Re: Secrets in (generated) configs. How to deal with them?

2020-06-09 Thread Ludovic Courtès
Hi,

raingloom wrote:

> I'm trying to package Yggdrasil as a Guix service and I took a look at
> what NixOS does and they actually don't simply generate the config in
> the store, instead it's combined with another input of the service and
> the combined JSON is fed to Yggdrasil on stdin.
>
> Is this how I should do it as well? Or maybe the Guix store can make
> some outputs private?

This is one of the things we discussed at the Guix Days:

  
https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/doc/guix-days-2020/guix-secrets.org

One of the ideas we came up with that could fly is to have a
‘secret-service-type’ (ah ha!), which you could extend with key/value
pairs.  At run time, secrets could be fetched from the local file
system or by querying a daemon.

Food for thought!

Ludo’.



Re: Secrets in (generated) configs. How to deal with them?

2020-06-08 Thread Julien Lepiller
On 8 June 2020 18:43:02 GMT-04:00, raingloom wrote:
>Hi all!
>
>I'm trying to package Yggdrasil as a Guix service and I took a look at
>what NixOS does and they actually don't simply generate the config in
>the store, instead it's combined with another input of the service and
>the combined JSON is fed to Yggdrasil on stdin.
>
>Is this how I should do it as well? Or maybe the Guix store can make
>some outputs private?

The store is always world-readable, no output can be private. I think we have 
some examples of that. For instance, knot (the DNS server) can read some 
secrets from its configuration. We suggest that our users instead create a 
small file outside the store that contains the secrets, and use an include in 
the conf. This is only possible when the configuration language allows that, of 
course.

It would be nice to have a better and more generic way to handle secrets though.



Secrets in (generated) configs. How to deal with them?

2020-06-08 Thread raingloom
Hi all!

I'm trying to package Yggdrasil as a Guix service and I took a look at
what NixOS does and they actually don't simply generate the config in
the store, instead it's combined with another input of the service and
the combined JSON is fed to Yggdrasil on stdin.

Is this how I should do it as well? Or maybe the Guix store can make
some outputs private?
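Added illustration, not code from this thread, from Guix, or from Yggdrasil: the script below plays the role of the program a service would exec at start-up to implement what both replies describe. The generated, world-readable part of the config stays in the store; the key lives in a separate file outside the store; the two are merged in memory and the result is written to the daemon's stdin, so no world-readable file ever holds the key. It also adds the two checks a practitioner wants: the secret file is refused if it is group/world-readable (every store path is 0444, so a secret that was accidentally generated into the store fails this check too), and the store-side file is refused if a secret field has leaked into it. The Yggdrasil field names, the file paths, and the echoing stand-in used in place of the real daemon are assumptions made for the demo.

```python
import json
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample of the part of a Yggdrasil config that may live in the
# world-readable store: listen addresses, peers, node info, no key material.
PUBLIC_CONFIG = {
    "Listen": ["tcp://0.0.0.0:9001"],
    "Peers": [],
    "NodeInfo": {"name": "example-node"},
}

# Constructed sample of the fields that stay outside the store.  The value is a
# placeholder, not a real key; the field name is an assumption (Yggdrasil's
# config field names differ between versions).
SECRET_CONFIG = {"PrivateKey": "PLACEHOLDER_PRIVATE_KEY_HEX"}

# Field names that must never appear in the store-side file (assumed names).
SECRET_FIELDS = frozenset({"PrivateKey", "SigningPrivateKey", "EncryptionPrivateKey"})

# Stand-in for the daemon: echoes stdin so the demo can inspect what it got.
# A real service would exec the yggdrasil binary here instead.
ECHO_DAEMON = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def check_private_file(path):
    """Refuse a secret file that is a symlink, not a regular file, or readable
    by group/other.  Store paths (mode 0444) fail this check by design."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {oct(mode)} is group/world-readable")


def load_public_config(path):
    """Load the generated (store-side) config; fail closed if a secret leaked in."""
    with open(path) as f:
        config = json.load(f)
    leaked = SECRET_FIELDS & set(config)
    if leaked:
        raise ValueError(f"{path}: secret fields in world-readable config: {sorted(leaked)}")
    return config


def load_secret_config(path):
    check_private_file(path)
    with open(path) as f:
        return json.load(f)


def merge_config(public, secret):
    """Secret fields override public ones; the result is never written to disk."""
    merged = dict(public)
    merged.update(secret)
    return merged


def build_config(public_path, secret_path):
    return merge_config(load_public_config(public_path), load_secret_config(secret_path))


def feed_to_daemon(config, argv):
    """Hand the combined config to the daemon on stdin (the NixOS approach)."""
    proc = subprocess.run(argv, input=json.dumps(config).encode(),
                          stdout=subprocess.PIPE, check=True)
    return proc.stdout.decode()


def run_demo():
    """Lay out constructed files in a temp dir and exercise the happy path
    plus both failure modes.  Returns what the stand-in daemon received and
    whether each bad input was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        public_path = os.path.join(tmp, "yggdrasil.conf")  # stands in for /gnu/store/...-yggdrasil.conf
        secret_path = os.path.join(tmp, "secret.json")     # stands in for a file under /etc, outside the store
        loose_path = os.path.join(tmp, "loose.json")       # same secret, wrong permissions
        leaky_path = os.path.join(tmp, "leaky.conf")       # store-side config with the key pasted in
        for path, data, mode in (
            (public_path, PUBLIC_CONFIG, 0o644),
            (secret_path, SECRET_CONFIG, 0o600),
            (loose_path, SECRET_CONFIG, 0o644),
            (leaky_path, merge_config(PUBLIC_CONFIG, SECRET_CONFIG), 0o644),
        ):
            with open(path, "w") as f:
                json.dump(data, f)
            os.chmod(path, mode)

        received = json.loads(feed_to_daemon(build_config(public_path, secret_path), ECHO_DAEMON))
        try:
            build_config(public_path, loose_path)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
        try:
            build_config(leaky_path, secret_path)
            leak_rejected = False
        except ValueError:
            leak_rejected = True
        return {"received": received, "loose_rejected": loose_rejected, "leak_rejected": leak_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script shows the daemon receiving the merged document with the key while both the 0644 secret file and the store-side file containing a key are refused before anything is started. In a Guix service the same steps would sit in the gexp that the shepherd service runs, with the store path substituted for the public config and the out-of-store path taken from the service configuration; the ownership and mode of the secret file remain the operator's responsibility, since nothing in the store can hold it.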