From: Ludovic Courtès
To: 39819@debbugs.gnu.org
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org>
Date: Sun, 25 Oct 2020 01:11:06 +0200
In-Reply-To: <20201021150823.20508-1-ludo@gnu.org>
Message-ID: <87pn57gqyd.fsf@gnu.org>
Cc: guix-devel@gnu.org

BTW, attached is the script I used to retrieve the signing keys of all
the build nodes of the build farm so we can have them declared in the
config of the head node.  You may find it handy if you have a similar
setup!

Ludo’.

Attachment: fetch-signing-keys.scm (the code)

(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

;; '@@' reaches bindings of (guix scripts offload) whether or not they
;; are exported.
(define open-ssh-session
  (@@ (guix scripts offload) open-ssh-session))

(define build-machine-name
  (@@ (guix scripts offload) build-machine-name))

(define build-machine-port
  (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  ;; Copy MACHINE's /etc/guix/signing-key.pub into HOST[:PORT].pub in the
  ;; current directory.
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session  (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    ;; Read the key on the remote side; ISO-8859-1 keeps the file's bytes
    ;; unchanged across the round trip.
    (define key
      (inferior-eval
       '(begin
          (use-modules (rnrs io ports))
          (with-fluids ((%default-port-encoding "ISO-8859-1"))
            (call-with-input-file "/etc/guix/signing-key.pub"
              get-string-all)))
       inferior))

    ;; Name the local copy after the machine; add ":PORT" only when the
    ;; SSH port is not 22.
    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port (string-append ":" (number->string port))))
                     ".pub"))

    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              ;; Print the failure and carry on with the remaining
              ;; machines.  The guard clause needs an explicit #t test:
              ;; (c (pk 'fail c)) would use 'pk' itself as the test and
              ;; never call it.
              (guard (c (#t (pk 'fail c)))
                (fetch-key machine)))
            machines))
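
The step the message mentions next, declaring the fetched keys in the head node's configuration, could look like the following. This is an added example, not part of the original message or of the Guix source; the directory /etc/guix/build-node-keys and the names build-node-keys and %head-node-services are assumptions.

```scheme
;; Added example (not from the original message).
(use-modules (gnu)
             (guix gexp)
             (ice-9 ftw))
(use-service-modules base)

;; Assumption: the directory in which fetch-signing-keys.scm was run, so
;; it holds one HOST[:PORT].pub file per build node.
(define %build-node-keys-directory "/etc/guix/build-node-keys")

(define (build-node-keys directory)
  "Return one file-like object per *.pub file found in DIRECTORY."
  (map (lambda (name)
         ;; fetch-signing-keys.scm writes HOST:PORT.pub for non-default
         ;; SSH ports; ':' is not allowed in store file names, so pass
         ;; 'local-file' a sanitized name for the store item.
         (local-file (string-append directory "/" name)
                     (string-map (lambda (chr)
                                   (if (char=? chr #\:) #\- chr))
                                 name)))
       ;; 'scandir' returns #f when DIRECTORY cannot be read.
       (or (scandir directory
                    (lambda (name) (string-suffix? ".pub" name)))
           '())))

;; Services for the head node: the build nodes' keys are authorized in
;; addition to the default substitute keys.
(define %head-node-services
  (modify-services %base-services
    (guix-service-type config =>
                       (guix-configuration
                        (inherit config)
                        (authorized-keys
                         (append (build-node-keys %build-node-keys-directory)
                                 %default-authorized-guix-keys))))))
```

Use %head-node-services as the `services` field of the head node's `operating-system` declaration; the set of authorized keys then changes only when the files in that directory change and the system is reconfigured.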