1.1 En snabbkurs i Scheme

Guix använder Guile-implementationen av Scheme. För att börja leka med språket kan du installera det med guix install guile och starta en REPL—en förkortning av read-eval-print loop—genom att köra guile från kommandoraden.

Alternativt kan du också köra guix shell guile -- guile om du hellre vill undvika att Guile installeras i din användarprofil.

In the following examples, lines show what you would type at the REPL; lines starting with “⇒” show evaluation results, while lines starting with “-|” show things that get printed. See Using Guile Interactively in GNU Guile Reference Manual, for more details on the REPL.

• Scheme syntax boils down to a tree of expressions (or s-expression in Lisp lingo). An expression can be a literal such as numbers and strings, or a compound which is a parenthesized list of compounds and literals. #true and #false (abbreviated #t and #f) stand for the Booleans “true” and “false”, respectively.

  Examples of valid expressions:

  "Hello World!"
  ⇒ "Hello World!"
  
  17
  ⇒ 17
  
  (display (string-append "Hello " "Guix" "\n"))
  -| Hello Guix!
  ⇒ #<unspecified>
  

• This last example is a function call nested in another function call. When a parenthesized expression is evaluated, the first term is the function and the rest are the arguments passed to the function. Every function returns the last evaluated expression as its return value.
• Anonymous functions—procedures in Scheme parlance—are declared with the lambda term:

  (lambda (x) (* x x))
  ⇒ #<procedure 120e348 at <unknown port>:24:0 (x)>
  

  The above procedure returns the square of its argument. Since everything is an expression, the lambda expression returns an anonymous procedure, which can in turn be applied to an argument:

  ((lambda (x) (* x x)) 3)
  ⇒ 9
  

  Procedures are regular values just like numbers, strings, Booleans, and so on.

• Anything can be assigned a global name with define:

  (define a 3)
  (define square (lambda (x) (* x x)))
  (square a)
  ⇒ 9
  

• Procedures can be defined more concisely with the following syntax:

  (define (square x) (* x x))
  

• A list structure can be created with the list procedure:

  (list 2 a 5 7)
  ⇒ (2 3 5 7)
  

• Standard procedures are provided by the (srfi srfi-1) module to create and process lists (see list processing in GNU Guile Reference Manual). Here are some of the most useful ones in action:

  (use-modules (srfi srfi-1))  ;import list processing procedures
  
  (append (list 1 2) (list 3 4))
  ⇒ (1 2 3 4)
  
  (map (lambda (x) (* x x)) (list 1 2 3 4))
  ⇒ (1 4 9 16)
  
  (delete 3 (list 1 2 3 4))        ⇒ (1 2 4)
  (filter odd? (list 1 2 3 4))     ⇒ (1 3)
  (remove even? (list 1 2 3 4))    ⇒ (1 3)
  (find number? (list "a" 42 "b")) ⇒ 42
  

  Notice how the first argument to map, filter, remove, and find is a procedure!

• The quote disables evaluation of a parenthesized expression, also called an S-expression or “s-exp”: the first term is not called over the other terms (see quote in GNU Guile Reference Manual). Thus it effectively returns a list of terms.

  '(display (string-append "Hello " "Guix" "\n"))
  ⇒ (display (string-append "Hello " "Guix" "\n"))
  
  '(2 a 5 7)
  ⇒ (2 a 5 7)
  

• The quasiquote (`, a backquote) disables evaluation of a parenthesized expression until unquote (,, a comma) re-enables it. Thus it provides us with fine-grained control over what is evaluated and what is not.

  `(2 a 5 7 (2 ,a 5 ,(+ a 4)))
  ⇒ (2 a 5 7 (2 3 5 7))
  

  Note that the above result is a list of mixed elements: numbers, symbols (here a) and the last element is a list itself.

• Guix defines a variant of S-expressions on steroids called G-expressions or “gexps”, which come with a variant of quasiquote and unquote: #~ (or gexp) and #$ (or ungexp). They let you stage code for later execution.

  For example, you’ll encounter gexps in some package definitions where they provide code to be executed during the package build process. They look like this:

  (use-modules (guix gexp)           ;so we can write gexps
               (gnu packages base))  ;for 'coreutils'
  
  ;; Below is a G-expression representing staged code.
  #~(begin
      ;; Invoke 'ls' from the package defined by the 'coreutils'
      ;; variable.
      (system* #$(file-append coreutils "/bin/ls") "-l")
  
      ;; Create this package's output directory.
      (mkdir #$output))
  

  See G-Expressions in GNU Guix Reference Manual, for more on gexps.

• Multiple variables can be named locally with let (see Local Bindings in GNU Guile Reference Manual):

  (define x 10)
  (let ((x 2)
        (y 3))
    (list x y))
  ⇒ (2 3)
  
  x
  ⇒ 10
  
  y
  error→ In procedure module-lookup: Unbound variable: y
  

  Use let* to allow later variable declarations to refer to earlier definitions.

  (let* ((x 2)
         (y (* x 3)))
    (list x y))
  ⇒ (2 6)
  

• Keywords are typically used to identify the named parameters of a procedure. They are prefixed by #: (hash, colon) followed by alphanumeric characters: #:like-this. See Keywords in GNU Guile Reference Manual.
• The percentage % is typically used for read-only global variables in the build stage. Note that it is merely a convention, like _ in C. Scheme treats % exactly the same as any other letter.
• Modules are created with define-module (see Creating Guile Modules in GNU Guile Reference Manual). For instance

  (define-module (guix build-system ruby)
    #:use-module (guix store)
    #:export (ruby-build
              ruby-build-system))
  

  defines the module guix build-system ruby which must be located in guix/build-system/ruby.scm somewhere in the Guile load path. It depends on the (guix store) module and it exports two variables, ruby-build and ruby-build-system.

  See Package Modules in GNU Guix Reference Manual, for info on modules that define packages.

Going further: Scheme is a language that has been widely used to teach programming and you’ll find plenty of material using it as a vehicle. Here’s a selection of documents to learn more about Scheme:

• A Scheme Primer, by Christine Lemmer-Webber and the Spritely Institute.
• Scheme at a Glance, by Steve Litt.
• Structure and Interpretation of Computer Programs, by Harold Abelson and Gerald Jay Sussman, with Julie Sussman. Colloquially known as “SICP”, this book is a reference.

  You can also install it and read it from your computer:

  guix install sicp info-reader
  info sicp
  

You’ll find more books, tutorials and other resources at https://schemers.org/.

2.1 Pakteringshandledning

GNU Guix stands out as the hackable package manager, mostly because it uses GNU Guile, a powerful high-level programming language, one of the Scheme dialects from the Lisp family.

Package definitions are also written in Scheme, which empowers Guix in some very unique ways, unlike most other package managers that use shell scripts or simple languages.

• Use functions, structures, macros and all of Scheme expressiveness for your package definitions.
• Inheritance makes it easy to customize a package by inheriting from it and modifying only what is needed.
• Batch processing: the whole package collection can be parsed, filtered and processed. Building a headless server with all graphical interfaces stripped out? It’s possible. Want to rebuild everything from source using specific compiler optimization flags? Pass the #:make-flags "..." argument to the list of packages. It wouldn’t be a stretch to think Gentoo USE flags here, but this goes even further: the changes don’t have to be thought out beforehand by the packager, they can be programmed by the user!

The following tutorial covers all the basics around package creation with Guix. It does not assume much knowledge of the Guix system nor of the Lisp language. The reader is only expected to be familiar with the command line and to have some basic programming knowledge.

• Ett “Hello World” -paket
• Inställning
• Utökat exempel
• Andra byggsystem
• Programmeringsbar och automatiserad paketdefinition
• Få hjälp
• Slutsats
• Referenser

(define-public hello
  (package
    (name "hello")
    (version "2.10")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/hello/hello-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
    (build-system gnu-build-system)
    (synopsis "Hello, GNU world: An example GNU package")
    (description
     "GNU Hello prints the message \"Hello, world!\" and then exits.  It
serves as an example of standard GNU coding practices.  As such, it supports
command-line arguments, multiple languages, and so on.")
    (home-page "https://www.gnu.org/software/hello/")
    (license gpl3+)))

(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             (guix licenses))

(package
  (name "my-hello")
  (version "2.10")
  (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/hello/hello-" version
                                ".tar.gz"))
            (sha256
             (base32
              "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
  (build-system gnu-build-system)
  (synopsis "Hello, Guix world: An example custom Guix package")
  (description
   "GNU Hello prints the message \"Hello, world!\" and then exits.  It
serves as an example of standard GNU coding practices.  As such, it supports
command-line arguments, multiple languages, and so on.")
  (home-page "https://www.gnu.org/software/hello/")
  (license gpl3+))

$ guix download mirror://gnu/hello/hello-2.10.tar.gz

Starting download of /tmp/guix-file.JLYgL7
From https://ftpmirror.gnu.org/gnu/hello/hello-2.10.tar.gz...
following redirection to `https://mirror.ibcp.fr/pub/gnu/hello/hello-2.10.tar.gz'...
 …10.tar.gz  709KiB                                 2.5MiB/s 00:00 [##################] 100.0%
/gnu/store/hbdalsf5lpf01x4dcknwx6xbn6n5km6k-hello-2.10.tar.gz
0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i

$ guix download mirror://gnu/hello/hello-2.10.tar.gz.sig

Starting download of /tmp/guix-file.03tFfb
From https://ftpmirror.gnu.org/gnu/hello/hello-2.10.tar.gz.sig...
following redirection to `https://ftp.igh.cnrs.fr/pub/gnu/hello/hello-2.10.tar.gz.sig'...
 ….tar.gz.sig  819B                                                                                                                       1.2MiB/s 00:00 [##################] 100.0%
/gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig
0q0v86n3y38z17rl146gdakw9xc4mcscpk8dscs412j22glrv9jf
$ gpg --verify /gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig /gnu/store/hbdalsf5lpf01x4dcknwx6xbn6n5km6k-hello-2.10.tar.gz
gpg: Signature made Sun 16 Nov 2014 01:08:37 PM CET
gpg:                using RSA key A9553245FDE9B739
gpg: Good signature from "Sami Kerola <kerolasa@iki.fi>" [unknown]
gpg:                 aka "Sami Kerola (http://www.iki.fi/kerolasa/) <kerolasa@iki.fi>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8ED3 96E3 7E38 D471 A005  30D3 A955 3245 FDE9 B739

$ guix package --install-from-file=my-hello.scm

$ guix package --list-installed=my-hello
my-hello	2.10	out
/gnu/store/f1db2mfm8syb8qvc357c53slbvf1g9m9-my-hello-2.10

  -f, --install-from-file=FIL
                         installera paketet som koden inuti FIL
                         utvärderas till

mkdir ~/my-channel

(define-module (my-hello)
  #:use-module (guix licenses)
  #:use-module (guix packages)
  #:use-module (guix build-system gnu)
  #:use-module (guix download))

(define-public my-hello
  (package
    (name "my-hello")
    (version "2.10")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/hello/hello-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
    (build-system gnu-build-system)
    (synopsis "Hello, Guix world: An example custom Guix package")
    (description
     "GNU Hello prints the message \"Hello, world!\" and then exits.  It
serves as an example of standard GNU coding practices.  As such, it supports
command-line arguments, multiple languages, and so on.")
    (home-page "https://www.gnu.org/software/hello/")
    (license gpl3+)))

;; ...
(define-public my-hello
  ;; ...
  )

my-hello

guix show -L ~/my-channel my-hello
guix build -L ~/my-channel my-hello

cd ~/my-channel
git init
git add my-hello.scm
git commit -m "First commit of my channel."

(append (list (channel
                (name 'my-channel)
                (url (string-append "file://" (getenv "HOME")
                                    "/my-channel"))))
        %default-channels)

$ git clone https://git.savannah.gnu.org/git/guix.git

(define-module (gnu packages version-control)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix utils)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix build-system cmake)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages web))

(define-public my-libgit2
  (let ((commit "e98d0a37c93574d2c6107bf7f31140b548c6a7bf")
        (revision "1"))
    (package
      (name "my-libgit2")
      (version (git-version "0.26.6" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/libgit2/libgit2/")
                      (commit commit)))
                (file-name (git-file-name name version))
                (sha256
                 (base32
                  "17pjvprmdrx4h6bb1hhc98w9qi6ki7yl57f090n9kbhswxqfs7s3"))
                (patches (search-patches "libgit2-mtime-0.patch"))
                (modules '((guix build utils)))
                ;; Remove bundled software.
                (snippet '(delete-file-recursively "deps"))))
      (build-system cmake-build-system)
      (outputs '("out" "debug"))
      (arguments
       `(#:tests? #true                         ; Run the test suite (this is the default)
         #:configure-flags '("-DUSE_SHA1DC=ON") ; SHA-1 collision detection
         #:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'fix-hardcoded-paths
             (lambda _
               (substitute* "tests/repo/init.c"
                 (("#!/bin/sh") (string-append "#!" (which "sh"))))
               (substitute* "tests/clar/fs.h"
                 (("/bin/cp") (which "cp"))
                 (("/bin/rm") (which "rm")))))
           ;; Run checks more verbosely.
           (replace 'check
             (lambda* (#:key tests? #:allow-other-keys)
               (when tests?
                 (invoke "./libgit2_clar" "-v" "-Q"))))
           (add-after 'unpack 'make-files-writable-for-tests
             (lambda _ (for-each make-file-writable (find-files ".")))))))
      (inputs
       (list libssh2 http-parser python-wrapper))
      (native-inputs
       (list pkg-config))
      (propagated-inputs
       ;; These two libraries are in 'Requires.private' in libgit2.pc.
       (list openssl zlib))
      (home-page "https://libgit2.github.com/")
      (synopsis "Library providing Git core methods")
      (description
       "Libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API, allowing you to
write native speed custom Git applications in any language with bindings.")
      ;; GPLv2 with linking exception
      (license license:gpl2))))

git clone https://github.com/libgit2/libgit2/
cd libgit2
git checkout v0.26.6
guix hash -rx .

#:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out"))
                   "CC=gcc")

$ make CC=gcc prefix=/gnu/store/...-<out>

#:configure-flags '("-DUSE_SHA1DC=ON")

(define %standard-phases
  ;; Standard build phases, as a list of symbol/procedure pairs.
  (let-syntax ((phases (syntax-rules ()
                         ((_ p ...) `((p . ,p) ...)))))
    (phases set-SOURCE-DATE-EPOCH set-paths install-locale unpack
            bootstrap
            patch-usr-bin-file
            patch-source-shebangs configure patch-generated-file-shebangs
            build check install
            patch-shebangs strip
            validate-runpath
            validate-documentation-location
            delete-info-dir-file
            patch-dot-desktop-files
            install-license-files
            reset-gzip-timestamps
            compress-documentation)))

(add-to-load-path "/path/to/guix/checkout")
,use (guix build gnu-build-system)
(map first %standard-phases)
⇒ (set-SOURCE-DATE-EPOCH set-paths install-locale unpack bootstrap patch-usr-bin-file patch-source-shebangs configure patch-generated-file-shebangs build check install patch-shebangs strip validate-runpath validate-documentation-location delete-info-dir-file patch-dot-desktop-files install-license-files reset-gzip-timestamps compress-documentation)

(define* (unpack #:key source #:allow-other-keys)
  "Unpack SOURCE in the working directory, and change directory within the
source.  When SOURCE is a directory, copy it in a sub-directory of the current
working directory."
  (if (file-is-directory? source)
      (begin
        (mkdir "source")
        (chdir "source")

        ;; Preserve timestamps (set to the Epoch) on the copied tree so that
        ;; things work deterministically.
        (copy-recursively source "."
                          #:keep-mtime? #true))
      (begin
        (if (string-suffix? ".zip" source)
            (invoke "unzip" source)
            (invoke "tar" "xvf" source))
        (chdir (first-subdirectory "."))))
  #true)

(lambda* (#:key inputs outputs #:allow-other-keys)
  (let ((bash-directory (assoc-ref inputs "bash"))
        (output-directory (assoc-ref outputs "out"))
        (doc-directory (assoc-ref outputs "doc")))
    ;; ...
    #true))

$ guix import cran --recursive walrus

(define-public r-mc2d
    ; ...
    (license gpl2+)))

(define-public r-jmvcore
    ; ...
    (license gpl2+)))

(define-public r-wrs2
    ; ...
    (license gpl3)))

(define-public r-walrus
  (package
    (name "r-walrus")
    (version "1.0.3")
    (source
      (origin
        (method url-fetch)
        (uri (cran-uri "walrus" version))
        (sha256
          (base32
            "1nk2glcvy4hyksl5ipq2mz8jy4fss90hx6cq98m3w96kzjni6jjj"))))
    (build-system r-build-system)
    (propagated-inputs
      (list r-ggplot2 r-jmvcore r-r6 r-wrs2))
    (home-page "https://github.com/jamovi/walrus")
    (synopsis "Robust Statistical Methods")
    (description
      "This package provides a toolbox of common robust statistical
tests, including robust descriptives, robust t-tests, and robust ANOVA.
It is also available as a module for 'jamovi' (see
<https://www.jamovi.org> for more information).  Walrus is based on the
WRS2 package by Patrick Mair, which is in turn based on the scripts and
work of Rand Wilcox.  These analyses are described in depth in the book
'Introduction to Robust Estimation & Hypothesis Testing'.")
    (license gpl3)))

$ guix refresh hello

$ guix refresh hello --update

(define-public adwaita-icon-theme
  (package (inherit gnome-icon-theme)
    (name "adwaita-icon-theme")
    (version "3.26.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/" name "/"
                                  (version-major+minor version) "/"
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
                "17fpahgh5dyckgz7rwqvzgnhx53cx9kr2xw0szprc6bnqy977fi8"))))
    (native-inputs (list `(,gtk+ "bin")))))

3.1 Auto-Login to a Specific TTY

While the Guix manual explains auto-login one user to all TTYs (see auto-login to TTY in GNU Guix Reference Manual), some might prefer a situation, in which one user is logged into one TTY with the other TTYs either configured to login different users or no one at all. Note that one can auto-login one user to any TTY, but it is usually advisable to avoid tty1, which, by default, is used to log warnings and errors.

Here is how one might set up auto login for one user to one tty:

(define (auto-login-to-tty config tty user)
  (if (string=? tty (mingetty-configuration-tty config))
        (mingetty-configuration
         (inherit config)
         (auto-login user))
        config))

(define %my-services
  (modify-services %base-services
    ;; …
    (mingetty-service-type config =>
                           (auto-login-to-tty
                            config "tty3" "alice"))))

(operating-system
  ;; …
  (services %my-services))

One could also compose (see Higher-Order Functions in The Guile Reference Manual) auto-login-to-tty to login multiple users to multiple ttys.

Finally, here is a note of caution. Setting up auto login to a TTY, means that anyone can turn on your computer and run commands as your regular user. However, if you have an encrypted root partition, and thus already need to enter a passphrase when the system boots, auto-login might be a convenient option.

3.2 Att anpassa kärnan

Guix is, at its core, a source based distribution with substitutes (see Substitutes in GNU Guix Reference Manual), and as such building packages from their source code is an expected part of regular package installations and upgrades. Given this starting point, it makes sense that efforts are made to reduce the amount of time spent compiling packages, and recent changes and upgrades to the building and distribution of substitutes continues to be a topic of discussion within Guix.

The kernel, while not requiring an overabundance of RAM to build, does take a rather long time on an average machine. The official kernel configuration, as is the case with many GNU/Linux distributions, errs on the side of inclusiveness, and this is really what causes the build to take such a long time when the kernel is built from source.

The Linux kernel, however, can also just be described as a regular old package, and as such can be customized just like any other package. The procedure is a little bit different, although this is primarily due to the nature of how the package definition is written.

The linux-libre kernel package definition is actually a procedure which creates a package.

(define* (make-linux-libre* version gnu-revision source supported-systems
                            #:key
                            (extra-version #f)
                            ;; A function that takes an arch and a variant.
                            ;; See kernel-config for an example.
                            (configuration-file #f)
                            (defconfig "defconfig")
                            (extra-options (default-extra-linux-options version)))
  ...)

The current linux-libre package is for the 5.15.x series, and is declared like this:

(define-public linux-libre-5.15
  (make-linux-libre* linux-libre-5.15-version
                     linux-libre-5.15-gnu-revision
                     linux-libre-5.15-source
                     '("x86_64-linux" "i686-linux" "armhf-linux"
                       "aarch64-linux" "riscv64-linux")
                     #:configuration-file kernel-config))

Any keys which are not assigned values inherit their default value from the make-linux-libre definition. When comparing the two snippets above, notice the code comment that refers to #:configuration-file. Because of this, it is not actually easy to include a custom kernel configuration from the definition, but don’t worry, there are other ways to work with what we do have.

There are two ways to create a kernel with a custom kernel configuration. The first is to provide a standard .config file during the build process by including an actual .config file as a native input to our custom kernel. The following is a snippet from the custom 'configure phase of the make-linux-libre package definition:

(let ((build  (assoc-ref %standard-phases 'build))
      (config (assoc-ref (or native-inputs inputs) "kconfig")))

  ;; Use a custom kernel configuration file or a default
  ;; configuration file.
  (if config
      (begin
        (copy-file config ".config")
        (chmod ".config" #o666))
      (invoke "make" ,defconfig)))

Below is a sample kernel package. The linux-libre package is nothing special and can be inherited from and have its fields overridden like any other package:

(define-public linux-libre/E2140
  (package
    (inherit linux-libre)
    (native-inputs
     `(("kconfig" ,(local-file "E2140.config"))
      ,@(alist-delete "kconfig"
                      (package-native-inputs linux-libre))))))

In the same directory as the file defining linux-libre-E2140 is a file named E2140.config, which is an actual kernel configuration file. The defconfig keyword of make-linux-libre is left blank here, so the only kernel configuration in the package is the one which was included in the native-inputs field.

The second way to create a custom kernel is to pass a new value to the extra-options keyword of the make-linux-libre procedure. The extra-options keyword works with another function defined right below it:

(define (default-extra-linux-options version)
  `(;; https://lists.gnu.org/archive/html/guix-devel/2014-04/msg00039.html
   ("CONFIG_DEVPTS_MULTIPLE_INSTANCES" . #true)
   ;; Modules required for initrd:
   ("CONFIG_NET_9P" . m)
   ("CONFIG_NET_9P_VIRTIO" . m)
   ("CONFIG_VIRTIO_BLK" . m)
   ("CONFIG_VIRTIO_NET" . m)
   ("CONFIG_VIRTIO_PCI" . m)
   ("CONFIG_VIRTIO_BALLOON" . m)
   ("CONFIG_VIRTIO_MMIO" . m)
   ("CONFIG_FUSE_FS" . m)
   ("CONFIG_CIFS" . m)
   ("CONFIG_9P_FS" . m)))

(define (config->string options)
  (string-join (map (match-lambda
                      ((option . 'm)
                       (string-append option "=m"))
                      ((option . #true)
                       (string-append option "=y"))
                      ((option . #false)
                       (string-append option "=n")))
                    options)
               "\n"))

And in the custom configure script from the ‘make-linux-libre‘ package:

;; Appending works even when the option wasn't in the
;; file.  The last one prevails if duplicated.
(let ((port (open-file ".config" "a"))
      (extra-configuration ,(config->string extra-options)))
  (display extra-configuration port)
  (close-port port))

(invoke "make" "oldconfig")

So by not providing a configuration-file the .config starts blank, and then we write into it the collection of flags that we want. Here’s another custom kernel:

(define %macbook41-full-config
  (append %macbook41-config-options
          %file-systems
          %efi-support
          %emulation
          ((@@ (gnu packages linux) default-extra-linux-options) version)))

(define-public linux-libre-macbook41
  ;; XXX: Access the internal 'make-linux-libre*' procedure, which is
  ;; private and unexported, and is liable to change in the future.
  ((@@ (gnu packages linux) make-linux-libre*)
   (@@ (gnu packages linux) linux-libre-version)
   (@@ (gnu packages linux) linux-libre-gnu-revision)
   (@@ (gnu packages linux) linux-libre-source)
   '("x86_64-linux")
   #:extra-version "macbook41"
   #:extra-options %macbook41-config-options))

In the above example %file-systems is a collection of flags enabling different file system support, %efi-support enables EFI support and %emulation enables a x86_64-linux machine to act in 32-bit mode also. The default-extra-linux-options procedure is the one defined above, which had to be used to avoid loosing the default configuration options of the extra-options keyword.

This all sounds like it should be doable, but how does one even know which modules are required for a particular system? Two places that can be helpful in trying to answer this question is the Gentoo Handbook and the documentation from the kernel itself. From the kernel documentation, it seems that make localmodconfig is the command we want.

In order to actually run make localmodconfig we first need to get and unpack the kernel source code:

tar xf $(guix build linux-libre --source)

Once inside the directory containing the source code run touch .config to create an initial, empty .config to start with. make localmodconfig works by seeing what you already have in .config and letting you know what you’re missing. If the file is blank then you’re missing everything. The next step is to run:

guix shell -D linux-libre -- make localmodconfig

and note the output. Do note that the .config file is still empty. The output generally contains two types of warnings. The first start with "WARNING" and can actually be ignored in our case. The second read:

module pcspkr did not have configs CONFIG_INPUT_PCSPKR

For each of these lines, copy the CONFIG_XXXX_XXXX portion into the .config in the directory, and append =m, so in the end it looks like this:

CONFIG_INPUT_PCSPKR=m
CONFIG_VIRTIO=m

After copying all the configuration options, run make localmodconfig again to make sure that you don’t have any output starting with “module”. After all of these machine specific modules there are a couple more left that are also needed. CONFIG_MODULES is necessary so that you can build and load modules separately and not have everything built into the kernel. CONFIG_BLK_DEV_SD is required for reading from hard drives. It is possible that there are other modules which you will need.

This post does not aim to be a guide to configuring your own kernel however, so if you do decide to build a custom kernel you’ll have to seek out other guides to create a kernel which is just right for your needs.

The second way to setup the kernel configuration makes more use of Guix’s features and allows you to share configuration segments between different kernels. For example, all machines using EFI to boot have a number of EFI configuration flags that they need. It is likely that all the kernels will share a list of file systems to support. By using variables it is easier to see at a glance what features are enabled and to make sure you don’t have features in one kernel but missing in another.

