Marius Bakke writes:

> Christopher Allan Webber writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another means
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Will OpenSSH know where to look, in that case? I think a little more
work would be needed to tell OpenSSH where to look. For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).

In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service. For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the record type.

> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)

This topic has come up before. Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed.

See here for details:

https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html

Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file. Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.

-- 
Chris
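As an added example, not part of the thread: what declaring the public keys in the operating-system record could look like, so that no ssh-copy-id or AuthorizedKeysFile tweak is needed after deployment. The `authorized-keys`, `password-authentication?` and `permit-root-login` field names follow the form Guix's `openssh-configuration` later took; the host name, disk and key file names are constructed.

```scheme
;; Added example (not from the thread): a GuixSD operating-system
;; declaration that ships SSH public keys as part of the OpenSSH service
;; record.  Field names follow Guix's later (gnu services ssh) API;
;; "alice.pub" and "deploy.pub" are constructed file names that would sit
;; next to this configuration file.
(use-modules (gnu)
             (gnu services ssh))

(operating-system
  (host-name "example")
  (timezone "UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets (list "/dev/sda"))))
  (file-systems (cons (file-system
                        (device "/dev/sda1")
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "alice")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  (services
   (cons (service openssh-service-type
                  (openssh-configuration
                   ;; Public keys are not secrets, so they can be kept
                   ;; beside the configuration and referenced with
                   ;; local-file; the service writes them into each
                   ;; user's authorized_keys at activation time.
                   (authorized-keys
                    `(("alice" ,(local-file "alice.pub"))
                      ("root" ,(local-file "deploy.pub"))))
                   ;; With keys declared up front, password logins can
                   ;; be disabled and root restricted to key-based auth.
                   (password-authentication? #f)
                   (permit-root-login 'prohibit-password)))
         %base-services)))
```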