In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I995989bb623bb594ccdafbf4a1a6de941bd4189f
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.
Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* doc/guix.texi (Invoking guix import): Mention '--allow-yanked'.
* guix/import/crate.scm (make-crate-sexp): Add yanked? argument. For
yanked packages, use the full version suffixed by "-yanked" for
generated variable names and add a comment and package property.
(crate->guix-package): Add allow-yanked? argument and if it is set to #t,
allow importing yanked crates if no other version matching the
requirements exists.
[find-package-version]: Packages previously marked as yanked are only
included if allow-yanked? is #t and then take the lowest priority.
[find-crate-version]: If allow-yanked? is #t, also consider yanked
versions with the lowest priority.
[dependency-name+version]: Rename to ...
[dependency-name+version+yanked] ...this. Honor allow-yanked? and choose
between an existing package and an upstream package. Exit with an error
message if no version fulfilling the requirement is found.
[version*]: Exit with an error message if the crate version is not found.
(cargo-recursive-import): Add allow-yanked? argument.
* guix/read-print.scm: Export <comment>.
* guix/scripts/import/crate.scm: Add "--allow-yanked".
* tests/crate.scm: Add test 'crate-recursive-import-only-yanked-available'.
[sort-map-dependencies]: Adjust accordingly.
[remove-yanked-info]: New variable.
Adjust test 'crate-recursive-import-honors-existing-packages'.
(test-bar-dependencies): Add yanked dev-dependencies.
(test-leaf-bob-crate): Add yanked versions.
(rust-leaf-bob-3.0.2-yanked): New variable.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
Change-Id: I175d89b39774e6b57dcd1f05bf68718d23866bb7
If --recursive-dev-dependencies is specified, development dependencies
are also included for all recursively imported packages.
* doc/guix.texi (Invoking guix import): Mention --recursive-dev-dependencies.
* guix/import/crate.scm (crate-recursive-import): Add
recursive-dev-dependencies? argument.
* guix/scripts/import/crate.scm (show-help, guix-import-crate): Add
"--recursive-dev-dependencies".
* tests/crate.scm: Test both #f and #t for #:recursive-dev-dependencies?
in the 'cargo-recursive-import' test.
(test-root-dependencies): Add intermediate-c as dev-dependency.
(test-intermediate-c-crate, test-intermediate-c-dependencies): New
variables.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
Change-Id: Iae89794681155d77f128733120e60f03bc297717
Having a timeout seems generally preferable as it makes sure build slots
are not kept busy for no good reason (few package builds, if any, are
expected to exceed these values).
* nix/libstore/globals.cc (Settings::Settings): Change ‘maxSilentTime’
and ‘buildTimeout’.
* gnu/services/base.scm (<guix-configuration>)[max-silent-time]
[timeout]: Change default values.
* doc/guix.texi (Invoking guix-daemon, Base Services): Adjust
accordingly.
Change-Id: I25c50893f3f7fcca451b8f093d9d4d1a15fa58d8
* doc/guix.texi (Virtualization Services): Document the necessity of being
part of the "libvirt" group and augment example. Remove extraneous
"(unix-sock-group "libvirt")" from example, as this is now the default value.
Update default documented value from "root" to "libvirt".
Fixes: https://issues.guix.gnu.org/34611
Reported-by: Brett Gilio <brettg@posteo.net>
Change-Id: I5fe17706f69db55fbd661e0a43115c56d0ffd9a9
This adds a set of home Shepherd services which will start the required
services for a functional PipeWire setup.
* gnu/home/services/sound.scm (home-pipewire-shepherd-service,
home-wireplumber-shepherd-service, home-pipewire-shepherd-services,
home-pipewire-asoundrc, home-pipewire-xdg-configuration,
home-pipewire-pulseaudio-shepherd-service): New procedures.
(home-pipewire-service-type): New service type.
(home-pipewire-configuration): New struct.
(home-pipewire-disable-pulseaudio-auto-start): New variable.
* doc/guix.texi (Sound Home Services): Document it.
Change-Id: I99e0ae860de91d459c3c554ec5503bf35f785a2a
Signed-off-by: Oleg Pykhalov <go.wigust@gmail.com>
This has been effectively replaced by the bffe.
* gnu/services/guix.scm (<guix-data-service-configuration>): Remove record
type.
(guix-build-coordinator-queue-builds-shepherd-services,
guix-build-coordinator-queue-builds-activation,
guix-build-coordinator-queue-builds-account): Remove procedures
(guix-build-coordinator-queue-builds-service-type): Remove service type.
Change-Id: I2a233fb10b12cc9bfddebaa35928b25c243f82a2
* gnu/services/base.scm (guix-machines-files-installation): Handle
machines being a mixed list of build-machines and lists of
build-machines.
* doc/guix.texi (Base Services): Document it.
Change-Id: Ie404562ca0b564413233c3a624046da831893dc3
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
The goal is to make it easier to diagnose substitute
misconfiguration (where we’re passing a substitute URL whose
corresponding key is not authorized).
Suggested by Emmanuel Agullo.
* guix/scripts/weather.scm (check-narinfo-authorization): New procedure.
(report-server-coverage): Use it.
* doc/guix.texi (Invoking guix weather): Document it.
(Getting Substitutes from Other Servers): Add “Troubleshooting” frame.
Change-Id: I0a049c39eefb10d6a06634c8b16aa86902769791
* doc/guix.texi (Networking Services): Update the sample yggdrasil-private.conf.
Remove obsolete options that may contain a file whose path is specified in the
config-file field of yggdrasil-configuration.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* guix/build/git.scm (git-fetch) [lfs?]: New argument, doc and setup code.
(git-fetch-with-fallback) [lfs?]: New argument. Pass it to git-fetch.
