Re: How do I install a file with custom permissions?
From: Tobias Geerinckx-Rice
Subject: Re: How do I install a file with custom permissions?
Date: Tue, 29 Nov 2022 20:34:44 +0100

Hi Timo,

Timo Wilken wrote:
> I'm trying to patch the `wireguard-service-type' to accept pre-shared
> keys and add them to the generated config. This all seems to work
> fine, except that I can't get guix to generate a non-world-readable
> configuration file.

Alas (for your plans), this is not possible. Guix's store model,
inherited from Nix, is a world-readable heap.

Dealing with secrets outside of the store is one area where Nix is
‘ahead’ of Guix, in that they seem to have multiple solutions[0].
Very Nix.

Guix users currently use strategies similar to the second half of
that table: the secret is placed outside of the store, not managed
through Guix, and the Guix service/package is pointed to it at run
time. Every search result for ‘secrets’ in the Guix manual is
part of such a primitive scheme.

This is how Wireguard is set up on berlin, the Guix build farm.
/etc/wireguard/private.key was generated manually and Guix never
deals with it.

If you want to add secrets to Guix services, you'll have to design
a general mechanism for doing so first. I don't have links handy
but I'm sure there's prior discussion, perhaps even art, on the
mailing lists.

Sorry,

T G-R

[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
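
An added example, not part of the message above and not Guix tooling: a shell sketch of the scheme the reply describes, where the secret is created by hand outside the store and then checked before a service is pointed at it. The function names `create_secret` and `audit_secret` and the `STORE_DIR` override are hypothetical; GNU coreutils (`stat -c`, `realpath`) and the default store location `/gnu/store` are assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Guix.
# Assumes GNU coreutils (stat -c, realpath) and a store at /gnu/store.

STORE_DIR="${STORE_DIR:-/gnu/store}"

# create_secret PATH: write secret material from stdin to PATH so the
# file is never group- or world-readable, not even briefly.
create_secret() {
    (
        umask 077    # new files are created with mode 0600
        set -C       # noclobber: refuse to overwrite an existing key
        cat > "$1"
    )
}

# audit_secret PATH: return 0 silently if PATH is an acceptable place
# for a secret; otherwise print each finding and return 1.
audit_secret() {
    path=$1
    rc=0
    if [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file"
        return 1
    fi
    # Resolve symlinks first: a path under /etc can be a symlink into
    # the store, and everything in the store is world-readable.
    real=$(realpath -- "$path")
    case "$real/" in
        "$STORE_DIR"/*)
            echo "$path: resolves into $STORE_DIR (world-readable)"
            rc=1 ;;
    esac
    mode=$(stat -c '%a' -- "$real")
    # Any group/other permission bit means the secret is exposed.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$path: mode $mode grants group/other access"
        rc=1
    fi
    return $rc
}

# Typical use, with the path named in the message:
#   audit_secret /etc/wireguard/private.key
```
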