Hi Timo,

Timo Wilken wrote:
> I'm trying to patch the `wireguard-service-type' to accept pre-shared keys and add them to the generated config. This all seems to work fine, except that I can't get guix to generate a non-world-readable configuration file.
Alas (for your plans), this is not possible. Guix's store model, inherited from Nix, is a world-readable heap.
Dealing with secrets outside of the store is one area where Nix is ‘ahead’ of Guix, in that they seem to have multiple solutions[0]. Very Nix.
Guix users currently use strategies similar to the second half of that table: the secret is placed outside of the store, not managed through Guix, and the Guix service/package is pointed to it at run time. Every search result for ‘secrets’ in the Guix manual is part of such a primitive scheme.
This is how Wireguard is set up on berlin, the Guix build farm. /etc/wireguard/private.key was generated manually and Guix never deals with it.
If you want to add secrets to Guix services, you'll have to design a general mechanism for doing so first. I don't have links handy but I'm sure there's prior discussion, perhaps even art, on the mailing lists.
Sorry,
T G-R

[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
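As an added illustration of the strategy described above (the secret lives outside the store and the service is only handed its path), here is a Guix service declaration in that style. It is example code written for this note, not from the thread, from Guix, or from berlin's configuration; the addresses, endpoint and peer key are constructed placeholders, and the comment on how the path reaches the generated config reflects my reading of the service and should be checked against the `(gnu services vpn)` version you run.

```scheme
;; Example (not from the original thread): a wireguard-service-type
;; instance that keeps the private key OUT of /gnu/store.
(use-modules (gnu)
             (gnu services vpn))

(define wg-service
  (service wireguard-service-type
           (wireguard-configuration
             (interface "wg0")
             (addresses '("10.0.0.2/32"))         ; constructed sample
             (port 51820)
             ;; Only a *path* is recorded here.  The file itself was
             ;; created by hand outside Guix, e.g.
             ;;   umask 077; wg genkey > /etc/wireguard/private.key
             ;; so it can stay root-owned and mode 0600.  The service
             ;; passes this path into the generated config (as a
             ;; `wg set %i private-key <path>' PostUp hook), never the
             ;; key bytes, so the world-readable store file holds no
             ;; secret.  Putting the key TEXT in any record field would
             ;; serialise it into /gnu/store/...-wg0.conf.
             (private-key "/etc/wireguard/private.key")
             (peers
               (list
                 (wireguard-peer
                   (name "hub")
                   ;; Public material is fine in the store.
                   (public-key "<PEER-PUBLIC-KEY-PLACEHOLDER>")
                   (endpoint "vpn.example.org:51820")   ; constructed
                   (allowed-ips '("10.0.0.1/32"))
                   (keep-alive 25)))))))

;; Add `wg-service' to the `services' field of your operating-system,
;; e.g. (services (cons wg-service %base-services)).
```

A pre-shared key would need the same treatment (a run-time path, not a literal in the record) to avoid ending up in the store, which is the general mechanism the reply says has yet to be designed.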
