Hi Tobias,

On Tue, Nov 29, 2022 at 08:34:44PM +0100, Tobias Geerinckx-Rice wrote:
> Hi Timo,
>
> Timo Wilken wrote:
> > I'm trying to patch the `wireguard-service-type' to accept pre-shared
> > keys and add them to the generated config. This all seems to work
> > fine, except that I can't get guix to generate a non-world-readable
> > configuration file.
>
> Alas (for your plans), this is not possible. Guix's store model, inherited
> from Nix, is a world-readable heap.
>
> Dealing with secrets outside of the store is one area where Nix is ‘ahead’
> of Guix, in that they seem to have multiple solutions[0]. Very Nix.
>
> Guix users currently use strategies similar to the second half of that
> table: the secret is placed outside of the store, not managed through Guix,
> and the Guix service/package is pointed to it at run time. Every search
> result for ‘secrets’ in the Guix manual is part of such a primitive scheme.

Fair enough. Thanks for the pointers!

Cheers,
Timo
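
The run-time scheme described in the quoted reply, applied to a WireGuard pre-shared key, as an added example that is not part of the original thread and is not Guix's own code: the generated config carries only the path of the key file, and `wg set ... preshared-key <file>` reads it when the interface comes up. The function names, temporary paths and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Guix code. Key material and paths below are constructed.

# True when $1 is a regular file outside the store with no group/other access.
secret_file_ok() {
    case "$1" in /gnu/store/*) return 1 ;; esac   # store items are world-readable
    [ -f "$1" ] || return 1
    # find prints the path only if some group/other permission bit is set
    loose=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ]
}

# Print a wg-quick config that carries only the *path* of the pre-shared key.
# args: peer-public-key allowed-ips psk-file
render_conf() {
    cat <<EOF
[Interface]
PostUp = wg set %i peer $1 preshared-key $3

[Peer]
PublicKey = $1
AllowedIPs = $2
EOF
}

# True when a config on stdin embeds key material inline, which would
# expose it to every local user once the file lands in the store.
conf_embeds_secret() {
    grep -Eq '^[[:space:]]*(PresharedKey|PrivateKey)[[:space:]]*='
}

# Demo with constructed values.
demo() {
    dir=$(mktemp -d) || return 1
    psk="$dir/peer.psk"
    (umask 077; printf '%s\n' 'CONSTRUCTED-NOT-A-REAL-KEY' > "$psk")
    secret_file_ok "$psk" && echo "psk file permissions: ok"
    render_conf 'CONSTRUCTED-PEER-PUBLIC-KEY=' '10.0.0.2/32' "$psk"
    rm -rf "$dir"
}
demo
```

`conf_embeds_secret` can be run over any generated config before it is added to the store; `secret_file_ok` belongs in whatever step provisions the key file on the target machine.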
