* How do I install a file with custom permissions?
From: Timo Wilken @ 2022-11-29 19:24 UTC (permalink / raw)
To: help-guix
Hi Guixers,
I'm trying to patch the `wireguard-service-type' to accept pre-shared
keys and add them to the generated config. This all seems to work
fine, except that I can't get guix to generate a non-world-readable
configuration file.
I've tried adding a `(chmod port #o400)' call to the end of the lambda
that generates the config file (gnu/services/vpn.scm lines 784-838),
but that seems to have no effect -- the resulting file at
/gnu/store/...-wireguard-config/wg0.conf is still
world-readable. Adding `(chmod #$config-file #o400)' after the
`call-with-output-file' call doesn't work either.
What do I need to do to make guix install the generated config file
with 0400 permissions?
Cheers,
Timo
* Re: How do I install a file with custom permissions?
From: Julien Lepiller @ 2022-11-29 19:34 UTC (permalink / raw)
To: help-guix, Timo Wilken
Hi Timo,
Files in the store are always world-readable and there's nothing you can do to change that. There have been discussions in the past about how to handle secrets in the store, but no solution so far.
One thing you can do, if wireguard allows it, is to have the pre-shared key in a separate file out of the store and simply point the config to that file (instead of using a file-like object). This is how we handle other secrets so far.
On 29 November 2022 20:24:13 GMT+01:00, Timo Wilken <guix@twilken.net> wrote:
>Hi Guixers,
>
>I'm trying to patch the `wireguard-service-type' to accept pre-shared
>keys and add them to the generated config. This all seems to work
>fine, except that I can't get guix to generate a non-world-readable
>configuration file.
>
>I've tried adding a `(chmod port #o400)' call to the end of the lambda
>that generates the config file (gnu/services/vpn.scm lines 784-838),
>but that seems to have no effect -- the resulting file at
>/gnu/store/...-wireguard-config/wg0.conf is still
>world-readable. Adding `(chmod #$config-file #o400)' after the
>`call-with-output-file' call doesn't work either.
>
>What do I need to do to make guix install the generated config file
>with 0400 permissions?
>
>Cheers,
>Timo
>
* Re: How do I install a file with custom permissions?
From: Tobias Geerinckx-Rice @ 2022-11-29 19:34 UTC (permalink / raw)
To: Timo Wilken; +Cc: help-guix
Hi Timo,
Timo Wilken wrote:
> I'm trying to patch the `wireguard-service-type' to accept
> pre-shared
> keys and add them to the generated config. This all seems to
> work
> fine, except that I can't get guix to generate a
> non-world-readable
> configuration file.
Alas (for your plans), this is not possible. Guix's store model,
inherited from Nix, is a world-readable heap.
Dealing with secrets outside of the store is one area where Nix is
‘ahead’ of Guix, in that they seem to have multiple solutions[0].
Very Nix.
Guix users currently use strategies similar to the second half of
that table: the secret is placed outside of the store, not managed
through Guix, and the Guix service/package is pointed to it at run
time. Every search result for ‘secrets’ in the Guix manual is
part of such a primitive scheme.
This is how Wireguard is set up on berlin, the Guix build farm.
/etc/wireguard/private.key was generated manually and Guix never
deals with it.
If you want to add secrets to Guix services, you'll have to design
a general mechanism for doing so first. I don't have links handy
but I'm sure there's prior discussion, perhaps even art, on the
mailing lists.
Sorry,
T G-R
[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
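Both Julien's and Tobias's answers come down to the same mitigation: keep the key out of the store and have the config reference it by path. The shell script below is an added example, not code from the thread or from Guix, that audits a generated wg0.conf for the two ways this goes wrong: key material written inline, or a referenced key file that lives under /gnu/store or is group/world-readable. It assumes the config references keys through `wg set ... private-key <file>` / `preshared-key <file>` PostUp lines (the wg(8) CLI syntax) and that GNU `stat` is available; every key, path and public key in the fixtures is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WireGuard config for secret
# material that would end up world-readable. Exit status 0 = clean, 1 = findings.
audit_wg_conf() {
  conf=$1; rc=0
  # An inline key is readable by anyone who can read the config file; for a
  # file in /gnu/store, that is every local user.
  if grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=' "$conf"; then
    echo "FINDING: inline key material in $conf"; rc=1
  fi
  # Paths passed to "wg set ... private-key <file>" / "preshared-key <file>":
  # they must live outside the store and carry no group/other permission bits.
  for key in $(sed -nE 's/.*(private-key|preshared-key)[[:space:]]+([^[:space:]]+).*/\2/p' "$conf"); do
    case $key in
      /gnu/store/*) echo "FINDING: $key lives in the store (world-readable)"; rc=1; continue ;;
    esac
    if [ ! -e "$key" ]; then
      echo "WARN: $key does not exist (generated out of band?)"; continue
    fi
    mode=$(stat -c '%a' "$key")
    case $mode in
      [0-7]00) ;;   # e.g. 400 or 600: owner-only access
      *) echo "FINDING: $key has mode $mode, expected 0400 or 0600"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed fixtures in a temp dir: one clean config and three bad ones.
# Prints the directory so the configs can be audited afterwards.
make_fixtures() {
  d=$(mktemp -d)
  printf 'not-a-real-key\n' > "$d/private.key"; chmod 600 "$d/private.key"
  printf 'not-a-real-psk\n' > "$d/peer.psk";    chmod 644 "$d/peer.psk"   # too open
  printf '[Interface]\nPostUp = wg set %%i private-key %s\n' "$d/private.key" > "$d/good.conf"
  printf '[Interface]\nPrivateKey = not-a-real-key\n' > "$d/inline.conf"
  printf '[Interface]\nPostUp = wg set %%i private-key /gnu/store/xxx-wg/private.key\n' > "$d/store.conf"
  printf '[Peer]\nPostUp = wg set %%i peer PLACEHOLDER-PUBKEY preshared-key %s\n' "$d/peer.psk" > "$d/open.conf"
  echo "$d"
}

# Usage: D=$(make_fixtures); audit_wg_conf "$D/good.conf"; audit_wg_conf "$D/open.conf"
```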
* Re: How do I install a file with custom permissions?
From: Timo Wilken @ 2022-11-29 19:43 UTC (permalink / raw)
To: Julien Lepiller, help-guix
Hi Julien,
Thanks! It did seem slightly odd to me how `wireguard-service-type'
set the private key in a bit of a roundabout way, by referring to an
external file. I'll try and set the pre-shared keys the same way.
Cheers,
Timo
On Tue, Nov 29, 2022 at 08:34:21PM +0100, Julien Lepiller wrote:
> Hi Timo,
>
> Files in the store are always world-readable and there's nothing you can do to change that. There have been discussions in the past about how to handle secrets in the store, but no solution so far.
>
> One thing you can do, if wireguard allows it, is to have the pre-shared key in a separate file out of the store and simply point the config to that file (instead of using a file-like object). This is how we handle other secrets so far.
>
> On 29 November 2022 20:24:13 GMT+01:00, Timo Wilken <guix@twilken.net> wrote:
> >Hi Guixers,
> >
> >I'm trying to patch the `wireguard-service-type' to accept pre-shared
> >keys and add them to the generated config. This all seems to work
> >fine, except that I can't get guix to generate a non-world-readable
> >configuration file.
> >
> >I've tried adding a `(chmod port #o400)' call to the end of the lambda
> >that generates the config file (gnu/services/vpn.scm lines 784-838),
> >but that seems to have no effect -- the resulting file at
> >/gnu/store/...-wireguard-config/wg0.conf is still
> >world-readable. Adding `(chmod #$config-file #o400)' after the
> >`call-with-output-file' call doesn't work either.
> >
> >What do I need to do to make guix install the generated config file
> >with 0400 permissions?
> >
> >Cheers,
> >Timo
> >
* Re: How do I install a file with custom permissions?
From: Timo Wilken @ 2022-11-29 20:56 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: help-guix
Hi Tobias,
On Tue, Nov 29, 2022 at 08:34:44PM +0100, Tobias Geerinckx-Rice wrote:
> Hi Timo,
>
> Timo Wilken wrote:
> > I'm trying to patch the `wireguard-service-type' to accept pre-shared
> > keys and add them to the generated config. This all seems to work
> > fine, except that I can't get guix to generate a non-world-readable
> > configuration file.
>
> Alas (for your plans), this is not possible. Guix's store model, inherited
> from Nix, is a world-readable heap.
>
> Dealing with secrets outside of the store is one area where Nix is ‘ahead’
> of Guix, in that they seem to have multiple solutions[0]. Very Nix.
>
> Guix users currently use strategies similar to the second half of that
> table: the secret is placed outside of the store, not managed through Guix,
> and the Guix service/package is pointed to it at run time. Every search
> result for ‘secrets’ in the Guix manual is part of such a primitive scheme.
Fair enough. Thanks for the pointers!
Cheers,
Timo