GNU Guix Reference Manual

Table of Contents

Next: , Up: (dir)   [Contents][Index]

GNU Guix

This document describes GNU Guix version 0.15.0, a functional package management tool written for the GNU system.

This manual is also available in French (see Manuel de référence de GNU Guix). If you would like to translate it in your native language, consider joining the Translation Project.


Next: , Previous: , Up: Top   [Contents][Index]

1 Introduction

GNU Guix1 is a package management tool for the GNU system. Guix makes it easy for unprivileged users to install, upgrade, or remove packages, to roll back to a previous package set, to build packages from source, and generally assists with the creation and maintenance of software environments.

Guix provides a command-line package management interface (see Invoking guix package), a set of command-line utilities (see Utilities), as well as Scheme programming interfaces (see Programming Interface). Its build daemon is responsible for building packages on behalf of users (see Setting Up the Daemon) and for downloading pre-built binaries from authorized sources (see Substitutes).

Guix includes package definitions for many GNU and non-GNU packages, all of which respect the user’s computing freedom. It is extensible: users can write their own package definitions (see Defining Packages) and make them available as independent package modules (see Package Modules). It is also customizable: users can derive specialized package definitions from existing ones, including from the command line (see Package Transformation Options).

You can install GNU Guix on top of an existing GNU/Linux system where it complements the available tools without interference (see Installation), or you can use it as part of the standalone Guix System Distribution or GuixSD (see GNU Distribution). With GNU GuixSD, you declare all aspects of the operating system configuration and Guix takes care of instantiating the configuration in a transactional, reproducible, and stateless fashion (see System Configuration).

Under the hood, Guix implements the functional package management discipline pioneered by Nix (see Acknowledgments). In Guix, the package build and installation process is seen as a function, in the mathematical sense. That function takes inputs, such as build scripts, a compiler, and libraries, and returns an installed package. As a pure function, its result depends solely on its inputs—for instance, it cannot refer to software or scripts that were not explicitly passed as inputs. A build function always produces the same result when passed a given set of inputs. It cannot alter the environment of the running system in any way; for instance, it cannot create, modify, or delete files outside of its build and installation directories. This is achieved by running build processes in isolated environments (or containers), where only their explicit inputs are visible.

The result of package build functions is cached in the file system, in a special directory called the store (see The Store). Each package is installed in a directory of its own in the store—by default under /gnu/store. The directory name contains a hash of all the inputs used to build that package; thus, changing an input yields a different directory name.

This approach is the foundation for the salient features of Guix: support for transactional package upgrade and rollback, per-user installation, and garbage collection of packages (see Features).


Next: , Previous: , Up: Top   [Contents][Index]

2 Installation

GNU Guix is available for download from its website at http://www.gnu.org/software/guix/. This section describes the software requirements of Guix, as well as how to install it and get ready to use it.

Note that this section is concerned with the installation of the package manager, which can be done on top of a running GNU/Linux system. If, instead, you want to install the complete GNU operating system, see System Installation.

When installed on a running GNU/Linux system—thereafter called a foreign distro—GNU Guix complements the available tools without interference. Its data lives exclusively in two directories, usually /gnu/store and /var/guix; other files on your system, such as /etc, are left untouched.

Once installed, Guix can be updated by running guix pull (see Invoking guix pull).


Next: , Up: Installation   [Contents][Index]

2.1 Binary Installation

This section describes how to install Guix on an arbitrary system from a self-contained tarball providing binaries for Guix and for all its dependencies. This is often quicker than installing from source, which is described in the next sections. The only requirement is to have GNU tar and Xz.

We provide a shell installer script, which automates the download, installation, and initial configuration of Guix. It should be run as the root user.

Installing goes along these lines:

  1. Download the binary tarball from ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.15.0.system.tar.xz’, where system is x86_64-linux for an x86_64 machine already running the kernel Linux, and so on.

    Make sure to download the associated .sig file and to verify the authenticity of the tarball against it, along these lines:

    $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.15.0.system.tar.xz.sig
    $ gpg --verify guix-binary-0.15.0.system.tar.xz.sig
    

    If that command fails because you do not have the required public key, then run this command to import it:

    $ gpg --keyserver pgp.mit.edu --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
    

    and rerun the gpg --verify command.

  2. Now, you need to become the root user. Depending on your distribution, you may have to run su - or sudo -i. As root, run:
    # cd /tmp
    # tar --warning=no-timestamp -xf \
         guix-binary-0.15.0.system.tar.xz
    # mv var/guix /var/ && mv gnu /
    

    This creates /gnu/store (see The Store) and /var/guix. The latter contains a ready-to-use profile for root (see next step.)

    Do not unpack the tarball on a working Guix system since that would overwrite its own essential files.

    The --warning=no-timestamp option makes sure GNU tar does not emit warnings about “implausibly old time stamps” (such warnings were triggered by GNU tar 1.26 and older; recent versions are fine.) They stem from the fact that all the files in the archive have their modification time set to zero (which means January 1st, 1970.) This is done on purpose to make sure the archive content is independent of its creation time, thus making it reproducible.

  3. Make root’s profile available under ~root/.guix-profile:
    # ln -sf /var/guix/profiles/per-user/root/guix-profile \
             ~root/.guix-profile
    

    Source etc/profile to augment PATH and other relevant environment variables:

    # GUIX_PROFILE="`echo ~root`/.guix-profile" ; \
      source $GUIX_PROFILE/etc/profile
    
  4. Create the group and user accounts for build users as explained below (see Build Environment Setup).
  5. Run the daemon, and set it to automatically start on boot.

    If your host distro uses the systemd init system, this can be achieved with these commands:

    # cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \
            /etc/systemd/system/
    # systemctl start guix-daemon && systemctl enable guix-daemon
    

    If your host distro uses the Upstart init system:

    # initctl reload-configuration
    # cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/
    # start guix-daemon
    

    Otherwise, you can still start the daemon manually with:

    # ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
    
  6. Make the guix command available to other users on the machine, for instance with:
    # mkdir -p /usr/local/bin
    # cd /usr/local/bin
    # ln -s /var/guix/profiles/per-user/root/guix-profile/bin/guix
    

    It is also a good idea to make the Info version of this manual available there:

    # mkdir -p /usr/local/share/info
    # cd /usr/local/share/info
    # for i in /var/guix/profiles/per-user/root/guix-profile/share/info/* ;
      do ln -s $i ; done
    

    That way, assuming /usr/local/share/info is in the search path, running info guix will open this manual (see Other Info Directories in GNU Texinfo, for more details on changing the Info search path.)

  7. To use substitutes from hydra.gnu.org or one of its mirrors (see Substitutes), authorize them:
    # guix archive --authorize < ~root/.guix-profile/share/guix/hydra.gnu.org.pub
    
  8. Each user may need to perform a few additional steps to make their Guix environment ready for use, see Application Setup.

Voilà, the installation is complete!

You can confirm that Guix is working by installing a sample package into the root profile:

# guix package -i hello

The guix package must remain available in root’s profile, or it would become subject to garbage collection—in which case you would find yourself badly handicapped by the lack of the guix command. In other words, do not remove guix by running guix package -r guix.

The binary installation tarball can be (re)produced and verified simply by running the following command in the Guix source tree:

make guix-binary.system.tar.xz

... which, in turn, runs:

guix pack -s system --localstatedir guix

See Invoking guix pack, for more info on this handy tool.


Next: , Previous: , Up: Installation   [Contents][Index]

2.2 Requirements

This section lists requirements when building Guix from source. The build procedure for Guix is the same as for other GNU software, and is not covered here. Please see the files README and INSTALL in the Guix source tree for additional details.

GNU Guix depends on the following packages:

The following dependencies are optional:

Unless --disable-daemon was passed to configure, the following packages are also needed:

When configuring Guix on a system that already has a Guix installation, be sure to specify the same state directory as the existing installation using the --localstatedir option of the configure script (see localstatedir in GNU Coding Standards). The configure script protects against unintended misconfiguration of localstatedir so you do not inadvertently corrupt your store (see The Store).

When a working installation of the Nix package manager is available, you can instead configure Guix with --disable-daemon. In that case, Nix replaces the three dependencies above.

Guix is compatible with Nix, so it is possible to share the same store between both. To do so, you must pass configure not only the same --with-store-dir value, but also the same --localstatedir value. The latter is essential because it specifies where the database that stores metadata about the store is located, among other things. The default values for Nix are --with-store-dir=/nix/store and --localstatedir=/nix/var. Note that --disable-daemon is not required if your goal is to share the store with Nix.


Next: , Previous: , Up: Installation   [Contents][Index]

2.3 Running the Test Suite

After a successful configure and make run, it is a good idea to run the test suite. It can help catch issues with the setup or environment, or bugs in Guix itself—and really, reporting test failures is a good way to help improve the software. To run the test suite, type:

make check

Test cases can run in parallel: you can use the -j option of GNU make to speed things up. The first run may take a few minutes on a recent machine; subsequent runs will be faster because the store that is created for test purposes will already have various things in cache.

It is also possible to run a subset of the tests by defining the TESTS makefile variable as in this example:

make check TESTS="tests/store.scm tests/cpio.scm"

By default, tests results are displayed at a file level. In order to see the details of every individual test cases, it is possible to define the SCM_LOG_DRIVER_FLAGS makefile variable as in this example:

make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no"

Upon failure, please email bug-guix@gnu.org and attach the test-suite.log file. Please specify the Guix version being used as well as version numbers of the dependencies (see Requirements) in your message.

Guix also comes with a whole-system test suite that tests complete GuixSD operating system instances. It can only run on systems where Guix is already installed, using:

make check-system

or, again, by defining TESTS to select a subset of tests to run:

make check-system TESTS="basic mcron"

These system tests are defined in the (gnu tests …) modules. They work by running the operating systems under test with lightweight instrumentation in a virtual machine (VM). They can be computationally intensive or rather cheap, depending on whether substitutes are available for their dependencies (see Substitutes). Some of them require a lot of storage space to hold VM images.

Again in case of test failures, please send bug-guix@gnu.org all the details.


Next: , Previous: , Up: Installation   [Contents][Index]

2.4 Setting Up the Daemon

Operations such as building a package or running the garbage collector are all performed by a specialized process, the build daemon, on behalf of clients. Only the daemon may access the store and its associated database. Thus, any operation that manipulates the store goes through the daemon. For instance, command-line tools such as guix package and guix build communicate with the daemon (via remote procedure calls) to instruct it what to do.

The following sections explain how to prepare the build daemon’s environment. See also Substitutes, for information on how to allow the daemon to download pre-built binaries.


Next: , Up: Setting Up the Daemon   [Contents][Index]

2.4.1 Build Environment Setup

In a standard multi-user setup, Guix and its daemon—the guix-daemon program—are installed by the system administrator; /gnu/store is owned by root and guix-daemon runs as root. Unprivileged users may use Guix tools to build packages or otherwise access the store, and the daemon will do it on their behalf, ensuring that the store is kept in a consistent state, and allowing built packages to be shared among users.

When guix-daemon runs as root, you may not want package build processes themselves to run as root too, for obvious security reasons. To avoid that, a special pool of build users should be created for use by build processes started by the daemon. These build users need not have a shell and a home directory: they will just be used when the daemon drops root privileges in build processes. Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other—an essential feature since builds are regarded as pure functions (see Introduction).

On a GNU/Linux system, a build user pool may be created like this (using Bash syntax and the shadow commands):

# groupadd --system guixbuild
# for i in `seq -w 1 10`;
  do
    useradd -g guixbuild -G guixbuild           \
            -d /var/empty -s `which nologin`    \
            -c "Guix build user $i" --system    \
            guixbuilder$i;
  done

The number of build users determines how many build jobs may run in parallel, as specified by the --max-jobs option (see --max-jobs). To use guix system vm and related commands, you may need to add the build users to the kvm group so they can access /dev/kvm, using -G guixbuild,kvm instead of -G guixbuild (see Invoking guix system).

The guix-daemon program may then be run as root with the following command2:

# guix-daemon --build-users-group=guixbuild

This way, the daemon starts build processes in a chroot, under one of the guixbuilder users. On GNU/Linux, by default, the chroot environment contains nothing but:

You can influence the directory where the daemon stores build trees via the TMPDIR environment variable. However, the build tree within the chroot is always called /tmp/guix-build-name.drv-0, where name is the derivation name—e.g., coreutils-8.24. This way, the value of TMPDIR does not leak inside build environments, which avoids discrepancies in cases where build processes capture the name of their build tree.

The daemon also honors the http_proxy environment variable for HTTP downloads it performs, be it for fixed-output derivations (see Derivations) or for substitutes (see Substitutes).

If you are installing Guix as an unprivileged user, it is still possible to run guix-daemon provided you pass --disable-chroot. However, build processes will not be isolated from one another, and not from the rest of the system. Thus, build processes may interfere with each other, and may access programs, libraries, and other files available on the system—making it much harder to view them as pure functions.


Next: , Previous: , Up: Setting Up the Daemon   [Contents][Index]

2.4.2 Using the Offload Facility

When desired, the build daemon can offload derivation builds to other machines running Guix, using the offload build hook4. When that feature is enabled, a list of user-specified build machines is read from /etc/guix/machines.scm; every time a build is requested, for instance via guix build, the daemon attempts to offload it to one of the machines that satisfy the constraints of the derivation, in particular its system type—e.g., x86_64-linux. Missing prerequisites for the build are copied over SSH to the target machine, which then proceeds with the build; upon success the output(s) of the build are copied back to the initial machine.

The /etc/guix/machines.scm file typically looks like this:

(list (build-machine
        (name "eightysix.example.org")
        (system "x86_64-linux")
        (host-key "ssh-ed25519 AAAAC3Nza…")
        (user "bob")
        (speed 2.))     ;incredibly fast!

      (build-machine
        (name "meeps.example.org")
        (system "mips64el-linux")
        (host-key "ssh-rsa AAAAB3Nza…")
        (user "alice")
        (private-key
         (string-append (getenv "HOME")
                        "/.ssh/identity-for-guix"))))

In the example above we specify a list of two build machines, one for the x86_64 architecture and one for the mips64el architecture.

In fact, this file is—not surprisingly!—a Scheme file that is evaluated when the offload hook is started. Its return value must be a list of build-machine objects. While this example shows a fixed list of build machines, one could imagine, say, using DNS-SD to return a list of potential build machines discovered in the local network (see Guile-Avahi in Using Avahi in Guile Scheme Programs). The build-machine data type is detailed below.

Data Type: build-machine

This data type represents build machines to which the daemon may offload builds. The important fields are:

name

The host name of the remote machine.

system

The system type of the remote machine—e.g., "x86_64-linux".

user

The user account to use when connecting to the remote machine over SSH. Note that the SSH key pair must not be passphrase-protected, to allow non-interactive logins.

host-key

This must be the machine’s SSH public host key in OpenSSH format. This is used to authenticate the machine when we connect to it. It is a long string that looks like this:

ssh-ed25519 AAAAC3NzaC…mde+UhL hint@example.org

If the machine is running the OpenSSH daemon, sshd, the host key can be found in a file such as /etc/ssh/ssh_host_ed25519_key.pub.

If the machine is running the SSH daemon of GNU lsh, lshd, the host key is in /etc/lsh/host-key.pub or a similar file. It can be converted to the OpenSSH format using lsh-export-key (see Converting keys in LSH Manual):

$ lsh-export-key --openssh < /etc/lsh/host-key.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV…

A number of optional fields may be specified:

port (default: 22)

Port number of SSH server on the machine.

private-key (default: ~root/.ssh/id_rsa)

The SSH private key file to use when connecting to the machine, in OpenSSH format. This key must not be protected with a passphrase.

Note that the default value is the private key of the root account. Make sure it exists if you use the default.

compression (default: "zlib@openssh.com,zlib")
compression-level (default: 3)

The SSH-level compression methods and compression level requested.

Note that offloading relies on SSH compression to reduce bandwidth usage when transferring files to and from build machines.

daemon-socket (default: "/var/guix/daemon-socket/socket")

File name of the Unix-domain socket guix-daemon is listening to on that machine.

parallel-builds (default: 1)

The number of builds that may run in parallel on the machine.

speed (default: 1.0)

A “relative speed factor”. The offload scheduler will tend to prefer machines with a higher speed factor.

features (default: '())

A list of strings denoting specific features supported by the machine. An example is "kvm" for machines that have the KVM Linux modules and corresponding hardware support. Derivations can request features by name, and they will be scheduled on matching build machines.

The guile command must be in the search path on the build machines. In addition, the Guix modules must be in $GUILE_LOAD_PATH on the build machine—you can check whether this is the case by running:

ssh build-machine guile -c "'(use-modules (guix config))'"

There is one last thing to do once machines.scm is in place. As explained above, when offloading, files are transferred back and forth between the machine stores. For this to work, you first need to generate a key pair on each machine to allow the daemon to export signed archives of files from the store (see Invoking guix archive):

# guix archive --generate-key

Each build machine must authorize the key of the master machine so that it accepts store items it receives from the master:

# guix archive --authorize < master-public-key.txt

Likewise, the master machine must authorize the key of each build machine.

All the fuss with keys is here to express pairwise mutual trust relations between the master and the build machines. Concretely, when the master receives files from a build machine (and vice versa), its build daemon can make sure they are genuine, have not been tampered with, and that they are signed by an authorized key.

To test whether your setup is operational, run this command on the master node:

# guix offload test

This will attempt to connect to each of the build machines specified in /etc/guix/machines.scm, make sure Guile and the Guix modules are available on each machine, attempt to export to the machine and import from it, and report any error in the process.

If you want to test a different machine file, just specify it on the command line:

# guix offload test machines-qualif.scm

Last, you can test the subset of the machines whose name matches a regular expression like this:

# guix offload test machines.scm '\.gnu\.org$'

To display the current load of all build hosts, run this command on the main node:

# guix offload status

Previous: , Up: Setting Up the Daemon   [Contents][Index]

2.4.3 SELinux Support

Guix includes an SELinux policy file at etc/guix-daemon.cil that can be installed on a system where SELinux is enabled, in order to label Guix files and to specify the expected behavior of the daemon. Since GuixSD does not provide an SELinux base policy, the daemon policy cannot be used on GuixSD.

2.4.3.1 Installing the SELinux policy

To install the policy run this command as root:

semodule -i etc/guix-daemon.cil

Then relabel the file system with restorecon or by a different mechanism provided by your system.

Once the policy is installed, the file system has been relabeled, and the daemon has been restarted, it should be running in the guix_daemon_t context. You can confirm this with the following command:

ps -Zax | grep guix-daemon

Monitor the SELinux log files as you run a command like guix build hello to convince yourself that SELinux permits all necessary operations.

2.4.3.2 Limitations

This policy is not perfect. Here is a list of limitations or quirks that should be considered when deploying the provided SELinux policy for the Guix daemon.

  1. guix_daemon_socket_t isn’t actually used. None of the socket operations involve contexts that have anything to do with guix_daemon_socket_t. It doesn’t hurt to have this unused label, but it would be preferrable to define socket rules for only this label.
  2. guix gc cannot access arbitrary links to profiles. By design, the file label of the destination of a symlink is independent of the file label of the link itself. Although all profiles under $localstatedir are labelled, the links to these profiles inherit the label of the directory they are in. For links in the user’s home directory this will be user_home_t. But for links from the root user’s home directory, or /tmp, or the HTTP server’s working directory, etc, this won’t work. guix gc would be prevented from reading and following these links.
  3. The daemon’s feature to listen for TCP connections might no longer work. This might require extra rules, because SELinux treats network sockets differently from files.
  4. Currently all files with a name matching the regular expression /gnu/store/.+-(guix-.+|profile)/bin/guix-daemon are assigned the label guix_daemon_exec_t; this means that any file with that name in any profile would be permitted to run in the guix_daemon_t domain. This is not ideal. An attacker could build a package that provides this executable and convince a user to install and run it, which lifts it into the guix_daemon_t domain. At that point SELinux could not prevent it from accessing files that are allowed for processes in that domain.

    We could generate a much more restrictive policy at installation time, so that only the exact file name of the currently installed guix-daemon executable would be labelled with guix_daemon_exec_t, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running guix-daemon executable is upgraded.


Next: , Previous: , Up: Installation   [Contents][Index]

2.5 Invoking guix-daemon

The guix-daemon program implements all the functionality to access the store. This includes launching build processes, running the garbage collector, querying the availability of a build result, etc. It is normally run as root like this:

# guix-daemon --build-users-group=guixbuild

For details on how to set it up, see Setting Up the Daemon.

By default, guix-daemon launches build processes under different UIDs, taken from the build group specified with --build-users-group. In addition, each build process is run in a chroot environment that only contains the subset of the store that the build process depends on, as specified by its derivation (see derivation), plus a set of specific system directories. By default, the latter contains /dev and /dev/pts. Furthermore, on GNU/Linux, the build environment is a container: in addition to having its own file system tree, it has a separate mount name space, its own PID name space, network name space, etc. This helps achieve reproducible builds (see Features).

When the daemon performs a build on behalf of the user, it creates a build directory under /tmp or under the directory specified by its TMPDIR environment variable; this directory is shared with the container for the duration of the build. Be aware that using a directory other than /tmp can affect build results—for example, with a longer directory name, a build process that uses Unix-domain sockets might hit the name length limitation for sun_path, which it would otherwise not hit.

The build directory is automatically deleted upon completion, unless the build failed and the client specified --keep-failed (see --keep-failed).

The following command-line options are supported:

--build-users-group=group

Take users from group to run build processes (see build users).

--no-substitutes

Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).

When the daemon runs with --no-substitutes, clients can still explicitly enable substitution via the set-build-options remote procedure call (see The Store).

--substitute-urls=urls

Consider urls the default whitespace-separated list of substitute source URLs. When this option is omitted, ‘https://mirror.hydra.gnu.org https://hydra.gnu.org’ is used (mirror.hydra.gnu.org is a mirror of hydra.gnu.org).

This means that substitutes may be downloaded from urls, as long as they are signed by a trusted signature (see Substitutes).

--no-build-hook

Do not use the build hook.

The build hook is a helper program that the daemon can start and to which it submits build requests. This mechanism is used to offload builds to other machines (see Daemon Offload Setup).

--cache-failures

Cache build failures. By default, only successful builds are cached.

When this option is used, guix gc --list-failures can be used to query the set of store items marked as failed; guix gc --clear-failures removes store items from the set of cached failures. See Invoking guix gc.

--cores=n
-c n

Use n CPU cores to build each derivation; 0 means as many as available.

The default value is 0, but it may be overridden by clients, such as the --cores option of guix build (see Invoking guix build).

The effect is to define the NIX_BUILD_CORES environment variable in the build process, which can then use it to exploit internal parallelism—for instance, by running make -j$NIX_BUILD_CORES.

--max-jobs=n
-M n

Allow at most n build jobs in parallel. The default value is 1. Setting it to 0 means that no builds will be performed locally; instead, the daemon will offload builds (see Daemon Offload Setup), or simply fail.

--max-silent-time=seconds

When the build or substitution process remains silent for more than seconds, terminate it and report a build failure.

The default value is 0, which disables the timeout.

The value specified here can be overridden by clients (see --max-silent-time).

--timeout=seconds

Likewise, when the build or substitution process lasts for more than seconds, terminate it and report a build failure.

The default value is 0, which disables the timeout.

The value specified here can be overridden by clients (see --timeout).

--rounds=N

Build each derivation n times in a row, and raise an error if consecutive build results are not bit-for-bit identical. Note that this setting can be overridden by clients such as guix build (see Invoking guix build).

When used in conjunction with --keep-failed, the differing output is kept in the store, under /gnu/store/…-check. This makes it easy to look for differences between the two results.

--debug

Produce debugging output.

This is useful to debug daemon start-up issues, but then it may be overridden by clients, for example the --verbosity option of guix build (see Invoking guix build).

--chroot-directory=dir

Add dir to the build chroot.

Doing this may change the result of build processes—for instance if they use optional dependencies found in dir when it is available, and not otherwise. For that reason, it is not recommended to do so. Instead, make sure that each derivation declares all the inputs that it needs.

--disable-chroot

Disable chroot builds.

Using this option is not recommended since, again, it would allow build processes to gain access to undeclared dependencies. It is necessary, though, when guix-daemon is running under an unprivileged user account.

--log-compression=type

Compress build logs according to type, one of gzip, bzip2, or none.

Unless --lose-logs is used, all the build logs are kept in the localstatedir. To save space, the daemon automatically compresses them with bzip2 by default.

--disable-deduplication

Disable automatic file “deduplication” in the store.

By default, files added to the store are automatically “deduplicated”: if a newly added file is identical to another one found in the store, the daemon makes the new file a hard link to the other file. This can noticeably reduce disk usage, at the expense of slightly increased input/output load at the end of a build process. This option disables this optimization.

--gc-keep-outputs[=yes|no]

Tell whether the garbage collector (GC) must keep outputs of live derivations.

When set to “yes”, the GC will keep the outputs of any live derivation available in the store—the .drv files. The default is “no”, meaning that derivation outputs are kept only if they are GC roots. See Invoking guix gc, for more on GC roots.

--gc-keep-derivations[=yes|no]

Tell whether the garbage collector (GC) must keep derivations corresponding to live outputs.

When set to “yes”, as is the case by default, the GC keeps derivations—i.e., .drv files—as long as at least one of their outputs is live. This allows users to keep track of the origins of items in their store. Setting it to “no” saves a bit of disk space.

Note that when both --gc-keep-derivations and --gc-keep-outputs are used, the effect is to keep all the build prerequisites (the sources, compiler, libraries, and other build-time tools) of live objects in the store, regardless of whether these prerequisites are live. This is convenient for developers since it saves rebuilds or downloads.

--impersonate-linux-2.6

On Linux-based systems, impersonate Linux 2.6. This means that the kernel’s uname system call will report 2.6 as the release number.

This might be helpful to build programs that (usually wrongfully) depend on the kernel version number.

--lose-logs

Do not keep build logs. By default they are kept under localstatedir/guix/log.

--system=system

Assume system as the current system type. By default it is the architecture/kernel pair found at configure time, such as x86_64-linux.

--listen=endpoint

Listen for connections on endpoint. endpoint is interpreted as the file name of a Unix-domain socket if it starts with / (slash sign). Otherwise, endpoint is interpreted as a host name or host name and port to listen to. Here are a few examples:

--listen=/gnu/var/daemon

Listen for connections on the /gnu/var/daemon Unix-domain socket, creating it if needed.

--listen=localhost

Listen for TCP connections on the network interface corresponding to localhost, on port 44146.

--listen=128.0.0.42:1234

Listen for TCP connections on the network interface corresponding to 128.0.0.42, on port 1234.

This option can be repeated multiple times, in which case guix-daemon accepts connections on all the specified endpoints. Users can tell client commands what endpoint to connect to by setting the GUIX_DAEMON_SOCKET environment variable (see GUIX_DAEMON_SOCKET).

Note: The daemon protocol is unauthenticated and unencrypted. Using --listen=host is suitable on local networks, such as clusters, where only trusted nodes may connect to the build daemon. In other cases where remote access to the daemon is needed, we recommend using Unix-domain sockets along with SSH.

When --listen is omitted, guix-daemon listens for connections on the Unix-domain socket located at localstatedir/guix/daemon-socket/socket.


Previous: , Up: Installation   [Contents][Index]

2.6 Application Setup

When using Guix on top of GNU/Linux distribution other than GuixSD—a so-called foreign distro—a few additional steps are needed to get everything in place. Here are some of them.

2.6.1 Locales

Packages installed via Guix will not use the locale data of the host system. Instead, you must first install one of the locale packages available with Guix and then define the GUIX_LOCPATH environment variable:

$ guix package -i glibc-locales
$ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale

Note that the glibc-locales package contains data for all the locales supported by the GNU libc and weighs in at around 110 MiB. Alternatively, the glibc-utf8-locales is smaller but limited to a few UTF-8 locales.

The GUIX_LOCPATH variable plays a role similar to LOCPATH (see LOCPATH in The GNU C Library Reference Manual). There are two important differences though:

  1. GUIX_LOCPATH is honored only by the libc in Guix, and not by the libc provided by foreign distros. Thus, using GUIX_LOCPATH allows you to make sure the programs of the foreign distro will not end up loading incompatible locale data.
  2. libc suffixes each entry of GUIX_LOCPATH with /X.Y, where X.Y is the libc version—e.g., 2.22. This means that, should your Guix profile contain a mixture of programs linked against different libc version, each libc version will only try to load locale data in the right format.

This is important because the locale data format used by different libc versions may be incompatible.

2.6.2 Name Service Switch

When using Guix on a foreign distro, we strongly recommend that the system run the GNU C library’s name service cache daemon, nscd, which should be listening on the /var/run/nscd/socket socket. Failing to do that, applications installed with Guix may fail to look up host names or user accounts, or may even crash. The next paragraphs explain why.

The GNU C library implements a name service switch (NSS), which is an extensible mechanism for “name lookups” in general: host name resolution, user accounts, and more (see Name Service Switch in The GNU C Library Reference Manual).

Being extensible, the NSS supports plugins, which provide new name lookup implementations: for example, the nss-mdns plugin allow resolution of .local host names, the nis plugin allows user account lookup using the Network information service (NIS), and so on. These extra “lookup services” are configured system-wide in /etc/nsswitch.conf, and all the programs running on the system honor those settings (see NSS Configuration File in The GNU C Reference Manual).

When they perform a name lookup—for instance by calling the getaddrinfo function in C—applications first try to connect to the nscd; on success, nscd performs name lookups on their behalf. If the nscd is not running, then they perform the name lookup by themselves, by loading the name lookup services into their own address space and running it. These name lookup services—the libnss_*.so files—are dlopen’d, but they may come from the host system’s C library, rather than from the C library the application is linked against (the C library coming from Guix).

And this is where the problem is: if your application is linked against Guix’s C library (say, glibc 2.24) and tries to load NSS plugins from another C library (say, libnss_mdns.so for glibc 2.22), it will likely crash or have its name lookups fail unexpectedly.

Running nscd on the system, among other advantages, eliminates this binary incompatibility problem because those libnss_*.so files are loaded in the nscd process, not in applications themselves.

2.6.3 X11 Fonts

The majority of graphical applications use Fontconfig to locate and load fonts and perform X11-client-side rendering. The fontconfig package in Guix looks for fonts in $HOME/.guix-profile by default. Thus, to allow graphical applications installed with Guix to display fonts, you have to install fonts with Guix as well. Essential font packages include gs-fonts, font-dejavu, and font-gnu-freefont-ttf.

To display text written in Chinese languages, Japanese, or Korean in graphical applications, consider installing font-adobe-source-han-sans or font-wqy-zenhei. The former has multiple outputs, one per language family (see Packages with Multiple Outputs). For instance, the following command installs fonts for Chinese languages:

guix package -i font-adobe-source-han-sans:cn

Older programs such as xterm do not use Fontconfig and instead rely on server-side font rendering. Such programs require to specify a full name of a font using XLFD (X Logical Font Description), like this:

-*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1

To be able to use such full names for the TrueType fonts installed in your Guix profile, you need to extend the font path of the X server:

xset +fp $(dirname $(readlink -f ~/.guix-profile/share/fonts/truetype/fonts.dir))

After that, you can run xlsfonts (from xlsfonts package) to make sure your TrueType fonts are listed there.

After installing fonts you may have to refresh the font cache to use them in applications. The same applies when applications installed via Guix do not seem to find fonts. To force rebuilding of the font cache run fc-cache -f. The fc-cache command is provided by the fontconfig package.

2.6.4 X.509 Certificates

The nss-certs package provides X.509 certificates, which allow programs to authenticate Web servers accessed over HTTPS.

When using Guix on a foreign distro, you can install this package and define the relevant environment variables so that packages know where to look for certificates. See X.509 Certificates, for detailed information.

2.6.5 Emacs Packages

When you install Emacs packages with Guix, the elisp files may be placed either in $HOME/.guix-profile/share/emacs/site-lisp/ or in sub-directories of $HOME/.guix-profile/share/emacs/site-lisp/guix.d/. The latter directory exists because potentially there may exist thousands of Emacs packages and storing all their files in a single directory may not be reliable (because of name conflicts). So we think using a separate directory for each package is a good idea. It is very similar to how the Emacs package system organizes the file structure (see Package Files in The GNU Emacs Manual).

By default, Emacs (installed with Guix) “knows” where these packages are placed, so you do not need to perform any configuration. If, for some reason, you want to avoid auto-loading Emacs packages installed with Guix, you can do so by running Emacs with --no-site-file option (see Init File in The GNU Emacs Manual).

2.6.6 The GCC toolchain

Guix offers individual compiler packages such as gcc but if you are in need of a complete toolchain for compiling and linking source code what you really want is the gcc-toolchain package. This package provides a complete GCC toolchain for C/C++ development, including GCC itself, the GNU C Library (headers and binaries, plus debugging symbols in the debug output), Binutils, and a linker wrapper.

The wrapper’s purpose is to inspect the -L and -l switches passed to the linker, add corresponding -rpath arguments, and invoke the actual linker with this new set of arguments. By default, the linker wrapper refuses to link to libraries outside the store to ensure “purity”. This can be annoying when using the toolchain to link with local libraries. To allow references to libraries outside the store you need to define the environment variable GUIX_LD_WRAPPER_ALLOW_IMPURITIES.


Next: , Previous: , Up: Top   [Contents][Index]

3 Package Management

The purpose of GNU Guix is to allow users to easily install, upgrade, and remove software packages, without having to know about their build procedures or dependencies. Guix also goes beyond this obvious set of features.

This chapter describes the main features of Guix, as well as the package management tools it provides. Along with the command-line interface described below (see guix package), you may also use the Emacs-Guix interface (see The Emacs-Guix Reference Manual), after installing emacs-guix package (run M-x guix-help command to start with it):

guix package -i emacs-guix

Next: , Up: Package Management   [Contents][Index]

3.1 Features

When using Guix, each package ends up in the package store, in its own directory—something that resembles /gnu/store/xxx-package-1.2, where xxx is a base32 string.

Instead of referring to these directories, users have their own profile, which points to the packages that they actually want to use. These profiles are stored within each user’s home directory, at $HOME/.guix-profile.

For example, alice installs GCC 4.7.2. As a result, /home/alice/.guix-profile/bin/gcc points to /gnu/store/…-gcc-4.7.2/bin/gcc. Now, on the same machine, bob had already installed GCC 4.8.0. The profile of bob simply continues to point to /gnu/store/…-gcc-4.8.0/bin/gcc—i.e., both versions of GCC coexist on the same system without any interference.

The guix package command is the central tool to manage packages (see Invoking guix package). It operates on the per-user profiles, and can be used with normal user privileges.

The command provides the obvious install, remove, and upgrade operations. Each invocation is actually a transaction: either the specified operation succeeds, or nothing happens. Thus, if the guix package process is terminated during the transaction, or if a power outage occurs during the transaction, then the user’s profile remains in its previous state, and remains usable.

In addition, any package transaction may be rolled back. So, if, for example, an upgrade installs a new version of a package that turns out to have a serious bug, users may roll back to the previous instance of their profile, which was known to work well. Similarly, the global system configuration on GuixSD is subject to transactional upgrades and roll-back (see Using the Configuration System).

All packages in the package store may be garbage-collected. Guix can determine which packages are still referenced by user profiles, and remove those that are provably no longer referenced (see Invoking guix gc). Users may also explicitly remove old generations of their profile so that the packages they refer to can be collected.

Finally, Guix takes a purely functional approach to package management, as described in the introduction (see Introduction). Each /gnu/store package directory name contains a hash of all the inputs that were used to build that package—compiler, libraries, build scripts, etc. This direct correspondence allows users to make sure a given package installation matches the current state of their distribution. It also helps maximize build reproducibility: thanks to the isolated build environments that are used, a given build is likely to yield bit-identical files when performed on different machines (see container).

This foundation allows Guix to support transparent binary/source deployment. When a pre-built binary for a /gnu/store item is available from an external source—a substitute, Guix just downloads it and unpacks it; otherwise, it builds the package from source, locally (see Substitutes). Because build results are usually bit-for-bit reproducible, users do not have to trust servers that provide substitutes: they can force a local build and challenge providers (see Invoking guix challenge).

Control over the build environment is a feature that is also useful for developers. The guix environment command allows developers of a package to quickly set up the right development environment for their package, without having to manually install the dependencies of the package into their profile (see Invoking guix environment).


Next: , Previous: , Up: Package Management   [Contents][Index]

3.2 Invoking guix package

The guix package command is the tool that allows users to install, upgrade, and remove packages, as well as rolling back to previous configurations. It operates only on the user’s own profile, and works with normal user privileges (see Features). Its syntax is:

guix package options

Primarily, options specifies the operations to be performed during the transaction. Upon completion, a new profile is created, but previous generations of the profile remain available, should the user want to roll back.

For example, to remove lua and install guile and guile-cairo in a single transaction:

guix package -r lua -i guile guile-cairo

guix package also supports a declarative approach whereby the user specifies the exact set of packages to be available and passes it via the --manifest option (see --manifest).

For each user, a symlink to the user’s default profile is automatically created in $HOME/.guix-profile. This symlink always points to the current generation of the user’s default profile. Thus, users can add $HOME/.guix-profile/bin to their PATH environment variable, and so on. If you are not using the Guix System Distribution, consider adding the following lines to your ~/.bash_profile (see Bash Startup Files in The GNU Bash Reference Manual) so that newly-spawned shells get all the right environment variable definitions:

GUIX_PROFILE="$HOME/.guix-profile" ; \
source "$HOME/.guix-profile/etc/profile"

In a multi-user setup, user profiles are stored in a place registered as a garbage-collector root, which $HOME/.guix-profile points to (see Invoking guix gc). That directory is normally localstatedir/guix/profiles/per-user/user, where localstatedir is the value passed to configure as --localstatedir, and user is the user name. The per-user directory is created when guix-daemon is started, and the user sub-directory is created by guix package.

The options can be among the following:

--install=package
-i package

Install the specified packages.

Each package may specify either a simple package name, such as guile, or a package name followed by an at-sign and version number, such as guile@1.8.8 or simply guile@1.8 (in the latter case, the newest version prefixed by 1.8 is selected.)

If no version number is specified, the newest available version will be selected. In addition, package may contain a colon, followed by the name of one of the outputs of the package, as in gcc:doc or binutils@2.22:lib (see Packages with Multiple Outputs). Packages with a corresponding name (and optionally version) are searched for among the GNU distribution modules (see Package Modules).

Sometimes packages have propagated inputs: these are dependencies that automatically get installed along with the required package (see propagated-inputs in package objects, for information about propagated inputs in package definitions).

An example is the GNU MPC library: its C header files refer to those of the GNU MPFR library, which in turn refer to those of the GMP library. Thus, when installing MPC, the MPFR and GMP libraries also get installed in the profile; removing MPC also removes MPFR and GMP—unless they had also been explicitly installed by the user.

Besides, packages sometimes rely on the definition of environment variables for their search paths (see explanation of --search-paths below). Any missing or possibly incorrect environment variable definitions are reported here.

--install-from-expression=exp
-e exp

Install the package exp evaluates to.

exp must be a Scheme expression that evaluates to a <package> object. This option is notably useful to disambiguate between same-named variants of a package, with expressions such as (@ (gnu packages base) guile-final).

Note that this option installs the first output of the specified package, which may be insufficient when needing a specific output of a multiple-output package.

--install-from-file=file
-f file

Install the package that the code within file evaluates to.

As an example, file might contain a definition like this (see Defining Packages):

(use-modules (guix)
             (guix build-system gnu)
             (guix licenses))

(package
  (name "hello")
  (version "2.10")
  (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/hello/hello-" version
                                ".tar.gz"))
            (sha256
             (base32
              "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
  (build-system gnu-build-system)
  (synopsis "Hello, GNU world: An example GNU package")
  (description "Guess what GNU Hello prints!")
  (home-page "http://www.gnu.org/software/hello/")
  (license gpl3+))

Developers may find it useful to include such a guix.scm file in the root of their project source tree that can be used to test development snapshots and create reproducible development environments (see Invoking guix environment).

--remove=package
-r package

Remove the specified packages.

As for --install, each package may specify a version number and/or output name in addition to the package name. For instance, -r glibc:debug would remove the debug output of glibc.

--upgrade[=regexp …]
-u [regexp …]

Upgrade all the installed packages. If one or more regexps are specified, upgrade only installed packages whose name matches a regexp. Also see the --do-not-upgrade option below.

Note that this upgrades package to the latest version of packages found in the distribution currently installed. To update your distribution, you should regularly run guix pull (see Invoking guix pull).

--do-not-upgrade[=regexp …]

When used together with the --upgrade option, do not upgrade any packages whose name matches a regexp. For example, to upgrade all packages in the current profile except those containing the substring “emacs”:

$ guix package --upgrade . --do-not-upgrade emacs
--manifest=file
-m file

Create a new generation of the profile from the manifest object returned by the Scheme code in file.

This allows you to declare the profile’s contents rather than constructing it through a sequence of --install and similar commands. The advantage is that file can be put under version control, copied to different machines to reproduce the same profile, and so on.

file must return a manifest object, which is roughly a list of packages:

(use-package-modules guile emacs)

(packages->manifest
 (list emacs
       guile-2.0
       ;; Use a specific package output.
       (list guile-2.0 "debug")))

In this example we have to know which modules define the emacs and guile-2.0 variables to provide the right use-package-modules line, which can be cumbersome. We can instead provide regular package specifications and let specifications->manifest look up the corresponding package objects, like this:

(specifications->manifest
 '("emacs" "guile@2.2" "guile@2.2:debug"))
--roll-back

Roll back to the previous generation of the profile—i.e., undo the last transaction.

When combined with options such as --install, roll back occurs before any other actions.

When rolling back from the first generation that actually contains installed packages, the profile is made to point to the zeroth generation, which contains no files apart from its own metadata.

After having rolled back, installing, removing, or upgrading packages overwrites previous future generations. Thus, the history of the generations in a profile is always linear.

--switch-generation=pattern
-S pattern

Switch to a particular generation defined by pattern.

pattern may be either a generation number or a number prefixed with “+” or “-”. The latter means: move forward/backward by a specified number of generations. For example, if you want to return to the latest generation after --roll-back, use --switch-generation=+1.

The difference between --roll-back and --switch-generation=-1 is that --switch-generation will not make a zeroth generation, so if a specified generation does not exist, the current generation will not be changed.

--search-paths[=kind]

Report environment variable definitions, in Bash syntax, that may be needed in order to use the set of installed packages. These environment variables are used to specify search paths for files used by some of the installed packages.

For example, GCC needs the CPATH and LIBRARY_PATH environment variables to be defined so it can look for headers and libraries in the user’s profile (see Environment Variables in Using the GNU Compiler Collection (GCC)). If GCC and, say, the C library are installed in the profile, then --search-paths will suggest setting these variables to profile/include and profile/lib, respectively.

The typical use case is to define these environment variables in the shell:

$ eval `guix package --search-paths`

kind may be one of exact, prefix, or suffix, meaning that the returned environment variable definitions will either be exact settings, or prefixes or suffixes of the current value of these variables. When omitted, kind defaults to exact.

This option can also be used to compute the combined search paths of several profiles. Consider this example:

$ guix package -p foo -i guile
$ guix package -p bar -i guile-json
$ guix package -p foo -p bar --search-paths

The last command above reports about the GUILE_LOAD_PATH variable, even though, taken individually, neither foo nor bar would lead to that recommendation.

--profile=profile
-p profile

Use profile instead of the user’s default profile.

--allow-collisions

Allow colliding packages in the new profile. Use at your own risk!

By default, guix package reports as an error collisions in the profile. Collisions happen when two or more different versions or variants of a given package end up in the profile.

--verbose

Produce verbose output. In particular, emit the build log of the environment on the standard error port.

--bootstrap

Use the bootstrap Guile to build the profile. This option is only useful to distribution developers.

In addition to these actions, guix package supports the following options to query the current state of a profile, or the availability of packages:

--search=regexp
-s regexp

List the available packages whose name, synopsis, or description matches regexp, sorted by relevance. Print all the metadata of matching packages in recutils format (see GNU recutils databases in GNU recutils manual).

This allows specific fields to be extracted using the recsel command, for instance:

$ guix package -s malloc | recsel -p name,version,relevance
name: jemalloc
version: 4.5.0
relevance: 6

name: glibc
version: 2.25
relevance: 1

name: libgc
version: 7.6.0
relevance: 1

Similarly, to show the name of all the packages available under the terms of the GNU LGPL version 3:

$ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"'
name: elfutils

name: gmp
…

It is also possible to refine search results using several -s flags. For example, the following command returns a list of board games:

$ guix package -s '\<board\>' -s game | recsel -p name
name: gnubg
…

If we were to omit -s game, we would also get software packages that deal with printed circuit boards; removing the angle brackets around board would further add packages that have to do with keyboards.

And now for a more elaborate example. The following command searches for cryptographic libraries, filters out Haskell, Perl, Python, and Ruby libraries, and prints the name and synopsis of the matching packages:

$ guix package -s crypto -s library | \
    recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis

See Selection Expressions in GNU recutils manual, for more information on selection expressions for recsel -e.

--show=package

Show details about package, taken from the list of available packages, in recutils format (see GNU recutils databases in GNU recutils manual).

$ guix package --show=python | recsel -p name,version
name: python
version: 2.7.6

name: python
version: 3.3.5

You may also specify the full name of a package to only get details about a specific version of it:

$ guix package --show=python@3.4 | recsel -p name,version
name: python
version: 3.4.3
--list-installed[=regexp]
-I [regexp]

List the currently installed packages in the specified profile, with the most recently installed packages shown last. When regexp is specified, list only installed packages whose name matches regexp.

For each installed package, print the following items, separated by tabs: the package name, its version string, the part of the package that is installed (for instance, out for the default output, include for its headers, etc.), and the path of this package in the store.

--list-available[=regexp]
-A [regexp]

List packages currently available in the distribution for this system (see GNU Distribution). When regexp is specified, list only installed packages whose name matches regexp.

For each package, print the following items separated by tabs: its name, its version string, the parts of the package (see Packages with Multiple Outputs), and the source location of its definition.

--list-generations[=pattern]
-l [pattern]

Return a list of generations along with their creation dates; for each generation, show the installed packages, with the most recently installed packages shown last. Note that the zeroth generation is never shown.

For each installed package, print the following items, separated by tabs: the name of a package, its version string, the part of the package that is installed (see Packages with Multiple Outputs), and the location of this package in the store.

When pattern is used, the command returns only matching generations. Valid patterns include:

--delete-generations[=pattern]
-d [pattern]

When pattern is omitted, delete all generations except the current one.

This command accepts the same patterns as --list-generations. When pattern is specified, delete the matching generations. When pattern specifies a duration, generations older than the specified duration match. For instance, --delete-generations=1m deletes generations that are more than one month old.

If the current generation matches, it is not deleted. Also, the zeroth generation is never deleted.

Note that deleting generations prevents rolling back to them. Consequently, this command must be used with care.

Finally, since guix package may actually start build processes, it supports all the common build options (see Common Build Options). It also supports package transformation options, such as --with-source (see Package Transformation Options). However, note that package transformations are lost when upgrading; to preserve transformations across upgrades, you should define your own package variant in a Guile module and add it to GUIX_PACKAGE_PATH (see Defining Packages).


Next: , Previous: , Up: Package Management   [Contents][Index]

3.3 Substitutes

Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server, or both. We call these pre-built items substitutes—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally.

Substitutes can be anything resulting from a derivation build (see Derivations). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result from derivation builds, can be available as substitutes.


Next: , Up: Substitutes   [Contents][Index]

3.3.1 Official Substitute Server

The mirror.hydra.gnu.org server is a front-end to an official build farm that builds packages from Guix continuously for some architectures, and makes them available as substitutes. This is the default source of substitutes; it can be overridden by passing the --substitute-urls option either to guix-daemon (see guix-daemon --substitute-urls) or to client tools such as guix package (see client --substitute-urls option).

Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended because communications are encrypted; conversely, using HTTP makes all communications visible to an eavesdropper, who could use the information gathered to determine, for instance, whether your system has unpatched security vulnerabilities.

Substitutes from the official build farm are enabled by default when using the Guix System Distribution (see GNU Distribution). However, they are disabled by default when using Guix on a foreign distribution, unless you have explicitly enabled them via one of the recommended installation steps (see Installation). The following paragraphs describe how to enable or disable substitutes for the official build farm; the same procedure can also be used to enable substitutes for any other substitute server.


Next: , Previous: , Up: Substitutes   [Contents][Index]

3.3.2 Substitute Server Authorization

To allow Guix to download substitutes from hydra.gnu.org or a mirror thereof, you must add its public key to the access control list (ACL) of archive imports, using the guix archive command (see Invoking guix archive). Doing so implies that you trust hydra.gnu.org to not be compromised and to serve genuine substitutes.

The public key for hydra.gnu.org is installed along with Guix, in prefix/share/guix/hydra.gnu.org.pub, where prefix is the installation prefix of Guix. If you installed Guix from source, make sure you checked the GPG signature of guix-0.15.0.tar.gz, which contains this public key file. Then, you can run something like this:

# guix archive --authorize < prefix/share/guix/hydra.gnu.org.pub

Note: Similarly, the berlin.guixsd.org.pub file contains the public key for the project’s new build farm, reachable at ‘https://berlin.guixsd.org’.

As of this writing berlin.guixsd.org is being upgraded so it can better scale up, but you might want to give it a try. It is backed by 20 x86_64/i686 build nodes and may be able to provide substitutes more quickly than mirror.hydra.gnu.org.

Once this is in place, the output of a command like guix build should change from something like:

$ guix build emacs --dry-run
The following derivations would be built:
   /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
   /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
   /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
   /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
…

to something like:

$ guix build emacs --dry-run
112.3 MB would be downloaded:
   /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
   /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
   /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
   /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
…

This indicates that substitutes from hydra.gnu.org are usable and will be downloaded, when possible, for future builds.

The substitute mechanism can be disabled globally by running guix-daemon with --no-substitutes (see Invoking guix-daemon). It can also be disabled temporarily by passing the --no-substitutes option to guix package, guix build, and other command-line tools.


Next: , Previous: , Up: Substitutes   [Contents][Index]

3.3.3 Substitute Authentication

Guix detects and raises an error when attempting to use a substitute that has been tampered with. Likewise, it ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL.

There is one exception though: if an unauthorized server provides substitutes that are bit-for-bit identical to those provided by an authorized server, then the unauthorized server becomes eligible for downloads. For example, assume we have chosen two substitute servers with this option:

--substitute-urls="https://a.example.org https://b.example.org"

If the ACL contains only the key for b.example.org, and if a.example.org happens to serve the exact same substitutes, then Guix will download substitutes from a.example.org because it comes first in the list and can be considered a mirror of b.example.org. In practice, independent build machines usually produce the same binaries, thanks to bit-reproducible builds (see below).

When using HTTPS, the server’s X.509 certificate is not validated (in other words, the server is not authenticated), contrary to what HTTPS clients such as Web browsers usually do. This is because Guix authenticates substitute information itself, as explained above, which is what we care about (whereas X.509 certificates are about authenticating bindings between domain names and public keys.)


Next: , Previous: , Up: Substitutes   [Contents][Index]

3.3.4 Proxy Settings

Substitutes are downloaded over HTTP or HTTPS. The http_proxy environment variable can be set in the environment of guix-daemon and is honored for downloads of substitutes. Note that the value of http_proxy in the environment where guix build, guix package, and other client commands are run has absolutely no effect.


Next: , Previous: , Up: Substitutes   [Contents][Index]

3.3.5 Substitution Failure

Even when a substitute for a derivation is available, sometimes the substitution attempt will fail. This can happen for a variety of reasons: the substitute server might be offline, the substitute may recently have been deleted, the connection might have been interrupted, etc.

When substitutes are enabled and a substitute for a derivation is available, but the substitution attempt fails, Guix will attempt to build the derivation locally depending on whether or not --fallback was given (see common build option --fallback). Specifically, if --fallback was omitted, then no local build will be performed, and the derivation is considered to have failed. However, if --fallback was given, then Guix will attempt to build the derivation locally, and the success or failure of the derivation depends on the success or failure of the local build. Note that when substitutes are disabled or no substitute is available for the derivation in question, a local build will always be performed, regardless of whether or not --fallback was given.

To get an idea of how many substitutes are available right now, you can try running the guix weather command (see Invoking guix weather). This command provides statistics on the substitutes provided by a server.


Previous: , Up: Substitutes   [Contents][Index]

3.3.6 On Trusting Binaries

Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using hydra.gnu.org substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that hydra.gnu.org is less of an interesting target. One way to help is by publishing the software you build using guix publish so that others have one more choice of server to download substitutes from (see Invoking guix publish).

Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. The guix challenge command aims to help users assess substitute servers, and to assist developers in finding out about non-deterministic package builds (see Invoking guix challenge). Similarly, the --check option of guix build allows users to check whether previously-installed substitutes are genuine by rebuilding them locally (see guix build --check).

In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on guix-devel@gnu.org.


Next: , Previous: , Up: Package Management   [Contents][Index]

3.4 Packages with Multiple Outputs

Often, packages defined in Guix have a single output—i.e., the source package leads to exactly one directory in the store. When running guix package -i glibc, one installs the default output of the GNU libc package; the default output is called out, but its name can be omitted as shown in this command. In this particular case, the default output of glibc contains all the C header files, shared libraries, static libraries, Info documentation, and other supporting files.

Sometimes it is more appropriate to separate the various types of files produced from a single source package into separate outputs. For instance, the GLib C library (used by GTK+ and related packages) installs more than 20 MiB of reference documentation as HTML pages. To save space for users who do not need it, the documentation goes to a separate output, called doc. To install the main GLib output, which contains everything but the documentation, one would run:

guix package -i glib

The command to install its documentation is:

guix package -i glib:doc

Some packages install programs with different “dependency footprints”. For instance, the WordNet package installs both command-line tools and graphical user interfaces (GUIs). The former depend solely on the C library, whereas the latter depend on Tcl/Tk and the underlying X libraries. In this case, we leave the command-line tools in the default output, whereas the GUIs are in a separate output. This allows users who do not need the GUIs to save space. The guix size command can help find out about such situations (see Invoking guix size). guix graph can also be helpful (see Invoking guix graph).

There are several such multiple-output packages in the GNU distribution. Other conventional output names include lib for libraries and possibly header files, bin for stand-alone programs, and debug for debugging information (see Installing Debugging Files). The outputs of a packages are listed in the third column of the output of guix package --list-available (see Invoking guix package).


Next: , Previous: , Up: Package Management   [Contents][Index]

3.5 Invoking guix gc

Packages that are installed, but not used, may be garbage-collected. The guix gc command allows users to explicitly run the garbage collector to reclaim space from the /gnu/store directory. It is the only way to remove files from /gnu/store—removing files or directories manually may break it beyond repair!

The garbage collector has a set of known roots: any file under /gnu/store reachable from a root is considered live and cannot be deleted; any other file is considered dead and may be deleted. The set of garbage collector roots (“GC roots” for short) includes default user profiles; by default, the symlinks under /var/guix/gcroots represent these GC roots. New GC roots can be added with guix build --root, for example (see Invoking guix build).

Prior to running guix gc --collect-garbage to make space, it is often useful to remove old generations from user profiles; that way, old package builds referenced by those generations can be reclaimed. This is achieved by running guix package --delete-generations (see Invoking guix package).

Our recommendation is to run a garbage collection periodically, or when you are short on disk space. For instance, to guarantee that at least 5 GB are available on your disk, simply run:

guix gc -F 5G

It is perfectly safe to run as a non-interactive periodic job (see Scheduled Job Execution, for how to set up such a job on GuixSD). Running guix gc with no arguments will collect as much garbage as it can, but that is often inconvenient: you may find yourself having to rebuild or re-download software that is “dead” from the GC viewpoint but that is necessary to build other pieces of software—e.g., the compiler tool chain.

The guix gc command has three modes of operation: it can be used to garbage-collect any dead files (the default), to delete specific files (the --delete option), to print garbage-collector information, or for more advanced queries. The garbage collection options are as follows:

--collect-garbage[=min]
-C [min]

Collect garbage—i.e., unreachable /gnu/store files and sub-directories. This is the default operation when no option is specified.

When min is given, stop once min bytes have been collected. min may be a number of bytes, or it may include a unit as a suffix, such as MiB for mebibytes and GB for gigabytes (see size specifications in GNU Coreutils).

When min is omitted, collect all the garbage.

--free-space=free
-F free

Collect garbage until free space is available under /gnu/store, if possible; free denotes storage space, such as 500MiB, as described above.

When free or more is already available in /gnu/store, do nothing and exit immediately.

--delete
-d

Attempt to delete all the store files and directories specified as arguments. This fails if some of the files are not in the store, or if they are still live.

--list-failures

List store items corresponding to cached build failures.

This prints nothing unless the daemon was started with --cache-failures (see --cache-failures).

--clear-failures

Remove the specified store items from the failed-build cache.

Again, this option only makes sense when the daemon is started with --cache-failures. Otherwise, it does nothing.

--list-dead

Show the list of dead files and directories still present in the store—i.e., files and directories no longer reachable from any root.

--list-live

Show the list of live store files and directories.

In addition, the references among existing store files can be queried:

--references
--referrers

List the references (respectively, the referrers) of store files given as arguments.

--requisites
-R

List the requisites of the store files passed as arguments. Requisites include the store files themselves, their references, and the references of these, recursively. In other words, the returned list is the transitive closure of the store files.

See Invoking guix size, for a tool to profile the size of the closure of an element. See Invoking guix graph, for a tool to visualize the graph of references.

--derivers

Return the derivation(s) leading to the given store items (see Derivations).

For example, this command:

guix gc --derivers `guix package -I ^emacs$ | cut -f4`

returns the .drv file(s) leading to the emacs package installed in your profile.

Note that there may be zero matching .drv files, for instance because these files have been garbage-collected. There can also be more than one matching .drv due to fixed-output derivations.

Lastly, the following options allow you to check the integrity of the store and to control disk usage.

--verify[=options]

Verify the integrity of the store.

By default, make sure that all the store items marked as valid in the database of the daemon actually exist in /gnu/store.

When provided, options must be a comma-separated list containing one or more of contents and repair.

When passing --verify=contents, the daemon computes the content hash of each store item and compares it against its hash in the database. Hash mismatches are reported as data corruptions. Because it traverses all the files in the store, this command can take a long time, especially on systems with a slow disk drive.

