unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
* Another service definition question: Files containing secrets?
@ 2024-07-28 21:27 Zack Weinberg
  2024-07-29 15:38 ` Hartmut Goebel
  2024-07-29 23:33 ` Giacomo via
  0 siblings, 2 replies; 4+ messages in thread
From: Zack Weinberg @ 2024-07-28 21:27 UTC (permalink / raw)
  To: help-guix

The same slightly weird daemon I was talking about earlier expects to
find another file in /etc containing a piece of secret information - namely,
a token it will use to authenticate to a remote server.  This token does
not change in normal operation, and the most natural way to deal with it
would be to provide it as part of the service configuration.  (It cannot
be generated at activation time, the way SSH host keys are.)

The *problem* with this is that it appears there's no way to make a file
in the store not be world readable.

What's the best way to deal with this situation?

zw


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Another service definition question: Files containing secrets?
  2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
@ 2024-07-29 15:38 ` Hartmut Goebel
  2024-08-03  9:09   ` Marek Paśnikowski
  2024-07-29 23:33 ` Giacomo via
  1 sibling, 1 reply; 4+ messages in thread
From: Hartmut Goebel @ 2024-07-29 15:38 UTC (permalink / raw)
  To: help-guix

Hi,

Am 28.07.24 um 23:27 schrieb Zack Weinberg:
> The*problem*  with this is that it appears there's no way to make a file
> in the store not be world readable.
>
> What's the best way to deal with this situation?

I feel your pain! Several years ago already I started a nullmailer 
service for Guix - and never finished it for similar reasons. 
(nullmailer expects the password being part of the config file.)

I'm afraid, the only solution is to create a service which generates the 
config at boot time from a file containing the password and some 
template (or guile data structure). The password file would not be part 
of the Guix system definition. Anyhow I'm not aware of any example, sorry.

Please let me know if you implement something like this as I'd like to 
eventally finish the nullmailer service :-)

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          |h.goebel@crazy-compilers.com                |
|www.crazy-compilers.com  | compilers which you thought are impossible |

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Another service definition question: Files containing secrets?
  2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
  2024-07-29 15:38 ` Hartmut Goebel
@ 2024-07-29 23:33 ` Giacomo via
  1 sibling, 0 replies; 4+ messages in thread
From: Giacomo via @ 2024-07-29 23:33 UTC (permalink / raw)
  To: help-guix

Hello Zack,

I developed and currently use sops-guix, a reimplementation of sops-nix principles in Guix' terms [0]. Basically secrets never hit the disk in clear text, they are encrypted before including them in the Guix code and get decrypted at activation time, provided the right keys are present on the target machine.

While it is completely based on free software it is not in Guix mainline due to the comolexity of packaging SOPS' dependency graph. As soon as there's a SOPS package in Guix I plan to upstream the sops-secrets-service-type and sops-secret record.

HTH,

giacomo

[0]: https://github.com/fishinthecalculator/sops-guix

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Another service definition question: Files containing secrets?
  2024-07-29 15:38 ` Hartmut Goebel
@ 2024-08-03  9:09   ` Marek Paśnikowski
  0 siblings, 0 replies; 4+ messages in thread
From: Marek Paśnikowski @ 2024-08-03  9:09 UTC (permalink / raw)
  To: help-guix

Hartmut Goebel <h.goebel@crazy-compilers.com> writes:

> Hi,
>
> Am 28.07.24 um 23:27 schrieb Zack Weinberg:
>> The*problem* with this is that it appears there's no way to make a
>> file in the store not be world readable.
>>
>> What's the best way to deal with this situation?
>
> I feel your pain! Several years ago already I started a nullmailer
> service for Guix - and never finished it for similar
> reasons. (nullmailer expects the password being part of the config
> file.)
>
> I'm afraid, the only solution is to create a service which generates
> the config at boot time from a file containing the password and some
> template (or guile data structure). The password file would not be
> part of the Guix system definition. Anyhow I'm not aware of any
> example, sorry.
>
> Please let me know if you implement something like this as I'd like to
> eventally finish the nullmailer service :-)

At the start of my server configuration I have the following lines:

(define smtpd-keys "/secrets/smtpd")
(define radicale-keys "/secrets/radicale/keys")
(define dovecot-keys "/secrets/dovecot")

These files have appropriately limited permissions and are not tracked
with any version control.  It is my responsibility to ensure the
integrity of this data.

The /etc directory is writable for root, so if a configuration file must
be in /etc , it can…? I wonder how that works with the system activation
now.  I am afraid that any undeclared files in /etc could get wiped on
system reconfigurations.

In the past I had attempted to maintain a file-based guix channel for
secrets, but it was not possible to easily reconcile the necessity of
declaring the channel as a dependency and having it on one system only.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-08-03  9:10 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
2024-07-29 15:38 ` Hartmut Goebel
2024-08-03  9:09   ` Marek Paśnikowski
2024-07-29 23:33 ` Giacomo via

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).