Hello,

nee <n...@cock.li> writes:

> On 05.10.2017 at 17:00, Ludovic Courtès wrote:
>> For this particular case, I would do nothing: the first time, the
>> service wouldn’t start (I guess). Users would have to explicitly set
>> the passwords on the command line, and then run “herd start gnu-social”.
>>
> The advantage of using a service is the easy setup with mysql and the
> gnu-social-cli-installer, otherwise people could just run nginx and
> clone gnu social to /srv/gnu-social/ and manually create the database
> like you would on Debian.
>
> I saw that NixOS has something called passwordFile.
> https://github.com/NixOS/nixpkgs/issues/24288
> I haven't found any details about it, but it seems like a text file from
> which passwords can be read during `system reconfigure`.
>
> As a start I could add a password-file field to the configuration of
> gnu-social and read an alist of passwords from it during initialization.
> That could later be extended by generating it with randomized passwords
> if it doesn't exist to maximize the ease of installation.
>
>>> - The password of the database-user ends up in the config.php which is
>>> generated by mixed-text-file. This file can be read by everyone. Can I
>>> somehow set the owner on it and remove the reading rights from other
>>> users?
>>
>> No, the store is world-readable. If there are secrets, they should be
>> stored elsewhere, but there’s currently no standard way to do that in
>> Guix.
>>
> Could a function in guix/gexp.scm be modified to generate a file outside
> of the store?

We could use Guile’s standard I/O primitives to create files wherever we
like:

  https://www.gnu.org/software/guile/manual/html_node/Input-and-Output.html

and/or simply refer to a non-store file; if that file exists,
everything’s fine, and if it does not, the service might fail to start
or print an error.

Ludo’.
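
An added illustration of the approach discussed in this thread, not code from any of the participants or from Guix: plain Guile that reads a password alist from a non-store file and writes the generated configuration outside the store with owner-only permissions. The paths, the `gnu-social` account name, the `database` alist key and the PHP line are hypothetical, and the code assumes it runs as root when the service is set up.

```scheme
;; Added example.  Every path, account name and alist key here is an assumption.
(define %password-file "/etc/gnu-social/passwords.scm") ;e.g. ((database . "..."))
(define %config-file "/var/lib/gnu-social/config.php")
(define %service-user "gnu-social")

(define (read-passwords file)
  "Return the alist stored in FILE.  A missing file makes 'stat' throw, so
the caller fails early; a file that group or others can access is refused."
  (let ((st (stat file)))
    (unless (zero? (logand (stat:perms st) #o077))
      (error "password file is accessible to group/others:" file))
    (call-with-input-file file read)))

(define (write-secret-file file contents owner)
  "Write CONTENTS to FILE, owned by OWNER, never readable by other users."
  (let ((pw (getpwnam owner))
        (tmp (string-append file ".tmp"))
        (old-umask (umask #o077)))      ;new files are created as 0600
    (dynamic-wind
      (const #t)
      (lambda ()
        (call-with-output-file tmp
          (lambda (port) (display contents port)))
        (chmod tmp #o600)               ;also covers a pre-existing TMP
        (chown tmp (passwd:uid pw) (passwd:gid pw))
        (rename-file tmp file))         ;atomic replacement of FILE
      (lambda () (umask old-umask)))))

(define (generate-config)
  (let* ((passwords (read-passwords %password-file))
         (password (or (assq-ref passwords 'database)
                       (error "no 'database' entry in" %password-file))))
    ;; Refuse characters that would break out of the single-quoted
    ;; PHP string written below.
    (when (string-any (char-set #\' #\\) password)
      (error "password contains a quote or backslash"))
    (write-secret-file
     %config-file
     ;; Constructed placeholder, not GNU social's real configuration syntax.
     (string-append "<?php\n$db_password = '" password "';\n")
     %service-user)))
```

Because the secret only ever lives in `/etc` and `/var/lib`, nothing containing it is copied into the world-readable store; the store would hold at most the code that calls `generate-config`.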