Date: Wed, 6 May 2020 15:46:17 -0400 (EDT)
From: Jack Hill
To: "Thompson, David"
Cc: guix-devel
Subject: Re: [EXT] Re: Medium-term road map
List-Id: "Development of GNU Guix and the GNU System distribution."

Dave,

On Wed, 6 May 2020, Thompson, David wrote:

> On Sat, Apr 25, 2020 at 5:38 PM Jack Hill wrote:
>>
>> * Continued development of guix deploy. Figuring out how to deploy secrets
>> to remote machines would be great.
>
> I used to think this was a problem that guix deploy had to deal with
> but after many years doing devops full-time I no longer think this is
> a concern. Industry best practice is to use a secrets management
> service to fetch secrets at application boot time. For example, you
> could write a shepherd service that downloads and installs an SSH host
> key from AWS Secrets Manager (or a self-hosted free tool or another
> cloud provider's service, you get the idea) before the SSH service
> starts. In my experience, every application requires a slightly
> different strategy: Maybe you need to put a key into a specific file,
> maybe you need to set environment variables, maybe you need to
> templatize the config file, etc. There's no single general solution to
> the problem, but I strongly believe that the guix client that is
> doing the deployment should never access such secrets.

Good idea, thanks for sharing. That sounds like a reasonable path forward to me. However, …

> Long story short: Guix need not worry about this.

I think we may want to do some work in Guix to support this workflow conveniently. That work could include having a secrets management service, bootstrapping new hosts for access to the service, or writing system services that can be easily configured for different secret management at deploy time.

It's fun to think about what we could do, but as Ludo’ suggested elsewhere in the thread, we'll find out by trying to deploy more hosts with more complex configurations. I hope to be able to do so soon.

Best,
Jack
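The "fetch the secret at boot, install it, then start the service" pattern David describes above, as an added example that is not code from this thread, from Guix, or from the Shepherd. It is a POSIX shell script of the kind a shepherd start action could invoke before sshd starts. The secrets backend is abstracted as a command that prints the secret on stdout: `fetch_secret` and the `SECRET_SOURCE_DIR` directory it reads from are hypothetical stand-ins for a real AWS Secrets Manager, Vault or similar CLI call, and the destination path under /etc/ssh is an assumption. The points the prose does not spell out are the ones the script enforces: the secret travels through a pipe rather than argv or the environment (both readable by other local users via /proc), the file is written with its final mode before it receives any bytes and is renamed into place atomically, and an empty or malformed secret never replaces the existing key.

```shell
#!/bin/sh
# Added example (not from the guix-devel thread, Guix or the Shepherd):
# install a secret fetched at boot time, for use before the SSH daemon starts.
set -u

# fetch_secret NAME
# Hypothetical backend: prints the secret called NAME on stdout. A real
# deployment would call the secrets manager's CLI here; this stand-in reads
# NAME from SECRET_SOURCE_DIR (default /run/secrets, an assumption).
fetch_secret() {
    cat -- "${SECRET_SOURCE_DIR:-/run/secrets}/$1"
}

# install_secret_file DEST MODE
# Reads the secret from stdin and installs it at DEST with mode MODE.
# The temp file gets its final mode before any data is written, and the
# rename in the same directory is atomic, so no reader ever sees a
# world-readable or half-written key. Empty input returns 2 and leaves
# DEST untouched, so a failed fetch cannot wipe an existing key.
install_secret_file() {
    dest=$1
    mode=$2
    dir=$(dirname -- "$dest")
    tmp=$(mktemp "$dir/.secret.XXXXXX") || return 1
    chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dest"
}

# install_ssh_host_key NAME DEST
# Fetches secret NAME and installs it as the private host key DEST (0600).
# Rejects anything that does not look like a PEM-framed private key, so a
# wrong or rotated-away secret fails loudly before sshd is started.
# Returns 3 and removes the file on a malformed key.
install_ssh_host_key() {
    name=$1
    keypath=$2
    fetch_secret "$name" | install_secret_file "$keypath" 0600 || return 1
    head -n 1 -- "$keypath" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || {
        rm -f -- "$keypath"
        return 3
    }
}

# Usage from a boot-time service (assumed paths, run as root):
#   install_ssh_host_key ssh-host-ed25519 /etc/ssh/ssh_host_ed25519_key \
#       && exec sshd -D
```

The deploying client never sees the key: only the host, at boot, talks to the backend. Real backends also need the host to authenticate to the service (instance identity, a bootstrap token or a TPM-bound credential), which is the bootstrapping work Jack mentions and is outside this script.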