Using --verify=repair or --verify=contents,repair causes the daemon to try to repair corrupt store items by fetching substitutes for them (see Substitutes). Because repairing is not atomic, and thus potentially dangerous, it is available only to the system administrator. A lightweight alternative, when you know exactly which items in the store are corrupt, is guix build --repair (see Invoking guix build).

--optimize

Optimize the store by hard-linking identical files—this is deduplication.

The daemon performs deduplication after each successful build or archive import, unless it was started with --disable-deduplication (see --disable-deduplication). Thus, this option is primarily useful when the daemon was running with --disable-deduplication.


Next: , Previous: , Up: Package Management   [Contents][Index]

3.6 Invoking guix pull

Packages are installed or upgraded to the latest version available in the distribution currently available on your local machine. To update that distribution, along with the Guix tools, you must run guix pull: the command downloads the latest Guix source code and package descriptions, and deploys it. Source code is downloaded from a Git repository.

On completion, guix package will use packages and package versions from this just-retrieved copy of Guix. Not only that, but all the Guix commands and Scheme modules will also be taken from that latest version. New guix sub-commands added by the update also become available.

Any user can update their Guix copy using guix pull, and the effect is limited to the user who run guix pull. For instance, when user root runs guix pull, this has no effect on the version of Guix that user alice sees, and vice versa.

The result of running guix pull is a profile available under ~/.config/guix/current containing the latest Guix. Thus, make sure to add it to the beginning of your search path so that you use the latest version, and similarly for the Info manual (see Documentation):

export PATH="$HOME/.config/guix/current/bin:$PATH"
export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"

The --list-generations or -l option lists past generations produced by guix pull, along with details about their provenance:

$ guix pull -l
Generation 1	Jun 10 2018 00:18:18
  guix 65956ad
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: origin/master
    commit: 65956ad3526ba09e1f7a40722c96c6ef7c0936fe

Generation 2	Jun 11 2018 11:02:49
  guix e0cc7f6
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: origin/master
    commit: e0cc7f669bec22c37481dd03a7941c7d11a64f1d

Generation 3	Jun 13 2018 23:31:07	(current)
  guix 844cc1c
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: origin/master
    commit: 844cc1c8f394f03b404c5bb3aee086922373490c

This ~/.config/guix/current profile works like any other profile created by guix package (see Invoking guix package). That is, you can list generations, roll back to the previous generation—i.e., the previous Guix—and so on:

$ guix package -p ~/.config/guix/current --roll-back
switched from generation 3 to 2
$ guix package -p ~/.config/guix/current --delete-generations=1
deleting /home/charlie/.config/guix/current-1-link

The guix pull command is usually invoked with no arguments, but it supports the following options:

--verbose

Produce verbose output, writing build logs to the standard error output.

--url=url

Download Guix from the Git repository at url.

By default, the source is taken from its canonical Git repository at gnu.org, for the stable branch of Guix. To use a different source, set the GUIX_PULL_URL environment variable.

--commit=commit

Deploy commit, a valid Git commit ID represented as a hexadecimal string.

--branch=branch

Deploy the tip of branch, the name of a Git branch available on the repository at url.

--list-generations[=pattern]
-l [pattern]

List all the generations of ~/.config/guix/current or, if pattern is provided, the subset of generations that match pattern. The syntax of pattern is the same as with guix package --list-generations (see Invoking guix package).

--bootstrap

Use the bootstrap Guile to build the latest Guix. This option is only useful to Guix developers.

In addition, guix pull supports all the common build options (see Common Build Options).


Next: , Previous: , Up: Package Management   [Contents][Index]

3.7 Invoking guix pack

Occasionally you want to pass software to people who are not (yet!) lucky enough to be using Guix. You’d tell them to run guix package -i something, but that’s not possible in this case. This is where guix pack comes in.

Note: If you are looking for ways to exchange binaries among machines that already run Guix, see Invoking guix copy, Invoking guix publish, and Invoking guix archive.

The guix pack command creates a shrink-wrapped pack or software bundle: it creates a tarball or some other archive containing the binaries of the software you’re interested in, and all its dependencies. The resulting archive can be used on any machine that does not have Guix, and people can run the exact same binaries as those you have with Guix. The pack itself is created in a bit-reproducible fashion, so anyone can verify that it really contains the build results that you pretend to be shipping.

For example, to create a bundle containing Guile, Emacs, Geiser, and all their dependencies, you can run:

$ guix pack guile emacs geiser
…
/gnu/store/…-pack.tar.gz

The result here is a tarball containing a /gnu/store directory with all the relevant packages. The resulting tarball contains a profile with the three packages of interest; the profile is the same as would be created by guix package -i. It is this mechanism that is used to create Guix’s own standalone binary tarball (see Binary Installation).

Users of this pack would have to run /gnu/store/…-profile/bin/guile to run Guile, which you may find inconvenient. To work around it, you can create, say, a /opt/gnu/bin symlink to the profile:

guix pack -S /opt/gnu/bin=bin guile emacs geiser

That way, users can happily type /opt/gnu/bin/guile and enjoy.

What if the recipient of your pack does not have root privileges on their machine, and thus cannot unpack it in the root file system? In that case, you will want to use the --relocatable option (see below). This option produces relocatable binaries, meaning they they can be placed anywhere in the file system hierarchy: in the example above, users can unpack your tarball in their home directory and directly run ./opt/gnu/bin/guile.

Alternatively, you can produce a pack in the Docker image format using the following command:

guix pack -f docker guile emacs geiser

The result is a tarball that can be passed to the docker load command. See the Docker documentation for more information.

Yet another option is to produce a SquashFS image with the following command:

guix pack -f squashfs guile emacs geiser

The result is a SquashFS file system image that can either be mounted or directly be used as a file system container image with the Singularity container execution environment, using commands like singularity shell or singularity exec.

Several command-line options allow you to customize your pack:

--format=format
-f format

Produce a pack in the given format.

The available formats are:

tarball

This is the default format. It produces a tarball containing all the specified binaries and symlinks.

docker

This produces a tarball that follows the Docker Image Specification.

squashfs

This produces a SquashFS image containing all the specified binaries and symlinks, as well as empty mount points for virtual file systems like procfs.

--relocatable
-R

Produce relocatable binaries—i.e., binaries that can be placed anywhere in the file system hierarchy and run from there. For example, if you create a pack containing Bash with:

guix pack -R -S /mybin=bin bash

... you can copy that pack to a machine that lacks Guix, and from your home directory as a normal user, run:

tar xf pack.tar.gz
./mybin/sh

In that shell, if you type ls /gnu/store, you’ll notice that /gnu/store shows up and contains all the dependencies of bash, even though the machine actually lacks /gnu/store altogether! That is probably the simplest way to deploy Guix-built software on a non-Guix machine.

There’s a gotcha though: this technique relies on the user namespace feature of the kernel Linux, which allows unprivileged users to mount or change root. Old versions of Linux did not support it, and some GNU/Linux distributions turn it off; on these systems, programs from the pack will fail to run, unless they are unpacked in the root file system.

--expression=expr
-e expr

Consider the package expr evaluates to.

This has the same purpose as the same-named option in guix build (see --expression in guix build).

--manifest=file
-m file

Use the packages contained in the manifest object returned by the Scheme code in file.

This has a similar purpose as the same-named option in guix package (see --manifest) and uses the same manifest files. It allows you to define a collection of packages once and use it both for creating profiles and for creating archives for use on machines that do not have Guix installed. Note that you can specify either a manifest file or a list of packages, but not both.

--system=system
-s system

Attempt to build for system—e.g., i686-linux—instead of the system type of the build host.

--target=triplet

Cross-build for triplet, which must be a valid GNU triplet, such as "mips64el-linux-gnu" (see GNU configuration triplets in Autoconf).

--compression=tool
-C tool

Compress the resulting tarball using tool—one of gzip, bzip2, xz, lzip, or none for no compression.

--symlink=spec
-S spec

Add the symlinks specified by spec to the pack. This option can appear several times.

spec has the form source=target, where source is the symlink that will be created and target is the symlink target.

For instance, -S /opt/gnu/bin=bin creates a /opt/gnu/bin symlink pointing to the bin sub-directory of the profile.

--localstatedir

Include the “local state directory”, /var/guix, in the resulting pack.

/var/guix contains the store database (see The Store) as well as garbage-collector roots (see Invoking guix gc). Providing it in the pack means that the store is “complete” and manageable by Guix; not providing it pack means that the store is “dead”: items cannot be added to it or removed from it after extraction of the pack.

One use case for this is the Guix self-contained binary tarball (see Binary Installation).

--bootstrap

Use the bootstrap binaries to build the pack. This option is only useful to Guix developers.

In addition, guix pack supports all the common build options (see Common Build Options) and all the package transformation options (see Package Transformation Options).


Previous: , Up: Package Management   [Contents][Index]

3.8 Invoking guix archive

The guix archive command allows users to export files from the store into a single archive, and to later import them on a machine that runs Guix. In particular, it allows store files to be transferred from one machine to the store on another machine.

Note: If you’re looking for a way to produce archives in a format suitable for tools other than Guix, see Invoking guix pack.

To export store files as an archive to standard output, run:

guix archive --export options specifications...

specifications may be either store file names or package specifications, as for guix package (see Invoking guix package). For instance, the following command creates an archive containing the gui output of the git package and the main output of emacs:

guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar

If the specified packages are not built yet, guix archive automatically builds them. The build process may be controlled with the common build options (see Common Build Options).

To transfer the emacs package to a machine connected over SSH, one would run:

guix archive --export -r emacs | ssh the-machine guix archive --import

Similarly, a complete user profile may be transferred from one machine to another like this:

guix archive --export -r $(readlink -f ~/.guix-profile) | \
  ssh the-machine guix-archive --import

However, note that, in both examples, all of emacs and the profile as well as all of their dependencies are transferred (due to -r), regardless of what is already available in the store on the target machine. The --missing option can help figure out which items are missing from the target store. The guix copy command simplifies and optimizes this whole process, so this is probably what you should use in this case (see Invoking guix copy).

Archives are stored in the “normalized archive” or “nar” format, which is comparable in spirit to ‘tar’, but with differences that make it more appropriate for our purposes. First, rather than recording all Unix metadata for each file, the nar format only mentions the file type (regular, directory, or symbolic link); Unix permissions and owner/group are dismissed. Second, the order in which directory entries are stored always follows the order of file names according to the C locale collation order. This makes archive production fully deterministic.

When exporting, the daemon digitally signs the contents of the archive, and that digital signature is appended. When importing, the daemon verifies the signature and rejects the import in case of an invalid signature or if the signing key is not authorized.

The main options are:

--export

Export the specified store files or packages (see below.) Write the resulting archive to the standard output.

Dependencies are not included in the output, unless --recursive is passed.

-r
--recursive

When combined with --export, this instructs guix archive to include dependencies of the given items in the archive. Thus, the resulting archive is self-contained: it contains the closure of the exported store items.

--import

Read an archive from the standard input, and import the files listed therein into the store. Abort if the archive has an invalid digital signature, or if it is signed by a public key not among the authorized keys (see --authorize below.)

--missing

Read a list of store file names from the standard input, one per line, and write on the standard output the subset of these files missing from the store.

--generate-key[=parameters]

Generate a new key pair for the daemon. This is a prerequisite before archives can be exported with --export. Note that this operation usually takes time, because it needs to gather enough entropy to generate the key pair.

The generated key pair is typically stored under /etc/guix, in signing-key.pub (public key) and signing-key.sec (private key, which must be kept secret.) When parameters is omitted, an ECDSA key using the Ed25519 curve is generated, or, for Libgcrypt versions before 1.6.0, it is a 4096-bit RSA key. Alternatively, parameters can specify genkey parameters suitable for Libgcrypt (see gcry_pk_genkey in The Libgcrypt Reference Manual).

--authorize

Authorize imports signed by the public key passed on standard input. The public key must be in “s-expression advanced format”—i.e., the same format as the signing-key.pub file.

The list of authorized keys is kept in the human-editable file /etc/guix/acl. The file contains “advanced-format s-expressions” and is structured as an access-control list in the Simple Public-Key Infrastructure (SPKI).

--extract=directory
-x directory

Read a single-item archive as served by substitute servers (see Substitutes) and extract it to directory. This is a low-level operation needed in only very narrow use cases; see below.

For example, the following command extracts the substitute for Emacs served by hydra.gnu.org to /tmp/emacs:

$ wget -O - \
  https://hydra.gnu.org/nar/…-emacs-24.5 \
  | bunzip2 | guix archive -x /tmp/emacs

Single-item archives are different from multiple-item archives produced by guix archive --export; they contain a single store item, and they do not embed a signature. Thus this operation does no signature verification and its output should be considered unsafe.

The primary purpose of this operation is to facilitate inspection of archive contents coming from possibly untrusted substitute servers.


Next: , Previous: , Up: Top   [Contents][Index]

4 Programming Interface

GNU Guix provides several Scheme programming interfaces (APIs) to define, build, and query packages. The first interface allows users to write high-level package definitions. These definitions refer to familiar packaging concepts, such as the name and version of a package, its build system, and its dependencies. These definitions can then be turned into concrete build actions.

Build actions are performed by the Guix daemon, on behalf of users. In a standard setup, the daemon has write access to the store—the /gnu/store directory—whereas users do not. The recommended setup also has the daemon perform builds in chroots, under a specific build users, to minimize interference with the rest of the system.

Lower-level APIs are available to interact with the daemon and the store. To instruct the daemon to perform a build action, users actually provide it with a derivation. A derivation is a low-level representation of the build actions to be taken, and the environment in which they should occur—derivations are to package definitions what assembly is to C programs. The term “derivation” comes from the fact that build results derive from them.

This chapter describes all these APIs in turn, starting from high-level package definitions.


Next: , Up: Programming Interface   [Contents][Index]

4.1 Defining Packages

The high-level interface to package definitions is implemented in the (guix packages) and (guix build-system) modules. As an example, the package definition, or recipe, for the GNU Hello package looks like this:

(define-module (gnu packages hello)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix licenses)
  #:use-module (gnu packages gawk))

(define-public hello
  (package
    (name "hello")
    (version "2.10")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/hello/hello-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
    (build-system gnu-build-system)
    (arguments '(#:configure-flags '("--enable-silent-rules")))
    (inputs `(("gawk" ,gawk)))
    (synopsis "Hello, GNU world: An example GNU package")
    (description "Guess what GNU Hello prints!")
    (home-page "http://www.gnu.org/software/hello/")
    (license gpl3+)))

Without being a Scheme expert, the reader may have guessed the meaning of the various fields here. This expression binds the variable hello to a <package> object, which is essentially a record (see Scheme records in GNU Guile Reference Manual). This package object can be inspected using procedures found in the (guix packages) module; for instance, (package-name hello) returns—surprise!—"hello".

With luck, you may be able to import part or all of the definition of the package you are interested in from another repository, using the guix import command (see Invoking guix import).

In the example above, hello is defined in a module of its own, (gnu packages hello). Technically, this is not strictly necessary, but it is convenient to do so: all the packages defined in modules under (gnu packages …) are automatically known to the command-line tools (see Package Modules).

There are a few points worth noting in the above package definition:

See package Reference, for a full description of possible fields.

Once a package definition is in place, the package may actually be built using the guix build command-line tool (see Invoking guix build), troubleshooting any build failures you encounter (see Debugging Build Failures). You can easily jump back to the package definition using the guix edit command (see Invoking guix edit). See Packaging Guidelines, for more information on how to test package definitions, and Invoking guix lint, for information on how to check a definition for style conformance. Lastly, see Package Modules, for information on how to extend the distribution by adding your own package definitions to GUIX_PACKAGE_PATH.

Finally, updating the package definition to a new upstream version can be partly automated by the guix refresh command (see Invoking guix refresh).

Behind the scenes, a derivation corresponding to the <package> object is first computed by the package-derivation procedure. That derivation is stored in a .drv file under /gnu/store. The build actions it prescribes may then be realized by using the build-derivations procedure (see The Store).

Scheme Procedure: package-derivation store package [system]

Return the <derivation> object of package for system (see Derivations).

package must be a valid <package> object, and system must be a string denoting the target system type—e.g., "x86_64-linux" for an x86_64 Linux-based GNU system. store must be a connection to the daemon, which operates on the store (see The Store).

Similarly, it is possible to compute a derivation that cross-builds a package for some other system:

Scheme Procedure: package-cross-derivation store package target [system]

Return the <derivation> object of package cross-built from system to target.

target must be a valid GNU triplet denoting the target hardware and operating system, such as "mips64el-linux-gnu" (see GNU configuration triplets in GNU Configure and Build System).

Packages can be manipulated in arbitrary ways. An example of a useful transformation is input rewriting, whereby the dependency tree of a package is rewritten by replacing specific inputs by others:

Scheme Procedure: package-input-rewriting replacements [rewrite-name]

Return a procedure that, when passed a package, replaces its direct and indirect dependencies (but not its implicit inputs) according to replacements. replacements is a list of package pairs; the first element of each pair is the package to replace, and the second one is the replacement.

Optionally, rewrite-name is a one-argument procedure that takes the name of a package and returns its new name after rewrite.

Consider this example:

(define libressl-instead-of-openssl
  ;; This is a procedure to replace OPENSSL by LIBRESSL,
  ;; recursively.
  (package-input-rewriting `((,openssl . ,libressl))))

(define git-with-libressl
  (libressl-instead-of-openssl git))

Here we first define a rewriting procedure that replaces openssl with libressl. Then we use it to define a variant of the git package that uses libressl instead of openssl. This is exactly what the --with-input command-line option does (see --with-input).

A more generic procedure to rewrite a package dependency graph is package-mapping: it supports arbitrary changes to nodes in the graph.

Scheme Procedure: package-mapping proc [cut?]

Return a procedure that, given a package, applies proc to all the packages depended on and returns the resulting package. The procedure stops recursion when cut? returns true for a given package.


Next: , Up: Defining Packages   [Contents][Index]

4.1.1 package Reference

This section summarizes all the options available in package declarations (see Defining Packages).

Data Type: package

This is the data type representing a package recipe.

name

The name of the package, as a string.

version

The version of the package, as a string.

source

An object telling how the source code for the package should be acquired. Most of the time, this is an origin object, which denotes a file fetched from the Internet (see origin Reference). It can also be any other “file-like” object such as a local-file, which denotes a file from the local file system (see local-file).

build-system

The build system that should be used to build the package (see Build Systems).

arguments (default: '())

The arguments that should be passed to the build system. This is a list, typically containing sequential keyword-value pairs.

inputs (default: '())
native-inputs (default: '())
propagated-inputs (default: '())

These fields list dependencies of the package. Each one is a list of tuples, where each tuple has a label for the input (a string) as its first element, a package, origin, or derivation as its second element, and optionally the name of the output thereof that should be used, which defaults to "out" (see Packages with Multiple Outputs, for more on package outputs). For example, the list below specifies three inputs:

`(("libffi" ,libffi)
  ("libunistring" ,libunistring)
  ("glib:bin" ,glib "bin"))  ;the "bin" output of Glib

The distinction between native-inputs and inputs is necessary when considering cross-compilation. When cross-compiling, dependencies listed in inputs are built for the target architecture; conversely, dependencies listed in native-inputs are built for the architecture of the build machine.

native-inputs is typically used to list tools needed at build time, but not at run time, such as Autoconf, Automake, pkg-config, Gettext, or Bison. guix lint can report likely mistakes in this area (see Invoking guix lint).

Lastly, propagated-inputs is similar to inputs, but the specified packages will be automatically installed alongside the package they belong to (see guix package, for information on how guix package deals with propagated inputs.)

For example this is necessary when a C/C++ library needs headers of another library to compile, or when a pkg-config file refers to another one via its Requires field.

Another example where propagated-inputs is useful is for languages that lack a facility to record the run-time search path akin to the RUNPATH of ELF files; this includes Guile, Python, Perl, and more. To ensure that libraries written in those languages can find library code they depend on at run time, run-time dependencies must be listed in propagated-inputs rather than inputs.

self-native-input? (default: #f)

This is a Boolean field telling whether the package should use itself as a native input when cross-compiling.

outputs (default: '("out"))

The list of output names of the package. See Packages with Multiple Outputs, for typical uses of additional outputs.

native-search-paths (default: '())
search-paths (default: '())

A list of search-path-specification objects describing search-path environment variables honored by the package.

replacement (default: #f)

This must be either #f or a package object that will be used as a replacement for this package. See grafts, for details.

synopsis

A one-line description of the package.

description

A more elaborate description of the package.

license

The license of the package; a value from (guix licenses), or a list of such values.

home-page

The URL to the home-page of the package, as a string.

supported-systems (default: %supported-systems)

The list of systems supported by the package, as strings of the form architecture-kernel, for example "x86_64-linux".

maintainers (default: '())

The list of maintainers of the package, as maintainer objects.

location (default: source location of the package form)

The source location of the package. It is useful to override this when inheriting from another package, in which case this field is not automatically corrected.


Previous: , Up: Defining Packages   [Contents][Index]

4.1.2 origin Reference

This section summarizes all the options available in origin declarations (see Defining Packages).

Data Type: origin

This is the data type representing a source code origin.

uri

An object containing the URI of the source. The object type depends on the method (see below). For example, when using the url-fetch method of (guix download), the valid uri values are: a URL represented as a string, or a list thereof.

method

A procedure that handles the URI.

Examples include:

url-fetch from (guix download)

download a file from the HTTP, HTTPS, or FTP URL specified in the uri field;

git-fetch from (guix git-download)

clone the Git version control repository, and check out the revision specified in the uri field as a git-reference object; a git-reference looks like this:

(git-reference
  (url "git://git.debian.org/git/pkg-shadow/shadow")
  (commit "v4.1.5.1"))
sha256

A bytevector containing the SHA-256 hash of the source. Typically the base32 form is used here to generate the bytevector from a base-32 string.

You can obtain this information using guix download (see Invoking guix download) or guix hash (see Invoking guix hash).

file-name (default: #f)

The file name under which the source code should be saved. When this is #f, a sensible default value will be used in most cases. In case the source is fetched from a URL, the file name from the URL will be used. For version control checkouts, it is recommended to provide the file name explicitly because the default is not very descriptive.

patches (default: '())

A list of file names, origins, or file-like objects (see file-like objects) pointing to patches to be applied to the source.

This list of patches must be unconditional. In particular, it cannot depend on the value of %current-system or %current-target-system.

snippet (default: #f)

A G-expression (see G-Expressions) or S-expression that will be run in the source directory. This is a convenient way to modify the source, sometimes more convenient than a patch.

patch-flags (default: '("-p1"))

A list of command-line flags that should be passed to the patch command.

patch-inputs (default: #f)

Input packages or derivations to the patching process. When this is #f, the usual set of inputs necessary for patching are provided, such as GNU Patch.

modules (default: '())

A list of Guile modules that should be loaded during the patching process and while running the code in the snippet field.

patch-guile (default: #f)

The Guile package that should be used in the patching process. When this is #f, a sensible default is used.


Next: , Previous: , Up: Programming Interface   [Contents][Index]

4.2 Build Systems

Each package definition specifies a build system and arguments for that build system (see Defining Packages). This build-system field represents the build procedure of the package, as well as implicit dependencies of that build procedure.

Build systems are <build-system> objects. The interface to create and manipulate them is provided by the (guix build-system) module, and actual build systems are exported by specific modules.

Under the hood, build systems first compile package objects to bags. A bag is like a package, but with less ornamentation—in other words, a bag is a lower-level representation of a package, which includes all the inputs of that package, including some that were implicitly added by the build system. This intermediate representation is then compiled to a derivation (see Derivations).

Build systems accept an optional list of arguments. In package definitions, these are passed via the arguments field (see Defining Packages). They are typically keyword arguments (see keyword arguments in Guile in GNU Guile Reference Manual). The value of these arguments is usually evaluated in the build stratum—i.e., by a Guile process launched by the daemon (see Derivations).

The main build system is gnu-build-system, which implements the standard build procedure for GNU and many other packages. It is provided by the (guix build-system gnu) module.

Scheme Variable: gnu-build-system

gnu-build-system represents the GNU Build System, and variants thereof (see configuration and makefile conventions in GNU Coding Standards).

In a nutshell, packages using it are configured, built, and installed with the usual ./configure && make && make check && make install command sequence. In practice, a few additional steps are often needed. All these steps are split up in separate phases, notably5:

unpack

Unpack the source tarball, and change the current directory to the extracted source tree. If the source is actually a directory, copy it to the build tree, and enter that directory.

patch-source-shebangs

Patch shebangs encountered in source files so they refer to the right store file names. For instance, this changes #!/bin/sh to #!/gnu/store/…-bash-4.3/bin/sh.

configure

Run the configure script with a number of default options, such as --prefix=/gnu/store/…, as well as the options specified by the #:configure-flags argument.

build

Run make with the list of flags specified with #:make-flags. If the #:parallel-build? argument is true (the default), build with make -j.

check

Run make check, or some other target specified with #:test-target, unless #:tests? #f is passed. If the #:parallel-tests? argument is true (the default), run make check -j.

install

Run make install with the flags listed in #:make-flags.

patch-shebangs

Patch shebangs on the installed executable files.

strip

Strip debugging symbols from ELF files (unless #:strip-binaries? is false), copying them to the debug output when available (see Installing Debugging Files).

The build-side module (guix build gnu-build-system) defines %standard-phases as the default list of build phases. %standard-phases is a list of symbol/procedure pairs, where the procedure implements the actual phase.

The list of phases used for a particular package can be changed with the #:phases parameter. For instance, passing:

#:phases (modify-phases %standard-phases (delete 'configure))

means that all the phases described above will be used, except the configure phase.

In addition, this build system ensures that the “standard” environment for GNU packages is available. This includes tools such as GCC, libc, Coreutils, Bash, Make, Diffutils, grep, and sed (see the (guix build-system gnu) module for a complete list). We call these the implicit inputs of a package, because package definitions do not have to mention them.

Other <build-system> objects are defined to support other conventions and tools used by free software packages. They inherit most of gnu-build-system, and differ mainly in the set of inputs implicitly added to the build process, and in the list of phases executed. Some of these build systems are listed below.

Scheme Variable: ant-build-system

This variable is exported by (guix build-system ant). It implements the build procedure for Java packages that can be built with Ant build tool.

It adds both ant and the Java Development Kit (JDK) as provided by the icedtea package to the set of inputs. Different packages can be specified with the #:ant and #:jdk parameters, respectively.

When the original package does not provide a suitable Ant build file, the parameter #:jar-name can be used to generate a minimal Ant build file build.xml with tasks to build the specified jar archive. In this case the parameter #:source-dir can be used to specify the source sub-directory, defaulting to “src”.

The #:main-class parameter can be used with the minimal ant buildfile to specify the main class of the resulting jar. This makes the jar file executable. The #:test-include parameter can be used to specify the list of junit tests to run. It defaults to (list "**/*Test.java"). The #:test-exclude can be used to disable some tests. It defaults to (list "**/Abstract*.java"), because abstract classes cannot be run as tests.

The parameter #:build-target can be used to specify the Ant task that should be run during the build phase. By default the “jar” task will be run.

Scheme Variable: android-ndk-build-system

This variable is exported by (guix build-system android-ndk). It implements a build procedure for Android NDK (native development kit) packages using a Guix-specific build process.

The build system assumes that packages install their public interface (header) files to the subdirectory "include" of the "out" output and their libraries to the subdirectory "lib" of the "out" output.

It’s also assumed that the union of all the dependencies of a package has no conflicting files.

For the time being, cross-compilation is not supported - so right now the libraries and header files are assumed to be host tools.

Scheme Variable: asdf-build-system/source
Scheme Variable: asdf-build-system/sbcl
Scheme Variable: asdf-build-system/ecl

These variables, exported by (guix build-system asdf), implement build procedures for Common Lisp packages using “ASDF”. ASDF is a system definition facility for Common Lisp programs and libraries.

The asdf-build-system/source system installs the packages in source form, and can be loaded using any common lisp implementation, via ASDF. The others, such as asdf-build-system/sbcl, install binary systems in the format which a particular implementation understands. These build systems can also be used to produce executable programs, or lisp images which contain a set of packages pre-loaded.

The build system uses naming conventions. For binary packages, the package name should be prefixed with the lisp implementation, such as sbcl- for asdf-build-system/sbcl.

Additionally, the corresponding source package should be labeled using the same convention as python packages (see Python Modules), using the cl- prefix.

For binary packages, each system should be defined as a Guix package. If one package origin contains several systems, package variants can be created in order to build all the systems. Source packages, which use asdf-build-system/source, may contain several systems.

In order to create executable programs and images, the build-side procedures build-program and build-image can be used. They should be called in a build phase after the create-symlinks phase, so that the system which was just built can be used within the resulting image. build-program requires a list of Common Lisp expressions to be passed as the #:entry-program argument.

If the system is not defined within its own .asd file of the same name, then the #:asd-file parameter should be used to specify which file the system is defined in. Furthermore, if the package defines a system for its tests in a separate file, it will be loaded before the tests are run if it is specified by the #:test-asd-file parameter. If it is not set, the files <system>-tests.asd, <system>-test.asd, tests.asd, and test.asd will be tried if they exist.

If for some reason the package must be named in a different way than the naming conventions suggest, the #:asd-system-name parameter can be used to specify the name of the system.

Scheme Variable: cargo-build-system

This variable is exported by (guix build-system cargo). It supports builds of packages using Cargo, the build tool of the Rust programming language.

In its configure phase, this build system replaces dependencies specified in the Carto.toml file with inputs to the Guix package. The install phase installs the binaries, and it also installs the source code and Cargo.toml file.

Scheme Variable: cmake-build-system

This variable is exported by (guix build-system cmake). It implements the build procedure for packages using the CMake build tool.

It automatically adds the cmake package to the set of inputs. Which package is used can be specified with the #:cmake parameter.

The #:configure-flags parameter is taken as a list of flags passed to the cmake command. The #:build-type parameter specifies in abstract terms the flags passed to the compiler; it defaults to "RelWithDebInfo" (short for “release mode with debugging information”), which roughly means that code is compiled with -O2 -g, as is the case for Autoconf-based packages by default.

Scheme Variable: go-build-system

This variable is exported by (guix build-system go). It implements a build procedure for Go packages using the standard Go build mechanisms.

The user is expected to provide a value for the key #:import-path and, in some cases, #:unpack-path. The import path corresponds to the file system path expected by the package’s build scripts and any referring packages, and provides a unique way to refer to a Go package. It is typically based on a combination of the package source code’s remote URI and file system hierarchy structure. In some cases, you will need to unpack the package’s source code to a different directory structure than the one indicated by the import path, and #:unpack-path should be used in such cases.

Packages that provide Go libraries should be installed along with their source code. The key #:install-source?, which defaults to #t, controls whether or not the source code is installed. It can be set to #f for packages that only provide executable files.

Scheme Variable: glib-or-gtk-build-system

This variable is exported by (guix build-system glib-or-gtk). It is intended for use with packages making use of GLib or GTK+.

This build system adds the following two phases to the ones defined by gnu-build-system:

glib-or-gtk-wrap

The phase glib-or-gtk-wrap ensures that programs in bin/ are able to find GLib “schemas” and GTK+ modules. This is achieved by wrapping the programs in launch scripts that appropriately set the XDG_DATA_DIRS and GTK_PATH environment variables.

It is possible to exclude specific package outputs from that wrapping process by listing their names in the #:glib-or-gtk-wrap-excluded-outputs parameter. This is useful when an output is known not to contain any GLib or GTK+ binaries, and where wrapping would gratuitously add a dependency of that output on GLib and GTK+.

glib-or-gtk-compile-schemas

The phase glib-or-gtk-compile-schemas makes sure that all GSettings schemas of GLib are compiled. Compilation is performed by the glib-compile-schemas program. It is provided by the package glib:bin which is automatically imported by the build system. The glib package providing glib-compile-schemas can be specified with the #:glib parameter.

Both phases are executed after the install phase.

Scheme Variable: minify-build-system

This variable is exported by (guix build-system minify). It implements a minification procedure for simple JavaScript packages.

It adds uglify-js to the set of inputs and uses it to compress all JavaScript files in the src directory. A different minifier package can be specified with the #:uglify-js parameter, but it is expected that the package writes the minified code to the standard output.

When the input JavaScript files are not all located in the src directory, the parameter #:javascript-files can be used to specify a list of file names to feed to the minifier.

Scheme Variable: ocaml-build-system

This variable is exported by (guix build-system ocaml). It implements a build procedure for OCaml packages, which consists of choosing the correct set of commands to run for each package. OCaml packages can expect many different commands to be run. This build system will try some of them.

When the package has a setup.ml file present at the top-level, it will run ocaml setup.ml -configure, ocaml setup.ml -build and ocaml setup.ml -install. The build system will assume that this file was generated by OASIS and will take care of setting the prefix and enabling tests if they are not disabled. You can pass configure and build flags with the #:configure-flags and #:build-flags. The #:test-flags key can be passed to change the set of flags used to enable tests. The #:use-make? key can be used to bypass this system in the build and install phases.

When the package has a configure file, it is assumed that it is a hand-made configure script that requires a different argument format than in the gnu-build-system. You can add more flags with the #:configure-flags key.

When the package has a Makefile file (or #:use-make? is #t), it will be used and more flags can be passed to the build and install phases with the #:make-flags key.

Finally, some packages do not have these files and use a somewhat standard location for its build system. In that case, the build system will run ocaml pkg/pkg.ml or ocaml pkg/build.ml and take care of providing the path to the required findlib module. Additional flags can be passed via the #:build-flags key. Install is taken care of by opam-installer. In this case, the opam package must be added to the native-inputs field of the package definition.

Note that most OCaml packages assume they will be installed in the same directory as OCaml, which is not what we want in guix. In particular, they will install .so files in their module’s directory, which is usually fine because it is in the OCaml compiler directory. In guix though, these libraries cannot be found and we use CAML_LD_LIBRARY_PATH. This variable points to lib/ocaml/site-lib/stubslibs and this is where .so libraries should be installed.

Scheme Variable: python-build-system

This variable is exported by (guix build-system python). It implements the more or less standard build procedure used by Python packages, which consists in running python setup.py build and then python setup.py install --prefix=/gnu/store/….

For packages that install stand-alone Python programs under bin/, it takes care of wrapping these programs so that their PYTHONPATH environment variable points to all the Python libraries they depend on.

Which Python package is used to perform the build can be specified with the #:python parameter. This is a useful way to force a package to be built for a specific version of the Python interpreter, which might be necessary if the package is only compatible with a single interpreter version.

By default guix calls setup.py under control of setuptools, much like pip does. Some packages are not compatible with setuptools (and pip), thus you can disable this by setting the #:use-setuptools parameter to #f.

Scheme Variable: perl-build-system

This variable is exported by (guix build-system perl). It implements the standard build procedure for Perl packages, which either consists in running perl Build.PL --prefix=/gnu/store/…, followed by Build and Build install; or in running perl Makefile.PL PREFIX=/gnu/store/…, followed by make and make install, depending on which of Build.PL or Makefile.PL is present in the package distribution. Preference is given to the former if both Build.PL and Makefile.PL exist in the package distribution. This preference can be reversed by specifying #t for the #:make-maker? parameter.

The initial perl Makefile.PL or perl Build.PL invocation passes flags specified by the #:make-maker-flags or #:module-build-flags parameter, respectively.

Which Perl package is used can be specified with #:perl.

Scheme Variable: r-build-system

This variable is exported by (guix build-system r). It implements the build procedure used by R packages, which essentially is little more than running R CMD INSTALL --library=/gnu/store/… in an environment where R_LIBS_SITE contains the paths to all R package inputs. Tests are run after installation using the R function tools::testInstalledPackage.

Scheme Variable: texlive-build-system

This variable is exported by (guix build-system texlive). It is used to build TeX packages in batch mode with a specified engine. The build system sets the TEXINPUTS variable to find all TeX source files in the inputs.

By default it runs luatex on all files ending on ins. A different engine and format can be specified with the #:tex-format argument. Different build targets can be specified with the #:build-targets argument, which expects a list of file names. The build system adds only texlive-bin and texlive-latex-base (both from (gnu packages tex) to the inputs. Both can be overridden with the arguments #:texlive-bin and #:texlive-latex-base, respectively.

The #:tex-directory parameter tells the build system where to install the built files under the texmf tree.

Scheme Variable: ruby-build-system

This variable is exported by (guix build-system ruby). It implements the RubyGems build procedure used by Ruby packages, which involves running gem build followed by gem install.

The source field of a package that uses this build system typically references a gem archive, since this is the format that Ruby developers use when releasing their software. The build system unpacks the gem archive, potentially patches the source, runs the test suite, repackages the gem, and installs it. Additionally, directories and tarballs may be referenced to allow building unreleased gems from Git or a traditional source release tarball.

Which Ruby package is used can be specified with the #:ruby parameter. A list of additional flags to be passed to the gem command can be specified with the #:gem-flags parameter.

Scheme Variable: waf-build-system

This variable is exported by (guix build-system waf). It implements a build procedure around the waf script. The common phases—configure, build, and install—are implemented by passing their names as arguments to the waf script.

The waf script is executed by the Python interpreter. Which Python package is used to run the script can be specified with the #:python parameter.

Scheme Variable: scons-build-system

This variable is exported by (guix build-system scons). It implements the build procedure used by the SCons software construction tool. This build system runs scons to build the package, scons test to run tests, and then scons install to install the package.

Additional flags to be passed to scons can be specified with the #:scons-flags parameter. The version of Python used to run SCons can be specified by selecting the appropriate SCons package with the #:scons parameter.

Scheme Variable: haskell-build-system

This variable is exported by (guix build-system haskell). It implements the Cabal build procedure used by Haskell packages, which involves running runhaskell Setup.hs configure --prefix=/gnu/store/… and runhaskell Setup.hs build. Instead of installing the package by running runhaskell Setup.hs install, to avoid trying to register libraries in the read-only compiler store directory, the build system uses runhaskell Setup.hs copy, followed by runhaskell Setup.hs register. In addition, the build system generates the package documentation by running runhaskell Setup.hs haddock, unless #:haddock? #f is passed. Optional Haddock parameters can be passed with the help of the #:haddock-flags parameter. If the file Setup.hs is not found, the build system looks for Setup.lhs instead.

Which Haskell compiler is used can be specified with the #:haskell parameter which defaults to ghc.

Scheme Variable: dub-build-system

This variable is exported by (guix build-system dub). It implements the Dub build procedure used by D packages, which involves running dub build and dub run. Installation is done by copying the files manually.

Which D compiler is used can be specified with the #:ldc parameter which defaults to ldc.

Scheme Variable: emacs-build-system

This variable is exported by (guix build-system emacs). It implements an installation procedure similar to the packaging system of Emacs itself (see Packages in The GNU Emacs Manual).

It first creates the package-autoloads.el file, then it byte compiles all Emacs Lisp files. Differently from the Emacs packaging system, the Info documentation files are moved to the standard documentation directory and the dir file is deleted. Each package is installed in its own directory under share/emacs/site-lisp/guix.d.

Scheme Variable: font-build-system

This variable is exported by (guix build-system font). It implements an installation procedure for font packages where upstream provides pre-compiled TrueType, OpenType, etc. font files that merely need to be copied into place. It copies font files to standard locations in the output directory.

Scheme Variable: meson-build-system

This variable is exported by (guix build-system meson). It implements the build procedure for packages that use Meson as their build system.

It adds both Meson and Ninja to the set of inputs, and they can be changed with the parameters #:meson and #:ninja if needed. The default Meson is meson-for-build, which is special because it doesn’t clear the RUNPATH of binaries and libraries when they are installed.

This build system is an extension of gnu-build-system, but with the following phases changed to some specific for Meson:

configure

The phase runs meson with the flags specified in #:configure-flags. The flag --build-type is always set to plain unless something else is specified in #:build-type.

build

The phase runs ninja to build the package in parallel by default, but this can be changed with #:parallel-build?.

check

The phase runs ninja with the target specified in #:test-target, which is "test" by default.

install

The phase runs ninja install and can not be changed.

Apart from that, the build system also adds the following phases:

fix-runpath

This phase ensures that all binaries can find the libraries they need. It searches for required libraries in subdirectories of the package being built, and adds those to RUNPATH where needed. It also removes references to libraries left over from the build phase by meson-for-build, such as test dependencies, that aren’t actually required for the program to run.

glib-or-gtk-wrap

This phase is the phase provided by glib-or-gtk-build-system, and it is not enabled by default. It can be enabled with #:glib-or-gtk?.

glib-or-gtk-compile-schemas

This phase is the phase provided by glib-or-gtk-build-system, and it is not enabled by default. It can be enabled with #:glib-or-gtk?.

Lastly, for packages that do not need anything as sophisticated, a “trivial” build system is provided. It is trivial in the sense that it provides basically no support: it does not pull any implicit inputs, and does not have a notion of build phases.

Scheme Variable: trivial-build-system

This variable is exported by (guix build-system trivial).

This build system requires a #:builder argument. This argument must be a Scheme expression that builds the package output(s)—as with build-expression->derivation (see build-expression->derivation).


Next: , Previous: , Up: Programming Interface   [Contents][Index]

4.3 The Store

Conceptually, the store is the place where derivations that have been built successfully are stored—by default, /gnu/store. Sub-directories in the store are referred to as store items or sometimes store paths. The store has an associated database that contains information such as the store paths referred to by each store path, and the list of valid store items—results of successful builds. This database resides in localstatedir/guix/db, where localstatedir is the state directory specified via --localstatedir at configure time, usually /var.

The store is always accessed by the daemon on behalf of its clients (see Invoking guix-daemon). To manipulate the store, clients connect to the daemon over a Unix-domain socket, send requests to it, and read the result—these are remote procedure calls, or RPCs.

Note: Users must never modify files under /gnu/store directly. This would lead to inconsistencies and break the immutability assumptions of Guix’s functional model (see Introduction).

See guix gc --verify, for information on how to check the integrity of the store and attempt recovery from accidental modifications.

The (guix store) module provides procedures to connect to the daemon, and to perform RPCs. These are described below. By default, open-connection, and thus all the guix commands, connect to the local daemon or to the URI specified by the GUIX_DAEMON_SOCKET environment variable.

Environment Variable: GUIX_DAEMON_SOCKET

When set, the value of this variable should be a file name or a URI designating the daemon endpoint. When it is a file name, it denotes a Unix-domain socket to connect to. In addition to file names, the supported URI schemes are:

file
unix

These are for Unix-domain sockets. file:///var/guix/daemon-socket/socket is equivalent to /var/guix/daemon-socket/socket.

guix

These URIs denote connections over TCP/IP, without encryption nor authentication of the remote host. The URI must specify the host name and optionally a port number (by default port 44146 is used):

guix://master.guix.example.org:1234

This setup is suitable on local networks, such as clusters, where only trusted nodes may connect to the build daemon at master.guix.example.org.

The --listen option of guix-daemon can be used to instruct it to listen for TCP connections (see --listen).

ssh

These URIs allow you to connect to a remote daemon over SSH6. A typical URL might look like this:

ssh://charlie@guix.example.org:22

As for guix copy, the usual OpenSSH client configuration files are honored (see Invoking guix copy).

Additional URI schemes may be supported in the future.

Note: The ability to connect to remote build daemons is considered experimental as of 0.15.0. Please get in touch with us to share any problems or suggestions you may have (see Contributing).

Scheme Procedure: open-connection [uri] [#:reserve-space? #t]

Connect to the daemon over the Unix-domain socket at uri (a string). When reserve-space? is true, instruct it to reserve a little bit of extra space on the file system so that the garbage collector can still operate should the disk become full. Return a server object.

file defaults to %default-socket-path, which is the normal location given the options that were passed to configure.

Scheme Procedure: close-connection server

Close the connection to server.

Scheme Variable: current-build-output-port

This variable is bound to a SRFI-39 parameter, which refers to the port where build and error logs sent by the daemon should be written.

Procedures that make RPCs all take a server object as their first argument.

Scheme Procedure: valid-path? server path

Return #t when path designates a valid store item and #f otherwise (an invalid item may exist on disk but still be invalid, for instance because it is the result of an aborted or failed build.)

A &nix-protocol-error condition is raised if path is not prefixed by the store directory (/gnu/store).

Scheme Procedure: add-text-to-store server name text [references]

Add text under file name in the store, and return its store path. references is the list of store paths referred to by the resulting store path.

Scheme Procedure: build-derivations server derivations

Build derivations (a list of <derivation> objects or derivation paths), and return when the worker is done building them. Return #t on success.

Note that the (guix monads) module provides a monad as well as monadic versions of the above procedures, with the goal of making it more convenient to work with code that accesses the store (see The Store Monad).

This section is currently incomplete.


Next: , Previous: , Up: Programming Interface   [Contents][Index]

4.4 Derivations

Low-level build actions and the environment in which they are performed are represented by derivations. A derivation contains the following pieces of information:

Derivations allow clients of the daemon to communicate build actions to the store. They exist in two forms: as an in-memory representation, both on the client- and daemon-side, and as files in the store whose name end in .drv—these files are referred to as derivation paths. Derivations paths can be passed to the build-derivations procedure to perform the build actions they prescribe (see The Store).

Operations such as file downloads and version-control checkouts for which the expected content hash is known in advance are modeled as fixed-output derivations. Unlike regular derivations, the outputs of a fixed-output derivation are independent of its inputs—e.g., a source code download produces the same result regardless of the download method and tools being used.

The (guix derivations) module provides a representation of derivations as Scheme objects, along with procedures to create and otherwise manipulate derivations. The lowest-level primitive to create a derivation is the derivation procedure:

Scheme Procedure: derivation store name builder args [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:inputs '()] [#:env-vars '()] [#:system (%current-system)] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] [#:substitutable? #t]

Build a derivation with the given arguments, and return the resulting <derivation> object.

When hash and hash-algo are given, a fixed-output derivation is created—i.e., one whose result is known in advance, such as a file download. If, in addition, recursive? is true, then that fixed output may be an executable file or a directory and hash must be the hash of an archive containing this output.

When references-graphs is true, it must be a list of file name/store path pairs. In that case, the reference graph of each store path is exported in the build environment in the corresponding file, in a simple text format.

When allowed-references is true, it must be a list of store items or outputs that the derivation’s output may refer to. Likewise, disallowed-references, if true, must be a list of things the outputs may not refer to.

When leaked-env-vars is true, it must be a list of strings denoting environment variables that are allowed to “leak” from the daemon’s environment to the build environment. This is only applicable to fixed-output derivations—i.e., when hash is true. The main use is to allow variables such as http_proxy to be passed to derivations that download files.

When local-build? is true, declare that the derivation is not a good candidate for offloading and should rather be built locally (see Daemon Offload Setup). This is the case for small derivations where the costs of data transfers would outweigh the benefits.

When substitutable? is false, declare that substitutes of the derivation’s output should not be used (see Substitutes). This is useful, for instance, when building packages that capture details of the host CPU instruction set.

Here’s an example with a shell script as its builder, assuming store is an open connection to the daemon, and bash points to a Bash executable in the store:

(use-modules (guix utils)
             (guix store)
             (guix derivations))

(let ((builder   ; add the Bash script to the store
        (add-text-to-store store "my-builder.sh"
                           "echo hello world > $out\n" '())))
  (derivation store "foo"
              bash `("-e" ,builder)
              #:inputs `((,bash) (,builder))
              #:env-vars '(("HOME" . "/homeless"))))
⇒ #<derivation /gnu/store/…-foo.drv => /gnu/store/…-foo>

As can be guessed, this primitive is cumbersome to use directly. A better approach is to write build scripts in Scheme, of course! The best course of action for that is to write the build code as a “G-expression”, and to pass it to gexp->derivation. For more information, see G-Expressions.

Once upon a time, gexp->derivation did not exist and constructing derivations with build code written in Scheme was achieved with build-expression->derivation, documented below. This procedure is now deprecated in favor of the much nicer gexp->derivation.

Scheme Procedure: build-expression->derivation store name exp [#:system (%current-system)] [#:inputs '()] [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:env-vars '()] [#:modules '()] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]

Return a derivation that executes Scheme expression exp as a builder for derivation name. inputs must be a list of (name drv-path sub-drv) tuples; when sub-drv is omitted, "out" is assumed. modules is a list of names of Guile modules from the current search path to be copied in the store, compiled, and made available in the load path during the execution of exp—e.g., ((guix build utils) (guix build gnu-build-system)).

exp is evaluated in an environment where %outputs is bound to a list of output/path pairs, and where %build-inputs is bound to a list of string/output-path pairs made from inputs. Optionally, env-vars is a list of string pairs specifying the name and value of environment variables visible to the builder. The builder terminates by passing the result of exp to exit; thus, when exp returns #f, the build is considered to have failed.

exp is built using guile-for-build (a derivation). When guile-for-build is omitted or is #f, the value of the %guile-for-build fluid is used instead.

See the derivation procedure for the meaning of references-graphs, allowed-references, disallowed-references, local-build?, and substitutable?.

Here’s an example of a single-output derivation that creates a directory containing one file:

(let ((builder '(let ((out (assoc-ref %outputs "out")))
                  (mkdir out)    ; create /gnu/store/…-goo
                  (call-with-output-file (string-append out "/test")
                    (lambda (p)
                      (display '(hello guix) p))))))
  (build-expression->derivation store "goo" builder))

⇒ #<derivation /gnu/store/…-goo.drv => …>

Next: , Previous: , Up: Programming Interface   [Contents][Index]

4.5 The Store Monad

The procedures that operate on the store described in the previous sections all take an open connection to the build daemon as their first argument. Although the underlying model is functional, they either have side effects or depend on the current state of the store.

The former is inconvenient: the connection to the build daemon has to be carried around in all those functions, making it impossible to compose functions that do not take that parameter with functions that do. The latter can be problematic: since store operations have side effects and/or depend on external state, they have to be properly sequenced.

This is where the (guix monads) module comes in. This module provides a framework for working with monads, and a particularly useful monad for our uses, the store monad. Monads are a construct that allows two things: associating “context” with values (in our case, the context is the store), and building sequences of computations (here computations include accesses to the store). Values in a monad—values that carry this additional context—are called monadic values; procedures that return such values are called monadic procedures.

Consider this “normal” procedure:

(define (sh-symlink store)
  ;; Return a derivation that symlinks the 'bash' executable.
  (let* ((drv (package-derivation store bash))
         (out (derivation->output-path drv))
         (sh  (string-append out "/bin/bash")))
    (build-expression->derivation store "sh"
                                  `(symlink ,sh %output))))

Using (guix monads) and (guix gexp), it may be rewritten as a monadic function:

(define (sh-symlink)
  ;; Same, but return a monadic value.
  (mlet %store-monad ((drv (package->derivation bash)))
    (gexp->derivation "sh"
                      #~(symlink (string-append #$drv "/bin/bash")
                                 #$output))))

There are several things to note in the second version: the store parameter is now implicit and is “threaded” in the calls to the package->derivation and gexp->derivation monadic procedures, and the monadic value returned by package->derivation is bound using mlet instead of plain let.

As it turns out, the call to package->derivation can even be omitted since it will take place implicitly, as we will see later (see G-Expressions):

(define (sh-symlink)
  (gexp->derivation "sh"
                    #~(symlink (string-append #$bash "/bin/bash")
                               #$output)))

Calling the monadic sh-symlink has no effect. As someone once said, “you exit a monad like you exit a building on fire: by running”. So, to exit the monad and get the desired effect, one must use run-with-store:

(run-with-store (open-connection) (sh-symlink))
⇒ /gnu/store/...-sh-symlink

Note that the (guix monad-repl) module extends the Guile REPL with new “meta-commands” to make it easier to deal with monadic procedures: run-in-store, and enter-store-monad. The former is used to “run” a single monadic value through the store:

scheme@(guile-user)> ,run-in-store (package->derivation hello)
$1 = #<derivation /gnu/store/…-hello-2.9.drv => …>

The latter enters a recursive REPL, where all the return values are automatically run through the store:

scheme@(guile-user)> ,enter-store-monad
store-monad@(guile-user) [1]> (package->derivation hello)
$2 = #<derivation /gnu/store/…-hello-2.9.drv => …>
store-monad@(guile-user) [1]> (text-file "foo" "Hello!")
$3 = "/gnu/store/…-foo"
store-monad@(guile-user) [1]> ,q
scheme@(guile-user)>

Note that non-monadic values cannot be returned in the store-monad REPL.

The main syntactic forms to deal with monads in general are provided by the (guix monads) module and are described below.

Scheme Syntax: with-monad monad body ...

Evaluate any >>= or return forms in body as being in monad.

Scheme Syntax: return val

Return a monadic value that encapsulates val.

Scheme Syntax: >>= mval mproc ...

Bind monadic value mval, passing its “contents” to monadic procedures mproc7. There can be one mproc or several of them, as in this example:

(run-with-state
    (with-monad %state-monad
      (>>= (return 1)
           (lambda (x) (return (+ 1 x)))
           (lambda (x) (return (* 2 x)))))
  'some-state)

⇒ 4
⇒ some-state
Scheme Syntax: mlet monad ((var mval) ...) body ...
Scheme Syntax: mlet* monad ((var mval) ...) body ...

Bind the variables var to the monadic values mval in body, which is a sequence of expressions. As with the bind operator, this can be thought of as “unpacking” the raw, non-monadic value “contained” in mval and making var refer to that raw, non-monadic value within the scope of the body. The form (var -> val) binds var to the “normal” value val, as per let. The binding operations occur in sequence from left to right. The last expression of body must be a monadic expression, and its result will become the result of the mlet or mlet* when run in the monad.

mlet* is to mlet what let* is to let (see Local Bindings in GNU Guile Reference Manual).

Scheme System: mbegin monad mexp ...

Bind mexp and the following monadic expressions in sequence, returning the result of the last expression. Every expression in the sequence must be a monadic expression.

This is akin to mlet, except that the return values of the monadic expressions are ignored. In that sense, it is analogous to begin, but applied to monadic expressions.

Scheme System: mwhen condition mexp0 mexp* ...

When condition is true, evaluate the sequence of monadic expressions mexp0..mexp* as in an mbegin. When condition is false, return *unspecified* in the current monad. Every expression in the sequence must be a monadic expression.

Scheme System: munless condition mexp0 mexp* ...

When condition is false, evaluate the sequence of monadic expressions mexp0..mexp* as in an mbegin. When condition is true, return *unspecified* in the current monad. Every expression in the sequence must be a monadic expression.

The (guix monads) module provides the state monad, which allows an additional value—the state—to be threaded through monadic procedure calls.

Scheme Variable: %state-monad

The state monad. Procedures in the state monad can access and change the state that is threaded.

Consider the example below. The square procedure returns a value in the state monad. It returns the square of its argument, but also increments the current state value:

(define (square x)
  (mlet %state-monad ((count (current-state)))
    (mbegin %state-monad
      (set-current-state (+ 1 count))
      (return (* x x)))))

(run-with-state (sequence %state-monad (map square (iota 3))) 0)
⇒ (0 1 4)
⇒ 3

When “run” through %state-monad, we obtain that additional state value, which is the number of square calls.

Monadic Procedure: current-state

Return the current state as a monadic value.

Monadic Procedure: set-current-state value

Set the current state to value and return the previous state as a monadic value.

Monadic Procedure: state-push value

Push value to the current state, which is assumed to be a list, and return the previous state as a monadic value.

Monadic Procedure: state-pop

Pop a value from the current state and return it as a monadic value. The state is assumed to be a list.

Scheme Procedure: run-with-state mval [state]

Run monadic value mval starting with state as the initial state. Return two values: the resulting value, and the resulting state.

The main interface to the store monad, provided by the (guix store) module, is as follows.

Scheme Variable: %store-monad

The store monad—an alias for %state-monad.

Values in the store monad encapsulate accesses to the store. When its effect is needed, a value of the store monad must be “evaluated” by passing it to the run-with-store procedure (see below.)

Scheme Procedure: run-with-store store mval [#:guile-for-build] [#:system (%current-system)]

Run mval, a monadic value in the store monad, in store, an open store connection.

Monadic Procedure: text-file name text [references]

Return as a monadic value the absolute file name in the store of the file containing text, a string. references is a list of store items that the resulting text file refers to; it defaults to the empty list.

Monadic Procedure: interned-file file [name] [#:recursive? #t] [#:select? (const #t)]

Return the name of file once interned in the store. Use name as its store name, or the basename of file if name is omitted.

When recursive? is true, the contents of file are added recursively; if file designates a flat file and recursive? is true, its contents are added, and its permission bits are kept.

When recursive? is true, call (select? file stat) for each directory entry, where file is the entry’s absolute file name and stat is the result of lstat; exclude entries for which select? does not return true.

The example below adds a file to the store, under two different names:

(run-with-store (open-connection)
  (mlet %store-monad ((a (interned-file "README"))
                      (b (interned-file "README" "LEGU-MIN")))
    (return (list a b))))

⇒ ("/gnu/store/rwm…-README" "/gnu/store/44i…-LEGU-MIN")

The (guix packages) module exports the following package-related monadic procedures:

Monadic Procedure: package-file package [file] [#:system (%current-system)] [#:target #f] [#:output "out"]

Return as a monadic value in the absolute file name of file within the output directory of package. When file is omitted, return the name of the output directory of package. When target is true, use it as a cross-compilation target triplet.

Monadic Procedure: package->derivation package [system]
Monadic Procedure: package->cross-derivation package target [system]

Monadic version of package-derivation and package-cross-derivation (see Defining Packages).


Previous: , Up: Programming Interface   [Contents][Index]

4.6 G-Expressions

So we have “derivations”, which represent a sequence of build actions to be performed to produce an item in the store (see Derivations). These build actions are performed when asking the daemon to actually build the derivations; they are run by the daemon in a container (see Invoking guix-daemon).

It should come as no surprise that we like to write these build actions in Scheme. When we do that, we end up with two strata of Scheme code8: the “host code”—code that defines packages, talks to the daemon, etc.—and the “build code”—code that actually performs build actions, such as making directories, invoking make, etc.

To describe a derivation and its build actions, one typically needs to embed build code inside host code. It boils down to manipulating build code as data, and the homoiconicity of Scheme—code has a direct representation as data—comes in handy for that. But we need more than the normal quasiquote mechanism in Scheme to construct build expressions.

The (guix gexp) module implements G-expressions, a form of S-expressions adapted to build expressions. G-expressions, or gexps, consist essentially of three syntactic forms: gexp, ungexp, and ungexp-splicing (or simply: #~, #$, and #$@), which are comparable to quasiquote, unquote, and unquote-splicing, respectively (see quasiquote in GNU Guile Reference Manual). However, there are major differences:

This mechanism is not limited to package and derivation objects: compilers able to “lower” other high-level objects to derivations or files in the store can be defined, such that these objects can also be inserted into gexps. For example, a useful type of high-level objects that can be inserted in a gexp is “file-like objects”, which make it easy to add files to the store and to refer to them in derivations and such (see local-file and plain-file below.)

