The `mode = "0400"` approach seems to work indeed, thanks! And just as you advised, the secret is then world-readable in /nix/store/*-etc/... and in /etc/nixos/configuration.nix anyway. I see the same issue was discussed in the aforementioned #12015 (https://github.com/NixOS/nixpkgs/pull/12015#discussion-diff-48864628), but it was apparently stepped over and accepted for the time being. Personally, I'm inclined to add some comment / "SECURITY WARNING" to both the manual and the option description in my forthcoming PR. That said, I'm sure interested in how /etc/shadow works if it could possibly be helpful here.
As to other aspects, currently I'm reusing the "networking.wireless.networks" property from #12015 to build the simple WiFi config for network-manager. Is that a good way to go (+ modifying the comments in the config & manual to account for nm), or should I create a parallel option definition in e.g. "networking.networkmanager.wirelessNetworks" instead? Or should I go on and send the PR when ready and move that part of the discussion there?

Thanks,
/Mateusz.

On Thu, Jan 7, 2016 at 12:45 PM, Tomasz Czyż <[email protected]> wrote:
> So, how does the /etc/shadow file work? I did a quick look and it seems it's
> generated by some perl scripts (probably omitting the nix store), is that
> correct? Maybe the same way could be used here.
>
> 2016-01-06 15:03 GMT+00:00 Fabian Schmitthenner <[email protected]>:
>
>> I think you can use
>>
>>   environment.etc."NetworkManager/system-connections/some-file" = {
>>     text = "Text of file";
>>     mode = "0400";
>>   };
>>
>> This will copy the file into /etc with appropriate mode at activation
>> time. See also http://nixos.org/nixos/options.html and search for
>> environment.etc for further options.
>>
>> (Of course other users can still read the original file in the nix store,
>> so the contents would still be reachable for all users).
>>
>> Greetings
>>
>> Fabian
>>
>> On 01/06/2016 02:26 PM, Vladimír Čunát wrote:
>> > On 01/06/2016 12:52 AM, Mateusz Czaplinski wrote:
>> >> NetworkManager expects to have network definitions as chmod 400 files in
>> >> /etc/NetworkManager/system-connections/ IIRC.
>> >
>> > Files in nix store can't be chmod 400.
>> >
>> > --Vladimir
>
> --
> Tomasz Czyż
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
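The caveat raised above (the `mode = "0400"` copy in /etc is protected, but the source copy in the nix store stays world-readable) is easy to verify on a running system. The following shell script is an added example and is not code from this thread or from nixpkgs; it assumes GNU `stat` (Linux) and the `/nix/store/*-etc/etc/...` layout Mateusz mentions, and the connection file names it uses are constructed. It reports the "other" read bit on every copy of a given connection file and exits non-zero if any copy is world-readable.

```shell
#!/bin/sh
# Added example (not from the nix-dev thread): audit every copy of a
# NetworkManager connection file deployed via environment.etc for the
# "other" read permission. Assumes GNU coreutils `stat` (Linux).

# Print 1 if "other" users can read the given file, 0 if not.
# Uses the permission bits reported by stat rather than an access test,
# so the result is the same whoever runs the script.
world_readable() {
  mode=$(stat -c '%a' "$1") || return 2
  other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
  if [ $((other & 4)) -ne 0 ]; then echo 1; else echo 0; fi
}

# usage: check_secret_copies PATH...
# Paths that do not exist (e.g. an unmatched glob) are skipped. Prints one
# line per existing copy and returns 1 if any copy is world-readable.
check_secret_copies() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    wr=$(world_readable "$f") || continue
    printf '%s mode=%s world_readable=%s\n' "$f" "$(stat -c '%a' "$f")" "$wr"
    if [ "$wr" = 1 ]; then rc=1; fi
  done
  return $rc
}

# Typical NixOS call (hypothetical file name): the activated copy in /etc
# plus the copy inside every generation's *-etc store path, which is where
# the environment.etc contents end up before activation copies them.
nm_secret_copies() {
  check_secret_copies "/etc/NetworkManager/system-connections/$1" \
    /nix/store/*-etc/etc/NetworkManager/system-connections/"$1"
}

# Example invocation: nm_secret_copies some-file
```

Because `check_secret_copies` exits non-zero whenever any copy is readable by "other", it can run as a post-activation sanity check; on a system where the secret went through `environment.etc.<name>.text`, the store copy will be reported as world-readable even though the /etc copy is 0400, which is exactly the residual exposure the thread describes.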
