6 @documentencoding UTF-8
7 @settitle GNU Guix Reference Manual
12 @c Identifier of the OpenPGP key used to sign tarballs and such.
13 @set OPENPGP-SIGNING-KEY-ID 27D586A4F8900854329FF09F1260E46482E63562
14 @set OPENPGP-SIGNING-KEY-URL https://sv.gnu.org/people/viewgpg.php?user_id=127547
16 @c Base URL for downloads.
17 @set BASE-URL https://ftp.gnu.org/gnu/guix
19 @c The official substitute server used by default.
20 @set SUBSTITUTE-SERVER-1 ci.guix.gnu.org
21 @set SUBSTITUTE-SERVER-2 bordeaux.guix.gnu.org
22 @set SUBSTITUTE-URLS https://@value{SUBSTITUTE-SERVER-1} https://@value{SUBSTITUTE-SERVER-2}
25 Copyright @copyright{} 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès@*
26 Copyright @copyright{} 2013, 2014, 2016 Andreas Enge@*
27 Copyright @copyright{} 2013 Nikita Karetnikov@*
28 Copyright @copyright{} 2014, 2015, 2016 Alex Kost@*
29 Copyright @copyright{} 2015, 2016 Mathieu Lirzin@*
30 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
31 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
32 Copyright @copyright{} 2015, 2016, 2017, 2019, 2020, 2021 Leo Famulari@*
33 Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020 Ricardo Wurmus@*
34 Copyright @copyright{} 2016 Ben Woodcroft@*
35 Copyright @copyright{} 2016, 2017, 2018, 2021 Chris Marusich@*
36 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Efraim Flashner@*
37 Copyright @copyright{} 2016 John Darrington@*
38 Copyright @copyright{} 2016, 2017 Nikita Gillmann@*
39 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020 Jan Nieuwenhuizen@*
40 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Julien Lepiller@*
41 Copyright @copyright{} 2016 Alex ter Weele@*
42 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Christopher Baines@*
43 Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
44 Copyright @copyright{} 2017, 2018, 2020, 2021 Mathieu Othacehe@*
45 Copyright @copyright{} 2017 Federico Beffa@*
46 Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
47 Copyright @copyright{} 2017 Thomas Danckaert@*
48 Copyright @copyright{} 2017 humanitiesNerd@*
49 Copyright @copyright{} 2017, 2021 Christopher Lemmer Webber@*
50 Copyright @copyright{} 2017, 2018, 2019, 2020 Marius Bakke@*
51 Copyright @copyright{} 2017, 2019, 2020 Hartmut Goebel@*
52 Copyright @copyright{} 2017, 2019, 2020, 2021 Maxim Cournoyer@*
53 Copyright @copyright{} 2017, 2018, 2019, 2020, 2021 Tobias Geerinckx-Rice@*
54 Copyright @copyright{} 2017 George Clemmer@*
55 Copyright @copyright{} 2017 Andy Wingo@*
56 Copyright @copyright{} 2017, 2018, 2019, 2020 Arun Isaac@*
57 Copyright @copyright{} 2017 nee@*
58 Copyright @copyright{} 2018 Rutger Helling@*
59 Copyright @copyright{} 2018, 2021 Oleg Pykhalov@*
60 Copyright @copyright{} 2018 Mike Gerwitz@*
61 Copyright @copyright{} 2018 Pierre-Antoine Rouby@*
62 Copyright @copyright{} 2018, 2019 Gábor Boskovits@*
63 Copyright @copyright{} 2018, 2019, 2020 Florian Pelz@*
64 Copyright @copyright{} 2018 Laura Lazzati@*
65 Copyright @copyright{} 2018 Alex Vong@*
66 Copyright @copyright{} 2019 Josh Holland@*
67 Copyright @copyright{} 2019, 2020 Diego Nicola Barbato@*
68 Copyright @copyright{} 2019 Ivan Petkov@*
69 Copyright @copyright{} 2019 Jakob L. Kreuze@*
70 Copyright @copyright{} 2019 Kyle Andrews@*
71 Copyright @copyright{} 2019 Alex Griffin@*
72 Copyright @copyright{} 2019, 2020, 2021 Guillaume Le Vaillant@*
73 Copyright @copyright{} 2020 Leo Prikler@*
74 Copyright @copyright{} 2019, 2020 Simon Tournier@*
75 Copyright @copyright{} 2020 Wiktor Żelazny@*
76 Copyright @copyright{} 2020 Damien Cassou@*
77 Copyright @copyright{} 2020 Jakub Kądziołka@*
78 Copyright @copyright{} 2020 Jack Hill@*
79 Copyright @copyright{} 2020 Naga Malleswari@*
80 Copyright @copyright{} 2020, 2021 Brice Waegeneire@*
81 Copyright @copyright{} 2020 R Veera Kumar@*
82 Copyright @copyright{} 2020 Pierre Langlois@*
83 Copyright @copyright{} 2020 pinoaffe@*
84 Copyright @copyright{} 2020 André Batista@*
85 Copyright @copyright{} 2020, 2021 Alexandru-Sergiu Marton@*
86 Copyright @copyright{} 2020 raingloom@*
87 Copyright @copyright{} 2020 Daniel Brooks@*
88 Copyright @copyright{} 2020 John Soo@*
89 Copyright @copyright{} 2020 Jonathan Brielmaier@*
90 Copyright @copyright{} 2020 Edgar Vincent@*
91 Copyright @copyright{} 2021 Maxime Devos@*
92 Copyright @copyright{} 2021 B. Wilson@*
93 Copyright @copyright{} 2021 Xinglu Chen@*
94 Copyright @copyright{} 2021 Raghav Gururajan@*
95 Copyright @copyright{} 2021 Domagoj Stolfa@*
96 Copyright @copyright{} 2021 Hui Lu@*
98 Permission is granted to copy, distribute and/or modify this document
99 under the terms of the GNU Free Documentation License, Version 1.3 or
100 any later version published by the Free Software Foundation; with no
101 Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
102 copy of the license is included in the section entitled ``GNU Free
103 Documentation License''.
106 @dircategory System administration
108 * Guix: (guix). Manage installed software and system configuration.
109 * guix package: (guix)Invoking guix package. Installing, removing, and upgrading packages.
110 * guix gc: (guix)Invoking guix gc. Reclaiming unused disk space.
111 * guix pull: (guix)Invoking guix pull. Update the list of available packages.
112 * guix system: (guix)Invoking guix system. Manage the operating system configuration.
113 * guix deploy: (guix)Invoking guix deploy. Manage operating system configurations for remote hosts.
116 @dircategory Software development
118 * guix environment: (guix)Invoking guix environment. Building development environments with Guix.
119 * guix build: (guix)Invoking guix build. Building packages.
120 * guix pack: (guix)Invoking guix pack. Creating binary bundles.
124 @title GNU Guix Reference Manual
125 @subtitle Using the GNU Guix Functional Package Manager
126 @author The GNU Guix Developers
129 @vskip 0pt plus 1filll
130 Edition @value{EDITION} @*
138 @c *********************************************************************
142 This document describes GNU Guix version @value{VERSION}, a functional
143 package management tool written for the GNU system.
145 @c TRANSLATORS: You can replace the following paragraph with information on
146 @c how to join your own translation team and how to report issues with the
148 This manual is also available in Simplified Chinese (@pxref{Top,,, guix.zh_CN,
149 GNU Guix参考手册}), French (@pxref{Top,,, guix.fr, Manuel de référence de GNU
150 Guix}), German (@pxref{Top,,, guix.de, Referenzhandbuch zu GNU Guix}),
151 Spanish (@pxref{Top,,, guix.es, Manual de referencia de GNU Guix}), and
152 Russian (@pxref{Top,,, guix.ru, Руководство GNU Guix}). If you
153 would like to translate it in your native language, consider joining
154 @uref{https://translate.fedoraproject.org/projects/guix/documentation-manual,
155 Weblate} (@pxref{Translating Guix}).
158 * Introduction:: What is Guix about?
159 * Installation:: Installing Guix.
160 * System Installation:: Installing the whole operating system.
161 * Getting Started:: Your first steps.
162 * Package Management:: Package installation, upgrade, etc.
163 * Channels:: Customizing the package collection.
164 * Development:: Guix-aided software development.
165 * Programming Interface:: Using Guix in Scheme.
166 * Utilities:: Package management commands.
167 * System Configuration:: Configuring the operating system.
168 * Documentation:: Browsing software user manuals.
169 * Installing Debugging Files:: Feeding the debugger.
170 * Security Updates:: Deploying security fixes quickly.
171 * Bootstrapping:: GNU/Linux built from scratch.
172 * Porting:: Targeting another platform or kernel.
173 * Contributing:: Your help needed!
175 * Acknowledgments:: Thanks!
176 * GNU Free Documentation License:: The license of this manual.
177 * Concept Index:: Concepts.
178 * Programming Index:: Data types, functions, and variables.
181 --- The Detailed Node Listing ---
185 * Managing Software the Guix Way:: What's special.
186 * GNU Distribution:: The packages and tools.
190 * Binary Installation:: Getting Guix running in no time!
191 * Requirements:: Software needed to build and run Guix.
192 * Running the Test Suite:: Testing Guix.
193 * Setting Up the Daemon:: Preparing the build daemon's environment.
194 * Invoking guix-daemon:: Running the build daemon.
195 * Application Setup:: Application-specific setup.
196 * Upgrading Guix:: Upgrading Guix and its build daemon.
198 Setting Up the Daemon
200 * Build Environment Setup:: Preparing the isolated build environment.
201 * Daemon Offload Setup:: Offloading builds to remote machines.
202 * SELinux Support:: Using an SELinux policy for the daemon.
206 * Limitations:: What you can expect.
207 * Hardware Considerations:: Supported hardware.
208 * USB Stick and DVD Installation:: Preparing the installation medium.
209 * Preparing for Installation:: Networking, partitioning, etc.
210 * Guided Graphical Installation:: Easy graphical installation.
211 * Manual Installation:: Manual installation for wizards.
212 * After System Installation:: When installation succeeded.
213 * Installing Guix in a VM:: Guix System playground.
214 * Building the Installation Image:: How this comes to be.
218 * Keyboard Layout and Networking and Partitioning:: Initial setup.
219 * Proceeding with the Installation:: Installing.
223 * Features:: How Guix will make your life brighter.
224 * Invoking guix package:: Package installation, removal, etc.
225 * Substitutes:: Downloading pre-built binaries.
226 * Packages with Multiple Outputs:: Single source package, multiple outputs.
227 * Invoking guix gc:: Running the garbage collector.
228 * Invoking guix pull:: Fetching the latest Guix and distribution.
229 * Invoking guix time-machine:: Running an older revision of Guix.
230 * Inferiors:: Interacting with another revision of Guix.
231 * Invoking guix describe:: Display information about your Guix revision.
232 * Invoking guix archive:: Exporting and importing store files.
236 * Official Substitute Servers:: One particular source of substitutes.
237 * Substitute Server Authorization:: How to enable or disable substitutes.
238 * Getting Substitutes from Other Servers:: Substitute diversity.
239 * Substitute Authentication:: How Guix verifies substitutes.
240 * Proxy Settings:: How to get substitutes via proxy.
241 * Substitution Failure:: What happens when substitution fails.
242 * On Trusting Binaries:: How can you trust that binary blob?
246 * Specifying Additional Channels:: Extending the package collection.
247 * Using a Custom Guix Channel:: Using a customized Guix.
248 * Replicating Guix:: Running the @emph{exact same} Guix.
249 * Channel Authentication:: How Guix verifies what it fetches.
250 * Channels with Substitutes:: Using channels with available substitutes.
251 * Creating a Channel:: How to write your custom channel.
252 * Package Modules in a Sub-directory:: Specifying the channel's package modules location.
253 * Declaring Channel Dependencies:: How to depend on other channels.
254 * Specifying Channel Authorizations:: Defining channel authors authorizations.
255 * Primary URL:: Distinguishing mirror to original.
256 * Writing Channel News:: Communicating information to channel's users.
260 * Invoking guix environment:: Setting up development environments.
261 * Invoking guix pack:: Creating software bundles.
262 * The GCC toolchain:: Working with languages supported by GCC.
263 * Invoking guix git authenticate:: Authenticating Git repositories.
265 Programming Interface
267 * Package Modules:: Packages from the programmer's viewpoint.
268 * Defining Packages:: Defining new packages.
269 * Defining Package Variants:: Customizing packages.
270 * Build Systems:: Specifying how packages are built.
271 * Build Phases:: Phases of the build process of a package.
272 * Build Utilities:: Helpers for your package definitions and more.
273 * The Store:: Manipulating the package store.
274 * Derivations:: Low-level interface to package derivations.
275 * The Store Monad:: Purely functional interface to the store.
276 * G-Expressions:: Manipulating build expressions.
277 * Invoking guix repl:: Programming Guix in Guile.
281 * package Reference:: The package data type.
282 * origin Reference:: The origin data type.
286 * Invoking guix build:: Building packages from the command line.
287 * Invoking guix edit:: Editing package definitions.
288 * Invoking guix download:: Downloading a file and printing its hash.
289 * Invoking guix hash:: Computing the cryptographic hash of a file.
290 * Invoking guix import:: Importing package definitions.
291 * Invoking guix refresh:: Updating package definitions.
292 * Invoking guix lint:: Finding errors in package definitions.
293 * Invoking guix size:: Profiling disk usage.
294 * Invoking guix graph:: Visualizing the graph of packages.
295 * Invoking guix publish:: Sharing substitutes.
296 * Invoking guix challenge:: Challenging substitute servers.
297 * Invoking guix copy:: Copying to and from a remote store.
298 * Invoking guix container:: Process isolation.
299 * Invoking guix weather:: Assessing substitute availability.
300 * Invoking guix processes:: Listing client processes.
302 Invoking @command{guix build}
304 * Common Build Options:: Build options for most commands.
305 * Package Transformation Options:: Creating variants of packages.
306 * Additional Build Options:: Options specific to 'guix build'.
307 * Debugging Build Failures:: Real life packaging experience.
311 * Using the Configuration System:: Customizing your GNU system.
312 * operating-system Reference:: Detail of operating-system declarations.
313 * File Systems:: Configuring file system mounts.
314 * Mapped Devices:: Block device extra processing.
315 * User Accounts:: Specifying user accounts.
316 * Keyboard Layout:: How the system interprets key strokes.
317 * Locales:: Language and cultural convention settings.
318 * Services:: Specifying system services.
319 * Setuid Programs:: Programs running with root privileges.
320 * X.509 Certificates:: Authenticating HTTPS servers.
321 * Name Service Switch:: Configuring libc's name service switch.
322 * Initial RAM Disk:: Linux-Libre bootstrapping.
323 * Bootloader Configuration:: Configuring the boot loader.
324 * Invoking guix system:: Instantiating a system configuration.
325 * Invoking guix deploy:: Deploying a system configuration to a remote host.
326 * Running Guix in a VM:: How to run Guix System in a virtual machine.
327 * Defining Services:: Adding new service definitions.
331 * Base Services:: Essential system services.
332 * Scheduled Job Execution:: The mcron service.
333 * Log Rotation:: The rottlog service.
334 * Networking Services:: Network setup, SSH daemon, etc.
335 * Unattended Upgrades:: Automated system upgrades.
336 * X Window:: Graphical display.
337 * Printing Services:: Local and remote printer support.
338 * Desktop Services:: D-Bus and desktop services.
339 * Sound Services:: ALSA and Pulseaudio services.
340 * Database Services:: SQL databases, key-value stores, etc.
341 * Mail Services:: IMAP, POP3, SMTP, and all that.
342 * Messaging Services:: Messaging services.
343 * Telephony Services:: Telephony services.
344 * Monitoring Services:: Monitoring services.
345 * Kerberos Services:: Kerberos services.
346 * LDAP Services:: LDAP services.
347 * Web Services:: Web servers.
348 * Certificate Services:: TLS certificates via Let's Encrypt.
349 * DNS Services:: DNS daemons.
350 * VPN Services:: VPN daemons.
351 * Network File System:: NFS related services.
352 * Continuous Integration:: Cuirass and Laminar services.
353 * Power Management Services:: Extending battery life.
354 * Audio Services:: The MPD.
355 * Virtualization Services:: Virtualization services.
356 * Version Control Services:: Providing remote access to Git repositories.
357 * Game Services:: Game servers.
358 * PAM Mount Service:: Service to mount volumes when logging in.
359 * Guix Services:: Services relating specifically to Guix.
360 * Linux Services:: Services tied to the Linux kernel.
361 * Hurd Services:: Services specific for a Hurd System.
362 * Miscellaneous Services:: Other services.
366 * Service Composition:: The model for composing services.
367 * Service Types and Services:: Types and services.
368 * Service Reference:: API reference.
369 * Shepherd Services:: A particular type of service.
371 Installing Debugging Files
373 * Separate Debug Info:: Installing 'debug' outputs.
374 * Rebuilding Debug Info:: Building missing debug info.
378 * Reduced Binary Seed Bootstrap:: A Bootstrap worthy of GNU.
379 * Preparing to Use the Bootstrap Binaries:: Building that what matters most.
384 @c *********************************************************************
386 @chapter Introduction
389 GNU Guix@footnote{``Guix'' is pronounced like ``geeks'', or ``ɡiːks''
390 using the international phonetic alphabet (IPA).} is a package
391 management tool for and distribution of the GNU system.
392 Guix makes it easy for unprivileged
393 users to install, upgrade, or remove software packages, to roll back to a
394 previous package set, to build packages from source, and generally
395 assists with the creation and maintenance of software environments.
398 @cindex GuixSD, now Guix System
399 @cindex Guix System Distribution, now Guix System
400 You can install GNU@tie{}Guix on top of an existing GNU/Linux system where it
401 complements the available tools without interference (@pxref{Installation}),
402 or you can use it as a standalone operating system distribution,
403 @dfn{Guix@tie{}System}@footnote{We used to refer to Guix System as ``Guix
404 System Distribution'' or ``GuixSD''. We now consider it makes more sense to
405 group everything under the ``Guix'' banner since, after all, Guix System is
406 readily available through the @command{guix system} command, even if you're
407 using a different distro underneath!}. @xref{GNU Distribution}.
410 * Managing Software the Guix Way:: What's special.
411 * GNU Distribution:: The packages and tools.
414 @node Managing Software the Guix Way
415 @section Managing Software the Guix Way
417 @cindex user interfaces
418 Guix provides a command-line package management interface
419 (@pxref{Package Management}), tools to help with software development
420 (@pxref{Development}), command-line utilities for more advanced usage
421 (@pxref{Utilities}), as well as Scheme programming interfaces
422 (@pxref{Programming Interface}).
424 Its @dfn{build daemon} is responsible for building packages on behalf of
425 users (@pxref{Setting Up the Daemon}) and for downloading pre-built
426 binaries from authorized sources (@pxref{Substitutes}).
428 @cindex extensibility of the distribution
429 @cindex customization, of packages
430 Guix includes package definitions for many GNU and non-GNU packages, all
431 of which @uref{https://www.gnu.org/philosophy/free-sw.html, respect the
432 user's computing freedom}. It is @emph{extensible}: users can write
433 their own package definitions (@pxref{Defining Packages}) and make them
434 available as independent package modules (@pxref{Package Modules}). It
435 is also @emph{customizable}: users can @emph{derive} specialized package
436 definitions from existing ones, including from the command line
437 (@pxref{Package Transformation Options}).
439 @cindex functional package management
441 Under the hood, Guix implements the @dfn{functional package management}
442 discipline pioneered by Nix (@pxref{Acknowledgments}).
443 In Guix, the package build and installation process is seen
444 as a @emph{function}, in the mathematical sense. That function takes inputs,
445 such as build scripts, a compiler, and libraries, and
446 returns an installed package. As a pure function, its result depends
447 solely on its inputs---for instance, it cannot refer to software or
448 scripts that were not explicitly passed as inputs. A build function
449 always produces the same result when passed a given set of inputs. It
450 cannot alter the environment of the running system in
451 any way; for instance, it cannot create, modify, or delete files outside
452 of its build and installation directories. This is achieved by running
453 build processes in isolated environments (or @dfn{containers}), where only their
454 explicit inputs are visible.
457 The result of package build functions is @dfn{cached} in the file
458 system, in a special directory called @dfn{the store} (@pxref{The
459 Store}). Each package is installed in a directory of its own in the
460 store---by default under @file{/gnu/store}. The directory name contains
461 a hash of all the inputs used to build that package; thus, changing an
462 input yields a different directory name.
464 This approach is the foundation for the salient features of Guix: support
465 for transactional package upgrade and rollback, per-user installation, and
466 garbage collection of packages (@pxref{Features}).
469 @node GNU Distribution
470 @section GNU Distribution
473 Guix comes with a distribution of the GNU system consisting entirely of
474 free software@footnote{The term ``free'' here refers to the
475 @url{https://www.gnu.org/philosophy/free-sw.html,freedom provided to
476 users of that software}.}. The
477 distribution can be installed on its own (@pxref{System Installation}),
478 but it is also possible to install Guix as a package manager on top of
479 an installed GNU/Linux system (@pxref{Installation}). When we need to
480 distinguish between the two, we refer to the standalone distribution as
483 The distribution provides core GNU packages such as GNU libc, GCC, and
484 Binutils, as well as many GNU and non-GNU applications. The complete
485 list of available packages can be browsed
486 @url{https://www.gnu.org/software/guix/packages,on-line} or by
487 running @command{guix package} (@pxref{Invoking guix package}):
490 guix package --list-available
493 Our goal is to provide a practical 100% free software distribution of
494 Linux-based and other variants of GNU, with a focus on the promotion and
495 tight integration of GNU components, and an emphasis on programs and
496 tools that help users exert that freedom.
498 Packages are currently available on the following platforms:
503 Intel/AMD @code{x86_64} architecture, Linux-Libre kernel.
506 Intel 32-bit architecture (IA32), Linux-Libre kernel.
509 ARMv7-A architecture with hard float, Thumb-2 and NEON,
510 using the EABI hard-float application binary interface (ABI),
511 and Linux-Libre kernel.
514 little-endian 64-bit ARMv8-A processors, Linux-Libre kernel.
517 @uref{https://hurd.gnu.org, GNU/Hurd} on the Intel 32-bit architecture
520 This configuration is experimental and under development. The easiest
521 way for you to give it a try is by setting up an instance of
522 @code{hurd-vm-service-type} on your GNU/Linux machine
523 (@pxref{transparent-emulation-qemu, @code{hurd-vm-service-type}}).
524 @xref{Contributing}, on how to help!
526 @item mips64el-linux (deprecated)
527 little-endian 64-bit MIPS processors, specifically the Loongson series,
528 n32 ABI, and Linux-Libre kernel. This configuration is no longer fully
529 supported; in particular, there is no ongoing work to ensure that this
530 architecture still works. Should someone decide they wish to revive this
531 architecture then the code is still available.
533 @item powerpc64le-linux
534 little-endian 64-bit Power ISA processors, Linux-Libre kernel. This
535 includes POWER9 systems such as the
536 @uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom,
537 RYF Talos II mainboard}. This platform is available as a "technology
538 preview": although it is supported, substitutes are not yet available
539 from the build farm (@pxref{Substitutes}), and some packages may fail to
540 build (@pxref{Tracking Bugs and Patches}). That said, the Guix
541 community is actively working on improving this support, and now is a
542 great time to try it and get involved!
546 With Guix@tie{}System, you @emph{declare} all aspects of the operating system
547 configuration and Guix takes care of instantiating the configuration in a
548 transactional, reproducible, and stateless fashion (@pxref{System
549 Configuration}). Guix System uses the Linux-libre kernel, the Shepherd
550 initialization system (@pxref{Introduction,,, shepherd, The GNU Shepherd
551 Manual}), the well-known GNU utilities and tool chain, as well as the
552 graphical environment or system services of your choice.
554 Guix System is available on all the above platforms except
555 @code{mips64el-linux} and @code{powerpc64le-linux}.
558 For information on porting to other architectures or kernels,
561 Building this distribution is a cooperative effort, and you are invited
562 to join! @xref{Contributing}, for information about how you can help.
565 @c *********************************************************************
567 @chapter Installation
569 @cindex installing Guix
572 We recommend the use of this
573 @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh,
574 shell installer script} to install Guix on top of a running GNU/Linux system,
575 thereafter called a @dfn{foreign distro}.@footnote{This section is concerned
576 with the installation of the package manager, which can be done on top of a
577 running GNU/Linux system. If, instead, you want to install the complete GNU
578 operating system, @pxref{System Installation}.} The script automates the
579 download, installation, and initial configuration of Guix. It should be run
583 @cindex foreign distro
584 @cindex directories related to foreign distro
585 When installed on a foreign distro, GNU@tie{}Guix complements the available
586 tools without interference. Its data lives exclusively in two directories,
587 usually @file{/gnu/store} and @file{/var/guix}; other files on your system,
588 such as @file{/etc}, are left untouched.
590 Once installed, Guix can be updated by running @command{guix pull}
591 (@pxref{Invoking guix pull}).
593 If you prefer to perform the installation steps manually or want to tweak
594 them, you may find the following subsections useful. They describe the
595 software requirements of Guix, as well as how to install it manually and get
599 * Binary Installation:: Getting Guix running in no time!
600 * Requirements:: Software needed to build and run Guix.
601 * Running the Test Suite:: Testing Guix.
602 * Setting Up the Daemon:: Preparing the build daemon's environment.
603 * Invoking guix-daemon:: Running the build daemon.
604 * Application Setup:: Application-specific setup.
605 * Upgrading Guix:: Upgrading Guix and its build daemon.
608 @node Binary Installation
609 @section Binary Installation
611 @cindex installing Guix from binaries
612 @cindex installer script
613 This section describes how to install Guix on an arbitrary system from a
614 self-contained tarball providing binaries for Guix and for all its
615 dependencies. This is often quicker than installing from source, which
616 is described in the next sections. The only requirement is to have
619 @c Note duplicated from the ``Installation'' node.
621 We recommend the use of this
622 @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh,
623 shell installer script}. The script automates the download, installation, and
624 initial configuration steps described below. It should be run as the root
625 user. As root, you can thus run this:
629 wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
630 chmod +x guix-install.sh
634 When you're done, @pxref{Application Setup} for extra configuration you
635 might need, and @ref{Getting Started} for your first steps!
638 Installing goes along these lines:
642 @cindex downloading Guix binary
643 Download the binary tarball from
644 @indicateurl{@value{BASE-URL}/guix-binary-@value{VERSION}.x86_64-linux.tar.xz},
645 where @code{x86_64-linux} can be replaced with @code{i686-linux} for an
646 @code{i686} (32-bits) machine already running the kernel Linux, and so on
647 (@pxref{GNU Distribution}).
649 @c The following is somewhat duplicated in ``System Installation''.
650 Make sure to download the associated @file{.sig} file and to verify the
651 authenticity of the tarball against it, along these lines:
654 $ wget @value{BASE-URL}/guix-binary-@value{VERSION}.x86_64-linux.tar.xz.sig
655 $ gpg --verify guix-binary-@value{VERSION}.x86_64-linux.tar.xz.sig
658 If that command fails because you do not have the required public key,
659 then run this command to import it:
662 $ wget '@value{OPENPGP-SIGNING-KEY-URL}' \
663 -qO - | gpg --import -
667 and rerun the @code{gpg --verify} command.
669 Take note that a warning like ``This key is not certified with a trusted
670 signature!'' is normal.
672 @c end authentication part
675 Now, you need to become the @code{root} user. Depending on your distribution,
676 you may have to run @code{su -} or @code{sudo -i}. As @code{root}, run:
680 # tar --warning=no-timestamp -xf \
681 /path/to/guix-binary-@value{VERSION}.x86_64-linux.tar.xz
682 # mv var/guix /var/ && mv gnu /
685 This creates @file{/gnu/store} (@pxref{The Store}) and @file{/var/guix}.
686 The latter contains a ready-to-use profile for @code{root} (see next
689 Do @emph{not} unpack the tarball on a working Guix system since that
690 would overwrite its own essential files.
692 The @option{--warning=no-timestamp} option makes sure GNU@tie{}tar does
693 not emit warnings about ``implausibly old time stamps'' (such
694 warnings were triggered by GNU@tie{}tar 1.26 and older; recent
696 They stem from the fact that all the
697 files in the archive have their modification time set to 1 (which
698 means January 1st, 1970). This is done on purpose to make sure the
699 archive content is independent of its creation time, thus making it
703 Make the profile available under @file{~root/.config/guix/current}, which is
704 where @command{guix pull} will install updates (@pxref{Invoking guix pull}):
707 # mkdir -p ~root/.config/guix
708 # ln -sf /var/guix/profiles/per-user/root/current-guix \
709 ~root/.config/guix/current
712 Source @file{etc/profile} to augment @env{PATH} and other relevant
713 environment variables:
716 # GUIX_PROFILE="`echo ~root`/.config/guix/current" ; \
717 source $GUIX_PROFILE/etc/profile
721 Create the group and user accounts for build users as explained below
722 (@pxref{Build Environment Setup}).
725 Run the daemon, and set it to automatically start on boot.
727 If your host distro uses the systemd init system, this can be achieved
730 @c Versions of systemd that supported symlinked service files are not
731 @c yet widely deployed, so we should suggest that users copy the service
734 @c See this thread for more information:
735 @c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
738 # cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
739 ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
741 # systemctl enable --now gnu-store.mount guix-daemon
744 If your host distro uses the Upstart init system:
747 # initctl reload-configuration
748 # cp ~root/.config/guix/current/lib/upstart/system/guix-daemon.conf \
753 Otherwise, you can still start the daemon manually with:
756 # ~root/.config/guix/current/bin/guix-daemon \
757 --build-users-group=guixbuild
761 Make the @command{guix} command available to other users on the machine,
765 # mkdir -p /usr/local/bin
767 # ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
770 It is also a good idea to make the Info version of this manual available
774 # mkdir -p /usr/local/share/info
775 # cd /usr/local/share/info
776 # for i in /var/guix/profiles/per-user/root/current-guix/share/info/* ;
780 That way, assuming @file{/usr/local/share/info} is in the search path,
781 running @command{info guix} will open this manual (@pxref{Other Info
782 Directories,,, texinfo, GNU Texinfo}, for more details on changing the
786 @cindex substitutes, authorization thereof
787 To use substitutes from @code{@value{SUBSTITUTE-SERVER-1}},
788 @code{@value{SUBSTITUTE-SERVER-2}} or a mirror (@pxref{Substitutes}),
792 # guix archive --authorize < \
793 ~root/.config/guix/current/share/guix/@value{SUBSTITUTE-SERVER-1}.pub
794 # guix archive --authorize < \
795 ~root/.config/guix/current/share/guix/@value{SUBSTITUTE-SERVER-2}.pub
799 If you do not enable substitutes, Guix will end up building
800 @emph{everything} from source on your machine, making each installation
801 and upgrade very expensive. @xref{On Trusting Binaries}, for a
802 discussion of reasons why one might want do disable substitutes.
806 Each user may need to perform a few additional steps to make their Guix
807 environment ready for use, @pxref{Application Setup}.
810 Voilà, the installation is complete!
812 You can confirm that Guix is working by installing a sample package into
819 The binary installation tarball can be (re)produced and verified simply
820 by running the following command in the Guix source tree:
823 make guix-binary.@var{system}.tar.xz
827 ...@: which, in turn, runs:
830 guix pack -s @var{system} --localstatedir \
831 --profile-name=current-guix guix
834 @xref{Invoking guix pack}, for more info on this handy tool.
837 @section Requirements
839 This section lists requirements when building Guix from source. The
840 build procedure for Guix is the same as for other GNU software, and is
841 not covered here. Please see the files @file{README} and @file{INSTALL}
842 in the Guix source tree for additional details.
844 @cindex official website
845 GNU Guix is available for download from its website at
846 @url{https://www.gnu.org/software/guix/}.
848 GNU Guix depends on the following packages:
851 @item @url{https://gnu.org/software/guile/, GNU Guile}, version 3.0.x;
852 @item @url{https://notabug.org/cwebber/guile-gcrypt, Guile-Gcrypt}, version
855 @uref{https://gnutls.org/, GnuTLS}, specifically its Guile bindings
856 (@pxref{Guile Preparations, how to install the GnuTLS bindings for
857 Guile,, gnutls-guile, GnuTLS-Guile});
859 @uref{https://notabug.org/guile-sqlite3/guile-sqlite3, Guile-SQLite3}, version 0.1.0
861 @item @uref{https://notabug.org/guile-zlib/guile-zlib, Guile-zlib},
862 version 0.1.0 or later;
863 @item @uref{https://notabug.org/guile-lzlib/guile-lzlib, Guile-lzlib};
864 @item @uref{https://www.nongnu.org/guile-avahi/, Guile-Avahi};
866 @uref{https://gitlab.com/guile-git/guile-git, Guile-Git}, version 0.5.0
868 @item @uref{https://savannah.nongnu.org/projects/guile-json/, Guile-JSON}
870 @item @url{https://www.gnu.org/software/make/, GNU Make}.
873 The following dependencies are optional:
877 @c Note: We need at least 0.13.0 for #:nodelay.
878 Support for build offloading (@pxref{Daemon Offload Setup}) and
879 @command{guix copy} (@pxref{Invoking guix copy}) depends on
880 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH},
881 version 0.13.0 or later.
884 @uref{https://notabug.org/guile-zstd/guile-zstd, Guile-zstd}, for zstd
885 compression and decompression in @command{guix publish} and for
886 substitutes (@pxref{Invoking guix publish}).
889 @uref{https://ngyro.com/software/guile-semver.html, Guile-Semver} for
890 the @code{crate} importer (@pxref{Invoking guix import}).
893 @uref{https://www.nongnu.org/guile-lib/doc/ref/htmlprag/, Guile-Lib} for
894 the @code{go} importer (@pxref{Invoking guix import}) and for some of
895 the ``updaters'' (@pxref{Invoking guix refresh}).
898 When @url{http://www.bzip.org, libbz2} is available,
899 @command{guix-daemon} can use it to compress build logs.
902 Unless @option{--disable-daemon} was passed to @command{configure}, the
903 following packages are also needed:
906 @item @url{https://gnupg.org/, GNU libgcrypt};
907 @item @url{https://sqlite.org, SQLite 3};
908 @item @url{https://gcc.gnu.org, GCC's g++}, with support for the
912 @cindex state directory
913 When configuring Guix on a system that already has a Guix installation,
914 be sure to specify the same state directory as the existing installation
915 using the @option{--localstatedir} option of the @command{configure}
916 script (@pxref{Directory Variables, @code{localstatedir},, standards,
917 GNU Coding Standards}). Usually, this @var{localstatedir} option is
918 set to the value @file{/var}. The @command{configure} script protects
919 against unintended misconfiguration of @var{localstatedir} so you do not
920 inadvertently corrupt your store (@pxref{The Store}).
922 @node Running the Test Suite
923 @section Running the Test Suite
926 After a successful @command{configure} and @code{make} run, it is a good
927 idea to run the test suite. It can help catch issues with the setup or
928 environment, or bugs in Guix itself---and really, reporting test
929 failures is a good way to help improve the software. To run the test
936 Test cases can run in parallel: you can use the @code{-j} option of
937 GNU@tie{}make to speed things up. The first run may take a few minutes
938 on a recent machine; subsequent runs will be faster because the store
939 that is created for test purposes will already have various things in
942 It is also possible to run a subset of the tests by defining the
943 @code{TESTS} makefile variable as in this example:
946 make check TESTS="tests/store.scm tests/cpio.scm"
949 By default, tests results are displayed at a file level. In order to
950 see the details of every individual test cases, it is possible to define
951 the @code{SCM_LOG_DRIVER_FLAGS} makefile variable as in this example:
954 make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no"
957 The underlying SRFI 64 custom Automake test driver used for the 'check'
958 test suite (located at @file{build-aux/test-driver.scm}) also allows
959 selecting which test cases to run at a finer level, via its
960 @option{--select} and @option{--exclude} options. Here's an example, to
961 run all the test cases from the @file{tests/packages.scm} test file
962 whose names start with ``transaction-upgrade-entry'':
965 export SCM_LOG_DRIVER_FLAGS="--select=^transaction-upgrade-entry"
966 make check TESTS="tests/packages.scm"
969 Those wishing to inspect the results of failed tests directly from the
970 command line can add the @option{--errors-only=yes} option to the
971 @code{SCM_LOG_DRIVER_FLAGS} makefile variable and set the @code{VERBOSE}
972 Automake makefile variable, as in:
975 make check SCM_LOG_DRIVER_FLAGS="--brief=no --errors-only=yes" VERBOSE=1
978 The @option{--show-duration=yes} option can be used to print the
979 duration of the individual test cases, when used in combination with
983 make check SCM_LOG_DRIVER_FLAGS="--brief=no --show-duration=yes"
986 @xref{Parallel Test Harness,,,automake,GNU Automake} for more
987 information about the Automake Parallel Test Harness.
989 Upon failure, please email @email{bug-guix@@gnu.org} and attach the
990 @file{test-suite.log} file. Please specify the Guix version being used
991 as well as version numbers of the dependencies (@pxref{Requirements}) in
994 Guix also comes with a whole-system test suite that tests complete
995 Guix System instances. It can only run on systems where
996 Guix is already installed, using:
1003 or, again, by defining @code{TESTS} to select a subset of tests to run:
1006 make check-system TESTS="basic mcron"
1009 These system tests are defined in the @code{(gnu tests @dots{})}
1010 modules. They work by running the operating systems under test with
1011 lightweight instrumentation in a virtual machine (VM). They can be
1012 computationally intensive or rather cheap, depending on whether
1013 substitutes are available for their dependencies (@pxref{Substitutes}).
1014 Some of them require a lot of storage space to hold VM images.
1016 Again in case of test failures, please send @email{bug-guix@@gnu.org}
1019 @node Setting Up the Daemon
1020 @section Setting Up the Daemon
1023 Operations such as building a package or running the garbage collector
1024 are all performed by a specialized process, the @dfn{build daemon}, on
1025 behalf of clients. Only the daemon may access the store and its
1026 associated database. Thus, any operation that manipulates the store
1027 goes through the daemon. For instance, command-line tools such as
1028 @command{guix package} and @command{guix build} communicate with the
1029 daemon (@i{via} remote procedure calls) to instruct it what to do.
1031 The following sections explain how to prepare the build daemon's
1032 environment. See also @ref{Substitutes}, for information on how to allow
1033 the daemon to download pre-built binaries.
1036 * Build Environment Setup:: Preparing the isolated build environment.
1037 * Daemon Offload Setup:: Offloading builds to remote machines.
1038 * SELinux Support:: Using an SELinux policy for the daemon.
1041 @node Build Environment Setup
1042 @subsection Build Environment Setup
1044 @cindex build environment
1045 In a standard multi-user setup, Guix and its daemon---the
1046 @command{guix-daemon} program---are installed by the system
1047 administrator; @file{/gnu/store} is owned by @code{root} and
1048 @command{guix-daemon} runs as @code{root}. Unprivileged users may use
1049 Guix tools to build packages or otherwise access the store, and the
1050 daemon will do it on their behalf, ensuring that the store is kept in a
1051 consistent state, and allowing built packages to be shared among users.
1054 When @command{guix-daemon} runs as @code{root}, you may not want package
1055 build processes themselves to run as @code{root} too, for obvious
1056 security reasons. To avoid that, a special pool of @dfn{build users}
1057 should be created for use by build processes started by the daemon.
1058 These build users need not have a shell and a home directory: they will
1059 just be used when the daemon drops @code{root} privileges in build
1060 processes. Having several such users allows the daemon to launch
1061 distinct build processes under separate UIDs, which guarantees that they
1062 do not interfere with each other---an essential feature since builds are
1063 regarded as pure functions (@pxref{Introduction}).
1065 On a GNU/Linux system, a build user pool may be created like this (using
1066 Bash syntax and the @code{shadow} commands):
1068 @c See https://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html
1069 @c for why `-G' is needed.
1071 # groupadd --system guixbuild
1072 # for i in $(seq -w 1 10);
1074 useradd -g guixbuild -G guixbuild \
1075 -d /var/empty -s $(which nologin) \
1076 -c "Guix build user $i" --system \
1082 The number of build users determines how many build jobs may run in
1083 parallel, as specified by the @option{--max-jobs} option
1084 (@pxref{Invoking guix-daemon, @option{--max-jobs}}). To use
1085 @command{guix system vm} and related commands, you may need to add the
1086 build users to the @code{kvm} group so they can access @file{/dev/kvm},
1087 using @code{-G guixbuild,kvm} instead of @code{-G guixbuild}
1088 (@pxref{Invoking guix system}).
1090 The @code{guix-daemon} program may then be run as @code{root} with the
1091 following command@footnote{If your machine uses the systemd init system,
1092 dropping the @file{@var{prefix}/lib/systemd/system/guix-daemon.service}
1093 file in @file{/etc/systemd/system} will ensure that
1094 @command{guix-daemon} is automatically started. Similarly, if your
1095 machine uses the Upstart init system, drop the
1096 @file{@var{prefix}/lib/upstart/system/guix-daemon.conf}
1097 file in @file{/etc/init}.}:
1100 # guix-daemon --build-users-group=guixbuild
1105 This way, the daemon starts build processes in a chroot, under one of
1106 the @code{guixbuilder} users. On GNU/Linux, by default, the chroot
1107 environment contains nothing but:
1109 @c Keep this list in sync with libstore/build.cc! -----------------------
1112 a minimal @code{/dev} directory, created mostly independently from the
1113 host @code{/dev}@footnote{``Mostly'', because while the set of files
1114 that appear in the chroot's @code{/dev} is fixed, most of these files
1115 can only be created if the host has them.};
1118 the @code{/proc} directory; it only shows the processes of the container
1119 since a separate PID name space is used;
1122 @file{/etc/passwd} with an entry for the current user and an entry for
1126 @file{/etc/group} with an entry for the user's group;
1129 @file{/etc/hosts} with an entry that maps @code{localhost} to
1133 a writable @file{/tmp} directory.
1136 You can influence the directory where the daemon stores build trees
1137 @i{via} the @env{TMPDIR} environment variable. However, the build tree
1138 within the chroot is always called @file{/tmp/guix-build-@var{name}.drv-0},
1139 where @var{name} is the derivation name---e.g., @code{coreutils-8.24}.
1140 This way, the value of @env{TMPDIR} does not leak inside build
1141 environments, which avoids discrepancies in cases where build processes
1142 capture the name of their build tree.
1146 The daemon also honors the @env{http_proxy} and @env{https_proxy}
1147 environment variables for HTTP and HTTPS downloads it performs, be it
1148 for fixed-output derivations (@pxref{Derivations}) or for substitutes
1149 (@pxref{Substitutes}).
1151 If you are installing Guix as an unprivileged user, it is still possible
1152 to run @command{guix-daemon} provided you pass @option{--disable-chroot}.
1153 However, build processes will not be isolated from one another, and not
1154 from the rest of the system. Thus, build processes may interfere with
1155 each other, and may access programs, libraries, and other files
1156 available on the system---making it much harder to view them as
1157 @emph{pure} functions.
1160 @node Daemon Offload Setup
1161 @subsection Using the Offload Facility
1165 When desired, the build daemon can @dfn{offload} derivation builds to
1166 other machines running Guix, using the @code{offload} @dfn{build
1167 hook}@footnote{This feature is available only when
1168 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH} is
1169 present.}. When that feature is enabled, a list of user-specified build
1170 machines is read from @file{/etc/guix/machines.scm}; every time a build
1171 is requested, for instance via @code{guix build}, the daemon attempts to
1172 offload it to one of the machines that satisfy the constraints of the
1173 derivation, in particular its system types---e.g., @code{x86_64-linux}.
1174 A single machine can have multiple system types, either because its
1175 architecture natively supports it, via emulation
1176 (@pxref{transparent-emulation-qemu, Transparent Emulation with QEMU}),
1177 or both. Missing prerequisites for the build are
1178 copied over SSH to the target machine, which then proceeds with the
1179 build; upon success the output(s) of the build are copied back to the
1180 initial machine. The offload facility comes with a basic scheduler that
1181 attempts to select the best machine. The best machine is chosen among
1182 the available machines based on criteria such as:
1186 The availability of a build slot. A build machine can have as many
1187 build slots (connections) as the value of the @code{parallel-builds}
1188 field of its @code{build-machine} object.
1191 Its relative speed, as defined via the @code{speed} field of its
1192 @code{build-machine} object.
1195 Its load. The normalized machine load must be lower than a threshold
1196 value, configurable via the @code{overload-threshold} field of its
1197 @code{build-machine} object.
1200 Disk space availability. More than a 100 MiB must be available.
1203 The @file{/etc/guix/machines.scm} file typically looks like this:
1206 (list (build-machine
1207 (name "eightysix.example.org")
1208 (systems (list "x86_64-linux" "i686-linux"))
1209 (host-key "ssh-ed25519 AAAAC3Nza@dots{}")
1211 (speed 2.)) ;incredibly fast!
1214 (name "armeight.example.org")
1215 (systems (list "aarch64-linux"))
1216 (host-key "ssh-rsa AAAAB3Nza@dots{}")
1219 (string-append (getenv "HOME")
1220 "/.ssh/identity-for-guix"))))
1224 In the example above we specify a list of two build machines, one for
1225 the @code{x86_64} and @code{i686} architectures and one for the
1226 @code{aarch64} architecture.
1228 In fact, this file is---not surprisingly!---a Scheme file that is
1229 evaluated when the @code{offload} hook is started. Its return value
1230 must be a list of @code{build-machine} objects. While this example
1231 shows a fixed list of build machines, one could imagine, say, using
1232 DNS-SD to return a list of potential build machines discovered in the
1233 local network (@pxref{Introduction, Guile-Avahi,, guile-avahi, Using
1234 Avahi in Guile Scheme Programs}). The @code{build-machine} data type is
1237 @deftp {Data Type} build-machine
1238 This data type represents build machines to which the daemon may offload
1239 builds. The important fields are:
1244 The host name of the remote machine.
1247 The system types the remote machine supports---e.g., @code{(list
1248 "x86_64-linux" "i686-linux")}.
1251 The user account to use when connecting to the remote machine over SSH.
1252 Note that the SSH key pair must @emph{not} be passphrase-protected, to
1253 allow non-interactive logins.
1256 This must be the machine's SSH @dfn{public host key} in OpenSSH format.
1257 This is used to authenticate the machine when we connect to it. It is a
1258 long string that looks like this:
1261 ssh-ed25519 AAAAC3NzaC@dots{}mde+UhL hint@@example.org
1264 If the machine is running the OpenSSH daemon, @command{sshd}, the host
1265 key can be found in a file such as
1266 @file{/etc/ssh/ssh_host_ed25519_key.pub}.
1268 If the machine is running the SSH daemon of GNU@tie{}lsh,
1269 @command{lshd}, the host key is in @file{/etc/lsh/host-key.pub} or a
1270 similar file. It can be converted to the OpenSSH format using
1271 @command{lsh-export-key} (@pxref{Converting keys,,, lsh, LSH Manual}):
1274 $ lsh-export-key --openssh < /etc/lsh/host-key.pub
1275 ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV@dots{}
1280 A number of optional fields may be specified:
1284 @item @code{port} (default: @code{22})
1285 Port number of SSH server on the machine.
1287 @item @code{private-key} (default: @file{~root/.ssh/id_rsa})
1288 The SSH private key file to use when connecting to the machine, in
1289 OpenSSH format. This key must not be protected with a passphrase.
1291 Note that the default value is the private key @emph{of the root
1292 account}. Make sure it exists if you use the default.
1294 @item @code{compression} (default: @code{"zlib@@openssh.com,zlib"})
1295 @itemx @code{compression-level} (default: @code{3})
1296 The SSH-level compression methods and compression level requested.
1298 Note that offloading relies on SSH compression to reduce bandwidth usage
1299 when transferring files to and from build machines.
1301 @item @code{daemon-socket} (default: @code{"/var/guix/daemon-socket/socket"})
1302 File name of the Unix-domain socket @command{guix-daemon} is listening
1305 @item @code{overload-threshold} (default: @code{0.6})
1306 The load threshold above which a potential offload machine is
1307 disregarded by the offload scheduler. The value roughly translates to
1308 the total processor usage of the build machine, ranging from 0.0 (0%) to
1309 1.0 (100%). It can also be disabled by setting
1310 @code{overload-threshold} to @code{#f}.
1312 @item @code{parallel-builds} (default: @code{1})
1313 The number of builds that may run in parallel on the machine.
1315 @item @code{speed} (default: @code{1.0})
1316 A ``relative speed factor''. The offload scheduler will tend to prefer
1317 machines with a higher speed factor.
1319 @item @code{features} (default: @code{'()})
1320 A list of strings denoting specific features supported by the machine.
1321 An example is @code{"kvm"} for machines that have the KVM Linux modules
1322 and corresponding hardware support. Derivations can request features by
1323 name, and they will be scheduled on matching build machines.
1328 The @command{guix} command must be in the search path on the build
1329 machines. You can check whether this is the case by running:
1332 ssh build-machine guix repl --version
1335 There is one last thing to do once @file{machines.scm} is in place. As
1336 explained above, when offloading, files are transferred back and forth
1337 between the machine stores. For this to work, you first need to
1338 generate a key pair on each machine to allow the daemon to export signed
1339 archives of files from the store (@pxref{Invoking guix archive}):
1342 # guix archive --generate-key
1346 Each build machine must authorize the key of the master machine so that
1347 it accepts store items it receives from the master:
1350 # guix archive --authorize < master-public-key.txt
1354 Likewise, the master machine must authorize the key of each build machine.
1356 All the fuss with keys is here to express pairwise mutual trust
1357 relations between the master and the build machines. Concretely, when
1358 the master receives files from a build machine (and @i{vice versa}), its
1359 build daemon can make sure they are genuine, have not been tampered
1360 with, and that they are signed by an authorized key.
1362 @cindex offload test
1363 To test whether your setup is operational, run this command on the
1370 This will attempt to connect to each of the build machines specified in
1371 @file{/etc/guix/machines.scm}, make sure Guix is
1372 available on each machine, attempt to export to the machine and import
1373 from it, and report any error in the process.
1375 If you want to test a different machine file, just specify it on the
1379 # guix offload test machines-qualif.scm
1382 Last, you can test the subset of the machines whose name matches a
1383 regular expression like this:
1386 # guix offload test machines.scm '\.gnu\.org$'
1389 @cindex offload status
1390 To display the current load of all build hosts, run this command on the
1394 # guix offload status
1398 @node SELinux Support
1399 @subsection SELinux Support
1401 @cindex SELinux, daemon policy
1402 @cindex mandatory access control, SELinux
1403 @cindex security, guix-daemon
1404 Guix includes an SELinux policy file at @file{etc/guix-daemon.cil} that
1405 can be installed on a system where SELinux is enabled, in order to label
1406 Guix files and to specify the expected behavior of the daemon. Since
1407 Guix System does not provide an SELinux base policy, the daemon policy cannot
1408 be used on Guix System.
1410 @subsubsection Installing the SELinux policy
1411 @cindex SELinux, policy installation
1412 To install the policy run this command as root:
1415 semodule -i etc/guix-daemon.cil
1418 Then relabel the file system with @code{restorecon} or by a different
1419 mechanism provided by your system.
1421 Once the policy is installed, the file system has been relabeled, and
1422 the daemon has been restarted, it should be running in the
1423 @code{guix_daemon_t} context. You can confirm this with the following
1427 ps -Zax | grep guix-daemon
1430 Monitor the SELinux log files as you run a command like @code{guix build
1431 hello} to convince yourself that SELinux permits all necessary
1434 @subsubsection Limitations
1435 @cindex SELinux, limitations
1437 This policy is not perfect. Here is a list of limitations or quirks
1438 that should be considered when deploying the provided SELinux policy for
1443 @code{guix_daemon_socket_t} isn’t actually used. None of the socket
1444 operations involve contexts that have anything to do with
1445 @code{guix_daemon_socket_t}. It doesn’t hurt to have this unused label,
1446 but it would be preferable to define socket rules for only this label.
1449 @code{guix gc} cannot access arbitrary links to profiles. By design,
1450 the file label of the destination of a symlink is independent of the
1451 file label of the link itself. Although all profiles under
1452 $localstatedir are labelled, the links to these profiles inherit the
1453 label of the directory they are in. For links in the user’s home
1454 directory this will be @code{user_home_t}. But for links from the root
1455 user’s home directory, or @file{/tmp}, or the HTTP server’s working
1456 directory, etc, this won’t work. @code{guix gc} would be prevented from
1457 reading and following these links.
1460 The daemon’s feature to listen for TCP connections might no longer work.
1461 This might require extra rules, because SELinux treats network sockets
1462 differently from files.
1465 Currently all files with a name matching the regular expression
1466 @code{/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon} are assigned the
1467 label @code{guix_daemon_exec_t}; this means that @emph{any} file with
1468 that name in any profile would be permitted to run in the
1469 @code{guix_daemon_t} domain. This is not ideal. An attacker could
1470 build a package that provides this executable and convince a user to
1471 install and run it, which lifts it into the @code{guix_daemon_t} domain.
1472 At that point SELinux could not prevent it from accessing files that are
1473 allowed for processes in that domain.
1475 You will need to relabel the store directory after all upgrades to
1476 @file{guix-daemon}, such as after running @code{guix pull}. Assuming the
1477 store is in @file{/gnu}, you can do this with @code{restorecon -vR /gnu},
1478 or by other means provided by your operating system.
1480 We could generate a much more restrictive policy at installation time,
1481 so that only the @emph{exact} file name of the currently installed
1482 @code{guix-daemon} executable would be labelled with
1483 @code{guix_daemon_exec_t}, instead of using a broad regular expression.
1484 The downside is that root would have to install or upgrade the policy at
1485 installation time whenever the Guix package that provides the
1486 effectively running @code{guix-daemon} executable is upgraded.
1489 @node Invoking guix-daemon
1490 @section Invoking @command{guix-daemon}
1492 The @command{guix-daemon} program implements all the functionality to
1493 access the store. This includes launching build processes, running the
1494 garbage collector, querying the availability of a build result, etc. It
1495 is normally run as @code{root} like this:
1498 # guix-daemon --build-users-group=guixbuild
1502 For details on how to set it up, @pxref{Setting Up the Daemon}.
1505 @cindex container, build environment
1506 @cindex build environment
1507 @cindex reproducible builds
1508 By default, @command{guix-daemon} launches build processes under
1509 different UIDs, taken from the build group specified with
1510 @option{--build-users-group}. In addition, each build process is run in a
1511 chroot environment that only contains the subset of the store that the
1512 build process depends on, as specified by its derivation
1513 (@pxref{Programming Interface, derivation}), plus a set of specific
1514 system directories. By default, the latter contains @file{/dev} and
1515 @file{/dev/pts}. Furthermore, on GNU/Linux, the build environment is a
1516 @dfn{container}: in addition to having its own file system tree, it has
1517 a separate mount name space, its own PID name space, network name space,
1518 etc. This helps achieve reproducible builds (@pxref{Features}).
1520 When the daemon performs a build on behalf of the user, it creates a
1521 build directory under @file{/tmp} or under the directory specified by
1522 its @env{TMPDIR} environment variable. This directory is shared with
1523 the container for the duration of the build, though within the container,
1524 the build tree is always called @file{/tmp/guix-build-@var{name}.drv-0}.
1526 The build directory is automatically deleted upon completion, unless the
1527 build failed and the client specified @option{--keep-failed}
1528 (@pxref{Common Build Options, @option{--keep-failed}}).
1530 The daemon listens for connections and spawns one sub-process for each session
1531 started by a client (one of the @command{guix} sub-commands). The
1532 @command{guix processes} command allows you to get an overview of the activity
1533 on your system by viewing each of the active sessions and clients.
1534 @xref{Invoking guix processes}, for more information.
1536 The following command-line options are supported:
1539 @item --build-users-group=@var{group}
1540 Take users from @var{group} to run build processes (@pxref{Setting Up
1541 the Daemon, build users}).
1543 @item --no-substitutes
1545 Do not use substitutes for build products. That is, always build things
1546 locally instead of allowing downloads of pre-built binaries
1547 (@pxref{Substitutes}).
1549 When the daemon runs with @option{--no-substitutes}, clients can still
1550 explicitly enable substitution @i{via} the @code{set-build-options}
1551 remote procedure call (@pxref{The Store}).
1553 @anchor{daemon-substitute-urls}
1554 @item --substitute-urls=@var{urls}
1555 Consider @var{urls} the default whitespace-separated list of substitute
1556 source URLs. When this option is omitted,
1557 @indicateurl{@value{SUBSTITUTE-URLS}} is used.
1559 This means that substitutes may be downloaded from @var{urls}, as long
1560 as they are signed by a trusted signature (@pxref{Substitutes}).
1562 @xref{Getting Substitutes from Other Servers}, for more information on
1563 how to configure the daemon to get substitutes from other servers.
1567 Do not use offload builds to other machines (@pxref{Daemon Offload
1568 Setup}). That is, always build things locally instead of offloading
1569 builds to remote machines.
1571 @item --cache-failures
1572 Cache build failures. By default, only successful builds are cached.
1574 When this option is used, @command{guix gc --list-failures} can be used
1575 to query the set of store items marked as failed; @command{guix gc
1576 --clear-failures} removes store items from the set of cached failures.
1577 @xref{Invoking guix gc}.
1579 @item --cores=@var{n}
1581 Use @var{n} CPU cores to build each derivation; @code{0} means as many
1584 The default value is @code{0}, but it may be overridden by clients, such
1585 as the @option{--cores} option of @command{guix build} (@pxref{Invoking
1588 The effect is to define the @env{NIX_BUILD_CORES} environment variable
1589 in the build process, which can then use it to exploit internal
1590 parallelism---for instance, by running @code{make -j$NIX_BUILD_CORES}.
1592 @item --max-jobs=@var{n}
1594 Allow at most @var{n} build jobs in parallel. The default value is
1595 @code{1}. Setting it to @code{0} means that no builds will be performed
1596 locally; instead, the daemon will offload builds (@pxref{Daemon Offload
1597 Setup}), or simply fail.
1599 @item --max-silent-time=@var{seconds}
1600 When the build or substitution process remains silent for more than
1601 @var{seconds}, terminate it and report a build failure.
1603 The default value is @code{0}, which disables the timeout.
1605 The value specified here can be overridden by clients (@pxref{Common
1606 Build Options, @option{--max-silent-time}}).
1608 @item --timeout=@var{seconds}
1609 Likewise, when the build or substitution process lasts for more than
1610 @var{seconds}, terminate it and report a build failure.
1612 The default value is @code{0}, which disables the timeout.
1614 The value specified here can be overridden by clients (@pxref{Common
1615 Build Options, @option{--timeout}}).
1617 @item --rounds=@var{N}
1618 Build each derivation @var{n} times in a row, and raise an error if
1619 consecutive build results are not bit-for-bit identical. Note that this
1620 setting can be overridden by clients such as @command{guix build}
1621 (@pxref{Invoking guix build}).
1623 When used in conjunction with @option{--keep-failed}, the differing
1624 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
1625 This makes it easy to look for differences between the two results.
1628 Produce debugging output.
1630 This is useful to debug daemon start-up issues, but then it may be
1631 overridden by clients, for example the @option{--verbosity} option of
1632 @command{guix build} (@pxref{Invoking guix build}).
1634 @item --chroot-directory=@var{dir}
1635 Add @var{dir} to the build chroot.
1637 Doing this may change the result of build processes---for instance if
1638 they use optional dependencies found in @var{dir} when it is available,
1639 and not otherwise. For that reason, it is not recommended to do so.
1640 Instead, make sure that each derivation declares all the inputs that it
1643 @item --disable-chroot
1644 Disable chroot builds.
1646 Using this option is not recommended since, again, it would allow build
1647 processes to gain access to undeclared dependencies. It is necessary,
1648 though, when @command{guix-daemon} is running under an unprivileged user
1651 @item --log-compression=@var{type}
1652 Compress build logs according to @var{type}, one of @code{gzip},
1653 @code{bzip2}, or @code{none}.
1655 Unless @option{--lose-logs} is used, all the build logs are kept in the
1656 @var{localstatedir}. To save space, the daemon automatically compresses
1657 them with Bzip2 by default.
1659 @item --discover[=yes|no]
1660 Whether to discover substitute servers on the local network using mDNS
1663 This feature is still experimental. However, here are a few
1668 It might be faster/less expensive than fetching from remote servers;
1670 There are no security risks, only genuine substitutes will be used
1671 (@pxref{Substitute Authentication});
1673 An attacker advertising @command{guix publish} on your LAN cannot serve
1674 you malicious binaries, but they can learn what software you’re
1677 Servers may serve substitute over HTTP, unencrypted, so anyone on the
1678 LAN can see what software you’re installing.
1681 It is also possible to enable or disable substitute server discovery at
1682 run-time by running:
1685 herd discover guix-daemon on
1686 herd discover guix-daemon off
1689 @item --disable-deduplication
1690 @cindex deduplication
1691 Disable automatic file ``deduplication'' in the store.
1693 By default, files added to the store are automatically ``deduplicated'':
1694 if a newly added file is identical to another one found in the store,
1695 the daemon makes the new file a hard link to the other file. This can
1696 noticeably reduce disk usage, at the expense of slightly increased
1697 input/output load at the end of a build process. This option disables
1700 @item --gc-keep-outputs[=yes|no]
1701 Tell whether the garbage collector (GC) must keep outputs of live
1705 @cindex garbage collector roots
1706 When set to @code{yes}, the GC will keep the outputs of any live
1707 derivation available in the store---the @file{.drv} files. The default
1708 is @code{no}, meaning that derivation outputs are kept only if they are
1709 reachable from a GC root. @xref{Invoking guix gc}, for more on GC
1712 @item --gc-keep-derivations[=yes|no]
1713 Tell whether the garbage collector (GC) must keep derivations
1714 corresponding to live outputs.
1716 When set to @code{yes}, as is the case by default, the GC keeps
1717 derivations---i.e., @file{.drv} files---as long as at least one of their
1718 outputs is live. This allows users to keep track of the origins of
1719 items in their store. Setting it to @code{no} saves a bit of disk
1722 In this way, setting @option{--gc-keep-derivations} to @code{yes} causes
1723 liveness to flow from outputs to derivations, and setting
1724 @option{--gc-keep-outputs} to @code{yes} causes liveness to flow from
1725 derivations to outputs. When both are set to @code{yes}, the effect is
1726 to keep all the build prerequisites (the sources, compiler, libraries,
1727 and other build-time tools) of live objects in the store, regardless of
1728 whether these prerequisites are reachable from a GC root. This is
1729 convenient for developers since it saves rebuilds or downloads.
1731 @item --impersonate-linux-2.6
1732 On Linux-based systems, impersonate Linux 2.6. This means that the
1733 kernel's @command{uname} system call will report 2.6 as the release number.
1735 This might be helpful to build programs that (usually wrongfully) depend
1736 on the kernel version number.
1739 Do not keep build logs. By default they are kept under
1740 @file{@var{localstatedir}/guix/log}.
1742 @item --system=@var{system}
1743 Assume @var{system} as the current system type. By default it is the
1744 architecture/kernel pair found at configure time, such as
1745 @code{x86_64-linux}.
1747 @item --listen=@var{endpoint}
1748 Listen for connections on @var{endpoint}. @var{endpoint} is interpreted
1749 as the file name of a Unix-domain socket if it starts with
1750 @code{/} (slash sign). Otherwise, @var{endpoint} is interpreted as a
1751 host name or host name and port to listen to. Here are a few examples:
1754 @item --listen=/gnu/var/daemon
1755 Listen for connections on the @file{/gnu/var/daemon} Unix-domain socket,
1756 creating it if needed.
1758 @item --listen=localhost
1759 @cindex daemon, remote access
1760 @cindex remote access to the daemon
1761 @cindex daemon, cluster setup
1762 @cindex clusters, daemon setup
1763 Listen for TCP connections on the network interface corresponding to
1764 @code{localhost}, on port 44146.
1766 @item --listen=128.0.0.42:1234
1767 Listen for TCP connections on the network interface corresponding to
1768 @code{128.0.0.42}, on port 1234.
1771 This option can be repeated multiple times, in which case
1772 @command{guix-daemon} accepts connections on all the specified
1773 endpoints. Users can tell client commands what endpoint to connect to
1774 by setting the @env{GUIX_DAEMON_SOCKET} environment variable
1775 (@pxref{The Store, @env{GUIX_DAEMON_SOCKET}}).
1778 The daemon protocol is @emph{unauthenticated and unencrypted}. Using
1779 @option{--listen=@var{host}} is suitable on local networks, such as
1780 clusters, where only trusted nodes may connect to the build daemon. In
1781 other cases where remote access to the daemon is needed, we recommend
1782 using Unix-domain sockets along with SSH.
1785 When @option{--listen} is omitted, @command{guix-daemon} listens for
1786 connections on the Unix-domain socket located at
1787 @file{@var{localstatedir}/guix/daemon-socket/socket}.
1791 @node Application Setup
1792 @section Application Setup
1794 @cindex foreign distro
1795 When using Guix on top of GNU/Linux distribution other than Guix System---a
1796 so-called @dfn{foreign distro}---a few additional steps are needed to
1797 get everything in place. Here are some of them.
1801 @anchor{locales-and-locpath}
1802 @cindex locales, when not on Guix System
1804 @vindex GUIX_LOCPATH
1805 Packages installed @i{via} Guix will not use the locale data of the
1806 host system. Instead, you must first install one of the locale packages
1807 available with Guix and then define the @env{GUIX_LOCPATH} environment
1811 $ guix install glibc-locales
1812 $ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale
1815 Note that the @code{glibc-locales} package contains data for all the
1816 locales supported by the GNU@tie{}libc and weighs in at around
1817 917@tie{}MiB@. Alternatively, the @code{glibc-utf8-locales} is smaller but
1818 limited to a few UTF-8 locales.
1820 The @env{GUIX_LOCPATH} variable plays a role similar to @env{LOCPATH}
1821 (@pxref{Locale Names, @env{LOCPATH},, libc, The GNU C Library Reference
1822 Manual}). There are two important differences though:
1826 @env{GUIX_LOCPATH} is honored only by the libc in Guix, and not by the libc
1827 provided by foreign distros. Thus, using @env{GUIX_LOCPATH} allows you
1828 to make sure the programs of the foreign distro will not end up loading
1829 incompatible locale data.
1832 libc suffixes each entry of @env{GUIX_LOCPATH} with @code{/X.Y}, where
1833 @code{X.Y} is the libc version---e.g., @code{2.22}. This means that,
1834 should your Guix profile contain a mixture of programs linked against
1835 different libc version, each libc version will only try to load locale
1836 data in the right format.
1839 This is important because the locale data format used by different libc
1840 versions may be incompatible.
1842 @subsection Name Service Switch
1844 @cindex name service switch, glibc
1845 @cindex NSS (name service switch), glibc
1846 @cindex nscd (name service caching daemon)
1847 @cindex name service caching daemon (nscd)
1848 When using Guix on a foreign distro, we @emph{strongly recommend} that
1849 the system run the GNU C library's @dfn{name service cache daemon},
1850 @command{nscd}, which should be listening on the
1851 @file{/var/run/nscd/socket} socket. Failing to do that, applications
1852 installed with Guix may fail to look up host names or user accounts, or
1853 may even crash. The next paragraphs explain why.
1855 @cindex @file{nsswitch.conf}
1856 The GNU C library implements a @dfn{name service switch} (NSS), which is
1857 an extensible mechanism for ``name lookups'' in general: host name
1858 resolution, user accounts, and more (@pxref{Name Service Switch,,, libc,
1859 The GNU C Library Reference Manual}).
1861 @cindex Network information service (NIS)
1862 @cindex NIS (Network information service)
1863 Being extensible, the NSS supports @dfn{plugins}, which provide new name
1864 lookup implementations: for example, the @code{nss-mdns} plugin allow
1865 resolution of @code{.local} host names, the @code{nis} plugin allows
1866 user account lookup using the Network information service (NIS), and so
1867 on. These extra ``lookup services'' are configured system-wide in
1868 @file{/etc/nsswitch.conf}, and all the programs running on the system
1869 honor those settings (@pxref{NSS Configuration File,,, libc, The GNU C
1872 When they perform a name lookup---for instance by calling the
1873 @code{getaddrinfo} function in C---applications first try to connect to
1874 the nscd; on success, nscd performs name lookups on their behalf. If
1875 the nscd is not running, then they perform the name lookup by
1876 themselves, by loading the name lookup services into their own address
1877 space and running it. These name lookup services---the
1878 @file{libnss_*.so} files---are @code{dlopen}'d, but they may come from
1879 the host system's C library, rather than from the C library the
1880 application is linked against (the C library coming from Guix).
1882 And this is where the problem is: if your application is linked against
1883 Guix's C library (say, glibc 2.24) and tries to load NSS plugins from
1884 another C library (say, @code{libnss_mdns.so} for glibc 2.22), it will
1885 likely crash or have its name lookups fail unexpectedly.
1887 Running @command{nscd} on the system, among other advantages, eliminates
1888 this binary incompatibility problem because those @code{libnss_*.so}
1889 files are loaded in the @command{nscd} process, not in applications
1892 @subsection X11 Fonts
1895 The majority of graphical applications use Fontconfig to locate and
1896 load fonts and perform X11-client-side rendering. The @code{fontconfig}
1897 package in Guix looks for fonts in @file{$HOME/.guix-profile}
1898 by default. Thus, to allow graphical applications installed with Guix
1899 to display fonts, you have to install fonts with Guix as well.
1900 Essential font packages include @code{gs-fonts}, @code{font-dejavu}, and
1901 @code{font-gnu-freefont}.
1903 @cindex @code{fc-cache}
1905 Once you have installed or removed fonts, or when you notice an
1906 application that does not find fonts, you may need to install Fontconfig
1907 and to force an update of its font cache by running:
1910 guix install fontconfig
1914 To display text written in Chinese languages, Japanese, or Korean in
1915 graphical applications, consider installing
1916 @code{font-adobe-source-han-sans} or @code{font-wqy-zenhei}. The former
1917 has multiple outputs, one per language family (@pxref{Packages with
1918 Multiple Outputs}). For instance, the following command installs fonts
1919 for Chinese languages:
1922 guix install font-adobe-source-han-sans:cn
1925 @cindex @code{xterm}
1926 Older programs such as @command{xterm} do not use Fontconfig and instead
1927 rely on server-side font rendering. Such programs require to specify a
1928 full name of a font using XLFD (X Logical Font Description), like this:
1931 -*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1
1934 To be able to use such full names for the TrueType fonts installed in
1935 your Guix profile, you need to extend the font path of the X server:
1937 @c Note: 'xset' does not accept symlinks so the trick below arranges to
1938 @c get at the real directory. See <https://bugs.gnu.org/30655>.
1940 xset +fp $(dirname $(readlink -f ~/.guix-profile/share/fonts/truetype/fonts.dir))
1943 @cindex @code{xlsfonts}
1944 After that, you can run @code{xlsfonts} (from @code{xlsfonts} package)
1945 to make sure your TrueType fonts are listed there.
1948 @subsection X.509 Certificates
1950 @cindex @code{nss-certs}
1951 The @code{nss-certs} package provides X.509 certificates, which allow
1952 programs to authenticate Web servers accessed over HTTPS.
1954 When using Guix on a foreign distro, you can install this package and
1955 define the relevant environment variables so that packages know where to
1956 look for certificates. @xref{X.509 Certificates}, for detailed
1959 @subsection Emacs Packages
1961 @cindex @code{emacs}
1962 When you install Emacs packages with Guix, the Elisp files are placed
1963 under the @file{share/emacs/site-lisp/} directory of the profile in
1964 which they are installed. The Elisp libraries are made available to
1965 Emacs through the @env{EMACSLOADPATH} environment variable, which is
1966 set when installing Emacs itself.
1968 Additionally, autoload definitions are automatically evaluated at the
1969 initialization of Emacs, by the Guix-specific
1970 @code{guix-emacs-autoload-packages} procedure. If, for some reason, you
1971 want to avoid auto-loading the Emacs packages installed with Guix, you
1972 can do so by running Emacs with the @option{--no-site-file} option
1973 (@pxref{Init File,,, emacs, The GNU Emacs Manual}).
1976 @node Upgrading Guix
1977 @section Upgrading Guix
1979 @cindex Upgrading Guix, on a foreign distro
1981 To upgrade Guix, run:
1987 @xref{Invoking guix pull}, for more information.
1989 @cindex upgrading Guix for the root user, on a foreign distro
1990 @cindex upgrading the Guix daemon, on a foreign distro
1991 @cindex @command{guix pull} for the root user, on a foreign distro
1993 On a foreign distro, you can upgrade the build daemon by running:
2000 followed by (assuming your distro uses the systemd service management
2004 systemctl restart guix-daemon.service
2007 On Guix System, upgrading the daemon is achieved by reconfiguring the
2008 system (@pxref{Invoking guix system, @code{guix system reconfigure}}).
2012 @c *********************************************************************
2013 @node System Installation
2014 @chapter System Installation
2016 @cindex installing Guix System
2017 @cindex Guix System, installation
2018 This section explains how to install Guix System
2019 on a machine. Guix, as a package manager, can
2020 also be installed on top of a running GNU/Linux system,
2021 @pxref{Installation}.
2025 @c This paragraph is for people reading this from tty2 of the
2026 @c installation image.
2027 You are reading this documentation with an Info reader. For details on
2028 how to use it, hit the @key{RET} key (``return'' or ``enter'') on the
2029 link that follows: @pxref{Top, Info reader,, info-stnd, Stand-alone GNU
2030 Info}. Hit @kbd{l} afterwards to come back here.
2032 Alternatively, run @command{info info} in another tty to keep the manual
2038 * Limitations:: What you can expect.
2039 * Hardware Considerations:: Supported hardware.
2040 * USB Stick and DVD Installation:: Preparing the installation medium.
2041 * Preparing for Installation:: Networking, partitioning, etc.
2042 * Guided Graphical Installation:: Easy graphical installation.
2043 * Manual Installation:: Manual installation for wizards.
2044 * After System Installation:: When installation succeeded.
2045 * Installing Guix in a VM:: Guix System playground.
2046 * Building the Installation Image:: How this comes to be.
2050 @section Limitations
2052 We consider Guix System to be ready for a wide range of ``desktop'' and server
2053 use cases. The reliability guarantees it provides---transactional upgrades
2054 and rollbacks, reproducibility---make it a solid foundation.
2056 Nevertheless, before you proceed with the installation, be aware of the
2057 following noteworthy limitations applicable to version @value{VERSION}:
2061 More and more system services are provided (@pxref{Services}), but some
2065 GNOME, Xfce, LXDE, and Enlightenment are available (@pxref{Desktop Services}),
2066 as well as a number of X11 window managers. However, KDE is currently
2070 More than a disclaimer, this is an invitation to report issues (and success
2071 stories!), and to join us in improving it. @xref{Contributing}, for more
2075 @node Hardware Considerations
2076 @section Hardware Considerations
2078 @cindex hardware support on Guix System
2079 GNU@tie{}Guix focuses on respecting the user's computing freedom. It
2080 builds around the kernel Linux-libre, which means that only hardware for
2081 which free software drivers and firmware exist is supported. Nowadays,
2082 a wide range of off-the-shelf hardware is supported on
2083 GNU/Linux-libre---from keyboards to graphics cards to scanners and
2084 Ethernet controllers. Unfortunately, there are still areas where
2085 hardware vendors deny users control over their own computing, and such
2086 hardware is not supported on Guix System.
2088 @cindex WiFi, hardware support
2089 One of the main areas where free drivers or firmware are lacking is WiFi
2090 devices. WiFi devices known to work include those using Atheros chips
2091 (AR9271 and AR7010), which corresponds to the @code{ath9k} Linux-libre
2092 driver, and those using Broadcom/AirForce chips (BCM43xx with
2093 Wireless-Core Revision 5), which corresponds to the @code{b43-open}
2094 Linux-libre driver. Free firmware exists for both and is available
2095 out-of-the-box on Guix System, as part of @code{%base-firmware}
2096 (@pxref{operating-system Reference, @code{firmware}}).
2098 @cindex RYF, Respects Your Freedom
2099 The @uref{https://www.fsf.org/, Free Software Foundation} runs
2100 @uref{https://www.fsf.org/ryf, @dfn{Respects Your Freedom}} (RYF), a
2101 certification program for hardware products that respect your freedom
2102 and your privacy and ensure that you have control over your device. We
2103 encourage you to check the list of RYF-certified devices.
2105 Another useful resource is the @uref{https://www.h-node.org/, H-Node}
2106 web site. It contains a catalog of hardware devices with information
2107 about their support in GNU/Linux.
2110 @node USB Stick and DVD Installation
2111 @section USB Stick and DVD Installation
2113 An ISO-9660 installation image that can be written to a USB stick or
2114 burnt to a DVD can be downloaded from
2115 @indicateurl{@value{BASE-URL}/guix-system-install-@value{VERSION}.x86_64-linux.iso},
2116 where you can replace @code{x86_64-linux} with one of:
2120 for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;
2123 for a 32-bit GNU/Linux system on Intel-compatible CPUs.
2126 @c start duplication of authentication part from ``Binary Installation''
2127 Make sure to download the associated @file{.sig} file and to verify the
2128 authenticity of the image against it, along these lines:
2131 $ wget @value{BASE-URL}/guix-system-install-@value{VERSION}.x86_64-linux.iso.sig
2132 $ gpg --verify guix-system-install-@value{VERSION}.x86_64-linux.iso.sig
2135 If that command fails because you do not have the required public key,
2136 then run this command to import it:
2139 $ wget @value{OPENPGP-SIGNING-KEY-URL} \
2140 -qO - | gpg --import -
2144 and rerun the @code{gpg --verify} command.
2146 Take note that a warning like ``This key is not certified with a trusted
2147 signature!'' is normal.
2151 This image contains the tools necessary for an installation.
2152 It is meant to be copied @emph{as is} to a large-enough USB stick or DVD.
2154 @unnumberedsubsec Copying to a USB Stick
2156 Insert a USB stick of 1@tie{}GiB or more into your machine, and determine
2157 its device name. Assuming that the USB stick is known as @file{/dev/sdX},
2158 copy the image with:
2161 dd if=guix-system-install-@value{VERSION}.x86_64-linux.iso of=/dev/sdX status=progress
2165 Access to @file{/dev/sdX} usually requires root privileges.
2167 @unnumberedsubsec Burning on a DVD
2169 Insert a blank DVD into your machine, and determine
2170 its device name. Assuming that the DVD drive is known as @file{/dev/srX},
2171 copy the image with:
2174 growisofs -dvd-compat -Z /dev/srX=guix-system-install-@value{VERSION}.x86_64-linux.iso
2177 Access to @file{/dev/srX} usually requires root privileges.
2179 @unnumberedsubsec Booting
2181 Once this is done, you should be able to reboot the system and boot from
2182 the USB stick or DVD@. The latter usually requires you to get in the
2183 BIOS or UEFI boot menu, where you can choose to boot from the USB stick.
2184 In order to boot from Libreboot, switch to the command mode by pressing
2185 the @kbd{c} key and type @command{search_grub usb}.
2187 @xref{Installing Guix in a VM}, if, instead, you would like to install
2188 Guix System in a virtual machine (VM).
2191 @node Preparing for Installation
2192 @section Preparing for Installation
2194 Once you have booted, you can use the guided graphical installer, which makes
2195 it easy to get started (@pxref{Guided Graphical Installation}). Alternatively,
2196 if you are already familiar with GNU/Linux and if you want more control than
2197 what the graphical installer provides, you can choose the ``manual''
2198 installation process (@pxref{Manual Installation}).
2200 The graphical installer is available on TTY1. You can obtain root shells on
2201 TTYs 3 to 6 by hitting @kbd{ctrl-alt-f3}, @kbd{ctrl-alt-f4}, etc. TTY2 shows
2202 this documentation and you can reach it with @kbd{ctrl-alt-f2}. Documentation
2203 is browsable using the Info reader commands (@pxref{Top,,, info-stnd,
2204 Stand-alone GNU Info}). The installation system runs the GPM mouse daemon,
2205 which allows you to select text with the left mouse button and to paste it
2206 with the middle button.
2209 Installation requires access to the Internet so that any missing
2210 dependencies of your system configuration can be downloaded. See the
2211 ``Networking'' section below.
2214 @node Guided Graphical Installation
2215 @section Guided Graphical Installation
2217 The graphical installer is a text-based user interface. It will guide you,
2218 with dialog boxes, through the steps needed to install GNU@tie{}Guix System.
2220 The first dialog boxes allow you to set up the system as you use it during the
2221 installation: you can choose the language, keyboard layout, and set up
2222 networking, which will be used during the installation. The image below shows
2223 the networking dialog.
2225 @image{images/installer-network,5in,, networking setup with the graphical installer}
2227 Later steps allow you to partition your hard disk, as shown in the image
2228 below, to choose whether or not to use encrypted file systems, to enter the
2229 host name and root password, and to create an additional account, among other
2232 @image{images/installer-partitions,5in,, partitioning with the graphical installer}
2234 Note that, at any time, the installer allows you to exit the current
2235 installation step and resume at a previous step, as show in the image below.
2237 @image{images/installer-resume,5in,, resuming the installation process}
2239 Once you're done, the installer produces an operating system configuration and
2240 displays it (@pxref{Using the Configuration System}). At that point you can
2241 hit ``OK'' and installation will proceed. On success, you can reboot into the
2242 new system and enjoy. @xref{After System Installation}, for what's next!
2245 @node Manual Installation
2246 @section Manual Installation
2248 This section describes how you would ``manually'' install GNU@tie{}Guix System
2249 on your machine. This option requires familiarity with GNU/Linux, with the
2250 shell, and with common administration tools. If you think this is not for
2251 you, consider using the guided graphical installer (@pxref{Guided Graphical
2254 The installation system provides root shells on TTYs 3 to 6; press
2255 @kbd{ctrl-alt-f3}, @kbd{ctrl-alt-f4}, and so on to reach them. It includes
2256 many common tools needed to install the system. But it is also a full-blown
2257 Guix System, which means that you can install additional packages, should you
2258 need it, using @command{guix package} (@pxref{Invoking guix package}).
2261 * Keyboard Layout and Networking and Partitioning:: Initial setup.
2262 * Proceeding with the Installation:: Installing.
2265 @node Keyboard Layout and Networking and Partitioning
2266 @subsection Keyboard Layout, Networking, and Partitioning
2268 Before you can install the system, you may want to adjust the keyboard layout,
2269 set up networking, and partition your target hard disk. This section will
2270 guide you through this.
2272 @subsubsection Keyboard Layout
2274 @cindex keyboard layout
2275 The installation image uses the US qwerty keyboard layout. If you want
2276 to change it, you can use the @command{loadkeys} command. For example,
2277 the following command selects the Dvorak keyboard layout:
2283 See the files under @file{/run/current-system/profile/share/keymaps} for
2284 a list of available keyboard layouts. Run @command{man loadkeys} for
2287 @subsubsection Networking
2289 Run the following command to see what your network interfaces are called:
2296 @dots{} or, using the GNU/Linux-specific @command{ip} command:
2302 @c https://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c#n20
2303 Wired interfaces have a name starting with @samp{e}; for example, the
2304 interface corresponding to the first on-board Ethernet controller is
2305 called @samp{eno1}. Wireless interfaces have a name starting with
2306 @samp{w}, like @samp{w1p2s0}.
2309 @item Wired connection
2310 To configure a wired network run the following command, substituting
2311 @var{interface} with the name of the wired interface you want to use.
2314 ifconfig @var{interface} up
2318 @dots{} or, using the GNU/Linux-specific @command{ip} command:
2321 ip link set @var{interface} up
2324 @item Wireless connection
2327 To configure wireless networking, you can create a configuration file
2328 for the @command{wpa_supplicant} configuration tool (its location is not
2329 important) using one of the available text editors such as
2333 nano wpa_supplicant.conf
2336 As an example, the following stanza can go to this file and will work
2337 for many wireless networks, provided you give the actual SSID and
2338 passphrase for the network you are connecting to:
2342 ssid="@var{my-ssid}"
2344 psk="the network's secret passphrase"
2348 Start the wireless service and run it in the background with the
2349 following command (substitute @var{interface} with the name of the
2350 network interface you want to use):
2353 wpa_supplicant -c wpa_supplicant.conf -i @var{interface} -B
2356 Run @command{man wpa_supplicant} for more information.
2360 At this point, you need to acquire an IP address. On a network where IP
2361 addresses are automatically assigned @i{via} DHCP, you can run:
2364 dhclient -v @var{interface}
2367 Try to ping a server to see if networking is up and running:
2373 Setting up network access is almost always a requirement because the
2374 image does not contain all the software and tools that may be needed.
2376 @cindex proxy, during system installation
2377 If you need HTTP and HTTPS access to go through a proxy, run the
2381 herd set-http-proxy guix-daemon @var{URL}
2385 where @var{URL} is the proxy URL, for example
2386 @code{http://example.org:8118}.
2388 @cindex installing over SSH
2389 If you want to, you can continue the installation remotely by starting
2393 herd start ssh-daemon
2396 Make sure to either set a password with @command{passwd}, or configure
2397 OpenSSH public key authentication before logging in.
2399 @subsubsection Disk Partitioning
2401 Unless this has already been done, the next step is to partition, and
2402 then format the target partition(s).
2404 The installation image includes several partitioning tools, including
2405 Parted (@pxref{Overview,,, parted, GNU Parted User Manual}),
2406 @command{fdisk}, and @command{cfdisk}. Run it and set up your disk with
2407 the partition layout you want:
2413 If your disk uses the GUID Partition Table (GPT) format and you plan to
2414 install BIOS-based GRUB (which is the default), make sure a BIOS Boot
2415 Partition is available (@pxref{BIOS installation,,, grub, GNU GRUB
2418 @cindex EFI, installation
2419 @cindex UEFI, installation
2420 @cindex ESP, EFI system partition
2421 If you instead wish to use EFI-based GRUB, a FAT32 @dfn{EFI System Partition}
2422 (ESP) is required. This partition can be mounted at @file{/boot/efi} for
2423 instance and must have the @code{esp} flag set. E.g., for @command{parted}:
2426 parted /dev/sda set 1 esp on
2430 @vindex grub-bootloader
2431 @vindex grub-efi-bootloader
2432 Unsure whether to use EFI- or BIOS-based GRUB? If the directory
2433 @file{/sys/firmware/efi} exists in the installation image, then you should
2434 probably perform an EFI installation, using @code{grub-efi-bootloader}.
2435 Otherwise you should use the BIOS-based GRUB, known as
2436 @code{grub-bootloader}. @xref{Bootloader Configuration}, for more info on
2440 Once you are done partitioning the target hard disk drive, you have to
2441 create a file system on the relevant partition(s)@footnote{Currently
2442 Guix System only supports ext4, btrfs, JFS, and F2FS file systems. In
2443 particular, code that reads file system UUIDs and labels only works for these
2444 file system types.}. For the ESP, if you have one and assuming it is
2445 @file{/dev/sda1}, run:
2448 mkfs.fat -F32 /dev/sda1
2451 For the root file system, ext4 is the most widely used format. Other
2452 file systems, such as Btrfs, support compression, which is reported to
2453 nicely complement file deduplication that the daemon performs
2454 independently of the file system (@pxref{Invoking guix-daemon,
2457 Preferably, assign file systems a label so that you can easily and
2458 reliably refer to them in @code{file-system} declarations (@pxref{File
2459 Systems}). This is typically done using the @code{-L} option of
2460 @command{mkfs.ext4} and related commands. So, assuming the target root
2461 partition lives at @file{/dev/sda2}, a file system with the label
2462 @code{my-root} can be created with:
2465 mkfs.ext4 -L my-root /dev/sda2
2468 @cindex encrypted disk
2469 If you are instead planning to encrypt the root partition, you can use
2470 the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
2471 @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
2472 @code{man cryptsetup}} for more information). Assuming you want to
2473 store the root partition on @file{/dev/sda2}, the command sequence would
2474 be along these lines:
2477 cryptsetup luksFormat /dev/sda2
2478 cryptsetup open --type luks /dev/sda2 my-partition
2479 mkfs.ext4 -L my-root /dev/mapper/my-partition
2482 Once that is done, mount the target file system under @file{/mnt}
2483 with a command like (again, assuming @code{my-root} is the label of the
2487 mount LABEL=my-root /mnt
2490 Also mount any other file systems you would like to use on the target
2491 system relative to this path. If you have opted for @file{/boot/efi} as an
2492 EFI mount point for example, mount it at @file{/mnt/boot/efi} now so it is
2493 found by @code{guix system init} afterwards.
2495 Finally, if you plan to use one or more swap partitions (@pxref{Memory
2496 Concepts, swap space,, libc, The GNU C Library Reference Manual}), make
2497 sure to initialize them with @command{mkswap}. Assuming you have one
2498 swap partition on @file{/dev/sda3}, you would run:
2505 Alternatively, you may use a swap file. For example, assuming that in
2506 the new system you want to use the file @file{/swapfile} as a swap file,
2507 you would run@footnote{This example will work for many types of file
2508 systems (e.g., ext4). However, for copy-on-write file systems (e.g.,
2509 btrfs), the required steps may be different. For details, see the
2510 manual pages for @command{mkswap} and @command{swapon}.}:
2513 # This is 10 GiB of swap space. Adjust "count" to change the size.
2514 dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240
2515 # For security, make the file readable and writable only by root.
2516 chmod 600 /mnt/swapfile
2517 mkswap /mnt/swapfile
2518 swapon /mnt/swapfile
2521 Note that if you have encrypted the root partition and created a swap
2522 file in its file system as described above, then the encryption also
2523 protects the swap file, just like any other file in that file system.
2525 @node Proceeding with the Installation
2526 @subsection Proceeding with the Installation
2528 With the target partitions ready and the target root mounted on
2529 @file{/mnt}, we're ready to go. First, run:
2532 herd start cow-store /mnt
2535 This makes @file{/gnu/store} copy-on-write, such that packages added to it
2536 during the installation phase are written to the target disk on @file{/mnt}
2537 rather than kept in memory. This is necessary because the first phase of
2538 the @command{guix system init} command (see below) entails downloads or
2539 builds to @file{/gnu/store} which, initially, is an in-memory file system.
2541 Next, you have to edit a file and
2542 provide the declaration of the operating system to be installed. To
2543 that end, the installation system comes with three text editors. We
2544 recommend GNU nano (@pxref{Top,,, nano, GNU nano Manual}), which
2545 supports syntax highlighting and parentheses matching; other editors
2546 include GNU Zile (an Emacs clone), and
2547 nvi (a clone of the original BSD @command{vi} editor).
2548 We strongly recommend storing that file on the target root file system, say,
2549 as @file{/mnt/etc/config.scm}. Failing to do that, you will have lost your
2550 configuration file once you have rebooted into the newly-installed system.
2552 @xref{Using the Configuration System}, for an overview of the
2553 configuration file. The example configurations discussed in that
2554 section are available under @file{/etc/configuration} in the
2555 installation image. Thus, to get started with a system configuration
2556 providing a graphical display server (a ``desktop'' system), you can run
2557 something along these lines:
2561 # cp /etc/configuration/desktop.scm /mnt/etc/config.scm
2562 # nano /mnt/etc/config.scm
2565 You should pay attention to what your configuration file contains, and
2570 Make sure the @code{bootloader-configuration} form refers to the target
2571 you want to install GRUB on. It should mention @code{grub-bootloader} if
2572 you are installing GRUB in the legacy way, or @code{grub-efi-bootloader}
2573 for newer UEFI systems. For legacy systems, the @code{target} field
2574 names a device, like @code{/dev/sda}; for UEFI systems it names a path
2575 to a mounted EFI partition, like @code{/boot/efi}; do make sure the path is
2576 currently mounted and a @code{file-system} entry is specified in your
2580 Be sure that your file system labels match the value of their respective
2581 @code{device} fields in your @code{file-system} configuration, assuming
2582 your @code{file-system} configuration uses the @code{file-system-label}
2583 procedure in its @code{device} field.
2586 If there are encrypted or RAID partitions, make sure to add a
2587 @code{mapped-devices} field to describe them (@pxref{Mapped Devices}).
2590 Once you are done preparing the configuration file, the new system must
2591 be initialized (remember that the target root file system is mounted
2595 guix system init /mnt/etc/config.scm /mnt
2599 This copies all the necessary files and installs GRUB on
2600 @file{/dev/sdX}, unless you pass the @option{--no-bootloader} option. For
2601 more information, @pxref{Invoking guix system}. This command may trigger
2602 downloads or builds of missing packages, which can take some time.
2604 Once that command has completed---and hopefully succeeded!---you can run
2605 @command{reboot} and boot into the new system. The @code{root} password
2606 in the new system is initially empty; other users' passwords need to be
2607 initialized by running the @command{passwd} command as @code{root},
2608 unless your configuration specifies otherwise
2609 (@pxref{user-account-password, user account passwords}).
2610 @xref{After System Installation}, for what's next!
2613 @node After System Installation
2614 @section After System Installation
2616 Success, you've now booted into Guix System! From then on, you can update the
2617 system whenever you want by running, say:
2621 sudo guix system reconfigure /etc/config.scm
2625 This builds a new system generation with the latest packages and services
2626 (@pxref{Invoking guix system}). We recommend doing that regularly so that
2627 your system includes the latest security updates (@pxref{Security Updates}).
2629 @c See <https://lists.gnu.org/archive/html/guix-devel/2019-01/msg00268.html>.
2631 @cindex sudo vs. @command{guix pull}
2632 Note that @command{sudo guix} runs your user's @command{guix} command and
2633 @emph{not} root's, because @command{sudo} leaves @env{PATH} unchanged. To
2634 explicitly run root's @command{guix}, type @command{sudo -i guix @dots{}}.
2636 The difference matters here, because @command{guix pull} updates
2637 the @command{guix} command and package definitions only for the user it is run
2638 as. This means that if you choose to use @command{guix system reconfigure} in
2639 root's login shell, you'll need to @command{guix pull} separately.
2642 Now, @pxref{Getting Started}, and
2643 join us on @code{#guix} on the Libera Chat IRC network or on
2644 @email{guix-devel@@gnu.org} to share your experience!
2647 @node Installing Guix in a VM
2648 @section Installing Guix in a Virtual Machine
2650 @cindex virtual machine, Guix System installation
2651 @cindex virtual private server (VPS)
2652 @cindex VPS (virtual private server)
2653 If you'd like to install Guix System in a virtual machine (VM) or on a
2654 virtual private server (VPS) rather than on your beloved machine, this
2657 To boot a @uref{https://qemu.org/,QEMU} VM for installing Guix System in a
2658 disk image, follow these steps:
2662 First, retrieve and decompress the Guix system installation image as
2663 described previously (@pxref{USB Stick and DVD Installation}).
2666 Create a disk image that will hold the installed system. To make a
2667 qcow2-formatted disk image, use the @command{qemu-img} command:
2670 qemu-img create -f qcow2 guix-system.img 50G
2673 The resulting file will be much smaller than 50 GB (typically less than
2674 1 MB), but it will grow as the virtualized storage device is filled up.
2677 Boot the USB installation image in an VM:
2680 qemu-system-x86_64 -m 1024 -smp 1 -enable-kvm \
2681 -nic user,model=virtio-net-pci -boot menu=on,order=d \
2682 -drive file=guix-system.img \
2683 -drive media=cdrom,file=guix-system-install-@value{VERSION}.@var{system}.iso
2686 @code{-enable-kvm} is optional, but significantly improves performance,
2687 @pxref{Running Guix in a VM}.
2690 You're now root in the VM, proceed with the installation process.
2691 @xref{Preparing for Installation}, and follow the instructions.
2694 Once installation is complete, you can boot the system that's on your
2695 @file{guix-system.img} image. @xref{Running Guix in a VM}, for how to do
2698 @node Building the Installation Image
2699 @section Building the Installation Image
2701 @cindex installation image
2702 The installation image described above was built using the @command{guix
2703 system} command, specifically:
2706 guix system image -t iso9660 gnu/system/install.scm
2709 Have a look at @file{gnu/system/install.scm} in the source tree,
2710 and see also @ref{Invoking guix system} for more information
2711 about the installation image.
2713 @section Building the Installation Image for ARM Boards
2715 Many ARM boards require a specific variant of the
2716 @uref{https://www.denx.de/wiki/U-Boot/, U-Boot} bootloader.
2718 If you build a disk image and the bootloader is not available otherwise
2719 (on another boot drive etc), it's advisable to build an image that
2720 includes the bootloader, specifically:
2723 guix system image --system=armhf-linux -e '((@@ (gnu system install) os-with-u-boot) (@@ (gnu system install) installation-os) "A20-OLinuXino-Lime2")'
2726 @code{A20-OLinuXino-Lime2} is the name of the board. If you specify an invalid
2727 board, a list of possible boards will be printed.
2729 @c *********************************************************************
2730 @node Getting Started
2731 @chapter Getting Started
2733 Presumably, you've reached this section because either you have
2734 installed Guix on top of another distribution (@pxref{Installation}), or
2735 you've installed the standalone Guix System (@pxref{System
2736 Installation}). It's time for you to get started using Guix and this
2737 section aims to help you do that and give you a feel of what it's like.
2739 Guix is about installing software, so probably the first thing you'll
2740 want to do is to actually look for software. Let's say you're looking
2741 for a text editor, you can run:
2744 guix search text editor
2747 This command shows you a number of matching @dfn{packages}, each time
2748 showing the package's name, version, a description, and additional info.
2749 Once you've found out the one you want to use, let's say Emacs (ah ha!),
2750 you can go ahead and install it (run this command as a regular user,
2751 @emph{no need for root privileges}!):
2758 You've installed your first package, congrats! The package is now
2759 visible in your default @dfn{profile}, @file{$HOME/.guix-profile}---a
2760 profile is a directory containing installed packages.
2761 In the process, you've
2762 probably noticed that Guix downloaded pre-built binaries; or, if you
2763 explicitly chose to @emph{not} use pre-built binaries, then probably
2764 Guix is still building software (@pxref{Substitutes}, for more info).
2766 Unless you're using Guix System, the @command{guix install} command must
2767 have printed this hint:
2770 hint: Consider setting the necessary environment variables by running:
2772 GUIX_PROFILE="$HOME/.guix-profile"
2773 . "$GUIX_PROFILE/etc/profile"
2775 Alternately, see `guix package --search-paths -p "$HOME/.guix-profile"'.
2778 Indeed, you must now tell your shell where @command{emacs} and other
2779 programs installed with Guix are to be found. Pasting the two lines
2780 above will do just that: it will add
2781 @code{$HOME/.guix-profile/bin}---which is where the installed package
2782 is---to the @code{PATH} environment variable. You can paste these two
2783 lines in your shell so they take effect right away, but more importantly
2784 you should add them to @file{~/.bash_profile} (or equivalent file if you
2785 do not use Bash) so that environment variables are set next time you
2786 spawn a shell. You only need to do this once and other search paths
2787 environment variables will be taken care of similarly---e.g., if you
2788 eventually install @code{python} and Python libraries, @code{PYTHONPATH}
2791 You can go on installing packages at your will. To list installed
2795 guix package --list-installed
2798 To remove a package, you would unsurprisingly run @command{guix remove}.
2799 A distinguishing feature is the ability to @dfn{roll back} any operation
2800 you made---installation, removal, upgrade---by simply typing:
2803 guix package --roll-back
2806 This is because each operation is in fact a @dfn{transaction} that
2807 creates a new @dfn{generation}. These generations and the difference
2808 between them can be displayed by running:
2811 guix package --list-generations
2814 Now you know the basics of package management!
2816 @quotation Going further
2817 @xref{Package Management}, for more about package management. You may
2818 like @dfn{declarative} package management with @command{guix package
2819 --manifest}, managing separate @dfn{profiles} with @option{--profile},
2820 deleting old generations, collecting garbage, and other nifty features
2821 that will come in handy as you become more familiar with Guix. If you
2822 are a developer, @pxref{Development} for additional tools. And if
2823 you're curious, @pxref{Features}, to peek under the hood.
2826 Once you've installed a set of packages, you will want to periodically
2827 @emph{upgrade} them to the latest and greatest version. To do that, you
2828 will first pull the latest revision of Guix and its package collection:
2834 The end result is a new @command{guix} command, under
2835 @file{~/.config/guix/current/bin}. Unless you're on Guix System, the
2836 first time you run @command{guix pull}, be sure to follow the hint that
2837 the command prints and, similar to what we saw above, paste these two
2838 lines in your terminal and @file{.bash_profile}:
2841 GUIX_PROFILE="$HOME/.config/guix/current"
2842 . "$GUIX_PROFILE/etc/profile"
2846 You must also instruct your shell to point to this new @command{guix}:
2852 At this point, you're running a brand new Guix. You can thus go ahead
2853 and actually upgrade all the packages you previously installed:
2859 As you run this command, you will see that binaries are downloaded (or
2860 perhaps some packages are built), and eventually you end up with the
2861 upgraded packages. Should one of these upgraded packages not be to your
2862 liking, remember you can always roll back!
2864 You can display the exact revision of Guix you're currently using by
2871 The information it displays is @emph{all it takes to reproduce the exact
2872 same Guix}, be it at a different point in time or on a different
2875 @quotation Going further
2876 @xref{Invoking guix pull}, for more information. @xref{Channels}, on
2877 how to specify additional @dfn{channels} to pull packages from, how to
2878 replicate Guix, and more. You may also find @command{time-machine}
2879 handy (@pxref{Invoking guix time-machine}).
2882 If you installed Guix System, one of the first things you'll want to do
2883 is to upgrade your system. Once you've run @command{guix pull} to get
2884 the latest Guix, you can upgrade the system like this:
2887 sudo guix system reconfigure /etc/config.scm
2890 Upon completion, the system runs the latest versions of its software
2891 packages. When you eventually reboot, you'll notice a sub-menu in the
2892 bootloader that reads ``Old system generations'': it's what allows you
2893 to boot @emph{an older generation of your system}, should the latest
2894 generation be ``broken'' or otherwise unsatisfying. Just like for
2895 packages, you can always @emph{roll back} to a previous generation
2896 @emph{of the whole system}:
2899 sudo guix system roll-back
2902 There are many things you'll probably want to tweak on your system:
2903 adding new user accounts, adding new system services, fiddling with the
2904 configuration of those services, etc. The system configuration is
2905 @emph{entirely} described in the @file{/etc/config.scm} file.
2906 @xref{Using the Configuration System}, to learn how to change it.
2908 Now you know enough to get started!
2910 @quotation Resources
2911 The rest of this manual provides a reference for all things Guix. Here
2912 are some additional resources you may find useful:
2916 @xref{Top,,, guix-cookbook, The GNU Guix Cookbook}, for a list of
2917 ``how-to'' style of recipes for a variety of applications.
2920 The @uref{https://guix.gnu.org/guix-refcard.pdf, GNU Guix Reference
2921 Card} lists in two pages most of the commands and options you'll ever
2925 The web site contains @uref{https://guix.gnu.org/en/videos/,
2926 instructional videos} covering topics such as everyday use of Guix, how
2927 to get help, and how to become a contributor.
2930 @xref{Documentation}, to learn how to access documentation on your
2934 We hope you will enjoy Guix as much as the community enjoys building it!
2937 @c *********************************************************************
2938 @node Package Management
2939 @chapter Package Management
2942 The purpose of GNU Guix is to allow users to easily install, upgrade, and
2943 remove software packages, without having to know about their build
2944 procedures or dependencies. Guix also goes beyond this obvious set of
2947 This chapter describes the main features of Guix, as well as the
2948 package management tools it provides. Along with the command-line
2949 interface described below (@pxref{Invoking guix package, @code{guix
2950 package}}), you may also use the Emacs-Guix interface (@pxref{Top,,,
2951 emacs-guix, The Emacs-Guix Reference Manual}), after installing
2952 @code{emacs-guix} package (run @kbd{M-x guix-help} command to start
2956 guix install emacs-guix
2960 * Features:: How Guix will make your life brighter.
2961 * Invoking guix package:: Package installation, removal, etc.
2962 * Substitutes:: Downloading pre-built binaries.
2963 * Packages with Multiple Outputs:: Single source package, multiple outputs.
2964 * Invoking guix gc:: Running the garbage collector.
2965 * Invoking guix pull:: Fetching the latest Guix and distribution.
2966 * Invoking guix time-machine:: Running an older revision of Guix.
2967 * Inferiors:: Interacting with another revision of Guix.
2968 * Invoking guix describe:: Display information about your Guix revision.
2969 * Invoking guix archive:: Exporting and importing store files.
2975 Here we assume you've already made your first steps with Guix
2976 (@pxref{Getting Started}) and would like to get an overview about what's
2977 going on under the hood.
2979 When using Guix, each package ends up in the @dfn{package store}, in its
2980 own directory---something that resembles
2981 @file{/gnu/store/xxx-package-1.2}, where @code{xxx} is a base32 string.
2983 Instead of referring to these directories, users have their own
2984 @dfn{profile}, which points to the packages that they actually want to
2985 use. These profiles are stored within each user's home directory, at
2986 @code{$HOME/.guix-profile}.
2988 For example, @code{alice} installs GCC 4.7.2. As a result,
2989 @file{/home/alice/.guix-profile/bin/gcc} points to
2990 @file{/gnu/store/@dots{}-gcc-4.7.2/bin/gcc}. Now, on the same machine,
2991 @code{bob} had already installed GCC 4.8.0. The profile of @code{bob}
2992 simply continues to point to
2993 @file{/gnu/store/@dots{}-gcc-4.8.0/bin/gcc}---i.e., both versions of GCC
2994 coexist on the same system without any interference.
2996 The @command{guix package} command is the central tool to manage
2997 packages (@pxref{Invoking guix package}). It operates on the per-user
2998 profiles, and can be used @emph{with normal user privileges}.
3000 @cindex transactions
3001 The command provides the obvious install, remove, and upgrade
3002 operations. Each invocation is actually a @emph{transaction}: either
3003 the specified operation succeeds, or nothing happens. Thus, if the
3004 @command{guix package} process is terminated during the transaction,
3005 or if a power outage occurs during the transaction, then the user's
3006 profile remains in its previous state, and remains usable.
3008 In addition, any package transaction may be @emph{rolled back}. So, if,
3009 for example, an upgrade installs a new version of a package that turns
3010 out to have a serious bug, users may roll back to the previous instance
3011 of their profile, which was known to work well. Similarly, the global
3012 system configuration on Guix is subject to
3013 transactional upgrades and roll-back
3014 (@pxref{Using the Configuration System}).
3016 All packages in the package store may be @emph{garbage-collected}.
3017 Guix can determine which packages are still referenced by user
3018 profiles, and remove those that are provably no longer referenced
3019 (@pxref{Invoking guix gc}). Users may also explicitly remove old
3020 generations of their profile so that the packages they refer to can be
3023 @cindex reproducibility
3024 @cindex reproducible builds
3025 Guix takes a @dfn{purely functional} approach to package
3026 management, as described in the introduction (@pxref{Introduction}).
3027 Each @file{/gnu/store} package directory name contains a hash of all the
3028 inputs that were used to build that package---compiler, libraries, build
3029 scripts, etc. This direct correspondence allows users to make sure a
3030 given package installation matches the current state of their
3031 distribution. It also helps maximize @dfn{build reproducibility}:
3032 thanks to the isolated build environments that are used, a given build
3033 is likely to yield bit-identical files when performed on different
3034 machines (@pxref{Invoking guix-daemon, container}).
3037 This foundation allows Guix to support @dfn{transparent binary/source
3038 deployment}. When a pre-built binary for a @file{/gnu/store} item is
3039 available from an external source---a @dfn{substitute}, Guix just
3040 downloads it and unpacks it;
3041 otherwise, it builds the package from source, locally
3042 (@pxref{Substitutes}). Because build results are usually bit-for-bit
3043 reproducible, users do not have to trust servers that provide
3044 substitutes: they can force a local build and @emph{challenge} providers
3045 (@pxref{Invoking guix challenge}).
3047 Control over the build environment is a feature that is also useful for
3048 developers. The @command{guix environment} command allows developers of
3049 a package to quickly set up the right development environment for their
3050 package, without having to manually install the dependencies of the
3051 package into their profile (@pxref{Invoking guix environment}).
3053 @cindex replication, of software environments
3054 @cindex provenance tracking, of software artifacts
3055 All of Guix and its package definitions is version-controlled, and
3056 @command{guix pull} allows you to ``travel in time'' on the history of Guix
3057 itself (@pxref{Invoking guix pull}). This makes it possible to replicate a
3058 Guix instance on a different machine or at a later point in time, which in
3059 turn allows you to @emph{replicate complete software environments}, while
3060 retaining precise @dfn{provenance tracking} of the software.
3062 @node Invoking guix package
3063 @section Invoking @command{guix package}
3065 @cindex installing packages
3066 @cindex removing packages
3067 @cindex package installation
3068 @cindex package removal
3070 The @command{guix package} command is the tool that allows users to
3071 install, upgrade, and remove packages, as well as rolling back to
3072 previous configurations. These operations work on a user
3073 @dfn{profile}---a directory of installed packages. Each user has a
3074 default profile in @file{$HOME/.guix-profile}.
3075 The command operates only on the user's own profile,
3076 and works with normal user privileges (@pxref{Features}). Its syntax
3080 guix package @var{options}
3083 @cindex transactions
3084 Primarily, @var{options} specifies the operations to be performed during
3085 the transaction. Upon completion, a new profile is created, but
3086 previous @dfn{generations} of the profile remain available, should the user
3089 For example, to remove @code{lua} and install @code{guile} and
3090 @code{guile-cairo} in a single transaction:
3093 guix package -r lua -i guile guile-cairo
3096 @cindex aliases, for @command{guix package}
3097 For your convenience, we also provide the following aliases:
3101 @command{guix search} is an alias for @command{guix package -s},
3103 @command{guix install} is an alias for @command{guix package -i},
3105 @command{guix remove} is an alias for @command{guix package -r},
3107 @command{guix upgrade} is an alias for @command{guix package -u},
3109 and @command{guix show} is an alias for @command{guix package --show=}.
3112 These aliases are less expressive than @command{guix package} and provide
3113 fewer options, so in some cases you'll probably want to use @command{guix
3116 @command{guix package} also supports a @dfn{declarative approach}
3117 whereby the user specifies the exact set of packages to be available and
3118 passes it @i{via} the @option{--manifest} option
3119 (@pxref{profile-manifest, @option{--manifest}}).
3122 For each user, a symlink to the user's default profile is automatically
3123 created in @file{$HOME/.guix-profile}. This symlink always points to the
3124 current generation of the user's default profile. Thus, users can add
3125 @file{$HOME/.guix-profile/bin} to their @env{PATH} environment
3126 variable, and so on.
3127 @cindex search paths
3128 If you are not using Guix System, consider adding the
3129 following lines to your @file{~/.bash_profile} (@pxref{Bash Startup
3130 Files,,, bash, The GNU Bash Reference Manual}) so that newly-spawned
3131 shells get all the right environment variable definitions:
3134 GUIX_PROFILE="$HOME/.guix-profile" ; \
3135 source "$GUIX_PROFILE/etc/profile"
3138 In a multi-user setup, user profiles are stored in a place registered as
3139 a @dfn{garbage-collector root}, which @file{$HOME/.guix-profile} points
3140 to (@pxref{Invoking guix gc}). That directory is normally
3141 @code{@var{localstatedir}/guix/profiles/per-user/@var{user}}, where
3142 @var{localstatedir} is the value passed to @code{configure} as
3143 @option{--localstatedir}, and @var{user} is the user name. The
3144 @file{per-user} directory is created when @command{guix-daemon} is
3145 started, and the @var{user} sub-directory is created by @command{guix
3148 The @var{options} can be among the following:
3152 @item --install=@var{package} @dots{}
3153 @itemx -i @var{package} @dots{}
3154 Install the specified @var{package}s.
3156 Each @var{package} may specify either a simple package name, such as
3157 @code{guile}, or a package name followed by an at-sign and version number,
3158 such as @code{guile@@1.8.8} or simply @code{guile@@1.8} (in the latter
3159 case, the newest version prefixed by @code{1.8} is selected).
3161 If no version number is specified, the
3162 newest available version will be selected. In addition, @var{package}
3163 may contain a colon, followed by the name of one of the outputs of the
3164 package, as in @code{gcc:doc} or @code{binutils@@2.22:lib}
3165 (@pxref{Packages with Multiple Outputs}). Packages with a corresponding
3166 name (and optionally version) are searched for among the GNU
3167 distribution modules (@pxref{Package Modules}).
3169 @cindex propagated inputs
3170 Sometimes packages have @dfn{propagated inputs}: these are dependencies
3171 that automatically get installed along with the required package
3172 (@pxref{package-propagated-inputs, @code{propagated-inputs} in
3173 @code{package} objects}, for information about propagated inputs in
3174 package definitions).
3176 @anchor{package-cmd-propagated-inputs}
3177 An example is the GNU MPC library: its C header files refer to those of
3178 the GNU MPFR library, which in turn refer to those of the GMP library.
3179 Thus, when installing MPC, the MPFR and GMP libraries also get installed
3180 in the profile; removing MPC also removes MPFR and GMP---unless they had
3181 also been explicitly installed by the user.
3183 Besides, packages sometimes rely on the definition of environment
3184 variables for their search paths (see explanation of
3185 @option{--search-paths} below). Any missing or possibly incorrect
3186 environment variable definitions are reported here.
3188 @item --install-from-expression=@var{exp}
3190 Install the package @var{exp} evaluates to.
3192 @var{exp} must be a Scheme expression that evaluates to a
3193 @code{<package>} object. This option is notably useful to disambiguate
3194 between same-named variants of a package, with expressions such as
3195 @code{(@@ (gnu packages base) guile-final)}.
3197 Note that this option installs the first output of the specified
3198 package, which may be insufficient when needing a specific output of a
3199 multiple-output package.
3201 @item --install-from-file=@var{file}
3202 @itemx -f @var{file}
3203 Install the package that the code within @var{file} evaluates to.
3205 As an example, @var{file} might contain a definition like this
3206 (@pxref{Defining Packages}):
3209 @include package-hello.scm
3212 Developers may find it useful to include such a @file{guix.scm} file
3213 in the root of their project source tree that can be used to test
3214 development snapshots and create reproducible development environments
3215 (@pxref{Invoking guix environment}).
3217 The @var{file} may also contain a JSON representation of one or more
3218 package definitions. Running @code{guix package -f} on
3219 @file{hello.json} with the following contents would result in installing
3220 the package @code{greeter} after building @code{myhello}:
3223 @verbatiminclude package-hello.json
3226 @item --remove=@var{package} @dots{}
3227 @itemx -r @var{package} @dots{}
3228 Remove the specified @var{package}s.
3230 As for @option{--install}, each @var{package} may specify a version number
3231 and/or output name in addition to the package name. For instance,
3232 @samp{-r glibc:debug} would remove the @code{debug} output of
3235 @item --upgrade[=@var{regexp} @dots{}]
3236 @itemx -u [@var{regexp} @dots{}]
3237 @cindex upgrading packages
3238 Upgrade all the installed packages. If one or more @var{regexp}s are
3239 specified, upgrade only installed packages whose name matches a
3240 @var{regexp}. Also see the @option{--do-not-upgrade} option below.
3242 Note that this upgrades package to the latest version of packages found
3243 in the distribution currently installed. To update your distribution,
3244 you should regularly run @command{guix pull} (@pxref{Invoking guix
3247 @cindex package transformations, upgrades
3248 When upgrading, package transformations that were originally applied
3249 when creating the profile are automatically re-applied (@pxref{Package
3250 Transformation Options}). For example, assume you first installed Emacs
3251 from the tip of its development branch with:
3254 guix install emacs-next --with-branch=emacs-next=master
3257 Next time you run @command{guix upgrade}, Guix will again pull the tip
3258 of the Emacs development branch and build @code{emacs-next} from that
3261 Note that transformation options such as @option{--with-branch} and
3262 @option{--with-source} depend on external state; it is up to you to
3263 ensure that they work as expected. You can also discard a
3264 transformations that apply to a package by running:
3267 guix install @var{package}
3270 @item --do-not-upgrade[=@var{regexp} @dots{}]
3271 When used together with the @option{--upgrade} option, do @emph{not}
3272 upgrade any packages whose name matches a @var{regexp}. For example, to
3273 upgrade all packages in the current profile except those containing the
3274 substring ``emacs'':
3277 $ guix package --upgrade . --do-not-upgrade emacs
3280 @item @anchor{profile-manifest}--manifest=@var{file}
3281 @itemx -m @var{file}
3282 @cindex profile declaration
3283 @cindex profile manifest
3284 Create a new generation of the profile from the manifest object
3285 returned by the Scheme code in @var{file}. This option can be repeated
3286 several times, in which case the manifests are concatenated.
3288 This allows you to @emph{declare} the profile's contents rather than
3289 constructing it through a sequence of @option{--install} and similar
3290 commands. The advantage is that @var{file} can be put under version
3291 control, copied to different machines to reproduce the same profile, and
3294 @c FIXME: Add reference to (guix profile) documentation when available.
3295 @var{file} must return a @dfn{manifest} object, which is roughly a list
3298 @findex packages->manifest
3300 (use-package-modules guile emacs)
3305 ;; Use a specific package output.
3306 (list guile-2.0 "debug")))
3309 @findex specifications->manifest
3310 In this example we have to know which modules define the @code{emacs}
3311 and @code{guile-2.0} variables to provide the right
3312 @code{use-package-modules} line, which can be cumbersome. We can
3313 instead provide regular package specifications and let
3314 @code{specifications->manifest} look up the corresponding package
3318 (specifications->manifest
3319 '("emacs" "guile@@2.2" "guile@@2.2:debug"))
3322 @xref{export-manifest, @option{--export-manifest}}, to learn how to
3323 obtain a manifest file from an existing profile.
3326 @cindex rolling back
3327 @cindex undoing transactions
3328 @cindex transactions, undoing
3329 Roll back to the previous @dfn{generation} of the profile---i.e., undo
3330 the last transaction.
3332 When combined with options such as @option{--install}, roll back occurs
3333 before any other actions.
3335 When rolling back from the first generation that actually contains
3336 installed packages, the profile is made to point to the @dfn{zeroth
3337 generation}, which contains no files apart from its own metadata.
3339 After having rolled back, installing, removing, or upgrading packages
3340 overwrites previous future generations. Thus, the history of the
3341 generations in a profile is always linear.
3343 @item --switch-generation=@var{pattern}
3344 @itemx -S @var{pattern}
3346 Switch to a particular generation defined by @var{pattern}.
3348 @var{pattern} may be either a generation number or a number prefixed
3349 with ``+'' or ``-''. The latter means: move forward/backward by a
3350 specified number of generations. For example, if you want to return to
3351 the latest generation after @option{--roll-back}, use
3352 @option{--switch-generation=+1}.
3354 The difference between @option{--roll-back} and
3355 @option{--switch-generation=-1} is that @option{--switch-generation} will
3356 not make a zeroth generation, so if a specified generation does not
3357 exist, the current generation will not be changed.
3359 @item --search-paths[=@var{kind}]
3360 @cindex search paths
3361 Report environment variable definitions, in Bash syntax, that may be
3362 needed in order to use the set of installed packages. These environment
3363 variables are used to specify @dfn{search paths} for files used by some
3364 of the installed packages.
3366 For example, GCC needs the @env{CPATH} and @env{LIBRARY_PATH}
3367 environment variables to be defined so it can look for headers and
3368 libraries in the user's profile (@pxref{Environment Variables,,, gcc,
3369 Using the GNU Compiler Collection (GCC)}). If GCC and, say, the C
3370 library are installed in the profile, then @option{--search-paths} will
3371 suggest setting these variables to @file{@var{profile}/include} and
3372 @file{@var{profile}/lib}, respectively.
3374 The typical use case is to define these environment variables in the
3378 $ eval `guix package --search-paths`
3381 @var{kind} may be one of @code{exact}, @code{prefix}, or @code{suffix},
3382 meaning that the returned environment variable definitions will either
3383 be exact settings, or prefixes or suffixes of the current value of these
3384 variables. When omitted, @var{kind} defaults to @code{exact}.
3386 This option can also be used to compute the @emph{combined} search paths
3387 of several profiles. Consider this example:
3390 $ guix package -p foo -i guile
3391 $ guix package -p bar -i guile-json
3392 $ guix package -p foo -p bar --search-paths
3395 The last command above reports about the @env{GUILE_LOAD_PATH}
3396 variable, even though, taken individually, neither @file{foo} nor
3397 @file{bar} would lead to that recommendation.
3400 @cindex profile, choosing
3401 @item --profile=@var{profile}
3402 @itemx -p @var{profile}
3403 Use @var{profile} instead of the user's default profile.
3405 @var{profile} must be the name of a file that will be created upon
3406 completion. Concretely, @var{profile} will be a mere symbolic link
3407 (``symlink'') pointing to the actual profile where packages are
3411 $ guix install hello -p ~/code/my-profile
3413 $ ~/code/my-profile/bin/hello
3417 All it takes to get rid of the profile is to remove this symlink and its
3418 siblings that point to specific generations:
3421 $ rm ~/code/my-profile ~/code/my-profile-*-link
3424 @item --list-profiles
3425 List all the user's profiles:
3428 $ guix package --list-profiles
3429 /home/charlie/.guix-profile
3430 /home/charlie/code/my-profile
3431 /home/charlie/code/devel-profile
3432 /home/charlie/tmp/test
3435 When running as root, list all the profiles of all the users.
3437 @cindex collisions, in a profile
3438 @cindex colliding packages in profiles
3439 @cindex profile collisions
3440 @item --allow-collisions
3441 Allow colliding packages in the new profile. Use at your own risk!
3443 By default, @command{guix package} reports as an error @dfn{collisions}
3444 in the profile. Collisions happen when two or more different versions
3445 or variants of a given package end up in the profile.
3448 Use the bootstrap Guile to build the profile. This option is only
3449 useful to distribution developers.
3453 In addition to these actions, @command{guix package} supports the
3454 following options to query the current state of a profile, or the
3455 availability of packages:
3459 @item --search=@var{regexp}
3460 @itemx -s @var{regexp}
3461 @anchor{guix-search}
3462 @cindex searching for packages
3463 List the available packages whose name, synopsis, or description matches
3464 @var{regexp} (in a case-insensitive fashion), sorted by relevance.
3465 Print all the metadata of matching packages in
3466 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils,
3467 GNU recutils manual}).
3469 This allows specific fields to be extracted using the @command{recsel}
3470 command, for instance:
3473 $ guix package -s malloc | recsel -p name,version,relevance
3487 Similarly, to show the name of all the packages available under the
3488 terms of the GNU@tie{}LGPL version 3:
3491 $ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"'
3498 It is also possible to refine search results using several @code{-s} flags to
3499 @command{guix package}, or several arguments to @command{guix search}. For
3500 example, the following command returns a list of board games (this time using
3501 the @command{guix search} alias):
3504 $ guix search '\<board\>' game | recsel -p name
3509 If we were to omit @code{-s game}, we would also get software packages
3510 that deal with printed circuit boards; removing the angle brackets
3511 around @code{board} would further add packages that have to do with
3514 And now for a more elaborate example. The following command searches
3515 for cryptographic libraries, filters out Haskell, Perl, Python, and Ruby
3516 libraries, and prints the name and synopsis of the matching packages:
3519 $ guix search crypto library | \
3520 recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis
3524 @xref{Selection Expressions,,, recutils, GNU recutils manual}, for more
3525 information on @dfn{selection expressions} for @code{recsel -e}.
3527 @item --show=@var{package}
3528 Show details about @var{package}, taken from the list of available packages, in
3529 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils, GNU
3533 $ guix package --show=python | recsel -p name,version
3541 You may also specify the full name of a package to only get details about a
3542 specific version of it (this time using the @command{guix show} alias):
3544 $ guix show python@@3.4 | recsel -p name,version
3551 @item --list-installed[=@var{regexp}]
3552 @itemx -I [@var{regexp}]
3553 List the currently installed packages in the specified profile, with the
3554 most recently installed packages shown last. When @var{regexp} is
3555 specified, list only installed packages whose name matches @var{regexp}.
3557 For each installed package, print the following items, separated by
3558 tabs: the package name, its version string, the part of the package that
3559 is installed (for instance, @code{out} for the default output,
3560 @code{include} for its headers, etc.), and the path of this package in
3563 @item --list-available[=@var{regexp}]
3564 @itemx -A [@var{regexp}]
3565 List packages currently available in the distribution for this system
3566 (@pxref{GNU Distribution}). When @var{regexp} is specified, list only
3567 available packages whose name matches @var{regexp}.
3569 For each package, print the following items separated by tabs: its name,
3570 its version string, the parts of the package (@pxref{Packages with
3571 Multiple Outputs}), and the source location of its definition.
3573 @item --list-generations[=@var{pattern}]
3574 @itemx -l [@var{pattern}]
3576 Return a list of generations along with their creation dates; for each
3577 generation, show the installed packages, with the most recently
3578 installed packages shown last. Note that the zeroth generation is never
3581 For each installed package, print the following items, separated by
3582 tabs: the name of a package, its version string, the part of the package
3583 that is installed (@pxref{Packages with Multiple Outputs}), and the
3584 location of this package in the store.
3586 When @var{pattern} is used, the command returns only matching
3587 generations. Valid patterns include:
3590 @item @emph{Integers and comma-separated integers}. Both patterns denote
3591 generation numbers. For instance, @option{--list-generations=1} returns
3594 And @option{--list-generations=1,8,2} outputs three generations in the
3595 specified order. Neither spaces nor trailing commas are allowed.
3597 @item @emph{Ranges}. @option{--list-generations=2..9} prints the
3598 specified generations and everything in between. Note that the start of
3599 a range must be smaller than its end.
3601 It is also possible to omit the endpoint. For example,
3602 @option{--list-generations=2..}, returns all generations starting from the
3605 @item @emph{Durations}. You can also get the last @emph{N}@tie{}days, weeks,
3606 or months by passing an integer along with the first letter of the
3607 duration. For example, @option{--list-generations=20d} lists generations
3608 that are up to 20 days old.
3611 @item --delete-generations[=@var{pattern}]
3612 @itemx -d [@var{pattern}]
3613 When @var{pattern} is omitted, delete all generations except the current
3616 This command accepts the same patterns as @option{--list-generations}.
3617 When @var{pattern} is specified, delete the matching generations. When
3618 @var{pattern} specifies a duration, generations @emph{older} than the
3619 specified duration match. For instance, @option{--delete-generations=1m}
3620 deletes generations that are more than one month old.
3622 If the current generation matches, it is @emph{not} deleted. Also, the
3623 zeroth generation is never deleted.
3625 Note that deleting generations prevents rolling back to them.
3626 Consequently, this command must be used with care.
3628 @cindex manifest, exporting
3629 @anchor{export-manifest}
3630 @item --export-manifest
3631 Write to standard output a manifest suitable for @option{--manifest}
3632 corresponding to the chosen profile(s).
3634 This option is meant to help you migrate from the ``imperative''
3635 operating mode---running @command{guix install}, @command{guix upgrade},
3636 etc.---to the declarative mode that @option{--manifest} offers.
3638 Be aware that the resulting manifest @emph{approximates} what your
3639 profile actually contains; for instance, depending on how your profile
3640 was created, it can refer to packages or package versions that are not
3641 exactly what you specified.
3643 Keep in mind that a manifest is purely symbolic: it only contains
3644 package names and possibly versions, and their meaning varies over time.
3645 If you wish to ``pin'' channels to the revisions that were used to build
3646 the profile(s), see @option{--export-channels} below.
3648 @cindex pinning, channel revisions of a profile
3649 @item --export-channels
3650 Write to standard output the list of channels used by the chosen
3651 profile(s), in a format suitable for @command{guix pull --channels} or
3652 @command{guix time-machine --channels} (@pxref{Channels}).
3654 Together with @option{--export-manifest}, this option provides
3655 information allowing you to replicate the current profile
3656 (@pxref{Replicating Guix}).
3658 However, note that the output of this command @emph{approximates} what
3659 was actually used to build this profile. In particular, a single
3660 profile might have been built from several different revisions of the
3661 same channel. In that case, @option{--export-manifest} chooses the last
3662 one and writes the list of other revisions in a comment. If you really
3663 need to pick packages from different channel revisions, you can use
3664 inferiors in your manifest to do so (@pxref{Inferiors}).
3666 Together with @option{--export-manifest}, this is a good starting point
3667 if you are willing to migrate from the ``imperative'' model to the fully
3668 declarative model consisting of a manifest file along with a channels
3669 file pinning the exact channel revision(s) you want.
3672 Finally, since @command{guix package} may actually start build
3673 processes, it supports all the common build options (@pxref{Common Build
3674 Options}). It also supports package transformation options, such as
3675 @option{--with-source}, and preserves them across upgrades
3676 (@pxref{Package Transformation Options}).
3679 @section Substitutes
3682 @cindex pre-built binaries
3683 Guix supports transparent source/binary deployment, which means that it
3684 can either build things locally, or download pre-built items from a
3685 server, or both. We call these pre-built items @dfn{substitutes}---they
3686 are substitutes for local build results. In many cases, downloading a
3687 substitute is much faster than building things locally.
3689 Substitutes can be anything resulting from a derivation build
3690 (@pxref{Derivations}). Of course, in the common case, they are
3691 pre-built package binaries, but source tarballs, for instance, which
3692 also result from derivation builds, can be available as substitutes.
3695 * Official Substitute Servers:: One particular source of substitutes.
3696 * Substitute Server Authorization:: How to enable or disable substitutes.
3697 * Getting Substitutes from Other Servers:: Substitute diversity.
3698 * Substitute Authentication:: How Guix verifies substitutes.
3699 * Proxy Settings:: How to get substitutes via proxy.
3700 * Substitution Failure:: What happens when substitution fails.
3701 * On Trusting Binaries:: How can you trust that binary blob?
3704 @node Official Substitute Servers
3705 @subsection Official Substitute Servers
3708 @code{@value{SUBSTITUTE-SERVER-1}} and
3709 @code{@value{SUBSTITUTE-SERVER-2}} are both front-ends to official build
3710 farms that build packages from Guix continuously for some architectures,
3711 and make them available as substitutes. These are the default source of
3712 substitutes; which can be overridden by passing the
3713 @option{--substitute-urls} option either to @command{guix-daemon}
3714 (@pxref{daemon-substitute-urls,, @code{guix-daemon --substitute-urls}})
3715 or to client tools such as @command{guix package}
3716 (@pxref{client-substitute-urls,, client @option{--substitute-urls}
3719 Substitute URLs can be either HTTP or HTTPS.
3720 HTTPS is recommended because communications are encrypted; conversely,
3721 using HTTP makes all communications visible to an eavesdropper, who
3722 could use the information gathered to determine, for instance, whether
3723 your system has unpatched security vulnerabilities.
3725 Substitutes from the official build farms are enabled by default when
3726 using Guix System (@pxref{GNU Distribution}). However,
3727 they are disabled by default when using Guix on a foreign distribution,
3728 unless you have explicitly enabled them via one of the recommended
3729 installation steps (@pxref{Installation}). The following paragraphs
3730 describe how to enable or disable substitutes for the official build
3731 farm; the same procedure can also be used to enable substitutes for any
3732 other substitute server.
3734 @node Substitute Server Authorization
3735 @subsection Substitute Server Authorization
3738 @cindex substitutes, authorization thereof
3739 @cindex access control list (ACL), for substitutes
3740 @cindex ACL (access control list), for substitutes
3741 To allow Guix to download substitutes from @code{@value{SUBSTITUTE-SERVER-1}}, @code{@value{SUBSTITUTE-SERVER-2}} or a mirror, you
3742 must add the relevant public key to the access control list (ACL) of archive
3743 imports, using the @command{guix archive} command (@pxref{Invoking guix
3744 archive}). Doing so implies that you trust the substitute server to not
3745 be compromised and to serve genuine substitutes.
3748 If you are using Guix System, you can skip this section: Guix System
3749 authorizes substitutes from @code{@value{SUBSTITUTE-SERVER-1}} and
3750 @code{@value{SUBSTITUTE-SERVER-2}} by default.
3753 The public keys for each of the project maintained substitute servers
3754 are installed along with Guix, in @code{@var{prefix}/share/guix/}, where
3755 @var{prefix} is the installation prefix of Guix. If you installed Guix
3756 from source, make sure you checked the GPG signature of
3757 @file{guix-@value{VERSION}.tar.gz}, which contains this public key file.
3758 Then, you can run something like this:
3761 # guix archive --authorize < @var{prefix}/share/guix/@value{SUBSTITUTE-SERVER-1}.pub
3762 # guix archive --authorize < @var{prefix}/share/guix/@value{SUBSTITUTE-SERVER-2}.pub
3765 Once this is in place, the output of a command like @code{guix build}
3766 should change from something like:
3769 $ guix build emacs --dry-run
3770 The following derivations would be built:
3771 /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
3772 /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
3773 /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
3774 /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
3782 $ guix build emacs --dry-run
3783 112.3 MB would be downloaded:
3784 /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
3785 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
3786 /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
3787 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
3792 The text changed from ``The following derivations would be built'' to
3793 ``112.3 MB would be downloaded''. This indicates that substitutes from
3794 the configured substitute servers are usable and will be downloaded,
3795 when possible, for future builds.
3797 @cindex substitutes, how to disable
3798 The substitute mechanism can be disabled globally by running
3799 @code{guix-daemon} with @option{--no-substitutes} (@pxref{Invoking
3800 guix-daemon}). It can also be disabled temporarily by passing the
3801 @option{--no-substitutes} option to @command{guix package},
3802 @command{guix build}, and other command-line tools.
3804 @node Getting Substitutes from Other Servers
3805 @subsection Getting Substitutes from Other Servers
3807 @cindex substitute servers, adding more
3808 Guix can look up and fetch substitutes from several servers. This is
3809 useful when you are using packages from additional channels for which
3810 the official server does not have substitutes but another server
3811 provides them. Another situation where this is useful is when you would
3812 prefer to download from your organization's substitute server, resorting
3813 to the official server only as a fallback or dismissing it altogether.
3815 You can give Guix a list of substitute server URLs and it will check
3816 them in the specified order. You also need to explicitly authorize the
3817 public keys of substitute servers to instruct Guix to accept the
3818 substitutes they sign.
3820 On Guix System, this is achieved by modifying the configuration of the
3821 @code{guix} service. Since the @code{guix} service is part of the
3822 default lists of services, @code{%base-services} and
3823 @code{%desktop-services}, you can use @code{modify-services} to change
3824 its configuration and add the URLs and substitute keys that you want
3825 (@pxref{Service Reference, @code{modify-services}}).
3827 As an example, suppose you want to fetch substitutes from
3828 @code{guix.example.org} and to authorize the signing key of that server,
3829 in addition to the default @code{@value{SUBSTITUTE-SERVER-1}} and
3830 @code{@value{SUBSTITUTE-SERVER-2}}. The resulting operating system
3831 configuration will look something like:
3837 ;; Assume we're starting from '%desktop-services'. Replace it
3838 ;; with the list of services you're actually using.
3839 (modify-services %desktop-services
3840 (guix-service-type config =>
3844 (append (list "https://guix.example.org")
3845 %default-substitute-urls))
3847 (append (list (local-file "./key.pub"))
3848 %default-authorized-guix-keys)))))))
3851 This assumes that the file @file{key.pub} contains the signing key of
3852 @code{guix.example.org}. With this change in place in your operating
3853 system configuration file (say @file{/etc/config.scm}), you can
3854 reconfigure and restart the @code{guix-daemon} service or reboot so the
3855 changes take effect:
3858 $ sudo guix system reconfigure /etc/config.scm
3859 $ sudo herd restart guix-daemon
3862 If you're running Guix on a ``foreign distro'', you would instead take
3863 the following steps to get substitutes from additional servers:
3867 Edit the service configuration file for @code{guix-daemon}; when using
3868 systemd, this is normally
3869 @file{/etc/systemd/system/guix-daemon.service}. Add the
3870 @option{--substitute-urls} option on the @command{guix-daemon} command
3871 line and list the URLs of interest (@pxref{daemon-substitute-urls,
3872 @code{guix-daemon --substitute-urls}}):
3875 @dots{} --substitute-urls='https://guix.example.org @value{SUBSTITUTE-URLS}'
3879 Restart the daemon. For systemd, it goes like this:
3882 systemctl daemon-reload
3883 systemctl restart guix-daemon.service
3887 Authorize the key of the new server (@pxref{Invoking guix archive}):
3890 guix archive --authorize < key.pub
3893 Again this assumes @file{key.pub} contains the public key that
3894 @code{guix.example.org} uses to sign substitutes.
3897 Now you're all set! Substitutes will be preferably taken from
3898 @code{https://guix.example.org}, using
3899 @code{@value{SUBSTITUTE-SERVER-1}} then
3900 @code{@value{SUBSTITUTE-SERVER-2}} as fallback options. Of course you
3901 can list as many substitute servers as you like, with the caveat that
3902 substitute lookup can be slowed down if too many servers need to be
3905 Note that there are also situations where one may want to add the URL of
3906 a substitute server @emph{without} authorizing its key.
3907 @xref{Substitute Authentication}, to understand this fine point.
3909 @node Substitute Authentication
3910 @subsection Substitute Authentication
3912 @cindex digital signatures
3913 Guix detects and raises an error when attempting to use a substitute
3914 that has been tampered with. Likewise, it ignores substitutes that are
3915 not signed, or that are not signed by one of the keys listed in the ACL.
3917 There is one exception though: if an unauthorized server provides
3918 substitutes that are @emph{bit-for-bit identical} to those provided by
3919 an authorized server, then the unauthorized server becomes eligible for
3920 downloads. For example, assume we have chosen two substitute servers
3924 --substitute-urls="https://a.example.org https://b.example.org"
3928 @cindex reproducible builds
3929 If the ACL contains only the key for @samp{b.example.org}, and if
3930 @samp{a.example.org} happens to serve the @emph{exact same} substitutes,
3931 then Guix will download substitutes from @samp{a.example.org} because it
3932 comes first in the list and can be considered a mirror of
3933 @samp{b.example.org}. In practice, independent build machines usually
3934 produce the same binaries, thanks to bit-reproducible builds (see
3937 When using HTTPS, the server's X.509 certificate is @emph{not} validated
3938 (in other words, the server is not authenticated), contrary to what
3939 HTTPS clients such as Web browsers usually do. This is because Guix
3940 authenticates substitute information itself, as explained above, which
3941 is what we care about (whereas X.509 certificates are about
3942 authenticating bindings between domain names and public keys).
3944 @node Proxy Settings
3945 @subsection Proxy Settings
3949 Substitutes are downloaded over HTTP or HTTPS@. The @env{http_proxy} and
3950 @env{https_proxy} environment variables can be set in the environment of
3951 @command{guix-daemon} and are honored for downloads of substitutes.
3952 Note that the value of those environment variables in the environment
3953 where @command{guix build}, @command{guix package}, and other client
3954 commands are run has @emph{absolutely no effect}.
3956 @node Substitution Failure
3957 @subsection Substitution Failure
3959 Even when a substitute for a derivation is available, sometimes the
3960 substitution attempt will fail. This can happen for a variety of
3961 reasons: the substitute server might be offline, the substitute may
3962 recently have been deleted, the connection might have been interrupted,
3965 When substitutes are enabled and a substitute for a derivation is
3966 available, but the substitution attempt fails, Guix will attempt to
3967 build the derivation locally depending on whether or not
3968 @option{--fallback} was given (@pxref{fallback-option,, common build
3969 option @option{--fallback}}). Specifically, if @option{--fallback} was
3970 omitted, then no local build will be performed, and the derivation is
3971 considered to have failed. However, if @option{--fallback} was given,
3972 then Guix will attempt to build the derivation locally, and the success
3973 or failure of the derivation depends on the success or failure of the
3974 local build. Note that when substitutes are disabled or no substitute
3975 is available for the derivation in question, a local build will
3976 @emph{always} be performed, regardless of whether or not
3977 @option{--fallback} was given.
3979 To get an idea of how many substitutes are available right now, you can
3980 try running the @command{guix weather} command (@pxref{Invoking guix
3981 weather}). This command provides statistics on the substitutes provided
3984 @node On Trusting Binaries
3985 @subsection On Trusting Binaries
3987 @cindex trust, of pre-built binaries
3988 Today, each individual's control over their own computing is at the
3989 mercy of institutions, corporations, and groups with enough power and
3990 determination to subvert the computing infrastructure and exploit its
3991 weaknesses. While using substitutes can be convenient, we encourage
3992 users to also build on their own, or even run their own build farm, such
3993 that the project run substitute servers are less of an interesting
3994 target. One way to help is by publishing the software you build using
3995 @command{guix publish} so that others have one more choice of server to
3996 download substitutes from (@pxref{Invoking guix publish}).
3998 Guix has the foundations to maximize build reproducibility
3999 (@pxref{Features}). In most cases, independent builds of a given
4000 package or derivation should yield bit-identical results. Thus, through
4001 a diverse set of independent package builds, we can strengthen the
4002 integrity of our systems. The @command{guix challenge} command aims to
4003 help users assess substitute servers, and to assist developers in
4004 finding out about non-deterministic package builds (@pxref{Invoking guix
4005 challenge}). Similarly, the @option{--check} option of @command{guix
4006 build} allows users to check whether previously-installed substitutes
4007 are genuine by rebuilding them locally (@pxref{build-check,
4008 @command{guix build --check}}).
4010 In the future, we want Guix to have support to publish and retrieve
4011 binaries to/from other users, in a peer-to-peer fashion. If you would
4012 like to discuss this project, join us on @email{guix-devel@@gnu.org}.
4014 @node Packages with Multiple Outputs
4015 @section Packages with Multiple Outputs
4017 @cindex multiple-output packages
4018 @cindex package outputs
4021 Often, packages defined in Guix have a single @dfn{output}---i.e., the
4022 source package leads to exactly one directory in the store. When running
4023 @command{guix install glibc}, one installs the default output of the
4024 GNU libc package; the default output is called @code{out}, but its name
4025 can be omitted as shown in this command. In this particular case, the
4026 default output of @code{glibc} contains all the C header files, shared
4027 libraries, static libraries, Info documentation, and other supporting
4030 Sometimes it is more appropriate to separate the various types of files
4031 produced from a single source package into separate outputs. For
4032 instance, the GLib C library (used by GTK+ and related packages)
4033 installs more than 20 MiB of reference documentation as HTML pages.
4034 To save space for users who do not need it, the documentation goes to a
4035 separate output, called @code{doc}. To install the main GLib output,
4036 which contains everything but the documentation, one would run:
4042 @cindex documentation
4043 The command to install its documentation is:
4046 guix install glib:doc
4049 Some packages install programs with different ``dependency footprints''.
4050 For instance, the WordNet package installs both command-line tools and
4051 graphical user interfaces (GUIs). The former depend solely on the C
4052 library, whereas the latter depend on Tcl/Tk and the underlying X
4053 libraries. In this case, we leave the command-line tools in the default
4054 output, whereas the GUIs are in a separate output. This allows users
4055 who do not need the GUIs to save space. The @command{guix size} command
4056 can help find out about such situations (@pxref{Invoking guix size}).
4057 @command{guix graph} can also be helpful (@pxref{Invoking guix graph}).
4059 There are several such multiple-output packages in the GNU distribution.
4060 Other conventional output names include @code{lib} for libraries and
4061 possibly header files, @code{bin} for stand-alone programs, and
4062 @code{debug} for debugging information (@pxref{Installing Debugging
4063 Files}). The outputs of a packages are listed in the third column of
4064 the output of @command{guix package --list-available} (@pxref{Invoking
4068 @node Invoking guix gc
4069 @section Invoking @command{guix gc}
4071 @cindex garbage collector
4073 Packages that are installed, but not used, may be @dfn{garbage-collected}.
4074 The @command{guix gc} command allows users to explicitly run the garbage
4075 collector to reclaim space from the @file{/gnu/store} directory. It is
4076 the @emph{only} way to remove files from @file{/gnu/store}---removing
4077 files or directories manually may break it beyond repair!
4080 @cindex garbage collector roots
4081 The garbage collector has a set of known @dfn{roots}: any file under
4082 @file{/gnu/store} reachable from a root is considered @dfn{live} and
4083 cannot be deleted; any other file is considered @dfn{dead} and may be
4084 deleted. The set of garbage collector roots (``GC roots'' for short)
4085 includes default user profiles; by default, the symlinks under
4086 @file{/var/guix/gcroots} represent these GC roots. New GC roots can be
4087 added with @command{guix build --root}, for example (@pxref{Invoking
4088 guix build}). The @command{guix gc --list-roots} command lists them.
4090 Prior to running @code{guix gc --collect-garbage} to make space, it is
4091 often useful to remove old generations from user profiles; that way, old
4092 package builds referenced by those generations can be reclaimed. This
4093 is achieved by running @code{guix package --delete-generations}
4094 (@pxref{Invoking guix package}).
4096 Our recommendation is to run a garbage collection periodically, or when
4097 you are short on disk space. For instance, to guarantee that at least
4098 5@tie{}GB are available on your disk, simply run:
4104 It is perfectly safe to run as a non-interactive periodic job
4105 (@pxref{Scheduled Job Execution}, for how to set up such a job).
4106 Running @command{guix gc} with no arguments will collect as
4107 much garbage as it can, but that is often inconvenient: you may find
4108 yourself having to rebuild or re-download software that is ``dead'' from
4109 the GC viewpoint but that is necessary to build other pieces of
4110 software---e.g., the compiler tool chain.
4112 The @command{guix gc} command has three modes of operation: it can be
4113 used to garbage-collect any dead files (the default), to delete specific
4114 files (the @option{--delete} option), to print garbage-collector
4115 information, or for more advanced queries. The garbage collection
4116 options are as follows:
4119 @item --collect-garbage[=@var{min}]
4120 @itemx -C [@var{min}]
4121 Collect garbage---i.e., unreachable @file{/gnu/store} files and
4122 sub-directories. This is the default operation when no option is
4125 When @var{min} is given, stop once @var{min} bytes have been collected.
4126 @var{min} may be a number of bytes, or it may include a unit as a
4127 suffix, such as @code{MiB} for mebibytes and @code{GB} for gigabytes
4128 (@pxref{Block size, size specifications,, coreutils, GNU Coreutils}).
4130 When @var{min} is omitted, collect all the garbage.
4132 @item --free-space=@var{free}
4133 @itemx -F @var{free}
4134 Collect garbage until @var{free} space is available under
4135 @file{/gnu/store}, if possible; @var{free} denotes storage space, such
4136 as @code{500MiB}, as described above.
4138 When @var{free} or more is already available in @file{/gnu/store}, do
4139 nothing and exit immediately.
4141 @item --delete-generations[=@var{duration}]
4142 @itemx -d [@var{duration}]
4143 Before starting the garbage collection process, delete all the generations
4144 older than @var{duration}, for all the user profiles; when run as root, this
4145 applies to all the profiles @emph{of all the users}.
4147 For example, this command deletes all the generations of all your profiles
4148 that are older than 2 months (except generations that are current), and then
4149 proceeds to free space until at least 10 GiB are available:
4152 guix gc -d 2m -F 10G
4157 Attempt to delete all the store files and directories specified as
4158 arguments. This fails if some of the files are not in the store, or if
4159 they are still live.
4161 @item --list-failures
4162 List store items corresponding to cached build failures.
4164 This prints nothing unless the daemon was started with
4165 @option{--cache-failures} (@pxref{Invoking guix-daemon,
4166 @option{--cache-failures}}).
