Hi Timo,

Timo Wilken wrote:
> I'm trying to patch the `wireguard-service-type' to accept pre-shared
> keys and add them to the generated config. This all seems to work
> fine, except that I can't get guix to generate a non-world-readable
> configuration file.

Alas (for your plans), this is not possible.  Guix's store model,
inherited from Nix, is a world-readable heap.

Dealing with secrets outside of the store is one area where Nix is
‘ahead’ of Guix, in that they seem to have multiple solutions[0].  Very
Nix.

Guix users currently use strategies similar to the second half of that
table: the secret is placed outside of the store, not managed through
Guix, and the Guix service/package is pointed to it at run time.  Every
search result for ‘secrets’ in the Guix manual is part of such a
primitive scheme.

This is how Wireguard is set up on berlin, the Guix build farm.
/etc/wireguard/private.key was generated manually and Guix never deals
with it.

If you want to add secrets to Guix services, you'll have to design a
general mechanism for doing so first.  I don't have links handy but I'm
sure there's prior discussion, perhaps even art, on the mailing lists.

Sorry,

T G-R

[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
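The ‘keep the secret outside the store and point the service at it’ arrangement the reply describes, as an added shell example.  This is not code from the thread, from Guix, or from berlin's actual setup; it assumes the default store prefix /gnu/store, the conventional key path /etc/wireguard/private.key, and that `wg` (wireguard-tools) is on PATH when you actually generate a key.  The check refuses any path under the store prefix, because every file there is readable by every user regardless of its mode bits, and then insists the file itself carries no group/other permission bits.

```shell
#!/bin/sh
# Added example (not from the original thread, Guix, or berlin's configuration).
# Secrets for Guix services must live outside /gnu/store, where everything is
# world-readable, and must themselves be unreadable to other users.

# Assumption: default Guix store location; override for a relocated store.
STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"

# secret_is_private PATH
# Returns 0 when PATH is outside the store and has mode ?00 (no group/other bits).
secret_is_private() {
    path=$1
    case "$path" in
        "$STORE_PREFIX"/*) return 1 ;;   # in the store: world-readable by design
    esac
    [ -f "$path" ] || return 1
    # Columns 5-10 of `ls -ld` are the group and other permission triplets.
    mode=$(ls -ld "$path" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# write_secret PATH
# Writes stdin to PATH, creating the parent directory as 0700 and the file as
# 0600 from the outset (umask applies at creation, so the file never briefly
# exists with wider permissions).
write_secret() {
    path=$1
    dir=$(dirname "$path")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    rm -f "$path"                          # a pre-existing 0644 file would keep its mode
    (umask 077 && cat > "$path")
}

# generate_wg_key [PATH]
# Generates a fresh WireGuard private key at PATH (default: the path the
# reply mentions) without ever letting it pass through the store.
generate_wg_key() {
    path=${1:-/etc/wireguard/private.key}
    wg genkey | write_secret "$path" || return 1
    secret_is_private "$path"
}

# Usage (as root on the machine, never inside a Guix build or G-expression):
#   ./wg-secret.sh            # runs the block below
#   private-key "/etc/wireguard/private.key" in wireguard-configuration then
#   refers to the file at run time; Guix itself never sees its contents.
if [ "${1:-}" = "--generate" ]; then
    generate_wg_key "${2:-/etc/wireguard/private.key}" && echo "key written"
fi
```

The check is deliberately path-based as well as mode-based: a secret copied into the store by a G-expression, e.g. via (local-file "private.key"), would be owned by root with mode 0444 and readable by every account on the box, so no chmod after the fact can rescue it; it has to be created where Guix does not manage it.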