author | Ludovic Courtès <ludo@gnu.org> | 2022-03-10 22:27:04 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2022-03-10 23:46:50 +0100 |
commit | 5e34e873af088ef9aa417290bcddf5b095501614 (patch) | |
tree | fba88624a3809142c6e93308ab4f06071d88392e | |
parent | 199da75a8adf37381c32ee1e3028b08b94703584 (diff) | |
services: guix: Add 'generate-substitute-key?' field.
* gnu/services/base.scm (<guix-configuration>)[generate-substitute-key?]: New field. (guix-activation): Honor it. * doc/guix.texi (Base Services): Document it.
-rw-r--r-- | doc/guix.texi | 12 | ||||
-rw-r--r-- | gnu/services/base.scm | 8 |
2 files changed, 18 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index f479fe05ff..01c16ba85d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17030,6 +17030,18 @@ This example assumes that the file @file{./guix.example.org-key.pub} contains the public key that @code{guix.example.org} uses to sign substitutes. +@item @code{generate-substitute-key?} (default: @code{#t}) +Whether to generate a @dfn{substitute key pair} under +@file{/etc/guix/signing-key.pub} and @file{/etc/guix/signing-key.sec} if +there is not already one. + +This key pair is used when exporting store items, for instance with +@command{guix publish} (@pxref{Invoking guix publish}) or @command{guix +archive} (@pxref{Invoking guix archive}). Generating a key pair takes a +few seconds when enough entropy is available and is only done once; you +might want to turn it off for instance in a virtual machine that does +not need it and where the extra boot time is a problem. + @item @code{max-silent-time} (default: @code{0}) @itemx @code{timeout} (default: @code{0}) The number of seconds of silence and the number of seconds of activity, diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 463f034305..f278cb76de 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -183,6 +183,7 @@ guix-configuration-authorized-keys guix-configuration-use-substitutes? guix-configuration-substitute-urls + guix-configuration-generate-substitute-key? guix-configuration-extra-options guix-configuration-log-file @@ -1565,6 +1566,8 @@ archive' public keys, with GUIX." (default #t)) (substitute-urls guix-configuration-substitute-urls ;list of strings (default %default-substitute-urls)) + (generate-substitute-key? guix-configuration-generate-substitute-key? + (default #t)) ;Boolean (chroot-directories guix-configuration-chroot-directories ;list of file-like/strings (default '())) (max-silent-time guix-configuration-max-silent-time ;integer 
@@ -1749,14 +1752,15 @@ proxy of 'guix-daemon'...~%") (define (guix-activation config) "Return the activation gexp for CONFIG." (match-record config <guix-configuration> - (guix authorize-key? authorized-keys) + (guix generate-substitute-key? authorize-key? authorized-keys) #~(begin ;; Assume that the store has BUILD-GROUP as its group. We could ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; chown leads to an entire copy of the tree, which is a bad idea. ;; Generate a key pair and optionally authorize substitute server keys. - (unless (file-exists? "/etc/guix/signing-key.pub") + (unless (or #$(not generate-substitute-key?) + (file-exists? "/etc/guix/signing-key.pub")) (system* #$(file-append guix "/bin/guix") "archive" "--generate-key")) |
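Review bot: The new guard in `guix-activation` still decides on `/etc/guix/signing-key.pub` alone, while the documentation added in this same commit describes a key pair under both `signing-key.pub` and `signing-key.sec`; a host that has only the public file skips generation and presumably fails only later, when something tries to sign an export. A comment above the `unless` would make that assumption explicit, e.g. `;; The public key file stands in for the whole pair; the secret key is not checked.` The exit status of `(system* ... "--generate-key")` is also discarded, so a failed generation passes silently through activation; reporting a non-zero status would help whoever later debugs `guix publish`. As a matter of style, the double negative `(unless (or #$(not generate-substitute-key?) ...))` reads more directly as `(when (and #$generate-substitute-key? (not (file-exists? "/etc/guix/signing-key.pub")))`. The body of `guix-activation` continues past the end of the hunk.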