On Wed, May 06, 2020 at 01:03:39PM -0400, Thompson, David wrote:
> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill wrote:
> >
> > * Continued development of guix deploy. Figuring out how to deploy secrets
> >   to remote machines would be great.
>
> I used to think this was a problem that guix deploy had to deal with,
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time. For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts. In my experience, every application requires a slightly
> different strategy: maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly believe that the guix client that is
> doing the deployment should never access such secrets.
>
> Long story short: Guix need not worry about this.
>
> - Dave
>

For the SSH example, imagine a one-shot service that fetches a private and
public keypair¹, replaces the pair already inside /etc/ssh and then restarts
the openssh service.

¹ Using magic or ssh or from a thumbdrive, etc.

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
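The install step of the one-shot service sketched above, as an added shell example that is not code from this thread or from Guix: it validates a fetched host keypair, installs it atomically with restrictive permissions, and restarts sshd only after a successful install. FETCH_CMD, RESTART_CMD and the ed25519 file names are assumptions; the thread names no specific secrets backend.

```shell
#!/bin/sh
# Added example: the "fetch, replace /etc/ssh pair, restart sshd" step.
# FETCH_CMD is an assumed command that prints one half of the secret to
# stdout when given "private" or "public" (a secrets-manager CLI, ssh, a
# thumbdrive path, ...). RESTART_CMD defaults to herd, shepherd's client.
set -eu

# True when the file carries an OpenSSH private-key header and footer.
looks_like_private_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$' &&
        tail -n 1 "$1" | grep -q '^-----END OPENSSH PRIVATE KEY-----$'
}

# install_host_key DIR PRIV_SRC PUB_SRC [NAME]
# Validates both halves, then installs them under DIR as 0600/0644.
# Temp files are written in DIR and renamed over the old pair, so sshd
# never sees a half-written key; on any failure the old pair is untouched.
install_host_key() {
    dir=$1; priv_src=$2; pub_src=$3; name=${4:-ssh_host_ed25519_key}
    looks_like_private_key "$priv_src" || { echo "rejected private key" >&2; return 1; }
    grep -q '^ssh-ed25519 ' "$pub_src" || { echo "rejected public key" >&2; return 1; }
    (umask 077; cp "$priv_src" "$dir/.$name.tmp"; cp "$pub_src" "$dir/.$name.pub.tmp")
    chmod 0600 "$dir/.$name.tmp"
    chmod 0644 "$dir/.$name.pub.tmp"
    mv "$dir/.$name.tmp" "$dir/$name"
    mv "$dir/.$name.pub.tmp" "$dir/$name.pub"
}

# fetch_and_install DIR: fetch both halves into a scratch directory, install
# them, wipe the scratch copies, and restart sshd only if the install succeeded.
fetch_and_install() {
    dir=$1
    tmp=$(mktemp -d)
    ${FETCH_CMD:?set FETCH_CMD to your secret-fetching command} private >"$tmp/key"
    ${FETCH_CMD} public >"$tmp/key.pub"
    if install_host_key "$dir" "$tmp/key" "$tmp/key.pub"; then
        rm -rf "$tmp"
        ${RESTART_CMD:-herd restart ssh-daemon}
    else
        rm -rf "$tmp"
        return 1
    fi
}

# Usage: FETCH_CMD=<your-fetch-command> sh this-script.sh /etc/ssh
if [ "$#" -eq 1 ]; then
    fetch_and_install "$1"
fi
```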