Re: [EXT] Re: Medium-term road map

[Jack Hill <jackhill@jackhill.us>]

[-- Attachment #1: Type: text/plain, Size: 1816 bytes --]

Dave,

On Wed, 6 May 2020, Thompson, David wrote:

> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <jackhill@jackhill.us> wrote:
>>
>> * Continued development of guix deploy. Figuring out how to deploy secrets
>> to remote machines would be great.
>
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time.  For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts.  In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly the believe that the guix client that is
> doing the deployment should never access such secrets.

Good idea, thanks for sharing. That sounds like a reasonable path forward 
to me. However, …

> Long story short: Guix need not worry about this.

I think we may want to do some work in Guix to support this workflow 
conveniently. That work could include having a secrets management service, 
bootstrapping new hosts for access to the service, or writing system 
services that can be easily configured for different secret management at 
deploy time. It's fun to think about what we could do, but as Ludo’ 
suggested elsewhere in the thread, we'll find out by trying to deploy more 
hosts with more complex configurations. I hope to be able to do so soon.

Best,
Jack