05/13: services: guix: Generate key pair if needed during activation.

[guix-commits]

civodul pushed a commit to branch master
in repository guix.

commit d367a7f3d00de20d5c6a88123297f878b3044fee
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sun Sep 27 14:55:32 2020 +0200

    services: guix: Generate key pair if needed during activation.
    
    * gnu/services/base.scm (guix-activation): Invoke "guix archive
    --generate-key".
    * doc/guix.texi (Invoking guix archive)
    (Invoking guix deploy): Mention that 'guix-service-type' takes care of
    generating the key pair.
---
 doc/guix.texi         | 11 +++++++----
 gnu/services/base.scm | 13 +++++++++----
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4524532..e6f04e1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4600,9 +4600,11 @@ the store.
 @item --generate-key[=@var{parameters}]
 @cindex signing, archives
 Generate a new key pair for the daemon.  This is a prerequisite before
-archives can be exported with @option{--export}.  Note that this
-operation usually takes time, because it needs to gather enough entropy
-to generate the key pair.
+archives can be exported with @option{--export}.  This
+operation is usually instantaneous but it can take time if the system's
+entropy pool needs to be refilled.  On Guix System,
+@code{guix-service-type} takes care of generating this key pair the
+first boot.
 
 The generated key pair is typically stored under @file{/etc/guix}, in
 @file{signing-key.pub} (public key) and @file{signing-key.sec} (private
@@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider.  In such a 
case, a different
 
 Do note that you first need to generate a key pair on the coordinator machine
 to allow the daemon to export signed archives of files from the store
-(@pxref{Invoking guix archive}).
+(@pxref{Invoking guix archive}), though this step is automatic on Guix
+System:
 
 @example
 # guix archive --generate-key
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index bef4eef..04bc991 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1653,10 +1653,15 @@ proxy of 'guix-daemon'...~%")
      ;; otherwise call 'chown' here, but the problem is that on a COW 
overlayfs,
      ;; chown leads to an entire copy of the tree, which is a bad idea.
 
-     ;; Optionally authorize substitute server keys.
-     (if authorize-key?
-         (substitute-key-authorization keys guix)
-         #~#f))))
+     ;; Generate a key pair and optionally authorize substitute server keys.
+     #~(begin
+         (unless (file-exists? "/etc/guix/signing-key.pub")
+           (system* #$(file-append guix "/bin/guix") "archive"
+                    "--generate-key"))
+
+         #$(if authorize-key?
+               (substitute-key-authorization keys guix)
+               #~#f)))))
 
 (define* (references-file item #:optional (name "references"))
   "Return a file that contains the list of references of ITEM."