authorLudovic Courtès <ludo@gnu.org>2021-12-13 11:49:15 +0100
committerLudovic Courtès <ludo@gnu.org>2021-12-13 11:49:15 +0100
commit1052ae5f03de931b52c7a638c8e4f8d8d7093af3 (patch)
tree4913e4a7834f4ad6e44906d814cd46e7c21d981b /gnu/services/virtualization.scm
parent869d69ad3248288ffe30264f5e5bd760792ca758 (diff)
parent788f56b4dc0729e07ad546c5bc9694759c271f09 (diff)
Merge branch 'master' into core-updates-frozen
Diffstat (limited to 'gnu/services/virtualization.scm')
-rw-r--r--gnu/services/virtualization.scm45
1 files changed, 33 insertions, 12 deletions
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 4222bb4353..66ae1a1565 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -898,23 +898,44 @@ specified, the QEMU default path is used."))
;;; Secrets for guest VMs.
;;;
-(define (secret-service-activation port)
- "Return an activation snippet that fetches sensitive material at local PORT,
+(define (secret-service-shepherd-services port)
+ "Return a Shepherd service that fetches sensitive material at local PORT,
over TCP. Reboot upon failure."
- (with-imported-modules '((gnu build secret-service)
- (guix build utils))
- #~(begin
- (use-modules (gnu build secret-service))
- (let ((sent (secret-service-receive-secrets #$port)))
- (unless sent
- (sleep 3)
- (reboot))))))
+ ;; This is a Shepherd service, rather than an activation snippet, to make
+ ;; sure it is started once 'networking' is up so it can accept incoming
+ ;; connections.
+ (list
+ (shepherd-service
+ (documentation "Fetch secrets from the host at startup time.")
+ (provision '(secret-service-client))
+ (requirement '(loopback networking))
+ (modules '((gnu build secret-service)
+ (guix build utils)))
+ (start (with-imported-modules '((gnu build secret-service)
+ (guix build utils))
+ #~(lambda ()
+ ;; Since shepherd's output port goes to /dev/log, write this
+ ;; message to stderr so it's visible on the Mach console.
+ (format (current-error-port)
+ "receiving secrets from the host...~%")
+ (force-output (current-error-port))
+
+ (let ((sent (secret-service-receive-secrets #$port)))
+ (unless sent
+ (sleep 3)
+ (reboot))))))
+ (stop #~(const #f)))))
(define secret-service-type
(service-type
(name 'secret-service)
- (extensions (list (service-extension activation-service-type
- secret-service-activation)))
+ (extensions (list (service-extension shepherd-root-service-type
+ secret-service-shepherd-services)
+
+ ;; Make every Shepherd service depend on
+ ;; 'secret-service-client'.
+ (service-extension user-processes-service-type
+ (const '(secret-service-client)))))
(description
"This service fetches secret key and other sensitive material over TCP at
boot time. This service is meant to be used by virtual machines (VMs) that
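Review bot: The start procedure added at L51–L61 returns whatever the trailing `unless` form yields, so on the success path (secrets received, no reboot) the Shepherd records an unspecified value as the service's running state rather than an explicit success marker; ending the lambda with an explicit `#t` after the `(unless sent (sleep 3) (reboot))` form — or returning `sent` itself, if it is a meaningful value — makes the intent clear and keeps the service's running value stable across Guile versions. The docstring at L29 also no longer matches the code: the procedure wraps the service in `(list ...)` at L42, so it should read `"Return a list containing a Shepherd service that fetches sensitive material at local PORT, over TCP. Reboot upon failure."`. Since the new extension at L73–L74 makes every user process depend on `secret-service-client`, the reboot path at L60–L61 now gates the entire boot of the guest; it would help a future reader to state that consequence in the comment at L39–L41, which currently explains only the ordering after `networking`. The `secret-service-receive-secrets` procedure is defined outside this file, so whether it accepts only a single connection on PORT cannot be confirmed from the hunk.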