services: guix: Add 'generate-substitute-key?' field.

* gnu/services/base.scm (<guix-configuration>)[generate-substitute-key?]:
New field.
(guix-activation): Honor it.
* doc/guix.texi (Base Services): Document it.
Ludovic Courtès 2022-03-10 22:27:04 +01:00
parent 199da75a8a
commit 5e34e873af
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 18 additions and 2 deletions

@ -17030,6 +17030,18 @@ This example assumes that the file @file{./guix.example.org-key.pub}
contains the public key that @code{guix.example.org} uses to sign contains the public key that @code{guix.example.org} uses to sign
substitutes. substitutes.
@item @code{generate-substitute-key?} (default: @code{#t})
Whether to generate a @dfn{substitute key pair} under
@file{/etc/guix/signing-key.pub} and @file{/etc/guix/signing-key.sec} if
there is not already one.
This key pair is used when exporting store items, for instance with
@command{guix publish} (@pxref{Invoking guix publish}) or @command{guix
archive} (@pxref{Invoking guix archive}). Generating a key pair takes a
few seconds when enough entropy is available and is only done once; you
might want to turn it off for instance in a virtual machine that does
not need it and where the extra boot time is a problem.
@item @code{max-silent-time} (default: @code{0}) @item @code{max-silent-time} (default: @code{0})
@itemx @code{timeout} (default: @code{0}) @itemx @code{timeout} (default: @code{0})
The number of seconds of silence and the number of seconds of activity, The number of seconds of silence and the number of seconds of activity,
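Review bot: the new @item text says the key pair is "used when exporting store items" but does not tell the operator what breaks when the field is @code{#f}; since the sentence that follows actively suggests turning it off in a virtual machine, add one clause stating that @command{guix publish} and @command{guix archive --export} need the key pair and that it must then be created by hand with @command{guix archive --generate-key} before either is used on that machine. Also, "if there is not already one" describes a check the activation code performs on @file{/etc/guix/signing-key.pub} alone, so "if @file{/etc/guix/signing-key.pub} does not already exist" would be the more precise wording.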

@ -183,6 +183,7 @@ (define-module (gnu services base)
guix-configuration-authorized-keys guix-configuration-authorized-keys
guix-configuration-use-substitutes? guix-configuration-use-substitutes?
guix-configuration-substitute-urls guix-configuration-substitute-urls
guix-configuration-generate-substitute-key?
guix-configuration-extra-options guix-configuration-extra-options
guix-configuration-log-file guix-configuration-log-file
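Review bot: style only: the export list places @code{guix-configuration-generate-substitute-key?} between the substitute-urls and extra-options accessors, whereas the record definition later in this patch puts the new field between @code{substitute-urls} and @code{chroot-directories}; keeping the export order identical to the field order makes it easier to spot missing exports in future changes.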
@ -1565,6 +1566,8 @@ (define-record-type* <guix-configuration>
(default #t)) (default #t))
(substitute-urls guix-configuration-substitute-urls ;list of strings (substitute-urls guix-configuration-substitute-urls ;list of strings
(default %default-substitute-urls)) (default %default-substitute-urls))
(generate-substitute-key? guix-configuration-generate-substitute-key?
(default #t)) ;Boolean
(chroot-directories guix-configuration-chroot-directories ;list of file-like/strings (chroot-directories guix-configuration-chroot-directories ;list of file-like/strings
(default '())) (default '()))
(max-silent-time guix-configuration-max-silent-time ;integer (max-silent-time guix-configuration-max-silent-time ;integer
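Review bot: the type annotation is placed inconsistently: every neighbouring field carries its comment on the accessor line (@code{;list of strings}, @code{;list of file-like/strings}, @code{;integer}), but the new field puts @code{;Boolean} on the @code{(default #t))} line. Move it up to read @code{(generate-substitute-key? guix-configuration-generate-substitute-key? ;Boolean} so the record stays uniform.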
@ -1749,14 +1752,15 @@ (define (guix-accounts config)
(define (guix-activation config) (define (guix-activation config)
"Return the activation gexp for CONFIG." "Return the activation gexp for CONFIG."
(match-record config <guix-configuration> (match-record config <guix-configuration>
(guix authorize-key? authorized-keys) (guix generate-substitute-key? authorize-key? authorized-keys)
#~(begin #~(begin
;; Assume that the store has BUILD-GROUP as its group. We could ;; Assume that the store has BUILD-GROUP as its group. We could
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
;; chown leads to an entire copy of the tree, which is a bad idea. ;; chown leads to an entire copy of the tree, which is a bad idea.
;; Generate a key pair and optionally authorize substitute server keys. ;; Generate a key pair and optionally authorize substitute server keys.
(unless (file-exists? "/etc/guix/signing-key.pub") (unless (or #$(not generate-substitute-key?)
(file-exists? "/etc/guix/signing-key.pub"))
(system* #$(file-append guix "/bin/guix") "archive" (system* #$(file-append guix "/bin/guix") "archive"
"--generate-key")) "--generate-key"))
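Review bot: the comment above the @code{unless} still reads "Generate a key pair and optionally authorize substitute server keys", but with this change key generation is itself optional; update it to say that both steps are conditional so the comment matches the @code{(or #$(not generate-substitute-key?) ...)} test below it. Two further points on the same block: the guard checks only @file{/etc/guix/signing-key.pub}, so a system that has the public half but has lost @file{/etc/guix/signing-key.sec} will never regenerate the pair and @command{guix publish} will fail later with no hint at activation time; and the exit status of @code{system*} is discarded, so a failed @command{guix archive --generate-key} (for example when the daemon binary is missing or entropy is unavailable) is silent at boot. Checking both files and logging a warning when @code{system*} returns non-zero would make the "generate once, then skip" behaviour the documentation promises actually observable.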