It is convenient to define passwords in /etc/nixos/configuration.nix. However, why shouldn't we put passwords there? Because they most probably can be found in some .drv or /nix/store/* files, which are world readable, correct?

This applies to the extraUsers as well:

    usersFile = pkgs.writeText "users" (concatStrings (map serializedUser users));

How to remedy this problem? I'd fix this by adding a new primop writeFileToPath destination text. Then, instead of pkgs.writeText, you could use

    writeFileToPath /root/extraUsers.txt "[ .. file contents .. ]"

Then you have to take care that /etc/nixos/configuration.nix isn't world readable. The nix process run by nixos-rebuild is run by root, correct? So nobody can access its memory. It might be the case that nix writes the file multiple times, which wouldn't matter.

Actually, I don't care that much about extraUsers. I care about creating database accounts automatically. This can be done similarly to extraUsers. However, not every user who can log in is allowed to access all databases.

So what do you think about builtins.writeFileToPath "file-path-no-store-location" "contents"?

Is there another way to keep passwords top secret *and* specify them in one configuration file (/etc/nixos/configuration.nix) which can be implemented even faster than this primop?

Marc Weber

_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev

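The leak the post describes can be checked for directly: scan a store directory for files whose permission bits grant read access to "other" and that contain a given secret. The script below is an added example, not code from the post or from Nix; the store directory, file names and the password value are constructed for the demonstration, and the .drv contents are a rough imitation of the real format, not a genuine derivation.

```shell
#!/bin/sh
# find_leaked_secret <dir> <secret>: print every world-readable regular file under
# <dir> that contains <secret>. Run against /nix/store after a nixos-rebuild to see
# whether a password from configuration.nix ended up in a .drv or build output.
find_leaked_secret() {
    store_dir=$1
    secret=$2
    # -perm -o=r: mode grants read to "other" (any local user can read it).
    # grep -lF: print only file names, match the secret literally.
    find "$store_dir" -type f -perm -o=r -exec grep -lF -- "$secret" {} + 2>/dev/null | sort
}

# Constructed throw-away "store" so the check runs offline (paths/hashes made up).
demo_store=$(mktemp -d)
mkdir -p "$demo_store/store"

# Imitation of a .drv produced by pkgs.writeText: the users file contents are
# embedded in the derivation itself, so the secret is visible even before a build.
printf 'Derive([("out","/nix/store/aaaa-users","","")],[],[],"x86_64-linux","/bin/sh",[],[("contents","alice:s3cretpass")])\n' \
    > "$demo_store/store/aaaa-users.drv"
# The built output, also world-readable.
printf 'alice:s3cretpass\n' > "$demo_store/store/aaaa-users"
# The same contents written outside the store with owner-only permissions, as the
# proposed writeFileToPath /root/extraUsers.txt would do: not readable by others.
printf 'alice:s3cretpass\n' > "$demo_store/root-extraUsers.txt"

chmod 0644 "$demo_store/store/aaaa-users.drv" "$demo_store/store/aaaa-users"
chmod 0600 "$demo_store/root-extraUsers.txt"

leaked=$(find_leaked_secret "$demo_store" "s3cretpass")
printf 'World-readable files containing the secret:\n%s\n' "$leaked"
```

On a real system the scan is `find_leaked_secret /nix/store 'the-password'`; the owner-only file is deliberately not reported, which is the property the proposed primop relies on.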