all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Efraim Flashner <efraim@flashner.co.il>
To: "Thompson, David" <dthompson2@worcester.edu>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: [EXT] Re: Medium-term road map
Date: Wed, 6 May 2020 21:58:44 +0300	[thread overview]
Message-ID: <20200506185844.GD2359@E5400> (raw)
In-Reply-To: <CAJ=RwfYnPvRSCbPRh8YJ07=QQW-B5zqWV2ZTVG9oUHB5YKamhQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1699 bytes --]

On Wed, May 06, 2020 at 01:03:39PM -0400, Thompson, David wrote:
> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <jackhill@jackhill.us> wrote:
> >
> > * Continued development of guix deploy. Figuring out how to deploy secrets
> > to remote machines would be great.
> 
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time.  For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts.  In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly the believe that the guix client that is
> doing the deployment should never access such secrets.
> 
> Long story short: Guix need not worry about this.
> 
> - Dave
> 

For the SSH example, imagine a one-shot service that fetches a private
and public keypair¹, replaces the pair already inside /etc/ssh and then
restarts the openssh service.

¹ Using magic or ssh or from a thumbdrive, etc

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2020-05-06 18:59 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-25 13:37 Medium-term road map Ludovic Courtès
2020-04-25 16:23 ` Pierre Neidhardt
2020-05-03 20:13   ` Ludovic Courtès
2020-04-25 21:38 ` Jack Hill
2020-04-26  1:22   ` Josh Marshall
2020-05-03 20:18   ` Ludovic Courtès
2020-05-06 17:03   ` [EXT] " Thompson, David
2020-05-06 18:58     ` Efraim Flashner [this message]
2020-05-06 19:46     ` Jack Hill
2020-05-07 12:24       ` [EXT] " Thompson, David
2020-04-26 16:06 ` zimoun
2020-04-26 18:20   ` Christopher Baines
2020-05-03 20:07     ` Ludovic Courtès
2020-05-04 10:32       ` zimoun
2020-04-26 18:14 ` Christopher Baines
2020-05-03 20:11   ` Ludovic Courtès
2020-04-27  8:16 ` Andy Wingo
2020-04-27 13:06   ` Christopher Lemmer Webber
2020-04-30 21:27   ` Joshua Branson
2020-05-05 23:50 ` raingloom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200506185844.GD2359@E5400 \
    --to=efraim@flashner.co.il \
    --cc=dthompson2@worcester.edu \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.