aboutsummaryrefslogtreecommitdiff
path: root/gnu/services
diff options
context:
space:
mode:
authorJan (janneke) Nieuwenhuizen <janneke@gnu.org>2020-08-30 22:52:56 +0200
committerJan (janneke) Nieuwenhuizen <janneke@gnu.org>2020-09-01 16:06:38 +0200
commitec32d4f291b3cc039a99f8090b6c2b2444be5a83 (patch)
tree7b5ffb69b5bdcc40689c0f1ada157c0112e2d45d /gnu/services
parent73c81ae0f153e90fb525164c068e2465f263f648 (diff)
downloadguix-ec32d4f291b3cc039a99f8090b6c2b2444be5a83.tar.gz
guix-ec32d4f291b3cc039a99f8090b6c2b2444be5a83.zip
services: Add secret-service-type.
This adds a "secret-service" that can be added to a Childhurd VM to receive out-of-band secrets (keys) sent from the host. Co-authored-by: Ludovic Courtès <ludo@gnu.org> * gnu/services/virtualization.scm (secret-service-activation): New procedure. (secret-service-type): New variable. * gnu/build/secret-service.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/virtualization.scm29
1 files changed, 28 insertions, 1 deletions
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index b93ed70099..6d6734dcd1 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Ryan Moe <ryan.moe@gmail.com>
-;;; Copyright © 2018 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;;
;;; This file is part of GNU Guix.
@@ -806,6 +806,33 @@ functionality of the kernel Linux.")))
;;;
+;;; Secrets for guest VMs.
+;;;
+
+(define (secret-service-activation port)
+ "Return an activation snippet that fetches sensitive material at local PORT,
+over TCP. Reboot upon failure."
+ (with-imported-modules '((gnu build secret-service)
+ (guix build utils))
+ #~(begin
+ (use-modules (gnu build secret-service))
+ (let ((sent (secret-service-receive-secrets #$port)))
+ (unless sent
+ (sleep 3)
+ (reboot))))))
+
+(define secret-service-type
+ (service-type
+ (name 'secret-service)
+ (extensions (list (service-extension activation-service-type
+ secret-service-activation)))
+ (description
+ "This service fetches secret key and other sensitive material over TCP at
+boot time. This service is meant to be used by virtual machines (VMs) that
+can only be accessed by their host.")))
+
+
+;;;
;;; The Hurd in VM service: a Childhurd.
;;;