Left undiscussed however, is Guix’s initrd and its customization. It is likely that you’ll need to modify the initrd on a machine using a custom kernel, since certain modules which are expected to be built may not be available for inclusion into the initrd.

3.3 Guix System Image API

Historically, Guix System is centered around an operating-system structure. This structure contains various fields ranging from the bootloader and kernel declaration to the services to install.

Depending on the target machine, that can go from a standard x86_64 machine to a small ARM single board computer such as the Pine64, the image constraints can vary a lot. The hardware manufacturers will impose different image formats with various partition sizes and offsets.

To create images suitable for all those machines, a new abstraction is necessary: that’s the goal of the image record. This record contains all the required information to be transformed into a standalone image, that can be directly booted on any target machine.

(define-record-type* <image>
  image make-image
  image?
  (name               image-name ;symbol
                      (default #f))
  (format             image-format) ;symbol
  (target             image-target
                      (default #f))
  (size               image-size  ;size in bytes as integer
                      (default 'guess))
  (operating-system   image-operating-system  ;<operating-system>
                      (default #f))
  (partitions         image-partitions ;list of <partition>
                      (default '()))
  (compression?       image-compression? ;boolean
                      (default #t))
  (volatile-root?     image-volatile-root? ;boolean
                      (default #t))
  (substitutable?     image-substitutable? ;boolean
                      (default #t)))

This record contains the operating-system to instantiate. The format field defines the image type and can be efi-raw, qcow2 or iso9660 for instance. In the future, it could be extended to docker or other image types.

A new directory in the Guix sources is dedicated to images definition. For now there are four files:

• gnu/system/images/hurd.scm
• gnu/system/images/pine64.scm
• gnu/system/images/novena.scm
• gnu/system/images/pinebook-pro.scm

Let’s have a look to pine64.scm. It contains the pine64-barebones-os variable which is a minimal definition of an operating-system dedicated to the Pine A64 LTS board.

(define pine64-barebones-os
  (operating-system
   (host-name "vignemale")
   (timezone "Europe/Paris")
   (locale "en_US.utf8")
   (bootloader (bootloader-configuration
                (bootloader u-boot-pine64-lts-bootloader)
                (targets '("/dev/vda"))))
   (initrd-modules '())
   (kernel linux-libre-arm64-generic)
   (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                       %base-file-systems))
   (services (cons (service agetty-service-type
                            (agetty-configuration
                             (extra-options '("-L")) ; no carrier detect
                             (baud-rate "115200")
                             (term "vt100")
                             (tty "ttyS0")))
                   %base-services))))

The kernel and bootloader fields are pointing to packages dedicated to this board.

Right below, the pine64-image-type variable is also defined.

(define pine64-image-type
  (image-type
   (name 'pine64-raw)
   (constructor (cut image-with-os arm64-disk-image <>))))

It’s using a record we haven’t talked about yet, the image-type record, defined this way:

(define-record-type* <image-type>
  image-type make-image-type
  image-type?
  (name           image-type-name) ;symbol
  (constructor    image-type-constructor)) ;<operating-system> -> <image>

The main purpose of this record is to associate a name to a procedure transforming an operating-system to an image. To understand why it is necessary, let’s have a look to the command producing an image from an operating-system configuration file:

guix system image my-os.scm

This command expects an operating-system configuration but how should we indicate that we want an image targeting a Pine64 board? We need to provide an extra information, the image-type, by passing the --image-type or -t flag, this way:

guix system image --image-type=pine64-raw my-os.scm

This image-type parameter points to the pine64-image-type defined above. Hence, the operating-system declared in my-os.scm will be applied the (cut image-with-os arm64-disk-image <>) procedure to turn it into an image.

The resulting image looks like:

(image
 (format 'disk-image)
 (target "aarch64-linux-gnu")
 (operating-system my-os)
 (partitions
  (list (partition
         (inherit root-partition)
         (offset root-offset)))))

which is the aggregation of the operating-system defined in my-os.scm to the arm64-disk-image record.

But enough Scheme madness. What does this image API bring to the Guix user?

One can run:

mathieu@cervin:~$ guix system --list-image-types
The available image types are:

   - unmatched-raw
   - rock64-raw
   - pinebook-pro-raw
   - pine64-raw
   - novena-raw
   - hurd-raw
   - hurd-qcow2
   - qcow2
   - iso9660
   - uncompressed-iso9660
   - tarball
   - efi-raw
   - mbr-raw
   - docker
   - wsl2
   - raw-with-offset
   - efi32-raw

and by writing an operating-system file based on pine64-barebones-os, you can customize your image to your preferences in a file (my-pine-os.scm) like this:

(use-modules (gnu services linux)
             (gnu system images pine64))

(let ((base-os pine64-barebones-os))
  (operating-system
    (inherit base-os)
    (timezone "America/Indiana/Indianapolis")
    (services
     (cons
      (service earlyoom-service-type
               (earlyoom-configuration
                (prefer-regexp "icecat|chromium")))
      (operating-system-user-services base-os)))))

run:

guix system image --image-type=pine64-raw my-pine-os.scm

or,

guix system image --image-type=hurd-raw my-hurd-os.scm

to get an image that can be written directly to a hard drive and booted from.

Without changing anything to my-hurd-os.scm, calling:

guix system image --image-type=hurd-qcow2 my-hurd-os.scm

will instead produce a Hurd QEMU image.

3.4 Att använda säkerhetsnycklar

The use of security keys can improve your security by providing a second authentication source that cannot be easily stolen or copied, at least for a remote adversary (something that you have), to the main secret (a passphrase – something that you know), reducing the risk of impersonation.

The example configuration detailed below showcases what minimal configuration needs to be made on your Guix System to allow the use of a Yubico security key. It is hoped the configuration can be useful for other security keys as well, with minor adjustments.

• Configuration for use as a two-factor authenticator (2FA)
• Disabling OTP code generation for a Yubikey
• Requiring a Yubikey to open a KeePassXC database

(use-package-modules ... security-token ...)
...
(operating-system
 ...
 (users (cons* (user-account
               (name "your-user")
               (group "users")
               (supplementary-groups
		'("wheel" "netdev" "audio" "video"
                  "plugdev"))           ;<- added system group
               (home-directory "/home/your-user"))
              %base-user-accounts))
 ...
 (services
  (cons*
   ...
   (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))

guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys

guix shell python-yubikey-manager -- ykman config usb --force --disable OTP

(use-package-modules ... security-token ...)
...
(operating-system
 ...
 (services
  (cons*
   ...
   (udev-rules-service 'yubikey yubikey-personalization))))

guix shell yubikey-manager-qt -- ykman-gui

3.5 Dynamic DNS mcron job

If your ISP (Internet Service Provider) only provides dynamic IP addresses, it can be useful to setup a dynamic DNS (Domain Name System) (also known as DDNS (Dynamic DNS)) service to associate a static host name to a public but dynamic (often changing) IP address. There are multiple existing services that can be used for this; in the following mcron job, DuckDNS is used. It should also work with other dynamic DNS services that offer a similar interface to update the IP address, such as https://freedns.afraid.org/, with minor adjustments.

The mcron job is provided below, where DOMAIN should be substituted for your own domain prefix, and the DuckDNS provided token associated to DOMAIN added to the /etc/duckdns/DOMAIN.token file.

(define duckdns-job
  ;; Update personal domain IP every 5 minutes.
  #~(job '(next-minute (range 0 60 5))
	 #$(program-file
            "duckdns-update"
            (with-extensions (list guile-gnutls) ;required by (web client)
              #~(begin
                  (use-modules (ice-9 textual-ports)
                               (web client))
                  (let ((token (string-trim-both
                                (call-with-input-file "/etc/duckdns/DOMAIN.token"
                                  get-string-all)))
                        (query-template (string-append "https://www.duckdns.org/"
                                                       "update?domains=DOMAIN"
                                                       "&token=~a&ip=")))
                    (http-get (format #f query-template token))))))
         "duckdns-update"
         #:user "nobody"))

The job then needs to be added to the list of mcron jobs for your system, using something like:

(operating-system
 (services
  (cons* (service mcron-service-type
           (mcron-configuration
             (jobs (list duckdns-job ...))))
         ...
         %base-services)))

3.6 Att ansluta till Wireguard VPN

To connect to a Wireguard VPN server you need the kernel module to be loaded in memory and a package providing networking tools that support it (e.g. wireguard-tools or network-manager).

Here is a configuration example for Linux-Libre < 5.6, where the module is out of tree and need to be loaded manually—following revisions of the kernel have it built-in and so don’t need such configuration:

(use-modules (gnu))
(use-service-modules desktop)
(use-package-modules vpn)

(operating-system
  ;; …
  (services (cons (simple-service 'wireguard-module
                                  kernel-module-loader-service-type
                                  '("wireguard"))
                  %desktop-services))
  (packages (cons wireguard-tools %base-packages))
  (kernel-loadable-modules (list wireguard-linux-compat)))

After reconfiguring and restarting your system you can either use Wireguard tools or NetworkManager to connect to a VPN server.

• Using Wireguard tools
• Using NetworkManager

# nmcli connection import type wireguard file wg0.conf
Connection 'wg0' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully added

$ nmcli connection up wg0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

# nmcli connection modify wg0 connection.autoconnect no

3.7 Att anpassa en fönsterhanterare

• StumpWM
• Sessionslås

(use-modules (gnu))
(use-package-modules wm)

(operating-system
  ;; …
  (packages (append (list sbcl stumpwm `(,stumpwm "lib"))
                    %base-packages)))

(use-modules (gnu))
(use-package-modules fonts wm)

(operating-system
  ;; …
  (packages (append (list sbcl stumpwm `(,stumpwm "lib"))
                    sbcl-ttf-fonts font-dejavu %base-packages)))

(require :ttf-fonts)
(setf xft:*font-dirs* '("/run/current-system/profile/share/fonts/"))
(setf clx-truetype:+font-cache-filename+ (concat (getenv "HOME")
                                                 "/.fonts/font-cache.sexp"))
(xft:cache-fonts)
(set-font (make-instance 'xft:font :family "DejaVu Sans Mono"
                                   :subfamily "Book" :size 11))

xss-lock -- slock &
exec stumpwm

(service screen-locker-service-type
         (screen-locker-configuration
          (name "slock")
          (program (file-append slock "/bin/slock"))))

3.8 Att köra Guix på en Linode-server

To run Guix on a server hosted by Linode, start with a recommended Debian server. We recommend using the default distro as a way to bootstrap Guix. Create your SSH keys.

ssh-keygen

Be sure to add your SSH key for easy login to the remote server. This is trivially done via Linode’s graphical interface for adding SSH keys. Go to your profile and click add SSH Key. Copy into it the output of:

cat ~/.ssh/<username>_rsa.pub

Power the Linode down.

In the Linode’s Storage tab, resize the Debian disk to be smaller. 30 GB free space is recommended. Then click "Add a disk", and fill out the form with the following:

• Label: "Guix"
• Filesystem: ext4
• Set it to the remaining size

In the Configurations tab, press "Edit" on the default Debian profile. Under "Block Device Assignment" click "Add a Device". It should be /dev/sdc and you can select the "Guix" disk. Save Changes.

Now "Add a Configuration", with the following:

• Label: Guix
• Kernel:GRUB 2 (it’s at the bottom! This step is IMPORTANT!)
• Block device assignment:
• /dev/sda: Guix
• /dev/sdb: swap
• Root device: /dev/sda
• Turn off all the filesystem/boot helpers

Now power it back up, booting with the Debian configuration. Once it’s running, ssh to your server via ssh root@<your-server-IP-here>. (You can find your server IP address in your Linode Summary section.) Now you can run the "install guix from see Binary Installation in GNU Guix" steps:

sudo apt-get install gpg
wget https://sv.gnu.org/people/viewgpg.php?user_id=15145 -qO - | gpg --import -
wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
./guix-install.sh
guix pull

Now it’s time to write out a config for the server. The key information is below. Save the resulting file as guix-config.scm.

(use-modules (gnu)
             (guix modules))
(use-service-modules networking
                     ssh)
(use-package-modules admin
                     package-management
                     ssh
                     tls)

(operating-system
  (host-name "my-server")
  (timezone "America/New_York")
  (locale "en_US.UTF-8")
  ;; This goofy code will generate the grub.cfg
  ;; without installing the grub bootloader on disk.
  (bootloader (bootloader-configuration
               (bootloader
                (bootloader
                 (inherit grub-bootloader)
                 (installer #~(const #true))))))
  (file-systems (cons (file-system
                        (device "/dev/sda")
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))


  (swap-devices (list "/dev/sdb"))


  (initrd-modules (cons "virtio_scsi"    ; Needed to find the disk
                        %base-initrd-modules))

  (users (cons (user-account
                (name "janedoe")
                (group "users")
                ;; Adding the account to the "wheel" group
                ;; makes it a sudoer.
                (supplementary-groups '("wheel"))
                (home-directory "/home/janedoe"))
               %base-user-accounts))

  (packages (cons* openssh-sans-x
                   %base-packages))

  (services (cons*
             (service dhcp-client-service-type)
             (service openssh-service-type
                      (openssh-configuration
                       (openssh openssh-sans-x)
                       (password-authentication? #false)
                       (authorized-keys
                        `(("janedoe" ,(local-file "janedoe_rsa.pub"))
                          ("root" ,(local-file "janedoe_rsa.pub"))))))
             %base-services)))

Replace the following fields in the above configuration:

(host-name "my-server")       ; replace with your server name
; if you chose a linode server outside the U.S., then
; use tzselect to find a correct timezone string
(timezone "America/New_York") ; if needed replace timezone
(name "janedoe")              ; replace with your username
("janedoe" ,(local-file "janedoe_rsa.pub")) ; replace with your ssh key
("root" ,(local-file "janedoe_rsa.pub")) ; replace with your ssh key

The last line in the above example lets you log into the server as root and set the initial root password (see the note at the end of this recipe about root login). After you have done this, you may delete that line from your configuration and reconfigure to prevent root login.