4169 List the GC roots owned by the user; when run as root, list @emph{all} the GC
4173 List store items in use by currently running processes. These store
4174 items are effectively considered GC roots: they cannot be deleted.
4176 @item --clear-failures
4177 Remove the specified store items from the failed-build cache.
4179 Again, this option only makes sense when the daemon is started with
4180 @option{--cache-failures}. Otherwise, it does nothing.
4183 Show the list of dead files and directories still present in the
4184 store---i.e., files and directories no longer reachable from any root.
4187 Show the list of live store files and directories.
4191 In addition, the references among existing store files can be queried:
4197 @cindex package dependencies
4198 List the references (respectively, the referrers) of store files given
4204 List the requisites of the store files passed as arguments. Requisites
4205 include the store files themselves, their references, and the references
4206 of these, recursively. In other words, the returned list is the
4207 @dfn{transitive closure} of the store files.
4209 @xref{Invoking guix size}, for a tool to profile the size of the closure
4210 of an element. @xref{Invoking guix graph}, for a tool to visualize
4211 the graph of references.
4215 Return the derivation(s) leading to the given store items
4216 (@pxref{Derivations}).
4218 For example, this command:
4221 guix gc --derivers $(guix package -I ^emacs$ | cut -f4)
4225 returns the @file{.drv} file(s) leading to the @code{emacs} package
4226 installed in your profile.
4228 Note that there may be zero matching @file{.drv} files, for instance
4229 because these files have been garbage-collected. There can also be more
4230 than one matching @file{.drv} due to fixed-output derivations.
4233 Lastly, the following options allow you to check the integrity of the
4234 store and to control disk usage.
4238 @item --verify[=@var{options}]
4239 @cindex integrity, of the store
4240 @cindex integrity checking
4241 Verify the integrity of the store.
4243 By default, make sure that all the store items marked as valid in the
4244 database of the daemon actually exist in @file{/gnu/store}.
4246 When provided, @var{options} must be a comma-separated list containing one
4247 or more of @code{contents} and @code{repair}.
4249 When passing @option{--verify=contents}, the daemon computes the
4250 content hash of each store item and compares it against its hash in the
4251 database. Hash mismatches are reported as data corruptions. Because it
4252 traverses @emph{all the files in the store}, this command can take a
4253 long time, especially on systems with a slow disk drive.
4255 @cindex repairing the store
4256 @cindex corruption, recovering from
4257 Using @option{--verify=repair} or @option{--verify=contents,repair}
4258 causes the daemon to try to repair corrupt store items by fetching
4259 substitutes for them (@pxref{Substitutes}). Because repairing is not
4260 atomic, and thus potentially dangerous, it is available only to the
4261 system administrator. A lightweight alternative, when you know exactly
4262 which items in the store are corrupt, is @command{guix build --repair}
4263 (@pxref{Invoking guix build}).
4266 @cindex deduplication
4267 Optimize the store by hard-linking identical files---this is
4268 @dfn{deduplication}.
4270 The daemon performs deduplication after each successful build or archive
4271 import, unless it was started with @option{--disable-deduplication}
4272 (@pxref{Invoking guix-daemon, @option{--disable-deduplication}}). Thus,
4273 this option is primarily useful when the daemon was running with
4274 @option{--disable-deduplication}.
4278 @node Invoking guix pull
4279 @section Invoking @command{guix pull}
4281 @cindex upgrading Guix
4282 @cindex updating Guix
4283 @cindex @command{guix pull}
4285 @cindex security, @command{guix pull}
4286 @cindex authenticity, of code obtained with @command{guix pull}
4287 Packages are installed or upgraded to the latest version available in
4288 the distribution currently available on your local machine. To update
4289 that distribution, along with the Guix tools, you must run @command{guix
4290 pull}: the command downloads the latest Guix source code and package
4291 descriptions, and deploys it. Source code is downloaded from a
4292 @uref{https://git-scm.com, Git} repository, by default the official
4293 GNU@tie{}Guix repository, though this can be customized. @command{guix
4294 pull} ensures that the code it downloads is @emph{authentic} by
4295 verifying that commits are signed by Guix developers.
4297 Specifically, @command{guix pull} downloads code from the @dfn{channels}
4298 (@pxref{Channels}) specified by one of the followings, in this order:
4302 the @option{--channels} option;
4304 the user's @file{~/.config/guix/channels.scm} file;
4306 the system-wide @file{/etc/guix/channels.scm} file;
4308 the built-in default channels specified in the @code{%default-channels}
4312 On completion, @command{guix package} will use packages and package
4313 versions from this just-retrieved copy of Guix. Not only that, but all
4314 the Guix commands and Scheme modules will also be taken from that latest
4315 version. New @command{guix} sub-commands added by the update also
4318 Any user can update their Guix copy using @command{guix pull}, and the
4319 effect is limited to the user who ran @command{guix pull}. For
4320 instance, when user @code{root} runs @command{guix pull}, this has no
4321 effect on the version of Guix that user @code{alice} sees, and vice
4324 The result of running @command{guix pull} is a @dfn{profile} available
4325 under @file{~/.config/guix/current} containing the latest Guix. Thus,
4326 make sure to add it to the beginning of your search path so that you use
4327 the latest version, and similarly for the Info manual
4328 (@pxref{Documentation}):
4331 export PATH="$HOME/.config/guix/current/bin:$PATH"
4332 export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"
4335 The @option{--list-generations} or @option{-l} option lists past generations
4336 produced by @command{guix pull}, along with details about their provenance:
4340 Generation 1 Jun 10 2018 00:18:18
4342 repository URL: https://git.savannah.gnu.org/git/guix.git
4343 branch: origin/master
4344 commit: 65956ad3526ba09e1f7a40722c96c6ef7c0936fe
4346 Generation 2 Jun 11 2018 11:02:49
4348 repository URL: https://git.savannah.gnu.org/git/guix.git
4349 branch: origin/master
4350 commit: e0cc7f669bec22c37481dd03a7941c7d11a64f1d
4351 2 new packages: keepalived, libnfnetlink
4352 6 packages upgraded: emacs-nix-mode@@2.0.4,
4353 guile2.0-guix@@0.14.0-12.77a1aac, guix@@0.14.0-12.77a1aac,
4354 heimdal@@7.5.0, milkytracker@@1.02.00, nix@@2.0.4
4356 Generation 3 Jun 13 2018 23:31:07 (current)
4358 repository URL: https://git.savannah.gnu.org/git/guix.git
4359 branch: origin/master
4360 commit: 844cc1c8f394f03b404c5bb3aee086922373490c
4361 28 new packages: emacs-helm-ls-git, emacs-helm-mu, @dots{}
4362 69 packages upgraded: borg@@1.1.6, cheese@@3.28.0, @dots{}
4365 @xref{Invoking guix describe, @command{guix describe}}, for other ways to
4366 describe the current status of Guix.
4368 This @code{~/.config/guix/current} profile works exactly like the profiles
4369 created by @command{guix package} (@pxref{Invoking guix package}). That
4370 is, you can list generations, roll back to the previous
4371 generation---i.e., the previous Guix---and so on:
4374 $ guix pull --roll-back
4375 switched from generation 3 to 2
4376 $ guix pull --delete-generations=1
4377 deleting /var/guix/profiles/per-user/charlie/current-guix-1-link
4380 You can also use @command{guix package} (@pxref{Invoking guix package})
4381 to manage the profile by naming it explicitly:
4383 $ guix package -p ~/.config/guix/current --roll-back
4384 switched from generation 3 to 2
4385 $ guix package -p ~/.config/guix/current --delete-generations=1
4386 deleting /var/guix/profiles/per-user/charlie/current-guix-1-link
4389 The @command{guix pull} command is usually invoked with no arguments,
4390 but it supports the following options:
4393 @item --url=@var{url}
4394 @itemx --commit=@var{commit}
4395 @itemx --branch=@var{branch}
4396 Download code for the @code{guix} channel from the specified @var{url}, at the
4397 given @var{commit} (a valid Git commit ID represented as a hexadecimal
4398 string), or @var{branch}.
4400 @cindex @file{channels.scm}, configuration file
4401 @cindex configuration file for channels
4402 These options are provided for convenience, but you can also specify your
4403 configuration in the @file{~/.config/guix/channels.scm} file or using the
4404 @option{--channels} option (see below).
4406 @item --channels=@var{file}
4407 @itemx -C @var{file}
4408 Read the list of channels from @var{file} instead of
4409 @file{~/.config/guix/channels.scm} or @file{/etc/guix/channels.scm}.
4410 @var{file} must contain Scheme code that
4411 evaluates to a list of channel objects. @xref{Channels}, for more
4414 @cindex channel news
4417 Display the list of packages added or upgraded since the previous
4418 generation, as well as, occasionally, news written by channel authors
4419 for their users (@pxref{Channels, Writing Channel News}).
4421 The package information is the same as displayed upon @command{guix
4422 pull} completion, but without ellipses; it is also similar to the output
4423 of @command{guix pull -l} for the last generation (see below).
4425 @item --list-generations[=@var{pattern}]
4426 @itemx -l [@var{pattern}]
4427 List all the generations of @file{~/.config/guix/current} or, if @var{pattern}
4428 is provided, the subset of generations that match @var{pattern}.
4429 The syntax of @var{pattern} is the same as with @code{guix package
4430 --list-generations} (@pxref{Invoking guix package}).
4433 @cindex rolling back
4434 @cindex undoing transactions
4435 @cindex transactions, undoing
4436 Roll back to the previous @dfn{generation} of @file{~/.config/guix/current}---i.e.,
4437 undo the last transaction.
4439 @item --switch-generation=@var{pattern}
4440 @itemx -S @var{pattern}
4442 Switch to a particular generation defined by @var{pattern}.
4444 @var{pattern} may be either a generation number or a number prefixed
4445 with ``+'' or ``-''. The latter means: move forward/backward by a
4446 specified number of generations. For example, if you want to return to
4447 the latest generation after @option{--roll-back}, use
4448 @option{--switch-generation=+1}.
4450 @item --delete-generations[=@var{pattern}]
4451 @itemx -d [@var{pattern}]
4452 When @var{pattern} is omitted, delete all generations except the current
4455 This command accepts the same patterns as @option{--list-generations}.
4456 When @var{pattern} is specified, delete the matching generations. When
4457 @var{pattern} specifies a duration, generations @emph{older} than the
4458 specified duration match. For instance, @option{--delete-generations=1m}
4459 deletes generations that are more than one month old.
4461 If the current generation matches, it is @emph{not} deleted.
4463 Note that deleting generations prevents rolling back to them.
4464 Consequently, this command must be used with care.
4466 @xref{Invoking guix describe}, for a way to display information about the
4467 current generation only.
4469 @item --profile=@var{profile}
4470 @itemx -p @var{profile}
4471 Use @var{profile} instead of @file{~/.config/guix/current}.
4475 Show which channel commit(s) would be used and what would be built or
4476 substituted but do not actually do it.
4478 @item --allow-downgrades
4479 Allow pulling older or unrelated revisions of channels than those
4482 @cindex downgrade attacks, protection against
4483 By default, @command{guix pull} protects against so-called ``downgrade
4484 attacks'' whereby the Git repository of a channel would be reset to an
4485 earlier or unrelated revision of itself, potentially leading you to
4486 install older, known-vulnerable versions of software packages.
4489 Make sure you understand its security implications before using
4490 @option{--allow-downgrades}.
4493 @item --disable-authentication
4494 Allow pulling channel code without authenticating it.
4496 @cindex authentication, of channel code
4497 By default, @command{guix pull} authenticates code downloaded from
4498 channels by verifying that its commits are signed by authorized
4499 developers, and raises an error if this is not the case. This option
4500 instructs it to not perform any such verification.
4503 Make sure you understand its security implications before using
4504 @option{--disable-authentication}.
4507 @item --system=@var{system}
4508 @itemx -s @var{system}
4509 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
4510 the system type of the build host.
4513 Use the bootstrap Guile to build the latest Guix. This option is only
4514 useful to Guix developers.
4517 The @dfn{channel} mechanism allows you to instruct @command{guix pull} which
4518 repository and branch to pull from, as well as @emph{additional} repositories
4519 containing package modules that should be deployed. @xref{Channels}, for more
4522 In addition, @command{guix pull} supports all the common build options
4523 (@pxref{Common Build Options}).
4525 @node Invoking guix time-machine
4526 @section Invoking @command{guix time-machine}
4528 @cindex @command{guix time-machine}
4529 @cindex pinning, channels
4530 @cindex replicating Guix
4531 @cindex reproducibility, of Guix
4533 The @command{guix time-machine} command provides access to other
4534 revisions of Guix, for example to install older versions of packages,
4535 or to reproduce a computation in an identical environment. The revision
4536 of Guix to be used is defined by a commit or by a channel
4537 description file created by @command{guix describe}
4538 (@pxref{Invoking guix describe}).
4540 The general syntax is:
4543 guix time-machine @var{options}@dots{} -- @var{command} @var {arg}@dots{}
4546 where @var{command} and @var{arg}@dots{} are passed unmodified to the
4547 @command{guix} command of the specified revision. The @var{options} that define
4548 this revision are the same as for @command{guix pull} (@pxref{Invoking guix pull}):
4551 @item --url=@var{url}
4552 @itemx --commit=@var{commit}
4553 @itemx --branch=@var{branch}
4554 Use the @code{guix} channel from the specified @var{url}, at the
4555 given @var{commit} (a valid Git commit ID represented as a hexadecimal
4556 string), or @var{branch}.
4558 @item --channels=@var{file}
4559 @itemx -C @var{file}
4560 Read the list of channels from @var{file}. @var{file} must contain
4561 Scheme code that evaluates to a list of channel objects.
4562 @xref{Channels} for more information.
4565 As for @command{guix pull}, the absence of any options means that the
4566 latest commit on the master branch will be used. The command
4569 guix time-machine -- build hello
4572 will thus build the package @code{hello} as defined in the master branch,
4573 which is in general a newer revision of Guix than you have installed.
4574 Time travel works in both directions!
4576 Note that @command{guix time-machine} can trigger builds of channels and
4577 their dependencies, and these are controlled by the standard build
4578 options (@pxref{Common Build Options}).
4583 @c TODO: Remove this once we're more confident about API stability.
4585 The functionality described here is a ``technology preview'' as of version
4586 @value{VERSION}. As such, the interface is subject to change.
4590 @cindex composition of Guix revisions
4591 Sometimes you might need to mix packages from the revision of Guix you're
4592 currently running with packages available in a different revision of Guix.
4593 Guix @dfn{inferiors} allow you to achieve that by composing different Guix
4594 revisions in arbitrary ways.
4596 @cindex inferior packages
4597 Technically, an ``inferior'' is essentially a separate Guix process connected
4598 to your main Guix process through a REPL (@pxref{Invoking guix repl}). The
4599 @code{(guix inferior)} module allows you to create inferiors and to
4600 communicate with them. It also provides a high-level interface to browse and
4601 manipulate the packages that an inferior provides---@dfn{inferior packages}.
4603 When combined with channels (@pxref{Channels}), inferiors provide a simple way
4604 to interact with a separate revision of Guix. For example, let's assume you
4605 want to install in your profile the current @code{guile} package, along with
4606 the @code{guile-json} as it existed in an older revision of Guix---perhaps
4607 because the newer @code{guile-json} has an incompatible API and you want to
4608 run your code against the old API@. To do that, you could write a manifest for
4609 use by @code{guix package --manifest} (@pxref{Invoking guix package}); in that
4610 manifest, you would create an inferior for that old Guix revision you care
4611 about, and you would look up the @code{guile-json} package in the inferior:
4614 (use-modules (guix inferior) (guix channels)
4615 (srfi srfi-1)) ;for 'first'
4618 ;; This is the old revision from which we want to
4619 ;; extract guile-json.
4622 (url "https://git.savannah.gnu.org/git/guix.git")
4624 "65956ad3526ba09e1f7a40722c96c6ef7c0936fe"))))
4627 ;; An inferior representing the above revision.
4628 (inferior-for-channels channels))
4630 ;; Now create a manifest with the current "guile" package
4631 ;; and the old "guile-json" package.
4633 (list (first (lookup-inferior-packages inferior "guile-json"))
4634 (specification->package "guile")))
4637 On its first run, @command{guix package --manifest} might have to build the
4638 channel you specified before it can create the inferior; subsequent runs will
4639 be much faster because the Guix revision will be cached.
4641 The @code{(guix inferior)} module provides the following procedures to open an
4644 @deffn {Scheme Procedure} inferior-for-channels @var{channels} @
4645 [#:cache-directory] [#:ttl]
4646 Return an inferior for @var{channels}, a list of channels. Use the cache at
4647 @var{cache-directory}, where entries can be reclaimed after @var{ttl} seconds.
4648 This procedure opens a new connection to the build daemon.
4650 As a side effect, this procedure may build or substitute binaries for
4651 @var{channels}, which can take time.
4654 @deffn {Scheme Procedure} open-inferior @var{directory} @
4655 [#:command "bin/guix"]
4656 Open the inferior Guix in @var{directory}, running
4657 @code{@var{directory}/@var{command} repl} or equivalent. Return @code{#f} if
4658 the inferior could not be launched.
4661 @cindex inferior packages
4662 The procedures listed below allow you to obtain and manipulate inferior
4665 @deffn {Scheme Procedure} inferior-packages @var{inferior}
4666 Return the list of packages known to @var{inferior}.
4669 @deffn {Scheme Procedure} lookup-inferior-packages @var{inferior} @var{name} @
4671 Return the sorted list of inferior packages matching @var{name} in
4672 @var{inferior}, with highest version numbers first. If @var{version} is true,
4673 return only packages with a version number prefixed by @var{version}.
4676 @deffn {Scheme Procedure} inferior-package? @var{obj}
4677 Return true if @var{obj} is an inferior package.
4680 @deffn {Scheme Procedure} inferior-package-name @var{package}
4681 @deffnx {Scheme Procedure} inferior-package-version @var{package}
4682 @deffnx {Scheme Procedure} inferior-package-synopsis @var{package}
4683 @deffnx {Scheme Procedure} inferior-package-description @var{package}
4684 @deffnx {Scheme Procedure} inferior-package-home-page @var{package}
4685 @deffnx {Scheme Procedure} inferior-package-location @var{package}
4686 @deffnx {Scheme Procedure} inferior-package-inputs @var{package}
4687 @deffnx {Scheme Procedure} inferior-package-native-inputs @var{package}
4688 @deffnx {Scheme Procedure} inferior-package-propagated-inputs @var{package}
4689 @deffnx {Scheme Procedure} inferior-package-transitive-propagated-inputs @var{package}
4690 @deffnx {Scheme Procedure} inferior-package-native-search-paths @var{package}
4691 @deffnx {Scheme Procedure} inferior-package-transitive-native-search-paths @var{package}
4692 @deffnx {Scheme Procedure} inferior-package-search-paths @var{package}
4693 These procedures are the counterpart of package record accessors
4694 (@pxref{package Reference}). Most of them work by querying the inferior
4695 @var{package} comes from, so the inferior must still be live when you call
4699 Inferior packages can be used transparently like any other package or
4700 file-like object in G-expressions (@pxref{G-Expressions}). They are also
4701 transparently handled by the @code{packages->manifest} procedure, which is
4702 commonly used in manifests (@pxref{Invoking guix package, the
4703 @option{--manifest} option of @command{guix package}}). Thus you can insert
4704 an inferior package pretty much anywhere you would insert a regular package:
4705 in manifests, in the @code{packages} field of your @code{operating-system}
4706 declaration, and so on.
4708 @node Invoking guix describe
4709 @section Invoking @command{guix describe}
4711 @cindex reproducibility
4712 @cindex replicating Guix
4713 Often you may want to answer questions like: ``Which revision of Guix am I
4714 using?'' or ``Which channels am I using?'' This is useful information in many
4715 situations: if you want to @emph{replicate} an environment on a different
4716 machine or user account, if you want to report a bug or to determine what
4717 change in the channels you are using caused it, or if you want to record your
4718 system state for reproducibility purposes. The @command{guix describe}
4719 command answers these questions.
4721 When run from a @command{guix pull}ed @command{guix}, @command{guix describe}
4722 displays the channel(s) that it was built from, including their repository URL
4723 and commit IDs (@pxref{Channels}):
4727 Generation 10 Sep 03 2018 17:32:44 (current)
4729 repository URL: https://git.savannah.gnu.org/git/guix.git
4731 commit: e0fa68c7718fffd33d81af415279d6ddb518f727
4734 If you're familiar with the Git version control system, this is similar in
4735 spirit to @command{git describe}; the output is also similar to that of
4736 @command{guix pull --list-generations}, but limited to the current generation
4737 (@pxref{Invoking guix pull, the @option{--list-generations} option}). Because
4738 the Git commit ID shown above unambiguously refers to a snapshot of Guix, this
4739 information is all it takes to describe the revision of Guix you're using, and
4740 also to replicate it.
4742 To make it easier to replicate Guix, @command{guix describe} can also be asked
4743 to return a list of channels instead of the human-readable description above:
4746 $ guix describe -f channels
4749 (url "https://git.savannah.gnu.org/git/guix.git")
4751 "e0fa68c7718fffd33d81af415279d6ddb518f727")
4753 (make-channel-introduction
4754 "9edb3f66fd807b096b48283debdcddccfea34bad"
4755 (openpgp-fingerprint
4756 "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))))
4760 You can save this to a file and feed it to @command{guix pull -C} on some
4761 other machine or at a later point in time, which will instantiate @emph{this
4762 exact Guix revision} (@pxref{Invoking guix pull, the @option{-C} option}).
4763 From there on, since you're able to deploy the same revision of Guix, you can
4764 just as well @emph{replicate a complete software environment}. We humbly
4765 think that this is @emph{awesome}, and we hope you'll like it too!
4767 The details of the options supported by @command{guix describe} are as
4771 @item --format=@var{format}
4772 @itemx -f @var{format}
4773 Produce output in the specified @var{format}, one of:
4777 produce human-readable output;
4779 produce a list of channel specifications that can be passed to @command{guix
4780 pull -C} or installed as @file{~/.config/guix/channels.scm} (@pxref{Invoking
4782 @item channels-sans-intro
4783 like @code{channels}, but omit the @code{introduction} field; use it to
4784 produce a channel specification suitable for Guix version 1.1.0 or
4785 earlier---the @code{introduction} field has to do with channel
4786 authentication (@pxref{Channels, Channel Authentication}) and is not
4787 supported by these older versions;
4790 produce a list of channel specifications in JSON format;
4792 produce a list of channel specifications in Recutils format.
4795 @item --list-formats
4796 Display available formats for @option{--format} option.
4798 @item --profile=@var{profile}
4799 @itemx -p @var{profile}
4800 Display information about @var{profile}.
4803 @node Invoking guix archive
4804 @section Invoking @command{guix archive}
4806 @cindex @command{guix archive}
4808 The @command{guix archive} command allows users to @dfn{export} files
4809 from the store into a single archive, and to later @dfn{import} them on
4810 a machine that runs Guix.
4811 In particular, it allows store files to be transferred from one machine
4812 to the store on another machine.
4815 If you're looking for a way to produce archives in a format suitable for
4816 tools other than Guix, @pxref{Invoking guix pack}.
4819 @cindex exporting store items
4820 To export store files as an archive to standard output, run:
4823 guix archive --export @var{options} @var{specifications}...
4826 @var{specifications} may be either store file names or package
4827 specifications, as for @command{guix package} (@pxref{Invoking guix
4828 package}). For instance, the following command creates an archive
4829 containing the @code{gui} output of the @code{git} package and the main
4830 output of @code{emacs}:
4833 guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar
4836 If the specified packages are not built yet, @command{guix archive}
4837 automatically builds them. The build process may be controlled with the
4838 common build options (@pxref{Common Build Options}).
4840 To transfer the @code{emacs} package to a machine connected over SSH,
4844 guix archive --export -r emacs | ssh the-machine guix archive --import
4848 Similarly, a complete user profile may be transferred from one machine
4849 to another like this:
4852 guix archive --export -r $(readlink -f ~/.guix-profile) | \
4853 ssh the-machine guix archive --import
4857 However, note that, in both examples, all of @code{emacs} and the
4858 profile as well as all of their dependencies are transferred (due to
4859 @option{-r}), regardless of what is already available in the store on
4860 the target machine. The @option{--missing} option can help figure out
4861 which items are missing from the target store. The @command{guix copy}
4862 command simplifies and optimizes this whole process, so this is probably
4863 what you should use in this case (@pxref{Invoking guix copy}).
4865 @cindex nar, archive format
4866 @cindex normalized archive (nar)
4867 @cindex nar bundle, archive format
4868 Each store item is written in the @dfn{normalized archive} or @dfn{nar}
4869 format (described below), and the output of @command{guix archive
4870 --export} (and input of @command{guix archive --import}) is a @dfn{nar
4874 comparable in spirit to `tar', but with differences
4875 that make it more appropriate for our purposes. First, rather than
4876 recording all Unix metadata for each file, the nar format only mentions
4877 the file type (regular, directory, or symbolic link); Unix permissions
4878 and owner/group are dismissed. Second, the order in which directory
4879 entries are stored always follows the order of file names according to
4880 the C locale collation order. This makes archive production fully
4883 That nar bundle format is essentially the concatenation of zero or more
4884 nars along with metadata for each store item it contains: its file name,
4885 references, corresponding derivation, and a digital signature.
4887 When exporting, the daemon digitally signs the contents of the archive,
4888 and that digital signature is appended. When importing, the daemon
4889 verifies the signature and rejects the import in case of an invalid
4890 signature or if the signing key is not authorized.
4891 @c FIXME: Add xref to daemon doc about signatures.
4893 The main options are:
4897 Export the specified store files or packages (see below). Write the
4898 resulting archive to the standard output.
4900 Dependencies are @emph{not} included in the output, unless
4901 @option{--recursive} is passed.
4905 When combined with @option{--export}, this instructs @command{guix archive}
4906 to include dependencies of the given items in the archive. Thus, the
4907 resulting archive is self-contained: it contains the closure of the
4908 exported store items.
4911 Read an archive from the standard input, and import the files listed
4912 therein into the store. Abort if the archive has an invalid digital
4913 signature, or if it is signed by a public key not among the authorized
4914 keys (see @option{--authorize} below).
4917 Read a list of store file names from the standard input, one per line,
4918 and write on the standard output the subset of these files missing from
4921 @item --generate-key[=@var{parameters}]
4922 @cindex signing, archives
4923 Generate a new key pair for the daemon. This is a prerequisite before
4924 archives can be exported with @option{--export}. This
4925 operation is usually instantaneous but it can take time if the system's
4926 entropy pool needs to be refilled. On Guix System,
4927 @code{guix-service-type} takes care of generating this key pair the
4930 The generated key pair is typically stored under @file{/etc/guix}, in
4931 @file{signing-key.pub} (public key) and @file{signing-key.sec} (private
4932 key, which must be kept secret). When @var{parameters} is omitted,
4933 an ECDSA key using the Ed25519 curve is generated, or, for Libgcrypt
4934 versions before 1.6.0, it is a 4096-bit RSA key.
4935 Alternatively, @var{parameters} can specify
4936 @code{genkey} parameters suitable for Libgcrypt (@pxref{General
4937 public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The
4938 Libgcrypt Reference Manual}).
4941 @cindex authorizing, archives
4942 Authorize imports signed by the public key passed on standard input.
4943 The public key must be in ``s-expression advanced format''---i.e., the
4944 same format as the @file{signing-key.pub} file.
4946 The list of authorized keys is kept in the human-editable file
4947 @file{/etc/guix/acl}. The file contains
4948 @url{https://people.csail.mit.edu/rivest/Sexp.txt, ``advanced-format
4949 s-expressions''} and is structured as an access-control list in the
4950 @url{https://theworld.com/~cme/spki.txt, Simple Public-Key Infrastructure
4953 @item --extract=@var{directory}
4954 @itemx -x @var{directory}
4955 Read a single-item archive as served by substitute servers
4956 (@pxref{Substitutes}) and extract it to @var{directory}. This is a
4957 low-level operation needed in only very narrow use cases; see below.
4959 For example, the following command extracts the substitute for Emacs
4960 served by @code{@value{SUBSTITUTE-SERVER-1}} to @file{/tmp/emacs}:
4964 https://@value{SUBSTITUTE-SERVER-1}/nar/gzip/@dots{}-emacs-24.5 \
4965 | gunzip | guix archive -x /tmp/emacs
4968 Single-item archives are different from multiple-item archives produced
4969 by @command{guix archive --export}; they contain a single store item,
4970 and they do @emph{not} embed a signature. Thus this operation does
4971 @emph{no} signature verification and its output should be considered
4974 The primary purpose of this operation is to facilitate inspection of
4975 archive contents coming from possibly untrusted substitute servers
4976 (@pxref{Invoking guix challenge}).
4980 Read a single-item archive as served by substitute servers
4981 (@pxref{Substitutes}) and print the list of files it contains, as in
4986 https://@value{SUBSTITUTE-SERVER-1}/nar/lzip/@dots{}-emacs-26.3 \
4987 | lzip -d | guix archive -t
4992 @c *********************************************************************
4997 @cindex @file{channels.scm}, configuration file
4998 @cindex configuration file for channels
4999 @cindex @command{guix pull}, configuration file
5000 @cindex configuration of @command{guix pull}
5001 Guix and its package collection are updated by running @command{guix pull}
5002 (@pxref{Invoking guix pull}). By default @command{guix pull} downloads and
5003 deploys Guix itself from the official GNU@tie{}Guix repository. This can be
5004 customized by defining @dfn{channels} in the
5005 @file{~/.config/guix/channels.scm} file. A channel specifies a URL and branch
5006 of a Git repository to be deployed, and @command{guix pull} can be instructed
5007 to pull from one or more channels. In other words, channels can be used
5008 to @emph{customize} and to @emph{extend} Guix, as we will see below.
5009 Guix is able to take into account security concerns and deal with authenticated
5013 * Specifying Additional Channels:: Extending the package collection.
5014 * Using a Custom Guix Channel:: Using a customized Guix.
5015 * Replicating Guix:: Running the @emph{exact same} Guix.
5016 * Channel Authentication:: How Guix verifies what it fetches.
5017 * Channels with Substitutes:: Using channels with available substitutes.
5018 * Creating a Channel:: How to write your custom channel.
5019 * Package Modules in a Sub-directory:: Specifying the channel's package modules location.
5020 * Declaring Channel Dependencies:: How to depend on other channels.
5021 * Specifying Channel Authorizations:: Defining channel authors authorizations.
5022 * Primary URL:: Distinguishing mirror to original.
5023 * Writing Channel News:: Communicating information to channel's users.
5026 @node Specifying Additional Channels
5027 @section Specifying Additional Channels
5029 @cindex extending the package collection (channels)
5030 @cindex variant packages (channels)
5031 You can specify @emph{additional channels} to pull from. To use a channel, write
5032 @code{~/.config/guix/channels.scm} to instruct @command{guix pull} to pull from it
5033 @emph{in addition} to the default Guix channel(s):
5035 @vindex %default-channels
5037 ;; Add variant packages to those Guix provides.
5039 (name 'variant-packages)
5040 (url "https://example.org/variant-packages.git"))
5045 Note that the snippet above is (as always!)@: Scheme code; we use @code{cons} to
5046 add a channel the list of channels that the variable @code{%default-channels}
5047 is bound to (@pxref{Pairs, @code{cons} and lists,, guile, GNU Guile Reference
5048 Manual}). With this file in place, @command{guix pull} builds not only Guix
5049 but also the package modules from your own repository. The result in
5050 @file{~/.config/guix/current} is the union of Guix with your own package
5054 $ guix pull --list-generations
5056 Generation 19 Aug 27 2018 16:20:48
5058 repository URL: https://git.savannah.gnu.org/git/guix.git
5060 commit: d894ab8e9bfabcefa6c49d9ba2e834dd5a73a300
5061 variant-packages dd3df5e
5062 repository URL: https://example.org/variant-packages.git
5064 commit: dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb
5065 11 new packages: variant-gimp, variant-emacs-with-cool-features, @dots{}
5066 4 packages upgraded: emacs-racket-mode@@0.0.2-2.1b78827, @dots{}
5070 The output of @command{guix pull} above shows that Generation@tie{}19 includes
5071 both Guix and packages from the @code{variant-personal-packages} channel. Among
5072 the new and upgraded packages that are listed, some like @code{variant-gimp} and
5073 @code{variant-emacs-with-cool-features} might come from
5074 @code{variant-packages}, while others come from the Guix default channel.
5076 @node Using a Custom Guix Channel
5077 @section Using a Custom Guix Channel
5079 The channel called @code{guix} specifies where Guix itself---its command-line
5080 tools as well as its package collection---should be downloaded. For instance,
5081 suppose you want to update from another copy of the Guix repository at
5082 @code{example.org}, and specifically the @code{super-hacks} branch, you can
5083 write in @code{~/.config/guix/channels.scm} this specification:
5086 ;; Tell 'guix pull' to use another repo.
5089 (url "https://example.org/another-guix.git")
5090 (branch "super-hacks")))
5094 From there on, @command{guix pull} will fetch code from the @code{super-hacks}
5095 branch of the repository at @code{example.org}. The authentication concern is
5096 addressed below ((@pxref{Channel Authentication}).
5098 @node Replicating Guix
5099 @section Replicating Guix
5101 @cindex pinning, channels
5102 @cindex replicating Guix
5103 @cindex reproducibility, of Guix
5104 The @command{guix pull --list-generations} output above shows precisely which
5105 commits were used to build this instance of Guix. We can thus replicate it,
5106 say, on another machine, by providing a channel specification in
5107 @file{~/.config/guix/channels.scm} that is ``pinned'' to these commits:
5110 ;; Deploy specific commits of my channels of interest.
5113 (url "https://git.savannah.gnu.org/git/guix.git")
5114 (commit "6298c3ffd9654d3231a6f25390b056483e8f407c"))
5116 (name 'variant-packages)
5117 (url "https://example.org/variant-packages.git")
5118 (commit "dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb")))
5121 The @command{guix describe --format=channels} command can even generate this
5122 list of channels directly (@pxref{Invoking guix describe}). The resulting
5123 file can be used with the -C options of @command{guix pull}
5124 (@pxref{Invoking guix pull}) or @command{guix time-machine}
5125 (@pxref{Invoking guix time-machine}).
5127 At this point the two machines run the @emph{exact same Guix}, with access to
5128 the @emph{exact same packages}. The output of @command{guix build gimp} on
5129 one machine will be exactly the same, bit for bit, as the output of the same
5130 command on the other machine. It also means both machines have access to all
5131 the source code of Guix and, transitively, to all the source code of every
5134 This gives you super powers, allowing you to track the provenance of binary
5135 artifacts with very fine grain, and to reproduce software environments at
5136 will---some sort of ``meta reproducibility'' capabilities, if you will.
5137 @xref{Inferiors}, for another way to take advantage of these super powers.
5139 @node Channel Authentication
5140 @section Channel Authentication
5142 @anchor{channel-authentication}
5143 @cindex authentication, of channel code
5144 The @command{guix pull} and @command{guix time-machine} commands
5145 @dfn{authenticate} the code retrieved from channels: they make sure each
5146 commit that is fetched is signed by an authorized developer. The goal
5147 is to protect from unauthorized modifications to the channel that would
5148 lead users to run malicious code.
5150 As a user, you must provide a @dfn{channel introduction} in your
5151 channels file so that Guix knows how to authenticate its first commit.
5152 A channel specification, including its introduction, looks something
5157 (name 'some-channel)
5158 (url "https://example.org/some-channel.git")
5160 (make-channel-introduction
5161 "6f0d8cc0d88abb59c324b2990bfee2876016bb86"
5162 (openpgp-fingerprint
5163 "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
5166 The specification above shows the name and URL of the channel. The call
5167 to @code{make-channel-introduction} above specifies that authentication
5168 of this channel starts at commit @code{6f0d8cc@dots{}}, which is signed
5169 by the OpenPGP key with fingerprint @code{CABB A931@dots{}}.
5171 For the main channel, called @code{guix}, you automatically get that
5172 information from your Guix installation. For other channels, include
5173 the channel introduction provided by the channel authors in your
5174 @file{channels.scm} file. Make sure you retrieve the channel
5175 introduction from a trusted source since that is the root of your trust.
5177 If you're curious about the authentication mechanics, read on!
5179 @node Channels with Substitutes
5180 @section Channels with Substitutes
5182 When running @command{guix pull}, Guix will first compile the
5183 definitions of every available package. This is an expensive operation
5184 for which substitutes (@pxref{Substitutes}) may be available. The
5185 following snippet in @file{channels.scm} will ensure that @command{guix
5186 pull} uses the latest commit with available substitutes for the package
5187 definitions: this is done by querying the continuous integration
5188 server at @url{https://ci.guix.gnu.org}.
5191 (use-modules (guix ci))
5193 (list (channel-with-substitutes-available
5194 %default-guix-channel
5195 "https://ci.guix.gnu.org"))
5198 Note that this does not mean that all the packages that you will
5199 install after running @command{guix pull} will have available
5200 substitutes. It only ensures that @command{guix pull} will not try to
5201 compile package definitions. This is particularly useful when using
5202 machines with limited resources.
5204 @node Creating a Channel
5205 @section Creating a Channel
5207 @cindex personal packages (channels)
5208 @cindex channels, for personal packages
5209 Let's say you have a bunch of custom package variants or personal packages
5210 that you think would make little sense to contribute to the Guix project, but
5211 would like to have these packages transparently available to you at the
5212 command line. You would first write modules containing those package
5213 definitions (@pxref{Package Modules}), maintain them in a Git repository, and
5214 then you and anyone else can use it as an additional channel to get packages
5217 @c What follows stems from discussions at
5218 @c <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22629#134> as well as
5219 @c earlier discussions on guix-devel@gnu.org.
5221 Before you, dear user, shout---``woow this is @emph{soooo coool}!''---and
5222 publish your personal channel to the world, we would like to share a few words
5227 Before publishing a channel, please consider contributing your package
5228 definitions to Guix proper (@pxref{Contributing}). Guix as a project is open
5229 to free software of all sorts, and packages in Guix proper are readily
5230 available to all Guix users and benefit from the project's quality assurance
5234 When you maintain package definitions outside Guix, we, Guix developers,
5235 consider that @emph{the compatibility burden is on you}. Remember that
5236 package modules and package definitions are just Scheme code that uses various
5237 programming interfaces (APIs). We want to remain free to change these APIs to
5238 keep improving Guix, possibly in ways that break your channel. We never
5239 change APIs gratuitously, but we will @emph{not} commit to freezing APIs
5243 Corollary: if you're using an external channel and that channel breaks, please
5244 @emph{report the issue to the channel authors}, not to the Guix project.
5247 You've been warned! Having said this, we believe external channels are a
5248 practical way to exert your freedom to augment Guix' package collection and to
5249 share your improvements, which are basic tenets of
5250 @uref{https://www.gnu.org/philosophy/free-sw.html, free software}. Please
5251 email us at @email{guix-devel@@gnu.org} if you'd like to discuss this.
5254 To create a channel, create a Git repository containing your own package
5255 modules and make it available. The repository can contain anything, but a
5256 useful channel will contain Guile modules that export packages. Once you
5257 start using a channel, Guix will behave as if the root directory of that
5258 channel's Git repository has been added to the Guile load path (@pxref{Load
5259 Paths,,, guile, GNU Guile Reference Manual}). For example, if your channel
5260 contains a file at @file{my-packages/my-tools.scm} that defines a Guile
5261 module, then the module will be available under the name @code{(my-packages
5262 my-tools)}, and you will be able to use it like any other module
5263 (@pxref{Modules,,, guile, GNU Guile Reference Manual}).
5265 As a channel author, consider bundling authentication material with your
5266 channel so that users can authenticate it. @xref{Channel
5267 Authentication}, and @ref{Specifying Channel Authorizations}, for info
5271 @node Package Modules in a Sub-directory
5272 @section Package Modules in a Sub-directory
5274 @cindex subdirectory, channels
5275 As a channel author, you may want to keep your channel modules in a
5276 sub-directory. If your modules are in the sub-directory @file{guix}, you must
5277 add a meta-data file @file{.guix-channel} that contains:
5285 @node Declaring Channel Dependencies
5286 @section Declaring Channel Dependencies
5288 @cindex dependencies, channels
5289 @cindex meta-data, channels
5290 Channel authors may decide to augment a package collection provided by other
5291 channels. They can declare their channel to be dependent on other channels in
5292 a meta-data file @file{.guix-channel}, which is to be placed in the root of
5293 the channel repository.
5295 The meta-data file should contain a simple S-expression like this:
5302 (name some-collection)
5303 (url "https://example.org/first-collection.git")
5305 ;; The 'introduction' bit below is optional: you would
5306 ;; provide it for dependencies that can be authenticated.
5308 (channel-introduction
5310 (commit "a8883b58dc82e167c96506cf05095f37c2c2c6cd")
5311 (signer "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
5313 (name some-other-collection)
5314 (url "https://example.org/second-collection.git")
5315 (branch "testing"))))
5318 In the above example this channel is declared to depend on two other channels,
5319 which will both be fetched automatically. The modules provided by the channel
5320 will be compiled in an environment where the modules of all these declared
5321 channels are available.
5323 For the sake of reliability and maintainability, you should avoid dependencies
5324 on channels that you don't control, and you should aim to keep the number of
5325 dependencies to a minimum.
5327 @node Specifying Channel Authorizations
5328 @section Specifying Channel Authorizations
5330 @cindex channel authorizations
5331 @anchor{channel-authorizations}
5332 As we saw above, Guix ensures the source code it pulls from channels
5333 comes from authorized developers. As a channel author, you need to
5334 specify the list of authorized developers in the
5335 @file{.guix-authorizations} file in the channel's Git repository. The
5336 authentication rule is simple: each commit must be signed by a key
5337 listed in the @file{.guix-authorizations} file of its parent
5338 commit(s)@footnote{Git commits form a @dfn{directed acyclic graph}
5339 (DAG). Each commit can have zero or more parents; ``regular'' commits
5340 have one parent and merge commits have two parent commits. Read
5341 @uref{https://eagain.net/articles/git-for-computer-scientists/, @i{Git
5342 for Computer Scientists}} for a great overview.} The
5343 @file{.guix-authorizations} file looks like this:
5346 ;; Example '.guix-authorizations' file.
5349 (version 0) ;current file format version
5351 (("AD17 A21E F8AE D8F1 CC02 DBD9 F8AE D8F1 765C 61E3"
5353 ("2A39 3FFF 68F4 EF7A 3D29 12AF 68F4 EF7A 22FB B2D5"
5355 ("CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"
5359 Each fingerprint is followed by optional key/value pairs, as in the
5360 example above. Currently these key/value pairs are ignored.
5362 This authentication rule creates a chicken-and-egg issue: how do we
5363 authenticate the first commit? Related to that: how do we deal with
5364 channels whose repository history contains unsigned commits and lack
5365 @file{.guix-authorizations}? And how do we fork existing channels?
5367 @cindex channel introduction
5368 Channel introductions answer these questions by describing the first
5369 commit of a channel that should be authenticated. The first time a
5370 channel is fetched with @command{guix pull} or @command{guix
5371 time-machine}, the command looks up the introductory commit and verifies
5372 that it is signed by the specified OpenPGP key. From then on, it
5373 authenticates commits according to the rule above.
5375 Additionally, your channel must provide all the OpenPGP keys that were
5376 ever mentioned in @file{.guix-authorizations}, stored as @file{.key}
5377 files, which can be either binary or ``ASCII-armored''. By default,
5378 those @file{.key} files are searched for in the branch named
5379 @code{keyring} but you can specify a different branch name in
5380 @code{.guix-channel} like so:
5385 (keyring-reference "my-keyring-branch"))
5388 To summarize, as the author of a channel, there are three things you have
5389 to do to allow users to authenticate your code:
5393 Export the OpenPGP keys of past and present committers with @command{gpg
5394 --export} and store them in @file{.key} files, by default in a branch
5395 named @code{keyring} (we recommend making it an @dfn{orphan branch}).
5398 Introduce an initial @file{.guix-authorizations} in the channel's
5399 repository. Do that in a signed commit (@pxref{Commit Access}, for
5400 information on how to sign Git commits.)
5403 Advertise the channel introduction, for instance on your channel's web
5404 page. The channel introduction, as we saw above, is the commit/key
5405 pair---i.e., the commit that introduced @file{.guix-authorizations}, and
5406 the fingerprint of the OpenPGP used to sign it.
5409 Before pushing to your public Git repository, you can run @command{guix
5410 git-authenticate} to verify that you did sign all the commits you are
5411 about to push with an authorized key:
5414 guix git authenticate @var{commit} @var{signer}
5418 where @var{commit} and @var{signer} are your channel introduction.
5419 @xref{Invoking guix git authenticate}, for details.
5421 Publishing a signed channel requires discipline: any mistake, such as an
5422 unsigned commit or a commit signed by an unauthorized key, will prevent
5423 users from pulling from your channel---well, that's the whole point of
5424 authentication! Pay attention to merges in particular: merge commits
5425 are considered authentic if and only if they are signed by a key present
5426 in the @file{.guix-authorizations} file of @emph{both} branches.
5429 @section Primary URL
5431 @cindex primary URL, channels
5432 Channel authors can indicate the primary URL of their channel's Git
5433 repository in the @file{.guix-channel} file, like so:
5438 (url "https://example.org/guix.git"))
5441 This allows @command{guix pull} to determine whether it is pulling code
5442 from a mirror of the channel; when that is the case, it warns the user
5443 that the mirror might be stale and displays the primary URL@. That way,
5444 users cannot be tricked into fetching code from a stale mirror that does
5445 not receive security updates.
5447 This feature only makes sense for authenticated repositories, such as
5448 the official @code{guix} channel, for which @command{guix pull} ensures
5449 the code it fetches is authentic.
5451 @node Writing Channel News
5452 @section Writing Channel News
5454 @cindex news, for channels
5455 Channel authors may occasionally want to communicate to their users
5456 information about important changes in the channel. You'd send them all
5457 an email, but that's not convenient.
5459 Instead, channels can provide a @dfn{news file}; when the channel users
5460 run @command{guix pull}, that news file is automatically read and
5461 @command{guix pull --news} can display the announcements that correspond
5462 to the new commits that have been pulled, if any.
5464 To do that, channel authors must first declare the name of the news file
5465 in their @file{.guix-channel} file:
5470 (news-file "etc/news.txt"))
5473 The news file itself, @file{etc/news.txt} in this example, must look
5474 something like this:
5479 (entry (tag "the-bug-fix")
5480 (title (en "Fixed terrible bug")
5482 (body (en "@@emph@{Good news@}! It's fixed!")
5483 (eo "Certe ĝi pli bone funkcias nun!")))
5484 (entry (commit "bdcabe815cd28144a2d2b4bc3c5057b051fa9906")
5485 (title (en "Added a great package")
5486 (ca "Què vol dir guix?"))
5487 (body (en "Don't miss the @@code@{hello@} package!"))))
5490 While the news file is using the Scheme syntax, avoid naming it with a
5491 @file{.scm} extension or else it will get picked up when building the
5492 channel and yield an error since it is not a valid module.
5493 Alternatively, you can move the channel module to a subdirectory and
5494 store the news file in another directory.
5496 The file consists of a list of @dfn{news entries}. Each entry is
5497 associated with a commit or tag: it describes changes made in this
5498 commit, possibly in preceding commits as well. Users see entries only
5499 the first time they obtain the commit the entry refers to.
5501 The @code{title} field should be a one-line summary while @code{body}
5502 can be arbitrarily long, and both can contain Texinfo markup
5503 (@pxref{Overview,,, texinfo, GNU Texinfo}). Both the title and body are
5504 a list of language tag/message tuples, which allows @command{guix pull}
5505 to display news in the language that corresponds to the user's locale.
5507 If you want to translate news using a gettext-based workflow, you can
5508 extract translatable strings with @command{xgettext} (@pxref{xgettext
5509 Invocation,,, gettext, GNU Gettext Utilities}). For example, assuming
5510 you write news entries in English first, the command below creates a PO
5511 file containing the strings to translate:
5514 xgettext -o news.po -l scheme -ken etc/news.txt
5517 To sum up, yes, you could use your channel as a blog. But beware, this
5518 is @emph{not quite} what your users might expect.
5520 @c *********************************************************************
5522 @chapter Development
5524 @cindex software development
5525 If you are a software developer, Guix provides tools that you should find
5526 helpful---independently of the language you're developing in. This is what
5527 this chapter is about.
5529 The @command{guix environment} command provides a convenient way to set up
5530 @dfn{development environments} containing all the dependencies and tools
5531 necessary to work on the software package of your choice. The @command{guix
5532 pack} command allows you to create @dfn{application bundles} that can be
5533 easily distributed to users who do not run Guix.
5536 * Invoking guix environment:: Setting up development environments.
5537 * Invoking guix pack:: Creating software bundles.
5538 * The GCC toolchain:: Working with languages supported by GCC.
5539 * Invoking guix git authenticate:: Authenticating Git repositories.
5542 @node Invoking guix environment
5543 @section Invoking @command{guix environment}
5545 @cindex reproducible build environments
5546 @cindex development environments
5547 @cindex @command{guix environment}
5548 @cindex environment, package build environment
5549 The purpose of @command{guix environment} is to assist hackers in
5550 creating reproducible development environments without polluting their
5551 package profile. The @command{guix environment} tool takes one or more
5552 packages, builds all of their inputs, and creates a shell
5553 environment to use them.
5555 The general syntax is:
5558 guix environment @var{options} @var{package}@dots{}
5561 The following example spawns a new shell set up for the development of
5565 guix environment guile
5568 If the needed dependencies are not built yet, @command{guix environment}
5569 automatically builds them. The environment of the new shell is an
5570 augmented version of the environment that @command{guix environment} was
5571 run in. It contains the necessary search paths for building the given
5572 package added to the existing environment variables. To create
5573 a ``pure'' environment, in which the original environment variables have
5574 been unset, use the @option{--pure} option@footnote{Users sometimes
5575 wrongfully augment environment variables such as @env{PATH} in their
5576 @file{~/.bashrc} file. As a consequence, when @command{guix
5577 environment} launches it, Bash may read @file{~/.bashrc}, thereby
5578 introducing ``impurities'' in these environment variables. It is an
5579 error to define such environment variables in @file{.bashrc}; instead,
5580 they should be defined in @file{.bash_profile}, which is sourced only by
5581 log-in shells. @xref{Bash Startup Files,,, bash, The GNU Bash Reference
5582 Manual}, for details on Bash start-up files.}.
5584 Exiting from a Guix environment is the same as exiting from the shell,
5585 and will place the user back in the old environment before @command{guix
5586 environment} was invoked. The next garbage collection (@pxref{Invoking
5587 guix gc}) will clean up packages that were installed from within the
5588 environment and are no longer used outside of it.
5590 @vindex GUIX_ENVIRONMENT
5591 @command{guix environment} defines the @env{GUIX_ENVIRONMENT}
5592 variable in the shell it spawns; its value is the file name of the
5593 profile of this environment. This allows users to, say, define a
5594 specific prompt for development environments in their @file{.bashrc}
5595 (@pxref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}):
5598 if [ -n "$GUIX_ENVIRONMENT" ]
5600 export PS1="\u@@\h \w [dev]\$ "
5605 ...@: or to browse the profile:
5608 $ ls "$GUIX_ENVIRONMENT/bin"
5611 Additionally, more than one package may be specified, in which case the
5612 union of the inputs for the given packages are used. For example, the
5613 command below spawns a shell where all of the dependencies of both Guile
5614 and Emacs are available:
5617 guix environment guile emacs
5620 Sometimes an interactive shell session is not desired. An arbitrary
5621 command may be invoked by placing the @code{--} token to separate the
5622 command from the rest of the arguments:
5625 guix environment guile -- make -j4
5628 In other situations, it is more convenient to specify the list of
5629 packages needed in the environment. For example, the following command
5630 runs @command{python} from an environment containing Python@tie{}2.7 and
5634 guix environment --ad-hoc python2-numpy python-2.7 -- python
5637 Furthermore, one might want the dependencies of a package and also some
5638 additional packages that are not build-time or runtime dependencies, but
5639 are useful when developing nonetheless. Because of this, the
5640 @option{--ad-hoc} flag is positional. Packages appearing before
5641 @option{--ad-hoc} are interpreted as packages whose dependencies will be
5642 added to the environment. Packages appearing after are interpreted as
5643 packages that will be added to the environment directly. For example,
5644 the following command creates a Guix development environment that
5645 additionally includes Git and strace:
5648 guix environment --pure guix --ad-hoc git strace
5652 Sometimes it is desirable to isolate the environment as much as
5653 possible, for maximal purity and reproducibility. In particular, when
5654 using Guix on a host distro that is not Guix System, it is desirable to
5655 prevent access to @file{/usr/bin} and other system-wide resources from
5656 the development environment. For example, the following command spawns
5657 a Guile REPL in a ``container'' where only the store and the current
5658 working directory are mounted:
5661 guix environment --ad-hoc --container guile -- guile
5665 The @option{--container} option requires Linux-libre 3.19 or newer.
5668 @cindex certificates
5669 Another typical use case for containers is to run security-sensitive
5670 applications such as a web browser. To run Eolie, we must expose and
5671 share some files and directories; we include @code{nss-certs} and expose
5672 @file{/etc/ssl/certs/} for HTTPS authentication; finally we preserve the
5673 @env{DISPLAY} environment variable since containerized graphical
5674 applications won't display without it.
5677 guix environment --preserve='^DISPLAY$' --container --network \
5678 --expose=/etc/machine-id \
5679 --expose=/etc/ssl/certs/ \
5680 --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
5681 --ad-hoc eolie nss-certs dbus -- eolie
5684 The available options are summarized below.
5687 @item --root=@var{file}
5688 @itemx -r @var{file}
5689 @cindex persistent environment
5690 @cindex garbage collector root, for environments
5691 Make @var{file} a symlink to the profile for this environment, and
5692 register it as a garbage collector root.
5694 This is useful if you want to protect your environment from garbage
5695 collection, to make it ``persistent''.
5697 When this option is omitted, the environment is protected from garbage
5698 collection only for the duration of the @command{guix environment}
5699 session. This means that next time you recreate the same environment,
5700 you could have to rebuild or re-download packages. @xref{Invoking guix
5701 gc}, for more on GC roots.
5703 @item --expression=@var{expr}
5704 @itemx -e @var{expr}
5705 Create an environment for the package or list of packages that
5706 @var{expr} evaluates to.
5708 For example, running:
5711 guix environment -e '(@@ (gnu packages maths) petsc-openmpi)'
5714 starts a shell with the environment for this specific variant of the
5720 guix environment --ad-hoc -e '(@@ (gnu) %base-packages)'
5723 starts a shell with all the base system packages available.
5725 The above commands only use the default output of the given packages.
5726 To select other outputs, two element tuples can be specified:
5729 guix environment --ad-hoc -e '(list (@@ (gnu packages bash) bash) "include")'
5732 @item --load=@var{file}
5733 @itemx -l @var{file}
5734 Create an environment for the package or list of packages that the code
5735 within @var{file} evaluates to.
5737 As an example, @var{file} might contain a definition like this
5738 (@pxref{Defining Packages}):
5741 @verbatiminclude environment-gdb.scm
5744 @item --manifest=@var{file}
5745 @itemx -m @var{file}
5746 Create an environment for the packages contained in the manifest object
5747 returned by the Scheme code in @var{file}. This option can be repeated
5748 several times, in which case the manifests are concatenated.
5750 This is similar to the same-named option in @command{guix package}
5751 (@pxref{profile-manifest, @option{--manifest}}) and uses the same
5755 Include all specified packages in the resulting environment, as if an
5756 @i{ad hoc} package were defined with them as inputs. This option is
5757 useful for quickly creating an environment without having to write a
5758 package expression to contain the desired inputs.
5760 For instance, the command:
5763 guix environment --ad-hoc guile guile-sdl -- guile
5766 runs @command{guile} in an environment where Guile and Guile-SDL are
5769 Note that this example implicitly asks for the default output of
5770 @code{guile} and @code{guile-sdl}, but it is possible to ask for a
5771 specific output---e.g., @code{glib:bin} asks for the @code{bin} output
5772 of @code{glib} (@pxref{Packages with Multiple Outputs}).
5774 This option may be composed with the default behavior of @command{guix
5775 environment}. Packages appearing before @option{--ad-hoc} are
5776 interpreted as packages whose dependencies will be added to the
5777 environment, the default behavior. Packages appearing after are
5778 interpreted as packages that will be added to the environment directly.
5781 Unset existing environment variables when building the new environment, except
5782 those specified with @option{--preserve} (see below). This has the effect of
5783 creating an environment in which search paths only contain package inputs.
5785 @item --preserve=@var{regexp}
5786 @itemx -E @var{regexp}
5787 When used alongside @option{--pure}, preserve the environment variables
5788 matching @var{regexp}---in other words, put them on a ``white list'' of
5789 environment variables that must be preserved. This option can be repeated
5793 guix environment --pure --preserve=^SLURM --ad-hoc openmpi @dots{} \
5797 This example runs @command{mpirun} in a context where the only environment
5798 variables defined are @env{PATH}, environment variables whose name starts
5799 with @samp{SLURM}, as well as the usual ``precious'' variables (@env{HOME},
5802 @item --search-paths
5803 Display the environment variable definitions that make up the
5806 @item --system=@var{system}
5807 @itemx -s @var{system}
5808 Attempt to build for @var{system}---e.g., @code{i686-linux}.
5813 Run @var{command} within an isolated container. The current working
5814 directory outside the container is mapped inside the container.
5815 Additionally, unless overridden with @option{--user}, a dummy home
5816 directory is created that matches the current user's home directory, and
5817 @file{/etc/passwd} is configured accordingly.
5819 The spawned process runs as the current user outside the container. Inside
5820 the container, it has the same UID and GID as the current user, unless
5821 @option{--user} is passed (see below).
5825 For containers, share the network namespace with the host system.
5826 Containers created without this flag only have access to the loopback
5829 @item --link-profile
5831 For containers, link the environment profile to @file{~/.guix-profile}
5832 within the container and set @code{GUIX_ENVIRONMENT} to that.
5833 This is equivalent to making @file{~/.guix-profile} a symlink to the
5834 actual profile within the container.
5835 Linking will fail and abort the environment if the directory already
5836 exists, which will certainly be the case if @command{guix environment}
5837 was invoked in the user's home directory.
5839 Certain packages are configured to look in @file{~/.guix-profile} for
5840 configuration files and data;@footnote{For example, the
5841 @code{fontconfig} package inspects @file{~/.guix-profile/share/fonts}
5842 for additional fonts.} @option{--link-profile} allows these programs to
5843 behave as expected within the environment.
5845 @item --user=@var{user}
5846 @itemx -u @var{user}
5847 For containers, use the username @var{user} in place of the current
5848 user. The generated @file{/etc/passwd} entry within the container will
5849 contain the name @var{user}, the home directory will be
5850 @file{/home/@var{user}}, and no user GECOS data will be copied. Furthermore,
5851 the UID and GID inside the container are 1000. @var{user}
5852 need not exist on the system.
5854 Additionally, any shared or exposed path (see @option{--share} and
5855 @option{--expose} respectively) whose target is within the current user's
5856 home directory will be remapped relative to @file{/home/USER}; this
5857 includes the automatic mapping of the current working directory.
5860 # will expose paths as /home/foo/wd, /home/foo/test, and /home/foo/target
5862 guix environment --container --user=foo \
5863 --expose=$HOME/test \
5864 --expose=/tmp/target=$HOME/target
5867 While this will limit the leaking of user identity through home paths
5868 and each of the user fields, this is only one useful component of a
5869 broader privacy/anonymity solution---not one in and of itself.
5872 For containers, the default behavior is to share the current working
5873 directory with the isolated container and immediately change to that
5874 directory within the container. If this is undesirable,
5875 @option{--no-cwd} will cause the current working directory to @emph{not}
5876 be automatically shared and will change to the user's home directory
5877 within the container instead. See also @option{--user}.
5879 @item --expose=@var{source}[=@var{target}]
5880 @itemx --share=@var{source}[=@var{target}]
5881 For containers, @option{--expose} (resp. @option{--share}) exposes the
5882 file system @var{source} from the host system as the read-only
5883 (resp. writable) file system @var{target} within the container. If
5884 @var{target} is not specified, @var{source} is used as the target mount
5885 point in the container.
5887 The example below spawns a Guile REPL in a container in which the user's
5888 home directory is accessible read-only via the @file{/exchange}
5892 guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile
5897 @command{guix environment}
5898 also supports all of the common build options that @command{guix
5899 build} supports (@pxref{Common Build Options}) as well as package
5900 transformation options (@pxref{Package Transformation Options}).
5902 @node Invoking guix pack
5903 @section Invoking @command{guix pack}
5905 Occasionally you want to pass software to people who are not (yet!)
5906 lucky enough to be using Guix. You'd tell them to run @command{guix
5907 package -i @var{something}}, but that's not possible in this case. This
5908 is where @command{guix pack} comes in.
5911 If you are looking for ways to exchange binaries among machines that
5912 already run Guix, @pxref{Invoking guix copy}, @ref{Invoking guix
5913 publish}, and @ref{Invoking guix archive}.
5918 @cindex application bundle
5919 @cindex software bundle
5920 The @command{guix pack} command creates a shrink-wrapped @dfn{pack} or
5921 @dfn{software bundle}: it creates a tarball or some other archive
5922 containing the binaries of the software you're interested in, and all
5923 its dependencies. The resulting archive can be used on any machine that
5924 does not have Guix, and people can run the exact same binaries as those
5925 you have with Guix. The pack itself is created in a bit-reproducible
5926 fashion, so anyone can verify that it really contains the build results
5927 that you pretend to be shipping.
5929 For example, to create a bundle containing Guile, Emacs, Geiser, and all
5930 their dependencies, you can run:
5933 $ guix pack guile emacs emacs-geiser
5935 /gnu/store/@dots{}-pack.tar.gz
5938 The result here is a tarball containing a @file{/gnu/store} directory
5939 with all the relevant packages. The resulting tarball contains a
5940 @dfn{profile} with the three packages of interest; the profile is the
5941 same as would be created by @command{guix package -i}. It is this
5942 mechanism that is used to create Guix's own standalone binary tarball
5943 (@pxref{Binary Installation}).
5945 Users of this pack would have to run
5946 @file{/gnu/store/@dots{}-profile/bin/guile} to run Guile, which you may
5947 find inconvenient. To work around it, you can create, say, a
5948 @file{/opt/gnu/bin} symlink to the profile:
5951 guix pack -S /opt/gnu/bin=bin guile emacs emacs-geiser
5955 That way, users can happily type @file{/opt/gnu/bin/guile} and enjoy.
5957 @cindex relocatable binaries, with @command{guix pack}
5958 What if the recipient of your pack does not have root privileges on
5959 their machine, and thus cannot unpack it in the root file system? In
5960 that case, you will want to use the @option{--relocatable} option (see
5961 below). This option produces @dfn{relocatable binaries}, meaning they
5962 they can be placed anywhere in the file system hierarchy: in the example
5963 above, users can unpack your tarball in their home directory and
5964 directly run @file{./opt/gnu/bin/guile}.
5966 @cindex Docker, build an image with guix pack
5967 Alternatively, you can produce a pack in the Docker image format using
5968 the following command:
5971 guix pack -f docker -S /bin=bin guile guile-readline
5975 The result is a tarball that can be passed to the @command{docker load}
5976 command, followed by @code{docker run}:
5979 docker load < @var{file}
5980 docker run -ti guile-guile-readline /bin/guile
5984 where @var{file} is the image returned by @var{guix pack}, and
5985 @code{guile-guile-readline} is its ``image tag''. See the
5986 @uref{https://docs.docker.com/engine/reference/commandline/load/, Docker
5987 documentation} for more information.
5989 @cindex Singularity, build an image with guix pack
5990 @cindex SquashFS, build an image with guix pack
5991 Yet another option is to produce a SquashFS image with the following
5995 guix pack -f squashfs bash guile emacs emacs-geiser
5999 The result is a SquashFS file system image that can either be mounted or
6000 directly be used as a file system container image with the
6001 @uref{https://www.sylabs.io/docs/, Singularity container execution
6002 environment}, using commands like @command{singularity shell} or
6003 @command{singularity exec}.
6005 Several command-line options allow you to customize your pack:
6008 @item --format=@var{format}
6009 @itemx -f @var{format}
6010 Produce a pack in the given @var{format}.
6012 The available formats are:
6016 This is the default format. It produces a tarball containing all the
6017 specified binaries and symlinks.
6020 This produces a tarball that follows the
6021 @uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md,
6022 Docker Image Specification}. The ``repository name'' as it appears in
6023 the output of the @command{docker images} command is computed from
6024 package names passed on the command line or in the manifest file.
6027 This produces a SquashFS image containing all the specified binaries and
6028 symlinks, as well as empty mount points for virtual file systems like
6032 Singularity @emph{requires} you to provide @file{/bin/sh} in the image.
6033 For that reason, @command{guix pack -f squashfs} always implies @code{-S
6034 /bin=bin}. Thus, your @command{guix pack} invocation must always start
6035 with something like:
6038 guix pack -f squashfs bash @dots{}
6041 If you forget the @code{bash} (or similar) package, @command{singularity
6042 run} and @command{singularity exec} will fail with an unhelpful ``no
6043 such file or directory'' message.
6047 This produces a Debian archive (a package with the @samp{.deb} file
6048 extension) containing all the specified binaries and symbolic links,
6049 that can be installed on top of any dpkg-based GNU(/Linux) distribution.
6052 Because archives produced with @command{guix pack} contain a collection
6053 of store items and because each @command{dpkg} package must not have
6054 conflicting files, in practice that means you likely won't be able to
6055 install more than one such archive on a given system.
6059 @command{dpkg} will assume ownership of any files contained in the pack
6060 that it does @emph{not} know about. It is unwise to install
6061 Guix-produced @samp{.deb} files on a system where @file{/gnu/store} is
6062 shared by other software, such as a Guix installation or other, non-deb
6068 @cindex relocatable binaries
6071 Produce @dfn{relocatable binaries}---i.e., binaries that can be placed
6072 anywhere in the file system hierarchy and run from there.
6074 When this option is passed once, the resulting binaries require support for
6075 @dfn{user namespaces} in the kernel Linux; when passed
6076 @emph{twice}@footnote{Here's a trick to memorize it: @code{-RR}, which adds
6077 PRoot support, can be thought of as the abbreviation of ``Really
6078 Relocatable''. Neat, isn't it?}, relocatable binaries fall to back to
6079 other techniques if user namespaces are unavailable, and essentially
6080 work anywhere---see below for the implications.
6082 For example, if you create a pack containing Bash with:
6085 guix pack -RR -S /mybin=bin bash
6089 ...@: you can copy that pack to a machine that lacks Guix, and from your
6090 home directory as a normal user, run:
6098 In that shell, if you type @code{ls /gnu/store}, you'll notice that
6099 @file{/gnu/store} shows up and contains all the dependencies of
6100 @code{bash}, even though the machine actually lacks @file{/gnu/store}
6101 altogether! That is probably the simplest way to deploy Guix-built
6102 software on a non-Guix machine.
6105 By default, relocatable binaries rely on the @dfn{user namespace} feature of
6106 the kernel Linux, which allows unprivileged users to mount or change root.
6107 Old versions of Linux did not support it, and some GNU/Linux distributions
6110 To produce relocatable binaries that work even in the absence of user
6111 namespaces, pass @option{--relocatable} or @option{-R} @emph{twice}. In that
6112 case, binaries will try user namespace support and fall back to another
6113 @dfn{execution engine} if user namespaces are not supported. The
6114 following execution engines are supported:
6118 Try user namespaces and fall back to PRoot if user namespaces are not
6119 supported (see below).
6122 Try user namespaces and fall back to Fakechroot if user namespaces are
6123 not supported (see below).
6126 Run the program through user namespaces and abort if they are not
6130 Run through PRoot. The @uref{https://proot-me.github.io/, PRoot} program
6131 provides the necessary
6132 support for file system virtualization. It achieves that by using the
6133 @code{ptrace} system call on the running program. This approach has the
6134 advantage to work without requiring special kernel support, but it incurs
6135 run-time overhead every time a system call is made.
6138 Run through Fakechroot. @uref{https://github.com/dex4er/fakechroot/,
6139 Fakechroot} virtualizes file system accesses by intercepting calls to C
6140 library functions such as @code{open}, @code{stat}, @code{exec}, and so
6141 on. Unlike PRoot, it incurs very little overhead. However, it does not
6142 always work: for example, some file system accesses made from within the
6143 C library are not intercepted, and file system accesses made @i{via}
6144 direct syscalls are not intercepted either, leading to erratic behavior.
6147 @vindex GUIX_EXECUTION_ENGINE
6148 When running a wrapped program, you can explicitly request one of the
6149 execution engines listed above by setting the
6150 @env{GUIX_EXECUTION_ENGINE} environment variable accordingly.
6153 @cindex entry point, for Docker images
6154 @item --entry-point=@var{command}
6155 Use @var{command} as the @dfn{entry point} of the resulting pack, if the pack
6156 format supports it---currently @code{docker} and @code{squashfs} (Singularity)
6157 support it. @var{command} must be relative to the profile contained in the
6160 The entry point specifies the command that tools like @code{docker run} or
6161 @code{singularity run} automatically start by default. For example, you can
6165 guix pack -f docker --entry-point=bin/guile guile
6168 The resulting pack can easily be loaded and @code{docker run} with no extra
6169 arguments will spawn @code{bin/guile}:
6172 docker load -i pack.tar.gz
6173 docker run @var{image-id}
6176 @item --expression=@var{expr}
6177 @itemx -e @var{expr}
6178 Consider the package @var{expr} evaluates to.
6180 This has the same purpose as the same-named option in @command{guix
6181 build} (@pxref{Additional Build Options, @option{--expression} in
6182 @command{guix build}}).
6184 @item --manifest=@var{file}
6185 @itemx -m @var{file}
6186 Use the packages contained in the manifest object returned by the Scheme
6187 code in @var{file}. This option can be repeated several times, in which
6188 case the manifests are concatenated.
6190 This has a similar purpose as the same-named option in @command{guix
6191 package} (@pxref{profile-manifest, @option{--manifest}}) and uses the
6192 same manifest files. It allows you to define a collection of packages
6193 once and use it both for creating profiles and for creating archives
6194 for use on machines that do not have Guix installed. Note that you can
6195 specify @emph{either} a manifest file @emph{or} a list of packages,
6198 @item --system=@var{system}
6199 @itemx -s @var{system}
6200 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
6201 the system type of the build host.
6203 @item --target=@var{triplet}
6204 @cindex cross-compilation
6205 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
6206 as @code{"aarch64-linux-gnu"} (@pxref{Specifying target triplets, GNU
6207 configuration triplets,, autoconf, Autoconf}).
6209 @item --compression=@var{tool}
6210 @itemx -C @var{tool}
6211 Compress the resulting tarball using @var{tool}---one of @code{gzip},
6212 @code{zstd}, @code{bzip2}, @code{xz}, @code{lzip}, or @code{none} for no
6215 @item --symlink=@var{spec}
6216 @itemx -S @var{spec}
6217 Add the symlinks specified by @var{spec} to the pack. This option can
6218 appear several times.
6220 @var{spec} has the form @code{@var{source}=@var{target}}, where
6221 @var{source} is the symlink that will be created and @var{target} is the
6224 For instance, @code{-S /opt/gnu/bin=bin} creates a @file{/opt/gnu/bin}
6225 symlink pointing to the @file{bin} sub-directory of the profile.
6227 @item --save-provenance
6228 Save provenance information for the packages passed on the command line.
6229 Provenance information includes the URL and commit of the channels in use
6232 Provenance information is saved in the
6233 @file{/gnu/store/@dots{}-profile/manifest} file in the pack, along with the
6234 usual package metadata---the name and version of each package, their
6235 propagated inputs, and so on. It is useful information to the recipient of
6236 the pack, who then knows how the pack was (supposedly) obtained.
6238 This option is not enabled by default because, like timestamps, provenance
6239 information contributes nothing to the build process. In other words, there
6240 is an infinity of channel URLs and commit IDs that can lead to the same pack.
6241 Recording such ``silent'' metadata in the output thus potentially breaks the
6242 source-to-binary bitwise reproducibility property.
6244 @item --root=@var{file}
6245 @itemx -r @var{file}
6246 @cindex garbage collector root, for packs
6247 Make @var{file} a symlink to the resulting pack, and register it as a garbage
6250 @item --localstatedir
6251 @itemx --profile-name=@var{name}
6252 Include the ``local state directory'', @file{/var/guix}, in the resulting
6253 pack, and notably the @file{/var/guix/profiles/per-user/root/@var{name}}
6254 profile---by default @var{name} is @code{guix-profile}, which corresponds to
6255 @file{~root/.guix-profile}.
6257 @file{/var/guix} contains the store database (@pxref{The Store}) as well
6258 as garbage-collector roots (@pxref{Invoking guix gc}). Providing it in
6259 the pack means that the store is ``complete'' and manageable by Guix;
6260 not providing it pack means that the store is ``dead'': items cannot be
6261 added to it or removed from it after extraction of the pack.
6263 One use case for this is the Guix self-contained binary tarball
6264 (@pxref{Binary Installation}).
6268 Print the name of the derivation that builds the pack.
6271 Use the bootstrap binaries to build the pack. This option is only
6272 useful to Guix developers.
6275 In addition, @command{guix pack} supports all the common build options
6276 (@pxref{Common Build Options}) and all the package transformation
6277 options (@pxref{Package Transformation Options}).
6280 @node The GCC toolchain
6281 @section The GCC toolchain
6285 @cindex linker wrapper
6286 @cindex toolchain, for C development
6287 @cindex toolchain, for Fortran development
6289 If you need a complete toolchain for compiling and linking C or C++
6290 source code, use the @code{gcc-toolchain} package. This package
6291 provides a complete GCC toolchain for C/C++ development, including GCC
6292 itself, the GNU C Library (headers and binaries, plus debugging symbols
6293 in the @code{debug} output), Binutils, and a linker wrapper.
6295 The wrapper's purpose is to inspect the @code{-L} and @code{-l} switches
6296 passed to the linker, add corresponding @code{-rpath} arguments, and
6297 invoke the actual linker with this new set of arguments. You can instruct the
6298 wrapper to refuse to link against libraries not in the store by setting the
6299 @env{GUIX_LD_WRAPPER_ALLOW_IMPURITIES} environment variable to @code{no}.
6301 The package @code{gfortran-toolchain} provides a complete GCC toolchain
6302 for Fortran development. For other languages, please use
6303 @samp{guix search gcc toolchain} (@pxref{guix-search,, Invoking guix package}).
6306 @node Invoking guix git authenticate
6307 @section Invoking @command{guix git authenticate}
6309 The @command{guix git authenticate} command authenticates a Git checkout
6310 following the same rule as for channels (@pxref{channel-authentication,
6311 channel authentication}). That is, starting from a given commit, it
6312 ensures that all subsequent commits are signed by an OpenPGP key whose
6313 fingerprint appears in the @file{.guix-authorizations} file of its
6316 You will find this command useful if you maintain a channel. But in
6317 fact, this authentication mechanism is useful in a broader context, so
6318 you might want to use it for Git repositories that have nothing to do
6321 The general syntax is:
6324 guix git authenticate @var{commit} @var{signer} [@var{options}@dots{}]
6327 By default, this command authenticates the Git checkout in the current
6328 directory; it outputs nothing and exits with exit code zero on success
6329 and non-zero on failure. @var{commit} above denotes the first commit
6330 where authentication takes place, and @var{signer} is the OpenPGP
6331 fingerprint of public key used to sign @var{commit}. Together, they
6332 form a ``channel introduction'' (@pxref{channel-authentication, channel
6333 introduction}). The options below allow you to fine-tune the process.
6336 @item --repository=@var{directory}
6337 @itemx -r @var{directory}
6338 Open the Git repository in @var{directory} instead of the current
6341 @item --keyring=@var{reference}
6342 @itemx -k @var{reference}
6343 Load OpenPGP keyring from @var{reference}, the reference of a branch
6344 such as @code{origin/keyring} or @code{my-keyring}. The branch must
6345 contain OpenPGP public keys in @file{.key} files, either in binary form
6346 or ``ASCII-armored''. By default the keyring is loaded from the branch
6347 named @code{keyring}.
6350 Display commit signing statistics upon completion.
6352 @item --cache-key=@var{key}
6353 Previously-authenticated commits are cached in a file under
6354 @file{~/.cache/guix/authentication}. This option forces the cache to be
6355 stored in file @var{key} in that directory.
6357 @item --historical-authorizations=@var{file}
6358 By default, any commit whose parent commit(s) lack the
6359 @file{.guix-authorizations} file is considered inauthentic. In
6360 contrast, this option considers the authorizations in @var{file} for any
6361 commit that lacks @file{.guix-authorizations}. The format of @var{file}
6362 is the same as that of @file{.guix-authorizations}
6363 (@pxref{channel-authorizations, @file{.guix-authorizations} format}).
6367 @c *********************************************************************
6368 @node Programming Interface
6369 @chapter Programming Interface
6371 GNU Guix provides several Scheme programming interfaces (APIs) to
6372 define, build, and query packages. The first interface allows users to
6373 write high-level package definitions. These definitions refer to
6374 familiar packaging concepts, such as the name and version of a package,
6375 its build system, and its dependencies. These definitions can then be
6376 turned into concrete build actions.
6378 Build actions are performed by the Guix daemon, on behalf of users. In a
6379 standard setup, the daemon has write access to the store---the
6380 @file{/gnu/store} directory---whereas users do not. The recommended
6381 setup also has the daemon perform builds in chroots, under specific
6382 build users, to minimize interference with the rest of the system.
6385 Lower-level APIs are available to interact with the daemon and the
6386 store. To instruct the daemon to perform a build action, users actually
6387 provide it with a @dfn{derivation}. A derivation is a low-level
6388 representation of the build actions to be taken, and the environment in
6389 which they should occur---derivations are to package definitions what
6390 assembly is to C programs. The term ``derivation'' comes from the fact
6391 that build results @emph{derive} from them.
6393 This chapter describes all these APIs in turn, starting from high-level
6394 package definitions.
6397 * Package Modules:: Packages from the programmer's viewpoint.
6398 * Defining Packages:: Defining new packages.
6399 * Defining Package Variants:: Customizing packages.
6400 * Build Systems:: Specifying how packages are built.
6401 * Build Phases:: Phases of the build process of a package.
6402 * Build Utilities:: Helpers for your package definitions and more.
6403 * The Store:: Manipulating the package store.
6404 * Derivations:: Low-level interface to package derivations.
6405 * The Store Monad:: Purely functional interface to the store.
6406 * G-Expressions:: Manipulating build expressions.
6407 * Invoking guix repl:: Programming Guix in Guile
6410 @node Package Modules
6411 @section Package Modules
6413 From a programming viewpoint, the package definitions of the
6414 GNU distribution are provided by Guile modules in the @code{(gnu packages
6415 @dots{})} name space@footnote{Note that packages under the @code{(gnu
6416 packages @dots{})} module name space are not necessarily ``GNU
6417 packages''. This module naming scheme follows the usual Guile module
6418 naming convention: @code{gnu} means that these modules are distributed
6419 as part of the GNU system, and @code{packages} identifies modules that
6420 define packages.} (@pxref{Modules, Guile modules,, guile, GNU Guile
6421 Reference Manual}). For instance, the @code{(gnu packages emacs)}
6422 module exports a variable named @code{emacs}, which is bound to a
6423 @code{<package>} object (@pxref{Defining Packages}).
6425 The @code{(gnu packages @dots{})} module name space is
6426 automatically scanned for packages by the command-line tools. For
6427 instance, when running @code{guix install emacs}, all the @code{(gnu
6428 packages @dots{})} modules are scanned until one that exports a package
6429 object whose name is @code{emacs} is found. This package search
6430 facility is implemented in the @code{(gnu packages)} module.
6432 @cindex customization, of packages
6433 @cindex package module search path
6434 Users can store package definitions in modules with different
6435 names---e.g., @code{(my-packages emacs)}@footnote{Note that the file
6436 name and module name must match. For instance, the @code{(my-packages
6437 emacs)} module must be stored in a @file{my-packages/emacs.scm} file
6438 relative to the load path specified with @option{--load-path} or
6439 @env{GUIX_PACKAGE_PATH}. @xref{Modules and the File System,,,
6440 guile, GNU Guile Reference Manual}, for details.}. There are two ways to make
6441 these package definitions visible to the user interfaces:
6445 By adding the directory containing your package modules to the search path
6446 with the @code{-L} flag of @command{guix package} and other commands
6447 (@pxref{Common Build Options}), or by setting the @env{GUIX_PACKAGE_PATH}
6448 environment variable described below.
6451 By defining a @dfn{channel} and configuring @command{guix pull} so that it
6452 pulls from it. A channel is essentially a Git repository containing package
6453 modules. @xref{Channels}, for more information on how to define and use
6457 @env{GUIX_PACKAGE_PATH} works similarly to other search path variables:
6459 @defvr {Environment Variable} GUIX_PACKAGE_PATH
6460 This is a colon-separated list of directories to search for additional
6461 package modules. Directories listed in this variable take precedence
6462 over the own modules of the distribution.
6465 The distribution is fully @dfn{bootstrapped} and @dfn{self-contained}:
6466 each package is built based solely on other packages in the
6467 distribution. The root of this dependency graph is a small set of
6468 @dfn{bootstrap binaries}, provided by the @code{(gnu packages
6469 bootstrap)} module. For more information on bootstrapping,
6470 @pxref{Bootstrapping}.
6472 @node Defining Packages
6473 @section Defining Packages
6475 The high-level interface to package definitions is implemented in the
6476 @code{(guix packages)} and @code{(guix build-system)} modules. As an
6477 example, the package definition, or @dfn{recipe}, for the GNU Hello
6478 package looks like this:
6481 (define-module (gnu packages hello)
6482 #:use-module (guix packages)
6483 #:use-module (guix download)
6484 #:use-module (guix build-system gnu)
6485 #:use-module (guix licenses)
6486 #:use-module (gnu packages gawk))
6488 (define-public hello
6494 (uri (string-append "mirror://gnu/hello/hello-" version
6498 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
6499 (build-system gnu-build-system)
6500 (arguments '(#:configure-flags '("--enable-silent-rules")))
6501 (inputs `(("gawk" ,gawk)))
6502 (synopsis "Hello, GNU world: An example GNU package")
6503 (description "Guess what GNU Hello prints!")
6504 (home-page "https://www.gnu.org/software/hello/")
6509 Without being a Scheme expert, the reader may have guessed the meaning
6510 of the various fields here. This expression binds the variable
6511 @code{hello} to a @code{<package>} object, which is essentially a record
6512 (@pxref{SRFI-9, Scheme records,, guile, GNU Guile Reference Manual}).
6513 This package object can be inspected using procedures found in the
6514 @code{(guix packages)} module; for instance, @code{(package-name hello)}
6515 returns---surprise!---@code{"hello"}.
6517 With luck, you may be able to import part or all of the definition of
6518 the package you are interested in from another repository, using the
6519 @code{guix import} command (@pxref{Invoking guix import}).
6521 In the example above, @code{hello} is defined in a module of its own,
6522 @code{(gnu packages hello)}. Technically, this is not strictly
6523 necessary, but it is convenient to do so: all the packages defined in
6524 modules under @code{(gnu packages @dots{})} are automatically known to
6525 the command-line tools (@pxref{Package Modules}).
6527 There are a few points worth noting in the above package definition:
6531 The @code{source} field of the package is an @code{<origin>} object
6532 (@pxref{origin Reference}, for the complete reference).
6533 Here, the @code{url-fetch} method from @code{(guix download)} is used,
6534 meaning that the source is a file to be downloaded over FTP or HTTP.
6536 The @code{mirror://gnu} prefix instructs @code{url-fetch} to use one of
6537 the GNU mirrors defined in @code{(guix download)}.
6539 The @code{sha256} field specifies the expected SHA256 hash of the file
6540 being downloaded. It is mandatory, and allows Guix to check the
6541 integrity of the file. The @code{(base32 @dots{})} form introduces the
6542 base32 representation of the hash. You can obtain this information with
6543 @code{guix download} (@pxref{Invoking guix download}) and @code{guix
6544 hash} (@pxref{Invoking guix hash}).
6547 When needed, the @code{origin} form can also have a @code{patches} field
6548 listing patches to be applied, and a @code{snippet} field giving a
6549 Scheme expression to modify the source code.
6552 @cindex GNU Build System
6553 The @code{build-system} field specifies the procedure to build the
6554 package (@pxref{Build Systems}). Here, @code{gnu-build-system}
6555 represents the familiar GNU Build System, where packages may be
6556 configured, built, and installed with the usual @code{./configure &&
6557 make && make check && make install} command sequence.
6559 When you start packaging non-trivial software, you may need tools to
6560 manipulate those build phases, manipulate files, and so on. @xref{Build
6561 Utilities}, for more on this.
6564 The @code{arguments} field specifies options for the build system
6565 (@pxref{Build Systems}). Here it is interpreted by
6566 @code{gnu-build-system} as a request run @file{configure} with the
6567 @option{--enable-silent-rules} flag.
6573 What about these quote (@code{'}) characters? They are Scheme syntax to
6574 introduce a literal list; @code{'} is synonymous with @code{quote}.
6575 @xref{Expression Syntax, quoting,, guile, GNU Guile Reference Manual},
6576 for details. Here the value of the @code{arguments} field is a list of
6577 arguments passed to the build system down the road, as with @code{apply}
6578 (@pxref{Fly Evaluation, @code{apply},, guile, GNU Guile Reference
6581 The hash-colon (@code{#:}) sequence defines a Scheme @dfn{keyword}
6582 (@pxref{Keywords,,, guile, GNU Guile Reference Manual}), and
6583 @code{#:configure-flags} is a keyword used to pass a keyword argument
6584 to the build system (@pxref{Coding With Keywords,,, guile, GNU Guile
6588 The @code{inputs} field specifies inputs to the build process---i.e.,
6589 build-time or run-time dependencies of the package. Here, we define an
6590 input called @code{"gawk"} whose value is that of the @code{gawk}
6591 variable; @code{gawk} is itself bound to a @code{<package>} object.
6593 @cindex backquote (quasiquote)
6596 @cindex comma (unquote)
6600 @findex unquote-splicing
6601 Again, @code{`} (a backquote, synonymous with @code{quasiquote}) allows
6602 us to introduce a literal list in the @code{inputs} field, while
6603 @code{,} (a comma, synonymous with @code{unquote}) allows us to insert a
6604 value in that list (@pxref{Expression Syntax, unquote,, guile, GNU Guile
6607 Note that GCC, Coreutils, Bash, and other essential tools do not need to
6608 be specified as inputs here. Instead, @code{gnu-build-system} takes care
6609 of ensuring that they are present (@pxref{Build Systems}).
6611 However, any other dependencies need to be specified in the
6612 @code{inputs} field. Any dependency not specified here will simply be
6613 unavailable to the build process, possibly leading to a build failure.
6616 @xref{package Reference}, for a full description of possible fields.
6618 Once a package definition is in place, the
6619 package may actually be built using the @code{guix build} command-line
6620 tool (@pxref{Invoking guix build}), troubleshooting any build failures
6621 you encounter (@pxref{Debugging Build Failures}). You can easily jump back to the
6622 package definition using the @command{guix edit} command
6623 (@pxref{Invoking guix edit}).
6624 @xref{Packaging Guidelines}, for
6625 more information on how to test package definitions, and
6626 @ref{Invoking guix lint}, for information on how to check a definition
6627 for style conformance.
6628 @vindex GUIX_PACKAGE_PATH
6629 Lastly, @pxref{Channels}, for information
6630 on how to extend the distribution by adding your own package definitions
6633 Finally, updating the package definition to a new upstream version
6634 can be partly automated by the @command{guix refresh} command
6635 (@pxref{Invoking guix refresh}).
6637 Behind the scenes, a derivation corresponding to the @code{<package>}
6638 object is first computed by the @code{package-derivation} procedure.
6639 That derivation is stored in a @file{.drv} file under @file{/gnu/store}.
6640 The build actions it prescribes may then be realized by using the
6641 @code{build-derivations} procedure (@pxref{The Store}).
6643 @deffn {Scheme Procedure} package-derivation @var{store} @var{package} [@var{system}]
6644 Return the @code{<derivation>} object of @var{package} for @var{system}
6645 (@pxref{Derivations}).
6647 @var{package} must be a valid @code{<package>} object, and @var{system}
6648 must be a string denoting the target system type---e.g.,
6649 @code{"x86_64-linux"} for an x86_64 Linux-based GNU system. @var{store}
6650 must be a connection to the daemon, which operates on the store
6651 (@pxref{The Store}).
6655 @cindex cross-compilation
6656 Similarly, it is possible to compute a derivation that cross-builds a
6657 package for some other system:
6659 @deffn {Scheme Procedure} package-cross-derivation @var{store} @
6660 @var{package} @var{target} [@var{system}]
6661 Return the @code{<derivation>} object of @var{package} cross-built from
6662 @var{system} to @var{target}.
6664 @var{target} must be a valid GNU triplet denoting the target hardware
6665 and operating system, such as @code{"aarch64-linux-gnu"}
6666 (@pxref{Specifying Target Triplets,,, autoconf, Autoconf}).
6669 Once you have package definitions, you can easily define @emph{variants}
6670 of those packages. @xref{Defining Package Variants}, for more on that.
6673 * package Reference:: The package data type.
6674 * origin Reference:: The origin data type.
6678 @node package Reference
6679 @subsection @code{package} Reference
6681 This section summarizes all the options available in @code{package}
6682 declarations (@pxref{Defining Packages}).
6684 @deftp {Data Type} package
6685 This is the data type representing a package recipe.
6689 The name of the package, as a string.
6691 @item @code{version}
6692 The version of the package, as a string. @xref{Version Numbers}, for
6696 An object telling how the source code for the package should be
6697 acquired. Most of the time, this is an @code{origin} object, which
6698 denotes a file fetched from the Internet (@pxref{origin Reference}). It
6699 can also be any other ``file-like'' object such as a @code{local-file},
6700 which denotes a file from the local file system (@pxref{G-Expressions,
6701 @code{local-file}}).
6703 @item @code{build-system}
6704 The build system that should be used to build the package (@pxref{Build
6707 @item @code{arguments} (default: @code{'()})
6708 The arguments that should be passed to the build system. This is a
6709 list, typically containing sequential keyword-value pairs.
6711 @item @code{inputs} (default: @code{'()})
6712 @itemx @code{native-inputs} (default: @code{'()})
6713 @itemx @code{propagated-inputs} (default: @code{'()})
6714 @cindex inputs, of packages
6715 These fields list dependencies of the package. Each one is a list of
6716 tuples, where each tuple has a label for the input (a string) as its
6717 first element, a package, origin, or derivation as its second element,
6718 and optionally the name of the output thereof that should be used, which
6719 defaults to @code{"out"} (@pxref{Packages with Multiple Outputs}, for
6720 more on package outputs). For example, the list below specifies three
6724 `(("libffi" ,libffi)
6725 ("libunistring" ,libunistring)
6726 ("glib:bin" ,glib "bin")) ;the "bin" output of Glib
6729 @cindex cross compilation, package dependencies
6730 The distinction between @code{native-inputs} and @code{inputs} is
6731 necessary when considering cross-compilation. When cross-compiling,
6732 dependencies listed in @code{inputs} are built for the @emph{target}
6733 architecture; conversely, dependencies listed in @code{native-inputs}
6734 are built for the architecture of the @emph{build} machine.
6736 @code{native-inputs} is typically used to list tools needed at
6737 build time, but not at run time, such as Autoconf, Automake, pkg-config,
6738 Gettext, or Bison. @command{guix lint} can report likely mistakes in
6739 this area (@pxref{Invoking guix lint}).
6741 @anchor{package-propagated-inputs}
6742 Lastly, @code{propagated-inputs} is similar to @code{inputs}, but the
6743 specified packages will be automatically installed to profiles
6744 (@pxref{Features, the role of profiles in Guix}) alongside the package
6745 they belong to (@pxref{package-cmd-propagated-inputs, @command{guix
6746 package}}, for information on how @command{guix package} deals with
6749 For example this is necessary when packaging a C/C++ library that needs
6750 headers of another library to compile, or when a pkg-config file refers
6751 to another one @i{via} its @code{Requires} field.
6753 Another example where @code{propagated-inputs} is useful is for languages
6754 that lack a facility to record the run-time search path akin to the
6755 @code{RUNPATH} of ELF files; this includes Guile, Python, Perl, and
6756 more. When packaging libraries written in those languages, ensure they
6757 can find library code they depend on at run time by listing run-time
6758 dependencies in @code{propagated-inputs} rather than @code{inputs}.
6760 @item @code{outputs} (default: @code{'("out")})
6761 The list of output names of the package. @xref{Packages with Multiple
6762 Outputs}, for typical uses of additional outputs.
6764 @item @code{native-search-paths} (default: @code{'()})
6765 @itemx @code{search-paths} (default: @code{'()})
6766 A list of @code{search-path-specification} objects describing
6767 search-path environment variables honored by the package.
6769 @item @code{replacement} (default: @code{#f})
6770 This must be either @code{#f} or a package object that will be used as a
6771 @dfn{replacement} for this package. @xref{Security Updates, grafts},
6774 @item @code{synopsis}
6775 A one-line description of the package.
6777 @item @code{description}
6778 A more elaborate description of the package.
6780 @item @code{license}
6781 @cindex license, of packages
6782 The license of the package; a value from @code{(guix licenses)},
6783 or a list of such values.
6785 @item @code{home-page}
6786 The URL to the home-page of the package, as a string.
6788 @item @code{supported-systems} (default: @code{%supported-systems})
6789 The list of systems supported by the package, as strings of the form
6790 @code{architecture-kernel}, for example @code{"x86_64-linux"}.
6792 @item @code{location} (default: source location of the @code{package} form)
6793 The source location of the package. It is useful to override this when
6794 inheriting from another package, in which case this field is not
6795 automatically corrected.
6799 @deffn {Scheme Syntax} this-package
6800 When used in the @emph{lexical scope} of a package field definition, this
6801 identifier resolves to the package being defined.
6803 The example below shows how to add a package as a native input of itself when
6811 ;; When cross-compiled, Guile, for example, depends on
6812 ;; a native version of itself. Add it here.
6813 (native-inputs (if (%current-target-system)
6814 `(("self" ,this-package))
6818 It is an error to refer to @code{this-package} outside a package definition.
6821 Because packages are regular Scheme objects that capture a complete
6822 dependency graph and associated build procedures, it is often useful to
6823 write procedures that take a package and return a modified version
6824 thereof according to some parameters. Below are a few examples.
6826 @cindex tool chain, choosing a package's tool chain
6827 @deffn {Scheme Procedure} package-with-c-toolchain @var{package} @var{toolchain}
6828 Return a variant of @var{package} that uses @var{toolchain} instead of
6829 the default GNU C/C++ toolchain. @var{toolchain} must be a list of
6830 inputs (label/package tuples) providing equivalent functionality, such
6831 as the @code{gcc-toolchain} package.
6833 The example below returns a variant of the @code{hello} package built
6834 with GCC@tie{}10.x and the rest of the GNU tool chain (Binutils and the
6835 GNU C Library) instead of the default tool chain:
6838 (let ((toolchain (specification->package "gcc-toolchain@@10")))
6839 (package-with-c-toolchain hello `(("toolchain" ,toolchain))))
6842 The build tool chain is part of the @dfn{implicit inputs} of
6843 packages---it's usually not listed as part of the various ``inputs''
6844 fields and is instead pulled in by the build system. Consequently, this
6845 procedure works by changing the build system of @var{package} so that it
6846 pulls in @var{toolchain} instead of the defaults. @ref{Build Systems},
6847 for more on build systems.
6850 @node origin Reference
6851 @subsection @code{origin} Reference
6853 This section documents @dfn{origins}. An @code{origin} declaration
6854 specifies data that must be ``produced''---downloaded, usually---and
6855 whose content hash is known in advance. Origins are primarily used to
6856 represent the source code of packages (@pxref{Defining Packages}). For
6857 that reason, the @code{origin} form allows you to declare patches to
6858 apply to the original source code as well as code snippets to modify it.
6860 @deftp {Data Type} origin
6861 This is the data type representing a source code origin.
6865 An object containing the URI of the source. The object type depends on
6866 the @code{method} (see below). For example, when using the
6867 @var{url-fetch} method of @code{(guix download)}, the valid @code{uri}
6868 values are: a URL represented as a string, or a list thereof.
6870 @cindex fixed-output derivations, for download
6872 A monadic procedure that handles the given URI@. The procedure must
6873 accept at least three arguments: the value of the @code{uri} field and
6874 the hash algorithm and hash value specified by the @code{hash} field.
6875 It must return a store item or a derivation in the store monad
6876 (@pxref{The Store Monad}); most methods return a fixed-output derivation
6877 (@pxref{Derivations}).
6879 Commonly used methods include @code{url-fetch}, which fetches data from
6880 a URL, and @code{git-fetch}, which fetches data from a Git repository
6884 A bytevector containing the SHA-256 hash of the source. This is
6885 equivalent to providing a @code{content-hash} SHA256 object in the
6886 @code{hash} field described below.
6889 The @code{content-hash} object of the source---see below for how to use
6890 @code{content-hash}.
6892 You can obtain this information using @code{guix download}
6893 (@pxref{Invoking guix download}) or @code{guix hash} (@pxref{Invoking
6896 @item @code{file-name} (default: @code{#f})
6897 The file name under which the source code should be saved. When this is
6898 @code{#f}, a sensible default value will be used in most cases. In case
6899 the source is fetched from a URL, the file name from the URL will be
6900 used. For version control checkouts, it is recommended to provide the
6901 file name explicitly because the default is not very descriptive.
6903 @item @code{patches} (default: @code{'()})
6904 A list of file names, origins, or file-like objects (@pxref{G-Expressions,
6905 file-like objects}) pointing to patches to be applied to the source.
6907 This list of patches must be unconditional. In particular, it cannot
6908 depend on the value of @code{%current-system} or
6909 @code{%current-target-system}.
6911 @item @code{snippet} (default: @code{#f})
6912 A G-expression (@pxref{G-Expressions}) or S-expression that will be run
6913 in the source directory. This is a convenient way to modify the source,
6914 sometimes more convenient than a patch.
6916 @item @code{patch-flags} (default: @code{'("-p1")})
6917 A list of command-line flags that should be passed to the @code{patch}
6920 @item @code{patch-inputs} (default: @code{#f})
6921 Input packages or derivations to the patching process. When this is
6922 @code{#f}, the usual set of inputs necessary for patching are provided,
6923 such as GNU@tie{}Patch.
6925 @item @code{modules} (default: @code{'()})
6926 A list of Guile modules that should be loaded during the patching
6927 process and while running the code in the @code{snippet} field.
6929 @item @code{patch-guile} (default: @code{#f})
6930 The Guile package that should be used in the patching process. When
6931 this is @code{#f}, a sensible default is used.
6935 @deftp {Data Type} content-hash @var{value} [@var{algorithm}]
6936 Construct a content hash object for the given @var{algorithm}, and with
6937 @var{value} as its hash value. When @var{algorithm} is omitted, assume
6938 it is @code{sha256}.
6940 @var{value} can be a literal string, in which case it is base32-decoded,
6941 or it can be a bytevector.
6943 The following forms are all equivalent:
6946 (content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj")
6947 (content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"
6949 (content-hash (base32
6950 "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"))
6951 (content-hash (base64 "kkb+RPaP7uyMZmu4eXPVkM4BN8yhRd8BTHLslb6f/Rc=")
6955 Technically, @code{content-hash} is currently implemented as a macro.
6956 It performs sanity checks at macro-expansion time, when possible, such
6957 as ensuring that @var{value} has the right size for @var{algorithm}.
6960 As we have seen above, how exactly the data an origin refers to is
6961 retrieved is determined by its @code{method} field. The @code{(guix
6962 download)} module provides the most common method, @code{url-fetch},
6965 @deffn {Scheme Procedure} url-fetch @var{url} @var{hash-algo} @var{hash} @
6966 [name] [#:executable? #f]
6967 Return a fixed-output derivation that fetches data from @var{url} (a
6968 string, or a list of strings denoting alternate URLs), which is expected
6969 to have hash @var{hash} of type @var{hash-algo} (a symbol). By default,
6970 the file name is the base name of URL; optionally, @var{name} can
6971 specify a different file name. When @var{executable?} is true, make the
6972 downloaded file executable.
6974 When one of the URL starts with @code{mirror://}, then its host part is
6975 interpreted as the name of a mirror scheme, taken from @file{%mirror-file}.
6977 Alternatively, when URL starts with @code{file://}, return the
6978 corresponding file name in the store.
6981 Likewise, the @code{(guix git-download)} module defines the
6982 @code{git-fetch} origin method, which fetches data from a Git version
6983 control repository, and the @code{git-reference} data type to describe
6984 the repository and revision to fetch.
6986 @deffn {Scheme Procedure} git-fetch @var{ref} @var{hash-algo} @var{hash}
6987 Return a fixed-output derivation that fetches @var{ref}, a
6988 @code{<git-reference>} object. The output is expected to have recursive
6989 hash @var{hash} of type @var{hash-algo} (a symbol). Use @var{name} as
6990 the file name, or a generic name if @code{#f}.
6993 @deftp {Data Type} git-reference
6994 This data type represents a Git reference for @code{git-fetch} to
6999 The URL of the Git repository to clone.
7002 This string denotes either the commit to fetch (a hexadecimal string,
7003 either the full SHA1 commit or a ``short'' commit string; the latter is
7004 not recommended) or the tag to fetch.
7006 @item @code{recursive?} (default: @code{#f})
7007 This Boolean indicates whether to recursively fetch Git sub-modules.
7010 The example below denotes the @code{v2.10} tag of the GNU@tie{}Hello
7015 (url "https://git.savannah.gnu.org/git/hello.git")
7019 This is equivalent to the reference below, which explicitly names the
7024 (url "https://git.savannah.gnu.org/git/hello.git")
7025 (commit "dc7dc56a00e48fe6f231a58f6537139fe2908fb9"))
7029 For Mercurial repositories, the module @code{(guix hg-download)} defines
7030 the @code{hg-fetch} origin method and @code{hg-reference} data type for
7031 support of the Mercurial version control system.
7033 @deffn {Scheme Procedure} hg-fetch @var{ref} @var{hash-algo} @var{hash} @
7035 Return a fixed-output derivation that fetches @var{ref}, a
7036 @code{<hg-reference>} object. The output is expected to have recursive
7037 hash @var{hash} of type @var{hash-algo} (a symbol). Use @var{name} as
7038 the file name, or a generic name if @code{#false}.
7041 @node Defining Package Variants
7042 @section Defining Package Variants
7044 @cindex customizing packages
7045 @cindex variants, of packages
7046 One of the nice things with Guix is that, given a package definition,
7047 you can easily @emph{derive} variants of that package---for a different
7048 upstream version, with different dependencies, different compilation
7049 options, and so on. Some of these custom packages can be defined
7050 straight from the command line (@pxref{Package Transformation Options}).
7051 This section describes how to define package variants in code. This can
7052 be useful in ``manifests'' (@pxref{profile-manifest,
7053 @option{--manifest}}) and in your own package collection
7054 (@pxref{Creating a Channel}), among others!
7056 @cindex inherit, for package definitions
7057 As discussed earlier, packages are first-class objects in the Scheme
7058 language. The @code{(guix packages)} module provides the @code{package}
7059 construct to define new package objects (@pxref{package Reference}).
7060 The easiest way to define a package variant is using the @code{inherit}
7061 keyword together with @code{package}. This allows you to inherit from a
7062 package definition while overriding the fields you want.
7064 For example, given the @code{hello} variable, which contains a
7065 definition for the current version of GNU@tie{}Hello, here's how you
7066 would define a variant for version 2.2 (released in 2006, it's
7070 (use-modules (gnu packages base)) ;for 'hello'
7078 (uri (string-append "mirror://gnu/hello/hello-" version
7082 "0lappv4slgb5spyqbh6yl5r013zv72yqg2pcl30mginf3wdqd8k9"))))))
7085 The example above corresponds to what the @option{--with-source} package
7086 transformation option does. Essentially @code{hello-2.2} preserves all
7087 the fields of @code{hello}, except @code{version} and @code{source},
7088 which it overrides. Note that the original @code{hello} variable is
7089 still there, in the @code{(gnu packages base)} module, unchanged. When
7090 you define a custom package like this, you are really @emph{adding} a
7091 new package definition; the original one remains available.
7093 You can just as well define variants with a different set of
7094 dependencies than the original package. For example, the default
7095 @code{gdb} package depends on @code{guile}, but since that is an
7096 optional dependency, you can define a variant that removes that
7100 (use-modules (gnu packages gdb) ;for 'gdb'
7101 (srfi srfi-1)) ;for 'alist-delete'
7103 (define gdb-sans-guile
7106 (inputs (alist-delete "guile"
7107 (package-inputs gdb)))))
7110 The @code{alist-delete} call above removes the tuple from the
7111 @code{inputs} field that has @code{"guile"} as its first element
7112 (@pxref{SRFI-1 Association Lists,,, guile, GNU Guile Reference
7115 In some cases, you may find it useful to write functions
7116 (``procedures'', in Scheme parlance) that return a package based on some
7117 parameters. For example, consider the @code{luasocket} library for the
7118 Lua programming language. We want to create @code{luasocket} packages
7119 for major versions of Lua. One way to do that is to define a procedure
7120 that takes a Lua package and returns a @code{luasocket} package that
7124 (define (make-lua-socket name lua)
7125 ;; Return a luasocket package built with LUA.
7129 ;; several fields omitted
7132 (synopsis "Socket library for Lua")))
7134 (define-public lua5.1-socket
7135 (make-lua-socket "lua5.1-socket" lua-5.1))
7137 (define-public lua5.2-socket
7138 (make-lua-socket "lua5.2-socket" lua-5.2))
7141 Here we have defined packages @code{lua5.1-socket} and
7142 @code{lua5.2-socket} by calling @code{make-lua-socket} with different
7143 arguments. @xref{Procedures,,, guile, GNU Guile Reference Manual}, for
7144 more info on procedures. Having top-level public definitions for these
7145 two packages means that they can be referred to from the command line
7146 (@pxref{Package Modules}).
7148 @cindex package transformations
7149 These are pretty simple package variants. As a convenience, the
7150 @code{(guix transformations)} module provides a high-level interface
7151 that directly maps to the more sophisticated package transformation
7152 options (@pxref{Package Transformation Options}):
7154 @deffn {Scheme Procedure} options->transformation @var{opts}
7155 Return a procedure that, when passed an object to build (package,
7156 derivation, etc.), applies the transformations specified by @var{opts} and returns
7157 the resulting objects. @var{opts} must be a list of symbol/string pairs such as:
7160 ((with-branch . "guile-gcrypt=master")
7161 (without-tests . "libgcrypt"))
7164 Each symbol names a transformation and the corresponding string is an argument
7165 to that transformation.
7168 For instance, a manifest equivalent to this command:
7172 --with-branch=guile-gcrypt=master \
7173 --with-debug-info=zlib
7177 ... would look like this:
7180 (use-modules (guix transformations))
7183 ;; The package transformation procedure.
7184 (options->transformation
7185 '((with-branch . "guile-gcrypt=master")
7186 (with-debug-info . "zlib"))))
7189 (list (transform (specification->package "guix"))))
7192 @cindex input rewriting
7193 @cindex dependency graph rewriting
7194 The @code{options->transformation} procedure is convenient, but it's
7195 perhaps also not as flexible as you may like. How is it implemented?
7196 The astute reader probably noticed that most package transformation
7197 options go beyond the superficial changes shown in the first examples of
7198 this section: they involve @dfn{input rewriting}, whereby the dependency
7199 graph of a package is rewritten by replacing specific inputs by others.
7201 Dependency graph rewriting, for the purposes of swapping packages in the
7202 graph, is what the @code{package-input-rewriting} procedure in
7203 @code{(guix packages)} implements.
7205 @deffn {Scheme Procedure} package-input-rewriting @var{replacements} @
7206 [@var{rewrite-name}] [#:deep? #t]
7207 Return a procedure that, when passed a package, replaces its direct and
7208 indirect dependencies, including implicit inputs when @var{deep?} is
7209 true, according to @var{replacements}. @var{replacements} is a list of
7210 package pairs; the first element of each pair is the package to replace,
7211 and the second one is the replacement.
7213 Optionally, @var{rewrite-name} is a one-argument procedure that takes
7214 the name of a package and returns its new name after rewrite.
7218 Consider this example:
7221 (define libressl-instead-of-openssl
7222 ;; This is a procedure to replace OPENSSL by LIBRESSL,
7224 (package-input-rewriting `((,openssl . ,libressl))))
7226 (define git-with-libressl
7227 (libressl-instead-of-openssl git))
7231 Here we first define a rewriting procedure that replaces @var{openssl}
7232 with @var{libressl}. Then we use it to define a @dfn{variant} of the
7233 @var{git} package that uses @var{libressl} instead of @var{openssl}.
7234 This is exactly what the @option{--with-input} command-line option does
7235 (@pxref{Package Transformation Options, @option{--with-input}}).
7237 The following variant of @code{package-input-rewriting} can match packages to
7238 be replaced by name rather than by identity.
7240 @deffn {Scheme Procedure} package-input-rewriting/spec @var{replacements} [#:deep? #t]
7241 Return a procedure that, given a package, applies the given
7242 @var{replacements} to all the package graph, including implicit inputs
7243 unless @var{deep?} is false. @var{replacements} is a list of
7244 spec/procedures pair; each spec is a package specification such as
7245 @code{"gcc"} or @code{"guile@@2"}, and each procedure takes a matching
7246 package and returns a replacement for that package.
7249 The example above could be rewritten this way:
7252 (define libressl-instead-of-openssl
7253 ;; Replace all the packages called "openssl" with LibreSSL.
7254 (package-input-rewriting/spec `(("openssl" . ,(const libressl)))))
7257 The key difference here is that, this time, packages are matched by spec and
7258 not by identity. In other words, any package in the graph that is called
7259 @code{openssl} will be replaced.
7261 A more generic procedure to rewrite a package dependency graph is
7262 @code{package-mapping}: it supports arbitrary changes to nodes in the
7265 @deffn {Scheme Procedure} package-mapping @var{proc} [@var{cut?}] [#:deep? #f]
7266 Return a procedure that, given a package, applies @var{proc} to all the packages
7267 depended on and returns the resulting package. The procedure stops recursion
7268 when @var{cut?} returns true for a given package. When @var{deep?} is true, @var{proc} is
7269 applied to implicit inputs as well.
7274 @section Build Systems
7276 @cindex build system
7277 Each package definition specifies a @dfn{build system} and arguments for
7278 that build system (@pxref{Defining Packages}). This @code{build-system}
7279 field represents the build procedure of the package, as well as implicit
7280 dependencies of that build procedure.
7282 Build systems are @code{<build-system>} objects. The interface to
7283 create and manipulate them is provided by the @code{(guix build-system)}
7284 module, and actual build systems are exported by specific modules.
7286 @cindex bag (low-level package representation)
7287 Under the hood, build systems first compile package objects to
7288 @dfn{bags}. A @dfn{bag} is like a package, but with less
7289 ornamentation---in other words, a bag is a lower-level representation of
7290 a package, which includes all the inputs of that package, including some
7291 that were implicitly added by the build system. This intermediate
7292 representation is then compiled to a derivation (@pxref{Derivations}).
7293 The @code{package-with-c-toolchain} is an example of a way to change the
7294 implicit inputs that a package's build system pulls in (@pxref{package
7295 Reference, @code{package-with-c-toolchain}}).
7297 Build systems accept an optional list of @dfn{arguments}. In package
7298 definitions, these are passed @i{via} the @code{arguments} field
7299 (@pxref{Defining Packages}). They are typically keyword arguments
7300 (@pxref{Optional Arguments, keyword arguments in Guile,, guile, GNU
7301 Guile Reference Manual}). The value of these arguments is usually
7302 evaluated in the @dfn{build stratum}---i.e., by a Guile process launched
7303 by the daemon (@pxref{Derivations}).
7305 The main build system is @code{gnu-build-system}, which implements the
7306 standard build procedure for GNU and many other packages. It
7307 is provided by the @code{(guix build-system gnu)} module.
7309 @defvr {Scheme Variable} gnu-build-system
7310 @code{gnu-build-system} represents the GNU Build System, and variants
7311 thereof (@pxref{Configuration, configuration and makefile conventions,,
7312 standards, GNU Coding Standards}).
7314 @cindex build phases
7315 In a nutshell, packages using it are configured, built, and installed with
7316 the usual @code{./configure && make && make check && make install}
7317 command sequence. In practice, a few additional steps are often needed.
7318 All these steps are split up in separate @dfn{phases}.
7319 @xref{Build Phases}, for more info on build phases and ways to customize
7322 In addition, this build system ensures that the ``standard'' environment
7323 for GNU packages is available. This includes tools such as GCC, libc,
7324 Coreutils, Bash, Make, Diffutils, grep, and sed (see the @code{(guix
7325 build-system gnu)} module for a complete list). We call these the
7326 @dfn{implicit inputs} of a package, because package definitions do not
7327 have to mention them.
7329 This build system supports a number of keyword arguments, which can be
7330 passed @i{via} the @code{arguments} field of a package. Here are some
7331 of the main parameters:
7335 This argument specifies build-side code that evaluates to an alist of
7336 build phases. @xref{Build Phases}, for more information.
7338 @item #:configure-flags
7339 This is a list of flags (strings) passed to the @command{configure}
7340 script. @xref{Defining Packages}, for an example.
7343 This list of strings contains flags passed as arguments to
7344 @command{make} invocations in the @code{build}, @code{check}, and
7345 @code{install} phases.
7347 @item #:out-of-source?
7348 This Boolean, @code{#f} by default, indicates whether to run builds in a
7349 build directory separate from the source tree.
7351 When it is true, the @code{configure} phase creates a separate build
7352 directory, changes to that directory, and runs the @code{configure}
7353 script from there. This is useful for packages that require it, such as
7357 This Boolean, @code{#t} by default, indicates whether the @code{check}
7358 phase should run the package's test suite.
7361 This string, @code{"check"} by default, gives the name of the makefile
7362 target used by the @code{check} phase.
7364 @item #:parallel-build?
7365 @itemx #:parallel-tests?
7366 These Boolean values specify whether to build, respectively run the test
7367 suite, in parallel, with the @code{-j} flag of @command{make}. When
7368 they are true, @code{make} is passed @code{-j@var{n}}, where @var{n} is
7369 the number specified as the @option{--cores} option of
7370 @command{guix-daemon} or that of the @command{guix} client command
7371 (@pxref{Common Build Options, @option{--cores}}).
7373 @cindex RUNPATH, validation
7374 @item #:validate-runpath?
7375 This Boolean, @code{#t} by default, determines whether to ``validate''
7376 the @code{RUNPATH} of ELF binaries (@code{.so} shared libraries as well
7377 as executables) previously installed by the @code{install} phase.
7379 This validation step consists in making sure that all the shared
7380 libraries needed by an ELF binary, which are listed as
7381 @code{DT_NEEDED} entries in its @code{PT_DYNAMIC} segment, appear in the
7382 @code{DT_RUNPATH} entry of that binary. In other words, it ensures that
7383 running or using those binaries will not result in a ``file not found''
7384 error at run time. @xref{Options, @option{-rpath},, ld, The GNU
7385 Linker}, for more information on @code{RUNPATH}.
7387 @item #:substitutable?
7388 This Boolean, @code{#t} by default, tells whether the package outputs
7389 should be substitutable---i.e., whether users should be able to obtain
7390 substitutes for them instead of building locally (@pxref{Substitutes}).
7392 @item #:allowed-references
7393 @itemx #:disallowed-references
7394 When true, these arguments must be a list of dependencies that must not
7395 appear among the references of the build results. If, upon build
7396 completion, some of these references are retained, the build process
7399 This is useful to ensure that a package does not erroneously keep a
7400 reference to some of it build-time inputs, in cases where doing so
7401 would, for example, unnecessarily increase its size (@pxref{Invoking
7405 Most other build systems support these keyword arguments.
7408 Other @code{<build-system>} objects are defined to support other
7409 conventions and tools used by free software packages. They inherit most
7410 of @code{gnu-build-system}, and differ mainly in the set of inputs
7411 implicitly added to the build process, and in the list of phases
7412 executed. Some of these build systems are listed below.
7414 @defvr {Scheme Variable} ant-build-system
7415 This variable is exported by @code{(guix build-system ant)}. It
7416 implements the build procedure for Java packages that can be built with
7417 @url{https://ant.apache.org/, Ant build tool}.
7419 It adds both @code{ant} and the @dfn{Java Development Kit} (JDK) as
7420 provided by the @code{icedtea} package to the set of inputs. Different
7421 packages can be specified with the @code{#:ant} and @code{#:jdk}
7422 parameters, respectively.
7424 When the original package does not provide a suitable Ant build file,
7425 the parameter @code{#:jar-name} can be used to generate a minimal Ant
7426 build file @file{build.xml} with tasks to build the specified jar
7427 archive. In this case the parameter @code{#:source-dir} can be used to
7428 specify the source sub-directory, defaulting to ``src''.
7430 The @code{#:main-class} parameter can be used with the minimal ant
7431 buildfile to specify the main class of the resulting jar. This makes the
7432 jar file executable. The @code{#:test-include} parameter can be used to
7433 specify the list of junit tests to run. It defaults to
7434 @code{(list "**/*Test.java")}. The @code{#:test-exclude} can be used to
7435 disable some tests. It defaults to @code{(list "**/Abstract*.java")},
7436 because abstract classes cannot be run as tests.
7438 The parameter @code{#:build-target} can be used to specify the Ant task
7439 that should be run during the @code{build} phase. By default the
7440 ``jar'' task will be run.
7444 @defvr {Scheme Variable} android-ndk-build-system
7445 @cindex Android distribution
7446 @cindex Android NDK build system
7447 This variable is exported by @code{(guix build-system android-ndk)}. It
7448 implements a build procedure for Android NDK (native development kit)
7449 packages using a Guix-specific build process.
7451 The build system assumes that packages install their public interface
7452 (header) files to the subdirectory @file{include} of the @code{out} output and
7453 their libraries to the subdirectory @file{lib} the @code{out} output.
7455 It's also assumed that the union of all the dependencies of a package
7456 has no conflicting files.
7458 For the time being, cross-compilation is not supported - so right now
7459 the libraries and header files are assumed to be host tools.
7463 @defvr {Scheme Variable} asdf-build-system/source
7464 @defvrx {Scheme Variable} asdf-build-system/sbcl
7465 @defvrx {Scheme Variable} asdf-build-system/ecl
7467 These variables, exported by @code{(guix build-system asdf)}, implement
7468 build procedures for Common Lisp packages using
7469 @url{https://common-lisp.net/project/asdf/, ``ASDF''}. ASDF is a system
7470 definition facility for Common Lisp programs and libraries.
7472 The @code{asdf-build-system/source} system installs the packages in
7473 source form, and can be loaded using any common lisp implementation, via
7474 ASDF@. The others, such as @code{asdf-build-system/sbcl}, install binary
7475 systems in the format which a particular implementation understands.
7476 These build systems can also be used to produce executable programs, or
7477 lisp images which contain a set of packages pre-loaded.
7479 The build system uses naming conventions. For binary packages, the
7480 package name should be prefixed with the lisp implementation, such as
7481 @code{sbcl-} for @code{asdf-build-system/sbcl}.
7483 Additionally, the corresponding source package should be labeled using
7484 the same convention as python packages (see @ref{Python Modules}), using
7485 the @code{cl-} prefix.
7487 In order to create executable programs and images, the build-side
7488 procedures @code{build-program} and @code{build-image} can be used.
7489 They should be called in a build phase after the
7490 @code{create-asdf-configuration} phase, so that the system which was
7491 just built can be used within the resulting image. @code{build-program}
7492 requires a list of Common Lisp expressions to be passed as the
7493 @code{#:entry-program} argument.
7495 By default, all the @file{.asd} files present in the sources are read to
7496 find system definitions. The @code{#:asd-files} parameter can be used
7497 to specify the list of @file{.asd} files to read. Furthermore, if the
7498 package defines a system for its tests in a separate file, it will be
7499 loaded before the tests are run if it is specified by the
7500 @code{#:test-asd-file} parameter. If it is not set, the files
7501 @code{<system>-tests.asd}, @code{<system>-test.asd}, @code{tests.asd},
7502 and @code{test.asd} will be tried if they exist.
7504 If for some reason the package must be named in a different way than the
7505 naming conventions suggest, or if several systems must be compiled, the
7506 @code{#:asd-systems} parameter can be used to specify the list of system
7511 @defvr {Scheme Variable} cargo-build-system
7512 @cindex Rust programming language
7513 @cindex Cargo (Rust build system)
7514 This variable is exported by @code{(guix build-system cargo)}. It
7515 supports builds of packages using Cargo, the build tool of the
7516 @uref{https://www.rust-lang.org, Rust programming language}.
7518 It adds @code{rustc} and @code{cargo} to the set of inputs.
7519 A different Rust package can be specified with the @code{#:rust} parameter.
7521 Regular cargo dependencies should be added to the package definition similarly
7522 to other packages; those needed only at build time to native-inputs, others to
7523 inputs. If you need to add source-only crates then you should add them to via
7524 the @code{#:cargo-inputs} parameter as a list of name and spec pairs, where the
7525 spec can be a package or a source definition. Note that the spec must
7526 evaluate to a path to a gzipped tarball which includes a @code{Cargo.toml}
7527 file at its root, or it will be ignored. Similarly, cargo dev-dependencies
7528 should be added to the package definition via the
7529 @code{#:cargo-development-inputs} parameter.
7531 In its @code{configure} phase, this build system will make any source inputs
7532 specified in the @code{#:cargo-inputs} and @code{#:cargo-development-inputs}
7533 parameters available to cargo. It will also remove an included
7534 @code{Cargo.lock} file to be recreated by @code{cargo} during the
7535 @code{build} phase. The @code{package} phase will run @code{cargo package}
7536 to create a source crate for future use. The @code{install} phase installs
7537 the binaries defined by the crate. Unless @code{install-source? #f} is
7538 defined it will also install a source crate repository of itself and unpacked
7539 sources, to ease in future hacking on rust packages.
7542 @defvr {Scheme Variable} chicken-build-system
7543 This variable is exported by @code{(guix build-system chicken)}. It
7544 builds @uref{https://call-cc.org/, CHICKEN Scheme} modules, also called
7545 ``eggs'' or ``extensions''. CHICKEN generates C source code, which then
7546 gets compiled by a C compiler, in this case GCC.
7548 This build system adds @code{chicken} to the package inputs, as well as
7549 the packages of @code{gnu-build-system}.
7551 The build system can't (yet) deduce the egg's name automatically, so just like
7552 with @code{go-build-system} and its @code{#:import-path}, you should define
7553 @code{#:egg-name} in the package's @code{arguments} field.
7555 For example, if you are packaging the @code{srfi-1} egg:
7558 (arguments '(#:egg-name "srfi-1"))
7561 Egg dependencies must be defined in @code{propagated-inputs}, not @code{inputs}
7562 because CHICKEN doesn't embed absolute references in compiled eggs.
7563 Test dependencies should go to @code{native-inputs}, as usual.
7566 @defvr {Scheme Variable} copy-build-system
7567 This variable is exported by @code{(guix build-system copy)}. It
7568 supports builds of simple packages that don't require much compiling,
7569 mostly just moving files around.
7571 It adds much of the @code{gnu-build-system} packages to the set of
7572 inputs. Because of this, the @code{copy-build-system} does not require
7573 all the boilerplate code often needed for the
7574 @code{trivial-build-system}.
7576 To further simplify the file installation process, an
7577 @code{#:install-plan} argument is exposed to let the packager specify
7578 which files go where. The install plan is a list of @code{(@var{source}
7579 @var{target} [@var{filters}])}. @var{filters} are optional.
7582 @item When @var{source} matches a file or directory without trailing slash, install it to @var{target}.
7584 @item If @var{target} has a trailing slash, install @var{source} basename beneath @var{target}.
7585 @item Otherwise install @var{source} as @var{target}.
7588 @item When @var{source} is a directory with a trailing slash, or when @var{filters} are used,
7589 the trailing slash of @var{target} is implied with the same meaning
7592 @item Without @var{filters}, install the full @var{source} @emph{content} to @var{target}.
7593 @item With @var{filters} among @code{#:include}, @code{#:include-regexp}, @code{#:exclude},
7594 @code{#:exclude-regexp}, only select files are installed depending on
7595 the filters. Each filters is specified by a list of strings.
7597 @item With @code{#:include}, install all the files which the path suffix matches
7598 at least one of the elements in the given list.
7599 @item With @code{#:include-regexp}, install all the files which the
7600 subpaths match at least one of the regular expressions in the given
7602 @item The @code{#:exclude} and @code{#:exclude-regexp} filters
7603 are the complement of their inclusion counterpart. Without @code{#:include} flags,
7604 install all files but those matching the exclusion filters.
7605 If both inclusions and exclusions are specified, the exclusions are done
7606 on top of the inclusions.
7609 In all cases, the paths relative to @var{source} are preserved within
7616 @item @code{("foo/bar" "share/my-app/")}: Install @file{bar} to @file{share/my-app/bar}.
7617 @item @code{("foo/bar" "share/my-app/baz")}: Install @file{bar} to @file{share/my-app/baz}.
7618 @item @code{("foo/" "share/my-app")}: Install the content of @file{foo} inside @file{share/my-app},
7619 e.g., install @file{foo/sub/file} to @file{share/my-app/sub/file}.
7620 @item @code{("foo/" "share/my-app" #:include ("sub/file"))}: Install only @file{foo/sub/file} to
7621 @file{share/my-app/sub/file}.
7622 @item @code{("foo/sub" "share/my-app" #:include ("file"))}: Install @file{foo/sub/file} to
7623 @file{share/my-app/file}.
7628 @cindex Clojure (programming language)
7629 @cindex simple Clojure build system
7630 @defvr {Scheme Variable} clojure-build-system
7631 This variable is exported by @code{(guix build-system clojure)}. It implements
7632 a simple build procedure for @uref{https://clojure.org/, Clojure} packages
7633 using plain old @code{compile} in Clojure. Cross-compilation is not supported
7636 It adds @code{clojure}, @code{icedtea} and @code{zip} to the set of inputs.
7637 Different packages can be specified with the @code{#:clojure}, @code{#:jdk} and
7638 @code{#:zip} parameters, respectively.
7640 A list of source directories, test directories and jar names can be specified
7641 with the @code{#:source-dirs}, @code{#:test-dirs} and @code{#:jar-names}
7642 parameters, respectively. Compile directory and main class can be specified
7643 with the @code{#:compile-dir} and @code{#:main-class} parameters, respectively.
7644 Other parameters are documented below.
7646 This build system is an extension of @code{ant-build-system}, but with the
7647 following phases changed:
7652 This phase calls @code{compile} in Clojure to compile source files and runs
7653 @command{jar} to create jars from both source files and compiled files
7654 according to the include list and exclude list specified in
7655 @code{#:aot-include} and @code{#:aot-exclude}, respectively. The exclude list
7656 has priority over the include list. These lists consist of symbols
7657 representing Clojure libraries or the special keyword @code{#:all} representing
7658 all Clojure libraries found under the source directories. The parameter
7659 @code{#:omit-source?} decides if source should be included into the jars.
7662 This phase runs tests according to the include list and exclude list specified
7663 in @code{#:test-include} and @code{#:test-exclude}, respectively. Their
7664 meanings are analogous to that of @code{#:aot-include} and
7665 @code{#:aot-exclude}, except that the special keyword @code{#:all} now
7666 stands for all Clojure libraries found under the test directories. The
7667 parameter @code{#:tests?} decides if tests should be run.
7670 This phase installs all jars built previously.
7673 Apart from the above, this build system also contains an additional phase:
7678 This phase installs all top-level files with base name matching
7679 @code{%doc-regex}. A different regex can be specified with the
7680 @code{#:doc-regex} parameter. All files (recursively) inside the documentation
7681 directories specified in @code{#:doc-dirs} are installed as well.
7685 @defvr {Scheme Variable} cmake-build-system
7686 This variable is exported by @code{(guix build-system cmake)}. It
7687 implements the build procedure for packages using the
7688 @url{https://www.cmake.org, CMake build tool}.
7690 It automatically adds the @code{cmake} package to the set of inputs.
7691 Which package is used can be specified with the @code{#:cmake}
7694 The @code{#:configure-flags} parameter is taken as a list of flags
7695 passed to the @command{cmake} command. The @code{#:build-type}
7696 parameter specifies in abstract terms the flags passed to the compiler;
7697 it defaults to @code{"RelWithDebInfo"} (short for ``release mode with
7698 debugging information''), which roughly means that code is compiled with
7699 @code{-O2 -g}, as is the case for Autoconf-based packages by default.
7702 @defvr {Scheme Variable} dune-build-system
7703 This variable is exported by @code{(guix build-system dune)}. It
7704 supports builds of packages using @uref{https://dune.build/, Dune}, a build
7705 tool for the OCaml programming language. It is implemented as an extension
7706 of the @code{ocaml-build-system} which is described below. As such, the
7707 @code{#:ocaml} and @code{#:findlib} parameters can be passed to this build
7710 It automatically adds the @code{dune} package to the set of inputs.
7711 Which package is used can be specified with the @code{#:dune}
7714 There is no @code{configure} phase because dune packages typically don't
7715 need to be configured. The @code{#:build-flags} parameter is taken as a
7716 list of flags passed to the @code{dune} command during the build.
7718 The @code{#:jbuild?} parameter can be passed to use the @code{jbuild}
7719 command instead of the more recent @code{dune} command while building
7720 a package. Its default value is @code{#f}.
7722 The @code{#:package} parameter can be passed to specify a package name, which
7723 is useful when a package contains multiple packages and you want to build
7724 only one of them. This is equivalent to passing the @code{-p} argument to
7728 @defvr {Scheme Variable} go-build-system
7729 This variable is exported by @code{(guix build-system go)}. It
7730 implements a build procedure for Go packages using the standard
7731 @url{https://golang.org/cmd/go/#hdr-Compile_packages_and_dependencies,
7732 Go build mechanisms}.
7734 The user is expected to provide a value for the key @code{#:import-path}
7735 and, in some cases, @code{#:unpack-path}. The
7736 @url{https://golang.org/doc/code.html#ImportPaths, import path}
7737 corresponds to the file system path expected by the package's build
7738 scripts and any referring packages, and provides a unique way to
7739 refer to a Go package. It is typically based on a combination of the
7740 package source code's remote URI and file system hierarchy structure. In
7741 some cases, you will need to unpack the package's source code to a
7742 different directory structure than the one indicated by the import path,
7743 and @code{#:unpack-path} should be used in such cases.
7745 Packages that provide Go libraries should install their source code into
7746 the built output. The key @code{#:install-source?}, which defaults to
7747 @code{#t}, controls whether or not the source code is installed. It can
7748 be set to @code{#f} for packages that only provide executable files.
7751 @defvr {Scheme Variable} glib-or-gtk-build-system
7752 This variable is exported by @code{(guix build-system glib-or-gtk)}. It
7753 is intended for use with packages making use of GLib or GTK+.
7755 This build system adds the following two phases to the ones defined by
7756 @code{gnu-build-system}:
7759 @item glib-or-gtk-wrap
7760 The phase @code{glib-or-gtk-wrap} ensures that programs in
7761 @file{bin/} are able to find GLib ``schemas'' and
7762 @uref{https://developer.gnome.org/gtk3/stable/gtk-running.html, GTK+
7763 modules}. This is achieved by wrapping the programs in launch scripts
7764 that appropriately set the @env{XDG_DATA_DIRS} and @env{GTK_PATH}
7765 environment variables.
7767 It is possible to exclude specific package outputs from that wrapping
7768 process by listing their names in the
7769 @code{#:glib-or-gtk-wrap-excluded-outputs} parameter. This is useful
7770 when an output is known not to contain any GLib or GTK+ binaries, and
7771 where wrapping would gratuitously add a dependency of that output on
7774 @item glib-or-gtk-compile-schemas
7775 The phase @code{glib-or-gtk-compile-schemas} makes sure that all
7776 @uref{https://developer.gnome.org/gio/stable/glib-compile-schemas.html,
7777 GSettings schemas} of GLib are compiled. Compilation is performed by the
7778 @command{glib-compile-schemas} program. It is provided by the package
7779 @code{glib:bin} which is automatically imported by the build system.
7780 The @code{glib} package providing @command{glib-compile-schemas} can be
7781 specified with the @code{#:glib} parameter.
7784 Both phases are executed after the @code{install} phase.
7787 @defvr {Scheme Variable} guile-build-system
7788 This build system is for Guile packages that consist exclusively of Scheme
7789 code and that are so lean that they don't even have a makefile, let alone a
7790 @file{configure} script. It compiles Scheme code using @command{guild
7791 compile} (@pxref{Compilation,,, guile, GNU Guile Reference Manual}) and
7792 installs the @file{.scm} and @file{.go} files in the right place. It also
7793 installs documentation.
7795 This build system supports cross-compilation by using the
7796 @option{--target} option of @samp{guild compile}.
7798 Packages built with @code{guile-build-system} must provide a Guile package in
7799 their @code{native-inputs} field.
7802 @defvr {Scheme Variable} julia-build-system
7803 This variable is exported by @code{(guix build-system julia)}. It
7804 implements the build procedure used by @uref{https://julialang.org/,
7805 julia} packages, which essentially is similar to running @samp{julia -e
7806 'using Pkg; Pkg.add(package)'} in an environment where
7807 @env{JULIA_LOAD_PATH} contains the paths to all Julia package inputs.
7808 Tests are run by calling @code{/test/runtests.jl}.
7810 The Julia package name is read from the file @file{Project.toml}. This
7811 value can be overridden by passing the argument @code{#:julia-package-name}
7812 (which must be correctly capitalized).
7814 Julia packages usually manage their binary dependencies via
7815 @code{JLLWrappers.jl}, a Julia package that creates a module (named
7816 after the wrapped library followed by @code{_jll.jl}.
7818 To add the binary path @code{_jll.jl} packages, you need to patch the
7819 files under @file{src/wrappers/}, replacing the call to the macro
7820 @code{JLLWrappers.@@generate_wrapper_header}, adding as a second
7821 argument containing the store path the binary.
7823 As an example, in the MbedTLS Julia package, we add a build phase
7824 (@pxref{Build Phases}) to insert the absolute file name of the wrapped
7828 (add-after 'unpack 'override-binary-path
7829 (lambda* (#:key inputs #:allow-other-keys)
7830 (for-each (lambda (wrapper)
7831 (substitute* wrapper
7832 (("generate_wrapper_header.*")
7834 "generate_wrapper_header(\"MbedTLS\", \""
7835 (assoc-ref inputs "mbedtls-apache") "\")\n"))))
7836 ;; There's a Julia file for each platform, override them all.
7837 (find-files "src/wrappers/" "\\.jl$"))))
7840 Some older packages that aren't using @file{Package.toml} yet, will require
7841 this file to be created, too. The function @code{julia-create-package-toml}
7842 helps creating the file. You need to pass the outputs and the source of the
7843 package, its name (the same as the @code{file-name} parameter), the package
7844 uuid, the package version, and a list of dependencies specified by their name
7848 @defvr {Scheme Variable} maven-build-system
7849 This variable is exported by @code{(guix build-system maven)}. It implements
7850 a build procedure for @uref{https://maven.apache.org, Maven} packages. Maven
7851 is a dependency and lifecycle management tool for Java. A user of Maven
7852 specifies dependencies and plugins in a @file{pom.xml} file that Maven reads.
7853 When Maven does not have one of the dependencies or plugins in its repository,
7854 it will download them and use them to build the package.
7856 The maven build system ensures that maven will not try to download any
7857 dependency by running in offline mode. Maven will fail if a dependency is
7858 missing. Before running Maven, the @file{pom.xml} (and subprojects) are
7859 modified to specify the version of dependencies and plugins that match the
7860 versions available in the guix build environment. Dependencies and plugins
7861 must be installed in the fake maven repository at @file{lib/m2}, and are
7862 symlinked into a proper repository before maven is run. Maven is instructed
7863 to use that repository for the build and installs built artifacts there.
7864 Changed files are copied to the @file{lib/m2} directory of the package output.
7866 You can specify a @file{pom.xml} file with the @code{#:pom-file} argument,
7867 or let the build system use the default @file{pom.xml} file in the sources.
7869 In case you need to specify a dependency's version manually, you can use the
7870 @code{#:local-packages} argument. It takes an association list where the key
7871 is the groupId of the package and its value is an association list where the
7872 key is the artifactId of the package and its value is the version you want to
7873 override in the @file{pom.xml}.
7875 Some packages use dependencies or plugins that are not useful at runtime nor
7876 at build time in Guix. You can alter the @file{pom.xml} file to remove them
7877 using the @code{#:exclude} argument. Its value is an association list where
7878 the key is the groupId of the plugin or dependency you want to remove, and
7879 the value is a list of artifactId you want to remove.
7881 You can override the default @code{jdk} and @code{maven} packages with the
7882 corresponding argument, @code{#:jdk} and @code{#:maven}.
7884 The @code{#:maven-plugins} argument is a list of maven plugins used during
7885 the build, with the same format as the @code{inputs} fields of the package
7886 declaration. Its default value is @code{(default-maven-plugins)} which is
7890 @defvr {Scheme Variable} minify-build-system
7891 This variable is exported by @code{(guix build-system minify)}. It
7892 implements a minification procedure for simple JavaScript packages.
7894 It adds @code{uglify-js} to the set of inputs and uses it to compress
7895 all JavaScript files in the @file{src} directory. A different minifier
7896 package can be specified with the @code{#:uglify-js} parameter, but it
7897 is expected that the package writes the minified code to the standard
7900 When the input JavaScript files are not all located in the @file{src}
7901 directory, the parameter @code{#:javascript-files} can be used to
7902 specify a list of file names to feed to the minifier.
7905 @defvr {Scheme Variable} ocaml-build-system
7906 This variable is exported by @code{(guix build-system ocaml)}. It implements
7907 a build procedure for @uref{https://ocaml.org, OCaml} packages, which consists
7908 of choosing the correct set of commands to run for each package. OCaml
7909 packages can expect many different commands to be run. This build system will
7912 When the package has a @file{setup.ml} file present at the top-level, it will
7913 run @code{ocaml setup.ml -configure}, @code{ocaml setup.ml -build} and
7914 @code{ocaml setup.ml -install}. The build system will assume that this file
7915 was generated by @uref{http://oasis.forge.ocamlcore.org/, OASIS} and will take
7916 care of setting the prefix and enabling tests if they are not disabled. You
7917 can pass configure and build flags with the @code{#:configure-flags} and
7918 @code{#:build-flags}. The @code{#:test-flags} key can be passed to change the
7919 set of flags used to enable tests. The @code{#:use-make?} key can be used to
7920 bypass this system in the build and install phases.
7922 When the package has a @file{configure} file, it is assumed that it is a
7923 hand-made configure script that requires a different argument format than
7924 in the @code{gnu-build-system}. You can add more flags with the
7925 @code{#:configure-flags} key.
7927 When the package has a @file{Makefile} file (or @code{#:use-make?} is
7928 @code{#t}), it will be used and more flags can be passed to the build and
7929 install phases with the @code{#:make-flags} key.
7931 Finally, some packages do not have these files and use a somewhat standard
7932 location for its build system. In that case, the build system will run
7933 @code{ocaml pkg/pkg.ml} or @code{ocaml pkg/build.ml} and take care of
7934 providing the path to the required findlib module. Additional flags can
7935 be passed via the @code{#:build-flags} key. Install is taken care of by
7936 @command{opam-installer}. In this case, the @code{opam} package must
7937 be added to the @code{native-inputs} field of the package definition.
7939 Note that most OCaml packages assume they will be installed in the same
7940 directory as OCaml, which is not what we want in guix. In particular, they
7941 will install @file{.so} files in their module's directory, which is usually
7942 fine because it is in the OCaml compiler directory. In guix though, these
7943 libraries cannot be found and we use @env{CAML_LD_LIBRARY_PATH}. This
7944 variable points to @file{lib/ocaml/site-lib/stubslibs} and this is where
7945 @file{.so} libraries should be installed.
7948 @defvr {Scheme Variable} python-build-system
7949 This variable is exported by @code{(guix build-system python)}. It
7950 implements the more or less standard build procedure used by Python
7951 packages, which consists in running @code{python setup.py build} and
7952 then @code{python setup.py install --prefix=/gnu/store/@dots{}}.
7954 For packages that install stand-alone Python programs under @code{bin/},
7955 it takes care of wrapping these programs so that their @env{PYTHONPATH}
7956 environment variable points to all the Python libraries they depend on.
7958 Which Python package is used to perform the build can be specified with
7959 the @code{#:python} parameter. This is a useful way to force a package
7960 to be built for a specific version of the Python interpreter, which
7961 might be necessary if the package is only compatible with a single
7962 interpreter version.
7964 By default guix calls @code{setup.py} under control of
7965 @code{setuptools}, much like @command{pip} does. Some packages are not
7966 compatible with setuptools (and pip), thus you can disable this by
7967 setting the @code{#:use-setuptools?} parameter to @code{#f}.
7970 @defvr {Scheme Variable} perl-build-system
7971 This variable is exported by @code{(guix build-system perl)}. It
7972 implements the standard build procedure for Perl packages, which either
7973 consists in running @code{perl Build.PL --prefix=/gnu/store/@dots{}},
7974 followed by @code{Build} and @code{Build install}; or in running
7975 @code{perl Makefile.PL PREFIX=/gnu/store/@dots{}}, followed by
7976 @code{make} and @code{make install}, depending on which of
7977 @code{Build.PL} or @code{Makefile.PL} is present in the package
7978 distribution. Preference is given to the former if both @code{Build.PL}
7979 and @code{Makefile.PL} exist in the package distribution. This
7980 preference can be reversed by specifying @code{#t} for the
7981 @code{#:make-maker?} parameter.
7983 The initial @code{perl Makefile.PL} or @code{perl Build.PL} invocation
7984 passes flags specified by the @code{#:make-maker-flags} or
7985 @code{#:module-build-flags} parameter, respectively.
7987 Which Perl package is used can be specified with @code{#:perl}.
7990 @defvr {Scheme Variable} renpy-build-system
7991 This variable is exported by @code{(guix build-system renpy)}. It implements
7992 the more or less standard build procedure used by Ren'py games, which consists
7993 of loading @code{#:game} once, thereby creating bytecode for it.
7995 It further creates a wrapper script in @code{bin/} and a desktop entry in
7996 @code{share/applications}, both of which can be used to launch the game.
7998 Which Ren'py package is used can be specified with @code{#:renpy}.
7999 Games can also be installed in outputs other than ``out'' by using
8003 @defvr {Scheme Variable} qt-build-system
8004 This variable is exported by @code{(guix build-system qt)}. It
8005 is intended for use with applications using Qt or KDE.
8007 This build system adds the following two phases to the ones defined by
8008 @code{cmake-build-system}:
8012 The phase @code{check-setup} prepares the environment for running
8013 the checks as commonly used by Qt test programs.
8014 For now this only sets some environment variables:
8015 @code{QT_QPA_PLATFORM=offscreen},
8016 @code{DBUS_FATAL_WARNINGS=0} and
8017 @code{CTEST_OUTPUT_ON_FAILURE=1}.
8019 This phase is added before the @code{check} phase.
8020 It's a separate phase to ease adjusting if necessary.
8023 The phase @code{qt-wrap}
8024 searches for Qt5 plugin paths, QML paths and some XDG in the inputs
8025 and output. In case some path is found, all programs in the output's
8026 @file{bin/}, @file{sbin/}, @file{libexec/} and @file{lib/libexec/} directories
8027 are wrapped in scripts defining the necessary environment variables.
8029 It is possible to exclude specific package outputs from that wrapping process
8030 by listing their names in the @code{#:qt-wrap-excluded-outputs} parameter.
8031 This is useful when an output is known not to contain any Qt binaries, and
8032 where wrapping would gratuitously add a dependency of that output on Qt, KDE,
8035 This phase is added after the @code{install} phase.
8039 @defvr {Scheme Variable} r-build-system
8040 This variable is exported by @code{(guix build-system r)}. It
8041 implements the build procedure used by @uref{https://r-project.org, R}
8042 packages, which essentially is little more than running @samp{R CMD
8043 INSTALL --library=/gnu/store/@dots{}} in an environment where
8044 @env{R_LIBS_SITE} contains the paths to all R package inputs. Tests are
8045 run after installation using the R function
8046 @code{tools::testInstalledPackage}.
8049 @defvr {Scheme Variable} rakudo-build-system
8050 This variable is exported by @code{(guix build-system rakudo)}. It
8051 implements the build procedure used by @uref{https://rakudo.org/,
8052 Rakudo} for @uref{https://perl6.org/, Perl6} packages. It installs the
8053 package to @code{/gnu/store/@dots{}/NAME-VERSION/share/perl6} and
8054 installs the binaries, library files and the resources, as well as wrap
8055 the files under the @code{bin/} directory. Tests can be skipped by
8056 passing @code{#f} to the @code{tests?} parameter.
8058 Which rakudo package is used can be specified with @code{rakudo}.
8059 Which perl6-tap-harness package used for the tests can be specified with
8060 @code{#:prove6} or removed by passing @code{#f} to the
8061 @code{with-prove6?} parameter.
8062 Which perl6-zef package used for tests and installing can be specified
8063 with @code{#:zef} or removed by passing @code{#f} to the
8064 @code{with-zef?} parameter.
8067 @defvr {Scheme Variable} texlive-build-system
8068 This variable is exported by @code{(guix build-system texlive)}. It is
8069 used to build TeX packages in batch mode with a specified engine. The
8070 build system sets the @env{TEXINPUTS} variable to find all TeX source
8071 files in the inputs.
8073 By default it runs @code{luatex} on all files ending on @code{ins}. A
8074 different engine and format can be specified with the
8075 @code{#:tex-format} argument. Different build targets can be specified
8076 with the @code{#:build-targets} argument, which expects a list of file
8077 names. The build system adds only @code{texlive-bin} and
8078 @code{texlive-latex-base} (both from @code{(gnu packages tex}) to the
8079 inputs. Both can be overridden with the arguments @code{#:texlive-bin}
8080 and @code{#:texlive-latex-base}, respectively.
8082 The @code{#:tex-directory} parameter tells the build system where to
8083 install the built files under the texmf tree.
8086 @defvr {Scheme Variable} ruby-build-system
8087 This variable is exported by @code{(guix build-system ruby)}. It
8088 implements the RubyGems build procedure used by Ruby packages, which
8089 involves running @code{gem build} followed by @code{gem install}.
8091 The @code{source} field of a package that uses this build system
8092 typically references a gem archive, since this is the format that Ruby
8093 developers use when releasing their software. The build system unpacks
8094 the gem archive, potentially patches the source, runs the test suite,
8095 repackages the gem, and installs it. Additionally, directories and
8096 tarballs may be referenced to allow building unreleased gems from Git or
8097 a traditional source release tarball.
8099 Which Ruby package is used can be specified with the @code{#:ruby}
8100 parameter. A list of additional flags to be passed to the @command{gem}
8101 command can be specified with the @code{#:gem-flags} parameter.
