
03/05: services: secret-service: Do not generate SSH and Guix key pairs.


From: guix-commits
Subject: 03/05: services: secret-service: Do not generate SSH and Guix key pairs.
Date: Thu, 10 Mar 2022 17:51:01 -0500 (EST)

civodul pushed a commit to branch master
in repository guix.

commit 2bac6ea177d5b3353ea1a4d032d17a6ac3763e96
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Mar 10 23:10:02 2022 +0100

    services: secret-service: Do not generate SSH and Guix key pairs.
    
    The justification about the order of activation snippets given in the
    comment had been obsolete since
    39e3b4b7cee175a3c1f37329744c582528d55f5d.
    
    Lately, running the activation snippets for "ssh-keygen -A" and "guix
    archive --generate-key" would take a little bit too long, thereby
    preventing the childhurd from starting on time.
    
    * gnu/services/virtualization.scm (secret-service-operating-system):
    Clear 'generate-host-keys?' and 'generate-substitute-key?'.
---
 gnu/services/virtualization.scm | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 9b4512cff7..70d4d6c34c 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -946,12 +946,20 @@ can only be accessed by their host.")))
 that will be listening to receive secret keys on port 1004, TCP."
   (operating-system
     (inherit os)
-    ;; Arrange so that the secret service activation snippet shows up before
-    ;; the OpenSSH and Guix activation snippets.  That way, we receive OpenSSH
-    ;; and Guix keys before the activation snippets try to generate fresh keys
-    ;; for nothing.
-    (services (append (operating-system-user-services os)
-                      (list (service secret-service-type 1004))))))
+    (services
+     ;; Turn off SSH and Guix key generation that normally happens during
+     ;; activation: that requires entropy and thus takes time during boot, and
+     ;; those keys are going to be overwritten by secrets received from the
+     ;; host anyway.
+     (cons (service secret-service-type 1004)
+           (modify-services (operating-system-user-services os)
+             (openssh-service-type
+              config => (openssh-configuration
+                         (inherit config)
+                         (generate-host-keys? #f)))
+             (guix-service-type
+              config => (guix-configuration
+                         (generate-substitute-key? #f))))))))
 
 
 ;;;
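Review bot: in the guix-service-type clause at the end of this hunk, the new `(guix-configuration (generate-substitute-key? #f))` is built without `(inherit config)`, so the `config` bound by `config =>` goes unused and every other field of the operating system's existing Guix configuration is replaced by the record defaults rather than carried over. The openssh-service-type clause right above handles this correctly with `(openssh-configuration (inherit config) (generate-host-keys? #f))`; suggest mirroring it as `(guix-configuration (inherit config) (generate-substitute-key? #f))` so that only the key-generation flag changes for the childhurd.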


