Hi Ludo’, On 02/15/2018 at 14:51 Ludovic Courtès writes:
> George myglc2 Clemmer <[email protected]> skribis:
>
>> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>>
>>> George myglc2 Clemmer <[email protected]> skribis:
>>>
>>>> I want to set the host key in 'guix system vm-image' so that updating a
>>>> VM config does not break that VM's host key entry in my client machine
>>>> ~/.ssh/known_hosts files. AFAIK there is no direct way to do this. I
>>>> tried this ...
>>
>>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>>> have the secrets stored in a place other than the store.
>>>
>>> For example, you could have an activation snippet that copies secret
>>> files directly to /etc, along these lines (untested):
>>>
>>> (simple-service 'copy-private-key activation-service-type
>>>   (with-imported-modules '((guix build utils))
>>>     #~(begin
>>>         (use-modules (guix build utils))
>>>         (mkdir-p "/etc/ssh")
>>>         (copy-file "/root/secrets/ssh_host_ed25519_key"
>>>                    "/etc/ssh/ssh_host_ed25519_key"))))
>>>
>>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>>> exist in the first place, but that’s pretty much all we can do.
>>
>> Thank you. So what is an easily-automated way to populate /root/secrets?
>
> Guix doesn’t have any helper module/tool for that yet.
>
> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
> would copy a file from the host into the image. We’d have to be careful
> with the implementation to make sure that it doesn’t end up in the host
> store nor in the guest store.

How about a '--copy-image=<imagefile>' option that copies the image out of
the store? Then the ‘--copy’ could operate on <imagefile> and fail if it
isn't specified.

- George
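The activation snippet quoted above, written out as a complete, self-contained service definition. This is an added example, not code from the thread or from Guix itself; it assumes the key pair lives at /root/secrets/ssh_host_ed25519_key and ssh_host_ed25519_key.pub (the .pub file is an assumption, matching what ssh-keygen produces), and that these files were placed there by hand, since the thread notes Guix has no helper for that. The reason for keeping the key out of the store is that /gnu/store is world-readable, so anything referenced from the configuration would expose the private key to every local user. The example adds what the sketch leaves implicit: the private key is written under a restrictive umask and ends up mode 0600, the public key 0644, and a missing secret produces a warning instead of aborting activation.

```scheme
;; Added example (not from the original thread): install a pre-generated SSH
;; host key pair from out-of-band storage during system activation.
;; Assumed paths: /root/secrets/ssh_host_ed25519_key and its .pub sibling.
(use-modules (gnu services)
             (guix gexp))

(define %host-key-secrets-dir "/root/secrets")   ; assumed location
(define %host-key-name "ssh_host_ed25519_key")

(define install-ssh-host-key-service
  (simple-service 'install-ssh-host-key activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let* ((src (string-append #$%host-key-secrets-dir "/" #$%host-key-name))
                 (dst (string-append "/etc/ssh/" #$%host-key-name)))
            (mkdir-p "/etc/ssh")
            (if (file-exists? src)
                ;; Copy the private key under a 077 umask so it is never
                ;; world-readable, not even briefly, then pin the final modes.
                (let ((old-umask (umask #o077)))
                  (copy-file src dst)
                  (chmod dst #o600)
                  (umask old-umask)
                  ;; The public half may be world-readable.
                  (copy-file (string-append src ".pub")
                             (string-append dst ".pub"))
                  (chmod (string-append dst ".pub") #o644))
                ;; Do not abort boot over a missing secret; warn instead so the
                ;; operator notices that sshd will mint a fresh key.
                (format (current-error-port)
                        "warning: ~a not found; sshd will generate a new host key~%"
                        src)))))))
```

To use it, add `install-ssh-host-key-service` to the `services` field of the `operating-system` declaration. Because the path is only ever read at activation time on the running system, neither `guix system vm-image` nor `guix system reconfigure` copies the key into the store; the remaining task, as the thread says, is getting the files into /root/secrets on the target in the first place.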