8104 @defvr {Scheme Variable} waf-build-system
8105 This variable is exported by @code{(guix build-system waf)}. It
8106 implements a build procedure around the @code{waf} script. The common
8107 phases---@code{configure}, @code{build}, and @code{install}---are
8108 implemented by passing their names as arguments to the @code{waf}
8111 The @code{waf} script is executed by the Python interpreter. Which
8112 Python package is used to run the script can be specified with the
8113 @code{#:python} parameter.
8116 @defvr {Scheme Variable} scons-build-system
8117 This variable is exported by @code{(guix build-system scons)}. It
8118 implements the build procedure used by the SCons software construction
8119 tool. This build system runs @code{scons} to build the package,
8120 @code{scons test} to run tests, and then @code{scons install} to install
8123 Additional flags to be passed to @code{scons} can be specified with the
8124 @code{#:scons-flags} parameter. The default build and install targets
8125 can be overridden with @code{#:build-targets} and
8126 @code{#:install-targets} respectively. The version of Python used to
8127 run SCons can be specified by selecting the appropriate SCons package
8128 with the @code{#:scons} parameter.
8131 @defvr {Scheme Variable} haskell-build-system
8132 This variable is exported by @code{(guix build-system haskell)}. It
8133 implements the Cabal build procedure used by Haskell packages, which
8134 involves running @code{runhaskell Setup.hs configure
8135 --prefix=/gnu/store/@dots{}} and @code{runhaskell Setup.hs build}.
8136 Instead of installing the package by running @code{runhaskell Setup.hs
8137 install}, to avoid trying to register libraries in the read-only
8138 compiler store directory, the build system uses @code{runhaskell
8139 Setup.hs copy}, followed by @code{runhaskell Setup.hs register}. In
8140 addition, the build system generates the package documentation by
8141 running @code{runhaskell Setup.hs haddock}, unless @code{#:haddock? #f}
8142 is passed. Optional Haddock parameters can be passed with the help of
8143 the @code{#:haddock-flags} parameter. If the file @code{Setup.hs} is
8144 not found, the build system looks for @code{Setup.lhs} instead.
8146 Which Haskell compiler is used can be specified with the @code{#:haskell}
8147 parameter which defaults to @code{ghc}.
8150 @defvr {Scheme Variable} dub-build-system
8151 This variable is exported by @code{(guix build-system dub)}. It
8152 implements the Dub build procedure used by D packages, which
8153 involves running @code{dub build} and @code{dub run}.
8154 Installation is done by copying the files manually.
8156 Which D compiler is used can be specified with the @code{#:ldc}
8157 parameter which defaults to @code{ldc}.
8160 @anchor{emacs-build-system}
8161 @defvr {Scheme Variable} emacs-build-system
8162 This variable is exported by @code{(guix build-system emacs)}. It
8163 implements an installation procedure similar to the packaging system
8164 of Emacs itself (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
8166 It first creates the @code{@code{package}-autoloads.el} file, then it
8167 byte compiles all Emacs Lisp files. Differently from the Emacs
8168 packaging system, the Info documentation files are moved to the standard
8169 documentation directory and the @file{dir} file is deleted. The Elisp
8170 package files are installed directly under @file{share/emacs/site-lisp}.
8173 @defvr {Scheme Variable} font-build-system
8174 This variable is exported by @code{(guix build-system font)}. It
8175 implements an installation procedure for font packages where upstream
8176 provides pre-compiled TrueType, OpenType, etc.@: font files that merely
8177 need to be copied into place. It copies font files to standard
8178 locations in the output directory.
8181 @defvr {Scheme Variable} meson-build-system
8182 This variable is exported by @code{(guix build-system meson)}. It
8183 implements the build procedure for packages that use
8184 @url{https://mesonbuild.com, Meson} as their build system.
8186 It adds both Meson and @uref{https://ninja-build.org/, Ninja} to the set
8187 of inputs, and they can be changed with the parameters @code{#:meson}
8188 and @code{#:ninja} if needed. The default Meson is
8189 @code{meson-for-build}, which is special because it doesn't clear the
8190 @code{RUNPATH} of binaries and libraries when they are installed.
8192 This build system is an extension of @code{gnu-build-system}, but with the
8193 following phases changed to some specific for Meson:
8198 The phase runs @code{meson} with the flags specified in
8199 @code{#:configure-flags}. The flag @option{--buildtype} is always set to
8200 @code{debugoptimized} unless something else is specified in
8201 @code{#:build-type}.
8204 The phase runs @code{ninja} to build the package in parallel by default, but
8205 this can be changed with @code{#:parallel-build?}.
8208 The phase runs @code{ninja} with the target specified in @code{#:test-target},
8209 which is @code{"test"} by default.
8212 The phase runs @code{ninja install} and can not be changed.
8215 Apart from that, the build system also adds the following phases:
8220 This phase ensures that all binaries can find the libraries they need.
8221 It searches for required libraries in subdirectories of the package being
8222 built, and adds those to @code{RUNPATH} where needed. It also removes
8223 references to libraries left over from the build phase by
8224 @code{meson-for-build}, such as test dependencies, that aren't actually
8225 required for the program to run.
8227 @item glib-or-gtk-wrap
8228 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
8229 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
8231 @item glib-or-gtk-compile-schemas
8232 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
8233 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
8237 @defvr {Scheme Variable} linux-module-build-system
8238 @code{linux-module-build-system} allows building Linux kernel modules.
8240 @cindex build phases
8241 This build system is an extension of @code{gnu-build-system}, but with the
8242 following phases changed:
8247 This phase configures the environment so that the Linux kernel's Makefile
8248 can be used to build the external kernel module.
8251 This phase uses the Linux kernel's Makefile in order to build the external
8255 This phase uses the Linux kernel's Makefile in order to install the external
8259 It is possible and useful to specify the Linux kernel to use for building
8260 the module (in the @code{arguments} form of a package using the
8261 @code{linux-module-build-system}, use the key @code{#:linux} to specify it).
8264 @defvr {Scheme Variable} node-build-system
8265 This variable is exported by @code{(guix build-system node)}. It
8266 implements the build procedure used by @uref{https://nodejs.org,
8267 Node.js}, which implements an approximation of the @code{npm install}
8268 command, followed by an @code{npm test} command.
8270 Which Node.js package is used to interpret the @code{npm} commands can
8271 be specified with the @code{#:node} parameter which defaults to
8275 Lastly, for packages that do not need anything as sophisticated, a
8276 ``trivial'' build system is provided. It is trivial in the sense that
8277 it provides basically no support: it does not pull any implicit inputs,
8278 and does not have a notion of build phases.
8280 @defvr {Scheme Variable} trivial-build-system
8281 This variable is exported by @code{(guix build-system trivial)}.
8283 This build system requires a @code{#:builder} argument. This argument
8284 must be a Scheme expression that builds the package output(s)---as
8285 with @code{build-expression->derivation} (@pxref{Derivations,
8286 @code{build-expression->derivation}}).
8290 @section Build Phases
8292 @cindex build phases, for packages
8293 Almost all package build systems implement a notion @dfn{build phases}:
8294 a sequence of actions that the build system executes, when you build the
8295 package, leading to the installed byproducts in the store. A notable
8296 exception is the ``bare-bones'' @code{trivial-build-system}
8297 (@pxref{Build Systems}).
8299 As discussed in the previous section, those build systems provide a
8300 standard list of phases. For @code{gnu-build-system}, the main build
8301 phases are the following:
8305 Unpack the source tarball, and change the current directory to the
8306 extracted source tree. If the source is actually a directory, copy it
8307 to the build tree, and enter that directory.
8309 @item patch-source-shebangs
8310 Patch shebangs encountered in source files so they refer to the right
8311 store file names. For instance, this changes @code{#!/bin/sh} to
8312 @code{#!/gnu/store/@dots{}-bash-4.3/bin/sh}.
8315 Run the @file{configure} script with a number of default options, such
8316 as @option{--prefix=/gnu/store/@dots{}}, as well as the options specified
8317 by the @code{#:configure-flags} argument.
8320 Run @code{make} with the list of flags specified with
8321 @code{#:make-flags}. If the @code{#:parallel-build?} argument is true
8322 (the default), build with @code{make -j}.
8325 Run @code{make check}, or some other target specified with
8326 @code{#:test-target}, unless @code{#:tests? #f} is passed. If the
8327 @code{#:parallel-tests?} argument is true (the default), run @code{make
8331 Run @code{make install} with the flags listed in @code{#:make-flags}.
8333 @item patch-shebangs
8334 Patch shebangs on the installed executable files.
8337 Strip debugging symbols from ELF files (unless @code{#:strip-binaries?}
8338 is false), copying them to the @code{debug} output when available
8339 (@pxref{Installing Debugging Files}).
8342 Other build systems have similar phases, with some variations. For
8343 example, @code{cmake-build-system} has same-named phases but its
8344 @code{configure} phases runs @code{cmake} instead of @code{./configure}.
8345 Others, such as @code{python-build-system}, have a wholly different list
8346 of standard phases. All this code runs on the @dfn{build side}: it is
8347 evaluated when you actually build the package, in a dedicated build
8348 process spawned by the build daemon (@pxref{Invoking guix-daemon}).
8350 Build phases are represented as association lists or ``alists''
8351 (@pxref{Association Lists,,, guile, GNU Guile Reference Manual}) where
8352 each key is a symbol for the name of the phase and the associated value
8353 is a procedure that accepts an arbitrary number of arguments. By
8354 convention, those procedures receive information about the build in the
8355 form of @dfn{keyword parameters}, which they can use or ignore.
8357 @vindex %standard-phases
8358 For example, here is how @code{(guix build gnu-build-system)} defines
8359 @code{%standard-phases}, the variable holding its alist of build
8360 phases@footnote{We present a simplified view of those build phases, but
8361 do take a look at @code{(guix build gnu-build-system)} to see all the
8365 ;; The build phases of 'gnu-build-system'.
8367 (define* (unpack #:key source #:allow-other-keys)
8368 ;; Extract the source tarball.
8369 (invoke "tar" "xvf" source))
8371 (define* (configure #:key outputs #:allow-other-keys)
8372 ;; Run the 'configure' script. Install to output "out".
8373 (let ((out (assoc-ref outputs "out")))
8374 (invoke "./configure"
8375 (string-append "--prefix=" out))))
8377 (define* (build #:allow-other-keys)
8381 (define* (check #:key (test-target "check") (tests? #true)
8383 ;; Run the test suite.
8385 (invoke "make" test-target)
8386 (display "test suite not run\n")))
8388 (define* (install #:allow-other-keys)
8389 ;; Install files to the prefix 'configure' specified.
8390 (invoke "make" "install"))
8392 (define %standard-phases
8393 ;; The list of standard phases (quite a few are omitted
8394 ;; for brevity). Each element is a symbol/procedure pair.
8395 (list (cons 'unpack unpack)
8396 (cons 'configure configure)
8399 (cons 'install install)))
8402 This shows how @code{%standard-phases} is defined as a list of
8403 symbol/procedure pairs (@pxref{Pairs,,, guile, GNU Guile Reference
8404 Manual}). The first pair associates the @code{unpack} procedure with
8405 the @code{unpack} symbol---a name; the second pair defines the
8406 @code{configure} phase similarly, and so on. When building a package
8407 that uses @code{gnu-build-system} with its default list of phases, those
8408 phases are executed sequentially. You can see the name of each phase
8409 started and completed in the build log of packages that you build.
8411 Let's now look at the procedures themselves. Each one is defined with
8412 @code{define*}: @code{#:key} lists keyword parameters the procedure
8413 accepts, possibly with a default value, and @code{#:allow-other-keys}
8414 specifies that other keyword parameters are ignored (@pxref{Optional
8415 Arguments,,, guile, GNU Guile Reference Manual}).
8417 The @code{unpack} procedure honors the @code{source} parameter, which
8418 the build system uses to pass the file name of the source tarball (or
8419 version control checkout), and it ignores other parameters. The
8420 @code{configure} phase only cares about the @code{outputs} parameter, an
8421 alist mapping package output names to their store file name
8422 (@pxref{Packages with Multiple Outputs}). It extracts the file name of
8423 for @code{out}, the default output, and passes it to
8424 @command{./configure} as the installation prefix, meaning that
8425 @command{make install} will eventually copy all the files in that
8426 directory (@pxref{Configuration, configuration and makefile
8427 conventions,, standards, GNU Coding Standards}). @code{build} and
8428 @code{install} ignore all their arguments. @code{check} honors the
8429 @code{test-target} argument, which specifies the name of the Makefile
8430 target to run tests; it prints a message and skips tests when
8431 @code{tests?} is false.
8433 @cindex build phases, customizing
8434 The list of phases used for a particular package can be changed with the
8435 @code{#:phases} parameter of the build system. Changing the set of
8436 build phases boils down to building a new alist of phases based on the
8437 @code{%standard-phases} alist described above. This can be done with
8438 standard alist procedures such as @code{alist-delete} (@pxref{SRFI-1
8439 Association Lists,,, guile, GNU Guile Reference Manual}); however, it is
8440 more convenient to do so with @code{modify-phases} (@pxref{Build
8441 Utilities, @code{modify-phases}}).
8443 Here is an example of a package definition that removes the
8444 @code{configure} phase of @code{%standard-phases} and inserts a new
8445 phase before the @code{build} phase, called
8446 @code{set-prefix-in-makefile}:
8449 (define-public example
8452 ;; other fields omitted
8453 (build-system gnu-build-system)
8455 '(#:phases (modify-phases %standard-phases
8457 (add-before 'build 'set-prefix-in-makefile
8458 (lambda* (#:key outputs #:allow-other-keys)
8459 ;; Modify the makefile so that its
8460 ;; 'PREFIX' variable points to "out".
8461 (let ((out (assoc-ref outputs "out")))
8462 (substitute* "Makefile"
8464 (string-append "PREFIX = "
8469 The new phase that is inserted is written as an anonymous procedure,
8470 introduced with @code{lambda*}; it honors the @code{outputs} parameter
8471 we have seen before. @xref{Build Utilities}, for more about the helpers
8472 used by this phase, and for more examples of @code{modify-phases}.
8474 @cindex code staging
8475 @cindex staging, of code
8476 Keep in mind that build phases are code evaluated at the time the
8477 package is actually built. This explains why the whole
8478 @code{modify-phases} expression above is quoted (it comes after the
8479 @code{'} or apostrophe): it is @dfn{staged} for later execution.
8480 @xref{G-Expressions}, for an explanation of code staging and the
8481 @dfn{code strata} involved.
8483 @node Build Utilities
8484 @section Build Utilities
8486 As soon as you start writing non-trivial package definitions
8487 (@pxref{Defining Packages}) or other build actions
8488 (@pxref{G-Expressions}), you will likely start looking for helpers for
8489 ``shell-like'' actions---creating directories, copying and deleting
8490 files recursively, manipulating build phases, and so on. The
8491 @code{(guix build utils)} module provides such utility procedures.
8493 Most build systems load @code{(guix build utils)} (@pxref{Build
8494 Systems}). Thus, when writing custom build phases for your package
8495 definitions, you can usually assume those procedures are in scope.
8497 When writing G-expressions, you can import @code{(guix build utils)} on
8498 the ``build side'' using @code{with-imported-modules} and then put it in
8499 scope with the @code{use-modules} form (@pxref{Using Guile Modules,,,
8500 guile, GNU Guile Reference Manual}):
8503 (with-imported-modules '((guix build utils)) ;import it
8504 (computed-file "empty-tree"
8507 (use-modules (guix build utils))
8509 ;; Happily use its 'mkdir-p' procedure.
8510 (mkdir-p (string-append #$output "/a/b/c")))))
8513 The remainder of this section is the reference for most of the utility
8514 procedures provided by @code{(guix build utils)}.
8516 @c TODO Document what's missing.
8518 @subsection Dealing with Store File Names
8520 This section documents procedures that deal with store file names.
8522 @deffn {Scheme Procedure} %store-directory
8523 Return the directory name of the store.
8526 @deffn {Scheme Procedure} store-file-name? @var{file}
8527 Return true if @var{file} is in the store.
8530 @deffn {Scheme Procedure} strip-store-file-name @var{file}
8531 Strip the @file{/gnu/store} and hash from @var{file}, a store file name.
8532 The result is typically a @code{"@var{package}-@var{version}"} string.
8535 @deffn {Scheme Procedure} package-name->name+version @var{name}
8536 Given @var{name}, a package name like @code{"foo-0.9.1b"}, return two
8537 values: @code{"foo"} and @code{"0.9.1b"}. When the version part is
8538 unavailable, @var{name} and @code{#f} are returned. The first hyphen
8539 followed by a digit is considered to introduce the version part.
8542 @subsection File Types
8544 The procedures below deal with files and file types.
8546 @deffn {Scheme Procedure} directory-exists? @var{dir}
8547 Return @code{#t} if @var{dir} exists and is a directory.
8550 @deffn {Scheme Procedure} executable-file? @var{file}
8551 Return @code{#t} if @var{file} exists and is executable.
8554 @deffn {Scheme Procedure} symbolic-link? @var{file}
8555 Return @code{#t} if @var{file} is a symbolic link (aka. a ``symlink'').
8558 @deffn {Scheme Procedure} elf-file? @var{file}
8559 @deffnx {Scheme Procedure} ar-file? @var{file}
8560 @deffnx {Scheme Procedure} gzip-file? @var{file}
8561 Return @code{#t} if @var{file} is, respectively, an ELF file, an
8562 @code{ar} archive (such as a @file{.a} static library), or a gzip file.
8565 @deffn {Scheme Procedure} reset-gzip-timestamp @var{file} [#:keep-mtime? #t]
8566 If @var{file} is a gzip file, reset its embedded timestamp (as with
8567 @command{gzip --no-name}) and return true. Otherwise return @code{#f}.
8568 When @var{keep-mtime?} is true, preserve @var{file}'s modification time.
8571 @subsection File Manipulation
8573 The following procedures and macros help create, modify, and delete
8574 files. They provide functionality comparable to common shell utilities
8575 such as @command{mkdir -p}, @command{cp -r}, @command{rm -r}, and
8576 @command{sed}. They complement Guile's extensive, but low-level, file
8577 system interface (@pxref{POSIX,,, guile, GNU Guile Reference Manual}).
8579 @deffn {Scheme Syntax} with-directory-excursion @var{directory} @var{body}@dots{}
8580 Run @var{body} with @var{directory} as the process's current directory.
8582 Essentially, this macro changes the current directory to @var{directory}
8583 before evaluating @var{body}, using @code{chdir} (@pxref{Processes,,,
8584 guile, GNU Guile Reference Manual}). It changes back to the initial
8585 directory when the dynamic extent of @var{body} is left, be it @i{via}
8586 normal procedure return or @i{via} a non-local exit such as an
8590 @deffn {Scheme Procedure} mkdir-p @var{dir}
8591 Create directory @var{dir} and all its ancestors.
8594 @deffn {Scheme Procedure} install-file @var{file} @var{directory}
8595 Create @var{directory} if it does not exist and copy @var{file} in there
8596 under the same name.
8599 @deffn {Scheme Procedure} make-file-writable @var{file}
8600 Make @var{file} writable for its owner.
8603 @deffn {Scheme Procedure} copy-recursively @var{source} @var{destination} @
8604 [#:log (current-output-port)] [#:follow-symlinks? #f] [#:keep-mtime? #f]
8605 Copy @var{source} directory to @var{destination}. Follow symlinks if
8606 @var{follow-symlinks?} is true; otherwise, just preserve them. When
8607 @var{keep-mtime?} is true, keep the modification time of the files in
8608 @var{source} on those of @var{destination}. Write verbose output to the
8612 @deffn {Scheme Procedure} delete-file-recursively @var{dir} @
8613 [#:follow-mounts? #f]
8614 Delete @var{dir} recursively, like @command{rm -rf}, without following
8615 symlinks. Don't follow mount points either, unless @var{follow-mounts?}
8616 is true. Report but ignore errors.
8619 @deffn {Scheme Syntax} substitute* @var{file} @
8620 ((@var{regexp} @var{match-var}@dots{}) @var{body}@dots{}) @dots{}
8621 Substitute @var{regexp} in @var{file} by the string returned by
8622 @var{body}. @var{body} is evaluated with each @var{match-var} bound to
8623 the corresponding positional regexp sub-expression. For example:
8629 (("foo([a-z]+)bar(.*)$" all letters end)
8630 (string-append "baz" letter end)))
8633 Here, anytime a line of @var{file} contains @code{hello}, it is replaced
8634 by @code{good morning}. Anytime a line of @var{file} matches the second
8635 regexp, @code{all} is bound to the complete match, @code{letters} is bound
8636 to the first sub-expression, and @code{end} is bound to the last one.
8638 When one of the @var{match-var} is @code{_}, no variable is bound to the
8639 corresponding match substring.
8641 Alternatively, @var{file} may be a list of file names, in which case
8642 they are all subject to the substitutions.
8644 Be careful about using @code{$} to match the end of a line; by itself it
8645 won't match the terminating newline of a line.
8648 @subsection File Search
8650 @cindex file, searching
8651 This section documents procedures to search and filter files.
8653 @deffn {Scheme Procedure} file-name-predicate @var{regexp}
8654 Return a predicate that returns true when passed a file name whose base
8655 name matches @var{regexp}.
8658 @deffn {Scheme Procedure} find-files @var{dir} [@var{pred}] @
8659 [#:stat lstat] [#:directories? #f] [#:fail-on-error? #f]
8660 Return the lexicographically sorted list of files under @var{dir} for
8661 which @var{pred} returns true. @var{pred} is passed two arguments: the
8662 absolute file name, and its stat buffer; the default predicate always
8663 returns true. @var{pred} can also be a regular expression, in which
8664 case it is equivalent to @code{(file-name-predicate @var{pred})}.
8665 @var{stat} is used to obtain file information; using @code{lstat} means
8666 that symlinks are not followed. If @var{directories?} is true, then
8667 directories will also be included. If @var{fail-on-error?} is true,
8668 raise an exception upon error.
8671 Here are a few examples where we assume that the current directory is
8672 the root of the Guix source tree:
8675 ;; List all the regular files in the current directory.
8677 @result{} ("./.dir-locals.el" "./.gitignore" @dots{})
8679 ;; List all the .scm files under gnu/services.
8680 (find-files "gnu/services" "\\.scm$")
8681 @result{} ("gnu/services/admin.scm" "gnu/services/audio.scm" @dots{})
8683 ;; List ar files in the current directory.
8684 (find-files "." (lambda (file stat) (ar-file? file)))
8685 @result{} ("./libformat.a" "./libstore.a" @dots{})
8688 @deffn {Scheme Procedure} which @var{program}
8689 Return the complete file name for @var{program} as found in
8690 @code{$PATH}, or @code{#f} if @var{program} could not be found.
8693 @subsection Build Phases
8695 @cindex build phases
8696 The @code{(guix build utils)} also contains tools to manipulate build
8697 phases as used by build systems (@pxref{Build Systems}). Build phases
8698 are represented as association lists or ``alists'' (@pxref{Association
8699 Lists,,, guile, GNU Guile Reference Manual}) where each key is a symbol
8700 naming the phase and the associated value is a procedure (@pxref{Build
8703 Guile core and the @code{(srfi srfi-1)} module both provide tools to
8704 manipulate alists. The @code{(guix build utils)} module complements
8705 those with tools written with build phases in mind.
8707 @cindex build phases, modifying
8708 @deffn {Scheme Syntax} modify-phases @var{phases} @var{clause}@dots{}
8709 Modify @var{phases} sequentially as per each @var{clause}, which may
8710 have one of the following forms:
8713 (delete @var{old-phase-name})
8714 (replace @var{old-phase-name} @var{new-phase})
8715 (add-before @var{old-phase-name} @var{new-phase-name} @var{new-phase})
8716 (add-after @var{old-phase-name} @var{new-phase-name} @var{new-phase})
8719 Where every @var{phase-name} above is an expression evaluating to a
8720 symbol, and @var{new-phase} an expression evaluating to a procedure.
8723 The example below is taken from the definition of the @code{grep}
8724 package. It adds a phase to run after the @code{install} phase, called
8725 @code{fix-egrep-and-fgrep}. That phase is a procedure (@code{lambda*}
8726 is for anonymous procedures) that takes a @code{#:outputs} keyword
8727 argument and ignores extra keyword arguments (@pxref{Optional
8728 Arguments,,, guile, GNU Guile Reference Manual}, for more on
8729 @code{lambda*} and optional and keyword arguments.) The phase uses
8730 @code{substitute*} to modify the installed @file{egrep} and @file{fgrep}
8731 scripts so that they refer to @code{grep} by its absolute file name:
8734 (modify-phases %standard-phases
8735 (add-after 'install 'fix-egrep-and-fgrep
8736 ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
8737 ;; absolute file name instead of searching for it in $PATH.
8738 (lambda* (#:key outputs #:allow-other-keys)
8739 (let* ((out (assoc-ref outputs "out"))
8740 (bin (string-append out "/bin")))
8741 (substitute* (list (string-append bin "/egrep")
8742 (string-append bin "/fgrep"))
8744 (string-append "exec " bin "/grep")))
8748 In the example below, phases are modified in two ways: the standard
8749 @code{configure} phase is deleted, presumably because the package does
8750 not have a @file{configure} script or anything similar, and the default
8751 @code{install} phase is replaced by one that manually copies the
8752 executable files to be installed:
8755 (modify-phases %standard-phases
8756 (delete 'configure) ;no 'configure' script
8758 (lambda* (#:key outputs #:allow-other-keys)
8759 ;; The package's Makefile doesn't provide an "install"
8760 ;; rule so do it by ourselves.
8761 (let ((bin (string-append (assoc-ref outputs "out")
8763 (install-file "footswitch" bin)
8764 (install-file "scythe" bin)
8768 @c TODO: Add more examples.
8777 Conceptually, the @dfn{store} is the place where derivations that have
8778 been built successfully are stored---by default, @file{/gnu/store}.
8779 Sub-directories in the store are referred to as @dfn{store items} or
8780 sometimes @dfn{store paths}. The store has an associated database that
8781 contains information such as the store paths referred to by each store
8782 path, and the list of @emph{valid} store items---results of successful
8783 builds. This database resides in @file{@var{localstatedir}/guix/db},
8784 where @var{localstatedir} is the state directory specified @i{via}
8785 @option{--localstatedir} at configure time, usually @file{/var}.
8787 The store is @emph{always} accessed by the daemon on behalf of its clients
8788 (@pxref{Invoking guix-daemon}). To manipulate the store, clients
8789 connect to the daemon over a Unix-domain socket, send requests to it,
8790 and read the result---these are remote procedure calls, or RPCs.
8793 Users must @emph{never} modify files under @file{/gnu/store} directly.
8794 This would lead to inconsistencies and break the immutability
8795 assumptions of Guix's functional model (@pxref{Introduction}).
8797 @xref{Invoking guix gc, @command{guix gc --verify}}, for information on
8798 how to check the integrity of the store and attempt recovery from
8799 accidental modifications.
8802 The @code{(guix store)} module provides procedures to connect to the
8803 daemon, and to perform RPCs. These are described below. By default,
8804 @code{open-connection}, and thus all the @command{guix} commands,
8805 connect to the local daemon or to the URI specified by the
8806 @env{GUIX_DAEMON_SOCKET} environment variable.
8808 @defvr {Environment Variable} GUIX_DAEMON_SOCKET
8809 When set, the value of this variable should be a file name or a URI
8810 designating the daemon endpoint. When it is a file name, it denotes a
8811 Unix-domain socket to connect to. In addition to file names, the
8812 supported URI schemes are:
8817 These are for Unix-domain sockets.
8818 @code{file:///var/guix/daemon-socket/socket} is equivalent to
8819 @file{/var/guix/daemon-socket/socket}.
8822 @cindex daemon, remote access
8823 @cindex remote access to the daemon
8824 @cindex daemon, cluster setup
8825 @cindex clusters, daemon setup
8826 These URIs denote connections over TCP/IP, without encryption nor
8827 authentication of the remote host. The URI must specify the host name
8828 and optionally a port number (by default port 44146 is used):
8831 guix://master.guix.example.org:1234
8834 This setup is suitable on local networks, such as clusters, where only
8835 trusted nodes may connect to the build daemon at
8836 @code{master.guix.example.org}.
8838 The @option{--listen} option of @command{guix-daemon} can be used to
8839 instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
8840 @option{--listen}}).
8843 @cindex SSH access to build daemons
8844 These URIs allow you to connect to a remote daemon over SSH@. This
8845 feature requires Guile-SSH (@pxref{Requirements}) and a working
8846 @command{guile} binary in @env{PATH} on the destination machine. It
8847 supports public key and GSSAPI authentication. A typical URL might look
8851 ssh://charlie@@guix.example.org:22
8854 As for @command{guix copy}, the usual OpenSSH client configuration files
8855 are honored (@pxref{Invoking guix copy}).
8858 Additional URI schemes may be supported in the future.
8860 @c XXX: Remove this note when the protocol incurs fewer round trips
8861 @c and when (guix derivations) no longer relies on file system access.
8863 The ability to connect to remote build daemons is considered
8864 experimental as of @value{VERSION}. Please get in touch with us to
8865 share any problems or suggestions you may have (@pxref{Contributing}).
8869 @deffn {Scheme Procedure} open-connection [@var{uri}] [#:reserve-space? #t]
8870 Connect to the daemon over the Unix-domain socket at @var{uri} (a string). When
8871 @var{reserve-space?} is true, instruct it to reserve a little bit of
8872 extra space on the file system so that the garbage collector can still
8873 operate should the disk become full. Return a server object.
8875 @var{file} defaults to @code{%default-socket-path}, which is the normal
8876 location given the options that were passed to @command{configure}.
8879 @deffn {Scheme Procedure} close-connection @var{server}
8880 Close the connection to @var{server}.
8883 @defvr {Scheme Variable} current-build-output-port
8884 This variable is bound to a SRFI-39 parameter, which refers to the port
8885 where build and error logs sent by the daemon should be written.
8888 Procedures that make RPCs all take a server object as their first
8891 @deffn {Scheme Procedure} valid-path? @var{server} @var{path}
8892 @cindex invalid store items
8893 Return @code{#t} when @var{path} designates a valid store item and
8894 @code{#f} otherwise (an invalid item may exist on disk but still be
8895 invalid, for instance because it is the result of an aborted or failed
8898 A @code{&store-protocol-error} condition is raised if @var{path} is not
8899 prefixed by the store directory (@file{/gnu/store}).
8902 @deffn {Scheme Procedure} add-text-to-store @var{server} @var{name} @var{text} [@var{references}]
8903 Add @var{text} under file @var{name} in the store, and return its store
8904 path. @var{references} is the list of store paths referred to by the
8905 resulting store path.
8908 @deffn {Scheme Procedure} build-derivations @var{store} @var{derivations} @
8910 Build @var{derivations}, a list of @code{<derivation>} objects, @file{.drv}
8911 file names, or derivation/output pairs, using the specified
8912 @var{mode}---@code{(build-mode normal)} by default.
8915 Note that the @code{(guix monads)} module provides a monad as well as
8916 monadic versions of the above procedures, with the goal of making it
8917 more convenient to work with code that accesses the store (@pxref{The
8921 @i{This section is currently incomplete.}
8924 @section Derivations
8927 Low-level build actions and the environment in which they are performed
8928 are represented by @dfn{derivations}. A derivation contains the
8929 following pieces of information:
8933 The outputs of the derivation---derivations produce at least one file or
8934 directory in the store, but may produce more.
8937 @cindex build-time dependencies
8938 @cindex dependencies, build-time
8939 The inputs of the derivations---i.e., its build-time dependencies---which may
8940 be other derivations or plain files in the store (patches, build scripts,
8944 The system type targeted by the derivation---e.g., @code{x86_64-linux}.
8947 The file name of a build script in the store, along with the arguments
8951 A list of environment variables to be defined.
8955 @cindex derivation path
8956 Derivations allow clients of the daemon to communicate build actions to
8957 the store. They exist in two forms: as an in-memory representation,
8958 both on the client- and daemon-side, and as files in the store whose
8959 name end in @file{.drv}---these files are referred to as @dfn{derivation
8960 paths}. Derivations paths can be passed to the @code{build-derivations}
8961 procedure to perform the build actions they prescribe (@pxref{The
8964 @cindex fixed-output derivations
8965 Operations such as file downloads and version-control checkouts for
8966 which the expected content hash is known in advance are modeled as
8967 @dfn{fixed-output derivations}. Unlike regular derivations, the outputs
8968 of a fixed-output derivation are independent of its inputs---e.g., a
8969 source code download produces the same result regardless of the download
8970 method and tools being used.
8973 @cindex run-time dependencies
8974 @cindex dependencies, run-time
8975 The outputs of derivations---i.e., the build results---have a set of
8976 @dfn{references}, as reported by the @code{references} RPC or the
8977 @command{guix gc --references} command (@pxref{Invoking guix gc}). References
8978 are the set of run-time dependencies of the build results. References are a
8979 subset of the inputs of the derivation; this subset is automatically computed
8980 by the build daemon by scanning all the files in the outputs.
8982 The @code{(guix derivations)} module provides a representation of
8983 derivations as Scheme objects, along with procedures to create and
8984 otherwise manipulate derivations. The lowest-level primitive to create
8985 a derivation is the @code{derivation} procedure:
8987 @deffn {Scheme Procedure} derivation @var{store} @var{name} @var{builder} @
8988 @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
8989 [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
8990 [#:system (%current-system)] [#:references-graphs #f] @
8991 [#:allowed-references #f] [#:disallowed-references #f] @
8992 [#:leaked-env-vars #f] [#:local-build? #f] @
8993 [#:substitutable? #t] [#:properties '()]
8994 Build a derivation with the given arguments, and return the resulting
8995 @code{<derivation>} object.
8997 When @var{hash} and @var{hash-algo} are given, a
8998 @dfn{fixed-output derivation} is created---i.e., one whose result is
8999 known in advance, such as a file download. If, in addition,
9000 @var{recursive?} is true, then that fixed output may be an executable
9001 file or a directory and @var{hash} must be the hash of an archive
9002 containing this output.
9004 When @var{references-graphs} is true, it must be a list of file
9005 name/store path pairs. In that case, the reference graph of each store
9006 path is exported in the build environment in the corresponding file, in
9007 a simple text format.
9009 When @var{allowed-references} is true, it must be a list of store items
9010 or outputs that the derivation's output may refer to. Likewise,
9011 @var{disallowed-references}, if true, must be a list of things the
9012 outputs may @emph{not} refer to.
9014 When @var{leaked-env-vars} is true, it must be a list of strings
9015 denoting environment variables that are allowed to ``leak'' from the
9016 daemon's environment to the build environment. This is only applicable
9017 to fixed-output derivations---i.e., when @var{hash} is true. The main
9018 use is to allow variables such as @code{http_proxy} to be passed to
9019 derivations that download files.
9021 When @var{local-build?} is true, declare that the derivation is not a
9022 good candidate for offloading and should rather be built locally
9023 (@pxref{Daemon Offload Setup}). This is the case for small derivations
9024 where the costs of data transfers would outweigh the benefits.
9026 When @var{substitutable?} is false, declare that substitutes of the
9027 derivation's output should not be used (@pxref{Substitutes}). This is
9028 useful, for instance, when building packages that capture details of the
9029 host CPU instruction set.
9031 @var{properties} must be an association list describing ``properties'' of the
9032 derivation. It is kept as-is, uninterpreted, in the derivation.
9036 Here's an example with a shell script as its builder, assuming
9037 @var{store} is an open connection to the daemon, and @var{bash} points
9038 to a Bash executable in the store:
9041 (use-modules (guix utils)
9045 (let ((builder ; add the Bash script to the store
9046 (add-text-to-store store "my-builder.sh"
9047 "echo hello world > $out\n" '())))
9048 (derivation store "foo"
9049 bash `("-e" ,builder)
9050 #:inputs `((,bash) (,builder))
9051 #:env-vars '(("HOME" . "/homeless"))))
9052 @result{} #<derivation /gnu/store/@dots{}-foo.drv => /gnu/store/@dots{}-foo>
9055 As can be guessed, this primitive is cumbersome to use directly. A
9056 better approach is to write build scripts in Scheme, of course! The
9057 best course of action for that is to write the build code as a
9058 ``G-expression'', and to pass it to @code{gexp->derivation}. For more
9059 information, @pxref{G-Expressions}.
9061 Once upon a time, @code{gexp->derivation} did not exist and constructing
9062 derivations with build code written in Scheme was achieved with
9063 @code{build-expression->derivation}, documented below. This procedure
9064 is now deprecated in favor of the much nicer @code{gexp->derivation}.
9066 @deffn {Scheme Procedure} build-expression->derivation @var{store} @
9067 @var{name} @var{exp} @
9068 [#:system (%current-system)] [#:inputs '()] @
9069 [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
9070 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
9071 [#:references-graphs #f] [#:allowed-references #f] @
9072 [#:disallowed-references #f] @
9073 [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
9074 Return a derivation that executes Scheme expression @var{exp} as a
9075 builder for derivation @var{name}. @var{inputs} must be a list of
9076 @code{(name drv-path sub-drv)} tuples; when @var{sub-drv} is omitted,
9077 @code{"out"} is assumed. @var{modules} is a list of names of Guile
9078 modules from the current search path to be copied in the store,
9079 compiled, and made available in the load path during the execution of
9080 @var{exp}---e.g., @code{((guix build utils) (guix build
9081 gnu-build-system))}.
9083 @var{exp} is evaluated in an environment where @code{%outputs} is bound
9084 to a list of output/path pairs, and where @code{%build-inputs} is bound
9085 to a list of string/output-path pairs made from @var{inputs}.
9086 Optionally, @var{env-vars} is a list of string pairs specifying the name
9087 and value of environment variables visible to the builder. The builder
9088 terminates by passing the result of @var{exp} to @code{exit}; thus, when
9089 @var{exp} returns @code{#f}, the build is considered to have failed.
9091 @var{exp} is built using @var{guile-for-build} (a derivation). When
9092 @var{guile-for-build} is omitted or is @code{#f}, the value of the
9093 @code{%guile-for-build} fluid is used instead.
9095 See the @code{derivation} procedure for the meaning of
9096 @var{references-graphs}, @var{allowed-references},
9097 @var{disallowed-references}, @var{local-build?}, and
9098 @var{substitutable?}.
9102 Here's an example of a single-output derivation that creates a directory
9103 containing one file:
9106 (let ((builder '(let ((out (assoc-ref %outputs "out")))
9107 (mkdir out) ; create /gnu/store/@dots{}-goo
9108 (call-with-output-file (string-append out "/test")
9110 (display '(hello guix) p))))))
9111 (build-expression->derivation store "goo" builder))
9113 @result{} #<derivation /gnu/store/@dots{}-goo.drv => @dots{}>
9117 @node The Store Monad
9118 @section The Store Monad
9122 The procedures that operate on the store described in the previous
9123 sections all take an open connection to the build daemon as their first
9124 argument. Although the underlying model is functional, they either have
9125 side effects or depend on the current state of the store.
9127 The former is inconvenient: the connection to the build daemon has to be
9128 carried around in all those functions, making it impossible to compose
9129 functions that do not take that parameter with functions that do. The
9130 latter can be problematic: since store operations have side effects
9131 and/or depend on external state, they have to be properly sequenced.
9133 @cindex monadic values
9134 @cindex monadic functions
9135 This is where the @code{(guix monads)} module comes in. This module
9136 provides a framework for working with @dfn{monads}, and a particularly
9137 useful monad for our uses, the @dfn{store monad}. Monads are a
9138 construct that allows two things: associating ``context'' with values
9139 (in our case, the context is the store), and building sequences of
9140 computations (here computations include accesses to the store). Values
9141 in a monad---values that carry this additional context---are called
9142 @dfn{monadic values}; procedures that return such values are called
9143 @dfn{monadic procedures}.
9145 Consider this ``normal'' procedure:
9148 (define (sh-symlink store)
9149 ;; Return a derivation that symlinks the 'bash' executable.
9150 (let* ((drv (package-derivation store bash))
9151 (out (derivation->output-path drv))
9152 (sh (string-append out "/bin/bash")))
9153 (build-expression->derivation store "sh"
9154 `(symlink ,sh %output))))
9157 Using @code{(guix monads)} and @code{(guix gexp)}, it may be rewritten
9158 as a monadic function:
9161 (define (sh-symlink)
9162 ;; Same, but return a monadic value.
9163 (mlet %store-monad ((drv (package->derivation bash)))
9164 (gexp->derivation "sh"
9165 #~(symlink (string-append #$drv "/bin/bash")
9169 There are several things to note in the second version: the @code{store}
9170 parameter is now implicit and is ``threaded'' in the calls to the
9171 @code{package->derivation} and @code{gexp->derivation} monadic
9172 procedures, and the monadic value returned by @code{package->derivation}
9173 is @dfn{bound} using @code{mlet} instead of plain @code{let}.
9175 As it turns out, the call to @code{package->derivation} can even be
9176 omitted since it will take place implicitly, as we will see later
9177 (@pxref{G-Expressions}):
9180 (define (sh-symlink)
9181 (gexp->derivation "sh"
9182 #~(symlink (string-append #$bash "/bin/bash")
9187 @c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
9188 @c for the funny quote.
9189 Calling the monadic @code{sh-symlink} has no effect. As someone once
9190 said, ``you exit a monad like you exit a building on fire: by running''.
9191 So, to exit the monad and get the desired effect, one must use
9192 @code{run-with-store}:
9195 (run-with-store (open-connection) (sh-symlink))
9196 @result{} /gnu/store/...-sh-symlink
9199 Note that the @code{(guix monad-repl)} module extends the Guile REPL with
9200 new ``meta-commands'' to make it easier to deal with monadic procedures:
9201 @code{run-in-store}, and @code{enter-store-monad}. The former is used
9202 to ``run'' a single monadic value through the store:
9205 scheme@@(guile-user)> ,run-in-store (package->derivation hello)
9206 $1 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
9209 The latter enters a recursive REPL, where all the return values are
9210 automatically run through the store:
9213 scheme@@(guile-user)> ,enter-store-monad
9214 store-monad@@(guile-user) [1]> (package->derivation hello)
9215 $2 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
9216 store-monad@@(guile-user) [1]> (text-file "foo" "Hello!")
9217 $3 = "/gnu/store/@dots{}-foo"
9218 store-monad@@(guile-user) [1]> ,q
9219 scheme@@(guile-user)>
9223 Note that non-monadic values cannot be returned in the
9224 @code{store-monad} REPL.
9226 The main syntactic forms to deal with monads in general are provided by
9227 the @code{(guix monads)} module and are described below.
9229 @deffn {Scheme Syntax} with-monad @var{monad} @var{body} ...
9230 Evaluate any @code{>>=} or @code{return} forms in @var{body} as being
9234 @deffn {Scheme Syntax} return @var{val}
9235 Return a monadic value that encapsulates @var{val}.
9238 @deffn {Scheme Syntax} >>= @var{mval} @var{mproc} ...
9239 @dfn{Bind} monadic value @var{mval}, passing its ``contents'' to monadic
9240 procedures @var{mproc}@dots{}@footnote{This operation is commonly
9241 referred to as ``bind'', but that name denotes an unrelated procedure in
9242 Guile. Thus we use this somewhat cryptic symbol inherited from the
9243 Haskell language.}. There can be one @var{mproc} or several of them, as
9248 (with-monad %state-monad
9250 (lambda (x) (return (+ 1 x)))
9251 (lambda (x) (return (* 2 x)))))
9255 @result{} some-state
9259 @deffn {Scheme Syntax} mlet @var{monad} ((@var{var} @var{mval}) ...) @
9261 @deffnx {Scheme Syntax} mlet* @var{monad} ((@var{var} @var{mval}) ...) @
9263 Bind the variables @var{var} to the monadic values @var{mval} in
9264 @var{body}, which is a sequence of expressions. As with the bind
9265 operator, this can be thought of as ``unpacking'' the raw, non-monadic
9266 value ``contained'' in @var{mval} and making @var{var} refer to that
9267 raw, non-monadic value within the scope of the @var{body}. The form
9268 (@var{var} -> @var{val}) binds @var{var} to the ``normal'' value
9269 @var{val}, as per @code{let}. The binding operations occur in sequence
9270 from left to right. The last expression of @var{body} must be a monadic
9271 expression, and its result will become the result of the @code{mlet} or
9272 @code{mlet*} when run in the @var{monad}.
9274 @code{mlet*} is to @code{mlet} what @code{let*} is to @code{let}
9275 (@pxref{Local Bindings,,, guile, GNU Guile Reference Manual}).
9278 @deffn {Scheme System} mbegin @var{monad} @var{mexp} ...
9279 Bind @var{mexp} and the following monadic expressions in sequence,
9280 returning the result of the last expression. Every expression in the
9281 sequence must be a monadic expression.
9283 This is akin to @code{mlet}, except that the return values of the
9284 monadic expressions are ignored. In that sense, it is analogous to
9285 @code{begin}, but applied to monadic expressions.
9288 @deffn {Scheme System} mwhen @var{condition} @var{mexp0} @var{mexp*} ...
9289 When @var{condition} is true, evaluate the sequence of monadic
9290 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
9291 @var{condition} is false, return @code{*unspecified*} in the current
9292 monad. Every expression in the sequence must be a monadic expression.
9295 @deffn {Scheme System} munless @var{condition} @var{mexp0} @var{mexp*} ...
9296 When @var{condition} is false, evaluate the sequence of monadic
9297 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
9298 @var{condition} is true, return @code{*unspecified*} in the current
9299 monad. Every expression in the sequence must be a monadic expression.
9303 The @code{(guix monads)} module provides the @dfn{state monad}, which
9304 allows an additional value---the state---to be @emph{threaded} through
9305 monadic procedure calls.
9307 @defvr {Scheme Variable} %state-monad
9308 The state monad. Procedures in the state monad can access and change
9309 the state that is threaded.
9311 Consider the example below. The @code{square} procedure returns a value
9312 in the state monad. It returns the square of its argument, but also
9313 increments the current state value:
9317 (mlet %state-monad ((count (current-state)))
9318 (mbegin %state-monad
9319 (set-current-state (+ 1 count))
9322 (run-with-state (sequence %state-monad (map square (iota 3))) 0)
9327 When ``run'' through @code{%state-monad}, we obtain that additional state
9328 value, which is the number of @code{square} calls.
9331 @deffn {Monadic Procedure} current-state
9332 Return the current state as a monadic value.
9335 @deffn {Monadic Procedure} set-current-state @var{value}
9336 Set the current state to @var{value} and return the previous state as a
9340 @deffn {Monadic Procedure} state-push @var{value}
9341 Push @var{value} to the current state, which is assumed to be a list,
9342 and return the previous state as a monadic value.
9345 @deffn {Monadic Procedure} state-pop
9346 Pop a value from the current state and return it as a monadic value.
9347 The state is assumed to be a list.
9350 @deffn {Scheme Procedure} run-with-state @var{mval} [@var{state}]
9351 Run monadic value @var{mval} starting with @var{state} as the initial
9352 state. Return two values: the resulting value, and the resulting state.
9355 The main interface to the store monad, provided by the @code{(guix
9356 store)} module, is as follows.
9358 @defvr {Scheme Variable} %store-monad
9359 The store monad---an alias for @code{%state-monad}.
9361 Values in the store monad encapsulate accesses to the store. When its
9362 effect is needed, a value of the store monad must be ``evaluated'' by
9363 passing it to the @code{run-with-store} procedure (see below).
9366 @deffn {Scheme Procedure} run-with-store @var{store} @var{mval} [#:guile-for-build] [#:system (%current-system)]
9367 Run @var{mval}, a monadic value in the store monad, in @var{store}, an
9368 open store connection.
9371 @deffn {Monadic Procedure} text-file @var{name} @var{text} [@var{references}]
9372 Return as a monadic value the absolute file name in the store of the file
9373 containing @var{text}, a string. @var{references} is a list of store items that the
9374 resulting text file refers to; it defaults to the empty list.
9377 @deffn {Monadic Procedure} binary-file @var{name} @var{data} [@var{references}]
9378 Return as a monadic value the absolute file name in the store of the file
9379 containing @var{data}, a bytevector. @var{references} is a list of store
9380 items that the resulting binary file refers to; it defaults to the empty list.
9383 @deffn {Monadic Procedure} interned-file @var{file} [@var{name}] @
9384 [#:recursive? #t] [#:select? (const #t)]
9385 Return the name of @var{file} once interned in the store. Use
9386 @var{name} as its store name, or the basename of @var{file} if
9387 @var{name} is omitted.
9389 When @var{recursive?} is true, the contents of @var{file} are added
9390 recursively; if @var{file} designates a flat file and @var{recursive?}
9391 is true, its contents are added, and its permission bits are kept.
9393 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
9394 @var{stat})} for each directory entry, where @var{file} is the entry's
9395 absolute file name and @var{stat} is the result of @code{lstat}; exclude
9396 entries for which @var{select?} does not return true.
9398 The example below adds a file to the store, under two different names:
9401 (run-with-store (open-connection)
9402 (mlet %store-monad ((a (interned-file "README"))
9403 (b (interned-file "README" "LEGU-MIN")))
9404 (return (list a b))))
9406 @result{} ("/gnu/store/rwm@dots{}-README" "/gnu/store/44i@dots{}-LEGU-MIN")
9411 The @code{(guix packages)} module exports the following package-related
9414 @deffn {Monadic Procedure} package-file @var{package} [@var{file}] @
9415 [#:system (%current-system)] [#:target #f] @
9418 value in the absolute file name of @var{file} within the @var{output}
9419 directory of @var{package}. When @var{file} is omitted, return the name
9420 of the @var{output} directory of @var{package}. When @var{target} is
9421 true, use it as a cross-compilation target triplet.
9423 Note that this procedure does @emph{not} build @var{package}. Thus, the
9424 result might or might not designate an existing file. We recommend not
9425 using this procedure unless you know what you are doing.
9428 @deffn {Monadic Procedure} package->derivation @var{package} [@var{system}]
9429 @deffnx {Monadic Procedure} package->cross-derivation @var{package} @
9430 @var{target} [@var{system}]
9431 Monadic version of @code{package-derivation} and
9432 @code{package-cross-derivation} (@pxref{Defining Packages}).
9437 @section G-Expressions
9439 @cindex G-expression
9440 @cindex build code quoting
9441 So we have ``derivations'', which represent a sequence of build actions
9442 to be performed to produce an item in the store (@pxref{Derivations}).
9443 These build actions are performed when asking the daemon to actually
9444 build the derivations; they are run by the daemon in a container
9445 (@pxref{Invoking guix-daemon}).
9447 @cindex code staging
9448 @cindex staging, of code
9449 @cindex strata of code
9450 It should come as no surprise that we like to write these build actions
9451 in Scheme. When we do that, we end up with two @dfn{strata} of Scheme
9452 code@footnote{The term @dfn{stratum} in this context was coined by
9453 Manuel Serrano et al.@: in the context of their work on Hop. Oleg
9454 Kiselyov, who has written insightful
9455 @url{http://okmij.org/ftp/meta-programming/#meta-scheme, essays and code
9456 on this topic}, refers to this kind of code generation as
9457 @dfn{staging}.}: the ``host code''---code that defines packages, talks
9458 to the daemon, etc.---and the ``build code''---code that actually
9459 performs build actions, such as making directories, invoking
9460 @command{make}, and so on (@pxref{Build Phases}).
9462 To describe a derivation and its build actions, one typically needs to
9463 embed build code inside host code. It boils down to manipulating build
9464 code as data, and the homoiconicity of Scheme---code has a direct
9465 representation as data---comes in handy for that. But we need more than
9466 the normal @code{quasiquote} mechanism in Scheme to construct build
9469 The @code{(guix gexp)} module implements @dfn{G-expressions}, a form of
9470 S-expressions adapted to build expressions. G-expressions, or
9471 @dfn{gexps}, consist essentially of three syntactic forms: @code{gexp},
9472 @code{ungexp}, and @code{ungexp-splicing} (or simply: @code{#~},
9473 @code{#$}, and @code{#$@@}), which are comparable to
9474 @code{quasiquote}, @code{unquote}, and @code{unquote-splicing},
9475 respectively (@pxref{Expression Syntax, @code{quasiquote},, guile,
9476 GNU Guile Reference Manual}). However, there are major differences:
9480 Gexps are meant to be written to a file and run or manipulated by other
9484 When a high-level object such as a package or derivation is unquoted
9485 inside a gexp, the result is as if its output file name had been
9489 Gexps carry information about the packages or derivations they refer to,
9490 and these dependencies are automatically added as inputs to the build
9491 processes that use them.
9494 @cindex lowering, of high-level objects in gexps
9495 This mechanism is not limited to package and derivation
9496 objects: @dfn{compilers} able to ``lower'' other high-level objects to
9497 derivations or files in the store can be defined,
9498 such that these objects can also be inserted
9499 into gexps. For example, a useful type of high-level objects that can be
9500 inserted in a gexp is ``file-like objects'', which make it easy to
9501 add files to the store and to refer to them in
9502 derivations and such (see @code{local-file} and @code{plain-file}
9505 To illustrate the idea, here is an example of a gexp:
9512 (symlink (string-append #$coreutils "/bin/ls")
9516 This gexp can be passed to @code{gexp->derivation}; we obtain a
9517 derivation that builds a directory containing exactly one symlink to
9518 @file{/gnu/store/@dots{}-coreutils-8.22/bin/ls}:
9521 (gexp->derivation "the-thing" build-exp)
9524 As one would expect, the @code{"/gnu/store/@dots{}-coreutils-8.22"} string is
9525 substituted to the reference to the @var{coreutils} package in the
9526 actual build code, and @var{coreutils} is automatically made an input to
9527 the derivation. Likewise, @code{#$output} (equivalent to @code{(ungexp
9528 output)}) is replaced by a string containing the directory name of the
9529 output of the derivation.
9531 @cindex cross compilation
9532 In a cross-compilation context, it is useful to distinguish between
9533 references to the @emph{native} build of a package---that can run on the
9534 host---versus references to cross builds of a package. To that end, the
9535 @code{#+} plays the same role as @code{#$}, but is a reference to a
9536 native package build:
9539 (gexp->derivation "vi"
9542 (mkdir (string-append #$output "/bin"))
9543 (system* (string-append #+coreutils "/bin/ln")
9545 (string-append #$emacs "/bin/emacs")
9546 (string-append #$output "/bin/vi")))
9547 #:target "aarch64-linux-gnu")
9551 In the example above, the native build of @var{coreutils} is used, so
9552 that @command{ln} can actually run on the host; but then the
9553 cross-compiled build of @var{emacs} is referenced.
9555 @cindex imported modules, for gexps
9556 @findex with-imported-modules
9557 Another gexp feature is @dfn{imported modules}: sometimes you want to be
9558 able to use certain Guile modules from the ``host environment'' in the
9559 gexp, so those modules should be imported in the ``build environment''.
9560 The @code{with-imported-modules} form allows you to express that:
9563 (let ((build (with-imported-modules '((guix build utils))
9565 (use-modules (guix build utils))
9566 (mkdir-p (string-append #$output "/bin"))))))
9567 (gexp->derivation "empty-dir"
9570 (display "success!\n")
9575 In this example, the @code{(guix build utils)} module is automatically
9576 pulled into the isolated build environment of our gexp, such that
9577 @code{(use-modules (guix build utils))} works as expected.
9579 @cindex module closure
9580 @findex source-module-closure
9581 Usually you want the @emph{closure} of the module to be imported---i.e.,
9582 the module itself and all the modules it depends on---rather than just
9583 the module; failing to do that, attempts to use the module will fail
9584 because of missing dependent modules. The @code{source-module-closure}
9585 procedure computes the closure of a module by looking at its source file
9586 headers, which comes in handy in this case:
9589 (use-modules (guix modules)) ;for 'source-module-closure'
9591 (with-imported-modules (source-module-closure
9592 '((guix build utils)
9594 (gexp->derivation "something-with-vms"
9596 (use-modules (guix build utils)
9601 @cindex extensions, for gexps
9602 @findex with-extensions
9603 In the same vein, sometimes you want to import not just pure-Scheme
9604 modules, but also ``extensions'' such as Guile bindings to C libraries
9605 or other ``full-blown'' packages. Say you need the @code{guile-json}
9606 package available on the build side, here's how you would do it:
9609 (use-modules (gnu packages guile)) ;for 'guile-json'
9611 (with-extensions (list guile-json)
9612 (gexp->derivation "something-with-json"
9614 (use-modules (json))
9618 The syntactic form to construct gexps is summarized below.
9620 @deffn {Scheme Syntax} #~@var{exp}
9621 @deffnx {Scheme Syntax} (gexp @var{exp})
9622 Return a G-expression containing @var{exp}. @var{exp} may contain one
9623 or more of the following forms:
9627 @itemx (ungexp @var{obj})
9628 Introduce a reference to @var{obj}. @var{obj} may have one of the
9629 supported types, for example a package or a
9630 derivation, in which case the @code{ungexp} form is replaced by its
9631 output file name---e.g., @code{"/gnu/store/@dots{}-coreutils-8.22}.
9633 If @var{obj} is a list, it is traversed and references to supported
9634 objects are substituted similarly.
9636 If @var{obj} is another gexp, its contents are inserted and its
9637 dependencies are added to those of the containing gexp.
9639 If @var{obj} is another kind of object, it is inserted as is.
9641 @item #$@var{obj}:@var{output}
9642 @itemx (ungexp @var{obj} @var{output})
9643 This is like the form above, but referring explicitly to the
9644 @var{output} of @var{obj}---this is useful when @var{obj} produces
9645 multiple outputs (@pxref{Packages with Multiple Outputs}).
9648 @itemx #+@var{obj}:output
9649 @itemx (ungexp-native @var{obj})
9650 @itemx (ungexp-native @var{obj} @var{output})
9651 Same as @code{ungexp}, but produces a reference to the @emph{native}
9652 build of @var{obj} when used in a cross compilation context.
9654 @item #$output[:@var{output}]
9655 @itemx (ungexp output [@var{output}])
9656 Insert a reference to derivation output @var{output}, or to the main
9657 output when @var{output} is omitted.
9659 This only makes sense for gexps passed to @code{gexp->derivation}.
9662 @itemx (ungexp-splicing @var{lst})
9663 Like the above, but splices the contents of @var{lst} inside the
9667 @itemx (ungexp-native-splicing @var{lst})
9668 Like the above, but refers to native builds of the objects listed in
9673 G-expressions created by @code{gexp} or @code{#~} are run-time objects
9674 of the @code{gexp?} type (see below).
9677 @deffn {Scheme Syntax} with-imported-modules @var{modules} @var{body}@dots{}
9678 Mark the gexps defined in @var{body}@dots{} as requiring @var{modules}
9679 in their execution environment.
9681 Each item in @var{modules} can be the name of a module, such as
9682 @code{(guix build utils)}, or it can be a module name, followed by an
9683 arrow, followed by a file-like object:
9686 `((guix build utils)
9688 ((guix config) => ,(scheme-file "config.scm"
9689 #~(define-module @dots{}))))
9693 In the example above, the first two modules are taken from the search
9694 path, and the last one is created from the given file-like object.
9696 This form has @emph{lexical} scope: it has an effect on the gexps
9697 directly defined in @var{body}@dots{}, but not on those defined, say, in
9698 procedures called from @var{body}@dots{}.
9701 @deffn {Scheme Syntax} with-extensions @var{extensions} @var{body}@dots{}
9702 Mark the gexps defined in @var{body}@dots{} as requiring
9703 @var{extensions} in their build and execution environment.
9704 @var{extensions} is typically a list of package objects such as those
9705 defined in the @code{(gnu packages guile)} module.
9707 Concretely, the packages listed in @var{extensions} are added to the
9708 load path while compiling imported modules in @var{body}@dots{}; they
9709 are also added to the load path of the gexp returned by
9713 @deffn {Scheme Procedure} gexp? @var{obj}
9714 Return @code{#t} if @var{obj} is a G-expression.
9717 G-expressions are meant to be written to disk, either as code building
9718 some derivation, or as plain files in the store. The monadic procedures
9719 below allow you to do that (@pxref{The Store Monad}, for more
9720 information about monads).
9722 @deffn {Monadic Procedure} gexp->derivation @var{name} @var{exp} @
9723 [#:system (%current-system)] [#:target #f] [#:graft? #t] @
9724 [#:hash #f] [#:hash-algo #f] @
9725 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
9726 [#:module-path @code{%load-path}] @
9727 [#:effective-version "2.2"] @
9728 [#:references-graphs #f] [#:allowed-references #f] @
9729 [#:disallowed-references #f] @
9730 [#:leaked-env-vars #f] @
9731 [#:script-name (string-append @var{name} "-builder")] @
9732 [#:deprecation-warnings #f] @
9733 [#:local-build? #f] [#:substitutable? #t] @
9734 [#:properties '()] [#:guile-for-build #f]
9735 Return a derivation @var{name} that runs @var{exp} (a gexp) with
9736 @var{guile-for-build} (a derivation) on @var{system}; @var{exp} is
9737 stored in a file called @var{script-name}. When @var{target} is true,
9738 it is used as the cross-compilation target triplet for packages referred
9741 @var{modules} is deprecated in favor of @code{with-imported-modules}.
9743 make @var{modules} available in the evaluation context of @var{exp};
9744 @var{modules} is a list of names of Guile modules searched in
9745 @var{module-path} to be copied in the store, compiled, and made available in
9746 the load path during the execution of @var{exp}---e.g., @code{((guix
9747 build utils) (guix build gnu-build-system))}.
9749 @var{effective-version} determines the string to use when adding extensions of
9750 @var{exp} (see @code{with-extensions}) to the search path---e.g., @code{"2.2"}.
9752 @var{graft?} determines whether packages referred to by @var{exp} should be grafted when
9755 When @var{references-graphs} is true, it must be a list of tuples of one of the
9759 (@var{file-name} @var{package})
9760 (@var{file-name} @var{package} @var{output})
9761 (@var{file-name} @var{derivation})
9762 (@var{file-name} @var{derivation} @var{output})
9763 (@var{file-name} @var{store-item})
9766 The right-hand-side of each element of @var{references-graphs} is automatically made
9767 an input of the build process of @var{exp}. In the build environment, each
9768 @var{file-name} contains the reference graph of the corresponding item, in a simple
9771 @var{allowed-references} must be either @code{#f} or a list of output names and packages.
9772 In the latter case, the list denotes store items that the result is allowed to
9773 refer to. Any reference to another store item will lead to a build error.
9774 Similarly for @var{disallowed-references}, which can list items that must not be
9775 referenced by the outputs.
9777 @var{deprecation-warnings} determines whether to show deprecation warnings while
9778 compiling modules. It can be @code{#f}, @code{#t}, or @code{'detailed}.
9780 The other arguments are as for @code{derivation} (@pxref{Derivations}).
9783 @cindex file-like objects
9784 The @code{local-file}, @code{plain-file}, @code{computed-file},
9785 @code{program-file}, and @code{scheme-file} procedures below return
9786 @dfn{file-like objects}. That is, when unquoted in a G-expression,
9787 these objects lead to a file in the store. Consider this G-expression:
9790 #~(system* #$(file-append glibc "/sbin/nscd") "-f"
9791 #$(local-file "/tmp/my-nscd.conf"))
9794 The effect here is to ``intern'' @file{/tmp/my-nscd.conf} by copying it
9795 to the store. Once expanded, for instance @i{via}
9796 @code{gexp->derivation}, the G-expression refers to that copy under
9797 @file{/gnu/store}; thus, modifying or removing the file in @file{/tmp}
9798 does not have any effect on what the G-expression does.
9799 @code{plain-file} can be used similarly; it differs in that the file
9800 content is directly passed as a string.
9802 @deffn {Scheme Procedure} local-file @var{file} [@var{name}] @
9803 [#:recursive? #f] [#:select? (const #t)]
9804 Return an object representing local file @var{file} to add to the store;
9805 this object can be used in a gexp. If @var{file} is a literal string
9806 denoting a relative file name, it is looked up relative to the source
9807 file where it appears; if @var{file} is not a literal string, it is
9808 looked up relative to the current working directory at run time.
9809 @var{file} will be added to the store under @var{name}--by default the
9810 base name of @var{file}.
9812 When @var{recursive?} is true, the contents of @var{file} are added recursively; if @var{file}
9813 designates a flat file and @var{recursive?} is true, its contents are added, and its
9814 permission bits are kept.
9816 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
9817 @var{stat})} for each directory entry, where @var{file} is the entry's
9818 absolute file name and @var{stat} is the result of @code{lstat}; exclude
9819 entries for which @var{select?} does not return true.
9821 This is the declarative counterpart of the @code{interned-file} monadic
9822 procedure (@pxref{The Store Monad, @code{interned-file}}).
9825 @deffn {Scheme Procedure} plain-file @var{name} @var{content}
9826 Return an object representing a text file called @var{name} with the given
9827 @var{content} (a string or a bytevector) to be added to the store.
9829 This is the declarative counterpart of @code{text-file}.
9832 @deffn {Scheme Procedure} computed-file @var{name} @var{gexp} @
9835 Return an object representing the store item @var{name}, a file or
9836 directory computed by @var{gexp}. When @var{local-build?} is true (the
9837 default), the derivation is built locally. @var{options} is a list of
9838 additional arguments to pass to @code{gexp->derivation}.
9840 This is the declarative counterpart of @code{gexp->derivation}.
9843 @deffn {Monadic Procedure} gexp->script @var{name} @var{exp} @
9844 [#:guile (default-guile)] [#:module-path %load-path] @
9845 [#:system (%current-system)] [#:target #f]
9846 Return an executable script @var{name} that runs @var{exp} using
9847 @var{guile}, with @var{exp}'s imported modules in its search path.
9848 Look up @var{exp}'s modules in @var{module-path}.
9850 The example below builds a script that simply invokes the @command{ls}
9854 (use-modules (guix gexp) (gnu packages base))
9856 (gexp->script "list-files"
9857 #~(execl #$(file-append coreutils "/bin/ls")
9861 When ``running'' it through the store (@pxref{The Store Monad,
9862 @code{run-with-store}}), we obtain a derivation that produces an
9863 executable file @file{/gnu/store/@dots{}-list-files} along these lines:
9866 #!/gnu/store/@dots{}-guile-2.0.11/bin/guile -ds
9868 (execl "/gnu/store/@dots{}-coreutils-8.22"/bin/ls" "ls")
9872 @deffn {Scheme Procedure} program-file @var{name} @var{exp} @
9873 [#:guile #f] [#:module-path %load-path]
9874 Return an object representing the executable store item @var{name} that
9875 runs @var{gexp}. @var{guile} is the Guile package used to execute that
9876 script. Imported modules of @var{gexp} are looked up in @var{module-path}.
9878 This is the declarative counterpart of @code{gexp->script}.
9881 @deffn {Monadic Procedure} gexp->file @var{name} @var{exp} @
9882 [#:set-load-path? #t] [#:module-path %load-path] @
9884 [#:guile (default-guile)]
9885 Return a derivation that builds a file @var{name} containing @var{exp}.
9886 When @var{splice?} is true, @var{exp} is considered to be a list of
9887 expressions that will be spliced in the resulting file.
9889 When @var{set-load-path?} is true, emit code in the resulting file to
9890 set @code{%load-path} and @code{%load-compiled-path} to honor
9891 @var{exp}'s imported modules. Look up @var{exp}'s modules in
9894 The resulting file holds references to all the dependencies of @var{exp}
9895 or a subset thereof.
9898 @deffn {Scheme Procedure} scheme-file @var{name} @var{exp} @
9899 [#:splice? #f] [#:set-load-path? #t]
9900 Return an object representing the Scheme file @var{name} that contains
9903 This is the declarative counterpart of @code{gexp->file}.
9906 @deffn {Monadic Procedure} text-file* @var{name} @var{text} @dots{}
9907 Return as a monadic value a derivation that builds a text file
9908 containing all of @var{text}. @var{text} may list, in addition to
9909 strings, objects of any type that can be used in a gexp: packages,
9910 derivations, local file objects, etc. The resulting store file holds
9911 references to all these.
9913 This variant should be preferred over @code{text-file} anytime the file
9914 to create will reference items from the store. This is typically the
9915 case when building a configuration file that embeds store file names,
9919 (define (profile.sh)
9920 ;; Return the name of a shell script in the store that
9921 ;; initializes the 'PATH' environment variable.
9922 (text-file* "profile.sh"
9923 "export PATH=" coreutils "/bin:"
9924 grep "/bin:" sed "/bin\n"))
9927 In this example, the resulting @file{/gnu/store/@dots{}-profile.sh} file
9928 will reference @var{coreutils}, @var{grep}, and @var{sed}, thereby
9929 preventing them from being garbage-collected during its lifetime.
9932 @deffn {Scheme Procedure} mixed-text-file @var{name} @var{text} @dots{}
9933 Return an object representing store file @var{name} containing
9934 @var{text}. @var{text} is a sequence of strings and file-like objects,
9938 (mixed-text-file "profile"
9939 "export PATH=" coreutils "/bin:" grep "/bin")
9942 This is the declarative counterpart of @code{text-file*}.
9945 @deffn {Scheme Procedure} file-union @var{name} @var{files}
9946 Return a @code{<computed-file>} that builds a directory containing all of @var{files}.
9947 Each item in @var{files} must be a two-element list where the first element is the
9948 file name to use in the new directory, and the second element is a gexp
9949 denoting the target file. Here's an example:
9953 `(("hosts" ,(plain-file "hosts"
9954 "127.0.0.1 localhost"))
9955 ("bashrc" ,(plain-file "bashrc"
9956 "alias ls='ls --color=auto'"))))
9959 This yields an @code{etc} directory containing these two files.
9962 @deffn {Scheme Procedure} directory-union @var{name} @var{things}
9963 Return a directory that is the union of @var{things}, where @var{things} is a list of
9964 file-like objects denoting directories. For example:
9967 (directory-union "guile+emacs" (list guile emacs))
9970 yields a directory that is the union of the @code{guile} and @code{emacs} packages.
9973 @deffn {Scheme Procedure} file-append @var{obj} @var{suffix} @dots{}
9974 Return a file-like object that expands to the concatenation of @var{obj}
9975 and @var{suffix}, where @var{obj} is a lowerable object and each
9976 @var{suffix} is a string.
9978 As an example, consider this gexp:
9981 (gexp->script "run-uname"
9982 #~(system* #$(file-append coreutils
9986 The same effect could be achieved with:
9989 (gexp->script "run-uname"
9990 #~(system* (string-append #$coreutils
9994 There is one difference though: in the @code{file-append} case, the
9995 resulting script contains the absolute file name as a string, whereas in
9996 the second case, the resulting script contains a @code{(string-append
9997 @dots{})} expression to construct the file name @emph{at run time}.
10000 @deffn {Scheme Syntax} let-system @var{system} @var{body}@dots{}
10001 @deffnx {Scheme Syntax} let-system (@var{system} @var{target}) @var{body}@dots{}
10002 Bind @var{system} to the currently targeted system---e.g.,
10003 @code{"x86_64-linux"}---within @var{body}.
10005 In the second case, additionally bind @var{target} to the current
10006 cross-compilation target---a GNU triplet such as
10007 @code{"arm-linux-gnueabihf"}---or @code{#f} if we are not
10010 @code{let-system} is useful in the occasional case where the object
10011 spliced into the gexp depends on the target system, as in this example:
10015 #+(let-system system
10016 (cond ((string-prefix? "armhf-" system)
10017 (file-append qemu "/bin/qemu-system-arm"))
10018 ((string-prefix? "x86_64-" system)
10019 (file-append qemu "/bin/qemu-system-x86_64"))
10021 (error "dunno!"))))
10022 "-net" "user" #$image)
10026 @deffn {Scheme Syntax} with-parameters ((@var{parameter} @var{value}) @dots{}) @var{exp}
10027 This macro is similar to the @code{parameterize} form for
10028 dynamically-bound @dfn{parameters} (@pxref{Parameters,,, guile, GNU
10029 Guile Reference Manual}). The key difference is that it takes effect
10030 when the file-like object returned by @var{exp} is lowered to a
10031 derivation or store item.
10033 A typical use of @code{with-parameters} is to force the system in effect
10034 for a given object:
10037 (with-parameters ((%current-system "i686-linux"))
10041 The example above returns an object that corresponds to the i686 build
10042 of Coreutils, regardless of the current value of @code{%current-system}.
10046 Of course, in addition to gexps embedded in ``host'' code, there are
10047 also modules containing build tools. To make it clear that they are
10048 meant to be used in the build stratum, these modules are kept in the
10049 @code{(guix build @dots{})} name space.
10051 @cindex lowering, of high-level objects in gexps
10052 Internally, high-level objects are @dfn{lowered}, using their compiler,
10053 to either derivations or store items. For instance, lowering a package
10054 yields a derivation, and lowering a @code{plain-file} yields a store
10055 item. This is achieved using the @code{lower-object} monadic procedure.
10057 @deffn {Monadic Procedure} lower-object @var{obj} [@var{system}] @
10059 Return as a value in @code{%store-monad} the derivation or store item
10060 corresponding to @var{obj} for @var{system}, cross-compiling for
10061 @var{target} if @var{target} is true. @var{obj} must be an object that
10062 has an associated gexp compiler, such as a @code{<package>}.
10065 @deffn {Procedure} gexp->approximate-sexp @var{gexp}
10066 Sometimes, it may be useful to convert a G-exp into a S-exp. For
10067 example, some linters (@pxref{Invoking guix lint}) peek into the build
10068 phases of a package to detect potential problems. This conversion can
10069 be achieved with this procedure. However, some information can be lost
10070 in the process. More specifically, lowerable objects will be silently
10071 replaced with some arbitrary object -- currently the list
10072 @code{(*approximate*)}, but this may change.
10075 @node Invoking guix repl
10076 @section Invoking @command{guix repl}
10078 @cindex REPL, read-eval-print loop, script
10079 The @command{guix repl} command makes it easier to program Guix in Guile
10080 by launching a Guile @dfn{read-eval-print loop} (REPL) for interactive
10081 programming (@pxref{Using Guile Interactively,,, guile,
10082 GNU Guile Reference Manual}), or by running Guile scripts
10083 (@pxref{Running Guile Scripts,,, guile,
10084 GNU Guile Reference Manual}).
10085 Compared to just launching the @command{guile}
10086 command, @command{guix repl} guarantees that all the Guix modules and all its
10087 dependencies are available in the search path.
10089 The general syntax is:
10092 guix repl @var{options} [@var{file} @var{args}]
10095 When a @var{file} argument is provided, @var{file} is
10096 executed as a Guile scripts:
10099 guix repl my-script.scm
10102 To pass arguments to the script, use @code{--} to prevent them from
10103 being interpreted as arguments to @command{guix repl} itself:
10106 guix repl -- my-script.scm --input=foo.txt
10109 To make a script executable directly from the shell, using the guix
10110 executable that is on the user's search path, add the following two
10111 lines at the top of the script:
10114 @code{#!/usr/bin/env -S guix repl --}
10118 Without a file name argument, a Guile REPL is started:
10122 scheme@@(guile-user)> ,use (gnu packages base)
10123 scheme@@(guile-user)> coreutils
10124 $1 = #<package coreutils@@8.29 gnu/packages/base.scm:327 3e28300>
10128 In addition, @command{guix repl} implements a simple machine-readable REPL
10129 protocol for use by @code{(guix inferior)}, a facility to interact with
10130 @dfn{inferiors}, separate processes running a potentially different revision
10133 The available options are as follows:
10136 @item --type=@var{type}
10137 @itemx -t @var{type}
10138 Start a REPL of the given @var{TYPE}, which can be one of the following:
10142 This is default, and it spawns a standard full-featured Guile REPL.
10144 Spawn a REPL that uses the machine-readable protocol. This is the protocol
10145 that the @code{(guix inferior)} module speaks.
10148 @item --listen=@var{endpoint}
10149 By default, @command{guix repl} reads from standard input and writes to
10150 standard output. When this option is passed, it will instead listen for
10151 connections on @var{endpoint}. Here are examples of valid options:
10154 @item --listen=tcp:37146
10155 Accept connections on localhost on port 37146.
10157 @item --listen=unix:/tmp/socket
10158 Accept connections on the Unix-domain socket @file{/tmp/socket}.
10161 @item --load-path=@var{directory}
10162 @itemx -L @var{directory}
10163 Add @var{directory} to the front of the package module search path
10164 (@pxref{Package Modules}).
10166 This allows users to define their own packages and make them visible to
10167 the script or REPL.
10170 Inhibit loading of the @file{~/.guile} file. By default, that
10171 configuration file is loaded when spawning a @code{guile} REPL.
10174 @c *********************************************************************
10178 This section describes Guix command-line utilities. Some of them are
10179 primarily targeted at developers and users who write new package
10180 definitions, while others are more generally useful. They complement
10181 the Scheme programming interface of Guix in a convenient way.
10184 * Invoking guix build:: Building packages from the command line.
10185 * Invoking guix edit:: Editing package definitions.
10186 * Invoking guix download:: Downloading a file and printing its hash.
10187 * Invoking guix hash:: Computing the cryptographic hash of a file.
10188 * Invoking guix import:: Importing package definitions.
10189 * Invoking guix refresh:: Updating package definitions.
10190 * Invoking guix lint:: Finding errors in package definitions.
10191 * Invoking guix size:: Profiling disk usage.
10192 * Invoking guix graph:: Visualizing the graph of packages.
10193 * Invoking guix publish:: Sharing substitutes.
10194 * Invoking guix challenge:: Challenging substitute servers.
10195 * Invoking guix copy:: Copying to and from a remote store.
10196 * Invoking guix container:: Process isolation.
10197 * Invoking guix weather:: Assessing substitute availability.
10198 * Invoking guix processes:: Listing client processes.
10201 @node Invoking guix build
10202 @section Invoking @command{guix build}
10204 @cindex package building
10205 @cindex @command{guix build}
10206 The @command{guix build} command builds packages or derivations and
10207 their dependencies, and prints the resulting store paths. Note that it
10208 does not modify the user's profile---this is the job of the
10209 @command{guix package} command (@pxref{Invoking guix package}). Thus,
10210 it is mainly useful for distribution developers.
10212 The general syntax is:
10215 guix build @var{options} @var{package-or-derivation}@dots{}
10218 As an example, the following command builds the latest versions of Emacs
10219 and of Guile, displays their build logs, and finally displays the
10220 resulting directories:
10223 guix build emacs guile
10226 Similarly, the following command builds all the available packages:
10229 guix build --quiet --keep-going \
10230 $(guix package -A | cut -f1,2 --output-delimiter=@@)
10233 @var{package-or-derivation} may be either the name of a package found in
10234 the software distribution such as @code{coreutils} or
10235 @code{coreutils@@8.20}, or a derivation such as
10236 @file{/gnu/store/@dots{}-coreutils-8.19.drv}. In the former case, a
10237 package with the corresponding name (and optionally version) is searched
10238 for among the GNU distribution modules (@pxref{Package Modules}).
10240 Alternatively, the @option{--expression} option may be used to specify a
10241 Scheme expression that evaluates to a package; this is useful when
10242 disambiguating among several same-named packages or package variants is
10245 There may be zero or more @var{options}. The available options are
10246 described in the subsections below.
10249 * Common Build Options:: Build options for most commands.
10250 * Package Transformation Options:: Creating variants of packages.
10251 * Additional Build Options:: Options specific to 'guix build'.
10252 * Debugging Build Failures:: Real life packaging experience.
10255 @node Common Build Options
10256 @subsection Common Build Options
10258 A number of options that control the build process are common to
10259 @command{guix build} and other commands that can spawn builds, such as
10260 @command{guix package} or @command{guix archive}. These are the
10265 @item --load-path=@var{directory}
10266 @itemx -L @var{directory}
10267 Add @var{directory} to the front of the package module search path
10268 (@pxref{Package Modules}).
10270 This allows users to define their own packages and make them visible to
10271 the command-line tools.
10273 @item --keep-failed
10275 Keep the build tree of failed builds. Thus, if a build fails, its build
10276 tree is kept under @file{/tmp}, in a directory whose name is shown at
10277 the end of the build log. This is useful when debugging build issues.
10278 @xref{Debugging Build Failures}, for tips and tricks on how to debug
10281 This option implies @option{--no-offload}, and it has no effect when
10282 connecting to a remote daemon with a @code{guix://} URI (@pxref{The
10283 Store, the @env{GUIX_DAEMON_SOCKET} variable}).
10287 Keep going when some of the derivations fail to build; return only once
10288 all the builds have either completed or failed.
10290 The default behavior is to stop as soon as one of the specified
10291 derivations has failed.
10295 Do not build the derivations.
10297 @anchor{fallback-option}
10299 When substituting a pre-built binary fails, fall back to building
10300 packages locally (@pxref{Substitution Failure}).
10302 @item --substitute-urls=@var{urls}
10303 @anchor{client-substitute-urls}
10304 Consider @var{urls} the whitespace-separated list of substitute source
10305 URLs, overriding the default list of URLs of @command{guix-daemon}
10306 (@pxref{daemon-substitute-urls,, @command{guix-daemon} URLs}).
10308 This means that substitutes may be downloaded from @var{urls}, provided
10309 they are signed by a key authorized by the system administrator
10310 (@pxref{Substitutes}).
10312 When @var{urls} is the empty string, substitutes are effectively
10315 @item --no-substitutes
10316 Do not use substitutes for build products. That is, always build things
10317 locally instead of allowing downloads of pre-built binaries
10318 (@pxref{Substitutes}).
10321 Do not ``graft'' packages. In practice, this means that package updates
10322 available as grafts are not applied. @xref{Security Updates}, for more
10323 information on grafts.
10325 @item --rounds=@var{n}
10326 Build each derivation @var{n} times in a row, and raise an error if
10327 consecutive build results are not bit-for-bit identical.
10329 This is a useful way to detect non-deterministic builds processes.
10330 Non-deterministic build processes are a problem because they make it
10331 practically impossible for users to @emph{verify} whether third-party
10332 binaries are genuine. @xref{Invoking guix challenge}, for more.
10334 When used in conjunction with @option{--keep-failed}, the differing
10335 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
10336 This makes it easy to look for differences between the two results.
10339 Do not use offload builds to other machines (@pxref{Daemon Offload
10340 Setup}). That is, always build things locally instead of offloading
10341 builds to remote machines.
10343 @item --max-silent-time=@var{seconds}
10344 When the build or substitution process remains silent for more than
10345 @var{seconds}, terminate it and report a build failure.
10347 By default, the daemon's setting is honored (@pxref{Invoking
10348 guix-daemon, @option{--max-silent-time}}).
10350 @item --timeout=@var{seconds}
10351 Likewise, when the build or substitution process lasts for more than
10352 @var{seconds}, terminate it and report a build failure.
10354 By default, the daemon's setting is honored (@pxref{Invoking
10355 guix-daemon, @option{--timeout}}).
10357 @c Note: This option is actually not part of %standard-build-options but
10358 @c most programs honor it.
10359 @cindex verbosity, of the command-line tools
10360 @cindex build logs, verbosity
10361 @item -v @var{level}
10362 @itemx --verbosity=@var{level}
10363 Use the given verbosity @var{level}, an integer. Choosing 0 means that
10364 no output is produced, 1 is for quiet output; 2 is similar to 1 but it
10365 additionally displays download URLs; 3 shows all the build log output on
10368 @item --cores=@var{n}
10370 Allow the use of up to @var{n} CPU cores for the build. The special
10371 value @code{0} means to use as many CPU cores as available.
10373 @item --max-jobs=@var{n}
10375 Allow at most @var{n} build jobs in parallel. @xref{Invoking
10376 guix-daemon, @option{--max-jobs}}, for details about this option and the
10377 equivalent @command{guix-daemon} option.
10379 @item --debug=@var{level}
10380 Produce debugging output coming from the build daemon. @var{level} must be an
10381 integer between 0 and 5; higher means more verbose output. Setting a level of
10382 4 or more may be helpful when debugging setup issues with the build daemon.
10386 Behind the scenes, @command{guix build} is essentially an interface to
10387 the @code{package-derivation} procedure of the @code{(guix packages)}
10388 module, and to the @code{build-derivations} procedure of the @code{(guix
10389 derivations)} module.
10391 In addition to options explicitly passed on the command line,
10392 @command{guix build} and other @command{guix} commands that support
10393 building honor the @env{GUIX_BUILD_OPTIONS} environment variable.
10395 @defvr {Environment Variable} GUIX_BUILD_OPTIONS
10396 Users can define this variable to a list of command line options that
10397 will automatically be used by @command{guix build} and other
10398 @command{guix} commands that can perform builds, as in the example
10402 $ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar"
10405 These options are parsed independently, and the result is appended to
10406 the parsed command-line options.
10410 @node Package Transformation Options
10411 @subsection Package Transformation Options
10413 @cindex package variants
10414 Another set of command-line options supported by @command{guix build}
10415 and also @command{guix package} are @dfn{package transformation
10416 options}. These are options that make it possible to define @dfn{package
10417 variants}---for instance, packages built from different source code.
10418 This is a convenient way to create customized packages on the fly
10419 without having to type in the definitions of package variants
10420 (@pxref{Defining Packages}).
10422 Package transformation options are preserved across upgrades:
10423 @command{guix upgrade} attempts to apply transformation options
10424 initially used when creating the profile to the upgraded packages.
10426 The available options are listed below. Most commands support them and
10427 also support a @option{--help-transform} option that lists all the
10428 available options and a synopsis (these options are not shown in the
10429 @option{--help} output for brevity).
10433 @item --with-source=@var{source}
10434 @itemx --with-source=@var{package}=@var{source}
10435 @itemx --with-source=@var{package}@@@var{version}=@var{source}
10436 Use @var{source} as the source of @var{package}, and @var{version} as
10437 its version number.
10438 @var{source} must be a file name or a URL, as for @command{guix
10439 download} (@pxref{Invoking guix download}).
10441 When @var{package} is omitted,
10442 it is taken to be the package name specified on the
10443 command line that matches the base of @var{source}---e.g.,
10444 if @var{source} is @code{/src/guile-2.0.10.tar.gz}, the corresponding
10445 package is @code{guile}.
10447 Likewise, when @var{version} is omitted, the version string is inferred from
10448 @var{source}; in the previous example, it is @code{2.0.10}.
10450 This option allows users to try out versions of packages other than the
10451 one provided by the distribution. The example below downloads
10452 @file{ed-1.7.tar.gz} from a GNU mirror and uses that as the source for
10453 the @code{ed} package:
10456 guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz
10459 As a developer, @option{--with-source} makes it easy to test release
10463 guix build guile --with-source=../guile-2.0.9.219-e1bb7.tar.xz
10466 @dots{} or to build from a checkout in a pristine environment:
10469 $ git clone git://git.sv.gnu.org/guix.git
10470 $ guix build guix --with-source=guix@@1.0=./guix
10473 @item --with-input=@var{package}=@var{replacement}
10474 Replace dependency on @var{package} by a dependency on
10475 @var{replacement}. @var{package} must be a package name, and
10476 @var{replacement} must be a package specification such as @code{guile}
10477 or @code{guile@@1.8}.
10479 For instance, the following command builds Guix, but replaces its
10480 dependency on the current stable version of Guile with a dependency on
10481 the legacy version of Guile, @code{guile@@2.0}:
10484 guix build --with-input=guile=guile@@2.0 guix
10487 This is a recursive, deep replacement. So in this example, both
10488 @code{guix} and its dependency @code{guile-json} (which also depends on
10489 @code{guile}) get rebuilt against @code{guile@@2.0}.
10491 This is implemented using the @code{package-input-rewriting} Scheme
10492 procedure (@pxref{Defining Packages, @code{package-input-rewriting}}).
10494 @item --with-graft=@var{package}=@var{replacement}
10495 This is similar to @option{--with-input} but with an important difference:
10496 instead of rebuilding the whole dependency chain, @var{replacement} is
10497 built and then @dfn{grafted} onto the binaries that were initially
10498 referring to @var{package}. @xref{Security Updates}, for more
10499 information on grafts.
10501 For example, the command below grafts version 3.5.4 of GnuTLS onto Wget
10502 and all its dependencies, replacing references to the version of GnuTLS
10503 they currently refer to:
10506 guix build --with-graft=gnutls=gnutls@@3.5.4 wget
10509 This has the advantage of being much faster than rebuilding everything.
10510 But there is a caveat: it works if and only if @var{package} and
10511 @var{replacement} are strictly compatible---for example, if they provide
10512 a library, the application binary interface (ABI) of those libraries
10513 must be compatible. If @var{replacement} is somehow incompatible with
10514 @var{package}, then the resulting package may be unusable. Use with
10517 @cindex debugging info, rebuilding
10518 @item --with-debug-info=@var{package}
10519 Build @var{package} in a way that preserves its debugging info and graft
10520 it onto packages that depend on it. This is useful if @var{package}
10521 does not already provide debugging info as a @code{debug} output
10522 (@pxref{Installing Debugging Files}).
10524 For example, suppose you're experiencing a crash in Inkscape and would
10525 like to see what's up in GLib, a library deep down in Inkscape's
10526 dependency graph. GLib lacks a @code{debug} output, so debugging is
10527 tough. Fortunately, you rebuild GLib with debugging info and tack it on
10531 guix install inkscape --with-debug-info=glib
10534 Only GLib needs to be recompiled so this takes a reasonable amount of
10535 time. @xref{Installing Debugging Files}, for more info.
10538 Under the hood, this option works by passing the @samp{#:strip-binaries?
10539 #f} to the build system of the package of interest (@pxref{Build
10540 Systems}). Most build systems support that option but some do not. In
10541 that case, an error is raised.
10543 Likewise, if a C/C++ package is built without @code{-g} (which is rarely
10544 the case), debugging info will remain unavailable even when
10545 @code{#:strip-binaries?} is false.
10548 @cindex tool chain, changing the build tool chain of a package
10549 @item --with-c-toolchain=@var{package}=@var{toolchain}
10550 This option changes the compilation of @var{package} and everything that
10551 depends on it so that they get built with @var{toolchain} instead of the
10552 default GNU tool chain for C/C++.
10554 Consider this example:
10557 guix build octave-cli \
10558 --with-c-toolchain=fftw=gcc-toolchain@@10 \
10559 --with-c-toolchain=fftwf=gcc-toolchain@@10
10562 The command above builds a variant of the @code{fftw} and @code{fftwf}
10563 packages using version 10 of @code{gcc-toolchain} instead of the default
10564 tool chain, and then builds a variant of the GNU@tie{}Octave
10565 command-line interface using them. GNU@tie{}Octave itself is also built
10566 with @code{gcc-toolchain@@10}.
10568 This other example builds the Hardware Locality (@code{hwloc}) library
10569 and its dependents up to @code{intel-mpi-benchmarks} with the Clang C
10573 guix build --with-c-toolchain=hwloc=clang-toolchain \
10574 intel-mpi-benchmarks
10578 There can be application binary interface (ABI) incompatibilities among
10579 tool chains. This is particularly true of the C++ standard library and
10580 run-time support libraries such as that of OpenMP@. By rebuilding all
10581 dependents with the same tool chain, @option{--with-c-toolchain} minimizes
10582 the risks of incompatibility but cannot entirely eliminate them. Choose
10583 @var{package} wisely.
10586 @item --with-git-url=@var{package}=@var{url}
10587 @cindex Git, using the latest commit
10588 @cindex latest commit, building
10589 Build @var{package} from the latest commit of the @code{master} branch of the
10590 Git repository at @var{url}. Git sub-modules of the repository are fetched,
10593 For example, the following command builds the NumPy Python library against the
10594 latest commit of the master branch of Python itself:
10597 guix build python-numpy \
10598 --with-git-url=python=https://github.com/python/cpython
10601 This option can also be combined with @option{--with-branch} or
10602 @option{--with-commit} (see below).
10604 @cindex continuous integration
10605 Obviously, since it uses the latest commit of the given branch, the result of
10606 such a command varies over time. Nevertheless it is a convenient way to
10607 rebuild entire software stacks against the latest commit of one or more
10608 packages. This is particularly useful in the context of continuous
10611 Checkouts are kept in a cache under @file{~/.cache/guix/checkouts} to speed up
10612 consecutive accesses to the same repository. You may want to clean it up once
10613 in a while to save disk space.
10615 @item --with-branch=@var{package}=@var{branch}
10616 Build @var{package} from the latest commit of @var{branch}. If the
10617 @code{source} field of @var{package} is an origin with the @code{git-fetch}
10618 method (@pxref{origin Reference}) or a @code{git-checkout} object, the
10619 repository URL is taken from that @code{source}. Otherwise you have to use
10620 @option{--with-git-url} to specify the URL of the Git repository.
10622 For instance, the following command builds @code{guile-sqlite3} from the
10623 latest commit of its @code{master} branch, and then builds @code{guix} (which
10624 depends on it) and @code{cuirass} (which depends on @code{guix}) against this
10625 specific @code{guile-sqlite3} build:
10628 guix build --with-branch=guile-sqlite3=master cuirass
10631 @item --with-commit=@var{package}=@var{commit}
10632 This is similar to @option{--with-branch}, except that it builds from
10633 @var{commit} rather than the tip of a branch. @var{commit} must be a valid
10634 Git commit SHA1 identifier or a tag.
10636 @item --with-patch=@var{package}=@var{file}
10637 Add @var{file} to the list of patches applied to @var{package}, where
10638 @var{package} is a spec such as @code{python@@3.8} or @code{glibc}.
10639 @var{file} must contain a patch; it is applied with the flags specified
10640 in the @code{origin} of @var{package} (@pxref{origin Reference}), which
10641 by default includes @code{-p1} (@pxref{patch Directories,,, diffutils,
10642 Comparing and Merging Files}).
10644 As an example, the command below rebuilds Coreutils with the GNU C
10645 Library (glibc) patched with the given patch:
10648 guix build coreutils --with-patch=glibc=./glibc-frob.patch
10651 In this example, glibc itself as well as everything that leads to
10652 Coreutils in the dependency graph is rebuilt.
10654 @cindex upstream, latest version
10655 @item --with-latest=@var{package}
10656 So you like living on the bleeding edge? This option is for you! It
10657 replaces occurrences of @var{package} in the dependency graph with its
10658 latest upstream version, as reported by @command{guix refresh}
10659 (@pxref{Invoking guix refresh}).
10661 It does so by determining the latest upstream release of @var{package}
10662 (if possible), downloading it, and authenticating it @emph{if} it comes
10663 with an OpenPGP signature.
10665 As an example, the command below builds Guix against the latest version
10669 guix build guix --with-latest=guile-json
10672 There are limitations. First, in cases where the tool cannot or does
10673 not know how to authenticate source code, you are at risk of running
10674 malicious code; a warning is emitted in this case. Second, this option
10675 simply changes the source used in the existing package definitions,
10676 which is not always sufficient: there might be additional dependencies
10677 that need to be added, patches to apply, and more generally the quality
10678 assurance work that Guix developers normally do will be missing.
10680 You've been warned! In all the other cases, it's a snappy way to stay
10681 on top. We encourage you to submit patches updating the actual package
10682 definitions once you have successfully tested an upgrade
10683 (@pxref{Contributing}).
10685 @cindex test suite, skipping
10686 @item --without-tests=@var{package}
10687 Build @var{package} without running its tests. This can be useful in
10688 situations where you want to skip the lengthy test suite of a
10689 intermediate package, or if a package's test suite fails in a
10690 non-deterministic fashion. It should be used with care because running
10691 the test suite is a good way to ensure a package is working as intended.
10693 Turning off tests leads to a different store item. Consequently, when
10694 using this option, anything that depends on @var{package} must be
10695 rebuilt, as in this example:
10698 guix install --without-tests=python python-notebook
10701 The command above installs @code{python-notebook} on top of
10702 @code{python} built without running its test suite. To do so, it also
10703 rebuilds everything that depends on @code{python}, including
10704 @code{python-notebook} itself.
10706 Internally, @option{--without-tests} relies on changing the
10707 @code{#:tests?} option of a package's @code{check} phase (@pxref{Build
10708 Systems}). Note that some packages use a customized @code{check} phase
10709 that does not respect a @code{#:tests? #f} setting. Therefore,
10710 @option{--without-tests} has no effect on these packages.
10714 Wondering how to achieve the same effect using Scheme code, for example
10715 in your manifest, or how to write your own package transformation?
10716 @xref{Defining Package Variants}, for an overview of the programming
10717 interfaces available.
10719 @node Additional Build Options
10720 @subsection Additional Build Options
10722 The command-line options presented below are specific to @command{guix
10729 Build quietly, without displaying the build log; this is equivalent to
10730 @option{--verbosity=0}. Upon completion, the build log is kept in @file{/var}
10731 (or similar) and can always be retrieved using the @option{--log-file} option.
10733 @item --file=@var{file}
10734 @itemx -f @var{file}
10735 Build the package, derivation, or other file-like object that the code within
10736 @var{file} evaluates to (@pxref{G-Expressions, file-like objects}).
10738 As an example, @var{file} might contain a package definition like this
10739 (@pxref{Defining Packages}):
10742 @include package-hello.scm
10745 The @var{file} may also contain a JSON representation of one or more
10746 package definitions. Running @code{guix build -f} on @file{hello.json}
10747 with the following contents would result in building the packages
10748 @code{myhello} and @code{greeter}:
10751 @verbatiminclude package-hello.json
10754 @item --manifest=@var{manifest}
10755 @itemx -m @var{manifest}
10756 Build all packages listed in the given @var{manifest}
10757 (@pxref{profile-manifest, @option{--manifest}}).
10759 @item --expression=@var{expr}
10760 @itemx -e @var{expr}
10761 Build the package or derivation @var{expr} evaluates to.
10763 For example, @var{expr} may be @code{(@@ (gnu packages guile)
10764 guile-1.8)}, which unambiguously designates this specific variant of
10765 version 1.8 of Guile.
10767 Alternatively, @var{expr} may be a G-expression, in which case it is used
10768 as a build program passed to @code{gexp->derivation}
10769 (@pxref{G-Expressions}).
10771 Lastly, @var{expr} may refer to a zero-argument monadic procedure
10772 (@pxref{The Store Monad}). The procedure must return a derivation as a
10773 monadic value, which is then passed through @code{run-with-store}.
10777 Build the source derivations of the packages, rather than the packages
10780 For instance, @code{guix build -S gcc} returns something like
10781 @file{/gnu/store/@dots{}-gcc-4.7.2.tar.bz2}, which is the GCC
10784 The returned source tarball is the result of applying any patches and
10785 code snippets specified in the package @code{origin} (@pxref{Defining
10788 @cindex source, verification
10789 As with other derivations, the result of building a source derivation
10790 can be verified using the @option{--check} option (@pxref{build-check}).
10791 This is useful to validate that a (potentially already built or
10792 substituted, thus cached) package source matches against its declared
10795 Note that @command{guix build -S} compiles the sources only of the
10796 specified packages. They do not include the sources of statically
10797 linked dependencies and by themselves are insufficient for reproducing
10801 Fetch and return the source of @var{package-or-derivation} and all their
10802 dependencies, recursively. This is a handy way to obtain a local copy
10803 of all the source code needed to build @var{packages}, allowing you to
10804 eventually build them even without network access. It is an extension
10805 of the @option{--source} option and can accept one of the following
10806 optional argument values:
10810 This value causes the @option{--sources} option to behave in the same way
10811 as the @option{--source} option.
10814 Build the source derivations of all packages, including any source that
10815 might be listed as @code{inputs}. This is the default value.
10818 $ guix build --sources tzdata
10819 The following derivations will be built:
10820 /gnu/store/@dots{}-tzdata2015b.tar.gz.drv
10821 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
10825 Build the source derivations of all packages, as well of all transitive
10826 inputs to the packages. This can be used e.g.@: to
10827 prefetch package source for later offline building.
10830 $ guix build --sources=transitive tzdata
10831 The following derivations will be built:
10832 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
10833 /gnu/store/@dots{}-findutils-4.4.2.tar.xz.drv
10834 /gnu/store/@dots{}-grep-2.21.tar.xz.drv
10835 /gnu/store/@dots{}-coreutils-8.23.tar.xz.drv
10836 /gnu/store/@dots{}-make-4.1.tar.xz.drv
10837 /gnu/store/@dots{}-bash-4.3.tar.xz.drv
10843 @item --system=@var{system}
10844 @itemx -s @var{system}
10845 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
10846 the system type of the build host. The @command{guix build} command allows
10847 you to repeat this option several times, in which case it builds for all the
10848 specified systems; other commands ignore extraneous @option{-s} options.
10851 The @option{--system} flag is for @emph{native} compilation and must not
10852 be confused with cross-compilation. See @option{--target} below for
10853 information on cross-compilation.
10856 An example use of this is on Linux-based systems, which can emulate
10857 different personalities. For instance, passing
10858 @option{--system=i686-linux} on an @code{x86_64-linux} system or
10859 @option{--system=armhf-linux} on an @code{aarch64-linux} system allows
10860 you to build packages in a complete 32-bit environment.
10863 Building for an @code{armhf-linux} system is unconditionally enabled on
10864 @code{aarch64-linux} machines, although certain aarch64 chipsets do not
10865 allow for this functionality, notably the ThunderX.
10868 Similarly, when transparent emulation with QEMU and @code{binfmt_misc}
10869 is enabled (@pxref{Virtualization Services,
10870 @code{qemu-binfmt-service-type}}), you can build for any system for
10871 which a QEMU @code{binfmt_misc} handler is installed.
10873 Builds for a system other than that of the machine you are using can
10874 also be offloaded to a remote machine of the right architecture.
10875 @xref{Daemon Offload Setup}, for more information on offloading.
10877 @item --target=@var{triplet}
10878 @cindex cross-compilation
10879 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
10880 as @code{"aarch64-linux-gnu"} (@pxref{Specifying Target Triplets, GNU
10881 configuration triplets,, autoconf, Autoconf}).
10883 @anchor{build-check}
10885 @cindex determinism, checking
10886 @cindex reproducibility, checking
10887 Rebuild @var{package-or-derivation}, which are already available in the
10888 store, and raise an error if the build results are not bit-for-bit
10891 This mechanism allows you to check whether previously installed
10892 substitutes are genuine (@pxref{Substitutes}), or whether the build result
10893 of a package is deterministic. @xref{Invoking guix challenge}, for more
10894 background information and tools.
10896 When used in conjunction with @option{--keep-failed}, the differing
10897 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
10898 This makes it easy to look for differences between the two results.
10901 @cindex repairing store items
10902 @cindex corruption, recovering from
10903 Attempt to repair the specified store items, if they are corrupt, by
10904 re-downloading or rebuilding them.
10906 This operation is not atomic and thus restricted to @code{root}.
10908 @item --derivations
10910 Return the derivation paths, not the output paths, of the given
10913 @item --root=@var{file}
10914 @itemx -r @var{file}
10915 @cindex GC roots, adding
10916 @cindex garbage collector roots, adding
10917 Make @var{file} a symlink to the result, and register it as a garbage
10920 Consequently, the results of this @command{guix build} invocation are
10921 protected from garbage collection until @var{file} is removed. When
10922 that option is omitted, build results are eligible for garbage
10923 collection as soon as the build completes. @xref{Invoking guix gc}, for
10927 @cindex build logs, access
10928 Return the build log file names or URLs for the given
10929 @var{package-or-derivation}, or raise an error if build logs are
10932 This works regardless of how packages or derivations are specified. For
10933 instance, the following invocations are equivalent:
10936 guix build --log-file $(guix build -d guile)
10937 guix build --log-file $(guix build guile)
10938 guix build --log-file guile
10939 guix build --log-file -e '(@@ (gnu packages guile) guile-2.0)'
10942 If a log is unavailable locally, and unless @option{--no-substitutes} is
10943 passed, the command looks for a corresponding log on one of the
10944 substitute servers (as specified with @option{--substitute-urls}).
10946 So for instance, imagine you want to see the build log of GDB on MIPS,
10947 but you are actually on an @code{x86_64} machine:
10950 $ guix build --log-file gdb -s aarch64-linux
10951 https://@value{SUBSTITUTE-SERVER-1}/log/@dots{}-gdb-7.10
10954 You can freely access a huge library of build logs!
10957 @node Debugging Build Failures
10958 @subsection Debugging Build Failures
10960 @cindex build failures, debugging
10961 When defining a new package (@pxref{Defining Packages}), you will
10962 probably find yourself spending some time debugging and tweaking the
10963 build until it succeeds. To do that, you need to operate the build
10964 commands yourself in an environment as close as possible to the one the
10967 To that end, the first thing to do is to use the @option{--keep-failed}
10968 or @option{-K} option of @command{guix build}, which will keep the
10969 failed build tree in @file{/tmp} or whatever directory you specified as
10970 @env{TMPDIR} (@pxref{Common Build Options, @option{--keep-failed}}).
10972 From there on, you can @command{cd} to the failed build tree and source
10973 the @file{environment-variables} file, which contains all the
10974 environment variable definitions that were in place when the build
10975 failed. So let's say you're debugging a build failure in package
10976 @code{foo}; a typical session would look like this:
10979 $ guix build foo -K
10980 @dots{} @i{build fails}
10981 $ cd /tmp/guix-build-foo.drv-0
10982 $ source ./environment-variables
10986 Now, you can invoke commands as if you were the daemon (almost) and
10987 troubleshoot your build process.
10989 Sometimes it happens that, for example, a package's tests pass when you
10990 run them manually but they fail when the daemon runs them. This can
10991 happen because the daemon runs builds in containers where, unlike in our
10992 environment above, network access is missing, @file{/bin/sh} does not
10993 exist, etc. (@pxref{Build Environment Setup}).
10995 In such cases, you may need to run inspect the build process from within
10996 a container similar to the one the build daemon creates:
10999 $ guix build -K foo
11001 $ cd /tmp/guix-build-foo.drv-0
11002 $ guix environment --no-grafts -C foo --ad-hoc strace gdb
11003 [env]# source ./environment-variables
11007 Here, @command{guix environment -C} creates a container and spawns a new
11008 shell in it (@pxref{Invoking guix environment}). The @command{--ad-hoc
11009 strace gdb} part adds the @command{strace} and @command{gdb} commands to
11010 the container, which you may find handy while debugging. The
11011 @option{--no-grafts} option makes sure we get the exact same
11012 environment, with ungrafted packages (@pxref{Security Updates}, for more
11015 To get closer to a container like that used by the build daemon, we can
11016 remove @file{/bin/sh}:
11022 (Don't worry, this is harmless: this is all happening in the throw-away
11023 container created by @command{guix environment}.)
11025 The @command{strace} command is probably not in the search path, but we
11029 [env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check
11032 In this way, not only you will have reproduced the environment variables
11033 the daemon uses, you will also be running the build process in a container
11034 similar to the one the daemon uses.
11037 @node Invoking guix edit
11038 @section Invoking @command{guix edit}
11040 @cindex @command{guix edit}
11041 @cindex package definition, editing
11042 So many packages, so many source files! The @command{guix edit} command
11043 facilitates the life of users and packagers by pointing their editor at
11044 the source file containing the definition of the specified packages.
11048 guix edit gcc@@4.9 vim
11052 launches the program specified in the @env{VISUAL} or in the
11053 @env{EDITOR} environment variable to view the recipe of GCC@tie{}4.9.3
11056 If you are using a Guix Git checkout (@pxref{Building from Git}), or
11057 have created your own packages on @env{GUIX_PACKAGE_PATH}
11058 (@pxref{Package Modules}), you will be able to edit the package
11059 recipes. In other cases, you will be able to examine the read-only recipes
11060 for packages currently in the store.
11062 Instead of @env{GUIX_PACKAGE_PATH}, the command-line option
11063 @option{--load-path=@var{directory}} (or in short @option{-L
11064 @var{directory}}) allows you to add @var{directory} to the front of the
11065 package module search path and so make your own packages visible.
11067 @node Invoking guix download
11068 @section Invoking @command{guix download}
11070 @cindex @command{guix download}
11071 @cindex downloading package sources
11072 When writing a package definition, developers typically need to download
11073 a source tarball, compute its SHA256 hash, and write that
11074 hash in the package definition (@pxref{Defining Packages}). The
11075 @command{guix download} tool helps with this task: it downloads a file
11076 from the given URI, adds it to the store, and prints both its file name
11077 in the store and its SHA256 hash.
11079 The fact that the downloaded file is added to the store saves bandwidth:
11080 when the developer eventually tries to build the newly defined package
11081 with @command{guix build}, the source tarball will not have to be
11082 downloaded again because it is already in the store. It is also a
11083 convenient way to temporarily stash files, which may be deleted
11084 eventually (@pxref{Invoking guix gc}).
11086 The @command{guix download} command supports the same URIs as used in
11087 package definitions. In particular, it supports @code{mirror://} URIs.
11088 @code{https} URIs (HTTP over TLS) are supported @emph{provided} the
11089 Guile bindings for GnuTLS are available in the user's environment; when
11090 they are not available, an error is raised. @xref{Guile Preparations,
11091 how to install the GnuTLS bindings for Guile,, gnutls-guile,
11092 GnuTLS-Guile}, for more information.
11094 @command{guix download} verifies HTTPS server certificates by loading
11095 the certificates of X.509 authorities from the directory pointed to by
11096 the @env{SSL_CERT_DIR} environment variable (@pxref{X.509
11097 Certificates}), unless @option{--no-check-certificate} is used.
11099 The following options are available:
11102 @item --hash=@var{algorithm}
11103 @itemx -H @var{algorithm}
11104 Compute a hash using the specified @var{algorithm}. @xref{Invoking guix
11105 hash}, for more information.
11107 @item --format=@var{fmt}
11108 @itemx -f @var{fmt}
11109 Write the hash in the format specified by @var{fmt}. For more
11110 information on the valid values for @var{fmt}, @pxref{Invoking guix hash}.
11112 @item --no-check-certificate
11113 Do not validate the X.509 certificates of HTTPS servers.
11115 When using this option, you have @emph{absolutely no guarantee} that you
11116 are communicating with the authentic server responsible for the given
11117 URL, which makes you vulnerable to ``man-in-the-middle'' attacks.
11119 @item --output=@var{file}
11120 @itemx -o @var{file}
11121 Save the downloaded file to @var{file} instead of adding it to the
11125 @node Invoking guix hash
11126 @section Invoking @command{guix hash}
11128 @cindex @command{guix hash}
11129 The @command{guix hash} command computes the hash of a file.
11130 It is primarily a convenience tool for anyone contributing to the
11131 distribution: it computes the cryptographic hash of a file, which can be
11132 used in the definition of a package (@pxref{Defining Packages}).
11134 The general syntax is:
11137 guix hash @var{option} @var{file}
11140 When @var{file} is @code{-} (a hyphen), @command{guix hash} computes the
11141 hash of data read from standard input. @command{guix hash} has the
11146 @item --hash=@var{algorithm}
11147 @itemx -H @var{algorithm}
11148 Compute a hash using the specified @var{algorithm}, @code{sha256} by
11151 @var{algorithm} must the name of a cryptographic hash algorithm
11152 supported by Libgcrypt @i{via} Guile-Gcrypt---e.g., @code{sha512} or
11153 @code{sha3-256} (@pxref{Hash Functions,,, guile-gcrypt, Guile-Gcrypt
11154 Reference Manual}).
11156 @item --format=@var{fmt}
11157 @itemx -f @var{fmt}
11158 Write the hash in the format specified by @var{fmt}.
11160 Supported formats: @code{base64}, @code{nix-base32}, @code{base32}, @code{base16}
11161 (@code{hex} and @code{hexadecimal} can be used as well).
11163 If the @option{--format} option is not specified, @command{guix hash}
11164 will output the hash in @code{nix-base32}. This representation is used
11165 in the definitions of packages.
11169 Compute the hash on @var{file} recursively.
11171 In this case, the hash is computed on an archive containing @var{file},
11172 including its children if it is a directory. Some of the metadata of
11173 @var{file} is part of the archive; for instance, when @var{file} is a
11174 regular file, the hash is different depending on whether @var{file} is
11175 executable or not. Metadata such as time stamps has no impact on the
11176 hash (@pxref{Invoking guix archive}).
11177 @c FIXME: Replace xref above with xref to an ``Archive'' section when
11180 @item --exclude-vcs
11182 When combined with @option{--recursive}, exclude version control system
11183 directories (@file{.bzr}, @file{.git}, @file{.hg}, etc.).
11186 As an example, here is how you would compute the hash of a Git checkout,
11187 which is useful when using the @code{git-fetch} method (@pxref{origin
11191 $ git clone http://example.org/foo.git
11197 @node Invoking guix import
11198 @section Invoking @command{guix import}
11200 @cindex importing packages
11201 @cindex package import
11202 @cindex package conversion
11203 @cindex Invoking @command{guix import}
11204 The @command{guix import} command is useful for people who would like to
11205 add a package to the distribution with as little work as
11206 possible---a legitimate demand. The command knows of a few
11207 repositories from which it can ``import'' package metadata. The result
11208 is a package definition, or a template thereof, in the format we know
11209 (@pxref{Defining Packages}).
11211 The general syntax is:
11214 guix import @var{importer} @var{options}@dots{}
11217 @var{importer} specifies the source from which to import package
11218 metadata, and @var{options} specifies a package identifier and other
11219 options specific to @var{importer}.
11221 Some of the importers rely on the ability to run the @command{gpgv} command.
11222 For these, GnuPG must be installed and in @code{$PATH}; run @code{guix install
11225 Currently, the available ``importers'' are:
11229 Import metadata for the given GNU package. This provides a template
11230 for the latest version of that GNU package, including the hash of its
11231 source tarball, and its canonical synopsis and description.
11233 Additional information such as the package dependencies and its
11234 license needs to be figured out manually.
11236 For example, the following command returns a package definition for
11240 guix import gnu hello
11243 Specific command-line options are:
11246 @item --key-download=@var{policy}
11247 As for @command{guix refresh}, specify the policy to handle missing
11248 OpenPGP keys when verifying the package signature. @xref{Invoking guix
11249 refresh, @option{--key-download}}.
11254 Import metadata from the @uref{https://pypi.python.org/, Python Package
11255 Index}. Information is taken from the JSON-formatted description
11256 available at @code{pypi.python.org} and usually includes all the relevant
11257 information, including package dependencies. For maximum efficiency, it
11258 is recommended to install the @command{unzip} utility, so that the
11259 importer can unzip Python wheels and gather data from them.
11261 The command below imports metadata for the @code{itsdangerous} Python
11265 guix import pypi itsdangerous
11271 Traverse the dependency graph of the given upstream package recursively
11272 and generate package expressions for all those packages that are not yet
11278 Import metadata from @uref{https://rubygems.org/, RubyGems}. Information
11279 is taken from the JSON-formatted description available at
11280 @code{rubygems.org} and includes most relevant information, including
11281 runtime dependencies. There are some caveats, however. The metadata
11282 doesn't distinguish between synopses and descriptions, so the same string
11283 is used for both fields. Additionally, the details of non-Ruby
11284 dependencies required to build native extensions is unavailable and left
11285 as an exercise to the packager.
11287 The command below imports metadata for the @code{rails} Ruby package:
11290 guix import gem rails
11296 Traverse the dependency graph of the given upstream package recursively
11297 and generate package expressions for all those packages that are not yet
11303 Import metadata from @uref{https://www.metacpan.org/, MetaCPAN}.
11304 Information is taken from the JSON-formatted metadata provided through
11305 @uref{https://fastapi.metacpan.org/, MetaCPAN's API} and includes most
11306 relevant information, such as module dependencies. License information
11307 should be checked closely. If Perl is available in the store, then the
11308 @code{corelist} utility will be used to filter core modules out of the
11309 list of dependencies.
11311 The command command below imports metadata for the Acme::Boolean Perl
11315 guix import cpan Acme::Boolean
11320 @cindex Bioconductor
11321 Import metadata from @uref{https://cran.r-project.org/, CRAN}, the
11322 central repository for the @uref{https://r-project.org, GNU@tie{}R
11323 statistical and graphical environment}.
11325 Information is extracted from the @file{DESCRIPTION} file of the package.
11327 The command command below imports metadata for the Cairo R package:
11330 guix import cran Cairo
11333 When @option{--recursive} is added, the importer will traverse the
11334 dependency graph of the given upstream package recursively and generate
11335 package expressions for all those packages that are not yet in Guix.
11337 When @option{--style=specification} is added, the importer will generate
11338 package definitions whose inputs are package specifications instead of
11339 references to package variables. This is useful when generated package
11340 definitions are to be appended to existing user modules, as the list of
11341 used package modules need not be changed. The default is
11342 @option{--style=variable}.
11344 When @option{--archive=bioconductor} is added, metadata is imported from
11345 @uref{https://www.bioconductor.org/, Bioconductor}, a repository of R
11346 packages for the analysis and comprehension of high-throughput
11347 genomic data in bioinformatics.
11349 Information is extracted from the @file{DESCRIPTION} file contained in the
11352 The command below imports metadata for the GenomicRanges R package:
11355 guix import cran --archive=bioconductor GenomicRanges
11358 Finally, you can also import R packages that have not yet been published on
11359 CRAN or Bioconductor as long as they are in a git repository. Use
11360 @option{--archive=git} followed by the URL of the git repository:
11363 guix import cran --archive=git https://github.com/immunogenomics/harmony
11369 Import metadata from @uref{https://www.ctan.org/, CTAN}, the
11370 comprehensive TeX archive network for TeX packages that are part of the
11371 @uref{https://www.tug.org/texlive/, TeX Live distribution}.
11373 Information about the package is obtained through the XML API provided
11374 by CTAN, while the source code is downloaded from the SVN repository of
11375 the Tex Live project. This is done because the CTAN does not keep
11376 versioned archives.
11378 The command command below imports metadata for the @code{fontspec}
11382 guix import texlive fontspec
11385 When @option{--archive=@var{directory}} is added, the source code is
11386 downloaded not from the @file{latex} sub-directory of the
11387 @file{texmf-dist/source} tree in the TeX Live SVN repository, but from
11388 the specified sibling @var{directory} under the same root.
11390 The command below imports metadata for the @code{ifxetex} package from
11391 CTAN while fetching the sources from the directory
11392 @file{texmf/source/generic}:
11395 guix import texlive --archive=generic ifxetex
11399 @cindex JSON, import
11400 Import package metadata from a local JSON file. Consider the following
11401 example package definition in JSON format:
11407 "source": "mirror://gnu/hello/hello-2.10.tar.gz",
11408 "build-system": "gnu",
11409 "home-page": "https://www.gnu.org/software/hello/",
11410 "synopsis": "Hello, GNU world: An example GNU package",
11411 "description": "GNU Hello prints a greeting.",
11412 "license": "GPL-3.0+",
11413 "native-inputs": ["gettext"]
11417 The field names are the same as for the @code{<package>} record
11418 (@xref{Defining Packages}). References to other packages are provided
11419 as JSON lists of quoted package specification strings such as
11420 @code{guile} or @code{guile@@2.0}.
11422 The importer also supports a more explicit source definition using the
11423 common fields for @code{<origin>} records:
11429 "method": "url-fetch",
11430 "uri": "mirror://gnu/hello/hello-2.10.tar.gz",
11432 "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"
11439 The command below reads metadata from the JSON file @code{hello.json}
11440 and outputs a package expression:
11443 guix import json hello.json
11448 Import metadata from the Haskell community's central package archive
11449 @uref{https://hackage.haskell.org/, Hackage}. Information is taken from
11450 Cabal files and includes all the relevant information, including package
11453 Specific command-line options are:
11458 Read a Cabal file from standard input.
11459 @item --no-test-dependencies
11461 Do not include dependencies required only by the test suites.
11462 @item --cabal-environment=@var{alist}
11463 @itemx -e @var{alist}
11464 @var{alist} is a Scheme alist defining the environment in which the
11465 Cabal conditionals are evaluated. The accepted keys are: @code{os},
11466 @code{arch}, @code{impl} and a string representing the name of a flag.
11467 The value associated with a flag has to be either the symbol
11468 @code{true} or @code{false}. The value associated with other keys
11469 has to conform to the Cabal file format definition. The default value
11470 associated with the keys @code{os}, @code{arch} and @code{impl} is
11471 @samp{linux}, @samp{x86_64} and @samp{ghc}, respectively.
11474 Traverse the dependency graph of the given upstream package recursively
11475 and generate package expressions for all those packages that are not yet
11479 The command below imports metadata for the latest version of the
11480 HTTP Haskell package without including test dependencies and
11481 specifying the value of the flag @samp{network-uri} as @code{false}:
11484 guix import hackage -t -e "'((\"network-uri\" . false))" HTTP
11487 A specific package version may optionally be specified by following the
11488 package name by an at-sign and a version number as in the following example:
11491 guix import hackage mtl@@2.1.3.1
11496 The @code{stackage} importer is a wrapper around the @code{hackage} one.
11497 It takes a package name, looks up the package version included in a
11498 long-term support (LTS) @uref{https://www.stackage.org, Stackage}
11499 release and uses the @code{hackage} importer to retrieve its metadata.
11500 Note that it is up to you to select an LTS release compatible with the
11501 GHC compiler used by Guix.
11503 Specific command-line options are:
11506 @item --no-test-dependencies
11508 Do not include dependencies required only by the test suites.
11509 @item --lts-version=@var{version}
11510 @itemx -l @var{version}
11511 @var{version} is the desired LTS release version. If omitted the latest
11515 Traverse the dependency graph of the given upstream package recursively
11516 and generate package expressions for all those packages that are not yet
11520 The command below imports metadata for the HTTP Haskell package
11521 included in the LTS Stackage release version 7.18:
11524 guix import stackage --lts-version=7.18 HTTP
11529 Import metadata from an Emacs Lisp Package Archive (ELPA) package
11530 repository (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
11532 Specific command-line options are:
11535 @item --archive=@var{repo}
11536 @itemx -a @var{repo}
11537 @var{repo} identifies the archive repository from which to retrieve the
11538 information. Currently the supported repositories and their identifiers
11542 @uref{https://elpa.gnu.org/packages, GNU}, selected by the @code{gnu}
11543 identifier. This is the default.
11545 Packages from @code{elpa.gnu.org} are signed with one of the keys
11546 contained in the GnuPG keyring at
11547 @file{share/emacs/25.1/etc/package-keyring.gpg} (or similar) in the
11548 @code{emacs} package (@pxref{Package Installation, ELPA package
11549 signatures,, emacs, The GNU Emacs Manual}).
11552 @uref{https://stable.melpa.org/packages, MELPA-Stable}, selected by the
11553 @code{melpa-stable} identifier.
11556 @uref{https://melpa.org/packages, MELPA}, selected by the @code{melpa}
11562 Traverse the dependency graph of the given upstream package recursively
11563 and generate package expressions for all those packages that are not yet
11569 Import metadata from the crates.io Rust package repository
11570 @uref{https://crates.io, crates.io}, as in this example:
11573 guix import crate blake2-rfc
11576 The crate importer also allows you to specify a version string:
11579 guix import crate constant-time-eq@@0.1.0
11582 Additional options include:
11587 Traverse the dependency graph of the given upstream package recursively
11588 and generate package expressions for all those packages that are not yet
11595 Import metadata from the @uref{https://opam.ocaml.org/, OPAM} package
11596 repository used by the OCaml community.
11598 Additional options include:
11603 Traverse the dependency graph of the given upstream package recursively
11604 and generate package expressions for all those packages that are not yet
11607 Select the given repository (a repository name). Possible values include:
11609 @item @code{opam}, the default opam repository,
11610 @item @code{coq} or @code{coq-released}, the stable repository for coq packages,
11611 @item @code{coq-core-dev}, the repository that contains development versions of coq,
11612 @item @code{coq-extra-dev}, the repository that contains development versions
11619 Import metadata for a Go module using
11620 @uref{https://proxy.golang.org, proxy.golang.org}.
11623 guix import go gopkg.in/yaml.v2
11626 It is possible to use a package specification with a @code{@@VERSION}
11627 suffix to import a specific version.
11629 Additional options include:
11634 Traverse the dependency graph of the given upstream package recursively
11635 and generate package expressions for all those packages that are not yet
11637 @item --pin-versions
11638 When using this option, the importer preserves the exact versions of the
11639 Go modules dependencies instead of using their latest available
11640 versions. This can be useful when attempting to import packages that
11641 recursively depend on former versions of themselves to build. When
11642 using this mode, the symbol of the package is made by appending the
11643 version to its name, so that multiple versions of the same package can
11649 Import metadata for @uref{https://wiki.call-cc.org/eggs, CHICKEN eggs}.
11650 The information is taken from @file{PACKAGE.egg} files found in the
11651 @uref{git://code.call-cc.org/eggs-5-latest, eggs-5-latest} Git
11652 repository. However, it does not provide all the information that we
11653 need, there is no ``description'' field, and the licenses used are not
11654 always precise (BSD is often used instead of BSD-N).
11657 guix import egg sourcehut
11660 Additional options include:
11664 Traverse the dependency graph of the given upstream package recursively
11665 and generate package expressions for all those packages that are not yet
11670 The structure of the @command{guix import} code is modular. It would be
11671 useful to have more importers for other package formats, and your help
11672 is welcome here (@pxref{Contributing}).
11674 @node Invoking guix refresh
11675 @section Invoking @command{guix refresh}
11677 @cindex @command {guix refresh}
11678 The primary audience of the @command{guix refresh} command is packagers.
11679 As a user, you may be interested in the @option{--with-latest} option,
11680 which can bring you package update superpowers built upon @command{guix
11681 refresh} (@pxref{Package Transformation Options,
11682 @option{--with-latest}}). By default, @command{guix refresh} reports
11683 any packages provided by the distribution that are outdated compared to
11684 the latest upstream version, like this:
11688 gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1
11689 gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0
11692 Alternatively, one can specify packages to consider, in which case a
11693 warning is emitted for packages that lack an updater:
11696 $ guix refresh coreutils guile guile-ssh
11697 gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh
11698 gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13
11701 @command{guix refresh} browses the upstream repository of each package and determines
11702 the highest version number of the releases therein. The command
11703 knows how to update specific types of packages: GNU packages, ELPA
11704 packages, etc.---see the documentation for @option{--type} below. There
11705 are many packages, though, for which it lacks a method to determine
11706 whether a new upstream release is available. However, the mechanism is
11707 extensible, so feel free to get in touch with us to add a new method!
11712 Consider the packages specified, and all the packages upon which they depend.
11715 $ guix refresh --recursive coreutils
11716 gnu/packages/acl.scm:40:13: acl would be upgraded from 2.2.53 to 2.3.1
11717 gnu/packages/m4.scm:30:12: 1.4.18 is already the latest version of m4
11718 gnu/packages/xml.scm:68:2: warning: no updater for expat
11719 gnu/packages/multiprecision.scm:40:12: 6.1.2 is already the latest version of gmp
11725 Sometimes the upstream name differs from the package name used in Guix,
11726 and @command{guix refresh} needs a little help. Most updaters honor the
11727 @code{upstream-name} property in package definitions, which can be used
11731 (define-public network-manager
11733 (name "network-manager")
11735 (properties '((upstream-name . "NetworkManager")))))
11738 When passed @option{--update}, it modifies distribution source files to
11739 update the version numbers and source tarball hashes of those package
11740 recipes (@pxref{Defining Packages}). This is achieved by downloading
11741 each package's latest source tarball and its associated OpenPGP
11742 signature, authenticating the downloaded tarball against its signature
11743 using @command{gpgv}, and finally computing its hash---note that GnuPG must be
11744 installed and in @code{$PATH}; run @code{guix install gnupg} if needed.
11747 key used to sign the tarball is missing from the user's keyring, an
11748 attempt is made to automatically retrieve it from a public key server;
11749 when this is successful, the key is added to the user's keyring; otherwise,
11750 @command{guix refresh} reports an error.
11752 The following options are supported:
11756 @item --expression=@var{expr}
11757 @itemx -e @var{expr}
11758 Consider the package @var{expr} evaluates to.
11760 This is useful to precisely refer to a package, as in this example:
11763 guix refresh -l -e '(@@@@ (gnu packages commencement) glibc-final)'
11766 This command lists the dependents of the ``final'' libc (essentially all
11771 Update distribution source files (package recipes) in place. This is
11772 usually run from a checkout of the Guix source tree (@pxref{Running
11773 Guix Before It Is Installed}):
11776 $ ./pre-inst-env guix refresh -s non-core -u
11779 @xref{Defining Packages}, for more information on package definitions.
11781 @item --select=[@var{subset}]
11782 @itemx -s @var{subset}
11783 Select all the packages in @var{subset}, one of @code{core} or
11786 The @code{core} subset refers to all the packages at the core of the
11787 distribution---i.e., packages that are used to build ``everything
11788 else''. This includes GCC, libc, Binutils, Bash, etc. Usually,
11789 changing one of these packages in the distribution entails a rebuild of
11790 all the others. Thus, such updates are an inconvenience to users in
11791 terms of build time or bandwidth used to achieve the upgrade.
11793 The @code{non-core} subset refers to the remaining packages. It is
11794 typically useful in cases where an update of the core packages would be
11797 @item --manifest=@var{file}
11798 @itemx -m @var{file}
11799 Select all the packages from the manifest in @var{file}. This is useful to
11800 check if any packages of the user manifest can be updated.
11802 @item --type=@var{updater}
11803 @itemx -t @var{updater}
11804 Select only packages handled by @var{updater} (may be a comma-separated
11805 list of updaters). Currently, @var{updater} may be one of:
11809 the updater for GNU packages;
11811 the updater for packages hosted at @uref{https://savannah.gnu.org, Savannah};
11813 the updater for packages hosted at @uref{https://sourceforge.net, SourceForge};
11815 the updater for GNOME packages;
11817 the updater for KDE packages;
11819 the updater for X.org packages;
11821 the updater for packages hosted on kernel.org;
11823 the updater for @uref{https://wiki.call-cc.org/eggs/, Egg} packages;
11825 the updater for @uref{https://elpa.gnu.org/, ELPA} packages;
11827 the updater for @uref{https://cran.r-project.org/, CRAN} packages;
11829 the updater for @uref{https://www.bioconductor.org/, Bioconductor} R packages;
11831 the updater for @uref{https://www.cpan.org/, CPAN} packages;
11833 the updater for @uref{https://pypi.python.org, PyPI} packages.
11835 the updater for @uref{https://rubygems.org, RubyGems} packages.
11837 the updater for @uref{https://github.com, GitHub} packages.
11839 the updater for @uref{https://hackage.haskell.org, Hackage} packages.
11841 the updater for @uref{https://www.stackage.org, Stackage} packages.
11843 the updater for @uref{https://crates.io, Crates} packages.
11845 the updater for @uref{https://launchpad.net, Launchpad} packages.
11847 a generic updater that crawls the HTML page where the source tarball of
11848 the package is hosted, when applicable.
11851 For instance, the following command only checks for updates of Emacs
11852 packages hosted at @code{elpa.gnu.org} and for updates of CRAN packages:
11855 $ guix refresh --type=elpa,cran
11856 gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0
11857 gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9
11860 @item --list-updaters
11862 List available updaters and exit (see @option{--type} above).
11864 For each updater, display the fraction of packages it covers; at the
11865 end, display the fraction of packages covered by all these updaters.
11868 In addition, @command{guix refresh} can be passed one or more package
11869 names, as in this example:
11872 $ ./pre-inst-env guix refresh -u emacs idutils gcc@@4.8
11876 The command above specifically updates the @code{emacs} and
11877 @code{idutils} packages. The @option{--select} option would have no
11878 effect in this case. You might also want to update definitions that
11879 correspond to the packages installed in your profile:
11882 $ ./pre-inst-env guix refresh -u \
11883 $(guix package --list-installed | cut -f1)
11886 When considering whether to upgrade a package, it is sometimes
11887 convenient to know which packages would be affected by the upgrade and
11888 should be checked for compatibility. For this the following option may
11889 be used when passing @command{guix refresh} one or more package names:
11893 @item --list-dependent
11895 List top-level dependent packages that would need to be rebuilt as a
11896 result of upgrading one or more packages.
11898 @xref{Invoking guix graph, the @code{reverse-package} type of
11899 @command{guix graph}}, for information on how to visualize the list of
11900 dependents of a package.
11904 Be aware that the @option{--list-dependent} option only
11905 @emph{approximates} the rebuilds that would be required as a result of
11906 an upgrade. More rebuilds might be required under some circumstances.
11909 $ guix refresh --list-dependent flex
11910 Building the following 120 packages would ensure 213 dependent packages are rebuilt:
11911 hop@@2.4.0 emacs-geiser@@0.13 notmuch@@0.18 mu@@0.9.9.5 cflow@@1.4 idutils@@4.6 @dots{}
11914 The command above lists a set of packages that could be built to check
11915 for compatibility with an upgraded @code{flex} package.
11919 @item --list-transitive
11920 List all the packages which one or more packages depend upon.
11923 $ guix refresh --list-transitive flex
11924 flex@@2.6.4 depends on the following 25 packages: perl@@5.28.0 help2man@@1.47.6
11925 bison@@3.0.5 indent@@2.2.10 tar@@1.30 gzip@@1.9 bzip2@@1.0.6 xz@@5.2.4 file@@5.33 @dots{}
11930 The command above lists a set of packages which, when changed, would cause
11931 @code{flex} to be rebuilt.
11933 The following options can be used to customize GnuPG operation:
11937 @item --gpg=@var{command}
11938 Use @var{command} as the GnuPG 2.x command. @var{command} is searched
11939 for in @code{$PATH}.
11941 @item --keyring=@var{file}
11942 Use @var{file} as the keyring for upstream keys. @var{file} must be in the
11943 @dfn{keybox format}. Keybox files usually have a name ending in @file{.kbx}
11944 and the GNU@tie{}Privacy Guard (GPG) can manipulate these files
11945 (@pxref{kbxutil, @command{kbxutil},, gnupg, Using the GNU Privacy Guard}, for
11946 information on a tool to manipulate keybox files).
11948 When this option is omitted, @command{guix refresh} uses
11949 @file{~/.config/guix/upstream/trustedkeys.kbx} as the keyring for upstream
11950 signing keys. OpenPGP signatures are checked against keys from this keyring;
11951 missing keys are downloaded to this keyring as well (see
11952 @option{--key-download} below).
11954 You can export keys from your default GPG keyring into a keybox file using
11955 commands like this one:
11958 gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
11961 Likewise, you can fetch keys to a specific keybox file like this:
11964 gpg --no-default-keyring --keyring mykeyring.kbx \
11965 --recv-keys @value{OPENPGP-SIGNING-KEY-ID}
11968 @xref{GPG Configuration Options, @option{--keyring},, gnupg, Using the GNU
11969 Privacy Guard}, for more information on GPG's @option{--keyring} option.
11971 @item --key-download=@var{policy}
11972 Handle missing OpenPGP keys according to @var{policy}, which may be one
11977 Always download missing OpenPGP keys from the key server, and add them
11978 to the user's GnuPG keyring.
11981 Never try to download missing OpenPGP keys. Instead just bail out.
11984 When a package signed with an unknown OpenPGP key is encountered, ask
11985 the user whether to download it or not. This is the default behavior.
11988 @item --key-server=@var{host}
11989 Use @var{host} as the OpenPGP key server when importing a public key.
11991 @item --load-path=@var{directory}
11992 Add @var{directory} to the front of the package module search path
11993 (@pxref{Package Modules}).
11995 This allows users to define their own packages and make them visible to
11996 the command-line tools.
12000 The @code{github} updater uses the
12001 @uref{https://developer.github.com/v3/, GitHub API} to query for new
12002 releases. When used repeatedly e.g.@: when refreshing all packages,
12003 GitHub will eventually refuse to answer any further API requests. By
12004 default 60 API requests per hour are allowed, and a full refresh on all
12005 GitHub packages in Guix requires more than this. Authentication with
12006 GitHub through the use of an API token alleviates these limits. To use
12007 an API token, set the environment variable @env{GUIX_GITHUB_TOKEN} to a
12008 token procured from @uref{https://github.com/settings/tokens} or
12012 @node Invoking guix lint
12013 @section Invoking @command{guix lint}
12015 @cindex @command{guix lint}
12016 @cindex package, checking for errors
12017 The @command{guix lint} command is meant to help package developers avoid
12018 common errors and use a consistent style. It runs a number of checks on
12019 a given set of packages in order to find common mistakes in their
12020 definitions. Available @dfn{checkers} include (see
12021 @option{--list-checkers} for a complete list):
12026 Validate certain typographical and stylistic rules about package
12027 descriptions and synopses.
12029 @item inputs-should-be-native
12030 Identify inputs that should most likely be native inputs.
12036 @itemx source-file-name
12037 Probe @code{home-page} and @code{source} URLs and report those that are
12038 invalid. Suggest a @code{mirror://} URL when applicable. If the
12039 @code{source} URL redirects to a GitHub URL, recommend usage of the GitHub
12040 URL@. Check that the source file name is meaningful, e.g.@: is not just a
12041 version number or ``git-checkout'', without a declared @code{file-name}
12042 (@pxref{origin Reference}).
12044 @item source-unstable-tarball
12045 Parse the @code{source} URL to determine if a tarball from GitHub is
12046 autogenerated or if it is a release tarball. Unfortunately GitHub's
12047 autogenerated tarballs are sometimes regenerated.
12050 Check that the derivation of the given packages can be successfully
12051 computed for all the supported systems (@pxref{Derivations}).
12053 @item profile-collisions
12054 Check whether installing the given packages in a profile would lead to
12055 collisions. Collisions occur when several packages with the same name
12056 but a different version or a different store file name are propagated.
12057 @xref{package Reference, @code{propagated-inputs}}, for more information
12058 on propagated inputs.
12061 @cindex Software Heritage, source code archive
12062 @cindex archival of source code, Software Heritage
12063 Checks whether the package's source code is archived at
12064 @uref{https://www.softwareheritage.org, Software Heritage}.
12066 When the source code that is not archived comes from a version-control system
12067 (VCS)---e.g., it's obtained with @code{git-fetch}, send Software Heritage a
12068 ``save'' request so that it eventually archives it. This ensures that the
12069 source will remain available in the long term, and that Guix can fall back to
12070 Software Heritage should the source code disappear from its original host.
12071 The status of recent ``save'' requests can be
12072 @uref{https://archive.softwareheritage.org/save/#requests, viewed on-line}.
12074 When source code is a tarball obtained with @code{url-fetch}, simply print a
12075 message when it is not archived. As of this writing, Software Heritage does
12076 not allow requests to save arbitrary tarballs; we are working on ways to
12077 ensure that non-VCS source code is also archived.
12080 @uref{https://archive.softwareheritage.org/api/#rate-limiting, limits the
12081 request rate per IP address}. When the limit is reached, @command{guix lint}
12082 prints a message and the @code{archival} checker stops doing anything until
12083 that limit has been reset.
12086 @cindex security vulnerabilities
12087 @cindex CVE, Common Vulnerabilities and Exposures
12088 Report known vulnerabilities found in the Common Vulnerabilities and
12089 Exposures (CVE) databases of the current and past year
12090 @uref{https://nvd.nist.gov/vuln/data-feeds, published by the US
12093 To view information about a particular vulnerability, visit pages such as:
12097 @indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD}
12099 @indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD}
12103 where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
12104 @code{CVE-2015-7554}.
12106 Package developers can specify in package recipes the
12107 @uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)}
12108 name and version of the package when they differ from the name or version
12109 that Guix uses, as in this example:
12115 ;; CPE calls this package "grub2".
12116 (properties '((cpe-name . "grub2")
12117 (cpe-version . "2.3"))))
12120 @c See <https://www.openwall.com/lists/oss-security/2017/03/15/3>.
12121 Some entries in the CVE database do not specify which version of a
12122 package they apply to, and would thus ``stick around'' forever. Package
12123 developers who found CVE alerts and verified they can be ignored can
12124 declare them as in this example:
12130 ;; These CVEs no longer apply and can be safely ignored.
12131 (properties `((lint-hidden-cve . ("CVE-2011-0433"
12134 "CVE-2011-5244")))))
12138 Warn about obvious source code formatting issues: trailing white space,
12139 use of tabulations, etc.
12142 The general syntax is:
12145 guix lint @var{options} @var{package}@dots{}
12148 If no package is given on the command line, then all packages are checked.
12149 The @var{options} may be zero or more of the following:
12152 @item --list-checkers
12154 List and describe all the available checkers that will be run on packages
12159 Only enable the checkers specified in a comma-separated list using the
12160 names returned by @option{--list-checkers}.
12164 Only disable the checkers specified in a comma-separated list using the
12165 names returned by @option{--list-checkers}.
12169 Only enable the checkers that do not depend on Internet access.
12171 @item --load-path=@var{directory}
12172 @itemx -L @var{directory}
12173 Add @var{directory} to the front of the package module search path
12174 (@pxref{Package Modules}).
12176 This allows users to define their own packages and make them visible to
12177 the command-line tools.
12181 @node Invoking guix size
12182 @section Invoking @command{guix size}
12185 @cindex package size
12187 @cindex @command{guix size}
12188 The @command{guix size} command helps package developers profile the
12189 disk usage of packages. It is easy to overlook the impact of an
12190 additional dependency added to a package, or the impact of using a
12191 single output for a package that could easily be split (@pxref{Packages
12192 with Multiple Outputs}). Such are the typical issues that
12193 @command{guix size} can highlight.
12195 The command can be passed one or more package specifications
12196 such as @code{gcc@@4.8}
12197 or @code{guile:debug}, or a file name in the store. Consider this
12201 $ guix size coreutils
12202 store item total self
12203 /gnu/store/@dots{}-gcc-5.5.0-lib 60.4 30.1 38.1%
12204 /gnu/store/@dots{}-glibc-2.27 30.3 28.8 36.6%
12205 /gnu/store/@dots{}-coreutils-8.28 78.9 15.0 19.0%
12206 /gnu/store/@dots{}-gmp-6.1.2 63.1 2.7 3.4%
12207 /gnu/store/@dots{}-bash-static-4.4.12 1.5 1.5 1.9%
12208 /gnu/store/@dots{}-acl-2.2.52 61.1 0.4 0.5%
12209 /gnu/store/@dots{}-attr-2.4.47 60.6 0.2 0.3%
12210 /gnu/store/@dots{}-libcap-2.25 60.5 0.2 0.2%
12215 The store items listed here constitute the @dfn{transitive closure} of
12216 Coreutils---i.e., Coreutils and all its dependencies, recursively---as
12217 would be returned by:
12220 $ guix gc -R /gnu/store/@dots{}-coreutils-8.23
12223 Here the output shows three columns next to store items. The first column,
12224 labeled ``total'', shows the size in mebibytes (MiB) of the closure of
12225 the store item---that is, its own size plus the size of all its
12226 dependencies. The next column, labeled ``self'', shows the size of the
12227 item itself. The last column shows the ratio of the size of the item
12228 itself to the space occupied by all the items listed here.
12230 In this example, we see that the closure of Coreutils weighs in at
12231 79@tie{}MiB, most of which is taken by libc and GCC's run-time support
12232 libraries. (That libc and GCC's libraries represent a large fraction of
12233 the closure is not a problem @i{per se} because they are always available
12234 on the system anyway.)
12236 Since the command also accepts store file names, assessing the size of
12237 a build result is straightforward:
12240 guix size $(guix system build config.scm)
12243 When the package(s) passed to @command{guix size} are available in the
12244 store@footnote{More precisely, @command{guix size} looks for the
12245 @emph{ungrafted} variant of the given package(s), as returned by
12246 @code{guix build @var{package} --no-grafts}. @xref{Security Updates},
12247 for information on grafts.}, @command{guix size} queries the daemon to determine its
12248 dependencies, and measures its size in the store, similar to @command{du
12249 -ms --apparent-size} (@pxref{du invocation,,, coreutils, GNU
12252 When the given packages are @emph{not} in the store, @command{guix size}
12253 reports information based on the available substitutes
12254 (@pxref{Substitutes}). This makes it possible it to profile disk usage of
12255 store items that are not even on disk, only available remotely.
12257 You can also specify several package names:
12260 $ guix size coreutils grep sed bash
12261 store item total self
12262 /gnu/store/@dots{}-coreutils-8.24 77.8 13.8 13.4%
12263 /gnu/store/@dots{}-grep-2.22 73.1 0.8 0.8%
12264 /gnu/store/@dots{}-bash-4.3.42 72.3 4.7 4.6%
12265 /gnu/store/@dots{}-readline-6.3 67.6 1.2 1.2%
12271 In this example we see that the combination of the four packages takes
12272 102.3@tie{}MiB in total, which is much less than the sum of each closure
12273 since they have a lot of dependencies in common.
12275 When looking at the profile returned by @command{guix size}, you may
12276 find yourself wondering why a given package shows up in the profile at
12277 all. To understand it, you can use @command{guix graph --path -t
12278 references} to display the shortest path between the two packages
12279 (@pxref{Invoking guix graph}).
12281 The available options are:
12285 @item --substitute-urls=@var{urls}
12286 Use substitute information from @var{urls}.
12287 @xref{client-substitute-urls, the same option for @code{guix build}}.
12289 @item --sort=@var{key}
12290 Sort lines according to @var{key}, one of the following options:
12294 the size of each item (the default);
12296 the total size of the item's closure.
12299 @item --map-file=@var{file}
12300 Write a graphical map of disk usage in PNG format to @var{file}.
12302 For the example above, the map looks like this:
12304 @image{images/coreutils-size-map,5in,, map of Coreutils disk usage
12305 produced by @command{guix size}}
12307 This option requires that
12308 @uref{https://wingolog.org/software/guile-charting/, Guile-Charting} be
12309 installed and visible in Guile's module search path. When that is not
12310 the case, @command{guix size} fails as it tries to load it.
12312 @item --system=@var{system}
12313 @itemx -s @var{system}
12314 Consider packages for @var{system}---e.g., @code{x86_64-linux}.
12316 @item --load-path=@var{directory}
12317 @itemx -L @var{directory}
12318 Add @var{directory} to the front of the package module search path
12319 (@pxref{Package Modules}).
12321 This allows users to define their own packages and make them visible to
12322 the command-line tools.
12325 @node Invoking guix graph
12326 @section Invoking @command{guix graph}
12329 @cindex @command{guix graph}
12330 @cindex package dependencies
12331 Packages and their dependencies form a @dfn{graph}, specifically a
12332 directed acyclic graph (DAG). It can quickly become difficult to have a
12333 mental model of the package DAG, so the @command{guix graph} command
12334 provides a visual representation of the DAG@. By default,
12335 @command{guix graph} emits a DAG representation in the input format of
12336 @uref{https://www.graphviz.org/, Graphviz}, so its output can be passed
12337 directly to the @command{dot} command of Graphviz. It can also emit an
12338 HTML page with embedded JavaScript code to display a ``chord diagram''
12339 in a Web browser, using the @uref{https://d3js.org/, d3.js} library, or
12340 emit Cypher queries to construct a graph in a graph database supporting
12341 the @uref{https://www.opencypher.org/, openCypher} query language. With
12342 @option{--path}, it simply displays the shortest path between two
12343 packages. The general syntax is:
12346 guix graph @var{options} @var{package}@dots{}
12349 For example, the following command generates a PDF file representing the
12350 package DAG for the GNU@tie{}Core Utilities, showing its build-time
12354 guix graph coreutils | dot -Tpdf > dag.pdf
12357 The output looks like this:
12359 @image{images/coreutils-graph,2in,,Dependency graph of the GNU Coreutils}
12361 Nice little graph, no?
12363 You may find it more pleasant to navigate the graph interactively with
12364 @command{xdot} (from the @code{xdot} package):
12367 guix graph coreutils | xdot -
12370 But there is more than one graph! The one above is concise: it is the
12371 graph of package objects, omitting implicit inputs such as GCC, libc,
12372 grep, etc. It is often useful to have such a concise graph, but
12373 sometimes one may want to see more details. @command{guix graph} supports
12374 several types of graphs, allowing you to choose the level of detail:
12378 This is the default type used in the example above. It shows the DAG of
12379 package objects, excluding implicit dependencies. It is concise, but
12380 filters out many details.
