mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
services: guix: Generate key pair if needed during activation.
* gnu/services/base.scm (guix-activation): Invoke "guix archive --generate-key".
* doc/guix.texi (Invoking guix archive) (Invoking guix deploy): Mention that 'guix-service-type' takes care of generating the key pair.
This commit is contained in:
parent
8ac318068b
commit
d367a7f3d0
2 changed files with 16 additions and 8 deletions
@ -4600,9 +4600,11 @@ the store.
|
||||||
@item --generate-key[=@var{parameters}]
|
@item --generate-key[=@var{parameters}]
|
||||||
@cindex signing, archives
|
@cindex signing, archives
|
||||||
Generate a new key pair for the daemon. This is a prerequisite before
|
Generate a new key pair for the daemon. This is a prerequisite before
|
||||||
archives can be exported with @option{--export}. Note that this
|
archives can be exported with @option{--export}. This
|
||||||
operation usually takes time, because it needs to gather enough entropy
|
operation is usually instantaneous but it can take time if the system's
|
||||||
to generate the key pair.
|
entropy pool needs to be refilled. On Guix System,
|
||||||
|
@code{guix-service-type} takes care of generating this key pair the
|
||||||
|
first boot.
|
||||||
|
|
||||||
The generated key pair is typically stored under @file{/etc/guix}, in
|
The generated key pair is typically stored under @file{/etc/guix}, in
|
||||||
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
|
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
|
||||||
|
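Review bot: the added sentence "@code{guix-service-type} takes care of generating this key pair the first boot" is missing a preposition ("on first boot" or "at first boot"), and "first boot" understates what the activation code in gnu/services/base.scm actually does: it runs `guix archive --generate-key` whenever @file{/etc/guix/signing-key.pub} is absent at activation time, not only on the very first boot. Suggest wording that matches the code, e.g. "On Guix System, @code{guix-service-type} generates this key pair at activation time if @file{/etc/guix/signing-key.pub} does not already exist." It would also help to keep the point from the removed text that the key pair must exist before @option{--export} can be used, since the new wording drops the link between the two.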
@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different
|
||||||
|
|
||||||
Do note that you first need to generate a key pair on the coordinator machine
|
Do note that you first need to generate a key pair on the coordinator machine
|
||||||
to allow the daemon to export signed archives of files from the store
|
to allow the daemon to export signed archives of files from the store
|
||||||
(@pxref{Invoking guix archive}).
|
(@pxref{Invoking guix archive}), though this step is automatic on Guix
|
||||||
|
System:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
# guix archive --generate-key
|
# guix archive --generate-key
|
||||||
|
|
|
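Review bot: the rewritten sentence now ends with "though this step is automatic on Guix System:" directly in front of the @example block, so the `# guix archive --generate-key` command reads as the thing that is automatic, which is the opposite of what is meant (the command is what users of other systems must run by hand). Suggest closing the sentence and introducing the example explicitly, e.g. "(@pxref{Invoking guix archive}). On Guix System, @code{guix-service-type} does this automatically; on other systems, run:" followed by the existing @example.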
@ -1653,10 +1653,15 @@ (define (guix-activation config)
|
||||||
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
|
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
|
||||||
;; chown leads to an entire copy of the tree, which is a bad idea.
|
;; chown leads to an entire copy of the tree, which is a bad idea.
|
||||||
|
|
||||||
;; Optionally authorize substitute server keys.
|
;; Generate a key pair and optionally authorize substitute server keys.
|
||||||
(if authorize-key?
|
#~(begin
|
||||||
(substitute-key-authorization keys guix)
|
(unless (file-exists? "/etc/guix/signing-key.pub")
|
||||||
#~#f))))
|
(system* #$(file-append guix "/bin/guix") "archive"
|
||||||
|
"--generate-key"))
|
||||||
|
|
||||||
|
#$(if authorize-key?
|
||||||
|
(substitute-key-authorization keys guix)
|
||||||
|
#~#f)))))
|
||||||
|
|
||||||
(define* (references-file item #:optional (name "references"))
|
(define* (references-file item #:optional (name "references"))
|
||||||
"Return a file that contains the list of references of ITEM."
|
"Return a file that contains the list of references of ITEM."
|
||||||
|
|
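Review bot: the exit status of `system*` is discarded, so if `guix archive --generate-key` fails during activation (for instance because @file{/etc/guix} is not writable at that point, or the process is interrupted while waiting for entropy), activation continues silently and the daemon later fails to export or sign archives with no hint as to why. Suggest checking the return value, e.g. `(unless (zero? (system* #$(file-append guix "/bin/guix") "archive" "--generate-key")) (format (current-error-port) "guix-activation: failed to generate signing key~%"))`, or raising an error so the failure is visible in the activation log. A second point: the guard only tests for `signing-key.pub`, while the doc hunk above states that the key pair consists of `signing-key.pub` and `signing-key.sec`; a leftover public key with a missing private key would skip generation and leave the daemon with an unusable half pair. Testing for both files (or at least for the private key) would make the check robust, and it is worth confirming that the private key written here as root ends up with restrictive permissions.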