services: guix: Add 'authorized-keys' configuration knob.
* gnu/services/base.scm (hydra-key-authorization): Add 'key' parameter and honor it. (%default-authorized-guix-keys): New variable. (<guix-configuration>)[authorized-keys]: New field. (guix-shepherd-service): Adjust 'match' clause accordingly. (guix-activation): Adjust call to 'hydra-key-authorization'. * doc/guix.texi (Base Services): Document 'authorized-keys'.
parent
c08533b2cc
commit
5b58c28b7e
|
@ -7680,9 +7680,16 @@ Name of the group for build user accounts.
|
||||||
Number of build user accounts to create.
|
Number of build user accounts to create.
|
||||||
|
|
||||||
@item @code{authorize-key?} (default: @code{#t})
|
@item @code{authorize-key?} (default: @code{#t})
|
||||||
Whether to authorize the substitute key for @code{hydra.gnu.org}
|
Whether to authorize the substitute keys listed in
|
||||||
|
@code{authorized-keys}---by default that of @code{hydra.gnu.org}
|
||||||
(@pxref{Substitutes}).
|
(@pxref{Substitutes}).
|
||||||
|
|
||||||
|
@vindex %default-authorized-guix-keys
|
||||||
|
@item @code{authorized-keys} (default: @var{%default-authorized-guix-keys})
|
||||||
|
The list of authorized key files for archive imports, as a list of
|
||||||
|
string-valued gexps (@pxref{Invoking guix archive}). By default, it
|
||||||
|
contains that of @code{hydra.gnu.org} (@pxref{Substitutes}).
|
||||||
|
|
||||||
@item @code{use-substitutes?} (default: @code{#t})
|
@item @code{use-substitutes?} (default: @code{#t})
|
||||||
Whether to use substitutes.
|
Whether to use substitutes.
|
||||||
|
|
||||||
|
|
|
@ -86,6 +86,7 @@
|
||||||
syslog-service-type
|
syslog-service-type
|
||||||
%default-syslog.conf
|
%default-syslog.conf
|
||||||
|
|
||||||
|
%default-authorized-guix-keys
|
||||||
guix-configuration
|
guix-configuration
|
||||||
guix-configuration?
|
guix-configuration?
|
||||||
guix-service
|
guix-service
|
||||||
|
@ -1003,15 +1004,14 @@ starting at FIRST-UID, and under GID."
|
||||||
1+
|
1+
|
||||||
1))
|
1))
|
||||||
|
|
||||||
(define (hydra-key-authorization guix)
|
(define (hydra-key-authorization key guix)
|
||||||
"Return a gexp with code to register the hydra.gnu.org public key with
|
"Return a gexp with code to register KEY, a file containing a 'guix archive'
|
||||||
GUIX."
|
public key, with GUIX."
|
||||||
#~(unless (file-exists? "/etc/guix/acl")
|
#~(unless (file-exists? "/etc/guix/acl")
|
||||||
(let ((pid (primitive-fork)))
|
(let ((pid (primitive-fork)))
|
||||||
(case pid
|
(case pid
|
||||||
((0)
|
((0)
|
||||||
(let* ((key (string-append #$guix
|
(let* ((key #$key)
|
||||||
"/share/guix/hydra.gnu.org.pub"))
|
|
||||||
(port (open-file key "r0b")))
|
(port (open-file key "r0b")))
|
||||||
(format #t "registering public key '~a'...~%" key)
|
(format #t "registering public key '~a'...~%" key)
|
||||||
(close-port (current-input-port))
|
(close-port (current-input-port))
|
||||||
|
@ -1025,6 +1025,10 @@ GUIX."
|
||||||
(format (current-error-port) "warning: \
|
(format (current-error-port) "warning: \
|
||||||
failed to register hydra.gnu.org public key: ~a~%" status))))))))
|
failed to register hydra.gnu.org public key: ~a~%" status))))))))
|
||||||
|
|
||||||
|
(define %default-authorized-guix-keys
|
||||||
|
;; List of authorized substitute keys.
|
||||||
|
(list #~(string-append #$guix "/share/guix/hydra.gnu.org.pub")))
|
||||||
|
|
||||||
(define-record-type* <guix-configuration>
|
(define-record-type* <guix-configuration>
|
||||||
guix-configuration make-guix-configuration
|
guix-configuration make-guix-configuration
|
||||||
guix-configuration?
|
guix-configuration?
|
||||||
|
@ -1036,6 +1040,8 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
|
||||||
(default 10))
|
(default 10))
|
||||||
(authorize-key? guix-configuration-authorize-key? ;Boolean
|
(authorize-key? guix-configuration-authorize-key? ;Boolean
|
||||||
(default #t))
|
(default #t))
|
||||||
|
(authorized-keys guix-configuration-authorized-keys ;list of gexps
|
||||||
|
(default %default-authorized-guix-keys))
|
||||||
(use-substitutes? guix-configuration-use-substitutes? ;Boolean
|
(use-substitutes? guix-configuration-use-substitutes? ;Boolean
|
||||||
(default #t))
|
(default #t))
|
||||||
(substitute-urls guix-configuration-substitute-urls ;list of strings
|
(substitute-urls guix-configuration-substitute-urls ;list of strings
|
||||||
|
@ -1053,7 +1059,8 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
|
||||||
(define (guix-shepherd-service config)
|
(define (guix-shepherd-service config)
|
||||||
"Return a <shepherd-service> for the Guix daemon service with CONFIG."
|
"Return a <shepherd-service> for the Guix daemon service with CONFIG."
|
||||||
(match config
|
(match config
|
||||||
(($ <guix-configuration> guix build-group build-accounts authorize-key?
|
(($ <guix-configuration> guix build-group build-accounts
|
||||||
|
authorize-key? keys
|
||||||
use-substitutes? substitute-urls extra-options
|
use-substitutes? substitute-urls extra-options
|
||||||
lsof lsh)
|
lsof lsh)
|
||||||
(list (shepherd-service
|
(list (shepherd-service
|
||||||
|
@ -1093,14 +1100,15 @@ failed to register hydra.gnu.org public key: ~a~%" status))))))))
|
||||||
(define (guix-activation config)
|
(define (guix-activation config)
|
||||||
"Return the activation gexp for CONFIG."
|
"Return the activation gexp for CONFIG."
|
||||||
(match config
|
(match config
|
||||||
(($ <guix-configuration> guix build-group build-accounts authorize-key?)
|
(($ <guix-configuration> guix build-group build-accounts authorize-key? keys)
|
||||||
;; Assume that the store has BUILD-GROUP as its group. We could
|
;; Assume that the store has BUILD-GROUP as its group. We could
|
||||||
;; otherwise call 'chown' here, but the problem is that on a COW unionfs,
|
;; otherwise call 'chown' here, but the problem is that on a COW unionfs,
|
||||||
;; chown leads to an entire copy of the tree, which is a bad idea.
|
;; chown leads to an entire copy of the tree, which is a bad idea.
|
||||||
|
|
||||||
;; Optionally authorize hydra.gnu.org's key.
|
;; Optionally authorize hydra.gnu.org's key.
|
||||||
(if authorize-key?
|
(if authorize-key?
|
||||||
(hydra-key-authorization guix)
|
#~(begin
|
||||||
|
#$@(map (cut hydra-key-authorization <> guix) keys))
|
||||||
#~#f))))
|
#~#f))))
|
||||||
|
|
||||||
(define guix-service-type
|
(define guix-service-type
|
||||||
|
|
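Review bot: Leaving the `(unless (file-exists? "/etc/guix/acl") ...)` guard inside hydra-key-authorization means the new `#$@(map (cut hydra-key-authorization <> guix) keys)` in guix-activation re-evaluates that check once per key, so if registering the first key is what creates /etc/guix/acl (the code that performs the registration lies between the two hunks and is not visible here), every later entry of `authorized-keys` is silently skipped and the error path at `failed to register hydra.gnu.org public key: ~a~%` is never reached for them. Hoisting the guard to the caller keeps the bootstrap-only semantics while registering the whole list: `#~(unless (file-exists? "/etc/guix/acl") #$@(map (cut hydra-key-authorization <> guix) keys))`, with the gexp in hydra-key-authorization then beginning at the `let`. Either way the knob only acts when the ACL file is absent, so a key removed from the list after the first activation stays authorized and a key added later is never registered; the texinfo entry for `authorized-keys` should state that, e.g. "These keys are registered only when /etc/guix/acl does not yet exist; use `guix archive --authorize` to change an existing ACL." The message `failed to register hydra.gnu.org public key: ~a~%` and the comment `;; Optionally authorize hydra.gnu.org's key.` now name the wrong key; both should refer to the `key` actually being registered.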