Date: Mon, 08 Jun 2020 18:51:31 -0400
From: Julien Lepiller
To: guix-devel@gnu.org, raingloom
Subject: Re: Secrets in (generated) configs. How to deal with them?
In-Reply-To: <20200609004302.3757a950@riseup.net>
List-Id: "Development of GNU Guix and the GNU System distribution."

On 8 June 2020 18:43:02 GMT-04:00, raingloom wrote:
> Hi all!
>
> I'm trying to package Yggdrasil as a Guix service and I took a look at
> what NixOS does and they actually don't simply generate the config in
> the store, instead it's combined with another input of the service and
> the combined JSON is fed to Yggdrasil on stdin.
>
> Is this how I should do it as well? Or maybe the Guix store can make
> some outputs private?

The store is always world-readable, no output can be private. I think we have some examples of that. For instance, knot (the DNS server) can read some secrets from its configuration. We suggest that our users instead create a small file outside the store that contains the secrets, and use an include in the conf. This is only possible when the configuration language allows that, of course.

It would be nice to have a better and more generic way to handle secrets though.
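The pattern described in the reply above (a world-readable generated configuration that only includes a secrets file kept outside the store), as an added shell example that is not part of this thread and not code from Guix or Knot. The directory layout (`$STORE` standing in for /gnu/store, `$ETC` standing in for /etc/knot), the file names and the placeholder TSIG secret are constructed for the demonstration; the `include:` and `key:` syntax is Knot DNS's configuration format. The two checks at the end are what a deployer would want to verify: the store-side file carries no secret, and the secrets file is not readable by group or others.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix: the "include a
# secrets file kept outside the store" pattern, with the checks a
# deployer would want. All paths are constructed stand-ins:
#   $STORE plays the role of the world-readable /gnu/store,
#   $ETC   plays the role of /etc/knot, which is not in the store.
WORK="${WORK:-$(mktemp -d)}"
STORE="$WORK/gnu/store/example-knot-config"
ETC="$WORK/etc/knot"

# 1. The secrets file lives outside the store and is created with mode 0600
#    (umask 077 in a subshell so the caller's umask is untouched). The TSIG
#    secret is a constructed placeholder, not a real key.
write_secret_file() {
    mkdir -p "$ETC"
    ( umask 077
      cat > "$ETC/tsig.conf" <<'EOF'
key:
  - id: example-key
    algorithm: hmac-sha256
    secret: PLACEHOLDER-NOT-A-REAL-SECRET=
EOF
    )
    printf '%s\n' "$ETC/tsig.conf"
}

# 2. The generated configuration (what a service would put in the store)
#    is world-readable and carries no secret: it only references the
#    private file through Knot's include directive.
write_store_config() {
    mkdir -p "$STORE"
    cat > "$STORE/knot.conf" <<EOF
# Generated file; safe to be world-readable because it holds no secret.
include: $ETC/tsig.conf

server:
    listen: 127.0.0.1@53
EOF
    chmod 444 "$STORE/knot.conf"
    printf '%s\n' "$STORE/knot.conf"
}

# Check A: nothing that looks like a secret leaked into the store config.
store_config_is_clean() {
    ! grep -q -e 'secret:' -e 'PLACEHOLDER' "$STORE/knot.conf"
}

# Check B: the secrets file is not readable by group or others
# (characters 5-10 of "ls -l" are the group and other permission bits).
secret_file_is_private() {
    mode=$(ls -l "$ETC/tsig.conf" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Check C: the mistake of pasting the secret straight into the generated
# config would be caught by the same grep; simulate it on a scratch copy.
leaked_config_is_detected() {
    tmp="$WORK/leaked.conf"
    cat "$STORE/knot.conf" "$ETC/tsig.conf" > "$tmp"
    grep -q 'secret:' "$tmp"
}

main() {
    write_secret_file
    write_store_config
    store_config_is_clean && echo "store config holds no secret: ok"
    secret_file_is_private && echo "secrets file is mode 0600: ok"
}

main
```

On a real system the secrets file would be provisioned by the administrator outside the store (and outside the service's generated files), while the service only emits the `include:` line; the grep in check A is a cheap guard to run over every generated configuration before it is written to a world-readable location.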