12382 @item reverse-package
12383 This shows the @emph{reverse} DAG of packages. For example:
12386 guix graph --type=reverse-package ocaml
12389 ...@: yields the graph of packages that @emph{explicitly} depend on OCaml (if
12390 you are also interested in cases where OCaml is an implicit dependency, see
12391 @code{reverse-bag} below).
12393 Note that for core packages this can yield huge graphs. If all you want
12394 is to know the number of packages that depend on a given package, use
12395 @command{guix refresh --list-dependent} (@pxref{Invoking guix refresh,
12396 @option{--list-dependent}}).
12399 This is the package DAG, @emph{including} implicit inputs.
12401 For instance, the following command:
12404 guix graph --type=bag-emerged coreutils
12407 ...@: yields this bigger graph:
12409 @image{images/coreutils-bag-graph,,5in,Detailed dependency graph of the GNU Coreutils}
12411 At the bottom of the graph, we see all the implicit inputs of
12412 @var{gnu-build-system} (@pxref{Build Systems, @code{gnu-build-system}}).
12414 Now, note that the dependencies of these implicit inputs---that is, the
12415 @dfn{bootstrap dependencies} (@pxref{Bootstrapping})---are not shown
12416 here, for conciseness.
12419 Similar to @code{bag-emerged}, but this time including all the bootstrap
12422 @item bag-with-origins
12423 Similar to @code{bag}, but also showing origins and their dependencies.
12426 This shows the @emph{reverse} DAG of packages. Unlike @code{reverse-package},
12427 it also takes implicit dependencies into account. For example:
12430 guix graph -t reverse-bag dune
12434 ...@: yields the graph of all packages that depend on Dune, directly or
12435 indirectly. Since Dune is an @emph{implicit} dependency of many packages
12436 @i{via} @code{dune-build-system}, this shows a large number of packages,
12437 whereas @code{reverse-package} would show very few if any.
12440 This is the most detailed representation: It shows the DAG of
12441 derivations (@pxref{Derivations}) and plain store items. Compared to
12442 the above representation, many additional nodes are visible, including
12443 build scripts, patches, Guile modules, etc.
12445 For this type of graph, it is also possible to pass a @file{.drv} file
12446 name instead of a package name, as in:
12449 guix graph -t derivation $(guix system build -d my-config.scm)
12453 This is the graph of @dfn{package modules} (@pxref{Package Modules}).
12454 For example, the following command shows the graph for the package
12455 module that defines the @code{guile} package:
12458 guix graph -t module guile | xdot -
12462 All the types above correspond to @emph{build-time dependencies}. The
12463 following graph type represents the @emph{run-time dependencies}:
12467 This is the graph of @dfn{references} of a package output, as returned
12468 by @command{guix gc --references} (@pxref{Invoking guix gc}).
12470 If the given package output is not available in the store, @command{guix
12471 graph} attempts to obtain dependency information from substitutes.
12473 Here you can also pass a store file name instead of a package name. For
12474 example, the command below produces the reference graph of your profile
12475 (which can be big!):
12478 guix graph -t references $(readlink -f ~/.guix-profile)
12482 This is the graph of the @dfn{referrers} of a store item, as returned by
12483 @command{guix gc --referrers} (@pxref{Invoking guix gc}).
12485 This relies exclusively on local information from your store. For
12486 instance, let us suppose that the current Inkscape is available in 10
12487 profiles on your machine; @command{guix graph -t referrers inkscape}
12488 will show a graph rooted at Inkscape and with those 10 profiles linked
12491 It can help determine what is preventing a store item from being garbage
12496 @cindex shortest path, between packages
12497 Often, the graph of the package you are interested in does not fit on
12498 your screen, and anyway all you want to know is @emph{why} that package
12499 actually depends on some seemingly unrelated package. The
12500 @option{--path} option instructs @command{guix graph} to display the
12501 shortest path between two packages (or derivations, or store items,
12505 $ guix graph --path emacs libunistring
12508 libunistring@@0.9.10
12509 $ guix graph --path -t derivation emacs libunistring
12510 /gnu/store/@dots{}-emacs-26.3.drv
12511 /gnu/store/@dots{}-mailutils-3.9.drv
12512 /gnu/store/@dots{}-libunistring-0.9.10.drv
12513 $ guix graph --path -t references emacs libunistring
12514 /gnu/store/@dots{}-emacs-26.3
12515 /gnu/store/@dots{}-libidn2-2.2.0
12516 /gnu/store/@dots{}-libunistring-0.9.10
12519 The available options are the following:
12522 @item --type=@var{type}
12523 @itemx -t @var{type}
12524 Produce a graph output of @var{type}, where @var{type} must be one of
12525 the values listed above.
12528 List the supported graph types.
12530 @item --backend=@var{backend}
12531 @itemx -b @var{backend}
12532 Produce a graph using the selected @var{backend}.
12534 @item --list-backends
12535 List the supported graph backends.
12537 Currently, the available backends are Graphviz and d3.js.
12540 Display the shortest path between two nodes of the type specified by
12541 @option{--type}. The example below shows the shortest path between
12542 @code{libreoffice} and @code{llvm} according to the references of
12543 @code{libreoffice}:
12546 $ guix graph --path -t references libreoffice llvm
12547 /gnu/store/@dots{}-libreoffice-6.4.2.2
12548 /gnu/store/@dots{}-libepoxy-1.5.4
12549 /gnu/store/@dots{}-mesa-19.3.4
12550 /gnu/store/@dots{}-llvm-9.0.1
12553 @item --expression=@var{expr}
12554 @itemx -e @var{expr}
12555 Consider the package @var{expr} evaluates to.
12557 This is useful to precisely refer to a package, as in this example:
12560 guix graph -e '(@@@@ (gnu packages commencement) gnu-make-final)'
12563 @item --system=@var{system}
12564 @itemx -s @var{system}
12565 Display the graph for @var{system}---e.g., @code{i686-linux}.
12567 The package dependency graph is largely architecture-independent, but there
12568 are some architecture-dependent bits that this option allows you to visualize.
12570 @item --load-path=@var{directory}
12571 @itemx -L @var{directory}
12572 Add @var{directory} to the front of the package module search path
12573 (@pxref{Package Modules}).
12575 This allows users to define their own packages and make them visible to
12576 the command-line tools.
12579 On top of that, @command{guix graph} supports all the usual package
12580 transformation options (@pxref{Package Transformation Options}). This
12581 makes it easy to view the effect of a graph-rewriting transformation
12582 such as @option{--with-input}. For example, the command below outputs
12583 the graph of @code{git} once @code{openssl} has been replaced by
12584 @code{libressl} everywhere in the graph:
12587 guix graph git --with-input=openssl=libressl
12590 So many possibilities, so much fun!
12592 @node Invoking guix publish
12593 @section Invoking @command{guix publish}
12595 @cindex @command{guix publish}
12596 The purpose of @command{guix publish} is to enable users to easily share
12597 their store with others, who can then use it as a substitute server
12598 (@pxref{Substitutes}).
12600 When @command{guix publish} runs, it spawns an HTTP server which allows
12601 anyone with network access to obtain substitutes from it. This means
12602 that any machine running Guix can also act as if it were a build farm,
12603 since the HTTP interface is compatible with Cuirass, the software behind
12604 the @code{@value{SUBSTITUTE-SERVER-1}} build farm.
12606 For security, each substitute is signed, allowing recipients to check
12607 their authenticity and integrity (@pxref{Substitutes}). Because
12608 @command{guix publish} uses the signing key of the system, which is only
12609 readable by the system administrator, it must be started as root; the
12610 @option{--user} option makes it drop root privileges early on.
12612 The signing key pair must be generated before @command{guix publish} is
12613 launched, using @command{guix archive --generate-key} (@pxref{Invoking
12616 When the @option{--advertise} option is passed, the server advertises
12617 its availability on the local network using multicast DNS (mDNS) and DNS
12618 service discovery (DNS-SD), currently @i{via} Guile-Avahi (@pxref{Top,,,
12619 guile-avahi, Using Avahi in Guile Scheme Programs}).
12621 The general syntax is:
12624 guix publish @var{options}@dots{}
12627 Running @command{guix publish} without any additional arguments will
12628 spawn an HTTP server on port 8080:
12634 Once a publishing server has been authorized, the daemon may download
12635 substitutes from it. @xref{Getting Substitutes from Other Servers}.
12637 By default, @command{guix publish} compresses archives on the fly as it
12638 serves them. This ``on-the-fly'' mode is convenient in that it requires
12639 no setup and is immediately available. However, when serving lots of
12640 clients, we recommend using the @option{--cache} option, which enables
12641 caching of the archives before they are sent to clients---see below for
12642 details. The @command{guix weather} command provides a handy way to
12643 check what a server provides (@pxref{Invoking guix weather}).
12645 As a bonus, @command{guix publish} also serves as a content-addressed
12646 mirror for source files referenced in @code{origin} records
12647 (@pxref{origin Reference}). For instance, assuming @command{guix
12648 publish} is running on @code{example.org}, the following URL returns the
12649 raw @file{hello-2.10.tar.gz} file with the given SHA256 hash
12650 (represented in @code{nix-base32} format, @pxref{Invoking guix hash}):
12653 http://example.org/file/hello-2.10.tar.gz/sha256/0ssi1@dots{}ndq1i
12656 Obviously, these URLs only work for files that are in the store; in
12657 other cases, they return 404 (``Not Found'').
12659 @cindex build logs, publication
12660 Build logs are available from @code{/log} URLs like:
12663 http://example.org/log/gwspk@dots{}-guile-2.2.3
12667 When @command{guix-daemon} is configured to save compressed build logs,
12668 as is the case by default (@pxref{Invoking guix-daemon}), @code{/log}
12669 URLs return the compressed log as-is, with an appropriate
12670 @code{Content-Type} and/or @code{Content-Encoding} header. We recommend
12671 running @command{guix-daemon} with @option{--log-compression=gzip} since
12672 Web browsers can automatically decompress it, which is not the case with
12675 The following options are available:
12678 @item --port=@var{port}
12679 @itemx -p @var{port}
12680 Listen for HTTP requests on @var{port}.
12682 @item --listen=@var{host}
12683 Listen on the network interface for @var{host}. The default is to
12684 accept connections from any interface.
12686 @item --user=@var{user}
12687 @itemx -u @var{user}
12688 Change privileges to @var{user} as soon as possible---i.e., once the
12689 server socket is open and the signing key has been read.
12691 @item --compression[=@var{method}[:@var{level}]]
12692 @itemx -C [@var{method}[:@var{level}]]
12693 Compress data using the given @var{method} and @var{level}. @var{method} is
12694 one of @code{lzip}, @code{zstd}, and @code{gzip}; when @var{method} is
12695 omitted, @code{gzip} is used.
12697 When @var{level} is zero, disable compression. The range 1 to 9 corresponds
12698 to different compression levels: 1 is the fastest, and 9 is the best
12699 (CPU-intensive). The default is 3.
12701 Usually, @code{lzip} compresses noticeably better than @code{gzip} for a
12702 small increase in CPU usage; see
12703 @uref{https://nongnu.org/lzip/lzip_benchmark.html,benchmarks on the lzip
12704 Web page}. However, @code{lzip} achieves low decompression throughput
12705 (on the order of 50@tie{}MiB/s on modern hardware), which can be a
12706 bottleneck for someone who downloads over a fast network connection.
12708 The compression ratio of @code{zstd} is between that of @code{lzip} and
12709 that of @code{gzip}; its main advantage is a
12710 @uref{https://facebook.github.io/zstd/,high decompression speed}.
12712 Unless @option{--cache} is used, compression occurs on the fly and
12713 the compressed streams are not
12714 cached. Thus, to reduce load on the machine that runs @command{guix
12715 publish}, it may be a good idea to choose a low compression level, to
12716 run @command{guix publish} behind a caching proxy, or to use
12717 @option{--cache}. Using @option{--cache} has the advantage that it
12718 allows @command{guix publish} to add @code{Content-Length} HTTP header
12721 This option can be repeated, in which case every substitute gets compressed
12722 using all the selected methods, and all of them are advertised. This is
12723 useful when users may not support all the compression methods: they can select
12724 the one they support.
12726 @item --cache=@var{directory}
12727 @itemx -c @var{directory}
12728 Cache archives and meta-data (@code{.narinfo} URLs) to @var{directory}
12729 and only serve archives that are in cache.
12731 When this option is omitted, archives and meta-data are created
12732 on-the-fly. This can reduce the available bandwidth, especially when
12733 compression is enabled, since this may become CPU-bound. Another
12734 drawback of the default mode is that the length of archives is not known
12735 in advance, so @command{guix publish} does not add a
12736 @code{Content-Length} HTTP header to its responses, which in turn
12737 prevents clients from knowing the amount of data being downloaded.
12739 Conversely, when @option{--cache} is used, the first request for a store
12740 item (@i{via} a @code{.narinfo} URL) triggers a
12741 background process to @dfn{bake} the archive---computing its
12742 @code{.narinfo} and compressing the archive, if needed. Once the
12743 archive is cached in @var{directory}, subsequent requests succeed and
12744 are served directly from the cache, which guarantees that clients get
12745 the best possible bandwidth.
12747 That first @code{.narinfo} request nonetheless returns 200, provided the
12748 requested store item is ``small enough'', below the cache bypass
12749 threshold---see @option{--cache-bypass-threshold} below. That way,
12750 clients do not have to wait until the archive is baked. For larger
12751 store items, the first @code{.narinfo} request returns 404, meaning that
12752 clients have to wait until the archive is baked.
12754 The ``baking'' process is performed by worker threads. By default, one
12755 thread per CPU core is created, but this can be customized. See
12756 @option{--workers} below.
12758 When @option{--ttl} is used, cached entries are automatically deleted
12759 when they have expired.
12761 @item --workers=@var{N}
12762 When @option{--cache} is used, request the allocation of @var{N} worker
12763 threads to ``bake'' archives.
12765 @item --ttl=@var{ttl}
12766 Produce @code{Cache-Control} HTTP headers that advertise a time-to-live
12767 (TTL) of @var{ttl}. @var{ttl} must denote a duration: @code{5d} means 5
12768 days, @code{1m} means 1 month, and so on.
12770 This allows the user's Guix to keep substitute information in cache for
12771 @var{ttl}. However, note that @code{guix publish} does not itself
12772 guarantee that the store items it provides will indeed remain available
12773 for as long as @var{ttl}.
12775 Additionally, when @option{--cache} is used, cached entries that have
12776 not been accessed for @var{ttl} and that no longer have a corresponding
12777 item in the store, may be deleted.
12779 @item --negative-ttl=@var{ttl}
12780 Similarly produce @code{Cache-Control} HTTP headers to advertise the
12781 time-to-live (TTL) of @emph{negative} lookups---missing store items, for
12782 which the HTTP 404 code is returned. By default, no negative TTL is
12785 This parameter can help adjust server load and substitute latency by
12786 instructing cooperating clients to be more or less patient when a store
12789 @item --cache-bypass-threshold=@var{size}
12790 When used in conjunction with @option{--cache}, store items smaller than
12791 @var{size} are immediately available, even when they are not yet in
12792 cache. @var{size} is a size in bytes, or it can be suffixed by @code{M}
12793 for megabytes and so on. The default is @code{10M}.
12795 ``Cache bypass'' allows you to reduce the publication delay for clients
12796 at the expense of possibly additional I/O and CPU use on the server
12797 side: depending on the client access patterns, those store items can end
12798 up being baked several times until a copy is available in cache.
12800 Increasing the threshold may be useful for sites that have few users, or
12801 to guarantee that users get substitutes even for store items that are
12804 @item --nar-path=@var{path}
12805 Use @var{path} as the prefix for the URLs of ``nar'' files
12806 (@pxref{Invoking guix archive, normalized archives}).
12808 By default, nars are served at a URL such as
12809 @code{/nar/gzip/@dots{}-coreutils-8.25}. This option allows you to
12810 change the @code{/nar} part to @var{path}.
12812 @item --public-key=@var{file}
12813 @itemx --private-key=@var{file}
12814 Use the specific @var{file}s as the public/private key pair used to sign
12815 the store items being published.
12817 The files must correspond to the same key pair (the private key is used
12818 for signing and the public key is merely advertised in the signature
12819 metadata). They must contain keys in the canonical s-expression format
12820 as produced by @command{guix archive --generate-key} (@pxref{Invoking
12821 guix archive}). By default, @file{/etc/guix/signing-key.pub} and
12822 @file{/etc/guix/signing-key.sec} are used.
12824 @item --repl[=@var{port}]
12825 @itemx -r [@var{port}]
12826 Spawn a Guile REPL server (@pxref{REPL Servers,,, guile, GNU Guile
12827 Reference Manual}) on @var{port} (37146 by default). This is used
12828 primarily for debugging a running @command{guix publish} server.
12831 Enabling @command{guix publish} on Guix System is a one-liner: just
12832 instantiate a @code{guix-publish-service-type} service in the @code{services} field
12833 of the @code{operating-system} declaration (@pxref{guix-publish-service-type,
12834 @code{guix-publish-service-type}}).
12836 If you are instead running Guix on a ``foreign distro'', follow these
12841 If your host distro uses the systemd init system:
12844 # ln -s ~root/.guix-profile/lib/systemd/system/guix-publish.service \
12845 /etc/systemd/system/
12846 # systemctl start guix-publish && systemctl enable guix-publish
12850 If your host distro uses the Upstart init system:
12853 # ln -s ~root/.guix-profile/lib/upstart/system/guix-publish.conf /etc/init/
12854 # start guix-publish
12858 Otherwise, proceed similarly with your distro's init system.
12861 @node Invoking guix challenge
12862 @section Invoking @command{guix challenge}
12864 @cindex reproducible builds
12865 @cindex verifiable builds
12866 @cindex @command{guix challenge}
12868 Do the binaries provided by this server really correspond to the source
12869 code it claims to build? Is a package build process deterministic?
12870 These are the questions the @command{guix challenge} command attempts to
12873 The former is obviously an important question: Before using a substitute
12874 server (@pxref{Substitutes}), one had better @emph{verify} that it
12875 provides the right binaries, and thus @emph{challenge} it. The latter
12876 is what enables the former: If package builds are deterministic, then
12877 independent builds of the package should yield the exact same result,
12878 bit for bit; if a server provides a binary different from the one
12879 obtained locally, it may be either corrupt or malicious.
12881 We know that the hash that shows up in @file{/gnu/store} file names is
12882 the hash of all the inputs of the process that built the file or
12883 directory---compilers, libraries, build scripts,
12884 etc. (@pxref{Introduction}). Assuming deterministic build processes,
12885 one store file name should map to exactly one build output.
12886 @command{guix challenge} checks whether there is, indeed, a single
12887 mapping by comparing the build outputs of several independent builds of
12888 any given store item.
12890 The command output looks like this:
12893 $ guix challenge --substitute-urls="https://@value{SUBSTITUTE-SERVER-1} https://guix.example.org"
12894 updating list of substitutes from 'https://@value{SUBSTITUTE-SERVER-1}'... 100.0%
12895 updating list of substitutes from 'https://guix.example.org'... 100.0%
12896 /gnu/store/@dots{}-openssl-1.0.2d contents differ:
12897 local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
12898 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
12899 https://guix.example.org/nar/@dots{}-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim
12901 /lib/libcrypto.so.1.1
12904 /gnu/store/@dots{}-git-2.5.0 contents differ:
12905 local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha
12906 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f
12907 https://guix.example.org/nar/@dots{}-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73
12909 /libexec/git-core/git-fsck
12911 /gnu/store/@dots{}-pius-2.1.1 contents differ:
12912 local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
12913 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
12914 https://guix.example.org/nar/@dots{}-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs
12916 /share/man/man1/pius.1.gz
12920 6,406 store items were analyzed:
12921 - 4,749 (74.1%) were identical
12922 - 525 (8.2%) differed
12923 - 1,132 (17.7%) were inconclusive
12927 In this example, @command{guix challenge} first scans the store to
12928 determine the set of locally-built derivations---as opposed to store
12929 items that were downloaded from a substitute server---and then queries
12930 all the substitute servers. It then reports those store items for which
12931 the servers obtained a result different from the local build.
12933 @cindex non-determinism, in package builds
12934 As an example, @code{guix.example.org} always gets a different answer.
12935 Conversely, @code{@value{SUBSTITUTE-SERVER-1}} agrees with local builds, except in the
12936 case of Git. This might indicate that the build process of Git is
12937 non-deterministic, meaning that its output varies as a function of
12938 various things that Guix does not fully control, in spite of building
12939 packages in isolated environments (@pxref{Features}). Most common
12940 sources of non-determinism include the addition of timestamps in build
12941 results, the inclusion of random numbers, and directory listings sorted
12942 by inode number. See @uref{https://reproducible-builds.org/docs/}, for
12945 To find out what is wrong with this Git binary, the easiest approach is
12949 guix challenge git \
12950 --diff=diffoscope \
12951 --substitute-urls="https://@value{SUBSTITUTE-SERVER-1} https://guix.example.org"
12954 This automatically invokes @command{diffoscope}, which displays detailed
12955 information about files that differ.
12957 Alternatively, we can do something along these lines (@pxref{Invoking guix
12961 $ wget -q -O - https://@value{SUBSTITUTE-SERVER-1}/nar/lzip/@dots{}-git-2.5.0 \
12962 | lzip -d | guix archive -x /tmp/git
12963 $ diff -ur --no-dereference /gnu/store/@dots{}-git.2.5.0 /tmp/git
12966 This command shows the difference between the files resulting from the
12967 local build, and the files resulting from the build on
12968 @code{@value{SUBSTITUTE-SERVER-1}} (@pxref{Overview, Comparing and Merging Files,,
12969 diffutils, Comparing and Merging Files}). The @command{diff} command
12970 works great for text files. When binary files differ, a better option
12971 is @uref{https://diffoscope.org/, Diffoscope}, a tool that helps
12972 visualize differences for all kinds of files.
12974 Once you have done that work, you can tell whether the differences are due
12975 to a non-deterministic build process or to a malicious server. We try
12976 hard to remove sources of non-determinism in packages to make it easier
12977 to verify substitutes, but of course, this is a process that
12978 involves not just Guix, but a large part of the free software community.
12979 In the meantime, @command{guix challenge} is one tool to help address
12982 If you are writing packages for Guix, you are encouraged to check
12983 whether @code{@value{SUBSTITUTE-SERVER-1}} and other substitute servers obtain the
12984 same build result as you did with:
12987 $ guix challenge @var{package}
12991 where @var{package} is a package specification such as
12992 @code{guile@@2.0} or @code{glibc:debug}.
12994 The general syntax is:
12997 guix challenge @var{options} [@var{packages}@dots{}]
13000 When a difference is found between the hash of a locally-built item and
13001 that of a server-provided substitute, or among substitutes provided by
13002 different servers, the command displays it as in the example above and
13003 its exit code is 2 (other non-zero exit codes denote other kinds of
13006 The one option that matters is:
13010 @item --substitute-urls=@var{urls}
13011 Consider @var{urls} the whitespace-separated list of substitute source
13012 URLs to compare to.
13014 @item --diff=@var{mode}
13015 Upon mismatches, show differences according to @var{mode}, one of:
13018 @item @code{simple} (the default)
13019 Show the list of files that differ.
13021 @item @code{diffoscope}
13022 @itemx @var{command}
13023 Invoke @uref{https://diffoscope.org/, Diffoscope}, passing it
13024 two directories whose contents do not match.
13026 When @var{command} is an absolute file name, run @var{command} instead
13030 Do not show further details about the differences.
13033 Thus, unless @option{--diff=none} is passed, @command{guix challenge}
13034 downloads the store items from the given substitute servers so that it
13039 Show details about matches (identical contents) in addition to
13040 information about mismatches.
13044 @node Invoking guix copy
13045 @section Invoking @command{guix copy}
13047 @cindex copy, of store items, over SSH
13048 @cindex SSH, copy of store items
13049 @cindex sharing store items across machines
13050 @cindex transferring store items across machines
13051 The @command{guix copy} command copies items from the store of one
13052 machine to that of another machine over a secure shell (SSH)
13053 connection@footnote{This command is available only when Guile-SSH was
13054 found. @xref{Requirements}, for details.}. For example, the following
13055 command copies the @code{coreutils} package, the user's profile, and all
13056 their dependencies over to @var{host}, logged in as @var{user}:
13059 guix copy --to=@var{user}@@@var{host} \
13060 coreutils $(readlink -f ~/.guix-profile)
13063 If some of the items to be copied are already present on @var{host},
13064 they are not actually sent.
13066 The command below retrieves @code{libreoffice} and @code{gimp} from
13067 @var{host}, assuming they are available there:
13070 guix copy --from=@var{host} libreoffice gimp
13073 The SSH connection is established using the Guile-SSH client, which is
13074 compatible with OpenSSH: it honors @file{~/.ssh/known_hosts} and
13075 @file{~/.ssh/config}, and uses the SSH agent for authentication.
13077 The key used to sign items that are sent must be accepted by the remote
13078 machine. Likewise, the key used by the remote machine to sign items you
13079 are retrieving must be in @file{/etc/guix/acl} so it is accepted by your
13080 own daemon. @xref{Invoking guix archive}, for more information about
13081 store item authentication.
13083 The general syntax is:
13086 guix copy [--to=@var{spec}|--from=@var{spec}] @var{items}@dots{}
13089 You must always specify one of the following options:
13092 @item --to=@var{spec}
13093 @itemx --from=@var{spec}
13094 Specify the host to send to or receive from. @var{spec} must be an SSH
13095 spec such as @code{example.org}, @code{charlie@@example.org}, or
13096 @code{charlie@@example.org:2222}.
13099 The @var{items} can be either package names, such as @code{gimp}, or
13100 store items, such as @file{/gnu/store/@dots{}-idutils-4.6}.
13102 When specifying the name of a package to send, it is first built if
13103 needed, unless @option{--dry-run} was specified. Common build options
13104 are supported (@pxref{Common Build Options}).
13107 @node Invoking guix container
13108 @section Invoking @command{guix container}
13110 @cindex @command{guix container}
13112 As of version @value{VERSION}, this tool is experimental. The interface
13113 is subject to radical change in the future.
13116 The purpose of @command{guix container} is to manipulate processes
13117 running within an isolated environment, commonly known as a
13118 ``container'', typically created by the @command{guix environment}
13119 (@pxref{Invoking guix environment}) and @command{guix system container}
13120 (@pxref{Invoking guix system}) commands.
13122 The general syntax is:
13125 guix container @var{action} @var{options}@dots{}
13128 @var{action} specifies the operation to perform with a container, and
13129 @var{options} specifies the context-specific arguments for the action.
13131 The following actions are available:
13135 Execute a command within the context of a running container.
13140 guix container exec @var{pid} @var{program} @var{arguments}@dots{}
13143 @var{pid} specifies the process ID of the running container.
13144 @var{program} specifies an executable file name within the root file
13145 system of the container. @var{arguments} are the additional options that
13146 will be passed to @var{program}.
13148 The following command launches an interactive login shell inside a
13149 Guix system container, started by @command{guix system container}, and whose
13150 process ID is 9001:
13153 guix container exec 9001 /run/current-system/profile/bin/bash --login
13156 Note that the @var{pid} cannot be the parent process of a container. It
13157 must be PID 1 of the container or one of its child processes.
13161 @node Invoking guix weather
13162 @section Invoking @command{guix weather}
13164 Occasionally you're grumpy because substitutes are lacking and you end
13165 up building packages by yourself (@pxref{Substitutes}). The
13166 @command{guix weather} command reports on substitute availability on the
13167 specified servers so you can have an idea of whether you'll be grumpy
13168 today. It can sometimes be useful info as a user, but it is primarily
13169 useful to people running @command{guix publish} (@pxref{Invoking guix
13172 @cindex statistics, for substitutes
13173 @cindex availability of substitutes
13174 @cindex substitute availability
13175 @cindex weather, substitute availability
13176 Here's a sample run:
13179 $ guix weather --substitute-urls=https://guix.example.org
13180 computing 5,872 package derivations for x86_64-linux...
13181 looking for 6,128 store items on https://guix.example.org..
13182 updating list of substitutes from 'https://guix.example.org'... 100.0%
13183 https://guix.example.org
13184 43.4% substitutes available (2,658 out of 6,128)
13185 7,032.5 MiB of nars (compressed)
13186 19,824.2 MiB on disk (uncompressed)
13187 0.030 seconds per request (182.9 seconds in total)
13188 33.5 requests per second
13190 9.8% (342 out of 3,470) of the missing items are queued
13192 x86_64-linux: 518 (59.7%)
13193 i686-linux: 221 (25.5%)
13194 aarch64-linux: 128 (14.8%)
13195 build rate: 23.41 builds per hour
13196 x86_64-linux: 11.16 builds per hour
13197 i686-linux: 6.03 builds per hour
13198 aarch64-linux: 6.41 builds per hour
13201 @cindex continuous integration, statistics
13202 As you can see, it reports the fraction of all the packages for which
13203 substitutes are available on the server---regardless of whether
13204 substitutes are enabled, and regardless of whether this server's signing
13205 key is authorized. It also reports the size of the compressed archives
13206 (``nars'') provided by the server, the size the corresponding store
13207 items occupy in the store (assuming deduplication is turned off), and
13208 the server's throughput. The second part gives continuous integration
13209 (CI) statistics, if the server supports it. In addition, using the
13210 @option{--coverage} option, @command{guix weather} can list ``important''
13211 package substitutes missing on the server (see below).
13213 To achieve that, @command{guix weather} queries over HTTP(S) meta-data
13214 (@dfn{narinfos}) for all the relevant store items. Like @command{guix
13215 challenge}, it ignores signatures on those substitutes, which is
13216 innocuous since the command only gathers statistics and cannot install
13219 The general syntax is:
13222 guix weather @var{options}@dots{} [@var{packages}@dots{}]
13225 When @var{packages} is omitted, @command{guix weather} checks the availability
13226 of substitutes for @emph{all} the packages, or for those specified with
13227 @option{--manifest}; otherwise it only considers the specified packages. It
13228 is also possible to query specific system types with @option{--system}.
13229 @command{guix weather} exits with a non-zero code when the fraction of
13230 available substitutes is below 100%.
13232 The available options are listed below.
13235 @item --substitute-urls=@var{urls}
13236 @var{urls} is the space-separated list of substitute server URLs to
13237 query. When this option is omitted, the default set of substitute
13238 servers is queried.
13240 @item --system=@var{system}
13241 @itemx -s @var{system}
13242 Query substitutes for @var{system}---e.g., @code{aarch64-linux}. This
13243 option can be repeated, in which case @command{guix weather} will query
13244 substitutes for several system types.
13246 @item --manifest=@var{file}
13247 Instead of querying substitutes for all the packages, only ask for those
13248 specified in @var{file}. @var{file} must contain a @dfn{manifest}, as
13249 with the @code{-m} option of @command{guix package} (@pxref{Invoking
13252 This option can be repeated several times, in which case the manifests
13255 @item --coverage[=@var{count}]
13256 @itemx -c [@var{count}]
13257 Report on substitute coverage for packages: list packages with at least
13258 @var{count} dependents (zero by default) for which substitutes are
13259 unavailable. Dependent packages themselves are not listed: if @var{b} depends
13260 on @var{a} and @var{a} has no substitutes, only @var{a} is listed, even though
13261 @var{b} usually lacks substitutes as well. The result looks like this:
13264 $ guix weather --substitute-urls=@value{SUBSTITUTE-URLS} -c 10
13265 computing 8,983 package derivations for x86_64-linux...
13266 looking for 9,343 store items on @value{SUBSTITUTE-URLS}...
13267 updating substitutes from '@value{SUBSTITUTE-URLS}'... 100.0%
13268 @value{SUBSTITUTE-URLS}
13269 64.7% substitutes available (6,047 out of 9,343)
13271 2502 packages are missing from '@value{SUBSTITUTE-URLS}' for 'x86_64-linux', among which:
13272 58 kcoreaddons@@5.49.0 /gnu/store/@dots{}-kcoreaddons-5.49.0
13273 46 qgpgme@@1.11.1 /gnu/store/@dots{}-qgpgme-1.11.1
13274 37 perl-http-cookiejar@@0.008 /gnu/store/@dots{}-perl-http-cookiejar-0.008
13278 What this example shows is that @code{kcoreaddons} and presumably the 58
13279 packages that depend on it have no substitutes at
13280 @code{@value{SUBSTITUTE-SERVER-1}}; likewise for @code{qgpgme} and the 46
13281 packages that depend on it.
13283 If you are a Guix developer, or if you are taking care of this build farm,
13284 you'll probably want to have a closer look at these packages: they may simply
13287 @item --display-missing
13288 Display the list of store items for which substitutes are missing.
13291 @node Invoking guix processes
13292 @section Invoking @command{guix processes}
13294 The @command{guix processes} command can be useful to developers and system
13295 administrators, especially on multi-user machines and on build farms: it lists
13296 the current sessions (connections to the daemon), as well as information about
13297 the processes involved@footnote{Remote sessions, when @command{guix-daemon} is
13298 started with @option{--listen} specifying a TCP endpoint, are @emph{not}
13299 listed.}. Here's an example of the information it returns:
13302 $ sudo guix processes
13305 ClientCommand: guix environment --ad-hoc python
13309 ClientCommand: guix publish -u guix-publish -p 3000 -C 9 @dots{}
13313 ClientCommand: cuirass --cache-directory /var/cache/cuirass @dots{}
13314 LockHeld: /gnu/store/@dots{}-perl-ipc-cmd-0.96.lock
13315 LockHeld: /gnu/store/@dots{}-python-six-bootstrap-1.11.0.lock
13316 LockHeld: /gnu/store/@dots{}-libjpeg-turbo-2.0.0.lock
13318 ChildCommand: guix offload x86_64-linux 7200 1 28800
13320 ChildCommand: guix offload x86_64-linux 7200 1 28800
13322 ChildCommand: guix offload x86_64-linux 7200 1 28800
13325 In this example we see that @command{guix-daemon} has three clients:
13326 @command{guix environment}, @command{guix publish}, and the Cuirass continuous
13327 integration tool; their process identifier (PID) is given by the
13328 @code{ClientPID} field. The @code{SessionPID} field gives the PID of the
13329 @command{guix-daemon} sub-process of this particular session.
13331 The @code{LockHeld} fields show which store items are currently locked
13332 by this session, which corresponds to store items being built or
13333 substituted (the @code{LockHeld} field is not displayed when
13334 @command{guix processes} is not running as root). Last, by looking at
13335 the @code{ChildPID} and @code{ChildCommand} fields, we understand that
13336 these three builds are being offloaded (@pxref{Daemon Offload Setup}).
13338 The output is in Recutils format so we can use the handy @command{recsel}
13339 command to select sessions of interest (@pxref{Selection Expressions,,,
13340 recutils, GNU recutils manual}). As an example, the command shows the command
13341 line and PID of the client that triggered the build of a Perl package:
13344 $ sudo guix processes | \
13345 recsel -p ClientPID,ClientCommand -e 'LockHeld ~ "perl"'
13347 ClientCommand: cuirass --cache-directory /var/cache/cuirass @dots{}
13350 Additional options are listed below.
13353 @item --format=@var{format}
13354 @itemx -f @var{format}
13355 Produce output in the specified @var{format}, one of:
13359 The default option. It outputs a set of Session recutils records
13360 that include each @code{ChildProcess} as a field.
13363 Normalize the output records into record sets (@pxref{Record Sets,,,
13364 recutils, GNU recutils manual}). Normalizing into record sets allows
13365 joins across record types. The example below lists the PID of each
13366 @code{ChildProcess} and the associated PID for @code{Session} that
13367 spawned the @code{ChildProcess} where the @code{Session} was started
13368 using @command{guix build}.
13371 $ guix processes --format=normalized | \
13375 -p Session.PID,PID \
13376 -e 'Session.ClientCommand ~ "guix build"'
13389 @node System Configuration
13390 @chapter System Configuration
13392 @cindex system configuration
13393 Guix System supports a consistent whole-system configuration
13394 mechanism. By that we mean that all aspects of the global system
13395 configuration---such as the available system services, timezone and
13396 locale settings, user accounts---are declared in a single place. Such
13397 a @dfn{system configuration} can be @dfn{instantiated}---i.e., effected.
13399 One of the advantages of putting all the system configuration under the
13400 control of Guix is that it supports transactional system upgrades, and
13401 makes it possible to roll back to a previous system instantiation,
13402 should something go wrong with the new one (@pxref{Features}). Another
13403 advantage is that it makes it easy to replicate the exact same configuration
13404 across different machines, or at different points in time, without
13405 having to resort to additional administration tools layered on top of
13406 the own tools of the system.
13407 @c Yes, we're talking of Puppet, Chef, & co. here. ↑
13409 This section describes this mechanism. First we focus on the system
13410 administrator's viewpoint---explaining how the system is configured and
13411 instantiated. Then we show how this mechanism can be extended, for
13412 instance to support new system services.
13415 * Using the Configuration System:: Customizing your GNU system.
13416 * operating-system Reference:: Detail of operating-system declarations.
13417 * File Systems:: Configuring file system mounts.
13418 * Mapped Devices:: Block device extra processing.
13419 * User Accounts:: Specifying user accounts.
13420 * Keyboard Layout:: How the system interprets key strokes.
13421 * Locales:: Language and cultural convention settings.
13422 * Services:: Specifying system services.
13423 * Setuid Programs:: Programs running with root privileges.
13424 * X.509 Certificates:: Authenticating HTTPS servers.
13425 * Name Service Switch:: Configuring libc's name service switch.
13426 * Initial RAM Disk:: Linux-Libre bootstrapping.
13427 * Bootloader Configuration:: Configuring the boot loader.
13428 * Invoking guix system:: Instantiating a system configuration.
13429 * Invoking guix deploy:: Deploying a system configuration to a remote host.
13430 * Running Guix in a VM:: How to run Guix System in a virtual machine.
13431 * Defining Services:: Adding new service definitions.
13434 @node Using the Configuration System
13435 @section Using the Configuration System
13437 The operating system is configured by providing an
13438 @code{operating-system} declaration in a file that can then be passed to
13439 the @command{guix system} command (@pxref{Invoking guix system}). A
13440 simple setup, with the default system services, the default Linux-Libre
13441 kernel, initial RAM disk, and boot loader looks like this:
13443 @findex operating-system
13445 @include os-config-bare-bones.texi
13448 This example should be self-describing. Some of the fields defined
13449 above, such as @code{host-name} and @code{bootloader}, are mandatory.
13450 Others, such as @code{packages} and @code{services}, can be omitted, in
13451 which case they get a default value.
13453 Below we discuss the effect of some of the most important fields
13454 (@pxref{operating-system Reference}, for details about all the available
13455 fields), and how to @dfn{instantiate} the operating system using
13456 @command{guix system}.
13458 @unnumberedsubsec Bootloader
13460 @cindex legacy boot, on Intel machines
13461 @cindex BIOS boot, on Intel machines
13464 The @code{bootloader} field describes the method that will be used to boot
13465 your system. Machines based on Intel processors can boot in ``legacy'' BIOS
13466 mode, as in the example above. However, more recent machines rely instead on
13467 the @dfn{Unified Extensible Firmware Interface} (UEFI) to boot. In that case,
13468 the @code{bootloader} field should contain something along these lines:
13471 (bootloader-configuration
13472 (bootloader grub-efi-bootloader)
13473 (target "/boot/efi"))
13476 @xref{Bootloader Configuration}, for more information on the available
13477 configuration options.
13479 @unnumberedsubsec Globally-Visible Packages
13481 @vindex %base-packages
13482 The @code{packages} field lists packages that will be globally visible
13483 on the system, for all user accounts---i.e., in every user's @env{PATH}
13484 environment variable---in addition to the per-user profiles
13485 (@pxref{Invoking guix package}). The @code{%base-packages} variable
13486 provides all the tools one would expect for basic user and administrator
13487 tasks---including the GNU Core Utilities, the GNU Networking Utilities,
13488 the GNU Zile lightweight text editor, @command{find}, @command{grep},
13489 etc. The example above adds GNU@tie{}Screen to those,
13490 taken from the @code{(gnu packages screen)}
13491 module (@pxref{Package Modules}). The
13492 @code{(list package output)} syntax can be used to add a specific output
13496 (use-modules (gnu packages))
13497 (use-modules (gnu packages dns))
13501 (packages (cons (list isc-bind "utils")
13505 @findex specification->package
13506 Referring to packages by variable name, like @code{isc-bind} above, has
13507 the advantage of being unambiguous; it also allows typos and such to be
13508 diagnosed right away as ``unbound variables''. The downside is that one
13509 needs to know which module defines which package, and to augment the
13510 @code{use-package-modules} line accordingly. To avoid that, one can use
13511 the @code{specification->package} procedure of the @code{(gnu packages)}
13512 module, which returns the best package for a given name or name and
13516 (use-modules (gnu packages))
13520 (packages (append (map specification->package
13521 '("tcpdump" "htop" "gnupg@@2.0"))
13525 @unnumberedsubsec System Services
13528 @vindex %base-services
13529 The @code{services} field lists @dfn{system services} to be made
13530 available when the system starts (@pxref{Services}).
13531 The @code{operating-system} declaration above specifies that, in
13532 addition to the basic services, we want the OpenSSH secure shell
13533 daemon listening on port 2222 (@pxref{Networking Services,
13534 @code{openssh-service-type}}). Under the hood,
13535 @code{openssh-service-type} arranges so that @command{sshd} is started with the
13536 right command-line options, possibly with supporting configuration files
13537 generated as needed (@pxref{Defining Services}).
13539 @cindex customization, of services
13540 @findex modify-services
13541 Occasionally, instead of using the base services as is, you will want to
13542 customize them. To do this, use @code{modify-services} (@pxref{Service
13543 Reference, @code{modify-services}}) to modify the list.
13545 @anchor{auto-login to TTY} For example, suppose you want to modify
13546 @code{guix-daemon} and Mingetty (the console log-in) in the
13547 @code{%base-services} list (@pxref{Base Services,
13548 @code{%base-services}}). To do that, you can write the following in
13549 your operating system declaration:
13552 (define %my-services
13553 ;; My very own list of services.
13554 (modify-services %base-services
13555 (guix-service-type config =>
13556 (guix-configuration
13558 ;; Fetch substitutes from example.org.
13560 (list "https://example.org/guix"
13561 "https://ci.guix.gnu.org"))))
13562 (mingetty-service-type config =>
13563 (mingetty-configuration
13565 ;; Automatially log in as "guest".
13566 (auto-login "guest")))))
13570 (services %my-services))
13573 This changes the configuration---i.e., the service parameters---of the
13574 @code{guix-service-type} instance, and that of all the
13575 @code{mingetty-service-type} instances in the @code{%base-services} list
13576 (@pxref{Auto-Login to a Specific TTY, see the cookbook for how to
13577 auto-login one user to a specific TTY,, guix-cookbook, GNU Guix Cookbook})).
13578 Observe how this is accomplished: first, we arrange for the original
13579 configuration to be bound to the identifier @code{config} in the
13580 @var{body}, and then we write the @var{body} so that it evaluates to the
13581 desired configuration. In particular, notice how we use @code{inherit}
13582 to create a new configuration which has the same values as the old
13583 configuration, but with a few modifications.
13585 @cindex encrypted disk
13586 The configuration for a typical ``desktop'' usage, with an encrypted
13587 root partition, the X11 display
13588 server, GNOME and Xfce (users can choose which of these desktop
13589 environments to use at the log-in screen by pressing @kbd{F1}), network
13590 management, power management, and more, would look like this:
13593 @include os-config-desktop.texi
13596 A graphical system with a choice of lightweight window managers
13597 instead of full-blown desktop environments would look like this:
13600 @include os-config-lightweight-desktop.texi
13603 This example refers to the @file{/boot/efi} file system by its UUID,
13604 @code{1234-ABCD}. Replace this UUID with the right UUID on your system,
13605 as returned by the @command{blkid} command.
13607 @xref{Desktop Services}, for the exact list of services provided by
13608 @code{%desktop-services}. @xref{X.509 Certificates}, for background
13609 information about the @code{nss-certs} package that is used here.
13611 Again, @code{%desktop-services} is just a list of service objects. If
13612 you want to remove services from there, you can do so using the
13613 procedures for list filtering (@pxref{SRFI-1 Filtering and
13614 Partitioning,,, guile, GNU Guile Reference Manual}). For instance, the
13615 following expression returns a list that contains all the services in
13616 @code{%desktop-services} minus the Avahi service:
13619 (remove (lambda (service)
13620 (eq? (service-kind service) avahi-service-type))
13624 Alternatively, the @code{modify-services} macro can be used:
13627 (modify-services %desktop-services
13628 (delete avahi-service-type))
13632 @unnumberedsubsec Instantiating the System
13634 Assuming the @code{operating-system} declaration
13635 is stored in the @file{my-system-config.scm}
13636 file, the @command{guix system reconfigure my-system-config.scm} command
13637 instantiates that configuration, and makes it the default GRUB boot
13638 entry (@pxref{Invoking guix system}).
13640 The normal way to change the system configuration is by updating this
13641 file and re-running @command{guix system reconfigure}. One should never
13642 have to touch files in @file{/etc} or to run commands that modify the
13643 system state such as @command{useradd} or @command{grub-install}. In
13644 fact, you must avoid that since that would not only void your warranty
13645 but also prevent you from rolling back to previous versions of your
13646 system, should you ever need to.
13648 @cindex roll-back, of the operating system
13649 Speaking of roll-back, each time you run @command{guix system
13650 reconfigure}, a new @dfn{generation} of the system is created---without
13651 modifying or deleting previous generations. Old system generations get
13652 an entry in the bootloader boot menu, allowing you to boot them in case
13653 something went wrong with the latest generation. Reassuring, no? The
13654 @command{guix system list-generations} command lists the system
13655 generations available on disk. It is also possible to roll back the
13656 system via the commands @command{guix system roll-back} and
13657 @command{guix system switch-generation}.
13659 Although the @command{guix system reconfigure} command will not modify
13660 previous generations, you must take care when the current generation is not
13661 the latest (e.g., after invoking @command{guix system roll-back}), since
13662 the operation might overwrite a later generation (@pxref{Invoking guix
13665 @unnumberedsubsec The Programming Interface
13667 At the Scheme level, the bulk of an @code{operating-system} declaration
13668 is instantiated with the following monadic procedure (@pxref{The Store
13671 @deffn {Monadic Procedure} operating-system-derivation os
13672 Return a derivation that builds @var{os}, an @code{operating-system}
13673 object (@pxref{Derivations}).
13675 The output of the derivation is a single directory that refers to all
13676 the packages, configuration files, and other supporting files needed to
13677 instantiate @var{os}.
13680 This procedure is provided by the @code{(gnu system)} module. Along
13681 with @code{(gnu services)} (@pxref{Services}), this module contains the
13682 guts of Guix System. Make sure to visit it!
13685 @node operating-system Reference
13686 @section @code{operating-system} Reference
13688 This section summarizes all the options available in
13689 @code{operating-system} declarations (@pxref{Using the Configuration
13692 @deftp {Data Type} operating-system
13693 This is the data type representing an operating system configuration.
13694 By that, we mean all the global system configuration, not per-user
13695 configuration (@pxref{Using the Configuration System}).
13698 @item @code{kernel} (default: @code{linux-libre})
13699 The package object of the operating system kernel to
13700 use@footnote{Currently only the Linux-libre kernel is fully supported.
13701 Using GNU@tie{}mach with the GNU@tie{}Hurd is experimental and only
13702 available when building a virtual machine disk image.}.
13705 @item @code{hurd} (default: @code{#f})
13706 The package object of the Hurd to be started by the kernel. When this
13707 field is set, produce a GNU/Hurd operating system. In that case,
13708 @code{kernel} must also be set to the @code{gnumach} package---the
13709 microkernel the Hurd runs on.
13712 This feature is experimental and only supported for disk images.
13715 @item @code{kernel-loadable-modules} (default: '())
13716 A list of objects (usually packages) to collect loadable kernel modules
13717 from--e.g. @code{(list ddcci-driver-linux)}.
13719 @item @code{kernel-arguments} (default: @code{%default-kernel-arguments})
13720 List of strings or gexps representing additional arguments to pass on
13721 the command-line of the kernel---e.g., @code{("console=ttyS0")}.
13723 @item @code{bootloader}
13724 The system bootloader configuration object. @xref{Bootloader Configuration}.
13727 This is the label (a string) as it appears in the bootloader's menu entry.
13728 The default label includes the kernel name and version.
13730 @item @code{keyboard-layout} (default: @code{#f})
13731 This field specifies the keyboard layout to use in the console. It can be
13732 either @code{#f}, in which case the default keyboard layout is used (usually
13733 US English), or a @code{<keyboard-layout>} record. @xref{Keyboard Layout},
13734 for more information.
13736 This keyboard layout is in effect as soon as the kernel has booted. For
13737 instance, it is the keyboard layout in effect when you type a passphrase if
13738 your root file system is on a @code{luks-device-mapping} mapped device
13739 (@pxref{Mapped Devices}).
13742 This does @emph{not} specify the keyboard layout used by the bootloader, nor
13743 that used by the graphical display server. @xref{Bootloader Configuration},
13744 for information on how to specify the bootloader's keyboard layout. @xref{X
13745 Window}, for information on how to specify the keyboard layout used by the X
13749 @item @code{initrd-modules} (default: @code{%base-initrd-modules})
13751 @cindex initial RAM disk
13752 The list of Linux kernel modules that need to be available in the
13753 initial RAM disk. @xref{Initial RAM Disk}.
13755 @item @code{initrd} (default: @code{base-initrd})
13756 A procedure that returns an initial RAM disk for the Linux
13757 kernel. This field is provided to support low-level customization and
13758 should rarely be needed for casual use. @xref{Initial RAM Disk}.
13760 @item @code{firmware} (default: @code{%base-firmware})
13762 List of firmware packages loadable by the operating system kernel.
13764 The default includes firmware needed for Atheros- and Broadcom-based
13765 WiFi devices (Linux-libre modules @code{ath9k} and @code{b43-open},
13766 respectively). @xref{Hardware Considerations}, for more info on
13767 supported hardware.
13769 @item @code{host-name}
13772 @item @code{hosts-file}
13774 A file-like object (@pxref{G-Expressions, file-like objects}) for use as
13775 @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library
13776 Reference Manual}). The default is a file with entries for
13777 @code{localhost} and @var{host-name}.
13779 @item @code{mapped-devices} (default: @code{'()})
13780 A list of mapped devices. @xref{Mapped Devices}.
13782 @item @code{file-systems}
13783 A list of file systems. @xref{File Systems}.
13785 @cindex swap devices
13787 @item @code{swap-devices} (default: @code{'()})
13788 A list of UUIDs, file system labels, or strings identifying devices or
13789 files to be used for ``swap
13790 space'' (@pxref{Memory Concepts,,, libc, The GNU C Library Reference
13791 Manual}). Here are some examples:
13794 @item (list (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb"))
13795 Use the swap partition with the given UUID@. You can learn the UUID of a
13796 Linux swap partition by running @command{swaplabel @var{device}}, where
13797 @var{device} is the @file{/dev} file name of that partition.
13799 @item (list (file-system-label "swap"))
13800 Use the partition with label @code{swap}. Again, the
13801 @command{swaplabel} command allows you to view and change the label of a
13802 Linux swap partition.
13804 @item (list "/swapfile")
13805 Use the file @file{/swapfile} as swap space.
13807 @item (list "/dev/sda3" "/dev/sdb2")
13808 Use the @file{/dev/sda3} and @file{/dev/sdb2} partitions as swap space.
13809 We recommend referring to swap devices by UUIDs or labels as shown above
13813 It is possible to specify a swap file in a file system on a mapped
13814 device (under @file{/dev/mapper}), provided that the necessary device
13815 mapping and file system are also specified. @xref{Mapped Devices} and
13816 @ref{File Systems}.
13818 @item @code{users} (default: @code{%base-user-accounts})
13819 @itemx @code{groups} (default: @code{%base-groups})
13820 List of user accounts and groups. @xref{User Accounts}.
13822 If the @code{users} list lacks a user account with UID@tie{}0, a
13823 ``root'' account with UID@tie{}0 is automatically added.
13825 @item @code{skeletons} (default: @code{(default-skeletons)})
13826 A list of target file name/file-like object tuples (@pxref{G-Expressions,
13827 file-like objects}). These are the skeleton files that will be added to
13828 the home directory of newly-created user accounts.
13830 For instance, a valid value may look like this:
13833 `((".bashrc" ,(plain-file "bashrc" "echo Hello\n"))
13834 (".guile" ,(plain-file "guile"
13835 "(use-modules (ice-9 readline))
13836 (activate-readline)")))
13839 @item @code{issue} (default: @code{%default-issue})
13840 A string denoting the contents of the @file{/etc/issue} file, which is
13841 displayed when users log in on a text console.
13843 @item @code{packages} (default: @code{%base-packages})
13844 A list of packages to be installed in the global profile, which is accessible
13845 at @file{/run/current-system/profile}. Each element is either a package
13846 variable or a package/output tuple. Here's a simple example of both:
13849 (cons* git ; the default "out" output
13850 (list git "send-email") ; another output of git
13851 %base-packages) ; the default set
13854 The default set includes core utilities and it is good practice to
13855 install non-core utilities in user profiles (@pxref{Invoking guix
13858 @item @code{timezone}
13859 A timezone identifying string---e.g., @code{"Europe/Paris"}.
13861 You can run the @command{tzselect} command to find out which timezone
13862 string corresponds to your region. Choosing an invalid timezone name
13863 causes @command{guix system} to fail.
13865 @item @code{locale} (default: @code{"en_US.utf8"})
13866 The name of the default locale (@pxref{Locale Names,,, libc, The GNU C
13867 Library Reference Manual}). @xref{Locales}, for more information.
13869 @item @code{locale-definitions} (default: @code{%default-locale-definitions})
13870 The list of locale definitions to be compiled and that may be used at
13871 run time. @xref{Locales}.
13873 @item @code{locale-libcs} (default: @code{(list @var{glibc})})
13874 The list of GNU@tie{}libc packages whose locale data and tools are used
13875 to build the locale definitions. @xref{Locales}, for compatibility
13876 considerations that justify this option.
13878 @item @code{name-service-switch} (default: @code{%default-nss})
13879 Configuration of the libc name service switch (NSS)---a
13880 @code{<name-service-switch>} object. @xref{Name Service Switch}, for
13883 @item @code{services} (default: @code{%base-services})
13884 A list of service objects denoting system services. @xref{Services}.
13886 @cindex essential services
13887 @item @code{essential-services} (default: ...)
13888 The list of ``essential services''---i.e., things like instances of
13889 @code{system-service-type} and @code{host-name-service-type} (@pxref{Service
13890 Reference}), which are derived from the operating system definition itself.
13891 As a user you should @emph{never} need to touch this field.
13893 @item @code{pam-services} (default: @code{(base-pam-services)})
13895 @cindex pluggable authentication modules
13896 Linux @dfn{pluggable authentication module} (PAM) services.
13897 @c FIXME: Add xref to PAM services section.
13899 @item @code{setuid-programs} (default: @code{%setuid-programs})
13900 List of string-valued G-expressions denoting setuid programs.
13901 @xref{Setuid Programs}.
13903 @item @code{sudoers-file} (default: @code{%sudoers-specification})
13904 @cindex sudoers file
13905 The contents of the @file{/etc/sudoers} file as a file-like object
13906 (@pxref{G-Expressions, @code{local-file} and @code{plain-file}}).
13908 This file specifies which users can use the @command{sudo} command, what
13909 they are allowed to do, and what privileges they may gain. The default
13910 is that only @code{root} and members of the @code{wheel} group may use
13915 @deffn {Scheme Syntax} this-operating-system
13916 When used in the @emph{lexical scope} of an operating system field definition,
13917 this identifier resolves to the operating system being defined.
13919 The example below shows how to refer to the operating system being defined in
13920 the definition of the @code{label} field:
13923 (use-modules (gnu) (guix))
13927 (label (package-full-name
13928 (operating-system-kernel this-operating-system))))
13931 It is an error to refer to @code{this-operating-system} outside an operating
13938 @section File Systems
13940 The list of file systems to be mounted is specified in the
13941 @code{file-systems} field of the operating system declaration
13942 (@pxref{Using the Configuration System}). Each file system is declared
13943 using the @code{file-system} form, like this:
13947 (mount-point "/home")
13948 (device "/dev/sda3")
13952 As usual, some of the fields are mandatory---those shown in the example
13953 above---while others can be omitted. These are described below.
13955 @deftp {Data Type} file-system
13956 Objects of this type represent file systems to be mounted. They
13957 contain the following members:
13961 This is a string specifying the type of the file system---e.g.,
13964 @item @code{mount-point}
13965 This designates the place where the file system is to be mounted.
13967 @item @code{device}
13968 This names the ``source'' of the file system. It can be one of three
13969 things: a file system label, a file system UUID, or the name of a
13970 @file{/dev} node. Labels and UUIDs offer a way to refer to file
13971 systems without having to hard-code their actual device
13972 name@footnote{Note that, while it is tempting to use
13973 @file{/dev/disk/by-uuid} and similar device names to achieve the same
13974 result, this is not recommended: These special device nodes are created
13975 by the udev daemon and may be unavailable at the time the device is
13978 @findex file-system-label
13979 File system labels are created using the @code{file-system-label}
13980 procedure, UUIDs are created using @code{uuid}, and @file{/dev} node are
13981 plain strings. Here's an example of a file system referred to by its
13982 label, as shown by the @command{e2label} command:
13986 (mount-point "/home")
13988 (device (file-system-label "my-home")))
13992 UUIDs are converted from their string representation (as shown by the
13993 @command{tune2fs -l} command) using the @code{uuid} form@footnote{The
13994 @code{uuid} form expects 16-byte UUIDs as defined in
13995 @uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}. This is the
13996 form of UUID used by the ext2 family of file systems and others, but it
13997 is different from ``UUIDs'' found in FAT file systems, for instance.},
14002 (mount-point "/home")
14004 (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")))
14007 When the source of a file system is a mapped device (@pxref{Mapped
14008 Devices}), its @code{device} field @emph{must} refer to the mapped
14009 device name---e.g., @file{"/dev/mapper/root-partition"}.
14010 This is required so that
14011 the system knows that mounting the file system depends on having the
14012 corresponding device mapping established.
14014 @item @code{flags} (default: @code{'()})
14015 This is a list of symbols denoting mount flags. Recognized flags
14016 include @code{read-only}, @code{bind-mount}, @code{no-dev} (disallow
14017 access to special files), @code{no-suid} (ignore setuid and setgid
14018 bits), @code{no-atime} (do not update file access times),
14019 @code{strict-atime} (update file access time), @code{lazy-time} (only
14020 update time on the in-memory version of the file inode), and
14021 @code{no-exec} (disallow program execution).
14022 @xref{Mount-Unmount-Remount,,, libc, The GNU C Library Reference
14023 Manual}, for more information on these flags.
14025 @item @code{options} (default: @code{#f})
14026 This is either @code{#f}, or a string denoting mount options passed to
14027 the file system driver. @xref{Mount-Unmount-Remount,,, libc, The GNU C
14028 Library Reference Manual}, for details and run @command{man 8 mount} for
14029 options for various file systems. Note that the
14030 @code{file-system-options->alist} and @code{alist->file-system-options}
14031 procedures from @code{(gnu system file-systems)} can be used to convert
14032 file system options given as an association list to the string
14033 representation, and vice-versa.
14035 @item @code{mount?} (default: @code{#t})
14036 This value indicates whether to automatically mount the file system when
14037 the system is brought up. When set to @code{#f}, the file system gets
14038 an entry in @file{/etc/fstab} (read by the @command{mount} command) but
14039 is not automatically mounted.
14041 @item @code{needed-for-boot?} (default: @code{#f})
14042 This Boolean value indicates whether the file system is needed when
14043 booting. If that is true, then the file system is mounted when the
14044 initial RAM disk (initrd) is loaded. This is always the case, for
14045 instance, for the root file system.
14047 @item @code{check?} (default: @code{#t})
14048 This Boolean indicates whether the file system needs to be checked for
14049 errors before being mounted.
14051 @item @code{create-mount-point?} (default: @code{#f})
14052 When true, the mount point is created if it does not exist yet.
14054 @item @code{mount-may-fail?} (default: @code{#f})
14055 When true, this indicates that mounting this file system can fail but
14056 that should not be considered an error. This is useful in unusual
14057 cases; an example of this is @code{efivarfs}, a file system that can
14058 only be mounted on EFI/UEFI systems.
14060 @item @code{dependencies} (default: @code{'()})
14061 This is a list of @code{<file-system>} or @code{<mapped-device>} objects
14062 representing file systems that must be mounted or mapped devices that
14063 must be opened before (and unmounted or closed after) this one.
14065 As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
14066 a dependency of @file{/sys/fs/cgroup/cpu} and
14067 @file{/sys/fs/cgroup/memory}.
14069 Another example is a file system that depends on a mapped device, for
14070 example for an encrypted partition (@pxref{Mapped Devices}).
14074 @deffn {Scheme Procedure} file-system-label @var{str}
14075 This procedure returns an opaque file system label from @var{str}, a
14079 (file-system-label "home")
14080 @result{} #<file-system-label "home">
14083 File system labels are used to refer to file systems by label rather
14084 than by device name. See above for examples.
14087 The @code{(gnu system file-systems)} exports the following useful
14090 @defvr {Scheme Variable} %base-file-systems
14091 These are essential file systems that are required on normal systems,
14092 such as @code{%pseudo-terminal-file-system} and @code{%immutable-store} (see
14093 below). Operating system declarations should always contain at least
14097 @defvr {Scheme Variable} %pseudo-terminal-file-system
14098 This is the file system to be mounted as @file{/dev/pts}. It supports
14099 @dfn{pseudo-terminals} created @i{via} @code{openpty} and similar
14100 functions (@pxref{Pseudo-Terminals,,, libc, The GNU C Library Reference
14101 Manual}). Pseudo-terminals are used by terminal emulators such as
14105 @defvr {Scheme Variable} %shared-memory-file-system
14106 This file system is mounted as @file{/dev/shm} and is used to support
14107 memory sharing across processes (@pxref{Memory-mapped I/O,
14108 @code{shm_open},, libc, The GNU C Library Reference Manual}).
14111 @defvr {Scheme Variable} %immutable-store
14112 This file system performs a read-only ``bind mount'' of
14113 @file{/gnu/store}, making it read-only for all the users including
14114 @code{root}. This prevents against accidental modification by software
14115 running as @code{root} or by system administrators.
14117 The daemon itself is still able to write to the store: it remounts it
14118 read-write in its own ``name space.''
14121 @defvr {Scheme Variable} %binary-format-file-system
14122 The @code{binfmt_misc} file system, which allows handling of arbitrary
14123 executable file types to be delegated to user space. This requires the
14124 @code{binfmt.ko} kernel module to be loaded.
14127 @defvr {Scheme Variable} %fuse-control-file-system
14128 The @code{fusectl} file system, which allows unprivileged users to mount
14129 and unmount user-space FUSE file systems. This requires the
14130 @code{fuse.ko} kernel module to be loaded.
14133 The @code{(gnu system uuid)} module provides tools to deal with file
14134 system ``unique identifiers'' (UUIDs).
14136 @deffn {Scheme Procedure} uuid @var{str} [@var{type}]
14137 Return an opaque UUID (unique identifier) object of the given @var{type}
14138 (a symbol) by parsing @var{str} (a string):
14141 (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")
14142 @result{} #<<uuid> type: dce bv: @dots{}>
14144 (uuid "1234-ABCD" 'fat)
14145 @result{} #<<uuid> type: fat bv: @dots{}>
14148 @var{type} may be one of @code{dce}, @code{iso9660}, @code{fat},
14149 @code{ntfs}, or one of the commonly found synonyms for these.
14151 UUIDs are another way to unambiguously refer to file systems in
14152 operating system configuration. See the examples above.
14156 @node Btrfs file system
14157 @subsection Btrfs file system
14159 The Btrfs has special features, such as subvolumes, that merit being
14160 explained in more details. The following section attempts to cover
14161 basic as well as complex uses of a Btrfs file system with the Guix
14164 In its simplest usage, a Btrfs file system can be described, for
14169 (mount-point "/home")
14171 (device (file-system-label "my-home")))
14174 The example below is more complex, as it makes use of a Btrfs
14175 subvolume, named @code{rootfs}. The parent Btrfs file system is labeled
14176 @code{my-btrfs-pool}, and is located on an encrypted device (hence the
14177 dependency on @code{mapped-devices}):
14181 (device (file-system-label "my-btrfs-pool"))
14184 (options "subvol=rootfs")
14185 (dependencies mapped-devices))
14188 Some bootloaders, for example GRUB, only mount a Btrfs partition at its
14189 top level during the early boot, and rely on their configuration to
14190 refer to the correct subvolume path within that top level. The
14191 bootloaders operating in this way typically produce their configuration
14192 on a running system where the Btrfs partitions are already mounted and
14193 where the subvolume information is readily available. As an example,
14194 @command{grub-mkconfig}, the configuration generator command shipped
14195 with GRUB, reads @file{/proc/self/mountinfo} to determine the top-level
14196 path of a subvolume.
14198 The Guix System produces a bootloader configuration using the operating
14199 system configuration as its sole input; it is therefore necessary to
14200 extract the subvolume name on which @file{/gnu/store} lives (if any)
14201 from that operating system configuration. To better illustrate,
14202 consider a subvolume named 'rootfs' which contains the root file system
14203 data. In such situation, the GRUB bootloader would only see the top
14204 level of the root Btrfs partition, e.g.:
14208 ├── rootfs (subvolume directory)
14209 ├── gnu (normal directory)
14210 ├── store (normal directory)
14214 Thus, the subvolume name must be prepended to the @file{/gnu/store} path
14215 of the kernel, initrd binaries and any other files referred to in the
14216 GRUB configuration that must be found during the early boot.
14218 The next example shows a nested hierarchy of subvolumes and
14223 ├── rootfs (subvolume)
14224 ├── gnu (normal directory)
14225 ├── store (subvolume)
14229 This scenario would work without mounting the 'store' subvolume.
14230 Mounting 'rootfs' is sufficient, since the subvolume name matches its
14231 intended mount point in the file system hierarchy. Alternatively, the
14232 'store' subvolume could be referred to by setting the @code{subvol}
14233 option to either @code{/rootfs/gnu/store} or @code{rootfs/gnu/store}.
14235 Finally, a more contrived example of nested subvolumes:
14239 ├── root-snapshots (subvolume)
14240 ├── root-current (subvolume)
14241 ├── guix-store (subvolume)
14245 Here, the 'guix-store' subvolume doesn't match its intended mount point,
14246 so it is necessary to mount it. The subvolume must be fully specified,
14247 by passing its file name to the @code{subvol} option. To illustrate,
14248 the 'guix-store' subvolume could be mounted on @file{/gnu/store} by using
14249 a file system declaration such as:
14253 (device (file-system-label "btrfs-pool-1"))
14254 (mount-point "/gnu/store")
14256 (options "subvol=root-snapshots/root-current/guix-store,\
14257 compress-force=zstd,space_cache=v2"))
14260 @node Mapped Devices
14261 @section Mapped Devices
14263 @cindex device mapping
14264 @cindex mapped devices
14265 The Linux kernel has a notion of @dfn{device mapping}: a block device,
14266 such as a hard disk partition, can be @dfn{mapped} into another device,
14267 usually in @code{/dev/mapper/},
14268 with additional processing over the data that flows through
14269 it@footnote{Note that the GNU@tie{}Hurd makes no difference between the
14270 concept of a ``mapped device'' and that of a file system: both boil down
14271 to @emph{translating} input/output operations made on a file to
14272 operations on its backing store. Thus, the Hurd implements mapped
14273 devices, like file systems, using the generic @dfn{translator} mechanism
14274 (@pxref{Translators,,, hurd, The GNU Hurd Reference Manual}).}. A
14275 typical example is encryption device mapping: all writes to the mapped
14276 device are encrypted, and all reads are deciphered, transparently.
14277 Guix extends this notion by considering any device or set of devices that
14278 are @dfn{transformed} in some way to create a new device; for instance,
14279 RAID devices are obtained by @dfn{assembling} several other devices, such
14280 as hard disks or partitions, into a new one that behaves as one partition.
14282 Mapped devices are declared using the @code{mapped-device} form,
14283 defined as follows; for examples, see below.
14285 @deftp {Data Type} mapped-device
14286 Objects of this type represent device mappings that will be made when
14287 the system boots up.
14291 This is either a string specifying the name of the block device to be mapped,
14292 such as @code{"/dev/sda3"}, or a list of such strings when several devices
14293 need to be assembled for creating a new one. In case of LVM this is a
14294 string specifying name of the volume group to be mapped.
14297 This string specifies the name of the resulting mapped device. For
14298 kernel mappers such as encrypted devices of type @code{luks-device-mapping},
14299 specifying @code{"my-partition"} leads to the creation of
14300 the @code{"/dev/mapper/my-partition"} device.
14301 For RAID devices of type @code{raid-device-mapping}, the full device name
14302 such as @code{"/dev/md0"} needs to be given.
14303 LVM logical volumes of type @code{lvm-device-mapping} need to
14304 be specified as @code{"VGNAME-LVNAME"}.
14307 This list of strings specifies names of the resulting mapped devices in case
14308 there are several. The format is identical to @var{target}.
14311 This must be a @code{mapped-device-kind} object, which specifies how
14312 @var{source} is mapped to @var{target}.
14316 @defvr {Scheme Variable} luks-device-mapping
14317 This defines LUKS block device encryption using the @command{cryptsetup}
14318 command from the package with the same name. It relies on the
14319 @code{dm-crypt} Linux kernel module.
14322 @defvr {Scheme Variable} raid-device-mapping
14323 This defines a RAID device, which is assembled using the @code{mdadm}
14324 command from the package with the same name. It requires a Linux kernel
14325 module for the appropriate RAID level to be loaded, such as @code{raid456}
14326 for RAID-4, RAID-5 or RAID-6, or @code{raid10} for RAID-10.
14329 @cindex LVM, logical volume manager
14330 @defvr {Scheme Variable} lvm-device-mapping
14331 This defines one or more logical volumes for the Linux
14332 @uref{https://www.sourceware.org/lvm2/, Logical Volume Manager (LVM)}.
14333 The volume group is activated by the @command{vgchange} command from the
14334 @code{lvm2} package.
14337 @cindex disk encryption
14339 The following example specifies a mapping from @file{/dev/sda3} to
14340 @file{/dev/mapper/home} using LUKS---the
14341 @url{https://gitlab.com/cryptsetup/cryptsetup,Linux Unified Key Setup}, a
14342 standard mechanism for disk encryption.
14343 The @file{/dev/mapper/home}
14344 device can then be used as the @code{device} of a @code{file-system}
14345 declaration (@pxref{File Systems}).
14349 (source "/dev/sda3")
14351 (type luks-device-mapping))
14354 Alternatively, to become independent of device numbering, one may obtain
14355 the LUKS UUID (@dfn{unique identifier}) of the source device by a
14359 cryptsetup luksUUID /dev/sda3
14362 and use it as follows:
14366 (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
14368 (type luks-device-mapping))
14371 @cindex swap encryption
14372 It is also desirable to encrypt swap space, since swap space may contain
14373 sensitive data. One way to accomplish that is to use a swap file in a
14374 file system on a device mapped via LUKS encryption. In this way, the
14375 swap file is encrypted because the entire device is encrypted.
14376 @xref{Preparing for Installation,,Disk Partitioning}, for an example.
14378 A RAID device formed of the partitions @file{/dev/sda1} and @file{/dev/sdb1}
14379 may be declared as follows:
14383 (source (list "/dev/sda1" "/dev/sdb1"))
14384 (target "/dev/md0")
14385 (type raid-device-mapping))
14388 The @file{/dev/md0} device can then be used as the @code{device} of a
14389 @code{file-system} declaration (@pxref{File Systems}).
14390 Note that the RAID level need not be given; it is chosen during the
14391 initial creation and formatting of the RAID device and is determined
14392 automatically later.
14394 LVM logical volumes ``alpha'' and ``beta'' from volume group ``vg0'' can
14395 be declared as follows:
14400 (targets (list "vg0-alpha" "vg0-beta"))
14401 (type lvm-device-mapping))
14404 Devices @file{/dev/mapper/vg0-alpha} and @file{/dev/mapper/vg0-beta} can
14405 then be used as the @code{device} of a @code{file-system} declaration
14406 (@pxref{File Systems}).
14408 @node User Accounts
14409 @section User Accounts
14413 @cindex user accounts
14414 User accounts and groups are entirely managed through the
14415 @code{operating-system} declaration. They are specified with the
14416 @code{user-account} and @code{user-group} forms:
14422 (supplementary-groups '("wheel" ;allow use of sudo, etc.
14423 "audio" ;sound card
14424 "video" ;video devices such as webcams
14425 "cdrom")) ;the good ol' CD-ROM
14426 (comment "Bob's sister"))
14429 Here's a user account that uses a different shell and a custom home
14430 directory (the default would be @file{"/home/bob"}):
14436 (comment "Alice's bro")
14437 (shell (file-append zsh "/bin/zsh"))
14438 (home-directory "/home/robert"))
14441 When booting or upon completion of @command{guix system reconfigure},
14442 the system ensures that only the user accounts and groups specified in
14443 the @code{operating-system} declaration exist, and with the specified
14444 properties. Thus, account or group creations or modifications made by
14445 directly invoking commands such as @command{useradd} are lost upon
14446 reconfiguration or reboot. This ensures that the system remains exactly
14449 @deftp {Data Type} user-account
14450 Objects of this type represent user accounts. The following members may
14455 The name of the user account.
14459 This is the name (a string) or identifier (a number) of the user group
14460 this account belongs to.
14462 @item @code{supplementary-groups} (default: @code{'()})
14463 Optionally, this can be defined as a list of group names that this
14464 account belongs to.
14466 @item @code{uid} (default: @code{#f})
14467 This is the user ID for this account (a number), or @code{#f}. In the
14468 latter case, a number is automatically chosen by the system when the
14469 account is created.
14471 @item @code{comment} (default: @code{""})
14472 A comment about the account, such as the account owner's full name.
14474 @item @code{home-directory}
14475 This is the name of the home directory for the account.
14477 @item @code{create-home-directory?} (default: @code{#t})
14478 Indicates whether the home directory of this account should be created
14479 if it does not exist yet.
14481 @item @code{shell} (default: Bash)
14482 This is a G-expression denoting the file name of a program to be used as
14483 the shell (@pxref{G-Expressions}). For example, you would refer to the
14484 Bash executable like this:
14487 (file-append bash "/bin/bash")
14491 ... and to the Zsh executable like that:
14494 (file-append zsh "/bin/zsh")
14497 @item @code{system?} (default: @code{#f})
14498 This Boolean value indicates whether the account is a ``system''
14499 account. System accounts are sometimes treated specially; for instance,
14500 graphical login managers do not list them.
14502 @anchor{user-account-password}
14503 @cindex password, for user accounts
14504 @item @code{password} (default: @code{#f})
14505 You would normally leave this field to @code{#f}, initialize user
14506 passwords as @code{root} with the @command{passwd} command, and then let
14507 users change it with @command{passwd}. Passwords set with
14508 @command{passwd} are of course preserved across reboot and
14511 If you @emph{do} want to set an initial password for an account, then
14512 this field must contain the encrypted password, as a string. You can use the
14513 @code{crypt} procedure for this purpose:
14520 ;; Specify a SHA-512-hashed initial password.
14521 (password (crypt "InitialPassword!" "$6$abc")))
14525 The hash of this initial password will be available in a file in
14526 @file{/gnu/store}, readable by all the users, so this method must be used with
14530 @xref{Passphrase Storage,,, libc, The GNU C Library Reference Manual}, for
14531 more information on password encryption, and @ref{Encryption,,, guile, GNU
14532 Guile Reference Manual}, for information on Guile's @code{crypt} procedure.
14538 User group declarations are even simpler:
14541 (user-group (name "students"))
14544 @deftp {Data Type} user-group
14545 This type is for, well, user groups. There are just a few fields:
14549 The name of the group.
14551 @item @code{id} (default: @code{#f})
14552 The group identifier (a number). If @code{#f}, a new number is
14553 automatically allocated when the group is created.
14555 @item @code{system?} (default: @code{#f})
14556 This Boolean value indicates whether the group is a ``system'' group.
14557 System groups have low numerical IDs.
14559 @item @code{password} (default: @code{#f})
14560 What, user groups can have a password? Well, apparently yes. Unless
14561 @code{#f}, this field specifies the password of the group.
14566 For convenience, a variable lists all the basic user groups one may
14569 @defvr {Scheme Variable} %base-groups
14570 This is the list of basic user groups that users and/or packages expect
14571 to be present on the system. This includes groups such as ``root'',
14572 ``wheel'', and ``users'', as well as groups used to control access to
14573 specific devices such as ``audio'', ``disk'', and ``cdrom''.
14576 @defvr {Scheme Variable} %base-user-accounts
14577 This is the list of basic system accounts that programs may expect to
14578 find on a GNU/Linux system, such as the ``nobody'' account.
14580 Note that the ``root'' account is not included here. It is a
14581 special-case and is automatically added whether or not it is specified.
14584 @node Keyboard Layout
14585 @section Keyboard Layout
14587 @cindex keyboard layout
14589 To specify what each key of your keyboard does, you need to tell the operating
14590 system what @dfn{keyboard layout} you want to use. The default, when nothing
14591 is specified, is the US English QWERTY layout for 105-key PC keyboards.
14592 However, German speakers will usually prefer the German QWERTZ layout, French
14593 speakers will want the AZERTY layout, and so on; hackers might prefer Dvorak
14594 or bépo, and they might even want to further customize the effect of some of
14595 the keys. This section explains how to get that done.
14597 @cindex keyboard layout, definition
14598 There are three components that will want to know about your keyboard layout:
14602 The @emph{bootloader} may want to know what keyboard layout you want to use
14603 (@pxref{Bootloader Configuration, @code{keyboard-layout}}). This is useful if
14604 you want, for instance, to make sure that you can type the passphrase of your
14605 encrypted root partition using the right layout.
14608 The @emph{operating system kernel}, Linux, will need that so that the console
14609 is properly configured (@pxref{operating-system Reference,
14610 @code{keyboard-layout}}).
14613 The @emph{graphical display server}, usually Xorg, also has its own idea of
14614 the keyboard layout (@pxref{X Window, @code{keyboard-layout}}).
14617 Guix allows you to configure all three separately but, fortunately, it allows
14618 you to share the same keyboard layout for all three components.
14620 @cindex XKB, keyboard layouts
14621 Keyboard layouts are represented by records created by the
14622 @code{keyboard-layout} procedure of @code{(gnu system keyboard)}. Following
14623 the X Keyboard extension (XKB), each layout has four attributes: a name (often
14624 a language code such as ``fi'' for Finnish or ``jp'' for Japanese), an
14625 optional variant name, an optional keyboard model name, and a possibly empty
14626 list of additional options. In most cases the layout name is all you care
14629 @deffn {Scheme Procedure} keyboard-layout @var{name} [@var{variant}] @
14630 [#:model] [#:options '()]
14631 Return a new keyboard layout with the given @var{name} and @var{variant}.
14633 @var{name} must be a string such as @code{"fr"}; @var{variant} must be a
14634 string such as @code{"bepo"} or @code{"nodeadkeys"}. See the
14635 @code{xkeyboard-config} package for valid options.
14638 Here are a few examples:
14641 ;; The German QWERTZ layout. Here we assume a standard
14642 ;; "pc105" keyboard model.
14643 (keyboard-layout "de")
14645 ;; The bépo variant of the French layout.
14646 (keyboard-layout "fr" "bepo")
14648 ;; The Catalan layout.
14649 (keyboard-layout "es" "cat")
14651 ;; Arabic layout with "Alt-Shift" to switch to US layout.
14652 (keyboard-layout "ar,us" #:options '("grp:alt_shift_toggle"))
14654 ;; The Latin American Spanish layout. In addition, the
14655 ;; "Caps Lock" key is used as an additional "Ctrl" key,
14656 ;; and the "Menu" key is used as a "Compose" key to enter
14657 ;; accented letters.
14658 (keyboard-layout "latam"
14659 #:options '("ctrl:nocaps" "compose:menu"))
14661 ;; The Russian layout for a ThinkPad keyboard.
14662 (keyboard-layout "ru" #:model "thinkpad")
14664 ;; The "US international" layout, which is the US layout plus
14665 ;; dead keys to enter accented characters. This is for an
14666 ;; Apple MacBook keyboard.
14667 (keyboard-layout "us" "intl" #:model "macbook78")
14670 See the @file{share/X11/xkb} directory of the @code{xkeyboard-config} package
14671 for a complete list of supported layouts, variants, and models.
14673 @cindex keyboard layout, configuration
14674 Let's say you want your system to use the Turkish keyboard layout throughout
14675 your system---bootloader, console, and Xorg. Here's what your system
14676 configuration would look like:
14678 @findex set-xorg-configuration
14680 ;; Using the Turkish layout for the bootloader, the console,
14685 (keyboard-layout (keyboard-layout "tr")) ;for the console
14686 (bootloader (bootloader-configuration
14687 (bootloader grub-efi-bootloader)
14688 (target "/boot/efi")
14689 (keyboard-layout keyboard-layout))) ;for GRUB
14690 (services (cons (set-xorg-configuration
14691 (xorg-configuration ;for Xorg
14692 (keyboard-layout keyboard-layout)))
14693 %desktop-services)))
14696 In the example above, for GRUB and for Xorg, we just refer to the
14697 @code{keyboard-layout} field defined above, but we could just as well refer to
14698 a different layout. The @code{set-xorg-configuration} procedure communicates
14699 the desired Xorg configuration to the graphical log-in manager, by default
14702 We've discussed how to specify the @emph{default} keyboard layout of your
14703 system when it starts, but you can also adjust it at run time:
14707 If you're using GNOME, its settings panel has a ``Region & Language'' entry
14708 where you can select one or more keyboard layouts.
14711 Under Xorg, the @command{setxkbmap} command (from the same-named package)
14712 allows you to change the current layout. For example, this is how you would
14713 change the layout to US Dvorak:
14716 setxkbmap us dvorak
14720 The @code{loadkeys} command changes the keyboard layout in effect in the Linux
14721 console. However, note that @code{loadkeys} does @emph{not} use the XKB
14722 keyboard layout categorization described above. The command below loads the
14723 French bépo layout:
14734 A @dfn{locale} defines cultural conventions for a particular language
14735 and region of the world (@pxref{Locales,,, libc, The GNU C Library
14736 Reference Manual}). Each locale has a name that typically has the form
14737 @code{@var{language}_@var{territory}.@var{codeset}}---e.g.,
14738 @code{fr_LU.utf8} designates the locale for the French language, with
14739 cultural conventions from Luxembourg, and using the UTF-8 encoding.
14741 @cindex locale definition
14742 Usually, you will want to specify the default locale for the machine
14743 using the @code{locale} field of the @code{operating-system} declaration
14744 (@pxref{operating-system Reference, @code{locale}}).
14746 The selected locale is automatically added to the @dfn{locale
14747 definitions} known to the system if needed, with its codeset inferred
14748 from its name---e.g., @code{bo_CN.utf8} will be assumed to use the
14749 @code{UTF-8} codeset. Additional locale definitions can be specified in
14750 the @code{locale-definitions} slot of @code{operating-system}---this is
14751 useful, for instance, if the codeset could not be inferred from the
14752 locale name. The default set of locale definitions includes some widely
14753 used locales, but not all the available locales, in order to save space.
14755 For instance, to add the North Frisian locale for Germany, the value of
14759 (cons (locale-definition
14760 (name "fy_DE.utf8") (source "fy_DE"))
14761 %default-locale-definitions)
14764 Likewise, to save space, one might want @code{locale-definitions} to
14765 list only the locales that are actually used, as in:
14768 (list (locale-definition
14769 (name "ja_JP.eucjp") (source "ja_JP")
14770 (charset "EUC-JP")))
14774 The compiled locale definitions are available at
14775 @file{/run/current-system/locale/X.Y}, where @code{X.Y} is the libc
14776 version, which is the default location where the GNU@tie{}libc provided
14777 by Guix looks for locale data. This can be overridden using the
14778 @env{LOCPATH} environment variable (@pxref{locales-and-locpath,
14779 @env{LOCPATH} and locale packages}).
14781 The @code{locale-definition} form is provided by the @code{(gnu system
14782 locale)} module. Details are given below.
14784 @deftp {Data Type} locale-definition
14785 This is the data type of a locale definition.
14790 The name of the locale. @xref{Locale Names,,, libc, The GNU C Library
14791 Reference Manual}, for more information on locale names.
14793 @item @code{source}
14794 The name of the source for that locale. This is typically the
14795 @code{@var{language}_@var{territory}} part of the locale name.
14797 @item @code{charset} (default: @code{"UTF-8"})
14798 The ``character set'' or ``code set'' for that locale,
14799 @uref{https://www.iana.org/assignments/character-sets, as defined by
14805 @defvr {Scheme Variable} %default-locale-definitions
14806 A list of commonly used UTF-8 locales, used as the default
14807 value of the @code{locale-definitions} field of @code{operating-system}
14810 @cindex locale name
14811 @cindex normalized codeset in locale names
14812 These locale definitions use the @dfn{normalized codeset} for the part
14813 that follows the dot in the name (@pxref{Using gettextized software,
14814 normalized codeset,, libc, The GNU C Library Reference Manual}). So for
14815 instance it has @code{uk_UA.utf8} but @emph{not}, say,
14816 @code{uk_UA.UTF-8}.
14819 @subsection Locale Data Compatibility Considerations
14821 @cindex incompatibility, of locale data
14822 @code{operating-system} declarations provide a @code{locale-libcs} field
14823 to specify the GNU@tie{}libc packages that are used to compile locale
14824 declarations (@pxref{operating-system Reference}). ``Why would I
14825 care?'', you may ask. Well, it turns out that the binary format of
14826 locale data is occasionally incompatible from one libc version to
14829 @c See <https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html>
14830 @c and <https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00737.html>.
14831 For instance, a program linked against libc version 2.21 is unable to
14832 read locale data produced with libc 2.22; worse, that program
14833 @emph{aborts} instead of simply ignoring the incompatible locale
14834 data@footnote{Versions 2.23 and later of GNU@tie{}libc will simply skip
14835 the incompatible locale data, which is already an improvement.}.
14836 Similarly, a program linked against libc 2.22 can read most, but not
14837 all, of the locale data from libc 2.21 (specifically, @env{LC_COLLATE}
14838 data is incompatible); thus calls to @code{setlocale} may fail, but
14839 programs will not abort.
14841 The ``problem'' with Guix is that users have a lot of freedom: They can
14842 choose whether and when to upgrade software in their profiles, and might
14843 be using a libc version different from the one the system administrator
14844 used to build the system-wide locale data.
14846 Fortunately, unprivileged users can also install their own locale data
14847 and define @env{GUIX_LOCPATH} accordingly (@pxref{locales-and-locpath,
14848 @env{GUIX_LOCPATH} and locale packages}).
14850 Still, it is best if the system-wide locale data at
14851 @file{/run/current-system/locale} is built for all the libc versions
14852 actually in use on the system, so that all the programs can access
14853 it---this is especially crucial on a multi-user system. To do that, the
14854 administrator can specify several libc packages in the
14855 @code{locale-libcs} field of @code{operating-system}:
14858 (use-package-modules base)
14862 (locale-libcs (list glibc-2.21 (canonical-package glibc))))
14865 This example would lead to a system containing locale definitions for
14866 both libc 2.21 and the current version of libc in
14867 @file{/run/current-system/locale}.
14873 @cindex system services
14874 An important part of preparing an @code{operating-system} declaration is
14875 listing @dfn{system services} and their configuration (@pxref{Using the
14876 Configuration System}). System services are typically daemons launched
14877 when the system boots, or other actions needed at that time---e.g.,
14878 configuring network access.
14880 Guix has a broad definition of ``service'' (@pxref{Service
14881 Composition}), but many services are managed by the GNU@tie{}Shepherd
14882 (@pxref{Shepherd Services}). On a running system, the @command{herd}
14883 command allows you to list the available services, show their status,
14884 start and stop them, or do other specific operations (@pxref{Jump
14885 Start,,, shepherd, The GNU Shepherd Manual}). For example:
14891 The above command, run as @code{root}, lists the currently defined
14892 services. The @command{herd doc} command shows a synopsis of the given
14893 service and its associated actions:
14897 Run libc's name service cache daemon (nscd).
14899 # herd doc nscd action invalidate
14900 invalidate: Invalidate the given cache--e.g., 'hosts' for host name lookups.
14903 The @command{start}, @command{stop}, and @command{restart} sub-commands
14904 have the effect you would expect. For instance, the commands below stop
14905 the nscd service and restart the Xorg display server:
14909 Service nscd has been stopped.
14910 # herd restart xorg-server
14911 Service xorg-server has been stopped.
14912 Service xorg-server has been started.
14915 The following sections document the available services, starting with
14916 the core services, that may be used in an @code{operating-system}
14920 * Base Services:: Essential system services.
14921 * Scheduled Job Execution:: The mcron service.
14922 * Log Rotation:: The rottlog service.
14923 * Networking Services:: Network setup, SSH daemon, etc.
14924 * Unattended Upgrades:: Automated system upgrades.
14925 * X Window:: Graphical display.
14926 * Printing Services:: Local and remote printer support.
14927 * Desktop Services:: D-Bus and desktop services.
14928 * Sound Services:: ALSA and Pulseaudio services.
14929 * Database Services:: SQL databases, key-value stores, etc.
14930 * Mail Services:: IMAP, POP3, SMTP, and all that.
14931 * Messaging Services:: Messaging services.
14932 * Telephony Services:: Telephony services.
14933 * File-Sharing Services:: File-sharing services.
14934 * Monitoring Services:: Monitoring services.
14935 * Kerberos Services:: Kerberos services.
14936 * LDAP Services:: LDAP services.
14937 * Web Services:: Web servers.
14938 * Certificate Services:: TLS certificates via Let's Encrypt.
14939 * DNS Services:: DNS daemons.
14940 * VPN Services:: VPN daemons.
14941 * Network File System:: NFS related services.
14942 * Continuous Integration:: Cuirass and Laminar services.
14943 * Power Management Services:: Extending battery life.
14944 * Audio Services:: The MPD.
14945 * Virtualization Services:: Virtualization services.
14946 * Version Control Services:: Providing remote access to Git repositories.
14947 * Game Services:: Game servers.
14948 * PAM Mount Service:: Service to mount volumes when logging in.
14949 * Guix Services:: Services relating specifically to Guix.
14950 * Linux Services:: Services tied to the Linux kernel.
14951 * Hurd Services:: Services specific for a Hurd System.
14952 * Miscellaneous Services:: Other services.
14955 @node Base Services
14956 @subsection Base Services
14958 The @code{(gnu services base)} module provides definitions for the basic
14959 services that one expects from the system. The services exported by
14960 this module are listed below.
14962 @defvr {Scheme Variable} %base-services
14963 This variable contains a list of basic services (@pxref{Service Types
14964 and Services}, for more information on service objects) one would
14965 expect from the system: a login service (mingetty) on each tty, syslogd,
14966 the libc name service cache daemon (nscd), the udev device manager, and
14969 This is the default value of the @code{services} field of
14970 @code{operating-system} declarations. Usually, when customizing a
14971 system, you will want to append services to @code{%base-services}, like
14975 (append (list (service avahi-service-type)
14976 (service openssh-service-type))
14981 @defvr {Scheme Variable} special-files-service-type
14982 This is the service that sets up ``special files'' such as
14983 @file{/bin/sh}; an instance of it is part of @code{%base-services}.
14985 The value associated with @code{special-files-service-type} services
14986 must be a list of tuples where the first element is the ``special file''
14987 and the second element is its target. By default it is:
14989 @cindex @file{/bin/sh}
14990 @cindex @file{sh}, in @file{/bin}
14992 `(("/bin/sh" ,(file-append bash "/bin/sh")))
14995 @cindex @file{/usr/bin/env}
14996 @cindex @file{env}, in @file{/usr/bin}
14997 If you want to add, say, @code{/usr/bin/env} to your system, you can
15001 `(("/bin/sh" ,(file-append bash "/bin/sh"))
15002 ("/usr/bin/env" ,(file-append coreutils "/bin/env")))
15005 Since this is part of @code{%base-services}, you can use
15006 @code{modify-services} to customize the set of special files
15007 (@pxref{Service Reference, @code{modify-services}}). But the simple way
15008 to add a special file is @i{via} the @code{extra-special-file} procedure
15012 @deffn {Scheme Procedure} extra-special-file @var{file} @var{target}
15013 Use @var{target} as the ``special file'' @var{file}.
15015 For example, adding the following lines to the @code{services} field of
15016 your operating system declaration leads to a @file{/usr/bin/env}
15020 (extra-special-file "/usr/bin/env"
15021 (file-append coreutils "/bin/env"))
15025 @deffn {Scheme Procedure} host-name-service @var{name}
15026 Return a service that sets the host name to @var{name}.
15029 @defvr {Scheme Variable} console-font-service-type
15030 Install the given fonts on the specified ttys (fonts are per
15031 virtual console on the kernel Linux). The value of this service is a list of
15032 tty/font pairs. The font can be the name of a font provided by the @code{kbd}
15033 package or any valid argument to @command{setfont}, as in this example:
15036 `(("tty1" . "LatGrkCyr-8x16")
15037 ("tty2" . ,(file-append
15039 "/share/kbd/consolefonts/TamzenForPowerline10x20.psf"))
15040 ("tty3" . ,(file-append
15042 "/share/consolefonts/ter-132n"))) ; for HDPI
15046 @deffn {Scheme Procedure} login-service @var{config}
15047 Return a service to run login according to @var{config}, a
15048 @code{<login-configuration>} object, which specifies the message of the day,
15049 among other things.
15052 @deftp {Data Type} login-configuration
15053 This is the data type representing the configuration of login.
15058 @cindex message of the day
15059 A file-like object containing the ``message of the day''.
15061 @item @code{allow-empty-passwords?} (default: @code{#t})
15062 Allow empty passwords by default so that first-time users can log in when
15063 the 'root' account has just been created.
15068 @deffn {Scheme Procedure} mingetty-service @var{config}
15069 Return a service to run mingetty according to @var{config}, a
15070 @code{<mingetty-configuration>} object, which specifies the tty to run, among
15074 @deftp {Data Type} mingetty-configuration
15075 This is the data type representing the configuration of Mingetty, which
15076 provides the default implementation of virtual console log-in.
15081 The name of the console this Mingetty runs on---e.g., @code{"tty1"}.
15083 @item @code{auto-login} (default: @code{#f})
15084 When true, this field must be a string denoting the user name under
15085 which the system automatically logs in. When it is @code{#f}, a
15086 user name and password must be entered to log in.
15088 @item @code{login-program} (default: @code{#f})
15089 This must be either @code{#f}, in which case the default log-in program
15090 is used (@command{login} from the Shadow tool suite), or a gexp denoting
15091 the name of the log-in program.
15093 @item @code{login-pause?} (default: @code{#f})
15094 When set to @code{#t} in conjunction with @var{auto-login}, the user
15095 will have to press a key before the log-in shell is launched.
15097 @item @code{clear-on-logout?} (default: @code{#t})
15098 When set to @code{#t}, the screen will be cleared after logout.
15100 @item @code{mingetty} (default: @var{mingetty})
15101 The Mingetty package to use.
15106 @deffn {Scheme Procedure} agetty-service @var{config}
15107 Return a service to run agetty according to @var{config}, an
15108 @code{<agetty-configuration>} object, which specifies the tty to run,
15109 among other things.
15112 @deftp {Data Type} agetty-configuration
15113 This is the data type representing the configuration of agetty, which
15114 implements virtual and serial console log-in. See the @code{agetty(8)}
15115 man page for more information.
15120 The name of the console this agetty runs on, as a string---e.g.,
15121 @code{"ttyS0"}. This argument is optional, it will default to
15122 a reasonable default serial port used by the kernel Linux.
15124 For this, if there is a value for an option @code{agetty.tty} in the kernel
15125 command line, agetty will extract the device name of the serial port
15126 from it and use that.
15128 If not and if there is a value for an option @code{console} with a tty in
15129 the Linux command line, agetty will extract the device name of the
15130 serial port from it and use that.
15132 In both cases, agetty will leave the other serial device settings
15133 (baud rate etc.)@: alone---in the hope that Linux pinned them to the
15136 @item @code{baud-rate} (default: @code{#f})
15137 A string containing a comma-separated list of one or more baud rates, in
15140 @item @code{term} (default: @code{#f})
15141 A string containing the value used for the @env{TERM} environment
15144 @item @code{eight-bits?} (default: @code{#f})
15145 When @code{#t}, the tty is assumed to be 8-bit clean, and parity detection is
15148 @item @code{auto-login} (default: @code{#f})
15149 When passed a login name, as a string, the specified user will be logged
15150 in automatically without prompting for their login name or password.
15152 @item @code{no-reset?} (default: @code{#f})
15153 When @code{#t}, don't reset terminal cflags (control modes).
15155 @item @code{host} (default: @code{#f})
15156 This accepts a string containing the ``login_host'', which will be written
15157 into the @file{/var/run/utmpx} file.
15159 @item @code{remote?} (default: @code{#f})
15160 When set to @code{#t} in conjunction with @var{host}, this will add an
15161 @code{-r} fakehost option to the command line of the login program
15162 specified in @var{login-program}.
15164 @item @code{flow-control?} (default: @code{#f})
15165 When set to @code{#t}, enable hardware (RTS/CTS) flow control.
15167 @item @code{no-issue?} (default: @code{#f})
15168 When set to @code{#t}, the contents of the @file{/etc/issue} file will
15169 not be displayed before presenting the login prompt.
15171 @item @code{init-string} (default: @code{#f})
15172 This accepts a string that will be sent to the tty or modem before
15173 sending anything else. It can be used to initialize a modem.
15175 @item @code{no-clear?} (default: @code{#f})
15176 When set to @code{#t}, agetty will not clear the screen before showing
15179 @item @code{login-program} (default: (file-append shadow "/bin/login"))
15180 This must be either a gexp denoting the name of a log-in program, or
15181 unset, in which case the default value is the @command{login} from the
15184 @item @code{local-line} (default: @code{#f})
15185 Control the CLOCAL line flag. This accepts one of three symbols as
15186 arguments, @code{'auto}, @code{'always}, or @code{'never}. If @code{#f},
15187 the default value chosen by agetty is @code{'auto}.
15189 @item @code{extract-baud?} (default: @code{#f})
15190 When set to @code{#t}, instruct agetty to try to extract the baud rate
15191 from the status messages produced by certain types of modems.
15193 @item @code{skip-login?} (default: @code{#f})
15194 When set to @code{#t}, do not prompt the user for a login name. This
15195 can be used with @var{login-program} field to use non-standard login
15198 @item @code{no-newline?} (default: @code{#f})
15199 When set to @code{#t}, do not print a newline before printing the
15200 @file{/etc/issue} file.
15202 @c Is this dangerous only when used with login-program, or always?
15203 @item @code{login-options} (default: @code{#f})
15204 This option accepts a string containing options that are passed to the
15205 login program. When used with the @var{login-program}, be aware that a
15206 malicious user could try to enter a login name containing embedded
15207 options that could be parsed by the login program.
15209 @item @code{login-pause} (default: @code{#f})
15210 When set to @code{#t}, wait for any key before showing the login prompt.
15211 This can be used in conjunction with @var{auto-login} to save memory by
15212 lazily spawning shells.
15214 @item @code{chroot} (default: @code{#f})
15215 Change root to the specified directory. This option accepts a directory
15218 @item @code{hangup?} (default: @code{#f})
15219 Use the Linux system call @code{vhangup} to do a virtual hangup of the
15220 specified terminal.
15222 @item @code{keep-baud?} (default: @code{#f})
15223 When set to @code{#t}, try to keep the existing baud rate. The baud
15224 rates from @var{baud-rate} are used when agetty receives a @key{BREAK}
15227 @item @code{timeout} (default: @code{#f})
15228 When set to an integer value, terminate if no user name could be read
15229 within @var{timeout} seconds.
15231 @item @code{detect-case?} (default: @code{#f})
15232 When set to @code{#t}, turn on support for detecting an uppercase-only
15233 terminal. This setting will detect a login name containing only
15234 uppercase letters as indicating an uppercase-only terminal and turn on
15235 some upper-to-lower case conversions. Note that this will not support
15236 Unicode characters.
15238 @item @code{wait-cr?} (default: @code{#f})
15239 When set to @code{#t}, wait for the user or modem to send a
15240 carriage-return or linefeed character before displaying
15241 @file{/etc/issue} or login prompt. This is typically used with the
15242 @var{init-string} option.
15244 @item @code{no-hints?} (default: @code{#f})
15245 When set to @code{#t}, do not print hints about Num, Caps, and Scroll
15248 @item @code{no-hostname?} (default: @code{#f})
15249 By default, the hostname is printed. When this option is set to
15250 @code{#t}, no hostname will be shown at all.
15252 @item @code{long-hostname?} (default: @code{#f})
15253 By default, the hostname is only printed until the first dot. When this
15254 option is set to @code{#t}, the fully qualified hostname by
15255 @code{gethostname} or @code{getaddrinfo} is shown.
15257 @item @code{erase-characters} (default: @code{#f})
15258 This option accepts a string of additional characters that should be
15259 interpreted as backspace when the user types their login name.
15261 @item @code{kill-characters} (default: @code{#f})
15262 This option accepts a string that should be interpreted to mean ``ignore
15263 all previous characters'' (also called a ``kill'' character) when the user
15264 types their login name.
15266 @item @code{chdir} (default: @code{#f})
15267 This option accepts, as a string, a directory path that will be changed
15270 @item @code{delay} (default: @code{#f})
15271 This options accepts, as an integer, the number of seconds to sleep
15272 before opening the tty and displaying the login prompt.
15274 @item @code{nice} (default: @code{#f})
15275 This option accepts, as an integer, the nice value with which to run the
15276 @command{login} program.
15278 @item @code{extra-options} (default: @code{'()})
15279 This option provides an ``escape hatch'' for the user to provide arbitrary
15280 command-line arguments to @command{agetty} as a list of strings.
15285 @deffn {Scheme Procedure} kmscon-service-type @var{config}
15286 Return a service to run @uref{https://www.freedesktop.org/wiki/Software/kmscon,kmscon}
15287 according to @var{config}, a @code{<kmscon-configuration>} object, which
15288 specifies the tty to run, among other things.
15291 @deftp {Data Type} kmscon-configuration
15292 This is the data type representing the configuration of Kmscon, which
15293 implements virtual console log-in.
15297 @item @code{virtual-terminal}
15298 The name of the console this Kmscon runs on---e.g., @code{"tty1"}.
15300 @item @code{login-program} (default: @code{#~(string-append #$shadow "/bin/login")})
15301 A gexp denoting the name of the log-in program. The default log-in program is
15302 @command{login} from the Shadow tool suite.
15304 @item @code{login-arguments} (default: @code{'("-p")})
15305 A list of arguments to pass to @command{login}.
15307 @item @code{auto-login} (default: @code{#f})
15308 When passed a login name, as a string, the specified user will be logged
15309 in automatically without prompting for their login name or password.
15311 @item @code{hardware-acceleration?} (default: #f)
15312 Whether to use hardware acceleration.
15314 @item @code{font-engine} (default: @code{"pango"})
15315 Font engine used in Kmscon.
15317 @item @code{font-size} (default: @code{12})
15318 Font size used in Kmscon.
15320 @item @code{keyboard-layout} (default: @code{#f})
15321 If this is @code{#f}, Kmscon uses the default keyboard layout---usually US
15322 English (``qwerty'') for a 105-key PC keyboard.
15324 Otherwise this must be a @code{keyboard-layout} object specifying the
15325 keyboard layout. @xref{Keyboard Layout}, for more information on how to
15326 specify the keyboard layout.
15328 @item @code{kmscon} (default: @var{kmscon})
15329 The Kmscon package to use.
15334 @cindex name service cache daemon
15336 @deffn {Scheme Procedure} nscd-service [@var{config}] [#:glibc glibc] @
15337 [#:name-services '()]
15338 Return a service that runs the libc name service cache daemon (nscd) with the
15339 given @var{config}---an @code{<nscd-configuration>} object. @xref{Name
15340 Service Switch}, for an example.
15342 For convenience, the Shepherd service for nscd provides the following actions:
15346 @cindex cache invalidation, nscd
15347 @cindex nscd, cache invalidation
15348 This invalidate the given cache. For instance, running:
15351 herd invalidate nscd hosts
15355 invalidates the host name lookup cache of nscd.
15358 Running @command{herd statistics nscd} displays information about nscd usage
15364 @defvr {Scheme Variable} %nscd-default-configuration
15365 This is the default @code{<nscd-configuration>} value (see below) used
15366 by @code{nscd-service}. It uses the caches defined by
15367 @code{%nscd-default-caches}; see below.
15370 @deftp {Data Type} nscd-configuration
15371 This is the data type representing the name service cache daemon (nscd)
15376 @item @code{name-services} (default: @code{'()})
15377 List of packages denoting @dfn{name services} that must be visible to
15378 the nscd---e.g., @code{(list @var{nss-mdns})}.
15380 @item @code{glibc} (default: @var{glibc})
15381 Package object denoting the GNU C Library providing the @command{nscd}
15384 @item @code{log-file} (default: @code{"/var/log/nscd.log"})
15385 Name of the nscd log file. This is where debugging output goes when
15386 @code{debug-level} is strictly positive.
15388 @item @code{debug-level} (default: @code{0})
15389 Integer denoting the debugging levels. Higher numbers mean that more
15390 debugging output is logged.
15392 @item @code{caches} (default: @code{%nscd-default-caches})
15393 List of @code{<nscd-cache>} objects denoting things to be cached; see
15399 @deftp {Data Type} nscd-cache
15400 Data type representing a cache database of nscd and its parameters.
15404 @item @code{database}
15405 This is a symbol representing the name of the database to be cached.
15406 Valid values are @code{passwd}, @code{group}, @code{hosts}, and
15407 @code{services}, which designate the corresponding NSS database
15408 (@pxref{NSS Basics,,, libc, The GNU C Library Reference Manual}).
15410 @item @code{positive-time-to-live}
15411 @itemx @code{negative-time-to-live} (default: @code{20})
15412 A number representing the number of seconds during which a positive or
15413 negative lookup result remains in cache.
15415 @item @code{check-files?} (default: @code{#t})
15416 Whether to check for updates of the files corresponding to
15419 For instance, when @var{database} is @code{hosts}, setting this flag
15420 instructs nscd to check for updates in @file{/etc/hosts} and to take
15423 @item @code{persistent?} (default: @code{#t})
15424 Whether the cache should be stored persistently on disk.
15426 @item @code{shared?} (default: @code{#t})
15427 Whether the cache should be shared among users.
15429 @item @code{max-database-size} (default: 32@tie{}MiB)
15430 Maximum size in bytes of the database cache.
15432 @c XXX: 'suggested-size' and 'auto-propagate?' seem to be expert
15433 @c settings, so leave them out.
15438 @defvr {Scheme Variable} %nscd-default-caches
15439 List of @code{<nscd-cache>} objects used by default by
15440 @code{nscd-configuration} (see above).
15442 It enables persistent and aggressive caching of service and host name
15443 lookups. The latter provides better host name lookup performance,
15444 resilience in the face of unreliable name servers, and also better
15445 privacy---often the result of host name lookups is in local cache, so
15446 external name servers do not even need to be queried.
15449 @anchor{syslog-configuration-type}
15452 @deftp {Data Type} syslog-configuration
15453 This data type represents the configuration of the syslog daemon.
15456 @item @code{syslogd} (default: @code{#~(string-append #$inetutils "/libexec/syslogd")})
15457 The syslog daemon to use.
15459 @item @code{config-file} (default: @code{%default-syslog.conf})
15460 The syslog configuration file to use.
15465 @anchor{syslog-service}
15467 @deffn {Scheme Procedure} syslog-service @var{config}
15468 Return a service that runs a syslog daemon according to @var{config}.
15470 @xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more
15471 information on the configuration file syntax.
15474 @defvr {Scheme Variable} guix-service-type
15475 This is the type of the service that runs the build daemon,
15476 @command{guix-daemon} (@pxref{Invoking guix-daemon}). Its value must be a
15477 @code{guix-configuration} record as described below.
15480 @anchor{guix-configuration-type}
15481 @deftp {Data Type} guix-configuration
15482 This data type represents the configuration of the Guix build daemon.
15483 @xref{Invoking guix-daemon}, for more information.
15486 @item @code{guix} (default: @var{guix})
15487 The Guix package to use.
15489 @item @code{build-group} (default: @code{"guixbuild"})
15490 Name of the group for build user accounts.
15492 @item @code{build-accounts} (default: @code{10})
15493 Number of build user accounts to create.
15495 @item @code{authorize-key?} (default: @code{#t})
15496 @cindex substitutes, authorization thereof
15497 Whether to authorize the substitute keys listed in
15498 @code{authorized-keys}---by default that of
15499 @code{@value{SUBSTITUTE-SERVER-1}} and
15500 @code{@value{SUBSTITUTE-SERVER-2}}
15501 (@pxref{Substitutes}).
15503 When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
15504 changed by invoking @command{guix archive --authorize}. You must
15505 instead adjust @code{guix-configuration} as you wish and reconfigure the
15506 system. This ensures that your operating system configuration file is
15510 When booting or reconfiguring to a system where @code{authorize-key?}
15511 is true, the existing @file{/etc/guix/acl} file is backed up as
15512 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
15513 file. This is to facilitate migration from earlier versions, which
15514 allowed for in-place modifications to @file{/etc/guix/acl}.
15517 @vindex %default-authorized-guix-keys
15518 @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
15519 The list of authorized key files for archive imports, as a list of
15520 string-valued gexps (@pxref{Invoking guix archive}). By default, it
15521 contains that of @code{@value{SUBSTITUTE-SERVER-1}} and
15522 @code{@value{SUBSTITUTE-SERVER-2}} (@pxref{Substitutes}). See
15523 @code{substitute-urls} below for an example on how to change it.
15525 @item @code{use-substitutes?} (default: @code{#t})
15526 Whether to use substitutes.
15528 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
15529 The list of URLs where to look for substitutes by default.
15531 Suppose you would like to fetch substitutes from @code{guix.example.org}
15532 in addition to @code{@value{SUBSTITUTE-SERVER-1}}. You will need to do
15533 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
15534 and (2) authorize its signing key, having done appropriate checks
15535 (@pxref{Substitute Server Authorization}). The configuration below does
15539 (guix-configuration
15541 (append (list "https://guix.example.org")
15542 %default-substitute-urls))
15544 (append (list (local-file "./guix.example.org-key.pub"))
15545 %default-authorized-guix-keys)))
15548 This example assumes that the file @file{./guix.example.org-key.pub}
15549 contains the public key that @code{guix.example.org} uses to sign
15552 @item @code{max-silent-time} (default: @code{0})
15553 @itemx @code{timeout} (default: @code{0})
15554 The number of seconds of silence and the number of seconds of activity,
15555 respectively, after which a build process times out. A value of zero
15556 disables the timeout.
15558 @item @code{log-compression} (default: @code{'bzip2})
15559 The type of compression used for build logs---one of @code{gzip},
15560 @code{bzip2}, or @code{none}.
15562 @item @code{discover?} (default: @code{#f})
15563 Whether to discover substitute servers on the local network using mDNS
15566 @item @code{extra-options} (default: @code{'()})
15567 List of extra command-line options for @command{guix-daemon}.
15569 @item @code{log-file} (default: @code{"/var/log/guix-daemon.log"})
15570 File where @command{guix-daemon}'s standard output and standard error
15573 @cindex HTTP proxy, for @code{guix-daemon}
15574 @cindex proxy, for @code{guix-daemon} HTTP access
15575 @item @code{http-proxy} (default: @code{#f})
15576 The URL of the HTTP and HTTPS proxy used for downloading fixed-output
15577 derivations and substitutes.
15579 It is also possible to change the daemon's proxy at run time through the
15580 @code{set-http-proxy} action, which restarts it:
15583 herd set-http-proxy guix-daemon http://localhost:8118
15586 To clear the proxy settings, run:
15589 herd set-http-proxy guix-daemon
15592 @item @code{tmpdir} (default: @code{#f})
15593 A directory path where the @command{guix-daemon} will perform builds.
15598 @deffn {Scheme Procedure} udev-service [#:udev @var{eudev} #:rules @code{'()}]
15599 Run @var{udev}, which populates the @file{/dev} directory dynamically.
15600 udev rules can be provided as a list of files through the @var{rules}
15601 variable. The procedures @code{udev-rule}, @code{udev-rules-service}
15602 and @code{file->udev-rule} from @code{(gnu services base)} simplify the
15603 creation of such rule files.
15605 The @command{herd rules udev} command, as root, returns the name of the
15606 directory containing all the active udev rules.
15609 @deffn {Scheme Procedure} udev-rule [@var{file-name} @var{contents}]
15610 Return a udev-rule file named @var{file-name} containing the rules
15611 defined by the @var{contents} literal.
15613 In the following example, a rule for a USB device is defined to be
15614 stored in the file @file{90-usb-thing.rules}. The rule runs a script
15615 upon detecting a USB device with a given product identifier.
15618 (define %example-udev-rule
15620 "90-usb-thing.rules"
15621 (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
15622 "ATTR@{product@}==\"Example\", "
15623 "RUN+=\"/path/to/script\"")))
15627 @deffn {Scheme Procedure} udev-rules-service [@var{name} @var{rules}] @
15628 [#:groups @var{groups}]
15629 Return a service that extends @code{udev-service-type } with @var{rules}
15630 and @code{account-service-type} with @var{groups} as system groups.
15631 This works by creating a singleton service type
15632 @code{@var{name}-udev-rules}, of which the returned service is an
15635 Here we show how it can be used to extend @code{udev-service-type} with the
15636 previously defined rule @code{%example-udev-rule}.
15642 (cons (udev-rules-service 'usb-thing %example-udev-rule)
15643 %desktop-services)))
15647 @deffn {Scheme Procedure} file->udev-rule [@var{file-name} @var{file}]
15648 Return a udev file named @var{file-name} containing the rules defined
15649 within @var{file}, a file-like object.
15651 The following example showcases how we can use an existing rule file.
15654 (use-modules (guix download) ;for url-fetch
15655 (guix packages) ;for origin
15658 (define %android-udev-rules
15660 "51-android-udev.rules"
15661 (let ((version "20170910"))
15664 (uri (string-append "https://raw.githubusercontent.com/M0Rf30/"
15665 "android-udev-rules/" version "/51-android.rules"))
15667 (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))
15671 Additionally, Guix package definitions can be included in @var{rules} in
15672 order to extend the udev rules with the definitions found under their
15673 @file{lib/udev/rules.d} sub-directory. In lieu of the previous
15674 @var{file->udev-rule} example, we could have used the
15675 @var{android-udev-rules} package which exists in Guix in the @code{(gnu
15676 packages android)} module.
15678 The following example shows how to use the @var{android-udev-rules}
15679 package so that the Android tool @command{adb} can detect devices
15680 without root privileges. It also details how to create the
15681 @code{adbusers} group, which is required for the proper functioning of
15682 the rules defined within the @code{android-udev-rules} package. To
15683 create such a group, we must define it both as part of the
15684 @code{supplementary-groups} of our @code{user-account} declaration, as
15685 well as in the @var{groups} of the @code{udev-rules-service} procedure.
15688 (use-modules (gnu packages android) ;for android-udev-rules
15689 (gnu system shadow) ;for user-group
15694 (users (cons (user-account
15696 (supplementary-groups
15697 '("adbusers" ;for adb
15698 "wheel" "netdev" "audio" "video")))))
15701 (cons (udev-rules-service 'android android-udev-rules
15702 #:groups '("adbusers"))
15703 %desktop-services)))
15706 @defvr {Scheme Variable} urandom-seed-service-type
15707 Save some entropy in @code{%random-seed-file} to seed @file{/dev/urandom}
15708 when rebooting. It also tries to seed @file{/dev/urandom} from
15709 @file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
15713 @defvr {Scheme Variable} %random-seed-file
15714 This is the name of the file where some random bytes are saved by
15715 @var{urandom-seed-service} to seed @file{/dev/urandom} when rebooting.
15716 It defaults to @file{/var/lib/random-seed}.
15721 @defvr {Scheme Variable} gpm-service-type
15722 This is the type of the service that runs GPM, the @dfn{general-purpose
15723 mouse daemon}, which provides mouse support to the Linux console. GPM
15724 allows users to use the mouse in the console, notably to select, copy,
15727 The value for services of this type must be a @code{gpm-configuration}
15728 (see below). This service is not part of @code{%base-services}.
15731 @deftp {Data Type} gpm-configuration
15732 Data type representing the configuration of GPM.
15735 @item @code{options} (default: @code{%default-gpm-options})
15736 Command-line options passed to @command{gpm}. The default set of
15737 options instruct @command{gpm} to listen to mouse events on
15738 @file{/dev/input/mice}. @xref{Command Line,,, gpm, gpm manual}, for
15741 @item @code{gpm} (default: @code{gpm})
15742 The GPM package to use.
15747 @anchor{guix-publish-service-type}
15748 @deffn {Scheme Variable} guix-publish-service-type
15749 This is the service type for @command{guix publish} (@pxref{Invoking
15750 guix publish}). Its value must be a @code{guix-publish-configuration}
15751 object, as described below.
15753 This assumes that @file{/etc/guix} already contains a signing key pair as
15754 created by @command{guix archive --generate-key} (@pxref{Invoking guix
15755 archive}). If that is not the case, the service will fail to start.
15758 @deftp {Data Type} guix-publish-configuration
15759 Data type representing the configuration of the @code{guix publish}
15763 @item @code{guix} (default: @code{guix})
15764 The Guix package to use.
15766 @item @code{port} (default: @code{80})
15767 The TCP port to listen for connections.
15769 @item @code{host} (default: @code{"localhost"})
15770 The host (and thus, network interface) to listen to. Use
15771 @code{"0.0.0.0"} to listen on all the network interfaces.
15773 @item @code{advertise?} (default: @code{#f})
15774 When true, advertise the service on the local network @i{via} the DNS-SD
15775 protocol, using Avahi.
15777 This allows neighboring Guix devices with discovery on (see
15778 @code{guix-configuration} above) to discover this @command{guix publish}
15779 instance and to automatically download substitutes from it.
15781 @item @code{compression} (default: @code{'(("gzip" 3) ("zstd" 3))})
15782 This is a list of compression method/level tuple used when compressing
15783 substitutes. For example, to compress all substitutes with @emph{both} lzip
15784 at level 7 and gzip at level 9, write:
15787 '(("lzip" 7) ("gzip" 9))
15790 Level 9 achieves the best compression ratio at the expense of increased CPU
15791 usage, whereas level 1 achieves fast compression. @xref{Invoking guix
15792 publish}, for more information on the available compression methods and
15793 the tradeoffs involved.
15795 An empty list disables compression altogether.
15797 @item @code{nar-path} (default: @code{"nar"})
15798 The URL path at which ``nars'' can be fetched. @xref{Invoking guix
15799 publish, @option{--nar-path}}, for details.
15801 @item @code{cache} (default: @code{#f})
15802 When it is @code{#f}, disable caching and instead generate archives on
15803 demand. Otherwise, this should be the name of a directory---e.g.,
15804 @code{"/var/cache/guix/publish"}---where @command{guix publish} caches
15805 archives and meta-data ready to be sent. @xref{Invoking guix publish,
15806 @option{--cache}}, for more information on the tradeoffs involved.
15808 @item @code{workers} (default: @code{#f})
15809 When it is an integer, this is the number of worker threads used for
15810 caching; when @code{#f}, the number of processors is used.
15811 @xref{Invoking guix publish, @option{--workers}}, for more information.
15813 @item @code{cache-bypass-threshold} (default: 10 MiB)
15814 When @code{cache} is true, this is the maximum size in bytes of a store
15815 item for which @command{guix publish} may bypass its cache in case of a
15816 cache miss. @xref{Invoking guix publish,
15817 @option{--cache-bypass-threshold}}, for more information.
15819 @item @code{ttl} (default: @code{#f})
15820 When it is an integer, this denotes the @dfn{time-to-live} in seconds
15821 of the published archives. @xref{Invoking guix publish, @option{--ttl}},
15822 for more information.
15826 @anchor{rngd-service}
15827 @deffn {Scheme Procedure} rngd-service [#:rng-tools @var{rng-tools}] @
15828 [#:device "/dev/hwrng"]
15829 Return a service that runs the @command{rngd} program from @var{rng-tools}
15830 to add @var{device} to the kernel's entropy pool. The service will fail if
15831 @var{device} does not exist.
15834 @anchor{pam-limits-service}
15835 @cindex session limits
15841 @cindex open file descriptors
15842 @deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}]
15844 Return a service that installs a configuration file for the
15845 @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html,
15846 @code{pam_limits} module}. The procedure optionally takes a list of
15847 @code{pam-limits-entry} values, which can be used to specify
15848 @code{ulimit} limits and @code{nice} priority limits to user sessions.
15850 The following limits definition sets two hard and soft limits for all
15851 login sessions of users in the @code{realtime} group:
15854 (pam-limits-service
15856 (pam-limits-entry "@@realtime" 'both 'rtprio 99)
15857 (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
15860 The first entry increases the maximum realtime priority for
15861 non-privileged processes; the second entry lifts any restriction of the
15862 maximum address space that can be locked in memory. These settings are
15863 commonly used for real-time audio systems.
15865 Another useful example is raising the maximum number of open file
15866 descriptors that can be used:
15869 (pam-limits-service
15871 (pam-limits-entry "*" 'both 'nofile 100000)))
15874 In the above example, the asterisk means the limit should apply to any
15875 user. It is important to ensure the chosen value doesn't exceed the
15876 maximum system value visible in the @file{/proc/sys/fs/file-max} file,
15877 else the users would be prevented from login in. For more information
15878 about the Pluggable Authentication Module (PAM) limits, refer to the
15879 @samp{pam_limits} man page from the @code{linux-pam} package.
15882 @node Scheduled Job Execution
15883 @subsection Scheduled Job Execution
15887 @cindex scheduling jobs
15888 The @code{(gnu services mcron)} module provides an interface to
15889 GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,,
15890 mcron, GNU@tie{}mcron}). GNU@tie{}mcron is similar to the traditional
15891 Unix @command{cron} daemon; the main difference is that it is
15892 implemented in Guile Scheme, which provides a lot of flexibility when
15893 specifying the scheduling of jobs and their actions.
15895 The example below defines an operating system that runs the
15896 @command{updatedb} (@pxref{Invoking updatedb,,, find, Finding Files})
15897 and the @command{guix gc} commands (@pxref{Invoking guix gc}) daily, as
15898 well as the @command{mkid} command on behalf of an unprivileged user
15899 (@pxref{mkid invocation,,, idutils, ID Database Utilities}). It uses
15900 gexps to introduce job definitions that are passed to mcron
15901 (@pxref{G-Expressions}).
15904 (use-modules (guix) (gnu) (gnu services mcron))
15905 (use-package-modules base idutils)
15907 (define updatedb-job
15908 ;; Run 'updatedb' at 3AM every day. Here we write the
15909 ;; job's action as a Scheme procedure.
15910 #~(job '(next-hour '(3))
15912 (execl (string-append #$findutils "/bin/updatedb")
15914 "--prunepaths=/tmp /var/tmp /gnu/store"))))
15916 (define garbage-collector-job
15917 ;; Collect garbage 5 minutes after midnight every day.
15918 ;; The job's action is a shell command.
15919 #~(job "5 0 * * *" ;Vixie cron syntax
15922 (define idutils-job
15923 ;; Update the index database as user "charlie" at 12:15PM
15924 ;; and 19:15PM. This runs from the user's home directory.
15925 #~(job '(next-minute-from (next-hour '(12 19)) '(15))
15926 (string-append #$idutils "/bin/mkid src")
15932 ;; %BASE-SERVICES already includes an instance of
15933 ;; 'mcron-service-type', which we extend with additional
15934 ;; jobs using 'simple-service'.
15935 (services (cons (simple-service 'my-cron-jobs
15937 (list garbage-collector-job
15943 For more complex jobs defined in Scheme where you need control over the top
15944 level, for instance to introduce a @code{use-modules} form, you can move your
15945 code to a separate program using the @code{program-file} procedure of the
15946 @code{(guix gexp)} module (@pxref{G-Expressions}). The example below
15950 (define %battery-alert-job
15951 ;; Beep when the battery percentage falls below %MIN-LEVEL.
15953 '(next-minute (range 0 60 1))
15955 "battery-alert.scm"
15956 (with-imported-modules (source-module-closure
15957 '((guix build utils)))
15959 (use-modules (guix build utils)
15962 (ice-9 textual-ports)
15965 (define %min-level 20)
15967 (setenv "LC_ALL" "C") ;ensure English output
15968 (and-let* ((input-pipe (open-pipe*
15970 #$(file-append acpi "/bin/acpi")))
15971 (output (get-string-all input-pipe))
15972 (m (string-match "Discharging, ([0-9]+)%" output))
15973 (level (string->number (match:substring m 1)))
15974 ((< level %min-level)))
15975 (format #t "warning: Battery level is low (~a%)~%" level)
15976 (invoke #$(file-append beep "/bin/beep") "-r5")))))))
15979 @xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron},
15980 for more information on mcron job specifications. Below is the
15981 reference of the mcron service.
15983 On a running system, you can use the @code{schedule} action of the service to
15984 visualize the mcron jobs that will be executed next:
15987 # herd schedule mcron
15991 The example above lists the next five tasks that will be executed, but you can
15992 also specify the number of tasks to display:
15995 # herd schedule mcron 10
15998 @defvr {Scheme Variable} mcron-service-type
15999 This is the type of the @code{mcron} service, whose value is an
16000 @code{mcron-configuration} object.
16002 This service type can be the target of a service extension that provides
16003 it additional job specifications (@pxref{Service Composition}). In
16004 other words, it is possible to define services that provide additional
16008 @deftp {Data Type} mcron-configuration
16009 Data type representing the configuration of mcron.
16012 @item @code{mcron} (default: @var{mcron})
16013 The mcron package to use.
16016 This is a list of gexps (@pxref{G-Expressions}), where each gexp
16017 corresponds to an mcron job specification (@pxref{Syntax, mcron job
16018 specifications,, mcron, GNU@tie{}mcron}).
16024 @subsection Log Rotation
16027 @cindex log rotation
16029 Log files such as those found in @file{/var/log} tend to grow endlessly,
16030 so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
16031 their contents in separate files, possibly compressed. The @code{(gnu
16032 services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
16033 log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).
16035 This service is part of @code{%base-services}, and thus enabled by
16036 default, with the default settings, for commonly encountered log files.
16037 The example below shows how to extend it with an additional
16038 @dfn{rotation}, should you need to do that (usually, services that
16039 produce log files already take care of that):
16042 (use-modules (guix) (gnu))
16043 (use-service-modules admin)
16045 (define my-log-files
16046 ;; Log files that I want to rotate.
16047 '("/var/log/something.log" "/var/log/another.log"))
16051 (services (cons (simple-service 'rotate-my-stuff
16052 rottlog-service-type
16053 (list (log-rotation
16055 (files my-log-files))))
16059 @defvr {Scheme Variable} rottlog-service-type
16060 This is the type of the Rottlog service, whose value is a
16061 @code{rottlog-configuration} object.
16063 Other services can extend this one with new @code{log-rotation} objects
16064 (see below), thereby augmenting the set of files to be rotated.
16066 This service type can define mcron jobs (@pxref{Scheduled Job
16067 Execution}) to run the rottlog service.
16070 @deftp {Data Type} rottlog-configuration
16071 Data type representing the configuration of rottlog.
16074 @item @code{rottlog} (default: @code{rottlog})
16075 The Rottlog package to use.
16077 @item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
16078 The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
16079 rottlog, GNU Rot[t]log Manual}).
16081 @item @code{rotations} (default: @code{%default-rotations})
16082 A list of @code{log-rotation} objects as defined below.
16085 This is a list of gexps where each gexp corresponds to an mcron job
16086 specification (@pxref{Scheduled Job Execution}).
16090 @deftp {Data Type} log-rotation
16091 Data type representing the rotation of a group of log files.
16093 Taking an example from the Rottlog manual (@pxref{Period Related File
16094 Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be
16100 (files '("/var/log/apache/*"))
16101 (options '("storedir apache-archives"
16107 The list of fields is as follows:
16110 @item @code{frequency} (default: @code{'weekly})
16111 The log rotation frequency, a symbol.
16114 The list of files or file glob patterns to rotate.
16116 @item @code{options} (default: @code{'()})
16117 The list of rottlog options for this rotation (@pxref{Configuration
16118 parameters,,, rottlog, GNU Rot[t]lg Manual}).
16120 @item @code{post-rotate} (default: @code{#f})
16121 Either @code{#f} or a gexp to execute once the rotation has completed.
16125 @defvr {Scheme Variable} %default-rotations
16126 Specifies weekly rotation of @code{%rotated-files} and of
16127 @file{/var/log/guix-daemon.log}.
16130 @defvr {Scheme Variable} %rotated-files
16131 The list of syslog-controlled files to be rotated. By default it is:
16132 @code{'("/var/log/messages" "/var/log/secure" "/var/log/debug" \
16133 "/var/log/maillog")}.
16136 @node Networking Services
16137 @subsection Networking Services
16139 The @code{(gnu services networking)} module provides services to configure
16140 the network interface.
16142 @cindex DHCP, networking service
16143 @defvr {Scheme Variable} dhcp-client-service-type
16144 This is the type of services that run @var{dhcp}, a Dynamic Host Configuration
16145 Protocol (DHCP) client, on all the non-loopback network interfaces. Its value
16146 is the DHCP client package to use, @code{isc-dhcp} by default.
16149 @deffn {Scheme Procedure} dhcpd-service-type
16150 This type defines a service that runs a DHCP daemon. To create a
16151 service of this type, you must supply a @code{<dhcpd-configuration>}.
16155 (service dhcpd-service-type
16156 (dhcpd-configuration
16157 (config-file (local-file "my-dhcpd.conf"))
16158 (interfaces '("enp0s25"))))
16162 @deftp {Data Type} dhcpd-configuration
16164 @item @code{package} (default: @code{isc-dhcp})
16165 The package that provides the DHCP daemon. This package is expected to
16166 provide the daemon at @file{sbin/dhcpd} relative to its output
16167 directory. The default package is the
16168 @uref{https://www.isc.org/products/DHCP, ISC's DHCP server}.
16169 @item @code{config-file} (default: @code{#f})
16170 The configuration file to use. This is required. It will be passed to
16171 @code{dhcpd} via its @code{-cf} option. This may be any ``file-like''
16172 object (@pxref{G-Expressions, file-like objects}). See @code{man
16173 dhcpd.conf} for details on the configuration file syntax.
16174 @item @code{version} (default: @code{"4"})
16175 The DHCP version to use. The ISC DHCP server supports the values ``4'',
16176 ``6'', and ``4o6''. These correspond to the @code{dhcpd} program
16177 options @code{-4}, @code{-6}, and @code{-4o6}. See @code{man dhcpd} for
16179 @item @code{run-directory} (default: @code{"/run/dhcpd"})
16180 The run directory to use. At service activation time, this directory
16181 will be created if it does not exist.
16182 @item @code{pid-file} (default: @code{"/run/dhcpd/dhcpd.pid"})
16183 The PID file to use. This corresponds to the @code{-pf} option of
16184 @code{dhcpd}. See @code{man dhcpd} for details.
16185 @item @code{interfaces} (default: @code{'()})
16186 The names of the network interfaces on which dhcpd should listen for
16187 broadcasts. If this list is not empty, then its elements (which must be
16188 strings) will be appended to the @code{dhcpd} invocation when starting
16189 the daemon. It may not be necessary to explicitly specify any
16190 interfaces here; see @code{man dhcpd} for details.
16194 @defvr {Scheme Variable} static-networking-service-type
16195 This is the type for statically-configured network interfaces.
16196 @c TODO Document <static-networking> data structures.
16199 @deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @
16200 [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] @
16201 [#:requirement @code{'(udev)}]
16202 Return a service that starts @var{interface} with address @var{ip}. If
16203 @var{netmask} is true, use it as the network mask. If @var{gateway} is true,
16204 it must be a string specifying the default network gateway. @var{requirement}
16205 can be used to declare a dependency on another service before configuring the
16208 This procedure can be called several times, one for each network
16209 interface of interest. Behind the scenes what it does is extend
16210 @code{static-networking-service-type} with additional network interfaces
16216 (static-networking-service "eno1" "192.168.1.82"
16217 #:gateway "192.168.1.2"
16218 #:name-servers '("192.168.1.2"))
16225 @cindex network management
16226 @deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
16227 Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
16228 management daemon that aims to simplify wired and wireless networking.
16230 This service adds the @var{wicd} package to the global profile, providing
16231 several commands to interact with the daemon and configure networking:
16232 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
16233 and @command{wicd-curses} user interfaces.
16236 @cindex ModemManager
16238 @defvr {Scheme Variable} modem-manager-service-type
16239 This is the service type for the
16240 @uref{https://wiki.gnome.org/Projects/ModemManager, ModemManager}
16241 service. The value for this service type is a
16242 @code{modem-manager-configuration} record.
16244 This service is part of @code{%desktop-services} (@pxref{Desktop
16248 @deftp {Data Type} modem-manager-configuration
16249 Data type representing the configuration of ModemManager.
16252 @item @code{modem-manager} (default: @code{modem-manager})
16253 The ModemManager package to use.
16258 @cindex USB_ModeSwitch
16259 @cindex Modeswitching
16261 @defvr {Scheme Variable} usb-modeswitch-service-type
16262 This is the service type for the
16263 @uref{https://www.draisberghof.de/usb_modeswitch/, USB_ModeSwitch}
16264 service. The value for this service type is
16265 a @code{usb-modeswitch-configuration} record.
16267 When plugged in, some USB modems (and other USB devices) initially present
16268 themselves as a read-only storage medium and not as a modem. They need to be
16269 @dfn{modeswitched} before they are usable. The USB_ModeSwitch service type
16270 installs udev rules to automatically modeswitch these devices when they are
16273 This service is part of @code{%desktop-services} (@pxref{Desktop
16277 @deftp {Data Type} usb-modeswitch-configuration
16278 Data type representing the configuration of USB_ModeSwitch.
16281 @item @code{usb-modeswitch} (default: @code{usb-modeswitch})
16282 The USB_ModeSwitch package providing the binaries for modeswitching.
16284 @item @code{usb-modeswitch-data} (default: @code{usb-modeswitch-data})
16285 The package providing the device data and udev rules file used by
16288 @item @code{config-file} (default: @code{#~(string-append #$usb-modeswitch:dispatcher "/etc/usb_modeswitch.conf")})
16289 Which config file to use for the USB_ModeSwitch dispatcher. By default the
16290 config file shipped with USB_ModeSwitch is used which disables logging to
16291 @file{/var/log} among other default settings. If set to @code{#f}, no config
16297 @cindex NetworkManager
16299 @defvr {Scheme Variable} network-manager-service-type
16300 This is the service type for the
16301 @uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager}
16302 service. The value for this service type is a
16303 @code{network-manager-configuration} record.
16305 This service is part of @code{%desktop-services} (@pxref{Desktop
16309 @deftp {Data Type} network-manager-configuration
16310 Data type representing the configuration of NetworkManager.
16313 @item @code{network-manager} (default: @code{network-manager})
16314 The NetworkManager package to use.
16316 @item @code{dns} (default: @code{"default"})
16317 Processing mode for DNS, which affects how NetworkManager uses the
16318 @code{resolv.conf} configuration file.
16322 NetworkManager will update @code{resolv.conf} to reflect the nameservers
16323 provided by currently active connections.
16326 NetworkManager will run @code{dnsmasq} as a local caching nameserver, using a
16327 @dfn{conditional forwarding} configuration if you are connected to a VPN, and
16328 then update @code{resolv.conf} to point to the local nameserver.
16330 With this setting, you can share your network connection. For example when
16331 you want to share your network connection to another laptop @i{via} an
16332 Ethernet cable, you can open @command{nm-connection-editor} and configure the
16333 Wired connection's method for IPv4 and IPv6 to be ``Shared to other computers''
16334 and reestablish the connection (or reboot).
16336 You can also set up a @dfn{host-to-guest connection} to QEMU VMs
16337 (@pxref{Installing Guix in a VM}). With a host-to-guest connection, you can
16338 e.g.@: access a Web server running on the VM (@pxref{Web Services}) from a Web
16339 browser on your host system, or connect to the VM @i{via} SSH
16340 (@pxref{Networking Services, @code{openssh-service-type}}). To set up a
16341 host-to-guest connection, run this command once:
16344 nmcli connection add type tun \
16345 connection.interface-name tap0 \
16346 tun.mode tap tun.owner $(id -u) \
16347 ipv4.method shared \
16348 ipv4.addresses 172.28.112.1/24
16351 Then each time you launch your QEMU VM (@pxref{Running Guix in a VM}), pass
16352 @option{-nic tap,ifname=tap0,script=no,downscript=no} to
16353 @command{qemu-system-...}.
16356 NetworkManager will not modify @code{resolv.conf}.
16359 @item @code{vpn-plugins} (default: @code{'()})
16360 This is the list of available plugins for virtual private networks
16361 (VPNs). An example of this is the @code{network-manager-openvpn}
16362 package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.
16368 @deffn {Scheme Variable} connman-service-type
16369 This is the service type to run @url{https://01.org/connman,Connman},
16370 a network connection manager.
16372 Its value must be an
16373 @code{connman-configuration} record as in this example:
16376 (service connman-service-type
16377 (connman-configuration
16378 (disable-vpn? #t)))
16381 See below for details about @code{connman-configuration}.
16384 @deftp {Data Type} connman-configuration
16385 Data Type representing the configuration of connman.
16388 @item @code{connman} (default: @var{connman})
16389 The connman package to use.
16391 @item @code{disable-vpn?} (default: @code{#f})
16392 When true, disable connman's vpn plugin.
16396 @cindex WPA Supplicant
16397 @defvr {Scheme Variable} wpa-supplicant-service-type
16398 This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
16399 supplicant}, an authentication daemon required to authenticate against
16400 encrypted WiFi or ethernet networks.
16403 @deftp {Data Type} wpa-supplicant-configuration
16404 Data type representing the configuration of WPA Supplicant.
16406 It takes the following parameters:
16409 @item @code{wpa-supplicant} (default: @code{wpa-supplicant})
16410 The WPA Supplicant package to use.
16412 @item @code{requirement} (default: @code{'(user-processes loopback syslogd)}
16413 List of services that should be started before WPA Supplicant starts.
16415 @item @code{dbus?} (default: @code{#t})
16416 Whether to listen for requests on D-Bus.
16418 @item @code{pid-file} (default: @code{"/var/run/wpa_supplicant.pid"})
16419 Where to store the PID file.
16421 @item @code{interface} (default: @code{#f})
16422 If this is set, it must specify the name of a network interface that
16423 WPA supplicant will control.
16425 @item @code{config-file} (default: @code{#f})
16426 Optional configuration file to use.
16428 @item @code{extra-options} (default: @code{'()})
16429 List of additional command-line arguments to pass to the daemon.
16433 @cindex hostapd service, for Wi-Fi access points
16434 @cindex Wi-Fi access points, hostapd service
16435 @defvr {Scheme Variable} hostapd-service-type
16436 This is the service type to run the @uref{https://w1.fi/hostapd/,
16437 hostapd} daemon to set up WiFi (IEEE 802.11) access points and
16438 authentication servers. Its associated value must be a
16439 @code{hostapd-configuration} as shown below:
16442 ;; Use wlan1 to run the access point for "My Network".
16443 (service hostapd-service-type
16444 (hostapd-configuration
16445 (interface "wlan1")
16446 (ssid "My Network")
16451 @deftp {Data Type} hostapd-configuration
16452 This data type represents the configuration of the hostapd service, with
16453 the following fields:
16456 @item @code{package} (default: @code{hostapd})
16457 The hostapd package to use.
16459 @item @code{interface} (default: @code{"wlan0"})
16460 The network interface to run the WiFi access point.
16463 The SSID (@dfn{service set identifier}), a string that identifies this
16466 @item @code{broadcast-ssid?} (default: @code{#t})
16467 Whether to broadcast this SSID.
16469 @item @code{channel} (default: @code{1})
16470 The WiFi channel to use.
16472 @item @code{driver} (default: @code{"nl80211"})
16473 The driver interface type. @code{"nl80211"} is used with all Linux
16474 mac80211 drivers. Use @code{"none"} if building hostapd as a standalone
16475 RADIUS server that does # not control any wireless/wired driver.
16477 @item @code{extra-settings} (default: @code{""})
16478 Extra settings to append as-is to the hostapd configuration file. See
16479 @uref{https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf} for the
16480 configuration file reference.
16484 @defvr {Scheme Variable} simulated-wifi-service-type
16485 This is the type of a service to simulate WiFi networking, which can be
16486 useful in virtual machines for testing purposes. The service loads the
16488 @uref{https://www.kernel.org/doc/html/latest/networking/mac80211_hwsim/mac80211_hwsim.html,
16489 @code{mac80211_hwsim} module} and starts hostapd to create a pseudo WiFi
16490 network that can be seen on @code{wlan0}, by default.
16492 The service's value is a @code{hostapd-configuration} record.
16496 @defvr {Scheme Variable} iptables-service-type
16497 This is the service type to set up an iptables configuration. iptables is a
16498 packet filtering framework supported by the Linux kernel. This service
16499 supports configuring iptables for both IPv4 and IPv6. A simple example
16500 configuration rejecting all incoming connections except those to the ssh port
16504 (service iptables-service-type
16505 (iptables-configuration
16506 (ipv4-rules (plain-file "iptables.rules" "*filter
16510 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
16511 -A INPUT -p tcp --dport 22 -j ACCEPT
16512 -A INPUT -j REJECT --reject-with icmp-port-unreachable
16515 (ipv6-rules (plain-file "ip6tables.rules" "*filter
16519 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
16520 -A INPUT -p tcp --dport 22 -j ACCEPT
16521 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
16527 @deftp {Data Type} iptables-configuration
16528 The data type representing the configuration of iptables.
16531 @item @code{iptables} (default: @code{iptables})
16532 The iptables package that provides @code{iptables-restore} and
16533 @code{ip6tables-restore}.
16534 @item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules})
16535 The iptables rules to use. It will be passed to @code{iptables-restore}.
16536 This may be any ``file-like'' object (@pxref{G-Expressions, file-like
16538 @item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules})
16539 The ip6tables rules to use. It will be passed to @code{ip6tables-restore}.
16540 This may be any ``file-like'' object (@pxref{G-Expressions, file-like
16546 @defvr {Scheme Variable} nftables-service-type
16547 This is the service type to set up a nftables configuration. nftables is a
16548 netfilter project that aims to replace the existing iptables, ip6tables,
16549 arptables and ebtables framework. It provides a new packet filtering
16550 framework, a new user-space utility @command{nft}, and a compatibility layer
16551 for iptables. This service comes with a default ruleset
16552 @code{%default-nftables-ruleset} that rejecting all incoming connections
16553 except those to the ssh port 22. To use it, simply write:
16556 (service nftables-service-type)
16560 @deftp {Data Type} nftables-configuration
16561 The data type representing the configuration of nftables.
16564 @item @code{package} (default: @code{nftables})
16565 The nftables package that provides @command{nft}.
16566 @item @code{ruleset} (default: @code{%default-nftables-ruleset})
16567 The nftables ruleset to use. This may be any ``file-like'' object
16568 (@pxref{G-Expressions, file-like objects}).
16572 @cindex NTP (Network Time Protocol), service
16573 @cindex ntpd, service for the Network Time Protocol daemon
16574 @cindex real time clock
16575 @defvr {Scheme Variable} ntp-service-type
16576 This is the type of the service running the @uref{https://www.ntp.org,
16577 Network Time Protocol (NTP)} daemon, @command{ntpd}. The daemon will keep the
16578 system clock synchronized with that of the specified NTP servers.
16580 The value of this service is an @code{ntpd-configuration} object, as described
16584 @deftp {Data Type} ntp-configuration
16585 This is the data type for the NTP service configuration.
16588 @item @code{servers} (default: @code{%ntp-servers})
16589 This is the list of servers (@code{<ntp-server>} records) with which
16590 @command{ntpd} will be synchronized. See the @code{ntp-server} data type
16593 @item @code{allow-large-adjustment?} (default: @code{#t})
16594 This determines whether @command{ntpd} is allowed to make an initial
16595 adjustment of more than 1,000 seconds.
16597 @item @code{ntp} (default: @code{ntp})
16598 The NTP package to use.
16602 @defvr {Scheme Variable} %ntp-servers
16603 List of host names used as the default NTP servers. These are servers of the
16604 @uref{https://www.ntppool.org/en/, NTP Pool Project}.
16607 @deftp {Data Type} ntp-server
16608 The data type representing the configuration of a NTP server.
16611 @item @code{type} (default: @code{'server})
16612 The type of the NTP server, given as a symbol. One of @code{'pool},
16613 @code{'server}, @code{'peer}, @code{'broadcast} or @code{'manycastclient}.
16615 @item @code{address}
16616 The address of the server, as a string.
16618 @item @code{options}
16619 NTPD options to use with that specific server, given as a list of option names
16620 and/or of option names and values tuples. The following example define a server
16621 to use with the options @option{iburst} and @option{prefer}, as well as
16622 @option{version} 3 and a @option{maxpoll} time of 16 seconds.
16627 (address "some.ntp.server.org")
16628 (options `(iburst (version 3) (maxpoll 16) prefer))))
16634 @deffn {Scheme Procedure} openntpd-service-type
16635 Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as implemented
16636 by @uref{http://www.openntpd.org, OpenNTPD}. The daemon will keep the system
16637 clock synchronized with that of the given servers.
16641 openntpd-service-type
16642 (openntpd-configuration
16643 (listen-on '("127.0.0.1" "::1"))
16644 (sensor '("udcf0 correction 70000"))
16645 (constraint-from '("www.gnu.org"))
16646 (constraints-from '("https://www.google.com/"))))
16651 @defvr {Scheme Variable} %openntpd-servers
16652 This variable is a list of the server addresses defined in
16653 @code{%ntp-servers}.
16656 @deftp {Data Type} openntpd-configuration
16658 @item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")})
16659 The openntpd executable to use.
16660 @item @code{listen-on} (default: @code{'("127.0.0.1" "::1")})
16661 A list of local IP addresses or hostnames the ntpd daemon should listen on.
16662 @item @code{query-from} (default: @code{'()})
16663 A list of local IP address the ntpd daemon should use for outgoing queries.
16664 @item @code{sensor} (default: @code{'()})
16665 Specify a list of timedelta sensor devices ntpd should use. @code{ntpd}
16666 will listen to each sensor that actually exists and ignore non-existent ones.
16667 See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for more
16669 @item @code{server} (default: @code{'()})
16670 Specify a list of IP addresses or hostnames of NTP servers to synchronize to.
16671 @item @code{servers} (default: @code{%openntp-servers})
16672 Specify a list of IP addresses or hostnames of NTP pools to synchronize to.
16673 @item @code{constraint-from} (default: @code{'()})
16674 @code{ntpd} can be configured to query the ‘Date’ from trusted HTTPS servers via TLS.
