that is doing the deployment should
never access such secrets.

Long story short: Guix need not worry about this.

- Dave
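The boot-time pattern Dave describes, as an added example that is not part of the original thread or of Guix: the deployed machine itself pulls the SSH host key from a secrets service and installs it with owner-only permissions before sshd starts, so the deploying client never touches the key. The `FETCH_CMD` parameter is an assumption made so the script runs offline; in practice it would wrap the secrets-manager CLI (for AWS, `aws secretsmanager get-secret-value`), and the `stat` invocation assumes GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example, not code from the guix-devel thread or from Guix itself.
# Intended to run on the target host from a one-shot service that the SSH
# daemon's service lists as a requirement, so the key is in place before
# sshd reads it.
set -eu

# install_secret DEST FETCH_CMD
# Runs FETCH_CMD (which must print the secret on stdout), writes it to DEST
# atomically with mode 0600, and never leaves an empty or partial file
# behind if the fetch fails. Runs in a subshell so umask does not leak.
install_secret() (
    dest=$1
    fetch_cmd=$2
    dir=$(dirname "$dest")
    umask 077                                   # new files are created 0600
    tmp=$(mktemp "$dir/.secret.XXXXXX")
    # Fetch into the temp file; on failure or empty output, clean up and fail.
    if ! $fetch_cmd > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "install_secret: fetch failed or returned empty secret for $dest" >&2
        exit 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"                        # atomic replace, same filesystem
)

# check_secret_perms FILE
# Returns 0 only if FILE exists, is non-empty and is mode 0600: the check a
# service should run before starting the daemon that consumes the secret.
check_secret_perms() {
    f=$1
    [ -s "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ]
}
```

The same two functions serve any file-shaped secret (TLS keys, service tokens), which is the "put a key into a specific file" case Dave mentions; environment-variable and templated-config cases need their own small installer.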