Hi!

"Jan (janneke) Nieuwenhuizen" wrote:

> This adds a "secret-service" that can be added to a Childhurd VM to receive
> out-of-band secrets (keys) sent from the host.
>
> Co-authored-by: Ludovic Courtès
>
> * gnu/services/virtualization.scm (secret-service-activation): New procedure.
> (secret-service-type): New variable.
> * gnu/build/secret-service.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

Very nice!  Minor suggestions:

> + (format (current-error-port) "secret-service-send-secrets\n")

Perhaps write “sending secrets to ~a:~a...~%” or similar.

> + (let ((sock (socket AF_INET SOCK_STREAM 0))
> + (addr (make-socket-address AF_INET INADDR_LOOPBACK port)))
> + ;; connect to wait for port
> + (let loop ((retry retry))
> + (if (zero? retry)
> + (error "connecting to childhurd failed")

s/childhurd/secret server/

> + (catch 'system-error
> + (lambda _
> + (connect sock addr))
> + (lambda (key . args)
> + (format (current-error-port) "connect failed: ~a ~s\n" key args)

Perhaps remove print “retrying connection” (or similar), and re-throw the
exception when RETRY is zero, so that it goes through as is (and thus you
can remove the call to ‘error’ above.)

> + ;; copy tree
> + (let* ((files (if secret-root (find-files secret-root) '()))
> + (files-sizes-modes (map file->file+size+mode files))
> + (secrets `(secrets
> + (version 0)
> + (files ,files-sizes-modes))))
> + (write secrets sock)
> + (for-each (compose (cute display <> sock)
> + (cute with-input-from-file <> read-string))

Instead of loading it all in memory, we can use ‘dump-port’ from (guix
build utils) here.

That’s it!

Ludo’.
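Review bot: the "copy tree" hunk advertises byte sizes in the header but ships the contents as characters: `file->file+size+mode` takes its size from the file, while `(cute with-input-from-file <> read-string)` decodes the file in the current locale encoding and `(cute display <> sock)` re-encodes it with the socket port's encoding, so any secret that is not pure ASCII (or any file the locale cannot decode) will make the receiver, which has to split the stream by the advertised sizes, read the wrong number of bytes and desynchronise for every following file. Moving to `dump-port` as suggested only fixes this if both the file port and `sock` are treated as binary ports; otherwise the same re-encoding happens. Separately, the `(let loop ((retry retry))` in the connect hunk retries on any `'system-error` (not only ECONNREFUSED) until something accepts on INADDR_LOOPBACK:port, and nothing in the hunk authenticates the peer, so whichever local process is listening on that loopback port when the connection finally succeeds receives the keys in clear; the `;; connect to wait for port` comment shows the wait is intentional, so the trust assumption (only the VM's forwarded port is expected to listen there) deserves a comment in the code, and the retry could be limited to ECONNREFUSED so that errors such as EACCES or EADDRNOTAVAIL surface immediately instead of being retried RETRY times.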
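Below is an added Guile example, not code from the patch or from Guix, showing the two changes suggested in the review: a connect loop that re-throws the original `'system-error` on the last attempt instead of calling `error`, and a sender that streams each file to the socket in bounded chunks instead of reading it into memory with `read-string`. The matching receiver is included so both sides of the `(secrets (version 0) (files ...))` exchange are visible; it reads exactly the advertised number of bytes per file and refuses names that would escape the destination directory. `copy-bytes`, `connect-with-retries`, `send-secrets`, `receive-secrets`, `safe-relative-name?` and `ensure-directory` are names chosen here (the patch uses `find-files` and Guix's `dump-port`, which are not available in plain Guile); the sender assumes the caller lists the file names relative to a root directory.

```scheme
;; Added example, not part of the reviewed patch or of Guix.
;; Requires only Guile (tested against Guile 3 APIs): no (guix build utils).
(use-modules (ice-9 match)
             (rnrs bytevectors)
             (rnrs io ports))

(define (connect-with-retries sock addr retries)
  "Connect SOCK to ADDR, retrying up to RETRIES times while the peer refuses
the connection.  Any other error, and the last refusal, re-throws the
original 'system-error so the caller sees the real errno."
  (let loop ((retry retries))
    (catch 'system-error
      (lambda () (connect sock addr))
      (lambda (key . args)
        (if (and (> retry 1)
                 (= ECONNREFUSED (system-error-errno (cons key args))))
            (begin
              (format (current-error-port) "connection refused; retrying...~%")
              (sleep 1)
              (loop (- retry 1)))
            (apply throw key args))))))

(define (copy-bytes in out count)
  "Copy exactly COUNT bytes from IN to OUT in 64 KiB chunks (a stand-in for
Guix's 'dump-port'), so the whole file is never held in memory."
  (let loop ((remaining count))
    (unless (zero? remaining)
      (let ((bv (get-bytevector-n in (min remaining 65536))))
        (when (eof-object? bv)
          (error "stream ended before the advertised size" remaining))
        (put-bytevector out bv)
        (loop (- remaining (bytevector-length bv)))))))

(define (send-secrets sock root files)
  "Send FILES (names relative to ROOT) over SOCK: first an s-expression header
giving each file's byte size and permission bits, then the raw contents in
header order.  Sizes come from stat and contents are copied as bytes, so the
receiver can split the stream exactly."
  (let ((entries (map (lambda (file)
                        (let ((st (stat (string-append root "/" file))))
                          (list file (stat:size st) (stat:perms st))))
                      files)))
    (write `(secrets (version 0) (files ,entries)) sock)
    (for-each (match-lambda
                ((file size _)
                 (call-with-input-file (string-append root "/" file)
                   (lambda (in) (copy-bytes in sock size))
                   #:binary #t)))
              entries)
    (force-output sock)))

(define (safe-relative-name? file)
  "True if FILE cannot escape the destination: non-empty, relative, no '..'."
  (and (not (string-null? file))
       (not (string-prefix? "/" file))
       (not (member ".." (string-split file #\/)))))

(define (ensure-directory dir)
  "Create DIR and its parents, owner-only, if they do not exist."
  (unless (file-exists? dir)
    (ensure-directory (dirname dir))
    (mkdir dir #o700)))

(define (receive-secrets sock root)
  "Read a header produced by 'send-secrets' from SOCK and recreate each file
under ROOT.  Files are created mode 600 first and only then chmod'ed to the
advertised bits, so a secret is never briefly world-readable."
  (match (read sock)
    (('secrets ('version 0) ('files entries ...))
     (for-each (match-lambda
                 ((file size perms)
                  (unless (safe-relative-name? file)
                    (error "refusing unsafe file name from peer" file))
                  (let ((target (string-append root "/" file)))
                    (ensure-directory (dirname target))
                    (let ((out (open target (logior O_WRONLY O_CREAT O_TRUNC)
                                     #o600)))
                      (copy-bytes sock out size)
                      (close-port out))
                    (chmod target perms))))
               entries))
    (header (error "unexpected secrets header" header))))
```

On the host side this would be used as `(let ((sock (socket AF_INET SOCK_STREAM 0))) (connect-with-retries sock (make-socket-address AF_INET INADDR_LOOPBACK port) 10) (send-secrets sock "/path/to/secrets" '("etc/ssh/ssh_host_ed25519_key")))`, and in the guest `(receive-secrets accepted-port "/")` on the port returned by `accept`. The header is written with `write` and read back with `read` on the same socket port, which is fine in Guile because the port buffer is shared between textual and binary reads, so the first `get-bytevector-n` starts right after the header's closing parenthesis. Note that nothing here authenticates the peer either: the design relies on the loopback port being reachable only by the VM's forwarded socket, which is worth stating next to the connect loop.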