Copy your ssh public key (eg: ~/.ssh/id_rsa.pub) as <your-username-here>_rsa.pub and put guix-config.scm in the same directory. In a new terminal run these commands.

sftp root@<remote server ip address>
put /path/to/files/<username>_rsa.pub .
put /path/to/files/guix-config.scm .

In your first terminal, mount the guix drive:

mkdir /mnt/guix
mount /dev/sdc /mnt/guix

Due to the way we set up the bootloader section of the guix-config.scm, only the grub configuration file will be installed. So, we need to copy over some of the other GRUB stuff already installed on the Debian system:

mkdir -p /mnt/guix/boot/grub
cp -r /boot/grub/* /mnt/guix/boot/grub/

Now initialize the Guix installation:

guix system init guix-config.scm /mnt/guix

Ok, power it down! Now from the Linode console, select boot and select "Guix".

Once it boots, you should be able to log in via SSH! (The server config will have changed though.) You may encounter an error like:

$ ssh root@<server ip address>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:0B+wp33w57AnKQuHCvQP0+ZdKaqYrI/kyU7CfVbS7R4.
Please contact your system administrator.
Add correct host key in /home/joshua/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/joshua/.ssh/known_hosts:3
ECDSA host key for 198.58.98.76 has changed and you have requested strict checking.
Host key verification failed.

Either delete ~/.ssh/known_hosts file, or delete the offending line starting with your server IP address.

Be sure to set your password and root’s password.

ssh root@<remote ip address>
passwd  ; for the root password
passwd <username> ; for the user password

You may not be able to run the above commands at this point. If you have issues remotely logging into your linode box via SSH, then you may still need to set your root and user password initially by clicking on the “Launch Console” option in your linode. Choose the “Glish” instead of “Weblish”. Now you should be able to ssh into the machine.

Hooray! At this point you can shut down the server, delete the Debian disk, and resize the Guix to the rest of the size. Congratulations!

By the way, if you save it as a disk image right at this point, you’ll have an easy time spinning up new Guix images! You may need to down-size the Guix image to 6144MB, to save it as an image. Then you can resize it again to the max size.

3.9 Att köra Guix på en Kimsufi-server

To run Guix on a server hosted by Kimsufi, click on the netboot tab then select rescue64-pro and restart.

OVH will email you the credentials required to ssh into a Debian system.

Now you can run the "install guix from see Binary Installation in GNU Guix" steps:

wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
./guix-install.sh
guix pull

Partition the drives and format them, first stop the raid array:

mdadm --stop /dev/md127
mdadm --zero-superblock /dev/sda2 /dev/sdb2

Then wipe the disks and set up the partitions, we will create a RAID 1 array.

wipefs -a /dev/sda
wipefs -a /dev/sdb

parted /dev/sda --align=opt -s -m -- mklabel gpt
parted /dev/sda --align=opt -s -m -- \
 mkpart bios_grub 1049kb 512MiB \
 set 1 bios_grub on
parted /dev/sda --align=opt -s -m -- \
 mkpart primary 512MiB -512MiB
 set 2 raid on
parted /dev/sda --align=opt -s -m -- mkpart primary linux-swap 512MiB 100%

parted /dev/sdb --align=opt -s -m -- mklabel gpt
parted /dev/sdb --align=opt -s -m -- \
     mkpart bios_grub 1049kb 512MiB \
     set 1 bios_grub on
parted /dev/sdb --align=opt -s -m -- \
     mkpart primary 512MiB -512MiB \
     set 2 raid on
parted /dev/sdb --align=opt -s -m -- mkpart primary linux-swap 512MiB 100%

Create the array:

mdadm --create /dev/md127 --level=1 --raid-disks=2 \
  --metadata=0.90 /dev/sda2 /dev/sdb2

Now create file systems on the relevant partitions, first the boot partitions:

mkfs.ext4  /dev/sda1
mkfs.ext4  /dev/sdb1

Then the root partition:

mkfs.ext4 /dev/md127

Initialize the swap partitions:

mkswap /dev/sda3
swapon /dev/sda3
mkswap /dev/sdb3
swapon /dev/sdb3

Mount the guix drive:

mkdir /mnt/guix
mount /dev/md127 /mnt/guix

Now is time to write an operating system declaration os.scm file; here is a sample:

(use-modules (gnu) (guix))
(use-service-modules networking ssh vpn virtualization sysctl admin mcron)
(use-package-modules ssh tls tmux vpn virtualization)

(operating-system
  (host-name "kimsufi")

  (bootloader (bootloader-configuration
	       (bootloader grub-bootloader)
	       (targets (list "/dev/sda" "/dev/sdb"))
	       (terminal-outputs '(console))))

  ;; Add a kernel module for RAID-1 (aka. "mirror").
  (initrd-modules (cons* "raid1"  %base-initrd-modules))

  (mapped-devices
   (list (mapped-device
          (source (list "/dev/sda2" "/dev/sdb2"))
          (target "/dev/md127")
          (type raid-device-mapping))))

  (swap-devices
   (list (swap-space
          (target "/dev/sda3"))
         (swap-space
          (target "/dev/sdb3"))))

  (issue
   ;; Default contents for /etc/issue.
   "\
This is the GNU system at Kimsufi.  Welcome.\n")

  (file-systems (cons* (file-system
		         (mount-point "/")
		         (device "/dev/md127")
		         (type "ext4")
		         (dependencies mapped-devices))
		       %base-file-systems))

  (users (cons (user-account
	        (name "guix")
	        (comment "guix")
	        (group "users")
	        (supplementary-groups '("wheel"))
	        (home-directory "/home/guix"))
	       %base-user-accounts))

  (sudoers-file
   (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
guix ALL=(ALL) NOPASSWD:ALL\n"))

  ;; Globally-installed packages.
  (packages (cons* tmux gnutls wireguard-tools %base-packages))
  (services
   (cons*
    (service static-networking-service-type
	     (list (static-networking
		    (addresses (list (network-address
				      (device "enp3s0")
				      (value "server-ip-address/24"))))
		    (routes (list (network-route
				   (destination "default")
				   (gateway "server-gateway"))))
		    (name-servers '("213.186.33.99")))))

    (service unattended-upgrade-service-type)

    (service openssh-service-type
	     (openssh-configuration
	      (openssh openssh-sans-x)
	      (permit-root-login #f)
	      (authorized-keys
	       `(("guix" ,(plain-file "ssh-key-name.pub"
                                      "ssh-public-key-content"))))))
    (modify-services %base-services
      (sysctl-service-type
       config =>
       (sysctl-configuration
	(settings (append '(("net.ipv6.conf.all.autoconf" . "0")
			    ("net.ipv6.conf.all.accept_ra" . "0"))
			  %default-sysctl-settings))))))))

Kom ihåg att ersätta variablerna server-ip-address, server-gateway, ssh-key-name och ssh-public-key-content med dina egna värden.

The gateway is the last usable IP in your block so if you have a server with an IP of ‘37.187.79.10’ then its gateway will be ‘37.187.79.254’.

Transfer your operating system declaration os.scm file on the server via the scp or sftp commands.

Now all that is left is to install Guix with a guix system init and restart.

However we first need to set up a chroot, because the root partition of the rescue system is mounted on an aufs partition and if you try to install Guix it will fail at the GRUB install step complaining about the canonical path of "aufs".

Install packages that will be used in the chroot:

guix install bash-static parted util-linux-with-udev coreutils guix

Then run the following to create directories needed for the chroot:

cd /mnt && \
mkdir -p bin etc gnu/store root/.guix-profile/ root/.config/guix/current \
  var/guix proc sys dev

Copy the host resolv.conf in the chroot:

cp /etc/resolv.conf etc/

Mount block devices, the store and its database and the current guix config:

mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /dev /mnt/dev
mount --rbind /var/guix/ var/guix/
mount --rbind /gnu/store gnu/store/
mount --rbind /root/.config/ root/.config/
mount --rbind /root/.guix-profile/bin/ bin
mount --rbind /root/.guix-profile root/.guix-profile/

Chroot in /mnt and install the system:

chroot /mnt/ /bin/bash

guix system init /root/os.scm /guix

Finally, from the web user interface (UI), change ‘netboot’ to ‘boot to disk’ and restart (also from the web UI).

Wait a few minutes and try to ssh with ssh guix@server-ip-address> -i path-to-your-ssh-key

You should have a Guix system up and running on Kimsufi; congratulations!

3.10 Setting up a bind mount

To bind mount a file system, one must first set up some definitions before the operating-system section of the system definition. In this example we will bind mount a folder from a spinning disk drive to /tmp, to save wear and tear on the primary SSD, without dedicating an entire partition to be mounted as /tmp.

First, the source drive that hosts the folder we wish to bind mount should be defined, so that the bind mount can depend on it.

(define source-drive ;; "source-drive" can be named anything you want.
   (file-system
    (device (uuid "UUID goes here"))
    (mount-point "/path-to-spinning-disk-goes-here")
    (type "ext4"))) ;Make sure to set this to the appropriate type for your drive.

The source folder must also be defined, so that guix will know it’s not a regular block device, but a folder.

;; "source-directory" can be named any valid variable name.
(define (%source-directory) "/path-to-spinning-disk-goes-here/tmp")

Finally, inside the file-systems definition, we must add the mount itself.

(file-systems (cons*

                ...<other drives omitted for clarity>...

                ;; Must match the name you gave the source drive in the earlier definition.
                source-drive

                (file-system
                 ;; Make sure "source-directory" matches your earlier definition.
                 (device (%source-directory))
                 (mount-point "/tmp")
                 ;; We are mounting a folder, not a partition, so this type needs to be "none"
                 (type "none")
                 (flags '(bind-mount))
                 ;; Ensure "source-drive" matches what you've named the variable for the drive.
                 (dependencies (list source-drive))
                 )

                 ...<other drives omitted for clarity>...

                ))

3.11 Att få ersättningar från Tor

Guix-demon kan använda en HTTP-proxy för att få ersättningar, här konfigurerar vi den för få dem via Tor.

Varning: Not all Guix daemon’s traffic will go through Tor! Only HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections will still go through the clearnet. Again, this configuration isn’t foolproof some of your traffic won’t get routed by Tor at all. Use it at your own risk.

Also note that the procedure described here applies only to package substitution. When you update your guix distribution with guix pull, you still need to use torsocks if you want to route the connection to guix’s git repository servers through Tor.

Guix ersättningsserver är tillgänglig som en Onion-tjänst, om du vill använda den för att få dina ersättningar genom Tor konfigurerar du ditt system enligt följande:

(use-modules (gnu))
(use-service-module base networking)

(operating-system
  …
  (services
    (cons
      (service tor-service-type
              (tor-configuration
                (config-file (plain-file "tor-config"
                                         "HTTPTunnelPort 127.0.0.1:9250"))))
      (modify-services %base-services
        (guix-service-type
          config => (guix-configuration
                      (inherit config)
                      ;; ci.guix.gnu.org's Onion service
                      (substitute-urls "\
https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion")
                      (http-proxy "http://localhost:9250")))))))

This will keep a tor process running that provides a HTTP CONNECT tunnel which will be used by guix-daemon. The daemon can use other protocols than HTTP(S) to get remote resources, request using those protocols won’t go through Tor since we are only setting a HTTP tunnel here. Note that substitutes-urls is using HTTPS and not HTTP or it won’t work, that’s a limitation of Tor’s tunnel; you may want to use privoxy instead to avoid such limitations.

If you don’t want to always get substitutes through Tor but using it just some of the times, then skip the guix-configuration. When you want to get a substitute from the Tor tunnel run:

sudo herd set-http-proxy guix-daemon http://localhost:9250
guix build \
  --substitute-urls=https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion …

3.12 Ställa in NGINX med Lua

NGINX could be extended with Lua scripts.

Guix provides NGINX service with ability to load Lua module and specific Lua packages, and reply to requests by evaluating Lua scripts.

