me/guix
Archived
1
0
Fork 0
Code Activity

services: guix: Add 'authorized-keys' configuration knob.

Browse source 
* gnu/services/base.scm (hydra-key-authorization): Add 'key' parameter
and honor it.
(%default-authorized-guix-keys): New variable.
(<guix-configuration>)[authorized-keys]: New field.
(guix-shepherd-service): Adjust 'match' clause accordingly.
(guix-activation): Adjust call to 'hydra-key-authorization'.
* doc/guix.texi (Base Services): Document 'authorized-keys'.
This commit is contained in:
Ludovic Courtès 2016-08-18 16:33:01 +02:00
parent c08533b2cc
commit 5b58c28b7e
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 24 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
doc/guix.texi
View file

@ -7680,9 +7680,16 @@ Name of the group for build user accounts.
Number of build user accounts to create. Number of build user accounts to create.
@item @code{authorize-key?} (default: @code{#t}) @item @code{authorize-key?} (default: @code{#t})
Whether to authorize the substitute key for @code{hydra.gnu.org} Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{hydra.gnu.org}
(@pxref{Substitutes}). (@pxref{Substitutes}).
@vindex %default-authorized-guix-keys
@item @code{authorized-keys} (default: @var{%default-authorized-guix-keys})
The list of authorized key files for archive imports, as a list of
string-valued gexps (@pxref{Invoking guix archive}). By default, it
contains that of @code{hydra.gnu.org} (@pxref{Substitutes}).
@item @code{use-substitutes?} (default: @code{#t}) @item @code{use-substitutes?} (default: @code{#t})
Whether to use substitutes. Whether to use substitutes.

24
gnu/services/base.scm
View file

@ -86,6 +86,7 @@
syslog-service-type syslog-service-type
%default-syslog.conf %default-syslog.conf
%default-authorized-guix-keys
guix-configuration guix-configuration
guix-configuration? guix-configuration?
guix-service guix-service
@ -1003,15 +1004,14 @@ starting at FIRST-UID, and under GID."
1+ 1+
1)) 1))
(define (hydra-key-authorization guix) (define (hydra-key-authorization key guix)
"Return a gexp with code to register the hydra.gnu.org public key with "Return a gexp with code to register KEY, a file containing a 'guix archive'
GUIX." public key, with GUIX."
#~(unless (file-exists? "/etc/guix/acl") #~(unless (file-exists? "/etc/guix/acl")
(let ((pid (primitive-fork))) (let ((pid (primitive-fork)))
(case pid (case pid
((0) ((0)
(let* ((key (string-append #$guix (let* ((key #$key)
"/share/guix/hydra.gnu.org.pub"))
(port (open-file key "r0b"))) (port (open-file key "r0b")))
(format #t "registering public key '~a'...~%" key) (format #t "registering public key '~a'...~%" key)
(close-port (current-input-port)) (close-port (current-input-port))
@ -1025,6 +1025,10 @@ GUIX."
(format (current-error-port) "warning: \ (format (current-error-port) "warning: \
failed to register hydra.gnu.org public key: ~a~%" status)))))))) failed to register hydra.gnu.org public key: ~a~%" status))))))))
(define %default-authorized-guix-keys
;; List of authorized substitute keys.
(list #~(string-append #$guix "/share/guix/hydra.gnu.org.pub")))
(define-record-type* <guix-configuration> (define-record-type* <guix-configuration>
guix-configuration make-guix-configuration guix-configuration make-guix-configuration
guix-configuration? guix-configuration?
@ -1036,6 +1040,8 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
(default 10)) (default 10))
(authorize-key? guix-configuration-authorize-key? ;Boolean (authorize-key? guix-configuration-authorize-key? ;Boolean
(default #t)) (default #t))
(authorized-keys guix-configuration-authorized-keys ;list of gexps
(default %default-authorized-guix-keys))
(use-substitutes? guix-configuration-use-substitutes? ;Boolean (use-substitutes? guix-configuration-use-substitutes? ;Boolean
(default #t)) (default #t))
(substitute-urls guix-configuration-substitute-urls ;list of strings (substitute-urls guix-configuration-substitute-urls ;list of strings
@ -1053,7 +1059,8 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
(define (guix-shepherd-service config) (define (guix-shepherd-service config)
"Return a <shepherd-service> for the Guix daemon service with CONFIG." "Return a <shepherd-service> for the Guix daemon service with CONFIG."
(match config (match config
(($ <guix-configuration> guix build-group build-accounts authorize-key? (($ <guix-configuration> guix build-group build-accounts
authorize-key? keys
use-substitutes? substitute-urls extra-options use-substitutes? substitute-urls extra-options
lsof lsh) lsof lsh)
(list (shepherd-service (list (shepherd-service
@ -1093,14 +1100,15 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
(define (guix-activation config) (define (guix-activation config)
"Return the activation gexp for CONFIG." "Return the activation gexp for CONFIG."
(match config (match config
(($ <guix-configuration> guix build-group build-accounts authorize-key?) (($ <guix-configuration> guix build-group build-accounts authorize-key? keys)
;; Assume that the store has BUILD-GROUP as its group. We could ;; Assume that the store has BUILD-GROUP as its group. We could
;; otherwise call 'chown' here, but the problem is that on a COW unionfs, ;; otherwise call 'chown' here, but the problem is that on a COW unionfs,
;; chown leads to an entire copy of the tree, which is a bad idea. ;; chown leads to an entire copy of the tree, which is a bad idea.
;; Optionally authorize hydra.gnu.org's key. ;; Optionally authorize hydra.gnu.org's key.
(if authorize-key? (if authorize-key?
(hydra-key-authorization guix) #~(begin
#$@(map (cut hydra-key-authorization <> guix) keys))
#~#f)))) #~#f))))
(define guix-service-type (define guix-service-type