services: guix: Make /etc/guix/acl really declarative by default.

Fixes <https://bugs.gnu.org/39819>. Reported by Maxim Cournoyer <maxim.cournoyer@gmail.com>. * gnu/services/base.scm (substitute-key-authorization): Symlink DEFAULT-ACL to /etc/guix/acl unconditionally. Add code to optionally back up /etc/guix/acl if it was possibly modified by hand. * doc/guix.texi (Base Services): Clarify the effect of setting 'authorize-keys?' to true. Mention the backup. Give an example showing how to authorize substitutes from another server.
2026-05-21 16:45:58 +02:00 · 2020-10-21 16:17:26 +02:00
parent e220b77828
commit 3b6e4e5fd0
3 changed files with 58 additions and 5 deletions
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
                         (permit-root-login #t)
                         (allow-empty-passwords? #t)
                         (password-authentication? #t)))
-               %base-services/hurd))))
+
+               ;; By default, the secret service introduces a pre-initialized
+               ;; /etc/guix/acl file in the childhurd.  Thus, clear
+               ;; 'authorize-key?' so that it's not overridden at activation
+               ;; time.
+               (modify-services %base-services/hurd
+                 (guix-service-type config =>
+                                    (guix-configuration
+                                     (inherit config)
+                                     (authorize-key? #f))))))))

 (define-record-type* <hurd-vm-configuration>
  hurd-vm-configuration make-hurd-vm-configuration