The following example demonstrates system definition with configuration to evaluate index.lua Lua script on HTTP request to http://localhost/hello endpoint:

local shell = require "resty.shell"

local stdin = ""
local timeout = 1000  -- ms
local max_size = 4096  -- byte

local ok, stdout, stderr, reason, status =
   shell.run([[/run/current-system/profile/bin/ls /tmp]], stdin, timeout, max_size)

ngx.say(stdout)

(use-modules (gnu))
(use-service-modules #;… web)
(use-package-modules #;… lua)
(operating-system
  ;; …
  (services
   ;; …
   (service nginx-service-type
            (nginx-configuration
             (modules
              (list
               (file-append nginx-lua-module "/etc/nginx/modules/ngx_http_lua_module.so")))
             (lua-package-path (list lua-resty-core
                                     lua-resty-lrucache
                                     lua-resty-signal
                                     lua-tablepool
                                     lua-resty-shell))
             (lua-package-cpath (list lua-resty-signal))
             (server-blocks
              (list (nginx-server-configuration
                     (server-name '("localhost"))
                     (listen '("80"))
                     (root "/etc")
                     (locations (list
                                 (nginx-location-configuration
                                  (uri "/hello")
                                  (body (list #~(format #f "content_by_lua_file ~s;"
                                                        #$(local-file "index.lua"))))))))))))))

3.13 Musikserver med Bluetooth-ljud

MPD, the Music Player Daemon, is a flexible server-side application for playing music. Client programs on different machines on the network — a mobile phone, a laptop, a desktop workstation — can connect to it to control the playback of audio files from your local music collection. MPD decodes the audio files and plays them back on one or many outputs.

By default MPD will play to the default audio device. In the example below we make things a little more interesting by setting up a headless music server. There will be no graphical user interface, no Pulseaudio daemon, and no local audio output. Instead we will configure MPD with two outputs: a bluetooth speaker and a web server to serve audio streams to any streaming media player.

Bluetooth is often rather frustrating to set up. You will have to pair your Bluetooth device and make sure that the device is automatically connected as soon as it powers on. The Bluetooth system service returned by the bluetooth-service procedure provides the infrastructure needed to set this up.

Omkonfigurera ditt system med åtminstone följande tjänster och paket:

(operating-system
  ;; …
  (packages (cons* bluez bluez-alsa
                   %base-packages))
  (services
   ;; …
   (dbus-service #:services (list bluez-alsa))
   (bluetooth-service #:auto-enable? #t)))

Start the bluetooth service and then use bluetoothctl to scan for Bluetooth devices. Try to identify your Bluetooth speaker and pick out its device ID from the resulting list of devices that is indubitably dominated by a baffling smorgasbord of your neighbors’ home automation gizmos. This only needs to be done once:

$ bluetoothctl 
[NEW] Controller 00:11:22:33:95:7F BlueZ 5.40 [default]

[bluetooth]# power on
[bluetooth]# Changing power on succeeded

[bluetooth]# agent on
[bluetooth]# Agent registered

[bluetooth]# default-agent
[bluetooth]# Default agent request successful

[bluetooth]# scan on
[bluetooth]# Discovery started
[CHG] Controller 00:11:22:33:95:7F Discovering: yes
[NEW] Device AA:BB:CC:A4:AA:CD My Bluetooth Speaker
[NEW] Device 44:44:FF:2A:20:DC My Neighbor's TV
…

[bluetooth]# pair AA:BB:CC:A4:AA:CD
Attempting to pair with AA:BB:CC:A4:AA:CD
[CHG] Device AA:BB:CC:A4:AA:CD Connected: yes

[My Bluetooth Speaker]# [CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110b-0000-1000-8000-00xxxxxxxxxx
[CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110c-0000-1000-8000-00xxxxxxxxxx
[CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110e-0000-1000-8000-00xxxxxxxxxx
[CHG] Device AA:BB:CC:A4:AA:CD Paired: yes
Pairing successful

[CHG] Device AA:BB:CC:A4:AA:CD Connected: no

[bluetooth]# 
[bluetooth]# trust AA:BB:CC:A4:AA:CD
[bluetooth]# [CHG] Device AA:BB:CC:A4:AA:CD Trusted: yes
Changing AA:BB:CC:A4:AA:CD trust succeeded

[bluetooth]# 
[bluetooth]# connect AA:BB:CC:A4:AA:CD
Attempting to connect to AA:BB:CC:A4:AA:CD
[bluetooth]# [CHG] Device AA:BB:CC:A4:AA:CD RSSI: -63
[CHG] Device AA:BB:CC:A4:AA:CD Connected: yes
Connection successful

[My Bluetooth Speaker]# scan off
[CHG] Device AA:BB:CC:A4:AA:CD RSSI is nil
Discovery stopped
[CHG] Controller 00:11:22:33:95:7F Discovering: no

Congratulations, you can now automatically connect to your Bluetooth speaker!

It is now time to configure ALSA to use the bluealsa Bluetooth module, so that you can define an ALSA pcm device corresponding to your Bluetooth speaker. For a headless server using bluealsa with a fixed Bluetooth device is likely simpler than configuring Pulseaudio and its stream switching behavior. We configure ALSA by crafting a custom alsa-configuration for the alsa-service-type. The configuration will declare a pcm type bluealsa from the bluealsa module provided by the bluez-alsa package, and then define a pcm device of that type for your Bluetooth speaker.

All that is left then is to make MPD send audio data to this ALSA device. We also add a secondary MPD output that makes the currently played audio files available as a stream through a web server on port 8080. When enabled a device on the network could listen to the audio stream by connecting any capable media player to the HTTP server on port 8080, independent of the status of the Bluetooth speaker.

What follows is the outline of an operating-system declaration that should accomplish the above-mentioned tasks:

(use-modules (gnu))
(use-service-modules audio dbus sound #;… etc)
(use-package-modules audio linux #;… etc)
(operating-system
  ;; …
  (packages (cons* bluez bluez-alsa
                   %base-packages))
  (services
   ;; …
   (service mpd-service-type
            (mpd-configuration
             (user "your-username")
             (music-dir "/path/to/your/music")
             (address "192.168.178.20")
             (outputs (list (mpd-output
                             (type "alsa")
                             (name "MPD")
                             (extra-options
                              ;; Use the same name as in the ALSA
                              ;; configuration below.
                              '((device . "pcm.btspeaker"))))
                            (mpd-output
                             (type "httpd")
                             (name "streaming")
                             (enabled? #false)
                             (always-on? #true)
                             (tags? #true)
                             (mixer-type 'null)
                             (extra-options
                              '((encoder . "vorbis")
                                (port    . "8080")
                                (bind-to-address . "192.168.178.20")
                                (max-clients . "0") ;no limit
                                (quality . "5.0")
                                (format  . "44100:16:1"))))))))
   (dbus-service #:services (list bluez-alsa))
   (bluetooth-service #:auto-enable? #t)
   (service alsa-service-type
            (alsa-configuration
             (pulseaudio? #false) ;we don't need it
             (extra-options
              #~(string-append "\
# Declare Bluetooth audio device type \"bluealsa\" from bluealsa module
pcm_type.bluealsa {
    lib \""
#$(file-append bluez-alsa "/lib/alsa-lib/libasound_module_pcm_bluealsa.so") "\"
}

# Declare control device type \"bluealsa\" from the same module
ctl_type.bluealsa {
    lib \""
#$(file-append bluez-alsa "/lib/alsa-lib/libasound_module_ctl_bluealsa.so") "\"
}

# Define the actual Bluetooth audio device.
pcm.btspeaker {
    type bluealsa
    device \"AA:BB:CC:A4:AA:CD\" # unique device identifier
    profile \"a2dp\"
}

# Define an associated controller.
ctl.btspeaker {
    type bluealsa
}
"))))))

Enjoy the music with the MPD client of your choice or a media player capable of streaming via HTTP!

4.1 Guix-behållare

The easiest way to get started is to use guix shell with the --container option. See Invoking guix shell in GNU Guix Reference Manual for a reference of valid options.

The following snippet spawns a minimal shell process with most namespaces unshared from the system. The current working directory is visible to the process, but anything else on the file system is unavailable. This extreme isolation can be very useful when you want to rule out any sort of interference from environment variables, globally installed libraries, or configuration files.

guix shell --container

It is a bleak environment, barren, desolate. You will find that not even the GNU coreutils are available here, so to explore this deserted wasteland you need to use built-in shell commands. Even the usually gigantic /gnu/store directory is reduced to a faint shadow of itself.

$ echo /gnu/store/*
/gnu/store/…-gcc-10.3.0-lib
/gnu/store/…-glibc-2.33
/gnu/store/…-bash-static-5.1.8
/gnu/store/…-ncurses-6.2.20210619
/gnu/store/…-bash-5.1.8
/gnu/store/…-profile
/gnu/store/…-readline-8.1.1

There isn’t much you can do in an environment like this other than exiting it. You can use ^D or exit to terminate this limited shell environment.

You can make other directories available inside of the container environment; use --expose=DIRECTORY to bind-mount the given directory as a read-only location inside the container, or use --share=DIRECTORY to make the location writable. With an additional mapping argument after the directory name you can control the name of the directory inside the container. In the following example we map /etc on the host system to /the/host/etc inside a container in which the GNU coreutils are installed.

$ guix shell --container --share=/etc=/the/host/etc coreutils
$ ls /the/host/etc

Similarly, you can prevent the current working directory from being mapped into the container with the --no-cwd option. Another good idea is to create a dedicated directory that will serve as the container’s home directory, and spawn the container shell from that directory.

On a foreign system a container environment can be used to compile software that cannot possibly be linked with system libraries or with the system’s compiler toolchain. A common use-case in a research context is to install packages from within an R session. Outside of a container environment there is a good chance that the foreign compiler toolchain and incompatible system libraries are found first, resulting in incompatible binaries that cannot be used by R. In a container shell this problem disappears, as system libraries and executables simply aren’t available due to the unshared mount namespace.

Let’s take a comprehensive manifest providing a comfortable development environment for use with R:

(specifications->manifest
  (list "r-minimal"

        ;; base packages
        "bash-minimal"
        "glibc-locales"
        "nss-certs"

        ;; Common command line tools lest the container is too empty.
        "coreutils"
        "grep"
        "which"
        "wget"
        "sed"

        ;; R markdown tools
        "pandoc"

        ;; Toolchain and common libraries for "install.packages"
        "gcc-toolchain@10"
        "gfortran-toolchain"
        "gawk"
        "tar"
        "gzip"
        "unzip"
        "make"
        "cmake"
        "pkg-config"
        "cairo"
        "libxt"
        "openssl"
        "curl"
        "zlib"))

Let’s use this to run R inside a container environment. For convenience we share the net namespace to use the host system’s network interfaces. Now we can build R packages from source the traditional way without having to worry about ABI mismatch or incompatibilities.

$ guix shell --container --network --manifest=manifest.scm -- R

R version 4.2.1 (2022-06-23) -- "Funny-Looking Kid"
Copyright (C) 2022 The R Foundation for Statistical Computing
…
> e <- Sys.getenv("GUIX_ENVIRONMENT")
> Sys.setenv(GIT_SSL_CAINFO=paste0(e, "/etc/ssl/certs/ca-certificates.crt"))
> Sys.setenv(SSL_CERT_FILE=paste0(e, "/etc/ssl/certs/ca-certificates.crt"))
> Sys.setenv(SSL_CERT_DIR=paste0(e, "/etc/ssl/certs"))
> install.packages("Cairo", lib=paste0(getwd()))
…
* installing *source* package 'Cairo' ...
…
* DONE (Cairo)

The downloaded source packages are in
	'/tmp/RtmpCuwdwM/downloaded_packages'
> library("Cairo", lib=getwd())
> # success!

Using container shells is fun, but they can become a little cumbersome when you want to go beyond just a single interactive process. Some tasks become a lot easier when they sit on the rock solid foundation of a proper Guix System and its rich set of system services. The next section shows you how to launch a complete Guix System inside of a container.

4.2 Guix System-behållare

The Guix System provides a wide array of interconnected system services that are configured declaratively to form a dependable stateless GNU System foundation for whatever tasks you throw at it. Even when using Guix on a foreign distribution you can benefit from the design of Guix System by running a system instance as a container. Using the same kernel features of unshared namespaces mentioned in the previous section, the resulting Guix System instance is isolated from the host system and only shares file system locations that you explicitly declare.

A Guix System container differs from the shell process created by guix shell --container in a number of important ways. While in a container shell the containerized process is a Bash shell process, a Guix System container runs the Shepherd as PID 1. In a system container all system services (see Services in GNU Guix Reference Manual) are set up just as they would be on a Guix System in a virtual machine or on bare metal—this includes daemons managed by the GNU Shepherd (see Shepherd Services in GNU Guix Reference Manual) as well as other kinds of extensions to the operating system (see Service Composition in GNU Guix Reference Manual).

The perceived increase in complexity of running a Guix System container is easily justified when dealing with more complex applications that have higher or just more rigid requirements on their execution contexts—configuration files, dedicated user accounts, directories for caches or log files, etc. In Guix System the demands of this kind of software are satisfied through the deployment of system services.

