me/guix
Archived
1
0
Fork 0
Code Activity

services: guix: Make /etc/guix/acl really declarative by default.

Browse source 
Fixes <https://bugs.gnu.org/39819>.
Reported by Maxim Cournoyer <maxim.cournoyer@gmail.com>.

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally.  Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true.  Mention the backup.  Give an example showing
how to authorize substitutes from another server.
This commit is contained in:
Ludovic Courtès 2020-10-21 16:17:26 +02:00
parent e220b77828
commit 3b6e4e5fd0
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
3 changed files with 58 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
doc/guix.texi
View file

@ -14582,11 +14582,26 @@ Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}} @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}). (@pxref{Substitutes}).
When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
changed by invoking @command{guix archive --authorize}. You must
instead adjust @code{guix-configuration} as you wish and reconfigure the
system. This ensures that your operating system configuration file is
self-contained.
@quotation Note
When booting or reconfiguring to a system where @code{authorize-key?}
is true, the existing @file{/etc/guix/acl} file is backed up as
@file{/etc/guix/acl.bak} if it was determined to be a manually modified
file. This is to facilitate migration from earlier versions, which
allowed for in-place modifications to @file{/etc/guix/acl}.
@end quotation
@vindex %default-authorized-guix-keys @vindex %default-authorized-guix-keys
@item @code{authorized-keys} (default: @code{%default-authorized-guix-keys}) @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
The list of authorized key files for archive imports, as a list of The list of authorized key files for archive imports, as a list of
string-valued gexps (@pxref{Invoking guix archive}). By default, it string-valued gexps (@pxref{Invoking guix archive}). By default, it
contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}). contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).
See @code{substitute-urls} below for an example on how to change it.
@item @code{use-substitutes?} (default: @code{#t}) @item @code{use-substitutes?} (default: @code{#t})
Whether to use substitutes. Whether to use substitutes.
@ -14594,6 +14609,27 @@ Whether to use substitutes.
@item @code{substitute-urls} (default: @code{%default-substitute-urls}) @item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default. The list of URLs where to look for substitutes by default.
Suppose you would like to fetch substitutes from @code{guix.example.org}
in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
two things: (1) add @code{guix.example.org} to @code{substitute-urls},
and (2) authorize its signing key, having done appropriate checks
(@pxref{Substitute Server Authorization}). The configuration below does
exactly that:
@lisp
(guix-configuration
(substitute-urls
(append (list "https://guix.example.org")
%default-substitute-urls))
(authorized-keys
(append (list (local-file "./guix.example.org-key.pub"))
%default-authorized-guix-keys)))
@end lisp
This example assumes that the file @file{./guix.example.org-key.pub}
contains the public key that @code{guix.example.org} uses to sign
substitutes.
@item @code{max-silent-time} (default: @code{0}) @item @code{max-silent-time} (default: @code{0})
@itemx @code{timeout} (default: @code{0}) @itemx @code{timeout} (default: @code{0})
The number of seconds of silence and the number of seconds of activity, The number of seconds of silence and the number of seconds of activity,

16
gnu/services/base.scm
View file

@ -1476,10 +1476,18 @@ archive' public keys, with GUIX."
#~(begin #~(begin
(use-modules (guix build utils)) (use-modules (guix build utils))
(unless (file-exists? "/etc/guix/acl") ;; If the ACL already exists, move it out of the way. Create a backup
(mkdir-p "/etc/guix") ;; if it's a regular file: it's likely that the user manually updated
(copy-file #+default-acl "/etc/guix/acl") ;; it with 'guix archive --authorize'.
(chmod "/etc/guix/acl" #o600))))) (if (file-exists? "/etc/guix/acl")
(if (and (symbolic-link? "/etc/guix/acl")
(store-file-name? (readlink "/etc/guix/acl")))
(delete-file "/etc/guix/acl")
(rename-file "/etc/guix/acl" "/etc/guix/acl.bak"))
(mkdir-p "/etc/guix"))
;; Installed the declared ACL.
(symlink #+default-acl "/etc/guix/acl"))))
(define %default-authorized-guix-keys (define %default-authorized-guix-keys
;; List of authorized substitute keys. ;; List of authorized substitute keys.

11
gnu/services/virtualization.scm
View file

@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
(permit-root-login #t) (permit-root-login #t)
(allow-empty-passwords? #t) (allow-empty-passwords? #t)
(password-authentication? #t))) (password-authentication? #t)))
%base-services/hurd))))
;; By default, the secret service introduces a pre-initialized
;; /etc/guix/acl file in the childhurd. Thus, clear
;; 'authorize-key?' so that it's not overridden at activation
;; time.
(modify-services %base-services/hurd
(guix-service-type config =>
(guix-configuration
(inherit config)
(authorize-key? #f))))))))
(define-record-type* <hurd-vm-configuration> (define-record-type* <hurd-vm-configuration>
hurd-vm-configuration make-hurd-vm-configuration hurd-vm-configuration make-hurd-vm-configuration