6 @documentencoding UTF-8
7 @settitle GNU Guix Reference Manual
12 @c Identifier of the OpenPGP key used to sign tarballs and such.
13 @set OPENPGP-SIGNING-KEY-ID 27D586A4F8900854329FF09F1260E46482E63562
14 @set OPENPGP-SIGNING-KEY-URL https://sv.gnu.org/people/viewgpg.php?user_id=127547
16 @c Base URL for downloads.
17 @set BASE-URL https://ftp.gnu.org/gnu/guix
19 @c The official substitute server used by default.
20 @set SUBSTITUTE-SERVER-1 ci.guix.gnu.org
21 @set SUBSTITUTE-SERVER-2 bordeaux.guix.gnu.org
22 @set SUBSTITUTE-URLS https://@value{SUBSTITUTE-SERVER-1} https://@value{SUBSTITUTE-SERVER-2}
25 Copyright @copyright{} 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès@*
26 Copyright @copyright{} 2013, 2014, 2016 Andreas Enge@*
27 Copyright @copyright{} 2013 Nikita Karetnikov@*
28 Copyright @copyright{} 2014, 2015, 2016 Alex Kost@*
29 Copyright @copyright{} 2015, 2016 Mathieu Lirzin@*
30 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
31 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
32 Copyright @copyright{} 2015, 2016, 2017, 2019, 2020, 2021 Leo Famulari@*
33 Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020 Ricardo Wurmus@*
34 Copyright @copyright{} 2016 Ben Woodcroft@*
35 Copyright @copyright{} 2016, 2017, 2018, 2021 Chris Marusich@*
36 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Efraim Flashner@*
37 Copyright @copyright{} 2016 John Darrington@*
38 Copyright @copyright{} 2016, 2017 Nikita Gillmann@*
39 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020 Jan Nieuwenhuizen@*
40 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Julien Lepiller@*
41 Copyright @copyright{} 2016 Alex ter Weele@*
42 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Christopher Baines@*
43 Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
44 Copyright @copyright{} 2017, 2018, 2020, 2021 Mathieu Othacehe@*
45 Copyright @copyright{} 2017 Federico Beffa@*
46 Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
47 Copyright @copyright{} 2017 Thomas Danckaert@*
48 Copyright @copyright{} 2017 humanitiesNerd@*
49 Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
50 Copyright @copyright{} 2017, 2018, 2019, 2020 Marius Bakke@*
51 Copyright @copyright{} 2017, 2019, 2020 Hartmut Goebel@*
52 Copyright @copyright{} 2017, 2019, 2020, 2021 Maxim Cournoyer@*
53 Copyright @copyright{} 2017, 2018, 2019, 2020, 2021 Tobias Geerinckx-Rice@*
54 Copyright @copyright{} 2017 George Clemmer@*
55 Copyright @copyright{} 2017 Andy Wingo@*
56 Copyright @copyright{} 2017, 2018, 2019, 2020 Arun Isaac@*
57 Copyright @copyright{} 2017 nee@*
58 Copyright @copyright{} 2018 Rutger Helling@*
59 Copyright @copyright{} 2018, 2021 Oleg Pykhalov@*
60 Copyright @copyright{} 2018 Mike Gerwitz@*
61 Copyright @copyright{} 2018 Pierre-Antoine Rouby@*
62 Copyright @copyright{} 2018, 2019 Gábor Boskovits@*
63 Copyright @copyright{} 2018, 2019, 2020 Florian Pelz@*
64 Copyright @copyright{} 2018 Laura Lazzati@*
65 Copyright @copyright{} 2018 Alex Vong@*
66 Copyright @copyright{} 2019 Josh Holland@*
67 Copyright @copyright{} 2019, 2020 Diego Nicola Barbato@*
68 Copyright @copyright{} 2019 Ivan Petkov@*
69 Copyright @copyright{} 2019 Jakob L. Kreuze@*
70 Copyright @copyright{} 2019 Kyle Andrews@*
71 Copyright @copyright{} 2019 Alex Griffin@*
72 Copyright @copyright{} 2019, 2020, 2021 Guillaume Le Vaillant@*
73 Copyright @copyright{} 2020 Leo Prikler@*
74 Copyright @copyright{} 2019, 2020 Simon Tournier@*
75 Copyright @copyright{} 2020 Wiktor Żelazny@*
76 Copyright @copyright{} 2020 Damien Cassou@*
77 Copyright @copyright{} 2020 Jakub Kądziołka@*
78 Copyright @copyright{} 2020 Jack Hill@*
79 Copyright @copyright{} 2020 Naga Malleswari@*
80 Copyright @copyright{} 2020, 2021 Brice Waegeneire@*
81 Copyright @copyright{} 2020 R Veera Kumar@*
82 Copyright @copyright{} 2020 Pierre Langlois@*
83 Copyright @copyright{} 2020 pinoaffe@*
84 Copyright @copyright{} 2020 André Batista@*
85 Copyright @copyright{} 2020, 2021 Alexandru-Sergiu Marton@*
86 Copyright @copyright{} 2020 raingloom@*
87 Copyright @copyright{} 2020 Daniel Brooks@*
88 Copyright @copyright{} 2020 John Soo@*
89 Copyright @copyright{} 2020 Jonathan Brielmaier@*
90 Copyright @copyright{} 2020 Edgar Vincent@*
91 Copyright @copyright{} 2021 Maxime Devos@*
92 Copyright @copyright{} 2021 B. Wilson@*
93 Copyright @copyright{} 2021 Xinglu Chen@*
94 Copyright @copyright{} 2021 Raghav Gururajan@*
95 Copyright @copyright{} 2021 Domagoj Stolfa@*
96 Copyright @copyright{} 2021 Hui Lu@*
97 Copyright @copyright{} 2021 pukkamustard@*
98 Copyright @copyright{} 2021 Alice Brenon@*
100 Permission is granted to copy, distribute and/or modify this document
101 under the terms of the GNU Free Documentation License, Version 1.3 or
102 any later version published by the Free Software Foundation; with no
103 Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
104 copy of the license is included in the section entitled ``GNU Free
105 Documentation License''.
108 @dircategory System administration
110 * Guix: (guix). Manage installed software and system configuration.
111 * guix package: (guix)Invoking guix package. Installing, removing, and upgrading packages.
112 * guix gc: (guix)Invoking guix gc. Reclaiming unused disk space.
113 * guix pull: (guix)Invoking guix pull. Update the list of available packages.
114 * guix system: (guix)Invoking guix system. Manage the operating system configuration.
115 * guix deploy: (guix)Invoking guix deploy. Manage operating system configurations for remote hosts.
118 @dircategory Software development
120 * guix environment: (guix)Invoking guix environment. Building development environments with Guix.
121 * guix build: (guix)Invoking guix build. Building packages.
122 * guix pack: (guix)Invoking guix pack. Creating binary bundles.
126 @title GNU Guix Reference Manual
127 @subtitle Using the GNU Guix Functional Package Manager
128 @author The GNU Guix Developers
131 @vskip 0pt plus 1filll
132 Edition @value{EDITION} @*
140 @c *********************************************************************
144 This document describes GNU Guix version @value{VERSION}, a functional
145 package management tool written for the GNU system.
147 @c TRANSLATORS: You can replace the following paragraph with information on
148 @c how to join your own translation team and how to report issues with the
150 This manual is also available in Simplified Chinese (@pxref{Top,,, guix.zh_CN,
151 GNU Guix参考手册}), French (@pxref{Top,,, guix.fr, Manuel de référence de GNU
152 Guix}), German (@pxref{Top,,, guix.de, Referenzhandbuch zu GNU Guix}),
153 Spanish (@pxref{Top,,, guix.es, Manual de referencia de GNU Guix}), and
154 Russian (@pxref{Top,,, guix.ru, Руководство GNU Guix}). If you
155 would like to translate it in your native language, consider joining
156 @uref{https://translate.fedoraproject.org/projects/guix/documentation-manual,
157 Weblate} (@pxref{Translating Guix}).
160 * Introduction:: What is Guix about?
161 * Installation:: Installing Guix.
162 * System Installation:: Installing the whole operating system.
163 * Getting Started:: Your first steps.
164 * Package Management:: Package installation, upgrade, etc.
165 * Channels:: Customizing the package collection.
166 * Development:: Guix-aided software development.
167 * Programming Interface:: Using Guix in Scheme.
168 * Utilities:: Package management commands.
169 * System Configuration:: Configuring the operating system.
170 * Documentation:: Browsing software user manuals.
171 * Installing Debugging Files:: Feeding the debugger.
172 * Security Updates:: Deploying security fixes quickly.
173 * Bootstrapping:: GNU/Linux built from scratch.
174 * Porting:: Targeting another platform or kernel.
175 * Contributing:: Your help needed!
177 * Acknowledgments:: Thanks!
178 * GNU Free Documentation License:: The license of this manual.
179 * Concept Index:: Concepts.
180 * Programming Index:: Data types, functions, and variables.
183 --- The Detailed Node Listing ---
187 * Managing Software the Guix Way:: What's special.
188 * GNU Distribution:: The packages and tools.
192 * Binary Installation:: Getting Guix running in no time!
193 * Requirements:: Software needed to build and run Guix.
194 * Running the Test Suite:: Testing Guix.
195 * Setting Up the Daemon:: Preparing the build daemon's environment.
196 * Invoking guix-daemon:: Running the build daemon.
197 * Application Setup:: Application-specific setup.
198 * Upgrading Guix:: Upgrading Guix and its build daemon.
200 Setting Up the Daemon
202 * Build Environment Setup:: Preparing the isolated build environment.
203 * Daemon Offload Setup:: Offloading builds to remote machines.
204 * SELinux Support:: Using an SELinux policy for the daemon.
208 * Limitations:: What you can expect.
209 * Hardware Considerations:: Supported hardware.
210 * USB Stick and DVD Installation:: Preparing the installation medium.
211 * Preparing for Installation:: Networking, partitioning, etc.
212 * Guided Graphical Installation:: Easy graphical installation.
213 * Manual Installation:: Manual installation for wizards.
214 * After System Installation:: When installation succeeded.
215 * Installing Guix in a VM:: Guix System playground.
216 * Building the Installation Image:: How this comes to be.
220 * Keyboard Layout and Networking and Partitioning:: Initial setup.
221 * Proceeding with the Installation:: Installing.
225 * Features:: How Guix will make your life brighter.
226 * Invoking guix package:: Package installation, removal, etc.
227 * Substitutes:: Downloading pre-built binaries.
228 * Packages with Multiple Outputs:: Single source package, multiple outputs.
229 * Invoking guix gc:: Running the garbage collector.
230 * Invoking guix pull:: Fetching the latest Guix and distribution.
231 * Invoking guix time-machine:: Running an older revision of Guix.
232 * Inferiors:: Interacting with another revision of Guix.
233 * Invoking guix describe:: Display information about your Guix revision.
234 * Invoking guix archive:: Exporting and importing store files.
238 * Official Substitute Servers:: One particular source of substitutes.
239 * Substitute Server Authorization:: How to enable or disable substitutes.
240 * Getting Substitutes from Other Servers:: Substitute diversity.
241 * Substitute Authentication:: How Guix verifies substitutes.
242 * Proxy Settings:: How to get substitutes via proxy.
243 * Substitution Failure:: What happens when substitution fails.
244 * On Trusting Binaries:: How can you trust that binary blob?
248 * Specifying Additional Channels:: Extending the package collection.
249 * Using a Custom Guix Channel:: Using a customized Guix.
250 * Replicating Guix:: Running the @emph{exact same} Guix.
251 * Channel Authentication:: How Guix verifies what it fetches.
252 * Channels with Substitutes:: Using channels with available substitutes.
253 * Creating a Channel:: How to write your custom channel.
254 * Package Modules in a Sub-directory:: Specifying the channel's package modules location.
255 * Declaring Channel Dependencies:: How to depend on other channels.
256 * Specifying Channel Authorizations:: Defining channel authors authorizations.
257 * Primary URL:: Distinguishing mirror to original.
258 * Writing Channel News:: Communicating information to channel's users.
262 * Invoking guix environment:: Setting up development environments.
263 * Invoking guix pack:: Creating software bundles.
264 * The GCC toolchain:: Working with languages supported by GCC.
265 * Invoking guix git authenticate:: Authenticating Git repositories.
267 Programming Interface
269 * Package Modules:: Packages from the programmer's viewpoint.
270 * Defining Packages:: Defining new packages.
271 * Defining Package Variants:: Customizing packages.
272 * Build Systems:: Specifying how packages are built.
273 * Build Phases:: Phases of the build process of a package.
274 * Build Utilities:: Helpers for your package definitions and more.
275 * The Store:: Manipulating the package store.
276 * Derivations:: Low-level interface to package derivations.
277 * The Store Monad:: Purely functional interface to the store.
278 * G-Expressions:: Manipulating build expressions.
279 * Invoking guix repl:: Programming Guix in Guile.
283 * package Reference:: The package data type.
284 * origin Reference:: The origin data type.
288 * Invoking guix build:: Building packages from the command line.
289 * Invoking guix edit:: Editing package definitions.
290 * Invoking guix download:: Downloading a file and printing its hash.
291 * Invoking guix hash:: Computing the cryptographic hash of a file.
292 * Invoking guix import:: Importing package definitions.
293 * Invoking guix refresh:: Updating package definitions.
294 * Invoking guix lint:: Finding errors in package definitions.
295 * Invoking guix size:: Profiling disk usage.
296 * Invoking guix graph:: Visualizing the graph of packages.
297 * Invoking guix publish:: Sharing substitutes.
298 * Invoking guix challenge:: Challenging substitute servers.
299 * Invoking guix copy:: Copying to and from a remote store.
300 * Invoking guix container:: Process isolation.
301 * Invoking guix weather:: Assessing substitute availability.
302 * Invoking guix processes:: Listing client processes.
304 Invoking @command{guix build}
306 * Common Build Options:: Build options for most commands.
307 * Package Transformation Options:: Creating variants of packages.
308 * Additional Build Options:: Options specific to 'guix build'.
309 * Debugging Build Failures:: Real life packaging experience.
313 * Using the Configuration System:: Customizing your GNU system.
314 * operating-system Reference:: Detail of operating-system declarations.
315 * File Systems:: Configuring file system mounts.
316 * Mapped Devices:: Block device extra processing.
317 * User Accounts:: Specifying user accounts.
318 * Keyboard Layout:: How the system interprets key strokes.
319 * Locales:: Language and cultural convention settings.
320 * Services:: Specifying system services.
321 * Setuid Programs:: Programs running with root privileges.
322 * X.509 Certificates:: Authenticating HTTPS servers.
323 * Name Service Switch:: Configuring libc's name service switch.
324 * Initial RAM Disk:: Linux-Libre bootstrapping.
325 * Bootloader Configuration:: Configuring the boot loader.
326 * Invoking guix system:: Instantiating a system configuration.
327 * Invoking guix deploy:: Deploying a system configuration to a remote host.
328 * Running Guix in a VM:: How to run Guix System in a virtual machine.
329 * Defining Services:: Adding new service definitions.
333 * Base Services:: Essential system services.
334 * Scheduled Job Execution:: The mcron service.
335 * Log Rotation:: The rottlog service.
336 * Networking Services:: Network setup, SSH daemon, etc.
337 * Unattended Upgrades:: Automated system upgrades.
338 * X Window:: Graphical display.
339 * Printing Services:: Local and remote printer support.
340 * Desktop Services:: D-Bus and desktop services.
341 * Sound Services:: ALSA and Pulseaudio services.
342 * Database Services:: SQL databases, key-value stores, etc.
343 * Mail Services:: IMAP, POP3, SMTP, and all that.
344 * Messaging Services:: Messaging services.
345 * Telephony Services:: Telephony services.
346 * Monitoring Services:: Monitoring services.
347 * Kerberos Services:: Kerberos services.
348 * LDAP Services:: LDAP services.
349 * Web Services:: Web servers.
350 * Certificate Services:: TLS certificates via Let's Encrypt.
351 * DNS Services:: DNS daemons.
352 * VPN Services:: VPN daemons.
353 * Network File System:: NFS related services.
354 * Continuous Integration:: Cuirass and Laminar services.
355 * Power Management Services:: Extending battery life.
356 * Audio Services:: The MPD.
357 * Virtualization Services:: Virtualization services.
358 * Version Control Services:: Providing remote access to Git repositories.
359 * Game Services:: Game servers.
360 * PAM Mount Service:: Service to mount volumes when logging in.
361 * Guix Services:: Services relating specifically to Guix.
362 * Linux Services:: Services tied to the Linux kernel.
363 * Hurd Services:: Services specific for a Hurd System.
364 * Miscellaneous Services:: Other services.
368 * Service Composition:: The model for composing services.
369 * Service Types and Services:: Types and services.
370 * Service Reference:: API reference.
371 * Shepherd Services:: A particular type of service.
373 Installing Debugging Files
375 * Separate Debug Info:: Installing 'debug' outputs.
376 * Rebuilding Debug Info:: Building missing debug info.
380 * Reduced Binary Seed Bootstrap:: A Bootstrap worthy of GNU.
381 * Preparing to Use the Bootstrap Binaries:: Building that what matters most.
386 @c *********************************************************************
388 @chapter Introduction
391 GNU Guix@footnote{``Guix'' is pronounced like ``geeks'', or ``ɡiːks''
392 using the international phonetic alphabet (IPA).} is a package
393 management tool for and distribution of the GNU system.
394 Guix makes it easy for unprivileged
395 users to install, upgrade, or remove software packages, to roll back to a
396 previous package set, to build packages from source, and generally
397 assists with the creation and maintenance of software environments.
400 @cindex GuixSD, now Guix System
401 @cindex Guix System Distribution, now Guix System
402 You can install GNU@tie{}Guix on top of an existing GNU/Linux system where it
403 complements the available tools without interference (@pxref{Installation}),
404 or you can use it as a standalone operating system distribution,
405 @dfn{Guix@tie{}System}@footnote{We used to refer to Guix System as ``Guix
406 System Distribution'' or ``GuixSD''. We now consider it makes more sense to
407 group everything under the ``Guix'' banner since, after all, Guix System is
408 readily available through the @command{guix system} command, even if you're
409 using a different distro underneath!}. @xref{GNU Distribution}.
412 * Managing Software the Guix Way:: What's special.
413 * GNU Distribution:: The packages and tools.
416 @node Managing Software the Guix Way
417 @section Managing Software the Guix Way
419 @cindex user interfaces
420 Guix provides a command-line package management interface
421 (@pxref{Package Management}), tools to help with software development
422 (@pxref{Development}), command-line utilities for more advanced usage
423 (@pxref{Utilities}), as well as Scheme programming interfaces
424 (@pxref{Programming Interface}).
426 Its @dfn{build daemon} is responsible for building packages on behalf of
427 users (@pxref{Setting Up the Daemon}) and for downloading pre-built
428 binaries from authorized sources (@pxref{Substitutes}).
430 @cindex extensibility of the distribution
431 @cindex customization, of packages
432 Guix includes package definitions for many GNU and non-GNU packages, all
433 of which @uref{https://www.gnu.org/philosophy/free-sw.html, respect the
434 user's computing freedom}. It is @emph{extensible}: users can write
435 their own package definitions (@pxref{Defining Packages}) and make them
436 available as independent package modules (@pxref{Package Modules}). It
437 is also @emph{customizable}: users can @emph{derive} specialized package
438 definitions from existing ones, including from the command line
439 (@pxref{Package Transformation Options}).
441 @cindex functional package management
443 Under the hood, Guix implements the @dfn{functional package management}
444 discipline pioneered by Nix (@pxref{Acknowledgments}).
445 In Guix, the package build and installation process is seen
446 as a @emph{function}, in the mathematical sense. That function takes inputs,
447 such as build scripts, a compiler, and libraries, and
448 returns an installed package. As a pure function, its result depends
449 solely on its inputs---for instance, it cannot refer to software or
450 scripts that were not explicitly passed as inputs. A build function
451 always produces the same result when passed a given set of inputs. It
452 cannot alter the environment of the running system in
453 any way; for instance, it cannot create, modify, or delete files outside
454 of its build and installation directories. This is achieved by running
455 build processes in isolated environments (or @dfn{containers}), where only their
456 explicit inputs are visible.
459 The result of package build functions is @dfn{cached} in the file
460 system, in a special directory called @dfn{the store} (@pxref{The
461 Store}). Each package is installed in a directory of its own in the
462 store---by default under @file{/gnu/store}. The directory name contains
463 a hash of all the inputs used to build that package; thus, changing an
464 input yields a different directory name.
466 This approach is the foundation for the salient features of Guix: support
467 for transactional package upgrade and rollback, per-user installation, and
468 garbage collection of packages (@pxref{Features}).
471 @node GNU Distribution
472 @section GNU Distribution
475 Guix comes with a distribution of the GNU system consisting entirely of
476 free software@footnote{The term ``free'' here refers to the
477 @url{https://www.gnu.org/philosophy/free-sw.html,freedom provided to
478 users of that software}.}. The
479 distribution can be installed on its own (@pxref{System Installation}),
480 but it is also possible to install Guix as a package manager on top of
481 an installed GNU/Linux system (@pxref{Installation}). When we need to
482 distinguish between the two, we refer to the standalone distribution as
485 The distribution provides core GNU packages such as GNU libc, GCC, and
486 Binutils, as well as many GNU and non-GNU applications. The complete
487 list of available packages can be browsed
488 @url{https://www.gnu.org/software/guix/packages,on-line} or by
489 running @command{guix package} (@pxref{Invoking guix package}):
492 guix package --list-available
495 Our goal is to provide a practical 100% free software distribution of
496 Linux-based and other variants of GNU, with a focus on the promotion and
497 tight integration of GNU components, and an emphasis on programs and
498 tools that help users exert that freedom.
500 Packages are currently available on the following platforms:
505 Intel/AMD @code{x86_64} architecture, Linux-Libre kernel.
508 Intel 32-bit architecture (IA32), Linux-Libre kernel.
511 ARMv7-A architecture with hard float, Thumb-2 and NEON,
512 using the EABI hard-float application binary interface (ABI),
513 and Linux-Libre kernel.
516 little-endian 64-bit ARMv8-A processors, Linux-Libre kernel.
519 @uref{https://hurd.gnu.org, GNU/Hurd} on the Intel 32-bit architecture
522 This configuration is experimental and under development. The easiest
523 way for you to give it a try is by setting up an instance of
524 @code{hurd-vm-service-type} on your GNU/Linux machine
525 (@pxref{transparent-emulation-qemu, @code{hurd-vm-service-type}}).
526 @xref{Contributing}, on how to help!
528 @item mips64el-linux (deprecated)
529 little-endian 64-bit MIPS processors, specifically the Loongson series,
530 n32 ABI, and Linux-Libre kernel. This configuration is no longer fully
531 supported; in particular, there is no ongoing work to ensure that this
532 architecture still works. Should someone decide they wish to revive this
533 architecture then the code is still available.
535 @item powerpc64le-linux
536 little-endian 64-bit Power ISA processors, Linux-Libre kernel. This
537 includes POWER9 systems such as the
538 @uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom,
539 RYF Talos II mainboard}. This platform is available as a "technology
540 preview": although it is supported, substitutes are not yet available
541 from the build farm (@pxref{Substitutes}), and some packages may fail to
542 build (@pxref{Tracking Bugs and Patches}). That said, the Guix
543 community is actively working on improving this support, and now is a
544 great time to try it and get involved!
548 With Guix@tie{}System, you @emph{declare} all aspects of the operating system
549 configuration and Guix takes care of instantiating the configuration in a
550 transactional, reproducible, and stateless fashion (@pxref{System
551 Configuration}). Guix System uses the Linux-libre kernel, the Shepherd
552 initialization system (@pxref{Introduction,,, shepherd, The GNU Shepherd
553 Manual}), the well-known GNU utilities and tool chain, as well as the
554 graphical environment or system services of your choice.
556 Guix System is available on all the above platforms except
557 @code{mips64el-linux} and @code{powerpc64le-linux}.
560 For information on porting to other architectures or kernels,
563 Building this distribution is a cooperative effort, and you are invited
564 to join! @xref{Contributing}, for information about how you can help.
567 @c *********************************************************************
569 @chapter Installation
571 @cindex installing Guix
574 We recommend the use of this
575 @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh,
576 shell installer script} to install Guix on top of a running GNU/Linux system,
577 thereafter called a @dfn{foreign distro}.@footnote{This section is concerned
578 with the installation of the package manager, which can be done on top of a
579 running GNU/Linux system. If, instead, you want to install the complete GNU
580 operating system, @pxref{System Installation}.} The script automates the
581 download, installation, and initial configuration of Guix. It should be run
585 @cindex foreign distro
586 @cindex directories related to foreign distro
587 When installed on a foreign distro, GNU@tie{}Guix complements the available
588 tools without interference. Its data lives exclusively in two directories,
589 usually @file{/gnu/store} and @file{/var/guix}; other files on your system,
590 such as @file{/etc}, are left untouched.
592 Once installed, Guix can be updated by running @command{guix pull}
593 (@pxref{Invoking guix pull}).
595 If you prefer to perform the installation steps manually or want to tweak
596 them, you may find the following subsections useful. They describe the
597 software requirements of Guix, as well as how to install it manually and get
601 * Binary Installation:: Getting Guix running in no time!
602 * Requirements:: Software needed to build and run Guix.
603 * Running the Test Suite:: Testing Guix.
604 * Setting Up the Daemon:: Preparing the build daemon's environment.
605 * Invoking guix-daemon:: Running the build daemon.
606 * Application Setup:: Application-specific setup.
607 * Upgrading Guix:: Upgrading Guix and its build daemon.
610 @node Binary Installation
611 @section Binary Installation
613 @cindex installing Guix from binaries
614 @cindex installer script
615 This section describes how to install Guix on an arbitrary system from a
616 self-contained tarball providing binaries for Guix and for all its
617 dependencies. This is often quicker than installing from source, which
618 is described in the next sections. The only requirement is to have
621 @c Note duplicated from the ``Installation'' node.
623 We recommend the use of this
624 @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh,
625 shell installer script}. The script automates the download, installation, and
626 initial configuration steps described below. It should be run as the root
627 user. As root, you can thus run this:
631 wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
632 chmod +x guix-install.sh
636 When you're done, @pxref{Application Setup} for extra configuration you
637 might need, and @ref{Getting Started} for your first steps!
640 Installing goes along these lines:
644 @cindex downloading Guix binary
645 Download the binary tarball from
646 @indicateurl{@value{BASE-URL}/guix-binary-@value{VERSION}.x86_64-linux.tar.xz},
647 where @code{x86_64-linux} can be replaced with @code{i686-linux} for an
648 @code{i686} (32-bits) machine already running the kernel Linux, and so on
649 (@pxref{GNU Distribution}).
651 @c The following is somewhat duplicated in ``System Installation''.
652 Make sure to download the associated @file{.sig} file and to verify the
653 authenticity of the tarball against it, along these lines:
656 $ wget @value{BASE-URL}/guix-binary-@value{VERSION}.x86_64-linux.tar.xz.sig
657 $ gpg --verify guix-binary-@value{VERSION}.x86_64-linux.tar.xz.sig
660 If that command fails because you do not have the required public key,
661 then run this command to import it:
664 $ wget '@value{OPENPGP-SIGNING-KEY-URL}' \
665 -qO - | gpg --import -
669 and rerun the @code{gpg --verify} command.
671 Take note that a warning like ``This key is not certified with a trusted
672 signature!'' is normal.
674 @c end authentication part
677 Now, you need to become the @code{root} user. Depending on your distribution,
678 you may have to run @code{su -} or @code{sudo -i}. As @code{root}, run:
682 # tar --warning=no-timestamp -xf \
683 /path/to/guix-binary-@value{VERSION}.x86_64-linux.tar.xz
684 # mv var/guix /var/ && mv gnu /
687 This creates @file{/gnu/store} (@pxref{The Store}) and @file{/var/guix}.
688 The latter contains a ready-to-use profile for @code{root} (see next
691 Do @emph{not} unpack the tarball on a working Guix system since that
692 would overwrite its own essential files.
694 The @option{--warning=no-timestamp} option makes sure GNU@tie{}tar does
695 not emit warnings about ``implausibly old time stamps'' (such
696 warnings were triggered by GNU@tie{}tar 1.26 and older; recent
698 They stem from the fact that all the
699 files in the archive have their modification time set to 1 (which
700 means January 1st, 1970). This is done on purpose to make sure the
701 archive content is independent of its creation time, thus making it
705 Make the profile available under @file{~root/.config/guix/current}, which is
706 where @command{guix pull} will install updates (@pxref{Invoking guix pull}):
709 # mkdir -p ~root/.config/guix
710 # ln -sf /var/guix/profiles/per-user/root/current-guix \
711 ~root/.config/guix/current
714 Source @file{etc/profile} to augment @env{PATH} and other relevant
715 environment variables:
718 # GUIX_PROFILE="`echo ~root`/.config/guix/current" ; \
719 source $GUIX_PROFILE/etc/profile
723 Create the group and user accounts for build users as explained below
724 (@pxref{Build Environment Setup}).
727 Run the daemon, and set it to automatically start on boot.
729 If your host distro uses the systemd init system, this can be achieved
732 @c Versions of systemd that supported symlinked service files are not
733 @c yet widely deployed, so we should suggest that users copy the service
736 @c See this thread for more information:
737 @c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
740 # cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
741 ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
743 # systemctl enable --now gnu-store.mount guix-daemon
746 If your host distro uses the Upstart init system:
749 # initctl reload-configuration
750 # cp ~root/.config/guix/current/lib/upstart/system/guix-daemon.conf \
755 Otherwise, you can still start the daemon manually with:
758 # ~root/.config/guix/current/bin/guix-daemon \
759 --build-users-group=guixbuild
763 Make the @command{guix} command available to other users on the machine,
767 # mkdir -p /usr/local/bin
769 # ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
772 It is also a good idea to make the Info version of this manual available
776 # mkdir -p /usr/local/share/info
777 # cd /usr/local/share/info
778 # for i in /var/guix/profiles/per-user/root/current-guix/share/info/* ;
782 That way, assuming @file{/usr/local/share/info} is in the search path,
783 running @command{info guix} will open this manual (@pxref{Other Info
784 Directories,,, texinfo, GNU Texinfo}, for more details on changing the
788 @cindex substitutes, authorization thereof
789 To use substitutes from @code{@value{SUBSTITUTE-SERVER-1}},
790 @code{@value{SUBSTITUTE-SERVER-2}} or a mirror (@pxref{Substitutes}),
794 # guix archive --authorize < \
795 ~root/.config/guix/current/share/guix/@value{SUBSTITUTE-SERVER-1}.pub
796 # guix archive --authorize < \
797 ~root/.config/guix/current/share/guix/@value{SUBSTITUTE-SERVER-2}.pub
801 If you do not enable substitutes, Guix will end up building
802 @emph{everything} from source on your machine, making each installation
803 and upgrade very expensive. @xref{On Trusting Binaries}, for a
804 discussion of reasons why one might want do disable substitutes.
808 Each user may need to perform a few additional steps to make their Guix
809 environment ready for use, @pxref{Application Setup}.
812 Voilà, the installation is complete!
814 You can confirm that Guix is working by installing a sample package into
821 The binary installation tarball can be (re)produced and verified simply
822 by running the following command in the Guix source tree:
825 make guix-binary.@var{system}.tar.xz
829 ...@: which, in turn, runs:
832 guix pack -s @var{system} --localstatedir \
833 --profile-name=current-guix guix
836 @xref{Invoking guix pack}, for more info on this handy tool.
839 @section Requirements
841 This section lists requirements when building Guix from source. The
842 build procedure for Guix is the same as for other GNU software, and is
843 not covered here. Please see the files @file{README} and @file{INSTALL}
844 in the Guix source tree for additional details.
846 @cindex official website
847 GNU Guix is available for download from its website at
848 @url{https://www.gnu.org/software/guix/}.
850 GNU Guix depends on the following packages:
853 @item @url{https://gnu.org/software/guile/, GNU Guile}, version 3.0.x;
854 @item @url{https://notabug.org/cwebber/guile-gcrypt, Guile-Gcrypt}, version
857 @uref{https://gnutls.org/, GnuTLS}, specifically its Guile bindings
858 (@pxref{Guile Preparations, how to install the GnuTLS bindings for
859 Guile,, gnutls-guile, GnuTLS-Guile});
861 @uref{https://notabug.org/guile-sqlite3/guile-sqlite3, Guile-SQLite3}, version 0.1.0
863 @item @uref{https://notabug.org/guile-zlib/guile-zlib, Guile-zlib},
864 version 0.1.0 or later;
865 @item @uref{https://notabug.org/guile-lzlib/guile-lzlib, Guile-lzlib};
866 @item @uref{https://www.nongnu.org/guile-avahi/, Guile-Avahi};
868 @uref{https://gitlab.com/guile-git/guile-git, Guile-Git}, version 0.5.0
870 @item @uref{https://savannah.nongnu.org/projects/guile-json/, Guile-JSON}
872 @item @url{https://www.gnu.org/software/make/, GNU Make}.
875 The following dependencies are optional:
879 @c Note: We need at least 0.13.0 for #:nodelay.
880 Support for build offloading (@pxref{Daemon Offload Setup}) and
881 @command{guix copy} (@pxref{Invoking guix copy}) depends on
882 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH},
883 version 0.13.0 or later.
886 @uref{https://notabug.org/guile-zstd/guile-zstd, Guile-zstd}, for zstd
887 compression and decompression in @command{guix publish} and for
888 substitutes (@pxref{Invoking guix publish}).
891 @uref{https://ngyro.com/software/guile-semver.html, Guile-Semver} for
892 the @code{crate} importer (@pxref{Invoking guix import}).
895 @uref{https://www.nongnu.org/guile-lib/doc/ref/htmlprag/, Guile-Lib} for
896 the @code{go} importer (@pxref{Invoking guix import}) and for some of
897 the ``updaters'' (@pxref{Invoking guix refresh}).
900 When @url{http://www.bzip.org, libbz2} is available,
901 @command{guix-daemon} can use it to compress build logs.
904 Unless @option{--disable-daemon} was passed to @command{configure}, the
905 following packages are also needed:
908 @item @url{https://gnupg.org/, GNU libgcrypt};
909 @item @url{https://sqlite.org, SQLite 3};
910 @item @url{https://gcc.gnu.org, GCC's g++}, with support for the
914 @cindex state directory
915 When configuring Guix on a system that already has a Guix installation,
916 be sure to specify the same state directory as the existing installation
917 using the @option{--localstatedir} option of the @command{configure}
918 script (@pxref{Directory Variables, @code{localstatedir},, standards,
919 GNU Coding Standards}). Usually, this @var{localstatedir} option is
920 set to the value @file{/var}. The @command{configure} script protects
921 against unintended misconfiguration of @var{localstatedir} so you do not
922 inadvertently corrupt your store (@pxref{The Store}).
924 @node Running the Test Suite
925 @section Running the Test Suite
928 After a successful @command{configure} and @code{make} run, it is a good
929 idea to run the test suite. It can help catch issues with the setup or
930 environment, or bugs in Guix itself---and really, reporting test
931 failures is a good way to help improve the software. To run the test
938 Test cases can run in parallel: you can use the @code{-j} option of
939 GNU@tie{}make to speed things up. The first run may take a few minutes
940 on a recent machine; subsequent runs will be faster because the store
941 that is created for test purposes will already have various things in
944 It is also possible to run a subset of the tests by defining the
945 @code{TESTS} makefile variable as in this example:
948 make check TESTS="tests/store.scm tests/cpio.scm"
951 By default, tests results are displayed at a file level. In order to
952 see the details of every individual test cases, it is possible to define
953 the @code{SCM_LOG_DRIVER_FLAGS} makefile variable as in this example:
956 make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no"
959 The underlying SRFI 64 custom Automake test driver used for the 'check'
960 test suite (located at @file{build-aux/test-driver.scm}) also allows
961 selecting which test cases to run at a finer level, via its
962 @option{--select} and @option{--exclude} options. Here's an example, to
963 run all the test cases from the @file{tests/packages.scm} test file
964 whose names start with ``transaction-upgrade-entry'':
967 export SCM_LOG_DRIVER_FLAGS="--select=^transaction-upgrade-entry"
968 make check TESTS="tests/packages.scm"
971 Those wishing to inspect the results of failed tests directly from the
972 command line can add the @option{--errors-only=yes} option to the
973 @code{SCM_LOG_DRIVER_FLAGS} makefile variable and set the @code{VERBOSE}
974 Automake makefile variable, as in:
977 make check SCM_LOG_DRIVER_FLAGS="--brief=no --errors-only=yes" VERBOSE=1
980 The @option{--show-duration=yes} option can be used to print the
981 duration of the individual test cases, when used in combination with
985 make check SCM_LOG_DRIVER_FLAGS="--brief=no --show-duration=yes"
988 @xref{Parallel Test Harness,,,automake,GNU Automake} for more
989 information about the Automake Parallel Test Harness.
991 Upon failure, please email @email{bug-guix@@gnu.org} and attach the
992 @file{test-suite.log} file. Please specify the Guix version being used
993 as well as version numbers of the dependencies (@pxref{Requirements}) in
996 Guix also comes with a whole-system test suite that tests complete
997 Guix System instances. It can only run on systems where
998 Guix is already installed, using:
1005 or, again, by defining @code{TESTS} to select a subset of tests to run:
1008 make check-system TESTS="basic mcron"
1011 These system tests are defined in the @code{(gnu tests @dots{})}
1012 modules. They work by running the operating systems under test with
1013 lightweight instrumentation in a virtual machine (VM). They can be
1014 computationally intensive or rather cheap, depending on whether
1015 substitutes are available for their dependencies (@pxref{Substitutes}).
1016 Some of them require a lot of storage space to hold VM images.
1018 Again in case of test failures, please send @email{bug-guix@@gnu.org}
1021 @node Setting Up the Daemon
1022 @section Setting Up the Daemon
1025 Operations such as building a package or running the garbage collector
1026 are all performed by a specialized process, the @dfn{build daemon}, on
1027 behalf of clients. Only the daemon may access the store and its
1028 associated database. Thus, any operation that manipulates the store
1029 goes through the daemon. For instance, command-line tools such as
1030 @command{guix package} and @command{guix build} communicate with the
1031 daemon (@i{via} remote procedure calls) to instruct it what to do.
1033 The following sections explain how to prepare the build daemon's
1034 environment. See also @ref{Substitutes}, for information on how to allow
1035 the daemon to download pre-built binaries.
1038 * Build Environment Setup:: Preparing the isolated build environment.
1039 * Daemon Offload Setup:: Offloading builds to remote machines.
1040 * SELinux Support:: Using an SELinux policy for the daemon.
1043 @node Build Environment Setup
1044 @subsection Build Environment Setup
1046 @cindex build environment
1047 In a standard multi-user setup, Guix and its daemon---the
1048 @command{guix-daemon} program---are installed by the system
1049 administrator; @file{/gnu/store} is owned by @code{root} and
1050 @command{guix-daemon} runs as @code{root}. Unprivileged users may use
1051 Guix tools to build packages or otherwise access the store, and the
1052 daemon will do it on their behalf, ensuring that the store is kept in a
1053 consistent state, and allowing built packages to be shared among users.
1056 When @command{guix-daemon} runs as @code{root}, you may not want package
1057 build processes themselves to run as @code{root} too, for obvious
1058 security reasons. To avoid that, a special pool of @dfn{build users}
1059 should be created for use by build processes started by the daemon.
1060 These build users need not have a shell and a home directory: they will
1061 just be used when the daemon drops @code{root} privileges in build
1062 processes. Having several such users allows the daemon to launch
1063 distinct build processes under separate UIDs, which guarantees that they
1064 do not interfere with each other---an essential feature since builds are
1065 regarded as pure functions (@pxref{Introduction}).
1067 On a GNU/Linux system, a build user pool may be created like this (using
1068 Bash syntax and the @code{shadow} commands):
1070 @c See https://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html
1071 @c for why `-G' is needed.
1073 # groupadd --system guixbuild
1074 # for i in $(seq -w 1 10);
1076 useradd -g guixbuild -G guixbuild \
1077 -d /var/empty -s $(which nologin) \
1078 -c "Guix build user $i" --system \
1084 The number of build users determines how many build jobs may run in
1085 parallel, as specified by the @option{--max-jobs} option
1086 (@pxref{Invoking guix-daemon, @option{--max-jobs}}). To use
1087 @command{guix system vm} and related commands, you may need to add the
1088 build users to the @code{kvm} group so they can access @file{/dev/kvm},
1089 using @code{-G guixbuild,kvm} instead of @code{-G guixbuild}
1090 (@pxref{Invoking guix system}).
1092 The @code{guix-daemon} program may then be run as @code{root} with the
1093 following command@footnote{If your machine uses the systemd init system,
1094 dropping the @file{@var{prefix}/lib/systemd/system/guix-daemon.service}
1095 file in @file{/etc/systemd/system} will ensure that
1096 @command{guix-daemon} is automatically started. Similarly, if your
1097 machine uses the Upstart init system, drop the
1098 @file{@var{prefix}/lib/upstart/system/guix-daemon.conf}
1099 file in @file{/etc/init}.}:
1102 # guix-daemon --build-users-group=guixbuild
1107 This way, the daemon starts build processes in a chroot, under one of
1108 the @code{guixbuilder} users. On GNU/Linux, by default, the chroot
1109 environment contains nothing but:
1111 @c Keep this list in sync with libstore/build.cc! -----------------------
1114 a minimal @code{/dev} directory, created mostly independently from the
1115 host @code{/dev}@footnote{``Mostly'', because while the set of files
1116 that appear in the chroot's @code{/dev} is fixed, most of these files
1117 can only be created if the host has them.};
1120 the @code{/proc} directory; it only shows the processes of the container
1121 since a separate PID name space is used;
1124 @file{/etc/passwd} with an entry for the current user and an entry for
1128 @file{/etc/group} with an entry for the user's group;
1131 @file{/etc/hosts} with an entry that maps @code{localhost} to
1135 a writable @file{/tmp} directory.
1138 You can influence the directory where the daemon stores build trees
1139 @i{via} the @env{TMPDIR} environment variable. However, the build tree
1140 within the chroot is always called @file{/tmp/guix-build-@var{name}.drv-0},
1141 where @var{name} is the derivation name---e.g., @code{coreutils-8.24}.
1142 This way, the value of @env{TMPDIR} does not leak inside build
1143 environments, which avoids discrepancies in cases where build processes
1144 capture the name of their build tree.
1148 The daemon also honors the @env{http_proxy} and @env{https_proxy}
1149 environment variables for HTTP and HTTPS downloads it performs, be it
1150 for fixed-output derivations (@pxref{Derivations}) or for substitutes
1151 (@pxref{Substitutes}).
1153 If you are installing Guix as an unprivileged user, it is still possible
1154 to run @command{guix-daemon} provided you pass @option{--disable-chroot}.
1155 However, build processes will not be isolated from one another, and not
1156 from the rest of the system. Thus, build processes may interfere with
1157 each other, and may access programs, libraries, and other files
1158 available on the system---making it much harder to view them as
1159 @emph{pure} functions.
1162 @node Daemon Offload Setup
1163 @subsection Using the Offload Facility
1167 When desired, the build daemon can @dfn{offload} derivation builds to
1168 other machines running Guix, using the @code{offload} @dfn{build
1169 hook}@footnote{This feature is available only when
1170 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH} is
1171 present.}. When that feature is enabled, a list of user-specified build
1172 machines is read from @file{/etc/guix/machines.scm}; every time a build
1173 is requested, for instance via @code{guix build}, the daemon attempts to
1174 offload it to one of the machines that satisfy the constraints of the
1175 derivation, in particular its system types---e.g., @code{x86_64-linux}.
1176 A single machine can have multiple system types, either because its
1177 architecture natively supports it, via emulation
1178 (@pxref{transparent-emulation-qemu, Transparent Emulation with QEMU}),
1179 or both. Missing prerequisites for the build are
1180 copied over SSH to the target machine, which then proceeds with the
1181 build; upon success the output(s) of the build are copied back to the
1182 initial machine. The offload facility comes with a basic scheduler that
1183 attempts to select the best machine. The best machine is chosen among
1184 the available machines based on criteria such as:
1188 The availability of a build slot. A build machine can have as many
1189 build slots (connections) as the value of the @code{parallel-builds}
1190 field of its @code{build-machine} object.
1193 Its relative speed, as defined via the @code{speed} field of its
1194 @code{build-machine} object.
1197 Its load. The normalized machine load must be lower than a threshold
1198 value, configurable via the @code{overload-threshold} field of its
1199 @code{build-machine} object.
1202 Disk space availability. More than a 100 MiB must be available.
1205 The @file{/etc/guix/machines.scm} file typically looks like this:
1208 (list (build-machine
1209 (name "eightysix.example.org")
1210 (systems (list "x86_64-linux" "i686-linux"))
1211 (host-key "ssh-ed25519 AAAAC3Nza@dots{}")
1213 (speed 2.)) ;incredibly fast!
1216 (name "armeight.example.org")
1217 (systems (list "aarch64-linux"))
1218 (host-key "ssh-rsa AAAAB3Nza@dots{}")
1221 (string-append (getenv "HOME")
1222 "/.ssh/identity-for-guix"))))
1226 In the example above we specify a list of two build machines, one for
1227 the @code{x86_64} and @code{i686} architectures and one for the
1228 @code{aarch64} architecture.
1230 In fact, this file is---not surprisingly!---a Scheme file that is
1231 evaluated when the @code{offload} hook is started. Its return value
1232 must be a list of @code{build-machine} objects. While this example
1233 shows a fixed list of build machines, one could imagine, say, using
1234 DNS-SD to return a list of potential build machines discovered in the
1235 local network (@pxref{Introduction, Guile-Avahi,, guile-avahi, Using
1236 Avahi in Guile Scheme Programs}). The @code{build-machine} data type is
1239 @deftp {Data Type} build-machine
1240 This data type represents build machines to which the daemon may offload
1241 builds. The important fields are:
1246 The host name of the remote machine.
1249 The system types the remote machine supports---e.g., @code{(list
1250 "x86_64-linux" "i686-linux")}.
1253 The user account to use when connecting to the remote machine over SSH.
1254 Note that the SSH key pair must @emph{not} be passphrase-protected, to
1255 allow non-interactive logins.
1258 This must be the machine's SSH @dfn{public host key} in OpenSSH format.
1259 This is used to authenticate the machine when we connect to it. It is a
1260 long string that looks like this:
1263 ssh-ed25519 AAAAC3NzaC@dots{}mde+UhL hint@@example.org
1266 If the machine is running the OpenSSH daemon, @command{sshd}, the host
1267 key can be found in a file such as
1268 @file{/etc/ssh/ssh_host_ed25519_key.pub}.
1270 If the machine is running the SSH daemon of GNU@tie{}lsh,
1271 @command{lshd}, the host key is in @file{/etc/lsh/host-key.pub} or a
1272 similar file. It can be converted to the OpenSSH format using
1273 @command{lsh-export-key} (@pxref{Converting keys,,, lsh, LSH Manual}):
1276 $ lsh-export-key --openssh < /etc/lsh/host-key.pub
1277 ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV@dots{}
1282 A number of optional fields may be specified:
1286 @item @code{port} (default: @code{22})
1287 Port number of SSH server on the machine.
1289 @item @code{private-key} (default: @file{~root/.ssh/id_rsa})
1290 The SSH private key file to use when connecting to the machine, in
1291 OpenSSH format. This key must not be protected with a passphrase.
1293 Note that the default value is the private key @emph{of the root
1294 account}. Make sure it exists if you use the default.
1296 @item @code{compression} (default: @code{"zlib@@openssh.com,zlib"})
1297 @itemx @code{compression-level} (default: @code{3})
1298 The SSH-level compression methods and compression level requested.
1300 Note that offloading relies on SSH compression to reduce bandwidth usage
1301 when transferring files to and from build machines.
1303 @item @code{daemon-socket} (default: @code{"/var/guix/daemon-socket/socket"})
1304 File name of the Unix-domain socket @command{guix-daemon} is listening
1307 @item @code{overload-threshold} (default: @code{0.6})
1308 The load threshold above which a potential offload machine is
1309 disregarded by the offload scheduler. The value roughly translates to
1310 the total processor usage of the build machine, ranging from 0.0 (0%) to
1311 1.0 (100%). It can also be disabled by setting
1312 @code{overload-threshold} to @code{#f}.
1314 @item @code{parallel-builds} (default: @code{1})
1315 The number of builds that may run in parallel on the machine.
1317 @item @code{speed} (default: @code{1.0})
1318 A ``relative speed factor''. The offload scheduler will tend to prefer
1319 machines with a higher speed factor.
1321 @item @code{features} (default: @code{'()})
1322 A list of strings denoting specific features supported by the machine.
1323 An example is @code{"kvm"} for machines that have the KVM Linux modules
1324 and corresponding hardware support. Derivations can request features by
1325 name, and they will be scheduled on matching build machines.
1330 The @command{guix} command must be in the search path on the build
1331 machines. You can check whether this is the case by running:
1334 ssh build-machine guix repl --version
1337 There is one last thing to do once @file{machines.scm} is in place. As
1338 explained above, when offloading, files are transferred back and forth
1339 between the machine stores. For this to work, you first need to
1340 generate a key pair on each machine to allow the daemon to export signed
1341 archives of files from the store (@pxref{Invoking guix archive}):
1344 # guix archive --generate-key
1348 Each build machine must authorize the key of the master machine so that
1349 it accepts store items it receives from the master:
1352 # guix archive --authorize < master-public-key.txt
1356 Likewise, the master machine must authorize the key of each build machine.
1358 All the fuss with keys is here to express pairwise mutual trust
1359 relations between the master and the build machines. Concretely, when
1360 the master receives files from a build machine (and @i{vice versa}), its
1361 build daemon can make sure they are genuine, have not been tampered
1362 with, and that they are signed by an authorized key.
1364 @cindex offload test
1365 To test whether your setup is operational, run this command on the
1372 This will attempt to connect to each of the build machines specified in
1373 @file{/etc/guix/machines.scm}, make sure Guix is
1374 available on each machine, attempt to export to the machine and import
1375 from it, and report any error in the process.
1377 If you want to test a different machine file, just specify it on the
1381 # guix offload test machines-qualif.scm
1384 Last, you can test the subset of the machines whose name matches a
1385 regular expression like this:
1388 # guix offload test machines.scm '\.gnu\.org$'
1391 @cindex offload status
1392 To display the current load of all build hosts, run this command on the
1396 # guix offload status
1400 @node SELinux Support
1401 @subsection SELinux Support
1403 @cindex SELinux, daemon policy
1404 @cindex mandatory access control, SELinux
1405 @cindex security, guix-daemon
1406 Guix includes an SELinux policy file at @file{etc/guix-daemon.cil} that
1407 can be installed on a system where SELinux is enabled, in order to label
1408 Guix files and to specify the expected behavior of the daemon. Since
1409 Guix System does not provide an SELinux base policy, the daemon policy cannot
1410 be used on Guix System.
1412 @subsubsection Installing the SELinux policy
1413 @cindex SELinux, policy installation
1414 To install the policy run this command as root:
1417 semodule -i etc/guix-daemon.cil
1420 Then relabel the file system with @code{restorecon} or by a different
1421 mechanism provided by your system.
1423 Once the policy is installed, the file system has been relabeled, and
1424 the daemon has been restarted, it should be running in the
1425 @code{guix_daemon_t} context. You can confirm this with the following
1429 ps -Zax | grep guix-daemon
1432 Monitor the SELinux log files as you run a command like @code{guix build
1433 hello} to convince yourself that SELinux permits all necessary
1436 @subsubsection Limitations
1437 @cindex SELinux, limitations
1439 This policy is not perfect. Here is a list of limitations or quirks
1440 that should be considered when deploying the provided SELinux policy for
1445 @code{guix_daemon_socket_t} isn’t actually used. None of the socket
1446 operations involve contexts that have anything to do with
1447 @code{guix_daemon_socket_t}. It doesn’t hurt to have this unused label,
1448 but it would be preferable to define socket rules for only this label.
1451 @code{guix gc} cannot access arbitrary links to profiles. By design,
1452 the file label of the destination of a symlink is independent of the
1453 file label of the link itself. Although all profiles under
1454 $localstatedir are labelled, the links to these profiles inherit the
1455 label of the directory they are in. For links in the user’s home
1456 directory this will be @code{user_home_t}. But for links from the root
1457 user’s home directory, or @file{/tmp}, or the HTTP server’s working
1458 directory, etc, this won’t work. @code{guix gc} would be prevented from
1459 reading and following these links.
1462 The daemon’s feature to listen for TCP connections might no longer work.
1463 This might require extra rules, because SELinux treats network sockets
1464 differently from files.
1467 Currently all files with a name matching the regular expression
1468 @code{/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon} are assigned the
1469 label @code{guix_daemon_exec_t}; this means that @emph{any} file with
1470 that name in any profile would be permitted to run in the
1471 @code{guix_daemon_t} domain. This is not ideal. An attacker could
1472 build a package that provides this executable and convince a user to
1473 install and run it, which lifts it into the @code{guix_daemon_t} domain.
1474 At that point SELinux could not prevent it from accessing files that are
1475 allowed for processes in that domain.
1477 You will need to relabel the store directory after all upgrades to
1478 @file{guix-daemon}, such as after running @code{guix pull}. Assuming the
1479 store is in @file{/gnu}, you can do this with @code{restorecon -vR /gnu},
1480 or by other means provided by your operating system.
1482 We could generate a much more restrictive policy at installation time,
1483 so that only the @emph{exact} file name of the currently installed
1484 @code{guix-daemon} executable would be labelled with
1485 @code{guix_daemon_exec_t}, instead of using a broad regular expression.
1486 The downside is that root would have to install or upgrade the policy at
1487 installation time whenever the Guix package that provides the
1488 effectively running @code{guix-daemon} executable is upgraded.
1491 @node Invoking guix-daemon
1492 @section Invoking @command{guix-daemon}
1494 The @command{guix-daemon} program implements all the functionality to
1495 access the store. This includes launching build processes, running the
1496 garbage collector, querying the availability of a build result, etc. It
1497 is normally run as @code{root} like this:
1500 # guix-daemon --build-users-group=guixbuild
1504 For details on how to set it up, @pxref{Setting Up the Daemon}.
1507 @cindex container, build environment
1508 @cindex build environment
1509 @cindex reproducible builds
1510 By default, @command{guix-daemon} launches build processes under
1511 different UIDs, taken from the build group specified with
1512 @option{--build-users-group}. In addition, each build process is run in a
1513 chroot environment that only contains the subset of the store that the
1514 build process depends on, as specified by its derivation
1515 (@pxref{Programming Interface, derivation}), plus a set of specific
1516 system directories. By default, the latter contains @file{/dev} and
1517 @file{/dev/pts}. Furthermore, on GNU/Linux, the build environment is a
1518 @dfn{container}: in addition to having its own file system tree, it has
1519 a separate mount name space, its own PID name space, network name space,
1520 etc. This helps achieve reproducible builds (@pxref{Features}).
1522 When the daemon performs a build on behalf of the user, it creates a
1523 build directory under @file{/tmp} or under the directory specified by
1524 its @env{TMPDIR} environment variable. This directory is shared with
1525 the container for the duration of the build, though within the container,
1526 the build tree is always called @file{/tmp/guix-build-@var{name}.drv-0}.
1528 The build directory is automatically deleted upon completion, unless the
1529 build failed and the client specified @option{--keep-failed}
1530 (@pxref{Common Build Options, @option{--keep-failed}}).
1532 The daemon listens for connections and spawns one sub-process for each session
1533 started by a client (one of the @command{guix} sub-commands). The
1534 @command{guix processes} command allows you to get an overview of the activity
1535 on your system by viewing each of the active sessions and clients.
1536 @xref{Invoking guix processes}, for more information.
1538 The following command-line options are supported:
1541 @item --build-users-group=@var{group}
1542 Take users from @var{group} to run build processes (@pxref{Setting Up
1543 the Daemon, build users}).
1545 @item --no-substitutes
1547 Do not use substitutes for build products. That is, always build things
1548 locally instead of allowing downloads of pre-built binaries
1549 (@pxref{Substitutes}).
1551 When the daemon runs with @option{--no-substitutes}, clients can still
1552 explicitly enable substitution @i{via} the @code{set-build-options}
1553 remote procedure call (@pxref{The Store}).
1555 @anchor{daemon-substitute-urls}
1556 @item --substitute-urls=@var{urls}
1557 Consider @var{urls} the default whitespace-separated list of substitute
1558 source URLs. When this option is omitted,
1559 @indicateurl{@value{SUBSTITUTE-URLS}} is used.
1561 This means that substitutes may be downloaded from @var{urls}, as long
1562 as they are signed by a trusted signature (@pxref{Substitutes}).
1564 @xref{Getting Substitutes from Other Servers}, for more information on
1565 how to configure the daemon to get substitutes from other servers.
1569 Do not use offload builds to other machines (@pxref{Daemon Offload
1570 Setup}). That is, always build things locally instead of offloading
1571 builds to remote machines.
1573 @item --cache-failures
1574 Cache build failures. By default, only successful builds are cached.
1576 When this option is used, @command{guix gc --list-failures} can be used
1577 to query the set of store items marked as failed; @command{guix gc
1578 --clear-failures} removes store items from the set of cached failures.
1579 @xref{Invoking guix gc}.
1581 @item --cores=@var{n}
1583 Use @var{n} CPU cores to build each derivation; @code{0} means as many
1586 The default value is @code{0}, but it may be overridden by clients, such
1587 as the @option{--cores} option of @command{guix build} (@pxref{Invoking
1590 The effect is to define the @env{NIX_BUILD_CORES} environment variable
1591 in the build process, which can then use it to exploit internal
1592 parallelism---for instance, by running @code{make -j$NIX_BUILD_CORES}.
1594 @item --max-jobs=@var{n}
1596 Allow at most @var{n} build jobs in parallel. The default value is
1597 @code{1}. Setting it to @code{0} means that no builds will be performed
1598 locally; instead, the daemon will offload builds (@pxref{Daemon Offload
1599 Setup}), or simply fail.
1601 @item --max-silent-time=@var{seconds}
1602 When the build or substitution process remains silent for more than
1603 @var{seconds}, terminate it and report a build failure.
1605 The default value is @code{0}, which disables the timeout.
1607 The value specified here can be overridden by clients (@pxref{Common
1608 Build Options, @option{--max-silent-time}}).
1610 @item --timeout=@var{seconds}
1611 Likewise, when the build or substitution process lasts for more than
1612 @var{seconds}, terminate it and report a build failure.
1614 The default value is @code{0}, which disables the timeout.
1616 The value specified here can be overridden by clients (@pxref{Common
1617 Build Options, @option{--timeout}}).
1619 @item --rounds=@var{N}
1620 Build each derivation @var{n} times in a row, and raise an error if
1621 consecutive build results are not bit-for-bit identical. Note that this
1622 setting can be overridden by clients such as @command{guix build}
1623 (@pxref{Invoking guix build}).
1625 When used in conjunction with @option{--keep-failed}, the differing
1626 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
1627 This makes it easy to look for differences between the two results.
1630 Produce debugging output.
1632 This is useful to debug daemon start-up issues, but then it may be
1633 overridden by clients, for example the @option{--verbosity} option of
1634 @command{guix build} (@pxref{Invoking guix build}).
1636 @item --chroot-directory=@var{dir}
1637 Add @var{dir} to the build chroot.
1639 Doing this may change the result of build processes---for instance if
1640 they use optional dependencies found in @var{dir} when it is available,
1641 and not otherwise. For that reason, it is not recommended to do so.
1642 Instead, make sure that each derivation declares all the inputs that it
1645 @item --disable-chroot
1646 Disable chroot builds.
1648 Using this option is not recommended since, again, it would allow build
1649 processes to gain access to undeclared dependencies. It is necessary,
1650 though, when @command{guix-daemon} is running under an unprivileged user
1653 @item --log-compression=@var{type}
1654 Compress build logs according to @var{type}, one of @code{gzip},
1655 @code{bzip2}, or @code{none}.
1657 Unless @option{--lose-logs} is used, all the build logs are kept in the
1658 @var{localstatedir}. To save space, the daemon automatically compresses
1659 them with Bzip2 by default.
1661 @item --discover[=yes|no]
1662 Whether to discover substitute servers on the local network using mDNS
1665 This feature is still experimental. However, here are a few
1670 It might be faster/less expensive than fetching from remote servers;
1672 There are no security risks, only genuine substitutes will be used
1673 (@pxref{Substitute Authentication});
1675 An attacker advertising @command{guix publish} on your LAN cannot serve
1676 you malicious binaries, but they can learn what software you’re
1679 Servers may serve substitute over HTTP, unencrypted, so anyone on the
1680 LAN can see what software you’re installing.
1683 It is also possible to enable or disable substitute server discovery at
1684 run-time by running:
1687 herd discover guix-daemon on
1688 herd discover guix-daemon off
1691 @item --disable-deduplication
1692 @cindex deduplication
1693 Disable automatic file ``deduplication'' in the store.
1695 By default, files added to the store are automatically ``deduplicated'':
1696 if a newly added file is identical to another one found in the store,
1697 the daemon makes the new file a hard link to the other file. This can
1698 noticeably reduce disk usage, at the expense of slightly increased
1699 input/output load at the end of a build process. This option disables
1702 @item --gc-keep-outputs[=yes|no]
1703 Tell whether the garbage collector (GC) must keep outputs of live
1707 @cindex garbage collector roots
1708 When set to @code{yes}, the GC will keep the outputs of any live
1709 derivation available in the store---the @file{.drv} files. The default
1710 is @code{no}, meaning that derivation outputs are kept only if they are
1711 reachable from a GC root. @xref{Invoking guix gc}, for more on GC
1714 @item --gc-keep-derivations[=yes|no]
1715 Tell whether the garbage collector (GC) must keep derivations
1716 corresponding to live outputs.
1718 When set to @code{yes}, as is the case by default, the GC keeps
1719 derivations---i.e., @file{.drv} files---as long as at least one of their
1720 outputs is live. This allows users to keep track of the origins of
1721 items in their store. Setting it to @code{no} saves a bit of disk
1724 In this way, setting @option{--gc-keep-derivations} to @code{yes} causes
1725 liveness to flow from outputs to derivations, and setting
1726 @option{--gc-keep-outputs} to @code{yes} causes liveness to flow from
1727 derivations to outputs. When both are set to @code{yes}, the effect is
1728 to keep all the build prerequisites (the sources, compiler, libraries,
1729 and other build-time tools) of live objects in the store, regardless of
1730 whether these prerequisites are reachable from a GC root. This is
1731 convenient for developers since it saves rebuilds or downloads.
1733 @item --impersonate-linux-2.6
1734 On Linux-based systems, impersonate Linux 2.6. This means that the
1735 kernel's @command{uname} system call will report 2.6 as the release number.
1737 This might be helpful to build programs that (usually wrongfully) depend
1738 on the kernel version number.
1741 Do not keep build logs. By default they are kept under
1742 @file{@var{localstatedir}/guix/log}.
1744 @item --system=@var{system}
1745 Assume @var{system} as the current system type. By default it is the
1746 architecture/kernel pair found at configure time, such as
1747 @code{x86_64-linux}.
1749 @item --listen=@var{endpoint}
1750 Listen for connections on @var{endpoint}. @var{endpoint} is interpreted
1751 as the file name of a Unix-domain socket if it starts with
1752 @code{/} (slash sign). Otherwise, @var{endpoint} is interpreted as a
1753 host name or host name and port to listen to. Here are a few examples:
1756 @item --listen=/gnu/var/daemon
1757 Listen for connections on the @file{/gnu/var/daemon} Unix-domain socket,
1758 creating it if needed.
1760 @item --listen=localhost
1761 @cindex daemon, remote access
1762 @cindex remote access to the daemon
1763 @cindex daemon, cluster setup
1764 @cindex clusters, daemon setup
1765 Listen for TCP connections on the network interface corresponding to
1766 @code{localhost}, on port 44146.
1768 @item --listen=128.0.0.42:1234
1769 Listen for TCP connections on the network interface corresponding to
1770 @code{128.0.0.42}, on port 1234.
1773 This option can be repeated multiple times, in which case
1774 @command{guix-daemon} accepts connections on all the specified
1775 endpoints. Users can tell client commands what endpoint to connect to
1776 by setting the @env{GUIX_DAEMON_SOCKET} environment variable
1777 (@pxref{The Store, @env{GUIX_DAEMON_SOCKET}}).
1780 The daemon protocol is @emph{unauthenticated and unencrypted}. Using
1781 @option{--listen=@var{host}} is suitable on local networks, such as
1782 clusters, where only trusted nodes may connect to the build daemon. In
1783 other cases where remote access to the daemon is needed, we recommend
1784 using Unix-domain sockets along with SSH.
1787 When @option{--listen} is omitted, @command{guix-daemon} listens for
1788 connections on the Unix-domain socket located at
1789 @file{@var{localstatedir}/guix/daemon-socket/socket}.
1793 @node Application Setup
1794 @section Application Setup
1796 @cindex foreign distro
1797 When using Guix on top of GNU/Linux distribution other than Guix System---a
1798 so-called @dfn{foreign distro}---a few additional steps are needed to
1799 get everything in place. Here are some of them.
1803 @anchor{locales-and-locpath}
1804 @cindex locales, when not on Guix System
1806 @vindex GUIX_LOCPATH
1807 Packages installed @i{via} Guix will not use the locale data of the
1808 host system. Instead, you must first install one of the locale packages
1809 available with Guix and then define the @env{GUIX_LOCPATH} environment
1813 $ guix install glibc-locales
1814 $ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale
1817 Note that the @code{glibc-locales} package contains data for all the
1818 locales supported by the GNU@tie{}libc and weighs in at around
1819 917@tie{}MiB@. Alternatively, the @code{glibc-utf8-locales} is smaller but
1820 limited to a few UTF-8 locales.
1822 The @env{GUIX_LOCPATH} variable plays a role similar to @env{LOCPATH}
1823 (@pxref{Locale Names, @env{LOCPATH},, libc, The GNU C Library Reference
1824 Manual}). There are two important differences though:
1828 @env{GUIX_LOCPATH} is honored only by the libc in Guix, and not by the libc
1829 provided by foreign distros. Thus, using @env{GUIX_LOCPATH} allows you
1830 to make sure the programs of the foreign distro will not end up loading
1831 incompatible locale data.
1834 libc suffixes each entry of @env{GUIX_LOCPATH} with @code{/X.Y}, where
1835 @code{X.Y} is the libc version---e.g., @code{2.22}. This means that,
1836 should your Guix profile contain a mixture of programs linked against
1837 different libc version, each libc version will only try to load locale
1838 data in the right format.
1841 This is important because the locale data format used by different libc
1842 versions may be incompatible.
1844 @subsection Name Service Switch
1846 @cindex name service switch, glibc
1847 @cindex NSS (name service switch), glibc
1848 @cindex nscd (name service caching daemon)
1849 @cindex name service caching daemon (nscd)
1850 When using Guix on a foreign distro, we @emph{strongly recommend} that
1851 the system run the GNU C library's @dfn{name service cache daemon},
1852 @command{nscd}, which should be listening on the
1853 @file{/var/run/nscd/socket} socket. Failing to do that, applications
1854 installed with Guix may fail to look up host names or user accounts, or
1855 may even crash. The next paragraphs explain why.
1857 @cindex @file{nsswitch.conf}
1858 The GNU C library implements a @dfn{name service switch} (NSS), which is
1859 an extensible mechanism for ``name lookups'' in general: host name
1860 resolution, user accounts, and more (@pxref{Name Service Switch,,, libc,
1861 The GNU C Library Reference Manual}).
1863 @cindex Network information service (NIS)
1864 @cindex NIS (Network information service)
1865 Being extensible, the NSS supports @dfn{plugins}, which provide new name
1866 lookup implementations: for example, the @code{nss-mdns} plugin allow
1867 resolution of @code{.local} host names, the @code{nis} plugin allows
1868 user account lookup using the Network information service (NIS), and so
1869 on. These extra ``lookup services'' are configured system-wide in
1870 @file{/etc/nsswitch.conf}, and all the programs running on the system
1871 honor those settings (@pxref{NSS Configuration File,,, libc, The GNU C
1874 When they perform a name lookup---for instance by calling the
1875 @code{getaddrinfo} function in C---applications first try to connect to
1876 the nscd; on success, nscd performs name lookups on their behalf. If
1877 the nscd is not running, then they perform the name lookup by
1878 themselves, by loading the name lookup services into their own address
1879 space and running it. These name lookup services---the
1880 @file{libnss_*.so} files---are @code{dlopen}'d, but they may come from
1881 the host system's C library, rather than from the C library the
1882 application is linked against (the C library coming from Guix).
1884 And this is where the problem is: if your application is linked against
1885 Guix's C library (say, glibc 2.24) and tries to load NSS plugins from
1886 another C library (say, @code{libnss_mdns.so} for glibc 2.22), it will
1887 likely crash or have its name lookups fail unexpectedly.
1889 Running @command{nscd} on the system, among other advantages, eliminates
1890 this binary incompatibility problem because those @code{libnss_*.so}
1891 files are loaded in the @command{nscd} process, not in applications
1894 @subsection X11 Fonts
1897 The majority of graphical applications use Fontconfig to locate and
1898 load fonts and perform X11-client-side rendering. The @code{fontconfig}
1899 package in Guix looks for fonts in @file{$HOME/.guix-profile}
1900 by default. Thus, to allow graphical applications installed with Guix
1901 to display fonts, you have to install fonts with Guix as well.
1902 Essential font packages include @code{gs-fonts}, @code{font-dejavu}, and
1903 @code{font-gnu-freefont}.
1905 @cindex @code{fc-cache}
1907 Once you have installed or removed fonts, or when you notice an
1908 application that does not find fonts, you may need to install Fontconfig
1909 and to force an update of its font cache by running:
1912 guix install fontconfig
1916 To display text written in Chinese languages, Japanese, or Korean in
1917 graphical applications, consider installing
1918 @code{font-adobe-source-han-sans} or @code{font-wqy-zenhei}. The former
1919 has multiple outputs, one per language family (@pxref{Packages with
1920 Multiple Outputs}). For instance, the following command installs fonts
1921 for Chinese languages:
1924 guix install font-adobe-source-han-sans:cn
1927 @cindex @code{xterm}
1928 Older programs such as @command{xterm} do not use Fontconfig and instead
1929 rely on server-side font rendering. Such programs require to specify a
1930 full name of a font using XLFD (X Logical Font Description), like this:
1933 -*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1
1936 To be able to use such full names for the TrueType fonts installed in
1937 your Guix profile, you need to extend the font path of the X server:
1939 @c Note: 'xset' does not accept symlinks so the trick below arranges to
1940 @c get at the real directory. See <https://bugs.gnu.org/30655>.
1942 xset +fp $(dirname $(readlink -f ~/.guix-profile/share/fonts/truetype/fonts.dir))
1945 @cindex @code{xlsfonts}
1946 After that, you can run @code{xlsfonts} (from @code{xlsfonts} package)
1947 to make sure your TrueType fonts are listed there.
1950 @subsection X.509 Certificates
1952 @cindex @code{nss-certs}
1953 The @code{nss-certs} package provides X.509 certificates, which allow
1954 programs to authenticate Web servers accessed over HTTPS.
1956 When using Guix on a foreign distro, you can install this package and
1957 define the relevant environment variables so that packages know where to
1958 look for certificates. @xref{X.509 Certificates}, for detailed
1961 @subsection Emacs Packages
1963 @cindex @code{emacs}
1964 When you install Emacs packages with Guix, the Elisp files are placed
1965 under the @file{share/emacs/site-lisp/} directory of the profile in
1966 which they are installed. The Elisp libraries are made available to
1967 Emacs through the @env{EMACSLOADPATH} environment variable, which is
1968 set when installing Emacs itself.
1970 Additionally, autoload definitions are automatically evaluated at the
1971 initialization of Emacs, by the Guix-specific
1972 @code{guix-emacs-autoload-packages} procedure. If, for some reason, you
1973 want to avoid auto-loading the Emacs packages installed with Guix, you
1974 can do so by running Emacs with the @option{--no-site-file} option
1975 (@pxref{Init File,,, emacs, The GNU Emacs Manual}).
1978 @node Upgrading Guix
1979 @section Upgrading Guix
1981 @cindex Upgrading Guix, on a foreign distro
1983 To upgrade Guix, run:
1989 @xref{Invoking guix pull}, for more information.
1991 @cindex upgrading Guix for the root user, on a foreign distro
1992 @cindex upgrading the Guix daemon, on a foreign distro
1993 @cindex @command{guix pull} for the root user, on a foreign distro
1995 On a foreign distro, you can upgrade the build daemon by running:
2002 followed by (assuming your distro uses the systemd service management
2006 systemctl restart guix-daemon.service
2009 On Guix System, upgrading the daemon is achieved by reconfiguring the
2010 system (@pxref{Invoking guix system, @code{guix system reconfigure}}).
2014 @c *********************************************************************
2015 @node System Installation
2016 @chapter System Installation
2018 @cindex installing Guix System
2019 @cindex Guix System, installation
2020 This section explains how to install Guix System
2021 on a machine. Guix, as a package manager, can
2022 also be installed on top of a running GNU/Linux system,
2023 @pxref{Installation}.
2027 @c This paragraph is for people reading this from tty2 of the
2028 @c installation image.
2029 You are reading this documentation with an Info reader. For details on
2030 how to use it, hit the @key{RET} key (``return'' or ``enter'') on the
2031 link that follows: @pxref{Top, Info reader,, info-stnd, Stand-alone GNU
2032 Info}. Hit @kbd{l} afterwards to come back here.
2034 Alternatively, run @command{info info} in another tty to keep the manual
2040 * Limitations:: What you can expect.
2041 * Hardware Considerations:: Supported hardware.
2042 * USB Stick and DVD Installation:: Preparing the installation medium.
2043 * Preparing for Installation:: Networking, partitioning, etc.
2044 * Guided Graphical Installation:: Easy graphical installation.
2045 * Manual Installation:: Manual installation for wizards.
2046 * After System Installation:: When installation succeeded.
2047 * Installing Guix in a VM:: Guix System playground.
2048 * Building the Installation Image:: How this comes to be.
2052 @section Limitations
2054 We consider Guix System to be ready for a wide range of ``desktop'' and server
2055 use cases. The reliability guarantees it provides---transactional upgrades
2056 and rollbacks, reproducibility---make it a solid foundation.
2058 Nevertheless, before you proceed with the installation, be aware of the
2059 following noteworthy limitations applicable to version @value{VERSION}:
2063 More and more system services are provided (@pxref{Services}), but some
2067 GNOME, Xfce, LXDE, and Enlightenment are available (@pxref{Desktop Services}),
2068 as well as a number of X11 window managers. However, KDE is currently
2072 More than a disclaimer, this is an invitation to report issues (and success
2073 stories!), and to join us in improving it. @xref{Contributing}, for more
2077 @node Hardware Considerations
2078 @section Hardware Considerations
2080 @cindex hardware support on Guix System
2081 GNU@tie{}Guix focuses on respecting the user's computing freedom. It
2082 builds around the kernel Linux-libre, which means that only hardware for
2083 which free software drivers and firmware exist is supported. Nowadays,
2084 a wide range of off-the-shelf hardware is supported on
2085 GNU/Linux-libre---from keyboards to graphics cards to scanners and
2086 Ethernet controllers. Unfortunately, there are still areas where
2087 hardware vendors deny users control over their own computing, and such
2088 hardware is not supported on Guix System.
2090 @cindex WiFi, hardware support
2091 One of the main areas where free drivers or firmware are lacking is WiFi
2092 devices. WiFi devices known to work include those using Atheros chips
2093 (AR9271 and AR7010), which corresponds to the @code{ath9k} Linux-libre
2094 driver, and those using Broadcom/AirForce chips (BCM43xx with
2095 Wireless-Core Revision 5), which corresponds to the @code{b43-open}
2096 Linux-libre driver. Free firmware exists for both and is available
2097 out-of-the-box on Guix System, as part of @code{%base-firmware}
2098 (@pxref{operating-system Reference, @code{firmware}}).
2100 @cindex RYF, Respects Your Freedom
2101 The @uref{https://www.fsf.org/, Free Software Foundation} runs
2102 @uref{https://www.fsf.org/ryf, @dfn{Respects Your Freedom}} (RYF), a
2103 certification program for hardware products that respect your freedom
2104 and your privacy and ensure that you have control over your device. We
2105 encourage you to check the list of RYF-certified devices.
2107 Another useful resource is the @uref{https://www.h-node.org/, H-Node}
2108 web site. It contains a catalog of hardware devices with information
2109 about their support in GNU/Linux.
2112 @node USB Stick and DVD Installation
2113 @section USB Stick and DVD Installation
2115 An ISO-9660 installation image that can be written to a USB stick or
2116 burnt to a DVD can be downloaded from
2117 @indicateurl{@value{BASE-URL}/guix-system-install-@value{VERSION}.x86_64-linux.iso},
2118 where you can replace @code{x86_64-linux} with one of:
2122 for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;
2125 for a 32-bit GNU/Linux system on Intel-compatible CPUs.
2128 @c start duplication of authentication part from ``Binary Installation''
2129 Make sure to download the associated @file{.sig} file and to verify the
2130 authenticity of the image against it, along these lines:
2133 $ wget @value{BASE-URL}/guix-system-install-@value{VERSION}.x86_64-linux.iso.sig
2134 $ gpg --verify guix-system-install-@value{VERSION}.x86_64-linux.iso.sig
2137 If that command fails because you do not have the required public key,
2138 then run this command to import it:
2141 $ wget @value{OPENPGP-SIGNING-KEY-URL} \
2142 -qO - | gpg --import -
2146 and rerun the @code{gpg --verify} command.
2148 Take note that a warning like ``This key is not certified with a trusted
2149 signature!'' is normal.
2153 This image contains the tools necessary for an installation.
2154 It is meant to be copied @emph{as is} to a large-enough USB stick or DVD.
2156 @unnumberedsubsec Copying to a USB Stick
2158 Insert a USB stick of 1@tie{}GiB or more into your machine, and determine
2159 its device name. Assuming that the USB stick is known as @file{/dev/sdX},
2160 copy the image with:
2163 dd if=guix-system-install-@value{VERSION}.x86_64-linux.iso of=/dev/sdX status=progress
2167 Access to @file{/dev/sdX} usually requires root privileges.
2169 @unnumberedsubsec Burning on a DVD
2171 Insert a blank DVD into your machine, and determine
2172 its device name. Assuming that the DVD drive is known as @file{/dev/srX},
2173 copy the image with:
2176 growisofs -dvd-compat -Z /dev/srX=guix-system-install-@value{VERSION}.x86_64-linux.iso
2179 Access to @file{/dev/srX} usually requires root privileges.
2181 @unnumberedsubsec Booting
2183 Once this is done, you should be able to reboot the system and boot from
2184 the USB stick or DVD@. The latter usually requires you to get in the
2185 BIOS or UEFI boot menu, where you can choose to boot from the USB stick.
2186 In order to boot from Libreboot, switch to the command mode by pressing
2187 the @kbd{c} key and type @command{search_grub usb}.
2189 @xref{Installing Guix in a VM}, if, instead, you would like to install
2190 Guix System in a virtual machine (VM).
2193 @node Preparing for Installation
2194 @section Preparing for Installation
2196 Once you have booted, you can use the guided graphical installer, which makes
2197 it easy to get started (@pxref{Guided Graphical Installation}). Alternatively,
2198 if you are already familiar with GNU/Linux and if you want more control than
2199 what the graphical installer provides, you can choose the ``manual''
2200 installation process (@pxref{Manual Installation}).
2202 The graphical installer is available on TTY1. You can obtain root shells on
2203 TTYs 3 to 6 by hitting @kbd{ctrl-alt-f3}, @kbd{ctrl-alt-f4}, etc. TTY2 shows
2204 this documentation and you can reach it with @kbd{ctrl-alt-f2}. Documentation
2205 is browsable using the Info reader commands (@pxref{Top,,, info-stnd,
2206 Stand-alone GNU Info}). The installation system runs the GPM mouse daemon,
2207 which allows you to select text with the left mouse button and to paste it
2208 with the middle button.
2211 Installation requires access to the Internet so that any missing
2212 dependencies of your system configuration can be downloaded. See the
2213 ``Networking'' section below.
2216 @node Guided Graphical Installation
2217 @section Guided Graphical Installation
2219 The graphical installer is a text-based user interface. It will guide you,
2220 with dialog boxes, through the steps needed to install GNU@tie{}Guix System.
2222 The first dialog boxes allow you to set up the system as you use it during the
2223 installation: you can choose the language, keyboard layout, and set up
2224 networking, which will be used during the installation. The image below shows
2225 the networking dialog.
2227 @image{images/installer-network,5in,, networking setup with the graphical installer}
2229 Later steps allow you to partition your hard disk, as shown in the image
2230 below, to choose whether or not to use encrypted file systems, to enter the
2231 host name and root password, and to create an additional account, among other
2234 @image{images/installer-partitions,5in,, partitioning with the graphical installer}
2236 Note that, at any time, the installer allows you to exit the current
2237 installation step and resume at a previous step, as show in the image below.
2239 @image{images/installer-resume,5in,, resuming the installation process}
2241 Once you're done, the installer produces an operating system configuration and
2242 displays it (@pxref{Using the Configuration System}). At that point you can
2243 hit ``OK'' and installation will proceed. On success, you can reboot into the
2244 new system and enjoy. @xref{After System Installation}, for what's next!
2247 @node Manual Installation
2248 @section Manual Installation
2250 This section describes how you would ``manually'' install GNU@tie{}Guix System
2251 on your machine. This option requires familiarity with GNU/Linux, with the
2252 shell, and with common administration tools. If you think this is not for
2253 you, consider using the guided graphical installer (@pxref{Guided Graphical
2256 The installation system provides root shells on TTYs 3 to 6; press
2257 @kbd{ctrl-alt-f3}, @kbd{ctrl-alt-f4}, and so on to reach them. It includes
2258 many common tools needed to install the system. But it is also a full-blown
2259 Guix System, which means that you can install additional packages, should you
2260 need it, using @command{guix package} (@pxref{Invoking guix package}).
2263 * Keyboard Layout and Networking and Partitioning:: Initial setup.
2264 * Proceeding with the Installation:: Installing.
2267 @node Keyboard Layout and Networking and Partitioning
2268 @subsection Keyboard Layout, Networking, and Partitioning
2270 Before you can install the system, you may want to adjust the keyboard layout,
2271 set up networking, and partition your target hard disk. This section will
2272 guide you through this.
2274 @subsubsection Keyboard Layout
2276 @cindex keyboard layout
2277 The installation image uses the US qwerty keyboard layout. If you want
2278 to change it, you can use the @command{loadkeys} command. For example,
2279 the following command selects the Dvorak keyboard layout:
2285 See the files under @file{/run/current-system/profile/share/keymaps} for
2286 a list of available keyboard layouts. Run @command{man loadkeys} for
2289 @subsubsection Networking
2291 Run the following command to see what your network interfaces are called:
2298 @dots{} or, using the GNU/Linux-specific @command{ip} command:
2304 @c https://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c#n20
2305 Wired interfaces have a name starting with @samp{e}; for example, the
2306 interface corresponding to the first on-board Ethernet controller is
2307 called @samp{eno1}. Wireless interfaces have a name starting with
2308 @samp{w}, like @samp{w1p2s0}.
2311 @item Wired connection
2312 To configure a wired network run the following command, substituting
2313 @var{interface} with the name of the wired interface you want to use.
2316 ifconfig @var{interface} up
2320 @dots{} or, using the GNU/Linux-specific @command{ip} command:
2323 ip link set @var{interface} up
2326 @item Wireless connection
2329 To configure wireless networking, you can create a configuration file
2330 for the @command{wpa_supplicant} configuration tool (its location is not
2331 important) using one of the available text editors such as
2335 nano wpa_supplicant.conf
2338 As an example, the following stanza can go to this file and will work
2339 for many wireless networks, provided you give the actual SSID and
2340 passphrase for the network you are connecting to:
2344 ssid="@var{my-ssid}"
2346 psk="the network's secret passphrase"
2350 Start the wireless service and run it in the background with the
2351 following command (substitute @var{interface} with the name of the
2352 network interface you want to use):
2355 wpa_supplicant -c wpa_supplicant.conf -i @var{interface} -B
2358 Run @command{man wpa_supplicant} for more information.
2362 At this point, you need to acquire an IP address. On a network where IP
2363 addresses are automatically assigned @i{via} DHCP, you can run:
2366 dhclient -v @var{interface}
2369 Try to ping a server to see if networking is up and running:
2375 Setting up network access is almost always a requirement because the
2376 image does not contain all the software and tools that may be needed.
2378 @cindex proxy, during system installation
2379 If you need HTTP and HTTPS access to go through a proxy, run the
2383 herd set-http-proxy guix-daemon @var{URL}
2387 where @var{URL} is the proxy URL, for example
2388 @code{http://example.org:8118}.
2390 @cindex installing over SSH
2391 If you want to, you can continue the installation remotely by starting
2395 herd start ssh-daemon
2398 Make sure to either set a password with @command{passwd}, or configure
2399 OpenSSH public key authentication before logging in.
2401 @subsubsection Disk Partitioning
2403 Unless this has already been done, the next step is to partition, and
2404 then format the target partition(s).
2406 The installation image includes several partitioning tools, including
2407 Parted (@pxref{Overview,,, parted, GNU Parted User Manual}),
2408 @command{fdisk}, and @command{cfdisk}. Run it and set up your disk with
2409 the partition layout you want:
2415 If your disk uses the GUID Partition Table (GPT) format and you plan to
2416 install BIOS-based GRUB (which is the default), make sure a BIOS Boot
2417 Partition is available (@pxref{BIOS installation,,, grub, GNU GRUB
2420 @cindex EFI, installation
2421 @cindex UEFI, installation
2422 @cindex ESP, EFI system partition
2423 If you instead wish to use EFI-based GRUB, a FAT32 @dfn{EFI System Partition}
2424 (ESP) is required. This partition can be mounted at @file{/boot/efi} for
2425 instance and must have the @code{esp} flag set. E.g., for @command{parted}:
2428 parted /dev/sda set 1 esp on
2432 @vindex grub-bootloader
2433 @vindex grub-efi-bootloader
2434 Unsure whether to use EFI- or BIOS-based GRUB? If the directory
2435 @file{/sys/firmware/efi} exists in the installation image, then you should
2436 probably perform an EFI installation, using @code{grub-efi-bootloader}.
2437 Otherwise you should use the BIOS-based GRUB, known as
2438 @code{grub-bootloader}. @xref{Bootloader Configuration}, for more info on
2442 Once you are done partitioning the target hard disk drive, you have to
2443 create a file system on the relevant partition(s)@footnote{Currently
2444 Guix System only supports ext4, btrfs, JFS, and F2FS file systems. In
2445 particular, code that reads file system UUIDs and labels only works for these
2446 file system types.}. For the ESP, if you have one and assuming it is
2447 @file{/dev/sda1}, run:
2450 mkfs.fat -F32 /dev/sda1
2453 For the root file system, ext4 is the most widely used format. Other
2454 file systems, such as Btrfs, support compression, which is reported to
2455 nicely complement file deduplication that the daemon performs
2456 independently of the file system (@pxref{Invoking guix-daemon,
2459 Preferably, assign file systems a label so that you can easily and
2460 reliably refer to them in @code{file-system} declarations (@pxref{File
2461 Systems}). This is typically done using the @code{-L} option of
2462 @command{mkfs.ext4} and related commands. So, assuming the target root
2463 partition lives at @file{/dev/sda2}, a file system with the label
2464 @code{my-root} can be created with:
2467 mkfs.ext4 -L my-root /dev/sda2
2470 @cindex encrypted disk
2471 If you are instead planning to encrypt the root partition, you can use
2472 the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
2473 @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
2474 @code{man cryptsetup}} for more information). Assuming you want to
2475 store the root partition on @file{/dev/sda2}, the command sequence would
2476 be along these lines:
2479 cryptsetup luksFormat /dev/sda2
2480 cryptsetup open --type luks /dev/sda2 my-partition
2481 mkfs.ext4 -L my-root /dev/mapper/my-partition
2484 Once that is done, mount the target file system under @file{/mnt}
2485 with a command like (again, assuming @code{my-root} is the label of the
2489 mount LABEL=my-root /mnt
2492 Also mount any other file systems you would like to use on the target
2493 system relative to this path. If you have opted for @file{/boot/efi} as an
2494 EFI mount point for example, mount it at @file{/mnt/boot/efi} now so it is
2495 found by @code{guix system init} afterwards.
2497 Finally, if you plan to use one or more swap partitions (@pxref{Memory
2498 Concepts, swap space,, libc, The GNU C Library Reference Manual}), make
2499 sure to initialize them with @command{mkswap}. Assuming you have one
2500 swap partition on @file{/dev/sda3}, you would run:
2507 Alternatively, you may use a swap file. For example, assuming that in
2508 the new system you want to use the file @file{/swapfile} as a swap file,
2509 you would run@footnote{This example will work for many types of file
2510 systems (e.g., ext4). However, for copy-on-write file systems (e.g.,
2511 btrfs), the required steps may be different. For details, see the
2512 manual pages for @command{mkswap} and @command{swapon}.}:
2515 # This is 10 GiB of swap space. Adjust "count" to change the size.
2516 dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240
2517 # For security, make the file readable and writable only by root.
2518 chmod 600 /mnt/swapfile
2519 mkswap /mnt/swapfile
2520 swapon /mnt/swapfile
2523 Note that if you have encrypted the root partition and created a swap
2524 file in its file system as described above, then the encryption also
2525 protects the swap file, just like any other file in that file system.
2527 @node Proceeding with the Installation
2528 @subsection Proceeding with the Installation
2530 With the target partitions ready and the target root mounted on
2531 @file{/mnt}, we're ready to go. First, run:
2534 herd start cow-store /mnt
2537 This makes @file{/gnu/store} copy-on-write, such that packages added to it
2538 during the installation phase are written to the target disk on @file{/mnt}
2539 rather than kept in memory. This is necessary because the first phase of
2540 the @command{guix system init} command (see below) entails downloads or
2541 builds to @file{/gnu/store} which, initially, is an in-memory file system.
2543 Next, you have to edit a file and
2544 provide the declaration of the operating system to be installed. To
2545 that end, the installation system comes with three text editors. We
2546 recommend GNU nano (@pxref{Top,,, nano, GNU nano Manual}), which
2547 supports syntax highlighting and parentheses matching; other editors
2548 include mg (an Emacs clone), and
2549 nvi (a clone of the original BSD @command{vi} editor).
2550 We strongly recommend storing that file on the target root file system, say,
2551 as @file{/mnt/etc/config.scm}. Failing to do that, you will have lost your
2552 configuration file once you have rebooted into the newly-installed system.
2554 @xref{Using the Configuration System}, for an overview of the
2555 configuration file. The example configurations discussed in that
2556 section are available under @file{/etc/configuration} in the
2557 installation image. Thus, to get started with a system configuration
2558 providing a graphical display server (a ``desktop'' system), you can run
2559 something along these lines:
2563 # cp /etc/configuration/desktop.scm /mnt/etc/config.scm
2564 # nano /mnt/etc/config.scm
2567 You should pay attention to what your configuration file contains, and
2572 Make sure the @code{bootloader-configuration} form refers to the targets
2573 you want to install GRUB on. It should mention @code{grub-bootloader}
2574 if you are installing GRUB in the legacy way, or
2575 @code{grub-efi-bootloader} for newer UEFI systems. For legacy systems,
2576 the @code{targets} field contain the names of the devices, like
2577 @code{(list "/dev/sda")}; for UEFI systems it names the paths to mounted
2578 EFI partitions, like @code{(list "/boot/efi")}; do make sure the paths
2579 are currently mounted and a @code{file-system} entry is specified in
2583 Be sure that your file system labels match the value of their respective
2584 @code{device} fields in your @code{file-system} configuration, assuming
2585 your @code{file-system} configuration uses the @code{file-system-label}
2586 procedure in its @code{device} field.
2589 If there are encrypted or RAID partitions, make sure to add a
2590 @code{mapped-devices} field to describe them (@pxref{Mapped Devices}).
2593 Once you are done preparing the configuration file, the new system must
2594 be initialized (remember that the target root file system is mounted
2598 guix system init /mnt/etc/config.scm /mnt
2602 This copies all the necessary files and installs GRUB on
2603 @file{/dev/sdX}, unless you pass the @option{--no-bootloader} option. For
2604 more information, @pxref{Invoking guix system}. This command may trigger
2605 downloads or builds of missing packages, which can take some time.
2607 Once that command has completed---and hopefully succeeded!---you can run
2608 @command{reboot} and boot into the new system. The @code{root} password
2609 in the new system is initially empty; other users' passwords need to be
2610 initialized by running the @command{passwd} command as @code{root},
2611 unless your configuration specifies otherwise
2612 (@pxref{user-account-password, user account passwords}).
2613 @xref{After System Installation}, for what's next!
2616 @node After System Installation
2617 @section After System Installation
2619 Success, you've now booted into Guix System! From then on, you can update the
2620 system whenever you want by running, say:
2624 sudo guix system reconfigure /etc/config.scm
2628 This builds a new system generation with the latest packages and services
2629 (@pxref{Invoking guix system}). We recommend doing that regularly so that
2630 your system includes the latest security updates (@pxref{Security Updates}).
2632 @c See <https://lists.gnu.org/archive/html/guix-devel/2019-01/msg00268.html>.
2634 @cindex sudo vs. @command{guix pull}
2635 Note that @command{sudo guix} runs your user's @command{guix} command and
2636 @emph{not} root's, because @command{sudo} leaves @env{PATH} unchanged. To
2637 explicitly run root's @command{guix}, type @command{sudo -i guix @dots{}}.
2639 The difference matters here, because @command{guix pull} updates
2640 the @command{guix} command and package definitions only for the user it is run
2641 as. This means that if you choose to use @command{guix system reconfigure} in
2642 root's login shell, you'll need to @command{guix pull} separately.
2645 Now, @pxref{Getting Started}, and
2646 join us on @code{#guix} on the Libera Chat IRC network or on
2647 @email{guix-devel@@gnu.org} to share your experience!
2650 @node Installing Guix in a VM
2651 @section Installing Guix in a Virtual Machine
2653 @cindex virtual machine, Guix System installation
2654 @cindex virtual private server (VPS)
2655 @cindex VPS (virtual private server)
2656 If you'd like to install Guix System in a virtual machine (VM) or on a
2657 virtual private server (VPS) rather than on your beloved machine, this
2660 To boot a @uref{https://qemu.org/,QEMU} VM for installing Guix System in a
2661 disk image, follow these steps:
2665 First, retrieve and decompress the Guix system installation image as
2666 described previously (@pxref{USB Stick and DVD Installation}).
2669 Create a disk image that will hold the installed system. To make a
2670 qcow2-formatted disk image, use the @command{qemu-img} command:
2673 qemu-img create -f qcow2 guix-system.img 50G
2676 The resulting file will be much smaller than 50 GB (typically less than
2677 1 MB), but it will grow as the virtualized storage device is filled up.
2680 Boot the USB installation image in an VM:
2683 qemu-system-x86_64 -m 1024 -smp 1 -enable-kvm \
2684 -nic user,model=virtio-net-pci -boot menu=on,order=d \
2685 -drive file=guix-system.img \
2686 -drive media=cdrom,file=guix-system-install-@value{VERSION}.@var{system}.iso
2689 @code{-enable-kvm} is optional, but significantly improves performance,
2690 @pxref{Running Guix in a VM}.
2693 You're now root in the VM, proceed with the installation process.
2694 @xref{Preparing for Installation}, and follow the instructions.
2697 Once installation is complete, you can boot the system that's on your
2698 @file{guix-system.img} image. @xref{Running Guix in a VM}, for how to do
2701 @node Building the Installation Image
2702 @section Building the Installation Image
2704 @cindex installation image
2705 The installation image described above was built using the @command{guix
2706 system} command, specifically:
2709 guix system image -t iso9660 gnu/system/install.scm
2712 Have a look at @file{gnu/system/install.scm} in the source tree,
2713 and see also @ref{Invoking guix system} for more information
2714 about the installation image.
2716 @section Building the Installation Image for ARM Boards
2718 Many ARM boards require a specific variant of the
2719 @uref{https://www.denx.de/wiki/U-Boot/, U-Boot} bootloader.
2721 If you build a disk image and the bootloader is not available otherwise
2722 (on another boot drive etc), it's advisable to build an image that
2723 includes the bootloader, specifically:
2726 guix system image --system=armhf-linux -e '((@@ (gnu system install) os-with-u-boot) (@@ (gnu system install) installation-os) "A20-OLinuXino-Lime2")'
2729 @code{A20-OLinuXino-Lime2} is the name of the board. If you specify an invalid
2730 board, a list of possible boards will be printed.
2732 @c *********************************************************************
2733 @node Getting Started
2734 @chapter Getting Started
2736 Presumably, you've reached this section because either you have
2737 installed Guix on top of another distribution (@pxref{Installation}), or
2738 you've installed the standalone Guix System (@pxref{System
2739 Installation}). It's time for you to get started using Guix and this
2740 section aims to help you do that and give you a feel of what it's like.
2742 Guix is about installing software, so probably the first thing you'll
2743 want to do is to actually look for software. Let's say you're looking
2744 for a text editor, you can run:
2747 guix search text editor
2750 This command shows you a number of matching @dfn{packages}, each time
2751 showing the package's name, version, a description, and additional info.
2752 Once you've found out the one you want to use, let's say Emacs (ah ha!),
2753 you can go ahead and install it (run this command as a regular user,
2754 @emph{no need for root privileges}!):
2761 You've installed your first package, congrats! The package is now
2762 visible in your default @dfn{profile}, @file{$HOME/.guix-profile}---a
2763 profile is a directory containing installed packages.
2764 In the process, you've
2765 probably noticed that Guix downloaded pre-built binaries; or, if you
2766 explicitly chose to @emph{not} use pre-built binaries, then probably
2767 Guix is still building software (@pxref{Substitutes}, for more info).
2769 Unless you're using Guix System, the @command{guix install} command must
2770 have printed this hint:
2773 hint: Consider setting the necessary environment variables by running:
2775 GUIX_PROFILE="$HOME/.guix-profile"
2776 . "$GUIX_PROFILE/etc/profile"
2778 Alternately, see `guix package --search-paths -p "$HOME/.guix-profile"'.
2781 Indeed, you must now tell your shell where @command{emacs} and other
2782 programs installed with Guix are to be found. Pasting the two lines
2783 above will do just that: it will add
2784 @code{$HOME/.guix-profile/bin}---which is where the installed package
2785 is---to the @code{PATH} environment variable. You can paste these two
2786 lines in your shell so they take effect right away, but more importantly
2787 you should add them to @file{~/.bash_profile} (or equivalent file if you
2788 do not use Bash) so that environment variables are set next time you
2789 spawn a shell. You only need to do this once and other search paths
2790 environment variables will be taken care of similarly---e.g., if you
2791 eventually install @code{python} and Python libraries, @code{PYTHONPATH}
2794 You can go on installing packages at your will. To list installed
2798 guix package --list-installed
2801 To remove a package, you would unsurprisingly run @command{guix remove}.
2802 A distinguishing feature is the ability to @dfn{roll back} any operation
2803 you made---installation, removal, upgrade---by simply typing:
2806 guix package --roll-back
2809 This is because each operation is in fact a @dfn{transaction} that
2810 creates a new @dfn{generation}. These generations and the difference
2811 between them can be displayed by running:
2814 guix package --list-generations
2817 Now you know the basics of package management!
2819 @quotation Going further
2820 @xref{Package Management}, for more about package management. You may
2821 like @dfn{declarative} package management with @command{guix package
2822 --manifest}, managing separate @dfn{profiles} with @option{--profile},
2823 deleting old generations, collecting garbage, and other nifty features
2824 that will come in handy as you become more familiar with Guix. If you
2825 are a developer, @pxref{Development} for additional tools. And if
2826 you're curious, @pxref{Features}, to peek under the hood.
2829 Once you've installed a set of packages, you will want to periodically
2830 @emph{upgrade} them to the latest and greatest version. To do that, you
2831 will first pull the latest revision of Guix and its package collection:
2837 The end result is a new @command{guix} command, under
2838 @file{~/.config/guix/current/bin}. Unless you're on Guix System, the
2839 first time you run @command{guix pull}, be sure to follow the hint that
2840 the command prints and, similar to what we saw above, paste these two
2841 lines in your terminal and @file{.bash_profile}:
2844 GUIX_PROFILE="$HOME/.config/guix/current"
2845 . "$GUIX_PROFILE/etc/profile"
2849 You must also instruct your shell to point to this new @command{guix}:
2855 At this point, you're running a brand new Guix. You can thus go ahead
2856 and actually upgrade all the packages you previously installed:
2862 As you run this command, you will see that binaries are downloaded (or
2863 perhaps some packages are built), and eventually you end up with the
2864 upgraded packages. Should one of these upgraded packages not be to your
2865 liking, remember you can always roll back!
2867 You can display the exact revision of Guix you're currently using by
2874 The information it displays is @emph{all it takes to reproduce the exact
2875 same Guix}, be it at a different point in time or on a different
2878 @quotation Going further
2879 @xref{Invoking guix pull}, for more information. @xref{Channels}, on
2880 how to specify additional @dfn{channels} to pull packages from, how to
2881 replicate Guix, and more. You may also find @command{time-machine}
2882 handy (@pxref{Invoking guix time-machine}).
2885 If you installed Guix System, one of the first things you'll want to do
2886 is to upgrade your system. Once you've run @command{guix pull} to get
2887 the latest Guix, you can upgrade the system like this:
2890 sudo guix system reconfigure /etc/config.scm
2893 Upon completion, the system runs the latest versions of its software
2894 packages. When you eventually reboot, you'll notice a sub-menu in the
2895 bootloader that reads ``Old system generations'': it's what allows you
2896 to boot @emph{an older generation of your system}, should the latest
2897 generation be ``broken'' or otherwise unsatisfying. Just like for
2898 packages, you can always @emph{roll back} to a previous generation
2899 @emph{of the whole system}:
2902 sudo guix system roll-back
2905 There are many things you'll probably want to tweak on your system:
2906 adding new user accounts, adding new system services, fiddling with the
2907 configuration of those services, etc. The system configuration is
2908 @emph{entirely} described in the @file{/etc/config.scm} file.
2909 @xref{Using the Configuration System}, to learn how to change it.
2911 Now you know enough to get started!
2913 @quotation Resources
2914 The rest of this manual provides a reference for all things Guix. Here
2915 are some additional resources you may find useful:
2919 @xref{Top,,, guix-cookbook, The GNU Guix Cookbook}, for a list of
2920 ``how-to'' style of recipes for a variety of applications.
2923 The @uref{https://guix.gnu.org/guix-refcard.pdf, GNU Guix Reference
2924 Card} lists in two pages most of the commands and options you'll ever
2928 The web site contains @uref{https://guix.gnu.org/en/videos/,
2929 instructional videos} covering topics such as everyday use of Guix, how
2930 to get help, and how to become a contributor.
2933 @xref{Documentation}, to learn how to access documentation on your
2937 We hope you will enjoy Guix as much as the community enjoys building it!
2940 @c *********************************************************************
2941 @node Package Management
2942 @chapter Package Management
2945 The purpose of GNU Guix is to allow users to easily install, upgrade, and
2946 remove software packages, without having to know about their build
2947 procedures or dependencies. Guix also goes beyond this obvious set of
2950 This chapter describes the main features of Guix, as well as the
2951 package management tools it provides. Along with the command-line
2952 interface described below (@pxref{Invoking guix package, @code{guix
2953 package}}), you may also use the Emacs-Guix interface (@pxref{Top,,,
2954 emacs-guix, The Emacs-Guix Reference Manual}), after installing
2955 @code{emacs-guix} package (run @kbd{M-x guix-help} command to start
2959 guix install emacs-guix
2963 * Features:: How Guix will make your life brighter.
2964 * Invoking guix package:: Package installation, removal, etc.
2965 * Substitutes:: Downloading pre-built binaries.
2966 * Packages with Multiple Outputs:: Single source package, multiple outputs.
2967 * Invoking guix gc:: Running the garbage collector.
2968 * Invoking guix pull:: Fetching the latest Guix and distribution.
2969 * Invoking guix time-machine:: Running an older revision of Guix.
2970 * Inferiors:: Interacting with another revision of Guix.
2971 * Invoking guix describe:: Display information about your Guix revision.
2972 * Invoking guix archive:: Exporting and importing store files.
2978 Here we assume you've already made your first steps with Guix
2979 (@pxref{Getting Started}) and would like to get an overview about what's
2980 going on under the hood.
2982 When using Guix, each package ends up in the @dfn{package store}, in its
2983 own directory---something that resembles
2984 @file{/gnu/store/xxx-package-1.2}, where @code{xxx} is a base32 string.
2986 Instead of referring to these directories, users have their own
2987 @dfn{profile}, which points to the packages that they actually want to
2988 use. These profiles are stored within each user's home directory, at
2989 @code{$HOME/.guix-profile}.
2991 For example, @code{alice} installs GCC 4.7.2. As a result,
2992 @file{/home/alice/.guix-profile/bin/gcc} points to
2993 @file{/gnu/store/@dots{}-gcc-4.7.2/bin/gcc}. Now, on the same machine,
2994 @code{bob} had already installed GCC 4.8.0. The profile of @code{bob}
2995 simply continues to point to
2996 @file{/gnu/store/@dots{}-gcc-4.8.0/bin/gcc}---i.e., both versions of GCC
2997 coexist on the same system without any interference.
2999 The @command{guix package} command is the central tool to manage
3000 packages (@pxref{Invoking guix package}). It operates on the per-user
3001 profiles, and can be used @emph{with normal user privileges}.
3003 @cindex transactions
3004 The command provides the obvious install, remove, and upgrade
3005 operations. Each invocation is actually a @emph{transaction}: either
3006 the specified operation succeeds, or nothing happens. Thus, if the
3007 @command{guix package} process is terminated during the transaction,
3008 or if a power outage occurs during the transaction, then the user's
3009 profile remains in its previous state, and remains usable.
3011 In addition, any package transaction may be @emph{rolled back}. So, if,
3012 for example, an upgrade installs a new version of a package that turns
3013 out to have a serious bug, users may roll back to the previous instance
3014 of their profile, which was known to work well. Similarly, the global
3015 system configuration on Guix is subject to
3016 transactional upgrades and roll-back
3017 (@pxref{Using the Configuration System}).
3019 All packages in the package store may be @emph{garbage-collected}.
3020 Guix can determine which packages are still referenced by user
3021 profiles, and remove those that are provably no longer referenced
3022 (@pxref{Invoking guix gc}). Users may also explicitly remove old
3023 generations of their profile so that the packages they refer to can be
3026 @cindex reproducibility
3027 @cindex reproducible builds
3028 Guix takes a @dfn{purely functional} approach to package
3029 management, as described in the introduction (@pxref{Introduction}).
3030 Each @file{/gnu/store} package directory name contains a hash of all the
3031 inputs that were used to build that package---compiler, libraries, build
3032 scripts, etc. This direct correspondence allows users to make sure a
3033 given package installation matches the current state of their
3034 distribution. It also helps maximize @dfn{build reproducibility}:
3035 thanks to the isolated build environments that are used, a given build
3036 is likely to yield bit-identical files when performed on different
3037 machines (@pxref{Invoking guix-daemon, container}).
3040 This foundation allows Guix to support @dfn{transparent binary/source
3041 deployment}. When a pre-built binary for a @file{/gnu/store} item is
3042 available from an external source---a @dfn{substitute}, Guix just
3043 downloads it and unpacks it;
3044 otherwise, it builds the package from source, locally
3045 (@pxref{Substitutes}). Because build results are usually bit-for-bit
3046 reproducible, users do not have to trust servers that provide
3047 substitutes: they can force a local build and @emph{challenge} providers
3048 (@pxref{Invoking guix challenge}).
3050 Control over the build environment is a feature that is also useful for
3051 developers. The @command{guix environment} command allows developers of
3052 a package to quickly set up the right development environment for their
3053 package, without having to manually install the dependencies of the
3054 package into their profile (@pxref{Invoking guix environment}).
3056 @cindex replication, of software environments
3057 @cindex provenance tracking, of software artifacts
3058 All of Guix and its package definitions is version-controlled, and
3059 @command{guix pull} allows you to ``travel in time'' on the history of Guix
3060 itself (@pxref{Invoking guix pull}). This makes it possible to replicate a
3061 Guix instance on a different machine or at a later point in time, which in
3062 turn allows you to @emph{replicate complete software environments}, while
3063 retaining precise @dfn{provenance tracking} of the software.
3065 @node Invoking guix package
3066 @section Invoking @command{guix package}
3068 @cindex installing packages
3069 @cindex removing packages
3070 @cindex package installation
3071 @cindex package removal
3073 The @command{guix package} command is the tool that allows users to
3074 install, upgrade, and remove packages, as well as rolling back to
3075 previous configurations. These operations work on a user
3076 @dfn{profile}---a directory of installed packages. Each user has a
3077 default profile in @file{$HOME/.guix-profile}.
3078 The command operates only on the user's own profile,
3079 and works with normal user privileges (@pxref{Features}). Its syntax
3083 guix package @var{options}
3086 @cindex transactions
3087 Primarily, @var{options} specifies the operations to be performed during
3088 the transaction. Upon completion, a new profile is created, but
3089 previous @dfn{generations} of the profile remain available, should the user
3092 For example, to remove @code{lua} and install @code{guile} and
3093 @code{guile-cairo} in a single transaction:
3096 guix package -r lua -i guile guile-cairo
3099 @cindex aliases, for @command{guix package}
3100 For your convenience, we also provide the following aliases:
3104 @command{guix search} is an alias for @command{guix package -s},
3106 @command{guix install} is an alias for @command{guix package -i},
3108 @command{guix remove} is an alias for @command{guix package -r},
3110 @command{guix upgrade} is an alias for @command{guix package -u},
3112 and @command{guix show} is an alias for @command{guix package --show=}.
3115 These aliases are less expressive than @command{guix package} and provide
3116 fewer options, so in some cases you'll probably want to use @command{guix
3119 @command{guix package} also supports a @dfn{declarative approach}
3120 whereby the user specifies the exact set of packages to be available and
3121 passes it @i{via} the @option{--manifest} option
3122 (@pxref{profile-manifest, @option{--manifest}}).
3125 For each user, a symlink to the user's default profile is automatically
3126 created in @file{$HOME/.guix-profile}. This symlink always points to the
3127 current generation of the user's default profile. Thus, users can add
3128 @file{$HOME/.guix-profile/bin} to their @env{PATH} environment
3129 variable, and so on.
3130 @cindex search paths
3131 If you are not using Guix System, consider adding the
3132 following lines to your @file{~/.bash_profile} (@pxref{Bash Startup
3133 Files,,, bash, The GNU Bash Reference Manual}) so that newly-spawned
3134 shells get all the right environment variable definitions:
3137 GUIX_PROFILE="$HOME/.guix-profile" ; \
3138 source "$GUIX_PROFILE/etc/profile"
3141 In a multi-user setup, user profiles are stored in a place registered as
3142 a @dfn{garbage-collector root}, which @file{$HOME/.guix-profile} points
3143 to (@pxref{Invoking guix gc}). That directory is normally
3144 @code{@var{localstatedir}/guix/profiles/per-user/@var{user}}, where
3145 @var{localstatedir} is the value passed to @code{configure} as
3146 @option{--localstatedir}, and @var{user} is the user name. The
3147 @file{per-user} directory is created when @command{guix-daemon} is
3148 started, and the @var{user} sub-directory is created by @command{guix
3151 The @var{options} can be among the following:
3155 @item --install=@var{package} @dots{}
3156 @itemx -i @var{package} @dots{}
3157 Install the specified @var{package}s.
3159 Each @var{package} may specify either a simple package name, such as
3160 @code{guile}, or a package name followed by an at-sign and version number,
3161 such as @code{guile@@1.8.8} or simply @code{guile@@1.8} (in the latter
3162 case, the newest version prefixed by @code{1.8} is selected).
3164 If no version number is specified, the
3165 newest available version will be selected. In addition, @var{package}
3166 may contain a colon, followed by the name of one of the outputs of the
3167 package, as in @code{gcc:doc} or @code{binutils@@2.22:lib}
3168 (@pxref{Packages with Multiple Outputs}). Packages with a corresponding
3169 name (and optionally version) are searched for among the GNU
3170 distribution modules (@pxref{Package Modules}).
3172 @cindex propagated inputs
3173 Sometimes packages have @dfn{propagated inputs}: these are dependencies
3174 that automatically get installed along with the required package
3175 (@pxref{package-propagated-inputs, @code{propagated-inputs} in
3176 @code{package} objects}, for information about propagated inputs in
3177 package definitions).
3179 @anchor{package-cmd-propagated-inputs}
3180 An example is the GNU MPC library: its C header files refer to those of
3181 the GNU MPFR library, which in turn refer to those of the GMP library.
3182 Thus, when installing MPC, the MPFR and GMP libraries also get installed
3183 in the profile; removing MPC also removes MPFR and GMP---unless they had
3184 also been explicitly installed by the user.
3186 Besides, packages sometimes rely on the definition of environment
3187 variables for their search paths (see explanation of
3188 @option{--search-paths} below). Any missing or possibly incorrect
3189 environment variable definitions are reported here.
3191 @item --install-from-expression=@var{exp}
3193 Install the package @var{exp} evaluates to.
3195 @var{exp} must be a Scheme expression that evaluates to a
3196 @code{<package>} object. This option is notably useful to disambiguate
3197 between same-named variants of a package, with expressions such as
3198 @code{(@@ (gnu packages base) guile-final)}.
3200 Note that this option installs the first output of the specified
3201 package, which may be insufficient when needing a specific output of a
3202 multiple-output package.
3204 @item --install-from-file=@var{file}
3205 @itemx -f @var{file}
3206 Install the package that the code within @var{file} evaluates to.
3208 As an example, @var{file} might contain a definition like this
3209 (@pxref{Defining Packages}):
3212 @include package-hello.scm
3215 Developers may find it useful to include such a @file{guix.scm} file
3216 in the root of their project source tree that can be used to test
3217 development snapshots and create reproducible development environments
3218 (@pxref{Invoking guix environment}).
3220 The @var{file} may also contain a JSON representation of one or more
3221 package definitions. Running @code{guix package -f} on
3222 @file{hello.json} with the following contents would result in installing
3223 the package @code{greeter} after building @code{myhello}:
3226 @verbatiminclude package-hello.json
3229 @item --remove=@var{package} @dots{}
3230 @itemx -r @var{package} @dots{}
3231 Remove the specified @var{package}s.
3233 As for @option{--install}, each @var{package} may specify a version number
3234 and/or output name in addition to the package name. For instance,
3235 @samp{-r glibc:debug} would remove the @code{debug} output of
3238 @item --upgrade[=@var{regexp} @dots{}]
3239 @itemx -u [@var{regexp} @dots{}]
3240 @cindex upgrading packages
3241 Upgrade all the installed packages. If one or more @var{regexp}s are
3242 specified, upgrade only installed packages whose name matches a
3243 @var{regexp}. Also see the @option{--do-not-upgrade} option below.
3245 Note that this upgrades package to the latest version of packages found
3246 in the distribution currently installed. To update your distribution,
3247 you should regularly run @command{guix pull} (@pxref{Invoking guix
3250 @cindex package transformations, upgrades
3251 When upgrading, package transformations that were originally applied
3252 when creating the profile are automatically re-applied (@pxref{Package
3253 Transformation Options}). For example, assume you first installed Emacs
3254 from the tip of its development branch with:
3257 guix install emacs-next --with-branch=emacs-next=master
3260 Next time you run @command{guix upgrade}, Guix will again pull the tip
3261 of the Emacs development branch and build @code{emacs-next} from that
3264 Note that transformation options such as @option{--with-branch} and
3265 @option{--with-source} depend on external state; it is up to you to
3266 ensure that they work as expected. You can also discard a
3267 transformations that apply to a package by running:
3270 guix install @var{package}
3273 @item --do-not-upgrade[=@var{regexp} @dots{}]
3274 When used together with the @option{--upgrade} option, do @emph{not}
3275 upgrade any packages whose name matches a @var{regexp}. For example, to
3276 upgrade all packages in the current profile except those containing the
3277 substring ``emacs'':
3280 $ guix package --upgrade . --do-not-upgrade emacs
3283 @item @anchor{profile-manifest}--manifest=@var{file}
3284 @itemx -m @var{file}
3285 @cindex profile declaration
3286 @cindex profile manifest
3287 Create a new generation of the profile from the manifest object
3288 returned by the Scheme code in @var{file}. This option can be repeated
3289 several times, in which case the manifests are concatenated.
3291 This allows you to @emph{declare} the profile's contents rather than
3292 constructing it through a sequence of @option{--install} and similar
3293 commands. The advantage is that @var{file} can be put under version
3294 control, copied to different machines to reproduce the same profile, and
3297 @c FIXME: Add reference to (guix profile) documentation when available.
3298 @var{file} must return a @dfn{manifest} object, which is roughly a list
3301 @findex packages->manifest
3303 (use-package-modules guile emacs)
3308 ;; Use a specific package output.
3309 (list guile-2.0 "debug")))
3312 @findex specifications->manifest
3313 In this example we have to know which modules define the @code{emacs}
3314 and @code{guile-2.0} variables to provide the right
3315 @code{use-package-modules} line, which can be cumbersome. We can
3316 instead provide regular package specifications and let
3317 @code{specifications->manifest} look up the corresponding package
3321 (specifications->manifest
3322 '("emacs" "guile@@2.2" "guile@@2.2:debug"))
3325 @xref{export-manifest, @option{--export-manifest}}, to learn how to
3326 obtain a manifest file from an existing profile.
3329 @cindex rolling back
3330 @cindex undoing transactions
3331 @cindex transactions, undoing
3332 Roll back to the previous @dfn{generation} of the profile---i.e., undo
3333 the last transaction.
3335 When combined with options such as @option{--install}, roll back occurs
3336 before any other actions.
3338 When rolling back from the first generation that actually contains
3339 installed packages, the profile is made to point to the @dfn{zeroth
3340 generation}, which contains no files apart from its own metadata.
3342 After having rolled back, installing, removing, or upgrading packages
3343 overwrites previous future generations. Thus, the history of the
3344 generations in a profile is always linear.
3346 @item --switch-generation=@var{pattern}
3347 @itemx -S @var{pattern}
3349 Switch to a particular generation defined by @var{pattern}.
3351 @var{pattern} may be either a generation number or a number prefixed
3352 with ``+'' or ``-''. The latter means: move forward/backward by a
3353 specified number of generations. For example, if you want to return to
3354 the latest generation after @option{--roll-back}, use
3355 @option{--switch-generation=+1}.
3357 The difference between @option{--roll-back} and
3358 @option{--switch-generation=-1} is that @option{--switch-generation} will
3359 not make a zeroth generation, so if a specified generation does not
3360 exist, the current generation will not be changed.
3362 @item --search-paths[=@var{kind}]
3363 @cindex search paths
3364 Report environment variable definitions, in Bash syntax, that may be
3365 needed in order to use the set of installed packages. These environment
3366 variables are used to specify @dfn{search paths} for files used by some
3367 of the installed packages.
3369 For example, GCC needs the @env{CPATH} and @env{LIBRARY_PATH}
3370 environment variables to be defined so it can look for headers and
3371 libraries in the user's profile (@pxref{Environment Variables,,, gcc,
3372 Using the GNU Compiler Collection (GCC)}). If GCC and, say, the C
3373 library are installed in the profile, then @option{--search-paths} will
3374 suggest setting these variables to @file{@var{profile}/include} and
3375 @file{@var{profile}/lib}, respectively.
3377 The typical use case is to define these environment variables in the
3381 $ eval `guix package --search-paths`
3384 @var{kind} may be one of @code{exact}, @code{prefix}, or @code{suffix},
3385 meaning that the returned environment variable definitions will either
3386 be exact settings, or prefixes or suffixes of the current value of these
3387 variables. When omitted, @var{kind} defaults to @code{exact}.
3389 This option can also be used to compute the @emph{combined} search paths
3390 of several profiles. Consider this example:
3393 $ guix package -p foo -i guile
3394 $ guix package -p bar -i guile-json
3395 $ guix package -p foo -p bar --search-paths
3398 The last command above reports about the @env{GUILE_LOAD_PATH}
3399 variable, even though, taken individually, neither @file{foo} nor
3400 @file{bar} would lead to that recommendation.
3403 @cindex profile, choosing
3404 @item --profile=@var{profile}
3405 @itemx -p @var{profile}
3406 Use @var{profile} instead of the user's default profile.
3408 @var{profile} must be the name of a file that will be created upon
3409 completion. Concretely, @var{profile} will be a mere symbolic link
3410 (``symlink'') pointing to the actual profile where packages are
3414 $ guix install hello -p ~/code/my-profile
3416 $ ~/code/my-profile/bin/hello
3420 All it takes to get rid of the profile is to remove this symlink and its
3421 siblings that point to specific generations:
3424 $ rm ~/code/my-profile ~/code/my-profile-*-link
3427 @item --list-profiles
3428 List all the user's profiles:
3431 $ guix package --list-profiles
3432 /home/charlie/.guix-profile
3433 /home/charlie/code/my-profile
3434 /home/charlie/code/devel-profile
3435 /home/charlie/tmp/test
3438 When running as root, list all the profiles of all the users.
3440 @cindex collisions, in a profile
3441 @cindex colliding packages in profiles
3442 @cindex profile collisions
3443 @item --allow-collisions
3444 Allow colliding packages in the new profile. Use at your own risk!
3446 By default, @command{guix package} reports as an error @dfn{collisions}
3447 in the profile. Collisions happen when two or more different versions
3448 or variants of a given package end up in the profile.
3451 Use the bootstrap Guile to build the profile. This option is only
3452 useful to distribution developers.
3456 In addition to these actions, @command{guix package} supports the
3457 following options to query the current state of a profile, or the
3458 availability of packages:
3462 @item --search=@var{regexp}
3463 @itemx -s @var{regexp}
3464 @anchor{guix-search}
3465 @cindex searching for packages
3466 List the available packages whose name, synopsis, or description matches
3467 @var{regexp} (in a case-insensitive fashion), sorted by relevance.
3468 Print all the metadata of matching packages in
3469 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils,
3470 GNU recutils manual}).
3472 This allows specific fields to be extracted using the @command{recsel}
3473 command, for instance:
3476 $ guix package -s malloc | recsel -p name,version,relevance
3490 Similarly, to show the name of all the packages available under the
3491 terms of the GNU@tie{}LGPL version 3:
3494 $ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"'
3501 It is also possible to refine search results using several @code{-s} flags to
3502 @command{guix package}, or several arguments to @command{guix search}. For
3503 example, the following command returns a list of board games (this time using
3504 the @command{guix search} alias):
3507 $ guix search '\<board\>' game | recsel -p name
3512 If we were to omit @code{-s game}, we would also get software packages
3513 that deal with printed circuit boards; removing the angle brackets
3514 around @code{board} would further add packages that have to do with
3517 And now for a more elaborate example. The following command searches
3518 for cryptographic libraries, filters out Haskell, Perl, Python, and Ruby
3519 libraries, and prints the name and synopsis of the matching packages:
3522 $ guix search crypto library | \
3523 recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis
3527 @xref{Selection Expressions,,, recutils, GNU recutils manual}, for more
3528 information on @dfn{selection expressions} for @code{recsel -e}.
3530 @item --show=@var{package}
3531 Show details about @var{package}, taken from the list of available packages, in
3532 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils, GNU
3536 $ guix package --show=python | recsel -p name,version
3544 You may also specify the full name of a package to only get details about a
3545 specific version of it (this time using the @command{guix show} alias):
3547 $ guix show python@@3.4 | recsel -p name,version
3554 @item --list-installed[=@var{regexp}]
3555 @itemx -I [@var{regexp}]
3556 List the currently installed packages in the specified profile, with the
3557 most recently installed packages shown last. When @var{regexp} is
3558 specified, list only installed packages whose name matches @var{regexp}.
3560 For each installed package, print the following items, separated by
3561 tabs: the package name, its version string, the part of the package that
3562 is installed (for instance, @code{out} for the default output,
3563 @code{include} for its headers, etc.), and the path of this package in
3566 @item --list-available[=@var{regexp}]
3567 @itemx -A [@var{regexp}]
3568 List packages currently available in the distribution for this system
3569 (@pxref{GNU Distribution}). When @var{regexp} is specified, list only
3570 available packages whose name matches @var{regexp}.
3572 For each package, print the following items separated by tabs: its name,
3573 its version string, the parts of the package (@pxref{Packages with
3574 Multiple Outputs}), and the source location of its definition.
3576 @item --list-generations[=@var{pattern}]
3577 @itemx -l [@var{pattern}]
3579 Return a list of generations along with their creation dates; for each
3580 generation, show the installed packages, with the most recently
3581 installed packages shown last. Note that the zeroth generation is never
3584 For each installed package, print the following items, separated by
3585 tabs: the name of a package, its version string, the part of the package
3586 that is installed (@pxref{Packages with Multiple Outputs}), and the
3587 location of this package in the store.
3589 When @var{pattern} is used, the command returns only matching
3590 generations. Valid patterns include:
3593 @item @emph{Integers and comma-separated integers}. Both patterns denote
3594 generation numbers. For instance, @option{--list-generations=1} returns
3597 And @option{--list-generations=1,8,2} outputs three generations in the
3598 specified order. Neither spaces nor trailing commas are allowed.
3600 @item @emph{Ranges}. @option{--list-generations=2..9} prints the
3601 specified generations and everything in between. Note that the start of
3602 a range must be smaller than its end.
3604 It is also possible to omit the endpoint. For example,
3605 @option{--list-generations=2..}, returns all generations starting from the
3608 @item @emph{Durations}. You can also get the last @emph{N}@tie{}days, weeks,
3609 or months by passing an integer along with the first letter of the
3610 duration. For example, @option{--list-generations=20d} lists generations
3611 that are up to 20 days old.
3614 @item --delete-generations[=@var{pattern}]
3615 @itemx -d [@var{pattern}]
3616 When @var{pattern} is omitted, delete all generations except the current
3619 This command accepts the same patterns as @option{--list-generations}.
3620 When @var{pattern} is specified, delete the matching generations. When
3621 @var{pattern} specifies a duration, generations @emph{older} than the
3622 specified duration match. For instance, @option{--delete-generations=1m}
3623 deletes generations that are more than one month old.
3625 If the current generation matches, it is @emph{not} deleted. Also, the
3626 zeroth generation is never deleted.
3628 Note that deleting generations prevents rolling back to them.
3629 Consequently, this command must be used with care.
3631 @cindex manifest, exporting
3632 @anchor{export-manifest}
3633 @item --export-manifest
3634 Write to standard output a manifest suitable for @option{--manifest}
3635 corresponding to the chosen profile(s).
3637 This option is meant to help you migrate from the ``imperative''
3638 operating mode---running @command{guix install}, @command{guix upgrade},
3639 etc.---to the declarative mode that @option{--manifest} offers.
3641 Be aware that the resulting manifest @emph{approximates} what your
3642 profile actually contains; for instance, depending on how your profile
3643 was created, it can refer to packages or package versions that are not
3644 exactly what you specified.
3646 Keep in mind that a manifest is purely symbolic: it only contains
3647 package names and possibly versions, and their meaning varies over time.
3648 If you wish to ``pin'' channels to the revisions that were used to build
3649 the profile(s), see @option{--export-channels} below.
3651 @cindex pinning, channel revisions of a profile
3652 @item --export-channels
3653 Write to standard output the list of channels used by the chosen
3654 profile(s), in a format suitable for @command{guix pull --channels} or
3655 @command{guix time-machine --channels} (@pxref{Channels}).
3657 Together with @option{--export-manifest}, this option provides
3658 information allowing you to replicate the current profile
3659 (@pxref{Replicating Guix}).
3661 However, note that the output of this command @emph{approximates} what
3662 was actually used to build this profile. In particular, a single
3663 profile might have been built from several different revisions of the
3664 same channel. In that case, @option{--export-manifest} chooses the last
3665 one and writes the list of other revisions in a comment. If you really
3666 need to pick packages from different channel revisions, you can use
3667 inferiors in your manifest to do so (@pxref{Inferiors}).
3669 Together with @option{--export-manifest}, this is a good starting point
3670 if you are willing to migrate from the ``imperative'' model to the fully
3671 declarative model consisting of a manifest file along with a channels
3672 file pinning the exact channel revision(s) you want.
3675 Finally, since @command{guix package} may actually start build
3676 processes, it supports all the common build options (@pxref{Common Build
3677 Options}). It also supports package transformation options, such as
3678 @option{--with-source}, and preserves them across upgrades
3679 (@pxref{Package Transformation Options}).
3682 @section Substitutes
3685 @cindex pre-built binaries
3686 Guix supports transparent source/binary deployment, which means that it
3687 can either build things locally, or download pre-built items from a
3688 server, or both. We call these pre-built items @dfn{substitutes}---they
3689 are substitutes for local build results. In many cases, downloading a
3690 substitute is much faster than building things locally.
3692 Substitutes can be anything resulting from a derivation build
3693 (@pxref{Derivations}). Of course, in the common case, they are
3694 pre-built package binaries, but source tarballs, for instance, which
3695 also result from derivation builds, can be available as substitutes.
3698 * Official Substitute Servers:: One particular source of substitutes.
3699 * Substitute Server Authorization:: How to enable or disable substitutes.
3700 * Getting Substitutes from Other Servers:: Substitute diversity.
3701 * Substitute Authentication:: How Guix verifies substitutes.
3702 * Proxy Settings:: How to get substitutes via proxy.
3703 * Substitution Failure:: What happens when substitution fails.
3704 * On Trusting Binaries:: How can you trust that binary blob?
3707 @node Official Substitute Servers
3708 @subsection Official Substitute Servers
3711 @code{@value{SUBSTITUTE-SERVER-1}} and
3712 @code{@value{SUBSTITUTE-SERVER-2}} are both front-ends to official build
3713 farms that build packages from Guix continuously for some architectures,
3714 and make them available as substitutes. These are the default source of
3715 substitutes; which can be overridden by passing the
3716 @option{--substitute-urls} option either to @command{guix-daemon}
3717 (@pxref{daemon-substitute-urls,, @code{guix-daemon --substitute-urls}})
3718 or to client tools such as @command{guix package}
3719 (@pxref{client-substitute-urls,, client @option{--substitute-urls}
3722 Substitute URLs can be either HTTP or HTTPS.
3723 HTTPS is recommended because communications are encrypted; conversely,
3724 using HTTP makes all communications visible to an eavesdropper, who
3725 could use the information gathered to determine, for instance, whether
3726 your system has unpatched security vulnerabilities.
3728 Substitutes from the official build farms are enabled by default when
3729 using Guix System (@pxref{GNU Distribution}). However,
3730 they are disabled by default when using Guix on a foreign distribution,
3731 unless you have explicitly enabled them via one of the recommended
3732 installation steps (@pxref{Installation}). The following paragraphs
3733 describe how to enable or disable substitutes for the official build
3734 farm; the same procedure can also be used to enable substitutes for any
3735 other substitute server.
3737 @node Substitute Server Authorization
3738 @subsection Substitute Server Authorization
3741 @cindex substitutes, authorization thereof
3742 @cindex access control list (ACL), for substitutes
3743 @cindex ACL (access control list), for substitutes
3744 To allow Guix to download substitutes from @code{@value{SUBSTITUTE-SERVER-1}}, @code{@value{SUBSTITUTE-SERVER-2}} or a mirror, you
3745 must add the relevant public key to the access control list (ACL) of archive
3746 imports, using the @command{guix archive} command (@pxref{Invoking guix
3747 archive}). Doing so implies that you trust the substitute server to not
3748 be compromised and to serve genuine substitutes.
3751 If you are using Guix System, you can skip this section: Guix System
3752 authorizes substitutes from @code{@value{SUBSTITUTE-SERVER-1}} and
3753 @code{@value{SUBSTITUTE-SERVER-2}} by default.
3756 The public keys for each of the project maintained substitute servers
3757 are installed along with Guix, in @code{@var{prefix}/share/guix/}, where
3758 @var{prefix} is the installation prefix of Guix. If you installed Guix
3759 from source, make sure you checked the GPG signature of
3760 @file{guix-@value{VERSION}.tar.gz}, which contains this public key file.
3761 Then, you can run something like this:
3764 # guix archive --authorize < @var{prefix}/share/guix/@value{SUBSTITUTE-SERVER-1}.pub
3765 # guix archive --authorize < @var{prefix}/share/guix/@value{SUBSTITUTE-SERVER-2}.pub
3768 Once this is in place, the output of a command like @code{guix build}
3769 should change from something like:
3772 $ guix build emacs --dry-run
3773 The following derivations would be built:
3774 /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
3775 /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
3776 /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
3777 /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
3785 $ guix build emacs --dry-run
3786 112.3 MB would be downloaded:
3787 /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
3788 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
3789 /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
3790 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
3795 The text changed from ``The following derivations would be built'' to
3796 ``112.3 MB would be downloaded''. This indicates that substitutes from
3797 the configured substitute servers are usable and will be downloaded,
3798 when possible, for future builds.
3800 @cindex substitutes, how to disable
3801 The substitute mechanism can be disabled globally by running
3802 @code{guix-daemon} with @option{--no-substitutes} (@pxref{Invoking
3803 guix-daemon}). It can also be disabled temporarily by passing the
3804 @option{--no-substitutes} option to @command{guix package},
3805 @command{guix build}, and other command-line tools.
3807 @node Getting Substitutes from Other Servers
3808 @subsection Getting Substitutes from Other Servers
3810 @cindex substitute servers, adding more
3811 Guix can look up and fetch substitutes from several servers. This is
3812 useful when you are using packages from additional channels for which
3813 the official server does not have substitutes but another server
3814 provides them. Another situation where this is useful is when you would
3815 prefer to download from your organization's substitute server, resorting
3816 to the official server only as a fallback or dismissing it altogether.
3818 You can give Guix a list of substitute server URLs and it will check
3819 them in the specified order. You also need to explicitly authorize the
3820 public keys of substitute servers to instruct Guix to accept the
3821 substitutes they sign.
3823 On Guix System, this is achieved by modifying the configuration of the
3824 @code{guix} service. Since the @code{guix} service is part of the
3825 default lists of services, @code{%base-services} and
3826 @code{%desktop-services}, you can use @code{modify-services} to change
3827 its configuration and add the URLs and substitute keys that you want
3828 (@pxref{Service Reference, @code{modify-services}}).
3830 As an example, suppose you want to fetch substitutes from
3831 @code{guix.example.org} and to authorize the signing key of that server,
3832 in addition to the default @code{@value{SUBSTITUTE-SERVER-1}} and
3833 @code{@value{SUBSTITUTE-SERVER-2}}. The resulting operating system
3834 configuration will look something like:
3840 ;; Assume we're starting from '%desktop-services'. Replace it
3841 ;; with the list of services you're actually using.
3842 (modify-services %desktop-services
3843 (guix-service-type config =>
3847 (append (list "https://guix.example.org")
3848 %default-substitute-urls))
3850 (append (list (local-file "./key.pub"))
3851 %default-authorized-guix-keys)))))))
3854 This assumes that the file @file{key.pub} contains the signing key of
3855 @code{guix.example.org}. With this change in place in your operating
3856 system configuration file (say @file{/etc/config.scm}), you can
3857 reconfigure and restart the @code{guix-daemon} service or reboot so the
3858 changes take effect:
3861 $ sudo guix system reconfigure /etc/config.scm
3862 $ sudo herd restart guix-daemon
3865 If you're running Guix on a ``foreign distro'', you would instead take
3866 the following steps to get substitutes from additional servers:
3870 Edit the service configuration file for @code{guix-daemon}; when using
3871 systemd, this is normally
3872 @file{/etc/systemd/system/guix-daemon.service}. Add the
3873 @option{--substitute-urls} option on the @command{guix-daemon} command
3874 line and list the URLs of interest (@pxref{daemon-substitute-urls,
3875 @code{guix-daemon --substitute-urls}}):
3878 @dots{} --substitute-urls='https://guix.example.org @value{SUBSTITUTE-URLS}'
3882 Restart the daemon. For systemd, it goes like this:
3885 systemctl daemon-reload
3886 systemctl restart guix-daemon.service
3890 Authorize the key of the new server (@pxref{Invoking guix archive}):
3893 guix archive --authorize < key.pub
3896 Again this assumes @file{key.pub} contains the public key that
3897 @code{guix.example.org} uses to sign substitutes.
3900 Now you're all set! Substitutes will be preferably taken from
3901 @code{https://guix.example.org}, using
3902 @code{@value{SUBSTITUTE-SERVER-1}} then
3903 @code{@value{SUBSTITUTE-SERVER-2}} as fallback options. Of course you
3904 can list as many substitute servers as you like, with the caveat that
3905 substitute lookup can be slowed down if too many servers need to be
3908 Note that there are also situations where one may want to add the URL of
3909 a substitute server @emph{without} authorizing its key.
3910 @xref{Substitute Authentication}, to understand this fine point.
3912 @node Substitute Authentication
3913 @subsection Substitute Authentication
3915 @cindex digital signatures
3916 Guix detects and raises an error when attempting to use a substitute
3917 that has been tampered with. Likewise, it ignores substitutes that are
3918 not signed, or that are not signed by one of the keys listed in the ACL.
3920 There is one exception though: if an unauthorized server provides
3921 substitutes that are @emph{bit-for-bit identical} to those provided by
3922 an authorized server, then the unauthorized server becomes eligible for
3923 downloads. For example, assume we have chosen two substitute servers
3927 --substitute-urls="https://a.example.org https://b.example.org"
3931 @cindex reproducible builds
3932 If the ACL contains only the key for @samp{b.example.org}, and if
3933 @samp{a.example.org} happens to serve the @emph{exact same} substitutes,
3934 then Guix will download substitutes from @samp{a.example.org} because it
3935 comes first in the list and can be considered a mirror of
3936 @samp{b.example.org}. In practice, independent build machines usually
3937 produce the same binaries, thanks to bit-reproducible builds (see
3940 When using HTTPS, the server's X.509 certificate is @emph{not} validated
3941 (in other words, the server is not authenticated), contrary to what
3942 HTTPS clients such as Web browsers usually do. This is because Guix
3943 authenticates substitute information itself, as explained above, which
3944 is what we care about (whereas X.509 certificates are about
3945 authenticating bindings between domain names and public keys).
3947 @node Proxy Settings
3948 @subsection Proxy Settings
3952 Substitutes are downloaded over HTTP or HTTPS@. The @env{http_proxy} and
3953 @env{https_proxy} environment variables can be set in the environment of
3954 @command{guix-daemon} and are honored for downloads of substitutes.
3955 Note that the value of those environment variables in the environment
3956 where @command{guix build}, @command{guix package}, and other client
3957 commands are run has @emph{absolutely no effect}.
3959 @node Substitution Failure
3960 @subsection Substitution Failure
3962 Even when a substitute for a derivation is available, sometimes the
3963 substitution attempt will fail. This can happen for a variety of
3964 reasons: the substitute server might be offline, the substitute may
3965 recently have been deleted, the connection might have been interrupted,
3968 When substitutes are enabled and a substitute for a derivation is
3969 available, but the substitution attempt fails, Guix will attempt to
3970 build the derivation locally depending on whether or not
3971 @option{--fallback} was given (@pxref{fallback-option,, common build
3972 option @option{--fallback}}). Specifically, if @option{--fallback} was
3973 omitted, then no local build will be performed, and the derivation is
3974 considered to have failed. However, if @option{--fallback} was given,
3975 then Guix will attempt to build the derivation locally, and the success
3976 or failure of the derivation depends on the success or failure of the
3977 local build. Note that when substitutes are disabled or no substitute
3978 is available for the derivation in question, a local build will
3979 @emph{always} be performed, regardless of whether or not
3980 @option{--fallback} was given.
3982 To get an idea of how many substitutes are available right now, you can
3983 try running the @command{guix weather} command (@pxref{Invoking guix
3984 weather}). This command provides statistics on the substitutes provided
3987 @node On Trusting Binaries
3988 @subsection On Trusting Binaries
3990 @cindex trust, of pre-built binaries
3991 Today, each individual's control over their own computing is at the
3992 mercy of institutions, corporations, and groups with enough power and
3993 determination to subvert the computing infrastructure and exploit its
3994 weaknesses. While using substitutes can be convenient, we encourage
3995 users to also build on their own, or even run their own build farm, such
3996 that the project run substitute servers are less of an interesting
3997 target. One way to help is by publishing the software you build using
3998 @command{guix publish} so that others have one more choice of server to
3999 download substitutes from (@pxref{Invoking guix publish}).
4001 Guix has the foundations to maximize build reproducibility
4002 (@pxref{Features}). In most cases, independent builds of a given
4003 package or derivation should yield bit-identical results. Thus, through
4004 a diverse set of independent package builds, we can strengthen the
4005 integrity of our systems. The @command{guix challenge} command aims to
4006 help users assess substitute servers, and to assist developers in
4007 finding out about non-deterministic package builds (@pxref{Invoking guix
4008 challenge}). Similarly, the @option{--check} option of @command{guix
4009 build} allows users to check whether previously-installed substitutes
4010 are genuine by rebuilding them locally (@pxref{build-check,
4011 @command{guix build --check}}).
4013 In the future, we want Guix to have support to publish and retrieve
4014 binaries to/from other users, in a peer-to-peer fashion. If you would
4015 like to discuss this project, join us on @email{guix-devel@@gnu.org}.
4017 @node Packages with Multiple Outputs
4018 @section Packages with Multiple Outputs
4020 @cindex multiple-output packages
4021 @cindex package outputs
4024 Often, packages defined in Guix have a single @dfn{output}---i.e., the
4025 source package leads to exactly one directory in the store. When running
4026 @command{guix install glibc}, one installs the default output of the
4027 GNU libc package; the default output is called @code{out}, but its name
4028 can be omitted as shown in this command. In this particular case, the
4029 default output of @code{glibc} contains all the C header files, shared
4030 libraries, static libraries, Info documentation, and other supporting
4033 Sometimes it is more appropriate to separate the various types of files
4034 produced from a single source package into separate outputs. For
4035 instance, the GLib C library (used by GTK+ and related packages)
4036 installs more than 20 MiB of reference documentation as HTML pages.
4037 To save space for users who do not need it, the documentation goes to a
4038 separate output, called @code{doc}. To install the main GLib output,
4039 which contains everything but the documentation, one would run:
4045 @cindex documentation
4046 The command to install its documentation is:
4049 guix install glib:doc
4052 Some packages install programs with different ``dependency footprints''.
4053 For instance, the WordNet package installs both command-line tools and
4054 graphical user interfaces (GUIs). The former depend solely on the C
4055 library, whereas the latter depend on Tcl/Tk and the underlying X
4056 libraries. In this case, we leave the command-line tools in the default
4057 output, whereas the GUIs are in a separate output. This allows users
4058 who do not need the GUIs to save space. The @command{guix size} command
4059 can help find out about such situations (@pxref{Invoking guix size}).