To illustrate the idea, here is an example of a gexp:

(define build-exp
  #~(begin
      (mkdir #$output)
      (chdir #$output)
      (symlink (string-append #$coreutils "/bin/ls")
               "list-files")))

This gexp can be passed to gexp->derivation; we obtain a derivation that builds a directory containing exactly one symlink to /gnu/store/…-coreutils-8.22/bin/ls:

(gexp->derivation "the-thing" build-exp)

As one would expect, the "/gnu/store/…-coreutils-8.22" string is substituted to the reference to the coreutils package in the actual build code, and coreutils is automatically made an input to the derivation. Likewise, #$output (equivalent to (ungexp output)) is replaced by a string containing the directory name of the output of the derivation.

In a cross-compilation context, it is useful to distinguish between references to the native build of a package—that can run on the host—versus references to cross builds of a package. To that end, the #+ plays the same role as #$, but is a reference to a native package build:

(gexp->derivation "vi"
   #~(begin
       (mkdir #$output)
       (system* (string-append #+coreutils "/bin/ln")
                "-s"
                (string-append #$emacs "/bin/emacs")
                (string-append #$output "/bin/vi")))
   #:target "mips64el-linux-gnu")

In the example above, the native build of coreutils is used, so that ln can actually run on the host; but then the cross-compiled build of emacs is referenced.

Another gexp feature is imported modules: sometimes you want to be able to use certain Guile modules from the “host environment” in the gexp, so those modules should be imported in the “build environment”. The with-imported-modules form allows you to express that:

(let ((build (with-imported-modules '((guix build utils))
               #~(begin
                   (use-modules (guix build utils))
                   (mkdir-p (string-append #$output "/bin"))))))
  (gexp->derivation "empty-dir"
                    #~(begin
                        #$build
                        (display "success!\n")
                        #t)))

In this example, the (guix build utils) module is automatically pulled into the isolated build environment of our gexp, such that (use-modules (guix build utils)) works as expected.

Usually you want the closure of the module to be imported—i.e., the module itself and all the modules it depends on—rather than just the module; failing to do that, attempts to use the module will fail because of missing dependent modules. The source-module-closure procedure computes the closure of a module by looking at its source file headers, which comes in handy in this case:

(use-modules (guix modules))   ;for 'source-module-closure'

(with-imported-modules (source-module-closure
                         '((guix build utils)
                           (gnu build vm)))
  (gexp->derivation "something-with-vms"
                    #~(begin
                        (use-modules (guix build utils)
                                     (gnu build vm))
                        …)))

In the same vein, sometimes you want to import not just pure-Scheme modules, but also “extensions” such as Guile bindings to C libraries or other “full-blown” packages. Say you need the guile-json package available on the build side, here’s how you would do it:

(use-modules (gnu packages guile))  ;for 'guile-json'

(with-extensions (list guile-json)
  (gexp->derivation "something-with-json"
                    #~(begin
                        (use-modules (json))
                        …)))

The syntactic form to construct gexps is summarized below.

Scheme Syntax: #~exp
Scheme Syntax: (gexp exp)

Return a G-expression containing exp. exp may contain one or more of the following forms:

#$obj
(ungexp obj)

Introduce a reference to obj. obj may have one of the supported types, for example a package or a derivation, in which case the ungexp form is replaced by its output file name—e.g., "/gnu/store/…-coreutils-8.22.

If obj is a list, it is traversed and references to supported objects are substituted similarly.

If obj is another gexp, its contents are inserted and its dependencies are added to those of the containing gexp.

If obj is another kind of object, it is inserted as is.

#$obj:output
(ungexp obj output)

This is like the form above, but referring explicitly to the output of obj—this is useful when obj produces multiple outputs (see Packages with Multiple Outputs).

#+obj
#+obj:output
(ungexp-native obj)
(ungexp-native obj output)

Same as ungexp, but produces a reference to the native build of obj when used in a cross compilation context.

#$output[:output]
(ungexp output [output])

Insert a reference to derivation output output, or to the main output when output is omitted.

This only makes sense for gexps passed to gexp->derivation.

#$@lst
(ungexp-splicing lst)

Like the above, but splices the contents of lst inside the containing list.

#+@lst
(ungexp-native-splicing lst)

Like the above, but refers to native builds of the objects listed in lst.

G-expressions created by gexp or #~ are run-time objects of the gexp? type (see below.)

Scheme Syntax: with-imported-modules modules body

Mark the gexps defined in body… as requiring modules in their execution environment.

Each item in modules can be the name of a module, such as (guix build utils), or it can be a module name, followed by an arrow, followed by a file-like object:

`((guix build utils)
  (guix gcrypt)
  ((guix config) => ,(scheme-file "config.scm"
                                  #~(define-module …))))

In the example above, the first two modules are taken from the search path, and the last one is created from the given file-like object.

This form has lexical scope: it has an effect on the gexps directly defined in body…, but not on those defined, say, in procedures called from body….

Scheme Syntax: with-extensions extensions body

Mark the gexps defined in body… as requiring extensions in their build and execution environment. extensions is typically a list of package objects such as those defined in the (gnu packages guile) module.

Concretely, the packages listed in extensions are added to the load path while compiling imported modules in body…; they are also added to the load path of the gexp returned by body….

Scheme Procedure: gexp? obj

Return #t if obj is a G-expression.

G-expressions are meant to be written to disk, either as code building some derivation, or as plain files in the store. The monadic procedures below allow you to do that (see The Store Monad, for more information about monads.)

Monadic Procedure: gexp->derivation name exp [#:system (%current-system)] [#:target #f] [#:graft? #t] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:env-vars '()] [#:modules '()] [#:module-path %load-path] [#:effective-version "2.2"] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:leaked-env-vars #f] [#:script-name (string-append name "-builder")] [#:deprecation-warnings #f] [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]

Return a derivation name that runs exp (a gexp) with guile-for-build (a derivation) on system; exp is stored in a file called script-name. When target is true, it is used as the cross-compilation target triplet for packages referred to by exp.

modules is deprecated in favor of with-imported-modules. Its meaning is to make modules available in the evaluation context of exp; modules is a list of names of Guile modules searched in module-path to be copied in the store, compiled, and made available in the load path during the execution of exp—e.g., ((guix build utils) (guix build gnu-build-system)).

effective-version determines the string to use when adding extensions of exp (see with-extensions) to the search path—e.g., "2.2".

graft? determines whether packages referred to by exp should be grafted when applicable.

When references-graphs is true, it must be a list of tuples of one of the following forms:

(file-name package)
(file-name package output)
(file-name derivation)
(file-name derivation output)
(file-name store-item)

The right-hand-side of each element of references-graphs is automatically made an input of the build process of exp. In the build environment, each file-name contains the reference graph of the corresponding item, in a simple text format.

allowed-references must be either #f or a list of output names and packages. In the latter case, the list denotes store items that the result is allowed to refer to. Any reference to another store item will lead to a build error. Similarly for disallowed-references, which can list items that must not be referenced by the outputs.

deprecation-warnings determines whether to show deprecation warnings while compiling modules. It can be #f, #t, or 'detailed.

The other arguments are as for derivation (see Derivations).

The local-file, plain-file, computed-file, program-file, and scheme-file procedures below return file-like objects. That is, when unquoted in a G-expression, these objects lead to a file in the store. Consider this G-expression:

#~(system* #$(file-append glibc "/sbin/nscd") "-f"
           #$(local-file "/tmp/my-nscd.conf"))

The effect here is to “intern” /tmp/my-nscd.conf by copying it to the store. Once expanded, for instance via gexp->derivation, the G-expression refers to that copy under /gnu/store; thus, modifying or removing the file in /tmp does not have any effect on what the G-expression does. plain-file can be used similarly; it differs in that the file content is directly passed as a string.

Scheme Procedure: local-file file [name] [#:recursive? #f] [#:select? (const #t)]

Return an object representing local file file to add to the store; this object can be used in a gexp. If file is a relative file name, it is looked up relative to the source file where this form appears. file will be added to the store under name–by default the base name of file.

When recursive? is true, the contents of file are added recursively; if file designates a flat file and recursive? is true, its contents are added, and its permission bits are kept.

When recursive? is true, call (select? file stat) for each directory entry, where file is the entry’s absolute file name and stat is the result of lstat; exclude entries for which select? does not return true.

This is the declarative counterpart of the interned-file monadic procedure (see interned-file).

Scheme Procedure: plain-file name content

Return an object representing a text file called name with the given content (a string) to be added to the store.

This is the declarative counterpart of text-file.

Scheme Procedure: computed-file name gexp [#:options '(#:local-build? #t)]

Return an object representing the store item name, a file or directory computed by gexp. options is a list of additional arguments to pass to gexp->derivation.

This is the declarative counterpart of gexp->derivation.

Monadic Procedure: gexp->script name exp [#:guile (default-guile)] [#:module-path %load-path]

Return an executable script name that runs exp using guile, with exp’s imported modules in its search path. Look up exp’s modules in module-path.

The example below builds a script that simply invokes the ls command:

(use-modules (guix gexp) (gnu packages base))

(gexp->script "list-files"
              #~(execl #$(file-append coreutils "/bin/ls")
                       "ls"))

When “running” it through the store (see run-with-store), we obtain a derivation that produces an executable file /gnu/store/…-list-files along these lines:

#!/gnu/store/…-guile-2.0.11/bin/guile -ds
!#
(execl "/gnu/store/…-coreutils-8.22"/bin/ls" "ls")
Scheme Procedure: program-file name exp [#:guile #f] [#:module-path %load-path]

Return an object representing the executable store item name that runs gexp. guile is the Guile package used to execute that script. Imported modules of gexp are looked up in module-path.

This is the declarative counterpart of gexp->script.

Monadic Procedure: gexp->file name exp [#:set-load-path? #t] [#:module-path %load-path] [#:splice? #f] [#:guile (default-guile)]

Return a derivation that builds a file name containing exp. When splice? is true, exp is considered to be a list of expressions that will be spliced in the resulting file.

When set-load-path? is true, emit code in the resulting file to set %load-path and %load-compiled-path to honor exp’s imported modules. Look up exp’s modules in module-path.

The resulting file holds references to all the dependencies of exp or a subset thereof.

Scheme Procedure: scheme-file name exp [#:splice? #f]

Return an object representing the Scheme file name that contains exp.

This is the declarative counterpart of gexp->file.

Monadic Procedure: text-file* name text

Return as a monadic value a derivation that builds a text file containing all of text. text may list, in addition to strings, objects of any type that can be used in a gexp: packages, derivations, local file objects, etc. The resulting store file holds references to all these.

This variant should be preferred over text-file anytime the file to create will reference items from the store. This is typically the case when building a configuration file that embeds store file names, like this:

(define (profile.sh)
  ;; Return the name of a shell script in the store that
  ;; initializes the 'PATH' environment variable.
  (text-file* "profile.sh"
              "export PATH=" coreutils "/bin:"
              grep "/bin:" sed "/bin\n"))

In this example, the resulting /gnu/store/…-profile.sh file will reference coreutils, grep, and sed, thereby preventing them from being garbage-collected during its lifetime.

Scheme Procedure: mixed-text-file name text

Return an object representing store file name containing text. text is a sequence of strings and file-like objects, as in:

(mixed-text-file "profile"
                 "export PATH=" coreutils "/bin:" grep "/bin")

This is the declarative counterpart of text-file*.

Scheme Procedure: file-union name files

Return a <computed-file> that builds a directory containing all of files. Each item in files must be a two-element list where the first element is the file name to use in the new directory, and the second element is a gexp denoting the target file. Here’s an example:

(file-union "etc"
            `(("hosts" ,(plain-file "hosts"
                                    "127.0.0.1 localhost"))
              ("bashrc" ,(plain-file "bashrc"
                                     "alias ls='ls --color'"))))

This yields an etc directory containing these two files.

Scheme Procedure: directory-union name things

Return a directory that is the union of things, where things is a list of file-like objects denoting directories. For example:

(directory-union "guile+emacs" (list guile emacs))

yields a directory that is the union of the guile and emacs packages.

Scheme Procedure: file-append obj suffix

Return a file-like object that expands to the concatenation of obj and suffix, where obj is a lowerable object and each suffix is a string.

As an example, consider this gexp:

(gexp->script "run-uname"
              #~(system* #$(file-append coreutils
                                        "/bin/uname")))

The same effect could be achieved with:

(gexp->script "run-uname"
              #~(system* (string-append #$coreutils
                                        "/bin/uname")))

There is one difference though: in the file-append case, the resulting script contains the absolute file name as a string, whereas in the second case, the resulting script contains a (string-append …) expression to construct the file name at run time.

Of course, in addition to gexps embedded in “host” code, there are also modules containing build tools. To make it clear that they are meant to be used in the build stratum, these modules are kept in the (guix build …) name space.

Internally, high-level objects are lowered, using their compiler, to either derivations or store items. For instance, lowering a package yields a derivation, and lowering a plain-file yields a store item. This is achieved using the lower-object monadic procedure.

Monadic Procedure: lower-object obj [system] [#:target #f]

Return as a value in %store-monad the derivation or store item corresponding to obj for system, cross-compiling for target if target is true. obj must be an object that has an associated gexp compiler, such as a <package>.


Next: , Previous: , Up: Top   [Contents][Index]

5 Utilities

This section describes Guix command-line utilities. Some of them are primarily targeted at developers and users who write new package definitions, while others are more generally useful. They complement the Scheme programming interface of Guix in a convenient way.


Next: , Up: Utilities   [Contents][Index]

5.1 Invoking guix build

The guix build command builds packages or derivations and their dependencies, and prints the resulting store paths. Note that it does not modify the user’s profile—this is the job of the guix package command (see Invoking guix package). Thus, it is mainly useful for distribution developers.

The general syntax is:

guix build options package-or-derivation

As an example, the following command builds the latest versions of Emacs and of Guile, displays their build logs, and finally displays the resulting directories:

guix build emacs guile

Similarly, the following command builds all the available packages:

guix build --quiet --keep-going \
  `guix package -A | cut -f1,2 --output-delimiter=@`

package-or-derivation may be either the name of a package found in the software distribution such as coreutils or coreutils@8.20, or a derivation such as /gnu/store/…-coreutils-8.19.drv. In the former case, a package with the corresponding name (and optionally version) is searched for among the GNU distribution modules (see Package Modules).

Alternatively, the --expression option may be used to specify a Scheme expression that evaluates to a package; this is useful when disambiguating among several same-named packages or package variants is needed.

There may be zero or more options. The available options are described in the subsections below.


Next: , Up: Invoking guix build   [Contents][Index]

5.1.1 Common Build Options

A number of options that control the build process are common to guix build and other commands that can spawn builds, such as guix package or guix archive. These are the following:

--load-path=directory
-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.

--keep-failed
-K

Keep the build tree of failed builds. Thus, if a build fails, its build tree is kept under /tmp, in a directory whose name is shown at the end of the build log. This is useful when debugging build issues. See Debugging Build Failures, for tips and tricks on how to debug build issues.

--keep-going
-k

Keep going when some of the derivations fail to build; return only once all the builds have either completed or failed.

The default behavior is to stop as soon as one of the specified derivations has failed.

--dry-run
-n

Do not build the derivations.

--fallback

When substituting a pre-built binary fails, fall back to building packages locally (see Substitution Failure).

--substitute-urls=urls

Consider urls the whitespace-separated list of substitute source URLs, overriding the default list of URLs of guix-daemon (see guix-daemon URLs).

This means that substitutes may be downloaded from urls, provided they are signed by a key authorized by the system administrator (see Substitutes).

When urls is the empty string, substitutes are effectively disabled.

--no-substitutes

Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).

--no-grafts

Do not “graft” packages. In practice, this means that package updates available as grafts are not applied. See Security Updates, for more information on grafts.

--rounds=n

Build each derivation n times in a row, and raise an error if consecutive build results are not bit-for-bit identical.

This is a useful way to detect non-deterministic builds processes. Non-deterministic build processes are a problem because they make it practically impossible for users to verify whether third-party binaries are genuine. See Invoking guix challenge, for more.

Note that, currently, the differing build results are not kept around, so you will have to manually investigate in case of an error—e.g., by stashing one of the build results with guix archive --export (see Invoking guix archive), then rebuilding, and finally comparing the two results.

--no-build-hook

Do not attempt to offload builds via the “build hook” of the daemon (see Daemon Offload Setup). That is, always build things locally instead of offloading builds to remote machines.

--max-silent-time=seconds

When the build or substitution process remains silent for more than seconds, terminate it and report a build failure.

By default, the daemon’s setting is honored (see --max-silent-time).

--timeout=seconds

Likewise, when the build or substitution process lasts for more than seconds, terminate it and report a build failure.

By default, the daemon’s setting is honored (see --timeout).

--verbosity=level

Use the given verbosity level. level must be an integer between 0 and 5; higher means more verbose output. Setting a level of 4 or more may be helpful when debugging setup issues with the build daemon.

--cores=n
-c n

Allow the use of up to n CPU cores for the build. The special value 0 means to use as many CPU cores as available.

--max-jobs=n
-M n

Allow at most n build jobs in parallel. See --max-jobs, for details about this option and the equivalent guix-daemon option.

Behind the scenes, guix build is essentially an interface to the package-derivation procedure of the (guix packages) module, and to the build-derivations procedure of the (guix derivations) module.

In addition to options explicitly passed on the command line, guix build and other guix commands that support building honor the GUIX_BUILD_OPTIONS environment variable.

Environment Variable: GUIX_BUILD_OPTIONS

Users can define this variable to a list of command line options that will automatically be used by guix build and other guix commands that can perform builds, as in the example below:

$ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar"

These options are parsed independently, and the result is appended to the parsed command-line options.


Next: , Previous: , Up: Invoking guix build   [Contents][Index]

5.1.2 Package Transformation Options

Another set of command-line options supported by guix build and also guix package are package transformation options. These are options that make it possible to define package variants—for instance, packages built from different source code. This is a convenient way to create customized packages on the fly without having to type in the definitions of package variants (see Defining Packages).

--with-source=source
--with-source=package=source
--with-source=package@version=source

Use source as the source of package, and version as its version number. source must be a file name or a URL, as for guix download (see Invoking guix download).

When package is omitted, it is taken to be the package name specified on the command line that matches the base of source—e.g., if source is /src/guile-2.0.10.tar.gz, the corresponding package is guile.

Likewise, when version is omitted, the version string is inferred from source; in the previous example, it is 2.0.10.

This option allows users to try out versions of packages other than the one provided by the distribution. The example below downloads ed-1.7.tar.gz from a GNU mirror and uses that as the source for the ed package:

guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz

As a developer, --with-source makes it easy to test release candidates:

guix build guile --with-source=../guile-2.0.9.219-e1bb7.tar.xz

… or to build from a checkout in a pristine environment:

$ git clone git://git.sv.gnu.org/guix.git
$ guix build guix --with-source=guix@1.0=./guix
--with-input=package=replacement

Replace dependency on package by a dependency on replacement. package must be a package name, and replacement must be a package specification such as guile or guile@1.8.

For instance, the following command builds Guix, but replaces its dependency on the current stable version of Guile with a dependency on the legacy version of Guile, guile@2.0:

guix build --with-input=guile=guile@2.0 guix

This is a recursive, deep replacement. So in this example, both guix and its dependency guile-json (which also depends on guile) get rebuilt against guile@2.0.

This is implemented using the package-input-rewriting Scheme procedure (see package-input-rewriting).

--with-graft=package=replacement

This is similar to --with-input but with an important difference: instead of rebuilding the whole dependency chain, replacement is built and then grafted onto the binaries that were initially referring to package. See Security Updates, for more information on grafts.

For example, the command below grafts version 3.5.4 of GnuTLS onto Wget and all its dependencies, replacing references to the version of GnuTLS they currently refer to:

guix build --with-graft=gnutls=gnutls@3.5.4 wget

This has the advantage of being much faster than rebuilding everything. But there is a caveat: it works if and only if package and replacement are strictly compatible—for example, if they provide a library, the application binary interface (ABI) of those libraries must be compatible. If replacement is somehow incompatible with package, then the resulting package may be unusable. Use with care!


Next: , Previous: , Up: Invoking guix build   [Contents][Index]

5.1.3 Additional Build Options

The command-line options presented below are specific to guix build.

--quiet
-q

Build quietly, without displaying the build log. Upon completion, the build log is kept in /var (or similar) and can always be retrieved using the --log-file option.

--file=file
-f file

Build the package or derivation that the code within file evaluates to.

As an example, file might contain a package definition like this (see Defining Packages):

(use-modules (guix)
             (guix build-system gnu)
             (guix licenses))

(package
  (name "hello")
  (version "2.10")
  (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/hello/hello-" version
                                ".tar.gz"))
            (sha256
             (base32
              "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
  (build-system gnu-build-system)
  (synopsis "Hello, GNU world: An example GNU package")
  (description "Guess what GNU Hello prints!")
  (home-page "http://www.gnu.org/software/hello/")
  (license gpl3+))
--expression=expr
-e expr

Build the package or derivation expr evaluates to.

For example, expr may be (@ (gnu packages guile) guile-1.8), which unambiguously designates this specific variant of version 1.8 of Guile.

Alternatively, expr may be a G-expression, in which case it is used as a build program passed to gexp->derivation (see G-Expressions).

Lastly, expr may refer to a zero-argument monadic procedure (see The Store Monad). The procedure must return a derivation as a monadic value, which is then passed through run-with-store.

--source
-S

Build the source derivations of the packages, rather than the packages themselves.

For instance, guix build -S gcc returns something like /gnu/store/…-gcc-4.7.2.tar.bz2, which is the GCC source tarball.

The returned source tarball is the result of applying any patches and code snippets specified in the package origin (see Defining Packages).

--sources

Fetch and return the source of package-or-derivation and all their dependencies, recursively. This is a handy way to obtain a local copy of all the source code needed to build packages, allowing you to eventually build them even without network access. It is an extension of the --source option and can accept one of the following optional argument values:

package

This value causes the --sources option to behave in the same way as the --source option.

all

Build the source derivations of all packages, including any source that might be listed as inputs. This is the default value.

$ guix build --sources tzdata
The following derivations will be built:
   /gnu/store/…-tzdata2015b.tar.gz.drv
   /gnu/store/…-tzcode2015b.tar.gz.drv
transitive

Build the source derivations of all packages, as well of all transitive inputs to the packages. This can be used e.g. to prefetch package source for later offline building.

$ guix build --sources=transitive tzdata
The following derivations will be built:
   /gnu/store/…-tzcode2015b.tar.gz.drv
   /gnu/store/…-findutils-4.4.2.tar.xz.drv
   /gnu/store/…-grep-2.21.tar.xz.drv
   /gnu/store/…-coreutils-8.23.tar.xz.drv
   /gnu/store/…-make-4.1.tar.xz.drv
   /gnu/store/…-bash-4.3.tar.xz.drv
…
--system=system
-s system

Attempt to build for system—e.g., i686-linux—instead of the system type of the build host.

Note: The --system flag is for native compilation and must not be confused with cross-compilation. See --target below for information on cross-compilation.

An example use of this is on Linux-based systems, which can emulate different personalities. For instance, passing --system=i686-linux on an x86_64-linux system or --system=armhf-linux on an aarch64-linux system allows you to build packages in a complete 32-bit environment.

Note: Building for an armhf-linux system is unconditionally enabled on aarch64-linux machines, although certain aarch64 chipsets do not allow for this functionality, notably the ThunderX.

Similarly, when transparent emulation with QEMU and binfmt_misc is enabled (see qemu-binfmt-service-type), you can build for any system for which a QEMU binfmt_misc handler is installed.

Builds for a system other than that of the machine you are using can also be offloaded to a remote machine of the right architecture. See Daemon Offload Setup, for more information on offloading.

--target=triplet

Cross-build for triplet, which must be a valid GNU triplet, such as "mips64el-linux-gnu" (see GNU configuration triplets in Autoconf).

--check

Rebuild package-or-derivation, which are already available in the store, and raise an error if the build results are not bit-for-bit identical.

This mechanism allows you to check whether previously installed substitutes are genuine (see Substitutes), or whether the build result of a package is deterministic. See Invoking guix challenge, for more background information and tools.

When used in conjunction with --keep-failed, the differing output is kept in the store, under /gnu/store/…-check. This makes it easy to look for differences between the two results.

--repair

Attempt to repair the specified store items, if they are corrupt, by re-downloading or rebuilding them.

This operation is not atomic and thus restricted to root.

--derivations
-d

Return the derivation paths, not the output paths, of the given packages.

--root=file
-r file

Make file a symlink to the result, and register it as a garbage collector root.

Consequently, the results of this guix build invocation are protected from garbage collection until file is removed. When that option is omitted, build results are eligible for garbage collection as soon as the build completes. See Invoking guix gc, for more on GC roots.

--log-file

Return the build log file names or URLs for the given package-or-derivation, or raise an error if build logs are missing.

This works regardless of how packages or derivations are specified. For instance, the following invocations are equivalent:

guix build --log-file `guix build -d guile`
guix build --log-file `guix build guile`
guix build --log-file guile
guix build --log-file -e '(@ (gnu packages guile) guile-2.0)'

If a log is unavailable locally, and unless --no-substitutes is passed, the command looks for a corresponding log on one of the substitute servers (as specified with --substitute-urls.)

So for instance, imagine you want to see the build log of GDB on MIPS, but you are actually on an x86_64 machine:

$ guix build --log-file gdb -s mips64el-linux
https://hydra.gnu.org/log/…-gdb-7.10

You can freely access a huge library of build logs!


Previous: , Up: Invoking guix build   [Contents][Index]

5.1.4 Debugging Build Failures

When defining a new package (see Defining Packages), you will probably find yourself spending some time debugging and tweaking the build until it succeeds. To do that, you need to operate the build commands yourself in an environment as close as possible to the one the build daemon uses.

To that end, the first thing to do is to use the --keep-failed or -K option of guix build, which will keep the failed build tree in /tmp or whatever directory you specified as TMPDIR (see --keep-failed).

From there on, you can cd to the failed build tree and source the environment-variables file, which contains all the environment variable definitions that were in place when the build failed. So let’s say you’re debugging a build failure in package foo; a typical session would look like this:

$ guix build foo -K
… build fails
$ cd /tmp/guix-build-foo.drv-0
$ source ./environment-variables
$ cd foo-1.2

Now, you can invoke commands as if you were the daemon (almost) and troubleshoot your build process.

Sometimes it happens that, for example, a package’s tests pass when you run them manually but they fail when the daemon runs them. This can happen because the daemon runs builds in containers where, unlike in our environment above, network access is missing, /bin/sh does not exist, etc. (see Build Environment Setup).

In such cases, you may need to run inspect the build process from within a container similar to the one the build daemon creates:

$ guix build -K foo
…
$ cd /tmp/guix-build-foo.drv-0
$ guix environment --no-grafts -C foo --ad-hoc strace gdb
[env]# source ./environment-variables
[env]# cd foo-1.2

Here, guix environment -C creates a container and spawns a new shell in it (see Invoking guix environment). The --ad-hoc strace gdb part adds the strace and gdb commands to the container, which would may find handy while debugging. The --no-grafts option makes sure we get the exact same environment, with ungrafted packages (see Security Updates, for more info on grafts).

To get closer to a container like that used by the build daemon, we can remove /bin/sh:

[env]# rm /bin/sh

(Don’t worry, this is harmless: this is all happening in the throw-away container created by guix environment.)

The strace command is probably not in the search path, but we can run:

[env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check

In this way, not only you will have reproduced the environment variables the daemon uses, you will also be running the build process in a container similar to the one the daemon uses.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.2 Invoking guix edit

So many packages, so many source files! The guix edit command facilitates the life of users and packagers by pointing their editor at the source file containing the definition of the specified packages. For instance:

guix edit gcc@4.9 vim

launches the program specified in the VISUAL or in the EDITOR environment variable to view the recipe of GCC 4.9.3 and that of Vim.

If you are using a Guix Git checkout (see Building from Git), or have created your own packages on GUIX_PACKAGE_PATH (see Defining Packages), you will be able to edit the package recipes. Otherwise, you will be able to examine the read-only recipes for packages currently in the store.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.3 Invoking guix download

When writing a package definition, developers typically need to download a source tarball, compute its SHA256 hash, and write that hash in the package definition (see Defining Packages). The guix download tool helps with this task: it downloads a file from the given URI, adds it to the store, and prints both its file name in the store and its SHA256 hash.

The fact that the downloaded file is added to the store saves bandwidth: when the developer eventually tries to build the newly defined package with guix build, the source tarball will not have to be downloaded again because it is already in the store. It is also a convenient way to temporarily stash files, which may be deleted eventually (see Invoking guix gc).

The guix download command supports the same URIs as used in package definitions. In particular, it supports mirror:// URIs. https URIs (HTTP over TLS) are supported provided the Guile bindings for GnuTLS are available in the user’s environment; when they are not available, an error is raised. See how to install the GnuTLS bindings for Guile in GnuTLS-Guile, for more information.

guix download verifies HTTPS server certificates by loading the certificates of X.509 authorities from the directory pointed to by the SSL_CERT_DIR environment variable (see X.509 Certificates), unless --no-check-certificate is used.

The following options are available:

--format=fmt
-f fmt

Write the hash in the format specified by fmt. For more information on the valid values for fmt, see Invoking guix hash.

--no-check-certificate

Do not validate the X.509 certificates of HTTPS servers.

When using this option, you have absolutely no guarantee that you are communicating with the authentic server responsible for the given URL, which makes you vulnerable to “man-in-the-middle” attacks.

--output=file
-o file

Save the downloaded file to file instead of adding it to the store.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.4 Invoking guix hash

The guix hash command computes the SHA256 hash of a file. It is primarily a convenience tool for anyone contributing to the distribution: it computes the cryptographic hash of a file, which can be used in the definition of a package (see Defining Packages).

The general syntax is:

guix hash option file

When file is - (a hyphen), guix hash computes the hash of data read from standard input. guix hash has the following options:

--format=fmt
-f fmt

Write the hash in the format specified by fmt.

Supported formats: nix-base32, base32, base16 (hex and hexadecimal can be used as well).

If the --format option is not specified, guix hash will output the hash in nix-base32. This representation is used in the definitions of packages.

--recursive
-r

Compute the hash on file recursively.

In this case, the hash is computed on an archive containing file, including its children if it is a directory. Some of the metadata of file is part of the archive; for instance, when file is a regular file, the hash is different depending on whether file is executable or not. Metadata such as time stamps has no impact on the hash (see Invoking guix archive).

--exclude-vcs
-x

When combined with --recursive, exclude version control system directories (.bzr, .git, .hg, etc.)

As an example, here is how you would compute the hash of a Git checkout, which is useful when using the git-fetch method (see origin Reference):

$ git clone http://example.org/foo.git
$ cd foo
$ guix hash -rx .

Next: , Previous: , Up: Utilities   [Contents][Index]

5.5 Invoking guix import

The guix import command is useful for people who would like to add a package to the distribution with as little work as possible—a legitimate demand. The command knows of a few repositories from which it can “import” package metadata. The result is a package definition, or a template thereof, in the format we know (see Defining Packages).

The general syntax is:

guix import importer options

importer specifies the source from which to import package metadata, and options specifies a package identifier and other options specific to importer. Currently, the available “importers” are:

gnu

Import metadata for the given GNU package. This provides a template for the latest version of that GNU package, including the hash of its source tarball, and its canonical synopsis and description.

Additional information such as the package dependencies and its license needs to be figured out manually.

For example, the following command returns a package definition for GNU Hello:

guix import gnu hello

Specific command-line options are:

--key-download=policy

As for guix refresh, specify the policy to handle missing OpenPGP keys when verifying the package signature. See --key-download.

pypi

Import metadata from the Python Package Index9. Information is taken from the JSON-formatted description available at pypi.python.org and usually includes all the relevant information, including package dependencies. For maximum efficiency, it is recommended to install the unzip utility, so that the importer can unzip Python wheels and gather data from them.

The command below imports metadata for the itsdangerous Python package:

guix import pypi itsdangerous
gem

Import metadata from RubyGems10. Information is taken from the JSON-formatted description available at rubygems.org and includes most relevant information, including runtime dependencies. There are some caveats, however. The metadata doesn’t distinguish between synopses and descriptions, so the same string is used for both fields. Additionally, the details of non-Ruby dependencies required to build native extensions is unavailable and left as an exercise to the packager.

The command below imports metadata for the rails Ruby package:

guix import gem rails
cpan

Import metadata from MetaCPAN11. Information is taken from the JSON-formatted metadata provided through MetaCPAN’s API and includes most relevant information, such as module dependencies. License information should be checked closely. If Perl is available in the store, then the corelist utility will be used to filter core modules out of the list of dependencies.

The command command below imports metadata for the Acme::Boolean Perl module:

guix import cpan Acme::Boolean
cran

Import metadata from CRAN, the central repository for the GNU R statistical and graphical environment.

Information is extracted from the DESCRIPTION file of the package.

The command command below imports metadata for the Cairo R package:

guix import cran Cairo

When --recursive is added, the importer will traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.

When --archive=bioconductor is added, metadata is imported from Bioconductor, a repository of R packages for for the analysis and comprehension of high-throughput genomic data in bioinformatics.

Information is extracted from the DESCRIPTION file of a package published on the web interface of the Bioconductor SVN repository.

The command below imports metadata for the GenomicRanges R package:

guix import cran --archive=bioconductor GenomicRanges
texlive

Import metadata from CTAN, the comprehensive TeX archive network for TeX packages that are part of the TeX Live distribution.

Information about the package is obtained through the XML API provided by CTAN, while the source code is downloaded from the SVN repository of the Tex Live project. This is done because the CTAN does not keep versioned archives.

The command command below imports metadata for the fontspec TeX package:

guix import texlive fontspec

When --archive=DIRECTORY is added, the source code is downloaded not from the latex sub-directory of the texmf-dist/source tree in the TeX Live SVN repository, but from the specified sibling directory under the same root.

The command below imports metadata for the ifxetex package from CTAN while fetching the sources from the directory texmf/source/generic:

guix import texlive --archive=generic ifxetex
json

Import package metadata from a local JSON file12. Consider the following example package definition in JSON format:

{
  "name": "hello",
  "version": "2.10",
  "source": "mirror://gnu/hello/hello-2.10.tar.gz",
  "build-system": "gnu",
  "home-page": "https://www.gnu.org/software/hello/",
  "synopsis": "Hello, GNU world: An example GNU package",
  "description": "GNU Hello prints a greeting.",
  "license": "GPL-3.0+",
  "native-inputs": ["gcc@6"]
}

The field names are the same as for the <package> record (See Defining Packages). References to other packages are provided as JSON lists of quoted package specification strings such as guile or guile@2.0.

The importer also supports a more explicit source definition using the common fields for <origin> records:

{
  …
  "source": {
    "method": "url-fetch",
    "uri": "mirror://gnu/hello/hello-2.10.tar.gz",
    "sha256": {
      "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"
    }
  }
  …
}

The command below reads metadata from the JSON file hello.json and outputs a package expression:

guix import json hello.json
nix

Import metadata from a local copy of the source of the Nixpkgs distribution13. Package definitions in Nixpkgs are typically written in a mixture of Nix-language and Bash code. This command only imports the high-level package structure that is written in the Nix language. It normally includes all the basic fields of a package definition.

When importing a GNU package, the synopsis and descriptions are replaced by their canonical upstream variant.

Usually, you will first need to do:

export NIX_REMOTE=daemon

so that nix-instantiate does not try to open the Nix database.

As an example, the command below imports the package definition of LibreOffice (more precisely, it imports the definition of the package bound to the libreoffice top-level attribute):

guix import nix ~/path/to/nixpkgs libreoffice
hackage

Import metadata from the Haskell community’s central package archive Hackage. Information is taken from Cabal files and includes all the relevant information, including package dependencies.

Specific command-line options are:

--stdin
-s

Read a Cabal file from standard input.

--no-test-dependencies
-t

Do not include dependencies required only by the test suites.

--cabal-environment=alist
-e alist

alist is a Scheme alist defining the environment in which the Cabal conditionals are evaluated. The accepted keys are: os, arch, impl and a string representing the name of a flag. The value associated with a flag has to be either the symbol true or false. The value associated with other keys has to conform to the Cabal file format definition. The default value associated with the keys os, arch and impl is ‘linux’, ‘x86_64’ and ‘ghc’, respectively.

The command below imports metadata for the latest version of the HTTP Haskell package without including test dependencies and specifying the value of the flag ‘network-uri’ as false:

guix import hackage -t -e "'((\"network-uri\" . false))" HTTP

A specific package version may optionally be specified by following the package name by an at-sign and a version number as in the following example:

guix import hackage mtl@2.1.3.1
stackage

The stackage importer is a wrapper around the hackage one. It takes a package name, looks up the package version included in a long-term support (LTS) Stackage release and uses the hackage importer to retrieve its metadata. Note that it is up to you to select an LTS release compatible with the GHC compiler used by Guix.

Specific command-line options are:

--no-test-dependencies
-t

Do not include dependencies required only by the test suites.

--lts-version=version
-r version

version is the desired LTS release version. If omitted the latest release is used.

The command below imports metadata for the HTTP Haskell package included in the LTS Stackage release version 7.18:

guix import stackage --lts-version=7.18 HTTP
elpa

Import metadata from an Emacs Lisp Package Archive (ELPA) package repository (see Packages in The GNU Emacs Manual).

Specific command-line options are:

--archive=repo
-a repo

repo identifies the archive repository from which to retrieve the information. Currently the supported repositories and their identifiers are:

  • - GNU, selected by the gnu identifier. This is the default.

    Packages from elpa.gnu.org are signed with one of the keys contained in the GnuPG keyring at share/emacs/25.1/etc/package-keyring.gpg (or similar) in the emacs package (see ELPA package signatures in The GNU Emacs Manual).

  • - MELPA-Stable, selected by the melpa-stable identifier.
  • - MELPA, selected by the melpa identifier.
--recursive
-r

Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.

crate

Import metadata from the crates.io Rust package repository crates.io.

The structure of the guix import code is modular. It would be useful to have more importers for other package formats, and your help is welcome here (see Contributing).


Next: , Previous: , Up: Utilities   [Contents][Index]

5.6 Invoking guix refresh

The primary audience of the guix refresh command is developers of the GNU software distribution. By default, it reports any packages provided by the distribution that are outdated compared to the latest upstream version, like this:

$ guix refresh
gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1
gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0

Alternately, one can specify packages to consider, in which case a warning is emitted for packages that lack an updater:

$ guix refresh coreutils guile guile-ssh
gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh
gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13

guix refresh browses the upstream repository of each package and determines the highest version number of the releases therein. The command knows how to update specific types of packages: GNU packages, ELPA packages, etc.—see the documentation for --type below. There are many packages, though, for which it lacks a method to determine whether a new upstream release is available. However, the mechanism is extensible, so feel free to get in touch with us to add a new method!

Sometimes the upstream name differs from the package name used in Guix, and guix refresh needs a little help. Most updaters honor the upstream-name property in package definitions, which can be used to that effect:

(define-public network-manager
  (package
    (name "network-manager")
    ;; …
    (properties '((upstream-name . "NetworkManager")))))

When passed --update, it modifies distribution source files to update the version numbers and source tarball hashes of those package recipes (see Defining Packages). This is achieved by downloading each package’s latest source tarball and its associated OpenPGP signature, authenticating the downloaded tarball against its signature using gpg, and finally computing its hash. When the public key used to sign the tarball is missing from the user’s keyring, an attempt is made to automatically retrieve it from a public key server; when this is successful, the key is added to the user’s keyring; otherwise, guix refresh reports an error.

The following options are supported:

--expression=expr
-e expr

Consider the package expr evaluates to.

This is useful to precisely refer to a package, as in this example:

guix refresh -l -e '(@@ (gnu packages commencement) glibc-final)'

This command lists the dependents of the “final” libc (essentially all the packages.)

--update
-u

Update distribution source files (package recipes) in place. This is usually run from a checkout of the Guix source tree (see Running Guix Before It Is Installed):

$ ./pre-inst-env guix refresh -s non-core -u

See Defining Packages, for more information on package definitions.

--select=[subset]
-s subset

Select all the packages in subset, one of core or non-core.

The core subset refers to all the packages at the core of the distribution—i.e., packages that are used to build “everything else”. This includes GCC, libc, Binutils, Bash, etc. Usually, changing one of these packages in the distribution entails a rebuild of all the others. Thus, such updates are an inconvenience to users in terms of build time or bandwidth used to achieve the upgrade.

The non-core subset refers to the remaining packages. It is typically useful in cases where an update of the core packages would be inconvenient.

--manifest=file
-m file

Select all the packages from the manifest in file. This is useful to check if any packages of the user manifest can be updated.

--type=updater
-t updater

Select only packages handled by updater (may be a comma-separated list of updaters). Currently, updater may be one of:

gnu

the updater for GNU packages;

gnome

the updater for GNOME packages;

kde

the updater for KDE packages;

xorg

the updater for X.org packages;

kernel.org

the updater for packages hosted on kernel.org;

elpa

the updater for ELPA packages;

cran

the updater for CRAN packages;

bioconductor

the updater for Bioconductor R packages;

cpan

the updater for CPAN packages;

pypi

the updater for PyPI packages.

gem

the updater for RubyGems packages.

github

the updater for GitHub packages.

hackage

the updater for Hackage packages.

stackage

the updater for Stackage packages.

crate

the updater for Crates packages.

For instance, the following command only checks for updates of Emacs packages hosted at elpa.gnu.org and for updates of CRAN packages:

$ guix refresh --type=elpa,cran
gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0
gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9

In addition, guix refresh can be passed one or more package names, as in this example:

$ ./pre-inst-env guix refresh -u emacs idutils gcc@4.8

The command above specifically updates the emacs and idutils packages. The --select option would have no effect in this case.

When considering whether to upgrade a package, it is sometimes convenient to know which packages would be affected by the upgrade and should be checked for compatibility. For this the following option may be used when passing guix refresh one or more package names:

--list-updaters
-L

List available updaters and exit (see --type above.)

For each updater, display the fraction of packages it covers; at the end, display the fraction of packages covered by all these updaters.

--list-dependent
-l

List top-level dependent packages that would need to be rebuilt as a result of upgrading one or more packages.

See the reverse-package type of guix graph, for information on how to visualize the list of dependents of a package.

Be aware that the --list-dependent option only approximates the rebuilds that would be required as a result of an upgrade. More rebuilds might be required under some circumstances.

$ guix refresh --list-dependent flex
Building the following 120 packages would ensure 213 dependent packages are rebuilt:
hop@2.4.0 geiser@0.4 notmuch@0.18 mu@0.9.9.5 cflow@1.4 idutils@4.6 …

The command above lists a set of packages that could be built to check for compatibility with an upgraded flex package.

The following options can be used to customize GnuPG operation:

--gpg=command

Use command as the GnuPG 2.x command. command is searched for in $PATH.

--key-download=policy

Handle missing OpenPGP keys according to policy, which may be one of:

always

Always download missing OpenPGP keys from the key server, and add them to the user’s GnuPG keyring.

never

Never try to download missing OpenPGP keys. Instead just bail out.

interactive

When a package signed with an unknown OpenPGP key is encountered, ask the user whether to download it or not. This is the default behavior.

--key-server=host

Use host as the OpenPGP key server when importing a public key.

The github updater uses the GitHub API to query for new releases. When used repeatedly e.g. when refreshing all packages, GitHub will eventually refuse to answer any further API requests. By default 60 API requests per hour are allowed, and a full refresh on all GitHub packages in Guix requires more than this. Authentication with GitHub through the use of an API token alleviates these limits. To use an API token, set the environment variable GUIX_GITHUB_TOKEN to a token procured from https://github.com/settings/tokens or otherwise.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.7 Invoking guix lint

The guix lint command is meant to help package developers avoid common errors and use a consistent style. It runs a number of checks on a given set of packages in order to find common mistakes in their definitions. Available checkers include (see --list-checkers for a complete list):

synopsis
description

Validate certain typographical and stylistic rules about package descriptions and synopses.

inputs-should-be-native

Identify inputs that should most likely be native inputs.

source
home-page
mirror-url
source-file-name

Probe home-page and source URLs and report those that are invalid. Suggest a mirror:// URL when applicable. Check that the source file name is meaningful, e.g. is not just a version number or “git-checkout”, without a declared file-name (see origin Reference).

cve

Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year published by the US NIST.

To view information about a particular vulnerability, visit pages such as:

where CVE-YYYY-ABCD is the CVE identifier—e.g., CVE-2015-7554.

Package developers can specify in package recipes the Common Platform Enumeration (CPE) name and version of the package when they differ from the name or version that Guix uses, as in this example:

(package
  (name "grub")
  ;; …
  ;; CPE calls this package "grub2".
  (properties '((cpe-name . "grub2")
                (cpe-version . "2.3")))

Some entries in the CVE database do not specify which version of a package they apply to, and would thus “stick around” forever. Package developers who found CVE alerts and verified they can be ignored can declare them as in this example:

(package
  (name "t1lib")
  ;; …
  ;; These CVEs no longer apply and can be safely ignored.
  (properties `((lint-hidden-cve . ("CVE-2011-0433"
                                    "CVE-2011-1553"
                                    "CVE-2011-1554"
                                    "CVE-2011-5244")))))
formatting

Warn about obvious source code formatting issues: trailing white space, use of tabulations, etc.

The general syntax is:

guix lint options package

If no package is given on the command line, then all packages are checked. The options may be zero or more of the following:

--list-checkers
-l

List and describe all the available checkers that will be run on packages and exit.

--checkers
-c

Only enable the checkers specified in a comma-separated list using the names returned by --list-checkers.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.8 Invoking guix size

The guix size command helps package developers profile the disk usage of packages. It is easy to overlook the impact of an additional dependency added to a package, or the impact of using a single output for a package that could easily be split (see Packages with Multiple Outputs). Such are the typical issues that guix size can highlight.

The command can be passed one or more package specifications such as gcc@4.8 or guile:debug, or a file name in the store. Consider this example:

$ guix size coreutils
store item                               total    self
/gnu/store/…-gcc-5.5.0-lib           60.4    30.1  38.1%
/gnu/store/…-glibc-2.27              30.3    28.8  36.6%
/gnu/store/…-coreutils-8.28          78.9    15.0  19.0%
/gnu/store/…-gmp-6.1.2               63.1     2.7   3.4%
/gnu/store/…-bash-static-4.4.12       1.5     1.5   1.9%
/gnu/store/…-acl-2.2.52              61.1     0.4   0.5%
/gnu/store/…-attr-2.4.47             60.6     0.2   0.3%
/gnu/store/…-libcap-2.25             60.5     0.2   0.2%
total: 78.9 MiB

The store items listed here constitute the transitive closure of Coreutils—i.e., Coreutils and all its dependencies, recursively—as would be returned by:

$ guix gc -R /gnu/store/…-coreutils-8.23

Here the output shows three columns next to store items. The first column, labeled “total”, shows the size in mebibytes (MiB) of the closure of the store item—that is, its own size plus the size of all its dependencies. The next column, labeled “self”, shows the size of the item itself. The last column shows the ratio of the size of the item itself to the space occupied by all the items listed here.

In this example, we see that the closure of Coreutils weighs in at 79 MiB, most of which is taken by libc and GCC’s run-time support libraries. (That libc and GCC’s libraries represent a large fraction of the closure is not a problem per se because they are always available on the system anyway.)

When the package(s) passed to guix size are available in the store14, guix size queries the daemon to determine its dependencies, and measures its size in the store, similar to du -ms --apparent-size (see du invocation in GNU Coreutils).

When the given packages are not in the store, guix size reports information based on the available substitutes (see Substitutes). This makes it possible it to profile disk usage of store items that are not even on disk, only available remotely.

You can also specify several package names:

$ guix size coreutils grep sed bash
store item                               total    self
/gnu/store/…-coreutils-8.24          77.8    13.8  13.4%
/gnu/store/…-grep-2.22               73.1     0.8   0.8%
/gnu/store/…-bash-4.3.42             72.3     4.7   4.6%
/gnu/store/…-readline-6.3            67.6     1.2   1.2%
…
total: 102.3 MiB

In this example we see that the combination of the four packages takes 102.3 MiB in total, which is much less than the sum of each closure since they have a lot of dependencies in common.

The available options are:

--substitute-urls=urls

Use substitute information from urls. See the same option for guix build.

--sort=key

Sort lines according to key, one of the following options:

self

the size of each item (the default);

closure

the total size of the item’s closure.

--map-file=file

Write a graphical map of disk usage in PNG format to file.

For the example above, the map looks like this:

map of Coreutils disk usage
produced by guix size

This option requires that Guile-Charting be installed and visible in Guile’s module search path. When that is not the case, guix size fails as it tries to load it.

--system=system
-s system

Consider packages for system—e.g., x86_64-linux.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.9 Invoking guix graph

Packages and their dependencies form a graph, specifically a directed acyclic graph (DAG). It can quickly become difficult to have a mental model of the package DAG, so the guix graph command provides a visual representation of the DAG. By default, guix graph emits a DAG representation in the input format of Graphviz, so its output can be passed directly to the dot command of Graphviz. It can also emit an HTML page with embedded JavaScript code to display a “chord diagram” in a Web browser, using the d3.js library, or emit Cypher queries to construct a graph in a graph database supporting the openCypher query language. The general syntax is:

guix graph options package

For example, the following command generates a PDF file representing the package DAG for the GNU Core Utilities, showing its build-time dependencies:

guix graph coreutils | dot -Tpdf > dag.pdf

The output looks like this:

Dependency graph of the GNU Coreutils

Nice little graph, no?

But there is more than one graph! The one above is concise: it is the graph of package objects, omitting implicit inputs such as GCC, libc, grep, etc. It is often useful to have such a concise graph, but sometimes one may want to see more details. guix graph supports several types of graphs, allowing you to choose the level of detail:

package

This is the default type used in the example above. It shows the DAG of package objects, excluding implicit dependencies. It is concise, but filters out many details.

reverse-package

This shows the reverse DAG of packages. For example:

guix graph --type=reverse-package ocaml

... yields the graph of packages that depend on OCaml.

Note that for core packages this can yield huge graphs. If all you want is to know the number of packages that depend on a given package, use guix refresh --list-dependent (see --list-dependent).

bag-emerged

This is the package DAG, including implicit inputs.

For instance, the following command:

guix graph --type=bag-emerged coreutils | dot -Tpdf > dag.pdf

... yields this bigger graph:

Detailed dependency graph of the GNU Coreutils

At the bottom of the graph, we see all the implicit inputs of gnu-build-system (see gnu-build-system).

Now, note that the dependencies of these implicit inputs—that is, the bootstrap dependencies (see Bootstrapping)—are not shown here, for conciseness.

bag

Similar to bag-emerged, but this time including all the bootstrap dependencies.

bag-with-origins

Similar to bag, but also showing origins and their dependencies.

derivation

This is the most detailed representation: It shows the DAG of derivations (see Derivations) and plain store items. Compared to the above representation, many additional nodes are visible, including build scripts, patches, Guile modules, etc.

For this type of graph, it is also possible to pass a .drv file name instead of a package name, as in:

guix graph -t derivation `guix system build -d my-config.scm`
module

This is the graph of package modules (see Package Modules). For example, the following command shows the graph for the package module that defines the guile package:

guix graph -t module guile | dot -Tpdf > module-graph.pdf

All the types above correspond to build-time dependencies. The following graph type represents the run-time dependencies:

references

This is the graph of references of a package output, as returned by guix gc --references (see Invoking guix gc).

If the given package output is not available in the store, guix graph attempts to obtain dependency information from substitutes.

Here you can also pass a store file name instead of a package name. For example, the command below produces the reference graph of your profile (which can be big!):

guix graph -t references `readlink -f ~/.guix-profile`
referrers

This is the graph of the referrers of a store item, as returned by guix gc --referrers (see Invoking guix gc).

This relies exclusively on local information from your store. For instance, let us suppose that the current Inkscape is available in 10 profiles on your machine; guix graph -t referrers inkscape will show a graph rooted at Inkscape and with those 10 profiles linked to it.

It can help determine what is preventing a store item from being garbage collected.

The available options are the following:

--type=type
-t type

Produce a graph output of type, where type must be one of the values listed above.

--list-types

List the supported graph types.

--backend=backend
-b backend

Produce a graph using the selected backend.

--list-backends

List the supported graph backends.

Currently, the available backends are Graphviz and d3.js.

--expression=expr
-e expr

Consider the package expr evaluates to.

This is useful to precisely refer to a package, as in this example:

guix graph -e '(@@ (gnu packages commencement) gnu-make-final)'

Next: , Previous: , Up: Utilities   [Contents][Index]

5.10 Invoking guix environment

The purpose of guix environment is to assist hackers in creating reproducible development environments without polluting their package profile. The guix environment tool takes one or more packages, builds all of their inputs, and creates a shell environment to use them.

The general syntax is:

guix environment options package

The following example spawns a new shell set up for the development of GNU Guile:

guix environment guile

If the needed dependencies are not built yet, guix environment automatically builds them. The environment of the new shell is an augmented version of the environment that guix environment was run in. It contains the necessary search paths for building the given package added to the existing environment variables. To create a “pure” environment, in which the original environment variables have been unset, use the --pure option15.

guix environment defines the GUIX_ENVIRONMENT variable in the shell it spawns; its value is the file name of the profile of this environment. This allows users to, say, define a specific prompt for development environments in their .bashrc (see Bash Startup Files in The GNU Bash Reference Manual):

if [ -n "$GUIX_ENVIRONMENT" ]
then
    export PS1="\u@\h \w [dev]\$ "
fi

... or to browse the profile:

$ ls "$GUIX_ENVIRONMENT/bin"

Additionally, more than one package may be specified, in which case the union of the inputs for the given packages are used. For example, the command below spawns a shell where all of the dependencies of both Guile and Emacs are available:

guix environment guile emacs

Sometimes an interactive shell session is not desired. An arbitrary command may be invoked by placing the -- token to separate the command from the rest of the arguments:

guix environment guile -- make -j4

In other situations, it is more convenient to specify the list of packages needed in the environment. For example, the following command runs python from an environment containing Python 2.7 and NumPy:

guix environment --ad-hoc python2-numpy python-2.7 -- python

Furthermore, one might want the dependencies of a package and also some additional packages that are not build-time or runtime dependencies, but are useful when developing nonetheless. Because of this, the --ad-hoc flag is positional. Packages appearing before --ad-hoc are interpreted as packages whose dependencies will be added to the environment. Packages appearing after are interpreted as packages that will be added to the environment directly. For example, the following command creates a Guix development environment that additionally includes Git and strace:

guix environment guix --ad-hoc git strace

Sometimes it is desirable to isolate the environment as much as possible, for maximal purity and reproducibility. In particular, when using Guix on a host distro that is not GuixSD, it is desirable to prevent access to /usr/bin and other system-wide resources from the development environment. For example, the following command spawns a Guile REPL in a “container” where only the store and the current working directory are mounted:

guix environment --ad-hoc --container guile -- guile

Note: The --container option requires Linux-libre 3.19 or newer.

The available options are summarized below.

--root=file
-r file

Make file a symlink to the profile for this environment, and register it as a garbage collector root.

This is useful if you want to protect your environment from garbage collection, to make it “persistent”.

When this option is omitted, the environment is protected from garbage collection only for the duration of the guix environment session. This means that next time you recreate the same environment, you could have to rebuild or re-download packages. See Invoking guix gc, for more on GC roots.

--expression=expr
-e expr

Create an environment for the package or list of packages that expr evaluates to.

For example, running:

guix environment -e '(@ (gnu packages maths) petsc-openmpi)'

starts a shell with the environment for this specific variant of the PETSc package.

Running:

guix environment --ad-hoc -e '(@ (gnu) %base-packages)'

starts a shell with all the GuixSD base packages available.

The above commands only use the default output of the given packages. To select other outputs, two element tuples can be specified:

guix environment --ad-hoc -e '(list (@ (gnu packages bash) bash) "include")'
--load=file
-l file

Create an environment for the package or list of packages that the code within file evaluates to.

As an example, file might contain a definition like this (see Defining Packages):

(use-modules (guix)
             (gnu packages gdb)
             (gnu packages autotools)
             (gnu packages texinfo))

;; Augment the package definition of GDB with the build tools
;; needed when developing GDB (and which are not needed when
;; simply installing it.)
(package (inherit gdb)
  (native-inputs `(("autoconf" ,autoconf-2.64)
                   ("automake" ,automake)
                   ("texinfo" ,texinfo)
                   ,@(package-native-inputs gdb))))
--manifest=file
-m file

Create an environment for the packages contained in the manifest object returned by the Scheme code in file.

This is similar to the same-named option in guix package (see --manifest) and uses the same manifest files.

--ad-hoc

Include all specified packages in the resulting environment, as if an ad hoc package were defined with them as inputs. This option is useful for quickly creating an environment without having to write a package expression to contain the desired inputs.

For instance, the command:

guix environment --ad-hoc guile guile-sdl -- guile

runs guile in an environment where Guile and Guile-SDL are available.

Note that this example implicitly asks for the default output of guile and guile-sdl, but it is possible to ask for a specific output—e.g., glib:bin asks for the bin output of glib (see Packages with Multiple Outputs).

This option may be composed with the default behavior of guix environment. Packages appearing before --ad-hoc are interpreted as packages whose dependencies will be added to the environment, the default behavior. Packages appearing after are interpreted as packages that will be added to the environment directly.

--pure

Unset existing environment variables when building the new environment. This has the effect of creating an environment in which search paths only contain package inputs.

--search-paths

Display the environment variable definitions that make up the environment.

--system=system
-s system

Attempt to build for system—e.g., i686-linux.

--container
-C

Run command within an isolated container. The current working directory outside the container is mapped inside the container. Additionally, unless overridden with --user, a dummy home directory is created that matches the current user’s home directory, and /etc/passwd is configured accordingly. The spawned process runs as the current user outside the container, but has root privileges in the context of the container.

--network
-N

For containers, share the network namespace with the host system. Containers created without this flag only have access to the loopback device.

--link-profile
-P

For containers, link the environment profile to ~/.guix-profile within the container. This is equivalent to running the command ln -s $GUIX_ENVIRONMENT ~/.guix-profile within the container. Linking will fail and abort the environment if the directory already exists, which will certainly be the case if guix environment was invoked in the user’s home directory.

