On Wed, May 6, 2020 at 3:46 PM Jack Hill <jackh...@jackhill.us> wrote:
>
> > Long story short: Guix need not worry about this.
>
> I think we may want to do some work in Guix to support this workflow
> conveniently. That work could include having a secrets management service,
> bootstrapping new hosts for access to the service, or writing system
> services that can be easily configured for different secret management at
> deploy time. It's fun to think about what we could do, but as Ludo’
> suggested elsewhere in the thread, we'll find out by trying to deploy more
> hosts with more complex configurations. I hope to be able to do so soon.
To that end, I think a good starting place would be to research the
available free secrets management applications (my knowledge is a few years
out of date), package it, and write a shepherd service for it. From there,
we could see what additional integration would be useful for clients (your
other servers being clients of the secrets management server.)

I don't know if this would actually work, but I can picture a world where
service configuration objects are aware of secret fields (some new Scheme
data type) and will arrange to lazily generate config files in a
just-in-time fashion on the server when shepherd starts the service. Sounds
like a real fun project, IMO!

Okay, so I take it back: Guix *should* worry about this, but in a very
specific way that is orders of magnitude better than every other
configuration management system out there, just like the rest of Guix. :)

- Dave