From mboxrd@z Thu Jan  1 00:00:00 1970
From: nee <nee@cock.li>
Subject: Re: WIP gnu social package
Date: Sun, 26 Nov 2017 21:18:47 +0100
Message-ID: <c9ea1f64-fc35-5c8e-dd41-8cd2b6fc327d@cock.li>
References: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li>
	<87h8vd4p38.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36434)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <nee@cock.li>)
	id 1eJ3O4-00078s-Vs
	for guix-devel@gnu.org; Sun, 26 Nov 2017 15:18:53 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <nee@cock.li>) id 1eJ3O0-0003NV-RC
	for guix-devel@gnu.org; Sun, 26 Nov 2017 15:18:48 -0500
In-Reply-To: <87h8vd4p38.fsf@gnu.org>
Content-Language: en-GB
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: =?UTF-8?Q?Ludovic_Court=c3=a8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

Hey, I haven't done anything on this lately, but the php-fpm service is
probably getting accepted soon, so I might start working on this again.

Am 05.10.2017 um 17:00 schrieb Ludovic Court=C3=A8s:
> For this particular case, I would do nothing: the first time, the
> service wouldn=E2=80=99t start (I guess).  Users would have to explicit=
ly set
> the passwords on the command line, and then run =E2=80=9Cherd start gnu=
-social=E2=80=9D.
>=20
The advantage of using a service is the easy setup with mysql and the
gnu-social-cli-installer, otherwise people could just run nginx and
clone gnu social to /srv/gnu-social/ and manually create the database
like you would on Debian.

I saw that NixOS has something called passwordFile.
https://github.com/NixOS/nixpkgs/issues/24288
I haven't found any details about it, but it seems like a text file from
which passwords can be read during `system reconfigure`.

As a start I could add a password-file field to the configuration of
gnu-social and read an alist of passwords from it during initialization.
That could later be extended by generating it with randomized passwords
if it doesn't exist to maximize the ease of installation.

>> - The password of the database-user ends up in the config.php which is
>>   generated by mixed-text-file. This file can be read by everyone. Can=
 I
>>   somehow set the owner on it and remove the reading rights from other
>>   users?
>=20
> No, the store is world-readable.  If there are secrets, they should be
> stored elsewhere, but there=E2=80=99s currently no standard way to do t=
hat in
> Guix.
>=20
Could a function in guix/gexp.scm be modified to generate a file outside
of the store?