4060 @command{guix graph} can also be helpful (@pxref{Invoking guix graph}).
4062 There are several such multiple-output packages in the GNU distribution.
4063 Other conventional output names include @code{lib} for libraries and
4064 possibly header files, @code{bin} for stand-alone programs, and
4065 @code{debug} for debugging information (@pxref{Installing Debugging
4066 Files}). The outputs of a packages are listed in the third column of
4067 the output of @command{guix package --list-available} (@pxref{Invoking
4071 @node Invoking guix gc
4072 @section Invoking @command{guix gc}
4074 @cindex garbage collector
4076 Packages that are installed, but not used, may be @dfn{garbage-collected}.
4077 The @command{guix gc} command allows users to explicitly run the garbage
4078 collector to reclaim space from the @file{/gnu/store} directory. It is
4079 the @emph{only} way to remove files from @file{/gnu/store}---removing
4080 files or directories manually may break it beyond repair!
4083 @cindex garbage collector roots
4084 The garbage collector has a set of known @dfn{roots}: any file under
4085 @file{/gnu/store} reachable from a root is considered @dfn{live} and
4086 cannot be deleted; any other file is considered @dfn{dead} and may be
4087 deleted. The set of garbage collector roots (``GC roots'' for short)
4088 includes default user profiles; by default, the symlinks under
4089 @file{/var/guix/gcroots} represent these GC roots. New GC roots can be
4090 added with @command{guix build --root}, for example (@pxref{Invoking
4091 guix build}). The @command{guix gc --list-roots} command lists them.
4093 Prior to running @code{guix gc --collect-garbage} to make space, it is
4094 often useful to remove old generations from user profiles; that way, old
4095 package builds referenced by those generations can be reclaimed. This
4096 is achieved by running @code{guix package --delete-generations}
4097 (@pxref{Invoking guix package}).
4099 Our recommendation is to run a garbage collection periodically, or when
4100 you are short on disk space. For instance, to guarantee that at least
4101 5@tie{}GB are available on your disk, simply run:
4107 It is perfectly safe to run as a non-interactive periodic job
4108 (@pxref{Scheduled Job Execution}, for how to set up such a job).
4109 Running @command{guix gc} with no arguments will collect as
4110 much garbage as it can, but that is often inconvenient: you may find
4111 yourself having to rebuild or re-download software that is ``dead'' from
4112 the GC viewpoint but that is necessary to build other pieces of
4113 software---e.g., the compiler tool chain.
4115 The @command{guix gc} command has three modes of operation: it can be
4116 used to garbage-collect any dead files (the default), to delete specific
4117 files (the @option{--delete} option), to print garbage-collector
4118 information, or for more advanced queries. The garbage collection
4119 options are as follows:
4122 @item --collect-garbage[=@var{min}]
4123 @itemx -C [@var{min}]
4124 Collect garbage---i.e., unreachable @file{/gnu/store} files and
4125 sub-directories. This is the default operation when no option is
4128 When @var{min} is given, stop once @var{min} bytes have been collected.
4129 @var{min} may be a number of bytes, or it may include a unit as a
4130 suffix, such as @code{MiB} for mebibytes and @code{GB} for gigabytes
4131 (@pxref{Block size, size specifications,, coreutils, GNU Coreutils}).
4133 When @var{min} is omitted, collect all the garbage.
4135 @item --free-space=@var{free}
4136 @itemx -F @var{free}
4137 Collect garbage until @var{free} space is available under
4138 @file{/gnu/store}, if possible; @var{free} denotes storage space, such
4139 as @code{500MiB}, as described above.
4141 When @var{free} or more is already available in @file{/gnu/store}, do
4142 nothing and exit immediately.
4144 @item --delete-generations[=@var{duration}]
4145 @itemx -d [@var{duration}]
4146 Before starting the garbage collection process, delete all the generations
4147 older than @var{duration}, for all the user profiles; when run as root, this
4148 applies to all the profiles @emph{of all the users}.
4150 For example, this command deletes all the generations of all your profiles
4151 that are older than 2 months (except generations that are current), and then
4152 proceeds to free space until at least 10 GiB are available:
4155 guix gc -d 2m -F 10G
4160 Attempt to delete all the store files and directories specified as
4161 arguments. This fails if some of the files are not in the store, or if
4162 they are still live.
4164 @item --list-failures
4165 List store items corresponding to cached build failures.
4167 This prints nothing unless the daemon was started with
4168 @option{--cache-failures} (@pxref{Invoking guix-daemon,
4169 @option{--cache-failures}}).
4172 List the GC roots owned by the user; when run as root, list @emph{all} the GC
4176 List store items in use by currently running processes. These store
4177 items are effectively considered GC roots: they cannot be deleted.
4179 @item --clear-failures
4180 Remove the specified store items from the failed-build cache.
4182 Again, this option only makes sense when the daemon is started with
4183 @option{--cache-failures}. Otherwise, it does nothing.
4186 Show the list of dead files and directories still present in the
4187 store---i.e., files and directories no longer reachable from any root.
4190 Show the list of live store files and directories.
4194 In addition, the references among existing store files can be queried:
4200 @cindex package dependencies
4201 List the references (respectively, the referrers) of store files given
4207 List the requisites of the store files passed as arguments. Requisites
4208 include the store files themselves, their references, and the references
4209 of these, recursively. In other words, the returned list is the
4210 @dfn{transitive closure} of the store files.
4212 @xref{Invoking guix size}, for a tool to profile the size of the closure
4213 of an element. @xref{Invoking guix graph}, for a tool to visualize
4214 the graph of references.
4218 Return the derivation(s) leading to the given store items
4219 (@pxref{Derivations}).
4221 For example, this command:
4224 guix gc --derivers $(guix package -I ^emacs$ | cut -f4)
4228 returns the @file{.drv} file(s) leading to the @code{emacs} package
4229 installed in your profile.
4231 Note that there may be zero matching @file{.drv} files, for instance
4232 because these files have been garbage-collected. There can also be more
4233 than one matching @file{.drv} due to fixed-output derivations.
4236 Lastly, the following options allow you to check the integrity of the
4237 store and to control disk usage.
4241 @item --verify[=@var{options}]
4242 @cindex integrity, of the store
4243 @cindex integrity checking
4244 Verify the integrity of the store.
4246 By default, make sure that all the store items marked as valid in the
4247 database of the daemon actually exist in @file{/gnu/store}.
4249 When provided, @var{options} must be a comma-separated list containing one
4250 or more of @code{contents} and @code{repair}.
4252 When passing @option{--verify=contents}, the daemon computes the
4253 content hash of each store item and compares it against its hash in the
4254 database. Hash mismatches are reported as data corruptions. Because it
4255 traverses @emph{all the files in the store}, this command can take a
4256 long time, especially on systems with a slow disk drive.
4258 @cindex repairing the store
4259 @cindex corruption, recovering from
4260 Using @option{--verify=repair} or @option{--verify=contents,repair}
4261 causes the daemon to try to repair corrupt store items by fetching
4262 substitutes for them (@pxref{Substitutes}). Because repairing is not
4263 atomic, and thus potentially dangerous, it is available only to the
4264 system administrator. A lightweight alternative, when you know exactly
4265 which items in the store are corrupt, is @command{guix build --repair}
4266 (@pxref{Invoking guix build}).
4269 @cindex deduplication
4270 Optimize the store by hard-linking identical files---this is
4271 @dfn{deduplication}.
4273 The daemon performs deduplication after each successful build or archive
4274 import, unless it was started with @option{--disable-deduplication}
4275 (@pxref{Invoking guix-daemon, @option{--disable-deduplication}}). Thus,
4276 this option is primarily useful when the daemon was running with
4277 @option{--disable-deduplication}.
4281 @node Invoking guix pull
4282 @section Invoking @command{guix pull}
4284 @cindex upgrading Guix
4285 @cindex updating Guix
4286 @cindex @command{guix pull}
4288 @cindex security, @command{guix pull}
4289 @cindex authenticity, of code obtained with @command{guix pull}
4290 Packages are installed or upgraded to the latest version available in
4291 the distribution currently available on your local machine. To update
4292 that distribution, along with the Guix tools, you must run @command{guix
4293 pull}: the command downloads the latest Guix source code and package
4294 descriptions, and deploys it. Source code is downloaded from a
4295 @uref{https://git-scm.com, Git} repository, by default the official
4296 GNU@tie{}Guix repository, though this can be customized. @command{guix
4297 pull} ensures that the code it downloads is @emph{authentic} by
4298 verifying that commits are signed by Guix developers.
4300 Specifically, @command{guix pull} downloads code from the @dfn{channels}
4301 (@pxref{Channels}) specified by one of the followings, in this order:
4305 the @option{--channels} option;
4307 the user's @file{~/.config/guix/channels.scm} file;
4309 the system-wide @file{/etc/guix/channels.scm} file;
4311 the built-in default channels specified in the @code{%default-channels}
4315 On completion, @command{guix package} will use packages and package
4316 versions from this just-retrieved copy of Guix. Not only that, but all
4317 the Guix commands and Scheme modules will also be taken from that latest
4318 version. New @command{guix} sub-commands added by the update also
4321 Any user can update their Guix copy using @command{guix pull}, and the
4322 effect is limited to the user who ran @command{guix pull}. For
4323 instance, when user @code{root} runs @command{guix pull}, this has no
4324 effect on the version of Guix that user @code{alice} sees, and vice
4327 The result of running @command{guix pull} is a @dfn{profile} available
4328 under @file{~/.config/guix/current} containing the latest Guix. Thus,
4329 make sure to add it to the beginning of your search path so that you use
4330 the latest version, and similarly for the Info manual
4331 (@pxref{Documentation}):
4334 export PATH="$HOME/.config/guix/current/bin:$PATH"
4335 export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"
4338 The @option{--list-generations} or @option{-l} option lists past generations
4339 produced by @command{guix pull}, along with details about their provenance:
4343 Generation 1 Jun 10 2018 00:18:18
4345 repository URL: https://git.savannah.gnu.org/git/guix.git
4346 branch: origin/master
4347 commit: 65956ad3526ba09e1f7a40722c96c6ef7c0936fe
4349 Generation 2 Jun 11 2018 11:02:49
4351 repository URL: https://git.savannah.gnu.org/git/guix.git
4352 branch: origin/master
4353 commit: e0cc7f669bec22c37481dd03a7941c7d11a64f1d
4354 2 new packages: keepalived, libnfnetlink
4355 6 packages upgraded: emacs-nix-mode@@2.0.4,
4356 guile2.0-guix@@0.14.0-12.77a1aac, guix@@0.14.0-12.77a1aac,
4357 heimdal@@7.5.0, milkytracker@@1.02.00, nix@@2.0.4
4359 Generation 3 Jun 13 2018 23:31:07 (current)
4361 repository URL: https://git.savannah.gnu.org/git/guix.git
4362 branch: origin/master
4363 commit: 844cc1c8f394f03b404c5bb3aee086922373490c
4364 28 new packages: emacs-helm-ls-git, emacs-helm-mu, @dots{}
4365 69 packages upgraded: borg@@1.1.6, cheese@@3.28.0, @dots{}
4368 @xref{Invoking guix describe, @command{guix describe}}, for other ways to
4369 describe the current status of Guix.
4371 This @code{~/.config/guix/current} profile works exactly like the profiles
4372 created by @command{guix package} (@pxref{Invoking guix package}). That
4373 is, you can list generations, roll back to the previous
4374 generation---i.e., the previous Guix---and so on:
4377 $ guix pull --roll-back
4378 switched from generation 3 to 2
4379 $ guix pull --delete-generations=1
4380 deleting /var/guix/profiles/per-user/charlie/current-guix-1-link
4383 You can also use @command{guix package} (@pxref{Invoking guix package})
4384 to manage the profile by naming it explicitly:
4386 $ guix package -p ~/.config/guix/current --roll-back
4387 switched from generation 3 to 2
4388 $ guix package -p ~/.config/guix/current --delete-generations=1
4389 deleting /var/guix/profiles/per-user/charlie/current-guix-1-link
4392 The @command{guix pull} command is usually invoked with no arguments,
4393 but it supports the following options:
4396 @item --url=@var{url}
4397 @itemx --commit=@var{commit}
4398 @itemx --branch=@var{branch}
4399 Download code for the @code{guix} channel from the specified @var{url}, at the
4400 given @var{commit} (a valid Git commit ID represented as a hexadecimal
4401 string), or @var{branch}.
4403 @cindex @file{channels.scm}, configuration file
4404 @cindex configuration file for channels
4405 These options are provided for convenience, but you can also specify your
4406 configuration in the @file{~/.config/guix/channels.scm} file or using the
4407 @option{--channels} option (see below).
4409 @item --channels=@var{file}
4410 @itemx -C @var{file}
4411 Read the list of channels from @var{file} instead of
4412 @file{~/.config/guix/channels.scm} or @file{/etc/guix/channels.scm}.
4413 @var{file} must contain Scheme code that
4414 evaluates to a list of channel objects. @xref{Channels}, for more
4417 @cindex channel news
4420 Display the list of packages added or upgraded since the previous
4421 generation, as well as, occasionally, news written by channel authors
4422 for their users (@pxref{Channels, Writing Channel News}).
4424 The package information is the same as displayed upon @command{guix
4425 pull} completion, but without ellipses; it is also similar to the output
4426 of @command{guix pull -l} for the last generation (see below).
4428 @item --list-generations[=@var{pattern}]
4429 @itemx -l [@var{pattern}]
4430 List all the generations of @file{~/.config/guix/current} or, if @var{pattern}
4431 is provided, the subset of generations that match @var{pattern}.
4432 The syntax of @var{pattern} is the same as with @code{guix package
4433 --list-generations} (@pxref{Invoking guix package}).
4436 @cindex rolling back
4437 @cindex undoing transactions
4438 @cindex transactions, undoing
4439 Roll back to the previous @dfn{generation} of @file{~/.config/guix/current}---i.e.,
4440 undo the last transaction.
4442 @item --switch-generation=@var{pattern}
4443 @itemx -S @var{pattern}
4445 Switch to a particular generation defined by @var{pattern}.
4447 @var{pattern} may be either a generation number or a number prefixed
4448 with ``+'' or ``-''. The latter means: move forward/backward by a
4449 specified number of generations. For example, if you want to return to
4450 the latest generation after @option{--roll-back}, use
4451 @option{--switch-generation=+1}.
4453 @item --delete-generations[=@var{pattern}]
4454 @itemx -d [@var{pattern}]
4455 When @var{pattern} is omitted, delete all generations except the current
4458 This command accepts the same patterns as @option{--list-generations}.
4459 When @var{pattern} is specified, delete the matching generations. When
4460 @var{pattern} specifies a duration, generations @emph{older} than the
4461 specified duration match. For instance, @option{--delete-generations=1m}
4462 deletes generations that are more than one month old.
4464 If the current generation matches, it is @emph{not} deleted.
4466 Note that deleting generations prevents rolling back to them.
4467 Consequently, this command must be used with care.
4469 @xref{Invoking guix describe}, for a way to display information about the
4470 current generation only.
4472 @item --profile=@var{profile}
4473 @itemx -p @var{profile}
4474 Use @var{profile} instead of @file{~/.config/guix/current}.
4478 Show which channel commit(s) would be used and what would be built or
4479 substituted but do not actually do it.
4481 @item --allow-downgrades
4482 Allow pulling older or unrelated revisions of channels than those
4485 @cindex downgrade attacks, protection against
4486 By default, @command{guix pull} protects against so-called ``downgrade
4487 attacks'' whereby the Git repository of a channel would be reset to an
4488 earlier or unrelated revision of itself, potentially leading you to
4489 install older, known-vulnerable versions of software packages.
4492 Make sure you understand its security implications before using
4493 @option{--allow-downgrades}.
4496 @item --disable-authentication
4497 Allow pulling channel code without authenticating it.
4499 @cindex authentication, of channel code
4500 By default, @command{guix pull} authenticates code downloaded from
4501 channels by verifying that its commits are signed by authorized
4502 developers, and raises an error if this is not the case. This option
4503 instructs it to not perform any such verification.
4506 Make sure you understand its security implications before using
4507 @option{--disable-authentication}.
4510 @item --system=@var{system}
4511 @itemx -s @var{system}
4512 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
4513 the system type of the build host.
4516 Use the bootstrap Guile to build the latest Guix. This option is only
4517 useful to Guix developers.
4520 The @dfn{channel} mechanism allows you to instruct @command{guix pull} which
4521 repository and branch to pull from, as well as @emph{additional} repositories
4522 containing package modules that should be deployed. @xref{Channels}, for more
4525 In addition, @command{guix pull} supports all the common build options
4526 (@pxref{Common Build Options}).
4528 @node Invoking guix time-machine
4529 @section Invoking @command{guix time-machine}
4531 @cindex @command{guix time-machine}
4532 @cindex pinning, channels
4533 @cindex replicating Guix
4534 @cindex reproducibility, of Guix
4536 The @command{guix time-machine} command provides access to other
4537 revisions of Guix, for example to install older versions of packages,
4538 or to reproduce a computation in an identical environment. The revision
4539 of Guix to be used is defined by a commit or by a channel
4540 description file created by @command{guix describe}
4541 (@pxref{Invoking guix describe}).
4543 The general syntax is:
4546 guix time-machine @var{options}@dots{} -- @var{command} @var {arg}@dots{}
4549 where @var{command} and @var{arg}@dots{} are passed unmodified to the
4550 @command{guix} command of the specified revision. The @var{options} that define
4551 this revision are the same as for @command{guix pull} (@pxref{Invoking guix pull}):
4554 @item --url=@var{url}
4555 @itemx --commit=@var{commit}
4556 @itemx --branch=@var{branch}
4557 Use the @code{guix} channel from the specified @var{url}, at the
4558 given @var{commit} (a valid Git commit ID represented as a hexadecimal
4559 string), or @var{branch}.
4561 @item --channels=@var{file}
4562 @itemx -C @var{file}
4563 Read the list of channels from @var{file}. @var{file} must contain
4564 Scheme code that evaluates to a list of channel objects.
4565 @xref{Channels} for more information.
4568 As for @command{guix pull}, the absence of any options means that the
4569 latest commit on the master branch will be used. The command
4572 guix time-machine -- build hello
4575 will thus build the package @code{hello} as defined in the master branch,
4576 which is in general a newer revision of Guix than you have installed.
4577 Time travel works in both directions!
4579 Note that @command{guix time-machine} can trigger builds of channels and
4580 their dependencies, and these are controlled by the standard build
4581 options (@pxref{Common Build Options}).
4586 @c TODO: Remove this once we're more confident about API stability.
4588 The functionality described here is a ``technology preview'' as of version
4589 @value{VERSION}. As such, the interface is subject to change.
4593 @cindex composition of Guix revisions
4594 Sometimes you might need to mix packages from the revision of Guix you're
4595 currently running with packages available in a different revision of Guix.
4596 Guix @dfn{inferiors} allow you to achieve that by composing different Guix
4597 revisions in arbitrary ways.
4599 @cindex inferior packages
4600 Technically, an ``inferior'' is essentially a separate Guix process connected
4601 to your main Guix process through a REPL (@pxref{Invoking guix repl}). The
4602 @code{(guix inferior)} module allows you to create inferiors and to
4603 communicate with them. It also provides a high-level interface to browse and
4604 manipulate the packages that an inferior provides---@dfn{inferior packages}.
4606 When combined with channels (@pxref{Channels}), inferiors provide a simple way
4607 to interact with a separate revision of Guix. For example, let's assume you
4608 want to install in your profile the current @code{guile} package, along with
4609 the @code{guile-json} as it existed in an older revision of Guix---perhaps
4610 because the newer @code{guile-json} has an incompatible API and you want to
4611 run your code against the old API@. To do that, you could write a manifest for
4612 use by @code{guix package --manifest} (@pxref{Invoking guix package}); in that
4613 manifest, you would create an inferior for that old Guix revision you care
4614 about, and you would look up the @code{guile-json} package in the inferior:
4617 (use-modules (guix inferior) (guix channels)
4618 (srfi srfi-1)) ;for 'first'
4621 ;; This is the old revision from which we want to
4622 ;; extract guile-json.
4625 (url "https://git.savannah.gnu.org/git/guix.git")
4627 "65956ad3526ba09e1f7a40722c96c6ef7c0936fe"))))
4630 ;; An inferior representing the above revision.
4631 (inferior-for-channels channels))
4633 ;; Now create a manifest with the current "guile" package
4634 ;; and the old "guile-json" package.
4636 (list (first (lookup-inferior-packages inferior "guile-json"))
4637 (specification->package "guile")))
4640 On its first run, @command{guix package --manifest} might have to build the
4641 channel you specified before it can create the inferior; subsequent runs will
4642 be much faster because the Guix revision will be cached.
4644 The @code{(guix inferior)} module provides the following procedures to open an
4647 @deffn {Scheme Procedure} inferior-for-channels @var{channels} @
4648 [#:cache-directory] [#:ttl]
4649 Return an inferior for @var{channels}, a list of channels. Use the cache at
4650 @var{cache-directory}, where entries can be reclaimed after @var{ttl} seconds.
4651 This procedure opens a new connection to the build daemon.
4653 As a side effect, this procedure may build or substitute binaries for
4654 @var{channels}, which can take time.
4657 @deffn {Scheme Procedure} open-inferior @var{directory} @
4658 [#:command "bin/guix"]
4659 Open the inferior Guix in @var{directory}, running
4660 @code{@var{directory}/@var{command} repl} or equivalent. Return @code{#f} if
4661 the inferior could not be launched.
4664 @cindex inferior packages
4665 The procedures listed below allow you to obtain and manipulate inferior
4668 @deffn {Scheme Procedure} inferior-packages @var{inferior}
4669 Return the list of packages known to @var{inferior}.
4672 @deffn {Scheme Procedure} lookup-inferior-packages @var{inferior} @var{name} @
4674 Return the sorted list of inferior packages matching @var{name} in
4675 @var{inferior}, with highest version numbers first. If @var{version} is true,
4676 return only packages with a version number prefixed by @var{version}.
4679 @deffn {Scheme Procedure} inferior-package? @var{obj}
4680 Return true if @var{obj} is an inferior package.
4683 @deffn {Scheme Procedure} inferior-package-name @var{package}
4684 @deffnx {Scheme Procedure} inferior-package-version @var{package}
4685 @deffnx {Scheme Procedure} inferior-package-synopsis @var{package}
4686 @deffnx {Scheme Procedure} inferior-package-description @var{package}
4687 @deffnx {Scheme Procedure} inferior-package-home-page @var{package}
4688 @deffnx {Scheme Procedure} inferior-package-location @var{package}
4689 @deffnx {Scheme Procedure} inferior-package-inputs @var{package}
4690 @deffnx {Scheme Procedure} inferior-package-native-inputs @var{package}
4691 @deffnx {Scheme Procedure} inferior-package-propagated-inputs @var{package}
4692 @deffnx {Scheme Procedure} inferior-package-transitive-propagated-inputs @var{package}
4693 @deffnx {Scheme Procedure} inferior-package-native-search-paths @var{package}
4694 @deffnx {Scheme Procedure} inferior-package-transitive-native-search-paths @var{package}
4695 @deffnx {Scheme Procedure} inferior-package-search-paths @var{package}
4696 These procedures are the counterpart of package record accessors
4697 (@pxref{package Reference}). Most of them work by querying the inferior
4698 @var{package} comes from, so the inferior must still be live when you call
4702 Inferior packages can be used transparently like any other package or
4703 file-like object in G-expressions (@pxref{G-Expressions}). They are also
4704 transparently handled by the @code{packages->manifest} procedure, which is
4705 commonly used in manifests (@pxref{Invoking guix package, the
4706 @option{--manifest} option of @command{guix package}}). Thus you can insert
4707 an inferior package pretty much anywhere you would insert a regular package:
4708 in manifests, in the @code{packages} field of your @code{operating-system}
4709 declaration, and so on.
4711 @node Invoking guix describe
4712 @section Invoking @command{guix describe}
4714 @cindex reproducibility
4715 @cindex replicating Guix
4716 Often you may want to answer questions like: ``Which revision of Guix am I
4717 using?'' or ``Which channels am I using?'' This is useful information in many
4718 situations: if you want to @emph{replicate} an environment on a different
4719 machine or user account, if you want to report a bug or to determine what
4720 change in the channels you are using caused it, or if you want to record your
4721 system state for reproducibility purposes. The @command{guix describe}
4722 command answers these questions.
4724 When run from a @command{guix pull}ed @command{guix}, @command{guix describe}
4725 displays the channel(s) that it was built from, including their repository URL
4726 and commit IDs (@pxref{Channels}):
4730 Generation 10 Sep 03 2018 17:32:44 (current)
4732 repository URL: https://git.savannah.gnu.org/git/guix.git
4734 commit: e0fa68c7718fffd33d81af415279d6ddb518f727
4737 If you're familiar with the Git version control system, this is similar in
4738 spirit to @command{git describe}; the output is also similar to that of
4739 @command{guix pull --list-generations}, but limited to the current generation
4740 (@pxref{Invoking guix pull, the @option{--list-generations} option}). Because
4741 the Git commit ID shown above unambiguously refers to a snapshot of Guix, this
4742 information is all it takes to describe the revision of Guix you're using, and
4743 also to replicate it.
4745 To make it easier to replicate Guix, @command{guix describe} can also be asked
4746 to return a list of channels instead of the human-readable description above:
4749 $ guix describe -f channels
4752 (url "https://git.savannah.gnu.org/git/guix.git")
4754 "e0fa68c7718fffd33d81af415279d6ddb518f727")
4756 (make-channel-introduction
4757 "9edb3f66fd807b096b48283debdcddccfea34bad"
4758 (openpgp-fingerprint
4759 "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))))
4763 You can save this to a file and feed it to @command{guix pull -C} on some
4764 other machine or at a later point in time, which will instantiate @emph{this
4765 exact Guix revision} (@pxref{Invoking guix pull, the @option{-C} option}).
4766 From there on, since you're able to deploy the same revision of Guix, you can
4767 just as well @emph{replicate a complete software environment}. We humbly
4768 think that this is @emph{awesome}, and we hope you'll like it too!
4770 The details of the options supported by @command{guix describe} are as
4774 @item --format=@var{format}
4775 @itemx -f @var{format}
4776 Produce output in the specified @var{format}, one of:
4780 produce human-readable output;
4782 produce a list of channel specifications that can be passed to @command{guix
4783 pull -C} or installed as @file{~/.config/guix/channels.scm} (@pxref{Invoking
4785 @item channels-sans-intro
4786 like @code{channels}, but omit the @code{introduction} field; use it to
4787 produce a channel specification suitable for Guix version 1.1.0 or
4788 earlier---the @code{introduction} field has to do with channel
4789 authentication (@pxref{Channels, Channel Authentication}) and is not
4790 supported by these older versions;
4793 produce a list of channel specifications in JSON format;
4795 produce a list of channel specifications in Recutils format.
4798 @item --list-formats
4799 Display available formats for @option{--format} option.
4801 @item --profile=@var{profile}
4802 @itemx -p @var{profile}
4803 Display information about @var{profile}.
4806 @node Invoking guix archive
4807 @section Invoking @command{guix archive}
4809 @cindex @command{guix archive}
4811 The @command{guix archive} command allows users to @dfn{export} files
4812 from the store into a single archive, and to later @dfn{import} them on
4813 a machine that runs Guix.
4814 In particular, it allows store files to be transferred from one machine
4815 to the store on another machine.
4818 If you're looking for a way to produce archives in a format suitable for
4819 tools other than Guix, @pxref{Invoking guix pack}.
4822 @cindex exporting store items
4823 To export store files as an archive to standard output, run:
4826 guix archive --export @var{options} @var{specifications}...
4829 @var{specifications} may be either store file names or package
4830 specifications, as for @command{guix package} (@pxref{Invoking guix
4831 package}). For instance, the following command creates an archive
4832 containing the @code{gui} output of the @code{git} package and the main
4833 output of @code{emacs}:
4836 guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar
4839 If the specified packages are not built yet, @command{guix archive}
4840 automatically builds them. The build process may be controlled with the
4841 common build options (@pxref{Common Build Options}).
4843 To transfer the @code{emacs} package to a machine connected over SSH,
4847 guix archive --export -r emacs | ssh the-machine guix archive --import
4851 Similarly, a complete user profile may be transferred from one machine
4852 to another like this:
4855 guix archive --export -r $(readlink -f ~/.guix-profile) | \
4856 ssh the-machine guix archive --import
4860 However, note that, in both examples, all of @code{emacs} and the
4861 profile as well as all of their dependencies are transferred (due to
4862 @option{-r}), regardless of what is already available in the store on
4863 the target machine. The @option{--missing} option can help figure out
4864 which items are missing from the target store. The @command{guix copy}
4865 command simplifies and optimizes this whole process, so this is probably
4866 what you should use in this case (@pxref{Invoking guix copy}).
4868 @cindex nar, archive format
4869 @cindex normalized archive (nar)
4870 @cindex nar bundle, archive format
4871 Each store item is written in the @dfn{normalized archive} or @dfn{nar}
4872 format (described below), and the output of @command{guix archive
4873 --export} (and input of @command{guix archive --import}) is a @dfn{nar
4877 comparable in spirit to `tar', but with differences
4878 that make it more appropriate for our purposes. First, rather than
4879 recording all Unix metadata for each file, the nar format only mentions
4880 the file type (regular, directory, or symbolic link); Unix permissions
4881 and owner/group are dismissed. Second, the order in which directory
4882 entries are stored always follows the order of file names according to
4883 the C locale collation order. This makes archive production fully
4886 That nar bundle format is essentially the concatenation of zero or more
4887 nars along with metadata for each store item it contains: its file name,
4888 references, corresponding derivation, and a digital signature.
4890 When exporting, the daemon digitally signs the contents of the archive,
4891 and that digital signature is appended. When importing, the daemon
4892 verifies the signature and rejects the import in case of an invalid
4893 signature or if the signing key is not authorized.
4894 @c FIXME: Add xref to daemon doc about signatures.
4896 The main options are:
4900 Export the specified store files or packages (see below). Write the
4901 resulting archive to the standard output.
4903 Dependencies are @emph{not} included in the output, unless
4904 @option{--recursive} is passed.
4908 When combined with @option{--export}, this instructs @command{guix archive}
4909 to include dependencies of the given items in the archive. Thus, the
4910 resulting archive is self-contained: it contains the closure of the
4911 exported store items.
4914 Read an archive from the standard input, and import the files listed
4915 therein into the store. Abort if the archive has an invalid digital
4916 signature, or if it is signed by a public key not among the authorized
4917 keys (see @option{--authorize} below).
4920 Read a list of store file names from the standard input, one per line,
4921 and write on the standard output the subset of these files missing from
4924 @item --generate-key[=@var{parameters}]
4925 @cindex signing, archives
4926 Generate a new key pair for the daemon. This is a prerequisite before
4927 archives can be exported with @option{--export}. This
4928 operation is usually instantaneous but it can take time if the system's
4929 entropy pool needs to be refilled. On Guix System,
4930 @code{guix-service-type} takes care of generating this key pair the
4933 The generated key pair is typically stored under @file{/etc/guix}, in
4934 @file{signing-key.pub} (public key) and @file{signing-key.sec} (private
4935 key, which must be kept secret). When @var{parameters} is omitted,
4936 an ECDSA key using the Ed25519 curve is generated, or, for Libgcrypt
4937 versions before 1.6.0, it is a 4096-bit RSA key.
4938 Alternatively, @var{parameters} can specify
4939 @code{genkey} parameters suitable for Libgcrypt (@pxref{General
4940 public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The
4941 Libgcrypt Reference Manual}).
4944 @cindex authorizing, archives
4945 Authorize imports signed by the public key passed on standard input.
4946 The public key must be in ``s-expression advanced format''---i.e., the
4947 same format as the @file{signing-key.pub} file.
4949 The list of authorized keys is kept in the human-editable file
4950 @file{/etc/guix/acl}. The file contains
4951 @url{https://people.csail.mit.edu/rivest/Sexp.txt, ``advanced-format
4952 s-expressions''} and is structured as an access-control list in the
4953 @url{https://theworld.com/~cme/spki.txt, Simple Public-Key Infrastructure
4956 @item --extract=@var{directory}
4957 @itemx -x @var{directory}
4958 Read a single-item archive as served by substitute servers
4959 (@pxref{Substitutes}) and extract it to @var{directory}. This is a
4960 low-level operation needed in only very narrow use cases; see below.
4962 For example, the following command extracts the substitute for Emacs
4963 served by @code{@value{SUBSTITUTE-SERVER-1}} to @file{/tmp/emacs}:
4967 https://@value{SUBSTITUTE-SERVER-1}/nar/gzip/@dots{}-emacs-24.5 \
4968 | gunzip | guix archive -x /tmp/emacs
4971 Single-item archives are different from multiple-item archives produced
4972 by @command{guix archive --export}; they contain a single store item,
4973 and they do @emph{not} embed a signature. Thus this operation does
4974 @emph{no} signature verification and its output should be considered
4977 The primary purpose of this operation is to facilitate inspection of
4978 archive contents coming from possibly untrusted substitute servers
4979 (@pxref{Invoking guix challenge}).
4983 Read a single-item archive as served by substitute servers
4984 (@pxref{Substitutes}) and print the list of files it contains, as in
4989 https://@value{SUBSTITUTE-SERVER-1}/nar/lzip/@dots{}-emacs-26.3 \
4990 | lzip -d | guix archive -t
4995 @c *********************************************************************
5000 @cindex @file{channels.scm}, configuration file
5001 @cindex configuration file for channels
5002 @cindex @command{guix pull}, configuration file
5003 @cindex configuration of @command{guix pull}
5004 Guix and its package collection are updated by running @command{guix pull}
5005 (@pxref{Invoking guix pull}). By default @command{guix pull} downloads and
5006 deploys Guix itself from the official GNU@tie{}Guix repository. This can be
5007 customized by defining @dfn{channels} in the
5008 @file{~/.config/guix/channels.scm} file. A channel specifies a URL and branch
5009 of a Git repository to be deployed, and @command{guix pull} can be instructed
5010 to pull from one or more channels. In other words, channels can be used
5011 to @emph{customize} and to @emph{extend} Guix, as we will see below.
5012 Guix is able to take into account security concerns and deal with authenticated
5016 * Specifying Additional Channels:: Extending the package collection.
5017 * Using a Custom Guix Channel:: Using a customized Guix.
5018 * Replicating Guix:: Running the @emph{exact same} Guix.
5019 * Channel Authentication:: How Guix verifies what it fetches.
5020 * Channels with Substitutes:: Using channels with available substitutes.
5021 * Creating a Channel:: How to write your custom channel.
5022 * Package Modules in a Sub-directory:: Specifying the channel's package modules location.
5023 * Declaring Channel Dependencies:: How to depend on other channels.
5024 * Specifying Channel Authorizations:: Defining channel authors authorizations.
5025 * Primary URL:: Distinguishing mirror to original.
5026 * Writing Channel News:: Communicating information to channel's users.
5029 @node Specifying Additional Channels
5030 @section Specifying Additional Channels
5032 @cindex extending the package collection (channels)
5033 @cindex variant packages (channels)
5034 You can specify @emph{additional channels} to pull from. To use a channel, write
5035 @code{~/.config/guix/channels.scm} to instruct @command{guix pull} to pull from it
5036 @emph{in addition} to the default Guix channel(s):
5038 @vindex %default-channels
5040 ;; Add variant packages to those Guix provides.
5042 (name 'variant-packages)
5043 (url "https://example.org/variant-packages.git"))
5048 Note that the snippet above is (as always!)@: Scheme code; we use @code{cons} to
5049 add a channel the list of channels that the variable @code{%default-channels}
5050 is bound to (@pxref{Pairs, @code{cons} and lists,, guile, GNU Guile Reference
5051 Manual}). With this file in place, @command{guix pull} builds not only Guix
5052 but also the package modules from your own repository. The result in
5053 @file{~/.config/guix/current} is the union of Guix with your own package
5057 $ guix pull --list-generations
5059 Generation 19 Aug 27 2018 16:20:48
5061 repository URL: https://git.savannah.gnu.org/git/guix.git
5063 commit: d894ab8e9bfabcefa6c49d9ba2e834dd5a73a300
5064 variant-packages dd3df5e
5065 repository URL: https://example.org/variant-packages.git
5067 commit: dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb
5068 11 new packages: variant-gimp, variant-emacs-with-cool-features, @dots{}
5069 4 packages upgraded: emacs-racket-mode@@0.0.2-2.1b78827, @dots{}
5073 The output of @command{guix pull} above shows that Generation@tie{}19 includes
5074 both Guix and packages from the @code{variant-personal-packages} channel. Among
5075 the new and upgraded packages that are listed, some like @code{variant-gimp} and
5076 @code{variant-emacs-with-cool-features} might come from
5077 @code{variant-packages}, while others come from the Guix default channel.
5079 @node Using a Custom Guix Channel
5080 @section Using a Custom Guix Channel
5082 The channel called @code{guix} specifies where Guix itself---its command-line
5083 tools as well as its package collection---should be downloaded. For instance,
5084 suppose you want to update from another copy of the Guix repository at
5085 @code{example.org}, and specifically the @code{super-hacks} branch, you can
5086 write in @code{~/.config/guix/channels.scm} this specification:
5089 ;; Tell 'guix pull' to use another repo.
5092 (url "https://example.org/another-guix.git")
5093 (branch "super-hacks")))
5097 From there on, @command{guix pull} will fetch code from the @code{super-hacks}
5098 branch of the repository at @code{example.org}. The authentication concern is
5099 addressed below ((@pxref{Channel Authentication}).
5101 @node Replicating Guix
5102 @section Replicating Guix
5104 @cindex pinning, channels
5105 @cindex replicating Guix
5106 @cindex reproducibility, of Guix
5107 The @command{guix pull --list-generations} output above shows precisely which
5108 commits were used to build this instance of Guix. We can thus replicate it,
5109 say, on another machine, by providing a channel specification in
5110 @file{~/.config/guix/channels.scm} that is ``pinned'' to these commits:
5113 ;; Deploy specific commits of my channels of interest.
5116 (url "https://git.savannah.gnu.org/git/guix.git")
5117 (commit "6298c3ffd9654d3231a6f25390b056483e8f407c"))
5119 (name 'variant-packages)
5120 (url "https://example.org/variant-packages.git")
5121 (commit "dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb")))
5124 The @command{guix describe --format=channels} command can even generate this
5125 list of channels directly (@pxref{Invoking guix describe}). The resulting
5126 file can be used with the -C options of @command{guix pull}
5127 (@pxref{Invoking guix pull}) or @command{guix time-machine}
5128 (@pxref{Invoking guix time-machine}).
5130 At this point the two machines run the @emph{exact same Guix}, with access to
5131 the @emph{exact same packages}. The output of @command{guix build gimp} on
5132 one machine will be exactly the same, bit for bit, as the output of the same
5133 command on the other machine. It also means both machines have access to all
5134 the source code of Guix and, transitively, to all the source code of every
5137 This gives you super powers, allowing you to track the provenance of binary
5138 artifacts with very fine grain, and to reproduce software environments at
5139 will---some sort of ``meta reproducibility'' capabilities, if you will.
5140 @xref{Inferiors}, for another way to take advantage of these super powers.
5142 @node Channel Authentication
5143 @section Channel Authentication
5145 @anchor{channel-authentication}
5146 @cindex authentication, of channel code
5147 The @command{guix pull} and @command{guix time-machine} commands
5148 @dfn{authenticate} the code retrieved from channels: they make sure each
5149 commit that is fetched is signed by an authorized developer. The goal
5150 is to protect from unauthorized modifications to the channel that would
5151 lead users to run malicious code.
5153 As a user, you must provide a @dfn{channel introduction} in your
5154 channels file so that Guix knows how to authenticate its first commit.
5155 A channel specification, including its introduction, looks something
5160 (name 'some-channel)
5161 (url "https://example.org/some-channel.git")
5163 (make-channel-introduction
5164 "6f0d8cc0d88abb59c324b2990bfee2876016bb86"
5165 (openpgp-fingerprint
5166 "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
5169 The specification above shows the name and URL of the channel. The call
5170 to @code{make-channel-introduction} above specifies that authentication
5171 of this channel starts at commit @code{6f0d8cc@dots{}}, which is signed
5172 by the OpenPGP key with fingerprint @code{CABB A931@dots{}}.
5174 For the main channel, called @code{guix}, you automatically get that
5175 information from your Guix installation. For other channels, include
5176 the channel introduction provided by the channel authors in your
5177 @file{channels.scm} file. Make sure you retrieve the channel
5178 introduction from a trusted source since that is the root of your trust.
5180 If you're curious about the authentication mechanics, read on!
5182 @node Channels with Substitutes
5183 @section Channels with Substitutes
5185 When running @command{guix pull}, Guix will first compile the
5186 definitions of every available package. This is an expensive operation
5187 for which substitutes (@pxref{Substitutes}) may be available. The
5188 following snippet in @file{channels.scm} will ensure that @command{guix
5189 pull} uses the latest commit with available substitutes for the package
5190 definitions: this is done by querying the continuous integration
5191 server at @url{https://ci.guix.gnu.org}.
5194 (use-modules (guix ci))
5196 (list (channel-with-substitutes-available
5197 %default-guix-channel
5198 "https://ci.guix.gnu.org"))
5201 Note that this does not mean that all the packages that you will
5202 install after running @command{guix pull} will have available
5203 substitutes. It only ensures that @command{guix pull} will not try to
5204 compile package definitions. This is particularly useful when using
5205 machines with limited resources.
5207 @node Creating a Channel
5208 @section Creating a Channel
5210 @cindex personal packages (channels)
5211 @cindex channels, for personal packages
5212 Let's say you have a bunch of custom package variants or personal packages
5213 that you think would make little sense to contribute to the Guix project, but
5214 would like to have these packages transparently available to you at the
5215 command line. You would first write modules containing those package
5216 definitions (@pxref{Package Modules}), maintain them in a Git repository, and
5217 then you and anyone else can use it as an additional channel to get packages
5220 @c What follows stems from discussions at
5221 @c <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22629#134> as well as
5222 @c earlier discussions on guix-devel@gnu.org.
5224 Before you, dear user, shout---``woow this is @emph{soooo coool}!''---and
5225 publish your personal channel to the world, we would like to share a few words
5230 Before publishing a channel, please consider contributing your package
5231 definitions to Guix proper (@pxref{Contributing}). Guix as a project is open
5232 to free software of all sorts, and packages in Guix proper are readily
5233 available to all Guix users and benefit from the project's quality assurance
5237 When you maintain package definitions outside Guix, we, Guix developers,
5238 consider that @emph{the compatibility burden is on you}. Remember that
5239 package modules and package definitions are just Scheme code that uses various
5240 programming interfaces (APIs). We want to remain free to change these APIs to
5241 keep improving Guix, possibly in ways that break your channel. We never
5242 change APIs gratuitously, but we will @emph{not} commit to freezing APIs
5246 Corollary: if you're using an external channel and that channel breaks, please
5247 @emph{report the issue to the channel authors}, not to the Guix project.
5250 You've been warned! Having said this, we believe external channels are a
5251 practical way to exert your freedom to augment Guix' package collection and to
5252 share your improvements, which are basic tenets of
5253 @uref{https://www.gnu.org/philosophy/free-sw.html, free software}. Please
5254 email us at @email{guix-devel@@gnu.org} if you'd like to discuss this.
5257 To create a channel, create a Git repository containing your own package
5258 modules and make it available. The repository can contain anything, but a
5259 useful channel will contain Guile modules that export packages. Once you
5260 start using a channel, Guix will behave as if the root directory of that
5261 channel's Git repository has been added to the Guile load path (@pxref{Load
5262 Paths,,, guile, GNU Guile Reference Manual}). For example, if your channel
5263 contains a file at @file{my-packages/my-tools.scm} that defines a Guile
5264 module, then the module will be available under the name @code{(my-packages
5265 my-tools)}, and you will be able to use it like any other module
5266 (@pxref{Modules,,, guile, GNU Guile Reference Manual}).
5268 As a channel author, consider bundling authentication material with your
5269 channel so that users can authenticate it. @xref{Channel
5270 Authentication}, and @ref{Specifying Channel Authorizations}, for info
5274 @node Package Modules in a Sub-directory
5275 @section Package Modules in a Sub-directory
5277 @cindex subdirectory, channels
5278 As a channel author, you may want to keep your channel modules in a
5279 sub-directory. If your modules are in the sub-directory @file{guix}, you must
5280 add a meta-data file @file{.guix-channel} that contains:
5288 @node Declaring Channel Dependencies
5289 @section Declaring Channel Dependencies
5291 @cindex dependencies, channels
5292 @cindex meta-data, channels
5293 Channel authors may decide to augment a package collection provided by other
5294 channels. They can declare their channel to be dependent on other channels in
5295 a meta-data file @file{.guix-channel}, which is to be placed in the root of
5296 the channel repository.
5298 The meta-data file should contain a simple S-expression like this:
5305 (name some-collection)
5306 (url "https://example.org/first-collection.git")
5308 ;; The 'introduction' bit below is optional: you would
5309 ;; provide it for dependencies that can be authenticated.
5311 (channel-introduction
5313 (commit "a8883b58dc82e167c96506cf05095f37c2c2c6cd")
5314 (signer "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
5316 (name some-other-collection)
5317 (url "https://example.org/second-collection.git")
5318 (branch "testing"))))
5321 In the above example this channel is declared to depend on two other channels,
5322 which will both be fetched automatically. The modules provided by the channel
5323 will be compiled in an environment where the modules of all these declared
5324 channels are available.
5326 For the sake of reliability and maintainability, you should avoid dependencies
5327 on channels that you don't control, and you should aim to keep the number of
5328 dependencies to a minimum.
5330 @node Specifying Channel Authorizations
5331 @section Specifying Channel Authorizations
5333 @cindex channel authorizations
5334 @anchor{channel-authorizations}
5335 As we saw above, Guix ensures the source code it pulls from channels
5336 comes from authorized developers. As a channel author, you need to
5337 specify the list of authorized developers in the
5338 @file{.guix-authorizations} file in the channel's Git repository. The
5339 authentication rule is simple: each commit must be signed by a key
5340 listed in the @file{.guix-authorizations} file of its parent
5341 commit(s)@footnote{Git commits form a @dfn{directed acyclic graph}
5342 (DAG). Each commit can have zero or more parents; ``regular'' commits
5343 have one parent and merge commits have two parent commits. Read
5344 @uref{https://eagain.net/articles/git-for-computer-scientists/, @i{Git
5345 for Computer Scientists}} for a great overview.} The
5346 @file{.guix-authorizations} file looks like this:
5349 ;; Example '.guix-authorizations' file.
5352 (version 0) ;current file format version
5354 (("AD17 A21E F8AE D8F1 CC02 DBD9 F8AE D8F1 765C 61E3"
5356 ("2A39 3FFF 68F4 EF7A 3D29 12AF 68F4 EF7A 22FB B2D5"
5358 ("CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"
5362 Each fingerprint is followed by optional key/value pairs, as in the
5363 example above. Currently these key/value pairs are ignored.
5365 This authentication rule creates a chicken-and-egg issue: how do we
5366 authenticate the first commit? Related to that: how do we deal with
5367 channels whose repository history contains unsigned commits and lack
5368 @file{.guix-authorizations}? And how do we fork existing channels?
5370 @cindex channel introduction
5371 Channel introductions answer these questions by describing the first
5372 commit of a channel that should be authenticated. The first time a
5373 channel is fetched with @command{guix pull} or @command{guix
5374 time-machine}, the command looks up the introductory commit and verifies
5375 that it is signed by the specified OpenPGP key. From then on, it
5376 authenticates commits according to the rule above.
5378 Additionally, your channel must provide all the OpenPGP keys that were
5379 ever mentioned in @file{.guix-authorizations}, stored as @file{.key}
5380 files, which can be either binary or ``ASCII-armored''. By default,
5381 those @file{.key} files are searched for in the branch named
5382 @code{keyring} but you can specify a different branch name in
5383 @code{.guix-channel} like so:
5388 (keyring-reference "my-keyring-branch"))
5391 To summarize, as the author of a channel, there are three things you have
5392 to do to allow users to authenticate your code:
5396 Export the OpenPGP keys of past and present committers with @command{gpg
5397 --export} and store them in @file{.key} files, by default in a branch
5398 named @code{keyring} (we recommend making it an @dfn{orphan branch}).
5401 Introduce an initial @file{.guix-authorizations} in the channel's
5402 repository. Do that in a signed commit (@pxref{Commit Access}, for
5403 information on how to sign Git commits.)
5406 Advertise the channel introduction, for instance on your channel's web
5407 page. The channel introduction, as we saw above, is the commit/key
5408 pair---i.e., the commit that introduced @file{.guix-authorizations}, and
5409 the fingerprint of the OpenPGP used to sign it.
5412 Before pushing to your public Git repository, you can run @command{guix
5413 git-authenticate} to verify that you did sign all the commits you are
5414 about to push with an authorized key:
5417 guix git authenticate @var{commit} @var{signer}
5421 where @var{commit} and @var{signer} are your channel introduction.
5422 @xref{Invoking guix git authenticate}, for details.
5424 Publishing a signed channel requires discipline: any mistake, such as an
5425 unsigned commit or a commit signed by an unauthorized key, will prevent
5426 users from pulling from your channel---well, that's the whole point of
5427 authentication! Pay attention to merges in particular: merge commits
5428 are considered authentic if and only if they are signed by a key present
5429 in the @file{.guix-authorizations} file of @emph{both} branches.
5432 @section Primary URL
5434 @cindex primary URL, channels
5435 Channel authors can indicate the primary URL of their channel's Git
5436 repository in the @file{.guix-channel} file, like so:
5441 (url "https://example.org/guix.git"))
5444 This allows @command{guix pull} to determine whether it is pulling code
5445 from a mirror of the channel; when that is the case, it warns the user
5446 that the mirror might be stale and displays the primary URL@. That way,
5447 users cannot be tricked into fetching code from a stale mirror that does
5448 not receive security updates.
5450 This feature only makes sense for authenticated repositories, such as
5451 the official @code{guix} channel, for which @command{guix pull} ensures
5452 the code it fetches is authentic.
5454 @node Writing Channel News
5455 @section Writing Channel News
5457 @cindex news, for channels
5458 Channel authors may occasionally want to communicate to their users
5459 information about important changes in the channel. You'd send them all
5460 an email, but that's not convenient.
5462 Instead, channels can provide a @dfn{news file}; when the channel users
5463 run @command{guix pull}, that news file is automatically read and
5464 @command{guix pull --news} can display the announcements that correspond
5465 to the new commits that have been pulled, if any.
5467 To do that, channel authors must first declare the name of the news file
5468 in their @file{.guix-channel} file:
5473 (news-file "etc/news.txt"))
5476 The news file itself, @file{etc/news.txt} in this example, must look
5477 something like this:
5482 (entry (tag "the-bug-fix")
5483 (title (en "Fixed terrible bug")
5485 (body (en "@@emph@{Good news@}! It's fixed!")
5486 (eo "Certe ĝi pli bone funkcias nun!")))
5487 (entry (commit "bdcabe815cd28144a2d2b4bc3c5057b051fa9906")
5488 (title (en "Added a great package")
5489 (ca "Què vol dir guix?"))
5490 (body (en "Don't miss the @@code@{hello@} package!"))))
5493 While the news file is using the Scheme syntax, avoid naming it with a
5494 @file{.scm} extension or else it will get picked up when building the
5495 channel and yield an error since it is not a valid module.
5496 Alternatively, you can move the channel module to a subdirectory and
5497 store the news file in another directory.
5499 The file consists of a list of @dfn{news entries}. Each entry is
5500 associated with a commit or tag: it describes changes made in this
5501 commit, possibly in preceding commits as well. Users see entries only
5502 the first time they obtain the commit the entry refers to.
5504 The @code{title} field should be a one-line summary while @code{body}
5505 can be arbitrarily long, and both can contain Texinfo markup
5506 (@pxref{Overview,,, texinfo, GNU Texinfo}). Both the title and body are
5507 a list of language tag/message tuples, which allows @command{guix pull}
5508 to display news in the language that corresponds to the user's locale.
5510 If you want to translate news using a gettext-based workflow, you can
5511 extract translatable strings with @command{xgettext} (@pxref{xgettext
5512 Invocation,,, gettext, GNU Gettext Utilities}). For example, assuming
5513 you write news entries in English first, the command below creates a PO
5514 file containing the strings to translate:
5517 xgettext -o news.po -l scheme -ken etc/news.txt
5520 To sum up, yes, you could use your channel as a blog. But beware, this
5521 is @emph{not quite} what your users might expect.
5523 @c *********************************************************************
5525 @chapter Development
5527 @cindex software development
5528 If you are a software developer, Guix provides tools that you should find
5529 helpful---independently of the language you're developing in. This is what
5530 this chapter is about.
5532 The @command{guix environment} command provides a convenient way to set up
5533 @dfn{development environments} containing all the dependencies and tools
5534 necessary to work on the software package of your choice. The @command{guix
5535 pack} command allows you to create @dfn{application bundles} that can be
5536 easily distributed to users who do not run Guix.
5539 * Invoking guix environment:: Setting up development environments.
5540 * Invoking guix pack:: Creating software bundles.
5541 * The GCC toolchain:: Working with languages supported by GCC.
5542 * Invoking guix git authenticate:: Authenticating Git repositories.
5545 @node Invoking guix environment
5546 @section Invoking @command{guix environment}
5548 @cindex reproducible build environments
5549 @cindex development environments
5550 @cindex @command{guix environment}
5551 @cindex environment, package build environment
5552 The purpose of @command{guix environment} is to assist hackers in
5553 creating reproducible development environments without polluting their
5554 package profile. The @command{guix environment} tool takes one or more
5555 packages, builds all of their inputs, and creates a shell
5556 environment to use them.
5558 The general syntax is:
5561 guix environment @var{options} @var{package}@dots{}
5564 The following example spawns a new shell set up for the development of
5568 guix environment guile
5571 If the needed dependencies are not built yet, @command{guix environment}
5572 automatically builds them. The environment of the new shell is an
5573 augmented version of the environment that @command{guix environment} was
5574 run in. It contains the necessary search paths for building the given
5575 package added to the existing environment variables. To create
5576 a ``pure'' environment, in which the original environment variables have
5577 been unset, use the @option{--pure} option@footnote{Users sometimes
5578 wrongfully augment environment variables such as @env{PATH} in their
5579 @file{~/.bashrc} file. As a consequence, when @command{guix
5580 environment} launches it, Bash may read @file{~/.bashrc}, thereby
5581 introducing ``impurities'' in these environment variables. It is an
5582 error to define such environment variables in @file{.bashrc}; instead,
5583 they should be defined in @file{.bash_profile}, which is sourced only by
5584 log-in shells. @xref{Bash Startup Files,,, bash, The GNU Bash Reference
5585 Manual}, for details on Bash start-up files.}.
5587 Exiting from a Guix environment is the same as exiting from the shell,
5588 and will place the user back in the old environment before @command{guix
5589 environment} was invoked. The next garbage collection (@pxref{Invoking
5590 guix gc}) will clean up packages that were installed from within the
5591 environment and are no longer used outside of it.
5593 @vindex GUIX_ENVIRONMENT
5594 @command{guix environment} defines the @env{GUIX_ENVIRONMENT}
5595 variable in the shell it spawns; its value is the file name of the
5596 profile of this environment. This allows users to, say, define a
5597 specific prompt for development environments in their @file{.bashrc}
5598 (@pxref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}):
5601 if [ -n "$GUIX_ENVIRONMENT" ]
5603 export PS1="\u@@\h \w [dev]\$ "
5608 ...@: or to browse the profile:
5611 $ ls "$GUIX_ENVIRONMENT/bin"
5614 Additionally, more than one package may be specified, in which case the
5615 union of the inputs for the given packages are used. For example, the
5616 command below spawns a shell where all of the dependencies of both Guile
5617 and Emacs are available:
5620 guix environment guile emacs
5623 Sometimes an interactive shell session is not desired. An arbitrary
5624 command may be invoked by placing the @code{--} token to separate the
5625 command from the rest of the arguments:
5628 guix environment guile -- make -j4
5631 In other situations, it is more convenient to specify the list of
5632 packages needed in the environment. For example, the following command
5633 runs @command{python} from an environment containing Python@tie{}2.7 and
5637 guix environment --ad-hoc python2-numpy python-2.7 -- python
5640 Furthermore, one might want the dependencies of a package and also some
5641 additional packages that are not build-time or runtime dependencies, but
5642 are useful when developing nonetheless. Because of this, the
5643 @option{--ad-hoc} flag is positional. Packages appearing before
5644 @option{--ad-hoc} are interpreted as packages whose dependencies will be
5645 added to the environment. Packages appearing after are interpreted as
5646 packages that will be added to the environment directly. For example,
5647 the following command creates a Guix development environment that
5648 additionally includes Git and strace:
5651 guix environment --pure guix --ad-hoc git strace
5655 Sometimes it is desirable to isolate the environment as much as
5656 possible, for maximal purity and reproducibility. In particular, when
5657 using Guix on a host distro that is not Guix System, it is desirable to
5658 prevent access to @file{/usr/bin} and other system-wide resources from
5659 the development environment. For example, the following command spawns
5660 a Guile REPL in a ``container'' where only the store and the current
5661 working directory are mounted:
5664 guix environment --ad-hoc --container guile -- guile
5668 The @option{--container} option requires Linux-libre 3.19 or newer.
5671 @cindex certificates
5672 Another typical use case for containers is to run security-sensitive
5673 applications such as a web browser. To run Eolie, we must expose and
5674 share some files and directories; we include @code{nss-certs} and expose
5675 @file{/etc/ssl/certs/} for HTTPS authentication; finally we preserve the
5676 @env{DISPLAY} environment variable since containerized graphical
5677 applications won't display without it.
5680 guix environment --preserve='^DISPLAY$' --container --network \
5681 --expose=/etc/machine-id \
5682 --expose=/etc/ssl/certs/ \
5683 --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
5684 --ad-hoc eolie nss-certs dbus -- eolie
5687 The available options are summarized below.
5690 @item --root=@var{file}
5691 @itemx -r @var{file}
5692 @cindex persistent environment
5693 @cindex garbage collector root, for environments
5694 Make @var{file} a symlink to the profile for this environment, and
5695 register it as a garbage collector root.
5697 This is useful if you want to protect your environment from garbage
5698 collection, to make it ``persistent''.
5700 When this option is omitted, the environment is protected from garbage
5701 collection only for the duration of the @command{guix environment}
5702 session. This means that next time you recreate the same environment,
5703 you could have to rebuild or re-download packages. @xref{Invoking guix
5704 gc}, for more on GC roots.
5706 @item --expression=@var{expr}
5707 @itemx -e @var{expr}
5708 Create an environment for the package or list of packages that
5709 @var{expr} evaluates to.
5711 For example, running:
5714 guix environment -e '(@@ (gnu packages maths) petsc-openmpi)'
5717 starts a shell with the environment for this specific variant of the
5723 guix environment --ad-hoc -e '(@@ (gnu) %base-packages)'
5726 starts a shell with all the base system packages available.
5728 The above commands only use the default output of the given packages.
5729 To select other outputs, two element tuples can be specified:
5732 guix environment --ad-hoc -e '(list (@@ (gnu packages bash) bash) "include")'
5735 @item --load=@var{file}
5736 @itemx -l @var{file}
5737 Create an environment for the package or list of packages that the code
5738 within @var{file} evaluates to.
5740 As an example, @var{file} might contain a definition like this
5741 (@pxref{Defining Packages}):
5744 @verbatiminclude environment-gdb.scm
5747 @item --manifest=@var{file}
5748 @itemx -m @var{file}
5749 Create an environment for the packages contained in the manifest object
5750 returned by the Scheme code in @var{file}. This option can be repeated
5751 several times, in which case the manifests are concatenated.
5753 This is similar to the same-named option in @command{guix package}
5754 (@pxref{profile-manifest, @option{--manifest}}) and uses the same
5758 Include all specified packages in the resulting environment, as if an
5759 @i{ad hoc} package were defined with them as inputs. This option is
5760 useful for quickly creating an environment without having to write a
5761 package expression to contain the desired inputs.
5763 For instance, the command:
5766 guix environment --ad-hoc guile guile-sdl -- guile
5769 runs @command{guile} in an environment where Guile and Guile-SDL are
5772 Note that this example implicitly asks for the default output of
5773 @code{guile} and @code{guile-sdl}, but it is possible to ask for a
5774 specific output---e.g., @code{glib:bin} asks for the @code{bin} output
5775 of @code{glib} (@pxref{Packages with Multiple Outputs}).
5777 This option may be composed with the default behavior of @command{guix
5778 environment}. Packages appearing before @option{--ad-hoc} are
5779 interpreted as packages whose dependencies will be added to the
5780 environment, the default behavior. Packages appearing after are
5781 interpreted as packages that will be added to the environment directly.
5784 Unset existing environment variables when building the new environment, except
5785 those specified with @option{--preserve} (see below). This has the effect of
5786 creating an environment in which search paths only contain package inputs.
5788 @item --preserve=@var{regexp}
5789 @itemx -E @var{regexp}
5790 When used alongside @option{--pure}, preserve the environment variables
5791 matching @var{regexp}---in other words, put them on a ``white list'' of
5792 environment variables that must be preserved. This option can be repeated
5796 guix environment --pure --preserve=^SLURM --ad-hoc openmpi @dots{} \
5800 This example runs @command{mpirun} in a context where the only environment
5801 variables defined are @env{PATH}, environment variables whose name starts
5802 with @samp{SLURM}, as well as the usual ``precious'' variables (@env{HOME},
5805 @item --search-paths
5806 Display the environment variable definitions that make up the
5809 @item --system=@var{system}
5810 @itemx -s @var{system}
5811 Attempt to build for @var{system}---e.g., @code{i686-linux}.
5816 Run @var{command} within an isolated container. The current working
5817 directory outside the container is mapped inside the container.
5818 Additionally, unless overridden with @option{--user}, a dummy home
5819 directory is created that matches the current user's home directory, and
5820 @file{/etc/passwd} is configured accordingly.
5822 The spawned process runs as the current user outside the container. Inside
5823 the container, it has the same UID and GID as the current user, unless
5824 @option{--user} is passed (see below).
5828 For containers, share the network namespace with the host system.
5829 Containers created without this flag only have access to the loopback
5832 @item --link-profile
5834 For containers, link the environment profile to @file{~/.guix-profile}
5835 within the container and set @code{GUIX_ENVIRONMENT} to that.
5836 This is equivalent to making @file{~/.guix-profile} a symlink to the
5837 actual profile within the container.
5838 Linking will fail and abort the environment if the directory already
5839 exists, which will certainly be the case if @command{guix environment}
5840 was invoked in the user's home directory.
5842 Certain packages are configured to look in @file{~/.guix-profile} for
5843 configuration files and data;@footnote{For example, the
5844 @code{fontconfig} package inspects @file{~/.guix-profile/share/fonts}
5845 for additional fonts.} @option{--link-profile} allows these programs to
5846 behave as expected within the environment.
5848 @item --user=@var{user}
5849 @itemx -u @var{user}
5850 For containers, use the username @var{user} in place of the current
5851 user. The generated @file{/etc/passwd} entry within the container will
5852 contain the name @var{user}, the home directory will be
5853 @file{/home/@var{user}}, and no user GECOS data will be copied. Furthermore,
5854 the UID and GID inside the container are 1000. @var{user}
5855 need not exist on the system.
5857 Additionally, any shared or exposed path (see @option{--share} and
5858 @option{--expose} respectively) whose target is within the current user's
5859 home directory will be remapped relative to @file{/home/USER}; this
5860 includes the automatic mapping of the current working directory.
5863 # will expose paths as /home/foo/wd, /home/foo/test, and /home/foo/target
5865 guix environment --container --user=foo \
5866 --expose=$HOME/test \
5867 --expose=/tmp/target=$HOME/target
5870 While this will limit the leaking of user identity through home paths
5871 and each of the user fields, this is only one useful component of a
5872 broader privacy/anonymity solution---not one in and of itself.
5875 For containers, the default behavior is to share the current working
5876 directory with the isolated container and immediately change to that
5877 directory within the container. If this is undesirable,
5878 @option{--no-cwd} will cause the current working directory to @emph{not}
5879 be automatically shared and will change to the user's home directory
5880 within the container instead. See also @option{--user}.
5882 @item --expose=@var{source}[=@var{target}]
5883 @itemx --share=@var{source}[=@var{target}]
5884 For containers, @option{--expose} (resp. @option{--share}) exposes the
5885 file system @var{source} from the host system as the read-only
5886 (resp. writable) file system @var{target} within the container. If
5887 @var{target} is not specified, @var{source} is used as the target mount
5888 point in the container.
5890 The example below spawns a Guile REPL in a container in which the user's
5891 home directory is accessible read-only via the @file{/exchange}
5895 guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile
5900 @command{guix environment}
5901 also supports all of the common build options that @command{guix
5902 build} supports (@pxref{Common Build Options}) as well as package
5903 transformation options (@pxref{Package Transformation Options}).
5905 @node Invoking guix pack
5906 @section Invoking @command{guix pack}
5908 Occasionally you want to pass software to people who are not (yet!)
5909 lucky enough to be using Guix. You'd tell them to run @command{guix
5910 package -i @var{something}}, but that's not possible in this case. This
5911 is where @command{guix pack} comes in.
5914 If you are looking for ways to exchange binaries among machines that
5915 already run Guix, @pxref{Invoking guix copy}, @ref{Invoking guix
5916 publish}, and @ref{Invoking guix archive}.
5921 @cindex application bundle
5922 @cindex software bundle
5923 The @command{guix pack} command creates a shrink-wrapped @dfn{pack} or
5924 @dfn{software bundle}: it creates a tarball or some other archive
5925 containing the binaries of the software you're interested in, and all
5926 its dependencies. The resulting archive can be used on any machine that
5927 does not have Guix, and people can run the exact same binaries as those
5928 you have with Guix. The pack itself is created in a bit-reproducible
5929 fashion, so anyone can verify that it really contains the build results
5930 that you pretend to be shipping.
5932 For example, to create a bundle containing Guile, Emacs, Geiser, and all
5933 their dependencies, you can run:
5936 $ guix pack guile emacs emacs-geiser
5938 /gnu/store/@dots{}-pack.tar.gz
5941 The result here is a tarball containing a @file{/gnu/store} directory
5942 with all the relevant packages. The resulting tarball contains a
5943 @dfn{profile} with the three packages of interest; the profile is the
5944 same as would be created by @command{guix package -i}. It is this
5945 mechanism that is used to create Guix's own standalone binary tarball
5946 (@pxref{Binary Installation}).
5948 Users of this pack would have to run
5949 @file{/gnu/store/@dots{}-profile/bin/guile} to run Guile, which you may
5950 find inconvenient. To work around it, you can create, say, a
5951 @file{/opt/gnu/bin} symlink to the profile:
5954 guix pack -S /opt/gnu/bin=bin guile emacs emacs-geiser
5958 That way, users can happily type @file{/opt/gnu/bin/guile} and enjoy.
5960 @cindex relocatable binaries, with @command{guix pack}
5961 What if the recipient of your pack does not have root privileges on
5962 their machine, and thus cannot unpack it in the root file system? In
5963 that case, you will want to use the @option{--relocatable} option (see
5964 below). This option produces @dfn{relocatable binaries}, meaning they
5965 they can be placed anywhere in the file system hierarchy: in the example
5966 above, users can unpack your tarball in their home directory and
5967 directly run @file{./opt/gnu/bin/guile}.
5969 @cindex Docker, build an image with guix pack
5970 Alternatively, you can produce a pack in the Docker image format using
5971 the following command:
5974 guix pack -f docker -S /bin=bin guile guile-readline
5978 The result is a tarball that can be passed to the @command{docker load}
5979 command, followed by @code{docker run}:
5982 docker load < @var{file}
5983 docker run -ti guile-guile-readline /bin/guile
5987 where @var{file} is the image returned by @var{guix pack}, and
5988 @code{guile-guile-readline} is its ``image tag''. See the
5989 @uref{https://docs.docker.com/engine/reference/commandline/load/, Docker
5990 documentation} for more information.
5992 @cindex Singularity, build an image with guix pack
5993 @cindex SquashFS, build an image with guix pack
5994 Yet another option is to produce a SquashFS image with the following
5998 guix pack -f squashfs bash guile emacs emacs-geiser
6002 The result is a SquashFS file system image that can either be mounted or
6003 directly be used as a file system container image with the
6004 @uref{https://www.sylabs.io/docs/, Singularity container execution
6005 environment}, using commands like @command{singularity shell} or
6006 @command{singularity exec}.
6008 Several command-line options allow you to customize your pack:
6011 @item --format=@var{format}
6012 @itemx -f @var{format}
6013 Produce a pack in the given @var{format}.
6015 The available formats are:
6019 This is the default format. It produces a tarball containing all the
6020 specified binaries and symlinks.
6023 This produces a tarball that follows the
6024 @uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md,
6025 Docker Image Specification}. The ``repository name'' as it appears in
6026 the output of the @command{docker images} command is computed from
6027 package names passed on the command line or in the manifest file.
6030 This produces a SquashFS image containing all the specified binaries and
6031 symlinks, as well as empty mount points for virtual file systems like
6035 Singularity @emph{requires} you to provide @file{/bin/sh} in the image.
6036 For that reason, @command{guix pack -f squashfs} always implies @code{-S
6037 /bin=bin}. Thus, your @command{guix pack} invocation must always start
6038 with something like:
6041 guix pack -f squashfs bash @dots{}
6044 If you forget the @code{bash} (or similar) package, @command{singularity
6045 run} and @command{singularity exec} will fail with an unhelpful ``no
6046 such file or directory'' message.
6050 This produces a Debian archive (a package with the @samp{.deb} file
6051 extension) containing all the specified binaries and symbolic links,
6052 that can be installed on top of any dpkg-based GNU(/Linux) distribution.
6053 Advanced options can be revealed via the @option{--help-deb-format}
6054 option. They allow embedding control files for more fine-grained
6055 control, such as activating specific triggers or providing a maintainer
6056 configure script to run arbitrary setup code upon installation.
6059 guix pack -f deb -C xz -S /usr/bin/hello=bin/hello hello
6063 Because archives produced with @command{guix pack} contain a collection
6064 of store items and because each @command{dpkg} package must not have
6065 conflicting files, in practice that means you likely won't be able to
6066 install more than one such archive on a given system.
6070 @command{dpkg} will assume ownership of any files contained in the pack
6071 that it does @emph{not} know about. It is unwise to install
6072 Guix-produced @samp{.deb} files on a system where @file{/gnu/store} is
6073 shared by other software, such as a Guix installation or other, non-deb
6079 @cindex relocatable binaries
6082 Produce @dfn{relocatable binaries}---i.e., binaries that can be placed
6083 anywhere in the file system hierarchy and run from there.
6085 When this option is passed once, the resulting binaries require support for
6086 @dfn{user namespaces} in the kernel Linux; when passed
6087 @emph{twice}@footnote{Here's a trick to memorize it: @code{-RR}, which adds
6088 PRoot support, can be thought of as the abbreviation of ``Really
6089 Relocatable''. Neat, isn't it?}, relocatable binaries fall to back to
6090 other techniques if user namespaces are unavailable, and essentially
6091 work anywhere---see below for the implications.
6093 For example, if you create a pack containing Bash with:
6096 guix pack -RR -S /mybin=bin bash
6100 ...@: you can copy that pack to a machine that lacks Guix, and from your
6101 home directory as a normal user, run:
6109 In that shell, if you type @code{ls /gnu/store}, you'll notice that
6110 @file{/gnu/store} shows up and contains all the dependencies of
6111 @code{bash}, even though the machine actually lacks @file{/gnu/store}
6112 altogether! That is probably the simplest way to deploy Guix-built
6113 software on a non-Guix machine.
6116 By default, relocatable binaries rely on the @dfn{user namespace} feature of
6117 the kernel Linux, which allows unprivileged users to mount or change root.
6118 Old versions of Linux did not support it, and some GNU/Linux distributions
6121 To produce relocatable binaries that work even in the absence of user
6122 namespaces, pass @option{--relocatable} or @option{-R} @emph{twice}. In that
6123 case, binaries will try user namespace support and fall back to another
6124 @dfn{execution engine} if user namespaces are not supported. The
6125 following execution engines are supported:
6129 Try user namespaces and fall back to PRoot if user namespaces are not
6130 supported (see below).
6133 Try user namespaces and fall back to Fakechroot if user namespaces are
6134 not supported (see below).
6137 Run the program through user namespaces and abort if they are not
6141 Run through PRoot. The @uref{https://proot-me.github.io/, PRoot} program
6142 provides the necessary
6143 support for file system virtualization. It achieves that by using the
6144 @code{ptrace} system call on the running program. This approach has the
6145 advantage to work without requiring special kernel support, but it incurs
6146 run-time overhead every time a system call is made.
6149 Run through Fakechroot. @uref{https://github.com/dex4er/fakechroot/,
6150 Fakechroot} virtualizes file system accesses by intercepting calls to C
6151 library functions such as @code{open}, @code{stat}, @code{exec}, and so
6152 on. Unlike PRoot, it incurs very little overhead. However, it does not
6153 always work: for example, some file system accesses made from within the
6154 C library are not intercepted, and file system accesses made @i{via}
6155 direct syscalls are not intercepted either, leading to erratic behavior.
6158 @vindex GUIX_EXECUTION_ENGINE
6159 When running a wrapped program, you can explicitly request one of the
6160 execution engines listed above by setting the
6161 @env{GUIX_EXECUTION_ENGINE} environment variable accordingly.
6164 @cindex entry point, for Docker images
6165 @item --entry-point=@var{command}
6166 Use @var{command} as the @dfn{entry point} of the resulting pack, if the pack
6167 format supports it---currently @code{docker} and @code{squashfs} (Singularity)
6168 support it. @var{command} must be relative to the profile contained in the
6171 The entry point specifies the command that tools like @code{docker run} or
6172 @code{singularity run} automatically start by default. For example, you can
6176 guix pack -f docker --entry-point=bin/guile guile
6179 The resulting pack can easily be loaded and @code{docker run} with no extra
6180 arguments will spawn @code{bin/guile}:
6183 docker load -i pack.tar.gz
6184 docker run @var{image-id}
6187 @item --expression=@var{expr}
6188 @itemx -e @var{expr}
6189 Consider the package @var{expr} evaluates to.
6191 This has the same purpose as the same-named option in @command{guix
6192 build} (@pxref{Additional Build Options, @option{--expression} in
6193 @command{guix build}}).
6195 @item --manifest=@var{file}
6196 @itemx -m @var{file}
6197 Use the packages contained in the manifest object returned by the Scheme
6198 code in @var{file}. This option can be repeated several times, in which
6199 case the manifests are concatenated.
6201 This has a similar purpose as the same-named option in @command{guix
6202 package} (@pxref{profile-manifest, @option{--manifest}}) and uses the
6203 same manifest files. It allows you to define a collection of packages
6204 once and use it both for creating profiles and for creating archives
6205 for use on machines that do not have Guix installed. Note that you can
6206 specify @emph{either} a manifest file @emph{or} a list of packages,
6209 @item --system=@var{system}
6210 @itemx -s @var{system}
6211 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
6212 the system type of the build host.
6214 @item --target=@var{triplet}
6215 @cindex cross-compilation
6216 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
6217 as @code{"aarch64-linux-gnu"} (@pxref{Specifying target triplets, GNU
6218 configuration triplets,, autoconf, Autoconf}).
6220 @item --compression=@var{tool}
6221 @itemx -C @var{tool}
6222 Compress the resulting tarball using @var{tool}---one of @code{gzip},
6223 @code{zstd}, @code{bzip2}, @code{xz}, @code{lzip}, or @code{none} for no
6226 @item --symlink=@var{spec}
6227 @itemx -S @var{spec}
6228 Add the symlinks specified by @var{spec} to the pack. This option can
6229 appear several times.
6231 @var{spec} has the form @code{@var{source}=@var{target}}, where
6232 @var{source} is the symlink that will be created and @var{target} is the
6235 For instance, @code{-S /opt/gnu/bin=bin} creates a @file{/opt/gnu/bin}
6236 symlink pointing to the @file{bin} sub-directory of the profile.
6238 @item --save-provenance
6239 Save provenance information for the packages passed on the command line.
6240 Provenance information includes the URL and commit of the channels in use
6243 Provenance information is saved in the
6244 @file{/gnu/store/@dots{}-profile/manifest} file in the pack, along with the
6245 usual package metadata---the name and version of each package, their
6246 propagated inputs, and so on. It is useful information to the recipient of
6247 the pack, who then knows how the pack was (supposedly) obtained.
6249 This option is not enabled by default because, like timestamps, provenance
6250 information contributes nothing to the build process. In other words, there
6251 is an infinity of channel URLs and commit IDs that can lead to the same pack.
6252 Recording such ``silent'' metadata in the output thus potentially breaks the
6253 source-to-binary bitwise reproducibility property.
6255 @item --root=@var{file}
6256 @itemx -r @var{file}
6257 @cindex garbage collector root, for packs
6258 Make @var{file} a symlink to the resulting pack, and register it as a garbage
6261 @item --localstatedir
6262 @itemx --profile-name=@var{name}
6263 Include the ``local state directory'', @file{/var/guix}, in the resulting
6264 pack, and notably the @file{/var/guix/profiles/per-user/root/@var{name}}
6265 profile---by default @var{name} is @code{guix-profile}, which corresponds to
6266 @file{~root/.guix-profile}.
6268 @file{/var/guix} contains the store database (@pxref{The Store}) as well
6269 as garbage-collector roots (@pxref{Invoking guix gc}). Providing it in
6270 the pack means that the store is ``complete'' and manageable by Guix;
6271 not providing it pack means that the store is ``dead'': items cannot be
6272 added to it or removed from it after extraction of the pack.
6274 One use case for this is the Guix self-contained binary tarball
6275 (@pxref{Binary Installation}).
6279 Print the name of the derivation that builds the pack.
6282 Use the bootstrap binaries to build the pack. This option is only
6283 useful to Guix developers.
6286 In addition, @command{guix pack} supports all the common build options
6287 (@pxref{Common Build Options}) and all the package transformation
6288 options (@pxref{Package Transformation Options}).
6291 @node The GCC toolchain
6292 @section The GCC toolchain
6296 @cindex linker wrapper
6297 @cindex toolchain, for C development
6298 @cindex toolchain, for Fortran development
6300 If you need a complete toolchain for compiling and linking C or C++
6301 source code, use the @code{gcc-toolchain} package. This package
6302 provides a complete GCC toolchain for C/C++ development, including GCC
6303 itself, the GNU C Library (headers and binaries, plus debugging symbols
6304 in the @code{debug} output), Binutils, and a linker wrapper.
6306 The wrapper's purpose is to inspect the @code{-L} and @code{-l} switches
6307 passed to the linker, add corresponding @code{-rpath} arguments, and
6308 invoke the actual linker with this new set of arguments. You can instruct the
6309 wrapper to refuse to link against libraries not in the store by setting the
6310 @env{GUIX_LD_WRAPPER_ALLOW_IMPURITIES} environment variable to @code{no}.
6312 The package @code{gfortran-toolchain} provides a complete GCC toolchain
6313 for Fortran development. For other languages, please use
6314 @samp{guix search gcc toolchain} (@pxref{guix-search,, Invoking guix package}).
6317 @node Invoking guix git authenticate
6318 @section Invoking @command{guix git authenticate}
6320 The @command{guix git authenticate} command authenticates a Git checkout
6321 following the same rule as for channels (@pxref{channel-authentication,
6322 channel authentication}). That is, starting from a given commit, it
6323 ensures that all subsequent commits are signed by an OpenPGP key whose
6324 fingerprint appears in the @file{.guix-authorizations} file of its
6327 You will find this command useful if you maintain a channel. But in
6328 fact, this authentication mechanism is useful in a broader context, so
6329 you might want to use it for Git repositories that have nothing to do
6332 The general syntax is:
6335 guix git authenticate @var{commit} @var{signer} [@var{options}@dots{}]
6338 By default, this command authenticates the Git checkout in the current
6339 directory; it outputs nothing and exits with exit code zero on success
6340 and non-zero on failure. @var{commit} above denotes the first commit
6341 where authentication takes place, and @var{signer} is the OpenPGP
6342 fingerprint of public key used to sign @var{commit}. Together, they
6343 form a ``channel introduction'' (@pxref{channel-authentication, channel
6344 introduction}). The options below allow you to fine-tune the process.
6347 @item --repository=@var{directory}
6348 @itemx -r @var{directory}
6349 Open the Git repository in @var{directory} instead of the current
6352 @item --keyring=@var{reference}
6353 @itemx -k @var{reference}
6354 Load OpenPGP keyring from @var{reference}, the reference of a branch
6355 such as @code{origin/keyring} or @code{my-keyring}. The branch must
6356 contain OpenPGP public keys in @file{.key} files, either in binary form
6357 or ``ASCII-armored''. By default the keyring is loaded from the branch
6358 named @code{keyring}.
6361 Display commit signing statistics upon completion.
6363 @item --cache-key=@var{key}
6364 Previously-authenticated commits are cached in a file under
6365 @file{~/.cache/guix/authentication}. This option forces the cache to be
6366 stored in file @var{key} in that directory.
6368 @item --historical-authorizations=@var{file}
6369 By default, any commit whose parent commit(s) lack the
6370 @file{.guix-authorizations} file is considered inauthentic. In
6371 contrast, this option considers the authorizations in @var{file} for any
6372 commit that lacks @file{.guix-authorizations}. The format of @var{file}
6373 is the same as that of @file{.guix-authorizations}
6374 (@pxref{channel-authorizations, @file{.guix-authorizations} format}).
6378 @c *********************************************************************
6379 @node Programming Interface
6380 @chapter Programming Interface
6382 GNU Guix provides several Scheme programming interfaces (APIs) to
6383 define, build, and query packages. The first interface allows users to
6384 write high-level package definitions. These definitions refer to
6385 familiar packaging concepts, such as the name and version of a package,
6386 its build system, and its dependencies. These definitions can then be
6387 turned into concrete build actions.
6389 Build actions are performed by the Guix daemon, on behalf of users. In a
6390 standard setup, the daemon has write access to the store---the
6391 @file{/gnu/store} directory---whereas users do not. The recommended
6392 setup also has the daemon perform builds in chroots, under specific
6393 build users, to minimize interference with the rest of the system.
6396 Lower-level APIs are available to interact with the daemon and the
6397 store. To instruct the daemon to perform a build action, users actually
6398 provide it with a @dfn{derivation}. A derivation is a low-level
6399 representation of the build actions to be taken, and the environment in
6400 which they should occur---derivations are to package definitions what
6401 assembly is to C programs. The term ``derivation'' comes from the fact
6402 that build results @emph{derive} from them.
6404 This chapter describes all these APIs in turn, starting from high-level
6405 package definitions.
6408 * Package Modules:: Packages from the programmer's viewpoint.
6409 * Defining Packages:: Defining new packages.
6410 * Defining Package Variants:: Customizing packages.
6411 * Build Systems:: Specifying how packages are built.
6412 * Build Phases:: Phases of the build process of a package.
6413 * Build Utilities:: Helpers for your package definitions and more.
6414 * The Store:: Manipulating the package store.
6415 * Derivations:: Low-level interface to package derivations.
6416 * The Store Monad:: Purely functional interface to the store.
6417 * G-Expressions:: Manipulating build expressions.
6418 * Invoking guix repl:: Programming Guix in Guile
6421 @node Package Modules
6422 @section Package Modules
6424 From a programming viewpoint, the package definitions of the
6425 GNU distribution are provided by Guile modules in the @code{(gnu packages
6426 @dots{})} name space@footnote{Note that packages under the @code{(gnu
6427 packages @dots{})} module name space are not necessarily ``GNU
6428 packages''. This module naming scheme follows the usual Guile module
6429 naming convention: @code{gnu} means that these modules are distributed
6430 as part of the GNU system, and @code{packages} identifies modules that
6431 define packages.} (@pxref{Modules, Guile modules,, guile, GNU Guile
6432 Reference Manual}). For instance, the @code{(gnu packages emacs)}
6433 module exports a variable named @code{emacs}, which is bound to a
6434 @code{<package>} object (@pxref{Defining Packages}).
6436 The @code{(gnu packages @dots{})} module name space is
6437 automatically scanned for packages by the command-line tools. For
6438 instance, when running @code{guix install emacs}, all the @code{(gnu
6439 packages @dots{})} modules are scanned until one that exports a package
6440 object whose name is @code{emacs} is found. This package search
6441 facility is implemented in the @code{(gnu packages)} module.
6443 @cindex customization, of packages
6444 @cindex package module search path
6445 Users can store package definitions in modules with different
6446 names---e.g., @code{(my-packages emacs)}@footnote{Note that the file
6447 name and module name must match. For instance, the @code{(my-packages
6448 emacs)} module must be stored in a @file{my-packages/emacs.scm} file
6449 relative to the load path specified with @option{--load-path} or
6450 @env{GUIX_PACKAGE_PATH}. @xref{Modules and the File System,,,
6451 guile, GNU Guile Reference Manual}, for details.}. There are two ways to make
6452 these package definitions visible to the user interfaces:
6456 By adding the directory containing your package modules to the search path
6457 with the @code{-L} flag of @command{guix package} and other commands
6458 (@pxref{Common Build Options}), or by setting the @env{GUIX_PACKAGE_PATH}
6459 environment variable described below.
6462 By defining a @dfn{channel} and configuring @command{guix pull} so that it
6463 pulls from it. A channel is essentially a Git repository containing package
6464 modules. @xref{Channels}, for more information on how to define and use
6468 @env{GUIX_PACKAGE_PATH} works similarly to other search path variables:
6470 @defvr {Environment Variable} GUIX_PACKAGE_PATH
6471 This is a colon-separated list of directories to search for additional
6472 package modules. Directories listed in this variable take precedence
6473 over the own modules of the distribution.
6476 The distribution is fully @dfn{bootstrapped} and @dfn{self-contained}:
6477 each package is built based solely on other packages in the
6478 distribution. The root of this dependency graph is a small set of
6479 @dfn{bootstrap binaries}, provided by the @code{(gnu packages
6480 bootstrap)} module. For more information on bootstrapping,
6481 @pxref{Bootstrapping}.
6483 @node Defining Packages
6484 @section Defining Packages
6486 The high-level interface to package definitions is implemented in the
6487 @code{(guix packages)} and @code{(guix build-system)} modules. As an
6488 example, the package definition, or @dfn{recipe}, for the GNU Hello
6489 package looks like this:
6492 (define-module (gnu packages hello)
6493 #:use-module (guix packages)
6494 #:use-module (guix download)
6495 #:use-module (guix build-system gnu)
6496 #:use-module (guix licenses)
6497 #:use-module (gnu packages gawk))
6499 (define-public hello
6505 (uri (string-append "mirror://gnu/hello/hello-" version
6509 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
6510 (build-system gnu-build-system)
6511 (arguments '(#:configure-flags '("--enable-silent-rules")))
6512 (inputs `(("gawk" ,gawk)))
6513 (synopsis "Hello, GNU world: An example GNU package")
6514 (description "Guess what GNU Hello prints!")
6515 (home-page "https://www.gnu.org/software/hello/")
6520 Without being a Scheme expert, the reader may have guessed the meaning
6521 of the various fields here. This expression binds the variable
6522 @code{hello} to a @code{<package>} object, which is essentially a record
6523 (@pxref{SRFI-9, Scheme records,, guile, GNU Guile Reference Manual}).
6524 This package object can be inspected using procedures found in the
6525 @code{(guix packages)} module; for instance, @code{(package-name hello)}
6526 returns---surprise!---@code{"hello"}.
6528 With luck, you may be able to import part or all of the definition of
6529 the package you are interested in from another repository, using the
6530 @code{guix import} command (@pxref{Invoking guix import}).
6532 In the example above, @code{hello} is defined in a module of its own,
6533 @code{(gnu packages hello)}. Technically, this is not strictly
6534 necessary, but it is convenient to do so: all the packages defined in
6535 modules under @code{(gnu packages @dots{})} are automatically known to
6536 the command-line tools (@pxref{Package Modules}).
6538 There are a few points worth noting in the above package definition:
6542 The @code{source} field of the package is an @code{<origin>} object
6543 (@pxref{origin Reference}, for the complete reference).
6544 Here, the @code{url-fetch} method from @code{(guix download)} is used,
6545 meaning that the source is a file to be downloaded over FTP or HTTP.
6547 The @code{mirror://gnu} prefix instructs @code{url-fetch} to use one of
6548 the GNU mirrors defined in @code{(guix download)}.
6550 The @code{sha256} field specifies the expected SHA256 hash of the file
6551 being downloaded. It is mandatory, and allows Guix to check the
6552 integrity of the file. The @code{(base32 @dots{})} form introduces the
6553 base32 representation of the hash. You can obtain this information with
6554 @code{guix download} (@pxref{Invoking guix download}) and @code{guix
6555 hash} (@pxref{Invoking guix hash}).
6558 When needed, the @code{origin} form can also have a @code{patches} field
6559 listing patches to be applied, and a @code{snippet} field giving a
6560 Scheme expression to modify the source code.
6563 @cindex GNU Build System
6564 The @code{build-system} field specifies the procedure to build the
6565 package (@pxref{Build Systems}). Here, @code{gnu-build-system}
6566 represents the familiar GNU Build System, where packages may be
6567 configured, built, and installed with the usual @code{./configure &&
6568 make && make check && make install} command sequence.
6570 When you start packaging non-trivial software, you may need tools to
6571 manipulate those build phases, manipulate files, and so on. @xref{Build
6572 Utilities}, for more on this.
6575 The @code{arguments} field specifies options for the build system
6576 (@pxref{Build Systems}). Here it is interpreted by
6577 @code{gnu-build-system} as a request run @file{configure} with the
6578 @option{--enable-silent-rules} flag.
6584 What about these quote (@code{'}) characters? They are Scheme syntax to
6585 introduce a literal list; @code{'} is synonymous with @code{quote}.
6586 @xref{Expression Syntax, quoting,, guile, GNU Guile Reference Manual},
6587 for details. Here the value of the @code{arguments} field is a list of
6588 arguments passed to the build system down the road, as with @code{apply}
6589 (@pxref{Fly Evaluation, @code{apply},, guile, GNU Guile Reference
6592 The hash-colon (@code{#:}) sequence defines a Scheme @dfn{keyword}
6593 (@pxref{Keywords,,, guile, GNU Guile Reference Manual}), and
6594 @code{#:configure-flags} is a keyword used to pass a keyword argument
6595 to the build system (@pxref{Coding With Keywords,,, guile, GNU Guile
6599 The @code{inputs} field specifies inputs to the build process---i.e.,
6600 build-time or run-time dependencies of the package. Here, we define an
6601 input called @code{"gawk"} whose value is that of the @code{gawk}
6602 variable; @code{gawk} is itself bound to a @code{<package>} object.
6604 @cindex backquote (quasiquote)
6607 @cindex comma (unquote)
6611 @findex unquote-splicing
6612 Again, @code{`} (a backquote, synonymous with @code{quasiquote}) allows
6613 us to introduce a literal list in the @code{inputs} field, while
6614 @code{,} (a comma, synonymous with @code{unquote}) allows us to insert a
6615 value in that list (@pxref{Expression Syntax, unquote,, guile, GNU Guile
6618 Note that GCC, Coreutils, Bash, and other essential tools do not need to
6619 be specified as inputs here. Instead, @code{gnu-build-system} takes care
6620 of ensuring that they are present (@pxref{Build Systems}).
6622 However, any other dependencies need to be specified in the
6623 @code{inputs} field. Any dependency not specified here will simply be
6624 unavailable to the build process, possibly leading to a build failure.
6627 @xref{package Reference}, for a full description of possible fields.
6629 Once a package definition is in place, the
6630 package may actually be built using the @code{guix build} command-line
6631 tool (@pxref{Invoking guix build}), troubleshooting any build failures
6632 you encounter (@pxref{Debugging Build Failures}). You can easily jump back to the
6633 package definition using the @command{guix edit} command
6634 (@pxref{Invoking guix edit}).
6635 @xref{Packaging Guidelines}, for
6636 more information on how to test package definitions, and
6637 @ref{Invoking guix lint}, for information on how to check a definition
6638 for style conformance.
6639 @vindex GUIX_PACKAGE_PATH
6640 Lastly, @pxref{Channels}, for information
6641 on how to extend the distribution by adding your own package definitions
6644 Finally, updating the package definition to a new upstream version
6645 can be partly automated by the @command{guix refresh} command
6646 (@pxref{Invoking guix refresh}).
6648 Behind the scenes, a derivation corresponding to the @code{<package>}
6649 object is first computed by the @code{package-derivation} procedure.
6650 That derivation is stored in a @file{.drv} file under @file{/gnu/store}.
6651 The build actions it prescribes may then be realized by using the
6652 @code{build-derivations} procedure (@pxref{The Store}).
6654 @deffn {Scheme Procedure} package-derivation @var{store} @var{package} [@var{system}]
6655 Return the @code{<derivation>} object of @var{package} for @var{system}
6656 (@pxref{Derivations}).
6658 @var{package} must be a valid @code{<package>} object, and @var{system}
6659 must be a string denoting the target system type---e.g.,
6660 @code{"x86_64-linux"} for an x86_64 Linux-based GNU system. @var{store}
6661 must be a connection to the daemon, which operates on the store
6662 (@pxref{The Store}).
6666 @cindex cross-compilation
6667 Similarly, it is possible to compute a derivation that cross-builds a
6668 package for some other system:
6670 @deffn {Scheme Procedure} package-cross-derivation @var{store} @
6671 @var{package} @var{target} [@var{system}]
6672 Return the @code{<derivation>} object of @var{package} cross-built from
6673 @var{system} to @var{target}.
6675 @var{target} must be a valid GNU triplet denoting the target hardware
6676 and operating system, such as @code{"aarch64-linux-gnu"}
6677 (@pxref{Specifying Target Triplets,,, autoconf, Autoconf}).
6680 Once you have package definitions, you can easily define @emph{variants}
6681 of those packages. @xref{Defining Package Variants}, for more on that.
6684 * package Reference:: The package data type.
6685 * origin Reference:: The origin data type.
6689 @node package Reference
6690 @subsection @code{package} Reference
6692 This section summarizes all the options available in @code{package}
6693 declarations (@pxref{Defining Packages}).
6695 @deftp {Data Type} package
6696 This is the data type representing a package recipe.
6700 The name of the package, as a string.
6702 @item @code{version}
6703 The version of the package, as a string. @xref{Version Numbers}, for
6707 An object telling how the source code for the package should be
6708 acquired. Most of the time, this is an @code{origin} object, which
6709 denotes a file fetched from the Internet (@pxref{origin Reference}). It
6710 can also be any other ``file-like'' object such as a @code{local-file},
6711 which denotes a file from the local file system (@pxref{G-Expressions,
6712 @code{local-file}}).
6714 @item @code{build-system}
6715 The build system that should be used to build the package (@pxref{Build
6718 @item @code{arguments} (default: @code{'()})
6719 The arguments that should be passed to the build system. This is a
6720 list, typically containing sequential keyword-value pairs.
6722 @item @code{inputs} (default: @code{'()})
6723 @itemx @code{native-inputs} (default: @code{'()})
6724 @itemx @code{propagated-inputs} (default: @code{'()})
6725 @cindex inputs, of packages
6726 These fields list dependencies of the package. Each one is a list of
6727 tuples, where each tuple has a label for the input (a string) as its
6728 first element, a package, origin, or derivation as its second element,
6729 and optionally the name of the output thereof that should be used, which
6730 defaults to @code{"out"} (@pxref{Packages with Multiple Outputs}, for
6731 more on package outputs). For example, the list below specifies three
6735 `(("libffi" ,libffi)
6736 ("libunistring" ,libunistring)
6737 ("glib:bin" ,glib "bin")) ;the "bin" output of Glib
6740 @cindex cross compilation, package dependencies
6741 The distinction between @code{native-inputs} and @code{inputs} is
6742 necessary when considering cross-compilation. When cross-compiling,
6743 dependencies listed in @code{inputs} are built for the @emph{target}
6744 architecture; conversely, dependencies listed in @code{native-inputs}
6745 are built for the architecture of the @emph{build} machine.
6747 @code{native-inputs} is typically used to list tools needed at
6748 build time, but not at run time, such as Autoconf, Automake, pkg-config,
6749 Gettext, or Bison. @command{guix lint} can report likely mistakes in
6750 this area (@pxref{Invoking guix lint}).
6752 @anchor{package-propagated-inputs}
6753 Lastly, @code{propagated-inputs} is similar to @code{inputs}, but the
6754 specified packages will be automatically installed to profiles
6755 (@pxref{Features, the role of profiles in Guix}) alongside the package
6756 they belong to (@pxref{package-cmd-propagated-inputs, @command{guix
6757 package}}, for information on how @command{guix package} deals with
6760 For example this is necessary when packaging a C/C++ library that needs
6761 headers of another library to compile, or when a pkg-config file refers
6762 to another one @i{via} its @code{Requires} field.
6764 Another example where @code{propagated-inputs} is useful is for languages
6765 that lack a facility to record the run-time search path akin to the
6766 @code{RUNPATH} of ELF files; this includes Guile, Python, Perl, and
6767 more. When packaging libraries written in those languages, ensure they
6768 can find library code they depend on at run time by listing run-time
6769 dependencies in @code{propagated-inputs} rather than @code{inputs}.
6771 @item @code{outputs} (default: @code{'("out")})
6772 The list of output names of the package. @xref{Packages with Multiple
6773 Outputs}, for typical uses of additional outputs.
6775 @item @code{native-search-paths} (default: @code{'()})
6776 @itemx @code{search-paths} (default: @code{'()})
6777 A list of @code{search-path-specification} objects describing
6778 search-path environment variables honored by the package.
6780 @item @code{replacement} (default: @code{#f})
6781 This must be either @code{#f} or a package object that will be used as a
6782 @dfn{replacement} for this package. @xref{Security Updates, grafts},
6785 @item @code{synopsis}
6786 A one-line description of the package.
6788 @item @code{description}
6789 A more elaborate description of the package.
6791 @item @code{license}
6792 @cindex license, of packages
6793 The license of the package; a value from @code{(guix licenses)},
6794 or a list of such values.
6796 @item @code{home-page}
6797 The URL to the home-page of the package, as a string.
6799 @item @code{supported-systems} (default: @code{%supported-systems})
6800 The list of systems supported by the package, as strings of the form
6801 @code{architecture-kernel}, for example @code{"x86_64-linux"}.
6803 @item @code{location} (default: source location of the @code{package} form)
6804 The source location of the package. It is useful to override this when
6805 inheriting from another package, in which case this field is not
6806 automatically corrected.
6810 @deffn {Scheme Syntax} this-package
6811 When used in the @emph{lexical scope} of a package field definition, this
6812 identifier resolves to the package being defined.
6814 The example below shows how to add a package as a native input of itself when
6822 ;; When cross-compiled, Guile, for example, depends on
6823 ;; a native version of itself. Add it here.
6824 (native-inputs (if (%current-target-system)
6825 `(("self" ,this-package))
6829 It is an error to refer to @code{this-package} outside a package definition.
6832 Because packages are regular Scheme objects that capture a complete
6833 dependency graph and associated build procedures, it is often useful to
6834 write procedures that take a package and return a modified version
6835 thereof according to some parameters. Below are a few examples.
6837 @cindex tool chain, choosing a package's tool chain
6838 @deffn {Scheme Procedure} package-with-c-toolchain @var{package} @var{toolchain}
6839 Return a variant of @var{package} that uses @var{toolchain} instead of
6840 the default GNU C/C++ toolchain. @var{toolchain} must be a list of
6841 inputs (label/package tuples) providing equivalent functionality, such
6842 as the @code{gcc-toolchain} package.
6844 The example below returns a variant of the @code{hello} package built
6845 with GCC@tie{}10.x and the rest of the GNU tool chain (Binutils and the
6846 GNU C Library) instead of the default tool chain:
6849 (let ((toolchain (specification->package "gcc-toolchain@@10")))
6850 (package-with-c-toolchain hello `(("toolchain" ,toolchain))))
6853 The build tool chain is part of the @dfn{implicit inputs} of
6854 packages---it's usually not listed as part of the various ``inputs''
6855 fields and is instead pulled in by the build system. Consequently, this
6856 procedure works by changing the build system of @var{package} so that it
6857 pulls in @var{toolchain} instead of the defaults. @ref{Build Systems},
6858 for more on build systems.
6861 @node origin Reference
6862 @subsection @code{origin} Reference
6864 This section documents @dfn{origins}. An @code{origin} declaration
6865 specifies data that must be ``produced''---downloaded, usually---and
6866 whose content hash is known in advance. Origins are primarily used to
6867 represent the source code of packages (@pxref{Defining Packages}). For
6868 that reason, the @code{origin} form allows you to declare patches to
6869 apply to the original source code as well as code snippets to modify it.
6871 @deftp {Data Type} origin
6872 This is the data type representing a source code origin.
6876 An object containing the URI of the source. The object type depends on
6877 the @code{method} (see below). For example, when using the
6878 @var{url-fetch} method of @code{(guix download)}, the valid @code{uri}
6879 values are: a URL represented as a string, or a list thereof.
6881 @cindex fixed-output derivations, for download
6883 A monadic procedure that handles the given URI@. The procedure must
6884 accept at least three arguments: the value of the @code{uri} field and
6885 the hash algorithm and hash value specified by the @code{hash} field.
6886 It must return a store item or a derivation in the store monad
6887 (@pxref{The Store Monad}); most methods return a fixed-output derivation
6888 (@pxref{Derivations}).
6890 Commonly used methods include @code{url-fetch}, which fetches data from
6891 a URL, and @code{git-fetch}, which fetches data from a Git repository
6895 A bytevector containing the SHA-256 hash of the source. This is
6896 equivalent to providing a @code{content-hash} SHA256 object in the
6897 @code{hash} field described below.
6900 The @code{content-hash} object of the source---see below for how to use
6901 @code{content-hash}.
6903 You can obtain this information using @code{guix download}
6904 (@pxref{Invoking guix download}) or @code{guix hash} (@pxref{Invoking
6907 @item @code{file-name} (default: @code{#f})
6908 The file name under which the source code should be saved. When this is
6909 @code{#f}, a sensible default value will be used in most cases. In case
6910 the source is fetched from a URL, the file name from the URL will be
6911 used. For version control checkouts, it is recommended to provide the
6912 file name explicitly because the default is not very descriptive.
6914 @item @code{patches} (default: @code{'()})
6915 A list of file names, origins, or file-like objects (@pxref{G-Expressions,
6916 file-like objects}) pointing to patches to be applied to the source.
6918 This list of patches must be unconditional. In particular, it cannot
6919 depend on the value of @code{%current-system} or
6920 @code{%current-target-system}.
6922 @item @code{snippet} (default: @code{#f})
6923 A G-expression (@pxref{G-Expressions}) or S-expression that will be run
6924 in the source directory. This is a convenient way to modify the source,
6925 sometimes more convenient than a patch.
6927 @item @code{patch-flags} (default: @code{'("-p1")})
6928 A list of command-line flags that should be passed to the @code{patch}
6931 @item @code{patch-inputs} (default: @code{#f})
6932 Input packages or derivations to the patching process. When this is
6933 @code{#f}, the usual set of inputs necessary for patching are provided,
6934 such as GNU@tie{}Patch.
6936 @item @code{modules} (default: @code{'()})
6937 A list of Guile modules that should be loaded during the patching
6938 process and while running the code in the @code{snippet} field.
6940 @item @code{patch-guile} (default: @code{#f})
6941 The Guile package that should be used in the patching process. When
6942 this is @code{#f}, a sensible default is used.
6946 @deftp {Data Type} content-hash @var{value} [@var{algorithm}]
6947 Construct a content hash object for the given @var{algorithm}, and with
6948 @var{value} as its hash value. When @var{algorithm} is omitted, assume
6949 it is @code{sha256}.
6951 @var{value} can be a literal string, in which case it is base32-decoded,
6952 or it can be a bytevector.
6954 The following forms are all equivalent:
6957 (content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj")
6958 (content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"
6960 (content-hash (base32
6961 "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"))
6962 (content-hash (base64 "kkb+RPaP7uyMZmu4eXPVkM4BN8yhRd8BTHLslb6f/Rc=")
6966 Technically, @code{content-hash} is currently implemented as a macro.
6967 It performs sanity checks at macro-expansion time, when possible, such
6968 as ensuring that @var{value} has the right size for @var{algorithm}.
6971 As we have seen above, how exactly the data an origin refers to is
6972 retrieved is determined by its @code{method} field. The @code{(guix
6973 download)} module provides the most common method, @code{url-fetch},
6976 @deffn {Scheme Procedure} url-fetch @var{url} @var{hash-algo} @var{hash} @
6977 [name] [#:executable? #f]
6978 Return a fixed-output derivation that fetches data from @var{url} (a
6979 string, or a list of strings denoting alternate URLs), which is expected
6980 to have hash @var{hash} of type @var{hash-algo} (a symbol). By default,
6981 the file name is the base name of URL; optionally, @var{name} can
6982 specify a different file name. When @var{executable?} is true, make the
6983 downloaded file executable.
6985 When one of the URL starts with @code{mirror://}, then its host part is
6986 interpreted as the name of a mirror scheme, taken from @file{%mirror-file}.
6988 Alternatively, when URL starts with @code{file://}, return the
6989 corresponding file name in the store.
6992 Likewise, the @code{(guix git-download)} module defines the
6993 @code{git-fetch} origin method, which fetches data from a Git version
6994 control repository, and the @code{git-reference} data type to describe
6995 the repository and revision to fetch.
6997 @deffn {Scheme Procedure} git-fetch @var{ref} @var{hash-algo} @var{hash}
6998 Return a fixed-output derivation that fetches @var{ref}, a
6999 @code{<git-reference>} object. The output is expected to have recursive
7000 hash @var{hash} of type @var{hash-algo} (a symbol). Use @var{name} as
7001 the file name, or a generic name if @code{#f}.
7004 @deftp {Data Type} git-reference
7005 This data type represents a Git reference for @code{git-fetch} to
7010 The URL of the Git repository to clone.
7013 This string denotes either the commit to fetch (a hexadecimal string,
7014 either the full SHA1 commit or a ``short'' commit string; the latter is
7015 not recommended) or the tag to fetch.
7017 @item @code{recursive?} (default: @code{#f})
7018 This Boolean indicates whether to recursively fetch Git sub-modules.
7021 The example below denotes the @code{v2.10} tag of the GNU@tie{}Hello
7026 (url "https://git.savannah.gnu.org/git/hello.git")
7030 This is equivalent to the reference below, which explicitly names the
7035 (url "https://git.savannah.gnu.org/git/hello.git")
7036 (commit "dc7dc56a00e48fe6f231a58f6537139fe2908fb9"))
7040 For Mercurial repositories, the module @code{(guix hg-download)} defines
7041 the @code{hg-fetch} origin method and @code{hg-reference} data type for
7042 support of the Mercurial version control system.
7044 @deffn {Scheme Procedure} hg-fetch @var{ref} @var{hash-algo} @var{hash} @
7046 Return a fixed-output derivation that fetches @var{ref}, a
7047 @code{<hg-reference>} object. The output is expected to have recursive
7048 hash @var{hash} of type @var{hash-algo} (a symbol). Use @var{name} as
7049 the file name, or a generic name if @code{#false}.
7052 @node Defining Package Variants
7053 @section Defining Package Variants
7055 @cindex customizing packages
7056 @cindex variants, of packages
7057 One of the nice things with Guix is that, given a package definition,
7058 you can easily @emph{derive} variants of that package---for a different
7059 upstream version, with different dependencies, different compilation
7060 options, and so on. Some of these custom packages can be defined
7061 straight from the command line (@pxref{Package Transformation Options}).
7062 This section describes how to define package variants in code. This can
7063 be useful in ``manifests'' (@pxref{profile-manifest,
7064 @option{--manifest}}) and in your own package collection
7065 (@pxref{Creating a Channel}), among others!
7067 @cindex inherit, for package definitions
7068 As discussed earlier, packages are first-class objects in the Scheme
7069 language. The @code{(guix packages)} module provides the @code{package}
7070 construct to define new package objects (@pxref{package Reference}).
7071 The easiest way to define a package variant is using the @code{inherit}
7072 keyword together with @code{package}. This allows you to inherit from a
7073 package definition while overriding the fields you want.
7075 For example, given the @code{hello} variable, which contains a
7076 definition for the current version of GNU@tie{}Hello, here's how you
7077 would define a variant for version 2.2 (released in 2006, it's
7081 (use-modules (gnu packages base)) ;for 'hello'
7089 (uri (string-append "mirror://gnu/hello/hello-" version
7093 "0lappv4slgb5spyqbh6yl5r013zv72yqg2pcl30mginf3wdqd8k9"))))))
7096 The example above corresponds to what the @option{--with-source} package
7097 transformation option does. Essentially @code{hello-2.2} preserves all
7098 the fields of @code{hello}, except @code{version} and @code{source},
7099 which it overrides. Note that the original @code{hello} variable is
7100 still there, in the @code{(gnu packages base)} module, unchanged. When
7101 you define a custom package like this, you are really @emph{adding} a
7102 new package definition; the original one remains available.
7104 You can just as well define variants with a different set of
7105 dependencies than the original package. For example, the default
7106 @code{gdb} package depends on @code{guile}, but since that is an
7107 optional dependency, you can define a variant that removes that
7111 (use-modules (gnu packages gdb) ;for 'gdb'
7112 (srfi srfi-1)) ;for 'alist-delete'
7114 (define gdb-sans-guile
7117 (inputs (alist-delete "guile"
7118 (package-inputs gdb)))))
7121 The @code{alist-delete} call above removes the tuple from the
7122 @code{inputs} field that has @code{"guile"} as its first element
7123 (@pxref{SRFI-1 Association Lists,,, guile, GNU Guile Reference
7126 In some cases, you may find it useful to write functions
7127 (``procedures'', in Scheme parlance) that return a package based on some
7128 parameters. For example, consider the @code{luasocket} library for the
7129 Lua programming language. We want to create @code{luasocket} packages
7130 for major versions of Lua. One way to do that is to define a procedure
7131 that takes a Lua package and returns a @code{luasocket} package that
7135 (define (make-lua-socket name lua)
7136 ;; Return a luasocket package built with LUA.
7140 ;; several fields omitted
7143 (synopsis "Socket library for Lua")))
7145 (define-public lua5.1-socket
7146 (make-lua-socket "lua5.1-socket" lua-5.1))
7148 (define-public lua5.2-socket
7149 (make-lua-socket "lua5.2-socket" lua-5.2))
7152 Here we have defined packages @code{lua5.1-socket} and
7153 @code{lua5.2-socket} by calling @code{make-lua-socket} with different
7154 arguments. @xref{Procedures,,, guile, GNU Guile Reference Manual}, for
7155 more info on procedures. Having top-level public definitions for these
7156 two packages means that they can be referred to from the command line
7157 (@pxref{Package Modules}).
7159 @cindex package transformations
7160 These are pretty simple package variants. As a convenience, the
7161 @code{(guix transformations)} module provides a high-level interface
7162 that directly maps to the more sophisticated package transformation
7163 options (@pxref{Package Transformation Options}):
7165 @deffn {Scheme Procedure} options->transformation @var{opts}
7166 Return a procedure that, when passed an object to build (package,
7167 derivation, etc.), applies the transformations specified by @var{opts} and returns
7168 the resulting objects. @var{opts} must be a list of symbol/string pairs such as:
7171 ((with-branch . "guile-gcrypt=master")
7172 (without-tests . "libgcrypt"))
7175 Each symbol names a transformation and the corresponding string is an argument
7176 to that transformation.
7179 For instance, a manifest equivalent to this command:
7183 --with-branch=guile-gcrypt=master \
7184 --with-debug-info=zlib
7188 ... would look like this:
7191 (use-modules (guix transformations))
7194 ;; The package transformation procedure.
7195 (options->transformation
7196 '((with-branch . "guile-gcrypt=master")
7197 (with-debug-info . "zlib"))))
7200 (list (transform (specification->package "guix"))))
7203 @cindex input rewriting
7204 @cindex dependency graph rewriting
7205 The @code{options->transformation} procedure is convenient, but it's
7206 perhaps also not as flexible as you may like. How is it implemented?
7207 The astute reader probably noticed that most package transformation
7208 options go beyond the superficial changes shown in the first examples of
7209 this section: they involve @dfn{input rewriting}, whereby the dependency
7210 graph of a package is rewritten by replacing specific inputs by others.
7212 Dependency graph rewriting, for the purposes of swapping packages in the
7213 graph, is what the @code{package-input-rewriting} procedure in
7214 @code{(guix packages)} implements.
7216 @deffn {Scheme Procedure} package-input-rewriting @var{replacements} @
7217 [@var{rewrite-name}] [#:deep? #t]
7218 Return a procedure that, when passed a package, replaces its direct and
7219 indirect dependencies, including implicit inputs when @var{deep?} is
7220 true, according to @var{replacements}. @var{replacements} is a list of
7221 package pairs; the first element of each pair is the package to replace,
7222 and the second one is the replacement.
7224 Optionally, @var{rewrite-name} is a one-argument procedure that takes
7225 the name of a package and returns its new name after rewrite.
7229 Consider this example:
7232 (define libressl-instead-of-openssl
7233 ;; This is a procedure to replace OPENSSL by LIBRESSL,
7235 (package-input-rewriting `((,openssl . ,libressl))))
7237 (define git-with-libressl
7238 (libressl-instead-of-openssl git))
7242 Here we first define a rewriting procedure that replaces @var{openssl}
7243 with @var{libressl}. Then we use it to define a @dfn{variant} of the
7244 @var{git} package that uses @var{libressl} instead of @var{openssl}.
7245 This is exactly what the @option{--with-input} command-line option does
7246 (@pxref{Package Transformation Options, @option{--with-input}}).
7248 The following variant of @code{package-input-rewriting} can match packages to
7249 be replaced by name rather than by identity.
7251 @deffn {Scheme Procedure} package-input-rewriting/spec @var{replacements} [#:deep? #t]
7252 Return a procedure that, given a package, applies the given
7253 @var{replacements} to all the package graph, including implicit inputs
7254 unless @var{deep?} is false. @var{replacements} is a list of
7255 spec/procedures pair; each spec is a package specification such as
7256 @code{"gcc"} or @code{"guile@@2"}, and each procedure takes a matching
7257 package and returns a replacement for that package.
7260 The example above could be rewritten this way:
7263 (define libressl-instead-of-openssl
7264 ;; Replace all the packages called "openssl" with LibreSSL.
7265 (package-input-rewriting/spec `(("openssl" . ,(const libressl)))))
7268 The key difference here is that, this time, packages are matched by spec and
7269 not by identity. In other words, any package in the graph that is called
7270 @code{openssl} will be replaced.
7272 A more generic procedure to rewrite a package dependency graph is
7273 @code{package-mapping}: it supports arbitrary changes to nodes in the
7276 @deffn {Scheme Procedure} package-mapping @var{proc} [@var{cut?}] [#:deep? #f]
7277 Return a procedure that, given a package, applies @var{proc} to all the packages
7278 depended on and returns the resulting package. The procedure stops recursion
7279 when @var{cut?} returns true for a given package. When @var{deep?} is true, @var{proc} is
7280 applied to implicit inputs as well.
7285 @section Build Systems
7287 @cindex build system
7288 Each package definition specifies a @dfn{build system} and arguments for
7289 that build system (@pxref{Defining Packages}). This @code{build-system}
7290 field represents the build procedure of the package, as well as implicit
7291 dependencies of that build procedure.
7293 Build systems are @code{<build-system>} objects. The interface to
7294 create and manipulate them is provided by the @code{(guix build-system)}
7295 module, and actual build systems are exported by specific modules.
7297 @cindex bag (low-level package representation)
7298 Under the hood, build systems first compile package objects to
7299 @dfn{bags}. A @dfn{bag} is like a package, but with less
7300 ornamentation---in other words, a bag is a lower-level representation of
7301 a package, which includes all the inputs of that package, including some
7302 that were implicitly added by the build system. This intermediate
7303 representation is then compiled to a derivation (@pxref{Derivations}).
7304 The @code{package-with-c-toolchain} is an example of a way to change the
7305 implicit inputs that a package's build system pulls in (@pxref{package
7306 Reference, @code{package-with-c-toolchain}}).
7308 Build systems accept an optional list of @dfn{arguments}. In package
7309 definitions, these are passed @i{via} the @code{arguments} field
7310 (@pxref{Defining Packages}). They are typically keyword arguments
7311 (@pxref{Optional Arguments, keyword arguments in Guile,, guile, GNU
7312 Guile Reference Manual}). The value of these arguments is usually
7313 evaluated in the @dfn{build stratum}---i.e., by a Guile process launched
7314 by the daemon (@pxref{Derivations}).
7316 The main build system is @code{gnu-build-system}, which implements the
7317 standard build procedure for GNU and many other packages. It
7318 is provided by the @code{(guix build-system gnu)} module.
7320 @defvr {Scheme Variable} gnu-build-system
7321 @code{gnu-build-system} represents the GNU Build System, and variants
7322 thereof (@pxref{Configuration, configuration and makefile conventions,,
7323 standards, GNU Coding Standards}).
7325 @cindex build phases
7326 In a nutshell, packages using it are configured, built, and installed with
7327 the usual @code{./configure && make && make check && make install}
7328 command sequence. In practice, a few additional steps are often needed.
7329 All these steps are split up in separate @dfn{phases}.
7330 @xref{Build Phases}, for more info on build phases and ways to customize
7333 In addition, this build system ensures that the ``standard'' environment
7334 for GNU packages is available. This includes tools such as GCC, libc,
7335 Coreutils, Bash, Make, Diffutils, grep, and sed (see the @code{(guix
7336 build-system gnu)} module for a complete list). We call these the
7337 @dfn{implicit inputs} of a package, because package definitions do not
7338 have to mention them.
7340 This build system supports a number of keyword arguments, which can be
7341 passed @i{via} the @code{arguments} field of a package. Here are some
7342 of the main parameters:
7346 This argument specifies build-side code that evaluates to an alist of
7347 build phases. @xref{Build Phases}, for more information.
7349 @item #:configure-flags
7350 This is a list of flags (strings) passed to the @command{configure}
7351 script. @xref{Defining Packages}, for an example.
7354 This list of strings contains flags passed as arguments to
7355 @command{make} invocations in the @code{build}, @code{check}, and
7356 @code{install} phases.
7358 @item #:out-of-source?
7359 This Boolean, @code{#f} by default, indicates whether to run builds in a
7360 build directory separate from the source tree.
7362 When it is true, the @code{configure} phase creates a separate build
7363 directory, changes to that directory, and runs the @code{configure}
7364 script from there. This is useful for packages that require it, such as
7368 This Boolean, @code{#t} by default, indicates whether the @code{check}
7369 phase should run the package's test suite.
7372 This string, @code{"check"} by default, gives the name of the makefile
7373 target used by the @code{check} phase.
7375 @item #:parallel-build?
7376 @itemx #:parallel-tests?
7377 These Boolean values specify whether to build, respectively run the test
7378 suite, in parallel, with the @code{-j} flag of @command{make}. When
7379 they are true, @code{make} is passed @code{-j@var{n}}, where @var{n} is
7380 the number specified as the @option{--cores} option of
7381 @command{guix-daemon} or that of the @command{guix} client command
7382 (@pxref{Common Build Options, @option{--cores}}).
7384 @cindex RUNPATH, validation
7385 @item #:validate-runpath?
7386 This Boolean, @code{#t} by default, determines whether to ``validate''
7387 the @code{RUNPATH} of ELF binaries (@code{.so} shared libraries as well
7388 as executables) previously installed by the @code{install} phase.
7390 This validation step consists in making sure that all the shared
7391 libraries needed by an ELF binary, which are listed as
7392 @code{DT_NEEDED} entries in its @code{PT_DYNAMIC} segment, appear in the
7393 @code{DT_RUNPATH} entry of that binary. In other words, it ensures that
7394 running or using those binaries will not result in a ``file not found''
7395 error at run time. @xref{Options, @option{-rpath},, ld, The GNU
7396 Linker}, for more information on @code{RUNPATH}.
7398 @item #:substitutable?
7399 This Boolean, @code{#t} by default, tells whether the package outputs
7400 should be substitutable---i.e., whether users should be able to obtain
7401 substitutes for them instead of building locally (@pxref{Substitutes}).
7403 @item #:allowed-references
7404 @itemx #:disallowed-references
7405 When true, these arguments must be a list of dependencies that must not
7406 appear among the references of the build results. If, upon build
7407 completion, some of these references are retained, the build process
7410 This is useful to ensure that a package does not erroneously keep a
7411 reference to some of it build-time inputs, in cases where doing so
7412 would, for example, unnecessarily increase its size (@pxref{Invoking
7416 Most other build systems support these keyword arguments.
7419 Other @code{<build-system>} objects are defined to support other
7420 conventions and tools used by free software packages. They inherit most
7421 of @code{gnu-build-system}, and differ mainly in the set of inputs
7422 implicitly added to the build process, and in the list of phases
7423 executed. Some of these build systems are listed below.
7425 @defvr {Scheme Variable} ant-build-system
7426 This variable is exported by @code{(guix build-system ant)}. It
7427 implements the build procedure for Java packages that can be built with
7428 @url{https://ant.apache.org/, Ant build tool}.
7430 It adds both @code{ant} and the @dfn{Java Development Kit} (JDK) as
7431 provided by the @code{icedtea} package to the set of inputs. Different
7432 packages can be specified with the @code{#:ant} and @code{#:jdk}
7433 parameters, respectively.
7435 When the original package does not provide a suitable Ant build file,
7436 the parameter @code{#:jar-name} can be used to generate a minimal Ant
7437 build file @file{build.xml} with tasks to build the specified jar
7438 archive. In this case the parameter @code{#:source-dir} can be used to
7439 specify the source sub-directory, defaulting to ``src''.
7441 The @code{#:main-class} parameter can be used with the minimal ant
7442 buildfile to specify the main class of the resulting jar. This makes the
7443 jar file executable. The @code{#:test-include} parameter can be used to
7444 specify the list of junit tests to run. It defaults to
7445 @code{(list "**/*Test.java")}. The @code{#:test-exclude} can be used to
7446 disable some tests. It defaults to @code{(list "**/Abstract*.java")},
7447 because abstract classes cannot be run as tests.
7449 The parameter @code{#:build-target} can be used to specify the Ant task
7450 that should be run during the @code{build} phase. By default the
7451 ``jar'' task will be run.
7455 @defvr {Scheme Variable} android-ndk-build-system
7456 @cindex Android distribution
7457 @cindex Android NDK build system
7458 This variable is exported by @code{(guix build-system android-ndk)}. It
7459 implements a build procedure for Android NDK (native development kit)
7460 packages using a Guix-specific build process.
7462 The build system assumes that packages install their public interface
7463 (header) files to the subdirectory @file{include} of the @code{out} output and
7464 their libraries to the subdirectory @file{lib} the @code{out} output.
7466 It's also assumed that the union of all the dependencies of a package
7467 has no conflicting files.
7469 For the time being, cross-compilation is not supported - so right now
7470 the libraries and header files are assumed to be host tools.
7474 @defvr {Scheme Variable} asdf-build-system/source
7475 @defvrx {Scheme Variable} asdf-build-system/sbcl
7476 @defvrx {Scheme Variable} asdf-build-system/ecl
7478 These variables, exported by @code{(guix build-system asdf)}, implement
7479 build procedures for Common Lisp packages using
7480 @url{https://common-lisp.net/project/asdf/, ``ASDF''}. ASDF is a system
7481 definition facility for Common Lisp programs and libraries.
7483 The @code{asdf-build-system/source} system installs the packages in
7484 source form, and can be loaded using any common lisp implementation, via
7485 ASDF@. The others, such as @code{asdf-build-system/sbcl}, install binary
7486 systems in the format which a particular implementation understands.
7487 These build systems can also be used to produce executable programs, or
7488 lisp images which contain a set of packages pre-loaded.
7490 The build system uses naming conventions. For binary packages, the
7491 package name should be prefixed with the lisp implementation, such as
7492 @code{sbcl-} for @code{asdf-build-system/sbcl}.
7494 Additionally, the corresponding source package should be labeled using
7495 the same convention as python packages (see @ref{Python Modules}), using
7496 the @code{cl-} prefix.
7498 In order to create executable programs and images, the build-side
7499 procedures @code{build-program} and @code{build-image} can be used.
7500 They should be called in a build phase after the
7501 @code{create-asdf-configuration} phase, so that the system which was
7502 just built can be used within the resulting image. @code{build-program}
7503 requires a list of Common Lisp expressions to be passed as the
7504 @code{#:entry-program} argument.
7506 By default, all the @file{.asd} files present in the sources are read to
7507 find system definitions. The @code{#:asd-files} parameter can be used
7508 to specify the list of @file{.asd} files to read. Furthermore, if the
7509 package defines a system for its tests in a separate file, it will be
7510 loaded before the tests are run if it is specified by the
7511 @code{#:test-asd-file} parameter. If it is not set, the files
7512 @code{<system>-tests.asd}, @code{<system>-test.asd}, @code{tests.asd},
7513 and @code{test.asd} will be tried if they exist.
7515 If for some reason the package must be named in a different way than the
7516 naming conventions suggest, or if several systems must be compiled, the
7517 @code{#:asd-systems} parameter can be used to specify the list of system
7522 @defvr {Scheme Variable} cargo-build-system
7523 @cindex Rust programming language
7524 @cindex Cargo (Rust build system)
7525 This variable is exported by @code{(guix build-system cargo)}. It
7526 supports builds of packages using Cargo, the build tool of the
7527 @uref{https://www.rust-lang.org, Rust programming language}.
7529 It adds @code{rustc} and @code{cargo} to the set of inputs.
7530 A different Rust package can be specified with the @code{#:rust} parameter.
7532 Regular cargo dependencies should be added to the package definition similarly
7533 to other packages; those needed only at build time to native-inputs, others to
7534 inputs. If you need to add source-only crates then you should add them to via
7535 the @code{#:cargo-inputs} parameter as a list of name and spec pairs, where the
7536 spec can be a package or a source definition. Note that the spec must
7537 evaluate to a path to a gzipped tarball which includes a @code{Cargo.toml}
7538 file at its root, or it will be ignored. Similarly, cargo dev-dependencies
7539 should be added to the package definition via the
7540 @code{#:cargo-development-inputs} parameter.
7542 In its @code{configure} phase, this build system will make any source inputs
7543 specified in the @code{#:cargo-inputs} and @code{#:cargo-development-inputs}
7544 parameters available to cargo. It will also remove an included
7545 @code{Cargo.lock} file to be recreated by @code{cargo} during the
7546 @code{build} phase. The @code{package} phase will run @code{cargo package}
7547 to create a source crate for future use. The @code{install} phase installs
7548 the binaries defined by the crate. Unless @code{install-source? #f} is
7549 defined it will also install a source crate repository of itself and unpacked
7550 sources, to ease in future hacking on rust packages.
7553 @defvr {Scheme Variable} chicken-build-system
7554 This variable is exported by @code{(guix build-system chicken)}. It
7555 builds @uref{https://call-cc.org/, CHICKEN Scheme} modules, also called
7556 ``eggs'' or ``extensions''. CHICKEN generates C source code, which then
7557 gets compiled by a C compiler, in this case GCC.
7559 This build system adds @code{chicken} to the package inputs, as well as
7560 the packages of @code{gnu-build-system}.
7562 The build system can't (yet) deduce the egg's name automatically, so just like
7563 with @code{go-build-system} and its @code{#:import-path}, you should define
7564 @code{#:egg-name} in the package's @code{arguments} field.
7566 For example, if you are packaging the @code{srfi-1} egg:
7569 (arguments '(#:egg-name "srfi-1"))
7572 Egg dependencies must be defined in @code{propagated-inputs}, not @code{inputs}
7573 because CHICKEN doesn't embed absolute references in compiled eggs.
7574 Test dependencies should go to @code{native-inputs}, as usual.
7577 @defvr {Scheme Variable} copy-build-system
7578 This variable is exported by @code{(guix build-system copy)}. It
7579 supports builds of simple packages that don't require much compiling,
7580 mostly just moving files around.
7582 It adds much of the @code{gnu-build-system} packages to the set of
7583 inputs. Because of this, the @code{copy-build-system} does not require
7584 all the boilerplate code often needed for the
7585 @code{trivial-build-system}.
7587 To further simplify the file installation process, an
7588 @code{#:install-plan} argument is exposed to let the packager specify
7589 which files go where. The install plan is a list of @code{(@var{source}
7590 @var{target} [@var{filters}])}. @var{filters} are optional.
7593 @item When @var{source} matches a file or directory without trailing slash, install it to @var{target}.
7595 @item If @var{target} has a trailing slash, install @var{source} basename beneath @var{target}.
7596 @item Otherwise install @var{source} as @var{target}.
7599 @item When @var{source} is a directory with a trailing slash, or when @var{filters} are used,
7600 the trailing slash of @var{target} is implied with the same meaning
7603 @item Without @var{filters}, install the full @var{source} @emph{content} to @var{target}.
7604 @item With @var{filters} among @code{#:include}, @code{#:include-regexp}, @code{#:exclude},
7605 @code{#:exclude-regexp}, only select files are installed depending on
7606 the filters. Each filters is specified by a list of strings.
7608 @item With @code{#:include}, install all the files which the path suffix matches
7609 at least one of the elements in the given list.
7610 @item With @code{#:include-regexp}, install all the files which the
7611 subpaths match at least one of the regular expressions in the given
7613 @item The @code{#:exclude} and @code{#:exclude-regexp} filters
7614 are the complement of their inclusion counterpart. Without @code{#:include} flags,
7615 install all files but those matching the exclusion filters.
7616 If both inclusions and exclusions are specified, the exclusions are done
7617 on top of the inclusions.
7620 In all cases, the paths relative to @var{source} are preserved within
7627 @item @code{("foo/bar" "share/my-app/")}: Install @file{bar} to @file{share/my-app/bar}.
7628 @item @code{("foo/bar" "share/my-app/baz")}: Install @file{bar} to @file{share/my-app/baz}.
7629 @item @code{("foo/" "share/my-app")}: Install the content of @file{foo} inside @file{share/my-app},
7630 e.g., install @file{foo/sub/file} to @file{share/my-app/sub/file}.
7631 @item @code{("foo/" "share/my-app" #:include ("sub/file"))}: Install only @file{foo/sub/file} to
7632 @file{share/my-app/sub/file}.
7633 @item @code{("foo/sub" "share/my-app" #:include ("file"))}: Install @file{foo/sub/file} to
7634 @file{share/my-app/file}.
7639 @cindex Clojure (programming language)
7640 @cindex simple Clojure build system
7641 @defvr {Scheme Variable} clojure-build-system
7642 This variable is exported by @code{(guix build-system clojure)}. It implements
7643 a simple build procedure for @uref{https://clojure.org/, Clojure} packages
7644 using plain old @code{compile} in Clojure. Cross-compilation is not supported
7647 It adds @code{clojure}, @code{icedtea} and @code{zip} to the set of inputs.
7648 Different packages can be specified with the @code{#:clojure}, @code{#:jdk} and
7649 @code{#:zip} parameters, respectively.
7651 A list of source directories, test directories and jar names can be specified
7652 with the @code{#:source-dirs}, @code{#:test-dirs} and @code{#:jar-names}
7653 parameters, respectively. Compile directory and main class can be specified
7654 with the @code{#:compile-dir} and @code{#:main-class} parameters, respectively.
7655 Other parameters are documented below.
7657 This build system is an extension of @code{ant-build-system}, but with the
7658 following phases changed:
7663 This phase calls @code{compile} in Clojure to compile source files and runs
7664 @command{jar} to create jars from both source files and compiled files
7665 according to the include list and exclude list specified in
7666 @code{#:aot-include} and @code{#:aot-exclude}, respectively. The exclude list
7667 has priority over the include list. These lists consist of symbols
7668 representing Clojure libraries or the special keyword @code{#:all} representing
7669 all Clojure libraries found under the source directories. The parameter
7670 @code{#:omit-source?} decides if source should be included into the jars.
7673 This phase runs tests according to the include list and exclude list specified
7674 in @code{#:test-include} and @code{#:test-exclude}, respectively. Their
7675 meanings are analogous to that of @code{#:aot-include} and
7676 @code{#:aot-exclude}, except that the special keyword @code{#:all} now
7677 stands for all Clojure libraries found under the test directories. The
7678 parameter @code{#:tests?} decides if tests should be run.
7681 This phase installs all jars built previously.
7684 Apart from the above, this build system also contains an additional phase:
7689 This phase installs all top-level files with base name matching
7690 @code{%doc-regex}. A different regex can be specified with the
7691 @code{#:doc-regex} parameter. All files (recursively) inside the documentation
7692 directories specified in @code{#:doc-dirs} are installed as well.
7696 @defvr {Scheme Variable} cmake-build-system
7697 This variable is exported by @code{(guix build-system cmake)}. It
7698 implements the build procedure for packages using the
7699 @url{https://www.cmake.org, CMake build tool}.
7701 It automatically adds the @code{cmake} package to the set of inputs.
7702 Which package is used can be specified with the @code{#:cmake}
7705 The @code{#:configure-flags} parameter is taken as a list of flags
7706 passed to the @command{cmake} command. The @code{#:build-type}
7707 parameter specifies in abstract terms the flags passed to the compiler;
7708 it defaults to @code{"RelWithDebInfo"} (short for ``release mode with
7709 debugging information''), which roughly means that code is compiled with
7710 @code{-O2 -g}, as is the case for Autoconf-based packages by default.
7713 @defvr {Scheme Variable} dune-build-system
7714 This variable is exported by @code{(guix build-system dune)}. It
7715 supports builds of packages using @uref{https://dune.build/, Dune}, a build
7716 tool for the OCaml programming language. It is implemented as an extension
7717 of the @code{ocaml-build-system} which is described below. As such, the
7718 @code{#:ocaml} and @code{#:findlib} parameters can be passed to this build
7721 It automatically adds the @code{dune} package to the set of inputs.
7722 Which package is used can be specified with the @code{#:dune}
7725 There is no @code{configure} phase because dune packages typically don't
7726 need to be configured. The @code{#:build-flags} parameter is taken as a
7727 list of flags passed to the @code{dune} command during the build.
7729 The @code{#:jbuild?} parameter can be passed to use the @code{jbuild}
7730 command instead of the more recent @code{dune} command while building
7731 a package. Its default value is @code{#f}.
7733 The @code{#:package} parameter can be passed to specify a package name, which
7734 is useful when a package contains multiple packages and you want to build
7735 only one of them. This is equivalent to passing the @code{-p} argument to
7740 @defvr {Scheme Variable} go-build-system
7741 This variable is exported by @code{(guix build-system go)}. It
7742 implements a build procedure for Go packages using the standard
7743 @url{https://golang.org/cmd/go/#hdr-Compile_packages_and_dependencies,
7744 Go build mechanisms}.
7746 The user is expected to provide a value for the key @code{#:import-path}
7747 and, in some cases, @code{#:unpack-path}. The
7748 @url{https://golang.org/doc/code.html#ImportPaths, import path}
7749 corresponds to the file system path expected by the package's build
7750 scripts and any referring packages, and provides a unique way to
7751 refer to a Go package. It is typically based on a combination of the
7752 package source code's remote URI and file system hierarchy structure. In
7753 some cases, you will need to unpack the package's source code to a
7754 different directory structure than the one indicated by the import path,
7755 and @code{#:unpack-path} should be used in such cases.
7757 Packages that provide Go libraries should install their source code into
7758 the built output. The key @code{#:install-source?}, which defaults to
7759 @code{#t}, controls whether or not the source code is installed. It can
7760 be set to @code{#f} for packages that only provide executable files.
7763 @defvr {Scheme Variable} glib-or-gtk-build-system
7764 This variable is exported by @code{(guix build-system glib-or-gtk)}. It
7765 is intended for use with packages making use of GLib or GTK+.
7767 This build system adds the following two phases to the ones defined by
7768 @code{gnu-build-system}:
7771 @item glib-or-gtk-wrap
7772 The phase @code{glib-or-gtk-wrap} ensures that programs in
7773 @file{bin/} are able to find GLib ``schemas'' and
7774 @uref{https://developer.gnome.org/gtk3/stable/gtk-running.html, GTK+
7775 modules}. This is achieved by wrapping the programs in launch scripts
7776 that appropriately set the @env{XDG_DATA_DIRS} and @env{GTK_PATH}
7777 environment variables.
7779 It is possible to exclude specific package outputs from that wrapping
7780 process by listing their names in the
7781 @code{#:glib-or-gtk-wrap-excluded-outputs} parameter. This is useful
7782 when an output is known not to contain any GLib or GTK+ binaries, and
7783 where wrapping would gratuitously add a dependency of that output on
7786 @item glib-or-gtk-compile-schemas
7787 The phase @code{glib-or-gtk-compile-schemas} makes sure that all
7788 @uref{https://developer.gnome.org/gio/stable/glib-compile-schemas.html,
7789 GSettings schemas} of GLib are compiled. Compilation is performed by the
7790 @command{glib-compile-schemas} program. It is provided by the package
7791 @code{glib:bin} which is automatically imported by the build system.
7792 The @code{glib} package providing @command{glib-compile-schemas} can be
7793 specified with the @code{#:glib} parameter.
7796 Both phases are executed after the @code{install} phase.
7799 @defvr {Scheme Variable} guile-build-system
7800 This build system is for Guile packages that consist exclusively of Scheme
7801 code and that are so lean that they don't even have a makefile, let alone a
7802 @file{configure} script. It compiles Scheme code using @command{guild
7803 compile} (@pxref{Compilation,,, guile, GNU Guile Reference Manual}) and
7804 installs the @file{.scm} and @file{.go} files in the right place. It also
7805 installs documentation.
7807 This build system supports cross-compilation by using the
7808 @option{--target} option of @samp{guild compile}.
7810 Packages built with @code{guile-build-system} must provide a Guile package in
7811 their @code{native-inputs} field.
7814 @defvr {Scheme Variable} julia-build-system
7815 This variable is exported by @code{(guix build-system julia)}. It
7816 implements the build procedure used by @uref{https://julialang.org/,
7817 julia} packages, which essentially is similar to running @samp{julia -e
7818 'using Pkg; Pkg.add(package)'} in an environment where
7819 @env{JULIA_LOAD_PATH} contains the paths to all Julia package inputs.
7820 Tests are run by calling @code{/test/runtests.jl}.
7822 The Julia package name is read from the file @file{Project.toml}. This
7823 value can be overridden by passing the argument @code{#:julia-package-name}
7824 (which must be correctly capitalized).
7826 Julia packages usually manage their binary dependencies via
7827 @code{JLLWrappers.jl}, a Julia package that creates a module (named
7828 after the wrapped library followed by @code{_jll.jl}.
7830 To add the binary path @code{_jll.jl} packages, you need to patch the
7831 files under @file{src/wrappers/}, replacing the call to the macro
7832 @code{JLLWrappers.@@generate_wrapper_header}, adding as a second
7833 argument containing the store path the binary.
7835 As an example, in the MbedTLS Julia package, we add a build phase
7836 (@pxref{Build Phases}) to insert the absolute file name of the wrapped
7840 (add-after 'unpack 'override-binary-path
7841 (lambda* (#:key inputs #:allow-other-keys)
7842 (for-each (lambda (wrapper)
7843 (substitute* wrapper
7844 (("generate_wrapper_header.*")
7846 "generate_wrapper_header(\"MbedTLS\", \""
7847 (assoc-ref inputs "mbedtls-apache") "\")\n"))))
7848 ;; There's a Julia file for each platform, override them all.
7849 (find-files "src/wrappers/" "\\.jl$"))))
7852 Some older packages that aren't using @file{Package.toml} yet, will require
7853 this file to be created, too. The function @code{julia-create-package-toml}
7854 helps creating the file. You need to pass the outputs and the source of the
7855 package, its name (the same as the @code{file-name} parameter), the package
7856 uuid, the package version, and a list of dependencies specified by their name
7860 @defvr {Scheme Variable} maven-build-system
7861 This variable is exported by @code{(guix build-system maven)}. It implements
7862 a build procedure for @uref{https://maven.apache.org, Maven} packages. Maven
7863 is a dependency and lifecycle management tool for Java. A user of Maven
7864 specifies dependencies and plugins in a @file{pom.xml} file that Maven reads.
7865 When Maven does not have one of the dependencies or plugins in its repository,
7866 it will download them and use them to build the package.
7868 The maven build system ensures that maven will not try to download any
7869 dependency by running in offline mode. Maven will fail if a dependency is
7870 missing. Before running Maven, the @file{pom.xml} (and subprojects) are
7871 modified to specify the version of dependencies and plugins that match the
7872 versions available in the guix build environment. Dependencies and plugins
7873 must be installed in the fake maven repository at @file{lib/m2}, and are
7874 symlinked into a proper repository before maven is run. Maven is instructed
7875 to use that repository for the build and installs built artifacts there.
7876 Changed files are copied to the @file{lib/m2} directory of the package output.
7878 You can specify a @file{pom.xml} file with the @code{#:pom-file} argument,
7879 or let the build system use the default @file{pom.xml} file in the sources.
7881 In case you need to specify a dependency's version manually, you can use the
7882 @code{#:local-packages} argument. It takes an association list where the key
7883 is the groupId of the package and its value is an association list where the
7884 key is the artifactId of the package and its value is the version you want to
7885 override in the @file{pom.xml}.
7887 Some packages use dependencies or plugins that are not useful at runtime nor
7888 at build time in Guix. You can alter the @file{pom.xml} file to remove them
7889 using the @code{#:exclude} argument. Its value is an association list where
7890 the key is the groupId of the plugin or dependency you want to remove, and
7891 the value is a list of artifactId you want to remove.
7893 You can override the default @code{jdk} and @code{maven} packages with the
7894 corresponding argument, @code{#:jdk} and @code{#:maven}.
7896 The @code{#:maven-plugins} argument is a list of maven plugins used during
7897 the build, with the same format as the @code{inputs} fields of the package
7898 declaration. Its default value is @code{(default-maven-plugins)} which is
7902 @defvr {Scheme Variable} minetest-mod-build-system
7903 This variable is exported by @code{(guix build-system minetest)}. It
7904 implements a build procedure for @uref{https://www.minetest.net, Minetest}
7905 mods, which consists of copying Lua code, images and other resources to
7906 the location Minetest searches for mods. The build system also minimises
7907 PNG images and verifies that Minetest can load the mod without errors.
7910 @defvr {Scheme Variable} minify-build-system
7911 This variable is exported by @code{(guix build-system minify)}. It
7912 implements a minification procedure for simple JavaScript packages.
7914 It adds @code{uglify-js} to the set of inputs and uses it to compress
7915 all JavaScript files in the @file{src} directory. A different minifier
7916 package can be specified with the @code{#:uglify-js} parameter, but it
7917 is expected that the package writes the minified code to the standard
7920 When the input JavaScript files are not all located in the @file{src}
7921 directory, the parameter @code{#:javascript-files} can be used to
7922 specify a list of file names to feed to the minifier.
