Re: [EXT] Re: Medium-term road map
From: Thompson, David
Subject: Re: [EXT] Re: Medium-term road map
Date: Wed, 6 May 2020 13:03:39 -0400
On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <address@hidden> wrote:
>
> * Continued development of guix deploy. Figuring out how to deploy secrets
> to remote machines would be great.
I used to think this was a problem that guix deploy had to deal with
but after many years doing devops full-time I no longer think this is
a concern. Industry best practice is to use a secrets management
service to fetch secrets at application boot time. For example, you
could write a shepherd service that downloads and installs an SSH host
key from AWS Secrets Manager (or a self-hosted free tool or another
cloud provider's service, you get the idea) before the SSH service
starts. In my experience, every application requires a slightly
different strategy: Maybe you need to put a key into a specific file,
maybe you need to set environment variables, maybe you need to
templatize the config file, etc. There's no single general solution to
the problem, but I strongly believe that the guix client that is
doing the deployment should never access such secrets.
Long story short: Guix need not worry about this.
- Dave
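The boot-time step Dave sketches above (pull the SSH host key from a secrets manager and have it in place before the SSH service starts), as an added example that is not part of the email, of Guix, or of shepherd. It assumes the secret is stored as the raw PEM text of the private key, and it adds a hypothetical FETCH_CMD override so the default AWS CLI call can be swapped for another provider's client or for an offline test stub:

```shell
#!/bin/sh
# Added example, not from the email or from Guix/shepherd: install an SSH
# host key fetched from a secrets manager at boot, before sshd starts.
# Assumptions (not in the original): the secret is the raw PEM text of the
# private key; FETCH_CMD is a hypothetical override for the fetch command.
set -eu

# Print the secret value to stdout. The default is the AWS CLI call for
# AWS Secrets Manager; any command that prints the key text works.
fetch_secret() {
    if [ -n "${FETCH_CMD:-}" ]; then
        $FETCH_CMD "$1"
    else
        aws secretsmanager get-secret-value --secret-id "$1" \
            --query SecretString --output text
    fi
}

# Structural sanity check before anything is installed: a PEM-style private
# key with matching BEGIN/END lines and something in between. On a real host
# follow this with `ssh-keygen -y -f FILE` to prove the key actually parses.
validate_private_key() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    case $first in
        "-----BEGIN "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    case $last in
        "-----END "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    [ "$(wc -l < "$1" | tr -d ' ')" -ge 3 ]
}

# install_host_key SECRET_ID DEST
# Fetches the key into a 0600 temp file next to DEST, validates it, then
# renames it into place, so sshd never sees a partial or readable-by-others
# key. Returns 0 on success (or when DEST already holds this exact key) and
# 1 otherwise. The secret is never echoed or logged.
install_host_key() {
    secret_id=$1
    dest=$2
    umask 077
    tmp=$(mktemp "$(dirname "$dest")/.hostkey.XXXXXX") || return 1
    if ! fetch_secret "$secret_id" > "$tmp"; then
        rm -f "$tmp"
        echo "install_host_key: fetching $secret_id failed" >&2
        return 1
    fi
    if ! validate_private_key "$tmp"; then
        rm -f "$tmp"
        echo "install_host_key: secret $secret_id is not a private key" >&2
        return 1
    fi
    chmod 0600 "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"   # already installed: keep the existing file and mtime
        return 0
    fi
    mv -f "$tmp" "$dest"
}

# Typical use from a boot-time unit ordered before sshd, e.g. a shepherd
# one-shot service that the ssh daemon's service requires:
#   install_host_key prod/ssh/host-ed25519 /etc/ssh/ssh_host_ed25519_key
```

The two properties worth keeping whatever provider or config format you end up with: the file is created with restrictive permissions before any secret bytes land in it and is renamed into place atomically, and the deploying client never touches the secret because the machine itself fetches it using its own (instance, IAM or machine-identity) credentials at boot. A failed or malformed fetch leaves no file behind, so a service ordered after this one fails loudly instead of starting with a wrong or empty host key.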