Certain packages are configured to look in ~/.guix-profile for configuration files and data;16 --link-profile allows these programs to behave as expected within the environment.

--user=user
-u user

For containers, use the username user in place of the current user. The generated /etc/passwd entry within the container will contain the name user; the home directory will be /home/USER; and no user GECOS data will be copied. user need not exist on the system.

Additionally, any shared or exposed path (see --share and --expose respectively) whose target is within the current user’s home directory will be remapped relative to /home/USER; this includes the automatic mapping of the current working directory.

# will expose paths as /home/foo/wd, /home/foo/test, and /home/foo/target
cd $HOME/wd
guix environment --container --user=foo \
     --expose=$HOME/test \
     --expose=/tmp/target=$HOME/target

While this will limit the leaking of user identity through home paths and each of the user fields, this is only one useful component of a broader privacy/anonymity solution—not one in and of itself.

--expose=source[=target]

For containers, expose the file system source from the host system as the read-only file system target within the container. If target is not specified, source is used as the target mount point in the container.

The example below spawns a Guile REPL in a container in which the user’s home directory is accessible read-only via the /exchange directory:

guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile
--share=source[=target]

For containers, share the file system source from the host system as the writable file system target within the container. If target is not specified, source is used as the target mount point in the container.

The example below spawns a Guile REPL in a container in which the user’s home directory is accessible for both reading and writing via the /exchange directory:

guix environment --container --share=$HOME=/exchange --ad-hoc guile -- guile

guix environment also supports all of the common build options that guix build supports (see Common Build Options).


Next: , Previous: , Up: Utilities   [Contents][Index]

5.11 Invoking guix publish

The purpose of guix publish is to enable users to easily share their store with others, who can then use it as a substitute server (see Substitutes).

When guix publish runs, it spawns an HTTP server which allows anyone with network access to obtain substitutes from it. This means that any machine running Guix can also act as if it were a build farm, since the HTTP interface is compatible with Hydra, the software behind the hydra.gnu.org build farm.

For security, each substitute is signed, allowing recipients to check their authenticity and integrity (see Substitutes). Because guix publish uses the signing key of the system, which is only readable by the system administrator, it must be started as root; the --user option makes it drop root privileges early on.

The signing key pair must be generated before guix publish is launched, using guix archive --generate-key (see Invoking guix archive).

The general syntax is:

guix publish options

Running guix publish without any additional arguments will spawn an HTTP server on port 8080:

guix publish

Once a publishing server has been authorized (see Invoking guix archive), the daemon may download substitutes from it:

guix-daemon --substitute-urls=http://example.org:8080

By default, guix publish compresses archives on the fly as it serves them. This “on-the-fly” mode is convenient in that it requires no setup and is immediately available. However, when serving lots of clients, we recommend using the --cache option, which enables caching of the archives before they are sent to clients—see below for details. The guix weather command provides a handy way to check what a server provides (see Invoking guix weather).

As a bonus, guix publish also serves as a content-addressed mirror for source files referenced in origin records (see origin Reference). For instance, assuming guix publish is running on example.org, the following URL returns the raw hello-2.10.tar.gz file with the given SHA256 hash (represented in nix-base32 format, see Invoking guix hash):

http://example.org/file/hello-2.10.tar.gz/sha256/0ssi1…ndq1i

Obviously, these URLs only work for files that are in the store; in other cases, they return 404 (“Not Found”).

Build logs are available from /log URLs like:

http://example.org/log/gwspk…-guile-2.2.3

When guix-daemon is configured to save compressed build logs, as is the case by default (see Invoking guix-daemon), /log URLs return the compressed log as-is, with an appropriate Content-Type and/or Content-Encoding header. We recommend running guix-daemon with --log-compression=gzip since Web browsers can automatically decompress it, which is not the case with bzip2 compression.

The following options are available:

--port=port
-p port

Listen for HTTP requests on port.

--listen=host

Listen on the network interface for host. The default is to accept connections from any interface.

--user=user
-u user

Change privileges to user as soon as possible—i.e., once the server socket is open and the signing key has been read.

--compression[=level]
-C [level]

Compress data using the given level. When level is zero, disable compression. The range 1 to 9 corresponds to different gzip compression levels: 1 is the fastest, and 9 is the best (CPU-intensive). The default is 3.

Unless --cache is used, compression occurs on the fly and the compressed streams are not cached. Thus, to reduce load on the machine that runs guix publish, it may be a good idea to choose a low compression level, to run guix publish behind a caching proxy, or to use --cache. Using --cache has the advantage that it allows guix publish to add Content-Length HTTP header to its responses.

--cache=directory
-c directory

Cache archives and meta-data (.narinfo URLs) to directory and only serve archives that are in cache.

When this option is omitted, archives and meta-data are created on-the-fly. This can reduce the available bandwidth, especially when compression is enabled, since this may become CPU-bound. Another drawback of the default mode is that the length of archives is not known in advance, so guix publish does not add a Content-Length HTTP header to its responses, which in turn prevents clients from knowing the amount of data being downloaded.

Conversely, when --cache is used, the first request for a store item (via a .narinfo URL) returns 404 and triggers a background process to bake the archive—computing its .narinfo and compressing the archive, if needed. Once the archive is cached in directory, subsequent requests succeed and are served directly from the cache, which guarantees that clients get the best possible bandwidth.

The “baking” process is performed by worker threads. By default, one thread per CPU core is created, but this can be customized. See --workers below.

When --ttl is used, cached entries are automatically deleted when they have expired.

--workers=N

When --cache is used, request the allocation of N worker threads to “bake” archives.

--ttl=ttl

Produce Cache-Control HTTP headers that advertise a time-to-live (TTL) of ttl. ttl must denote a duration: 5d means 5 days, 1m means 1 month, and so on.

This allows the user’s Guix to keep substitute information in cache for ttl. However, note that guix publish does not itself guarantee that the store items it provides will indeed remain available for as long as ttl.

Additionally, when --cache is used, cached entries that have not been accessed for ttl and that no longer have a corresponding item in the store, may be deleted.

--nar-path=path

Use path as the prefix for the URLs of “nar” files (see normalized archives).

By default, nars are served at a URL such as /nar/gzip/…-coreutils-8.25. This option allows you to change the /nar part to path.

--public-key=file
--private-key=file

Use the specific files as the public/private key pair used to sign the store items being published.

The files must correspond to the same key pair (the private key is used for signing and the public key is merely advertised in the signature metadata). They must contain keys in the canonical s-expression format as produced by guix archive --generate-key (see Invoking guix archive). By default, /etc/guix/signing-key.pub and /etc/guix/signing-key.sec are used.

--repl[=port]
-r [port]

Spawn a Guile REPL server (see REPL Servers in GNU Guile Reference Manual) on port (37146 by default). This is used primarily for debugging a running guix publish server.

Enabling guix publish on a GuixSD system is a one-liner: just instantiate a guix-publish-service-type service in the services field of the operating-system declaration (see guix-publish-service-type).

If you are instead running Guix on a “foreign distro”, follow these instructions:”


Next: , Previous: , Up: Utilities   [Contents][Index]

5.12 Invoking guix challenge

Do the binaries provided by this server really correspond to the source code it claims to build? Is a package build process deterministic? These are the questions the guix challenge command attempts to answer.

The former is obviously an important question: Before using a substitute server (see Substitutes), one had better verify that it provides the right binaries, and thus challenge it. The latter is what enables the former: If package builds are deterministic, then independent builds of the package should yield the exact same result, bit for bit; if a server provides a binary different from the one obtained locally, it may be either corrupt or malicious.

We know that the hash that shows up in /gnu/store file names is the hash of all the inputs of the process that built the file or directory—compilers, libraries, build scripts, etc. (see Introduction). Assuming deterministic build processes, one store file name should map to exactly one build output. guix challenge checks whether there is, indeed, a single mapping by comparing the build outputs of several independent builds of any given store item.

The command output looks like this:

$ guix challenge --substitute-urls="https://hydra.gnu.org https://guix.example.org"
updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
updating list of substitutes from 'https://guix.example.org'... 100.0%
/gnu/store/…-openssl-1.0.2d contents differ:
  local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
  https://hydra.gnu.org/nar/…-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
  https://guix.example.org/nar/…-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim
/gnu/store/…-git-2.5.0 contents differ:
  local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha
  https://hydra.gnu.org/nar/…-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f
  https://guix.example.org/nar/…-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73
/gnu/store/…-pius-2.1.1 contents differ:
  local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
  https://hydra.gnu.org/nar/…-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
  https://guix.example.org/nar/…-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs

…

6,406 store items were analyzed:
  - 4,749 (74.1%) were identical
  - 525 (8.2%) differed
  - 1,132 (17.7%) were inconclusive

In this example, guix challenge first scans the store to determine the set of locally-built derivations—as opposed to store items that were downloaded from a substitute server—and then queries all the substitute servers. It then reports those store items for which the servers obtained a result different from the local build.

As an example, guix.example.org always gets a different answer. Conversely, hydra.gnu.org agrees with local builds, except in the case of Git. This might indicate that the build process of Git is non-deterministic, meaning that its output varies as a function of various things that Guix does not fully control, in spite of building packages in isolated environments (see Features). Most common sources of non-determinism include the addition of timestamps in build results, the inclusion of random numbers, and directory listings sorted by inode number. See https://reproducible-builds.org/docs/, for more information.

To find out what is wrong with this Git binary, we can do something along these lines (see Invoking guix archive):

$ wget -q -O - https://hydra.gnu.org/nar/…-git-2.5.0 \
   | guix archive -x /tmp/git
$ diff -ur --no-dereference /gnu/store/…-git.2.5.0 /tmp/git

This command shows the difference between the files resulting from the local build, and the files resulting from the build on hydra.gnu.org (see Comparing and Merging Files in Comparing and Merging Files). The diff command works great for text files. When binary files differ, a better option is Diffoscope, a tool that helps visualize differences for all kinds of files.

Once you have done that work, you can tell whether the differences are due to a non-deterministic build process or to a malicious server. We try hard to remove sources of non-determinism in packages to make it easier to verify substitutes, but of course, this is a process that involves not just Guix, but a large part of the free software community. In the meantime, guix challenge is one tool to help address the problem.

If you are writing packages for Guix, you are encouraged to check whether hydra.gnu.org and other substitute servers obtain the same build result as you did with:

$ guix challenge package

where package is a package specification such as guile@2.0 or glibc:debug.

The general syntax is:

guix challenge options [packages…]

When a difference is found between the hash of a locally-built item and that of a server-provided substitute, or among substitutes provided by different servers, the command displays it as in the example above and its exit code is 2 (other non-zero exit codes denote other kinds of errors.)

The one option that matters is:

--substitute-urls=urls

Consider urls the whitespace-separated list of substitute source URLs to compare to.

--verbose
-v

Show details about matches (identical contents) in addition to information about mismatches.


Next: , Previous: , Up: Utilities   [Contents][Index]

5.13 Invoking guix copy

The guix copy command copies items from the store of one machine to that of another machine over a secure shell (SSH) connection17. For example, the following command copies the coreutils package, the user’s profile, and all their dependencies over to host, logged in as user:

guix copy --to=user@host \
          coreutils `readlink -f ~/.guix-profile`

If some of the items to be copied are already present on host, they are not actually sent.

The command below retrieves libreoffice and gimp from host, assuming they are available there:

guix copy --from=host libreoffice gimp

The SSH connection is established using the Guile-SSH client, which is compatible with OpenSSH: it honors ~/.ssh/known_hosts and ~/.ssh/config, and uses the SSH agent for authentication.

The key used to sign items that are sent must be accepted by the remote machine. Likewise, the key used by the remote machine to sign items you are retrieving must be in /etc/guix/acl so it is accepted by your own daemon. See Invoking guix archive, for more information about store item authentication.

The general syntax is:

guix copy [--to=spec|--from=spec] items

You must always specify one of the following options:

--to=spec
--from=spec

Specify the host to send to or receive from. spec must be an SSH spec such as example.org, charlie@example.org, or charlie@example.org:2222.

The items can be either package names, such as gimp, or store items, such as /gnu/store/…-idutils-4.6.

When specifying the name of a package to send, it is first built if needed, unless --dry-run was specified. Common build options are supported (see Common Build Options).


Next: , Previous: , Up: Utilities   [Contents][Index]

5.14 Invoking guix container

Note: As of version 0.15.0, this tool is experimental. The interface is subject to radical change in the future.

The purpose of guix container is to manipulate processes running within an isolated environment, commonly known as a “container”, typically created by the guix environment (see Invoking guix environment) and guix system container (see Invoking guix system) commands.

The general syntax is:

guix container action options

action specifies the operation to perform with a container, and options specifies the context-specific arguments for the action.

The following actions are available:

exec

Execute a command within the context of a running container.

The syntax is:

guix container exec pid program arguments

pid specifies the process ID of the running container. program specifies an executable file name within the root file system of the container. arguments are the additional options that will be passed to program.

The following command launches an interactive login shell inside a GuixSD container, started by guix system container, and whose process ID is 9001:

guix container exec 9001 /run/current-system/profile/bin/bash --login

Note that the pid cannot be the parent process of a container. It must be PID 1 of the container or one of its child processes.


Previous: , Up: Utilities   [Contents][Index]

5.15 Invoking guix weather

Occasionally you’re grumpy because substitutes are lacking and you end up building packages by yourself (see Substitutes). The guix weather command reports on substitute availability on the specified servers so you can have an idea of whether you’ll be grumpy today. It can sometimes be useful info as a user, but it is primarily useful to people running guix publish (see Invoking guix publish).

Here’s a sample run:

$ guix weather --substitute-urls=https://guix.example.org
computing 5,872 package derivations for x86_64-linux...
looking for 6,128 store items on https://guix.example.org..
updating list of substitutes from 'https://guix.example.org'... 100.0%
https://guix.example.org
  43.4% substitutes available (2,658 out of 6,128)
  7,032.5 MiB of nars (compressed)
  19,824.2 MiB on disk (uncompressed)
  0.030 seconds per request (182.9 seconds in total)
  33.5 requests per second

  9.8% (342 out of 3,470) of the missing items are queued
  867 queued builds
      x86_64-linux: 518 (59.7%)
      i686-linux: 221 (25.5%)
      aarch64-linux: 128 (14.8%)
  build rate: 23.41 builds per hour
      x86_64-linux: 11.16 builds per hour
      i686-linux: 6.03 builds per hour
      aarch64-linux: 6.41 builds per hour

As you can see, it reports the fraction of all the packages for which substitutes are available on the server—regardless of whether substitutes are enabled, and regardless of whether this server’s signing key is authorized. It also reports the size of the compressed archives (“nars”) provided by the server, the size the corresponding store items occupy in the store (assuming deduplication is turned off), and the server’s throughput. The second part gives continuous integration (CI) statistics, if the server supports it.

To achieve that, guix weather queries over HTTP(S) meta-data (narinfos) for all the relevant store items. Like guix challenge, it ignores signatures on those substitutes, which is innocuous since the command only gathers statistics and cannot install those substitutes.

Among other things, it is possible to query specific system types and specific package sets. The available options are listed below.

--substitute-urls=urls

urls is the space-separated list of substitute server URLs to query. When this option is omitted, the default set of substitute servers is queried.

--system=system
-s system

Query substitutes for system—e.g., aarch64-linux. This option can be repeated, in which case guix weather will query substitutes for several system types.

--manifest=file

Instead of querying substitutes for all the packages, only ask for those specified in file. file must contain a manifest, as with the -m option of guix package (see Invoking guix package).


Next: , Previous: , Up: Top   [Contents][Index]

6 GNU Distribution

Guix comes with a distribution of the GNU system consisting entirely of free software18. The distribution can be installed on its own (see System Installation), but it is also possible to install Guix as a package manager on top of an installed GNU/Linux system (see Installation). To distinguish between the two, we refer to the standalone distribution as the Guix System Distribution, or GuixSD.

The distribution provides core GNU packages such as GNU libc, GCC, and Binutils, as well as many GNU and non-GNU applications. The complete list of available packages can be browsed on-line or by running guix package (see Invoking guix package):

guix package --list-available

Our goal is to provide a practical 100% free software distribution of Linux-based and other variants of GNU, with a focus on the promotion and tight integration of GNU components, and an emphasis on programs and tools that help users exert that freedom.

Packages are currently available on the following platforms:

x86_64-linux

Intel/AMD x86_64 architecture, Linux-Libre kernel;

i686-linux

Intel 32-bit architecture (IA32), Linux-Libre kernel;

armhf-linux

ARMv7-A architecture with hard float, Thumb-2 and NEON, using the EABI hard-float application binary interface (ABI), and Linux-Libre kernel.

aarch64-linux

little-endian 64-bit ARMv8-A processors, Linux-Libre kernel. This is currently in an experimental stage, with limited support. See Contributing, for how to help!

mips64el-linux

little-endian 64-bit MIPS processors, specifically the Loongson series, n32 ABI, and Linux-Libre kernel.

GuixSD itself is currently only available on i686 and x86_64.

For information on porting to other architectures or kernels, see Porting.

Building this distribution is a cooperative effort, and you are invited to join! See Contributing, for information about how you can help.


Next: , Up: GNU Distribution   [Contents][Index]

6.1 System Installation

This section explains how to install the Guix System Distribution (GuixSD) on a machine. The Guix package manager can also be installed on top of a running GNU/Linux system, see Installation.


Next: , Up: System Installation   [Contents][Index]

6.1.1 Limitations

As of version 0.15.0, the Guix System Distribution (GuixSD) is not production-ready. It may contain bugs and lack important features. Thus, if you are looking for a stable production system that respects your freedom as a computer user, a good solution at this point is to consider one of the more established GNU/Linux distributions. We hope you can soon switch to the GuixSD without fear, of course. In the meantime, you can also keep using your distribution and try out the package manager on top of it (see Installation).

Before you proceed with the installation, be aware of the following noteworthy limitations applicable to version 0.15.0:

You have been warned! But more than a disclaimer, this is an invitation to report issues (and success stories!), and to join us in improving it. See Contributing, for more info.


Next: , Previous: , Up: System Installation   [Contents][Index]

6.1.2 Hardware Considerations

GNU GuixSD focuses on respecting the user’s computing freedom. It builds around the kernel Linux-libre, which means that only hardware for which free software drivers and firmware exist is supported. Nowadays, a wide range of off-the-shelf hardware is supported on GNU/Linux-libre—from keyboards to graphics cards to scanners and Ethernet controllers. Unfortunately, there are still areas where hardware vendors deny users control over their own computing, and such hardware is not supported on GuixSD.

One of the main areas where free drivers or firmware are lacking is WiFi devices. WiFi devices known to work include those using Atheros chips (AR9271 and AR7010), which corresponds to the ath9k Linux-libre driver, and those using Broadcom/AirForce chips (BCM43xx with Wireless-Core Revision 5), which corresponds to the b43-open Linux-libre driver. Free firmware exists for both and is available out-of-the-box on GuixSD, as part of %base-firmware (see firmware).

The Free Software Foundation runs Respects Your Freedom (RYF), a certification program for hardware products that respect your freedom and your privacy and ensure that you have control over your device. We encourage you to check the list of RYF-certified devices.

Another useful resource is the H-Node web site. It contains a catalog of hardware devices with information about their support in GNU/Linux.


Next: , Previous: , Up: System Installation   [Contents][Index]

6.1.3 USB Stick and DVD Installation

An ISO-9660 installation image that can be written to a USB stick or burnt to a DVD can be downloaded from ‘ftp://alpha.gnu.org/gnu/guix/guixsd-install-0.15.0.system.iso.xz’, where system is one of:

x86_64-linux

for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;

i686-linux

for a 32-bit GNU/Linux system on Intel-compatible CPUs.

Make sure to download the associated .sig file and to verify the authenticity of the image against it, along these lines:

$ wget ftp://alpha.gnu.org/gnu/guix/guixsd-install-0.15.0.system.iso.xz.sig
$ gpg --verify guixsd-install-0.15.0.system.iso.xz.sig

If that command fails because you do not have the required public key, then run this command to import it:

$ gpg --keyserver pgp.mit.edu --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5

and rerun the gpg --verify command.

This image contains the tools necessary for an installation. It is meant to be copied as is to a large-enough USB stick or DVD.

Copying to a USB Stick

To copy the image to a USB stick, follow these steps:

  1. Decompress the image using the xz command:
    xz -d guixsd-install-0.15.0.system.iso.xz
    
  2. Insert a USB stick of 1 GiB or more into your machine, and determine its device name. Assuming that the USB stick is known as /dev/sdX, copy the image with:
    dd if=guixsd-install-0.15.0.x86_64-linux.iso of=/dev/sdX
    sync
    

    Access to /dev/sdX usually requires root privileges.

Burning on a DVD

To copy the image to a DVD, follow these steps:

  1. Decompress the image using the xz command:
    xz -d guixsd-install-0.15.0.system.iso.xz
    
  2. Insert a blank DVD into your machine, and determine its device name. Assuming that the DVD drive is known as /dev/srX, copy the image with:
    growisofs -dvd-compat -Z /dev/srX=guixsd-install-0.15.0.x86_64.iso
    

    Access to /dev/srX usually requires root privileges.

Booting

Once this is done, you should be able to reboot the system and boot from the USB stick or DVD. The latter usually requires you to get in the BIOS or UEFI boot menu, where you can choose to boot from the USB stick.

See Installing GuixSD in a VM, if, instead, you would like to install GuixSD in a virtual machine (VM).


Next: , Previous: , Up: System Installation   [Contents][Index]

6.1.4 Preparing for Installation

Once you have successfully booted your computer using the installation medium, you should end up with a root prompt. Several console TTYs are configured and can be used to run commands as root. TTY2 shows this documentation, browsable using the Info reader commands (see Stand-alone GNU Info). The installation system runs the GPM mouse daemon, which allows you to select text with the left mouse button and to paste it with the middle button.

Note: Installation requires access to the Internet so that any missing dependencies of your system configuration can be downloaded. See the “Networking” section below.

The installation system includes many common tools needed for this task. But it is also a full-blown GuixSD system, which means that you can install additional packages, should you need it, using guix package (see Invoking guix package).

6.1.4.1 Keyboard Layout

The installation image uses the US qwerty keyboard layout. If you want to change it, you can use the loadkeys command. For example, the following command selects the Dvorak keyboard layout:

loadkeys dvorak

See the files under /run/current-system/profile/share/keymaps for a list of available keyboard layouts. Run man loadkeys for more information.

6.1.4.2 Networking

Run the following command see what your network interfaces are called:

ifconfig -a

… or, using the GNU/Linux-specific ip command:

ip a

Wired interfaces have a name starting with ‘e’; for example, the interface corresponding to the first on-board Ethernet controller is called ‘eno1’. Wireless interfaces have a name starting with ‘w’, like ‘w1p2s0’.

Wired connection

To configure a wired network run the following command, substituting interface with the name of the wired interface you want to use.

ifconfig interface up
Wireless connection

To configure wireless networking, you can create a configuration file for the wpa_supplicant configuration tool (its location is not important) using one of the available text editors such as nano:

nano wpa_supplicant.conf

As an example, the following stanza can go to this file and will work for many wireless networks, provided you give the actual SSID and passphrase for the network you are connecting to:

network={
  ssid="my-ssid"
  key_mgmt=WPA-PSK
  psk="the network's secret passphrase"
}

Start the wireless service and run it in the background with the following command (substitute interface with the name of the network interface you want to use):

wpa_supplicant -c wpa_supplicant.conf -i interface -B

Run man wpa_supplicant for more information.

At this point, you need to acquire an IP address. On a network where IP addresses are automatically assigned via DHCP, you can run:

dhclient -v interface

Try to ping a server to see if networking is up and running:

ping -c 3 gnu.org

Setting up network access is almost always a requirement because the image does not contain all the software and tools that may be needed.

If you want to, you can continue the installation remotely by starting an SSH server:

herd start ssh-daemon

Make sure to either set a password with passwd, or configure OpenSSH public key authentication before logging in.

6.1.4.3 Disk Partitioning

Unless this has already been done, the next step is to partition, and then format the target partition(s).

The installation image includes several partitioning tools, including Parted (see Overview in GNU Parted User Manual), fdisk, and cfdisk. Run it and set up your disk with the partition layout you want:

cfdisk

If your disk uses the GUID Partition Table (GPT) format and you plan to install BIOS-based GRUB (which is the default), make sure a BIOS Boot Partition is available (see BIOS installation in GNU GRUB manual).

If you instead wish to use EFI-based GRUB, a FAT32 EFI System Partition (ESP) is required. This partition should be mounted at /boot/efi and must have the esp flag set. E.g., for parted:

parted /dev/sda set 1 esp on

Note: Unsure whether to use EFI- or BIOS-based GRUB? If the directory /sys/firmware/efi exists in the installation image, the you should probably perform an EFI installation, using grub-efi-bootloader. Otherwise you should use the BIOS-based GRUB, known as grub-bootloader. See Bootloader Configuration, for more info on bootloaders.

Once you are done partitioning the target hard disk drive, you have to create a file system on the relevant partition(s)19. For the ESP, if you have one and assuming it is /dev/sda1, run:

mkfs.fat -F32 /dev/sda1

Preferably, assign file systems a label so that you can easily and reliably refer to them in file-system declarations (see File Systems). This is typically done using the -L option of mkfs.ext4 and related commands. So, assuming the target root partition lives at /dev/sda2, a file system with the label my-root can be created with:

mkfs.ext4 -L my-root /dev/sda2

If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see man cryptsetup for more information.) Assuming you want to store the root partition on /dev/sda2, the command sequence would be along these lines:

cryptsetup luksFormat /dev/sda2
cryptsetup open --type luks /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition

Once that is done, mount the target file system under /mnt with a command like (again, assuming my-root is the label of the root file system):

mount LABEL=my-root /mnt

Also mount any other file systems you would like to use on the target system relative to this path. If you have /boot on a separate partition for example, mount it at /mnt/boot now so it is found by guix system init afterwards.

Finally, if you plan to use one or more swap partitions (see swap space in The GNU C Library Reference Manual), make sure to initialize them with mkswap. Assuming you have one swap partition on /dev/sda3, you would run:

mkswap /dev/sda3
swapon /dev/sda3

Alternatively, you may use a swap file. For example, assuming that in the new system you want to use the file /swapfile as a swap file, you would run20:

# This is 10 GiB of swap space.  Adjust "count" to change the size.
dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240
# For security, make the file readable and writable only by root.
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

Note that if you have encrypted the root partition and created a swap file in its file system as described above, then the encryption also protects the swap file, just like any other file in that file system.


Next: , Previous: , Up: System Installation   [Contents][Index]

6.1.5 Proceeding with the Installation

With the target partitions ready and the target root mounted on /mnt, we’re ready to go. First, run:

herd start cow-store /mnt

This makes /gnu/store copy-on-write, such that packages added to it during the installation phase are written to the target disk on /mnt rather than kept in memory. This is necessary because the first phase of the guix system init command (see below) entails downloads or builds to /gnu/store which, initially, is an in-memory file system.

Next, you have to edit a file and provide the declaration of the operating system to be installed. To that end, the installation system comes with three text editors. We recommend GNU nano (see GNU nano Manual), which supports syntax highlighting and parentheses matching; other editors include GNU Zile (an Emacs clone), and nvi (a clone of the original BSD vi editor). We strongly recommend storing that file on the target root file system, say, as /mnt/etc/config.scm. Failing to do that, you will have lost your configuration file once you have rebooted into the newly-installed system.

See Using the Configuration System, for an overview of the configuration file. The example configurations discussed in that section are available under /etc/configuration in the installation image. Thus, to get started with a system configuration providing a graphical display server (a “desktop” system), you can run something along these lines:

# mkdir /mnt/etc
# cp /etc/configuration/desktop.scm /mnt/etc/config.scm
# nano /mnt/etc/config.scm

You should pay attention to what your configuration file contains, and in particular:

Once you are done preparing the configuration file, the new system must be initialized (remember that the target root file system is mounted under /mnt):

guix system init /mnt/etc/config.scm /mnt

This copies all the necessary files and installs GRUB on /dev/sdX, unless you pass the --no-bootloader option. For more information, see Invoking guix system. This command may trigger downloads or builds of missing packages, which can take some time.

Once that command has completed—and hopefully succeeded!—you can run reboot and boot into the new system. The root password in the new system is initially empty; other users’ passwords need to be initialized by running the passwd command as root, unless your configuration specifies otherwise (see user account passwords).

From then on, you can update GuixSD whenever you want by running guix pull as root (see Invoking guix pull), and then running guix system reconfigure to build a new system generation with the latest packages and services (see Invoking guix system). We recommend doing that regularly so that your system includes the latest security updates (see Security Updates).

Join us on #guix on the Freenode IRC network or on guix-devel@gnu.org to share your experience—good or not so good.


Next: , Previous: , Up: System Installation   [Contents][Index]

6.1.6 Installing GuixSD in a Virtual Machine

If you’d like to install GuixSD in a virtual machine (VM) or on a virtual private server (VPS) rather than on your beloved machine, this section is for you.

To boot a QEMU VM for installing GuixSD in a disk image, follow these steps:

  1. First, retrieve and decompress the GuixSD installation image as described previously (see USB Stick and DVD Installation).
  2. Create a disk image that will hold the installed system. To make a qcow2-formatted disk image, use the qemu-img command:
    qemu-img create -f qcow2 guixsd.img 50G
    

    The resulting file will be much smaller than 50 GB (typically less than 1 MB), but it will grow as the virtualized storage device is filled up.

  3. Boot the USB installation image in an VM:
    qemu-system-x86_64 -m 1024 -smp 1 \
      -net user -net nic,model=virtio -boot menu=on \
      -drive file=guixsd-install-0.15.0.system.iso \
      -drive file=guixsd.img
    

    The ordering of the drives matters.

    In the VM console, quickly press the F12 key to enter the boot menu. Then press the 2 key and the RET key to validate your selection.

  4. You’re now root in the VM, proceed with the installation process. See Preparing for Installation, and follow the instructions.

Once installation is complete, you can boot the system that’s on your guixsd.img image. See Running GuixSD in a VM, for how to do that.


Previous: , Up: System Installation   [Contents][Index]

6.1.7 Building the Installation Image

The installation image described above was built using the guix system command, specifically:

guix system disk-image gnu/system/install.scm

Have a look at gnu/system/install.scm in the source tree, and see also Invoking guix system for more information about the installation image.

6.1.8 Building the Installation Image for ARM Boards

Many ARM boards require a specific variant of the U-Boot bootloader.

If you build a disk image and the bootloader is not available otherwise (on another boot drive etc), it’s advisable to build an image that includes the bootloader, specifically:

guix system disk-image --system=armhf-linux -e '((@ (gnu system install) os-with-u-boot) (@ (gnu system install) installation-os) "A20-OLinuXino-Lime2")'

A20-OLinuXino-Lime2 is the name of the board. If you specify an invalid board, a list of possible boards will be printed.


Next: , Previous: , Up: GNU Distribution   [Contents][Index]

6.2 System Configuration

The Guix System Distribution supports a consistent whole-system configuration mechanism. By that we mean that all aspects of the global system configuration—such as the available system services, timezone and locale settings, user accounts—are declared in a single place. Such a system configuration can be instantiated—i.e., effected.

One of the advantages of putting all the system configuration under the control of Guix is that it supports transactional system upgrades, and makes it possible to roll back to a previous system instantiation, should something go wrong with the new one (see Features). Another advantage is that it makes it easy to replicate the exact same configuration across different machines, or at different points in time, without having to resort to additional administration tools layered on top of the own tools of the system.

This section describes this mechanism. First we focus on the system administrator’s viewpoint—explaining how the system is configured and instantiated. Then we show how this mechanism can be extended, for instance to support new system services.


Next: , Up: System Configuration   [Contents][Index]

6.2.1 Using the Configuration System

The operating system is configured by providing an operating-system declaration in a file that can then be passed to the guix system command (see Invoking guix system). A simple setup, with the default system services, the default Linux-Libre kernel, initial RAM disk, and boot loader looks like this:

;; This is an operating system configuration template
;; for a "bare bones" setup, with no X11 display server.

(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

(operating-system
  (host-name "komputilo")
  (timezone "Europe/Berlin")
  (locale "en_US.utf8")

  ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  ;; target hard disk, and "my-root" is the label of the target
  ;; root file system.
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (target "/dev/sdX")))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")

                ;; Adding the account to the "wheel" group
                ;; makes it a sudoer.  Adding it to "audio"
                ;; and "video" allows the user to play sound
                ;; and access the webcam.
                (supplementary-groups '("wheel"
                                        "audio" "video"))
                (home-directory "/home/alice"))
               %base-user-accounts))

  ;; Globally-installed packages.
  (packages (cons* screen openssh %base-packages))

  ;; Add services to the baseline: a DHCP client and
  ;; an SSH server.
  (services (cons* (dhcp-client-service)
                   (service openssh-service-type
                            (openssh-configuration
                              (port-number 2222)))
                   %base-services)))

This example should be self-describing. Some of the fields defined above, such as host-name and bootloader, are mandatory. Others, such as packages and services, can be omitted, in which case they get a default value.

Below we discuss the effect of some of the most important fields (see operating-system Reference, for details about all the available fields), and how to instantiate the operating system using guix system.

Bootloader

The bootloader field describes the method that will be used to boot your system. Machines based on Intel processors can boot in “legacy” BIOS mode, as in the example above. However, more recent machines rely instead on the Unified Extensible Firmware Interface (UEFI) to boot. In that case, the bootloader field should contain something along these lines:

(bootloader-configuration
  (bootloader grub-efi-bootloader)
  (target "/boot/efi"))

See Bootloader Configuration, for more information on the available configuration options.

Globally-Visible Packages

The packages field lists packages that will be globally visible on the system, for all user accounts—i.e., in every user’s PATH environment variable—in addition to the per-user profiles (see Invoking guix package). The %base-packages variable provides all the tools one would expect for basic user and administrator tasks—including the GNU Core Utilities, the GNU Networking Utilities, the GNU Zile lightweight text editor, find, grep, etc. The example above adds GNU Screen and OpenSSH to those, taken from the (gnu packages screen) and (gnu packages ssh) modules (see Package Modules). The (list package output) syntax can be used to add a specific output of a package:

(use-modules (gnu packages))
(use-modules (gnu packages dns))

(operating-system
  ;; ...
  (packages (cons (list bind "utils")
                  %base-packages)))

Referring to packages by variable name, like bind above, has the advantage of being unambiguous; it also allows typos and such to be diagnosed right away as “unbound variables”. The downside is that one needs to know which module defines which package, and to augment the use-package-modules line accordingly. To avoid that, one can use the specification->package procedure of the (gnu packages) module, which returns the best package for a given name or name and version:

(use-modules (gnu packages))

(operating-system
  ;; ...
  (packages (append (map specification->package
                         '("tcpdump" "htop" "gnupg@2.0"))
                    %base-packages)))

System Services

The services field lists system services to be made available when the system starts (see Services). The operating-system declaration above specifies that, in addition to the basic services, we want the lshd secure shell daemon listening on port 2222 (see lsh-service). Under the hood, lsh-service arranges so that lshd is started with the right command-line options, possibly with supporting configuration files generated as needed (see Defining Services).

Occasionally, instead of using the base services as is, you will want to customize them. To do this, use modify-services (see modify-services) to modify the list.

For example, suppose you want to modify guix-daemon and Mingetty (the console log-in) in the %base-services list (see %base-services). To do that, you can write the following in your operating system declaration:

(define %my-services
  ;; My very own list of services.
  (modify-services %base-services
    (guix-service-type config =>
                       (guix-configuration
                        (inherit config)
                        (use-substitutes? #f)
                        (extra-options '("--gc-keep-derivations"))))
    (mingetty-service-type config =>
                           (mingetty-configuration
                            (inherit config)))))

(operating-system
  ;; …
  (services %my-services))

This changes the configuration—i.e., the service parameters—of the guix-service-type instance, and that of all the mingetty-service-type instances in the %base-services list. Observe how this is accomplished: first, we arrange for the original configuration to be bound to the identifier config in the body, and then we write the body so that it evaluates to the desired configuration. In particular, notice how we use inherit to create a new configuration which has the same values as the old configuration, but with a few modifications.

The configuration for a typical “desktop” usage, with an encrypted root partition, the X11 display server, GNOME and Xfce (users can choose which of these desktop environments to use at the log-in screen by pressing F1), network management, power management, and more, would look like this:

;; This is an operating system configuration template
;; for a "desktop" setup with GNOME and Xfce where the
;; root partition is encrypted with LUKS.

(use-modules (gnu) (gnu system nss))
(use-service-modules desktop)
(use-package-modules certs gnome)

(operating-system
  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "12345678-1234-1234-1234-123456789abc"))
          (target "my-root")
          (type luks-device-mapping))))

  (file-systems (cons (file-system
                        (device "my-root")
                        (mount-point "/")
                        (type "ext4")
                        (dependencies mapped-devices))
                      %base-file-systems))

  (users (cons (user-account
                (name "bob")
                (comment "Alice's brother")
                (group "users")
                (supplementary-groups '("wheel" "netdev"
                                        "audio" "video"))
                (home-directory "/home/bob"))
               %base-user-accounts))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs         ;for HTTPS access
                   gvfs              ;for user mounts
                   %base-packages))

  ;; Add GNOME and/or Xfce---we can choose at the log-in
  ;; screen with F1.  Use the "desktop" services, which
  ;; include the X11 log-in service, networking with
  ;; NetworkManager, and more.
  (services (cons* (gnome-desktop-service)
                   (xfce-desktop-service)
                   %desktop-services))

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

A graphical system with a choice of lightweight window managers instead of full-blown desktop environments would look like this:

;; This is an operating system configuration template
;; for a "desktop" setup without full-blown desktop
;; environments.

(use-modules (gnu) (gnu system nss))
(use-service-modules desktop)
(use-package-modules bootloaders certs ratpoison suckless wm)

(operating-system
  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")))

  ;; Assume the target root file system is labelled "my-root",
  ;; and the EFI System Partition has UUID 1234-ABCD.
  (file-systems (cons* (file-system
                         (device (file-system-label "my-root"))
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device (uuid "1234-ABCD" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat"))
                       %base-file-systems))

  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")
                (supplementary-groups '("wheel" "netdev"
                                        "audio" "video"))
                (home-directory "/home/alice"))
               %base-user-accounts))

  ;; Add a bunch of window managers; we can choose one at
  ;; the log-in screen with F1.
  (packages (cons* ratpoison i3-wm i3status dmenu ;window managers
                   nss-certs                      ;for HTTPS access
                   %base-packages))

  ;; Use the "desktop" services, which include the X11
  ;; log-in service, networking with NetworkManager, and more.
  (services %desktop-services)

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

This example refers to the /boot/efi file system by its UUID, 1234-ABCD. Replace this UUID with the right UUID on your system, as returned by the blkid command.

See Desktop Services, for the exact list of services provided by %desktop-services. See X.509 Certificates, for background information about the nss-certs package that is used here.

Again, %desktop-services is just a list of service objects. If you want to remove services from there, you can do so using the procedures for list filtering (see SRFI-1 Filtering and Partitioning in GNU Guile Reference Manual). For instance, the following expression returns a list that contains all the services in %desktop-services minus the Avahi service:

(remove (lambda (service)
          (eq? (service-kind service) avahi-service-type))
        %desktop-services)

Instantiating the System

Assuming the operating-system declaration is stored in the my-system-config.scm file, the guix system reconfigure my-system-config.scm command instantiates that configuration, and makes it the default GRUB boot entry (see Invoking guix system).

The normal way to change the system configuration is by updating this file and re-running guix system reconfigure. One should never have to touch files in /etc or to run commands that modify the system state such as useradd or grub-install. In fact, you must avoid that since that would not only void your warranty but also prevent you from rolling back to previous versions of your system, should you ever need to.

Speaking of roll-back, each time you run guix system reconfigure, a new generation of the system is created—without modifying or deleting previous generations. Old system generations get an entry in the bootloader boot menu, allowing you to boot them in case something went wrong with the latest generation. Reassuring, no? The guix system list-generations command lists the system generations available on disk. It is also possible to roll back the system via the commands guix system roll-back and guix system switch-generation.

Although the command guix system reconfigure will not modify previous generations, must take care when the current generation is not the latest (e.g., after invoking guix system roll-back), since the operation might overwrite a later generation (see Invoking guix system).

The Programming Interface

At the Scheme level, the bulk of an operating-system declaration is instantiated with the following monadic procedure (see The Store Monad):

Monadic Procedure: operating-system-derivation os

Return a derivation that builds os, an operating-system object (see Derivations).

The output of the derivation is a single directory that refers to all the packages, configuration files, and other supporting files needed to instantiate os.

This procedure is provided by the (gnu system) module. Along with (gnu services) (see Services), this module contains the guts of GuixSD. Make sure to visit it!


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.2 operating-system Reference

This section summarizes all the options available in operating-system declarations (see Using the Configuration System).

Data Type: operating-system

This is the data type representing an operating system configuration. By that, we mean all the global system configuration, not per-user configuration (see Using the Configuration System).

kernel (default: linux-libre)

The package object of the operating system kernel to use21.

kernel-arguments (default: '())

List of strings or gexps representing additional arguments to pass on the command-line of the kernel—e.g., ("console=ttyS0").

bootloader

The system bootloader configuration object. See Bootloader Configuration.

initrd-modules (default: %base-initrd-modules)

The list of Linux kernel modules that need to be available in the initial RAM disk. See Initial RAM Disk.

initrd (default: base-initrd)

A monadic procedure that returns an initial RAM disk for the Linux kernel. This field is provided to support low-level customization and should rarely be needed for casual use. See Initial RAM Disk.

firmware (default: %base-firmware)

List of firmware packages loadable by the operating system kernel.

The default includes firmware needed for Atheros- and Broadcom-based WiFi devices (Linux-libre modules ath9k and b43-open, respectively). See Hardware Considerations, for more info on supported hardware.

host-name

The host name.

hosts-file

A file-like object (see file-like objects) for use as /etc/hosts (see Host Names in The GNU C Library Reference Manual). The default is a file with entries for localhost and host-name.

mapped-devices (default: '())

A list of mapped devices. See Mapped Devices.

file-systems

A list of file systems. See File Systems.

swap-devices (default: '())

A list of strings identifying devices or files to be used for “swap space” (see Memory Concepts in The GNU C Library Reference Manual). For example, '("/dev/sda3") or '("/swapfile"). It is possible to specify a swap file in a file system on a mapped device, provided that the necessary device mapping and file system are also specified. See Mapped Devices and File Systems.

users (default: %base-user-accounts)
groups (default: %base-groups)

List of user accounts and groups. See User Accounts.

If the users list lacks a user account with UID 0, a “root” account with UID 0 is automatically added.

skeletons (default: (default-skeletons))

A list target file name/file-like object tuples (see file-like objects). These are the skeleton files that will be added to the home directory of newly-created user accounts.

For instance, a valid value may look like this:

`((".bashrc" ,(plain-file "bashrc" "echo Hello\n"))
  (".guile" ,(plain-file "guile"
                         "(use-modules (ice-9 readline))
                          (activate-readline)")))
issue (default: %default-issue)

A string denoting the contents of the /etc/issue file, which is displayed when users log in on a text console.

packages (default: %base-packages)

The set of packages installed in the global profile, which is accessible at /run/current-system/profile.

The default set includes core utilities and it is good practice to install non-core utilities in user profiles (see Invoking guix package).

timezone

A timezone identifying string—e.g., "Europe/Paris".

You can run the tzselect command to find out which timezone string corresponds to your region. Choosing an invalid timezone name causes guix system to fail.

locale (default: "en_US.utf8")

The name of the default locale (see Locale Names in The GNU C Library Reference Manual). See Locales, for more information.

locale-definitions (default: %default-locale-definitions)

The list of locale definitions to be compiled and that may be used at run time. See Locales.

locale-libcs (default: (list glibc))

The list of GNU libc packages whose locale data and tools are used to build the locale definitions. See Locales, for compatibility considerations that justify this option.

name-service-switch (default: %default-nss)

Configuration of the libc name service switch (NSS)—a <name-service-switch> object. See Name Service Switch, for details.

services (default: %base-services)

A list of service objects denoting system services. See Services.

pam-services (default: (base-pam-services))

Linux pluggable authentication module (PAM) services.

setuid-programs (default: %setuid-programs)

List of string-valued G-expressions denoting setuid programs. See Setuid Programs.

sudoers-file (default: %sudoers-specification)

The contents of the /etc/sudoers file as a file-like object (see local-file and plain-file).

This file specifies which users can use the sudo command, what they are allowed to do, and what privileges they may gain. The default is that only root and members of the wheel group may use sudo.


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.3 File Systems

The list of file systems to be mounted is specified in the file-systems field of the operating system declaration (see Using the Configuration System). Each file system is declared using the file-system form, like this:

(file-system
  (mount-point "/home")
  (device "/dev/sda3")
  (type "ext4"))

As usual, some of the fields are mandatory—those shown in the example above—while others can be omitted. These are described below.

Data Type: file-system

Objects of this type represent file systems to be mounted. They contain the following members:

type

This is a string specifying the type of the file system—e.g., "ext4".

mount-point

This designates the place where the file system is to be mounted.

device

This names the “source” of the file system. It can be one of three things: a file system label, a file system UUID, or the name of a /dev node. Labels and UUIDs offer a way to refer to file systems without having to hard-code their actual device name22.

File system labels are created using the file-system-label procedure, UUIDs are created using uuid, and /dev node are plain strings. Here’s an example of a file system referred to by its label, as shown by the e2label command:

(file-system
  (mount-point "/home")
  (type "ext4")
  (device (file-system-label "my-home")))

UUIDs are converted from their string representation (as shown by the tune2fs -l command) using the uuid form23, like this:

(file-system
  (mount-point "/home")
  (type "ext4")
  (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")))

When the source of a file system is a mapped device (see Mapped Devices), its device field must refer to the mapped device name—e.g., "/dev/mapper/root-partition". This is required so that the system knows that mounting the file system depends on having the corresponding device mapping established.

flags (default: '())

This is a list of symbols denoting mount flags. Recognized flags include read-only, bind-mount, no-dev (disallow access to special files), no-suid (ignore setuid and setgid bits), and no-exec (disallow program execution.)

options (default: #f)

This is either #f, or a string denoting mount options.

mount? (default: #t)

This value indicates whether to automatically mount the file system when the system is brought up. When set to #f, the file system gets an entry in /etc/fstab (read by the mount command) but is not automatically mounted.

needed-for-boot? (default: #f)

This Boolean value indicates whether the file system is needed when booting. If that is true, then the file system is mounted when the initial RAM disk (initrd) is loaded. This is always the case, for instance, for the root file system.

check? (default: #t)

This Boolean indicates whether the file system needs to be checked for errors before being mounted.

create-mount-point? (default: #f)

When true, the mount point is created if it does not exist yet.

dependencies (default: '())

This is a list of <file-system> or <mapped-device> objects representing file systems that must be mounted or mapped devices that must be opened before (and unmounted or closed after) this one.

As an example, consider a hierarchy of mounts: /sys/fs/cgroup is a dependency of /sys/fs/cgroup/cpu and /sys/fs/cgroup/memory.

Another example is a file system that depends on a mapped device, for example for an encrypted partition (see Mapped Devices).

The (gnu system file-systems) exports the following useful variables.

Scheme Variable: %base-file-systems

These are essential file systems that are required on normal systems, such as %pseudo-terminal-file-system and %immutable-store (see below.) Operating system declarations should always contain at least these.

Scheme Variable: %pseudo-terminal-file-system

This is the file system to be mounted as /dev/pts. It supports pseudo-terminals created via openpty and similar functions (see Pseudo-Terminals in The GNU C Library Reference Manual). Pseudo-terminals are used by terminal emulators such as xterm.

Scheme Variable: %shared-memory-file-system

This file system is mounted as /dev/shm and is used to support memory sharing across processes (see shm_open in The GNU C Library Reference Manual).

Scheme Variable: %immutable-store

This file system performs a read-only “bind mount” of /gnu/store, making it read-only for all the users including root. This prevents against accidental modification by software running as root or by system administrators.

The daemon itself is still able to write to the store: it remounts it read-write in its own “name space.”

Scheme Variable: %binary-format-file-system

The binfmt_misc file system, which allows handling of arbitrary executable file types to be delegated to user space. This requires the binfmt.ko kernel module to be loaded.

Scheme Variable: %fuse-control-file-system

The fusectl file system, which allows unprivileged users to mount and unmount user-space FUSE file systems. This requires the fuse.ko kernel module to be loaded.


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.4 Mapped Devices

The Linux kernel has a notion of device mapping: a block device, such as a hard disk partition, can be mapped into another device, usually in /dev/mapper/, with additional processing over the data that flows through it24. A typical example is encryption device mapping: all writes to the mapped device are encrypted, and all reads are deciphered, transparently. Guix extends this notion by considering any device or set of devices that are transformed in some way to create a new device; for instance, RAID devices are obtained by assembling several other devices, such as hard disks or partitions, into a new one that behaves as one partition. Other examples, not yet implemented, are LVM logical volumes.

Mapped devices are declared using the mapped-device form, defined as follows; for examples, see below.

Data Type: mapped-device

Objects of this type represent device mappings that will be made when the system boots up.

source

This is either a string specifying the name of the block device to be mapped, such as "/dev/sda3", or a list of such strings when several devices need to be assembled for creating a new one.

target

This string specifies the name of the resulting mapped device. For kernel mappers such as encrypted devices of type luks-device-mapping, specifying "my-partition" leads to the creation of the "/dev/mapper/my-partition" device. For RAID devices of type raid-device-mapping, the full device name such as "/dev/md0" needs to be given.

type

This must be a mapped-device-kind object, which specifies how source is mapped to target.

Scheme Variable: luks-device-mapping

This defines LUKS block device encryption using the cryptsetup command from the package with the same name. It relies on the dm-crypt Linux kernel module.

Scheme Variable: raid-device-mapping

This defines a RAID device, which is assembled using the mdadm command from the package with the same name. It requires a Linux kernel module for the appropriate RAID level to be loaded, such as raid456 for RAID-4, RAID-5 or RAID-6, or raid10 for RAID-10.

The following example specifies a mapping from /dev/sda3 to /dev/mapper/home using LUKS—the Linux Unified Key Setup, a standard mechanism for disk encryption. The /dev/mapper/home device can then be used as the device of a file-system declaration (see File Systems).

(mapped-device
  (source "/dev/sda3")
  (target "home")
  (type luks-device-mapping))

Alternatively, to become independent of device numbering, one may obtain the LUKS UUID (unique identifier) of the source device by a command like:

cryptsetup luksUUID /dev/sda3

and use it as follows:

(mapped-device
  (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
  (target "home")
  (type luks-device-mapping))

It is also desirable to encrypt swap space, since swap space may contain sensitive data. One way to accomplish that is to use a swap file in a file system on a device mapped via LUKS encryption. In this way, the swap file is encrypted because the entire device is encrypted. See Disk Partitioning, for an example.

A RAID device formed of the partitions /dev/sda1 and /dev/sdb1 may be declared as follows:

(mapped-device
  (source (list "/dev/sda1" "/dev/sdb1"))
  (target "/dev/md0")
  (type raid-device-mapping))

The /dev/md0 device can then be used as the device of a file-system declaration (see File Systems). Note that the RAID level need not be given; it is chosen during the initial creation and formatting of the RAID device and is determined automatically later.


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.5 User Accounts

User accounts and groups are entirely managed through the operating-system declaration. They are specified with the user-account and user-group forms:

(user-account
  (name "alice")
  (group "users")
  (supplementary-groups '("wheel"   ;allow use of sudo, etc.
                          "audio"   ;sound card
                          "video"   ;video devices such as webcams
                          "cdrom")) ;the good ol' CD-ROM
  (comment "Bob's sister")
  (home-directory "/home/alice"))

When booting or upon completion of guix system reconfigure, the system ensures that only the user accounts and groups specified in the operating-system declaration exist, and with the specified properties. Thus, account or group creations or modifications made by directly invoking commands such as useradd are lost upon reconfiguration or reboot. This ensures that the system remains exactly as declared.

Data Type: user-account

Objects of this type represent user accounts. The following members may be specified:

name

The name of the user account.

group

This is the name (a string) or identifier (a number) of the user group this account belongs to.

supplementary-groups (default: '())

Optionally, this can be defined as a list of group names that this account belongs to.

uid (default: #f)

This is the user ID for this account (a number), or #f. In the latter case, a number is automatically chosen by the system when the account is created.

comment (default: "")

A comment about the account, such as the account owner’s full name.

home-directory

This is the name of the home directory for the account.

create-home-directory? (default: #t)

Indicates whether the home directory of this account should be created if it does not exist yet.

shell (default: Bash)

This is a G-expression denoting the file name of a program to be used as the shell (see G-Expressions).

system? (default: #f)

This Boolean value indicates whether the account is a “system” account. System accounts are sometimes treated specially; for instance, graphical login managers do not list them.

password (default: #f)

You would normally leave this field to #f, initialize user passwords as root with the passwd command, and then let users change it with passwd. Passwords set with passwd are of course preserved across reboot and reconfiguration.

If you do want to have a preset password for an account, then this field must contain the encrypted password, as a string. See crypt in The GNU C Library Reference Manual, for more information on password encryption, and Encryption in GNU Guile Reference Manual, for information on Guile’s crypt procedure.

User group declarations are even simpler:

(user-group (name "students"))
Data Type: user-group

This type is for, well, user groups. There are just a few fields:

name

The name of the group.

id (default: #f)

The group identifier (a number). If #f, a new number is automatically allocated when the group is created.

system? (default: #f)

This Boolean value indicates whether the group is a “system” group. System groups have low numerical IDs.

password (default: #f)

What, user groups can have a password? Well, apparently yes. Unless #f, this field specifies the password of the group.

For convenience, a variable lists all the basic user groups one may expect:

Scheme Variable: %base-groups

This is the list of basic user groups that users and/or packages expect to be present on the system. This includes groups such as “root”, “wheel”, and “users”, as well as groups used to control access to specific devices such as “audio”, “disk”, and “cdrom”.

Scheme Variable: %base-user-accounts

This is the list of basic system accounts that programs may expect to find on a GNU/Linux system, such as the “nobody” account.

Note that the “root” account is not included here. It is a special-case and is automatically added whether or not it is specified.


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.6 Locales

A locale defines cultural conventions for a particular language and region of the world (see Locales in The GNU C Library Reference Manual). Each locale has a name that typically has the form language_territory.codeset—e.g., fr_LU.utf8 designates the locale for the French language, with cultural conventions from Luxembourg, and using the UTF-8 encoding.

Usually, you will want to specify the default locale for the machine using the locale field of the operating-system declaration (see locale).

The selected locale is automatically added to the locale definitions known to the system if needed, with its codeset inferred from its name—e.g., bo_CN.utf8 will be assumed to use the UTF-8 codeset. Additional locale definitions can be specified in the locale-definitions slot of operating-system—this is useful, for instance, if the codeset could not be inferred from the locale name. The default set of locale definitions includes some widely used locales, but not all the available locales, in order to save space.

For instance, to add the North Frisian locale for Germany, the value of that field may be:

(cons (locale-definition
        (name "fy_DE.utf8") (source "fy_DE"))
      %default-locale-definitions)

Likewise, to save space, one might want locale-definitions to list only the locales that are actually used, as in:

(list (locale-definition
        (name "ja_JP.eucjp") (source "ja_JP")
        (charset "EUC-JP")))

The compiled locale definitions are available at /run/current-system/locale/X.Y, where X.Y is the libc version, which is the default location where the GNU libc provided by Guix looks for locale data. This can be overridden using the LOCPATH environment variable (see LOCPATH and locale packages).

The locale-definition form is provided by the (gnu system locale) module. Details are given below.

Data Type: locale-definition

This is the data type of a locale definition.

name

The name of the locale. See Locale Names in The GNU C Library Reference Manual, for more information on locale names.

source

The name of the source for that locale. This is typically the language_territory part of the locale name.

charset (default: "UTF-8")

The “character set” or “code set” for that locale, as defined by IANA.

Scheme Variable: %default-locale-definitions

A list of commonly used UTF-8 locales, used as the default value of the locale-definitions field of operating-system declarations.

These locale definitions use the normalized codeset for the part that follows the dot in the name (see normalized codeset in The GNU C Library Reference Manual). So for instance it has uk_UA.utf8 but not, say, uk_UA.UTF-8.

6.2.6.1 Locale Data Compatibility Considerations

operating-system declarations provide a locale-libcs field to specify the GNU libc packages that are used to compile locale declarations (see operating-system Reference). “Why would I care?”, you may ask. Well, it turns out that the binary format of locale data is occasionally incompatible from one libc version to another.

For instance, a program linked against libc version 2.21 is unable to read locale data produced with libc 2.22; worse, that program aborts instead of simply ignoring the incompatible locale data25. Similarly, a program linked against libc 2.22 can read most, but not all, of the locale data from libc 2.21 (specifically, LC_COLLATE data is incompatible); thus calls to setlocale may fail, but programs will not abort.

The “problem” in GuixSD is that users have a lot of freedom: They can choose whether and when to upgrade software in their profiles, and might be using a libc version different from the one the system administrator used to build the system-wide locale data.

Fortunately, unprivileged users can also install their own locale data and define GUIX_LOCPATH accordingly (see GUIX_LOCPATH and locale packages).

Still, it is best if the system-wide locale data at /run/current-system/locale is built for all the libc versions actually in use on the system, so that all the programs can access it—this is especially crucial on a multi-user system. To do that, the administrator can specify several libc packages in the locale-libcs field of operating-system:

(use-package-modules base)

(operating-system
  ;; …
  (locale-libcs (list glibc-2.21 (canonical-package glibc))))

This example would lead to a system containing locale definitions for both libc 2.21 and the current version of libc in /run/current-system/locale.


Next: , Previous: , Up: System Configuration   [Contents][Index]

6.2.7 Services

An important part of preparing an operating-system declaration is listing system services and their configuration (see Using the Configuration System). System services are typically daemons launched when the system boots, or other actions needed at that time—e.g., configuring network access.

GuixSD has a broad definition of “service” (see Service Composition), but many services are managed by the GNU Shepherd (see Shepherd Services). On a running system, the herd command allows you to list the available services, show their status, start and stop them, or do other specific operations (see Jump Start in The GNU Shepherd Manual). For example:

# herd status

The above command, run as root, lists the currently defined services. The herd doc command shows a synopsis of the given service:

# herd doc nscd
Run libc's name service cache daemon (nscd).

The start, stop, and restart sub-commands have the effect you would expect. For instance, the commands below stop the nscd service and restart the Xorg display server:

# herd stop nscd
Service nscd has been stopped.
# herd restart xorg-server
Service xorg-server has been stopped.
Service xorg-server has been started.