16675 This time information is not used for precision but acts as an authenticated
16676 constraint, thereby reducing the impact of unauthenticated NTP
16677 man-in-the-middle attacks.
16678 Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide
16680 @item @code{constraints-from} (default: @code{'()})
16681 As with constraint from, specify a list of URLs, IP addresses or hostnames of
16682 HTTPS servers to provide a constraint. Should the hostname resolve to multiple
16683 IP addresses, @code{ntpd} will calculate a median constraint from all of them.
16688 @deffn {Scheme variable} inetd-service-type
16689 This service runs the @command{inetd} (@pxref{inetd invocation,,,
16690 inetutils, GNU Inetutils}) daemon. @command{inetd} listens for
16691 connections on internet sockets, and lazily starts the specified server
16692 program when a connection is made on one of these sockets.
16694 The value of this service is an @code{inetd-configuration} object. The
16695 following example configures the @command{inetd} daemon to provide the
16696 built-in @command{echo} service, as well as an smtp service which
16697 forwards smtp traffic over ssh to a server @code{smtp-server} behind a
16698 gateway @code{hostname}:
16703 (inetd-configuration
16707 (socket-type 'stream)
16714 (socket-type 'stream)
16718 (program (file-append openssh "/bin/ssh"))
16720 '("ssh" "-qT" "-i" "/path/to/ssh_key"
16721 "-W" "smtp-server:25" "user@@hostname")))))))
16724 See below for more details about @code{inetd-configuration}.
16727 @deftp {Data Type} inetd-configuration
16728 Data type representing the configuration of @command{inetd}.
16731 @item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")})
16732 The @command{inetd} executable to use.
16734 @item @code{entries} (default: @code{'()})
16735 A list of @command{inetd} service entries. Each entry should be created
16736 by the @code{inetd-entry} constructor.
16740 @deftp {Data Type} inetd-entry
16741 Data type representing an entry in the @command{inetd} configuration.
16742 Each entry corresponds to a socket where @command{inetd} will listen for
16746 @item @code{node} (default: @code{#f})
16747 Optional string, a comma-separated list of local addresses
16748 @command{inetd} should use when listening for this service.
16749 @xref{Configuration file,,, inetutils, GNU Inetutils} for a complete
16750 description of all options.
16752 A string, the name must correspond to an entry in @code{/etc/services}.
16753 @item @code{socket-type}
16754 One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or
16756 @item @code{protocol}
16757 A string, must correspond to an entry in @code{/etc/protocols}.
16758 @item @code{wait?} (default: @code{#t})
16759 Whether @command{inetd} should wait for the server to exit before
16760 listening to new service requests.
16762 A string containing the user (and, optionally, group) name of the user
16763 as whom the server should run. The group name can be specified in a
16764 suffix, separated by a colon or period, i.e.@: @code{"user"},
16765 @code{"user:group"} or @code{"user.group"}.
16766 @item @code{program} (default: @code{"internal"})
16767 The server program which will serve the requests, or @code{"internal"}
16768 if @command{inetd} should use a built-in service.
16769 @item @code{arguments} (default: @code{'()})
16770 A list strings or file-like objects, which are the server program's
16771 arguments, starting with the zeroth argument, i.e.@: the name of the
16772 program itself. For @command{inetd}'s internal services, this entry
16773 must be @code{'()} or @code{'("internal")}.
16776 @xref{Configuration file,,, inetutils, GNU Inetutils} for a more
16777 detailed discussion of each configuration field.
16780 @cindex opendht, distributed hash table network service
16781 @cindex dhtproxy, for use with jami
16782 @defvr {Scheme Variable} opendht-service-type
16783 This is the type of the service running a @uref{https://opendht.net,
16784 OpenDHT} node, @command{dhtnode}. The daemon can be used to host your
16785 own proxy service to the distributed hash table (DHT), for example to
16786 connect to with Jami, among other applications.
16788 @quotation Important
16789 When using the OpenDHT proxy server, the IP addresses it ``sees'' from
16790 the clients should be addresses reachable from other peers. In practice
16791 this means that a publicly reachable address is best suited for a proxy
16792 server, outside of your private network. For example, hosting the proxy
16793 server on a IPv4 private local network and exposing it via port
16794 forwarding could work for external peers, but peers local to the proxy
16795 would have their private addresses shared with the external peers,
16796 leading to connectivity problems.
16799 The value of this service is a @code{opendht-configuration} object, as
16803 @deftp {Data Type} opendht-configuration
16804 This is the data type for the OpenDHT service configuration.
16806 @c The fields documentation has been auto-generated using the
16807 @c configuration->documentation procedure from
16808 @c (gnu services configuration).
16809 Available @code{opendht-configuration} fields are:
16811 @deftypevr {@code{opendht-configuration} parameter} package opendht
16812 The @code{opendht} package to use.
16816 @deftypevr {@code{opendht-configuration} parameter} boolean peer-discovery?
16817 Whether to enable the multicast local peer discovery mechanism.
16819 Defaults to @samp{#f}.
16823 @deftypevr {@code{opendht-configuration} parameter} boolean enable-logging?
16824 Whether to enable logging messages to syslog. It is disabled by default
16825 as it is rather verbose.
16827 Defaults to @samp{#f}.
16831 @deftypevr {@code{opendht-configuration} parameter} boolean debug?
16832 Whether to enable debug-level logging messages. This has no effect if
16833 logging is disabled.
16835 Defaults to @samp{#f}.
16839 @deftypevr {@code{opendht-configuration} parameter} maybe-string bootstrap-host
16840 The node host name that is used to make the first connection to the
16841 network. A specific port value can be provided by appending the
16842 @code{:PORT} suffix. By default, it uses the Jami bootstrap nodes, but
16843 any host can be specified here. It's also possible to disable
16844 bootsrapping by setting this to the @code{'disabled} symbol.
16846 Defaults to @samp{"bootstrap.jami.net:4222"}.
16850 @deftypevr {@code{opendht-configuration} parameter} maybe-number port
16851 The UDP port to bind to. When set to @code{'disabled}, an available
16852 port is automatically selected.
16854 Defaults to @samp{4222}.
16858 @deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port
16859 Spawn a proxy server listening on the specified port.
16861 Defaults to @samp{disabled}.
16865 @deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port-tls
16866 Spawn a proxy server listening to TLS connections on the specified port.
16868 Defaults to @samp{disabled}.
16874 @defvr {Scheme Variable} tor-service-type
16875 This is the type for a service that runs the @uref{https://torproject.org,
16876 Tor} anonymous networking daemon. The service is configured using a
16877 @code{<tor-configuration>} record. By default, the Tor daemon runs as the
16878 @code{tor} unprivileged user, which is a member of the @code{tor} group.
16882 @deftp {Data Type} tor-configuration
16884 @item @code{tor} (default: @code{tor})
16885 The package that provides the Tor daemon. This package is expected to provide
16886 the daemon at @file{bin/tor} relative to its output directory. The default
16887 package is the @uref{https://www.torproject.org, Tor Project's}
16890 @item @code{config-file} (default: @code{(plain-file "empty" "")})
16891 The configuration file to use. It will be appended to a default configuration
16892 file, and the final configuration file will be passed to @code{tor} via its
16893 @code{-f} option. This may be any ``file-like'' object (@pxref{G-Expressions,
16894 file-like objects}). See @code{man tor} for details on the configuration file
16897 @item @code{hidden-services} (default: @code{'()})
16898 The list of @code{<hidden-service>} records to use. For any hidden service
16899 you include in this list, appropriate configuration to enable the hidden
16900 service will be automatically added to the default configuration file. You
16901 may conveniently create @code{<hidden-service>} records using the
16902 @code{tor-hidden-service} procedure described below.
16904 @item @code{socks-socket-type} (default: @code{'tcp})
16905 The default socket type that Tor should use for its SOCKS socket. This must
16906 be either @code{'tcp} or @code{'unix}. If it is @code{'tcp}, then by default
16907 Tor will listen on TCP port 9050 on the loopback interface (i.e., localhost).
16908 If it is @code{'unix}, then Tor will listen on the UNIX domain socket
16909 @file{/var/run/tor/socks-sock}, which will be made writable by members of the
16912 If you want to customize the SOCKS socket in more detail, leave
16913 @code{socks-socket-type} at its default value of @code{'tcp} and use
16914 @code{config-file} to override the default by providing your own
16915 @code{SocksPort} option.
16917 @item @code{control-socket?} (default: @code{#f})
16918 Whether or not to provide a ``control socket'' by which Tor can be
16919 controlled to, for instance, dynamically instantiate tor onion services.
16920 If @code{#t}, Tor will listen for control commands on the UNIX domain socket
16921 @file{/var/run/tor/control-sock}, which will be made writable by members of the
16927 @cindex hidden service
16928 @deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping}
16929 Define a new Tor @dfn{hidden service} called @var{name} and implementing
16930 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
16933 '((22 "127.0.0.1:22")
16934 (80 "127.0.0.1:8080"))
16937 In this example, port 22 of the hidden service is mapped to local port 22, and
16938 port 80 is mapped to local port 8080.
16940 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
16941 the @file{hostname} file contains the @code{.onion} host name for the hidden
16944 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
16945 project's documentation} for more information.
16948 The @code{(gnu services rsync)} module provides the following services:
16950 You might want an rsync daemon if you have files that you want available
16951 so anyone (or just yourself) can download existing files or upload new
16954 @deffn {Scheme Variable} rsync-service-type
16955 This is the service type for the @uref{https://rsync.samba.org, rsync} daemon,
16956 The value for this service type is a
16957 @command{rsync-configuration} record as in this example:
16960 (service rsync-service-type)
16963 See below for details about @code{rsync-configuration}.
16966 @deftp {Data Type} rsync-configuration
16967 Data type representing the configuration for @code{rsync-service}.
16970 @item @code{package} (default: @var{rsync})
16971 @code{rsync} package to use.
16973 @item @code{port-number} (default: @code{873})
16974 TCP port on which @command{rsync} listens for incoming connections. If port
16975 is less than @code{1024} @command{rsync} needs to be started as the
16976 @code{root} user and group.
16978 @item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"})
16979 Name of the file where @command{rsync} writes its PID.
16981 @item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"})
16982 Name of the file where @command{rsync} writes its lock file.
16984 @item @code{log-file} (default: @code{"/var/log/rsyncd.log"})
16985 Name of the file where @command{rsync} writes its log file.
16987 @item @code{use-chroot?} (default: @var{#t})
16988 Whether to use chroot for @command{rsync} shared directory.
16990 @item @code{share-path} (default: @file{/srv/rsync})
16991 Location of the @command{rsync} shared directory.
16993 @item @code{share-comment} (default: @code{"Rsync share"})
16994 Comment of the @command{rsync} shared directory.
16996 @item @code{read-only?} (default: @var{#f})
16997 Read-write permissions to shared directory.
16999 @item @code{timeout} (default: @code{300})
17000 I/O timeout in seconds.
17002 @item @code{user} (default: @var{"root"})
17003 Owner of the @code{rsync} process.
17005 @item @code{group} (default: @var{"root"})
17006 Group of the @code{rsync} process.
17008 @item @code{uid} (default: @var{"rsyncd"})
17009 User name or user ID that file transfers to and from that module should take
17010 place as when the daemon was run as @code{root}.
17012 @item @code{gid} (default: @var{"rsyncd"})
17013 Group name or group ID that will be used when accessing the module.
17018 The @code{(gnu services syncthing)} module provides the following services:
17021 You might want a syncthing daemon if you have files between two or more
17022 computers and want to sync them in real time, safely protected from
17025 @deffn {Scheme Variable} syncthing-service-type
17026 This is the service type for the @uref{https://syncthing.net/,
17027 syncthing} daemon, The value for this service type is a
17028 @command{syncthing-configuration} record as in this example:
17031 (service syncthing-service-type
17032 (syncthing-configuration (user "alice")))
17035 See below for details about @code{syncthing-configuration}.
17037 @deftp {Data Type} syncthing-configuration
17038 Data type representing the configuration for @code{syncthing-service-type}.
17041 @item @code{syncthing} (default: @var{syncthing})
17042 @code{syncthing} package to use.
17044 @item @code{arguments} (default: @var{'()})
17045 List of command-line arguments passing to @code{syncthing} binary.
17047 @item @code{logflags} (default: @var{0})
17048 Sum of logging flags, see
17049 @uref{https://docs.syncthing.net/users/syncthing.html#cmdoption-logflags, Syncthing documentation logflags}.
17051 @item @code{user} (default: @var{#f})
17052 The user as which the Syncthing service is to be run.
17053 This assumes that the specified user exists.
17055 @item @code{group} (default: @var{"users"})
17056 The group as which the Syncthing service is to be run.
17057 This assumes that the specified group exists.
17059 @item @code{home} (default: @var{#f})
17060 Common configuration and data directory. The default configuration
17061 directory is @file{$HOME} of the specified Syncthing @code{user}.
17067 Furthermore, @code{(gnu services ssh)} provides the following services.
17071 @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
17072 [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
17073 [#:allow-empty-passwords? #f] [#:root-login? #f] @
17074 [#:syslog-output? #t] [#:x11-forwarding? #t] @
17075 [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @
17076 [#:public-key-authentication? #t] [#:initialize? #t]
17077 Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
17078 @var{host-key} must designate a file containing the host key, and readable
17081 When @var{daemonic?} is true, @command{lshd} will detach from the
17082 controlling terminal and log its output to syslogd, unless one sets
17083 @var{syslog-output?} to false. Obviously, it also makes lsh-service
17084 depend on existence of syslogd service. When @var{pid-file?} is true,
17085 @command{lshd} writes its PID to the file called @var{pid-file}.
17087 When @var{initialize?} is true, automatically create the seed and host key
17088 upon service activation if they do not exist yet. This may take long and
17089 require interaction.
17091 When @var{initialize?} is false, it is up to the user to initialize the
17092 randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
17093 a key pair with the private key stored in file @var{host-key} (@pxref{lshd
17094 basics,,, lsh, LSH Manual}).
17096 When @var{interfaces} is empty, lshd listens for connections on all the
17097 network interfaces; otherwise, @var{interfaces} must be a list of host names
17100 @var{allow-empty-passwords?} specifies whether to accept log-ins with empty
17101 passwords, and @var{root-login?} specifies whether to accept log-ins as
17104 The other options should be self-descriptive.
17109 @deffn {Scheme Variable} openssh-service-type
17110 This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
17111 shell daemon, @command{sshd}. Its value must be an
17112 @code{openssh-configuration} record as in this example:
17115 (service openssh-service-type
17116 (openssh-configuration
17117 (x11-forwarding? #t)
17118 (permit-root-login 'prohibit-password)
17120 `(("alice" ,(local-file "alice.pub"))
17121 ("bob" ,(local-file "bob.pub"))))))
17124 See below for details about @code{openssh-configuration}.
17126 This service can be extended with extra authorized keys, as in this
17130 (service-extension openssh-service-type
17131 (const `(("charlie"
17132 ,(local-file "charlie.pub")))))
17136 @deftp {Data Type} openssh-configuration
17137 This is the configuration record for OpenSSH's @command{sshd}.
17140 @item @code{openssh} (default @var{openssh})
17141 The Openssh package to use.
17143 @item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
17144 Name of the file where @command{sshd} writes its PID.
17146 @item @code{port-number} (default: @code{22})
17147 TCP port on which @command{sshd} listens for incoming connections.
17149 @item @code{permit-root-login} (default: @code{#f})
17150 This field determines whether and when to allow logins as root. If
17151 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
17152 If it's the symbol @code{'prohibit-password}, then root logins are
17153 permitted but not with password-based authentication.
17155 @item @code{allow-empty-passwords?} (default: @code{#f})
17156 When true, users with empty passwords may log in. When false, they may
17159 @item @code{password-authentication?} (default: @code{#t})
17160 When true, users may log in with their password. When false, they have
17161 other authentication methods.
17163 @item @code{public-key-authentication?} (default: @code{#t})
17164 When true, users may log in using public key authentication. When
17165 false, users have to use other authentication method.
17167 Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
17168 This is used only by protocol version 2.
17170 @item @code{x11-forwarding?} (default: @code{#f})
17171 When true, forwarding of X11 graphical client connections is
17172 enabled---in other words, @command{ssh} options @option{-X} and
17173 @option{-Y} will work.
17175 @item @code{allow-agent-forwarding?} (default: @code{#t})
17176 Whether to allow agent forwarding.
17178 @item @code{allow-tcp-forwarding?} (default: @code{#t})
17179 Whether to allow TCP forwarding.
17181 @item @code{gateway-ports?} (default: @code{#f})
17182 Whether to allow gateway ports.
17184 @item @code{challenge-response-authentication?} (default: @code{#f})
17185 Specifies whether challenge response authentication is allowed (e.g.@: via
17188 @item @code{use-pam?} (default: @code{#t})
17189 Enables the Pluggable Authentication Module interface. If set to
17190 @code{#t}, this will enable PAM authentication using
17191 @code{challenge-response-authentication?} and
17192 @code{password-authentication?}, in addition to PAM account and session
17193 module processing for all authentication types.
17195 Because PAM challenge response authentication usually serves an
17196 equivalent role to password authentication, you should disable either
17197 @code{challenge-response-authentication?} or
17198 @code{password-authentication?}.
17200 @item @code{print-last-log?} (default: @code{#t})
17201 Specifies whether @command{sshd} should print the date and time of the
17202 last user login when a user logs in interactively.
17204 @item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
17205 Configures external subsystems (e.g.@: file transfer daemon).
17207 This is a list of two-element lists, each of which containing the
17208 subsystem name and a command (with optional arguments) to execute upon
17211 The command @command{internal-sftp} implements an in-process SFTP
17212 server. Alternatively, one can specify the @command{sftp-server} command:
17214 (service openssh-service-type
17215 (openssh-configuration
17217 `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
17220 @item @code{accepted-environment} (default: @code{'()})
17221 List of strings describing which environment variables may be exported.
17223 Each string gets on its own line. See the @code{AcceptEnv} option in
17224 @code{man sshd_config}.
17226 This example allows ssh-clients to export the @env{COLORTERM} variable.
17227 It is set by terminal emulators, which support colors. You can use it in
17228 your shell's resource file to enable colors for the prompt and commands
17229 if this variable is set.
17232 (service openssh-service-type
17233 (openssh-configuration
17234 (accepted-environment '("COLORTERM"))))
17237 @item @code{authorized-keys} (default: @code{'()})
17238 @cindex authorized keys, SSH
17239 @cindex SSH authorized keys
17240 This is the list of authorized keys. Each element of the list is a user
17241 name followed by one or more file-like objects that represent SSH public
17245 (openssh-configuration
17247 `(("rekado" ,(local-file "rekado.pub"))
17248 ("chris" ,(local-file "chris.pub"))
17249 ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
17253 registers the specified public keys for user accounts @code{rekado},
17254 @code{chris}, and @code{root}.
17256 Additional authorized keys can be specified @i{via}
17257 @code{service-extension}.
17259 Note that this does @emph{not} interfere with the use of
17260 @file{~/.ssh/authorized_keys}.
17262 @item @code{log-level} (default: @code{'info})
17263 This is a symbol specifying the logging level: @code{quiet}, @code{fatal},
17264 @code{error}, @code{info}, @code{verbose}, @code{debug}, etc. See the man
17265 page for @file{sshd_config} for the full list of level names.
17267 @item @code{extra-content} (default: @code{""})
17268 This field can be used to append arbitrary text to the configuration file. It
17269 is especially useful for elaborate configurations that cannot be expressed
17270 otherwise. This configuration, for example, would generally disable root
17271 logins, but permit them from one specific IP address:
17274 (openssh-configuration
17276 Match Address 192.168.0.1
17277 PermitRootLogin yes"))
17283 @deffn {Scheme Procedure} dropbear-service [@var{config}]
17284 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
17285 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
17288 For example, to specify a Dropbear service listening on port 1234, add
17289 this call to the operating system's @code{services} field:
17292 (dropbear-service (dropbear-configuration
17293 (port-number 1234)))
17297 @deftp {Data Type} dropbear-configuration
17298 This data type represents the configuration of a Dropbear SSH daemon.
17301 @item @code{dropbear} (default: @var{dropbear})
17302 The Dropbear package to use.
17304 @item @code{port-number} (default: 22)
17305 The TCP port where the daemon waits for incoming connections.
17307 @item @code{syslog-output?} (default: @code{#t})
17308 Whether to enable syslog output.
17310 @item @code{pid-file} (default: @code{"/var/run/dropbear.pid"})
17311 File name of the daemon's PID file.
17313 @item @code{root-login?} (default: @code{#f})
17314 Whether to allow @code{root} logins.
17316 @item @code{allow-empty-passwords?} (default: @code{#f})
17317 Whether to allow empty passwords.
17319 @item @code{password-authentication?} (default: @code{#t})
17320 Whether to enable password-based authentication.
17325 @deffn {Scheme Variable} autossh-service-type
17326 This is the type for the @uref{https://www.harding.motd.ca/autossh,
17327 AutoSSH} program that runs a copy of @command{ssh} and monitors it,
17328 restarting it as necessary should it die or stop passing traffic.
17329 AutoSSH can be run manually from the command-line by passing arguments
17330 to the binary @command{autossh} from the package @code{autossh}, but it
17331 can also be run as a Guix service. This latter use case is documented
17334 AutoSSH can be used to forward local traffic to a remote machine using
17335 an SSH tunnel, and it respects the @file{~/.ssh/config} of the user it
17338 For example, to specify a service running autossh as the user
17339 @code{pino} and forwarding all local connections to port @code{8081} to
17340 @code{remote:8081} using an SSH tunnel, add this call to the operating
17341 system's @code{services} field:
17344 (service autossh-service-type
17345 (autossh-configuration
17347 (ssh-options (list "-T" "-N" "-L" "8081:localhost:8081" "remote.net"))))
17351 @deftp {Data Type} autossh-configuration
17352 This data type represents the configuration of an AutoSSH service.
17356 @item @code{user} (default @code{"autossh"})
17357 The user as which the AutoSSH service is to be run.
17358 This assumes that the specified user exists.
17360 @item @code{poll} (default @code{600})
17361 Specifies the connection poll time in seconds.
17363 @item @code{first-poll} (default @code{#f})
17364 Specifies how many seconds AutoSSH waits before the first connection
17365 test. After this first test, polling is resumed at the pace defined in
17366 @code{poll}. When set to @code{#f}, the first poll is not treated
17367 specially and will also use the connection poll specified in
17370 @item @code{gate-time} (default @code{30})
17371 Specifies how many seconds an SSH connection must be active before it is
17372 considered successful.
17374 @item @code{log-level} (default @code{1})
17375 The log level, corresponding to the levels used by syslog---so @code{0}
17376 is the most silent while @code{7} is the chattiest.
17378 @item @code{max-start} (default @code{#f})
17379 The maximum number of times SSH may be (re)started before AutoSSH exits.
17380 When set to @code{#f}, no maximum is configured and AutoSSH may restart indefinitely.
17382 @item @code{message} (default @code{""})
17383 The message to append to the echo message sent when testing connections.
17385 @item @code{port} (default @code{"0"})
17386 The ports used for monitoring the connection. When set to @code{"0"},
17387 monitoring is disabled. When set to @code{"@var{n}"} where @var{n} is
17388 a positive integer, ports @var{n} and @var{n}+1 are used for
17389 monitoring the connection, such that port @var{n} is the base
17390 monitoring port and @code{n+1} is the echo port. When set to
17391 @code{"@var{n}:@var{m}"} where @var{n} and @var{m} are positive
17392 integers, the ports @var{n} and @var{m} are used for monitoring the
17393 connection, such that port @var{n} is the base monitoring port and
17394 @var{m} is the echo port.
17396 @item @code{ssh-options} (default @code{'()})
17397 The list of command-line arguments to pass to @command{ssh} when it is
17398 run. Options @option{-f} and @option{-M} are reserved for AutoSSH and
17399 may cause undefined behaviour.
17405 @deffn {Scheme Variable} webssh-service-type
17406 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
17407 program that runs a web SSH client. WebSSH can be run manually from the
17408 command-line by passing arguments to the binary @command{wssh} from the
17409 package @code{webssh}, but it can also be run as a Guix service. This
17410 latter use case is documented here.
17412 For example, to specify a service running WebSSH on loopback interface
17413 on port @code{8888} with reject policy with a list of allowed to
17414 connection hosts, and NGINX as a reverse-proxy to this service listening
17415 for HTTPS connection, add this call to the operating system's
17416 @code{services} field:
17419 (service webssh-service-type
17420 (webssh-configuration (address "127.0.0.1")
17423 (known-hosts '("localhost ecdsa-sha2-nistp256 AAAA…"
17424 "127.0.0.1 ecdsa-sha2-nistp256 AAAA…"))))
17426 (service nginx-service-type
17427 (nginx-configuration
17430 (nginx-server-configuration
17431 (inherit %webssh-configuration-nginx)
17432 (server-name '("webssh.example.com"))
17433 (listen '("443 ssl"))
17434 (ssl-certificate (letsencrypt-certificate "webssh.example.com"))
17435 (ssl-certificate-key (letsencrypt-key "webssh.example.com"))
17437 (cons (nginx-location-configuration
17438 (uri "/.well-known")
17439 (body '("root /var/www;")))
17440 (nginx-server-configuration-locations %webssh-configuration-nginx))))))))
17444 @deftp {Data Type} webssh-configuration
17445 Data type representing the configuration for @code{webssh-service}.
17448 @item @code{package} (default: @var{webssh})
17449 @code{webssh} package to use.
17451 @item @code{user-name} (default: @var{"webssh"})
17452 User name or user ID that file transfers to and from that module should take
17455 @item @code{group-name} (default: @var{"webssh"})
17456 Group name or group ID that will be used when accessing the module.
17458 @item @code{address} (default: @var{#f})
17459 IP address on which @command{webssh} listens for incoming connections.
17461 @item @code{port} (default: @var{8888})
17462 TCP port on which @command{webssh} listens for incoming connections.
17464 @item @code{policy} (default: @var{#f})
17465 Connection policy. @var{reject} policy requires to specify @var{known-hosts}.
17467 @item @code{known-hosts} (default: @var{'()})
17468 List of hosts which allowed for SSH connection from @command{webssh}.
17470 @item @code{log-file} (default: @file{"/var/log/webssh.log"})
17471 Name of the file where @command{webssh} writes its log file.
17473 @item @code{log-level} (default: @var{#f})
17479 @defvr {Scheme Variable} %facebook-host-aliases
17480 This variable contains a string for use in @file{/etc/hosts}
17481 (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each
17482 line contains a entry that maps a known server name of the Facebook
17483 on-line service---e.g., @code{www.facebook.com}---to the local
17484 host---@code{127.0.0.1} or its IPv6 equivalent, @code{::1}.
17486 This variable is typically used in the @code{hosts-file} field of an
17487 @code{operating-system} declaration (@pxref{operating-system Reference,
17488 @file{/etc/hosts}}):
17491 (use-modules (gnu) (guix))
17494 (host-name "mymachine")
17497 ;; Create a /etc/hosts file with aliases for "localhost"
17498 ;; and "mymachine", as well as for Facebook servers.
17499 (plain-file "hosts"
17500 (string-append (local-host-aliases host-name)
17501 %facebook-host-aliases))))
17504 This mechanism can prevent programs running locally, such as Web
17505 browsers, from accessing Facebook.
17508 The @code{(gnu services avahi)} provides the following definition.
17510 @defvr {Scheme Variable} avahi-service-type
17511 This is the service that runs @command{avahi-daemon}, a system-wide
17512 mDNS/DNS-SD responder that allows for service discovery and
17513 ``zero-configuration'' host name lookups (see @uref{https://avahi.org/}).
17514 Its value must be an @code{avahi-configuration} record---see below.
17516 This service extends the name service cache daemon (nscd) so that it can
17517 resolve @code{.local} host names using
17518 @uref{https://0pointer.de/lennart/projects/nss-mdns/, nss-mdns}. @xref{Name
17519 Service Switch}, for information on host name resolution.
17521 Additionally, add the @var{avahi} package to the system profile so that
17522 commands such as @command{avahi-browse} are directly usable.
17525 @deftp {Data Type} avahi-configuration
17526 Data type representation the configuration for Avahi.
17530 @item @code{host-name} (default: @code{#f})
17531 If different from @code{#f}, use that as the host name to
17532 publish for this machine; otherwise, use the machine's actual host name.
17534 @item @code{publish?} (default: @code{#t})
17535 When true, allow host names and services to be published (broadcast) over the
17538 @item @code{publish-workstation?} (default: @code{#t})
17539 When true, @command{avahi-daemon} publishes the machine's host name and IP
17540 address via mDNS on the local network. To view the host names published on
17541 your local network, you can run:
17544 avahi-browse _workstation._tcp
17547 @item @code{wide-area?} (default: @code{#f})
17548 When true, DNS-SD over unicast DNS is enabled.
17550 @item @code{ipv4?} (default: @code{#t})
17551 @itemx @code{ipv6?} (default: @code{#t})
17552 These fields determine whether to use IPv4/IPv6 sockets.
17554 @item @code{domains-to-browse} (default: @code{'()})
17555 This is a list of domains to browse.
17559 @deffn {Scheme Variable} openvswitch-service-type
17560 This is the type of the @uref{https://www.openvswitch.org, Open vSwitch}
17561 service, whose value should be an @code{openvswitch-configuration}
17565 @deftp {Data Type} openvswitch-configuration
17566 Data type representing the configuration of Open vSwitch, a multilayer
17567 virtual switch which is designed to enable massive network automation
17568 through programmatic extension.
17571 @item @code{package} (default: @var{openvswitch})
17572 Package object of the Open vSwitch.
17577 @defvr {Scheme Variable} pagekite-service-type
17578 This is the service type for the @uref{https://pagekite.net, PageKite} service,
17579 a tunneling solution for making localhost servers publicly visible, even from
17580 behind restrictive firewalls or NAT without forwarded ports. The value for
17581 this service type is a @code{pagekite-configuration} record.
17583 Here's an example exposing the local HTTP and SSH daemons:
17586 (service pagekite-service-type
17587 (pagekite-configuration
17588 (kites '("http:@@kitename:localhost:80:@@kitesecret"
17589 "raw/22:@@kitename:localhost:22:@@kitesecret"))
17590 (extra-file "/etc/pagekite.rc")))
17594 @deftp {Data Type} pagekite-configuration
17595 Data type representing the configuration of PageKite.
17598 @item @code{package} (default: @var{pagekite})
17599 Package object of PageKite.
17601 @item @code{kitename} (default: @code{#f})
17602 PageKite name for authenticating to the frontend server.
17604 @item @code{kitesecret} (default: @code{#f})
17605 Shared secret for authenticating to the frontend server. You should probably
17606 put this inside @code{extra-file} instead.
17608 @item @code{frontend} (default: @code{#f})
17609 Connect to the named PageKite frontend server instead of the
17610 @uref{https://pagekite.net,,pagekite.net} service.
17612 @item @code{kites} (default: @code{'("http:@@kitename:localhost:80:@@kitesecret")})
17613 List of service kites to use. Exposes HTTP on port 80 by default. The format
17614 is @code{proto:kitename:host:port:secret}.
17616 @item @code{extra-file} (default: @code{#f})
17617 Extra configuration file to read, which you are expected to create manually.
17618 Use this to add additional options and manage shared secrets out-of-band.
17623 @defvr {Scheme Variable} yggdrasil-service-type
17624 The service type for connecting to the @uref{https://yggdrasil-network.github.io/,
17625 Yggdrasil network}, an early-stage implementation of a fully end-to-end
17626 encrypted IPv6 network.
17629 Yggdrasil provides name-independent routing with cryptographically generated
17630 addresses. Static addressing means you can keep the same address as long as
17631 you want, even if you move to a new location, or generate a new address (by
17632 generating new keys) whenever you want.
17633 @uref{https://yggdrasil-network.github.io/2018/07/28/addressing.html}
17636 Pass it a value of @code{yggdrasil-configuration} to connect it to public
17637 peers and/or local peers.
17639 Here is an example using public peers and a static address. The static
17640 signing and encryption keys are defined in @file{/etc/yggdrasil-private.conf}
17641 (the default value for @code{config-file}).
17644 ;; part of the operating-system declaration
17645 (service yggdrasil-service-type
17646 (yggdrasil-configuration
17647 (autoconf? #f) ;; use only the public peers
17650 ;; https://github.com/yggdrasil-network/public-peers
17651 '((peers . #("tcp://1.2.3.4:1337"))))
17652 ;; /etc/yggdrasil-private.conf is the default value for config-file
17656 # sample content for /etc/yggdrasil-private.conf
17658 # Your public encryption key. Your peers may ask you for this to put
17659 # into their AllowedEncryptionPublicKeys configuration.
17660 EncryptionPublicKey: 378dc5...
17662 # Your private encryption key. DO NOT share this with anyone!
17663 EncryptionPrivateKey: 0777...
17665 # Your public signing key. You should not ordinarily need to share
17666 # this with anyone.
17667 SigningPublicKey: e1664...
17669 # Your private signing key. DO NOT share this with anyone!
17670 SigningPrivateKey: 0589d...
17675 @deftp {Data Type} yggdrasil-configuration
17676 Data type representing the configuration of Yggdrasil.
17679 @item @code{package} (default: @code{yggdrasil})
17680 Package object of Yggdrasil.
17682 @item @code{json-config} (default: @code{'()})
17683 Contents of @file{/etc/yggdrasil.conf}. Will be merged with
17684 @file{/etc/yggdrasil-private.conf}. Note that these settings are stored in
17685 the Guix store, which is readable to all users. @strong{Do not store your
17686 private keys in it}. See the output of @code{yggdrasil -genconf} for a
17687 quick overview of valid keys and their default values.
17689 @item @code{autoconf?} (default: @code{#f})
17690 Whether to use automatic mode. Enabling it makes Yggdrasil use adynamic IP
17691 and peer with IPv6 neighbors.
17693 @item @code{log-level} (default: @code{'info})
17694 How much detail to include in logs. Use @code{'debug} for more detail.
17696 @item @code{log-to} (default: @code{'stdout})
17697 Where to send logs. By default, the service logs standard output to
17698 @file{/var/log/yggdrasil.log}. The alternative is @code{'syslog}, which
17699 sends output to the running syslog service.
17701 @item @code{config-file} (default: @code{"/etc/yggdrasil-private.conf"})
17702 What HJSON file to load sensitive data from. This is where private keys
17703 should be stored, which are necessary to specify if you don't want a
17704 randomized address after each restart. Use @code{#f} to disable. Options
17705 defined in this file take precedence over @code{json-config}. Use the output
17706 of @code{yggdrasil -genconf} as a starting point. To configure a static
17707 address, delete everything except these options:
17710 @item @code{EncryptionPublicKey}
17711 @item @code{EncryptionPrivateKey}
17712 @item @code{SigningPublicKey}
17713 @item @code{SigningPrivateKey}
17719 @defvr {Scheme Variable} ipfs-service-type
17720 The service type for connecting to the @uref{https://ipfs.io,IPFS network},
17721 a global, versioned, peer-to-peer file system. Pass it a
17722 @code{ipfs-configuration} to change the ports used for the gateway and API.
17724 Here's an example configuration, using some non-standard ports:
17727 (service ipfs-service-type
17728 (ipfs-configuration
17729 (gateway "/ip4/127.0.0.1/tcp/8880")
17730 (api "/ip4/127.0.0.1/tcp/8881")))
17734 @deftp {Data Type} ipfs-configuration
17735 Data type representing the configuration of IPFS.
17738 @item @code{package} (default: @code{go-ipfs})
17739 Package object of IPFS.
17741 @item @code{gateway} (default: @code{"/ip4/127.0.0.1/tcp/8082"})
17742 Address of the gateway, in ‘multiaddress’ format.
17744 @item @code{api} (default: @code{"/ip4/127.0.0.1/tcp/5001"})
17745 Address of the API endpoint, in ‘multiaddress’ format.
17750 @deffn {Scheme Variable} keepalived-service-type
17751 This is the type for the @uref{https://www.keepalived.org/, Keepalived}
17752 routing software, @command{keepalived}. Its value must be an
17753 @code{keepalived-configuration} record as in this example for master
17757 (service keepalived-service-type
17758 (keepalived-configuration
17759 (config-file (local-file "keepalived-master.conf"))))
17762 where @file{keepalived-master.conf}:
17765 vrrp_instance my-group @{
17768 virtual_router_id 100
17770 unicast_peer @{ 10.0.0.2 @}
17771 virtual_ipaddress @{
17777 and for backup machine:
17780 (service keepalived-service-type
17781 (keepalived-configuration
17782 (config-file (local-file "keepalived-backup.conf"))))
17785 where @file{keepalived-backup.conf}:
17788 vrrp_instance my-group @{
17791 virtual_router_id 100
17793 unicast_peer @{ 10.0.0.3 @}
17794 virtual_ipaddress @{
17801 @node Unattended Upgrades
17802 @subsection Unattended Upgrades
17804 @cindex unattended upgrades
17805 @cindex upgrades, unattended
17806 Guix provides a service to perform @emph{unattended upgrades}:
17807 periodically, the system automatically reconfigures itself from the
17808 latest Guix. Guix System has several properties that make unattended
17813 upgrades are transactional (either the upgrade succeeds or it fails, but
17814 you cannot end up with an ``in-between'' system state);
17816 the upgrade log is kept---you can view it with @command{guix system
17817 list-generations}---and you can roll back to any previous generation,
17818 should the upgraded system fail to behave as intended;
17820 channel code is authenticated so you know you can only run genuine code
17821 (@pxref{Channels});
17823 @command{guix system reconfigure} prevents downgrades, which makes it
17824 immune to @dfn{downgrade attacks}.
17827 To set up unattended upgrades, add an instance of
17828 @code{unattended-upgrade-service-type} like the one below to the list of
17829 your operating system services:
17832 (service unattended-upgrade-service-type)
17835 The defaults above set up weekly upgrades: every Sunday at midnight.
17836 You do not need to provide the operating system configuration file: it
17837 uses @file{/run/current-system/configuration.scm}, which ensures it
17838 always uses your latest configuration---@pxref{provenance-service-type},
17839 for more information about this file.
17841 There are several things that can be configured, in particular the
17842 periodicity and services (daemons) to be restarted upon completion.
17843 When the upgrade is successful, the service takes care of deleting
17844 system generations older that some threshold, as per @command{guix
17845 system delete-generations}. See the reference below for details.
17847 To ensure that upgrades are actually happening, you can run
17848 @command{guix system describe}. To investigate upgrade failures, visit
17849 the unattended upgrade log file (see below).
17851 @defvr {Scheme Variable} unattended-upgrade-service-type
17852 This is the service type for unattended upgrades. It sets up an mcron
17853 job (@pxref{Scheduled Job Execution}) that runs @command{guix system
17854 reconfigure} from the latest version of the specified channels.
17856 Its value must be a @code{unattended-upgrade-configuration} record (see
17860 @deftp {Data Type} unattended-upgrade-configuration
17861 This data type represents the configuration of the unattended upgrade
17862 service. The following fields are available:
17865 @item @code{schedule} (default: @code{"30 01 * * 0"})
17866 This is the schedule of upgrades, expressed as a gexp containing an
17867 mcron job schedule (@pxref{Guile Syntax, mcron job specifications,,
17868 mcron, GNU@tie{}mcron}).
17870 @item @code{channels} (default: @code{#~%default-channels})
17871 This gexp specifies the channels to use for the upgrade
17872 (@pxref{Channels}). By default, the tip of the official @code{guix}
17875 @item @code{operating-system-file} (default: @code{"/run/current-system/configuration.scm"})
17876 This field specifies the operating system configuration file to use.
17877 The default is to reuse the config file of the current configuration.
17879 There are cases, though, where referring to
17880 @file{/run/current-system/configuration.scm} is not enough, for instance
17881 because that file refers to extra files (SSH public keys, extra
17882 configuration files, etc.) @i{via} @code{local-file} and similar
17883 constructs. For those cases, we recommend something along these lines:
17886 (unattended-upgrade-configuration
17887 (operating-system-file
17888 (file-append (local-file "." "config-dir" #:recursive? #t)
17892 The effect here is to import all of the current directory into the
17893 store, and to refer to @file{config.scm} within that directory.
17894 Therefore, uses of @code{local-file} within @file{config.scm} will work
17895 as expected. @xref{G-Expressions}, for information about
17896 @code{local-file} and @code{file-append}.
17898 @item @code{services-to-restart} (default: @code{'(mcron)})
17899 This field specifies the Shepherd services to restart when the upgrade
17902 Those services are restarted right away upon completion, as with
17903 @command{herd restart}, which ensures that the latest version is
17904 running---remember that by default @command{guix system reconfigure}
17905 only restarts services that are not currently running, which is
17906 conservative: it minimizes disruption but leaves outdated services
17909 Use @command{herd status} to find out candidates for restarting.
17910 @xref{Services}, for general information about services. Common
17911 services to restart would include @code{ntpd} and @code{ssh-daemon}.
17913 By default, the @code{mcron} service is restarted. This ensures that
17914 the latest version of the unattended upgrade job will be used next time.
17916 @item @code{system-expiration} (default: @code{(* 3 30 24 3600)})
17917 This is the expiration time in seconds for system generations. System
17918 generations older that this amount of time are deleted with
17919 @command{guix system delete-generations} when an upgrade completes.
17922 The unattended upgrade service does not run the garbage collector. You
17923 will probably want to set up your own mcron job to run @command{guix gc}
17927 @item @code{maximum-duration} (default: @code{3600})
17928 Maximum duration in seconds for the upgrade; past that time, the upgrade
17931 This is primarily useful to ensure the upgrade does not end up
17932 rebuilding or re-downloading ``the world''.
17934 @item @code{log-file} (default: @code{"/var/log/unattended-upgrade.log"})
17935 File where unattended upgrades are logged.
17940 @subsection X Window
17943 @cindex X Window System
17944 @cindex login manager
17945 Support for the X Window graphical display system---specifically
17946 Xorg---is provided by the @code{(gnu services xorg)} module. Note that
17947 there is no @code{xorg-service} procedure. Instead, the X server is
17948 started by the @dfn{login manager}, by default the GNOME Display Manager (GDM).
17951 @cindex GNOME, login manager
17952 GDM of course allows users to log in into window managers and desktop
17953 environments other than GNOME; for those using GNOME, GDM is required for
17954 features such as automatic screen locking.
17956 @cindex window manager
17957 To use X11, you must install at least one @dfn{window manager}---for
17958 example the @code{windowmaker} or @code{openbox} packages---preferably
17959 by adding it to the @code{packages} field of your operating system
17960 definition (@pxref{operating-system Reference, system-wide packages}).
17962 @defvr {Scheme Variable} gdm-service-type
17963 This is the type for the @uref{https://wiki.gnome.org/Projects/GDM/, GNOME
17964 Desktop Manager} (GDM), a program that manages graphical display servers and
17965 handles graphical user logins. Its value must be a @code{gdm-configuration}
17968 @cindex session types (X11)
17969 @cindex X11 session types
17970 GDM looks for @dfn{session types} described by the @file{.desktop} files in
17971 @file{/run/current-system/profile/share/xsessions} and allows users to choose
17972 a session from the log-in screen. Packages such as @code{gnome}, @code{xfce},
17973 and @code{i3} provide @file{.desktop} files; adding them to the system-wide
17974 set of packages automatically makes them available at the log-in screen.
17976 In addition, @file{~/.xsession} files are honored. When available,
17977 @file{~/.xsession} must be an executable that starts a window manager
17978 and/or other X clients.
17981 @deftp {Data Type} gdm-configuration
17983 @item @code{auto-login?} (default: @code{#f})
17984 @itemx @code{default-user} (default: @code{#f})
17985 When @code{auto-login?} is false, GDM presents a log-in screen.
17987 When @code{auto-login?} is true, GDM logs in directly as
17988 @code{default-user}.
17990 @item @code{debug?} (default: @code{#f})
17991 When true, GDM writes debug messages to its log.
17993 @item @code{gnome-shell-assets} (default: ...)
17994 List of GNOME Shell assets needed by GDM: icon theme, fonts, etc.
17996 @item @code{xorg-configuration} (default: @code{(xorg-configuration)})
17997 Configuration of the Xorg graphical server.
17999 @item @code{xsession} (default: @code{(xinitrc)})
18000 Script to run before starting a X session.
18002 @item @code{dbus-daemon} (default: @code{dbus-daemon-wrapper})
18003 File name of the @code{dbus-daemon} executable.
18005 @item @code{gdm} (default: @code{gdm})
18006 The GDM package to use.
18010 @defvr {Scheme Variable} slim-service-type
18011 This is the type for the SLiM graphical login manager for X11.
18013 Like GDM, SLiM looks for session types described by @file{.desktop} files and
18014 allows users to choose a session from the log-in screen using @kbd{F1}. It
18015 also honors @file{~/.xsession} files.
18017 Unlike GDM, SLiM does not spawn the user session on a different VT after
18018 logging in, which means that you can only start one graphical session. If you
18019 want to be able to run multiple graphical sessions at the same time you have
18020 to add multiple SLiM services to your system services. The following example
18021 shows how to replace the default GDM service with two SLiM services on tty7
18025 (use-modules (gnu services)
18026 (gnu services desktop)
18027 (gnu services xorg)
18028 (srfi srfi-1)) ;for 'remove'
18032 (services (cons* (service slim-service-type (slim-configuration
18035 (service slim-service-type (slim-configuration
18038 (modify-services %desktop-services
18039 (delete gdm-service-type)))))
18044 @deftp {Data Type} slim-configuration
18045 Data type representing the configuration of @code{slim-service-type}.
18048 @item @code{allow-empty-passwords?} (default: @code{#t})
18049 Whether to allow logins with empty passwords.
18051 @item @code{auto-login?} (default: @code{#f})
18052 @itemx @code{default-user} (default: @code{""})
18053 When @code{auto-login?} is false, SLiM presents a log-in screen.
18055 When @code{auto-login?} is true, SLiM logs in directly as
18056 @code{default-user}.
18058 @item @code{theme} (default: @code{%default-slim-theme})
18059 @itemx @code{theme-name} (default: @code{%default-slim-theme-name})
18060 The graphical theme to use and its name.
18062 @item @code{auto-login-session} (default: @code{#f})
18063 If true, this must be the name of the executable to start as the default
18064 session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}.
18066 If false, a session described by one of the available @file{.desktop}
18067 files in @code{/run/current-system/profile} and @code{~/.guix-profile}
18071 You must install at least one window manager in the system profile or in
18072 your user profile. Failing to do that, if @code{auto-login-session} is
18073 false, you will be unable to log in.
18076 @item @code{xorg-configuration} (default @code{(xorg-configuration)})
18077 Configuration of the Xorg graphical server.
18079 @item @code{display} (default @code{":0"})
18080 The display on which to start the Xorg graphical server.
18082 @item @code{vt} (default @code{"vt7"})
18083 The VT on which to start the Xorg graphical server.
18085 @item @code{xauth} (default: @code{xauth})
18086 The XAuth package to use.
18088 @item @code{shepherd} (default: @code{shepherd})
18089 The Shepherd package used when invoking @command{halt} and
18092 @item @code{sessreg} (default: @code{sessreg})
18093 The sessreg package used in order to register the session.
18095 @item @code{slim} (default: @code{slim})
18096 The SLiM package to use.
18100 @defvr {Scheme Variable} %default-theme
18101 @defvrx {Scheme Variable} %default-theme-name
18102 The default SLiM theme and its name.
18106 @deftp {Data Type} sddm-configuration
18107 This is the data type representing the SDDM service configuration.
18110 @item @code{display-server} (default: "x11")
18111 Select display server to use for the greeter. Valid values are
18112 @samp{"x11"} or @samp{"wayland"}.
18114 @item @code{numlock} (default: "on")
18115 Valid values are @samp{"on"}, @samp{"off"} or @samp{"none"}.
18117 @item @code{halt-command} (default @code{#~(string-apppend #$shepherd "/sbin/halt")})
18118 Command to run when halting.
18120 @item @code{reboot-command} (default @code{#~(string-append #$shepherd "/sbin/reboot")})
18121 Command to run when rebooting.
18123 @item @code{theme} (default "maldives")
18124 Theme to use. Default themes provided by SDDM are @samp{"elarun"},
18125 @samp{"maldives"} or @samp{"maya"}.
18127 @item @code{themes-directory} (default "/run/current-system/profile/share/sddm/themes")
18128 Directory to look for themes.
18130 @item @code{faces-directory} (default "/run/current-system/profile/share/sddm/faces")
18131 Directory to look for faces.
18133 @item @code{default-path} (default "/run/current-system/profile/bin")
18134 Default PATH to use.
18136 @item @code{minimum-uid} (default: 1000)
18137 Minimum UID displayed in SDDM and allowed for log-in.
18139 @item @code{maximum-uid} (default: 2000)
18140 Maximum UID to display in SDDM.
18142 @item @code{remember-last-user?} (default #t)
18143 Remember last user.
18145 @item @code{remember-last-session?} (default #t)
18146 Remember last session.
18148 @item @code{hide-users} (default "")
18149 Usernames to hide from SDDM greeter.
18151 @item @code{hide-shells} (default @code{#~(string-append #$shadow "/sbin/nologin")})
18152 Users with shells listed will be hidden from the SDDM greeter.
18154 @item @code{session-command} (default @code{#~(string-append #$sddm "/share/sddm/scripts/wayland-session")})
18155 Script to run before starting a wayland session.
18157 @item @code{sessions-directory} (default "/run/current-system/profile/share/wayland-sessions")
18158 Directory to look for desktop files starting wayland sessions.
18160 @item @code{xorg-configuration} (default @code{(xorg-configuration)})
18161 Configuration of the Xorg graphical server.
18163 @item @code{xauth-path} (default @code{#~(string-append #$xauth "/bin/xauth")})
18166 @item @code{xephyr-path} (default @code{#~(string-append #$xorg-server "/bin/Xephyr")})
18169 @item @code{xdisplay-start} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xsetup")})
18170 Script to run after starting xorg-server.
18172 @item @code{xdisplay-stop} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xstop")})
18173 Script to run before stopping xorg-server.
18175 @item @code{xsession-command} (default: @code{xinitrc})
18176 Script to run before starting a X session.
18178 @item @code{xsessions-directory} (default: "/run/current-system/profile/share/xsessions")
18179 Directory to look for desktop files starting X sessions.
18181 @item @code{minimum-vt} (default: 7)
18184 @item @code{auto-login-user} (default "")
18185 User to use for auto-login.
18187 @item @code{auto-login-session} (default "")
18188 Desktop file to use for auto-login.
18190 @item @code{relogin?} (default #f)
18191 Relogin after logout.
18196 @cindex login manager
18198 @defvr {Scheme Variable} sddm-service-type
18199 This is the type of the service to run the
18200 @uref{https://github.com/sddm/sddm,SDDM display manager}. Its value
18201 must be a @code{sddm-configuration} record (see below).
18203 Here's an example use:
18206 (service sddm-service-type
18207 (sddm-configuration
18208 (auto-login-user "alice")
18209 (auto-login-session "xfce.desktop")))
18213 @deftp {Data Type} sddm-configuration
18214 This data type represents the configuration of the SDDM login manager.
18215 The available fields are:
18218 @item @code{sddm} (default: @code{sddm})
18219 The SDDM package to use.
18221 @item @code{display-server} (default: @code{"x11"})
18222 This must be either @code{"x11"} or @code{"wayland"}.
18224 @c FIXME: Add more fields.
18226 @item @code{auto-login-user} (default: @code{""})
18227 If non-empty, this is the user account under which to log in
18230 @item @code{auto-login-session} (default: @code{""})
18231 If non-empty, this is the @file{.desktop} file name to use as the
18232 auto-login session.
18236 @cindex Xorg, configuration
18237 @deftp {Data Type} xorg-configuration
18238 This data type represents the configuration of the Xorg graphical display
18239 server. Note that there is no Xorg service; instead, the X server is started
18240 by a ``display manager'' such as GDM, SDDM, and SLiM@. Thus, the configuration
18241 of these display managers aggregates an @code{xorg-configuration} record.
18244 @item @code{modules} (default: @code{%default-xorg-modules})
18245 This is a list of @dfn{module packages} loaded by the Xorg
18246 server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on.
18248 @item @code{fonts} (default: @code{%default-xorg-fonts})
18249 This is a list of font directories to add to the server's @dfn{font path}.
18251 @item @code{drivers} (default: @code{'()})
18252 This must be either the empty list, in which case Xorg chooses a graphics
18253 driver automatically, or a list of driver names that will be tried in this
18254 order---e.g., @code{("modesetting" "vesa")}.
18256 @item @code{resolutions} (default: @code{'()})
18257 When @code{resolutions} is the empty list, Xorg chooses an appropriate screen
18258 resolution. Otherwise, it must be a list of resolutions---e.g., @code{((1024
18261 @cindex keyboard layout, for Xorg
18262 @cindex keymap, for Xorg
18263 @item @code{keyboard-layout} (default: @code{#f})
18264 If this is @code{#f}, Xorg uses the default keyboard layout---usually US
18265 English (``qwerty'') for a 105-key PC keyboard.
18267 Otherwise this must be a @code{keyboard-layout} object specifying the keyboard
18268 layout in use when Xorg is running. @xref{Keyboard Layout}, for more
18269 information on how to specify the keyboard layout.
18271 @item @code{extra-config} (default: @code{'()})
18272 This is a list of strings or objects appended to the configuration file. It
18273 is used to pass extra text to be added verbatim to the configuration file.
18275 @item @code{server} (default: @code{xorg-server})
18276 This is the package providing the Xorg server.
18278 @item @code{server-arguments} (default: @code{%default-xorg-server-arguments})
18279 This is the list of command-line arguments to pass to the X server. The
18280 default is @code{-nolisten tcp}.
18284 @deffn {Scheme Procedure} set-xorg-configuration @var{config} @
18285 [@var{login-manager-service-type}]
18286 Tell the log-in manager (of type @var{login-manager-service-type}) to use
18287 @var{config}, an @code{<xorg-configuration>} record.
18289 Since the Xorg configuration is embedded in the log-in manager's
18290 configuration---e.g., @code{gdm-configuration}---this procedure provides a
18291 shorthand to set the Xorg configuration.
18294 @deffn {Scheme Procedure} xorg-start-command [@var{config}]
18295 Return a @code{startx} script in which the modules, fonts, etc. specified
18296 in @var{config}, are available. The result should be used in place of
18299 Usually the X server is started by a login manager.
18303 @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}]
18304 Add @var{package}, a package for a screen locker or screen saver whose
18305 command is @var{program}, to the set of setuid programs and add a PAM entry
18306 for it. For example:
18309 (screen-locker-service xlockmore "xlock")
18312 makes the good ol' XlockMore usable.
18316 @node Printing Services
18317 @subsection Printing Services
18319 @cindex printer support with CUPS
18320 The @code{(gnu services cups)} module provides a Guix service definition
18321 for the CUPS printing service. To add printer support to a Guix
18322 system, add a @code{cups-service} to the operating system definition:
18324 @deffn {Scheme Variable} cups-service-type
18325 The service type for the CUPS print server. Its value should be a valid
18326 CUPS configuration (see below). To use the default settings, simply
18329 (service cups-service-type)
18333 The CUPS configuration controls the basic things about your CUPS
18334 installation: what interfaces it listens on, what to do if a print job
18335 fails, how much logging to do, and so on. To actually add a printer,
18336 you have to visit the @url{http://localhost:631} URL, or use a tool such
18337 as GNOME's printer configuration services. By default, configuring a
18338 CUPS service will generate a self-signed certificate if needed, for
18339 secure connections to the print server.
18341 Suppose you want to enable the Web interface of CUPS and also add
18342 support for Epson printers @i{via} the @code{epson-inkjet-printer-escpr}
18343 package and for HP printers @i{via} the @code{hplip-minimal} package.
18344 You can do that directly, like this (you need to use the
18345 @code{(gnu packages cups)} module):
18348 (service cups-service-type
18349 (cups-configuration
18350 (web-interface? #t)
18352 (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
18355 Note: If you wish to use the Qt5 based GUI which comes with the hplip
18356 package then it is suggested that you install the @code{hplip} package,
18357 either in your OS configuration file or as your user.
18359 The available configuration parameters follow. Each parameter
18360 definition is preceded by its type; for example, @samp{string-list foo}
18361 indicates that the @code{foo} parameter should be specified as a list of
18362 strings. There is also a way to specify the configuration as a string,
18363 if you have an old @code{cupsd.conf} file that you want to port over
18364 from some other system; see the end for more details.
18366 @c The following documentation was initially generated by
18367 @c (generate-documentation) in (gnu services cups). Manually maintained
18368 @c documentation is better, so we shouldn't hesitate to edit below as
18369 @c needed. However if the change you want to make to this documentation
18370 @c can be done in an automated way, it's probably easier to change
18371 @c (generate-documentation) than to make it below and have to deal with
18372 @c the churn as CUPS updates.
18375 Available @code{cups-configuration} fields are:
18377 @deftypevr {@code{cups-configuration} parameter} package cups
18381 @deftypevr {@code{cups-configuration} parameter} package-list extensions (default: @code{(list brlaser cups-filters epson-inkjet-printer-escpr foomatic-filters hplip-minimal splix)})
18382 Drivers and other extensions to the CUPS package.
18385 @deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration
18386 Configuration of where to write logs, what directories to use for print
18387 spools, and related privileged configuration parameters.
18389 Available @code{files-configuration} fields are:
18391 @deftypevr {@code{files-configuration} parameter} log-location access-log
18392 Defines the access log filename. Specifying a blank filename disables
18393 access log generation. The value @code{stderr} causes log entries to be
18394 sent to the standard error file when the scheduler is running in the
18395 foreground, or to the system log daemon when run in the background. The
18396 value @code{syslog} causes log entries to be sent to the system log
18397 daemon. The server name may be included in filenames using the string
18398 @code{%s}, as in @code{/var/log/cups/%s-access_log}.
18400 Defaults to @samp{"/var/log/cups/access_log"}.
18403 @deftypevr {@code{files-configuration} parameter} file-name cache-dir
18404 Where CUPS should cache data.
18406 Defaults to @samp{"/var/cache/cups"}.
18409 @deftypevr {@code{files-configuration} parameter} string config-file-perm
18410 Specifies the permissions for all configuration files that the scheduler
18413 Note that the permissions for the printers.conf file are currently
18414 masked to only allow access from the scheduler user (typically root).
18415 This is done because printer device URIs sometimes contain sensitive
18416 authentication information that should not be generally known on the
18417 system. There is no way to disable this security feature.
18419 Defaults to @samp{"0640"}.
18422 @deftypevr {@code{files-configuration} parameter} log-location error-log
18423 Defines the error log filename. Specifying a blank filename disables
18424 error log generation. The value @code{stderr} causes log entries to be
18425 sent to the standard error file when the scheduler is running in the
18426 foreground, or to the system log daemon when run in the background. The
18427 value @code{syslog} causes log entries to be sent to the system log
18428 daemon. The server name may be included in filenames using the string
18429 @code{%s}, as in @code{/var/log/cups/%s-error_log}.
18431 Defaults to @samp{"/var/log/cups/error_log"}.
18434 @deftypevr {@code{files-configuration} parameter} string fatal-errors
18435 Specifies which errors are fatal, causing the scheduler to exit. The
18440 No errors are fatal.
18443 All of the errors below are fatal.
18446 Browsing initialization errors are fatal, for example failed connections
18447 to the DNS-SD daemon.
18450 Configuration file syntax errors are fatal.
18453 Listen or Port errors are fatal, except for IPv6 failures on the
18454 loopback or @code{any} addresses.
18457 Log file creation or write errors are fatal.
18460 Bad startup file permissions are fatal, for example shared TLS
18461 certificate and key files with world-read permissions.
18464 Defaults to @samp{"all -browse"}.
18467 @deftypevr {@code{files-configuration} parameter} boolean file-device?
18468 Specifies whether the file pseudo-device can be used for new printer
18469 queues. The URI @uref{file:///dev/null} is always allowed.
18471 Defaults to @samp{#f}.
18474 @deftypevr {@code{files-configuration} parameter} string group
18475 Specifies the group name or ID that will be used when executing external
18478 Defaults to @samp{"lp"}.
18481 @deftypevr {@code{files-configuration} parameter} string log-file-perm
18482 Specifies the permissions for all log files that the scheduler writes.
18484 Defaults to @samp{"0644"}.
18487 @deftypevr {@code{files-configuration} parameter} log-location page-log
18488 Defines the page log filename. Specifying a blank filename disables
18489 page log generation. The value @code{stderr} causes log entries to be
18490 sent to the standard error file when the scheduler is running in the
18491 foreground, or to the system log daemon when run in the background. The
18492 value @code{syslog} causes log entries to be sent to the system log
18493 daemon. The server name may be included in filenames using the string
18494 @code{%s}, as in @code{/var/log/cups/%s-page_log}.
18496 Defaults to @samp{"/var/log/cups/page_log"}.
18499 @deftypevr {@code{files-configuration} parameter} string remote-root
18500 Specifies the username that is associated with unauthenticated accesses
18501 by clients claiming to be the root user. The default is @code{remroot}.
18503 Defaults to @samp{"remroot"}.
18506 @deftypevr {@code{files-configuration} parameter} file-name request-root
18507 Specifies the directory that contains print jobs and other HTTP request
18510 Defaults to @samp{"/var/spool/cups"}.
18513 @deftypevr {@code{files-configuration} parameter} sandboxing sandboxing
18514 Specifies the level of security sandboxing that is applied to print
18515 filters, backends, and other child processes of the scheduler; either
18516 @code{relaxed} or @code{strict}. This directive is currently only
18517 used/supported on macOS.
18519 Defaults to @samp{strict}.
18522 @deftypevr {@code{files-configuration} parameter} file-name server-keychain
18523 Specifies the location of TLS certificates and private keys. CUPS will
18524 look for public and private keys in this directory: @file{.crt} files
18525 for PEM-encoded certificates and corresponding @file{.key} files for
18526 PEM-encoded private keys.
18528 Defaults to @samp{"/etc/cups/ssl"}.
18531 @deftypevr {@code{files-configuration} parameter} file-name server-root
18532 Specifies the directory containing the server configuration files.
18534 Defaults to @samp{"/etc/cups"}.
18537 @deftypevr {@code{files-configuration} parameter} boolean sync-on-close?
18538 Specifies whether the scheduler calls fsync(2) after writing
18539 configuration or state files.
18541 Defaults to @samp{#f}.
18544 @deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group
18545 Specifies the group(s) to use for @code{@@SYSTEM} group authentication.
18548 @deftypevr {@code{files-configuration} parameter} file-name temp-dir
18549 Specifies the directory where temporary files are stored.
18551 Defaults to @samp{"/var/spool/cups/tmp"}.
18554 @deftypevr {@code{files-configuration} parameter} string user
18555 Specifies the user name or ID that is used when running external
18558 Defaults to @samp{"lp"}.
18561 @deftypevr {@code{files-configuration} parameter} string set-env
18562 Set the specified environment variable to be passed to child processes.
18564 Defaults to @samp{"variable value"}.
18568 @deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level
18569 Specifies the logging level for the AccessLog file. The @code{config}
18570 level logs when printers and classes are added, deleted, or modified and
18571 when configuration files are accessed or updated. The @code{actions}
18572 level logs when print jobs are submitted, held, released, modified, or
18573 canceled, and any of the conditions for @code{config}. The @code{all}
18574 level logs all requests.
18576 Defaults to @samp{actions}.
18579 @deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs?
18580 Specifies whether to purge job history data automatically when it is no
18581 longer required for quotas.
18583 Defaults to @samp{#f}.
18586 @deftypevr {@code{cups-configuration} parameter} comma-separated-string-list browse-dns-sd-sub-types
18587 Specifies a list of DNS-SD sub-types to advertise for each shared printer.
18588 For example, @samp{"_cups" "_print"} will tell network clients that both
18589 CUPS sharing and IPP Everywhere are supported.
18591 Defaults to @samp{"_cups"}.
18594 @deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols
18595 Specifies which protocols to use for local printer sharing.
18597 Defaults to @samp{dnssd}.
18600 @deftypevr {@code{cups-configuration} parameter} boolean browse-web-if?
18601 Specifies whether the CUPS web interface is advertised.
18603 Defaults to @samp{#f}.
18606 @deftypevr {@code{cups-configuration} parameter} boolean browsing?
18607 Specifies whether shared printers are advertised.
18609 Defaults to @samp{#f}.
18612 @deftypevr {@code{cups-configuration} parameter} string classification
18613 Specifies the security classification of the server. Any valid banner
18614 name can be used, including @samp{"classified"}, @samp{"confidential"},
18615 @samp{"secret"}, @samp{"topsecret"}, and @samp{"unclassified"}, or the
18616 banner can be omitted to disable secure printing functions.
18618 Defaults to @samp{""}.
18621 @deftypevr {@code{cups-configuration} parameter} boolean classify-override?
18622 Specifies whether users may override the classification (cover page) of
18623 individual print jobs using the @code{job-sheets} option.
18625 Defaults to @samp{#f}.
18628 @deftypevr {@code{cups-configuration} parameter} default-auth-type default-auth-type
18629 Specifies the default type of authentication to use.
18631 Defaults to @samp{Basic}.
18634 @deftypevr {@code{cups-configuration} parameter} default-encryption default-encryption
18635 Specifies whether encryption will be used for authenticated requests.
18637 Defaults to @samp{Required}.
18640 @deftypevr {@code{cups-configuration} parameter} string default-language
18641 Specifies the default language to use for text and web content.
18643 Defaults to @samp{"en"}.
18646 @deftypevr {@code{cups-configuration} parameter} string default-paper-size
18647 Specifies the default paper size for new print queues. @samp{"Auto"}
18648 uses a locale-specific default, while @samp{"None"} specifies there is
18649 no default paper size. Specific size names are typically
18650 @samp{"Letter"} or @samp{"A4"}.
18652 Defaults to @samp{"Auto"}.
18655 @deftypevr {@code{cups-configuration} parameter} string default-policy
18656 Specifies the default access policy to use.
18658 Defaults to @samp{"default"}.
18661 @deftypevr {@code{cups-configuration} parameter} boolean default-shared?
18662 Specifies whether local printers are shared by default.
18664 Defaults to @samp{#t}.
18667 @deftypevr {@code{cups-configuration} parameter} non-negative-integer dirty-clean-interval
18668 Specifies the delay for updating of configuration and state files, in
18669 seconds. A value of 0 causes the update to happen as soon as possible,
18670 typically within a few milliseconds.
18672 Defaults to @samp{30}.
18675 @deftypevr {@code{cups-configuration} parameter} error-policy error-policy
18676 Specifies what to do when an error occurs. Possible values are
18677 @code{abort-job}, which will discard the failed print job;
18678 @code{retry-job}, which will retry the job at a later time;
18679 @code{retry-current-job}, which retries the failed job immediately; and
18680 @code{stop-printer}, which stops the printer.
18682 Defaults to @samp{stop-printer}.
18685 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-limit
18686 Specifies the maximum cost of filters that are run concurrently, which
18687 can be used to minimize disk, memory, and CPU resource problems. A
18688 limit of 0 disables filter limiting. An average print to a
18689 non-PostScript printer needs a filter limit of about 200. A PostScript
18690 printer needs about half that (100). Setting the limit below these
18691 thresholds will effectively limit the scheduler to printing a single job
18694 Defaults to @samp{0}.
18697 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-nice
18698 Specifies the scheduling priority of filters that are run to print a
18699 job. The nice value ranges from 0, the highest priority, to 19, the
18702 Defaults to @samp{0}.
18705 @deftypevr {@code{cups-configuration} parameter} host-name-lookups host-name-lookups
18706 Specifies whether to do reverse lookups on connecting clients. The
18707 @code{double} setting causes @code{cupsd} to verify that the hostname
18708 resolved from the address matches one of the addresses returned for that
18709 hostname. Double lookups also prevent clients with unregistered
18710 addresses from connecting to your server. Only set this option to
18711 @code{#t} or @code{double} if absolutely required.
18713 Defaults to @samp{#f}.
18716 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-kill-delay
18717 Specifies the number of seconds to wait before killing the filters and
18718 backend associated with a canceled or held job.
18720 Defaults to @samp{30}.
18723 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-interval
18724 Specifies the interval between retries of jobs in seconds. This is
18725 typically used for fax queues but can also be used with normal print
18726 queues whose error policy is @code{retry-job} or
18727 @code{retry-current-job}.
18729 Defaults to @samp{30}.
18732 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-limit
18733 Specifies the number of retries that are done for jobs. This is
18734 typically used for fax queues but can also be used with normal print
18735 queues whose error policy is @code{retry-job} or
18736 @code{retry-current-job}.
18738 Defaults to @samp{5}.
18741 @deftypevr {@code{cups-configuration} parameter} boolean keep-alive?
18742 Specifies whether to support HTTP keep-alive connections.
18744 Defaults to @samp{#t}.
18747 @deftypevr {@code{cups-configuration} parameter} non-negative-integer limit-request-body
18748 Specifies the maximum size of print files, IPP requests, and HTML form
18749 data. A limit of 0 disables the limit check.
18751 Defaults to @samp{0}.
18754 @deftypevr {@code{cups-configuration} parameter} multiline-string-list listen
18755 Listens on the specified interfaces for connections. Valid values are
18756 of the form @var{address}:@var{port}, where @var{address} is either an
18757 IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to
18758 indicate all addresses. Values can also be file names of local UNIX
18759 domain sockets. The Listen directive is similar to the Port directive
18760 but allows you to restrict access to specific interfaces or networks.
18763 @deftypevr {@code{cups-configuration} parameter} non-negative-integer listen-back-log
18764 Specifies the number of pending connections that will be allowed. This
18765 normally only affects very busy servers that have reached the MaxClients
18766 limit, but can also be triggered by large numbers of simultaneous
18767 connections. When the limit is reached, the operating system will
18768 refuse additional connections until the scheduler can accept the pending
18771 Defaults to @samp{128}.
18774 @deftypevr {@code{cups-configuration} parameter} location-access-control-list location-access-controls
18775 Specifies a set of additional access controls.
18777 Available @code{location-access-controls} fields are:
18779 @deftypevr {@code{location-access-controls} parameter} file-name path
18780 Specifies the URI path to which the access control applies.
18783 @deftypevr {@code{location-access-controls} parameter} access-control-list access-controls
18784 Access controls for all access to this path, in the same format as the
18785 @code{access-controls} of @code{operation-access-control}.
18787 Defaults to @samp{()}.
18790 @deftypevr {@code{location-access-controls} parameter} method-access-control-list method-access-controls
18791 Access controls for method-specific access to this path.
18793 Defaults to @samp{()}.
18795 Available @code{method-access-controls} fields are:
18797 @deftypevr {@code{method-access-controls} parameter} boolean reverse?
18798 If @code{#t}, apply access controls to all methods except the listed
18799 methods. Otherwise apply to only the listed methods.
18801 Defaults to @samp{#f}.
18804 @deftypevr {@code{method-access-controls} parameter} method-list methods
18805 Methods to which this access control applies.
18807 Defaults to @samp{()}.
18810 @deftypevr {@code{method-access-controls} parameter} access-control-list access-controls
18811 Access control directives, as a list of strings. Each string should be
18812 one directive, such as @samp{"Order allow,deny"}.
18814 Defaults to @samp{()}.
18819 @deftypevr {@code{cups-configuration} parameter} non-negative-integer log-debug-history
18820 Specifies the number of debugging messages that are retained for logging
18821 if an error occurs in a print job. Debug messages are logged regardless
18822 of the LogLevel setting.
18824 Defaults to @samp{100}.
18827 @deftypevr {@code{cups-configuration} parameter} log-level log-level
18828 Specifies the level of logging for the ErrorLog file. The value
18829 @code{none} stops all logging while @code{debug2} logs everything.
18831 Defaults to @samp{info}.
18834 @deftypevr {@code{cups-configuration} parameter} log-time-format log-time-format
18835 Specifies the format of the date and time in the log files. The value
18836 @code{standard} logs whole seconds while @code{usecs} logs microseconds.
18838 Defaults to @samp{standard}.
18841 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients
18842 Specifies the maximum number of simultaneous clients that are allowed by
18845 Defaults to @samp{100}.
18848 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients-per-host
18849 Specifies the maximum number of simultaneous clients that are allowed
18850 from a single address.
18852 Defaults to @samp{100}.
18855 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-copies
18856 Specifies the maximum number of copies that a user can print of each
18859 Defaults to @samp{9999}.
18862 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-hold-time
18863 Specifies the maximum time a job may remain in the @code{indefinite}
18864 hold state before it is canceled. A value of 0 disables cancellation of
18867 Defaults to @samp{0}.
18870 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs
18871 Specifies the maximum number of simultaneous jobs that are allowed. Set
18872 to 0 to allow an unlimited number of jobs.
18874 Defaults to @samp{500}.
18877 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-printer
18878 Specifies the maximum number of simultaneous jobs that are allowed per
18879 printer. A value of 0 allows up to MaxJobs jobs per printer.
18881 Defaults to @samp{0}.
18884 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-user
18885 Specifies the maximum number of simultaneous jobs that are allowed per
18886 user. A value of 0 allows up to MaxJobs jobs per user.
18888 Defaults to @samp{0}.
18891 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-job-time
18892 Specifies the maximum time a job may take to print before it is
18893 canceled, in seconds. Set to 0 to disable cancellation of ``stuck'' jobs.
18895 Defaults to @samp{10800}.
18898 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-log-size
18899 Specifies the maximum size of the log files before they are rotated, in
18900 bytes. The value 0 disables log rotation.
18902 Defaults to @samp{1048576}.
18905 @deftypevr {@code{cups-configuration} parameter} non-negative-integer multiple-operation-timeout
18906 Specifies the maximum amount of time to allow between files in a
18907 multiple file print job, in seconds.
18909 Defaults to @samp{300}.
18912 @deftypevr {@code{cups-configuration} parameter} string page-log-format
18913 Specifies the format of PageLog lines. Sequences beginning with percent
18914 (@samp{%}) characters are replaced with the corresponding information,
18915 while all other characters are copied literally. The following percent
18916 sequences are recognized:
18920 insert a single percent character
18923 insert the value of the specified IPP attribute
18926 insert the number of copies for the current page
18929 insert the current page number
18932 insert the current date and time in common log format
18938 insert the printer name
18941 insert the username
18944 A value of the empty string disables page logging. The string @code{%p
18945 %u %j %T %P %C %@{job-billing@} %@{job-originating-host-name@}
18946 %@{job-name@} %@{media@} %@{sides@}} creates a page log with the
18949 Defaults to @samp{""}.
18952 @deftypevr {@code{cups-configuration} parameter} environment-variables environment-variables
18953 Passes the specified environment variable(s) to child processes; a list
18956 Defaults to @samp{()}.
18959 @deftypevr {@code{cups-configuration} parameter} policy-configuration-list policies
18960 Specifies named access control policies.
18962 Available @code{policy-configuration} fields are:
18964 @deftypevr {@code{policy-configuration} parameter} string name
18965 Name of the policy.
18968 @deftypevr {@code{policy-configuration} parameter} string job-private-access
18969 Specifies an access list for a job's private values. @code{@@ACL} maps
18970 to the printer's requesting-user-name-allowed or
18971 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
18972 owner. @code{@@SYSTEM} maps to the groups listed for the
18973 @code{system-group} field of the @code{files-configuration},
18974 which is reified into the @code{cups-files.conf(5)} file. Other
18975 possible elements of the access list include specific user names, and
18976 @code{@@@var{group}} to indicate members of a specific group. The
18977 access list may also be simply @code{all} or @code{default}.
18979 Defaults to @samp{"@@OWNER @@SYSTEM"}.
18982 @deftypevr {@code{policy-configuration} parameter} string job-private-values
18983 Specifies the list of job values to make private, or @code{all},
18984 @code{default}, or @code{none}.
18986 Defaults to @samp{"job-name job-originating-host-name
18987 job-originating-user-name phone"}.
18990 @deftypevr {@code{policy-configuration} parameter} string subscription-private-access
18991 Specifies an access list for a subscription's private values.
18992 @code{@@ACL} maps to the printer's requesting-user-name-allowed or
18993 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
18994 owner. @code{@@SYSTEM} maps to the groups listed for the
18995 @code{system-group} field of the @code{files-configuration},
18996 which is reified into the @code{cups-files.conf(5)} file. Other
18997 possible elements of the access list include specific user names, and
18998 @code{@@@var{group}} to indicate members of a specific group. The
18999 access list may also be simply @code{all} or @code{default}.
19001 Defaults to @samp{"@@OWNER @@SYSTEM"}.
19004 @deftypevr {@code{policy-configuration} parameter} string subscription-private-values
19005 Specifies the list of job values to make private, or @code{all},
19006 @code{default}, or @code{none}.
19008 Defaults to @samp{"notify-events notify-pull-method notify-recipient-uri
19009 notify-subscriber-user-name notify-user-data"}.
19012 @deftypevr {@code{policy-configuration} parameter} operation-access-control-list access-controls
19013 Access control by IPP operation.
19015 Defaults to @samp{()}.
19019 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-files
19020 Specifies whether job files (documents) are preserved after a job is
19021 printed. If a numeric value is specified, job files are preserved for
19022 the indicated number of seconds after printing. Otherwise a boolean
19023 value applies indefinitely.
19025 Defaults to @samp{86400}.
19028 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-history
19029 Specifies whether the job history is preserved after a job is printed.
19030 If a numeric value is specified, the job history is preserved for the
19031 indicated number of seconds after printing. If @code{#t}, the job
19032 history is preserved until the MaxJobs limit is reached.
19034 Defaults to @samp{#t}.
19037 @deftypevr {@code{cups-configuration} parameter} non-negative-integer reload-timeout
19038 Specifies the amount of time to wait for job completion before
19039 restarting the scheduler.
19041 Defaults to @samp{30}.
19044 @deftypevr {@code{cups-configuration} parameter} string rip-cache
19045 Specifies the maximum amount of memory to use when converting documents
19046 into bitmaps for a printer.
19048 Defaults to @samp{"128m"}.
19051 @deftypevr {@code{cups-configuration} parameter} string server-admin
19052 Specifies the email address of the server administrator.
19054 Defaults to @samp{"root@@localhost.localdomain"}.
19057 @deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias
19058 The ServerAlias directive is used for HTTP Host header validation when
19059 clients connect to the scheduler from external interfaces. Using the
19060 special name @code{*} can expose your system to known browser-based DNS
19061 rebinding attacks, even when accessing sites through a firewall. If the
19062 auto-discovery of alternate names does not work, we recommend listing
19063 each alternate name with a ServerAlias directive instead of using
19066 Defaults to @samp{*}.
19069 @deftypevr {@code{cups-configuration} parameter} string server-name
19070 Specifies the fully-qualified host name of the server.
19072 Defaults to @samp{"localhost"}.
19075 @deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens
19076 Specifies what information is included in the Server header of HTTP
19077 responses. @code{None} disables the Server header. @code{ProductOnly}
19078 reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor}
19079 reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}.
19080 @code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is
19081 the output of the @code{uname} command. @code{Full} reports @code{CUPS
19082 2.0.0 (@var{uname}) IPP/2.0}.
19084 Defaults to @samp{Minimal}.
19087 @deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen
19088 Listens on the specified interfaces for encrypted connections. Valid
19089 values are of the form @var{address}:@var{port}, where @var{address} is
19090 either an IPv6 address enclosed in brackets, an IPv4 address, or
19091 @code{*} to indicate all addresses.
19093 Defaults to @samp{()}.
19096 @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
19097 Sets encryption options. By default, CUPS only supports encryption
19098 using TLS v1.0 or higher using known secure cipher suites. Security is
19099 reduced when @code{Allow} options are used, and enhanced when @code{Deny}
19100 options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
19101 suites, which are required for some older clients. The @code{AllowSSL3} option
19102 enables SSL v3.0, which is required for some older clients that do not support
19103 TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
19104 @code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
19105 protocol version to TLS v1.1.
19107 Defaults to @samp{()}.
19110 @deftypevr {@code{cups-configuration} parameter} boolean strict-conformance?
19111 Specifies whether the scheduler requires clients to strictly adhere to
19112 the IPP specifications.
19114 Defaults to @samp{#f}.
19117 @deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout
19118 Specifies the HTTP request timeout, in seconds.
19120 Defaults to @samp{300}.
19124 @deftypevr {@code{cups-configuration} parameter} boolean web-interface?
19125 Specifies whether the web interface is enabled.
19127 Defaults to @samp{#f}.
19130 At this point you're probably thinking ``oh dear, Guix manual, I like
19131 you but you can stop already with the configuration options''. Indeed.
19132 However, one more point: it could be that you have an existing
19133 @code{cupsd.conf} that you want to use. In that case, you can pass an
19134 @code{opaque-cups-configuration} as the configuration of a
19135 @code{cups-service-type}.
19137 Available @code{opaque-cups-configuration} fields are:
19139 @deftypevr {@code{opaque-cups-configuration} parameter} package cups
19143 @deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf
19144 The contents of the @code{cupsd.conf}, as a string.
19147 @deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf
19148 The contents of the @code{cups-files.conf} file, as a string.
19151 For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in
19152 strings of the same name, you could instantiate a CUPS service like
19156 (service cups-service-type
19157 (opaque-cups-configuration
19158 (cupsd.conf cupsd.conf)
19159 (cups-files.conf cups-files.conf)))
19163 @node Desktop Services
19164 @subsection Desktop Services
19166 The @code{(gnu services desktop)} module provides services that are
19167 usually useful in the context of a ``desktop'' setup---that is, on a
19168 machine running a graphical display server, possibly with graphical user
19169 interfaces, etc. It also defines services that provide specific desktop
19170 environments like GNOME, Xfce or MATE.
19172 To simplify things, the module defines a variable containing the set of
19173 services that users typically expect on a machine with a graphical
19174 environment and networking:
19176 @defvr {Scheme Variable} %desktop-services
19177 This is a list of services that builds upon @code{%base-services} and
19178 adds or adjusts services for a typical ``desktop'' setup.
19180 In particular, it adds a graphical login manager (@pxref{X Window,
19181 @code{gdm-service-type}}), screen lockers, a network management tool
19182 (@pxref{Networking Services, @code{network-manager-service-type}}) with modem
19183 support (@pxref{Networking Services, @code{modem-manager-service-type}}),
19184 energy and color management services, the @code{elogind} login and seat
19185 manager, the Polkit privilege service, the GeoClue location service, the
19186 AccountsService daemon that allows authorized users change system passwords,
19187 an NTP client (@pxref{Networking Services}), the Avahi daemon, and has the
19188 name service switch service configured to be able to use @code{nss-mdns}
19189 (@pxref{Name Service Switch, mDNS}).
19192 The @code{%desktop-services} variable can be used as the @code{services}
19193 field of an @code{operating-system} declaration (@pxref{operating-system
19194 Reference, @code{services}}).
19196 Additionally, the @code{gnome-desktop-service-type},
19197 @code{xfce-desktop-service}, @code{mate-desktop-service-type},
19198 @code{lxqt-desktop-service-type} and @code{enlightenment-desktop-service-type}
19199 procedures can add GNOME, Xfce, MATE and/or Enlightenment to a system. To
19200 ``add GNOME'' means that system-level services like the backlight adjustment
19201 helpers and the power management utilities are added to the system, extending
19202 @code{polkit} and @code{dbus} appropriately, allowing GNOME to operate with
19203 elevated privileges on a limited number of special-purpose system interfaces.
19204 Additionally, adding a service made by @code{gnome-desktop-service-type} adds
19205 the GNOME metapackage to the system profile. Likewise, adding the Xfce
19206 service not only adds the @code{xfce} metapackage to the system profile, but
19207 it also gives the Thunar file manager the ability to open a ``root-mode'' file
19208 management window, if the user authenticates using the administrator's
19209 password via the standard polkit graphical interface. To ``add MATE'' means
19210 that @code{polkit} and @code{dbus} are extended appropriately, allowing MATE
19211 to operate with elevated privileges on a limited number of special-purpose
19212 system interfaces. Additionally, adding a service of type
19213 @code{mate-desktop-service-type} adds the MATE metapackage to the system
19214 profile. ``Adding Enlightenment'' means that @code{dbus} is extended
19215 appropriately, and several of Enlightenment's binaries are set as setuid,
19216 allowing Enlightenment's screen locker and other functionality to work as
19219 The desktop environments in Guix use the Xorg display server by
19220 default. If you'd like to use the newer display server protocol
19221 called Wayland, you need to use the @code{sddm-service} instead of
19222 GDM as the graphical login manager. You should then
19223 select the ``GNOME (Wayland)'' session in SDDM@. Alternatively you can
19224 also try starting GNOME on Wayland manually from a TTY with the
19225 command ``XDG_SESSION_TYPE=wayland exec dbus-run-session
19226 gnome-session``. Currently only GNOME has support for Wayland.
19228 @defvr {Scheme Variable} gnome-desktop-service-type
19229 This is the type of the service that adds the @uref{https://www.gnome.org,
19230 GNOME} desktop environment. Its value is a @code{gnome-desktop-configuration}
19231 object (see below).
19233 This service adds the @code{gnome} package to the system profile, and extends
19234 polkit with the actions from @code{gnome-settings-daemon}.
19237 @deftp {Data Type} gnome-desktop-configuration
19238 Configuration record for the GNOME desktop environment.
19241 @item @code{gnome} (default: @code{gnome})
19242 The GNOME package to use.
19246 @defvr {Scheme Variable} xfce-desktop-service-type
19247 This is the type of a service to run the @uref{Xfce, https://xfce.org/}
19248 desktop environment. Its value is an @code{xfce-desktop-configuration} object
19251 This service adds the @code{xfce} package to the system profile, and
19252 extends polkit with the ability for @code{thunar} to manipulate the file
19253 system as root from within a user session, after the user has authenticated
19254 with the administrator's password.
19256 Note that @code{xfce4-panel} and its plugin packages should be installed in
19257 the same profile to ensure compatibility. When using this service, you should
19258 add extra plugins (@code{xfce4-whiskermenu-plugin},
19259 @code{xfce4-weather-plugin}, etc.) to the @code{packages} field of your
19260 @code{operating-system}.
19263 @deftp {Data Type} xfce-desktop-configuration
19264 Configuration record for the Xfce desktop environment.
19267 @item @code{xfce} (default: @code{xfce})
19268 The Xfce package to use.
19272 @deffn {Scheme Variable} mate-desktop-service-type
19273 This is the type of the service that runs the @uref{https://mate-desktop.org/,
19274 MATE desktop environment}. Its value is a @code{mate-desktop-configuration}
19275 object (see below).
19277 This service adds the @code{mate} package to the system
19278 profile, and extends polkit with the actions from
19279 @code{mate-settings-daemon}.
19282 @deftp {Data Type} mate-desktop-configuration
19283 Configuration record for the MATE desktop environment.
19286 @item @code{mate} (default: @code{mate})
19287 The MATE package to use.
19291 @deffn {Scheme Variable} lxqt-desktop-service-type
19292 This is the type of the service that runs the @uref{https://lxqt-project.org,
19293 LXQt desktop environment}. Its value is a @code{lxqt-desktop-configuration}
19294 object (see below).
19296 This service adds the @code{lxqt} package to the system
19300 @deftp {Data Type} lxqt-desktop-configuration
19301 Configuration record for the LXQt desktop environment.
19304 @item @code{lxqt} (default: @code{lxqt})
19305 The LXQT package to use.
19309 @deffn {Scheme Variable} enlightenment-desktop-service-type
19310 Return a service that adds the @code{enlightenment} package to the system
19311 profile, and extends dbus with actions from @code{efl}.
19314 @deftp {Data Type} enlightenment-desktop-service-configuration
19316 @item @code{enlightenment} (default: @code{enlightenment})
19317 The enlightenment package to use.
19321 Because the GNOME, Xfce and MATE desktop services pull in so many packages,
19322 the default @code{%desktop-services} variable doesn't include any of
19323 them by default. To add GNOME, Xfce or MATE, just @code{cons} them onto
19324 @code{%desktop-services} in the @code{services} field of your
19325 @code{operating-system}:
19328 (use-modules (gnu))
19329 (use-service-modules desktop)
19332 ;; cons* adds items to the list given as its last argument.
19333 (services (cons* (service gnome-desktop-service-type)
19334 (service xfce-desktop-service)
19335 %desktop-services))
19339 These desktop environments will then be available as options in the
19340 graphical login window.
19342 The actual service definitions included in @code{%desktop-services} and
19343 provided by @code{(gnu services dbus)} and @code{(gnu services desktop)}
19344 are described below.
19346 @deffn {Scheme Procedure} dbus-service [#:dbus @var{dbus}] [#:services '()]
19347 Return a service that runs the ``system bus'', using @var{dbus}, with
19348 support for @var{services}.
19350 @uref{https://dbus.freedesktop.org/, D-Bus} is an inter-process communication
19351 facility. Its system bus is used to allow system services to communicate
19352 and to be notified of system-wide events.
19354 @var{services} must be a list of packages that provide an
19355 @file{etc/dbus-1/system.d} directory containing additional D-Bus configuration
19356 and policy files. For example, to allow avahi-daemon to use the system bus,
19357 @var{services} must be equal to @code{(list avahi)}.
19360 @deffn {Scheme Procedure} elogind-service [#:config @var{config}]
19361 Return a service that runs the @code{elogind} login and
19362 seat management daemon. @uref{https://github.com/elogind/elogind,
19363 Elogind} exposes a D-Bus interface that can be used to know which users
19364 are logged in, know what kind of sessions they have open, suspend the
19365 system, inhibit system suspend, reboot the system, and other tasks.
19367 Elogind handles most system-level power events for a computer, for
19368 example suspending the system when a lid is closed, or shutting it down
19369 when the power button is pressed.
19371 The @var{config} keyword argument specifies the configuration for
19372 elogind, and should be the result of an @code{(elogind-configuration
19373 (@var{parameter} @var{value})...)} invocation. Available parameters and
19374 their default values are:
19377 @item kill-user-processes?
19379 @item kill-only-users
19381 @item kill-exclude-users
19383 @item inhibit-delay-max-seconds
19385 @item handle-power-key
19387 @item handle-suspend-key
19389 @item handle-hibernate-key
19391 @item handle-lid-switch
19393 @item handle-lid-switch-docked
19395 @item handle-lid-switch-external-power
19397 @item power-key-ignore-inhibited?
19399 @item suspend-key-ignore-inhibited?
19401 @item hibernate-key-ignore-inhibited?
19403 @item lid-switch-ignore-inhibited?
19405 @item holdoff-timeout-seconds
19409 @item idle-action-seconds
19411 @item runtime-directory-size-percent
19413 @item runtime-directory-size
19417 @item suspend-state
19418 @code{("mem" "standby" "freeze")}
19421 @item hibernate-state
19423 @item hibernate-mode
19424 @code{("platform" "shutdown")}
19425 @item hybrid-sleep-state
19427 @item hybrid-sleep-mode
19428 @code{("suspend" "platform" "shutdown")}
19432 @deffn {Scheme Procedure} accountsservice-service @
19433 [#:accountsservice @var{accountsservice}]
19434 Return a service that runs AccountsService, a system service that can
19435 list available accounts, change their passwords, and so on.
19436 AccountsService integrates with PolicyKit to enable unprivileged users
19437 to acquire the capability to modify their system configuration.
19438 @uref{https://www.freedesktop.org/wiki/Software/AccountsService/, the
19439 accountsservice web site} for more information.
19441 The @var{accountsservice} keyword argument is the @code{accountsservice}
19442 package to expose as a service.
19445 @deffn {Scheme Procedure} polkit-service @
19446 [#:polkit @var{polkit}]
19447 Return a service that runs the
19448 @uref{https://www.freedesktop.org/wiki/Software/polkit/, Polkit privilege
19449 management service}, which allows system administrators to grant access to
19450 privileged operations in a structured way. By querying the Polkit service, a
19451 privileged system component can know when it should grant additional
19452 capabilities to ordinary users. For example, an ordinary user can be granted
19453 the capability to suspend the system if the user is logged in locally.
19456 @defvr {Scheme Variable} polkit-wheel-service
19457 Service that adds the @code{wheel} group as admins to the Polkit
19458 service. This makes it so that users in the @code{wheel} group are queried
19459 for their own passwords when performing administrative actions instead of
19460 @code{root}'s, similar to the behaviour used by @code{sudo}.
19463 @defvr {Scheme Variable} upower-service-type
19464 Service that runs @uref{https://upower.freedesktop.org/, @command{upowerd}}, a
19465 system-wide monitor for power consumption and battery levels, with the given
19466 configuration settings.
19468 It implements the @code{org.freedesktop.UPower} D-Bus interface, and is
19469 notably used by GNOME.
19472 @deftp {Data Type} upower-configuration
19473 Data type representation the configuration for UPower.
19477 @item @code{upower} (default: @var{upower})
19478 Package to use for @code{upower}.
19480 @item @code{watts-up-pro?} (default: @code{#f})
19481 Enable the Watts Up Pro device.
19483 @item @code{poll-batteries?} (default: @code{#t})
19484 Enable polling the kernel for battery level changes.
19486 @item @code{ignore-lid?} (default: @code{#f})
19487 Ignore the lid state, this can be useful if it's incorrect on a device.
19489 @item @code{use-percentage-for-policy?} (default: @code{#f})
19490 Whether battery percentage based policy should be used. The default is to use
19491 the time left, change to @code{#t} to use the percentage.
19493 @item @code{percentage-low} (default: @code{10})
19494 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19495 at which the battery is considered low.
19497 @item @code{percentage-critical} (default: @code{3})
19498 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19499 at which the battery is considered critical.
19501 @item @code{percentage-action} (default: @code{2})
19502 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19503 at which action will be taken.
19505 @item @code{time-low} (default: @code{1200})
19506 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19507 seconds at which the battery is considered low.
19509 @item @code{time-critical} (default: @code{300})
19510 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19511 seconds at which the battery is considered critical.
19513 @item @code{time-action} (default: @code{120})
19514 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19515 seconds at which action will be taken.
19517 @item @code{critical-power-action} (default: @code{'hybrid-sleep})
19518 The action taken when @code{percentage-action} or @code{time-action} is
19519 reached (depending on the configuration of @code{use-percentage-for-policy?}).
19521 Possible values are:
19531 @code{'hybrid-sleep}.
19537 @deffn {Scheme Procedure} udisks-service [#:udisks @var{udisks}]
19538 Return a service for @uref{https://udisks.freedesktop.org/docs/latest/,
19539 UDisks}, a @dfn{disk management} daemon that provides user interfaces
19540 with notifications and ways to mount/unmount disks. Programs that talk
19541 to UDisks include the @command{udisksctl} command, part of UDisks, and
19542 GNOME Disks. Note that Udisks relies on the @command{mount} command, so
19543 it will only be able to use the file-system utilities installed in the
19544 system profile. For example if you want to be able to mount NTFS
19545 file-systems in read and write fashion, you'll need to have
19546 @code{ntfs-3g} installed system-wide.
19549 @deffn {Scheme Variable} colord-service-type
19550 This is the type of the service that runs @command{colord}, a system
19551 service with a D-Bus
19552 interface to manage the color profiles of input and output devices such as
19553 screens and scanners. It is notably used by the GNOME Color Manager graphical
19554 tool. See @uref{https://www.freedesktop.org/software/colord/, the colord web
19555 site} for more information.
19558 @cindex scanner access
19559 @defvr {Scheme Variable} sane-service-type
19560 This service provides access to scanners @i{via}
19561 @uref{http://www.sane-project.org, SANE} by installing the necessary
19562 udev rules. It is included in @code{%desktop-services} (@pxref{Desktop
19563 Services}) and relies by default on @code{sane-backends-minimal} package
19564 (see below) for hardware support.
19567 @defvr {Scheme Variable} sane-backends-minimal
19568 The default package which the @code{sane-service-type} installs. It
19569 supports many recent scanners.
19572 @defvr {Scheme Variable} sane-backends
19573 This package includes support for all scanners that
19574 @code{sane-backends-minimal} supports, plus older Hewlett-Packard
19575 scanners supported by @code{hplip} package. In order to use this on
19576 a system which relies on @code{%desktop-services}, you may use
19577 @code{modify-services} (@pxref{Service Reference,
19578 @code{modify-services}}) as illustrated below:
19581 (use-modules (gnu))
19582 (use-service-modules
19585 (use-package-modules
19589 (define %my-desktop-services
19590 ;; List of desktop services that supports a broader range of scanners.
19591 (modify-services %desktop-services
19592 (sane-service-type _ => sane-backends)))
19596 (services %my-desktop-services)
19600 @deffn {Scheme Procedure} geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()]
19601 Return a configuration allowing an application to access GeoClue
19602 location data. @var{name} is the Desktop ID of the application, without
19603 the @code{.desktop} part. If @var{allowed?} is true, the application
19604 will have access to location information by default. The boolean
19605 @var{system?} value indicates whether an application is a system component
19606 or not. Finally @var{users} is a list of UIDs of all users for which
19607 this application is allowed location info access. An empty users list
19608 means that all users are allowed.
19611 @defvr {Scheme Variable} %standard-geoclue-applications
19612 The standard list of well-known GeoClue application configurations,
19613 granting authority to the GNOME date-and-time utility to ask for the
19614 current location in order to set the time zone, and allowing the
19615 IceCat and Epiphany web browsers to request location information.
19616 IceCat and Epiphany both query the user before allowing a web page to
19617 know the user's location.
19620 @deffn {Scheme Procedure} geoclue-service [#:colord @var{colord}] @
19621 [#:whitelist '()] @
19622 [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] @
19623 [#:submit-data? #f]
19624 [#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"] @
19625 [#:submission-nick "geoclue"] @
19626 [#:applications %standard-geoclue-applications]
19627 Return a service that runs the GeoClue location service. This service
19628 provides a D-Bus interface to allow applications to request access to a
19629 user's physical location, and optionally to add information to online
19630 location databases. See
19631 @uref{https://wiki.freedesktop.org/www/Software/GeoClue/, the GeoClue
19632 web site} for more information.
19635 @deffn {Scheme Procedure} bluetooth-service [#:bluez @var{bluez}] @
19636 [@w{#:auto-enable? #f}]
19637 Return a service that runs the @command{bluetoothd} daemon, which
19638 manages all the Bluetooth devices and provides a number of D-Bus
19639 interfaces. When AUTO-ENABLE? is true, the bluetooth controller is
19640 powered automatically at boot, which can be useful when using a
19641 bluetooth keyboard or mouse.
19643 Users need to be in the @code{lp} group to access the D-Bus service.
19646 @defvr {Scheme Variable} gnome-keyring-service-type
19647 This is the type of the service that adds the
19648 @uref{https://wiki.gnome.org/Projects/GnomeKeyring, GNOME Keyring}. Its
19649 value is a @code{gnome-keyring-configuration} object (see below).
19651 This service adds the @code{gnome-keyring} package to the system profile
19652 and extends PAM with entries using @code{pam_gnome_keyring.so}, unlocking
19653 a user's login keyring when they log in or setting its password with passwd.
19656 @deftp {Data Type} gnome-keyring-configuration
19657 Configuration record for the GNOME Keyring service.
19660 @item @code{keyring} (default: @code{gnome-keyring})
19661 The GNOME keyring package to use.
19663 @item @code{pam-services}
19664 A list of @code{(@var{service} . @var{kind})} pairs denoting PAM
19665 services to extend, where @var{service} is the name of an existing
19666 service to extend and @var{kind} is one of @code{login} or
19669 If @code{login} is given, it adds an optional
19670 @code{pam_gnome_keyring.so} to the auth block without arguments and to
19671 the session block with @code{auto_start}. If @code{passwd} is given, it
19672 adds an optional @code{pam_gnome_keyring.so} to the password block
19675 By default, this field contains ``gdm-password'' with the value @code{login}
19676 and ``passwd'' is with the value @code{passwd}.
19681 @node Sound Services
19682 @subsection Sound Services
19684 @cindex sound support
19686 @cindex PulseAudio, sound support
19688 The @code{(gnu services sound)} module provides a service to configure the
19689 Advanced Linux Sound Architecture (ALSA) system, which makes PulseAudio the
19690 preferred ALSA output driver.
19692 @deffn {Scheme Variable} alsa-service-type
19693 This is the type for the @uref{https://alsa-project.org/, Advanced Linux Sound
19694 Architecture} (ALSA) system, which generates the @file{/etc/asound.conf}
19695 configuration file. The value for this type is a @command{alsa-configuration}
19696 record as in this example:
19699 (service alsa-service-type)
19702 See below for details about @code{alsa-configuration}.
19705 @deftp {Data Type} alsa-configuration
19706 Data type representing the configuration for @code{alsa-service}.
19709 @item @code{alsa-plugins} (default: @var{alsa-plugins})
19710 @code{alsa-plugins} package to use.
19712 @item @code{pulseaudio?} (default: @var{#t})
19713 Whether ALSA applications should transparently be made to use the
19714 @uref{https://www.pulseaudio.org/, PulseAudio} sound server.
19716 Using PulseAudio allows you to run several sound-producing applications
19717 at the same time and to individual control them @i{via}
19718 @command{pavucontrol}, among other things.
19720 @item @code{extra-options} (default: @var{""})
19721 String to append to the @file{/etc/asound.conf} file.
19726 Individual users who want to override the system configuration of ALSA can do
19727 it with the @file{~/.asoundrc} file:
19730 # In guix, we have to specify the absolute path for plugins.
19732 lib "/home/alice/.guix-profile/lib/alsa-lib/libasound_module_pcm_jack.so"
19735 # Routing ALSA to jack:
19736 # <http://jackaudio.org/faq/routing_alsa.html>.
19740 0 system:playback_1
19741 1 system:playback_2
19758 See @uref{https://www.alsa-project.org/main/index.php/Asoundrc} for the
19761 @deffn {Scheme Variable} pulseaudio-service-type
19762 This is the type for the @uref{https://www.pulseaudio.org/, PulseAudio}
19763 sound server. It exists to allow system overrides of the default settings
19764 via @code{pulseaudio-configuration}, see below.
19767 This service overrides per-user configuration files. If you want
19768 PulseAudio to honor configuration files in @file{~/.config/pulse} you
19769 have to unset the environment variables @env{PULSE_CONFIG} and
19770 @env{PULSE_CLIENTCONFIG} in your @file{~/.bash_profile}.
19774 This service on its own does not ensure, that the @code{pulseaudio} package
19775 exists on your machine. It merely adds configuration files for it, as
19776 detailed below. In the (admittedly unlikely) case, that you find yourself
19777 without a @code{pulseaudio} package, consider enabling it through the
19778 @code{alsa-service-type} above.
19782 @deftp {Data Type} pulseaudio-configuration
19783 Data type representing the configuration for @code{pulseaudio-service}.
19786 @item @code{client-conf} (default: @code{'()})
19787 List of settings to set in @file{client.conf}.
19788 Accepts a list of strings or a symbol-value pairs. A string will be
19789 inserted as-is with a newline added. A pair will be formatted as
19790 ``key = value'', again with a newline added.
19792 @item @code{daemon-conf} (default: @code{'((flat-volumes . no))})
19793 List of settings to set in @file{daemon.conf}, formatted just like
19796 @item @code{script-file} (default: @code{(file-append pulseaudio "/etc/pulse/default.pa")})
19797 Script file to use as @file{default.pa}.
19799 @item @code{system-script-file} (default: @code{(file-append pulseaudio "/etc/pulse/system.pa")})
19800 Script file to use as @file{system.pa}.
19804 @deffn {Scheme Variable} ladspa-service-type
19805 This service sets the @var{LADSPA_PATH} variable, so that programs, which
19806 respect it, e.g. PulseAudio, can load LADSPA plugins.
19808 The following example will setup the service to enable modules from the
19809 @code{swh-plugins} package:
19812 (service ladspa-service-type
19813 (ladspa-configuration (plugins (list swh-plugins))))
19816 See @uref{http://plugin.org.uk/ladspa-swh/docs/ladspa-swh.html} for the
19821 @node Database Services
19822 @subsection Database Services
19826 The @code{(gnu services databases)} module provides the following services.
19828 @subsubheading PostgreSQL
19830 The following example describes a PostgreSQL service with the default
19834 (service postgresql-service-type
19835 (postgresql-configuration
19836 (postgresql postgresql-10)))
19839 If the services fails to start, it may be due to an incompatible
19840 cluster already present in @var{data-directory}. Adjust it (or, if you
19841 don't need the cluster anymore, delete @var{data-directory}), then
19842 restart the service.
19844 Peer authentication is used by default and the @code{postgres} user
19845 account has no shell, which prevents the direct execution of @code{psql}
19846 commands as this user. To use @code{psql}, you can temporarily log in
19847 as @code{postgres} using a shell, create a PostgreSQL superuser with the
19848 same name as one of the system users and then create the associated
19852 sudo -u postgres -s /bin/sh
19853 createuser --interactive
19854 createdb $MY_USER_LOGIN # Replace appropriately.
19857 @deftp {Data Type} postgresql-configuration
19858 Data type representing the configuration for the
19859 @code{postgresql-service-type}.
19862 @item @code{postgresql}
19863 PostgreSQL package to use for the service.
19865 @item @code{port} (default: @code{5432})
19866 Port on which PostgreSQL should listen.
19868 @item @code{locale} (default: @code{"en_US.utf8"})
19869 Locale to use as the default when creating the database cluster.
19871 @item @code{config-file} (default: @code{(postgresql-config-file)})
19872 The configuration file to use when running PostgreSQL@. The default
19873 behaviour uses the postgresql-config-file record with the default values
19876 @item @code{log-directory} (default: @code{"/var/log/postgresql"})
19877 The directory where @command{pg_ctl} output will be written in a file
19878 named @code{"pg_ctl.log"}. This file can be useful to debug PostgreSQL
19879 configuration errors for instance.
19881 @item @code{data-directory} (default: @code{"/var/lib/postgresql/data"})
19882 Directory in which to store the data.
19884 @item @code{extension-packages} (default: @code{'()})
19885 @cindex postgresql extension-packages
19886 Additional extensions are loaded from packages listed in
19887 @var{extension-packages}. Extensions are available at runtime. For instance,
19888 to create a geographic database using the @code{postgis} extension, a user can
19889 configure the postgresql-service as in this example:
19893 (use-package-modules databases geo)
19897 ;; postgresql is required to run `psql' but postgis is not required for
19898 ;; proper operation.
19899 (packages (cons* postgresql %base-packages))
19902 (service postgresql-service-type
19903 (postgresql-configuration
19904 (postgresql postgresql-10)
19905 (extension-packages (list postgis))))
19909 Then the extension becomes visible and you can initialise an empty geographic
19910 database in this way:
19914 > create database postgistest;
19915 > \connect postgistest;
19916 > create extension postgis;
19917 > create extension postgis_topology;
19920 There is no need to add this field for contrib extensions such as hstore or
19921 dblink as they are already loadable by postgresql. This field is only
19922 required to add extensions provided by other packages.
19927 @deftp {Data Type} postgresql-config-file
19928 Data type representing the PostgreSQL configuration file. As shown in
19929 the following example, this can be used to customize the configuration
19930 of PostgreSQL@. Note that you can use any G-expression or filename in
19931 place of this record, if you already have a configuration file you'd
19932 like to use for example.
19935 (service postgresql-service-type
19936 (postgresql-configuration
19938 (postgresql-config-file
19939 (log-destination "stderr")
19941 (plain-file "pg_hba.conf"
19943 local all all trust
19944 host all all 127.0.0.1/32 md5
19945 host all all ::1/128 md5"))
19947 '(("session_preload_libraries" "auto_explain")
19948 ("random_page_cost" 2)
19949 ("auto_explain.log_min_duration" "100 ms")
19950 ("work_mem" "500 MB")
19951 ("logging_collector" #t)
19952 ("log_directory" "/var/log/postgresql")))))))
19956 @item @code{log-destination} (default: @code{"syslog"})
19957 The logging method to use for PostgreSQL@. Multiple values are accepted,
19958 separated by commas.
19960 @item @code{hba-file} (default: @code{%default-postgres-hba})
19961 Filename or G-expression for the host-based authentication
19964 @item @code{ident-file} (default: @code{%default-postgres-ident})
19965 Filename or G-expression for the user name mapping configuration.
19967 @item @code{socket-directory} (default: @code{#false})
19968 Specifies the directory of the Unix-domain socket(s) on which PostgreSQL
19969 is to listen for connections from client applications. If set to
19970 @code{""} PostgreSQL does not listen on any Unix-domain sockets, in
19971 which case only TCP/IP sockets can be used to connect to the server.
19973 By default, the @code{#false} value means the PostgreSQL default value
19974 will be used, which is currently @samp{/tmp}.
19976 @item @code{extra-config} (default: @code{'()})
19977 List of additional keys and values to include in the PostgreSQL config
19978 file. Each entry in the list should be a list where the first element
19979 is the key, and the remaining elements are the values.
19981 The values can be numbers, booleans or strings and will be mapped to
19982 PostgreSQL parameters types @code{Boolean}, @code{String},
19983 @code{Numeric}, @code{Numeric with Unit} and @code{Enumerated} described
19984 @uref{https://www.postgresql.org/docs/current/config-setting.html,
19990 @deffn {Scheme Variable} postgresql-role-service-type
19991 This service allows to create PostgreSQL roles and databases after
19992 PostgreSQL service start. Here is an example of its use.
19995 (service postgresql-role-service-type
19996 (postgresql-role-configuration
19998 (list (postgresql-role
20000 (create-database? #t))))))
20003 This service can be extended with extra roles, as in this
20007 (service-extension postgresql-role-service-type
20008 (const (postgresql-role
20010 (create-database? #t))))
20014 @deftp {Data Type} postgresql-role
20015 PostgreSQL manages database access permissions using the concept of
20016 roles. A role can be thought of as either a database user, or a group
20017 of database users, depending on how the role is set up. Roles can own
20018 database objects (for example, tables) and can assign privileges on
20019 those objects to other roles to control who has access to which objects.
20025 @item @code{permissions} (default: @code{'(createdb login)})
20026 The role permissions list. Supported permissions are @code{bypassrls},
20027 @code{createdb}, @code{createrole}, @code{login}, @code{replication} and
20030 @item @code{create-database?} (default: @code{#f})
20031 Whether to create a database with the same name as the role.
20036 @deftp {Data Type} postgresql-role-configuration
20037 Data type representing the configuration of
20038 @var{postgresql-role-service-type}.
20041 @item @code{host} (default: @code{"/var/run/postgresql"})
20042 The PostgreSQL host to connect to.
20044 @item @code{log} (default: @code{"/var/log/postgresql_roles.log"})
20045 File name of the log file.
20047 @item @code{roles} (default: @code{'()})
20048 The initial PostgreSQL roles to create.
20052 @subsubheading MariaDB/MySQL
20054 @defvr {Scheme Variable} mysql-service-type
20055 This is the service type for a MySQL or MariaDB database server. Its value
20056 is a @code{mysql-configuration} object that specifies which package to use,
20057 as well as various settings for the @command{mysqld} daemon.
20060 @deftp {Data Type} mysql-configuration
20061 Data type representing the configuration of @var{mysql-service-type}.
20064 @item @code{mysql} (default: @var{mariadb})
20065 Package object of the MySQL database server, can be either @var{mariadb}
20068 For MySQL, a temporary root password will be displayed at activation time.
20069 For MariaDB, the root password is empty.
20071 @item @code{bind-address} (default: @code{"127.0.0.1"})
20072 The IP on which to listen for network connections. Use @code{"0.0.0.0"}
20073 to bind to all available network interfaces.
20075 @item @code{port} (default: @code{3306})
20076 TCP port on which the database server listens for incoming connections.
20078 @item @code{socket} (default: @code{"/run/mysqld/mysqld.sock"})
20079 Socket file to use for local (non-network) connections.
20081 @item @code{extra-content} (default: @code{""})
20082 Additional settings for the @file{my.cnf} configuration file.
20084 @item @code{extra-environment} (default: @code{#~'()})
20085 List of environment variables passed to the @command{mysqld} process.
20087 @item @code{auto-upgrade?} (default: @code{#t})
20088 Whether to automatically run @command{mysql_upgrade} after starting the
20089 service. This is necessary to upgrade the @dfn{system schema} after
20090 ``major'' updates (such as switching from MariaDB 10.4 to 10.5), but can
20091 be disabled if you would rather do that manually.
20096 @subsubheading Memcached
20098 @defvr {Scheme Variable} memcached-service-type
20099 This is the service type for the @uref{https://memcached.org/,
20100 Memcached} service, which provides a distributed in memory cache. The
20101 value for the service type is a @code{memcached-configuration} object.
20105 (service memcached-service-type)
20108 @deftp {Data Type} memcached-configuration
20109 Data type representing the configuration of memcached.
20112 @item @code{memcached} (default: @code{memcached})
20113 The Memcached package to use.
20115 @item @code{interfaces} (default: @code{'("0.0.0.0")})
20116 Network interfaces on which to listen.
20118 @item @code{tcp-port} (default: @code{11211})
20119 Port on which to accept connections.
20121 @item @code{udp-port} (default: @code{11211})
20122 Port on which to accept UDP connections on, a value of 0 will disable
20123 listening on a UDP socket.
20125 @item @code{additional-options} (default: @code{'()})
20126 Additional command line options to pass to @code{memcached}.
20130 @subsubheading Redis
20132 @defvr {Scheme Variable} redis-service-type
20133 This is the service type for the @uref{https://redis.io/, Redis}
20134 key/value store, whose value is a @code{redis-configuration} object.
20137 @deftp {Data Type} redis-configuration
20138 Data type representing the configuration of redis.
20141 @item @code{redis} (default: @code{redis})
20142 The Redis package to use.
20144 @item @code{bind} (default: @code{"127.0.0.1"})
20145 Network interface on which to listen.
20147 @item @code{port} (default: @code{6379})
20148 Port on which to accept connections on, a value of 0 will disable
20149 listening on a TCP socket.
20151 @item @code{working-directory} (default: @code{"/var/lib/redis"})
20152 Directory in which to store the database and related files.
20156 @node Mail Services
20157 @subsection Mail Services
20161 The @code{(gnu services mail)} module provides Guix service definitions
20162 for email services: IMAP, POP3, and LMTP servers, as well as mail
20163 transport agents (MTAs). Lots of acronyms! These services are detailed
20164 in the subsections below.
20166 @subsubheading Dovecot Service
20168 @deffn {Scheme Procedure} dovecot-service [#:config (dovecot-configuration)]
20169 Return a service that runs the Dovecot IMAP/POP3/LMTP mail server.
20172 By default, Dovecot does not need much configuration; the default
20173 configuration object created by @code{(dovecot-configuration)} will
20174 suffice if your mail is delivered to @code{~/Maildir}. A self-signed
20175 certificate will be generated for TLS-protected connections, though
20176 Dovecot will also listen on cleartext ports by default. There are a
20177 number of options, though, which mail administrators might need to change,
20178 and as is the case with other services, Guix allows the system
20179 administrator to specify these parameters via a uniform Scheme interface.
20181 For example, to specify that mail is located at @code{maildir~/.mail},
20182 one would instantiate the Dovecot service like this:
20185 (dovecot-service #:config
20186 (dovecot-configuration
20187 (mail-location "maildir:~/.mail")))
20190 The available configuration parameters follow. Each parameter
20191 definition is preceded by its type; for example, @samp{string-list foo}
20192 indicates that the @code{foo} parameter should be specified as a list of
20193 strings. There is also a way to specify the configuration as a string,
20194 if you have an old @code{dovecot.conf} file that you want to port over
20195 from some other system; see the end for more details.
20197 @c The following documentation was initially generated by
20198 @c (generate-documentation) in (gnu services mail). Manually maintained
20199 @c documentation is better, so we shouldn't hesitate to edit below as
20200 @c needed. However if the change you want to make to this documentation
20201 @c can be done in an automated way, it's probably easier to change
20202 @c (generate-documentation) than to make it below and have to deal with
20203 @c the churn as dovecot updates.
20205 Available @code{dovecot-configuration} fields are:
20207 @deftypevr {@code{dovecot-configuration} parameter} package dovecot
20208 The dovecot package.
20211 @deftypevr {@code{dovecot-configuration} parameter} comma-separated-string-list listen
20212 A list of IPs or hosts where to listen for connections. @samp{*}
20213 listens on all IPv4 interfaces, @samp{::} listens on all IPv6
20214 interfaces. If you want to specify non-default ports or anything more
20215 complex, customize the address and port fields of the
20216 @samp{inet-listener} of the specific services you are interested in.
20219 @deftypevr {@code{dovecot-configuration} parameter} protocol-configuration-list protocols
20220 List of protocols we want to serve. Available protocols include
20221 @samp{imap}, @samp{pop3}, and @samp{lmtp}.
20223 Available @code{protocol-configuration} fields are:
20225 @deftypevr {@code{protocol-configuration} parameter} string name
20226 The name of the protocol.
20229 @deftypevr {@code{protocol-configuration} parameter} string auth-socket-path
20230 UNIX socket path to the master authentication server to find users.
20231 This is used by imap (for shared users) and lda.
20232 It defaults to @samp{"/var/run/dovecot/auth-userdb"}.
20235 @deftypevr {@code{protocol-configuration} parameter} boolean imap-metadata?
20236 Whether to enable the @code{IMAP METADATA} extension as defined in
20237 @uref{https://tools.ietf.org/html/rfc5464,RFC@tie{}5464}, which provides
20238 a means for clients to set and retrieve per-mailbox, per-user metadata
20239 and annotations over IMAP.
20241 If this is @samp{#t}, you must also specify a dictionary @i{via} the
20242 @code{mail-attribute-dict} setting.
20244 Defaults to @samp{#f}.
20248 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list managesieve-notify-capabilities
20249 Which NOTIFY capabilities to report to clients that first connect to
20250 the ManageSieve service, before authentication. These may differ from the
20251 capabilities offered to authenticated users. If this field is left empty,
20252 report what the Sieve interpreter supports by default.
20254 Defaults to @samp{()}.
20257 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list managesieve-sieve-capability
20258 Which SIEVE capabilities to report to clients that first connect to
20259 the ManageSieve service, before authentication. These may differ from the
20260 capabilities offered to authenticated users. If this field is left empty,
20261 report what the Sieve interpreter supports by default.
20263 Defaults to @samp{()}.
20267 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list mail-plugins
20268 Space separated list of plugins to load.
20271 @deftypevr {@code{protocol-configuration} parameter} non-negative-integer mail-max-userip-connections
20272 Maximum number of IMAP connections allowed for a user from each IP
20273 address. NOTE: The username is compared case-sensitively.
20274 Defaults to @samp{10}.
20279 @deftypevr {@code{dovecot-configuration} parameter} service-configuration-list services
20280 List of services to enable. Available services include @samp{imap},
20281 @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and
20284 Available @code{service-configuration} fields are:
20286 @deftypevr {@code{service-configuration} parameter} string kind
20287 The service kind. Valid values include @code{director},
20288 @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap},
20289 @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict},
20290 @code{tcpwrap}, @code{quota-warning}, or anything else.
20293 @deftypevr {@code{service-configuration} parameter} listener-configuration-list listeners
20294 Listeners for the service. A listener is either a
20295 @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or
20296 an @code{inet-listener-configuration}.
20297 Defaults to @samp{()}.
20299 Available @code{unix-listener-configuration} fields are:
20301 @deftypevr {@code{unix-listener-configuration} parameter} string path
20302 Path to the file, relative to @code{base-dir} field. This is also used as
20306 @deftypevr {@code{unix-listener-configuration} parameter} string mode
20307 The access mode for the socket.
20308 Defaults to @samp{"0600"}.
20311 @deftypevr {@code{unix-listener-configuration} parameter} string user
20312 The user to own the socket.
20313 Defaults to @samp{""}.
20316 @deftypevr {@code{unix-listener-configuration} parameter} string group
20317 The group to own the socket.
20318 Defaults to @samp{""}.
20322 Available @code{fifo-listener-configuration} fields are:
20324 @deftypevr {@code{fifo-listener-configuration} parameter} string path
20325 Path to the file, relative to @code{base-dir} field. This is also used as
20329 @deftypevr {@code{fifo-listener-configuration} parameter} string mode
20330 The access mode for the socket.
20331 Defaults to @samp{"0600"}.
20334 @deftypevr {@code{fifo-listener-configuration} parameter} string user
20335 The user to own the socket.
20336 Defaults to @samp{""}.
20339 @deftypevr {@code{fifo-listener-configuration} parameter} string group
20340 The group to own the socket.
20341 Defaults to @samp{""}.
20345 Available @code{inet-listener-configuration} fields are:
20347 @deftypevr {@code{inet-listener-configuration} parameter} string protocol
20348 The protocol to listen for.
20351 @deftypevr {@code{inet-listener-configuration} parameter} string address
20352 The address on which to listen, or empty for all addresses.
20353 Defaults to @samp{""}.
20356 @deftypevr {@code{inet-listener-configuration} parameter} non-negative-integer port
20357 The port on which to listen.
20360 @deftypevr {@code{inet-listener-configuration} parameter} boolean ssl?
20361 Whether to use SSL for this service; @samp{yes}, @samp{no}, or
20363 Defaults to @samp{#t}.
20368 @deftypevr {@code{service-configuration} parameter} non-negative-integer client-limit
20369 Maximum number of simultaneous client connections per process. Once
20370 this number of connections is received, the next incoming connection
20371 will prompt Dovecot to spawn another process. If set to 0,
20372 @code{default-client-limit} is used instead.
20374 Defaults to @samp{0}.
20378 @deftypevr {@code{service-configuration} parameter} non-negative-integer service-count
20379 Number of connections to handle before starting a new process.
20380 Typically the only useful values are 0 (unlimited) or 1. 1 is more
20381 secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.
20382 Defaults to @samp{1}.
20386 @deftypevr {@code{service-configuration} parameter} non-negative-integer process-limit
20387 Maximum number of processes that can exist for this service. If set to
20388 0, @code{default-process-limit} is used instead.
20390 Defaults to @samp{0}.
20394 @deftypevr {@code{service-configuration} parameter} non-negative-integer process-min-avail
20395 Number of processes to always keep waiting for more connections.
20396 Defaults to @samp{0}.
20399 @deftypevr {@code{service-configuration} parameter} non-negative-integer vsz-limit
20400 If you set @samp{service-count 0}, you probably need to grow
20402 Defaults to @samp{256000000}.
20407 @deftypevr {@code{dovecot-configuration} parameter} dict-configuration dict
20408 Dict configuration, as created by the @code{dict-configuration}
20411 Available @code{dict-configuration} fields are:
20413 @deftypevr {@code{dict-configuration} parameter} free-form-fields entries
20414 A list of key-value pairs that this dict should hold.
20415 Defaults to @samp{()}.
20420 @deftypevr {@code{dovecot-configuration} parameter} passdb-configuration-list passdbs
20421 A list of passdb configurations, each one created by the
20422 @code{passdb-configuration} constructor.
20424 Available @code{passdb-configuration} fields are:
20426 @deftypevr {@code{passdb-configuration} parameter} string driver
20427 The driver that the passdb should use. Valid values include
20428 @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and
20430 Defaults to @samp{"pam"}.
20433 @deftypevr {@code{passdb-configuration} parameter} space-separated-string-list args
20434 Space separated list of arguments to the passdb driver.
20435 Defaults to @samp{""}.
20440 @deftypevr {@code{dovecot-configuration} parameter} userdb-configuration-list userdbs
20441 List of userdb configurations, each one created by the
20442 @code{userdb-configuration} constructor.
20444 Available @code{userdb-configuration} fields are:
20446 @deftypevr {@code{userdb-configuration} parameter} string driver
20447 The driver that the userdb should use. Valid values include
20448 @samp{passwd} and @samp{static}.
20449 Defaults to @samp{"passwd"}.
20452 @deftypevr {@code{userdb-configuration} parameter} space-separated-string-list args
20453 Space separated list of arguments to the userdb driver.
20454 Defaults to @samp{""}.
20457 @deftypevr {@code{userdb-configuration} parameter} free-form-args override-fields
20458 Override fields from passwd.
20459 Defaults to @samp{()}.
20464 @deftypevr {@code{dovecot-configuration} parameter} plugin-configuration plugin-configuration
20465 Plug-in configuration, created by the @code{plugin-configuration}
20469 @deftypevr {@code{dovecot-configuration} parameter} list-of-namespace-configuration namespaces
20470 List of namespaces. Each item in the list is created by the
20471 @code{namespace-configuration} constructor.
20473 Available @code{namespace-configuration} fields are:
20475 @deftypevr {@code{namespace-configuration} parameter} string name
20476 Name for this namespace.
20479 @deftypevr {@code{namespace-configuration} parameter} string type
20480 Namespace type: @samp{private}, @samp{shared} or @samp{public}.
20481 Defaults to @samp{"private"}.
20484 @deftypevr {@code{namespace-configuration} parameter} string separator
20485 Hierarchy separator to use. You should use the same separator for
20486 all namespaces or some clients get confused. @samp{/} is usually a good
20487 one. The default however depends on the underlying mail storage
20489 Defaults to @samp{""}.
20492 @deftypevr {@code{namespace-configuration} parameter} string prefix
20493 Prefix required to access this namespace. This needs to be
20494 different for all namespaces. For example @samp{Public/}.
20495 Defaults to @samp{""}.
20498 @deftypevr {@code{namespace-configuration} parameter} string location
20499 Physical location of the mailbox. This is in the same format as
20500 mail_location, which is also the default for it.
20501 Defaults to @samp{""}.
20504 @deftypevr {@code{namespace-configuration} parameter} boolean inbox?
20505 There can be only one INBOX, and this setting defines which
20507 Defaults to @samp{#f}.
20510 @deftypevr {@code{namespace-configuration} parameter} boolean hidden?
20511 If namespace is hidden, it's not advertised to clients via NAMESPACE
20512 extension. You'll most likely also want to set @samp{list? #f}. This is mostly
20513 useful when converting from another server with different namespaces
20514 which you want to deprecate but still keep working. For example you can
20515 create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/}
20517 Defaults to @samp{#f}.
20520 @deftypevr {@code{namespace-configuration} parameter} boolean list?
20521 Show the mailboxes under this namespace with the LIST command. This
20522 makes the namespace visible for clients that do not support the NAMESPACE
20523 extension. The special @code{children} value lists child mailboxes, but
20524 hides the namespace prefix.
20525 Defaults to @samp{#t}.
20528 @deftypevr {@code{namespace-configuration} parameter} boolean subscriptions?
20529 Namespace handles its own subscriptions. If set to @code{#f}, the
20530 parent namespace handles them. The empty prefix should always have this
20532 Defaults to @samp{#t}.
20535 @deftypevr {@code{namespace-configuration} parameter} mailbox-configuration-list mailboxes
20536 List of predefined mailboxes in this namespace.
20537 Defaults to @samp{()}.
20539 Available @code{mailbox-configuration} fields are:
20541 @deftypevr {@code{mailbox-configuration} parameter} string name
20542 Name for this mailbox.
20545 @deftypevr {@code{mailbox-configuration} parameter} string auto
20546 @samp{create} will automatically create this mailbox.
20547 @samp{subscribe} will both create and subscribe to the mailbox.
20548 Defaults to @samp{"no"}.
20551 @deftypevr {@code{mailbox-configuration} parameter} space-separated-string-list special-use
20552 List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154.
20553 Valid values are @code{\All}, @code{\Archive}, @code{\Drafts},
20554 @code{\Flagged}, @code{\Junk}, @code{\Sent}, and @code{\Trash}.
20555 Defaults to @samp{()}.
20562 @deftypevr {@code{dovecot-configuration} parameter} file-name base-dir
20563 Base directory where to store runtime data.
20564 Defaults to @samp{"/var/run/dovecot/"}.
20567 @deftypevr {@code{dovecot-configuration} parameter} string login-greeting
20568 Greeting message for clients.
20569 Defaults to @samp{"Dovecot ready."}.
20572 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-trusted-networks
20573 List of trusted network ranges. Connections from these IPs are
20574 allowed to override their IP addresses and ports (for logging and for
20575 authentication checks). @samp{disable-plaintext-auth} is also ignored
20576 for these networks. Typically you would specify your IMAP proxy servers
20578 Defaults to @samp{()}.
20581 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-access-sockets
20582 List of login access check sockets (e.g.@: tcpwrap).
20583 Defaults to @samp{()}.
20586 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-proctitle?
20587 Show more verbose process titles (in ps). Currently shows user name
20588 and IP address. Useful for seeing who is actually using the IMAP
20589 processes (e.g.@: shared mailboxes or if the same uid is used for multiple
20591 Defaults to @samp{#f}.
20594 @deftypevr {@code{dovecot-configuration} parameter} boolean shutdown-clients?
20595 Should all processes be killed when Dovecot master process shuts down.
20596 Setting this to @code{#f} means that Dovecot can be upgraded without
20597 forcing existing client connections to close (although that could also
20598 be a problem if the upgrade is e.g.@: due to a security fix).
20599 Defaults to @samp{#t}.
20602 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer doveadm-worker-count
20603 If non-zero, run mail commands via this many connections to doveadm
20604 server, instead of running them directly in the same process.
20605 Defaults to @samp{0}.
20608 @deftypevr {@code{dovecot-configuration} parameter} string doveadm-socket-path
20609 UNIX socket or host:port used for connecting to doveadm server.
20610 Defaults to @samp{"doveadm-server"}.
20613 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list import-environment
20614 List of environment variables that are preserved on Dovecot startup
20615 and passed down to all of its child processes. You can also give
20616 key=value pairs to always set specific settings.
20619 @deftypevr {@code{dovecot-configuration} parameter} boolean disable-plaintext-auth?
20620 Disable LOGIN command and all other plaintext authentications unless
20621 SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
20622 matches the local IP (i.e.@: you're connecting from the same computer),
20623 the connection is considered secure and plaintext authentication is
20624 allowed. See also ssl=required setting.
20625 Defaults to @samp{#t}.
20628 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-cache-size
20629 Authentication cache size (e.g.@: @samp{#e10e6}). 0 means it's disabled.
20630 Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set
20631 for caching to be used.
20632 Defaults to @samp{0}.
20635 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-ttl
20636 Time to live for cached data. After TTL expires the cached record
20637 is no longer used, *except* if the main database lookup returns internal
20638 failure. We also try to handle password changes automatically: If
20639 user's previous authentication was successful, but this one wasn't, the
20640 cache isn't used. For now this works only with plaintext
20642 Defaults to @samp{"1 hour"}.
20645 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-negative-ttl
20646 TTL for negative hits (user not found, password mismatch).
20647 0 disables caching them completely.
20648 Defaults to @samp{"1 hour"}.
20651 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-realms
20652 List of realms for SASL authentication mechanisms that need them.
20653 You can leave it empty if you don't want to support multiple realms.
20654 Many clients simply use the first one listed here, so keep the default
20656 Defaults to @samp{()}.
20659 @deftypevr {@code{dovecot-configuration} parameter} string auth-default-realm
20660 Default realm/domain to use if none was specified. This is used for
20661 both SASL realms and appending @@domain to username in plaintext
20663 Defaults to @samp{""}.
20666 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-chars
20667 List of allowed characters in username. If the user-given username
20668 contains a character not listed in here, the login automatically fails.
20669 This is just an extra check to make sure user can't exploit any
20670 potential quote escaping vulnerabilities with SQL/LDAP databases. If
20671 you want to allow all characters, set this value to empty.
20672 Defaults to @samp{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@@"}.
20675 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-translation
20676 Username character translations before it's looked up from
20677 databases. The value contains series of from -> to characters. For
20678 example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are
20679 translated to @samp{@@}.
20680 Defaults to @samp{""}.
20683 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-format
20684 Username formatting before it's looked up from databases. You can
20685 use the standard variables here, e.g.@: %Lu would lowercase the username,
20686 %n would drop away the domain if it was given, or @samp{%n-AT-%d} would
20687 change the @samp{@@} into @samp{-AT-}. This translation is done after
20688 @samp{auth-username-translation} changes.
20689 Defaults to @samp{"%Lu"}.
20692 @deftypevr {@code{dovecot-configuration} parameter} string auth-master-user-separator
20693 If you want to allow master users to log in by specifying the master
20694 username within the normal username string (i.e.@: not using SASL
20695 mechanism's support for it), you can specify the separator character
20696 here. The format is then <username><separator><master username>.
20697 UW-IMAP uses @samp{*} as the separator, so that could be a good
20699 Defaults to @samp{""}.
20702 @deftypevr {@code{dovecot-configuration} parameter} string auth-anonymous-username
20703 Username to use for users logging in with ANONYMOUS SASL
20705 Defaults to @samp{"anonymous"}.
20708 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-worker-max-count
20709 Maximum number of dovecot-auth worker processes. They're used to
20710 execute blocking passdb and userdb queries (e.g.@: MySQL and PAM).
20711 They're automatically created and destroyed as needed.
20712 Defaults to @samp{30}.
20715 @deftypevr {@code{dovecot-configuration} parameter} string auth-gssapi-hostname
20716 Host name to use in GSSAPI principal names. The default is to use
20717 the name returned by gethostname(). Use @samp{$ALL} (with quotes) to
20718 allow all keytab entries.
20719 Defaults to @samp{""}.
20722 @deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab
20723 Kerberos keytab to use for the GSSAPI mechanism. Will use the
20724 system default (usually @file{/etc/krb5.keytab}) if not specified. You may
20725 need to change the auth service to run as root to be able to read this
20727 Defaults to @samp{""}.
20730 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-use-winbind?
20731 Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon
20732 and @samp{ntlm-auth} helper.
20733 <doc/wiki/Authentication/Mechanisms/Winbind.txt>.
20734 Defaults to @samp{#f}.
20737 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-winbind-helper-path
20738 Path for Samba's @samp{ntlm-auth} helper binary.
20739 Defaults to @samp{"/usr/bin/ntlm_auth"}.
20742 @deftypevr {@code{dovecot-configuration} parameter} string auth-failure-delay
20743 Time to delay before replying to failed authentications.
20744 Defaults to @samp{"2 secs"}.
20747 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
20748 Require a valid SSL client certificate or the authentication
20750 Defaults to @samp{#f}.
20753 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-username-from-cert?
20754 Take the username from client's SSL certificate, using
20755 @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's
20757 Defaults to @samp{#f}.
20760 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-mechanisms
20761 List of wanted authentication mechanisms. Supported mechanisms are:
20762 @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5},
20763 @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi},
20764 @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also
20765 @samp{disable-plaintext-auth} setting.
20768 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-servers
20769 List of IPs or hostnames to all director servers, including ourself.
20770 Ports can be specified as ip:port. The default port is the same as what
20771 director service's @samp{inet-listener} is using.
20772 Defaults to @samp{()}.
20775 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-mail-servers
20776 List of IPs or hostnames to all backend mail servers. Ranges are
20777 allowed too, like 10.0.0.10-10.0.0.30.
20778 Defaults to @samp{()}.
20781 @deftypevr {@code{dovecot-configuration} parameter} string director-user-expire
20782 How long to redirect users to a specific server after it no longer
20783 has any connections.
20784 Defaults to @samp{"15 min"}.
20787 @deftypevr {@code{dovecot-configuration} parameter} string director-username-hash
20788 How the username is translated before being hashed. Useful values
20789 include %Ln if user can log in with or without @@domain, %Ld if mailboxes
20790 are shared within domain.
20791 Defaults to @samp{"%Lu"}.
20794 @deftypevr {@code{dovecot-configuration} parameter} string log-path
20795 Log file to use for error messages. @samp{syslog} logs to syslog,
20796 @samp{/dev/stderr} logs to stderr.
20797 Defaults to @samp{"syslog"}.
20800 @deftypevr {@code{dovecot-configuration} parameter} string info-log-path
20801 Log file to use for informational messages. Defaults to
20803 Defaults to @samp{""}.
20806 @deftypevr {@code{dovecot-configuration} parameter} string debug-log-path
20807 Log file to use for debug messages. Defaults to
20808 @samp{info-log-path}.
20809 Defaults to @samp{""}.
20812 @deftypevr {@code{dovecot-configuration} parameter} string syslog-facility
20813 Syslog facility to use if you're logging to syslog. Usually if you
20814 don't want to use @samp{mail}, you'll use local0..local7. Also other
20815 standard facilities are supported.
20816 Defaults to @samp{"mail"}.
20819 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose?
20820 Log unsuccessful authentication attempts and the reasons why they
20822 Defaults to @samp{#f}.
20825 @deftypevr {@code{dovecot-configuration} parameter} string auth-verbose-passwords
20826 In case of password mismatches, log the attempted password. Valid
20827 values are no, plain and sha1. sha1 can be useful for detecting brute
20828 force password attempts vs. user simply trying the same password over
20829 and over again. You can also truncate the value to n chars by appending
20830 ":n" (e.g.@: sha1:6).
20831 Defaults to @samp{"no"}.
20834 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug?
20835 Even more verbose logging for debugging purposes. Shows for example
20837 Defaults to @samp{#f}.
20840 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug-passwords?
20841 In case of password mismatches, log the passwords and used scheme so
20842 the problem can be debugged. Enabling this also enables
20844 Defaults to @samp{#f}.
20847 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-debug?
20848 Enable mail process debugging. This can help you figure out why
20849 Dovecot isn't finding your mails.
20850 Defaults to @samp{#f}.
20853 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-ssl?
20854 Show protocol level SSL errors.
20855 Defaults to @samp{#f}.
20858 @deftypevr {@code{dovecot-configuration} parameter} string log-timestamp
20859 Prefix for each line written to log file. % codes are in
20860 strftime(3) format.
20861 Defaults to @samp{"\"%b %d %H:%M:%S \""}.
20864 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-log-format-elements
20865 List of elements we want to log. The elements which have a
20866 non-empty variable value are joined together to form a comma-separated
20870 @deftypevr {@code{dovecot-configuration} parameter} string login-log-format
20871 Login log format. %s contains @samp{login-log-format-elements}
20872 string, %$ contains the data we want to log.
20873 Defaults to @samp{"%$: %s"}.
20876 @deftypevr {@code{dovecot-configuration} parameter} string mail-log-prefix
20877 Log prefix for mail processes. See doc/wiki/Variables.txt for list
20878 of possible variables you can use.
20879 Defaults to @samp{"\"%s(%u)<%@{pid@}><%@{session@}>: \""}.
20882 @deftypevr {@code{dovecot-configuration} parameter} string deliver-log-format
20883 Format to use for logging mail deliveries. You can use variables:
20886 Delivery status message (e.g.@: @samp{saved to INBOX})
20898 Defaults to @samp{"msgid=%m: %$"}.
20901 @deftypevr {@code{dovecot-configuration} parameter} string mail-location
20902 Location for users' mailboxes. The default is empty, which means
20903 that Dovecot tries to find the mailboxes automatically. This won't work
20904 if the user doesn't yet have any mail, so you should explicitly tell
20905 Dovecot the full location.
20907 If you're using mbox, giving a path to the INBOX
20908 file (e.g.@: @file{/var/mail/%u}) isn't enough. You'll also need to tell Dovecot
20909 where the other mailboxes are kept. This is called the @emph{root mail
20910 directory}, and it must be the first path given in the
20911 @samp{mail-location} setting.
20913 There are a few special variables you can use, e.g.:
20919 user part in user@@domain, same as %u if there's no domain
20921 domain part in user@@domain, empty if there's no domain
20926 See doc/wiki/Variables.txt for full list. Some examples:
20928 @item maildir:~/Maildir
20929 @item mbox:~/mail:INBOX=/var/mail/%u
20930 @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%
20932 Defaults to @samp{""}.
20935 @deftypevr {@code{dovecot-configuration} parameter} string mail-uid
20936 System user and group used to access mails. If you use multiple,
20937 userdb can override these by returning uid or gid fields. You can use
20938 either numbers or names. <doc/wiki/UserIds.txt>.
20939 Defaults to @samp{""}.
20942 @deftypevr {@code{dovecot-configuration} parameter} string mail-gid
20944 Defaults to @samp{""}.
20947 @deftypevr {@code{dovecot-configuration} parameter} string mail-privileged-group
20948 Group to enable temporarily for privileged operations. Currently
20949 this is used only with INBOX when either its initial creation or
20950 dotlocking fails. Typically this is set to @samp{"mail"} to give access to
20952 Defaults to @samp{""}.
20955 @deftypevr {@code{dovecot-configuration} parameter} string mail-access-groups
20956 Grant access to these supplementary groups for mail processes.
20957 Typically these are used to set up access to shared mailboxes. Note
20958 that it may be dangerous to set these if users can create symlinks
20959 (e.g.@: if @samp{mail} group is set here, @code{ln -s /var/mail ~/mail/var}
20960 could allow a user to delete others' mailboxes, or @code{ln -s
20961 /secret/shared/box ~/mail/mybox} would allow reading it). Defaults to
20965 @deftypevr {@code{dovecot-configuration} parameter} string mail-attribute-dict
20966 The location of a dictionary used to store @code{IMAP METADATA}
20967 as defined by @uref{https://tools.ietf.org/html/rfc5464, RFC@tie{}5464}.
20969 The IMAP METADATA commands are available only if the ``imap''
20970 protocol configuration's @code{imap-metadata?} field is @samp{#t}.
20972 Defaults to @samp{""}.
20976 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-full-filesystem-access?
20977 Allow full file system access to clients. There's no access checks
20978 other than what the operating system does for the active UID/GID@. It
20979 works with both maildir and mboxes, allowing you to prefix mailboxes
20980 names with e.g.@: @file{/path/} or @file{~user/}.
20981 Defaults to @samp{#f}.
20984 @deftypevr {@code{dovecot-configuration} parameter} boolean mmap-disable?
20985 Don't use @code{mmap()} at all. This is required if you store indexes to
20986 shared file systems (NFS or clustered file system).
20987 Defaults to @samp{#f}.
20990 @deftypevr {@code{dovecot-configuration} parameter} boolean dotlock-use-excl?
20991 Rely on @samp{O_EXCL} to work when creating dotlock files. NFS
20992 supports @samp{O_EXCL} since version 3, so this should be safe to use
20993 nowadays by default.
20994 Defaults to @samp{#t}.
20997 @deftypevr {@code{dovecot-configuration} parameter} string mail-fsync
20998 When to use fsync() or fdatasync() calls:
21001 Whenever necessary to avoid losing important data
21003 Useful with e.g.@: NFS when @code{write()}s are delayed
21005 Never use it (best performance, but crashes can lose data).
21007 Defaults to @samp{"optimized"}.
21010 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-storage?
21011 Mail storage exists in NFS@. Set this to yes to make Dovecot flush
21012 NFS caches whenever needed. If you're using only a single mail server
21014 Defaults to @samp{#f}.
21017 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-index?
21018 Mail index files also exist in NFS@. Setting this to yes requires
21019 @samp{mmap-disable? #t} and @samp{fsync-disable? #f}.
21020 Defaults to @samp{#f}.
21023 @deftypevr {@code{dovecot-configuration} parameter} string lock-method
21024 Locking method for index files. Alternatives are fcntl, flock and
21025 dotlock. Dotlocking uses some tricks which may create more disk I/O
21026 than other locking methods. NFS users: flock doesn't work, remember to
21027 change @samp{mmap-disable}.
21028 Defaults to @samp{"fcntl"}.
21031 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-temp-dir
21032 Directory in which LDA/LMTP temporarily stores incoming mails >128
21034 Defaults to @samp{"/tmp"}.
21037 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-uid
21038 Valid UID range for users. This is mostly to make sure that users can't
21039 log in as daemons or other system users. Note that denying root logins is
21040 hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid}
21042 Defaults to @samp{500}.
21045 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-uid
21047 Defaults to @samp{0}.
21050 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-gid
21051 Valid GID range for users. Users having non-valid GID as primary group ID
21052 aren't allowed to log in. If user belongs to supplementary groups with
21053 non-valid GIDs, those groups are not set.
21054 Defaults to @samp{1}.
21057 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-gid
21059 Defaults to @samp{0}.
21062 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-max-keyword-length
21063 Maximum allowed length for mail keyword name. It's only forced when
21064 trying to create new keywords.
21065 Defaults to @samp{50}.
21068 @deftypevr {@code{dovecot-configuration} parameter} colon-separated-file-name-list valid-chroot-dirs
21069 List of directories under which chrooting is allowed for mail
21070 processes (i.e.@: @file{/var/mail} will allow chrooting to @file{/var/mail/foo/bar}
21071 too). This setting doesn't affect @samp{login-chroot}
21072 @samp{mail-chroot} or auth chroot settings. If this setting is empty,
21073 @samp{/./} in home dirs are ignored. WARNING: Never add directories here
21074 which local users can modify, that may lead to root exploit. Usually
21075 this should be done only if you don't allow shell access for users.
21076 <doc/wiki/Chrooting.txt>.
21077 Defaults to @samp{()}.
21080 @deftypevr {@code{dovecot-configuration} parameter} string mail-chroot
21081 Default chroot directory for mail processes. This can be overridden
21082 for specific users in user database by giving @samp{/./} in user's home
21083 directory (e.g.@: @samp{/home/./user} chroots into @file{/home}). Note that usually
21084 there is no real need to do chrooting, Dovecot doesn't allow users to
21085 access files outside their mail directory anyway. If your home
21086 directories are prefixed with the chroot directory, append @samp{/.} to
21087 @samp{mail-chroot}. <doc/wiki/Chrooting.txt>.
21088 Defaults to @samp{""}.
21091 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-socket-path
21092 UNIX socket path to master authentication server to find users.
21093 This is used by imap (for shared users) and lda.
21094 Defaults to @samp{"/var/run/dovecot/auth-userdb"}.
21097 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-plugin-dir
21098 Directory where to look up mail plugins.
21099 Defaults to @samp{"/usr/lib/dovecot"}.
21102 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mail-plugins
21103 List of plugins to load for all services. Plugins specific to IMAP,
21104 LDA, etc.@: are added to this list in their own .conf files.
21105 Defaults to @samp{()}.
21108 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-cache-min-mail-count
21109 The minimum number of mails in a mailbox before updates are done to
21110 cache file. This allows optimizing Dovecot's behavior to do less disk
21111 writes at the cost of more disk reads.
21112 Defaults to @samp{0}.
21115 @deftypevr {@code{dovecot-configuration} parameter} string mailbox-idle-check-interval
21116 When IDLE command is running, mailbox is checked once in a while to
21117 see if there are any new mails or other changes. This setting defines
21118 the minimum time to wait between those checks. Dovecot can also use
21119 dnotify, inotify and kqueue to find out immediately when changes
21121 Defaults to @samp{"30 secs"}.
21124 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-save-crlf?
21125 Save mails with CR+LF instead of plain LF@. This makes sending those
21126 mails take less CPU, especially with sendfile() syscall with Linux and
21127 FreeBSD@. But it also creates a bit more disk I/O which may just make it
21128 slower. Also note that if other software reads the mboxes/maildirs,
21129 they may handle the extra CRs wrong and cause problems.
21130 Defaults to @samp{#f}.
21133 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-stat-dirs?
21134 By default LIST command returns all entries in maildir beginning
21135 with a dot. Enabling this option makes Dovecot return only entries
21136 which are directories. This is done by stat()ing each entry, so it
21137 causes more disk I/O.
21138 (For systems setting struct @samp{dirent->d_type} this check is free
21139 and it's done always regardless of this setting).
21140 Defaults to @samp{#f}.
21143 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-copy-with-hardlinks?
21144 When copying a message, do it with hard links whenever possible.
21145 This makes the performance much better, and it's unlikely to have any
21147 Defaults to @samp{#t}.
21150 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-very-dirty-syncs?
