guix-devel

Re: Secrets in (generated) configs. How to deal with them?


From: Julien Lepiller
Subject: Re: Secrets in (generated) configs. How to deal with them?
Date: Mon, 08 Jun 2020 18:51:31 -0400
User-agent: K-9 Mail for Android

On 8 June 2020 18:43:02 GMT-04:00, raingloom <raingloom@riseup.net> wrote:
>Hi all!
>
>I'm trying to package Yggdrasil as a Guix service and I took a look at
>what NixOS does and they actually don't simply generate the config in
>the store, instead it's combined with another input of the service and
>the combined JSON is fed to Yggdrasil on stdin.
>
>Is this how I should do it as well? Or maybe the Guix store can make
>some outputs private?

The store is always world-readable; no output can be private. I think we have 
some examples of that. For instance, knot (the DNS server) can read some 
secrets from its configuration. We suggest that our users instead create a 
small file outside the store that contains the secrets, and use an include in 
the conf. This is only possible when the configuration language allows that, of 
course.

It would be nice to have a better and more generic way to handle secrets though.
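
One way to combine the advice above with the stdin approach described in the quoted question, as an added example that is not part of the original message or of Guix: a launcher step that merges a store-generated public JSON config with a secrets file kept outside the store. The function names, the `/gnu/store/` prefix check and the sample config keys are assumptions made for this illustration.

```python
import json
import os
import stat
import sys
import tempfile

STORE_PREFIX = "/gnu/store/"  # the Guix store is world-readable

def load_secrets(path):
    """Read a JSON secrets file, refusing store paths and loose modes."""
    real = os.path.realpath(path)  # resolve symlinks that point into the store
    if real.startswith(STORE_PREFIX):
        raise PermissionError(f"{real}: secrets must stay outside the store")
    with open(real, encoding="utf-8") as fh:
        # Check the descriptor we actually read from, not the path.
        if os.fstat(fh.fileno()).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{real}: accessible to group or others")
        return json.load(fh)

def merge_config(public, secrets):
    """Overlay secrets on the public config; a key in both is an error."""
    clash = sorted(set(public) & set(secrets))
    if clash:
        raise ValueError(f"keys set in both files: {clash}")
    return {**public, **secrets}

def render(public_path, secrets_path):
    """Return the merged JSON document to pipe to the daemon's stdin."""
    with open(public_path, encoding="utf-8") as fh:
        public = json.load(fh)
    return json.dumps(merge_config(public, load_secrets(secrets_path)))

def demo():
    """Constructed files and keys: 0644 secrets are refused, 0600 merged."""
    with tempfile.TemporaryDirectory() as d:
        pub, sec = (os.path.join(d, n) for n in ("public.json", "secrets.json"))
        for path, doc in ((pub, {"Listen": []}), (sec, {"PrivateKey": "x"})):
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        results = {}
        for mode in (0o644, 0o600):
            os.chmod(sec, mode)
            try:
                results[mode] = json.loads(render(pub, sec))
            except PermissionError:
                results[mode] = "refused"
        return results

if __name__ == "__main__":
    sys.stdout.write(render(sys.argv[1], sys.argv[2]))
```

The merged document goes to standard output only, so the service's start command can pipe it into the daemon and the secret values are never written to the store.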