The following sections document the available services, starting with the core services, that may be used in an operating-system declaration.


Next: , Up: Services   [Contents][Index]

6.2.7.1 Base Services

The (gnu services base) module provides definitions for the basic services that one expects from the system. The services exported by this module are listed below.

Scheme Variable: %base-services

This variable contains a list of basic services (see Service Types and Services, for more information on service objects) one would expect from the system: a login service (mingetty) on each tty, syslogd, the libc name service cache daemon (nscd), the udev device manager, and more.

This is the default value of the services field of operating-system declarations. Usually, when customizing a system, you will want to append services to %base-services, like this:

(cons* (avahi-service) (lsh-service) %base-services)
Scheme Variable: special-files-service-type

This is the service that sets up “special files” such as /bin/sh; an instance of it is part of %base-services.

The value associated with special-files-service-type services must be a list of tuples where the first element is the “special file” and the second element is its target. By default it is:

`(("/bin/sh" ,(file-append bash "/bin/sh")))

If you want to add, say, /usr/bin/env to your system, you can change it to:

`(("/bin/sh" ,(file-append bash "/bin/sh"))
  ("/usr/bin/env" ,(file-append coreutils "/bin/env")))

Since this is part of %base-services, you can use modify-services to customize the set of special files (see modify-services). But the simple way to add a special file is via the extra-special-file procedure (see below.)

Scheme Procedure: extra-special-file file target

Use target as the “special file” file.

For example, adding the following lines to the services field of your operating system declaration leads to a /usr/bin/env symlink:

(extra-special-file "/usr/bin/env"
                    (file-append coreutils "/bin/env"))
Scheme Procedure: host-name-service name

Return a service that sets the host name to name.

Scheme Procedure: login-service config

Return a service to run login according to config, a <login-configuration> object, which specifies the message of the day, among other things.

Data Type: login-configuration

This is the data type representing the configuration of login.

motd

A file-like object containing the “message of the day”.

allow-empty-passwords? (default: #t)

Allow empty passwords by default so that first-time users can log in when the ’root’ account has just been created.

Scheme Procedure: mingetty-service config

Return a service to run mingetty according to config, a <mingetty-configuration> object, which specifies the tty to run, among other things.

Data Type: mingetty-configuration

This is the data type representing the configuration of Mingetty, which provides the default implementation of virtual console log-in.

tty

The name of the console this Mingetty runs on—e.g., "tty1".

auto-login (default: #f)

When true, this field must be a string denoting the user name under which the system automatically logs in. When it is #f, a user name and password must be entered to log in.

login-program (default: #f)

This must be either #f, in which case the default log-in program is used (login from the Shadow tool suite), or a gexp denoting the name of the log-in program.

login-pause? (default: #f)

When set to #t in conjunction with auto-login, the user will have to press a key before the log-in shell is launched.

mingetty (default: mingetty)

The Mingetty package to use.

Scheme Procedure: agetty-service config

Return a service to run agetty according to config, an <agetty-configuration> object, which specifies the tty to run, among other things.

Data Type: agetty-configuration

This is the data type representing the configuration of agetty, which implements virtual and serial console log-in. See the agetty(8) man page for more information.

tty

The name of the console this agetty runs on, as a string—e.g., "ttyS0". This argument is optional, it will default to a reasonable default serial port used by the kernel Linux.

For this, if there is a value for an option agetty.tty in the kernel command line, agetty will extract the device name of the serial port from it and use that.

If not and if there is a value for an option console with a tty in the Linux command line, agetty will extract the device name of the serial port from it and use that.

In both cases, agetty will leave the other serial device settings (baud rate etc.) alone—in the hope that Linux pinned them to the correct values.

baud-rate (default: #f)

A string containing a comma-separated list of one or more baud rates, in descending order.

term (default: #f)

A string containing the value used for the TERM environment variable.

eight-bits? (default: #f)

When #t, the tty is assumed to be 8-bit clean, and parity detection is disabled.

auto-login (default: #f)

When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password.

no-reset? (default: #f)

When #t, don’t reset terminal cflags (control modes).

host (default: #f)

This accepts a string containing the "login_host", which will be written into the /var/run/utmpx file.

remote? (default: #f)

When set to #t in conjunction with host, this will add an -r fakehost option to the command line of the login program specified in login-program.

flow-control? (default: #f)

When set to #t, enable hardware (RTS/CTS) flow control.

no-issue? (default: #f)

When set to #t, the contents of the /etc/issue file will not be displayed before presenting the login prompt.

init-string (default: #f)

This accepts a string that will be sent to the tty or modem before sending anything else. It can be used to initialize a modem.

no-clear? (default: #f)

When set to #t, agetty will not clear the screen before showing the login prompt.

login-program (default: (file-append shadow "/bin/login"))

This must be either a gexp denoting the name of a log-in program, or unset, in which case the default value is the login from the Shadow tool suite.

local-line (default: #f)

Control the CLOCAL line flag. This accepts one of three symbols as arguments, 'auto, 'always, or 'never. If #f, the default value chosen by agetty is 'auto.

extract-baud? (default: #f)

When set to #t, instruct agetty to try to extract the baud rate from the status messages produced by certain types of modems.

skip-login? (default: #f)

When set to #t, do not prompt the user for a login name. This can be used with login-program field to use non-standard login systems.

no-newline? (default: #f)

When set to #t, do not print a newline before printing the /etc/issue file.

login-options (default: #f)

This option accepts a string containing options that are passed to the login program. When used with the login-program, be aware that a malicious user could try to enter a login name containing embedded options that could be parsed by the login program.

login-pause (default: #f)

When set to #t, wait for any key before showing the login prompt. This can be used in conjunction with auto-login to save memory by lazily spawning shells.

chroot (default: #f)

Change root to the specified directory. This option accepts a directory path as a string.

hangup? (default: #f)

Use the Linux system call vhangup to do a virtual hangup of the specified terminal.

keep-baud? (default: #f)

When set to #t, try to keep the existing baud rate. The baud rates from baud-rate are used when agetty receives a BREAK character.

timeout (default: #f)

When set to an integer value, terminate if no user name could be read within timeout seconds.

detect-case? (default: #f)

When set to #t, turn on support for detecting an uppercase-only terminal. This setting will detect a login name containing only uppercase letters as indicating an uppercase-only terminal and turn on some upper-to-lower case conversions. Note that this will not support Unicode characters.

wait-cr? (default: #f)

When set to #t, wait for the user or modem to send a carriage-return or linefeed character before displaying /etc/issue or login prompt. This is typically used with the init-string option.

no-hints? (default: #f)

When set to #t, do not print hints about Num, Caps, and Scroll locks.

no-hostname? (default: #f)

By default, the hostname is printed. When this option is set to #t, no hostname will be shown at all.

long-hostname? (default: #f)

By default, the hostname is only printed until the first dot. When this option is set to #t, the fully qualified hostname by gethostname or getaddrinfo is shown.

erase-characters (default: #f)

This option accepts a string of additional characters that should be interpreted as backspace when the user types their login name.

kill-characters (default: #f)

This option accepts a string that should be interpreted to mean "ignore all previous characters" (also called a "kill" character) when the types their login name.

chdir (default: #f)

This option accepts, as a string, a directory path that will be changed to before login.

delay (default: #f)

This options accepts, as an integer, the number of seconds to sleep before opening the tty and displaying the login prompt.

nice (default: #f)

This option accepts, as an integer, the nice value with which to run the login program.

extra-options (default: '())

This option provides an "escape hatch" for the user to provide arbitrary command-line arguments to agetty as a list of strings.

Scheme Procedure: kmscon-service-type config

Return a service to run kmscon according to config, a <kmscon-configuration> object, which specifies the tty to run, among other things.

Data Type: kmscon-configuration

This is the data type representing the configuration of Kmscon, which implements virtual console log-in.

virtual-terminal

The name of the console this Kmscon runs on—e.g., "tty1".

login-program (default: #~(string-append #$shadow "/bin/login"))

A gexp denoting the name of the log-in program. The default log-in program is login from the Shadow tool suite.

login-arguments (default: '("-p"))

A list of arguments to pass to login.

hardware-acceleration? (default: #f)

Whether to use hardware acceleration.

kmscon (default: kmscon)

The Kmscon package to use.

Scheme Procedure: nscd-service [config] [#:glibc glibc] [#:name-services '()]

Return a service that runs the libc name service cache daemon (nscd) with the given config—an <nscd-configuration> object. See Name Service Switch, for an example.

Scheme Variable: %nscd-default-configuration

This is the default <nscd-configuration> value (see below) used by nscd-service. It uses the caches defined by %nscd-default-caches; see below.

Data Type: nscd-configuration

This is the data type representing the name service cache daemon (nscd) configuration.

name-services (default: '())

List of packages denoting name services that must be visible to the nscd—e.g., (list nss-mdns).

glibc (default: glibc)

Package object denoting the GNU C Library providing the nscd command.

log-file (default: "/var/log/nscd.log")

Name of the nscd log file. This is where debugging output goes when debug-level is strictly positive.

debug-level (default: 0)

Integer denoting the debugging levels. Higher numbers mean that more debugging output is logged.

caches (default: %nscd-default-caches)

List of <nscd-cache> objects denoting things to be cached; see below.

Data Type: nscd-cache

Data type representing a cache database of nscd and its parameters.

database

This is a symbol representing the name of the database to be cached. Valid values are passwd, group, hosts, and services, which designate the corresponding NSS database (see NSS Basics in The GNU C Library Reference Manual).

positive-time-to-live
negative-time-to-live (default: 20)

A number representing the number of seconds during which a positive or negative lookup result remains in cache.

check-files? (default: #t)

Whether to check for updates of the files corresponding to database.

For instance, when database is hosts, setting this flag instructs nscd to check for updates in /etc/hosts and to take them into account.

persistent? (default: #t)

Whether the cache should be stored persistently on disk.

shared? (default: #t)

Whether the cache should be shared among users.

max-database-size (default: 32 MiB)

Maximum size in bytes of the database cache.

Scheme Variable: %nscd-default-caches

List of <nscd-cache> objects used by default by nscd-configuration (see above).

It enables persistent and aggressive caching of service and host name lookups. The latter provides better host name lookup performance, resilience in the face of unreliable name servers, and also better privacy—often the result of host name lookups is in local cache, so external name servers do not even need to be queried.

Data Type: syslog-configuration

This data type represents the configuration of the syslog daemon.

syslogd (default: #~(string-append #$inetutils "/libexec/syslogd"))

The syslog daemon to use.

config-file (default: %default-syslog.conf)

The syslog configuration file to use.

Scheme Procedure: syslog-service config

Return a service that runs a syslog daemon according to config.

See syslogd invocation in GNU Inetutils, for more information on the configuration file syntax.

Data Type: guix-configuration

This data type represents the configuration of the Guix build daemon. See Invoking guix-daemon, for more information.

guix (default: guix)

The Guix package to use.

build-group (default: "guixbuild")

Name of the group for build user accounts.

build-accounts (default: 10)

Number of build user accounts to create.

authorize-key? (default: #t)

Whether to authorize the substitute keys listed in authorized-keys—by default that of hydra.gnu.org (see Substitutes).

authorized-keys (default: %default-authorized-guix-keys)

The list of authorized key files for archive imports, as a list of string-valued gexps (see Invoking guix archive). By default, it contains that of hydra.gnu.org (see Substitutes).

use-substitutes? (default: #t)

Whether to use substitutes.

substitute-urls (default: %default-substitute-urls)

The list of URLs where to look for substitutes by default.

max-silent-time (default: 0)
timeout (default: 0)

The number of seconds of silence and the number of seconds of activity, respectively, after which a build process times out. A value of zero disables the timeout.

log-compression (default: 'bzip2)

The type of compression used for build logs—one of gzip, bzip2, or none.

extra-options (default: '())

List of extra command-line options for guix-daemon.

log-file (default: "/var/log/guix-daemon.log")

File where guix-daemon’s standard output and standard error are written.

http-proxy (default: #f)

The HTTP proxy used for downloading fixed-output derivations and substitutes.

tmpdir (default: #f)

A directory path where the guix-daemon will perform builds.

Scheme Procedure: guix-service config

Return a service that runs the Guix build daemon according to config.

Scheme Procedure: udev-service [#:udev eudev #:rules '()]

Run udev, which populates the /dev directory dynamically. udev rules can be provided as a list of files through the rules variable. The procedures udev-rule and file->udev-rule from (gnu services base) simplify the creation of such rule files.

Scheme Procedure: udev-rule [file-name contents]

Return a udev-rule file named file-name containing the rules defined by the contents literal.

In the following example, a rule for a USB device is defined to be stored in the file 90-usb-thing.rules. The rule runs a script upon detecting a USB device with a given product identifier.

(define %example-udev-rule
  (udev-rule
    "90-usb-thing.rules"
    (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
                   "ATTR{product}==\"Example\", "
                   "RUN+=\"/path/to/script\"")))

Here we show how the default udev-service can be extended with it.

(operating-system
 ;; …
 (services
 (modify-services %desktop-services
   (udev-service-type config =>
     (udev-configuration (inherit config)
      (rules (append (udev-configuration-rules config)
                     (list %example-udev-rule))))))))
Scheme Procedure: file->udev-rule [file-name file]

Return a udev file named file-name containing the rules defined within file, a file-like object.

The following example showcases how we can use an existing rule file.

(use-modules (guix download)     ;for url-fetch
             (guix packages)     ;for origin
             ;; …)

(define %android-udev-rules
  (file->udev-rule
    "51-android-udev.rules"
    (let ((version "20170910"))
      (origin
       (method url-fetch)
       (uri (string-append "https://raw.githubusercontent.com/M0Rf30/"
                           "android-udev-rules/" version "/51-android.rules"))
       (sha256
        (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))

Additionally, Guix package definitions can be included in rules in order to extend the udev rules with the definitions found under their lib/udev/rules.d sub-directory. In lieu of the previous file->udev-rule example, we could have used the android-udev-rules package which exists in Guix in the (gnu packages android) module.

The following example shows how to use the android-udev-rules package so that the Android tool adb can detect devices without root privileges. It also details how to create the adbusers group, which is required for the proper functioning of the rules defined within the android-udev-rules package. To create such a group, we must define it both as part of the supplementary-groups of our user-account declaration, as well as in the groups field of the operating-system record.

(use-modules (gnu packages android)  ;for android-udev-rules
             (gnu system shadow)     ;for user-group
             ;; …)

(operating-system
  ;; …
  (users (cons (user-acount
                ;; …
                (supplementary-groups
                 '("adbusers"   ;for adb
                   "wheel" "netdev" "audio" "video"))
                ;; …)))

  (groups (cons (user-group (system? #t) (name "adbusers"))
                %base-groups))

  ;; …

  (services
    (modify-services %desktop-services
      (udev-service-type config =>
       (udev-configuration (inherit config)
       (rules (cons* android-udev-rules
              (udev-configuration-rules config))))))))
Scheme Variable: urandom-seed-service-type

Save some entropy in %random-seed-file to seed /dev/urandom when rebooting. It also tries to seed /dev/urandom from /dev/hwrng while booting, if /dev/hwrng exists and is readable.

Scheme Variable: %random-seed-file

This is the name of the file where some random bytes are saved by urandom-seed-service to seed /dev/urandom when rebooting. It defaults to /var/lib/random-seed.

Scheme Procedure: console-keymap-service files ...

Return a service to load console keymaps from files using loadkeys command. Most likely, you want to load some default keymap, which can be done like this:

(console-keymap-service "dvorak")

Or, for example, for a Swedish keyboard, you may need to combine the following keymaps:

(console-keymap-service "se-lat6" "se-fi-lat6")

Also you can specify a full file name (or file names) of your keymap(s). See man loadkeys for details.

Scheme Variable: gpm-service-type

This is the type of the service that runs GPM, the general-purpose mouse daemon, which provides mouse support to the Linux console. GPM allows users to use the mouse in the console, notably to select, copy, and paste text.

The value for services of this type must be a gpm-configuration (see below). This service is not part of %base-services.

Data Type: gpm-configuration

Data type representing the configuration of GPM.

options (default: %default-gpm-options)

Command-line options passed to gpm. The default set of options instruct gpm to listen to mouse events on /dev/input/mice. See Command Line in gpm manual, for more information.

gpm (default: gpm)

The GPM package to use.

Scheme Variable: guix-publish-service-type

This is the service type for guix publish (see Invoking guix publish). Its value must be a guix-configuration object, as described below.

This assumes that /etc/guix already contains a signing key pair as created by guix archive --generate-key (see Invoking guix archive). If that is not the case, the service will fail to start.

Data Type: guix-publish-configuration

Data type representing the configuration of the guix publish service.

guix (default: guix)

The Guix package to use.

port (default: 80)

The TCP port to listen for connections.

host (default: "localhost")

The host (and thus, network interface) to listen to. Use "0.0.0.0" to listen on all the network interfaces.

compression-level (default: 3)

The gzip compression level at which substitutes are compressed. Use 0 to disable compression altogether, and 9 to get the best compression ratio at the expense of increased CPU usage.

nar-path (default: "nar")

The URL path at which “nars” can be fetched. See --nar-path, for details.

cache (default: #f)

When it is #f, disable caching and instead generate archives on demand. Otherwise, this should be the name of a directory—e.g., "/var/cache/guix/publish"—where guix publish caches archives and meta-data ready to be sent. See --cache, for more information on the tradeoffs involved.

workers (default: #f)

When it is an integer, this is the number of worker threads used for caching; when #f, the number of processors is used. See --workers, for more information.

ttl (default: #f)

When it is an integer, this denotes the time-to-live in seconds of the published archives. See --ttl, for more information.

Scheme Procedure: rngd-service [#:rng-tools rng-tools] [#:device "/dev/hwrng"]

Return a service that runs the rngd program from rng-tools to add device to the kernel’s entropy pool. The service will fail if device does not exist.

Scheme Procedure: pam-limits-service [#:limits '()]

Return a service that installs a configuration file for the pam_limits module. The procedure optionally takes a list of pam-limits-entry values, which can be used to specify ulimit limits and nice priority limits to user sessions.

The following limits definition sets two hard and soft limits for all login sessions of users in the realtime group:

(pam-limits-service
 (list
  (pam-limits-entry "@realtime" 'both 'rtprio 99)
  (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))

The first entry increases the maximum realtime priority for non-privileged processes; the second entry lifts any restriction of the maximum address space that can be locked in memory. These settings are commonly used for real-time audio systems.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.2 Scheduled Job Execution

The (gnu services mcron) module provides an interface to GNU mcron, a daemon to run jobs at scheduled times (see GNU mcron). GNU mcron is similar to the traditional Unix cron daemon; the main difference is that it is implemented in Guile Scheme, which provides a lot of flexibility when specifying the scheduling of jobs and their actions.

The example below defines an operating system that runs the updatedb (see Invoking updatedb in Finding Files) and the guix gc commands (see Invoking guix gc) daily, as well as the mkid command on behalf of an unprivileged user (see mkid invocation in ID Database Utilities). It uses gexps to introduce job definitions that are passed to mcron (see G-Expressions).

(use-modules (guix) (gnu) (gnu services mcron))
(use-package-modules base idutils)

(define updatedb-job
  ;; Run 'updatedb' at 3AM every day.  Here we write the
  ;; job's action as a Scheme procedure.
  #~(job '(next-hour '(3))
         (lambda ()
           (execl (string-append #$findutils "/bin/updatedb")
                  "updatedb"
                  "--prunepaths=/tmp /var/tmp /gnu/store"))))

(define garbage-collector-job
  ;; Collect garbage 5 minutes after midnight every day.
  ;; The job's action is a shell command.
  #~(job "5 0 * * *"            ;Vixie cron syntax
         "guix gc -F 1G"))

(define idutils-job
  ;; Update the index database as user "charlie" at 12:15PM
  ;; and 19:15PM.  This runs from the user's home directory.
  #~(job '(next-minute-from (next-hour '(12 19)) '(15))
         (string-append #$idutils "/bin/mkid src")
         #:user "charlie"))

(operating-system
  ;; …
  (services (cons (mcron-service (list garbage-collector-job
                                       updatedb-job
                                       idutils-job))
                  %base-services)))

See mcron job specifications in GNU mcron, for more information on mcron job specifications. Below is the reference of the mcron service.

Scheme Procedure: mcron-service jobs [#:mcron mcron]

Return an mcron service running mcron that schedules jobs, a list of gexps denoting mcron job specifications.

This is a shorthand for:

(service mcron-service-type
         (mcron-configuration (mcron mcron) (jobs jobs)))
Scheme Variable: mcron-service-type

This is the type of the mcron service, whose value is an mcron-configuration object.

This service type can be the target of a service extension that provides it additional job specifications (see Service Composition). In other words, it is possible to define services that provide additional mcron jobs to run.

Data Type: mcron-configuration

Data type representing the configuration of mcron.

mcron (default: mcron)

The mcron package to use.

jobs

This is a list of gexps (see G-Expressions), where each gexp corresponds to an mcron job specification (see mcron job specifications in GNU mcron).


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.3 Log Rotation

Log files such as those found in /var/log tend to grow endlessly, so it’s a good idea to rotate them once in a while—i.e., archive their contents in separate files, possibly compressed. The (gnu services admin) module provides an interface to GNU Rot[t]log, a log rotation tool (see GNU Rot[t]log Manual).

The example below defines an operating system that provides log rotation with the default settings, for commonly encountered log files.

(use-modules (guix) (gnu))
(use-service-modules admin mcron)
(use-package-modules base idutils)

(operating-system
  ;; …
  (services (cons (service rottlog-service-type)
                  %base-services)))
Scheme Variable: rottlog-service-type

This is the type of the Rottlog service, whose value is a rottlog-configuration object.

Other services can extend this one with new log-rotation objects (see below), thereby augmenting the set of files to be rotated.

This service type can define mcron jobs (see Scheduled Job Execution) to run the rottlog service.

Data Type: rottlog-configuration

Data type representing the configuration of rottlog.

rottlog (default: rottlog)

The Rottlog package to use.

rc-file (default: (file-append rottlog "/etc/rc"))

The Rottlog configuration file to use (see Mandatory RC Variables in GNU Rot[t]log Manual).

rotations (default: %default-rotations)

A list of log-rotation objects as defined below.

jobs

This is a list of gexps where each gexp corresponds to an mcron job specification (see Scheduled Job Execution).

Data Type: log-rotation

Data type representing the rotation of a group of log files.

Taking an example from the Rottlog manual (see Period Related File Examples in GNU Rot[t]log Manual), a log rotation might be defined like this:

(log-rotation
  (frequency 'daily)
  (files '("/var/log/apache/*"))
  (options '("storedir apache-archives"
             "rotate 6"
             "notifempty"
             "nocompress")))

The list of fields is as follows:

frequency (default: 'weekly)

The log rotation frequency, a symbol.

files

The list of files or file glob patterns to rotate.

options (default: '())

The list of rottlog options for this rotation (see Configuration parameters in GNU Rot[t]lg Manual).

post-rotate (default: #f)

Either #f or a gexp to execute once the rotation has completed.

Scheme Variable: %default-rotations

Specifies weekly rotation of %rotated-files and a couple of other files.

Scheme Variable: %rotated-files

The list of syslog-controlled files to be rotated. By default it is: '("/var/log/messages" "/var/log/secure").


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.4 Networking Services

The (gnu services networking) module provides services to configure the network interface.

Scheme Procedure: dhcp-client-service [#:dhcp isc-dhcp]

Return a service that runs dhcp, a Dynamic Host Configuration Protocol (DHCP) client, on all the non-loopback network interfaces.

Scheme Procedure: dhcpd-service-type

This type defines a service that runs a DHCP daemon. To create a service of this type, you must supply a <dhcpd-configuration>. For example:

(service dhcpd-service-type
         (dhcpd-configuration
          (config-file (local-file "my-dhcpd.conf"))
          (interfaces '("enp0s25"))))
Data Type: dhcpd-configuration
package (default: isc-dhcp)

The package that provides the DHCP daemon. This package is expected to provide the daemon at sbin/dhcpd relative to its output directory. The default package is the ISC’s DHCP server.

config-file (default: #f)

The configuration file to use. This is required. It will be passed to dhcpd via its -cf option. This may be any “file-like” object (see file-like objects). See man dhcpd.conf for details on the configuration file syntax.

version (default: "4")

The DHCP version to use. The ISC DHCP server supports the values “4”, “6”, and “4o6”. These correspond to the dhcpd program options -4, -6, and -4o6. See man dhcpd for details.

run-directory (default: "/run/dhcpd")

The run directory to use. At service activation time, this directory will be created if it does not exist.

pid-file (default: "/run/dhcpd/dhcpd.pid")

The PID file to use. This corresponds to the -pf option of dhcpd. See man dhcpd for details.

interfaces (default: '())

The names of the network interfaces on which dhcpd should listen for broadcasts. If this list is not empty, then its elements (which must be strings) will be appended to the dhcpd invocation when starting the daemon. It may not be necessary to explicitly specify any interfaces here; see man dhcpd for details.

Scheme Variable: static-networking-service-type

This is the type for statically-configured network interfaces.

Scheme Procedure: static-networking-service interface ip [#:netmask #f] [#:gateway #f] [#:name-servers '()]

[#:requirement '(udev)] Return a service that starts interface with address ip. If netmask is true, use it as the network mask. If gateway is true, it must be a string specifying the default network gateway. requirement can be used to declare a dependency on another service before configuring the interface.

This procedure can be called several times, one for each network interface of interest. Behind the scenes what it does is extend static-networking-service-type with additional network interfaces to handle.

Scheme Procedure: wicd-service [#:wicd wicd]

Return a service that runs Wicd, a network management daemon that aims to simplify wired and wireless networking.

This service adds the wicd package to the global profile, providing several commands to interact with the daemon and configure networking: wicd-client, a graphical user interface, and the wicd-cli and wicd-curses user interfaces.

Scheme Variable: modem-manager-service-type

This is the service type for the ModemManager service. The value for this service type is a modem-manager-configuration record.

This service is part of %desktop-services (see Desktop Services).

Data Type: modem-manager-configuration

Data type representing the configuration of ModemManager.

modem-manager (default: modem-manager)

The ModemManager package to use.

Scheme Variable: network-manager-service-type

This is the service type for the NetworkManager service. The value for this service type is a network-manager-configuration record.

This service is part of %desktop-services (see Desktop Services).

Data Type: network-manager-configuration

Data type representing the configuration of NetworkManager.

network-manager (default: network-manager)

The NetworkManager package to use.

dns (default: "default")

Processing mode for DNS, which affects how NetworkManager uses the resolv.conf configuration file.

default

NetworkManager will update resolv.conf to reflect the nameservers provided by currently active connections.

dnsmasq

NetworkManager will run dnsmasq as a local caching nameserver, using a "split DNS" configuration if you are connected to a VPN, and then update resolv.conf to point to the local nameserver.

none

NetworkManager will not modify resolv.conf.

vpn-plugins (default: '())

This is the list of available plugins for virtual private networks (VPNs). An example of this is the network-manager-openvpn package, which allows NetworkManager to manage VPNs via OpenVPN.

Scheme Variable: connman-service-type

This is the service type to run Connman, a network connection manager.

Its value must be an connman-configuration record as in this example:

(service connman-service-type
         (connman-configuration
           (disable-vpn? #t)))

See below for details about connman-configuration.

Data Type: connman-configuration

Data Type representing the configuration of connman.

connman (default: connman)

The connman package to use.

disable-vpn? (default: #f)

When true, enable connman’s vpn plugin.

Scheme Variable: wpa-supplicant-service-type

This is the service type to run WPA supplicant, an authentication daemon required to authenticate against encrypted WiFi or ethernet networks. It is configured to listen for requests on D-Bus.

The value of this service is the wpa-supplicant package to use. Thus, it can be instantiated like this:

(use-modules (gnu services networking))

(service wpa-supplicant-service-type)
Scheme Procedure: ntp-service [#:ntp ntp] [#:servers %ntp-servers] [#:allow-large-adjustment? #f]

Return a service that runs the daemon from ntp, the Network Time Protocol package. The daemon will keep the system clock synchronized with that of servers. allow-large-adjustment? determines whether ntpd is allowed to make an initial adjustment of more than 1,000 seconds.

Scheme Variable: %ntp-servers

List of host names used as the default NTP servers.

Scheme Procedure: openntpd-service-type

Run the ntpd, the Network Time Protocol (NTP) daemon, as implemented by OpenNTPD. The daemon will keep the system clock synchronized with that of the given servers.

(service
 openntpd-service-type
 (openntpd-configuration
  (listen-on '("127.0.0.1" "::1"))
  (sensor '("udcf0 correction 70000"))
  (constraint-from '("www.gnu.org"))
  (constraints-from '("https://www.google.com/"))
  (allow-large-adjustment? #t)))

Data Type: openntpd-configuration
openntpd (default: (file-append openntpd "/sbin/ntpd"))

The openntpd executable to use.

listen-on (default: '("127.0.0.1" "::1"))

A list of local IP addresses or hostnames the ntpd daemon should listen on.

query-from (default: '())

A list of local IP address the ntpd daemon should use for outgoing queries.

sensor (default: '())

Specify a list of timedelta sensor devices ntpd should use. ntpd will listen to each sensor that acutally exists and ignore non-existant ones. See upstream documentation for more information.

server (default: %ntp-servers)

Specify a list of IP addresses or hostnames of NTP servers to synchronize to.

servers (default: '())

Specify a list of IP addresses or hostnames of NTP pools to synchronize to.

constraint-from (default: '())

ntpd can be configured to query the ‘Date’ from trusted HTTPS servers via TLS. This time information is not used for precision but acts as an authenticated constraint, thereby reducing the impact of unauthenticated NTP man-in-the-middle attacks. Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide a constraint.

constraints-from (default: '())

As with constraint from, specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide a constraint. Should the hostname resolve to multiple IP addresses, ntpd will calculate a median constraint from all of them.

allow-large-adjustment? (default: #f)

Determines if ntpd is allowed to make an initial adjustment of more than 180 seconds.

Scheme variable: inetd-service-type

This service runs the inetd (see inetd invocation in GNU Inetutils) daemon. inetd listens for connections on internet sockets, and lazily starts the specified server program when a connection is made on one of these sockets.

The value of this service is an inetd-configuration object. The following example configures the inetd daemon to provide the built-in echo service, as well as an smtp service which forwards smtp traffic over ssh to a server smtp-server behind a gateway hostname:

(service
 inetd-service-type
 (inetd-configuration
  (entries (list
            (inetd-entry
             (name "echo")
             (socket-type 'stream)
             (protocol "tcp")
             (wait? #f)
             (user "root"))
            (inetd-entry
             (node "127.0.0.1")
             (name "smtp")
             (socket-type 'stream)
             (protocol "tcp")
             (wait? #f)
             (user "root")
             (program (file-append openssh "/bin/ssh"))
             (arguments
              '("ssh" "-qT" "-i" "/path/to/ssh_key"
                "-W" "smtp-server:25" "user@hostname")))))

See below for more details about inetd-configuration.

Data Type: inetd-configuration

Data type representing the configuration of inetd.

program (default: (file-append inetutils "/libexec/inetd"))

The inetd executable to use.

entries (default: '())

A list of inetd service entries. Each entry should be created by the inetd-entry constructor.

Data Type: inetd-entry

Data type representing an entry in the inetd configuration. Each entry corresponds to a socket where inetd will listen for requests.

node (default: #f)

Optional string, a comma-separated list of local addresses inetd should use when listening for this service. See Configuration file in GNU Inetutils for a complete description of all options.

name

A string, the name must correspond to an entry in /etc/services.

socket-type

One of 'stream, 'dgram, 'raw, 'rdm or 'seqpacket.

protocol

A string, must correspond to an entry in /etc/protocols.

wait? (default: #t)

Whether inetd should wait for the server to exit before listening to new service requests.

user

A string containing the user (and, optionally, group) name of the user as whom the server should run. The group name can be specified in a suffix, separated by a colon or period, i.e. "user", "user:group" or "user.group".

program (default: "internal")

The server program which will serve the requests, or "internal" if inetd should use a built-in service.

arguments (default: '())

A list strings or file-like objects, which are the server program’s arguments, starting with the zeroth argument, i.e. the name of the program itself. For inetd’s internal services, this entry must be '() or '("internal").

See Configuration file in GNU Inetutils for a more detailed discussion of each configuration field.

Scheme Procedure: tor-service [config-file] [#:tor tor]

Return a service to run the Tor anonymous networking daemon.

The daemon runs as the tor unprivileged user. It is passed config-file, a file-like object, with an additional User tor line and lines for hidden services added via tor-hidden-service. Run man tor for information about the configuration file.

Scheme Procedure: tor-hidden-service name mapping

Define a new Tor hidden service called name and implementing mapping. mapping is a list of port/host tuples, such as:

 '((22 "127.0.0.1:22")
   (80 "127.0.0.1:8080"))

In this example, port 22 of the hidden service is mapped to local port 22, and port 80 is mapped to local port 8080.

This creates a /var/lib/tor/hidden-services/name directory, where the hostname file contains the .onion host name for the hidden service.

See the Tor project’s documentation for more information.

The (gnu services rsync) module provides the following services:

You might want an rsync daemon if you have files that you want available so anyone (or just yourself) can download existing files or upload new files.

Scheme Variable: rsync-service-type

This is the type for the rsync rsync daemon, rsync-configuration record as in this example:

(service rsync-service-type)

See below for details about rsync-configuration.

Data Type: rsync-configuration

Data type representing the configuration for rsync-service.

package (default: rsync)

rsync package to use.

port-number (default: 873)

TCP port on which rsync listens for incoming connections. If port is less than 1024 rsync needs to be started as the root user and group.

pid-file (default: "/var/run/rsyncd/rsyncd.pid")

Name of the file where rsync writes its PID.

lock-file (default: "/var/run/rsyncd/rsyncd.lock")

Name of the file where rsync writes its lock file.

log-file (default: "/var/log/rsyncd.log")

Name of the file where rsync writes its log file.

use-chroot? (default: #t)

Whether to use chroot for rsync shared directory.

share-path (default: /srv/rsync)

Location of the rsync shared directory.

share-comment (default: "Rsync share")

Comment of the rsync shared directory.

read-only? (default: #f)

Read-write permissions to shared directory.

timeout (default: 300)

I/O timeout in seconds.

user (default: "root")

Owner of the rsync process.

group (default: "root")

Group of the rsync process.

uid (default: "rsyncd")

User name or user ID that file transfers to and from that module should take place as when the daemon was run as root.

gid (default: "rsyncd")

Group name or group ID that will be used when accessing the module.

Furthermore, (gnu services ssh) provides the following services.

Scheme Procedure: lsh-service [#:host-key "/etc/lsh/host-key"] [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] [#:allow-empty-passwords? #f] [#:root-login? #f] [#:syslog-output? #t] [#:x11-forwarding? #t] [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] [#:public-key-authentication? #t] [#:initialize? #t]

Run the lshd program from lsh to listen on port port-number. host-key must designate a file containing the host key, and readable only by root.

When daemonic? is true, lshd will detach from the controlling terminal and log its output to syslogd, unless one sets syslog-output? to false. Obviously, it also makes lsh-service depend on existence of syslogd service. When pid-file? is true, lshd writes its PID to the file called pid-file.

When initialize? is true, automatically create the seed and host key upon service activation if they do not exist yet. This may take long and require interaction.

When initialize? is false, it is up to the user to initialize the randomness generator (see lsh-make-seed in LSH Manual), and to create a key pair with the private key stored in file host-key (see lshd basics in LSH Manual).

When interfaces is empty, lshd listens for connections on all the network interfaces; otherwise, interfaces must be a list of host names or addresses.

allow-empty-passwords? specifies whether to accept log-ins with empty passwords, and root-login? specifies whether to accept log-ins as root.

The other options should be self-descriptive.

Scheme Variable: openssh-service-type

This is the type for the OpenSSH secure shell daemon, sshd. Its value must be an openssh-configuration record as in this example:

(service openssh-service-type
         (openssh-configuration
           (x11-forwarding? #t)
           (permit-root-login 'without-password)
           (authorized-keys
             `(("alice" ,(local-file "alice.pub"))
               ("bob" ,(local-file "bob.pub"))))))

See below for details about openssh-configuration.

This service can be extended with extra authorized keys, as in this example:

(service-extension openssh-service-type
                   (const `(("charlie"
                             ,(local-file "charlie.pub")))))
Data Type: openssh-configuration

This is the configuration record for OpenSSH’s sshd.

pid-file (default: "/var/run/sshd.pid")

Name of the file where sshd writes its PID.

port-number (default: 22)

TCP port on which sshd listens for incoming connections.

permit-root-login (default: #f)

This field determines whether and when to allow logins as root. If #f, root logins are disallowed; if #t, they are allowed. If it’s the symbol 'without-password, then root logins are permitted but not with password-based authentication.

allow-empty-passwords? (default: #f)

When true, users with empty passwords may log in. When false, they may not.

password-authentication? (default: #t)

When true, users may log in with their password. When false, they have other authentication methods.

public-key-authentication? (default: #t)

When true, users may log in using public key authentication. When false, users have to use other authentication method.

Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only by protocol version 2.

x11-forwarding? (default: #f)

When true, forwarding of X11 graphical client connections is enabled—in other words, ssh options -X and -Y will work.

challenge-response-authentication? (default: #f)

Specifies whether challenge response authentication is allowed (e.g. via PAM).

use-pam? (default: #t)

Enables the Pluggable Authentication Module interface. If set to #t, this will enable PAM authentication using challenge-response-authentication? and password-authentication?, in addition to PAM account and session module processing for all authentication types.

Because PAM challenge response authentication usually serves an equivalent role to password authentication, you should disable either challenge-response-authentication? or password-authentication?.

print-last-log? (default: #t)

Specifies whether sshd should print the date and time of the last user login when a user logs in interactively.

subsystems (default: '(("sftp" "internal-sftp")))

Configures external subsystems (e.g. file transfer daemon).

This is a list of two-element lists, each of which containing the subsystem name and a command (with optional arguments) to execute upon subsystem request.

The command internal-sftp implements an in-process SFTP server. Alternately, one can specify the sftp-server command:

(service openssh-service-type
         (openssh-configuration
          (subsystems
           `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
accepted-environment (default: '())

List of strings describing which environment variables may be exported.

Each string gets on its own line. See the AcceptEnv option in man sshd_config.

This example allows ssh-clients to export the COLORTERM variable. It is set by terminal emulators, which support colors. You can use it in your shell’s ressource file to enable colors for the prompt and commands if this variable is set.

(service openssh-service-type
         (openssh-configuration
           (accepted-environment '("COLORTERM"))))
authorized-keys (default: '())

This is the list of authorized keys. Each element of the list is a user name followed by one or more file-like objects that represent SSH public keys. For example:

(openssh-configuration
  (authorized-keys
    `(("rekado" ,(local-file "rekado.pub"))
      ("chris" ,(local-file "chris.pub"))
      ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))

registers the specified public keys for user accounts rekado, chris, and root.

Additional authorized keys can be specified via service-extension.

Note that this does not interfere with the use of ~/.ssh/authorized_keys.

Scheme Procedure: dropbear-service [config]

Run the Dropbear SSH daemon with the given config, a <dropbear-configuration> object.

For example, to specify a Dropbear service listening on port 1234, add this call to the operating system’s services field:

(dropbear-service (dropbear-configuration
                    (port-number 1234)))
Data Type: dropbear-configuration

This data type represents the configuration of a Dropbear SSH daemon.

dropbear (default: dropbear)

The Dropbear package to use.

port-number (default: 22)

The TCP port where the daemon waits for incoming connections.

syslog-output? (default: #t)

Whether to enable syslog output.

pid-file (default: "/var/run/dropbear.pid")

File name of the daemon’s PID file.

root-login? (default: #f)

Whether to allow root logins.

allow-empty-passwords? (default: #f)

Whether to allow empty passwords.

password-authentication? (default: #t)

Whether to enable password-based authentication.

Scheme Variable: %facebook-host-aliases

This variable contains a string for use in /etc/hosts (see Host Names in The GNU C Library Reference Manual). Each line contains a entry that maps a known server name of the Facebook on-line service—e.g., www.facebook.com—to the local host—127.0.0.1 or its IPv6 equivalent, ::1.

This variable is typically used in the hosts-file field of an operating-system declaration (see /etc/hosts):

(use-modules (gnu) (guix))

(operating-system
  (host-name "mymachine")
  ;; ...
  (hosts-file
    ;; Create a /etc/hosts file with aliases for "localhost"
    ;; and "mymachine", as well as for Facebook servers.
    (plain-file "hosts"
                (string-append (local-host-aliases host-name)
                               %facebook-host-aliases))))

This mechanism can prevent programs running locally, such as Web browsers, from accessing Facebook.

The (gnu services avahi) provides the following definition.

Scheme Procedure: avahi-service [#:avahi avahi] [#:host-name #f] [#:publish? #t] [#:ipv4? #t] [#:ipv6? #t] [#:wide-area? #f] [#:domains-to-browse '()] [#:debug? #f]

Return a service that runs avahi-daemon, a system-wide mDNS/DNS-SD responder that allows for service discovery and "zero-configuration" host name lookups (see http://avahi.org/), and extends the name service cache daemon (nscd) so that it can resolve .local host names using nss-mdns. Additionally, add the avahi package to the system profile so that commands such as avahi-browse are directly usable.

If host-name is different from #f, use that as the host name to publish for this machine; otherwise, use the machine’s actual host name.

When publish? is true, publishing of host names and services is allowed; in particular, avahi-daemon will publish the machine’s host name and IP address via mDNS on the local network.

When wide-area? is true, DNS-SD over unicast DNS is enabled.

Boolean values ipv4? and ipv6? determine whether to use IPv4/IPv6 sockets.

Scheme Variable: openvswitch-service-type

This is the type of the Open vSwitch service, whose value should be an openvswitch-configuration object.

Data Type: openvswitch-configuration

Data type representing the configuration of Open vSwitch, a multilayer virtual switch which is designed to enable massive network automation through programmatic extension.

package (default: openvswitch)

Package object of the Open vSwitch.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.5 X Window

Support for the X Window graphical display system—specifically Xorg—is provided by the (gnu services xorg) module. Note that there is no xorg-service procedure. Instead, the X server is started by the login manager, by default SLiM.

To use X11, you must install at least one window manager—for example the windowmaker or openbox packages—preferably by adding it to the packages field of your operating system definition (see system-wide packages).

Scheme Variable: slim-service-type

This is the type for the SLiM graphical login manager for X11.

SLiM looks for session types described by the .desktop files in /run/current-system/profile/share/xsessions and allows users to choose a session from the log-in screen using F1. Packages such as xfce, sawfish, and ratpoison provide .desktop files; adding them to the system-wide set of packages automatically makes them available at the log-in screen.

In addition, ~/.xsession files are honored. When available, ~/.xsession must be an executable that starts a window manager and/or other X clients.

Data Type: slim-configuration

Data type representing the configuration of slim-service-type.

allow-empty-passwords? (default: #t)

Whether to allow logins with empty passwords.

auto-login? (default: #f)
default-user (default: "")

When auto-login? is false, SLiM presents a log-in screen.

When auto-login? is true, SLiM logs in directly as default-user.

theme (default: %default-slim-theme)
theme-name (default: %default-slim-theme-name)

The graphical theme to use and its name.

auto-login-session (default: #f)

If true, this must be the name of the executable to start as the default session—e.g., (file-append windowmaker "/bin/windowmaker").

If false, a session described by one of the available .desktop files in /run/current-system/profile and ~/.guix-profile will be used.

Note: You must install at least one window manager in the system profile or in your user profile. Failing to do that, if auto-login-session is false, you will be unable to log in.

startx (default: (xorg-start-command))

The command used to start the X11 graphical server.

xauth (default: xauth)

The XAuth package to use.

shepherd (default: shepherd)

The Shepherd package used when invoking halt and reboot.

sessreg (default: sessreg)

The sessreg package used in order to register the session.

slim (default: slim)

The SLiM package to use.

Scheme Variable: %default-theme
Scheme Variable: %default-theme-name

The default SLiM theme and its name.

Data Type: sddm-configuration

This is the data type representing the sddm service configuration.

display-server (default: "x11")

Select display server to use for the greeter. Valid values are "x11" or "wayland".

numlock (default: "on")

Valid values are "on", "off" or "none".

halt-command (default #~(string-apppend #$shepherd "/sbin/halt"))

Command to run when halting.

reboot-command (default #~(string-append #$shepherd "/sbin/reboot"))

Command to run when rebooting.

theme (default "maldives")

Theme to use. Default themes provided by SDDM are "elarun" or "maldives".

themes-directory (default "/run/current-system/profile/share/sddm/themes")

Directory to look for themes.

faces-directory (default "/run/current-system/profile/share/sddm/faces")

Directory to look for faces.

default-path (default "/run/current-system/profile/bin")

Default PATH to use.

minimum-uid (default 1000)

Minimum UID to display in SDDM.

maximum-uid (default 2000)

Maximum UID to display in SDDM

remember-last-user? (default #t)

Remember last user.

remember-last-session? (default #t)

Remember last session.

hide-users (default "")

Usernames to hide from SDDM greeter.

hide-shells (default #~(string-append #$shadow "/sbin/nologin"))

Users with shells listed will be hidden from the SDDM greeter.

session-command (default #~(string-append #$sddm "/share/sddm/scripts/wayland-session"))

Script to run before starting a wayland session.

sessions-directory (default "/run/current-system/profile/share/wayland-sessions")

Directory to look for desktop files starting wayland sessions.

xorg-server-path (default xorg-start-command)

Path to xorg-server.

xauth-path (default #~(string-append #$xauth "/bin/xauth"))

Path to xauth.

xephyr-path (default #~(string-append #$xorg-server "/bin/Xephyr"))

Path to Xephyr.

xdisplay-start (default #~(string-append #$sddm "/share/sddm/scripts/Xsetup"))

Script to run after starting xorg-server.

xdisplay-stop (default #~(string-append #$sddm "/share/sddm/scripts/Xstop"))

Script to run before stopping xorg-server.

xsession-command (default: xinitrc)

Script to run before starting a X session.

xsessions-directory (default: "/run/current-system/profile/share/xsessions")

Directory to look for desktop files starting X sessions.

minimum-vt (default: 7)

Minimum VT to use.

xserver-arguments (default "-nolisten tcp")

Arguments to pass to xorg-server.

auto-login-user (default "")

User to use for auto-login.

auto-login-session (default "")

Desktop file to use for auto-login.

relogin? (default #f)

Relogin after logout.

Scheme Procedure: sddm-service config

Return a service that spawns the SDDM graphical login manager for config of type <sddm-configuration>.

  (sddm-service (sddm-configuration
                 (auto-login-user "Alice")
                 (auto-login-session "xfce.desktop")))
Scheme Procedure: xorg-start-command [#:guile] [#:modules %default-xorg-modules] [#:fonts %default-xorg-fonts] [#:configuration-file (xorg-configuration-file …)] [#:xorg-server xorg-server]

Return a startx script in which modules, a list of X module packages, and fonts, a list of X font directories, are available. See xorg-wrapper for more details on the arguments. The result should be used in place of startx.

Usually the X server is started by a login manager.

Scheme Procedure: xorg-configuration-file [#:modules %default-xorg-modules] [#:fonts %default-xorg-fonts] [#:drivers '()] [#:resolutions '()] [#:extra-config '()]

Return a configuration file for the Xorg server containing search paths for all the common drivers.

modules must be a list of module packages loaded by the Xorg server—e.g., xf86-video-vesa, xf86-input-keyboard, and so on. fonts must be a list of font directories to add to the server’s font path.

drivers must be either the empty list, in which case Xorg chooses a graphics driver automatically, or a list of driver names that will be tried in this order—e.g., ("modesetting" "vesa").

Likewise, when resolutions is the empty list, Xorg chooses an appropriate screen resolution; otherwise, it must be a list of resolutions—e.g., ((1024 768) (640 480)).

Last, extra-config is a list of strings or objects appended to the configuration file. It is used to pass extra text to be added verbatim to the configuration file.

This procedure is especially useful to configure a different keyboard layout than the default US keymap. For instance, to use the “bépo” keymap by default on the display manager:

(define bepo-evdev
  "Section \"InputClass\"
        Identifier \"evdev keyboard catchall\"
        Driver \"evdev\"
        MatchIsKeyboard \"on\"
        Option \"xkb_layout\" \"fr\"
        Option \"xkb_variant\" \"bepo\"
EndSection")

(operating-system
  ...
  (services
    (modify-services %desktop-services
      (slim-service-type config =>
        (slim-configuration
          (inherit config)
          (startx (xorg-start-command
                   #:configuration-file
                   (xorg-configuration-file
                     #:extra-config
                     (list bepo-evdev)))))))))

The MatchIsKeyboard line specifies that we only apply the configuration to keyboards. Without this line, other devices such as touchpad may not work correctly because they will be attached to the wrong driver. In this example, the user typically used setxkbmap fr bepo to set their favorite keymap once logged in. The first argument corresponds to the layout, while the second argument corresponds to the variant. The xkb_variant line can be omitted to select the default variant.

Scheme Procedure: screen-locker-service package [program]

Add package, a package for a screen locker or screen saver whose command is program, to the set of setuid programs and add a PAM entry for it. For example:

(screen-locker-service xlockmore "xlock")

makes the good ol’ XlockMore usable.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.6 Printing Services

The (gnu services cups) module provides a Guix service definition for the CUPS printing service. To add printer support to a GuixSD system, add a cups-service to the operating system definition:

Scheme Variable: cups-service-type

The service type for the CUPS print server. Its value should be a valid CUPS configuration (see below). To use the default settings, simply write:

(service cups-service-type)

The CUPS configuration controls the basic things about your CUPS installation: what interfaces it listens on, what to do if a print job fails, how much logging to do, and so on. To actually add a printer, you have to visit the http://localhost:631 URL, or use a tool such as GNOME’s printer configuration services. By default, configuring a CUPS service will generate a self-signed certificate if needed, for secure connections to the print server.

Suppose you want to enable the Web interface of CUPS and also add support for Epson printers via the escpr package and for HP printers via the hplip package. You can do that directly, like this (you need to use the (gnu packages cups) module):

(service cups-service-type
         (cups-configuration
           (web-interface? #t)
           (extensions
             (list cups-filters escpr hplip))))

The available configuration parameters follow. Each parameter definition is preceded by its type; for example, ‘string-list foo’ indicates that the foo parameter should be specified as a list of strings. There is also a way to specify the configuration as a string, if you have an old cupsd.conf file that you want to port over from some other system; see the end for more details.

Available cups-configuration fields are:

cups-configuration parameter: package cups

The CUPS package.

cups-configuration parameter: package-list extensions

Drivers and other extensions to the CUPS package.

cups-configuration parameter: files-configuration files-configuration

Configuration of where to write logs, what directories to use for print spools, and related privileged configuration parameters.

Available files-configuration fields are:

files-configuration parameter: log-location access-log

Defines the access log filename. Specifying a blank filename disables access log generation. The value stderr causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value syslog causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string %s, as in /var/log/cups/%s-access_log.

Defaults to ‘"/var/log/cups/access_log"’.

files-configuration parameter: file-name cache-dir

Where CUPS should cache data.

Defaults to ‘"/var/cache/cups"’.

files-configuration parameter: string config-file-perm

Specifies the permissions for all configuration files that the scheduler writes.

Note that the permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

Defaults to ‘"0640"’.

files-configuration parameter: log-location error-log

Defines the error log filename. Specifying a blank filename disables access log generation. The value stderr causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value syslog causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string %s, as in /var/log/cups/%s-error_log.

Defaults to ‘"/var/log/cups/error_log"’.

files-configuration parameter: string fatal-errors

Specifies which errors are fatal, causing the scheduler to exit. The kind strings are:

none

No errors are fatal.

all

All of the errors below are fatal.

browse

Browsing initialization errors are fatal, for example failed connections to the DNS-SD daemon.

config

Configuration file syntax errors are fatal.

listen

Listen or Port errors are fatal, except for IPv6 failures on the loopback or any addresses.

log

Log file creation or write errors are fatal.

permissions

Bad startup file permissions are fatal, for example shared TLS certificate and key files with world-read permissions.

Defaults to ‘"all -browse"’.

files-configuration parameter: boolean file-device?

Specifies whether the file pseudo-device can be used for new printer queues. The URI file:///dev/null is always allowed.

Defaults to ‘#f’.

files-configuration parameter: string group

Specifies the group name or ID that will be used when executing external programs.

Defaults to ‘"lp"’.

files-configuration parameter: string log-file-perm

Specifies the permissions for all log files that the scheduler writes.

Defaults to ‘"0644"’.

files-configuration parameter: log-location page-log

Defines the page log filename. Specifying a blank filename disables access log generation. The value stderr causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value syslog causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string %s, as in /var/log/cups/%s-page_log.

Defaults to ‘"/var/log/cups/page_log"’.

files-configuration parameter: string remote-root

Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. The default is remroot.

Defaults to ‘"remroot"’.

files-configuration parameter: file-name request-root

Specifies the directory that contains print jobs and other HTTP request data.

Defaults to ‘"/var/spool/cups"’.

files-configuration parameter: sandboxing sandboxing

Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler; either relaxed or strict. This directive is currently only used/supported on macOS.

Defaults to ‘strict’.

files-configuration parameter: file-name server-keychain

Specifies the location of TLS certificates and private keys. CUPS will look for public and private keys in this directory: a .crt files for PEM-encoded certificates and corresponding .key files for PEM-encoded private keys.

Defaults to ‘"/etc/cups/ssl"’.

files-configuration parameter: file-name server-root

Specifies the directory containing the server configuration files.

Defaults to ‘"/etc/cups"’.

files-configuration parameter: boolean sync-on-close?

Specifies whether the scheduler calls fsync(2) after writing configuration or state files.

Defaults to ‘#f’.

files-configuration parameter: space-separated-string-list system-group

Specifies the group(s) to use for @SYSTEM group authentication.

files-configuration parameter: file-name temp-dir

Specifies the directory where temporary files are stored.

Defaults to ‘"/var/spool/cups/tmp"’.

files-configuration parameter: string user

Specifies the user name or ID that is used when running external programs.

Defaults to ‘"lp"’.

cups-configuration parameter: access-log-level access-log-level

Specifies the logging level for the AccessLog file. The config level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated. The actions level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for config. The all level logs all requests.

Defaults to ‘actions’.

cups-configuration parameter: boolean auto-purge-jobs?

Specifies whether to purge job history data automatically when it is no longer required for quotas.

Defaults to ‘#f’.

cups-configuration parameter: browse-local-protocols browse-local-protocols

Specifies which protocols to use for local printer sharing.

Defaults to ‘dnssd’.

cups-configuration parameter: boolean browse-web-if?

Specifies whether the CUPS web interface is advertised.

Defaults to ‘#f’.

cups-configuration parameter: boolean browsing?

Specifies whether shared printers are advertised.

Defaults to ‘#f’.

cups-configuration parameter: string classification

Specifies the security classification of the server. Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions.

Defaults to ‘""’.

cups-configuration parameter: boolean classify-override?

Specifies whether users may override the classification (cover page) of individual print jobs using the job-sheets option.

Defaults to ‘#f’.

cups-configuration parameter: default-auth-type default-auth-type

Specifies the default type of authentication to use.

Defaults to ‘Basic’.

cups-configuration parameter: default-encryption default-encryption

Specifies whether encryption will be used for authenticated requests.

Defaults to ‘Required’.

cups-configuration parameter: string default-language

Specifies the default language to use for text and web content.

Defaults to ‘"en"’.

cups-configuration parameter: string default-paper-size

Specifies the default paper size for new print queues. ‘"Auto"’ uses a locale-specific default, while ‘"None"’ specifies there is no default paper size. Specific size names are typically ‘"Letter"’ or ‘"A4"’.

Defaults to ‘"Auto"’.

cups-configuration parameter: string default-policy

Specifies the default access policy to use.

Defaults to ‘"default"’.

cups-configuration parameter: boolean default-shared?

Specifies whether local printers are shared by default.

Defaults to ‘#t’.

cups-configuration parameter: non-negative-integer dirty-clean-interval

Specifies the delay for updating of configuration and state files, in seconds. A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.

Defaults to ‘30’.

cups-configuration parameter: error-policy error-policy

Specifies what to do when an error occurs. Possible values are abort-job, which will discard the failed print job; retry-job, which will retry the job at a later time; retry-this-job, which retries the failed job immediately; and stop-printer, which stops the printer.

Defaults to ‘stop-printer’.

cups-configuration parameter: non-negative-integer filter-limit

Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems. A limit of 0 disables filter limiting. An average print to a non-PostScript printer needs a filter limit of about 200. A PostScript printer needs about half that (100). Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time.

Defaults to ‘0’.

cups-configuration parameter: non-negative-integer filter-nice

Specifies the scheduling priority of filters that are run to print a job. The nice value ranges from 0, the highest priority, to 19, the lowest priority.

Defaults to ‘0’.

cups-configuration parameter: host-name-lookups host-name-lookups

Specifies whether to do reverse lookups on connecting clients. The double setting causes cupsd to verify that the hostname resolved from the address matches one of the addresses returned for that hostname. Double lookups also prevent clients with unregistered addresses from connecting to your server. Only set this option to #t or double if absolutely required.

Defaults to ‘#f’.

cups-configuration parameter: non-negative-integer job-kill-delay

Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job.

Defaults to ‘30’.

cups-configuration parameter: non-negative-integer job-retry-interval

Specifies the interval between retries of jobs in seconds. This is typically used for fax queues but can also be used with normal print queues whose error policy is retry-job or retry-current-job.

Defaults to ‘30’.

cups-configuration parameter: non-negative-integer job-retry-limit

Specifies the number of retries that are done for jobs. This is typically used for fax queues but can also be used with normal print queues whose error policy is retry-job or retry-current-job.

Defaults to ‘5’.

cups-configuration parameter: boolean keep-alive?

Specifies whether to support HTTP keep-alive connections.

Defaults to ‘#t’.

cups-configuration parameter: non-negative-integer keep-alive-timeout

Specifies how long an idle client connection remains open, in seconds.