21151 Assume Dovecot is the only MUA accessing Maildir: Scan cur/
21152 directory only when its mtime changes unexpectedly or when we can't find
21153 the mail otherwise.
21154 Defaults to @samp{#f}.
21157 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-read-locks
21158 Which locking methods to use for locking mbox. There are four
21163 Create <mailbox>.lock file. This is the oldest and most NFS-safe
21164 solution. If you want to use /var/mail/ like directory, the users will
21165 need write access to that directory.
21167 Same as dotlock, but if it fails because of permissions or because there
21168 isn't enough disk space, just skip it.
21170 Use this if possible. Works with NFS too if lockd is used.
21172 May not exist in all systems. Doesn't work with NFS.
21174 May not exist in all systems. Doesn't work with NFS.
21177 You can use multiple locking methods; if you do the order they're declared
21178 in is important to avoid deadlocks if other MTAs/MUAs are using multiple
21179 locking methods as well. Some operating systems don't allow using some of
21180 them simultaneously.
21183 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-write-locks
21187 @deftypevr {@code{dovecot-configuration} parameter} string mbox-lock-timeout
21188 Maximum time to wait for lock (all of them) before aborting.
21189 Defaults to @samp{"5 mins"}.
21192 @deftypevr {@code{dovecot-configuration} parameter} string mbox-dotlock-change-timeout
21193 If dotlock exists but the mailbox isn't modified in any way,
21194 override the lock file after this much time.
21195 Defaults to @samp{"2 mins"}.
21198 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-dirty-syncs?
21199 When mbox changes unexpectedly we have to fully read it to find out
21200 what changed. If the mbox is large this can take a long time. Since
21201 the change is usually just a newly appended mail, it'd be faster to
21202 simply read the new mails. If this setting is enabled, Dovecot does
21203 this but still safely fallbacks to re-reading the whole mbox file
21204 whenever something in mbox isn't how it's expected to be. The only real
21205 downside to this setting is that if some other MUA changes message
21206 flags, Dovecot doesn't notice it immediately. Note that a full sync is
21207 done with SELECT, EXAMINE, EXPUNGE and CHECK commands.
21208 Defaults to @samp{#t}.
21211 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-very-dirty-syncs?
21212 Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT,
21213 EXAMINE, EXPUNGE or CHECK commands. If this is set,
21214 @samp{mbox-dirty-syncs} is ignored.
21215 Defaults to @samp{#f}.
21218 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-lazy-writes?
21219 Delay writing mbox headers until doing a full write sync (EXPUNGE
21220 and CHECK commands and when closing the mailbox). This is especially
21221 useful for POP3 where clients often delete all mails. The downside is
21222 that our changes aren't immediately visible to other MUAs.
21223 Defaults to @samp{#t}.
21226 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mbox-min-index-size
21227 If mbox size is smaller than this (e.g.@: 100k), don't write index
21228 files. If an index file already exists it's still read, just not
21230 Defaults to @samp{0}.
21233 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mdbox-rotate-size
21234 Maximum dbox file size until it's rotated.
21235 Defaults to @samp{10000000}.
21238 @deftypevr {@code{dovecot-configuration} parameter} string mdbox-rotate-interval
21239 Maximum dbox file age until it's rotated. Typically in days. Day
21240 begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check
21242 Defaults to @samp{"1d"}.
21245 @deftypevr {@code{dovecot-configuration} parameter} boolean mdbox-preallocate-space?
21246 When creating new mdbox files, immediately preallocate their size to
21247 @samp{mdbox-rotate-size}. This setting currently works only in Linux
21248 with some file systems (ext4, xfs).
21249 Defaults to @samp{#f}.
21252 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-dir
21253 sdbox and mdbox support saving mail attachments to external files,
21254 which also allows single instance storage for them. Other backends
21255 don't support this for now.
21257 WARNING: This feature hasn't been tested much yet. Use at your own risk.
21259 Directory root where to store mail attachments. Disabled, if empty.
21260 Defaults to @samp{""}.
21263 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-attachment-min-size
21264 Attachments smaller than this aren't saved externally. It's also
21265 possible to write a plugin to disable saving specific attachments
21267 Defaults to @samp{128000}.
21270 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-fs
21271 File system backend to use for saving attachments:
21274 No SiS done by Dovecot (but this might help FS's own deduplication)
21276 SiS with immediate byte-by-byte comparison during saving
21277 @item sis-queue posix
21278 SiS with delayed comparison and deduplication.
21280 Defaults to @samp{"sis posix"}.
21283 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-hash
21284 Hash format to use in attachment filenames. You can add any text and
21285 variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}},
21286 @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be
21287 truncated, e.g.@: @code{%@{sha256:80@}} returns only first 80 bits.
21288 Defaults to @samp{"%@{sha1@}"}.
21291 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-process-limit
21293 Defaults to @samp{100}.
21296 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-client-limit
21298 Defaults to @samp{1000}.
21301 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-vsz-limit
21302 Default VSZ (virtual memory size) limit for service processes.
21303 This is mainly intended to catch and kill processes that leak memory
21304 before they eat up everything.
21305 Defaults to @samp{256000000}.
21308 @deftypevr {@code{dovecot-configuration} parameter} string default-login-user
21309 Login user is internally used by login processes. This is the most
21310 untrusted user in Dovecot system. It shouldn't have access to anything
21312 Defaults to @samp{"dovenull"}.
21315 @deftypevr {@code{dovecot-configuration} parameter} string default-internal-user
21316 Internal user is used by unprivileged processes. It should be
21317 separate from login user, so that login processes can't disturb other
21319 Defaults to @samp{"dovecot"}.
21322 @deftypevr {@code{dovecot-configuration} parameter} string ssl?
21323 SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>.
21324 Defaults to @samp{"required"}.
21327 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert
21328 PEM encoded X.509 SSL/TLS certificate (public key).
21329 Defaults to @samp{"</etc/dovecot/default.pem"}.
21332 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key
21333 PEM encoded SSL/TLS private key. The key is opened before
21334 dropping root privileges, so keep the key file unreadable by anyone but
21336 Defaults to @samp{"</etc/dovecot/private/default.pem"}.
21339 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key-password
21340 If key file is password protected, give the password here.
21341 Alternatively give it when starting dovecot with -p parameter. Since
21342 this file is often world-readable, you may want to place this setting
21343 instead to a different.
21344 Defaults to @samp{""}.
21347 @deftypevr {@code{dovecot-configuration} parameter} string ssl-ca
21348 PEM encoded trusted certificate authority. Set this only if you
21349 intend to use @samp{ssl-verify-client-cert? #t}. The file should
21350 contain the CA certificate(s) followed by the matching
21351 CRL(s). (e.g.@: @samp{ssl-ca </etc/ssl/certs/ca.pem}).
21352 Defaults to @samp{""}.
21355 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-require-crl?
21356 Require that CRL check succeeds for client certificates.
21357 Defaults to @samp{#t}.
21360 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-verify-client-cert?
21361 Request client to send a certificate. If you also want to require
21362 it, set @samp{auth-ssl-require-client-cert? #t} in auth section.
21363 Defaults to @samp{#f}.
21366 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert-username-field
21367 Which field from certificate to use for username. commonName and
21368 x500UniqueIdentifier are the usual choices. You'll also need to set
21369 @samp{auth-ssl-username-from-cert? #t}.
21370 Defaults to @samp{"commonName"}.
21373 @deftypevr {@code{dovecot-configuration} parameter} string ssl-min-protocol
21374 Minimum SSL protocol version to accept.
21375 Defaults to @samp{"TLSv1"}.
21378 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cipher-list
21379 SSL ciphers to use.
21380 Defaults to @samp{"ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@@STRENGTH"}.
21383 @deftypevr {@code{dovecot-configuration} parameter} string ssl-crypto-device
21384 SSL crypto device to use, for valid values run "openssl engine".
21385 Defaults to @samp{""}.
21388 @deftypevr {@code{dovecot-configuration} parameter} string postmaster-address
21389 Address to use when sending rejection mails.
21390 %d expands to recipient domain.
21391 Defaults to @samp{"postmaster@@%d"}.
21394 @deftypevr {@code{dovecot-configuration} parameter} string hostname
21395 Hostname to use in various parts of sent mails (e.g.@: in Message-Id)
21396 and in LMTP replies. Default is the system's real hostname@@domain.
21397 Defaults to @samp{""}.
21400 @deftypevr {@code{dovecot-configuration} parameter} boolean quota-full-tempfail?
21401 If user is over quota, return with temporary failure instead of
21403 Defaults to @samp{#f}.
21406 @deftypevr {@code{dovecot-configuration} parameter} file-name sendmail-path
21407 Binary to use for sending mails.
21408 Defaults to @samp{"/usr/sbin/sendmail"}.
21411 @deftypevr {@code{dovecot-configuration} parameter} string submission-host
21412 If non-empty, send mails via this SMTP host[:port] instead of
21414 Defaults to @samp{""}.
21417 @deftypevr {@code{dovecot-configuration} parameter} string rejection-subject
21418 Subject: header to use for rejection mails. You can use the same
21419 variables as for @samp{rejection-reason} below.
21420 Defaults to @samp{"Rejected: %s"}.
21423 @deftypevr {@code{dovecot-configuration} parameter} string rejection-reason
21424 Human readable error message for rejection mails. You can use
21437 Defaults to @samp{"Your message to <%t> was automatically rejected:%n%r"}.
21440 @deftypevr {@code{dovecot-configuration} parameter} string recipient-delimiter
21441 Delimiter character between local-part and detail in email
21443 Defaults to @samp{"+"}.
21446 @deftypevr {@code{dovecot-configuration} parameter} string lda-original-recipient-header
21447 Header where the original recipient address (SMTP's RCPT TO:
21448 address) is taken from if not available elsewhere. With dovecot-lda -a
21449 parameter overrides this. A commonly used header for this is
21451 Defaults to @samp{""}.
21454 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autocreate?
21455 Should saving a mail to a nonexistent mailbox automatically create
21457 Defaults to @samp{#f}.
21460 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autosubscribe?
21461 Should automatically created mailboxes be also automatically
21463 Defaults to @samp{#f}.
21466 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer imap-max-line-length
21467 Maximum IMAP command line length. Some clients generate very long
21468 command lines with huge mailboxes, so you may need to raise this if you
21469 get "Too long argument" or "IMAP command line too large" errors
21471 Defaults to @samp{64000}.
21474 @deftypevr {@code{dovecot-configuration} parameter} string imap-logout-format
21475 IMAP logout format string:
21478 total number of bytes read from client
21480 total number of bytes sent to client.
21482 See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.
21483 Defaults to @samp{"in=%i out=%o deleted=%@{deleted@} expunged=%@{expunged@} trashed=%@{trashed@} hdr_count=%@{fetch_hdr_count@} hdr_bytes=%@{fetch_hdr_bytes@} body_count=%@{fetch_body_count@} body_bytes=%@{fetch_body_bytes@}"}.
21486 @deftypevr {@code{dovecot-configuration} parameter} string imap-capability
21487 Override the IMAP CAPABILITY response. If the value begins with '+',
21488 add the given capabilities on top of the defaults (e.g.@: +XFOO XBAR).
21489 Defaults to @samp{""}.
21492 @deftypevr {@code{dovecot-configuration} parameter} string imap-idle-notify-interval
21493 How long to wait between "OK Still here" notifications when client
21495 Defaults to @samp{"2 mins"}.
21498 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-send
21499 ID field names and values to send to clients. Using * as the value
21500 makes Dovecot use the default value. The following fields have default
21501 values currently: name, version, os, os-version, support-url,
21503 Defaults to @samp{""}.
21506 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-log
21507 ID fields sent by client to log. * means everything.
21508 Defaults to @samp{""}.
21511 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list imap-client-workarounds
21512 Workarounds for various client bugs:
21515 @item delay-newmail
21516 Send EXISTS/RECENT new mail notifications only when replying to NOOP and
21517 CHECK commands. Some clients ignore them otherwise, for example OSX
21518 Mail (<v2.1). Outlook Express breaks more badly though, without this it
21519 may show user "Message no longer in server" errors. Note that OE6
21520 still breaks even with this workaround if synchronization is set to
21523 @item tb-extra-mailbox-sep
21524 Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
21525 adds extra @samp{/} suffixes to mailbox names. This option causes Dovecot to
21526 ignore the extra @samp{/} instead of treating it as invalid mailbox name.
21528 @item tb-lsub-flags
21529 Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g.@: mbox).
21530 This makes Thunderbird realize they aren't selectable and show them
21531 greyed out, instead of only later giving "not selectable" popup error.
21533 Defaults to @samp{()}.
21536 @deftypevr {@code{dovecot-configuration} parameter} string imap-urlauth-host
21537 Host allowed in URLAUTH URLs sent by client. "*" allows all.
21538 Defaults to @samp{""}.
21542 Whew! Lots of configuration options. The nice thing about it though is
21543 that Guix has a complete interface to Dovecot's configuration
21544 language. This allows not only a nice way to declare configurations,
21545 but also offers reflective capabilities as well: users can write code to
21546 inspect and transform configurations from within Scheme.
21548 However, it could be that you just want to get a @code{dovecot.conf} up
21549 and running. In that case, you can pass an
21550 @code{opaque-dovecot-configuration} as the @code{#:config} parameter to
21551 @code{dovecot-service}. As its name indicates, an opaque configuration
21552 does not have easy reflective capabilities.
21554 Available @code{opaque-dovecot-configuration} fields are:
21556 @deftypevr {@code{opaque-dovecot-configuration} parameter} package dovecot
21557 The dovecot package.
21560 @deftypevr {@code{opaque-dovecot-configuration} parameter} string string
21561 The contents of the @code{dovecot.conf}, as a string.
21564 For example, if your @code{dovecot.conf} is just the empty string, you
21565 could instantiate a dovecot service like this:
21568 (dovecot-service #:config
21569 (opaque-dovecot-configuration
21573 @subsubheading OpenSMTPD Service
21575 @deffn {Scheme Variable} opensmtpd-service-type
21576 This is the type of the @uref{https://www.opensmtpd.org, OpenSMTPD}
21577 service, whose value should be an @code{opensmtpd-configuration} object
21578 as in this example:
21581 (service opensmtpd-service-type
21582 (opensmtpd-configuration
21583 (config-file (local-file "./my-smtpd.conf"))))
21587 @deftp {Data Type} opensmtpd-configuration
21588 Data type representing the configuration of opensmtpd.
21591 @item @code{package} (default: @var{opensmtpd})
21592 Package object of the OpenSMTPD SMTP server.
21594 @item @code{config-file} (default: @code{%default-opensmtpd-file})
21595 File-like object of the OpenSMTPD configuration file to use. By default
21596 it listens on the loopback network interface, and allows for mail from
21597 users and daemons on the local machine, as well as permitting email to
21598 remote servers. Run @command{man smtpd.conf} for more information.
21603 @subsubheading Exim Service
21605 @cindex mail transfer agent (MTA)
21606 @cindex MTA (mail transfer agent)
21609 @deffn {Scheme Variable} exim-service-type
21610 This is the type of the @uref{https://exim.org, Exim} mail transfer
21611 agent (MTA), whose value should be an @code{exim-configuration} object
21612 as in this example:
21615 (service exim-service-type
21616 (exim-configuration
21617 (config-file (local-file "./my-exim.conf"))))
21621 In order to use an @code{exim-service-type} service you must also have a
21622 @code{mail-aliases-service-type} service present in your
21623 @code{operating-system} (even if it has no aliases).
21625 @deftp {Data Type} exim-configuration
21626 Data type representing the configuration of exim.
21629 @item @code{package} (default: @var{exim})
21630 Package object of the Exim server.
21632 @item @code{config-file} (default: @code{#f})
21633 File-like object of the Exim configuration file to use. If its value is
21634 @code{#f} then use the default configuration file from the package
21635 provided in @code{package}. The resulting configuration file is loaded
21636 after setting the @code{exim_user} and @code{exim_group} configuration
21642 @subsubheading Getmail service
21647 @deffn {Scheme Variable} getmail-service-type
21648 This is the type of the @uref{http://pyropus.ca/software/getmail/, Getmail}
21649 mail retriever, whose value should be an @code{getmail-configuration}.
21652 Available @code{getmail-configuration} fields are:
21654 @deftypevr {@code{getmail-configuration} parameter} symbol name
21655 A symbol to identify the getmail service.
21657 Defaults to @samp{"unset"}.
21661 @deftypevr {@code{getmail-configuration} parameter} package package
21662 The getmail package to use.
21666 @deftypevr {@code{getmail-configuration} parameter} string user
21667 The user to run getmail as.
21669 Defaults to @samp{"getmail"}.
21673 @deftypevr {@code{getmail-configuration} parameter} string group
21674 The group to run getmail as.
21676 Defaults to @samp{"getmail"}.
21680 @deftypevr {@code{getmail-configuration} parameter} string directory
21681 The getmail directory to use.
21683 Defaults to @samp{"/var/lib/getmail/default"}.
21687 @deftypevr {@code{getmail-configuration} parameter} getmail-configuration-file rcfile
21688 The getmail configuration file to use.
21690 Available @code{getmail-configuration-file} fields are:
21692 @deftypevr {@code{getmail-configuration-file} parameter} getmail-retriever-configuration retriever
21693 What mail account to retrieve mail from, and how to access that account.
21695 Available @code{getmail-retriever-configuration} fields are:
21697 @deftypevr {@code{getmail-retriever-configuration} parameter} string type
21698 The type of mail retriever to use. Valid values include @samp{passwd}
21701 Defaults to @samp{"SimpleIMAPSSLRetriever"}.
21705 @deftypevr {@code{getmail-retriever-configuration} parameter} string server
21706 Username to login to the mail server with.
21708 Defaults to @samp{unset}.
21712 @deftypevr {@code{getmail-retriever-configuration} parameter} string username
21713 Username to login to the mail server with.
21715 Defaults to @samp{unset}.
21719 @deftypevr {@code{getmail-retriever-configuration} parameter} non-negative-integer port
21720 Port number to connect to.
21722 Defaults to @samp{#f}.
21726 @deftypevr {@code{getmail-retriever-configuration} parameter} string password
21727 Override fields from passwd.
21729 Defaults to @samp{""}.
21733 @deftypevr {@code{getmail-retriever-configuration} parameter} list password-command
21734 Override fields from passwd.
21736 Defaults to @samp{()}.
21740 @deftypevr {@code{getmail-retriever-configuration} parameter} string keyfile
21741 PEM-formatted key file to use for the TLS negotiation.
21743 Defaults to @samp{""}.
21747 @deftypevr {@code{getmail-retriever-configuration} parameter} string certfile
21748 PEM-formatted certificate file to use for the TLS negotiation.
21750 Defaults to @samp{""}.
21754 @deftypevr {@code{getmail-retriever-configuration} parameter} string ca-certs
21755 CA certificates to use.
21757 Defaults to @samp{""}.
21761 @deftypevr {@code{getmail-retriever-configuration} parameter} parameter-alist extra-parameters
21762 Extra retriever parameters.
21764 Defaults to @samp{()}.
21770 @deftypevr {@code{getmail-configuration-file} parameter} getmail-destination-configuration destination
21771 What to do with retrieved messages.
21773 Available @code{getmail-destination-configuration} fields are:
21775 @deftypevr {@code{getmail-destination-configuration} parameter} string type
21776 The type of mail destination. Valid values include @samp{Maildir},
21777 @samp{Mboxrd} and @samp{MDA_external}.
21779 Defaults to @samp{unset}.
21783 @deftypevr {@code{getmail-destination-configuration} parameter} string-or-filelike path
21784 The path option for the mail destination. The behaviour depends on the
21787 Defaults to @samp{""}.
21791 @deftypevr {@code{getmail-destination-configuration} parameter} parameter-alist extra-parameters
21792 Extra destination parameters
21794 Defaults to @samp{()}.
21800 @deftypevr {@code{getmail-configuration-file} parameter} getmail-options-configuration options
21803 Available @code{getmail-options-configuration} fields are:
21805 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer verbose
21806 If set to @samp{0}, getmail will only print warnings and errors. A
21807 value of @samp{1} means that messages will be printed about retrieving
21808 and deleting messages. If set to @samp{2}, getmail will print messages
21809 about each of its actions.
21811 Defaults to @samp{1}.
21815 @deftypevr {@code{getmail-options-configuration} parameter} boolean read-all
21816 If true, getmail will retrieve all available messages. Otherwise it
21817 will only retrieve messages it hasn't seen previously.
21819 Defaults to @samp{#t}.
21823 @deftypevr {@code{getmail-options-configuration} parameter} boolean delete
21824 If set to true, messages will be deleted from the server after
21825 retrieving and successfully delivering them. Otherwise, messages will
21826 be left on the server.
21828 Defaults to @samp{#f}.
21832 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer delete-after
21833 Getmail will delete messages this number of days after seeing them, if
21834 they have been delivered. This means messages will be left on the
21835 server this number of days after delivering them. A value of @samp{0}
21836 disabled this feature.
21838 Defaults to @samp{0}.
21842 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer delete-bigger-than
21843 Delete messages larger than this of bytes after retrieving them, even if
21844 the delete and delete-after options are disabled. A value of @samp{0}
21845 disables this feature.
21847 Defaults to @samp{0}.
21851 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer max-bytes-per-session
21852 Retrieve messages totalling up to this number of bytes before closing
21853 the session with the server. A value of @samp{0} disables this feature.
21855 Defaults to @samp{0}.
21859 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer max-message-size
21860 Don't retrieve messages larger than this number of bytes. A value of
21861 @samp{0} disables this feature.
21863 Defaults to @samp{0}.
21867 @deftypevr {@code{getmail-options-configuration} parameter} boolean delivered-to
21868 If true, getmail will add a Delivered-To header to messages.
21870 Defaults to @samp{#t}.
21874 @deftypevr {@code{getmail-options-configuration} parameter} boolean received
21875 If set, getmail adds a Received header to the messages.
21877 Defaults to @samp{#t}.
21881 @deftypevr {@code{getmail-options-configuration} parameter} string message-log
21882 Getmail will record a log of its actions to the named file. A value of
21883 @samp{""} disables this feature.
21885 Defaults to @samp{""}.
21889 @deftypevr {@code{getmail-options-configuration} parameter} boolean message-log-syslog
21890 If true, getmail will record a log of its actions using the system
21893 Defaults to @samp{#f}.
21897 @deftypevr {@code{getmail-options-configuration} parameter} boolean message-log-verbose
21898 If true, getmail will log information about messages not retrieved and
21899 the reason for not retrieving them, as well as starting and ending
21902 Defaults to @samp{#f}.
21906 @deftypevr {@code{getmail-options-configuration} parameter} parameter-alist extra-parameters
21907 Extra options to include.
21909 Defaults to @samp{()}.
21917 @deftypevr {@code{getmail-configuration} parameter} list idle
21918 A list of mailboxes that getmail should wait on the server for new mail
21919 notifications. This depends on the server supporting the IDLE
21922 Defaults to @samp{()}.
21926 @deftypevr {@code{getmail-configuration} parameter} list environment-variables
21927 Environment variables to set for getmail.
21929 Defaults to @samp{()}.
21933 @subsubheading Mail Aliases Service
21935 @cindex email aliases
21936 @cindex aliases, for email addresses
21938 @deffn {Scheme Variable} mail-aliases-service-type
21939 This is the type of the service which provides @code{/etc/aliases},
21940 specifying how to deliver mail to users on this system.
21943 (service mail-aliases-service-type
21944 '(("postmaster" "bob")
21945 ("bob" "bob@@example.com" "bob@@example2.com")))
21949 The configuration for a @code{mail-aliases-service-type} service is an
21950 association list denoting how to deliver mail that comes to this
21951 system. Each entry is of the form @code{(alias addresses ...)}, with
21952 @code{alias} specifying the local alias and @code{addresses} specifying
21953 where to deliver this user's mail.
21955 The aliases aren't required to exist as users on the local system. In
21956 the above example, there doesn't need to be a @code{postmaster} entry in
21957 the @code{operating-system}'s @code{user-accounts} in order to deliver
21958 the @code{postmaster} mail to @code{bob} (which subsequently would
21959 deliver mail to @code{bob@@example.com} and @code{bob@@example2.com}).
21961 @subsubheading GNU Mailutils IMAP4 Daemon
21962 @cindex GNU Mailutils IMAP4 Daemon
21964 @deffn {Scheme Variable} imap4d-service-type
21965 This is the type of the GNU Mailutils IMAP4 Daemon (@pxref{imap4d,,,
21966 mailutils, GNU Mailutils Manual}), whose value should be an
21967 @code{imap4d-configuration} object as in this example:
21970 (service imap4d-service-type
21971 (imap4d-configuration
21972 (config-file (local-file "imap4d.conf"))))
21976 @deftp {Data Type} imap4d-configuration
21977 Data type representing the configuration of @command{imap4d}.
21980 @item @code{package} (default: @code{mailutils})
21981 The package that provides @command{imap4d}.
21983 @item @code{config-file} (default: @code{%default-imap4d-config-file})
21984 File-like object of the configuration file to use, by default it will listen
21985 on TCP port 143 of @code{localhost}. @xref{Conf-imap4d,,, mailutils, GNU
21986 Mailutils Manual}, for details.
21991 @subsubheading Radicale Service
21995 @deffn {Scheme Variable} radicale-service-type
21996 This is the type of the @uref{https://radicale.org, Radicale} CalDAV/CardDAV
21997 server whose value should be a @code{radicale-configuration}.
22000 @deftp {Data Type} radicale-configuration
22001 Data type representing the configuration of @command{radicale}.
22004 @item @code{package} (default: @code{radicale})
22005 The package that provides @command{radicale}.
22007 @item @code{config-file} (default: @code{%default-radicale-config-file})
22008 File-like object of the configuration file to use, by default it will listen
22009 on TCP port 5232 of @code{localhost} and use the @code{htpasswd} file at
22010 @file{/var/lib/radicale/users} with no (@code{plain}) encryption.
22015 @node Messaging Services
22016 @subsection Messaging Services
22021 The @code{(gnu services messaging)} module provides Guix service
22022 definitions for messaging services. Currently it provides the following
22025 @subsubheading Prosody Service
22027 @deffn {Scheme Variable} prosody-service-type
22028 This is the type for the @uref{https://prosody.im, Prosody XMPP
22029 communication server}. Its value must be a @code{prosody-configuration}
22030 record as in this example:
22033 (service prosody-service-type
22034 (prosody-configuration
22035 (modules-enabled (cons* "groups" "mam" %default-modules-enabled))
22038 (int-component-configuration
22039 (hostname "conference.example.net")
22041 (mod-muc (mod-muc-configuration)))))
22044 (virtualhost-configuration
22045 (domain "example.net"))))))
22048 See below for details about @code{prosody-configuration}.
22052 By default, Prosody does not need much configuration. Only one
22053 @code{virtualhosts} field is needed: it specifies the domain you wish
22056 You can perform various sanity checks on the generated configuration
22057 with the @code{prosodyctl check} command.
22059 Prosodyctl will also help you to import certificates from the
22060 @code{letsencrypt} directory so that the @code{prosody} user can access
22061 them. See @url{https://prosody.im/doc/letsencrypt}.
22064 prosodyctl --root cert import /etc/letsencrypt/live
22067 The available configuration parameters follow. Each parameter
22068 definition is preceded by its type; for example, @samp{string-list foo}
22069 indicates that the @code{foo} parameter should be specified as a list of
22070 strings. Types starting with @code{maybe-} denote parameters that won't
22071 show up in @code{prosody.cfg.lua} when their value is @code{'disabled}.
22073 There is also a way to specify the configuration as a string, if you
22074 have an old @code{prosody.cfg.lua} file that you want to port over from
22075 some other system; see the end for more details.
22077 The @code{file-object} type designates either a file-like object
22078 (@pxref{G-Expressions, file-like objects}) or a file name.
22080 @c The following documentation was initially generated by
22081 @c (generate-documentation) in (gnu services messaging). Manually maintained
22082 @c documentation is better, so we shouldn't hesitate to edit below as
22083 @c needed. However if the change you want to make to this documentation
22084 @c can be done in an automated way, it's probably easier to change
22085 @c (generate-documentation) than to make it below and have to deal with
22086 @c the churn as Prosody updates.
22088 Available @code{prosody-configuration} fields are:
22090 @deftypevr {@code{prosody-configuration} parameter} package prosody
22091 The Prosody package.
22094 @deftypevr {@code{prosody-configuration} parameter} file-name data-path
22095 Location of the Prosody data storage directory. See
22096 @url{https://prosody.im/doc/configure}.
22097 Defaults to @samp{"/var/lib/prosody"}.
22100 @deftypevr {@code{prosody-configuration} parameter} file-object-list plugin-paths
22101 Additional plugin directories. They are searched in all the specified
22102 paths in order. See @url{https://prosody.im/doc/plugins_directory}.
22103 Defaults to @samp{()}.
22106 @deftypevr {@code{prosody-configuration} parameter} file-name certificates
22107 Every virtual host and component needs a certificate so that clients and
22108 servers can securely verify its identity. Prosody will automatically load
22109 certificates/keys from the directory specified here.
22110 Defaults to @samp{"/etc/prosody/certs"}.
22113 @deftypevr {@code{prosody-configuration} parameter} string-list admins
22114 This is a list of accounts that are admins for the server. Note that you
22115 must create the accounts separately. See @url{https://prosody.im/doc/admins} and
22116 @url{https://prosody.im/doc/creating_accounts}.
22117 Example: @code{(admins '("user1@@example.com" "user2@@example.net"))}
22118 Defaults to @samp{()}.
22121 @deftypevr {@code{prosody-configuration} parameter} boolean use-libevent?
22122 Enable use of libevent for better performance under high load. See
22123 @url{https://prosody.im/doc/libevent}.
22124 Defaults to @samp{#f}.
22127 @deftypevr {@code{prosody-configuration} parameter} module-list modules-enabled
22128 This is the list of modules Prosody will load on startup. It looks for
22129 @code{mod_modulename.lua} in the plugins folder, so make sure that exists too.
22130 Documentation on modules can be found at:
22131 @url{https://prosody.im/doc/modules}.
22132 Defaults to @samp{("roster" "saslauth" "tls" "dialback" "disco" "carbons" "private" "blocklist" "vcard" "version" "uptime" "time" "ping" "pep" "register" "admin_adhoc")}.
22135 @deftypevr {@code{prosody-configuration} parameter} string-list modules-disabled
22136 @samp{"offline"}, @samp{"c2s"} and @samp{"s2s"} are auto-loaded, but
22137 should you want to disable them then add them to this list.
22138 Defaults to @samp{()}.
22141 @deftypevr {@code{prosody-configuration} parameter} file-object groups-file
22142 Path to a text file where the shared groups are defined. If this path is
22143 empty then @samp{mod_groups} does nothing. See
22144 @url{https://prosody.im/doc/modules/mod_groups}.
22145 Defaults to @samp{"/var/lib/prosody/sharedgroups.txt"}.
22148 @deftypevr {@code{prosody-configuration} parameter} boolean allow-registration?
22149 Disable account creation by default, for security. See
22150 @url{https://prosody.im/doc/creating_accounts}.
22151 Defaults to @samp{#f}.
22154 @deftypevr {@code{prosody-configuration} parameter} maybe-ssl-configuration ssl
22155 These are the SSL/TLS-related settings. Most of them are disabled so to
22156 use Prosody's defaults. If you do not completely understand these options, do
22157 not add them to your config, it is easy to lower the security of your server
22158 using them. See @url{https://prosody.im/doc/advanced_ssl_config}.
22160 Available @code{ssl-configuration} fields are:
22162 @deftypevr {@code{ssl-configuration} parameter} maybe-string protocol
22163 This determines what handshake to use.
22166 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name key
22167 Path to your private key file.
22170 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name certificate
22171 Path to your certificate file.
22174 @deftypevr {@code{ssl-configuration} parameter} file-object capath
22175 Path to directory containing root certificates that you wish Prosody to
22176 trust when verifying the certificates of remote servers.
22177 Defaults to @samp{"/etc/ssl/certs"}.
22180 @deftypevr {@code{ssl-configuration} parameter} maybe-file-object cafile
22181 Path to a file containing root certificates that you wish Prosody to trust.
22182 Similar to @code{capath} but with all certificates concatenated together.
22185 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verify
22186 A list of verification options (these mostly map to OpenSSL's
22187 @code{set_verify()} flags).
22190 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list options
22191 A list of general options relating to SSL/TLS@. These map to OpenSSL's
22192 @code{set_options()}. For a full list of options available in LuaSec, see the
22196 @deftypevr {@code{ssl-configuration} parameter} maybe-non-negative-integer depth
22197 How long a chain of certificate authorities to check when looking for a
22198 trusted root certificate.
22201 @deftypevr {@code{ssl-configuration} parameter} maybe-string ciphers
22202 An OpenSSL cipher string. This selects what ciphers Prosody will offer to
22203 clients, and in what order.
22206 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name dhparam
22207 A path to a file containing parameters for Diffie-Hellman key exchange. You
22208 can create such a file with:
22209 @code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048}
22212 @deftypevr {@code{ssl-configuration} parameter} maybe-string curve
22213 Curve for Elliptic curve Diffie-Hellman. Prosody's default is
22214 @samp{"secp384r1"}.
22217 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verifyext
22218 A list of ``extra'' verification options.
22221 @deftypevr {@code{ssl-configuration} parameter} maybe-string password
22222 Password for encrypted private keys.
22227 @deftypevr {@code{prosody-configuration} parameter} boolean c2s-require-encryption?
22228 Whether to force all client-to-server connections to be encrypted or not.
22229 See @url{https://prosody.im/doc/modules/mod_tls}.
22230 Defaults to @samp{#f}.
22233 @deftypevr {@code{prosody-configuration} parameter} string-list disable-sasl-mechanisms
22234 Set of mechanisms that will never be offered. See
22235 @url{https://prosody.im/doc/modules/mod_saslauth}.
22236 Defaults to @samp{("DIGEST-MD5")}.
22239 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption?
22240 Whether to force all server-to-server connections to be encrypted or not.
22241 See @url{https://prosody.im/doc/modules/mod_tls}.
22242 Defaults to @samp{#f}.
22245 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-secure-auth?
22246 Whether to require encryption and certificate authentication. This
22247 provides ideal security, but requires servers you communicate with to support
22248 encryption AND present valid, trusted certificates. See
22249 @url{https://prosody.im/doc/s2s#security}.
22250 Defaults to @samp{#f}.
22253 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-insecure-domains
22254 Many servers don't support encryption or have invalid or self-signed
22255 certificates. You can list domains here that will not be required to
22256 authenticate using certificates. They will be authenticated using DNS@. See
22257 @url{https://prosody.im/doc/s2s#security}.
22258 Defaults to @samp{()}.
22261 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-secure-domains
22262 Even if you leave @code{s2s-secure-auth?} disabled, you can still require
22263 valid certificates for some domains by specifying a list here. See
22264 @url{https://prosody.im/doc/s2s#security}.
22265 Defaults to @samp{()}.
22268 @deftypevr {@code{prosody-configuration} parameter} string authentication
22269 Select the authentication backend to use. The default provider stores
22270 passwords in plaintext and uses Prosody's configured data storage to store the
22271 authentication data. If you do not trust your server please see
22272 @url{https://prosody.im/doc/modules/mod_auth_internal_hashed} for information
22273 about using the hashed backend. See also
22274 @url{https://prosody.im/doc/authentication}
22275 Defaults to @samp{"internal_plain"}.
22278 @deftypevr {@code{prosody-configuration} parameter} maybe-string log
22279 Set logging options. Advanced logging configuration is not yet supported
22280 by the Prosody service. See @url{https://prosody.im/doc/logging}.
22281 Defaults to @samp{"*syslog"}.
22284 @deftypevr {@code{prosody-configuration} parameter} file-name pidfile
22285 File to write pid in. See @url{https://prosody.im/doc/modules/mod_posix}.
22286 Defaults to @samp{"/var/run/prosody/prosody.pid"}.
22289 @deftypevr {@code{prosody-configuration} parameter} maybe-non-negative-integer http-max-content-size
22290 Maximum allowed size of the HTTP body (in bytes).
22293 @deftypevr {@code{prosody-configuration} parameter} maybe-string http-external-url
22294 Some modules expose their own URL in various ways. This URL is built
22295 from the protocol, host and port used. If Prosody sits behind a proxy, the
22296 public URL will be @code{http-external-url} instead. See
22297 @url{https://prosody.im/doc/http#external_url}.
22300 @deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts
22301 A host in Prosody is a domain on which user accounts can be created. For
22302 example if you want your users to have addresses like
22303 @samp{"john.smith@@example.com"} then you need to add a host
22304 @samp{"example.com"}. All options in this list will apply only to this host.
22306 Note: the name @emph{virtual} host is used in configuration to avoid confusion with
22307 the actual physical host that Prosody is installed on. A single Prosody
22308 instance can serve many domains, each one defined as a VirtualHost entry in
22309 Prosody's configuration. Conversely a server that hosts a single domain would
22310 have just one VirtualHost entry.
22312 See @url{https://prosody.im/doc/configure#virtual_host_settings}.
22314 Available @code{virtualhost-configuration} fields are:
22316 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22317 @deftypevr {@code{virtualhost-configuration} parameter} string domain
22318 Domain you wish Prosody to serve.
22323 @deftypevr {@code{prosody-configuration} parameter} int-component-configuration-list int-components
22324 Components are extra services on a server which are available to clients,
22325 usually on a subdomain of the main server (such as
22326 @samp{"mycomponent.example.com"}). Example components might be chatroom
22327 servers, user directories, or gateways to other protocols.
22329 Internal components are implemented with Prosody-specific plugins. To add an
22330 internal component, you simply fill the hostname field, and the plugin you wish
22331 to use for the component.
22333 See @url{https://prosody.im/doc/components}.
22334 Defaults to @samp{()}.
22336 Available @code{int-component-configuration} fields are:
22338 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22339 @deftypevr {@code{int-component-configuration} parameter} string hostname
22340 Hostname of the component.
22343 @deftypevr {@code{int-component-configuration} parameter} string plugin
22344 Plugin you wish to use for the component.
22347 @deftypevr {@code{int-component-configuration} parameter} maybe-mod-muc-configuration mod-muc
22348 Multi-user chat (MUC) is Prosody's module for allowing you to create
22349 hosted chatrooms/conferences for XMPP users.
22351 General information on setting up and using multi-user chatrooms can be found
22352 in the ``Chatrooms'' documentation (@url{https://prosody.im/doc/chatrooms}),
22353 which you should read if you are new to XMPP chatrooms.
22355 See also @url{https://prosody.im/doc/modules/mod_muc}.
22357 Available @code{mod-muc-configuration} fields are:
22359 @deftypevr {@code{mod-muc-configuration} parameter} string name
22360 The name to return in service discovery responses.
22361 Defaults to @samp{"Prosody Chatrooms"}.
22364 @deftypevr {@code{mod-muc-configuration} parameter} string-or-boolean restrict-room-creation
22365 If @samp{#t}, this will only allow admins to create new chatrooms.
22366 Otherwise anyone can create a room. The value @samp{"local"} restricts room
22367 creation to users on the service's parent domain. E.g.@: @samp{user@@example.com}
22368 can create rooms on @samp{rooms.example.com}. The value @samp{"admin"}
22369 restricts to service administrators only.
22370 Defaults to @samp{#f}.
22373 @deftypevr {@code{mod-muc-configuration} parameter} non-negative-integer max-history-messages
22374 Maximum number of history messages that will be sent to the member that has
22375 just joined the room.
22376 Defaults to @samp{20}.
22383 @deftypevr {@code{prosody-configuration} parameter} ext-component-configuration-list ext-components
22384 External components use XEP-0114, which most standalone components
22385 support. To add an external component, you simply fill the hostname field. See
22386 @url{https://prosody.im/doc/components}.
22387 Defaults to @samp{()}.
22389 Available @code{ext-component-configuration} fields are:
22391 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22392 @deftypevr {@code{ext-component-configuration} parameter} string component-secret
22393 Password which the component will use to log in.
22396 @deftypevr {@code{ext-component-configuration} parameter} string hostname
22397 Hostname of the component.
22402 @deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports
22403 Port(s) Prosody listens on for component connections.
22404 Defaults to @samp{(5347)}.
22407 @deftypevr {@code{prosody-configuration} parameter} string component-interface
22408 Interface Prosody listens on for component connections.
22409 Defaults to @samp{"127.0.0.1"}.
22412 @deftypevr {@code{prosody-configuration} parameter} maybe-raw-content raw-content
22413 Raw content that will be added to the configuration file.
22416 It could be that you just want to get a @code{prosody.cfg.lua}
22417 up and running. In that case, you can pass an
22418 @code{opaque-prosody-configuration} record as the value of
22419 @code{prosody-service-type}. As its name indicates, an opaque configuration
22420 does not have easy reflective capabilities.
22421 Available @code{opaque-prosody-configuration} fields are:
22423 @deftypevr {@code{opaque-prosody-configuration} parameter} package prosody
22424 The prosody package.
22427 @deftypevr {@code{opaque-prosody-configuration} parameter} string prosody.cfg.lua
22428 The contents of the @code{prosody.cfg.lua} to use.
22431 For example, if your @code{prosody.cfg.lua} is just the empty
22432 string, you could instantiate a prosody service like this:
22435 (service prosody-service-type
22436 (opaque-prosody-configuration
22437 (prosody.cfg.lua "")))
22440 @c end of Prosody auto-generated documentation
22442 @subsubheading BitlBee Service
22444 @cindex IRC (Internet Relay Chat)
22445 @cindex IRC gateway
22446 @url{https://bitlbee.org,BitlBee} is a gateway that provides an IRC
22447 interface to a variety of messaging protocols such as XMPP.
22449 @defvr {Scheme Variable} bitlbee-service-type
22450 This is the service type for the @url{https://bitlbee.org,BitlBee} IRC
22451 gateway daemon. Its value is a @code{bitlbee-configuration} (see
22454 To have BitlBee listen on port 6667 on localhost, add this line to your
22458 (service bitlbee-service-type)
22462 @deftp {Data Type} bitlbee-configuration
22463 This is the configuration for BitlBee, with the following fields:
22466 @item @code{interface} (default: @code{"127.0.0.1"})
22467 @itemx @code{port} (default: @code{6667})
22468 Listen on the network interface corresponding to the IP address
22469 specified in @var{interface}, on @var{port}.
22471 When @var{interface} is @code{127.0.0.1}, only local clients can
22472 connect; when it is @code{0.0.0.0}, connections can come from any
22473 networking interface.
22475 @item @code{bitlbee} (default: @code{bitlbee})
22476 The BitlBee package to use.
22478 @item @code{plugins} (default: @code{'()})
22479 List of plugin packages to use---e.g., @code{bitlbee-discord}.
22481 @item @code{extra-settings} (default: @code{""})
22482 Configuration snippet added as-is to the BitlBee configuration file.
22486 @subsubheading Quassel Service
22488 @cindex IRC (Internet Relay Chat)
22489 @url{https://quassel-irc.org/,Quassel} is a distributed IRC client,
22490 meaning that one or more clients can attach to and detach from the
22493 @defvr {Scheme Variable} quassel-service-type
22494 This is the service type for the @url{https://quassel-irc.org/,Quassel}
22495 IRC backend daemon. Its value is a @code{quassel-configuration}
22499 @deftp {Data Type} quassel-configuration
22500 This is the configuration for Quassel, with the following fields:
22503 @item @code{quassel} (default: @code{quassel})
22504 The Quassel package to use.
22506 @item @code{interface} (default: @code{"::,0.0.0.0"})
22507 @item @code{port} (default: @code{4242})
22508 Listen on the network interface(s) corresponding to the IPv4 or IPv6
22509 interfaces specified in the comma delimited @var{interface}, on
22512 @item @code{loglevel} (default: @code{"Info"})
22513 The level of logging desired. Accepted values are Debug, Info, Warning
22518 @node Telephony Services
22519 @subsection Telephony Services
22521 @cindex Murmur (VoIP server)
22522 @cindex VoIP server
22523 This section describes how to set up and run a Murmur server. Murmur is
22524 the server of the @uref{https://mumble.info, Mumble} voice-over-IP
22527 @deftp {Data Type} murmur-configuration
22528 The service type for the Murmur server. An example configuration can
22532 (service murmur-service-type
22533 (murmur-configuration
22535 "Welcome to this Mumble server running on Guix!")
22536 (cert-required? #t) ;disallow text password logins
22537 (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
22538 (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
22541 After reconfiguring your system, you can manually set the murmur @code{SuperUser}
22542 password with the command that is printed during the activation phase.
22544 It is recommended to register a normal Mumble user account
22545 and grant it admin or moderator rights.
22546 You can use the @code{mumble} client to
22547 login as new normal user, register yourself, and log out.
22548 For the next step login with the name @code{SuperUser} use
22549 the @code{SuperUser} password that you set previously,
22550 and grant your newly registered mumble user administrator or moderator
22551 rights and create some channels.
22553 Available @code{murmur-configuration} fields are:
22556 @item @code{package} (default: @code{mumble})
22557 Package that contains @code{bin/murmurd}.
22559 @item @code{user} (default: @code{"murmur"})
22560 User who will run the Murmur server.
22562 @item @code{group} (default: @code{"murmur"})
22563 Group of the user who will run the murmur server.
22565 @item @code{port} (default: @code{64738})
22566 Port on which the server will listen.
22568 @item @code{welcome-text} (default: @code{""})
22569 Welcome text sent to clients when they connect.
22571 @item @code{server-password} (default: @code{""})
22572 Password the clients have to enter in order to connect.
22574 @item @code{max-users} (default: @code{100})
22575 Maximum of users that can be connected to the server at once.
22577 @item @code{max-user-bandwidth} (default: @code{#f})
22578 Maximum voice traffic a user can send per second.
22580 @item @code{database-file} (default: @code{"/var/lib/murmur/db.sqlite"})
22581 File name of the sqlite database.
22582 The service's user will become the owner of the directory.
22584 @item @code{log-file} (default: @code{"/var/log/murmur/murmur.log"})
22585 File name of the log file.
22586 The service's user will become the owner of the directory.
22588 @item @code{autoban-attempts} (default: @code{10})
22589 Maximum number of logins a user can make in @code{autoban-timeframe}
22590 without getting auto banned for @code{autoban-time}.
22592 @item @code{autoban-timeframe} (default: @code{120})
22593 Timeframe for autoban in seconds.
22595 @item @code{autoban-time} (default: @code{300})
22596 Amount of time in seconds for which a client gets banned
22597 when violating the autoban limits.
22599 @item @code{opus-threshold} (default: @code{100})
22600 Percentage of clients that need to support opus
22601 before switching over to opus audio codec.
22603 @item @code{channel-nesting-limit} (default: @code{10})
22604 How deep channels can be nested at maximum.
22606 @item @code{channelname-regex} (default: @code{#f})
22607 A string in form of a Qt regular expression that channel names must conform to.
22609 @item @code{username-regex} (default: @code{#f})
22610 A string in form of a Qt regular expression that user names must conform to.
22612 @item @code{text-message-length} (default: @code{5000})
22613 Maximum size in bytes that a user can send in one text chat message.
22615 @item @code{image-message-length} (default: @code{(* 128 1024)})
22616 Maximum size in bytes that a user can send in one image message.
22618 @item @code{cert-required?} (default: @code{#f})
22619 If it is set to @code{#t} clients that use weak password authentication
22620 will not be accepted. Users must have completed the certificate wizard to join.
22622 @item @code{remember-channel?} (default: @code{#f})
22623 Should murmur remember the last channel each user was in when they disconnected
22624 and put them into the remembered channel when they rejoin.
22626 @item @code{allow-html?} (default: @code{#f})
22627 Should html be allowed in text messages, user comments, and channel descriptions.
22629 @item @code{allow-ping?} (default: @code{#f})
22630 Setting to true exposes the current user count, the maximum user count, and
22631 the server's maximum bandwidth per client to unauthenticated users. In the
22632 Mumble client, this information is shown in the Connect dialog.
22634 Disabling this setting will prevent public listing of the server.
22636 @item @code{bonjour?} (default: @code{#f})
22637 Should the server advertise itself in the local network through the bonjour protocol.
22639 @item @code{send-version?} (default: @code{#f})
22640 Should the murmur server version be exposed in ping requests.
22642 @item @code{log-days} (default: @code{31})
22643 Murmur also stores logs in the database, which are accessible via RPC.
22644 The default is 31 days of months, but you can set this setting to 0 to keep logs forever,
22645 or -1 to disable logging to the database.
22647 @item @code{obfuscate-ips?} (default: @code{#t})
22648 Should logged ips be obfuscated to protect the privacy of users.
22650 @item @code{ssl-cert} (default: @code{#f})
22651 File name of the SSL/TLS certificate used for encrypted connections.
22654 (ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
22656 @item @code{ssl-key} (default: @code{#f})
22657 Filepath to the ssl private key used for encrypted connections.
22659 (ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
22662 @item @code{ssl-dh-params} (default: @code{#f})
22663 File name of a PEM-encoded file with Diffie-Hellman parameters
22664 for the SSL/TLS encryption. Alternatively you set it to
22665 @code{"@@ffdhe2048"}, @code{"@@ffdhe3072"}, @code{"@@ffdhe4096"}, @code{"@@ffdhe6144"}
22666 or @code{"@@ffdhe8192"} to use bundled parameters from RFC 7919.
22668 @item @code{ssl-ciphers} (default: @code{#f})
22669 The @code{ssl-ciphers} option chooses the cipher suites to make available for use
22672 This option is specified using
22673 @uref{https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT,
22674 OpenSSL cipher list notation}.
22676 It is recommended that you try your cipher string using 'openssl ciphers <string>'
22677 before setting it here, to get a feel for which cipher suites you will get.
22678 After setting this option, it is recommend that you inspect your Murmur log
22679 to ensure that Murmur is using the cipher suites that you expected it to.
22681 Note: Changing this option may impact the backwards compatibility of your
22682 Murmur server, and can remove the ability for older Mumble clients to be able
22685 @item @code{public-registration} (default: @code{#f})
22686 Must be a @code{<murmur-public-registration-configuration>} record or @code{#f}.
22688 You can optionally register your server in the public server list that the
22689 @code{mumble} client shows on startup.
22690 You cannot register your server if you have set a @code{server-password},
22691 or set @code{allow-ping} to @code{#f}.
22693 It might take a few hours until it shows up in the public list.
22695 @item @code{file} (default: @code{#f})
22696 Optional alternative override for this configuration.
22700 @deftp {Data Type} murmur-public-registration-configuration
22701 Configuration for public registration of a murmur service.
22705 This is a display name for your server. Not to be confused with the hostname.
22707 @item @code{password}
22708 A password to identify your registration.
22709 Subsequent updates will need the same password. Don't lose your password.
22712 This should be a @code{http://} or @code{https://} link to your web
22715 @item @code{hostname} (default: @code{#f})
22716 By default your server will be listed by its IP address.
22717 If it is set your server will be linked by this host name instead.
22723 @node File-Sharing Services
22724 @subsection File-Sharing Services
22726 The @code{(gnu services file-sharing)} module provides services that
22727 assist with transferring files over peer-to-peer file-sharing networks.
22729 @subsubheading Transmission Daemon Service
22731 @uref{https://transmissionbt.com/, Transmission} is a flexible
22732 BitTorrent client that offers a variety of graphical and command-line
22733 interfaces. A @code{transmission-daemon-service-type} service provides
22734 Transmission's headless variant, @command{transmission-daemon}, as a
22735 system service, allowing users to share files via BitTorrent even when
22736 they are not logged in.
22738 @deffn {Scheme Variable} transmission-daemon-service-type
22739 The service type for the Transmission Daemon BitTorrent client. Its
22740 value must be a @code{transmission-daemon-configuration} object as in
22744 (service transmission-daemon-service-type
22745 (transmission-daemon-configuration
22746 ;; Restrict access to the RPC ("control") interface
22747 (rpc-authentication-required? #t)
22748 (rpc-username "transmission")
22750 (transmission-password-hash
22751 "transmission" ; desired password
22752 "uKd1uMs9")) ; arbitrary salt value
22754 ;; Accept requests from this and other hosts on the
22756 (rpc-whitelist-enabled? #t)
22757 (rpc-whitelist '("::1" "127.0.0.1" "192.168.0.*"))
22759 ;; Limit bandwidth use during work hours
22760 (alt-speed-down (* 1024 2)) ; 2 MB/s
22761 (alt-speed-up 512) ; 512 kB/s
22763 (alt-speed-time-enabled? #t)
22764 (alt-speed-time-day 'weekdays)
22765 (alt-speed-time-begin
22766 (+ (* 60 8) 30)) ; 8:30 am
22767 (alt-speed-time-end
22768 (+ (* 60 (+ 12 5)) 30)))) ; 5:30 pm
22772 Once the service is started, users can interact with the daemon through
22773 its Web interface (at @code{http://localhost:9091/}) or by using the
22774 @command{transmission-remote} command-line tool, available in the
22775 @code{transmission} package. (Emacs users may want to also consider the
22776 @code{emacs-transmission} package.) Both communicate with the daemon
22777 through its remote procedure call (RPC) interface, which by default is
22778 available to all users on the system; you may wish to change this by
22779 assigning values to the @code{rpc-authentication-required?},
22780 @code{rpc-username} and @code{rpc-password} settings, as shown in the
22781 example above and documented further below.
22783 The value for @code{rpc-password} must be a password hash of the type
22784 generated and used by Transmission clients. This can be copied verbatim
22785 from an existing @file{settings.json} file, if another Transmission
22786 client is already being used. Otherwise, the
22787 @code{transmission-password-hash} and @code{transmission-random-salt}
22788 procedures provided by this module can be used to obtain a suitable hash
22791 @deffn {Scheme Procedure} transmission-password-hash @var{password} @var{salt}
22792 Returns a string containing the result of hashing @var{password}
22793 together with @var{salt}, in the format recognized by Transmission
22794 clients for their @code{rpc-password} configuration setting.
22796 @var{salt} must be an eight-character string. The
22797 @code{transmission-random-salt} procedure can be used to generate a
22798 suitable salt value at random.
22801 @deffn {Scheme Procedure} transmission-random-salt
22802 Returns a string containing a random, eight-character salt value of the
22803 type generated and used by Transmission clients, suitable for passing to
22804 the @code{transmission-password-hash} procedure.
22807 These procedures are accessible from within a Guile REPL started with
22808 the @command{guix repl} command (@pxref{Invoking guix repl}). This is
22809 useful for obtaining a random salt value to provide as the second
22810 parameter to `transmission-password-hash`, as in this example session:
22814 scheme@@(guix-user)> ,use (gnu services file-sharing)
22815 scheme@@(guix-user)> (transmission-random-salt)
22819 Alternatively, a complete password hash can generated in a single step:
22822 scheme@@(guix-user)> (transmission-password-hash "transmission"
22823 (transmission-random-salt))
22824 $2 = "@{c8bbc6d1740cd8dc819a6e25563b67812c1c19c9VtFPfdsX"
22827 The resulting string can be used as-is for the value of
22828 @code{rpc-password}, allowing the password to be kept hidden even in the
22829 operating-system configuration.
22831 Torrent files downloaded by the daemon are directly accessible only to
22832 users in the ``transmission'' user group, who receive read-only access
22833 to the directory specified by the @code{download-dir} configuration
22834 setting (and also the directory specified by @code{incomplete-dir}, if
22835 @code{incomplete-dir-enabled?} is @code{#t}). Downloaded files can be
22836 moved to another directory or deleted altogether using
22837 @command{transmission-remote} with its @code{--move} and
22838 @code{--remove-and-delete} options.
22840 If the @code{watch-dir-enabled?} setting is set to @code{#t}, users in
22841 the ``transmission'' group are able also to place @file{.torrent} files
22842 in the directory specified by @code{watch-dir} to have the corresponding
22843 torrents added by the daemon. (The @code{trash-original-torrent-files?}
22844 setting controls whether the daemon deletes these files after processing
22847 Some of the daemon's configuration settings can be changed temporarily
22848 by @command{transmission-remote} and similar tools. To undo these
22849 changes, use the service's @code{reload} action to have the daemon
22850 reload its settings from disk:
22853 # herd reload transmission-daemon
22856 The full set of available configuration settings is defined by the
22857 @code{transmission-daemon-configuration} data type.
22859 @deftp {Data Type} transmission-daemon-configuration
22860 The data type representing configuration settings for Transmission
22861 Daemon. These correspond directly to the settings recognized by
22862 Transmission clients in their @file{settings.json} file.
22865 @c The following documentation was initially generated by
22866 @c (generate-transmission-daemon-documentation) in (gnu services
22867 @c file-sharing). Manually maintained documentation is better, so we
22868 @c shouldn't hesitate to edit below as needed. However if the change
22869 @c you want to make to this documentation can be done in an automated
22870 @c way, it's probably easier to change (generate-documentation) than to
22871 @c make it below and have to deal with the churn as Transmission Daemon
22874 @c %start of fragment
22876 Available @code{transmission-daemon-configuration} fields are:
22878 @deftypevr {@code{transmission-daemon-configuration} parameter} package transmission
22879 The Transmission package to use.
22883 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer stop-wait-period
22884 The period, in seconds, to wait when stopping the service for
22885 @command{transmission-daemon} to exit before killing its process. This
22886 allows the daemon time to complete its housekeeping and send a final
22887 update to trackers as it shuts down. On slow hosts, or hosts with a
22888 slow network connection, this value may need to be increased.
22890 Defaults to @samp{10}.
22894 @deftypevr {@code{transmission-daemon-configuration} parameter} string download-dir
22895 The directory to which torrent files are downloaded.
22897 Defaults to @samp{"/var/lib/transmission-daemon/downloads"}.
22901 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean incomplete-dir-enabled?
22902 If @code{#t}, files will be held in @code{incomplete-dir} while their
22903 torrent is being downloaded, then moved to @code{download-dir} once the
22904 torrent is complete. Otherwise, files for all torrents (including those
22905 still being downloaded) will be placed in @code{download-dir}.
22907 Defaults to @samp{#f}.
22911 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string incomplete-dir
22912 The directory in which files from incompletely downloaded torrents will
22913 be held when @code{incomplete-dir-enabled?} is @code{#t}.
22915 Defaults to @samp{disabled}.
22919 @deftypevr {@code{transmission-daemon-configuration} parameter} umask umask
22920 The file mode creation mask used for downloaded files. (See the
22921 @command{umask} man page for more information.)
22923 Defaults to @samp{18}.
22927 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rename-partial-files?
22928 When @code{#t}, ``.part'' is appended to the name of partially
22931 Defaults to @samp{#t}.
22935 @deftypevr {@code{transmission-daemon-configuration} parameter} preallocation-mode preallocation
22936 The mode by which space should be preallocated for downloaded files, one
22937 of @code{none}, @code{fast} (or @code{sparse}) and @code{full}.
22938 Specifying @code{full} will minimize disk fragmentation at a cost to
22939 file-creation speed.
22941 Defaults to @samp{fast}.
22945 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean watch-dir-enabled?
22946 If @code{#t}, the directory specified by @code{watch-dir} will be
22947 watched for new @file{.torrent} files and the torrents they describe
22948 added automatically (and the original files removed, if
22949 @code{trash-original-torrent-files?} is @code{#t}).
22951 Defaults to @samp{#f}.
22955 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string watch-dir
22956 The directory to be watched for @file{.torrent} files indicating new
22957 torrents to be added, when @code{watch-dir-enabled} is @code{#t}.
22959 Defaults to @samp{disabled}.
22963 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean trash-original-torrent-files?
22964 When @code{#t}, @file{.torrent} files will be deleted from the watch
22965 directory once their torrent has been added (see
22966 @code{watch-directory-enabled?}).
22968 Defaults to @samp{#f}.
22972 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-down-enabled?
22973 When @code{#t}, the daemon's download speed will be limited to the rate
22974 specified by @code{speed-limit-down}.
22976 Defaults to @samp{#f}.
22980 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-down
22981 The default global-maximum download speed, in kilobytes per second.
22983 Defaults to @samp{100}.
22987 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-up-enabled?
22988 When @code{#t}, the daemon's upload speed will be limited to the rate
22989 specified by @code{speed-limit-up}.
22991 Defaults to @samp{#f}.
22995 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-up
22996 The default global-maximum upload speed, in kilobytes per second.
22998 Defaults to @samp{100}.
23002 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-enabled?
23003 When @code{#t}, the alternate speed limits @code{alt-speed-down} and
23004 @code{alt-speed-up} are used (in place of @code{speed-limit-down} and
23005 @code{speed-limit-up}, if they are enabled) to constrain the daemon's
23006 bandwidth usage. This can be scheduled to occur automatically at
23007 certain times during the week; see @code{alt-speed-time-enabled?}.
23009 Defaults to @samp{#f}.
23013 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-down
23014 The alternate global-maximum download speed, in kilobytes per second.
23016 Defaults to @samp{50}.
23020 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-up
23021 The alternate global-maximum upload speed, in kilobytes per second.
23023 Defaults to @samp{50}.
23027 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-time-enabled?
23028 When @code{#t}, the alternate speed limits @code{alt-speed-down} and
23029 @code{alt-speed-up} will be enabled automatically during the periods
23030 specified by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and
23031 @code{alt-time-speed-end}.
23033 Defaults to @samp{#f}.
23037 @deftypevr {@code{transmission-daemon-configuration} parameter} day-list alt-speed-time-day
23038 The days of the week on which the alternate-speed schedule should be
23039 used, specified either as a list of days (@code{sunday}, @code{monday},
23040 and so on) or using one of the symbols @code{weekdays}, @code{weekends}
23043 Defaults to @samp{all}.
23047 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-begin
23048 The time of day at which to enable the alternate speed limits, expressed
23049 as a number of minutes since midnight.
23051 Defaults to @samp{540}.
23055 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-end
23056 The time of day at which to disable the alternate speed limits,
23057 expressed as a number of minutes since midnight.
23059 Defaults to @samp{1020}.
23063 @deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv4
23064 The IP address at which to listen for peer connections, or ``0.0.0.0''
23065 to listen at all available IP addresses.
23067 Defaults to @samp{"0.0.0.0"}.
23071 @deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv6
23072 The IPv6 address at which to listen for peer connections, or ``::'' to
23073 listen at all available IPv6 addresses.
23075 Defaults to @samp{"::"}.
23079 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean peer-port-random-on-start?
23080 If @code{#t}, when the daemon starts it will select a port at random on
23081 which to listen for peer connections, from the range specified
23082 (inclusively) by @code{peer-port-random-low} and
23083 @code{peer-port-random-high}. Otherwise, it listens on the port
23084 specified by @code{peer-port}.
23086 Defaults to @samp{#f}.
23090 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-low
23091 The lowest selectable port number when @code{peer-port-random-on-start?}
23094 Defaults to @samp{49152}.
23098 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-high
23099 The highest selectable port number when @code{peer-port-random-on-start}
23102 Defaults to @samp{65535}.
23106 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port
23107 The port on which to listen for peer connections when
23108 @code{peer-port-random-on-start?} is @code{#f}.
23110 Defaults to @samp{51413}.
23114 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean port-forwarding-enabled?
23115 If @code{#t}, the daemon will attempt to configure port-forwarding on an
23116 upstream gateway automatically using @acronym{UPnP} and
23119 Defaults to @samp{#t}.
23123 @deftypevr {@code{transmission-daemon-configuration} parameter} encryption-mode encryption
23124 The encryption preference for peer connections, one of
23125 @code{prefer-unencrypted-connections},
23126 @code{prefer-encrypted-connections} or
23127 @code{require-encrypted-connections}.
23129 Defaults to @samp{prefer-encrypted-connections}.
23133 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string peer-congestion-algorithm
23134 The TCP congestion-control algorithm to use for peer connections,
23135 specified using a string recognized by the operating system in calls to
23136 @code{setsockopt} (or set to @code{disabled}, in which case the
23137 operating-system default is used).
23139 Note that on GNU/Linux systems, the kernel must be configured to allow
23140 processes to use a congestion-control algorithm not in the default set;
23141 otherwise, it will deny these requests with ``Operation not permitted''.
23142 To see which algorithms are available on your system and which are
23143 currently permitted for use, look at the contents of the files
23144 @file{tcp_available_congestion_control} and
23145 @file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4}
23148 As an example, to have Transmission Daemon use
23149 @uref{http://www-ece.rice.edu/networks/TCP-LP/,the TCP Low Priority
23150 congestion-control algorithm}, you'll need to modify your kernel
23151 configuration to build in support for the algorithm, then update your
23152 operating-system configuration to allow its use by adding a
23153 @code{sysctl-service-type} service (or updating the existing one's
23154 configuration) with lines like the following:
23157 (service sysctl-service-type
23158 (sysctl-configuration
23160 ("net.ipv4.tcp_allowed_congestion_control" .
23161 "reno cubic lp"))))
23164 The Transmission Daemon configuration can then be updated with
23167 (peer-congestion-algorithm "lp")
23170 and the system reconfigured to have the changes take effect.
23172 Defaults to @samp{disabled}.
23176 @deftypevr {@code{transmission-daemon-configuration} parameter} tcp-type-of-service peer-socket-tos
23177 The type of service to request in outgoing @acronym{TCP} packets, one of
23178 @code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} and
23179 @code{reliability}.
23181 Defaults to @samp{default}.
23185 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-global
23186 The global limit on the number of connected peers.
23188 Defaults to @samp{200}.
23192 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-per-torrent
23193 The per-torrent limit on the number of connected peers.
23195 Defaults to @samp{50}.
23199 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer upload-slots-per-torrent
23200 The maximum number of peers to which the daemon will upload data
23201 simultaneously for each torrent.
23203 Defaults to @samp{14}.
23207 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-id-ttl-hours
23208 The maximum lifespan, in hours, of the peer ID associated with each
23209 public torrent before it is regenerated.
23211 Defaults to @samp{6}.
23215 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean blocklist-enabled?
23216 When @code{#t}, the daemon will ignore peers mentioned in the blocklist
23217 it has most recently downloaded from @code{blocklist-url}.
23219 Defaults to @samp{#f}.
23223 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string blocklist-url
23224 The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule
23225 @file{.dat} format) to be periodically downloaded and applied when
23226 @code{blocklist-enabled?} is @code{#t}.
23228 Defaults to @samp{disabled}.
23232 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean download-queue-enabled?
23233 If @code{#t}, the daemon will be limited to downloading at most
23234 @code{download-queue-size} non-stalled torrents simultaneously.
23236 Defaults to @samp{#t}.
23240 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer download-queue-size
23241 The size of the daemon's download queue, which limits the number of
23242 non-stalled torrents it will download at any one time when
23243 @code{download-queue-enabled?} is @code{#t}.
23245 Defaults to @samp{5}.
23249 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean seed-queue-enabled?
23250 If @code{#t}, the daemon will be limited to seeding at most
23251 @code{seed-queue-size} non-stalled torrents simultaneously.
23253 Defaults to @samp{#f}.
23257 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer seed-queue-size
23258 The size of the daemon's seed queue, which limits the number of
23259 non-stalled torrents it will seed at any one time when
23260 @code{seed-queue-enabled?} is @code{#t}.
23262 Defaults to @samp{10}.
23266 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean queue-stalled-enabled?
23267 When @code{#t}, the daemon will consider torrents for which it has not
23268 shared data in the past @code{queue-stalled-minutes} minutes to be
23269 stalled and not count them against its @code{download-queue-size} and
23270 @code{seed-queue-size} limits.
23272 Defaults to @samp{#t}.
23276 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer queue-stalled-minutes
23277 The maximum period, in minutes, a torrent may be idle before it is
23278 considered to be stalled, when @code{queue-stalled-enabled?} is
23281 Defaults to @samp{30}.
23285 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean ratio-limit-enabled?
23286 When @code{#t}, a torrent being seeded will automatically be paused once
23287 it reaches the ratio specified by @code{ratio-limit}.
23289 Defaults to @samp{#f}.
23293 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-rational ratio-limit
23294 The ratio at which a torrent being seeded will be paused, when
23295 @code{ratio-limit-enabled?} is @code{#t}.
23297 Defaults to @samp{2.0}.
23301 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean idle-seeding-limit-enabled?
23302 When @code{#t}, a torrent being seeded will automatically be paused once
23303 it has been idle for @code{idle-seeding-limit} minutes.
23305 Defaults to @samp{#f}.
23309 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer idle-seeding-limit
23310 The maximum period, in minutes, a torrent being seeded may be idle
23311 before it is paused, when @code{idle-seeding-limit-enabled?} is
23314 Defaults to @samp{30}.
23318 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean dht-enabled?
23319 Enable @uref{http://bittorrent.org/beps/bep_0005.html,the distributed
23320 hash table (@acronym{DHT}) protocol}, which supports the use of
23321 trackerless torrents.
23323 Defaults to @samp{#t}.
23327 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean lpd-enabled?
23328 Enable @uref{https://en.wikipedia.org/wiki/Local_Peer_Discovery,local
23329 peer discovery} (@acronym{LPD}), which allows the discovery of peers on
23330 the local network and may reduce the amount of data sent over the public
23333 Defaults to @samp{#f}.
23337 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean pex-enabled?
23338 Enable @uref{https://en.wikipedia.org/wiki/Peer_exchange,peer exchange}
23339 (@acronym{PEX}), which reduces the daemon's reliance on external
23340 trackers and may improve its performance.
23342 Defaults to @samp{#t}.
23346 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean utp-enabled?
23347 Enable @uref{http://bittorrent.org/beps/bep_0029.html,the micro
23348 transport protocol} (@acronym{uTP}), which aims to reduce the impact of
23349 BitTorrent traffic on other users of the local network while maintaining
23350 full utilization of the available bandwidth.
23352 Defaults to @samp{#t}.
23356 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-enabled?
23357 If @code{#t}, enable the remote procedure call (@acronym{RPC})
23358 interface, which allows remote control of the daemon via its Web
23359 interface, the @command{transmission-remote} command-line client, and
23362 Defaults to @samp{#t}.
23366 @deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-bind-address
23367 The IP address at which to listen for @acronym{RPC} connections, or
23368 ``0.0.0.0'' to listen at all available IP addresses.
23370 Defaults to @samp{"0.0.0.0"}.
23374 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number rpc-port
23375 The port on which to listen for @acronym{RPC} connections.
23377 Defaults to @samp{9091}.
23381 @deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-url
23382 The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}.
23384 Defaults to @samp{"/transmission/"}.
23388 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-authentication-required?
23389 When @code{#t}, clients must authenticate (see @code{rpc-username} and
23390 @code{rpc-password}) when using the @acronym{RPC} interface. Note this
23391 has the side effect of disabling host-name whitelisting (see
23392 @code{rpc-host-whitelist-enabled?}.
23394 Defaults to @samp{#f}.
23398 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string rpc-username
23399 The username required by clients to access the @acronym{RPC} interface
23400 when @code{rpc-authentication-required?} is @code{#t}.
23402 Defaults to @samp{disabled}.
23406 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-transmission-password-hash rpc-password
23407 The password required by clients to access the @acronym{RPC} interface
23408 when @code{rpc-authentication-required?} is @code{#t}. This must be
23409 specified using a password hash in the format recognized by Transmission
23410 clients, either copied from an existing @file{settings.json} file or
23411 generated using the @code{transmission-password-hash} procedure.
23413 Defaults to @samp{disabled}.
23417 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-whitelist-enabled?
23418 When @code{#t}, @acronym{RPC} requests will be accepted only when they
23419 originate from an address specified in @code{rpc-whitelist}.
23421 Defaults to @samp{#t}.
23425 @deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-whitelist
23426 The list of IP and IPv6 addresses from which @acronym{RPC} requests will
23427 be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards
23428 may be specified using @samp{*}.
23430 Defaults to @samp{("127.0.0.1" "::1")}.
23434 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-host-whitelist-enabled?
23435 When @code{#t}, @acronym{RPC} requests will be accepted only when they
23436 are addressed to a host named in @code{rpc-host-whitelist}. Note that
23437 requests to ``localhost'' or ``localhost.'', or to a numeric address,
23438 are always accepted regardless of these settings.
23440 Note also this functionality is disabled when
23441 @code{rpc-authentication-required?} is @code{#t}.
23443 Defaults to @samp{#t}.
23447 @deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-host-whitelist
23448 The list of host names recognized by the @acronym{RPC} server when
23449 @code{rpc-host-whitelist-enabled?} is @code{#t}.
23451 Defaults to @samp{()}.
23455 @deftypevr {@code{transmission-daemon-configuration} parameter} message-level message-level
23456 The minimum severity level of messages to be logged (to
23457 @file{/var/log/transmission.log}) by the daemon, one of @code{none} (no
23458 logging), @code{error}, @code{info} and @code{debug}.
23460 Defaults to @samp{info}.
23464 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean start-added-torrents?
23465 When @code{#t}, torrents are started as soon as they are added;
23466 otherwise, they are added in ``paused'' state.
23468 Defaults to @samp{#t}.
23472 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean script-torrent-done-enabled?
23473 When @code{#t}, the script specified by
23474 @code{script-torrent-done-filename} will be invoked each time a torrent
23477 Defaults to @samp{#f}.
23481 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-file-object script-torrent-done-filename
23482 A file name or file-like object specifying a script to run each time a
23483 torrent completes, when @code{script-torrent-done-enabled?} is
23486 Defaults to @samp{disabled}.
23490 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean scrape-paused-torrents-enabled?
23491 When @code{#t}, the daemon will scrape trackers for a torrent even when
23492 the torrent is paused.
23494 Defaults to @samp{#t}.
23498 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer cache-size-mb
23499 The amount of memory, in megabytes, to allocate for the daemon's
23500 in-memory cache. A larger value may increase performance by reducing
23501 the frequency of disk I/O.
23503 Defaults to @samp{4}.
23507 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean prefetch-enabled?
23508 When @code{#t}, the daemon will try to improve I/O performance by
23509 hinting to the operating system which data is likely to be read next
23510 from disk to satisfy requests from peers.
23512 Defaults to @samp{#t}.
23517 @c %end of fragment
23521 @node Monitoring Services
23522 @subsection Monitoring Services
23524 @subsubheading Tailon Service
23526 @uref{https://tailon.readthedocs.io/, Tailon} is a web application for
23527 viewing and searching log files.
23529 The following example will configure the service with default values.
23530 By default, Tailon can be accessed on port 8080 (@code{http://localhost:8080}).
23533 (service tailon-service-type)
23536 The following example customises more of the Tailon configuration,
23537 adding @command{sed} to the list of allowed commands.
23540 (service tailon-service-type
23541 (tailon-configuration
23543 (tailon-configuration-file
23544 (allowed-commands '("tail" "grep" "awk" "sed"))))))
23548 @deftp {Data Type} tailon-configuration
23549 Data type representing the configuration of Tailon.
23550 This type has the following parameters:
23553 @item @code{config-file} (default: @code{(tailon-configuration-file)})
23554 The configuration file to use for Tailon. This can be set to a
23555 @dfn{tailon-configuration-file} record value, or any gexp
23556 (@pxref{G-Expressions}).
23558 For example, to instead use a local file, the @code{local-file} function
23562 (service tailon-service-type
23563 (tailon-configuration
23564 (config-file (local-file "./my-tailon.conf"))))
23567 @item @code{package} (default: @code{tailon})
23568 The tailon package to use.
23573 @deftp {Data Type} tailon-configuration-file
23574 Data type representing the configuration options for Tailon.
23575 This type has the following parameters:
23578 @item @code{files} (default: @code{(list "/var/log")})
23579 List of files to display. The list can include strings for a single file
23580 or directory, or a list, where the first item is the name of a
23581 subsection, and the remaining items are the files or directories in that
23584 @item @code{bind} (default: @code{"localhost:8080"})
23585 Address and port to which Tailon should bind on.
23587 @item @code{relative-root} (default: @code{#f})
23588 URL path to use for Tailon, set to @code{#f} to not use a path.
23590 @item @code{allow-transfers?} (default: @code{#t})
23591 Allow downloading the log files in the web interface.
23593 @item @code{follow-names?} (default: @code{#t})
23594 Allow tailing of not-yet existent files.
23596 @item @code{tail-lines} (default: @code{200})
23597 Number of lines to read initially from each file.
23599 @item @code{allowed-commands} (default: @code{(list "tail" "grep" "awk")})
23600 Commands to allow running. By default, @code{sed} is disabled.
23602 @item @code{debug?} (default: @code{#f})
23603 Set @code{debug?} to @code{#t} to show debug messages.
23605 @item @code{wrap-lines} (default: @code{#t})
23606 Initial line wrapping state in the web interface. Set to @code{#t} to
23607 initially wrap lines (the default), or to @code{#f} to initially not
23610 @item @code{http-auth} (default: @code{#f})
23611 HTTP authentication type to use. Set to @code{#f} to disable
23612 authentication (the default). Supported values are @code{"digest"} or
23615 @item @code{users} (default: @code{#f})
23616 If HTTP authentication is enabled (see @code{http-auth}), access will be
23617 restricted to the credentials provided here. To configure users, use a
23618 list of pairs, where the first element of the pair is the username, and
23619 the 2nd element of the pair is the password.
23622 (tailon-configuration-file
23623 (http-auth "basic")
23624 (users '(("user1" . "password1")
23625 ("user2" . "password2"))))
23632 @subsubheading Darkstat Service
23634 Darkstat is a packet sniffer that captures network traffic, calculates
23635 statistics about usage, and serves reports over HTTP.
23637 @defvar {Scheme Variable} darkstat-service-type
23638 This is the service type for the
23639 @uref{https://unix4lyfe.org/darkstat/, darkstat}
23640 service, its value must be a @code{darkstat-configuration} record as in
23644 (service darkstat-service-type
23645 (darkstat-configuration
23646 (interface "eno1")))
23650 @deftp {Data Type} darkstat-configuration
23651 Data type representing the configuration of @command{darkstat}.
23654 @item @code{package} (default: @code{darkstat})
23655 The darkstat package to use.
23657 @item @code{interface}
23658 Capture traffic on the specified network interface.
23660 @item @code{port} (default: @code{"667"})
23661 Bind the web interface to the specified port.
23663 @item @code{bind-address} (default: @code{"127.0.0.1"})
23664 Bind the web interface to the specified address.
23666 @item @code{base} (default: @code{"/"})
23667 Specify the path of the base URL@. This can be useful if
23668 @command{darkstat} is accessed via a reverse proxy.
23673 @subsubheading Prometheus Node Exporter Service
23675 @cindex prometheus-node-exporter
23676 The Prometheus ``node exporter'' makes hardware and operating system statistics
23677 provided by the Linux kernel available for the Prometheus monitoring system.
23678 This service should be deployed on all physical nodes and virtual machines,
23679 where monitoring these statistics is desirable.
23681 @defvar {Scheme variable} prometheus-node-exporter-service-type
23682 This is the service type for the
23683 @uref{https://github.com/prometheus/node_exporter/, prometheus-node-exporter}
23684 service, its value must be a @code{prometheus-node-exporter-configuration}.
23687 (service prometheus-node-exporter-service-type)
23691 @deftp {Data Type} prometheus-node-exporter-configuration
23692 Data type representing the configuration of @command{node_exporter}.
23695 @item @code{package} (default: @code{go-github-com-prometheus-node-exporter})
23696 The prometheus-node-exporter package to use.
23698 @item @code{web-listen-address} (default: @code{":9100"})
23699 Bind the web interface to the specified address.
23701 @item @code{textfile-directory} (default: @code{"/var/lib/prometheus/node-exporter"})
23702 This directory can be used to export metrics specific to this machine.
23703 Files containing metrics in the text format, with the filename ending in
23704 @code{.prom} should be placed in this directory.
23706 @item @code{extra-options} (default: @code{'()})
23707 Extra options to pass to the Prometheus node exporter.
23712 @subsubheading Zabbix server
23713 @cindex zabbix zabbix-server
23714 Zabbix provides monitoring metrics, among others network utilization, CPU load
23715 and disk space consumption:
23718 @item High performance, high capacity (able to monitor hundreds of thousands of devices).
23719 @item Auto-discovery of servers and network devices and interfaces.
23720 @item Low-level discovery, allows to automatically start monitoring new items, file systems or network interfaces among others.
23721 @item Distributed monitoring with centralized web administration.
23722 @item Native high performance agents.
23723 @item SLA, and ITIL KPI metrics on reporting.
23724 @item High-level (business) view of monitored resources through user-defined visual console screens and dashboards.
23725 @item Remote command execution through Zabbix proxies.
23728 @c %start of fragment
23730 Available @code{zabbix-server-configuration} fields are:
23732 @deftypevr {@code{zabbix-server-configuration} parameter} package zabbix-server
23733 The zabbix-server package.
23737 @deftypevr {@code{zabbix-server-configuration} parameter} string user
23738 User who will run the Zabbix server.
23740 Defaults to @samp{"zabbix"}.
23744 @deftypevr {@code{zabbix-server-configuration} parameter} group group
23745 Group who will run the Zabbix server.
23747 Defaults to @samp{"zabbix"}.
23751 @deftypevr {@code{zabbix-server-configuration} parameter} string db-host
23752 Database host name.
23754 Defaults to @samp{"127.0.0.1"}.
23758 @deftypevr {@code{zabbix-server-configuration} parameter} string db-name
23761 Defaults to @samp{"zabbix"}.
23765 @deftypevr {@code{zabbix-server-configuration} parameter} string db-user
23768 Defaults to @samp{"zabbix"}.
23772 @deftypevr {@code{zabbix-server-configuration} parameter} string db-password
23773 Database password. Please, use @code{include-files} with
23774 @code{DBPassword=SECRET} inside a specified file instead.
23776 Defaults to @samp{""}.
23780 @deftypevr {@code{zabbix-server-configuration} parameter} number db-port
23783 Defaults to @samp{5432}.
23787 @deftypevr {@code{zabbix-server-configuration} parameter} string log-type
23788 Specifies where log messages are written to:
23792 @code{system} - syslog.
23795 @code{file} - file specified with @code{log-file} parameter.
23798 @code{console} - standard output.
23802 Defaults to @samp{""}.
23806 @deftypevr {@code{zabbix-server-configuration} parameter} string log-file
23807 Log file name for @code{log-type} @code{file} parameter.
23809 Defaults to @samp{"/var/log/zabbix/server.log"}.
23813 @deftypevr {@code{zabbix-server-configuration} parameter} string pid-file
23816 Defaults to @samp{"/var/run/zabbix/zabbix_server.pid"}.
23820 @deftypevr {@code{zabbix-server-configuration} parameter} string ssl-ca-location
23821 The location of certificate authority (CA) files for SSL server
23822 certificate verification.
23824 Defaults to @samp{"/etc/ssl/certs/ca-certificates.crt"}.
23828 @deftypevr {@code{zabbix-server-configuration} parameter} string ssl-cert-location
23829 Location of SSL client certificates.
23831 Defaults to @samp{"/etc/ssl/certs"}.
23835 @deftypevr {@code{zabbix-server-configuration} parameter} string extra-options
23836 Extra options will be appended to Zabbix server configuration file.
23838 Defaults to @samp{""}.
23842 @deftypevr {@code{zabbix-server-configuration} parameter} include-files include-files
23843 You may include individual files or all files in a directory in the
23844 configuration file.
23846 Defaults to @samp{()}.
23850 @c %end of fragment
23852 @subsubheading Zabbix agent
23853 @cindex zabbix zabbix-agent
23855 Zabbix agent gathers information for Zabbix server.
23857 @c %start of fragment
23859 Available @code{zabbix-agent-configuration} fields are:
23861 @deftypevr {@code{zabbix-agent-configuration} parameter} package zabbix-agent
23862 The zabbix-agent package.
23866 @deftypevr {@code{zabbix-agent-configuration} parameter} string user
23867 User who will run the Zabbix agent.
23869 Defaults to @samp{"zabbix"}.
23873 @deftypevr {@code{zabbix-agent-configuration} parameter} group group
23874 Group who will run the Zabbix agent.
23876 Defaults to @samp{"zabbix"}.
23880 @deftypevr {@code{zabbix-agent-configuration} parameter} string hostname
23881 Unique, case sensitive hostname which is required for active checks and
23882 must match hostname as configured on the server.
23884 Defaults to @samp{""}.
23888 @deftypevr {@code{zabbix-agent-configuration} parameter} string log-type
23889 Specifies where log messages are written to:
23893 @code{system} - syslog.
23896 @code{file} - file specified with @code{log-file} parameter.
23899 @code{console} - standard output.
23903 Defaults to @samp{""}.
23907 @deftypevr {@code{zabbix-agent-configuration} parameter} string log-file
23908 Log file name for @code{log-type} @code{file} parameter.
23910 Defaults to @samp{"/var/log/zabbix/agent.log"}.
23914 @deftypevr {@code{zabbix-agent-configuration} parameter} string pid-file
23917 Defaults to @samp{"/var/run/zabbix/zabbix_agent.pid"}.
23921 @deftypevr {@code{zabbix-agent-configuration} parameter} list server
23922 List of IP addresses, optionally in CIDR notation, or hostnames of
23923 Zabbix servers and Zabbix proxies. Incoming connections will be
23924 accepted only from the hosts listed here.
23926 Defaults to @samp{("127.0.0.1")}.
23930 @deftypevr {@code{zabbix-agent-configuration} parameter} list server-active
23931 List of IP:port (or hostname:port) pairs of Zabbix servers and Zabbix
23932 proxies for active checks. If port is not specified, default port is
23933 used. If this parameter is not specified, active checks are disabled.
23935 Defaults to @samp{("127.0.0.1")}.
23939 @deftypevr {@code{zabbix-agent-configuration} parameter} string extra-options
23940 Extra options will be appended to Zabbix server configuration file.
23942 Defaults to @samp{""}.
23946 @deftypevr {@code{zabbix-agent-configuration} parameter} include-files include-files
23947 You may include individual files or all files in a directory in the
23948 configuration file.
23950 Defaults to @samp{()}.
23954 @c %end of fragment
23956 @subsubheading Zabbix front-end
23957 @cindex zabbix zabbix-front-end
23959 This service provides a WEB interface to Zabbix server.
23961 @c %start of fragment
23963 Available @code{zabbix-front-end-configuration} fields are:
23965 @deftypevr {@code{zabbix-front-end-configuration} parameter} nginx-server-configuration-list nginx
23966 NGINX configuration.
23970 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-host
23971 Database host name.
23973 Defaults to @samp{"localhost"}.
23977 @deftypevr {@code{zabbix-front-end-configuration} parameter} number db-port
23980 Defaults to @samp{5432}.
23984 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-name
23987 Defaults to @samp{"zabbix"}.
23991 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-user
23994 Defaults to @samp{"zabbix"}.
23998 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-password
23999 Database password. Please, use @code{db-secret-file} instead.
24001 Defaults to @samp{""}.
24005 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-secret-file
24006 Secret file containing the credentials for the Zabbix front-end. The value
24007 must be a local file name, not a G-expression. You are expected to create
24008 this file manually. Its contents will be copied into @file{zabbix.conf.php}
24009 as the value of @code{$DB['PASSWORD']}.
24011 Defaults to @samp{""}.
24015 @deftypevr {@code{zabbix-front-end-configuration} parameter} string zabbix-host
24016 Zabbix server hostname.
24018 Defaults to @samp{"localhost"}.
24022 @deftypevr {@code{zabbix-front-end-configuration} parameter} number zabbix-port
24023 Zabbix server port.
24025 Defaults to @samp{10051}.
24030 @c %end of fragment
24032 @node Kerberos Services
24033 @subsection Kerberos Services
24036 The @code{(gnu services kerberos)} module provides services relating to
24037 the authentication protocol @dfn{Kerberos}.
24039 @subsubheading Krb5 Service
24041 Programs using a Kerberos client library normally
24042 expect a configuration file in @file{/etc/krb5.conf}.
24043 This service generates such a file from a definition provided in the
24044 operating system declaration.
24045 It does not cause any daemon to be started.
24047 No ``keytab'' files are provided by this service---you must explicitly create them.
24048 This service is known to work with the MIT client library, @code{mit-krb5}.
24049 Other implementations have not been tested.
24051 @defvr {Scheme Variable} krb5-service-type
24052 A service type for Kerberos 5 clients.
24056 Here is an example of its use:
24058 (service krb5-service-type
24059 (krb5-configuration
24060 (default-realm "EXAMPLE.COM")
24061 (allow-weak-crypto? #t)
24064 (name "EXAMPLE.COM")
24065 (admin-server "groucho.example.com")
24066 (kdc "karl.example.com"))
24069 (admin-server "kerb-admin.argrx.edu")
24070 (kdc "keys.argrx.edu"))))))
24074 This example provides a Kerberos@tie{}5 client configuration which:
24076 @item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both
24077 of which have distinct administration servers and key distribution centers;
24078 @item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly
24079 specified by clients;
24080 @item Accepts services which only support encryption types known to be weak.
24083 The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
24084 Only the most commonly used ones are described here.
24085 For a full list, and more detailed explanation of each, see the MIT
24086 @uref{https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
24090 @deftp {Data Type} krb5-realm
24091 @cindex realm, kerberos
24094 This field is a string identifying the name of the realm.
24095 A common convention is to use the fully qualified DNS name of your organization,
24096 converted to upper case.
24098 @item @code{admin-server}
24099 This field is a string identifying the host where the administration server is
24103 This field is a string identifying the key distribution center
24108 @deftp {Data Type} krb5-configuration
24111 @item @code{allow-weak-crypto?} (default: @code{#f})
24112 If this flag is @code{#t} then services which only offer encryption algorithms
24113 known to be weak will be accepted.
24115 @item @code{default-realm} (default: @code{#f})
24116 This field should be a string identifying the default Kerberos
24117 realm for the client.
24118 You should set this field to the name of your Kerberos realm.
24119 If this value is @code{#f}
24120 then a realm must be specified with every Kerberos principal when invoking programs
24121 such as @command{kinit}.
24123 @item @code{realms}
24124 This should be a non-empty list of @code{krb5-realm} objects, which clients may
24126 Normally, one of them will have a @code{name} field matching the @code{default-realm}
24132 @subsubheading PAM krb5 Service
24135 The @code{pam-krb5} service allows for login authentication and password
24136 management via Kerberos.
24137 You will need this service if you want PAM enabled applications to authenticate
24138 users using Kerberos.
24140 @defvr {Scheme Variable} pam-krb5-service-type
24141 A service type for the Kerberos 5 PAM module.
24144 @deftp {Data Type} pam-krb5-configuration
24145 Data type representing the configuration of the Kerberos 5 PAM module.
24146 This type has the following parameters:
24148 @item @code{pam-krb5} (default: @code{pam-krb5})
24149 The pam-krb5 package to use.
24151 @item @code{minimum-uid} (default: @code{1000})
24152 The smallest user ID for which Kerberos authentications should be attempted.
24153 Local accounts with lower values will silently fail to authenticate.
24158 @node LDAP Services
24159 @subsection LDAP Services
24161 @cindex nslcd, LDAP service
24163 The @code{(gnu services authentication)} module provides the
24164 @code{nslcd-service-type}, which can be used to authenticate against an LDAP
24165 server. In addition to configuring the service itself, you may want to add
24166 @code{ldap} as a name service to the Name Service Switch. @xref{Name Service
24167 Switch} for detailed information.
24169 Here is a simple operating system declaration with a default configuration of
24170 the @code{nslcd-service-type} and a Name Service Switch configuration that
24171 consults the @code{ldap} name service last:
24174 (use-service-modules authentication)
24175 (use-modules (gnu system nss))
24181 (service nslcd-service-type)
24182 (service dhcp-client-service-type)
24184 (name-service-switch
24185 (let ((services (list (name-service (name "db"))
24186 (name-service (name "files"))
24187 (name-service (name "ldap")))))
24188 (name-service-switch
24189 (inherit %mdns-host-lookup-nss)
24190 (password services)
24193 (netgroup services)
24194 (gshadow services)))))
24197 @c %start of generated documentation for nslcd-configuration
24199 Available @code{nslcd-configuration} fields are:
24201 @deftypevr {@code{nslcd-configuration} parameter} package nss-pam-ldapd
24202 The @code{nss-pam-ldapd} package to use.
24206 @deftypevr {@code{nslcd-configuration} parameter} maybe-number threads
24207 The number of threads to start that can handle requests and perform LDAP
24208 queries. Each thread opens a separate connection to the LDAP server.
24209 The default is to start 5 threads.
24211 Defaults to @samp{disabled}.
24215 @deftypevr {@code{nslcd-configuration} parameter} string uid
24216 This specifies the user id with which the daemon should be run.
24218 Defaults to @samp{"nslcd"}.
24222 @deftypevr {@code{nslcd-configuration} parameter} string gid
24223 This specifies the group id with which the daemon should be run.
24225 Defaults to @samp{"nslcd"}.
24229 @deftypevr {@code{nslcd-configuration} parameter} log-option log
24230 This option controls the way logging is done via a list containing
24231 SCHEME and LEVEL@. The SCHEME argument may either be the symbols
24232 @samp{none} or @samp{syslog}, or an absolute file name. The LEVEL
24233 argument is optional and specifies the log level. The log level may be
24234 one of the following symbols: @samp{crit}, @samp{error}, @samp{warning},
24235 @samp{notice}, @samp{info} or @samp{debug}. All messages with the
24236 specified log level or higher are logged.
24238 Defaults to @samp{("/var/log/nslcd" info)}.
24242 @deftypevr {@code{nslcd-configuration} parameter} list uri
24243 The list of LDAP server URIs. Normally, only the first server will be
24244 used with the following servers as fall-back.
24246 Defaults to @samp{("ldap://localhost:389/")}.
24250 @deftypevr {@code{nslcd-configuration} parameter} maybe-string ldap-version
24251 The version of the LDAP protocol to use. The default is to use the
24252 maximum version supported by the LDAP library.
24254 Defaults to @samp{disabled}.
24258 @deftypevr {@code{nslcd-configuration} parameter} maybe-string binddn
24259 Specifies the distinguished name with which to bind to the directory
24260 server for lookups. The default is to bind anonymously.
24262 Defaults to @samp{disabled}.
24266 @deftypevr {@code{nslcd-configuration} parameter} maybe-string bindpw
24267 Specifies the credentials with which to bind. This option is only
24268 applicable when used with binddn.
24270 Defaults to @samp{disabled}.
24274 @deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmoddn
24275 Specifies the distinguished name to use when the root user tries to
24276 modify a user's password using the PAM module.
24278 Defaults to @samp{disabled}.
24282 @deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmodpw
24283 Specifies the credentials with which to bind if the root user tries to
24284 change a user's password. This option is only applicable when used with
24287 Defaults to @samp{disabled}.
24291 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-mech
24292 Specifies the SASL mechanism to be used when performing SASL
24295 Defaults to @samp{disabled}.
24299 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-realm
24300 Specifies the SASL realm to be used when performing SASL authentication.
24302 Defaults to @samp{disabled}.
24306 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authcid
24307 Specifies the authentication identity to be used when performing SASL
24310 Defaults to @samp{disabled}.
24314 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authzid
24315 Specifies the authorization identity to be used when performing SASL
24318 Defaults to @samp{disabled}.
24322 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean sasl-canonicalize?
24323 Determines whether the LDAP server host name should be canonicalised. If
24324 this is enabled the LDAP library will do a reverse host name lookup. By
24325 default, it is left up to the LDAP library whether this check is
24328 Defaults to @samp{disabled}.
24332 @deftypevr {@code{nslcd-configuration} parameter} maybe-string krb5-ccname
24333 Set the name for the GSS-API Kerberos credentials cache.
24335 Defaults to @samp{disabled}.
24339 @deftypevr {@code{nslcd-configuration} parameter} string base
24340 The directory search base.
24342 Defaults to @samp{"dc=example,dc=com"}.
24346 @deftypevr {@code{nslcd-configuration} parameter} scope-option scope
24347 Specifies the search scope (subtree, onelevel, base or children). The
24348 default scope is subtree; base scope is almost never useful for name
24349 service lookups; children scope is not supported on all servers.
24351 Defaults to @samp{(subtree)}.
24355 @deftypevr {@code{nslcd-configuration} parameter} maybe-deref-option deref
24356 Specifies the policy for dereferencing aliases. The default policy is
24357 to never dereference aliases.
24359 Defaults to @samp{disabled}.
24363 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean referrals
24364 Specifies whether automatic referral chasing should be enabled. The
24365 default behaviour is to chase referrals.
24367 Defaults to @samp{disabled}.
24371 @deftypevr {@code{nslcd-configuration} parameter} list-of-map-entries maps
24372 This option allows for custom attributes to be looked up instead of the
24373 default RFC 2307 attributes. It is a list of maps, each consisting of
24374 the name of a map, the RFC 2307 attribute to match and the query
24375 expression for the attribute as it is available in the directory.
24377 Defaults to @samp{()}.
24381 @deftypevr {@code{nslcd-configuration} parameter} list-of-filter-entries filters
24382 A list of filters consisting of the name of a map to which the filter
24383 applies and an LDAP search filter expression.
24385 Defaults to @samp{()}.
24389 @deftypevr {@code{nslcd-configuration} parameter} maybe-number bind-timelimit
24390 Specifies the time limit in seconds to use when connecting to the
24391 directory server. The default value is 10 seconds.
24393 Defaults to @samp{disabled}.
24397 @deftypevr {@code{nslcd-configuration} parameter} maybe-number timelimit
24398 Specifies the time limit (in seconds) to wait for a response from the
24399 LDAP server. A value of zero, which is the default, is to wait
24400 indefinitely for searches to be completed.
24402 Defaults to @samp{disabled}.
24406 @deftypevr {@code{nslcd-configuration} parameter} maybe-number idle-timelimit
24407 Specifies the period if inactivity (in seconds) after which the con‐
24408 nection to the LDAP server will be closed. The default is not to time
24411 Defaults to @samp{disabled}.
24415 @deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-sleeptime
24416 Specifies the number of seconds to sleep when connecting to all LDAP
24417 servers fails. By default one second is waited between the first
24418 failure and the first retry.
24420 Defaults to @samp{disabled}.
24424 @deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-retrytime
24425 Specifies the time after which the LDAP server is considered to be
24426 permanently unavailable. Once this time is reached retries will be done
24427 only once per this time period. The default value is 10 seconds.
24429 Defaults to @samp{disabled}.
24433 @deftypevr {@code{nslcd-configuration} parameter} maybe-ssl-option ssl
24434 Specifies whether to use SSL/TLS or not (the default is not to). If
24435 'start-tls is specified then StartTLS is used rather than raw LDAP over
24438 Defaults to @samp{disabled}.
24442 @deftypevr {@code{nslcd-configuration} parameter} maybe-tls-reqcert-option tls-reqcert
24443 Specifies what checks to perform on a server-supplied certificate. The
24444 meaning of the values is described in the ldap.conf(5) manual page.
24446 Defaults to @samp{disabled}.
24450 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertdir
24451 Specifies the directory containing X.509 certificates for peer authen‐
24452 tication. This parameter is ignored when using GnuTLS.
24454 Defaults to @samp{disabled}.
24458 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertfile
24459 Specifies the path to the X.509 certificate for peer authentication.
24461 Defaults to @samp{disabled}.
24465 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-randfile
24466 Specifies the path to an entropy source. This parameter is ignored when
24469 Defaults to @samp{disabled}.
24473 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-ciphers
24474 Specifies the ciphers to use for TLS as a string.
24476 Defaults to @samp{disabled}.
24480 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cert
24481 Specifies the path to the file containing the local certificate for
24482 client TLS authentication.
24484 Defaults to @samp{disabled}.
24488 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-key
24489 Specifies the path to the file containing the private key for client TLS
24492 Defaults to @samp{disabled}.
24496 @deftypevr {@code{nslcd-configuration} parameter} maybe-number pagesize
24497 Set this to a number greater than 0 to request paged results from the
24498 LDAP server in accordance with RFC2696. The default (0) is to not
24499 request paged results.
24501 Defaults to @samp{disabled}.
24505 @deftypevr {@code{nslcd-configuration} parameter} maybe-ignore-users-option nss-initgroups-ignoreusers
24506 This option prevents group membership lookups through LDAP for the
24507 specified users. Alternatively, the value 'all-local may be used. With
24508 that value nslcd builds a full list of non-LDAP users on startup.
24510 Defaults to @samp{disabled}.
24514 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-min-uid
24515 This option ensures that LDAP users with a numeric user id lower than
24516 the specified value are ignored.
24518 Defaults to @samp{disabled}.
24522 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-uid-offset
24523 This option specifies an offset that is added to all LDAP numeric user
24524 ids. This can be used to avoid user id collisions with local users.
24526 Defaults to @samp{disabled}.
24530 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-gid-offset
24531 This option specifies an offset that is added to all LDAP numeric group
24532 ids. This can be used to avoid user id collisions with local groups.
24534 Defaults to @samp{disabled}.
24538 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-nested-groups
24539 If this option is set, the member attribute of a group may point to
24540 another group. Members of nested groups are also returned in the higher
24541 level group and parent groups are returned when finding groups for a
24542 specific user. The default is not to perform extra searches for nested
24545 Defaults to @samp{disabled}.
24549 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-getgrent-skipmembers
24550 If this option is set, the group member list is not retrieved when
24551 looking up groups. Lookups for finding which groups a user belongs to
24552 will remain functional so the user will likely still get the correct
24553 groups assigned on login.
24555 Defaults to @samp{disabled}.
24559 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-disable-enumeration
24560 If this option is set, functions which cause all user/group entries to
24561 be loaded from the directory will not succeed in doing so. This can
24562 dramatically reduce LDAP server load in situations where there are a
24563 great number of users and/or groups. This option is not recommended for
24564 most configurations.
24566 Defaults to @samp{disabled}.
24570 @deftypevr {@code{nslcd-configuration} parameter} maybe-string validnames
24571 This option can be used to specify how user and group names are verified
24572 within the system. This pattern is used to check all user and group
24573 names that are requested and returned from LDAP.
24575 Defaults to @samp{disabled}.
24579 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean ignorecase
24580 This specifies whether or not to perform searches using case-insensitive
24581 matching. Enabling this could open up the system to authorization
24582 bypass vulnerabilities and introduce nscd cache poisoning
24583 vulnerabilities which allow denial of service.
24585 Defaults to @samp{disabled}.
24589 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean pam-authc-ppolicy
24590 This option specifies whether password policy controls are requested and
24591 handled from the LDAP server when performing user authentication.
24593 Defaults to @samp{disabled}.
24597 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authc-search
24598 By default nslcd performs an LDAP search with the user's credentials
24599 after BIND (authentication) to ensure that the BIND operation was
24600 successful. The default search is a simple check to see if the user's
24601 DN exists. A search filter can be specified that will be used instead.
24602 It should return at least one entry.
24604 Defaults to @samp{disabled}.
24608 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authz-search
24609 This option allows flexible fine tuning of the authorisation check that
24610 should be performed. The search filter specified is executed and if any
24611 entries match, access is granted, otherwise access is denied.
24613 Defaults to @samp{disabled}.
24617 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-password-prohibit-message
24618 If this option is set password modification using pam_ldap will be
24619 denied and the specified message will be presented to the user instead.
24620 The message can be used to direct the user to an alternative means of
24621 changing their password.
24623 Defaults to @samp{disabled}.
24627 @deftypevr {@code{nslcd-configuration} parameter} list pam-services
24628 List of pam service names for which LDAP authentication should suffice.
24630 Defaults to @samp{()}.
24634 @c %end of generated documentation for nslcd-configuration
24638 @subsection Web Services
24643 The @code{(gnu services web)} module provides the Apache HTTP Server,
24644 the nginx web server, and also a fastcgi wrapper daemon.
24646 @subsubheading Apache HTTP Server
24648 @deffn {Scheme Variable} httpd-service-type
24649 Service type for the @uref{https://httpd.apache.org/,Apache HTTP} server
24650 (@dfn{httpd}). The value for this service type is a
24651 @code{httpd-configuration} record.
24653 A simple example configuration is given below.
24656 (service httpd-service-type
24657 (httpd-configuration
24660 (server-name "www.example.com")
24661 (document-root "/srv/http/www.example.com")))))
24664 Other services can also extend the @code{httpd-service-type} to add to
24668 (simple-service 'www.example.com-server httpd-service-type
24672 (list (string-join '("ServerName www.example.com"
24673 "DocumentRoot /srv/http/www.example.com")
24678 The details for the @code{httpd-configuration}, @code{httpd-module},
24679 @code{httpd-config-file} and @code{httpd-virtualhost} record types are
24682 @deffn {Data Type} httpd-configuration
24683 This data type represents the configuration for the httpd service.
24686 @item @code{package} (default: @code{httpd})
24687 The httpd package to use.
24689 @item @code{pid-file} (default: @code{"/var/run/httpd"})
24690 The pid file used by the shepherd-service.
24692 @item @code{config} (default: @code{(httpd-config-file)})
24693 The configuration file to use with the httpd service. The default value
24694 is a @code{httpd-config-file} record, but this can also be a different
24695 G-expression that generates a file, for example a @code{plain-file}. A
24696 file outside of the store can also be specified through a string.
24701 @deffn {Data Type} httpd-module
24702 This data type represents a module for the httpd service.
24706 The name of the module.
24709 The file for the module. This can be relative to the httpd package being
24710 used, the absolute location of a file, or a G-expression for a file
24711 within the store, for example @code{(file-append mod-wsgi
24712 "/modules/mod_wsgi.so")}.
24717 @defvr {Scheme Variable} %default-httpd-modules
24718 A default list of @code{httpd-module} objects.
24721 @deffn {Data Type} httpd-config-file
24722 This data type represents a configuration file for the httpd service.
24725 @item @code{modules} (default: @code{%default-httpd-modules})
24726 The modules to load. Additional modules can be added here, or loaded by
24727 additional configuration.
24729 For example, in order to handle requests for PHP files, you can use Apache’s
24730 @code{mod_proxy_fcgi} module along with @code{php-fpm-service-type}:
24733 (service httpd-service-type
24734 (httpd-configuration
24739 (name "proxy_module")
24740 (file "modules/mod_proxy.so"))
24742 (name "proxy_fcgi_module")
24743 (file "modules/mod_proxy_fcgi.so"))
24744 %default-httpd-modules))
24745 (extra-config (list "\
24746 <FilesMatch \\.php$>
24747 SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\"
24748 </FilesMatch>"))))))
24749 (service php-fpm-service-type
24750 (php-fpm-configuration
24751 (socket "/var/run/php-fpm.sock")
24752 (socket-group "httpd")))
24755 @item @code{server-root} (default: @code{httpd})
24756 The @code{ServerRoot} in the configuration file, defaults to the httpd
24757 package. Directives including @code{Include} and @code{LoadModule} are
24758 taken as relative to the server root.
24760 @item @code{server-name} (default: @code{#f})
24761 The @code{ServerName} in the configuration file, used to specify the
24762 request scheme, hostname and port that the server uses to identify
24765 This doesn't need to be set in the server config, and can be specified
24766 in virtual hosts. The default is @code{#f} to not specify a
24769 @item @code{document-root} (default: @code{"/srv/http"})
24770 The @code{DocumentRoot} from which files will be served.
24772 @item @code{listen} (default: @code{'("80")})
24773 The list of values for the @code{Listen} directives in the config
24774 file. The value should be a list of strings, when each string can
24775 specify the port number to listen on, and optionally the IP address and
24778 @item @code{pid-file} (default: @code{"/var/run/httpd"})
24779 The @code{PidFile} to use. This should match the @code{pid-file} set in
24780 the @code{httpd-configuration} so that the Shepherd service is
24781 configured correctly.
24783 @item @code{error-log} (default: @code{"/var/log/httpd/error_log"})
24784 The @code{ErrorLog} to which the server will log errors.
24786 @item @code{user} (default: @code{"httpd"})
24787 The @code{User} which the server will answer requests as.
24789 @item @code{group} (default: @code{"httpd"})
24790 The @code{Group} which the server will answer requests as.
24792 @item @code{extra-config} (default: @code{(list "TypesConfig etc/httpd/mime.types")})
24793 A flat list of strings and G-expressions which will be added to the end
24794 of the configuration file.
24796 Any values which the service is extended with will be appended to this
24802 @deffn {Data Type} httpd-virtualhost
24803 This data type represents a virtualhost configuration block for the httpd service.
24805 These should be added to the extra-config for the httpd-service.
24808 (simple-service 'www.example.com-server httpd-service-type
24812 (list (string-join '("ServerName www.example.com"
24813 "DocumentRoot /srv/http/www.example.com")
24818 @item @code{addresses-and-ports}
24819 The addresses and ports for the @code{VirtualHost} directive.
24821 @item @code{contents}
24822 The contents of the @code{VirtualHost} directive, this should be a list
24823 of strings and G-expressions.
24828 @subsubheading NGINX
24830 @deffn {Scheme Variable} nginx-service-type
24831 Service type for the @uref{https://nginx.org/,NGinx} web server. The
24832 value for this service type is a @code{<nginx-configuration>} record.
24834 A simple example configuration is given below.
24837 (service nginx-service-type
24838 (nginx-configuration
24840 (list (nginx-server-configuration
24841 (server-name '("www.example.com"))
24842 (root "/srv/http/www.example.com"))))))
24845 In addition to adding server blocks to the service configuration
24846 directly, this service can be extended by other services to add server
24847 blocks, as in this example:
24850 (simple-service 'my-extra-server nginx-service-type
24851 (list (nginx-server-configuration
24852 (root "/srv/http/extra-website")
24853 (try-files (list "$uri" "$uri/index.html")))))
24857 At startup, @command{nginx} has not yet read its configuration file, so
24858 it uses a default file to log error messages. If it fails to load its
24859 configuration file, that is where error messages are logged. After the
24860 configuration file is loaded, the default error log file changes as per
24861 configuration. In our case, startup error messages can be found in
24862 @file{/var/run/nginx/logs/error.log}, and after configuration in
24863 @file{/var/log/nginx/error.log}. The second location can be changed
24864 with the @var{log-directory} configuration option.
24866 @deffn {Data Type} nginx-configuration
24867 This data type represents the configuration for NGinx. Some
24868 configuration can be done through this and the other provided record
24869 types, or alternatively, a config file can be provided.
24872 @item @code{nginx} (default: @code{nginx})
24873 The nginx package to use.
24875 @item @code{log-directory} (default: @code{"/var/log/nginx"})
24876 The directory to which NGinx will write log files.
24878 @item @code{run-directory} (default: @code{"/var/run/nginx"})
24879 The directory in which NGinx will create a pid file, and write temporary
24882 @item @code{server-blocks} (default: @code{'()})
24883 A list of @dfn{server blocks} to create in the generated configuration
24884 file, the elements should be of type
24885 @code{<nginx-server-configuration>}.
24887 The following example would setup NGinx to serve @code{www.example.com}
24888 from the @code{/srv/http/www.example.com} directory, without using
24891 (service nginx-service-type
24892 (nginx-configuration
24894 (list (nginx-server-configuration
24895 (server-name '("www.example.com"))
24896 (root "/srv/http/www.example.com"))))))
24899 @item @code{upstream-blocks} (default: @code{'()})
24900 A list of @dfn{upstream blocks} to create in the generated configuration
24901 file, the elements should be of type
24902 @code{<nginx-upstream-configuration>}.
24904 Configuring upstreams through the @code{upstream-blocks} can be useful
24905 when combined with @code{locations} in the
24906 @code{<nginx-server-configuration>} records. The following example
24907 creates a server configuration with one location configuration, that
24908 will proxy requests to a upstream configuration, which will handle
24909 requests with two servers.
24914 (nginx-configuration
24916 (list (nginx-server-configuration
24917 (server-name '("www.example.com"))
24918 (root "/srv/http/www.example.com")
24921 (nginx-location-configuration
24923 (body '("proxy_pass http://server-proxy;"))))))))
24925 (list (nginx-upstream-configuration
24926 (name "server-proxy")
24927 (servers (list "server1.example.com"
24928 "server2.example.com")))))))
24931 @item @code{file} (default: @code{#f})
24932 If a configuration @var{file} is provided, this will be used, rather than
24933 generating a configuration file from the provided @code{log-directory},
24934 @code{run-directory}, @code{server-blocks} and @code{upstream-blocks}. For
24935 proper operation, these arguments should match what is in @var{file} to ensure
24936 that the directories are created when the service is activated.
24938 This can be useful if you have an existing configuration file, or it's
24939 not possible to do what is required through the other parts of the
24940 nginx-configuration record.
24942 @item @code{server-names-hash-bucket-size} (default: @code{#f})
24943 Bucket size for the server names hash tables, defaults to @code{#f} to
24944 use the size of the processors cache line.
24946 @item @code{server-names-hash-bucket-max-size} (default: @code{#f})
24947 Maximum bucket size for the server names hash tables.
24949 @item @code{modules} (default: @code{'()})
24950 List of nginx dynamic modules to load. This should be a list of file
24951 names of loadable modules, as in this example:
24956 (file-append nginx-accept-language-module "\
24957 /etc/nginx/modules/ngx_http_accept_language_module.so")
24958 (file-append nginx-lua-module "\
24959 /etc/nginx/modules/ngx_http_lua_module.so")))
24962 @item @code{lua-package-path} (default: @code{'()})
24963 List of nginx lua packages to load. This should be a list of package
24964 names of loadable lua modules, as in this example:
24967 (lua-package-path (list lua-resty-core
24974 @item @code{lua-package-cpath} (default: @code{'()})
24975 List of nginx lua C packages to load. This should be a list of package
24976 names of loadable lua C modules, as in this example:
24979 (lua-package-cpath (list lua-resty-signal))
24982 @item @code{global-directives} (default: @code{'((events . ()))})
24983 Association list of global directives for the top level of the nginx
24984 configuration. Values may themselves be association lists.
24988 `((worker_processes . 16)
24990 (events . ((worker_connections . 1024)))))
24993 @item @code{extra-content} (default: @code{""})
24994 Extra content for the @code{http} block. Should be string or a string
24995 valued G-expression.
25000 @deftp {Data Type} nginx-server-configuration
25001 Data type representing the configuration of an nginx server block.
25002 This type has the following parameters:
25005 @item @code{listen} (default: @code{'("80" "443 ssl")})
25006 Each @code{listen} directive sets the address and port for IP, or the
25007 path for a UNIX-domain socket on which the server will accept requests.
25008 Both address and port, or only address or only port can be specified.
25009 An address may also be a hostname, for example:
25012 '("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000")
25015 @item @code{server-name} (default: @code{(list 'default)})
25016 A list of server names this server represents. @code{'default} represents the
25017 default server for connections matching no other server.
25019 @item @code{root} (default: @code{"/srv/http"})
25020 Root of the website nginx will serve.
25022 @item @code{locations} (default: @code{'()})
25023 A list of @dfn{nginx-location-configuration} or
25024 @dfn{nginx-named-location-configuration} records to use within this
25027 @item @code{index} (default: @code{(list "index.html")})
25028 Index files to look for when clients ask for a directory. If it cannot be found,
25029 Nginx will send the list of files in the directory.
25031 @item @code{try-files} (default: @code{'()})
25032 A list of files whose existence is checked in the specified order.
25033 @code{nginx} will use the first file it finds to process the request.
25035 @item @code{ssl-certificate} (default: @code{#f})
25036 Where to find the certificate for secure connections. Set it to @code{#f} if
25037 you don't have a certificate or you don't want to use HTTPS.
25039 @item @code{ssl-certificate-key} (default: @code{#f})
25040 Where to find the private key for secure connections. Set it to @code{#f} if
25041 you don't have a key or you don't want to use HTTPS.
25043 @item @code{server-tokens?} (default: @code{#f})
25044 Whether the server should add its configuration to response.
25046 @item @code{raw-content} (default: @code{'()})
25047 A list of raw lines added to the server block.
25052 @deftp {Data Type} nginx-upstream-configuration
25053 Data type representing the configuration of an nginx @code{upstream}
25054 block. This type has the following parameters:
25058 Name for this group of servers.
25060 @item @code{servers}
25061 Specify the addresses of the servers in the group. The address can be
25062 specified as a IP address (e.g.@: @samp{127.0.0.1}), domain name
25063 (e.g.@: @samp{backend1.example.com}) or a path to a UNIX socket using the
25064 prefix @samp{unix:}. For addresses using an IP address or domain name,
25065 the default port is 80, and a different port can be specified
25071 @deftp {Data Type} nginx-location-configuration
25072 Data type representing the configuration of an nginx @code{location}
25073 block. This type has the following parameters:
25077 URI which this location block matches.
25079 @anchor{nginx-location-configuration body}
25081 Body of the location block, specified as a list of strings. This can contain
25083 configuration directives. For example, to pass requests to a upstream
25084 server group defined using an @code{nginx-upstream-configuration} block,
25085 the following directive would be specified in the body @samp{(list "proxy_pass
25086 http://upstream-name;")}.
25091 @deftp {Data Type} nginx-named-location-configuration
25092 Data type representing the configuration of an nginx named location
25093 block. Named location blocks are used for request redirection, and not
25094 used for regular request processing. This type has the following
25099 Name to identify this location block.
25102 @xref{nginx-location-configuration body}, as the body for named location
25103 blocks can be used in a similar way to the
25104 @code{nginx-location-configuration body}. One restriction is that the
25105 body of a named location block cannot contain location blocks.
25110 @subsubheading Varnish Cache
25112 Varnish is a fast cache server that sits in between web applications
25113 and end users. It proxies requests from clients and caches the
25114 accessed URLs such that multiple requests for the same resource only
25115 creates one request to the back-end.
25117 @defvr {Scheme Variable} varnish-service-type
25118 Service type for the Varnish daemon.
25121 @deftp {Data Type} varnish-configuration
25122 Data type representing the @code{varnish} service configuration.
25123 This type has the following parameters:
25126 @item @code{package} (default: @code{varnish})
25127 The Varnish package to use.
25129 @item @code{name} (default: @code{"default"})
25130 A name for this Varnish instance. Varnish will create a directory in
25131 @file{/var/varnish/} with this name and keep temporary files there. If
25132 the name starts with a forward slash, it is interpreted as an absolute
25135 Pass the @code{-n} argument to other Varnish programs to connect to the
25136 named instance, e.g.@: @command{varnishncsa -n default}.
25138 @item @code{backend} (default: @code{"localhost:8080"})
25139 The backend to use. This option has no effect if @code{vcl} is set.
25141 @item @code{vcl} (default: #f)
25142 The @dfn{VCL} (Varnish Configuration Language) program to run. If this
25143 is @code{#f}, Varnish will proxy @code{backend} using the default
25144 configuration. Otherwise this must be a file-like object with valid
25147 @c Varnish does not support HTTPS, so keep this URL to avoid confusion.
25148 For example, to mirror @url{https://www.gnu.org,www.gnu.org} with VCL you
25149 can do something along these lines:
25152 (define %gnu-mirror
25153 (plain-file "gnu.vcl"
25155 backend gnu @{ .host = \"www.gnu.org\"; @}"))
25159 (services (cons (service varnish-service-type
25160 (varnish-configuration
25162 (vcl %gnu-mirror)))
25166 The configuration of an already running Varnish instance can be inspected
25167 and changed using the @command{varnishadm} program.
25169 Consult the @url{https://varnish-cache.org/docs/,Varnish User Guide} and
25170 @url{https://book.varnish-software.com/4.0/,Varnish Book} for
25171 comprehensive documentation on Varnish and its configuration language.
25173 @item @code{listen} (default: @code{'("localhost:80")})
25174 List of addresses Varnish will listen on.
25176 @item @code{storage} (default: @code{'("malloc,128m")})
25177 List of storage backends that will be available in VCL.
25179 @item @code{parameters} (default: @code{'()})
25180 List of run-time parameters in the form @code{'(("parameter" . "value"))}.
25182 @item @code{extra-options} (default: @code{'()})
25183 Additional arguments to pass to the @command{varnishd} process.
25188 @subsubheading Patchwork
25190 Patchwork is a patch tracking system. It can collect patches sent to a
25191 mailing list, and display them in a web interface.
25193 @defvr {Scheme Variable} patchwork-service-type
25194 Service type for Patchwork.
25197 The following example is an example of a minimal service for Patchwork, for
25198 the @code{patchwork.example.com} domain.
25201 (service patchwork-service-type
25202 (patchwork-configuration
25203 (domain "patchwork.example.com")
25205 (patchwork-settings-module
25206 (allowed-hosts (list domain))
25207 (default-from-email "patchwork@@patchwork.example.com")))
25208 (getmail-retriever-config
25209 (getmail-retriever-configuration
25210 (type "SimpleIMAPSSLRetriever")
25211 (server "imap.example.com")
25213 (username "patchwork")
25215 (list (file-append coreutils "/bin/cat")
25216 "/etc/getmail-patchwork-imap-password"))
25218 '((mailboxes . ("Patches"))))))))
25222 There are three records for configuring the Patchwork service. The
25223 @code{<patchwork-configuration>} relates to the configuration for Patchwork
25224 within the HTTPD service.
25226 The @code{settings-module} field within the @code{<patchwork-configuration>}
25227 record can be populated with the @code{<patchwork-settings-module>} record,
25228 which describes a settings module that is generated within the Guix store.
25230 For the @code{database-configuration} field within the
25231 @code{<patchwork-settings-module>}, the
25232 @code{<patchwork-database-configuration>} must be used.
25234 @deftp {Data Type} patchwork-configuration
25235 Data type representing the Patchwork service configuration. This type has the
25236 following parameters:
25239 @item @code{patchwork} (default: @code{patchwork})
25240 The Patchwork package to use.
25242 @item @code{domain}
25243 The domain to use for Patchwork, this is used in the HTTPD service virtual
25246 @item @code{settings-module}
25247 The settings module to use for Patchwork. As a Django application, Patchwork
25248 is configured with a Python module containing the settings. This can either be
25249 an instance of the @code{<patchwork-settings-module>} record, any other record
25250 that represents the settings in the store, or a directory outside of the
25253 @item @code{static-path} (default: @code{"/static/"})
25254 The path under which the HTTPD service should serve the static files.
25256 @item @code{getmail-retriever-config}
25257 The getmail-retriever-configuration record value to use with
25258 Patchwork. Getmail will be configured with this value, the messages will be
25259 delivered to Patchwork.
25264 @deftp {Data Type} patchwork-settings-module
25265 Data type representing a settings module for Patchwork. Some of these
25266 settings relate directly to Patchwork, but others relate to Django, the web
25267 framework used by Patchwork, or the Django Rest Framework library. This type
25268 has the following parameters:
25271 @item @code{database-configuration} (default: @code{(patchwork-database-configuration)})
25272 The database connection settings used for Patchwork. See the
25273 @code{<patchwork-database-configuration>} record type for more information.
25275 @item @code{secret-key-file} (default: @code{"/etc/patchwork/django-secret-key"})
25276 Patchwork, as a Django web application uses a secret key for cryptographically
25277 signing values. This file should contain a unique unpredictable value.
25279 If this file does not exist, it will be created and populated with a random
25280 value by the patchwork-setup shepherd service.
25282 This setting relates to Django.
25284 @item @code{allowed-hosts}
25285 A list of valid hosts for this Patchwork service. This should at least include
25286 the domain specified in the @code{<patchwork-configuration>} record.
25288 This is a Django setting.
25290 @item @code{default-from-email}
25291 The email address from which Patchwork should send email by default.
25293 This is a Patchwork setting.
25295 @item @code{static-url} (default: @code{#f})
25296 The URL to use when serving static assets. It can be part of a URL, or a full
25297 URL, but must end in a @code{/}.
25299 If the default value is used, the @code{static-path} value from the
25300 @code{<patchwork-configuration>} record will be used.
25302 This is a Django setting.
25304 @item @code{admins} (default: @code{'()})
25305 Email addresses to send the details of errors that occur. Each value should
25306 be a list containing two elements, the name and then the email address.
25308 This is a Django setting.
25310 @item @code{debug?} (default: @code{#f})
25311 Whether to run Patchwork in debug mode. If set to @code{#t}, detailed error
25312 messages will be shown.
25314 This is a Django setting.
25316 @item @code{enable-rest-api?} (default: @code{#t})
25317 Whether to enable the Patchwork REST API.
25319 This is a Patchwork setting.
25321 @item @code{enable-xmlrpc?} (default: @code{#t})
25322 Whether to enable the XML RPC API.
25324 This is a Patchwork setting.
25326 @item @code{force-https-links?} (default: @code{#t})
25327 Whether to use HTTPS links on Patchwork pages.
25329 This is a Patchwork setting.
25331 @item @code{extra-settings} (default: @code{""})
25332 Extra code to place at the end of the Patchwork settings module.
25337 @deftp {Data Type} patchwork-database-configuration
25338 Data type representing the database configuration for Patchwork.
25341 @item @code{engine} (default: @code{"django.db.backends.postgresql_psycopg2"})
25342 The database engine to use.
25344 @item @code{name} (default: @code{"patchwork"})
25345 The name of the database to use.
25347 @item @code{user} (default: @code{"httpd"})
25348 The user to connect to the database as.
25350 @item @code{password} (default: @code{""})
25351 The password to use when connecting to the database.
25353 @item @code{host} (default: @code{""})
25354 The host to make the database connection to.
25356 @item @code{port} (default: @code{""})
25357 The port on which to connect to the database.
25362 @subsubheading Mumi
25364 @cindex Mumi, Debbugs Web interface
25365 @cindex Debbugs, Mumi Web interface
25366 @uref{https://git.elephly.net/gitweb.cgi?p=software/mumi.git, Mumi} is a
25367 Web interface to the Debbugs bug tracker, by default for
25368 @uref{https://bugs.gnu.org, the GNU instance}. Mumi is a Web server,
25369 but it also fetches and indexes mail retrieved from Debbugs.
25371 @defvr {Scheme Variable} mumi-service-type
25372 This is the service type for Mumi.
25375 @deftp {Data Type} mumi-configuration
25376 Data type representing the Mumi service configuration. This type has the
25380 @item @code{mumi} (default: @code{mumi})
25381 The Mumi package to use.
25383 @item @code{mailer?} (default: @code{#true})
25384 Whether to enable or disable the mailer component.
25386 @item @code{mumi-configuration-sender}
25387 The email address used as the sender for comments.
25389 @item @code{mumi-configuration-smtp}
25390 A URI to configure the SMTP settings for Mailutils. This could be
25391 something like @code{sendmail:///path/to/bin/msmtp} or any other URI
25392 supported by Mailutils. @xref{SMTP Mailboxes, SMTP Mailboxes,,
25393 mailutils, GNU@tie{}Mailutils}.
25399 @subsubheading FastCGI
25402 FastCGI is an interface between the front-end and the back-end of a web
25403 service. It is a somewhat legacy facility; new web services should
25404 generally just talk HTTP between the front-end and the back-end.
25405 However there are a number of back-end services such as PHP or the
25406 optimized HTTP Git repository access that use FastCGI, so we have
25407 support for it in Guix.
25409 To use FastCGI, you configure the front-end web server (e.g., nginx) to
25410 dispatch some subset of its requests to the fastcgi backend, which
25411 listens on a local TCP or UNIX socket. There is an intermediary
25412 @code{fcgiwrap} program that sits between the actual backend process and
25413 the web server. The front-end indicates which backend program to run,
25414 passing that information to the @code{fcgiwrap} process.
25416 @defvr {Scheme Variable} fcgiwrap-service-type
25417 A service type for the @code{fcgiwrap} FastCGI proxy.
25420 @deftp {Data Type} fcgiwrap-configuration
25421 Data type representing the configuration of the @code{fcgiwrap} service.
25422 This type has the following parameters:
25424 @item @code{package} (default: @code{fcgiwrap})
25425 The fcgiwrap package to use.
25427 @item @code{socket} (default: @code{tcp:127.0.0.1:9000})
25428 The socket on which the @code{fcgiwrap} process should listen, as a
25429 string. Valid @var{socket} values include
25430 @code{unix:@var{/path/to/unix/socket}},
25431 @code{tcp:@var{dot.ted.qu.ad}:@var{port}} and
25432 @code{tcp6:[@var{ipv6_addr}]:port}.
25434 @item @code{user} (default: @code{fcgiwrap})
25435 @itemx @code{group} (default: @code{fcgiwrap})
25436 The user and group names, as strings, under which to run the
25437 @code{fcgiwrap} process. The @code{fastcgi} service will ensure that if
25438 the user asks for the specific user or group names @code{fcgiwrap} that
25439 the corresponding user and/or group is present on the system.
25441 It is possible to configure a FastCGI-backed web service to pass HTTP
25442 authentication information from the front-end to the back-end, and to
25443 allow @code{fcgiwrap} to run the back-end process as a corresponding
25444 local user. To enable this capability on the back-end, run
25445 @code{fcgiwrap} as the @code{root} user and group. Note that this
25446 capability also has to be configured on the front-end as well.
25451 PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation
25452 with some additional features useful for sites of any size.
25454 These features include:
25456 @item Adaptive process spawning
25457 @item Basic statistics (similar to Apache's mod_status)
25458 @item Advanced process management with graceful stop/start
25459 @item Ability to start workers with different uid/gid/chroot/environment
25460 and different php.ini (replaces safe_mode)
25461 @item Stdout & stderr logging
25462 @item Emergency restart in case of accidental opcode cache destruction
25463 @item Accelerated upload support
25464 @item Support for a "slowlog"
25465 @item Enhancements to FastCGI, such as fastcgi_finish_request() -
25466 a special function to finish request & flush all data while continuing to do
25467 something time-consuming (video converting, stats processing, etc.)
25469 ...@: and much more.
25471 @defvr {Scheme Variable} php-fpm-service-type
25472 A Service type for @code{php-fpm}.
25475 @deftp {Data Type} php-fpm-configuration
25476 Data Type for php-fpm service configuration.
25478 @item @code{php} (default: @code{php})
25479 The php package to use.
25480 @item @code{socket} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")})
25481 The address on which to accept FastCGI requests. Valid syntaxes are:
25483 @item @code{"ip.add.re.ss:port"}
25484 Listen on a TCP socket to a specific address on a specific port.
25485 @item @code{"port"}
25486 Listen on a TCP socket to all addresses on a specific port.
25487 @item @code{"/path/to/unix/socket"}
25488 Listen on a unix socket.
25491 @item @code{user} (default: @code{php-fpm})
25492 User who will own the php worker processes.
25493 @item @code{group} (default: @code{php-fpm})
25494 Group of the worker processes.
25495 @item @code{socket-user} (default: @code{php-fpm})
25496 User who can speak to the php-fpm socket.
25497 @item @code{socket-group} (default: @code{nginx})
25498 Group that can speak to the php-fpm socket.
25499 @item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")})
25500 The process id of the php-fpm process is written to this file
25501 once the service has started.
25502 @item @code{log-file} (default: @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.log")})
25503 Log for the php-fpm master process.
25504 @item @code{process-manager} (default: @code{(php-fpm-dynamic-process-manager-configuration)})
25505 Detailed settings for the php-fpm process manager.
25508 @item @code{<php-fpm-dynamic-process-manager-configuration>}
25509 @item @code{<php-fpm-static-process-manager-configuration>}
25510 @item @code{<php-fpm-on-demand-process-manager-configuration>}
25512 @item @code{display-errors} (default @code{#f})
25513 Determines whether php errors and warning should be sent to clients
25514 and displayed in their browsers.
25515 This is useful for local php development, but a security risk for public sites,
25516 as error messages can reveal passwords and personal data.
25517 @item @code{timezone} (default @code{#f})
25518 Specifies @code{php_admin_value[date.timezone]} parameter.
25519 @item @code{workers-logfile} (default @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log")})
25520 This file will log the @code{stderr} outputs of php worker processes.
25521 Can be set to @code{#f} to disable logging.
25522 @item @code{file} (default @code{#f})
25523 An optional override of the whole configuration.
25524 You can use the @code{mixed-text-file} function or an absolute filepath for it.
25525 @item @code{php-ini-file} (default @code{#f})
25526 An optional override of the default php settings.
25527 It may be any ``file-like'' object (@pxref{G-Expressions, file-like objects}).
25528 You can use the @code{mixed-text-file} function or an absolute filepath for it.
25530 For local development it is useful to set a higher timeout and memory
25531 limit for spawned php processes. This be accomplished with the
25532 following operating system configuration snippet:
25534 (define %local-php-ini
25535 (plain-file "php.ini"
25537 max_execution_time = 1800"))
25541 (services (cons (service php-fpm-service-type
25542 (php-fpm-configuration
25543 (php-ini-file %local-php-ini)))
25547 Consult the @url{https://www.php.net/manual/en/ini.core.php,core php.ini
25548 directives} for comprehensive documentation on the acceptable
25549 @file{php.ini} directives.
25553 @deftp {Data type} php-fpm-dynamic-process-manager-configuration
25554 Data Type for the @code{dynamic} php-fpm process manager. With the
25555 @code{dynamic} process manager, spare worker processes are kept around
25556 based on its configured limits.
25558 @item @code{max-children} (default: @code{5})
25559 Maximum of worker processes.
25560 @item @code{start-servers} (default: @code{2})
25561 How many worker processes should be started on start-up.
25562 @item @code{min-spare-servers} (default: @code{1})
25563 How many spare worker processes should be kept around at minimum.
25564 @item @code{max-spare-servers} (default: @code{3})
25565 How many spare worker processes should be kept around at maximum.
25569 @deftp {Data type} php-fpm-static-process-manager-configuration
25570 Data Type for the @code{static} php-fpm process manager. With the
25571 @code{static} process manager, an unchanging number of worker processes
25574 @item @code{max-children} (default: @code{5})
25575 Maximum of worker processes.
25579 @deftp {Data type} php-fpm-on-demand-process-manager-configuration
25580 Data Type for the @code{on-demand} php-fpm process manager. With the
25581 @code{on-demand} process manager, worker processes are only created as
25584 @item @code{max-children} (default: @code{5})
25585 Maximum of worker processes.
25586 @item @code{process-idle-timeout} (default: @code{10})
25587 The time in seconds after which a process with no requests is killed.
25592 @deffn {Scheme Procedure} nginx-php-location @
25593 [#:nginx-package nginx] @
25594 [socket (string-append "/var/run/php" @
25595 (version-major (package-version php)) @
25597 A helper function to quickly add php to an @code{nginx-server-configuration}.
25600 A simple services setup for nginx with php can look like this:
25602 (services (cons* (service dhcp-client-service-type)
25603 (service php-fpm-service-type)
25604 (service nginx-service-type
25605 (nginx-server-configuration
25606 (server-name '("example.com"))
25607 (root "/srv/http/")
25609 (list (nginx-php-location)))
25611 (ssl-certificate #f)
25612 (ssl-certificate-key #f)))
25616 @cindex cat-avatar-generator
25617 The cat avatar generator is a simple service to demonstrate the use of php-fpm
25618 in @code{Nginx}. It is used to generate cat avatar from a seed, for instance
25619 the hash of a user's email address.
25621 @deffn {Scheme Procedure} cat-avatar-generator-service @
25622 [#:cache-dir "/var/cache/cat-avatar-generator"] @
25623 [#:package cat-avatar-generator] @
25624 [#:configuration (nginx-server-configuration)]
25625 Returns an nginx-server-configuration that inherits @code{configuration}. It
25626 extends the nginx configuration to add a server block that serves @code{package},
25627 a version of cat-avatar-generator. During execution, cat-avatar-generator will
25628 be able to use @code{cache-dir} as its cache directory.
25631 A simple setup for cat-avatar-generator can look like this:
25633 (services (cons* (cat-avatar-generator-service
25635 (nginx-server-configuration
25636 (server-name '("example.com"))))
25641 @subsubheading Hpcguix-web
25643 @cindex hpcguix-web
25644 The @uref{https://github.com/UMCUGenetics/hpcguix-web/, hpcguix-web}
25645 program is a customizable web interface to browse Guix packages,
25646 initially designed for users of high-performance computing (HPC)
25649 @defvr {Scheme Variable} hpcguix-web-service-type
25650 The service type for @code{hpcguix-web}.
25653 @deftp {Data Type} hpcguix-web-configuration
25654 Data type for the hpcguix-web service configuration.
25658 A gexp (@pxref{G-Expressions}) specifying the hpcguix-web service
25659 configuration. The main items available in this spec are:
25662 @item @code{title-prefix} (default: @code{"hpcguix | "})
25663 The page title prefix.
25665 @item @code{guix-command} (default: @code{"guix"})
25666 The @command{guix} command.
25668 @item @code{package-filter-proc} (default: @code{(const #t)})
25669 A procedure specifying how to filter packages that are displayed.
25671 @item @code{package-page-extension-proc} (default: @code{(const '())})
25672 Extension package for @code{hpcguix-web}.
25674 @item @code{menu} (default: @code{'()})
25675 Additional entry in page @code{menu}.
25677 @item @code{channels} (default: @code{%default-channels})
25678 List of channels from which the package list is built (@pxref{Channels}).
25680 @item @code{package-list-expiration} (default: @code{(* 12 3600)})
25681 The expiration time, in seconds, after which the package list is rebuilt from
25682 the latest instances of the given channels.
25685 See the hpcguix-web repository for a
25686 @uref{https://github.com/UMCUGenetics/hpcguix-web/blob/master/hpcweb-configuration.scm,
25689 @item @code{package} (default: @code{hpcguix-web})
25690 The hpcguix-web package to use.
25694 A typical hpcguix-web service declaration looks like this:
25697 (service hpcguix-web-service-type
25698 (hpcguix-web-configuration
25700 #~(define site-config
25701 (hpcweb-configuration
25702 (title-prefix "Guix-HPC - ")
25703 (menu '(("/about" "ABOUT"))))))))
25707 The hpcguix-web service periodically updates the package list it publishes by
25708 pulling channels from Git. To that end, it needs to access X.509 certificates
25709 so that it can authenticate Git servers when communicating over HTTPS, and it
25710 assumes that @file{/etc/ssl/certs} contains those certificates.
25712 Thus, make sure to add @code{nss-certs} or another certificate package to the
25713 @code{packages} field of your configuration. @ref{X.509 Certificates}, for
25714 more information on X.509 certificates.
25717 @subsubheading gmnisrv
25720 The @uref{https://git.sr.ht/~sircmpwn/gmnisrv, gmnisrv} program is a
25721 simple @uref{https://gemini.circumlunar.space/, Gemini} protocol server.
25723 @deffn {Scheme Variable} gmnisrv-service-type
25724 This is the type of the gmnisrv service, whose value should be a
25725 @code{gmnisrv-configuration} object, as in this example:
25728 (service gmnisrv-service-type
25729 (gmnisrv-configuration
25730 (config-file (local-file "./my-gmnisrv.ini"))))
25734 @deftp {Data Type} gmnisrv-configuration
25735 Data type representing the configuration of gmnisrv.
25738 @item @code{package} (default: @var{gmnisrv})
25739 Package object of the gmnisrv server.
25741 @item @code{config-file} (default: @code{%default-gmnisrv-config-file})
25742 File-like object of the gmnisrv configuration file to use. The default
25743 configuration listens on port 1965 and serves files from
25744 @file{/srv/gemini}. Certificates are stored in
25745 @file{/var/lib/gemini/certs}. For more information, run @command{man
25746 gmnisrv} and @command{man gmnisrv.ini}.
25751 @subsubheading Agate
25754 The @uref{gemini://qwertqwefsday.eu/agate.gmi, Agate}
25755 (@uref{https://github.com/mbrubeck/agate, GitHub page over HTTPS})
25756 program is a simple @uref{https://gemini.circumlunar.space/, Gemini}
25757 protocol server written in Rust.
25759 @deffn {Scheme Variable} agate-service-type
25760 This is the type of the agate service, whose value should be an
25761 @code{agate-service-type} object, as in this example:
25764 (service agate-service-type
25765 (agate-configuration
25766 (content "/srv/gemini")
25767 (cert "/srv/cert.pem")
25768 (key "/srv/key.rsa")))
25771 The example above represents the minimal tweaking necessary to get Agate
25772 up and running. Specifying the path to the certificate and key is
25773 always necessary, as the Gemini protocol requires TLS by default.
25775 To obtain a certificate and a key, you could, for example, use OpenSSL,
25776 running a command similar to the following example:
25779 openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
25780 -days 3650 -nodes -subj "/CN=example.com"
25783 Of course, you'll have to replace @i{example.com} with your own domain
25784 name, and then point the Agate configuration towards the path of the
25785 generated key and certificate.
25789 @deftp {Data Type} agate-configuration
25790 Data type representing the configuration of Agate.
25793 @item @code{package} (default: @code{agate})
25794 The package object of the Agate server.
25796 @item @code{content} (default: @file{"/srv/gemini"})
25797 The directory from which Agate will serve files.
25799 @item @code{cert} (default: @code{#f})
25800 The path to the TLS certificate PEM file to be used for encrypted
25801 connections. Must be filled in with a value from the user.
25803 @item @code{key} (default: @code{#f})
25804 The path to the PKCS8 private key file to be used for encrypted
25805 connections. Must be filled in with a value from the user.
25807 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
25808 A list of the addresses to listen on.
25810 @item @code{hostname} (default: @code{#f})
25811 The domain name of this Gemini server. Optional.
25813 @item @code{lang} (default: @code{#f})
25814 RFC 4646 language code(s) for text/gemini documents. Optional.
25816 @item @code{silent?} (default: @code{#f})
25817 Set to @code{#t} to disable logging output.
25819 @item @code{serve-secret?} (default: @code{#f})
25820 Set to @code{#t} to serve secret files (files/directories starting with
25823 @item @code{log-ip?} (default: @code{#t})
25824 Whether or not to output IP addresses when logging.
25826 @item @code{user} (default: @code{"agate"})
25827 Owner of the @code{agate} process.
25829 @item @code{group} (default: @code{"agate"})
25830 Owner's group of the @code{agate} process.
25832 @item @code{log-file} (default: @file{"/var/log/agate.log"})
25833 The file which should store the logging output of Agate.
25838 @node Certificate Services
25839 @subsection Certificate Services
25842 @cindex HTTP, HTTPS
25843 @cindex Let's Encrypt
25844 @cindex TLS certificates
25845 The @code{(gnu services certbot)} module provides a service to
25846 automatically obtain a valid TLS certificate from the Let's Encrypt
25847 certificate authority. These certificates can then be used to serve
25848 content securely over HTTPS or other TLS-based protocols, with the
25849 knowledge that the client will be able to verify the server's
25852 @url{https://letsencrypt.org/, Let's Encrypt} provides the
25853 @code{certbot} tool to automate the certification process. This tool
25854 first securely generates a key on the server. It then makes a request
25855 to the Let's Encrypt certificate authority (CA) to sign the key. The CA
25856 checks that the request originates from the host in question by using a
25857 challenge-response protocol, requiring the server to provide its
25858 response over HTTP@. If that protocol completes successfully, the CA
25859 signs the key, resulting in a certificate. That certificate is valid
25860 for a limited period of time, and therefore to continue to provide TLS
25861 services, the server needs to periodically ask the CA to renew its
25864 The certbot service automates this process: the initial key
25865 generation, the initial certification request to the Let's Encrypt
25866 service, the web server challenge/response integration, writing the
25867 certificate to disk, the automated periodic renewals, and the deployment
25868 tasks associated with the renewal (e.g.@: reloading services, copying keys
25869 with different permissions).
25871 Certbot is run twice a day, at a random minute within the hour. It
25872 won't do anything until your certificates are due for renewal or
25873 revoked, but running it regularly would give your service a chance of
25874 staying online in case a Let's Encrypt-initiated revocation happened for
25877 By using this service, you agree to the ACME Subscriber Agreement, which
25878 can be found there:
25879 @url{https://acme-v01.api.letsencrypt.org/directory}.
25881 @defvr {Scheme Variable} certbot-service-type
25882 A service type for the @code{certbot} Let's Encrypt client. Its value
25883 must be a @code{certbot-configuration} record as in this example:
25886 (define %nginx-deploy-hook
25888 "nginx-deploy-hook"
25889 #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
25890 (kill pid SIGHUP))))
25892 (service certbot-service-type
25893 (certbot-configuration
25894 (email "foo@@example.net")
25897 (certificate-configuration
25898 (domains '("example.net" "www.example.net"))
25899 (deploy-hook %nginx-deploy-hook))
25900 (certificate-configuration
25901 (domains '("bar.example.net")))))))
25904 See below for details about @code{certbot-configuration}.
25907 @deftp {Data Type} certbot-configuration
25908 Data type representing the configuration of the @code{certbot} service.
25909 This type has the following parameters:
25912 @item @code{package} (default: @code{certbot})
25913 The certbot package to use.
25915 @item @code{webroot} (default: @code{/var/www})
25916 The directory from which to serve the Let's Encrypt challenge/response
25919 @item @code{certificates} (default: @code{()})
25920 A list of @code{certificates-configuration}s for which to generate
25921 certificates and request signatures. Each certificate has a @code{name}
25922 and several @code{domains}.
25924 @item @code{email} (default: @code{#f})
25925 Optional email address used for registration and recovery contact.
25926 Setting this is encouraged as it allows you to receive important
25927 notifications about the account and issued certificates.
25929 @item @code{server} (default: @code{#f})
25930 Optional URL of ACME server. Setting this overrides certbot's default,
25931 which is the Let's Encrypt server.
25933 @item @code{rsa-key-size} (default: @code{2048})
25934 Size of the RSA key.
25936 @item @code{default-location} (default: @i{see below})
25937 The default @code{nginx-location-configuration}. Because @code{certbot}
25938 needs to be able to serve challenges and responses, it needs to be able
25939 to run a web server. It does so by extending the @code{nginx} web
25940 service with an @code{nginx-server-configuration} listening on the
25941 @var{domains} on port 80, and which has a
25942 @code{nginx-location-configuration} for the @code{/.well-known/} URI
25943 path subspace used by Let's Encrypt. @xref{Web Services}, for more on
25944 these nginx configuration data types.
25946 Requests to other URL paths will be matched by the
25947 @code{default-location}, which if present is added to all
25948 @code{nginx-server-configuration}s.
25950 By default, the @code{default-location} will issue a redirect from
25951 @code{http://@var{domain}/...} to @code{https://@var{domain}/...}, leaving
25952 you to define what to serve on your site via @code{https}.
25954 Pass @code{#f} to not issue a default location.
25958 @deftp {Data Type} certificate-configuration
25959 Data type representing the configuration of a certificate.
25960 This type has the following parameters:
25963 @item @code{name} (default: @i{see below})
25964 This name is used by Certbot for housekeeping and in file paths; it
25965 doesn't affect the content of the certificate itself. To see
25966 certificate names, run @code{certbot certificates}.
25968 Its default is the first provided domain.
25970 @item @code{domains} (default: @code{()})
25971 The first domain provided will be the subject CN of the certificate, and
25972 all domains will be Subject Alternative Names on the certificate.
25974 @item @code{challenge} (default: @code{#f})
25975 The challenge type that has to be run by certbot. If @code{#f} is specified,
25976 default to the HTTP challenge. If a value is specified, defaults to the
25977 manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and
25978 the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
25979 and gives Let's Encrypt permission to log the public IP address of the
25980 requesting machine.
25982 @item @code{csr} (default: @code{#f})
25983 File name of Certificate Signing Request (CSR) in DER or PEM format.
25984 If @code{#f} is specified, this argument will not be passed to certbot.
25985 If a value is specified, certbot will use it to obtain a certificate, instead of
25986 using a self-generated CSR.
25987 The domain-name(s) mentioned in @code{domains}, must be consistent with the
25988 domain-name(s) mentioned in CSR file.
25990 @item @code{authentication-hook} (default: @code{#f})
25991 Command to be run in a shell once for each certificate challenge to be
25992 answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
25993 will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
25994 contains the validation string and @code{$CERTBOT_TOKEN} contains the
25995 file name of the resource requested when performing an HTTP-01 challenge.
