From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: How best to set host key in vm
Date: Thu, 15 Feb 2018 15:51:43 +0100
Message-ID: <87h8qi8fwg.fsf@gnu.org>
In-Reply-To: <86zi4iqc88.fsf@gmail.com> (George myglc's message of "Fri, 09 Feb 2018 12:55:35 -0500")
To: George myglc2 Clemmer
Cc: help-guix

George myglc2 Clemmer skribis:

> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>
>> George myglc2 Clemmer skribis:
>>
>>> I want to set the host key in 'guix system vm-image' so that updating a
>>> VM config does not break that VM's host key entry in my client machine
>>> ~/.ssh/knownhosts files. AFAIK there is no direct way to do this. I
>>> tried this ...
>
>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>> have the secrets stored in a place other than the store.
>>
>> For example, you could have an activation snippet that copies secret
>> files directly to /etc, along these lines (untested):
>>
>> ;; Activation snippets run as root at boot (and on reconfigure),
>> ;; before the services are started.
>> (simple-service 'copy-private-key activation-service-type
>>   (with-imported-modules '((guix build utils))
>>     #~(begin
>>         (use-modules (guix build utils))
>>         (mkdir-p "/etc/ssh")
>>         (copy-file "/root/secrets/ssh_host_ed25519_key"
>>                    "/etc/ssh/ssh_host_ed25519_key"))))
>>
>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>> exist in the first place, but that’s pretty much all we can do.
>
> Thank you. So what is an easily-automated way to populate /root/secrets?

Guix doesn’t have any helper module/tool for that yet.

Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that would
copy a file from the host into the image.  We’d have to be careful with
the implementation to make sure that it doesn’t end up in the host store
nor in the guest store.

Ludo’.
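A fuller version of the out-of-band approach, as an added example: it is not code from this thread or from Guix itself, and it is written against the current Guix API rather than the 2018 one. It assumes the key pair was generated on the host with ssh-keygen and placed at /root/secrets/ssh_host_ed25519_key (plus the .pub file) on the VM's persistent disk; that path, the service name install-ssh-host-key and the bare-bones operating-system fields are the example's own choices. Compared with the snippet quoted above it tightens the umask while writing and restores it afterwards, sets the file modes explicitly, copies the public half, and skips the copy when the secret has not been provisioned so that the VM still boots with whatever key the openssh service generates. The key paths are plain strings on purpose: anything referenced through local-file or plain-file is copied into /gnu/store, which every local user can read.

```scheme
;; Added example, not code from the thread or from Guix: install an SSH host
;; key that is kept out of band on the VM's own disk, so it survives
;; 'guix system reconfigure' and never enters /gnu/store.
(use-modules (gnu)
             (gnu services ssh)
             (guix gexp))

;; Assumed location of the secrets.  Plain strings, not file-like objects:
;; a local-file or plain-file here would copy the key into the store,
;; which is world-readable.
(define %secrets-dir "/root/secrets")
(define %host-key-name "ssh_host_ed25519_key")

(define install-ssh-host-key
  (simple-service 'install-ssh-host-key activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let* ((src     (string-append #$%secrets-dir "/" #$%host-key-name))
                 (dst     (string-append "/etc/ssh/" #$%host-key-name))
                 (src-pub (string-append src ".pub"))
                 (dst-pub (string-append dst ".pub")))
            ;; Only act once the secret has been provisioned; otherwise let
            ;; the openssh service generate a throwaway key so the VM boots.
            (when (file-exists? src)
              ;; Tighten the umask while writing so the private key is never
              ;; world-readable, not even between copy-file and chmod, then
              ;; restore it: the activation script is a single process and
              ;; later snippets would otherwise inherit the change.
              (let ((old-umask (umask #o077)))
                (mkdir-p "/etc/ssh")
                (copy-file src dst)           ; overwrites any generated key
                (chmod dst #o600)
                (when (file-exists? src-pub)
                  (copy-file src-pub dst-pub)
                  (chmod dst-pub #o644))
                (umask old-umask))))))))

(operating-system
  (host-name "guix-vm")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  ;; Placeholder disk layout for the example; adjust to the image you build.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/vda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (services (cons* install-ssh-host-key
                   (service openssh-service-type
                            (openssh-configuration
                             (permit-root-login 'prohibit-password)))
                   %base-services)))
```

The openssh service has its own activation snippet that generates missing host keys, and the order in which the two snippets run is not something to rely on; since copy-file overwrites, the out-of-band key wins either way. Generate the pair on the host with `ssh-keygen -t ed25519 -N '' -f ssh_host_ed25519_key`, and after the first boot compare `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` in the guest with the fingerprint of the host-side copy. Getting the files onto the VM's disk in the first place is still the open question of the thread; whatever mechanism is used, it must not pass the key through a gexp or the store on either side.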