7925 @defvr {Scheme Variable} ocaml-build-system
7926 This variable is exported by @code{(guix build-system ocaml)}. It implements
7927 a build procedure for @uref{https://ocaml.org, OCaml} packages, which consists
7928 of choosing the correct set of commands to run for each package. OCaml
7929 packages can expect many different commands to be run. This build system will
7932 When the package has a @file{setup.ml} file present at the top-level, it will
7933 run @code{ocaml setup.ml -configure}, @code{ocaml setup.ml -build} and
7934 @code{ocaml setup.ml -install}. The build system will assume that this file
7935 was generated by @uref{http://oasis.forge.ocamlcore.org/, OASIS} and will take
7936 care of setting the prefix and enabling tests if they are not disabled. You
7937 can pass configure and build flags with the @code{#:configure-flags} and
7938 @code{#:build-flags}. The @code{#:test-flags} key can be passed to change the
7939 set of flags used to enable tests. The @code{#:use-make?} key can be used to
7940 bypass this system in the build and install phases.
7942 When the package has a @file{configure} file, it is assumed that it is a
7943 hand-made configure script that requires a different argument format than
7944 in the @code{gnu-build-system}. You can add more flags with the
7945 @code{#:configure-flags} key.
7947 When the package has a @file{Makefile} file (or @code{#:use-make?} is
7948 @code{#t}), it will be used and more flags can be passed to the build and
7949 install phases with the @code{#:make-flags} key.
7951 Finally, some packages do not have these files and use a somewhat standard
7952 location for its build system. In that case, the build system will run
7953 @code{ocaml pkg/pkg.ml} or @code{ocaml pkg/build.ml} and take care of
7954 providing the path to the required findlib module. Additional flags can
7955 be passed via the @code{#:build-flags} key. Install is taken care of by
7956 @command{opam-installer}. In this case, the @code{opam} package must
7957 be added to the @code{native-inputs} field of the package definition.
7959 Note that most OCaml packages assume they will be installed in the same
7960 directory as OCaml, which is not what we want in guix. In particular, they
7961 will install @file{.so} files in their module's directory, which is usually
7962 fine because it is in the OCaml compiler directory. In guix though, these
7963 libraries cannot be found and we use @env{CAML_LD_LIBRARY_PATH}. This
7964 variable points to @file{lib/ocaml/site-lib/stubslibs} and this is where
7965 @file{.so} libraries should be installed.
7968 @defvr {Scheme Variable} python-build-system
7969 This variable is exported by @code{(guix build-system python)}. It
7970 implements the more or less standard build procedure used by Python
7971 packages, which consists in running @code{python setup.py build} and
7972 then @code{python setup.py install --prefix=/gnu/store/@dots{}}.
7974 For packages that install stand-alone Python programs under @code{bin/},
7975 it takes care of wrapping these programs so that their @env{PYTHONPATH}
7976 environment variable points to all the Python libraries they depend on.
7978 Which Python package is used to perform the build can be specified with
7979 the @code{#:python} parameter. This is a useful way to force a package
7980 to be built for a specific version of the Python interpreter, which
7981 might be necessary if the package is only compatible with a single
7982 interpreter version.
7984 By default guix calls @code{setup.py} under control of
7985 @code{setuptools}, much like @command{pip} does. Some packages are not
7986 compatible with setuptools (and pip), thus you can disable this by
7987 setting the @code{#:use-setuptools?} parameter to @code{#f}.
7990 @defvr {Scheme Variable} perl-build-system
7991 This variable is exported by @code{(guix build-system perl)}. It
7992 implements the standard build procedure for Perl packages, which either
7993 consists in running @code{perl Build.PL --prefix=/gnu/store/@dots{}},
7994 followed by @code{Build} and @code{Build install}; or in running
7995 @code{perl Makefile.PL PREFIX=/gnu/store/@dots{}}, followed by
7996 @code{make} and @code{make install}, depending on which of
7997 @code{Build.PL} or @code{Makefile.PL} is present in the package
7998 distribution. Preference is given to the former if both @code{Build.PL}
7999 and @code{Makefile.PL} exist in the package distribution. This
8000 preference can be reversed by specifying @code{#t} for the
8001 @code{#:make-maker?} parameter.
8003 The initial @code{perl Makefile.PL} or @code{perl Build.PL} invocation
8004 passes flags specified by the @code{#:make-maker-flags} or
8005 @code{#:module-build-flags} parameter, respectively.
8007 Which Perl package is used can be specified with @code{#:perl}.
8010 @defvr {Scheme Variable} renpy-build-system
8011 This variable is exported by @code{(guix build-system renpy)}. It implements
8012 the more or less standard build procedure used by Ren'py games, which consists
8013 of loading @code{#:game} once, thereby creating bytecode for it.
8015 It further creates a wrapper script in @code{bin/} and a desktop entry in
8016 @code{share/applications}, both of which can be used to launch the game.
8018 Which Ren'py package is used can be specified with @code{#:renpy}.
8019 Games can also be installed in outputs other than ``out'' by using
8023 @defvr {Scheme Variable} qt-build-system
8024 This variable is exported by @code{(guix build-system qt)}. It
8025 is intended for use with applications using Qt or KDE.
8027 This build system adds the following two phases to the ones defined by
8028 @code{cmake-build-system}:
8032 The phase @code{check-setup} prepares the environment for running
8033 the checks as commonly used by Qt test programs.
8034 For now this only sets some environment variables:
8035 @code{QT_QPA_PLATFORM=offscreen},
8036 @code{DBUS_FATAL_WARNINGS=0} and
8037 @code{CTEST_OUTPUT_ON_FAILURE=1}.
8039 This phase is added before the @code{check} phase.
8040 It's a separate phase to ease adjusting if necessary.
8043 The phase @code{qt-wrap}
8044 searches for Qt5 plugin paths, QML paths and some XDG in the inputs
8045 and output. In case some path is found, all programs in the output's
8046 @file{bin/}, @file{sbin/}, @file{libexec/} and @file{lib/libexec/} directories
8047 are wrapped in scripts defining the necessary environment variables.
8049 It is possible to exclude specific package outputs from that wrapping process
8050 by listing their names in the @code{#:qt-wrap-excluded-outputs} parameter.
8051 This is useful when an output is known not to contain any Qt binaries, and
8052 where wrapping would gratuitously add a dependency of that output on Qt, KDE,
8055 This phase is added after the @code{install} phase.
8059 @defvr {Scheme Variable} r-build-system
8060 This variable is exported by @code{(guix build-system r)}. It
8061 implements the build procedure used by @uref{https://r-project.org, R}
8062 packages, which essentially is little more than running @samp{R CMD
8063 INSTALL --library=/gnu/store/@dots{}} in an environment where
8064 @env{R_LIBS_SITE} contains the paths to all R package inputs. Tests are
8065 run after installation using the R function
8066 @code{tools::testInstalledPackage}.
8069 @defvr {Scheme Variable} rakudo-build-system
8070 This variable is exported by @code{(guix build-system rakudo)}. It
8071 implements the build procedure used by @uref{https://rakudo.org/,
8072 Rakudo} for @uref{https://perl6.org/, Perl6} packages. It installs the
8073 package to @code{/gnu/store/@dots{}/NAME-VERSION/share/perl6} and
8074 installs the binaries, library files and the resources, as well as wrap
8075 the files under the @code{bin/} directory. Tests can be skipped by
8076 passing @code{#f} to the @code{tests?} parameter.
8078 Which rakudo package is used can be specified with @code{rakudo}.
8079 Which perl6-tap-harness package used for the tests can be specified with
8080 @code{#:prove6} or removed by passing @code{#f} to the
8081 @code{with-prove6?} parameter.
8082 Which perl6-zef package used for tests and installing can be specified
8083 with @code{#:zef} or removed by passing @code{#f} to the
8084 @code{with-zef?} parameter.
8087 @defvr {Scheme Variable} texlive-build-system
8088 This variable is exported by @code{(guix build-system texlive)}. It is
8089 used to build TeX packages in batch mode with a specified engine. The
8090 build system sets the @env{TEXINPUTS} variable to find all TeX source
8091 files in the inputs.
8093 By default it runs @code{luatex} on all files ending on @code{ins}. A
8094 different engine and format can be specified with the
8095 @code{#:tex-format} argument. Different build targets can be specified
8096 with the @code{#:build-targets} argument, which expects a list of file
8097 names. The build system adds only @code{texlive-bin} and
8098 @code{texlive-latex-base} (both from @code{(gnu packages tex}) to the
8099 inputs. Both can be overridden with the arguments @code{#:texlive-bin}
8100 and @code{#:texlive-latex-base}, respectively.
8102 The @code{#:tex-directory} parameter tells the build system where to
8103 install the built files under the texmf tree.
8106 @defvr {Scheme Variable} ruby-build-system
8107 This variable is exported by @code{(guix build-system ruby)}. It
8108 implements the RubyGems build procedure used by Ruby packages, which
8109 involves running @code{gem build} followed by @code{gem install}.
8111 The @code{source} field of a package that uses this build system
8112 typically references a gem archive, since this is the format that Ruby
8113 developers use when releasing their software. The build system unpacks
8114 the gem archive, potentially patches the source, runs the test suite,
8115 repackages the gem, and installs it. Additionally, directories and
8116 tarballs may be referenced to allow building unreleased gems from Git or
8117 a traditional source release tarball.
8119 Which Ruby package is used can be specified with the @code{#:ruby}
8120 parameter. A list of additional flags to be passed to the @command{gem}
8121 command can be specified with the @code{#:gem-flags} parameter.
8124 @defvr {Scheme Variable} waf-build-system
8125 This variable is exported by @code{(guix build-system waf)}. It
8126 implements a build procedure around the @code{waf} script. The common
8127 phases---@code{configure}, @code{build}, and @code{install}---are
8128 implemented by passing their names as arguments to the @code{waf}
8131 The @code{waf} script is executed by the Python interpreter. Which
8132 Python package is used to run the script can be specified with the
8133 @code{#:python} parameter.
8136 @defvr {Scheme Variable} scons-build-system
8137 This variable is exported by @code{(guix build-system scons)}. It
8138 implements the build procedure used by the SCons software construction
8139 tool. This build system runs @code{scons} to build the package,
8140 @code{scons test} to run tests, and then @code{scons install} to install
8143 Additional flags to be passed to @code{scons} can be specified with the
8144 @code{#:scons-flags} parameter. The default build and install targets
8145 can be overridden with @code{#:build-targets} and
8146 @code{#:install-targets} respectively. The version of Python used to
8147 run SCons can be specified by selecting the appropriate SCons package
8148 with the @code{#:scons} parameter.
8151 @defvr {Scheme Variable} haskell-build-system
8152 This variable is exported by @code{(guix build-system haskell)}. It
8153 implements the Cabal build procedure used by Haskell packages, which
8154 involves running @code{runhaskell Setup.hs configure
8155 --prefix=/gnu/store/@dots{}} and @code{runhaskell Setup.hs build}.
8156 Instead of installing the package by running @code{runhaskell Setup.hs
8157 install}, to avoid trying to register libraries in the read-only
8158 compiler store directory, the build system uses @code{runhaskell
8159 Setup.hs copy}, followed by @code{runhaskell Setup.hs register}. In
8160 addition, the build system generates the package documentation by
8161 running @code{runhaskell Setup.hs haddock}, unless @code{#:haddock? #f}
8162 is passed. Optional Haddock parameters can be passed with the help of
8163 the @code{#:haddock-flags} parameter. If the file @code{Setup.hs} is
8164 not found, the build system looks for @code{Setup.lhs} instead.
8166 Which Haskell compiler is used can be specified with the @code{#:haskell}
8167 parameter which defaults to @code{ghc}.
8170 @defvr {Scheme Variable} dub-build-system
8171 This variable is exported by @code{(guix build-system dub)}. It
8172 implements the Dub build procedure used by D packages, which
8173 involves running @code{dub build} and @code{dub run}.
8174 Installation is done by copying the files manually.
8176 Which D compiler is used can be specified with the @code{#:ldc}
8177 parameter which defaults to @code{ldc}.
8180 @anchor{emacs-build-system}
8181 @defvr {Scheme Variable} emacs-build-system
8182 This variable is exported by @code{(guix build-system emacs)}. It
8183 implements an installation procedure similar to the packaging system
8184 of Emacs itself (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
8186 It first creates the @code{@code{package}-autoloads.el} file, then it
8187 byte compiles all Emacs Lisp files. Differently from the Emacs
8188 packaging system, the Info documentation files are moved to the standard
8189 documentation directory and the @file{dir} file is deleted. The Elisp
8190 package files are installed directly under @file{share/emacs/site-lisp}.
8193 @defvr {Scheme Variable} font-build-system
8194 This variable is exported by @code{(guix build-system font)}. It
8195 implements an installation procedure for font packages where upstream
8196 provides pre-compiled TrueType, OpenType, etc.@: font files that merely
8197 need to be copied into place. It copies font files to standard
8198 locations in the output directory.
8201 @defvr {Scheme Variable} meson-build-system
8202 This variable is exported by @code{(guix build-system meson)}. It
8203 implements the build procedure for packages that use
8204 @url{https://mesonbuild.com, Meson} as their build system.
8206 It adds both Meson and @uref{https://ninja-build.org/, Ninja} to the set
8207 of inputs, and they can be changed with the parameters @code{#:meson}
8208 and @code{#:ninja} if needed. The default Meson is
8209 @code{meson-for-build}, which is special because it doesn't clear the
8210 @code{RUNPATH} of binaries and libraries when they are installed.
8212 This build system is an extension of @code{gnu-build-system}, but with the
8213 following phases changed to some specific for Meson:
8218 The phase runs @code{meson} with the flags specified in
8219 @code{#:configure-flags}. The flag @option{--buildtype} is always set to
8220 @code{debugoptimized} unless something else is specified in
8221 @code{#:build-type}.
8224 The phase runs @code{ninja} to build the package in parallel by default, but
8225 this can be changed with @code{#:parallel-build?}.
8228 The phase runs @code{ninja} with the target specified in @code{#:test-target},
8229 which is @code{"test"} by default.
8232 The phase runs @code{ninja install} and can not be changed.
8235 Apart from that, the build system also adds the following phases:
8240 This phase ensures that all binaries can find the libraries they need.
8241 It searches for required libraries in subdirectories of the package being
8242 built, and adds those to @code{RUNPATH} where needed. It also removes
8243 references to libraries left over from the build phase by
8244 @code{meson-for-build}, such as test dependencies, that aren't actually
8245 required for the program to run.
8247 @item glib-or-gtk-wrap
8248 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
8249 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
8251 @item glib-or-gtk-compile-schemas
8252 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
8253 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
8257 @defvr {Scheme Variable} linux-module-build-system
8258 @code{linux-module-build-system} allows building Linux kernel modules.
8260 @cindex build phases
8261 This build system is an extension of @code{gnu-build-system}, but with the
8262 following phases changed:
8267 This phase configures the environment so that the Linux kernel's Makefile
8268 can be used to build the external kernel module.
8271 This phase uses the Linux kernel's Makefile in order to build the external
8275 This phase uses the Linux kernel's Makefile in order to install the external
8279 It is possible and useful to specify the Linux kernel to use for building
8280 the module (in the @code{arguments} form of a package using the
8281 @code{linux-module-build-system}, use the key @code{#:linux} to specify it).
8284 @defvr {Scheme Variable} node-build-system
8285 This variable is exported by @code{(guix build-system node)}. It
8286 implements the build procedure used by @uref{https://nodejs.org,
8287 Node.js}, which implements an approximation of the @code{npm install}
8288 command, followed by an @code{npm test} command.
8290 Which Node.js package is used to interpret the @code{npm} commands can
8291 be specified with the @code{#:node} parameter which defaults to
8295 Lastly, for packages that do not need anything as sophisticated, a
8296 ``trivial'' build system is provided. It is trivial in the sense that
8297 it provides basically no support: it does not pull any implicit inputs,
8298 and does not have a notion of build phases.
8300 @defvr {Scheme Variable} trivial-build-system
8301 This variable is exported by @code{(guix build-system trivial)}.
8303 This build system requires a @code{#:builder} argument. This argument
8304 must be a Scheme expression that builds the package output(s)---as
8305 with @code{build-expression->derivation} (@pxref{Derivations,
8306 @code{build-expression->derivation}}).
8310 @section Build Phases
8312 @cindex build phases, for packages
8313 Almost all package build systems implement a notion @dfn{build phases}:
8314 a sequence of actions that the build system executes, when you build the
8315 package, leading to the installed byproducts in the store. A notable
8316 exception is the ``bare-bones'' @code{trivial-build-system}
8317 (@pxref{Build Systems}).
8319 As discussed in the previous section, those build systems provide a
8320 standard list of phases. For @code{gnu-build-system}, the main build
8321 phases are the following:
8325 Unpack the source tarball, and change the current directory to the
8326 extracted source tree. If the source is actually a directory, copy it
8327 to the build tree, and enter that directory.
8329 @item patch-source-shebangs
8330 Patch shebangs encountered in source files so they refer to the right
8331 store file names. For instance, this changes @code{#!/bin/sh} to
8332 @code{#!/gnu/store/@dots{}-bash-4.3/bin/sh}.
8335 Run the @file{configure} script with a number of default options, such
8336 as @option{--prefix=/gnu/store/@dots{}}, as well as the options specified
8337 by the @code{#:configure-flags} argument.
8340 Run @code{make} with the list of flags specified with
8341 @code{#:make-flags}. If the @code{#:parallel-build?} argument is true
8342 (the default), build with @code{make -j}.
8345 Run @code{make check}, or some other target specified with
8346 @code{#:test-target}, unless @code{#:tests? #f} is passed. If the
8347 @code{#:parallel-tests?} argument is true (the default), run @code{make
8351 Run @code{make install} with the flags listed in @code{#:make-flags}.
8353 @item patch-shebangs
8354 Patch shebangs on the installed executable files.
8357 Strip debugging symbols from ELF files (unless @code{#:strip-binaries?}
8358 is false), copying them to the @code{debug} output when available
8359 (@pxref{Installing Debugging Files}).
8362 Other build systems have similar phases, with some variations. For
8363 example, @code{cmake-build-system} has same-named phases but its
8364 @code{configure} phases runs @code{cmake} instead of @code{./configure}.
8365 Others, such as @code{python-build-system}, have a wholly different list
8366 of standard phases. All this code runs on the @dfn{build side}: it is
8367 evaluated when you actually build the package, in a dedicated build
8368 process spawned by the build daemon (@pxref{Invoking guix-daemon}).
8370 Build phases are represented as association lists or ``alists''
8371 (@pxref{Association Lists,,, guile, GNU Guile Reference Manual}) where
8372 each key is a symbol for the name of the phase and the associated value
8373 is a procedure that accepts an arbitrary number of arguments. By
8374 convention, those procedures receive information about the build in the
8375 form of @dfn{keyword parameters}, which they can use or ignore.
8377 @vindex %standard-phases
8378 For example, here is how @code{(guix build gnu-build-system)} defines
8379 @code{%standard-phases}, the variable holding its alist of build
8380 phases@footnote{We present a simplified view of those build phases, but
8381 do take a look at @code{(guix build gnu-build-system)} to see all the
8385 ;; The build phases of 'gnu-build-system'.
8387 (define* (unpack #:key source #:allow-other-keys)
8388 ;; Extract the source tarball.
8389 (invoke "tar" "xvf" source))
8391 (define* (configure #:key outputs #:allow-other-keys)
8392 ;; Run the 'configure' script. Install to output "out".
8393 (let ((out (assoc-ref outputs "out")))
8394 (invoke "./configure"
8395 (string-append "--prefix=" out))))
8397 (define* (build #:allow-other-keys)
8401 (define* (check #:key (test-target "check") (tests? #true)
8403 ;; Run the test suite.
8405 (invoke "make" test-target)
8406 (display "test suite not run\n")))
8408 (define* (install #:allow-other-keys)
8409 ;; Install files to the prefix 'configure' specified.
8410 (invoke "make" "install"))
8412 (define %standard-phases
8413 ;; The list of standard phases (quite a few are omitted
8414 ;; for brevity). Each element is a symbol/procedure pair.
8415 (list (cons 'unpack unpack)
8416 (cons 'configure configure)
8419 (cons 'install install)))
8422 This shows how @code{%standard-phases} is defined as a list of
8423 symbol/procedure pairs (@pxref{Pairs,,, guile, GNU Guile Reference
8424 Manual}). The first pair associates the @code{unpack} procedure with
8425 the @code{unpack} symbol---a name; the second pair defines the
8426 @code{configure} phase similarly, and so on. When building a package
8427 that uses @code{gnu-build-system} with its default list of phases, those
8428 phases are executed sequentially. You can see the name of each phase
8429 started and completed in the build log of packages that you build.
8431 Let's now look at the procedures themselves. Each one is defined with
8432 @code{define*}: @code{#:key} lists keyword parameters the procedure
8433 accepts, possibly with a default value, and @code{#:allow-other-keys}
8434 specifies that other keyword parameters are ignored (@pxref{Optional
8435 Arguments,,, guile, GNU Guile Reference Manual}).
8437 The @code{unpack} procedure honors the @code{source} parameter, which
8438 the build system uses to pass the file name of the source tarball (or
8439 version control checkout), and it ignores other parameters. The
8440 @code{configure} phase only cares about the @code{outputs} parameter, an
8441 alist mapping package output names to their store file name
8442 (@pxref{Packages with Multiple Outputs}). It extracts the file name of
8443 for @code{out}, the default output, and passes it to
8444 @command{./configure} as the installation prefix, meaning that
8445 @command{make install} will eventually copy all the files in that
8446 directory (@pxref{Configuration, configuration and makefile
8447 conventions,, standards, GNU Coding Standards}). @code{build} and
8448 @code{install} ignore all their arguments. @code{check} honors the
8449 @code{test-target} argument, which specifies the name of the Makefile
8450 target to run tests; it prints a message and skips tests when
8451 @code{tests?} is false.
8453 @cindex build phases, customizing
8454 The list of phases used for a particular package can be changed with the
8455 @code{#:phases} parameter of the build system. Changing the set of
8456 build phases boils down to building a new alist of phases based on the
8457 @code{%standard-phases} alist described above. This can be done with
8458 standard alist procedures such as @code{alist-delete} (@pxref{SRFI-1
8459 Association Lists,,, guile, GNU Guile Reference Manual}); however, it is
8460 more convenient to do so with @code{modify-phases} (@pxref{Build
8461 Utilities, @code{modify-phases}}).
8463 Here is an example of a package definition that removes the
8464 @code{configure} phase of @code{%standard-phases} and inserts a new
8465 phase before the @code{build} phase, called
8466 @code{set-prefix-in-makefile}:
8469 (define-public example
8472 ;; other fields omitted
8473 (build-system gnu-build-system)
8475 '(#:phases (modify-phases %standard-phases
8477 (add-before 'build 'set-prefix-in-makefile
8478 (lambda* (#:key outputs #:allow-other-keys)
8479 ;; Modify the makefile so that its
8480 ;; 'PREFIX' variable points to "out".
8481 (let ((out (assoc-ref outputs "out")))
8482 (substitute* "Makefile"
8484 (string-append "PREFIX = "
8489 The new phase that is inserted is written as an anonymous procedure,
8490 introduced with @code{lambda*}; it honors the @code{outputs} parameter
8491 we have seen before. @xref{Build Utilities}, for more about the helpers
8492 used by this phase, and for more examples of @code{modify-phases}.
8494 @cindex code staging
8495 @cindex staging, of code
8496 Keep in mind that build phases are code evaluated at the time the
8497 package is actually built. This explains why the whole
8498 @code{modify-phases} expression above is quoted (it comes after the
8499 @code{'} or apostrophe): it is @dfn{staged} for later execution.
8500 @xref{G-Expressions}, for an explanation of code staging and the
8501 @dfn{code strata} involved.
8503 @node Build Utilities
8504 @section Build Utilities
8506 As soon as you start writing non-trivial package definitions
8507 (@pxref{Defining Packages}) or other build actions
8508 (@pxref{G-Expressions}), you will likely start looking for helpers for
8509 ``shell-like'' actions---creating directories, copying and deleting
8510 files recursively, manipulating build phases, and so on. The
8511 @code{(guix build utils)} module provides such utility procedures.
8513 Most build systems load @code{(guix build utils)} (@pxref{Build
8514 Systems}). Thus, when writing custom build phases for your package
8515 definitions, you can usually assume those procedures are in scope.
8517 When writing G-expressions, you can import @code{(guix build utils)} on
8518 the ``build side'' using @code{with-imported-modules} and then put it in
8519 scope with the @code{use-modules} form (@pxref{Using Guile Modules,,,
8520 guile, GNU Guile Reference Manual}):
8523 (with-imported-modules '((guix build utils)) ;import it
8524 (computed-file "empty-tree"
8527 (use-modules (guix build utils))
8529 ;; Happily use its 'mkdir-p' procedure.
8530 (mkdir-p (string-append #$output "/a/b/c")))))
8533 The remainder of this section is the reference for most of the utility
8534 procedures provided by @code{(guix build utils)}.
8536 @c TODO Document what's missing.
8538 @subsection Dealing with Store File Names
8540 This section documents procedures that deal with store file names.
8542 @deffn {Scheme Procedure} %store-directory
8543 Return the directory name of the store.
8546 @deffn {Scheme Procedure} store-file-name? @var{file}
8547 Return true if @var{file} is in the store.
8550 @deffn {Scheme Procedure} strip-store-file-name @var{file}
8551 Strip the @file{/gnu/store} and hash from @var{file}, a store file name.
8552 The result is typically a @code{"@var{package}-@var{version}"} string.
8555 @deffn {Scheme Procedure} package-name->name+version @var{name}
8556 Given @var{name}, a package name like @code{"foo-0.9.1b"}, return two
8557 values: @code{"foo"} and @code{"0.9.1b"}. When the version part is
8558 unavailable, @var{name} and @code{#f} are returned. The first hyphen
8559 followed by a digit is considered to introduce the version part.
8562 @subsection File Types
8564 The procedures below deal with files and file types.
8566 @deffn {Scheme Procedure} directory-exists? @var{dir}
8567 Return @code{#t} if @var{dir} exists and is a directory.
8570 @deffn {Scheme Procedure} executable-file? @var{file}
8571 Return @code{#t} if @var{file} exists and is executable.
8574 @deffn {Scheme Procedure} symbolic-link? @var{file}
8575 Return @code{#t} if @var{file} is a symbolic link (aka. a ``symlink'').
8578 @deffn {Scheme Procedure} elf-file? @var{file}
8579 @deffnx {Scheme Procedure} ar-file? @var{file}
8580 @deffnx {Scheme Procedure} gzip-file? @var{file}
8581 Return @code{#t} if @var{file} is, respectively, an ELF file, an
8582 @code{ar} archive (such as a @file{.a} static library), or a gzip file.
8585 @deffn {Scheme Procedure} reset-gzip-timestamp @var{file} [#:keep-mtime? #t]
8586 If @var{file} is a gzip file, reset its embedded timestamp (as with
8587 @command{gzip --no-name}) and return true. Otherwise return @code{#f}.
8588 When @var{keep-mtime?} is true, preserve @var{file}'s modification time.
8591 @subsection File Manipulation
8593 The following procedures and macros help create, modify, and delete
8594 files. They provide functionality comparable to common shell utilities
8595 such as @command{mkdir -p}, @command{cp -r}, @command{rm -r}, and
8596 @command{sed}. They complement Guile's extensive, but low-level, file
8597 system interface (@pxref{POSIX,,, guile, GNU Guile Reference Manual}).
8599 @deffn {Scheme Syntax} with-directory-excursion @var{directory} @var{body}@dots{}
8600 Run @var{body} with @var{directory} as the process's current directory.
8602 Essentially, this macro changes the current directory to @var{directory}
8603 before evaluating @var{body}, using @code{chdir} (@pxref{Processes,,,
8604 guile, GNU Guile Reference Manual}). It changes back to the initial
8605 directory when the dynamic extent of @var{body} is left, be it @i{via}
8606 normal procedure return or @i{via} a non-local exit such as an
8610 @deffn {Scheme Procedure} mkdir-p @var{dir}
8611 Create directory @var{dir} and all its ancestors.
8614 @deffn {Scheme Procedure} install-file @var{file} @var{directory}
8615 Create @var{directory} if it does not exist and copy @var{file} in there
8616 under the same name.
8619 @deffn {Scheme Procedure} make-file-writable @var{file}
8620 Make @var{file} writable for its owner.
8623 @deffn {Scheme Procedure} copy-recursively @var{source} @var{destination} @
8624 [#:log (current-output-port)] [#:follow-symlinks? #f] [#:keep-mtime? #f]
8625 Copy @var{source} directory to @var{destination}. Follow symlinks if
8626 @var{follow-symlinks?} is true; otherwise, just preserve them. When
8627 @var{keep-mtime?} is true, keep the modification time of the files in
8628 @var{source} on those of @var{destination}. Write verbose output to the
8632 @deffn {Scheme Procedure} delete-file-recursively @var{dir} @
8633 [#:follow-mounts? #f]
8634 Delete @var{dir} recursively, like @command{rm -rf}, without following
8635 symlinks. Don't follow mount points either, unless @var{follow-mounts?}
8636 is true. Report but ignore errors.
8639 @deffn {Scheme Syntax} substitute* @var{file} @
8640 ((@var{regexp} @var{match-var}@dots{}) @var{body}@dots{}) @dots{}
8641 Substitute @var{regexp} in @var{file} by the string returned by
8642 @var{body}. @var{body} is evaluated with each @var{match-var} bound to
8643 the corresponding positional regexp sub-expression. For example:
8649 (("foo([a-z]+)bar(.*)$" all letters end)
8650 (string-append "baz" letter end)))
8653 Here, anytime a line of @var{file} contains @code{hello}, it is replaced
8654 by @code{good morning}. Anytime a line of @var{file} matches the second
8655 regexp, @code{all} is bound to the complete match, @code{letters} is bound
8656 to the first sub-expression, and @code{end} is bound to the last one.
8658 When one of the @var{match-var} is @code{_}, no variable is bound to the
8659 corresponding match substring.
8661 Alternatively, @var{file} may be a list of file names, in which case
8662 they are all subject to the substitutions.
8664 Be careful about using @code{$} to match the end of a line; by itself it
8665 won't match the terminating newline of a line.
8668 @subsection File Search
8670 @cindex file, searching
8671 This section documents procedures to search and filter files.
8673 @deffn {Scheme Procedure} file-name-predicate @var{regexp}
8674 Return a predicate that returns true when passed a file name whose base
8675 name matches @var{regexp}.
8678 @deffn {Scheme Procedure} find-files @var{dir} [@var{pred}] @
8679 [#:stat lstat] [#:directories? #f] [#:fail-on-error? #f]
8680 Return the lexicographically sorted list of files under @var{dir} for
8681 which @var{pred} returns true. @var{pred} is passed two arguments: the
8682 absolute file name, and its stat buffer; the default predicate always
8683 returns true. @var{pred} can also be a regular expression, in which
8684 case it is equivalent to @code{(file-name-predicate @var{pred})}.
8685 @var{stat} is used to obtain file information; using @code{lstat} means
8686 that symlinks are not followed. If @var{directories?} is true, then
8687 directories will also be included. If @var{fail-on-error?} is true,
8688 raise an exception upon error.
8691 Here are a few examples where we assume that the current directory is
8692 the root of the Guix source tree:
8695 ;; List all the regular files in the current directory.
8697 @result{} ("./.dir-locals.el" "./.gitignore" @dots{})
8699 ;; List all the .scm files under gnu/services.
8700 (find-files "gnu/services" "\\.scm$")
8701 @result{} ("gnu/services/admin.scm" "gnu/services/audio.scm" @dots{})
8703 ;; List ar files in the current directory.
8704 (find-files "." (lambda (file stat) (ar-file? file)))
8705 @result{} ("./libformat.a" "./libstore.a" @dots{})
8708 @deffn {Scheme Procedure} which @var{program}
8709 Return the complete file name for @var{program} as found in
8710 @code{$PATH}, or @code{#f} if @var{program} could not be found.
8713 @subsection Build Phases
8715 @cindex build phases
8716 The @code{(guix build utils)} also contains tools to manipulate build
8717 phases as used by build systems (@pxref{Build Systems}). Build phases
8718 are represented as association lists or ``alists'' (@pxref{Association
8719 Lists,,, guile, GNU Guile Reference Manual}) where each key is a symbol
8720 naming the phase and the associated value is a procedure (@pxref{Build
8723 Guile core and the @code{(srfi srfi-1)} module both provide tools to
8724 manipulate alists. The @code{(guix build utils)} module complements
8725 those with tools written with build phases in mind.
8727 @cindex build phases, modifying
8728 @deffn {Scheme Syntax} modify-phases @var{phases} @var{clause}@dots{}
8729 Modify @var{phases} sequentially as per each @var{clause}, which may
8730 have one of the following forms:
8733 (delete @var{old-phase-name})
8734 (replace @var{old-phase-name} @var{new-phase})
8735 (add-before @var{old-phase-name} @var{new-phase-name} @var{new-phase})
8736 (add-after @var{old-phase-name} @var{new-phase-name} @var{new-phase})
8739 Where every @var{phase-name} above is an expression evaluating to a
8740 symbol, and @var{new-phase} an expression evaluating to a procedure.
8743 The example below is taken from the definition of the @code{grep}
8744 package. It adds a phase to run after the @code{install} phase, called
8745 @code{fix-egrep-and-fgrep}. That phase is a procedure (@code{lambda*}
8746 is for anonymous procedures) that takes a @code{#:outputs} keyword
8747 argument and ignores extra keyword arguments (@pxref{Optional
8748 Arguments,,, guile, GNU Guile Reference Manual}, for more on
8749 @code{lambda*} and optional and keyword arguments.) The phase uses
8750 @code{substitute*} to modify the installed @file{egrep} and @file{fgrep}
8751 scripts so that they refer to @code{grep} by its absolute file name:
8754 (modify-phases %standard-phases
8755 (add-after 'install 'fix-egrep-and-fgrep
8756 ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
8757 ;; absolute file name instead of searching for it in $PATH.
8758 (lambda* (#:key outputs #:allow-other-keys)
8759 (let* ((out (assoc-ref outputs "out"))
8760 (bin (string-append out "/bin")))
8761 (substitute* (list (string-append bin "/egrep")
8762 (string-append bin "/fgrep"))
8764 (string-append "exec " bin "/grep")))
8768 In the example below, phases are modified in two ways: the standard
8769 @code{configure} phase is deleted, presumably because the package does
8770 not have a @file{configure} script or anything similar, and the default
8771 @code{install} phase is replaced by one that manually copies the
8772 executable files to be installed:
8775 (modify-phases %standard-phases
8776 (delete 'configure) ;no 'configure' script
8778 (lambda* (#:key outputs #:allow-other-keys)
8779 ;; The package's Makefile doesn't provide an "install"
8780 ;; rule so do it by ourselves.
8781 (let ((bin (string-append (assoc-ref outputs "out")
8783 (install-file "footswitch" bin)
8784 (install-file "scythe" bin)
8788 @c TODO: Add more examples.
8797 Conceptually, the @dfn{store} is the place where derivations that have
8798 been built successfully are stored---by default, @file{/gnu/store}.
8799 Sub-directories in the store are referred to as @dfn{store items} or
8800 sometimes @dfn{store paths}. The store has an associated database that
8801 contains information such as the store paths referred to by each store
8802 path, and the list of @emph{valid} store items---results of successful
8803 builds. This database resides in @file{@var{localstatedir}/guix/db},
8804 where @var{localstatedir} is the state directory specified @i{via}
8805 @option{--localstatedir} at configure time, usually @file{/var}.
8807 The store is @emph{always} accessed by the daemon on behalf of its clients
8808 (@pxref{Invoking guix-daemon}). To manipulate the store, clients
8809 connect to the daemon over a Unix-domain socket, send requests to it,
8810 and read the result---these are remote procedure calls, or RPCs.
8813 Users must @emph{never} modify files under @file{/gnu/store} directly.
8814 This would lead to inconsistencies and break the immutability
8815 assumptions of Guix's functional model (@pxref{Introduction}).
8817 @xref{Invoking guix gc, @command{guix gc --verify}}, for information on
8818 how to check the integrity of the store and attempt recovery from
8819 accidental modifications.
8822 The @code{(guix store)} module provides procedures to connect to the
8823 daemon, and to perform RPCs. These are described below. By default,
8824 @code{open-connection}, and thus all the @command{guix} commands,
8825 connect to the local daemon or to the URI specified by the
8826 @env{GUIX_DAEMON_SOCKET} environment variable.
8828 @defvr {Environment Variable} GUIX_DAEMON_SOCKET
8829 When set, the value of this variable should be a file name or a URI
8830 designating the daemon endpoint. When it is a file name, it denotes a
8831 Unix-domain socket to connect to. In addition to file names, the
8832 supported URI schemes are:
8837 These are for Unix-domain sockets.
8838 @code{file:///var/guix/daemon-socket/socket} is equivalent to
8839 @file{/var/guix/daemon-socket/socket}.
8842 @cindex daemon, remote access
8843 @cindex remote access to the daemon
8844 @cindex daemon, cluster setup
8845 @cindex clusters, daemon setup
8846 These URIs denote connections over TCP/IP, without encryption nor
8847 authentication of the remote host. The URI must specify the host name
8848 and optionally a port number (by default port 44146 is used):
8851 guix://master.guix.example.org:1234
8854 This setup is suitable on local networks, such as clusters, where only
8855 trusted nodes may connect to the build daemon at
8856 @code{master.guix.example.org}.
8858 The @option{--listen} option of @command{guix-daemon} can be used to
8859 instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
8860 @option{--listen}}).
8863 @cindex SSH access to build daemons
8864 These URIs allow you to connect to a remote daemon over SSH@. This
8865 feature requires Guile-SSH (@pxref{Requirements}) and a working
8866 @command{guile} binary in @env{PATH} on the destination machine. It
8867 supports public key and GSSAPI authentication. A typical URL might look
8871 ssh://charlie@@guix.example.org:22
8874 As for @command{guix copy}, the usual OpenSSH client configuration files
8875 are honored (@pxref{Invoking guix copy}).
8878 Additional URI schemes may be supported in the future.
8880 @c XXX: Remove this note when the protocol incurs fewer round trips
8881 @c and when (guix derivations) no longer relies on file system access.
8883 The ability to connect to remote build daemons is considered
8884 experimental as of @value{VERSION}. Please get in touch with us to
8885 share any problems or suggestions you may have (@pxref{Contributing}).
8889 @deffn {Scheme Procedure} open-connection [@var{uri}] [#:reserve-space? #t]
8890 Connect to the daemon over the Unix-domain socket at @var{uri} (a string). When
8891 @var{reserve-space?} is true, instruct it to reserve a little bit of
8892 extra space on the file system so that the garbage collector can still
8893 operate should the disk become full. Return a server object.
8895 @var{file} defaults to @code{%default-socket-path}, which is the normal
8896 location given the options that were passed to @command{configure}.
8899 @deffn {Scheme Procedure} close-connection @var{server}
8900 Close the connection to @var{server}.
8903 @defvr {Scheme Variable} current-build-output-port
8904 This variable is bound to a SRFI-39 parameter, which refers to the port
8905 where build and error logs sent by the daemon should be written.
8908 Procedures that make RPCs all take a server object as their first
8911 @deffn {Scheme Procedure} valid-path? @var{server} @var{path}
8912 @cindex invalid store items
8913 Return @code{#t} when @var{path} designates a valid store item and
8914 @code{#f} otherwise (an invalid item may exist on disk but still be
8915 invalid, for instance because it is the result of an aborted or failed
8918 A @code{&store-protocol-error} condition is raised if @var{path} is not
8919 prefixed by the store directory (@file{/gnu/store}).
8922 @deffn {Scheme Procedure} add-text-to-store @var{server} @var{name} @var{text} [@var{references}]
8923 Add @var{text} under file @var{name} in the store, and return its store
8924 path. @var{references} is the list of store paths referred to by the
8925 resulting store path.
8928 @deffn {Scheme Procedure} build-derivations @var{store} @var{derivations} @
8930 Build @var{derivations}, a list of @code{<derivation>} objects, @file{.drv}
8931 file names, or derivation/output pairs, using the specified
8932 @var{mode}---@code{(build-mode normal)} by default.
8935 Note that the @code{(guix monads)} module provides a monad as well as
8936 monadic versions of the above procedures, with the goal of making it
8937 more convenient to work with code that accesses the store (@pxref{The
8941 @i{This section is currently incomplete.}
8944 @section Derivations
8947 Low-level build actions and the environment in which they are performed
8948 are represented by @dfn{derivations}. A derivation contains the
8949 following pieces of information:
8953 The outputs of the derivation---derivations produce at least one file or
8954 directory in the store, but may produce more.
8957 @cindex build-time dependencies
8958 @cindex dependencies, build-time
8959 The inputs of the derivations---i.e., its build-time dependencies---which may
8960 be other derivations or plain files in the store (patches, build scripts,
8964 The system type targeted by the derivation---e.g., @code{x86_64-linux}.
8967 The file name of a build script in the store, along with the arguments
8971 A list of environment variables to be defined.
8975 @cindex derivation path
8976 Derivations allow clients of the daemon to communicate build actions to
8977 the store. They exist in two forms: as an in-memory representation,
8978 both on the client- and daemon-side, and as files in the store whose
8979 name end in @file{.drv}---these files are referred to as @dfn{derivation
8980 paths}. Derivations paths can be passed to the @code{build-derivations}
8981 procedure to perform the build actions they prescribe (@pxref{The
8984 @cindex fixed-output derivations
8985 Operations such as file downloads and version-control checkouts for
8986 which the expected content hash is known in advance are modeled as
8987 @dfn{fixed-output derivations}. Unlike regular derivations, the outputs
8988 of a fixed-output derivation are independent of its inputs---e.g., a
8989 source code download produces the same result regardless of the download
8990 method and tools being used.
8993 @cindex run-time dependencies
8994 @cindex dependencies, run-time
8995 The outputs of derivations---i.e., the build results---have a set of
8996 @dfn{references}, as reported by the @code{references} RPC or the
8997 @command{guix gc --references} command (@pxref{Invoking guix gc}). References
8998 are the set of run-time dependencies of the build results. References are a
8999 subset of the inputs of the derivation; this subset is automatically computed
9000 by the build daemon by scanning all the files in the outputs.
9002 The @code{(guix derivations)} module provides a representation of
9003 derivations as Scheme objects, along with procedures to create and
9004 otherwise manipulate derivations. The lowest-level primitive to create
9005 a derivation is the @code{derivation} procedure:
9007 @deffn {Scheme Procedure} derivation @var{store} @var{name} @var{builder} @
9008 @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
9009 [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
9010 [#:system (%current-system)] [#:references-graphs #f] @
9011 [#:allowed-references #f] [#:disallowed-references #f] @
9012 [#:leaked-env-vars #f] [#:local-build? #f] @
9013 [#:substitutable? #t] [#:properties '()]
9014 Build a derivation with the given arguments, and return the resulting
9015 @code{<derivation>} object.
9017 When @var{hash} and @var{hash-algo} are given, a
9018 @dfn{fixed-output derivation} is created---i.e., one whose result is
9019 known in advance, such as a file download. If, in addition,
9020 @var{recursive?} is true, then that fixed output may be an executable
9021 file or a directory and @var{hash} must be the hash of an archive
9022 containing this output.
9024 When @var{references-graphs} is true, it must be a list of file
9025 name/store path pairs. In that case, the reference graph of each store
9026 path is exported in the build environment in the corresponding file, in
9027 a simple text format.
9029 When @var{allowed-references} is true, it must be a list of store items
9030 or outputs that the derivation's output may refer to. Likewise,
9031 @var{disallowed-references}, if true, must be a list of things the
9032 outputs may @emph{not} refer to.
9034 When @var{leaked-env-vars} is true, it must be a list of strings
9035 denoting environment variables that are allowed to ``leak'' from the
9036 daemon's environment to the build environment. This is only applicable
9037 to fixed-output derivations---i.e., when @var{hash} is true. The main
9038 use is to allow variables such as @code{http_proxy} to be passed to
9039 derivations that download files.
9041 When @var{local-build?} is true, declare that the derivation is not a
9042 good candidate for offloading and should rather be built locally
9043 (@pxref{Daemon Offload Setup}). This is the case for small derivations
9044 where the costs of data transfers would outweigh the benefits.
9046 When @var{substitutable?} is false, declare that substitutes of the
9047 derivation's output should not be used (@pxref{Substitutes}). This is
9048 useful, for instance, when building packages that capture details of the
9049 host CPU instruction set.
9051 @var{properties} must be an association list describing ``properties'' of the
9052 derivation. It is kept as-is, uninterpreted, in the derivation.
9056 Here's an example with a shell script as its builder, assuming
9057 @var{store} is an open connection to the daemon, and @var{bash} points
9058 to a Bash executable in the store:
9061 (use-modules (guix utils)
9065 (let ((builder ; add the Bash script to the store
9066 (add-text-to-store store "my-builder.sh"
9067 "echo hello world > $out\n" '())))
9068 (derivation store "foo"
9069 bash `("-e" ,builder)
9070 #:inputs `((,bash) (,builder))
9071 #:env-vars '(("HOME" . "/homeless"))))
9072 @result{} #<derivation /gnu/store/@dots{}-foo.drv => /gnu/store/@dots{}-foo>
9075 As can be guessed, this primitive is cumbersome to use directly. A
9076 better approach is to write build scripts in Scheme, of course! The
9077 best course of action for that is to write the build code as a
9078 ``G-expression'', and to pass it to @code{gexp->derivation}. For more
9079 information, @pxref{G-Expressions}.
9081 Once upon a time, @code{gexp->derivation} did not exist and constructing
9082 derivations with build code written in Scheme was achieved with
9083 @code{build-expression->derivation}, documented below. This procedure
9084 is now deprecated in favor of the much nicer @code{gexp->derivation}.
9086 @deffn {Scheme Procedure} build-expression->derivation @var{store} @
9087 @var{name} @var{exp} @
9088 [#:system (%current-system)] [#:inputs '()] @
9089 [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
9090 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
9091 [#:references-graphs #f] [#:allowed-references #f] @
9092 [#:disallowed-references #f] @
9093 [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
9094 Return a derivation that executes Scheme expression @var{exp} as a
9095 builder for derivation @var{name}. @var{inputs} must be a list of
9096 @code{(name drv-path sub-drv)} tuples; when @var{sub-drv} is omitted,
9097 @code{"out"} is assumed. @var{modules} is a list of names of Guile
9098 modules from the current search path to be copied in the store,
9099 compiled, and made available in the load path during the execution of
9100 @var{exp}---e.g., @code{((guix build utils) (guix build
9101 gnu-build-system))}.
9103 @var{exp} is evaluated in an environment where @code{%outputs} is bound
9104 to a list of output/path pairs, and where @code{%build-inputs} is bound
9105 to a list of string/output-path pairs made from @var{inputs}.
9106 Optionally, @var{env-vars} is a list of string pairs specifying the name
9107 and value of environment variables visible to the builder. The builder
9108 terminates by passing the result of @var{exp} to @code{exit}; thus, when
9109 @var{exp} returns @code{#f}, the build is considered to have failed.
9111 @var{exp} is built using @var{guile-for-build} (a derivation). When
9112 @var{guile-for-build} is omitted or is @code{#f}, the value of the
9113 @code{%guile-for-build} fluid is used instead.
9115 See the @code{derivation} procedure for the meaning of
9116 @var{references-graphs}, @var{allowed-references},
9117 @var{disallowed-references}, @var{local-build?}, and
9118 @var{substitutable?}.
9122 Here's an example of a single-output derivation that creates a directory
9123 containing one file:
9126 (let ((builder '(let ((out (assoc-ref %outputs "out")))
9127 (mkdir out) ; create /gnu/store/@dots{}-goo
9128 (call-with-output-file (string-append out "/test")
9130 (display '(hello guix) p))))))
9131 (build-expression->derivation store "goo" builder))
9133 @result{} #<derivation /gnu/store/@dots{}-goo.drv => @dots{}>
9137 @node The Store Monad
9138 @section The Store Monad
9142 The procedures that operate on the store described in the previous
9143 sections all take an open connection to the build daemon as their first
9144 argument. Although the underlying model is functional, they either have
9145 side effects or depend on the current state of the store.
9147 The former is inconvenient: the connection to the build daemon has to be
9148 carried around in all those functions, making it impossible to compose
9149 functions that do not take that parameter with functions that do. The
9150 latter can be problematic: since store operations have side effects
9151 and/or depend on external state, they have to be properly sequenced.
9153 @cindex monadic values
9154 @cindex monadic functions
9155 This is where the @code{(guix monads)} module comes in. This module
9156 provides a framework for working with @dfn{monads}, and a particularly
9157 useful monad for our uses, the @dfn{store monad}. Monads are a
9158 construct that allows two things: associating ``context'' with values
9159 (in our case, the context is the store), and building sequences of
9160 computations (here computations include accesses to the store). Values
9161 in a monad---values that carry this additional context---are called
9162 @dfn{monadic values}; procedures that return such values are called
9163 @dfn{monadic procedures}.
9165 Consider this ``normal'' procedure:
9168 (define (sh-symlink store)
9169 ;; Return a derivation that symlinks the 'bash' executable.
9170 (let* ((drv (package-derivation store bash))
9171 (out (derivation->output-path drv))
9172 (sh (string-append out "/bin/bash")))
9173 (build-expression->derivation store "sh"
9174 `(symlink ,sh %output))))
9177 Using @code{(guix monads)} and @code{(guix gexp)}, it may be rewritten
9178 as a monadic function:
9181 (define (sh-symlink)
9182 ;; Same, but return a monadic value.
9183 (mlet %store-monad ((drv (package->derivation bash)))
9184 (gexp->derivation "sh"
9185 #~(symlink (string-append #$drv "/bin/bash")
9189 There are several things to note in the second version: the @code{store}
9190 parameter is now implicit and is ``threaded'' in the calls to the
9191 @code{package->derivation} and @code{gexp->derivation} monadic
9192 procedures, and the monadic value returned by @code{package->derivation}
9193 is @dfn{bound} using @code{mlet} instead of plain @code{let}.
9195 As it turns out, the call to @code{package->derivation} can even be
9196 omitted since it will take place implicitly, as we will see later
9197 (@pxref{G-Expressions}):
9200 (define (sh-symlink)
9201 (gexp->derivation "sh"
9202 #~(symlink (string-append #$bash "/bin/bash")
9207 @c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
9208 @c for the funny quote.
9209 Calling the monadic @code{sh-symlink} has no effect. As someone once
9210 said, ``you exit a monad like you exit a building on fire: by running''.
9211 So, to exit the monad and get the desired effect, one must use
9212 @code{run-with-store}:
9215 (run-with-store (open-connection) (sh-symlink))
9216 @result{} /gnu/store/...-sh-symlink
9219 Note that the @code{(guix monad-repl)} module extends the Guile REPL with
9220 new ``meta-commands'' to make it easier to deal with monadic procedures:
9221 @code{run-in-store}, and @code{enter-store-monad}. The former is used
9222 to ``run'' a single monadic value through the store:
9225 scheme@@(guile-user)> ,run-in-store (package->derivation hello)
9226 $1 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
9229 The latter enters a recursive REPL, where all the return values are
9230 automatically run through the store:
9233 scheme@@(guile-user)> ,enter-store-monad
9234 store-monad@@(guile-user) [1]> (package->derivation hello)
9235 $2 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
9236 store-monad@@(guile-user) [1]> (text-file "foo" "Hello!")
9237 $3 = "/gnu/store/@dots{}-foo"
9238 store-monad@@(guile-user) [1]> ,q
9239 scheme@@(guile-user)>
9243 Note that non-monadic values cannot be returned in the
9244 @code{store-monad} REPL.
9246 The main syntactic forms to deal with monads in general are provided by
9247 the @code{(guix monads)} module and are described below.
9249 @deffn {Scheme Syntax} with-monad @var{monad} @var{body} ...
9250 Evaluate any @code{>>=} or @code{return} forms in @var{body} as being
9254 @deffn {Scheme Syntax} return @var{val}
9255 Return a monadic value that encapsulates @var{val}.
9258 @deffn {Scheme Syntax} >>= @var{mval} @var{mproc} ...
9259 @dfn{Bind} monadic value @var{mval}, passing its ``contents'' to monadic
9260 procedures @var{mproc}@dots{}@footnote{This operation is commonly
9261 referred to as ``bind'', but that name denotes an unrelated procedure in
9262 Guile. Thus we use this somewhat cryptic symbol inherited from the
9263 Haskell language.}. There can be one @var{mproc} or several of them, as
9268 (with-monad %state-monad
9270 (lambda (x) (return (+ 1 x)))
9271 (lambda (x) (return (* 2 x)))))
9275 @result{} some-state
9279 @deffn {Scheme Syntax} mlet @var{monad} ((@var{var} @var{mval}) ...) @
9281 @deffnx {Scheme Syntax} mlet* @var{monad} ((@var{var} @var{mval}) ...) @
9283 Bind the variables @var{var} to the monadic values @var{mval} in
9284 @var{body}, which is a sequence of expressions. As with the bind
9285 operator, this can be thought of as ``unpacking'' the raw, non-monadic
9286 value ``contained'' in @var{mval} and making @var{var} refer to that
9287 raw, non-monadic value within the scope of the @var{body}. The form
9288 (@var{var} -> @var{val}) binds @var{var} to the ``normal'' value
9289 @var{val}, as per @code{let}. The binding operations occur in sequence
9290 from left to right. The last expression of @var{body} must be a monadic
9291 expression, and its result will become the result of the @code{mlet} or
9292 @code{mlet*} when run in the @var{monad}.
9294 @code{mlet*} is to @code{mlet} what @code{let*} is to @code{let}
9295 (@pxref{Local Bindings,,, guile, GNU Guile Reference Manual}).
9298 @deffn {Scheme System} mbegin @var{monad} @var{mexp} ...
9299 Bind @var{mexp} and the following monadic expressions in sequence,
9300 returning the result of the last expression. Every expression in the
9301 sequence must be a monadic expression.
9303 This is akin to @code{mlet}, except that the return values of the
9304 monadic expressions are ignored. In that sense, it is analogous to
9305 @code{begin}, but applied to monadic expressions.
9308 @deffn {Scheme System} mwhen @var{condition} @var{mexp0} @var{mexp*} ...
9309 When @var{condition} is true, evaluate the sequence of monadic
9310 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
9311 @var{condition} is false, return @code{*unspecified*} in the current
9312 monad. Every expression in the sequence must be a monadic expression.
9315 @deffn {Scheme System} munless @var{condition} @var{mexp0} @var{mexp*} ...
9316 When @var{condition} is false, evaluate the sequence of monadic
9317 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
9318 @var{condition} is true, return @code{*unspecified*} in the current
9319 monad. Every expression in the sequence must be a monadic expression.
9323 The @code{(guix monads)} module provides the @dfn{state monad}, which
9324 allows an additional value---the state---to be @emph{threaded} through
9325 monadic procedure calls.
9327 @defvr {Scheme Variable} %state-monad
9328 The state monad. Procedures in the state monad can access and change
9329 the state that is threaded.
9331 Consider the example below. The @code{square} procedure returns a value
9332 in the state monad. It returns the square of its argument, but also
9333 increments the current state value:
9337 (mlet %state-monad ((count (current-state)))
9338 (mbegin %state-monad
9339 (set-current-state (+ 1 count))
9342 (run-with-state (sequence %state-monad (map square (iota 3))) 0)
9347 When ``run'' through @code{%state-monad}, we obtain that additional state
9348 value, which is the number of @code{square} calls.
9351 @deffn {Monadic Procedure} current-state
9352 Return the current state as a monadic value.
9355 @deffn {Monadic Procedure} set-current-state @var{value}
9356 Set the current state to @var{value} and return the previous state as a
9360 @deffn {Monadic Procedure} state-push @var{value}
9361 Push @var{value} to the current state, which is assumed to be a list,
9362 and return the previous state as a monadic value.
9365 @deffn {Monadic Procedure} state-pop
9366 Pop a value from the current state and return it as a monadic value.
9367 The state is assumed to be a list.
9370 @deffn {Scheme Procedure} run-with-state @var{mval} [@var{state}]
9371 Run monadic value @var{mval} starting with @var{state} as the initial
9372 state. Return two values: the resulting value, and the resulting state.
9375 The main interface to the store monad, provided by the @code{(guix
9376 store)} module, is as follows.
9378 @defvr {Scheme Variable} %store-monad
9379 The store monad---an alias for @code{%state-monad}.
9381 Values in the store monad encapsulate accesses to the store. When its
9382 effect is needed, a value of the store monad must be ``evaluated'' by
9383 passing it to the @code{run-with-store} procedure (see below).
9386 @deffn {Scheme Procedure} run-with-store @var{store} @var{mval} [#:guile-for-build] [#:system (%current-system)]
9387 Run @var{mval}, a monadic value in the store monad, in @var{store}, an
9388 open store connection.
9391 @deffn {Monadic Procedure} text-file @var{name} @var{text} [@var{references}]
9392 Return as a monadic value the absolute file name in the store of the file
9393 containing @var{text}, a string. @var{references} is a list of store items that the
9394 resulting text file refers to; it defaults to the empty list.
9397 @deffn {Monadic Procedure} binary-file @var{name} @var{data} [@var{references}]
9398 Return as a monadic value the absolute file name in the store of the file
9399 containing @var{data}, a bytevector. @var{references} is a list of store
9400 items that the resulting binary file refers to; it defaults to the empty list.
9403 @deffn {Monadic Procedure} interned-file @var{file} [@var{name}] @
9404 [#:recursive? #t] [#:select? (const #t)]
9405 Return the name of @var{file} once interned in the store. Use
9406 @var{name} as its store name, or the basename of @var{file} if
9407 @var{name} is omitted.
9409 When @var{recursive?} is true, the contents of @var{file} are added
9410 recursively; if @var{file} designates a flat file and @var{recursive?}
9411 is true, its contents are added, and its permission bits are kept.
9413 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
9414 @var{stat})} for each directory entry, where @var{file} is the entry's
9415 absolute file name and @var{stat} is the result of @code{lstat}; exclude
9416 entries for which @var{select?} does not return true.
9418 The example below adds a file to the store, under two different names:
9421 (run-with-store (open-connection)
9422 (mlet %store-monad ((a (interned-file "README"))
9423 (b (interned-file "README" "LEGU-MIN")))
9424 (return (list a b))))
9426 @result{} ("/gnu/store/rwm@dots{}-README" "/gnu/store/44i@dots{}-LEGU-MIN")
9431 The @code{(guix packages)} module exports the following package-related
9434 @deffn {Monadic Procedure} package-file @var{package} [@var{file}] @
9435 [#:system (%current-system)] [#:target #f] @
9438 value in the absolute file name of @var{file} within the @var{output}
9439 directory of @var{package}. When @var{file} is omitted, return the name
9440 of the @var{output} directory of @var{package}. When @var{target} is
9441 true, use it as a cross-compilation target triplet.
9443 Note that this procedure does @emph{not} build @var{package}. Thus, the
9444 result might or might not designate an existing file. We recommend not
9445 using this procedure unless you know what you are doing.
9448 @deffn {Monadic Procedure} package->derivation @var{package} [@var{system}]
9449 @deffnx {Monadic Procedure} package->cross-derivation @var{package} @
9450 @var{target} [@var{system}]
9451 Monadic version of @code{package-derivation} and
9452 @code{package-cross-derivation} (@pxref{Defining Packages}).
9457 @section G-Expressions
9459 @cindex G-expression
9460 @cindex build code quoting
9461 So we have ``derivations'', which represent a sequence of build actions
9462 to be performed to produce an item in the store (@pxref{Derivations}).
9463 These build actions are performed when asking the daemon to actually
9464 build the derivations; they are run by the daemon in a container
9465 (@pxref{Invoking guix-daemon}).
9467 @cindex code staging
9468 @cindex staging, of code
9469 @cindex strata of code
9470 It should come as no surprise that we like to write these build actions
9471 in Scheme. When we do that, we end up with two @dfn{strata} of Scheme
9472 code@footnote{The term @dfn{stratum} in this context was coined by
9473 Manuel Serrano et al.@: in the context of their work on Hop. Oleg
9474 Kiselyov, who has written insightful
9475 @url{http://okmij.org/ftp/meta-programming/#meta-scheme, essays and code
9476 on this topic}, refers to this kind of code generation as
9477 @dfn{staging}.}: the ``host code''---code that defines packages, talks
9478 to the daemon, etc.---and the ``build code''---code that actually
9479 performs build actions, such as making directories, invoking
9480 @command{make}, and so on (@pxref{Build Phases}).
9482 To describe a derivation and its build actions, one typically needs to
9483 embed build code inside host code. It boils down to manipulating build
9484 code as data, and the homoiconicity of Scheme---code has a direct
9485 representation as data---comes in handy for that. But we need more than
9486 the normal @code{quasiquote} mechanism in Scheme to construct build
9489 The @code{(guix gexp)} module implements @dfn{G-expressions}, a form of
9490 S-expressions adapted to build expressions. G-expressions, or
9491 @dfn{gexps}, consist essentially of three syntactic forms: @code{gexp},
9492 @code{ungexp}, and @code{ungexp-splicing} (or simply: @code{#~},
9493 @code{#$}, and @code{#$@@}), which are comparable to
9494 @code{quasiquote}, @code{unquote}, and @code{unquote-splicing},
9495 respectively (@pxref{Expression Syntax, @code{quasiquote},, guile,
9496 GNU Guile Reference Manual}). However, there are major differences:
9500 Gexps are meant to be written to a file and run or manipulated by other
9504 When a high-level object such as a package or derivation is unquoted
9505 inside a gexp, the result is as if its output file name had been
9509 Gexps carry information about the packages or derivations they refer to,
9510 and these dependencies are automatically added as inputs to the build
9511 processes that use them.
9514 @cindex lowering, of high-level objects in gexps
9515 This mechanism is not limited to package and derivation
9516 objects: @dfn{compilers} able to ``lower'' other high-level objects to
9517 derivations or files in the store can be defined,
9518 such that these objects can also be inserted
9519 into gexps. For example, a useful type of high-level objects that can be
9520 inserted in a gexp is ``file-like objects'', which make it easy to
9521 add files to the store and to refer to them in
9522 derivations and such (see @code{local-file} and @code{plain-file}
9525 To illustrate the idea, here is an example of a gexp:
9532 (symlink (string-append #$coreutils "/bin/ls")
9536 This gexp can be passed to @code{gexp->derivation}; we obtain a
9537 derivation that builds a directory containing exactly one symlink to
9538 @file{/gnu/store/@dots{}-coreutils-8.22/bin/ls}:
9541 (gexp->derivation "the-thing" build-exp)
9544 As one would expect, the @code{"/gnu/store/@dots{}-coreutils-8.22"} string is
9545 substituted to the reference to the @var{coreutils} package in the
9546 actual build code, and @var{coreutils} is automatically made an input to
9547 the derivation. Likewise, @code{#$output} (equivalent to @code{(ungexp
9548 output)}) is replaced by a string containing the directory name of the
9549 output of the derivation.
9551 @cindex cross compilation
9552 In a cross-compilation context, it is useful to distinguish between
9553 references to the @emph{native} build of a package---that can run on the
9554 host---versus references to cross builds of a package. To that end, the
9555 @code{#+} plays the same role as @code{#$}, but is a reference to a
9556 native package build:
9559 (gexp->derivation "vi"
9562 (mkdir (string-append #$output "/bin"))
9563 (system* (string-append #+coreutils "/bin/ln")
9565 (string-append #$emacs "/bin/emacs")
9566 (string-append #$output "/bin/vi")))
9567 #:target "aarch64-linux-gnu")
9571 In the example above, the native build of @var{coreutils} is used, so
9572 that @command{ln} can actually run on the host; but then the
9573 cross-compiled build of @var{emacs} is referenced.
9575 @cindex imported modules, for gexps
9576 @findex with-imported-modules
9577 Another gexp feature is @dfn{imported modules}: sometimes you want to be
9578 able to use certain Guile modules from the ``host environment'' in the
9579 gexp, so those modules should be imported in the ``build environment''.
9580 The @code{with-imported-modules} form allows you to express that:
9583 (let ((build (with-imported-modules '((guix build utils))
9585 (use-modules (guix build utils))
9586 (mkdir-p (string-append #$output "/bin"))))))
9587 (gexp->derivation "empty-dir"
9590 (display "success!\n")
9595 In this example, the @code{(guix build utils)} module is automatically
9596 pulled into the isolated build environment of our gexp, such that
9597 @code{(use-modules (guix build utils))} works as expected.
9599 @cindex module closure
9600 @findex source-module-closure
9601 Usually you want the @emph{closure} of the module to be imported---i.e.,
9602 the module itself and all the modules it depends on---rather than just
9603 the module; failing to do that, attempts to use the module will fail
9604 because of missing dependent modules. The @code{source-module-closure}
9605 procedure computes the closure of a module by looking at its source file
9606 headers, which comes in handy in this case:
9609 (use-modules (guix modules)) ;for 'source-module-closure'
9611 (with-imported-modules (source-module-closure
9612 '((guix build utils)
9614 (gexp->derivation "something-with-vms"
9616 (use-modules (guix build utils)
9621 @cindex extensions, for gexps
9622 @findex with-extensions
9623 In the same vein, sometimes you want to import not just pure-Scheme
9624 modules, but also ``extensions'' such as Guile bindings to C libraries
9625 or other ``full-blown'' packages. Say you need the @code{guile-json}
9626 package available on the build side, here's how you would do it:
9629 (use-modules (gnu packages guile)) ;for 'guile-json'
9631 (with-extensions (list guile-json)
9632 (gexp->derivation "something-with-json"
9634 (use-modules (json))
9638 The syntactic form to construct gexps is summarized below.
9640 @deffn {Scheme Syntax} #~@var{exp}
9641 @deffnx {Scheme Syntax} (gexp @var{exp})
9642 Return a G-expression containing @var{exp}. @var{exp} may contain one
9643 or more of the following forms:
9647 @itemx (ungexp @var{obj})
9648 Introduce a reference to @var{obj}. @var{obj} may have one of the
9649 supported types, for example a package or a
9650 derivation, in which case the @code{ungexp} form is replaced by its
9651 output file name---e.g., @code{"/gnu/store/@dots{}-coreutils-8.22}.
9653 If @var{obj} is a list, it is traversed and references to supported
9654 objects are substituted similarly.
9656 If @var{obj} is another gexp, its contents are inserted and its
9657 dependencies are added to those of the containing gexp.
9659 If @var{obj} is another kind of object, it is inserted as is.
9661 @item #$@var{obj}:@var{output}
9662 @itemx (ungexp @var{obj} @var{output})
9663 This is like the form above, but referring explicitly to the
9664 @var{output} of @var{obj}---this is useful when @var{obj} produces
9665 multiple outputs (@pxref{Packages with Multiple Outputs}).
9668 @itemx #+@var{obj}:output
9669 @itemx (ungexp-native @var{obj})
9670 @itemx (ungexp-native @var{obj} @var{output})
9671 Same as @code{ungexp}, but produces a reference to the @emph{native}
9672 build of @var{obj} when used in a cross compilation context.
9674 @item #$output[:@var{output}]
9675 @itemx (ungexp output [@var{output}])
9676 Insert a reference to derivation output @var{output}, or to the main
9677 output when @var{output} is omitted.
9679 This only makes sense for gexps passed to @code{gexp->derivation}.
9682 @itemx (ungexp-splicing @var{lst})
9683 Like the above, but splices the contents of @var{lst} inside the
9687 @itemx (ungexp-native-splicing @var{lst})
9688 Like the above, but refers to native builds of the objects listed in
9693 G-expressions created by @code{gexp} or @code{#~} are run-time objects
9694 of the @code{gexp?} type (see below).
9697 @deffn {Scheme Syntax} with-imported-modules @var{modules} @var{body}@dots{}
9698 Mark the gexps defined in @var{body}@dots{} as requiring @var{modules}
9699 in their execution environment.
9701 Each item in @var{modules} can be the name of a module, such as
9702 @code{(guix build utils)}, or it can be a module name, followed by an
9703 arrow, followed by a file-like object:
9706 `((guix build utils)
9708 ((guix config) => ,(scheme-file "config.scm"
9709 #~(define-module @dots{}))))
9713 In the example above, the first two modules are taken from the search
9714 path, and the last one is created from the given file-like object.
9716 This form has @emph{lexical} scope: it has an effect on the gexps
9717 directly defined in @var{body}@dots{}, but not on those defined, say, in
9718 procedures called from @var{body}@dots{}.
9721 @deffn {Scheme Syntax} with-extensions @var{extensions} @var{body}@dots{}
9722 Mark the gexps defined in @var{body}@dots{} as requiring
9723 @var{extensions} in their build and execution environment.
9724 @var{extensions} is typically a list of package objects such as those
9725 defined in the @code{(gnu packages guile)} module.
9727 Concretely, the packages listed in @var{extensions} are added to the
9728 load path while compiling imported modules in @var{body}@dots{}; they
9729 are also added to the load path of the gexp returned by
9733 @deffn {Scheme Procedure} gexp? @var{obj}
9734 Return @code{#t} if @var{obj} is a G-expression.
9737 G-expressions are meant to be written to disk, either as code building
9738 some derivation, or as plain files in the store. The monadic procedures
9739 below allow you to do that (@pxref{The Store Monad}, for more
9740 information about monads).
9742 @deffn {Monadic Procedure} gexp->derivation @var{name} @var{exp} @
9743 [#:system (%current-system)] [#:target #f] [#:graft? #t] @
9744 [#:hash #f] [#:hash-algo #f] @
9745 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
9746 [#:module-path @code{%load-path}] @
9747 [#:effective-version "2.2"] @
9748 [#:references-graphs #f] [#:allowed-references #f] @
9749 [#:disallowed-references #f] @
9750 [#:leaked-env-vars #f] @
9751 [#:script-name (string-append @var{name} "-builder")] @
9752 [#:deprecation-warnings #f] @
9753 [#:local-build? #f] [#:substitutable? #t] @
9754 [#:properties '()] [#:guile-for-build #f]
9755 Return a derivation @var{name} that runs @var{exp} (a gexp) with
9756 @var{guile-for-build} (a derivation) on @var{system}; @var{exp} is
9757 stored in a file called @var{script-name}. When @var{target} is true,
9758 it is used as the cross-compilation target triplet for packages referred
9761 @var{modules} is deprecated in favor of @code{with-imported-modules}.
9763 make @var{modules} available in the evaluation context of @var{exp};
9764 @var{modules} is a list of names of Guile modules searched in
9765 @var{module-path} to be copied in the store, compiled, and made available in
9766 the load path during the execution of @var{exp}---e.g., @code{((guix
9767 build utils) (guix build gnu-build-system))}.
9769 @var{effective-version} determines the string to use when adding extensions of
9770 @var{exp} (see @code{with-extensions}) to the search path---e.g., @code{"2.2"}.
9772 @var{graft?} determines whether packages referred to by @var{exp} should be grafted when
9775 When @var{references-graphs} is true, it must be a list of tuples of one of the
9779 (@var{file-name} @var{package})
9780 (@var{file-name} @var{package} @var{output})
9781 (@var{file-name} @var{derivation})
9782 (@var{file-name} @var{derivation} @var{output})
9783 (@var{file-name} @var{store-item})
9786 The right-hand-side of each element of @var{references-graphs} is automatically made
9787 an input of the build process of @var{exp}. In the build environment, each
9788 @var{file-name} contains the reference graph of the corresponding item, in a simple
9791 @var{allowed-references} must be either @code{#f} or a list of output names and packages.
9792 In the latter case, the list denotes store items that the result is allowed to
9793 refer to. Any reference to another store item will lead to a build error.
9794 Similarly for @var{disallowed-references}, which can list items that must not be
9795 referenced by the outputs.
9797 @var{deprecation-warnings} determines whether to show deprecation warnings while
9798 compiling modules. It can be @code{#f}, @code{#t}, or @code{'detailed}.
9800 The other arguments are as for @code{derivation} (@pxref{Derivations}).
9803 @cindex file-like objects
9804 The @code{local-file}, @code{plain-file}, @code{computed-file},
9805 @code{program-file}, and @code{scheme-file} procedures below return
9806 @dfn{file-like objects}. That is, when unquoted in a G-expression,
9807 these objects lead to a file in the store. Consider this G-expression:
9810 #~(system* #$(file-append glibc "/sbin/nscd") "-f"
9811 #$(local-file "/tmp/my-nscd.conf"))
9814 The effect here is to ``intern'' @file{/tmp/my-nscd.conf} by copying it
9815 to the store. Once expanded, for instance @i{via}
9816 @code{gexp->derivation}, the G-expression refers to that copy under
9817 @file{/gnu/store}; thus, modifying or removing the file in @file{/tmp}
9818 does not have any effect on what the G-expression does.
9819 @code{plain-file} can be used similarly; it differs in that the file
9820 content is directly passed as a string.
9822 @deffn {Scheme Procedure} local-file @var{file} [@var{name}] @
9823 [#:recursive? #f] [#:select? (const #t)]
9824 Return an object representing local file @var{file} to add to the store;
9825 this object can be used in a gexp. If @var{file} is a literal string
9826 denoting a relative file name, it is looked up relative to the source
9827 file where it appears; if @var{file} is not a literal string, it is
9828 looked up relative to the current working directory at run time.
9829 @var{file} will be added to the store under @var{name}--by default the
9830 base name of @var{file}.
9832 When @var{recursive?} is true, the contents of @var{file} are added recursively; if @var{file}
9833 designates a flat file and @var{recursive?} is true, its contents are added, and its
9834 permission bits are kept.
9836 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
9837 @var{stat})} for each directory entry, where @var{file} is the entry's
9838 absolute file name and @var{stat} is the result of @code{lstat}; exclude
9839 entries for which @var{select?} does not return true.
9841 This is the declarative counterpart of the @code{interned-file} monadic
9842 procedure (@pxref{The Store Monad, @code{interned-file}}).
9845 @deffn {Scheme Procedure} plain-file @var{name} @var{content}
9846 Return an object representing a text file called @var{name} with the given
9847 @var{content} (a string or a bytevector) to be added to the store.
9849 This is the declarative counterpart of @code{text-file}.
9852 @deffn {Scheme Procedure} computed-file @var{name} @var{gexp} @
9855 Return an object representing the store item @var{name}, a file or
9856 directory computed by @var{gexp}. When @var{local-build?} is true (the
9857 default), the derivation is built locally. @var{options} is a list of
9858 additional arguments to pass to @code{gexp->derivation}.
9860 This is the declarative counterpart of @code{gexp->derivation}.
9863 @deffn {Monadic Procedure} gexp->script @var{name} @var{exp} @
9864 [#:guile (default-guile)] [#:module-path %load-path] @
9865 [#:system (%current-system)] [#:target #f]
9866 Return an executable script @var{name} that runs @var{exp} using
9867 @var{guile}, with @var{exp}'s imported modules in its search path.
9868 Look up @var{exp}'s modules in @var{module-path}.
9870 The example below builds a script that simply invokes the @command{ls}
9874 (use-modules (guix gexp) (gnu packages base))
9876 (gexp->script "list-files"
9877 #~(execl #$(file-append coreutils "/bin/ls")
9881 When ``running'' it through the store (@pxref{The Store Monad,
9882 @code{run-with-store}}), we obtain a derivation that produces an
9883 executable file @file{/gnu/store/@dots{}-list-files} along these lines:
9886 #!/gnu/store/@dots{}-guile-2.0.11/bin/guile -ds
9888 (execl "/gnu/store/@dots{}-coreutils-8.22"/bin/ls" "ls")
9892 @deffn {Scheme Procedure} program-file @var{name} @var{exp} @
9893 [#:guile #f] [#:module-path %load-path]
9894 Return an object representing the executable store item @var{name} that
9895 runs @var{gexp}. @var{guile} is the Guile package used to execute that
9896 script. Imported modules of @var{gexp} are looked up in @var{module-path}.
9898 This is the declarative counterpart of @code{gexp->script}.
9901 @deffn {Monadic Procedure} gexp->file @var{name} @var{exp} @
9902 [#:set-load-path? #t] [#:module-path %load-path] @
9904 [#:guile (default-guile)]
9905 Return a derivation that builds a file @var{name} containing @var{exp}.
9906 When @var{splice?} is true, @var{exp} is considered to be a list of
9907 expressions that will be spliced in the resulting file.
9909 When @var{set-load-path?} is true, emit code in the resulting file to
9910 set @code{%load-path} and @code{%load-compiled-path} to honor
9911 @var{exp}'s imported modules. Look up @var{exp}'s modules in
9914 The resulting file holds references to all the dependencies of @var{exp}
9915 or a subset thereof.
9918 @deffn {Scheme Procedure} scheme-file @var{name} @var{exp} @
9919 [#:splice? #f] [#:set-load-path? #t]
9920 Return an object representing the Scheme file @var{name} that contains
9923 This is the declarative counterpart of @code{gexp->file}.
9926 @deffn {Monadic Procedure} text-file* @var{name} @var{text} @dots{}
9927 Return as a monadic value a derivation that builds a text file
9928 containing all of @var{text}. @var{text} may list, in addition to
9929 strings, objects of any type that can be used in a gexp: packages,
9930 derivations, local file objects, etc. The resulting store file holds
9931 references to all these.
9933 This variant should be preferred over @code{text-file} anytime the file
9934 to create will reference items from the store. This is typically the
9935 case when building a configuration file that embeds store file names,
9939 (define (profile.sh)
9940 ;; Return the name of a shell script in the store that
9941 ;; initializes the 'PATH' environment variable.
9942 (text-file* "profile.sh"
9943 "export PATH=" coreutils "/bin:"
9944 grep "/bin:" sed "/bin\n"))
9947 In this example, the resulting @file{/gnu/store/@dots{}-profile.sh} file
9948 will reference @var{coreutils}, @var{grep}, and @var{sed}, thereby
9949 preventing them from being garbage-collected during its lifetime.
9952 @deffn {Scheme Procedure} mixed-text-file @var{name} @var{text} @dots{}
9953 Return an object representing store file @var{name} containing
9954 @var{text}. @var{text} is a sequence of strings and file-like objects,
9958 (mixed-text-file "profile"
9959 "export PATH=" coreutils "/bin:" grep "/bin")
9962 This is the declarative counterpart of @code{text-file*}.
9965 @deffn {Scheme Procedure} file-union @var{name} @var{files}
9966 Return a @code{<computed-file>} that builds a directory containing all of @var{files}.
9967 Each item in @var{files} must be a two-element list where the first element is the
9968 file name to use in the new directory, and the second element is a gexp
9969 denoting the target file. Here's an example:
9973 `(("hosts" ,(plain-file "hosts"
9974 "127.0.0.1 localhost"))
9975 ("bashrc" ,(plain-file "bashrc"
9976 "alias ls='ls --color=auto'"))))
9979 This yields an @code{etc} directory containing these two files.
9982 @deffn {Scheme Procedure} directory-union @var{name} @var{things}
9983 Return a directory that is the union of @var{things}, where @var{things} is a list of
9984 file-like objects denoting directories. For example:
9987 (directory-union "guile+emacs" (list guile emacs))
9990 yields a directory that is the union of the @code{guile} and @code{emacs} packages.
9993 @deffn {Scheme Procedure} file-append @var{obj} @var{suffix} @dots{}
9994 Return a file-like object that expands to the concatenation of @var{obj}
9995 and @var{suffix}, where @var{obj} is a lowerable object and each
9996 @var{suffix} is a string.
9998 As an example, consider this gexp:
10001 (gexp->script "run-uname"
10002 #~(system* #$(file-append coreutils
10006 The same effect could be achieved with:
10009 (gexp->script "run-uname"
10010 #~(system* (string-append #$coreutils
10014 There is one difference though: in the @code{file-append} case, the
10015 resulting script contains the absolute file name as a string, whereas in
10016 the second case, the resulting script contains a @code{(string-append
10017 @dots{})} expression to construct the file name @emph{at run time}.
10020 @deffn {Scheme Syntax} let-system @var{system} @var{body}@dots{}
10021 @deffnx {Scheme Syntax} let-system (@var{system} @var{target}) @var{body}@dots{}
10022 Bind @var{system} to the currently targeted system---e.g.,
10023 @code{"x86_64-linux"}---within @var{body}.
10025 In the second case, additionally bind @var{target} to the current
10026 cross-compilation target---a GNU triplet such as
10027 @code{"arm-linux-gnueabihf"}---or @code{#f} if we are not
10030 @code{let-system} is useful in the occasional case where the object
10031 spliced into the gexp depends on the target system, as in this example:
10035 #+(let-system system
10036 (cond ((string-prefix? "armhf-" system)
10037 (file-append qemu "/bin/qemu-system-arm"))
10038 ((string-prefix? "x86_64-" system)
10039 (file-append qemu "/bin/qemu-system-x86_64"))
10041 (error "dunno!"))))
10042 "-net" "user" #$image)
10046 @deffn {Scheme Syntax} with-parameters ((@var{parameter} @var{value}) @dots{}) @var{exp}
10047 This macro is similar to the @code{parameterize} form for
10048 dynamically-bound @dfn{parameters} (@pxref{Parameters,,, guile, GNU
10049 Guile Reference Manual}). The key difference is that it takes effect
10050 when the file-like object returned by @var{exp} is lowered to a
10051 derivation or store item.
10053 A typical use of @code{with-parameters} is to force the system in effect
10054 for a given object:
10057 (with-parameters ((%current-system "i686-linux"))
10061 The example above returns an object that corresponds to the i686 build
10062 of Coreutils, regardless of the current value of @code{%current-system}.
10066 Of course, in addition to gexps embedded in ``host'' code, there are
10067 also modules containing build tools. To make it clear that they are
10068 meant to be used in the build stratum, these modules are kept in the
10069 @code{(guix build @dots{})} name space.
10071 @cindex lowering, of high-level objects in gexps
10072 Internally, high-level objects are @dfn{lowered}, using their compiler,
10073 to either derivations or store items. For instance, lowering a package
10074 yields a derivation, and lowering a @code{plain-file} yields a store
10075 item. This is achieved using the @code{lower-object} monadic procedure.
10077 @deffn {Monadic Procedure} lower-object @var{obj} [@var{system}] @
10079 Return as a value in @code{%store-monad} the derivation or store item
10080 corresponding to @var{obj} for @var{system}, cross-compiling for
10081 @var{target} if @var{target} is true. @var{obj} must be an object that
10082 has an associated gexp compiler, such as a @code{<package>}.
10085 @deffn {Procedure} gexp->approximate-sexp @var{gexp}
10086 Sometimes, it may be useful to convert a G-exp into a S-exp. For
10087 example, some linters (@pxref{Invoking guix lint}) peek into the build
10088 phases of a package to detect potential problems. This conversion can
10089 be achieved with this procedure. However, some information can be lost
10090 in the process. More specifically, lowerable objects will be silently
10091 replaced with some arbitrary object -- currently the list
10092 @code{(*approximate*)}, but this may change.
10095 @node Invoking guix repl
10096 @section Invoking @command{guix repl}
10098 @cindex REPL, read-eval-print loop, script
10099 The @command{guix repl} command makes it easier to program Guix in Guile
10100 by launching a Guile @dfn{read-eval-print loop} (REPL) for interactive
10101 programming (@pxref{Using Guile Interactively,,, guile,
10102 GNU Guile Reference Manual}), or by running Guile scripts
10103 (@pxref{Running Guile Scripts,,, guile,
10104 GNU Guile Reference Manual}).
10105 Compared to just launching the @command{guile}
10106 command, @command{guix repl} guarantees that all the Guix modules and all its
10107 dependencies are available in the search path.
10109 The general syntax is:
10112 guix repl @var{options} [@var{file} @var{args}]
10115 When a @var{file} argument is provided, @var{file} is
10116 executed as a Guile scripts:
10119 guix repl my-script.scm
10122 To pass arguments to the script, use @code{--} to prevent them from
10123 being interpreted as arguments to @command{guix repl} itself:
10126 guix repl -- my-script.scm --input=foo.txt
10129 To make a script executable directly from the shell, using the guix
10130 executable that is on the user's search path, add the following two
10131 lines at the top of the script:
10134 @code{#!/usr/bin/env -S guix repl --}
10138 Without a file name argument, a Guile REPL is started:
10142 scheme@@(guile-user)> ,use (gnu packages base)
10143 scheme@@(guile-user)> coreutils
10144 $1 = #<package coreutils@@8.29 gnu/packages/base.scm:327 3e28300>
10148 In addition, @command{guix repl} implements a simple machine-readable REPL
10149 protocol for use by @code{(guix inferior)}, a facility to interact with
10150 @dfn{inferiors}, separate processes running a potentially different revision
10153 The available options are as follows:
10156 @item --type=@var{type}
10157 @itemx -t @var{type}
10158 Start a REPL of the given @var{TYPE}, which can be one of the following:
10162 This is default, and it spawns a standard full-featured Guile REPL.
10164 Spawn a REPL that uses the machine-readable protocol. This is the protocol
10165 that the @code{(guix inferior)} module speaks.
10168 @item --listen=@var{endpoint}
10169 By default, @command{guix repl} reads from standard input and writes to
10170 standard output. When this option is passed, it will instead listen for
10171 connections on @var{endpoint}. Here are examples of valid options:
10174 @item --listen=tcp:37146
10175 Accept connections on localhost on port 37146.
10177 @item --listen=unix:/tmp/socket
10178 Accept connections on the Unix-domain socket @file{/tmp/socket}.
10181 @item --load-path=@var{directory}
10182 @itemx -L @var{directory}
10183 Add @var{directory} to the front of the package module search path
10184 (@pxref{Package Modules}).
10186 This allows users to define their own packages and make them visible to
10187 the script or REPL.
10190 Inhibit loading of the @file{~/.guile} file. By default, that
10191 configuration file is loaded when spawning a @code{guile} REPL.
10194 @c *********************************************************************
10198 This section describes Guix command-line utilities. Some of them are
10199 primarily targeted at developers and users who write new package
10200 definitions, while others are more generally useful. They complement
10201 the Scheme programming interface of Guix in a convenient way.
10204 * Invoking guix build:: Building packages from the command line.
10205 * Invoking guix edit:: Editing package definitions.
10206 * Invoking guix download:: Downloading a file and printing its hash.
10207 * Invoking guix hash:: Computing the cryptographic hash of a file.
10208 * Invoking guix import:: Importing package definitions.
10209 * Invoking guix refresh:: Updating package definitions.
10210 * Invoking guix lint:: Finding errors in package definitions.
10211 * Invoking guix size:: Profiling disk usage.
10212 * Invoking guix graph:: Visualizing the graph of packages.
10213 * Invoking guix publish:: Sharing substitutes.
10214 * Invoking guix challenge:: Challenging substitute servers.
10215 * Invoking guix copy:: Copying to and from a remote store.
10216 * Invoking guix container:: Process isolation.
10217 * Invoking guix weather:: Assessing substitute availability.
10218 * Invoking guix processes:: Listing client processes.
10221 @node Invoking guix build
10222 @section Invoking @command{guix build}
10224 @cindex package building
10225 @cindex @command{guix build}
10226 The @command{guix build} command builds packages or derivations and
10227 their dependencies, and prints the resulting store paths. Note that it
10228 does not modify the user's profile---this is the job of the
10229 @command{guix package} command (@pxref{Invoking guix package}). Thus,
10230 it is mainly useful for distribution developers.
10232 The general syntax is:
10235 guix build @var{options} @var{package-or-derivation}@dots{}
10238 As an example, the following command builds the latest versions of Emacs
10239 and of Guile, displays their build logs, and finally displays the
10240 resulting directories:
10243 guix build emacs guile
10246 Similarly, the following command builds all the available packages:
10249 guix build --quiet --keep-going \
10250 $(guix package -A | awk '@{ print $1 "@@" $2 @}')
10253 @var{package-or-derivation} may be either the name of a package found in
10254 the software distribution such as @code{coreutils} or
10255 @code{coreutils@@8.20}, or a derivation such as
10256 @file{/gnu/store/@dots{}-coreutils-8.19.drv}. In the former case, a
10257 package with the corresponding name (and optionally version) is searched
10258 for among the GNU distribution modules (@pxref{Package Modules}).
10260 Alternatively, the @option{--expression} option may be used to specify a
10261 Scheme expression that evaluates to a package; this is useful when
10262 disambiguating among several same-named packages or package variants is
10265 There may be zero or more @var{options}. The available options are
10266 described in the subsections below.
10269 * Common Build Options:: Build options for most commands.
10270 * Package Transformation Options:: Creating variants of packages.
10271 * Additional Build Options:: Options specific to 'guix build'.
10272 * Debugging Build Failures:: Real life packaging experience.
10275 @node Common Build Options
10276 @subsection Common Build Options
10278 A number of options that control the build process are common to
10279 @command{guix build} and other commands that can spawn builds, such as
10280 @command{guix package} or @command{guix archive}. These are the
10285 @item --load-path=@var{directory}
10286 @itemx -L @var{directory}
10287 Add @var{directory} to the front of the package module search path
10288 (@pxref{Package Modules}).
10290 This allows users to define their own packages and make them visible to
10291 the command-line tools.
10293 @item --keep-failed
10295 Keep the build tree of failed builds. Thus, if a build fails, its build
10296 tree is kept under @file{/tmp}, in a directory whose name is shown at
10297 the end of the build log. This is useful when debugging build issues.
10298 @xref{Debugging Build Failures}, for tips and tricks on how to debug
10301 This option implies @option{--no-offload}, and it has no effect when
10302 connecting to a remote daemon with a @code{guix://} URI (@pxref{The
10303 Store, the @env{GUIX_DAEMON_SOCKET} variable}).
10307 Keep going when some of the derivations fail to build; return only once
10308 all the builds have either completed or failed.
10310 The default behavior is to stop as soon as one of the specified
10311 derivations has failed.
10315 Do not build the derivations.
10317 @anchor{fallback-option}
10319 When substituting a pre-built binary fails, fall back to building
10320 packages locally (@pxref{Substitution Failure}).
10322 @item --substitute-urls=@var{urls}
10323 @anchor{client-substitute-urls}
10324 Consider @var{urls} the whitespace-separated list of substitute source
10325 URLs, overriding the default list of URLs of @command{guix-daemon}
10326 (@pxref{daemon-substitute-urls,, @command{guix-daemon} URLs}).
10328 This means that substitutes may be downloaded from @var{urls}, provided
10329 they are signed by a key authorized by the system administrator
10330 (@pxref{Substitutes}).
10332 When @var{urls} is the empty string, substitutes are effectively
10335 @item --no-substitutes
10336 Do not use substitutes for build products. That is, always build things
10337 locally instead of allowing downloads of pre-built binaries
10338 (@pxref{Substitutes}).
10341 Do not ``graft'' packages. In practice, this means that package updates
10342 available as grafts are not applied. @xref{Security Updates}, for more
10343 information on grafts.
10345 @item --rounds=@var{n}
10346 Build each derivation @var{n} times in a row, and raise an error if
10347 consecutive build results are not bit-for-bit identical.
10349 This is a useful way to detect non-deterministic builds processes.
10350 Non-deterministic build processes are a problem because they make it
10351 practically impossible for users to @emph{verify} whether third-party
10352 binaries are genuine. @xref{Invoking guix challenge}, for more.
10354 When used in conjunction with @option{--keep-failed}, the differing
10355 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
10356 This makes it easy to look for differences between the two results.
10359 Do not use offload builds to other machines (@pxref{Daemon Offload
10360 Setup}). That is, always build things locally instead of offloading
10361 builds to remote machines.
10363 @item --max-silent-time=@var{seconds}
10364 When the build or substitution process remains silent for more than
10365 @var{seconds}, terminate it and report a build failure.
10367 By default, the daemon's setting is honored (@pxref{Invoking
10368 guix-daemon, @option{--max-silent-time}}).
10370 @item --timeout=@var{seconds}
10371 Likewise, when the build or substitution process lasts for more than
10372 @var{seconds}, terminate it and report a build failure.
10374 By default, the daemon's setting is honored (@pxref{Invoking
10375 guix-daemon, @option{--timeout}}).
10377 @c Note: This option is actually not part of %standard-build-options but
10378 @c most programs honor it.
10379 @cindex verbosity, of the command-line tools
10380 @cindex build logs, verbosity
10381 @item -v @var{level}
10382 @itemx --verbosity=@var{level}
10383 Use the given verbosity @var{level}, an integer. Choosing 0 means that
10384 no output is produced, 1 is for quiet output; 2 is similar to 1 but it
10385 additionally displays download URLs; 3 shows all the build log output on
10388 @item --cores=@var{n}
10390 Allow the use of up to @var{n} CPU cores for the build. The special
10391 value @code{0} means to use as many CPU cores as available.
10393 @item --max-jobs=@var{n}
10395 Allow at most @var{n} build jobs in parallel. @xref{Invoking
10396 guix-daemon, @option{--max-jobs}}, for details about this option and the
10397 equivalent @command{guix-daemon} option.
10399 @item --debug=@var{level}
10400 Produce debugging output coming from the build daemon. @var{level} must be an
10401 integer between 0 and 5; higher means more verbose output. Setting a level of
10402 4 or more may be helpful when debugging setup issues with the build daemon.
10406 Behind the scenes, @command{guix build} is essentially an interface to
10407 the @code{package-derivation} procedure of the @code{(guix packages)}
10408 module, and to the @code{build-derivations} procedure of the @code{(guix
10409 derivations)} module.
10411 In addition to options explicitly passed on the command line,
10412 @command{guix build} and other @command{guix} commands that support
10413 building honor the @env{GUIX_BUILD_OPTIONS} environment variable.
10415 @defvr {Environment Variable} GUIX_BUILD_OPTIONS
10416 Users can define this variable to a list of command line options that
10417 will automatically be used by @command{guix build} and other
10418 @command{guix} commands that can perform builds, as in the example
10422 $ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar"
10425 These options are parsed independently, and the result is appended to
10426 the parsed command-line options.
10430 @node Package Transformation Options
10431 @subsection Package Transformation Options
10433 @cindex package variants
10434 Another set of command-line options supported by @command{guix build}
10435 and also @command{guix package} are @dfn{package transformation
10436 options}. These are options that make it possible to define @dfn{package
10437 variants}---for instance, packages built from different source code.
10438 This is a convenient way to create customized packages on the fly
10439 without having to type in the definitions of package variants
10440 (@pxref{Defining Packages}).
10442 Package transformation options are preserved across upgrades:
10443 @command{guix upgrade} attempts to apply transformation options
10444 initially used when creating the profile to the upgraded packages.
10446 The available options are listed below. Most commands support them and
10447 also support a @option{--help-transform} option that lists all the
10448 available options and a synopsis (these options are not shown in the
10449 @option{--help} output for brevity).
10453 @item --with-source=@var{source}
10454 @itemx --with-source=@var{package}=@var{source}
10455 @itemx --with-source=@var{package}@@@var{version}=@var{source}
10456 Use @var{source} as the source of @var{package}, and @var{version} as
10457 its version number.
10458 @var{source} must be a file name or a URL, as for @command{guix
10459 download} (@pxref{Invoking guix download}).
10461 When @var{package} is omitted,
10462 it is taken to be the package name specified on the
10463 command line that matches the base of @var{source}---e.g.,
10464 if @var{source} is @code{/src/guile-2.0.10.tar.gz}, the corresponding
10465 package is @code{guile}.
10467 Likewise, when @var{version} is omitted, the version string is inferred from
10468 @var{source}; in the previous example, it is @code{2.0.10}.
10470 This option allows users to try out versions of packages other than the
10471 one provided by the distribution. The example below downloads
10472 @file{ed-1.7.tar.gz} from a GNU mirror and uses that as the source for
10473 the @code{ed} package:
10476 guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz
10479 As a developer, @option{--with-source} makes it easy to test release
10483 guix build guile --with-source=../guile-2.0.9.219-e1bb7.tar.xz
10486 @dots{} or to build from a checkout in a pristine environment:
10489 $ git clone git://git.sv.gnu.org/guix.git
10490 $ guix build guix --with-source=guix@@1.0=./guix
10493 @item --with-input=@var{package}=@var{replacement}
10494 Replace dependency on @var{package} by a dependency on
10495 @var{replacement}. @var{package} must be a package name, and
10496 @var{replacement} must be a package specification such as @code{guile}
10497 or @code{guile@@1.8}.
10499 For instance, the following command builds Guix, but replaces its
10500 dependency on the current stable version of Guile with a dependency on
10501 the legacy version of Guile, @code{guile@@2.0}:
10504 guix build --with-input=guile=guile@@2.0 guix
10507 This is a recursive, deep replacement. So in this example, both
10508 @code{guix} and its dependency @code{guile-json} (which also depends on
10509 @code{guile}) get rebuilt against @code{guile@@2.0}.
10511 This is implemented using the @code{package-input-rewriting} Scheme
10512 procedure (@pxref{Defining Packages, @code{package-input-rewriting}}).
10514 @item --with-graft=@var{package}=@var{replacement}
10515 This is similar to @option{--with-input} but with an important difference:
10516 instead of rebuilding the whole dependency chain, @var{replacement} is
10517 built and then @dfn{grafted} onto the binaries that were initially
10518 referring to @var{package}. @xref{Security Updates}, for more
10519 information on grafts.
10521 For example, the command below grafts version 3.5.4 of GnuTLS onto Wget
10522 and all its dependencies, replacing references to the version of GnuTLS
10523 they currently refer to:
10526 guix build --with-graft=gnutls=gnutls@@3.5.4 wget
10529 This has the advantage of being much faster than rebuilding everything.
10530 But there is a caveat: it works if and only if @var{package} and
10531 @var{replacement} are strictly compatible---for example, if they provide
10532 a library, the application binary interface (ABI) of those libraries
10533 must be compatible. If @var{replacement} is somehow incompatible with
10534 @var{package}, then the resulting package may be unusable. Use with
10537 @cindex debugging info, rebuilding
10538 @item --with-debug-info=@var{package}
10539 Build @var{package} in a way that preserves its debugging info and graft
10540 it onto packages that depend on it. This is useful if @var{package}
10541 does not already provide debugging info as a @code{debug} output
10542 (@pxref{Installing Debugging Files}).
10544 For example, suppose you're experiencing a crash in Inkscape and would
10545 like to see what's up in GLib, a library deep down in Inkscape's
10546 dependency graph. GLib lacks a @code{debug} output, so debugging is
10547 tough. Fortunately, you rebuild GLib with debugging info and tack it on
10551 guix install inkscape --with-debug-info=glib
10554 Only GLib needs to be recompiled so this takes a reasonable amount of
10555 time. @xref{Installing Debugging Files}, for more info.
10558 Under the hood, this option works by passing the @samp{#:strip-binaries?
10559 #f} to the build system of the package of interest (@pxref{Build
10560 Systems}). Most build systems support that option but some do not. In
10561 that case, an error is raised.
10563 Likewise, if a C/C++ package is built without @code{-g} (which is rarely
10564 the case), debugging info will remain unavailable even when
10565 @code{#:strip-binaries?} is false.
10568 @cindex tool chain, changing the build tool chain of a package
10569 @item --with-c-toolchain=@var{package}=@var{toolchain}
10570 This option changes the compilation of @var{package} and everything that
10571 depends on it so that they get built with @var{toolchain} instead of the
10572 default GNU tool chain for C/C++.
10574 Consider this example:
10577 guix build octave-cli \
10578 --with-c-toolchain=fftw=gcc-toolchain@@10 \
10579 --with-c-toolchain=fftwf=gcc-toolchain@@10
10582 The command above builds a variant of the @code{fftw} and @code{fftwf}
10583 packages using version 10 of @code{gcc-toolchain} instead of the default
10584 tool chain, and then builds a variant of the GNU@tie{}Octave
10585 command-line interface using them. GNU@tie{}Octave itself is also built
10586 with @code{gcc-toolchain@@10}.
10588 This other example builds the Hardware Locality (@code{hwloc}) library
10589 and its dependents up to @code{intel-mpi-benchmarks} with the Clang C
10593 guix build --with-c-toolchain=hwloc=clang-toolchain \
10594 intel-mpi-benchmarks
10598 There can be application binary interface (ABI) incompatibilities among
10599 tool chains. This is particularly true of the C++ standard library and
10600 run-time support libraries such as that of OpenMP@. By rebuilding all
10601 dependents with the same tool chain, @option{--with-c-toolchain} minimizes
10602 the risks of incompatibility but cannot entirely eliminate them. Choose
10603 @var{package} wisely.
10606 @item --with-git-url=@var{package}=@var{url}
10607 @cindex Git, using the latest commit
10608 @cindex latest commit, building
10609 Build @var{package} from the latest commit of the @code{master} branch of the
10610 Git repository at @var{url}. Git sub-modules of the repository are fetched,
10613 For example, the following command builds the NumPy Python library against the
10614 latest commit of the master branch of Python itself:
10617 guix build python-numpy \
10618 --with-git-url=python=https://github.com/python/cpython
10621 This option can also be combined with @option{--with-branch} or
10622 @option{--with-commit} (see below).
10624 @cindex continuous integration
10625 Obviously, since it uses the latest commit of the given branch, the result of
10626 such a command varies over time. Nevertheless it is a convenient way to
10627 rebuild entire software stacks against the latest commit of one or more
10628 packages. This is particularly useful in the context of continuous
10631 Checkouts are kept in a cache under @file{~/.cache/guix/checkouts} to speed up
10632 consecutive accesses to the same repository. You may want to clean it up once
10633 in a while to save disk space.
10635 @item --with-branch=@var{package}=@var{branch}
10636 Build @var{package} from the latest commit of @var{branch}. If the
10637 @code{source} field of @var{package} is an origin with the @code{git-fetch}
10638 method (@pxref{origin Reference}) or a @code{git-checkout} object, the
10639 repository URL is taken from that @code{source}. Otherwise you have to use
10640 @option{--with-git-url} to specify the URL of the Git repository.
10642 For instance, the following command builds @code{guile-sqlite3} from the
10643 latest commit of its @code{master} branch, and then builds @code{guix} (which
10644 depends on it) and @code{cuirass} (which depends on @code{guix}) against this
10645 specific @code{guile-sqlite3} build:
10648 guix build --with-branch=guile-sqlite3=master cuirass
10651 @item --with-commit=@var{package}=@var{commit}
10652 This is similar to @option{--with-branch}, except that it builds from
10653 @var{commit} rather than the tip of a branch. @var{commit} must be a valid
10654 Git commit SHA1 identifier or a tag.
10656 @item --with-patch=@var{package}=@var{file}
10657 Add @var{file} to the list of patches applied to @var{package}, where
10658 @var{package} is a spec such as @code{python@@3.8} or @code{glibc}.
10659 @var{file} must contain a patch; it is applied with the flags specified
10660 in the @code{origin} of @var{package} (@pxref{origin Reference}), which
10661 by default includes @code{-p1} (@pxref{patch Directories,,, diffutils,
10662 Comparing and Merging Files}).
10664 As an example, the command below rebuilds Coreutils with the GNU C
10665 Library (glibc) patched with the given patch:
10668 guix build coreutils --with-patch=glibc=./glibc-frob.patch
10671 In this example, glibc itself as well as everything that leads to
10672 Coreutils in the dependency graph is rebuilt.
10674 @cindex upstream, latest version
10675 @item --with-latest=@var{package}
10676 So you like living on the bleeding edge? This option is for you! It
10677 replaces occurrences of @var{package} in the dependency graph with its
10678 latest upstream version, as reported by @command{guix refresh}
10679 (@pxref{Invoking guix refresh}).
10681 It does so by determining the latest upstream release of @var{package}
10682 (if possible), downloading it, and authenticating it @emph{if} it comes
10683 with an OpenPGP signature.
10685 As an example, the command below builds Guix against the latest version
10689 guix build guix --with-latest=guile-json
10692 There are limitations. First, in cases where the tool cannot or does
10693 not know how to authenticate source code, you are at risk of running
10694 malicious code; a warning is emitted in this case. Second, this option
10695 simply changes the source used in the existing package definitions,
10696 which is not always sufficient: there might be additional dependencies
10697 that need to be added, patches to apply, and more generally the quality
10698 assurance work that Guix developers normally do will be missing.
10700 You've been warned! In all the other cases, it's a snappy way to stay
10701 on top. We encourage you to submit patches updating the actual package
10702 definitions once you have successfully tested an upgrade
10703 (@pxref{Contributing}).
10705 @cindex test suite, skipping
10706 @item --without-tests=@var{package}
10707 Build @var{package} without running its tests. This can be useful in
10708 situations where you want to skip the lengthy test suite of a
10709 intermediate package, or if a package's test suite fails in a
10710 non-deterministic fashion. It should be used with care because running
10711 the test suite is a good way to ensure a package is working as intended.
10713 Turning off tests leads to a different store item. Consequently, when
10714 using this option, anything that depends on @var{package} must be
10715 rebuilt, as in this example:
10718 guix install --without-tests=python python-notebook
10721 The command above installs @code{python-notebook} on top of
10722 @code{python} built without running its test suite. To do so, it also
10723 rebuilds everything that depends on @code{python}, including
10724 @code{python-notebook} itself.
10726 Internally, @option{--without-tests} relies on changing the
10727 @code{#:tests?} option of a package's @code{check} phase (@pxref{Build
10728 Systems}). Note that some packages use a customized @code{check} phase
10729 that does not respect a @code{#:tests? #f} setting. Therefore,
10730 @option{--without-tests} has no effect on these packages.
10734 Wondering how to achieve the same effect using Scheme code, for example
10735 in your manifest, or how to write your own package transformation?
10736 @xref{Defining Package Variants}, for an overview of the programming
10737 interfaces available.
10739 @node Additional Build Options
10740 @subsection Additional Build Options
10742 The command-line options presented below are specific to @command{guix
10749 Build quietly, without displaying the build log; this is equivalent to
10750 @option{--verbosity=0}. Upon completion, the build log is kept in @file{/var}
10751 (or similar) and can always be retrieved using the @option{--log-file} option.
10753 @item --file=@var{file}
10754 @itemx -f @var{file}
10755 Build the package, derivation, or other file-like object that the code within
10756 @var{file} evaluates to (@pxref{G-Expressions, file-like objects}).
10758 As an example, @var{file} might contain a package definition like this
10759 (@pxref{Defining Packages}):
10762 @include package-hello.scm
10765 The @var{file} may also contain a JSON representation of one or more
10766 package definitions. Running @code{guix build -f} on @file{hello.json}
10767 with the following contents would result in building the packages
10768 @code{myhello} and @code{greeter}:
10771 @verbatiminclude package-hello.json
10774 @item --manifest=@var{manifest}
10775 @itemx -m @var{manifest}
10776 Build all packages listed in the given @var{manifest}
10777 (@pxref{profile-manifest, @option{--manifest}}).
10779 @item --expression=@var{expr}
10780 @itemx -e @var{expr}
10781 Build the package or derivation @var{expr} evaluates to.
10783 For example, @var{expr} may be @code{(@@ (gnu packages guile)
10784 guile-1.8)}, which unambiguously designates this specific variant of
10785 version 1.8 of Guile.
10787 Alternatively, @var{expr} may be a G-expression, in which case it is used
10788 as a build program passed to @code{gexp->derivation}
10789 (@pxref{G-Expressions}).
10791 Lastly, @var{expr} may refer to a zero-argument monadic procedure
10792 (@pxref{The Store Monad}). The procedure must return a derivation as a
10793 monadic value, which is then passed through @code{run-with-store}.
10797 Build the source derivations of the packages, rather than the packages
10800 For instance, @code{guix build -S gcc} returns something like
10801 @file{/gnu/store/@dots{}-gcc-4.7.2.tar.bz2}, which is the GCC
10804 The returned source tarball is the result of applying any patches and
10805 code snippets specified in the package @code{origin} (@pxref{Defining
10808 @cindex source, verification
10809 As with other derivations, the result of building a source derivation
10810 can be verified using the @option{--check} option (@pxref{build-check}).
10811 This is useful to validate that a (potentially already built or
10812 substituted, thus cached) package source matches against its declared
10815 Note that @command{guix build -S} compiles the sources only of the
10816 specified packages. They do not include the sources of statically
10817 linked dependencies and by themselves are insufficient for reproducing
10821 Fetch and return the source of @var{package-or-derivation} and all their
10822 dependencies, recursively. This is a handy way to obtain a local copy
10823 of all the source code needed to build @var{packages}, allowing you to
10824 eventually build them even without network access. It is an extension
10825 of the @option{--source} option and can accept one of the following
10826 optional argument values:
10830 This value causes the @option{--sources} option to behave in the same way
10831 as the @option{--source} option.
10834 Build the source derivations of all packages, including any source that
10835 might be listed as @code{inputs}. This is the default value.
10838 $ guix build --sources tzdata
10839 The following derivations will be built:
10840 /gnu/store/@dots{}-tzdata2015b.tar.gz.drv
10841 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
10845 Build the source derivations of all packages, as well of all transitive
10846 inputs to the packages. This can be used e.g.@: to
10847 prefetch package source for later offline building.
10850 $ guix build --sources=transitive tzdata
10851 The following derivations will be built:
10852 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
10853 /gnu/store/@dots{}-findutils-4.4.2.tar.xz.drv
10854 /gnu/store/@dots{}-grep-2.21.tar.xz.drv
10855 /gnu/store/@dots{}-coreutils-8.23.tar.xz.drv
10856 /gnu/store/@dots{}-make-4.1.tar.xz.drv
10857 /gnu/store/@dots{}-bash-4.3.tar.xz.drv
10863 @item --system=@var{system}
10864 @itemx -s @var{system}
10865 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
10866 the system type of the build host. The @command{guix build} command allows
10867 you to repeat this option several times, in which case it builds for all the
10868 specified systems; other commands ignore extraneous @option{-s} options.
10871 The @option{--system} flag is for @emph{native} compilation and must not
10872 be confused with cross-compilation. See @option{--target} below for
10873 information on cross-compilation.
10876 An example use of this is on Linux-based systems, which can emulate
10877 different personalities. For instance, passing
10878 @option{--system=i686-linux} on an @code{x86_64-linux} system or
10879 @option{--system=armhf-linux} on an @code{aarch64-linux} system allows
10880 you to build packages in a complete 32-bit environment.
10883 Building for an @code{armhf-linux} system is unconditionally enabled on
10884 @code{aarch64-linux} machines, although certain aarch64 chipsets do not
10885 allow for this functionality, notably the ThunderX.
10888 Similarly, when transparent emulation with QEMU and @code{binfmt_misc}
10889 is enabled (@pxref{Virtualization Services,
10890 @code{qemu-binfmt-service-type}}), you can build for any system for
10891 which a QEMU @code{binfmt_misc} handler is installed.
10893 Builds for a system other than that of the machine you are using can
10894 also be offloaded to a remote machine of the right architecture.
10895 @xref{Daemon Offload Setup}, for more information on offloading.
10897 @item --target=@var{triplet}
10898 @cindex cross-compilation
10899 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
10900 as @code{"aarch64-linux-gnu"} (@pxref{Specifying Target Triplets, GNU
10901 configuration triplets,, autoconf, Autoconf}).
10903 @anchor{build-check}
10905 @cindex determinism, checking
10906 @cindex reproducibility, checking
10907 Rebuild @var{package-or-derivation}, which are already available in the
10908 store, and raise an error if the build results are not bit-for-bit
10911 This mechanism allows you to check whether previously installed
10912 substitutes are genuine (@pxref{Substitutes}), or whether the build result
10913 of a package is deterministic. @xref{Invoking guix challenge}, for more
10914 background information and tools.
10916 When used in conjunction with @option{--keep-failed}, the differing
10917 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
10918 This makes it easy to look for differences between the two results.
10921 @cindex repairing store items
10922 @cindex corruption, recovering from
10923 Attempt to repair the specified store items, if they are corrupt, by
10924 re-downloading or rebuilding them.
10926 This operation is not atomic and thus restricted to @code{root}.
10928 @item --derivations
10930 Return the derivation paths, not the output paths, of the given
10933 @item --root=@var{file}
10934 @itemx -r @var{file}
10935 @cindex GC roots, adding
10936 @cindex garbage collector roots, adding
10937 Make @var{file} a symlink to the result, and register it as a garbage
10940 Consequently, the results of this @command{guix build} invocation are
10941 protected from garbage collection until @var{file} is removed. When
10942 that option is omitted, build results are eligible for garbage
10943 collection as soon as the build completes. @xref{Invoking guix gc}, for
10947 @cindex build logs, access
10948 Return the build log file names or URLs for the given
10949 @var{package-or-derivation}, or raise an error if build logs are
10952 This works regardless of how packages or derivations are specified. For
10953 instance, the following invocations are equivalent:
10956 guix build --log-file $(guix build -d guile)
10957 guix build --log-file $(guix build guile)
10958 guix build --log-file guile
10959 guix build --log-file -e '(@@ (gnu packages guile) guile-2.0)'
10962 If a log is unavailable locally, and unless @option{--no-substitutes} is
10963 passed, the command looks for a corresponding log on one of the
10964 substitute servers (as specified with @option{--substitute-urls}).
10966 So for instance, imagine you want to see the build log of GDB on MIPS,
10967 but you are actually on an @code{x86_64} machine:
10970 $ guix build --log-file gdb -s aarch64-linux
10971 https://@value{SUBSTITUTE-SERVER-1}/log/@dots{}-gdb-7.10
10974 You can freely access a huge library of build logs!
10977 @node Debugging Build Failures
10978 @subsection Debugging Build Failures
10980 @cindex build failures, debugging
10981 When defining a new package (@pxref{Defining Packages}), you will
10982 probably find yourself spending some time debugging and tweaking the
10983 build until it succeeds. To do that, you need to operate the build
10984 commands yourself in an environment as close as possible to the one the
10987 To that end, the first thing to do is to use the @option{--keep-failed}
10988 or @option{-K} option of @command{guix build}, which will keep the
10989 failed build tree in @file{/tmp} or whatever directory you specified as
10990 @env{TMPDIR} (@pxref{Common Build Options, @option{--keep-failed}}).
10992 From there on, you can @command{cd} to the failed build tree and source
10993 the @file{environment-variables} file, which contains all the
10994 environment variable definitions that were in place when the build
10995 failed. So let's say you're debugging a build failure in package
10996 @code{foo}; a typical session would look like this:
10999 $ guix build foo -K
11000 @dots{} @i{build fails}
11001 $ cd /tmp/guix-build-foo.drv-0
11002 $ source ./environment-variables
11006 Now, you can invoke commands as if you were the daemon (almost) and
11007 troubleshoot your build process.
11009 Sometimes it happens that, for example, a package's tests pass when you
11010 run them manually but they fail when the daemon runs them. This can
11011 happen because the daemon runs builds in containers where, unlike in our
11012 environment above, network access is missing, @file{/bin/sh} does not
11013 exist, etc. (@pxref{Build Environment Setup}).
11015 In such cases, you may need to run inspect the build process from within
11016 a container similar to the one the build daemon creates:
11019 $ guix build -K foo
11021 $ cd /tmp/guix-build-foo.drv-0
11022 $ guix environment --no-grafts -C foo --ad-hoc strace gdb
11023 [env]# source ./environment-variables
11027 Here, @command{guix environment -C} creates a container and spawns a new
11028 shell in it (@pxref{Invoking guix environment}). The @command{--ad-hoc
11029 strace gdb} part adds the @command{strace} and @command{gdb} commands to
11030 the container, which you may find handy while debugging. The
11031 @option{--no-grafts} option makes sure we get the exact same
11032 environment, with ungrafted packages (@pxref{Security Updates}, for more
11035 To get closer to a container like that used by the build daemon, we can
11036 remove @file{/bin/sh}:
11042 (Don't worry, this is harmless: this is all happening in the throw-away
11043 container created by @command{guix environment}.)
11045 The @command{strace} command is probably not in the search path, but we
11049 [env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check
11052 In this way, not only you will have reproduced the environment variables
11053 the daemon uses, you will also be running the build process in a container
11054 similar to the one the daemon uses.
11057 @node Invoking guix edit
11058 @section Invoking @command{guix edit}
11060 @cindex @command{guix edit}
11061 @cindex package definition, editing
11062 So many packages, so many source files! The @command{guix edit} command
11063 facilitates the life of users and packagers by pointing their editor at
11064 the source file containing the definition of the specified packages.
11068 guix edit gcc@@4.9 vim
11072 launches the program specified in the @env{VISUAL} or in the
11073 @env{EDITOR} environment variable to view the recipe of GCC@tie{}4.9.3
11076 If you are using a Guix Git checkout (@pxref{Building from Git}), or
11077 have created your own packages on @env{GUIX_PACKAGE_PATH}
11078 (@pxref{Package Modules}), you will be able to edit the package
11079 recipes. In other cases, you will be able to examine the read-only recipes
11080 for packages currently in the store.
11082 Instead of @env{GUIX_PACKAGE_PATH}, the command-line option
11083 @option{--load-path=@var{directory}} (or in short @option{-L
11084 @var{directory}}) allows you to add @var{directory} to the front of the
11085 package module search path and so make your own packages visible.
11087 @node Invoking guix download
11088 @section Invoking @command{guix download}
11090 @cindex @command{guix download}
11091 @cindex downloading package sources
11092 When writing a package definition, developers typically need to download
11093 a source tarball, compute its SHA256 hash, and write that
11094 hash in the package definition (@pxref{Defining Packages}). The
11095 @command{guix download} tool helps with this task: it downloads a file
11096 from the given URI, adds it to the store, and prints both its file name
11097 in the store and its SHA256 hash.
11099 The fact that the downloaded file is added to the store saves bandwidth:
11100 when the developer eventually tries to build the newly defined package
11101 with @command{guix build}, the source tarball will not have to be
11102 downloaded again because it is already in the store. It is also a
11103 convenient way to temporarily stash files, which may be deleted
11104 eventually (@pxref{Invoking guix gc}).
11106 The @command{guix download} command supports the same URIs as used in
11107 package definitions. In particular, it supports @code{mirror://} URIs.
11108 @code{https} URIs (HTTP over TLS) are supported @emph{provided} the
11109 Guile bindings for GnuTLS are available in the user's environment; when
11110 they are not available, an error is raised. @xref{Guile Preparations,
11111 how to install the GnuTLS bindings for Guile,, gnutls-guile,
11112 GnuTLS-Guile}, for more information.
11114 @command{guix download} verifies HTTPS server certificates by loading
11115 the certificates of X.509 authorities from the directory pointed to by
11116 the @env{SSL_CERT_DIR} environment variable (@pxref{X.509
11117 Certificates}), unless @option{--no-check-certificate} is used.
11119 The following options are available:
11122 @item --hash=@var{algorithm}
11123 @itemx -H @var{algorithm}
11124 Compute a hash using the specified @var{algorithm}. @xref{Invoking guix
11125 hash}, for more information.
11127 @item --format=@var{fmt}
11128 @itemx -f @var{fmt}
11129 Write the hash in the format specified by @var{fmt}. For more
11130 information on the valid values for @var{fmt}, @pxref{Invoking guix hash}.
11132 @item --no-check-certificate
11133 Do not validate the X.509 certificates of HTTPS servers.
11135 When using this option, you have @emph{absolutely no guarantee} that you
11136 are communicating with the authentic server responsible for the given
11137 URL, which makes you vulnerable to ``man-in-the-middle'' attacks.
11139 @item --output=@var{file}
11140 @itemx -o @var{file}
11141 Save the downloaded file to @var{file} instead of adding it to the
11145 @node Invoking guix hash
11146 @section Invoking @command{guix hash}
11148 @cindex @command{guix hash}
11149 The @command{guix hash} command computes the hash of a file.
11150 It is primarily a convenience tool for anyone contributing to the
11151 distribution: it computes the cryptographic hash of a file, which can be
11152 used in the definition of a package (@pxref{Defining Packages}).
11154 The general syntax is:
11157 guix hash @var{option} @var{file}
11160 When @var{file} is @code{-} (a hyphen), @command{guix hash} computes the
11161 hash of data read from standard input. @command{guix hash} has the
11166 @item --hash=@var{algorithm}
11167 @itemx -H @var{algorithm}
11168 Compute a hash using the specified @var{algorithm}, @code{sha256} by
11171 @var{algorithm} must the name of a cryptographic hash algorithm
11172 supported by Libgcrypt @i{via} Guile-Gcrypt---e.g., @code{sha512} or
11173 @code{sha3-256} (@pxref{Hash Functions,,, guile-gcrypt, Guile-Gcrypt
11174 Reference Manual}).
11176 @item --format=@var{fmt}
11177 @itemx -f @var{fmt}
11178 Write the hash in the format specified by @var{fmt}.
11180 Supported formats: @code{base64}, @code{nix-base32}, @code{base32}, @code{base16}
11181 (@code{hex} and @code{hexadecimal} can be used as well).
11183 If the @option{--format} option is not specified, @command{guix hash}
11184 will output the hash in @code{nix-base32}. This representation is used
11185 in the definitions of packages.
11189 Compute the hash on @var{file} recursively.
11191 In this case, the hash is computed on an archive containing @var{file},
11192 including its children if it is a directory. Some of the metadata of
11193 @var{file} is part of the archive; for instance, when @var{file} is a
11194 regular file, the hash is different depending on whether @var{file} is
11195 executable or not. Metadata such as time stamps has no impact on the
11196 hash (@pxref{Invoking guix archive}).
11197 @c FIXME: Replace xref above with xref to an ``Archive'' section when
11200 @item --exclude-vcs
11202 When combined with @option{--recursive}, exclude version control system
11203 directories (@file{.bzr}, @file{.git}, @file{.hg}, etc.).
11206 As an example, here is how you would compute the hash of a Git checkout,
11207 which is useful when using the @code{git-fetch} method (@pxref{origin
11211 $ git clone http://example.org/foo.git
11217 @node Invoking guix import
11218 @section Invoking @command{guix import}
11220 @cindex importing packages
11221 @cindex package import
11222 @cindex package conversion
11223 @cindex Invoking @command{guix import}
11224 The @command{guix import} command is useful for people who would like to
11225 add a package to the distribution with as little work as
11226 possible---a legitimate demand. The command knows of a few
11227 repositories from which it can ``import'' package metadata. The result
11228 is a package definition, or a template thereof, in the format we know
11229 (@pxref{Defining Packages}).
11231 The general syntax is:
11234 guix import @var{importer} @var{options}@dots{}
11237 @var{importer} specifies the source from which to import package
11238 metadata, and @var{options} specifies a package identifier and other
11239 options specific to @var{importer}.
11241 Some of the importers rely on the ability to run the @command{gpgv} command.
11242 For these, GnuPG must be installed and in @code{$PATH}; run @code{guix install
11245 Currently, the available ``importers'' are:
11249 Import metadata for the given GNU package. This provides a template
11250 for the latest version of that GNU package, including the hash of its
11251 source tarball, and its canonical synopsis and description.
11253 Additional information such as the package dependencies and its
11254 license needs to be figured out manually.
11256 For example, the following command returns a package definition for
11260 guix import gnu hello
11263 Specific command-line options are:
11266 @item --key-download=@var{policy}
11267 As for @command{guix refresh}, specify the policy to handle missing
11268 OpenPGP keys when verifying the package signature. @xref{Invoking guix
11269 refresh, @option{--key-download}}.
11274 Import metadata from the @uref{https://pypi.python.org/, Python Package
11275 Index}. Information is taken from the JSON-formatted description
11276 available at @code{pypi.python.org} and usually includes all the relevant
11277 information, including package dependencies. For maximum efficiency, it
11278 is recommended to install the @command{unzip} utility, so that the
11279 importer can unzip Python wheels and gather data from them.
11281 The command below imports metadata for the @code{itsdangerous} Python
11285 guix import pypi itsdangerous
11291 Traverse the dependency graph of the given upstream package recursively
11292 and generate package expressions for all those packages that are not yet
11298 Import metadata from @uref{https://rubygems.org/, RubyGems}. Information
11299 is taken from the JSON-formatted description available at
11300 @code{rubygems.org} and includes most relevant information, including
11301 runtime dependencies. There are some caveats, however. The metadata
11302 doesn't distinguish between synopses and descriptions, so the same string
11303 is used for both fields. Additionally, the details of non-Ruby
11304 dependencies required to build native extensions is unavailable and left
11305 as an exercise to the packager.
11307 The command below imports metadata for the @code{rails} Ruby package:
11310 guix import gem rails
11316 Traverse the dependency graph of the given upstream package recursively
11317 and generate package expressions for all those packages that are not yet
11324 Import metadata from @uref{https://content.minetest.net, ContentDB}.
11325 Information is taken from the JSON-formatted metadata provided through
11326 @uref{https://content.minetest.net/help/api/, ContentDB's API} and
11327 includes most relevant information, including dependencies. There are
11328 some caveats, however. The license information is often incomplete.
11329 The commit hash is sometimes missing. The descriptions are in the
11330 Markdown format, but Guix uses Texinfo instead. Texture packs and
11331 subgames are unsupported.
11333 The command below imports metadata for the Mesecons mod by Jeija:
11336 guix import minetest Jeija/mesecons
11339 The author name can also be left out:
11342 guix import minetest mesecons
11348 Traverse the dependency graph of the given upstream package recursively
11349 and generate package expressions for all those packages that are not yet
11355 Import metadata from @uref{https://www.metacpan.org/, MetaCPAN}.
11356 Information is taken from the JSON-formatted metadata provided through
11357 @uref{https://fastapi.metacpan.org/, MetaCPAN's API} and includes most
11358 relevant information, such as module dependencies. License information
11359 should be checked closely. If Perl is available in the store, then the
11360 @code{corelist} utility will be used to filter core modules out of the
11361 list of dependencies.
11363 The command command below imports metadata for the Acme::Boolean Perl
11367 guix import cpan Acme::Boolean
11372 @cindex Bioconductor
11373 Import metadata from @uref{https://cran.r-project.org/, CRAN}, the
11374 central repository for the @uref{https://r-project.org, GNU@tie{}R
11375 statistical and graphical environment}.
11377 Information is extracted from the @file{DESCRIPTION} file of the package.
11379 The command command below imports metadata for the Cairo R package:
11382 guix import cran Cairo
11385 When @option{--recursive} is added, the importer will traverse the
11386 dependency graph of the given upstream package recursively and generate
11387 package expressions for all those packages that are not yet in Guix.
11389 When @option{--style=specification} is added, the importer will generate
11390 package definitions whose inputs are package specifications instead of
11391 references to package variables. This is useful when generated package
11392 definitions are to be appended to existing user modules, as the list of
11393 used package modules need not be changed. The default is
11394 @option{--style=variable}.
11396 When @option{--archive=bioconductor} is added, metadata is imported from
11397 @uref{https://www.bioconductor.org/, Bioconductor}, a repository of R
11398 packages for the analysis and comprehension of high-throughput
11399 genomic data in bioinformatics.
11401 Information is extracted from the @file{DESCRIPTION} file contained in the
11404 The command below imports metadata for the GenomicRanges R package:
11407 guix import cran --archive=bioconductor GenomicRanges
11410 Finally, you can also import R packages that have not yet been published on
11411 CRAN or Bioconductor as long as they are in a git repository. Use
11412 @option{--archive=git} followed by the URL of the git repository:
11415 guix import cran --archive=git https://github.com/immunogenomics/harmony
11421 Import metadata from @uref{https://www.ctan.org/, CTAN}, the
11422 comprehensive TeX archive network for TeX packages that are part of the
11423 @uref{https://www.tug.org/texlive/, TeX Live distribution}.
11425 Information about the package is obtained through the XML API provided
11426 by CTAN, while the source code is downloaded from the SVN repository of
11427 the Tex Live project. This is done because the CTAN does not keep
11428 versioned archives.
11430 The command command below imports metadata for the @code{fontspec}
11434 guix import texlive fontspec
11437 When @option{--archive=@var{directory}} is added, the source code is
11438 downloaded not from the @file{latex} sub-directory of the
11439 @file{texmf-dist/source} tree in the TeX Live SVN repository, but from
11440 the specified sibling @var{directory} under the same root.
11442 The command below imports metadata for the @code{ifxetex} package from
11443 CTAN while fetching the sources from the directory
11444 @file{texmf/source/generic}:
11447 guix import texlive --archive=generic ifxetex
11451 @cindex JSON, import
11452 Import package metadata from a local JSON file. Consider the following
11453 example package definition in JSON format:
11459 "source": "mirror://gnu/hello/hello-2.10.tar.gz",
11460 "build-system": "gnu",
11461 "home-page": "https://www.gnu.org/software/hello/",
11462 "synopsis": "Hello, GNU world: An example GNU package",
11463 "description": "GNU Hello prints a greeting.",
11464 "license": "GPL-3.0+",
11465 "native-inputs": ["gettext"]
11469 The field names are the same as for the @code{<package>} record
11470 (@xref{Defining Packages}). References to other packages are provided
11471 as JSON lists of quoted package specification strings such as
11472 @code{guile} or @code{guile@@2.0}.
11474 The importer also supports a more explicit source definition using the
11475 common fields for @code{<origin>} records:
11481 "method": "url-fetch",
11482 "uri": "mirror://gnu/hello/hello-2.10.tar.gz",
11484 "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"
11491 The command below reads metadata from the JSON file @code{hello.json}
11492 and outputs a package expression:
11495 guix import json hello.json
11500 Import metadata from the Haskell community's central package archive
11501 @uref{https://hackage.haskell.org/, Hackage}. Information is taken from
11502 Cabal files and includes all the relevant information, including package
11505 Specific command-line options are:
11510 Read a Cabal file from standard input.
11511 @item --no-test-dependencies
11513 Do not include dependencies required only by the test suites.
11514 @item --cabal-environment=@var{alist}
11515 @itemx -e @var{alist}
11516 @var{alist} is a Scheme alist defining the environment in which the
11517 Cabal conditionals are evaluated. The accepted keys are: @code{os},
11518 @code{arch}, @code{impl} and a string representing the name of a flag.
11519 The value associated with a flag has to be either the symbol
11520 @code{true} or @code{false}. The value associated with other keys
11521 has to conform to the Cabal file format definition. The default value
11522 associated with the keys @code{os}, @code{arch} and @code{impl} is
11523 @samp{linux}, @samp{x86_64} and @samp{ghc}, respectively.
11526 Traverse the dependency graph of the given upstream package recursively
11527 and generate package expressions for all those packages that are not yet
11531 The command below imports metadata for the latest version of the
11532 HTTP Haskell package without including test dependencies and
11533 specifying the value of the flag @samp{network-uri} as @code{false}:
11536 guix import hackage -t -e "'((\"network-uri\" . false))" HTTP
11539 A specific package version may optionally be specified by following the
11540 package name by an at-sign and a version number as in the following example:
11543 guix import hackage mtl@@2.1.3.1
11548 The @code{stackage} importer is a wrapper around the @code{hackage} one.
11549 It takes a package name, looks up the package version included in a
11550 long-term support (LTS) @uref{https://www.stackage.org, Stackage}
11551 release and uses the @code{hackage} importer to retrieve its metadata.
11552 Note that it is up to you to select an LTS release compatible with the
11553 GHC compiler used by Guix.
11555 Specific command-line options are:
11558 @item --no-test-dependencies
11560 Do not include dependencies required only by the test suites.
11561 @item --lts-version=@var{version}
11562 @itemx -l @var{version}
11563 @var{version} is the desired LTS release version. If omitted the latest
11567 Traverse the dependency graph of the given upstream package recursively
11568 and generate package expressions for all those packages that are not yet
11572 The command below imports metadata for the HTTP Haskell package
11573 included in the LTS Stackage release version 7.18:
11576 guix import stackage --lts-version=7.18 HTTP
11581 Import metadata from an Emacs Lisp Package Archive (ELPA) package
11582 repository (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
11584 Specific command-line options are:
11587 @item --archive=@var{repo}
11588 @itemx -a @var{repo}
11589 @var{repo} identifies the archive repository from which to retrieve the
11590 information. Currently the supported repositories and their identifiers
11594 @uref{https://elpa.gnu.org/packages, GNU}, selected by the @code{gnu}
11595 identifier. This is the default.
11597 Packages from @code{elpa.gnu.org} are signed with one of the keys
11598 contained in the GnuPG keyring at
11599 @file{share/emacs/25.1/etc/package-keyring.gpg} (or similar) in the
11600 @code{emacs} package (@pxref{Package Installation, ELPA package
11601 signatures,, emacs, The GNU Emacs Manual}).
11604 @uref{https://elpa.nongnu.org/nongnu/, NonGNU}, selected by the
11605 @code{nongnu} identifier.
11608 @uref{https://stable.melpa.org/packages, MELPA-Stable}, selected by the
11609 @code{melpa-stable} identifier.
11612 @uref{https://melpa.org/packages, MELPA}, selected by the @code{melpa}
11618 Traverse the dependency graph of the given upstream package recursively
11619 and generate package expressions for all those packages that are not yet
11625 Import metadata from the crates.io Rust package repository
11626 @uref{https://crates.io, crates.io}, as in this example:
11629 guix import crate blake2-rfc
11632 The crate importer also allows you to specify a version string:
11635 guix import crate constant-time-eq@@0.1.0
11638 Additional options include:
11643 Traverse the dependency graph of the given upstream package recursively
11644 and generate package expressions for all those packages that are not yet
11651 Import metadata from the @uref{https://opam.ocaml.org/, OPAM} package
11652 repository used by the OCaml community.
11654 Additional options include:
11659 Traverse the dependency graph of the given upstream package recursively
11660 and generate package expressions for all those packages that are not yet
11663 By default, packages are searched in the official OPAM repository. This
11664 option, which can be used more than once, lets you add other repositories
11665 which will be searched for packages. It accepts as valid arguments:
11668 @item the name of a known repository - can be one of @code{opam},
11669 @code{coq} (equivalent to @code{coq-released}),
11670 @code{coq-core-dev}, @code{coq-extra-dev} or @code{grew}.
11671 @item the URL of a repository as expected by the
11672 @code{opam repository add} command (for instance, the URL equivalent
11673 of the above @code{opam} name would be
11674 @uref{https://opam.ocaml.org}).
11675 @item the path to a local copy of a repository (a directory containing a
11676 @file{packages/} sub-directory).
11679 Repositories are assumed to be passed to this option by order of
11680 preference. The additional repositories will not replace the default
11681 @code{opam} repository, which is always kept as a fallback.
11683 Also, please note that versions are not compared accross repositories.
11684 The first repository (from left to right) that has at least one version
11685 of a given package will prevail over any others, and the version
11686 imported will be the latest one found @emph{in this repository only}.
11692 Import metadata for a Go module using
11693 @uref{https://proxy.golang.org, proxy.golang.org}.
11696 guix import go gopkg.in/yaml.v2
11699 It is possible to use a package specification with a @code{@@VERSION}
11700 suffix to import a specific version.
11702 Additional options include:
11707 Traverse the dependency graph of the given upstream package recursively
11708 and generate package expressions for all those packages that are not yet
11710 @item --pin-versions
11711 When using this option, the importer preserves the exact versions of the
11712 Go modules dependencies instead of using their latest available
11713 versions. This can be useful when attempting to import packages that
11714 recursively depend on former versions of themselves to build. When
11715 using this mode, the symbol of the package is made by appending the
11716 version to its name, so that multiple versions of the same package can
11722 Import metadata for @uref{https://wiki.call-cc.org/eggs, CHICKEN eggs}.
11723 The information is taken from @file{PACKAGE.egg} files found in the
11724 @uref{git://code.call-cc.org/eggs-5-latest, eggs-5-latest} Git
11725 repository. However, it does not provide all the information that we
11726 need, there is no ``description'' field, and the licenses used are not
11727 always precise (BSD is often used instead of BSD-N).
11730 guix import egg sourcehut
11733 Additional options include:
11737 Traverse the dependency graph of the given upstream package recursively
11738 and generate package expressions for all those packages that are not yet
11743 The structure of the @command{guix import} code is modular. It would be
11744 useful to have more importers for other package formats, and your help
11745 is welcome here (@pxref{Contributing}).
11747 @node Invoking guix refresh
11748 @section Invoking @command{guix refresh}
11750 @cindex @command {guix refresh}
11751 The primary audience of the @command{guix refresh} command is packagers.
11752 As a user, you may be interested in the @option{--with-latest} option,
11753 which can bring you package update superpowers built upon @command{guix
11754 refresh} (@pxref{Package Transformation Options,
11755 @option{--with-latest}}). By default, @command{guix refresh} reports
11756 any packages provided by the distribution that are outdated compared to
11757 the latest upstream version, like this:
11761 gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1
11762 gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0
11765 Alternatively, one can specify packages to consider, in which case a
11766 warning is emitted for packages that lack an updater:
11769 $ guix refresh coreutils guile guile-ssh
11770 gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh
11771 gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13
11774 @command{guix refresh} browses the upstream repository of each package and determines
11775 the highest version number of the releases therein. The command
11776 knows how to update specific types of packages: GNU packages, ELPA
11777 packages, etc.---see the documentation for @option{--type} below. There
11778 are many packages, though, for which it lacks a method to determine
11779 whether a new upstream release is available. However, the mechanism is
11780 extensible, so feel free to get in touch with us to add a new method!
11785 Consider the packages specified, and all the packages upon which they depend.
11788 $ guix refresh --recursive coreutils
11789 gnu/packages/acl.scm:40:13: acl would be upgraded from 2.2.53 to 2.3.1
11790 gnu/packages/m4.scm:30:12: 1.4.18 is already the latest version of m4
11791 gnu/packages/xml.scm:68:2: warning: no updater for expat
11792 gnu/packages/multiprecision.scm:40:12: 6.1.2 is already the latest version of gmp
11798 Sometimes the upstream name differs from the package name used in Guix,
11799 and @command{guix refresh} needs a little help. Most updaters honor the
11800 @code{upstream-name} property in package definitions, which can be used
11804 (define-public network-manager
11806 (name "network-manager")
11808 (properties '((upstream-name . "NetworkManager")))))
11811 When passed @option{--update}, it modifies distribution source files to
11812 update the version numbers and source tarball hashes of those package
11813 recipes (@pxref{Defining Packages}). This is achieved by downloading
11814 each package's latest source tarball and its associated OpenPGP
11815 signature, authenticating the downloaded tarball against its signature
11816 using @command{gpgv}, and finally computing its hash---note that GnuPG must be
11817 installed and in @code{$PATH}; run @code{guix install gnupg} if needed.
11820 key used to sign the tarball is missing from the user's keyring, an
11821 attempt is made to automatically retrieve it from a public key server;
11822 when this is successful, the key is added to the user's keyring; otherwise,
11823 @command{guix refresh} reports an error.
11825 The following options are supported:
11829 @item --expression=@var{expr}
11830 @itemx -e @var{expr}
11831 Consider the package @var{expr} evaluates to.
11833 This is useful to precisely refer to a package, as in this example:
11836 guix refresh -l -e '(@@@@ (gnu packages commencement) glibc-final)'
11839 This command lists the dependents of the ``final'' libc (essentially all
11844 Update distribution source files (package recipes) in place. This is
11845 usually run from a checkout of the Guix source tree (@pxref{Running
11846 Guix Before It Is Installed}):
11849 $ ./pre-inst-env guix refresh -s non-core -u
11852 @xref{Defining Packages}, for more information on package definitions.
11854 @item --select=[@var{subset}]
11855 @itemx -s @var{subset}
11856 Select all the packages in @var{subset}, one of @code{core} or
11859 The @code{core} subset refers to all the packages at the core of the
11860 distribution---i.e., packages that are used to build ``everything
11861 else''. This includes GCC, libc, Binutils, Bash, etc. Usually,
11862 changing one of these packages in the distribution entails a rebuild of
11863 all the others. Thus, such updates are an inconvenience to users in
11864 terms of build time or bandwidth used to achieve the upgrade.
11866 The @code{non-core} subset refers to the remaining packages. It is
11867 typically useful in cases where an update of the core packages would be
11870 @item --manifest=@var{file}
11871 @itemx -m @var{file}
11872 Select all the packages from the manifest in @var{file}. This is useful to
11873 check if any packages of the user manifest can be updated.
11875 @item --type=@var{updater}
11876 @itemx -t @var{updater}
11877 Select only packages handled by @var{updater} (may be a comma-separated
11878 list of updaters). Currently, @var{updater} may be one of:
11882 the updater for GNU packages;
11884 the updater for packages hosted at @uref{https://savannah.gnu.org, Savannah};
11886 the updater for packages hosted at @uref{https://sourceforge.net, SourceForge};
11888 the updater for GNOME packages;
11890 the updater for KDE packages;
11892 the updater for X.org packages;
11894 the updater for packages hosted on kernel.org;
11896 the updater for @uref{https://wiki.call-cc.org/eggs/, Egg} packages;
11898 the updater for @uref{https://elpa.gnu.org/, ELPA} packages;
11900 the updater for @uref{https://cran.r-project.org/, CRAN} packages;
11902 the updater for @uref{https://www.bioconductor.org/, Bioconductor} R packages;
11904 the updater for @uref{https://www.cpan.org/, CPAN} packages;
11906 the updater for @uref{https://pypi.python.org, PyPI} packages.
11908 the updater for @uref{https://rubygems.org, RubyGems} packages.
11910 the updater for @uref{https://github.com, GitHub} packages.
11912 the updater for @uref{https://hackage.haskell.org, Hackage} packages.
11914 the updater for @uref{https://www.stackage.org, Stackage} packages.
11916 the updater for @uref{https://crates.io, Crates} packages.
11918 the updater for @uref{https://launchpad.net, Launchpad} packages.
11920 a generic updater that crawls the HTML page where the source tarball of
11921 the package is hosted, when applicable.
11924 For instance, the following command only checks for updates of Emacs
11925 packages hosted at @code{elpa.gnu.org} and for updates of CRAN packages:
11928 $ guix refresh --type=elpa,cran
11929 gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0
11930 gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9
11933 @item --list-updaters
11935 List available updaters and exit (see @option{--type} above).
11937 For each updater, display the fraction of packages it covers; at the
11938 end, display the fraction of packages covered by all these updaters.
11941 In addition, @command{guix refresh} can be passed one or more package
11942 names, as in this example:
11945 $ ./pre-inst-env guix refresh -u emacs idutils gcc@@4.8
11949 The command above specifically updates the @code{emacs} and
11950 @code{idutils} packages. The @option{--select} option would have no
11951 effect in this case. You might also want to update definitions that
11952 correspond to the packages installed in your profile:
11955 $ ./pre-inst-env guix refresh -u \
11956 $(guix package --list-installed | cut -f1)
11959 When considering whether to upgrade a package, it is sometimes
11960 convenient to know which packages would be affected by the upgrade and
11961 should be checked for compatibility. For this the following option may
11962 be used when passing @command{guix refresh} one or more package names:
11966 @item --list-dependent
11968 List top-level dependent packages that would need to be rebuilt as a
11969 result of upgrading one or more packages.
11971 @xref{Invoking guix graph, the @code{reverse-package} type of
11972 @command{guix graph}}, for information on how to visualize the list of
11973 dependents of a package.
11977 Be aware that the @option{--list-dependent} option only
11978 @emph{approximates} the rebuilds that would be required as a result of
11979 an upgrade. More rebuilds might be required under some circumstances.
