Circling back to OnlyJunk.Fans development, I'm pondering about all things ACME and sensitive data and whatnot.
I do not want to store anything on the filesystem if I can avoid it. So LetsEncrypt serialized credentials, the obtained certificates - they'll be in the database. But I can't store them in plain.
So I guess I will need another secret (there's already a session-secret, and the database URL may contain secrets too), and do some AES-GCM-SIV or XChaCha20-Poly1305 magic to store them in the db encrypted.
This will be fun.
Went with XChaCha20-Poly1305, because it promised less footguns. Now I "only" need to figure out how to make using it easy.
@buherator There's chacha20poly1305, which is pure rust, and tink-rust depends on it too. :)
For what I need, the raw library is fine.
@buherator oh, sorry. By "make it easy", I meant building an abstraction on top, so the majority of my software doesn't need to know that the data is stored encrypted.
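An added example (editor's code, not OnlyJunk.Fans code) of the abstraction the post describes: the rest of the application hands a `SecretStore` the plaintext plus the table, column and row id it belongs to, and gets back an opaque blob (version byte, 24-byte nonce, ciphertext, 16-byte tag) to put in the database; on read it passes the same location and gets the plaintext or an error. The location goes into the AEAD's associated data, so a blob copied from one row or column into another fails authentication rather than decrypting into the wrong place. All names (`SecretStore`, `Aead`, `ToyAead`, the blob layout, the table and column strings) are assumptions for illustration. `ToyAead` is a placeholder with the XChaCha20-Poly1305 interface shape and no security properties at all; it exists only so the file runs with rustc and no crates. In the real build the `Aead` trait would be implemented for `XChaCha20Poly1305` from the `chacha20poly1305` crate named in the reply, and the injected nonce source would wrap `OsRng`; the demo uses a counter so the run is deterministic.

```rust
// Added example (not OnlyJunk.Fans code): an encrypted-at-rest field abstraction over a
// pluggable AEAD. ToyAead is NOT a cipher; it is a placeholder with the same interface
// shape so this file compiles with rustc alone. In a real build the Aead trait would be
// implemented for chacha20poly1305::XChaCha20Poly1305 (24-byte nonce, 16-byte tag).

pub const NONCE_LEN: usize = 24; // XChaCha20-Poly1305 nonce size
pub const TAG_LEN: usize = 16;   // Poly1305 tag size
const FORMAT_VERSION: u8 = 1;    // first byte of every stored blob; bump on key/format rotation

#[derive(Debug, PartialEq)]
pub enum AeadError { Malformed, AuthFailed }

pub trait Aead {
    fn seal(&self, nonce: &[u8; NONCE_LEN], aad: &[u8], plaintext: &[u8]) -> Vec<u8>;
    fn open(&self, nonce: &[u8; NONCE_LEN], aad: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, AeadError>;
}

/// What the rest of the application talks to: callers pass plaintext plus the
/// (table, column, row id) the value belongs to, and never see keys or nonces.
pub struct SecretStore<A: Aead, N: FnMut() -> [u8; NONCE_LEN]> {
    aead: A,
    next_nonce: N, // production: a closure around OsRng; random 24-byte nonces are safe for XChaCha
}

impl<A: Aead, N: FnMut() -> [u8; NONCE_LEN]> SecretStore<A, N> {
    pub fn new(aead: A, next_nonce: N) -> Self { SecretStore { aead: aead, next_nonce: next_nonce } }

    // AAD binds a ciphertext to its location, so a blob copied from one row or column
    // into another fails authentication instead of decrypting "successfully".
    fn aad(table: &str, column: &str, row_id: u64) -> Vec<u8> {
        format!("v{}:{}.{}#{}", FORMAT_VERSION, table, column, row_id).into_bytes()
    }

    /// Returns the blob to store: version || nonce || ciphertext || tag.
    pub fn encrypt_field(&mut self, table: &str, column: &str, row_id: u64, plaintext: &[u8]) -> Vec<u8> {
        let nonce = (self.next_nonce)();
        let mut blob = Vec::with_capacity(1 + NONCE_LEN + plaintext.len() + TAG_LEN);
        blob.push(FORMAT_VERSION);
        blob.extend_from_slice(&nonce);
        blob.extend_from_slice(&self.aead.seal(&nonce, &Self::aad(table, column, row_id), plaintext));
        blob
    }

    pub fn decrypt_field(&self, table: &str, column: &str, row_id: u64, blob: &[u8]) -> Result<Vec<u8>, AeadError> {
        if blob.len() < 1 + NONCE_LEN + TAG_LEN || blob[0] != FORMAT_VERSION {
            return Err(AeadError::Malformed);
        }
        let mut nonce = [0u8; NONCE_LEN];
        nonce.copy_from_slice(&blob[1..1 + NONCE_LEN]);
        self.aead.open(&nonce, &Self::aad(table, column, row_id), &blob[1 + NONCE_LEN..])
    }
}

/// Placeholder AEAD: XOR with a non-cryptographic keystream plus a non-cryptographic tag.
/// It only demonstrates the interface; swap in the real XChaCha20-Poly1305 implementation.
pub struct ToyAead { key: [u8; 32] }

impl ToyAead {
    pub fn new(key: [u8; 32]) -> Self { ToyAead { key: key } }

    // SplitMix64 finaliser, used here purely as a mixing function (not a PRF).
    fn mix(mut x: u64) -> u64 {
        x = (x ^ (x >> 30)).wrapping_mul(0xbf58476d1ce4e5b9);
        x = (x ^ (x >> 27)).wrapping_mul(0x94d049bb133111eb);
        x ^ (x >> 31)
    }

    fn block(&self, nonce: &[u8; NONCE_LEN], counter: u64) -> u64 {
        let mut s = Self::mix(counter);
        for chunk in self.key.chunks(8).chain(nonce.chunks(8)) {
            let mut w = 0u64;
            for (j, &b) in chunk.iter().enumerate() { w |= (b as u64) << (8 * j); }
            s = Self::mix(s ^ w);
        }
        s
    }

    fn keystream_byte(&self, nonce: &[u8; NONCE_LEN], i: usize) -> u8 {
        (self.block(nonce, (i / 8) as u64 + 1) >> (8 * (i % 8))) as u8
    }

    fn tag(&self, nonce: &[u8; NONCE_LEN], aad: &[u8], ct: &[u8]) -> [u8; TAG_LEN] {
        let mut s = self.block(nonce, 0) ^ (aad.len() as u64);
        for &b in aad { s = Self::mix(s ^ b as u64); }
        s = Self::mix(s ^ ct.len() as u64);
        for &b in ct { s = Self::mix(s ^ b as u64); }
        let mut t = [0u8; TAG_LEN];
        t[..8].copy_from_slice(&s.to_le_bytes());
        t[8..].copy_from_slice(&Self::mix(s ^ 0x9e3779b97f4a7c15).to_le_bytes());
        t
    }
}

// Constant-time comparison, as the real Poly1305 verification does internally.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl Aead for ToyAead {
    fn seal(&self, nonce: &[u8; NONCE_LEN], aad: &[u8], plaintext: &[u8]) -> Vec<u8> {
        let mut out: Vec<u8> = plaintext.iter().enumerate()
            .map(|(i, &p)| p ^ self.keystream_byte(nonce, i)).collect();
        let tag = self.tag(nonce, aad, &out);
        out.extend_from_slice(&tag);
        out
    }

    fn open(&self, nonce: &[u8; NONCE_LEN], aad: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, AeadError> {
        if ciphertext.len() < TAG_LEN { return Err(AeadError::Malformed); }
        let (ct, tag) = ciphertext.split_at(ciphertext.len() - TAG_LEN);
        if !ct_eq(&self.tag(nonce, aad, ct), tag) { return Err(AeadError::AuthFailed); }
        Ok(ct.iter().enumerate().map(|(i, &c)| c ^ self.keystream_byte(nonce, i)).collect())
    }
}

fn demo_nonces() -> impl FnMut() -> [u8; NONCE_LEN] {
    // Deterministic counter for the demo only; production uses OsRng-backed 24-byte nonces.
    let mut n = 0u64;
    move || {
        n += 1;
        let mut out = [0u8; NONCE_LEN];
        out[..8].copy_from_slice(&n.to_le_bytes());
        out
    }
}

fn main() {
    let mut store = SecretStore::new(ToyAead::new([7u8; 32]), demo_nonces());
    // Constructed sample value; table and column names are assumptions.
    let blob = store.encrypt_field("acme_accounts", "private_key", 42, b"-----BEGIN PRIVATE KEY----- (constructed)");
    println!("stored {} bytes", blob.len());
    println!("same row:  {:?}", store.decrypt_field("acme_accounts", "private_key", 42, &blob).map(|p| p.len()));
    println!("moved row: {:?}", store.decrypt_field("acme_accounts", "private_key", 43, &blob));
}
```

The two design choices worth keeping when the placeholder is replaced by the real cipher: the leading version byte gives a place to hang key rotation later (old blobs stay readable while new writes use the new key), and the AAD string means the database layer cannot silently serve one row's serialized ACME credentials under another row's id.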
So... uhh. So I don't want to play with LE's staging server, because my desktop isn't visible from the internet, and I don't want to tunnel something home.
Buuut.. I'd need to install the root cert for that, because instant-acme doesn't seem to expose ways to augment what it trusts.
To install a CA, I'd need to set security.pki.certificateFiles, which would be fine, except I have not properly updated to NixOS 25.11 yet.
As in, my configuration builds, but it doesn't boot, because persistent stuff gets mangled up badly. I fixed that on the laptop, and on servers, I need to fix it on the desktop too.
Le sigh.