unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: 39819-done@debbugs.gnu.org
Cc: guix-devel@gnu.org
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
Date: Sun, 25 Oct 2020 01:08:52 +0200	[thread overview]
Message-ID: <87tuujgr23.fsf@gnu.org> (raw)
In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Wed, 21 Oct 2020 17:08:22 +0200")

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

Hello!

I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.

Let me know if anything is amiss!

Thanks,
Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 2690 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
 changed by invoking @command{guix archive --authorize}.  You must
 instead adjust @code{guix-configuration} as you wish and reconfigure the
 system.  This ensures that your operating system configuration file is
 self-contained.
 
 @quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
 is true, the existing @file{/etc/guix/acl} file is backed up as
 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
 file.  This is to facilitate migration from earlier versions, which
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
 in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
 and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
                          (permit-root-login #t)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
-               %base-services/hurd))))
+
+               ;; By default, the secret service introduces a pre-initialized
+               ;; /etc/guix/acl file in the childhurd.  Thus, clear
+               ;; 'authorize-key?' so that it's not overridden at activation
+               ;; time.
+               (modify-services %base-services/hurd
+                 (guix-service-type config =>
+                                    (guix-configuration
+                                     (inherit config)
+                                     (authorize-key? #f))))))))
 
 (define-record-type* <hurd-vm-configuration>
   hurd-vm-configuration make-hurd-vm-configuration

  parent reply	other threads:[~2020-10-24 23:09 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-11 10:39 Declarative /etc/guix/acl? Ludovic Courtès
2020-10-11 11:07 ` Jan Nieuwenhuizen
     [not found]   ` <87v9ffppvf.fsf@gnu.org>
2020-10-12 20:26     ` Jan Nieuwenhuizen
2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
2020-10-21 16:06   ` Vagrant Cascadian
2020-10-24 23:08   ` Ludovic Courtès [this message]
2020-10-24 23:11   ` bug#39819: " Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tuujgr23.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=39819-done@debbugs.gnu.org \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).