Defaults to ‘30’.

cups-configuration parameter: non-negative-integer limit-request-body

Specifies the maximum size of print files, IPP requests, and HTML form data. A limit of 0 disables the limit check.

Defaults to ‘0’.

cups-configuration parameter: multiline-string-list listen

Listens on the specified interfaces for connections. Valid values are of the form address:port, where address is either an IPv6 address enclosed in brackets, an IPv4 address, or * to indicate all addresses. Values can also be file names of local UNIX domain sockets. The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks.

cups-configuration parameter: non-negative-integer listen-back-log

Specifies the number of pending connections that will be allowed. This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections. When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones.

Defaults to ‘128’.

cups-configuration parameter: location-access-control-list location-access-controls

Specifies a set of additional access controls.

Available location-access-controls fields are:

location-access-controls parameter: file-name path

Specifies the URI path to which the access control applies.

location-access-controls parameter: access-control-list access-controls

Access controls for all access to this path, in the same format as the access-controls of operation-access-control.

Defaults to ‘()’.

location-access-controls parameter: method-access-control-list method-access-controls

Access controls for method-specific access to this path.

Defaults to ‘()’.

Available method-access-controls fields are:

method-access-controls parameter: boolean reverse?

If #t, apply access controls to all methods except the listed methods. Otherwise apply to only the listed methods.

Defaults to ‘#f’.

method-access-controls parameter: method-list methods

Methods to which this access control applies.

Defaults to ‘()’.

method-access-controls parameter: access-control-list access-controls

Access control directives, as a list of strings. Each string should be one directive, such as "Order allow,deny".

Defaults to ‘()’.

cups-configuration parameter: non-negative-integer log-debug-history

Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting.

Defaults to ‘100’.

cups-configuration parameter: log-level log-level

Specifies the level of logging for the ErrorLog file. The value none stops all logging while debug2 logs everything.

Defaults to ‘info’.

cups-configuration parameter: log-time-format log-time-format

Specifies the format of the date and time in the log files. The value standard logs whole seconds while usecs logs microseconds.

Defaults to ‘standard’.

cups-configuration parameter: non-negative-integer max-clients

Specifies the maximum number of simultaneous clients that are allowed by the scheduler.

Defaults to ‘100’.

cups-configuration parameter: non-negative-integer max-clients-per-host

Specifies the maximum number of simultaneous clients that are allowed from a single address.

Defaults to ‘100’.

cups-configuration parameter: non-negative-integer max-copies

Specifies the maximum number of copies that a user can print of each job.

Defaults to ‘9999’.

cups-configuration parameter: non-negative-integer max-hold-time

Specifies the maximum time a job may remain in the indefinite hold state before it is canceled. A value of 0 disables cancellation of held jobs.

Defaults to ‘0’.

cups-configuration parameter: non-negative-integer max-jobs

Specifies the maximum number of simultaneous jobs that are allowed. Set to 0 to allow an unlimited number of jobs.

Defaults to ‘500’.

cups-configuration parameter: non-negative-integer max-jobs-per-printer

Specifies the maximum number of simultaneous jobs that are allowed per printer. A value of 0 allows up to MaxJobs jobs per printer.

Defaults to ‘0’.

cups-configuration parameter: non-negative-integer max-jobs-per-user

Specifies the maximum number of simultaneous jobs that are allowed per user. A value of 0 allows up to MaxJobs jobs per user.

Defaults to ‘0’.

cups-configuration parameter: non-negative-integer max-job-time

Specifies the maximum time a job may take to print before it is canceled, in seconds. Set to 0 to disable cancellation of "stuck" jobs.

Defaults to ‘10800’.

cups-configuration parameter: non-negative-integer max-log-size

Specifies the maximum size of the log files before they are rotated, in bytes. The value 0 disables log rotation.

Defaults to ‘1048576’.

cups-configuration parameter: non-negative-integer multiple-operation-timeout

Specifies the maximum amount of time to allow between files in a multiple file print job, in seconds.

Defaults to ‘300’.

cups-configuration parameter: string page-log-format

Specifies the format of PageLog lines. Sequences beginning with percent (‘%’) characters are replaced with the corresponding information, while all other characters are copied literally. The following percent sequences are recognized:

%%

insert a single percent character

%{name}

insert the value of the specified IPP attribute

%C

insert the number of copies for the current page

%P

insert the current page number

%T

insert the current date and time in common log format

%j

insert the job ID

%p

insert the printer name

%u

insert the username

A value of the empty string disables page logging. The string %p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides} creates a page log with the standard items.

Defaults to ‘""’.

cups-configuration parameter: environment-variables environment-variables

Passes the specified environment variable(s) to child processes; a list of strings.

Defaults to ‘()’.

cups-configuration parameter: policy-configuration-list policies

Specifies named access control policies.

Available policy-configuration fields are:

policy-configuration parameter: string name

Name of the policy.

policy-configuration parameter: string job-private-access

Specifies an access list for a job’s private values. @ACL maps to the printer’s requesting-user-name-allowed or requesting-user-name-denied values. @OWNER maps to the job’s owner. @SYSTEM maps to the groups listed for the system-group field of the files-config configuration, which is reified into the cups-files.conf(5) file. Other possible elements of the access list include specific user names, and @group to indicate members of a specific group. The access list may also be simply all or default.

Defaults to ‘"@OWNER @SYSTEM"’.

policy-configuration parameter: string job-private-values

Specifies the list of job values to make private, or all, default, or none.

Defaults to ‘"job-name job-originating-host-name job-originating-user-name phone"’.

policy-configuration parameter: string subscription-private-access

Specifies an access list for a subscription’s private values. @ACL maps to the printer’s requesting-user-name-allowed or requesting-user-name-denied values. @OWNER maps to the job’s owner. @SYSTEM maps to the groups listed for the system-group field of the files-config configuration, which is reified into the cups-files.conf(5) file. Other possible elements of the access list include specific user names, and @group to indicate members of a specific group. The access list may also be simply all or default.

Defaults to ‘"@OWNER @SYSTEM"’.

policy-configuration parameter: string subscription-private-values

Specifies the list of job values to make private, or all, default, or none.

Defaults to ‘"notify-events notify-pull-method notify-recipient-uri notify-subscriber-user-name notify-user-data"’.

policy-configuration parameter: operation-access-control-list access-controls

Access control by IPP operation.

Defaults to ‘()’.

cups-configuration parameter: boolean-or-non-negative-integer preserve-job-files

Specifies whether job files (documents) are preserved after a job is printed. If a numeric value is specified, job files are preserved for the indicated number of seconds after printing. Otherwise a boolean value applies indefinitely.

Defaults to ‘86400’.

cups-configuration parameter: boolean-or-non-negative-integer preserve-job-history

Specifies whether the job history is preserved after a job is printed. If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing. If #t, the job history is preserved until the MaxJobs limit is reached.

Defaults to ‘#t’.

cups-configuration parameter: non-negative-integer reload-timeout

Specifies the amount of time to wait for job completion before restarting the scheduler.

Defaults to ‘30’.

cups-configuration parameter: string rip-cache

Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.

Defaults to ‘"128m"’.

cups-configuration parameter: string server-admin

Specifies the email address of the server administrator.

Defaults to ‘"root@localhost.localdomain"’.

cups-configuration parameter: host-name-list-or-* server-alias

The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces. Using the special name * can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall. If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using *.

Defaults to ‘*’.

cups-configuration parameter: string server-name

Specifies the fully-qualified host name of the server.

Defaults to ‘"localhost"’.

cups-configuration parameter: server-tokens server-tokens

Specifies what information is included in the Server header of HTTP responses. None disables the Server header. ProductOnly reports CUPS. Major reports CUPS 2. Minor reports CUPS 2.0. Minimal reports CUPS 2.0.0. OS reports CUPS 2.0.0 (uname) where uname is the output of the uname command. Full reports CUPS 2.0.0 (uname) IPP/2.0.

Defaults to ‘Minimal’.

cups-configuration parameter: string set-env

Set the specified environment variable to be passed to child processes.

Defaults to ‘"variable value"’.

cups-configuration parameter: multiline-string-list ssl-listen

Listens on the specified interfaces for encrypted connections. Valid values are of the form address:port, where address is either an IPv6 address enclosed in brackets, an IPv4 address, or * to indicate all addresses.

Defaults to ‘()’.

cups-configuration parameter: ssl-options ssl-options

Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.

Defaults to ‘()’.

cups-configuration parameter: boolean strict-conformance?

Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications.

Defaults to ‘#f’.

cups-configuration parameter: non-negative-integer timeout

Specifies the HTTP request timeout, in seconds.

Defaults to ‘300’.

cups-configuration parameter: boolean web-interface?

Specifies whether the web interface is enabled.

Defaults to ‘#f’.

At this point you’re probably thinking “oh dear, Guix manual, I like you but you can stop already with the configuration options”. Indeed. However, one more point: it could be that you have an existing cupsd.conf that you want to use. In that case, you can pass an opaque-cups-configuration as the configuration of a cups-service-type.

Available opaque-cups-configuration fields are:

opaque-cups-configuration parameter: package cups

The CUPS package.

opaque-cups-configuration parameter: string cupsd.conf

The contents of the cupsd.conf, as a string.

opaque-cups-configuration parameter: string cups-files.conf

The contents of the cups-files.conf file, as a string.

For example, if your cupsd.conf and cups-files.conf are in strings of the same name, you could instantiate a CUPS service like this:

(service cups-service-type
         (opaque-cups-configuration
           (cupsd.conf cupsd.conf)
           (cups-files.conf cups-files.conf)))

Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.7 Desktop Services

The (gnu services desktop) module provides services that are usually useful in the context of a “desktop” setup—that is, on a machine running a graphical display server, possibly with graphical user interfaces, etc. It also defines services that provide specific desktop environments like GNOME, XFCE or MATE.

To simplify things, the module defines a variable containing the set of services that users typically expect on a machine with a graphical environment and networking:

Scheme Variable: %desktop-services

This is a list of services that builds upon %base-services and adds or adjusts services for a typical “desktop” setup.

In particular, it adds a graphical login manager (see slim-service), screen lockers, a network management tool (see network-manager-service-type), energy and color management services, the elogind login and seat manager, the Polkit privilege service, the GeoClue location service, the AccountsService daemon that allows authorized users change system passwords, an NTP client (see Networking Services), the Avahi daemon, and has the name service switch service configured to be able to use nss-mdns (see mDNS).

The %desktop-services variable can be used as the services field of an operating-system declaration (see services).

Additionally, the gnome-desktop-service, xfce-desktop-service, mate-desktop-service and enlightenment-desktop-service-type procedures can add GNOME, XFCE, MATE and/or Enlightenment to a system. To “add GNOME” means that system-level services like the backlight adjustment helpers and the power management utilities are added to the system, extending polkit and dbus appropriately, allowing GNOME to operate with elevated privileges on a limited number of special-purpose system interfaces. Additionally, adding a service made by gnome-desktop-service adds the GNOME metapackage to the system profile. Likewise, adding the XFCE service not only adds the xfce metapackage to the system profile, but it also gives the Thunar file manager the ability to open a “root-mode” file management window, if the user authenticates using the administrator’s password via the standard polkit graphical interface. To “add MATE” means that polkit and dbus are extended appropriately, allowing MATE to operate with elevated privileges on a limited number of special-purpose system interfaces. Additionally, adding a service made by mate-desktop-service adds the MATE metapackage to the system profile. “Adding ENLIGHTENMENT” means that dbus is extended appropriately, and several of Enlightenment’s binaries are set as setuid, allowing Enlightenment’s screen locker and other functionality to work as expetected.

The desktop environments in Guix use the Xorg display server by default. If you’d like to use the newer display server protocol called Wayland, you need to use the sddm-service instead of the slim-service for the graphical login manager. You should then select the “GNOME (Wayland)” session in SDDM. Alternatively you can also try starting GNOME on Wayland manually from a TTY with the command “XDG_SESSION_TYPE=wayland exec dbus-run-session gnome-session“. Currently only GNOME has support for Wayland.

Scheme Procedure: gnome-desktop-service

Return a service that adds the gnome package to the system profile, and extends polkit with the actions from gnome-settings-daemon.

Scheme Procedure: xfce-desktop-service

Return a service that adds the xfce package to the system profile, and extends polkit with the ability for thunar to manipulate the file system as root from within a user session, after the user has authenticated with the administrator’s password.

Scheme Procedure: mate-desktop-service

Return a service that adds the mate package to the system profile, and extends polkit with the actions from mate-settings-daemon.

Scheme Procedure: enlightenment-desktop-service-type

Return a service that adds the enlightenment package to the system profile, and extends dbus with actions from efl.

Data Type: enlightenment-desktop-service-configuration
enlightenment (default enlightenment)

The enlightenment package to use.

Because the GNOME, XFCE and MATE desktop services pull in so many packages, the default %desktop-services variable doesn’t include any of them by default. To add GNOME, XFCE or MATE, just cons them onto %desktop-services in the services field of your operating-system:

(use-modules (gnu))
(use-service-modules desktop)
(operating-system
  ...
  ;; cons* adds items to the list given as its last argument.
  (services (cons* (gnome-desktop-service)
                   (xfce-desktop-service)
                   %desktop-services))
  ...)

These desktop environments will then be available as options in the graphical login window.

The actual service definitions included in %desktop-services and provided by (gnu services dbus) and (gnu services desktop) are described below.

Scheme Procedure: dbus-service [#:dbus dbus] [#:services '()]

Return a service that runs the “system bus”, using dbus, with support for services.

D-Bus is an inter-process communication facility. Its system bus is used to allow system services to communicate and to be notified of system-wide events.

services must be a list of packages that provide an etc/dbus-1/system.d directory containing additional D-Bus configuration and policy files. For example, to allow avahi-daemon to use the system bus, services must be equal to (list avahi).

Scheme Procedure: elogind-service [#:config config]

Return a service that runs the elogind login and seat management daemon. Elogind exposes a D-Bus interface that can be used to know which users are logged in, know what kind of sessions they have open, suspend the system, inhibit system suspend, reboot the system, and other tasks.

Elogind handles most system-level power events for a computer, for example suspending the system when a lid is closed, or shutting it down when the power button is pressed.

The config keyword argument specifies the configuration for elogind, and should be the result of an (elogind-configuration (parameter value)...) invocation. Available parameters and their default values are:

kill-user-processes?

#f

kill-only-users

()

kill-exclude-users

("root")

inhibit-delay-max-seconds

5

handle-power-key

poweroff

handle-suspend-key

suspend

handle-hibernate-key

hibernate

handle-lid-switch

suspend

handle-lid-switch-docked

ignore

power-key-ignore-inhibited?

#f

suspend-key-ignore-inhibited?

#f

hibernate-key-ignore-inhibited?

#f

lid-switch-ignore-inhibited?

#t

holdoff-timeout-seconds

30

idle-action

ignore

idle-action-seconds

(* 30 60)

runtime-directory-size-percent

10

runtime-directory-size

#f

remove-ipc?

#t

suspend-state

("mem" "standby" "freeze")

suspend-mode

()

hibernate-state

("disk")

hibernate-mode

("platform" "shutdown")

hybrid-sleep-state

("disk")

hybrid-sleep-mode

("suspend" "platform" "shutdown")

Scheme Procedure: accountsservice-service [#:accountsservice accountsservice]

Return a service that runs AccountsService, a system service that can list available accounts, change their passwords, and so on. AccountsService integrates with PolicyKit to enable unprivileged users to acquire the capability to modify their system configuration. the accountsservice web site for more information.

The accountsservice keyword argument is the accountsservice package to expose as a service.

Scheme Procedure: polkit-service [#:polkit polkit]

Return a service that runs the Polkit privilege management service, which allows system administrators to grant access to privileged operations in a structured way. By querying the Polkit service, a privileged system component can know when it should grant additional capabilities to ordinary users. For example, an ordinary user can be granted the capability to suspend the system if the user is logged in locally.

Scheme Procedure: upower-service [#:upower upower] [#:watts-up-pro? #f] [#:poll-batteries? #t] [#:ignore-lid? #f] [#:use-percentage-for-policy? #f] [#:percentage-low 10] [#:percentage-critical 3] [#:percentage-action 2] [#:time-low 1200] [#:time-critical 300] [#:time-action 120] [#:critical-power-action 'hybrid-sleep]

Return a service that runs upowerd, a system-wide monitor for power consumption and battery levels, with the given configuration settings. It implements the org.freedesktop.UPower D-Bus interface, and is notably used by GNOME.

Scheme Procedure: udisks-service [#:udisks udisks]

Return a service for UDisks, a disk management daemon that provides user interfaces with notifications and ways to mount/unmount disks. Programs that talk to UDisks include the udisksctl command, part of UDisks, and GNOME Disks.

Scheme Procedure: colord-service [#:colord colord]

Return a service that runs colord, a system service with a D-Bus interface to manage the color profiles of input and output devices such as screens and scanners. It is notably used by the GNOME Color Manager graphical tool. See the colord web site for more information.

Scheme Procedure: geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()]

Return a configuration allowing an application to access GeoClue location data. name is the Desktop ID of the application, without the .desktop part. If allowed? is true, the application will have access to location information by default. The boolean system? value indicates whether an application is a system component or not. Finally users is a list of UIDs of all users for which this application is allowed location info access. An empty users list means that all users are allowed.

Scheme Variable: %standard-geoclue-applications

The standard list of well-known GeoClue application configurations, granting authority to the GNOME date-and-time utility to ask for the current location in order to set the time zone, and allowing the IceCat and Epiphany web browsers to request location information. IceCat and Epiphany both query the user before allowing a web page to know the user’s location.

Scheme Procedure: geoclue-service [#:colord colord] [#:whitelist '()] [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] [#:submit-data? #f]

[#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"]   [#:submission-nick "geoclue"]   [#:applications %standard-geoclue-applications] Return a service that runs the GeoClue location service. This service provides a D-Bus interface to allow applications to request access to a user’s physical location, and optionally to add information to online location databases. See the GeoClue web site for more information.

Scheme Procedure: bluetooth-service [#:bluez bluez] [#:auto-enable? #f]

Return a service that runs the bluetoothd daemon, which manages all the Bluetooth devices and provides a number of D-Bus interfaces. When AUTO-ENABLE? is true, the bluetooth controller is powered automatically at boot, which can be useful when using a bluetooth keyboard or mouse.

Users need to be in the lp group to access the D-Bus service.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.8 Sound Services

The (gnu services sound) module provides a service to configure the Advanced Linux Sound Architecture (ALSA) system, which making PulseAudio the prefered ALSA output driver.

Scheme Variable: alsa-service-type

This is the type for the Advanced Linux Sound Architecture (ALSA) system, which generates the /etc/asound.conf configuration file. The value for this type is a alsa-configuration record as in this example:

(service alsa-service-type)

See below for details about alsa-configuration.

Data Type: alsa-configuration

Data type representing the configuration for alsa-service.

alsa-plugins (default: alsa-plugins)

alsa-plugins package to use.

pulseaudio? (default: #t)

Whether ALSA applications should transparently be made to use the PulseAudio sound server.

Using PulseAudio allows you to run several sound-producing applications at the same time and to individual control them via pavucontrol, among other things.

extra-options (default: "")

String to append to the /etc/asound.conf file.

Individual users who want to override the system configuration of ALSA can do it with the ~/.asoundrc file:

# In guix, we have to specify the absolute path for plugins.
pcm_type.jack {
  lib "/home/alice/.guix-profile/lib/alsa-lib/libasound_module_pcm_jack.so"
}

# Routing ALSA to jack:
# <http://jackaudio.org/faq/routing_alsa.html>.
pcm.rawjack {
  type jack
  playback_ports {
    0 system:playback_1
    1 system:playback_2
  }

  capture_ports {
    0 system:capture_1
    1 system:capture_2
  }
}

pcm.!default {
  type plug
  slave {
    pcm "rawjack"
  }
}

See https://www.alsa-project.org/main/index.php/Asoundrc for the details.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.9 Database Services

The (gnu services databases) module provides the following services.

Scheme Procedure: postgresql-service [#:postgresql postgresql] [#:config-file] [#:data-directory ``/var/lib/postgresql/data''] [#:port 5432] [#:locale ``en_US.utf8'']

Return a service that runs postgresql, the PostgreSQL database server.

The PostgreSQL daemon loads its runtime configuration from config-file, creates a database cluster with locale as the default locale, stored in data-directory. It then listens on port.

Scheme Procedure: mysql-service [#:config (mysql-configuration)]

Return a service that runs mysqld, the MySQL or MariaDB database server.

The optional config argument specifies the configuration for mysqld, which should be a <mysql-configuration> object.

Data Type: mysql-configuration

Data type representing the configuration of mysql-service.

mysql (default: mariadb)

Package object of the MySQL database server, can be either mariadb or mysql.

For MySQL, a temporary root password will be displayed at activation time. For MariaDB, the root password is empty.

port (default: 3306)

TCP port on which the database server listens for incoming connections.

Scheme Variable: memcached-service-type

This is the service type for the Memcached service, which provides a distributed in memory cache. The value for the service type is a memcached-configuration object.

(service memcached-service-type)
Data Type: memcached-configuration

Data type representing the configuration of memcached.

memcached (default: memcached)

The Memcached package to use.

interfaces (default: '("0.0.0.0"))

Network interfaces on which to listen.

tcp-port (default: 11211)

Port on which to accept connections on,

udp-port (default: 11211)

Port on which to accept UDP connections on, a value of 0 will disable listening on a UDP socket.

additional-options (default: '())

Additional command line options to pass to memcached.

Scheme Variable: mongodb-service-type

This is the service type for MongoDB. The value for the service type is a mongodb-configuration object.

(service mongodb-service-type)
Data Type: mongodb-configuration

Data type representing the configuration of mongodb.

mongodb (default: mongodb)

The MongoDB package to use.

config-file (default: %default-mongodb-configuration-file)

The configuration file for MongoDB.

data-directory (default: "/var/lib/mongodb")

This value is used to create the directory, so that it exists and is owned by the mongodb user. It should match the data-directory which MongoDB is configured to use through the configuration file.

Scheme Variable: redis-service-type

This is the service type for the Redis key/value store, whose value is a redis-configuration object.

Data Type: redis-configuration

Data type representing the configuration of redis.

redis (default: redis)

The Redis package to use.

bind (default: "127.0.0.1")

Network interface on which to listen.

port (default: 6379)

Port on which to accept connections on, a value of 0 will disable listening on a TCP socket.

working-directory (default: "/var/lib/redis")

Directory in which to store the database and related files.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.10 Mail Services

The (gnu services mail) module provides Guix service definitions for email services: IMAP, POP3, and LMTP servers, as well as mail transport agents (MTAs). Lots of acronyms! These services are detailed in the subsections below.

Dovecot Service

Scheme Procedure: dovecot-service [#:config (dovecot-configuration)]

Return a service that runs the Dovecot IMAP/POP3/LMTP mail server.

By default, Dovecot does not need much configuration; the default configuration object created by (dovecot-configuration) will suffice if your mail is delivered to ~/Maildir. A self-signed certificate will be generated for TLS-protected connections, though Dovecot will also listen on cleartext ports by default. There are a number of options, though, which mail administrators might need to change, and as is the case with other services, Guix allows the system administrator to specify these parameters via a uniform Scheme interface.

For example, to specify that mail is located at maildir~/.mail, one would instantiate the Dovecot service like this:

(dovecot-service #:config
                 (dovecot-configuration
                  (mail-location "maildir:~/.mail")))

The available configuration parameters follow. Each parameter definition is preceded by its type; for example, ‘string-list foo’ indicates that the foo parameter should be specified as a list of strings. There is also a way to specify the configuration as a string, if you have an old dovecot.conf file that you want to port over from some other system; see the end for more details.

Available dovecot-configuration fields are:

dovecot-configuration parameter: package dovecot

The dovecot package.

dovecot-configuration parameter: comma-separated-string-list listen

A list of IPs or hosts where to listen for connections. ‘*’ listens on all IPv4 interfaces, ‘::’ listens on all IPv6 interfaces. If you want to specify non-default ports or anything more complex, customize the address and port fields of the ‘inet-listener’ of the specific services you are interested in.

dovecot-configuration parameter: protocol-configuration-list protocols

List of protocols we want to serve. Available protocols include ‘imap’, ‘pop3’, and ‘lmtp’.

Available protocol-configuration fields are:

protocol-configuration parameter: string name

The name of the protocol.

protocol-configuration parameter: string auth-socket-path

UNIX socket path to the master authentication server to find users. This is used by imap (for shared users) and lda. It defaults to ‘"/var/run/dovecot/auth-userdb"’.

protocol-configuration parameter: space-separated-string-list mail-plugins

Space separated list of plugins to load.

protocol-configuration parameter: non-negative-integer mail-max-userip-connections

Maximum number of IMAP connections allowed for a user from each IP address. NOTE: The username is compared case-sensitively. Defaults to ‘10’.

dovecot-configuration parameter: service-configuration-list services

List of services to enable. Available services include ‘imap’, ‘imap-login’, ‘pop3’, ‘pop3-login’, ‘auth’, and ‘lmtp’.

Available service-configuration fields are:

service-configuration parameter: string kind

The service kind. Valid values include director, imap-login, pop3-login, lmtp, imap, pop3, auth, auth-worker, dict, tcpwrap, quota-warning, or anything else.

service-configuration parameter: listener-configuration-list listeners

Listeners for the service. A listener is either a unix-listener-configuration, a fifo-listener-configuration, or an inet-listener-configuration. Defaults to ‘()’.

Available unix-listener-configuration fields are:

unix-listener-configuration parameter: string path

Path to the file, relative to base-dir field. This is also used as the section name.

unix-listener-configuration parameter: string mode

The access mode for the socket. Defaults to ‘"0600"’.

unix-listener-configuration parameter: string user

The user to own the socket. Defaults to ‘""’.

unix-listener-configuration parameter: string group

The group to own the socket. Defaults to ‘""’.

Available fifo-listener-configuration fields are:

fifo-listener-configuration parameter: string path

Path to the file, relative to base-dir field. This is also used as the section name.

fifo-listener-configuration parameter: string mode

The access mode for the socket. Defaults to ‘"0600"’.

fifo-listener-configuration parameter: string user

The user to own the socket. Defaults to ‘""’.

fifo-listener-configuration parameter: string group

The group to own the socket. Defaults to ‘""’.

Available inet-listener-configuration fields are:

inet-listener-configuration parameter: string protocol

The protocol to listen for.

inet-listener-configuration parameter: string address

The address on which to listen, or empty for all addresses. Defaults to ‘""’.

inet-listener-configuration parameter: non-negative-integer port

The port on which to listen.

inet-listener-configuration parameter: boolean ssl?

Whether to use SSL for this service; ‘yes’, ‘no’, or ‘required’. Defaults to ‘#t’.

service-configuration parameter: non-negative-integer service-count

Number of connections to handle before starting a new process. Typically the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 is faster. <doc/wiki/LoginProcess.txt>. Defaults to ‘1’.

service-configuration parameter: non-negative-integer process-min-avail

Number of processes to always keep waiting for more connections. Defaults to ‘0’.

service-configuration parameter: non-negative-integer vsz-limit

If you set ‘service-count 0’, you probably need to grow this. Defaults to ‘256000000’.

dovecot-configuration parameter: dict-configuration dict

Dict configuration, as created by the dict-configuration constructor.

Available dict-configuration fields are:

dict-configuration parameter: free-form-fields entries

A list of key-value pairs that this dict should hold. Defaults to ‘()’.

dovecot-configuration parameter: passdb-configuration-list passdbs

A list of passdb configurations, each one created by the passdb-configuration constructor.

Available passdb-configuration fields are:

passdb-configuration parameter: string driver

The driver that the passdb should use. Valid values include ‘pam’, ‘passwd’, ‘shadow’, ‘bsdauth’, and ‘static’. Defaults to ‘"pam"’.

passdb-configuration parameter: space-separated-string-list args

Space separated list of arguments to the passdb driver. Defaults to ‘""’.

dovecot-configuration parameter: userdb-configuration-list userdbs

List of userdb configurations, each one created by the userdb-configuration constructor.

Available userdb-configuration fields are:

userdb-configuration parameter: string driver

The driver that the userdb should use. Valid values include ‘passwd’ and ‘static’. Defaults to ‘"passwd"’.

userdb-configuration parameter: space-separated-string-list args

Space separated list of arguments to the userdb driver. Defaults to ‘""’.

userdb-configuration parameter: free-form-args override-fields

Override fields from passwd. Defaults to ‘()’.

dovecot-configuration parameter: plugin-configuration plugin-configuration

Plug-in configuration, created by the plugin-configuration constructor.

dovecot-configuration parameter: list-of-namespace-configuration namespaces

List of namespaces. Each item in the list is created by the namespace-configuration constructor.

Available namespace-configuration fields are:

namespace-configuration parameter: string name

Name for this namespace.

namespace-configuration parameter: string type

Namespace type: ‘private’, ‘shared’ or ‘public’. Defaults to ‘"private"’.

namespace-configuration parameter: string separator

Hierarchy separator to use. You should use the same separator for all namespaces or some clients get confused. ‘/’ is usually a good one. The default however depends on the underlying mail storage format. Defaults to ‘""’.

namespace-configuration parameter: string prefix

Prefix required to access this namespace. This needs to be different for all namespaces. For example ‘Public/’. Defaults to ‘""’.

namespace-configuration parameter: string location

Physical location of the mailbox. This is in the same format as mail_location, which is also the default for it. Defaults to ‘""’.

namespace-configuration parameter: boolean inbox?

There can be only one INBOX, and this setting defines which namespace has it. Defaults to ‘#f’.

namespace-configuration parameter: boolean hidden?

If namespace is hidden, it’s not advertised to clients via NAMESPACE extension. You’ll most likely also want to set ‘list? #f’. This is mostly useful when converting from another server with different namespaces which you want to deprecate but still keep working. For example you can create hidden namespaces with prefixes ‘~/mail/’, ‘~%u/mail/’ and ‘mail/’. Defaults to ‘#f’.

namespace-configuration parameter: boolean list?

Show the mailboxes under this namespace with the LIST command. This makes the namespace visible for clients that do not support the NAMESPACE extension. The special children value lists child mailboxes, but hides the namespace prefix. Defaults to ‘#t’.

namespace-configuration parameter: boolean subscriptions?

Namespace handles its own subscriptions. If set to #f, the parent namespace handles them. The empty prefix should always have this as #t). Defaults to ‘#t’.

namespace-configuration parameter: mailbox-configuration-list mailboxes

List of predefined mailboxes in this namespace. Defaults to ‘()’.

Available mailbox-configuration fields are:

mailbox-configuration parameter: string name

Name for this mailbox.

mailbox-configuration parameter: string auto

create’ will automatically create this mailbox. ‘subscribe’ will both create and subscribe to the mailbox. Defaults to ‘"no"’.

mailbox-configuration parameter: space-separated-string-list special-use

List of IMAP SPECIAL-USE attributes as specified by RFC 6154. Valid values are \All, \Archive, \Drafts, \Flagged, \Junk, \Sent, and \Trash. Defaults to ‘()’.

dovecot-configuration parameter: file-name base-dir

Base directory where to store runtime data. Defaults to ‘"/var/run/dovecot/"’.

dovecot-configuration parameter: string login-greeting

Greeting message for clients. Defaults to ‘"Dovecot ready."’.

dovecot-configuration parameter: space-separated-string-list login-trusted-networks

List of trusted network ranges. Connections from these IPs are allowed to override their IP addresses and ports (for logging and for authentication checks). ‘disable-plaintext-auth’ is also ignored for these networks. Typically you would specify your IMAP proxy servers here. Defaults to ‘()’.

dovecot-configuration parameter: space-separated-string-list login-access-sockets

List of login access check sockets (e.g. tcpwrap). Defaults to ‘()’.

dovecot-configuration parameter: boolean verbose-proctitle?

Show more verbose process titles (in ps). Currently shows user name and IP address. Useful for seeing who is actually using the IMAP processes (e.g. shared mailboxes or if the same uid is used for multiple accounts). Defaults to ‘#f’.

dovecot-configuration parameter: boolean shutdown-clients?

Should all processes be killed when Dovecot master process shuts down. Setting this to #f means that Dovecot can be upgraded without forcing existing client connections to close (although that could also be a problem if the upgrade is e.g. due to a security fix). Defaults to ‘#t’.

dovecot-configuration parameter: non-negative-integer doveadm-worker-count

If non-zero, run mail commands via this many connections to doveadm server, instead of running them directly in the same process. Defaults to ‘0’.

dovecot-configuration parameter: string doveadm-socket-path

UNIX socket or host:port used for connecting to doveadm server. Defaults to ‘"doveadm-server"’.

dovecot-configuration parameter: space-separated-string-list import-environment

List of environment variables that are preserved on Dovecot startup and passed down to all of its child processes. You can also give key=value pairs to always set specific settings.

dovecot-configuration parameter: boolean disable-plaintext-auth?

Disable LOGIN command and all other plaintext authentications unless SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP matches the local IP (i.e. you’re connecting from the same computer), the connection is considered secure and plaintext authentication is allowed. See also ssl=required setting. Defaults to ‘#t’.

dovecot-configuration parameter: non-negative-integer auth-cache-size

Authentication cache size (e.g. ‘#e10e6’). 0 means it’s disabled. Note that bsdauth, PAM and vpopmail require ‘cache-key’ to be set for caching to be used. Defaults to ‘0’.

dovecot-configuration parameter: string auth-cache-ttl

Time to live for cached data. After TTL expires the cached record is no longer used, *except* if the main database lookup returns internal failure. We also try to handle password changes automatically: If user’s previous authentication was successful, but this one wasn’t, the cache isn’t used. For now this works only with plaintext authentication. Defaults to ‘"1 hour"’.

dovecot-configuration parameter: string auth-cache-negative-ttl

TTL for negative hits (user not found, password mismatch). 0 disables caching them completely. Defaults to ‘"1 hour"’.

dovecot-configuration parameter: space-separated-string-list auth-realms

List of realms for SASL authentication mechanisms that need them. You can leave it empty if you don’t want to support multiple realms. Many clients simply use the first one listed here, so keep the default realm first. Defaults to ‘()’.

dovecot-configuration parameter: string auth-default-realm

Default realm/domain to use if none was specified. This is used for both SASL realms and appending @domain to username in plaintext logins. Defaults to ‘""’.

dovecot-configuration parameter: string auth-username-chars

List of allowed characters in username. If the user-given username contains a character not listed in here, the login automatically fails. This is just an extra check to make sure user can’t exploit any potential quote escaping vulnerabilities with SQL/LDAP databases. If you want to allow all characters, set this value to empty. Defaults to ‘"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"’.

dovecot-configuration parameter: string auth-username-translation

Username character translations before it’s looked up from databases. The value contains series of from -> to characters. For example ‘#@/@’ means that ‘#’ and ‘/’ characters are translated to ‘@’. Defaults to ‘""’.

dovecot-configuration parameter: string auth-username-format

Username formatting before it’s looked up from databases. You can use the standard variables here, e.g. %Lu would lowercase the username, %n would drop away the domain if it was given, or ‘%n-AT-%d’ would change the ‘@’ into ‘-AT-’. This translation is done after ‘auth-username-translation’ changes. Defaults to ‘"%Lu"’.

dovecot-configuration parameter: string auth-master-user-separator

If you want to allow master users to log in by specifying the master username within the normal username string (i.e. not using SASL mechanism’s support for it), you can specify the separator character here. The format is then <username><separator><master username>. UW-IMAP uses ‘*’ as the separator, so that could be a good choice. Defaults to ‘""’.

dovecot-configuration parameter: string auth-anonymous-username

Username to use for users logging in with ANONYMOUS SASL mechanism. Defaults to ‘"anonymous"’.

dovecot-configuration parameter: non-negative-integer auth-worker-max-count

Maximum number of dovecot-auth worker processes. They’re used to execute blocking passdb and userdb queries (e.g. MySQL and PAM). They’re automatically created and destroyed as needed. Defaults to ‘30’.

dovecot-configuration parameter: string auth-gssapi-hostname

Host name to use in GSSAPI principal names. The default is to use the name returned by gethostname(). Use ‘$ALL’ (with quotes) to allow all keytab entries. Defaults to ‘""’.

dovecot-configuration parameter: string auth-krb5-keytab

Kerberos keytab to use for the GSSAPI mechanism. Will use the system default (usually /etc/krb5.keytab) if not specified. You may need to change the auth service to run as root to be able to read this file. Defaults to ‘""’.

dovecot-configuration parameter: boolean auth-use-winbind?

Do NTLM and GSS-SPNEGO authentication using Samba’s winbind daemon and ‘ntlm-auth’ helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>. Defaults to ‘#f’.

dovecot-configuration parameter: file-name auth-winbind-helper-path

Path for Samba’s ‘ntlm-auth’ helper binary. Defaults to ‘"/usr/bin/ntlm_auth"’.

dovecot-configuration parameter: string auth-failure-delay

Time to delay before replying to failed authentications. Defaults to ‘"2 secs"’.

dovecot-configuration parameter: boolean auth-ssl-require-client-cert?

Require a valid SSL client certificate or the authentication fails. Defaults to ‘#f’.

dovecot-configuration parameter: boolean auth-ssl-username-from-cert?

Take the username from client’s SSL certificate, using X509_NAME_get_text_by_NID() which returns the subject’s DN’s CommonName. Defaults to ‘#f’.

dovecot-configuration parameter: space-separated-string-list auth-mechanisms

List of wanted authentication mechanisms. Supported mechanisms are: ‘plain’, ‘login’, ‘digest-md5’, ‘cram-md5’, ‘ntlm’, ‘rpa’, ‘apop’, ‘anonymous’, ‘gssapi’, ‘otp’, ‘skey’, and ‘gss-spnego’. NOTE: See also ‘disable-plaintext-auth’ setting.

dovecot-configuration parameter: space-separated-string-list director-servers

List of IPs or hostnames to all director servers, including ourself. Ports can be specified as ip:port. The default port is the same as what director service’s ‘inet-listener’ is using. Defaults to ‘()’.

dovecot-configuration parameter: space-separated-string-list director-mail-servers

List of IPs or hostnames to all backend mail servers. Ranges are allowed too, like 10.0.0.10-10.0.0.30. Defaults to ‘()’.

dovecot-configuration parameter: string director-user-expire

How long to redirect users to a specific server after it no longer has any connections. Defaults to ‘"15 min"’.

dovecot-configuration parameter: string director-username-hash

How the username is translated before being hashed. Useful values include %Ln if user can log in with or without @domain, %Ld if mailboxes are shared within domain. Defaults to ‘"%Lu"’.

dovecot-configuration parameter: string log-path

Log file to use for error messages. ‘syslog’ logs to syslog, ‘/dev/stderr’ logs to stderr. Defaults to ‘"syslog"’.

dovecot-configuration parameter: string info-log-path

Log file to use for informational messages. Defaults to ‘log-path’. Defaults to ‘""’.

dovecot-configuration parameter: string debug-log-path

Log file to use for debug messages. Defaults to ‘info-log-path’. Defaults to ‘""’.

dovecot-configuration parameter: string syslog-facility

Syslog facility to use if you’re logging to syslog. Usually if you don’t want to use ‘mail’, you’ll use local0..local7. Also other standard facilities are supported. Defaults to ‘"mail"’.

dovecot-configuration parameter: boolean auth-verbose?

Log unsuccessful authentication attempts and the reasons why they failed. Defaults to ‘#f’.

dovecot-configuration parameter: boolean auth-verbose-passwords?

In case of password mismatches, log the attempted password. Valid values are no, plain and sha1. sha1 can be useful for detecting brute force password attempts vs. user simply trying the same password over and over again. You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). Defaults to ‘#f’.

dovecot-configuration parameter: boolean auth-debug?

Even more verbose logging for debugging purposes. Shows for example SQL queries. Defaults to ‘#f’.

dovecot-configuration parameter: boolean auth-debug-passwords?

In case of password mismatches, log the passwords and used scheme so the problem can be debugged. Enabling this also enables ‘auth-debug’. Defaults to ‘#f’.

dovecot-configuration parameter: boolean mail-debug?

Enable mail process debugging. This can help you figure out why Dovecot isn’t finding your mails. Defaults to ‘#f’.

dovecot-configuration parameter: boolean verbose-ssl?

Show protocol level SSL errors. Defaults to ‘#f’.

dovecot-configuration parameter: string log-timestamp

Prefix for each line written to log file. % codes are in strftime(3) format. Defaults to ‘"\"%b %d %H:%M:%S \""’.

dovecot-configuration parameter: space-separated-string-list login-log-format-elements

List of elements we want to log. The elements which have a non-empty variable value are joined together to form a comma-separated string.

dovecot-configuration parameter: string login-log-format

Login log format. %s contains ‘login-log-format-elements’ string, %$ contains the data we want to log. Defaults to ‘"%$: %s"’.

dovecot-configuration parameter: string mail-log-prefix

Log prefix for mail processes. See doc/wiki/Variables.txt for list of possible variables you can use. Defaults to ‘"\"%s(%u)<%{pid}><%{session}>: \""’.

dovecot-configuration parameter: string deliver-log-format

Format to use for logging mail deliveries. You can use variables:

%$

Delivery status message (e.g. ‘saved to INBOX’)

%m

Message-ID

%s

Subject

%f

From address

%p

Physical size

%w

Virtual size.

Defaults to ‘"msgid=%m: %$"’.

dovecot-configuration parameter: string mail-location

Location for users’ mailboxes. The default is empty, which means that Dovecot tries to find the mailboxes automatically. This won’t work if the user doesn’t yet have any mail, so you should explicitly tell Dovecot the full location.

If you’re using mbox, giving a path to the INBOX file (e.g. /var/mail/%u) isn’t enough. You’ll also need to tell Dovecot where the other mailboxes are kept. This is called the "root mail directory", and it must be the first path given in the ‘mail-location’ setting.

There are a few special variables you can use, eg.:

%u

username

%n

user part in user@domain, same as %u if there’s no domain

%d

domain part in user@domain, empty if there’s no domain

%h

home director

See doc/wiki/Variables.txt for full list. Some examples:

maildir:~/Maildir
mbox:~/mail:INBOX=/var/mail/%u
mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%

Defaults to ‘""’.

dovecot-configuration parameter: string mail-uid

System user and group used to access mails. If you use multiple, userdb can override these by returning uid or gid fields. You can use either numbers or names. <doc/wiki/UserIds.txt>. Defaults to ‘""’.

dovecot-configuration parameter: string mail-gid

Defaults to ‘""’.

dovecot-configuration parameter: string mail-privileged-group

Group to enable temporarily for privileged operations. Currently this is used only with INBOX when either its initial creation or dotlocking fails. Typically this is set to "mail" to give access to /var/mail. Defaults to ‘""’.

dovecot-configuration parameter: string mail-access-groups

Grant access to these supplementary groups for mail processes. Typically these are used to set up access to shared mailboxes. Note that it may be dangerous to set these if users can create symlinks (e.g. if "mail" group is set here, ln -s /var/mail ~/mail/var could allow a user to delete others’ mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). Defaults to ‘""’.

dovecot-configuration parameter: boolean mail-full-filesystem-access?

Allow full file system access to clients. There’s no access checks other than what the operating system does for the active UID/GID. It works with both maildir and mboxes, allowing you to prefix mailboxes names with e.g. /path/ or ~user/. Defaults to ‘#f’.

dovecot-configuration parameter: boolean mmap-disable?

Don’t use mmap() at all. This is required if you store indexes to shared file systems (NFS or clustered file system). Defaults to ‘#f’.

dovecot-configuration parameter: boolean dotlock-use-excl?

Rely on ‘O_EXCL’ to work when creating dotlock files. NFS supports ‘O_EXCL’ since version 3, so this should be safe to use nowadays by default. Defaults to ‘#t’.

dovecot-configuration parameter: string mail-fsync

When to use fsync() or fdatasync() calls:

optimized

Whenever necessary to avoid losing important data

always

Useful with e.g. NFS when write()s are delayed

never

Never use it (best performance, but crashes can lose data).

Defaults to ‘"optimized"’.

dovecot-configuration parameter: boolean mail-nfs-storage?

Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches whenever needed. If you’re using only a single mail server this isn’t needed. Defaults to ‘#f’.

dovecot-configuration parameter: boolean mail-nfs-index?

Mail index files also exist in NFS. Setting this to yes requires ‘mmap-disable? #t’ and ‘fsync-disable? #f’. Defaults to ‘#f’.

dovecot-configuration parameter: string lock-method

Locking method for index files. Alternatives are fcntl, flock and dotlock. Dotlocking uses some tricks which may create more disk I/O than other locking methods. NFS users: flock doesn’t work, remember to change ‘mmap-disable’. Defaults to ‘"fcntl"’.

dovecot-configuration parameter: file-name mail-temp-dir

Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. Defaults to ‘"/tmp"’.

dovecot-configuration parameter: non-negative-integer first-valid-uid

Valid UID range for users. This is mostly to make sure that users can’t log in as daemons or other system users. Note that denying root logins is hardcoded to dovecot binary and can’t be done even if ‘first-valid-uid’ is set to 0. Defaults to ‘500’.

dovecot-configuration parameter: non-negative-integer last-valid-uid

Defaults to ‘0’.

dovecot-configuration parameter: non-negative-integer first-valid-gid

Valid GID range for users. Users having non-valid GID as primary group ID aren’t allowed to log in. If user belongs to supplementary groups with non-valid GIDs, those groups are not set. Defaults to ‘1’.

dovecot-configuration parameter: non-negative-integer last-valid-gid

Defaults to ‘0’.

dovecot-configuration parameter: non-negative-integer mail-max-keyword-length

Maximum allowed length for mail keyword name. It’s only forced when trying to create new keywords. Defaults to ‘50’.

dovecot-configuration parameter: colon-separated-file-name-list valid-chroot-dirs

List of directories under which chrooting is allowed for mail processes (i.e. /var/mail will allow chrooting to /var/mail/foo/bar too). This setting doesn’t affect ‘login-chroot’ ‘mail-chroot’ or auth chroot settings. If this setting is empty, "/./" in home dirs are ignored. WARNING: Never add directories here which local users can modify, that may lead to root exploit. Usually this should be done only if you don’t allow shell access for users. <doc/wiki/Chrooting.txt>. Defaults to ‘()’.

dovecot-configuration parameter: string mail-chroot

Default chroot directory for mail processes. This can be overridden for specific users in user database by giving /./ in user’s home directory (e.g. /home/./user chroots into /home). Note that usually there is no real need to do chrooting, Dovecot doesn’t allow users to access files outside their mail directory anyway. If your home directories are prefixed with the chroot directory, append "/." to ‘mail-chroot’. <doc/wiki/Chrooting.txt>. Defaults to ‘""’.

dovecot-configuration parameter: file-name auth-socket-path

UNIX socket path to master authentication server to find users. This is used by imap (for shared users) and lda. Defaults to ‘"/var/run/dovecot/auth-userdb"’.

dovecot-configuration parameter: file-name mail-plugin-dir

Directory where to look up mail plugins. Defaults to ‘"/usr/lib/dovecot"’.

dovecot-configuration parameter: space-separated-string-list mail-plugins

List of plugins to load for all services. Plugins specific to IMAP, LDA, etc. are added to this list in their own .conf files. Defaults to ‘()’.

dovecot-configuration parameter: non-negative-integer mail-cache-min-mail-count

The minimum number of mails in a mailbox before updates are done to cache file. This allows optimizing Dovecot’s behavior to do less disk writes at the cost of more disk reads. Defaults to ‘0’.

dovecot-configuration parameter: string mailbox-idle-check-interval

When IDLE command is running, mailbox is checked once in a while to see if there are any new mails or other changes. This setting defines the minimum time to wait between those checks. Dovecot can also use dnotify, inotify and kqueue to find out immediately when changes occur. Defaults to ‘"30 secs"’.

dovecot-configuration parameter: boolean mail-save-crlf?

Save mails with CR+LF instead of plain LF. This makes sending those mails take less CPU, especially with sendfile() syscall with Linux and FreeBSD. But it also creates a bit more disk I/O which may just make it slower. Also note that if other software reads the mboxes/maildirs, they may handle the extra CRs wrong and cause problems. Defaults to ‘#f’.

dovecot-configuration parameter: boolean maildir-stat-dirs?

By default LIST command returns all entries in maildir beginning with a dot. Enabling this option makes Dovecot return only entries which are directories. This is done by stat()ing each entry, so it causes more disk I/O. (For systems setting struct ‘dirent->d_type’ this check is free and it’s done always regardless of this setting). Defaults to ‘#f’.

dovecot-configuration parameter: boolean maildir-copy-with-hardlinks?

When copying a message, do it with hard links whenever possible. This makes the performance much better, and it’s unlikely to have any side effects. Defaults to ‘#t’.

dovecot-configuration parameter: boolean maildir-very-dirty-syncs?

Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only when its mtime changes unexpectedly or when we can’t find the mail otherwise. Defaults to ‘#f’.

dovecot-configuration parameter: space-separated-string-list mbox-read-locks

Which locking methods to use for locking mbox. There are four available:

dotlock

Create <mailbox>.lock file. This is the oldest and most NFS-safe solution. If you want to use /var/mail/ like directory, the users will need write access to that directory.

dotlock-try

Same as dotlock, but if it fails because of permissions or because there isn’t enough disk space, just skip it.

fcntl

Use this if possible. Works with NFS too if lockd is used.

flock

May not exist in all systems. Doesn’t work with NFS.

lockf

May not exist in all systems. Doesn’t work with NFS.

You can use multiple locking methods; if you do the order they’re declared in is important to avoid deadlocks if other MTAs/MUAs are using multiple locking methods as well. Some operating systems don’t allow using some of them simultaneously.

dovecot-configuration parameter: space-separated-string-list mbox-write-locks
dovecot-configuration parameter: string mbox-lock-timeout

Maximum time to wait for lock (all of them) before aborting. Defaults to ‘"5 mins"’.

dovecot-configuration parameter: string mbox-dotlock-change-timeout

If dotlock exists but the mailbox isn’t modified in any way, override the lock file after this much time. Defaults to ‘"2 mins"’.

dovecot-configuration parameter: boolean mbox-dirty-syncs?

When mbox changes unexpectedly we have to fully read it to find out what changed. If the mbox is large this can take a long time. Since the change is usually just a newly appended mail, it’d be faster to simply read the new mails. If this setting is enabled, Dovecot does this but still safely fallbacks to re-reading the whole mbox file whenever something in mbox isn’t how it’s expected to be. The only real downside to this setting is that if some other MUA changes message flags, Dovecot doesn’t notice it immediately. Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK commands. Defaults to ‘#t’.

dovecot-configuration parameter: boolean mbox-very-dirty-syncs?

Like ‘mbox-dirty-syncs’, but don’t do full syncs even with SELECT, EXAMINE, EXPUNGE or CHECK commands. If this is set, ‘mbox-dirty-syncs’ is ignored. Defaults to ‘#f’.

dovecot-configuration parameter: boolean mbox-lazy-writes?

Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK commands and when closing the mailbox). This is especially useful for POP3 where clients often delete all mails. The downside is that our changes aren’t immediately visible to other MUAs. Defaults to ‘#t’.

dovecot-configuration parameter: non-negative-integer mbox-min-index-size

If mbox size is smaller than this (e.g. 100k), don’t write index files. If an index file already exists it’s still read, just not updated. Defaults to ‘0’.

dovecot-configuration parameter: non-negative-integer mdbox-rotate-size

Maximum dbox file size until it’s rotated. Defaults to ‘10000000’.

dovecot-configuration parameter: string mdbox-rotate-interval

Maximum dbox file age until it’s rotated. Typically in days. Day begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. Defaults to ‘"1d"’.

dovecot-configuration parameter: boolean mdbox-preallocate-space?

When creating new mdbox files, immediately preallocate their size to ‘mdbox-rotate-size’. This setting currently works only in Linux with some file systems (ext4, xfs). Defaults to ‘#f’.

dovecot-configuration parameter: string mail-attachment-dir

sdbox and mdbox support saving mail attachments to external files, which also allows single instance storage for them. Other backends don’t support this for now.

WARNING: This feature hasn’t been tested much yet. Use at your own risk.

Directory root where to store mail attachments. Disabled, if empty. Defaults to ‘""’.

dovecot-configuration parameter: non-negative-integer mail-attachment-min-size

Attachments smaller than this aren’t saved externally. It’s also possible to write a plugin to disable saving specific attachments externally. Defaults to ‘128000’.

dovecot-configuration parameter: string mail-attachment-fs

File system backend to use for saving attachments:

posix

No SiS done by Dovecot (but this might help FS’s own deduplication)

sis posix

SiS with immediate byte-by-byte comparison during saving

sis-queue posix

SiS with delayed comparison and deduplication.

Defaults to ‘"sis posix"’.

dovecot-configuration parameter: string mail-attachment-hash

Hash format to use in attachment filenames. You can add any text and variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits. Defaults to ‘"%{sha1}"’.

dovecot-configuration parameter: non-negative-integer default-process-limit

Defaults to ‘100’.

dovecot-configuration parameter: non-negative-integer default-client-limit

Defaults to ‘1000’.

dovecot-configuration parameter: non-negative-integer default-vsz-limit

Default VSZ (virtual memory size) limit for service processes. This is mainly intended to catch and kill processes that leak memory before they eat up everything. Defaults to ‘256000000’.

dovecot-configuration parameter: string default-login-user

Login user is internally used by login processes. This is the most untrusted user in Dovecot system. It shouldn’t have access to anything at all. Defaults to ‘"dovenull"’.

dovecot-configuration parameter: string default-internal-user

Internal user is used by unprivileged processes. It should be separate from login user, so that login processes can’t disturb other processes. Defaults to ‘"dovecot"’.

dovecot-configuration parameter: string ssl?

SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>. Defaults to ‘"required"’.

dovecot-configuration parameter: string ssl-cert

PEM encoded X.509 SSL/TLS certificate (public key). Defaults to ‘"</etc/dovecot/default.pem"’.

dovecot-configuration parameter: string ssl-key

PEM encoded SSL/TLS private key. The key is opened before dropping root privileges, so keep the key file unreadable by anyone but root. Defaults to ‘"</etc/dovecot/private/default.pem"’.

dovecot-configuration parameter: string ssl-key-password

If key file is password protected, give the password here. Alternatively give it when starting dovecot with -p parameter. Since this file is often world-readable, you may want to place this setting instead to a different. Defaults to ‘""’.

dovecot-configuration parameter: string ssl-ca

PEM encoded trusted certificate authority. Set this only if you intend to use ‘ssl-verify-client-cert? #t’. The file should contain the CA certificate(s) followed by the matching CRL(s). (e.g. ‘ssl-ca </etc/ssl/certs/ca.pem’). Defaults to ‘""’.

dovecot-configuration parameter: boolean ssl-require-crl?

Require that CRL check succeeds for client certificates. Defaults to ‘#t’.

dovecot-configuration parameter: boolean ssl-verify-client-cert?

Request client to send a certificate. If you also want to require it, set ‘auth-ssl-require-client-cert? #t’ in auth section. Defaults to ‘#f’.

dovecot-configuration parameter: string ssl-cert-username-field

Which field from certificate to use for username. commonName and x500UniqueIdentifier are the usual choices. You’ll also need to set ‘auth-ssl-username-from-cert? #t’. Defaults to ‘"commonName"’.

dovecot-configuration parameter: string ssl-min-protocol

Minimum SSL protocol version to accept. Defaults to ‘"TLSv1"’.

dovecot-configuration parameter: string ssl-cipher-list

SSL ciphers to use. Defaults to ‘"ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"’.

dovecot-configuration parameter: string ssl-crypto-device

SSL crypto device to use, for valid values run "openssl engine". Defaults to ‘""’.

dovecot-configuration parameter: string postmaster-address

Address to use when sending rejection mails. %d expands to recipient domain. Defaults to ‘"postmaster@%d"’.

dovecot-configuration parameter: string hostname

Hostname to use in various parts of sent mails (e.g. in Message-Id) and in LMTP replies. Default is the system’s real hostname@domain. Defaults to ‘""’.

dovecot-configuration parameter: boolean quota-full-tempfail?

If user is over quota, return with temporary failure instead of bouncing the mail. Defaults to ‘#f’.

dovecot-configuration parameter: file-name sendmail-path

Binary to use for sending mails. Defaults to ‘"/usr/sbin/sendmail"’.

dovecot-configuration parameter: string submission-host

If non-empty, send mails via this SMTP host[:port] instead of sendmail. Defaults to ‘""’.

dovecot-configuration parameter: string rejection-subject

Subject: header to use for rejection mails. You can use the same variables as for ‘rejection-reason’ below. Defaults to ‘"Rejected: %s"’.

dovecot-configuration parameter: string rejection-reason

Human readable error message for rejection mails. You can use variables:

%n

CRLF

%r

reason

%s

original subject

%t

recipient

Defaults to ‘"Your message to <%t> was automatically rejected:%n%r"’.

dovecot-configuration parameter: string recipient-delimiter

Delimiter character between local-part and detail in email address. Defaults to ‘"+"’.

dovecot-configuration parameter: string lda-original-recipient-header

Header where the original recipient address (SMTP’s RCPT TO: address) is taken from if not available elsewhere. With dovecot-lda -a parameter overrides this. A commonly used header for this is X-Original-To. Defaults to ‘""’.

dovecot-configuration parameter: boolean lda-mailbox-autocreate?

Should saving a mail to a nonexistent mailbox automatically create it?. Defaults to ‘#f’.

dovecot-configuration parameter: boolean lda-mailbox-autosubscribe?

Should automatically created mailboxes be also automatically subscribed?. Defaults to ‘#f’.

dovecot-configuration parameter: non-negative-integer imap-max-line-length

Maximum IMAP command line length. Some clients generate very long command lines with huge mailboxes, so you may need to raise this if you get "Too long argument" or "IMAP command line too large" errors often. Defaults to ‘64000’.

dovecot-configuration parameter: string imap-logout-format

IMAP logout format string:

%i

total number of bytes read from client

%o

total number of bytes sent to client.

