[bug#43106,v3,0/2] Secret services for the Childhurd

Message ID	20200831063913.664-1-janneke@gnu.org
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd References: <20200829215726.3910-1-janneke@gnu.org> In-Reply-To: <20200829215726.3910-1-janneke@gnu.org> Resent-From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 31 Aug 2020 06:40:02 +0000 Resent-Message-ID: <handler.43106.B43106.15988559801558@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>, 43106@debbugs.gnu.org From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org> Date: Mon, 31 Aug 2020 08:39:11 +0200 Message-Id: <20200831063913.664-1-janneke@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches

Message ID

20200831063913.664-1-janneke@gnu.org

Headers

Subject: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd
References: <20200829215726.3910-1-janneke@gnu.org>
In-Reply-To: <20200829215726.3910-1-janneke@gnu.org>
Resent-From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 31 Aug 2020 06:40:02 +0000
Resent-Message-ID: <handler.43106.B43106.15988559801558@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>, 43106@debbugs.gnu.org
From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Date: Mon, 31 Aug 2020 08:39:11 +0200
Message-Id: <20200831063913.664-1-janneke@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>

Message

Janneke Nieuwenhuizen Aug. 31, 2020, 6:39 a.m. UTC

Jan Nieuwenhuizen writes:

Hello,

As discussed on IRC, version 3 follows.

> Ludovic Courtès writes:
>> "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org> skribis:
>>>
>>> +@example
>>> +/etc/childhurd/etc/guix/signing-key.pub
>>> +/etc/childhurd/etc/guix/signing-key.sec
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>>> +@end example
>>
>> Would it make sense to have a list of source/target pairs instead of a
>> directory:
>>
>>   (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
>>    …)
>>
>> ?
>
> We could do that...I'm not opposed to it and in fact I thought about
> something like this but then opted for the file system root idea because
> I didn't see the need for adding this extra indirection.  If you think
> it's a good idea, sure.  Postponed that for now, though.

[this still open]

Also, I think 5900 is a bad idea, qemu opens a server there.  We could
use ports 2222 (forwarded to 12222), as SSH only starts later -- but
hmm.  As this is all running as root anyway, I opted for 1004 (MI5).

Greetings,
Janneke

Jan (janneke) Nieuwenhuizen (2):
  services: Add secret-service-type.
  services: childhurd: Support installing secrets from the host.

 doc/guix.texi                      |  21 +++++
 gnu/build/secret-service.scm       | 138 +++++++++++++++++++++++++++++
 gnu/local.mk                       |   1 +
 gnu/services/virtualization.scm    |  92 ++++++++++++++++---
 gnu/system/examples/bare-hurd.tmpl |  20 +++--
 5 files changed, 251 insertions(+), 21 deletions(-)
 create mode 100644 gnu/build/secret-service.scm

Comments

Ludovic Courtès Sept. 1, 2020, 8:45 p.m. UTC | #1

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> Ludovic Courtès writes:
>
>> "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org> skribis:
>>
>>> Also, I think 5900 is a bad idea, qemu opens a server there. 
>>
>> Oops, my bad!
>>
>>> We could use ports 2222 (forwarded to 12222), as SSH only starts later
>>> -- but hmm.  As this is all running as root anyway, I opted for 1004
>>> (MI5).
>>
>> Did you mean MI6?
>
> Hmm, (checks the interwebs) yeah, Mi6.  Then the joke is really
> too far-fetched, because
>
>> But then, why 1004?
>
> I was thinking MI5 ~> MIV => (roman numerals) 1004.  But that doesn't
> really work with "6" :-(

Oooh, brilliant!

>> Just because we can’t use 007?
>
> Yeah, that too.  Also, how to pick an arbitrary number?  Anyway, it's'
> 1004 now, feel free to suggest something else :-)

1004 is perfect, we have a good story to back it up!  (And it’s not in
/etc/services, which makes it even better.)

Ludo’.