From: Efraim Flashner <efraim@flashner.co.il>
To: "Thompson, David" <dthompson2@worcester.edu>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: [EXT] Re: Medium-term road map
Date: Wed, 6 May 2020 21:58:44 +0300 [thread overview]
Message-ID: <20200506185844.GD2359@E5400> (raw)
In-Reply-To: <CAJ=RwfYnPvRSCbPRh8YJ07=QQW-B5zqWV2ZTVG9oUHB5YKamhQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1699 bytes --]
On Wed, May 06, 2020 at 01:03:39PM -0400, Thompson, David wrote:
> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <jackhill@jackhill.us> wrote:
> >
> > * Continued development of guix deploy. Figuring out how to deploy secrets
> > to remote machines would be great.
>
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time. For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts. In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly the believe that the guix client that is
> doing the deployment should never access such secrets.
>
> Long story short: Guix need not worry about this.
>
> - Dave
>
For the SSH example, imagine a one-shot service that fetches a private
and public keypair¹, replaces the pair already inside /etc/ssh and then
restarts the openssh service.
¹ Using magic or ssh or from a thumbdrive, etc
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2020-05-06 18:59 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-25 13:37 Medium-term road map Ludovic Courtès
2020-04-25 16:23 ` Pierre Neidhardt
2020-05-03 20:13 ` Ludovic Courtès
2020-04-25 21:38 ` Jack Hill
2020-04-26 1:22 ` Josh Marshall
2020-05-03 20:18 ` Ludovic Courtès
2020-05-06 17:03 ` [EXT] " Thompson, David
2020-05-06 18:58 ` Efraim Flashner [this message]
2020-05-06 19:46 ` Jack Hill
2020-05-07 12:24 ` [EXT] " Thompson, David
2020-04-26 16:06 ` zimoun
2020-04-26 18:20 ` Christopher Baines
2020-05-03 20:07 ` Ludovic Courtès
2020-05-04 10:32 ` zimoun
2020-04-26 18:14 ` Christopher Baines
2020-05-03 20:11 ` Ludovic Courtès
2020-04-27 8:16 ` Andy Wingo
2020-04-27 13:06 ` Christopher Lemmer Webber
2020-04-30 21:27 ` Joshua Branson
2020-05-05 23:50 ` raingloom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200506185844.GD2359@E5400 \
--to=efraim@flashner.co.il \
--cc=dthompson2@worcester.edu \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.