Hi Guix, tl;dr how do people manage secrets in Guix?
I'm slowly migrating from my old home server, that's running a foreign distro and no Guix. To a new server, that's running Guix System. On my new server I want to have better monitoring — my old one just sent out an email if a systemd service failed. Given that's Zabbix is packaged for Guix [0], I figured I'll start with that. That service require you to specify a password for the database. Since all my configuration is public, I don't want to simply store the password in plain text in the configuration. The manual suggest a separate file and put the password there, I'm assuming keeping that file outside of the Guix configuration and the store. I do like having everything handled in the configuration though, not have to rember adding a specific file at a specific location in order for things to work — that's pretty much my old home server. I couldn't find any good information about secret management in the manual, the cookbook or in the mailing list. So I'm curious, how do people manage secrets in Guix? The things I can think of are: - Having a private git repo with these files, then use GNU stow or equivalent to put them where they should be. - Use pass [1] to handle the secrets. But then it's the problem of if evaluating it at reconfigure time then the password will end up in the store, which is not super. Or if evaluated at runtime, then it needs to authenticate somehow without me babysitting it and type in the password. Thanks! [0] https://guix.gnu.org/manual/devel/en/html_node/Monitoring-Services.html [1] https://www.passwordstore.org/ -- s/Fred[re]+i[ck]+/Fredrik/g
