[Nix-dev] store & passwords - once again
Marc Weber
marco-oweber at gmx.de
Mon Aug 13 23:24:20 CEST 2012
Excerpts from Vladimír Čunát's message of Mon Aug 13 21:29:59 +0200 2012:
> Isn't that essentially the private-file approach, only stored outside
> the nix store?
Exactly. An example would look like this:
let user = {
  # may go to store;
  domain = ...;    # used for apache configuration
  USER = ...;
  DATABASE = ...;
  # may not go to store, only use as input to writeHashed ..
  PASSWORD = ...;  # mysql password, should not go to store, take care (don't use except as input to writeHashed)
};
# file name will be set to /var/secret/hash
# can be used in mysql/apache upstart scripts to write configuration
# files which tell PHP apps about the database connection.
user_password_file_path_not_in_store = builtins.writeHashed {
  dir = "/var/secret/"; contents = user.PASSWORD;
  # the mysql can access the database anyway ..
  uid = uids.mysql;
  gid = uids.mysql;
  mode = "700";
};
Then you can write code initializing the database (creating the user etc.)
without having to write the password to the store.
Yes - you could create the files manually - but that would be more work, too.
Yes - there is no "gc" deleting the files again (disk is cheap, or clean up
and rerun nixos-rebuild).
I totally agree with it being impure. It's an 80% of the value for 20%
of the effort solution.
Marc Weber
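As an added example (not code from the post above and not part of Nix or NixOS), the following shell sketch shows the semantics the proposed writeHashed would need, plus the check a practitioner wants alongside it: the secret is written to a content-addressed file outside the store with restricted permissions, the store-bound configuration only carries the path of that file, and a final grep confirms the secret string never made it into the configuration. builtins.writeHashed is a proposal in the post, not an existing builtin; the function names, the key=value config format for a hypothetical PHP app, and the sample password are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nix/NixOS: a plain
# shell sketch of the semantics the post proposes for builtins.writeHashed
# (a proposal, not an existing Nix builtin). Function names, the config file
# format and the sample password are constructed for illustration.

# Portable SHA-256 of stdin (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# write_hashed DIR CONTENTS [MODE] [OWNER[:GROUP]]
# Writes CONTENTS to DIR/<sha256 of CONTENTS> and prints that path, so the
# store-bound configuration only ever needs the path, never the secret.
# Idempotent: the same contents map to the same file; changed contents get a
# new file, so a stale secret is never silently reused.
write_hashed() {
  dir=$1
  contents=$2
  mode=${3:-0400}
  owner=${4:-}

  hash=$(printf '%s' "$contents" | sha256_of)
  path="$dir/$hash"

  if [ -f "$path" ]; then
    printf '%s\n' "$path"
    return 0
  fi

  # umask 077 plus a 0700 directory: the file is never world-readable, not
  # even for the instant between creation and chmod. Write to a temporary
  # name and mv into place so a reader never sees a half-written secret.
  (
    umask 077
    mkdir -p "$dir" && chmod 0700 "$dir" || exit 1
    printf '%s' "$contents" > "$path.tmp" || exit 1
    chmod "$mode" "$path.tmp" || exit 1
    # Changing ownership needs root; skipped when no owner is requested.
    if [ -n "$owner" ]; then chown "$owner" "$path.tmp" || exit 1; fi
    mv "$path.tmp" "$path"
  ) || return 1
  printf '%s\n' "$path"
}

# render_db_config OUT USER DATABASE SECRET_PATH
# The part that may go to the store: user and database names plus the *path*
# of the password file (constructed key=value format for a hypothetical app).
render_db_config() {
  printf 'DB_USER=%s\nDB_NAME=%s\nDB_PASSWORD_FILE=%s\n' "$2" "$3" "$4" > "$1"
}

# config_leaks_secret FILE SECRET: exits 0 if the secret string appears in FILE.
# Run this over everything that ends up in the store before deploying.
config_leaks_secret() {
  grep -qF -- "$2" "$1"
}
```

One caveat worth keeping in mind with the /var/secret/hash naming: the file name is a hash of the secret itself, so anyone who can list the directory can test password guesses against the name offline. That is why the example forces the directory to 0700; an alternative is to derive the name from something other than the secret (the user or database name, say) and hash only for idempotence checks.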