• En databasbehållare
• Container Networking

(service postgresql-service-type
         (postgresql-configuration
          (postgresql postgresql-14)))

(use-modules (gnu))
(use-package-modules databases)
(use-service-modules databases)

(operating-system
  (host-name "container")
  (timezone "Europe/Berlin")
  (file-systems (cons (file-system
                        (device (file-system-label "does-not-matter"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sdX"))))
  (services
   (cons* (service postgresql-service-type
                   (postgresql-configuration
                    (postgresql postgresql-14)
                    (config-file
                     (postgresql-config-file
                      (log-destination "stderr")
                      (hba-file
                       (plain-file "pg_hba.conf"
                                   "\
local	all	all			trust
host	all	all	10.0.0.1/32 	trust"))
                      (extra-config
                       '(("listen_addresses" "*")
                         ("log_directory"    "/var/log/postgresql")))))))
          (service postgresql-role-service-type
                   (postgresql-role-configuration
                    (roles
                     (list (postgresql-role
                            (name "test")
                            (create-database? #t))))))
          %base-services)))

$ guix system container os.scm
The following derivations will be built:
  /gnu/store/…-run-container.drv
  …
building /gnu/store/…-run-container.drv...
/gnu/store/…-run-container

$ sudo /gnu/store/…-run-container
system container is running as PID 5983
…

$ guix shell util-linux
$ sudo nsenter -a -t 5983
root@container /# pgrep -a postgres
49 /gnu/store/…-postgresql-14.4/bin/postgres -D /var/lib/postgresql/data --config-file=/gnu/store/…-postgresql.conf -p 5432
51 postgres: checkpointer
52 postgres: background writer
53 postgres: walwriter
54 postgres: autovacuum launcher
55 postgres: stats collector
56 postgres: logical replication launcher
root@container /# exit

pid=5983
ns="guix-test"
host="veth-test"
client="ceth-test"

# Attach the new net namespace "guix-test" to the container PID.
sudo ip netns attach $ns $pid

# Create the pair of devices
sudo ip link add $host type veth peer name $client

# Move the client device into the container's net namespace
sudo ip link set $client netns $ns

sudo ip link set $host up
sudo ip addr add 10.0.0.1/24 dev $host

sudo ip netns exec $ns  ip link set lo up
sudo ip netns exec $ns  ip link set $client up
sudo ip netns exec $ns  ip addr add 10.0.0.2/24 dev $client

$ psql -h 10.0.0.2 -U test
psql (14.4)
Type "help" for help.

test=> CREATE TABLE hello (who TEXT NOT NULL);
CREATE TABLE
test=> INSERT INTO hello (who) VALUES ('world');
INSERT 0 1
test=> SELECT * FROM hello;
  who
-------
 world
(1 row)

sudo kill $pid
sudo ip netns del $ns
sudo ip link del $host

5.1 Nätverksbrygga för QEMU

By default, QEMU uses a so-called “user mode” host network back-end, which is convenient as it does not require any configuration. Unfortunately, it is also quite limited. In this mode, the guest VM (virtual machine) can access the network the same way the host would, but it cannot be reached from the host. Additionally, since the QEMU user networking mode relies on ICMP, ICMP-based networking tools such as ping do not work in this mode. Thus, it is often desirable to configure a network bridge, which enables the guest to fully participate in the network. This is necessary, for example, when the guest is to be used as a server.

• Creating a network bridge interface
• Configuring the QEMU bridge helper script
• Invoking QEMU with the right command line options
• Networking issues caused by Docker

# nmcli con add type bridge con-name br0 ifname br0

# nmcli con add type bridge-slave ifname enp2s0 master br0

(privileged-programs
 (cons (privileged-program
         (program (file-append qemu "/libexec/qemu-bridge-helper"))
         (setuid? #t))
       %default-privileged-programs))

(extra-special-file "/etc/qemu/host.conf" "allow br0\n")

$ qemu-system-x86_64 [...] \
    -device virtio-net-pci,netdev=user0,mac=XX:XX:XX:XX:XX:XX \
    -netdev bridge,id=user0,br=br0 \
    [...]

mac_address="52:54:00:$(dd if=/dev/urandom bs=512 count=1 2>/dev/null \
                           | md5sum \
                           | sed -E 's/^(..)(..)(..).*$/\1:\2:\3/')"
echo $mac_address

(service iptables-service-type
             (iptables-configuration
              (ipv4-rules (plain-file "iptables.rules" "\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT
"))

5.2 Routed network for libvirt

If the machine hosting your virtual machines is connected wirelessly to the network, you won’t be able to use a true network bridge as explained in the preceding section (see Nätverksbrygga för QEMU). In this case, the next best option is to use a virtual bridge with static routing and to configure a libvirt-powered virtual machine to use it (via the virt-manager GUI for example). This is similar to the default mode of operation of QEMU/libvirt, except that instead of using NAT (Network Address Translation), it relies on static routes to join the VM (virtual machine) IP address to the LAN (local area network). This provides two-way connectivity to and from the virtual machine, which is needed for exposing services hosted on the virtual machine.

• Creating a virtual network bridge
• Configuring the static routes for your virtual bridge

<network>
  <name>virbr0</name>
  <bridge name="virbr0" />
  <forward mode="route"/>
  <ip address="192.168.2.0" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.2.1" end="192.168.2.254"/>
    </dhcp>
  </ip>
</network>

virsh net-define /tmp/virbr0.xml
virsh net-autostart virbr0
virsh net-start virbr0

6.1 Guix-profiler i praktiken

Guix provides a very useful feature that may be quite foreign to newcomers: profiles. They are a way to group package installations together and all users on the same system are free to use as many profiles as they want.

Whether you’re a developer or not, you may find that multiple profiles bring you great power and flexibility. While they shift the paradigm somewhat compared to traditional package managers, they are very convenient to use once you’ve understood how to set them up.

Observera: This section is an opinionated guide on the use of multiple profiles. It predates guix shell and its fast profile cache (see Invoking guix shell in GNU Guix Reference Manual).

In many cases, you may find that using guix shell to set up the environment you need, when you need it, is less work that maintaining a dedicated profile. Your call!

If you are familiar with Python’s ‘virtualenv’, you can think of a profile as a kind of universal ‘virtualenv’ that can hold any kind of software whatsoever, not just Python software. Furthermore, profiles are self-sufficient: they capture all the runtime dependencies which guarantees that all programs within a profile will always work at any point in time.

Multiple profiles have many benefits:

• Clean semantic separation of the various packages a user needs for different contexts.
• Multiple profiles can be made available into the environment either on login or within a dedicated shell.
• Profiles can be loaded on demand. For instance, the user can use multiple shells, each of them running different profiles.
• Isolation: Programs from one profile will not use programs from the other, and the user can even install different versions of the same programs to the two profiles without conflict.
• Deduplication: Profiles share dependencies that happens to be the exact same. This makes multiple profiles storage-efficient.
• Reproducible: when used with declarative manifests, a profile can be fully specified by the Guix commit that was active when it was set up. This means that the exact same profile can be set up anywhere and anytime, with just the commit information. See the section on Reproducerbara profiler.
• Easier upgrades and maintenance: Multiple profiles make it easy to keep package listings at hand and make upgrades completely frictionless.

Concretely, here follows some typical profiles:

• The dependencies of a project you are working on.
• Your favourite programming language libraries.
• Laptop-specific programs (like ‘powertop’) that you don’t need on a desktop.
• TeXlive (this one can be really useful when you need to install just one package for this one document you’ve just received over email).
• Spel.

Let’s dive in the set up!

• Grundläggande inställning med manifest
• Nödvändiga paket
• Standardprofil
• Manifestens fördelar
• Reproducerbara profiler

(specifications->manifest
  '("package-1"
    ;; Version 1.3 of package-2.
    "package-2@1.3"
    ;; The "lib" output of package-3.
    "package-3:lib"
    ; ...
    "package-N"))

GUIX_EXTRA_PROFILES=$HOME/.guix-extra-profiles
mkdir -p "$GUIX_EXTRA_PROFILES"/my-project # if it does not exist yet
guix package --manifest=/path/to/guix-my-project-manifest.scm \
 --profile="$GUIX_EXTRA_PROFILES"/my-project/my-project

guix package --list-profiles

for i in $GUIX_EXTRA_PROFILES/*; do
  profile=$i/$(basename "$i")
  if [ -f "$profile"/etc/profile ]; then
    GUIX_PROFILE="$profile"
    . "$GUIX_PROFILE"/etc/profile
  fi
  unset profile
done

for i in "$GUIX_EXTRA_PROFILES"/my-project-1 "$GUIX_EXTRA_PROFILES"/my-project-2; do
  profile=$i/$(basename "$i")
  if [ -f "$profile"/etc/profile ]; then
    GUIX_PROFILE="$profile"
    . "$GUIX_PROFILE"/etc/profile
  fi
  unset profile
done

GUIX_PROFILE="path/to/my-project" ; . "$GUIX_PROFILE"/etc/profile

guix package --search-paths=prefix --profile=$my_profile"

guix package -m /path/to/guix-my-project-manifest.scm \
 -p "$GUIX_EXTRA_PROFILES"/my-project/my-project

for profile in "$GUIX_EXTRA_PROFILES"/*; do
  guix package --profile="$profile" \
   --manifest="$HOME/.guix-manifests/guix-$profile-manifest.scm"
done

guix package -p "$GUIX_EXTRA_PROFILES"/my-project/my-project --list-generations

guix package -p "$GUIX_EXTRA_PROFILES"/my-project/my-project --switch-generations=17

env -i $(which bash) --login --noprofile --norc
. my-project/etc/profile

guix install package-foo
guix upgrade package-bar

GUIX_EXTRA_PROFILES=$HOME/.guix-extra-profiles
GUIX_EXTRA=$HOME/.guix-extra

mkdir -p "$GUIX_EXTRA"/my-project
guix pull --channels=channel-specs.scm --profile="$GUIX_EXTRA/my-project/guix"

mkdir -p "$GUIX_EXTRA_PROFILES/my-project"
"$GUIX_EXTRA"/my-project/guix/bin/guix package \
 --manifest=/path/to/guix-my-project-manifest.scm \
 --profile="$GUIX_EXTRA_PROFILES"/my-project/my-project

7.1 Att komma igång

How do we go about “Guixifying” a repository? The first step, as we’ve seen, will be to add a guix.scm at the root of the repository in question. We’ll take Guile as an example in this chapter: it’s written in Scheme (mostly) and C, and has a number of dependencies—a C compilation tool chain, C libraries, Autoconf and its friends, LaTeX, and so on. The resulting guix.scm looks like the usual package definition (see Defining Packages in GNU Guix Reference Manual), just without the define-public bit:

;; The ‘guix.scm’ file for Guile, for use by ‘guix shell’.

(use-modules (guix)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:)
             (gnu packages autotools)
             (gnu packages base)
             (gnu packages bash)
             (gnu packages bdw-gc)
             (gnu packages compression)
             (gnu packages flex)
             (gnu packages gdb)
             (gnu packages gettext)
             (gnu packages gperf)
             (gnu packages libffi)
             (gnu packages libunistring)
             (gnu packages linux)
             (gnu packages pkg-config)
             (gnu packages readline)
             (gnu packages tex)
             (gnu packages texinfo)
             (gnu packages version-control))

(package
  (name "guile")
  (version "3.0.99-git")                          ;funky version number
  (source #f)                                     ;no source
  (build-system gnu-build-system)
  (native-inputs
   (append (list autoconf
                 automake
                 libtool
                 gnu-gettext
                 flex
                 texinfo
                 texlive-base                 ;for "make pdf"
                 texlive-epsf
                 gperf
                 git
                 gdb
                 strace
                 readline
                 lzip
                 pkg-config)

           ;; When cross-compiling, a native version of Guile itself is
           ;; needed.
           (if (%current-target-system)
               (list this-package)
               '())))
  (inputs
   (list libffi bash-minimal))
  (propagated-inputs
   (list libunistring libgc))

  (native-search-paths
   (list (search-path-specification
          (variable "GUILE_LOAD_PATH")
          (files '("share/guile/site/3.0")))
         (search-path-specification
          (variable "GUILE_LOAD_COMPILED_PATH")
          (files '("lib/guile/3.0/site-ccache")))))
  (synopsis "Scheme implementation intended especially for extensions")
  (description
   "Guile is the GNU Ubiquitous Intelligent Language for Extensions,
and it's actually a full-blown Scheme implementation!")
  (home-page "https://www.gnu.org/software/guile/")
  (license license:lgpl3+))

Quite a bit of boilerplate, but now someone who’d like to hack on Guile now only needs to run:

guix shell

That gives them a shell containing all the dependencies of Guile: those listed above, but also implicit dependencies such as the GCC tool chain, GNU Make, sed, grep, and so on. See Invoking guix shell in GNU Guix Reference Manual, for more info on guix shell.

The chef’s recommendation: Our suggestion is to create development environments like this:

guix shell --container --link-profile

... or, for short:

guix shell -CP

That gives a shell in an isolated container, and all the dependencies show up in $HOME/.guix-profile, which plays well with caches such as config.cache (see Cache Files in Autoconf) and absolute file names recorded in generated Makefiles and the likes. The fact that the shell runs in a container brings peace of mind: nothing but the current directory and Guile’s dependencies is visible inside the container; nothing from the system can possibly interfere with your development.

7.2 Level 1: Building with Guix

Now that we have a package definition (see Att komma igång), why not also take advantage of it so we can build Guile with Guix? We had left the source field empty, because guix shell above only cares about the inputs of our package—so it can set up the development environment—not about the package itself.

