help-guix
Re: How do I install a file with custom permissions?


From: Tobias Geerinckx-Rice
Subject: Re: How do I install a file with custom permissions?
Date: Tue, 29 Nov 2022 20:34:44 +0100

Hi Timo,

Timo Wilken wrote:
> I'm trying to patch the `wireguard-service-type' to accept pre-shared keys and add them to the generated config. This all seems to work fine, except that I can't get guix to generate a non-world-readable configuration file.

Alas (for your plans), this is not possible. Guix's store model, inherited from Nix, is a world-readable heap.

Dealing with secrets outside of the store is one area where Nix is ‘ahead’ of Guix, in that they seem to have multiple solutions[0]. Very Nix.

Guix users currently use strategies similar to the second half of that table: the secret is placed outside of the store, not managed through Guix, and the Guix service/package is pointed to it at run time. Every search result for ‘secrets’ in the Guix manual is part of such a primitive scheme.

This is how Wireguard is set up on berlin, the Guix build farm. /etc/wireguard/private.key was generated manually and Guix never deals with it.

If you want to add secrets to Guix services, you'll have to design a general mechanism for doing so first. I don't have links handy but I'm sure there's prior discussion, perhaps even art, on the mailing lists.

Sorry,

T G-R

[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
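
The out-of-store scheme described in the message above can be checked before a service is pointed at a key file. The following is an added example, not part of the original message or of Guix: the function names `install_secret` and `check_secret` are hypothetical, `/gnu/store` is assumed as the store location, and GNU `readlink` and `stat` are assumed.

```shell
#!/bin/sh
# Added example (not from the original message): keep a service secret
# outside the world-readable store and verify that before use.
# Function names are hypothetical; /gnu/store is the assumed store path.
STORE_DIR="${STORE_DIR:-/gnu/store}"

# install_secret PATH: write stdin to PATH so that only the owner can read
# it, e.g.  wg genkey | install_secret /etc/wireguard/private.key
install_secret() {
    ( umask 077 && cat > "$1" ) && chmod 600 -- "$1"
}

# check_secret PATH: print a verdict; return 0 only for the verdict "ok".
check_secret() {
    path=$1
    # Resolve symlinks first: a file under /etc can be a symlink into the
    # store, so the literal path alone proves nothing.
    real=$(readlink -f -- "$path") || { echo "unresolvable"; return 1; }
    store=$(readlink -f -- "$STORE_DIR" 2>/dev/null) || store=$STORE_DIR
    [ -f "$real" ] || { echo "missing"; return 1; }
    case "$real" in
        "$store"/*) echo "in-store"; return 1 ;;
    esac
    mode=$(stat -c '%a' -- "$real") || { echo "unreadable"; return 1; }
    # Reject any group or other permission bits (octal mask 077).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "too-permissive"; return 1
    fi
    echo "ok"
}
```
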
