Hello Ludovic,

I applied all your suggestions and updated the documentation.  The patch
is attached below.  I run a ddclient service from this patch currently.

ludo@gnu.org (Ludovic Courtès) writes:

[…]

>> Also, the generated ‘ddclient.conf’ which contains secrets is stored in
>> the store.  I probably should change the ‘ddclient-activation’ procedure
>>
>>   (copy-file #$(plain-file "ddclient.conf" config-str) file)
>>
>> to a procedure which writes ‘config-str’ to the file without storing it
>> somewhere else.  WDYT?
>
> The problem would be the same: the activation script would contain
> ‘config-str’, and it would live in the store.
>
> In short we must not manipulate secrets in anything that goes through
> the store.  The only thing I can suggest is to leave it up to the
> user to create a file containing the secret in an out-of-band fashion;
> /etc is a good place for such things.
>
> For example, they could create /etc/ddclient-secrets and then we would
> somehow arrange to get that file read.
>
> To do that there are two possibilities that come to mind:
>
>   1. If the config file syntax has an “include” directive, just include
>      /etc/ddclient-secrets unconditionally in the generated config file.
>
>   2. Write an activation snippet that concatenates the generated config
>      file with /etc/ddclient-secrets and stores that as
>      /etc/ddclient.conf (or something like that.)
>
> Thoughts?

Could we use the ‘/etc/ddclient’ directory for the secrets file, because
the ddclient program uses this directory by default?

--8<---------------cut here---------------start------------->8---
The following example will configure the service.  By default, the
@code{secret-file} in @code{ddclient-configuration} is pointing to
@file{/etc/ddclient/secrets.conf} file, which will be appended to
@file{/etc/ddclient/ddclient.conf} and should be created in advance.  See
samples inside @file{/share/ddclient} directory of @code{ddclient}
package.

@example
(service ddclient-service-type)
@end example
--8<---------------cut here---------------end--------------->8---
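Option 2 from the quoted reply, sketched in POSIX shell as an added example (not the patch's Guile code, nor anything from Guix or ddclient): the generated, non-secret config is concatenated with an administrator-created secrets file at activation time, so the secret never passes through the store. The function name and its three path arguments are hypothetical.

```shell
#!/bin/sh
# Added example: assemble the final ddclient.conf from a non-secret
# generated file plus an out-of-band secrets file.
# Function name and arguments are hypothetical.

assemble_ddclient_conf() {
    generated=$1   # non-secret part (may live in a world-readable store)
    secrets=$2     # created by the admin, e.g. /etc/ddclient/secrets.conf
    target=$3      # final file read by ddclient

    [ -f "$generated" ] || { echo "missing $generated" >&2; return 1; }
    [ -f "$secrets" ]   || { echo "missing $secrets" >&2; return 1; }

    # Refuse a secrets file that group or others can access:
    # columns 5-10 of the mode string are the group/other bits.
    perms=$(ls -ldL -- "$secrets" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$secrets must not be accessible to group/others" >&2
        return 2
    fi

    # Build in a subshell so the restrictive umask does not leak out.
    (
        umask 077
        tmp=$(mktemp "$(dirname -- "$target")/.ddclient.conf.XXXXXX") || exit 3
        trap 'rm -f -- "$tmp"' EXIT
        cat -- "$generated" "$secrets" > "$tmp" || exit 3
        chmod 600 "$tmp"
        mv -f -- "$tmp" "$target"   # rename within one directory: atomic
    )
}
```

The temporary file is created in the target's directory so that the final rename never exposes a half-written or world-readable config.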