11982 $ guix refresh --list-dependent flex
11983 Building the following 120 packages would ensure 213 dependent packages are rebuilt:
11984 hop@@2.4.0 emacs-geiser@@0.13 notmuch@@0.18 mu@@0.9.9.5 cflow@@1.4 idutils@@4.6 @dots{}
11987 The command above lists a set of packages that could be built to check
11988 for compatibility with an upgraded @code{flex} package.
11992 @item --list-transitive
11993 List all the packages which one or more packages depend upon.
11996 $ guix refresh --list-transitive flex
11997 flex@@2.6.4 depends on the following 25 packages: perl@@5.28.0 help2man@@1.47.6
11998 bison@@3.0.5 indent@@2.2.10 tar@@1.30 gzip@@1.9 bzip2@@1.0.6 xz@@5.2.4 file@@5.33 @dots{}
12003 The command above lists a set of packages which, when changed, would cause
12004 @code{flex} to be rebuilt.
12006 The following options can be used to customize GnuPG operation:
12010 @item --gpg=@var{command}
12011 Use @var{command} as the GnuPG 2.x command. @var{command} is searched
12012 for in @code{$PATH}.
12014 @item --keyring=@var{file}
12015 Use @var{file} as the keyring for upstream keys. @var{file} must be in the
12016 @dfn{keybox format}. Keybox files usually have a name ending in @file{.kbx}
12017 and the GNU@tie{}Privacy Guard (GPG) can manipulate these files
12018 (@pxref{kbxutil, @command{kbxutil},, gnupg, Using the GNU Privacy Guard}, for
12019 information on a tool to manipulate keybox files).
12021 When this option is omitted, @command{guix refresh} uses
12022 @file{~/.config/guix/upstream/trustedkeys.kbx} as the keyring for upstream
12023 signing keys. OpenPGP signatures are checked against keys from this keyring;
12024 missing keys are downloaded to this keyring as well (see
12025 @option{--key-download} below).
12027 You can export keys from your default GPG keyring into a keybox file using
12028 commands like this one:
12031 gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
12034 Likewise, you can fetch keys to a specific keybox file like this:
12037 gpg --no-default-keyring --keyring mykeyring.kbx \
12038 --recv-keys @value{OPENPGP-SIGNING-KEY-ID}
12041 @xref{GPG Configuration Options, @option{--keyring},, gnupg, Using the GNU
12042 Privacy Guard}, for more information on GPG's @option{--keyring} option.
12044 @item --key-download=@var{policy}
12045 Handle missing OpenPGP keys according to @var{policy}, which may be one
12050 Always download missing OpenPGP keys from the key server, and add them
12051 to the user's GnuPG keyring.
12054 Never try to download missing OpenPGP keys. Instead just bail out.
12057 When a package signed with an unknown OpenPGP key is encountered, ask
12058 the user whether to download it or not. This is the default behavior.
12061 @item --key-server=@var{host}
12062 Use @var{host} as the OpenPGP key server when importing a public key.
12064 @item --load-path=@var{directory}
12065 Add @var{directory} to the front of the package module search path
12066 (@pxref{Package Modules}).
12068 This allows users to define their own packages and make them visible to
12069 the command-line tools.
12073 The @code{github} updater uses the
12074 @uref{https://developer.github.com/v3/, GitHub API} to query for new
12075 releases. When used repeatedly e.g.@: when refreshing all packages,
12076 GitHub will eventually refuse to answer any further API requests. By
12077 default 60 API requests per hour are allowed, and a full refresh on all
12078 GitHub packages in Guix requires more than this. Authentication with
12079 GitHub through the use of an API token alleviates these limits. To use
12080 an API token, set the environment variable @env{GUIX_GITHUB_TOKEN} to a
12081 token procured from @uref{https://github.com/settings/tokens} or
12085 @node Invoking guix lint
12086 @section Invoking @command{guix lint}
12088 @cindex @command{guix lint}
12089 @cindex package, checking for errors
12090 The @command{guix lint} command is meant to help package developers avoid
12091 common errors and use a consistent style. It runs a number of checks on
12092 a given set of packages in order to find common mistakes in their
12093 definitions. Available @dfn{checkers} include (see
12094 @option{--list-checkers} for a complete list):
12099 Validate certain typographical and stylistic rules about package
12100 descriptions and synopses.
12102 @item inputs-should-be-native
12103 Identify inputs that should most likely be native inputs.
12109 @itemx source-file-name
12110 Probe @code{home-page} and @code{source} URLs and report those that are
12111 invalid. Suggest a @code{mirror://} URL when applicable. If the
12112 @code{source} URL redirects to a GitHub URL, recommend usage of the GitHub
12113 URL@. Check that the source file name is meaningful, e.g.@: is not just a
12114 version number or ``git-checkout'', without a declared @code{file-name}
12115 (@pxref{origin Reference}).
12117 @item source-unstable-tarball
12118 Parse the @code{source} URL to determine if a tarball from GitHub is
12119 autogenerated or if it is a release tarball. Unfortunately GitHub's
12120 autogenerated tarballs are sometimes regenerated.
12123 Check that the derivation of the given packages can be successfully
12124 computed for all the supported systems (@pxref{Derivations}).
12126 @item profile-collisions
12127 Check whether installing the given packages in a profile would lead to
12128 collisions. Collisions occur when several packages with the same name
12129 but a different version or a different store file name are propagated.
12130 @xref{package Reference, @code{propagated-inputs}}, for more information
12131 on propagated inputs.
12134 @cindex Software Heritage, source code archive
12135 @cindex archival of source code, Software Heritage
12136 Checks whether the package's source code is archived at
12137 @uref{https://www.softwareheritage.org, Software Heritage}.
12139 When the source code that is not archived comes from a version-control system
12140 (VCS)---e.g., it's obtained with @code{git-fetch}, send Software Heritage a
12141 ``save'' request so that it eventually archives it. This ensures that the
12142 source will remain available in the long term, and that Guix can fall back to
12143 Software Heritage should the source code disappear from its original host.
12144 The status of recent ``save'' requests can be
12145 @uref{https://archive.softwareheritage.org/save/#requests, viewed on-line}.
12147 When source code is a tarball obtained with @code{url-fetch}, simply print a
12148 message when it is not archived. As of this writing, Software Heritage does
12149 not allow requests to save arbitrary tarballs; we are working on ways to
12150 ensure that non-VCS source code is also archived.
12153 @uref{https://archive.softwareheritage.org/api/#rate-limiting, limits the
12154 request rate per IP address}. When the limit is reached, @command{guix lint}
12155 prints a message and the @code{archival} checker stops doing anything until
12156 that limit has been reset.
12159 @cindex security vulnerabilities
12160 @cindex CVE, Common Vulnerabilities and Exposures
12161 Report known vulnerabilities found in the Common Vulnerabilities and
12162 Exposures (CVE) databases of the current and past year
12163 @uref{https://nvd.nist.gov/vuln/data-feeds, published by the US
12166 To view information about a particular vulnerability, visit pages such as:
12170 @indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD}
12172 @indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD}
12176 where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
12177 @code{CVE-2015-7554}.
12179 Package developers can specify in package recipes the
12180 @uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)}
12181 name and version of the package when they differ from the name or version
12182 that Guix uses, as in this example:
12188 ;; CPE calls this package "grub2".
12189 (properties '((cpe-name . "grub2")
12190 (cpe-version . "2.3"))))
12193 @c See <https://www.openwall.com/lists/oss-security/2017/03/15/3>.
12194 Some entries in the CVE database do not specify which version of a
12195 package they apply to, and would thus ``stick around'' forever. Package
12196 developers who found CVE alerts and verified they can be ignored can
12197 declare them as in this example:
12203 ;; These CVEs no longer apply and can be safely ignored.
12204 (properties `((lint-hidden-cve . ("CVE-2011-0433"
12207 "CVE-2011-5244")))))
12211 Warn about obvious source code formatting issues: trailing white space,
12212 use of tabulations, etc.
12215 The general syntax is:
12218 guix lint @var{options} @var{package}@dots{}
12221 If no package is given on the command line, then all packages are checked.
12222 The @var{options} may be zero or more of the following:
12225 @item --list-checkers
12227 List and describe all the available checkers that will be run on packages
12232 Only enable the checkers specified in a comma-separated list using the
12233 names returned by @option{--list-checkers}.
12237 Only disable the checkers specified in a comma-separated list using the
12238 names returned by @option{--list-checkers}.
12242 Only enable the checkers that do not depend on Internet access.
12244 @item --load-path=@var{directory}
12245 @itemx -L @var{directory}
12246 Add @var{directory} to the front of the package module search path
12247 (@pxref{Package Modules}).
12249 This allows users to define their own packages and make them visible to
12250 the command-line tools.
12254 @node Invoking guix size
12255 @section Invoking @command{guix size}
12258 @cindex package size
12260 @cindex @command{guix size}
12261 The @command{guix size} command helps package developers profile the
12262 disk usage of packages. It is easy to overlook the impact of an
12263 additional dependency added to a package, or the impact of using a
12264 single output for a package that could easily be split (@pxref{Packages
12265 with Multiple Outputs}). Such are the typical issues that
12266 @command{guix size} can highlight.
12268 The command can be passed one or more package specifications
12269 such as @code{gcc@@4.8}
12270 or @code{guile:debug}, or a file name in the store. Consider this
12274 $ guix size coreutils
12275 store item total self
12276 /gnu/store/@dots{}-gcc-5.5.0-lib 60.4 30.1 38.1%
12277 /gnu/store/@dots{}-glibc-2.27 30.3 28.8 36.6%
12278 /gnu/store/@dots{}-coreutils-8.28 78.9 15.0 19.0%
12279 /gnu/store/@dots{}-gmp-6.1.2 63.1 2.7 3.4%
12280 /gnu/store/@dots{}-bash-static-4.4.12 1.5 1.5 1.9%
12281 /gnu/store/@dots{}-acl-2.2.52 61.1 0.4 0.5%
12282 /gnu/store/@dots{}-attr-2.4.47 60.6 0.2 0.3%
12283 /gnu/store/@dots{}-libcap-2.25 60.5 0.2 0.2%
12288 The store items listed here constitute the @dfn{transitive closure} of
12289 Coreutils---i.e., Coreutils and all its dependencies, recursively---as
12290 would be returned by:
12293 $ guix gc -R /gnu/store/@dots{}-coreutils-8.23
12296 Here the output shows three columns next to store items. The first column,
12297 labeled ``total'', shows the size in mebibytes (MiB) of the closure of
12298 the store item---that is, its own size plus the size of all its
12299 dependencies. The next column, labeled ``self'', shows the size of the
12300 item itself. The last column shows the ratio of the size of the item
12301 itself to the space occupied by all the items listed here.
12303 In this example, we see that the closure of Coreutils weighs in at
12304 79@tie{}MiB, most of which is taken by libc and GCC's run-time support
12305 libraries. (That libc and GCC's libraries represent a large fraction of
12306 the closure is not a problem @i{per se} because they are always available
12307 on the system anyway.)
12309 Since the command also accepts store file names, assessing the size of
12310 a build result is straightforward:
12313 guix size $(guix system build config.scm)
12316 When the package(s) passed to @command{guix size} are available in the
12317 store@footnote{More precisely, @command{guix size} looks for the
12318 @emph{ungrafted} variant of the given package(s), as returned by
12319 @code{guix build @var{package} --no-grafts}. @xref{Security Updates},
12320 for information on grafts.}, @command{guix size} queries the daemon to determine its
12321 dependencies, and measures its size in the store, similar to @command{du
12322 -ms --apparent-size} (@pxref{du invocation,,, coreutils, GNU
12325 When the given packages are @emph{not} in the store, @command{guix size}
12326 reports information based on the available substitutes
12327 (@pxref{Substitutes}). This makes it possible it to profile disk usage of
12328 store items that are not even on disk, only available remotely.
12330 You can also specify several package names:
12333 $ guix size coreutils grep sed bash
12334 store item total self
12335 /gnu/store/@dots{}-coreutils-8.24 77.8 13.8 13.4%
12336 /gnu/store/@dots{}-grep-2.22 73.1 0.8 0.8%
12337 /gnu/store/@dots{}-bash-4.3.42 72.3 4.7 4.6%
12338 /gnu/store/@dots{}-readline-6.3 67.6 1.2 1.2%
12344 In this example we see that the combination of the four packages takes
12345 102.3@tie{}MiB in total, which is much less than the sum of each closure
12346 since they have a lot of dependencies in common.
12348 When looking at the profile returned by @command{guix size}, you may
12349 find yourself wondering why a given package shows up in the profile at
12350 all. To understand it, you can use @command{guix graph --path -t
12351 references} to display the shortest path between the two packages
12352 (@pxref{Invoking guix graph}).
12354 The available options are:
12358 @item --substitute-urls=@var{urls}
12359 Use substitute information from @var{urls}.
12360 @xref{client-substitute-urls, the same option for @code{guix build}}.
12362 @item --sort=@var{key}
12363 Sort lines according to @var{key}, one of the following options:
12367 the size of each item (the default);
12369 the total size of the item's closure.
12372 @item --map-file=@var{file}
12373 Write a graphical map of disk usage in PNG format to @var{file}.
12375 For the example above, the map looks like this:
12377 @image{images/coreutils-size-map,5in,, map of Coreutils disk usage
12378 produced by @command{guix size}}
12380 This option requires that
12381 @uref{https://wingolog.org/software/guile-charting/, Guile-Charting} be
12382 installed and visible in Guile's module search path. When that is not
12383 the case, @command{guix size} fails as it tries to load it.
12385 @item --system=@var{system}
12386 @itemx -s @var{system}
12387 Consider packages for @var{system}---e.g., @code{x86_64-linux}.
12389 @item --load-path=@var{directory}
12390 @itemx -L @var{directory}
12391 Add @var{directory} to the front of the package module search path
12392 (@pxref{Package Modules}).
12394 This allows users to define their own packages and make them visible to
12395 the command-line tools.
12398 @node Invoking guix graph
12399 @section Invoking @command{guix graph}
12402 @cindex @command{guix graph}
12403 @cindex package dependencies
12404 Packages and their dependencies form a @dfn{graph}, specifically a
12405 directed acyclic graph (DAG). It can quickly become difficult to have a
12406 mental model of the package DAG, so the @command{guix graph} command
12407 provides a visual representation of the DAG@. By default,
12408 @command{guix graph} emits a DAG representation in the input format of
12409 @uref{https://www.graphviz.org/, Graphviz}, so its output can be passed
12410 directly to the @command{dot} command of Graphviz. It can also emit an
12411 HTML page with embedded JavaScript code to display a ``chord diagram''
12412 in a Web browser, using the @uref{https://d3js.org/, d3.js} library, or
12413 emit Cypher queries to construct a graph in a graph database supporting
12414 the @uref{https://www.opencypher.org/, openCypher} query language. With
12415 @option{--path}, it simply displays the shortest path between two
12416 packages. The general syntax is:
12419 guix graph @var{options} @var{package}@dots{}
12422 For example, the following command generates a PDF file representing the
12423 package DAG for the GNU@tie{}Core Utilities, showing its build-time
12427 guix graph coreutils | dot -Tpdf > dag.pdf
12430 The output looks like this:
12432 @image{images/coreutils-graph,2in,,Dependency graph of the GNU Coreutils}
12434 Nice little graph, no?
12436 You may find it more pleasant to navigate the graph interactively with
12437 @command{xdot} (from the @code{xdot} package):
12440 guix graph coreutils | xdot -
12443 But there is more than one graph! The one above is concise: it is the
12444 graph of package objects, omitting implicit inputs such as GCC, libc,
12445 grep, etc. It is often useful to have such a concise graph, but
12446 sometimes one may want to see more details. @command{guix graph} supports
12447 several types of graphs, allowing you to choose the level of detail:
12451 This is the default type used in the example above. It shows the DAG of
12452 package objects, excluding implicit dependencies. It is concise, but
12453 filters out many details.
12455 @item reverse-package
12456 This shows the @emph{reverse} DAG of packages. For example:
12459 guix graph --type=reverse-package ocaml
12462 ...@: yields the graph of packages that @emph{explicitly} depend on OCaml (if
12463 you are also interested in cases where OCaml is an implicit dependency, see
12464 @code{reverse-bag} below).
12466 Note that for core packages this can yield huge graphs. If all you want
12467 is to know the number of packages that depend on a given package, use
12468 @command{guix refresh --list-dependent} (@pxref{Invoking guix refresh,
12469 @option{--list-dependent}}).
12472 This is the package DAG, @emph{including} implicit inputs.
12474 For instance, the following command:
12477 guix graph --type=bag-emerged coreutils
12480 ...@: yields this bigger graph:
12482 @image{images/coreutils-bag-graph,,5in,Detailed dependency graph of the GNU Coreutils}
12484 At the bottom of the graph, we see all the implicit inputs of
12485 @var{gnu-build-system} (@pxref{Build Systems, @code{gnu-build-system}}).
12487 Now, note that the dependencies of these implicit inputs---that is, the
12488 @dfn{bootstrap dependencies} (@pxref{Bootstrapping})---are not shown
12489 here, for conciseness.
12492 Similar to @code{bag-emerged}, but this time including all the bootstrap
12495 @item bag-with-origins
12496 Similar to @code{bag}, but also showing origins and their dependencies.
12499 This shows the @emph{reverse} DAG of packages. Unlike @code{reverse-package},
12500 it also takes implicit dependencies into account. For example:
12503 guix graph -t reverse-bag dune
12507 ...@: yields the graph of all packages that depend on Dune, directly or
12508 indirectly. Since Dune is an @emph{implicit} dependency of many packages
12509 @i{via} @code{dune-build-system}, this shows a large number of packages,
12510 whereas @code{reverse-package} would show very few if any.
12513 This is the most detailed representation: It shows the DAG of
12514 derivations (@pxref{Derivations}) and plain store items. Compared to
12515 the above representation, many additional nodes are visible, including
12516 build scripts, patches, Guile modules, etc.
12518 For this type of graph, it is also possible to pass a @file{.drv} file
12519 name instead of a package name, as in:
12522 guix graph -t derivation $(guix system build -d my-config.scm)
12526 This is the graph of @dfn{package modules} (@pxref{Package Modules}).
12527 For example, the following command shows the graph for the package
12528 module that defines the @code{guile} package:
12531 guix graph -t module guile | xdot -
12535 All the types above correspond to @emph{build-time dependencies}. The
12536 following graph type represents the @emph{run-time dependencies}:
12540 This is the graph of @dfn{references} of a package output, as returned
12541 by @command{guix gc --references} (@pxref{Invoking guix gc}).
12543 If the given package output is not available in the store, @command{guix
12544 graph} attempts to obtain dependency information from substitutes.
12546 Here you can also pass a store file name instead of a package name. For
12547 example, the command below produces the reference graph of your profile
12548 (which can be big!):
12551 guix graph -t references $(readlink -f ~/.guix-profile)
12555 This is the graph of the @dfn{referrers} of a store item, as returned by
12556 @command{guix gc --referrers} (@pxref{Invoking guix gc}).
12558 This relies exclusively on local information from your store. For
12559 instance, let us suppose that the current Inkscape is available in 10
12560 profiles on your machine; @command{guix graph -t referrers inkscape}
12561 will show a graph rooted at Inkscape and with those 10 profiles linked
12564 It can help determine what is preventing a store item from being garbage
12569 @cindex shortest path, between packages
12570 Often, the graph of the package you are interested in does not fit on
12571 your screen, and anyway all you want to know is @emph{why} that package
12572 actually depends on some seemingly unrelated package. The
12573 @option{--path} option instructs @command{guix graph} to display the
12574 shortest path between two packages (or derivations, or store items,
12578 $ guix graph --path emacs libunistring
12581 libunistring@@0.9.10
12582 $ guix graph --path -t derivation emacs libunistring
12583 /gnu/store/@dots{}-emacs-26.3.drv
12584 /gnu/store/@dots{}-mailutils-3.9.drv
12585 /gnu/store/@dots{}-libunistring-0.9.10.drv
12586 $ guix graph --path -t references emacs libunistring
12587 /gnu/store/@dots{}-emacs-26.3
12588 /gnu/store/@dots{}-libidn2-2.2.0
12589 /gnu/store/@dots{}-libunistring-0.9.10
12592 The available options are the following:
12595 @item --type=@var{type}
12596 @itemx -t @var{type}
12597 Produce a graph output of @var{type}, where @var{type} must be one of
12598 the values listed above.
12601 List the supported graph types.
12603 @item --backend=@var{backend}
12604 @itemx -b @var{backend}
12605 Produce a graph using the selected @var{backend}.
12607 @item --list-backends
12608 List the supported graph backends.
12610 Currently, the available backends are Graphviz and d3.js.
12613 Display the shortest path between two nodes of the type specified by
12614 @option{--type}. The example below shows the shortest path between
12615 @code{libreoffice} and @code{llvm} according to the references of
12616 @code{libreoffice}:
12619 $ guix graph --path -t references libreoffice llvm
12620 /gnu/store/@dots{}-libreoffice-6.4.2.2
12621 /gnu/store/@dots{}-libepoxy-1.5.4
12622 /gnu/store/@dots{}-mesa-19.3.4
12623 /gnu/store/@dots{}-llvm-9.0.1
12626 @item --expression=@var{expr}
12627 @itemx -e @var{expr}
12628 Consider the package @var{expr} evaluates to.
12630 This is useful to precisely refer to a package, as in this example:
12633 guix graph -e '(@@@@ (gnu packages commencement) gnu-make-final)'
12636 @item --system=@var{system}
12637 @itemx -s @var{system}
12638 Display the graph for @var{system}---e.g., @code{i686-linux}.
12640 The package dependency graph is largely architecture-independent, but there
12641 are some architecture-dependent bits that this option allows you to visualize.
12643 @item --load-path=@var{directory}
12644 @itemx -L @var{directory}
12645 Add @var{directory} to the front of the package module search path
12646 (@pxref{Package Modules}).
12648 This allows users to define their own packages and make them visible to
12649 the command-line tools.
12652 On top of that, @command{guix graph} supports all the usual package
12653 transformation options (@pxref{Package Transformation Options}). This
12654 makes it easy to view the effect of a graph-rewriting transformation
12655 such as @option{--with-input}. For example, the command below outputs
12656 the graph of @code{git} once @code{openssl} has been replaced by
12657 @code{libressl} everywhere in the graph:
12660 guix graph git --with-input=openssl=libressl
12663 So many possibilities, so much fun!
12665 @node Invoking guix publish
12666 @section Invoking @command{guix publish}
12668 @cindex @command{guix publish}
12669 The purpose of @command{guix publish} is to enable users to easily share
12670 their store with others, who can then use it as a substitute server
12671 (@pxref{Substitutes}).
12673 When @command{guix publish} runs, it spawns an HTTP server which allows
12674 anyone with network access to obtain substitutes from it. This means
12675 that any machine running Guix can also act as if it were a build farm,
12676 since the HTTP interface is compatible with Cuirass, the software behind
12677 the @code{@value{SUBSTITUTE-SERVER-1}} build farm.
12679 For security, each substitute is signed, allowing recipients to check
12680 their authenticity and integrity (@pxref{Substitutes}). Because
12681 @command{guix publish} uses the signing key of the system, which is only
12682 readable by the system administrator, it must be started as root; the
12683 @option{--user} option makes it drop root privileges early on.
12685 The signing key pair must be generated before @command{guix publish} is
12686 launched, using @command{guix archive --generate-key} (@pxref{Invoking
12689 When the @option{--advertise} option is passed, the server advertises
12690 its availability on the local network using multicast DNS (mDNS) and DNS
12691 service discovery (DNS-SD), currently @i{via} Guile-Avahi (@pxref{Top,,,
12692 guile-avahi, Using Avahi in Guile Scheme Programs}).
12694 The general syntax is:
12697 guix publish @var{options}@dots{}
12700 Running @command{guix publish} without any additional arguments will
12701 spawn an HTTP server on port 8080:
12707 Once a publishing server has been authorized, the daemon may download
12708 substitutes from it. @xref{Getting Substitutes from Other Servers}.
12710 By default, @command{guix publish} compresses archives on the fly as it
12711 serves them. This ``on-the-fly'' mode is convenient in that it requires
12712 no setup and is immediately available. However, when serving lots of
12713 clients, we recommend using the @option{--cache} option, which enables
12714 caching of the archives before they are sent to clients---see below for
12715 details. The @command{guix weather} command provides a handy way to
12716 check what a server provides (@pxref{Invoking guix weather}).
12718 As a bonus, @command{guix publish} also serves as a content-addressed
12719 mirror for source files referenced in @code{origin} records
12720 (@pxref{origin Reference}). For instance, assuming @command{guix
12721 publish} is running on @code{example.org}, the following URL returns the
12722 raw @file{hello-2.10.tar.gz} file with the given SHA256 hash
12723 (represented in @code{nix-base32} format, @pxref{Invoking guix hash}):
12726 http://example.org/file/hello-2.10.tar.gz/sha256/0ssi1@dots{}ndq1i
12729 Obviously, these URLs only work for files that are in the store; in
12730 other cases, they return 404 (``Not Found'').
12732 @cindex build logs, publication
12733 Build logs are available from @code{/log} URLs like:
12736 http://example.org/log/gwspk@dots{}-guile-2.2.3
12740 When @command{guix-daemon} is configured to save compressed build logs,
12741 as is the case by default (@pxref{Invoking guix-daemon}), @code{/log}
12742 URLs return the compressed log as-is, with an appropriate
12743 @code{Content-Type} and/or @code{Content-Encoding} header. We recommend
12744 running @command{guix-daemon} with @option{--log-compression=gzip} since
12745 Web browsers can automatically decompress it, which is not the case with
12748 The following options are available:
12751 @item --port=@var{port}
12752 @itemx -p @var{port}
12753 Listen for HTTP requests on @var{port}.
12755 @item --listen=@var{host}
12756 Listen on the network interface for @var{host}. The default is to
12757 accept connections from any interface.
12759 @item --user=@var{user}
12760 @itemx -u @var{user}
12761 Change privileges to @var{user} as soon as possible---i.e., once the
12762 server socket is open and the signing key has been read.
12764 @item --compression[=@var{method}[:@var{level}]]
12765 @itemx -C [@var{method}[:@var{level}]]
12766 Compress data using the given @var{method} and @var{level}. @var{method} is
12767 one of @code{lzip}, @code{zstd}, and @code{gzip}; when @var{method} is
12768 omitted, @code{gzip} is used.
12770 When @var{level} is zero, disable compression. The range 1 to 9 corresponds
12771 to different compression levels: 1 is the fastest, and 9 is the best
12772 (CPU-intensive). The default is 3.
12774 Usually, @code{lzip} compresses noticeably better than @code{gzip} for a
12775 small increase in CPU usage; see
12776 @uref{https://nongnu.org/lzip/lzip_benchmark.html,benchmarks on the lzip
12777 Web page}. However, @code{lzip} achieves low decompression throughput
12778 (on the order of 50@tie{}MiB/s on modern hardware), which can be a
12779 bottleneck for someone who downloads over a fast network connection.
12781 The compression ratio of @code{zstd} is between that of @code{lzip} and
12782 that of @code{gzip}; its main advantage is a
12783 @uref{https://facebook.github.io/zstd/,high decompression speed}.
12785 Unless @option{--cache} is used, compression occurs on the fly and
12786 the compressed streams are not
12787 cached. Thus, to reduce load on the machine that runs @command{guix
12788 publish}, it may be a good idea to choose a low compression level, to
12789 run @command{guix publish} behind a caching proxy, or to use
12790 @option{--cache}. Using @option{--cache} has the advantage that it
12791 allows @command{guix publish} to add @code{Content-Length} HTTP header
12794 This option can be repeated, in which case every substitute gets compressed
12795 using all the selected methods, and all of them are advertised. This is
12796 useful when users may not support all the compression methods: they can select
12797 the one they support.
12799 @item --cache=@var{directory}
12800 @itemx -c @var{directory}
12801 Cache archives and meta-data (@code{.narinfo} URLs) to @var{directory}
12802 and only serve archives that are in cache.
12804 When this option is omitted, archives and meta-data are created
12805 on-the-fly. This can reduce the available bandwidth, especially when
12806 compression is enabled, since this may become CPU-bound. Another
12807 drawback of the default mode is that the length of archives is not known
12808 in advance, so @command{guix publish} does not add a
12809 @code{Content-Length} HTTP header to its responses, which in turn
12810 prevents clients from knowing the amount of data being downloaded.
12812 Conversely, when @option{--cache} is used, the first request for a store
12813 item (@i{via} a @code{.narinfo} URL) triggers a
12814 background process to @dfn{bake} the archive---computing its
12815 @code{.narinfo} and compressing the archive, if needed. Once the
12816 archive is cached in @var{directory}, subsequent requests succeed and
12817 are served directly from the cache, which guarantees that clients get
12818 the best possible bandwidth.
12820 That first @code{.narinfo} request nonetheless returns 200, provided the
12821 requested store item is ``small enough'', below the cache bypass
12822 threshold---see @option{--cache-bypass-threshold} below. That way,
12823 clients do not have to wait until the archive is baked. For larger
12824 store items, the first @code{.narinfo} request returns 404, meaning that
12825 clients have to wait until the archive is baked.
12827 The ``baking'' process is performed by worker threads. By default, one
12828 thread per CPU core is created, but this can be customized. See
12829 @option{--workers} below.
12831 When @option{--ttl} is used, cached entries are automatically deleted
12832 when they have expired.
12834 @item --workers=@var{N}
12835 When @option{--cache} is used, request the allocation of @var{N} worker
12836 threads to ``bake'' archives.
12838 @item --ttl=@var{ttl}
12839 Produce @code{Cache-Control} HTTP headers that advertise a time-to-live
12840 (TTL) of @var{ttl}. @var{ttl} must denote a duration: @code{5d} means 5
12841 days, @code{1m} means 1 month, and so on.
12843 This allows the user's Guix to keep substitute information in cache for
12844 @var{ttl}. However, note that @code{guix publish} does not itself
12845 guarantee that the store items it provides will indeed remain available
12846 for as long as @var{ttl}.
12848 Additionally, when @option{--cache} is used, cached entries that have
12849 not been accessed for @var{ttl} and that no longer have a corresponding
12850 item in the store, may be deleted.
12852 @item --negative-ttl=@var{ttl}
12853 Similarly produce @code{Cache-Control} HTTP headers to advertise the
12854 time-to-live (TTL) of @emph{negative} lookups---missing store items, for
12855 which the HTTP 404 code is returned. By default, no negative TTL is
12858 This parameter can help adjust server load and substitute latency by
12859 instructing cooperating clients to be more or less patient when a store
12862 @item --cache-bypass-threshold=@var{size}
12863 When used in conjunction with @option{--cache}, store items smaller than
12864 @var{size} are immediately available, even when they are not yet in
12865 cache. @var{size} is a size in bytes, or it can be suffixed by @code{M}
12866 for megabytes and so on. The default is @code{10M}.
12868 ``Cache bypass'' allows you to reduce the publication delay for clients
12869 at the expense of possibly additional I/O and CPU use on the server
12870 side: depending on the client access patterns, those store items can end
12871 up being baked several times until a copy is available in cache.
12873 Increasing the threshold may be useful for sites that have few users, or
12874 to guarantee that users get substitutes even for store items that are
12877 @item --nar-path=@var{path}
12878 Use @var{path} as the prefix for the URLs of ``nar'' files
12879 (@pxref{Invoking guix archive, normalized archives}).
12881 By default, nars are served at a URL such as
12882 @code{/nar/gzip/@dots{}-coreutils-8.25}. This option allows you to
12883 change the @code{/nar} part to @var{path}.
12885 @item --public-key=@var{file}
12886 @itemx --private-key=@var{file}
12887 Use the specific @var{file}s as the public/private key pair used to sign
12888 the store items being published.
12890 The files must correspond to the same key pair (the private key is used
12891 for signing and the public key is merely advertised in the signature
12892 metadata). They must contain keys in the canonical s-expression format
12893 as produced by @command{guix archive --generate-key} (@pxref{Invoking
12894 guix archive}). By default, @file{/etc/guix/signing-key.pub} and
12895 @file{/etc/guix/signing-key.sec} are used.
12897 @item --repl[=@var{port}]
12898 @itemx -r [@var{port}]
12899 Spawn a Guile REPL server (@pxref{REPL Servers,,, guile, GNU Guile
12900 Reference Manual}) on @var{port} (37146 by default). This is used
12901 primarily for debugging a running @command{guix publish} server.
12904 Enabling @command{guix publish} on Guix System is a one-liner: just
12905 instantiate a @code{guix-publish-service-type} service in the @code{services} field
12906 of the @code{operating-system} declaration (@pxref{guix-publish-service-type,
12907 @code{guix-publish-service-type}}).
12909 If you are instead running Guix on a ``foreign distro'', follow these
12914 If your host distro uses the systemd init system:
12917 # ln -s ~root/.guix-profile/lib/systemd/system/guix-publish.service \
12918 /etc/systemd/system/
12919 # systemctl start guix-publish && systemctl enable guix-publish
12923 If your host distro uses the Upstart init system:
12926 # ln -s ~root/.guix-profile/lib/upstart/system/guix-publish.conf /etc/init/
12927 # start guix-publish
12931 Otherwise, proceed similarly with your distro's init system.
12934 @node Invoking guix challenge
12935 @section Invoking @command{guix challenge}
12937 @cindex reproducible builds
12938 @cindex verifiable builds
12939 @cindex @command{guix challenge}
12941 Do the binaries provided by this server really correspond to the source
12942 code it claims to build? Is a package build process deterministic?
12943 These are the questions the @command{guix challenge} command attempts to
12946 The former is obviously an important question: Before using a substitute
12947 server (@pxref{Substitutes}), one had better @emph{verify} that it
12948 provides the right binaries, and thus @emph{challenge} it. The latter
12949 is what enables the former: If package builds are deterministic, then
12950 independent builds of the package should yield the exact same result,
12951 bit for bit; if a server provides a binary different from the one
12952 obtained locally, it may be either corrupt or malicious.
12954 We know that the hash that shows up in @file{/gnu/store} file names is
12955 the hash of all the inputs of the process that built the file or
12956 directory---compilers, libraries, build scripts,
12957 etc. (@pxref{Introduction}). Assuming deterministic build processes,
12958 one store file name should map to exactly one build output.
12959 @command{guix challenge} checks whether there is, indeed, a single
12960 mapping by comparing the build outputs of several independent builds of
12961 any given store item.
12963 The command output looks like this:
12966 $ guix challenge --substitute-urls="https://@value{SUBSTITUTE-SERVER-1} https://guix.example.org"
12967 updating list of substitutes from 'https://@value{SUBSTITUTE-SERVER-1}'... 100.0%
12968 updating list of substitutes from 'https://guix.example.org'... 100.0%
12969 /gnu/store/@dots{}-openssl-1.0.2d contents differ:
12970 local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
12971 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
12972 https://guix.example.org/nar/@dots{}-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim
12974 /lib/libcrypto.so.1.1
12977 /gnu/store/@dots{}-git-2.5.0 contents differ:
12978 local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha
12979 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f
12980 https://guix.example.org/nar/@dots{}-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73
12982 /libexec/git-core/git-fsck
12984 /gnu/store/@dots{}-pius-2.1.1 contents differ:
12985 local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
12986 https://@value{SUBSTITUTE-SERVER-1}/nar/@dots{}-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
12987 https://guix.example.org/nar/@dots{}-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs
12989 /share/man/man1/pius.1.gz
12993 6,406 store items were analyzed:
12994 - 4,749 (74.1%) were identical
12995 - 525 (8.2%) differed
12996 - 1,132 (17.7%) were inconclusive
13000 In this example, @command{guix challenge} first scans the store to
13001 determine the set of locally-built derivations---as opposed to store
13002 items that were downloaded from a substitute server---and then queries
13003 all the substitute servers. It then reports those store items for which
13004 the servers obtained a result different from the local build.
13006 @cindex non-determinism, in package builds
13007 As an example, @code{guix.example.org} always gets a different answer.
13008 Conversely, @code{@value{SUBSTITUTE-SERVER-1}} agrees with local builds, except in the
13009 case of Git. This might indicate that the build process of Git is
13010 non-deterministic, meaning that its output varies as a function of
13011 various things that Guix does not fully control, in spite of building
13012 packages in isolated environments (@pxref{Features}). Most common
13013 sources of non-determinism include the addition of timestamps in build
13014 results, the inclusion of random numbers, and directory listings sorted
13015 by inode number. See @uref{https://reproducible-builds.org/docs/}, for
13018 To find out what is wrong with this Git binary, the easiest approach is
13022 guix challenge git \
13023 --diff=diffoscope \
13024 --substitute-urls="https://@value{SUBSTITUTE-SERVER-1} https://guix.example.org"
13027 This automatically invokes @command{diffoscope}, which displays detailed
13028 information about files that differ.
13030 Alternatively, we can do something along these lines (@pxref{Invoking guix
13034 $ wget -q -O - https://@value{SUBSTITUTE-SERVER-1}/nar/lzip/@dots{}-git-2.5.0 \
13035 | lzip -d | guix archive -x /tmp/git
13036 $ diff -ur --no-dereference /gnu/store/@dots{}-git.2.5.0 /tmp/git
13039 This command shows the difference between the files resulting from the
13040 local build, and the files resulting from the build on
13041 @code{@value{SUBSTITUTE-SERVER-1}} (@pxref{Overview, Comparing and Merging Files,,
13042 diffutils, Comparing and Merging Files}). The @command{diff} command
13043 works great for text files. When binary files differ, a better option
13044 is @uref{https://diffoscope.org/, Diffoscope}, a tool that helps
13045 visualize differences for all kinds of files.
13047 Once you have done that work, you can tell whether the differences are due
13048 to a non-deterministic build process or to a malicious server. We try
13049 hard to remove sources of non-determinism in packages to make it easier
13050 to verify substitutes, but of course, this is a process that
13051 involves not just Guix, but a large part of the free software community.
13052 In the meantime, @command{guix challenge} is one tool to help address
13055 If you are writing packages for Guix, you are encouraged to check
13056 whether @code{@value{SUBSTITUTE-SERVER-1}} and other substitute servers obtain the
13057 same build result as you did with:
13060 $ guix challenge @var{package}
13064 where @var{package} is a package specification such as
13065 @code{guile@@2.0} or @code{glibc:debug}.
13067 The general syntax is:
13070 guix challenge @var{options} [@var{packages}@dots{}]
13073 When a difference is found between the hash of a locally-built item and
13074 that of a server-provided substitute, or among substitutes provided by
13075 different servers, the command displays it as in the example above and
13076 its exit code is 2 (other non-zero exit codes denote other kinds of
13079 The one option that matters is:
13083 @item --substitute-urls=@var{urls}
13084 Consider @var{urls} the whitespace-separated list of substitute source
13085 URLs to compare to.
13087 @item --diff=@var{mode}
13088 Upon mismatches, show differences according to @var{mode}, one of:
13091 @item @code{simple} (the default)
13092 Show the list of files that differ.
13094 @item @code{diffoscope}
13095 @itemx @var{command}
13096 Invoke @uref{https://diffoscope.org/, Diffoscope}, passing it
13097 two directories whose contents do not match.
13099 When @var{command} is an absolute file name, run @var{command} instead
13103 Do not show further details about the differences.
13106 Thus, unless @option{--diff=none} is passed, @command{guix challenge}
13107 downloads the store items from the given substitute servers so that it
13112 Show details about matches (identical contents) in addition to
13113 information about mismatches.
13117 @node Invoking guix copy
13118 @section Invoking @command{guix copy}
13120 @cindex copy, of store items, over SSH
13121 @cindex SSH, copy of store items
13122 @cindex sharing store items across machines
13123 @cindex transferring store items across machines
13124 The @command{guix copy} command copies items from the store of one
13125 machine to that of another machine over a secure shell (SSH)
13126 connection@footnote{This command is available only when Guile-SSH was
13127 found. @xref{Requirements}, for details.}. For example, the following
13128 command copies the @code{coreutils} package, the user's profile, and all
13129 their dependencies over to @var{host}, logged in as @var{user}:
13132 guix copy --to=@var{user}@@@var{host} \
13133 coreutils $(readlink -f ~/.guix-profile)
13136 If some of the items to be copied are already present on @var{host},
13137 they are not actually sent.
13139 The command below retrieves @code{libreoffice} and @code{gimp} from
13140 @var{host}, assuming they are available there:
13143 guix copy --from=@var{host} libreoffice gimp
13146 The SSH connection is established using the Guile-SSH client, which is
13147 compatible with OpenSSH: it honors @file{~/.ssh/known_hosts} and
13148 @file{~/.ssh/config}, and uses the SSH agent for authentication.
13150 The key used to sign items that are sent must be accepted by the remote
13151 machine. Likewise, the key used by the remote machine to sign items you
13152 are retrieving must be in @file{/etc/guix/acl} so it is accepted by your
13153 own daemon. @xref{Invoking guix archive}, for more information about
13154 store item authentication.
13156 The general syntax is:
13159 guix copy [--to=@var{spec}|--from=@var{spec}] @var{items}@dots{}
13162 You must always specify one of the following options:
13165 @item --to=@var{spec}
13166 @itemx --from=@var{spec}
13167 Specify the host to send to or receive from. @var{spec} must be an SSH
13168 spec such as @code{example.org}, @code{charlie@@example.org}, or
13169 @code{charlie@@example.org:2222}.
13172 The @var{items} can be either package names, such as @code{gimp}, or
13173 store items, such as @file{/gnu/store/@dots{}-idutils-4.6}.
13175 When specifying the name of a package to send, it is first built if
13176 needed, unless @option{--dry-run} was specified. Common build options
13177 are supported (@pxref{Common Build Options}).
13180 @node Invoking guix container
13181 @section Invoking @command{guix container}
13183 @cindex @command{guix container}
13185 As of version @value{VERSION}, this tool is experimental. The interface
13186 is subject to radical change in the future.
13189 The purpose of @command{guix container} is to manipulate processes
13190 running within an isolated environment, commonly known as a
13191 ``container'', typically created by the @command{guix environment}
13192 (@pxref{Invoking guix environment}) and @command{guix system container}
13193 (@pxref{Invoking guix system}) commands.
13195 The general syntax is:
13198 guix container @var{action} @var{options}@dots{}
13201 @var{action} specifies the operation to perform with a container, and
13202 @var{options} specifies the context-specific arguments for the action.
13204 The following actions are available:
13208 Execute a command within the context of a running container.
13213 guix container exec @var{pid} @var{program} @var{arguments}@dots{}
13216 @var{pid} specifies the process ID of the running container.
13217 @var{program} specifies an executable file name within the root file
13218 system of the container. @var{arguments} are the additional options that
13219 will be passed to @var{program}.
13221 The following command launches an interactive login shell inside a
13222 Guix system container, started by @command{guix system container}, and whose
13223 process ID is 9001:
13226 guix container exec 9001 /run/current-system/profile/bin/bash --login
13229 Note that the @var{pid} cannot be the parent process of a container. It
13230 must be PID 1 of the container or one of its child processes.
13234 @node Invoking guix weather
13235 @section Invoking @command{guix weather}
13237 Occasionally you're grumpy because substitutes are lacking and you end
13238 up building packages by yourself (@pxref{Substitutes}). The
13239 @command{guix weather} command reports on substitute availability on the
13240 specified servers so you can have an idea of whether you'll be grumpy
13241 today. It can sometimes be useful info as a user, but it is primarily
13242 useful to people running @command{guix publish} (@pxref{Invoking guix
13245 @cindex statistics, for substitutes
13246 @cindex availability of substitutes
13247 @cindex substitute availability
13248 @cindex weather, substitute availability
13249 Here's a sample run:
13252 $ guix weather --substitute-urls=https://guix.example.org
13253 computing 5,872 package derivations for x86_64-linux...
13254 looking for 6,128 store items on https://guix.example.org..
13255 updating list of substitutes from 'https://guix.example.org'... 100.0%
13256 https://guix.example.org
13257 43.4% substitutes available (2,658 out of 6,128)
13258 7,032.5 MiB of nars (compressed)
13259 19,824.2 MiB on disk (uncompressed)
13260 0.030 seconds per request (182.9 seconds in total)
13261 33.5 requests per second
13263 9.8% (342 out of 3,470) of the missing items are queued
13265 x86_64-linux: 518 (59.7%)
13266 i686-linux: 221 (25.5%)
13267 aarch64-linux: 128 (14.8%)
13268 build rate: 23.41 builds per hour
13269 x86_64-linux: 11.16 builds per hour
13270 i686-linux: 6.03 builds per hour
13271 aarch64-linux: 6.41 builds per hour
13274 @cindex continuous integration, statistics
13275 As you can see, it reports the fraction of all the packages for which
13276 substitutes are available on the server---regardless of whether
13277 substitutes are enabled, and regardless of whether this server's signing
13278 key is authorized. It also reports the size of the compressed archives
13279 (``nars'') provided by the server, the size the corresponding store
13280 items occupy in the store (assuming deduplication is turned off), and
13281 the server's throughput. The second part gives continuous integration
13282 (CI) statistics, if the server supports it. In addition, using the
13283 @option{--coverage} option, @command{guix weather} can list ``important''
13284 package substitutes missing on the server (see below).
13286 To achieve that, @command{guix weather} queries over HTTP(S) meta-data
13287 (@dfn{narinfos}) for all the relevant store items. Like @command{guix
13288 challenge}, it ignores signatures on those substitutes, which is
13289 innocuous since the command only gathers statistics and cannot install
13292 The general syntax is:
13295 guix weather @var{options}@dots{} [@var{packages}@dots{}]
13298 When @var{packages} is omitted, @command{guix weather} checks the availability
13299 of substitutes for @emph{all} the packages, or for those specified with
13300 @option{--manifest}; otherwise it only considers the specified packages. It
13301 is also possible to query specific system types with @option{--system}.
13302 @command{guix weather} exits with a non-zero code when the fraction of
13303 available substitutes is below 100%.
13305 The available options are listed below.
13308 @item --substitute-urls=@var{urls}
13309 @var{urls} is the space-separated list of substitute server URLs to
13310 query. When this option is omitted, the default set of substitute
13311 servers is queried.
13313 @item --system=@var{system}
13314 @itemx -s @var{system}
13315 Query substitutes for @var{system}---e.g., @code{aarch64-linux}. This
13316 option can be repeated, in which case @command{guix weather} will query
13317 substitutes for several system types.
13319 @item --manifest=@var{file}
13320 Instead of querying substitutes for all the packages, only ask for those
13321 specified in @var{file}. @var{file} must contain a @dfn{manifest}, as
13322 with the @code{-m} option of @command{guix package} (@pxref{Invoking
13325 This option can be repeated several times, in which case the manifests
13328 @item --coverage[=@var{count}]
13329 @itemx -c [@var{count}]
13330 Report on substitute coverage for packages: list packages with at least
13331 @var{count} dependents (zero by default) for which substitutes are
13332 unavailable. Dependent packages themselves are not listed: if @var{b} depends
13333 on @var{a} and @var{a} has no substitutes, only @var{a} is listed, even though
13334 @var{b} usually lacks substitutes as well. The result looks like this:
13337 $ guix weather --substitute-urls=@value{SUBSTITUTE-URLS} -c 10
13338 computing 8,983 package derivations for x86_64-linux...
13339 looking for 9,343 store items on @value{SUBSTITUTE-URLS}...
13340 updating substitutes from '@value{SUBSTITUTE-URLS}'... 100.0%
13341 @value{SUBSTITUTE-URLS}
13342 64.7% substitutes available (6,047 out of 9,343)
13344 2502 packages are missing from '@value{SUBSTITUTE-URLS}' for 'x86_64-linux', among which:
13345 58 kcoreaddons@@5.49.0 /gnu/store/@dots{}-kcoreaddons-5.49.0
13346 46 qgpgme@@1.11.1 /gnu/store/@dots{}-qgpgme-1.11.1
13347 37 perl-http-cookiejar@@0.008 /gnu/store/@dots{}-perl-http-cookiejar-0.008
13351 What this example shows is that @code{kcoreaddons} and presumably the 58
13352 packages that depend on it have no substitutes at
13353 @code{@value{SUBSTITUTE-SERVER-1}}; likewise for @code{qgpgme} and the 46
13354 packages that depend on it.
13356 If you are a Guix developer, or if you are taking care of this build farm,
13357 you'll probably want to have a closer look at these packages: they may simply
13360 @item --display-missing
13361 Display the list of store items for which substitutes are missing.
13364 @node Invoking guix processes
13365 @section Invoking @command{guix processes}
13367 The @command{guix processes} command can be useful to developers and system
13368 administrators, especially on multi-user machines and on build farms: it lists
13369 the current sessions (connections to the daemon), as well as information about
13370 the processes involved@footnote{Remote sessions, when @command{guix-daemon} is
13371 started with @option{--listen} specifying a TCP endpoint, are @emph{not}
13372 listed.}. Here's an example of the information it returns:
13375 $ sudo guix processes
13378 ClientCommand: guix environment --ad-hoc python
13382 ClientCommand: guix publish -u guix-publish -p 3000 -C 9 @dots{}
13386 ClientCommand: cuirass --cache-directory /var/cache/cuirass @dots{}
13387 LockHeld: /gnu/store/@dots{}-perl-ipc-cmd-0.96.lock
13388 LockHeld: /gnu/store/@dots{}-python-six-bootstrap-1.11.0.lock
13389 LockHeld: /gnu/store/@dots{}-libjpeg-turbo-2.0.0.lock
13391 ChildCommand: guix offload x86_64-linux 7200 1 28800
13393 ChildCommand: guix offload x86_64-linux 7200 1 28800
13395 ChildCommand: guix offload x86_64-linux 7200 1 28800
13398 In this example we see that @command{guix-daemon} has three clients:
13399 @command{guix environment}, @command{guix publish}, and the Cuirass continuous
13400 integration tool; their process identifier (PID) is given by the
13401 @code{ClientPID} field. The @code{SessionPID} field gives the PID of the
13402 @command{guix-daemon} sub-process of this particular session.
13404 The @code{LockHeld} fields show which store items are currently locked
13405 by this session, which corresponds to store items being built or
13406 substituted (the @code{LockHeld} field is not displayed when
13407 @command{guix processes} is not running as root). Last, by looking at
13408 the @code{ChildPID} and @code{ChildCommand} fields, we understand that
13409 these three builds are being offloaded (@pxref{Daemon Offload Setup}).
13411 The output is in Recutils format so we can use the handy @command{recsel}
13412 command to select sessions of interest (@pxref{Selection Expressions,,,
13413 recutils, GNU recutils manual}). As an example, the command shows the command
13414 line and PID of the client that triggered the build of a Perl package:
13417 $ sudo guix processes | \
13418 recsel -p ClientPID,ClientCommand -e 'LockHeld ~ "perl"'
13420 ClientCommand: cuirass --cache-directory /var/cache/cuirass @dots{}
13423 Additional options are listed below.
13426 @item --format=@var{format}
13427 @itemx -f @var{format}
13428 Produce output in the specified @var{format}, one of:
13432 The default option. It outputs a set of Session recutils records
13433 that include each @code{ChildProcess} as a field.
13436 Normalize the output records into record sets (@pxref{Record Sets,,,
13437 recutils, GNU recutils manual}). Normalizing into record sets allows
13438 joins across record types. The example below lists the PID of each
13439 @code{ChildProcess} and the associated PID for @code{Session} that
13440 spawned the @code{ChildProcess} where the @code{Session} was started
13441 using @command{guix build}.
13444 $ guix processes --format=normalized | \
13448 -p Session.PID,PID \
13449 -e 'Session.ClientCommand ~ "guix build"'
13462 @node System Configuration
13463 @chapter System Configuration
13465 @cindex system configuration
13466 Guix System supports a consistent whole-system configuration
13467 mechanism. By that we mean that all aspects of the global system
13468 configuration---such as the available system services, timezone and
13469 locale settings, user accounts---are declared in a single place. Such
13470 a @dfn{system configuration} can be @dfn{instantiated}---i.e., effected.
13472 One of the advantages of putting all the system configuration under the
13473 control of Guix is that it supports transactional system upgrades, and
13474 makes it possible to roll back to a previous system instantiation,
13475 should something go wrong with the new one (@pxref{Features}). Another
13476 advantage is that it makes it easy to replicate the exact same configuration
13477 across different machines, or at different points in time, without
13478 having to resort to additional administration tools layered on top of
13479 the own tools of the system.
13480 @c Yes, we're talking of Puppet, Chef, & co. here. ↑
13482 This section describes this mechanism. First we focus on the system
13483 administrator's viewpoint---explaining how the system is configured and
13484 instantiated. Then we show how this mechanism can be extended, for
13485 instance to support new system services.
13488 * Using the Configuration System:: Customizing your GNU system.
13489 * operating-system Reference:: Detail of operating-system declarations.
13490 * File Systems:: Configuring file system mounts.
13491 * Mapped Devices:: Block device extra processing.
13492 * User Accounts:: Specifying user accounts.
13493 * Keyboard Layout:: How the system interprets key strokes.
13494 * Locales:: Language and cultural convention settings.
13495 * Services:: Specifying system services.
13496 * Setuid Programs:: Programs running with root privileges.
13497 * X.509 Certificates:: Authenticating HTTPS servers.
13498 * Name Service Switch:: Configuring libc's name service switch.
13499 * Initial RAM Disk:: Linux-Libre bootstrapping.
13500 * Bootloader Configuration:: Configuring the boot loader.
13501 * Invoking guix system:: Instantiating a system configuration.
13502 * Invoking guix deploy:: Deploying a system configuration to a remote host.
13503 * Running Guix in a VM:: How to run Guix System in a virtual machine.
13504 * Defining Services:: Adding new service definitions.
13507 @node Using the Configuration System
13508 @section Using the Configuration System
13510 The operating system is configured by providing an
13511 @code{operating-system} declaration in a file that can then be passed to
13512 the @command{guix system} command (@pxref{Invoking guix system}). A
13513 simple setup, with the default system services, the default Linux-Libre
13514 kernel, initial RAM disk, and boot loader looks like this:
13516 @findex operating-system
13518 @include os-config-bare-bones.texi
13521 This example should be self-describing. Some of the fields defined
13522 above, such as @code{host-name} and @code{bootloader}, are mandatory.
13523 Others, such as @code{packages} and @code{services}, can be omitted, in
13524 which case they get a default value.
13526 Below we discuss the effect of some of the most important fields
13527 (@pxref{operating-system Reference}, for details about all the available
13528 fields), and how to @dfn{instantiate} the operating system using
13529 @command{guix system}.
13531 @unnumberedsubsec Bootloader
13533 @cindex legacy boot, on Intel machines
13534 @cindex BIOS boot, on Intel machines
13537 The @code{bootloader} field describes the method that will be used to boot
13538 your system. Machines based on Intel processors can boot in ``legacy'' BIOS
13539 mode, as in the example above. However, more recent machines rely instead on
13540 the @dfn{Unified Extensible Firmware Interface} (UEFI) to boot. In that case,
13541 the @code{bootloader} field should contain something along these lines:
13544 (bootloader-configuration
13545 (bootloader grub-efi-bootloader)
13546 (targets '("/boot/efi")))
13549 @xref{Bootloader Configuration}, for more information on the available
13550 configuration options.
13552 @unnumberedsubsec Globally-Visible Packages
13554 @vindex %base-packages
13555 The @code{packages} field lists packages that will be globally visible
13556 on the system, for all user accounts---i.e., in every user's @env{PATH}
13557 environment variable---in addition to the per-user profiles
13558 (@pxref{Invoking guix package}). The @code{%base-packages} variable
13559 provides all the tools one would expect for basic user and administrator
13560 tasks---including the GNU Core Utilities, the GNU Networking Utilities,
13561 the @command{mg} lightweight text editor, @command{find}, @command{grep},
13562 etc. The example above adds GNU@tie{}Screen to those,
13563 taken from the @code{(gnu packages screen)}
13564 module (@pxref{Package Modules}). The
13565 @code{(list package output)} syntax can be used to add a specific output
13569 (use-modules (gnu packages))
13570 (use-modules (gnu packages dns))
13574 (packages (cons (list isc-bind "utils")
13578 @findex specification->package
13579 Referring to packages by variable name, like @code{isc-bind} above, has
13580 the advantage of being unambiguous; it also allows typos and such to be
13581 diagnosed right away as ``unbound variables''. The downside is that one
13582 needs to know which module defines which package, and to augment the
13583 @code{use-package-modules} line accordingly. To avoid that, one can use
13584 the @code{specification->package} procedure of the @code{(gnu packages)}
13585 module, which returns the best package for a given name or name and
13589 (use-modules (gnu packages))
13593 (packages (append (map specification->package
13594 '("tcpdump" "htop" "gnupg@@2.0"))
13598 @unnumberedsubsec System Services
13601 @vindex %base-services
13602 The @code{services} field lists @dfn{system services} to be made
13603 available when the system starts (@pxref{Services}).
13604 The @code{operating-system} declaration above specifies that, in
13605 addition to the basic services, we want the OpenSSH secure shell
13606 daemon listening on port 2222 (@pxref{Networking Services,
13607 @code{openssh-service-type}}). Under the hood,
13608 @code{openssh-service-type} arranges so that @command{sshd} is started with the
13609 right command-line options, possibly with supporting configuration files
13610 generated as needed (@pxref{Defining Services}).
13612 @cindex customization, of services
13613 @findex modify-services
13614 Occasionally, instead of using the base services as is, you will want to
13615 customize them. To do this, use @code{modify-services} (@pxref{Service
13616 Reference, @code{modify-services}}) to modify the list.
13618 @anchor{auto-login to TTY} For example, suppose you want to modify
13619 @code{guix-daemon} and Mingetty (the console log-in) in the
13620 @code{%base-services} list (@pxref{Base Services,
13621 @code{%base-services}}). To do that, you can write the following in
13622 your operating system declaration:
13625 (define %my-services
13626 ;; My very own list of services.
13627 (modify-services %base-services
13628 (guix-service-type config =>
13629 (guix-configuration
13631 ;; Fetch substitutes from example.org.
13633 (list "https://example.org/guix"
13634 "https://ci.guix.gnu.org"))))
13635 (mingetty-service-type config =>
13636 (mingetty-configuration
13638 ;; Automatially log in as "guest".
13639 (auto-login "guest")))))
13643 (services %my-services))
13646 This changes the configuration---i.e., the service parameters---of the
13647 @code{guix-service-type} instance, and that of all the
13648 @code{mingetty-service-type} instances in the @code{%base-services} list
13649 (@pxref{Auto-Login to a Specific TTY, see the cookbook for how to
13650 auto-login one user to a specific TTY,, guix-cookbook, GNU Guix Cookbook})).
13651 Observe how this is accomplished: first, we arrange for the original
13652 configuration to be bound to the identifier @code{config} in the
13653 @var{body}, and then we write the @var{body} so that it evaluates to the
13654 desired configuration. In particular, notice how we use @code{inherit}
13655 to create a new configuration which has the same values as the old
13656 configuration, but with a few modifications.
13658 @cindex encrypted disk
13659 The configuration for a typical ``desktop'' usage, with an encrypted
13660 root partition, the X11 display
13661 server, GNOME and Xfce (users can choose which of these desktop
13662 environments to use at the log-in screen by pressing @kbd{F1}), network
13663 management, power management, and more, would look like this:
13666 @include os-config-desktop.texi
13669 A graphical system with a choice of lightweight window managers
13670 instead of full-blown desktop environments would look like this:
13673 @include os-config-lightweight-desktop.texi
13676 This example refers to the @file{/boot/efi} file system by its UUID,
13677 @code{1234-ABCD}. Replace this UUID with the right UUID on your system,
13678 as returned by the @command{blkid} command.
13680 @xref{Desktop Services}, for the exact list of services provided by
13681 @code{%desktop-services}. @xref{X.509 Certificates}, for background
13682 information about the @code{nss-certs} package that is used here.
13684 Again, @code{%desktop-services} is just a list of service objects. If
13685 you want to remove services from there, you can do so using the
13686 procedures for list filtering (@pxref{SRFI-1 Filtering and
13687 Partitioning,,, guile, GNU Guile Reference Manual}). For instance, the
13688 following expression returns a list that contains all the services in
13689 @code{%desktop-services} minus the Avahi service:
13692 (remove (lambda (service)
13693 (eq? (service-kind service) avahi-service-type))
13697 Alternatively, the @code{modify-services} macro can be used:
13700 (modify-services %desktop-services
13701 (delete avahi-service-type))
13705 @unnumberedsubsec Instantiating the System
13707 Assuming the @code{operating-system} declaration
13708 is stored in the @file{my-system-config.scm}
13709 file, the @command{guix system reconfigure my-system-config.scm} command
13710 instantiates that configuration, and makes it the default GRUB boot
13711 entry (@pxref{Invoking guix system}).
13713 The normal way to change the system configuration is by updating this
13714 file and re-running @command{guix system reconfigure}. One should never
13715 have to touch files in @file{/etc} or to run commands that modify the
13716 system state such as @command{useradd} or @command{grub-install}. In
13717 fact, you must avoid that since that would not only void your warranty
13718 but also prevent you from rolling back to previous versions of your
13719 system, should you ever need to.
13721 @cindex roll-back, of the operating system
13722 Speaking of roll-back, each time you run @command{guix system
13723 reconfigure}, a new @dfn{generation} of the system is created---without
13724 modifying or deleting previous generations. Old system generations get
13725 an entry in the bootloader boot menu, allowing you to boot them in case
13726 something went wrong with the latest generation. Reassuring, no? The
13727 @command{guix system list-generations} command lists the system
13728 generations available on disk. It is also possible to roll back the
13729 system via the commands @command{guix system roll-back} and
13730 @command{guix system switch-generation}.
13732 Although the @command{guix system reconfigure} command will not modify
13733 previous generations, you must take care when the current generation is not
13734 the latest (e.g., after invoking @command{guix system roll-back}), since
13735 the operation might overwrite a later generation (@pxref{Invoking guix
13738 @unnumberedsubsec The Programming Interface
13740 At the Scheme level, the bulk of an @code{operating-system} declaration
13741 is instantiated with the following monadic procedure (@pxref{The Store
13744 @deffn {Monadic Procedure} operating-system-derivation os
13745 Return a derivation that builds @var{os}, an @code{operating-system}
13746 object (@pxref{Derivations}).
13748 The output of the derivation is a single directory that refers to all
13749 the packages, configuration files, and other supporting files needed to
13750 instantiate @var{os}.
13753 This procedure is provided by the @code{(gnu system)} module. Along
13754 with @code{(gnu services)} (@pxref{Services}), this module contains the
13755 guts of Guix System. Make sure to visit it!
13758 @node operating-system Reference
13759 @section @code{operating-system} Reference
13761 This section summarizes all the options available in
13762 @code{operating-system} declarations (@pxref{Using the Configuration
13765 @deftp {Data Type} operating-system
13766 This is the data type representing an operating system configuration.
13767 By that, we mean all the global system configuration, not per-user
13768 configuration (@pxref{Using the Configuration System}).
13771 @item @code{kernel} (default: @code{linux-libre})
13772 The package object of the operating system kernel to
13773 use@footnote{Currently only the Linux-libre kernel is fully supported.
13774 Using GNU@tie{}mach with the GNU@tie{}Hurd is experimental and only
13775 available when building a virtual machine disk image.}.
13778 @item @code{hurd} (default: @code{#f})
13779 The package object of the Hurd to be started by the kernel. When this
13780 field is set, produce a GNU/Hurd operating system. In that case,
13781 @code{kernel} must also be set to the @code{gnumach} package---the
13782 microkernel the Hurd runs on.
13785 This feature is experimental and only supported for disk images.
13788 @item @code{kernel-loadable-modules} (default: '())
13789 A list of objects (usually packages) to collect loadable kernel modules
13790 from--e.g. @code{(list ddcci-driver-linux)}.
13792 @item @code{kernel-arguments} (default: @code{%default-kernel-arguments})
13793 List of strings or gexps representing additional arguments to pass on
13794 the command-line of the kernel---e.g., @code{("console=ttyS0")}.
13796 @item @code{bootloader}
13797 The system bootloader configuration object. @xref{Bootloader Configuration}.
13800 This is the label (a string) as it appears in the bootloader's menu entry.
13801 The default label includes the kernel name and version.
13803 @item @code{keyboard-layout} (default: @code{#f})
13804 This field specifies the keyboard layout to use in the console. It can be
13805 either @code{#f}, in which case the default keyboard layout is used (usually
13806 US English), or a @code{<keyboard-layout>} record. @xref{Keyboard Layout},
13807 for more information.
13809 This keyboard layout is in effect as soon as the kernel has booted. For
13810 instance, it is the keyboard layout in effect when you type a passphrase if
13811 your root file system is on a @code{luks-device-mapping} mapped device
13812 (@pxref{Mapped Devices}).
13815 This does @emph{not} specify the keyboard layout used by the bootloader, nor
13816 that used by the graphical display server. @xref{Bootloader Configuration},
13817 for information on how to specify the bootloader's keyboard layout. @xref{X
13818 Window}, for information on how to specify the keyboard layout used by the X
13822 @item @code{initrd-modules} (default: @code{%base-initrd-modules})
13824 @cindex initial RAM disk
13825 The list of Linux kernel modules that need to be available in the
13826 initial RAM disk. @xref{Initial RAM Disk}.
13828 @item @code{initrd} (default: @code{base-initrd})
13829 A procedure that returns an initial RAM disk for the Linux
13830 kernel. This field is provided to support low-level customization and
13831 should rarely be needed for casual use. @xref{Initial RAM Disk}.
13833 @item @code{firmware} (default: @code{%base-firmware})
13835 List of firmware packages loadable by the operating system kernel.
13837 The default includes firmware needed for Atheros- and Broadcom-based
13838 WiFi devices (Linux-libre modules @code{ath9k} and @code{b43-open},
13839 respectively). @xref{Hardware Considerations}, for more info on
13840 supported hardware.
13842 @item @code{host-name}
13845 @item @code{hosts-file}
13847 A file-like object (@pxref{G-Expressions, file-like objects}) for use as
13848 @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library
13849 Reference Manual}). The default is a file with entries for
13850 @code{localhost} and @var{host-name}.
13852 @item @code{mapped-devices} (default: @code{'()})
13853 A list of mapped devices. @xref{Mapped Devices}.
13855 @item @code{file-systems}
13856 A list of file systems. @xref{File Systems}.
13858 @cindex swap devices
13860 @item @code{swap-devices} (default: @code{'()})
13861 A list of UUIDs, file system labels, or strings identifying devices or
13862 files to be used for ``swap
13863 space'' (@pxref{Memory Concepts,,, libc, The GNU C Library Reference
13864 Manual}). Here are some examples:
13867 @item (list (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb"))
13868 Use the swap partition with the given UUID@. You can learn the UUID of a
13869 Linux swap partition by running @command{swaplabel @var{device}}, where
13870 @var{device} is the @file{/dev} file name of that partition.
13872 @item (list (file-system-label "swap"))
13873 Use the partition with label @code{swap}. Again, the
13874 @command{swaplabel} command allows you to view and change the label of a
13875 Linux swap partition.
13877 @item (list "/swapfile")
13878 Use the file @file{/swapfile} as swap space.
13880 @item (list "/dev/sda3" "/dev/sdb2")
13881 Use the @file{/dev/sda3} and @file{/dev/sdb2} partitions as swap space.
13882 We recommend referring to swap devices by UUIDs or labels as shown above
13886 It is possible to specify a swap file in a file system on a mapped
13887 device (under @file{/dev/mapper}), provided that the necessary device
13888 mapping and file system are also specified. @xref{Mapped Devices} and
13889 @ref{File Systems}.
13891 @item @code{users} (default: @code{%base-user-accounts})
13892 @itemx @code{groups} (default: @code{%base-groups})
13893 List of user accounts and groups. @xref{User Accounts}.
13895 If the @code{users} list lacks a user account with UID@tie{}0, a
13896 ``root'' account with UID@tie{}0 is automatically added.
13898 @item @code{skeletons} (default: @code{(default-skeletons)})
13899 A list of target file name/file-like object tuples (@pxref{G-Expressions,
13900 file-like objects}). These are the skeleton files that will be added to
13901 the home directory of newly-created user accounts.
13903 For instance, a valid value may look like this:
13906 `((".bashrc" ,(plain-file "bashrc" "echo Hello\n"))
13907 (".guile" ,(plain-file "guile"
13908 "(use-modules (ice-9 readline))
13909 (activate-readline)")))
13912 @item @code{issue} (default: @code{%default-issue})
13913 A string denoting the contents of the @file{/etc/issue} file, which is
13914 displayed when users log in on a text console.
13916 @item @code{packages} (default: @code{%base-packages})
13917 A list of packages to be installed in the global profile, which is accessible
13918 at @file{/run/current-system/profile}. Each element is either a package
13919 variable or a package/output tuple. Here's a simple example of both:
13922 (cons* git ; the default "out" output
13923 (list git "send-email") ; another output of git
13924 %base-packages) ; the default set
13927 The default set includes core utilities and it is good practice to
13928 install non-core utilities in user profiles (@pxref{Invoking guix
13931 @item @code{timezone}
13932 A timezone identifying string---e.g., @code{"Europe/Paris"}.
13934 You can run the @command{tzselect} command to find out which timezone
13935 string corresponds to your region. Choosing an invalid timezone name
13936 causes @command{guix system} to fail.
13938 @item @code{locale} (default: @code{"en_US.utf8"})
13939 The name of the default locale (@pxref{Locale Names,,, libc, The GNU C
13940 Library Reference Manual}). @xref{Locales}, for more information.
13942 @item @code{locale-definitions} (default: @code{%default-locale-definitions})
13943 The list of locale definitions to be compiled and that may be used at
13944 run time. @xref{Locales}.
13946 @item @code{locale-libcs} (default: @code{(list @var{glibc})})
13947 The list of GNU@tie{}libc packages whose locale data and tools are used
13948 to build the locale definitions. @xref{Locales}, for compatibility
13949 considerations that justify this option.
13951 @item @code{name-service-switch} (default: @code{%default-nss})
13952 Configuration of the libc name service switch (NSS)---a
13953 @code{<name-service-switch>} object. @xref{Name Service Switch}, for
13956 @item @code{services} (default: @code{%base-services})
13957 A list of service objects denoting system services. @xref{Services}.
13959 @cindex essential services
13960 @item @code{essential-services} (default: ...)
13961 The list of ``essential services''---i.e., things like instances of
13962 @code{system-service-type} and @code{host-name-service-type} (@pxref{Service
13963 Reference}), which are derived from the operating system definition itself.
13964 As a user you should @emph{never} need to touch this field.
13966 @item @code{pam-services} (default: @code{(base-pam-services)})
13968 @cindex pluggable authentication modules
13969 Linux @dfn{pluggable authentication module} (PAM) services.
13970 @c FIXME: Add xref to PAM services section.
13972 @item @code{setuid-programs} (default: @code{%setuid-programs})
13973 List of @code{<setuid-program>}. @xref{Setuid Programs}, for more
13976 @item @code{sudoers-file} (default: @code{%sudoers-specification})
13977 @cindex sudoers file
13978 The contents of the @file{/etc/sudoers} file as a file-like object
13979 (@pxref{G-Expressions, @code{local-file} and @code{plain-file}}).
13981 This file specifies which users can use the @command{sudo} command, what
13982 they are allowed to do, and what privileges they may gain. The default
13983 is that only @code{root} and members of the @code{wheel} group may use
13988 @deffn {Scheme Syntax} this-operating-system
13989 When used in the @emph{lexical scope} of an operating system field definition,
13990 this identifier resolves to the operating system being defined.
13992 The example below shows how to refer to the operating system being defined in
13993 the definition of the @code{label} field:
13996 (use-modules (gnu) (guix))
14000 (label (package-full-name
14001 (operating-system-kernel this-operating-system))))
14004 It is an error to refer to @code{this-operating-system} outside an operating
14011 @section File Systems
14013 The list of file systems to be mounted is specified in the
14014 @code{file-systems} field of the operating system declaration
14015 (@pxref{Using the Configuration System}). Each file system is declared
14016 using the @code{file-system} form, like this:
14020 (mount-point "/home")
14021 (device "/dev/sda3")
14025 As usual, some of the fields are mandatory---those shown in the example
14026 above---while others can be omitted. These are described below.
14028 @deftp {Data Type} file-system
14029 Objects of this type represent file systems to be mounted. They
14030 contain the following members:
14034 This is a string specifying the type of the file system---e.g.,
14037 @item @code{mount-point}
14038 This designates the place where the file system is to be mounted.
14040 @item @code{device}
14041 This names the ``source'' of the file system. It can be one of three
14042 things: a file system label, a file system UUID, or the name of a
14043 @file{/dev} node. Labels and UUIDs offer a way to refer to file
14044 systems without having to hard-code their actual device
14045 name@footnote{Note that, while it is tempting to use
14046 @file{/dev/disk/by-uuid} and similar device names to achieve the same
14047 result, this is not recommended: These special device nodes are created
14048 by the udev daemon and may be unavailable at the time the device is
14051 @findex file-system-label
14052 File system labels are created using the @code{file-system-label}
14053 procedure, UUIDs are created using @code{uuid}, and @file{/dev} node are
14054 plain strings. Here's an example of a file system referred to by its
14055 label, as shown by the @command{e2label} command:
14059 (mount-point "/home")
14061 (device (file-system-label "my-home")))
14065 UUIDs are converted from their string representation (as shown by the
14066 @command{tune2fs -l} command) using the @code{uuid} form@footnote{The
14067 @code{uuid} form expects 16-byte UUIDs as defined in
14068 @uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}. This is the
14069 form of UUID used by the ext2 family of file systems and others, but it
14070 is different from ``UUIDs'' found in FAT file systems, for instance.},
14075 (mount-point "/home")
14077 (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")))
14080 When the source of a file system is a mapped device (@pxref{Mapped
14081 Devices}), its @code{device} field @emph{must} refer to the mapped
14082 device name---e.g., @file{"/dev/mapper/root-partition"}.
14083 This is required so that
14084 the system knows that mounting the file system depends on having the
14085 corresponding device mapping established.
14087 @item @code{flags} (default: @code{'()})
14088 This is a list of symbols denoting mount flags. Recognized flags
14089 include @code{read-only}, @code{bind-mount}, @code{no-dev} (disallow
14090 access to special files), @code{no-suid} (ignore setuid and setgid
14091 bits), @code{no-atime} (do not update file access times),
14092 @code{strict-atime} (update file access time), @code{lazy-time} (only
14093 update time on the in-memory version of the file inode), and
14094 @code{no-exec} (disallow program execution).
14095 @xref{Mount-Unmount-Remount,,, libc, The GNU C Library Reference
14096 Manual}, for more information on these flags.
14098 @item @code{options} (default: @code{#f})
14099 This is either @code{#f}, or a string denoting mount options passed to
14100 the file system driver. @xref{Mount-Unmount-Remount,,, libc, The GNU C
14101 Library Reference Manual}, for details and run @command{man 8 mount} for
14102 options for various file systems. Note that the
14103 @code{file-system-options->alist} and @code{alist->file-system-options}
14104 procedures from @code{(gnu system file-systems)} can be used to convert
14105 file system options given as an association list to the string
14106 representation, and vice-versa.
14108 @item @code{mount?} (default: @code{#t})
14109 This value indicates whether to automatically mount the file system when
14110 the system is brought up. When set to @code{#f}, the file system gets
14111 an entry in @file{/etc/fstab} (read by the @command{mount} command) but
14112 is not automatically mounted.
14114 @item @code{needed-for-boot?} (default: @code{#f})
14115 This Boolean value indicates whether the file system is needed when
14116 booting. If that is true, then the file system is mounted when the
14117 initial RAM disk (initrd) is loaded. This is always the case, for
14118 instance, for the root file system.
14120 @item @code{check?} (default: @code{#t})
14121 This Boolean indicates whether the file system needs to be checked for
14122 errors before being mounted.
14124 @item @code{create-mount-point?} (default: @code{#f})
14125 When true, the mount point is created if it does not exist yet.
14127 @item @code{mount-may-fail?} (default: @code{#f})
14128 When true, this indicates that mounting this file system can fail but
14129 that should not be considered an error. This is useful in unusual
14130 cases; an example of this is @code{efivarfs}, a file system that can
14131 only be mounted on EFI/UEFI systems.
14133 @item @code{dependencies} (default: @code{'()})
14134 This is a list of @code{<file-system>} or @code{<mapped-device>} objects
14135 representing file systems that must be mounted or mapped devices that
14136 must be opened before (and unmounted or closed after) this one.
14138 As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
14139 a dependency of @file{/sys/fs/cgroup/cpu} and
14140 @file{/sys/fs/cgroup/memory}.
14142 Another example is a file system that depends on a mapped device, for
14143 example for an encrypted partition (@pxref{Mapped Devices}).
14147 @deffn {Scheme Procedure} file-system-label @var{str}
14148 This procedure returns an opaque file system label from @var{str}, a
14152 (file-system-label "home")
14153 @result{} #<file-system-label "home">
14156 File system labels are used to refer to file systems by label rather
14157 than by device name. See above for examples.
14160 The @code{(gnu system file-systems)} exports the following useful
14163 @defvr {Scheme Variable} %base-file-systems
14164 These are essential file systems that are required on normal systems,
14165 such as @code{%pseudo-terminal-file-system} and @code{%immutable-store} (see
14166 below). Operating system declarations should always contain at least
14170 @defvr {Scheme Variable} %pseudo-terminal-file-system
14171 This is the file system to be mounted as @file{/dev/pts}. It supports
14172 @dfn{pseudo-terminals} created @i{via} @code{openpty} and similar
14173 functions (@pxref{Pseudo-Terminals,,, libc, The GNU C Library Reference
14174 Manual}). Pseudo-terminals are used by terminal emulators such as
14178 @defvr {Scheme Variable} %shared-memory-file-system
14179 This file system is mounted as @file{/dev/shm} and is used to support
14180 memory sharing across processes (@pxref{Memory-mapped I/O,
14181 @code{shm_open},, libc, The GNU C Library Reference Manual}).
14184 @defvr {Scheme Variable} %immutable-store
14185 This file system performs a read-only ``bind mount'' of
14186 @file{/gnu/store}, making it read-only for all the users including
14187 @code{root}. This prevents against accidental modification by software
14188 running as @code{root} or by system administrators.
14190 The daemon itself is still able to write to the store: it remounts it
14191 read-write in its own ``name space.''
14194 @defvr {Scheme Variable} %binary-format-file-system
14195 The @code{binfmt_misc} file system, which allows handling of arbitrary
14196 executable file types to be delegated to user space. This requires the
14197 @code{binfmt.ko} kernel module to be loaded.
14200 @defvr {Scheme Variable} %fuse-control-file-system
14201 The @code{fusectl} file system, which allows unprivileged users to mount
14202 and unmount user-space FUSE file systems. This requires the
14203 @code{fuse.ko} kernel module to be loaded.
14206 The @code{(gnu system uuid)} module provides tools to deal with file
14207 system ``unique identifiers'' (UUIDs).
14209 @deffn {Scheme Procedure} uuid @var{str} [@var{type}]
14210 Return an opaque UUID (unique identifier) object of the given @var{type}
14211 (a symbol) by parsing @var{str} (a string):
14214 (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")
14215 @result{} #<<uuid> type: dce bv: @dots{}>
14217 (uuid "1234-ABCD" 'fat)
14218 @result{} #<<uuid> type: fat bv: @dots{}>
14221 @var{type} may be one of @code{dce}, @code{iso9660}, @code{fat},
14222 @code{ntfs}, or one of the commonly found synonyms for these.
14224 UUIDs are another way to unambiguously refer to file systems in
14225 operating system configuration. See the examples above.
14229 @node Btrfs file system
14230 @subsection Btrfs file system
14232 The Btrfs has special features, such as subvolumes, that merit being
14233 explained in more details. The following section attempts to cover
14234 basic as well as complex uses of a Btrfs file system with the Guix
14237 In its simplest usage, a Btrfs file system can be described, for
14242 (mount-point "/home")
14244 (device (file-system-label "my-home")))
14247 The example below is more complex, as it makes use of a Btrfs
14248 subvolume, named @code{rootfs}. The parent Btrfs file system is labeled
14249 @code{my-btrfs-pool}, and is located on an encrypted device (hence the
14250 dependency on @code{mapped-devices}):
14254 (device (file-system-label "my-btrfs-pool"))
14257 (options "subvol=rootfs")
14258 (dependencies mapped-devices))
14261 Some bootloaders, for example GRUB, only mount a Btrfs partition at its
14262 top level during the early boot, and rely on their configuration to
14263 refer to the correct subvolume path within that top level. The
14264 bootloaders operating in this way typically produce their configuration
14265 on a running system where the Btrfs partitions are already mounted and
14266 where the subvolume information is readily available. As an example,
14267 @command{grub-mkconfig}, the configuration generator command shipped
14268 with GRUB, reads @file{/proc/self/mountinfo} to determine the top-level
14269 path of a subvolume.
14271 The Guix System produces a bootloader configuration using the operating
14272 system configuration as its sole input; it is therefore necessary to
14273 extract the subvolume name on which @file{/gnu/store} lives (if any)
14274 from that operating system configuration. To better illustrate,
14275 consider a subvolume named 'rootfs' which contains the root file system
14276 data. In such situation, the GRUB bootloader would only see the top
14277 level of the root Btrfs partition, e.g.:
14281 ├── rootfs (subvolume directory)
14282 ├── gnu (normal directory)
14283 ├── store (normal directory)
14287 Thus, the subvolume name must be prepended to the @file{/gnu/store} path
14288 of the kernel, initrd binaries and any other files referred to in the
14289 GRUB configuration that must be found during the early boot.
14291 The next example shows a nested hierarchy of subvolumes and
14296 ├── rootfs (subvolume)
14297 ├── gnu (normal directory)
14298 ├── store (subvolume)
14302 This scenario would work without mounting the 'store' subvolume.
14303 Mounting 'rootfs' is sufficient, since the subvolume name matches its
14304 intended mount point in the file system hierarchy. Alternatively, the
14305 'store' subvolume could be referred to by setting the @code{subvol}
14306 option to either @code{/rootfs/gnu/store} or @code{rootfs/gnu/store}.
14308 Finally, a more contrived example of nested subvolumes:
14312 ├── root-snapshots (subvolume)
14313 ├── root-current (subvolume)
14314 ├── guix-store (subvolume)
14318 Here, the 'guix-store' subvolume doesn't match its intended mount point,
14319 so it is necessary to mount it. The subvolume must be fully specified,
14320 by passing its file name to the @code{subvol} option. To illustrate,
14321 the 'guix-store' subvolume could be mounted on @file{/gnu/store} by using
14322 a file system declaration such as:
14326 (device (file-system-label "btrfs-pool-1"))
14327 (mount-point "/gnu/store")
14329 (options "subvol=root-snapshots/root-current/guix-store,\
14330 compress-force=zstd,space_cache=v2"))
14333 @node Mapped Devices
14334 @section Mapped Devices
14336 @cindex device mapping
14337 @cindex mapped devices
14338 The Linux kernel has a notion of @dfn{device mapping}: a block device,
14339 such as a hard disk partition, can be @dfn{mapped} into another device,
14340 usually in @code{/dev/mapper/},
14341 with additional processing over the data that flows through
14342 it@footnote{Note that the GNU@tie{}Hurd makes no difference between the
14343 concept of a ``mapped device'' and that of a file system: both boil down
14344 to @emph{translating} input/output operations made on a file to
14345 operations on its backing store. Thus, the Hurd implements mapped
14346 devices, like file systems, using the generic @dfn{translator} mechanism
14347 (@pxref{Translators,,, hurd, The GNU Hurd Reference Manual}).}. A
14348 typical example is encryption device mapping: all writes to the mapped
14349 device are encrypted, and all reads are deciphered, transparently.
14350 Guix extends this notion by considering any device or set of devices that
14351 are @dfn{transformed} in some way to create a new device; for instance,
14352 RAID devices are obtained by @dfn{assembling} several other devices, such
14353 as hard disks or partitions, into a new one that behaves as one partition.
14355 Mapped devices are declared using the @code{mapped-device} form,
14356 defined as follows; for examples, see below.
14358 @deftp {Data Type} mapped-device
14359 Objects of this type represent device mappings that will be made when
14360 the system boots up.
14364 This is either a string specifying the name of the block device to be mapped,
14365 such as @code{"/dev/sda3"}, or a list of such strings when several devices
14366 need to be assembled for creating a new one. In case of LVM this is a
14367 string specifying name of the volume group to be mapped.
14370 This string specifies the name of the resulting mapped device. For
14371 kernel mappers such as encrypted devices of type @code{luks-device-mapping},
14372 specifying @code{"my-partition"} leads to the creation of
14373 the @code{"/dev/mapper/my-partition"} device.
14374 For RAID devices of type @code{raid-device-mapping}, the full device name
14375 such as @code{"/dev/md0"} needs to be given.
14376 LVM logical volumes of type @code{lvm-device-mapping} need to
14377 be specified as @code{"VGNAME-LVNAME"}.
14380 This list of strings specifies names of the resulting mapped devices in case
14381 there are several. The format is identical to @var{target}.
14384 This must be a @code{mapped-device-kind} object, which specifies how
14385 @var{source} is mapped to @var{target}.
14389 @defvr {Scheme Variable} luks-device-mapping
14390 This defines LUKS block device encryption using the @command{cryptsetup}
14391 command from the package with the same name. It relies on the
14392 @code{dm-crypt} Linux kernel module.
14395 @defvr {Scheme Variable} raid-device-mapping
14396 This defines a RAID device, which is assembled using the @code{mdadm}
14397 command from the package with the same name. It requires a Linux kernel
14398 module for the appropriate RAID level to be loaded, such as @code{raid456}
14399 for RAID-4, RAID-5 or RAID-6, or @code{raid10} for RAID-10.
14402 @cindex LVM, logical volume manager
14403 @defvr {Scheme Variable} lvm-device-mapping
14404 This defines one or more logical volumes for the Linux
14405 @uref{https://www.sourceware.org/lvm2/, Logical Volume Manager (LVM)}.
14406 The volume group is activated by the @command{vgchange} command from the
14407 @code{lvm2} package.
14410 @cindex disk encryption
14412 The following example specifies a mapping from @file{/dev/sda3} to
14413 @file{/dev/mapper/home} using LUKS---the
14414 @url{https://gitlab.com/cryptsetup/cryptsetup,Linux Unified Key Setup}, a
14415 standard mechanism for disk encryption.
14416 The @file{/dev/mapper/home}
14417 device can then be used as the @code{device} of a @code{file-system}
14418 declaration (@pxref{File Systems}).
14422 (source "/dev/sda3")
14424 (type luks-device-mapping))
14427 Alternatively, to become independent of device numbering, one may obtain
14428 the LUKS UUID (@dfn{unique identifier}) of the source device by a
14432 cryptsetup luksUUID /dev/sda3
14435 and use it as follows:
14439 (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
14441 (type luks-device-mapping))
14444 @cindex swap encryption
14445 It is also desirable to encrypt swap space, since swap space may contain
14446 sensitive data. One way to accomplish that is to use a swap file in a
14447 file system on a device mapped via LUKS encryption. In this way, the
14448 swap file is encrypted because the entire device is encrypted.
14449 @xref{Preparing for Installation,,Disk Partitioning}, for an example.
14451 A RAID device formed of the partitions @file{/dev/sda1} and @file{/dev/sdb1}
14452 may be declared as follows:
14456 (source (list "/dev/sda1" "/dev/sdb1"))
14457 (target "/dev/md0")
14458 (type raid-device-mapping))
14461 The @file{/dev/md0} device can then be used as the @code{device} of a
14462 @code{file-system} declaration (@pxref{File Systems}).
14463 Note that the RAID level need not be given; it is chosen during the
14464 initial creation and formatting of the RAID device and is determined
14465 automatically later.
14467 LVM logical volumes ``alpha'' and ``beta'' from volume group ``vg0'' can
14468 be declared as follows:
14473 (targets (list "vg0-alpha" "vg0-beta"))
14474 (type lvm-device-mapping))
14477 Devices @file{/dev/mapper/vg0-alpha} and @file{/dev/mapper/vg0-beta} can
14478 then be used as the @code{device} of a @code{file-system} declaration
14479 (@pxref{File Systems}).
14481 @node User Accounts
14482 @section User Accounts
14486 @cindex user accounts
14487 User accounts and groups are entirely managed through the
14488 @code{operating-system} declaration. They are specified with the
14489 @code{user-account} and @code{user-group} forms:
14495 (supplementary-groups '("wheel" ;allow use of sudo, etc.
14496 "audio" ;sound card
14497 "video" ;video devices such as webcams
14498 "cdrom")) ;the good ol' CD-ROM
14499 (comment "Bob's sister"))
14502 Here's a user account that uses a different shell and a custom home
14503 directory (the default would be @file{"/home/bob"}):
14509 (comment "Alice's bro")
14510 (shell (file-append zsh "/bin/zsh"))
14511 (home-directory "/home/robert"))
14514 When booting or upon completion of @command{guix system reconfigure},
14515 the system ensures that only the user accounts and groups specified in
14516 the @code{operating-system} declaration exist, and with the specified
14517 properties. Thus, account or group creations or modifications made by
14518 directly invoking commands such as @command{useradd} are lost upon
14519 reconfiguration or reboot. This ensures that the system remains exactly
14522 @deftp {Data Type} user-account
14523 Objects of this type represent user accounts. The following members may
14528 The name of the user account.
14532 This is the name (a string) or identifier (a number) of the user group
14533 this account belongs to.
14535 @item @code{supplementary-groups} (default: @code{'()})
14536 Optionally, this can be defined as a list of group names that this
14537 account belongs to.
14539 @item @code{uid} (default: @code{#f})
14540 This is the user ID for this account (a number), or @code{#f}. In the
14541 latter case, a number is automatically chosen by the system when the
14542 account is created.
14544 @item @code{comment} (default: @code{""})
14545 A comment about the account, such as the account owner's full name.
14547 @item @code{home-directory}
14548 This is the name of the home directory for the account.
14550 @item @code{create-home-directory?} (default: @code{#t})
14551 Indicates whether the home directory of this account should be created
14552 if it does not exist yet.
14554 @item @code{shell} (default: Bash)
14555 This is a G-expression denoting the file name of a program to be used as
14556 the shell (@pxref{G-Expressions}). For example, you would refer to the
14557 Bash executable like this:
14560 (file-append bash "/bin/bash")
14564 ... and to the Zsh executable like that:
14567 (file-append zsh "/bin/zsh")
14570 @item @code{system?} (default: @code{#f})
14571 This Boolean value indicates whether the account is a ``system''
14572 account. System accounts are sometimes treated specially; for instance,
14573 graphical login managers do not list them.
14575 @anchor{user-account-password}
14576 @cindex password, for user accounts
14577 @item @code{password} (default: @code{#f})
14578 You would normally leave this field to @code{#f}, initialize user
14579 passwords as @code{root} with the @command{passwd} command, and then let
14580 users change it with @command{passwd}. Passwords set with
14581 @command{passwd} are of course preserved across reboot and
14584 If you @emph{do} want to set an initial password for an account, then
14585 this field must contain the encrypted password, as a string. You can use the
14586 @code{crypt} procedure for this purpose:
14593 ;; Specify a SHA-512-hashed initial password.
14594 (password (crypt "InitialPassword!" "$6$abc")))
14598 The hash of this initial password will be available in a file in
14599 @file{/gnu/store}, readable by all the users, so this method must be used with
14603 @xref{Passphrase Storage,,, libc, The GNU C Library Reference Manual}, for
14604 more information on password encryption, and @ref{Encryption,,, guile, GNU
14605 Guile Reference Manual}, for information on Guile's @code{crypt} procedure.
14611 User group declarations are even simpler:
14614 (user-group (name "students"))
14617 @deftp {Data Type} user-group
14618 This type is for, well, user groups. There are just a few fields:
14622 The name of the group.
14624 @item @code{id} (default: @code{#f})
14625 The group identifier (a number). If @code{#f}, a new number is
14626 automatically allocated when the group is created.
14628 @item @code{system?} (default: @code{#f})
14629 This Boolean value indicates whether the group is a ``system'' group.
14630 System groups have low numerical IDs.
14632 @item @code{password} (default: @code{#f})
14633 What, user groups can have a password? Well, apparently yes. Unless
14634 @code{#f}, this field specifies the password of the group.
14639 For convenience, a variable lists all the basic user groups one may
14642 @defvr {Scheme Variable} %base-groups
14643 This is the list of basic user groups that users and/or packages expect
14644 to be present on the system. This includes groups such as ``root'',
14645 ``wheel'', and ``users'', as well as groups used to control access to
14646 specific devices such as ``audio'', ``disk'', and ``cdrom''.
14649 @defvr {Scheme Variable} %base-user-accounts
14650 This is the list of basic system accounts that programs may expect to
14651 find on a GNU/Linux system, such as the ``nobody'' account.
14653 Note that the ``root'' account is not included here. It is a
14654 special-case and is automatically added whether or not it is specified.
14657 @node Keyboard Layout
14658 @section Keyboard Layout
14660 @cindex keyboard layout
14662 To specify what each key of your keyboard does, you need to tell the operating
14663 system what @dfn{keyboard layout} you want to use. The default, when nothing
14664 is specified, is the US English QWERTY layout for 105-key PC keyboards.
14665 However, German speakers will usually prefer the German QWERTZ layout, French
14666 speakers will want the AZERTY layout, and so on; hackers might prefer Dvorak
14667 or bépo, and they might even want to further customize the effect of some of
14668 the keys. This section explains how to get that done.
14670 @cindex keyboard layout, definition
14671 There are three components that will want to know about your keyboard layout:
14675 The @emph{bootloader} may want to know what keyboard layout you want to use
14676 (@pxref{Bootloader Configuration, @code{keyboard-layout}}). This is useful if
14677 you want, for instance, to make sure that you can type the passphrase of your
14678 encrypted root partition using the right layout.
14681 The @emph{operating system kernel}, Linux, will need that so that the console
14682 is properly configured (@pxref{operating-system Reference,
14683 @code{keyboard-layout}}).
14686 The @emph{graphical display server}, usually Xorg, also has its own idea of
14687 the keyboard layout (@pxref{X Window, @code{keyboard-layout}}).
14690 Guix allows you to configure all three separately but, fortunately, it allows
14691 you to share the same keyboard layout for all three components.
14693 @cindex XKB, keyboard layouts
14694 Keyboard layouts are represented by records created by the
14695 @code{keyboard-layout} procedure of @code{(gnu system keyboard)}. Following
14696 the X Keyboard extension (XKB), each layout has four attributes: a name (often
14697 a language code such as ``fi'' for Finnish or ``jp'' for Japanese), an
14698 optional variant name, an optional keyboard model name, and a possibly empty
14699 list of additional options. In most cases the layout name is all you care
14702 @deffn {Scheme Procedure} keyboard-layout @var{name} [@var{variant}] @
14703 [#:model] [#:options '()]
14704 Return a new keyboard layout with the given @var{name} and @var{variant}.
14706 @var{name} must be a string such as @code{"fr"}; @var{variant} must be a
14707 string such as @code{"bepo"} or @code{"nodeadkeys"}. See the
14708 @code{xkeyboard-config} package for valid options.
14711 Here are a few examples:
14714 ;; The German QWERTZ layout. Here we assume a standard
14715 ;; "pc105" keyboard model.
14716 (keyboard-layout "de")
14718 ;; The bépo variant of the French layout.
14719 (keyboard-layout "fr" "bepo")
14721 ;; The Catalan layout.
14722 (keyboard-layout "es" "cat")
14724 ;; Arabic layout with "Alt-Shift" to switch to US layout.
14725 (keyboard-layout "ar,us" #:options '("grp:alt_shift_toggle"))
14727 ;; The Latin American Spanish layout. In addition, the
14728 ;; "Caps Lock" key is used as an additional "Ctrl" key,
14729 ;; and the "Menu" key is used as a "Compose" key to enter
14730 ;; accented letters.
14731 (keyboard-layout "latam"
14732 #:options '("ctrl:nocaps" "compose:menu"))
14734 ;; The Russian layout for a ThinkPad keyboard.
14735 (keyboard-layout "ru" #:model "thinkpad")
14737 ;; The "US international" layout, which is the US layout plus
14738 ;; dead keys to enter accented characters. This is for an
14739 ;; Apple MacBook keyboard.
14740 (keyboard-layout "us" "intl" #:model "macbook78")
14743 See the @file{share/X11/xkb} directory of the @code{xkeyboard-config} package
14744 for a complete list of supported layouts, variants, and models.
14746 @cindex keyboard layout, configuration
14747 Let's say you want your system to use the Turkish keyboard layout throughout
14748 your system---bootloader, console, and Xorg. Here's what your system
14749 configuration would look like:
14751 @findex set-xorg-configuration
14753 ;; Using the Turkish layout for the bootloader, the console,
14758 (keyboard-layout (keyboard-layout "tr")) ;for the console
14759 (bootloader (bootloader-configuration
14760 (bootloader grub-efi-bootloader)
14761 (targets '("/boot/efi"))
14762 (keyboard-layout keyboard-layout))) ;for GRUB
14763 (services (cons (set-xorg-configuration
14764 (xorg-configuration ;for Xorg
14765 (keyboard-layout keyboard-layout)))
14766 %desktop-services)))
14769 In the example above, for GRUB and for Xorg, we just refer to the
14770 @code{keyboard-layout} field defined above, but we could just as well refer to
14771 a different layout. The @code{set-xorg-configuration} procedure communicates
14772 the desired Xorg configuration to the graphical log-in manager, by default
14775 We've discussed how to specify the @emph{default} keyboard layout of your
14776 system when it starts, but you can also adjust it at run time:
14780 If you're using GNOME, its settings panel has a ``Region & Language'' entry
14781 where you can select one or more keyboard layouts.
14784 Under Xorg, the @command{setxkbmap} command (from the same-named package)
14785 allows you to change the current layout. For example, this is how you would
14786 change the layout to US Dvorak:
14789 setxkbmap us dvorak
14793 The @code{loadkeys} command changes the keyboard layout in effect in the Linux
14794 console. However, note that @code{loadkeys} does @emph{not} use the XKB
14795 keyboard layout categorization described above. The command below loads the
14796 French bépo layout:
14807 A @dfn{locale} defines cultural conventions for a particular language
14808 and region of the world (@pxref{Locales,,, libc, The GNU C Library
14809 Reference Manual}). Each locale has a name that typically has the form
14810 @code{@var{language}_@var{territory}.@var{codeset}}---e.g.,
14811 @code{fr_LU.utf8} designates the locale for the French language, with
14812 cultural conventions from Luxembourg, and using the UTF-8 encoding.
14814 @cindex locale definition
14815 Usually, you will want to specify the default locale for the machine
14816 using the @code{locale} field of the @code{operating-system} declaration
14817 (@pxref{operating-system Reference, @code{locale}}).
14819 The selected locale is automatically added to the @dfn{locale
14820 definitions} known to the system if needed, with its codeset inferred
14821 from its name---e.g., @code{bo_CN.utf8} will be assumed to use the
14822 @code{UTF-8} codeset. Additional locale definitions can be specified in
14823 the @code{locale-definitions} slot of @code{operating-system}---this is
14824 useful, for instance, if the codeset could not be inferred from the
14825 locale name. The default set of locale definitions includes some widely
14826 used locales, but not all the available locales, in order to save space.
14828 For instance, to add the North Frisian locale for Germany, the value of
14832 (cons (locale-definition
14833 (name "fy_DE.utf8") (source "fy_DE"))
14834 %default-locale-definitions)
14837 Likewise, to save space, one might want @code{locale-definitions} to
14838 list only the locales that are actually used, as in:
14841 (list (locale-definition
14842 (name "ja_JP.eucjp") (source "ja_JP")
14843 (charset "EUC-JP")))
14847 The compiled locale definitions are available at
14848 @file{/run/current-system/locale/X.Y}, where @code{X.Y} is the libc
14849 version, which is the default location where the GNU@tie{}libc provided
14850 by Guix looks for locale data. This can be overridden using the
14851 @env{LOCPATH} environment variable (@pxref{locales-and-locpath,
14852 @env{LOCPATH} and locale packages}).
14854 The @code{locale-definition} form is provided by the @code{(gnu system
14855 locale)} module. Details are given below.
14857 @deftp {Data Type} locale-definition
14858 This is the data type of a locale definition.
14863 The name of the locale. @xref{Locale Names,,, libc, The GNU C Library
14864 Reference Manual}, for more information on locale names.
14866 @item @code{source}
14867 The name of the source for that locale. This is typically the
14868 @code{@var{language}_@var{territory}} part of the locale name.
14870 @item @code{charset} (default: @code{"UTF-8"})
14871 The ``character set'' or ``code set'' for that locale,
14872 @uref{https://www.iana.org/assignments/character-sets, as defined by
14878 @defvr {Scheme Variable} %default-locale-definitions
14879 A list of commonly used UTF-8 locales, used as the default
14880 value of the @code{locale-definitions} field of @code{operating-system}
14883 @cindex locale name
14884 @cindex normalized codeset in locale names
14885 These locale definitions use the @dfn{normalized codeset} for the part
14886 that follows the dot in the name (@pxref{Using gettextized software,
14887 normalized codeset,, libc, The GNU C Library Reference Manual}). So for
14888 instance it has @code{uk_UA.utf8} but @emph{not}, say,
14889 @code{uk_UA.UTF-8}.
14892 @subsection Locale Data Compatibility Considerations
14894 @cindex incompatibility, of locale data
14895 @code{operating-system} declarations provide a @code{locale-libcs} field
14896 to specify the GNU@tie{}libc packages that are used to compile locale
14897 declarations (@pxref{operating-system Reference}). ``Why would I
14898 care?'', you may ask. Well, it turns out that the binary format of
14899 locale data is occasionally incompatible from one libc version to
14902 @c See <https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html>
14903 @c and <https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00737.html>.
14904 For instance, a program linked against libc version 2.21 is unable to
14905 read locale data produced with libc 2.22; worse, that program
14906 @emph{aborts} instead of simply ignoring the incompatible locale
14907 data@footnote{Versions 2.23 and later of GNU@tie{}libc will simply skip
14908 the incompatible locale data, which is already an improvement.}.
14909 Similarly, a program linked against libc 2.22 can read most, but not
14910 all, of the locale data from libc 2.21 (specifically, @env{LC_COLLATE}
14911 data is incompatible); thus calls to @code{setlocale} may fail, but
14912 programs will not abort.
14914 The ``problem'' with Guix is that users have a lot of freedom: They can
14915 choose whether and when to upgrade software in their profiles, and might
14916 be using a libc version different from the one the system administrator
14917 used to build the system-wide locale data.
14919 Fortunately, unprivileged users can also install their own locale data
14920 and define @env{GUIX_LOCPATH} accordingly (@pxref{locales-and-locpath,
14921 @env{GUIX_LOCPATH} and locale packages}).
14923 Still, it is best if the system-wide locale data at
14924 @file{/run/current-system/locale} is built for all the libc versions
14925 actually in use on the system, so that all the programs can access
14926 it---this is especially crucial on a multi-user system. To do that, the
14927 administrator can specify several libc packages in the
14928 @code{locale-libcs} field of @code{operating-system}:
14931 (use-package-modules base)
14935 (locale-libcs (list glibc-2.21 (canonical-package glibc))))
14938 This example would lead to a system containing locale definitions for
14939 both libc 2.21 and the current version of libc in
14940 @file{/run/current-system/locale}.
14946 @cindex system services
14947 An important part of preparing an @code{operating-system} declaration is
14948 listing @dfn{system services} and their configuration (@pxref{Using the
14949 Configuration System}). System services are typically daemons launched
14950 when the system boots, or other actions needed at that time---e.g.,
14951 configuring network access.
14953 Guix has a broad definition of ``service'' (@pxref{Service
14954 Composition}), but many services are managed by the GNU@tie{}Shepherd
14955 (@pxref{Shepherd Services}). On a running system, the @command{herd}
14956 command allows you to list the available services, show their status,
14957 start and stop them, or do other specific operations (@pxref{Jump
14958 Start,,, shepherd, The GNU Shepherd Manual}). For example:
14964 The above command, run as @code{root}, lists the currently defined
14965 services. The @command{herd doc} command shows a synopsis of the given
14966 service and its associated actions:
14970 Run libc's name service cache daemon (nscd).
14972 # herd doc nscd action invalidate
14973 invalidate: Invalidate the given cache--e.g., 'hosts' for host name lookups.
14976 The @command{start}, @command{stop}, and @command{restart} sub-commands
14977 have the effect you would expect. For instance, the commands below stop
14978 the nscd service and restart the Xorg display server:
14982 Service nscd has been stopped.
14983 # herd restart xorg-server
14984 Service xorg-server has been stopped.
14985 Service xorg-server has been started.
14988 The following sections document the available services, starting with
14989 the core services, that may be used in an @code{operating-system}
14993 * Base Services:: Essential system services.
14994 * Scheduled Job Execution:: The mcron service.
14995 * Log Rotation:: The rottlog service.
14996 * Networking Services:: Network setup, SSH daemon, etc.
14997 * Unattended Upgrades:: Automated system upgrades.
14998 * X Window:: Graphical display.
14999 * Printing Services:: Local and remote printer support.
15000 * Desktop Services:: D-Bus and desktop services.
15001 * Sound Services:: ALSA and Pulseaudio services.
15002 * Database Services:: SQL databases, key-value stores, etc.
15003 * Mail Services:: IMAP, POP3, SMTP, and all that.
15004 * Messaging Services:: Messaging services.
15005 * Telephony Services:: Telephony services.
15006 * File-Sharing Services:: File-sharing services.
15007 * Monitoring Services:: Monitoring services.
15008 * Kerberos Services:: Kerberos services.
15009 * LDAP Services:: LDAP services.
15010 * Web Services:: Web servers.
15011 * Certificate Services:: TLS certificates via Let's Encrypt.
15012 * DNS Services:: DNS daemons.
15013 * VPN Services:: VPN daemons.
15014 * Network File System:: NFS related services.
15015 * Continuous Integration:: Cuirass and Laminar services.
15016 * Power Management Services:: Extending battery life.
15017 * Audio Services:: The MPD.
15018 * Virtualization Services:: Virtualization services.
15019 * Version Control Services:: Providing remote access to Git repositories.
15020 * Game Services:: Game servers.
15021 * PAM Mount Service:: Service to mount volumes when logging in.
15022 * Guix Services:: Services relating specifically to Guix.
15023 * Linux Services:: Services tied to the Linux kernel.
15024 * Hurd Services:: Services specific for a Hurd System.
15025 * Miscellaneous Services:: Other services.
15028 @node Base Services
15029 @subsection Base Services
15031 The @code{(gnu services base)} module provides definitions for the basic
15032 services that one expects from the system. The services exported by
15033 this module are listed below.
15035 @defvr {Scheme Variable} %base-services
15036 This variable contains a list of basic services (@pxref{Service Types
15037 and Services}, for more information on service objects) one would
15038 expect from the system: a login service (mingetty) on each tty, syslogd,
15039 the libc name service cache daemon (nscd), the udev device manager, and
15042 This is the default value of the @code{services} field of
15043 @code{operating-system} declarations. Usually, when customizing a
15044 system, you will want to append services to @code{%base-services}, like
15048 (append (list (service avahi-service-type)
15049 (service openssh-service-type))
15054 @defvr {Scheme Variable} special-files-service-type
15055 This is the service that sets up ``special files'' such as
15056 @file{/bin/sh}; an instance of it is part of @code{%base-services}.
15058 The value associated with @code{special-files-service-type} services
15059 must be a list of tuples where the first element is the ``special file''
15060 and the second element is its target. By default it is:
15062 @cindex @file{/bin/sh}
15063 @cindex @file{sh}, in @file{/bin}
15065 `(("/bin/sh" ,(file-append bash "/bin/sh")))
15068 @cindex @file{/usr/bin/env}
15069 @cindex @file{env}, in @file{/usr/bin}
15070 If you want to add, say, @code{/usr/bin/env} to your system, you can
15074 `(("/bin/sh" ,(file-append bash "/bin/sh"))
15075 ("/usr/bin/env" ,(file-append coreutils "/bin/env")))
15078 Since this is part of @code{%base-services}, you can use
15079 @code{modify-services} to customize the set of special files
15080 (@pxref{Service Reference, @code{modify-services}}). But the simple way
15081 to add a special file is @i{via} the @code{extra-special-file} procedure
15085 @deffn {Scheme Procedure} extra-special-file @var{file} @var{target}
15086 Use @var{target} as the ``special file'' @var{file}.
15088 For example, adding the following lines to the @code{services} field of
15089 your operating system declaration leads to a @file{/usr/bin/env}
15093 (extra-special-file "/usr/bin/env"
15094 (file-append coreutils "/bin/env"))
15098 @deffn {Scheme Procedure} host-name-service @var{name}
15099 Return a service that sets the host name to @var{name}.
15102 @defvr {Scheme Variable} console-font-service-type
15103 Install the given fonts on the specified ttys (fonts are per
15104 virtual console on the kernel Linux). The value of this service is a list of
15105 tty/font pairs. The font can be the name of a font provided by the @code{kbd}
15106 package or any valid argument to @command{setfont}, as in this example:
15109 `(("tty1" . "LatGrkCyr-8x16")
15110 ("tty2" . ,(file-append
15112 "/share/kbd/consolefonts/TamzenForPowerline10x20.psf"))
15113 ("tty3" . ,(file-append
15115 "/share/consolefonts/ter-132n"))) ; for HDPI
15119 @deffn {Scheme Procedure} login-service @var{config}
15120 Return a service to run login according to @var{config}, a
15121 @code{<login-configuration>} object, which specifies the message of the day,
15122 among other things.
15125 @deftp {Data Type} login-configuration
15126 This is the data type representing the configuration of login.
15131 @cindex message of the day
15132 A file-like object containing the ``message of the day''.
15134 @item @code{allow-empty-passwords?} (default: @code{#t})
15135 Allow empty passwords by default so that first-time users can log in when
15136 the 'root' account has just been created.
15141 @deffn {Scheme Procedure} mingetty-service @var{config}
15142 Return a service to run mingetty according to @var{config}, a
15143 @code{<mingetty-configuration>} object, which specifies the tty to run, among
15147 @deftp {Data Type} mingetty-configuration
15148 This is the data type representing the configuration of Mingetty, which
15149 provides the default implementation of virtual console log-in.
15154 The name of the console this Mingetty runs on---e.g., @code{"tty1"}.
15156 @item @code{auto-login} (default: @code{#f})
15157 When true, this field must be a string denoting the user name under
15158 which the system automatically logs in. When it is @code{#f}, a
15159 user name and password must be entered to log in.
15161 @item @code{login-program} (default: @code{#f})
15162 This must be either @code{#f}, in which case the default log-in program
15163 is used (@command{login} from the Shadow tool suite), or a gexp denoting
15164 the name of the log-in program.
15166 @item @code{login-pause?} (default: @code{#f})
15167 When set to @code{#t} in conjunction with @var{auto-login}, the user
15168 will have to press a key before the log-in shell is launched.
15170 @item @code{clear-on-logout?} (default: @code{#t})
15171 When set to @code{#t}, the screen will be cleared after logout.
15173 @item @code{mingetty} (default: @var{mingetty})
15174 The Mingetty package to use.
15179 @deffn {Scheme Procedure} agetty-service @var{config}
15180 Return a service to run agetty according to @var{config}, an
15181 @code{<agetty-configuration>} object, which specifies the tty to run,
15182 among other things.
15185 @deftp {Data Type} agetty-configuration
15186 This is the data type representing the configuration of agetty, which
15187 implements virtual and serial console log-in. See the @code{agetty(8)}
15188 man page for more information.
15193 The name of the console this agetty runs on, as a string---e.g.,
15194 @code{"ttyS0"}. This argument is optional, it will default to
15195 a reasonable default serial port used by the kernel Linux.
15197 For this, if there is a value for an option @code{agetty.tty} in the kernel
15198 command line, agetty will extract the device name of the serial port
15199 from it and use that.
15201 If not and if there is a value for an option @code{console} with a tty in
15202 the Linux command line, agetty will extract the device name of the
15203 serial port from it and use that.
15205 In both cases, agetty will leave the other serial device settings
15206 (baud rate etc.)@: alone---in the hope that Linux pinned them to the
15209 @item @code{baud-rate} (default: @code{#f})
15210 A string containing a comma-separated list of one or more baud rates, in
15213 @item @code{term} (default: @code{#f})
15214 A string containing the value used for the @env{TERM} environment
15217 @item @code{eight-bits?} (default: @code{#f})
15218 When @code{#t}, the tty is assumed to be 8-bit clean, and parity detection is
15221 @item @code{auto-login} (default: @code{#f})
15222 When passed a login name, as a string, the specified user will be logged
15223 in automatically without prompting for their login name or password.
15225 @item @code{no-reset?} (default: @code{#f})
15226 When @code{#t}, don't reset terminal cflags (control modes).
15228 @item @code{host} (default: @code{#f})
15229 This accepts a string containing the ``login_host'', which will be written
15230 into the @file{/var/run/utmpx} file.
15232 @item @code{remote?} (default: @code{#f})
15233 When set to @code{#t} in conjunction with @var{host}, this will add an
15234 @code{-r} fakehost option to the command line of the login program
15235 specified in @var{login-program}.
15237 @item @code{flow-control?} (default: @code{#f})
15238 When set to @code{#t}, enable hardware (RTS/CTS) flow control.
15240 @item @code{no-issue?} (default: @code{#f})
15241 When set to @code{#t}, the contents of the @file{/etc/issue} file will
15242 not be displayed before presenting the login prompt.
15244 @item @code{init-string} (default: @code{#f})
15245 This accepts a string that will be sent to the tty or modem before
15246 sending anything else. It can be used to initialize a modem.
15248 @item @code{no-clear?} (default: @code{#f})
15249 When set to @code{#t}, agetty will not clear the screen before showing
15252 @item @code{login-program} (default: (file-append shadow "/bin/login"))
15253 This must be either a gexp denoting the name of a log-in program, or
15254 unset, in which case the default value is the @command{login} from the
15257 @item @code{local-line} (default: @code{#f})
15258 Control the CLOCAL line flag. This accepts one of three symbols as
15259 arguments, @code{'auto}, @code{'always}, or @code{'never}. If @code{#f},
15260 the default value chosen by agetty is @code{'auto}.
15262 @item @code{extract-baud?} (default: @code{#f})
15263 When set to @code{#t}, instruct agetty to try to extract the baud rate
15264 from the status messages produced by certain types of modems.
15266 @item @code{skip-login?} (default: @code{#f})
15267 When set to @code{#t}, do not prompt the user for a login name. This
15268 can be used with @var{login-program} field to use non-standard login
15271 @item @code{no-newline?} (default: @code{#f})
15272 When set to @code{#t}, do not print a newline before printing the
15273 @file{/etc/issue} file.
15275 @c Is this dangerous only when used with login-program, or always?
15276 @item @code{login-options} (default: @code{#f})
15277 This option accepts a string containing options that are passed to the
15278 login program. When used with the @var{login-program}, be aware that a
15279 malicious user could try to enter a login name containing embedded
15280 options that could be parsed by the login program.
15282 @item @code{login-pause} (default: @code{#f})
15283 When set to @code{#t}, wait for any key before showing the login prompt.
15284 This can be used in conjunction with @var{auto-login} to save memory by
15285 lazily spawning shells.
15287 @item @code{chroot} (default: @code{#f})
15288 Change root to the specified directory. This option accepts a directory
15291 @item @code{hangup?} (default: @code{#f})
15292 Use the Linux system call @code{vhangup} to do a virtual hangup of the
15293 specified terminal.
15295 @item @code{keep-baud?} (default: @code{#f})
15296 When set to @code{#t}, try to keep the existing baud rate. The baud
15297 rates from @var{baud-rate} are used when agetty receives a @key{BREAK}
15300 @item @code{timeout} (default: @code{#f})
15301 When set to an integer value, terminate if no user name could be read
15302 within @var{timeout} seconds.
15304 @item @code{detect-case?} (default: @code{#f})
15305 When set to @code{#t}, turn on support for detecting an uppercase-only
15306 terminal. This setting will detect a login name containing only
15307 uppercase letters as indicating an uppercase-only terminal and turn on
15308 some upper-to-lower case conversions. Note that this will not support
15309 Unicode characters.
15311 @item @code{wait-cr?} (default: @code{#f})
15312 When set to @code{#t}, wait for the user or modem to send a
15313 carriage-return or linefeed character before displaying
15314 @file{/etc/issue} or login prompt. This is typically used with the
15315 @var{init-string} option.
15317 @item @code{no-hints?} (default: @code{#f})
15318 When set to @code{#t}, do not print hints about Num, Caps, and Scroll
15321 @item @code{no-hostname?} (default: @code{#f})
15322 By default, the hostname is printed. When this option is set to
15323 @code{#t}, no hostname will be shown at all.
15325 @item @code{long-hostname?} (default: @code{#f})
15326 By default, the hostname is only printed until the first dot. When this
15327 option is set to @code{#t}, the fully qualified hostname by
15328 @code{gethostname} or @code{getaddrinfo} is shown.
15330 @item @code{erase-characters} (default: @code{#f})
15331 This option accepts a string of additional characters that should be
15332 interpreted as backspace when the user types their login name.
15334 @item @code{kill-characters} (default: @code{#f})
15335 This option accepts a string that should be interpreted to mean ``ignore
15336 all previous characters'' (also called a ``kill'' character) when the user
15337 types their login name.
15339 @item @code{chdir} (default: @code{#f})
15340 This option accepts, as a string, a directory path that will be changed
15343 @item @code{delay} (default: @code{#f})
15344 This options accepts, as an integer, the number of seconds to sleep
15345 before opening the tty and displaying the login prompt.
15347 @item @code{nice} (default: @code{#f})
15348 This option accepts, as an integer, the nice value with which to run the
15349 @command{login} program.
15351 @item @code{extra-options} (default: @code{'()})
15352 This option provides an ``escape hatch'' for the user to provide arbitrary
15353 command-line arguments to @command{agetty} as a list of strings.
15358 @deffn {Scheme Procedure} kmscon-service-type @var{config}
15359 Return a service to run @uref{https://www.freedesktop.org/wiki/Software/kmscon,kmscon}
15360 according to @var{config}, a @code{<kmscon-configuration>} object, which
15361 specifies the tty to run, among other things.
15364 @deftp {Data Type} kmscon-configuration
15365 This is the data type representing the configuration of Kmscon, which
15366 implements virtual console log-in.
15370 @item @code{virtual-terminal}
15371 The name of the console this Kmscon runs on---e.g., @code{"tty1"}.
15373 @item @code{login-program} (default: @code{#~(string-append #$shadow "/bin/login")})
15374 A gexp denoting the name of the log-in program. The default log-in program is
15375 @command{login} from the Shadow tool suite.
15377 @item @code{login-arguments} (default: @code{'("-p")})
15378 A list of arguments to pass to @command{login}.
15380 @item @code{auto-login} (default: @code{#f})
15381 When passed a login name, as a string, the specified user will be logged
15382 in automatically without prompting for their login name or password.
15384 @item @code{hardware-acceleration?} (default: #f)
15385 Whether to use hardware acceleration.
15387 @item @code{font-engine} (default: @code{"pango"})
15388 Font engine used in Kmscon.
15390 @item @code{font-size} (default: @code{12})
15391 Font size used in Kmscon.
15393 @item @code{keyboard-layout} (default: @code{#f})
15394 If this is @code{#f}, Kmscon uses the default keyboard layout---usually US
15395 English (``qwerty'') for a 105-key PC keyboard.
15397 Otherwise this must be a @code{keyboard-layout} object specifying the
15398 keyboard layout. @xref{Keyboard Layout}, for more information on how to
15399 specify the keyboard layout.
15401 @item @code{kmscon} (default: @var{kmscon})
15402 The Kmscon package to use.
15407 @cindex name service cache daemon
15409 @deffn {Scheme Procedure} nscd-service [@var{config}] [#:glibc glibc] @
15410 [#:name-services '()]
15411 Return a service that runs the libc name service cache daemon (nscd) with the
15412 given @var{config}---an @code{<nscd-configuration>} object. @xref{Name
15413 Service Switch}, for an example.
15415 For convenience, the Shepherd service for nscd provides the following actions:
15419 @cindex cache invalidation, nscd
15420 @cindex nscd, cache invalidation
15421 This invalidate the given cache. For instance, running:
15424 herd invalidate nscd hosts
15428 invalidates the host name lookup cache of nscd.
15431 Running @command{herd statistics nscd} displays information about nscd usage
15437 @defvr {Scheme Variable} %nscd-default-configuration
15438 This is the default @code{<nscd-configuration>} value (see below) used
15439 by @code{nscd-service}. It uses the caches defined by
15440 @code{%nscd-default-caches}; see below.
15443 @deftp {Data Type} nscd-configuration
15444 This is the data type representing the name service cache daemon (nscd)
15449 @item @code{name-services} (default: @code{'()})
15450 List of packages denoting @dfn{name services} that must be visible to
15451 the nscd---e.g., @code{(list @var{nss-mdns})}.
15453 @item @code{glibc} (default: @var{glibc})
15454 Package object denoting the GNU C Library providing the @command{nscd}
15457 @item @code{log-file} (default: @code{"/var/log/nscd.log"})
15458 Name of the nscd log file. This is where debugging output goes when
15459 @code{debug-level} is strictly positive.
15461 @item @code{debug-level} (default: @code{0})
15462 Integer denoting the debugging levels. Higher numbers mean that more
15463 debugging output is logged.
15465 @item @code{caches} (default: @code{%nscd-default-caches})
15466 List of @code{<nscd-cache>} objects denoting things to be cached; see
15472 @deftp {Data Type} nscd-cache
15473 Data type representing a cache database of nscd and its parameters.
15477 @item @code{database}
15478 This is a symbol representing the name of the database to be cached.
15479 Valid values are @code{passwd}, @code{group}, @code{hosts}, and
15480 @code{services}, which designate the corresponding NSS database
15481 (@pxref{NSS Basics,,, libc, The GNU C Library Reference Manual}).
15483 @item @code{positive-time-to-live}
15484 @itemx @code{negative-time-to-live} (default: @code{20})
15485 A number representing the number of seconds during which a positive or
15486 negative lookup result remains in cache.
15488 @item @code{check-files?} (default: @code{#t})
15489 Whether to check for updates of the files corresponding to
15492 For instance, when @var{database} is @code{hosts}, setting this flag
15493 instructs nscd to check for updates in @file{/etc/hosts} and to take
15496 @item @code{persistent?} (default: @code{#t})
15497 Whether the cache should be stored persistently on disk.
15499 @item @code{shared?} (default: @code{#t})
15500 Whether the cache should be shared among users.
15502 @item @code{max-database-size} (default: 32@tie{}MiB)
15503 Maximum size in bytes of the database cache.
15505 @c XXX: 'suggested-size' and 'auto-propagate?' seem to be expert
15506 @c settings, so leave them out.
15511 @defvr {Scheme Variable} %nscd-default-caches
15512 List of @code{<nscd-cache>} objects used by default by
15513 @code{nscd-configuration} (see above).
15515 It enables persistent and aggressive caching of service and host name
15516 lookups. The latter provides better host name lookup performance,
15517 resilience in the face of unreliable name servers, and also better
15518 privacy---often the result of host name lookups is in local cache, so
15519 external name servers do not even need to be queried.
15522 @anchor{syslog-configuration-type}
15525 @deftp {Data Type} syslog-configuration
15526 This data type represents the configuration of the syslog daemon.
15529 @item @code{syslogd} (default: @code{#~(string-append #$inetutils "/libexec/syslogd")})
15530 The syslog daemon to use.
15532 @item @code{config-file} (default: @code{%default-syslog.conf})
15533 The syslog configuration file to use.
15538 @anchor{syslog-service}
15540 @deffn {Scheme Procedure} syslog-service @var{config}
15541 Return a service that runs a syslog daemon according to @var{config}.
15543 @xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more
15544 information on the configuration file syntax.
15547 @defvr {Scheme Variable} guix-service-type
15548 This is the type of the service that runs the build daemon,
15549 @command{guix-daemon} (@pxref{Invoking guix-daemon}). Its value must be a
15550 @code{guix-configuration} record as described below.
15553 @anchor{guix-configuration-type}
15554 @deftp {Data Type} guix-configuration
15555 This data type represents the configuration of the Guix build daemon.
15556 @xref{Invoking guix-daemon}, for more information.
15559 @item @code{guix} (default: @var{guix})
15560 The Guix package to use.
15562 @item @code{build-group} (default: @code{"guixbuild"})
15563 Name of the group for build user accounts.
15565 @item @code{build-accounts} (default: @code{10})
15566 Number of build user accounts to create.
15568 @item @code{authorize-key?} (default: @code{#t})
15569 @cindex substitutes, authorization thereof
15570 Whether to authorize the substitute keys listed in
15571 @code{authorized-keys}---by default that of
15572 @code{@value{SUBSTITUTE-SERVER-1}} and
15573 @code{@value{SUBSTITUTE-SERVER-2}}
15574 (@pxref{Substitutes}).
15576 When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
15577 changed by invoking @command{guix archive --authorize}. You must
15578 instead adjust @code{guix-configuration} as you wish and reconfigure the
15579 system. This ensures that your operating system configuration file is
15583 When booting or reconfiguring to a system where @code{authorize-key?}
15584 is true, the existing @file{/etc/guix/acl} file is backed up as
15585 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
15586 file. This is to facilitate migration from earlier versions, which
15587 allowed for in-place modifications to @file{/etc/guix/acl}.
15590 @vindex %default-authorized-guix-keys
15591 @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
15592 The list of authorized key files for archive imports, as a list of
15593 string-valued gexps (@pxref{Invoking guix archive}). By default, it
15594 contains that of @code{@value{SUBSTITUTE-SERVER-1}} and
15595 @code{@value{SUBSTITUTE-SERVER-2}} (@pxref{Substitutes}). See
15596 @code{substitute-urls} below for an example on how to change it.
15598 @item @code{use-substitutes?} (default: @code{#t})
15599 Whether to use substitutes.
15601 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
15602 The list of URLs where to look for substitutes by default.
15604 Suppose you would like to fetch substitutes from @code{guix.example.org}
15605 in addition to @code{@value{SUBSTITUTE-SERVER-1}}. You will need to do
15606 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
15607 and (2) authorize its signing key, having done appropriate checks
15608 (@pxref{Substitute Server Authorization}). The configuration below does
15612 (guix-configuration
15614 (append (list "https://guix.example.org")
15615 %default-substitute-urls))
15617 (append (list (local-file "./guix.example.org-key.pub"))
15618 %default-authorized-guix-keys)))
15621 This example assumes that the file @file{./guix.example.org-key.pub}
15622 contains the public key that @code{guix.example.org} uses to sign
15625 @item @code{max-silent-time} (default: @code{0})
15626 @itemx @code{timeout} (default: @code{0})
15627 The number of seconds of silence and the number of seconds of activity,
15628 respectively, after which a build process times out. A value of zero
15629 disables the timeout.
15631 @item @code{log-compression} (default: @code{'bzip2})
15632 The type of compression used for build logs---one of @code{gzip},
15633 @code{bzip2}, or @code{none}.
15635 @item @code{discover?} (default: @code{#f})
15636 Whether to discover substitute servers on the local network using mDNS
15639 @item @code{extra-options} (default: @code{'()})
15640 List of extra command-line options for @command{guix-daemon}.
15642 @item @code{log-file} (default: @code{"/var/log/guix-daemon.log"})
15643 File where @command{guix-daemon}'s standard output and standard error
15646 @cindex HTTP proxy, for @code{guix-daemon}
15647 @cindex proxy, for @code{guix-daemon} HTTP access
15648 @item @code{http-proxy} (default: @code{#f})
15649 The URL of the HTTP and HTTPS proxy used for downloading fixed-output
15650 derivations and substitutes.
15652 It is also possible to change the daemon's proxy at run time through the
15653 @code{set-http-proxy} action, which restarts it:
15656 herd set-http-proxy guix-daemon http://localhost:8118
15659 To clear the proxy settings, run:
15662 herd set-http-proxy guix-daemon
15665 @item @code{tmpdir} (default: @code{#f})
15666 A directory path where the @command{guix-daemon} will perform builds.
15671 @deffn {Scheme Procedure} udev-service [#:udev @var{eudev} #:rules @code{'()}]
15672 Run @var{udev}, which populates the @file{/dev} directory dynamically.
15673 udev rules can be provided as a list of files through the @var{rules}
15674 variable. The procedures @code{udev-rule}, @code{udev-rules-service}
15675 and @code{file->udev-rule} from @code{(gnu services base)} simplify the
15676 creation of such rule files.
15678 The @command{herd rules udev} command, as root, returns the name of the
15679 directory containing all the active udev rules.
15682 @deffn {Scheme Procedure} udev-rule [@var{file-name} @var{contents}]
15683 Return a udev-rule file named @var{file-name} containing the rules
15684 defined by the @var{contents} literal.
15686 In the following example, a rule for a USB device is defined to be
15687 stored in the file @file{90-usb-thing.rules}. The rule runs a script
15688 upon detecting a USB device with a given product identifier.
15691 (define %example-udev-rule
15693 "90-usb-thing.rules"
15694 (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
15695 "ATTR@{product@}==\"Example\", "
15696 "RUN+=\"/path/to/script\"")))
15700 @deffn {Scheme Procedure} udev-rules-service [@var{name} @var{rules}] @
15701 [#:groups @var{groups}]
15702 Return a service that extends @code{udev-service-type } with @var{rules}
15703 and @code{account-service-type} with @var{groups} as system groups.
15704 This works by creating a singleton service type
15705 @code{@var{name}-udev-rules}, of which the returned service is an
15708 Here we show how it can be used to extend @code{udev-service-type} with the
15709 previously defined rule @code{%example-udev-rule}.
15715 (cons (udev-rules-service 'usb-thing %example-udev-rule)
15716 %desktop-services)))
15720 @deffn {Scheme Procedure} file->udev-rule [@var{file-name} @var{file}]
15721 Return a udev file named @var{file-name} containing the rules defined
15722 within @var{file}, a file-like object.
15724 The following example showcases how we can use an existing rule file.
15727 (use-modules (guix download) ;for url-fetch
15728 (guix packages) ;for origin
15731 (define %android-udev-rules
15733 "51-android-udev.rules"
15734 (let ((version "20170910"))
15737 (uri (string-append "https://raw.githubusercontent.com/M0Rf30/"
15738 "android-udev-rules/" version "/51-android.rules"))
15740 (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))
15744 Additionally, Guix package definitions can be included in @var{rules} in
15745 order to extend the udev rules with the definitions found under their
15746 @file{lib/udev/rules.d} sub-directory. In lieu of the previous
15747 @var{file->udev-rule} example, we could have used the
15748 @var{android-udev-rules} package which exists in Guix in the @code{(gnu
15749 packages android)} module.
15751 The following example shows how to use the @var{android-udev-rules}
15752 package so that the Android tool @command{adb} can detect devices
15753 without root privileges. It also details how to create the
15754 @code{adbusers} group, which is required for the proper functioning of
15755 the rules defined within the @code{android-udev-rules} package. To
15756 create such a group, we must define it both as part of the
15757 @code{supplementary-groups} of our @code{user-account} declaration, as
15758 well as in the @var{groups} of the @code{udev-rules-service} procedure.
15761 (use-modules (gnu packages android) ;for android-udev-rules
15762 (gnu system shadow) ;for user-group
15767 (users (cons (user-account
15769 (supplementary-groups
15770 '("adbusers" ;for adb
15771 "wheel" "netdev" "audio" "video")))))
15774 (cons (udev-rules-service 'android android-udev-rules
15775 #:groups '("adbusers"))
15776 %desktop-services)))
15779 @defvr {Scheme Variable} urandom-seed-service-type
15780 Save some entropy in @code{%random-seed-file} to seed @file{/dev/urandom}
15781 when rebooting. It also tries to seed @file{/dev/urandom} from
15782 @file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
15786 @defvr {Scheme Variable} %random-seed-file
15787 This is the name of the file where some random bytes are saved by
15788 @var{urandom-seed-service} to seed @file{/dev/urandom} when rebooting.
15789 It defaults to @file{/var/lib/random-seed}.
15794 @defvr {Scheme Variable} gpm-service-type
15795 This is the type of the service that runs GPM, the @dfn{general-purpose
15796 mouse daemon}, which provides mouse support to the Linux console. GPM
15797 allows users to use the mouse in the console, notably to select, copy,
15800 The value for services of this type must be a @code{gpm-configuration}
15801 (see below). This service is not part of @code{%base-services}.
15804 @deftp {Data Type} gpm-configuration
15805 Data type representing the configuration of GPM.
15808 @item @code{options} (default: @code{%default-gpm-options})
15809 Command-line options passed to @command{gpm}. The default set of
15810 options instruct @command{gpm} to listen to mouse events on
15811 @file{/dev/input/mice}. @xref{Command Line,,, gpm, gpm manual}, for
15814 @item @code{gpm} (default: @code{gpm})
15815 The GPM package to use.
15820 @anchor{guix-publish-service-type}
15821 @deffn {Scheme Variable} guix-publish-service-type
15822 This is the service type for @command{guix publish} (@pxref{Invoking
15823 guix publish}). Its value must be a @code{guix-publish-configuration}
15824 object, as described below.
15826 This assumes that @file{/etc/guix} already contains a signing key pair as
15827 created by @command{guix archive --generate-key} (@pxref{Invoking guix
15828 archive}). If that is not the case, the service will fail to start.
15831 @deftp {Data Type} guix-publish-configuration
15832 Data type representing the configuration of the @code{guix publish}
15836 @item @code{guix} (default: @code{guix})
15837 The Guix package to use.
15839 @item @code{port} (default: @code{80})
15840 The TCP port to listen for connections.
15842 @item @code{host} (default: @code{"localhost"})
15843 The host (and thus, network interface) to listen to. Use
15844 @code{"0.0.0.0"} to listen on all the network interfaces.
15846 @item @code{advertise?} (default: @code{#f})
15847 When true, advertise the service on the local network @i{via} the DNS-SD
15848 protocol, using Avahi.
15850 This allows neighboring Guix devices with discovery on (see
15851 @code{guix-configuration} above) to discover this @command{guix publish}
15852 instance and to automatically download substitutes from it.
15854 @item @code{compression} (default: @code{'(("gzip" 3) ("zstd" 3))})
15855 This is a list of compression method/level tuple used when compressing
15856 substitutes. For example, to compress all substitutes with @emph{both} lzip
15857 at level 7 and gzip at level 9, write:
15860 '(("lzip" 7) ("gzip" 9))
15863 Level 9 achieves the best compression ratio at the expense of increased CPU
15864 usage, whereas level 1 achieves fast compression. @xref{Invoking guix
15865 publish}, for more information on the available compression methods and
15866 the tradeoffs involved.
15868 An empty list disables compression altogether.
15870 @item @code{nar-path} (default: @code{"nar"})
15871 The URL path at which ``nars'' can be fetched. @xref{Invoking guix
15872 publish, @option{--nar-path}}, for details.
15874 @item @code{cache} (default: @code{#f})
15875 When it is @code{#f}, disable caching and instead generate archives on
15876 demand. Otherwise, this should be the name of a directory---e.g.,
15877 @code{"/var/cache/guix/publish"}---where @command{guix publish} caches
15878 archives and meta-data ready to be sent. @xref{Invoking guix publish,
15879 @option{--cache}}, for more information on the tradeoffs involved.
15881 @item @code{workers} (default: @code{#f})
15882 When it is an integer, this is the number of worker threads used for
15883 caching; when @code{#f}, the number of processors is used.
15884 @xref{Invoking guix publish, @option{--workers}}, for more information.
15886 @item @code{cache-bypass-threshold} (default: 10 MiB)
15887 When @code{cache} is true, this is the maximum size in bytes of a store
15888 item for which @command{guix publish} may bypass its cache in case of a
15889 cache miss. @xref{Invoking guix publish,
15890 @option{--cache-bypass-threshold}}, for more information.
15892 @item @code{ttl} (default: @code{#f})
15893 When it is an integer, this denotes the @dfn{time-to-live} in seconds
15894 of the published archives. @xref{Invoking guix publish, @option{--ttl}},
15895 for more information.
15899 @anchor{rngd-service}
15900 @deffn {Scheme Procedure} rngd-service [#:rng-tools @var{rng-tools}] @
15901 [#:device "/dev/hwrng"]
15902 Return a service that runs the @command{rngd} program from @var{rng-tools}
15903 to add @var{device} to the kernel's entropy pool. The service will fail if
15904 @var{device} does not exist.
15907 @anchor{pam-limits-service}
15908 @cindex session limits
15914 @cindex open file descriptors
15915 @deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}]
15917 Return a service that installs a configuration file for the
15918 @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html,
15919 @code{pam_limits} module}. The procedure optionally takes a list of
15920 @code{pam-limits-entry} values, which can be used to specify
15921 @code{ulimit} limits and @code{nice} priority limits to user sessions.
15923 The following limits definition sets two hard and soft limits for all
15924 login sessions of users in the @code{realtime} group:
15927 (pam-limits-service
15929 (pam-limits-entry "@@realtime" 'both 'rtprio 99)
15930 (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
15933 The first entry increases the maximum realtime priority for
15934 non-privileged processes; the second entry lifts any restriction of the
15935 maximum address space that can be locked in memory. These settings are
15936 commonly used for real-time audio systems.
15938 Another useful example is raising the maximum number of open file
15939 descriptors that can be used:
15942 (pam-limits-service
15944 (pam-limits-entry "*" 'both 'nofile 100000)))
15947 In the above example, the asterisk means the limit should apply to any
15948 user. It is important to ensure the chosen value doesn't exceed the
15949 maximum system value visible in the @file{/proc/sys/fs/file-max} file,
15950 else the users would be prevented from login in. For more information
15951 about the Pluggable Authentication Module (PAM) limits, refer to the
15952 @samp{pam_limits} man page from the @code{linux-pam} package.
15955 @node Scheduled Job Execution
15956 @subsection Scheduled Job Execution
15960 @cindex scheduling jobs
15961 The @code{(gnu services mcron)} module provides an interface to
15962 GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,,
15963 mcron, GNU@tie{}mcron}). GNU@tie{}mcron is similar to the traditional
15964 Unix @command{cron} daemon; the main difference is that it is
15965 implemented in Guile Scheme, which provides a lot of flexibility when
15966 specifying the scheduling of jobs and their actions.
15968 The example below defines an operating system that runs the
15969 @command{updatedb} (@pxref{Invoking updatedb,,, find, Finding Files})
15970 and the @command{guix gc} commands (@pxref{Invoking guix gc}) daily, as
15971 well as the @command{mkid} command on behalf of an unprivileged user
15972 (@pxref{mkid invocation,,, idutils, ID Database Utilities}). It uses
15973 gexps to introduce job definitions that are passed to mcron
15974 (@pxref{G-Expressions}).
15977 (use-modules (guix) (gnu) (gnu services mcron))
15978 (use-package-modules base idutils)
15980 (define updatedb-job
15981 ;; Run 'updatedb' at 3AM every day. Here we write the
15982 ;; job's action as a Scheme procedure.
15983 #~(job '(next-hour '(3))
15985 (execl (string-append #$findutils "/bin/updatedb")
15987 "--prunepaths=/tmp /var/tmp /gnu/store"))
15990 (define garbage-collector-job
15991 ;; Collect garbage 5 minutes after midnight every day.
15992 ;; The job's action is a shell command.
15993 #~(job "5 0 * * *" ;Vixie cron syntax
15996 (define idutils-job
15997 ;; Update the index database as user "charlie" at 12:15PM
15998 ;; and 19:15PM. This runs from the user's home directory.
15999 #~(job '(next-minute-from (next-hour '(12 19)) '(15))
16000 (string-append #$idutils "/bin/mkid src")
16006 ;; %BASE-SERVICES already includes an instance of
16007 ;; 'mcron-service-type', which we extend with additional
16008 ;; jobs using 'simple-service'.
16009 (services (cons (simple-service 'my-cron-jobs
16011 (list garbage-collector-job
16018 When providing the action of a job specification as a procedure, you
16019 should provide an explicit name for the job via the optional 3rd
16020 argument as done in the @code{updatedb-job} example above. Otherwise,
16021 the job would appear as ``Lambda function'' in the output of
16022 @command{herd schedule mcron}, which is not nearly descriptive enough!
16025 For more complex jobs defined in Scheme where you need control over the top
16026 level, for instance to introduce a @code{use-modules} form, you can move your
16027 code to a separate program using the @code{program-file} procedure of the
16028 @code{(guix gexp)} module (@pxref{G-Expressions}). The example below
16032 (define %battery-alert-job
16033 ;; Beep when the battery percentage falls below %MIN-LEVEL.
16035 '(next-minute (range 0 60 1))
16037 "battery-alert.scm"
16038 (with-imported-modules (source-module-closure
16039 '((guix build utils)))
16041 (use-modules (guix build utils)
16044 (ice-9 textual-ports)
16047 (define %min-level 20)
16049 (setenv "LC_ALL" "C") ;ensure English output
16050 (and-let* ((input-pipe (open-pipe*
16052 #$(file-append acpi "/bin/acpi")))
16053 (output (get-string-all input-pipe))
16054 (m (string-match "Discharging, ([0-9]+)%" output))
16055 (level (string->number (match:substring m 1)))
16056 ((< level %min-level)))
16057 (format #t "warning: Battery level is low (~a%)~%" level)
16058 (invoke #$(file-append beep "/bin/beep") "-r5")))))))
16061 @xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron},
16062 for more information on mcron job specifications. Below is the
16063 reference of the mcron service.
16065 On a running system, you can use the @code{schedule} action of the service to
16066 visualize the mcron jobs that will be executed next:
16069 # herd schedule mcron
16073 The example above lists the next five tasks that will be executed, but you can
16074 also specify the number of tasks to display:
16077 # herd schedule mcron 10
16080 @defvr {Scheme Variable} mcron-service-type
16081 This is the type of the @code{mcron} service, whose value is an
16082 @code{mcron-configuration} object.
16084 This service type can be the target of a service extension that provides
16085 it additional job specifications (@pxref{Service Composition}). In
16086 other words, it is possible to define services that provide additional
16090 @deftp {Data Type} mcron-configuration
16091 Data type representing the configuration of mcron.
16094 @item @code{mcron} (default: @var{mcron})
16095 The mcron package to use.
16098 This is a list of gexps (@pxref{G-Expressions}), where each gexp
16099 corresponds to an mcron job specification (@pxref{Syntax, mcron job
16100 specifications,, mcron, GNU@tie{}mcron}).
16106 @subsection Log Rotation
16109 @cindex log rotation
16111 Log files such as those found in @file{/var/log} tend to grow endlessly,
16112 so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
16113 their contents in separate files, possibly compressed. The @code{(gnu
16114 services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
16115 log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).
16117 This service is part of @code{%base-services}, and thus enabled by
16118 default, with the default settings, for commonly encountered log files.
16119 The example below shows how to extend it with an additional
16120 @dfn{rotation}, should you need to do that (usually, services that
16121 produce log files already take care of that):
16124 (use-modules (guix) (gnu))
16125 (use-service-modules admin)
16127 (define my-log-files
16128 ;; Log files that I want to rotate.
16129 '("/var/log/something.log" "/var/log/another.log"))
16133 (services (cons (simple-service 'rotate-my-stuff
16134 rottlog-service-type
16135 (list (log-rotation
16137 (files my-log-files))))
16141 @defvr {Scheme Variable} rottlog-service-type
16142 This is the type of the Rottlog service, whose value is a
16143 @code{rottlog-configuration} object.
