From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: WIP gnu social package
Date: Thu, 05 Oct 2017 17:00:11 +0200
Message-ID: <87h8vd4p38.fsf@gnu.org>
References: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49108)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1e07dL-0003Wo-Ix
	for guix-devel@gnu.org; Thu, 05 Oct 2017 11:00:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1e07dF-0005vO-Nx
	for guix-devel@gnu.org; Thu, 05 Oct 2017 11:00:19 -0400
In-Reply-To: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li> (nee@cock.li's
	message of "Mon, 25 Sep 2017 23:14:13 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: nee <nee@cock.li>
Cc: guix-devel@gnu.org

Hello,

nee <nee@cock.li> skribis:

> I made a package that builds the translations and installs gnu social
> into the store.

[...]

> Here is an example config: http://paste.lisp.org/display/356859

Really cool that we can set up a complex service like this with just a
few lines!

> Here are a bunch of issues I have with guixSD in general:
>
> - Setting up the database requires the sql root password, the new
>   social_db_user password, and a password for the first admin user to
>   create in gnu social.
>   Having plaintext passwords in /etc/config.scm sounds pretty bad.
>   I'm not sure what the solution here is.
>   - Could we add a password store to guix? It could automatically
>     generate passwords and pass them to services.
>   - Should I generate a script that must be run manually and asks for
>     password input through stdin?
>   - Something else?

For this particular case, I would do nothing: the first time, the
service wouldn=E2=80=99t start (I guess).  Users would have to explicitly s=
et
the passwords on the command line, and then run =E2=80=9Cherd start gnu-soc=
ial=E2=80=9D.

> - The password of the database-user ends up in the config.php which is
>   generated by mixed-text-file. This file can be read by everyone. Can I
>   somehow set the owner on it and remove the reading rights from other
>   users?

No, the store is world-readable.  If there are secrets, they should be
stored elsewhere, but there=E2=80=99s currently no standard way to do that =
in
Guix.

Thanks for sharing, and sorry for the late reply!

Ludo=E2=80=99.