* Another service definition question: Files containing secrets?
@ 2024-07-28 21:27 Zack Weinberg
2024-07-29 15:38 ` Hartmut Goebel
2024-07-29 23:33 ` Giacomo via
0 siblings, 2 replies; 4+ messages in thread
From: Zack Weinberg @ 2024-07-28 21:27 UTC (permalink / raw)
To: help-guix
The same slightly weird daemon I was talking about earlier expects to
find another file in /etc containing a piece of secret information - namely,
a token it will use to authenticate to a remote server. This token does
not change in normal operation, and the most natural way to deal with it
would be to provide it as part of the service configuration. (It cannot
be generated at activation time, the way SSH host keys are.)
The *problem* with this is that it appears there's no way to make a file
in the store not be world readable.
What's the best way to deal with this situation?
zw
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another service definition question: Files containing secrets?
2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
@ 2024-07-29 15:38 ` Hartmut Goebel
2024-08-03 9:09 ` Marek Paśnikowski
2024-07-29 23:33 ` Giacomo via
1 sibling, 1 reply; 4+ messages in thread
From: Hartmut Goebel @ 2024-07-29 15:38 UTC (permalink / raw)
To: help-guix
Hi,
Am 28.07.24 um 23:27 schrieb Zack Weinberg:
> The*problem* with this is that it appears there's no way to make a file
> in the store not be world readable.
>
> What's the best way to deal with this situation?
I feel your pain! Several years ago already I started a nullmailer
service for Guix - and never finished it for similar reasons.
(nullmailer expects the password being part of the config file.)
I'm afraid, the only solution is to create a service which generates the
config at boot time from a file containing the password and some
template (or guile data structure). The password file would not be part
of the Guix system definition. Anyhow I'm not aware of any example, sorry.
Please let me know if you implement something like this as I'd like to
eventally finish the nullmailer service :-)
--
Regards
Hartmut Goebel
| Hartmut Goebel |h.goebel@crazy-compilers.com |
|www.crazy-compilers.com | compilers which you thought are impossible |
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another service definition question: Files containing secrets?
2024-07-29 15:38 ` Hartmut Goebel
@ 2024-08-03 9:09 ` Marek Paśnikowski
0 siblings, 0 replies; 4+ messages in thread
From: Marek Paśnikowski @ 2024-08-03 9:09 UTC (permalink / raw)
To: help-guix
Hartmut Goebel <h.goebel@crazy-compilers.com> writes:
> Hi,
>
> Am 28.07.24 um 23:27 schrieb Zack Weinberg:
>> The*problem* with this is that it appears there's no way to make a
>> file in the store not be world readable.
>>
>> What's the best way to deal with this situation?
>
> I feel your pain! Several years ago already I started a nullmailer
> service for Guix - and never finished it for similar
> reasons. (nullmailer expects the password being part of the config
> file.)
>
> I'm afraid, the only solution is to create a service which generates
> the config at boot time from a file containing the password and some
> template (or guile data structure). The password file would not be
> part of the Guix system definition. Anyhow I'm not aware of any
> example, sorry.
>
> Please let me know if you implement something like this as I'd like to
> eventally finish the nullmailer service :-)
At the start of my server configuration I have the following lines:
(define smtpd-keys "/secrets/smtpd")
(define radicale-keys "/secrets/radicale/keys")
(define dovecot-keys "/secrets/dovecot")
These files have appropriately limited permissions and are not tracked
with any version control. It is my responsibility to ensure the
integrity of this data.
The /etc directory is writable for root, so if a configuration file must
be in /etc , it can…? I wonder how that works with the system activation
now. I am afraid that any undeclared files in /etc could get wiped on
system reconfigurations.
In the past I had attempted to maintain a file-based guix channel for
secrets, but it was not possible to easily reconcile the necessity of
declaring the channel as a dependency and having it on one system only.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another service definition question: Files containing secrets?
2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
2024-07-29 15:38 ` Hartmut Goebel
@ 2024-07-29 23:33 ` Giacomo via
1 sibling, 0 replies; 4+ messages in thread
From: Giacomo via @ 2024-07-29 23:33 UTC (permalink / raw)
To: help-guix
Hello Zack,
I developed and currently use sops-guix, a reimplementation of sops-nix principles in Guix' terms [0]. Basically secrets never hit the disk in clear text, they are encrypted before including them in the Guix code and get decrypted at activation time, provided the right keys are present on the target machine.
While it is completely based on free software it is not in Guix mainline due to the comolexity of packaging SOPS' dependency graph. As soon as there's a SOPS package in Guix I plan to upstream the sops-secrets-service-type and sops-secret record.
HTH,
giacomo
[0]: https://github.com/fishinthecalculator/sops-guix
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-08-03 9:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-28 21:27 Another service definition question: Files containing secrets? Zack Weinberg
2024-07-29 15:38 ` Hartmut Goebel
2024-08-03 9:09 ` Marek Paśnikowski
2024-07-29 23:33 ` Giacomo via
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).