16145 Other services can extend this one with new @code{log-rotation} objects
16146 (see below), thereby augmenting the set of files to be rotated.
16148 This service type can define mcron jobs (@pxref{Scheduled Job
16149 Execution}) to run the rottlog service.
16152 @deftp {Data Type} rottlog-configuration
16153 Data type representing the configuration of rottlog.
16156 @item @code{rottlog} (default: @code{rottlog})
16157 The Rottlog package to use.
16159 @item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
16160 The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
16161 rottlog, GNU Rot[t]log Manual}).
16163 @item @code{rotations} (default: @code{%default-rotations})
16164 A list of @code{log-rotation} objects as defined below.
16167 This is a list of gexps where each gexp corresponds to an mcron job
16168 specification (@pxref{Scheduled Job Execution}).
16172 @deftp {Data Type} log-rotation
16173 Data type representing the rotation of a group of log files.
16175 Taking an example from the Rottlog manual (@pxref{Period Related File
16176 Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be
16182 (files '("/var/log/apache/*"))
16183 (options '("storedir apache-archives"
16189 The list of fields is as follows:
16192 @item @code{frequency} (default: @code{'weekly})
16193 The log rotation frequency, a symbol.
16196 The list of files or file glob patterns to rotate.
16198 @item @code{options} (default: @code{'()})
16199 The list of rottlog options for this rotation (@pxref{Configuration
16200 parameters,,, rottlog, GNU Rot[t]lg Manual}).
16202 @item @code{post-rotate} (default: @code{#f})
16203 Either @code{#f} or a gexp to execute once the rotation has completed.
16207 @defvr {Scheme Variable} %default-rotations
16208 Specifies weekly rotation of @code{%rotated-files} and of
16209 @file{/var/log/guix-daemon.log}.
16212 @defvr {Scheme Variable} %rotated-files
16213 The list of syslog-controlled files to be rotated. By default it is:
16214 @code{'("/var/log/messages" "/var/log/secure" "/var/log/debug" \
16215 "/var/log/maillog")}.
16218 @node Networking Services
16219 @subsection Networking Services
16221 The @code{(gnu services networking)} module provides services to configure
16222 the network interface.
16224 @cindex DHCP, networking service
16225 @defvr {Scheme Variable} dhcp-client-service-type
16226 This is the type of services that run @var{dhcp}, a Dynamic Host Configuration
16227 Protocol (DHCP) client, on all the non-loopback network interfaces. Its value
16228 is the DHCP client package to use, @code{isc-dhcp} by default.
16231 @deffn {Scheme Procedure} dhcpd-service-type
16232 This type defines a service that runs a DHCP daemon. To create a
16233 service of this type, you must supply a @code{<dhcpd-configuration>}.
16237 (service dhcpd-service-type
16238 (dhcpd-configuration
16239 (config-file (local-file "my-dhcpd.conf"))
16240 (interfaces '("enp0s25"))))
16244 @deftp {Data Type} dhcpd-configuration
16246 @item @code{package} (default: @code{isc-dhcp})
16247 The package that provides the DHCP daemon. This package is expected to
16248 provide the daemon at @file{sbin/dhcpd} relative to its output
16249 directory. The default package is the
16250 @uref{https://www.isc.org/products/DHCP, ISC's DHCP server}.
16251 @item @code{config-file} (default: @code{#f})
16252 The configuration file to use. This is required. It will be passed to
16253 @code{dhcpd} via its @code{-cf} option. This may be any ``file-like''
16254 object (@pxref{G-Expressions, file-like objects}). See @code{man
16255 dhcpd.conf} for details on the configuration file syntax.
16256 @item @code{version} (default: @code{"4"})
16257 The DHCP version to use. The ISC DHCP server supports the values ``4'',
16258 ``6'', and ``4o6''. These correspond to the @code{dhcpd} program
16259 options @code{-4}, @code{-6}, and @code{-4o6}. See @code{man dhcpd} for
16261 @item @code{run-directory} (default: @code{"/run/dhcpd"})
16262 The run directory to use. At service activation time, this directory
16263 will be created if it does not exist.
16264 @item @code{pid-file} (default: @code{"/run/dhcpd/dhcpd.pid"})
16265 The PID file to use. This corresponds to the @code{-pf} option of
16266 @code{dhcpd}. See @code{man dhcpd} for details.
16267 @item @code{interfaces} (default: @code{'()})
16268 The names of the network interfaces on which dhcpd should listen for
16269 broadcasts. If this list is not empty, then its elements (which must be
16270 strings) will be appended to the @code{dhcpd} invocation when starting
16271 the daemon. It may not be necessary to explicitly specify any
16272 interfaces here; see @code{man dhcpd} for details.
16276 @defvr {Scheme Variable} static-networking-service-type
16277 This is the type for statically-configured network interfaces.
16278 @c TODO Document <static-networking> data structures.
16281 @deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @
16282 [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] @
16283 [#:requirement @code{'(udev)}]
16284 Return a service that starts @var{interface} with address @var{ip}. If
16285 @var{netmask} is true, use it as the network mask. If @var{gateway} is true,
16286 it must be a string specifying the default network gateway. @var{requirement}
16287 can be used to declare a dependency on another service before configuring the
16290 This procedure can be called several times, one for each network
16291 interface of interest. Behind the scenes what it does is extend
16292 @code{static-networking-service-type} with additional network interfaces
16298 (static-networking-service "eno1" "192.168.1.82"
16299 #:gateway "192.168.1.2"
16300 #:name-servers '("192.168.1.2"))
16307 @cindex network management
16308 @deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
16309 Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
16310 management daemon that aims to simplify wired and wireless networking.
16312 This service adds the @var{wicd} package to the global profile, providing
16313 several commands to interact with the daemon and configure networking:
16314 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
16315 and @command{wicd-curses} user interfaces.
16318 @cindex ModemManager
16320 @defvr {Scheme Variable} modem-manager-service-type
16321 This is the service type for the
16322 @uref{https://wiki.gnome.org/Projects/ModemManager, ModemManager}
16323 service. The value for this service type is a
16324 @code{modem-manager-configuration} record.
16326 This service is part of @code{%desktop-services} (@pxref{Desktop
16330 @deftp {Data Type} modem-manager-configuration
16331 Data type representing the configuration of ModemManager.
16334 @item @code{modem-manager} (default: @code{modem-manager})
16335 The ModemManager package to use.
16340 @cindex USB_ModeSwitch
16341 @cindex Modeswitching
16343 @defvr {Scheme Variable} usb-modeswitch-service-type
16344 This is the service type for the
16345 @uref{https://www.draisberghof.de/usb_modeswitch/, USB_ModeSwitch}
16346 service. The value for this service type is
16347 a @code{usb-modeswitch-configuration} record.
16349 When plugged in, some USB modems (and other USB devices) initially present
16350 themselves as a read-only storage medium and not as a modem. They need to be
16351 @dfn{modeswitched} before they are usable. The USB_ModeSwitch service type
16352 installs udev rules to automatically modeswitch these devices when they are
16355 This service is part of @code{%desktop-services} (@pxref{Desktop
16359 @deftp {Data Type} usb-modeswitch-configuration
16360 Data type representing the configuration of USB_ModeSwitch.
16363 @item @code{usb-modeswitch} (default: @code{usb-modeswitch})
16364 The USB_ModeSwitch package providing the binaries for modeswitching.
16366 @item @code{usb-modeswitch-data} (default: @code{usb-modeswitch-data})
16367 The package providing the device data and udev rules file used by
16370 @item @code{config-file} (default: @code{#~(string-append #$usb-modeswitch:dispatcher "/etc/usb_modeswitch.conf")})
16371 Which config file to use for the USB_ModeSwitch dispatcher. By default the
16372 config file shipped with USB_ModeSwitch is used which disables logging to
16373 @file{/var/log} among other default settings. If set to @code{#f}, no config
16379 @cindex NetworkManager
16381 @defvr {Scheme Variable} network-manager-service-type
16382 This is the service type for the
16383 @uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager}
16384 service. The value for this service type is a
16385 @code{network-manager-configuration} record.
16387 This service is part of @code{%desktop-services} (@pxref{Desktop
16391 @deftp {Data Type} network-manager-configuration
16392 Data type representing the configuration of NetworkManager.
16395 @item @code{network-manager} (default: @code{network-manager})
16396 The NetworkManager package to use.
16398 @item @code{dns} (default: @code{"default"})
16399 Processing mode for DNS, which affects how NetworkManager uses the
16400 @code{resolv.conf} configuration file.
16404 NetworkManager will update @code{resolv.conf} to reflect the nameservers
16405 provided by currently active connections.
16408 NetworkManager will run @code{dnsmasq} as a local caching nameserver, using a
16409 @dfn{conditional forwarding} configuration if you are connected to a VPN, and
16410 then update @code{resolv.conf} to point to the local nameserver.
16412 With this setting, you can share your network connection. For example when
16413 you want to share your network connection to another laptop @i{via} an
16414 Ethernet cable, you can open @command{nm-connection-editor} and configure the
16415 Wired connection's method for IPv4 and IPv6 to be ``Shared to other computers''
16416 and reestablish the connection (or reboot).
16418 You can also set up a @dfn{host-to-guest connection} to QEMU VMs
16419 (@pxref{Installing Guix in a VM}). With a host-to-guest connection, you can
16420 e.g.@: access a Web server running on the VM (@pxref{Web Services}) from a Web
16421 browser on your host system, or connect to the VM @i{via} SSH
16422 (@pxref{Networking Services, @code{openssh-service-type}}). To set up a
16423 host-to-guest connection, run this command once:
16426 nmcli connection add type tun \
16427 connection.interface-name tap0 \
16428 tun.mode tap tun.owner $(id -u) \
16429 ipv4.method shared \
16430 ipv4.addresses 172.28.112.1/24
16433 Then each time you launch your QEMU VM (@pxref{Running Guix in a VM}), pass
16434 @option{-nic tap,ifname=tap0,script=no,downscript=no} to
16435 @command{qemu-system-...}.
16438 NetworkManager will not modify @code{resolv.conf}.
16441 @item @code{vpn-plugins} (default: @code{'()})
16442 This is the list of available plugins for virtual private networks
16443 (VPNs). An example of this is the @code{network-manager-openvpn}
16444 package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.
16450 @deffn {Scheme Variable} connman-service-type
16451 This is the service type to run @url{https://01.org/connman,Connman},
16452 a network connection manager.
16454 Its value must be an
16455 @code{connman-configuration} record as in this example:
16458 (service connman-service-type
16459 (connman-configuration
16460 (disable-vpn? #t)))
16463 See below for details about @code{connman-configuration}.
16466 @deftp {Data Type} connman-configuration
16467 Data Type representing the configuration of connman.
16470 @item @code{connman} (default: @var{connman})
16471 The connman package to use.
16473 @item @code{disable-vpn?} (default: @code{#f})
16474 When true, disable connman's vpn plugin.
16478 @cindex WPA Supplicant
16479 @defvr {Scheme Variable} wpa-supplicant-service-type
16480 This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
16481 supplicant}, an authentication daemon required to authenticate against
16482 encrypted WiFi or ethernet networks.
16485 @deftp {Data Type} wpa-supplicant-configuration
16486 Data type representing the configuration of WPA Supplicant.
16488 It takes the following parameters:
16491 @item @code{wpa-supplicant} (default: @code{wpa-supplicant})
16492 The WPA Supplicant package to use.
16494 @item @code{requirement} (default: @code{'(user-processes loopback syslogd)}
16495 List of services that should be started before WPA Supplicant starts.
16497 @item @code{dbus?} (default: @code{#t})
16498 Whether to listen for requests on D-Bus.
16500 @item @code{pid-file} (default: @code{"/var/run/wpa_supplicant.pid"})
16501 Where to store the PID file.
16503 @item @code{interface} (default: @code{#f})
16504 If this is set, it must specify the name of a network interface that
16505 WPA supplicant will control.
16507 @item @code{config-file} (default: @code{#f})
16508 Optional configuration file to use.
16510 @item @code{extra-options} (default: @code{'()})
16511 List of additional command-line arguments to pass to the daemon.
16515 @cindex hostapd service, for Wi-Fi access points
16516 @cindex Wi-Fi access points, hostapd service
16517 @defvr {Scheme Variable} hostapd-service-type
16518 This is the service type to run the @uref{https://w1.fi/hostapd/,
16519 hostapd} daemon to set up WiFi (IEEE 802.11) access points and
16520 authentication servers. Its associated value must be a
16521 @code{hostapd-configuration} as shown below:
16524 ;; Use wlan1 to run the access point for "My Network".
16525 (service hostapd-service-type
16526 (hostapd-configuration
16527 (interface "wlan1")
16528 (ssid "My Network")
16533 @deftp {Data Type} hostapd-configuration
16534 This data type represents the configuration of the hostapd service, with
16535 the following fields:
16538 @item @code{package} (default: @code{hostapd})
16539 The hostapd package to use.
16541 @item @code{interface} (default: @code{"wlan0"})
16542 The network interface to run the WiFi access point.
16545 The SSID (@dfn{service set identifier}), a string that identifies this
16548 @item @code{broadcast-ssid?} (default: @code{#t})
16549 Whether to broadcast this SSID.
16551 @item @code{channel} (default: @code{1})
16552 The WiFi channel to use.
16554 @item @code{driver} (default: @code{"nl80211"})
16555 The driver interface type. @code{"nl80211"} is used with all Linux
16556 mac80211 drivers. Use @code{"none"} if building hostapd as a standalone
16557 RADIUS server that does # not control any wireless/wired driver.
16559 @item @code{extra-settings} (default: @code{""})
16560 Extra settings to append as-is to the hostapd configuration file. See
16561 @uref{https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf} for the
16562 configuration file reference.
16566 @defvr {Scheme Variable} simulated-wifi-service-type
16567 This is the type of a service to simulate WiFi networking, which can be
16568 useful in virtual machines for testing purposes. The service loads the
16570 @uref{https://www.kernel.org/doc/html/latest/networking/mac80211_hwsim/mac80211_hwsim.html,
16571 @code{mac80211_hwsim} module} and starts hostapd to create a pseudo WiFi
16572 network that can be seen on @code{wlan0}, by default.
16574 The service's value is a @code{hostapd-configuration} record.
16578 @defvr {Scheme Variable} iptables-service-type
16579 This is the service type to set up an iptables configuration. iptables is a
16580 packet filtering framework supported by the Linux kernel. This service
16581 supports configuring iptables for both IPv4 and IPv6. A simple example
16582 configuration rejecting all incoming connections except those to the ssh port
16586 (service iptables-service-type
16587 (iptables-configuration
16588 (ipv4-rules (plain-file "iptables.rules" "*filter
16592 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
16593 -A INPUT -p tcp --dport 22 -j ACCEPT
16594 -A INPUT -j REJECT --reject-with icmp-port-unreachable
16597 (ipv6-rules (plain-file "ip6tables.rules" "*filter
16601 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
16602 -A INPUT -p tcp --dport 22 -j ACCEPT
16603 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
16609 @deftp {Data Type} iptables-configuration
16610 The data type representing the configuration of iptables.
16613 @item @code{iptables} (default: @code{iptables})
16614 The iptables package that provides @code{iptables-restore} and
16615 @code{ip6tables-restore}.
16616 @item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules})
16617 The iptables rules to use. It will be passed to @code{iptables-restore}.
16618 This may be any ``file-like'' object (@pxref{G-Expressions, file-like
16620 @item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules})
16621 The ip6tables rules to use. It will be passed to @code{ip6tables-restore}.
16622 This may be any ``file-like'' object (@pxref{G-Expressions, file-like
16628 @defvr {Scheme Variable} nftables-service-type
16629 This is the service type to set up a nftables configuration. nftables is a
16630 netfilter project that aims to replace the existing iptables, ip6tables,
16631 arptables and ebtables framework. It provides a new packet filtering
16632 framework, a new user-space utility @command{nft}, and a compatibility layer
16633 for iptables. This service comes with a default ruleset
16634 @code{%default-nftables-ruleset} that rejecting all incoming connections
16635 except those to the ssh port 22. To use it, simply write:
16638 (service nftables-service-type)
16642 @deftp {Data Type} nftables-configuration
16643 The data type representing the configuration of nftables.
16646 @item @code{package} (default: @code{nftables})
16647 The nftables package that provides @command{nft}.
16648 @item @code{ruleset} (default: @code{%default-nftables-ruleset})
16649 The nftables ruleset to use. This may be any ``file-like'' object
16650 (@pxref{G-Expressions, file-like objects}).
16654 @cindex NTP (Network Time Protocol), service
16655 @cindex ntpd, service for the Network Time Protocol daemon
16656 @cindex real time clock
16657 @defvr {Scheme Variable} ntp-service-type
16658 This is the type of the service running the @uref{https://www.ntp.org,
16659 Network Time Protocol (NTP)} daemon, @command{ntpd}. The daemon will keep the
16660 system clock synchronized with that of the specified NTP servers.
16662 The value of this service is an @code{ntpd-configuration} object, as described
16666 @deftp {Data Type} ntp-configuration
16667 This is the data type for the NTP service configuration.
16670 @item @code{servers} (default: @code{%ntp-servers})
16671 This is the list of servers (@code{<ntp-server>} records) with which
16672 @command{ntpd} will be synchronized. See the @code{ntp-server} data type
16675 @item @code{allow-large-adjustment?} (default: @code{#t})
16676 This determines whether @command{ntpd} is allowed to make an initial
16677 adjustment of more than 1,000 seconds.
16679 @item @code{ntp} (default: @code{ntp})
16680 The NTP package to use.
16684 @defvr {Scheme Variable} %ntp-servers
16685 List of host names used as the default NTP servers. These are servers of the
16686 @uref{https://www.ntppool.org/en/, NTP Pool Project}.
16689 @deftp {Data Type} ntp-server
16690 The data type representing the configuration of a NTP server.
16693 @item @code{type} (default: @code{'server})
16694 The type of the NTP server, given as a symbol. One of @code{'pool},
16695 @code{'server}, @code{'peer}, @code{'broadcast} or @code{'manycastclient}.
16697 @item @code{address}
16698 The address of the server, as a string.
16700 @item @code{options}
16701 NTPD options to use with that specific server, given as a list of option names
16702 and/or of option names and values tuples. The following example define a server
16703 to use with the options @option{iburst} and @option{prefer}, as well as
16704 @option{version} 3 and a @option{maxpoll} time of 16 seconds.
16709 (address "some.ntp.server.org")
16710 (options `(iburst (version 3) (maxpoll 16) prefer))))
16716 @deffn {Scheme Procedure} openntpd-service-type
16717 Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as implemented
16718 by @uref{http://www.openntpd.org, OpenNTPD}. The daemon will keep the system
16719 clock synchronized with that of the given servers.
16723 openntpd-service-type
16724 (openntpd-configuration
16725 (listen-on '("127.0.0.1" "::1"))
16726 (sensor '("udcf0 correction 70000"))
16727 (constraint-from '("www.gnu.org"))
16728 (constraints-from '("https://www.google.com/"))))
16733 @defvr {Scheme Variable} %openntpd-servers
16734 This variable is a list of the server addresses defined in
16735 @code{%ntp-servers}.
16738 @deftp {Data Type} openntpd-configuration
16740 @item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")})
16741 The openntpd executable to use.
16742 @item @code{listen-on} (default: @code{'("127.0.0.1" "::1")})
16743 A list of local IP addresses or hostnames the ntpd daemon should listen on.
16744 @item @code{query-from} (default: @code{'()})
16745 A list of local IP address the ntpd daemon should use for outgoing queries.
16746 @item @code{sensor} (default: @code{'()})
16747 Specify a list of timedelta sensor devices ntpd should use. @code{ntpd}
16748 will listen to each sensor that actually exists and ignore non-existent ones.
16749 See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for more
16751 @item @code{server} (default: @code{'()})
16752 Specify a list of IP addresses or hostnames of NTP servers to synchronize to.
16753 @item @code{servers} (default: @code{%openntp-servers})
16754 Specify a list of IP addresses or hostnames of NTP pools to synchronize to.
16755 @item @code{constraint-from} (default: @code{'()})
16756 @code{ntpd} can be configured to query the ‘Date’ from trusted HTTPS servers via TLS.
16757 This time information is not used for precision but acts as an authenticated
16758 constraint, thereby reducing the impact of unauthenticated NTP
16759 man-in-the-middle attacks.
16760 Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide
16762 @item @code{constraints-from} (default: @code{'()})
16763 As with constraint from, specify a list of URLs, IP addresses or hostnames of
16764 HTTPS servers to provide a constraint. Should the hostname resolve to multiple
16765 IP addresses, @code{ntpd} will calculate a median constraint from all of them.
16770 @deffn {Scheme variable} inetd-service-type
16771 This service runs the @command{inetd} (@pxref{inetd invocation,,,
16772 inetutils, GNU Inetutils}) daemon. @command{inetd} listens for
16773 connections on internet sockets, and lazily starts the specified server
16774 program when a connection is made on one of these sockets.
16776 The value of this service is an @code{inetd-configuration} object. The
16777 following example configures the @command{inetd} daemon to provide the
16778 built-in @command{echo} service, as well as an smtp service which
16779 forwards smtp traffic over ssh to a server @code{smtp-server} behind a
16780 gateway @code{hostname}:
16785 (inetd-configuration
16789 (socket-type 'stream)
16796 (socket-type 'stream)
16800 (program (file-append openssh "/bin/ssh"))
16802 '("ssh" "-qT" "-i" "/path/to/ssh_key"
16803 "-W" "smtp-server:25" "user@@hostname")))))))
16806 See below for more details about @code{inetd-configuration}.
16809 @deftp {Data Type} inetd-configuration
16810 Data type representing the configuration of @command{inetd}.
16813 @item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")})
16814 The @command{inetd} executable to use.
16816 @item @code{entries} (default: @code{'()})
16817 A list of @command{inetd} service entries. Each entry should be created
16818 by the @code{inetd-entry} constructor.
16822 @deftp {Data Type} inetd-entry
16823 Data type representing an entry in the @command{inetd} configuration.
16824 Each entry corresponds to a socket where @command{inetd} will listen for
16828 @item @code{node} (default: @code{#f})
16829 Optional string, a comma-separated list of local addresses
16830 @command{inetd} should use when listening for this service.
16831 @xref{Configuration file,,, inetutils, GNU Inetutils} for a complete
16832 description of all options.
16834 A string, the name must correspond to an entry in @code{/etc/services}.
16835 @item @code{socket-type}
16836 One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or
16838 @item @code{protocol}
16839 A string, must correspond to an entry in @code{/etc/protocols}.
16840 @item @code{wait?} (default: @code{#t})
16841 Whether @command{inetd} should wait for the server to exit before
16842 listening to new service requests.
16844 A string containing the user (and, optionally, group) name of the user
16845 as whom the server should run. The group name can be specified in a
16846 suffix, separated by a colon or period, i.e.@: @code{"user"},
16847 @code{"user:group"} or @code{"user.group"}.
16848 @item @code{program} (default: @code{"internal"})
16849 The server program which will serve the requests, or @code{"internal"}
16850 if @command{inetd} should use a built-in service.
16851 @item @code{arguments} (default: @code{'()})
16852 A list strings or file-like objects, which are the server program's
16853 arguments, starting with the zeroth argument, i.e.@: the name of the
16854 program itself. For @command{inetd}'s internal services, this entry
16855 must be @code{'()} or @code{'("internal")}.
16858 @xref{Configuration file,,, inetutils, GNU Inetutils} for a more
16859 detailed discussion of each configuration field.
16862 @cindex opendht, distributed hash table network service
16863 @cindex dhtproxy, for use with jami
16864 @defvr {Scheme Variable} opendht-service-type
16865 This is the type of the service running a @uref{https://opendht.net,
16866 OpenDHT} node, @command{dhtnode}. The daemon can be used to host your
16867 own proxy service to the distributed hash table (DHT), for example to
16868 connect to with Jami, among other applications.
16870 @quotation Important
16871 When using the OpenDHT proxy server, the IP addresses it ``sees'' from
16872 the clients should be addresses reachable from other peers. In practice
16873 this means that a publicly reachable address is best suited for a proxy
16874 server, outside of your private network. For example, hosting the proxy
16875 server on a IPv4 private local network and exposing it via port
16876 forwarding could work for external peers, but peers local to the proxy
16877 would have their private addresses shared with the external peers,
16878 leading to connectivity problems.
16881 The value of this service is a @code{opendht-configuration} object, as
16885 @deftp {Data Type} opendht-configuration
16886 This is the data type for the OpenDHT service configuration.
16888 @c The fields documentation has been auto-generated using the
16889 @c configuration->documentation procedure from
16890 @c (gnu services configuration).
16891 Available @code{opendht-configuration} fields are:
16893 @deftypevr {@code{opendht-configuration} parameter} package opendht
16894 The @code{opendht} package to use.
16898 @deftypevr {@code{opendht-configuration} parameter} boolean peer-discovery?
16899 Whether to enable the multicast local peer discovery mechanism.
16901 Defaults to @samp{#f}.
16905 @deftypevr {@code{opendht-configuration} parameter} boolean enable-logging?
16906 Whether to enable logging messages to syslog. It is disabled by default
16907 as it is rather verbose.
16909 Defaults to @samp{#f}.
16913 @deftypevr {@code{opendht-configuration} parameter} boolean debug?
16914 Whether to enable debug-level logging messages. This has no effect if
16915 logging is disabled.
16917 Defaults to @samp{#f}.
16921 @deftypevr {@code{opendht-configuration} parameter} maybe-string bootstrap-host
16922 The node host name that is used to make the first connection to the
16923 network. A specific port value can be provided by appending the
16924 @code{:PORT} suffix. By default, it uses the Jami bootstrap nodes, but
16925 any host can be specified here. It's also possible to disable
16926 bootsrapping by setting this to the @code{'disabled} symbol.
16928 Defaults to @samp{"bootstrap.jami.net:4222"}.
16932 @deftypevr {@code{opendht-configuration} parameter} maybe-number port
16933 The UDP port to bind to. When set to @code{'disabled}, an available
16934 port is automatically selected.
16936 Defaults to @samp{4222}.
16940 @deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port
16941 Spawn a proxy server listening on the specified port.
16943 Defaults to @samp{disabled}.
16947 @deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port-tls
16948 Spawn a proxy server listening to TLS connections on the specified port.
16950 Defaults to @samp{disabled}.
16956 @defvr {Scheme Variable} tor-service-type
16957 This is the type for a service that runs the @uref{https://torproject.org,
16958 Tor} anonymous networking daemon. The service is configured using a
16959 @code{<tor-configuration>} record. By default, the Tor daemon runs as the
16960 @code{tor} unprivileged user, which is a member of the @code{tor} group.
16964 @deftp {Data Type} tor-configuration
16966 @item @code{tor} (default: @code{tor})
16967 The package that provides the Tor daemon. This package is expected to provide
16968 the daemon at @file{bin/tor} relative to its output directory. The default
16969 package is the @uref{https://www.torproject.org, Tor Project's}
16972 @item @code{config-file} (default: @code{(plain-file "empty" "")})
16973 The configuration file to use. It will be appended to a default configuration
16974 file, and the final configuration file will be passed to @code{tor} via its
16975 @code{-f} option. This may be any ``file-like'' object (@pxref{G-Expressions,
16976 file-like objects}). See @code{man tor} for details on the configuration file
16979 @item @code{hidden-services} (default: @code{'()})
16980 The list of @code{<hidden-service>} records to use. For any hidden service
16981 you include in this list, appropriate configuration to enable the hidden
16982 service will be automatically added to the default configuration file. You
16983 may conveniently create @code{<hidden-service>} records using the
16984 @code{tor-hidden-service} procedure described below.
16986 @item @code{socks-socket-type} (default: @code{'tcp})
16987 The default socket type that Tor should use for its SOCKS socket. This must
16988 be either @code{'tcp} or @code{'unix}. If it is @code{'tcp}, then by default
16989 Tor will listen on TCP port 9050 on the loopback interface (i.e., localhost).
16990 If it is @code{'unix}, then Tor will listen on the UNIX domain socket
16991 @file{/var/run/tor/socks-sock}, which will be made writable by members of the
16994 If you want to customize the SOCKS socket in more detail, leave
16995 @code{socks-socket-type} at its default value of @code{'tcp} and use
16996 @code{config-file} to override the default by providing your own
16997 @code{SocksPort} option.
16999 @item @code{control-socket?} (default: @code{#f})
17000 Whether or not to provide a ``control socket'' by which Tor can be
17001 controlled to, for instance, dynamically instantiate tor onion services.
17002 If @code{#t}, Tor will listen for control commands on the UNIX domain socket
17003 @file{/var/run/tor/control-sock}, which will be made writable by members of the
17009 @cindex hidden service
17010 @deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping}
17011 Define a new Tor @dfn{hidden service} called @var{name} and implementing
17012 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
17015 '((22 "127.0.0.1:22")
17016 (80 "127.0.0.1:8080"))
17019 In this example, port 22 of the hidden service is mapped to local port 22, and
17020 port 80 is mapped to local port 8080.
17022 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
17023 the @file{hostname} file contains the @code{.onion} host name for the hidden
17026 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
17027 project's documentation} for more information.
17030 The @code{(gnu services rsync)} module provides the following services:
17032 You might want an rsync daemon if you have files that you want available
17033 so anyone (or just yourself) can download existing files or upload new
17036 @deffn {Scheme Variable} rsync-service-type
17037 This is the service type for the @uref{https://rsync.samba.org, rsync} daemon,
17038 The value for this service type is a
17039 @command{rsync-configuration} record as in this example:
17042 (service rsync-service-type)
17045 See below for details about @code{rsync-configuration}.
17048 @deftp {Data Type} rsync-configuration
17049 Data type representing the configuration for @code{rsync-service}.
17052 @item @code{package} (default: @var{rsync})
17053 @code{rsync} package to use.
17055 @item @code{port-number} (default: @code{873})
17056 TCP port on which @command{rsync} listens for incoming connections. If port
17057 is less than @code{1024} @command{rsync} needs to be started as the
17058 @code{root} user and group.
17060 @item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"})
17061 Name of the file where @command{rsync} writes its PID.
17063 @item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"})
17064 Name of the file where @command{rsync} writes its lock file.
17066 @item @code{log-file} (default: @code{"/var/log/rsyncd.log"})
17067 Name of the file where @command{rsync} writes its log file.
17069 @item @code{use-chroot?} (default: @var{#t})
17070 Whether to use chroot for @command{rsync} shared directory.
17072 @item @code{share-path} (default: @file{/srv/rsync})
17073 Location of the @command{rsync} shared directory.
17075 @item @code{share-comment} (default: @code{"Rsync share"})
17076 Comment of the @command{rsync} shared directory.
17078 @item @code{read-only?} (default: @var{#f})
17079 Read-write permissions to shared directory.
17081 @item @code{timeout} (default: @code{300})
17082 I/O timeout in seconds.
17084 @item @code{user} (default: @var{"root"})
17085 Owner of the @code{rsync} process.
17087 @item @code{group} (default: @var{"root"})
17088 Group of the @code{rsync} process.
17090 @item @code{uid} (default: @var{"rsyncd"})
17091 User name or user ID that file transfers to and from that module should take
17092 place as when the daemon was run as @code{root}.
17094 @item @code{gid} (default: @var{"rsyncd"})
17095 Group name or group ID that will be used when accessing the module.
17100 The @code{(gnu services syncthing)} module provides the following services:
17103 You might want a syncthing daemon if you have files between two or more
17104 computers and want to sync them in real time, safely protected from
17107 @deffn {Scheme Variable} syncthing-service-type
17108 This is the service type for the @uref{https://syncthing.net/,
17109 syncthing} daemon, The value for this service type is a
17110 @command{syncthing-configuration} record as in this example:
17113 (service syncthing-service-type
17114 (syncthing-configuration (user "alice")))
17117 See below for details about @code{syncthing-configuration}.
17119 @deftp {Data Type} syncthing-configuration
17120 Data type representing the configuration for @code{syncthing-service-type}.
17123 @item @code{syncthing} (default: @var{syncthing})
17124 @code{syncthing} package to use.
17126 @item @code{arguments} (default: @var{'()})
17127 List of command-line arguments passing to @code{syncthing} binary.
17129 @item @code{logflags} (default: @var{0})
17130 Sum of logging flags, see
17131 @uref{https://docs.syncthing.net/users/syncthing.html#cmdoption-logflags, Syncthing documentation logflags}.
17133 @item @code{user} (default: @var{#f})
17134 The user as which the Syncthing service is to be run.
17135 This assumes that the specified user exists.
17137 @item @code{group} (default: @var{"users"})
17138 The group as which the Syncthing service is to be run.
17139 This assumes that the specified group exists.
17141 @item @code{home} (default: @var{#f})
17142 Common configuration and data directory. The default configuration
17143 directory is @file{$HOME} of the specified Syncthing @code{user}.
17149 Furthermore, @code{(gnu services ssh)} provides the following services.
17153 @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
17154 [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
17155 [#:allow-empty-passwords? #f] [#:root-login? #f] @
17156 [#:syslog-output? #t] [#:x11-forwarding? #t] @
17157 [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @
17158 [#:public-key-authentication? #t] [#:initialize? #t]
17159 Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
17160 @var{host-key} must designate a file containing the host key, and readable
17163 When @var{daemonic?} is true, @command{lshd} will detach from the
17164 controlling terminal and log its output to syslogd, unless one sets
17165 @var{syslog-output?} to false. Obviously, it also makes lsh-service
17166 depend on existence of syslogd service. When @var{pid-file?} is true,
17167 @command{lshd} writes its PID to the file called @var{pid-file}.
17169 When @var{initialize?} is true, automatically create the seed and host key
17170 upon service activation if they do not exist yet. This may take long and
17171 require interaction.
17173 When @var{initialize?} is false, it is up to the user to initialize the
17174 randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
17175 a key pair with the private key stored in file @var{host-key} (@pxref{lshd
17176 basics,,, lsh, LSH Manual}).
17178 When @var{interfaces} is empty, lshd listens for connections on all the
17179 network interfaces; otherwise, @var{interfaces} must be a list of host names
17182 @var{allow-empty-passwords?} specifies whether to accept log-ins with empty
17183 passwords, and @var{root-login?} specifies whether to accept log-ins as
17186 The other options should be self-descriptive.
17191 @deffn {Scheme Variable} openssh-service-type
17192 This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
17193 shell daemon, @command{sshd}. Its value must be an
17194 @code{openssh-configuration} record as in this example:
17197 (service openssh-service-type
17198 (openssh-configuration
17199 (x11-forwarding? #t)
17200 (permit-root-login 'prohibit-password)
17202 `(("alice" ,(local-file "alice.pub"))
17203 ("bob" ,(local-file "bob.pub"))))))
17206 See below for details about @code{openssh-configuration}.
17208 This service can be extended with extra authorized keys, as in this
17212 (service-extension openssh-service-type
17213 (const `(("charlie"
17214 ,(local-file "charlie.pub")))))
17218 @deftp {Data Type} openssh-configuration
17219 This is the configuration record for OpenSSH's @command{sshd}.
17222 @item @code{openssh} (default @var{openssh})
17223 The Openssh package to use.
17225 @item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
17226 Name of the file where @command{sshd} writes its PID.
17228 @item @code{port-number} (default: @code{22})
17229 TCP port on which @command{sshd} listens for incoming connections.
17231 @item @code{permit-root-login} (default: @code{#f})
17232 This field determines whether and when to allow logins as root. If
17233 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
17234 If it's the symbol @code{'prohibit-password}, then root logins are
17235 permitted but not with password-based authentication.
17237 @item @code{allow-empty-passwords?} (default: @code{#f})
17238 When true, users with empty passwords may log in. When false, they may
17241 @item @code{password-authentication?} (default: @code{#t})
17242 When true, users may log in with their password. When false, they have
17243 other authentication methods.
17245 @item @code{public-key-authentication?} (default: @code{#t})
17246 When true, users may log in using public key authentication. When
17247 false, users have to use other authentication method.
17249 Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
17250 This is used only by protocol version 2.
17252 @item @code{x11-forwarding?} (default: @code{#f})
17253 When true, forwarding of X11 graphical client connections is
17254 enabled---in other words, @command{ssh} options @option{-X} and
17255 @option{-Y} will work.
17257 @item @code{allow-agent-forwarding?} (default: @code{#t})
17258 Whether to allow agent forwarding.
17260 @item @code{allow-tcp-forwarding?} (default: @code{#t})
17261 Whether to allow TCP forwarding.
17263 @item @code{gateway-ports?} (default: @code{#f})
17264 Whether to allow gateway ports.
17266 @item @code{challenge-response-authentication?} (default: @code{#f})
17267 Specifies whether challenge response authentication is allowed (e.g.@: via
17270 @item @code{use-pam?} (default: @code{#t})
17271 Enables the Pluggable Authentication Module interface. If set to
17272 @code{#t}, this will enable PAM authentication using
17273 @code{challenge-response-authentication?} and
17274 @code{password-authentication?}, in addition to PAM account and session
17275 module processing for all authentication types.
17277 Because PAM challenge response authentication usually serves an
17278 equivalent role to password authentication, you should disable either
17279 @code{challenge-response-authentication?} or
17280 @code{password-authentication?}.
17282 @item @code{print-last-log?} (default: @code{#t})
17283 Specifies whether @command{sshd} should print the date and time of the
17284 last user login when a user logs in interactively.
17286 @item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
17287 Configures external subsystems (e.g.@: file transfer daemon).
17289 This is a list of two-element lists, each of which containing the
17290 subsystem name and a command (with optional arguments) to execute upon
17293 The command @command{internal-sftp} implements an in-process SFTP
17294 server. Alternatively, one can specify the @command{sftp-server} command:
17296 (service openssh-service-type
17297 (openssh-configuration
17299 `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
17302 @item @code{accepted-environment} (default: @code{'()})
17303 List of strings describing which environment variables may be exported.
17305 Each string gets on its own line. See the @code{AcceptEnv} option in
17306 @code{man sshd_config}.
17308 This example allows ssh-clients to export the @env{COLORTERM} variable.
17309 It is set by terminal emulators, which support colors. You can use it in
17310 your shell's resource file to enable colors for the prompt and commands
17311 if this variable is set.
17314 (service openssh-service-type
17315 (openssh-configuration
17316 (accepted-environment '("COLORTERM"))))
17319 @item @code{authorized-keys} (default: @code{'()})
17320 @cindex authorized keys, SSH
17321 @cindex SSH authorized keys
17322 This is the list of authorized keys. Each element of the list is a user
17323 name followed by one or more file-like objects that represent SSH public
17327 (openssh-configuration
17329 `(("rekado" ,(local-file "rekado.pub"))
17330 ("chris" ,(local-file "chris.pub"))
17331 ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
17335 registers the specified public keys for user accounts @code{rekado},
17336 @code{chris}, and @code{root}.
17338 Additional authorized keys can be specified @i{via}
17339 @code{service-extension}.
17341 Note that this does @emph{not} interfere with the use of
17342 @file{~/.ssh/authorized_keys}.
17344 @item @code{log-level} (default: @code{'info})
17345 This is a symbol specifying the logging level: @code{quiet}, @code{fatal},
17346 @code{error}, @code{info}, @code{verbose}, @code{debug}, etc. See the man
17347 page for @file{sshd_config} for the full list of level names.
17349 @item @code{extra-content} (default: @code{""})
17350 This field can be used to append arbitrary text to the configuration file. It
17351 is especially useful for elaborate configurations that cannot be expressed
17352 otherwise. This configuration, for example, would generally disable root
17353 logins, but permit them from one specific IP address:
17356 (openssh-configuration
17358 Match Address 192.168.0.1
17359 PermitRootLogin yes"))
17365 @deffn {Scheme Procedure} dropbear-service [@var{config}]
17366 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
17367 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
17370 For example, to specify a Dropbear service listening on port 1234, add
17371 this call to the operating system's @code{services} field:
17374 (dropbear-service (dropbear-configuration
17375 (port-number 1234)))
17379 @deftp {Data Type} dropbear-configuration
17380 This data type represents the configuration of a Dropbear SSH daemon.
17383 @item @code{dropbear} (default: @var{dropbear})
17384 The Dropbear package to use.
17386 @item @code{port-number} (default: 22)
17387 The TCP port where the daemon waits for incoming connections.
17389 @item @code{syslog-output?} (default: @code{#t})
17390 Whether to enable syslog output.
17392 @item @code{pid-file} (default: @code{"/var/run/dropbear.pid"})
17393 File name of the daemon's PID file.
17395 @item @code{root-login?} (default: @code{#f})
17396 Whether to allow @code{root} logins.
17398 @item @code{allow-empty-passwords?} (default: @code{#f})
17399 Whether to allow empty passwords.
17401 @item @code{password-authentication?} (default: @code{#t})
17402 Whether to enable password-based authentication.
17407 @deffn {Scheme Variable} autossh-service-type
17408 This is the type for the @uref{https://www.harding.motd.ca/autossh,
17409 AutoSSH} program that runs a copy of @command{ssh} and monitors it,
17410 restarting it as necessary should it die or stop passing traffic.
17411 AutoSSH can be run manually from the command-line by passing arguments
17412 to the binary @command{autossh} from the package @code{autossh}, but it
17413 can also be run as a Guix service. This latter use case is documented
17416 AutoSSH can be used to forward local traffic to a remote machine using
17417 an SSH tunnel, and it respects the @file{~/.ssh/config} of the user it
17420 For example, to specify a service running autossh as the user
17421 @code{pino} and forwarding all local connections to port @code{8081} to
17422 @code{remote:8081} using an SSH tunnel, add this call to the operating
17423 system's @code{services} field:
17426 (service autossh-service-type
17427 (autossh-configuration
17429 (ssh-options (list "-T" "-N" "-L" "8081:localhost:8081" "remote.net"))))
17433 @deftp {Data Type} autossh-configuration
17434 This data type represents the configuration of an AutoSSH service.
17438 @item @code{user} (default @code{"autossh"})
17439 The user as which the AutoSSH service is to be run.
17440 This assumes that the specified user exists.
17442 @item @code{poll} (default @code{600})
17443 Specifies the connection poll time in seconds.
17445 @item @code{first-poll} (default @code{#f})
17446 Specifies how many seconds AutoSSH waits before the first connection
17447 test. After this first test, polling is resumed at the pace defined in
17448 @code{poll}. When set to @code{#f}, the first poll is not treated
17449 specially and will also use the connection poll specified in
17452 @item @code{gate-time} (default @code{30})
17453 Specifies how many seconds an SSH connection must be active before it is
17454 considered successful.
17456 @item @code{log-level} (default @code{1})
17457 The log level, corresponding to the levels used by syslog---so @code{0}
17458 is the most silent while @code{7} is the chattiest.
17460 @item @code{max-start} (default @code{#f})
17461 The maximum number of times SSH may be (re)started before AutoSSH exits.
17462 When set to @code{#f}, no maximum is configured and AutoSSH may restart indefinitely.
17464 @item @code{message} (default @code{""})
17465 The message to append to the echo message sent when testing connections.
17467 @item @code{port} (default @code{"0"})
17468 The ports used for monitoring the connection. When set to @code{"0"},
17469 monitoring is disabled. When set to @code{"@var{n}"} where @var{n} is
17470 a positive integer, ports @var{n} and @var{n}+1 are used for
17471 monitoring the connection, such that port @var{n} is the base
17472 monitoring port and @code{n+1} is the echo port. When set to
17473 @code{"@var{n}:@var{m}"} where @var{n} and @var{m} are positive
17474 integers, the ports @var{n} and @var{m} are used for monitoring the
17475 connection, such that port @var{n} is the base monitoring port and
17476 @var{m} is the echo port.
17478 @item @code{ssh-options} (default @code{'()})
17479 The list of command-line arguments to pass to @command{ssh} when it is
17480 run. Options @option{-f} and @option{-M} are reserved for AutoSSH and
17481 may cause undefined behaviour.
17487 @deffn {Scheme Variable} webssh-service-type
17488 This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH}
17489 program that runs a web SSH client. WebSSH can be run manually from the
17490 command-line by passing arguments to the binary @command{wssh} from the
17491 package @code{webssh}, but it can also be run as a Guix service. This
17492 latter use case is documented here.
17494 For example, to specify a service running WebSSH on loopback interface
17495 on port @code{8888} with reject policy with a list of allowed to
17496 connection hosts, and NGINX as a reverse-proxy to this service listening
17497 for HTTPS connection, add this call to the operating system's
17498 @code{services} field:
17501 (service webssh-service-type
17502 (webssh-configuration (address "127.0.0.1")
17505 (known-hosts '("localhost ecdsa-sha2-nistp256 AAAA…"
17506 "127.0.0.1 ecdsa-sha2-nistp256 AAAA…"))))
17508 (service nginx-service-type
17509 (nginx-configuration
17512 (nginx-server-configuration
17513 (inherit %webssh-configuration-nginx)
17514 (server-name '("webssh.example.com"))
17515 (listen '("443 ssl"))
17516 (ssl-certificate (letsencrypt-certificate "webssh.example.com"))
17517 (ssl-certificate-key (letsencrypt-key "webssh.example.com"))
17519 (cons (nginx-location-configuration
17520 (uri "/.well-known")
17521 (body '("root /var/www;")))
17522 (nginx-server-configuration-locations %webssh-configuration-nginx))))))))
17526 @deftp {Data Type} webssh-configuration
17527 Data type representing the configuration for @code{webssh-service}.
17530 @item @code{package} (default: @var{webssh})
17531 @code{webssh} package to use.
17533 @item @code{user-name} (default: @var{"webssh"})
17534 User name or user ID that file transfers to and from that module should take
17537 @item @code{group-name} (default: @var{"webssh"})
17538 Group name or group ID that will be used when accessing the module.
17540 @item @code{address} (default: @var{#f})
17541 IP address on which @command{webssh} listens for incoming connections.
17543 @item @code{port} (default: @var{8888})
17544 TCP port on which @command{webssh} listens for incoming connections.
17546 @item @code{policy} (default: @var{#f})
17547 Connection policy. @var{reject} policy requires to specify @var{known-hosts}.
17549 @item @code{known-hosts} (default: @var{'()})
17550 List of hosts which allowed for SSH connection from @command{webssh}.
17552 @item @code{log-file} (default: @file{"/var/log/webssh.log"})
17553 Name of the file where @command{webssh} writes its log file.
17555 @item @code{log-level} (default: @var{#f})
17561 @defvr {Scheme Variable} %facebook-host-aliases
17562 This variable contains a string for use in @file{/etc/hosts}
17563 (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each
17564 line contains a entry that maps a known server name of the Facebook
17565 on-line service---e.g., @code{www.facebook.com}---to the local
17566 host---@code{127.0.0.1} or its IPv6 equivalent, @code{::1}.
17568 This variable is typically used in the @code{hosts-file} field of an
17569 @code{operating-system} declaration (@pxref{operating-system Reference,
17570 @file{/etc/hosts}}):
17573 (use-modules (gnu) (guix))
17576 (host-name "mymachine")
17579 ;; Create a /etc/hosts file with aliases for "localhost"
17580 ;; and "mymachine", as well as for Facebook servers.
17581 (plain-file "hosts"
17582 (string-append (local-host-aliases host-name)
17583 %facebook-host-aliases))))
17586 This mechanism can prevent programs running locally, such as Web
17587 browsers, from accessing Facebook.
17590 The @code{(gnu services avahi)} provides the following definition.
17592 @defvr {Scheme Variable} avahi-service-type
17593 This is the service that runs @command{avahi-daemon}, a system-wide
17594 mDNS/DNS-SD responder that allows for service discovery and
17595 ``zero-configuration'' host name lookups (see @uref{https://avahi.org/}).
17596 Its value must be an @code{avahi-configuration} record---see below.
17598 This service extends the name service cache daemon (nscd) so that it can
17599 resolve @code{.local} host names using
17600 @uref{https://0pointer.de/lennart/projects/nss-mdns/, nss-mdns}. @xref{Name
17601 Service Switch}, for information on host name resolution.
17603 Additionally, add the @var{avahi} package to the system profile so that
17604 commands such as @command{avahi-browse} are directly usable.
17607 @deftp {Data Type} avahi-configuration
17608 Data type representation the configuration for Avahi.
17612 @item @code{host-name} (default: @code{#f})
17613 If different from @code{#f}, use that as the host name to
17614 publish for this machine; otherwise, use the machine's actual host name.
17616 @item @code{publish?} (default: @code{#t})
17617 When true, allow host names and services to be published (broadcast) over the
17620 @item @code{publish-workstation?} (default: @code{#t})
17621 When true, @command{avahi-daemon} publishes the machine's host name and IP
17622 address via mDNS on the local network. To view the host names published on
17623 your local network, you can run:
17626 avahi-browse _workstation._tcp
17629 @item @code{wide-area?} (default: @code{#f})
17630 When true, DNS-SD over unicast DNS is enabled.
17632 @item @code{ipv4?} (default: @code{#t})
17633 @itemx @code{ipv6?} (default: @code{#t})
17634 These fields determine whether to use IPv4/IPv6 sockets.
17636 @item @code{domains-to-browse} (default: @code{'()})
17637 This is a list of domains to browse.
17641 @deffn {Scheme Variable} openvswitch-service-type
17642 This is the type of the @uref{https://www.openvswitch.org, Open vSwitch}
17643 service, whose value should be an @code{openvswitch-configuration}
17647 @deftp {Data Type} openvswitch-configuration
17648 Data type representing the configuration of Open vSwitch, a multilayer
17649 virtual switch which is designed to enable massive network automation
17650 through programmatic extension.
17653 @item @code{package} (default: @var{openvswitch})
17654 Package object of the Open vSwitch.
17659 @defvr {Scheme Variable} pagekite-service-type
17660 This is the service type for the @uref{https://pagekite.net, PageKite} service,
17661 a tunneling solution for making localhost servers publicly visible, even from
17662 behind restrictive firewalls or NAT without forwarded ports. The value for
17663 this service type is a @code{pagekite-configuration} record.
17665 Here's an example exposing the local HTTP and SSH daemons:
17668 (service pagekite-service-type
17669 (pagekite-configuration
17670 (kites '("http:@@kitename:localhost:80:@@kitesecret"
17671 "raw/22:@@kitename:localhost:22:@@kitesecret"))
17672 (extra-file "/etc/pagekite.rc")))
17676 @deftp {Data Type} pagekite-configuration
17677 Data type representing the configuration of PageKite.
17680 @item @code{package} (default: @var{pagekite})
17681 Package object of PageKite.
17683 @item @code{kitename} (default: @code{#f})
17684 PageKite name for authenticating to the frontend server.
17686 @item @code{kitesecret} (default: @code{#f})
17687 Shared secret for authenticating to the frontend server. You should probably
17688 put this inside @code{extra-file} instead.
17690 @item @code{frontend} (default: @code{#f})
17691 Connect to the named PageKite frontend server instead of the
17692 @uref{https://pagekite.net,,pagekite.net} service.
17694 @item @code{kites} (default: @code{'("http:@@kitename:localhost:80:@@kitesecret")})
17695 List of service kites to use. Exposes HTTP on port 80 by default. The format
17696 is @code{proto:kitename:host:port:secret}.
17698 @item @code{extra-file} (default: @code{#f})
17699 Extra configuration file to read, which you are expected to create manually.
17700 Use this to add additional options and manage shared secrets out-of-band.
17705 @defvr {Scheme Variable} yggdrasil-service-type
17706 The service type for connecting to the @uref{https://yggdrasil-network.github.io/,
17707 Yggdrasil network}, an early-stage implementation of a fully end-to-end
17708 encrypted IPv6 network.
17711 Yggdrasil provides name-independent routing with cryptographically generated
17712 addresses. Static addressing means you can keep the same address as long as
17713 you want, even if you move to a new location, or generate a new address (by
17714 generating new keys) whenever you want.
17715 @uref{https://yggdrasil-network.github.io/2018/07/28/addressing.html}
17718 Pass it a value of @code{yggdrasil-configuration} to connect it to public
17719 peers and/or local peers.
17721 Here is an example using public peers and a static address. The static
17722 signing and encryption keys are defined in @file{/etc/yggdrasil-private.conf}
17723 (the default value for @code{config-file}).
17726 ;; part of the operating-system declaration
17727 (service yggdrasil-service-type
17728 (yggdrasil-configuration
17729 (autoconf? #f) ;; use only the public peers
17732 ;; https://github.com/yggdrasil-network/public-peers
17733 '((peers . #("tcp://1.2.3.4:1337"))))
17734 ;; /etc/yggdrasil-private.conf is the default value for config-file
17738 # sample content for /etc/yggdrasil-private.conf
17740 # Your public encryption key. Your peers may ask you for this to put
17741 # into their AllowedEncryptionPublicKeys configuration.
17742 EncryptionPublicKey: 378dc5...
17744 # Your private encryption key. DO NOT share this with anyone!
17745 EncryptionPrivateKey: 0777...
17747 # Your public signing key. You should not ordinarily need to share
17748 # this with anyone.
17749 SigningPublicKey: e1664...
17751 # Your private signing key. DO NOT share this with anyone!
17752 SigningPrivateKey: 0589d...
17757 @deftp {Data Type} yggdrasil-configuration
17758 Data type representing the configuration of Yggdrasil.
17761 @item @code{package} (default: @code{yggdrasil})
17762 Package object of Yggdrasil.
17764 @item @code{json-config} (default: @code{'()})
17765 Contents of @file{/etc/yggdrasil.conf}. Will be merged with
17766 @file{/etc/yggdrasil-private.conf}. Note that these settings are stored in
17767 the Guix store, which is readable to all users. @strong{Do not store your
17768 private keys in it}. See the output of @code{yggdrasil -genconf} for a
17769 quick overview of valid keys and their default values.
17771 @item @code{autoconf?} (default: @code{#f})
17772 Whether to use automatic mode. Enabling it makes Yggdrasil use adynamic IP
17773 and peer with IPv6 neighbors.
17775 @item @code{log-level} (default: @code{'info})
17776 How much detail to include in logs. Use @code{'debug} for more detail.
17778 @item @code{log-to} (default: @code{'stdout})
17779 Where to send logs. By default, the service logs standard output to
17780 @file{/var/log/yggdrasil.log}. The alternative is @code{'syslog}, which
17781 sends output to the running syslog service.
17783 @item @code{config-file} (default: @code{"/etc/yggdrasil-private.conf"})
17784 What HJSON file to load sensitive data from. This is where private keys
17785 should be stored, which are necessary to specify if you don't want a
17786 randomized address after each restart. Use @code{#f} to disable. Options
17787 defined in this file take precedence over @code{json-config}. Use the output
17788 of @code{yggdrasil -genconf} as a starting point. To configure a static
17789 address, delete everything except these options:
17792 @item @code{EncryptionPublicKey}
17793 @item @code{EncryptionPrivateKey}
17794 @item @code{SigningPublicKey}
17795 @item @code{SigningPrivateKey}
17801 @defvr {Scheme Variable} ipfs-service-type
17802 The service type for connecting to the @uref{https://ipfs.io,IPFS network},
17803 a global, versioned, peer-to-peer file system. Pass it a
17804 @code{ipfs-configuration} to change the ports used for the gateway and API.
17806 Here's an example configuration, using some non-standard ports:
17809 (service ipfs-service-type
17810 (ipfs-configuration
17811 (gateway "/ip4/127.0.0.1/tcp/8880")
17812 (api "/ip4/127.0.0.1/tcp/8881")))
17816 @deftp {Data Type} ipfs-configuration
17817 Data type representing the configuration of IPFS.
17820 @item @code{package} (default: @code{go-ipfs})
17821 Package object of IPFS.
17823 @item @code{gateway} (default: @code{"/ip4/127.0.0.1/tcp/8082"})
17824 Address of the gateway, in ‘multiaddress’ format.
17826 @item @code{api} (default: @code{"/ip4/127.0.0.1/tcp/5001"})
17827 Address of the API endpoint, in ‘multiaddress’ format.
17832 @deffn {Scheme Variable} keepalived-service-type
17833 This is the type for the @uref{https://www.keepalived.org/, Keepalived}
17834 routing software, @command{keepalived}. Its value must be an
17835 @code{keepalived-configuration} record as in this example for master
17839 (service keepalived-service-type
17840 (keepalived-configuration
17841 (config-file (local-file "keepalived-master.conf"))))
17844 where @file{keepalived-master.conf}:
17847 vrrp_instance my-group @{
17850 virtual_router_id 100
17852 unicast_peer @{ 10.0.0.2 @}
17853 virtual_ipaddress @{
17859 and for backup machine:
17862 (service keepalived-service-type
17863 (keepalived-configuration
17864 (config-file (local-file "keepalived-backup.conf"))))
17867 where @file{keepalived-backup.conf}:
17870 vrrp_instance my-group @{
17873 virtual_router_id 100
17875 unicast_peer @{ 10.0.0.3 @}
17876 virtual_ipaddress @{
17883 @node Unattended Upgrades
17884 @subsection Unattended Upgrades
17886 @cindex unattended upgrades
17887 @cindex upgrades, unattended
17888 Guix provides a service to perform @emph{unattended upgrades}:
17889 periodically, the system automatically reconfigures itself from the
17890 latest Guix. Guix System has several properties that make unattended
17895 upgrades are transactional (either the upgrade succeeds or it fails, but
17896 you cannot end up with an ``in-between'' system state);
17898 the upgrade log is kept---you can view it with @command{guix system
17899 list-generations}---and you can roll back to any previous generation,
17900 should the upgraded system fail to behave as intended;
17902 channel code is authenticated so you know you can only run genuine code
17903 (@pxref{Channels});
17905 @command{guix system reconfigure} prevents downgrades, which makes it
17906 immune to @dfn{downgrade attacks}.
17909 To set up unattended upgrades, add an instance of
17910 @code{unattended-upgrade-service-type} like the one below to the list of
17911 your operating system services:
17914 (service unattended-upgrade-service-type)
17917 The defaults above set up weekly upgrades: every Sunday at midnight.
17918 You do not need to provide the operating system configuration file: it
17919 uses @file{/run/current-system/configuration.scm}, which ensures it
17920 always uses your latest configuration---@pxref{provenance-service-type},
17921 for more information about this file.
17923 There are several things that can be configured, in particular the
17924 periodicity and services (daemons) to be restarted upon completion.
17925 When the upgrade is successful, the service takes care of deleting
17926 system generations older that some threshold, as per @command{guix
17927 system delete-generations}. See the reference below for details.
17929 To ensure that upgrades are actually happening, you can run
17930 @command{guix system describe}. To investigate upgrade failures, visit
17931 the unattended upgrade log file (see below).
17933 @defvr {Scheme Variable} unattended-upgrade-service-type
17934 This is the service type for unattended upgrades. It sets up an mcron
17935 job (@pxref{Scheduled Job Execution}) that runs @command{guix system
17936 reconfigure} from the latest version of the specified channels.
17938 Its value must be a @code{unattended-upgrade-configuration} record (see
17942 @deftp {Data Type} unattended-upgrade-configuration
17943 This data type represents the configuration of the unattended upgrade
17944 service. The following fields are available:
17947 @item @code{schedule} (default: @code{"30 01 * * 0"})
17948 This is the schedule of upgrades, expressed as a gexp containing an
17949 mcron job schedule (@pxref{Guile Syntax, mcron job specifications,,
17950 mcron, GNU@tie{}mcron}).
17952 @item @code{channels} (default: @code{#~%default-channels})
17953 This gexp specifies the channels to use for the upgrade
17954 (@pxref{Channels}). By default, the tip of the official @code{guix}
17957 @item @code{operating-system-file} (default: @code{"/run/current-system/configuration.scm"})
17958 This field specifies the operating system configuration file to use.
17959 The default is to reuse the config file of the current configuration.
17961 There are cases, though, where referring to
17962 @file{/run/current-system/configuration.scm} is not enough, for instance
17963 because that file refers to extra files (SSH public keys, extra
17964 configuration files, etc.) @i{via} @code{local-file} and similar
17965 constructs. For those cases, we recommend something along these lines:
17968 (unattended-upgrade-configuration
17969 (operating-system-file
17970 (file-append (local-file "." "config-dir" #:recursive? #t)
17974 The effect here is to import all of the current directory into the
17975 store, and to refer to @file{config.scm} within that directory.
17976 Therefore, uses of @code{local-file} within @file{config.scm} will work
17977 as expected. @xref{G-Expressions}, for information about
17978 @code{local-file} and @code{file-append}.
17980 @item @code{services-to-restart} (default: @code{'(mcron)})
17981 This field specifies the Shepherd services to restart when the upgrade
17984 Those services are restarted right away upon completion, as with
17985 @command{herd restart}, which ensures that the latest version is
17986 running---remember that by default @command{guix system reconfigure}
17987 only restarts services that are not currently running, which is
17988 conservative: it minimizes disruption but leaves outdated services
17991 Use @command{herd status} to find out candidates for restarting.
17992 @xref{Services}, for general information about services. Common
17993 services to restart would include @code{ntpd} and @code{ssh-daemon}.
17995 By default, the @code{mcron} service is restarted. This ensures that
17996 the latest version of the unattended upgrade job will be used next time.
17998 @item @code{system-expiration} (default: @code{(* 3 30 24 3600)})
17999 This is the expiration time in seconds for system generations. System
18000 generations older that this amount of time are deleted with
18001 @command{guix system delete-generations} when an upgrade completes.
18004 The unattended upgrade service does not run the garbage collector. You
18005 will probably want to set up your own mcron job to run @command{guix gc}
18009 @item @code{maximum-duration} (default: @code{3600})
18010 Maximum duration in seconds for the upgrade; past that time, the upgrade
18013 This is primarily useful to ensure the upgrade does not end up
18014 rebuilding or re-downloading ``the world''.
18016 @item @code{log-file} (default: @code{"/var/log/unattended-upgrade.log"})
18017 File where unattended upgrades are logged.
18022 @subsection X Window
18025 @cindex X Window System
18026 @cindex login manager
18027 Support for the X Window graphical display system---specifically
18028 Xorg---is provided by the @code{(gnu services xorg)} module. Note that
18029 there is no @code{xorg-service} procedure. Instead, the X server is
18030 started by the @dfn{login manager}, by default the GNOME Display Manager (GDM).
18033 @cindex GNOME, login manager
18034 GDM of course allows users to log in into window managers and desktop
18035 environments other than GNOME; for those using GNOME, GDM is required for
18036 features such as automatic screen locking.
18038 @cindex window manager
18039 To use X11, you must install at least one @dfn{window manager}---for
18040 example the @code{windowmaker} or @code{openbox} packages---preferably
18041 by adding it to the @code{packages} field of your operating system
18042 definition (@pxref{operating-system Reference, system-wide packages}).
18044 @defvr {Scheme Variable} gdm-service-type
18045 This is the type for the @uref{https://wiki.gnome.org/Projects/GDM/, GNOME
18046 Desktop Manager} (GDM), a program that manages graphical display servers and
18047 handles graphical user logins. Its value must be a @code{gdm-configuration}
18050 @cindex session types (X11)
18051 @cindex X11 session types
18052 GDM looks for @dfn{session types} described by the @file{.desktop} files in
18053 @file{/run/current-system/profile/share/xsessions} and allows users to choose
18054 a session from the log-in screen. Packages such as @code{gnome}, @code{xfce},
18055 and @code{i3} provide @file{.desktop} files; adding them to the system-wide
18056 set of packages automatically makes them available at the log-in screen.
18058 In addition, @file{~/.xsession} files are honored. When available,
18059 @file{~/.xsession} must be an executable that starts a window manager
18060 and/or other X clients.
18063 @deftp {Data Type} gdm-configuration
18065 @item @code{auto-login?} (default: @code{#f})
18066 @itemx @code{default-user} (default: @code{#f})
18067 When @code{auto-login?} is false, GDM presents a log-in screen.
18069 When @code{auto-login?} is true, GDM logs in directly as
18070 @code{default-user}.
18072 @item @code{debug?} (default: @code{#f})
18073 When true, GDM writes debug messages to its log.
18075 @item @code{gnome-shell-assets} (default: ...)
18076 List of GNOME Shell assets needed by GDM: icon theme, fonts, etc.
18078 @item @code{xorg-configuration} (default: @code{(xorg-configuration)})
18079 Configuration of the Xorg graphical server.
18081 @item @code{xsession} (default: @code{(xinitrc)})
18082 Script to run before starting a X session.
18084 @item @code{dbus-daemon} (default: @code{dbus-daemon-wrapper})
18085 File name of the @code{dbus-daemon} executable.
18087 @item @code{gdm} (default: @code{gdm})
18088 The GDM package to use.
18092 @defvr {Scheme Variable} slim-service-type
18093 This is the type for the SLiM graphical login manager for X11.
18095 Like GDM, SLiM looks for session types described by @file{.desktop} files and
18096 allows users to choose a session from the log-in screen using @kbd{F1}. It
18097 also honors @file{~/.xsession} files.
18099 Unlike GDM, SLiM does not spawn the user session on a different VT after
18100 logging in, which means that you can only start one graphical session. If you
18101 want to be able to run multiple graphical sessions at the same time you have
18102 to add multiple SLiM services to your system services. The following example
18103 shows how to replace the default GDM service with two SLiM services on tty7
18107 (use-modules (gnu services)
18108 (gnu services desktop)
18109 (gnu services xorg)
18110 (srfi srfi-1)) ;for 'remove'
18114 (services (cons* (service slim-service-type (slim-configuration
18117 (service slim-service-type (slim-configuration
18120 (modify-services %desktop-services
18121 (delete gdm-service-type)))))
18126 @deftp {Data Type} slim-configuration
18127 Data type representing the configuration of @code{slim-service-type}.
18130 @item @code{allow-empty-passwords?} (default: @code{#t})
18131 Whether to allow logins with empty passwords.
18133 @item @code{gnupg?} (default: @code{#f})
18134 If enabled, @code{pam-gnupg} will attempt to automatically unlock the
18135 user's GPG keys with the login password via @code{gpg-agent}. The
18136 keygrips of all keys to be unlocked should be written to
18137 @file{~/.pam-gnupg}, and can be queried with @code{gpg -K
18138 --with-keygrip}. Presetting passphrases must be enabled by adding
18139 @code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
18141 @item @code{auto-login?} (default: @code{#f})
18142 @itemx @code{default-user} (default: @code{""})
18143 When @code{auto-login?} is false, SLiM presents a log-in screen.
18145 When @code{auto-login?} is true, SLiM logs in directly as
18146 @code{default-user}.
18148 @item @code{theme} (default: @code{%default-slim-theme})
18149 @itemx @code{theme-name} (default: @code{%default-slim-theme-name})
18150 The graphical theme to use and its name.
18152 @item @code{auto-login-session} (default: @code{#f})
18153 If true, this must be the name of the executable to start as the default
18154 session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}.
18156 If false, a session described by one of the available @file{.desktop}
18157 files in @code{/run/current-system/profile} and @code{~/.guix-profile}
18161 You must install at least one window manager in the system profile or in
18162 your user profile. Failing to do that, if @code{auto-login-session} is
18163 false, you will be unable to log in.
18166 @item @code{xorg-configuration} (default @code{(xorg-configuration)})
18167 Configuration of the Xorg graphical server.
18169 @item @code{display} (default @code{":0"})
18170 The display on which to start the Xorg graphical server.
18172 @item @code{vt} (default @code{"vt7"})
18173 The VT on which to start the Xorg graphical server.
18175 @item @code{xauth} (default: @code{xauth})
18176 The XAuth package to use.
18178 @item @code{shepherd} (default: @code{shepherd})
18179 The Shepherd package used when invoking @command{halt} and
18182 @item @code{sessreg} (default: @code{sessreg})
18183 The sessreg package used in order to register the session.
18185 @item @code{slim} (default: @code{slim})
18186 The SLiM package to use.
18190 @defvr {Scheme Variable} %default-theme
18191 @defvrx {Scheme Variable} %default-theme-name
18192 The default SLiM theme and its name.
18196 @deftp {Data Type} sddm-configuration
18197 This is the data type representing the SDDM service configuration.
18200 @item @code{display-server} (default: "x11")
18201 Select display server to use for the greeter. Valid values are
18202 @samp{"x11"} or @samp{"wayland"}.
18204 @item @code{numlock} (default: "on")
18205 Valid values are @samp{"on"}, @samp{"off"} or @samp{"none"}.
18207 @item @code{halt-command} (default @code{#~(string-apppend #$shepherd "/sbin/halt")})
18208 Command to run when halting.
18210 @item @code{reboot-command} (default @code{#~(string-append #$shepherd "/sbin/reboot")})
18211 Command to run when rebooting.
18213 @item @code{theme} (default "maldives")
18214 Theme to use. Default themes provided by SDDM are @samp{"elarun"},
18215 @samp{"maldives"} or @samp{"maya"}.
18217 @item @code{themes-directory} (default "/run/current-system/profile/share/sddm/themes")
18218 Directory to look for themes.
18220 @item @code{faces-directory} (default "/run/current-system/profile/share/sddm/faces")
18221 Directory to look for faces.
18223 @item @code{default-path} (default "/run/current-system/profile/bin")
18224 Default PATH to use.
18226 @item @code{minimum-uid} (default: 1000)
18227 Minimum UID displayed in SDDM and allowed for log-in.
18229 @item @code{maximum-uid} (default: 2000)
18230 Maximum UID to display in SDDM.
18232 @item @code{remember-last-user?} (default #t)
18233 Remember last user.
18235 @item @code{remember-last-session?} (default #t)
18236 Remember last session.
18238 @item @code{hide-users} (default "")
18239 Usernames to hide from SDDM greeter.
18241 @item @code{hide-shells} (default @code{#~(string-append #$shadow "/sbin/nologin")})
18242 Users with shells listed will be hidden from the SDDM greeter.
18244 @item @code{session-command} (default @code{#~(string-append #$sddm "/share/sddm/scripts/wayland-session")})
18245 Script to run before starting a wayland session.
18247 @item @code{sessions-directory} (default "/run/current-system/profile/share/wayland-sessions")
18248 Directory to look for desktop files starting wayland sessions.
18250 @item @code{xorg-configuration} (default @code{(xorg-configuration)})
18251 Configuration of the Xorg graphical server.
18253 @item @code{xauth-path} (default @code{#~(string-append #$xauth "/bin/xauth")})
18256 @item @code{xephyr-path} (default @code{#~(string-append #$xorg-server "/bin/Xephyr")})
18259 @item @code{xdisplay-start} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xsetup")})
18260 Script to run after starting xorg-server.
18262 @item @code{xdisplay-stop} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xstop")})
18263 Script to run before stopping xorg-server.
18265 @item @code{xsession-command} (default: @code{xinitrc})
18266 Script to run before starting a X session.
18268 @item @code{xsessions-directory} (default: "/run/current-system/profile/share/xsessions")
18269 Directory to look for desktop files starting X sessions.
18271 @item @code{minimum-vt} (default: 7)
18274 @item @code{auto-login-user} (default "")
18275 User to use for auto-login.
18277 @item @code{auto-login-session} (default "")
18278 Desktop file to use for auto-login.
18280 @item @code{relogin?} (default #f)
18281 Relogin after logout.
18286 @cindex login manager
18288 @defvr {Scheme Variable} sddm-service-type
18289 This is the type of the service to run the
18290 @uref{https://github.com/sddm/sddm,SDDM display manager}. Its value
18291 must be a @code{sddm-configuration} record (see below).
18293 Here's an example use:
18296 (service sddm-service-type
18297 (sddm-configuration
18298 (auto-login-user "alice")
18299 (auto-login-session "xfce.desktop")))
18303 @deftp {Data Type} sddm-configuration
18304 This data type represents the configuration of the SDDM login manager.
18305 The available fields are:
18308 @item @code{sddm} (default: @code{sddm})
18309 The SDDM package to use.
18311 @item @code{display-server} (default: @code{"x11"})
18312 This must be either @code{"x11"} or @code{"wayland"}.
18314 @c FIXME: Add more fields.
18316 @item @code{auto-login-user} (default: @code{""})
18317 If non-empty, this is the user account under which to log in
18320 @item @code{auto-login-session} (default: @code{""})
18321 If non-empty, this is the @file{.desktop} file name to use as the
18322 auto-login session.
18326 @cindex Xorg, configuration
18327 @deftp {Data Type} xorg-configuration
18328 This data type represents the configuration of the Xorg graphical display
18329 server. Note that there is no Xorg service; instead, the X server is started
18330 by a ``display manager'' such as GDM, SDDM, and SLiM@. Thus, the configuration
18331 of these display managers aggregates an @code{xorg-configuration} record.
18334 @item @code{modules} (default: @code{%default-xorg-modules})
18335 This is a list of @dfn{module packages} loaded by the Xorg
18336 server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on.
18338 @item @code{fonts} (default: @code{%default-xorg-fonts})
18339 This is a list of font directories to add to the server's @dfn{font path}.
18341 @item @code{drivers} (default: @code{'()})
18342 This must be either the empty list, in which case Xorg chooses a graphics
18343 driver automatically, or a list of driver names that will be tried in this
18344 order---e.g., @code{("modesetting" "vesa")}.
18346 @item @code{resolutions} (default: @code{'()})
18347 When @code{resolutions} is the empty list, Xorg chooses an appropriate screen
18348 resolution. Otherwise, it must be a list of resolutions---e.g., @code{((1024
18351 @cindex keyboard layout, for Xorg
18352 @cindex keymap, for Xorg
18353 @item @code{keyboard-layout} (default: @code{#f})
18354 If this is @code{#f}, Xorg uses the default keyboard layout---usually US
18355 English (``qwerty'') for a 105-key PC keyboard.
18357 Otherwise this must be a @code{keyboard-layout} object specifying the keyboard
18358 layout in use when Xorg is running. @xref{Keyboard Layout}, for more
18359 information on how to specify the keyboard layout.
18361 @item @code{extra-config} (default: @code{'()})
18362 This is a list of strings or objects appended to the configuration file. It
18363 is used to pass extra text to be added verbatim to the configuration file.
18365 @item @code{server} (default: @code{xorg-server})
18366 This is the package providing the Xorg server.
18368 @item @code{server-arguments} (default: @code{%default-xorg-server-arguments})
18369 This is the list of command-line arguments to pass to the X server. The
18370 default is @code{-nolisten tcp}.
18374 @deffn {Scheme Procedure} set-xorg-configuration @var{config} @
18375 [@var{login-manager-service-type}]
18376 Tell the log-in manager (of type @var{login-manager-service-type}) to use
18377 @var{config}, an @code{<xorg-configuration>} record.
18379 Since the Xorg configuration is embedded in the log-in manager's
18380 configuration---e.g., @code{gdm-configuration}---this procedure provides a
18381 shorthand to set the Xorg configuration.
18384 @deffn {Scheme Procedure} xorg-start-command [@var{config}]
18385 Return a @code{startx} script in which the modules, fonts, etc. specified
18386 in @var{config}, are available. The result should be used in place of
18389 Usually the X server is started by a login manager.
18393 @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}]
18394 Add @var{package}, a package for a screen locker or screen saver whose
18395 command is @var{program}, to the set of setuid programs and add a PAM entry
18396 for it. For example:
18399 (screen-locker-service xlockmore "xlock")
18402 makes the good ol' XlockMore usable.
18406 @node Printing Services
18407 @subsection Printing Services
18409 @cindex printer support with CUPS
18410 The @code{(gnu services cups)} module provides a Guix service definition
18411 for the CUPS printing service. To add printer support to a Guix
18412 system, add a @code{cups-service} to the operating system definition:
18414 @deffn {Scheme Variable} cups-service-type
18415 The service type for the CUPS print server. Its value should be a valid
18416 CUPS configuration (see below). To use the default settings, simply
18419 (service cups-service-type)
18423 The CUPS configuration controls the basic things about your CUPS
18424 installation: what interfaces it listens on, what to do if a print job
18425 fails, how much logging to do, and so on. To actually add a printer,
18426 you have to visit the @url{http://localhost:631} URL, or use a tool such
18427 as GNOME's printer configuration services. By default, configuring a
18428 CUPS service will generate a self-signed certificate if needed, for
18429 secure connections to the print server.
18431 Suppose you want to enable the Web interface of CUPS and also add
18432 support for Epson printers @i{via} the @code{epson-inkjet-printer-escpr}
18433 package and for HP printers @i{via} the @code{hplip-minimal} package.
18434 You can do that directly, like this (you need to use the
18435 @code{(gnu packages cups)} module):
18438 (service cups-service-type
18439 (cups-configuration
18440 (web-interface? #t)
18442 (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
18445 Note: If you wish to use the Qt5 based GUI which comes with the hplip
18446 package then it is suggested that you install the @code{hplip} package,
18447 either in your OS configuration file or as your user.
18449 The available configuration parameters follow. Each parameter
18450 definition is preceded by its type; for example, @samp{string-list foo}
18451 indicates that the @code{foo} parameter should be specified as a list of
18452 strings. There is also a way to specify the configuration as a string,
18453 if you have an old @code{cupsd.conf} file that you want to port over
18454 from some other system; see the end for more details.
18456 @c The following documentation was initially generated by
18457 @c (generate-documentation) in (gnu services cups). Manually maintained
18458 @c documentation is better, so we shouldn't hesitate to edit below as
18459 @c needed. However if the change you want to make to this documentation
18460 @c can be done in an automated way, it's probably easier to change
18461 @c (generate-documentation) than to make it below and have to deal with
18462 @c the churn as CUPS updates.
18465 Available @code{cups-configuration} fields are:
18467 @deftypevr {@code{cups-configuration} parameter} package cups
18471 @deftypevr {@code{cups-configuration} parameter} package-list extensions (default: @code{(list brlaser cups-filters epson-inkjet-printer-escpr foomatic-filters hplip-minimal splix)})
18472 Drivers and other extensions to the CUPS package.
18475 @deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration
18476 Configuration of where to write logs, what directories to use for print
18477 spools, and related privileged configuration parameters.
18479 Available @code{files-configuration} fields are:
18481 @deftypevr {@code{files-configuration} parameter} log-location access-log
18482 Defines the access log filename. Specifying a blank filename disables
18483 access log generation. The value @code{stderr} causes log entries to be
18484 sent to the standard error file when the scheduler is running in the
18485 foreground, or to the system log daemon when run in the background. The
18486 value @code{syslog} causes log entries to be sent to the system log
18487 daemon. The server name may be included in filenames using the string
18488 @code{%s}, as in @code{/var/log/cups/%s-access_log}.
18490 Defaults to @samp{"/var/log/cups/access_log"}.
18493 @deftypevr {@code{files-configuration} parameter} file-name cache-dir
18494 Where CUPS should cache data.
18496 Defaults to @samp{"/var/cache/cups"}.
18499 @deftypevr {@code{files-configuration} parameter} string config-file-perm
18500 Specifies the permissions for all configuration files that the scheduler
18503 Note that the permissions for the printers.conf file are currently
18504 masked to only allow access from the scheduler user (typically root).
18505 This is done because printer device URIs sometimes contain sensitive
18506 authentication information that should not be generally known on the
18507 system. There is no way to disable this security feature.
18509 Defaults to @samp{"0640"}.
18512 @deftypevr {@code{files-configuration} parameter} log-location error-log
18513 Defines the error log filename. Specifying a blank filename disables
18514 error log generation. The value @code{stderr} causes log entries to be
18515 sent to the standard error file when the scheduler is running in the
18516 foreground, or to the system log daemon when run in the background. The
18517 value @code{syslog} causes log entries to be sent to the system log
18518 daemon. The server name may be included in filenames using the string
18519 @code{%s}, as in @code{/var/log/cups/%s-error_log}.
18521 Defaults to @samp{"/var/log/cups/error_log"}.
18524 @deftypevr {@code{files-configuration} parameter} string fatal-errors
18525 Specifies which errors are fatal, causing the scheduler to exit. The
18530 No errors are fatal.
18533 All of the errors below are fatal.
18536 Browsing initialization errors are fatal, for example failed connections
18537 to the DNS-SD daemon.
18540 Configuration file syntax errors are fatal.
18543 Listen or Port errors are fatal, except for IPv6 failures on the
18544 loopback or @code{any} addresses.
18547 Log file creation or write errors are fatal.
18550 Bad startup file permissions are fatal, for example shared TLS
18551 certificate and key files with world-read permissions.
18554 Defaults to @samp{"all -browse"}.
18557 @deftypevr {@code{files-configuration} parameter} boolean file-device?
18558 Specifies whether the file pseudo-device can be used for new printer
18559 queues. The URI @uref{file:///dev/null} is always allowed.
18561 Defaults to @samp{#f}.
18564 @deftypevr {@code{files-configuration} parameter} string group
18565 Specifies the group name or ID that will be used when executing external
18568 Defaults to @samp{"lp"}.
18571 @deftypevr {@code{files-configuration} parameter} string log-file-perm
18572 Specifies the permissions for all log files that the scheduler writes.
18574 Defaults to @samp{"0644"}.
18577 @deftypevr {@code{files-configuration} parameter} log-location page-log
18578 Defines the page log filename. Specifying a blank filename disables
18579 page log generation. The value @code{stderr} causes log entries to be
18580 sent to the standard error file when the scheduler is running in the
18581 foreground, or to the system log daemon when run in the background. The
18582 value @code{syslog} causes log entries to be sent to the system log
18583 daemon. The server name may be included in filenames using the string
18584 @code{%s}, as in @code{/var/log/cups/%s-page_log}.
18586 Defaults to @samp{"/var/log/cups/page_log"}.
18589 @deftypevr {@code{files-configuration} parameter} string remote-root
18590 Specifies the username that is associated with unauthenticated accesses
18591 by clients claiming to be the root user. The default is @code{remroot}.
18593 Defaults to @samp{"remroot"}.
18596 @deftypevr {@code{files-configuration} parameter} file-name request-root
18597 Specifies the directory that contains print jobs and other HTTP request
18600 Defaults to @samp{"/var/spool/cups"}.
18603 @deftypevr {@code{files-configuration} parameter} sandboxing sandboxing
18604 Specifies the level of security sandboxing that is applied to print
18605 filters, backends, and other child processes of the scheduler; either
18606 @code{relaxed} or @code{strict}. This directive is currently only
18607 used/supported on macOS.
18609 Defaults to @samp{strict}.
18612 @deftypevr {@code{files-configuration} parameter} file-name server-keychain
18613 Specifies the location of TLS certificates and private keys. CUPS will
18614 look for public and private keys in this directory: @file{.crt} files
18615 for PEM-encoded certificates and corresponding @file{.key} files for
18616 PEM-encoded private keys.
18618 Defaults to @samp{"/etc/cups/ssl"}.
18621 @deftypevr {@code{files-configuration} parameter} file-name server-root
18622 Specifies the directory containing the server configuration files.
18624 Defaults to @samp{"/etc/cups"}.
18627 @deftypevr {@code{files-configuration} parameter} boolean sync-on-close?
18628 Specifies whether the scheduler calls fsync(2) after writing
18629 configuration or state files.
18631 Defaults to @samp{#f}.
18634 @deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group
18635 Specifies the group(s) to use for @code{@@SYSTEM} group authentication.
18638 @deftypevr {@code{files-configuration} parameter} file-name temp-dir
18639 Specifies the directory where temporary files are stored.
18641 Defaults to @samp{"/var/spool/cups/tmp"}.
18644 @deftypevr {@code{files-configuration} parameter} string user
18645 Specifies the user name or ID that is used when running external
18648 Defaults to @samp{"lp"}.
18651 @deftypevr {@code{files-configuration} parameter} string set-env
18652 Set the specified environment variable to be passed to child processes.
18654 Defaults to @samp{"variable value"}.
18658 @deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level
18659 Specifies the logging level for the AccessLog file. The @code{config}
18660 level logs when printers and classes are added, deleted, or modified and
18661 when configuration files are accessed or updated. The @code{actions}
18662 level logs when print jobs are submitted, held, released, modified, or
18663 canceled, and any of the conditions for @code{config}. The @code{all}
18664 level logs all requests.
18666 Defaults to @samp{actions}.
18669 @deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs?
18670 Specifies whether to purge job history data automatically when it is no
18671 longer required for quotas.
18673 Defaults to @samp{#f}.
18676 @deftypevr {@code{cups-configuration} parameter} comma-separated-string-list browse-dns-sd-sub-types
18677 Specifies a list of DNS-SD sub-types to advertise for each shared printer.
18678 For example, @samp{"_cups" "_print"} will tell network clients that both
18679 CUPS sharing and IPP Everywhere are supported.
18681 Defaults to @samp{"_cups"}.
18684 @deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols
18685 Specifies which protocols to use for local printer sharing.
18687 Defaults to @samp{dnssd}.
18690 @deftypevr {@code{cups-configuration} parameter} boolean browse-web-if?
18691 Specifies whether the CUPS web interface is advertised.
18693 Defaults to @samp{#f}.
18696 @deftypevr {@code{cups-configuration} parameter} boolean browsing?
18697 Specifies whether shared printers are advertised.
18699 Defaults to @samp{#f}.
18702 @deftypevr {@code{cups-configuration} parameter} string classification
18703 Specifies the security classification of the server. Any valid banner
18704 name can be used, including @samp{"classified"}, @samp{"confidential"},
18705 @samp{"secret"}, @samp{"topsecret"}, and @samp{"unclassified"}, or the
18706 banner can be omitted to disable secure printing functions.
18708 Defaults to @samp{""}.
18711 @deftypevr {@code{cups-configuration} parameter} boolean classify-override?
18712 Specifies whether users may override the classification (cover page) of
18713 individual print jobs using the @code{job-sheets} option.
18715 Defaults to @samp{#f}.
18718 @deftypevr {@code{cups-configuration} parameter} default-auth-type default-auth-type
18719 Specifies the default type of authentication to use.
18721 Defaults to @samp{Basic}.
18724 @deftypevr {@code{cups-configuration} parameter} default-encryption default-encryption
18725 Specifies whether encryption will be used for authenticated requests.
18727 Defaults to @samp{Required}.
18730 @deftypevr {@code{cups-configuration} parameter} string default-language
18731 Specifies the default language to use for text and web content.
18733 Defaults to @samp{"en"}.
18736 @deftypevr {@code{cups-configuration} parameter} string default-paper-size
18737 Specifies the default paper size for new print queues. @samp{"Auto"}
18738 uses a locale-specific default, while @samp{"None"} specifies there is
18739 no default paper size. Specific size names are typically
18740 @samp{"Letter"} or @samp{"A4"}.
18742 Defaults to @samp{"Auto"}.
18745 @deftypevr {@code{cups-configuration} parameter} string default-policy
18746 Specifies the default access policy to use.
18748 Defaults to @samp{"default"}.
18751 @deftypevr {@code{cups-configuration} parameter} boolean default-shared?
18752 Specifies whether local printers are shared by default.
18754 Defaults to @samp{#t}.
18757 @deftypevr {@code{cups-configuration} parameter} non-negative-integer dirty-clean-interval
18758 Specifies the delay for updating of configuration and state files, in
18759 seconds. A value of 0 causes the update to happen as soon as possible,
18760 typically within a few milliseconds.
18762 Defaults to @samp{30}.
18765 @deftypevr {@code{cups-configuration} parameter} error-policy error-policy
18766 Specifies what to do when an error occurs. Possible values are
18767 @code{abort-job}, which will discard the failed print job;
18768 @code{retry-job}, which will retry the job at a later time;
18769 @code{retry-current-job}, which retries the failed job immediately; and
18770 @code{stop-printer}, which stops the printer.
18772 Defaults to @samp{stop-printer}.
18775 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-limit
18776 Specifies the maximum cost of filters that are run concurrently, which
18777 can be used to minimize disk, memory, and CPU resource problems. A
18778 limit of 0 disables filter limiting. An average print to a
18779 non-PostScript printer needs a filter limit of about 200. A PostScript
18780 printer needs about half that (100). Setting the limit below these
18781 thresholds will effectively limit the scheduler to printing a single job
18784 Defaults to @samp{0}.
18787 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-nice
18788 Specifies the scheduling priority of filters that are run to print a
18789 job. The nice value ranges from 0, the highest priority, to 19, the
18792 Defaults to @samp{0}.
18795 @deftypevr {@code{cups-configuration} parameter} host-name-lookups host-name-lookups
18796 Specifies whether to do reverse lookups on connecting clients. The
18797 @code{double} setting causes @code{cupsd} to verify that the hostname
18798 resolved from the address matches one of the addresses returned for that
18799 hostname. Double lookups also prevent clients with unregistered
18800 addresses from connecting to your server. Only set this option to
18801 @code{#t} or @code{double} if absolutely required.
18803 Defaults to @samp{#f}.
18806 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-kill-delay
18807 Specifies the number of seconds to wait before killing the filters and
18808 backend associated with a canceled or held job.
18810 Defaults to @samp{30}.
18813 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-interval
18814 Specifies the interval between retries of jobs in seconds. This is
18815 typically used for fax queues but can also be used with normal print
18816 queues whose error policy is @code{retry-job} or
18817 @code{retry-current-job}.
18819 Defaults to @samp{30}.
18822 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-limit
18823 Specifies the number of retries that are done for jobs. This is
18824 typically used for fax queues but can also be used with normal print
18825 queues whose error policy is @code{retry-job} or
18826 @code{retry-current-job}.
18828 Defaults to @samp{5}.
18831 @deftypevr {@code{cups-configuration} parameter} boolean keep-alive?
18832 Specifies whether to support HTTP keep-alive connections.
18834 Defaults to @samp{#t}.
18837 @deftypevr {@code{cups-configuration} parameter} non-negative-integer limit-request-body
18838 Specifies the maximum size of print files, IPP requests, and HTML form
18839 data. A limit of 0 disables the limit check.
18841 Defaults to @samp{0}.
18844 @deftypevr {@code{cups-configuration} parameter} multiline-string-list listen
18845 Listens on the specified interfaces for connections. Valid values are
18846 of the form @var{address}:@var{port}, where @var{address} is either an
18847 IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to
18848 indicate all addresses. Values can also be file names of local UNIX
18849 domain sockets. The Listen directive is similar to the Port directive
18850 but allows you to restrict access to specific interfaces or networks.
18853 @deftypevr {@code{cups-configuration} parameter} non-negative-integer listen-back-log
18854 Specifies the number of pending connections that will be allowed. This
18855 normally only affects very busy servers that have reached the MaxClients
18856 limit, but can also be triggered by large numbers of simultaneous
18857 connections. When the limit is reached, the operating system will
18858 refuse additional connections until the scheduler can accept the pending
18861 Defaults to @samp{128}.
18864 @deftypevr {@code{cups-configuration} parameter} location-access-control-list location-access-controls
18865 Specifies a set of additional access controls.
18867 Available @code{location-access-controls} fields are:
18869 @deftypevr {@code{location-access-controls} parameter} file-name path
18870 Specifies the URI path to which the access control applies.
18873 @deftypevr {@code{location-access-controls} parameter} access-control-list access-controls
18874 Access controls for all access to this path, in the same format as the
18875 @code{access-controls} of @code{operation-access-control}.
18877 Defaults to @samp{()}.
18880 @deftypevr {@code{location-access-controls} parameter} method-access-control-list method-access-controls
18881 Access controls for method-specific access to this path.
18883 Defaults to @samp{()}.
18885 Available @code{method-access-controls} fields are:
18887 @deftypevr {@code{method-access-controls} parameter} boolean reverse?
18888 If @code{#t}, apply access controls to all methods except the listed
18889 methods. Otherwise apply to only the listed methods.
18891 Defaults to @samp{#f}.
18894 @deftypevr {@code{method-access-controls} parameter} method-list methods
18895 Methods to which this access control applies.
18897 Defaults to @samp{()}.
18900 @deftypevr {@code{method-access-controls} parameter} access-control-list access-controls
18901 Access control directives, as a list of strings. Each string should be
18902 one directive, such as @samp{"Order allow,deny"}.
18904 Defaults to @samp{()}.
18909 @deftypevr {@code{cups-configuration} parameter} non-negative-integer log-debug-history
18910 Specifies the number of debugging messages that are retained for logging
18911 if an error occurs in a print job. Debug messages are logged regardless
18912 of the LogLevel setting.
18914 Defaults to @samp{100}.
18917 @deftypevr {@code{cups-configuration} parameter} log-level log-level
18918 Specifies the level of logging for the ErrorLog file. The value
18919 @code{none} stops all logging while @code{debug2} logs everything.
18921 Defaults to @samp{info}.
18924 @deftypevr {@code{cups-configuration} parameter} log-time-format log-time-format
18925 Specifies the format of the date and time in the log files. The value
18926 @code{standard} logs whole seconds while @code{usecs} logs microseconds.
18928 Defaults to @samp{standard}.
18931 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients
18932 Specifies the maximum number of simultaneous clients that are allowed by
18935 Defaults to @samp{100}.
18938 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients-per-host
18939 Specifies the maximum number of simultaneous clients that are allowed
18940 from a single address.
18942 Defaults to @samp{100}.
18945 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-copies
18946 Specifies the maximum number of copies that a user can print of each
18949 Defaults to @samp{9999}.
18952 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-hold-time
18953 Specifies the maximum time a job may remain in the @code{indefinite}
18954 hold state before it is canceled. A value of 0 disables cancellation of
18957 Defaults to @samp{0}.
18960 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs
18961 Specifies the maximum number of simultaneous jobs that are allowed. Set
18962 to 0 to allow an unlimited number of jobs.
18964 Defaults to @samp{500}.
18967 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-printer
18968 Specifies the maximum number of simultaneous jobs that are allowed per
18969 printer. A value of 0 allows up to MaxJobs jobs per printer.
18971 Defaults to @samp{0}.
18974 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-user
18975 Specifies the maximum number of simultaneous jobs that are allowed per
18976 user. A value of 0 allows up to MaxJobs jobs per user.
18978 Defaults to @samp{0}.
18981 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-job-time
18982 Specifies the maximum time a job may take to print before it is
18983 canceled, in seconds. Set to 0 to disable cancellation of ``stuck'' jobs.
18985 Defaults to @samp{10800}.
18988 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-log-size
18989 Specifies the maximum size of the log files before they are rotated, in
18990 bytes. The value 0 disables log rotation.
18992 Defaults to @samp{1048576}.
18995 @deftypevr {@code{cups-configuration} parameter} non-negative-integer multiple-operation-timeout
18996 Specifies the maximum amount of time to allow between files in a
18997 multiple file print job, in seconds.
18999 Defaults to @samp{300}.
19002 @deftypevr {@code{cups-configuration} parameter} string page-log-format
19003 Specifies the format of PageLog lines. Sequences beginning with percent
19004 (@samp{%}) characters are replaced with the corresponding information,
19005 while all other characters are copied literally. The following percent
19006 sequences are recognized:
19010 insert a single percent character
19013 insert the value of the specified IPP attribute
19016 insert the number of copies for the current page
19019 insert the current page number
19022 insert the current date and time in common log format
19028 insert the printer name
19031 insert the username
19034 A value of the empty string disables page logging. The string @code{%p
19035 %u %j %T %P %C %@{job-billing@} %@{job-originating-host-name@}
19036 %@{job-name@} %@{media@} %@{sides@}} creates a page log with the
19039 Defaults to @samp{""}.
19042 @deftypevr {@code{cups-configuration} parameter} environment-variables environment-variables
19043 Passes the specified environment variable(s) to child processes; a list
19046 Defaults to @samp{()}.
19049 @deftypevr {@code{cups-configuration} parameter} policy-configuration-list policies
19050 Specifies named access control policies.
19052 Available @code{policy-configuration} fields are:
19054 @deftypevr {@code{policy-configuration} parameter} string name
19055 Name of the policy.
19058 @deftypevr {@code{policy-configuration} parameter} string job-private-access
19059 Specifies an access list for a job's private values. @code{@@ACL} maps
19060 to the printer's requesting-user-name-allowed or
19061 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
19062 owner. @code{@@SYSTEM} maps to the groups listed for the
19063 @code{system-group} field of the @code{files-configuration},
19064 which is reified into the @code{cups-files.conf(5)} file. Other
19065 possible elements of the access list include specific user names, and
19066 @code{@@@var{group}} to indicate members of a specific group. The
19067 access list may also be simply @code{all} or @code{default}.
19069 Defaults to @samp{"@@OWNER @@SYSTEM"}.
19072 @deftypevr {@code{policy-configuration} parameter} string job-private-values
19073 Specifies the list of job values to make private, or @code{all},
19074 @code{default}, or @code{none}.
19076 Defaults to @samp{"job-name job-originating-host-name
19077 job-originating-user-name phone"}.
19080 @deftypevr {@code{policy-configuration} parameter} string subscription-private-access
19081 Specifies an access list for a subscription's private values.
19082 @code{@@ACL} maps to the printer's requesting-user-name-allowed or
19083 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
19084 owner. @code{@@SYSTEM} maps to the groups listed for the
19085 @code{system-group} field of the @code{files-configuration},
19086 which is reified into the @code{cups-files.conf(5)} file. Other
19087 possible elements of the access list include specific user names, and
19088 @code{@@@var{group}} to indicate members of a specific group. The
19089 access list may also be simply @code{all} or @code{default}.
19091 Defaults to @samp{"@@OWNER @@SYSTEM"}.
19094 @deftypevr {@code{policy-configuration} parameter} string subscription-private-values
19095 Specifies the list of job values to make private, or @code{all},
19096 @code{default}, or @code{none}.
19098 Defaults to @samp{"notify-events notify-pull-method notify-recipient-uri
19099 notify-subscriber-user-name notify-user-data"}.
19102 @deftypevr {@code{policy-configuration} parameter} operation-access-control-list access-controls
19103 Access control by IPP operation.
19105 Defaults to @samp{()}.
19109 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-files
19110 Specifies whether job files (documents) are preserved after a job is
19111 printed. If a numeric value is specified, job files are preserved for
19112 the indicated number of seconds after printing. Otherwise a boolean
19113 value applies indefinitely.
19115 Defaults to @samp{86400}.
19118 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-history
19119 Specifies whether the job history is preserved after a job is printed.
19120 If a numeric value is specified, the job history is preserved for the
19121 indicated number of seconds after printing. If @code{#t}, the job
19122 history is preserved until the MaxJobs limit is reached.
19124 Defaults to @samp{#t}.
19127 @deftypevr {@code{cups-configuration} parameter} non-negative-integer reload-timeout
19128 Specifies the amount of time to wait for job completion before
19129 restarting the scheduler.
19131 Defaults to @samp{30}.
19134 @deftypevr {@code{cups-configuration} parameter} string rip-cache
19135 Specifies the maximum amount of memory to use when converting documents
19136 into bitmaps for a printer.
19138 Defaults to @samp{"128m"}.
19141 @deftypevr {@code{cups-configuration} parameter} string server-admin
19142 Specifies the email address of the server administrator.
19144 Defaults to @samp{"root@@localhost.localdomain"}.
19147 @deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias
19148 The ServerAlias directive is used for HTTP Host header validation when
19149 clients connect to the scheduler from external interfaces. Using the
19150 special name @code{*} can expose your system to known browser-based DNS
19151 rebinding attacks, even when accessing sites through a firewall. If the
19152 auto-discovery of alternate names does not work, we recommend listing
19153 each alternate name with a ServerAlias directive instead of using
19156 Defaults to @samp{*}.
19159 @deftypevr {@code{cups-configuration} parameter} string server-name
19160 Specifies the fully-qualified host name of the server.
19162 Defaults to @samp{"localhost"}.
19165 @deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens
19166 Specifies what information is included in the Server header of HTTP
19167 responses. @code{None} disables the Server header. @code{ProductOnly}
19168 reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor}
19169 reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}.
19170 @code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is
19171 the output of the @code{uname} command. @code{Full} reports @code{CUPS
19172 2.0.0 (@var{uname}) IPP/2.0}.
19174 Defaults to @samp{Minimal}.
19177 @deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen
19178 Listens on the specified interfaces for encrypted connections. Valid
19179 values are of the form @var{address}:@var{port}, where @var{address} is
19180 either an IPv6 address enclosed in brackets, an IPv4 address, or
19181 @code{*} to indicate all addresses.
19183 Defaults to @samp{()}.
19186 @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
19187 Sets encryption options. By default, CUPS only supports encryption
19188 using TLS v1.0 or higher using known secure cipher suites. Security is
19189 reduced when @code{Allow} options are used, and enhanced when @code{Deny}
19190 options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
19191 suites, which are required for some older clients. The @code{AllowSSL3} option
19192 enables SSL v3.0, which is required for some older clients that do not support
19193 TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
19194 @code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
19195 protocol version to TLS v1.1.
19197 Defaults to @samp{()}.
19200 @deftypevr {@code{cups-configuration} parameter} boolean strict-conformance?
19201 Specifies whether the scheduler requires clients to strictly adhere to
19202 the IPP specifications.
19204 Defaults to @samp{#f}.
19207 @deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout
19208 Specifies the HTTP request timeout, in seconds.
19210 Defaults to @samp{300}.
19214 @deftypevr {@code{cups-configuration} parameter} boolean web-interface?
19215 Specifies whether the web interface is enabled.
19217 Defaults to @samp{#f}.
19220 At this point you're probably thinking ``oh dear, Guix manual, I like
19221 you but you can stop already with the configuration options''. Indeed.
19222 However, one more point: it could be that you have an existing
19223 @code{cupsd.conf} that you want to use. In that case, you can pass an
19224 @code{opaque-cups-configuration} as the configuration of a
19225 @code{cups-service-type}.
19227 Available @code{opaque-cups-configuration} fields are:
19229 @deftypevr {@code{opaque-cups-configuration} parameter} package cups
19233 @deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf
19234 The contents of the @code{cupsd.conf}, as a string.
19237 @deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf
19238 The contents of the @code{cups-files.conf} file, as a string.
19241 For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in
19242 strings of the same name, you could instantiate a CUPS service like
19246 (service cups-service-type
19247 (opaque-cups-configuration
19248 (cupsd.conf cupsd.conf)
19249 (cups-files.conf cups-files.conf)))
19253 @node Desktop Services
19254 @subsection Desktop Services
19256 The @code{(gnu services desktop)} module provides services that are
19257 usually useful in the context of a ``desktop'' setup---that is, on a
19258 machine running a graphical display server, possibly with graphical user
19259 interfaces, etc. It also defines services that provide specific desktop
19260 environments like GNOME, Xfce or MATE.
19262 To simplify things, the module defines a variable containing the set of
19263 services that users typically expect on a machine with a graphical
19264 environment and networking:
19266 @defvr {Scheme Variable} %desktop-services
19267 This is a list of services that builds upon @code{%base-services} and
19268 adds or adjusts services for a typical ``desktop'' setup.
19270 In particular, it adds a graphical login manager (@pxref{X Window,
19271 @code{gdm-service-type}}), screen lockers, a network management tool
19272 (@pxref{Networking Services, @code{network-manager-service-type}}) with modem
19273 support (@pxref{Networking Services, @code{modem-manager-service-type}}),
19274 energy and color management services, the @code{elogind} login and seat
19275 manager, the Polkit privilege service, the GeoClue location service, the
19276 AccountsService daemon that allows authorized users change system passwords,
19277 an NTP client (@pxref{Networking Services}), the Avahi daemon, and has the
19278 name service switch service configured to be able to use @code{nss-mdns}
19279 (@pxref{Name Service Switch, mDNS}).
19282 The @code{%desktop-services} variable can be used as the @code{services}
19283 field of an @code{operating-system} declaration (@pxref{operating-system
19284 Reference, @code{services}}).
19286 Additionally, the @code{gnome-desktop-service-type},
19287 @code{xfce-desktop-service}, @code{mate-desktop-service-type},
19288 @code{lxqt-desktop-service-type} and @code{enlightenment-desktop-service-type}
19289 procedures can add GNOME, Xfce, MATE and/or Enlightenment to a system. To
19290 ``add GNOME'' means that system-level services like the backlight adjustment
19291 helpers and the power management utilities are added to the system, extending
19292 @code{polkit} and @code{dbus} appropriately, allowing GNOME to operate with
19293 elevated privileges on a limited number of special-purpose system interfaces.
19294 Additionally, adding a service made by @code{gnome-desktop-service-type} adds
19295 the GNOME metapackage to the system profile. Likewise, adding the Xfce
19296 service not only adds the @code{xfce} metapackage to the system profile, but
19297 it also gives the Thunar file manager the ability to open a ``root-mode'' file
19298 management window, if the user authenticates using the administrator's
19299 password via the standard polkit graphical interface. To ``add MATE'' means
19300 that @code{polkit} and @code{dbus} are extended appropriately, allowing MATE
19301 to operate with elevated privileges on a limited number of special-purpose
19302 system interfaces. Additionally, adding a service of type
19303 @code{mate-desktop-service-type} adds the MATE metapackage to the system
19304 profile. ``Adding Enlightenment'' means that @code{dbus} is extended
19305 appropriately, and several of Enlightenment's binaries are set as setuid,
19306 allowing Enlightenment's screen locker and other functionality to work as
19309 The desktop environments in Guix use the Xorg display server by
19310 default. If you'd like to use the newer display server protocol
19311 called Wayland, you need to use the @code{sddm-service} instead of
19312 GDM as the graphical login manager. You should then
19313 select the ``GNOME (Wayland)'' session in SDDM@. Alternatively you can
19314 also try starting GNOME on Wayland manually from a TTY with the
19315 command ``XDG_SESSION_TYPE=wayland exec dbus-run-session
19316 gnome-session``. Currently only GNOME has support for Wayland.
19318 @defvr {Scheme Variable} gnome-desktop-service-type
19319 This is the type of the service that adds the @uref{https://www.gnome.org,
19320 GNOME} desktop environment. Its value is a @code{gnome-desktop-configuration}
19321 object (see below).
19323 This service adds the @code{gnome} package to the system profile, and extends
19324 polkit with the actions from @code{gnome-settings-daemon}.
19327 @deftp {Data Type} gnome-desktop-configuration
19328 Configuration record for the GNOME desktop environment.
19331 @item @code{gnome} (default: @code{gnome})
19332 The GNOME package to use.
19336 @defvr {Scheme Variable} xfce-desktop-service-type
19337 This is the type of a service to run the @uref{Xfce, https://xfce.org/}
19338 desktop environment. Its value is an @code{xfce-desktop-configuration} object
19341 This service adds the @code{xfce} package to the system profile, and
19342 extends polkit with the ability for @code{thunar} to manipulate the file
19343 system as root from within a user session, after the user has authenticated
19344 with the administrator's password.
19346 Note that @code{xfce4-panel} and its plugin packages should be installed in
19347 the same profile to ensure compatibility. When using this service, you should
19348 add extra plugins (@code{xfce4-whiskermenu-plugin},
19349 @code{xfce4-weather-plugin}, etc.) to the @code{packages} field of your
19350 @code{operating-system}.
19353 @deftp {Data Type} xfce-desktop-configuration
19354 Configuration record for the Xfce desktop environment.
19357 @item @code{xfce} (default: @code{xfce})
19358 The Xfce package to use.
19362 @deffn {Scheme Variable} mate-desktop-service-type
19363 This is the type of the service that runs the @uref{https://mate-desktop.org/,
19364 MATE desktop environment}. Its value is a @code{mate-desktop-configuration}
19365 object (see below).
19367 This service adds the @code{mate} package to the system
19368 profile, and extends polkit with the actions from
19369 @code{mate-settings-daemon}.
19372 @deftp {Data Type} mate-desktop-configuration
19373 Configuration record for the MATE desktop environment.
19376 @item @code{mate} (default: @code{mate})
19377 The MATE package to use.
19381 @deffn {Scheme Variable} lxqt-desktop-service-type
19382 This is the type of the service that runs the @uref{https://lxqt-project.org,
19383 LXQt desktop environment}. Its value is a @code{lxqt-desktop-configuration}
19384 object (see below).
19386 This service adds the @code{lxqt} package to the system
19390 @deftp {Data Type} lxqt-desktop-configuration
19391 Configuration record for the LXQt desktop environment.
19394 @item @code{lxqt} (default: @code{lxqt})
19395 The LXQT package to use.
19399 @deffn {Scheme Variable} enlightenment-desktop-service-type
19400 Return a service that adds the @code{enlightenment} package to the system
19401 profile, and extends dbus with actions from @code{efl}.
19404 @deftp {Data Type} enlightenment-desktop-service-configuration
19406 @item @code{enlightenment} (default: @code{enlightenment})
19407 The enlightenment package to use.
19411 Because the GNOME, Xfce and MATE desktop services pull in so many packages,
19412 the default @code{%desktop-services} variable doesn't include any of
19413 them by default. To add GNOME, Xfce or MATE, just @code{cons} them onto
19414 @code{%desktop-services} in the @code{services} field of your
19415 @code{operating-system}:
19418 (use-modules (gnu))
19419 (use-service-modules desktop)
19422 ;; cons* adds items to the list given as its last argument.
19423 (services (cons* (service gnome-desktop-service-type)
19424 (service xfce-desktop-service)
19425 %desktop-services))
19429 These desktop environments will then be available as options in the
19430 graphical login window.
19432 The actual service definitions included in @code{%desktop-services} and
19433 provided by @code{(gnu services dbus)} and @code{(gnu services desktop)}
19434 are described below.
19436 @deffn {Scheme Procedure} dbus-service [#:dbus @var{dbus}] [#:services '()]
19437 Return a service that runs the ``system bus'', using @var{dbus}, with
19438 support for @var{services}.
19440 @uref{https://dbus.freedesktop.org/, D-Bus} is an inter-process communication
19441 facility. Its system bus is used to allow system services to communicate
19442 and to be notified of system-wide events.
19444 @var{services} must be a list of packages that provide an
19445 @file{etc/dbus-1/system.d} directory containing additional D-Bus configuration
19446 and policy files. For example, to allow avahi-daemon to use the system bus,
19447 @var{services} must be equal to @code{(list avahi)}.
19450 @deffn {Scheme Procedure} elogind-service [#:config @var{config}]
19451 Return a service that runs the @code{elogind} login and
19452 seat management daemon. @uref{https://github.com/elogind/elogind,
19453 Elogind} exposes a D-Bus interface that can be used to know which users
19454 are logged in, know what kind of sessions they have open, suspend the
19455 system, inhibit system suspend, reboot the system, and other tasks.
19457 Elogind handles most system-level power events for a computer, for
19458 example suspending the system when a lid is closed, or shutting it down
19459 when the power button is pressed.
19461 The @var{config} keyword argument specifies the configuration for
19462 elogind, and should be the result of an @code{(elogind-configuration
19463 (@var{parameter} @var{value})...)} invocation. Available parameters and
19464 their default values are:
19467 @item kill-user-processes?
19469 @item kill-only-users
19471 @item kill-exclude-users
19473 @item inhibit-delay-max-seconds
19475 @item handle-power-key
19477 @item handle-suspend-key
19479 @item handle-hibernate-key
19481 @item handle-lid-switch
19483 @item handle-lid-switch-docked
19485 @item handle-lid-switch-external-power
19487 @item power-key-ignore-inhibited?
19489 @item suspend-key-ignore-inhibited?
19491 @item hibernate-key-ignore-inhibited?
19493 @item lid-switch-ignore-inhibited?
19495 @item holdoff-timeout-seconds
19499 @item idle-action-seconds
19501 @item runtime-directory-size-percent
19503 @item runtime-directory-size
19507 @item suspend-state
19508 @code{("mem" "standby" "freeze")}
19511 @item hibernate-state
19513 @item hibernate-mode
19514 @code{("platform" "shutdown")}
19515 @item hybrid-sleep-state
19517 @item hybrid-sleep-mode
19518 @code{("suspend" "platform" "shutdown")}
19522 @deffn {Scheme Procedure} accountsservice-service @
19523 [#:accountsservice @var{accountsservice}]
19524 Return a service that runs AccountsService, a system service that can
19525 list available accounts, change their passwords, and so on.
19526 AccountsService integrates with PolicyKit to enable unprivileged users
19527 to acquire the capability to modify their system configuration.
19528 @uref{https://www.freedesktop.org/wiki/Software/AccountsService/, the
19529 accountsservice web site} for more information.
19531 The @var{accountsservice} keyword argument is the @code{accountsservice}
19532 package to expose as a service.
19535 @deffn {Scheme Procedure} polkit-service @
19536 [#:polkit @var{polkit}]
19537 Return a service that runs the
19538 @uref{https://www.freedesktop.org/wiki/Software/polkit/, Polkit privilege
19539 management service}, which allows system administrators to grant access to
19540 privileged operations in a structured way. By querying the Polkit service, a
19541 privileged system component can know when it should grant additional
19542 capabilities to ordinary users. For example, an ordinary user can be granted
19543 the capability to suspend the system if the user is logged in locally.
19546 @defvr {Scheme Variable} polkit-wheel-service
19547 Service that adds the @code{wheel} group as admins to the Polkit
19548 service. This makes it so that users in the @code{wheel} group are queried
19549 for their own passwords when performing administrative actions instead of
19550 @code{root}'s, similar to the behaviour used by @code{sudo}.
19553 @defvr {Scheme Variable} upower-service-type
19554 Service that runs @uref{https://upower.freedesktop.org/, @command{upowerd}}, a
19555 system-wide monitor for power consumption and battery levels, with the given
19556 configuration settings.
19558 It implements the @code{org.freedesktop.UPower} D-Bus interface, and is
19559 notably used by GNOME.
19562 @deftp {Data Type} upower-configuration
19563 Data type representation the configuration for UPower.
19567 @item @code{upower} (default: @var{upower})
19568 Package to use for @code{upower}.
19570 @item @code{watts-up-pro?} (default: @code{#f})
19571 Enable the Watts Up Pro device.
19573 @item @code{poll-batteries?} (default: @code{#t})
19574 Enable polling the kernel for battery level changes.
19576 @item @code{ignore-lid?} (default: @code{#f})
19577 Ignore the lid state, this can be useful if it's incorrect on a device.
19579 @item @code{use-percentage-for-policy?} (default: @code{#f})
19580 Whether battery percentage based policy should be used. The default is to use
19581 the time left, change to @code{#t} to use the percentage.
19583 @item @code{percentage-low} (default: @code{10})
19584 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19585 at which the battery is considered low.
19587 @item @code{percentage-critical} (default: @code{3})
19588 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19589 at which the battery is considered critical.
19591 @item @code{percentage-action} (default: @code{2})
19592 When @code{use-percentage-for-policy?} is @code{#t}, this sets the percentage
19593 at which action will be taken.
19595 @item @code{time-low} (default: @code{1200})
19596 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19597 seconds at which the battery is considered low.
19599 @item @code{time-critical} (default: @code{300})
19600 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19601 seconds at which the battery is considered critical.
19603 @item @code{time-action} (default: @code{120})
19604 When @code{use-time-for-policy?} is @code{#f}, this sets the time remaining in
19605 seconds at which action will be taken.
19607 @item @code{critical-power-action} (default: @code{'hybrid-sleep})
19608 The action taken when @code{percentage-action} or @code{time-action} is
19609 reached (depending on the configuration of @code{use-percentage-for-policy?}).
19611 Possible values are:
19621 @code{'hybrid-sleep}.
19627 @deffn {Scheme Procedure} udisks-service [#:udisks @var{udisks}]
19628 Return a service for @uref{https://udisks.freedesktop.org/docs/latest/,
19629 UDisks}, a @dfn{disk management} daemon that provides user interfaces
19630 with notifications and ways to mount/unmount disks. Programs that talk
19631 to UDisks include the @command{udisksctl} command, part of UDisks, and
19632 GNOME Disks. Note that Udisks relies on the @command{mount} command, so
19633 it will only be able to use the file-system utilities installed in the
19634 system profile. For example if you want to be able to mount NTFS
19635 file-systems in read and write fashion, you'll need to have
19636 @code{ntfs-3g} installed system-wide.
19639 @deffn {Scheme Variable} colord-service-type
19640 This is the type of the service that runs @command{colord}, a system
19641 service with a D-Bus
19642 interface to manage the color profiles of input and output devices such as
19643 screens and scanners. It is notably used by the GNOME Color Manager graphical
19644 tool. See @uref{https://www.freedesktop.org/software/colord/, the colord web
19645 site} for more information.
19648 @cindex scanner access
19649 @defvr {Scheme Variable} sane-service-type
19650 This service provides access to scanners @i{via}
19651 @uref{http://www.sane-project.org, SANE} by installing the necessary
19652 udev rules. It is included in @code{%desktop-services} (@pxref{Desktop
19653 Services}) and relies by default on @code{sane-backends-minimal} package
19654 (see below) for hardware support.
19657 @defvr {Scheme Variable} sane-backends-minimal
19658 The default package which the @code{sane-service-type} installs. It
19659 supports many recent scanners.
19662 @defvr {Scheme Variable} sane-backends
19663 This package includes support for all scanners that
19664 @code{sane-backends-minimal} supports, plus older Hewlett-Packard
19665 scanners supported by @code{hplip} package. In order to use this on
19666 a system which relies on @code{%desktop-services}, you may use
19667 @code{modify-services} (@pxref{Service Reference,
19668 @code{modify-services}}) as illustrated below:
19671 (use-modules (gnu))
19672 (use-service-modules
19675 (use-package-modules
19679 (define %my-desktop-services
19680 ;; List of desktop services that supports a broader range of scanners.
19681 (modify-services %desktop-services
19682 (sane-service-type _ => sane-backends)))
19686 (services %my-desktop-services)
19690 @deffn {Scheme Procedure} geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()]
19691 Return a configuration allowing an application to access GeoClue
19692 location data. @var{name} is the Desktop ID of the application, without
19693 the @code{.desktop} part. If @var{allowed?} is true, the application
19694 will have access to location information by default. The boolean
19695 @var{system?} value indicates whether an application is a system component
19696 or not. Finally @var{users} is a list of UIDs of all users for which
19697 this application is allowed location info access. An empty users list
19698 means that all users are allowed.
19701 @defvr {Scheme Variable} %standard-geoclue-applications
19702 The standard list of well-known GeoClue application configurations,
19703 granting authority to the GNOME date-and-time utility to ask for the
19704 current location in order to set the time zone, and allowing the
19705 IceCat and Epiphany web browsers to request location information.
19706 IceCat and Epiphany both query the user before allowing a web page to
19707 know the user's location.
19710 @deffn {Scheme Procedure} geoclue-service [#:colord @var{colord}] @
19711 [#:whitelist '()] @
19712 [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] @
19713 [#:submit-data? #f]
19714 [#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"] @
19715 [#:submission-nick "geoclue"] @
19716 [#:applications %standard-geoclue-applications]
19717 Return a service that runs the GeoClue location service. This service
19718 provides a D-Bus interface to allow applications to request access to a
19719 user's physical location, and optionally to add information to online
19720 location databases. See
19721 @uref{https://wiki.freedesktop.org/www/Software/GeoClue/, the GeoClue
19722 web site} for more information.
19725 @deffn {Scheme Procedure} bluetooth-service [#:bluez @var{bluez}] @
19726 [@w{#:auto-enable? #f}]
19727 Return a service that runs the @command{bluetoothd} daemon, which
19728 manages all the Bluetooth devices and provides a number of D-Bus
19729 interfaces. When AUTO-ENABLE? is true, the bluetooth controller is
19730 powered automatically at boot, which can be useful when using a
19731 bluetooth keyboard or mouse.
19733 Users need to be in the @code{lp} group to access the D-Bus service.
19736 @defvr {Scheme Variable} gnome-keyring-service-type
19737 This is the type of the service that adds the
19738 @uref{https://wiki.gnome.org/Projects/GnomeKeyring, GNOME Keyring}. Its
19739 value is a @code{gnome-keyring-configuration} object (see below).
19741 This service adds the @code{gnome-keyring} package to the system profile
19742 and extends PAM with entries using @code{pam_gnome_keyring.so}, unlocking
19743 a user's login keyring when they log in or setting its password with passwd.
19746 @deftp {Data Type} gnome-keyring-configuration
19747 Configuration record for the GNOME Keyring service.
19750 @item @code{keyring} (default: @code{gnome-keyring})
19751 The GNOME keyring package to use.
19753 @item @code{pam-services}
19754 A list of @code{(@var{service} . @var{kind})} pairs denoting PAM
19755 services to extend, where @var{service} is the name of an existing
19756 service to extend and @var{kind} is one of @code{login} or
19759 If @code{login} is given, it adds an optional
19760 @code{pam_gnome_keyring.so} to the auth block without arguments and to
19761 the session block with @code{auto_start}. If @code{passwd} is given, it
19762 adds an optional @code{pam_gnome_keyring.so} to the password block
19765 By default, this field contains ``gdm-password'' with the value @code{login}
19766 and ``passwd'' is with the value @code{passwd}.
19771 @node Sound Services
19772 @subsection Sound Services
19774 @cindex sound support
19776 @cindex PulseAudio, sound support
19778 The @code{(gnu services sound)} module provides a service to configure the
19779 Advanced Linux Sound Architecture (ALSA) system, which makes PulseAudio the
19780 preferred ALSA output driver.
19782 @deffn {Scheme Variable} alsa-service-type
19783 This is the type for the @uref{https://alsa-project.org/, Advanced Linux Sound
19784 Architecture} (ALSA) system, which generates the @file{/etc/asound.conf}
19785 configuration file. The value for this type is a @command{alsa-configuration}
19786 record as in this example:
19789 (service alsa-service-type)
19792 See below for details about @code{alsa-configuration}.
19795 @deftp {Data Type} alsa-configuration
19796 Data type representing the configuration for @code{alsa-service}.
19799 @item @code{alsa-plugins} (default: @var{alsa-plugins})
19800 @code{alsa-plugins} package to use.
19802 @item @code{pulseaudio?} (default: @var{#t})
19803 Whether ALSA applications should transparently be made to use the
19804 @uref{https://www.pulseaudio.org/, PulseAudio} sound server.
19806 Using PulseAudio allows you to run several sound-producing applications
19807 at the same time and to individual control them @i{via}
19808 @command{pavucontrol}, among other things.
19810 @item @code{extra-options} (default: @var{""})
19811 String to append to the @file{/etc/asound.conf} file.
19816 Individual users who want to override the system configuration of ALSA can do
19817 it with the @file{~/.asoundrc} file:
19820 # In guix, we have to specify the absolute path for plugins.
19822 lib "/home/alice/.guix-profile/lib/alsa-lib/libasound_module_pcm_jack.so"
19825 # Routing ALSA to jack:
19826 # <http://jackaudio.org/faq/routing_alsa.html>.
19830 0 system:playback_1
19831 1 system:playback_2
19848 See @uref{https://www.alsa-project.org/main/index.php/Asoundrc} for the
19851 @deffn {Scheme Variable} pulseaudio-service-type
19852 This is the type for the @uref{https://www.pulseaudio.org/, PulseAudio}
19853 sound server. It exists to allow system overrides of the default settings
19854 via @code{pulseaudio-configuration}, see below.
19857 This service overrides per-user configuration files. If you want
19858 PulseAudio to honor configuration files in @file{~/.config/pulse} you
19859 have to unset the environment variables @env{PULSE_CONFIG} and
19860 @env{PULSE_CLIENTCONFIG} in your @file{~/.bash_profile}.
19864 This service on its own does not ensure, that the @code{pulseaudio} package
19865 exists on your machine. It merely adds configuration files for it, as
19866 detailed below. In the (admittedly unlikely) case, that you find yourself
19867 without a @code{pulseaudio} package, consider enabling it through the
19868 @code{alsa-service-type} above.
19872 @deftp {Data Type} pulseaudio-configuration
19873 Data type representing the configuration for @code{pulseaudio-service}.
19876 @item @code{client-conf} (default: @code{'()})
19877 List of settings to set in @file{client.conf}.
19878 Accepts a list of strings or a symbol-value pairs. A string will be
19879 inserted as-is with a newline added. A pair will be formatted as
19880 ``key = value'', again with a newline added.
19882 @item @code{daemon-conf} (default: @code{'((flat-volumes . no))})
19883 List of settings to set in @file{daemon.conf}, formatted just like
19886 @item @code{script-file} (default: @code{(file-append pulseaudio "/etc/pulse/default.pa")})
19887 Script file to use as @file{default.pa}.
19889 @item @code{system-script-file} (default: @code{(file-append pulseaudio "/etc/pulse/system.pa")})
19890 Script file to use as @file{system.pa}.
19894 @deffn {Scheme Variable} ladspa-service-type
19895 This service sets the @var{LADSPA_PATH} variable, so that programs, which
19896 respect it, e.g. PulseAudio, can load LADSPA plugins.
19898 The following example will setup the service to enable modules from the
19899 @code{swh-plugins} package:
19902 (service ladspa-service-type
19903 (ladspa-configuration (plugins (list swh-plugins))))
19906 See @uref{http://plugin.org.uk/ladspa-swh/docs/ladspa-swh.html} for the
19911 @node Database Services
19912 @subsection Database Services
19916 The @code{(gnu services databases)} module provides the following services.
19918 @subsubheading PostgreSQL
19920 The following example describes a PostgreSQL service with the default
19924 (service postgresql-service-type
19925 (postgresql-configuration
19926 (postgresql postgresql-10)))
19929 If the services fails to start, it may be due to an incompatible
19930 cluster already present in @var{data-directory}. Adjust it (or, if you
19931 don't need the cluster anymore, delete @var{data-directory}), then
19932 restart the service.
19934 Peer authentication is used by default and the @code{postgres} user
19935 account has no shell, which prevents the direct execution of @code{psql}
19936 commands as this user. To use @code{psql}, you can temporarily log in
19937 as @code{postgres} using a shell, create a PostgreSQL superuser with the
19938 same name as one of the system users and then create the associated
19942 sudo -u postgres -s /bin/sh
19943 createuser --interactive
19944 createdb $MY_USER_LOGIN # Replace appropriately.
19947 @deftp {Data Type} postgresql-configuration
19948 Data type representing the configuration for the
19949 @code{postgresql-service-type}.
19952 @item @code{postgresql}
19953 PostgreSQL package to use for the service.
19955 @item @code{port} (default: @code{5432})
19956 Port on which PostgreSQL should listen.
19958 @item @code{locale} (default: @code{"en_US.utf8"})
19959 Locale to use as the default when creating the database cluster.
19961 @item @code{config-file} (default: @code{(postgresql-config-file)})
19962 The configuration file to use when running PostgreSQL@. The default
19963 behaviour uses the postgresql-config-file record with the default values
19966 @item @code{log-directory} (default: @code{"/var/log/postgresql"})
19967 The directory where @command{pg_ctl} output will be written in a file
19968 named @code{"pg_ctl.log"}. This file can be useful to debug PostgreSQL
19969 configuration errors for instance.
19971 @item @code{data-directory} (default: @code{"/var/lib/postgresql/data"})
19972 Directory in which to store the data.
19974 @item @code{extension-packages} (default: @code{'()})
19975 @cindex postgresql extension-packages
19976 Additional extensions are loaded from packages listed in
19977 @var{extension-packages}. Extensions are available at runtime. For instance,
19978 to create a geographic database using the @code{postgis} extension, a user can
19979 configure the postgresql-service as in this example:
19983 (use-package-modules databases geo)
19987 ;; postgresql is required to run `psql' but postgis is not required for
19988 ;; proper operation.
19989 (packages (cons* postgresql %base-packages))
19992 (service postgresql-service-type
19993 (postgresql-configuration
19994 (postgresql postgresql-10)
19995 (extension-packages (list postgis))))
19999 Then the extension becomes visible and you can initialise an empty geographic
20000 database in this way:
20004 > create database postgistest;
20005 > \connect postgistest;
20006 > create extension postgis;
20007 > create extension postgis_topology;
20010 There is no need to add this field for contrib extensions such as hstore or
20011 dblink as they are already loadable by postgresql. This field is only
20012 required to add extensions provided by other packages.
20017 @deftp {Data Type} postgresql-config-file
20018 Data type representing the PostgreSQL configuration file. As shown in
20019 the following example, this can be used to customize the configuration
20020 of PostgreSQL@. Note that you can use any G-expression or filename in
20021 place of this record, if you already have a configuration file you'd
20022 like to use for example.
20025 (service postgresql-service-type
20026 (postgresql-configuration
20028 (postgresql-config-file
20029 (log-destination "stderr")
20031 (plain-file "pg_hba.conf"
20033 local all all trust
20034 host all all 127.0.0.1/32 md5
20035 host all all ::1/128 md5"))
20037 '(("session_preload_libraries" "auto_explain")
20038 ("random_page_cost" 2)
20039 ("auto_explain.log_min_duration" "100 ms")
20040 ("work_mem" "500 MB")
20041 ("logging_collector" #t)
20042 ("log_directory" "/var/log/postgresql")))))))
20046 @item @code{log-destination} (default: @code{"syslog"})
20047 The logging method to use for PostgreSQL@. Multiple values are accepted,
20048 separated by commas.
20050 @item @code{hba-file} (default: @code{%default-postgres-hba})
20051 Filename or G-expression for the host-based authentication
20054 @item @code{ident-file} (default: @code{%default-postgres-ident})
20055 Filename or G-expression for the user name mapping configuration.
20057 @item @code{socket-directory} (default: @code{#false})
20058 Specifies the directory of the Unix-domain socket(s) on which PostgreSQL
20059 is to listen for connections from client applications. If set to
20060 @code{""} PostgreSQL does not listen on any Unix-domain sockets, in
20061 which case only TCP/IP sockets can be used to connect to the server.
20063 By default, the @code{#false} value means the PostgreSQL default value
20064 will be used, which is currently @samp{/tmp}.
20066 @item @code{extra-config} (default: @code{'()})
20067 List of additional keys and values to include in the PostgreSQL config
20068 file. Each entry in the list should be a list where the first element
20069 is the key, and the remaining elements are the values.
20071 The values can be numbers, booleans or strings and will be mapped to
20072 PostgreSQL parameters types @code{Boolean}, @code{String},
20073 @code{Numeric}, @code{Numeric with Unit} and @code{Enumerated} described
20074 @uref{https://www.postgresql.org/docs/current/config-setting.html,
20080 @deffn {Scheme Variable} postgresql-role-service-type
20081 This service allows to create PostgreSQL roles and databases after
20082 PostgreSQL service start. Here is an example of its use.
20085 (service postgresql-role-service-type
20086 (postgresql-role-configuration
20088 (list (postgresql-role
20090 (create-database? #t))))))
20093 This service can be extended with extra roles, as in this
20097 (service-extension postgresql-role-service-type
20098 (const (postgresql-role
20100 (create-database? #t))))
20104 @deftp {Data Type} postgresql-role
20105 PostgreSQL manages database access permissions using the concept of
20106 roles. A role can be thought of as either a database user, or a group
20107 of database users, depending on how the role is set up. Roles can own
20108 database objects (for example, tables) and can assign privileges on
20109 those objects to other roles to control who has access to which objects.
20115 @item @code{permissions} (default: @code{'(createdb login)})
20116 The role permissions list. Supported permissions are @code{bypassrls},
20117 @code{createdb}, @code{createrole}, @code{login}, @code{replication} and
20120 @item @code{create-database?} (default: @code{#f})
20121 Whether to create a database with the same name as the role.
20126 @deftp {Data Type} postgresql-role-configuration
20127 Data type representing the configuration of
20128 @var{postgresql-role-service-type}.
20131 @item @code{host} (default: @code{"/var/run/postgresql"})
20132 The PostgreSQL host to connect to.
20134 @item @code{log} (default: @code{"/var/log/postgresql_roles.log"})
20135 File name of the log file.
20137 @item @code{roles} (default: @code{'()})
20138 The initial PostgreSQL roles to create.
20142 @subsubheading MariaDB/MySQL
20144 @defvr {Scheme Variable} mysql-service-type
20145 This is the service type for a MySQL or MariaDB database server. Its value
20146 is a @code{mysql-configuration} object that specifies which package to use,
20147 as well as various settings for the @command{mysqld} daemon.
20150 @deftp {Data Type} mysql-configuration
20151 Data type representing the configuration of @var{mysql-service-type}.
20154 @item @code{mysql} (default: @var{mariadb})
20155 Package object of the MySQL database server, can be either @var{mariadb}
20158 For MySQL, a temporary root password will be displayed at activation time.
20159 For MariaDB, the root password is empty.
20161 @item @code{bind-address} (default: @code{"127.0.0.1"})
20162 The IP on which to listen for network connections. Use @code{"0.0.0.0"}
20163 to bind to all available network interfaces.
20165 @item @code{port} (default: @code{3306})
20166 TCP port on which the database server listens for incoming connections.
20168 @item @code{socket} (default: @code{"/run/mysqld/mysqld.sock"})
20169 Socket file to use for local (non-network) connections.
20171 @item @code{extra-content} (default: @code{""})
20172 Additional settings for the @file{my.cnf} configuration file.
20174 @item @code{extra-environment} (default: @code{#~'()})
20175 List of environment variables passed to the @command{mysqld} process.
20177 @item @code{auto-upgrade?} (default: @code{#t})
20178 Whether to automatically run @command{mysql_upgrade} after starting the
20179 service. This is necessary to upgrade the @dfn{system schema} after
20180 ``major'' updates (such as switching from MariaDB 10.4 to 10.5), but can
20181 be disabled if you would rather do that manually.
20186 @subsubheading Memcached
20188 @defvr {Scheme Variable} memcached-service-type
20189 This is the service type for the @uref{https://memcached.org/,
20190 Memcached} service, which provides a distributed in memory cache. The
20191 value for the service type is a @code{memcached-configuration} object.
20195 (service memcached-service-type)
20198 @deftp {Data Type} memcached-configuration
20199 Data type representing the configuration of memcached.
20202 @item @code{memcached} (default: @code{memcached})
20203 The Memcached package to use.
20205 @item @code{interfaces} (default: @code{'("0.0.0.0")})
20206 Network interfaces on which to listen.
20208 @item @code{tcp-port} (default: @code{11211})
20209 Port on which to accept connections.
20211 @item @code{udp-port} (default: @code{11211})
20212 Port on which to accept UDP connections on, a value of 0 will disable
20213 listening on a UDP socket.
20215 @item @code{additional-options} (default: @code{'()})
20216 Additional command line options to pass to @code{memcached}.
20220 @subsubheading Redis
20222 @defvr {Scheme Variable} redis-service-type
20223 This is the service type for the @uref{https://redis.io/, Redis}
20224 key/value store, whose value is a @code{redis-configuration} object.
20227 @deftp {Data Type} redis-configuration
20228 Data type representing the configuration of redis.
20231 @item @code{redis} (default: @code{redis})
20232 The Redis package to use.
20234 @item @code{bind} (default: @code{"127.0.0.1"})
20235 Network interface on which to listen.
20237 @item @code{port} (default: @code{6379})
20238 Port on which to accept connections on, a value of 0 will disable
20239 listening on a TCP socket.
20241 @item @code{working-directory} (default: @code{"/var/lib/redis"})
20242 Directory in which to store the database and related files.
20246 @node Mail Services
20247 @subsection Mail Services
20251 The @code{(gnu services mail)} module provides Guix service definitions
20252 for email services: IMAP, POP3, and LMTP servers, as well as mail
20253 transport agents (MTAs). Lots of acronyms! These services are detailed
20254 in the subsections below.
20256 @subsubheading Dovecot Service
20258 @deffn {Scheme Procedure} dovecot-service [#:config (dovecot-configuration)]
20259 Return a service that runs the Dovecot IMAP/POP3/LMTP mail server.
20262 By default, Dovecot does not need much configuration; the default
20263 configuration object created by @code{(dovecot-configuration)} will
20264 suffice if your mail is delivered to @code{~/Maildir}. A self-signed
20265 certificate will be generated for TLS-protected connections, though
20266 Dovecot will also listen on cleartext ports by default. There are a
20267 number of options, though, which mail administrators might need to change,
20268 and as is the case with other services, Guix allows the system
20269 administrator to specify these parameters via a uniform Scheme interface.
20271 For example, to specify that mail is located at @code{maildir~/.mail},
20272 one would instantiate the Dovecot service like this:
20275 (dovecot-service #:config
20276 (dovecot-configuration
20277 (mail-location "maildir:~/.mail")))
20280 The available configuration parameters follow. Each parameter
20281 definition is preceded by its type; for example, @samp{string-list foo}
20282 indicates that the @code{foo} parameter should be specified as a list of
20283 strings. There is also a way to specify the configuration as a string,
20284 if you have an old @code{dovecot.conf} file that you want to port over
20285 from some other system; see the end for more details.
20287 @c The following documentation was initially generated by
20288 @c (generate-documentation) in (gnu services mail). Manually maintained
20289 @c documentation is better, so we shouldn't hesitate to edit below as
20290 @c needed. However if the change you want to make to this documentation
20291 @c can be done in an automated way, it's probably easier to change
20292 @c (generate-documentation) than to make it below and have to deal with
20293 @c the churn as dovecot updates.
20295 Available @code{dovecot-configuration} fields are:
20297 @deftypevr {@code{dovecot-configuration} parameter} package dovecot
20298 The dovecot package.
20301 @deftypevr {@code{dovecot-configuration} parameter} comma-separated-string-list listen
20302 A list of IPs or hosts where to listen for connections. @samp{*}
20303 listens on all IPv4 interfaces, @samp{::} listens on all IPv6
20304 interfaces. If you want to specify non-default ports or anything more
20305 complex, customize the address and port fields of the
20306 @samp{inet-listener} of the specific services you are interested in.
20309 @deftypevr {@code{dovecot-configuration} parameter} protocol-configuration-list protocols
20310 List of protocols we want to serve. Available protocols include
20311 @samp{imap}, @samp{pop3}, and @samp{lmtp}.
20313 Available @code{protocol-configuration} fields are:
20315 @deftypevr {@code{protocol-configuration} parameter} string name
20316 The name of the protocol.
20319 @deftypevr {@code{protocol-configuration} parameter} string auth-socket-path
20320 UNIX socket path to the master authentication server to find users.
20321 This is used by imap (for shared users) and lda.
20322 It defaults to @samp{"/var/run/dovecot/auth-userdb"}.
20325 @deftypevr {@code{protocol-configuration} parameter} boolean imap-metadata?
20326 Whether to enable the @code{IMAP METADATA} extension as defined in
20327 @uref{https://tools.ietf.org/html/rfc5464,RFC@tie{}5464}, which provides
20328 a means for clients to set and retrieve per-mailbox, per-user metadata
20329 and annotations over IMAP.
20331 If this is @samp{#t}, you must also specify a dictionary @i{via} the
20332 @code{mail-attribute-dict} setting.
20334 Defaults to @samp{#f}.
20338 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list managesieve-notify-capabilities
20339 Which NOTIFY capabilities to report to clients that first connect to
20340 the ManageSieve service, before authentication. These may differ from the
20341 capabilities offered to authenticated users. If this field is left empty,
20342 report what the Sieve interpreter supports by default.
20344 Defaults to @samp{()}.
20347 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list managesieve-sieve-capability
20348 Which SIEVE capabilities to report to clients that first connect to
20349 the ManageSieve service, before authentication. These may differ from the
20350 capabilities offered to authenticated users. If this field is left empty,
20351 report what the Sieve interpreter supports by default.
20353 Defaults to @samp{()}.
20357 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list mail-plugins
20358 Space separated list of plugins to load.
20361 @deftypevr {@code{protocol-configuration} parameter} non-negative-integer mail-max-userip-connections
20362 Maximum number of IMAP connections allowed for a user from each IP
20363 address. NOTE: The username is compared case-sensitively.
20364 Defaults to @samp{10}.
20369 @deftypevr {@code{dovecot-configuration} parameter} service-configuration-list services
20370 List of services to enable. Available services include @samp{imap},
20371 @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and
20374 Available @code{service-configuration} fields are:
20376 @deftypevr {@code{service-configuration} parameter} string kind
20377 The service kind. Valid values include @code{director},
20378 @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap},
20379 @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict},
20380 @code{tcpwrap}, @code{quota-warning}, or anything else.
20383 @deftypevr {@code{service-configuration} parameter} listener-configuration-list listeners
20384 Listeners for the service. A listener is either a
20385 @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or
20386 an @code{inet-listener-configuration}.
20387 Defaults to @samp{()}.
20389 Available @code{unix-listener-configuration} fields are:
20391 @deftypevr {@code{unix-listener-configuration} parameter} string path
20392 Path to the file, relative to @code{base-dir} field. This is also used as
20396 @deftypevr {@code{unix-listener-configuration} parameter} string mode
20397 The access mode for the socket.
20398 Defaults to @samp{"0600"}.
20401 @deftypevr {@code{unix-listener-configuration} parameter} string user
20402 The user to own the socket.
20403 Defaults to @samp{""}.
20406 @deftypevr {@code{unix-listener-configuration} parameter} string group
20407 The group to own the socket.
20408 Defaults to @samp{""}.
20412 Available @code{fifo-listener-configuration} fields are:
20414 @deftypevr {@code{fifo-listener-configuration} parameter} string path
20415 Path to the file, relative to @code{base-dir} field. This is also used as
20419 @deftypevr {@code{fifo-listener-configuration} parameter} string mode
20420 The access mode for the socket.
20421 Defaults to @samp{"0600"}.
20424 @deftypevr {@code{fifo-listener-configuration} parameter} string user
20425 The user to own the socket.
20426 Defaults to @samp{""}.
20429 @deftypevr {@code{fifo-listener-configuration} parameter} string group
20430 The group to own the socket.
20431 Defaults to @samp{""}.
20435 Available @code{inet-listener-configuration} fields are:
20437 @deftypevr {@code{inet-listener-configuration} parameter} string protocol
20438 The protocol to listen for.
20441 @deftypevr {@code{inet-listener-configuration} parameter} string address
20442 The address on which to listen, or empty for all addresses.
20443 Defaults to @samp{""}.
20446 @deftypevr {@code{inet-listener-configuration} parameter} non-negative-integer port
20447 The port on which to listen.
20450 @deftypevr {@code{inet-listener-configuration} parameter} boolean ssl?
20451 Whether to use SSL for this service; @samp{yes}, @samp{no}, or
20453 Defaults to @samp{#t}.
20458 @deftypevr {@code{service-configuration} parameter} non-negative-integer client-limit
20459 Maximum number of simultaneous client connections per process. Once
20460 this number of connections is received, the next incoming connection
20461 will prompt Dovecot to spawn another process. If set to 0,
20462 @code{default-client-limit} is used instead.
20464 Defaults to @samp{0}.
20468 @deftypevr {@code{service-configuration} parameter} non-negative-integer service-count
20469 Number of connections to handle before starting a new process.
20470 Typically the only useful values are 0 (unlimited) or 1. 1 is more
20471 secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.
20472 Defaults to @samp{1}.
20476 @deftypevr {@code{service-configuration} parameter} non-negative-integer process-limit
20477 Maximum number of processes that can exist for this service. If set to
20478 0, @code{default-process-limit} is used instead.
20480 Defaults to @samp{0}.
20484 @deftypevr {@code{service-configuration} parameter} non-negative-integer process-min-avail
20485 Number of processes to always keep waiting for more connections.
20486 Defaults to @samp{0}.
20489 @deftypevr {@code{service-configuration} parameter} non-negative-integer vsz-limit
20490 If you set @samp{service-count 0}, you probably need to grow
20492 Defaults to @samp{256000000}.
20497 @deftypevr {@code{dovecot-configuration} parameter} dict-configuration dict
20498 Dict configuration, as created by the @code{dict-configuration}
20501 Available @code{dict-configuration} fields are:
20503 @deftypevr {@code{dict-configuration} parameter} free-form-fields entries
20504 A list of key-value pairs that this dict should hold.
20505 Defaults to @samp{()}.
20510 @deftypevr {@code{dovecot-configuration} parameter} passdb-configuration-list passdbs
20511 A list of passdb configurations, each one created by the
20512 @code{passdb-configuration} constructor.
