Thanks. I guess then I need to know how to put a file in /etc/ssh without putting it in the store.
On Sat, Dec 4, 2021 at 11:13 PM Leo Famulari <l...@famulari.name> wrote: > > On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote: > > https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html > > This says to set #:recursive? #t and guix will preserve its > > permissions in the store. I have done this: > > > > (define guixrig_host_rsa_key > > (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t)) > > > > The file this expression puts in the store has permissions of 444, > > despite the original being 400. How do I prevent guix from changing > > permissions, or manually override them? > > In general, the store cannot be used to store secrets. By design, > everything in the store is made world-readable despite what permissions > are set, for example in a package definition. I'm not sure if that's > documented in the manual; I don't see it in the manual section The Store > [1]. > > I'm not sure exactly what code ensures that everything in the store is > readable, but it's probably somewhere in the daemon [0], which is what > writes to the store [1]. > > The question of how to handle secrets in Guix has been discussed many > times over the years and there are some solutions in various services; > maybe there is a canonical solution now. But basically the idea is to > store the secret outside of the store, like in /etc, as defined in a > service configuration in config.scm. > > Hopefully some other people can join the conversation with more specific > advice. > > [0] > https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0 > > [1] I'd guess that canonicaliseTimestampAndPermissions is always called: > https://guix.gnu.org/manual/en/html_node/The-Store.html