Re: [EXT] Re: Medium-term road map

From: Thompson, David
Subject: Re: [EXT] Re: Medium-term road map
Date: Wed, 6 May 2020 13:03:39 -0400

On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <address@hidden> wrote:
> * Continued development of guix deploy. Figuring out how to deploy secrets
> to remote machines would be great.

I used to think this was a problem that guix deploy had to deal with
but after many years doing devops full-time I no longer think this is
a concern. Industry best practice is to use a secrets management
service to fetch secrets at application boot time.  For example, you
could write a shepherd service that downloads and installs an SSH host
key from AWS Secrets Manager (or a self-hosted free tool or another
cloud provider's service, you get the idea) before the SSH service
starts.  In my experience, every application requires a slightly
different strategy: Maybe you need to put a key into a specific file,
maybe you need to set environment variables, maybe you need to
templatize the config file, etc. There's no single general solution to
the problem, but I strongly believe that the guix client that is
doing the deployment should never access such secrets.

Long story short: Guix need not worry about this.

- Dave
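A worked example of the fetch-and-install step Dave describes, added here as an illustration; it is not code from the original message or from the Guix project. It is a POSIX shell script that a shepherd service's start action could run before sshd is allowed to start: it pulls the key from a secrets service, refuses anything that is not a private key, and installs it atomically with mode 0600 without ever placing the secret in a log line or a command-line argument. The secret name, the file paths and the default `aws secretsmanager get-secret-value` command are assumptions; any other fetcher can be substituted through `SECRET_FETCH_CMD`.

```shell
#!/bin/sh
# fetch-host-key.sh: fetch an SSH host key from a secrets manager and install
# it before sshd starts. Hypothetical example; secret id, paths and the
# default fetch command are assumptions, not project defaults.
set -eu

# Command that prints the secret to stdout. The default uses the AWS CLI;
# override SECRET_FETCH_CMD to use a self-hosted tool, another cloud
# provider's service, or a local stub for testing.
SECRET_ID="${SECRET_ID:-prod/ssh/host-key-ed25519}"
SECRET_FETCH_CMD="${SECRET_FETCH_CMD:-aws secretsmanager get-secret-value --secret-id $SECRET_ID --query SecretString --output text}"
HOST_KEY_PATH="${HOST_KEY_PATH:-/etc/ssh/ssh_host_ed25519_key}"

# Reject anything that does not look like a PEM/OpenSSH private key, so a
# wrong secret name or an error message printed by the fetch command never
# ends up installed as the host key.
looks_like_private_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----$'
}

# Install the key at $1 atomically: the key is written to a temp file created
# under umask 077 (so it is 0600 from the first byte) and then renamed into
# place, so sshd can never observe a partial or world-readable file.
# Returns 0 on success or when the installed key is already current, 1 on
# fetch or validation failure (leaving no temp file behind).
install_host_key() {
    dest="$1"
    umask 077   # script-wide on purpose: everything this service writes is secret
    tmp=$(mktemp "$(dirname "$dest")/.host-key.XXXXXX")
    # The secret flows directly from the fetch command into the 0600 temp
    # file; it is never echoed, logged or passed as an argument.
    if ! sh -c "$SECRET_FETCH_CMD" > "$tmp" || ! looks_like_private_key "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install $dest: fetched data is not a private key" >&2
        return 1
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"    # already installed and unchanged: idempotent restart
        return 0
    fi
    mv -f "$tmp" "$dest"
    echo "installed host key at $dest" >&2
}

# Only act when invoked as `fetch-host-key.sh install`; otherwise just define
# the functions so the shepherd start action (or a test) can call them.
if [ "${1:-}" = "install" ]; then
    install_host_key "$HOST_KEY_PATH"
fi
```

The ordering guarantee comes from shepherd, not from this script: the service that runs it must be listed in the OpenSSH shepherd service's requirements so that sshd is not started until the key is in place, and the script is idempotent so that a restart of either service is harmless. The deploying Guix client never sees the key material; only the target machine's credentials for the secrets service are involved.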