My personal space on the web. Mostly about FOSS and technological autonomy.
This project implements secure, atomic, trustless secret provisioning with Guix. It works by putting encrypted secrets in the store and by adding a one-shot Shepherd service that decrypts them at startup into a ramfs/tmpfs filesystem. This means that clear-text secrets never hit the disk and that you can (and actually are encouraged to) check in your SOPS secrets in the same version control system you use to track your Guix configurations.
This project aims at providing a community-managed library of Guix services. Code from this channel implements a Guix-native experience for services that are not yet guixable, through OCI-backed Shepherd services. In general it implements the ability to declare a set of OCI volumes, networks and containers and have them provisioned by Guix. This functionality is supposed to replace docker compose: it integrates with the Shepherd (Guix System's PID 1), providing a consistent interface to manage OCI containers and allowing users to take advantage of Guix-specific features such as atomic upgrades and rollbacks. This means that, contrary to docker compose, users can always go back to a previous working state in case of problems due to a bad update.
The oci-service-type's API is agnostic to the underlying OCI runtime: currently Docker and rootless Podman are supported.