Hi Luis,

On 25/02/25 16:16, Luis Felipe wrote:
I'm exploring how to serve/consume substitutes in the local network using two machines with Guix System installed on them. So far I see two ways of serving substitutes:

1. Running the publish command from a terminal in the server machine. For example:

   sudo guix publish --user=$USER

2. Reconfiguring the server machine to provide the «guix-publish-service-type». For example:

   (service guix-publish-service-type
            (guix-publish-configuration
             (advertise? #true)
             (host "0.0.0.0")
             (port 8001)
             (cache "/var/cache/guix/publish")
             (ttl (* 90 24 3600))))

I like the first option for serving substitutes temporarily and the second one for serving substitutes permanently. Right now I'm more interested in the first option though, but I have a question:

Q1. While serving temporarily seems straightforward, would clients have to reconfigure their systems to add the server IP address and authorize its signing key? Or can this be done in a faster way (I see a --substitute-urls in guix commands...)?

According to section 5.3.2 Substitute Server Authorization in the Guix manual, clients can also authorize signing keys using the low-level command «guix archive». Like this:

  # guix archive --authorize < PREFIX/share/guix/some-substitute-server-signing-key.pub

where PREFIX is the installation prefix of Guix, which, if I'm not mistaken, clients can determine by running the following in a terminal:

  $ which guix
  /home/$USER/.config/guix/current/bin/guix

The PREFIX in this case would be «/home/$USER/.config/guix/current».

(I wonder if there's an environment variable that holds the installation prefix of guix though...)

Even if the above works and seems to be faster for consuming from temporary substitute servers, I can imagine clients forgetting that they have authorized these servers temporarily and littering the folder with signing keys they won't need anymore. Maybe authorizing servers in a declarative way is better in the end.

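On the concern above about forgotten temporary authorizations, one way a client could audit which substitute signing keys its daemon currently trusts. This is an added example, not part of the original message. It assumes the access control list is the s-expression file /etc/guix/acl, laid out like the constructed sample below; the function names and the expected-keys.txt allowlist are hypothetical.

```shell
#!/bin/sh
# Added example: audit which substitute signing keys a Guix daemon trusts.
# Assumption: the ACL is an s-expression file such as /etc/guix/acl.

# Print the "q" value (public key point) of every ACL entry, one per line.
acl_keys() {
    tr -s '[:space:]' ' ' < "$1" |
    awk '{ while (match($0, /\(q ?#[0-9A-Fa-f]+#\)/)) {
               k = substr($0, RSTART, RLENGTH)
               gsub(/[^0-9A-Fa-f]/, "", k)
               print toupper(k)
               $0 = substr($0, RSTART + RLENGTH) } }' |
    LC_ALL=C sort -u
}

# Print ACL keys missing from the allowlist ($2: one hex q value per line).
unexpected_keys() {
    allow=$(mktemp) || return 1
    awk '/^[0-9A-Fa-f]+$/ { print toupper($0) }' "$2" |
        LC_ALL=C sort -u > "$allow"
    acl_keys "$1" | LC_ALL=C comm -23 - "$allow"
    rm -f "$allow"
}

# Constructed sample ACL; the key values are shortened placeholders.
write_sample_acl() {
    cat > "$1" <<'EOF'
(acl
 (entry
  (public-key
   (ecc
    (curve Ed25519)
    (q #0A11CE0A11CE0A11#)))
  (tag
   (guix import)))
 (entry
  (public-key
   (ecc
    (curve Ed25519)
    (q #7e5700007e570000#)))
  (tag
   (guix import))))
EOF
}

# Usage on a real system: unexpected_keys /etc/guix/acl expected-keys.txt
```

Any key printed by unexpected_keys is trusted by the daemon but absent from the list of servers the client still means to use.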