> Nathan Dehnel <[email protected]> writes:
>
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.
>
> On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <[email protected]> wrote:
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
>  ((gnu services)         #:select (simple-service etc-service-type))
>  ((gnu services desktop) #:select (%desktop-services))
>  ((gnu system)           #:select (operating-system))
>  ((guix gexp)            #:select (local-file)))
>
> (define guixrig_host_rsa_key
>   (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
>  ...
>  (services (cons* (simple-service 'my-secret-service etc-service-type
>                                   `(("ssh/guixrig_host_rsa_key"
>                                      ,guixrig_host_rsa_key)))
>                   %desktop-services)))
> ```
>
> Have fun and happy hacking!
> ~Gary
>
> Nathan Dehnel <[email protected]> writes:
>
> Thanks. Though that code causes "guix system: error: symlink: File
> exists: "/etc/ssh"" when I use it, and by the looks of it, would still
> be putting the key in the store, which is insecure. Bummer.

It works as expected when I run that code on my system with:

```
sudo guix system reconfigure config.scm
```

Maybe you manually created /etc/ssh already, which could be causing the
error on your end?

Either way, your file does end up in the store and is owned by root:root
with permissions 444. I'm not aware of a way to add files to /etc or any
other guix-managed directory without placing a copy in the store.
However, once your file lands in /etc/ssh/guixrig_host_rsa_key, isn't it
owned by root:root and readable as well?

Perhaps one of the other Guix wizards on this mailing list would have
some ideas on how to control the permissions on these auto-generated
files.

Good luck,
  Gary

--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
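The thread's concern is that a private host key installed through etc-service-type becomes a symlink into /gnu/store, where every item is world-readable. The following audit script is an added example (not from the thread or from Guix itself) that walks an /etc/ssh-style directory and flags any `*_key` file that resolves into the store or is readable by group or other; the directory and store prefix arguments are assumptions so it can be run against a constructed tree.

```shell
#!/bin/sh
# audit_host_keys DIR [STORE_PREFIX]
#   Flags private-key files under DIR whose real path lies inside the Guix
#   store (default prefix /gnu/store; store items are world-readable by
#   design) or whose mode grants read access to group or other.
#   Prints one line per finding and returns 1 if anything was flagged.
audit_host_keys() {
  dir=$1
  store=${2:-/gnu/store}
  rc=0
  for key in "$dir"/*_key; do
    [ -e "$key" ] || continue          # glob matched nothing
    target=$(readlink -f "$key")       # follow the /etc -> store symlink
    case $target in
      "$store"/*)
        echo "STORE: $key -> $target (store items are world-readable)"
        rc=1 ;;
    esac
    # POSIX find: -perm -004 = other-read bit set, -perm -040 = group-read
    if [ -n "$(find "$target" -prune \( -perm -004 -o -perm -040 \) -print)" ]; then
      echo "PERMS: $key ($target) is readable by group or other"
      rc=1
    fi
  done
  return $rc
}
```

Run it as `audit_host_keys /etc/ssh` on a Guix system; a key added with the local-file recipe above is reported on both counts.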
