Hi Sébastien,
Sébastien Gendre <s...@k-7.ch> writes:

> Hello,
>
> I tried to use Guix Home to configure my home environment. It works very
> well, but I have a problem with the generated SSH client config.
>
> It is stored in /gnu/store, in its own derivation and linked into my
> home dir. As planned. But its access rights are read for every user on my
> system.
>
> That means any other user of my server could know to which servers I have
> access. Same with the authorized-keys file.

Yes, Guix for managing the system and home is typically used like this:
you first build a file in the store, and then symlink that file to home.
There are of course other alternatives, but not really natively supported
ones in the guix channel.

Basically you need to either keep the file out of the store, or encrypt
the file and put that in the store, then decrypt it when running.

For the first alternative, it would mean you keep the file somewhere else,
like in a location with your config, in a separate file, and just copy
this file to the proper location with a home activation service.

The second one is similar to the first one: you keep the decryption key
somewhere securely, put encrypted files in the store and then use a home
activation service to decrypt the file, and you symlink the decrypted file
to the proper location. For an implementation of this, see
https://github.com/fishinthecalculator/sops-guix.

There definitely are other possibilities.

> I configured the SSH client with the home-openssh-service-type, like
> described in this manual page:
> https://guix.gnu.org/manual/devel/en/html_node/Secure-Shell.html
>
> Is there a way to make this file only readable by my user?

No, there is no way to make a file in the store readable only by some
users; the file is always owned by the user that runs the guix-daemon.

Regards
Rutherther

> Is it the same with config files generated by Guix System?
>
> Have a nice day.
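An added example of the first alternative described in the reply above (a home activation service that copies a privately kept SSH client config into place); this is illustration code written for this thread, not code from the original messages, from Guix, or from sops-guix. The source path ~/.config/private/ssh_config and the service name private-ssh-config are assumptions chosen for the example. The point is that the file never goes through /gnu/store, so the store's world-readable permissions never apply to it, and the copy is created with a restrictive umask so it is not readable by other users even for a moment.

```scheme
;; Added example (not from the thread or from Guix): keep the SSH
;; client config out of /gnu/store.  Instead of home-openssh-service-type,
;; whose output lives in the world-readable store, an activation gexp
;; copies a private, user-owned file into ~/.ssh during
;; "guix home reconfigure".
(use-modules (gnu home)
             (gnu home services)
             (gnu services)
             (guix gexp))

;; Assumed location of the private config, relative to $HOME.
;; It is read at activation time only and is never added to the store.
(define %private-ssh-config ".config/private/ssh_config")

(define private-ssh-config-service
  (simple-service 'private-ssh-config
                  home-activation-service-type
                  #~(let* ((home (getenv "HOME"))
                           (src  (string-append home "/" #$%private-ssh-config))
                           (dir  (string-append home "/.ssh"))
                           (dst  (string-append dir "/config")))
                      ;; Deny group/other access to anything created below,
                      ;; so the copied file is never world-readable, not
                      ;; even between copy-file and chmod.
                      (umask #o077)
                      (unless (file-exists? dir)
                        (mkdir dir #o700))
                      (chmod dir #o700)
                      (if (file-exists? src)
                          (begin
                            ;; Remove whatever is at dst first: an earlier
                            ;; generation may have left a symlink into the
                            ;; store there, and writing through it would fail.
                            ;; false-if-exception also covers a dangling link.
                            (false-if-exception (delete-file dst))
                            (copy-file src dst)
                            (chmod dst #o600)
                            (format #t "installed ~a (mode 0600)~%" dst))
                          (format (current-error-port)
                                  "warning: ~a not found, ~a left untouched~%"
                                  src dst)))))

(home-environment
 (services (list private-ssh-config-service)))
```

Apply it with `guix home reconfigure home.scm`; afterwards `ls -l ~/.ssh/config` should show a regular file with mode `-rw-------` owned by you, rather than a symlink into /gnu/store. The same pattern (copy at activation, restrictive umask, explicit chmod) applies to the authorized_keys file mentioned in the question. Note that routing the file through any store-backed service instead would bring back the original problem, since, as the reply says, store files cannot be made readable by only some users.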