20514 Available @code{passdb-configuration} fields are:
20516 @deftypevr {@code{passdb-configuration} parameter} string driver
20517 The driver that the passdb should use. Valid values include
20518 @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and
20520 Defaults to @samp{"pam"}.
20523 @deftypevr {@code{passdb-configuration} parameter} space-separated-string-list args
20524 Space separated list of arguments to the passdb driver.
20525 Defaults to @samp{""}.
20530 @deftypevr {@code{dovecot-configuration} parameter} userdb-configuration-list userdbs
20531 List of userdb configurations, each one created by the
20532 @code{userdb-configuration} constructor.
20534 Available @code{userdb-configuration} fields are:
20536 @deftypevr {@code{userdb-configuration} parameter} string driver
20537 The driver that the userdb should use. Valid values include
20538 @samp{passwd} and @samp{static}.
20539 Defaults to @samp{"passwd"}.
20542 @deftypevr {@code{userdb-configuration} parameter} space-separated-string-list args
20543 Space separated list of arguments to the userdb driver.
20544 Defaults to @samp{""}.
20547 @deftypevr {@code{userdb-configuration} parameter} free-form-args override-fields
20548 Override fields from passwd.
20549 Defaults to @samp{()}.
20554 @deftypevr {@code{dovecot-configuration} parameter} plugin-configuration plugin-configuration
20555 Plug-in configuration, created by the @code{plugin-configuration}
20559 @deftypevr {@code{dovecot-configuration} parameter} list-of-namespace-configuration namespaces
20560 List of namespaces. Each item in the list is created by the
20561 @code{namespace-configuration} constructor.
20563 Available @code{namespace-configuration} fields are:
20565 @deftypevr {@code{namespace-configuration} parameter} string name
20566 Name for this namespace.
20569 @deftypevr {@code{namespace-configuration} parameter} string type
20570 Namespace type: @samp{private}, @samp{shared} or @samp{public}.
20571 Defaults to @samp{"private"}.
20574 @deftypevr {@code{namespace-configuration} parameter} string separator
20575 Hierarchy separator to use. You should use the same separator for
20576 all namespaces or some clients get confused. @samp{/} is usually a good
20577 one. The default however depends on the underlying mail storage
20579 Defaults to @samp{""}.
20582 @deftypevr {@code{namespace-configuration} parameter} string prefix
20583 Prefix required to access this namespace. This needs to be
20584 different for all namespaces. For example @samp{Public/}.
20585 Defaults to @samp{""}.
20588 @deftypevr {@code{namespace-configuration} parameter} string location
20589 Physical location of the mailbox. This is in the same format as
20590 mail_location, which is also the default for it.
20591 Defaults to @samp{""}.
20594 @deftypevr {@code{namespace-configuration} parameter} boolean inbox?
20595 There can be only one INBOX, and this setting defines which
20597 Defaults to @samp{#f}.
20600 @deftypevr {@code{namespace-configuration} parameter} boolean hidden?
20601 If namespace is hidden, it's not advertised to clients via NAMESPACE
20602 extension. You'll most likely also want to set @samp{list? #f}. This is mostly
20603 useful when converting from another server with different namespaces
20604 which you want to deprecate but still keep working. For example you can
20605 create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/}
20607 Defaults to @samp{#f}.
20610 @deftypevr {@code{namespace-configuration} parameter} boolean list?
20611 Show the mailboxes under this namespace with the LIST command. This
20612 makes the namespace visible for clients that do not support the NAMESPACE
20613 extension. The special @code{children} value lists child mailboxes, but
20614 hides the namespace prefix.
20615 Defaults to @samp{#t}.
20618 @deftypevr {@code{namespace-configuration} parameter} boolean subscriptions?
20619 Namespace handles its own subscriptions. If set to @code{#f}, the
20620 parent namespace handles them. The empty prefix should always have this
20622 Defaults to @samp{#t}.
20625 @deftypevr {@code{namespace-configuration} parameter} mailbox-configuration-list mailboxes
20626 List of predefined mailboxes in this namespace.
20627 Defaults to @samp{()}.
20629 Available @code{mailbox-configuration} fields are:
20631 @deftypevr {@code{mailbox-configuration} parameter} string name
20632 Name for this mailbox.
20635 @deftypevr {@code{mailbox-configuration} parameter} string auto
20636 @samp{create} will automatically create this mailbox.
20637 @samp{subscribe} will both create and subscribe to the mailbox.
20638 Defaults to @samp{"no"}.
20641 @deftypevr {@code{mailbox-configuration} parameter} space-separated-string-list special-use
20642 List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154.
20643 Valid values are @code{\All}, @code{\Archive}, @code{\Drafts},
20644 @code{\Flagged}, @code{\Junk}, @code{\Sent}, and @code{\Trash}.
20645 Defaults to @samp{()}.
20652 @deftypevr {@code{dovecot-configuration} parameter} file-name base-dir
20653 Base directory where to store runtime data.
20654 Defaults to @samp{"/var/run/dovecot/"}.
20657 @deftypevr {@code{dovecot-configuration} parameter} string login-greeting
20658 Greeting message for clients.
20659 Defaults to @samp{"Dovecot ready."}.
20662 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-trusted-networks
20663 List of trusted network ranges. Connections from these IPs are
20664 allowed to override their IP addresses and ports (for logging and for
20665 authentication checks). @samp{disable-plaintext-auth} is also ignored
20666 for these networks. Typically you would specify your IMAP proxy servers
20668 Defaults to @samp{()}.
20671 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-access-sockets
20672 List of login access check sockets (e.g.@: tcpwrap).
20673 Defaults to @samp{()}.
20676 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-proctitle?
20677 Show more verbose process titles (in ps). Currently shows user name
20678 and IP address. Useful for seeing who is actually using the IMAP
20679 processes (e.g.@: shared mailboxes or if the same uid is used for multiple
20681 Defaults to @samp{#f}.
20684 @deftypevr {@code{dovecot-configuration} parameter} boolean shutdown-clients?
20685 Should all processes be killed when Dovecot master process shuts down.
20686 Setting this to @code{#f} means that Dovecot can be upgraded without
20687 forcing existing client connections to close (although that could also
20688 be a problem if the upgrade is e.g.@: due to a security fix).
20689 Defaults to @samp{#t}.
20692 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer doveadm-worker-count
20693 If non-zero, run mail commands via this many connections to doveadm
20694 server, instead of running them directly in the same process.
20695 Defaults to @samp{0}.
20698 @deftypevr {@code{dovecot-configuration} parameter} string doveadm-socket-path
20699 UNIX socket or host:port used for connecting to doveadm server.
20700 Defaults to @samp{"doveadm-server"}.
20703 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list import-environment
20704 List of environment variables that are preserved on Dovecot startup
20705 and passed down to all of its child processes. You can also give
20706 key=value pairs to always set specific settings.
20709 @deftypevr {@code{dovecot-configuration} parameter} boolean disable-plaintext-auth?
20710 Disable LOGIN command and all other plaintext authentications unless
20711 SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
20712 matches the local IP (i.e.@: you're connecting from the same computer),
20713 the connection is considered secure and plaintext authentication is
20714 allowed. See also ssl=required setting.
20715 Defaults to @samp{#t}.
20718 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-cache-size
20719 Authentication cache size (e.g.@: @samp{#e10e6}). 0 means it's disabled.
20720 Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set
20721 for caching to be used.
20722 Defaults to @samp{0}.
20725 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-ttl
20726 Time to live for cached data. After TTL expires the cached record
20727 is no longer used, *except* if the main database lookup returns internal
20728 failure. We also try to handle password changes automatically: If
20729 user's previous authentication was successful, but this one wasn't, the
20730 cache isn't used. For now this works only with plaintext
20732 Defaults to @samp{"1 hour"}.
20735 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-negative-ttl
20736 TTL for negative hits (user not found, password mismatch).
20737 0 disables caching them completely.
20738 Defaults to @samp{"1 hour"}.
20741 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-realms
20742 List of realms for SASL authentication mechanisms that need them.
20743 You can leave it empty if you don't want to support multiple realms.
20744 Many clients simply use the first one listed here, so keep the default
20746 Defaults to @samp{()}.
20749 @deftypevr {@code{dovecot-configuration} parameter} string auth-default-realm
20750 Default realm/domain to use if none was specified. This is used for
20751 both SASL realms and appending @@domain to username in plaintext
20753 Defaults to @samp{""}.
20756 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-chars
20757 List of allowed characters in username. If the user-given username
20758 contains a character not listed in here, the login automatically fails.
20759 This is just an extra check to make sure user can't exploit any
20760 potential quote escaping vulnerabilities with SQL/LDAP databases. If
20761 you want to allow all characters, set this value to empty.
20762 Defaults to @samp{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@@"}.
20765 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-translation
20766 Username character translations before it's looked up from
20767 databases. The value contains series of from -> to characters. For
20768 example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are
20769 translated to @samp{@@}.
20770 Defaults to @samp{""}.
20773 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-format
20774 Username formatting before it's looked up from databases. You can
20775 use the standard variables here, e.g.@: %Lu would lowercase the username,
20776 %n would drop away the domain if it was given, or @samp{%n-AT-%d} would
20777 change the @samp{@@} into @samp{-AT-}. This translation is done after
20778 @samp{auth-username-translation} changes.
20779 Defaults to @samp{"%Lu"}.
20782 @deftypevr {@code{dovecot-configuration} parameter} string auth-master-user-separator
20783 If you want to allow master users to log in by specifying the master
20784 username within the normal username string (i.e.@: not using SASL
20785 mechanism's support for it), you can specify the separator character
20786 here. The format is then <username><separator><master username>.
20787 UW-IMAP uses @samp{*} as the separator, so that could be a good
20789 Defaults to @samp{""}.
20792 @deftypevr {@code{dovecot-configuration} parameter} string auth-anonymous-username
20793 Username to use for users logging in with ANONYMOUS SASL
20795 Defaults to @samp{"anonymous"}.
20798 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-worker-max-count
20799 Maximum number of dovecot-auth worker processes. They're used to
20800 execute blocking passdb and userdb queries (e.g.@: MySQL and PAM).
20801 They're automatically created and destroyed as needed.
20802 Defaults to @samp{30}.
20805 @deftypevr {@code{dovecot-configuration} parameter} string auth-gssapi-hostname
20806 Host name to use in GSSAPI principal names. The default is to use
20807 the name returned by gethostname(). Use @samp{$ALL} (with quotes) to
20808 allow all keytab entries.
20809 Defaults to @samp{""}.
20812 @deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab
20813 Kerberos keytab to use for the GSSAPI mechanism. Will use the
20814 system default (usually @file{/etc/krb5.keytab}) if not specified. You may
20815 need to change the auth service to run as root to be able to read this
20817 Defaults to @samp{""}.
20820 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-use-winbind?
20821 Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon
20822 and @samp{ntlm-auth} helper.
20823 <doc/wiki/Authentication/Mechanisms/Winbind.txt>.
20824 Defaults to @samp{#f}.
20827 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-winbind-helper-path
20828 Path for Samba's @samp{ntlm-auth} helper binary.
20829 Defaults to @samp{"/usr/bin/ntlm_auth"}.
20832 @deftypevr {@code{dovecot-configuration} parameter} string auth-failure-delay
20833 Time to delay before replying to failed authentications.
20834 Defaults to @samp{"2 secs"}.
20837 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
20838 Require a valid SSL client certificate or the authentication
20840 Defaults to @samp{#f}.
20843 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-username-from-cert?
20844 Take the username from client's SSL certificate, using
20845 @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's
20847 Defaults to @samp{#f}.
20850 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-mechanisms
20851 List of wanted authentication mechanisms. Supported mechanisms are:
20852 @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5},
20853 @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi},
20854 @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also
20855 @samp{disable-plaintext-auth} setting.
20858 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-servers
20859 List of IPs or hostnames to all director servers, including ourself.
20860 Ports can be specified as ip:port. The default port is the same as what
20861 director service's @samp{inet-listener} is using.
20862 Defaults to @samp{()}.
20865 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-mail-servers
20866 List of IPs or hostnames to all backend mail servers. Ranges are
20867 allowed too, like 10.0.0.10-10.0.0.30.
20868 Defaults to @samp{()}.
20871 @deftypevr {@code{dovecot-configuration} parameter} string director-user-expire
20872 How long to redirect users to a specific server after it no longer
20873 has any connections.
20874 Defaults to @samp{"15 min"}.
20877 @deftypevr {@code{dovecot-configuration} parameter} string director-username-hash
20878 How the username is translated before being hashed. Useful values
20879 include %Ln if user can log in with or without @@domain, %Ld if mailboxes
20880 are shared within domain.
20881 Defaults to @samp{"%Lu"}.
20884 @deftypevr {@code{dovecot-configuration} parameter} string log-path
20885 Log file to use for error messages. @samp{syslog} logs to syslog,
20886 @samp{/dev/stderr} logs to stderr.
20887 Defaults to @samp{"syslog"}.
20890 @deftypevr {@code{dovecot-configuration} parameter} string info-log-path
20891 Log file to use for informational messages. Defaults to
20893 Defaults to @samp{""}.
20896 @deftypevr {@code{dovecot-configuration} parameter} string debug-log-path
20897 Log file to use for debug messages. Defaults to
20898 @samp{info-log-path}.
20899 Defaults to @samp{""}.
20902 @deftypevr {@code{dovecot-configuration} parameter} string syslog-facility
20903 Syslog facility to use if you're logging to syslog. Usually if you
20904 don't want to use @samp{mail}, you'll use local0..local7. Also other
20905 standard facilities are supported.
20906 Defaults to @samp{"mail"}.
20909 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose?
20910 Log unsuccessful authentication attempts and the reasons why they
20912 Defaults to @samp{#f}.
20915 @deftypevr {@code{dovecot-configuration} parameter} string auth-verbose-passwords
20916 In case of password mismatches, log the attempted password. Valid
20917 values are no, plain and sha1. sha1 can be useful for detecting brute
20918 force password attempts vs. user simply trying the same password over
20919 and over again. You can also truncate the value to n chars by appending
20920 ":n" (e.g.@: sha1:6).
20921 Defaults to @samp{"no"}.
20924 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug?
20925 Even more verbose logging for debugging purposes. Shows for example
20927 Defaults to @samp{#f}.
20930 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug-passwords?
20931 In case of password mismatches, log the passwords and used scheme so
20932 the problem can be debugged. Enabling this also enables
20934 Defaults to @samp{#f}.
20937 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-debug?
20938 Enable mail process debugging. This can help you figure out why
20939 Dovecot isn't finding your mails.
20940 Defaults to @samp{#f}.
20943 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-ssl?
20944 Show protocol level SSL errors.
20945 Defaults to @samp{#f}.
20948 @deftypevr {@code{dovecot-configuration} parameter} string log-timestamp
20949 Prefix for each line written to log file. % codes are in
20950 strftime(3) format.
20951 Defaults to @samp{"\"%b %d %H:%M:%S \""}.
20954 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-log-format-elements
20955 List of elements we want to log. The elements which have a
20956 non-empty variable value are joined together to form a comma-separated
20960 @deftypevr {@code{dovecot-configuration} parameter} string login-log-format
20961 Login log format. %s contains @samp{login-log-format-elements}
20962 string, %$ contains the data we want to log.
20963 Defaults to @samp{"%$: %s"}.
20966 @deftypevr {@code{dovecot-configuration} parameter} string mail-log-prefix
20967 Log prefix for mail processes. See doc/wiki/Variables.txt for list
20968 of possible variables you can use.
20969 Defaults to @samp{"\"%s(%u)<%@{pid@}><%@{session@}>: \""}.
20972 @deftypevr {@code{dovecot-configuration} parameter} string deliver-log-format
20973 Format to use for logging mail deliveries. You can use variables:
20976 Delivery status message (e.g.@: @samp{saved to INBOX})
20988 Defaults to @samp{"msgid=%m: %$"}.
20991 @deftypevr {@code{dovecot-configuration} parameter} string mail-location
20992 Location for users' mailboxes. The default is empty, which means
20993 that Dovecot tries to find the mailboxes automatically. This won't work
20994 if the user doesn't yet have any mail, so you should explicitly tell
20995 Dovecot the full location.
20997 If you're using mbox, giving a path to the INBOX
20998 file (e.g.@: @file{/var/mail/%u}) isn't enough. You'll also need to tell Dovecot
20999 where the other mailboxes are kept. This is called the @emph{root mail
21000 directory}, and it must be the first path given in the
21001 @samp{mail-location} setting.
21003 There are a few special variables you can use, e.g.:
21009 user part in user@@domain, same as %u if there's no domain
21011 domain part in user@@domain, empty if there's no domain
21016 See doc/wiki/Variables.txt for full list. Some examples:
21018 @item maildir:~/Maildir
21019 @item mbox:~/mail:INBOX=/var/mail/%u
21020 @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%
21022 Defaults to @samp{""}.
21025 @deftypevr {@code{dovecot-configuration} parameter} string mail-uid
21026 System user and group used to access mails. If you use multiple,
21027 userdb can override these by returning uid or gid fields. You can use
21028 either numbers or names. <doc/wiki/UserIds.txt>.
21029 Defaults to @samp{""}.
21032 @deftypevr {@code{dovecot-configuration} parameter} string mail-gid
21034 Defaults to @samp{""}.
21037 @deftypevr {@code{dovecot-configuration} parameter} string mail-privileged-group
21038 Group to enable temporarily for privileged operations. Currently
21039 this is used only with INBOX when either its initial creation or
21040 dotlocking fails. Typically this is set to @samp{"mail"} to give access to
21042 Defaults to @samp{""}.
21045 @deftypevr {@code{dovecot-configuration} parameter} string mail-access-groups
21046 Grant access to these supplementary groups for mail processes.
21047 Typically these are used to set up access to shared mailboxes. Note
21048 that it may be dangerous to set these if users can create symlinks
21049 (e.g.@: if @samp{mail} group is set here, @code{ln -s /var/mail ~/mail/var}
21050 could allow a user to delete others' mailboxes, or @code{ln -s
21051 /secret/shared/box ~/mail/mybox} would allow reading it). Defaults to
21055 @deftypevr {@code{dovecot-configuration} parameter} string mail-attribute-dict
21056 The location of a dictionary used to store @code{IMAP METADATA}
21057 as defined by @uref{https://tools.ietf.org/html/rfc5464, RFC@tie{}5464}.
21059 The IMAP METADATA commands are available only if the ``imap''
21060 protocol configuration's @code{imap-metadata?} field is @samp{#t}.
21062 Defaults to @samp{""}.
21066 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-full-filesystem-access?
21067 Allow full file system access to clients. There's no access checks
21068 other than what the operating system does for the active UID/GID@. It
21069 works with both maildir and mboxes, allowing you to prefix mailboxes
21070 names with e.g.@: @file{/path/} or @file{~user/}.
21071 Defaults to @samp{#f}.
21074 @deftypevr {@code{dovecot-configuration} parameter} boolean mmap-disable?
21075 Don't use @code{mmap()} at all. This is required if you store indexes to
21076 shared file systems (NFS or clustered file system).
21077 Defaults to @samp{#f}.
21080 @deftypevr {@code{dovecot-configuration} parameter} boolean dotlock-use-excl?
21081 Rely on @samp{O_EXCL} to work when creating dotlock files. NFS
21082 supports @samp{O_EXCL} since version 3, so this should be safe to use
21083 nowadays by default.
21084 Defaults to @samp{#t}.
21087 @deftypevr {@code{dovecot-configuration} parameter} string mail-fsync
21088 When to use fsync() or fdatasync() calls:
21091 Whenever necessary to avoid losing important data
21093 Useful with e.g.@: NFS when @code{write()}s are delayed
21095 Never use it (best performance, but crashes can lose data).
21097 Defaults to @samp{"optimized"}.
21100 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-storage?
21101 Mail storage exists in NFS@. Set this to yes to make Dovecot flush
21102 NFS caches whenever needed. If you're using only a single mail server
21104 Defaults to @samp{#f}.
21107 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-index?
21108 Mail index files also exist in NFS@. Setting this to yes requires
21109 @samp{mmap-disable? #t} and @samp{fsync-disable? #f}.
21110 Defaults to @samp{#f}.
21113 @deftypevr {@code{dovecot-configuration} parameter} string lock-method
21114 Locking method for index files. Alternatives are fcntl, flock and
21115 dotlock. Dotlocking uses some tricks which may create more disk I/O
21116 than other locking methods. NFS users: flock doesn't work, remember to
21117 change @samp{mmap-disable}.
21118 Defaults to @samp{"fcntl"}.
21121 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-temp-dir
21122 Directory in which LDA/LMTP temporarily stores incoming mails >128
21124 Defaults to @samp{"/tmp"}.
21127 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-uid
21128 Valid UID range for users. This is mostly to make sure that users can't
21129 log in as daemons or other system users. Note that denying root logins is
21130 hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid}
21132 Defaults to @samp{500}.
21135 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-uid
21137 Defaults to @samp{0}.
21140 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-gid
21141 Valid GID range for users. Users having non-valid GID as primary group ID
21142 aren't allowed to log in. If user belongs to supplementary groups with
21143 non-valid GIDs, those groups are not set.
21144 Defaults to @samp{1}.
21147 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-gid
21149 Defaults to @samp{0}.
21152 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-max-keyword-length
21153 Maximum allowed length for mail keyword name. It's only forced when
21154 trying to create new keywords.
21155 Defaults to @samp{50}.
21158 @deftypevr {@code{dovecot-configuration} parameter} colon-separated-file-name-list valid-chroot-dirs
21159 List of directories under which chrooting is allowed for mail
21160 processes (i.e.@: @file{/var/mail} will allow chrooting to @file{/var/mail/foo/bar}
21161 too). This setting doesn't affect @samp{login-chroot}
21162 @samp{mail-chroot} or auth chroot settings. If this setting is empty,
21163 @samp{/./} in home dirs are ignored. WARNING: Never add directories here
21164 which local users can modify, that may lead to root exploit. Usually
21165 this should be done only if you don't allow shell access for users.
21166 <doc/wiki/Chrooting.txt>.
21167 Defaults to @samp{()}.
21170 @deftypevr {@code{dovecot-configuration} parameter} string mail-chroot
21171 Default chroot directory for mail processes. This can be overridden
21172 for specific users in user database by giving @samp{/./} in user's home
21173 directory (e.g.@: @samp{/home/./user} chroots into @file{/home}). Note that usually
21174 there is no real need to do chrooting, Dovecot doesn't allow users to
21175 access files outside their mail directory anyway. If your home
21176 directories are prefixed with the chroot directory, append @samp{/.} to
21177 @samp{mail-chroot}. <doc/wiki/Chrooting.txt>.
21178 Defaults to @samp{""}.
21181 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-socket-path
21182 UNIX socket path to master authentication server to find users.
21183 This is used by imap (for shared users) and lda.
21184 Defaults to @samp{"/var/run/dovecot/auth-userdb"}.
21187 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-plugin-dir
21188 Directory where to look up mail plugins.
21189 Defaults to @samp{"/usr/lib/dovecot"}.
21192 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mail-plugins
21193 List of plugins to load for all services. Plugins specific to IMAP,
21194 LDA, etc.@: are added to this list in their own .conf files.
21195 Defaults to @samp{()}.
21198 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-cache-min-mail-count
21199 The minimum number of mails in a mailbox before updates are done to
21200 cache file. This allows optimizing Dovecot's behavior to do less disk
21201 writes at the cost of more disk reads.
21202 Defaults to @samp{0}.
21205 @deftypevr {@code{dovecot-configuration} parameter} string mailbox-idle-check-interval
21206 When IDLE command is running, mailbox is checked once in a while to
21207 see if there are any new mails or other changes. This setting defines
21208 the minimum time to wait between those checks. Dovecot can also use
21209 dnotify, inotify and kqueue to find out immediately when changes
21211 Defaults to @samp{"30 secs"}.
21214 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-save-crlf?
21215 Save mails with CR+LF instead of plain LF@. This makes sending those
21216 mails take less CPU, especially with sendfile() syscall with Linux and
21217 FreeBSD@. But it also creates a bit more disk I/O which may just make it
21218 slower. Also note that if other software reads the mboxes/maildirs,
21219 they may handle the extra CRs wrong and cause problems.
21220 Defaults to @samp{#f}.
21223 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-stat-dirs?
21224 By default LIST command returns all entries in maildir beginning
21225 with a dot. Enabling this option makes Dovecot return only entries
21226 which are directories. This is done by stat()ing each entry, so it
21227 causes more disk I/O.
21228 (For systems setting struct @samp{dirent->d_type} this check is free
21229 and it's done always regardless of this setting).
21230 Defaults to @samp{#f}.
21233 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-copy-with-hardlinks?
21234 When copying a message, do it with hard links whenever possible.
21235 This makes the performance much better, and it's unlikely to have any
21237 Defaults to @samp{#t}.
21240 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-very-dirty-syncs?
21241 Assume Dovecot is the only MUA accessing Maildir: Scan cur/
21242 directory only when its mtime changes unexpectedly or when we can't find
21243 the mail otherwise.
21244 Defaults to @samp{#f}.
21247 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-read-locks
21248 Which locking methods to use for locking mbox. There are four
21253 Create <mailbox>.lock file. This is the oldest and most NFS-safe
21254 solution. If you want to use /var/mail/ like directory, the users will
21255 need write access to that directory.
21257 Same as dotlock, but if it fails because of permissions or because there
21258 isn't enough disk space, just skip it.
21260 Use this if possible. Works with NFS too if lockd is used.
21262 May not exist in all systems. Doesn't work with NFS.
21264 May not exist in all systems. Doesn't work with NFS.
21267 You can use multiple locking methods; if you do the order they're declared
21268 in is important to avoid deadlocks if other MTAs/MUAs are using multiple
21269 locking methods as well. Some operating systems don't allow using some of
21270 them simultaneously.
21273 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-write-locks
21277 @deftypevr {@code{dovecot-configuration} parameter} string mbox-lock-timeout
21278 Maximum time to wait for lock (all of them) before aborting.
21279 Defaults to @samp{"5 mins"}.
21282 @deftypevr {@code{dovecot-configuration} parameter} string mbox-dotlock-change-timeout
21283 If dotlock exists but the mailbox isn't modified in any way,
21284 override the lock file after this much time.
21285 Defaults to @samp{"2 mins"}.
21288 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-dirty-syncs?
21289 When mbox changes unexpectedly we have to fully read it to find out
21290 what changed. If the mbox is large this can take a long time. Since
21291 the change is usually just a newly appended mail, it'd be faster to
21292 simply read the new mails. If this setting is enabled, Dovecot does
21293 this but still safely fallbacks to re-reading the whole mbox file
21294 whenever something in mbox isn't how it's expected to be. The only real
21295 downside to this setting is that if some other MUA changes message
21296 flags, Dovecot doesn't notice it immediately. Note that a full sync is
21297 done with SELECT, EXAMINE, EXPUNGE and CHECK commands.
21298 Defaults to @samp{#t}.
21301 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-very-dirty-syncs?
21302 Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT,
21303 EXAMINE, EXPUNGE or CHECK commands. If this is set,
21304 @samp{mbox-dirty-syncs} is ignored.
21305 Defaults to @samp{#f}.
21308 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-lazy-writes?
21309 Delay writing mbox headers until doing a full write sync (EXPUNGE
21310 and CHECK commands and when closing the mailbox). This is especially
21311 useful for POP3 where clients often delete all mails. The downside is
21312 that our changes aren't immediately visible to other MUAs.
21313 Defaults to @samp{#t}.
21316 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mbox-min-index-size
21317 If mbox size is smaller than this (e.g.@: 100k), don't write index
21318 files. If an index file already exists it's still read, just not
21320 Defaults to @samp{0}.
21323 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mdbox-rotate-size
21324 Maximum dbox file size until it's rotated.
21325 Defaults to @samp{10000000}.
21328 @deftypevr {@code{dovecot-configuration} parameter} string mdbox-rotate-interval
21329 Maximum dbox file age until it's rotated. Typically in days. Day
21330 begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check
21332 Defaults to @samp{"1d"}.
21335 @deftypevr {@code{dovecot-configuration} parameter} boolean mdbox-preallocate-space?
21336 When creating new mdbox files, immediately preallocate their size to
21337 @samp{mdbox-rotate-size}. This setting currently works only in Linux
21338 with some file systems (ext4, xfs).
21339 Defaults to @samp{#f}.
21342 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-dir
21343 sdbox and mdbox support saving mail attachments to external files,
21344 which also allows single instance storage for them. Other backends
21345 don't support this for now.
21347 WARNING: This feature hasn't been tested much yet. Use at your own risk.
21349 Directory root where to store mail attachments. Disabled, if empty.
21350 Defaults to @samp{""}.
21353 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-attachment-min-size
21354 Attachments smaller than this aren't saved externally. It's also
21355 possible to write a plugin to disable saving specific attachments
21357 Defaults to @samp{128000}.
21360 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-fs
21361 File system backend to use for saving attachments:
21364 No SiS done by Dovecot (but this might help FS's own deduplication)
21366 SiS with immediate byte-by-byte comparison during saving
21367 @item sis-queue posix
21368 SiS with delayed comparison and deduplication.
21370 Defaults to @samp{"sis posix"}.
21373 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-hash
21374 Hash format to use in attachment filenames. You can add any text and
21375 variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}},
21376 @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be
21377 truncated, e.g.@: @code{%@{sha256:80@}} returns only first 80 bits.
21378 Defaults to @samp{"%@{sha1@}"}.
21381 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-process-limit
21383 Defaults to @samp{100}.
21386 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-client-limit
21388 Defaults to @samp{1000}.
21391 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-vsz-limit
21392 Default VSZ (virtual memory size) limit for service processes.
21393 This is mainly intended to catch and kill processes that leak memory
21394 before they eat up everything.
21395 Defaults to @samp{256000000}.
21398 @deftypevr {@code{dovecot-configuration} parameter} string default-login-user
21399 Login user is internally used by login processes. This is the most
21400 untrusted user in Dovecot system. It shouldn't have access to anything
21402 Defaults to @samp{"dovenull"}.
21405 @deftypevr {@code{dovecot-configuration} parameter} string default-internal-user
21406 Internal user is used by unprivileged processes. It should be
21407 separate from login user, so that login processes can't disturb other
21409 Defaults to @samp{"dovecot"}.
21412 @deftypevr {@code{dovecot-configuration} parameter} string ssl?
21413 SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>.
21414 Defaults to @samp{"required"}.
21417 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert
21418 PEM encoded X.509 SSL/TLS certificate (public key).
21419 Defaults to @samp{"</etc/dovecot/default.pem"}.
21422 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key
21423 PEM encoded SSL/TLS private key. The key is opened before
21424 dropping root privileges, so keep the key file unreadable by anyone but
21426 Defaults to @samp{"</etc/dovecot/private/default.pem"}.
21429 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key-password
21430 If key file is password protected, give the password here.
21431 Alternatively give it when starting dovecot with -p parameter. Since
21432 this file is often world-readable, you may want to place this setting
21433 instead to a different.
21434 Defaults to @samp{""}.
21437 @deftypevr {@code{dovecot-configuration} parameter} string ssl-ca
21438 PEM encoded trusted certificate authority. Set this only if you
21439 intend to use @samp{ssl-verify-client-cert? #t}. The file should
21440 contain the CA certificate(s) followed by the matching
21441 CRL(s). (e.g.@: @samp{ssl-ca </etc/ssl/certs/ca.pem}).
21442 Defaults to @samp{""}.
21445 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-require-crl?
21446 Require that CRL check succeeds for client certificates.
21447 Defaults to @samp{#t}.
21450 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-verify-client-cert?
21451 Request client to send a certificate. If you also want to require
21452 it, set @samp{auth-ssl-require-client-cert? #t} in auth section.
21453 Defaults to @samp{#f}.
21456 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert-username-field
21457 Which field from certificate to use for username. commonName and
21458 x500UniqueIdentifier are the usual choices. You'll also need to set
21459 @samp{auth-ssl-username-from-cert? #t}.
21460 Defaults to @samp{"commonName"}.
21463 @deftypevr {@code{dovecot-configuration} parameter} string ssl-min-protocol
21464 Minimum SSL protocol version to accept.
21465 Defaults to @samp{"TLSv1"}.
21468 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cipher-list
21469 SSL ciphers to use.
21470 Defaults to @samp{"ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@@STRENGTH"}.
21473 @deftypevr {@code{dovecot-configuration} parameter} string ssl-crypto-device
21474 SSL crypto device to use, for valid values run "openssl engine".
21475 Defaults to @samp{""}.
21478 @deftypevr {@code{dovecot-configuration} parameter} string postmaster-address
21479 Address to use when sending rejection mails.
21480 %d expands to recipient domain.
21481 Defaults to @samp{"postmaster@@%d"}.
21484 @deftypevr {@code{dovecot-configuration} parameter} string hostname
21485 Hostname to use in various parts of sent mails (e.g.@: in Message-Id)
21486 and in LMTP replies. Default is the system's real hostname@@domain.
21487 Defaults to @samp{""}.
21490 @deftypevr {@code{dovecot-configuration} parameter} boolean quota-full-tempfail?
21491 If user is over quota, return with temporary failure instead of
21493 Defaults to @samp{#f}.
21496 @deftypevr {@code{dovecot-configuration} parameter} file-name sendmail-path
21497 Binary to use for sending mails.
21498 Defaults to @samp{"/usr/sbin/sendmail"}.
21501 @deftypevr {@code{dovecot-configuration} parameter} string submission-host
21502 If non-empty, send mails via this SMTP host[:port] instead of
21504 Defaults to @samp{""}.
21507 @deftypevr {@code{dovecot-configuration} parameter} string rejection-subject
21508 Subject: header to use for rejection mails. You can use the same
21509 variables as for @samp{rejection-reason} below.
21510 Defaults to @samp{"Rejected: %s"}.
21513 @deftypevr {@code{dovecot-configuration} parameter} string rejection-reason
21514 Human readable error message for rejection mails. You can use
21527 Defaults to @samp{"Your message to <%t> was automatically rejected:%n%r"}.
21530 @deftypevr {@code{dovecot-configuration} parameter} string recipient-delimiter
21531 Delimiter character between local-part and detail in email
21533 Defaults to @samp{"+"}.
21536 @deftypevr {@code{dovecot-configuration} parameter} string lda-original-recipient-header
21537 Header where the original recipient address (SMTP's RCPT TO:
21538 address) is taken from if not available elsewhere. With dovecot-lda -a
21539 parameter overrides this. A commonly used header for this is
21541 Defaults to @samp{""}.
21544 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autocreate?
21545 Should saving a mail to a nonexistent mailbox automatically create
21547 Defaults to @samp{#f}.
21550 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autosubscribe?
21551 Should automatically created mailboxes be also automatically
21553 Defaults to @samp{#f}.
21556 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer imap-max-line-length
21557 Maximum IMAP command line length. Some clients generate very long
21558 command lines with huge mailboxes, so you may need to raise this if you
21559 get "Too long argument" or "IMAP command line too large" errors
21561 Defaults to @samp{64000}.
21564 @deftypevr {@code{dovecot-configuration} parameter} string imap-logout-format
21565 IMAP logout format string:
21568 total number of bytes read from client
21570 total number of bytes sent to client.
21572 See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.
21573 Defaults to @samp{"in=%i out=%o deleted=%@{deleted@} expunged=%@{expunged@} trashed=%@{trashed@} hdr_count=%@{fetch_hdr_count@} hdr_bytes=%@{fetch_hdr_bytes@} body_count=%@{fetch_body_count@} body_bytes=%@{fetch_body_bytes@}"}.
21576 @deftypevr {@code{dovecot-configuration} parameter} string imap-capability
21577 Override the IMAP CAPABILITY response. If the value begins with '+',
21578 add the given capabilities on top of the defaults (e.g.@: +XFOO XBAR).
21579 Defaults to @samp{""}.
21582 @deftypevr {@code{dovecot-configuration} parameter} string imap-idle-notify-interval
21583 How long to wait between "OK Still here" notifications when client
21585 Defaults to @samp{"2 mins"}.
21588 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-send
21589 ID field names and values to send to clients. Using * as the value
21590 makes Dovecot use the default value. The following fields have default
21591 values currently: name, version, os, os-version, support-url,
21593 Defaults to @samp{""}.
21596 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-log
21597 ID fields sent by client to log. * means everything.
21598 Defaults to @samp{""}.
21601 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list imap-client-workarounds
21602 Workarounds for various client bugs:
21605 @item delay-newmail
21606 Send EXISTS/RECENT new mail notifications only when replying to NOOP and
21607 CHECK commands. Some clients ignore them otherwise, for example OSX
21608 Mail (<v2.1). Outlook Express breaks more badly though, without this it
21609 may show user "Message no longer in server" errors. Note that OE6
21610 still breaks even with this workaround if synchronization is set to
21613 @item tb-extra-mailbox-sep
21614 Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
21615 adds extra @samp{/} suffixes to mailbox names. This option causes Dovecot to
21616 ignore the extra @samp{/} instead of treating it as invalid mailbox name.
21618 @item tb-lsub-flags
21619 Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g.@: mbox).
21620 This makes Thunderbird realize they aren't selectable and show them
21621 greyed out, instead of only later giving "not selectable" popup error.
21623 Defaults to @samp{()}.
21626 @deftypevr {@code{dovecot-configuration} parameter} string imap-urlauth-host
21627 Host allowed in URLAUTH URLs sent by client. "*" allows all.
21628 Defaults to @samp{""}.
21632 Whew! Lots of configuration options. The nice thing about it though is
21633 that Guix has a complete interface to Dovecot's configuration
21634 language. This allows not only a nice way to declare configurations,
21635 but also offers reflective capabilities as well: users can write code to
21636 inspect and transform configurations from within Scheme.
21638 However, it could be that you just want to get a @code{dovecot.conf} up
21639 and running. In that case, you can pass an
21640 @code{opaque-dovecot-configuration} as the @code{#:config} parameter to
21641 @code{dovecot-service}. As its name indicates, an opaque configuration
21642 does not have easy reflective capabilities.
21644 Available @code{opaque-dovecot-configuration} fields are:
21646 @deftypevr {@code{opaque-dovecot-configuration} parameter} package dovecot
21647 The dovecot package.
21650 @deftypevr {@code{opaque-dovecot-configuration} parameter} string string
21651 The contents of the @code{dovecot.conf}, as a string.
21654 For example, if your @code{dovecot.conf} is just the empty string, you
21655 could instantiate a dovecot service like this:
21658 (dovecot-service #:config
21659 (opaque-dovecot-configuration
21663 @subsubheading OpenSMTPD Service
21665 @deffn {Scheme Variable} opensmtpd-service-type
21666 This is the type of the @uref{https://www.opensmtpd.org, OpenSMTPD}
21667 service, whose value should be an @code{opensmtpd-configuration} object
21668 as in this example:
21671 (service opensmtpd-service-type
21672 (opensmtpd-configuration
21673 (config-file (local-file "./my-smtpd.conf"))))
21677 @deftp {Data Type} opensmtpd-configuration
21678 Data type representing the configuration of opensmtpd.
21681 @item @code{package} (default: @var{opensmtpd})
21682 Package object of the OpenSMTPD SMTP server.
21684 @item @code{config-file} (default: @code{%default-opensmtpd-file})
21685 File-like object of the OpenSMTPD configuration file to use. By default
21686 it listens on the loopback network interface, and allows for mail from
21687 users and daemons on the local machine, as well as permitting email to
21688 remote servers. Run @command{man smtpd.conf} for more information.
21693 @subsubheading Exim Service
21695 @cindex mail transfer agent (MTA)
21696 @cindex MTA (mail transfer agent)
21699 @deffn {Scheme Variable} exim-service-type
21700 This is the type of the @uref{https://exim.org, Exim} mail transfer
21701 agent (MTA), whose value should be an @code{exim-configuration} object
21702 as in this example:
21705 (service exim-service-type
21706 (exim-configuration
21707 (config-file (local-file "./my-exim.conf"))))
21711 In order to use an @code{exim-service-type} service you must also have a
21712 @code{mail-aliases-service-type} service present in your
21713 @code{operating-system} (even if it has no aliases).
21715 @deftp {Data Type} exim-configuration
21716 Data type representing the configuration of exim.
21719 @item @code{package} (default: @var{exim})
21720 Package object of the Exim server.
21722 @item @code{config-file} (default: @code{#f})
21723 File-like object of the Exim configuration file to use. If its value is
21724 @code{#f} then use the default configuration file from the package
21725 provided in @code{package}. The resulting configuration file is loaded
21726 after setting the @code{exim_user} and @code{exim_group} configuration
21732 @subsubheading Getmail service
21737 @deffn {Scheme Variable} getmail-service-type
21738 This is the type of the @uref{http://pyropus.ca/software/getmail/, Getmail}
21739 mail retriever, whose value should be an @code{getmail-configuration}.
21742 Available @code{getmail-configuration} fields are:
21744 @deftypevr {@code{getmail-configuration} parameter} symbol name
21745 A symbol to identify the getmail service.
21747 Defaults to @samp{"unset"}.
21751 @deftypevr {@code{getmail-configuration} parameter} package package
21752 The getmail package to use.
21756 @deftypevr {@code{getmail-configuration} parameter} string user
21757 The user to run getmail as.
21759 Defaults to @samp{"getmail"}.
21763 @deftypevr {@code{getmail-configuration} parameter} string group
21764 The group to run getmail as.
21766 Defaults to @samp{"getmail"}.
21770 @deftypevr {@code{getmail-configuration} parameter} string directory
21771 The getmail directory to use.
21773 Defaults to @samp{"/var/lib/getmail/default"}.
21777 @deftypevr {@code{getmail-configuration} parameter} getmail-configuration-file rcfile
21778 The getmail configuration file to use.
21780 Available @code{getmail-configuration-file} fields are:
21782 @deftypevr {@code{getmail-configuration-file} parameter} getmail-retriever-configuration retriever
21783 What mail account to retrieve mail from, and how to access that account.
21785 Available @code{getmail-retriever-configuration} fields are:
21787 @deftypevr {@code{getmail-retriever-configuration} parameter} string type
21788 The type of mail retriever to use. Valid values include @samp{passwd}
21791 Defaults to @samp{"SimpleIMAPSSLRetriever"}.
21795 @deftypevr {@code{getmail-retriever-configuration} parameter} string server
21796 Username to login to the mail server with.
21798 Defaults to @samp{unset}.
21802 @deftypevr {@code{getmail-retriever-configuration} parameter} string username
21803 Username to login to the mail server with.
21805 Defaults to @samp{unset}.
21809 @deftypevr {@code{getmail-retriever-configuration} parameter} non-negative-integer port
21810 Port number to connect to.
21812 Defaults to @samp{#f}.
21816 @deftypevr {@code{getmail-retriever-configuration} parameter} string password
21817 Override fields from passwd.
21819 Defaults to @samp{""}.
21823 @deftypevr {@code{getmail-retriever-configuration} parameter} list password-command
21824 Override fields from passwd.
21826 Defaults to @samp{()}.
21830 @deftypevr {@code{getmail-retriever-configuration} parameter} string keyfile
21831 PEM-formatted key file to use for the TLS negotiation.
21833 Defaults to @samp{""}.
21837 @deftypevr {@code{getmail-retriever-configuration} parameter} string certfile
21838 PEM-formatted certificate file to use for the TLS negotiation.
21840 Defaults to @samp{""}.
21844 @deftypevr {@code{getmail-retriever-configuration} parameter} string ca-certs
21845 CA certificates to use.
21847 Defaults to @samp{""}.
21851 @deftypevr {@code{getmail-retriever-configuration} parameter} parameter-alist extra-parameters
21852 Extra retriever parameters.
21854 Defaults to @samp{()}.
21860 @deftypevr {@code{getmail-configuration-file} parameter} getmail-destination-configuration destination
21861 What to do with retrieved messages.
21863 Available @code{getmail-destination-configuration} fields are:
21865 @deftypevr {@code{getmail-destination-configuration} parameter} string type
21866 The type of mail destination. Valid values include @samp{Maildir},
21867 @samp{Mboxrd} and @samp{MDA_external}.
21869 Defaults to @samp{unset}.
21873 @deftypevr {@code{getmail-destination-configuration} parameter} string-or-filelike path
21874 The path option for the mail destination. The behaviour depends on the
21877 Defaults to @samp{""}.
21881 @deftypevr {@code{getmail-destination-configuration} parameter} parameter-alist extra-parameters
21882 Extra destination parameters
21884 Defaults to @samp{()}.
21890 @deftypevr {@code{getmail-configuration-file} parameter} getmail-options-configuration options
21893 Available @code{getmail-options-configuration} fields are:
21895 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer verbose
21896 If set to @samp{0}, getmail will only print warnings and errors. A
21897 value of @samp{1} means that messages will be printed about retrieving
21898 and deleting messages. If set to @samp{2}, getmail will print messages
21899 about each of its actions.
21901 Defaults to @samp{1}.
21905 @deftypevr {@code{getmail-options-configuration} parameter} boolean read-all
21906 If true, getmail will retrieve all available messages. Otherwise it
21907 will only retrieve messages it hasn't seen previously.
21909 Defaults to @samp{#t}.
21913 @deftypevr {@code{getmail-options-configuration} parameter} boolean delete
21914 If set to true, messages will be deleted from the server after
21915 retrieving and successfully delivering them. Otherwise, messages will
21916 be left on the server.
21918 Defaults to @samp{#f}.
21922 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer delete-after
21923 Getmail will delete messages this number of days after seeing them, if
21924 they have been delivered. This means messages will be left on the
21925 server this number of days after delivering them. A value of @samp{0}
21926 disabled this feature.
21928 Defaults to @samp{0}.
21932 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer delete-bigger-than
21933 Delete messages larger than this of bytes after retrieving them, even if
21934 the delete and delete-after options are disabled. A value of @samp{0}
21935 disables this feature.
21937 Defaults to @samp{0}.
21941 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer max-bytes-per-session
21942 Retrieve messages totalling up to this number of bytes before closing
21943 the session with the server. A value of @samp{0} disables this feature.
21945 Defaults to @samp{0}.
21949 @deftypevr {@code{getmail-options-configuration} parameter} non-negative-integer max-message-size
21950 Don't retrieve messages larger than this number of bytes. A value of
21951 @samp{0} disables this feature.
21953 Defaults to @samp{0}.
21957 @deftypevr {@code{getmail-options-configuration} parameter} boolean delivered-to
21958 If true, getmail will add a Delivered-To header to messages.
21960 Defaults to @samp{#t}.
21964 @deftypevr {@code{getmail-options-configuration} parameter} boolean received
21965 If set, getmail adds a Received header to the messages.
21967 Defaults to @samp{#t}.
21971 @deftypevr {@code{getmail-options-configuration} parameter} string message-log
21972 Getmail will record a log of its actions to the named file. A value of
21973 @samp{""} disables this feature.
21975 Defaults to @samp{""}.
21979 @deftypevr {@code{getmail-options-configuration} parameter} boolean message-log-syslog
21980 If true, getmail will record a log of its actions using the system
21983 Defaults to @samp{#f}.
21987 @deftypevr {@code{getmail-options-configuration} parameter} boolean message-log-verbose
21988 If true, getmail will log information about messages not retrieved and
21989 the reason for not retrieving them, as well as starting and ending
21992 Defaults to @samp{#f}.
21996 @deftypevr {@code{getmail-options-configuration} parameter} parameter-alist extra-parameters
21997 Extra options to include.
21999 Defaults to @samp{()}.
22007 @deftypevr {@code{getmail-configuration} parameter} list idle
22008 A list of mailboxes that getmail should wait on the server for new mail
22009 notifications. This depends on the server supporting the IDLE
22012 Defaults to @samp{()}.
22016 @deftypevr {@code{getmail-configuration} parameter} list environment-variables
22017 Environment variables to set for getmail.
22019 Defaults to @samp{()}.
22023 @subsubheading Mail Aliases Service
22025 @cindex email aliases
22026 @cindex aliases, for email addresses
22028 @deffn {Scheme Variable} mail-aliases-service-type
22029 This is the type of the service which provides @code{/etc/aliases},
22030 specifying how to deliver mail to users on this system.
22033 (service mail-aliases-service-type
22034 '(("postmaster" "bob")
22035 ("bob" "bob@@example.com" "bob@@example2.com")))
22039 The configuration for a @code{mail-aliases-service-type} service is an
22040 association list denoting how to deliver mail that comes to this
22041 system. Each entry is of the form @code{(alias addresses ...)}, with
22042 @code{alias} specifying the local alias and @code{addresses} specifying
22043 where to deliver this user's mail.
22045 The aliases aren't required to exist as users on the local system. In
22046 the above example, there doesn't need to be a @code{postmaster} entry in
22047 the @code{operating-system}'s @code{user-accounts} in order to deliver
22048 the @code{postmaster} mail to @code{bob} (which subsequently would
22049 deliver mail to @code{bob@@example.com} and @code{bob@@example2.com}).
22051 @subsubheading GNU Mailutils IMAP4 Daemon
22052 @cindex GNU Mailutils IMAP4 Daemon
22054 @deffn {Scheme Variable} imap4d-service-type
22055 This is the type of the GNU Mailutils IMAP4 Daemon (@pxref{imap4d,,,
22056 mailutils, GNU Mailutils Manual}), whose value should be an
22057 @code{imap4d-configuration} object as in this example:
22060 (service imap4d-service-type
22061 (imap4d-configuration
22062 (config-file (local-file "imap4d.conf"))))
22066 @deftp {Data Type} imap4d-configuration
22067 Data type representing the configuration of @command{imap4d}.
22070 @item @code{package} (default: @code{mailutils})
22071 The package that provides @command{imap4d}.
22073 @item @code{config-file} (default: @code{%default-imap4d-config-file})
22074 File-like object of the configuration file to use, by default it will listen
22075 on TCP port 143 of @code{localhost}. @xref{Conf-imap4d,,, mailutils, GNU
22076 Mailutils Manual}, for details.
22081 @subsubheading Radicale Service
22085 @deffn {Scheme Variable} radicale-service-type
22086 This is the type of the @uref{https://radicale.org, Radicale} CalDAV/CardDAV
22087 server whose value should be a @code{radicale-configuration}.
22090 @deftp {Data Type} radicale-configuration
22091 Data type representing the configuration of @command{radicale}.
22094 @item @code{package} (default: @code{radicale})
22095 The package that provides @command{radicale}.
22097 @item @code{config-file} (default: @code{%default-radicale-config-file})
22098 File-like object of the configuration file to use, by default it will listen
22099 on TCP port 5232 of @code{localhost} and use the @code{htpasswd} file at
22100 @file{/var/lib/radicale/users} with no (@code{plain}) encryption.
22105 @node Messaging Services
22106 @subsection Messaging Services
22111 The @code{(gnu services messaging)} module provides Guix service
22112 definitions for messaging services. Currently it provides the following
22115 @subsubheading Prosody Service
22117 @deffn {Scheme Variable} prosody-service-type
22118 This is the type for the @uref{https://prosody.im, Prosody XMPP
22119 communication server}. Its value must be a @code{prosody-configuration}
22120 record as in this example:
22123 (service prosody-service-type
22124 (prosody-configuration
22125 (modules-enabled (cons* "groups" "mam" %default-modules-enabled))
22128 (int-component-configuration
22129 (hostname "conference.example.net")
22131 (mod-muc (mod-muc-configuration)))))
22134 (virtualhost-configuration
22135 (domain "example.net"))))))
22138 See below for details about @code{prosody-configuration}.
22142 By default, Prosody does not need much configuration. Only one
22143 @code{virtualhosts} field is needed: it specifies the domain you wish
22146 You can perform various sanity checks on the generated configuration
22147 with the @code{prosodyctl check} command.
22149 Prosodyctl will also help you to import certificates from the
22150 @code{letsencrypt} directory so that the @code{prosody} user can access
22151 them. See @url{https://prosody.im/doc/letsencrypt}.
22154 prosodyctl --root cert import /etc/letsencrypt/live
22157 The available configuration parameters follow. Each parameter
22158 definition is preceded by its type; for example, @samp{string-list foo}
22159 indicates that the @code{foo} parameter should be specified as a list of
22160 strings. Types starting with @code{maybe-} denote parameters that won't
22161 show up in @code{prosody.cfg.lua} when their value is @code{'disabled}.
22163 There is also a way to specify the configuration as a string, if you
22164 have an old @code{prosody.cfg.lua} file that you want to port over from
22165 some other system; see the end for more details.
22167 The @code{file-object} type designates either a file-like object
22168 (@pxref{G-Expressions, file-like objects}) or a file name.
22170 @c The following documentation was initially generated by
22171 @c (generate-documentation) in (gnu services messaging). Manually maintained
22172 @c documentation is better, so we shouldn't hesitate to edit below as
22173 @c needed. However if the change you want to make to this documentation
22174 @c can be done in an automated way, it's probably easier to change
22175 @c (generate-documentation) than to make it below and have to deal with
22176 @c the churn as Prosody updates.
22178 Available @code{prosody-configuration} fields are:
22180 @deftypevr {@code{prosody-configuration} parameter} package prosody
22181 The Prosody package.
22184 @deftypevr {@code{prosody-configuration} parameter} file-name data-path
22185 Location of the Prosody data storage directory. See
22186 @url{https://prosody.im/doc/configure}.
22187 Defaults to @samp{"/var/lib/prosody"}.
22190 @deftypevr {@code{prosody-configuration} parameter} file-object-list plugin-paths
22191 Additional plugin directories. They are searched in all the specified
22192 paths in order. See @url{https://prosody.im/doc/plugins_directory}.
22193 Defaults to @samp{()}.
22196 @deftypevr {@code{prosody-configuration} parameter} file-name certificates
22197 Every virtual host and component needs a certificate so that clients and
22198 servers can securely verify its identity. Prosody will automatically load
22199 certificates/keys from the directory specified here.
22200 Defaults to @samp{"/etc/prosody/certs"}.
22203 @deftypevr {@code{prosody-configuration} parameter} string-list admins
22204 This is a list of accounts that are admins for the server. Note that you
22205 must create the accounts separately. See @url{https://prosody.im/doc/admins} and
22206 @url{https://prosody.im/doc/creating_accounts}.
22207 Example: @code{(admins '("user1@@example.com" "user2@@example.net"))}
22208 Defaults to @samp{()}.
22211 @deftypevr {@code{prosody-configuration} parameter} boolean use-libevent?
22212 Enable use of libevent for better performance under high load. See
22213 @url{https://prosody.im/doc/libevent}.
22214 Defaults to @samp{#f}.
22217 @deftypevr {@code{prosody-configuration} parameter} module-list modules-enabled
22218 This is the list of modules Prosody will load on startup. It looks for
22219 @code{mod_modulename.lua} in the plugins folder, so make sure that exists too.
22220 Documentation on modules can be found at:
22221 @url{https://prosody.im/doc/modules}.
22222 Defaults to @samp{("roster" "saslauth" "tls" "dialback" "disco" "carbons" "private" "blocklist" "vcard" "version" "uptime" "time" "ping" "pep" "register" "admin_adhoc")}.
22225 @deftypevr {@code{prosody-configuration} parameter} string-list modules-disabled
22226 @samp{"offline"}, @samp{"c2s"} and @samp{"s2s"} are auto-loaded, but
22227 should you want to disable them then add them to this list.
22228 Defaults to @samp{()}.
22231 @deftypevr {@code{prosody-configuration} parameter} file-object groups-file
22232 Path to a text file where the shared groups are defined. If this path is
22233 empty then @samp{mod_groups} does nothing. See
22234 @url{https://prosody.im/doc/modules/mod_groups}.
22235 Defaults to @samp{"/var/lib/prosody/sharedgroups.txt"}.
22238 @deftypevr {@code{prosody-configuration} parameter} boolean allow-registration?
22239 Disable account creation by default, for security. See
22240 @url{https://prosody.im/doc/creating_accounts}.
22241 Defaults to @samp{#f}.
22244 @deftypevr {@code{prosody-configuration} parameter} maybe-ssl-configuration ssl
22245 These are the SSL/TLS-related settings. Most of them are disabled so to
22246 use Prosody's defaults. If you do not completely understand these options, do
22247 not add them to your config, it is easy to lower the security of your server
22248 using them. See @url{https://prosody.im/doc/advanced_ssl_config}.
22250 Available @code{ssl-configuration} fields are:
22252 @deftypevr {@code{ssl-configuration} parameter} maybe-string protocol
22253 This determines what handshake to use.
22256 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name key
22257 Path to your private key file.
22260 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name certificate
22261 Path to your certificate file.
22264 @deftypevr {@code{ssl-configuration} parameter} file-object capath
22265 Path to directory containing root certificates that you wish Prosody to
22266 trust when verifying the certificates of remote servers.
22267 Defaults to @samp{"/etc/ssl/certs"}.
22270 @deftypevr {@code{ssl-configuration} parameter} maybe-file-object cafile
22271 Path to a file containing root certificates that you wish Prosody to trust.
22272 Similar to @code{capath} but with all certificates concatenated together.
22275 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verify
22276 A list of verification options (these mostly map to OpenSSL's
22277 @code{set_verify()} flags).
22280 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list options
22281 A list of general options relating to SSL/TLS@. These map to OpenSSL's
22282 @code{set_options()}. For a full list of options available in LuaSec, see the
22286 @deftypevr {@code{ssl-configuration} parameter} maybe-non-negative-integer depth
22287 How long a chain of certificate authorities to check when looking for a
22288 trusted root certificate.
22291 @deftypevr {@code{ssl-configuration} parameter} maybe-string ciphers
22292 An OpenSSL cipher string. This selects what ciphers Prosody will offer to
22293 clients, and in what order.
22296 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name dhparam
22297 A path to a file containing parameters for Diffie-Hellman key exchange. You
22298 can create such a file with:
22299 @code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048}
22302 @deftypevr {@code{ssl-configuration} parameter} maybe-string curve
22303 Curve for Elliptic curve Diffie-Hellman. Prosody's default is
22304 @samp{"secp384r1"}.
22307 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verifyext
22308 A list of ``extra'' verification options.
22311 @deftypevr {@code{ssl-configuration} parameter} maybe-string password
22312 Password for encrypted private keys.
22317 @deftypevr {@code{prosody-configuration} parameter} boolean c2s-require-encryption?
22318 Whether to force all client-to-server connections to be encrypted or not.
22319 See @url{https://prosody.im/doc/modules/mod_tls}.
22320 Defaults to @samp{#f}.
22323 @deftypevr {@code{prosody-configuration} parameter} string-list disable-sasl-mechanisms
22324 Set of mechanisms that will never be offered. See
22325 @url{https://prosody.im/doc/modules/mod_saslauth}.
22326 Defaults to @samp{("DIGEST-MD5")}.
22329 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption?
22330 Whether to force all server-to-server connections to be encrypted or not.
22331 See @url{https://prosody.im/doc/modules/mod_tls}.
22332 Defaults to @samp{#f}.
22335 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-secure-auth?
22336 Whether to require encryption and certificate authentication. This
22337 provides ideal security, but requires servers you communicate with to support
22338 encryption AND present valid, trusted certificates. See
22339 @url{https://prosody.im/doc/s2s#security}.
22340 Defaults to @samp{#f}.
22343 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-insecure-domains
22344 Many servers don't support encryption or have invalid or self-signed
22345 certificates. You can list domains here that will not be required to
22346 authenticate using certificates. They will be authenticated using DNS@. See
22347 @url{https://prosody.im/doc/s2s#security}.
22348 Defaults to @samp{()}.
22351 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-secure-domains
22352 Even if you leave @code{s2s-secure-auth?} disabled, you can still require
22353 valid certificates for some domains by specifying a list here. See
22354 @url{https://prosody.im/doc/s2s#security}.
22355 Defaults to @samp{()}.
22358 @deftypevr {@code{prosody-configuration} parameter} string authentication
22359 Select the authentication backend to use. The default provider stores
22360 passwords in plaintext and uses Prosody's configured data storage to store the
22361 authentication data. If you do not trust your server please see
22362 @url{https://prosody.im/doc/modules/mod_auth_internal_hashed} for information
22363 about using the hashed backend. See also
22364 @url{https://prosody.im/doc/authentication}
22365 Defaults to @samp{"internal_plain"}.
22368 @deftypevr {@code{prosody-configuration} parameter} maybe-string log
22369 Set logging options. Advanced logging configuration is not yet supported
22370 by the Prosody service. See @url{https://prosody.im/doc/logging}.
22371 Defaults to @samp{"*syslog"}.
22374 @deftypevr {@code{prosody-configuration} parameter} file-name pidfile
22375 File to write pid in. See @url{https://prosody.im/doc/modules/mod_posix}.
22376 Defaults to @samp{"/var/run/prosody/prosody.pid"}.
22379 @deftypevr {@code{prosody-configuration} parameter} maybe-non-negative-integer http-max-content-size
22380 Maximum allowed size of the HTTP body (in bytes).
22383 @deftypevr {@code{prosody-configuration} parameter} maybe-string http-external-url
22384 Some modules expose their own URL in various ways. This URL is built
22385 from the protocol, host and port used. If Prosody sits behind a proxy, the
22386 public URL will be @code{http-external-url} instead. See
22387 @url{https://prosody.im/doc/http#external_url}.
22390 @deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts
22391 A host in Prosody is a domain on which user accounts can be created. For
22392 example if you want your users to have addresses like
22393 @samp{"john.smith@@example.com"} then you need to add a host
22394 @samp{"example.com"}. All options in this list will apply only to this host.
22396 Note: the name @emph{virtual} host is used in configuration to avoid confusion with
22397 the actual physical host that Prosody is installed on. A single Prosody
22398 instance can serve many domains, each one defined as a VirtualHost entry in
22399 Prosody's configuration. Conversely a server that hosts a single domain would
22400 have just one VirtualHost entry.
22402 See @url{https://prosody.im/doc/configure#virtual_host_settings}.
22404 Available @code{virtualhost-configuration} fields are:
22406 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22407 @deftypevr {@code{virtualhost-configuration} parameter} string domain
22408 Domain you wish Prosody to serve.
22413 @deftypevr {@code{prosody-configuration} parameter} int-component-configuration-list int-components
22414 Components are extra services on a server which are available to clients,
22415 usually on a subdomain of the main server (such as
22416 @samp{"mycomponent.example.com"}). Example components might be chatroom
22417 servers, user directories, or gateways to other protocols.
22419 Internal components are implemented with Prosody-specific plugins. To add an
22420 internal component, you simply fill the hostname field, and the plugin you wish
22421 to use for the component.
22423 See @url{https://prosody.im/doc/components}.
22424 Defaults to @samp{()}.
22426 Available @code{int-component-configuration} fields are:
22428 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22429 @deftypevr {@code{int-component-configuration} parameter} string hostname
22430 Hostname of the component.
22433 @deftypevr {@code{int-component-configuration} parameter} string plugin
22434 Plugin you wish to use for the component.
22437 @deftypevr {@code{int-component-configuration} parameter} maybe-mod-muc-configuration mod-muc
22438 Multi-user chat (MUC) is Prosody's module for allowing you to create
22439 hosted chatrooms/conferences for XMPP users.
22441 General information on setting up and using multi-user chatrooms can be found
22442 in the ``Chatrooms'' documentation (@url{https://prosody.im/doc/chatrooms}),
22443 which you should read if you are new to XMPP chatrooms.
22445 See also @url{https://prosody.im/doc/modules/mod_muc}.
22447 Available @code{mod-muc-configuration} fields are:
22449 @deftypevr {@code{mod-muc-configuration} parameter} string name
22450 The name to return in service discovery responses.
22451 Defaults to @samp{"Prosody Chatrooms"}.
22454 @deftypevr {@code{mod-muc-configuration} parameter} string-or-boolean restrict-room-creation
22455 If @samp{#t}, this will only allow admins to create new chatrooms.
22456 Otherwise anyone can create a room. The value @samp{"local"} restricts room
22457 creation to users on the service's parent domain. E.g.@: @samp{user@@example.com}
22458 can create rooms on @samp{rooms.example.com}. The value @samp{"admin"}
22459 restricts to service administrators only.
22460 Defaults to @samp{#f}.
22463 @deftypevr {@code{mod-muc-configuration} parameter} non-negative-integer max-history-messages
22464 Maximum number of history messages that will be sent to the member that has
22465 just joined the room.
22466 Defaults to @samp{20}.
22473 @deftypevr {@code{prosody-configuration} parameter} ext-component-configuration-list ext-components
22474 External components use XEP-0114, which most standalone components
22475 support. To add an external component, you simply fill the hostname field. See
22476 @url{https://prosody.im/doc/components}.
22477 Defaults to @samp{()}.
22479 Available @code{ext-component-configuration} fields are:
22481 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
22482 @deftypevr {@code{ext-component-configuration} parameter} string component-secret
22483 Password which the component will use to log in.
22486 @deftypevr {@code{ext-component-configuration} parameter} string hostname
22487 Hostname of the component.
22492 @deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports
22493 Port(s) Prosody listens on for component connections.
22494 Defaults to @samp{(5347)}.
22497 @deftypevr {@code{prosody-configuration} parameter} string component-interface
22498 Interface Prosody listens on for component connections.
22499 Defaults to @samp{"127.0.0.1"}.
22502 @deftypevr {@code{prosody-configuration} parameter} maybe-raw-content raw-content
22503 Raw content that will be added to the configuration file.
22506 It could be that you just want to get a @code{prosody.cfg.lua}
22507 up and running. In that case, you can pass an
22508 @code{opaque-prosody-configuration} record as the value of
22509 @code{prosody-service-type}. As its name indicates, an opaque configuration
22510 does not have easy reflective capabilities.
22511 Available @code{opaque-prosody-configuration} fields are:
22513 @deftypevr {@code{opaque-prosody-configuration} parameter} package prosody
22514 The prosody package.
22517 @deftypevr {@code{opaque-prosody-configuration} parameter} string prosody.cfg.lua
22518 The contents of the @code{prosody.cfg.lua} to use.
22521 For example, if your @code{prosody.cfg.lua} is just the empty
22522 string, you could instantiate a prosody service like this:
22525 (service prosody-service-type
22526 (opaque-prosody-configuration
22527 (prosody.cfg.lua "")))
22530 @c end of Prosody auto-generated documentation
22532 @subsubheading BitlBee Service
22534 @cindex IRC (Internet Relay Chat)
22535 @cindex IRC gateway
22536 @url{https://bitlbee.org,BitlBee} is a gateway that provides an IRC
22537 interface to a variety of messaging protocols such as XMPP.
22539 @defvr {Scheme Variable} bitlbee-service-type
22540 This is the service type for the @url{https://bitlbee.org,BitlBee} IRC
22541 gateway daemon. Its value is a @code{bitlbee-configuration} (see
22544 To have BitlBee listen on port 6667 on localhost, add this line to your
22548 (service bitlbee-service-type)
22552 @deftp {Data Type} bitlbee-configuration
22553 This is the configuration for BitlBee, with the following fields:
22556 @item @code{interface} (default: @code{"127.0.0.1"})
22557 @itemx @code{port} (default: @code{6667})
22558 Listen on the network interface corresponding to the IP address
22559 specified in @var{interface}, on @var{port}.
22561 When @var{interface} is @code{127.0.0.1}, only local clients can
22562 connect; when it is @code{0.0.0.0}, connections can come from any
22563 networking interface.
22565 @item @code{bitlbee} (default: @code{bitlbee})
22566 The BitlBee package to use.
22568 @item @code{plugins} (default: @code{'()})
22569 List of plugin packages to use---e.g., @code{bitlbee-discord}.
22571 @item @code{extra-settings} (default: @code{""})
22572 Configuration snippet added as-is to the BitlBee configuration file.
22576 @subsubheading Quassel Service
22578 @cindex IRC (Internet Relay Chat)
22579 @url{https://quassel-irc.org/,Quassel} is a distributed IRC client,
22580 meaning that one or more clients can attach to and detach from the
22583 @defvr {Scheme Variable} quassel-service-type
22584 This is the service type for the @url{https://quassel-irc.org/,Quassel}
22585 IRC backend daemon. Its value is a @code{quassel-configuration}
22589 @deftp {Data Type} quassel-configuration
22590 This is the configuration for Quassel, with the following fields:
22593 @item @code{quassel} (default: @code{quassel})
22594 The Quassel package to use.
22596 @item @code{interface} (default: @code{"::,0.0.0.0"})
22597 @item @code{port} (default: @code{4242})
22598 Listen on the network interface(s) corresponding to the IPv4 or IPv6
22599 interfaces specified in the comma delimited @var{interface}, on
22602 @item @code{loglevel} (default: @code{"Info"})
22603 The level of logging desired. Accepted values are Debug, Info, Warning
22608 @node Telephony Services
22609 @subsection Telephony Services
22611 @cindex telephony, services
22612 The @code{(gnu services telephony)} module contains Guix service
22613 definitions for telephony services. Currently it provides the following
22616 @subsubheading Jami
22618 @cindex jami, service
22620 This section describes how to configure a Jami server that can be used
22621 to host video (or audio) conferences, among other uses. The following
22622 example demonstrates how to specify Jami account archives (backups) to
22623 be provisioned automatically:
22626 (service jami-service-type
22627 (jami-configuration
22629 (list (jami-account
22630 (archive "/etc/jami/unencrypted-account-1.gz"))
22632 (archive "/etc/jami/unencrypted-account-2.gz"))))))
22635 When the accounts field is specified, the Jami account files of the
22636 service found under @file{/var/lib/jami} are recreated every time the
22639 Jami accounts and their corresponding backup archives can be generated
22640 using either the @code{jami-qt} or @code{jami-gnome} Jami clients. The
22641 accounts should not be password-protected, but it is wise to ensure
22642 their files are only readable by @samp{root}.
22644 The next example shows how to declare that only some contacts should be
22645 allowed to communicate with a given account:
22648 (service jami-service-type
22649 (jami-configuration
22651 (list (jami-account
22652 (archive "/etc/jami/unencrypted-account-1.gz")
22653 (peer-discovery? #t)
22654 (rendezvous-point? #t)
22656 '("1dbcb0f5f37324228235564b79f2b9737e9a008f"
22657 "2dbcb0f5f37324228235564b79f2b9737e9a008f")))))))
22660 In this mode, only the declared @code{allowed-contacts} can initiate
22661 communication with the Jami account. This can be used, for example,
22662 with rendezvous point accounts to create a private video conferencing
22665 To put the system administrator in full control of the conferences
22666 hosted on their system, the Jami service supports the following actions:
22669 # herd doc jami list-actions
22671 list-account-details
22672 list-banned-contacts
22681 The above actions aim to provide the most valuable actions for
22682 moderation purposes, not to cover the whole Jami API. Users wanting to
22683 interact with the Jami daemon from Guile may be interested in
22684 experimenting with the @code{(gnu build jami-service)} module, which
22685 powers the above Shepherd actions.
22687 @c TODO: This should be auto-generated from the doc already defined on
22688 @c the shepherd-actions themselves in (gnu services telephony).
22689 The @code{add-moderator} and @code{ban-contact} actions accept a contact
22690 @emph{fingerprint} (40 characters long hash) as first argument and an
22691 account fingerprint or username as second argument:
22694 # herd add-moderator jami 1dbcb0f5f37324228235564b79f2b9737e9a008f \
22695 f3345f2775ddfe07a4b0d95daea111d15fbc1199
22697 # herd list-moderators jami
22698 Moderators for account f3345f2775ddfe07a4b0d95daea111d15fbc1199:
22699 - 1dbcb0f5f37324228235564b79f2b9737e9a008f
22703 In the case of @code{ban-contact}, the second username argument is
22704 optional; when omitted, the account is banned from all Jami accounts:
22707 # herd ban-contact jami 1dbcb0f5f37324228235564b79f2b9737e9a008f
22709 # herd list-banned-contacts jami
22710 Banned contacts for account f3345f2775ddfe07a4b0d95daea111d15fbc1199:
22711 - 1dbcb0f5f37324228235564b79f2b9737e9a008f
22715 Banned contacts are also stripped from their moderation privileges.
22717 The @code{disable-account} action allows to completely disconnect an
22718 account from the network, making it unreachable, while
22719 @code{enable-account} does the inverse. They accept a single account
22720 username or fingerprint as first argument:
22723 # herd disable-account jami f3345f2775ddfe07a4b0d95daea111d15fbc1199
22725 # herd list-accounts jami
22726 The following Jami accounts are available:
22727 - f3345f2775ddfe07a4b0d95daea111d15fbc1199 (dummy) [disabled]
22731 The @code{list-account-details} action prints the detailed parameters of
22732 each accounts in the Recutils format, which means the @command{recsel}
22733 command can be used to select accounts of interest (@pxref{Selection
22734 Expressions,,,recutils, GNU recutils manual}). Note that period
22735 characters (@samp{.}) found in the account parameter keys are mapped to
22736 underscores (@samp{_}) in the output, to meet the requirements of the
22737 Recutils format. The following example shows how to print the account
22738 fingerprints for all accounts operating in the rendezvous point mode:
22741 # herd list-account-details jami | \
22742 recsel -p Account.username -e 'Account.rendezVous ~ "true"'
22743 Account_username: f3345f2775ddfe07a4b0d95daea111d15fbc1199
22746 The remaining actions should be self-explanatory.
22748 The complete set of available configuration options is detailed below.
22750 @c TODO: Ideally, the following fragments would be auto-generated at
22751 @c build time, so that they needn't be manually duplicated.
22752 @c Auto-generated via (configuration->documentation 'jami-configuration)
22753 @deftp {Data Type} jami-configuration
22754 Available @code{jami-configuration} fields are:
22757 @item @code{jamid} (default: @code{libring}) (type: package)
22758 The Jami daemon package to use.
22760 @item @code{dbus} (default: @code{dbus}) (type: package)
22761 The D-Bus package to use to start the required D-Bus session.
22763 @item @code{nss-certs} (default: @code{nss-certs}) (type: package)
22764 The nss-certs package to use to provide TLS certificates.
22766 @item @code{enable-logging?} (default: @code{#t}) (type: boolean)
22767 Whether to enable logging to syslog.
22769 @item @code{debug?} (default: @code{#f}) (type: boolean)
22770 Whether to enable debug level messages.
22772 @item @code{auto-answer?} (default: @code{#f}) (type: boolean)
22773 Whether to force automatic answer to incoming calls.
22775 @item @code{accounts} (default: @code{disabled}) (type: maybe-jami-account-list)
22776 A list of Jami accounts to be (re-)provisioned every time the Jami
22777 daemon service starts. When providing this field, the account
22778 directories under @file{/var/lib/jami/} are recreated every time the
22779 service starts, ensuring a consistent state.
22785 @c Auto-generated via (configuration->documentation 'jami-account)
22786 @deftp {Data Type} jami-account
22787 Available @code{jami-account} fields are:
22790 @item @code{archive} (type: string-or-computed-file)
22791 The account archive (backup) file name of the account. This is used to
22792 provision the account when the service starts. The account archive
22793 should @emph{not} be encrypted. It is highly recommended to make it
22794 readable only to the @samp{root} user (i.e., not in the store), to guard
22795 against leaking the secret key material of the Jami account it contains.
22797 @item @code{allowed-contacts} (default: @code{disabled}) (type: maybe-account-fingerprint-list)
22798 The list of allowed contacts for the account, entered as their 40
22799 characters long fingerprint. Messages or calls from accounts not in
22800 that list will be rejected. When unspecified, the configuration of the
22801 account archive is used as-is with respect to contacts and public
22802 inbound calls/messaging allowance, which typically defaults to allow any
22803 contact to communicate with the account.
22805 @item @code{moderators} (default: @code{disabled}) (type: maybe-account-fingerprint-list)
22806 The list of contacts that should have moderation privileges (to ban,
22807 mute, etc. other users) in rendezvous conferences, entered as their 40
22808 characters long fingerprint. When unspecified, the configuration of the
22809 account archive is used as-is with respect to moderation, which
22810 typically defaults to allow anyone to moderate.
22812 @item @code{rendezvous-point?} (default: @code{disabled}) (type: maybe-boolean)
22813 Whether the account should operate in the rendezvous mode. In this
22814 mode, all the incoming audio/video calls are mixed into a conference.
22815 When left unspecified, the value from the account archive prevails.
22817 @item @code{peer-discovery?} (default: @code{disabled}) (type: maybe-boolean)
22818 Whether peer discovery should be enabled. Peer discovery is used to
22819 discover other OpenDHT nodes on the local network, which can be useful
22820 to maintain communication between devices on such network even when the
22821 connection to the the Internet has been lost. When left unspecified,
22822 the value from the account archive prevails.
22824 @item @code{bootstrap-hostnames} (default: @code{disabled}) (type: maybe-string-list)
22825 A list of hostnames or IPs pointing to OpenDHT nodes, that should be
22826 used to initially join the OpenDHT network. When left unspecified, the
22827 value from the account archive prevails.
22829 @item @code{name-server-uri} (default: @code{disabled}) (type: maybe-string)
22830 The URI of the name server to use, that can be used to retrieve the
22831 account fingerprint for a registered username.
22837 @subsubheading Murmur (VoIP server)
22839 @cindex Murmur (VoIP server)
22840 @cindex VoIP server
22841 This section describes how to set up and run a Murmur server. Murmur is
22842 the server of the @uref{https://mumble.info, Mumble} voice-over-IP
22845 @deftp {Data Type} murmur-configuration
22846 The service type for the Murmur server. An example configuration can
22850 (service murmur-service-type
22851 (murmur-configuration
22853 "Welcome to this Mumble server running on Guix!")
22854 (cert-required? #t) ;disallow text password logins
22855 (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
22856 (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
22859 After reconfiguring your system, you can manually set the murmur @code{SuperUser}
22860 password with the command that is printed during the activation phase.
22862 It is recommended to register a normal Mumble user account
22863 and grant it admin or moderator rights.
22864 You can use the @code{mumble} client to
22865 login as new normal user, register yourself, and log out.
22866 For the next step login with the name @code{SuperUser} use
22867 the @code{SuperUser} password that you set previously,
22868 and grant your newly registered mumble user administrator or moderator
22869 rights and create some channels.
22871 Available @code{murmur-configuration} fields are:
22874 @item @code{package} (default: @code{mumble})
22875 Package that contains @code{bin/murmurd}.
22877 @item @code{user} (default: @code{"murmur"})
22878 User who will run the Murmur server.
22880 @item @code{group} (default: @code{"murmur"})
22881 Group of the user who will run the murmur server.
22883 @item @code{port} (default: @code{64738})
22884 Port on which the server will listen.
22886 @item @code{welcome-text} (default: @code{""})
22887 Welcome text sent to clients when they connect.
22889 @item @code{server-password} (default: @code{""})
22890 Password the clients have to enter in order to connect.
22892 @item @code{max-users} (default: @code{100})
22893 Maximum of users that can be connected to the server at once.
22895 @item @code{max-user-bandwidth} (default: @code{#f})
22896 Maximum voice traffic a user can send per second.
22898 @item @code{database-file} (default: @code{"/var/lib/murmur/db.sqlite"})
22899 File name of the sqlite database.
22900 The service's user will become the owner of the directory.
22902 @item @code{log-file} (default: @code{"/var/log/murmur/murmur.log"})
22903 File name of the log file.
22904 The service's user will become the owner of the directory.
22906 @item @code{autoban-attempts} (default: @code{10})
22907 Maximum number of logins a user can make in @code{autoban-timeframe}
22908 without getting auto banned for @code{autoban-time}.
22910 @item @code{autoban-timeframe} (default: @code{120})
22911 Timeframe for autoban in seconds.
22913 @item @code{autoban-time} (default: @code{300})
22914 Amount of time in seconds for which a client gets banned
22915 when violating the autoban limits.
22917 @item @code{opus-threshold} (default: @code{100})
22918 Percentage of clients that need to support opus
22919 before switching over to opus audio codec.
22921 @item @code{channel-nesting-limit} (default: @code{10})
22922 How deep channels can be nested at maximum.
22924 @item @code{channelname-regex} (default: @code{#f})
22925 A string in form of a Qt regular expression that channel names must conform to.
22927 @item @code{username-regex} (default: @code{#f})
22928 A string in form of a Qt regular expression that user names must conform to.
22930 @item @code{text-message-length} (default: @code{5000})
22931 Maximum size in bytes that a user can send in one text chat message.
22933 @item @code{image-message-length} (default: @code{(* 128 1024)})
22934 Maximum size in bytes that a user can send in one image message.
22936 @item @code{cert-required?} (default: @code{#f})
22937 If it is set to @code{#t} clients that use weak password authentication
22938 will not be accepted. Users must have completed the certificate wizard to join.
22940 @item @code{remember-channel?} (default: @code{#f})
22941 Should murmur remember the last channel each user was in when they disconnected
22942 and put them into the remembered channel when they rejoin.
22944 @item @code{allow-html?} (default: @code{#f})
22945 Should html be allowed in text messages, user comments, and channel descriptions.
22947 @item @code{allow-ping?} (default: @code{#f})
22948 Setting to true exposes the current user count, the maximum user count, and
22949 the server's maximum bandwidth per client to unauthenticated users. In the
22950 Mumble client, this information is shown in the Connect dialog.
22952 Disabling this setting will prevent public listing of the server.
22954 @item @code{bonjour?} (default: @code{#f})
22955 Should the server advertise itself in the local network through the bonjour protocol.
22957 @item @code{send-version?} (default: @code{#f})
22958 Should the murmur server version be exposed in ping requests.
22960 @item @code{log-days} (default: @code{31})
22961 Murmur also stores logs in the database, which are accessible via RPC.
22962 The default is 31 days of months, but you can set this setting to 0 to keep logs forever,
22963 or -1 to disable logging to the database.
22965 @item @code{obfuscate-ips?} (default: @code{#t})
22966 Should logged ips be obfuscated to protect the privacy of users.
22968 @item @code{ssl-cert} (default: @code{#f})
22969 File name of the SSL/TLS certificate used for encrypted connections.
22972 (ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
22974 @item @code{ssl-key} (default: @code{#f})
22975 Filepath to the ssl private key used for encrypted connections.
22977 (ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
22980 @item @code{ssl-dh-params} (default: @code{#f})
22981 File name of a PEM-encoded file with Diffie-Hellman parameters
22982 for the SSL/TLS encryption. Alternatively you set it to
22983 @code{"@@ffdhe2048"}, @code{"@@ffdhe3072"}, @code{"@@ffdhe4096"}, @code{"@@ffdhe6144"}
22984 or @code{"@@ffdhe8192"} to use bundled parameters from RFC 7919.
22986 @item @code{ssl-ciphers} (default: @code{#f})
22987 The @code{ssl-ciphers} option chooses the cipher suites to make available for use
22990 This option is specified using
22991 @uref{https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT,
22992 OpenSSL cipher list notation}.
22994 It is recommended that you try your cipher string using 'openssl ciphers <string>'
22995 before setting it here, to get a feel for which cipher suites you will get.
22996 After setting this option, it is recommend that you inspect your Murmur log
22997 to ensure that Murmur is using the cipher suites that you expected it to.
22999 Note: Changing this option may impact the backwards compatibility of your
23000 Murmur server, and can remove the ability for older Mumble clients to be able
23003 @item @code{public-registration} (default: @code{#f})
23004 Must be a @code{<murmur-public-registration-configuration>} record or @code{#f}.
23006 You can optionally register your server in the public server list that the
23007 @code{mumble} client shows on startup.
23008 You cannot register your server if you have set a @code{server-password},
23009 or set @code{allow-ping} to @code{#f}.
23011 It might take a few hours until it shows up in the public list.
23013 @item @code{file} (default: @code{#f})
23014 Optional alternative override for this configuration.
23018 @deftp {Data Type} murmur-public-registration-configuration
23019 Configuration for public registration of a murmur service.
23023 This is a display name for your server. Not to be confused with the hostname.
23025 @item @code{password}
23026 A password to identify your registration.
23027 Subsequent updates will need the same password. Don't lose your password.
23030 This should be a @code{http://} or @code{https://} link to your web
23033 @item @code{hostname} (default: @code{#f})
23034 By default your server will be listed by its IP address.
23035 If it is set your server will be linked by this host name instead.
23041 @node File-Sharing Services
23042 @subsection File-Sharing Services
23044 The @code{(gnu services file-sharing)} module provides services that
23045 assist with transferring files over peer-to-peer file-sharing networks.
23047 @subsubheading Transmission Daemon Service
23049 @uref{https://transmissionbt.com/, Transmission} is a flexible
23050 BitTorrent client that offers a variety of graphical and command-line
23051 interfaces. A @code{transmission-daemon-service-type} service provides
23052 Transmission's headless variant, @command{transmission-daemon}, as a
23053 system service, allowing users to share files via BitTorrent even when
23054 they are not logged in.
23056 @deffn {Scheme Variable} transmission-daemon-service-type
23057 The service type for the Transmission Daemon BitTorrent client. Its
23058 value must be a @code{transmission-daemon-configuration} object as in
23062 (service transmission-daemon-service-type
23063 (transmission-daemon-configuration
23064 ;; Restrict access to the RPC ("control") interface
23065 (rpc-authentication-required? #t)
23066 (rpc-username "transmission")
23068 (transmission-password-hash
23069 "transmission" ; desired password
23070 "uKd1uMs9")) ; arbitrary salt value
23072 ;; Accept requests from this and other hosts on the
23074 (rpc-whitelist-enabled? #t)
23075 (rpc-whitelist '("::1" "127.0.0.1" "192.168.0.*"))
23077 ;; Limit bandwidth use during work hours
23078 (alt-speed-down (* 1024 2)) ; 2 MB/s
23079 (alt-speed-up 512) ; 512 kB/s
23081 (alt-speed-time-enabled? #t)
23082 (alt-speed-time-day 'weekdays)
23083 (alt-speed-time-begin
23084 (+ (* 60 8) 30)) ; 8:30 am
23085 (alt-speed-time-end
23086 (+ (* 60 (+ 12 5)) 30)))) ; 5:30 pm
23090 Once the service is started, users can interact with the daemon through
23091 its Web interface (at @code{http://localhost:9091/}) or by using the
23092 @command{transmission-remote} command-line tool, available in the
23093 @code{transmission} package. (Emacs users may want to also consider the
23094 @code{emacs-transmission} package.) Both communicate with the daemon
23095 through its remote procedure call (RPC) interface, which by default is
23096 available to all users on the system; you may wish to change this by
23097 assigning values to the @code{rpc-authentication-required?},
23098 @code{rpc-username} and @code{rpc-password} settings, as shown in the
23099 example above and documented further below.
23101 The value for @code{rpc-password} must be a password hash of the type
23102 generated and used by Transmission clients. This can be copied verbatim
23103 from an existing @file{settings.json} file, if another Transmission
23104 client is already being used. Otherwise, the
23105 @code{transmission-password-hash} and @code{transmission-random-salt}
23106 procedures provided by this module can be used to obtain a suitable hash
23109 @deffn {Scheme Procedure} transmission-password-hash @var{password} @var{salt}
23110 Returns a string containing the result of hashing @var{password}
23111 together with @var{salt}, in the format recognized by Transmission
23112 clients for their @code{rpc-password} configuration setting.
23114 @var{salt} must be an eight-character string. The
23115 @code{transmission-random-salt} procedure can be used to generate a
23116 suitable salt value at random.
23119 @deffn {Scheme Procedure} transmission-random-salt
23120 Returns a string containing a random, eight-character salt value of the
23121 type generated and used by Transmission clients, suitable for passing to
23122 the @code{transmission-password-hash} procedure.
23125 These procedures are accessible from within a Guile REPL started with
23126 the @command{guix repl} command (@pxref{Invoking guix repl}). This is
23127 useful for obtaining a random salt value to provide as the second
23128 parameter to `transmission-password-hash`, as in this example session:
23132 scheme@@(guix-user)> ,use (gnu services file-sharing)
23133 scheme@@(guix-user)> (transmission-random-salt)
23137 Alternatively, a complete password hash can generated in a single step:
23140 scheme@@(guix-user)> (transmission-password-hash "transmission"
23141 (transmission-random-salt))
23142 $2 = "@{c8bbc6d1740cd8dc819a6e25563b67812c1c19c9VtFPfdsX"
23145 The resulting string can be used as-is for the value of
23146 @code{rpc-password}, allowing the password to be kept hidden even in the
23147 operating-system configuration.
23149 Torrent files downloaded by the daemon are directly accessible only to
23150 users in the ``transmission'' user group, who receive read-only access
23151 to the directory specified by the @code{download-dir} configuration
23152 setting (and also the directory specified by @code{incomplete-dir}, if
23153 @code{incomplete-dir-enabled?} is @code{#t}). Downloaded files can be
23154 moved to another directory or deleted altogether using
23155 @command{transmission-remote} with its @code{--move} and
23156 @code{--remove-and-delete} options.
23158 If the @code{watch-dir-enabled?} setting is set to @code{#t}, users in
23159 the ``transmission'' group are able also to place @file{.torrent} files
23160 in the directory specified by @code{watch-dir} to have the corresponding
23161 torrents added by the daemon. (The @code{trash-original-torrent-files?}
23162 setting controls whether the daemon deletes these files after processing
23165 Some of the daemon's configuration settings can be changed temporarily
23166 by @command{transmission-remote} and similar tools. To undo these
23167 changes, use the service's @code{reload} action to have the daemon
23168 reload its settings from disk:
23171 # herd reload transmission-daemon
23174 The full set of available configuration settings is defined by the
23175 @code{transmission-daemon-configuration} data type.
23177 @deftp {Data Type} transmission-daemon-configuration
23178 The data type representing configuration settings for Transmission
23179 Daemon. These correspond directly to the settings recognized by
23180 Transmission clients in their @file{settings.json} file.
23183 @c The following documentation was initially generated by
23184 @c (generate-transmission-daemon-documentation) in (gnu services
23185 @c file-sharing). Manually maintained documentation is better, so we
23186 @c shouldn't hesitate to edit below as needed. However if the change
23187 @c you want to make to this documentation can be done in an automated
23188 @c way, it's probably easier to change (generate-documentation) than to
23189 @c make it below and have to deal with the churn as Transmission Daemon
23192 @c %start of fragment
23194 Available @code{transmission-daemon-configuration} fields are:
23196 @deftypevr {@code{transmission-daemon-configuration} parameter} package transmission
23197 The Transmission package to use.
23201 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer stop-wait-period
23202 The period, in seconds, to wait when stopping the service for
23203 @command{transmission-daemon} to exit before killing its process. This
23204 allows the daemon time to complete its housekeeping and send a final
23205 update to trackers as it shuts down. On slow hosts, or hosts with a
23206 slow network connection, this value may need to be increased.
23208 Defaults to @samp{10}.
23212 @deftypevr {@code{transmission-daemon-configuration} parameter} string download-dir
23213 The directory to which torrent files are downloaded.
23215 Defaults to @samp{"/var/lib/transmission-daemon/downloads"}.
23219 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean incomplete-dir-enabled?
23220 If @code{#t}, files will be held in @code{incomplete-dir} while their
23221 torrent is being downloaded, then moved to @code{download-dir} once the
23222 torrent is complete. Otherwise, files for all torrents (including those
23223 still being downloaded) will be placed in @code{download-dir}.
23225 Defaults to @samp{#f}.
23229 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string incomplete-dir
23230 The directory in which files from incompletely downloaded torrents will
23231 be held when @code{incomplete-dir-enabled?} is @code{#t}.
23233 Defaults to @samp{disabled}.
23237 @deftypevr {@code{transmission-daemon-configuration} parameter} umask umask
23238 The file mode creation mask used for downloaded files. (See the
23239 @command{umask} man page for more information.)
23241 Defaults to @samp{18}.
23245 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rename-partial-files?
23246 When @code{#t}, ``.part'' is appended to the name of partially
23249 Defaults to @samp{#t}.
23253 @deftypevr {@code{transmission-daemon-configuration} parameter} preallocation-mode preallocation
23254 The mode by which space should be preallocated for downloaded files, one
23255 of @code{none}, @code{fast} (or @code{sparse}) and @code{full}.
23256 Specifying @code{full} will minimize disk fragmentation at a cost to
23257 file-creation speed.
23259 Defaults to @samp{fast}.
23263 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean watch-dir-enabled?
23264 If @code{#t}, the directory specified by @code{watch-dir} will be
23265 watched for new @file{.torrent} files and the torrents they describe
23266 added automatically (and the original files removed, if
23267 @code{trash-original-torrent-files?} is @code{#t}).
23269 Defaults to @samp{#f}.
23273 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string watch-dir
23274 The directory to be watched for @file{.torrent} files indicating new
23275 torrents to be added, when @code{watch-dir-enabled} is @code{#t}.
23277 Defaults to @samp{disabled}.
23281 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean trash-original-torrent-files?
23282 When @code{#t}, @file{.torrent} files will be deleted from the watch
23283 directory once their torrent has been added (see
23284 @code{watch-directory-enabled?}).
23286 Defaults to @samp{#f}.
23290 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-down-enabled?
23291 When @code{#t}, the daemon's download speed will be limited to the rate
23292 specified by @code{speed-limit-down}.
23294 Defaults to @samp{#f}.
23298 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-down
23299 The default global-maximum download speed, in kilobytes per second.
23301 Defaults to @samp{100}.
23305 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-up-enabled?
23306 When @code{#t}, the daemon's upload speed will be limited to the rate
23307 specified by @code{speed-limit-up}.
23309 Defaults to @samp{#f}.
23313 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-up
23314 The default global-maximum upload speed, in kilobytes per second.
23316 Defaults to @samp{100}.
23320 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-enabled?
23321 When @code{#t}, the alternate speed limits @code{alt-speed-down} and
23322 @code{alt-speed-up} are used (in place of @code{speed-limit-down} and
23323 @code{speed-limit-up}, if they are enabled) to constrain the daemon's
23324 bandwidth usage. This can be scheduled to occur automatically at
23325 certain times during the week; see @code{alt-speed-time-enabled?}.
23327 Defaults to @samp{#f}.
23331 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-down
23332 The alternate global-maximum download speed, in kilobytes per second.
23334 Defaults to @samp{50}.
23338 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-up
23339 The alternate global-maximum upload speed, in kilobytes per second.
23341 Defaults to @samp{50}.
23345 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-time-enabled?
23346 When @code{#t}, the alternate speed limits @code{alt-speed-down} and
23347 @code{alt-speed-up} will be enabled automatically during the periods
23348 specified by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and
23349 @code{alt-time-speed-end}.
23351 Defaults to @samp{#f}.
23355 @deftypevr {@code{transmission-daemon-configuration} parameter} day-list alt-speed-time-day
23356 The days of the week on which the alternate-speed schedule should be
23357 used, specified either as a list of days (@code{sunday}, @code{monday},
23358 and so on) or using one of the symbols @code{weekdays}, @code{weekends}
23361 Defaults to @samp{all}.
23365 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-begin
23366 The time of day at which to enable the alternate speed limits, expressed
23367 as a number of minutes since midnight.
23369 Defaults to @samp{540}.
23373 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-end
23374 The time of day at which to disable the alternate speed limits,
23375 expressed as a number of minutes since midnight.
23377 Defaults to @samp{1020}.
23381 @deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv4
23382 The IP address at which to listen for peer connections, or ``0.0.0.0''
23383 to listen at all available IP addresses.
23385 Defaults to @samp{"0.0.0.0"}.
23389 @deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv6
23390 The IPv6 address at which to listen for peer connections, or ``::'' to
23391 listen at all available IPv6 addresses.
23393 Defaults to @samp{"::"}.
23397 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean peer-port-random-on-start?
23398 If @code{#t}, when the daemon starts it will select a port at random on
23399 which to listen for peer connections, from the range specified
23400 (inclusively) by @code{peer-port-random-low} and
23401 @code{peer-port-random-high}. Otherwise, it listens on the port
23402 specified by @code{peer-port}.
23404 Defaults to @samp{#f}.
23408 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-low
23409 The lowest selectable port number when @code{peer-port-random-on-start?}
23412 Defaults to @samp{49152}.
23416 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-high
23417 The highest selectable port number when @code{peer-port-random-on-start}
23420 Defaults to @samp{65535}.
23424 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port
23425 The port on which to listen for peer connections when
23426 @code{peer-port-random-on-start?} is @code{#f}.
23428 Defaults to @samp{51413}.
23432 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean port-forwarding-enabled?
23433 If @code{#t}, the daemon will attempt to configure port-forwarding on an
23434 upstream gateway automatically using @acronym{UPnP} and
23437 Defaults to @samp{#t}.
23441 @deftypevr {@code{transmission-daemon-configuration} parameter} encryption-mode encryption
23442 The encryption preference for peer connections, one of
23443 @code{prefer-unencrypted-connections},
23444 @code{prefer-encrypted-connections} or
23445 @code{require-encrypted-connections}.
23447 Defaults to @samp{prefer-encrypted-connections}.
23451 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string peer-congestion-algorithm
23452 The TCP congestion-control algorithm to use for peer connections,
23453 specified using a string recognized by the operating system in calls to
23454 @code{setsockopt} (or set to @code{disabled}, in which case the
23455 operating-system default is used).
23457 Note that on GNU/Linux systems, the kernel must be configured to allow
23458 processes to use a congestion-control algorithm not in the default set;
23459 otherwise, it will deny these requests with ``Operation not permitted''.
23460 To see which algorithms are available on your system and which are
23461 currently permitted for use, look at the contents of the files
23462 @file{tcp_available_congestion_control} and
23463 @file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4}
23466 As an example, to have Transmission Daemon use
23467 @uref{http://www-ece.rice.edu/networks/TCP-LP/,the TCP Low Priority
23468 congestion-control algorithm}, you'll need to modify your kernel
23469 configuration to build in support for the algorithm, then update your
23470 operating-system configuration to allow its use by adding a
23471 @code{sysctl-service-type} service (or updating the existing one's
23472 configuration) with lines like the following:
23475 (service sysctl-service-type
23476 (sysctl-configuration
23478 ("net.ipv4.tcp_allowed_congestion_control" .
23479 "reno cubic lp"))))
23482 The Transmission Daemon configuration can then be updated with
23485 (peer-congestion-algorithm "lp")
23488 and the system reconfigured to have the changes take effect.
23490 Defaults to @samp{disabled}.
23494 @deftypevr {@code{transmission-daemon-configuration} parameter} tcp-type-of-service peer-socket-tos
23495 The type of service to request in outgoing @acronym{TCP} packets, one of
23496 @code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} and
23497 @code{reliability}.
23499 Defaults to @samp{default}.
23503 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-global
23504 The global limit on the number of connected peers.
23506 Defaults to @samp{200}.
23510 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-per-torrent
23511 The per-torrent limit on the number of connected peers.
23513 Defaults to @samp{50}.
23517 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer upload-slots-per-torrent
23518 The maximum number of peers to which the daemon will upload data
23519 simultaneously for each torrent.
23521 Defaults to @samp{14}.
23525 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-id-ttl-hours
23526 The maximum lifespan, in hours, of the peer ID associated with each
23527 public torrent before it is regenerated.
23529 Defaults to @samp{6}.
23533 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean blocklist-enabled?
23534 When @code{#t}, the daemon will ignore peers mentioned in the blocklist
23535 it has most recently downloaded from @code{blocklist-url}.
23537 Defaults to @samp{#f}.
23541 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string blocklist-url
23542 The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule
23543 @file{.dat} format) to be periodically downloaded and applied when
23544 @code{blocklist-enabled?} is @code{#t}.
23546 Defaults to @samp{disabled}.
23550 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean download-queue-enabled?
23551 If @code{#t}, the daemon will be limited to downloading at most
23552 @code{download-queue-size} non-stalled torrents simultaneously.
23554 Defaults to @samp{#t}.
23558 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer download-queue-size
23559 The size of the daemon's download queue, which limits the number of
23560 non-stalled torrents it will download at any one time when
23561 @code{download-queue-enabled?} is @code{#t}.
23563 Defaults to @samp{5}.
23567 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean seed-queue-enabled?
23568 If @code{#t}, the daemon will be limited to seeding at most
23569 @code{seed-queue-size} non-stalled torrents simultaneously.
23571 Defaults to @samp{#f}.
23575 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer seed-queue-size
23576 The size of the daemon's seed queue, which limits the number of
23577 non-stalled torrents it will seed at any one time when
23578 @code{seed-queue-enabled?} is @code{#t}.
23580 Defaults to @samp{10}.
23584 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean queue-stalled-enabled?
23585 When @code{#t}, the daemon will consider torrents for which it has not
23586 shared data in the past @code{queue-stalled-minutes} minutes to be
23587 stalled and not count them against its @code{download-queue-size} and
23588 @code{seed-queue-size} limits.
23590 Defaults to @samp{#t}.
23594 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer queue-stalled-minutes
23595 The maximum period, in minutes, a torrent may be idle before it is
23596 considered to be stalled, when @code{queue-stalled-enabled?} is
23599 Defaults to @samp{30}.
23603 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean ratio-limit-enabled?
23604 When @code{#t}, a torrent being seeded will automatically be paused once
23605 it reaches the ratio specified by @code{ratio-limit}.
23607 Defaults to @samp{#f}.
23611 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-rational ratio-limit
23612 The ratio at which a torrent being seeded will be paused, when
23613 @code{ratio-limit-enabled?} is @code{#t}.
23615 Defaults to @samp{2.0}.
23619 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean idle-seeding-limit-enabled?
23620 When @code{#t}, a torrent being seeded will automatically be paused once
23621 it has been idle for @code{idle-seeding-limit} minutes.
23623 Defaults to @samp{#f}.
23627 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer idle-seeding-limit
23628 The maximum period, in minutes, a torrent being seeded may be idle
23629 before it is paused, when @code{idle-seeding-limit-enabled?} is
23632 Defaults to @samp{30}.
23636 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean dht-enabled?
23637 Enable @uref{http://bittorrent.org/beps/bep_0005.html,the distributed
23638 hash table (@acronym{DHT}) protocol}, which supports the use of
23639 trackerless torrents.
23641 Defaults to @samp{#t}.
23645 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean lpd-enabled?
23646 Enable @uref{https://en.wikipedia.org/wiki/Local_Peer_Discovery,local
23647 peer discovery} (@acronym{LPD}), which allows the discovery of peers on
23648 the local network and may reduce the amount of data sent over the public
23651 Defaults to @samp{#f}.
23655 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean pex-enabled?
23656 Enable @uref{https://en.wikipedia.org/wiki/Peer_exchange,peer exchange}
23657 (@acronym{PEX}), which reduces the daemon's reliance on external
23658 trackers and may improve its performance.
23660 Defaults to @samp{#t}.
23664 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean utp-enabled?
23665 Enable @uref{http://bittorrent.org/beps/bep_0029.html,the micro
23666 transport protocol} (@acronym{uTP}), which aims to reduce the impact of
23667 BitTorrent traffic on other users of the local network while maintaining
23668 full utilization of the available bandwidth.
23670 Defaults to @samp{#t}.
23674 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-enabled?
23675 If @code{#t}, enable the remote procedure call (@acronym{RPC})
23676 interface, which allows remote control of the daemon via its Web
23677 interface, the @command{transmission-remote} command-line client, and
23680 Defaults to @samp{#t}.
23684 @deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-bind-address
23685 The IP address at which to listen for @acronym{RPC} connections, or
23686 ``0.0.0.0'' to listen at all available IP addresses.
23688 Defaults to @samp{"0.0.0.0"}.
23692 @deftypevr {@code{transmission-daemon-configuration} parameter} port-number rpc-port
23693 The port on which to listen for @acronym{RPC} connections.
23695 Defaults to @samp{9091}.
23699 @deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-url
23700 The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}.
23702 Defaults to @samp{"/transmission/"}.
23706 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-authentication-required?
23707 When @code{#t}, clients must authenticate (see @code{rpc-username} and
23708 @code{rpc-password}) when using the @acronym{RPC} interface. Note this
23709 has the side effect of disabling host-name whitelisting (see
23710 @code{rpc-host-whitelist-enabled?}.
23712 Defaults to @samp{#f}.
23716 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string rpc-username
23717 The username required by clients to access the @acronym{RPC} interface
23718 when @code{rpc-authentication-required?} is @code{#t}.
23720 Defaults to @samp{disabled}.
23724 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-transmission-password-hash rpc-password
23725 The password required by clients to access the @acronym{RPC} interface
23726 when @code{rpc-authentication-required?} is @code{#t}. This must be
23727 specified using a password hash in the format recognized by Transmission
23728 clients, either copied from an existing @file{settings.json} file or
23729 generated using the @code{transmission-password-hash} procedure.
23731 Defaults to @samp{disabled}.
23735 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-whitelist-enabled?
23736 When @code{#t}, @acronym{RPC} requests will be accepted only when they
23737 originate from an address specified in @code{rpc-whitelist}.
23739 Defaults to @samp{#t}.
23743 @deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-whitelist
23744 The list of IP and IPv6 addresses from which @acronym{RPC} requests will
23745 be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards
23746 may be specified using @samp{*}.
23748 Defaults to @samp{("127.0.0.1" "::1")}.
23752 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-host-whitelist-enabled?
23753 When @code{#t}, @acronym{RPC} requests will be accepted only when they
23754 are addressed to a host named in @code{rpc-host-whitelist}. Note that
23755 requests to ``localhost'' or ``localhost.'', or to a numeric address,
23756 are always accepted regardless of these settings.
23758 Note also this functionality is disabled when
23759 @code{rpc-authentication-required?} is @code{#t}.
23761 Defaults to @samp{#t}.
23765 @deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-host-whitelist
23766 The list of host names recognized by the @acronym{RPC} server when
23767 @code{rpc-host-whitelist-enabled?} is @code{#t}.
23769 Defaults to @samp{()}.
23773 @deftypevr {@code{transmission-daemon-configuration} parameter} message-level message-level
23774 The minimum severity level of messages to be logged (to
23775 @file{/var/log/transmission.log}) by the daemon, one of @code{none} (no
23776 logging), @code{error}, @code{info} and @code{debug}.
23778 Defaults to @samp{info}.
23782 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean start-added-torrents?
23783 When @code{#t}, torrents are started as soon as they are added;
23784 otherwise, they are added in ``paused'' state.
23786 Defaults to @samp{#t}.
23790 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean script-torrent-done-enabled?
23791 When @code{#t}, the script specified by
23792 @code{script-torrent-done-filename} will be invoked each time a torrent
23795 Defaults to @samp{#f}.
23799 @deftypevr {@code{transmission-daemon-configuration} parameter} maybe-file-object script-torrent-done-filename
23800 A file name or file-like object specifying a script to run each time a
23801 torrent completes, when @code{script-torrent-done-enabled?} is
23804 Defaults to @samp{disabled}.
23808 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean scrape-paused-torrents-enabled?
23809 When @code{#t}, the daemon will scrape trackers for a torrent even when
23810 the torrent is paused.
23812 Defaults to @samp{#t}.
23816 @deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer cache-size-mb
23817 The amount of memory, in megabytes, to allocate for the daemon's
23818 in-memory cache. A larger value may increase performance by reducing
23819 the frequency of disk I/O.
23821 Defaults to @samp{4}.
23825 @deftypevr {@code{transmission-daemon-configuration} parameter} boolean prefetch-enabled?
23826 When @code{#t}, the daemon will try to improve I/O performance by
23827 hinting to the operating system which data is likely to be read next
23828 from disk to satisfy requests from peers.
23830 Defaults to @samp{#t}.
23835 @c %end of fragment
23839 @node Monitoring Services
23840 @subsection Monitoring Services
23842 @subsubheading Tailon Service
23844 @uref{https://tailon.readthedocs.io/, Tailon} is a web application for
23845 viewing and searching log files.
23847 The following example will configure the service with default values.
23848 By default, Tailon can be accessed on port 8080 (@code{http://localhost:8080}).
23851 (service tailon-service-type)
23854 The following example customises more of the Tailon configuration,
23855 adding @command{sed} to the list of allowed commands.
23858 (service tailon-service-type
23859 (tailon-configuration
23861 (tailon-configuration-file
23862 (allowed-commands '("tail" "grep" "awk" "sed"))))))
23866 @deftp {Data Type} tailon-configuration
23867 Data type representing the configuration of Tailon.
23868 This type has the following parameters:
23871 @item @code{config-file} (default: @code{(tailon-configuration-file)})
23872 The configuration file to use for Tailon. This can be set to a
23873 @dfn{tailon-configuration-file} record value, or any gexp
23874 (@pxref{G-Expressions}).
23876 For example, to instead use a local file, the @code{local-file} function
23880 (service tailon-service-type
23881 (tailon-configuration
23882 (config-file (local-file "./my-tailon.conf"))))
23885 @item @code{package} (default: @code{tailon})
23886 The tailon package to use.
23891 @deftp {Data Type} tailon-configuration-file
23892 Data type representing the configuration options for Tailon.
23893 This type has the following parameters:
23896 @item @code{files} (default: @code{(list "/var/log")})
23897 List of files to display. The list can include strings for a single file
23898 or directory, or a list, where the first item is the name of a
23899 subsection, and the remaining items are the files or directories in that
23902 @item @code{bind} (default: @code{"localhost:8080"})
23903 Address and port to which Tailon should bind on.
23905 @item @code{relative-root} (default: @code{#f})
23906 URL path to use for Tailon, set to @code{#f} to not use a path.
23908 @item @code{allow-transfers?} (default: @code{#t})
23909 Allow downloading the log files in the web interface.
23911 @item @code{follow-names?} (default: @code{#t})
23912 Allow tailing of not-yet existent files.
23914 @item @code{tail-lines} (default: @code{200})
23915 Number of lines to read initially from each file.
23917 @item @code{allowed-commands} (default: @code{(list "tail" "grep" "awk")})
23918 Commands to allow running. By default, @code{sed} is disabled.
23920 @item @code{debug?} (default: @code{#f})
23921 Set @code{debug?} to @code{#t} to show debug messages.
23923 @item @code{wrap-lines} (default: @code{#t})
23924 Initial line wrapping state in the web interface. Set to @code{#t} to
23925 initially wrap lines (the default), or to @code{#f} to initially not
23928 @item @code{http-auth} (default: @code{#f})
23929 HTTP authentication type to use. Set to @code{#f} to disable
23930 authentication (the default). Supported values are @code{"digest"} or
23933 @item @code{users} (default: @code{#f})
23934 If HTTP authentication is enabled (see @code{http-auth}), access will be
23935 restricted to the credentials provided here. To configure users, use a
23936 list of pairs, where the first element of the pair is the username, and
23937 the 2nd element of the pair is the password.
23940 (tailon-configuration-file
23941 (http-auth "basic")
23942 (users '(("user1" . "password1")
23943 ("user2" . "password2"))))
23950 @subsubheading Darkstat Service
23952 Darkstat is a packet sniffer that captures network traffic, calculates
23953 statistics about usage, and serves reports over HTTP.
23955 @defvar {Scheme Variable} darkstat-service-type
23956 This is the service type for the
23957 @uref{https://unix4lyfe.org/darkstat/, darkstat}
23958 service, its value must be a @code{darkstat-configuration} record as in
23962 (service darkstat-service-type
23963 (darkstat-configuration
23964 (interface "eno1")))
23968 @deftp {Data Type} darkstat-configuration
23969 Data type representing the configuration of @command{darkstat}.
23972 @item @code{package} (default: @code{darkstat})
23973 The darkstat package to use.
23975 @item @code{interface}
23976 Capture traffic on the specified network interface.
23978 @item @code{port} (default: @code{"667"})
23979 Bind the web interface to the specified port.
23981 @item @code{bind-address} (default: @code{"127.0.0.1"})
23982 Bind the web interface to the specified address.
23984 @item @code{base} (default: @code{"/"})
23985 Specify the path of the base URL@. This can be useful if
23986 @command{darkstat} is accessed via a reverse proxy.
23991 @subsubheading Prometheus Node Exporter Service
23993 @cindex prometheus-node-exporter
23994 The Prometheus ``node exporter'' makes hardware and operating system statistics
23995 provided by the Linux kernel available for the Prometheus monitoring system.
23996 This service should be deployed on all physical nodes and virtual machines,
23997 where monitoring these statistics is desirable.
23999 @defvar {Scheme variable} prometheus-node-exporter-service-type
24000 This is the service type for the
24001 @uref{https://github.com/prometheus/node_exporter/, prometheus-node-exporter}
24002 service, its value must be a @code{prometheus-node-exporter-configuration}.
24005 (service prometheus-node-exporter-service-type)
24009 @deftp {Data Type} prometheus-node-exporter-configuration
24010 Data type representing the configuration of @command{node_exporter}.
24013 @item @code{package} (default: @code{go-github-com-prometheus-node-exporter})
24014 The prometheus-node-exporter package to use.
24016 @item @code{web-listen-address} (default: @code{":9100"})
24017 Bind the web interface to the specified address.
24019 @item @code{textfile-directory} (default: @code{"/var/lib/prometheus/node-exporter"})
24020 This directory can be used to export metrics specific to this machine.
24021 Files containing metrics in the text format, with the filename ending in
24022 @code{.prom} should be placed in this directory.
24024 @item @code{extra-options} (default: @code{'()})
24025 Extra options to pass to the Prometheus node exporter.
24030 @subsubheading Zabbix server
24031 @cindex zabbix zabbix-server
24032 Zabbix provides monitoring metrics, among others network utilization, CPU load
24033 and disk space consumption:
24036 @item High performance, high capacity (able to monitor hundreds of thousands of devices).
24037 @item Auto-discovery of servers and network devices and interfaces.
24038 @item Low-level discovery, allows to automatically start monitoring new items, file systems or network interfaces among others.
24039 @item Distributed monitoring with centralized web administration.
24040 @item Native high performance agents.
24041 @item SLA, and ITIL KPI metrics on reporting.
24042 @item High-level (business) view of monitored resources through user-defined visual console screens and dashboards.
24043 @item Remote command execution through Zabbix proxies.
24046 @c %start of fragment
24048 Available @code{zabbix-server-configuration} fields are:
24050 @deftypevr {@code{zabbix-server-configuration} parameter} package zabbix-server
24051 The zabbix-server package.
24055 @deftypevr {@code{zabbix-server-configuration} parameter} string user
24056 User who will run the Zabbix server.
24058 Defaults to @samp{"zabbix"}.
24062 @deftypevr {@code{zabbix-server-configuration} parameter} group group
24063 Group who will run the Zabbix server.
24065 Defaults to @samp{"zabbix"}.
24069 @deftypevr {@code{zabbix-server-configuration} parameter} string db-host
24070 Database host name.
24072 Defaults to @samp{"127.0.0.1"}.
24076 @deftypevr {@code{zabbix-server-configuration} parameter} string db-name
24079 Defaults to @samp{"zabbix"}.
24083 @deftypevr {@code{zabbix-server-configuration} parameter} string db-user
24086 Defaults to @samp{"zabbix"}.
24090 @deftypevr {@code{zabbix-server-configuration} parameter} string db-password
24091 Database password. Please, use @code{include-files} with
24092 @code{DBPassword=SECRET} inside a specified file instead.
24094 Defaults to @samp{""}.
24098 @deftypevr {@code{zabbix-server-configuration} parameter} number db-port
24101 Defaults to @samp{5432}.
24105 @deftypevr {@code{zabbix-server-configuration} parameter} string log-type
24106 Specifies where log messages are written to:
24110 @code{system} - syslog.
24113 @code{file} - file specified with @code{log-file} parameter.
24116 @code{console} - standard output.
24120 Defaults to @samp{""}.
24124 @deftypevr {@code{zabbix-server-configuration} parameter} string log-file
24125 Log file name for @code{log-type} @code{file} parameter.
24127 Defaults to @samp{"/var/log/zabbix/server.log"}.
24131 @deftypevr {@code{zabbix-server-configuration} parameter} string pid-file
24134 Defaults to @samp{"/var/run/zabbix/zabbix_server.pid"}.
24138 @deftypevr {@code{zabbix-server-configuration} parameter} string ssl-ca-location
24139 The location of certificate authority (CA) files for SSL server
24140 certificate verification.
24142 Defaults to @samp{"/etc/ssl/certs/ca-certificates.crt"}.
24146 @deftypevr {@code{zabbix-server-configuration} parameter} string ssl-cert-location
24147 Location of SSL client certificates.
24149 Defaults to @samp{"/etc/ssl/certs"}.
24153 @deftypevr {@code{zabbix-server-configuration} parameter} string extra-options
24154 Extra options will be appended to Zabbix server configuration file.
24156 Defaults to @samp{""}.
24160 @deftypevr {@code{zabbix-server-configuration} parameter} include-files include-files
24161 You may include individual files or all files in a directory in the
24162 configuration file.
24164 Defaults to @samp{()}.
24168 @c %end of fragment
24170 @subsubheading Zabbix agent
24171 @cindex zabbix zabbix-agent
24173 Zabbix agent gathers information for Zabbix server.
24175 @c %start of fragment
24177 Available @code{zabbix-agent-configuration} fields are:
24179 @deftypevr {@code{zabbix-agent-configuration} parameter} package zabbix-agent
24180 The zabbix-agent package.
24184 @deftypevr {@code{zabbix-agent-configuration} parameter} string user
24185 User who will run the Zabbix agent.
24187 Defaults to @samp{"zabbix"}.
24191 @deftypevr {@code{zabbix-agent-configuration} parameter} group group
24192 Group who will run the Zabbix agent.
24194 Defaults to @samp{"zabbix"}.
24198 @deftypevr {@code{zabbix-agent-configuration} parameter} string hostname
24199 Unique, case sensitive hostname which is required for active checks and
24200 must match hostname as configured on the server.
24202 Defaults to @samp{""}.
24206 @deftypevr {@code{zabbix-agent-configuration} parameter} string log-type
24207 Specifies where log messages are written to:
24211 @code{system} - syslog.
24214 @code{file} - file specified with @code{log-file} parameter.
24217 @code{console} - standard output.
24221 Defaults to @samp{""}.
24225 @deftypevr {@code{zabbix-agent-configuration} parameter} string log-file
24226 Log file name for @code{log-type} @code{file} parameter.
24228 Defaults to @samp{"/var/log/zabbix/agent.log"}.
24232 @deftypevr {@code{zabbix-agent-configuration} parameter} string pid-file
24235 Defaults to @samp{"/var/run/zabbix/zabbix_agent.pid"}.
24239 @deftypevr {@code{zabbix-agent-configuration} parameter} list server
24240 List of IP addresses, optionally in CIDR notation, or hostnames of
24241 Zabbix servers and Zabbix proxies. Incoming connections will be
24242 accepted only from the hosts listed here.
24244 Defaults to @samp{("127.0.0.1")}.
24248 @deftypevr {@code{zabbix-agent-configuration} parameter} list server-active
24249 List of IP:port (or hostname:port) pairs of Zabbix servers and Zabbix
24250 proxies for active checks. If port is not specified, default port is
24251 used. If this parameter is not specified, active checks are disabled.
24253 Defaults to @samp{("127.0.0.1")}.
24257 @deftypevr {@code{zabbix-agent-configuration} parameter} string extra-options
24258 Extra options will be appended to Zabbix server configuration file.
24260 Defaults to @samp{""}.
24264 @deftypevr {@code{zabbix-agent-configuration} parameter} include-files include-files
24265 You may include individual files or all files in a directory in the
24266 configuration file.
24268 Defaults to @samp{()}.
24272 @c %end of fragment
24274 @subsubheading Zabbix front-end
24275 @cindex zabbix zabbix-front-end
24277 This service provides a WEB interface to Zabbix server.
24279 @c %start of fragment
24281 Available @code{zabbix-front-end-configuration} fields are:
24283 @deftypevr {@code{zabbix-front-end-configuration} parameter} nginx-server-configuration-list nginx
24284 NGINX configuration.
24288 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-host
24289 Database host name.
24291 Defaults to @samp{"localhost"}.
24295 @deftypevr {@code{zabbix-front-end-configuration} parameter} number db-port
24298 Defaults to @samp{5432}.
24302 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-name
24305 Defaults to @samp{"zabbix"}.
24309 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-user
24312 Defaults to @samp{"zabbix"}.
24316 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-password
24317 Database password. Please, use @code{db-secret-file} instead.
24319 Defaults to @samp{""}.
24323 @deftypevr {@code{zabbix-front-end-configuration} parameter} string db-secret-file
24324 Secret file containing the credentials for the Zabbix front-end. The value
24325 must be a local file name, not a G-expression. You are expected to create
24326 this file manually. Its contents will be copied into @file{zabbix.conf.php}
24327 as the value of @code{$DB['PASSWORD']}.
24329 Defaults to @samp{""}.
24333 @deftypevr {@code{zabbix-front-end-configuration} parameter} string zabbix-host
24334 Zabbix server hostname.
24336 Defaults to @samp{"localhost"}.
24340 @deftypevr {@code{zabbix-front-end-configuration} parameter} number zabbix-port
24341 Zabbix server port.
24343 Defaults to @samp{10051}.
24348 @c %end of fragment
24350 @node Kerberos Services
24351 @subsection Kerberos Services
24354 The @code{(gnu services kerberos)} module provides services relating to
24355 the authentication protocol @dfn{Kerberos}.
24357 @subsubheading Krb5 Service
24359 Programs using a Kerberos client library normally
24360 expect a configuration file in @file{/etc/krb5.conf}.
24361 This service generates such a file from a definition provided in the
24362 operating system declaration.
24363 It does not cause any daemon to be started.
24365 No ``keytab'' files are provided by this service---you must explicitly create them.
24366 This service is known to work with the MIT client library, @code{mit-krb5}.
24367 Other implementations have not been tested.
24369 @defvr {Scheme Variable} krb5-service-type
24370 A service type for Kerberos 5 clients.
24374 Here is an example of its use:
24376 (service krb5-service-type
24377 (krb5-configuration
24378 (default-realm "EXAMPLE.COM")
24379 (allow-weak-crypto? #t)
24382 (name "EXAMPLE.COM")
24383 (admin-server "groucho.example.com")
24384 (kdc "karl.example.com"))
24387 (admin-server "kerb-admin.argrx.edu")
24388 (kdc "keys.argrx.edu"))))))
24392 This example provides a Kerberos@tie{}5 client configuration which:
24394 @item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both
24395 of which have distinct administration servers and key distribution centers;
24396 @item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly
24397 specified by clients;
24398 @item Accepts services which only support encryption types known to be weak.
24401 The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
24402 Only the most commonly used ones are described here.
24403 For a full list, and more detailed explanation of each, see the MIT
24404 @uref{https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
24408 @deftp {Data Type} krb5-realm
24409 @cindex realm, kerberos
24412 This field is a string identifying the name of the realm.
24413 A common convention is to use the fully qualified DNS name of your organization,
24414 converted to upper case.
24416 @item @code{admin-server}
24417 This field is a string identifying the host where the administration server is
24421 This field is a string identifying the key distribution center
24426 @deftp {Data Type} krb5-configuration
24429 @item @code{allow-weak-crypto?} (default: @code{#f})
24430 If this flag is @code{#t} then services which only offer encryption algorithms
24431 known to be weak will be accepted.
24433 @item @code{default-realm} (default: @code{#f})
24434 This field should be a string identifying the default Kerberos
24435 realm for the client.
24436 You should set this field to the name of your Kerberos realm.
24437 If this value is @code{#f}
24438 then a realm must be specified with every Kerberos principal when invoking programs
24439 such as @command{kinit}.
24441 @item @code{realms}
24442 This should be a non-empty list of @code{krb5-realm} objects, which clients may
24444 Normally, one of them will have a @code{name} field matching the @code{default-realm}
24450 @subsubheading PAM krb5 Service
24453 The @code{pam-krb5} service allows for login authentication and password
24454 management via Kerberos.
24455 You will need this service if you want PAM enabled applications to authenticate
24456 users using Kerberos.
24458 @defvr {Scheme Variable} pam-krb5-service-type
24459 A service type for the Kerberos 5 PAM module.
24462 @deftp {Data Type} pam-krb5-configuration
24463 Data type representing the configuration of the Kerberos 5 PAM module.
24464 This type has the following parameters:
24466 @item @code{pam-krb5} (default: @code{pam-krb5})
24467 The pam-krb5 package to use.
24469 @item @code{minimum-uid} (default: @code{1000})
24470 The smallest user ID for which Kerberos authentications should be attempted.
24471 Local accounts with lower values will silently fail to authenticate.
24476 @node LDAP Services
24477 @subsection LDAP Services
24479 @cindex nslcd, LDAP service
24481 The @code{(gnu services authentication)} module provides the
24482 @code{nslcd-service-type}, which can be used to authenticate against an LDAP
24483 server. In addition to configuring the service itself, you may want to add
24484 @code{ldap} as a name service to the Name Service Switch. @xref{Name Service
24485 Switch} for detailed information.
24487 Here is a simple operating system declaration with a default configuration of
24488 the @code{nslcd-service-type} and a Name Service Switch configuration that
24489 consults the @code{ldap} name service last:
24492 (use-service-modules authentication)
24493 (use-modules (gnu system nss))
24499 (service nslcd-service-type)
24500 (service dhcp-client-service-type)
24502 (name-service-switch
24503 (let ((services (list (name-service (name "db"))
24504 (name-service (name "files"))
24505 (name-service (name "ldap")))))
24506 (name-service-switch
24507 (inherit %mdns-host-lookup-nss)
24508 (password services)
24511 (netgroup services)
24512 (gshadow services)))))
24515 @c %start of generated documentation for nslcd-configuration
24517 Available @code{nslcd-configuration} fields are:
24519 @deftypevr {@code{nslcd-configuration} parameter} package nss-pam-ldapd
24520 The @code{nss-pam-ldapd} package to use.
24524 @deftypevr {@code{nslcd-configuration} parameter} maybe-number threads
24525 The number of threads to start that can handle requests and perform LDAP
24526 queries. Each thread opens a separate connection to the LDAP server.
24527 The default is to start 5 threads.
24529 Defaults to @samp{disabled}.
24533 @deftypevr {@code{nslcd-configuration} parameter} string uid
24534 This specifies the user id with which the daemon should be run.
24536 Defaults to @samp{"nslcd"}.
24540 @deftypevr {@code{nslcd-configuration} parameter} string gid
24541 This specifies the group id with which the daemon should be run.
24543 Defaults to @samp{"nslcd"}.
24547 @deftypevr {@code{nslcd-configuration} parameter} log-option log
24548 This option controls the way logging is done via a list containing
24549 SCHEME and LEVEL@. The SCHEME argument may either be the symbols
24550 @samp{none} or @samp{syslog}, or an absolute file name. The LEVEL
24551 argument is optional and specifies the log level. The log level may be
24552 one of the following symbols: @samp{crit}, @samp{error}, @samp{warning},
24553 @samp{notice}, @samp{info} or @samp{debug}. All messages with the
24554 specified log level or higher are logged.
24556 Defaults to @samp{("/var/log/nslcd" info)}.
24560 @deftypevr {@code{nslcd-configuration} parameter} list uri
24561 The list of LDAP server URIs. Normally, only the first server will be
24562 used with the following servers as fall-back.
24564 Defaults to @samp{("ldap://localhost:389/")}.
24568 @deftypevr {@code{nslcd-configuration} parameter} maybe-string ldap-version
24569 The version of the LDAP protocol to use. The default is to use the
24570 maximum version supported by the LDAP library.
24572 Defaults to @samp{disabled}.
24576 @deftypevr {@code{nslcd-configuration} parameter} maybe-string binddn
24577 Specifies the distinguished name with which to bind to the directory
24578 server for lookups. The default is to bind anonymously.
24580 Defaults to @samp{disabled}.
24584 @deftypevr {@code{nslcd-configuration} parameter} maybe-string bindpw
24585 Specifies the credentials with which to bind. This option is only
24586 applicable when used with binddn.
24588 Defaults to @samp{disabled}.
24592 @deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmoddn
24593 Specifies the distinguished name to use when the root user tries to
24594 modify a user's password using the PAM module.
24596 Defaults to @samp{disabled}.
24600 @deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmodpw
24601 Specifies the credentials with which to bind if the root user tries to
24602 change a user's password. This option is only applicable when used with
24605 Defaults to @samp{disabled}.
24609 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-mech
24610 Specifies the SASL mechanism to be used when performing SASL
24613 Defaults to @samp{disabled}.
24617 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-realm
24618 Specifies the SASL realm to be used when performing SASL authentication.
24620 Defaults to @samp{disabled}.
24624 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authcid
24625 Specifies the authentication identity to be used when performing SASL
24628 Defaults to @samp{disabled}.
24632 @deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authzid
24633 Specifies the authorization identity to be used when performing SASL
24636 Defaults to @samp{disabled}.
24640 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean sasl-canonicalize?
24641 Determines whether the LDAP server host name should be canonicalised. If
24642 this is enabled the LDAP library will do a reverse host name lookup. By
24643 default, it is left up to the LDAP library whether this check is
24646 Defaults to @samp{disabled}.
24650 @deftypevr {@code{nslcd-configuration} parameter} maybe-string krb5-ccname
24651 Set the name for the GSS-API Kerberos credentials cache.
24653 Defaults to @samp{disabled}.
24657 @deftypevr {@code{nslcd-configuration} parameter} string base
24658 The directory search base.
24660 Defaults to @samp{"dc=example,dc=com"}.
24664 @deftypevr {@code{nslcd-configuration} parameter} scope-option scope
24665 Specifies the search scope (subtree, onelevel, base or children). The
24666 default scope is subtree; base scope is almost never useful for name
24667 service lookups; children scope is not supported on all servers.
24669 Defaults to @samp{(subtree)}.
24673 @deftypevr {@code{nslcd-configuration} parameter} maybe-deref-option deref
24674 Specifies the policy for dereferencing aliases. The default policy is
24675 to never dereference aliases.
24677 Defaults to @samp{disabled}.
24681 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean referrals
24682 Specifies whether automatic referral chasing should be enabled. The
24683 default behaviour is to chase referrals.
24685 Defaults to @samp{disabled}.
24689 @deftypevr {@code{nslcd-configuration} parameter} list-of-map-entries maps
24690 This option allows for custom attributes to be looked up instead of the
24691 default RFC 2307 attributes. It is a list of maps, each consisting of
24692 the name of a map, the RFC 2307 attribute to match and the query
24693 expression for the attribute as it is available in the directory.
24695 Defaults to @samp{()}.
24699 @deftypevr {@code{nslcd-configuration} parameter} list-of-filter-entries filters
24700 A list of filters consisting of the name of a map to which the filter
24701 applies and an LDAP search filter expression.
24703 Defaults to @samp{()}.
24707 @deftypevr {@code{nslcd-configuration} parameter} maybe-number bind-timelimit
24708 Specifies the time limit in seconds to use when connecting to the
24709 directory server. The default value is 10 seconds.
24711 Defaults to @samp{disabled}.
24715 @deftypevr {@code{nslcd-configuration} parameter} maybe-number timelimit
24716 Specifies the time limit (in seconds) to wait for a response from the
24717 LDAP server. A value of zero, which is the default, is to wait
24718 indefinitely for searches to be completed.
24720 Defaults to @samp{disabled}.
24724 @deftypevr {@code{nslcd-configuration} parameter} maybe-number idle-timelimit
24725 Specifies the period if inactivity (in seconds) after which the con‐
24726 nection to the LDAP server will be closed. The default is not to time
24729 Defaults to @samp{disabled}.
24733 @deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-sleeptime
24734 Specifies the number of seconds to sleep when connecting to all LDAP
24735 servers fails. By default one second is waited between the first
24736 failure and the first retry.
24738 Defaults to @samp{disabled}.
24742 @deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-retrytime
24743 Specifies the time after which the LDAP server is considered to be
24744 permanently unavailable. Once this time is reached retries will be done
24745 only once per this time period. The default value is 10 seconds.
24747 Defaults to @samp{disabled}.
24751 @deftypevr {@code{nslcd-configuration} parameter} maybe-ssl-option ssl
24752 Specifies whether to use SSL/TLS or not (the default is not to). If
24753 'start-tls is specified then StartTLS is used rather than raw LDAP over
24756 Defaults to @samp{disabled}.
24760 @deftypevr {@code{nslcd-configuration} parameter} maybe-tls-reqcert-option tls-reqcert
24761 Specifies what checks to perform on a server-supplied certificate. The
24762 meaning of the values is described in the ldap.conf(5) manual page.
24764 Defaults to @samp{disabled}.
24768 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertdir
24769 Specifies the directory containing X.509 certificates for peer authen‐
24770 tication. This parameter is ignored when using GnuTLS.
24772 Defaults to @samp{disabled}.
24776 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertfile
24777 Specifies the path to the X.509 certificate for peer authentication.
24779 Defaults to @samp{disabled}.
24783 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-randfile
24784 Specifies the path to an entropy source. This parameter is ignored when
24787 Defaults to @samp{disabled}.
24791 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-ciphers
24792 Specifies the ciphers to use for TLS as a string.
24794 Defaults to @samp{disabled}.
24798 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cert
24799 Specifies the path to the file containing the local certificate for
24800 client TLS authentication.
24802 Defaults to @samp{disabled}.
24806 @deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-key
24807 Specifies the path to the file containing the private key for client TLS
24810 Defaults to @samp{disabled}.
24814 @deftypevr {@code{nslcd-configuration} parameter} maybe-number pagesize
24815 Set this to a number greater than 0 to request paged results from the
24816 LDAP server in accordance with RFC2696. The default (0) is to not
24817 request paged results.
24819 Defaults to @samp{disabled}.
24823 @deftypevr {@code{nslcd-configuration} parameter} maybe-ignore-users-option nss-initgroups-ignoreusers
24824 This option prevents group membership lookups through LDAP for the
24825 specified users. Alternatively, the value 'all-local may be used. With
24826 that value nslcd builds a full list of non-LDAP users on startup.
24828 Defaults to @samp{disabled}.
24832 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-min-uid
24833 This option ensures that LDAP users with a numeric user id lower than
24834 the specified value are ignored.
24836 Defaults to @samp{disabled}.
24840 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-uid-offset
24841 This option specifies an offset that is added to all LDAP numeric user
24842 ids. This can be used to avoid user id collisions with local users.
24844 Defaults to @samp{disabled}.
24848 @deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-gid-offset
24849 This option specifies an offset that is added to all LDAP numeric group
24850 ids. This can be used to avoid user id collisions with local groups.
24852 Defaults to @samp{disabled}.
24856 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-nested-groups
24857 If this option is set, the member attribute of a group may point to
24858 another group. Members of nested groups are also returned in the higher
24859 level group and parent groups are returned when finding groups for a
24860 specific user. The default is not to perform extra searches for nested
24863 Defaults to @samp{disabled}.
24867 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-getgrent-skipmembers
24868 If this option is set, the group member list is not retrieved when
24869 looking up groups. Lookups for finding which groups a user belongs to
24870 will remain functional so the user will likely still get the correct
24871 groups assigned on login.
24873 Defaults to @samp{disabled}.
24877 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-disable-enumeration
24878 If this option is set, functions which cause all user/group entries to
24879 be loaded from the directory will not succeed in doing so. This can
24880 dramatically reduce LDAP server load in situations where there are a
24881 great number of users and/or groups. This option is not recommended for
24882 most configurations.
24884 Defaults to @samp{disabled}.
24888 @deftypevr {@code{nslcd-configuration} parameter} maybe-string validnames
24889 This option can be used to specify how user and group names are verified
24890 within the system. This pattern is used to check all user and group
24891 names that are requested and returned from LDAP.
24893 Defaults to @samp{disabled}.
24897 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean ignorecase
24898 This specifies whether or not to perform searches using case-insensitive
24899 matching. Enabling this could open up the system to authorization
24900 bypass vulnerabilities and introduce nscd cache poisoning
24901 vulnerabilities which allow denial of service.
24903 Defaults to @samp{disabled}.
24907 @deftypevr {@code{nslcd-configuration} parameter} maybe-boolean pam-authc-ppolicy
24908 This option specifies whether password policy controls are requested and
24909 handled from the LDAP server when performing user authentication.
24911 Defaults to @samp{disabled}.
24915 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authc-search
24916 By default nslcd performs an LDAP search with the user's credentials
24917 after BIND (authentication) to ensure that the BIND operation was
24918 successful. The default search is a simple check to see if the user's
24919 DN exists. A search filter can be specified that will be used instead.
24920 It should return at least one entry.
24922 Defaults to @samp{disabled}.
24926 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authz-search
24927 This option allows flexible fine tuning of the authorisation check that
24928 should be performed. The search filter specified is executed and if any
24929 entries match, access is granted, otherwise access is denied.
24931 Defaults to @samp{disabled}.
24935 @deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-password-prohibit-message
24936 If this option is set password modification using pam_ldap will be
24937 denied and the specified message will be presented to the user instead.
24938 The message can be used to direct the user to an alternative means of
24939 changing their password.
24941 Defaults to @samp{disabled}.
24945 @deftypevr {@code{nslcd-configuration} parameter} list pam-services
24946 List of pam service names for which LDAP authentication should suffice.
24948 Defaults to @samp{()}.
24952 @c %end of generated documentation for nslcd-configuration
24956 @subsection Web Services
24961 The @code{(gnu services web)} module provides the Apache HTTP Server,
24962 the nginx web server, and also a fastcgi wrapper daemon.
24964 @subsubheading Apache HTTP Server
24966 @deffn {Scheme Variable} httpd-service-type
24967 Service type for the @uref{https://httpd.apache.org/,Apache HTTP} server
24968 (@dfn{httpd}). The value for this service type is a
24969 @code{httpd-configuration} record.
24971 A simple example configuration is given below.
24974 (service httpd-service-type
24975 (httpd-configuration
24978 (server-name "www.example.com")
24979 (document-root "/srv/http/www.example.com")))))
24982 Other services can also extend the @code{httpd-service-type} to add to
24986 (simple-service 'www.example.com-server httpd-service-type
24990 (list (string-join '("ServerName www.example.com"
24991 "DocumentRoot /srv/http/www.example.com")
24996 The details for the @code{httpd-configuration}, @code{httpd-module},
24997 @code{httpd-config-file} and @code{httpd-virtualhost} record types are
25000 @deffn {Data Type} httpd-configuration
25001 This data type represents the configuration for the httpd service.
25004 @item @code{package} (default: @code{httpd})
25005 The httpd package to use.
25007 @item @code{pid-file} (default: @code{"/var/run/httpd"})
25008 The pid file used by the shepherd-service.
25010 @item @code{config} (default: @code{(httpd-config-file)})
25011 The configuration file to use with the httpd service. The default value
25012 is a @code{httpd-config-file} record, but this can also be a different
25013 G-expression that generates a file, for example a @code{plain-file}. A
25014 file outside of the store can also be specified through a string.
25019 @deffn {Data Type} httpd-module
25020 This data type represents a module for the httpd service.
25024 The name of the module.
25027 The file for the module. This can be relative to the httpd package being
25028 used, the absolute location of a file, or a G-expression for a file
25029 within the store, for example @code{(file-append mod-wsgi
25030 "/modules/mod_wsgi.so")}.
25035 @defvr {Scheme Variable} %default-httpd-modules
25036 A default list of @code{httpd-module} objects.
25039 @deffn {Data Type} httpd-config-file
25040 This data type represents a configuration file for the httpd service.
25043 @item @code{modules} (default: @code{%default-httpd-modules})
25044 The modules to load. Additional modules can be added here, or loaded by
25045 additional configuration.
25047 For example, in order to handle requests for PHP files, you can use Apache’s
25048 @code{mod_proxy_fcgi} module along with @code{php-fpm-service-type}:
25051 (service httpd-service-type
25052 (httpd-configuration
25057 (name "proxy_module")
25058 (file "modules/mod_proxy.so"))
25060 (name "proxy_fcgi_module")
25061 (file "modules/mod_proxy_fcgi.so"))
25062 %default-httpd-modules))
25063 (extra-config (list "\
25064 <FilesMatch \\.php$>
25065 SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\"
25066 </FilesMatch>"))))))
25067 (service php-fpm-service-type
25068 (php-fpm-configuration
25069 (socket "/var/run/php-fpm.sock")
25070 (socket-group "httpd")))
25073 @item @code{server-root} (default: @code{httpd})
25074 The @code{ServerRoot} in the configuration file, defaults to the httpd
25075 package. Directives including @code{Include} and @code{LoadModule} are
25076 taken as relative to the server root.
25078 @item @code{server-name} (default: @code{#f})
25079 The @code{ServerName} in the configuration file, used to specify the
25080 request scheme, hostname and port that the server uses to identify
25083 This doesn't need to be set in the server config, and can be specified
25084 in virtual hosts. The default is @code{#f} to not specify a
25087 @item @code{document-root} (default: @code{"/srv/http"})
25088 The @code{DocumentRoot} from which files will be served.
25090 @item @code{listen} (default: @code{'("80")})
25091 The list of values for the @code{Listen} directives in the config
25092 file. The value should be a list of strings, when each string can
25093 specify the port number to listen on, and optionally the IP address and
25096 @item @code{pid-file} (default: @code{"/var/run/httpd"})
25097 The @code{PidFile} to use. This should match the @code{pid-file} set in
25098 the @code{httpd-configuration} so that the Shepherd service is
25099 configured correctly.
25101 @item @code{error-log} (default: @code{"/var/log/httpd/error_log"})
25102 The @code{ErrorLog} to which the server will log errors.
25104 @item @code{user} (default: @code{"httpd"})
25105 The @code{User} which the server will answer requests as.
25107 @item @code{group} (default: @code{"httpd"})
25108 The @code{Group} which the server will answer requests as.
25110 @item @code{extra-config} (default: @code{(list "TypesConfig etc/httpd/mime.types")})
25111 A flat list of strings and G-expressions which will be added to the end
25112 of the configuration file.
25114 Any values which the service is extended with will be appended to this
25120 @deffn {Data Type} httpd-virtualhost
25121 This data type represents a virtualhost configuration block for the httpd service.
25123 These should be added to the extra-config for the httpd-service.
25126 (simple-service 'www.example.com-server httpd-service-type
25130 (list (string-join '("ServerName www.example.com"
25131 "DocumentRoot /srv/http/www.example.com")
25136 @item @code{addresses-and-ports}
25137 The addresses and ports for the @code{VirtualHost} directive.
25139 @item @code{contents}
25140 The contents of the @code{VirtualHost} directive, this should be a list
25141 of strings and G-expressions.
25147 @subsubheading NGINX
25149 @deffn {Scheme Variable} nginx-service-type
25150 Service type for the @uref{https://nginx.org/,NGinx} web server. The
25151 value for this service type is a @code{<nginx-configuration>} record.
25153 A simple example configuration is given below.
25156 (service nginx-service-type
25157 (nginx-configuration
25159 (list (nginx-server-configuration
25160 (server-name '("www.example.com"))
25161 (root "/srv/http/www.example.com"))))))
25164 In addition to adding server blocks to the service configuration
25165 directly, this service can be extended by other services to add server
25166 blocks, as in this example:
25169 (simple-service 'my-extra-server nginx-service-type
25170 (list (nginx-server-configuration
25171 (root "/srv/http/extra-website")
25172 (try-files (list "$uri" "$uri/index.html")))))
25176 At startup, @command{nginx} has not yet read its configuration file, so
25177 it uses a default file to log error messages. If it fails to load its
25178 configuration file, that is where error messages are logged. After the
25179 configuration file is loaded, the default error log file changes as per
25180 configuration. In our case, startup error messages can be found in
25181 @file{/var/run/nginx/logs/error.log}, and after configuration in
25182 @file{/var/log/nginx/error.log}. The second location can be changed
25183 with the @var{log-directory} configuration option.
