On Sat, Apr 25, 2020 at 5:38 PM Jack Hill <address@hidden> wrote:
> * Continued development of guix deploy. Figuring out how to deploy secrets
> to remote machines would be great.
I used to think this was a problem that guix deploy had to deal with
but after many years doing devops full-time I no longer think this is
a concern. Industry best practice is to use a secrets management
service to fetch secrets at application boot time. For example, you
could write a shepherd service that downloads and installs an SSH host
key from AWS Secrets Manager (or a self-hosted free tool or another
cloud provider's service, you get the idea) before the SSH service
starts. In my experience, every application requires a slightly
different strategy: Maybe you need to put a key into a specific file,
maybe you need to set environment variables, maybe you need to
templatize the config file, etc. There's no single general solution to
the problem, but I strongly believe that the guix client that is
doing the deployment should never access such secrets.
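As a concrete sketch of the "shepherd service that fetches the host key before sshd starts" idea, here is an added example (not code from this thread or from Guix itself). It defines a one-shot shepherd service that pulls the private key text from AWS Secrets Manager with the machine's own credentials, installs it with a restrictive umask and an atomic rename, and derives the public half with ssh-keygen -y, which doubles as a check that the fetched blob is really a private key. The module name, the ssh-host-key-configuration record, the secret name in the usage note, and the assumption that awscli lives in (gnu packages python-web) are all mine, not Guix's.

```scheme
;; Added example, not Guix project code.  Assumes: the AWS CLI package is
;; `awscli' from (gnu packages python-web), the machine has an instance
;; role allowed to read the secret, and the secret's SecretString is the
;; raw private key text (PEM or OpenSSH format).
(define-module (my-services ssh-host-key)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages python-web)   ; awscli (assumed location)
  #:use-module (gnu packages ssh)          ; openssh, for ssh-keygen
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:export (ssh-host-key-configuration
            ssh-host-key-service-type))

;; Hypothetical configuration: which secret to fetch and where to put it.
(define-record-type* <ssh-host-key-configuration>
  ssh-host-key-configuration make-ssh-host-key-configuration
  ssh-host-key-configuration?
  (secret-id ssh-host-key-configuration-secret-id)
  (key-file  ssh-host-key-configuration-key-file
             (default "/etc/ssh/ssh_host_ed25519_key")))

(define (ssh-host-key-shepherd-service config)
  (let ((secret-id (ssh-host-key-configuration-secret-id config))
        (key-file  (ssh-host-key-configuration-key-file config))
        (aws       (file-append awscli "/bin/aws"))
        (keygen    (file-append openssh "/bin/ssh-keygen")))
    (list
     (shepherd-service
      (provision '(ssh-host-key))
      (requirement '(networking))        ; the fetch needs the network up
      (one-shot? #t)                     ; runs once at boot, then counts as done
      (documentation
       "Fetch the SSH host key from the secrets manager and install it.")
      (modules `((ice-9 popen) (ice-9 textual-ports) ,@%default-modules))
      (start
       #~(lambda _
           (let* ((key-file #$key-file)
                  (tmp      (string-append key-file ".tmp"))
                  (pub      (string-append key-file ".pub"))
                  ;; The machine asks for the key itself; the client that ran
                  ;; `guix deploy' is never in possession of it.
                  (port   (open-pipe* OPEN_READ #$aws "secretsmanager"
                                      "get-secret-value"
                                      "--secret-id" #$secret-id
                                      "--query" "SecretString"
                                      "--output" "text"))
                  (key    (get-string-all port))
                  (status (close-pipe port)))
             (cond
              ((not (eqv? 0 (status:exit-val status)))
               (format (current-error-port)
                       "ssh-host-key: fetching ~a failed (status ~a)~%"
                       #$secret-id (status:exit-val status))
               #f)                       ; service fails loudly, no key installed
              (else
               ;; Never expose the key, even briefly: restrictive umask, write
               ;; to a temp file in the same directory, fix mode, rename.
               (umask #o077)
               (call-with-output-file tmp
                 (lambda (p) (put-string p key)))
               (chmod tmp #o600)
               (rename-file tmp key-file)
               ;; `ssh-keygen -y' prints the public key for a private key file;
               ;; a non-zero exit means the fetched blob was not a usable key.
               (let* ((p  (open-pipe* OPEN_READ #$keygen "-y" "-f" key-file))
                      (pk (get-string-all p))
                      (st (close-pipe p)))
                 (cond
                  ((eqv? 0 (status:exit-val st))
                   (call-with-output-file pub
                     (lambda (o) (put-string o pk)))
                   (chmod pub #o644)
                   #t)
                  (else
                   (delete-file key-file) ; do not leave an unusable file behind
                   (format (current-error-port)
                           "ssh-host-key: ~a is not a valid private key~%"
                           key-file)
                   #f))))))))))))

(define ssh-host-key-service-type
  (service-type
   (name 'ssh-host-key)
   (extensions
    (list (service-extension shepherd-root-service-type
                             ssh-host-key-shepherd-service)))
   (description
    "Install an SSH host key fetched from a secrets manager at boot.")))

;; Usage in an operating-system declaration (secret name is made up):
;;   (service ssh-host-key-service-type
;;            (ssh-host-key-configuration
;;             (secret-id "prod/web1/ssh_host_ed25519_key")))
```

Ordering relative to sshd is still the operator's job: the sshd shepherd service has to list ssh-host-key among its requirements, which the stock openssh-service-type does not do on its own, so this example assumes a suitably adjusted sshd service. Swapping the aws invocation for a self-hosted tool's CLI changes only the open-pipe* line; the umask, atomic rename and ssh-keygen validation stay the same.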