Hi Roman,

Roman Scherer <roman.sche...@burningswell.com> wrote:

> - I'm looking forward to the status checks Romain is working on. Seeing
>   what's going on with CI directly on Codeberg would be super nice!

It’s coming: <https://issues.guix.gnu.org/76474>. :-)

> - I'm using a Nginx module [1] to do JWT authentication with Nginx
>   [2]. It seems to work, but I had to disable the auth_jwt_validate_exp
>   option. For some reason the module was complaining that the token I
>   generated has expired. I checked my token online, and it looked ok.
>
> - This is how I generate the JWKS and JWT: [3]
>
> - There is also another JWT module for Nginx [4], but I haven't tried it
>   yet. Not sure which is better yet.
>
> - I copied the JWKS manually on my server. I was wondering how I could
>   automate this. I was looking into sops-guix, but then I read somewhere
>   that mixing secrets with config can have issues with rollbacks. Do you
>   have a recommended way how to deal with secrets?

Nice, and more sophisticated than what we have at guix.bordeaux.inria.fr.

For secrets, the key is to make sure to handle them out-of-band. For example, we have an /etc/nginx-htpasswd file that contains credentials for basic authentication as used for /admin/event/forgejo:

  https://gitlab.inria.fr/guix-hpc/sysadmin/-/blob/master/nginx-config/nginx-locations.conf?ref_type=heads

I hope that answers your questions!

Ludo’.