From: Stefan Sperling
Subject: Re: RFC: secrets for gotd
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Mon, 26 Aug 2024 09:13:51 +0200

On Sun, Aug 25, 2024 at 11:19:20PM +0200, Omar Polo wrote:
> At that point, why not also use a {}-style syntax for the secret file
> too? It helps to visually distinguish the entries that are used for
> hmac and HTTP auth.
>
> but also something more smtpd-table could work for me.
>
> # /etc/gotd.secrets.conf
> flan s3cr3tp4ssw0rd
> secret1
> ...
>

I think a distinct syntax like this would be better. Otherwise, users
could be misled into assuming secrets could be added inline to the main
config file, while we really must require a separate file to satisfy
gitwrapper.

To keep the types of secrets visually distinct we could use a parse.y
METHOD NAME STRING syntax, where METHOD indicates the type of
authentication credential:

  auth flan "s3cr3tp4ssw0rd"
  hmac secret1 "hmac-secret"

Perhaps we should even have separate parse.y files for secrets and the
main config file, rather than including the secrets file in the main
config somehow like smtpd-style tables would do. Upon startup, if the
secrets file is present then gotd would parse the secrets first, then
parse /etc/gotd.conf with all secrets available for validation.
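The following is an added example, not code from gotd or from anyone in this thread: a small parser for the METHOD NAME STRING secrets syntax proposed above, plus the lookup a main-config parser could call once the secrets file has been read first, as the message suggests. It assumes only the two methods named in the mail (`auth` and `hmac`), requires the STRING to be double-quoted, rejects unknown methods, unquoted values and duplicate entries, and stops at the first error so that a malformed secrets file cannot be half-loaded. The sample file contents and the gotd.conf references checked in `main` are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the proposed syntax; not a real /etc/gotd.secrets.conf. */
const char sample_secrets[] =
    "# /etc/gotd.secrets.conf (constructed sample)\n"
    "auth flan \"s3cr3tp4ssw0rd\"\n"
    "hmac secret1 \"hmac-secret\"\n"
    "\n";

enum secret_method { SECRET_AUTH, SECRET_HMAC };

struct secret {
	enum secret_method method;
	char name[64];
	char value[128];
};

#define MAX_SECRETS 32
static struct secret secrets[MAX_SECRETS];
static int nsecrets;

/* Find a secret by method and name; NULL if the main config references an unknown one. */
const struct secret *
lookup_secret(enum secret_method method, const char *name)
{
	int i;
	for (i = 0; i < nsecrets; i++)
		if (secrets[i].method == method && strcmp(secrets[i].name, name) == 0)
			return &secrets[i];
	return NULL;
}

/* Parse one line of METHOD NAME "STRING". Returns 0 on success, 1 for blank/comment, -1 on error. */
static int
parse_secret_line(const char *line, struct secret *out)
{
	char method[16];
	const char *p = line;
	size_t n;

	while (isspace((unsigned char)*p))
		p++;
	if (*p == '\0' || *p == '#')
		return 1;

	/* METHOD: only the two credential types proposed in the thread. */
	n = strcspn(p, " \t");
	if (n == 0 || n >= sizeof(method))
		return -1;
	memcpy(method, p, n);
	method[n] = '\0';
	p += n;
	if (strcmp(method, "auth") == 0)
		out->method = SECRET_AUTH;
	else if (strcmp(method, "hmac") == 0)
		out->method = SECRET_HMAC;
	else
		return -1;

	/* NAME: the identifier the main config will refer to. */
	while (isspace((unsigned char)*p))
		p++;
	n = strcspn(p, " \t");
	if (n == 0 || n >= sizeof(out->name))
		return -1;
	memcpy(out->name, p, n);
	out->name[n] = '\0';
	p += n;

	/* STRING: must be double-quoted; an unquoted value is a syntax error. */
	while (isspace((unsigned char)*p))
		p++;
	if (*p != '"')
		return -1;
	p++;
	n = strcspn(p, "\"");
	if (p[n] != '"' || n >= sizeof(out->value))
		return -1;
	memcpy(out->value, p, n);
	out->value[n] = '\0';
	p += n + 1;
	while (isspace((unsigned char)*p))
		p++;
	return (*p == '\0' || *p == '#') ? 0 : -1;   /* nothing but a comment may follow */
}

/* Parse a whole secrets file; returns the number of secrets loaded, or -1 on any error. */
int
parse_secrets(const char *text)
{
	char line[256];
	const char *p = text;

	nsecrets = 0;
	while (*p != '\0') {
		size_t len = strcspn(p, "\n");
		struct secret s;
		int rc;

		if (len >= sizeof(line))
			return -1;
		memcpy(line, p, len);
		line[len] = '\0';
		p += len;
		if (*p == '\n')
			p++;

		rc = parse_secret_line(line, &s);
		if (rc < 0)
			return -1;
		if (rc == 1)
			continue;
		if (lookup_secret(s.method, s.name) != NULL || nsecrets >= MAX_SECRETS)
			return -1;   /* duplicate definition or table full */
		secrets[nsecrets++] = s;
	}
	return nsecrets;
}

int
main(void)
{
	/* Constructed references as a gotd.conf might contain them; "secret2" is deliberately undefined. */
	struct { enum secret_method m; const char *name; } refs[] = {
		{ SECRET_AUTH, "flan" }, { SECRET_HMAC, "secret1" }, { SECRET_HMAC, "secret2" },
	};
	size_t i;

	if (parse_secrets(sample_secrets) < 0) {
		fprintf(stderr, "secrets file: syntax error\n");
		return 1;
	}
	for (i = 0; i < sizeof(refs) / sizeof(refs[0]); i++)
		printf("%s %s: %s\n", refs[i].m == SECRET_AUTH ? "auth" : "hmac",
		    refs[i].name, lookup_secret(refs[i].m, refs[i].name) ? "ok" : "undefined");
	return 0;
}
```

Parsing the secrets first and then validating every reference in the main config, as `main` does, reports an undefined secret at startup rather than at the first request that needs it.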