all messages for Guix-related lists mirrored at yhetil.org
From: Julien Lepiller <julien@lepiller.eu>
To: guix-devel@gnu.org,raingloom <raingloom@riseup.net>
Subject: Re: Secrets in (generated) configs. How to deal with them?
Date: Mon, 08 Jun 2020 18:51:31 -0400
Message-ID: <D2B91EA2-EC1A-4BCE-9A8A-9D81BE68726A@lepiller.eu>
In-Reply-To: <20200609004302.3757a950@riseup.net>

On 8 June 2020 18:43:02 GMT-04:00, raingloom <raingloom@riseup.net> wrote:
>Hi all!
>
>I'm trying to package Yggdrasil as a Guix service and I took a look at
>what NixOS does and they actually don't simply generate the config in
>the store, instead it's combined with another input of the service and
>the combined JSON is fed to Yggdrasil on stdin.
>
>Is this how I should do it as well? Or maybe the Guix store can make
>some outputs private?

The store is always world-readable; no output can be private. I think we have some examples of that. For instance, knot (the DNS server) can read some secrets from its configuration. We suggest that our users instead create a small file outside the store that contains the secrets, and use an include in the conf. This is only possible when the configuration language allows that, of course.

It would be nice to have a better and more generic way to handle secrets though.
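The pattern discussed above, as an added example that is not code from Guix, NixOS, knot or Yggdrasil: the generated configuration that lands in the store carries no secrets, the secret part lives in a root-only file outside the store, and a start script merges the two at service start and feeds the result to the daemon on stdin (the approach raingloom describes for NixOS). The example also shows the check a reviewer would want: a secrets file is rejected if it sits under the store prefix or is readable by group or others, and an audit function scans the store for a known secret value to catch the mistake of baking it into a store output. The store and /etc are stand-ins (temporary directories), and the config keys, paths and the key value are constructed for the example.

```python
"""Keep secrets out of a world-readable store: runtime merge plus an audit.

Added example, not code from Guix, NixOS, knot or Yggdrasil.  The store
is modelled by a temporary directory whose files are read-only and
world-readable, like anything under /gnu/store.  Paths, keys and values
are constructed for the example.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

STORE = Path(tempfile.mkdtemp(prefix="fake-store-"))  # stand-in for /gnu/store
ETC = Path(tempfile.mkdtemp(prefix="fake-etc-"))      # stand-in for /etc

# Constructed public part: safe to live in the store.
PUBLIC_CONFIG = {"Listen": ["tcp://[::]:9001"], "Peers": []}
# Constructed secret part: must never end up in a store path.
SECRET_CONFIG = {"PrivateKey": "deadbeef-constructed-not-a-real-key"}


def write_store_file(name, data):
    """Model a store output: a read-only, world-readable file."""
    path = STORE / name
    path.unlink(missing_ok=True)   # store files are read-only; replace, don't overwrite
    path.write_text(json.dumps(data))
    path.chmod(0o444)
    return path


def write_secret_file(path, data, mode=0o600):
    """Write the secret part outside the store, readable only by its owner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.chmod(path, mode)           # the O_CREAT mode is masked by umask; pin it
    return Path(path)


def secret_file_problems(path, store=STORE):
    """Return the reasons a secrets file is unsafe to use (empty list if fine)."""
    path = Path(path).resolve()
    problems = []
    if store.resolve() in path.parents:
        problems.append("inside the store, therefore world-readable")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"readable by group or others (mode {mode:04o})")
    return problems


def merged_config(public_path, secret_path):
    """Build the config a start script would pipe to the daemon's stdin."""
    problems = secret_file_problems(secret_path)
    if problems:
        raise PermissionError(f"{secret_path}: " + "; ".join(problems))
    conf = json.loads(Path(public_path).read_text())
    conf.update(json.loads(Path(secret_path).read_text()))
    return conf


def store_leaks(secret_value, store=STORE):
    """Audit: every store file whose contents contain the secret value."""
    return sorted(str(p) for p in store.rglob("*")
                  if p.is_file() and secret_value in p.read_text(errors="replace"))


def demo():
    """Right way, wrong way, and what the audit finds."""
    public = write_store_file("yggdrasil.conf", PUBLIC_CONFIG)
    secret = write_secret_file(ETC / "yggdrasil-secret.conf", SECRET_CONFIG)
    # The mistake the thread warns about: the secret baked into a store output.
    leaky = write_store_file("yggdrasil-with-key.conf",
                             {**PUBLIC_CONFIG, **SECRET_CONFIG})
    return {
        "merged": merged_config(public, secret),
        "secret_path": str(secret),
        "leaky_path": str(leaky),
        "leaks": store_leaks(SECRET_CONFIG["PrivateKey"]),
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("problems with the leaky file:",
          secret_file_problems(result["leaky_path"]))
```

For a config language with an include directive (knot's, as mentioned above), the same split applies with the merge done by the daemon rather than the start script: the store-side file contains only the include line, and `secret_file_problems` is the check to run on the included file before the service starts.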



Thread overview: 3+ messages
2020-06-08 22:43 Secrets in (generated) configs. How to deal with them? raingloom
2020-06-08 22:51 ` Julien Lepiller [this message]
2020-06-09 16:24 ` Ludovic Courtès