See doc/wiki/Variables.txt for a list of all the variables you can use. Defaults to ‘"in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}"’.

dovecot-configuration parameter: string imap-capability

Override the IMAP CAPABILITY response. If the value begins with ’+’, add the given capabilities on top of the defaults (e.g. +XFOO XBAR). Defaults to ‘""’.

dovecot-configuration parameter: string imap-idle-notify-interval

How long to wait between "OK Still here" notifications when client is IDLEing. Defaults to ‘"2 mins"’.

dovecot-configuration parameter: string imap-id-send

ID field names and values to send to clients. Using * as the value makes Dovecot use the default value. The following fields have default values currently: name, version, os, os-version, support-url, support-email. Defaults to ‘""’.

dovecot-configuration parameter: string imap-id-log

ID fields sent by client to log. * means everything. Defaults to ‘""’.

dovecot-configuration parameter: space-separated-string-list imap-client-workarounds

Workarounds for various client bugs:

delay-newmail

Send EXISTS/RECENT new mail notifications only when replying to NOOP and CHECK commands. Some clients ignore them otherwise, for example OSX Mail (<v2.1). Outlook Express breaks more badly though, without this it may show user "Message no longer in server" errors. Note that OE6 still breaks even with this workaround if synchronization is set to "Headers Only".

tb-extra-mailbox-sep

Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and adds extra ‘/’ suffixes to mailbox names. This option causes Dovecot to ignore the extra ‘/’ instead of treating it as invalid mailbox name.

tb-lsub-flags

Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). This makes Thunderbird realize they aren’t selectable and show them greyed out, instead of only later giving "not selectable" popup error.

Defaults to ‘()’.

dovecot-configuration parameter: string imap-urlauth-host

Host allowed in URLAUTH URLs sent by client. "*" allows all. Defaults to ‘""’.

Whew! Lots of configuration options. The nice thing about it though is that GuixSD has a complete interface to Dovecot’s configuration language. This allows not only a nice way to declare configurations, but also offers reflective capabilities as well: users can write code to inspect and transform configurations from within Scheme.

However, it could be that you just want to get a dovecot.conf up and running. In that case, you can pass an opaque-dovecot-configuration as the #:config parameter to dovecot-service. As its name indicates, an opaque configuration does not have easy reflective capabilities.

Available opaque-dovecot-configuration fields are:

opaque-dovecot-configuration parameter: package dovecot

The dovecot package.

opaque-dovecot-configuration parameter: string string

The contents of the dovecot.conf, as a string.

For example, if your dovecot.conf is just the empty string, you could instantiate a dovecot service like this:

(dovecot-service #:config
                 (opaque-dovecot-configuration
                  (string "")))

OpenSMTPD Service

Scheme Variable: opensmtpd-service-type

This is the type of the OpenSMTPD service, whose value should be an opensmtpd-configuration object as in this example:

(service opensmtpd-service-type
         (opensmtpd-configuration
           (config-file (local-file "./my-smtpd.conf"))))
Data Type: opensmtpd-configuration

Data type representing the configuration of opensmtpd.

package (default: opensmtpd)

Package object of the OpenSMTPD SMTP server.

config-file (default: %default-opensmtpd-file)

File-like object of the OpenSMTPD configuration file to use. By default it listens on the loopback network interface, and allows for mail from users and daemons on the local machine, as well as permitting email to remote servers. Run man smtpd.conf for more information.

Exim Service

Scheme Variable: exim-service-type

This is the type of the Exim mail transfer agent (MTA), whose value should be an exim-configuration object as in this example:

(service exim-service-type
         (exim-configuration
           (config-file (local-file "./my-exim.conf"))))

In order to use an exim-service-type service you must also have a mail-aliases-service-type service present in your operating-system (even if it has no aliases).

Data Type: exim-configuration

Data type representing the configuration of exim.

package (default: exim)

Package object of the Exim server.

config-file (default: #f)

File-like object of the Exim configuration file to use. If its value is #f then use the default configuration file from the package provided in package. The resulting configuration file is loaded after setting the exim_user and exim_group configuration variables.

Mail Aliases Service

Scheme Variable: mail-aliases-service-type

This is the type of the service which provides /etc/aliases, specifying how to deliver mail to users on this system.

(service mail-aliases-service-type
         '(("postmaster" "bob")
           ("bob" "bob@example.com" "bob@example2.com")))

The configuration for a mail-aliases-service-type service is an association list denoting how to deliver mail that comes to this system. Each entry is of the form (alias addresses ...), with alias specifying the local alias and addresses specifying where to deliver this user’s mail.

The aliases aren’t required to exist as users on the local system. In the above example, there doesn’t need to be a postmaster entry in the operating-system’s user-accounts in order to deliver the postmaster mail to bob (which subsequently would deliver mail to bob@example.com and bob@example2.com).


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.11 Messaging Services

The (gnu services messaging) module provides Guix service definitions for messaging services: currently only Prosody is supported.

Prosody Service

Scheme Variable: prosody-service-type

This is the type for the Prosody XMPP communication server. Its value must be a prosody-configuration record as in this example:

(service prosody-service-type
         (prosody-configuration
          (modules-enabled (cons "groups" "mam" %default-modules-enabled))
          (int-components
           (list
            (int-component-configuration
             (hostname "conference.example.net")
             (plugin "muc")
             (mod-muc (mod-muc-configuration)))))
          (virtualhosts
           (list
            (virtualhost-configuration
             (domain "example.net"))))))

See below for details about prosody-configuration.

By default, Prosody does not need much configuration. Only one virtualhosts field is needed: it specifies the domain you wish Prosody to serve.

You can perform various sanity checks on the generated configuration with the prosodyctl check command.

Prosodyctl will also help you to import certificates from the letsencrypt directory so that the prosody user can access them. See https://prosody.im/doc/letsencrypt.

prosodyctl --root cert import /etc/letsencrypt/live

The available configuration parameters follow. Each parameter definition is preceded by its type; for example, ‘string-list foo’ indicates that the foo parameter should be specified as a list of strings. Types starting with maybe- denote parameters that won’t show up in prosody.cfg.lua when their value is 'disabled.

There is also a way to specify the configuration as a string, if you have an old prosody.cfg.lua file that you want to port over from some other system; see the end for more details.

The file-object type designates either a file-like object (see file-like objects) or a file name.

Available prosody-configuration fields are:

prosody-configuration parameter: package prosody

The Prosody package.

prosody-configuration parameter: file-name data-path

Location of the Prosody data storage directory. See https://prosody.im/doc/configure. Defaults to ‘"/var/lib/prosody"’.

prosody-configuration parameter: file-object-list plugin-paths

Additional plugin directories. They are searched in all the specified paths in order. See https://prosody.im/doc/plugins_directory. Defaults to ‘()’.

prosody-configuration parameter: file-name certificates

Every virtual host and component needs a certificate so that clients and servers can securely verify its identity. Prosody will automatically load certificates/keys from the directory specified here. Defaults to ‘"/etc/prosody/certs"’.

prosody-configuration parameter: string-list admins

This is a list of accounts that are admins for the server. Note that you must create the accounts separately. See https://prosody.im/doc/admins and https://prosody.im/doc/creating_accounts. Example: (admins '("user1@example.com" "user2@example.net")) Defaults to ‘()’.

prosody-configuration parameter: boolean use-libevent?

Enable use of libevent for better performance under high load. See https://prosody.im/doc/libevent. Defaults to ‘#f’.

prosody-configuration parameter: module-list modules-enabled

This is the list of modules Prosody will load on startup. It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. Documentation on modules can be found at: https://prosody.im/doc/modules. Defaults to ‘("roster" "saslauth" "tls" "dialback" "disco" "carbons" "private" "blocklist" "vcard" "version" "uptime" "time" "ping" "pep" "register" "admin_adhoc")’.

prosody-configuration parameter: string-list modules-disabled

"offline"’, ‘"c2s"’ and ‘"s2s"’ are auto-loaded, but should you want to disable them then add them to this list. Defaults to ‘()’.

prosody-configuration parameter: file-object groups-file

Path to a text file where the shared groups are defined. If this path is empty then ‘mod_groups’ does nothing. See https://prosody.im/doc/modules/mod_groups. Defaults to ‘"/var/lib/prosody/sharedgroups.txt"’.

prosody-configuration parameter: boolean allow-registration?

Disable account creation by default, for security. See https://prosody.im/doc/creating_accounts. Defaults to ‘#f’.

prosody-configuration parameter: maybe-ssl-configuration ssl

These are the SSL/TLS-related settings. Most of them are disabled so to use Prosody’s defaults. If you do not completely understand these options, do not add them to your config, it is easy to lower the security of your server using them. See https://prosody.im/doc/advanced_ssl_config.

Available ssl-configuration fields are:

ssl-configuration parameter: maybe-string protocol

This determines what handshake to use.

ssl-configuration parameter: maybe-file-name key

Path to your private key file.

ssl-configuration parameter: maybe-file-name certificate

Path to your certificate file.

ssl-configuration parameter: file-object capath

Path to directory containing root certificates that you wish Prosody to trust when verifying the certificates of remote servers. Defaults to ‘"/etc/ssl/certs"’.

ssl-configuration parameter: maybe-file-object cafile

Path to a file containing root certificates that you wish Prosody to trust. Similar to capath but with all certificates concatenated together.

ssl-configuration parameter: maybe-string-list verify

A list of verification options (these mostly map to OpenSSL’s set_verify() flags).

ssl-configuration parameter: maybe-string-list options

A list of general options relating to SSL/TLS. These map to OpenSSL’s set_options(). For a full list of options available in LuaSec, see the LuaSec source.

ssl-configuration parameter: maybe-non-negative-integer depth

How long a chain of certificate authorities to check when looking for a trusted root certificate.

ssl-configuration parameter: maybe-string ciphers

An OpenSSL cipher string. This selects what ciphers Prosody will offer to clients, and in what order.

ssl-configuration parameter: maybe-file-name dhparam

A path to a file containing parameters for Diffie-Hellman key exchange. You can create such a file with: openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048

ssl-configuration parameter: maybe-string curve

Curve for Elliptic curve Diffie-Hellman. Prosody’s default is ‘"secp384r1"’.

ssl-configuration parameter: maybe-string-list verifyext

A list of "extra" verification options.

ssl-configuration parameter: maybe-string password

Password for encrypted private keys.

prosody-configuration parameter: boolean c2s-require-encryption?

Whether to force all client-to-server connections to be encrypted or not. See https://prosody.im/doc/modules/mod_tls. Defaults to ‘#f’.

prosody-configuration parameter: string-list disable-sasl-mechanisms

Set of mechanisms that will never be offered. See https://prosody.im/doc/modules/mod_saslauth. Defaults to ‘("DIGEST-MD5")’.

prosody-configuration parameter: boolean s2s-require-encryption?

Whether to force all server-to-server connections to be encrypted or not. See https://prosody.im/doc/modules/mod_tls. Defaults to ‘#f’.

prosody-configuration parameter: boolean s2s-secure-auth?

Whether to require encryption and certificate authentication. This provides ideal security, but requires servers you communicate with to support encryption AND present valid, trusted certificates. See https://prosody.im/doc/s2s#security. Defaults to ‘#f’.

prosody-configuration parameter: string-list s2s-insecure-domains

Many servers don’t support encryption or have invalid or self-signed certificates. You can list domains here that will not be required to authenticate using certificates. They will be authenticated using DNS. See https://prosody.im/doc/s2s#security. Defaults to ‘()’.

prosody-configuration parameter: string-list s2s-secure-domains

Even if you leave s2s-secure-auth? disabled, you can still require valid certificates for some domains by specifying a list here. See https://prosody.im/doc/s2s#security. Defaults to ‘()’.

prosody-configuration parameter: string authentication

Select the authentication backend to use. The default provider stores passwords in plaintext and uses Prosody’s configured data storage to store the authentication data. If you do not trust your server please see https://prosody.im/doc/modules/mod_auth_internal_hashed for information about using the hashed backend. See also https://prosody.im/doc/authentication Defaults to ‘"internal_plain"’.

prosody-configuration parameter: maybe-string log

Set logging options. Advanced logging configuration is not yet supported by the GuixSD Prosody Service. See https://prosody.im/doc/logging. Defaults to ‘"*syslog"’.

prosody-configuration parameter: file-name pidfile

File to write pid in. See https://prosody.im/doc/modules/mod_posix. Defaults to ‘"/var/run/prosody/prosody.pid"’.

prosody-configuration parameter: maybe-non-negative-integer http-max-content-size

Maximum allowed size of the HTTP body (in bytes).

prosody-configuration parameter: maybe-string http-external-url

Some modules expose their own URL in various ways. This URL is built from the protocol, host and port used. If Prosody sits behind a proxy, the public URL will be http-external-url instead. See https://prosody.im/doc/http#external_url.

prosody-configuration parameter: virtualhost-configuration-list virtualhosts

A host in Prosody is a domain on which user accounts can be created. For example if you want your users to have addresses like ‘"john.smith@example.com"’ then you need to add a host ‘"example.com"’. All options in this list will apply only to this host.

Note: the name "virtual" host is used in configuration to avoid confusion with the actual physical host that Prosody is installed on. A single Prosody instance can serve many domains, each one defined as a VirtualHost entry in Prosody’s configuration. Conversely a server that hosts a single domain would have just one VirtualHost entry.

See https://prosody.im/doc/configure#virtual_host_settings.

Available virtualhost-configuration fields are:

all these prosody-configuration fields: admins, use-libevent?, modules-enabled, modules-disabled, groups-file, allow-registration?, ssl, c2s-require-encryption?, disable-sasl-mechanisms, s2s-require-encryption?, s2s-secure-auth?, s2s-insecure-domains, s2s-secure-domains, authentication, log, http-max-content-size, http-external-url, raw-content, plus:

virtualhost-configuration parameter: string domain

Domain you wish Prosody to serve.

prosody-configuration parameter: int-component-configuration-list int-components

Components are extra services on a server which are available to clients, usually on a subdomain of the main server (such as ‘"mycomponent.example.com"’). Example components might be chatroom servers, user directories, or gateways to other protocols.

Internal components are implemented with Prosody-specific plugins. To add an internal component, you simply fill the hostname field, and the plugin you wish to use for the component.

See https://prosody.im/doc/components. Defaults to ‘()’.

Available int-component-configuration fields are:

all these prosody-configuration fields: admins, use-libevent?, modules-enabled, modules-disabled, groups-file, allow-registration?, ssl, c2s-require-encryption?, disable-sasl-mechanisms, s2s-require-encryption?, s2s-secure-auth?, s2s-insecure-domains, s2s-secure-domains, authentication, log, http-max-content-size, http-external-url, raw-content, plus:

int-component-configuration parameter: string hostname

Hostname of the component.

int-component-configuration parameter: string plugin

Plugin you wish to use for the component.

int-component-configuration parameter: maybe-mod-muc-configuration mod-muc

Multi-user chat (MUC) is Prosody’s module for allowing you to create hosted chatrooms/conferences for XMPP users.

General information on setting up and using multi-user chatrooms can be found in the "Chatrooms" documentation (https://prosody.im/doc/chatrooms), which you should read if you are new to XMPP chatrooms.

See also https://prosody.im/doc/modules/mod_muc.

Available mod-muc-configuration fields are:

mod-muc-configuration parameter: string name

The name to return in service discovery responses. Defaults to ‘"Prosody Chatrooms"’.

mod-muc-configuration parameter: string-or-boolean restrict-room-creation

If ‘#t’, this will only allow admins to create new chatrooms. Otherwise anyone can create a room. The value ‘"local"’ restricts room creation to users on the service’s parent domain. E.g. ‘user@example.com’ can create rooms on ‘rooms.example.com’. The value ‘"admin"’ restricts to service administrators only. Defaults to ‘#f’.

mod-muc-configuration parameter: non-negative-integer max-history-messages

Maximum number of history messages that will be sent to the member that has just joined the room. Defaults to ‘20’.

prosody-configuration parameter: ext-component-configuration-list ext-components

External components use XEP-0114, which most standalone components support. To add an external component, you simply fill the hostname field. See https://prosody.im/doc/components. Defaults to ‘()’.

Available ext-component-configuration fields are:

all these prosody-configuration fields: admins, use-libevent?, modules-enabled, modules-disabled, groups-file, allow-registration?, ssl, c2s-require-encryption?, disable-sasl-mechanisms, s2s-require-encryption?, s2s-secure-auth?, s2s-insecure-domains, s2s-secure-domains, authentication, log, http-max-content-size, http-external-url, raw-content, plus:

ext-component-configuration parameter: string component-secret

Password which the component will use to log in.

ext-component-configuration parameter: string hostname

Hostname of the component.

prosody-configuration parameter: non-negative-integer-list component-ports

Port(s) Prosody listens on for component connections. Defaults to ‘(5347)’.

prosody-configuration parameter: string component-interface

Interface Prosody listens on for component connections. Defaults to ‘"127.0.0.1"’.

prosody-configuration parameter: maybe-raw-content raw-content

Raw content that will be added to the configuration file.

It could be that you just want to get a prosody.cfg.lua up and running. In that case, you can pass an opaque-prosody-configuration record as the value of prosody-service-type. As its name indicates, an opaque configuration does not have easy reflective capabilities. Available opaque-prosody-configuration fields are:

opaque-prosody-configuration parameter: package prosody

The prosody package.

opaque-prosody-configuration parameter: string prosody.cfg.lua

The contents of the prosody.cfg.lua to use.

For example, if your prosody.cfg.lua is just the empty string, you could instantiate a prosody service like this:

(service prosody-service-type
         (opaque-prosody-configuration
          (prosody.cfg.lua "")))

BitlBee Service

BitlBee is a gateway that provides an IRC interface to a variety of messaging protocols such as XMPP.

Scheme Variable: bitlbee-service-type

This is the service type for the BitlBee IRC gateway daemon. Its value is a bitlbee-configuration (see below).

To have BitlBee listen on port 6667 on localhost, add this line to your services:

(service bitlbee-service-type)
Data Type: bitlbee-configuration

This is the configuration for BitlBee, with the following fields:

interface (default: "127.0.0.1")
port (default: 6667)

Listen on the network interface corresponding to the IP address specified in interface, on port.

When interface is 127.0.0.1, only local clients can connect; when it is 0.0.0.0, connections can come from any networking interface.

package (default: bitlbee)

The BitlBee package to use.

plugins (default: '())

List of plugin packages to use—e.g., bitlbee-discord.

extra-settings (default: "")

Configuration snippet added as-is to the BitlBee configuration file.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.12 Telephony Services

This section describes how to set up and run a Murmur server. Murmur is the server of the Mumble voice-over-IP (VoIP) suite.

Data Type: murmur-configuration

The service type for the Murmur server. An example configuration can look like this:

(service murmur-service-type
         (murmur-configuration
          (welcome-text
            "Welcome to this Mumble server running on GuixSD!")
          (cert-required? #t) ;disallow text password logins
          (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
          (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))

After reconfiguring your system, you can manually set the murmur SuperUser password with the command that is printed during the activation phase.

It is recommended to register a normal Mumble user account and grant it admin or moderator rights. You can use the mumble client to login as new normal user, register yourself, and log out. For the next step login with the name SuperUser use the SuperUser password that you set previously, and grant your newly registered mumble user administrator or moderator rights and create some channels.

Available murmur-configuration fields are:

package (default: mumble)

Package that contains bin/murmurd.

user (default: "murmur")

User who will run the Murmur server.

group (default: "murmur")

Group of the user who will run the murmur server.

port (default: 64738)

Port on which the server will listen.

welcome-text (default: "")

Welcome text sent to clients when they connect.

server-password (default: "")

Password the clients have to enter in order to connect.

max-users (default: 100)

Maximum of users that can be connected to the server at once.

max-user-bandwidth (default: #f)

Maximum voice traffic a user can send per second.

database-file (default: "/var/lib/murmur/db.sqlite")

File name of the sqlite database. The service’s user will become the owner of the directory.

log-file (default: "/var/log/murmur/murmur.log")

File name of the log file. The service’s user will become the owner of the directory.

autoban-attempts (default: 10)

Maximum number of logins a user can make in autoban-timeframe without getting auto banned for autoban-time.

autoban-timeframe (default: 120)

Timeframe for autoban in seconds.

autoban-time (default: 300)

Amount of time in seconds for which a client gets banned when violating the autoban limits.

opus-threshold (default: 100)

Percentage of clients that need to support opus before switching over to opus audio codec.

channel-nesting-limit (default: 10)

How deep channels can be nested at maximum.

channelname-regex (default: #f)

A string in from of a Qt regular expression that channel names must conform to.

username-regex (default: #f)

A string in from of a Qt regular expression that user names must conform to.

text-message-length (default: 5000)

Maximum size in bytes that a user can send in one text chat message.

image-message-length (default: (* 128 1024))

Maximum size in bytes that a user can send in one image message.

cert-required? (default: #f)

If it is set to #t clients that use weak password authentification will not be accepted. Users must have completed the certificate wizard to join.

remember-channel? (defualt #f)

Should murmur remember the last channel each user was in when they disconnected and put them into the remembered channel when they rejoin.

allow-html? (default: #f)

Should html be allowed in text messages, user comments, and channel descriptions.

allow-ping? (default: #f)

Setting to true exposes the current user count, the maximum user count, and the server’s maximum bandwidth per client to unauthenticated users. In the Mumble client, this information is shown in the Connect dialog.

Disabling this setting will prevent public listing of the server.

bonjour? (default: #f)

Should the server advertise itself in the local network through the bonjour protocol.

send-version? (default: #f)

Should the murmur server version be exposed in ping requests.

log-days (default: 31)

Murmur also stores logs in the database, which are accessible via RPC. The default is 31 days of months, but you can set this setting to 0 to keep logs forever, or -1 to disable logging to the database.

obfuscate-ips? (default #t)

Should logged ips be obfuscated to protect the privacy of users.

ssl-cert (default: #f)

File name of the SSL/TLS certificate used for encrypted connections.

(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
ssl-key (default: #f)

Filepath to the ssl private key used for encrypted connections.

(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
ssl-dh-params (default: #f)

File name of a PEM-encoded file with Diffie-Hellman parameters for the SSL/TLS encryption. Alternatively you set it to "@ffdhe2048", "@ffdhe3072", "@ffdhe4096", "@ffdhe6144" or "@ffdhe8192" to use bundled parameters from RFC 7919.

ssl-ciphers (default: #f)

The ssl-ciphers option chooses the cipher suites to make available for use in SSL/TLS.

This option is specified using OpenSSL cipher list notation.

It is recommended that you try your cipher string using ’openssl ciphers <string>’ before setting it here, to get a feel for which cipher suites you will get. After setting this option, it is recommend that you inspect your Murmur log to ensure that Murmur is using the cipher suites that you expected it to.

Note: Changing this option may impact the backwards compatibility of your Murmur server, and can remove the ability for older Mumble clients to be able to connect to it.

public-registration (default: #f)

Must be a <murmur-public-registration-configuration> record or #f.

You can optionally register your server in the public server list that the mumble client shows on startup. You cannot register your server if you have set a server-password, or set allow-ping to #f.

It might take a few hours until it shows up in the public list.

file (default: #f)

Optional alternative override for this configuration.

Data Type: murmur-public-registration-configuration

Configuration for public registration of a murmur service.

name

This is a display name for your server. Not to be confused with the hostname.

password

A password to identify your registration. Subsequent updates will need the same password. Don’t lose your password.

url

This should be a http:// or https:// link to your web site.

hostname (default: #f)

By default your server will be listed by its IP address. If it is set your server will be linked by this host name instead.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.13 Monitoring Services

Tailon Service

Tailon is a web application for viewing and searching log files.

The following example will configure the service with default values. By default, Tailon can be accessed on port 8080 (http://localhost:8080).

(service tailon-service-type)

The following example customises more of the Tailon configuration, adding sed to the list of allowed commands.

(service tailon-service-type
         (tailon-configuration
           (config-file
             (tailon-configuration-file
               (allowed-commands '("tail" "grep" "awk" "sed"))))))
Data Type: tailon-configuration

Data type representing the configuration of Tailon. This type has the following parameters:

config-file (default: (tailon-configuration-file))

The configuration file to use for Tailon. This can be set to a tailon-configuration-file record value, or any gexp (see G-Expressions).

For example, to instead use a local file, the local-file function can be used:

(service tailon-service-type
         (tailon-configuration
           (config-file (local-file "./my-tailon.conf"))))
package (default: tailon)

The tailon package to use.

Data Type: tailon-configuration-file

Data type representing the configuration options for Tailon. This type has the following parameters:

files (default: (list "/var/log"))

List of files to display. The list can include strings for a single file or directory, or a list, where the first item is the name of a subsection, and the remaining items are the files or directories in that subsection.

bind (default: "localhost:8080")

Address and port to which Tailon should bind on.

relative-root (default: #f)

URL path to use for Tailon, set to #f to not use a path.

allow-transfers? (default: #t)

Allow downloading the log files in the web interface.

follow-names? (default: #t)

Allow tailing of not-yet existent files.

tail-lines (default: 200)

Number of lines to read initially from each file.

allowed-commands (default: (list "tail" "grep" "awk"))

Commands to allow running. By default, sed is disabled.

debug? (default: #f)

Set debug? to #t to show debug messages.

wrap-lines (default: #t)

Initial line wrapping state in the web interface. Set to #t to initially wrap lines (the default), or to #f to initially not wrap lines.

http-auth (default: #f)

HTTP authentication type to use. Set to #f to disable authentication (the default). Supported values are "digest" or "basic".

users (default: #f)

If HTTP authentication is enabled (see http-auth), access will be restricted to the credentials provided here. To configure users, use a list of pairs, where the first element of the pair is the username, and the 2nd element of the pair is the password.

(tailon-configuration-file
  (http-auth "basic")
  (users     '(("user1" . "password1")
               ("user2" . "password2"))))

Darkstat Service

Darkstat is a packet sniffer that captures network traffic, calculates statistics about usage, and serves reports over HTTP.

Variable: Scheme Variable darkstat-service-type

This is the service type for the darkstat service, its value must be a darkstat-configuration record as in this example:

(service darkstat-service-type
         (darkstat-configuration
           (interface "eno1")))
Data Type: darkstat-configuration

Data type representing the configuration of darkstat.

package (default: darkstat)

The darkstat package to use.

interface

Capture traffic on the specified network interface.

port (default: "667")

Bind the web interface to the specified port.

bind-address (default: "127.0.0.1")

Bind the web interface to the specified address.

base (default: "/")

Specify the path of the base URL. This can be useful if darkstat is accessed via a reverse proxy.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.14 Kerberos Services

The (gnu services kerberos) module provides services relating to the authentication protocol Kerberos.

Krb5 Service

Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.

No “keytab” files are provided by this service—you must explicitly create them. This service is known to work with the MIT client library, mit-krb5. Other implementations have not been tested.

Scheme Variable: krb5-service-type

A service type for Kerberos 5 clients.

Here is an example of its use:

(service krb5-service-type
         (krb5-configuration
          (default-realm "EXAMPLE.COM")
          (allow-weak-crypto? #t)
          (realms (list
                   (krb5-realm
                    (name "EXAMPLE.COM")
                    (admin-server "groucho.example.com")
                    (kdc "karl.example.com"))
                   (krb5-realm
                    (name "ARGRX.EDU")
                    (admin-server "kerb-admin.argrx.edu")
                    (kdc "keys.argrx.edu"))))))

This example provides a Kerberos 5 client configuration which:

The krb5-realm and krb5-configuration types have many fields. Only the most commonly used ones are described here. For a full list, and more detailed explanation of each, see the MIT krb5.conf documentation.

Data Type: krb5-realm
name

This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.

admin-server

This field is a string identifying the host where the administration server is running.

kdc

This field is a string identifying the key distribution center for the realm.

Data Type: krb5-configuration
allow-weak-crypto? (default: #f)

If this flag is #t then services which only offer encryption algorithms known to be weak will be accepted.

default-realm (default: #f)

This field should be a string identifying the default Kerberos realm for the client. You should set this field to the name of your Kerberos realm. If this value is #f then a realm must be specified with every Kerberos principal when invoking programs such as kinit.

realms

This should be a non-empty list of krb5-realm objects, which clients may access. Normally, one of them will have a name field matching the default-realm field.

PAM krb5 Service

The pam-krb5 service allows for login authentication and password management via Kerberos. You will need this service if you want PAM enabled applications to authenticate users using Kerberos.

Scheme Variable: pam-krb5-service-type

A service type for the Kerberos 5 PAM module.

Data Type: pam-krb5-configuration

Data type representing the configuration of the Kerberos 5 PAM module This type has the following parameters:

pam-krb5 (default: pam-krb5)

The pam-krb5 package to use.

minimum-uid (default: 1000)

The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.15 Web Services

The (gnu services web) module provides the Apache HTTP Server, the nginx web server, and also a fastcgi wrapper daemon.

Apache HTTP Server

Scheme Variable: httpd-service-type

Service type for the Apache HTTP server (httpd). The value for this service type is a https-configuration record.

A simple example configuration is given below.

(service httpd-service-type
         (httpd-configuration
           (config
             (httpd-config-file
               (server-name "www.example.com")
               (document-root "/srv/http/www.example.com")))))

Other services can also extend the httpd-service-type to add to the configuration.

(simple-service 'my-extra-server httpd-service-type
                (list
                  (httpd-virtualhost
                    "*:80"
                    (list (string-append
                           "ServerName "www.example.com
                            DocumentRoot \"/srv/http/www.example.com\"")))))

The details for the httpd-configuration, httpd-module, httpd-config-file and httpd-virtualhost record types are given below.

Data Type: httpd-configuration

This data type represents the configuration for the httpd service.

package (default: httpd)

The httpd package to use.

pid-file (default: "/var/run/httpd")

The pid file used by the shepherd-service.

config (default: (httpd-config-file))

The configuration file to use with the httpd service. The default value is a httpd-config-file record, but this can also be a different G-expression that generates a file, for example a plain-file. A file outside of the store can also be specified through a string.

Data Type: httpd-module

This data type represents a module for the httpd service.

name

The name of the module.

file

The file for the module. This can be relative to the httpd package being used, the absolute location of a file, or a G-expression for a file within the store, for example (file-append mod-wsgi "/modules/mod_wsgi.so").

Data Type: httpd-config-file

This data type represents a configuration file for the httpd service.

modules (default: %default-httpd-modules)

The modules to load. Additional modules can be added here, or loaded by additional configuration.

server-root (default: httpd)

The ServerRoot in the configuration file, defaults to the httpd package. Directives including Include and LoadModule are taken as relative to the server root.

server-name (default: #f)

The ServerName in the configuration file, used to specify the request scheme, hostname and port that the server uses to identify itself.

This doesn’t need to be set in the server config, and can be specifyed in virtual hosts. The default is #f to not specify a ServerName.

document-root (default: "/srv/http")

The DocumentRoot from which files will be served.

listen (default: '("80"))

The list of values for the Listen directives in the config file. The value should be a list of strings, when each string can specify the port number to listen on, and optionally the IP address and protocol to use.

pid-file (default: "/var/run/httpd")

The PidFile to use. This should match the pid-file set in the httpd-configuration so that the Shepherd service is configured correctly.

error-log (default: "/var/log/httpd/error_log")

The ErrorLog to which the server will log errors.

user (default: "httpd")

The User which the server will answer requests as.

group (default: "httpd")

The Group which the server will answer requests as.

extra-config (default: (list "TypesConfig etc/httpd/mime.types"))

A flat list of strings and G-expressions which will be added to the end of the configuration file.

Any values which the service is extended with will be appended to this list.

Data Type: httpd-virtualhost

This data type represents a virtualhost configuration block for the httpd service.

These should be added to the extra-config for the httpd-service.

(simple-service 'my-extra-server httpd-service-type
                (list
                  (httpd-virtualhost
                    "*:80"
                    (list (string-append
                           "ServerName "www.example.com
                            DocumentRoot \"/srv/http/www.example.com\"")))))
addresses-and-ports

The addresses and ports for the VirtualHost directive.

contents

The contents of the VirtualHost directive, this should be a list of strings and G-expressions.

NGINX

Scheme Variable: nginx-service-type

Service type for the NGinx web server. The value for this service type is a <nginx-configuration> record.

A simple example configuration is given below.

(service nginx-service-type
         (nginx-configuration
           (server-blocks
             (list (nginx-server-configuration
                     (server-name '("www.example.com"))
                     (root "/srv/http/www.example.com"))))))

In addition to adding server blocks to the service configuration directly, this service can be extended by other services to add server blocks, as in this example:

(simple-service 'my-extra-server nginx-service-type
                (list (nginx-server-configuration
                        (root "/srv/http/extra-website")
                        (try-files (list "$uri" "$uri/index.html")))))

At startup, nginx has not yet read its configuration file, so it uses a default file to log error messages. If it fails to load its configuration file, that is where error messages are logged. After the configuration file is loaded, the default error log file changes as per configuration. In our case, startup error messages can be found in /var/run/nginx/logs/error.log, and after configuration in /var/log/nginx/error.log. The second location can be changed with the log-directory configuration option.

Data Type: nginx-configuration

This data type represents the configuration for NGinx. Some configuration can be done through this and the other provided record types, or alternatively, a config file can be provided.

nginx (default: nginx)

The nginx package to use.

log-directory (default: "/var/log/nginx")

The directory to which NGinx will write log files.

run-directory (default: "/var/run/nginx")

The directory in which NGinx will create a pid file, and write temporary files.

server-blocks (default: '())

A list of server blocks to create in the generated configuration file, the elements should be of type <nginx-server-configuration>.

The following example would setup NGinx to serve www.example.com from the /srv/http/www.example.com directory, without using HTTPS.

(service nginx-service-type
         (nginx-configuration
           (server-blocks
             (list (nginx-server-configuration
                     (server-name '("www.example.com"))
                     (root "/srv/http/www.example.com"))))))
upstream-blocks (default: '())

A list of upstream blocks to create in the generated configuration file, the elements should be of type <nginx-upstream-configuration>.

Configuring upstreams through the upstream-blocks can be useful when combined with locations in the <nginx-server-configuration> records. The following example creates a server configuration with one location configuration, that will proxy requests to a upstream configuration, which will handle requests with two servers.

(service
  nginx-service-type
  (nginx-configuration
    (server-blocks
      (list (nginx-server-configuration
              (server-name '("www.example.com"))
              (root "/srv/http/www.example.com")
              (locations
                (list
                  (nginx-location-configuration
                  (uri "/path1")
                  (body '("proxy_pass http://server-proxy;"))))))))
    (upstream-blocks
      (list (nginx-upstream-configuration
              (name "server-proxy")
              (servers (list "server1.example.com"
                             "server2.example.com")))))))
file (default: #f)

If a configuration file is provided, this will be used, rather than generating a configuration file from the provided log-directory, run-directory, server-blocks and upstream-blocks. For proper operation, these arguments should match what is in file to ensure that the directories are created when the service is activated.

This can be useful if you have an existing configuration file, or it’s not possible to do what is required through the other parts of the nginx-configuration record.

server-names-hash-bucket-size (default: #f)

Bucket size for the server names hash tables, defaults to #f to use the size of the processors cache line.

server-names-hash-bucket-max-size (default: #f)

Maximum bucket size for the server names hash tables.

extra-content (default: "")

Extra content for the http block. Should be string or a string valued G-expression.

Data Type: nginx-server-configuration

Data type representing the configuration of an nginx server block. This type has the following parameters:

listen (default: '("80" "443 ssl"))

Each listen directive sets the address and port for IP, or the path for a UNIX-domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname, for example:

'("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000")
server-name (default: (list 'default))

A list of server names this server represents. 'default represents the default server for connections matching no other server.

root (default: "/srv/http")

Root of the website nginx will serve.

locations (default: '())

A list of nginx-location-configuration or nginx-named-location-configuration records to use within this server block.

index (default: (list "index.html"))

Index files to look for when clients ask for a directory. If it cannot be found, Nginx will send the list of files in the directory.

try-files (default: '())

A list of files whose existence is checked in the specified order. nginx will use the first file it finds to process the request.

ssl-certificate (default: #f)

Where to find the certificate for secure connections. Set it to #f if you don’t have a certificate or you don’t want to use HTTPS.

ssl-certificate-key (default: #f)

Where to find the private key for secure connections. Set it to #f if you don’t have a key or you don’t want to use HTTPS.

server-tokens? (default: #f)

Whether the server should add its configuration to response.

raw-content (default: '())

A list of raw lines added to the server block.

Data Type: nginx-upstream-configuration

Data type representing the configuration of an nginx upstream block. This type has the following parameters:

name

Name for this group of servers.

servers

Specify the addresses of the servers in the group. The address can be specified as a IP address (e.g. ‘127.0.0.1’), domain name (e.g. ‘backend1.example.com’) or a path to a UNIX socket using the prefix ‘unix:’. For addresses using an IP address or domain name, the default port is 80, and a different port can be specified explicitly.

Data Type: nginx-location-configuration

Data type representing the configuration of an nginx location block. This type has the following parameters:

uri

URI which this location block matches.

body

Body of the location block, specified as a list of strings. This can contain many configuration directives. For example, to pass requests to a upstream server group defined using an nginx-upstream-configuration block, the following directive would be specified in the body ‘(list "proxy_pass http://upstream-name;")’.

Data Type: nginx-named-location-configuration

Data type representing the configuration of an nginx named location block. Named location blocks are used for request redirection, and not used for regular request processing. This type has the following parameters:

name

Name to identify this location block.

body

See nginx-location-configuration body, as the body for named location blocks can be used in a similar way to the nginx-location-configuration body. One restriction is that the body of a named location block cannot contain location blocks.

FastCGI is an interface between the front-end and the back-end of a web service. It is a somewhat legacy facility; new web services should generally just talk HTTP between the front-end and the back-end. However there are a number of back-end services such as PHP or the optimized HTTP Git repository access that use FastCGI, so we have support for it in Guix.

To use FastCGI, you configure the front-end web server (e.g., nginx) to dispatch some subset of its requests to the fastcgi backend, which listens on a local TCP or UNIX socket. There is an intermediary fcgiwrap program that sits between the actual backend process and the web server. The front-end indicates which backend program to run, passing that information to the fcgiwrap process.

Scheme Variable: fcgiwrap-service-type

A service type for the fcgiwrap FastCGI proxy.

Data Type: fcgiwrap-configuration

Data type representing the configuration of the fcgiwrap serice. This type has the following parameters:

package (default: fcgiwrap)

The fcgiwrap package to use.

socket (default: tcp:127.0.0.1:9000)

The socket on which the fcgiwrap process should listen, as a string. Valid socket values include unix:/path/to/unix/socket, tcp:dot.ted.qu.ad:port and tcp6:[ipv6_addr]:port.

user (default: fcgiwrap)
group (default: fcgiwrap)

The user and group names, as strings, under which to run the fcgiwrap process. The fastcgi service will ensure that if the user asks for the specific user or group names fcgiwrap that the corresponding user and/or group is present on the system.

It is possible to configure a FastCGI-backed web service to pass HTTP authentication information from the front-end to the back-end, and to allow fcgiwrap to run the back-end process as a corresponding local user. To enable this capability on the back-end., run fcgiwrap as the root user and group. Note that this capability also has to be configured on the front-end as well.

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size.

These features include:

... and much more.

Scheme Variable: php-fpm-service-type

A Service type for php-fpm.

Data Type: php-fpm-configuration

Data Type for php-fpm service configuration.

php (default: php)

The php package to use.

socket (default: (string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock"))

The address on which to accept FastCGI requests. Valid syntaxes are:

"ip.add.re.ss:port"

Listen on a TCP socket to a specific address on a specific port.

"port"

Listen on a TCP socket to all addresses on a specific port.

"/path/to/unix/socket"

Listen on a unix socket.

user (default: php-fpm)

User who will own the php worker processes.

group (default: php-fpm)

Group of the worker processes.

socket-user (default: php-fpm)

User who can speak to the php-fpm socket.

socket-group (default: php-fpm)

Group that can speak to the php-fpm socket.

pid-file (default: (string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid"))

The process id of the php-fpm process is written to this file once the service has started.

log-file (default: (string-append "/var/log/php" (version-major (package-version php)) "-fpm.log"))

Log for the php-fpm master process.

process-manager (default: (php-fpm-dynamic-process-manager-configuration))

Detailed settings for the php-fpm process manager. Must be either:

<php-fpm-dynamic-process-manager-configuration>
<php-fpm-static-process-manager-configuration>
<php-fpm-on-demand-process-manager-configuration>
display-errors (default #f)

Determines whether php errors and warning should be sent to clients and displayed in their browsers. This is useful for local php development, but a security risk for public sites, as error messages can reveal passwords and personal data.

workers-logfile (default (string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log"))

This file will log the stderr outputs of php worker processes. Can be set to #f to disable logging.

file (default #f)

An optional override of the whole configuration. You can use the mixed-text-file function or an absolute filepath for it.

Data type: php-fpm-dynamic-process-manager-configuration

Data Type for the dynamic php-fpm process manager. With the dynamic process manager, spare worker processes are kept around based on it’s configured limits.

max-children (default: 5)

Maximum of worker processes.

start-servers (default: 2)

How many worker processes should be started on start-up.

min-spare-servers (default: 1)

How many spare worker processes should be kept around at minimum.

max-spare-servers (default: 3)

How many spare worker processes should be kept around at maximum.

Data type: php-fpm-static-process-manager-configuration

Data Type for the static php-fpm process manager. With the static process manager, an unchanging number of worker processes are created.

max-children (default: 5)

Maximum of worker processes.

Data type: php-fpm-on-demand-process-manager-configuration

Data Type for the on-demand php-fpm process manager. With the on-demand process manager, worker processes are only created as requests arrive.

max-children (default: 5)

Maximum of worker processes.

process-idle-timeout (default: 10)

The time in seconds after which a process with no requests is killed.

Scheme Procedure: nginx-php-fpm-location [#:nginx-package nginx] [socket (string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")]

A helper function to quickly add php to an nginx-server-configuration.

A simple services setup for nginx with php can look like this:

(services (cons* (dhcp-client-service)
                 (service php-fpm-service-type)
                 (service nginx-service-type
                          (nginx-server-configuration
                           (server-name '("example.com"))
                           (root "/srv/http/")
                           (locations
                            (list (nginx-php-location)))
                           (https-port #f)
                           (ssl-certificate #f)
                           (ssl-certificate-key #f)))
                 %base-services))

The cat avatar generator is a simple service to demonstrate the use of php-fpm in Nginx. It is used to generate cat avatar from a seed, for instance the hash of a user’s email address.

Scheme Procedure: cat-avatar-generator-serice [#:cache-dir "/var/cache/cat-avatar-generator"] [#:package cat-avatar-generator] [#:configuration (nginx-server-configuration)]

Returns an nginx-server-configuration that inherits configuration. It extends the nginx configuration to add a server block that serves package, a version of cat-avatar-generator. During execution, cat-avatar-generator will be able to use cache-dir as its cache directory.

A simple setup for cat-avatar-generator can look like this:

(services (cons* (cat-avatar-generator-service
                  #:configuration
                  (nginx-server-configuration
                    (server-name '("example.com"))))
                 ...
                 %base-services))

Hpcguix-web

The https://github.com/UMCUGenetics/hpcguix-web/ program is a customizable web interface to browse Guix packages, initially designed for users of high-performance computing (HPC) clusters.

Scheme Variable: hpcguix-web-service-type

The service type for hpcguix-web.

Data Type: hpcguix-web-configuration

Data type for the hpcguix-web service configuration.

specs

A gexp (see G-Expressions) specifying the hpcguix-web service configuration. The main items available in this spec are:

title-prefix (default: "hpcguix | ")

The page title prefix.

guix-command (default: "guix")

The guix command.

package-filter-proc (default: (const #t))

A procedure specifying how to filter packages that are displayed.

package-page-extension-proc (default: (const '()))

Extension package for hpcguix-web.

menu (default: '())

Additional entry in page menu.

See the hpcguix-web repository for a complete example.

package (default: hpcguix-web)

The hpcguix-web package to use.

A typical hpcguix-web service declaration looks like this:

(service hpcguix-web-service-type
         (hpcguix-web-configuration
          (specs
           #~(define site-config
               (hpcweb-configuration
                (title-prefix "Guix-HPC - ")
                (menu '(("/about" "ABOUT"))))))))

Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.16 Certificate Services

The (gnu services certbot) module provides a service to automatically obtain a valid TLS certificate from the Let’s Encrypt certificate authority. These certificates can then be used to serve content securely over HTTPS or other TLS-based protocols, with the knowledge that the client will be able to verify the server’s authenticity.

Let’s Encrypt provides the certbot tool to automate the certification process. This tool first securely generates a key on the server. It then makes a request to the Let’s Encrypt certificate authority (CA) to sign the key. The CA checks that the request originates from the host in question by using a challenge-response protocol, requiring the server to provide its response over HTTP. If that protocol completes successfully, the CA signs the key, resulting in a certificate. That certificate is valid for a limited period of time, and therefore to continue to provide TLS services, the server needs to periodically ask the CA to renew its signature.

The certbot service automates this process: the initial key generation, the initial certification request to the Let’s Encrypt service, the web server challenge/response integration, writing the certificate to disk, the automated periodic renewals, and the deployment tasks associated with the renewal (e.g. reloading services, copying keys with different permissions).

Certbot is run twice a day, at a random minute within the hour. It won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your service a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason.

By using this service, you agree to the ACME Subscriber Agreement, which can be found there: https://acme-v01.api.letsencrypt.org/directory.

Scheme Variable: certbot-service-type

A service type for the certbot Let’s Encrypt client. Its value must be a certbot-configuration record as in this example:

(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))

(service certbot-service-type
         (certbot-configuration
          (email "foo@example.net")
          (certificates
           (list
            (certificate-configuration
             (domains '("example.net" "www.example.net"))
             (deploy-hook %nginx-deploy-hook))
            (certificate-configuration
             (domains '("bar.example.net")))))))

See below for details about certbot-configuration.

Data Type: certbot-configuration

Data type representing the configuration of the certbot service. This type has the following parameters:

package (default: certbot)

The certbot package to use.

webroot (default: /var/www)

The directory from which to serve the Let’s Encrypt challenge/response files.

certificates (default: ())

A list of certificates-configurations for which to generate certificates and request signatures. Each certificate has a name and several domains.

email

Mandatory email used for registration, recovery contact, and important account notifications.

rsa-key-size (default: 2048)

Size of the RSA key.

default-location (default: see below)

The default nginx-location-configuration. Because certbot needs to be able to serve challenges and responses, it needs to be able to run a web server. It does so by extending the nginx web service with an nginx-server-configuration listening on the domains on port 80, and which has a nginx-location-configuration for the /.well-known/ URI path subspace used by Let’s Encrypt. See Web Services, for more on these nginx configuration data types.

Requests to other URL paths will be matched by the default-location, which if present is added to all nginx-server-configurations.

By default, the default-location will issue a redirect from http://domain/... to https://domain/..., leaving you to define what to serve on your site via https.

Pass #f to not issue a default location.

Data Type: certificate-configuration

Data type representing the configuration of a certificate. This type has the following parameters:

name (default: see below)

This name is used by Certbot for housekeeping and in file paths; it doesn’t affect the content of the certificate itself. To see certificate names, run certbot certificates.

Its default is the first provided domain.

domains (default: ())

The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate.

deploy-hook (default: #f)

Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, ‘"/etc/letsencrypt/live/example.com"’) containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, ‘"example.com www.example.com"’.

For each certificate-configuration, the certificate is saved to /etc/letsencrypt/live/name/fullchain.pem and the key is saved to /etc/letsencrypt/live/name/privkey.pem.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.17 DNS Services

The (gnu services dns) module provides services related to the domain name system (DNS). It provides a server service for hosting an authoritative DNS server for multiple zones, slave or master. This service uses Knot DNS. And also a caching and forwarding DNS server for the LAN, which uses dnsmasq.

Knot Service

An example configuration of an authoritative server for two zones, one master and one slave, is:

(define-zone-entries example.org.zone
;; Name TTL Class Type Data
  ("@"  ""  "IN"  "A"  "127.0.0.1")
  ("@"  ""  "IN"  "NS" "ns")
  ("ns" ""  "IN"  "A"  "127.0.0.1"))

(define master-zone
  (knot-zone-configuration
    (domain "example.org")
    (zone (zone-file
            (origin "example.org")
            (entries example.org.zone)))))

(define slave-zone
  (knot-zone-configuration
    (domain "plop.org")
    (dnssec-policy "default")
    (master (list "plop-master"))))

(define plop-master
  (knot-remote-configuration
    (id "plop-master")
    (address (list "208.76.58.171"))))

(operating-system
  ;; ...
  (services (cons* (service knot-service-type
                     (knot-configuration
                       (remotes (list plop-master))
                       (zones (list master-zone slave-zone))))
                   ;; ...
                   %base-services)))
Scheme Variable: knot-service-type

This is the type for the Knot DNS server.

Knot DNS is an authoritative DNS server, meaning that it can serve multiple zones, that is to say domain names you would buy from a registrar. This server is not a resolver, meaning that it can only resolve names for which it is authoritative. This server can be configured to serve zones as a master server or a slave server as a per-zone basis. Slave zones will get their data from masters, and will serve it as an authoritative server. From the point of view of a resolver, there is no difference between master and slave.

The following data types are used to configure the Knot DNS server:

Data Type: knot-key-configuration

Data type representing a key. This type has the following parameters:

id (default: "")

An identifier for other configuration fields to refer to this key. IDs must be unique and must not be empty.

algorithm (default: #f)

The algorithm to use. Choose between #f, 'hmac-md5, 'hmac-sha1, 'hmac-sha224, 'hmac-sha256, 'hmac-sha384 and 'hmac-sha512.

secret (default: "")

The secret key itself.

Data Type: knot-acl-configuration

Data type representing an Access Control List (ACL) configuration. This type has the following parameters:

id (default: "")

An identifier for ether configuration fields to refer to this key. IDs must be unique and must not be empty.

address (default: '())

An ordered list of IP addresses, network subnets, or network ranges represented with strings. The query must match one of them. Empty value means that address match is not required.

key (default: '())

An ordered list of references to keys represented with strings. The string must match a key ID defined in a knot-key-configuration. No key means that a key is not require to match that ACL.

action (default: '())

An ordered list of actions that are permitted or forbidden by this ACL. Possible values are lists of zero or more elements from 'transfer, 'notify and 'update.

deny? (default: #f)

When true, the ACL defines restrictions. Listed actions are forbidden. When false, listed actions are allowed.

Data Type: zone-entry

Data type represnting a record entry in a zone file. This type has the following parameters:

name (default: "@")

The name of the record. "@" refers to the origin of the zone. Names are relative to the origin of the zone. For example, in the example.org zone, "ns.example.org" actually refers to ns.example.org.example.org. Names ending with a dot are absolute, which means that "ns.example.org." refers to ns.example.org.

ttl (default: "")

The Time-To-Live (TTL) of this record. If not set, the default TTL is used.

class (default: "IN")

The class of the record. Knot currently supports only "IN" and partially "CH".

type (default: "A")

The type of the record. Common types include A (IPv4 address), AAAA (IPv6 address), NS (Name Server) and MX (Mail eXchange). Many other types are defined.

data (default: "")

The data contained in the record. For instance an IP address associated with an A record, or a domain name associated with an NS record. Remember that domain names are relative to the origin unless they end with a dot.

Data Type: zone-file

Data type representing the content of a zone file. This type has the following parameters:

entries (default: '())

The list of entries. The SOA record is taken care of, so you don’t need to put it in the list of entries. This list should probably contain an entry for your primary authoritative DNS server. Other than using a list of entries directly, you can use define-zone-entries to define a object containing the list of entries more easily, that you can later pass to the entries field of the zone-file.

origin (default: "")

The name of your zone. This parameter cannot be empty.

ns (default: "ns")

The domain of your primary authoritative DNS server. The name is relative to the origin, unless it ends with a dot. It is mandatory that this primary DNS server corresponds to an NS record in the zone and that it is associated to an IP address in the list of entries.

mail (default: "hostmaster")

An email address people can contact you at, as the owner of the zone. This is translated as <mail>@<origin>.

serial (default: 1)

The serial number of the zone. As this is used to keep track of changes by both slaves and resolvers, it is mandatory that it never decreases. Always increment it when you make a change in your zone.

refresh (default: (* 2 24 3600))

The frequency at which slaves will do a zone transfer. This value is a number of seconds. It can be computed by multiplications or with (string->duration).

retry (default: (* 15 60))

The period after which a slave will retry to contact its master when it fails to do so a first time.

expiry (default: (* 14 24 3600))

Default TTL of records. Existing records are considered correct for at most this amount of time. After this period, resolvers will invalidate their cache and check again that it still exists.

nx (default: 3600)

Default TTL of inexistant records. This delay is usually short because you want your new domains to reach everyone quickly.

Data Type: knot-remote-configuration

Data type representing a remote configuration. This type has the following parameters:

id (default: "")

An identifier for other configuration fields to refer to this remote. IDs must be unique and must not be empty.

address (default: '())

An ordered list of destination IP addresses. Addresses are tried in sequence. An optional port can be given with the @ separator. For instance: (list "1.2.3.4" "2.3.4.5@53"). Default port is 53.

via (default: '())

An ordered list of source IP addresses. An empty list will have Knot choose an appropriate source IP. An optional port can be given with the @ separator. The default is to choose at random.

key (default: #f)

A reference to a key, that is a string containing the identifier of a key defined in a knot-key-configuration field.

Data Type: knot-keystore-configuration

Data type representing a keystore to hold dnssec keys. This type has the following parameters:

id (default: "")

The id of the keystore. It must not be empty.

backend (default: 'pem)

The backend to store the keys in. Can be 'pem or 'pkcs11.

config (default: "/var/lib/knot/keys/keys")

The configuration string of the backend. An example for the PKCS#11 is: "pkcs11:token=knot;pin-value=1234 /gnu/store/.../lib/pkcs11/libsofthsm2.so". For the pem backend, the string reprensents a path in the file system.

Data Type: knot-policy-configuration

Data type representing a dnssec policy. Knot DNS is able to automatically sign your zones. It can either generate and manage your keys automatically or use keys that you generate.

Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that is used to sign the second, and a Zone Signing Key (ZSK) that is used to sign the zone. In order to be trusted, the KSK needs to be present in the parent zone (usually a top-level domain). If your registrar supports dnssec, you will have to send them your KSK’s hash so they can add a DS record in their zone. This is not automated and need to be done each time you change your KSK.

The policy also defines the lifetime of keys. Usually, ZSK can be changed easily and use weaker cryptographic functions (they use lower parameters) in order to sign records quickly, so they are changed often. The KSK however requires manual interaction with the registrar, so they are changed less often and use stronger parameters because they sign only one record.

This type has the following parameters:

id (default: "")

The id of the policy. It must not be empty.

keystore (default: "default")

A reference to a keystore, that is a string containing the identifier of a keystore defined in a knot-keystore-configuration field. The "default" identifier means the default keystore (a kasp database that was setup by this service).

manual? (default: #f)

Whether the key management is manual or automatic.

single-type-signing? (default: #f)

When #t, use the Single-Type Signing Scheme.

algorithm (default: "ecdsap256sha256")

An algorithm of signing keys and issued signatures.

ksk-size (default: 256)

The length of the KSK. Note that this value is correct for the default algorithm, but would be unsecure for other algorithms.

zsk-size (default: 256)

The length of the ZSK. Note that this value is correct for the default algorithm, but would be unsecure for other algorithms.

dnskey-ttl (default: 'default)

The TTL value for DNSKEY records added into zone apex. The special 'default value means same as the zone SOA TTL.

zsk-lifetime (default: (* 30 24 3600))

The period between ZSK publication and the next rollover initiation.

propagation-delay (default: (* 24 3600))

An extra delay added for each key rollover step. This value should be high enough to cover propagation of data from the master server to all slaves.

rrsig-lifetime (default: (* 14 24 3600))

A validity period of newly issued signatures.

rrsig-refresh (default: (* 7 24 3600))

A period how long before a signature expiration the signature will be refreshed.

nsec3? (default: #f)

When #t, NSEC3 will be used instead of NSEC.

nsec3-iterations (default: 5)

The number of additional times the hashing is performed.

nsec3-salt-length (default: 8)

The length of a salt field in octets, which is appended to the original owner name before hashing.

nsec3-salt-lifetime (default: (* 30 24 3600))

The validity period of newly issued salt field.

Data Type: knot-zone-configuration

Data type representing a zone served by Knot. This type has the following parameters:

domain (default: "")

The domain served by this configuration. It must not be empty.

file (default: "")

The file where this zone is saved. This parameter is ignored by master zones. Empty means default location that depends on the domain name.

zone (default: (zone-file))

The content of the zone file. This parameter is ignored by slave zones. It must contain a zone-file record.

master (default: '())

A list of master remotes. When empty, this zone is a master. When set, this zone is a slave. This is a list of remotes identifiers.

ddns-master (default: #f)

The main master. When empty, it defaults to the first master in the list of masters.

notify (default: '())

A list of slave remote identifiers.

acl (default: '())

A list of acl identifiers.

semantic-checks? (default: #f)

When set, this adds more semantic checks to the zone.

disable-any? (default: #f)

When set, this forbids queries of the ANY type.

zonefile-sync (default: 0)

The delay between a modification in memory and on disk. 0 means immediate synchronization.

serial-policy (default: 'increment)

A policy between 'increment and 'unixtime.

Data Type: knot-configuration

Data type representing the Knot configuration. This type has the following parameters:

knot (default: knot)

The Knot package.

run-directory (default: "/var/run/knot")

The run directory. This directory will be used for pid file and sockets.

listen-v4 (default: "0.0.0.0")

An ip address on which to listen.

listen-v6 (default: "::")

An ip address on which to listen.

listen-port (default: 53)

A port on which to listen.

keys (default: '())

The list of knot-key-configuration used by this configuration.

acls (default: '())

The list of knot-acl-configuration used by this configuration.

remotes (default: '())

The list of knot-remote-configuration used by this configuration.

zones (default: '())

The list of knot-zone-configuration used by this configuration.

Dnsmasq Service

Scheme Variable: dnsmasq-service-type

This is the type of the dnsmasq service, whose value should be an dnsmasq-configuration object as in this example:

(service dnsmasq-service-type
         (dnsmasq-configuration
           (no-resolv? #t)
           (servers '("192.168.1.1"))))
Data Type: dnsmasq-configuration

Data type representing the configuration of dnsmasq.

package (default: dnsmasq)

Package object of the dnsmasq server.

no-hosts? (default: #f)

When true, don’t read the hostnames in /etc/hosts.

port (default: 53)

The port to listen on. Setting this to zero completely disables DNS funtion, leaving only DHCP and/or TFTP.

local-service? (default: #t)

Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server.

listen-addresses (default: '())

Listen on the given IP addresses.

resolv-file (default: "/etc/resolv.conf")

The file to read the IP address of the upstream nameservers from.

no-resolv? (default: #f)

When true, don’t read resolv-file.

servers (default: '())

Specify IP address of upstream servers directly.

cache-size (default: 150)

Set the size of dnsmasq’s cache. Setting the cache size to zero disables caching.

negative-cache? (default: #t)

When false, disable negative caching.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.18 VPN Services

The (gnu services vpn) module provides services related to virtual private networks (VPNs). It provides a client service for your machine to connect to a VPN, and a servire service for your machine to host a VPN. Both services use OpenVPN.