25997 @item @code{cleanup-hook} (default: @code{#f})
25998 Command to be run in a shell once for each certificate challenge that
25999 have been answered by the @code{auth-hook}. For this command, the shell
26000 variables available in the @code{auth-hook} script are still available, and
26001 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
26002 of the @code{auth-hook} script.
26004 @item @code{deploy-hook} (default: @code{#f})
26005 Command to be run in a shell once for each successfully issued
26006 certificate. For this command, the shell variable
26007 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
26008 example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
26009 certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
26010 contain a space-delimited list of renewed certificate domains (for
26011 example, @samp{"example.com www.example.com"}.
26016 For each @code{certificate-configuration}, the certificate is saved to
26017 @code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
26018 saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
26020 @subsection DNS Services
26021 @cindex DNS (domain name system)
26022 @cindex domain name system (DNS)
26024 The @code{(gnu services dns)} module provides services related to the
26025 @dfn{domain name system} (DNS). It provides a server service for hosting
26026 an @emph{authoritative} DNS server for multiple zones, slave or master.
26027 This service uses @uref{https://www.knot-dns.cz/, Knot DNS}. And also a
26028 caching and forwarding DNS server for the LAN, which uses
26029 @uref{http://www.thekelleys.org.uk/dnsmasq/doc.html, dnsmasq}.
26031 @subsubheading Knot Service
26033 An example configuration of an authoritative server for two zones, one master
26037 (define-zone-entries example.org.zone
26038 ;; Name TTL Class Type Data
26039 ("@@" "" "IN" "A" "127.0.0.1")
26040 ("@@" "" "IN" "NS" "ns")
26041 ("ns" "" "IN" "A" "127.0.0.1"))
26043 (define master-zone
26044 (knot-zone-configuration
26045 (domain "example.org")
26047 (origin "example.org")
26048 (entries example.org.zone)))))
26051 (knot-zone-configuration
26052 (domain "plop.org")
26053 (dnssec-policy "default")
26054 (master (list "plop-master"))))
26056 (define plop-master
26057 (knot-remote-configuration
26059 (address (list "208.76.58.171"))))
26063 (services (cons* (service knot-service-type
26064 (knot-configuration
26065 (remotes (list plop-master))
26066 (zones (list master-zone slave-zone))))
26071 @deffn {Scheme Variable} knot-service-type
26072 This is the type for the Knot DNS server.
26074 Knot DNS is an authoritative DNS server, meaning that it can serve multiple
26075 zones, that is to say domain names you would buy from a registrar. This server
26076 is not a resolver, meaning that it can only resolve names for which it is
26077 authoritative. This server can be configured to serve zones as a master server
26078 or a slave server as a per-zone basis. Slave zones will get their data from
26079 masters, and will serve it as an authoritative server. From the point of view
26080 of a resolver, there is no difference between master and slave.
26082 The following data types are used to configure the Knot DNS server:
26085 @deftp {Data Type} knot-key-configuration
26086 Data type representing a key.
26087 This type has the following parameters:
26090 @item @code{id} (default: @code{""})
26091 An identifier for other configuration fields to refer to this key. IDs must
26092 be unique and must not be empty.
26094 @item @code{algorithm} (default: @code{#f})
26095 The algorithm to use. Choose between @code{#f}, @code{'hmac-md5},
26096 @code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-sha384}
26097 and @code{'hmac-sha512}.
26099 @item @code{secret} (default: @code{""})
26100 The secret key itself.
26105 @deftp {Data Type} knot-acl-configuration
26106 Data type representing an Access Control List (ACL) configuration.
26107 This type has the following parameters:
26110 @item @code{id} (default: @code{""})
26111 An identifier for other configuration fields to refer to this key. IDs must be
26112 unique and must not be empty.
26114 @item @code{address} (default: @code{'()})
26115 An ordered list of IP addresses, network subnets, or network ranges represented
26116 with strings. The query must match one of them. Empty value means that
26117 address match is not required.
26119 @item @code{key} (default: @code{'()})
26120 An ordered list of references to keys represented with strings. The string
26121 must match a key ID defined in a @code{knot-key-configuration}. No key means
26122 that a key is not require to match that ACL.
26124 @item @code{action} (default: @code{'()})
26125 An ordered list of actions that are permitted or forbidden by this ACL@. Possible
26126 values are lists of zero or more elements from @code{'transfer}, @code{'notify}
26127 and @code{'update}.
26129 @item @code{deny?} (default: @code{#f})
26130 When true, the ACL defines restrictions. Listed actions are forbidden. When
26131 false, listed actions are allowed.
26136 @deftp {Data Type} zone-entry
26137 Data type representing a record entry in a zone file.
26138 This type has the following parameters:
26141 @item @code{name} (default: @code{"@@"})
26142 The name of the record. @code{"@@"} refers to the origin of the zone. Names
26143 are relative to the origin of the zone. For example, in the @code{example.org}
26144 zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.example.org}.
26145 Names ending with a dot are absolute, which means that @code{"ns.example.org."}
26146 refers to @code{ns.example.org}.
26148 @item @code{ttl} (default: @code{""})
26149 The Time-To-Live (TTL) of this record. If not set, the default TTL is used.
26151 @item @code{class} (default: @code{"IN"})
26152 The class of the record. Knot currently supports only @code{"IN"} and
26153 partially @code{"CH"}.
26155 @item @code{type} (default: @code{"A"})
26156 The type of the record. Common types include A (IPv4 address), AAAA (IPv6
26157 address), NS (Name Server) and MX (Mail eXchange). Many other types are
26160 @item @code{data} (default: @code{""})
26161 The data contained in the record. For instance an IP address associated with
26162 an A record, or a domain name associated with an NS record. Remember that
26163 domain names are relative to the origin unless they end with a dot.
26168 @deftp {Data Type} zone-file
26169 Data type representing the content of a zone file.
26170 This type has the following parameters:
26173 @item @code{entries} (default: @code{'()})
26174 The list of entries. The SOA record is taken care of, so you don't need to
26175 put it in the list of entries. This list should probably contain an entry
26176 for your primary authoritative DNS server. Other than using a list of entries
26177 directly, you can use @code{define-zone-entries} to define a object containing
26178 the list of entries more easily, that you can later pass to the @code{entries}
26179 field of the @code{zone-file}.
26181 @item @code{origin} (default: @code{""})
26182 The name of your zone. This parameter cannot be empty.
26184 @item @code{ns} (default: @code{"ns"})
26185 The domain of your primary authoritative DNS server. The name is relative to
26186 the origin, unless it ends with a dot. It is mandatory that this primary
26187 DNS server corresponds to an NS record in the zone and that it is associated
26188 to an IP address in the list of entries.
26190 @item @code{mail} (default: @code{"hostmaster"})
26191 An email address people can contact you at, as the owner of the zone. This
26192 is translated as @code{<mail>@@<origin>}.
26194 @item @code{serial} (default: @code{1})
26195 The serial number of the zone. As this is used to keep track of changes by
26196 both slaves and resolvers, it is mandatory that it @emph{never} decreases.
26197 Always increment it when you make a change in your zone.
26199 @item @code{refresh} (default: @code{(* 2 24 3600)})
26200 The frequency at which slaves will do a zone transfer. This value is a number
26201 of seconds. It can be computed by multiplications or with
26202 @code{(string->duration)}.
26204 @item @code{retry} (default: @code{(* 15 60)})
26205 The period after which a slave will retry to contact its master when it fails
26206 to do so a first time.
26208 @item @code{expiry} (default: @code{(* 14 24 3600)})
26209 Default TTL of records. Existing records are considered correct for at most
26210 this amount of time. After this period, resolvers will invalidate their cache
26211 and check again that it still exists.
26213 @item @code{nx} (default: @code{3600})
26214 Default TTL of inexistent records. This delay is usually short because you want
26215 your new domains to reach everyone quickly.
26220 @deftp {Data Type} knot-remote-configuration
26221 Data type representing a remote configuration.
26222 This type has the following parameters:
26225 @item @code{id} (default: @code{""})
26226 An identifier for other configuration fields to refer to this remote. IDs must
26227 be unique and must not be empty.
26229 @item @code{address} (default: @code{'()})
26230 An ordered list of destination IP addresses. Addresses are tried in sequence.
26231 An optional port can be given with the @@ separator. For instance:
26232 @code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53.
26234 @item @code{via} (default: @code{'()})
26235 An ordered list of source IP addresses. An empty list will have Knot choose
26236 an appropriate source IP@. An optional port can be given with the @@ separator.
26237 The default is to choose at random.
26239 @item @code{key} (default: @code{#f})
26240 A reference to a key, that is a string containing the identifier of a key
26241 defined in a @code{knot-key-configuration} field.
26246 @deftp {Data Type} knot-keystore-configuration
26247 Data type representing a keystore to hold dnssec keys.
26248 This type has the following parameters:
26251 @item @code{id} (default: @code{""})
26252 The id of the keystore. It must not be empty.
26254 @item @code{backend} (default: @code{'pem})
26255 The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}.
26257 @item @code{config} (default: @code{"/var/lib/knot/keys/keys"})
26258 The configuration string of the backend. An example for the PKCS#11 is:
26259 @code{"pkcs11:token=knot;pin-value=1234 /gnu/store/.../lib/pkcs11/libsofthsm2.so"}.
26260 For the pem backend, the string represents a path in the file system.
26265 @deftp {Data Type} knot-policy-configuration
26266 Data type representing a dnssec policy. Knot DNS is able to automatically
26267 sign your zones. It can either generate and manage your keys automatically or
26268 use keys that you generate.
26270 Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that is
26271 used to sign the second, and a Zone Signing Key (ZSK) that is used to sign the
26272 zone. In order to be trusted, the KSK needs to be present in the parent zone
26273 (usually a top-level domain). If your registrar supports dnssec, you will
26274 have to send them your KSK's hash so they can add a DS record in their zone.
26275 This is not automated and need to be done each time you change your KSK.
26277 The policy also defines the lifetime of keys. Usually, ZSK can be changed
26278 easily and use weaker cryptographic functions (they use lower parameters) in
26279 order to sign records quickly, so they are changed often. The KSK however
26280 requires manual interaction with the registrar, so they are changed less often
26281 and use stronger parameters because they sign only one record.
26283 This type has the following parameters:
26286 @item @code{id} (default: @code{""})
26287 The id of the policy. It must not be empty.
26289 @item @code{keystore} (default: @code{"default"})
26290 A reference to a keystore, that is a string containing the identifier of a
26291 keystore defined in a @code{knot-keystore-configuration} field. The
26292 @code{"default"} identifier means the default keystore (a kasp database that
26293 was setup by this service).
26295 @item @code{manual?} (default: @code{#f})
26296 Whether the key management is manual or automatic.
26298 @item @code{single-type-signing?} (default: @code{#f})
26299 When @code{#t}, use the Single-Type Signing Scheme.
26301 @item @code{algorithm} (default: @code{"ecdsap256sha256"})
26302 An algorithm of signing keys and issued signatures.
26304 @item @code{ksk-size} (default: @code{256})
26305 The length of the KSK@. Note that this value is correct for the default
26306 algorithm, but would be unsecure for other algorithms.
26308 @item @code{zsk-size} (default: @code{256})
26309 The length of the ZSK@. Note that this value is correct for the default
26310 algorithm, but would be unsecure for other algorithms.
26312 @item @code{dnskey-ttl} (default: @code{'default})
26313 The TTL value for DNSKEY records added into zone apex. The special
26314 @code{'default} value means same as the zone SOA TTL.
26316 @item @code{zsk-lifetime} (default: @code{(* 30 24 3600)})
26317 The period between ZSK publication and the next rollover initiation.
26319 @item @code{propagation-delay} (default: @code{(* 24 3600)})
26320 An extra delay added for each key rollover step. This value should be high
26321 enough to cover propagation of data from the master server to all slaves.
26323 @item @code{rrsig-lifetime} (default: @code{(* 14 24 3600)})
26324 A validity period of newly issued signatures.
26326 @item @code{rrsig-refresh} (default: @code{(* 7 24 3600)})
26327 A period how long before a signature expiration the signature will be refreshed.
26329 @item @code{nsec3?} (default: @code{#f})
26330 When @code{#t}, NSEC3 will be used instead of NSEC.
26332 @item @code{nsec3-iterations} (default: @code{5})
26333 The number of additional times the hashing is performed.
26335 @item @code{nsec3-salt-length} (default: @code{8})
26336 The length of a salt field in octets, which is appended to the original owner
26337 name before hashing.
26339 @item @code{nsec3-salt-lifetime} (default: @code{(* 30 24 3600)})
26340 The validity period of newly issued salt field.
26345 @deftp {Data Type} knot-zone-configuration
26346 Data type representing a zone served by Knot.
26347 This type has the following parameters:
26350 @item @code{domain} (default: @code{""})
26351 The domain served by this configuration. It must not be empty.
26353 @item @code{file} (default: @code{""})
26354 The file where this zone is saved. This parameter is ignored by master zones.
26355 Empty means default location that depends on the domain name.
26357 @item @code{zone} (default: @code{(zone-file)})
26358 The content of the zone file. This parameter is ignored by slave zones. It
26359 must contain a zone-file record.
26361 @item @code{master} (default: @code{'()})
26362 A list of master remotes. When empty, this zone is a master. When set, this
26363 zone is a slave. This is a list of remotes identifiers.
26365 @item @code{ddns-master} (default: @code{#f})
26366 The main master. When empty, it defaults to the first master in the list of
26369 @item @code{notify} (default: @code{'()})
26370 A list of slave remote identifiers.
26372 @item @code{acl} (default: @code{'()})
26373 A list of acl identifiers.
26375 @item @code{semantic-checks?} (default: @code{#f})
26376 When set, this adds more semantic checks to the zone.
26378 @item @code{disable-any?} (default: @code{#f})
26379 When set, this forbids queries of the ANY type.
26381 @item @code{zonefile-sync} (default: @code{0})
26382 The delay between a modification in memory and on disk. 0 means immediate
26385 @item @code{zonefile-load} (default: @code{#f})
26386 The way the zone file contents are applied during zone load. Possible values
26390 @item @code{#f} for using the default value from Knot,
26391 @item @code{'none} for not using the zone file at all,
26392 @item @code{'difference} for computing the difference between already available
26393 contents and zone contents and applying it to the current zone contents,
26394 @item @code{'difference-no-serial} for the same as @code{'difference}, but
26395 ignoring the SOA serial in the zone file, while the server takes care of it
26397 @item @code{'whole} for loading zone contents from the zone file.
26400 @item @code{journal-content} (default: @code{#f})
26401 The way the journal is used to store zone and its changes. Possible values
26402 are @code{'none} to not use it at all, @code{'changes} to store changes and
26403 @code{'all} to store contents. @code{#f} does not set this option, so the
26404 default value from Knot is used.
26406 @item @code{max-journal-usage} (default: @code{#f})
26407 The maximum size for the journal on disk. @code{#f} does not set this option,
26408 so the default value from Knot is used.
26410 @item @code{max-journal-depth} (default: @code{#f})
26411 The maximum size of the history. @code{#f} does not set this option, so the
26412 default value from Knot is used.
26414 @item @code{max-zone-size} (default: @code{#f})
26415 The maximum size of the zone file. This limit is enforced for incoming
26416 transfer and updates. @code{#f} does not set this option, so the default
26417 value from Knot is used.
26419 @item @code{dnssec-policy} (default: @code{#f})
26420 A reference to a @code{knot-policy-configuration} record, or the special
26421 name @code{"default"}. If the value is @code{#f}, there is no dnssec signing
26424 @item @code{serial-policy} (default: @code{'increment})
26425 A policy between @code{'increment} and @code{'unixtime}.
26430 @deftp {Data Type} knot-configuration
26431 Data type representing the Knot configuration.
26432 This type has the following parameters:
26435 @item @code{knot} (default: @code{knot})
26438 @item @code{run-directory} (default: @code{"/var/run/knot"})
26439 The run directory. This directory will be used for pid file and sockets.
26441 @item @code{includes} (default: @code{'()})
26442 A list of strings or file-like objects denoting other files that must be
26443 included at the top of the configuration file.
26445 @cindex secrets, Knot service
26446 This can be used to manage secrets out-of-band. For example, secret
26447 keys may be stored in an out-of-band file not managed by Guix, and
26448 thus not visible in @file{/gnu/store}---e.g., you could store secret
26449 key configuration in @file{/etc/knot/secrets.conf} and add this file
26450 to the @code{includes} list.
26452 One can generate a secret tsig key (for nsupdate and zone transfers with the
26453 keymgr command from the knot package. Note that the package is not automatically
26454 installed by the service. The following example shows how to generate a new
26458 keymgr -t mysecret > /etc/knot/secrets.conf
26459 chmod 600 /etc/knot/secrets.conf
26462 Also note that the generated key will be named @var{mysecret}, so it is the
26463 name that needs to be used in the @var{key} field of the
26464 @code{knot-acl-configuration} record and in other places that need to refer
26467 It can also be used to add configuration not supported by this interface.
26469 @item @code{listen-v4} (default: @code{"0.0.0.0"})
26470 An ip address on which to listen.
26472 @item @code{listen-v6} (default: @code{"::"})
26473 An ip address on which to listen.
26475 @item @code{listen-port} (default: @code{53})
26476 A port on which to listen.
26478 @item @code{keys} (default: @code{'()})
26479 The list of knot-key-configuration used by this configuration.
26481 @item @code{acls} (default: @code{'()})
26482 The list of knot-acl-configuration used by this configuration.
26484 @item @code{remotes} (default: @code{'()})
26485 The list of knot-remote-configuration used by this configuration.
26487 @item @code{zones} (default: @code{'()})
26488 The list of knot-zone-configuration used by this configuration.
26493 @subsubheading Knot Resolver Service
26495 @deffn {Scheme Variable} knot-resolver-service-type
26496 This is the type of the knot resolver service, whose value should be
26497 an @code{knot-resolver-configuration} object as in this example:
26500 (service knot-resolver-service-type
26501 (knot-resolver-configuration
26502 (kresd-config-file (plain-file "kresd.conf" "
26503 net.listen('192.168.0.1', 5353)
26504 user('knot-resolver', 'knot-resolver')
26505 modules = @{ 'hints > iterate', 'stats', 'predict' @}
26506 cache.size = 100 * MB
26510 For more information, refer its @url{https://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration, manual}.
26513 @deftp {Data Type} knot-resolver-configuration
26514 Data type representing the configuration of knot-resolver.
26517 @item @code{package} (default: @var{knot-resolver})
26518 Package object of the knot DNS resolver.
26520 @item @code{kresd-config-file} (default: %kresd.conf)
26521 File-like object of the kresd configuration file to use, by default it
26522 will listen on @code{127.0.0.1} and @code{::1}.
26524 @item @code{garbage-collection-interval} (default: 1000)
26525 Number of milliseconds for @code{kres-cache-gc} to periodically trim the cache.
26531 @subsubheading Dnsmasq Service
26533 @deffn {Scheme Variable} dnsmasq-service-type
26534 This is the type of the dnsmasq service, whose value should be an
26535 @code{dnsmasq-configuration} object as in this example:
26538 (service dnsmasq-service-type
26539 (dnsmasq-configuration
26541 (servers '("192.168.1.1"))))
26545 @deftp {Data Type} dnsmasq-configuration
26546 Data type representing the configuration of dnsmasq.
26549 @item @code{package} (default: @var{dnsmasq})
26550 Package object of the dnsmasq server.
26552 @item @code{no-hosts?} (default: @code{#f})
26553 When true, don't read the hostnames in /etc/hosts.
26555 @item @code{port} (default: @code{53})
26556 The port to listen on. Setting this to zero completely disables DNS
26557 responses, leaving only DHCP and/or TFTP functions.
26559 @item @code{local-service?} (default: @code{#t})
26560 Accept DNS queries only from hosts whose address is on a local subnet,
26561 ie a subnet for which an interface exists on the server.
26563 @item @code{listen-addresses} (default: @code{'()})
26564 Listen on the given IP addresses.
26566 @item @code{resolv-file} (default: @code{"/etc/resolv.conf"})
26567 The file to read the IP address of the upstream nameservers from.
26569 @item @code{no-resolv?} (default: @code{#f})
26570 When true, don't read @var{resolv-file}.
26572 @item @code{servers} (default: @code{'()})
26573 Specify IP address of upstream servers directly.
26575 @item @code{addresses} (default: @code{'()})
26576 For each entry, specify an IP address to return for any host in the
26577 given domains. Queries in the domains are never forwarded and always
26578 replied to with the specified IP address.
26580 This is useful for redirecting hosts locally, for example:
26583 (service dnsmasq-service-type
26584 (dnsmasq-configuration
26586 '(; Redirect to a local web-server.
26587 "/example.org/127.0.0.1"
26588 ; Redirect subdomain to a specific IP.
26589 "/subdomain.example.org/192.168.1.42"))))
26592 Note that rules in @file{/etc/hosts} take precedence over this.
26594 @item @code{cache-size} (default: @code{150})
26595 Set the size of dnsmasq's cache. Setting the cache size to zero
26598 @item @code{negative-cache?} (default: @code{#t})
26599 When false, disable negative caching.
26601 @item @code{tftp-enable?} (default: @code{#f})
26602 Whether to enable the built-in TFTP server.
26604 @item @code{tftp-no-fail?} (default: @code{#f})
26605 If true, does not fail dnsmasq if the TFTP server could not start up.
26607 @item @code{tftp-single-port?} (default: @code{#f})
26608 Whether to use only one single port for TFTP.
26610 @item @code{tftp-secure?} (default: @code{#f})
26611 If true, only files owned by the user running the dnsmasq process are accessible.
26613 If dnsmasq is being run as root, different rules apply:
26614 @code{tftp-secure?} has no effect, but only files which have the
26615 world-readable bit set are accessible.
26617 @item @code{tftp-max} (default: @code{#f})
26618 If set, sets the maximal number of concurrent connections allowed.
26620 @item @code{tftp-mtu} (default: @code{#f})
26621 If set, sets the MTU for TFTP packets to that value.
26623 @item @code{tftp-no-blocksize?} (default: @code{#f})
26624 If true, stops the TFTP server from negotiating the blocksize with a client.
26626 @item @code{tftp-lowercase?} (default: @code{#f})
26627 Whether to convert all filenames in TFTP requests to lowercase.
26629 @item @code{tftp-port-range} (default: @code{#f})
26630 If set, fixes the dynamical ports (one per client) to the given range
26631 (@code{"<start>,<end>"}).
26633 @item @code{tftp-root} (default: @code{/var/empty,lo})
26634 Look for files to transfer using TFTP relative to the given directory.
26635 When this is set, TFTP paths which include @samp{..} are rejected, to stop clients
26636 getting outside the specified root. Absolute paths (starting with @samp{/}) are
26637 allowed, but they must be within the TFTP-root. If the optional interface
26638 argument is given, the directory is only used for TFTP requests via that
26641 @item @code{tftp-unique-root} (default: @code{#f})
26642 If set, add the IP or hardware address of the TFTP client as a path component
26643 on the end of the TFTP-root. Only valid if a TFTP root is set and the
26644 directory exists. Defaults to adding IP address (in standard dotted-quad
26647 For instance, if @option{--tftp-root} is @samp{/tftp} and client
26648 @samp{1.2.3.4} requests file @file{myfile} then the effective path will
26649 be @file{/tftp/1.2.3.4/myfile} if @file{/tftp/1.2.3.4} exists or
26650 @file{/tftp/myfile} otherwise. When @samp{=mac} is specified it will
26651 append the MAC address instead, using lowercase zero padded digits
26652 separated by dashes, e.g.: @samp{01-02-03-04-aa-bb}. Note that
26653 resolving MAC addresses is only possible if the client is in the local
26654 network or obtained a DHCP lease from dnsmasq.
26659 @subsubheading ddclient Service
26662 The ddclient service described below runs the ddclient daemon, which takes
26663 care of automatically updating DNS entries for service providers such as
26664 @uref{https://dyn.com/dns/, Dyn}.
26666 The following example show instantiates the service with its default
26670 (service ddclient-service-type)
26673 Note that ddclient needs to access credentials that are stored in a
26674 @dfn{secret file}, by default @file{/etc/ddclient/secrets} (see
26675 @code{secret-file} below). You are expected to create this file manually, in
26676 an ``out-of-band'' fashion (you @emph{could} make this file part of the
26677 service configuration, for instance by using @code{plain-file}, but it will be
26678 world-readable @i{via} @file{/gnu/store}). See the examples in the
26679 @file{share/ddclient} directory of the @code{ddclient} package.
26681 @c %start of fragment
26683 Available @code{ddclient-configuration} fields are:
26685 @deftypevr {@code{ddclient-configuration} parameter} package ddclient
26686 The ddclient package.
26690 @deftypevr {@code{ddclient-configuration} parameter} integer daemon
26691 The period after which ddclient will retry to check IP and domain name.
26693 Defaults to @samp{300}.
26697 @deftypevr {@code{ddclient-configuration} parameter} boolean syslog
26698 Use syslog for the output.
26700 Defaults to @samp{#t}.
26704 @deftypevr {@code{ddclient-configuration} parameter} string mail
26707 Defaults to @samp{"root"}.
26711 @deftypevr {@code{ddclient-configuration} parameter} string mail-failure
26712 Mail failed update to user.
26714 Defaults to @samp{"root"}.
26718 @deftypevr {@code{ddclient-configuration} parameter} string pid
26719 The ddclient PID file.
26721 Defaults to @samp{"/var/run/ddclient/ddclient.pid"}.
26725 @deftypevr {@code{ddclient-configuration} parameter} boolean ssl
26726 Enable SSL support.
26728 Defaults to @samp{#t}.
26732 @deftypevr {@code{ddclient-configuration} parameter} string user
26733 Specifies the user name or ID that is used when running ddclient
26736 Defaults to @samp{"ddclient"}.
26740 @deftypevr {@code{ddclient-configuration} parameter} string group
26741 Group of the user who will run the ddclient program.
26743 Defaults to @samp{"ddclient"}.
26747 @deftypevr {@code{ddclient-configuration} parameter} string secret-file
26748 Secret file which will be appended to @file{ddclient.conf} file. This
26749 file contains credentials for use by ddclient. You are expected to
26750 create it manually.
26752 Defaults to @samp{"/etc/ddclient/secrets.conf"}.
26756 @deftypevr {@code{ddclient-configuration} parameter} list extra-options
26757 Extra options will be appended to @file{ddclient.conf} file.
26759 Defaults to @samp{()}.
26764 @c %end of fragment
26768 @subsection VPN Services
26769 @cindex VPN (virtual private network)
26770 @cindex virtual private network (VPN)
26772 The @code{(gnu services vpn)} module provides services related to
26773 @dfn{virtual private networks} (VPNs).
26775 @subsubheading OpenVPN
26777 It provides a @emph{client} service for your machine to connect to a
26778 VPN, and a @emph{server} service for your machine to host a VPN@.
26780 @deffn {Scheme Procedure} openvpn-client-service @
26781 [#:config (openvpn-client-configuration)]
26783 Return a service that runs @command{openvpn}, a VPN daemon, as a client.
26786 @deffn {Scheme Procedure} openvpn-server-service @
26787 [#:config (openvpn-server-configuration)]
26789 Return a service that runs @command{openvpn}, a VPN daemon, as a server.
26791 Both can be run simultaneously.
26794 @c %automatically generated documentation
26796 Available @code{openvpn-client-configuration} fields are:
26798 @deftypevr {@code{openvpn-client-configuration} parameter} package openvpn
26799 The OpenVPN package.
26803 @deftypevr {@code{openvpn-client-configuration} parameter} string pid-file
26804 The OpenVPN pid file.
26806 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
26810 @deftypevr {@code{openvpn-client-configuration} parameter} proto proto
26811 The protocol (UDP or TCP) used to open a channel between clients and
26814 Defaults to @samp{udp}.
26818 @deftypevr {@code{openvpn-client-configuration} parameter} dev dev
26819 The device type used to represent the VPN connection.
26821 Defaults to @samp{tun}.
26825 If you do not have some of these files (eg.@: you use a username and
26826 password), you can disable any of the following three fields by setting
26827 it to @code{'disabled}.
26829 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string ca
26830 The certificate authority to check connections against.
26832 Defaults to @samp{"/etc/openvpn/ca.crt"}.
26836 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string cert
26837 The certificate of the machine the daemon is running on. It should be
26838 signed by the authority given in @code{ca}.
26840 Defaults to @samp{"/etc/openvpn/client.crt"}.
26844 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string key
26845 The key of the machine the daemon is running on. It must be the key whose
26846 certificate is @code{cert}.
26848 Defaults to @samp{"/etc/openvpn/client.key"}.
26852 @deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo?
26853 Whether to use the lzo compression algorithm.
26855 Defaults to @samp{#t}.
26859 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key?
26860 Don't re-read key files across SIGUSR1 or --ping-restart.
26862 Defaults to @samp{#t}.
26866 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun?
26867 Don't close and reopen TUN/TAP device or run up/down scripts across
26868 SIGUSR1 or --ping-restart restarts.
26870 Defaults to @samp{#t}.
26874 @deftypevr {@code{openvpn-client-configuration} parameter} boolean fast-io?
26875 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
26876 poll/epoll/select prior to the write operation.
26878 Defaults to @samp{#f}.
26881 @deftypevr {@code{openvpn-client-configuration} parameter} number verbosity
26884 Defaults to @samp{3}.
26888 @deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth
26889 Add an additional layer of HMAC authentication on top of the TLS control
26890 channel to protect against DoS attacks.
26892 Defaults to @samp{#f}.
26896 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string auth-user-pass
26897 Authenticate with server using username/password. The option is a file
26898 containing username/password on 2 lines. Do not use a file-like object as it
26899 would be added to the store and readable by any user.
26901 Defaults to @samp{'disabled}.
26904 @deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage?
26905 Whether to check the server certificate has server usage extension.
26907 Defaults to @samp{#t}.
26911 @deftypevr {@code{openvpn-client-configuration} parameter} bind bind?
26912 Bind to a specific local port number.
26914 Defaults to @samp{#f}.
26918 @deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry?
26919 Retry resolving server address.
26921 Defaults to @samp{#t}.
26925 @deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote
26926 A list of remote servers to connect to.
26928 Defaults to @samp{()}.
26930 Available @code{openvpn-remote-configuration} fields are:
26932 @deftypevr {@code{openvpn-remote-configuration} parameter} string name
26935 Defaults to @samp{"my-server"}.
26939 @deftypevr {@code{openvpn-remote-configuration} parameter} number port
26940 Port number the server listens to.
26942 Defaults to @samp{1194}.
26947 @c %end of automatic openvpn-client documentation
26949 @c %automatically generated documentation
26951 Available @code{openvpn-server-configuration} fields are:
26953 @deftypevr {@code{openvpn-server-configuration} parameter} package openvpn
26954 The OpenVPN package.
26958 @deftypevr {@code{openvpn-server-configuration} parameter} string pid-file
26959 The OpenVPN pid file.
26961 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
26965 @deftypevr {@code{openvpn-server-configuration} parameter} proto proto
26966 The protocol (UDP or TCP) used to open a channel between clients and
26969 Defaults to @samp{udp}.
26973 @deftypevr {@code{openvpn-server-configuration} parameter} dev dev
26974 The device type used to represent the VPN connection.
26976 Defaults to @samp{tun}.
26980 If you do not have some of these files (eg.@: you use a username and
26981 password), you can disable any of the following three fields by setting
26982 it to @code{'disabled}.
26984 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string ca
26985 The certificate authority to check connections against.
26987 Defaults to @samp{"/etc/openvpn/ca.crt"}.
26991 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string cert
26992 The certificate of the machine the daemon is running on. It should be
26993 signed by the authority given in @code{ca}.
26995 Defaults to @samp{"/etc/openvpn/client.crt"}.
26999 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string key
27000 The key of the machine the daemon is running on. It must be the key whose
27001 certificate is @code{cert}.
27003 Defaults to @samp{"/etc/openvpn/client.key"}.
27007 @deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo?
27008 Whether to use the lzo compression algorithm.
27010 Defaults to @samp{#t}.
27014 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key?
27015 Don't re-read key files across SIGUSR1 or --ping-restart.
27017 Defaults to @samp{#t}.
27021 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun?
27022 Don't close and reopen TUN/TAP device or run up/down scripts across
27023 SIGUSR1 or --ping-restart restarts.
27025 Defaults to @samp{#t}.
27029 @deftypevr {@code{openvpn-server-configuration} parameter} boolean fast-io?
27030 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
27031 poll/epoll/select prior to the write operation.
27033 Defaults to @samp{#f}.
27036 @deftypevr {@code{openvpn-server-configuration} parameter} number verbosity
27039 Defaults to @samp{3}.
27043 @deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth
27044 Add an additional layer of HMAC authentication on top of the TLS control
27045 channel to protect against DoS attacks.
27047 Defaults to @samp{#f}.
27051 @deftypevr {@code{openvpn-server-configuration} parameter} number port
27052 Specifies the port number on which the server listens.
27054 Defaults to @samp{1194}.
27058 @deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server
27059 An ip and mask specifying the subnet inside the virtual network.
27061 Defaults to @samp{"10.8.0.0 255.255.255.0"}.
27065 @deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6
27066 A CIDR notation specifying the IPv6 subnet inside the virtual network.
27068 Defaults to @samp{#f}.
27072 @deftypevr {@code{openvpn-server-configuration} parameter} string dh
27073 The Diffie-Hellman parameters file.
27075 Defaults to @samp{"/etc/openvpn/dh2048.pem"}.
27079 @deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist
27080 The file that records client IPs.
27082 Defaults to @samp{"/etc/openvpn/ipp.txt"}.
27086 @deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway?
27087 When true, the server will act as a gateway for its clients.
27089 Defaults to @samp{#f}.
27093 @deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client?
27094 When true, clients are allowed to talk to each other inside the VPN.
27096 Defaults to @samp{#f}.
27100 @deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive
27101 Causes ping-like messages to be sent back and forth over the link so
27102 that each side knows when the other side has gone down. @code{keepalive}
27103 requires a pair. The first element is the period of the ping sending,
27104 and the second element is the timeout before considering the other side
27109 @deftypevr {@code{openvpn-server-configuration} parameter} number max-clients
27110 The maximum number of clients.
27112 Defaults to @samp{100}.
27116 @deftypevr {@code{openvpn-server-configuration} parameter} string status
27117 The status file. This file shows a small report on current connection.
27118 It is truncated and rewritten every minute.
27120 Defaults to @samp{"/var/run/openvpn/status"}.
27124 @deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir
27125 The list of configuration for some clients.
27127 Defaults to @samp{()}.
27129 Available @code{openvpn-ccd-configuration} fields are:
27131 @deftypevr {@code{openvpn-ccd-configuration} parameter} string name
27134 Defaults to @samp{"client"}.
27138 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute
27141 Defaults to @samp{#f}.
27145 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push
27148 Defaults to @samp{#f}.
27154 @c %end of automatic openvpn-server documentation
27156 @subheading strongSwan
27158 Currently, the strongSwan service only provides legacy-style configuration with
27159 @file{ipsec.conf} and @file{ipsec.secrets} files.
27161 @defvr {Scheme Variable} strongswan-service-type
27162 A service type for configuring strongSwan for IPsec @acronym{VPN,
27163 Virtual Private Networking}. Its value must be a
27164 @code{strongswan-configuration} record as in this example:
27167 (service strongswan-service-type
27168 (strongswan-configuration
27169 (ipsec-conf "/etc/ipsec.conf")
27170 (ipsec-secrets "/etc/ipsec.secrets")))
27175 @deftp {Data Type} strongswan-configuration
27176 Data type representing the configuration of the StrongSwan service.
27179 @item @code{strongswan}
27180 The strongSwan package to use for this service.
27182 @item @code{ipsec-conf} (default: @code{#f})
27183 The file name of your @file{ipsec.conf}. If not @code{#f}, then this and
27184 @code{ipsec-secrets} must both be strings.
27186 @item @code{ipsec-secrets} (default @code{#f})
27187 The file name of your @file{ipsec.secrets}. If not @code{#f}, then this and
27188 @code{ipsec-conf} must both be strings.
27193 @subsubheading Wireguard
27195 @defvr {Scheme Variable} wireguard-service-type
27196 A service type for a Wireguard tunnel interface. Its value must be a
27197 @code{wireguard-configuration} record as in this example:
27200 (service wireguard-service-type
27201 (wireguard-configuration
27206 (endpoint "my.wireguard.com:51820")
27207 (public-key "hzpKg9X1yqu1axN6iJp0mWf6BZGo8m1wteKwtTmDGF4=")
27208 (allowed-ips '("10.0.0.2/32")))))))
27213 @deftp {Data Type} wireguard-configuration
27214 Data type representing the configuration of the Wireguard service.
27217 @item @code{wireguard}
27218 The wireguard package to use for this service.
27220 @item @code{interface} (default: @code{"wg0"})
27221 The interface name for the VPN.
27223 @item @code{addresses} (default: @code{'("10.0.0.1/32")})
27224 The IP addresses to be assigned to the above interface.
27226 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
27227 The private key file for the interface. It is automatically generated if
27228 the file does not exist.
27230 @item @code{peers} (default: @code{'()})
27231 The authorized peers on this interface. This is a list of
27232 @var{wireguard-peer} records.
27237 @deftp {Data Type} wireguard-peer
27238 Data type representing a Wireguard peer attached to a given interface.
27244 @item @code{endpoint} (default: @code{#f})
27245 The optional endpoint for the peer, such as
27246 @code{"demo.wireguard.com:51820"}.
27248 @item @code{public-key}
27249 The peer public-key represented as a base64 string.
27251 @item @code{allowed-ips}
27252 A list of IP addresses from which incoming traffic for this peer is
27253 allowed and to which incoming traffic for this peer is directed.
27255 @item @code{keep-alive} (default: @code{#f})
27256 An optional time interval in seconds. A packet will be sent to the
27257 server endpoint once per time interval. This helps receiving
27258 incoming connections from this peer when you are behind a NAT or
27264 @node Network File System
27265 @subsection Network File System
27268 The @code{(gnu services nfs)} module provides the following services,
27269 which are most commonly used in relation to mounting or exporting
27270 directory trees as @dfn{network file systems} (NFS).
27272 While it is possible to use the individual components that together make
27273 up a Network File System service, we recommended to configure an NFS
27274 server with the @code{nfs-service-type}.
27276 @subsubheading NFS Service
27277 @cindex NFS, server
27279 The NFS service takes care of setting up all NFS component services,
27280 kernel configuration file systems, and installs configuration files in
27281 the locations that NFS expects.
27283 @defvr {Scheme Variable} nfs-service-type
27284 A service type for a complete NFS server.
27287 @deftp {Data Type} nfs-configuration
27288 This data type represents the configuration of the NFS service and all
27291 It has the following parameters:
27293 @item @code{nfs-utils} (default: @code{nfs-utils})
27294 The nfs-utils package to use.
27296 @item @code{nfs-versions} (default: @code{'("4.2" "4.1" "4.0")})
27297 If a list of string values is provided, the @command{rpc.nfsd} daemon
27298 will be limited to supporting the given versions of the NFS protocol.
27300 @item @code{exports} (default: @code{'()})
27301 This is a list of directories the NFS server should export. Each entry
27302 is a list consisting of two elements: a directory name and a string
27303 containing all options. This is an example in which the directory
27304 @file{/export} is served to all NFS clients as a read-only share:
27310 "*(ro,insecure,no_subtree_check,crossmnt,fsid=0)"))))
27313 @item @code{rpcmountd-port} (default: @code{#f})
27314 The network port that the @command{rpc.mountd} daemon should use.
27316 @item @code{rpcstatd-port} (default: @code{#f})
27317 The network port that the @command{rpc.statd} daemon should use.
27319 @item @code{rpcbind} (default: @code{rpcbind})
27320 The rpcbind package to use.
27322 @item @code{idmap-domain} (default: @code{"localdomain"})
27323 The local NFSv4 domain name.
27325 @item @code{nfsd-port} (default: @code{2049})
27326 The network port that the @command{nfsd} daemon should use.
27328 @item @code{nfsd-threads} (default: @code{8})
27329 The number of threads used by the @command{nfsd} daemon.
27331 @item @code{nfsd-tcp?} (default: @code{#t})
27332 Whether the @command{nfsd} daemon should listen on a TCP socket.
27334 @item @code{nfsd-udp?} (default: @code{#f})
27335 Whether the @command{nfsd} daemon should listen on a UDP socket.
27337 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27338 The directory where the pipefs file system is mounted.
27340 @item @code{debug} (default: @code{'()"})
27341 A list of subsystems for which debugging output should be enabled. This
27342 is a list of symbols. Any of these symbols are valid: @code{nfsd},
27343 @code{nfs}, @code{rpc}, @code{idmap}, @code{statd}, or @code{mountd}.
27347 If you don't need a complete NFS service or prefer to build it yourself
27348 you can use the individual component services that are documented below.
27350 @subsubheading RPC Bind Service
27353 The RPC Bind service provides a facility to map program numbers into
27354 universal addresses.
27355 Many NFS related services use this facility. Hence it is automatically
27356 started when a dependent service starts.
27358 @defvr {Scheme Variable} rpcbind-service-type
27359 A service type for the RPC portmapper daemon.
27363 @deftp {Data Type} rpcbind-configuration
27364 Data type representing the configuration of the RPC Bind Service.
27365 This type has the following parameters:
27367 @item @code{rpcbind} (default: @code{rpcbind})
27368 The rpcbind package to use.
27370 @item @code{warm-start?} (default: @code{#t})
27371 If this parameter is @code{#t}, then the daemon will read a
27372 state file on startup thus reloading state information saved by a previous
27378 @subsubheading Pipefs Pseudo File System
27382 The pipefs file system is used to transfer NFS related data
27383 between the kernel and user space programs.
27385 @defvr {Scheme Variable} pipefs-service-type
27386 A service type for the pipefs pseudo file system.
27389 @deftp {Data Type} pipefs-configuration
27390 Data type representing the configuration of the pipefs pseudo file system service.
27391 This type has the following parameters:
27393 @item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27394 The directory to which the file system is to be attached.
27399 @subsubheading GSS Daemon Service
27402 @cindex global security system
27404 The @dfn{global security system} (GSS) daemon provides strong security for RPC
27406 Before exchanging RPC requests an RPC client must establish a security
27407 context. Typically this is done using the Kerberos command @command{kinit}
27408 or automatically at login time using PAM services (@pxref{Kerberos Services}).
27410 @defvr {Scheme Variable} gss-service-type
27411 A service type for the Global Security System (GSS) daemon.
27414 @deftp {Data Type} gss-configuration
27415 Data type representing the configuration of the GSS daemon service.
27416 This type has the following parameters:
27418 @item @code{nfs-utils} (default: @code{nfs-utils})
27419 The package in which the @command{rpc.gssd} command is to be found.
27421 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27422 The directory where the pipefs file system is mounted.
27428 @subsubheading IDMAP Daemon Service
27430 @cindex name mapper
27432 The idmap daemon service provides mapping between user IDs and user names.
27433 Typically it is required in order to access file systems mounted via NFSv4.
27435 @defvr {Scheme Variable} idmap-service-type
27436 A service type for the Identity Mapper (IDMAP) daemon.
27439 @deftp {Data Type} idmap-configuration
27440 Data type representing the configuration of the IDMAP daemon service.
27441 This type has the following parameters:
27443 @item @code{nfs-utils} (default: @code{nfs-utils})
27444 The package in which the @command{rpc.idmapd} command is to be found.
27446 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27447 The directory where the pipefs file system is mounted.
27449 @item @code{domain} (default: @code{#f})
27450 The local NFSv4 domain name.
27451 This must be a string or @code{#f}.
27452 If it is @code{#f} then the daemon will use the host's fully qualified domain name.
27454 @item @code{verbosity} (default: @code{0})
27455 The verbosity level of the daemon.
27460 @node Continuous Integration
27461 @subsection Continuous Integration
27463 @cindex continuous integration
27464 @uref{https://guix.gnu.org/cuirass/, Cuirass} is a continuous
27465 integration tool for Guix. It can be used both for development and for
27466 providing substitutes to others (@pxref{Substitutes}).
27468 The @code{(gnu services cuirass)} module provides the following service.
27470 @defvr {Scheme Procedure} cuirass-service-type
27471 The type of the Cuirass service. Its value must be a
27472 @code{cuirass-configuration} object, as described below.
27475 To add build jobs, you have to set the @code{specifications} field of
27476 the configuration. For instance, the following example will build all
27477 the packages provided by the @code{my-channel} channel.
27480 (define %cuirass-specs
27481 #~(list (specification
27482 (name "my-channel")
27483 (build '(channels my-channel))
27487 (url "https://my-channel.git"))
27488 %default-channels)))))
27490 (service cuirass-service-type
27491 (cuirass-configuration
27492 (specifications %cuirass-specs)))
27495 To build the @code{linux-libre} package defined by the default Guix
27496 channel, one can use the following configuration.
27499 (define %cuirass-specs
27500 #~(list (specification
27502 (build '(packages "linux-libre")))))
27504 (service cuirass-service-type
27505 (cuirass-configuration
27506 (specifications %cuirass-specs)))
27509 The other configuration possibilities, as well as the specification
27510 record itself are described in the Cuirass manual
27511 (@pxref{Specifications,,, cuirass, Cuirass}).
27513 While information related to build jobs is located directly in the
27514 specifications, global settings for the @command{cuirass} process are
27515 accessible in other @code{cuirass-configuration} fields.
27517 @deftp {Data Type} cuirass-configuration
27518 Data type representing the configuration of Cuirass.
27521 @item @code{cuirass} (default: @code{cuirass})
27522 The Cuirass package to use.
27524 @item @code{log-file} (default: @code{"/var/log/cuirass.log"})
27525 Location of the log file.
27527 @item @code{web-log-file} (default: @code{"/var/log/cuirass-web.log"})
27528 Location of the log file used by the web interface.
27530 @item @code{cache-directory} (default: @code{"/var/cache/cuirass"})
27531 Location of the repository cache.
27533 @item @code{user} (default: @code{"cuirass"})
27534 Owner of the @code{cuirass} process.
27536 @item @code{group} (default: @code{"cuirass"})
27537 Owner's group of the @code{cuirass} process.
27539 @item @code{interval} (default: @code{60})
27540 Number of seconds between the poll of the repositories followed by the
27543 @item @code{parameters} (default: @code{#f})
27544 Read parameters from the given @var{parameters} file. The supported
27545 parameters are described here (@pxref{Parameters,,, cuirass, Cuirass}).
27547 @item @code{remote-server} (default: @code{#f})
27548 A @code{cuirass-remote-server-configuration} record to use the build
27549 remote mechanism or @code{#f} to use the default build mechanism.
27551 @item @code{database} (default: @code{"dbname=cuirass host=/var/run/postgresql"})
27552 Use @var{database} as the database containing the jobs and the past
27553 build results. Since Cuirass uses PostgreSQL as a database engine,
27554 @var{database} must be a string such as @code{"dbname=cuirass
27557 @item @code{port} (default: @code{8081})
27558 Port number used by the HTTP server.
27560 @item @code{host} (default: @code{"localhost"})
27561 Listen on the network interface for @var{host}. The default is to
27562 accept connections from localhost.
27564 @item @code{specifications} (default: @code{#~'()})
27565 A gexp (@pxref{G-Expressions}) that evaluates to a list of
27566 specifications records. The specification record is described in the
27567 Cuirass manual (@pxref{Specifications,,, cuirass, Cuirass}).
27569 @item @code{use-substitutes?} (default: @code{#f})
27570 This allows using substitutes to avoid building every dependencies of a job
27573 @item @code{one-shot?} (default: @code{#f})
27574 Only evaluate specifications and build derivations once.
27576 @item @code{fallback?} (default: @code{#f})
27577 When substituting a pre-built binary fails, fall back to building
27580 @item @code{extra-options} (default: @code{'()})
27581 Extra options to pass when running the Cuirass processes.
27586 @cindex remote build
27587 @subsubheading Cuirass remote building
27589 Cuirass supports two mechanisms to build derivations.
27592 @item Using the local Guix daemon.
27593 This is the default build mechanism. Once the build jobs are
27594 evaluated, they are sent to the local Guix daemon. Cuirass then
27595 listens to the Guix daemon output to detect the various build events.
27597 @item Using the remote build mechanism.
27598 The build jobs are not submitted to the local Guix daemon. Instead, a
27599 remote server dispatches build requests to the connect remote workers,
27600 according to the build priorities.
27604 To enable this build mode a @code{cuirass-remote-server-configuration}
27605 record must be passed as @code{remote-server} argument of the
27606 @code{cuirass-configuration} record. The
27607 @code{cuirass-remote-server-configuration} record is described below.
27609 This build mode scales way better than the default build mode. This is
27610 the build mode that is used on the GNU Guix build farm at
27611 @url{https://ci.guix.gnu.org}. It should be preferred when using
27612 Cuirass to build large amount of packages.
27614 @deftp {Data Type} cuirass-remote-server-configuration
27615 Data type representing the configuration of the Cuirass remote-server.
27618 @item @code{backend-port} (default: @code{5555})
27619 The TCP port for communicating with @code{remote-worker} processes
27620 using ZMQ. It defaults to @code{5555}.
27622 @item @code{log-port} (default: @code{5556})
27623 The TCP port of the log server. It defaults to @code{5556}.
27625 @item @code{publish-port} (default: @code{5557})
27626 The TCP port of the publish server. It defaults to @code{5557}.
27628 @item @code{log-file} (default: @code{"/var/log/cuirass-remote-server.log"})
27629 Location of the log file.
27631 @item @code{cache} (default: @code{"/var/cache/cuirass/remote"})
27632 Use @var{cache} directory to cache build log files.
27634 @item @code{trigger-url} (default: @code{#f})
27635 Once a substitute is successfully fetched, trigger substitute baking at
27638 @item @code{public-key}
27639 @item @code{private-key}
27640 Use the specific @var{file}s as the public/private key pair used to sign
27641 the store items being published.
27646 At least one remote worker must also be started on any machine of the
27647 local network to actually perform the builds and report their status.
27649 @deftp {Data Type} cuirass-remote-worker-configuration
27650 Data type representing the configuration of the Cuirass remote-worker.
27653 @item @code{cuirass} (default: @code{cuirass})
27654 The Cuirass package to use.
27656 @item @code{workers} (default: @code{1})
27657 Start @var{workers} parallel workers.
27659 @item @code{server} (default: @code{#f})
27660 Do not use Avahi discovery and connect to the given @code{server} IP
27663 @item @code{systems} (default: @code{(list (%current-system))})
27664 Only request builds for the given @var{systems}.
27666 @item @code{log-file} (default: @code{"/var/log/cuirass-remote-worker.log"})
27667 Location of the log file.
27669 @item @code{publish-port} (default: @code{5558})
27670 The TCP port of the publish server. It defaults to @code{5558}.
27672 @item @code{public-key}
27673 @item @code{private-key}
27674 Use the specific @var{file}s as the public/private key pair used to sign
27675 the store items being published.
27680 @subsubheading Laminar
27682 @uref{https://laminar.ohwg.net/, Laminar} is a lightweight and modular
27683 Continuous Integration service. It doesn't have a configuration web UI
27684 instead uses version-controllable configuration files and scripts.
27686 Laminar encourages the use of existing tools such as bash and cron
27687 instead of reinventing them.
27689 @defvr {Scheme Procedure} laminar-service-type
27690 The type of the Laminar service. Its value must be a
27691 @code{laminar-configuration} object, as described below.
27693 All configuration values have defaults, a minimal configuration to get
27694 Laminar running is shown below. By default, the web interface is
27695 available on port 8080.
27698 (service laminar-service-type)
27702 @deftp {Data Type} laminar-configuration
27703 Data type representing the configuration of Laminar.
27706 @item @code{laminar} (default: @code{laminar})
27707 The Laminar package to use.
27709 @item @code{home-directory} (default: @code{"/var/lib/laminar"})
27710 The directory for job configurations and run directories.
27712 @item @code{bind-http} (default: @code{"*:8080"})
27713 The interface/port or unix socket on which laminard should listen for
27714 incoming connections to the web frontend.
27716 @item @code{bind-rpc} (default: @code{"unix-abstract:laminar"})
27717 The interface/port or unix socket on which laminard should listen for
27718 incoming commands such as build triggers.
27720 @item @code{title} (default: @code{"Laminar"})
27721 The page title to show in the web frontend.
27723 @item @code{keep-rundirs} (default: @code{0})
27724 Set to an integer defining how many rundirs to keep per job. The
27725 lowest-numbered ones will be deleted. The default is 0, meaning all run
27726 dirs will be immediately deleted.
27728 @item @code{archive-url} (default: @code{#f})
27729 The web frontend served by laminard will use this URL to form links to
27730 artefacts archived jobs.
27732 @item @code{base-url} (default: @code{#f})
27733 Base URL to use for links to laminar itself.
27738 @node Power Management Services
27739 @subsection Power Management Services
27742 @cindex power management with TLP
27743 @subsubheading TLP daemon
27745 The @code{(gnu services pm)} module provides a Guix service definition
27746 for the Linux power management tool TLP.
27748 TLP enables various powersaving modes in userspace and kernel.
27749 Contrary to @code{upower-service}, it is not a passive,
27750 monitoring tool, as it will apply custom settings each time a new power
27751 source is detected. More information can be found at
27752 @uref{https://linrunner.de/en/tlp/tlp.html, TLP home page}.
27754 @deffn {Scheme Variable} tlp-service-type
27755 The service type for the TLP tool. The default settings are optimised
27756 for battery life on most systems, but you can tweak them to your heart's
27757 content by adding a valid @code{tlp-configuration}:
27759 (service tlp-service-type
27761 (cpu-scaling-governor-on-ac (list "performance"))
27762 (sched-powersave-on-bat? #t)))
27766 Each parameter definition is preceded by its type; for example,
27767 @samp{boolean foo} indicates that the @code{foo} parameter
27768 should be specified as a boolean. Types starting with
27769 @code{maybe-} denote parameters that won't show up in TLP config file
27770 when their value is @code{'disabled}.
27772 @c The following documentation was initially generated by
27773 @c (generate-tlp-documentation) in (gnu services pm). Manually maintained
27774 @c documentation is better, so we shouldn't hesitate to edit below as
27775 @c needed. However if the change you want to make to this documentation
27776 @c can be done in an automated way, it's probably easier to change
27777 @c (generate-documentation) than to make it below and have to deal with
27778 @c the churn as TLP updates.
27780 Available @code{tlp-configuration} fields are:
27782 @deftypevr {@code{tlp-configuration} parameter} package tlp
27787 @deftypevr {@code{tlp-configuration} parameter} boolean tlp-enable?
27788 Set to true if you wish to enable TLP.
27790 Defaults to @samp{#t}.
27794 @deftypevr {@code{tlp-configuration} parameter} string tlp-default-mode
27795 Default mode when no power supply can be detected. Alternatives are AC
27798 Defaults to @samp{"AC"}.
27802 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-ac
27803 Number of seconds Linux kernel has to wait after the disk goes idle,
27804 before syncing on AC.
27806 Defaults to @samp{0}.
27810 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-bat
27811 Same as @code{disk-idle-ac} but on BAT mode.
27813 Defaults to @samp{2}.
27817 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-ac
27818 Dirty pages flushing periodicity, expressed in seconds.
27820 Defaults to @samp{15}.
27824 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-bat
27825 Same as @code{max-lost-work-secs-on-ac} but on BAT mode.
27827 Defaults to @samp{60}.
27831 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-ac
27832 CPU frequency scaling governor on AC mode. With intel_pstate driver,
27833 alternatives are powersave and performance. With acpi-cpufreq driver,
27834 alternatives are ondemand, powersave, performance and conservative.
27836 Defaults to @samp{disabled}.
27840 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-bat
27841 Same as @code{cpu-scaling-governor-on-ac} but on BAT mode.
27843 Defaults to @samp{disabled}.
27847 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-ac
27848 Set the min available frequency for the scaling governor on AC.
27850 Defaults to @samp{disabled}.
27854 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-ac
27855 Set the max available frequency for the scaling governor on AC.
27857 Defaults to @samp{disabled}.
27861 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-bat
27862 Set the min available frequency for the scaling governor on BAT.
27864 Defaults to @samp{disabled}.
27868 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-bat
27869 Set the max available frequency for the scaling governor on BAT.
27871 Defaults to @samp{disabled}.
27875 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-ac
27876 Limit the min P-state to control the power dissipation of the CPU, in AC
27877 mode. Values are stated as a percentage of the available performance.
27879 Defaults to @samp{disabled}.
27883 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-ac
27884 Limit the max P-state to control the power dissipation of the CPU, in AC
27885 mode. Values are stated as a percentage of the available performance.
27887 Defaults to @samp{disabled}.
27891 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-bat
27892 Same as @code{cpu-min-perf-on-ac} on BAT mode.
27894 Defaults to @samp{disabled}.
27898 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-bat
27899 Same as @code{cpu-max-perf-on-ac} on BAT mode.
27901 Defaults to @samp{disabled}.
27905 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-ac?
27906 Enable CPU turbo boost feature on AC mode.
27908 Defaults to @samp{disabled}.
27912 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-bat?
27913 Same as @code{cpu-boost-on-ac?} on BAT mode.
27915 Defaults to @samp{disabled}.
27919 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-ac?
27920 Allow Linux kernel to minimize the number of CPU cores/hyper-threads
27921 used under light load conditions.
27923 Defaults to @samp{#f}.
27927 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-bat?
27928 Same as @code{sched-powersave-on-ac?} but on BAT mode.
27930 Defaults to @samp{#t}.
27934 @deftypevr {@code{tlp-configuration} parameter} boolean nmi-watchdog?
27935 Enable Linux kernel NMI watchdog.
27937 Defaults to @samp{#f}.
27941 @deftypevr {@code{tlp-configuration} parameter} maybe-string phc-controls
27942 For Linux kernels with PHC patch applied, change CPU voltages. An
27943 example value would be @samp{"F:V F:V F:V F:V"}.
27945 Defaults to @samp{disabled}.
27949 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-ac
27950 Set CPU performance versus energy saving policy on AC@. Alternatives are
27951 performance, normal, powersave.
27953 Defaults to @samp{"performance"}.
27957 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-bat
27958 Same as @code{energy-perf-policy-ac} but on BAT mode.
27960 Defaults to @samp{"powersave"}.
27964 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disks-devices
27969 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-ac
27970 Hard disk advanced power management level.
27974 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-bat
27975 Same as @code{disk-apm-bat} but on BAT mode.
27979 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-ac
27980 Hard disk spin down timeout. One value has to be specified for each
27981 declared hard disk.
27983 Defaults to @samp{disabled}.
27987 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-bat
27988 Same as @code{disk-spindown-timeout-on-ac} but on BAT mode.
27990 Defaults to @samp{disabled}.
27994 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-iosched
27995 Select IO scheduler for disk devices. One value has to be specified for
27996 each declared hard disk. Example alternatives are cfq, deadline and
27999 Defaults to @samp{disabled}.
28003 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-ac
28004 SATA aggressive link power management (ALPM) level. Alternatives are
28005 min_power, medium_power, max_performance.
28007 Defaults to @samp{"max_performance"}.
28011 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-bat
28012 Same as @code{sata-linkpwr-ac} but on BAT mode.
28014 Defaults to @samp{"min_power"}.
28018 @deftypevr {@code{tlp-configuration} parameter} maybe-string sata-linkpwr-blacklist
28019 Exclude specified SATA host devices for link power management.
28021 Defaults to @samp{disabled}.
28025 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-ac?
28026 Enable Runtime Power Management for AHCI controller and disks on AC
28029 Defaults to @samp{disabled}.
28033 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-bat?
28034 Same as @code{ahci-runtime-pm-on-ac} on BAT mode.
28036 Defaults to @samp{disabled}.
28040 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer ahci-runtime-pm-timeout
28041 Seconds of inactivity before disk is suspended.
28043 Defaults to @samp{15}.
28047 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-ac
28048 PCI Express Active State Power Management level. Alternatives are
28049 default, performance, powersave.
28051 Defaults to @samp{"performance"}.
28055 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-bat
28056 Same as @code{pcie-aspm-ac} but on BAT mode.
28058 Defaults to @samp{"powersave"}.
28062 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-ac
28063 Radeon graphics clock speed level. Alternatives are low, mid, high,
28066 Defaults to @samp{"high"}.
28070 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-bat
28071 Same as @code{radeon-power-ac} but on BAT mode.
28073 Defaults to @samp{"low"}.
28077 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-ac
28078 Radeon dynamic power management method (DPM). Alternatives are battery,
28081 Defaults to @samp{"performance"}.
28085 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-bat
28086 Same as @code{radeon-dpm-state-ac} but on BAT mode.
28088 Defaults to @samp{"battery"}.
28092 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-ac
28093 Radeon DPM performance level. Alternatives are auto, low, high.
28095 Defaults to @samp{"auto"}.
28099 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-bat
28100 Same as @code{radeon-dpm-perf-ac} but on BAT mode.
28102 Defaults to @samp{"auto"}.
28106 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-ac?
28107 Wifi power saving mode.
28109 Defaults to @samp{#f}.
28113 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-bat?
28114 Same as @code{wifi-power-ac?} but on BAT mode.
28116 Defaults to @samp{#t}.
28120 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean wol-disable?
28121 Disable wake on LAN.
28123 Defaults to @samp{#t}.
28127 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-ac
28128 Timeout duration in seconds before activating audio power saving on
28129 Intel HDA and AC97 devices. A value of 0 disables power saving.
28131 Defaults to @samp{0}.
28135 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-bat
28136 Same as @code{sound-powersave-ac} but on BAT mode.
28138 Defaults to @samp{1}.
28142 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean sound-power-save-controller?
28143 Disable controller in powersaving mode on Intel HDA devices.
28145 Defaults to @samp{#t}.
28149 @deftypevr {@code{tlp-configuration} parameter} boolean bay-poweroff-on-bat?
28150 Enable optical drive in UltraBay/MediaBay on BAT mode. Drive can be
28151 powered on again by releasing (and reinserting) the eject lever or by
28152 pressing the disc eject button on newer models.
28154 Defaults to @samp{#f}.
28158 @deftypevr {@code{tlp-configuration} parameter} string bay-device
28159 Name of the optical drive device to power off.
28161 Defaults to @samp{"sr0"}.
28165 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-ac
28166 Runtime Power Management for PCI(e) bus devices. Alternatives are on
28169 Defaults to @samp{"on"}.
28173 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-bat
28174 Same as @code{runtime-pm-ac} but on BAT mode.
28176 Defaults to @samp{"auto"}.
28180 @deftypevr {@code{tlp-configuration} parameter} boolean runtime-pm-all?
28181 Runtime Power Management for all PCI(e) bus devices, except blacklisted
28184 Defaults to @samp{#t}.
28188 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list runtime-pm-blacklist
28189 Exclude specified PCI(e) device addresses from Runtime Power Management.
28191 Defaults to @samp{disabled}.
28195 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list runtime-pm-driver-blacklist
28196 Exclude PCI(e) devices assigned to the specified drivers from Runtime
28201 @deftypevr {@code{tlp-configuration} parameter} boolean usb-autosuspend?
28202 Enable USB autosuspend feature.
28204 Defaults to @samp{#t}.
28208 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-blacklist
28209 Exclude specified devices from USB autosuspend.
28211 Defaults to @samp{disabled}.
28215 @deftypevr {@code{tlp-configuration} parameter} boolean usb-blacklist-wwan?
28216 Exclude WWAN devices from USB autosuspend.
28218 Defaults to @samp{#t}.
28222 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-whitelist
28223 Include specified devices into USB autosuspend, even if they are already
28224 excluded by the driver or via @code{usb-blacklist-wwan?}.
28226 Defaults to @samp{disabled}.
28230 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean usb-autosuspend-disable-on-shutdown?
28231 Enable USB autosuspend before shutdown.
28233 Defaults to @samp{disabled}.
28237 @deftypevr {@code{tlp-configuration} parameter} boolean restore-device-state-on-startup?
28238 Restore radio device state (bluetooth, wifi, wwan) from previous
28239 shutdown on system startup.
28241 Defaults to @samp{#f}.
28246 @cindex CPU frequency scaling with thermald
28247 @subsubheading Thermald daemon
28249 The @code{(gnu services pm)} module provides an interface to
28250 thermald, a CPU frequency scaling service which helps prevent overheating.
28252 @defvr {Scheme Variable} thermald-service-type
28253 This is the service type for
28254 @uref{https://01.org/linux-thermal-daemon/, thermald}, the Linux
28255 Thermal Daemon, which is responsible for controlling the thermal state
28256 of processors and preventing overheating.
28259 @deftp {Data Type} thermald-configuration
28260 Data type representing the configuration of @code{thermald-service-type}.
28263 @item @code{ignore-cpuid-check?} (default: @code{#f})
28264 Ignore cpuid check for supported CPU models.
28266 @item @code{thermald} (default: @var{thermald})
28267 Package object of thermald.
28272 @node Audio Services
28273 @subsection Audio Services
28275 The @code{(gnu services audio)} module provides a service to start MPD
28276 (the Music Player Daemon).
28279 @subsubheading Music Player Daemon
28281 The Music Player Daemon (MPD) is a service that can play music while
28282 being controlled from the local machine or over the network by a variety
28285 The following example shows how one might run @code{mpd} as user
28286 @code{"bob"} on port @code{6666}. It uses pulseaudio for output.
28289 (service mpd-service-type
28295 @defvr {Scheme Variable} mpd-service-type
28296 The service type for @command{mpd}
28299 @deftp {Data Type} mpd-configuration
28300 Data type representing the configuration of @command{mpd}.
28303 @item @code{user} (default: @code{"mpd"})
28304 The user to run mpd as.
28306 @item @code{music-dir} (default: @code{"~/Music"})
28307 The directory to scan for music files.
28309 @item @code{playlist-dir} (default: @code{"~/.mpd/playlists"})
28310 The directory to store playlists.
28312 @item @code{db-file} (default: @code{"~/.mpd/tag_cache"})
28313 The location of the music database.
28315 @item @code{state-file} (default: @code{"~/.mpd/state"})
28316 The location of the file that stores current MPD's state.
28318 @item @code{sticker-file} (default: @code{"~/.mpd/sticker.sql"})
28319 The location of the sticker database.
28321 @item @code{port} (default: @code{"6600"})
28322 The port to run mpd on.
28324 @item @code{address} (default: @code{"any"})
28325 The address that mpd will bind to. To use a Unix domain socket,
28326 an absolute path can be specified here.
28328 @item @code{outputs} (default: @code{"(list (mpd-output))"})
28329 The audio outputs that MPD can use. By default this is a single output using pulseaudio.
28334 @deftp {Data Type} mpd-output
28335 Data type representing an @command{mpd} audio output.
28338 @item @code{name} (default: @code{"MPD"})
28339 The name of the audio output.
28341 @item @code{type} (default: @code{"pulse"})
28342 The type of audio output.
28344 @item @code{enabled?} (default: @code{#t})
28345 Specifies whether this audio output is enabled when MPD is started. By
28346 default, all audio outputs are enabled. This is just the default
28347 setting when there is no state file; with a state file, the previous
28350 @item @code{tags?} (default: @code{#t})
28351 If set to @code{#f}, then MPD will not send tags to this output. This
28352 is only useful for output plugins that can receive tags, for example the
28353 @code{httpd} output plugin.
28355 @item @code{always-on?} (default: @code{#f})
28356 If set to @code{#t}, then MPD attempts to keep this audio output always
28357 open. This may be useful for streaming servers, when you don’t want to
28358 disconnect all listeners even when playback is accidentally stopped.
28360 @item @code{mixer-type}
28361 This field accepts a symbol that specifies which mixer should be used
28362 for this audio output: the @code{hardware} mixer, the @code{software}
28363 mixer, the @code{null} mixer (allows setting the volume, but with no
28364 effect; this can be used as a trick to implement an external mixer
28365 External Mixer) or no mixer (@code{none}).
28367 @item @code{extra-options} (default: @code{'()})
28368 An association list of option symbols to string values to be appended to
28369 the audio output configuration.
28374 The following example shows a configuration of @code{mpd} that provides
28375 an HTTP audio streaming output.
28378 (service mpd-service-type
28386 `((encoder . "vorbis")
28387 (port . "8080"))))))))
28391 @node Virtualization Services
28392 @subsection Virtualization Services
28394 The @code{(gnu services virtualization)} module provides services for
28395 the libvirt and virtlog daemons, as well as other virtualization-related
28398 @subsubheading Libvirt daemon
28400 @code{libvirtd} is the server side daemon component of the libvirt
28401 virtualization management system. This daemon runs on host servers
28402 and performs required management tasks for virtualized guests.
28404 @deffn {Scheme Variable} libvirt-service-type
28405 This is the type of the @uref{https://libvirt.org, libvirt daemon}.
28406 Its value must be a @code{libvirt-configuration}.
28409 (service libvirt-service-type
28410 (libvirt-configuration
28411 (unix-sock-group "libvirt")
28412 (tls-port "16555")))
28416 @c Auto-generated with (generate-libvirt-documentation)
28417 Available @code{libvirt-configuration} fields are:
28419 @deftypevr {@code{libvirt-configuration} parameter} package libvirt
28424 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tls?
28425 Flag listening for secure TLS connections on the public TCP/IP port.
28426 You must set @code{listen} for this to have any effect.
28428 It is necessary to setup a CA and issue server certificates before using
28431 Defaults to @samp{#t}.
28435 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tcp?
28436 Listen for unencrypted TCP connections on the public TCP/IP port. You must
28437 set @code{listen} for this to have any effect.
28439 Using the TCP socket requires SASL authentication by default. Only SASL
28440 mechanisms which support data encryption are allowed. This is
28441 DIGEST_MD5 and GSSAPI (Kerberos5).
28443 Defaults to @samp{#f}.
28447 @deftypevr {@code{libvirt-configuration} parameter} string tls-port
28448 Port for accepting secure TLS connections. This can be a port number,
28451 Defaults to @samp{"16514"}.
28455 @deftypevr {@code{libvirt-configuration} parameter} string tcp-port
28456 Port for accepting insecure TCP connections. This can be a port number,
28459 Defaults to @samp{"16509"}.
28463 @deftypevr {@code{libvirt-configuration} parameter} string listen-addr
28464 IP address or hostname used for client connections.
28466 Defaults to @samp{"0.0.0.0"}.
28470 @deftypevr {@code{libvirt-configuration} parameter} boolean mdns-adv?
28471 Flag toggling mDNS advertisement of the libvirt service.
28473 Alternatively can disable for all services on a host by stopping the
28476 Defaults to @samp{#f}.
28480 @deftypevr {@code{libvirt-configuration} parameter} string mdns-name
28481 Default mDNS advertisement name. This must be unique on the immediate
28484 Defaults to @samp{"Virtualization Host <hostname>"}.
28488 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-group
28489 UNIX domain socket group ownership. This can be used to allow a
28490 'trusted' set of users access to management capabilities without
28493 Defaults to @samp{"root"}.
28497 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-ro-perms
28498 UNIX socket permissions for the R/O socket. This is used for monitoring
28501 Defaults to @samp{"0777"}.
28505 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-rw-perms
28506 UNIX socket permissions for the R/W socket. Default allows only root.
28507 If PolicyKit is enabled on the socket, the default will change to allow
28508 everyone (eg, 0777)
28510 Defaults to @samp{"0770"}.
28514 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-admin-perms
28515 UNIX socket permissions for the admin socket. Default allows only owner
28516 (root), do not change it unless you are sure to whom you are exposing
28519 Defaults to @samp{"0777"}.
28523 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-dir
28524 The directory in which sockets will be found/created.
28526 Defaults to @samp{"/var/run/libvirt"}.
28530 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-ro
28531 Authentication scheme for UNIX read-only sockets. By default socket
28532 permissions allow anyone to connect
28534 Defaults to @samp{"polkit"}.
28538 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-rw
28539 Authentication scheme for UNIX read-write sockets. By default socket
28540 permissions only allow root. If PolicyKit support was compiled into
28541 libvirt, the default will be to use 'polkit' auth.
28543 Defaults to @samp{"polkit"}.
28547 @deftypevr {@code{libvirt-configuration} parameter} string auth-tcp
28548 Authentication scheme for TCP sockets. If you don't enable SASL, then
28549 all TCP traffic is cleartext. Don't do this outside of a dev/test
28552 Defaults to @samp{"sasl"}.
28556 @deftypevr {@code{libvirt-configuration} parameter} string auth-tls
28557 Authentication scheme for TLS sockets. TLS sockets already have
28558 encryption provided by the TLS layer, and limited authentication is done
28561 It is possible to make use of any SASL authentication mechanism as well,
28562 by using 'sasl' for this option
28564 Defaults to @samp{"none"}.
28568 @deftypevr {@code{libvirt-configuration} parameter} optional-list access-drivers
28569 API access control scheme.
28571 By default an authenticated user is allowed access to all APIs. Access
28572 drivers can place restrictions on this.
28574 Defaults to @samp{()}.
28578 @deftypevr {@code{libvirt-configuration} parameter} string key-file
28579 Server key file path. If set to an empty string, then no private key is
28582 Defaults to @samp{""}.
28586 @deftypevr {@code{libvirt-configuration} parameter} string cert-file
28587 Server key file path. If set to an empty string, then no certificate is
28590 Defaults to @samp{""}.
28594 @deftypevr {@code{libvirt-configuration} parameter} string ca-file
28595 Server key file path. If set to an empty string, then no CA certificate
28598 Defaults to @samp{""}.
28602 @deftypevr {@code{libvirt-configuration} parameter} string crl-file
28603 Certificate revocation list path. If set to an empty string, then no
28606 Defaults to @samp{""}.
28610 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-sanity-cert
28611 Disable verification of our own server certificates.
28613 When libvirtd starts it performs some sanity checks against its own
28616 Defaults to @samp{#f}.
28620 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-verify-cert
28621 Disable verification of client certificates.
28623 Client certificate verification is the primary authentication mechanism.
28624 Any client which does not present a certificate signed by the CA will be
28627 Defaults to @samp{#f}.
28631 @deftypevr {@code{libvirt-configuration} parameter} optional-list tls-allowed-dn-list
28632 Whitelist of allowed x509 Distinguished Name.
28634 Defaults to @samp{()}.
28638 @deftypevr {@code{libvirt-configuration} parameter} optional-list sasl-allowed-usernames
28639 Whitelist of allowed SASL usernames. The format for username depends on
28640 the SASL authentication mechanism.
28642 Defaults to @samp{()}.
28646 @deftypevr {@code{libvirt-configuration} parameter} string tls-priority
28647 Override the compile time default TLS priority string. The default is
28648 usually @samp{"NORMAL"} unless overridden at build time. Only set this is it
28649 is desired for libvirt to deviate from the global default settings.
28651 Defaults to @samp{"NORMAL"}.
28655 @deftypevr {@code{libvirt-configuration} parameter} integer max-clients
28656 Maximum number of concurrent client connections to allow over all
28659 Defaults to @samp{5000}.
28663 @deftypevr {@code{libvirt-configuration} parameter} integer max-queued-clients
28664 Maximum length of queue of connections waiting to be accepted by the
28665 daemon. Note, that some protocols supporting retransmission may obey
28666 this so that a later reattempt at connection succeeds.
28668 Defaults to @samp{1000}.
28672 @deftypevr {@code{libvirt-configuration} parameter} integer max-anonymous-clients
28673 Maximum length of queue of accepted but not yet authenticated clients.
28674 Set this to zero to turn this feature off
28676 Defaults to @samp{20}.
28680 @deftypevr {@code{libvirt-configuration} parameter} integer min-workers
28681 Number of workers to start up initially.
28683 Defaults to @samp{5}.
28687 @deftypevr {@code{libvirt-configuration} parameter} integer max-workers
28688 Maximum number of worker threads.
28690 If the number of active clients exceeds @code{min-workers}, then more
28691 threads are spawned, up to max_workers limit. Typically you'd want
28692 max_workers to equal maximum number of clients allowed.
28694 Defaults to @samp{20}.
28698 @deftypevr {@code{libvirt-configuration} parameter} integer prio-workers
28699 Number of priority workers. If all workers from above pool are stuck,
28700 some calls marked as high priority (notably domainDestroy) can be
28701 executed in this pool.
28703 Defaults to @samp{5}.
28707 @deftypevr {@code{libvirt-configuration} parameter} integer max-requests
28708 Total global limit on concurrent RPC calls.
28710 Defaults to @samp{20}.
28714 @deftypevr {@code{libvirt-configuration} parameter} integer max-client-requests
28715 Limit on concurrent requests from a single client connection. To avoid
28716 one client monopolizing the server this should be a small fraction of
28717 the global max_requests and max_workers parameter.
28719 Defaults to @samp{5}.
28723 @deftypevr {@code{libvirt-configuration} parameter} integer admin-min-workers
28724 Same as @code{min-workers} but for the admin interface.
28726 Defaults to @samp{1}.
28730 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-workers
28731 Same as @code{max-workers} but for the admin interface.
28733 Defaults to @samp{5}.
28737 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-clients
28738 Same as @code{max-clients} but for the admin interface.
28740 Defaults to @samp{5}.
28744 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-queued-clients
28745 Same as @code{max-queued-clients} but for the admin interface.
28747 Defaults to @samp{5}.
28751 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-client-requests
28752 Same as @code{max-client-requests} but for the admin interface.
28754 Defaults to @samp{5}.
28758 @deftypevr {@code{libvirt-configuration} parameter} integer log-level
28759 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
28761 Defaults to @samp{3}.
28765 @deftypevr {@code{libvirt-configuration} parameter} string log-filters
28768 A filter allows to select a different logging level for a given category
28769 of logs. The format for a filter is one of:
28780 where @code{name} is a string which is matched against the category
28781 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
28782 file, e.g., @samp{"remote"}, @samp{"qemu"}, or @samp{"util.json"} (the
28783 name in the filter can be a substring of the full category name, in
28784 order to match multiple similar categories), the optional @samp{"+"}
28785 prefix tells libvirt to log stack trace for each message matching name,
28786 and @code{x} is the minimal level where matching messages should be
28804 Multiple filters can be defined in a single filters statement, they just
28805 need to be separated by spaces.
28807 Defaults to @samp{"3:remote 4:event"}.
28811 @deftypevr {@code{libvirt-configuration} parameter} string log-outputs
28814 An output is one of the places to save logging information. The format
28815 for an output can be:
28819 output goes to stderr
28821 @item x:syslog:name
28822 use syslog for the output and use the given name as the ident
28824 @item x:file:file_path
28825 output to a file, with the given filepath
28828 output to journald logging system
28832 In all case the x prefix is the minimal level, acting as a filter
28849 Multiple outputs can be defined, they just need to be separated by
28852 Defaults to @samp{"3:stderr"}.
28856 @deftypevr {@code{libvirt-configuration} parameter} integer audit-level
28857 Allows usage of the auditing subsystem to be altered
28861 0: disable all auditing
28864 1: enable auditing, only if enabled on host
28867 2: enable auditing, and exit if disabled on host.
28871 Defaults to @samp{1}.
28875 @deftypevr {@code{libvirt-configuration} parameter} boolean audit-logging
28876 Send audit messages via libvirt logging infrastructure.
28878 Defaults to @samp{#f}.
28882 @deftypevr {@code{libvirt-configuration} parameter} optional-string host-uuid
28883 Host UUID@. UUID must not have all digits be the same.
28885 Defaults to @samp{""}.
28889 @deftypevr {@code{libvirt-configuration} parameter} string host-uuid-source
28890 Source to read host UUID.
28894 @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid}
28897 @code{machine-id}: fetch the UUID from @code{/etc/machine-id}
28901 If @code{dmidecode} does not provide a valid UUID a temporary UUID will
28904 Defaults to @samp{"smbios"}.
28908 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-interval
28909 A keepalive message is sent to a client after @code{keepalive_interval}
28910 seconds of inactivity to check if the client is still responding. If
28911 set to -1, libvirtd will never send keepalive requests; however clients
28912 can still send them and the daemon will send responses.
28914 Defaults to @samp{5}.
28918 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-count
28919 Maximum number of keepalive messages that are allowed to be sent to the
28920 client without getting any response before the connection is considered
28923 In other words, the connection is automatically closed approximately
28924 after @code{keepalive_interval * (keepalive_count + 1)} seconds since
28925 the last message received from the client. When @code{keepalive-count}
28926 is set to 0, connections will be automatically closed after
28927 @code{keepalive-interval} seconds of inactivity without sending any
28928 keepalive messages.
28930 Defaults to @samp{5}.
28934 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-interval
28935 Same as above but for admin interface.
28937 Defaults to @samp{5}.
28941 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-count
28942 Same as above but for admin interface.
28944 Defaults to @samp{5}.
28948 @deftypevr {@code{libvirt-configuration} parameter} integer ovs-timeout
28949 Timeout for Open vSwitch calls.
28951 The @code{ovs-vsctl} utility is used for the configuration and its
28952 timeout option is set by default to 5 seconds to avoid potential
28953 infinite waits blocking libvirt.
28955 Defaults to @samp{5}.
28959 @c %end of autogenerated docs
28961 @subsubheading Virtlog daemon
28962 The virtlogd service is a server side daemon component of libvirt that is
28963 used to manage logs from virtual machine consoles.
28965 This daemon is not used directly by libvirt client applications, rather it
28966 is called on their behalf by @code{libvirtd}. By maintaining the logs in a
28967 standalone daemon, the main @code{libvirtd} daemon can be restarted without
28968 risk of losing logs. The @code{virtlogd} daemon has the ability to re-exec()
28969 itself upon receiving @code{SIGUSR1}, to allow live upgrades without downtime.
28971 @deffn {Scheme Variable} virtlog-service-type
28972 This is the type of the virtlog daemon.
28973 Its value must be a @code{virtlog-configuration}.
28976 (service virtlog-service-type
28977 (virtlog-configuration
28978 (max-clients 1000)))
28982 @deftypevr {@code{virtlog-configuration} parameter} integer log-level
28983 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
28985 Defaults to @samp{3}.
28989 @deftypevr {@code{virtlog-configuration} parameter} string log-filters
28992 A filter allows to select a different logging level for a given category
28993 of logs The format for a filter is one of:
29004 where @code{name} is a string which is matched against the category
29005 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
29006 file, e.g., "remote", "qemu", or "util.json" (the name in the filter can
29007 be a substring of the full category name, in order to match multiple
29008 similar categories), the optional "+" prefix tells libvirt to log stack
29009 trace for each message matching name, and @code{x} is the minimal level
29010 where matching messages should be logged:
29027 Multiple filters can be defined in a single filters statement, they just
29028 need to be separated by spaces.
29030 Defaults to @samp{"3:remote 4:event"}.
29034 @deftypevr {@code{virtlog-configuration} parameter} string log-outputs
29037 An output is one of the places to save logging information The format
29038 for an output can be:
29042 output goes to stderr
29044 @item x:syslog:name
29045 use syslog for the output and use the given name as the ident
29047 @item x:file:file_path
29048 output to a file, with the given filepath
29051 output to journald logging system
29055 In all case the x prefix is the minimal level, acting as a filter
29072 Multiple outputs can be defined, they just need to be separated by
29075 Defaults to @samp{"3:stderr"}.
29079 @deftypevr {@code{virtlog-configuration} parameter} integer max-clients
29080 Maximum number of concurrent client connections to allow over all
29083 Defaults to @samp{1024}.
29087 @deftypevr {@code{virtlog-configuration} parameter} integer max-size
29088 Maximum file size before rolling over.
29090 Defaults to @samp{2MB}
29094 @deftypevr {@code{virtlog-configuration} parameter} integer max-backups
29095 Maximum number of backup files to keep.
29097 Defaults to @samp{3}
29101 @anchor{transparent-emulation-qemu}
29102 @subsubheading Transparent Emulation with QEMU
29105 @cindex @code{binfmt_misc}
29106 @code{qemu-binfmt-service-type} provides support for transparent
29107 emulation of program binaries built for different architectures---e.g.,
29108 it allows you to transparently execute an ARMv7 program on an x86_64
29109 machine. It achieves this by combining the @uref{https://www.qemu.org,
29110 QEMU} emulator and the @code{binfmt_misc} feature of the kernel Linux.
29111 This feature only allows you to emulate GNU/Linux on a different
29112 architecture, but see below for GNU/Hurd support.
29114 @defvr {Scheme Variable} qemu-binfmt-service-type
29115 This is the type of the QEMU/binfmt service for transparent emulation.
29116 Its value must be a @code{qemu-binfmt-configuration} object, which
29117 specifies the QEMU package to use as well as the architecture we want to
29121 (service qemu-binfmt-service-type
29122 (qemu-binfmt-configuration
29123 (platforms (lookup-qemu-platforms "arm" "aarch64"))))
29126 In this example, we enable transparent emulation for the ARM and aarch64
29127 platforms. Running @code{herd stop qemu-binfmt} turns it off, and
29128 running @code{herd start qemu-binfmt} turns it back on (@pxref{Invoking
29129 herd, the @command{herd} command,, shepherd, The GNU Shepherd Manual}).
29132 @deftp {Data Type} qemu-binfmt-configuration
29133 This is the configuration for the @code{qemu-binfmt} service.
29136 @item @code{platforms} (default: @code{'()})
29137 The list of emulated QEMU platforms. Each item must be a @dfn{platform
29138 object} as returned by @code{lookup-qemu-platforms} (see below).
29140 For example, let's suppose you're on an x86_64 machine and you have this
29144 (service qemu-binfmt-service-type
29145 (qemu-binfmt-configuration
29146 (platforms (lookup-qemu-platforms "arm"))))
29152 guix build -s armhf-linux inkscape
29156 and it will build Inkscape for ARMv7 @emph{as if it were a native
29157 build}, transparently using QEMU to emulate the ARMv7 CPU@. Pretty handy
29158 if you'd like to test a package build for an architecture you don't have
29161 @item @code{qemu} (default: @code{qemu})
29162 The QEMU package to use.
29166 @deffn {Scheme Procedure} lookup-qemu-platforms @var{platforms}@dots{}
29167 Return the list of QEMU platform objects corresponding to
29168 @var{platforms}@dots{}. @var{platforms} must be a list of strings
29169 corresponding to platform names, such as @code{"arm"}, @code{"sparc"},
29170 @code{"mips64el"}, and so on.
29173 @deffn {Scheme Procedure} qemu-platform? @var{obj}
29174 Return true if @var{obj} is a platform object.
29177 @deffn {Scheme Procedure} qemu-platform-name @var{platform}
29178 Return the name of @var{platform}---a string such as @code{"arm"}.
29182 @subsubheading The Hurd in a Virtual Machine
29184 @cindex @code{hurd}
29188 Service @code{hurd-vm} provides support for running GNU/Hurd in a
29189 virtual machine (VM), a so-called @dfn{childhurd}. This service is meant
29190 to be used on GNU/Linux and the given GNU/Hurd operating system
29191 configuration is cross-compiled. The virtual machine is a Shepherd
29192 service that can be referred to by the names @code{hurd-vm} and
29193 @code{childhurd} and be controlled with commands such as:
29197 herd stop childhurd
29200 When the service is running, you can view its console by connecting to
29201 it with a VNC client, for example with:
29204 guix environment --ad-hoc tigervnc-client -- \
29205 vncviewer localhost:5900
29208 The default configuration (see @code{hurd-vm-configuration} below)
29209 spawns a secure shell (SSH) server in your GNU/Hurd system, which QEMU
29210 (the virtual machine emulator) redirects to port 10222 on the host.
29211 Thus, you can connect over SSH to the childhurd with:
29214 ssh root@@localhost -p 10022
29217 The childhurd is volatile and stateless: it starts with a fresh root
29218 file system every time you restart it. By default though, all the files
29219 under @file{/etc/childhurd} on the host are copied as is to the root
29220 file system of the childhurd when it boots. This allows you to
29221 initialize ``secrets'' inside the VM: SSH host keys, authorized
29222 substitute keys, and so on---see the explanation of @code{secret-root}
29225 @defvr {Scheme Variable} hurd-vm-service-type
29226 This is the type of the Hurd in a Virtual Machine service. Its value
29227 must be a @code{hurd-vm-configuration} object, which specifies the
29228 operating system (@pxref{operating-system Reference}) and the disk size
29229 for the Hurd Virtual Machine, the QEMU package to use as well as the
29230 options for running it.
29235 (service hurd-vm-service-type
29236 (hurd-vm-configuration
29237 (disk-size (* 5000 (expt 2 20))) ;5G
29238 (memory-size 1024))) ;1024MiB
29241 would create a disk image big enough to build GNU@tie{}Hello, with some
29245 @deftp {Data Type} hurd-vm-configuration
29246 The data type representing the configuration for
29247 @code{hurd-vm-service-type}.
29250 @item @code{os} (default: @var{%hurd-vm-operating-system})
29251 The operating system to instantiate. This default is bare-bones with a
29252 permissive OpenSSH secure shell daemon listening on port 2222
29253 (@pxref{Networking Services, @code{openssh-service-type}}).
29255 @item @code{qemu} (default: @code{qemu-minimal})
29256 The QEMU package to use.
29258 @item @code{image} (default: @var{hurd-vm-disk-image})
29259 The procedure used to build the disk-image built from this
29262 @item @code{disk-size} (default: @code{'guess})
29263 The size of the disk image.
29265 @item @code{memory-size} (default: @code{512})
29266 The memory size of the Virtual Machine in mebibytes.
29268 @item @code{options} (default: @code{'("--snapshot")})
29269 The extra options for running QEMU.
29271 @item @code{id} (default: @code{#f})
29272 If set, a non-zero positive integer used to parameterize Childhurd
29273 instances. It is appended to the service's name,
29274 e.g. @code{childhurd1}.
29276 @item @code{net-options} (default: @var{hurd-vm-net-options})
29277 The procedure used to produce the list of QEMU networking options.
29279 By default, it produces
29282 '("--device" "rtl8139,netdev=net0"
29283 "--netdev" (string-append
29285 "hostfwd=tcp:127.0.0.1:@var{secrets-port}-:1004,"
29286 "hostfwd=tcp:127.0.0.1:@var{ssh-port}-:2222,"
29287 "hostfwd=tcp:127.0.0.1:@var{vnc-port}-:5900"))
29290 with forwarded ports:
29293 @var{secrets-port}: @code{(+ 11004 (* 1000 @var{ID}))}
29294 @var{ssh-port}: @code{(+ 10022 (* 1000 @var{ID}))}
29295 @var{vnc-port}: @code{(+ 15900 (* 1000 @var{ID}))}
29298 @item @code{secret-root} (default: @file{/etc/childhurd})
29299 The root directory with out-of-band secrets to be installed into the
29300 childhurd once it runs. Childhurds are volatile which means that on
29301 every startup, secrets such as the SSH host keys and Guix signing key
29304 If the @file{/etc/childhurd} directory does not exist, the
29305 @code{secret-service} running in the Childhurd will be sent an empty
29308 By default, the service automatically populates @file{/etc/childhurd}
29309 with the following non-volatile secrets, unless they already exist:
29312 /etc/childhurd/etc/guix/acl
29313 /etc/childhurd/etc/guix/signing-key.pub
29314 /etc/childhurd/etc/guix/signing-key.sec
29315 /etc/childhurd/etc/ssh/ssh_host_ed25519_key
29316 /etc/childhurd/etc/ssh/ssh_host_ecdsa_key
29317 /etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
29318 /etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
29321 These files are automatically sent to the guest Hurd VM when it boots,
29322 including permissions.
29324 @cindex childhurd, offloading
29325 @cindex Hurd, offloading
29326 Having these files in place means that only a couple of things are
29327 missing to allow the host to offload @code{i586-gnu} builds to the
29332 Authorizing the childhurd's key on the host so that the host accepts
29333 build results coming from the childhurd, which can be done like so:
29336 guix archive --authorize < \
29337 /etc/childhurd/etc/guix/signing-key.pub
29341 Adding the childhurd to @file{/etc/guix/machines.scm} (@pxref{Daemon
29345 We're working towards making that happen automatically---get in touch
29346 with us at @email{guix-devel@@gnu.org} to discuss it!
29350 Note that by default the VM image is volatile, i.e., once stopped the
29351 contents are lost. If you want a stateful image instead, override the
29352 configuration's @code{image} and @code{options} without
29353 the @code{--snapshot} flag using something along these lines:
29356 (service hurd-vm-service-type
29357 (hurd-vm-configuration
29358 (image (const "/out/of/store/writable/hurd.img"))
29362 @subsubheading Ganeti
29367 This service is considered experimental. Configuration options may be changed
29368 in a backwards-incompatible manner, and not all features have been thorougly
29369 tested. Users of this service are encouraged to share their experience at
29370 @email{guix-devel@@gnu.org}.
29373 Ganeti is a virtual machine management system. It is designed to keep virtual
29374 machines running on a cluster of servers even in the event of hardware failures,
29375 and to make maintenance and recovery tasks easy. It consists of multiple
29376 services which are described later in this section. In addition to the Ganeti
29377 service, you will need the OpenSSH service (@pxref{Networking Services,
29378 @code{openssh-service-type}}), and update the @file{/etc/hosts} file
29379 (@pxref{operating-system Reference, @code{hosts-file}}) with the cluster name
29380 and address (or use a DNS server).
29382 All nodes participating in a Ganeti cluster should have the same Ganeti and
29383 @file{/etc/hosts} configuration. Here is an example configuration for a Ganeti
29384 cluster node that supports multiple storage backends, and installs the
29385 @code{debootstrap} and @code{guix} @dfn{OS providers}:
29388 (use-package-modules virtualization)
29389 (use-service-modules base ganeti networking ssh)
29392 (host-name "node1")
29393 (hosts-file (plain-file "hosts" (format #f "
29394 127.0.0.1 localhost
29397 192.168.1.200 ganeti.example.com
29398 192.168.1.201 node1.example.com node1
29399 192.168.1.202 node2.example.com node2
29402 ;; Install QEMU so we can use KVM-based instances, and LVM, DRBD and Ceph
29403 ;; in order to use the "plain", "drbd" and "rbd" storage backends.
29404 (packages (append (map specification->package
29405 '("qemu" "lvm2" "drbd-utils" "ceph"
29406 ;; Add the debootstrap and guix OS providers.
29407 "ganeti-instance-guix" "ganeti-instance-debootstrap"))
29410 (append (list (static-networking-service "eth0" "192.168.1.201"
29411 #:netmask "255.255.255.0"
29412 #:gateway "192.168.1.254"
29413 #:name-servers '("192.168.1.252"
29416 ;; Ganeti uses SSH to communicate between nodes.
29417 (service openssh-service-type
29418 (openssh-configuration
29419 (permit-root-login 'prohibit-password)))
29421 (service ganeti-service-type
29422 (ganeti-configuration
29423 ;; This list specifies allowed file system paths
29424 ;; for storing virtual machine images.
29425 (file-storage-paths '("/srv/ganeti/file-storage"))
29426 ;; This variable configures a single "variant" for
29427 ;; both Debootstrap and Guix that works with KVM.
29428 (os %default-ganeti-os))))
29432 Users are advised to read the
29433 @url{http://docs.ganeti.org/ganeti/master/html/admin.html,Ganeti
29434 administrators guide} to learn about the various cluster options and
29435 day-to-day operations. There is also a
29436 @url{https://guix.gnu.org/blog/2020/running-a-ganeti-cluster-on-guix/,blog post}
29437 describing how to configure and initialize a small cluster.
29439 @defvr {Scheme Variable} ganeti-service-type
29440 This is a service type that includes all the various services that Ganeti
29443 Its value is a @code{ganeti-configuration} object that defines the package
29444 to use for CLI operations, as well as configuration for the various daemons.
29445 Allowed file storage paths and available guest operating systems are also
29446 configured through this data type.
29449 @deftp {Data Type} ganeti-configuration
29450 The @code{ganeti} service takes the following configuration options:
29453 @item @code{ganeti} (default: @code{ganeti})
29454 The @code{ganeti} package to use. It will be installed to the system profile
29455 and make @command{gnt-cluster}, @command{gnt-instance}, etc available. Note
29456 that the value specified here does not affect the other services as each refer
29457 to a specific @code{ganeti} package (see below).
29459 @item @code{noded-configuration} (default: @code{(ganeti-noded-configuration)})
29460 @itemx @code{confd-configuration} (default: @code{(ganeti-confd-configuration)})
29461 @itemx @code{wconfd-configuration} (default: @code{(ganeti-wconfd-configuration)})
29462 @itemx @code{luxid-configuration} (default: @code{(ganeti-luxid-configuration)})
29463 @itemx @code{rapi-configuration} (default: @code{(ganeti-rapi-configuration)})
29464 @itemx @code{kvmd-configuration} (default: @code{(ganeti-kvmd-configuration)})
29465 @itemx @code{mond-configuration} (default: @code{(ganeti-mond-configuration)})
29466 @itemx @code{metad-configuration} (default: @code{(ganeti-metad-configuration)})
29467 @itemx @code{watcher-configuration} (default: @code{(ganeti-watcher-configuration)})
29468 @itemx @code{cleaner-configuration} (default: @code{(ganeti-cleaner-configuration)})
29470 These options control the various daemons and cron jobs that are distributed
29471 with Ganeti. The possible values for these are described in detail below.
29472 To override a setting, you must use the configuration type for that service:
29475 (service ganeti-service-type
29476 (ganeti-configuration
29477 (rapi-configuration
29478 (ganeti-rapi-configuration
29479 (interface "eth1"))))
29480 (watcher-configuration
29481 (ganeti-watcher-configuration
29482 (rapi-ip "10.0.0.1"))))
29485 @item @code{file-storage-paths} (default: @code{'()})
29486 List of allowed directories for file storage backend.
29488 @item @code{os} (default: @code{%default-ganeti-os})
29489 List of @code{<ganeti-os>} records.
29492 In essence @code{ganeti-service-type} is shorthand for declaring each service
29496 (service ganeti-noded-service-type)
29497 (service ganeti-confd-service-type)
29498 (service ganeti-wconfd-service-type)
29499 (service ganeti-luxid-service-type)
29500 (service ganeti-kvmd-service-type)
29501 (service ganeti-mond-service-type)
29502 (service ganeti-metad-service-type)
29503 (service ganeti-watcher-service-type)
29504 (service ganeti-cleaner-service-type)
29507 Plus a service extension for @code{etc-service-type} that configures the file
29508 storage backend and OS variants.
29512 @deftp {Data Type} ganeti-os
29513 This data type is suitable for passing to the @code{os} parameter of
29514 @code{ganeti-configuration}. It takes the following parameters:
29518 The name for this OS provider. It is only used to specify where the
29519 configuration ends up. Setting it to ``debootstrap'' will create
29520 @file{/etc/ganeti/instance-debootstrap}.
29522 @item @code{extension}
29523 The file extension for variants of this OS type. For example
29524 @file{.conf} or @file{.scm}.
29526 @item @code{variants} (default: @code{'()})
29527 List of @code{ganeti-os-variant} objects for this OS.
29532 @deftp {Data Type} ganeti-os-variant
29533 This is the data type for a Ganeti OS variant. It takes the following
29538 The name of this variant.
29540 @item @code{configuration}
29541 A configuration file for this variant.
29545 @defvr {Scheme Variable} %default-debootstrap-hooks
29546 This variable contains hooks to configure networking and the GRUB bootloader.
29549 @defvr {Scheme Variable} %default-debootstrap-extra-pkgs
29550 This variable contains a list of packages suitable for a fully-virtualized guest.
29553 @deftp {Data Type} debootstrap-configuration
29555 This data type creates configuration files suitable for the debootstrap OS provider.
29558 @item @code{hooks} (default: @code{%default-debootstrap-hooks})
29559 When not @code{#f}, this must be a G-expression that specifies a directory with
29560 scripts that will run when the OS is installed. It can also be a list of
29561 @code{(name . file-like)} pairs. For example:
29564 `((99-hello-world . ,(plain-file "#!/bin/sh\necho Hello, World")))
29567 That will create a directory with one executable named @code{99-hello-world}
29568 and run it every time this variant is installed. If set to @code{#f}, hooks
29569 in @file{/etc/ganeti/instance-debootstrap/hooks} will be used, if any.
29570 @item @code{proxy} (default: @code{#f})
29571 Optional HTTP proxy to use.
29572 @item @code{mirror} (default: @code{#f})
29573 The Debian mirror. Typically something like @code{http://ftp.no.debian.org/debian}.
29574 The default varies depending on the distribution.
29575 @item @code{arch} (default: @code{#f})
29576 The dpkg architecture. Set to @code{armhf} to debootstrap an ARMv7 instance
29577 on an AArch64 host. Default is to use the current system architecture.
29578 @item @code{suite} (default: @code{"stable"})
29579 When set, this must be a Debian distribution ``suite'' such as @code{buster}
29580 or @code{focal}. If set to @code{#f}, the default for the OS provider is used.
29581 @item @code{extra-pkgs} (default: @code{%default-debootstrap-extra-pkgs})
29582 List of extra packages that will get installed by dpkg in addition
29583 to the minimal system.
29584 @item @code{components} (default: @code{#f})
29585 When set, must be a list of Debian repository ``components''. For example
29586 @code{'("main" "contrib")}.
29587 @item @code{generate-cache?} (default: @code{#t})
29588 Whether to automatically cache the generated debootstrap archive.
29589 @item @code{clean-cache} (default: @code{14})
29590 Discard the cache after this amount of days. Use @code{#f} to never
29592 @item @code{partition-style} (default: @code{'msdos})
29593 The type of partition to create. When set, it must be one of
29594 @code{'msdos}, @code{'none} or a string.
29595 @item @code{partition-alignment} (default: @code{2048})
29596 Alignment of the partition in sectors.
29600 @deffn {Scheme Procedure} debootstrap-variant @var{name} @var{configuration}
29601 This is a helper procedure that creates a @code{ganeti-os-variant} record. It
29602 takes two parameters: a name and a @code{debootstrap-configuration} object.
29605 @deffn {Scheme Procedure} debootstrap-os @var{variants}@dots{}
29606 This is a helper procedure that creates a @code{ganeti-os} record. It takes
29607 a list of variants created with @code{debootstrap-variant}.
29610 @deffn {Scheme Procedure} guix-variant @var{name} @var{configuration}
29611 This is a helper procedure that creates a @code{ganeti-os-variant} record for
29612 use with the Guix OS provider. It takes a name and a G-expression that returns
29613 a ``file-like'' (@pxref{G-Expressions, file-like objects}) object containing a
29614 Guix System configuration.
29617 @deffn {Scheme Procedure} guix-os @var{variants}@dots{}
29618 This is a helper procedure that creates a @code{ganeti-os} record. It
29619 takes a list of variants produced by @code{guix-variant}.
29622 @defvr {Scheme Variable} %default-debootstrap-variants
29623 This is a convenience variable to make the debootstrap provider work
29624 ``out of the box'' without users having to declare variants manually. It
29625 contains a single debootstrap variant with the default configuration:
29628 (list (debootstrap-variant
29630 (debootstrap-configuration)))
29634 @defvr {Scheme Variable} %default-guix-variants
29635 This is a convenience variable to make the Guix OS provider work without
29636 additional configuration. It creates a virtual machine that has an SSH
29637 server, a serial console, and authorizes the Ganeti hosts SSH keys.
29640 (list (guix-variant
29642 (file-append ganeti-instance-guix
29643 "/share/doc/ganeti-instance-guix/examples/dynamic.scm")))
29647 Users can implement support for OS providers unbeknownst to Guix by extending
29648 the @code{ganeti-os} and @code{ganeti-os-variant} records appropriately.
29654 (extension ".conf")
29656 (list (ganeti-os-variant
29658 (configuration (plain-file "bar" "this is fine"))))))
29661 That creates @file{/etc/ganeti/instance-custom/variants/foo.conf} which points
29662 to a file in the store with contents @code{this is fine}. It also creates
29663 @file{/etc/ganeti/instance-custom/variants/variants.list} with contents @code{foo}.
29665 Obviously this may not work for all OS providers out there. If you find the
29666 interface limiting, please reach out to @email{guix-devel@@gnu.org}.
29668 The rest of this section documents the various services that are included by
29669 @code{ganeti-service-type}.
29671 @defvr {Scheme Variable} ganeti-noded-service-type
29672 @command{ganeti-noded} is the daemon responsible for node-specific functions
29673 within the Ganeti system. The value of this service must be a
29674 @code{ganeti-noded-configuration} object.
29677 @deftp {Data Type} ganeti-noded-configuration
29678 This is the configuration for the @code{ganeti-noded} service.
29681 @item @code{ganeti} (default: @code{ganeti})
29682 The @code{ganeti} package to use for this service.
29684 @item @code{port} (default: @code{1811})
29685 The TCP port on which the node daemon listens for network requests.
29687 @item @code{address} (default: @code{"0.0.0.0"})
29688 The network address that the daemon will bind to. The default address means
29689 bind to all available addresses.
29691 @item @code{interface} (default: @code{#f})
29692 When this is set, it must be a specific network interface (e.g.@: @code{eth0})
29693 that the daemon will bind to.
29695 @item @code{max-clients} (default: @code{20})
29696 This sets a limit on the maximum number of simultaneous client connections
29697 that the daemon will handle. Connections above this count are accepted, but
29698 no responses will be sent until enough connections have closed.
29700 @item @code{ssl?} (default: @code{#t})
29701 Whether to use SSL/TLS to encrypt network communications. The certificate
29702 is automatically provisioned by the cluster and can be rotated with
29703 @command{gnt-cluster renew-crypto}.
29705 @item @code{ssl-key} (default: @file{"/var/lib/ganeti/server.pem"})
29706 This can be used to provide a specific encryption key for TLS communications.
29708 @item @code{ssl-cert} (default: @file{"/var/lib/ganeti/server.pem"})
29709 This can be used to provide a specific certificate for TLS communications.
29711 @item @code{debug?} (default: @code{#f})
29712 When true, the daemon performs additional logging for debugging purposes.
29713 Note that this will leak encryption details to the log files, use with caution.
29718 @defvr {Scheme Variable} ganeti-confd-service-type
29719 @command{ganeti-confd} answers queries related to the configuration of a
29720 Ganeti cluster. The purpose of this daemon is to have a highly available
29721 and fast way to query cluster configuration values. It is automatically
29722 active on all @dfn{master candidates}. The value of this service must be a
29723 @code{ganeti-confd-configuration} object.
29727 @deftp {Data Type} ganeti-confd-configuration
29728 This is the configuration for the @code{ganeti-confd} service.
29731 @item @code{ganeti} (default: @code{ganeti})
29732 The @code{ganeti} package to use for this service.
29734 @item @code{port} (default: @code{1814})
29735 The UDP port on which to listen for network requests.
29737 @item @code{address} (default: @code{"0.0.0.0"})
29738 Network address that the daemon will bind to.
29740 @item @code{debug?} (default: @code{#f})
29741 When true, the daemon performs additional logging for debugging purposes.
29746 @defvr {Scheme Variable} ganeti-wconfd-service-type
29747 @command{ganeti-wconfd} is the daemon that has authoritative knowledge
29748 about the cluster configuration and is the only entity that can accept
29749 changes to it. All jobs that need to modify the configuration will do so
29750 by sending appropriate requests to this daemon. It only runs on the
29751 @dfn{master node} and will automatically disable itself on other nodes.
29753 The value of this service must be a
29754 @code{ganeti-wconfd-configuration} object.
29757 @deftp {Data Type} ganeti-wconfd-configuration
29758 This is the configuration for the @code{ganeti-wconfd} service.
29761 @item @code{ganeti} (default: @code{ganeti})
29762 The @code{ganeti} package to use for this service.
29764 @item @code{no-voting?} (default: @code{#f})
29765 The daemon will refuse to start if the majority of cluster nodes does not
29766 agree that it is running on the master node. Set to @code{#t} to start
29767 even if a quorum can not be reached (dangerous, use with caution).
29769 @item @code{debug?} (default: @code{#f})
29770 When true, the daemon performs additional logging for debugging purposes.
29775 @defvr {Scheme Variable} ganeti-luxid-service-type
29776 @command{ganeti-luxid} is a daemon used to answer queries related to the
29777 configuration and the current live state of a Ganeti cluster. Additionally,
29778 it is the authoritative daemon for the Ganeti job queue. Jobs can be
29779 submitted via this daemon and it schedules and starts them.
29781 It takes a @code{ganeti-luxid-configuration} object.
29784 @deftp {Data Type} ganeti-luxid-configuration
29785 This is the configuration for the @code{ganeti-wconfd} service.
29788 @item @code{ganeti} (default: @code{ganeti})
29789 The @code{ganeti} package to use for this service.
29791 @item @code{no-voting?} (default: @code{#f})
29792 The daemon will refuse to start if it cannot verify that the majority of
29793 cluster nodes believes that it is running on the master node. Set to
29794 @code{#t} to ignore such checks and start anyway (this can be dangerous).
29796 @item @code{debug?} (default: @code{#f})
29797 When true, the daemon performs additional logging for debugging purposes.
29802 @defvr {Scheme Variable} ganeti-rapi-service-type
29803 @command{ganeti-rapi} provides a remote API for Ganeti clusters. It runs on
29804 the master node and can be used to perform cluster actions programmatically
29805 via a JSON-based RPC protocol.
29807 Most query operations are allowed without authentication (unless
29808 @var{require-authentication?} is set), whereas write operations require
29809 explicit authorization via the @file{/var/lib/ganeti/rapi/users} file. See
29810 the @url{http://docs.ganeti.org/ganeti/master/html/rapi.html, Ganeti Remote
29811 API documentation} for more information.
29813 The value of this service must be a @code{ganeti-rapi-configuration} object.
29816 @deftp {Data Type} ganeti-rapi-configuration
29817 This is the configuration for the @code{ganeti-rapi} service.
29820 @item @code{ganeti} (default: @code{ganeti})
29821 The @code{ganeti} package to use for this service.
29823 @item @code{require-authentication?} (default: @code{#f})
29824 Whether to require authentication even for read-only operations.
29826 @item @code{port} (default: @code{5080})
29827 The TCP port on which to listen to API requests.
29829 @item @code{address} (default: @code{"0.0.0.0"})
29830 The network address that the service will bind to. By default it listens
29831 on all configured addresses.
29833 @item @code{interface} (default: @code{#f})
29834 When set, it must specify a specific network interface such as @code{eth0}
29835 that the daemon will bind to.
29837 @item @code{max-clients} (default: @code{20})
29838 The maximum number of simultaneous client requests to handle. Further
29839 connections are allowed, but no responses are sent until enough connections
29842 @item @code{ssl?} (default: @code{#t})
29843 Whether to use SSL/TLS encryption on the RAPI port.
29845 @item @code{ssl-key} (default: @file{"/var/lib/ganeti/server.pem"})
29846 This can be used to provide a specific encryption key for TLS communications.
29848 @item @code{ssl-cert} (default: @file{"/var/lib/ganeti/server.pem"})
29849 This can be used to provide a specific certificate for TLS communications.
29851 @item @code{debug?} (default: @code{#f})
29852 When true, the daemon performs additional logging for debugging purposes.
29853 Note that this will leak encryption details to the log files, use with caution.
29858 @defvr {Scheme Variable} ganeti-kvmd-service-type
29859 @command{ganeti-kvmd} is responsible for determining whether a given KVM
29860 instance was shut down by an administrator or a user. Normally Ganeti will
29861 restart an instance that was not stopped through Ganeti itself. If the
29862 cluster option @code{user_shutdown} is true, this daemon monitors the
29863 @code{QMP} socket provided by QEMU and listens for shutdown events, and
29864 marks the instance as @dfn{USER_down} instead of @dfn{ERROR_down} when
29865 it shuts down gracefully by itself.
29867 It takes a @code{ganeti-kvmd-configuration} object.
29870 @deftp {Data Type} ganeti-kvmd-configuration
29873 @item @code{ganeti} (default: @code{ganeti})
29874 The @code{ganeti} package to use for this service.
29876 @item @code{debug?} (default: @code{#f})
29877 When true, the daemon performs additional logging for debugging purposes.
29882 @defvr {Scheme Variable} ganeti-mond-service-type
29883 @command{ganeti-mond} is an optional daemon that provides Ganeti monitoring
29884 functionality. It is responsible for running data collectors and publish the
29885 collected information through a HTTP interface.
29887 It takes a @code{ganeti-mond-configuration} object.
29890 @deftp {Data Type} ganeti-mond-configuration
29893 @item @code{ganeti} (default: @code{ganeti})
29894 The @code{ganeti} package to use for this service.
29896 @item @code{port} (default: @code{1815})
29897 The port on which the daemon will listen.
29899 @item @code{address} (default: @code{"0.0.0.0"})
29900 The network address that the daemon will bind to. By default it binds to all
29901 available interfaces.
29903 @item @code{debug?} (default: @code{#f})
29904 When true, the daemon performs additional logging for debugging purposes.
29909 @defvr {Scheme Variable} ganeti-metad-service-type
29910 @command{ganeti-metad} is an optional daemon that can be used to provide
29911 information about the cluster to instances or OS install scripts.
29913 It takes a @code{ganeti-metad-configuration} object.
29916 @deftp {Data Type} ganeti-metad-configuration
29919 @item @code{ganeti} (default: @code{ganeti})
29920 The @code{ganeti} package to use for this service.
29922 @item @code{port} (default: @code{80})
29923 The port on which the daemon will listen.
29925 @item @code{address} (default: @code{#f})
29926 If set, the daemon will bind to this address only. If left unset, the behavior
29927 depends on the cluster configuration.
29929 @item @code{debug?} (default: @code{#f})
29930 When true, the daemon performs additional logging for debugging purposes.
29935 @defvr {Scheme Variable} ganeti-watcher-service-type
29936 @command{ganeti-watcher} is a script designed to run periodically and ensure
29937 the health of a cluster. It will automatically restart instances that have
29938 stopped without Ganeti's consent, and repairs DRBD links in case a node has
29939 rebooted. It also archives old cluster jobs and restarts Ganeti daemons
29940 that are not running. If the cluster parameter @code{ensure_node_health}
29941 is set, the watcher will also shutdown instances and DRBD devices if the
29942 node it is running on is declared offline by known master candidates.
29944 It can be paused on all nodes with @command{gnt-cluster watcher pause}.
29946 The service takes a @code{ganeti-watcher-configuration} object.
29949 @deftp {Data Type} ganeti-watcher-configuration
29952 @item @code{ganeti} (default: @code{ganeti})
29953 The @code{ganeti} package to use for this service.
29955 @item @code{schedule} (default: @code{'(next-second-from (next-minute (range 0 60 5)))})
29956 How often to run the script. The default is every five minutes.
29958 @item @code{rapi-ip} (default: @code{#f})
29959 This option needs to be specified only if the RAPI daemon is configured to use
29960 a particular interface or address. By default the cluster address is used.
29962 @item @code{job-age} (default: @code{(* 6 3600)})
29963 Archive cluster jobs older than this age, specified in seconds. The default
29964 is 6 hours. This keeps @command{gnt-job list} manageable.
29966 @item @code{verify-disks?} (default: @code{#t})
29967 If this is @code{#f}, the watcher will not try to repair broken DRBD links
29968 automatically. Administrators will need to use @command{gnt-cluster verify-disks}
29971 @item @code{debug?} (default: @code{#f})
29972 When @code{#t}, the script performs additional logging for debugging purposes.
29977 @defvr {Scheme Variable} ganeti-cleaner-service-type
29978 @command{ganeti-cleaner} is a script designed to run periodically and remove
29979 old files from the cluster. This service type controls two @dfn{cron jobs}:
29980 one intended for the master node that permanently purges old cluster jobs,
29981 and one intended for every node that removes expired X509 certificates, keys,
29982 and outdated @command{ganeti-watcher} information. Like all Ganeti services,
29983 it is safe to include even on non-master nodes as it will disable itself as
29986 It takes a @code{ganeti-cleaner-configuration} object.
29989 @deftp {Data Type} ganeti-cleaner-configuration
29992 @item @code{ganeti} (default: @code{ganeti})
29993 The @code{ganeti} package to use for the @command{gnt-cleaner} command.
29995 @item @code{master-schedule} (default: @code{"45 1 * * *"})
29996 How often to run the master cleaning job. The default is once per day, at
29999 @item @code{node-schedule} (default: @code{"45 2 * * *"})
30000 How often to run the node cleaning job. The default is once per day, at
30006 @node Version Control Services
30007 @subsection Version Control Services
30009 The @code{(gnu services version-control)} module provides a service to
30010 allow remote access to local Git repositories. There are three options:
30011 the @code{git-daemon-service}, which provides access to repositories via
30012 the @code{git://} unsecured TCP-based protocol, extending the
30013 @code{nginx} web server to proxy some requests to
30014 @code{git-http-backend}, or providing a web interface with
30015 @code{cgit-service-type}.
30017 @deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)]
30019 Return a service that runs @command{git daemon}, a simple TCP server to
30020 expose repositories over the Git protocol for anonymous access.
30022 The optional @var{config} argument should be a
30023 @code{<git-daemon-configuration>} object, by default it allows read-only
30024 access to exported@footnote{By creating the magic file
30025 @file{git-daemon-export-ok} in the repository directory.} repositories under
30030 @deftp {Data Type} git-daemon-configuration
30031 Data type representing the configuration for @code{git-daemon-service}.
30034 @item @code{package} (default: @code{git})
30035 Package object of the Git distributed version control system.
30037 @item @code{export-all?} (default: @code{#f})
30038 Whether to allow access for all Git repositories, even if they do not
30039 have the @file{git-daemon-export-ok} file.
30041 @item @code{base-path} (default: @file{/srv/git})
30042 Whether to remap all the path requests as relative to the given path.
30043 If you run @command{git daemon} with @code{(base-path "/srv/git")} on
30044 @samp{example.com}, then if you later try to pull
30045 @indicateurl{git://example.com/hello.git}, git daemon will interpret the
30046 path as @file{/srv/git/hello.git}.
30048 @item @code{user-path} (default: @code{#f})
30049 Whether to allow @code{~user} notation to be used in requests. When
30050 specified with empty string, requests to
30051 @indicateurl{git://host/~alice/foo} is taken as a request to access
30052 @code{foo} repository in the home directory of user @code{alice}. If
30053 @code{(user-path "@var{path}")} is specified, the same request is taken
30054 as a request to access @file{@var{path}/foo} repository in the home
30055 directory of user @code{alice}.
30057 @item @code{listen} (default: @code{'()})
30058 Whether to listen on specific IP addresses or hostnames, defaults to
30061 @item @code{port} (default: @code{#f})
30062 Whether to listen on an alternative port, which defaults to 9418.
30064 @item @code{whitelist} (default: @code{'()})
30065 If not empty, only allow access to this list of directories.
30067 @item @code{extra-options} (default: @code{'()})
30068 Extra options will be passed to @command{git daemon}, please run
30069 @command{man git-daemon} for more information.
30074 The @code{git://} protocol lacks authentication. When you pull from a
30075 repository fetched via @code{git://}, you don't know whether the data you
30076 receive was modified or is even coming from the specified host, and your
30077 connection is subject to eavesdropping. It's better to use an authenticated
30078 and encrypted transport, such as @code{https}. Although Git allows you
30079 to serve repositories using unsophisticated file-based web servers,
30080 there is a faster protocol implemented by the @code{git-http-backend}
30081 program. This program is the back-end of a proper Git web service. It
30082 is designed to sit behind a FastCGI proxy. @xref{Web Services}, for more
30083 on running the necessary @code{fcgiwrap} daemon.
30085 Guix has a separate configuration data type for serving Git repositories
30088 @deftp {Data Type} git-http-configuration
30089 Data type representing the configuration for a future
30090 @code{git-http-service-type}; can currently be used to configure Nginx
30091 through @code{git-http-nginx-location-configuration}.
30094 @item @code{package} (default: @var{git})
30095 Package object of the Git distributed version control system.
30097 @item @code{git-root} (default: @file{/srv/git})
30098 Directory containing the Git repositories to expose to the world.
30100 @item @code{export-all?} (default: @code{#f})
30101 Whether to expose access for all Git repositories in @var{git-root},
30102 even if they do not have the @file{git-daemon-export-ok} file.
30104 @item @code{uri-path} (default: @samp{/git/})
30105 Path prefix for Git access. With the default @samp{/git/} prefix, this
30106 will map @indicateurl{http://@var{server}/git/@var{repo}.git} to
30107 @file{/srv/git/@var{repo}.git}. Requests whose URI paths do not begin
30108 with this prefix are not passed on to this Git instance.
30110 @item @code{fcgiwrap-socket} (default: @code{127.0.0.1:9000})
30111 The socket on which the @code{fcgiwrap} daemon is listening. @xref{Web
30116 There is no @code{git-http-service-type}, currently; instead you can
30117 create an @code{nginx-location-configuration} from a
30118 @code{git-http-configuration} and then add that location to a web
30121 @deffn {Scheme Procedure} git-http-nginx-location-configuration @
30122 [config=(git-http-configuration)]
30123 Compute an @code{nginx-location-configuration} that corresponds to the
30124 given Git http configuration. An example nginx service definition to
30125 serve the default @file{/srv/git} over HTTPS might be:
30128 (service nginx-service-type
30129 (nginx-configuration
30132 (nginx-server-configuration
30133 (listen '("443 ssl"))
30134 (server-name "git.my-host.org")
30136 "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
30137 (ssl-certificate-key
30138 "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
30141 (git-http-nginx-location-configuration
30142 (git-http-configuration (uri-path "/"))))))))))
30145 This example assumes that you are using Let's Encrypt to get your TLS
30146 certificate. @xref{Certificate Services}. The default @code{certbot}
30147 service will redirect all HTTP traffic on @code{git.my-host.org} to
30148 HTTPS@. You will also need to add an @code{fcgiwrap} proxy to your
30149 system services. @xref{Web Services}.
30152 @subsubheading Cgit Service
30154 @cindex Cgit service
30155 @cindex Git, web interface
30156 @uref{https://git.zx2c4.com/cgit/, Cgit} is a web frontend for Git
30157 repositories written in C.
30159 The following example will configure the service with default values.
30160 By default, Cgit can be accessed on port 80 (@code{http://localhost:80}).
30163 (service cgit-service-type)
30166 The @code{file-object} type designates either a file-like object
30167 (@pxref{G-Expressions, file-like objects}) or a string.
30169 @c %start of fragment
30171 Available @code{cgit-configuration} fields are:
30173 @deftypevr {@code{cgit-configuration} parameter} package package
30178 @deftypevr {@code{cgit-configuration} parameter} nginx-server-configuration-list nginx
30179 NGINX configuration.
30183 @deftypevr {@code{cgit-configuration} parameter} file-object about-filter
30184 Specifies a command which will be invoked to format the content of about
30185 pages (both top-level and for each repository).
30187 Defaults to @samp{""}.
30191 @deftypevr {@code{cgit-configuration} parameter} string agefile
30192 Specifies a path, relative to each repository path, which can be used to
30193 specify the date and time of the youngest commit in the repository.
30195 Defaults to @samp{""}.
30199 @deftypevr {@code{cgit-configuration} parameter} file-object auth-filter
30200 Specifies a command that will be invoked for authenticating repository
30203 Defaults to @samp{""}.
30207 @deftypevr {@code{cgit-configuration} parameter} string branch-sort
30208 Flag which, when set to @samp{age}, enables date ordering in the branch
30209 ref list, and when set @samp{name} enables ordering by branch name.
30211 Defaults to @samp{"name"}.
30215 @deftypevr {@code{cgit-configuration} parameter} string cache-root
30216 Path used to store the cgit cache entries.
30218 Defaults to @samp{"/var/cache/cgit"}.
30222 @deftypevr {@code{cgit-configuration} parameter} integer cache-static-ttl
30223 Number which specifies the time-to-live, in minutes, for the cached
30224 version of repository pages accessed with a fixed SHA1.
30226 Defaults to @samp{-1}.
30230 @deftypevr {@code{cgit-configuration} parameter} integer cache-dynamic-ttl
30231 Number which specifies the time-to-live, in minutes, for the cached
30232 version of repository pages accessed without a fixed SHA1.
30234 Defaults to @samp{5}.
30238 @deftypevr {@code{cgit-configuration} parameter} integer cache-repo-ttl
30239 Number which specifies the time-to-live, in minutes, for the cached
30240 version of the repository summary page.
30242 Defaults to @samp{5}.
30246 @deftypevr {@code{cgit-configuration} parameter} integer cache-root-ttl
30247 Number which specifies the time-to-live, in minutes, for the cached
30248 version of the repository index page.
30250 Defaults to @samp{5}.
30254 @deftypevr {@code{cgit-configuration} parameter} integer cache-scanrc-ttl
30255 Number which specifies the time-to-live, in minutes, for the result of
30256 scanning a path for Git repositories.
30258 Defaults to @samp{15}.
30262 @deftypevr {@code{cgit-configuration} parameter} integer cache-about-ttl
30263 Number which specifies the time-to-live, in minutes, for the cached
30264 version of the repository about page.
30266 Defaults to @samp{15}.
30270 @deftypevr {@code{cgit-configuration} parameter} integer cache-snapshot-ttl
30271 Number which specifies the time-to-live, in minutes, for the cached
30272 version of snapshots.
30274 Defaults to @samp{5}.
30278 @deftypevr {@code{cgit-configuration} parameter} integer cache-size
30279 The maximum number of entries in the cgit cache. When set to @samp{0},
30280 caching is disabled.
30282 Defaults to @samp{0}.
30286 @deftypevr {@code{cgit-configuration} parameter} boolean case-sensitive-sort?
30287 Sort items in the repo list case sensitively.
30289 Defaults to @samp{#t}.
30293 @deftypevr {@code{cgit-configuration} parameter} list clone-prefix
30294 List of common prefixes which, when combined with a repository URL,
30295 generates valid clone URLs for the repository.
30297 Defaults to @samp{()}.
30301 @deftypevr {@code{cgit-configuration} parameter} list clone-url
30302 List of @code{clone-url} templates.
30304 Defaults to @samp{()}.
30308 @deftypevr {@code{cgit-configuration} parameter} file-object commit-filter
30309 Command which will be invoked to format commit messages.
30311 Defaults to @samp{""}.
30315 @deftypevr {@code{cgit-configuration} parameter} string commit-sort
30316 Flag which, when set to @samp{date}, enables strict date ordering in the
30317 commit log, and when set to @samp{topo} enables strict topological
30320 Defaults to @samp{"git log"}.
30324 @deftypevr {@code{cgit-configuration} parameter} file-object css
30325 URL which specifies the css document to include in all cgit pages.
30327 Defaults to @samp{"/share/cgit/cgit.css"}.
30331 @deftypevr {@code{cgit-configuration} parameter} file-object email-filter
30332 Specifies a command which will be invoked to format names and email
30333 address of committers, authors, and taggers, as represented in various
30334 places throughout the cgit interface.
30336 Defaults to @samp{""}.
30340 @deftypevr {@code{cgit-configuration} parameter} boolean embedded?
30341 Flag which, when set to @samp{#t}, will make cgit generate a HTML
30342 fragment suitable for embedding in other HTML pages.
30344 Defaults to @samp{#f}.
30348 @deftypevr {@code{cgit-configuration} parameter} boolean enable-commit-graph?
30349 Flag which, when set to @samp{#t}, will make cgit print an ASCII-art
30350 commit history graph to the left of the commit messages in the
30351 repository log page.
30353 Defaults to @samp{#f}.
30357 @deftypevr {@code{cgit-configuration} parameter} boolean enable-filter-overrides?
30358 Flag which, when set to @samp{#t}, allows all filter settings to be
30359 overridden in repository-specific cgitrc files.
30361 Defaults to @samp{#f}.
30365 @deftypevr {@code{cgit-configuration} parameter} boolean enable-follow-links?
30366 Flag which, when set to @samp{#t}, allows users to follow a file in the
30369 Defaults to @samp{#f}.
30373 @deftypevr {@code{cgit-configuration} parameter} boolean enable-http-clone?
30374 If set to @samp{#t}, cgit will act as an dumb HTTP endpoint for Git
30377 Defaults to @samp{#t}.
30381 @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-links?
30382 Flag which, when set to @samp{#t}, will make cgit generate extra links
30383 "summary", "commit", "tree" for each repo in the repository index.
30385 Defaults to @samp{#f}.
30389 @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-owner?
30390 Flag which, when set to @samp{#t}, will make cgit display the owner of
30391 each repo in the repository index.
30393 Defaults to @samp{#t}.
30397 @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-filecount?
30398 Flag which, when set to @samp{#t}, will make cgit print the number of
30399 modified files for each commit on the repository log page.
30401 Defaults to @samp{#f}.
30405 @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-linecount?
30406 Flag which, when set to @samp{#t}, will make cgit print the number of
30407 added and removed lines for each commit on the repository log page.
30409 Defaults to @samp{#f}.
30413 @deftypevr {@code{cgit-configuration} parameter} boolean enable-remote-branches?
30414 Flag which, when set to @code{#t}, will make cgit display remote
30415 branches in the summary and refs views.
30417 Defaults to @samp{#f}.
30421 @deftypevr {@code{cgit-configuration} parameter} boolean enable-subject-links?
30422 Flag which, when set to @code{1}, will make cgit use the subject of the
30423 parent commit as link text when generating links to parent commits in
30426 Defaults to @samp{#f}.
30430 @deftypevr {@code{cgit-configuration} parameter} boolean enable-html-serving?
30431 Flag which, when set to @samp{#t}, will make cgit use the subject of the
30432 parent commit as link text when generating links to parent commits in
30435 Defaults to @samp{#f}.
30439 @deftypevr {@code{cgit-configuration} parameter} boolean enable-tree-linenumbers?
30440 Flag which, when set to @samp{#t}, will make cgit generate linenumber
30441 links for plaintext blobs printed in the tree view.
30443 Defaults to @samp{#t}.
30447 @deftypevr {@code{cgit-configuration} parameter} boolean enable-git-config?
30448 Flag which, when set to @samp{#f}, will allow cgit to use Git config to
30449 set any repo specific settings.
30451 Defaults to @samp{#f}.
30455 @deftypevr {@code{cgit-configuration} parameter} file-object favicon
30456 URL used as link to a shortcut icon for cgit.
30458 Defaults to @samp{"/favicon.ico"}.
30462 @deftypevr {@code{cgit-configuration} parameter} string footer
30463 The content of the file specified with this option will be included
30464 verbatim at the bottom of all pages (i.e.@: it replaces the standard
30465 "generated by..."@: message).
30467 Defaults to @samp{""}.
30471 @deftypevr {@code{cgit-configuration} parameter} string head-include
30472 The content of the file specified with this option will be included
30473 verbatim in the HTML HEAD section on all pages.
30475 Defaults to @samp{""}.
30479 @deftypevr {@code{cgit-configuration} parameter} string header
30480 The content of the file specified with this option will be included
30481 verbatim at the top of all pages.
30483 Defaults to @samp{""}.
30487 @deftypevr {@code{cgit-configuration} parameter} file-object include
30488 Name of a configfile to include before the rest of the current config-
30491 Defaults to @samp{""}.
30495 @deftypevr {@code{cgit-configuration} parameter} string index-header
30496 The content of the file specified with this option will be included
30497 verbatim above the repository index.
30499 Defaults to @samp{""}.
30503 @deftypevr {@code{cgit-configuration} parameter} string index-info
30504 The content of the file specified with this option will be included
30505 verbatim below the heading on the repository index page.
30507 Defaults to @samp{""}.
30511 @deftypevr {@code{cgit-configuration} parameter} boolean local-time?
30512 Flag which, if set to @samp{#t}, makes cgit print commit and tag times
30513 in the servers timezone.
30515 Defaults to @samp{#f}.
30519 @deftypevr {@code{cgit-configuration} parameter} file-object logo
30520 URL which specifies the source of an image which will be used as a logo
30523 Defaults to @samp{"/share/cgit/cgit.png"}.
30527 @deftypevr {@code{cgit-configuration} parameter} string logo-link
30528 URL loaded when clicking on the cgit logo image.
30530 Defaults to @samp{""}.
30534 @deftypevr {@code{cgit-configuration} parameter} file-object owner-filter
30535 Command which will be invoked to format the Owner column of the main
30538 Defaults to @samp{""}.
30542 @deftypevr {@code{cgit-configuration} parameter} integer max-atom-items
30543 Number of items to display in atom feeds view.
30545 Defaults to @samp{10}.
30549 @deftypevr {@code{cgit-configuration} parameter} integer max-commit-count
30550 Number of entries to list per page in "log" view.
30552 Defaults to @samp{50}.
30556 @deftypevr {@code{cgit-configuration} parameter} integer max-message-length
30557 Number of commit message characters to display in "log" view.
30559 Defaults to @samp{80}.
30563 @deftypevr {@code{cgit-configuration} parameter} integer max-repo-count
30564 Specifies the number of entries to list per page on the repository index
30567 Defaults to @samp{50}.
30571 @deftypevr {@code{cgit-configuration} parameter} integer max-repodesc-length
30572 Specifies the maximum number of repo description characters to display
30573 on the repository index page.
30575 Defaults to @samp{80}.
30579 @deftypevr {@code{cgit-configuration} parameter} integer max-blob-size
30580 Specifies the maximum size of a blob to display HTML for in KBytes.
30582 Defaults to @samp{0}.
30586 @deftypevr {@code{cgit-configuration} parameter} string max-stats
30587 Maximum statistics period. Valid values are @samp{week},@samp{month},
30588 @samp{quarter} and @samp{year}.
30590 Defaults to @samp{""}.
30594 @deftypevr {@code{cgit-configuration} parameter} mimetype-alist mimetype
30595 Mimetype for the specified filename extension.
30597 Defaults to @samp{((gif "image/gif") (html "text/html") (jpg
30598 "image/jpeg") (jpeg "image/jpeg") (pdf "application/pdf") (png
30599 "image/png") (svg "image/svg+xml"))}.
30603 @deftypevr {@code{cgit-configuration} parameter} file-object mimetype-file
30604 Specifies the file to use for automatic mimetype lookup.
30606 Defaults to @samp{""}.
30610 @deftypevr {@code{cgit-configuration} parameter} string module-link
30611 Text which will be used as the formatstring for a hyperlink when a
30612 submodule is printed in a directory listing.
30614 Defaults to @samp{""}.
30618 @deftypevr {@code{cgit-configuration} parameter} boolean nocache?
30619 If set to the value @samp{#t} caching will be disabled.
30621 Defaults to @samp{#f}.
30625 @deftypevr {@code{cgit-configuration} parameter} boolean noplainemail?
30626 If set to @samp{#t} showing full author email addresses will be
30629 Defaults to @samp{#f}.
30633 @deftypevr {@code{cgit-configuration} parameter} boolean noheader?
30634 Flag which, when set to @samp{#t}, will make cgit omit the standard
30635 header on all pages.
30637 Defaults to @samp{#f}.
30641 @deftypevr {@code{cgit-configuration} parameter} project-list project-list
30642 A list of subdirectories inside of @code{repository-directory}, relative
30643 to it, that should loaded as Git repositories. An empty list means that
30644 all subdirectories will be loaded.
30646 Defaults to @samp{()}.
30650 @deftypevr {@code{cgit-configuration} parameter} file-object readme
30651 Text which will be used as default value for @code{cgit-repo-readme}.
30653 Defaults to @samp{""}.
30657 @deftypevr {@code{cgit-configuration} parameter} boolean remove-suffix?
30658 If set to @code{#t} and @code{repository-directory} is enabled, if any
30659 repositories are found with a suffix of @code{.git}, this suffix will be
30660 removed for the URL and name.
30662 Defaults to @samp{#f}.
30666 @deftypevr {@code{cgit-configuration} parameter} integer renamelimit
30667 Maximum number of files to consider when detecting renames.
30669 Defaults to @samp{-1}.
30673 @deftypevr {@code{cgit-configuration} parameter} string repository-sort
30674 The way in which repositories in each section are sorted.
30676 Defaults to @samp{""}.
30680 @deftypevr {@code{cgit-configuration} parameter} robots-list robots
30681 Text used as content for the @code{robots} meta-tag.
30683 Defaults to @samp{("noindex" "nofollow")}.
30687 @deftypevr {@code{cgit-configuration} parameter} string root-desc
30688 Text printed below the heading on the repository index page.
30690 Defaults to @samp{"a fast webinterface for the git dscm"}.
30694 @deftypevr {@code{cgit-configuration} parameter} string root-readme
30695 The content of the file specified with this option will be included
30696 verbatim below the ``about'' link on the repository index page.
30698 Defaults to @samp{""}.
30702 @deftypevr {@code{cgit-configuration} parameter} string root-title
30703 Text printed as heading on the repository index page.
30705 Defaults to @samp{""}.
30709 @deftypevr {@code{cgit-configuration} parameter} boolean scan-hidden-path
30710 If set to @samp{#t} and repository-directory is enabled,
30711 repository-directory will recurse into directories whose name starts
30712 with a period. Otherwise, repository-directory will stay away from such
30713 directories, considered as ``hidden''. Note that this does not apply to
30714 the @file{.git} directory in non-bare repos.
30716 Defaults to @samp{#f}.
30720 @deftypevr {@code{cgit-configuration} parameter} list snapshots
30721 Text which specifies the default set of snapshot formats that cgit
30722 generates links for.
30724 Defaults to @samp{()}.
30728 @deftypevr {@code{cgit-configuration} parameter} repository-directory repository-directory
30729 Name of the directory to scan for repositories (represents
30732 Defaults to @samp{"/srv/git"}.
30736 @deftypevr {@code{cgit-configuration} parameter} string section
30737 The name of the current repository section - all repositories defined
30738 after this option will inherit the current section name.
30740 Defaults to @samp{""}.
30744 @deftypevr {@code{cgit-configuration} parameter} string section-sort
30745 Flag which, when set to @samp{1}, will sort the sections on the
30746 repository listing by name.
30748 Defaults to @samp{""}.
30752 @deftypevr {@code{cgit-configuration} parameter} integer section-from-path
30753 A number which, if defined prior to repository-directory, specifies how
30754 many path elements from each repo path to use as a default section name.
30756 Defaults to @samp{0}.
30760 @deftypevr {@code{cgit-configuration} parameter} boolean side-by-side-diffs?
30761 If set to @samp{#t} shows side-by-side diffs instead of unidiffs per
30764 Defaults to @samp{#f}.
30768 @deftypevr {@code{cgit-configuration} parameter} file-object source-filter
30769 Specifies a command which will be invoked to format plaintext blobs in
30772 Defaults to @samp{""}.
30776 @deftypevr {@code{cgit-configuration} parameter} integer summary-branches
30777 Specifies the number of branches to display in the repository ``summary''
30780 Defaults to @samp{10}.
30784 @deftypevr {@code{cgit-configuration} parameter} integer summary-log
30785 Specifies the number of log entries to display in the repository
30788 Defaults to @samp{10}.
30792 @deftypevr {@code{cgit-configuration} parameter} integer summary-tags
30793 Specifies the number of tags to display in the repository ``summary''
30796 Defaults to @samp{10}.
30800 @deftypevr {@code{cgit-configuration} parameter} string strict-export
30801 Filename which, if specified, needs to be present within the repository
30802 for cgit to allow access to that repository.
30804 Defaults to @samp{""}.
30808 @deftypevr {@code{cgit-configuration} parameter} string virtual-root
30809 URL which, if specified, will be used as root for all cgit links.
30811 Defaults to @samp{"/"}.
30815 @deftypevr {@code{cgit-configuration} parameter} repository-cgit-configuration-list repositories
30816 A list of @dfn{cgit-repo} records to use with config.
30818 Defaults to @samp{()}.
30820 Available @code{repository-cgit-configuration} fields are:
30822 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list snapshots
30823 A mask of snapshot formats for this repo that cgit generates links for,
30824 restricted by the global @code{snapshots} setting.
30826 Defaults to @samp{()}.
30830 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object source-filter
30831 Override the default @code{source-filter}.
30833 Defaults to @samp{""}.
30837 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string url
30838 The relative URL used to access the repository.
30840 Defaults to @samp{""}.
30844 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object about-filter
30845 Override the default @code{about-filter}.
30847 Defaults to @samp{""}.
30851 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string branch-sort
30852 Flag which, when set to @samp{age}, enables date ordering in the branch
30853 ref list, and when set to @samp{name} enables ordering by branch name.
30855 Defaults to @samp{""}.
30859 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list clone-url
30860 A list of URLs which can be used to clone repo.
30862 Defaults to @samp{()}.
30866 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object commit-filter
30867 Override the default @code{commit-filter}.
30869 Defaults to @samp{""}.
30873 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string commit-sort
30874 Flag which, when set to @samp{date}, enables strict date ordering in the
30875 commit log, and when set to @samp{topo} enables strict topological
30878 Defaults to @samp{""}.
30882 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string defbranch
30883 The name of the default branch for this repository. If no such branch
30884 exists in the repository, the first branch name (when sorted) is used as
30885 default instead. By default branch pointed to by HEAD, or ``master'' if
30886 there is no suitable HEAD.
30888 Defaults to @samp{""}.
30892 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string desc
30893 The value to show as repository description.
30895 Defaults to @samp{""}.
30899 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string homepage
30900 The value to show as repository homepage.
30902 Defaults to @samp{""}.
30906 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object email-filter
30907 Override the default @code{email-filter}.
30909 Defaults to @samp{""}.
30913 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-commit-graph?
30914 A flag which can be used to disable the global setting
30915 @code{enable-commit-graph?}.
30917 Defaults to @samp{disabled}.
30921 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-log-filecount?
30922 A flag which can be used to disable the global setting
30923 @code{enable-log-filecount?}.
30925 Defaults to @samp{disabled}.
30929 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-log-linecount?
30930 A flag which can be used to disable the global setting
30931 @code{enable-log-linecount?}.
30933 Defaults to @samp{disabled}.
30937 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-remote-branches?
30938 Flag which, when set to @code{#t}, will make cgit display remote
30939 branches in the summary and refs views.
30941 Defaults to @samp{disabled}.
30945 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-subject-links?
30946 A flag which can be used to override the global setting
30947 @code{enable-subject-links?}.
30949 Defaults to @samp{disabled}.
30953 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-html-serving?
30954 A flag which can be used to override the global setting
30955 @code{enable-html-serving?}.
30957 Defaults to @samp{disabled}.
30961 @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean hide?
30962 Flag which, when set to @code{#t}, hides the repository from the
30965 Defaults to @samp{#f}.
30969 @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean ignore?
30970 Flag which, when set to @samp{#t}, ignores the repository.
30972 Defaults to @samp{#f}.
30976 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object logo
30977 URL which specifies the source of an image which will be used as a logo
30978 on this repo’s pages.
30980 Defaults to @samp{""}.
30984 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string logo-link
30985 URL loaded when clicking on the cgit logo image.
30987 Defaults to @samp{""}.
30991 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object owner-filter
30992 Override the default @code{owner-filter}.
30994 Defaults to @samp{""}.
30998 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string module-link
30999 Text which will be used as the formatstring for a hyperlink when a
31000 submodule is printed in a directory listing. The arguments for the
31001 formatstring are the path and SHA1 of the submodule commit.
31003 Defaults to @samp{""}.
31007 @deftypevr {@code{repository-cgit-configuration} parameter} module-link-path module-link-path
31008 Text which will be used as the formatstring for a hyperlink when a
31009 submodule with the specified subdirectory path is printed in a directory
31012 Defaults to @samp{()}.
31016 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string max-stats
31017 Override the default maximum statistics period.
31019 Defaults to @samp{""}.
31023 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string name
31024 The value to show as repository name.
31026 Defaults to @samp{""}.
31030 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string owner
31031 A value used to identify the owner of the repository.
31033 Defaults to @samp{""}.
31037 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string path
31038 An absolute path to the repository directory.
31040 Defaults to @samp{""}.
31044 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string readme
31045 A path (relative to repo) which specifies a file to include verbatim as
31046 the ``About'' page for this repo.
31048 Defaults to @samp{""}.
31052 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string section
31053 The name of the current repository section - all repositories defined
31054 after this option will inherit the current section name.
31056 Defaults to @samp{""}.
31060 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list extra-options
31061 Extra options will be appended to cgitrc file.
31063 Defaults to @samp{()}.
31069 @deftypevr {@code{cgit-configuration} parameter} list extra-options
31070 Extra options will be appended to cgitrc file.
31072 Defaults to @samp{()}.
31077 @c %end of fragment
31079 However, it could be that you just want to get a @code{cgitrc} up and
31080 running. In that case, you can pass an @code{opaque-cgit-configuration}
31081 as a record to @code{cgit-service-type}. As its name indicates, an
31082 opaque configuration does not have easy reflective capabilities.
31084 Available @code{opaque-cgit-configuration} fields are:
31086 @deftypevr {@code{opaque-cgit-configuration} parameter} package cgit
31090 @deftypevr {@code{opaque-cgit-configuration} parameter} string string
31091 The contents of the @code{cgitrc}, as a string.
31094 For example, if your @code{cgitrc} is just the empty string, you
31095 could instantiate a cgit service like this:
31098 (service cgit-service-type
31099 (opaque-cgit-configuration
31103 @subsubheading Gitolite Service
31105 @cindex Gitolite service
31106 @cindex Git, hosting
31107 @uref{https://gitolite.com/gitolite/, Gitolite} is a tool for hosting Git
31108 repositories on a central server.
31110 Gitolite can handle multiple repositories and users, and supports flexible
31111 configuration of the permissions for the users on the repositories.
31113 The following example will configure Gitolite using the default @code{git}
31114 user, and the provided SSH public key.
31117 (service gitolite-service-type
31118 (gitolite-configuration
31119 (admin-pubkey (plain-file
31121 "ssh-rsa AAAA... guix@@example.com"))))
31124 Gitolite is configured through a special admin repository which you can clone,
31125 for example, if you setup Gitolite on @code{example.com}, you would run the
31126 following command to clone the admin repository.
31129 git clone git@@example.com:gitolite-admin
31132 When the Gitolite service is activated, the provided @code{admin-pubkey} will
31133 be inserted in to the @file{keydir} directory in the gitolite-admin
31134 repository. If this results in a change in the repository, it will be
31135 committed using the message ``gitolite setup by GNU Guix''.
31137 @deftp {Data Type} gitolite-configuration
31138 Data type representing the configuration for @code{gitolite-service-type}.
31141 @item @code{package} (default: @var{gitolite})
31142 Gitolite package to use.
31144 @item @code{user} (default: @var{git})
31145 User to use for Gitolite. This will be user that you use when accessing
31148 @item @code{group} (default: @var{git})
31149 Group to use for Gitolite.
31151 @item @code{home-directory} (default: @var{"/var/lib/gitolite"})
31152 Directory in which to store the Gitolite configuration and repositories.
31154 @item @code{rc-file} (default: @var{(gitolite-rc-file)})
31155 A ``file-like'' object (@pxref{G-Expressions, file-like objects}),
31156 representing the configuration for Gitolite.
31158 @item @code{admin-pubkey} (default: @var{#f})
31159 A ``file-like'' object (@pxref{G-Expressions, file-like objects}) used to
31160 setup Gitolite. This will be inserted in to the @file{keydir} directory
31161 within the gitolite-admin repository.
31163 To specify the SSH key as a string, use the @code{plain-file} function.
31166 (plain-file "yourname.pub" "ssh-rsa AAAA... guix@@example.com")
31172 @deftp {Data Type} gitolite-rc-file
31173 Data type representing the Gitolite RC file.
31176 @item @code{umask} (default: @code{#o0077})
31177 This controls the permissions Gitolite sets on the repositories and their
31180 A value like @code{#o0027} will give read access to the group used by Gitolite
31181 (by default: @code{git}). This is necessary when using Gitolite with software
31182 like cgit or gitweb.