To build the package with Guix, we’ll need to fill out the source field, along these lines:

(use-modules (guix)
             (guix git-download)  ;for ‘git-predicate’
             …)

(define vcs-file?
  ;; Return true if the given file is under version control.
  (or (git-predicate (current-source-directory))
      (const #t)))                                ;not in a Git checkout

(package
  (name "guile")
  (version "3.0.99-git")                          ;funky version number
  (source (local-file "." "guile-checkout"
                      #:recursive? #t
                      #:select? vcs-file?))
  …)

Here’s what we changed compared to the previous section:

1. We added (guix git-download) to our set of imported modules, so we can use its git-predicate procedure.
2. We defined vcs-file? as a procedure that returns true when passed a file that is under version control. For good measure, we add a fallback case for when we’re not in a Git checkout: always return true.
3. We set source to a local-file—a recursive copy of the current directory ("."), limited to files under version control (the #:select? bit).

From there on, our guix.scm file serves a second purpose: it lets us build the software with Guix. The whole point of building with Guix is that it’s a “clean” build—you can be sure nothing from your working tree or system interferes with the build result—and it lets you test a variety of things. First, you can do a plain native build:

guix build -f guix.scm

But you can also build for another system (possibly after setting up see offloading in GNU Guix Reference Manual or see transparent emulation in GNU Guix Reference Manual):

guix build -f guix.scm -s aarch64-linux -s riscv64-linux

… or cross-compile:

guix build -f guix.scm --target=x86_64-w64-mingw32

You can also use package transformations to test package variants (see Package Transformation Options in GNU Guix Reference Manual):

# What if we built with Clang instead of GCC?
guix build -f guix.scm \
  --with-c-toolchain=guile@3.0.99-git=clang-toolchain

# What about that under-tested configure flag?
guix build -f guix.scm \
  --with-configure-flag=guile@3.0.99-git=--disable-networking

Handy!

7.3 Level 2: The Repository as a Channel

We now have a Git repository containing (among other things) a package definition (see Level 1: Building with Guix). Can’t we turn it into a channel (see Channels in GNU Guix Reference Manual)? After all, channels are designed to ship package definitions to users, and that’s exactly what we’re doing with our guix.scm.

Turns out we can indeed turn it into a channel, but with one caveat: we must create a separate directory for the .scm file(s) of our channel so that guix pull doesn’t load unrelated .scm files when someone pulls the channel—and in Guile, there are lots of them! So we’ll start like this, keeping a top-level guix.scm symlink for the sake of guix shell:

mkdir -p .guix/modules
mv guix.scm .guix/modules/guile-package.scm
ln -s .guix/modules/guile-package.scm guix.scm

To make it usable as part of a channel, we need to turn our guix.scm file into a package module (see Package Modules in GNU Guix Reference Manual): we do that by changing the use-modules form at the top to a define-module form. We also need to actually export a package variable, with define-public, while still returning the package value at the end of the file so we can still use guix shell and guix build -f guix.scm. The end result looks like this (not repeating things that haven’t changed):

(define-module (guile-package)
  #:use-module (guix)
  #:use-module (guix git-download)   ;for ‘git-predicate’
  …)

(define vcs-file?
  ;; Return true if the given file is under version control.
  (or (git-predicate (dirname (dirname (current-source-directory))))
      (const #t)))                                ;not in a Git checkout

(define-public guile
  (package
    (name "guile")
    (version "3.0.99-git")                          ;funky version number
    (source (local-file "../.." "guile-checkout"
                        #:recursive? #t
                        #:select? vcs-file?))
    …))

;; Return the package object define above at the end of the module.
guile

We need one last thing: a .guix-channel file so Guix knows where to look for package modules in our repository:

;; This file lets us present this repo as a Guix channel.

(channel
  (version 0)
  (directory ".guix/modules"))  ;look for package modules under .guix/modules/

To recap, we now have these files:

.
├── .guix-channel
├── guix.scm → .guix/modules/guile-package.scm
└── .guix
    └── modules
       └── guile-package.scm

And that’s it: we have a channel! (We could do better and support channel authentication so users know they’re pulling genuine code. We’ll spare you the details here but it’s worth considering!) Users can pull from this channel by adding it to ~/.config/guix/channels.scm, along these lines:

(append (list (channel
                (name 'guile)
                (url "https://git.savannah.gnu.org/git/guile.git")
                (branch "main")))
        %default-channels)

After running guix pull, we can see the new package:

$ guix describe
Generation 264  May 26 2023 16:00:35    (current)
  guile 36fd2b4
    repository URL: https://git.savannah.gnu.org/git/guile.git
    branch: main
    commit: 36fd2b4920ae926c79b936c29e739e71a6dff2bc
  guix c5bc698
    repository URL: https://git.savannah.gnu.org/git/guix.git
    commit: c5bc698e8922d78ed85989985cc2ceb034de2f23
$ guix package -A ^guile$
guile   3.0.99-git      out,debug       guile-package.scm:51:4
guile   3.0.9           out,debug       gnu/packages/guile.scm:317:2
guile   2.2.7           out,debug       gnu/packages/guile.scm:258:2
guile   2.2.4           out,debug       gnu/packages/guile.scm:304:2
guile   2.0.14          out,debug       gnu/packages/guile.scm:148:2
guile   1.8.8           out             gnu/packages/guile.scm:77:2
$ guix build guile@3.0.99-git
[…]
/gnu/store/axnzbl89yz7ld78bmx72vpqp802dwsar-guile-3.0.99-git-debug
/gnu/store/r34gsij7f0glg2fbakcmmk0zn4v62s5w-guile-3.0.99-git

That’s how, as a developer, you get your software delivered directly into the hands of users! No intermediaries, yet no loss of transparency and provenance tracking.

With that in place, it also becomes trivial for anyone to create Docker images, Deb/RPM packages, or a plain tarball with guix pack (see Invoking guix pack in GNU Guix Reference Manual):

# How about a Docker image of our Guile snapshot?
guix pack -f docker -S /bin=bin guile@3.0.99-git

# And a relocatable RPM?
guix pack -f rpm -R -S /bin=bin guile@3.0.99-git

7.4 Bonus: Package Variants

We now have an actual channel, but it contains only one package (see Level 2: The Repository as a Channel). While we’re at it, we can define package variants (see Defining Package Variants in GNU Guix Reference Manual) in our guile-package.scm file, variants that we want to be able to test as Guile developers—similar to what we did above with transformation options. We can add them like so:

;; This is the ‘.guix/modules/guile-package.scm’ file.

(define-module (guile-package)
  …)

(define-public guile
  …)

(define (package-with-configure-flags p flags)
  "Return P with FLAGS as additional 'configure' flags."
  (package/inherit p
    (arguments
     (substitute-keyword-arguments (package-arguments p)
       ((#:configure-flags original-flags #~(list))
        #~(append #$original-flags #$flags))))))

(define-public guile-without-threads
  (package
    (inherit (package-with-configure-flags guile
                                           #~(list "--without-threads")))
    (name "guile-without-threads")))

(define-public guile-without-networking
  (package
    (inherit (package-with-configure-flags guile
                                           #~(list "--disable-networking")))
    (name "guile-without-networking")))


;; Return the package object defined above at the end of the module.
guile

We can build these variants as regular packages once we’ve pulled the channel. Alternatively, from a checkout of Guile, we can run a command like this one from the top level:

guix build -L $PWD/.guix/modules guile-without-threads

7.5 Level 3: Setting Up Continuous Integration

The channel we defined above (see Level 2: The Repository as a Channel) becomes even more interesting once we set up continuous integration (CI). There are several ways to do that.

You can use one of the mainstream continuous integration tools, such as GitLab-CI. To do that, you need to make sure you run jobs in a Docker image or virtual machine that has Guix installed. If we were to do that in the case of Guile, we’d have a job that runs a shell command like this one:

guix build -L $PWD/.guix/modules guile@3.0.99-git

Doing this works great and has the advantage of being easy to achieve on your favorite CI platform.

That said, you’ll really get the most of it by using Cuirass, a CI tool designed for and tightly integrated with Guix. Using it is more work than using a hosted CI tool because you first need to set it up, but that setup phase is greatly simplified if you use its Guix System service (see Continuous Integration in GNU Guix Reference Manual). Going back to our example, we give Cuirass a spec file that goes like this:

;; Cuirass spec file to build all the packages of the ‘guile’ channel.
(list (specification
        (name "guile")
        (build '(channels guile))
        (channels
         (append (list (channel
                         (name 'guile)
                         (url "https://git.savannah.gnu.org/git/guile.git")
                         (branch "main")))
                 %default-channels))))

It differs from what you’d do with other CI tools in two important ways:

• Cuirass knows it’s tracking two channels, guile and guix. Indeed, our own guile package depends on many packages provided by the guix channel—GCC, the GNU libc, libffi, and so on. Changes to packages from the guix channel can potentially influence our guile build and this is something we’d like to see as soon as possible as Guile developers.
• Build results are not thrown away: they can be distributed as substitutes so that users of our guile channel transparently get pre-built binaries! (see Substitutes in GNU Guix Reference Manual, for background info on substitutes.)

From a developer’s viewpoint, the end result is this status page listing evaluations: each evaluation is a combination of commits of the guix and guile channels providing a number of jobs—one job per package defined in guile-package.scm times the number of target architectures.

As for substitutes, they come for free! As an example, since our guile jobset is built on ci.guix.gnu.org, which runs guix publish (see Invoking guix publish in GNU Guix Reference Manual) in addition to Cuirass, one automatically gets substitutes for guile builds from ci.guix.gnu.org; no additional work is needed for that.

7.6 Bonus: Build manifest

The Cuirass spec above is convenient: it builds every package in our channel, which includes a few variants (see Level 3: Setting Up Continuous Integration). However, this might be insufficiently expressive in some cases: one might want specific cross-compilation jobs, transformations, Docker images, RPM/Deb packages, or even system tests.

To achieve that, you can write a manifest (see Writing Manifests in GNU Guix Reference Manual). The one we have for Guile has entries for the package variants we defined above, as well as additional variants and cross builds:

;; This is ‘.guix/manifest.scm’.

(use-modules (guix)
             (guix profiles)
             (guile-package))   ;import our own package module

(define* (package->manifest-entry* package system
                                   #:key target)
  "Return a manifest entry for PACKAGE on SYSTEM, optionally cross-compiled to
TARGET."
  (manifest-entry
    (inherit (package->manifest-entry package))
    (name (string-append (package-name package) "." system
                         (if target
                             (string-append "." target)
                             "")))
    (item (with-parameters ((%current-system system)
                            (%current-target-system target))
            package))))

(define native-builds
  (manifest
   (append (map (lambda (system)
                  (package->manifest-entry* guile system))

                '("x86_64-linux" "i686-linux"
                  "aarch64-linux" "armhf-linux"
                  "powerpc64le-linux"))
           (map (lambda (guile)
                  (package->manifest-entry* guile "x86_64-linux"))
                (cons (package
                        (inherit (package-with-c-toolchain
                                  guile
                                  `(("clang-toolchain"
                                     ,(specification->package
                                       "clang-toolchain")))))
                        (name "guile-clang"))
                      (list guile-without-threads
                            guile-without-networking
                            guile-debug
                            guile-strict-typing))))))

(define cross-builds
  (manifest
   (map (lambda (target)
          (package->manifest-entry* guile "x86_64-linux"
                                    #:target target))
        '("i586-pc-gnu"
          "aarch64-linux-gnu"
          "riscv64-linux-gnu"
          "i686-w64-mingw32"
          "x86_64-linux-gnu"))))

(concatenate-manifests (list native-builds cross-builds))

We won’t go into the details of this manifest; suffice to say that it provides additional flexibility. We now need to tell Cuirass to build this manifest, which is done with a spec slightly different from the previous one:

;; Cuirass spec file to build all the packages of the ‘guile’ channel.
(list (specification
        (name "guile")
        (build '(manifest ".guix/manifest.scm"))
        (channels
         (append (list (channel
                         (name 'guile)
                         (url "https://git.savannah.gnu.org/git/guile.git")
                         (branch "main")))
                 %default-channels))))

We changed the (build …) part of the spec to '(manifest ".guix/manifest.scm") so that it would pick our manifest, and that’s it!

7.7 Wrapping Up

We picked Guile as the running example in this chapter and you can see the result here:

• .guix-channel;
• .guix/modules/guile-package.scm with the top-level guix.scm symlink;
• .guix/manifest.scm.

These days, repositories are commonly peppered with dot files for various tools: .envrc, .gitlab-ci.yml, .github/workflows, Dockerfile, .buildpacks, Aptfile, requirements.txt, and whatnot. It may sound like we’re proposing a bunch of additional files, but in fact those files are expressive enough to supersede most or all of those listed above.

Med några filer får vi stöd för:

• utvecklingsmiljöer (guix shell);
• pristine test builds, including for package variants and for cross-compilation (guix build);
• continuous integration (with Cuirass or with some other tool);
• continuous delivery to users (via the channel and with pre-built binaries);
• generation of derivative build artifacts such as Docker images or Deb/RPM packages (guix pack).

This a nice (in our view!) unified tool set for reproducible software deployment, and an illustration of how you as a developer can benefit from it!

8.1 Guix-miljö via direnv

Guix provides a ‘direnv’ package, which could extend shell after directory change. This tool could be used to prepare a pure Guix environment.

The following example provides a shell function for ~/.direnvrc file, which could be used from Guix Git repository in ~/src/guix/.envrc file to setup a build environment similar to described in see Building from Git in GNU Guix Reference Manual.

