Hi Julien, Thanks! It did seem slightly odd to me how `wireguard-service-type' set the private key in a bit of a roundabout way, by referring to an external file. I'll try and set the pre-shared keys the same way.
Cheers, Timo On Tue, Nov 29, 2022 at 08:34:21PM +0100, Julien Lepiller wrote: > Hi Timo, > > Files in the store are always world-readable and there's nothing you can do > to change that. There has been discussions in the past about how to handle > secrets in the store, but no solution so far. > > One thing you can do, if wireguard allows it, is to have the pre-shared key > in a separate file out of the store and simply point the config to that file > (instead of using a file-like object). This is how we handle other secrets so > far. > > Le 29 novembre 2022 20:24:13 GMT+01:00, Timo Wilken <[email protected]> a > écrit : > >Hi Guixers, > > > >I'm trying to patch the `wireguard-service-type' to accept pre-shared > >keys and add them to the generated config. This all seems to work > >fine, except that I can't get guix to generate a non-world-readable > >configuration file. > > > >I've tried adding a `(chmod port #o400)' call to the end of the lambda > >that generates the config file (gnu/services/vpn.scm lines 784-838), > >but that seems to have no effect -- the resulting file at > >/gnu/store/...-wireguard-config/wg0.conf is still > >world-readable. Adding `(chmod #$config-file #o400)' after the > >`call-with-output-file' call doesn't work either. > > > >What do I need to do to make guix install the generated config file > >with 0400 permissions? > > > >Cheers, > >Timo > >