25185 @deffn {Data Type} nginx-configuration
25186 This data type represents the configuration for NGinx. Some
25187 configuration can be done through this and the other provided record
25188 types, or alternatively, a config file can be provided.
25191 @item @code{nginx} (default: @code{nginx})
25192 The nginx package to use.
25194 @item @code{log-directory} (default: @code{"/var/log/nginx"})
25195 The directory to which NGinx will write log files.
25197 @item @code{run-directory} (default: @code{"/var/run/nginx"})
25198 The directory in which NGinx will create a pid file, and write temporary
25201 @item @code{server-blocks} (default: @code{'()})
25202 A list of @dfn{server blocks} to create in the generated configuration
25203 file, the elements should be of type
25204 @code{<nginx-server-configuration>}.
25206 The following example would setup NGinx to serve @code{www.example.com}
25207 from the @code{/srv/http/www.example.com} directory, without using
25210 (service nginx-service-type
25211 (nginx-configuration
25213 (list (nginx-server-configuration
25214 (server-name '("www.example.com"))
25215 (root "/srv/http/www.example.com"))))))
25218 @item @code{upstream-blocks} (default: @code{'()})
25219 A list of @dfn{upstream blocks} to create in the generated configuration
25220 file, the elements should be of type
25221 @code{<nginx-upstream-configuration>}.
25223 Configuring upstreams through the @code{upstream-blocks} can be useful
25224 when combined with @code{locations} in the
25225 @code{<nginx-server-configuration>} records. The following example
25226 creates a server configuration with one location configuration, that
25227 will proxy requests to a upstream configuration, which will handle
25228 requests with two servers.
25233 (nginx-configuration
25235 (list (nginx-server-configuration
25236 (server-name '("www.example.com"))
25237 (root "/srv/http/www.example.com")
25240 (nginx-location-configuration
25242 (body '("proxy_pass http://server-proxy;"))))))))
25244 (list (nginx-upstream-configuration
25245 (name "server-proxy")
25246 (servers (list "server1.example.com"
25247 "server2.example.com")))))))
25250 @item @code{file} (default: @code{#f})
25251 If a configuration @var{file} is provided, this will be used, rather than
25252 generating a configuration file from the provided @code{log-directory},
25253 @code{run-directory}, @code{server-blocks} and @code{upstream-blocks}. For
25254 proper operation, these arguments should match what is in @var{file} to ensure
25255 that the directories are created when the service is activated.
25257 This can be useful if you have an existing configuration file, or it's
25258 not possible to do what is required through the other parts of the
25259 nginx-configuration record.
25261 @item @code{server-names-hash-bucket-size} (default: @code{#f})
25262 Bucket size for the server names hash tables, defaults to @code{#f} to
25263 use the size of the processors cache line.
25265 @item @code{server-names-hash-bucket-max-size} (default: @code{#f})
25266 Maximum bucket size for the server names hash tables.
25268 @item @code{modules} (default: @code{'()})
25269 List of nginx dynamic modules to load. This should be a list of file
25270 names of loadable modules, as in this example:
25275 (file-append nginx-accept-language-module "\
25276 /etc/nginx/modules/ngx_http_accept_language_module.so")
25277 (file-append nginx-lua-module "\
25278 /etc/nginx/modules/ngx_http_lua_module.so")))
25281 @item @code{lua-package-path} (default: @code{'()})
25282 List of nginx lua packages to load. This should be a list of package
25283 names of loadable lua modules, as in this example:
25286 (lua-package-path (list lua-resty-core
25293 @item @code{lua-package-cpath} (default: @code{'()})
25294 List of nginx lua C packages to load. This should be a list of package
25295 names of loadable lua C modules, as in this example:
25298 (lua-package-cpath (list lua-resty-signal))
25301 @item @code{global-directives} (default: @code{'((events . ()))})
25302 Association list of global directives for the top level of the nginx
25303 configuration. Values may themselves be association lists.
25307 `((worker_processes . 16)
25309 (events . ((worker_connections . 1024)))))
25312 @item @code{extra-content} (default: @code{""})
25313 Extra content for the @code{http} block. Should be string or a string
25314 valued G-expression.
25319 @deftp {Data Type} nginx-server-configuration
25320 Data type representing the configuration of an nginx server block.
25321 This type has the following parameters:
25324 @item @code{listen} (default: @code{'("80" "443 ssl")})
25325 Each @code{listen} directive sets the address and port for IP, or the
25326 path for a UNIX-domain socket on which the server will accept requests.
25327 Both address and port, or only address or only port can be specified.
25328 An address may also be a hostname, for example:
25331 '("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000")
25334 @item @code{server-name} (default: @code{(list 'default)})
25335 A list of server names this server represents. @code{'default} represents the
25336 default server for connections matching no other server.
25338 @item @code{root} (default: @code{"/srv/http"})
25339 Root of the website nginx will serve.
25341 @item @code{locations} (default: @code{'()})
25342 A list of @dfn{nginx-location-configuration} or
25343 @dfn{nginx-named-location-configuration} records to use within this
25346 @item @code{index} (default: @code{(list "index.html")})
25347 Index files to look for when clients ask for a directory. If it cannot be found,
25348 Nginx will send the list of files in the directory.
25350 @item @code{try-files} (default: @code{'()})
25351 A list of files whose existence is checked in the specified order.
25352 @code{nginx} will use the first file it finds to process the request.
25354 @item @code{ssl-certificate} (default: @code{#f})
25355 Where to find the certificate for secure connections. Set it to @code{#f} if
25356 you don't have a certificate or you don't want to use HTTPS.
25358 @item @code{ssl-certificate-key} (default: @code{#f})
25359 Where to find the private key for secure connections. Set it to @code{#f} if
25360 you don't have a key or you don't want to use HTTPS.
25362 @item @code{server-tokens?} (default: @code{#f})
25363 Whether the server should add its configuration to response.
25365 @item @code{raw-content} (default: @code{'()})
25366 A list of raw lines added to the server block.
25371 @deftp {Data Type} nginx-upstream-configuration
25372 Data type representing the configuration of an nginx @code{upstream}
25373 block. This type has the following parameters:
25377 Name for this group of servers.
25379 @item @code{servers}
25380 Specify the addresses of the servers in the group. The address can be
25381 specified as a IP address (e.g.@: @samp{127.0.0.1}), domain name
25382 (e.g.@: @samp{backend1.example.com}) or a path to a UNIX socket using the
25383 prefix @samp{unix:}. For addresses using an IP address or domain name,
25384 the default port is 80, and a different port can be specified
25390 @deftp {Data Type} nginx-location-configuration
25391 Data type representing the configuration of an nginx @code{location}
25392 block. This type has the following parameters:
25396 URI which this location block matches.
25398 @anchor{nginx-location-configuration body}
25400 Body of the location block, specified as a list of strings. This can contain
25402 configuration directives. For example, to pass requests to a upstream
25403 server group defined using an @code{nginx-upstream-configuration} block,
25404 the following directive would be specified in the body @samp{(list "proxy_pass
25405 http://upstream-name;")}.
25410 @deftp {Data Type} nginx-named-location-configuration
25411 Data type representing the configuration of an nginx named location
25412 block. Named location blocks are used for request redirection, and not
25413 used for regular request processing. This type has the following
25418 Name to identify this location block.
25421 @xref{nginx-location-configuration body}, as the body for named location
25422 blocks can be used in a similar way to the
25423 @code{nginx-location-configuration body}. One restriction is that the
25424 body of a named location block cannot contain location blocks.
25429 @subsubheading Varnish Cache
25431 Varnish is a fast cache server that sits in between web applications
25432 and end users. It proxies requests from clients and caches the
25433 accessed URLs such that multiple requests for the same resource only
25434 creates one request to the back-end.
25436 @defvr {Scheme Variable} varnish-service-type
25437 Service type for the Varnish daemon.
25440 @deftp {Data Type} varnish-configuration
25441 Data type representing the @code{varnish} service configuration.
25442 This type has the following parameters:
25445 @item @code{package} (default: @code{varnish})
25446 The Varnish package to use.
25448 @item @code{name} (default: @code{"default"})
25449 A name for this Varnish instance. Varnish will create a directory in
25450 @file{/var/varnish/} with this name and keep temporary files there. If
25451 the name starts with a forward slash, it is interpreted as an absolute
25454 Pass the @code{-n} argument to other Varnish programs to connect to the
25455 named instance, e.g.@: @command{varnishncsa -n default}.
25457 @item @code{backend} (default: @code{"localhost:8080"})
25458 The backend to use. This option has no effect if @code{vcl} is set.
25460 @item @code{vcl} (default: #f)
25461 The @dfn{VCL} (Varnish Configuration Language) program to run. If this
25462 is @code{#f}, Varnish will proxy @code{backend} using the default
25463 configuration. Otherwise this must be a file-like object with valid
25466 @c Varnish does not support HTTPS, so keep this URL to avoid confusion.
25467 For example, to mirror @url{https://www.gnu.org,www.gnu.org} with VCL you
25468 can do something along these lines:
25471 (define %gnu-mirror
25472 (plain-file "gnu.vcl"
25474 backend gnu @{ .host = \"www.gnu.org\"; @}"))
25478 (services (cons (service varnish-service-type
25479 (varnish-configuration
25481 (vcl %gnu-mirror)))
25485 The configuration of an already running Varnish instance can be inspected
25486 and changed using the @command{varnishadm} program.
25488 Consult the @url{https://varnish-cache.org/docs/,Varnish User Guide} and
25489 @url{https://book.varnish-software.com/4.0/,Varnish Book} for
25490 comprehensive documentation on Varnish and its configuration language.
25492 @item @code{listen} (default: @code{'("localhost:80")})
25493 List of addresses Varnish will listen on.
25495 @item @code{storage} (default: @code{'("malloc,128m")})
25496 List of storage backends that will be available in VCL.
25498 @item @code{parameters} (default: @code{'()})
25499 List of run-time parameters in the form @code{'(("parameter" . "value"))}.
25501 @item @code{extra-options} (default: @code{'()})
25502 Additional arguments to pass to the @command{varnishd} process.
25507 @subsubheading Patchwork
25509 Patchwork is a patch tracking system. It can collect patches sent to a
25510 mailing list, and display them in a web interface.
25512 @defvr {Scheme Variable} patchwork-service-type
25513 Service type for Patchwork.
25516 The following example is an example of a minimal service for Patchwork, for
25517 the @code{patchwork.example.com} domain.
25520 (service patchwork-service-type
25521 (patchwork-configuration
25522 (domain "patchwork.example.com")
25524 (patchwork-settings-module
25525 (allowed-hosts (list domain))
25526 (default-from-email "patchwork@@patchwork.example.com")))
25527 (getmail-retriever-config
25528 (getmail-retriever-configuration
25529 (type "SimpleIMAPSSLRetriever")
25530 (server "imap.example.com")
25532 (username "patchwork")
25534 (list (file-append coreutils "/bin/cat")
25535 "/etc/getmail-patchwork-imap-password"))
25537 '((mailboxes . ("Patches"))))))))
25541 There are three records for configuring the Patchwork service. The
25542 @code{<patchwork-configuration>} relates to the configuration for Patchwork
25543 within the HTTPD service.
25545 The @code{settings-module} field within the @code{<patchwork-configuration>}
25546 record can be populated with the @code{<patchwork-settings-module>} record,
25547 which describes a settings module that is generated within the Guix store.
25549 For the @code{database-configuration} field within the
25550 @code{<patchwork-settings-module>}, the
25551 @code{<patchwork-database-configuration>} must be used.
25553 @deftp {Data Type} patchwork-configuration
25554 Data type representing the Patchwork service configuration. This type has the
25555 following parameters:
25558 @item @code{patchwork} (default: @code{patchwork})
25559 The Patchwork package to use.
25561 @item @code{domain}
25562 The domain to use for Patchwork, this is used in the HTTPD service virtual
25565 @item @code{settings-module}
25566 The settings module to use for Patchwork. As a Django application, Patchwork
25567 is configured with a Python module containing the settings. This can either be
25568 an instance of the @code{<patchwork-settings-module>} record, any other record
25569 that represents the settings in the store, or a directory outside of the
25572 @item @code{static-path} (default: @code{"/static/"})
25573 The path under which the HTTPD service should serve the static files.
25575 @item @code{getmail-retriever-config}
25576 The getmail-retriever-configuration record value to use with
25577 Patchwork. Getmail will be configured with this value, the messages will be
25578 delivered to Patchwork.
25583 @deftp {Data Type} patchwork-settings-module
25584 Data type representing a settings module for Patchwork. Some of these
25585 settings relate directly to Patchwork, but others relate to Django, the web
25586 framework used by Patchwork, or the Django Rest Framework library. This type
25587 has the following parameters:
25590 @item @code{database-configuration} (default: @code{(patchwork-database-configuration)})
25591 The database connection settings used for Patchwork. See the
25592 @code{<patchwork-database-configuration>} record type for more information.
25594 @item @code{secret-key-file} (default: @code{"/etc/patchwork/django-secret-key"})
25595 Patchwork, as a Django web application uses a secret key for cryptographically
25596 signing values. This file should contain a unique unpredictable value.
25598 If this file does not exist, it will be created and populated with a random
25599 value by the patchwork-setup shepherd service.
25601 This setting relates to Django.
25603 @item @code{allowed-hosts}
25604 A list of valid hosts for this Patchwork service. This should at least include
25605 the domain specified in the @code{<patchwork-configuration>} record.
25607 This is a Django setting.
25609 @item @code{default-from-email}
25610 The email address from which Patchwork should send email by default.
25612 This is a Patchwork setting.
25614 @item @code{static-url} (default: @code{#f})
25615 The URL to use when serving static assets. It can be part of a URL, or a full
25616 URL, but must end in a @code{/}.
25618 If the default value is used, the @code{static-path} value from the
25619 @code{<patchwork-configuration>} record will be used.
25621 This is a Django setting.
25623 @item @code{admins} (default: @code{'()})
25624 Email addresses to send the details of errors that occur. Each value should
25625 be a list containing two elements, the name and then the email address.
25627 This is a Django setting.
25629 @item @code{debug?} (default: @code{#f})
25630 Whether to run Patchwork in debug mode. If set to @code{#t}, detailed error
25631 messages will be shown.
25633 This is a Django setting.
25635 @item @code{enable-rest-api?} (default: @code{#t})
25636 Whether to enable the Patchwork REST API.
25638 This is a Patchwork setting.
25640 @item @code{enable-xmlrpc?} (default: @code{#t})
25641 Whether to enable the XML RPC API.
25643 This is a Patchwork setting.
25645 @item @code{force-https-links?} (default: @code{#t})
25646 Whether to use HTTPS links on Patchwork pages.
25648 This is a Patchwork setting.
25650 @item @code{extra-settings} (default: @code{""})
25651 Extra code to place at the end of the Patchwork settings module.
25656 @deftp {Data Type} patchwork-database-configuration
25657 Data type representing the database configuration for Patchwork.
25660 @item @code{engine} (default: @code{"django.db.backends.postgresql_psycopg2"})
25661 The database engine to use.
25663 @item @code{name} (default: @code{"patchwork"})
25664 The name of the database to use.
25666 @item @code{user} (default: @code{"httpd"})
25667 The user to connect to the database as.
25669 @item @code{password} (default: @code{""})
25670 The password to use when connecting to the database.
25672 @item @code{host} (default: @code{""})
25673 The host to make the database connection to.
25675 @item @code{port} (default: @code{""})
25676 The port on which to connect to the database.
25681 @subsubheading Mumi
25683 @cindex Mumi, Debbugs Web interface
25684 @cindex Debbugs, Mumi Web interface
25685 @uref{https://git.elephly.net/gitweb.cgi?p=software/mumi.git, Mumi} is a
25686 Web interface to the Debbugs bug tracker, by default for
25687 @uref{https://bugs.gnu.org, the GNU instance}. Mumi is a Web server,
25688 but it also fetches and indexes mail retrieved from Debbugs.
25690 @defvr {Scheme Variable} mumi-service-type
25691 This is the service type for Mumi.
25694 @deftp {Data Type} mumi-configuration
25695 Data type representing the Mumi service configuration. This type has the
25699 @item @code{mumi} (default: @code{mumi})
25700 The Mumi package to use.
25702 @item @code{mailer?} (default: @code{#true})
25703 Whether to enable or disable the mailer component.
25705 @item @code{mumi-configuration-sender}
25706 The email address used as the sender for comments.
25708 @item @code{mumi-configuration-smtp}
25709 A URI to configure the SMTP settings for Mailutils. This could be
25710 something like @code{sendmail:///path/to/bin/msmtp} or any other URI
25711 supported by Mailutils. @xref{SMTP Mailboxes, SMTP Mailboxes,,
25712 mailutils, GNU@tie{}Mailutils}.
25718 @subsubheading FastCGI
25721 FastCGI is an interface between the front-end and the back-end of a web
25722 service. It is a somewhat legacy facility; new web services should
25723 generally just talk HTTP between the front-end and the back-end.
25724 However there are a number of back-end services such as PHP or the
25725 optimized HTTP Git repository access that use FastCGI, so we have
25726 support for it in Guix.
25728 To use FastCGI, you configure the front-end web server (e.g., nginx) to
25729 dispatch some subset of its requests to the fastcgi backend, which
25730 listens on a local TCP or UNIX socket. There is an intermediary
25731 @code{fcgiwrap} program that sits between the actual backend process and
25732 the web server. The front-end indicates which backend program to run,
25733 passing that information to the @code{fcgiwrap} process.
25735 @defvr {Scheme Variable} fcgiwrap-service-type
25736 A service type for the @code{fcgiwrap} FastCGI proxy.
25739 @deftp {Data Type} fcgiwrap-configuration
25740 Data type representing the configuration of the @code{fcgiwrap} service.
25741 This type has the following parameters:
25743 @item @code{package} (default: @code{fcgiwrap})
25744 The fcgiwrap package to use.
25746 @item @code{socket} (default: @code{tcp:127.0.0.1:9000})
25747 The socket on which the @code{fcgiwrap} process should listen, as a
25748 string. Valid @var{socket} values include
25749 @code{unix:@var{/path/to/unix/socket}},
25750 @code{tcp:@var{dot.ted.qu.ad}:@var{port}} and
25751 @code{tcp6:[@var{ipv6_addr}]:port}.
25753 @item @code{user} (default: @code{fcgiwrap})
25754 @itemx @code{group} (default: @code{fcgiwrap})
25755 The user and group names, as strings, under which to run the
25756 @code{fcgiwrap} process. The @code{fastcgi} service will ensure that if
25757 the user asks for the specific user or group names @code{fcgiwrap} that
25758 the corresponding user and/or group is present on the system.
25760 It is possible to configure a FastCGI-backed web service to pass HTTP
25761 authentication information from the front-end to the back-end, and to
25762 allow @code{fcgiwrap} to run the back-end process as a corresponding
25763 local user. To enable this capability on the back-end, run
25764 @code{fcgiwrap} as the @code{root} user and group. Note that this
25765 capability also has to be configured on the front-end as well.
25770 PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation
25771 with some additional features useful for sites of any size.
25773 These features include:
25775 @item Adaptive process spawning
25776 @item Basic statistics (similar to Apache's mod_status)
25777 @item Advanced process management with graceful stop/start
25778 @item Ability to start workers with different uid/gid/chroot/environment
25779 and different php.ini (replaces safe_mode)
25780 @item Stdout & stderr logging
25781 @item Emergency restart in case of accidental opcode cache destruction
25782 @item Accelerated upload support
25783 @item Support for a "slowlog"
25784 @item Enhancements to FastCGI, such as fastcgi_finish_request() -
25785 a special function to finish request & flush all data while continuing to do
25786 something time-consuming (video converting, stats processing, etc.)
25788 ...@: and much more.
25790 @defvr {Scheme Variable} php-fpm-service-type
25791 A Service type for @code{php-fpm}.
25794 @deftp {Data Type} php-fpm-configuration
25795 Data Type for php-fpm service configuration.
25797 @item @code{php} (default: @code{php})
25798 The php package to use.
25799 @item @code{socket} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")})
25800 The address on which to accept FastCGI requests. Valid syntaxes are:
25802 @item @code{"ip.add.re.ss:port"}
25803 Listen on a TCP socket to a specific address on a specific port.
25804 @item @code{"port"}
25805 Listen on a TCP socket to all addresses on a specific port.
25806 @item @code{"/path/to/unix/socket"}
25807 Listen on a unix socket.
25810 @item @code{user} (default: @code{php-fpm})
25811 User who will own the php worker processes.
25812 @item @code{group} (default: @code{php-fpm})
25813 Group of the worker processes.
25814 @item @code{socket-user} (default: @code{php-fpm})
25815 User who can speak to the php-fpm socket.
25816 @item @code{socket-group} (default: @code{nginx})
25817 Group that can speak to the php-fpm socket.
25818 @item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")})
25819 The process id of the php-fpm process is written to this file
25820 once the service has started.
25821 @item @code{log-file} (default: @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.log")})
25822 Log for the php-fpm master process.
25823 @item @code{process-manager} (default: @code{(php-fpm-dynamic-process-manager-configuration)})
25824 Detailed settings for the php-fpm process manager.
25827 @item @code{<php-fpm-dynamic-process-manager-configuration>}
25828 @item @code{<php-fpm-static-process-manager-configuration>}
25829 @item @code{<php-fpm-on-demand-process-manager-configuration>}
25831 @item @code{display-errors} (default @code{#f})
25832 Determines whether php errors and warning should be sent to clients
25833 and displayed in their browsers.
25834 This is useful for local php development, but a security risk for public sites,
25835 as error messages can reveal passwords and personal data.
25836 @item @code{timezone} (default @code{#f})
25837 Specifies @code{php_admin_value[date.timezone]} parameter.
25838 @item @code{workers-logfile} (default @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log")})
25839 This file will log the @code{stderr} outputs of php worker processes.
25840 Can be set to @code{#f} to disable logging.
25841 @item @code{file} (default @code{#f})
25842 An optional override of the whole configuration.
25843 You can use the @code{mixed-text-file} function or an absolute filepath for it.
25844 @item @code{php-ini-file} (default @code{#f})
25845 An optional override of the default php settings.
25846 It may be any ``file-like'' object (@pxref{G-Expressions, file-like objects}).
25847 You can use the @code{mixed-text-file} function or an absolute filepath for it.
25849 For local development it is useful to set a higher timeout and memory
25850 limit for spawned php processes. This be accomplished with the
25851 following operating system configuration snippet:
25853 (define %local-php-ini
25854 (plain-file "php.ini"
25856 max_execution_time = 1800"))
25860 (services (cons (service php-fpm-service-type
25861 (php-fpm-configuration
25862 (php-ini-file %local-php-ini)))
25866 Consult the @url{https://www.php.net/manual/en/ini.core.php,core php.ini
25867 directives} for comprehensive documentation on the acceptable
25868 @file{php.ini} directives.
25872 @deftp {Data type} php-fpm-dynamic-process-manager-configuration
25873 Data Type for the @code{dynamic} php-fpm process manager. With the
25874 @code{dynamic} process manager, spare worker processes are kept around
25875 based on its configured limits.
25877 @item @code{max-children} (default: @code{5})
25878 Maximum of worker processes.
25879 @item @code{start-servers} (default: @code{2})
25880 How many worker processes should be started on start-up.
25881 @item @code{min-spare-servers} (default: @code{1})
25882 How many spare worker processes should be kept around at minimum.
25883 @item @code{max-spare-servers} (default: @code{3})
25884 How many spare worker processes should be kept around at maximum.
25888 @deftp {Data type} php-fpm-static-process-manager-configuration
25889 Data Type for the @code{static} php-fpm process manager. With the
25890 @code{static} process manager, an unchanging number of worker processes
25893 @item @code{max-children} (default: @code{5})
25894 Maximum of worker processes.
25898 @deftp {Data type} php-fpm-on-demand-process-manager-configuration
25899 Data Type for the @code{on-demand} php-fpm process manager. With the
25900 @code{on-demand} process manager, worker processes are only created as
25903 @item @code{max-children} (default: @code{5})
25904 Maximum of worker processes.
25905 @item @code{process-idle-timeout} (default: @code{10})
25906 The time in seconds after which a process with no requests is killed.
25911 @deffn {Scheme Procedure} nginx-php-location @
25912 [#:nginx-package nginx] @
25913 [socket (string-append "/var/run/php" @
25914 (version-major (package-version php)) @
25916 A helper function to quickly add php to an @code{nginx-server-configuration}.
25919 A simple services setup for nginx with php can look like this:
25921 (services (cons* (service dhcp-client-service-type)
25922 (service php-fpm-service-type)
25923 (service nginx-service-type
25924 (nginx-server-configuration
25925 (server-name '("example.com"))
25926 (root "/srv/http/")
25928 (list (nginx-php-location)))
25930 (ssl-certificate #f)
25931 (ssl-certificate-key #f)))
25935 @cindex cat-avatar-generator
25936 The cat avatar generator is a simple service to demonstrate the use of php-fpm
25937 in @code{Nginx}. It is used to generate cat avatar from a seed, for instance
25938 the hash of a user's email address.
25940 @deffn {Scheme Procedure} cat-avatar-generator-service @
25941 [#:cache-dir "/var/cache/cat-avatar-generator"] @
25942 [#:package cat-avatar-generator] @
25943 [#:configuration (nginx-server-configuration)]
25944 Returns an nginx-server-configuration that inherits @code{configuration}. It
25945 extends the nginx configuration to add a server block that serves @code{package},
25946 a version of cat-avatar-generator. During execution, cat-avatar-generator will
25947 be able to use @code{cache-dir} as its cache directory.
25950 A simple setup for cat-avatar-generator can look like this:
25952 (services (cons* (cat-avatar-generator-service
25954 (nginx-server-configuration
25955 (server-name '("example.com"))))
25960 @subsubheading Hpcguix-web
25962 @cindex hpcguix-web
25963 The @uref{https://github.com/UMCUGenetics/hpcguix-web/, hpcguix-web}
25964 program is a customizable web interface to browse Guix packages,
25965 initially designed for users of high-performance computing (HPC)
25968 @defvr {Scheme Variable} hpcguix-web-service-type
25969 The service type for @code{hpcguix-web}.
25972 @deftp {Data Type} hpcguix-web-configuration
25973 Data type for the hpcguix-web service configuration.
25977 A gexp (@pxref{G-Expressions}) specifying the hpcguix-web service
25978 configuration. The main items available in this spec are:
25981 @item @code{title-prefix} (default: @code{"hpcguix | "})
25982 The page title prefix.
25984 @item @code{guix-command} (default: @code{"guix"})
25985 The @command{guix} command.
25987 @item @code{package-filter-proc} (default: @code{(const #t)})
25988 A procedure specifying how to filter packages that are displayed.
25990 @item @code{package-page-extension-proc} (default: @code{(const '())})
25991 Extension package for @code{hpcguix-web}.
25993 @item @code{menu} (default: @code{'()})
25994 Additional entry in page @code{menu}.
25996 @item @code{channels} (default: @code{%default-channels})
25997 List of channels from which the package list is built (@pxref{Channels}).
25999 @item @code{package-list-expiration} (default: @code{(* 12 3600)})
26000 The expiration time, in seconds, after which the package list is rebuilt from
26001 the latest instances of the given channels.
26004 See the hpcguix-web repository for a
26005 @uref{https://github.com/UMCUGenetics/hpcguix-web/blob/master/hpcweb-configuration.scm,
26008 @item @code{package} (default: @code{hpcguix-web})
26009 The hpcguix-web package to use.
26013 A typical hpcguix-web service declaration looks like this:
26016 (service hpcguix-web-service-type
26017 (hpcguix-web-configuration
26019 #~(define site-config
26020 (hpcweb-configuration
26021 (title-prefix "Guix-HPC - ")
26022 (menu '(("/about" "ABOUT"))))))))
26026 The hpcguix-web service periodically updates the package list it publishes by
26027 pulling channels from Git. To that end, it needs to access X.509 certificates
26028 so that it can authenticate Git servers when communicating over HTTPS, and it
26029 assumes that @file{/etc/ssl/certs} contains those certificates.
26031 Thus, make sure to add @code{nss-certs} or another certificate package to the
26032 @code{packages} field of your configuration. @ref{X.509 Certificates}, for
26033 more information on X.509 certificates.
26036 @subsubheading gmnisrv
26039 The @uref{https://git.sr.ht/~sircmpwn/gmnisrv, gmnisrv} program is a
26040 simple @uref{https://gemini.circumlunar.space/, Gemini} protocol server.
26042 @deffn {Scheme Variable} gmnisrv-service-type
26043 This is the type of the gmnisrv service, whose value should be a
26044 @code{gmnisrv-configuration} object, as in this example:
26047 (service gmnisrv-service-type
26048 (gmnisrv-configuration
26049 (config-file (local-file "./my-gmnisrv.ini"))))
26053 @deftp {Data Type} gmnisrv-configuration
26054 Data type representing the configuration of gmnisrv.
26057 @item @code{package} (default: @var{gmnisrv})
26058 Package object of the gmnisrv server.
26060 @item @code{config-file} (default: @code{%default-gmnisrv-config-file})
26061 File-like object of the gmnisrv configuration file to use. The default
26062 configuration listens on port 1965 and serves files from
26063 @file{/srv/gemini}. Certificates are stored in
26064 @file{/var/lib/gemini/certs}. For more information, run @command{man
26065 gmnisrv} and @command{man gmnisrv.ini}.
26070 @subsubheading Agate
26073 The @uref{gemini://qwertqwefsday.eu/agate.gmi, Agate}
26074 (@uref{https://github.com/mbrubeck/agate, GitHub page over HTTPS})
26075 program is a simple @uref{https://gemini.circumlunar.space/, Gemini}
26076 protocol server written in Rust.
26078 @deffn {Scheme Variable} agate-service-type
26079 This is the type of the agate service, whose value should be an
26080 @code{agate-service-type} object, as in this example:
26083 (service agate-service-type
26084 (agate-configuration
26085 (content "/srv/gemini")
26086 (cert "/srv/cert.pem")
26087 (key "/srv/key.rsa")))
26090 The example above represents the minimal tweaking necessary to get Agate
26091 up and running. Specifying the path to the certificate and key is
26092 always necessary, as the Gemini protocol requires TLS by default.
26094 To obtain a certificate and a key, you could, for example, use OpenSSL,
26095 running a command similar to the following example:
26098 openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
26099 -days 3650 -nodes -subj "/CN=example.com"
26102 Of course, you'll have to replace @i{example.com} with your own domain
26103 name, and then point the Agate configuration towards the path of the
26104 generated key and certificate.
26108 @deftp {Data Type} agate-configuration
26109 Data type representing the configuration of Agate.
26112 @item @code{package} (default: @code{agate})
26113 The package object of the Agate server.
26115 @item @code{content} (default: @file{"/srv/gemini"})
26116 The directory from which Agate will serve files.
26118 @item @code{cert} (default: @code{#f})
26119 The path to the TLS certificate PEM file to be used for encrypted
26120 connections. Must be filled in with a value from the user.
26122 @item @code{key} (default: @code{#f})
26123 The path to the PKCS8 private key file to be used for encrypted
26124 connections. Must be filled in with a value from the user.
26126 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
26127 A list of the addresses to listen on.
26129 @item @code{hostname} (default: @code{#f})
26130 The domain name of this Gemini server. Optional.
26132 @item @code{lang} (default: @code{#f})
26133 RFC 4646 language code(s) for text/gemini documents. Optional.
26135 @item @code{silent?} (default: @code{#f})
26136 Set to @code{#t} to disable logging output.
26138 @item @code{serve-secret?} (default: @code{#f})
26139 Set to @code{#t} to serve secret files (files/directories starting with
26142 @item @code{log-ip?} (default: @code{#t})
26143 Whether or not to output IP addresses when logging.
26145 @item @code{user} (default: @code{"agate"})
26146 Owner of the @code{agate} process.
26148 @item @code{group} (default: @code{"agate"})
26149 Owner's group of the @code{agate} process.
26151 @item @code{log-file} (default: @file{"/var/log/agate.log"})
26152 The file which should store the logging output of Agate.
26157 @node Certificate Services
26158 @subsection Certificate Services
26161 @cindex HTTP, HTTPS
26162 @cindex Let's Encrypt
26163 @cindex TLS certificates
26164 The @code{(gnu services certbot)} module provides a service to
26165 automatically obtain a valid TLS certificate from the Let's Encrypt
26166 certificate authority. These certificates can then be used to serve
26167 content securely over HTTPS or other TLS-based protocols, with the
26168 knowledge that the client will be able to verify the server's
26171 @url{https://letsencrypt.org/, Let's Encrypt} provides the
26172 @code{certbot} tool to automate the certification process. This tool
26173 first securely generates a key on the server. It then makes a request
26174 to the Let's Encrypt certificate authority (CA) to sign the key. The CA
26175 checks that the request originates from the host in question by using a
26176 challenge-response protocol, requiring the server to provide its
26177 response over HTTP@. If that protocol completes successfully, the CA
26178 signs the key, resulting in a certificate. That certificate is valid
26179 for a limited period of time, and therefore to continue to provide TLS
26180 services, the server needs to periodically ask the CA to renew its
26183 The certbot service automates this process: the initial key
26184 generation, the initial certification request to the Let's Encrypt
26185 service, the web server challenge/response integration, writing the
26186 certificate to disk, the automated periodic renewals, and the deployment
26187 tasks associated with the renewal (e.g.@: reloading services, copying keys
26188 with different permissions).
26190 Certbot is run twice a day, at a random minute within the hour. It
26191 won't do anything until your certificates are due for renewal or
26192 revoked, but running it regularly would give your service a chance of
26193 staying online in case a Let's Encrypt-initiated revocation happened for
26196 By using this service, you agree to the ACME Subscriber Agreement, which
26197 can be found there:
26198 @url{https://acme-v01.api.letsencrypt.org/directory}.
26200 @defvr {Scheme Variable} certbot-service-type
26201 A service type for the @code{certbot} Let's Encrypt client. Its value
26202 must be a @code{certbot-configuration} record as in this example:
26205 (define %nginx-deploy-hook
26207 "nginx-deploy-hook"
26208 #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
26209 (kill pid SIGHUP))))
26211 (service certbot-service-type
26212 (certbot-configuration
26213 (email "foo@@example.net")
26216 (certificate-configuration
26217 (domains '("example.net" "www.example.net"))
26218 (deploy-hook %nginx-deploy-hook))
26219 (certificate-configuration
26220 (domains '("bar.example.net")))))))
26223 See below for details about @code{certbot-configuration}.
26226 @deftp {Data Type} certbot-configuration
26227 Data type representing the configuration of the @code{certbot} service.
26228 This type has the following parameters:
26231 @item @code{package} (default: @code{certbot})
26232 The certbot package to use.
26234 @item @code{webroot} (default: @code{/var/www})
26235 The directory from which to serve the Let's Encrypt challenge/response
26238 @item @code{certificates} (default: @code{()})
26239 A list of @code{certificates-configuration}s for which to generate
26240 certificates and request signatures. Each certificate has a @code{name}
26241 and several @code{domains}.
26243 @item @code{email} (default: @code{#f})
26244 Optional email address used for registration and recovery contact.
26245 Setting this is encouraged as it allows you to receive important
26246 notifications about the account and issued certificates.
26248 @item @code{server} (default: @code{#f})
26249 Optional URL of ACME server. Setting this overrides certbot's default,
26250 which is the Let's Encrypt server.
26252 @item @code{rsa-key-size} (default: @code{2048})
26253 Size of the RSA key.
26255 @item @code{default-location} (default: @i{see below})
26256 The default @code{nginx-location-configuration}. Because @code{certbot}
26257 needs to be able to serve challenges and responses, it needs to be able
26258 to run a web server. It does so by extending the @code{nginx} web
26259 service with an @code{nginx-server-configuration} listening on the
26260 @var{domains} on port 80, and which has a
26261 @code{nginx-location-configuration} for the @code{/.well-known/} URI
26262 path subspace used by Let's Encrypt. @xref{Web Services}, for more on
26263 these nginx configuration data types.
26265 Requests to other URL paths will be matched by the
26266 @code{default-location}, which if present is added to all
26267 @code{nginx-server-configuration}s.
26269 By default, the @code{default-location} will issue a redirect from
26270 @code{http://@var{domain}/...} to @code{https://@var{domain}/...}, leaving
26271 you to define what to serve on your site via @code{https}.
26273 Pass @code{#f} to not issue a default location.
26277 @deftp {Data Type} certificate-configuration
26278 Data type representing the configuration of a certificate.
26279 This type has the following parameters:
26282 @item @code{name} (default: @i{see below})
26283 This name is used by Certbot for housekeeping and in file paths; it
26284 doesn't affect the content of the certificate itself. To see
26285 certificate names, run @code{certbot certificates}.
26287 Its default is the first provided domain.
26289 @item @code{domains} (default: @code{()})
26290 The first domain provided will be the subject CN of the certificate, and
26291 all domains will be Subject Alternative Names on the certificate.
26293 @item @code{challenge} (default: @code{#f})
26294 The challenge type that has to be run by certbot. If @code{#f} is specified,
26295 default to the HTTP challenge. If a value is specified, defaults to the
26296 manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and
26297 the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
26298 and gives Let's Encrypt permission to log the public IP address of the
26299 requesting machine.
26301 @item @code{csr} (default: @code{#f})
26302 File name of Certificate Signing Request (CSR) in DER or PEM format.
26303 If @code{#f} is specified, this argument will not be passed to certbot.
26304 If a value is specified, certbot will use it to obtain a certificate, instead of
26305 using a self-generated CSR.
26306 The domain-name(s) mentioned in @code{domains}, must be consistent with the
26307 domain-name(s) mentioned in CSR file.
26309 @item @code{authentication-hook} (default: @code{#f})
26310 Command to be run in a shell once for each certificate challenge to be
26311 answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
26312 will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
26313 contains the validation string and @code{$CERTBOT_TOKEN} contains the
26314 file name of the resource requested when performing an HTTP-01 challenge.
26316 @item @code{cleanup-hook} (default: @code{#f})
26317 Command to be run in a shell once for each certificate challenge that
26318 have been answered by the @code{auth-hook}. For this command, the shell
26319 variables available in the @code{auth-hook} script are still available, and
26320 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
26321 of the @code{auth-hook} script.
26323 @item @code{deploy-hook} (default: @code{#f})
26324 Command to be run in a shell once for each successfully issued
26325 certificate. For this command, the shell variable
26326 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
26327 example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
26328 certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
26329 contain a space-delimited list of renewed certificate domains (for
26330 example, @samp{"example.com www.example.com"}.
26335 For each @code{certificate-configuration}, the certificate is saved to
26336 @code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
26337 saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
26339 @subsection DNS Services
26340 @cindex DNS (domain name system)
26341 @cindex domain name system (DNS)
26343 The @code{(gnu services dns)} module provides services related to the
26344 @dfn{domain name system} (DNS). It provides a server service for hosting
26345 an @emph{authoritative} DNS server for multiple zones, slave or master.
26346 This service uses @uref{https://www.knot-dns.cz/, Knot DNS}. And also a
26347 caching and forwarding DNS server for the LAN, which uses
26348 @uref{http://www.thekelleys.org.uk/dnsmasq/doc.html, dnsmasq}.
26350 @subsubheading Knot Service
26352 An example configuration of an authoritative server for two zones, one master
26356 (define-zone-entries example.org.zone
26357 ;; Name TTL Class Type Data
26358 ("@@" "" "IN" "A" "127.0.0.1")
26359 ("@@" "" "IN" "NS" "ns")
26360 ("ns" "" "IN" "A" "127.0.0.1"))
26362 (define master-zone
26363 (knot-zone-configuration
26364 (domain "example.org")
26366 (origin "example.org")
26367 (entries example.org.zone)))))
26370 (knot-zone-configuration
26371 (domain "plop.org")
26372 (dnssec-policy "default")
26373 (master (list "plop-master"))))
26375 (define plop-master
26376 (knot-remote-configuration
26378 (address (list "208.76.58.171"))))
26382 (services (cons* (service knot-service-type
26383 (knot-configuration
26384 (remotes (list plop-master))
26385 (zones (list master-zone slave-zone))))
26390 @deffn {Scheme Variable} knot-service-type
26391 This is the type for the Knot DNS server.
26393 Knot DNS is an authoritative DNS server, meaning that it can serve multiple
26394 zones, that is to say domain names you would buy from a registrar. This server
26395 is not a resolver, meaning that it can only resolve names for which it is
26396 authoritative. This server can be configured to serve zones as a master server
26397 or a slave server as a per-zone basis. Slave zones will get their data from
26398 masters, and will serve it as an authoritative server. From the point of view
26399 of a resolver, there is no difference between master and slave.
26401 The following data types are used to configure the Knot DNS server:
26404 @deftp {Data Type} knot-key-configuration
26405 Data type representing a key.
26406 This type has the following parameters:
26409 @item @code{id} (default: @code{""})
26410 An identifier for other configuration fields to refer to this key. IDs must
26411 be unique and must not be empty.
26413 @item @code{algorithm} (default: @code{#f})
26414 The algorithm to use. Choose between @code{#f}, @code{'hmac-md5},
26415 @code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-sha384}
26416 and @code{'hmac-sha512}.
26418 @item @code{secret} (default: @code{""})
26419 The secret key itself.
26424 @deftp {Data Type} knot-acl-configuration
26425 Data type representing an Access Control List (ACL) configuration.
26426 This type has the following parameters:
26429 @item @code{id} (default: @code{""})
26430 An identifier for other configuration fields to refer to this key. IDs must be
26431 unique and must not be empty.
26433 @item @code{address} (default: @code{'()})
26434 An ordered list of IP addresses, network subnets, or network ranges represented
26435 with strings. The query must match one of them. Empty value means that
26436 address match is not required.
26438 @item @code{key} (default: @code{'()})
26439 An ordered list of references to keys represented with strings. The string
26440 must match a key ID defined in a @code{knot-key-configuration}. No key means
26441 that a key is not require to match that ACL.
26443 @item @code{action} (default: @code{'()})
26444 An ordered list of actions that are permitted or forbidden by this ACL@. Possible
26445 values are lists of zero or more elements from @code{'transfer}, @code{'notify}
26446 and @code{'update}.
26448 @item @code{deny?} (default: @code{#f})
26449 When true, the ACL defines restrictions. Listed actions are forbidden. When
26450 false, listed actions are allowed.
26455 @deftp {Data Type} zone-entry
26456 Data type representing a record entry in a zone file.
26457 This type has the following parameters:
26460 @item @code{name} (default: @code{"@@"})
26461 The name of the record. @code{"@@"} refers to the origin of the zone. Names
26462 are relative to the origin of the zone. For example, in the @code{example.org}
26463 zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.example.org}.
26464 Names ending with a dot are absolute, which means that @code{"ns.example.org."}
26465 refers to @code{ns.example.org}.
26467 @item @code{ttl} (default: @code{""})
26468 The Time-To-Live (TTL) of this record. If not set, the default TTL is used.
26470 @item @code{class} (default: @code{"IN"})
26471 The class of the record. Knot currently supports only @code{"IN"} and
26472 partially @code{"CH"}.
26474 @item @code{type} (default: @code{"A"})
26475 The type of the record. Common types include A (IPv4 address), AAAA (IPv6
26476 address), NS (Name Server) and MX (Mail eXchange). Many other types are
26479 @item @code{data} (default: @code{""})
26480 The data contained in the record. For instance an IP address associated with
26481 an A record, or a domain name associated with an NS record. Remember that
26482 domain names are relative to the origin unless they end with a dot.
26487 @deftp {Data Type} zone-file
26488 Data type representing the content of a zone file.
26489 This type has the following parameters:
26492 @item @code{entries} (default: @code{'()})
26493 The list of entries. The SOA record is taken care of, so you don't need to
26494 put it in the list of entries. This list should probably contain an entry
26495 for your primary authoritative DNS server. Other than using a list of entries
26496 directly, you can use @code{define-zone-entries} to define a object containing
26497 the list of entries more easily, that you can later pass to the @code{entries}
26498 field of the @code{zone-file}.
26500 @item @code{origin} (default: @code{""})
26501 The name of your zone. This parameter cannot be empty.
26503 @item @code{ns} (default: @code{"ns"})
26504 The domain of your primary authoritative DNS server. The name is relative to
26505 the origin, unless it ends with a dot. It is mandatory that this primary
26506 DNS server corresponds to an NS record in the zone and that it is associated
26507 to an IP address in the list of entries.
26509 @item @code{mail} (default: @code{"hostmaster"})
26510 An email address people can contact you at, as the owner of the zone. This
26511 is translated as @code{<mail>@@<origin>}.
26513 @item @code{serial} (default: @code{1})
26514 The serial number of the zone. As this is used to keep track of changes by
26515 both slaves and resolvers, it is mandatory that it @emph{never} decreases.
26516 Always increment it when you make a change in your zone.
26518 @item @code{refresh} (default: @code{(* 2 24 3600)})
26519 The frequency at which slaves will do a zone transfer. This value is a number
26520 of seconds. It can be computed by multiplications or with
26521 @code{(string->duration)}.
26523 @item @code{retry} (default: @code{(* 15 60)})
26524 The period after which a slave will retry to contact its master when it fails
26525 to do so a first time.
26527 @item @code{expiry} (default: @code{(* 14 24 3600)})
26528 Default TTL of records. Existing records are considered correct for at most
26529 this amount of time. After this period, resolvers will invalidate their cache
26530 and check again that it still exists.
26532 @item @code{nx} (default: @code{3600})
26533 Default TTL of inexistent records. This delay is usually short because you want
26534 your new domains to reach everyone quickly.
26539 @deftp {Data Type} knot-remote-configuration
26540 Data type representing a remote configuration.
26541 This type has the following parameters:
26544 @item @code{id} (default: @code{""})
26545 An identifier for other configuration fields to refer to this remote. IDs must
26546 be unique and must not be empty.
26548 @item @code{address} (default: @code{'()})
26549 An ordered list of destination IP addresses. Addresses are tried in sequence.
26550 An optional port can be given with the @@ separator. For instance:
26551 @code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53.
26553 @item @code{via} (default: @code{'()})
26554 An ordered list of source IP addresses. An empty list will have Knot choose
26555 an appropriate source IP@. An optional port can be given with the @@ separator.
26556 The default is to choose at random.
26558 @item @code{key} (default: @code{#f})
26559 A reference to a key, that is a string containing the identifier of a key
26560 defined in a @code{knot-key-configuration} field.
26565 @deftp {Data Type} knot-keystore-configuration
26566 Data type representing a keystore to hold dnssec keys.
26567 This type has the following parameters:
26570 @item @code{id} (default: @code{""})
26571 The id of the keystore. It must not be empty.
26573 @item @code{backend} (default: @code{'pem})
26574 The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}.
26576 @item @code{config} (default: @code{"/var/lib/knot/keys/keys"})
26577 The configuration string of the backend. An example for the PKCS#11 is:
26578 @code{"pkcs11:token=knot;pin-value=1234 /gnu/store/.../lib/pkcs11/libsofthsm2.so"}.
26579 For the pem backend, the string represents a path in the file system.
26584 @deftp {Data Type} knot-policy-configuration
26585 Data type representing a dnssec policy. Knot DNS is able to automatically
26586 sign your zones. It can either generate and manage your keys automatically or
26587 use keys that you generate.
26589 Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that is
26590 used to sign the second, and a Zone Signing Key (ZSK) that is used to sign the
26591 zone. In order to be trusted, the KSK needs to be present in the parent zone
26592 (usually a top-level domain). If your registrar supports dnssec, you will
26593 have to send them your KSK's hash so they can add a DS record in their zone.
26594 This is not automated and need to be done each time you change your KSK.
26596 The policy also defines the lifetime of keys. Usually, ZSK can be changed
26597 easily and use weaker cryptographic functions (they use lower parameters) in
26598 order to sign records quickly, so they are changed often. The KSK however
26599 requires manual interaction with the registrar, so they are changed less often
26600 and use stronger parameters because they sign only one record.
26602 This type has the following parameters:
26605 @item @code{id} (default: @code{""})
26606 The id of the policy. It must not be empty.
26608 @item @code{keystore} (default: @code{"default"})
26609 A reference to a keystore, that is a string containing the identifier of a
26610 keystore defined in a @code{knot-keystore-configuration} field. The
26611 @code{"default"} identifier means the default keystore (a kasp database that
26612 was setup by this service).
26614 @item @code{manual?} (default: @code{#f})
26615 Whether the key management is manual or automatic.
26617 @item @code{single-type-signing?} (default: @code{#f})
26618 When @code{#t}, use the Single-Type Signing Scheme.
26620 @item @code{algorithm} (default: @code{"ecdsap256sha256"})
26621 An algorithm of signing keys and issued signatures.
26623 @item @code{ksk-size} (default: @code{256})
26624 The length of the KSK@. Note that this value is correct for the default
26625 algorithm, but would be unsecure for other algorithms.
26627 @item @code{zsk-size} (default: @code{256})
26628 The length of the ZSK@. Note that this value is correct for the default
26629 algorithm, but would be unsecure for other algorithms.
26631 @item @code{dnskey-ttl} (default: @code{'default})
26632 The TTL value for DNSKEY records added into zone apex. The special
26633 @code{'default} value means same as the zone SOA TTL.
26635 @item @code{zsk-lifetime} (default: @code{(* 30 24 3600)})
26636 The period between ZSK publication and the next rollover initiation.
26638 @item @code{propagation-delay} (default: @code{(* 24 3600)})
26639 An extra delay added for each key rollover step. This value should be high
26640 enough to cover propagation of data from the master server to all slaves.
26642 @item @code{rrsig-lifetime} (default: @code{(* 14 24 3600)})
26643 A validity period of newly issued signatures.
26645 @item @code{rrsig-refresh} (default: @code{(* 7 24 3600)})
26646 A period how long before a signature expiration the signature will be refreshed.
26648 @item @code{nsec3?} (default: @code{#f})
26649 When @code{#t}, NSEC3 will be used instead of NSEC.
26651 @item @code{nsec3-iterations} (default: @code{5})
26652 The number of additional times the hashing is performed.
26654 @item @code{nsec3-salt-length} (default: @code{8})
26655 The length of a salt field in octets, which is appended to the original owner
26656 name before hashing.
26658 @item @code{nsec3-salt-lifetime} (default: @code{(* 30 24 3600)})
26659 The validity period of newly issued salt field.
26664 @deftp {Data Type} knot-zone-configuration
26665 Data type representing a zone served by Knot.
26666 This type has the following parameters:
26669 @item @code{domain} (default: @code{""})
26670 The domain served by this configuration. It must not be empty.
26672 @item @code{file} (default: @code{""})
26673 The file where this zone is saved. This parameter is ignored by master zones.
26674 Empty means default location that depends on the domain name.
26676 @item @code{zone} (default: @code{(zone-file)})
26677 The content of the zone file. This parameter is ignored by slave zones. It
26678 must contain a zone-file record.
26680 @item @code{master} (default: @code{'()})
26681 A list of master remotes. When empty, this zone is a master. When set, this
26682 zone is a slave. This is a list of remotes identifiers.
26684 @item @code{ddns-master} (default: @code{#f})
26685 The main master. When empty, it defaults to the first master in the list of
26688 @item @code{notify} (default: @code{'()})
26689 A list of slave remote identifiers.
26691 @item @code{acl} (default: @code{'()})
26692 A list of acl identifiers.
26694 @item @code{semantic-checks?} (default: @code{#f})
26695 When set, this adds more semantic checks to the zone.
26697 @item @code{disable-any?} (default: @code{#f})
26698 When set, this forbids queries of the ANY type.
26700 @item @code{zonefile-sync} (default: @code{0})
26701 The delay between a modification in memory and on disk. 0 means immediate
26704 @item @code{zonefile-load} (default: @code{#f})
26705 The way the zone file contents are applied during zone load. Possible values
26709 @item @code{#f} for using the default value from Knot,
26710 @item @code{'none} for not using the zone file at all,
26711 @item @code{'difference} for computing the difference between already available
26712 contents and zone contents and applying it to the current zone contents,
26713 @item @code{'difference-no-serial} for the same as @code{'difference}, but
26714 ignoring the SOA serial in the zone file, while the server takes care of it
26716 @item @code{'whole} for loading zone contents from the zone file.
26719 @item @code{journal-content} (default: @code{#f})
26720 The way the journal is used to store zone and its changes. Possible values
26721 are @code{'none} to not use it at all, @code{'changes} to store changes and
26722 @code{'all} to store contents. @code{#f} does not set this option, so the
26723 default value from Knot is used.
26725 @item @code{max-journal-usage} (default: @code{#f})
26726 The maximum size for the journal on disk. @code{#f} does not set this option,
26727 so the default value from Knot is used.
26729 @item @code{max-journal-depth} (default: @code{#f})
26730 The maximum size of the history. @code{#f} does not set this option, so the
26731 default value from Knot is used.
26733 @item @code{max-zone-size} (default: @code{#f})
26734 The maximum size of the zone file. This limit is enforced for incoming
26735 transfer and updates. @code{#f} does not set this option, so the default
26736 value from Knot is used.
26738 @item @code{dnssec-policy} (default: @code{#f})
26739 A reference to a @code{knot-policy-configuration} record, or the special
26740 name @code{"default"}. If the value is @code{#f}, there is no dnssec signing
26743 @item @code{serial-policy} (default: @code{'increment})
26744 A policy between @code{'increment} and @code{'unixtime}.
26749 @deftp {Data Type} knot-configuration
26750 Data type representing the Knot configuration.
26751 This type has the following parameters:
26754 @item @code{knot} (default: @code{knot})
26757 @item @code{run-directory} (default: @code{"/var/run/knot"})
26758 The run directory. This directory will be used for pid file and sockets.
26760 @item @code{includes} (default: @code{'()})
26761 A list of strings or file-like objects denoting other files that must be
26762 included at the top of the configuration file.
26764 @cindex secrets, Knot service
26765 This can be used to manage secrets out-of-band. For example, secret
26766 keys may be stored in an out-of-band file not managed by Guix, and
26767 thus not visible in @file{/gnu/store}---e.g., you could store secret
26768 key configuration in @file{/etc/knot/secrets.conf} and add this file
26769 to the @code{includes} list.
26771 One can generate a secret tsig key (for nsupdate and zone transfers with the
26772 keymgr command from the knot package. Note that the package is not automatically
26773 installed by the service. The following example shows how to generate a new
26777 keymgr -t mysecret > /etc/knot/secrets.conf
26778 chmod 600 /etc/knot/secrets.conf
26781 Also note that the generated key will be named @var{mysecret}, so it is the
26782 name that needs to be used in the @var{key} field of the
26783 @code{knot-acl-configuration} record and in other places that need to refer
26786 It can also be used to add configuration not supported by this interface.
26788 @item @code{listen-v4} (default: @code{"0.0.0.0"})
26789 An ip address on which to listen.
26791 @item @code{listen-v6} (default: @code{"::"})
26792 An ip address on which to listen.
26794 @item @code{listen-port} (default: @code{53})
26795 A port on which to listen.
26797 @item @code{keys} (default: @code{'()})
26798 The list of knot-key-configuration used by this configuration.
26800 @item @code{acls} (default: @code{'()})
26801 The list of knot-acl-configuration used by this configuration.
26803 @item @code{remotes} (default: @code{'()})
26804 The list of knot-remote-configuration used by this configuration.
26806 @item @code{zones} (default: @code{'()})
26807 The list of knot-zone-configuration used by this configuration.
26812 @subsubheading Knot Resolver Service
26814 @deffn {Scheme Variable} knot-resolver-service-type
26815 This is the type of the knot resolver service, whose value should be
26816 an @code{knot-resolver-configuration} object as in this example:
26819 (service knot-resolver-service-type
26820 (knot-resolver-configuration
26821 (kresd-config-file (plain-file "kresd.conf" "
26822 net.listen('192.168.0.1', 5353)
26823 user('knot-resolver', 'knot-resolver')
26824 modules = @{ 'hints > iterate', 'stats', 'predict' @}
26825 cache.size = 100 * MB
26829 For more information, refer its @url{https://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration, manual}.
26832 @deftp {Data Type} knot-resolver-configuration
26833 Data type representing the configuration of knot-resolver.
26836 @item @code{package} (default: @var{knot-resolver})
26837 Package object of the knot DNS resolver.
26839 @item @code{kresd-config-file} (default: %kresd.conf)
26840 File-like object of the kresd configuration file to use, by default it
26841 will listen on @code{127.0.0.1} and @code{::1}.
26843 @item @code{garbage-collection-interval} (default: 1000)
26844 Number of milliseconds for @code{kres-cache-gc} to periodically trim the cache.
26850 @subsubheading Dnsmasq Service
26852 @deffn {Scheme Variable} dnsmasq-service-type
26853 This is the type of the dnsmasq service, whose value should be an
26854 @code{dnsmasq-configuration} object as in this example:
26857 (service dnsmasq-service-type
26858 (dnsmasq-configuration
26860 (servers '("192.168.1.1"))))
26864 @deftp {Data Type} dnsmasq-configuration
26865 Data type representing the configuration of dnsmasq.
26868 @item @code{package} (default: @var{dnsmasq})
26869 Package object of the dnsmasq server.
26871 @item @code{no-hosts?} (default: @code{#f})
26872 When true, don't read the hostnames in /etc/hosts.
26874 @item @code{port} (default: @code{53})
26875 The port to listen on. Setting this to zero completely disables DNS
26876 responses, leaving only DHCP and/or TFTP functions.
26878 @item @code{local-service?} (default: @code{#t})
26879 Accept DNS queries only from hosts whose address is on a local subnet,
26880 ie a subnet for which an interface exists on the server.
26882 @item @code{listen-addresses} (default: @code{'()})
26883 Listen on the given IP addresses.
26885 @item @code{resolv-file} (default: @code{"/etc/resolv.conf"})
26886 The file to read the IP address of the upstream nameservers from.
26888 @item @code{no-resolv?} (default: @code{#f})
26889 When true, don't read @var{resolv-file}.
26891 @item @code{servers} (default: @code{'()})
26892 Specify IP address of upstream servers directly.
26894 @item @code{addresses} (default: @code{'()})
26895 For each entry, specify an IP address to return for any host in the
26896 given domains. Queries in the domains are never forwarded and always
26897 replied to with the specified IP address.
26899 This is useful for redirecting hosts locally, for example:
26902 (service dnsmasq-service-type
26903 (dnsmasq-configuration
26905 '(; Redirect to a local web-server.
26906 "/example.org/127.0.0.1"
26907 ; Redirect subdomain to a specific IP.
26908 "/subdomain.example.org/192.168.1.42"))))
26911 Note that rules in @file{/etc/hosts} take precedence over this.
26913 @item @code{cache-size} (default: @code{150})
26914 Set the size of dnsmasq's cache. Setting the cache size to zero
26917 @item @code{negative-cache?} (default: @code{#t})
26918 When false, disable negative caching.
26920 @item @code{tftp-enable?} (default: @code{#f})
26921 Whether to enable the built-in TFTP server.
26923 @item @code{tftp-no-fail?} (default: @code{#f})
26924 If true, does not fail dnsmasq if the TFTP server could not start up.
26926 @item @code{tftp-single-port?} (default: @code{#f})
26927 Whether to use only one single port for TFTP.
26929 @item @code{tftp-secure?} (default: @code{#f})
26930 If true, only files owned by the user running the dnsmasq process are accessible.
26932 If dnsmasq is being run as root, different rules apply:
26933 @code{tftp-secure?} has no effect, but only files which have the
26934 world-readable bit set are accessible.
26936 @item @code{tftp-max} (default: @code{#f})
26937 If set, sets the maximal number of concurrent connections allowed.
26939 @item @code{tftp-mtu} (default: @code{#f})
26940 If set, sets the MTU for TFTP packets to that value.
26942 @item @code{tftp-no-blocksize?} (default: @code{#f})
26943 If true, stops the TFTP server from negotiating the blocksize with a client.
26945 @item @code{tftp-lowercase?} (default: @code{#f})
26946 Whether to convert all filenames in TFTP requests to lowercase.
26948 @item @code{tftp-port-range} (default: @code{#f})
26949 If set, fixes the dynamical ports (one per client) to the given range
26950 (@code{"<start>,<end>"}).
26952 @item @code{tftp-root} (default: @code{/var/empty,lo})
26953 Look for files to transfer using TFTP relative to the given directory.
26954 When this is set, TFTP paths which include @samp{..} are rejected, to stop clients
26955 getting outside the specified root. Absolute paths (starting with @samp{/}) are
26956 allowed, but they must be within the TFTP-root. If the optional interface
26957 argument is given, the directory is only used for TFTP requests via that
26960 @item @code{tftp-unique-root} (default: @code{#f})
26961 If set, add the IP or hardware address of the TFTP client as a path component
26962 on the end of the TFTP-root. Only valid if a TFTP root is set and the
26963 directory exists. Defaults to adding IP address (in standard dotted-quad
26966 For instance, if @option{--tftp-root} is @samp{/tftp} and client
26967 @samp{1.2.3.4} requests file @file{myfile} then the effective path will
26968 be @file{/tftp/1.2.3.4/myfile} if @file{/tftp/1.2.3.4} exists or
26969 @file{/tftp/myfile} otherwise. When @samp{=mac} is specified it will
26970 append the MAC address instead, using lowercase zero padded digits
26971 separated by dashes, e.g.: @samp{01-02-03-04-aa-bb}. Note that
26972 resolving MAC addresses is only possible if the client is in the local
26973 network or obtained a DHCP lease from dnsmasq.
26978 @subsubheading ddclient Service
26981 The ddclient service described below runs the ddclient daemon, which takes
26982 care of automatically updating DNS entries for service providers such as
26983 @uref{https://dyn.com/dns/, Dyn}.
26985 The following example show instantiates the service with its default
26989 (service ddclient-service-type)
26992 Note that ddclient needs to access credentials that are stored in a
26993 @dfn{secret file}, by default @file{/etc/ddclient/secrets} (see
26994 @code{secret-file} below). You are expected to create this file manually, in
26995 an ``out-of-band'' fashion (you @emph{could} make this file part of the
26996 service configuration, for instance by using @code{plain-file}, but it will be
26997 world-readable @i{via} @file{/gnu/store}). See the examples in the
26998 @file{share/ddclient} directory of the @code{ddclient} package.
27000 @c %start of fragment
27002 Available @code{ddclient-configuration} fields are:
27004 @deftypevr {@code{ddclient-configuration} parameter} package ddclient
27005 The ddclient package.
27009 @deftypevr {@code{ddclient-configuration} parameter} integer daemon
27010 The period after which ddclient will retry to check IP and domain name.
27012 Defaults to @samp{300}.
27016 @deftypevr {@code{ddclient-configuration} parameter} boolean syslog
27017 Use syslog for the output.
27019 Defaults to @samp{#t}.
27023 @deftypevr {@code{ddclient-configuration} parameter} string mail
27026 Defaults to @samp{"root"}.
27030 @deftypevr {@code{ddclient-configuration} parameter} string mail-failure
27031 Mail failed update to user.
27033 Defaults to @samp{"root"}.
27037 @deftypevr {@code{ddclient-configuration} parameter} string pid
27038 The ddclient PID file.
27040 Defaults to @samp{"/var/run/ddclient/ddclient.pid"}.
27044 @deftypevr {@code{ddclient-configuration} parameter} boolean ssl
27045 Enable SSL support.
27047 Defaults to @samp{#t}.
27051 @deftypevr {@code{ddclient-configuration} parameter} string user
27052 Specifies the user name or ID that is used when running ddclient
27055 Defaults to @samp{"ddclient"}.
27059 @deftypevr {@code{ddclient-configuration} parameter} string group
27060 Group of the user who will run the ddclient program.
27062 Defaults to @samp{"ddclient"}.
27066 @deftypevr {@code{ddclient-configuration} parameter} string secret-file
27067 Secret file which will be appended to @file{ddclient.conf} file. This
27068 file contains credentials for use by ddclient. You are expected to
27069 create it manually.
27071 Defaults to @samp{"/etc/ddclient/secrets.conf"}.
27075 @deftypevr {@code{ddclient-configuration} parameter} list extra-options
27076 Extra options will be appended to @file{ddclient.conf} file.
27078 Defaults to @samp{()}.
27083 @c %end of fragment
27087 @subsection VPN Services
27088 @cindex VPN (virtual private network)
27089 @cindex virtual private network (VPN)
27091 The @code{(gnu services vpn)} module provides services related to
27092 @dfn{virtual private networks} (VPNs).
27094 @subsubheading Bitmask
27096 @defvr {Scheme Variable} bitmask-service-type
27097 A service type for the @uref{https://bitmask.net, Bitmask} VPN client. It makes
27098 the client available in the system and loads its polkit policy. Please note that
27099 the client expects an active polkit-agent, which is either run by your
27100 desktop-environment or should be run manually.
27103 @subsubheading OpenVPN
27105 It provides a @emph{client} service for your machine to connect to a
27106 VPN, and a @emph{server} service for your machine to host a VPN@.
27108 @deffn {Scheme Procedure} openvpn-client-service @
27109 [#:config (openvpn-client-configuration)]
27111 Return a service that runs @command{openvpn}, a VPN daemon, as a client.
27114 @deffn {Scheme Procedure} openvpn-server-service @
27115 [#:config (openvpn-server-configuration)]
27117 Return a service that runs @command{openvpn}, a VPN daemon, as a server.
27119 Both can be run simultaneously.
27122 @c %automatically generated documentation
27124 Available @code{openvpn-client-configuration} fields are:
27126 @deftypevr {@code{openvpn-client-configuration} parameter} package openvpn
27127 The OpenVPN package.
27131 @deftypevr {@code{openvpn-client-configuration} parameter} string pid-file
27132 The OpenVPN pid file.
27134 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
27138 @deftypevr {@code{openvpn-client-configuration} parameter} proto proto
27139 The protocol (UDP or TCP) used to open a channel between clients and
27142 Defaults to @samp{udp}.
27146 @deftypevr {@code{openvpn-client-configuration} parameter} dev dev
27147 The device type used to represent the VPN connection.
27149 Defaults to @samp{tun}.
27153 If you do not have some of these files (eg.@: you use a username and
27154 password), you can disable any of the following three fields by setting
27155 it to @code{'disabled}.
27157 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string ca
27158 The certificate authority to check connections against.
27160 Defaults to @samp{"/etc/openvpn/ca.crt"}.
27164 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string cert
27165 The certificate of the machine the daemon is running on. It should be
27166 signed by the authority given in @code{ca}.
27168 Defaults to @samp{"/etc/openvpn/client.crt"}.
27172 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string key
27173 The key of the machine the daemon is running on. It must be the key whose
27174 certificate is @code{cert}.
27176 Defaults to @samp{"/etc/openvpn/client.key"}.
27180 @deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo?
27181 Whether to use the lzo compression algorithm.
27183 Defaults to @samp{#t}.
27187 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key?
27188 Don't re-read key files across SIGUSR1 or --ping-restart.
27190 Defaults to @samp{#t}.
27194 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun?
27195 Don't close and reopen TUN/TAP device or run up/down scripts across
27196 SIGUSR1 or --ping-restart restarts.
27198 Defaults to @samp{#t}.
27202 @deftypevr {@code{openvpn-client-configuration} parameter} boolean fast-io?
27203 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
27204 poll/epoll/select prior to the write operation.
27206 Defaults to @samp{#f}.
27209 @deftypevr {@code{openvpn-client-configuration} parameter} number verbosity
27212 Defaults to @samp{3}.
27216 @deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth
27217 Add an additional layer of HMAC authentication on top of the TLS control
27218 channel to protect against DoS attacks.
27220 Defaults to @samp{#f}.
27224 @deftypevr {@code{openvpn-client-configuration} parameter} maybe-string auth-user-pass
27225 Authenticate with server using username/password. The option is a file
27226 containing username/password on 2 lines. Do not use a file-like object as it
27227 would be added to the store and readable by any user.
27229 Defaults to @samp{'disabled}.
27232 @deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage?
27233 Whether to check the server certificate has server usage extension.
27235 Defaults to @samp{#t}.
27239 @deftypevr {@code{openvpn-client-configuration} parameter} bind bind?
27240 Bind to a specific local port number.
27242 Defaults to @samp{#f}.
27246 @deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry?
27247 Retry resolving server address.
27249 Defaults to @samp{#t}.
27253 @deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote
27254 A list of remote servers to connect to.
27256 Defaults to @samp{()}.
27258 Available @code{openvpn-remote-configuration} fields are:
27260 @deftypevr {@code{openvpn-remote-configuration} parameter} string name
27263 Defaults to @samp{"my-server"}.
27267 @deftypevr {@code{openvpn-remote-configuration} parameter} number port
27268 Port number the server listens to.
27270 Defaults to @samp{1194}.
27275 @c %end of automatic openvpn-client documentation
27277 @c %automatically generated documentation
27279 Available @code{openvpn-server-configuration} fields are:
27281 @deftypevr {@code{openvpn-server-configuration} parameter} package openvpn
27282 The OpenVPN package.
27286 @deftypevr {@code{openvpn-server-configuration} parameter} string pid-file
27287 The OpenVPN pid file.
27289 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
27293 @deftypevr {@code{openvpn-server-configuration} parameter} proto proto
27294 The protocol (UDP or TCP) used to open a channel between clients and
27297 Defaults to @samp{udp}.
27301 @deftypevr {@code{openvpn-server-configuration} parameter} dev dev
27302 The device type used to represent the VPN connection.
27304 Defaults to @samp{tun}.
27308 If you do not have some of these files (eg.@: you use a username and
27309 password), you can disable any of the following three fields by setting
27310 it to @code{'disabled}.
27312 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string ca
27313 The certificate authority to check connections against.
27315 Defaults to @samp{"/etc/openvpn/ca.crt"}.
27319 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string cert
27320 The certificate of the machine the daemon is running on. It should be
27321 signed by the authority given in @code{ca}.
27323 Defaults to @samp{"/etc/openvpn/client.crt"}.
27327 @deftypevr {@code{openvpn-server-configuration} parameter} maybe-string key
27328 The key of the machine the daemon is running on. It must be the key whose
27329 certificate is @code{cert}.
27331 Defaults to @samp{"/etc/openvpn/client.key"}.
27335 @deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo?
27336 Whether to use the lzo compression algorithm.
27338 Defaults to @samp{#t}.
27342 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key?
27343 Don't re-read key files across SIGUSR1 or --ping-restart.
27345 Defaults to @samp{#t}.
27349 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun?
27350 Don't close and reopen TUN/TAP device or run up/down scripts across
27351 SIGUSR1 or --ping-restart restarts.
27353 Defaults to @samp{#t}.
27357 @deftypevr {@code{openvpn-server-configuration} parameter} boolean fast-io?
27358 (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
27359 poll/epoll/select prior to the write operation.
27361 Defaults to @samp{#f}.
27364 @deftypevr {@code{openvpn-server-configuration} parameter} number verbosity
27367 Defaults to @samp{3}.
27371 @deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth
27372 Add an additional layer of HMAC authentication on top of the TLS control
27373 channel to protect against DoS attacks.
27375 Defaults to @samp{#f}.
27379 @deftypevr {@code{openvpn-server-configuration} parameter} number port
27380 Specifies the port number on which the server listens.
27382 Defaults to @samp{1194}.
27386 @deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server
27387 An ip and mask specifying the subnet inside the virtual network.
27389 Defaults to @samp{"10.8.0.0 255.255.255.0"}.
27393 @deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6
27394 A CIDR notation specifying the IPv6 subnet inside the virtual network.
27396 Defaults to @samp{#f}.
27400 @deftypevr {@code{openvpn-server-configuration} parameter} string dh
27401 The Diffie-Hellman parameters file.
27403 Defaults to @samp{"/etc/openvpn/dh2048.pem"}.
27407 @deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist
27408 The file that records client IPs.
27410 Defaults to @samp{"/etc/openvpn/ipp.txt"}.
27414 @deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway?
27415 When true, the server will act as a gateway for its clients.
27417 Defaults to @samp{#f}.
27421 @deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client?
27422 When true, clients are allowed to talk to each other inside the VPN.
27424 Defaults to @samp{#f}.
27428 @deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive
27429 Causes ping-like messages to be sent back and forth over the link so
27430 that each side knows when the other side has gone down. @code{keepalive}
27431 requires a pair. The first element is the period of the ping sending,
27432 and the second element is the timeout before considering the other side
27437 @deftypevr {@code{openvpn-server-configuration} parameter} number max-clients
27438 The maximum number of clients.
27440 Defaults to @samp{100}.
27444 @deftypevr {@code{openvpn-server-configuration} parameter} string status
27445 The status file. This file shows a small report on current connection.
27446 It is truncated and rewritten every minute.
27448 Defaults to @samp{"/var/run/openvpn/status"}.
27452 @deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir
27453 The list of configuration for some clients.
27455 Defaults to @samp{()}.
27457 Available @code{openvpn-ccd-configuration} fields are:
27459 @deftypevr {@code{openvpn-ccd-configuration} parameter} string name
27462 Defaults to @samp{"client"}.
27466 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute
27469 Defaults to @samp{#f}.
27473 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push
27476 Defaults to @samp{#f}.
27482 @c %end of automatic openvpn-server documentation
27484 @subheading strongSwan
27486 Currently, the strongSwan service only provides legacy-style configuration with
27487 @file{ipsec.conf} and @file{ipsec.secrets} files.
27489 @defvr {Scheme Variable} strongswan-service-type
27490 A service type for configuring strongSwan for IPsec @acronym{VPN,
27491 Virtual Private Networking}. Its value must be a
27492 @code{strongswan-configuration} record as in this example:
27495 (service strongswan-service-type
27496 (strongswan-configuration
27497 (ipsec-conf "/etc/ipsec.conf")
27498 (ipsec-secrets "/etc/ipsec.secrets")))
27503 @deftp {Data Type} strongswan-configuration
27504 Data type representing the configuration of the StrongSwan service.
27507 @item @code{strongswan}
27508 The strongSwan package to use for this service.
27510 @item @code{ipsec-conf} (default: @code{#f})
27511 The file name of your @file{ipsec.conf}. If not @code{#f}, then this and
27512 @code{ipsec-secrets} must both be strings.
27514 @item @code{ipsec-secrets} (default @code{#f})
27515 The file name of your @file{ipsec.secrets}. If not @code{#f}, then this and
27516 @code{ipsec-conf} must both be strings.
27521 @subsubheading Wireguard
27523 @defvr {Scheme Variable} wireguard-service-type
27524 A service type for a Wireguard tunnel interface. Its value must be a
27525 @code{wireguard-configuration} record as in this example:
27528 (service wireguard-service-type
27529 (wireguard-configuration
27534 (endpoint "my.wireguard.com:51820")
27535 (public-key "hzpKg9X1yqu1axN6iJp0mWf6BZGo8m1wteKwtTmDGF4=")
27536 (allowed-ips '("10.0.0.2/32")))))))
27541 @deftp {Data Type} wireguard-configuration
27542 Data type representing the configuration of the Wireguard service.
27545 @item @code{wireguard}
27546 The wireguard package to use for this service.
27548 @item @code{interface} (default: @code{"wg0"})
27549 The interface name for the VPN.
27551 @item @code{addresses} (default: @code{'("10.0.0.1/32")})
27552 The IP addresses to be assigned to the above interface.
27554 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
27555 The private key file for the interface. It is automatically generated if
27556 the file does not exist.
27558 @item @code{peers} (default: @code{'()})
27559 The authorized peers on this interface. This is a list of
27560 @var{wireguard-peer} records.
27565 @deftp {Data Type} wireguard-peer
27566 Data type representing a Wireguard peer attached to a given interface.
27572 @item @code{endpoint} (default: @code{#f})
27573 The optional endpoint for the peer, such as
27574 @code{"demo.wireguard.com:51820"}.
27576 @item @code{public-key}
27577 The peer public-key represented as a base64 string.
27579 @item @code{allowed-ips}
27580 A list of IP addresses from which incoming traffic for this peer is
27581 allowed and to which incoming traffic for this peer is directed.
27583 @item @code{keep-alive} (default: @code{#f})
27584 An optional time interval in seconds. A packet will be sent to the
27585 server endpoint once per time interval. This helps receiving
27586 incoming connections from this peer when you are behind a NAT or
27592 @node Network File System
27593 @subsection Network File System
27596 The @code{(gnu services nfs)} module provides the following services,
27597 which are most commonly used in relation to mounting or exporting
27598 directory trees as @dfn{network file systems} (NFS).
27600 While it is possible to use the individual components that together make
27601 up a Network File System service, we recommended to configure an NFS
27602 server with the @code{nfs-service-type}.
27604 @subsubheading NFS Service
27605 @cindex NFS, server
27607 The NFS service takes care of setting up all NFS component services,
27608 kernel configuration file systems, and installs configuration files in
27609 the locations that NFS expects.
27611 @defvr {Scheme Variable} nfs-service-type
27612 A service type for a complete NFS server.
27615 @deftp {Data Type} nfs-configuration
27616 This data type represents the configuration of the NFS service and all
27619 It has the following parameters:
27621 @item @code{nfs-utils} (default: @code{nfs-utils})
27622 The nfs-utils package to use.
27624 @item @code{nfs-versions} (default: @code{'("4.2" "4.1" "4.0")})
27625 If a list of string values is provided, the @command{rpc.nfsd} daemon
27626 will be limited to supporting the given versions of the NFS protocol.
27628 @item @code{exports} (default: @code{'()})
27629 This is a list of directories the NFS server should export. Each entry
27630 is a list consisting of two elements: a directory name and a string
27631 containing all options. This is an example in which the directory
27632 @file{/export} is served to all NFS clients as a read-only share:
27638 "*(ro,insecure,no_subtree_check,crossmnt,fsid=0)"))))
27641 @item @code{rpcmountd-port} (default: @code{#f})
27642 The network port that the @command{rpc.mountd} daemon should use.
27644 @item @code{rpcstatd-port} (default: @code{#f})
27645 The network port that the @command{rpc.statd} daemon should use.
27647 @item @code{rpcbind} (default: @code{rpcbind})
27648 The rpcbind package to use.
27650 @item @code{idmap-domain} (default: @code{"localdomain"})
27651 The local NFSv4 domain name.
27653 @item @code{nfsd-port} (default: @code{2049})
27654 The network port that the @command{nfsd} daemon should use.
27656 @item @code{nfsd-threads} (default: @code{8})
27657 The number of threads used by the @command{nfsd} daemon.
27659 @item @code{nfsd-tcp?} (default: @code{#t})
27660 Whether the @command{nfsd} daemon should listen on a TCP socket.
27662 @item @code{nfsd-udp?} (default: @code{#f})
27663 Whether the @command{nfsd} daemon should listen on a UDP socket.
27665 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27666 The directory where the pipefs file system is mounted.
27668 @item @code{debug} (default: @code{'()"})
27669 A list of subsystems for which debugging output should be enabled. This
27670 is a list of symbols. Any of these symbols are valid: @code{nfsd},
27671 @code{nfs}, @code{rpc}, @code{idmap}, @code{statd}, or @code{mountd}.
27675 If you don't need a complete NFS service or prefer to build it yourself
27676 you can use the individual component services that are documented below.
27678 @subsubheading RPC Bind Service
27681 The RPC Bind service provides a facility to map program numbers into
27682 universal addresses.
27683 Many NFS related services use this facility. Hence it is automatically
27684 started when a dependent service starts.
27686 @defvr {Scheme Variable} rpcbind-service-type
27687 A service type for the RPC portmapper daemon.
27691 @deftp {Data Type} rpcbind-configuration
27692 Data type representing the configuration of the RPC Bind Service.
27693 This type has the following parameters:
27695 @item @code{rpcbind} (default: @code{rpcbind})
27696 The rpcbind package to use.
27698 @item @code{warm-start?} (default: @code{#t})
27699 If this parameter is @code{#t}, then the daemon will read a
27700 state file on startup thus reloading state information saved by a previous
27706 @subsubheading Pipefs Pseudo File System
27710 The pipefs file system is used to transfer NFS related data
27711 between the kernel and user space programs.
27713 @defvr {Scheme Variable} pipefs-service-type
27714 A service type for the pipefs pseudo file system.
27717 @deftp {Data Type} pipefs-configuration
27718 Data type representing the configuration of the pipefs pseudo file system service.
27719 This type has the following parameters:
27721 @item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27722 The directory to which the file system is to be attached.
27727 @subsubheading GSS Daemon Service
27730 @cindex global security system
27732 The @dfn{global security system} (GSS) daemon provides strong security for RPC
27734 Before exchanging RPC requests an RPC client must establish a security
27735 context. Typically this is done using the Kerberos command @command{kinit}
27736 or automatically at login time using PAM services (@pxref{Kerberos Services}).
27738 @defvr {Scheme Variable} gss-service-type
27739 A service type for the Global Security System (GSS) daemon.
27742 @deftp {Data Type} gss-configuration
27743 Data type representing the configuration of the GSS daemon service.
27744 This type has the following parameters:
27746 @item @code{nfs-utils} (default: @code{nfs-utils})
27747 The package in which the @command{rpc.gssd} command is to be found.
27749 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27750 The directory where the pipefs file system is mounted.
27756 @subsubheading IDMAP Daemon Service
27758 @cindex name mapper
27760 The idmap daemon service provides mapping between user IDs and user names.
27761 Typically it is required in order to access file systems mounted via NFSv4.
27763 @defvr {Scheme Variable} idmap-service-type
27764 A service type for the Identity Mapper (IDMAP) daemon.
27767 @deftp {Data Type} idmap-configuration
27768 Data type representing the configuration of the IDMAP daemon service.
27769 This type has the following parameters:
27771 @item @code{nfs-utils} (default: @code{nfs-utils})
27772 The package in which the @command{rpc.idmapd} command is to be found.
27774 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
27775 The directory where the pipefs file system is mounted.
27777 @item @code{domain} (default: @code{#f})
27778 The local NFSv4 domain name.
27779 This must be a string or @code{#f}.
27780 If it is @code{#f} then the daemon will use the host's fully qualified domain name.
27782 @item @code{verbosity} (default: @code{0})
27783 The verbosity level of the daemon.
27788 @node Continuous Integration
27789 @subsection Continuous Integration
27791 @cindex continuous integration
27792 @uref{https://guix.gnu.org/cuirass/, Cuirass} is a continuous
27793 integration tool for Guix. It can be used both for development and for
27794 providing substitutes to others (@pxref{Substitutes}).
27796 The @code{(gnu services cuirass)} module provides the following service.
27798 @defvr {Scheme Procedure} cuirass-service-type
27799 The type of the Cuirass service. Its value must be a
27800 @code{cuirass-configuration} object, as described below.
27803 To add build jobs, you have to set the @code{specifications} field of
27804 the configuration. For instance, the following example will build all
27805 the packages provided by the @code{my-channel} channel.
27808 (define %cuirass-specs
27809 #~(list (specification
27810 (name "my-channel")
27811 (build '(channels my-channel))
27815 (url "https://my-channel.git"))
27816 %default-channels)))))
27818 (service cuirass-service-type
27819 (cuirass-configuration
27820 (specifications %cuirass-specs)))
27823 To build the @code{linux-libre} package defined by the default Guix
27824 channel, one can use the following configuration.
27827 (define %cuirass-specs
27828 #~(list (specification
27830 (build '(packages "linux-libre")))))
27832 (service cuirass-service-type
27833 (cuirass-configuration
27834 (specifications %cuirass-specs)))
27837 The other configuration possibilities, as well as the specification
27838 record itself are described in the Cuirass manual
27839 (@pxref{Specifications,,, cuirass, Cuirass}).
27841 While information related to build jobs is located directly in the
27842 specifications, global settings for the @command{cuirass} process are
27843 accessible in other @code{cuirass-configuration} fields.
27845 @deftp {Data Type} cuirass-configuration
27846 Data type representing the configuration of Cuirass.
27849 @item @code{cuirass} (default: @code{cuirass})
27850 The Cuirass package to use.
27852 @item @code{log-file} (default: @code{"/var/log/cuirass.log"})
27853 Location of the log file.
27855 @item @code{web-log-file} (default: @code{"/var/log/cuirass-web.log"})
27856 Location of the log file used by the web interface.
27858 @item @code{cache-directory} (default: @code{"/var/cache/cuirass"})
27859 Location of the repository cache.
27861 @item @code{user} (default: @code{"cuirass"})
27862 Owner of the @code{cuirass} process.
27864 @item @code{group} (default: @code{"cuirass"})
27865 Owner's group of the @code{cuirass} process.
27867 @item @code{interval} (default: @code{60})
27868 Number of seconds between the poll of the repositories followed by the
27871 @item @code{parameters} (default: @code{#f})
27872 Read parameters from the given @var{parameters} file. The supported
27873 parameters are described here (@pxref{Parameters,,, cuirass, Cuirass}).
27875 @item @code{remote-server} (default: @code{#f})
27876 A @code{cuirass-remote-server-configuration} record to use the build
27877 remote mechanism or @code{#f} to use the default build mechanism.
27879 @item @code{database} (default: @code{"dbname=cuirass host=/var/run/postgresql"})
27880 Use @var{database} as the database containing the jobs and the past
27881 build results. Since Cuirass uses PostgreSQL as a database engine,
27882 @var{database} must be a string such as @code{"dbname=cuirass
27885 @item @code{port} (default: @code{8081})
27886 Port number used by the HTTP server.
27888 @item @code{host} (default: @code{"localhost"})
27889 Listen on the network interface for @var{host}. The default is to
27890 accept connections from localhost.
27892 @item @code{specifications} (default: @code{#~'()})
27893 A gexp (@pxref{G-Expressions}) that evaluates to a list of
27894 specifications records. The specification record is described in the
27895 Cuirass manual (@pxref{Specifications,,, cuirass, Cuirass}).
27897 @item @code{use-substitutes?} (default: @code{#f})
27898 This allows using substitutes to avoid building every dependencies of a job
27901 @item @code{one-shot?} (default: @code{#f})
27902 Only evaluate specifications and build derivations once.
27904 @item @code{fallback?} (default: @code{#f})
27905 When substituting a pre-built binary fails, fall back to building
27908 @item @code{extra-options} (default: @code{'()})
27909 Extra options to pass when running the Cuirass processes.
27914 @cindex remote build
27915 @subsubheading Cuirass remote building
27917 Cuirass supports two mechanisms to build derivations.
27920 @item Using the local Guix daemon.
27921 This is the default build mechanism. Once the build jobs are
27922 evaluated, they are sent to the local Guix daemon. Cuirass then
27923 listens to the Guix daemon output to detect the various build events.
27925 @item Using the remote build mechanism.
27926 The build jobs are not submitted to the local Guix daemon. Instead, a
27927 remote server dispatches build requests to the connect remote workers,
27928 according to the build priorities.
27932 To enable this build mode a @code{cuirass-remote-server-configuration}
27933 record must be passed as @code{remote-server} argument of the
27934 @code{cuirass-configuration} record. The
27935 @code{cuirass-remote-server-configuration} record is described below.
27937 This build mode scales way better than the default build mode. This is
27938 the build mode that is used on the GNU Guix build farm at
27939 @url{https://ci.guix.gnu.org}. It should be preferred when using
27940 Cuirass to build large amount of packages.
27942 @deftp {Data Type} cuirass-remote-server-configuration
27943 Data type representing the configuration of the Cuirass remote-server.
27946 @item @code{backend-port} (default: @code{5555})
27947 The TCP port for communicating with @code{remote-worker} processes
27948 using ZMQ. It defaults to @code{5555}.
27950 @item @code{log-port} (default: @code{5556})
27951 The TCP port of the log server. It defaults to @code{5556}.
27953 @item @code{publish-port} (default: @code{5557})
27954 The TCP port of the publish server. It defaults to @code{5557}.
27956 @item @code{log-file} (default: @code{"/var/log/cuirass-remote-server.log"})
27957 Location of the log file.
27959 @item @code{cache} (default: @code{"/var/cache/cuirass/remote"})
27960 Use @var{cache} directory to cache build log files.
27962 @item @code{trigger-url} (default: @code{#f})
27963 Once a substitute is successfully fetched, trigger substitute baking at
27966 @item @code{publish?} (default: @code{#t})
27967 If set to false, do not start a publish server and ignore the
27968 @code{publish-port} argument. This can be useful if there is already a
27969 standalone publish server standing next to the remote server.
27971 @item @code{public-key}
27972 @item @code{private-key}
27973 Use the specific @var{file}s as the public/private key pair used to sign
27974 the store items being published.
27979 At least one remote worker must also be started on any machine of the
27980 local network to actually perform the builds and report their status.
27982 @deftp {Data Type} cuirass-remote-worker-configuration
27983 Data type representing the configuration of the Cuirass remote-worker.
27986 @item @code{cuirass} (default: @code{cuirass})
27987 The Cuirass package to use.
27989 @item @code{workers} (default: @code{1})
27990 Start @var{workers} parallel workers.
27992 @item @code{server} (default: @code{#f})
27993 Do not use Avahi discovery and connect to the given @code{server} IP
27996 @item @code{systems} (default: @code{(list (%current-system))})
27997 Only request builds for the given @var{systems}.
27999 @item @code{log-file} (default: @code{"/var/log/cuirass-remote-worker.log"})
28000 Location of the log file.
28002 @item @code{publish-port} (default: @code{5558})
28003 The TCP port of the publish server. It defaults to @code{5558}.
28005 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
28006 The list of URLs where to look for substitutes by default.
28008 @item @code{public-key}
28009 @item @code{private-key}
28010 Use the specific @var{file}s as the public/private key pair used to sign
28011 the store items being published.
28016 @subsubheading Laminar
28018 @uref{https://laminar.ohwg.net/, Laminar} is a lightweight and modular
28019 Continuous Integration service. It doesn't have a configuration web UI
28020 instead uses version-controllable configuration files and scripts.
28022 Laminar encourages the use of existing tools such as bash and cron
28023 instead of reinventing them.
28025 @defvr {Scheme Procedure} laminar-service-type
28026 The type of the Laminar service. Its value must be a
28027 @code{laminar-configuration} object, as described below.
28029 All configuration values have defaults, a minimal configuration to get
28030 Laminar running is shown below. By default, the web interface is
28031 available on port 8080.
28034 (service laminar-service-type)
28038 @deftp {Data Type} laminar-configuration
28039 Data type representing the configuration of Laminar.
28042 @item @code{laminar} (default: @code{laminar})
28043 The Laminar package to use.
28045 @item @code{home-directory} (default: @code{"/var/lib/laminar"})
28046 The directory for job configurations and run directories.
28048 @item @code{bind-http} (default: @code{"*:8080"})
28049 The interface/port or unix socket on which laminard should listen for
28050 incoming connections to the web frontend.
28052 @item @code{bind-rpc} (default: @code{"unix-abstract:laminar"})
28053 The interface/port or unix socket on which laminard should listen for
28054 incoming commands such as build triggers.
28056 @item @code{title} (default: @code{"Laminar"})
28057 The page title to show in the web frontend.
28059 @item @code{keep-rundirs} (default: @code{0})
28060 Set to an integer defining how many rundirs to keep per job. The
28061 lowest-numbered ones will be deleted. The default is 0, meaning all run
28062 dirs will be immediately deleted.
28064 @item @code{archive-url} (default: @code{#f})
28065 The web frontend served by laminard will use this URL to form links to
28066 artefacts archived jobs.
28068 @item @code{base-url} (default: @code{#f})
28069 Base URL to use for links to laminar itself.
28074 @node Power Management Services
28075 @subsection Power Management Services
28078 @cindex power management with TLP
28079 @subsubheading TLP daemon
28081 The @code{(gnu services pm)} module provides a Guix service definition
28082 for the Linux power management tool TLP.
28084 TLP enables various powersaving modes in userspace and kernel.
28085 Contrary to @code{upower-service}, it is not a passive,
28086 monitoring tool, as it will apply custom settings each time a new power
28087 source is detected. More information can be found at
28088 @uref{https://linrunner.de/en/tlp/tlp.html, TLP home page}.
28090 @deffn {Scheme Variable} tlp-service-type
28091 The service type for the TLP tool. The default settings are optimised
28092 for battery life on most systems, but you can tweak them to your heart's
28093 content by adding a valid @code{tlp-configuration}:
28095 (service tlp-service-type
28097 (cpu-scaling-governor-on-ac (list "performance"))
28098 (sched-powersave-on-bat? #t)))
28102 Each parameter definition is preceded by its type; for example,
28103 @samp{boolean foo} indicates that the @code{foo} parameter
28104 should be specified as a boolean. Types starting with
28105 @code{maybe-} denote parameters that won't show up in TLP config file
28106 when their value is @code{'disabled}.
28108 @c The following documentation was initially generated by
28109 @c (generate-tlp-documentation) in (gnu services pm). Manually maintained
28110 @c documentation is better, so we shouldn't hesitate to edit below as
28111 @c needed. However if the change you want to make to this documentation
28112 @c can be done in an automated way, it's probably easier to change
28113 @c (generate-documentation) than to make it below and have to deal with
28114 @c the churn as TLP updates.
28116 Available @code{tlp-configuration} fields are:
28118 @deftypevr {@code{tlp-configuration} parameter} package tlp
28123 @deftypevr {@code{tlp-configuration} parameter} boolean tlp-enable?
28124 Set to true if you wish to enable TLP.
28126 Defaults to @samp{#t}.
28130 @deftypevr {@code{tlp-configuration} parameter} string tlp-default-mode
28131 Default mode when no power supply can be detected. Alternatives are AC
28134 Defaults to @samp{"AC"}.
28138 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-ac
28139 Number of seconds Linux kernel has to wait after the disk goes idle,
28140 before syncing on AC.
28142 Defaults to @samp{0}.
28146 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-bat
28147 Same as @code{disk-idle-ac} but on BAT mode.
28149 Defaults to @samp{2}.
28153 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-ac
28154 Dirty pages flushing periodicity, expressed in seconds.
28156 Defaults to @samp{15}.
28160 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-bat
28161 Same as @code{max-lost-work-secs-on-ac} but on BAT mode.
28163 Defaults to @samp{60}.
28167 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-ac
28168 CPU frequency scaling governor on AC mode. With intel_pstate driver,
28169 alternatives are powersave and performance. With acpi-cpufreq driver,
28170 alternatives are ondemand, powersave, performance and conservative.
28172 Defaults to @samp{disabled}.
28176 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-bat
28177 Same as @code{cpu-scaling-governor-on-ac} but on BAT mode.
28179 Defaults to @samp{disabled}.
28183 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-ac
28184 Set the min available frequency for the scaling governor on AC.
28186 Defaults to @samp{disabled}.
28190 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-ac
28191 Set the max available frequency for the scaling governor on AC.
28193 Defaults to @samp{disabled}.
28197 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-bat
28198 Set the min available frequency for the scaling governor on BAT.
28200 Defaults to @samp{disabled}.
28204 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-bat
28205 Set the max available frequency for the scaling governor on BAT.
28207 Defaults to @samp{disabled}.
28211 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-ac
28212 Limit the min P-state to control the power dissipation of the CPU, in AC
28213 mode. Values are stated as a percentage of the available performance.
28215 Defaults to @samp{disabled}.
28219 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-ac
28220 Limit the max P-state to control the power dissipation of the CPU, in AC
28221 mode. Values are stated as a percentage of the available performance.
28223 Defaults to @samp{disabled}.
28227 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-bat
28228 Same as @code{cpu-min-perf-on-ac} on BAT mode.
28230 Defaults to @samp{disabled}.
28234 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-bat
28235 Same as @code{cpu-max-perf-on-ac} on BAT mode.
28237 Defaults to @samp{disabled}.
28241 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-ac?
28242 Enable CPU turbo boost feature on AC mode.
28244 Defaults to @samp{disabled}.
28248 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-bat?
28249 Same as @code{cpu-boost-on-ac?} on BAT mode.
28251 Defaults to @samp{disabled}.
28255 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-ac?
28256 Allow Linux kernel to minimize the number of CPU cores/hyper-threads
28257 used under light load conditions.
28259 Defaults to @samp{#f}.
28263 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-bat?
28264 Same as @code{sched-powersave-on-ac?} but on BAT mode.
28266 Defaults to @samp{#t}.
28270 @deftypevr {@code{tlp-configuration} parameter} boolean nmi-watchdog?
28271 Enable Linux kernel NMI watchdog.
28273 Defaults to @samp{#f}.
28277 @deftypevr {@code{tlp-configuration} parameter} maybe-string phc-controls
28278 For Linux kernels with PHC patch applied, change CPU voltages. An
28279 example value would be @samp{"F:V F:V F:V F:V"}.
28281 Defaults to @samp{disabled}.
28285 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-ac
28286 Set CPU performance versus energy saving policy on AC@. Alternatives are
28287 performance, normal, powersave.
28289 Defaults to @samp{"performance"}.
28293 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-bat
28294 Same as @code{energy-perf-policy-ac} but on BAT mode.
28296 Defaults to @samp{"powersave"}.
28300 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disks-devices
28305 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-ac
28306 Hard disk advanced power management level.
28310 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-bat
28311 Same as @code{disk-apm-bat} but on BAT mode.
28315 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-ac
28316 Hard disk spin down timeout. One value has to be specified for each
28317 declared hard disk.
28319 Defaults to @samp{disabled}.
28323 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-bat
28324 Same as @code{disk-spindown-timeout-on-ac} but on BAT mode.
28326 Defaults to @samp{disabled}.
28330 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-iosched
28331 Select IO scheduler for disk devices. One value has to be specified for
28332 each declared hard disk. Example alternatives are cfq, deadline and
28335 Defaults to @samp{disabled}.
28339 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-ac
28340 SATA aggressive link power management (ALPM) level. Alternatives are
28341 min_power, medium_power, max_performance.
28343 Defaults to @samp{"max_performance"}.
28347 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-bat
28348 Same as @code{sata-linkpwr-ac} but on BAT mode.
28350 Defaults to @samp{"min_power"}.
28354 @deftypevr {@code{tlp-configuration} parameter} maybe-string sata-linkpwr-blacklist
28355 Exclude specified SATA host devices for link power management.
28357 Defaults to @samp{disabled}.
28361 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-ac?
28362 Enable Runtime Power Management for AHCI controller and disks on AC
28365 Defaults to @samp{disabled}.
28369 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-bat?
28370 Same as @code{ahci-runtime-pm-on-ac} on BAT mode.
28372 Defaults to @samp{disabled}.
28376 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer ahci-runtime-pm-timeout
28377 Seconds of inactivity before disk is suspended.
28379 Defaults to @samp{15}.
28383 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-ac
28384 PCI Express Active State Power Management level. Alternatives are
28385 default, performance, powersave.
28387 Defaults to @samp{"performance"}.
28391 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-bat
28392 Same as @code{pcie-aspm-ac} but on BAT mode.
28394 Defaults to @samp{"powersave"}.
28398 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-ac
28399 Radeon graphics clock speed level. Alternatives are low, mid, high,
28402 Defaults to @samp{"high"}.
28406 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-bat
28407 Same as @code{radeon-power-ac} but on BAT mode.
28409 Defaults to @samp{"low"}.
28413 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-ac
28414 Radeon dynamic power management method (DPM). Alternatives are battery,
28417 Defaults to @samp{"performance"}.
28421 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-bat
28422 Same as @code{radeon-dpm-state-ac} but on BAT mode.
28424 Defaults to @samp{"battery"}.
28428 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-ac
28429 Radeon DPM performance level. Alternatives are auto, low, high.
28431 Defaults to @samp{"auto"}.
28435 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-bat
28436 Same as @code{radeon-dpm-perf-ac} but on BAT mode.
28438 Defaults to @samp{"auto"}.
28442 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-ac?
28443 Wifi power saving mode.
28445 Defaults to @samp{#f}.
28449 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-bat?
28450 Same as @code{wifi-power-ac?} but on BAT mode.
28452 Defaults to @samp{#t}.
28456 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean wol-disable?
28457 Disable wake on LAN.
28459 Defaults to @samp{#t}.
28463 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-ac
28464 Timeout duration in seconds before activating audio power saving on
28465 Intel HDA and AC97 devices. A value of 0 disables power saving.
28467 Defaults to @samp{0}.
28471 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-bat
28472 Same as @code{sound-powersave-ac} but on BAT mode.
28474 Defaults to @samp{1}.
28478 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean sound-power-save-controller?
28479 Disable controller in powersaving mode on Intel HDA devices.
28481 Defaults to @samp{#t}.
28485 @deftypevr {@code{tlp-configuration} parameter} boolean bay-poweroff-on-bat?
28486 Enable optical drive in UltraBay/MediaBay on BAT mode. Drive can be
28487 powered on again by releasing (and reinserting) the eject lever or by
28488 pressing the disc eject button on newer models.
28490 Defaults to @samp{#f}.
28494 @deftypevr {@code{tlp-configuration} parameter} string bay-device
28495 Name of the optical drive device to power off.
28497 Defaults to @samp{"sr0"}.
28501 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-ac
28502 Runtime Power Management for PCI(e) bus devices. Alternatives are on
28505 Defaults to @samp{"on"}.
28509 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-bat
28510 Same as @code{runtime-pm-ac} but on BAT mode.
28512 Defaults to @samp{"auto"}.
28516 @deftypevr {@code{tlp-configuration} parameter} boolean runtime-pm-all?
28517 Runtime Power Management for all PCI(e) bus devices, except blacklisted
28520 Defaults to @samp{#t}.
28524 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list runtime-pm-blacklist
28525 Exclude specified PCI(e) device addresses from Runtime Power Management.
28527 Defaults to @samp{disabled}.
28531 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list runtime-pm-driver-blacklist
28532 Exclude PCI(e) devices assigned to the specified drivers from Runtime
28537 @deftypevr {@code{tlp-configuration} parameter} boolean usb-autosuspend?
28538 Enable USB autosuspend feature.
28540 Defaults to @samp{#t}.
28544 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-blacklist
28545 Exclude specified devices from USB autosuspend.
28547 Defaults to @samp{disabled}.
28551 @deftypevr {@code{tlp-configuration} parameter} boolean usb-blacklist-wwan?
28552 Exclude WWAN devices from USB autosuspend.
28554 Defaults to @samp{#t}.
28558 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-whitelist
28559 Include specified devices into USB autosuspend, even if they are already
28560 excluded by the driver or via @code{usb-blacklist-wwan?}.
28562 Defaults to @samp{disabled}.
28566 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean usb-autosuspend-disable-on-shutdown?
28567 Enable USB autosuspend before shutdown.
28569 Defaults to @samp{disabled}.
28573 @deftypevr {@code{tlp-configuration} parameter} boolean restore-device-state-on-startup?
28574 Restore radio device state (bluetooth, wifi, wwan) from previous
28575 shutdown on system startup.
28577 Defaults to @samp{#f}.
28582 @cindex CPU frequency scaling with thermald
28583 @subsubheading Thermald daemon
28585 The @code{(gnu services pm)} module provides an interface to
28586 thermald, a CPU frequency scaling service which helps prevent overheating.
28588 @defvr {Scheme Variable} thermald-service-type
28589 This is the service type for
28590 @uref{https://01.org/linux-thermal-daemon/, thermald}, the Linux
28591 Thermal Daemon, which is responsible for controlling the thermal state
28592 of processors and preventing overheating.
28595 @deftp {Data Type} thermald-configuration
28596 Data type representing the configuration of @code{thermald-service-type}.
28599 @item @code{ignore-cpuid-check?} (default: @code{#f})
28600 Ignore cpuid check for supported CPU models.
28602 @item @code{thermald} (default: @var{thermald})
28603 Package object of thermald.
28608 @node Audio Services
28609 @subsection Audio Services
28611 The @code{(gnu services audio)} module provides a service to start MPD
28612 (the Music Player Daemon).
28615 @subsubheading Music Player Daemon
28617 The Music Player Daemon (MPD) is a service that can play music while
28618 being controlled from the local machine or over the network by a variety
28621 The following example shows how one might run @code{mpd} as user
28622 @code{"bob"} on port @code{6666}. It uses pulseaudio for output.
28625 (service mpd-service-type
28631 @defvr {Scheme Variable} mpd-service-type
28632 The service type for @command{mpd}
28635 @deftp {Data Type} mpd-configuration
28636 Data type representing the configuration of @command{mpd}.
28639 @item @code{user} (default: @code{"mpd"})
28640 The user to run mpd as.
28642 @item @code{music-dir} (default: @code{"~/Music"})
28643 The directory to scan for music files.
28645 @item @code{playlist-dir} (default: @code{"~/.mpd/playlists"})
28646 The directory to store playlists.
28648 @item @code{db-file} (default: @code{"~/.mpd/tag_cache"})
28649 The location of the music database.
28651 @item @code{state-file} (default: @code{"~/.mpd/state"})
28652 The location of the file that stores current MPD's state.
28654 @item @code{sticker-file} (default: @code{"~/.mpd/sticker.sql"})
28655 The location of the sticker database.
28657 @item @code{port} (default: @code{"6600"})
28658 The port to run mpd on.
28660 @item @code{address} (default: @code{"any"})
28661 The address that mpd will bind to. To use a Unix domain socket,
28662 an absolute path can be specified here.
28664 @item @code{outputs} (default: @code{"(list (mpd-output))"})
28665 The audio outputs that MPD can use. By default this is a single output using pulseaudio.
28670 @deftp {Data Type} mpd-output
28671 Data type representing an @command{mpd} audio output.
28674 @item @code{name} (default: @code{"MPD"})
28675 The name of the audio output.
28677 @item @code{type} (default: @code{"pulse"})
28678 The type of audio output.
28680 @item @code{enabled?} (default: @code{#t})
28681 Specifies whether this audio output is enabled when MPD is started. By
28682 default, all audio outputs are enabled. This is just the default
28683 setting when there is no state file; with a state file, the previous
28686 @item @code{tags?} (default: @code{#t})
28687 If set to @code{#f}, then MPD will not send tags to this output. This
28688 is only useful for output plugins that can receive tags, for example the
28689 @code{httpd} output plugin.
28691 @item @code{always-on?} (default: @code{#f})
28692 If set to @code{#t}, then MPD attempts to keep this audio output always
28693 open. This may be useful for streaming servers, when you don’t want to
28694 disconnect all listeners even when playback is accidentally stopped.
28696 @item @code{mixer-type}
28697 This field accepts a symbol that specifies which mixer should be used
28698 for this audio output: the @code{hardware} mixer, the @code{software}
28699 mixer, the @code{null} mixer (allows setting the volume, but with no
28700 effect; this can be used as a trick to implement an external mixer
28701 External Mixer) or no mixer (@code{none}).
28703 @item @code{extra-options} (default: @code{'()})
28704 An association list of option symbols to string values to be appended to
28705 the audio output configuration.
28710 The following example shows a configuration of @code{mpd} that provides
28711 an HTTP audio streaming output.
28714 (service mpd-service-type
28722 `((encoder . "vorbis")
28723 (port . "8080"))))))))
28727 @node Virtualization Services
28728 @subsection Virtualization Services
28730 The @code{(gnu services virtualization)} module provides services for
28731 the libvirt and virtlog daemons, as well as other virtualization-related
28734 @subsubheading Libvirt daemon
28736 @code{libvirtd} is the server side daemon component of the libvirt
28737 virtualization management system. This daemon runs on host servers
28738 and performs required management tasks for virtualized guests.
28740 @deffn {Scheme Variable} libvirt-service-type
28741 This is the type of the @uref{https://libvirt.org, libvirt daemon}.
28742 Its value must be a @code{libvirt-configuration}.
28745 (service libvirt-service-type
28746 (libvirt-configuration
28747 (unix-sock-group "libvirt")
28748 (tls-port "16555")))
28752 @c Auto-generated with (generate-libvirt-documentation)
28753 Available @code{libvirt-configuration} fields are:
28755 @deftypevr {@code{libvirt-configuration} parameter} package libvirt
28760 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tls?
28761 Flag listening for secure TLS connections on the public TCP/IP port.
28762 You must set @code{listen} for this to have any effect.
28764 It is necessary to setup a CA and issue server certificates before using
28767 Defaults to @samp{#t}.
28771 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tcp?
28772 Listen for unencrypted TCP connections on the public TCP/IP port. You must
28773 set @code{listen} for this to have any effect.
28775 Using the TCP socket requires SASL authentication by default. Only SASL
28776 mechanisms which support data encryption are allowed. This is
28777 DIGEST_MD5 and GSSAPI (Kerberos5).
28779 Defaults to @samp{#f}.
28783 @deftypevr {@code{libvirt-configuration} parameter} string tls-port
28784 Port for accepting secure TLS connections. This can be a port number,
28787 Defaults to @samp{"16514"}.
28791 @deftypevr {@code{libvirt-configuration} parameter} string tcp-port
28792 Port for accepting insecure TCP connections. This can be a port number,
28795 Defaults to @samp{"16509"}.
28799 @deftypevr {@code{libvirt-configuration} parameter} string listen-addr
28800 IP address or hostname used for client connections.
28802 Defaults to @samp{"0.0.0.0"}.
28806 @deftypevr {@code{libvirt-configuration} parameter} boolean mdns-adv?
28807 Flag toggling mDNS advertisement of the libvirt service.
28809 Alternatively can disable for all services on a host by stopping the
28812 Defaults to @samp{#f}.
28816 @deftypevr {@code{libvirt-configuration} parameter} string mdns-name
28817 Default mDNS advertisement name. This must be unique on the immediate
28820 Defaults to @samp{"Virtualization Host <hostname>"}.
28824 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-group
28825 UNIX domain socket group ownership. This can be used to allow a
28826 'trusted' set of users access to management capabilities without
28829 Defaults to @samp{"root"}.
28833 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-ro-perms
28834 UNIX socket permissions for the R/O socket. This is used for monitoring
28837 Defaults to @samp{"0777"}.
28841 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-rw-perms
28842 UNIX socket permissions for the R/W socket. Default allows only root.
28843 If PolicyKit is enabled on the socket, the default will change to allow
28844 everyone (eg, 0777)
28846 Defaults to @samp{"0770"}.
28850 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-admin-perms
28851 UNIX socket permissions for the admin socket. Default allows only owner
28852 (root), do not change it unless you are sure to whom you are exposing
28855 Defaults to @samp{"0777"}.
28859 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-dir
28860 The directory in which sockets will be found/created.
28862 Defaults to @samp{"/var/run/libvirt"}.
28866 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-ro
28867 Authentication scheme for UNIX read-only sockets. By default socket
28868 permissions allow anyone to connect
28870 Defaults to @samp{"polkit"}.
28874 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-rw
28875 Authentication scheme for UNIX read-write sockets. By default socket
28876 permissions only allow root. If PolicyKit support was compiled into
28877 libvirt, the default will be to use 'polkit' auth.
28879 Defaults to @samp{"polkit"}.
28883 @deftypevr {@code{libvirt-configuration} parameter} string auth-tcp
28884 Authentication scheme for TCP sockets. If you don't enable SASL, then
28885 all TCP traffic is cleartext. Don't do this outside of a dev/test
28888 Defaults to @samp{"sasl"}.
28892 @deftypevr {@code{libvirt-configuration} parameter} string auth-tls
28893 Authentication scheme for TLS sockets. TLS sockets already have
28894 encryption provided by the TLS layer, and limited authentication is done
28897 It is possible to make use of any SASL authentication mechanism as well,
28898 by using 'sasl' for this option
28900 Defaults to @samp{"none"}.
28904 @deftypevr {@code{libvirt-configuration} parameter} optional-list access-drivers
28905 API access control scheme.
28907 By default an authenticated user is allowed access to all APIs. Access
28908 drivers can place restrictions on this.
28910 Defaults to @samp{()}.
28914 @deftypevr {@code{libvirt-configuration} parameter} string key-file
28915 Server key file path. If set to an empty string, then no private key is
28918 Defaults to @samp{""}.
28922 @deftypevr {@code{libvirt-configuration} parameter} string cert-file
28923 Server key file path. If set to an empty string, then no certificate is
28926 Defaults to @samp{""}.
28930 @deftypevr {@code{libvirt-configuration} parameter} string ca-file
28931 Server key file path. If set to an empty string, then no CA certificate
28934 Defaults to @samp{""}.
28938 @deftypevr {@code{libvirt-configuration} parameter} string crl-file
28939 Certificate revocation list path. If set to an empty string, then no
28942 Defaults to @samp{""}.
28946 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-sanity-cert
28947 Disable verification of our own server certificates.
28949 When libvirtd starts it performs some sanity checks against its own
28952 Defaults to @samp{#f}.
28956 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-verify-cert
28957 Disable verification of client certificates.
28959 Client certificate verification is the primary authentication mechanism.
28960 Any client which does not present a certificate signed by the CA will be
28963 Defaults to @samp{#f}.
28967 @deftypevr {@code{libvirt-configuration} parameter} optional-list tls-allowed-dn-list
28968 Whitelist of allowed x509 Distinguished Name.
28970 Defaults to @samp{()}.
28974 @deftypevr {@code{libvirt-configuration} parameter} optional-list sasl-allowed-usernames
28975 Whitelist of allowed SASL usernames. The format for username depends on
28976 the SASL authentication mechanism.
28978 Defaults to @samp{()}.
28982 @deftypevr {@code{libvirt-configuration} parameter} string tls-priority
28983 Override the compile time default TLS priority string. The default is
28984 usually @samp{"NORMAL"} unless overridden at build time. Only set this is it
28985 is desired for libvirt to deviate from the global default settings.
28987 Defaults to @samp{"NORMAL"}.
28991 @deftypevr {@code{libvirt-configuration} parameter} integer max-clients
28992 Maximum number of concurrent client connections to allow over all
28995 Defaults to @samp{5000}.
28999 @deftypevr {@code{libvirt-configuration} parameter} integer max-queued-clients
29000 Maximum length of queue of connections waiting to be accepted by the
29001 daemon. Note, that some protocols supporting retransmission may obey
29002 this so that a later reattempt at connection succeeds.
29004 Defaults to @samp{1000}.
29008 @deftypevr {@code{libvirt-configuration} parameter} integer max-anonymous-clients
29009 Maximum length of queue of accepted but not yet authenticated clients.
29010 Set this to zero to turn this feature off
29012 Defaults to @samp{20}.
29016 @deftypevr {@code{libvirt-configuration} parameter} integer min-workers
29017 Number of workers to start up initially.
29019 Defaults to @samp{5}.
29023 @deftypevr {@code{libvirt-configuration} parameter} integer max-workers
29024 Maximum number of worker threads.
29026 If the number of active clients exceeds @code{min-workers}, then more
29027 threads are spawned, up to max_workers limit. Typically you'd want
29028 max_workers to equal maximum number of clients allowed.
29030 Defaults to @samp{20}.
29034 @deftypevr {@code{libvirt-configuration} parameter} integer prio-workers
29035 Number of priority workers. If all workers from above pool are stuck,
29036 some calls marked as high priority (notably domainDestroy) can be
29037 executed in this pool.
29039 Defaults to @samp{5}.
29043 @deftypevr {@code{libvirt-configuration} parameter} integer max-requests
29044 Total global limit on concurrent RPC calls.
29046 Defaults to @samp{20}.
29050 @deftypevr {@code{libvirt-configuration} parameter} integer max-client-requests
29051 Limit on concurrent requests from a single client connection. To avoid
29052 one client monopolizing the server this should be a small fraction of
29053 the global max_requests and max_workers parameter.
29055 Defaults to @samp{5}.
29059 @deftypevr {@code{libvirt-configuration} parameter} integer admin-min-workers
29060 Same as @code{min-workers} but for the admin interface.
29062 Defaults to @samp{1}.
29066 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-workers
29067 Same as @code{max-workers} but for the admin interface.
29069 Defaults to @samp{5}.
29073 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-clients
29074 Same as @code{max-clients} but for the admin interface.
29076 Defaults to @samp{5}.
29080 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-queued-clients
29081 Same as @code{max-queued-clients} but for the admin interface.
29083 Defaults to @samp{5}.
29087 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-client-requests
29088 Same as @code{max-client-requests} but for the admin interface.
29090 Defaults to @samp{5}.
29094 @deftypevr {@code{libvirt-configuration} parameter} integer log-level
29095 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
29097 Defaults to @samp{3}.
29101 @deftypevr {@code{libvirt-configuration} parameter} string log-filters
29104 A filter allows to select a different logging level for a given category
29105 of logs. The format for a filter is one of:
29116 where @code{name} is a string which is matched against the category
29117 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
29118 file, e.g., @samp{"remote"}, @samp{"qemu"}, or @samp{"util.json"} (the
29119 name in the filter can be a substring of the full category name, in
29120 order to match multiple similar categories), the optional @samp{"+"}
29121 prefix tells libvirt to log stack trace for each message matching name,
29122 and @code{x} is the minimal level where matching messages should be
29140 Multiple filters can be defined in a single filters statement, they just
29141 need to be separated by spaces.
29143 Defaults to @samp{"3:remote 4:event"}.
29147 @deftypevr {@code{libvirt-configuration} parameter} string log-outputs
29150 An output is one of the places to save logging information. The format
29151 for an output can be:
29155 output goes to stderr
29157 @item x:syslog:name
29158 use syslog for the output and use the given name as the ident
29160 @item x:file:file_path
29161 output to a file, with the given filepath
29164 output to journald logging system
29168 In all case the x prefix is the minimal level, acting as a filter
29185 Multiple outputs can be defined, they just need to be separated by
29188 Defaults to @samp{"3:stderr"}.
29192 @deftypevr {@code{libvirt-configuration} parameter} integer audit-level
29193 Allows usage of the auditing subsystem to be altered
29197 0: disable all auditing
29200 1: enable auditing, only if enabled on host
29203 2: enable auditing, and exit if disabled on host.
29207 Defaults to @samp{1}.
29211 @deftypevr {@code{libvirt-configuration} parameter} boolean audit-logging
29212 Send audit messages via libvirt logging infrastructure.
29214 Defaults to @samp{#f}.
29218 @deftypevr {@code{libvirt-configuration} parameter} optional-string host-uuid
29219 Host UUID@. UUID must not have all digits be the same.
29221 Defaults to @samp{""}.
29225 @deftypevr {@code{libvirt-configuration} parameter} string host-uuid-source
29226 Source to read host UUID.
29230 @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid}
29233 @code{machine-id}: fetch the UUID from @code{/etc/machine-id}
29237 If @code{dmidecode} does not provide a valid UUID a temporary UUID will
29240 Defaults to @samp{"smbios"}.
29244 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-interval
29245 A keepalive message is sent to a client after @code{keepalive_interval}
29246 seconds of inactivity to check if the client is still responding. If
29247 set to -1, libvirtd will never send keepalive requests; however clients
29248 can still send them and the daemon will send responses.
29250 Defaults to @samp{5}.
29254 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-count
29255 Maximum number of keepalive messages that are allowed to be sent to the
29256 client without getting any response before the connection is considered
29259 In other words, the connection is automatically closed approximately
29260 after @code{keepalive_interval * (keepalive_count + 1)} seconds since
29261 the last message received from the client. When @code{keepalive-count}
29262 is set to 0, connections will be automatically closed after
29263 @code{keepalive-interval} seconds of inactivity without sending any
29264 keepalive messages.
29266 Defaults to @samp{5}.
29270 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-interval
29271 Same as above but for admin interface.
29273 Defaults to @samp{5}.
29277 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-count
29278 Same as above but for admin interface.
29280 Defaults to @samp{5}.
29284 @deftypevr {@code{libvirt-configuration} parameter} integer ovs-timeout
29285 Timeout for Open vSwitch calls.
29287 The @code{ovs-vsctl} utility is used for the configuration and its
29288 timeout option is set by default to 5 seconds to avoid potential
29289 infinite waits blocking libvirt.
29291 Defaults to @samp{5}.
29295 @c %end of autogenerated docs
29297 @subsubheading Virtlog daemon
29298 The virtlogd service is a server side daemon component of libvirt that is
29299 used to manage logs from virtual machine consoles.
29301 This daemon is not used directly by libvirt client applications, rather it
29302 is called on their behalf by @code{libvirtd}. By maintaining the logs in a
29303 standalone daemon, the main @code{libvirtd} daemon can be restarted without
29304 risk of losing logs. The @code{virtlogd} daemon has the ability to re-exec()
29305 itself upon receiving @code{SIGUSR1}, to allow live upgrades without downtime.
29307 @deffn {Scheme Variable} virtlog-service-type
29308 This is the type of the virtlog daemon.
29309 Its value must be a @code{virtlog-configuration}.
29312 (service virtlog-service-type
29313 (virtlog-configuration
29314 (max-clients 1000)))
29318 @deftypevr {@code{virtlog-configuration} parameter} integer log-level
29319 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
29321 Defaults to @samp{3}.
29325 @deftypevr {@code{virtlog-configuration} parameter} string log-filters
29328 A filter allows to select a different logging level for a given category
29329 of logs The format for a filter is one of:
29340 where @code{name} is a string which is matched against the category
29341 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
29342 file, e.g., "remote", "qemu", or "util.json" (the name in the filter can
29343 be a substring of the full category name, in order to match multiple
29344 similar categories), the optional "+" prefix tells libvirt to log stack
29345 trace for each message matching name, and @code{x} is the minimal level
29346 where matching messages should be logged:
29363 Multiple filters can be defined in a single filters statement, they just
29364 need to be separated by spaces.
29366 Defaults to @samp{"3:remote 4:event"}.
29370 @deftypevr {@code{virtlog-configuration} parameter} string log-outputs
29373 An output is one of the places to save logging information The format
29374 for an output can be:
29378 output goes to stderr
29380 @item x:syslog:name
29381 use syslog for the output and use the given name as the ident
29383 @item x:file:file_path
29384 output to a file, with the given filepath
29387 output to journald logging system
29391 In all case the x prefix is the minimal level, acting as a filter
29408 Multiple outputs can be defined, they just need to be separated by
29411 Defaults to @samp{"3:stderr"}.
29415 @deftypevr {@code{virtlog-configuration} parameter} integer max-clients
29416 Maximum number of concurrent client connections to allow over all
29419 Defaults to @samp{1024}.
29423 @deftypevr {@code{virtlog-configuration} parameter} integer max-size
29424 Maximum file size before rolling over.
29426 Defaults to @samp{2MB}
29430 @deftypevr {@code{virtlog-configuration} parameter} integer max-backups
29431 Maximum number of backup files to keep.
29433 Defaults to @samp{3}
29437 @anchor{transparent-emulation-qemu}
29438 @subsubheading Transparent Emulation with QEMU
29441 @cindex @code{binfmt_misc}
29442 @code{qemu-binfmt-service-type} provides support for transparent
29443 emulation of program binaries built for different architectures---e.g.,
29444 it allows you to transparently execute an ARMv7 program on an x86_64
29445 machine. It achieves this by combining the @uref{https://www.qemu.org,
29446 QEMU} emulator and the @code{binfmt_misc} feature of the kernel Linux.
29447 This feature only allows you to emulate GNU/Linux on a different
29448 architecture, but see below for GNU/Hurd support.
29450 @defvr {Scheme Variable} qemu-binfmt-service-type
29451 This is the type of the QEMU/binfmt service for transparent emulation.
29452 Its value must be a @code{qemu-binfmt-configuration} object, which
29453 specifies the QEMU package to use as well as the architecture we want to
29457 (service qemu-binfmt-service-type
29458 (qemu-binfmt-configuration
29459 (platforms (lookup-qemu-platforms "arm" "aarch64"))))
29462 In this example, we enable transparent emulation for the ARM and aarch64
29463 platforms. Running @code{herd stop qemu-binfmt} turns it off, and
29464 running @code{herd start qemu-binfmt} turns it back on (@pxref{Invoking
29465 herd, the @command{herd} command,, shepherd, The GNU Shepherd Manual}).
29468 @deftp {Data Type} qemu-binfmt-configuration
29469 This is the configuration for the @code{qemu-binfmt} service.
29472 @item @code{platforms} (default: @code{'()})
29473 The list of emulated QEMU platforms. Each item must be a @dfn{platform
29474 object} as returned by @code{lookup-qemu-platforms} (see below).
29476 For example, let's suppose you're on an x86_64 machine and you have this
29480 (service qemu-binfmt-service-type
29481 (qemu-binfmt-configuration
29482 (platforms (lookup-qemu-platforms "arm"))))
29488 guix build -s armhf-linux inkscape
29492 and it will build Inkscape for ARMv7 @emph{as if it were a native
29493 build}, transparently using QEMU to emulate the ARMv7 CPU@. Pretty handy
29494 if you'd like to test a package build for an architecture you don't have
29497 @item @code{qemu} (default: @code{qemu})
29498 The QEMU package to use.
29502 @deffn {Scheme Procedure} lookup-qemu-platforms @var{platforms}@dots{}
29503 Return the list of QEMU platform objects corresponding to
29504 @var{platforms}@dots{}. @var{platforms} must be a list of strings
29505 corresponding to platform names, such as @code{"arm"}, @code{"sparc"},
29506 @code{"mips64el"}, and so on.
29509 @deffn {Scheme Procedure} qemu-platform? @var{obj}
29510 Return true if @var{obj} is a platform object.
29513 @deffn {Scheme Procedure} qemu-platform-name @var{platform}
29514 Return the name of @var{platform}---a string such as @code{"arm"}.
29518 @subsubheading The Hurd in a Virtual Machine
29520 @cindex @code{hurd}
29524 Service @code{hurd-vm} provides support for running GNU/Hurd in a
29525 virtual machine (VM), a so-called @dfn{childhurd}. This service is meant
29526 to be used on GNU/Linux and the given GNU/Hurd operating system
29527 configuration is cross-compiled. The virtual machine is a Shepherd
29528 service that can be referred to by the names @code{hurd-vm} and
29529 @code{childhurd} and be controlled with commands such as:
29533 herd stop childhurd
29536 When the service is running, you can view its console by connecting to
29537 it with a VNC client, for example with:
29540 guix environment --ad-hoc tigervnc-client -- \
29541 vncviewer localhost:5900
29544 The default configuration (see @code{hurd-vm-configuration} below)
29545 spawns a secure shell (SSH) server in your GNU/Hurd system, which QEMU
29546 (the virtual machine emulator) redirects to port 10222 on the host.
29547 Thus, you can connect over SSH to the childhurd with:
29550 ssh root@@localhost -p 10022
29553 The childhurd is volatile and stateless: it starts with a fresh root
29554 file system every time you restart it. By default though, all the files
29555 under @file{/etc/childhurd} on the host are copied as is to the root
29556 file system of the childhurd when it boots. This allows you to
29557 initialize ``secrets'' inside the VM: SSH host keys, authorized
29558 substitute keys, and so on---see the explanation of @code{secret-root}
29561 @defvr {Scheme Variable} hurd-vm-service-type
29562 This is the type of the Hurd in a Virtual Machine service. Its value
29563 must be a @code{hurd-vm-configuration} object, which specifies the
29564 operating system (@pxref{operating-system Reference}) and the disk size
29565 for the Hurd Virtual Machine, the QEMU package to use as well as the
29566 options for running it.
29571 (service hurd-vm-service-type
29572 (hurd-vm-configuration
29573 (disk-size (* 5000 (expt 2 20))) ;5G
29574 (memory-size 1024))) ;1024MiB
29577 would create a disk image big enough to build GNU@tie{}Hello, with some
29581 @deftp {Data Type} hurd-vm-configuration
29582 The data type representing the configuration for
29583 @code{hurd-vm-service-type}.
29586 @item @code{os} (default: @var{%hurd-vm-operating-system})
29587 The operating system to instantiate. This default is bare-bones with a
29588 permissive OpenSSH secure shell daemon listening on port 2222
29589 (@pxref{Networking Services, @code{openssh-service-type}}).
29591 @item @code{qemu} (default: @code{qemu-minimal})
29592 The QEMU package to use.
29594 @item @code{image} (default: @var{hurd-vm-disk-image})
29595 The procedure used to build the disk-image built from this
29598 @item @code{disk-size} (default: @code{'guess})
29599 The size of the disk image.
29601 @item @code{memory-size} (default: @code{512})
29602 The memory size of the Virtual Machine in mebibytes.
29604 @item @code{options} (default: @code{'("--snapshot")})
29605 The extra options for running QEMU.
29607 @item @code{id} (default: @code{#f})
29608 If set, a non-zero positive integer used to parameterize Childhurd
29609 instances. It is appended to the service's name,
29610 e.g. @code{childhurd1}.
29612 @item @code{net-options} (default: @var{hurd-vm-net-options})
29613 The procedure used to produce the list of QEMU networking options.
29615 By default, it produces
29618 '("--device" "rtl8139,netdev=net0"
29619 "--netdev" (string-append
29621 "hostfwd=tcp:127.0.0.1:@var{secrets-port}-:1004,"
29622 "hostfwd=tcp:127.0.0.1:@var{ssh-port}-:2222,"
29623 "hostfwd=tcp:127.0.0.1:@var{vnc-port}-:5900"))
29626 with forwarded ports:
29629 @var{secrets-port}: @code{(+ 11004 (* 1000 @var{ID}))}
29630 @var{ssh-port}: @code{(+ 10022 (* 1000 @var{ID}))}
29631 @var{vnc-port}: @code{(+ 15900 (* 1000 @var{ID}))}
29634 @item @code{secret-root} (default: @file{/etc/childhurd})
29635 The root directory with out-of-band secrets to be installed into the
29636 childhurd once it runs. Childhurds are volatile which means that on
29637 every startup, secrets such as the SSH host keys and Guix signing key
29640 If the @file{/etc/childhurd} directory does not exist, the
29641 @code{secret-service} running in the Childhurd will be sent an empty
29644 By default, the service automatically populates @file{/etc/childhurd}
29645 with the following non-volatile secrets, unless they already exist:
29648 /etc/childhurd/etc/guix/acl
29649 /etc/childhurd/etc/guix/signing-key.pub
29650 /etc/childhurd/etc/guix/signing-key.sec
29651 /etc/childhurd/etc/ssh/ssh_host_ed25519_key
29652 /etc/childhurd/etc/ssh/ssh_host_ecdsa_key
29653 /etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
29654 /etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
29657 These files are automatically sent to the guest Hurd VM when it boots,
29658 including permissions.
29660 @cindex childhurd, offloading
29661 @cindex Hurd, offloading
29662 Having these files in place means that only a couple of things are
29663 missing to allow the host to offload @code{i586-gnu} builds to the
29668 Authorizing the childhurd's key on the host so that the host accepts
29669 build results coming from the childhurd, which can be done like so:
29672 guix archive --authorize < \
29673 /etc/childhurd/etc/guix/signing-key.pub
29677 Adding the childhurd to @file{/etc/guix/machines.scm} (@pxref{Daemon
29681 We're working towards making that happen automatically---get in touch
29682 with us at @email{guix-devel@@gnu.org} to discuss it!
29686 Note that by default the VM image is volatile, i.e., once stopped the
29687 contents are lost. If you want a stateful image instead, override the
29688 configuration's @code{image} and @code{options} without
29689 the @code{--snapshot} flag using something along these lines:
29692 (service hurd-vm-service-type
29693 (hurd-vm-configuration
29694 (image (const "/out/of/store/writable/hurd.img"))
29698 @subsubheading Ganeti
29703 This service is considered experimental. Configuration options may be changed
29704 in a backwards-incompatible manner, and not all features have been thorougly
29705 tested. Users of this service are encouraged to share their experience at
29706 @email{guix-devel@@gnu.org}.
29709 Ganeti is a virtual machine management system. It is designed to keep virtual
29710 machines running on a cluster of servers even in the event of hardware failures,
29711 and to make maintenance and recovery tasks easy. It consists of multiple
29712 services which are described later in this section. In addition to the Ganeti
29713 service, you will need the OpenSSH service (@pxref{Networking Services,
29714 @code{openssh-service-type}}), and update the @file{/etc/hosts} file
29715 (@pxref{operating-system Reference, @code{hosts-file}}) with the cluster name
29716 and address (or use a DNS server).
29718 All nodes participating in a Ganeti cluster should have the same Ganeti and
29719 @file{/etc/hosts} configuration. Here is an example configuration for a Ganeti
29720 cluster node that supports multiple storage backends, and installs the
29721 @code{debootstrap} and @code{guix} @dfn{OS providers}:
29724 (use-package-modules virtualization)
29725 (use-service-modules base ganeti networking ssh)
29728 (host-name "node1")
29729 (hosts-file (plain-file "hosts" (format #f "
29730 127.0.0.1 localhost
29733 192.168.1.200 ganeti.example.com
29734 192.168.1.201 node1.example.com node1
29735 192.168.1.202 node2.example.com node2
29738 ;; Install QEMU so we can use KVM-based instances, and LVM, DRBD and Ceph
29739 ;; in order to use the "plain", "drbd" and "rbd" storage backends.
29740 (packages (append (map specification->package
29741 '("qemu" "lvm2" "drbd-utils" "ceph"
29742 ;; Add the debootstrap and guix OS providers.
29743 "ganeti-instance-guix" "ganeti-instance-debootstrap"))
29746 (append (list (static-networking-service "eth0" "192.168.1.201"
29747 #:netmask "255.255.255.0"
29748 #:gateway "192.168.1.254"
29749 #:name-servers '("192.168.1.252"
29752 ;; Ganeti uses SSH to communicate between nodes.
29753 (service openssh-service-type
29754 (openssh-configuration
29755 (permit-root-login 'prohibit-password)))
29757 (service ganeti-service-type
29758 (ganeti-configuration
29759 ;; This list specifies allowed file system paths
29760 ;; for storing virtual machine images.
29761 (file-storage-paths '("/srv/ganeti/file-storage"))
29762 ;; This variable configures a single "variant" for
29763 ;; both Debootstrap and Guix that works with KVM.
29764 (os %default-ganeti-os))))
29768 Users are advised to read the
29769 @url{http://docs.ganeti.org/ganeti/master/html/admin.html,Ganeti
29770 administrators guide} to learn about the various cluster options and
29771 day-to-day operations. There is also a
29772 @url{https://guix.gnu.org/blog/2020/running-a-ganeti-cluster-on-guix/,blog post}
29773 describing how to configure and initialize a small cluster.
29775 @defvr {Scheme Variable} ganeti-service-type
29776 This is a service type that includes all the various services that Ganeti
29779 Its value is a @code{ganeti-configuration} object that defines the package
29780 to use for CLI operations, as well as configuration for the various daemons.
29781 Allowed file storage paths and available guest operating systems are also
29782 configured through this data type.
29785 @deftp {Data Type} ganeti-configuration
29786 The @code{ganeti} service takes the following configuration options:
29789 @item @code{ganeti} (default: @code{ganeti})
29790 The @code{ganeti} package to use. It will be installed to the system profile
29791 and make @command{gnt-cluster}, @command{gnt-instance}, etc available. Note
29792 that the value specified here does not affect the other services as each refer
29793 to a specific @code{ganeti} package (see below).
29795 @item @code{noded-configuration} (default: @code{(ganeti-noded-configuration)})
29796 @itemx @code{confd-configuration} (default: @code{(ganeti-confd-configuration)})
29797 @itemx @code{wconfd-configuration} (default: @code{(ganeti-wconfd-configuration)})
29798 @itemx @code{luxid-configuration} (default: @code{(ganeti-luxid-configuration)})
29799 @itemx @code{rapi-configuration} (default: @code{(ganeti-rapi-configuration)})
29800 @itemx @code{kvmd-configuration} (default: @code{(ganeti-kvmd-configuration)})
29801 @itemx @code{mond-configuration} (default: @code{(ganeti-mond-configuration)})
29802 @itemx @code{metad-configuration} (default: @code{(ganeti-metad-configuration)})
29803 @itemx @code{watcher-configuration} (default: @code{(ganeti-watcher-configuration)})
29804 @itemx @code{cleaner-configuration} (default: @code{(ganeti-cleaner-configuration)})
29806 These options control the various daemons and cron jobs that are distributed
29807 with Ganeti. The possible values for these are described in detail below.
29808 To override a setting, you must use the configuration type for that service:
29811 (service ganeti-service-type
29812 (ganeti-configuration
29813 (rapi-configuration
29814 (ganeti-rapi-configuration
29815 (interface "eth1"))))
29816 (watcher-configuration
29817 (ganeti-watcher-configuration
29818 (rapi-ip "10.0.0.1"))))
29821 @item @code{file-storage-paths} (default: @code{'()})
29822 List of allowed directories for file storage backend.
29824 @item @code{os} (default: @code{%default-ganeti-os})
29825 List of @code{<ganeti-os>} records.
29828 In essence @code{ganeti-service-type} is shorthand for declaring each service
29832 (service ganeti-noded-service-type)
29833 (service ganeti-confd-service-type)
29834 (service ganeti-wconfd-service-type)
29835 (service ganeti-luxid-service-type)
29836 (service ganeti-kvmd-service-type)
29837 (service ganeti-mond-service-type)
29838 (service ganeti-metad-service-type)
29839 (service ganeti-watcher-service-type)
29840 (service ganeti-cleaner-service-type)
29843 Plus a service extension for @code{etc-service-type} that configures the file
29844 storage backend and OS variants.
29848 @deftp {Data Type} ganeti-os
29849 This data type is suitable for passing to the @code{os} parameter of
29850 @code{ganeti-configuration}. It takes the following parameters:
29854 The name for this OS provider. It is only used to specify where the
29855 configuration ends up. Setting it to ``debootstrap'' will create
29856 @file{/etc/ganeti/instance-debootstrap}.
29858 @item @code{extension}
29859 The file extension for variants of this OS type. For example
29860 @file{.conf} or @file{.scm}.
29862 @item @code{variants} (default: @code{'()})
29863 List of @code{ganeti-os-variant} objects for this OS.
29868 @deftp {Data Type} ganeti-os-variant
29869 This is the data type for a Ganeti OS variant. It takes the following
29874 The name of this variant.
29876 @item @code{configuration}
29877 A configuration file for this variant.
29881 @defvr {Scheme Variable} %default-debootstrap-hooks
29882 This variable contains hooks to configure networking and the GRUB bootloader.
29885 @defvr {Scheme Variable} %default-debootstrap-extra-pkgs
29886 This variable contains a list of packages suitable for a fully-virtualized guest.
29889 @deftp {Data Type} debootstrap-configuration
29891 This data type creates configuration files suitable for the debootstrap OS provider.
29894 @item @code{hooks} (default: @code{%default-debootstrap-hooks})
29895 When not @code{#f}, this must be a G-expression that specifies a directory with
29896 scripts that will run when the OS is installed. It can also be a list of
29897 @code{(name . file-like)} pairs. For example:
29900 `((99-hello-world . ,(plain-file "#!/bin/sh\necho Hello, World")))
29903 That will create a directory with one executable named @code{99-hello-world}
29904 and run it every time this variant is installed. If set to @code{#f}, hooks
29905 in @file{/etc/ganeti/instance-debootstrap/hooks} will be used, if any.
29906 @item @code{proxy} (default: @code{#f})
29907 Optional HTTP proxy to use.
29908 @item @code{mirror} (default: @code{#f})
29909 The Debian mirror. Typically something like @code{http://ftp.no.debian.org/debian}.
29910 The default varies depending on the distribution.
29911 @item @code{arch} (default: @code{#f})
29912 The dpkg architecture. Set to @code{armhf} to debootstrap an ARMv7 instance
29913 on an AArch64 host. Default is to use the current system architecture.
29914 @item @code{suite} (default: @code{"stable"})
29915 When set, this must be a Debian distribution ``suite'' such as @code{buster}
29916 or @code{focal}. If set to @code{#f}, the default for the OS provider is used.
29917 @item @code{extra-pkgs} (default: @code{%default-debootstrap-extra-pkgs})
29918 List of extra packages that will get installed by dpkg in addition
29919 to the minimal system.
29920 @item @code{components} (default: @code{#f})
29921 When set, must be a list of Debian repository ``components''. For example
29922 @code{'("main" "contrib")}.
29923 @item @code{generate-cache?} (default: @code{#t})
29924 Whether to automatically cache the generated debootstrap archive.
29925 @item @code{clean-cache} (default: @code{14})
29926 Discard the cache after this amount of days. Use @code{#f} to never
29928 @item @code{partition-style} (default: @code{'msdos})
29929 The type of partition to create. When set, it must be one of
29930 @code{'msdos}, @code{'none} or a string.
29931 @item @code{partition-alignment} (default: @code{2048})
29932 Alignment of the partition in sectors.
29936 @deffn {Scheme Procedure} debootstrap-variant @var{name} @var{configuration}
29937 This is a helper procedure that creates a @code{ganeti-os-variant} record. It
29938 takes two parameters: a name and a @code{debootstrap-configuration} object.
29941 @deffn {Scheme Procedure} debootstrap-os @var{variants}@dots{}
29942 This is a helper procedure that creates a @code{ganeti-os} record. It takes
29943 a list of variants created with @code{debootstrap-variant}.
29946 @deffn {Scheme Procedure} guix-variant @var{name} @var{configuration}
29947 This is a helper procedure that creates a @code{ganeti-os-variant} record for
29948 use with the Guix OS provider. It takes a name and a G-expression that returns
29949 a ``file-like'' (@pxref{G-Expressions, file-like objects}) object containing a
29950 Guix System configuration.
29953 @deffn {Scheme Procedure} guix-os @var{variants}@dots{}
29954 This is a helper procedure that creates a @code{ganeti-os} record. It
29955 takes a list of variants produced by @code{guix-variant}.
29958 @defvr {Scheme Variable} %default-debootstrap-variants
29959 This is a convenience variable to make the debootstrap provider work
29960 ``out of the box'' without users having to declare variants manually. It
29961 contains a single debootstrap variant with the default configuration:
29964 (list (debootstrap-variant
29966 (debootstrap-configuration)))
29970 @defvr {Scheme Variable} %default-guix-variants
29971 This is a convenience variable to make the Guix OS provider work without
29972 additional configuration. It creates a virtual machine that has an SSH
29973 server, a serial console, and authorizes the Ganeti hosts SSH keys.
29976 (list (guix-variant
29978 (file-append ganeti-instance-guix
29979 "/share/doc/ganeti-instance-guix/examples/dynamic.scm")))
29983 Users can implement support for OS providers unbeknownst to Guix by extending
29984 the @code{ganeti-os} and @code{ganeti-os-variant} records appropriately.
29990 (extension ".conf")
29992 (list (ganeti-os-variant
29994 (configuration (plain-file "bar" "this is fine"))))))
29997 That creates @file{/etc/ganeti/instance-custom/variants/foo.conf} which points
29998 to a file in the store with contents @code{this is fine}. It also creates
29999 @file{/etc/ganeti/instance-custom/variants/variants.list} with contents @code{foo}.
30001 Obviously this may not work for all OS providers out there. If you find the
30002 interface limiting, please reach out to @email{guix-devel@@gnu.org}.
30004 The rest of this section documents the various services that are included by
30005 @code{ganeti-service-type}.
30007 @defvr {Scheme Variable} ganeti-noded-service-type
30008 @command{ganeti-noded} is the daemon responsible for node-specific functions
30009 within the Ganeti system. The value of this service must be a
30010 @code{ganeti-noded-configuration} object.
