services: guix: Add 'generate-substitute-key?' field.

* gnu/services/base.scm (<guix-configuration>)[generate-substitute-key?]: New field. (guix-activation): Honor it. * doc/guix.texi (Base Services): Document it.
2023-12-14 03:33:07 +01:00 · 2022-03-10 22:27:04 +01:00 · 2022-03-10 22:27:04 +01:00 · 5e34e873af
parent 199da75a8a
commit 5e34e873af
2 changed files with 18 additions and 2 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -17030,6 +17030,18 @@ This example assumes that the file @file{./guix.example.org-key.pub}
 contains the public key that @code{guix.example.org} uses to sign
 substitutes.

+@item @code{generate-substitute-key?} (default: @code{#t})
+Whether to generate a @dfn{substitute key pair} under
+@file{/etc/guix/signing-key.pub} and @file{/etc/guix/signing-key.sec} if
+there is not already one.
+
+This key pair is used when exporting store items, for instance with
+@command{guix publish} (@pxref{Invoking guix publish}) or @command{guix
+archive} (@pxref{Invoking guix archive}).  Generating a key pair takes a
+few seconds when enough entropy is available and is only done once; you
+might want to turn it off for instance in a virtual machine that does
+not need it and where the extra boot time is a problem.
+
@item @code{max-silent-time} (default: @code{0})
@itemx @code{timeout} (default: @code{0})
 The number of seconds of silence and the number of seconds of activity,
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@ -183,6 +183,7 @@
            guix-configuration-authorized-keys
            guix-configuration-use-substitutes?
            guix-configuration-substitute-urls
+            guix-configuration-generate-substitute-key?
            guix-configuration-extra-options
            guix-configuration-log-file

@ -1565,6 +1566,8 @@ archive' public keys, with GUIX."
                    (default #t))
  (substitute-urls  guix-configuration-substitute-urls ;list of strings
                    (default %default-substitute-urls))
+  (generate-substitute-key? guix-configuration-generate-substitute-key?
+                            (default #t))         ;Boolean
  (chroot-directories guix-configuration-chroot-directories ;list of file-like/strings
                      (default '()))
  (max-silent-time  guix-configuration-max-silent-time ;integer
@ -1749,14 +1752,15 @@ proxy of 'guix-daemon'...~%")
 (define (guix-activation config)
  "Return the activation gexp for CONFIG."
  (match-record config <guix-configuration>
-    (guix authorize-key? authorized-keys)
+    (guix generate-substitute-key? authorize-key? authorized-keys)
    #~(begin
        ;; Assume that the store has BUILD-GROUP as its group.  We could
        ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
        ;; chown leads to an entire copy of the tree, which is a bad idea.

        ;; Generate a key pair and optionally authorize substitute server keys.
-        (unless (file-exists? "/etc/guix/signing-key.pub")
+        (unless (or #$(not generate-substitute-key?)
+                    (file-exists? "/etc/guix/signing-key.pub"))
          (system* #$(file-append guix "/bin/guix") "archive"
                   "--generate-key"))