[Nix-dev] config file with a password
Yury G. Kudryashov
urkud.urkud at gmail.com
Sun Feb 26 08:34:04 CET 2012
Mathijs Kwik wrote:
> Hi all,
>
> Of course I don't want people to enter the password into their
> configuration.nix, but I would like to provide an option to provide a
> path to a separate file on a secure place, or they can use
> builtins.readFile.
Neither of those ways is secure. The password will appear in
/nix/store/...drv in plain text.
> Also, I would like to use the default upstream config as a basis (the
> package stores this at $out/share/gogoclient-1.2/default.conf), to
> ease future upstream changes. So no embedded config in the module
> which has to be maintained.
>
> I can probably use something like system.activationScripts to just
> copy the default to some place in /etc, chmod that, and substitute
> values in there, but it doesn't feel very elegant.
Though it seems to be the only secure way...
>
> Any suggestions?
Write all options but the password to a file in /nix/store (written by
derivation), then use activation script to substitute password in this file
and copy it to /etc.
--
Yury G. Kudryashov,
mailto: urkud at mccme.ru
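
The approach suggested in the reply above, as an added shell example of what such an activation script could run (not part of the original message and not NixOS code). The function name render_config, the @PASSWORD@ token and all paths are hypothetical.

```shell
# Added example: merge a world-readable template with a secret kept outside
# /nix/store. All names and paths are hypothetical.
render_config() {
    template=$1   # e.g. a store file containing the token @PASSWORD@
    secret=$2     # root-only file outside the store; first line is the password
    dest=$3       # final config, e.g. somewhere under /etc

    [ -r "$template" ] || { echo "template missing: $template" >&2; return 1; }
    [ -s "$secret" ]   || { echo "secret missing or empty: $secret" >&2; return 1; }

    # mktemp creates the file with mode 0600; placing it beside the
    # destination keeps the final mv on one filesystem, so it is atomic.
    tmp=$(mktemp "$dest.XXXXXX") || return 1

    # awk reads the secret itself, so the password never appears in argv or
    # the environment. index/substr replace literally: '&', '/' and '\' in
    # the password are not interpreted (unlike sed's s///).
    if awk -v pwfile="$secret" '
        BEGIN { if ((getline pw < pwfile) <= 0) exit 1; tok = "@PASSWORD@" }
        {
            out = ""
            while ((i = index($0, tok)) > 0) {
                out = out substr($0, 1, i - 1) pw
                $0 = substr($0, i + length(tok))
            }
            print out $0
        }' "$template" > "$tmp"
    then
        chmod 600 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Only the template is ever built by a derivation, so the .drv and store paths contain the placeholder token and never the password itself.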