* guix/git-download.scm (git-lfs-package): New procedure.
(git-fetch/in-band*): New procedure, made of the logic of git-fetch/in-band,
with new git-lfs specifics, with the following changes:
New #:git-lfs argument.
<inputs>: Remove labels. Conditionally add git-lfs.
<build>: Read "git lfs?" environment
variable and pass its value to the #:lfs? argument of git-fetch-with-fallback.
Use INPUTS directly; update comment.
<gexp->derivation>: Add "git lfs?" to #:env-vars.
(git-fetch/in-band): Express in terms of git-fetch/in-band*.
(git-fetch/lfs): New procedure.
* doc/guix.texi (origin Reference): Document it.
Change-Id: I5b233b8642a7bdb8737b9d9b740e7254a89ccb25
Reviewed-by: Ludovic Courtès <ludo@gnu.org>
So far this section would appear before “Getting Started”. This moves
it right after “System Configuration”.
* doc/guix.texi (System Troubleshooting Tips): Move after “System
Configuration”.
* doc/guix.texi (Certificate Services): Replace PID file based example with
one using (gnu services herd). Rename %nginx-deploy-hook to
%certbot-deploy-hook.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Previously, the image repository name was automatically computed from
the packages in the manifest without allowing the user to set a custom
one. As such, changing the packages in the manifest would result in a
new image name. Thereby requiring updating documentation et cetera when
using `docker load` directory on the resulting image.
Inspired by `docker build -t`, this commit adds a new Docker-specific
option to `guix pack` which allows setting a custom repository name for
the resulting image. If this option is not specified, pack falls back
to computing the name from the manifest. Therefore, this change is
entirely backwards compatible.
* guix/scripts/pack.scm (guix-pack): Add --image-tag option.
(%docker-format-options): New constant.
(show-docker-format-options): New procedure.
(show-docker-format-options/detailed): New procedure.
(docker-image): Allow setting a custom
repository name for the created docker image via extra-options.
* doc/guix.texi (Invoking guix pack)[docker]: Document --image-tag option.
Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
* gnu/services/cuirass.scm (<cuirass-remote-server-configuration>)[log-expiry]:
New field.
(cuirass-shepherd-service): Honor it.
* doc/guix.texi (Continuous Integration): Document it.
* gnu/services/base.scm (<network-link>): Add mac-address field. Set
type field to #f by default, so it won't be mandatory. network-link
without a type will be used for existing interfaces.
(assert-network-link-mac-address, mac-address?): Add sanitizer. Allow
valid mac-address or #f.
(assert-network-link-type): Add sanitizer. Allow symbol or #f.
* gnu/services/base.scm (network-set-up/linux,
network-tear-down/linux): Adapt to new structure.
* doc/guix.texi (Networking Setup): Document it.
* gnu/tests/networking.scm (run-static-networking-advanced-test): New
variable.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Rewrite this section to make it easier to document later syntactical
changes.
* doc/guix.texi (Complex Configurations): Rewrite define-configuration
documentation. Fix simple serializer example.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
When the manual has "variant-personal-packages", it actually refers to the
channel "variant-packages", as it is named so elsewhere.
To correct this, I ran the command
grep -r -l variant-personal-packages | xargs \
sed -i 's/variang-personal-packages/variant-packages/g'
* doc/guix.texi (Specifying Additional Channels): Fix channel name typo.
* po/doc/guix-manual.de.po: Fix channel name typo.
* po/doc/guix-manual.es.po: Fix channel name typo.
* po/doc/guix-manual.fr.po: Fix channel name typo.
* po/doc/guix-manual.pt_BR.po: Fix channel name typo.
* po/doc/guix-manual.ru.po: Fix channel name typo.
* po/doc/guix-manual.zh_CN.po: Fix channel name typo.
Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This allows for zero-configuration offloading to a childhurd.
* gnu/services/virtualization.scm (operating-system-with-offloading-account):
New procedure.
(<hurd-vm-configuration>)[offloading?]: New field.
(hurd-vm-disk-image): Define ‘transform’ and use it.
(hurd-vm-activation): Generate SSH key for user ‘offloading’ and add
authorize it via /etc/childhurd/etc/ssh/authorized_keys.d.
(hurd-vm-configuration-offloading-ssh-key)
(hurd-vm-guix-extension): New procedures.
(hurd-vm-service-type): Add GUIX-SERVICE-TYPE extension.
* gnu/tests/virtualization.scm (run-childhurd-test)[import-module?]: New
procedure.
[os]: Add (gnu build install) and its closure to #:import-modules.
[test]: Add “copy-on-write store” and “offloading” tests.
* doc/guix.texi (Virtualization Services): Document it.
With offloading to a childhurd is enabled, allowing password-less root
login in the childhurd to anyone amounts to providing write access to
the host’s store to anyone. Thus, disable password-based root logins in
the childhurd.
* gnu/services/virtualization.scm (%hurd-vm-operating-system): Change
‘permit-root-login’ to 'prohibit-password.
* gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’
field for ‘hurd-vm-configuration’.
* doc/guix.texi (Virtualization Services): Remove mention of
password-less root login.
Tomas Volf
Nikolaos Chatzikonstantinou
David Elsing
Oleg Pykhalov
Graham James Addis
Tomas Volf
Ludovic Courtès
Connor Clark
Maxim Cournoyer
David Thompson
Brian Cully
Christopher Baines
Nicolas Graves
Efraim Flashner
Thomas Ieong
Saku Laesvuori
Jean-Pierre De Jesus DIAZ
Ludovic Courtès
Aleksandr Vityazev
Giacomo Leidi
Jonathan Scoresby
Ekaitz Zarraga
Christina O'Donnell
Gabriel Wicki
Bruno Victal
Sören Tempel
Alexey Abramov