31184 @item @code{git-config-keys} (default: @code{""})
31185 Gitolite allows you to set git config values using the @samp{config}
31186 keyword. This setting allows control over the config keys to accept.
31188 @item @code{roles} (default: @code{'(("READERS" . 1) ("WRITERS" . ))})
31189 Set the role names allowed to be used by users running the perms command.
31191 @item @code{enable} (default: @code{'("help" "desc" "info" "perms" "writable" "ssh-authkeys" "git-config" "daemon" "gitweb")})
31192 This setting controls the commands and features to enable within Gitolite.
31198 @node Game Services
31199 @subsection Game Services
31201 @subsubheading The Battle for Wesnoth Service
31203 @uref{https://wesnoth.org, The Battle for Wesnoth} is a fantasy, turn
31204 based tactical strategy game, with several single player campaigns, and
31205 multiplayer games (both networked and local).
31207 @defvar {Scheme Variable} wesnothd-service-type
31208 Service type for the wesnothd service. Its value must be a
31209 @code{wesnothd-configuration} object. To run wesnothd in the default
31210 configuration, instantiate it as:
31213 (service wesnothd-service-type)
31217 @deftp {Data Type} wesnothd-configuration
31218 Data type representing the configuration of @command{wesnothd}.
31221 @item @code{package} (default: @code{wesnoth-server})
31222 The wesnoth server package to use.
31224 @item @code{port} (default: @code{15000})
31225 The port to bind the server to.
31230 @node PAM Mount Service
31231 @subsection PAM Mount Service
31234 The @code{(gnu services pam-mount)} module provides a service allowing
31235 users to mount volumes when they log in. It should be able to mount any
31236 volume format supported by the system.
31238 @defvar {Scheme Variable} pam-mount-service-type
31239 Service type for PAM Mount support.
31242 @deftp {Data Type} pam-mount-configuration
31243 Data type representing the configuration of PAM Mount.
31245 It takes the following parameters:
31249 The configuration rules that will be used to generate
31250 @file{/etc/security/pam_mount.conf.xml}.
31252 The configuration rules are SXML elements (@pxref{SXML,,, guile, GNU
31253 Guile Reference Manual}), and the default ones don't mount anything for
31257 `((debug (@@ (enable "0")))
31258 (mntoptions (@@ (allow ,(string-join
31259 '("nosuid" "nodev" "loop"
31260 "encryption" "fsck" "nonempty"
31261 "allow_root" "allow_other")
31263 (mntoptions (@@ (require "nosuid,nodev")))
31264 (logout (@@ (wait "0")
31268 (mkmountpoint (@@ (enable "1")
31272 Some @code{volume} elements must be added to automatically mount volumes
31273 at login. Here's an example allowing the user @code{alice} to mount her
31274 encrypted @env{HOME} directory and allowing the user @code{bob} to mount
31275 the partition where he stores his data:
31278 (define pam-mount-rules
31279 `((debug (@@ (enable "0")))
31280 (volume (@@ (user "alice")
31283 (mountpoint "/home/alice")))
31284 (volume (@@ (user "bob")
31287 (mountpoint "/home/bob/data")
31288 (options "defaults,autodefrag,compress")))
31289 (mntoptions (@@ (allow ,(string-join
31290 '("nosuid" "nodev" "loop"
31291 "encryption" "fsck" "nonempty"
31292 "allow_root" "allow_other")
31294 (mntoptions (@@ (require "nosuid,nodev")))
31295 (logout (@@ (wait "0")
31299 (mkmountpoint (@@ (enable "1")
31300 (remove "true")))))
31302 (service pam-mount-service-type
31303 (pam-mount-configuration
31304 (rules pam-mount-rules)))
31307 The complete list of possible options can be found in the man page for
31308 @uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, pam_mount.conf}.
31313 @node Guix Services
31314 @subsection Guix Services
31316 @subsubheading Guix Build Coordinator
31317 The @uref{https://git.cbaines.net/guix/build-coordinator/,Guix Build
31318 Coordinator} aids in distributing derivation builds among machines
31319 running an @dfn{agent}. The build daemon is still used to build the
31320 derivations, but the Guix Build Coordinator manages allocating builds
31321 and working with the results.
31324 This service is considered experimental. Configuration options may be
31325 changed in a backwards-incompatible manner, and not all features have
31326 been thorougly tested.
31329 The Guix Build Coordinator consists of one @dfn{coordinator}, and one or
31330 more connected @dfn{agent} processes. The coordinator process handles
31331 clients submitting builds, and allocating builds to agents. The agent
31332 processes talk to a build daemon to actually perform the builds, then
31333 send the results back to the coordinator.
31335 There is a script to run the coordinator component of the Guix Build
31336 Coordinator, but the Guix service uses a custom Guile script instead, to
31337 provide better integration with G-expressions used in the configuration.
31339 @defvar {Scheme Variable} guix-build-coordinator-service-type
31340 Service type for the Guix Build Coordinator. Its value must be a
31341 @code{guix-build-coordinator-configuration} object.
31344 @deftp {Data Type} guix-build-coordinator-configuration
31345 Data type representing the configuration of the Guix Build Coordinator.
31348 @item @code{package} (default: @code{guix-build-coordinator})
31349 The Guix Build Coordinator package to use.
31351 @item @code{user} (default: @code{"guix-build-coordinator"})
31352 The system user to run the service as.
31354 @item @code{group} (default: @code{"guix-build-coordinator"})
31355 The system group to run the service as.
31357 @item @code{database-uri-string} (default: @code{"sqlite:///var/lib/guix-build-coordinator/guix_build_coordinator.db"})
31358 The URI to use for the database.
31360 @item @code{agent-communication-uri} (default: @code{"http://0.0.0.0:8745"})
31361 The URI describing how to listen to requests from agent processes.
31363 @item @code{client-communication-uri} (default: @code{"http://127.0.0.1:8746"})
31364 The URI describing how to listen to requests from clients. The client
31365 API allows submitting builds and currently isn't authenticated, so take
31366 care when configuring this value.
31368 @item @code{allocation-strategy} (default: @code{#~basic-build-allocation-strategy})
31369 A G-expression for the allocation strategy to be used. This is a
31370 procedure that takes the datastore as an argument and populates the
31371 allocation plan in the database.
31373 @item @code{hooks} (default: @var{'()})
31374 An association list of hooks. These provide a way to execute arbitrary
31375 code upon certain events, like a build result being processed.
31377 @item @code{guile} (default: @code{guile-3.0-latest})
31378 The Guile package with which to run the Guix Build Coordinator.
31383 @defvar {Scheme Variable} guix-build-coordinator-agent-service-type
31384 Service type for a Guix Build Coordinator agent. Its value must be a
31385 @code{guix-build-coordinator-agent-configuration} object.
31388 @deftp {Data Type} guix-build-coordinator-agent-configuration
31389 Data type representing the configuration a Guix Build Coordinator agent.
31392 @item @code{package} (default: @code{guix-build-coordinator})
31393 The Guix Build Coordinator package to use.
31395 @item @code{user} (default: @code{"guix-build-coordinator-agent"})
31396 The system user to run the service as.
31398 @item @code{coordinator} (default: @code{"http://localhost:8745"})
31399 The URI to use when connecting to the coordinator.
31401 @item @code{authentication}
31402 Record describing how this agent should authenticate with the
31403 coordinator. Possible record types are described below.
31405 @item @code{systems} (default: @code{#f})
31406 The systems for which this agent should fetch builds. The agent process
31407 will use the current system it's running on as the default.
31409 @item @code{max-parallel-builds} (default: @code{1})
31410 The number of builds to perform in parallel.
31412 @item @code{max-1min-load-average} (default: @code{#f})
31413 Load average value to look at when considering starting new builds, if
31414 the 1 minute load average exceeds this value, the agent will wait before
31415 starting new builds.
31417 This will be unspecified if the value is @code{#f}, and the agent will
31418 use the number of cores reported by the system as the max 1 minute load
31421 @item @code{derivation-substitute-urls} (default: @code{#f})
31422 URLs from which to attempt to fetch substitutes for derivations, if the
31423 derivations aren't already available.
31425 @item @code{non-derivation-substitute-urls} (default: @code{#f})
31426 URLs from which to attempt to fetch substitutes for build inputs, if the
31427 input store items aren't already available.
31432 @deftp {Data Type} guix-build-coordinator-agent-password-auth
31433 Data type representing an agent authenticating with a coordinator via a
31438 The UUID of the agent. This should be generated by the coordinator
31439 process, stored in the coordinator database, and used by the intended
31442 @item @code{password}
31443 The password to use when connecting to the coordinator.
31448 @deftp {Data Type} guix-build-coordinator-agent-password-file-auth
31449 Data type representing an agent authenticating with a coordinator via a
31450 UUID and password read from a file.
31454 The UUID of the agent. This should be generated by the coordinator
31455 process, stored in the coordinator database, and used by the intended
31458 @item @code{password-file}
31459 A file containing the password to use when connecting to the
31465 @deftp {Data Type} guix-build-coordinator-agent-dynamic-auth
31466 Data type representing an agent authenticating with a coordinator via a
31467 dynamic auth token and agent name.
31470 @item @code{agent-name}
31471 Name of an agent, this is used to match up to an existing entry in the
31472 database if there is one. When no existing entry is found, a new entry
31473 is automatically added.
31476 Dynamic auth token, this is created and stored in the coordinator
31477 database, and is used by the agent to authenticate.
31482 @deftp {Data Type} guix-build-coordinator-agent-dynamic-auth-with-file
31483 Data type representing an agent authenticating with a coordinator via a
31484 dynamic auth token read from a file and agent name.
31487 @item @code{agent-name}
31488 Name of an agent, this is used to match up to an existing entry in the
31489 database if there is one. When no existing entry is found, a new entry
31490 is automatically added.
31492 @item @code{token-file}
31493 File containing the dynamic auth token, this is created and stored in
31494 the coordinator database, and is used by the agent to authenticate.
31499 The Guix Build Coordinator package contains a script to query an
31500 instance of the Guix Data Service for derivations to build, and then
31501 submit builds for those derivations to the coordinator. The service
31502 type below assists in running this script. This is an additional tool
31503 that may be useful when building derivations contained within an
31504 instance of the Guix Data Service.
31506 @defvar {Scheme Variable} guix-build-coordinator-queue-builds-service-type
31507 Service type for the
31508 guix-build-coordinator-queue-builds-from-guix-data-service script. Its
31509 value must be a @code{guix-build-coordinator-queue-builds-configuration}
31513 @deftp {Data Type} guix-build-coordinator-queue-builds-configuration
31514 Data type representing the options to the queue builds from guix data
31518 @item @code{package} (default: @code{guix-build-coordinator})
31519 The Guix Build Coordinator package to use.
31521 @item @code{user} (default: @code{"guix-build-coordinator-queue-builds"})
31522 The system user to run the service as.
31524 @item @code{coordinator} (default: @code{"http://localhost:8746"})
31525 The URI to use when connecting to the coordinator.
31527 @item @code{systems} (default: @code{#f})
31528 The systems for which to fetch derivations to build.
31530 @item @code{systems-and-targets} (default: @code{#f})
31531 An association list of system and target pairs for which to fetch
31532 derivations to build.
31534 @item @code{guix-data-service} (default: @code{"https://data.guix.gnu.org"})
31535 The Guix Data Service instance from which to query to find out about
31536 derivations to build.
31538 @item @code{processed-commits-file} (default: @code{"/var/cache/guix-build-coordinator-queue-builds/processed-commits"})
31539 A file to record which commits have been processed, to avoid needlessly
31540 processing them again if the service is restarted.
31545 @subsubheading Guix Data Service
31546 The @uref{http://data.guix.gnu.org,Guix Data Service} processes, stores
31547 and provides data about GNU Guix. This includes information about
31548 packages, derivations and lint warnings.
31550 The data is stored in a PostgreSQL database, and available through a web
31553 @defvar {Scheme Variable} guix-data-service-type
31554 Service type for the Guix Data Service. Its value must be a
31555 @code{guix-data-service-configuration} object. The service optionally
31556 extends the getmail service, as the guix-commits mailing list is used to
31557 find out about changes in the Guix git repository.
31560 @deftp {Data Type} guix-data-service-configuration
31561 Data type representing the configuration of the Guix Data Service.
31564 @item @code{package} (default: @code{guix-data-service})
31565 The Guix Data Service package to use.
31567 @item @code{user} (default: @code{"guix-data-service"})
31568 The system user to run the service as.
31570 @item @code{group} (default: @code{"guix-data-service"})
31571 The system group to run the service as.
31573 @item @code{port} (default: @code{8765})
31574 The port to bind the web service to.
31576 @item @code{host} (default: @code{"127.0.0.1"})
31577 The host to bind the web service to.
31579 @item @code{getmail-idle-mailboxes} (default: @code{#f})
31580 If set, this is the list of mailboxes that the getmail service will be
31581 configured to listen to.
31583 @item @code{commits-getmail-retriever-configuration} (default: @code{#f})
31584 If set, this is the @code{getmail-retriever-configuration} object with
31585 which to configure getmail to fetch mail from the guix-commits mailing
31588 @item @code{extra-options} (default: @var{'()})
31589 Extra command line options for @code{guix-data-service}.
31591 @item @code{extra-process-jobs-options} (default: @var{'()})
31592 Extra command line options for @code{guix-data-service-process-jobs}.
31597 @node Linux Services
31598 @subsection Linux Services
31601 @cindex out of memory killer
31603 @cindex early out of memory daemon
31604 @subsubheading Early OOM Service
31606 @uref{https://github.com/rfjakob/earlyoom,Early OOM}, also known as
31607 Earlyoom, is a minimalist out of memory (OOM) daemon that runs in user
31608 space and provides a more responsive and configurable alternative to the
31609 in-kernel OOM killer. It is useful to prevent the system from becoming
31610 unresponsive when it runs out of memory.
31612 @deffn {Scheme Variable} earlyoom-service-type
31613 The service type for running @command{earlyoom}, the Early OOM daemon.
31614 Its value must be a @code{earlyoom-configuration} object, described
31615 below. The service can be instantiated in its default configuration
31619 (service earlyoom-service-type)
31623 @deftp {Data Type} earlyoom-configuration
31624 This is the configuration record for the @code{earlyoom-service-type}.
31627 @item @code{earlyoom} (default: @var{earlyoom})
31628 The Earlyoom package to use.
31630 @item @code{minimum-available-memory} (default: @code{10})
31631 The threshold for the minimum @emph{available} memory, in percentages.
31633 @item @code{minimum-free-swap} (default: @code{10})
31634 The threshold for the minimum free swap memory, in percentages.
31636 @item @code{prefer-regexp} (default: @code{#f})
31637 A regular expression (as a string) to match the names of the processes
31638 that should be preferably killed.
31640 @item @code{avoid-regexp} (default: @code{#f})
31641 A regular expression (as a string) to match the names of the processes
31642 that should @emph{not} be killed.
31644 @item @code{memory-report-interval} (default: @code{0})
31645 The interval in seconds at which a memory report is printed. It is
31646 disabled by default.
31648 @item @code{ignore-positive-oom-score-adj?} (default: @code{#f})
31649 A boolean indicating whether the positive adjustments set in
31650 @file{/proc/*/oom_score_adj} should be ignored.
31652 @item @code{show-debug-messages?} (default: @code{#f})
31653 A boolean indicating whether debug messages should be printed. The logs
31654 are saved at @file{/var/log/earlyoom.log}.
31656 @item @code{send-notification-command} (default: @code{#f})
31657 This can be used to provide a custom command used for sending
31663 @cindex kernel module loader
31664 @subsubheading Kernel Module Loader Service
31666 The kernel module loader service allows one to load loadable kernel
31667 modules at boot. This is especially useful for modules that don't
31668 autoload and need to be manually loaded, as is the case with
31671 @deffn {Scheme Variable} kernel-module-loader-service-type
31672 The service type for loading loadable kernel modules at boot with
31673 @command{modprobe}. Its value must be a list of strings representing
31674 module names. For example loading the drivers provided by
31675 @code{ddcci-driver-linux}, in debugging mode by passing some module
31676 parameters, can be done as follow:
31679 (use-modules (gnu) (gnu services))
31680 (use-package-modules linux)
31681 (use-service-modules linux)
31683 (define ddcci-config
31684 (plain-file "ddcci.conf"
31685 "options ddcci dyndbg delay=120"))
31689 (services (cons* (service kernel-module-loader-service-type
31690 '("ddcci" "ddcci_backlight"))
31691 (simple-service 'ddcci-config etc-service-type
31692 (list `("modprobe.d/ddcci.conf"
31695 (kernel-loadable-modules (list ddcci-driver-linux)))
31700 @cindex Platform Reliability, Availability and Serviceability daemon
31701 @subsubheading Rasdaemon Service
31703 The Rasdaemon service provides a daemon which monitors platform
31704 @acronym{RAS, Reliability@comma{} Availability@comma{} and Serviceability} reports from
31705 Linux kernel trace events, logging them to syslogd.
31707 Reliability, Availability and Serviceability is a concept used on servers meant
31708 to measure their robustness.
31710 @strong{Relability} is the probability that a system will produce correct
31714 @item Generally measured as Mean Time Between Failures (MTBF), and
31715 @item Enhanced by features that help to avoid, detect and repair hardware
31719 @strong{Availability} is the probability that a system is operational at a
31723 @item Generally measured as a percentage of downtime per a period of time, and
31724 @item Often uses mechanisms to detect and correct hardware faults in runtime.
31727 @strong{Serviceability} is the simplicity and speed with which a system can be
31728 repaired or maintained:
31731 @item Generally measured on Mean Time Between Repair (MTBR).
31735 Among the monitoring measures, the most usual ones include:
31738 @item CPU – detect errors at instruction execution and at L1/L2/L3 caches;
31739 @item Memory – add error correction logic (ECC) to detect and correct errors;
31740 @item I/O – add CRC checksums for transferred data;
31741 @item Storage – RAID, journal file systems, checksums, Self-Monitoring,
31742 Analysis and Reporting Technology (SMART).
31745 By monitoring the number of occurrences of error detections, it is possible to
31746 identify if the probability of hardware errors is increasing, and, on such
31747 case, do a preventive maintenance to replace a degraded component while those
31748 errors are correctable.
31750 For detailed information about the types of error events gathered and how to
31751 make sense of them, see the kernel administrator's guide at
31752 @url{https://www.kernel.org/doc/html/latest/admin-guide/ras.html}.
31754 @defvr {Scheme Variable} rasdaemon-service-type
31755 Service type for the @command{rasdaemon} service. It accepts a
31756 @code{rasdaemon-configuration} object. Instantiating like
31759 (service rasdaemon-service-type)
31762 will load with a default configuration, which monitors all events and logs to
31766 @deftp {Data Type} rasdaemon-configuration
31767 The data type representing the configuration of @command{rasdaemon}.
31770 @item @code{record?} (default: @code{#f})
31772 A boolean indicating whether to record the events in an SQLite database. This
31773 provides a more structured access to the information contained in the log file.
31774 The database location is hard-coded to @file{/var/lib/rasdaemon/ras-mc_event.db}.
31780 @cindex compressed swap
31781 @cindex Compressed RAM-based block devices
31782 @subsubheading Zram Device Service
31784 The Zram device service provides a compressed swap device in system
31785 memory. The Linux Kernel documentation has more information about
31786 @uref{https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html,zram}
31789 @deffn {Scheme Variable} zram-device-service-type
31790 This service creates the zram block device, formats it as swap and
31791 enables it as a swap device. The service's value is a
31792 @code{zram-device-configuration} record.
31794 @deftp {Data Type} zram-device-configuration
31795 This is the data type representing the configuration for the zram-device
31799 @item @code{size} (default @code{"1G"})
31800 This is the amount of space you wish to provide for the zram device. It
31801 accepts a string and can be a number of bytes or use a suffix, eg.:
31802 @code{"512M"} or @code{1024000}.
31803 @item @code{compression-algorithm} (default @code{'lzo})
31804 This is the compression algorithm you wish to use. It is difficult to
31805 list all the possible compression options, but common ones supported by
31806 Guix's Linux Libre Kernel include @code{'lzo}, @code{'lz4} and @code{'zstd}.
31807 @item @code{memory-limit} (default @code{0})
31808 This is the maximum amount of memory which the zram device can use.
31809 Setting it to '0' disables the limit. While it is generally expected
31810 that compression will be 2:1, it is possible that uncompressable data
31811 can be written to swap and this is a method to limit how much memory can
31812 be used. It accepts a string and can be a number of bytes or use a
31813 suffix, eg.: @code{"2G"}.
31814 @item @code{priority} (default @code{-1})
31815 This is the priority of the swap device created from the zram device.
31816 @code{swapon} accepts values between -1 and 32767, with higher values
31817 indicating higher priority. Higher priority swap will generally be used
31824 @node Hurd Services
31825 @subsection Hurd Services
31827 @defvr {Scheme Variable} hurd-console-service-type
31828 This service starts the fancy @code{VGA} console client on the Hurd.
31830 The service's value is a @code{hurd-console-configuration} record.
31833 @deftp {Data Type} hurd-console-configuration
31834 This is the data type representing the configuration for the
31835 hurd-console-service.
31838 @item @code{hurd} (default: @var{hurd})
31839 The Hurd package to use.
31843 @defvr {Scheme Variable} hurd-getty-service-type
31844 This service starts a tty using the Hurd @code{getty} program.
31846 The service's value is a @code{hurd-getty-configuration} record.
31849 @deftp {Data Type} hurd-getty-configuration
31850 This is the data type representing the configuration for the
31851 hurd-getty-service.
31854 @item @code{hurd} (default: @var{hurd})
31855 The Hurd package to use.
31858 The name of the console this Getty runs on---e.g., @code{"tty1"}.
31860 @item @code{baud-rate} (default: @code{38400})
31861 An integer specifying the baud rate of the tty.
31866 @node Miscellaneous Services
31867 @subsection Miscellaneous Services
31869 @cindex fingerprint
31870 @subsubheading Fingerprint Service
31872 The @code{(gnu services authentication)} module provides a DBus service to
31873 read and identify fingerprints via a fingerprint sensor.
31875 @defvr {Scheme Variable} fprintd-service-type
31876 The service type for @command{fprintd}, which provides the fingerprint
31877 reading capability.
31880 (service fprintd-service-type)
31885 @subsubheading System Control Service
31887 The @code{(gnu services sysctl)} provides a service to configure kernel
31888 parameters at boot.
31890 @defvr {Scheme Variable} sysctl-service-type
31891 The service type for @command{sysctl}, which modifies kernel parameters
31892 under @file{/proc/sys/}. To enable IPv4 forwarding, it can be
31896 (service sysctl-service-type
31897 (sysctl-configuration
31898 (settings '(("net.ipv4.ip_forward" . "1")))))
31901 Since @code{sysctl-service-type} is used in the default lists of
31902 services, @code{%base-services} and @code{%desktop-services}, you can
31903 use @code{modify-services} to change its configuration and add the
31904 kernel parameters that you want (@pxref{Service Reference,
31905 @code{modify-services}}).
31908 (modify-services %base-services
31909 (sysctl-service-type config =>
31910 (sysctl-configuration
31911 (settings (append '(("net.ipv4.ip_forward" . "1"))
31912 %default-sysctl-settings)))))
31917 @deftp {Data Type} sysctl-configuration
31918 The data type representing the configuration of @command{sysctl}.
31921 @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"})
31922 The @command{sysctl} executable to use.
31924 @item @code{settings} (default: @code{%default-sysctl-settings})
31925 An association list specifies kernel parameters and their values.
31929 @defvr {Scheme Variable} %default-sysctl-settings
31930 An association list specifying the default @command{sysctl} parameters
31935 @subsubheading PC/SC Smart Card Daemon Service
31937 The @code{(gnu services security-token)} module provides the following service
31938 to run @command{pcscd}, the PC/SC Smart Card Daemon. @command{pcscd} is the
31939 daemon program for pcsc-lite and the MuscleCard framework. It is a resource
31940 manager that coordinates communications with smart card readers, smart cards
31941 and cryptographic tokens that are connected to the system.
31943 @defvr {Scheme Variable} pcscd-service-type
31944 Service type for the @command{pcscd} service. Its value must be a
31945 @code{pcscd-configuration} object. To run pcscd in the default
31946 configuration, instantiate it as:
31949 (service pcscd-service-type)
31953 @deftp {Data Type} pcscd-configuration
31954 The data type representing the configuration of @command{pcscd}.
31957 @item @code{pcsc-lite} (default: @code{pcsc-lite})
31958 The pcsc-lite package that provides pcscd.
31959 @item @code{usb-drivers} (default: @code{(list ccid)})
31960 List of packages that provide USB drivers to pcscd. Drivers are expected to be
31961 under @file{pcsc/drivers} in the store directory of the package.
31966 @subsubheading Lirc Service
31968 The @code{(gnu services lirc)} module provides the following service.
31970 @deffn {Scheme Procedure} lirc-service [#:lirc lirc] @
31971 [#:device #f] [#:driver #f] [#:config-file #f] @
31972 [#:extra-options '()]
31973 Return a service that runs @url{http://www.lirc.org,LIRC}, a daemon that
31974 decodes infrared signals from remote controls.
31976 Optionally, @var{device}, @var{driver} and @var{config-file}
31977 (configuration file name) may be specified. See @command{lircd} manual
31980 Finally, @var{extra-options} is a list of additional command-line options
31981 passed to @command{lircd}.
31985 @subsubheading Spice Service
31987 The @code{(gnu services spice)} module provides the following service.
31989 @deffn {Scheme Procedure} spice-vdagent-service [#:spice-vdagent]
31990 Returns a service that runs @url{https://www.spice-space.org,VDAGENT}, a daemon
31991 that enables sharing the clipboard with a vm and setting the guest display
31992 resolution when the graphical console window resizes.
31995 @cindex inputattach
31996 @subsubheading inputattach Service
31998 @cindex tablet input, for Xorg
31999 @cindex touchscreen input, for Xorg
32000 The @uref{https://linuxwacom.github.io/, inputattach} service allows you to
32001 use input devices such as Wacom tablets, touchscreens, or joysticks with the
32002 Xorg display server.
32004 @deffn {Scheme Variable} inputattach-service-type
32005 Type of a service that runs @command{inputattach} on a device and
32006 dispatches events from it.
32009 @deftp {Data Type} inputattach-configuration
32011 @item @code{device-type} (default: @code{"wacom"})
32012 The type of device to connect to. Run @command{inputattach --help}, from the
32013 @code{inputattach} package, to see the list of supported device types.
32015 @item @code{device} (default: @code{"/dev/ttyS0"})
32016 The device file to connect to the device.
32018 @item @code{baud-rate} (default: @code{#f})
32019 Baud rate to use for the serial connection.
32020 Should be a number or @code{#f}.
32022 @item @code{log-file} (default: @code{#f})
32023 If true, this must be the name of a file to log messages to.
32027 @subsubheading Dictionary Service
32029 The @code{(gnu services dict)} module provides the following service:
32031 @defvr {Scheme Variable} dicod-service-type
32032 This is the type of the service that runs the @command{dicod} daemon, an
32033 implementation of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}).
32036 @deffn {Scheme Procedure} dicod-service [#:config (dicod-configuration)]
32037 Return a service that runs the @command{dicod} daemon, an implementation
32038 of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}).
32040 The optional @var{config} argument specifies the configuration for
32041 @command{dicod}, which should be a @code{<dicod-configuration>} object, by
32042 default it serves the GNU Collaborative International Dictionary of English.
32044 You can add @command{open localhost} to your @file{~/.dico} file to make
32045 @code{localhost} the default server for @command{dico} client
32046 (@pxref{Initialization File,,, dico, GNU Dico Manual}).
32049 @deftp {Data Type} dicod-configuration
32050 Data type representing the configuration of dicod.
32053 @item @code{dico} (default: @var{dico})
32054 Package object of the GNU Dico dictionary server.
32056 @item @code{interfaces} (default: @var{'("localhost")})
32057 This is the list of IP addresses and ports and possibly socket file
32058 names to listen to (@pxref{Server Settings, @code{listen} directive,,
32059 dico, GNU Dico Manual}).
32061 @item @code{handlers} (default: @var{'()})
32062 List of @code{<dicod-handler>} objects denoting handlers (module instances).
32064 @item @code{databases} (default: @var{(list %dicod-database:gcide)})
32065 List of @code{<dicod-database>} objects denoting dictionaries to be served.
32069 @deftp {Data Type} dicod-handler
32070 Data type representing a dictionary handler (module instance).
32074 Name of the handler (module instance).
32076 @item @code{module} (default: @var{#f})
32077 Name of the dicod module of the handler (instance). If it is @code{#f},
32078 the module has the same name as the handler.
32079 (@pxref{Modules,,, dico, GNU Dico Manual}).
32081 @item @code{options}
32082 List of strings or gexps representing the arguments for the module handler
32086 @deftp {Data Type} dicod-database
32087 Data type representing a dictionary database.
32091 Name of the database, will be used in DICT commands.
32093 @item @code{handler}
32094 Name of the dicod handler (module instance) used by this database
32095 (@pxref{Handlers,,, dico, GNU Dico Manual}).
32097 @item @code{complex?} (default: @var{#f})
32098 Whether the database configuration complex. The complex configuration
32099 will need a corresponding @code{<dicod-handler>} object, otherwise not.
32101 @item @code{options}
32102 List of strings or gexps representing the arguments for the database
32103 (@pxref{Databases,,, dico, GNU Dico Manual}).
32107 @defvr {Scheme Variable} %dicod-database:gcide
32108 A @code{<dicod-database>} object serving the GNU Collaborative International
32109 Dictionary of English using the @code{gcide} package.
32112 The following is an example @code{dicod-service} configuration.
32115 (dicod-service #:config
32116 (dicod-configuration
32117 (handlers (list (dicod-handler
32121 (list #~(string-append "dbdir=" #$wordnet))))))
32122 (databases (list (dicod-database
32125 (handler "wordnet")
32126 (options '("database=wn")))
32127 %dicod-database:gcide))))
32131 @subsubheading Docker Service
32133 The @code{(gnu services docker)} module provides the following services.
32135 @defvr {Scheme Variable} docker-service-type
32137 This is the type of the service that runs @url{https://www.docker.com,Docker},
32138 a daemon that can execute application bundles (sometimes referred to as
32139 ``containers'') in isolated environments.
32143 @deftp {Data Type} docker-configuration
32144 This is the data type representing the configuration of Docker and Containerd.
32148 @item @code{package} (default: @code{docker})
32149 The Docker daemon package to use.
32151 @item @code{package} (default: @code{docker-cli})
32152 The Docker client package to use.
32154 @item @code{containerd} (default: @var{containerd})
32155 The Containerd package to use.
32157 @item @code{proxy} (default @var{docker-libnetwork-cmd-proxy})
32158 The Docker user-land networking proxy package to use.
32160 @item @code{enable-proxy?} (default @code{#t})
32161 Enable or disable the use of the Docker user-land networking proxy.
32163 @item @code{debug?} (default @code{#f})
32164 Enable or disable debug output.
32166 @item @code{enable-iptables?} (default @code{#t})
32167 Enable or disable the addition of iptables rules.
32172 @cindex Singularity, container service
32173 @defvr {Scheme Variable} singularity-service-type
32174 This is the type of the service that allows you to run
32175 @url{https://www.sylabs.io/singularity/, Singularity}, a Docker-style tool to
32176 create and run application bundles (aka. ``containers''). The value for this
32177 service is the Singularity package to use.
32179 The service does not install a daemon; instead, it installs helper programs as
32180 setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke
32181 @command{singularity run} and similar commands.
32185 @subsubheading Auditd Service
32187 The @code{(gnu services auditd)} module provides the following service.
32189 @defvr {Scheme Variable} auditd-service-type
32191 This is the type of the service that runs
32192 @url{https://people.redhat.com/sgrubb/audit/,auditd},
32193 a daemon that tracks security-relevant information on your system.
32195 Examples of things that can be tracked:
32205 Failed login attempts
32212 @command{auditctl} from the @code{audit} package can be used in order
32213 to add or remove events to be tracked (until the next reboot).
32214 In order to permanently track events, put the command line arguments
32215 of auditctl into a file called @code{audit.rules} in the configuration
32216 directory (see below).
32217 @command{aureport} from the @code{audit} package can be used in order
32218 to view a report of all recorded events.
32219 The audit daemon by default logs into the file
32220 @file{/var/log/audit.log}.
32224 @deftp {Data Type} auditd-configuration
32225 This is the data type representing the configuration of auditd.
32229 @item @code{audit} (default: @code{audit})
32230 The audit package to use.
32232 @item @code{configuration-directory} (default: @code{%default-auditd-configuration-directory})
32233 The directory containing the configuration file for the audit package, which
32234 must be named @code{auditd.conf}, and optionally some audit rules to
32235 instantiate on startup.
32241 @subsubheading R-Shiny service
32243 The @code{(gnu services science)} module provides the following service.
32245 @defvr {Scheme Variable} rshiny-service-type
32247 This is a type of service which is used to run a webapp created with
32248 @code{r-shiny}. This service sets the @env{R_LIBS_USER} environment
32249 variable and runs the provided script to call @code{runApp}.
32251 @deftp {Data Type} rshiny-configuration
32252 This is the data type representing the configuration of rshiny.
32256 @item @code{package} (default: @code{r-shiny})
32257 The package to use.
32259 @item @code{binary} (defaunlt @code{"rshiny"})
32260 The name of the binary or shell script located at @code{package/bin/} to
32261 run when the service is run.
32263 The common way to create this file is as follows:
32267 (let* ((out (assoc-ref %outputs "out"))
32268 (targetdir (string-append out "/share/" ,name))
32269 (app (string-append out "/bin/" ,name))
32270 (Rbin (string-append (assoc-ref %build-inputs "r-min")
32273 (mkdir-p (string-append out "/bin"))
32274 (call-with-output-file app
32280 runApp(launch.browser=0, port=4202)~%\n"
32289 @subsubheading Nix service
32291 The @code{(gnu services nix)} module provides the following service.
32293 @defvr {Scheme Variable} nix-service-type
32295 This is the type of the service that runs build daemon of the
32296 @url{https://nixos.org/nix/, Nix} package manager. Here is an example showing
32300 (use-modules (gnu))
32301 (use-service-modules nix)
32302 (use-package-modules package-management)
32306 (packages (append (list nix)
32309 (services (append (list (service nix-service-type))
32313 After @command{guix system reconfigure} configure Nix for your user:
32316 @item Add a Nix channel and update it. See
32317 @url{https://nixos.org/nix/manual/, Nix Package Manager Guide}.
32319 @item Create a symlink to your profile and activate Nix profile:
32323 $ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
32324 $ source /run/current-system/profile/etc/profile.d/nix.sh
32329 @deftp {Data Type} nix-configuration
32330 This data type represents the configuration of the Nix daemon.
32333 @item @code{nix} (default: @code{nix})
32334 The Nix package to use.
32336 @item @code{sandbox} (default: @code{#t})
32337 Specifies whether builds are sandboxed by default.
32339 @item @code{build-sandbox-items} (default: @code{'()})
32340 This is a list of strings or objects appended to the
32341 @code{build-sandbox-items} field of the configuration file.
32343 @item @code{extra-config} (default: @code{'()})
32344 This is a list of strings or objects appended to the configuration file.
32345 It is used to pass extra text to be added verbatim to the configuration
32348 @item @code{extra-options} (default: @code{'()})
32349 Extra command line options for @code{nix-service-type}.
32353 @node Setuid Programs
32354 @section Setuid Programs
32356 @cindex setuid programs
32357 Some programs need to run with ``root'' privileges, even when they are
32358 launched by unprivileged users. A notorious example is the
32359 @command{passwd} program, which users can run to change their
32360 password, and which needs to access the @file{/etc/passwd} and
32361 @file{/etc/shadow} files---something normally restricted to root, for
32362 obvious security reasons. To address that, these executables are
32363 @dfn{setuid-root}, meaning that they always run with root privileges
32364 (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
32365 for more info about the setuid mechanism).
32367 The store itself @emph{cannot} contain setuid programs: that would be a
32368 security issue since any user on the system can write derivations that
32369 populate the store (@pxref{The Store}). Thus, a different mechanism is
32370 used: instead of changing the setuid bit directly on files that are in
32371 the store, we let the system administrator @emph{declare} which programs
32372 should be setuid root.
32374 The @code{setuid-programs} field of an @code{operating-system}
32375 declaration contains a list of G-expressions denoting the names of
32376 programs to be setuid-root (@pxref{Using the Configuration System}).
32377 For instance, the @command{passwd} program, which is part of the Shadow
32378 package, can be designated by this G-expression (@pxref{G-Expressions}):
32381 #~(string-append #$shadow "/bin/passwd")
32384 A default set of setuid programs is defined by the
32385 @code{%setuid-programs} variable of the @code{(gnu system)} module.
32387 @defvr {Scheme Variable} %setuid-programs
32388 A list of G-expressions denoting common programs that are setuid-root.
32390 The list includes commands such as @command{passwd}, @command{ping},
32391 @command{su}, and @command{sudo}.
32394 Under the hood, the actual setuid programs are created in the
32395 @file{/run/setuid-programs} directory at system activation time. The
32396 files in this directory refer to the ``real'' binaries, which are in the
32399 @node X.509 Certificates
32400 @section X.509 Certificates
32402 @cindex HTTPS, certificates
32403 @cindex X.509 certificates
32405 Web servers available over HTTPS (that is, HTTP over the transport-layer
32406 security mechanism, TLS) send client programs an @dfn{X.509 certificate}
32407 that the client can then use to @emph{authenticate} the server. To do
32408 that, clients verify that the server's certificate is signed by a
32409 so-called @dfn{certificate authority} (CA). But to verify the CA's
32410 signature, clients must have first acquired the CA's certificate.
32412 Web browsers such as GNU@tie{}IceCat include their own set of CA
32413 certificates, such that they are able to verify CA signatures
32416 However, most other programs that can talk HTTPS---@command{wget},
32417 @command{git}, @command{w3m}, etc.---need to be told where CA
32418 certificates can be found.
32420 @cindex @code{nss-certs}
32421 In Guix, this is done by adding a package that provides certificates
32422 to the @code{packages} field of the @code{operating-system} declaration
32423 (@pxref{operating-system Reference}). Guix includes one such package,
32424 @code{nss-certs}, which is a set of CA certificates provided as part of
32425 Mozilla's Network Security Services.
32427 Note that it is @emph{not} part of @code{%base-packages}, so you need to
32428 explicitly add it. The @file{/etc/ssl/certs} directory, which is where
32429 most applications and libraries look for certificates by default, points
32430 to the certificates installed globally.
32432 Unprivileged users, including users of Guix on a foreign distro,
32433 can also install their own certificate package in
32434 their profile. A number of environment variables need to be defined so
32435 that applications and libraries know where to find them. Namely, the
32436 OpenSSL library honors the @env{SSL_CERT_DIR} and @env{SSL_CERT_FILE}
32437 variables. Some applications add their own environment variables; for
32438 instance, the Git version control system honors the certificate bundle
32439 pointed to by the @env{GIT_SSL_CAINFO} environment variable. Thus, you
32440 would typically run something like:
32443 guix install nss-certs
32444 export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
32445 export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
32446 export GIT_SSL_CAINFO="$SSL_CERT_FILE"
32449 As another example, R requires the @env{CURL_CA_BUNDLE} environment
32450 variable to point to a certificate bundle, so you would have to run
32451 something like this:
32454 guix install nss-certs
32455 export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
32458 For other applications you may want to look up the required environment
32459 variable in the relevant documentation.
32462 @node Name Service Switch
32463 @section Name Service Switch
32465 @cindex name service switch
32467 The @code{(gnu system nss)} module provides bindings to the
32468 configuration file of the libc @dfn{name service switch} or @dfn{NSS}
32469 (@pxref{NSS Configuration File,,, libc, The GNU C Library Reference
32470 Manual}). In a nutshell, the NSS is a mechanism that allows libc to be
32471 extended with new ``name'' lookup methods for system databases, which
32472 includes host names, service names, user accounts, and more (@pxref{Name
32473 Service Switch, System Databases and Name Service Switch,, libc, The GNU
32474 C Library Reference Manual}).
32476 The NSS configuration specifies, for each system database, which lookup
32477 method is to be used, and how the various methods are chained
32478 together---for instance, under which circumstances NSS should try the
32479 next method in the list. The NSS configuration is given in the
32480 @code{name-service-switch} field of @code{operating-system} declarations
32481 (@pxref{operating-system Reference, @code{name-service-switch}}).
32484 @cindex .local, host name lookup
32485 As an example, the declaration below configures the NSS to use the
32486 @uref{https://0pointer.de/lennart/projects/nss-mdns/, @code{nss-mdns}
32487 back-end}, which supports host name lookups over multicast DNS (mDNS)
32488 for host names ending in @code{.local}:
32491 (name-service-switch
32492 (hosts (list %files ;first, check /etc/hosts
32494 ;; If the above did not succeed, try
32495 ;; with 'mdns_minimal'.
32497 (name "mdns_minimal")
32499 ;; 'mdns_minimal' is authoritative for
32500 ;; '.local'. When it returns "not found",
32501 ;; no need to try the next methods.
32502 (reaction (lookup-specification
32503 (not-found => return))))
32505 ;; Then fall back to DNS.
32509 ;; Finally, try with the "full" 'mdns'.
32514 Do not worry: the @code{%mdns-host-lookup-nss} variable (see below)
32515 contains this configuration, so you will not have to type it if all you
32516 want is to have @code{.local} host lookup working.
32518 Note that, in this case, in addition to setting the
32519 @code{name-service-switch} of the @code{operating-system} declaration,
32520 you also need to use @code{avahi-service-type} (@pxref{Networking Services,
32521 @code{avahi-service-type}}), or @code{%desktop-services}, which includes it
32522 (@pxref{Desktop Services}). Doing this makes @code{nss-mdns} accessible
32523 to the name service cache daemon (@pxref{Base Services,
32524 @code{nscd-service}}).
32526 For convenience, the following variables provide typical NSS
32529 @defvr {Scheme Variable} %default-nss
32530 This is the default name service switch configuration, a
32531 @code{name-service-switch} object.
32534 @defvr {Scheme Variable} %mdns-host-lookup-nss
32535 This is the name service switch configuration with support for host name
32536 lookup over multicast DNS (mDNS) for host names ending in @code{.local}.
32539 The reference for name service switch configuration is given below. It
32540 is a direct mapping of the configuration file format of the C library , so
32541 please refer to the C library manual for more information (@pxref{NSS
32542 Configuration File,,, libc, The GNU C Library Reference Manual}).
32543 Compared to the configuration file format of libc NSS, it has the advantage
32544 not only of adding this warm parenthetic feel that we like, but also
32545 static checks: you will know about syntax errors and typos as soon as you
32546 run @command{guix system}.
32548 @deftp {Data Type} name-service-switch
32550 This is the data type representation the configuration of libc's name
32551 service switch (NSS). Each field below represents one of the supported
32568 The system databases handled by the NSS@. Each of these fields must be a
32569 list of @code{<name-service>} objects (see below).
32573 @deftp {Data Type} name-service
32575 This is the data type representing an actual name service and the
32576 associated lookup action.
32580 A string denoting the name service (@pxref{Services in the NSS
32581 configuration,,, libc, The GNU C Library Reference Manual}).
32583 Note that name services listed here must be visible to nscd. This is
32584 achieved by passing the @code{#:name-services} argument to
32585 @code{nscd-service} the list of packages providing the needed name
32586 services (@pxref{Base Services, @code{nscd-service}}).
32589 An action specified using the @code{lookup-specification} macro
32590 (@pxref{Actions in the NSS configuration,,, libc, The GNU C Library
32591 Reference Manual}). For example:
32594 (lookup-specification (unavailable => continue)
32595 (success => return))
32600 @node Initial RAM Disk
32601 @section Initial RAM Disk
32604 @cindex initial RAM disk
32605 For bootstrapping purposes, the Linux-Libre kernel is passed an
32606 @dfn{initial RAM disk}, or @dfn{initrd}. An initrd contains a temporary
32607 root file system as well as an initialization script. The latter is
32608 responsible for mounting the real root file system, and for loading any
32609 kernel modules that may be needed to achieve that.
32611 The @code{initrd-modules} field of an @code{operating-system}
32612 declaration allows you to specify Linux-libre kernel modules that must
32613 be available in the initrd. In particular, this is where you would list
32614 modules needed to actually drive the hard disk where your root partition
32615 is---although the default value of @code{initrd-modules} should cover
32616 most use cases. For example, assuming you need the @code{megaraid_sas}
32617 module in addition to the default modules to be able to access your root
32618 file system, you would write:
32623 (initrd-modules (cons "megaraid_sas" %base-initrd-modules)))
32626 @defvr {Scheme Variable} %base-initrd-modules
32627 This is the list of kernel modules included in the initrd by default.
32630 Furthermore, if you need lower-level customization, the @code{initrd}
32631 field of an @code{operating-system} declaration allows
32632 you to specify which initrd you would like to use. The @code{(gnu
32633 system linux-initrd)} module provides three ways to build an initrd: the
32634 high-level @code{base-initrd} procedure and the low-level
32635 @code{raw-initrd} and @code{expression->initrd} procedures.
32637 The @code{base-initrd} procedure is intended to cover most common uses.
32638 For example, if you want to add a bunch of kernel modules to be loaded
32639 at boot time, you can define the @code{initrd} field of the operating
32640 system declaration like this:
32643 (initrd (lambda (file-systems . rest)
32644 ;; Create a standard initrd but set up networking
32645 ;; with the parameters QEMU expects by default.
32646 (apply base-initrd file-systems
32647 #:qemu-networking? #t
32651 The @code{base-initrd} procedure also handles common use cases that
32652 involves using the system as a QEMU guest, or as a ``live'' system with
32653 volatile root file system.
32655 The @code{base-initrd} procedure is built from @code{raw-initrd} procedure.
32656 Unlike @code{base-initrd}, @code{raw-initrd} doesn't do anything high-level,
32657 such as trying to guess which kernel modules and packages should be included
32658 to the initrd. An example use of @code{raw-initrd} is when a user has
32659 a custom Linux kernel configuration and default kernel modules included by
32660 @code{base-initrd} are not available.
32662 The initial RAM disk produced by @code{base-initrd} or @code{raw-initrd}
32663 honors several options passed on the Linux kernel command line
32664 (that is, arguments passed @i{via} the @code{linux} command of GRUB, or the
32665 @code{-append} option of QEMU), notably:
32668 @item --load=@var{boot}
32669 Tell the initial RAM disk to load @var{boot}, a file containing a Scheme
32670 program, once it has mounted the root file system.
32672 Guix uses this option to yield control to a boot program that runs the
32673 service activation programs and then spawns the GNU@tie{}Shepherd, the
32674 initialization system.
32676 @item --root=@var{root}
32677 Mount @var{root} as the root file system. @var{root} can be a device
32678 name like @code{/dev/sda1}, a file system label, or a file system UUID.
32679 When unspecified, the device name from the root file system of the
32680 operating system declaration is used.
32682 @item --system=@var{system}
32683 Have @file{/run/booted-system} and @file{/run/current-system} point to
32686 @item modprobe.blacklist=@var{modules}@dots{}
32687 @cindex module, black-listing
32688 @cindex black list, of kernel modules
32689 Instruct the initial RAM disk as well as the @command{modprobe} command
32690 (from the kmod package) to refuse to load @var{modules}. @var{modules}
32691 must be a comma-separated list of module names---e.g.,
32692 @code{usbkbd,9pnet}.
32695 Start a read-eval-print loop (REPL) from the initial RAM disk before it
32696 tries to load kernel modules and to mount the root file system. Our
32697 marketing team calls it @dfn{boot-to-Guile}. The Schemer in you will
32698 love it. @xref{Using Guile Interactively,,, guile, GNU Guile Reference
32699 Manual}, for more information on Guile's REPL.
32703 Now that you know all the features that initial RAM disks produced by
32704 @code{base-initrd} and @code{raw-initrd} provide,
32705 here is how to use it and customize it further.
32708 @cindex initial RAM disk
32709 @deffn {Scheme Procedure} raw-initrd @var{file-systems} @
32710 [#:linux-modules '()] [#:mapped-devices '()] @
32711 [#:keyboard-layout #f] @
32712 [#:helper-packages '()] [#:qemu-networking? #f] [#:volatile-root? #f]
32713 Return a derivation that builds a raw initrd. @var{file-systems} is
32714 a list of file systems to be mounted by the initrd, possibly in addition to
32715 the root file system specified on the kernel command line via @option{--root}.
32716 @var{linux-modules} is a list of kernel modules to be loaded at boot time.
32717 @var{mapped-devices} is a list of device mappings to realize before
32718 @var{file-systems} are mounted (@pxref{Mapped Devices}).
32719 @var{helper-packages} is a list of packages to be copied in the initrd.
32721 include @code{e2fsck/static} or other packages needed by the initrd to check
32722 the root file system.
32724 When true, @var{keyboard-layout} is a @code{<keyboard-layout>} record denoting
32725 the desired console keyboard layout. This is done before @var{mapped-devices}
32726 are set up and before @var{file-systems} are mounted such that, should the
32727 user need to enter a passphrase or use the REPL, this happens using the
32728 intended keyboard layout.
32730 When @var{qemu-networking?} is true, set up networking with the standard QEMU
32731 parameters. When @var{virtio?} is true, load additional modules so that the
32732 initrd can be used as a QEMU guest with para-virtualized I/O drivers.
32734 When @var{volatile-root?} is true, the root file system is writable but any changes
32738 @deffn {Scheme Procedure} base-initrd @var{file-systems} @
32739 [#:mapped-devices '()] [#:keyboard-layout #f] @
32740 [#:qemu-networking? #f] [#:volatile-root? #f] @
32741 [#:linux-modules '()]
32742 Return as a file-like object a generic initrd, with kernel
32743 modules taken from @var{linux}. @var{file-systems} is a list of file-systems to be
32744 mounted by the initrd, possibly in addition to the root file system specified
32745 on the kernel command line via @option{--root}. @var{mapped-devices} is a list of device
32746 mappings to realize before @var{file-systems} are mounted.
32748 When true, @var{keyboard-layout} is a @code{<keyboard-layout>} record denoting
32749 the desired console keyboard layout. This is done before @var{mapped-devices}
32750 are set up and before @var{file-systems} are mounted such that, should the
32751 user need to enter a passphrase or use the REPL, this happens using the
32752 intended keyboard layout.
32754 @var{qemu-networking?} and @var{volatile-root?} behaves as in @code{raw-initrd}.
32756 The initrd is automatically populated with all the kernel modules necessary
32757 for @var{file-systems} and for the given options. Additional kernel
32758 modules can be listed in @var{linux-modules}. They will be added to the initrd, and
32759 loaded at boot time in the order in which they appear.
32762 Needless to say, the initrds we produce and use embed a
32763 statically-linked Guile, and the initialization program is a Guile
32764 program. That gives a lot of flexibility. The
32765 @code{expression->initrd} procedure builds such an initrd, given the
32766 program to run in that initrd.
32768 @deffn {Scheme Procedure} expression->initrd @var{exp} @
32769 [#:guile %guile-3.0-static-stripped] [#:name "guile-initrd"]
32770 Return as a file-like object a Linux initrd (a gzipped cpio archive)
32771 containing @var{guile} and that evaluates @var{exp}, a G-expression,
32772 upon booting. All the derivations referenced by @var{exp} are
32773 automatically copied to the initrd.
32776 @node Bootloader Configuration
32777 @section Bootloader Configuration
32780 @cindex boot loader
32782 The operating system supports multiple bootloaders. The bootloader is
32783 configured using @code{bootloader-configuration} declaration. All the
32784 fields of this structure are bootloader agnostic except for one field,
32785 @code{bootloader} that indicates the bootloader to be configured and
32788 Some of the bootloaders do not honor every field of
32789 @code{bootloader-configuration}. For instance, the extlinux
32790 bootloader does not support themes and thus ignores the @code{theme}
32793 @deftp {Data Type} bootloader-configuration
32794 The type of a bootloader configuration declaration.
32798 @item @code{bootloader}
32799 @cindex EFI, bootloader
32800 @cindex UEFI, bootloader
32801 @cindex BIOS, bootloader
32802 The bootloader to use, as a @code{bootloader} object. For now
32803 @code{grub-bootloader}, @code{grub-efi-bootloader},
32804 @code{grub-efi-netboot-bootloader}, @code{extlinux-bootloader} and
32805 @code{u-boot-bootloader} are supported.
32807 @cindex ARM, bootloaders
32808 @cindex AArch64, bootloaders
32809 Available bootloaders are described in @code{(gnu bootloader @dots{})}
32810 modules. In particular, @code{(gnu bootloader u-boot)} contains definitions
32811 of bootloaders for a wide range of ARM and AArch64 systems, using the
32812 @uref{https://www.denx.de/wiki/U-Boot/, U-Boot bootloader}.
32814 @vindex grub-efi-bootloader
32815 @code{grub-efi-bootloader} allows to boot on modern systems using the
32816 @dfn{Unified Extensible Firmware Interface} (UEFI). This is what you should
32817 use if the installation image contains a @file{/sys/firmware/efi} directory
32818 when you boot it on your system.
32820 @vindex grub-bootloader
32821 @code{grub-bootloader} allows you to boot in particular Intel-based machines
32822 in ``legacy'' BIOS mode.
32824 @vindex grub-efi-netboot-bootloader
32825 @code{grub-efi-netboot-bootloader} allows you to boot your system over network
32826 through TFTP@. In combination with an NFS root file system this allows you to
32827 build a diskless Guix system.
32829 The installation of the @code{grub-efi-netboot-bootloader} generates the content
32830 of the TFTP root directory at @code{target}
32831 (@pxref{Bootloader Configuration, @code{target}}), to be served by a TFTP server.
32832 You may want to mount your TFTP server directory onto @code{target} to move the
32833 required files to the TFTP server automatically.
32835 If you plan to use an NFS root file system as well (actually if you mount the
32836 store from an NFS share), then the TFTP server needs to serve the file
32837 @file{/boot/grub/grub.cfg} and other files from the store (like GRUBs background
32838 image, the kernel (@pxref{operating-system Reference, @code{kernel}}) and the
32839 initrd (@pxref{operating-system Reference, @code{initrd}})), too. All these
32840 files from the store will be accessed by GRUB through TFTP with their normal
32841 store path, for example as
32842 @file{tftp://tftp-server/gnu/store/…-initrd/initrd.cpio.gz}.
32844 Two symlinks are created to make this possible. The first symlink is
32845 @code{target}@file{/efi/Guix/boot/grub/grub.cfg} pointing to
32846 @file{../../../boot/grub/grub.cfg},
32847 where @code{target} may be @file{/boot}. In this case the link is not leaving
32848 the served TFTP root directory, but otherwise it does. The second link is
32849 @code{target}@file{/gnu/store} and points to @file{../gnu/store}. This link
32850 is leaving the served TFTP root directory.
32852 The assumption behind all this is that you have an NFS server exporting the root
32853 file system for your Guix system, and additionally a TFTP server exporting your
32854 @code{target} directory—usually @file{/boot}—from that same root file system for
32855 your Guix system. In this constellation the symlinks will work.
32857 For other constellations you will have to program your own bootloader installer,
32858 which then takes care to make necessary files from the store accessible through
32859 TFTP, for example by copying them into the TFTP root directory at @code{target}.
32861 It is important to note that symlinks pointing outside the TFTP root directory
32862 may need to be allowed in the configuration of your TFTP server. Further the
32863 store link exposes the whole store through TFTP@. Both points need to be
32864 considered carefully for security aspects.
32866 Beside the @code{grub-efi-netboot-bootloader}, the already mentioned TFTP and
32867 NFS servers, you also need a properly configured DHCP server to make the booting
32868 over netboot possible. For all this we can currently only recommend you to look
32869 for instructions about @acronym{PXE, Preboot eXecution Environment}.
32871 @item @code{target}
32872 This is a string denoting the target onto which to install the
32875 The interpretation depends on the bootloader in question. For
32876 @code{grub-bootloader}, for example, it should be a device name understood by
32877 the bootloader @command{installer} command, such as @code{/dev/sda} or
32878 @code{(hd0)} (@pxref{Invoking grub-install,,, grub, GNU GRUB Manual}). For
32879 @code{grub-efi-bootloader}, it should be the mount point of the EFI file
32880 system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader},
32881 @code{target} should be the mount point corresponding to the TFTP root
32882 directory of your TFTP server.
32884 @item @code{menu-entries} (default: @code{()})
32885 A possibly empty list of @code{menu-entry} objects (see below), denoting
32886 entries to appear in the bootloader menu, in addition to the current
32887 system entry and the entry pointing to previous system generations.
32889 @item @code{default-entry} (default: @code{0})
32890 The index of the default boot menu entry. Index 0 is for the entry of the
32893 @item @code{timeout} (default: @code{5})
32894 The number of seconds to wait for keyboard input before booting. Set to
32895 0 to boot immediately, and to -1 to wait indefinitely.
32897 @cindex keyboard layout, for the bootloader
32898 @item @code{keyboard-layout} (default: @code{#f})
32899 If this is @code{#f}, the bootloader's menu (if any) uses the default keyboard
32900 layout, usually US@tie{}English (``qwerty'').
32902 Otherwise, this must be a @code{keyboard-layout} object (@pxref{Keyboard
32906 This option is currently ignored by bootloaders other than @code{grub} and
32910 @item @code{theme} (default: @var{#f})
32911 The bootloader theme object describing the theme to use. If no theme
32912 is provided, some bootloaders might use a default theme, that's true
32915 @item @code{terminal-outputs} (default: @code{'(gfxterm)})
32916 The output terminals used for the bootloader boot menu, as a list of
32917 symbols. GRUB accepts the values: @code{console}, @code{serial},
32918 @code{serial_@{0-3@}}, @code{gfxterm}, @code{vga_text},
32919 @code{mda_text}, @code{morse}, and @code{pkmodem}. This field
32920 corresponds to the GRUB variable @code{GRUB_TERMINAL_OUTPUT} (@pxref{Simple
32921 configuration,,, grub,GNU GRUB manual}).
32923 @item @code{terminal-inputs} (default: @code{'()})
32924 The input terminals used for the bootloader boot menu, as a list of
32925 symbols. For GRUB, the default is the native platform terminal as
32926 determined at run-time. GRUB accepts the values: @code{console},
32927 @code{serial}, @code{serial_@{0-3@}}, @code{at_keyboard}, and
32928 @code{usb_keyboard}. This field corresponds to the GRUB variable
32929 @code{GRUB_TERMINAL_INPUT} (@pxref{Simple configuration,,, grub,GNU GRUB
32932 @item @code{serial-unit} (default: @code{#f})
32933 The serial unit used by the bootloader, as an integer from 0 to 3.
32934 For GRUB, it is chosen at run-time; currently GRUB chooses 0, which
32935 corresponds to COM1 (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
32937 @item @code{serial-speed} (default: @code{#f})
32938 The speed of the serial interface, as an integer. For GRUB, the
32939 default value is chosen at run-time; currently GRUB chooses
32940 9600@tie{}bps (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
32947 Should you want to list additional boot menu entries @i{via} the
32948 @code{menu-entries} field above, you will need to create them with the
32949 @code{menu-entry} form. For example, imagine you want to be able to
32950 boot another distro (hard to imagine!), you can define a menu entry
32955 (label "The Other Distro")
32956 (linux "/boot/old/vmlinux-2.6.32")
32957 (linux-arguments '("root=/dev/sda2"))
32958 (initrd "/boot/old/initrd"))
32963 @deftp {Data Type} menu-entry
32964 The type of an entry in the bootloader menu.
32969 The label to show in the menu---e.g., @code{"GNU"}.
32971 @item @code{linux} (default: @code{#f})
32972 The Linux kernel image to boot, for example:
32975 (file-append linux-libre "/bzImage")
32978 For GRUB, it is also possible to specify a device explicitly in the
32979 file path using GRUB's device naming convention (@pxref{Naming
32980 convention,,, grub, GNU GRUB manual}), for example:
32983 "(hd0,msdos1)/boot/vmlinuz"
32986 If the device is specified explicitly as above, then the @code{device}
32987 field is ignored entirely.
32989 @item @code{linux-arguments} (default: @code{()})
32990 The list of extra Linux kernel command-line arguments---e.g.,
32991 @code{("console=ttyS0")}.
32993 @item @code{initrd} (default: @code{#f})
32994 A G-Expression or string denoting the file name of the initial RAM disk
32995 to use (@pxref{G-Expressions}).
32997 @item @code{device} (default: @code{#f})
32998 The device where the kernel and initrd are to be found---i.e., for GRUB,
32999 @dfn{root} for this menu entry (@pxref{root,,, grub, GNU GRUB manual}).
33001 This may be a file system label (a string), a file system UUID (a
33002 bytevector, @pxref{File Systems}), or @code{#f}, in which case
33003 the bootloader will search the device containing the file specified by
33004 the @code{linux} field (@pxref{search,,, grub, GNU GRUB manual}). It
33005 must @emph{not} be an OS device name such as @file{/dev/sda1}.
33007 @item @code{multiboot-kernel} (default: @code{#f})
33008 The kernel to boot in Multiboot-mode (@pxref{multiboot,,, grub, GNU GRUB
33009 manual}). When this field is set, a Multiboot menu-entry is generated.
33013 (file-append mach "/boot/gnumach")
33016 @item @code{multiboot-arguments} (default: @code{()})
33017 The list of extra command-line arguments for the multiboot-kernel.
33019 @item @code{multiboot-modules} (default: @code{()})
33020 The list of commands for loading Multiboot modules. For example:
33023 (list (list (file-append hurd "/hurd/ext2fs.static") "ext2fs"
33025 (list (file-append libc "/lib/ld.so.1") "exec"
33035 @c FIXME: Write documentation once it's stable.
33036 For now only GRUB has theme support. GRUB themes are created using
33037 the @code{grub-theme} form, which is not fully documented yet.
33039 @deftp {Data Type} grub-theme
33040 Data type representing the configuration of the GRUB theme.
33043 @item @code{gfxmode} (default: @code{'("auto")})
33044 The GRUB @code{gfxmode} to set (a list of screen resolution strings,
33045 @pxref{gfxmode,,, grub, GNU GRUB manual}).
33049 @deffn {Scheme Procedure} grub-theme
33050 Return the default GRUB theme used by the operating system if no
33051 @code{theme} field is specified in @code{bootloader-configuration}
33054 It comes with a fancy background image displaying the GNU and Guix
33058 For example, to override the default resolution, you may use something
33063 (bootloader-configuration
33066 (inherit (grub-theme))
33067 (gfxmode '("1024x786x32" "auto"))))))
33070 @node Invoking guix system
33071 @section Invoking @code{guix system}
33073 Once you have written an operating system declaration as seen in the
33074 previous section, it can be @dfn{instantiated} using the @command{guix
33075 system} command. The synopsis is:
33078 guix system @var{options}@dots{} @var{action} @var{file}
33081 @var{file} must be the name of a file containing an
33082 @code{operating-system} declaration. @var{action} specifies how the
33083 operating system is instantiated. Currently the following values are
33088 Display available service type definitions that match the given regular
33089 expressions, sorted by relevance:
33095 $ guix system search console
33096 name: console-fonts
33097 location: gnu/services/base.scm:806:2
33098 extends: shepherd-root
33099 description: Install the given fonts on the specified ttys (fonts are per
33100 + virtual console on GNU/Linux). The value of this service is a list of
33101 + tty/font pairs. The font can be the name of a font provided by the `kbd'
33102 + package or any valid argument to `setfont', as in this example:
33104 + '(("tty1" . "LatGrkCyr-8x16")
33105 + ("tty2" . (file-append
33107 + "/share/kbd/consolefonts/TamzenForPowerline10x20.psf"))
33108 + ("tty3" . (file-append
33110 + "/share/consolefonts/ter-132n"))) ; for HDPI
33114 location: gnu/services/base.scm:1190:2
33115 extends: shepherd-root
33116 description: Provide console login using the `mingetty' program.
33120 location: gnu/services/base.scm:860:2
33122 description: Provide a console log-in service as specified by its
33123 + configuration value, a `login-configuration' object.
33129 As for @command{guix package --search}, the result is written in
33130 @code{recutils} format, which makes it easy to filter the output
33131 (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}).
33134 Build the operating system described in @var{file}, activate it, and
33135 switch to it@footnote{This action (and the related actions
33136 @code{switch-generation} and @code{roll-back}) are usable only on
33137 systems already running Guix System.}.
33140 @c The paragraph below refers to the problem discussed at
33141 @c <https://lists.gnu.org/archive/html/guix-devel/2014-08/msg00057.html>.
33142 It is highly recommended to run @command{guix pull} once before you run
33143 @command{guix system reconfigure} for the first time (@pxref{Invoking
33144 guix pull}). Failing to do that you would see an older version of Guix
33145 once @command{reconfigure} has completed.
33148 This effects all the configuration specified in @var{file}: user
33149 accounts, system services, global package list, setuid programs, etc.
33150 The command starts system services specified in @var{file} that are not
33151 currently running; if a service is currently running this command will
33152 arrange for it to be upgraded the next time it is stopped (e.g.@: by
33153 @code{herd stop X} or @code{herd restart X}).
33155 This command creates a new generation whose number is one greater than
33156 the current generation (as reported by @command{guix system
33157 list-generations}). If that generation already exists, it will be
33158 overwritten. This behavior mirrors that of @command{guix package}
33159 (@pxref{Invoking guix package}).
33161 It also adds a bootloader menu entry for the new OS configuration,
33162 ---unless @option{--no-bootloader} is passed. For GRUB, it moves
33163 entries for older configurations to a submenu, allowing you to choose
33164 an older system generation at boot time should you need it.
33166 @cindex provenance tracking, of the operating system
33167 Upon completion, the new system is deployed under
33168 @file{/run/current-system}. This directory contains @dfn{provenance
33169 meta-data}: the list of channels in use (@pxref{Channels}) and
33170 @var{file} itself, when available. You can view it by running:
33173 guix system describe
33176 This information is useful should you later want to inspect how this
33177 particular generation was built. In fact, assuming @var{file} is
33178 self-contained, you can later rebuild generation @var{n} of your
33179 operating system with:
33182 guix time-machine \
33183 -C /var/guix/profiles/system-@var{n}-link/channels.scm -- \
33184 system reconfigure \
33185 /var/guix/profiles/system-@var{n}-link/configuration.scm
33188 You can think of it as some sort of built-in version control! Your
33189 system is not just a binary artifact: @emph{it carries its own source}.
33190 @xref{Service Reference, @code{provenance-service-type}}, for more
33191 information on provenance tracking.
33193 By default, @command{reconfigure} @emph{prevents you from downgrading
33194 your system}, which could (re)introduce security vulnerabilities and
33195 also cause problems with ``stateful'' services such as database
33196 management systems. You can override that behavior by passing
33197 @option{--allow-downgrades}.
33199 @item switch-generation
33200 @cindex generations
33201 Switch to an existing system generation. This action atomically
33202 switches the system profile to the specified system generation. It
33203 also rearranges the system's existing bootloader menu entries. It
33204 makes the menu entry for the specified system generation the default,
33205 and it moves the entries for the other generations to a submenu, if
33206 supported by the bootloader being used. The next time the system
33207 boots, it will use the specified system generation.
33209 The bootloader itself is not being reinstalled when using this
33210 command. Thus, the installed bootloader is used with an updated
33211 configuration file.
33213 The target generation can be specified explicitly by its generation
33214 number. For example, the following invocation would switch to system
33218 guix system switch-generation 7
33221 The target generation can also be specified relative to the current
33222 generation with the form @code{+N} or @code{-N}, where @code{+3} means
33223 ``3 generations ahead of the current generation,'' and @code{-1} means
33224 ``1 generation prior to the current generation.'' When specifying a
33225 negative value such as @code{-1}, you must precede it with @code{--} to
33226 prevent it from being parsed as an option. For example:
33229 guix system switch-generation -- -1
33232 Currently, the effect of invoking this action is @emph{only} to switch
33233 the system profile to an existing generation and rearrange the
33234 bootloader menu entries. To actually start using the target system
33235 generation, you must reboot after running this action. In the future,
33236 it will be updated to do the same things as @command{reconfigure},
33237 like activating and deactivating services.
33239 This action will fail if the specified generation does not exist.
33242 @cindex rolling back
33243 Switch to the preceding system generation. The next time the system
33244 boots, it will use the preceding system generation. This is the inverse
33245 of @command{reconfigure}, and it is exactly the same as invoking
33246 @command{switch-generation} with an argument of @code{-1}.
33248 Currently, as with @command{switch-generation}, you must reboot after
33249 running this action to actually start using the preceding system
33252 @item delete-generations
33253 @cindex deleting system generations
33254 @cindex saving space
33255 Delete system generations, making them candidates for garbage collection
33256 (@pxref{Invoking guix gc}, for information on how to run the ``garbage
33259 This works in the same way as @samp{guix package --delete-generations}
33260 (@pxref{Invoking guix package, @option{--delete-generations}}). With no
33261 arguments, all system generations but the current one are deleted:
33264 guix system delete-generations
33267 You can also select the generations you want to delete. The example below
33268 deletes all the system generations that are more than two month old:
33271 guix system delete-generations 2m
33274 Running this command automatically reinstalls the bootloader with an updated
33275 list of menu entries---e.g., the ``old generations'' sub-menu in GRUB no
33276 longer lists the generations that have been deleted.
33279 Build the derivation of the operating system, which includes all the
33280 configuration files and programs needed to boot and run the system.
33281 This action does not actually install anything.
33284 Populate the given directory with all the files necessary to run the
33285 operating system specified in @var{file}. This is useful for first-time
33286 installations of Guix System. For instance:
33289 guix system init my-os-config.scm /mnt
33292 copies to @file{/mnt} all the store items required by the configuration
33293 specified in @file{my-os-config.scm}. This includes configuration
33294 files, packages, and so on. It also creates other essential files
33295 needed for the system to operate correctly---e.g., the @file{/etc},
33296 @file{/var}, and @file{/run} directories, and the @file{/bin/sh} file.
33298 This command also installs bootloader on the target specified in
33299 @file{my-os-config}, unless the @option{--no-bootloader} option was
33303 @cindex virtual machine
33305 @anchor{guix system vm}
33306 Build a virtual machine that contains the operating system declared in
33307 @var{file}, and return a script to run that virtual machine (VM).
33310 The @code{vm} action and others below
33311 can use KVM support in the Linux-libre kernel. Specifically, if the
33312 machine has hardware virtualization support, the corresponding
33313 KVM kernel module should be loaded, and the @file{/dev/kvm} device node
33314 must exist and be readable and writable by the user and by the
33315 build users of the daemon (@pxref{Build Environment Setup}).
33318 Arguments given to the script are passed to QEMU as in the example
33319 below, which enables networking and requests 1@tie{}GiB of RAM for the
33323 $ /gnu/store/@dots{}-run-vm.sh -m 1024 -smp 2 -nic user,model=virtio-net-pci
33326 The VM shares its store with the host system.
33328 Additional file systems can be shared between the host and the VM using
33329 the @option{--share} and @option{--expose} command-line options: the former
33330 specifies a directory to be shared with write access, while the latter
33331 provides read-only access to the shared directory.
33333 The example below creates a VM in which the user's home directory is
33334 accessible read-only, and where the @file{/exchange} directory is a
33335 read-write mapping of @file{$HOME/tmp} on the host:
33338 guix system vm my-config.scm \
33339 --expose=$HOME --share=$HOME/tmp=/exchange
33342 On GNU/Linux, the default is to boot directly to the kernel; this has
33343 the advantage of requiring only a very tiny root disk image since the
33344 store of the host can then be mounted.
33346 The @option{--full-boot} option forces a complete boot sequence, starting
33347 with the bootloader. This requires more disk space since a root image
33348 containing at least the kernel, initrd, and bootloader data files must
33349 be created. The @option{--image-size} option can be used to specify the
33352 @cindex System images, creation in various formats
33353 @cindex Creating system images in various formats
33355 @itemx docker-image
33356 Return a virtual machine, disk image, or Docker image of the operating
33357 system declared in @var{file} that stands alone. By default,
33358 @command{guix system} estimates the size of the image needed to store
33359 the system, but you can use the @option{--image-size} option to specify
33360 a value. Docker images are built to contain exactly what they need, so
33361 the @option{--image-size} option is ignored in the case of
33362 @code{docker-image}.
33364 @cindex image, creating disk images
33365 The @code{image} command can produce various image types. The
33366 image type can be selected using the @option{--image-type} option. It
33367 defaults to @code{efi-raw}. When its value is @code{iso9660}, the
33368 @option{--label} option can be used to specify a volume ID with
33369 @code{image}. By default, the root file system of a disk image is
33370 mounted non-volatile; the @option{--volatile} option can be provided to
33371 make it volatile instead. When using @code{image}, the bootloader
33372 installed on the generated image is taken from the provided
33373 @code{operating-system} definition. The following example demonstrates
33374 how to generate an image that uses the @code{grub-efi-bootloader}
33375 bootloader and boot it with QEMU:
33378 image=$(guix system image --image-type=qcow2 \
33379 gnu/system/examples/lightweight-desktop.tmpl)
33380 cp $image /tmp/my-image.qcow2
33381 chmod +w /tmp/my-image.qcow2
33382 qemu-system-x86_64 -enable-kvm -hda /tmp/my-image.qcow2 -m 1000 \
33383 -bios $(guix build ovmf)/share/firmware/ovmf_x64.bin
33386 When using the @code{efi-raw} image type, a raw disk image is produced;
33387 it can be copied as is to a USB stick, for instance. Assuming
33388 @code{/dev/sdc} is the device corresponding to a USB stick, one can copy
33389 the image to it using the following command:
33392 # dd if=$(guix system image my-os.scm) of=/dev/sdc status=progress
33395 The @code{--list-image-types} command lists all the available image
33398 @cindex creating virtual machine images
33399 When using the @code{qcow2} image type, the returned image is in qcow2
33400 format, which the QEMU emulator can efficiently use. @xref{Running Guix
33401 in a VM}, for more information on how to run the image in a virtual
33402 machine. The @code{grub-bootloader} bootloader is always used
33403 independently of what is declared in the @code{operating-system} file
33404 passed as argument. This is to make it easier to work with QEMU, which
33405 uses the SeaBIOS BIOS by default, expecting a bootloader to be installed
33406 in the Master Boot Record (MBR).
33408 @cindex docker-image, creating docker images
33409 When using @code{docker-image}, a Docker image is produced. Guix builds
33410 the image from scratch, not from a pre-existing Docker base image. As a
33411 result, it contains @emph{exactly} what you define in the operating
33412 system configuration file. You can then load the image and launch a
33413 Docker container using commands like the following:
33416 image_id="$(docker load < guix-system-docker-image.tar.gz)"
33417 container_id="$(docker create $image_id)"
33418 docker start $container_id
33421 This command starts a new Docker container from the specified image. It
33422 will boot the Guix system in the usual manner, which means it will
33423 start any services you have defined in the operating system
33424 configuration. You can get an interactive shell running in the container
33425 using @command{docker exec}:
33428 docker exec -ti $container_id /run/current-system/profile/bin/bash --login
33431 Depending on what you run in the Docker container, it
33432 may be necessary to give the container additional permissions. For
33433 example, if you intend to build software using Guix inside of the Docker
33434 container, you may need to pass the @option{--privileged} option to
33435 @code{docker create}.
33437 Last, the @option{--network} option applies to @command{guix system
33438 docker-image}: it produces an image where network is supposedly shared
33439 with the host, and thus without services like nscd or NetworkManager.
33442 Return a script to run the operating system declared in @var{file}
33443 within a container. Containers are a set of lightweight isolation
33444 mechanisms provided by the kernel Linux-libre. Containers are
33445 substantially less resource-demanding than full virtual machines since
33446 the kernel, shared objects, and other resources can be shared with the
33447 host system; this also means they provide thinner isolation.
33449 Currently, the script must be run as root in order to support more than
33450 a single user and group. The container shares its store with the host
33453 As with the @code{vm} action (@pxref{guix system vm}), additional file
33454 systems to be shared between the host and container can be specified
33455 using the @option{--share} and @option{--expose} options:
33458 guix system container my-config.scm \
33459 --expose=$HOME --share=$HOME/tmp=/exchange
33463 This option requires Linux-libre 3.19 or newer.
33468 @var{options} can contain any of the common build options (@pxref{Common
33469 Build Options}). In addition, @var{options} can contain one of the
33473 @item --expression=@var{expr}
33474 @itemx -e @var{expr}
33475 Consider the operating-system @var{expr} evaluates to.
33476 This is an alternative to specifying a file which evaluates to an
33478 This is used to generate the Guix system installer @pxref{Building the
33479 Installation Image}).
33481 @item --system=@var{system}
33482 @itemx -s @var{system}
33483 Attempt to build for @var{system} instead of the host system type.
33484 This works as per @command{guix build} (@pxref{Invoking guix build}).
33488 Return the derivation file name of the given operating system without
33491 @cindex provenance tracking, of the operating system
33492 @item --save-provenance
33493 As discussed above, @command{guix system init} and @command{guix system
33494 reconfigure} always save provenance information @i{via} a dedicated
33495 service (@pxref{Service Reference, @code{provenance-service-type}}).
33496 However, other commands don't do that by default. If you wish to, say,
33497 create a virtual machine image that contains provenance information, you
33501 guix system image -t qcow2 --save-provenance config.scm
33504 That way, the resulting image will effectively ``embed its own source''
33505 in the form of meta-data in @file{/run/current-system}. With that
33506 information, one can rebuild the image to make sure it really contains
33507 what it pretends to contain; or they could use that to derive a variant
33510 @item --image-type=@var{type}
33511 @itemx -t @var{type}
33512 For the @code{image} action, create an image with given @var{type}.
33514 When this option is omitted, @command{guix system} uses the
33515 @code{efi-raw} image type.
33517 @cindex ISO-9660 format
33518 @cindex CD image format
33519 @cindex DVD image format
33520 @option{--image-type=iso9660} produces an ISO-9660 image, suitable
33521 for burning on CDs and DVDs.
33523 @item --image-size=@var{size}
33524 For the @code{image} action, create an image of the given @var{size}.
33525 @var{size} may be a number of bytes, or it may include a unit as a
33526 suffix (@pxref{Block size, size specifications,, coreutils, GNU
33529 When this option is omitted, @command{guix system} computes an estimate
33530 of the image size as a function of the size of the system declared in
33535 For the @code{container} action, allow containers to access the host network,
33536 that is, do not create a network namespace.
33538 @item --root=@var{file}
33539 @itemx -r @var{file}
33540 Make @var{file} a symlink to the result, and register it as a garbage
33543 @item --skip-checks
33544 Skip pre-installation safety checks.
33546 By default, @command{guix system init} and @command{guix system
33547 reconfigure} perform safety checks: they make sure the file systems that
33548 appear in the @code{operating-system} declaration actually exist
33549 (@pxref{File Systems}), and that any Linux kernel modules that may be
33550 needed at boot time are listed in @code{initrd-modules} (@pxref{Initial
33551 RAM Disk}). Passing this option skips these tests altogether.
33553 @item --allow-downgrades
33554 Instruct @command{guix system reconfigure} to allow system downgrades.
33556 By default, @command{reconfigure} prevents you from downgrading your
33557 system. It achieves that by comparing the provenance info of your
33558 system (shown by @command{guix system describe}) with that of your
33559 @command{guix} command (shown by @command{guix describe}). If the
33560 commits for @command{guix} are not descendants of those used for your
33561 system, @command{guix system reconfigure} errors out. Passing
33562 @option{--allow-downgrades} allows you to bypass these checks.
33565 Make sure you understand its security implications before using
33566 @option{--allow-downgrades}.
33570 @cindex on-error strategy
33571 @cindex error strategy
33572 @item --on-error=@var{strategy}
33573 Apply @var{strategy} when an error occurs when reading @var{file}.
33574 @var{strategy} may be one of the following:
33577 @item nothing-special
33578 Report the error concisely and exit. This is the default strategy.
33581 Likewise, but also display a backtrace.
33584 Report the error and enter Guile's debugger. From there, you can run
33585 commands such as @code{,bt} to get a backtrace, @code{,locals} to
33586 display local variable values, and more generally inspect the state of the
33587 program. @xref{Debug Commands,,, guile, GNU Guile Reference Manual}, for
33588 a list of available debugging commands.
33592 Once you have built, configured, re-configured, and re-re-configured
33593 your Guix installation, you may find it useful to list the operating
33594 system generations available on disk---and that you can choose from the
33595 bootloader boot menu:
33600 Describe the current system generation: its file name, the kernel and
33601 bootloader used, etc., as well as provenance information when available.
33603 @item list-generations
33604 List a summary of each generation of the operating system available on
33605 disk, in a human-readable way. This is similar to the
33606 @option{--list-generations} option of @command{guix package}
33607 (@pxref{Invoking guix package}).
33609 Optionally, one can specify a pattern, with the same syntax that is used
33610 in @command{guix package --list-generations}, to restrict the list of
33611 generations displayed. For instance, the following command displays
33612 generations that are up to 10 days old:
33615 $ guix system list-generations 10d
33620 The @command{guix system} command has even more to offer! The following
33621 sub-commands allow you to visualize how your system services relate to
33624 @anchor{system-extension-graph}
33627 @item extension-graph
33628 Emit to standard output the @dfn{service
33629 extension graph} of the operating system defined in @var{file}
33630 (@pxref{Service Composition}, for more information on service
33631 extensions). By default the output is in Dot/Graphviz format, but you
33632 can choose a different format with @option{--graph-backend}, as with
33633 @command{guix graph} (@pxref{Invoking guix graph, @option{--backend}}):
33638 $ guix system extension-graph @var{file} | xdot -
33641 shows the extension relations among services.
33643 @anchor{system-shepherd-graph}
33644 @item shepherd-graph
33645 Emit to standard output the @dfn{dependency
33646 graph} of shepherd services of the operating system defined in
33647 @var{file}. @xref{Shepherd Services}, for more information and for an
33650 Again, the default output format is Dot/Graphviz, but you can pass
33651 @option{--graph-backend} to select a different one.
33655 @node Invoking guix deploy
33656 @section Invoking @code{guix deploy}
33658 We've already seen @code{operating-system} declarations used to manage a
33659 machine's configuration locally. Suppose you need to configure multiple
33660 machines, though---perhaps you're managing a service on the web that's
33661 comprised of several servers. @command{guix deploy} enables you to use those
33662 same @code{operating-system} declarations to manage multiple remote hosts at
33663 once as a logical ``deployment''.
33666 The functionality described in this section is still under development
33667 and is subject to change. Get in touch with us on
33668 @email{guix-devel@@gnu.org}!
33672 guix deploy @var{file}
33675 Such an invocation will deploy the machines that the code within @var{file}
33676 evaluates to. As an example, @var{file} might contain a definition like this:
33679 ;; This is a Guix deployment of a "bare bones" setup, with
33680 ;; no X11 display server, to a machine with an SSH daemon
33681 ;; listening on localhost:2222. A configuration such as this
33682 ;; may be appropriate for virtual machine with ports
33683 ;; forwarded to the host's loopback interface.
33685 (use-service-modules networking ssh)
33686 (use-package-modules bootloaders)
33690 (host-name "gnu-deployed")
33691 (timezone "Etc/UTC")
33692 (bootloader (bootloader-configuration
33693 (bootloader grub-bootloader)
33694 (target "/dev/vda")
33695 (terminal-outputs '(console))))
33696 (file-systems (cons (file-system
33698 (device "/dev/vda1")
33700 %base-file-systems))
33702 (append (list (service dhcp-client-service-type)
33703 (service openssh-service-type
33704 (openssh-configuration
33705 (permit-root-login #t)
33706 (allow-empty-passwords? #t))))
33710 (operating-system %system)
33711 (environment managed-host-environment-type)
33712 (configuration (machine-ssh-configuration
33713 (host-name "localhost")
33714 (system "x86_64-linux")
33716 (identity "./id_rsa")
33720 The file should evaluate to a list of @var{machine} objects. This example,
33721 upon being deployed, will create a new generation on the remote system
33722 realizing the @code{operating-system} declaration @code{%system}.
33723 @code{environment} and @code{configuration} specify how the machine should be
33724 provisioned---that is, how the computing resources should be created and
33725 managed. The above example does not create any resources, as a
33726 @code{'managed-host} is a machine that is already running the Guix system and
33727 available over the network. This is a particularly simple case; a more
33728 complex deployment may involve, for example, starting virtual machines through
33729 a Virtual Private Server (VPS) provider. In such a case, a different
33730 @var{environment} type would be used.
33732 Do note that you first need to generate a key pair on the coordinator machine
33733 to allow the daemon to export signed archives of files from the store
33734 (@pxref{Invoking guix archive}), though this step is automatic on Guix
33738 # guix archive --generate-key
33742 Each target machine must authorize the key of the master machine so that it
33743 accepts store items it receives from the coordinator:
33746 # guix archive --authorize < coordinator-public-key.txt
33749 @code{user}, in this example, specifies the name of the user account to log in
33750 as to perform the deployment. Its default value is @code{root}, but root
33751 login over SSH may be forbidden in some cases. To work around this,
33752 @command{guix deploy} can log in as an unprivileged user and employ
33753 @code{sudo} to escalate privileges. This will only work if @code{sudo} is
33754 currently installed on the remote and can be invoked non-interactively as
33755 @code{user}. That is, the line in @code{sudoers} granting @code{user} the
33756 ability to use @code{sudo} must contain the @code{NOPASSWD} tag. This can
33757 be accomplished with the following operating system configuration snippet:
33761 (gnu system)) ;for %sudoers-specification
33763 (define %user "username")
33768 (plain-file "sudoers"
33769 (string-append (plain-file-content %sudoers-specification)
33770 (format #f "~a ALL = NOPASSWD: ALL~%"
33775 For more information regarding the format of the @file{sudoers} file,
33776 consult @command{man sudoers}.
33778 @deftp {Data Type} machine
33779 This is the data type representing a single machine in a heterogeneous Guix
33783 @item @code{operating-system}
33784 The object of the operating system configuration to deploy.
33786 @item @code{environment}
33787 An @code{environment-type} describing how the machine should be provisioned.
33789 @item @code{configuration} (default: @code{#f})
33790 An object describing the configuration for the machine's @code{environment}.
33791 If the @code{environment} has a default configuration, @code{#f} may be used.
33792 If @code{#f} is used for an environment with no default configuration,
33793 however, an error will be thrown.
33797 @deftp {Data Type} machine-ssh-configuration
33798 This is the data type representing the SSH client parameters for a machine
33799 with an @code{environment} of @code{managed-host-environment-type}.
33802 @item @code{host-name}
33803 @item @code{build-locally?} (default: @code{#t})
33804 If false, system derivations will be built on the machine being deployed to.
33805 @item @code{system}
33806 The system type describing the architecture of the machine being deployed
33807 to---e.g., @code{"x86_64-linux"}.
33808 @item @code{authorize?} (default: @code{#t})
33809 If true, the coordinator's signing key will be added to the remote's ACL
33811 @item @code{port} (default: @code{22})
33812 @item @code{user} (default: @code{"root"})
33813 @item @code{identity} (default: @code{#f})
33814 If specified, the path to the SSH private key to use to authenticate with the
33817 @item @code{host-key} (default: @code{#f})
33818 This should be the SSH host key of the machine, which looks like this:
33821 ssh-ed25519 AAAAC3Nz@dots{} root@@example.org
33824 When @code{host-key} is @code{#f}, the server is authenticated against
33825 the @file{~/.ssh/known_hosts} file, just like the OpenSSH @command{ssh}
33828 @item @code{allow-downgrades?} (default: @code{#f})
33829 Whether to allow potential downgrades.
33831 Like @command{guix system reconfigure}, @command{guix deploy} compares
33832 the channel commits currently deployed on the remote host (as returned
33833 by @command{guix system describe}) to those currently in use (as
33834 returned by @command{guix describe}) to determine whether commits
33835 currently in use are descendants of those deployed. When this is not
33836 the case and @code{allow-downgrades?} is false, it raises an error.
33837 This ensures you do not accidentally downgrade remote machines.
33841 @deftp {Data Type} digital-ocean-configuration
33842 This is the data type describing the Droplet that should be created for a
33843 machine with an @code{environment} of @code{digital-ocean-environment-type}.
33846 @item @code{ssh-key}
33847 The path to the SSH private key to use to authenticate with the remote
33848 host. In the future, this field may not exist.
33850 A list of string ``tags'' that uniquely identify the machine. Must be given
33851 such that no two machines in the deployment have the same set of tags.
33852 @item @code{region}
33853 A Digital Ocean region slug, such as @code{"nyc3"}.
33855 A Digital Ocean size slug, such as @code{"s-1vcpu-1gb"}
33856 @item @code{enable-ipv6?}
33857 Whether or not the droplet should be created with IPv6 networking.
33861 @node Running Guix in a VM
33862 @section Running Guix in a Virtual Machine
33864 @cindex virtual machine
33865 To run Guix in a virtual machine (VM), one can use the pre-built Guix VM
33866 image distributed at
33867 @url{@value{BASE-URL}/guix-system-vm-image-@value{VERSION}.x86_64-linux.qcow2}.
33868 This image is a compressed image in QCOW format. You can pass it to an
33869 emulator such as @uref{https://qemu.org/, QEMU} (see below for details).
33871 This image boots the Xfce graphical environment and it contains some
33872 commonly used tools. You can install more software in the image by running
33873 @command{guix package} in a terminal (@pxref{Invoking guix package}). You can
33874 also reconfigure the system based on its initial configuration file available
33875 as @file{/run/current-system/configuration.scm} (@pxref{Using the
33876 Configuration System}).
33878 Instead of using this pre-built image, one can also build their own
33879 image using @command{guix system image} (@pxref{Invoking guix system}).
33882 If you built your own image, you must copy it out of the store
33883 (@pxref{The Store}) and give yourself permission to write to the copy
33884 before you can use it. When invoking QEMU, you must choose a system
33885 emulator that is suitable for your hardware platform. Here is a minimal
33886 QEMU invocation that will boot the result of @command{guix system
33887 image -t qcow2} on x86_64 hardware:
33890 $ qemu-system-x86_64 \
33891 -nic user,model=virtio-net-pci \
33892 -enable-kvm -m 1024 \
33893 -device virtio-blk,drive=myhd \
33894 -drive if=none,file=/tmp/qemu-image,id=myhd
33897 Here is what each of these options means:
33900 @item qemu-system-x86_64
33901 This specifies the hardware platform to emulate. This should match the
33904 @item -nic user,model=virtio-net-pci
33905 Enable the unprivileged user-mode network stack. The guest OS can
33906 access the host but not vice versa. This is the simplest way to get the
33907 guest OS online. @code{model} specifies which network device to emulate:
33908 @code{virtio-net-pci} is a special device made for virtualized operating
33909 systems and recommended for most uses. Assuming your hardware platform is
33910 x86_64, you can get a list of available NIC models by running
33911 @command{qemu-system-x86_64 -nic model=help}.
33914 If your system has hardware virtualization extensions, enabling the
33915 virtual machine support (KVM) of the Linux kernel will make things run
33918 @c To run Xfce + 'guix pull', we need at least 1G of RAM.
33920 RAM available to the guest OS, in mebibytes. Defaults to 128@tie{}MiB,
33921 which may be insufficient for some operations.
33923 @item -device virtio-blk,drive=myhd
33924 Create a @code{virtio-blk} drive called ``myhd''. @code{virtio-blk} is a
33925 ``paravirtualization'' mechanism for block devices that allows QEMU to achieve
33926 better performance than if it were emulating a complete disk drive. See the
33927 QEMU and KVM documentation for more info.
33929 @item -drive if=none,file=/tmp/qemu-image,id=myhd
33930 Use our QCOW image, the @file{/tmp/qemu-image} file, as the backing
33931 store of the ``myhd'' drive.
33934 The default @command{run-vm.sh} script that is returned by an invocation of
33935 @command{guix system vm} does not add a @command{-nic user} flag by default.
33936 To get network access from within the vm add the @code{(dhcp-client-service)}
33937 to your system definition and start the VM using
33938 @command{$(guix system vm config.scm) -nic user}. An important caveat of using
33939 @command{-nic user} for networking is that @command{ping} will not work, because
33940 it uses the ICMP protocol. You'll have to use a different command to check for
33941 network connectivity, for example @command{guix download}.
33943 @subsection Connecting Through SSH
33947 To enable SSH inside a VM you need to add an SSH server like
33948 @code{openssh-service-type} to your VM (@pxref{Networking Services,
33949 @code{openssh-service-type}}). In addition you need to forward the SSH port,
33950 22 by default, to the host. You can do this with
33953 $(guix system vm config.scm) -nic user,model=virtio-net-pci,hostfwd=tcp::10022-:22
33956 To connect to the VM you can run
33959 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 localhost
33962 The @command{-p} tells @command{ssh} the port you want to connect to.
33963 @command{-o UserKnownHostsFile=/dev/null} prevents @command{ssh} from complaining
33964 every time you modify your @command{config.scm} file and the
33965 @command{-o StrictHostKeyChecking=no} prevents you from having to allow a
33966 connection to an unknown host every time you connect.
33969 If you find the above @samp{hostfwd} example not to be working (e.g.,
33970 your SSH client hangs attempting to connect to the mapped port of your
33971 VM), make sure that your Guix System VM has networking support, such as
33972 by using the @code{dhcp-client-service-type} service type.
33975 @subsection Using @command{virt-viewer} with Spice
33977 As an alternative to the default @command{qemu} graphical client you can
33978 use the @command{remote-viewer} from the @command{virt-viewer} package. To
33979 connect pass the @command{-spice port=5930,disable-ticketing} flag to
33980 @command{qemu}. See previous section for further information on how to do this.
33982 Spice also allows you to do some nice stuff like share your clipboard with your
33983 VM@. To enable that you'll also have to pass the following flags to @command{qemu}:
33986 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5
33987 -chardev spicevmc,name=vdagent,id=vdagent
33988 -device virtserialport,nr=1,bus=virtio-serial0.0,chardev=vdagent,
33989 name=com.redhat.spice.0
33992 You'll also need to add the @code{(spice-vdagent-service)} to your
33993 system definition (@pxref{Miscellaneous Services, Spice service}).
33995 @node Defining Services
33996 @section Defining Services
33998 The previous sections show the available services and how one can combine
33999 them in an @code{operating-system} declaration. But how do we define
34000 them in the first place? And what is a service anyway?
34003 * Service Composition:: The model for composing services.
34004 * Service Types and Services:: Types and services.
34005 * Service Reference:: API reference.
34006 * Shepherd Services:: A particular type of service.
34009 @node Service Composition
34010 @subsection Service Composition
34014 Here we define a @dfn{service} as, broadly, something that extends the
34015 functionality of the operating system. Often a service is a process---a
34016 @dfn{daemon}---started when the system boots: a secure shell server, a
34017 Web server, the Guix build daemon, etc. Sometimes a service is a daemon
34018 whose execution can be triggered by another daemon---e.g., an FTP server
34019 started by @command{inetd} or a D-Bus service activated by
34020 @command{dbus-daemon}. Occasionally, a service does not map to a
34021 daemon. For instance, the ``account'' service collects user accounts
34022 and makes sure they exist when the system runs; the ``udev'' service
34023 collects device management rules and makes them available to the eudev
34024 daemon; the @file{/etc} service populates the @file{/etc} directory
34027 @cindex service extensions
34028 Guix system services are connected by @dfn{extensions}. For instance, the
34029 secure shell service @emph{extends} the Shepherd---the
34030 initialization system, running as PID@tie{}1---by giving it the command
34031 lines to start and stop the secure shell daemon (@pxref{Networking
34032 Services, @code{openssh-service-type}}); the UPower service extends the D-Bus
34033 service by passing it its @file{.service} specification, and extends the
34034 udev service by passing it device management rules (@pxref{Desktop
34035 Services, @code{upower-service}}); the Guix daemon service extends the
34036 Shepherd by passing it the command lines to start and stop the daemon,
34037 and extends the account service by passing it a list of required build
34038 user accounts (@pxref{Base Services}).
34040 All in all, services and their ``extends'' relations form a directed
34041 acyclic graph (DAG). If we represent services as boxes and extensions
34042 as arrows, a typical system might provide something like this:
34044 @image{images/service-graph,,5in,Typical service extension graph.}
34046 @cindex system service
34047 At the bottom, we see the @dfn{system service}, which produces the
34048 directory containing everything to run and boot the system, as returned
34049 by the @command{guix system build} command. @xref{Service Reference},
34050 to learn about the other service types shown here.
34051 @xref{system-extension-graph, the @command{guix system extension-graph}
34052 command}, for information on how to generate this representation for a
34053 particular operating system definition.
34055 @cindex service types
34056 Technically, developers can define @dfn{service types} to express these
34057 relations. There can be any number of services of a given type on the
34058 system---for instance, a system running two instances of the GNU secure
34059 shell server (lsh) has two instances of @code{lsh-service-type}, with
34060 different parameters.
34062 The following section describes the programming interface for service
34063 types and services.
34065 @node Service Types and Services
34066 @subsection Service Types and Services
34068 A @dfn{service type} is a node in the DAG described above. Let us start
34069 with a simple example, the service type for the Guix build daemon
34070 (@pxref{Invoking guix-daemon}):
34073 (define guix-service-type
34077 (list (service-extension shepherd-root-service-type guix-shepherd-service)
34078 (service-extension account-service-type guix-accounts)
34079 (service-extension activation-service-type guix-activation)))
34080 (default-value (guix-configuration))))
34084 It defines three things:
34088 A name, whose sole purpose is to make inspection and debugging easier.
34091 A list of @dfn{service extensions}, where each extension designates the
34092 target service type and a procedure that, given the parameters of the
34093 service, returns a list of objects to extend the service of that type.
34095 Every service type has at least one service extension. The only
34096 exception is the @dfn{boot service type}, which is the ultimate service.
34099 Optionally, a default value for instances of this type.
34102 In this example, @code{guix-service-type} extends three services:
34105 @item shepherd-root-service-type
34106 The @code{guix-shepherd-service} procedure defines how the Shepherd
34107 service is extended. Namely, it returns a @code{<shepherd-service>}
34108 object that defines how @command{guix-daemon} is started and stopped
34109 (@pxref{Shepherd Services}).
34111 @item account-service-type
34112 This extension for this service is computed by @code{guix-accounts},
34113 which returns a list of @code{user-group} and @code{user-account}
34114 objects representing the build user accounts (@pxref{Invoking
34117 @item activation-service-type
34118 Here @code{guix-activation} is a procedure that returns a gexp, which is
34119 a code snippet to run at ``activation time''---e.g., when the service is
34123 A service of this type is instantiated like this:
34126 (service guix-service-type
34127 (guix-configuration
34129 (extra-options '("--gc-keep-derivations"))))
34132 The second argument to the @code{service} form is a value representing
34133 the parameters of this specific service instance.
34134 @xref{guix-configuration-type, @code{guix-configuration}}, for
34135 information about the @code{guix-configuration} data type. When the
34136 value is omitted, the default value specified by
34137 @code{guix-service-type} is used:
34140 (service guix-service-type)
34143 @code{guix-service-type} is quite simple because it extends other
34144 services but is not extensible itself.
34146 @c @subsubsubsection Extensible Service Types
34148 The service type for an @emph{extensible} service looks like this:
34151 (define udev-service-type
34152 (service-type (name 'udev)
34154 (list (service-extension shepherd-root-service-type
34155 udev-shepherd-service)))
34157 (compose concatenate) ;concatenate the list of rules
34158 (extend (lambda (config rules)
34160 (($ <udev-configuration> udev initial-rules)
34161 (udev-configuration
34162 (udev udev) ;the udev package to use
34163 (rules (append initial-rules rules)))))))))
34166 This is the service type for the
34167 @uref{https://wiki.gentoo.org/wiki/Project:Eudev, eudev device
34168 management daemon}. Compared to the previous example, in addition to an
34169 extension of @code{shepherd-root-service-type}, we see two new fields:
34173 This is the procedure to @dfn{compose} the list of extensions to
34174 services of this type.
34176 Services can extend the udev service by passing it lists of rules; we
34177 compose those extensions simply by concatenating them.
34180 This procedure defines how the value of the service is @dfn{extended} with
34181 the composition of the extensions.
34183 Udev extensions are composed into a list of rules, but the udev service
34184 value is itself a @code{<udev-configuration>} record. So here, we
34185 extend that record by appending the list of rules it contains to the
34186 list of contributed rules.
34189 This is a string giving an overview of the service type. The string can
34190 contain Texinfo markup (@pxref{Overview,,, texinfo, GNU Texinfo}). The
34191 @command{guix system search} command searches these strings and displays
34192 them (@pxref{Invoking guix system}).
34195 There can be only one instance of an extensible service type such as
34196 @code{udev-service-type}. If there were more, the
34197 @code{service-extension} specifications would be ambiguous.
34199 Still here? The next section provides a reference of the programming
34200 interface for services.
34202 @node Service Reference
34203 @subsection Service Reference
34205 We have seen an overview of service types (@pxref{Service Types and
34206 Services}). This section provides a reference on how to manipulate
34207 services and service types. This interface is provided by the
34208 @code{(gnu services)} module.
34210 @deffn {Scheme Procedure} service @var{type} [@var{value}]
34211 Return a new service of @var{type}, a @code{<service-type>} object (see
34212 below). @var{value} can be any object; it represents the parameters of
34213 this particular service instance.
34215 When @var{value} is omitted, the default value specified by @var{type}
34216 is used; if @var{type} does not specify a default value, an error is
34219 For instance, this:
34222 (service openssh-service-type)
34226 is equivalent to this:
34229 (service openssh-service-type
34230 (openssh-configuration))
34233 In both cases the result is an instance of @code{openssh-service-type}
34234 with the default configuration.
34237 @deffn {Scheme Procedure} service? @var{obj}
34238 Return true if @var{obj} is a service.
34241 @deffn {Scheme Procedure} service-kind @var{service}
34242 Return the type of @var{service}---i.e., a @code{<service-type>} object.
34245 @deffn {Scheme Procedure} service-value @var{service}
34246 Return the value associated with @var{service}. It represents its
34250 Here is an example of how a service is created and manipulated:
34254 (service nginx-service-type
34255 (nginx-configuration
34257 (log-directory log-directory)
34258 (run-directory run-directory)
34259 (file config-file))))
34264 (eq? (service-kind s) nginx-service-type)
34268 The @code{modify-services} form provides a handy way to change the
34269 parameters of some of the services of a list such as
34270 @code{%base-services} (@pxref{Base Services, @code{%base-services}}). It
34271 evaluates to a list of services. Of course, you could always use
34272 standard list combinators such as @code{map} and @code{fold} to do that
34273 (@pxref{SRFI-1, List Library,, guile, GNU Guile Reference Manual});
34274 @code{modify-services} simply provides a more concise form for this
34277 @deffn {Scheme Syntax} modify-services @var{services} @
34278 (@var{type} @var{variable} => @var{body}) @dots{}
34280 Modify the services listed in @var{services} according to the given
34281 clauses. Each clause has the form:
34284 (@var{type} @var{variable} => @var{body})
34287 where @var{type} is a service type---e.g.,
34288 @code{guix-service-type}---and @var{variable} is an identifier that is
34289 bound within the @var{body} to the service parameters---e.g., a
34290 @code{guix-configuration} instance---of the original service of that
34293 The @var{body} should evaluate to the new service parameters, which will
34294 be used to configure the new service. This new service will replace the
34295 original in the resulting list. Because a service's service parameters
34296 are created using @code{define-record-type*}, you can write a succinct
34297 @var{body} that evaluates to the new service parameters by using the
34298 @code{inherit} feature that @code{define-record-type*} provides.
34300 @xref{Using the Configuration System}, for example usage.
34304 Next comes the programming interface for service types. This is
34305 something you want to know when writing new service definitions, but not
34306 necessarily when simply looking for ways to customize your
34307 @code{operating-system} declaration.
34309 @deftp {Data Type} service-type
34310 @cindex service type
34311 This is the representation of a @dfn{service type} (@pxref{Service Types
34316 This is a symbol, used only to simplify inspection and debugging.
34318 @item @code{extensions}
34319 A non-empty list of @code{<service-extension>} objects (see below).
34321 @item @code{compose} (default: @code{#f})
34322 If this is @code{#f}, then the service type denotes services that cannot
34323 be extended---i.e., services that do not receive ``values'' from other
34326 Otherwise, it must be a one-argument procedure. The procedure is called
34327 by @code{fold-services} and is passed a list of values collected from
34328 extensions. It may return any single value.
34330 @item @code{extend} (default: @code{#f})
34331 If this is @code{#f}, services of this type cannot be extended.
34333 Otherwise, it must be a two-argument procedure: @code{fold-services}
34334 calls it, passing it the initial value of the service as the first
34335 argument and the result of applying @code{compose} to the extension
34336 values as the second argument. It must return a value that is a valid
34337 parameter value for the service instance.
34339 @item @code{description}
34340 This is a string, possibly using Texinfo markup, describing in a couple
34341 of sentences what the service is about. This string allows users to
34342 find about the service through @command{guix system search}
34343 (@pxref{Invoking guix system}).
34345 @item @code{default-value} (default: @code{&no-default-value})
34346 The default value associated for instances of this service type. This
34347 allows users to use the @code{service} form without its second argument:
34350 (service @var{type})
34353 The returned service in this case has the default value specified by
34357 @xref{Service Types and Services}, for examples.
34360 @deffn {Scheme Procedure} service-extension @var{target-type} @
34362 Return a new extension for services of type @var{target-type}.
34363 @var{compute} must be a one-argument procedure: @code{fold-services}
34364 calls it, passing it the value associated with the service that provides
34365 the extension; it must return a valid value for the target service.
34368 @deffn {Scheme Procedure} service-extension? @var{obj}
34369 Return true if @var{obj} is a service extension.
34372 Occasionally, you might want to simply extend an existing service. This
34373 involves creating a new service type and specifying the extension of
34374 interest, which can be verbose; the @code{simple-service} procedure
34375 provides a shorthand for this.
34377 @deffn {Scheme Procedure} simple-service @var{name} @var{target} @var{value}
34378 Return a service that extends @var{target} with @var{value}. This works
34379 by creating a singleton service type @var{name}, of which the returned
34380 service is an instance.
34382 For example, this extends mcron (@pxref{Scheduled Job Execution}) with
34386 (simple-service 'my-mcron-job mcron-service-type
34387 #~(job '(next-hour (3)) "guix gc -F 2G"))
34391 At the core of the service abstraction lies the @code{fold-services}
34392 procedure, which is responsible for ``compiling'' a list of services
34393 down to a single directory that contains everything needed to boot and
34394 run the system---the directory shown by the @command{guix system build}
34395 command (@pxref{Invoking guix system}). In essence, it propagates
34396 service extensions down the service graph, updating each node parameters
34397 on the way, until it reaches the root node.
34399 @deffn {Scheme Procedure} fold-services @var{services} @
34400 [#:target-type @var{system-service-type}]
34401 Fold @var{services} by propagating their extensions down to the root of
34402 type @var{target-type}; return the root service adjusted accordingly.
34405 Lastly, the @code{(gnu services)} module also defines several essential
34406 service types, some of which are listed below.
34408 @defvr {Scheme Variable} system-service-type
34409 This is the root of the service graph. It produces the system directory
34410 as returned by the @command{guix system build} command.
34413 @defvr {Scheme Variable} boot-service-type
34414 The type of the ``boot service'', which produces the @dfn{boot script}.
34415 The boot script is what the initial RAM disk runs when booting.
34418 @defvr {Scheme Variable} etc-service-type
34419 The type of the @file{/etc} service. This service is used to create
34420 files under @file{/etc} and can be extended by
34421 passing it name/file tuples such as:
34424 (list `("issue" ,(plain-file "issue" "Welcome!\n")))
34427 In this example, the effect would be to add an @file{/etc/issue} file
34428 pointing to the given file.
34431 @defvr {Scheme Variable} setuid-program-service-type
34432 Type for the ``setuid-program service''. This service collects lists of
34433 executable file names, passed as gexps, and adds them to the set of
34434 setuid-root programs on the system (@pxref{Setuid Programs}).
34437 @defvr {Scheme Variable} profile-service-type
34438 Type of the service that populates the @dfn{system profile}---i.e., the
34439 programs under @file{/run/current-system/profile}. Other services can
34440 extend it by passing it lists of packages to add to the system profile.
34443 @cindex provenance tracking, of the operating system
34444 @anchor{provenance-service-type}
34445 @defvr {Scheme Variable} provenance-service-type
34446 This is the type of the service that records @dfn{provenance meta-data}
34447 in the system itself. It creates several files under
34448 @file{/run/current-system}:
34452 This is a ``channel file'' that can be passed to @command{guix pull -C}
34453 or @command{guix time-machine -C}, and which describes the channels used
34454 to build the system, if that information was available
34455 (@pxref{Channels}).
34457 @item configuration.scm
34458 This is the file that was passed as the value for this
34459 @code{provenance-service-type} service. By default, @command{guix
34460 system reconfigure} automatically passes the OS configuration file it
34461 received on the command line.
34464 This contains the same information as the two other files but in a
34465 format that is more readily processable.
34468 In general, these two pieces of information (channels and configuration
34469 file) are enough to reproduce the operating system ``from source''.
34472 This information is necessary to rebuild your operating system, but it
34473 is not always sufficient. In particular, @file{configuration.scm}
34474 itself is insufficient if it is not self-contained---if it refers to
34475 external Guile modules or to extra files. If you want
34476 @file{configuration.scm} to be self-contained, we recommend that modules
34477 or files it refers to be part of a channel.
34479 Besides, provenance meta-data is ``silent'' in the sense that it does
34480 not change the bits contained in your system, @emph{except for the
34481 meta-data bits themselves}. Two different OS configurations or sets of
34482 channels can lead to the same system, bit-for-bit; when
34483 @code{provenance-service-type} is used, these two systems will have
34484 different meta-data and thus different store file names, which makes
34485 comparison less trivial.
34488 This service is automatically added to your operating system
34489 configuration when you use @command{guix system reconfigure},
34490 @command{guix system init}, or @command{guix deploy}.
34493 @defvr {Scheme Variable} linux-loadable-module-service-type
34494 Type of the service that collects lists of packages containing
34495 kernel-loadable modules, and adds them to the set of kernel-loadable
34498 This service type is intended to be extended by other service types,
34502 (simple-service 'installing-module
34503 linux-loadable-module-service-type
34504 (list module-to-install-1
34505 module-to-install-2))
34508 This does not actually load modules at bootup, only adds it to the
34509 kernel profile so that it @emph{can} be loaded by other means.
34512 @node Shepherd Services
34513 @subsection Shepherd Services
34515 @cindex shepherd services
34517 @cindex init system
34518 The @code{(gnu services shepherd)} module provides a way to define
34519 services managed by the GNU@tie{}Shepherd, which is the
34520 initialization system---the first process that is started when the
34521 system boots, also known as PID@tie{}1
34522 (@pxref{Introduction,,, shepherd, The GNU Shepherd Manual}).
34524 Services in the Shepherd can depend on each other. For instance, the
34525 SSH daemon may need to be started after the syslog daemon has been
34526 started, which in turn can only happen once all the file systems have
34527 been mounted. The simple operating system defined earlier (@pxref{Using
34528 the Configuration System}) results in a service graph like this:
34530 @image{images/shepherd-graph,,5in,Typical shepherd service graph.}
34532 You can actually generate such a graph for any operating system
34533 definition using the @command{guix system shepherd-graph} command
34534 (@pxref{system-shepherd-graph, @command{guix system shepherd-graph}}).
34536 The @code{%shepherd-root-service} is a service object representing
34537 PID@tie{}1, of type @code{shepherd-root-service-type}; it can be extended
34538 by passing it lists of @code{<shepherd-service>} objects.
34540 @deftp {Data Type} shepherd-service
34541 The data type representing a service managed by the Shepherd.
34544 @item @code{provision}
34545 This is a list of symbols denoting what the service provides.
34547 These are the names that may be passed to @command{herd start},
34548 @command{herd status}, and similar commands (@pxref{Invoking herd,,,
34549 shepherd, The GNU Shepherd Manual}). @xref{Slots of services, the
34550 @code{provides} slot,, shepherd, The GNU Shepherd Manual}, for details.
34552 @item @code{requirement} (default: @code{'()})
34553 List of symbols denoting the Shepherd services this one depends on.
34555 @cindex one-shot services, for the Shepherd
34556 @item @code{one-shot?} (default: @code{#f})
34557 Whether this service is @dfn{one-shot}. One-shot services stop immediately
34558 after their @code{start} action has completed. @xref{Slots of services,,,
34559 shepherd, The GNU Shepherd Manual}, for more info.
34561 @item @code{respawn?} (default: @code{#t})
34562 Whether to restart the service when it stops, for instance when the
34563 underlying process dies.
34566 @itemx @code{stop} (default: @code{#~(const #f)})
34567 The @code{start} and @code{stop} fields refer to the Shepherd's
34568 facilities to start and stop processes (@pxref{Service De- and
34569 Constructors,,, shepherd, The GNU Shepherd Manual}). They are given as
34570 G-expressions that get expanded in the Shepherd configuration file
34571 (@pxref{G-Expressions}).
34573 @item @code{actions} (default: @code{'()})
34574 @cindex actions, of Shepherd services
34575 This is a list of @code{shepherd-action} objects (see below) defining
34576 @dfn{actions} supported by the service, in addition to the standard
34577 @code{start} and @code{stop} actions. Actions listed here become available as
34578 @command{herd} sub-commands:
34581 herd @var{action} @var{service} [@var{arguments}@dots{}]
34584 @item @code{auto-start?} (default: @code{#t})
34585 Whether this service should be started automatically by the Shepherd. If it
34586 is @code{#f} the service has to be started manually with @code{herd start}.
34588 @item @code{documentation}
34589 A documentation string, as shown when running:
34592 herd doc @var{service-name}
34595 where @var{service-name} is one of the symbols in @code{provision}
34596 (@pxref{Invoking herd,,, shepherd, The GNU Shepherd Manual}).
34598 @item @code{modules} (default: @code{%default-modules})
34599 This is the list of modules that must be in scope when @code{start} and
34600 @code{stop} are evaluated.
34605 The example below defines a Shepherd service that spawns
34606 @command{syslogd}, the system logger from the GNU Networking Utilities
34607 (@pxref{syslogd invocation, @command{syslogd},, inetutils, GNU
34611 (let ((config (plain-file "syslogd.conf" "@dots{}")))
34613 (documentation "Run the syslog daemon (syslogd).")
34614 (provision '(syslogd))
34615 (requirement '(user-processes))
34616 (start #~(make-forkexec-constructor
34617 (list #$(file-append inetutils "/libexec/syslogd")
34618 "--rcfile" #$config)
34619 #:pid-file "/var/run/syslog.pid"))
34620 (stop #~(make-kill-destructor))))
34623 Key elements in this example are the @code{start} and @code{stop}
34624 fields: they are @dfn{staged} code snippets that use the
34625 @code{make-forkexec-constructor} procedure provided by the Shepherd and
34626 its dual, @code{make-kill-destructor} (@pxref{Service De- and
34627 Constructors,,, shepherd, The GNU Shepherd Manual}). The @code{start}
34628 field will have @command{shepherd} spawn @command{syslogd} with the
34629 given option; note that we pass @code{config} after @option{--rcfile},
34630 which is a configuration file declared above (contents of this file are
34631 omitted). Likewise, the @code{stop} field tells how this service is to
34632 be stopped; in this case, it is stopped by making the @code{kill} system
34633 call on its PID@. Code staging is achieved using G-expressions:
34634 @code{#~} stages code, while @code{#$} ``escapes'' back to host code
34635 (@pxref{G-Expressions}).
34637 @deftp {Data Type} shepherd-action
34638 This is the data type that defines additional actions implemented by a
34639 Shepherd service (see above).
34643 Symbol naming the action.
34645 @item documentation
34646 This is a documentation string for the action. It can be viewed by running:
34649 herd doc @var{service} action @var{action}
34653 This should be a gexp that evaluates to a procedure of at least one argument,
34654 which is the ``running value'' of the service (@pxref{Slots of services,,,
34655 shepherd, The GNU Shepherd Manual}).
34658 The following example defines an action called @code{say-hello} that kindly
34664 (documentation "Say hi!")
34665 (procedure #~(lambda (running . args)
34666 (format #t "Hello, friend! arguments: ~s\n"
34671 Assuming this action is added to the @code{example} service, then you can do:
34674 # herd say-hello example
34675 Hello, friend! arguments: ()
34676 # herd say-hello example a b c
34677 Hello, friend! arguments: ("a" "b" "c")
34680 This, as you can see, is a fairly sophisticated way to say hello.
34681 @xref{Service Convenience,,, shepherd, The GNU Shepherd Manual}, for more
34685 @defvr {Scheme Variable} shepherd-root-service-type
34686 The service type for the Shepherd ``root service''---i.e., PID@tie{}1.
34688 This is the service type that extensions target when they want to create
34689 shepherd services (@pxref{Service Types and Services}, for an example).
34690 Each extension must pass a list of @code{<shepherd-service>}. Its
34691 value must be a @code{shepherd-configuration}, as described below.
34694 @deftp {Data Type} shepherd-configuration
34695 This data type represents the Shepherd's configuration.
34698 @item shepherd (default: @code{shepherd})
34699 The Shepherd package to use.
34701 @item services (default: @code{'()})
34702 A list of @code{<shepherd-service>} to start.
34703 You should probably use the service extension
34704 mechanism instead (@pxref{Shepherd Services}).
34708 The following example specifies the Shepherd package for the operating
34714 (services (append (list openssh-service-type))
34718 ;; Use own Shepherd package.
34719 (essential-services
34720 (modify-services (operating-system-default-essential-services
34721 this-operating-system)
34722 (shepherd-root-service-type config => (shepherd-configuration
34724 (shepherd my-shepherd))))))
34727 @defvr {Scheme Variable} %shepherd-root-service
34728 This service represents PID@tie{}1.
34732 @node Documentation
34733 @chapter Documentation
34735 @cindex documentation, searching for
34736 @cindex searching for documentation
34737 @cindex Info, documentation format
34739 @cindex manual pages
34740 In most cases packages installed with Guix come with documentation.
34741 There are two main documentation formats: ``Info'', a browsable
34742 hypertext format used for GNU software, and ``manual pages'' (or ``man
34743 pages''), the linear documentation format traditionally found on Unix.
34744 Info manuals are accessed with the @command{info} command or with Emacs,
34745 and man pages are accessed using @command{man}.
34747 You can look for documentation of software installed on your system by
34748 keyword. For example, the following command searches for information
34749 about ``TLS'' in Info manuals:
34753 "(emacs)Network Security" -- STARTTLS
34754 "(emacs)Network Security" -- TLS
34755 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_flags
34756 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_function
34761 The command below searches for the same keyword in man pages:
34765 SSL (7) - OpenSSL SSL/TLS library
34766 certtool (1) - GnuTLS certificate tool
34770 These searches are purely local to your computer so you have the
34771 guarantee that documentation you find corresponds to what you have
34772 actually installed, you can access it off-line, and your privacy is
34775 Once you have these results, you can view the relevant documentation by
34779 $ info "(gnutls)Core TLS API"
34789 Info manuals contain sections and indices as well as hyperlinks like
34790 those found in Web pages. The @command{info} reader (@pxref{Top, Info
34791 reader,, info-stnd, Stand-alone GNU Info}) and its Emacs counterpart
34792 (@pxref{Misc Help,,, emacs, The GNU Emacs Manual}) provide intuitive key
34793 bindings to navigate manuals. @xref{Getting Started,,, info, Info: An
34794 Introduction}, for an introduction to Info navigation.
34796 @node Installing Debugging Files
34797 @chapter Installing Debugging Files
34799 @cindex debugging files
34800 Program binaries, as produced by the GCC compilers for instance, are
34801 typically written in the ELF format, with a section containing
34802 @dfn{debugging information}. Debugging information is what allows the
34803 debugger, GDB, to map binary code to source code; it is required to
34804 debug a compiled program in good conditions.
34806 This chapter explains how to use separate debug info when packages
34807 provide it, and how to rebuild packages with debug info when it's
34811 * Separate Debug Info:: Installing 'debug' outputs.
34812 * Rebuilding Debug Info:: Building missing debug info.
34815 @node Separate Debug Info
34816 @section Separate Debug Info
34818 The problem with debugging information is that is takes up a fair amount
34819 of disk space. For example, debugging information for the GNU C Library
34820 weighs in at more than 60 MiB@. Thus, as a user, keeping all the
34821 debugging info of all the installed programs is usually not an option.
34822 Yet, space savings should not come at the cost of an impediment to
34823 debugging---especially in the GNU system, which should make it easier
34824 for users to exert their computing freedom (@pxref{GNU Distribution}).
34826 Thankfully, the GNU Binary Utilities (Binutils) and GDB provide a
34827 mechanism that allows users to get the best of both worlds: debugging
34828 information can be stripped from the binaries and stored in separate
34829 files. GDB is then able to load debugging information from those files,
34830 when they are available (@pxref{Separate Debug Files,,, gdb, Debugging
34833 The GNU distribution takes advantage of this by storing debugging
34834 information in the @code{lib/debug} sub-directory of a separate package
34835 output unimaginatively called @code{debug} (@pxref{Packages with
34836 Multiple Outputs}). Users can choose to install the @code{debug} output
34837 of a package when they need it. For instance, the following command
34838 installs the debugging information for the GNU C Library and for GNU
34842 guix install glibc:debug guile:debug
34845 GDB must then be told to look for debug files in the user's profile, by
34846 setting the @code{debug-file-directory} variable (consider setting it
34847 from the @file{~/.gdbinit} file, @pxref{Startup,,, gdb, Debugging with
34851 (gdb) set debug-file-directory ~/.guix-profile/lib/debug
34854 From there on, GDB will pick up debugging information from the
34855 @file{.debug} files under @file{~/.guix-profile/lib/debug}.
34857 In addition, you will most likely want GDB to be able to show the source
34858 code being debugged. To do that, you will have to unpack the source
34859 code of the package of interest (obtained with @code{guix build
34860 --source}, @pxref{Invoking guix build}), and to point GDB to that source
34861 directory using the @code{directory} command (@pxref{Source Path,
34862 @code{directory},, gdb, Debugging with GDB}).
34864 @c XXX: keep me up-to-date
34865 The @code{debug} output mechanism in Guix is implemented by the
34866 @code{gnu-build-system} (@pxref{Build Systems}). Currently, it is
34867 opt-in---debugging information is available only for the packages with
34868 definitions explicitly declaring a @code{debug} output. To check
34869 whether a package has a @code{debug} output, use @command{guix package
34870 --list-available} (@pxref{Invoking guix package}).
34872 Read on for how to deal with packages lacking a @code{debug} output.
34874 @node Rebuilding Debug Info
34875 @section Rebuilding Debug Info
34877 @cindex debugging info, rebuilding
34878 As we saw above, some packages, but not all, provide debugging info in a
34879 @code{debug} output. What can you do when debugging info is missing?
34880 The @option{--with-debug-info} option provides a solution to that: it
34881 allows you to rebuild the package(s) for which debugging info is
34882 missing---and only those---and to graft those onto the application
34883 you're debugging. Thus, while it's not as fast as installing a
34884 @code{debug} output, it is relatively inexpensive.
34886 Let's illustrate that. Suppose you're experiencing a bug in Inkscape
34887 and would like to see what's going on in GLib, a library that's deep
34888 down in its dependency graph. As it turns out, GLib does not have a
34889 @code{debug} output and the backtrace GDB shows is all sadness:
34893 #0 0x00007ffff5f92190 in g_getenv ()
34894 from /gnu/store/@dots{}-glib-2.62.6/lib/libglib-2.0.so.0
34895 #1 0x00007ffff608a7d6 in gobject_init_ctor ()
34896 from /gnu/store/@dots{}-glib-2.62.6/lib/libgobject-2.0.so.0
34897 #2 0x00007ffff7fe275a in call_init (l=<optimized out>, argc=argc@@entry=1, argv=argv@@entry=0x7fffffffcfd8,
34898 env=env@@entry=0x7fffffffcfe8) at dl-init.c:72
34899 #3 0x00007ffff7fe2866 in call_init (env=0x7fffffffcfe8, argv=0x7fffffffcfd8, argc=1, l=<optimized out>)
34903 To address that, you install Inkscape linked against a variant GLib that
34904 contains debug info:
34907 guix install inkscape --with-debug-info=glib
34910 This time, debugging will be a whole lot nicer:
34913 $ gdb --args sh -c 'exec inkscape'
34916 Function "g_getenv" not defined.
34917 Make breakpoint pending on future shared library load? (y or [n]) y
34918 Breakpoint 1 (g_getenv) pending.
34920 Starting program: /gnu/store/@dots{}-profile/bin/sh -c exec\ inkscape
34923 #0 g_getenv (variable=variable@@entry=0x7ffff60c7a2e "GOBJECT_DEBUG") at ../glib-2.62.6/glib/genviron.c:252
34924 #1 0x00007ffff608a7d6 in gobject_init () at ../glib-2.62.6/gobject/gtype.c:4380
34925 #2 gobject_init_ctor () at ../glib-2.62.6/gobject/gtype.c:4493
34926 #3 0x00007ffff7fe275a in call_init (l=<optimized out>, argc=argc@@entry=3, argv=argv@@entry=0x7fffffffd088,
34927 env=env@@entry=0x7fffffffd0a8) at dl-init.c:72
34933 Note that there can be packages for which @option{--with-debug-info}
34934 will not have the desired effect. @xref{Package Transformation Options,
34935 @option{--with-debug-info}}, for more information.
34937 @node Security Updates
34938 @chapter Security Updates
34940 @cindex security updates
34941 @cindex security vulnerabilities
34942 Occasionally, important security vulnerabilities are discovered in software
34943 packages and must be patched. Guix developers try hard to keep track of
34944 known vulnerabilities and to apply fixes as soon as possible in the
34945 @code{master} branch of Guix (we do not yet provide a ``stable'' branch
34946 containing only security updates). The @command{guix lint} tool helps
34947 developers find out about vulnerable versions of software packages in the
34952 gnu/packages/base.scm:652:2: glibc@@2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547
34953 gnu/packages/gcc.scm:334:2: gcc@@4.9.3: probably vulnerable to CVE-2015-5276
34954 gnu/packages/image.scm:312:2: openjpeg@@2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924
34958 @xref{Invoking guix lint}, for more information.
34960 Guix follows a functional
34961 package management discipline (@pxref{Introduction}), which implies
34962 that, when a package is changed, @emph{every package that depends on it}
34963 must be rebuilt. This can significantly slow down the deployment of
34964 fixes in core packages such as libc or Bash, since basically the whole
34965 distribution would need to be rebuilt. Using pre-built binaries helps
34966 (@pxref{Substitutes}), but deployment may still take more time than
34970 To address this, Guix implements @dfn{grafts}, a mechanism that allows
34971 for fast deployment of critical updates without the costs associated
34972 with a whole-distribution rebuild. The idea is to rebuild only the
34973 package that needs to be patched, and then to ``graft'' it onto packages
34974 explicitly installed by the user and that were previously referring to
34975 the original package. The cost of grafting is typically very low, and
34976 order of magnitudes lower than a full rebuild of the dependency chain.
34978 @cindex replacements of packages, for grafts
34979 For instance, suppose a security update needs to be applied to Bash.
34980 Guix developers will provide a package definition for the ``fixed''
34981 Bash, say @code{bash-fixed}, in the usual way (@pxref{Defining
34982 Packages}). Then, the original package definition is augmented with a
34983 @code{replacement} field pointing to the package containing the bug fix:
34990 (replacement bash-fixed)))
34993 From there on, any package depending directly or indirectly on Bash---as
34994 reported by @command{guix gc --requisites} (@pxref{Invoking guix
34995 gc})---that is installed is automatically ``rewritten'' to refer to
34996 @code{bash-fixed} instead of @code{bash}. This grafting process takes
34997 time proportional to the size of the package, usually less than a
34998 minute for an ``average'' package on a recent machine. Grafting is
34999 recursive: when an indirect dependency requires grafting, then grafting
35000 ``propagates'' up to the package that the user is installing.
35002 Currently, the length of the name and version of the graft and that of
35003 the package it replaces (@code{bash-fixed} and @code{bash} in the example
35004 above) must be equal. This restriction mostly comes from the fact that
35005 grafting works by patching files, including binary files, directly.
35006 Other restrictions may apply: for instance, when adding a graft to a
35007 package providing a shared library, the original shared library and its
35008 replacement must have the same @code{SONAME} and be binary-compatible.
35010 The @option{--no-grafts} command-line option allows you to forcefully
35011 avoid grafting (@pxref{Common Build Options, @option{--no-grafts}}).
35015 guix build bash --no-grafts
35019 returns the store file name of the original Bash, whereas:
35026 returns the store file name of the ``fixed'', replacement Bash. This
35027 allows you to distinguish between the two variants of Bash.
35029 To verify which Bash your whole profile refers to, you can run
35030 (@pxref{Invoking guix gc}):
35033 guix gc -R $(readlink -f ~/.guix-profile) | grep bash
35037 @dots{} and compare the store file names that you get with those above.
35038 Likewise for a complete Guix system generation:
35041 guix gc -R $(guix system build my-config.scm) | grep bash
35044 Lastly, to check which Bash running processes are using, you can use the
35045 @command{lsof} command:
35048 lsof | grep /gnu/store/.*bash
35052 @node Bootstrapping
35053 @chapter Bootstrapping
35055 @c Adapted from the ELS 2013 paper.
35057 @cindex bootstrapping
35059 Bootstrapping in our context refers to how the distribution gets built
35060 ``from nothing''. Remember that the build environment of a derivation
35061 contains nothing but its declared inputs (@pxref{Introduction}). So
35062 there's an obvious chicken-and-egg problem: how does the first package
35063 get built? How does the first compiler get compiled?
35065 It is tempting to think of this question as one that only die-hard
35066 hackers may care about. However, while the answer to that question is
35067 technical in nature, its implications are wide-ranging. How the
35068 distribution is bootstrapped defines the extent to which we, as
35069 individuals and as a collective of users and hackers, can trust the
35070 software we run. It is a central concern from the standpoint of
35071 @emph{security} and from a @emph{user freedom} viewpoint.
35073 @cindex bootstrap binaries
35074 The GNU system is primarily made of C code, with libc at its core. The
35075 GNU build system itself assumes the availability of a Bourne shell and
35076 command-line tools provided by GNU Coreutils, Awk, Findutils, `sed', and
35077 `grep'. Furthermore, build programs---programs that run
35078 @code{./configure}, @code{make}, etc.---are written in Guile Scheme
35079 (@pxref{Derivations}). Consequently, to be able to build anything at
35080 all, from scratch, Guix relies on pre-built binaries of Guile, GCC,
35081 Binutils, libc, and the other packages mentioned above---the
35082 @dfn{bootstrap binaries}.
35084 These bootstrap binaries are ``taken for granted'', though we can also
35085 re-create them if needed (@pxref{Preparing to Use the Bootstrap
35089 * Reduced Binary Seed Bootstrap:: A Bootstrap worthy of GNU.
35090 * Preparing to Use the Bootstrap Binaries:: Building that what matters most.
35093 @node Reduced Binary Seed Bootstrap
35094 @section The Reduced Binary Seed Bootstrap
35096 Guix---like other GNU/Linux distributions---is traditionally bootstrapped from
35097 a set of bootstrap binaries: Bourne shell, command-line tools provided by GNU
35098 Coreutils, Awk, Findutils, `sed', and `grep' and Guile, GCC, Binutils, and the
35099 GNU C Library (@pxref{Bootstrapping}). Usually, these bootstrap binaries are
35100 ``taken for granted.''
35102 Taking the bootstrap binaries for granted means that we consider them to
35103 be a correct and trustworthy ``seed'' for building the complete system.
35104 Therein lies a problem: the combined size of these bootstrap binaries is
35105 about 250MB (@pxref{Bootstrappable Builds,,, mes, GNU Mes}). Auditing
35106 or even inspecting these is next to impossible.
35108 For @code{i686-linux} and @code{x86_64-linux}, Guix now features a
35109 ``Reduced Binary Seed'' bootstrap @footnote{We would like to say: ``Full
35110 Source Bootstrap'' and while we are working towards that goal it would
35111 be hyperbole to use that term for what we do now.}.
35113 The Reduced Binary Seed bootstrap removes the most critical tools---from a
35114 trust perspective---from the bootstrap binaries: GCC, Binutils and the GNU C
35115 Library are replaced by: @code{bootstrap-mescc-tools} (a tiny assembler and
35116 linker) and @code{bootstrap-mes} (a small Scheme Interpreter and a C compiler
35117 written in Scheme and the Mes C Library, built for TinyCC and for GCC).
35119 Using these new binary seeds the ``missing'' Binutils, GCC, and the GNU
35120 C Library are built from source. From here on the more traditional
35121 bootstrap process resumes. This approach has reduced the bootstrap
35122 binaries in size to about 145MB in Guix v1.1.
35124 The next step that Guix has taken is to replace the shell and all its
35125 utilities with implementations in Guile Scheme, the @emph{Scheme-only
35126 bootstrap}. Gash (@pxref{Gash,,, gash, The Gash manual}) is a
35127 POSIX-compatible shell that replaces Bash, and it comes with Gash Utils
35128 which has minimalist replacements for Awk, the GNU Core Utilities, Grep,
35129 Gzip, Sed, and Tar. The rest of the bootstrap binary seeds that were
35130 removed are now built from source.
35132 Building the GNU System from source is currently only possible by adding
35133 some historical GNU packages as intermediate steps@footnote{Packages
35134 such as @code{gcc-2.95.3}, @code{binutils-2.14}, @code{glibc-2.2.5},
35135 @code{gzip-1.2.4}, @code{tar-1.22}, and some others. For details, see
35136 @file{gnu/packages/commencement.scm}.}. As Gash and Gash Utils mature,
35137 and GNU packages become more bootstrappable again (e.g., new releases of
35138 GNU Sed will also ship as gzipped tarballs again, as alternative to the
35139 hard to bootstrap @code{xz}-compression), this set of added packages can
35140 hopefully be reduced again.
35142 The graph below shows the resulting dependency graph for
35143 @code{gcc-core-mesboot0}, the bootstrap compiler used for the
35144 traditional bootstrap of the rest of the Guix System.
35146 @c ./pre-inst-env guix graph -e '(@@ (gnu packages commencement) gcc-core-mesboot0)' | sed -re 's,((bootstrap-mescc-tools|bootstrap-mes|guile-bootstrap).*shape =) box,\1 ellipse,' > doc/images/gcc-core-mesboot0-graph.dot
35147 @image{images/gcc-core-mesboot0-graph,6in,,Dependency graph of gcc-core-mesboot0}
35149 The only significant binary bootstrap seeds that remain@footnote{
35150 Ignoring the 68KB @code{mescc-tools}; that will be removed later,
35151 together with @code{mes}.} are a Scheme interpreter and a Scheme
35152 compiler: GNU Mes and GNU Guile@footnote{Not shown in this graph are the
35153 static binaries for @file{bash}, @code{tar}, and @code{xz} that are used
35154 to get Guile running.}.
35156 This further reduction has brought down the size of the binary seed to
35157 about 60MB for @code{i686-linux} and @code{x86_64-linux}.
35159 Work is ongoing to remove all binary blobs from our free software
35160 bootstrap stack, working towards a Full Source Bootstrap. Also ongoing
35161 is work to bring these bootstraps to the @code{arm-linux} and
35162 @code{aarch64-linux} architectures and to the Hurd.
35164 If you are interested, join us on @samp{#bootstrappable} on the Freenode
35165 IRC network or discuss on @email{bug-mes@@gnu.org} or
35166 @email{gash-devel@@nongnu.org}.
35168 @node Preparing to Use the Bootstrap Binaries
35169 @section Preparing to Use the Bootstrap Binaries
35171 @c As of Emacs 24.3, Info-mode displays the image, but since it's a
35172 @c large image, it's hard to scroll. Oh well.
35173 @image{images/bootstrap-graph,6in,,Dependency graph of the early bootstrap derivations}
35175 The figure above shows the very beginning of the dependency graph of the
35176 distribution, corresponding to the package definitions of the @code{(gnu
35177 packages bootstrap)} module. A similar figure can be generated with
35178 @command{guix graph} (@pxref{Invoking guix graph}), along the lines of:
35181 guix graph -t derivation \
35182 -e '(@@@@ (gnu packages bootstrap) %bootstrap-gcc)' \
35183 | dot -Tps > gcc.ps
35186 or, for the further Reduced Binary Seed bootstrap
35189 guix graph -t derivation \
35190 -e '(@@@@ (gnu packages bootstrap) %bootstrap-mes)' \
35191 | dot -Tps > mes.ps
35194 At this level of detail, things are
35195 slightly complex. First, Guile itself consists of an ELF executable,
35196 along with many source and compiled Scheme files that are dynamically
35197 loaded when it runs. This gets stored in the @file{guile-2.0.7.tar.xz}
35198 tarball shown in this graph. This tarball is part of Guix's ``source''
35199 distribution, and gets inserted into the store with @code{add-to-store}
35200 (@pxref{The Store}).
35202 But how do we write a derivation that unpacks this tarball and adds it
35203 to the store? To solve this problem, the @code{guile-bootstrap-2.0.drv}
35204 derivation---the first one that gets built---uses @code{bash} as its
35205 builder, which runs @code{build-bootstrap-guile.sh}, which in turn calls
35206 @code{tar} to unpack the tarball. Thus, @file{bash}, @file{tar},
35207 @file{xz}, and @file{mkdir} are statically-linked binaries, also part of
35208 the Guix source distribution, whose sole purpose is to allow the Guile
35209 tarball to be unpacked.
35211 Once @code{guile-bootstrap-2.0.drv} is built, we have a functioning
35212 Guile that can be used to run subsequent build programs. Its first task
35213 is to download tarballs containing the other pre-built binaries---this
35214 is what the @file{.tar.xz.drv} derivations do. Guix modules such as
35215 @code{ftp-client.scm} are used for this purpose. The
35216 @code{module-import.drv} derivations import those modules in a directory
35217 in the store, using the original layout. The
35218 @code{module-import-compiled.drv} derivations compile those modules, and
35219 write them in an output directory with the right layout. This
35220 corresponds to the @code{#:modules} argument of
35221 @code{build-expression->derivation} (@pxref{Derivations}).
35223 Finally, the various tarballs are unpacked by the derivations
35224 @code{gcc-bootstrap-0.drv}, @code{glibc-bootstrap-0.drv}, or
35225 @code{bootstrap-mes-0.drv} and @code{bootstrap-mescc-tools-0.drv}, at which
35226 point we have a working C tool chain.
35228 @unnumberedsec Building the Build Tools
35230 Bootstrapping is complete when we have a full tool chain that does not
35231 depend on the pre-built bootstrap tools discussed above. This
35232 no-dependency requirement is verified by checking whether the files of
35233 the final tool chain contain references to the @file{/gnu/store}
35234 directories of the bootstrap inputs. The process that leads to this
35235 ``final'' tool chain is described by the package definitions found in
35236 the @code{(gnu packages commencement)} module.
35238 The @command{guix graph} command allows us to ``zoom out'' compared to
35239 the graph above, by looking at the level of package objects instead of
35240 individual derivations---remember that a package may translate to
35241 several derivations, typically one derivation to download its source,
35242 one to build the Guile modules it needs, and one to actually build the
35243 package from source. The command:
35246 guix graph -t bag \
35247 -e '(@@@@ (gnu packages commencement)
35248 glibc-final-with-bootstrap-bash)' | xdot -
35252 displays the dependency graph leading to the ``final'' C
35253 library@footnote{You may notice the @code{glibc-intermediate} label,
35254 suggesting that it is not @emph{quite} final, but as a good
35255 approximation, we will consider it final.}, depicted below.
35257 @image{images/bootstrap-packages,6in,,Dependency graph of the early packages}
35259 @c See <https://lists.gnu.org/archive/html/gnu-system-discuss/2012-10/msg00000.html>.
35260 The first tool that gets built with the bootstrap binaries is
35261 GNU@tie{}Make---noted @code{make-boot0} above---which is a prerequisite
35262 for all the following packages. From there Findutils and Diffutils get
35265 Then come the first-stage Binutils and GCC, built as pseudo cross
35266 tools---i.e., with @option{--target} equal to @option{--host}. They are
35267 used to build libc. Thanks to this cross-build trick, this libc is
35268 guaranteed not to hold any reference to the initial tool chain.
35270 From there the final Binutils and GCC (not shown above) are built. GCC
35271 uses @command{ld} from the final Binutils, and links programs against
35272 the just-built libc. This tool chain is used to build the other
35273 packages used by Guix and by the GNU Build System: Guile, Bash,
35276 And voilà! At this point we have the complete set of build tools that
35277 the GNU Build System expects. These are in the @code{%final-inputs}
35278 variable of the @code{(gnu packages commencement)} module, and are
35279 implicitly used by any package that uses @code{gnu-build-system}
35280 (@pxref{Build Systems, @code{gnu-build-system}}).
35283 @unnumberedsec Building the Bootstrap Binaries
35285 @cindex bootstrap binaries
35286 Because the final tool chain does not depend on the bootstrap binaries,
35287 those rarely need to be updated. Nevertheless, it is useful to have an
35288 automated way to produce them, should an update occur, and this is what
35289 the @code{(gnu packages make-bootstrap)} module provides.
35291 The following command builds the tarballs containing the bootstrap binaries
35292 (Binutils, GCC, glibc, for the traditional bootstrap and linux-libre-headers,
35293 bootstrap-mescc-tools, bootstrap-mes for the Reduced Binary Seed bootstrap,
35294 and Guile, and a tarball containing a mixture of Coreutils and other basic
35295 command-line tools):
35298 guix build bootstrap-tarballs
35301 The generated tarballs are those that should be referred to in the
35302 @code{(gnu packages bootstrap)} module mentioned at the beginning of
35305 Still here? Then perhaps by now you've started to wonder: when do we
35306 reach a fixed point? That is an interesting question! The answer is
35307 unknown, but if you would like to investigate further (and have
35308 significant computational and storage resources to do so), then let us
35311 @unnumberedsec Reducing the Set of Bootstrap Binaries
35313 Our traditional bootstrap includes GCC, GNU Libc, Guile, etc. That's a lot of
35314 binary code! Why is that a problem? It's a problem because these big chunks
35315 of binary code are practically non-auditable, which makes it hard to establish
35316 what source code produced them. Every unauditable binary also leaves us
35317 vulnerable to compiler backdoors as described by Ken Thompson in the 1984
35318 paper @emph{Reflections on Trusting Trust}.
35320 This is mitigated by the fact that our bootstrap binaries were generated
35321 from an earlier Guix revision. Nevertheless it lacks the level of
35322 transparency that we get in the rest of the package dependency graph,
35323 where Guix always gives us a source-to-binary mapping. Thus, our goal
35324 is to reduce the set of bootstrap binaries to the bare minimum.
35326 The @uref{https://bootstrappable.org, Bootstrappable.org web site} lists
35327 on-going projects to do that. One of these is about replacing the
35328 bootstrap GCC with a sequence of assemblers, interpreters, and compilers
35329 of increasing complexity, which could be built from source starting from
35330 a simple and auditable assembler.
35332 Our first major achievement is the replacement of of GCC, the GNU C Library
35333 and Binutils by MesCC-Tools (a simple hex linker and macro assembler) and Mes
35334 (@pxref{Top, GNU Mes Reference Manual,, mes, GNU Mes}, a Scheme interpreter
35335 and C compiler in Scheme). Neither MesCC-Tools nor Mes can be fully
35336 bootstrapped yet and thus we inject them as binary seeds. We call this the
35337 Reduced Binary Seed bootstrap, as it has halved the size of our bootstrap
35338 binaries! Also, it has eliminated the C compiler binary; i686-linux and
35339 x86_64-linux Guix packages are now bootstrapped without any binary C compiler.
35341 Work is ongoing to make MesCC-Tools and Mes fully bootstrappable and we are
35342 also looking at any other bootstrap binaries. Your help is welcome!
35345 @chapter Porting to a New Platform
35347 As discussed above, the GNU distribution is self-contained, and
35348 self-containment is achieved by relying on pre-built ``bootstrap
35349 binaries'' (@pxref{Bootstrapping}). These binaries are specific to an
35350 operating system kernel, CPU architecture, and application binary
35351 interface (ABI). Thus, to port the distribution to a platform that is
35352 not yet supported, one must build those bootstrap binaries, and update
35353 the @code{(gnu packages bootstrap)} module to use them on that platform.
35355 Fortunately, Guix can @emph{cross compile} those bootstrap binaries.
35356 When everything goes well, and assuming the GNU tool chain supports the
35357 target platform, this can be as simple as running a command like this
35361 guix build --target=armv5tel-linux-gnueabi bootstrap-tarballs
35364 For this to work, the @code{glibc-dynamic-linker} procedure in
35365 @code{(gnu packages bootstrap)} must be augmented to return the right
35366 file name for libc's dynamic linker on that platform; likewise,
35367 @code{system->linux-architecture} in @code{(gnu packages linux)} must be
35368 taught about the new platform.
35370 Once these are built, the @code{(gnu packages bootstrap)} module needs
35371 to be updated to refer to these binaries on the target platform. That
35372 is, the hashes and URLs of the bootstrap tarballs for the new platform
35373 must be added alongside those of the currently supported platforms. The
35374 bootstrap Guile tarball is treated specially: it is expected to be
35375 available locally, and @file{gnu/local.mk} has rules to download it for
35376 the supported architectures; a rule for the new platform must be added
35379 In practice, there may be some complications. First, it may be that the
35380 extended GNU triplet that specifies an ABI (like the @code{eabi} suffix
35381 above) is not recognized by all the GNU tools. Typically, glibc
35382 recognizes some of these, whereas GCC uses an extra @option{--with-abi}
35383 configure flag (see @code{gcc.scm} for examples of how to handle this).
35384 Second, some of the required packages could fail to build for that
35385 platform. Lastly, the generated binaries could be broken for some
35388 @c *********************************************************************
35389 @include contributing.texi
35391 @c *********************************************************************
35392 @node Acknowledgments
35393 @chapter Acknowledgments
35395 Guix is based on the @uref{https://nixos.org/nix/, Nix package manager},
35396 which was designed and
35397 implemented by Eelco Dolstra, with contributions from other people (see
35398 the @file{nix/AUTHORS} file in Guix). Nix pioneered functional package
35399 management, and promoted unprecedented features, such as transactional
35400 package upgrades and rollbacks, per-user profiles, and referentially
35401 transparent build processes. Without this work, Guix would not exist.
35403 The Nix-based software distributions, Nixpkgs and NixOS, have also been
35404 an inspiration for Guix.
35406 GNU@tie{}Guix itself is a collective work with contributions from a
35407 number of people. See the @file{AUTHORS} file in Guix for more
35408 information on these fine people. The @file{THANKS} file lists people
35409 who have helped by reporting bugs, taking care of the infrastructure,
35410 providing artwork and themes, making suggestions, and more---thank you!
35413 @c *********************************************************************
35414 @node GNU Free Documentation License
35415 @appendix GNU Free Documentation License
35416 @cindex license, GNU Free Documentation License
35417 @include fdl-1.3.texi
35419 @c *********************************************************************
35420 @node Concept Index
35421 @unnumbered Concept Index
35424 @node Programming Index
35425 @unnumbered Programming Index
35426 @syncodeindex tp fn
35427 @syncodeindex vr fn
35432 @c Local Variables:
35433 @c ispell-local-dictionary: "american";