Hi Guix,

tl;dr how do people manage secrets in Guix?

I'm slowly migrating from my old home server, that's running a foreign
distro and no Guix.  To a new server, that's running Guix System.  On my new
server I want to have better monitoring — my old one just sent out an
email if a systemd service failed.

Given that's Zabbix is packaged for Guix [0], I figured I'll start with
that.

That service require you to specify a password for the database.  Since
all my configuration is public, I don't want to simply store the
password in plain text in the configuration.  The manual suggest a
separate file and put the password there, I'm assuming keeping that file
outside of the Guix configuration and the store.  I do like having
everything handled in the configuration though, not have to rember
adding a specific file at a specific location in order for things to
work — that's pretty much my old home server.  I couldn't find any good
information about secret management in the manual, the cookbook or in
the mailing list.

So I'm curious, how do people manage secrets in Guix?

The things I can think of are:

- Having a private git repo with these files, then use GNU stow or
  equivalent to put them where they should be.

- Use pass [1] to handle the secrets.  But then it's the problem of if
  evaluating it at reconfigure time then the password will end up in the
  store, which is not super.  Or if evaluated at runtime, then it needs
  to authenticate somehow without me babysitting it and type in the
  password.

Thanks!

[0] https://guix.gnu.org/manual/devel/en/html_node/Monitoring-Services.html
[1] https://www.passwordstore.org/

-- 
s/Fred[re]+i[ck]+/Fredrik/g

Reply via email to