[Nix-dev] store & passwords - once again

Marc Weber marco-oweber at gmx.de
Thu Jul 26 07:35:30 CEST 2012


Right now you should not put passwords into the store, because it's
world-readable by default. The common workaround is to store files at /root
and put the path into the /store instead, right?

What about creating a new primop which allows writing arbitrary files?

Then you could do this:

  services.foo = {
    passwordFile = builtins.__writeArbitraryFile "/root/password-for-xy" "top-secret-password"; # should return the path
  };

This way it could be ensured that the files have the correct format -
and no passwords would be written to the store, right?

Does this make any sense?

It would be useful for creating mysql databases and the like.

Marc Weber
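
Added example, not part of the original message and not code from the Nix project: the workaround mentioned above (keep the secret under /root and let only its path reach the store), written as a NixOS module for the post's placeholder service services.foo. The package pkgs.foo and the FOO_PASSWORD variable are hypothetical names used for illustration.

```nix
# Added example: keep the password outside the world-readable store and
# reference it by path only. services.foo, pkgs.foo and FOO_PASSWORD are
# hypothetical names.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.foo;
in
{
  options.services.foo = {
    enable = lib.mkEnableOption "the hypothetical foo service";

    passwordFile = lib.mkOption {
      # A string, not a path: a path literal such as ./password would be
      # copied into the store as soon as it is interpolated into a string.
      type = lib.types.str;
      example = "/root/password-for-xy";
      description = "Absolute path to a root-only file outside the store that holds the password.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Refuse configurations where the secret already lives in the store.
    assertions = [{
      assertion = !(lib.hasPrefix builtins.storeDir cfg.passwordFile);
      message = "services.foo.passwordFile must not point into the Nix store.";
    }];

    systemd.services.foo = {
      wantedBy = [ "multi-user.target" ];
      # Only the path is written into the generated start script (which is
      # itself in the store); the content is read when the service starts.
      script = ''
        password="$(cat ${lib.escapeShellArg cfg.passwordFile})"
        export FOO_PASSWORD="$password"
        exec ${pkgs.foo}/bin/foo
      '';
    };
  };
}
```

The file itself has to be created out of band, for example as root with mode 0600, before the service starts.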

