On 02/09/2018 at 11:02 Ludovic Courtès writes:

> George myglc2 Clemmer <[email protected]> skribis:
>
>> I want to set the host key in 'guix system vm-image' so that updating a
>> VM config does not break that VM's host key entry in my client machine
>> ~/.ssh/knownhosts files. AFAIK there is no direct way to do this. I
>> tried this ...
>
> The recommendation in this case is to use “out-of-band” storage—i.e.,
> have the secrets stored in a place other than the store.
>
> For example, you could have an activation snippet that copies secret
> files directly to /etc, along these lines (untested):
>
>   (simple-service 'copy-private-key activation-service-type
>     (with-imported-modules '((guix build utils))
>       #~(begin
>           (use-modules (guix build utils))
>           (mkdir-p "/etc/ssh")
>           (copy-file "/root/secrets/ssh_host_ed25519_key"
>                      "/etc/ssh/ssh_host_ed25519_key"))))
>
> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
> exist in the first place, but that’s pretty much all we can do.

Thank you. So what is an easily-automated way to populate /root/secrets?
Is there a tests module that I should hack?

TIA - George
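
A check that could run after the activation snippet quoted above, as an added example that is not part of the original thread or of Guix: it verifies that the host private key does not resolve into the store and is not readable by group or others. The function name check_host_key and the STORE_DIR variable are hypothetical, and GNU readlink and stat are assumed.

```shell
#!/bin/sh
# Added example: audit an SSH host private key that was placed out-of-band.
# Assumptions: GNU coreutils (readlink -f, stat -c); STORE_DIR is a
# hypothetical override so the check can be exercised outside a Guix system.
STORE_DIR="${STORE_DIR:-/gnu/store}"

# check_host_key FILE
# Prints one finding per problem; returns 0 when there are none, 1 otherwise.
check_host_key() {
    key="$1"
    rc=0
    if [ ! -e "$key" ]; then
        echo "missing: $key"
        return 1
    fi
    # Resolve symlinks first: a file under /etc may be a link into the
    # store, and the store is world-readable.
    real=$(readlink -f -- "$key")
    case "$real" in
        "$STORE_DIR"/*)
            echo "in-store: $key resolves to $real"
            rc=1 ;;
    esac
    # sshd refuses host private keys that group or others can access,
    # so the octal mode must end in 00 (for example 600 or 400).
    mode=$(stat -L -c '%a' -- "$key")
    case "$mode" in
        *00|0) ;;
        *)
            echo "bad-mode: $key has mode $mode, expected 600 or stricter"
            rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone use: sh check.sh /etc/ssh/ssh_host_ed25519_key
if [ "$#" -gt 0 ]; then
    check_host_key "$1"
fi
```
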
