- My "guix secrets" tool provides a command-line interface to maintain a "secrets database" (/etc/guix/secrets.db) that's only accessible to root. It can contain simple passwords, arbitrary text (like for instance X509 certificates in PEM format) and binary data.
- …
- Finally, "secrets-service-type" depends on all of the above to do its work.
It takes a template file - which is typically interned in the store - containing special "tokens" that tell it which keys to look up from the secrets database.
This sounds great and like a major step towards "guixops" [1], [2].
[1] https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00435.html
[2] https://lists.gnu.org/archive/html/guix-devel/2017-09/msg00196.html
--
Regards
Hartmut Goebel

| Hartmut Goebel | h.goebel@crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |