From patchwork Mon Aug 31 06:39:11 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Janneke Nieuwenhuizen <janneke@gnu.org>
X-Patchwork-Id: 23837
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id C988D27BBE7; Mon, 31 Aug 2020 07:40:13 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,URIBL_BLOCKED
	autolearn=unavailable autolearn_force=no version=3.4.2
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTP id C4B5A27BBE6
	for <patchwork@mira.cbaines.net>; Mon, 31 Aug 2020 07:40:12 +0100 (BST)
Received: from localhost ([::1]:41160 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>)
	id 1kCdUC-0001JE-8a
	for patchwork@mira.cbaines.net; Mon, 31 Aug 2020 02:40:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:45912)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kCdU3-0001Iq-1y
 for guix-patches@gnu.org; Mon, 31 Aug 2020 02:40:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:39821)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kCdU2-000127-Ic
 for guix-patches@gnu.org; Mon, 31 Aug 2020 02:40:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1kCdU2-0000Q0-Eb
 for guix-patches@gnu.org; Mon, 31 Aug 2020 02:40:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd
References: <20200829215726.3910-1-janneke@gnu.org>
In-Reply-To: <20200829215726.3910-1-janneke@gnu.org>
Resent-From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 31 Aug 2020 06:40:02 +0000
Resent-Message-ID: <handler.43106.B43106.15988559801558@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 43106
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>, 43106@debbugs.gnu.org
Received: via spool by 43106-submit@debbugs.gnu.org id=B43106.15988559801558
 (code B ref 43106); Mon, 31 Aug 2020 06:40:02 +0000
Received: (at 43106) by debbugs.gnu.org; 31 Aug 2020 06:39:40 +0000
Received: from localhost ([127.0.0.1]:51363 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1kCdTY-0000Ol-2n
 for submit@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:40 -0400
Received: from eggs.gnu.org ([209.51.188.92]:35758)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@gnu.org>) id 1kCdTT-0000OJ-8x
 for 43106@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:30 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:51264)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <janneke@gnu.org>)
 id 1kCdTN-00011M-56; Mon, 31 Aug 2020 02:39:21 -0400
Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=35160
 helo=dundal.fritz.box) by fencepost.gnu.org with esmtpa (Exim 4.82)
 (envelope-from <janneke@gnu.org>)
 id 1kCdTL-0002CR-HN; Mon, 31 Aug 2020 02:39:20 -0400
From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Date: Mon, 31 Aug 2020 08:39:11 +0200
Message-Id: <20200831063913.664-1-janneke@gnu.org>
X-Mailer: git-send-email 2.28.0
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-getmail-retrieved-from-mailbox: Patches

Jan Nieuwenhuizen writes:

Hello,

As discussed on IRC, version 3 follows.

> Ludovic Courtès writes:
>> "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org> skribis:
>>>
>>> +@example
>>> +/etc/childhurd/etc/guix/signing-key.pub
>>> +/etc/childhurd/etc/guix/signing-key.sec
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>>> +@end example
>>
>> Would it make sense to have a list of source/target pairs instead of a
>> directory:
>>
>>   (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
>>    …)
>>
>> ?
>
> We could do that...I'm not opposed to it and in fact I thought about
> something like this but then opted for the file system root idea because
> I didn't see the need for adding this extra indirection.  If you think
> it's a good idea, sure.  Postponed that for now, though.

[this still open]

Also, I think 5900 is a bad idea, qemu opens a server there.  We could
use ports 2222 (forwarded to 12222), as SSH only starts later -- but
hmm.  As this is all running as root anyway, I opted for 1004 (MI5).

Greetings,
Janneke

Jan (janneke) Nieuwenhuizen (2):
  services: Add secret-service-type.
  services: childhurd: Support installing secrets from the host.

 doc/guix.texi                      |  21 +++++
 gnu/build/secret-service.scm       | 138 +++++++++++++++++++++++++++++
 gnu/local.mk                       |   1 +
 gnu/services/virtualization.scm    |  92 ++++++++++++++++---
 gnu/system/examples/bare-hurd.tmpl |  20 +++--
 5 files changed, 251 insertions(+), 21 deletions(-)
 create mode 100644 gnu/build/secret-service.scm