Create a ~/.direnvrc with a Bash code:

# Thanks <https://github.com/direnv/direnv/issues/73#issuecomment-152284914>
export_function()
{
  local name=$1
  local alias_dir=$PWD/.direnv/aliases
  mkdir -p "$alias_dir"
  PATH_add "$alias_dir"
  local target="$alias_dir/$name"
  if declare -f "$name" >/dev/null; then
    echo "#!$SHELL" > "$target"
    declare -f "$name" >> "$target" 2>/dev/null
    # Notice that we add shell variables to the function trigger.
    echo "$name \$*" >> "$target"
    chmod +x "$target"
  fi
}

use_guix()
{
    # Set GitHub token.
    export GUIX_GITHUB_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    # Unset 'GUIX_PACKAGE_PATH'.
    export GUIX_PACKAGE_PATH=""

    # Recreate a garbage collector root.
    gcroots="$HOME/.config/guix/gcroots"
    mkdir -p "$gcroots"
    gcroot="$gcroots/guix"
    if [ -L "$gcroot" ]
    then
        rm -v "$gcroot"
    fi

    # Miscellaneous packages.
    PACKAGES_MAINTENANCE=(
        direnv
        git
        git:send-email
        git-cal
        gnupg
        guile-colorized
        guile-readline
        less
        ncurses
        openssh
        xdot
    )

    # Environment packages.
    PACKAGES=(help2man guile-sqlite3 guile-gcrypt)

    # Thanks <https://lists.gnu.org/archive/html/guix-devel/2016-09/msg00859.html>
    eval "$(guix shell --search-paths --root="$gcroot" --pure \
     --development guix ${PACKAGES[@]} ${PACKAGES_MAINTENANCE[@]} "$@")"

    # Predefine configure flags.
    configure()
    {
        ./configure
    }
    export_function configure

    # Run make and optionally build something.
    build()
    {
        make -j 2
        if [ $# -gt 0 ]
        then
            ./pre-inst-env guix build "$@"
        fi
    }
    export_function build

    # Predefine push Git command.
    push()
    {
        git push --set-upstream origin
    }
    export_function push

    clear                        # Clean up the screen.
    git-cal --author='Your Name' # Show contributions calendar.

    # Show commands help.
    echo "
build          build a package or just a project if no argument provided
configure      run ./configure with predefined parameters
push           push to upstream Git repository
"
}

Every project containing .envrc with a string use guix will have predefined environment variables and procedures.

Run direnv allow to setup the environment for the first time.

9.1 Setting Up a Head Node

The recommended approach is to set up one head node running guix-daemon and exporting /gnu/store over NFS to compute nodes.

Remember that guix-daemon is responsible for spawning build processes and downloads on behalf of clients (see Invoking guix-daemon in GNU Guix Reference Manual), and more generally accessing /gnu/store, which contains all the package binaries built by all the users (see The Store in GNU Guix Reference Manual). “Client” here refers to all the Guix commands that users see, such as guix install. On a cluster, these commands may be running on the compute nodes and we’ll want them to talk to the head node’s guix-daemon instance.

To begin with, the head node can be installed following the usual binary installation instructions (see Binary Installation in GNU Guix Reference Manual). Thanks to the installation script, this should be quick. Once installation is complete, we need to make some adjustments.

Since we want guix-daemon to be reachable not just from the head node but also from the compute nodes, we need to arrange so that it listens for connections over TCP/IP. To do that, we’ll edit the systemd startup file for guix-daemon, /etc/systemd/system/guix-daemon.service, and add a --listen argument to the ExecStart line so that it looks something like this:

ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild --listen=/var/guix/daemon-socket/socket --listen=0.0.0.0

For these changes to take effect, the service needs to be restarted:

systemctl daemon-reload
systemctl restart guix-daemon

Observera: The --listen=0.0.0.0 bit means that guix-daemon will process all incoming TCP connections on port 44146 (see Invoking guix-daemon in GNU Guix Reference Manual). This is usually fine in a cluster setup where the head node is reachable exclusively from the cluster’s local area network—you don’t want that to be exposed to the Internet!

The next step is to define our NFS exports in /etc/exports by adding something along these lines:

/gnu/store    *(ro)
/var/guix     *(rw, async)
/var/log/guix *(ro)

The /gnu/store directory can be exported read-only since only guix-daemon on the master node will ever modify it. /var/guix contains user profiles as managed by guix package; thus, to allow users to install packages with guix package, this must be read-write.

Users can create as many profiles as they like in addition to the default profile, ~/.guix-profile. For instance, guix package -p ~/dev/python-dev -i python installs Python in a profile reachable from the ~/dev/python-dev symlink. To make sure that this profile is protected from garbage collection—i.e., that Python will not be removed from /gnu/store while this profile exists—, home directories should be mounted on the head node as well so that guix-daemon knows about these non-standard profiles and avoids collecting software they refer to.

It may be a good idea to periodically remove unused bits from /gnu/store by running guix gc (see Invoking guix gc in GNU Guix Reference Manual). This can be done by adding a crontab entry on the head node:

root@master# crontab -e

... with something like this:

# Every day at 5AM, run the garbage collector to make sure
# at least 10 GB are free on /gnu/store.
0 5 * * 1  /usr/local/bin/guix gc -F10G

We’re done with the head node! Let’s look at compute nodes now.

9.2 Setting Up Compute Nodes

First of all, we need compute nodes to mount those NFS directories that the head node exports. This can be done by adding the following lines to /etc/fstab:

head-node:/gnu/store    /gnu/store    nfs  defaults,_netdev,vers=3 0 0
head-node:/var/guix     /var/guix     nfs  defaults,_netdev,vers=3 0 0
head-node:/var/log/guix /var/log/guix nfs  defaults,_netdev,vers=3 0 0

... where head-node is the name or IP address of your head node. From there on, assuming the mount points exist, you should be able to mount each of these on the compute nodes.

Next, we need to provide a default guix command that users can run when they first connect to the cluster (eventually they will invoke guix pull, which will provide them with their “own” guix command). Similar to what the binary installation script did on the head node, we’ll store that in /usr/local/bin:

mkdir -p /usr/local/bin
ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix \
      /usr/local/bin/guix

We then need to tell guix to talk to the daemon running on our master node, by adding these lines to /etc/profile:

GUIX_DAEMON_SOCKET="guix://head-node"
export GUIX_DAEMON_SOCKET

To avoid warnings and make sure guix uses the right locale, we need to tell it to use locale data provided by Guix (see Application Setup in GNU Guix Reference Manual):

GUIX_LOCPATH=/var/guix/profiles/per-user/root/guix-profile/lib/locale
export GUIX_LOCPATH

# Here we must use a valid locale name.  Try "ls $GUIX_LOCPATH/*"
# to see what names can be used.
LC_ALL=fr_FR.utf8
export LC_ALL

For convenience, guix package automatically generates ~/.guix-profile/etc/profile, which defines all the environment variables necessary to use the packages—PATH, C_INCLUDE_PATH, PYTHONPATH, etc. Likewise, guix pull does that under ~/.config/guix/current. Thus it’s a good idea to source both from /etc/profile:

for GUIX_PROFILE in "$HOME/.config/guix/current" "$HOME/.guix-profile"
do
  if [ -f "$GUIX_PROFILE/etc/profile" ]; then
    . "$GUIX_PROFILE/etc/profile"
  fi
done

Last but not least, Guix provides command-line completion notably for Bash and zsh. In /etc/bashrc, consider adding this line:

. /var/guix/profiles/per-user/root/current-guix/etc/bash_completion.d/guix

Voilà!

You can check that everything’s in place by logging in on a compute node and running:

guix install hello

The daemon on the head node should download pre-built binaries on your behalf and unpack them in /gnu/store, and guix install should create ~/.guix-profile containing the ~/.guix-profile/bin/hello command.

9.3 Nätverksåtkomst

Guix kräver en nätverksåtkomst för att hämta källkod och förbyggda binärfiler. The good news is that only the head node needs that since compute nodes simply delegate to it.

It is customary for cluster nodes to have access at best to a white list of hosts. Our head node needs at least ci.guix.gnu.org in this white list since this is where it gets pre-built binaries from by default, for all the packages that are in Guix proper.

Incidentally, ci.guix.gnu.org also serves as a content-addressed mirror of the source code of those packages. Consequently, it is sufficient to have only ci.guix.gnu.org in that white list.

Software packages maintained in a separate repository such as one of the various HPC channels are of course unavailable from ci.guix.gnu.org. For these packages, you may want to extend the white list such that source and pre-built binaries (assuming this-party servers provide binaries for these packages) can be downloaded. As a last resort, users can always download source on their workstation and add it to the cluster’s /gnu/store, like this:

GUIX_DAEMON_SOCKET=ssh://compute-node.example.org \
  guix download http://starpu.gforge.inria.fr/files/starpu-1.2.3/starpu-1.2.3.tar.gz

The above command downloads starpu-1.2.3.tar.gz and sends it to the cluster’s guix-daemon instance over SSH.

Air-gapped clusters require more work. At the moment, our suggestion would be to download all the necessary source code on a workstation running Guix. For instance, using the --sources option of guix build (see Invoking guix build in GNU Guix Reference Manual), the example below downloads all the source code the openmpi package depends on:

$ guix build --sources=transitive openmpi

…

/gnu/store/xc17sm60fb8nxadc4qy0c7rqph499z8s-openmpi-1.10.7.tar.bz2
/gnu/store/s67jx92lpipy2nfj5cz818xv430n4b7w-gcc-5.4.0.tar.xz
/gnu/store/npw9qh8a46lrxiwh9xwk0wpi3jlzmjnh-gmp-6.0.0a.tar.xz
/gnu/store/hcz0f4wkdbsvsdky3c0vdvcawhdkyldb-mpfr-3.1.5.tar.xz
/gnu/store/y9akh452n3p4w2v631nj0injx7y0d68x-mpc-1.0.3.tar.gz
/gnu/store/6g5c35q8avfnzs3v14dzl54cmrvddjm2-glibc-2.25.tar.xz
/gnu/store/p9k48dk3dvvk7gads7fk30xc2pxsd66z-hwloc-1.11.8.tar.bz2
/gnu/store/cry9lqidwfrfmgl0x389cs3syr15p13q-gcc-5.4.0.tar.xz
/gnu/store/7ak0v3rzpqm2c5q1mp3v7cj0rxz0qakf-libfabric-1.4.1.tar.bz2
/gnu/store/vh8syjrsilnbfcf582qhmvpg1v3rampf-rdma-core-14.tar.gz
…

(Ifall du undrar är det där mer än 320 MiB av komprimerad källkod.)

We can then make a big archive containing all of this (see Invoking guix archive in GNU Guix Reference Manual):

$ guix archive --export \
    `guix build --sources=transitive openmpi` \
    > openmpi-source-code.nar

… and we can eventually transfer that archive to the cluster on removable storage and unpack it there:

$ guix archive --import < openmpi-source-code.nar

This process has to be repeated every time new source code needs to be brought to the cluster.

As we write this, the research institutes involved in Guix-HPC do not have air-gapped clusters though. If you have experience with such setups, we would like to hear feedback and suggestions.

9.4 Diskanvändning

A common concern of sysadmins’ is whether this is all going to eat a lot of disk space. If anything, if something is going to exhaust disk space, it’s going to be scientific data sets rather than compiled software—that’s our experience with almost ten years of Guix usage on HPC clusters. Nevertheless, it’s worth taking a look at how Guix contributes to disk usage.

First, having several versions or variants of a given package in /gnu/store does not necessarily cost much, because guix-daemon implements deduplication of identical files, and package variants are likely to have a number of common files.

As mentioned above, we recommend having a cron job to run guix gc periodically, which removes unused software from /gnu/store. However, there’s always a possibility that users will keep lots of software in their profiles, or lots of old generations of their profiles, which is “live” and cannot be deleted from the viewpoint of guix gc.

Lösningen till det här är för användarna att regelbundet ta bort gamla generationer av sina profiler. Exempelvis kommer följande kommando att ta bort generationer som är mer än två månader gamla:

guix package --delete-generations=2m

Dessutom är det en god idé att uppmuntra användare till att regelbundet uppgradera sina profiler, vilket kan reducera antalet varianter av en given programvara som lagras i /gnu/store:

guix pull
guix upgrade

Som en sista utväg är det alltid möjligt för systemadministratörer att göra en del av det här på deras användares vägnar. Trots allt är en av Guix styrkor den frihet och kontroll över sin programmiljö som Guix skänker sina användare, därför rekommenderar vi starkt att lämna över kontrollen till användarna.

9.5 Security Considerations

On an HPC cluster, Guix is typically used to manage scientific software. Security-critical software such as the operating system kernel and system services such as sshd and the batch scheduler remain under control of sysadmins.

Guix-projektet har en god vana av att tillhandahålla säkerhetsuppdateringar i rättan tid (see Security Updates in GNU Guix Reference Manual). För att få säkerhetsuppdateringar behöver användare köra guix pull && guix upgrade.

Because Guix uniquely identifies software variants, it is easy to see if a vulnerable piece of software is in use. For instance, to check whether the glibc 2.25 variant without the mitigation patch against “Stack Clash”, one can check whether user profiles refer to it at all:

guix gc --referrers /gnu/store/…-glibc-2.25

Det här kommer att rapportera om profiler som refererar till den här specifika glibc-varianten existerar.