Hi Rutherther,

Rutherther <[email protected]> writes:

> Yes, Guix for managing the system and home is typically used like this:
> You first build a file in the store, and then symlink that file to home.
>
> There are of course other alternatives, but not really natively
> supported ones in the guix channel.
>
> Basically you need to either keep the file out of the store, or encrypt
> the file and put that in the store. Then decrypt it when running.
>
> For the first alternative, it would mean you keep the file somewhere
> else, like in a location with your config in a separate file, and just
> copy this file to the proper location with a home activation service.
>
> The second one is similar to the first one: you keep the decryption key
> somewhere securely, put encrypted files in the store and then use a home
> activation service to decrypt the file, and you symlink the decrypted
> file to the proper location. For an implementation of this, see
> https://github.com/fishinthecalculator/sops-guix.
>
> There definitely are other possibilities.
>
> …
>
> No, there is no way to make a file in the store readable only by some users;
> the file is always owned by the user that runs the guix-daemon.

Do you know if there is a plan to modify how Guix System/Home work, to be
able to make the generated config files or other sensitive info only
readable by the user who needs it?

Because, if any configuration done with Guix System or Guix Home can be
read by any user, it's a major issue. That means I cannot use any of the
home or system services to enable and configure something. I have to use
an external tool and manually create Shepherd services.
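For readers who want to see what the first alternative Rutherther describes (keep the secret out of the store, copy it into place from a home activation service) looks like in practice, here is an added Guix Home configuration. It is an illustration written for this thread, not code from the original messages, from Guix, or from sops-guix. The source path `~/.config/private/app-token`, the destination `~/.config/app/token` and the service name `install-app-token` are assumptions chosen for the example; the important property is that the secret file itself is never passed to `local-file`, `plain-file` or `home-files-service-type`, so it never lands in the world-readable store.

```scheme
;; home.scm (added example, not from the thread or from Guix/sops-guix).
;; Paths and service name below are assumptions for the illustration.
(use-modules (gnu home)
             (gnu home services)
             (gnu services)
             (guix gexp))

;; The activation script is built from gexps; this one runs as the user on
;; every `guix home reconfigure` / generation switch and must be idempotent.
(define install-app-token-service
  (simple-service 'install-app-token home-activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let* ((home (getenv "HOME"))
                 ;; Assumed source: a file the user keeps outside the store.
                 (src  (string-append home "/.config/private/app-token"))
                 ;; Assumed destination the application reads from.
                 (dst  (string-append home "/.config/app/token")))
            (if (file-exists? src)
                (begin
                  ;; Parent directory owned by the user, not group/world readable.
                  (mkdir-p (dirname dst))
                  (chmod (dirname dst) #o700)
                  ;; Copy outside the store, then restrict to owner read/write.
                  (copy-file src dst)
                  (chmod dst #o600))
                ;; Do not fail activation; report so the user notices.
                (format (current-error-port)
                        "install-app-token: ~a not found, skipping~%" src)))))))

(home-environment
  (services (list install-app-token-service)))
```

The non-secret parts of the same application's configuration can still go through the usual store-and-symlink path; only the sensitive file takes the activation route. Because the destination is a regular file rather than a symlink into `/gnu/store`, the `chmod` to `#o600` actually restricts access, which it could not do for a store path owned by the daemon user. The trade-off, as the thread notes, is that this file is not managed by the store, so it is not rolled back with the rest of the generation and must be backed up separately.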