Scheme Procedure: openvpn-client-service [#:config (openvpn-client-configuration)]

Return a service that runs openvpn, a VPN daemon, as a client.

Scheme Procedure: openvpn-server-service [#:config (openvpn-server-configuration)]

Return a service that runs openvpn, a VPN daemon, as a server.

Both can be run simultaneously.

Available openvpn-client-configuration fields are:

openvpn-client-configuration parameter: package openvpn

The OpenVPN package.

openvpn-client-configuration parameter: string pid-file

The OpenVPN pid file.

Defaults to ‘"/var/run/openvpn/openvpn.pid"’.

openvpn-client-configuration parameter: proto proto

The protocol (UDP or TCP) used to open a channel between clients and servers.

Defaults to ‘udp’.

openvpn-client-configuration parameter: dev dev

The device type used to represent the VPN connection.

Defaults to ‘tun’.

openvpn-client-configuration parameter: string ca

The certificate authority to check connections against.

Defaults to ‘"/etc/openvpn/ca.crt"’.

openvpn-client-configuration parameter: string cert

The certificate of the machine the daemon is running on. It should be signed by the authority given in ca.

Defaults to ‘"/etc/openvpn/client.crt"’.

openvpn-client-configuration parameter: string key

The key of the machine the daemon is running on. It must be the key whose certificate is cert.

Defaults to ‘"/etc/openvpn/client.key"’.

openvpn-client-configuration parameter: boolean comp-lzo?

Whether to use the lzo compression algorithm.

Defaults to ‘#t’.

openvpn-client-configuration parameter: boolean persist-key?

Don’t re-read key files across SIGUSR1 or –ping-restart.

Defaults to ‘#t’.

openvpn-client-configuration parameter: boolean persist-tun?

Don’t close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or –ping-restart restarts.

Defaults to ‘#t’.

openvpn-client-configuration parameter: number verbosity

Verbosity level.

Defaults to ‘3’.

openvpn-client-configuration parameter: tls-auth-client tls-auth

Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

Defaults to ‘#f’.

openvpn-client-configuration parameter: key-usage verify-key-usage?

Whether to check the server certificate has server usage extension.

Defaults to ‘#t’.

openvpn-client-configuration parameter: bind bind?

Bind to a specific local port number.

Defaults to ‘#f’.

openvpn-client-configuration parameter: resolv-retry resolv-retry?

Retry resolving server address.

Defaults to ‘#t’.

openvpn-client-configuration parameter: openvpn-remote-list remote

A list of remote servers to connect to.

Defaults to ‘()’.

Available openvpn-remote-configuration fields are:

openvpn-remote-configuration parameter: string name

Server name.

Defaults to ‘"my-server"’.

openvpn-remote-configuration parameter: number port

Port number the server listens to.

Defaults to ‘1194’.

Available openvpn-server-configuration fields are:

openvpn-server-configuration parameter: package openvpn

The OpenVPN package.

openvpn-server-configuration parameter: string pid-file

The OpenVPN pid file.

Defaults to ‘"/var/run/openvpn/openvpn.pid"’.

openvpn-server-configuration parameter: proto proto

The protocol (UDP or TCP) used to open a channel between clients and servers.

Defaults to ‘udp’.

openvpn-server-configuration parameter: dev dev

The device type used to represent the VPN connection.

Defaults to ‘tun’.

openvpn-server-configuration parameter: string ca

The certificate authority to check connections against.

Defaults to ‘"/etc/openvpn/ca.crt"’.

openvpn-server-configuration parameter: string cert

The certificate of the machine the daemon is running on. It should be signed by the authority given in ca.

Defaults to ‘"/etc/openvpn/client.crt"’.

openvpn-server-configuration parameter: string key

The key of the machine the daemon is running on. It must be the key whose certificate is cert.

Defaults to ‘"/etc/openvpn/client.key"’.

openvpn-server-configuration parameter: boolean comp-lzo?

Whether to use the lzo compression algorithm.

Defaults to ‘#t’.

openvpn-server-configuration parameter: boolean persist-key?

Don’t re-read key files across SIGUSR1 or –ping-restart.

Defaults to ‘#t’.

openvpn-server-configuration parameter: boolean persist-tun?

Don’t close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or –ping-restart restarts.

Defaults to ‘#t’.

openvpn-server-configuration parameter: number verbosity

Verbosity level.

Defaults to ‘3’.

openvpn-server-configuration parameter: tls-auth-server tls-auth

Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

Defaults to ‘#f’.

openvpn-server-configuration parameter: number port

Specifies the port number on which the server listens.

Defaults to ‘1194’.

openvpn-server-configuration parameter: ip-mask server

An ip and mask specifying the subnet inside the virtual network.

Defaults to ‘"10.8.0.0 255.255.255.0"’.

openvpn-server-configuration parameter: cidr6 server-ipv6

A CIDR notation specifying the IPv6 subnet inside the virtual network.

Defaults to ‘#f’.

openvpn-server-configuration parameter: string dh

The Diffie-Hellman parameters file.

Defaults to ‘"/etc/openvpn/dh2048.pem"’.

openvpn-server-configuration parameter: string ifconfig-pool-persist

The file that records client IPs.

Defaults to ‘"/etc/openvpn/ipp.txt"’.

openvpn-server-configuration parameter: gateway redirect-gateway?

When true, the server will act as a gateway for its clients.

Defaults to ‘#f’.

openvpn-server-configuration parameter: boolean client-to-client?

When true, clients are allowed to talk to each other inside the VPN.

Defaults to ‘#f’.

openvpn-server-configuration parameter: keepalive keepalive

Causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. keepalive requires a pair. The first element is the period of the ping sending, and the second element is the timeout before considering the other side down.

openvpn-server-configuration parameter: number max-clients

The maximum number of clients.

Defaults to ‘100’.

openvpn-server-configuration parameter: string status

The status file. This file shows a small report on current connection. It is truncated and rewritten every minute.

Defaults to ‘"/var/run/openvpn/status"’.

openvpn-server-configuration parameter: openvpn-ccd-list client-config-dir

The list of configuration for some clients.

Defaults to ‘()’.

Available openvpn-ccd-configuration fields are:

openvpn-ccd-configuration parameter: string name

Client name.

Defaults to ‘"client"’.

openvpn-ccd-configuration parameter: ip-mask iroute

Client own network

Defaults to ‘#f’.

openvpn-ccd-configuration parameter: ip-mask ifconfig-push

Client VPN IP.

Defaults to ‘#f’.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.19 Network File System

The (gnu services nfs) module provides the following services, which are most commonly used in relation to mounting or exporting directory trees as network file systems (NFS).

RPC Bind Service

The RPC Bind service provides a facility to map program numbers into universal addresses. Many NFS related services use this facility. Hence it is automatically started when a dependent service starts.

Scheme Variable: rpcbind-service-type

A service type for the RPC portmapper daemon.

Data Type: rpcbind-configuration

Data type representing the configuration of the RPC Bind Service. This type has the following parameters:

rpcbind (default: rpcbind)

The rpcbind package to use.

warm-start? (default: #t)

If this parameter is #t, then the daemon will read a state file on startup thus reloading state information saved by a previous instance.

Pipefs Pseudo File System

The pipefs file system is used to transfer NFS related data between the kernel and user space programs.

Scheme Variable: pipefs-service-type

A service type for the pipefs pseudo file system.

Data Type: pipefs-configuration

Data type representing the configuration of the pipefs pseudo file system service. This type has the following parameters:

mount-point (default: "/var/lib/nfs/rpc_pipefs")

The directory to which the file system is to be attached.

GSS Daemon Service

The global security system (GSS) daemon provides strong security for RPC based protocols. Before exchanging RPC requests an RPC client must establish a security context. Typically this is done using the Kerberos command kinit or automatically at login time using PAM services (see Kerberos Services).

Scheme Variable: gss-service-type

A service type for the Global Security System (GSS) daemon.

Data Type: gss-configuration

Data type representing the configuration of the GSS daemon service. This type has the following parameters:

nfs-utils (default: nfs-utils)

The package in which the rpc.gssd command is to be found.

pipefs-directory (default: "/var/lib/nfs/rpc_pipefs")

The directory where the pipefs file system is mounted.

IDMAP Daemon Service

The idmap daemon service provides mapping between user IDs and user names. Typically it is required in order to access file systems mounted via NFSv4.

Scheme Variable: idmap-service-type

A service type for the Identity Mapper (IDMAP) daemon.

Data Type: idmap-configuration

Data type representing the configuration of the IDMAP daemon service. This type has the following parameters:

nfs-utils (default: nfs-utils)

The package in which the rpc.idmapd command is to be found.

pipefs-directory (default: "/var/lib/nfs/rpc_pipefs")

The directory where the pipefs file system is mounted.

domain (default: #f)

The local NFSv4 domain name. This must be a string or #f. If it is #f then the daemon will use the host’s fully qualified domain name.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.20 Continuous Integration

Cuirass is a continuous integration tool for Guix. It can be used both for development and for providing substitutes to others (see Substitutes).

The (gnu services cuirass) module provides the following service.

Scheme Procedure: cuirass-service-type

The type of the Cuirass service. Its value must be a cuirass-configuration object, as described below.

To add build jobs, you have to set the specifications field of the configuration. Here is an example of a service defining a build job based on a specification that can be found in Cuirass source tree. This service polls the Guix repository and builds a subset of the Guix packages, as prescribed in the gnu-system.scm example spec:

(let ((spec #~((#:name . "guix")
               (#:url . "git://git.savannah.gnu.org/guix.git")
               (#:load-path . ".")
               (#:file . "build-aux/cuirass/gnu-system.scm")
               (#:proc . cuirass-jobs)
               (#:arguments (subset . "hello"))
               (#:branch . "master"))))
  (service cuirass-service-type
           (cuirass-configuration
            (specifications #~(list '#$spec)))))

While information related to build jobs is located directly in the specifications, global settings for the cuirass process are accessible in other cuirass-configuration fields.

Data Type: cuirass-configuration

Data type representing the configuration of Cuirass.

log-file (default: "/var/log/cuirass.log")

Location of the log file.

cache-directory (default: "/var/cache/cuirass")

Location of the repository cache.

user (default: "cuirass")

Owner of the cuirass process.

group (default: "cuirass")

Owner’s group of the cuirass process.

interval (default: 60)

Number of seconds between the poll of the repositories followed by the Cuirass jobs.

database (default: "/var/run/cuirass/cuirass.db")

Location of sqlite database which contains the build results and previously added specifications.

port (default: 8081)

Port number used by the HTTP server.

–listen=host

Listen on the network interface for host. The default is to accept connections from localhost.

specifications (default: #~'())

A gexp (see G-Expressions) that evaluates to a list of specifications, where a specification is an association list (see Associations Lists in GNU Guile Reference Manual) whose keys are keywords (#:keyword-example) as shown in the example above.

use-substitutes? (default: #f)

This allows using substitutes to avoid building every dependencies of a job from source.

one-shot? (default: #f)

Only evaluate specifications and build derivations once.

fallback? (default: #f)

When substituting a pre-built binary fails, fall back to building packages locally.

load-path (default: '())

This allows users to define their own packages and make them visible to cuirass as in guix build command.

cuirass (default: cuirass)

The Cuirass package to use.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.21 Power Management Services

TLP daemon

The (gnu services pm) module provides a Guix service definition for the Linux power management tool TLP.

TLP enables various powersaving modes in userspace and kernel. Contrary to upower-service, it is not a passive, monitoring tool, as it will apply custom settings each time a new power source is detected. More information can be found at TLP home page.

Scheme Variable: tlp-service-type

The service type for the TLP tool. Its value should be a valid TLP configuration (see below). To use the default settings, simply write:

(service tlp-service-type)

By default TLP does not need much configuration but most TLP parameters can be tweaked using tlp-configuration.

Each parameter definition is preceded by its type; for example, ‘boolean foo’ indicates that the foo parameter should be specified as a boolean. Types starting with maybe- denote parameters that won’t show up in TLP config file when their value is 'disabled.

Available tlp-configuration fields are:

tlp-configuration parameter: package tlp

The TLP package.

tlp-configuration parameter: boolean tlp-enable?

Set to true if you wish to enable TLP.

Defaults to ‘#t’.

tlp-configuration parameter: string tlp-default-mode

Default mode when no power supply can be detected. Alternatives are AC and BAT.

Defaults to ‘"AC"’.

tlp-configuration parameter: non-negative-integer disk-idle-secs-on-ac

Number of seconds Linux kernel has to wait after the disk goes idle, before syncing on AC.

Defaults to ‘0’.

tlp-configuration parameter: non-negative-integer disk-idle-secs-on-bat

Same as disk-idle-ac but on BAT mode.

Defaults to ‘2’.

tlp-configuration parameter: non-negative-integer max-lost-work-secs-on-ac

Dirty pages flushing periodicity, expressed in seconds.

Defaults to ‘15’.

tlp-configuration parameter: non-negative-integer max-lost-work-secs-on-bat

Same as max-lost-work-secs-on-ac but on BAT mode.

Defaults to ‘60’.

tlp-configuration parameter: maybe-space-separated-string-list cpu-scaling-governor-on-ac

CPU frequency scaling governor on AC mode. With intel_pstate driver, alternatives are powersave and performance. With acpi-cpufreq driver, alternatives are ondemand, powersave, performance and conservative.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-space-separated-string-list cpu-scaling-governor-on-bat

Same as cpu-scaling-governor-on-ac but on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-scaling-min-freq-on-ac

Set the min available frequency for the scaling governor on AC.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-scaling-max-freq-on-ac

Set the max available frequency for the scaling governor on AC.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-scaling-min-freq-on-bat

Set the min available frequency for the scaling governor on BAT.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-scaling-max-freq-on-bat

Set the max available frequency for the scaling governor on BAT.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-min-perf-on-ac

Limit the min P-state to control the power dissipation of the CPU, in AC mode. Values are stated as a percentage of the available performance.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-max-perf-on-ac

Limit the max P-state to control the power dissipation of the CPU, in AC mode. Values are stated as a percentage of the available performance.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-min-perf-on-bat

Same as cpu-min-perf-on-ac on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-non-negative-integer cpu-max-perf-on-bat

Same as cpu-max-perf-on-ac on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-boolean cpu-boost-on-ac?

Enable CPU turbo boost feature on AC mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-boolean cpu-boost-on-bat?

Same as cpu-boost-on-ac? on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: boolean sched-powersave-on-ac?

Allow Linux kernel to minimize the number of CPU cores/hyper-threads used under light load conditions.

Defaults to ‘#f’.

tlp-configuration parameter: boolean sched-powersave-on-bat?

Same as sched-powersave-on-ac? but on BAT mode.

Defaults to ‘#t’.

tlp-configuration parameter: boolean nmi-watchdog?

Enable Linux kernel NMI watchdog.

Defaults to ‘#f’.

tlp-configuration parameter: maybe-string phc-controls

For Linux kernels with PHC patch applied, change CPU voltages. An example value would be ‘"F:V F:V F:V F:V"’.

Defaults to ‘disabled’.

tlp-configuration parameter: string energy-perf-policy-on-ac

Set CPU performance versus energy saving policy on AC. Alternatives are performance, normal, powersave.

Defaults to ‘"performance"’.

tlp-configuration parameter: string energy-perf-policy-on-bat

Same as energy-perf-policy-ac but on BAT mode.

Defaults to ‘"powersave"’.

tlp-configuration parameter: space-separated-string-list disks-devices

Hard disk devices.

tlp-configuration parameter: space-separated-string-list disk-apm-level-on-ac

Hard disk advanced power management level.

tlp-configuration parameter: space-separated-string-list disk-apm-level-on-bat

Same as disk-apm-bat but on BAT mode.

tlp-configuration parameter: maybe-space-separated-string-list disk-spindown-timeout-on-ac

Hard disk spin down timeout. One value has to be specified for each declared hard disk.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-space-separated-string-list disk-spindown-timeout-on-bat

Same as disk-spindown-timeout-on-ac but on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-space-separated-string-list disk-iosched

Select IO scheduler for disk devices. One value has to be specified for each declared hard disk. Example alternatives are cfq, deadline and noop.

Defaults to ‘disabled’.

tlp-configuration parameter: string sata-linkpwr-on-ac

SATA aggressive link power management (ALPM) level. Alternatives are min_power, medium_power, max_performance.

Defaults to ‘"max_performance"’.

tlp-configuration parameter: string sata-linkpwr-on-bat

Same as sata-linkpwr-ac but on BAT mode.

Defaults to ‘"min_power"’.

tlp-configuration parameter: maybe-string sata-linkpwr-blacklist

Exclude specified SATA host devices for link power management.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-on-off-boolean ahci-runtime-pm-on-ac?

Enable Runtime Power Management for AHCI controller and disks on AC mode.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-on-off-boolean ahci-runtime-pm-on-bat?

Same as ahci-runtime-pm-on-ac on BAT mode.

Defaults to ‘disabled’.

tlp-configuration parameter: non-negative-integer ahci-runtime-pm-timeout

Seconds of inactivity before disk is suspended.

Defaults to ‘15’.

tlp-configuration parameter: string pcie-aspm-on-ac

PCI Express Active State Power Management level. Alternatives are default, performance, powersave.

Defaults to ‘"performance"’.

tlp-configuration parameter: string pcie-aspm-on-bat

Same as pcie-aspm-ac but on BAT mode.

Defaults to ‘"powersave"’.

tlp-configuration parameter: string radeon-power-profile-on-ac

Radeon graphics clock speed level. Alternatives are low, mid, high, auto, default.

Defaults to ‘"high"’.

tlp-configuration parameter: string radeon-power-profile-on-bat

Same as radeon-power-ac but on BAT mode.

Defaults to ‘"low"’.

tlp-configuration parameter: string radeon-dpm-state-on-ac

Radeon dynamic power management method (DPM). Alternatives are battery, performance.

Defaults to ‘"performance"’.

tlp-configuration parameter: string radeon-dpm-state-on-bat

Same as radeon-dpm-state-ac but on BAT mode.

Defaults to ‘"battery"’.

tlp-configuration parameter: string radeon-dpm-perf-level-on-ac

Radeon DPM performance level. Alternatives are auto, low, high.

Defaults to ‘"auto"’.

tlp-configuration parameter: string radeon-dpm-perf-level-on-bat

Same as radeon-dpm-perf-ac but on BAT mode.

Defaults to ‘"auto"’.

tlp-configuration parameter: on-off-boolean wifi-pwr-on-ac?

Wifi power saving mode.

Defaults to ‘#f’.

tlp-configuration parameter: on-off-boolean wifi-pwr-on-bat?

Same as wifi-power-ac? but on BAT mode.

Defaults to ‘#t’.

tlp-configuration parameter: y-n-boolean wol-disable?

Disable wake on LAN.

Defaults to ‘#t’.

tlp-configuration parameter: non-negative-integer sound-power-save-on-ac

Timeout duration in seconds before activating audio power saving on Intel HDA and AC97 devices. A value of 0 disables power saving.

Defaults to ‘0’.

tlp-configuration parameter: non-negative-integer sound-power-save-on-bat

Same as sound-powersave-ac but on BAT mode.

Defaults to ‘1’.

tlp-configuration parameter: y-n-boolean sound-power-save-controller?

Disable controller in powersaving mode on Intel HDA devices.

Defaults to ‘#t’.

tlp-configuration parameter: boolean bay-poweroff-on-bat?

Enable optical drive in UltraBay/MediaBay on BAT mode. Drive can be powered on again by releasing (and reinserting) the eject lever or by pressing the disc eject button on newer models.

Defaults to ‘#f’.

tlp-configuration parameter: string bay-device

Name of the optical drive device to power off.

Defaults to ‘"sr0"’.

tlp-configuration parameter: string runtime-pm-on-ac

Runtime Power Management for PCI(e) bus devices. Alternatives are on and auto.

Defaults to ‘"on"’.

tlp-configuration parameter: string runtime-pm-on-bat

Same as runtime-pm-ac but on BAT mode.

Defaults to ‘"auto"’.

tlp-configuration parameter: boolean runtime-pm-all?

Runtime Power Management for all PCI(e) bus devices, except blacklisted ones.

Defaults to ‘#t’.

tlp-configuration parameter: maybe-space-separated-string-list runtime-pm-blacklist

Exclude specified PCI(e) device addresses from Runtime Power Management.

Defaults to ‘disabled’.

tlp-configuration parameter: space-separated-string-list runtime-pm-driver-blacklist

Exclude PCI(e) devices assigned to the specified drivers from Runtime Power Management.

tlp-configuration parameter: boolean usb-autosuspend?

Enable USB autosuspend feature.

Defaults to ‘#t’.

tlp-configuration parameter: maybe-string usb-blacklist

Exclude specified devices from USB autosuspend.

Defaults to ‘disabled’.

tlp-configuration parameter: boolean usb-blacklist-wwan?

Exclude WWAN devices from USB autosuspend.

Defaults to ‘#t’.

tlp-configuration parameter: maybe-string usb-whitelist

Include specified devices into USB autosuspend, even if they are already excluded by the driver or via usb-blacklist-wwan?.

Defaults to ‘disabled’.

tlp-configuration parameter: maybe-boolean usb-autosuspend-disable-on-shutdown?

Enable USB autosuspend before shutdown.

Defaults to ‘disabled’.

tlp-configuration parameter: boolean restore-device-state-on-startup?

Restore radio device state (bluetooth, wifi, wwan) from previous shutdown on system startup.

Defaults to ‘#f’.

Thermald daemon

The (gnu services pm) module provides an interface to thermald, a CPU frequency scaling service which helps prevent overheating.

Scheme Variable: thermald-service-type

This is the service type for thermald, the Linux Thermal Daemon, which is responsible for controlling the thermal state of processors and preventing overheating.

Data Type: thermald-configuration

Data type representing the configuration of thermald-service-type.

ignore-cpuid-check? (default: #f)

Ignore cpuid check for supported CPU models.

thermald (default: thermald)

Package object of thermald.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.22 Audio Services

The (gnu services audio) module provides a service to start MPD (the Music Player Daemon).

Music Player Daemon

The Music Player Daemon (MPD) is a service that can play music while being controlled from the local machine or over the network by a variety of clients.

The following example shows how one might run mpd as user "bob" on port 6666. It uses pulseaudio for output.

(service mpd-service-type
         (mpd-configuration
          (user "bob")
          (port "6666")))
Scheme Variable: mpd-service-type

The service type for mpd

Data Type: mpd-configuration

Data type representing the configuration of mpd.

user (default: "mpd")

The user to run mpd as.

music-dir (default: "~/Music")

The directory to scan for music files.

playlist-dir (default: "~/.mpd/playlists")

The directory to store playlists.

port (default: "6600")

The port to run mpd on.

address (default: "any")

The address that mpd will bind to. To use a Unix domain socket, an absolute path can be specified here.


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.23 Virtualization services

The (gnu services virtualization) module provides services for the libvirt and virtlog daemons, as well as other virtualization-related services.

Libvirt daemon

libvirtd is the server side daemon component of the libvirt virtualization management system. This daemon runs on host servers and performs required management tasks for virtualized guests.

Scheme Variable: libvirt-service-type

This is the type of the libvirt daemon. Its value must be a libvirt-configuration.

(service libvirt-service-type
         (libvirt-configuration
          (unix-sock-group "libvirt")
          (tls-port "16555")))

Available libvirt-configuration fields are:

libvirt-configuration parameter: package libvirt

Libvirt package.

libvirt-configuration parameter: boolean listen-tls?

Flag listening for secure TLS connections on the public TCP/IP port. must set listen for this to have any effect.

It is necessary to setup a CA and issue server certificates before using this capability.

Defaults to ‘#t’.

libvirt-configuration parameter: boolean listen-tcp?

Listen for unencrypted TCP connections on the public TCP/IP port. must set listen for this to have any effect.

Using the TCP socket requires SASL authentication by default. Only SASL mechanisms which support data encryption are allowed. This is DIGEST_MD5 and GSSAPI (Kerberos5)

Defaults to ‘#f’.

libvirt-configuration parameter: string tls-port

Port for accepting secure TLS connections This can be a port number, or service name

Defaults to ‘"16514"’.

libvirt-configuration parameter: string tcp-port

Port for accepting insecure TCP connections This can be a port number, or service name

Defaults to ‘"16509"’.

libvirt-configuration parameter: string listen-addr

IP address or hostname used for client connections.

Defaults to ‘"0.0.0.0"’.

libvirt-configuration parameter: boolean mdns-adv?

Flag toggling mDNS advertisement of the libvirt service.

Alternatively can disable for all services on a host by stopping the Avahi daemon.

Defaults to ‘#f’.

libvirt-configuration parameter: string mdns-name

Default mDNS advertisement name. This must be unique on the immediate broadcast network.

Defaults to ‘"Virtualization Host <hostname>"’.

libvirt-configuration parameter: string unix-sock-group

UNIX domain socket group ownership. This can be used to allow a ’trusted’ set of users access to management capabilities without becoming root.

Defaults to ‘"root"’.

libvirt-configuration parameter: string unix-sock-ro-perms

UNIX socket permissions for the R/O socket. This is used for monitoring VM status only.

Defaults to ‘"0777"’.

libvirt-configuration parameter: string unix-sock-rw-perms

UNIX socket permissions for the R/W socket. Default allows only root. If PolicyKit is enabled on the socket, the default will change to allow everyone (eg, 0777)

Defaults to ‘"0770"’.

libvirt-configuration parameter: string unix-sock-admin-perms

UNIX socket permissions for the admin socket. Default allows only owner (root), do not change it unless you are sure to whom you are exposing the access to.

Defaults to ‘"0777"’.

libvirt-configuration parameter: string unix-sock-dir

The directory in which sockets will be found/created.

Defaults to ‘"/var/run/libvirt"’.

libvirt-configuration parameter: string auth-unix-ro

Authentication scheme for UNIX read-only sockets. By default socket permissions allow anyone to connect

Defaults to ‘"polkit"’.

libvirt-configuration parameter: string auth-unix-rw

Authentication scheme for UNIX read-write sockets. By default socket permissions only allow root. If PolicyKit support was compiled into libvirt, the default will be to use ’polkit’ auth.

Defaults to ‘"polkit"’.

libvirt-configuration parameter: string auth-tcp

Authentication scheme for TCP sockets. If you don’t enable SASL, then all TCP traffic is cleartext. Don’t do this outside of a dev/test scenario.

Defaults to ‘"sasl"’.

libvirt-configuration parameter: string auth-tls

Authentication scheme for TLS sockets. TLS sockets already have encryption provided by the TLS layer, and limited authentication is done by certificates.

It is possible to make use of any SASL authentication mechanism as well, by using ’sasl’ for this option

Defaults to ‘"none"’.

libvirt-configuration parameter: optional-list access-drivers

API access control scheme.

By default an authenticated user is allowed access to all APIs. Access drivers can place restrictions on this.

Defaults to ‘()’.

libvirt-configuration parameter: string key-file

Server key file path. If set to an empty string, then no private key is loaded.

Defaults to ‘""’.

libvirt-configuration parameter: string cert-file

Server key file path. If set to an empty string, then no certificate is loaded.

Defaults to ‘""’.

libvirt-configuration parameter: string ca-file

Server key file path. If set to an empty string, then no CA certificate is loaded.

Defaults to ‘""’.

libvirt-configuration parameter: string crl-file

Certificate revocation list path. If set to an empty string, then no CRL is loaded.

Defaults to ‘""’.

libvirt-configuration parameter: boolean tls-no-sanity-cert

Disable verification of our own server certificates.

When libvirtd starts it performs some sanity checks against its own certificates.

Defaults to ‘#f’.

libvirt-configuration parameter: boolean tls-no-verify-cert

Disable verification of client certificates.

Client certificate verification is the primary authentication mechanism. Any client which does not present a certificate signed by the CA will be rejected.

Defaults to ‘#f’.

libvirt-configuration parameter: optional-list tls-allowed-dn-list

Whitelist of allowed x509 Distinguished Name.

Defaults to ‘()’.

libvirt-configuration parameter: optional-list sasl-allowed-usernames

Whitelist of allowed SASL usernames. The format for username depends on the SASL authentication mechanism.

Defaults to ‘()’.

libvirt-configuration parameter: string tls-priority

Override the compile time default TLS priority string. The default is usually "NORMAL" unless overridden at build time. Only set this is it is desired for libvirt to deviate from the global default settings.

Defaults to ‘"NORMAL"’.

libvirt-configuration parameter: integer max-clients

Maximum number of concurrent client connections to allow over all sockets combined.

Defaults to ‘5000’.

libvirt-configuration parameter: integer max-queued-clients

Maximum length of queue of connections waiting to be accepted by the daemon. Note, that some protocols supporting retransmission may obey this so that a later reattempt at connection succeeds.

Defaults to ‘1000’.

libvirt-configuration parameter: integer max-anonymous-clients

Maximum length of queue of accepted but not yet authenticated clients. Set this to zero to turn this feature off

Defaults to ‘20’.

libvirt-configuration parameter: integer min-workers

Number of workers to start up initially.

Defaults to ‘5’.

libvirt-configuration parameter: integer max-workers

Maximum number of worker threads.

If the number of active clients exceeds min-workers, then more threads are spawned, up to max_workers limit. Typically you’d want max_workers to equal maximum number of clients allowed.

Defaults to ‘20’.

libvirt-configuration parameter: integer prio-workers

Number of priority workers. If all workers from above pool are stuck, some calls marked as high priority (notably domainDestroy) can be executed in this pool.

Defaults to ‘5’.

libvirt-configuration parameter: integer max-requests

Total global limit on concurrent RPC calls.

Defaults to ‘20’.

libvirt-configuration parameter: integer max-client-requests

Limit on concurrent requests from a single client connection. To avoid one client monopolizing the server this should be a small fraction of the global max_requests and max_workers parameter.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-min-workers

Same as min-workers but for the admin interface.

Defaults to ‘1’.

libvirt-configuration parameter: integer admin-max-workers

Same as max-workers but for the admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-max-clients

Same as max-clients but for the admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-max-queued-clients

Same as max-queued-clients but for the admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-max-client-requests

Same as max-client-requests but for the admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer log-level

Logging level. 4 errors, 3 warnings, 2 information, 1 debug.

Defaults to ‘3’.

libvirt-configuration parameter: string log-filters

Logging filters.

A filter allows to select a different logging level for a given category of logs The format for a filter is one of:

where name is a string which is matched against the category given in the VIR_LOG_INIT() at the top of each libvirt source file, e.g., "remote", "qemu", or "util.json" (the name in the filter can be a substring of the full category name, in order to match multiple similar categories), the optional "+" prefix tells libvirt to log stack trace for each message matching name, and x is the minimal level where matching messages should be logged:

Multiple filters can be defined in a single filters statement, they just need to be separated by spaces.

Defaults to ‘"3:remote 4:event"’.

libvirt-configuration parameter: string log-outputs

Logging outputs.

An output is one of the places to save logging information The format for an output can be:

x:stderr

output goes to stderr

x:syslog:name

use syslog for the output and use the given name as the ident

x:file:file_path

output to a file, with the given filepath

x:journald

output to journald logging system

In all case the x prefix is the minimal level, acting as a filter

Multiple outputs can be defined, they just need to be separated by spaces.

Defaults to ‘"3:stderr"’.

libvirt-configuration parameter: integer audit-level

Allows usage of the auditing subsystem to be altered

Defaults to ‘1’.

libvirt-configuration parameter: boolean audit-logging

Send audit messages via libvirt logging infrastructure.

Defaults to ‘#f’.

libvirt-configuration parameter: optional-string host-uuid

Host UUID. UUID must not have all digits be the same.

Defaults to ‘""’.

libvirt-configuration parameter: string host-uuid-source

Source to read host UUID.

If dmidecode does not provide a valid UUID a temporary UUID will be generated.

Defaults to ‘"smbios"’.

libvirt-configuration parameter: integer keepalive-interval

A keepalive message is sent to a client after keepalive_interval seconds of inactivity to check if the client is still responding. If set to -1, libvirtd will never send keepalive requests; however clients can still send them and the daemon will send responses.

Defaults to ‘5’.

libvirt-configuration parameter: integer keepalive-count

Maximum number of keepalive messages that are allowed to be sent to the client without getting any response before the connection is considered broken.

In other words, the connection is automatically closed approximately after keepalive_interval * (keepalive_count + 1) seconds since the last message received from the client. When keepalive-count is set to 0, connections will be automatically closed after keepalive-interval seconds of inactivity without sending any keepalive messages.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-keepalive-interval

Same as above but for admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer admin-keepalive-count

Same as above but for admin interface.

Defaults to ‘5’.

libvirt-configuration parameter: integer ovs-timeout

Timeout for Open vSwitch calls.

The ovs-vsctl utility is used for the configuration and its timeout option is set by default to 5 seconds to avoid potential infinite waits blocking libvirt.

Defaults to ‘5’.

Virtlog daemon

The virtlogd service is a server side daemon component of libvirt that is used to manage logs from virtual machine consoles.

This daemon is not used directly by libvirt client applications, rather it is called on their behalf by libvirtd. By maintaining the logs in a standalone daemon, the main libvirtd daemon can be restarted without risk of losing logs. The virtlogd daemon has the ability to re-exec() itself upon receiving SIGUSR1, to allow live upgrades without downtime.

Scheme Variable: virtlog-service-type

This is the type of the virtlog daemon. Its value must be a virtlog-configuration.

(service virtlog-service-type
         (virtlog-configuration
          (max-clients 1000)))
virtlog-configuration parameter: integer log-level

Logging level. 4 errors, 3 warnings, 2 information, 1 debug.

Defaults to ‘3’.

virtlog-configuration parameter: string log-filters

Logging filters.

A filter allows to select a different logging level for a given category of logs The format for a filter is one of:

where name is a string which is matched against the category given in the VIR_LOG_INIT() at the top of each libvirt source file, e.g., "remote", "qemu", or "util.json" (the name in the filter can be a substring of the full category name, in order to match multiple similar categories), the optional "+" prefix tells libvirt to log stack trace for each message matching name, and x is the minimal level where matching messages should be logged:

Multiple filters can be defined in a single filters statement, they just need to be separated by spaces.

Defaults to ‘"3:remote 4:event"’.

virtlog-configuration parameter: string log-outputs

Logging outputs.

An output is one of the places to save logging information The format for an output can be:

x:stderr

output goes to stderr

x:syslog:name

use syslog for the output and use the given name as the ident

x:file:file_path

output to a file, with the given filepath

x:journald

output to journald logging system

In all case the x prefix is the minimal level, acting as a filter

Multiple outputs can be defined, they just need to be separated by spaces.

Defaults to ‘"3:stderr"’.

virtlog-configuration parameter: integer max-clients

Maximum number of concurrent client connections to allow over all sockets combined.

Defaults to ‘1024’.

virtlog-configuration parameter: integer max-size

Maximum file size before rolling over.

Defaults to ‘2MB

virtlog-configuration parameter: integer max-backups

Maximum number of backup files to keep.

Defaults to ‘3

Transparent Emulation with QEMU

qemu-binfmt-service-type provides support for transparent emulation of program binaries built for different architectures—e.g., it allows you to transparently execute an ARMv7 program on an x86_64 machine. It achieves this by combining the QEMU emulator and the binfmt_misc feature of the kernel Linux.

Scheme Variable: qemu-binfmt-service-type

This is the type of the QEMU/binfmt service for transparent emulation. Its value must be a qemu-binfmt-configuration object, which specifies the QEMU package to use as well as the architecture we want to emulated:

(service qemu-binfmt-service-type
         (qemu-binfmt-configuration
           (platforms (lookup-qemu-platforms "arm" "aarch64" "ppc"))))

In this example, we enable transparent emulation for the ARM and aarch64 platforms. Running herd stop qemu-binfmt turns it off, and running herd start qemu-binfmt turns it back on (see the herd command in The GNU Shepherd Manual).

Data Type: qemu-binfmt-configuration

This is the configuration for the qemu-binfmt service.

platforms (default: '())

The list of emulated QEMU platforms. Each item must be a platform object as returned by lookup-qemu-platforms (see below).

guix-support? (default: #f)

When it is true, QEMU and all its dependencies are added to the build environment of guix-daemon (see --chroot-directory option). This allows the binfmt_misc handlers to be used within the build environment, which in turn means that you can transparently build programs for another architecture.

For example, let’s suppose you’re on an x86_64 machine and you have this service:

(service qemu-binfmt-service-type
         (qemu-binfmt-configuration
           (platforms (lookup-qemu-platforms "arm"))
           (guix-support? #t)))

You can run:

guix build -s armhf-linux inkscape

and it will build Inkscape for ARMv7 as if it were a native build, transparently using QEMU to emulate the ARMv7 CPU. Pretty handy if you’d like to test a package build for an architecture you don’t have access to!

qemu (default: qemu)

The QEMU package to use.

Scheme Procedure: lookup-qemu-platforms platforms

Return the list of QEMU platform objects corresponding to platforms…. platforms must be a list of strings corresponding to platform names, such as "arm", "sparc", "mips64el", and so on.

Scheme Procedure: qemu-platform? obj

Return true if obj is a platform object.

Scheme Procedure: qemu-platform-name platform

Return the name of platform—a string such as "arm".


Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.24 Version Control Services

The (gnu services version-control) module provides a service to allow remote access to local Git repositories. There are three options: the git-daemon-service, which provides access to repositories via the git:// unsecured TCP-based protocol, extending the nginx web server to proxy some requests to git-http-backend, or providing a web interface with cgit-service-type.

Scheme Procedure: git-daemon-service [#:config (git-daemon-configuration)]

Return a service that runs git daemon, a simple TCP server to expose repositories over the Git protocol for anonymous access.

The optional config argument should be a <git-daemon-configuration> object, by default it allows read-only access to exported26 repositories under /srv/git.

Data Type: git-daemon-configuration

Data type representing the configuration for git-daemon-service.

package (default: git)

Package object of the Git distributed version control system.

export-all? (default: #f)

Whether to allow access for all Git repositories, even if they do not have the git-daemon-export-ok file.

base-path (default: /srv/git)

Whether to remap all the path requests as relative to the given path. If you run git daemon with (base-path "/srv/git") on example.com, then if you later try to pull git://example.com/hello.git, git daemon will interpret the path as /srv/git/hello.git.

user-path (default: #f)

Whether to allow ~user notation to be used in requests. When specified with empty string, requests to git://host/~alice/foo is taken as a request to access foo repository in the home directory of user alice. If (user-path "path") is specified, the same request is taken as a request to access path/foo repository in the home directory of user alice.

listen (default: ’())

Whether to listen on specific IP addresses or hostnames, defaults to all.

port (default: #f)

Whether to listen on an alternative port, which defaults to 9418.

whitelist (default: ’())

If not empty, only allow access to this list of directories.

extra-options (default: ’())

Extra options will be passed to git daemon, please run man git-daemon for more information.

The git:// protocol lacks authentication. When you pull from a repository fetched via git://, you don’t know that the data you receive was modified is really coming from the specified host, and you have your connection is subject to eavesdropping. It’s better to use an authenticated and encrypted transport, such as https. Although Git allows you to serve repositories using unsophisticated file-based web servers, there is a faster protocol implemented by the git-http-backend program. This program is the back-end of a proper Git web service. It is designed to sit behind a FastCGI proxy. See Web Services, for more on running the necessary fcgiwrap daemon.

Guix has a separate configuration data type for serving Git repositories over HTTP.

Data Type: git-http-configuration

Data type representing the configuration for git-http-service.

package (default: git)

Package object of the Git distributed version control system.

git-root (default: /srv/git)

Directory containing the Git repositories to expose to the world.

export-all? (default: #f)

Whether to expose access for all Git repositories in git-root, even if they do not have the git-daemon-export-ok file.

uri-path (default: /git/)

Path prefix for Git access. With the default /git/ prefix, this will map http://server/git/repo.git to /srv/git/repo.git. Requests whose URI paths do not begin with this prefix are not passed on to this Git instance.

fcgiwrap-socket (default: 127.0.0.1:9000)

The socket on which the fcgiwrap daemon is listening. See Web Services.

There is no git-http-service-type, currently; instead you can create an nginx-location-configuration from a git-http-configuration and then add that location to a web server.

Scheme Procedure: git-http-nginx-location-configuration [config=(git-http-configuration)]

Compute an nginx-location-configuration that corresponds to the given Git http configuration. An example nginx service definition to serve the default /srv/git over HTTPS might be:

(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (listen '("443 ssl"))
             (server-name "git.my-host.org")
             (ssl-certificate
              "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
             (ssl-certificate-key
              "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
             (locations
              (list
               (git-http-nginx-location-configuration
                (git-http-configuration (uri-path "/"))))))))))

This example assumes that you are using Let’s Encrypt to get your TLS certificate. See Certificate Services. The default certbot service will redirect all HTTP traffic on git.my-host.org to HTTPS. You will also need to add an fcgiwrap proxy to your system services. See Web Services.

Cgit Service

Cgit is a web frontend for Git repositories written in C.

The following example will configure the service with default values. By default, Cgit can be accessed on port 80 (http://localhost:80).

(service cgit-service-type)

The file-object type designates either a file-like object (see file-like objects) or a string.

Available cgit-configuration fields are:

cgit-configuration parameter: package package

The CGIT package.

cgit-configuration parameter: nginx-server-configuration-list nginx

NGINX configuration.

cgit-configuration parameter: file-object about-filter

Specifies a command which will be invoked to format the content of about pages (both top-level and for each repository).

Defaults to ‘""’.

cgit-configuration parameter: string agefile

Specifies a path, relative to each repository path, which can be used to specify the date and time of the youngest commit in the repository.

Defaults to ‘""’.

cgit-configuration parameter: file-object auth-filter

Specifies a command that will be invoked for authenticating repository access.

Defaults to ‘""’.

cgit-configuration parameter: string branch-sort

Flag which, when set to ‘age’, enables date ordering in the branch ref list, and when set ‘name’ enables ordering by branch name.

Defaults to ‘"name"’.

cgit-configuration parameter: string cache-root

Path used to store the cgit cache entries.

Defaults to ‘"/var/cache/cgit"’.

cgit-configuration parameter: integer cache-static-ttl

Number which specifies the time-to-live, in minutes, for the cached version of repository pages accessed with a fixed SHA1.

Defaults to ‘-1’.

cgit-configuration parameter: integer cache-dynamic-ttl

Number which specifies the time-to-live, in minutes, for the cached version of repository pages accessed without a fixed SHA1.

Defaults to ‘5’.

cgit-configuration parameter: integer cache-repo-ttl

Number which specifies the time-to-live, in minutes, for the cached version of the repository summary page.

Defaults to ‘5’.

cgit-configuration parameter: integer cache-root-ttl

Number which specifies the time-to-live, in minutes, for the cached version of the repository index page.

Defaults to ‘5’.

cgit-configuration parameter: integer cache-scanrc-ttl

Number which specifies the time-to-live, in minutes, for the result of scanning a path for Git repositories.

Defaults to ‘15’.

cgit-configuration parameter: integer cache-about-ttl

Number which specifies the time-to-live, in minutes, for the cached version of the repository about page.

Defaults to ‘15’.

cgit-configuration parameter: integer cache-snapshot-ttl

Number which specifies the time-to-live, in minutes, for the cached version of snapshots.

Defaults to ‘5’.

cgit-configuration parameter: integer cache-size

The maximum number of entries in the cgit cache. When set to ‘0’, caching is disabled.

Defaults to ‘0’.

cgit-configuration parameter: boolean case-sensitive-sort?

Sort items in the repo list case sensitively.

Defaults to ‘#t’.

cgit-configuration parameter: list clone-prefix

List of common prefixes which, when combined with a repository URL, generates valid clone URLs for the repository.

Defaults to ‘()’.

cgit-configuration parameter: list clone-url

List of clone-url templates.

Defaults to ‘()’.

cgit-configuration parameter: file-object commit-filter

Command which will be invoked to format commit messages.

Defaults to ‘""’.

cgit-configuration parameter: string commit-sort

Flag which, when set to ‘date’, enables strict date ordering in the commit log, and when set to ‘topo’ enables strict topological ordering.

Defaults to ‘"git log"’.

cgit-configuration parameter: file-object css

URL which specifies the css document to include in all cgit pages.

Defaults to ‘"/share/cgit/cgit.css"’.

cgit-configuration parameter: file-object email-filter

Specifies a command which will be invoked to format names and email address of committers, authors, and taggers, as represented in various places throughout the cgit interface.

Defaults to ‘""’.

cgit-configuration parameter: boolean embedded?

Flag which, when set to ‘#t’, will make cgit generate a HTML fragment suitable for embedding in other HTML pages.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-commit-graph?

Flag which, when set to ‘#t’, will make cgit print an ASCII-art commit history graph to the left of the commit messages in the repository log page.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-filter-overrides?

Flag which, when set to ‘#t’, allows all filter settings to be overridden in repository-specific cgitrc files.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-follow-links?

Flag which, when set to ‘#t’, allows users to follow a file in the log view.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-http-clone?

If set to ‘#t’, cgit will act as an dumb HTTP endpoint for Git clones.

Defaults to ‘#t’.

cgit-configuration parameter: boolean enable-index-links?

Flag which, when set to ‘#t’, will make cgit generate extra links "summary", "commit", "tree" for each repo in the repository index.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-index-owner?

Flag which, when set to ‘#t’, will make cgit display the owner of each repo in the repository index.

Defaults to ‘#t’.

cgit-configuration parameter: boolean enable-log-filecount?

Flag which, when set to ‘#t’, will make cgit print the number of modified files for each commit on the repository log page.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-log-linecount?

Flag which, when set to ‘#t’, will make cgit print the number of added and removed lines for each commit on the repository log page.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-remote-branches?

Flag which, when set to #t, will make cgit display remote branches in the summary and refs views.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-subject-links?

Flag which, when set to 1, will make cgit use the subject of the parent commit as link text when generating links to parent commits in commit view.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-html-serving?

Flag which, when set to ‘#t’, will make cgit use the subject of the parent commit as link text when generating links to parent commits in commit view.

Defaults to ‘#f’.

cgit-configuration parameter: boolean enable-tree-linenumbers?

Flag which, when set to ‘#t’, will make cgit generate linenumber links for plaintext blobs printed in the tree view.

Defaults to ‘#t’.

cgit-configuration parameter: boolean enable-git-config?

Flag which, when set to ‘#f’, will allow cgit to use Git config to set any repo specific settings.

Defaults to ‘#f’.

cgit-configuration parameter: file-object favicon

URL used as link to a shortcut icon for cgit.

Defaults to ‘"/favicon.ico"’.

cgit-configuration parameter: string footer

The content of the file specified with this option will be included verbatim at the bottom of all pages (i.e. it replaces the standard "generated by..." message).

Defaults to ‘""’.

cgit-configuration parameter: string head-include

The content of the file specified with this option will be included verbatim in the HTML HEAD section on all pages.

Defaults to ‘""’.

cgit-configuration parameter: string header

The content of the file specified with this option will be included verbatim at the top of all pages.

Defaults to ‘""’.

cgit-configuration parameter: file-object include

Name of a configfile to include before the rest of the current config- file is parsed.

Defaults to ‘""’.

cgit-configuration parameter: string index-header

The content of the file specified with this option will be included verbatim above the repository index.

Defaults to ‘""’.

cgit-configuration parameter: string index-info

The content of the file specified with this option will be included verbatim below the heading on the repository index page.

Defaults to ‘""’.

cgit-configuration parameter: boolean local-time?

Flag which, if set to ‘#t’, makes cgit print commit and tag times in the servers timezone.

Defaults to ‘#f’.

cgit-configuration parameter: file-object logo

URL which specifies the source of an image which will be used as a logo on all cgit pages.

Defaults to ‘"/share/cgit/cgit.png"’.

cgit-configuration parameter: string logo-link

URL loaded when clicking on the cgit logo image.

Defaults to ‘""’.

cgit-configuration parameter: file-object owner-filter

Command which will be invoked to format the Owner column of the main page.

Defaults to ‘""’.

cgit-configuration parameter: integer max-atom-items

Number of items to display in atom feeds view.

Defaults to ‘10’.

cgit-configuration parameter: integer max-commit-count

Number of entries to list per page in "log" view.

Defaults to ‘50’.

cgit-configuration parameter: integer max-message-length

Number of commit message characters to display in "log" view.

Defaults to ‘80’.

cgit-configuration parameter: integer max-repo-count

Specifies the number of entries to list per page on the repository index page.

Defaults to ‘50’.

cgit-configuration parameter: integer max-repodesc-length

Specifies the maximum number of repo description characters to display on the repository index page.

Defaults to ‘80’.

cgit-configuration parameter: integer max-blob-size

Specifies the maximum size of a blob to display HTML for in KBytes.

Defaults to ‘0’.

cgit-configuration parameter: string max-stats

Maximum statistics period. Valid values are ‘week’,‘month’, ‘quarter’ and ‘year’.

Defaults to ‘""’.

cgit-configuration parameter: mimetype-alist mimetype

Mimetype for the specified filename extension.

Defaults to ‘((gif "image/gif") (html "text/html") (jpg "image/jpeg") (jpeg "image/jpeg") (pdf "application/pdf") (png "image/png") (svg "image/svg+xml"))’.

cgit-configuration parameter: file-object mimetype-file

Specifies the file to use for automatic mimetype lookup.

Defaults to ‘""’.

cgit-configuration parameter: string module-link

Text which will be used as the formatstring for a hyperlink when a submodule is printed in a directory listing.

Defaults to ‘""’.

cgit-configuration parameter: boolean nocache?

If set to the value ‘#t’ caching will be disabled.

Defaults to ‘#f’.

cgit-configuration parameter: boolean noplainemail?

If set to ‘#t’ showing full author email addresses will be disabled.

Defaults to ‘#f’.

cgit-configuration parameter: boolean noheader?

Flag which, when set to ‘#t’, will make cgit omit the standard header on all pages.

Defaults to ‘#f’.

cgit-configuration parameter: project-list project-list

A list of subdirectories inside of repository-directory, relative to it, that should loaded as Git repositories. An empty list means that all subdirectories will be loaded.

Defaults to ‘()’.

cgit-configuration parameter: file-object readme

Text which will be used as default value for cgit-repo-readme.

Defaults to ‘""’.

cgit-configuration parameter: boolean remove-suffix?

If set to #t and repository-directory is enabled, if any repositories are found with a suffix of .git, this suffix will be removed for the URL and name.

Defaults to ‘#f’.

cgit-configuration parameter: integer renamelimit

Maximum number of files to consider when detecting renames.

Defaults to ‘-1’.

cgit-configuration parameter: string repository-sort

The way in which repositories in each section are sorted.

Defaults to ‘""’.

cgit-configuration parameter: robots-list robots

Text used as content for the robots meta-tag.

Defaults to ‘("noindex" "nofollow")’.

cgit-configuration parameter: string root-desc

Text printed below the heading on the repository index page.

Defaults to ‘"a fast webinterface for the git dscm"’.

cgit-configuration parameter: string root-readme

The content of the file specified with this option will be included verbatim below thef "about" link on the repository index page.

Defaults to ‘""’.

cgit-configuration parameter: string root-title

Text printed as heading on the repository index page.

Defaults to ‘""’.

cgit-configuration parameter: boolean scan-hidden-path

If set to ‘#t’ and repository-directory is enabled, repository-directory will recurse into directories whose name starts with a period. Otherwise, repository-directory will stay away from such directories, considered as "hidden". Note that this does not apply to the ".git" directory in non-bare repos.

Defaults to ‘#f’.

cgit-configuration parameter: list snapshots

Text which specifies the default set of snapshot formats that cgit generates links for.

Defaults to ‘()’.

cgit-configuration parameter: repository-directory repository-directory

Name of the directory to scan for repositories (represents scan-path).

Defaults to ‘"/srv/git"’.

cgit-configuration parameter: string section

The name of the current repository section - all repositories defined after this option will inherit the current section name.

Defaults to ‘""’.

cgit-configuration parameter: string section-sort

Flag which, when set to ‘1’, will sort the sections on the repository listing by name.

Defaults to ‘""’.

cgit-configuration parameter: integer section-from-path

A number which, if defined prior to repository-directory, specifies how many path elements from each repo path to use as a default section name.

Defaults to ‘0’.

cgit-configuration parameter: boolean side-by-side-diffs?

If set to ‘#t’ shows side-by-side diffs instead of unidiffs per default.

Defaults to ‘#f’.

cgit-configuration parameter: file-object source-filter

Specifies a command which will be invoked to format plaintext blobs in the tree view.

Defaults to ‘""’.

cgit-configuration parameter: integer summary-branches

Specifies the number of branches to display in the repository "summary" view.

Defaults to ‘10’.

cgit-configuration parameter: integer summary-log

Specifies the number of log entries to display in the repository "summary" view.

Defaults to ‘10’.

cgit-configuration parameter: integer summary-tags

Specifies the number of tags to display in the repository "summary" view.

Defaults to ‘10’.

cgit-configuration parameter: string strict-export

Filename which, if specified, needs to be present within the repository for cgit to allow access to that repository.

Defaults to ‘""’.

cgit-configuration parameter: string virtual-root

URL which, if specified, will be used as root for all cgit links.

Defaults to ‘"/"’.

cgit-configuration parameter: repository-cgit-configuration-list repositories

A list of cgit-repo records to use with config.

Defaults to ‘()’.

Available repository-cgit-configuration fields are:

repository-cgit-configuration parameter: repo-list snapshots

A mask of snapshot formats for this repo that cgit generates links for, restricted by the global snapshots setting.

Defaults to ‘()’.

repository-cgit-configuration parameter: repo-file-object source-filter

Override the default source-filter.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string url

The relative URL used to access the repository.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-file-object about-filter

Override the default about-filter.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string branch-sort

Flag which, when set to ‘age’, enables date ordering in the branch ref list, and when set to ‘name’ enables ordering by branch name.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-list clone-url

A list of URLs which can be used to clone repo.

Defaults to ‘()’.

repository-cgit-configuration parameter: repo-file-object commit-filter

Override the default commit-filter.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string commit-sort

Flag which, when set to ‘date’, enables strict date ordering in the commit log, and when set to ‘topo’ enables strict topological ordering.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string defbranch

The name of the default branch for this repository. If no such branch exists in the repository, the first branch name (when sorted) is used as default instead. By default branch pointed to by HEAD, or "master" if there is no suitable HEAD.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string desc

The value to show as repository description.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string homepage

The value to show as repository homepage.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-file-object email-filter

Override the default email-filter.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-boolean enable-commit-graph?

A flag which can be used to disable the global setting enable-commit-graph?.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean enable-log-filecount?

A flag which can be used to disable the global setting enable-log-filecount?.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean enable-log-linecount?

A flag which can be used to disable the global setting enable-log-linecount?.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean enable-remote-branches?

Flag which, when set to #t, will make cgit display remote branches in the summary and refs views.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean enable-subject-links?

A flag which can be used to override the global setting enable-subject-links?.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean enable-html-serving?

A flag which can be used to override the global setting enable-html-serving?.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean hide?

Flag which, when set to #t, hides the repository from the repository index.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-boolean ignore?

Flag which, when set to ‘#t’, ignores the repository.

Defaults to ‘#f’.

repository-cgit-configuration parameter: repo-file-object logo

URL which specifies the source of an image which will be used as a logo on this repo’s pages.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string logo-link

URL loaded when clicking on the cgit logo image.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-file-object owner-filter

Override the default owner-filter.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string module-link

Text which will be used as the formatstring for a hyperlink when a submodule is printed in a directory listing. The arguments for the formatstring are the path and SHA1 of the submodule commit.

Defaults to ‘""’.

repository-cgit-configuration parameter: module-link-path module-link-path

Text which will be used as the formatstring for a hyperlink when a submodule with the specified subdirectory path is printed in a directory listing.

Defaults to ‘()’.

repository-cgit-configuration parameter: repo-string max-stats

Override the default maximum statistics period.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string name

The value to show as repository name.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string owner

A value used to identify the owner of the repository.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string path

An absolute path to the repository directory.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string readme

A path (relative to repo) which specifies a file to include verbatim as the "About" page for this repo.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-string section

The name of the current repository section - all repositories defined after this option will inherit the current section name.

Defaults to ‘""’.

repository-cgit-configuration parameter: repo-list extra-options

Extra options will be appended to cgitrc file.

Defaults to ‘()’.

cgit-configuration parameter: list extra-options

Extra options will be appended to cgitrc file.

Defaults to ‘()’.

However, it could be that you just want to get a cgitrc up and running. In that case, you can pass an opaque-cgit-configuration as a record to cgit-service-type. As its name indicates, an opaque configuration does not have easy reflective capabilities.

Available opaque-cgit-configuration fields are:

opaque-cgit-configuration parameter: package cgit

The cgit package.

opaque-cgit-configuration parameter: string string

The contents of the cgitrc, as a string.

For example, if your cgitrc is just the empty string, you could instantiate a cgit service like this:

(service cgit-service-type
         (opaque-cgit-configuration
          (cgitrc "")))

Next: , Previous: , Up: Services   [Contents][Index]

6.2.7.25 Game Services

The Battle for Wesnoth Service

The Battle for Wesnoth is a fantasy, turn based tactical strategy game, with several single player campaigns, and multiplayer games (both networked and local).

Variable: Scheme Variable wesnothd-service-type

Service type for the wesnothd service. Its value must be a wesnothd-configuration object. To run wesnothd in the default configuration, instantiate it as:

(service wesnothd-service-type)
Data Type: wesnothd-configuration

Data type representing the configuration of wesnothd.

package (default: wesnoth-server)

The wesnoth server package to use.

port (default: 15000)

The port to bind the server to.


Previous: , Up: Services   [Contents][Index]

6.2.7.26 Miscellaneous Services

Fingerprint Service

The (gnu services fingerprint) module provides a DBus service to read and identify fingerprints via a fingerprint sensor.

Scheme Variable: fprintd-service-type

The service type for fprintd, which provides the fingerprint reading capability.

(service fprintd-service-type)

System Control Service

The (gnu services sysctl) provides a service to configure kernel parameters at boot.

Scheme Variable: sysctl-service-type

The service type for sysctl, which modifies kernel parameters under /proc/sys/. To enable IPv4 forwarding, it can be instantiated as:

(service sysctl-service-type
         (sysctl-configuration
           (settings '(("net.ipv4.ip_f