Heya, George myglc2 Clemmer <myg...@gmail.com> wrote:
> I want to set the host key in 'guix system vm-image' so that updating a
> VM config does not break that VM's host key entry in my client machine
> ~/.ssh/known_hosts files. AFAIK there is no direct way to do this. I
> tried this ...
>
>   (services (cons*
>     [...]
>     (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
>                         (local-file "ssh_host_ed25519_key"))
>     (extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
>                         (local-file "ssh_host_ed25519_key.pub"))
>     ))
>
> ... which does work but naturally throws errors ...
>
> localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> localhost sshd[236]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

You should *not* do that, indeed, because the private key file ends up in
the store, and every file in the store is world-readable. There’s no way
around it, currently at least.

The recommendation in this case is to use “out-of-band” storage—i.e.,
have the secrets stored in a place other than the store. For example,
you could have an activation snippet that copies secret files directly
to /etc, along these lines (untested):

  (simple-service 'copy-private-key activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        ;; /etc/ssh may not exist yet on first boot.
                        (mkdir-p "/etc/ssh")
                        ;; Copy the secret from out-of-band storage, not from the store.
                        (copy-file "/root/secrets/ssh_host_ed25519_key"
                                   "/etc/ssh/ssh_host_ed25519_key"))))

That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
exist in the first place, but that’s pretty much all we can do.

HTH!

Ludo’.
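As an added illustration of the out-of-band approach described in the reply (this is not code from the thread or from Guix itself), the following activation snippet installs both halves of the host key from a directory outside the store and sets the permissions sshd requires, skipping the copy when the secret is absent. The /root/secrets directory, the key file name and the service name are assumptions.

```scheme
;; Added example, not from the thread.  Assumed layout: the operator places
;; ssh_host_ed25519_key and ssh_host_ed25519_key.pub in /root/secrets on the
;; VM disk by some channel other than the Guix store (e.g. a one-off scp).
(use-modules (gnu services)
             (guix gexp))

(define %secret-dir "/root/secrets")          ; assumed out-of-band location
(define %host-key "ssh_host_ed25519_key")     ; assumed key file name

(define install-ssh-host-key-service
  (simple-service 'install-ssh-host-key activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))

          ;; Copy one file from the secret directory into /etc/ssh and
          ;; clamp its mode.  MODE is an octal permission value.
          (define (install-secret name mode)
            (let ((src (string-append #$%secret-dir "/" name))
                  (dst (string-append "/etc/ssh/" name)))
              (if (file-exists? src)
                  (begin
                    (copy-file src dst)
                    ;; 0600 on the private half is what sshd checks for;
                    ;; the public half may stay world-readable.
                    (chmod dst mode))
                  ;; Do not abort activation: sshd will generate a fresh
                  ;; key, and known_hosts will simply need updating.
                  (format (current-error-port)
                          "warning: ~a not found; host key left unchanged~%"
                          src))))

          (mkdir-p "/etc/ssh")
          (install-secret #$%host-key #o600)
          (install-secret (string-append #$%host-key ".pub") #o644)))))
```

Add `install-ssh-host-key-service` to the `services` list of the operating-system declaration in place of the `extra-special-file` entries; the private key then never enters a store path.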