author | Jan (janneke) Nieuwenhuizen <janneke@gnu.org> | 2020-08-30 22:52:56 +0200 |
---|---|---|
committer | Jan (janneke) Nieuwenhuizen <janneke@gnu.org> | 2020-09-01 16:06:38 +0200 |
commit | ec32d4f291b3cc039a99f8090b6c2b2444be5a83 (patch) | |
tree | 7b5ffb69b5bdcc40689c0f1ada157c0112e2d45d /gnu/services | |
parent | 73c81ae0f153e90fb525164c068e2465f263f648 (diff) | |
services: Add secret-service-type.
This adds a "secret-service" that can be added to a Childhurd VM to receive
out-of-band secrets (keys) sent from the host.
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
* gnu/services/virtualization.scm (secret-service-activation): New procedure.
(secret-service-type): New variable.
* gnu/build/secret-service.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/virtualization.scm | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index b93ed70099..6d6734dcd1 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Ryan Moe <ryan.moe@gmail.com>
-;;; Copyright © 2018 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -806,6 +806,33 @@ functionality of the kernel Linux.")))
 ;;;
+;;; Secrets for guest VMs.
+;;;
+
+(define (secret-service-activation port)
+  "Return an activation snippet that fetches sensitive material at local PORT,
+over TCP. Reboot upon failure."
+  (with-imported-modules '((gnu build secret-service)
+                           (guix build utils))
+    #~(begin
+        (use-modules (gnu build secret-service))
+        (let ((sent (secret-service-receive-secrets #$port)))
+          (unless sent
+            (sleep 3)
+            (reboot))))))
+
+(define secret-service-type
+  (service-type
+   (name 'secret-service)
+   (extensions (list (service-extension activation-service-type
+                                        secret-service-activation)))
+   (description
+    "This service fetches secret key and other sensitive material over TCP at
+boot time. This service is meant to be used by virtual machines (VMs) that
+can only be accessed by their host.")))
+
+
+;;;
 ;;; The Hurd in VM service: a Childhurd.
 ;;; |