Hello Sébastien

Sébastien Gendre <s...@k-7.ch> writes:

> Hi Rutherther,
>
> Rutherther <ruthert...@ditigal.xyz> writes:
>
>> Yes, Guix for managing the system and home is typically used like this:
>> You first build a file in the store, and then symlink that file to home.
>>
>> There are of course other alternatives, but not really natively
>> supported ones in the guix channel.
>>
>> Basically you need to either keep the file out of the store, or encrypt
>> the file and put that to store. Then decrypt it when running.
>>
>> For the first alternative, it would mean you keep the file somewhere
>> else, like in a location with your config in a separate file, and just
>> copy this file to the proper location with a home activation service.
>>
>> The second one is similar to the first one: you keep the decryption key
>> somewhere securely, put encrypted files in the store and then use a home
>> activation service to decrypt the file, and you symlink the decrypted
>> file to the proper location. For an implementation of this, see
>> https://github.com/fishinthecalculator/sops-guix.
>>
>> There definitely are other possibilities.
>>
>> …
>>
>> No, there is no way to make a file in the store readable only by some users;
>> the file is always owned by the user that runs the guix-daemon.
>
> Do you know if there is a plan to modify how Guix System/Home work, to be
> able to make the generated config files or other sensitive info only
> readable by the user who needs them?

This is not about how Guix System or Home work; it's 1. how Guix works,
2. how the services are done, not something that would be an inherent
disadvantage of Guix System/Home. You are perfectly capable of making
such services as a user.

>
> Because, if any configuration done with Guix System or Guix Home can be
> read by any user, it's a major issue. That means I cannot use any of
> the home or system services to enable and configure something. I have to
> use an external tool and manually create Shepherd services.

This is not true. Guix is completely capable of doing such things; you
just have to declare it as such. Meaning you need to think of a way to
store the secrets securely, and code the services that will do that.
People have already done this for Nix, and someone has tried to do
something similar for Guix:
https://github.com/fishinthecalculator/sops-guix

I would be surprised if the Guix channel didn't accept changes to services
that would make something like that easier, like being able to use files
in the service configurations rather than using config snippets in Guix.

Rutherther
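The first alternative Rutherther describes (keep the secret outside the store and have a home activation service put it in place) looks roughly like the following. This is an added illustration, not code from the thread or from sops-guix; the two paths, the service name and the assumption that the target's parent directory is only one level deep are all made up for the example. The point it makes concrete is that nothing sensitive ever enters `/gnu/store`: the store only holds the activation gexp, and the file is created with owner-only permissions from the start, so there is no window in which it is group- or world-readable.

```scheme
;; Added example for a Guix Home configuration: install a secret that lives
;; OUTSIDE the store with 0600 permissions during home activation.
;; Paths and the service name are assumptions for illustration.
(use-modules (gnu home)
             (gnu home services)
             (gnu services)
             (guix gexp))

;; Both paths are relative to $HOME. The source is a plain file the user
;; keeps out of the store (assumed path); the target is where the
;; application expects to read it (assumed path).
(define %secret-source ".secrets/mail-password")
(define %secret-target ".config/mail/password")

(define install-secret-service
  (simple-service 'install-secret
                  home-activation-service-type
                  #~(let* ((home (getenv "HOME"))
                           (src  (string-append home "/" #$%secret-source))
                           (dst  (string-append home "/" #$%secret-target))
                           (dir  (dirname dst)))
                      ;; Restrictive umask first: the directory and the copy
                      ;; come into existence as 0700/0600, never readable by
                      ;; other users even momentarily.
                      (umask #o077)
                      ;; Assumes a single missing directory level at most.
                      (unless (file-exists? dir)
                        (mkdir dir))
                      (if (file-exists? src)
                          (begin
                            (copy-file src dst)
                            ;; Belt and braces: pin the mode explicitly.
                            (chmod dst #o600))
                          ;; Do not fail activation; just report the gap.
                          (format (current-error-port)
                                  "install-secret: ~a is missing, skipping~%"
                                  src)))))

(home-environment
 (services (list install-secret-service)))
```

Reconfiguring with `guix home reconfigure` on this file re-runs the activation gexp each generation, so the secret is re-copied if it changed, and the store path for the generation contains only the code above, not the password. Replacing `copy-file` with a decryption step against a key kept at a similar out-of-store path gives the second alternative from the thread.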
