From: Hartmut Goebel
Organization: crazy-compilers.com
To: guix-devel@gnu.org
Subject: Re: SSSD, Kerberized NFSv4 and Bacula
Date: Tue, 29 Aug 2023 17:57:21 +0200
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

On 24.08.23 at 21:55, Martin Baulig wrote:
>
> 1. My "guix secrets" tool provides a command-line interface to
> maintain a "secrets database" (/etc/guix/secrets.db) that's only
> accessible to root.  It can contain simple passwords, arbitrary
> text (like for instance X509 certificates in PEM format) and
> binary data.
>
> 2. …
>
> 3. Finally, "secrets-service-type" depends on all of the above to do
> its work.
>
> It takes a /template file/ - which is typically interned in the
> store - containing special "tokens" that tell it which keys to
> look up from the /secrets database/.
>

This sounds great and like a major step towards "guixops" [1], [2].

[1] https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00435.html
[2] https://lists.gnu.org/archive/html/guix-devel/2017-09/msg00196.html

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |
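As an added illustration of the split the quoted message describes (not Martin Baulig's tool and not Guix code), this Python sketch keeps the template, which may live in the world-readable store, free of secret values and has a root-only database supply them at render time, refusing a database that is not owner-only and a token whose key does not exist. The {{secret:NAME}} token syntax, the key=value database format, the Bacula-style template and all function names are assumptions.

```python
import os
import re
import stat
import tempfile

TOKEN = re.compile(r"\{\{secret:([A-Za-z0-9_.-]+)\}\}")  # assumed token syntax

def load_secrets(path, owner_uid=0):
    """Parse a constructed 'key=value' database, refusing one that is not owner-only
    (root in production; the uid is a parameter so the demo can run unprivileged)."""
    st = os.stat(path)
    if st.st_uid != owner_uid or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: uid {st.st_uid}, mode {oct(stat.S_IMODE(st.st_mode))}")
    with open(path) as fh:
        return dict(line.rstrip("\n").split("=", 1) for line in fh if "=" in line)

def render(template_text, secrets):
    """Replace each token with its value; a key missing from the database raises
    KeyError instead of silently rendering an empty password."""
    return TOKEN.sub(lambda m: secrets[m.group(1)], template_text)

def render_to_file(template_text, secrets, out_path):
    """Create the output 0600 from the first byte rather than chmod-ing afterwards."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render(template_text, secrets))

def rejects(fn, exc):
    """True if fn() raises exc; used to exercise the two refusal paths below."""
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    """Constructed end-to-end run in a temp dir; returns values for checking."""
    d = tempfile.mkdtemp()
    db, out = os.path.join(d, "secrets.db"), os.path.join(d, "bacula-dir.conf")
    with os.fdopen(os.open(db, os.O_WRONLY | os.O_CREAT, 0o600), "w") as fh:
        fh.write("# constructed sample database\nbacula_dir_pw=s3cret-dir\n")
    template = 'Director {\n  Password = "{{secret:bacula_dir_pw}}"\n}\n'  # store-side file
    secrets = load_secrets(db, os.getuid())
    render_to_file(template, secrets, out)
    rendered, out_mode = open(out).read(), stat.S_IMODE(os.stat(out).st_mode)
    unknown_rejected = rejects(lambda: render("{{secret:missing}}", secrets), KeyError)
    os.chmod(db, 0o644)  # simulate a database someone left world-readable
    loose_db_rejected = rejects(lambda: load_secrets(db, os.getuid()), PermissionError)
    return rendered, out_mode, unknown_rejected, loose_db_rejected
```

Because the rendered file is created with mode 0600 and the template never holds a value, nothing secret ever passes through the store or a briefly world-readable file.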