On Thu, Aug 10, 2023 at 02:38:24PM +0200, Hartmut Goebel wrote:
> On 10.08.23 at 14:12 wolf wrote:
> >
> > I guess you could have a script that would use the existence of the key
> > itself as a marker. In that case you would likely want to recreate it if
> > the marker (key) got deleted,
>
> No! The key must not be recreated. The key is expected to be replaced by a
> new one when the box will become a machine. Thus, using the key as a marker
> is not possible, as that would recreate the insecure key on next reboot. The
> key must never ever be put back into place.

I feel compelled to ask if the key must be in ~vagrant/.ssh/authorized_keys or
if /etc/ssh/authorized_keys.d/vagrant is acceptable. Also, could you use
/etc/services or another file in /etc/static as a marker that the system has
been booted at least once before?

> > I do not have much experience with Vagrant, but I assumed the general idea
> > for these kinds of declarative systems is to just recreate the when
> > updates are required. Is it expected to actually run guix reconfigure
> > inside the VM?
>
> This depends on how one uses the virtual machines :-)
>
> And even if it is not expected to run guix reconfigure on it: If one does,
> this but open a front door to the system - which is not what one wants.

I suppose if you did include an /etc/os-config file you could include a custom
one that doesn't include the file placed in ~vagrant and only have it in the
initial creation config. They could still extract the actual file from
`guix system describe` but I don't suppose there's much you could do there
other than leave a warning to remove those lines.

> Anyhow, thanks for sharing thoughts,
>
> --
> Regards
> Hartmut Goebel
>
> | Hartmut Goebel | h.goe...@crazy-compilers.com |
> | www.crazy-compilers.com | compilers which you thought are impossible |
>

--
Efraim Flashner <efr...@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
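The "marker file" idea raised in the message above, as an added example that is not code from the thread or from Guix: a first-boot hook that strips the well-known insecure Vagrant key out of an authorized_keys file and records a marker, so later boots leave the file alone and nothing ever writes the key back. It assumes the key line can be recognised by its comment field (the key material below is constructed); the marker path is whatever the caller picks, e.g. somewhere under /etc/static.

```shell
#!/bin/sh
# Added example: one-shot removal of the insecure Vagrant key, gated by a marker.
# Assumption: the insecure key line carries this comment (constructed value).
INSECURE_KEY_COMMENT="vagrant insecure public key"

# strip_insecure_key FILE
# Removes every line carrying the insecure key comment, rewriting FILE in place
# so its owner and mode survive. Returns 0 if a line was removed, 1 otherwise.
strip_insecure_key() {
    file=$1
    [ -f "$file" ] || return 1
    grep -q -F -- "$INSECURE_KEY_COMMENT" "$file" || return 1
    tmp="$file.tmp.$$"
    grep -v -F -- "$INSECURE_KEY_COMMENT" "$file" > "$tmp" || true  # may be empty
    cat "$tmp" > "$file"        # keep the original inode, owner and mode
    rm -f "$tmp"
    return 0
}

# first_boot_cleanup AUTHKEYS MARKER
# Strips the key only while MARKER is absent, then creates MARKER. Later boots
# see the marker and do nothing; no code path ever recreates the key.
first_boot_cleanup() {
    authkeys=$1
    marker=$2
    [ -e "$marker" ] && return 0
    strip_insecure_key "$authkeys" || true
    : > "$marker"
}

# count_keys FILE: number of non-blank lines left (used to check the result).
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -v '^[[:space:]]*$' -- "$1" || true
}

# demo: constructed authorized_keys (insecure key plus an operator key) in a
# temp dir; runs the hook twice to show the second run is a no-op.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 vagrant insecure public key' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2 operator@workstation' \
        > "$d/authorized_keys"
    first_boot_cleanup "$d/authorized_keys" "$d/booted-once"
    first_boot_cleanup "$d/authorized_keys" "$d/booted-once"
    cat "$d/authorized_keys"    # only the operator key remains
}
```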