-rw-r--r--  doc/guix.texi  38
1 files changed, 30 insertions, 8 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index e59353b7c5..454dde68ff 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -589,7 +589,7 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
(user "alice")
(private-key
(string-append (getenv "HOME")
- "/.ssh/id-rsa-for-guix"))))
+ "/.lsh/identity-for-guix"))))
@end example
@noindent
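Review bot: the changed example still builds the key path from `(getenv "HOME")`, but `/etc/guix/machines.scm` is read by the daemon, so `HOME` is whatever the daemon's environment provides (often not the administrator's home), and the new `"/.lsh/identity-for-guix"` suffix may resolve somewhere unexpected. Consider using an absolute path in the example, or adding a sentence saying which user's home directory is meant here.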
@@ -635,6 +635,10 @@ Port number of the machine's SSH server (default: 22).
@item private-key
The SSH private key file to use when connecting to the machine.
+Currently offloading uses GNU@tie{}lsh as its SSH client
+(@pxref{Invoking lsh,,, GNU lsh Manual}). Thus, the key file here must
+be an lsh key file. This may change in the future, though.
+
@item parallel-builds
The number of builds that may run in parallel on the machine (1 by
default.)
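Review bot: the new `@item private-key` text says the file "must be an lsh key file" but gives the reader no way to produce one; the `@pxref{Invoking lsh,,, GNU lsh Manual}` points at the client invocation rather than at key creation. Suggest referencing the key-generation part of the lsh manual (or naming the lsh tool used to create the identity file) so the requirement is actionable. The closing "This may change in the future, though." is also vague for reference documentation; either drop it or say what the reader should check for.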
@@ -654,22 +658,40 @@ name, and they will be scheduled on matching build machines.
The @code{guix} command must be in the search path on the build
machines, since offloading works by invoking the @code{guix archive} and
-@code{guix build} commands.
+@code{guix build} commands. In addition, the Guix modules must be in
+@code{$GUILE_LOAD_PATH} on the build machine---you can check whether
+this is the case by running:
+
+@example
+lsh build-machine guile -c '(use-modules (guix config))'
+@end example
There's one last thing to do once @file{machines.scm} is in place. As
explained above, when offloading, files are transferred back and forth
-between the machine stores. For this to work, you need to generate a
-key pair to allow the daemon to export signed archives of files from the
-store (@pxref{Invoking guix archive}):
+between the machine stores. For this to work, you first need to
+generate a key pair on each machine to allow the daemon to export signed
+archives of files from the store (@pxref{Invoking guix archive}):
@example
# guix archive --generate-key
@end example
@noindent
-Thus, when receiving files, a machine's build daemon can make sure they
-are genuine, have not been tampered with, and that they are signed by an
-authorized key.
+Each build machine must authorize the key of the master machine so that
+it accepts store items it receives from the master:
+
+@example
+# guix archive --authorize < master-public-key.txt
+@end example
+
+@noindent
+Likewise, the master machine must authorize the key of each build machine.
+
+All the fuss with keys is here to express pairwise mutual trust
+relations between the master and the build machines. Concretely, when
+the master receives files from a build machine (and @i{vice versa}), its
+build daemon can make sure they are genuine, have not been tampered
+with, and that they are signed by an authorized key.
@node Invoking guix-daemon
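Review bot: the new `# guix archive --authorize < master-public-key.txt` example never says where `master-public-key.txt` comes from, yet authorizing a key is the trust decision the whole section rests on. After the `# guix archive --generate-key` step, state where the public key ends up and that it is that file which must be copied to each build machine (and each build machine's public key to the master), so readers do not authorize the wrong key or fall back to guessing. Two smaller points in the same hunk: the `lsh build-machine guile -c '(use-modules (guix config))'` check should say what success looks like (no output) versus failure (an unbound-module error), and the `@end example` before `There's one last thing to do` would read better with a blank line after it, matching the spacing used elsewhere in the hunk.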