30013 @deftp {Data Type} ganeti-noded-configuration
30014 This is the configuration for the @code{ganeti-noded} service.
30017 @item @code{ganeti} (default: @code{ganeti})
30018 The @code{ganeti} package to use for this service.
30020 @item @code{port} (default: @code{1811})
30021 The TCP port on which the node daemon listens for network requests.
30023 @item @code{address} (default: @code{"0.0.0.0"})
30024 The network address that the daemon will bind to. The default address means
30025 bind to all available addresses.
30027 @item @code{interface} (default: @code{#f})
30028 When this is set, it must be a specific network interface (e.g.@: @code{eth0})
30029 that the daemon will bind to.
30031 @item @code{max-clients} (default: @code{20})
30032 This sets a limit on the maximum number of simultaneous client connections
30033 that the daemon will handle. Connections above this count are accepted, but
30034 no responses will be sent until enough connections have closed.
30036 @item @code{ssl?} (default: @code{#t})
30037 Whether to use SSL/TLS to encrypt network communications. The certificate
30038 is automatically provisioned by the cluster and can be rotated with
30039 @command{gnt-cluster renew-crypto}.
30041 @item @code{ssl-key} (default: @file{"/var/lib/ganeti/server.pem"})
30042 This can be used to provide a specific encryption key for TLS communications.
30044 @item @code{ssl-cert} (default: @file{"/var/lib/ganeti/server.pem"})
30045 This can be used to provide a specific certificate for TLS communications.
30047 @item @code{debug?} (default: @code{#f})
30048 When true, the daemon performs additional logging for debugging purposes.
30049 Note that this will leak encryption details to the log files, use with caution.
30054 @defvr {Scheme Variable} ganeti-confd-service-type
30055 @command{ganeti-confd} answers queries related to the configuration of a
30056 Ganeti cluster. The purpose of this daemon is to have a highly available
30057 and fast way to query cluster configuration values. It is automatically
30058 active on all @dfn{master candidates}. The value of this service must be a
30059 @code{ganeti-confd-configuration} object.
30063 @deftp {Data Type} ganeti-confd-configuration
30064 This is the configuration for the @code{ganeti-confd} service.
30067 @item @code{ganeti} (default: @code{ganeti})
30068 The @code{ganeti} package to use for this service.
30070 @item @code{port} (default: @code{1814})
30071 The UDP port on which to listen for network requests.
30073 @item @code{address} (default: @code{"0.0.0.0"})
30074 Network address that the daemon will bind to.
30076 @item @code{debug?} (default: @code{#f})
30077 When true, the daemon performs additional logging for debugging purposes.
30082 @defvr {Scheme Variable} ganeti-wconfd-service-type
30083 @command{ganeti-wconfd} is the daemon that has authoritative knowledge
30084 about the cluster configuration and is the only entity that can accept
30085 changes to it. All jobs that need to modify the configuration will do so
30086 by sending appropriate requests to this daemon. It only runs on the
30087 @dfn{master node} and will automatically disable itself on other nodes.
30089 The value of this service must be a
30090 @code{ganeti-wconfd-configuration} object.
30093 @deftp {Data Type} ganeti-wconfd-configuration
30094 This is the configuration for the @code{ganeti-wconfd} service.
30097 @item @code{ganeti} (default: @code{ganeti})
30098 The @code{ganeti} package to use for this service.
30100 @item @code{no-voting?} (default: @code{#f})
30101 The daemon will refuse to start if the majority of cluster nodes does not
30102 agree that it is running on the master node. Set to @code{#t} to start
30103 even if a quorum can not be reached (dangerous, use with caution).
30105 @item @code{debug?} (default: @code{#f})
30106 When true, the daemon performs additional logging for debugging purposes.
30111 @defvr {Scheme Variable} ganeti-luxid-service-type
30112 @command{ganeti-luxid} is a daemon used to answer queries related to the
30113 configuration and the current live state of a Ganeti cluster. Additionally,
30114 it is the authoritative daemon for the Ganeti job queue. Jobs can be
30115 submitted via this daemon and it schedules and starts them.
30117 It takes a @code{ganeti-luxid-configuration} object.
30120 @deftp {Data Type} ganeti-luxid-configuration
30121 This is the configuration for the @code{ganeti-wconfd} service.
30124 @item @code{ganeti} (default: @code{ganeti})
30125 The @code{ganeti} package to use for this service.
30127 @item @code{no-voting?} (default: @code{#f})
30128 The daemon will refuse to start if it cannot verify that the majority of
30129 cluster nodes believes that it is running on the master node. Set to
30130 @code{#t} to ignore such checks and start anyway (this can be dangerous).
30132 @item @code{debug?} (default: @code{#f})
30133 When true, the daemon performs additional logging for debugging purposes.
30138 @defvr {Scheme Variable} ganeti-rapi-service-type
30139 @command{ganeti-rapi} provides a remote API for Ganeti clusters. It runs on
30140 the master node and can be used to perform cluster actions programmatically
30141 via a JSON-based RPC protocol.
30143 Most query operations are allowed without authentication (unless
30144 @var{require-authentication?} is set), whereas write operations require
30145 explicit authorization via the @file{/var/lib/ganeti/rapi/users} file. See
30146 the @url{http://docs.ganeti.org/ganeti/master/html/rapi.html, Ganeti Remote
30147 API documentation} for more information.
30149 The value of this service must be a @code{ganeti-rapi-configuration} object.
30152 @deftp {Data Type} ganeti-rapi-configuration
30153 This is the configuration for the @code{ganeti-rapi} service.
30156 @item @code{ganeti} (default: @code{ganeti})
30157 The @code{ganeti} package to use for this service.
30159 @item @code{require-authentication?} (default: @code{#f})
30160 Whether to require authentication even for read-only operations.
30162 @item @code{port} (default: @code{5080})
30163 The TCP port on which to listen to API requests.
30165 @item @code{address} (default: @code{"0.0.0.0"})
30166 The network address that the service will bind to. By default it listens
30167 on all configured addresses.
30169 @item @code{interface} (default: @code{#f})
30170 When set, it must specify a specific network interface such as @code{eth0}
30171 that the daemon will bind to.
30173 @item @code{max-clients} (default: @code{20})
30174 The maximum number of simultaneous client requests to handle. Further
30175 connections are allowed, but no responses are sent until enough connections
30178 @item @code{ssl?} (default: @code{#t})
30179 Whether to use SSL/TLS encryption on the RAPI port.
30181 @item @code{ssl-key} (default: @file{"/var/lib/ganeti/server.pem"})
30182 This can be used to provide a specific encryption key for TLS communications.
30184 @item @code{ssl-cert} (default: @file{"/var/lib/ganeti/server.pem"})
30185 This can be used to provide a specific certificate for TLS communications.
30187 @item @code{debug?} (default: @code{#f})
30188 When true, the daemon performs additional logging for debugging purposes.
30189 Note that this will leak encryption details to the log files, use with caution.
30194 @defvr {Scheme Variable} ganeti-kvmd-service-type
30195 @command{ganeti-kvmd} is responsible for determining whether a given KVM
30196 instance was shut down by an administrator or a user. Normally Ganeti will
30197 restart an instance that was not stopped through Ganeti itself. If the
30198 cluster option @code{user_shutdown} is true, this daemon monitors the
30199 @code{QMP} socket provided by QEMU and listens for shutdown events, and
30200 marks the instance as @dfn{USER_down} instead of @dfn{ERROR_down} when
30201 it shuts down gracefully by itself.
30203 It takes a @code{ganeti-kvmd-configuration} object.
30206 @deftp {Data Type} ganeti-kvmd-configuration
30209 @item @code{ganeti} (default: @code{ganeti})
30210 The @code{ganeti} package to use for this service.
30212 @item @code{debug?} (default: @code{#f})
30213 When true, the daemon performs additional logging for debugging purposes.
30218 @defvr {Scheme Variable} ganeti-mond-service-type
30219 @command{ganeti-mond} is an optional daemon that provides Ganeti monitoring
30220 functionality. It is responsible for running data collectors and publish the
30221 collected information through a HTTP interface.
30223 It takes a @code{ganeti-mond-configuration} object.
30226 @deftp {Data Type} ganeti-mond-configuration
30229 @item @code{ganeti} (default: @code{ganeti})
30230 The @code{ganeti} package to use for this service.
30232 @item @code{port} (default: @code{1815})
30233 The port on which the daemon will listen.
30235 @item @code{address} (default: @code{"0.0.0.0"})
30236 The network address that the daemon will bind to. By default it binds to all
30237 available interfaces.
30239 @item @code{debug?} (default: @code{#f})
30240 When true, the daemon performs additional logging for debugging purposes.
30245 @defvr {Scheme Variable} ganeti-metad-service-type
30246 @command{ganeti-metad} is an optional daemon that can be used to provide
30247 information about the cluster to instances or OS install scripts.
30249 It takes a @code{ganeti-metad-configuration} object.
30252 @deftp {Data Type} ganeti-metad-configuration
30255 @item @code{ganeti} (default: @code{ganeti})
30256 The @code{ganeti} package to use for this service.
30258 @item @code{port} (default: @code{80})
30259 The port on which the daemon will listen.
30261 @item @code{address} (default: @code{#f})
30262 If set, the daemon will bind to this address only. If left unset, the behavior
30263 depends on the cluster configuration.
30265 @item @code{debug?} (default: @code{#f})
30266 When true, the daemon performs additional logging for debugging purposes.
30271 @defvr {Scheme Variable} ganeti-watcher-service-type
30272 @command{ganeti-watcher} is a script designed to run periodically and ensure
30273 the health of a cluster. It will automatically restart instances that have
30274 stopped without Ganeti's consent, and repairs DRBD links in case a node has
30275 rebooted. It also archives old cluster jobs and restarts Ganeti daemons
30276 that are not running. If the cluster parameter @code{ensure_node_health}
30277 is set, the watcher will also shutdown instances and DRBD devices if the
30278 node it is running on is declared offline by known master candidates.
30280 It can be paused on all nodes with @command{gnt-cluster watcher pause}.
30282 The service takes a @code{ganeti-watcher-configuration} object.
30285 @deftp {Data Type} ganeti-watcher-configuration
30288 @item @code{ganeti} (default: @code{ganeti})
30289 The @code{ganeti} package to use for this service.
30291 @item @code{schedule} (default: @code{'(next-second-from (next-minute (range 0 60 5)))})
30292 How often to run the script. The default is every five minutes.
30294 @item @code{rapi-ip} (default: @code{#f})
30295 This option needs to be specified only if the RAPI daemon is configured to use
30296 a particular interface or address. By default the cluster address is used.
30298 @item @code{job-age} (default: @code{(* 6 3600)})
30299 Archive cluster jobs older than this age, specified in seconds. The default
30300 is 6 hours. This keeps @command{gnt-job list} manageable.
30302 @item @code{verify-disks?} (default: @code{#t})
30303 If this is @code{#f}, the watcher will not try to repair broken DRBD links
30304 automatically. Administrators will need to use @command{gnt-cluster verify-disks}
30307 @item @code{debug?} (default: @code{#f})
30308 When @code{#t}, the script performs additional logging for debugging purposes.
30313 @defvr {Scheme Variable} ganeti-cleaner-service-type
30314 @command{ganeti-cleaner} is a script designed to run periodically and remove
30315 old files from the cluster. This service type controls two @dfn{cron jobs}:
30316 one intended for the master node that permanently purges old cluster jobs,
30317 and one intended for every node that removes expired X509 certificates, keys,
30318 and outdated @command{ganeti-watcher} information. Like all Ganeti services,
30319 it is safe to include even on non-master nodes as it will disable itself as
30322 It takes a @code{ganeti-cleaner-configuration} object.
30325 @deftp {Data Type} ganeti-cleaner-configuration
30328 @item @code{ganeti} (default: @code{ganeti})
30329 The @code{ganeti} package to use for the @command{gnt-cleaner} command.
30331 @item @code{master-schedule} (default: @code{"45 1 * * *"})
30332 How often to run the master cleaning job. The default is once per day, at
30335 @item @code{node-schedule} (default: @code{"45 2 * * *"})
30336 How often to run the node cleaning job. The default is once per day, at
30342 @node Version Control Services
30343 @subsection Version Control Services
30345 The @code{(gnu services version-control)} module provides a service to
30346 allow remote access to local Git repositories. There are three options:
30347 the @code{git-daemon-service}, which provides access to repositories via
30348 the @code{git://} unsecured TCP-based protocol, extending the
30349 @code{nginx} web server to proxy some requests to
30350 @code{git-http-backend}, or providing a web interface with
30351 @code{cgit-service-type}.
30353 @deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)]
30355 Return a service that runs @command{git daemon}, a simple TCP server to
30356 expose repositories over the Git protocol for anonymous access.
30358 The optional @var{config} argument should be a
30359 @code{<git-daemon-configuration>} object, by default it allows read-only
30360 access to exported@footnote{By creating the magic file
30361 @file{git-daemon-export-ok} in the repository directory.} repositories under
30366 @deftp {Data Type} git-daemon-configuration
30367 Data type representing the configuration for @code{git-daemon-service}.
30370 @item @code{package} (default: @code{git})
30371 Package object of the Git distributed version control system.
30373 @item @code{export-all?} (default: @code{#f})
30374 Whether to allow access for all Git repositories, even if they do not
30375 have the @file{git-daemon-export-ok} file.
30377 @item @code{base-path} (default: @file{/srv/git})
30378 Whether to remap all the path requests as relative to the given path.
30379 If you run @command{git daemon} with @code{(base-path "/srv/git")} on
30380 @samp{example.com}, then if you later try to pull
30381 @indicateurl{git://example.com/hello.git}, git daemon will interpret the
30382 path as @file{/srv/git/hello.git}.
30384 @item @code{user-path} (default: @code{#f})
30385 Whether to allow @code{~user} notation to be used in requests. When
30386 specified with empty string, requests to
30387 @indicateurl{git://host/~alice/foo} is taken as a request to access
30388 @code{foo} repository in the home directory of user @code{alice}. If
30389 @code{(user-path "@var{path}")} is specified, the same request is taken
30390 as a request to access @file{@var{path}/foo} repository in the home
30391 directory of user @code{alice}.
30393 @item @code{listen} (default: @code{'()})
30394 Whether to listen on specific IP addresses or hostnames, defaults to
30397 @item @code{port} (default: @code{#f})
30398 Whether to listen on an alternative port, which defaults to 9418.
30400 @item @code{whitelist} (default: @code{'()})
30401 If not empty, only allow access to this list of directories.
30403 @item @code{extra-options} (default: @code{'()})
30404 Extra options will be passed to @command{git daemon}, please run
30405 @command{man git-daemon} for more information.
30410 The @code{git://} protocol lacks authentication. When you pull from a
30411 repository fetched via @code{git://}, you don't know whether the data you
30412 receive was modified or is even coming from the specified host, and your
30413 connection is subject to eavesdropping. It's better to use an authenticated
30414 and encrypted transport, such as @code{https}. Although Git allows you
30415 to serve repositories using unsophisticated file-based web servers,
30416 there is a faster protocol implemented by the @code{git-http-backend}
30417 program. This program is the back-end of a proper Git web service. It
30418 is designed to sit behind a FastCGI proxy. @xref{Web Services}, for more
30419 on running the necessary @code{fcgiwrap} daemon.
30421 Guix has a separate configuration data type for serving Git repositories
30424 @deftp {Data Type} git-http-configuration
30425 Data type representing the configuration for a future
30426 @code{git-http-service-type}; can currently be used to configure Nginx
30427 through @code{git-http-nginx-location-configuration}.
30430 @item @code{package} (default: @var{git})
30431 Package object of the Git distributed version control system.
30433 @item @code{git-root} (default: @file{/srv/git})
30434 Directory containing the Git repositories to expose to the world.
30436 @item @code{export-all?} (default: @code{#f})
30437 Whether to expose access for all Git repositories in @var{git-root},
30438 even if they do not have the @file{git-daemon-export-ok} file.
30440 @item @code{uri-path} (default: @samp{/git/})
30441 Path prefix for Git access. With the default @samp{/git/} prefix, this
30442 will map @indicateurl{http://@var{server}/git/@var{repo}.git} to
30443 @file{/srv/git/@var{repo}.git}. Requests whose URI paths do not begin
30444 with this prefix are not passed on to this Git instance.
30446 @item @code{fcgiwrap-socket} (default: @code{127.0.0.1:9000})
30447 The socket on which the @code{fcgiwrap} daemon is listening. @xref{Web
30452 There is no @code{git-http-service-type}, currently; instead you can
30453 create an @code{nginx-location-configuration} from a
30454 @code{git-http-configuration} and then add that location to a web
30457 @deffn {Scheme Procedure} git-http-nginx-location-configuration @
30458 [config=(git-http-configuration)]
30459 Compute an @code{nginx-location-configuration} that corresponds to the
30460 given Git http configuration. An example nginx service definition to
30461 serve the default @file{/srv/git} over HTTPS might be:
30464 (service nginx-service-type
30465 (nginx-configuration
30468 (nginx-server-configuration
30469 (listen '("443 ssl"))
30470 (server-name "git.my-host.org")
30472 "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
30473 (ssl-certificate-key
30474 "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
30477 (git-http-nginx-location-configuration
30478 (git-http-configuration (uri-path "/"))))))))))
30481 This example assumes that you are using Let's Encrypt to get your TLS
30482 certificate. @xref{Certificate Services}. The default @code{certbot}
30483 service will redirect all HTTP traffic on @code{git.my-host.org} to
30484 HTTPS@. You will also need to add an @code{fcgiwrap} proxy to your
30485 system services. @xref{Web Services}.
30488 @subsubheading Cgit Service
30490 @cindex Cgit service
30491 @cindex Git, web interface
30492 @uref{https://git.zx2c4.com/cgit/, Cgit} is a web frontend for Git
30493 repositories written in C.
30495 The following example will configure the service with default values.
30496 By default, Cgit can be accessed on port 80 (@code{http://localhost:80}).
30499 (service cgit-service-type)
30502 The @code{file-object} type designates either a file-like object
30503 (@pxref{G-Expressions, file-like objects}) or a string.
30505 @c %start of fragment
30507 Available @code{cgit-configuration} fields are:
30509 @deftypevr {@code{cgit-configuration} parameter} package package
30514 @deftypevr {@code{cgit-configuration} parameter} nginx-server-configuration-list nginx
30515 NGINX configuration.
30519 @deftypevr {@code{cgit-configuration} parameter} file-object about-filter
30520 Specifies a command which will be invoked to format the content of about
30521 pages (both top-level and for each repository).
30523 Defaults to @samp{""}.
30527 @deftypevr {@code{cgit-configuration} parameter} string agefile
30528 Specifies a path, relative to each repository path, which can be used to
30529 specify the date and time of the youngest commit in the repository.
30531 Defaults to @samp{""}.
30535 @deftypevr {@code{cgit-configuration} parameter} file-object auth-filter
30536 Specifies a command that will be invoked for authenticating repository
30539 Defaults to @samp{""}.
30543 @deftypevr {@code{cgit-configuration} parameter} string branch-sort
30544 Flag which, when set to @samp{age}, enables date ordering in the branch
30545 ref list, and when set @samp{name} enables ordering by branch name.
30547 Defaults to @samp{"name"}.
30551 @deftypevr {@code{cgit-configuration} parameter} string cache-root
30552 Path used to store the cgit cache entries.
30554 Defaults to @samp{"/var/cache/cgit"}.
30558 @deftypevr {@code{cgit-configuration} parameter} integer cache-static-ttl
30559 Number which specifies the time-to-live, in minutes, for the cached
30560 version of repository pages accessed with a fixed SHA1.
30562 Defaults to @samp{-1}.
30566 @deftypevr {@code{cgit-configuration} parameter} integer cache-dynamic-ttl
30567 Number which specifies the time-to-live, in minutes, for the cached
30568 version of repository pages accessed without a fixed SHA1.
30570 Defaults to @samp{5}.
30574 @deftypevr {@code{cgit-configuration} parameter} integer cache-repo-ttl
30575 Number which specifies the time-to-live, in minutes, for the cached
30576 version of the repository summary page.
30578 Defaults to @samp{5}.
30582 @deftypevr {@code{cgit-configuration} parameter} integer cache-root-ttl
30583 Number which specifies the time-to-live, in minutes, for the cached
30584 version of the repository index page.
30586 Defaults to @samp{5}.
30590 @deftypevr {@code{cgit-configuration} parameter} integer cache-scanrc-ttl
30591 Number which specifies the time-to-live, in minutes, for the result of
30592 scanning a path for Git repositories.
30594 Defaults to @samp{15}.
30598 @deftypevr {@code{cgit-configuration} parameter} integer cache-about-ttl
30599 Number which specifies the time-to-live, in minutes, for the cached
30600 version of the repository about page.
30602 Defaults to @samp{15}.
30606 @deftypevr {@code{cgit-configuration} parameter} integer cache-snapshot-ttl
30607 Number which specifies the time-to-live, in minutes, for the cached
30608 version of snapshots.
30610 Defaults to @samp{5}.
30614 @deftypevr {@code{cgit-configuration} parameter} integer cache-size
30615 The maximum number of entries in the cgit cache. When set to @samp{0},
30616 caching is disabled.
30618 Defaults to @samp{0}.
30622 @deftypevr {@code{cgit-configuration} parameter} boolean case-sensitive-sort?
30623 Sort items in the repo list case sensitively.
30625 Defaults to @samp{#t}.
30629 @deftypevr {@code{cgit-configuration} parameter} list clone-prefix
30630 List of common prefixes which, when combined with a repository URL,
30631 generates valid clone URLs for the repository.
30633 Defaults to @samp{()}.
30637 @deftypevr {@code{cgit-configuration} parameter} list clone-url
30638 List of @code{clone-url} templates.
30640 Defaults to @samp{()}.
30644 @deftypevr {@code{cgit-configuration} parameter} file-object commit-filter
30645 Command which will be invoked to format commit messages.
30647 Defaults to @samp{""}.
30651 @deftypevr {@code{cgit-configuration} parameter} string commit-sort
30652 Flag which, when set to @samp{date}, enables strict date ordering in the
30653 commit log, and when set to @samp{topo} enables strict topological
30656 Defaults to @samp{"git log"}.
30660 @deftypevr {@code{cgit-configuration} parameter} file-object css
30661 URL which specifies the css document to include in all cgit pages.
30663 Defaults to @samp{"/share/cgit/cgit.css"}.
30667 @deftypevr {@code{cgit-configuration} parameter} file-object email-filter
30668 Specifies a command which will be invoked to format names and email
30669 address of committers, authors, and taggers, as represented in various
30670 places throughout the cgit interface.
30672 Defaults to @samp{""}.
30676 @deftypevr {@code{cgit-configuration} parameter} boolean embedded?
30677 Flag which, when set to @samp{#t}, will make cgit generate a HTML
30678 fragment suitable for embedding in other HTML pages.
30680 Defaults to @samp{#f}.
30684 @deftypevr {@code{cgit-configuration} parameter} boolean enable-commit-graph?
30685 Flag which, when set to @samp{#t}, will make cgit print an ASCII-art
30686 commit history graph to the left of the commit messages in the
30687 repository log page.
30689 Defaults to @samp{#f}.
30693 @deftypevr {@code{cgit-configuration} parameter} boolean enable-filter-overrides?
30694 Flag which, when set to @samp{#t}, allows all filter settings to be
30695 overridden in repository-specific cgitrc files.
30697 Defaults to @samp{#f}.
30701 @deftypevr {@code{cgit-configuration} parameter} boolean enable-follow-links?
30702 Flag which, when set to @samp{#t}, allows users to follow a file in the
30705 Defaults to @samp{#f}.
30709 @deftypevr {@code{cgit-configuration} parameter} boolean enable-http-clone?
30710 If set to @samp{#t}, cgit will act as an dumb HTTP endpoint for Git
30713 Defaults to @samp{#t}.
30717 @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-links?
30718 Flag which, when set to @samp{#t}, will make cgit generate extra links
30719 "summary", "commit", "tree" for each repo in the repository index.
30721 Defaults to @samp{#f}.
30725 @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-owner?
30726 Flag which, when set to @samp{#t}, will make cgit display the owner of
30727 each repo in the repository index.
30729 Defaults to @samp{#t}.
30733 @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-filecount?
30734 Flag which, when set to @samp{#t}, will make cgit print the number of
30735 modified files for each commit on the repository log page.
30737 Defaults to @samp{#f}.
30741 @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-linecount?
30742 Flag which, when set to @samp{#t}, will make cgit print the number of
30743 added and removed lines for each commit on the repository log page.
30745 Defaults to @samp{#f}.
30749 @deftypevr {@code{cgit-configuration} parameter} boolean enable-remote-branches?
30750 Flag which, when set to @code{#t}, will make cgit display remote
30751 branches in the summary and refs views.
30753 Defaults to @samp{#f}.
30757 @deftypevr {@code{cgit-configuration} parameter} boolean enable-subject-links?
30758 Flag which, when set to @code{1}, will make cgit use the subject of the
30759 parent commit as link text when generating links to parent commits in
30762 Defaults to @samp{#f}.
30766 @deftypevr {@code{cgit-configuration} parameter} boolean enable-html-serving?
30767 Flag which, when set to @samp{#t}, will make cgit use the subject of the
30768 parent commit as link text when generating links to parent commits in
30771 Defaults to @samp{#f}.
30775 @deftypevr {@code{cgit-configuration} parameter} boolean enable-tree-linenumbers?
30776 Flag which, when set to @samp{#t}, will make cgit generate linenumber
30777 links for plaintext blobs printed in the tree view.
30779 Defaults to @samp{#t}.
30783 @deftypevr {@code{cgit-configuration} parameter} boolean enable-git-config?
30784 Flag which, when set to @samp{#f}, will allow cgit to use Git config to
30785 set any repo specific settings.
30787 Defaults to @samp{#f}.
30791 @deftypevr {@code{cgit-configuration} parameter} file-object favicon
30792 URL used as link to a shortcut icon for cgit.
30794 Defaults to @samp{"/favicon.ico"}.
30798 @deftypevr {@code{cgit-configuration} parameter} string footer
30799 The content of the file specified with this option will be included
30800 verbatim at the bottom of all pages (i.e.@: it replaces the standard
30801 "generated by..."@: message).
30803 Defaults to @samp{""}.
30807 @deftypevr {@code{cgit-configuration} parameter} string head-include
30808 The content of the file specified with this option will be included
30809 verbatim in the HTML HEAD section on all pages.
30811 Defaults to @samp{""}.
30815 @deftypevr {@code{cgit-configuration} parameter} string header
30816 The content of the file specified with this option will be included
30817 verbatim at the top of all pages.
30819 Defaults to @samp{""}.
30823 @deftypevr {@code{cgit-configuration} parameter} file-object include
30824 Name of a configfile to include before the rest of the current config-
30827 Defaults to @samp{""}.
30831 @deftypevr {@code{cgit-configuration} parameter} string index-header
30832 The content of the file specified with this option will be included
30833 verbatim above the repository index.
30835 Defaults to @samp{""}.
30839 @deftypevr {@code{cgit-configuration} parameter} string index-info
30840 The content of the file specified with this option will be included
30841 verbatim below the heading on the repository index page.
30843 Defaults to @samp{""}.
30847 @deftypevr {@code{cgit-configuration} parameter} boolean local-time?
30848 Flag which, if set to @samp{#t}, makes cgit print commit and tag times
30849 in the servers timezone.
30851 Defaults to @samp{#f}.
30855 @deftypevr {@code{cgit-configuration} parameter} file-object logo
30856 URL which specifies the source of an image which will be used as a logo
30859 Defaults to @samp{"/share/cgit/cgit.png"}.
30863 @deftypevr {@code{cgit-configuration} parameter} string logo-link
30864 URL loaded when clicking on the cgit logo image.
30866 Defaults to @samp{""}.
30870 @deftypevr {@code{cgit-configuration} parameter} file-object owner-filter
30871 Command which will be invoked to format the Owner column of the main
30874 Defaults to @samp{""}.
30878 @deftypevr {@code{cgit-configuration} parameter} integer max-atom-items
30879 Number of items to display in atom feeds view.
30881 Defaults to @samp{10}.
30885 @deftypevr {@code{cgit-configuration} parameter} integer max-commit-count
30886 Number of entries to list per page in "log" view.
30888 Defaults to @samp{50}.
30892 @deftypevr {@code{cgit-configuration} parameter} integer max-message-length
30893 Number of commit message characters to display in "log" view.
30895 Defaults to @samp{80}.
30899 @deftypevr {@code{cgit-configuration} parameter} integer max-repo-count
30900 Specifies the number of entries to list per page on the repository index
30903 Defaults to @samp{50}.
30907 @deftypevr {@code{cgit-configuration} parameter} integer max-repodesc-length
30908 Specifies the maximum number of repo description characters to display
30909 on the repository index page.
30911 Defaults to @samp{80}.
30915 @deftypevr {@code{cgit-configuration} parameter} integer max-blob-size
30916 Specifies the maximum size of a blob to display HTML for in KBytes.
30918 Defaults to @samp{0}.
30922 @deftypevr {@code{cgit-configuration} parameter} string max-stats
30923 Maximum statistics period. Valid values are @samp{week},@samp{month},
30924 @samp{quarter} and @samp{year}.
30926 Defaults to @samp{""}.
30930 @deftypevr {@code{cgit-configuration} parameter} mimetype-alist mimetype
30931 Mimetype for the specified filename extension.
30933 Defaults to @samp{((gif "image/gif") (html "text/html") (jpg
30934 "image/jpeg") (jpeg "image/jpeg") (pdf "application/pdf") (png
30935 "image/png") (svg "image/svg+xml"))}.
30939 @deftypevr {@code{cgit-configuration} parameter} file-object mimetype-file
30940 Specifies the file to use for automatic mimetype lookup.
30942 Defaults to @samp{""}.
30946 @deftypevr {@code{cgit-configuration} parameter} string module-link
30947 Text which will be used as the formatstring for a hyperlink when a
30948 submodule is printed in a directory listing.
30950 Defaults to @samp{""}.
30954 @deftypevr {@code{cgit-configuration} parameter} boolean nocache?
30955 If set to the value @samp{#t} caching will be disabled.
30957 Defaults to @samp{#f}.
30961 @deftypevr {@code{cgit-configuration} parameter} boolean noplainemail?
30962 If set to @samp{#t} showing full author email addresses will be
30965 Defaults to @samp{#f}.
30969 @deftypevr {@code{cgit-configuration} parameter} boolean noheader?
30970 Flag which, when set to @samp{#t}, will make cgit omit the standard
30971 header on all pages.
30973 Defaults to @samp{#f}.
30977 @deftypevr {@code{cgit-configuration} parameter} project-list project-list
30978 A list of subdirectories inside of @code{repository-directory}, relative
30979 to it, that should loaded as Git repositories. An empty list means that
30980 all subdirectories will be loaded.
30982 Defaults to @samp{()}.
30986 @deftypevr {@code{cgit-configuration} parameter} file-object readme
30987 Text which will be used as default value for @code{cgit-repo-readme}.
30989 Defaults to @samp{""}.
30993 @deftypevr {@code{cgit-configuration} parameter} boolean remove-suffix?
30994 If set to @code{#t} and @code{repository-directory} is enabled, if any
30995 repositories are found with a suffix of @code{.git}, this suffix will be
30996 removed for the URL and name.
30998 Defaults to @samp{#f}.
31002 @deftypevr {@code{cgit-configuration} parameter} integer renamelimit
31003 Maximum number of files to consider when detecting renames.
31005 Defaults to @samp{-1}.
31009 @deftypevr {@code{cgit-configuration} parameter} string repository-sort
31010 The way in which repositories in each section are sorted.
31012 Defaults to @samp{""}.
31016 @deftypevr {@code{cgit-configuration} parameter} robots-list robots
31017 Text used as content for the @code{robots} meta-tag.
31019 Defaults to @samp{("noindex" "nofollow")}.
31023 @deftypevr {@code{cgit-configuration} parameter} string root-desc
31024 Text printed below the heading on the repository index page.
31026 Defaults to @samp{"a fast webinterface for the git dscm"}.
31030 @deftypevr {@code{cgit-configuration} parameter} string root-readme
31031 The content of the file specified with this option will be included
31032 verbatim below the ``about'' link on the repository index page.
31034 Defaults to @samp{""}.
31038 @deftypevr {@code{cgit-configuration} parameter} string root-title
31039 Text printed as heading on the repository index page.
31041 Defaults to @samp{""}.
31045 @deftypevr {@code{cgit-configuration} parameter} boolean scan-hidden-path
31046 If set to @samp{#t} and repository-directory is enabled,
31047 repository-directory will recurse into directories whose name starts
31048 with a period. Otherwise, repository-directory will stay away from such
31049 directories, considered as ``hidden''. Note that this does not apply to
31050 the @file{.git} directory in non-bare repos.
31052 Defaults to @samp{#f}.
31056 @deftypevr {@code{cgit-configuration} parameter} list snapshots
31057 Text which specifies the default set of snapshot formats that cgit
31058 generates links for.
31060 Defaults to @samp{()}.
31064 @deftypevr {@code{cgit-configuration} parameter} repository-directory repository-directory
31065 Name of the directory to scan for repositories (represents
31068 Defaults to @samp{"/srv/git"}.
31072 @deftypevr {@code{cgit-configuration} parameter} string section
31073 The name of the current repository section - all repositories defined
31074 after this option will inherit the current section name.
31076 Defaults to @samp{""}.
31080 @deftypevr {@code{cgit-configuration} parameter} string section-sort
31081 Flag which, when set to @samp{1}, will sort the sections on the
31082 repository listing by name.
31084 Defaults to @samp{""}.
31088 @deftypevr {@code{cgit-configuration} parameter} integer section-from-path
31089 A number which, if defined prior to repository-directory, specifies how
31090 many path elements from each repo path to use as a default section name.
31092 Defaults to @samp{0}.
31096 @deftypevr {@code{cgit-configuration} parameter} boolean side-by-side-diffs?
31097 If set to @samp{#t} shows side-by-side diffs instead of unidiffs per
31100 Defaults to @samp{#f}.
31104 @deftypevr {@code{cgit-configuration} parameter} file-object source-filter
31105 Specifies a command which will be invoked to format plaintext blobs in
31108 Defaults to @samp{""}.
31112 @deftypevr {@code{cgit-configuration} parameter} integer summary-branches
31113 Specifies the number of branches to display in the repository ``summary''
31116 Defaults to @samp{10}.
31120 @deftypevr {@code{cgit-configuration} parameter} integer summary-log
31121 Specifies the number of log entries to display in the repository
31124 Defaults to @samp{10}.
31128 @deftypevr {@code{cgit-configuration} parameter} integer summary-tags
31129 Specifies the number of tags to display in the repository ``summary''
31132 Defaults to @samp{10}.
31136 @deftypevr {@code{cgit-configuration} parameter} string strict-export
31137 Filename which, if specified, needs to be present within the repository
31138 for cgit to allow access to that repository.
31140 Defaults to @samp{""}.
31144 @deftypevr {@code{cgit-configuration} parameter} string virtual-root
31145 URL which, if specified, will be used as root for all cgit links.
31147 Defaults to @samp{"/"}.
31151 @deftypevr {@code{cgit-configuration} parameter} repository-cgit-configuration-list repositories
31152 A list of @dfn{cgit-repo} records to use with config.
31154 Defaults to @samp{()}.
31156 Available @code{repository-cgit-configuration} fields are:
31158 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list snapshots
31159 A mask of snapshot formats for this repo that cgit generates links for,
31160 restricted by the global @code{snapshots} setting.
31162 Defaults to @samp{()}.
31166 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object source-filter
31167 Override the default @code{source-filter}.
31169 Defaults to @samp{""}.
31173 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string url
31174 The relative URL used to access the repository.
31176 Defaults to @samp{""}.
31180 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object about-filter
31181 Override the default @code{about-filter}.
31183 Defaults to @samp{""}.
31187 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string branch-sort
31188 Flag which, when set to @samp{age}, enables date ordering in the branch
31189 ref list, and when set to @samp{name} enables ordering by branch name.
31191 Defaults to @samp{""}.
31195 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list clone-url
31196 A list of URLs which can be used to clone repo.
31198 Defaults to @samp{()}.
31202 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object commit-filter
31203 Override the default @code{commit-filter}.
31205 Defaults to @samp{""}.
31209 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string commit-sort
31210 Flag which, when set to @samp{date}, enables strict date ordering in the
31211 commit log, and when set to @samp{topo} enables strict topological
31214 Defaults to @samp{""}.
31218 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string defbranch
31219 The name of the default branch for this repository. If no such branch
31220 exists in the repository, the first branch name (when sorted) is used as
31221 default instead. By default branch pointed to by HEAD, or ``master'' if
31222 there is no suitable HEAD.
31224 Defaults to @samp{""}.
31228 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string desc
31229 The value to show as repository description.
31231 Defaults to @samp{""}.
31235 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string homepage
31236 The value to show as repository homepage.
31238 Defaults to @samp{""}.
31242 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object email-filter
31243 Override the default @code{email-filter}.
31245 Defaults to @samp{""}.
31249 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-commit-graph?
31250 A flag which can be used to disable the global setting
31251 @code{enable-commit-graph?}.
31253 Defaults to @samp{disabled}.
31257 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-log-filecount?
31258 A flag which can be used to disable the global setting
31259 @code{enable-log-filecount?}.
31261 Defaults to @samp{disabled}.
31265 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-log-linecount?
31266 A flag which can be used to disable the global setting
31267 @code{enable-log-linecount?}.
31269 Defaults to @samp{disabled}.
31273 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-remote-branches?
31274 Flag which, when set to @code{#t}, will make cgit display remote
31275 branches in the summary and refs views.
31277 Defaults to @samp{disabled}.
31281 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-subject-links?
31282 A flag which can be used to override the global setting
31283 @code{enable-subject-links?}.
31285 Defaults to @samp{disabled}.
31289 @deftypevr {@code{repository-cgit-configuration} parameter} maybe-repo-boolean enable-html-serving?
31290 A flag which can be used to override the global setting
31291 @code{enable-html-serving?}.
31293 Defaults to @samp{disabled}.
31297 @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean hide?
31298 Flag which, when set to @code{#t}, hides the repository from the
31301 Defaults to @samp{#f}.
31305 @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean ignore?
31306 Flag which, when set to @samp{#t}, ignores the repository.
31308 Defaults to @samp{#f}.
31312 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object logo
31313 URL which specifies the source of an image which will be used as a logo
31314 on this repo’s pages.
31316 Defaults to @samp{""}.
31320 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string logo-link
31321 URL loaded when clicking on the cgit logo image.
31323 Defaults to @samp{""}.
31327 @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object owner-filter
31328 Override the default @code{owner-filter}.
31330 Defaults to @samp{""}.
31334 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string module-link
31335 Text which will be used as the formatstring for a hyperlink when a
31336 submodule is printed in a directory listing. The arguments for the
31337 formatstring are the path and SHA1 of the submodule commit.
31339 Defaults to @samp{""}.
31343 @deftypevr {@code{repository-cgit-configuration} parameter} module-link-path module-link-path
31344 Text which will be used as the formatstring for a hyperlink when a
31345 submodule with the specified subdirectory path is printed in a directory
31348 Defaults to @samp{()}.
31352 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string max-stats
31353 Override the default maximum statistics period.
31355 Defaults to @samp{""}.
31359 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string name
31360 The value to show as repository name.
31362 Defaults to @samp{""}.
31366 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string owner
31367 A value used to identify the owner of the repository.
31369 Defaults to @samp{""}.
31373 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string path
31374 An absolute path to the repository directory.
31376 Defaults to @samp{""}.
31380 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string readme
31381 A path (relative to repo) which specifies a file to include verbatim as
31382 the ``About'' page for this repo.
31384 Defaults to @samp{""}.
31388 @deftypevr {@code{repository-cgit-configuration} parameter} repo-string section
31389 The name of the current repository section - all repositories defined
31390 after this option will inherit the current section name.
31392 Defaults to @samp{""}.
31396 @deftypevr {@code{repository-cgit-configuration} parameter} repo-list extra-options
31397 Extra options will be appended to cgitrc file.
31399 Defaults to @samp{()}.
31405 @deftypevr {@code{cgit-configuration} parameter} list extra-options
31406 Extra options will be appended to cgitrc file.
31408 Defaults to @samp{()}.
31413 @c %end of fragment
31415 However, it could be that you just want to get a @code{cgitrc} up and
31416 running. In that case, you can pass an @code{opaque-cgit-configuration}
31417 as a record to @code{cgit-service-type}. As its name indicates, an
31418 opaque configuration does not have easy reflective capabilities.
31420 Available @code{opaque-cgit-configuration} fields are:
31422 @deftypevr {@code{opaque-cgit-configuration} parameter} package cgit
31426 @deftypevr {@code{opaque-cgit-configuration} parameter} string string
31427 The contents of the @code{cgitrc}, as a string.
31430 For example, if your @code{cgitrc} is just the empty string, you
31431 could instantiate a cgit service like this:
31434 (service cgit-service-type
31435 (opaque-cgit-configuration
31439 @subsubheading Gitolite Service
31441 @cindex Gitolite service
31442 @cindex Git, hosting
31443 @uref{https://gitolite.com/gitolite/, Gitolite} is a tool for hosting Git
31444 repositories on a central server.
31446 Gitolite can handle multiple repositories and users, and supports flexible
31447 configuration of the permissions for the users on the repositories.
31449 The following example will configure Gitolite using the default @code{git}
31450 user, and the provided SSH public key.
31453 (service gitolite-service-type
31454 (gitolite-configuration
31455 (admin-pubkey (plain-file
31457 "ssh-rsa AAAA... guix@@example.com"))))
31460 Gitolite is configured through a special admin repository which you can clone,
31461 for example, if you setup Gitolite on @code{example.com}, you would run the
31462 following command to clone the admin repository.
31465 git clone git@@example.com:gitolite-admin
31468 When the Gitolite service is activated, the provided @code{admin-pubkey} will
31469 be inserted in to the @file{keydir} directory in the gitolite-admin
31470 repository. If this results in a change in the repository, it will be
31471 committed using the message ``gitolite setup by GNU Guix''.
31473 @deftp {Data Type} gitolite-configuration
31474 Data type representing the configuration for @code{gitolite-service-type}.
31477 @item @code{package} (default: @var{gitolite})
31478 Gitolite package to use.
31480 @item @code{user} (default: @var{git})
31481 User to use for Gitolite. This will be user that you use when accessing
31484 @item @code{group} (default: @var{git})
31485 Group to use for Gitolite.
31487 @item @code{home-directory} (default: @var{"/var/lib/gitolite"})
31488 Directory in which to store the Gitolite configuration and repositories.
31490 @item @code{rc-file} (default: @var{(gitolite-rc-file)})
31491 A ``file-like'' object (@pxref{G-Expressions, file-like objects}),
31492 representing the configuration for Gitolite.
31494 @item @code{admin-pubkey} (default: @var{#f})
31495 A ``file-like'' object (@pxref{G-Expressions, file-like objects}) used to
31496 setup Gitolite. This will be inserted in to the @file{keydir} directory
31497 within the gitolite-admin repository.
31499 To specify the SSH key as a string, use the @code{plain-file} function.
31502 (plain-file "yourname.pub" "ssh-rsa AAAA... guix@@example.com")
31508 @deftp {Data Type} gitolite-rc-file
31509 Data type representing the Gitolite RC file.
31512 @item @code{umask} (default: @code{#o0077})
31513 This controls the permissions Gitolite sets on the repositories and their
31516 A value like @code{#o0027} will give read access to the group used by Gitolite
31517 (by default: @code{git}). This is necessary when using Gitolite with software
31518 like cgit or gitweb.
31520 @item @code{unsafe-pattern} (default: @code{#f})
31521 An optional Perl regular expression for catching unsafe configurations in
31522 the configuration file. See
31523 @uref{https://gitolite.com/gitolite/git-config.html#compensating-for-unsafe_patt,
31524 Gitolite's documentation} for more information.
31526 When the value is not @code{#f}, it should be a string containing a Perl
31527 regular expression, such as @samp{"[`~#\$\&()|;<>]"}, which is the default
31528 value used by gitolite. It rejects any special character in configuration
31529 that might be interpreted by a shell, which is useful when sharing the
31530 administration burden with other people that do not otherwise have shell
31531 access on the server.
31533 @item @code{git-config-keys} (default: @code{""})
31534 Gitolite allows you to set git config values using the @samp{config}
31535 keyword. This setting allows control over the config keys to accept.
31537 @item @code{roles} (default: @code{'(("READERS" . 1) ("WRITERS" . ))})
31538 Set the role names allowed to be used by users running the perms command.
31540 @item @code{enable} (default: @code{'("help" "desc" "info" "perms" "writable" "ssh-authkeys" "git-config" "daemon" "gitweb")})
31541 This setting controls the commands and features to enable within Gitolite.
31547 @subsubheading Gitile Service
31549 @cindex Gitile service
31551 @uref{https://git.lepiller.eu/gitile, Gitile} is a Git forge for viewing
31552 public git repository contents from a web browser.
31554 Gitile works best in collaboration with Gitolite, and will serve the public
31555 repositories from Gitolite by default. The service should listen only on
31556 a local port, and a webserver should be configured to serve static resources.
31557 The gitile service provides an easy way to extend the Nginx service for
31558 that purpose (@pxref{NGINX}).
31560 The following example will configure Gitile to serve repositories from a
31561 custom location, with some default messages for the home page and the
31565 (service gitile-service-type
31566 (gitile-configuration
31567 (repositories "/srv/git")
31568 (base-git-url "https://myweb.site/git")
31569 (index-title "My git repositories")
31570 (intro '((p "This is all my public work!")))
31571 (footer '((p "This is the end")))
31572 (nginx-server-block
31573 (nginx-server-configuration
31575 "/etc/letsencrypt/live/myweb.site/fullchain.pem")
31576 (ssl-certificate-key
31577 "/etc/letsencrypt/live/myweb.site/privkey.pem")
31578 (listen '("443 ssl http2" "[::]:443 ssl http2"))
31581 ;; Allow for https anonymous fetch on /git/ urls.
31582 (git-http-nginx-location-configuration
31583 (git-http-configuration
31585 (git-root "/var/lib/gitolite/repositories")))))))))
31588 In addition to the configuration record, you should configure your git
31589 repositories to contain some optional information. First, your public
31590 repositories need to contain the @file{git-daemon-export-ok} magic file
31591 that allows Git to export the repository. Gitile uses the presence of this
31592 file to detect public repositories it should make accessible. To do so with
31593 Gitolite for instance, modify your @file{conf/gitolite.conf} to include
31594 this in the repositories you want to make public:
31601 In addition, Gitile can read the repository configuration to display more
31602 infomation on the repository. Gitile uses the gitweb namespace for its
31603 configuration. As an example, you can use the following in your
31604 @file{conf/gitolite.conf}:
31609 desc = A long description, optionally with <i>HTML</i>, shown on the index page
31610 config gitweb.name = The Foo Project
31611 config gitweb.synopsis = A short description, shown on the main page of the project
31614 Do not forget to commit and push these changes once you are satisfied. You
31615 may need to change your gitolite configuration to allow the previous
31616 configuration options to be set. One way to do that is to add the
31617 following service definition:
31620 (service gitolite-service-type
31621 (gitolite-configuration
31622 (admin-pubkey (local-file "key.pub"))
31626 ;; Allow to set any configuration key
31627 (git-config-keys ".*")
31628 ;; Allow any text as a valid configuration value
31629 (unsafe-patt "^$")))))
31632 @deftp {Data Type} gitile-configuration
31633 Data type representing the configuration for @code{gitile-service-type}.
31636 @item @code{package} (default: @var{gitile})
31637 Gitile package to use.
31639 @item @code{host} (default: @code{"localhost"})
31640 The host on which gitile is listening.
31642 @item @code{port} (default: @code{8080})
31643 The port on which gitile is listening.
31645 @item @code{database} (default: @code{"/var/lib/gitile/gitile-db.sql"})
31646 The location of the database.
31648 @item @code{repositories} (default: @code{"/var/lib/gitolite/repositories"})
31649 The location of the repositories. Note that only public repositories will
31650 be shown by Gitile. To make a repository public, add an empty
31651 @file{git-daemon-export-ok} file at the root of that repository.
31653 @item @code{base-git-url}
31654 The base git url that will be used to show clone commands.
31656 @item @code{index-title} (default: @code{"Index"})
31657 The page title for the index page that lists all the available repositories.
31659 @item @code{intro} (default: @code{'()})
31660 The intro content, as a list of sxml expressions. This is shown above the list
31661 of repositories, on the index page.
31663 @item @code{footer} (default: @code{'()})
31664 The footer content, as a list of sxml expressions. This is shown on every
31665 page served by Gitile.
31667 @item @code{nginx-server-block}
31668 An nginx server block that will be extended and used as a reverse proxy by
31669 Gitile to serve its pages, and as a normal web server to serve its assets.
31671 You can use this block to add more custom URLs to your domain, such as a
31672 @code{/git/} URL for anonymous clones, or serving any other files you would
31678 @node Game Services
31679 @subsection Game Services
31681 @subsubheading The Battle for Wesnoth Service
31683 @uref{https://wesnoth.org, The Battle for Wesnoth} is a fantasy, turn
31684 based tactical strategy game, with several single player campaigns, and
31685 multiplayer games (both networked and local).
31687 @defvar {Scheme Variable} wesnothd-service-type
31688 Service type for the wesnothd service. Its value must be a
31689 @code{wesnothd-configuration} object. To run wesnothd in the default
31690 configuration, instantiate it as:
31693 (service wesnothd-service-type)
31697 @deftp {Data Type} wesnothd-configuration
31698 Data type representing the configuration of @command{wesnothd}.
31701 @item @code{package} (default: @code{wesnoth-server})
31702 The wesnoth server package to use.
31704 @item @code{port} (default: @code{15000})
31705 The port to bind the server to.
31710 @node PAM Mount Service
31711 @subsection PAM Mount Service
31714 The @code{(gnu services pam-mount)} module provides a service allowing
31715 users to mount volumes when they log in. It should be able to mount any
31716 volume format supported by the system.
31718 @defvar {Scheme Variable} pam-mount-service-type
31719 Service type for PAM Mount support.
31722 @deftp {Data Type} pam-mount-configuration
31723 Data type representing the configuration of PAM Mount.
31725 It takes the following parameters:
31729 The configuration rules that will be used to generate
31730 @file{/etc/security/pam_mount.conf.xml}.
31732 The configuration rules are SXML elements (@pxref{SXML,,, guile, GNU
31733 Guile Reference Manual}), and the default ones don't mount anything for
31737 `((debug (@@ (enable "0")))
31738 (mntoptions (@@ (allow ,(string-join
31739 '("nosuid" "nodev" "loop"
31740 "encryption" "fsck" "nonempty"
31741 "allow_root" "allow_other")
31743 (mntoptions (@@ (require "nosuid,nodev")))
31744 (logout (@@ (wait "0")
31748 (mkmountpoint (@@ (enable "1")
31752 Some @code{volume} elements must be added to automatically mount volumes
31753 at login. Here's an example allowing the user @code{alice} to mount her
31754 encrypted @env{HOME} directory and allowing the user @code{bob} to mount
31755 the partition where he stores his data:
31758 (define pam-mount-rules
31759 `((debug (@@ (enable "0")))
31760 (volume (@@ (user "alice")
31763 (mountpoint "/home/alice")))
31764 (volume (@@ (user "bob")
31767 (mountpoint "/home/bob/data")
31768 (options "defaults,autodefrag,compress")))
31769 (mntoptions (@@ (allow ,(string-join
31770 '("nosuid" "nodev" "loop"
31771 "encryption" "fsck" "nonempty"
31772 "allow_root" "allow_other")
31774 (mntoptions (@@ (require "nosuid,nodev")))
31775 (logout (@@ (wait "0")
31779 (mkmountpoint (@@ (enable "1")
31780 (remove "true")))))
31782 (service pam-mount-service-type
31783 (pam-mount-configuration
31784 (rules pam-mount-rules)))
31787 The complete list of possible options can be found in the man page for
31788 @uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, pam_mount.conf}.
31793 @node Guix Services
31794 @subsection Guix Services
31796 @subsubheading Guix Build Coordinator
31797 The @uref{https://git.cbaines.net/guix/build-coordinator/,Guix Build
31798 Coordinator} aids in distributing derivation builds among machines
31799 running an @dfn{agent}. The build daemon is still used to build the
31800 derivations, but the Guix Build Coordinator manages allocating builds
31801 and working with the results.
31804 This service is considered experimental. Configuration options may be
31805 changed in a backwards-incompatible manner, and not all features have
31806 been thorougly tested.
31809 The Guix Build Coordinator consists of one @dfn{coordinator}, and one or
31810 more connected @dfn{agent} processes. The coordinator process handles
31811 clients submitting builds, and allocating builds to agents. The agent
31812 processes talk to a build daemon to actually perform the builds, then
31813 send the results back to the coordinator.
31815 There is a script to run the coordinator component of the Guix Build
31816 Coordinator, but the Guix service uses a custom Guile script instead, to
31817 provide better integration with G-expressions used in the configuration.
31819 @defvar {Scheme Variable} guix-build-coordinator-service-type
31820 Service type for the Guix Build Coordinator. Its value must be a
31821 @code{guix-build-coordinator-configuration} object.
31824 @deftp {Data Type} guix-build-coordinator-configuration
31825 Data type representing the configuration of the Guix Build Coordinator.
31828 @item @code{package} (default: @code{guix-build-coordinator})
31829 The Guix Build Coordinator package to use.
31831 @item @code{user} (default: @code{"guix-build-coordinator"})
31832 The system user to run the service as.
31834 @item @code{group} (default: @code{"guix-build-coordinator"})
31835 The system group to run the service as.
31837 @item @code{database-uri-string} (default: @code{"sqlite:///var/lib/guix-build-coordinator/guix_build_coordinator.db"})
31838 The URI to use for the database.
31840 @item @code{agent-communication-uri} (default: @code{"http://0.0.0.0:8745"})
31841 The URI describing how to listen to requests from agent processes.
31843 @item @code{client-communication-uri} (default: @code{"http://127.0.0.1:8746"})
31844 The URI describing how to listen to requests from clients. The client
31845 API allows submitting builds and currently isn't authenticated, so take
31846 care when configuring this value.
31848 @item @code{allocation-strategy} (default: @code{#~basic-build-allocation-strategy})
31849 A G-expression for the allocation strategy to be used. This is a
31850 procedure that takes the datastore as an argument and populates the
31851 allocation plan in the database.
31853 @item @code{hooks} (default: @var{'()})
31854 An association list of hooks. These provide a way to execute arbitrary
31855 code upon certain events, like a build result being processed.
31857 @item @code{guile} (default: @code{guile-3.0-latest})
31858 The Guile package with which to run the Guix Build Coordinator.
31863 @defvar {Scheme Variable} guix-build-coordinator-agent-service-type
31864 Service type for a Guix Build Coordinator agent. Its value must be a
31865 @code{guix-build-coordinator-agent-configuration} object.
31868 @deftp {Data Type} guix-build-coordinator-agent-configuration
31869 Data type representing the configuration a Guix Build Coordinator agent.
31872 @item @code{package} (default: @code{guix-build-coordinator})
31873 The Guix Build Coordinator package to use.
31875 @item @code{user} (default: @code{"guix-build-coordinator-agent"})
31876 The system user to run the service as.
31878 @item @code{coordinator} (default: @code{"http://localhost:8745"})
31879 The URI to use when connecting to the coordinator.
31881 @item @code{authentication}
31882 Record describing how this agent should authenticate with the
31883 coordinator. Possible record types are described below.
31885 @item @code{systems} (default: @code{#f})
31886 The systems for which this agent should fetch builds. The agent process
31887 will use the current system it's running on as the default.
31889 @item @code{max-parallel-builds} (default: @code{1})
31890 The number of builds to perform in parallel.
31892 @item @code{max-1min-load-average} (default: @code{#f})
31893 Load average value to look at when considering starting new builds, if
31894 the 1 minute load average exceeds this value, the agent will wait before
31895 starting new builds.
31897 This will be unspecified if the value is @code{#f}, and the agent will
31898 use the number of cores reported by the system as the max 1 minute load
31901 @item @code{derivation-substitute-urls} (default: @code{#f})
31902 URLs from which to attempt to fetch substitutes for derivations, if the
31903 derivations aren't already available.
31905 @item @code{non-derivation-substitute-urls} (default: @code{#f})
31906 URLs from which to attempt to fetch substitutes for build inputs, if the
31907 input store items aren't already available.
31912 @deftp {Data Type} guix-build-coordinator-agent-password-auth
31913 Data type representing an agent authenticating with a coordinator via a
31918 The UUID of the agent. This should be generated by the coordinator
31919 process, stored in the coordinator database, and used by the intended
31922 @item @code{password}
31923 The password to use when connecting to the coordinator.
31928 @deftp {Data Type} guix-build-coordinator-agent-password-file-auth
31929 Data type representing an agent authenticating with a coordinator via a
31930 UUID and password read from a file.
31934 The UUID of the agent. This should be generated by the coordinator
31935 process, stored in the coordinator database, and used by the intended
31938 @item @code{password-file}
31939 A file containing the password to use when connecting to the
31945 @deftp {Data Type} guix-build-coordinator-agent-dynamic-auth
31946 Data type representing an agent authenticating with a coordinator via a
31947 dynamic auth token and agent name.
31950 @item @code{agent-name}
31951 Name of an agent, this is used to match up to an existing entry in the
31952 database if there is one. When no existing entry is found, a new entry
31953 is automatically added.
31956 Dynamic auth token, this is created and stored in the coordinator
31957 database, and is used by the agent to authenticate.
31962 @deftp {Data Type} guix-build-coordinator-agent-dynamic-auth-with-file
31963 Data type representing an agent authenticating with a coordinator via a
31964 dynamic auth token read from a file and agent name.
31967 @item @code{agent-name}
31968 Name of an agent, this is used to match up to an existing entry in the
31969 database if there is one. When no existing entry is found, a new entry
31970 is automatically added.
31972 @item @code{token-file}
31973 File containing the dynamic auth token, this is created and stored in
31974 the coordinator database, and is used by the agent to authenticate.
31979 The Guix Build Coordinator package contains a script to query an
31980 instance of the Guix Data Service for derivations to build, and then
31981 submit builds for those derivations to the coordinator. The service
31982 type below assists in running this script. This is an additional tool
31983 that may be useful when building derivations contained within an
31984 instance of the Guix Data Service.
31986 @defvar {Scheme Variable} guix-build-coordinator-queue-builds-service-type
31987 Service type for the
31988 guix-build-coordinator-queue-builds-from-guix-data-service script. Its
31989 value must be a @code{guix-build-coordinator-queue-builds-configuration}
31993 @deftp {Data Type} guix-build-coordinator-queue-builds-configuration
31994 Data type representing the options to the queue builds from guix data
31998 @item @code{package} (default: @code{guix-build-coordinator})
31999 The Guix Build Coordinator package to use.
32001 @item @code{user} (default: @code{"guix-build-coordinator-queue-builds"})
32002 The system user to run the service as.
32004 @item @code{coordinator} (default: @code{"http://localhost:8746"})
32005 The URI to use when connecting to the coordinator.
32007 @item @code{systems} (default: @code{#f})
32008 The systems for which to fetch derivations to build.
32010 @item @code{systems-and-targets} (default: @code{#f})
32011 An association list of system and target pairs for which to fetch
32012 derivations to build.
32014 @item @code{guix-data-service} (default: @code{"https://data.guix.gnu.org"})
32015 The Guix Data Service instance from which to query to find out about
32016 derivations to build.
32018 @item @code{processed-commits-file} (default: @code{"/var/cache/guix-build-coordinator-queue-builds/processed-commits"})
32019 A file to record which commits have been processed, to avoid needlessly
32020 processing them again if the service is restarted.
32025 @subsubheading Guix Data Service
32026 The @uref{http://data.guix.gnu.org,Guix Data Service} processes, stores
32027 and provides data about GNU Guix. This includes information about
32028 packages, derivations and lint warnings.
32030 The data is stored in a PostgreSQL database, and available through a web
32033 @defvar {Scheme Variable} guix-data-service-type
32034 Service type for the Guix Data Service. Its value must be a
32035 @code{guix-data-service-configuration} object. The service optionally
32036 extends the getmail service, as the guix-commits mailing list is used to
32037 find out about changes in the Guix git repository.
32040 @deftp {Data Type} guix-data-service-configuration
32041 Data type representing the configuration of the Guix Data Service.
32044 @item @code{package} (default: @code{guix-data-service})
32045 The Guix Data Service package to use.
32047 @item @code{user} (default: @code{"guix-data-service"})
32048 The system user to run the service as.
32050 @item @code{group} (default: @code{"guix-data-service"})
32051 The system group to run the service as.
32053 @item @code{port} (default: @code{8765})
32054 The port to bind the web service to.
32056 @item @code{host} (default: @code{"127.0.0.1"})
32057 The host to bind the web service to.
32059 @item @code{getmail-idle-mailboxes} (default: @code{#f})
32060 If set, this is the list of mailboxes that the getmail service will be
32061 configured to listen to.
32063 @item @code{commits-getmail-retriever-configuration} (default: @code{#f})
32064 If set, this is the @code{getmail-retriever-configuration} object with
32065 which to configure getmail to fetch mail from the guix-commits mailing
32068 @item @code{extra-options} (default: @var{'()})
32069 Extra command line options for @code{guix-data-service}.
32071 @item @code{extra-process-jobs-options} (default: @var{'()})
32072 Extra command line options for @code{guix-data-service-process-jobs}.
32077 @node Linux Services
32078 @subsection Linux Services
32081 @cindex out of memory killer
32083 @cindex early out of memory daemon
32084 @subsubheading Early OOM Service
32086 @uref{https://github.com/rfjakob/earlyoom,Early OOM}, also known as
32087 Earlyoom, is a minimalist out of memory (OOM) daemon that runs in user
32088 space and provides a more responsive and configurable alternative to the
32089 in-kernel OOM killer. It is useful to prevent the system from becoming
32090 unresponsive when it runs out of memory.
32092 @deffn {Scheme Variable} earlyoom-service-type
32093 The service type for running @command{earlyoom}, the Early OOM daemon.
32094 Its value must be a @code{earlyoom-configuration} object, described
32095 below. The service can be instantiated in its default configuration
32099 (service earlyoom-service-type)
32103 @deftp {Data Type} earlyoom-configuration
32104 This is the configuration record for the @code{earlyoom-service-type}.
32107 @item @code{earlyoom} (default: @var{earlyoom})
32108 The Earlyoom package to use.
32110 @item @code{minimum-available-memory} (default: @code{10})
32111 The threshold for the minimum @emph{available} memory, in percentages.
32113 @item @code{minimum-free-swap} (default: @code{10})
32114 The threshold for the minimum free swap memory, in percentages.
32116 @item @code{prefer-regexp} (default: @code{#f})
32117 A regular expression (as a string) to match the names of the processes
32118 that should be preferably killed.
32120 @item @code{avoid-regexp} (default: @code{#f})
32121 A regular expression (as a string) to match the names of the processes
32122 that should @emph{not} be killed.
32124 @item @code{memory-report-interval} (default: @code{0})
32125 The interval in seconds at which a memory report is printed. It is
32126 disabled by default.
32128 @item @code{ignore-positive-oom-score-adj?} (default: @code{#f})
32129 A boolean indicating whether the positive adjustments set in
32130 @file{/proc/*/oom_score_adj} should be ignored.
32132 @item @code{show-debug-messages?} (default: @code{#f})
32133 A boolean indicating whether debug messages should be printed. The logs
32134 are saved at @file{/var/log/earlyoom.log}.
32136 @item @code{send-notification-command} (default: @code{#f})
32137 This can be used to provide a custom command used for sending
32143 @cindex kernel module loader
32144 @subsubheading Kernel Module Loader Service
32146 The kernel module loader service allows one to load loadable kernel
32147 modules at boot. This is especially useful for modules that don't
32148 autoload and need to be manually loaded, as is the case with
32151 @deffn {Scheme Variable} kernel-module-loader-service-type
32152 The service type for loading loadable kernel modules at boot with
32153 @command{modprobe}. Its value must be a list of strings representing
32154 module names. For example loading the drivers provided by
32155 @code{ddcci-driver-linux}, in debugging mode by passing some module
32156 parameters, can be done as follow:
32159 (use-modules (gnu) (gnu services))
32160 (use-package-modules linux)
32161 (use-service-modules linux)
32163 (define ddcci-config
32164 (plain-file "ddcci.conf"
32165 "options ddcci dyndbg delay=120"))
32169 (services (cons* (service kernel-module-loader-service-type
32170 '("ddcci" "ddcci_backlight"))
32171 (simple-service 'ddcci-config etc-service-type
32172 (list `("modprobe.d/ddcci.conf"
32175 (kernel-loadable-modules (list ddcci-driver-linux)))
32180 @cindex Platform Reliability, Availability and Serviceability daemon
32181 @subsubheading Rasdaemon Service
32183 The Rasdaemon service provides a daemon which monitors platform
32184 @acronym{RAS, Reliability@comma{} Availability@comma{} and Serviceability} reports from
32185 Linux kernel trace events, logging them to syslogd.
32187 Reliability, Availability and Serviceability is a concept used on servers meant
32188 to measure their robustness.
32190 @strong{Relability} is the probability that a system will produce correct
32194 @item Generally measured as Mean Time Between Failures (MTBF), and
32195 @item Enhanced by features that help to avoid, detect and repair hardware
32199 @strong{Availability} is the probability that a system is operational at a
32203 @item Generally measured as a percentage of downtime per a period of time, and
32204 @item Often uses mechanisms to detect and correct hardware faults in runtime.
32207 @strong{Serviceability} is the simplicity and speed with which a system can be
32208 repaired or maintained:
32211 @item Generally measured on Mean Time Between Repair (MTBR).
32215 Among the monitoring measures, the most usual ones include:
32218 @item CPU – detect errors at instruction execution and at L1/L2/L3 caches;
32219 @item Memory – add error correction logic (ECC) to detect and correct errors;
32220 @item I/O – add CRC checksums for transferred data;
32221 @item Storage – RAID, journal file systems, checksums, Self-Monitoring,
32222 Analysis and Reporting Technology (SMART).
32225 By monitoring the number of occurrences of error detections, it is possible to
32226 identify if the probability of hardware errors is increasing, and, on such
32227 case, do a preventive maintenance to replace a degraded component while those
32228 errors are correctable.
32230 For detailed information about the types of error events gathered and how to
32231 make sense of them, see the kernel administrator's guide at
32232 @url{https://www.kernel.org/doc/html/latest/admin-guide/ras.html}.
32234 @defvr {Scheme Variable} rasdaemon-service-type
32235 Service type for the @command{rasdaemon} service. It accepts a
32236 @code{rasdaemon-configuration} object. Instantiating like
32239 (service rasdaemon-service-type)
32242 will load with a default configuration, which monitors all events and logs to
32246 @deftp {Data Type} rasdaemon-configuration
32247 The data type representing the configuration of @command{rasdaemon}.
32250 @item @code{record?} (default: @code{#f})
32252 A boolean indicating whether to record the events in an SQLite database. This
32253 provides a more structured access to the information contained in the log file.
32254 The database location is hard-coded to @file{/var/lib/rasdaemon/ras-mc_event.db}.
32260 @cindex compressed swap
32261 @cindex Compressed RAM-based block devices
32262 @subsubheading Zram Device Service
32264 The Zram device service provides a compressed swap device in system
32265 memory. The Linux Kernel documentation has more information about
32266 @uref{https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html,zram}
32269 @deffn {Scheme Variable} zram-device-service-type
32270 This service creates the zram block device, formats it as swap and
32271 enables it as a swap device. The service's value is a
32272 @code{zram-device-configuration} record.
32274 @deftp {Data Type} zram-device-configuration
32275 This is the data type representing the configuration for the zram-device
32279 @item @code{size} (default @code{"1G"})
32280 This is the amount of space you wish to provide for the zram device. It
32281 accepts a string and can be a number of bytes or use a suffix, eg.:
32282 @code{"512M"} or @code{1024000}.
32283 @item @code{compression-algorithm} (default @code{'lzo})
32284 This is the compression algorithm you wish to use. It is difficult to
32285 list all the possible compression options, but common ones supported by
32286 Guix's Linux Libre Kernel include @code{'lzo}, @code{'lz4} and @code{'zstd}.
32287 @item @code{memory-limit} (default @code{0})
32288 This is the maximum amount of memory which the zram device can use.
32289 Setting it to '0' disables the limit. While it is generally expected
32290 that compression will be 2:1, it is possible that uncompressable data
32291 can be written to swap and this is a method to limit how much memory can
32292 be used. It accepts a string and can be a number of bytes or use a
32293 suffix, eg.: @code{"2G"}.
32294 @item @code{priority} (default @code{-1})
32295 This is the priority of the swap device created from the zram device.
32296 @code{swapon} accepts values between -1 and 32767, with higher values
32297 indicating higher priority. Higher priority swap will generally be used
32304 @node Hurd Services
32305 @subsection Hurd Services
32307 @defvr {Scheme Variable} hurd-console-service-type
32308 This service starts the fancy @code{VGA} console client on the Hurd.
32310 The service's value is a @code{hurd-console-configuration} record.
32313 @deftp {Data Type} hurd-console-configuration
32314 This is the data type representing the configuration for the
32315 hurd-console-service.
32318 @item @code{hurd} (default: @var{hurd})
32319 The Hurd package to use.
32323 @defvr {Scheme Variable} hurd-getty-service-type
32324 This service starts a tty using the Hurd @code{getty} program.
32326 The service's value is a @code{hurd-getty-configuration} record.
32329 @deftp {Data Type} hurd-getty-configuration
32330 This is the data type representing the configuration for the
32331 hurd-getty-service.
32334 @item @code{hurd} (default: @var{hurd})
32335 The Hurd package to use.
32338 The name of the console this Getty runs on---e.g., @code{"tty1"}.
32340 @item @code{baud-rate} (default: @code{38400})
32341 An integer specifying the baud rate of the tty.
32346 @node Miscellaneous Services
32347 @subsection Miscellaneous Services
32349 @cindex fingerprint
32350 @subsubheading Fingerprint Service
32352 The @code{(gnu services authentication)} module provides a DBus service to
32353 read and identify fingerprints via a fingerprint sensor.
32355 @defvr {Scheme Variable} fprintd-service-type
32356 The service type for @command{fprintd}, which provides the fingerprint
32357 reading capability.
32360 (service fprintd-service-type)
32365 @subsubheading System Control Service
32367 The @code{(gnu services sysctl)} provides a service to configure kernel
32368 parameters at boot.
32370 @defvr {Scheme Variable} sysctl-service-type
32371 The service type for @command{sysctl}, which modifies kernel parameters
32372 under @file{/proc/sys/}. To enable IPv4 forwarding, it can be
32376 (service sysctl-service-type
32377 (sysctl-configuration
32378 (settings '(("net.ipv4.ip_forward" . "1")))))
32381 Since @code{sysctl-service-type} is used in the default lists of
32382 services, @code{%base-services} and @code{%desktop-services}, you can
32383 use @code{modify-services} to change its configuration and add the
32384 kernel parameters that you want (@pxref{Service Reference,
32385 @code{modify-services}}).
32388 (modify-services %base-services
32389 (sysctl-service-type config =>
32390 (sysctl-configuration
32391 (settings (append '(("net.ipv4.ip_forward" . "1"))
32392 %default-sysctl-settings)))))
32397 @deftp {Data Type} sysctl-configuration
32398 The data type representing the configuration of @command{sysctl}.
32401 @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"})
32402 The @command{sysctl} executable to use.
32404 @item @code{settings} (default: @code{%default-sysctl-settings})
32405 An association list specifies kernel parameters and their values.
32409 @defvr {Scheme Variable} %default-sysctl-settings
32410 An association list specifying the default @command{sysctl} parameters
32415 @subsubheading PC/SC Smart Card Daemon Service
32417 The @code{(gnu services security-token)} module provides the following service
32418 to run @command{pcscd}, the PC/SC Smart Card Daemon. @command{pcscd} is the
32419 daemon program for pcsc-lite and the MuscleCard framework. It is a resource
32420 manager that coordinates communications with smart card readers, smart cards
32421 and cryptographic tokens that are connected to the system.
32423 @defvr {Scheme Variable} pcscd-service-type
32424 Service type for the @command{pcscd} service. Its value must be a
32425 @code{pcscd-configuration} object. To run pcscd in the default
32426 configuration, instantiate it as:
32429 (service pcscd-service-type)
32433 @deftp {Data Type} pcscd-configuration
32434 The data type representing the configuration of @command{pcscd}.
32437 @item @code{pcsc-lite} (default: @code{pcsc-lite})
32438 The pcsc-lite package that provides pcscd.
32439 @item @code{usb-drivers} (default: @code{(list ccid)})
32440 List of packages that provide USB drivers to pcscd. Drivers are expected to be
32441 under @file{pcsc/drivers} in the store directory of the package.
32446 @subsubheading Lirc Service
32448 The @code{(gnu services lirc)} module provides the following service.
32450 @deffn {Scheme Procedure} lirc-service [#:lirc lirc] @
32451 [#:device #f] [#:driver #f] [#:config-file #f] @
32452 [#:extra-options '()]
32453 Return a service that runs @url{http://www.lirc.org,LIRC}, a daemon that
32454 decodes infrared signals from remote controls.
32456 Optionally, @var{device}, @var{driver} and @var{config-file}
32457 (configuration file name) may be specified. See @command{lircd} manual
32460 Finally, @var{extra-options} is a list of additional command-line options
32461 passed to @command{lircd}.
32465 @subsubheading Spice Service
32467 The @code{(gnu services spice)} module provides the following service.
32469 @deffn {Scheme Procedure} spice-vdagent-service [#:spice-vdagent]
32470 Returns a service that runs @url{https://www.spice-space.org,VDAGENT}, a daemon
32471 that enables sharing the clipboard with a vm and setting the guest display
32472 resolution when the graphical console window resizes.
32475 @cindex inputattach
32476 @subsubheading inputattach Service
32478 @cindex tablet input, for Xorg
32479 @cindex touchscreen input, for Xorg
32480 The @uref{https://linuxwacom.github.io/, inputattach} service allows you to
32481 use input devices such as Wacom tablets, touchscreens, or joysticks with the
32482 Xorg display server.
32484 @deffn {Scheme Variable} inputattach-service-type
32485 Type of a service that runs @command{inputattach} on a device and
32486 dispatches events from it.
32489 @deftp {Data Type} inputattach-configuration
32491 @item @code{device-type} (default: @code{"wacom"})
32492 The type of device to connect to. Run @command{inputattach --help}, from the
32493 @code{inputattach} package, to see the list of supported device types.
32495 @item @code{device} (default: @code{"/dev/ttyS0"})
32496 The device file to connect to the device.
32498 @item @code{baud-rate} (default: @code{#f})
32499 Baud rate to use for the serial connection.
32500 Should be a number or @code{#f}.
32502 @item @code{log-file} (default: @code{#f})
32503 If true, this must be the name of a file to log messages to.
32507 @subsubheading Dictionary Service
32509 The @code{(gnu services dict)} module provides the following service:
32511 @defvr {Scheme Variable} dicod-service-type
32512 This is the type of the service that runs the @command{dicod} daemon, an
32513 implementation of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}).
32516 @deffn {Scheme Procedure} dicod-service [#:config (dicod-configuration)]
32517 Return a service that runs the @command{dicod} daemon, an implementation
32518 of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}).
32520 The optional @var{config} argument specifies the configuration for
32521 @command{dicod}, which should be a @code{<dicod-configuration>} object, by
32522 default it serves the GNU Collaborative International Dictionary of English.
32524 You can add @command{open localhost} to your @file{~/.dico} file to make
32525 @code{localhost} the default server for @command{dico} client
32526 (@pxref{Initialization File,,, dico, GNU Dico Manual}).
32529 @deftp {Data Type} dicod-configuration
32530 Data type representing the configuration of dicod.
32533 @item @code{dico} (default: @var{dico})
32534 Package object of the GNU Dico dictionary server.
32536 @item @code{interfaces} (default: @var{'("localhost")})
32537 This is the list of IP addresses and ports and possibly socket file
32538 names to listen to (@pxref{Server Settings, @code{listen} directive,,
32539 dico, GNU Dico Manual}).
32541 @item @code{handlers} (default: @var{'()})
32542 List of @code{<dicod-handler>} objects denoting handlers (module instances).
32544 @item @code{databases} (default: @var{(list %dicod-database:gcide)})
32545 List of @code{<dicod-database>} objects denoting dictionaries to be served.
32549 @deftp {Data Type} dicod-handler
32550 Data type representing a dictionary handler (module instance).
32554 Name of the handler (module instance).
32556 @item @code{module} (default: @var{#f})
32557 Name of the dicod module of the handler (instance). If it is @code{#f},
32558 the module has the same name as the handler.
32559 (@pxref{Modules,,, dico, GNU Dico Manual}).
32561 @item @code{options}
32562 List of strings or gexps representing the arguments for the module handler
32566 @deftp {Data Type} dicod-database
32567 Data type representing a dictionary database.
32571 Name of the database, will be used in DICT commands.
32573 @item @code{handler}
32574 Name of the dicod handler (module instance) used by this database
32575 (@pxref{Handlers,,, dico, GNU Dico Manual}).
32577 @item @code{complex?} (default: @var{#f})
32578 Whether the database configuration complex. The complex configuration
32579 will need a corresponding @code{<dicod-handler>} object, otherwise not.
32581 @item @code{options}
32582 List of strings or gexps representing the arguments for the database
32583 (@pxref{Databases,,, dico, GNU Dico Manual}).
32587 @defvr {Scheme Variable} %dicod-database:gcide
32588 A @code{<dicod-database>} object serving the GNU Collaborative International
32589 Dictionary of English using the @code{gcide} package.
32592 The following is an example @code{dicod-service} configuration.
32595 (dicod-service #:config
32596 (dicod-configuration
32597 (handlers (list (dicod-handler
32601 (list #~(string-append "dbdir=" #$wordnet))))))
32602 (databases (list (dicod-database
32605 (handler "wordnet")
32606 (options '("database=wn")))
32607 %dicod-database:gcide))))
32611 @subsubheading Docker Service
32613 The @code{(gnu services docker)} module provides the following services.
32615 @defvr {Scheme Variable} docker-service-type
32617 This is the type of the service that runs @url{https://www.docker.com,Docker},
32618 a daemon that can execute application bundles (sometimes referred to as
32619 ``containers'') in isolated environments.
32623 @deftp {Data Type} docker-configuration
32624 This is the data type representing the configuration of Docker and Containerd.
32628 @item @code{docker} (default: @code{docker})
32629 The Docker daemon package to use.
32631 @item @code{docker-cli} (default: @code{docker-cli})
32632 The Docker client package to use.
32634 @item @code{containerd} (default: @var{containerd})
32635 The Containerd package to use.
32637 @item @code{proxy} (default @var{docker-libnetwork-cmd-proxy})
32638 The Docker user-land networking proxy package to use.
32640 @item @code{enable-proxy?} (default @code{#t})
32641 Enable or disable the use of the Docker user-land networking proxy.
32643 @item @code{debug?} (default @code{#f})
32644 Enable or disable debug output.
32646 @item @code{enable-iptables?} (default @code{#t})
32647 Enable or disable the addition of iptables rules.
32652 @cindex Singularity, container service
32653 @defvr {Scheme Variable} singularity-service-type
32654 This is the type of the service that allows you to run
32655 @url{https://www.sylabs.io/singularity/, Singularity}, a Docker-style tool to
32656 create and run application bundles (aka. ``containers''). The value for this
32657 service is the Singularity package to use.
32659 The service does not install a daemon; instead, it installs helper programs as
32660 setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke
32661 @command{singularity run} and similar commands.
32665 @subsubheading Auditd Service
32667 The @code{(gnu services auditd)} module provides the following service.
32669 @defvr {Scheme Variable} auditd-service-type
32671 This is the type of the service that runs
32672 @url{https://people.redhat.com/sgrubb/audit/,auditd},
32673 a daemon that tracks security-relevant information on your system.
32675 Examples of things that can be tracked:
32685 Failed login attempts
32692 @command{auditctl} from the @code{audit} package can be used in order
32693 to add or remove events to be tracked (until the next reboot).
32694 In order to permanently track events, put the command line arguments
32695 of auditctl into a file called @code{audit.rules} in the configuration
32696 directory (see below).
32697 @command{aureport} from the @code{audit} package can be used in order
32698 to view a report of all recorded events.
32699 The audit daemon by default logs into the file
32700 @file{/var/log/audit.log}.
32704 @deftp {Data Type} auditd-configuration
32705 This is the data type representing the configuration of auditd.
32709 @item @code{audit} (default: @code{audit})
32710 The audit package to use.
32712 @item @code{configuration-directory} (default: @code{%default-auditd-configuration-directory})
32713 The directory containing the configuration file for the audit package, which
32714 must be named @code{auditd.conf}, and optionally some audit rules to
32715 instantiate on startup.
32721 @subsubheading R-Shiny service
32723 The @code{(gnu services science)} module provides the following service.
32725 @defvr {Scheme Variable} rshiny-service-type
32727 This is a type of service which is used to run a webapp created with
32728 @code{r-shiny}. This service sets the @env{R_LIBS_USER} environment
32729 variable and runs the provided script to call @code{runApp}.
32731 @deftp {Data Type} rshiny-configuration
32732 This is the data type representing the configuration of rshiny.
32736 @item @code{package} (default: @code{r-shiny})
32737 The package to use.
32739 @item @code{binary} (defaunlt @code{"rshiny"})
32740 The name of the binary or shell script located at @code{package/bin/} to
32741 run when the service is run.
32743 The common way to create this file is as follows:
32747 (let* ((out (assoc-ref %outputs "out"))
32748 (targetdir (string-append out "/share/" ,name))
32749 (app (string-append out "/bin/" ,name))
32750 (Rbin (string-append (assoc-ref %build-inputs "r-min")
32753 (mkdir-p (string-append out "/bin"))
32754 (call-with-output-file app
32760 runApp(launch.browser=0, port=4202)~%\n"
32769 @subsubheading Nix service
32771 The @code{(gnu services nix)} module provides the following service.
32773 @defvr {Scheme Variable} nix-service-type
32775 This is the type of the service that runs build daemon of the
32776 @url{https://nixos.org/nix/, Nix} package manager. Here is an example showing
32780 (use-modules (gnu))
32781 (use-service-modules nix)
32782 (use-package-modules package-management)
32786 (packages (append (list nix)
32789 (services (append (list (service nix-service-type))
32793 After @command{guix system reconfigure} configure Nix for your user:
32796 @item Add a Nix channel and update it. See
32797 @url{https://nixos.org/nix/manual/, Nix Package Manager Guide}.
32799 @item Create a symlink to your profile and activate Nix profile:
32803 $ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
32804 $ source /run/current-system/profile/etc/profile.d/nix.sh
32809 @deftp {Data Type} nix-configuration
32810 This data type represents the configuration of the Nix daemon.
32813 @item @code{nix} (default: @code{nix})
32814 The Nix package to use.
32816 @item @code{sandbox} (default: @code{#t})
32817 Specifies whether builds are sandboxed by default.
32819 @item @code{build-sandbox-items} (default: @code{'()})
32820 This is a list of strings or objects appended to the
32821 @code{build-sandbox-items} field of the configuration file.
32823 @item @code{extra-config} (default: @code{'()})
32824 This is a list of strings or objects appended to the configuration file.
32825 It is used to pass extra text to be added verbatim to the configuration
32828 @item @code{extra-options} (default: @code{'()})
32829 Extra command line options for @code{nix-service-type}.
32833 @node Setuid Programs
32834 @section Setuid Programs
32836 @cindex setuid programs
32837 Some programs need to run with ``root'' privileges, even when they are
32838 launched by unprivileged users. A notorious example is the
32839 @command{passwd} program, which users can run to change their
32840 password, and which needs to access the @file{/etc/passwd} and
32841 @file{/etc/shadow} files---something normally restricted to root, for
32842 obvious security reasons. To address that, these executables are
32843 @dfn{setuid-root}, meaning that they always run with root privileges
32844 (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
32845 for more info about the setuid mechanism).
32847 The store itself @emph{cannot} contain setuid programs: that would be a
32848 security issue since any user on the system can write derivations that
32849 populate the store (@pxref{The Store}). Thus, a different mechanism is
32850 used: instead of changing the setuid bit directly on files that are in
32851 the store, we let the system administrator @emph{declare} which programs
32852 should be setuid root.
32854 The @code{setuid-programs} field of an @code{operating-system}
32855 declaration contains a list of @code{<setuid-program>} denoting the
32856 names of programs to have a setuid or setgid bit set (@pxref{Using the
32857 Configuration System}). For instance, the @command{passwd} program,
32858 which is part of the Shadow package, with a setuid root can be
32859 designated like this:
32863 (program (file-append #$shadow "/bin/passwd")))
32866 @deftp {Data Type} setuid-program
32867 This data type represents a program with a setuid or setgid bit set.
32870 @item @code{program}
32871 A file-like object having its setuid and/or setgid bit set.
32873 @item @code{setuid?} (default: @code{#t})
32874 Whether to set user setuid bit.
32876 @item @code{setgid?} (default: @code{#f})
32877 Whether to set group setgid bit.
32879 @item @code{user} (default: @code{0})
32880 UID (integer) or user name (string) for the user owner of the program,
32883 @item @code{group} (default: @code{0})
32884 GID (integer) goup name (string) for the group owner of the program,
32890 A default set of setuid programs is defined by the
32891 @code{%setuid-programs} variable of the @code{(gnu system)} module.
32893 @defvr {Scheme Variable} %setuid-programs
32894 A list of @code{<setuid-program>} denoting common programs that are
32897 The list includes commands such as @command{passwd}, @command{ping},
32898 @command{su}, and @command{sudo}.
32901 Under the hood, the actual setuid programs are created in the
32902 @file{/run/setuid-programs} directory at system activation time. The
32903 files in this directory refer to the ``real'' binaries, which are in the
32906 @node X.509 Certificates
32907 @section X.509 Certificates
32909 @cindex HTTPS, certificates
32910 @cindex X.509 certificates
32912 Web servers available over HTTPS (that is, HTTP over the transport-layer
32913 security mechanism, TLS) send client programs an @dfn{X.509 certificate}
32914 that the client can then use to @emph{authenticate} the server. To do
32915 that, clients verify that the server's certificate is signed by a
32916 so-called @dfn{certificate authority} (CA). But to verify the CA's
32917 signature, clients must have first acquired the CA's certificate.
32919 Web browsers such as GNU@tie{}IceCat include their own set of CA
32920 certificates, such that they are able to verify CA signatures
32923 However, most other programs that can talk HTTPS---@command{wget},
32924 @command{git}, @command{w3m}, etc.---need to be told where CA
32925 certificates can be found.
32927 @cindex @code{nss-certs}
32928 In Guix, this is done by adding a package that provides certificates
32929 to the @code{packages} field of the @code{operating-system} declaration
32930 (@pxref{operating-system Reference}). Guix includes one such package,
32931 @code{nss-certs}, which is a set of CA certificates provided as part of
32932 Mozilla's Network Security Services.
32934 Note that it is @emph{not} part of @code{%base-packages}, so you need to
32935 explicitly add it. The @file{/etc/ssl/certs} directory, which is where
32936 most applications and libraries look for certificates by default, points
32937 to the certificates installed globally.
32939 Unprivileged users, including users of Guix on a foreign distro,
32940 can also install their own certificate package in
32941 their profile. A number of environment variables need to be defined so
32942 that applications and libraries know where to find them. Namely, the
32943 OpenSSL library honors the @env{SSL_CERT_DIR} and @env{SSL_CERT_FILE}
32944 variables. Some applications add their own environment variables; for
32945 instance, the Git version control system honors the certificate bundle
32946 pointed to by the @env{GIT_SSL_CAINFO} environment variable. Thus, you
32947 would typically run something like:
32950 guix install nss-certs
32951 export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
32952 export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
32953 export GIT_SSL_CAINFO="$SSL_CERT_FILE"
32956 As another example, R requires the @env{CURL_CA_BUNDLE} environment
32957 variable to point to a certificate bundle, so you would have to run
32958 something like this:
32961 guix install nss-certs
32962 export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
32965 For other applications you may want to look up the required environment
32966 variable in the relevant documentation.
32969 @node Name Service Switch
32970 @section Name Service Switch
32972 @cindex name service switch
32974 The @code{(gnu system nss)} module provides bindings to the
32975 configuration file of the libc @dfn{name service switch} or @dfn{NSS}
32976 (@pxref{NSS Configuration File,,, libc, The GNU C Library Reference
32977 Manual}). In a nutshell, the NSS is a mechanism that allows libc to be
32978 extended with new ``name'' lookup methods for system databases, which
32979 includes host names, service names, user accounts, and more (@pxref{Name
32980 Service Switch, System Databases and Name Service Switch,, libc, The GNU
32981 C Library Reference Manual}).
32983 The NSS configuration specifies, for each system database, which lookup
32984 method is to be used, and how the various methods are chained
32985 together---for instance, under which circumstances NSS should try the
32986 next method in the list. The NSS configuration is given in the
32987 @code{name-service-switch} field of @code{operating-system} declarations
32988 (@pxref{operating-system Reference, @code{name-service-switch}}).
32991 @cindex .local, host name lookup
32992 As an example, the declaration below configures the NSS to use the
32993 @uref{https://0pointer.de/lennart/projects/nss-mdns/, @code{nss-mdns}
32994 back-end}, which supports host name lookups over multicast DNS (mDNS)
32995 for host names ending in @code{.local}:
32998 (name-service-switch
32999 (hosts (list %files ;first, check /etc/hosts
33001 ;; If the above did not succeed, try
33002 ;; with 'mdns_minimal'.
33004 (name "mdns_minimal")
33006 ;; 'mdns_minimal' is authoritative for
33007 ;; '.local'. When it returns "not found",
33008 ;; no need to try the next methods.
33009 (reaction (lookup-specification
33010 (not-found => return))))
33012 ;; Then fall back to DNS.
33016 ;; Finally, try with the "full" 'mdns'.
33021 Do not worry: the @code{%mdns-host-lookup-nss} variable (see below)
33022 contains this configuration, so you will not have to type it if all you
33023 want is to have @code{.local} host lookup working.
33025 Note that, in this case, in addition to setting the
33026 @code{name-service-switch} of the @code{operating-system} declaration,
33027 you also need to use @code{avahi-service-type} (@pxref{Networking Services,
33028 @code{avahi-service-type}}), or @code{%desktop-services}, which includes it
33029 (@pxref{Desktop Services}). Doing this makes @code{nss-mdns} accessible
33030 to the name service cache daemon (@pxref{Base Services,
33031 @code{nscd-service}}).
33033 For convenience, the following variables provide typical NSS
33036 @defvr {Scheme Variable} %default-nss
33037 This is the default name service switch configuration, a
33038 @code{name-service-switch} object.
33041 @defvr {Scheme Variable} %mdns-host-lookup-nss
33042 This is the name service switch configuration with support for host name
33043 lookup over multicast DNS (mDNS) for host names ending in @code{.local}.
33046 The reference for name service switch configuration is given below. It
33047 is a direct mapping of the configuration file format of the C library , so
33048 please refer to the C library manual for more information (@pxref{NSS
33049 Configuration File,,, libc, The GNU C Library Reference Manual}).
33050 Compared to the configuration file format of libc NSS, it has the advantage
33051 not only of adding this warm parenthetic feel that we like, but also
33052 static checks: you will know about syntax errors and typos as soon as you
33053 run @command{guix system}.
33055 @deftp {Data Type} name-service-switch
33057 This is the data type representation the configuration of libc's name
33058 service switch (NSS). Each field below represents one of the supported
33075 The system databases handled by the NSS@. Each of these fields must be a
33076 list of @code{<name-service>} objects (see below).
33080 @deftp {Data Type} name-service
33082 This is the data type representing an actual name service and the
33083 associated lookup action.
33087 A string denoting the name service (@pxref{Services in the NSS
33088 configuration,,, libc, The GNU C Library Reference Manual}).
33090 Note that name services listed here must be visible to nscd. This is
33091 achieved by passing the @code{#:name-services} argument to
33092 @code{nscd-service} the list of packages providing the needed name
33093 services (@pxref{Base Services, @code{nscd-service}}).
33096 An action specified using the @code{lookup-specification} macro
33097 (@pxref{Actions in the NSS configuration,,, libc, The GNU C Library
33098 Reference Manual}). For example:
33101 (lookup-specification (unavailable => continue)
33102 (success => return))
33107 @node Initial RAM Disk
33108 @section Initial RAM Disk
33111 @cindex initial RAM disk
33112 For bootstrapping purposes, the Linux-Libre kernel is passed an
33113 @dfn{initial RAM disk}, or @dfn{initrd}. An initrd contains a temporary
33114 root file system as well as an initialization script. The latter is
33115 responsible for mounting the real root file system, and for loading any
33116 kernel modules that may be needed to achieve that.
33118 The @code{initrd-modules} field of an @code{operating-system}
33119 declaration allows you to specify Linux-libre kernel modules that must
33120 be available in the initrd. In particular, this is where you would list
33121 modules needed to actually drive the hard disk where your root partition
33122 is---although the default value of @code{initrd-modules} should cover
33123 most use cases. For example, assuming you need the @code{megaraid_sas}
33124 module in addition to the default modules to be able to access your root
33125 file system, you would write:
33130 (initrd-modules (cons "megaraid_sas" %base-initrd-modules)))
33133 @defvr {Scheme Variable} %base-initrd-modules
33134 This is the list of kernel modules included in the initrd by default.
33137 Furthermore, if you need lower-level customization, the @code{initrd}
33138 field of an @code{operating-system} declaration allows
33139 you to specify which initrd you would like to use. The @code{(gnu
33140 system linux-initrd)} module provides three ways to build an initrd: the
33141 high-level @code{base-initrd} procedure and the low-level
33142 @code{raw-initrd} and @code{expression->initrd} procedures.
33144 The @code{base-initrd} procedure is intended to cover most common uses.
33145 For example, if you want to add a bunch of kernel modules to be loaded
33146 at boot time, you can define the @code{initrd} field of the operating
33147 system declaration like this:
33150 (initrd (lambda (file-systems . rest)
33151 ;; Create a standard initrd but set up networking
33152 ;; with the parameters QEMU expects by default.
33153 (apply base-initrd file-systems
33154 #:qemu-networking? #t
33158 The @code{base-initrd} procedure also handles common use cases that
33159 involves using the system as a QEMU guest, or as a ``live'' system with
33160 volatile root file system.
33162 The @code{base-initrd} procedure is built from @code{raw-initrd} procedure.
33163 Unlike @code{base-initrd}, @code{raw-initrd} doesn't do anything high-level,
33164 such as trying to guess which kernel modules and packages should be included
33165 to the initrd. An example use of @code{raw-initrd} is when a user has
33166 a custom Linux kernel configuration and default kernel modules included by
33167 @code{base-initrd} are not available.
33169 The initial RAM disk produced by @code{base-initrd} or @code{raw-initrd}
33170 honors several options passed on the Linux kernel command line
33171 (that is, arguments passed @i{via} the @code{linux} command of GRUB, or the
33172 @code{-append} option of QEMU), notably:
33175 @item --load=@var{boot}
33176 Tell the initial RAM disk to load @var{boot}, a file containing a Scheme
33177 program, once it has mounted the root file system.
33179 Guix uses this option to yield control to a boot program that runs the
33180 service activation programs and then spawns the GNU@tie{}Shepherd, the
33181 initialization system.
33183 @item --root=@var{root}
33184 Mount @var{root} as the root file system. @var{root} can be a device
33185 name like @code{/dev/sda1}, a file system label, or a file system UUID.
33186 When unspecified, the device name from the root file system of the
33187 operating system declaration is used.
33189 @item --system=@var{system}
33190 Have @file{/run/booted-system} and @file{/run/current-system} point to
33193 @item modprobe.blacklist=@var{modules}@dots{}
33194 @cindex module, black-listing
33195 @cindex black list, of kernel modules
33196 Instruct the initial RAM disk as well as the @command{modprobe} command
33197 (from the kmod package) to refuse to load @var{modules}. @var{modules}
33198 must be a comma-separated list of module names---e.g.,
33199 @code{usbkbd,9pnet}.
33202 Start a read-eval-print loop (REPL) from the initial RAM disk before it
33203 tries to load kernel modules and to mount the root file system. Our
33204 marketing team calls it @dfn{boot-to-Guile}. The Schemer in you will
33205 love it. @xref{Using Guile Interactively,,, guile, GNU Guile Reference
33206 Manual}, for more information on Guile's REPL.
33210 Now that you know all the features that initial RAM disks produced by
33211 @code{base-initrd} and @code{raw-initrd} provide,
33212 here is how to use it and customize it further.
33215 @cindex initial RAM disk
33216 @deffn {Scheme Procedure} raw-initrd @var{file-systems} @
33217 [#:linux-modules '()] [#:mapped-devices '()] @
33218 [#:keyboard-layout #f] @
33219 [#:helper-packages '()] [#:qemu-networking? #f] [#:volatile-root? #f]
33220 Return a derivation that builds a raw initrd. @var{file-systems} is
33221 a list of file systems to be mounted by the initrd, possibly in addition to
33222 the root file system specified on the kernel command line via @option{--root}.
33223 @var{linux-modules} is a list of kernel modules to be loaded at boot time.
33224 @var{mapped-devices} is a list of device mappings to realize before
33225 @var{file-systems} are mounted (@pxref{Mapped Devices}).
33226 @var{helper-packages} is a list of packages to be copied in the initrd.
33228 include @code{e2fsck/static} or other packages needed by the initrd to check
33229 the root file system.
33231 When true, @var{keyboard-layout} is a @code{<keyboard-layout>} record denoting
33232 the desired console keyboard layout. This is done before @var{mapped-devices}
33233 are set up and before @var{file-systems} are mounted such that, should the
33234 user need to enter a passphrase or use the REPL, this happens using the
33235 intended keyboard layout.
33237 When @var{qemu-networking?} is true, set up networking with the standard QEMU
33238 parameters. When @var{virtio?} is true, load additional modules so that the
33239 initrd can be used as a QEMU guest with para-virtualized I/O drivers.
33241 When @var{volatile-root?} is true, the root file system is writable but any changes
33245 @deffn {Scheme Procedure} base-initrd @var{file-systems} @
33246 [#:mapped-devices '()] [#:keyboard-layout #f] @
33247 [#:qemu-networking? #f] [#:volatile-root? #f] @
33248 [#:linux-modules '()]
33249 Return as a file-like object a generic initrd, with kernel
33250 modules taken from @var{linux}. @var{file-systems} is a list of file-systems to be
33251 mounted by the initrd, possibly in addition to the root file system specified
33252 on the kernel command line via @option{--root}. @var{mapped-devices} is a list of device
33253 mappings to realize before @var{file-systems} are mounted.
33255 When true, @var{keyboard-layout} is a @code{<keyboard-layout>} record denoting
33256 the desired console keyboard layout. This is done before @var{mapped-devices}
33257 are set up and before @var{file-systems} are mounted such that, should the
33258 user need to enter a passphrase or use the REPL, this happens using the
33259 intended keyboard layout.
33261 @var{qemu-networking?} and @var{volatile-root?} behaves as in @code{raw-initrd}.
33263 The initrd is automatically populated with all the kernel modules necessary
33264 for @var{file-systems} and for the given options. Additional kernel
33265 modules can be listed in @var{linux-modules}. They will be added to the initrd, and
33266 loaded at boot time in the order in which they appear.
33269 Needless to say, the initrds we produce and use embed a
33270 statically-linked Guile, and the initialization program is a Guile
33271 program. That gives a lot of flexibility. The
33272 @code{expression->initrd} procedure builds such an initrd, given the
33273 program to run in that initrd.
33275 @deffn {Scheme Procedure} expression->initrd @var{exp} @
33276 [#:guile %guile-static-stripped] [#:name "guile-initrd"]
33277 Return as a file-like object a Linux initrd (a gzipped cpio archive)
33278 containing @var{guile} and that evaluates @var{exp}, a G-expression,
33279 upon booting. All the derivations referenced by @var{exp} are
33280 automatically copied to the initrd.
33283 @node Bootloader Configuration
33284 @section Bootloader Configuration
33287 @cindex boot loader
33289 The operating system supports multiple bootloaders. The bootloader is
33290 configured using @code{bootloader-configuration} declaration. All the
33291 fields of this structure are bootloader agnostic except for one field,
33292 @code{bootloader} that indicates the bootloader to be configured and
33295 Some of the bootloaders do not honor every field of
33296 @code{bootloader-configuration}. For instance, the extlinux
33297 bootloader does not support themes and thus ignores the @code{theme}
33300 @deftp {Data Type} bootloader-configuration
33301 The type of a bootloader configuration declaration.
33305 @item @code{bootloader}
33306 @cindex EFI, bootloader
33307 @cindex UEFI, bootloader
33308 @cindex BIOS, bootloader
33309 The bootloader to use, as a @code{bootloader} object. For now
33310 @code{grub-bootloader}, @code{grub-efi-bootloader},
33311 @code{grub-efi-netboot-bootloader}, @code{extlinux-bootloader} and
33312 @code{u-boot-bootloader} are supported.
33314 @cindex ARM, bootloaders
33315 @cindex AArch64, bootloaders
33316 Available bootloaders are described in @code{(gnu bootloader @dots{})}
33317 modules. In particular, @code{(gnu bootloader u-boot)} contains definitions
33318 of bootloaders for a wide range of ARM and AArch64 systems, using the
33319 @uref{https://www.denx.de/wiki/U-Boot/, U-Boot bootloader}.
33321 @vindex grub-efi-bootloader
33322 @code{grub-efi-bootloader} allows to boot on modern systems using the
33323 @dfn{Unified Extensible Firmware Interface} (UEFI). This is what you should
33324 use if the installation image contains a @file{/sys/firmware/efi} directory
33325 when you boot it on your system.
33327 @vindex grub-bootloader
33328 @code{grub-bootloader} allows you to boot in particular Intel-based machines
33329 in ``legacy'' BIOS mode.
33331 @vindex grub-efi-netboot-bootloader
33332 @code{grub-efi-netboot-bootloader} allows you to boot your system over network
33333 through TFTP@. In combination with an NFS root file system this allows you to
33334 build a diskless Guix system.
33336 The installation of the @code{grub-efi-netboot-bootloader} generates the
33337 content of the TFTP root directory at @code{targets} (@pxref{Bootloader
33338 Configuration, @code{targets}}), to be served by a TFTP server. You may
33339 want to mount your TFTP server directories onto the @code{targets} to
33340 move the required files to the TFTP server automatically.
33342 If you plan to use an NFS root file system as well (actually if you mount the
33343 store from an NFS share), then the TFTP server needs to serve the file
33344 @file{/boot/grub/grub.cfg} and other files from the store (like GRUBs background
33345 image, the kernel (@pxref{operating-system Reference, @code{kernel}}) and the
33346 initrd (@pxref{operating-system Reference, @code{initrd}})), too. All these
33347 files from the store will be accessed by GRUB through TFTP with their normal
33348 store path, for example as
33349 @file{tftp://tftp-server/gnu/store/…-initrd/initrd.cpio.gz}.
33351 Two symlinks are created to make this possible. For each target in the
33352 @code{targets} field, the first symlink is
33353 @samp{target}@file{/efi/Guix/boot/grub/grub.cfg} pointing to
33354 @file{../../../boot/grub/grub.cfg}, where @samp{target} may be
33355 @file{/boot}. In this case the link is not leaving the served TFTP root
33356 directory, but otherwise it does. The second link is
33357 @samp{target}@file{/gnu/store} and points to @file{../gnu/store}. This
33358 link is leaving the served TFTP root directory.
33360 The assumption behind all this is that you have an NFS server exporting
33361 the root file system for your Guix system, and additionally a TFTP
33362 server exporting your @code{targets} directories—usually a single
33363 @file{/boot}—from that same root file system for your Guix system. In
33364 this constellation the symlinks will work.
33366 For other constellations you will have to program your own bootloader
33367 installer, which then takes care to make necessary files from the store
33368 accessible through TFTP, for example by copying them into the TFTP root
33369 directory to your @code{targets}.
33371 It is important to note that symlinks pointing outside the TFTP root directory
33372 may need to be allowed in the configuration of your TFTP server. Further the
33373 store link exposes the whole store through TFTP@. Both points need to be
33374 considered carefully for security aspects.
33376 Beside the @code{grub-efi-netboot-bootloader}, the already mentioned TFTP and
33377 NFS servers, you also need a properly configured DHCP server to make the booting
33378 over netboot possible. For all this we can currently only recommend you to look
33379 for instructions about @acronym{PXE, Preboot eXecution Environment}.
33381 @item @code{targets}
33382 This is a list of strings denoting the targets onto which to install the
33385 The interpretation of targets depends on the bootloader in question.
33386 For @code{grub-bootloader}, for example, they should be device names
33387 understood by the bootloader @command{installer} command, such as
33388 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
33389 GNU GRUB Manual}). For @code{grub-efi-bootloader}, they should be mount
33390 points of the EFI file system, usually @file{/boot/efi}. For
33391 @code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
33392 points corresponding to TFTP root directories served by your TFTP
33395 @item @code{menu-entries} (default: @code{()})
33396 A possibly empty list of @code{menu-entry} objects (see below), denoting
33397 entries to appear in the bootloader menu, in addition to the current
33398 system entry and the entry pointing to previous system generations.
33400 @item @code{default-entry} (default: @code{0})
33401 The index of the default boot menu entry. Index 0 is for the entry of the
33404 @item @code{timeout} (default: @code{5})
33405 The number of seconds to wait for keyboard input before booting. Set to
33406 0 to boot immediately, and to -1 to wait indefinitely.
33408 @cindex keyboard layout, for the bootloader
33409 @item @code{keyboard-layout} (default: @code{#f})
33410 If this is @code{#f}, the bootloader's menu (if any) uses the default keyboard
33411 layout, usually US@tie{}English (``qwerty'').
33413 Otherwise, this must be a @code{keyboard-layout} object (@pxref{Keyboard
33417 This option is currently ignored by bootloaders other than @code{grub} and
33421 @item @code{theme} (default: @var{#f})
33422 The bootloader theme object describing the theme to use. If no theme
33423 is provided, some bootloaders might use a default theme, that's true
33426 @item @code{terminal-outputs} (default: @code{'(gfxterm)})
33427 The output terminals used for the bootloader boot menu, as a list of
33428 symbols. GRUB accepts the values: @code{console}, @code{serial},
33429 @code{serial_@{0-3@}}, @code{gfxterm}, @code{vga_text},
33430 @code{mda_text}, @code{morse}, and @code{pkmodem}. This field
33431 corresponds to the GRUB variable @code{GRUB_TERMINAL_OUTPUT} (@pxref{Simple
33432 configuration,,, grub,GNU GRUB manual}).
33434 @item @code{terminal-inputs} (default: @code{'()})
33435 The input terminals used for the bootloader boot menu, as a list of
33436 symbols. For GRUB, the default is the native platform terminal as
33437 determined at run-time. GRUB accepts the values: @code{console},
33438 @code{serial}, @code{serial_@{0-3@}}, @code{at_keyboard}, and
33439 @code{usb_keyboard}. This field corresponds to the GRUB variable
33440 @code{GRUB_TERMINAL_INPUT} (@pxref{Simple configuration,,, grub,GNU GRUB
33443 @item @code{serial-unit} (default: @code{#f})
33444 The serial unit used by the bootloader, as an integer from 0 to 3.
33445 For GRUB, it is chosen at run-time; currently GRUB chooses 0, which
33446 corresponds to COM1 (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
33448 @item @code{serial-speed} (default: @code{#f})
33449 The speed of the serial interface, as an integer. For GRUB, the
33450 default value is chosen at run-time; currently GRUB chooses
33451 9600@tie{}bps (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
33458 Should you want to list additional boot menu entries @i{via} the
33459 @code{menu-entries} field above, you will need to create them with the
33460 @code{menu-entry} form. For example, imagine you want to be able to
33461 boot another distro (hard to imagine!), you can define a menu entry
33466 (label "The Other Distro")
33467 (linux "/boot/old/vmlinux-2.6.32")
33468 (linux-arguments '("root=/dev/sda2"))
33469 (initrd "/boot/old/initrd"))
33474 @deftp {Data Type} menu-entry
33475 The type of an entry in the bootloader menu.
33480 The label to show in the menu---e.g., @code{"GNU"}.
33482 @item @code{linux} (default: @code{#f})
33483 The Linux kernel image to boot, for example:
33486 (file-append linux-libre "/bzImage")
33489 For GRUB, it is also possible to specify a device explicitly in the
33490 file path using GRUB's device naming convention (@pxref{Naming
33491 convention,,, grub, GNU GRUB manual}), for example:
33494 "(hd0,msdos1)/boot/vmlinuz"
33497 If the device is specified explicitly as above, then the @code{device}
33498 field is ignored entirely.
33500 @item @code{linux-arguments} (default: @code{()})
33501 The list of extra Linux kernel command-line arguments---e.g.,
33502 @code{("console=ttyS0")}.
33504 @item @code{initrd} (default: @code{#f})
33505 A G-Expression or string denoting the file name of the initial RAM disk
33506 to use (@pxref{G-Expressions}).
33508 @item @code{device} (default: @code{#f})
33509 The device where the kernel and initrd are to be found---i.e., for GRUB,
33510 @dfn{root} for this menu entry (@pxref{root,,, grub, GNU GRUB manual}).
33512 This may be a file system label (a string), a file system UUID (a
33513 bytevector, @pxref{File Systems}), or @code{#f}, in which case
33514 the bootloader will search the device containing the file specified by
33515 the @code{linux} field (@pxref{search,,, grub, GNU GRUB manual}). It
33516 must @emph{not} be an OS device name such as @file{/dev/sda1}.
33518 @item @code{multiboot-kernel} (default: @code{#f})
33519 The kernel to boot in Multiboot-mode (@pxref{multiboot,,, grub, GNU GRUB
33520 manual}). When this field is set, a Multiboot menu-entry is generated.
33524 (file-append mach "/boot/gnumach")
33527 @item @code{multiboot-arguments} (default: @code{()})
33528 The list of extra command-line arguments for the multiboot-kernel.
33530 @item @code{multiboot-modules} (default: @code{()})
33531 The list of commands for loading Multiboot modules. For example:
33534 (list (list (file-append hurd "/hurd/ext2fs.static") "ext2fs"
33536 (list (file-append libc "/lib/ld.so.1") "exec"
33546 @c FIXME: Write documentation once it's stable.
33547 For now only GRUB has theme support. GRUB themes are created using
33548 the @code{grub-theme} form, which is not fully documented yet.
33550 @deftp {Data Type} grub-theme
33551 Data type representing the configuration of the GRUB theme.
33554 @item @code{gfxmode} (default: @code{'("auto")})
33555 The GRUB @code{gfxmode} to set (a list of screen resolution strings,
33556 @pxref{gfxmode,,, grub, GNU GRUB manual}).
33560 @deffn {Scheme Procedure} grub-theme
33561 Return the default GRUB theme used by the operating system if no
33562 @code{theme} field is specified in @code{bootloader-configuration}
33565 It comes with a fancy background image displaying the GNU and Guix
33569 For example, to override the default resolution, you may use something
33574 (bootloader-configuration
33577 (inherit (grub-theme))
33578 (gfxmode '("1024x786x32" "auto"))))))
33581 @node Invoking guix system
33582 @section Invoking @code{guix system}
33584 Once you have written an operating system declaration as seen in the
33585 previous section, it can be @dfn{instantiated} using the @command{guix
33586 system} command. The synopsis is:
33589 guix system @var{options}@dots{} @var{action} @var{file}
33592 @var{file} must be the name of a file containing an
33593 @code{operating-system} declaration. @var{action} specifies how the
33594 operating system is instantiated. Currently the following values are
33599 Display available service type definitions that match the given regular
33600 expressions, sorted by relevance:
33606 $ guix system search console
33607 name: console-fonts
33608 location: gnu/services/base.scm:806:2
33609 extends: shepherd-root
33610 description: Install the given fonts on the specified ttys (fonts are per
33611 + virtual console on GNU/Linux). The value of this service is a list of
33612 + tty/font pairs. The font can be the name of a font provided by the `kbd'
33613 + package or any valid argument to `setfont', as in this example:
33615 + '(("tty1" . "LatGrkCyr-8x16")
33616 + ("tty2" . (file-append
33618 + "/share/kbd/consolefonts/TamzenForPowerline10x20.psf"))
33619 + ("tty3" . (file-append
33621 + "/share/consolefonts/ter-132n"))) ; for HDPI
33625 location: gnu/services/base.scm:1190:2
33626 extends: shepherd-root
33627 description: Provide console login using the `mingetty' program.
33631 location: gnu/services/base.scm:860:2
33633 description: Provide a console log-in service as specified by its
33634 + configuration value, a `login-configuration' object.
33640 As for @command{guix package --search}, the result is written in
33641 @code{recutils} format, which makes it easy to filter the output
33642 (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}).
33645 Build the operating system described in @var{file}, activate it, and
33646 switch to it@footnote{This action (and the related actions
33647 @code{switch-generation} and @code{roll-back}) are usable only on
33648 systems already running Guix System.}.
33651 @c The paragraph below refers to the problem discussed at
33652 @c <https://lists.gnu.org/archive/html/guix-devel/2014-08/msg00057.html>.
33653 It is highly recommended to run @command{guix pull} once before you run
33654 @command{guix system reconfigure} for the first time (@pxref{Invoking
33655 guix pull}). Failing to do that you would see an older version of Guix
33656 once @command{reconfigure} has completed.
33659 This effects all the configuration specified in @var{file}: user
33660 accounts, system services, global package list, setuid programs, etc.
33661 The command starts system services specified in @var{file} that are not
33662 currently running; if a service is currently running this command will
33663 arrange for it to be upgraded the next time it is stopped (e.g.@: by
33664 @code{herd stop X} or @code{herd restart X}).
33666 This command creates a new generation whose number is one greater than
33667 the current generation (as reported by @command{guix system
33668 list-generations}). If that generation already exists, it will be
33669 overwritten. This behavior mirrors that of @command{guix package}
33670 (@pxref{Invoking guix package}).
33672 It also adds a bootloader menu entry for the new OS configuration,
33673 ---unless @option{--no-bootloader} is passed. For GRUB, it moves
33674 entries for older configurations to a submenu, allowing you to choose
33675 an older system generation at boot time should you need it.
33677 @cindex provenance tracking, of the operating system
33678 Upon completion, the new system is deployed under
33679 @file{/run/current-system}. This directory contains @dfn{provenance
33680 meta-data}: the list of channels in use (@pxref{Channels}) and
33681 @var{file} itself, when available. You can view it by running:
33684 guix system describe
33687 This information is useful should you later want to inspect how this
33688 particular generation was built. In fact, assuming @var{file} is
33689 self-contained, you can later rebuild generation @var{n} of your
33690 operating system with:
33693 guix time-machine \
33694 -C /var/guix/profiles/system-@var{n}-link/channels.scm -- \
33695 system reconfigure \
33696 /var/guix/profiles/system-@var{n}-link/configuration.scm
33699 You can think of it as some sort of built-in version control! Your
33700 system is not just a binary artifact: @emph{it carries its own source}.
33701 @xref{Service Reference, @code{provenance-service-type}}, for more
33702 information on provenance tracking.
33704 By default, @command{reconfigure} @emph{prevents you from downgrading
33705 your system}, which could (re)introduce security vulnerabilities and
33706 also cause problems with ``stateful'' services such as database
33707 management systems. You can override that behavior by passing
33708 @option{--allow-downgrades}.
33710 @item switch-generation
33711 @cindex generations
33712 Switch to an existing system generation. This action atomically
33713 switches the system profile to the specified system generation. It
33714 also rearranges the system's existing bootloader menu entries. It
33715 makes the menu entry for the specified system generation the default,
33716 and it moves the entries for the other generations to a submenu, if
33717 supported by the bootloader being used. The next time the system
33718 boots, it will use the specified system generation.
33720 The bootloader itself is not being reinstalled when using this
33721 command. Thus, the installed bootloader is used with an updated
33722 configuration file.
33724 The target generation can be specified explicitly by its generation
33725 number. For example, the following invocation would switch to system
33729 guix system switch-generation 7
33732 The target generation can also be specified relative to the current
33733 generation with the form @code{+N} or @code{-N}, where @code{+3} means
33734 ``3 generations ahead of the current generation,'' and @code{-1} means
33735 ``1 generation prior to the current generation.'' When specifying a
33736 negative value such as @code{-1}, you must precede it with @code{--} to
33737 prevent it from being parsed as an option. For example:
33740 guix system switch-generation -- -1
33743 Currently, the effect of invoking this action is @emph{only} to switch
33744 the system profile to an existing generation and rearrange the
33745 bootloader menu entries. To actually start using the target system
33746 generation, you must reboot after running this action. In the future,
33747 it will be updated to do the same things as @command{reconfigure},
33748 like activating and deactivating services.
33750 This action will fail if the specified generation does not exist.
33753 @cindex rolling back
33754 Switch to the preceding system generation. The next time the system
33755 boots, it will use the preceding system generation. This is the inverse
33756 of @command{reconfigure}, and it is exactly the same as invoking
33757 @command{switch-generation} with an argument of @code{-1}.
33759 Currently, as with @command{switch-generation}, you must reboot after
33760 running this action to actually start using the preceding system
33763 @item delete-generations
33764 @cindex deleting system generations
33765 @cindex saving space
33766 Delete system generations, making them candidates for garbage collection
33767 (@pxref{Invoking guix gc}, for information on how to run the ``garbage
33770 This works in the same way as @samp{guix package --delete-generations}
33771 (@pxref{Invoking guix package, @option{--delete-generations}}). With no
33772 arguments, all system generations but the current one are deleted:
33775 guix system delete-generations
33778 You can also select the generations you want to delete. The example below
33779 deletes all the system generations that are more than two month old:
33782 guix system delete-generations 2m
33785 Running this command automatically reinstalls the bootloader with an updated
33786 list of menu entries---e.g., the ``old generations'' sub-menu in GRUB no
33787 longer lists the generations that have been deleted.
33790 Build the derivation of the operating system, which includes all the
33791 configuration files and programs needed to boot and run the system.
33792 This action does not actually install anything.
33795 Populate the given directory with all the files necessary to run the
33796 operating system specified in @var{file}. This is useful for first-time
33797 installations of Guix System. For instance:
33800 guix system init my-os-config.scm /mnt
33803 copies to @file{/mnt} all the store items required by the configuration
33804 specified in @file{my-os-config.scm}. This includes configuration
33805 files, packages, and so on. It also creates other essential files
33806 needed for the system to operate correctly---e.g., the @file{/etc},
33807 @file{/var}, and @file{/run} directories, and the @file{/bin/sh} file.
33809 This command also installs bootloader on the targets specified in
33810 @file{my-os-config}, unless the @option{--no-bootloader} option was
33814 @cindex virtual machine
33816 @anchor{guix system vm}
33817 Build a virtual machine that contains the operating system declared in
33818 @var{file}, and return a script to run that virtual machine (VM).
33821 The @code{vm} action and others below
33822 can use KVM support in the Linux-libre kernel. Specifically, if the
33823 machine has hardware virtualization support, the corresponding
33824 KVM kernel module should be loaded, and the @file{/dev/kvm} device node
33825 must exist and be readable and writable by the user and by the
33826 build users of the daemon (@pxref{Build Environment Setup}).
33829 Arguments given to the script are passed to QEMU as in the example
33830 below, which enables networking and requests 1@tie{}GiB of RAM for the
33834 $ /gnu/store/@dots{}-run-vm.sh -m 1024 -smp 2 -nic user,model=virtio-net-pci
33837 The VM shares its store with the host system.
33839 Additional file systems can be shared between the host and the VM using
33840 the @option{--share} and @option{--expose} command-line options: the former
33841 specifies a directory to be shared with write access, while the latter
33842 provides read-only access to the shared directory.
33844 The example below creates a VM in which the user's home directory is
33845 accessible read-only, and where the @file{/exchange} directory is a
33846 read-write mapping of @file{$HOME/tmp} on the host:
33849 guix system vm my-config.scm \
33850 --expose=$HOME --share=$HOME/tmp=/exchange
33853 On GNU/Linux, the default is to boot directly to the kernel; this has
33854 the advantage of requiring only a very tiny root disk image since the
33855 store of the host can then be mounted.
33857 The @option{--full-boot} option forces a complete boot sequence, starting
33858 with the bootloader. This requires more disk space since a root image
33859 containing at least the kernel, initrd, and bootloader data files must
33860 be created. The @option{--image-size} option can be used to specify the
33863 @cindex System images, creation in various formats
33864 @cindex Creating system images in various formats
33866 @itemx docker-image
33867 Return a virtual machine, disk image, or Docker image of the operating
33868 system declared in @var{file} that stands alone. By default,
33869 @command{guix system} estimates the size of the image needed to store
33870 the system, but you can use the @option{--image-size} option to specify
33871 a value. Docker images are built to contain exactly what they need, so
33872 the @option{--image-size} option is ignored in the case of
33873 @code{docker-image}.
33875 @cindex image, creating disk images
33876 The @code{image} command can produce various image types. The
33877 image type can be selected using the @option{--image-type} option. It
33878 defaults to @code{efi-raw}. When its value is @code{iso9660}, the
33879 @option{--label} option can be used to specify a volume ID with
33880 @code{image}. By default, the root file system of a disk image is
33881 mounted non-volatile; the @option{--volatile} option can be provided to
33882 make it volatile instead. When using @code{image}, the bootloader
33883 installed on the generated image is taken from the provided
33884 @code{operating-system} definition. The following example demonstrates
33885 how to generate an image that uses the @code{grub-efi-bootloader}
33886 bootloader and boot it with QEMU:
33889 image=$(guix system image --image-type=qcow2 \
33890 gnu/system/examples/lightweight-desktop.tmpl)
33891 cp $image /tmp/my-image.qcow2
33892 chmod +w /tmp/my-image.qcow2
33893 qemu-system-x86_64 -enable-kvm -hda /tmp/my-image.qcow2 -m 1000 \
33894 -bios $(guix build ovmf)/share/firmware/ovmf_x64.bin
33897 When using the @code{efi-raw} image type, a raw disk image is produced;
33898 it can be copied as is to a USB stick, for instance. Assuming
33899 @code{/dev/sdc} is the device corresponding to a USB stick, one can copy
33900 the image to it using the following command:
33903 # dd if=$(guix system image my-os.scm) of=/dev/sdc status=progress
33906 The @code{--list-image-types} command lists all the available image
33909 @cindex creating virtual machine images
33910 When using the @code{qcow2} image type, the returned image is in qcow2
33911 format, which the QEMU emulator can efficiently use. @xref{Running Guix
33912 in a VM}, for more information on how to run the image in a virtual
33913 machine. The @code{grub-bootloader} bootloader is always used
33914 independently of what is declared in the @code{operating-system} file
33915 passed as argument. This is to make it easier to work with QEMU, which
33916 uses the SeaBIOS BIOS by default, expecting a bootloader to be installed
33917 in the Master Boot Record (MBR).
33919 @cindex docker-image, creating docker images
33920 When using @code{docker-image}, a Docker image is produced. Guix builds
33921 the image from scratch, not from a pre-existing Docker base image. As a
33922 result, it contains @emph{exactly} what you define in the operating
33923 system configuration file. You can then load the image and launch a
33924 Docker container using commands like the following:
33927 image_id="$(docker load < guix-system-docker-image.tar.gz)"
33928 container_id="$(docker create $image_id)"
33929 docker start $container_id
33932 This command starts a new Docker container from the specified image. It
33933 will boot the Guix system in the usual manner, which means it will
33934 start any services you have defined in the operating system
33935 configuration. You can get an interactive shell running in the container
33936 using @command{docker exec}:
33939 docker exec -ti $container_id /run/current-system/profile/bin/bash --login
33942 Depending on what you run in the Docker container, it
33943 may be necessary to give the container additional permissions. For
33944 example, if you intend to build software using Guix inside of the Docker
33945 container, you may need to pass the @option{--privileged} option to
33946 @code{docker create}.
33948 Last, the @option{--network} option applies to @command{guix system
33949 docker-image}: it produces an image where network is supposedly shared
33950 with the host, and thus without services like nscd or NetworkManager.
33953 Return a script to run the operating system declared in @var{file}
33954 within a container. Containers are a set of lightweight isolation
33955 mechanisms provided by the kernel Linux-libre. Containers are
33956 substantially less resource-demanding than full virtual machines since
33957 the kernel, shared objects, and other resources can be shared with the
33958 host system; this also means they provide thinner isolation.
33960 Currently, the script must be run as root in order to support more than
33961 a single user and group. The container shares its store with the host
33964 As with the @code{vm} action (@pxref{guix system vm}), additional file
33965 systems to be shared between the host and container can be specified
33966 using the @option{--share} and @option{--expose} options:
33969 guix system container my-config.scm \
33970 --expose=$HOME --share=$HOME/tmp=/exchange
33974 This option requires Linux-libre 3.19 or newer.
33979 @var{options} can contain any of the common build options (@pxref{Common
33980 Build Options}). In addition, @var{options} can contain one of the
33984 @item --expression=@var{expr}
33985 @itemx -e @var{expr}
33986 Consider the operating-system @var{expr} evaluates to.
33987 This is an alternative to specifying a file which evaluates to an
33989 This is used to generate the Guix system installer @pxref{Building the
33990 Installation Image}).
33992 @item --system=@var{system}
33993 @itemx -s @var{system}
33994 Attempt to build for @var{system} instead of the host system type.
33995 This works as per @command{guix build} (@pxref{Invoking guix build}).
33999 Return the derivation file name of the given operating system without
34002 @cindex provenance tracking, of the operating system
34003 @item --save-provenance
34004 As discussed above, @command{guix system init} and @command{guix system
34005 reconfigure} always save provenance information @i{via} a dedicated
34006 service (@pxref{Service Reference, @code{provenance-service-type}}).
34007 However, other commands don't do that by default. If you wish to, say,
34008 create a virtual machine image that contains provenance information, you
34012 guix system image -t qcow2 --save-provenance config.scm
34015 That way, the resulting image will effectively ``embed its own source''
34016 in the form of meta-data in @file{/run/current-system}. With that
34017 information, one can rebuild the image to make sure it really contains
34018 what it pretends to contain; or they could use that to derive a variant
34021 @item --image-type=@var{type}
34022 @itemx -t @var{type}
34023 For the @code{image} action, create an image with given @var{type}.
34025 When this option is omitted, @command{guix system} uses the
34026 @code{efi-raw} image type.
34028 @cindex ISO-9660 format
34029 @cindex CD image format
34030 @cindex DVD image format
34031 @option{--image-type=iso9660} produces an ISO-9660 image, suitable
34032 for burning on CDs and DVDs.
34034 @item --image-size=@var{size}
34035 For the @code{image} action, create an image of the given @var{size}.
34036 @var{size} may be a number of bytes, or it may include a unit as a
34037 suffix (@pxref{Block size, size specifications,, coreutils, GNU
34040 When this option is omitted, @command{guix system} computes an estimate
34041 of the image size as a function of the size of the system declared in
34046 For the @code{container} action, allow containers to access the host network,
34047 that is, do not create a network namespace.
34049 @item --root=@var{file}
34050 @itemx -r @var{file}
34051 Make @var{file} a symlink to the result, and register it as a garbage
34054 @item --skip-checks
34055 Skip pre-installation safety checks.
34057 By default, @command{guix system init} and @command{guix system
34058 reconfigure} perform safety checks: they make sure the file systems that
34059 appear in the @code{operating-system} declaration actually exist
34060 (@pxref{File Systems}), and that any Linux kernel modules that may be
34061 needed at boot time are listed in @code{initrd-modules} (@pxref{Initial
34062 RAM Disk}). Passing this option skips these tests altogether.
34064 @item --allow-downgrades
34065 Instruct @command{guix system reconfigure} to allow system downgrades.
34067 By default, @command{reconfigure} prevents you from downgrading your
34068 system. It achieves that by comparing the provenance info of your
34069 system (shown by @command{guix system describe}) with that of your
34070 @command{guix} command (shown by @command{guix describe}). If the
34071 commits for @command{guix} are not descendants of those used for your
34072 system, @command{guix system reconfigure} errors out. Passing
34073 @option{--allow-downgrades} allows you to bypass these checks.
34076 Make sure you understand its security implications before using
34077 @option{--allow-downgrades}.
34081 @cindex on-error strategy
34082 @cindex error strategy
34083 @item --on-error=@var{strategy}
34084 Apply @var{strategy} when an error occurs when reading @var{file}.
34085 @var{strategy} may be one of the following:
34088 @item nothing-special
34089 Report the error concisely and exit. This is the default strategy.
34092 Likewise, but also display a backtrace.
34095 Report the error and enter Guile's debugger. From there, you can run
34096 commands such as @code{,bt} to get a backtrace, @code{,locals} to
34097 display local variable values, and more generally inspect the state of the
34098 program. @xref{Debug Commands,,, guile, GNU Guile Reference Manual}, for
34099 a list of available debugging commands.
34103 Once you have built, configured, re-configured, and re-re-configured
34104 your Guix installation, you may find it useful to list the operating
34105 system generations available on disk---and that you can choose from the
34106 bootloader boot menu:
34111 Describe the current system generation: its file name, the kernel and
34112 bootloader used, etc., as well as provenance information when available.
34114 @item list-generations
34115 List a summary of each generation of the operating system available on
34116 disk, in a human-readable way. This is similar to the
34117 @option{--list-generations} option of @command{guix package}
34118 (@pxref{Invoking guix package}).
34120 Optionally, one can specify a pattern, with the same syntax that is used
34121 in @command{guix package --list-generations}, to restrict the list of
34122 generations displayed. For instance, the following command displays
34123 generations that are up to 10 days old:
34126 $ guix system list-generations 10d
34131 The @command{guix system} command has even more to offer! The following
34132 sub-commands allow you to visualize how your system services relate to
34135 @anchor{system-extension-graph}
34138 @item extension-graph
34139 Emit to standard output the @dfn{service
34140 extension graph} of the operating system defined in @var{file}
34141 (@pxref{Service Composition}, for more information on service
34142 extensions). By default the output is in Dot/Graphviz format, but you
34143 can choose a different format with @option{--graph-backend}, as with
34144 @command{guix graph} (@pxref{Invoking guix graph, @option{--backend}}):
34149 $ guix system extension-graph @var{file} | xdot -
34152 shows the extension relations among services.
34154 @anchor{system-shepherd-graph}
34155 @item shepherd-graph
34156 Emit to standard output the @dfn{dependency
34157 graph} of shepherd services of the operating system defined in
34158 @var{file}. @xref{Shepherd Services}, for more information and for an
34161 Again, the default output format is Dot/Graphviz, but you can pass
34162 @option{--graph-backend} to select a different one.
34166 @node Invoking guix deploy
34167 @section Invoking @code{guix deploy}
34169 We've already seen @code{operating-system} declarations used to manage a
34170 machine's configuration locally. Suppose you need to configure multiple
34171 machines, though---perhaps you're managing a service on the web that's
34172 comprised of several servers. @command{guix deploy} enables you to use those
34173 same @code{operating-system} declarations to manage multiple remote hosts at
34174 once as a logical ``deployment''.
34177 The functionality described in this section is still under development
34178 and is subject to change. Get in touch with us on
34179 @email{guix-devel@@gnu.org}!
34183 guix deploy @var{file}
34186 Such an invocation will deploy the machines that the code within @var{file}
34187 evaluates to. As an example, @var{file} might contain a definition like this:
34190 ;; This is a Guix deployment of a "bare bones" setup, with
34191 ;; no X11 display server, to a machine with an SSH daemon
34192 ;; listening on localhost:2222. A configuration such as this
34193 ;; may be appropriate for virtual machine with ports
34194 ;; forwarded to the host's loopback interface.
34196 (use-service-modules networking ssh)
34197 (use-package-modules bootloaders)
34201 (host-name "gnu-deployed")
34202 (timezone "Etc/UTC")
34203 (bootloader (bootloader-configuration
34204 (bootloader grub-bootloader)
34205 (targets '("/dev/vda"))
34206 (terminal-outputs '(console))))
34207 (file-systems (cons (file-system
34209 (device "/dev/vda1")
34211 %base-file-systems))
34213 (append (list (service dhcp-client-service-type)
34214 (service openssh-service-type
34215 (openssh-configuration
34216 (permit-root-login #t)
34217 (allow-empty-passwords? #t))))
34221 (operating-system %system)
34222 (environment managed-host-environment-type)
34223 (configuration (machine-ssh-configuration
34224 (host-name "localhost")
34225 (system "x86_64-linux")
34227 (identity "./id_rsa")
34231 The file should evaluate to a list of @var{machine} objects. This example,
34232 upon being deployed, will create a new generation on the remote system
34233 realizing the @code{operating-system} declaration @code{%system}.
34234 @code{environment} and @code{configuration} specify how the machine should be
34235 provisioned---that is, how the computing resources should be created and
34236 managed. The above example does not create any resources, as a
34237 @code{'managed-host} is a machine that is already running the Guix system and
34238 available over the network. This is a particularly simple case; a more
34239 complex deployment may involve, for example, starting virtual machines through
34240 a Virtual Private Server (VPS) provider. In such a case, a different
34241 @var{environment} type would be used.
34243 Do note that you first need to generate a key pair on the coordinator machine
34244 to allow the daemon to export signed archives of files from the store
34245 (@pxref{Invoking guix archive}), though this step is automatic on Guix
34249 # guix archive --generate-key
34253 Each target machine must authorize the key of the master machine so that it
34254 accepts store items it receives from the coordinator:
34257 # guix archive --authorize < coordinator-public-key.txt
34260 @code{user}, in this example, specifies the name of the user account to log in
34261 as to perform the deployment. Its default value is @code{root}, but root
34262 login over SSH may be forbidden in some cases. To work around this,
34263 @command{guix deploy} can log in as an unprivileged user and employ
34264 @code{sudo} to escalate privileges. This will only work if @code{sudo} is
34265 currently installed on the remote and can be invoked non-interactively as
34266 @code{user}. That is, the line in @code{sudoers} granting @code{user} the
34267 ability to use @code{sudo} must contain the @code{NOPASSWD} tag. This can
34268 be accomplished with the following operating system configuration snippet:
34272 (gnu system)) ;for %sudoers-specification
34274 (define %user "username")
34279 (plain-file "sudoers"
34280 (string-append (plain-file-content %sudoers-specification)
34281 (format #f "~a ALL = NOPASSWD: ALL~%"
34286 For more information regarding the format of the @file{sudoers} file,
34287 consult @command{man sudoers}.
34289 @deftp {Data Type} machine
34290 This is the data type representing a single machine in a heterogeneous Guix
34294 @item @code{operating-system}
34295 The object of the operating system configuration to deploy.
34297 @item @code{environment}
34298 An @code{environment-type} describing how the machine should be provisioned.
34300 @item @code{configuration} (default: @code{#f})
34301 An object describing the configuration for the machine's @code{environment}.
34302 If the @code{environment} has a default configuration, @code{#f} may be used.
34303 If @code{#f} is used for an environment with no default configuration,
34304 however, an error will be thrown.
34308 @deftp {Data Type} machine-ssh-configuration
34309 This is the data type representing the SSH client parameters for a machine
34310 with an @code{environment} of @code{managed-host-environment-type}.
34313 @item @code{host-name}
34314 @item @code{build-locally?} (default: @code{#t})
34315 If false, system derivations will be built on the machine being deployed to.
34316 @item @code{system}
34317 The system type describing the architecture of the machine being deployed
34318 to---e.g., @code{"x86_64-linux"}.
34319 @item @code{authorize?} (default: @code{#t})
34320 If true, the coordinator's signing key will be added to the remote's ACL
34322 @item @code{port} (default: @code{22})
34323 @item @code{user} (default: @code{"root"})
34324 @item @code{identity} (default: @code{#f})
34325 If specified, the path to the SSH private key to use to authenticate with the
34328 @item @code{host-key} (default: @code{#f})
34329 This should be the SSH host key of the machine, which looks like this:
34332 ssh-ed25519 AAAAC3Nz@dots{} root@@example.org
34335 When @code{host-key} is @code{#f}, the server is authenticated against
34336 the @file{~/.ssh/known_hosts} file, just like the OpenSSH @command{ssh}
34339 @item @code{allow-downgrades?} (default: @code{#f})
34340 Whether to allow potential downgrades.
34342 Like @command{guix system reconfigure}, @command{guix deploy} compares
34343 the channel commits currently deployed on the remote host (as returned
34344 by @command{guix system describe}) to those currently in use (as
34345 returned by @command{guix describe}) to determine whether commits
34346 currently in use are descendants of those deployed. When this is not
34347 the case and @code{allow-downgrades?} is false, it raises an error.
34348 This ensures you do not accidentally downgrade remote machines.
34352 @deftp {Data Type} digital-ocean-configuration
34353 This is the data type describing the Droplet that should be created for a
34354 machine with an @code{environment} of @code{digital-ocean-environment-type}.
34357 @item @code{ssh-key}
34358 The path to the SSH private key to use to authenticate with the remote
34359 host. In the future, this field may not exist.
34361 A list of string ``tags'' that uniquely identify the machine. Must be given
34362 such that no two machines in the deployment have the same set of tags.
34363 @item @code{region}
34364 A Digital Ocean region slug, such as @code{"nyc3"}.
34366 A Digital Ocean size slug, such as @code{"s-1vcpu-1gb"}
34367 @item @code{enable-ipv6?}
34368 Whether or not the droplet should be created with IPv6 networking.
34372 @node Running Guix in a VM
34373 @section Running Guix in a Virtual Machine
34375 @cindex virtual machine
34376 To run Guix in a virtual machine (VM), one can use the pre-built Guix VM
34377 image distributed at
34378 @url{@value{BASE-URL}/guix-system-vm-image-@value{VERSION}.x86_64-linux.qcow2}.
34379 This image is a compressed image in QCOW format. You can pass it to an
34380 emulator such as @uref{https://qemu.org/, QEMU} (see below for details).
34382 This image boots the Xfce graphical environment and it contains some
34383 commonly used tools. You can install more software in the image by running
34384 @command{guix package} in a terminal (@pxref{Invoking guix package}). You can
34385 also reconfigure the system based on its initial configuration file available
34386 as @file{/run/current-system/configuration.scm} (@pxref{Using the
34387 Configuration System}).
34389 Instead of using this pre-built image, one can also build their own
34390 image using @command{guix system image} (@pxref{Invoking guix system}).
34393 If you built your own image, you must copy it out of the store
34394 (@pxref{The Store}) and give yourself permission to write to the copy
34395 before you can use it. When invoking QEMU, you must choose a system
34396 emulator that is suitable for your hardware platform. Here is a minimal
34397 QEMU invocation that will boot the result of @command{guix system
34398 image -t qcow2} on x86_64 hardware:
34401 $ qemu-system-x86_64 \
34402 -nic user,model=virtio-net-pci \
34403 -enable-kvm -m 1024 \
34404 -device virtio-blk,drive=myhd \
34405 -drive if=none,file=/tmp/qemu-image,id=myhd
34408 Here is what each of these options means:
34411 @item qemu-system-x86_64
34412 This specifies the hardware platform to emulate. This should match the
34415 @item -nic user,model=virtio-net-pci
34416 Enable the unprivileged user-mode network stack. The guest OS can
34417 access the host but not vice versa. This is the simplest way to get the
34418 guest OS online. @code{model} specifies which network device to emulate:
34419 @code{virtio-net-pci} is a special device made for virtualized operating
34420 systems and recommended for most uses. Assuming your hardware platform is
34421 x86_64, you can get a list of available NIC models by running
34422 @command{qemu-system-x86_64 -nic model=help}.
34425 If your system has hardware virtualization extensions, enabling the
34426 virtual machine support (KVM) of the Linux kernel will make things run
34429 @c To run Xfce + 'guix pull', we need at least 1G of RAM.
34431 RAM available to the guest OS, in mebibytes. Defaults to 128@tie{}MiB,
34432 which may be insufficient for some operations.
34434 @item -device virtio-blk,drive=myhd
34435 Create a @code{virtio-blk} drive called ``myhd''. @code{virtio-blk} is a
34436 ``paravirtualization'' mechanism for block devices that allows QEMU to achieve
34437 better performance than if it were emulating a complete disk drive. See the
34438 QEMU and KVM documentation for more info.
34440 @item -drive if=none,file=/tmp/qemu-image,id=myhd
34441 Use our QCOW image, the @file{/tmp/qemu-image} file, as the backing
34442 store of the ``myhd'' drive.
34445 The default @command{run-vm.sh} script that is returned by an invocation of
34446 @command{guix system vm} does not add a @command{-nic user} flag by default.
34447 To get network access from within the vm add the @code{(dhcp-client-service)}
34448 to your system definition and start the VM using
34449 @command{$(guix system vm config.scm) -nic user}. An important caveat of using
34450 @command{-nic user} for networking is that @command{ping} will not work, because
34451 it uses the ICMP protocol. You'll have to use a different command to check for
34452 network connectivity, for example @command{guix download}.
34454 @subsection Connecting Through SSH
34458 To enable SSH inside a VM you need to add an SSH server like
34459 @code{openssh-service-type} to your VM (@pxref{Networking Services,
34460 @code{openssh-service-type}}). In addition you need to forward the SSH port,
34461 22 by default, to the host. You can do this with
34464 $(guix system vm config.scm) -nic user,model=virtio-net-pci,hostfwd=tcp::10022-:22
34467 To connect to the VM you can run
34470 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 localhost
34473 The @command{-p} tells @command{ssh} the port you want to connect to.
34474 @command{-o UserKnownHostsFile=/dev/null} prevents @command{ssh} from complaining
34475 every time you modify your @command{config.scm} file and the
34476 @command{-o StrictHostKeyChecking=no} prevents you from having to allow a
34477 connection to an unknown host every time you connect.
34480 If you find the above @samp{hostfwd} example not to be working (e.g.,
34481 your SSH client hangs attempting to connect to the mapped port of your
34482 VM), make sure that your Guix System VM has networking support, such as
34483 by using the @code{dhcp-client-service-type} service type.
34486 @subsection Using @command{virt-viewer} with Spice
34488 As an alternative to the default @command{qemu} graphical client you can
34489 use the @command{remote-viewer} from the @command{virt-viewer} package. To
34490 connect pass the @command{-spice port=5930,disable-ticketing} flag to
34491 @command{qemu}. See previous section for further information on how to do this.
34493 Spice also allows you to do some nice stuff like share your clipboard with your
34494 VM@. To enable that you'll also have to pass the following flags to @command{qemu}:
34497 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5
34498 -chardev spicevmc,name=vdagent,id=vdagent
34499 -device virtserialport,nr=1,bus=virtio-serial0.0,chardev=vdagent,
34500 name=com.redhat.spice.0
34503 You'll also need to add the @code{(spice-vdagent-service)} to your
34504 system definition (@pxref{Miscellaneous Services, Spice service}).
34506 @node Defining Services
34507 @section Defining Services
34509 The previous sections show the available services and how one can combine
34510 them in an @code{operating-system} declaration. But how do we define
34511 them in the first place? And what is a service anyway?
34514 * Service Composition:: The model for composing services.
34515 * Service Types and Services:: Types and services.
34516 * Service Reference:: API reference.
34517 * Shepherd Services:: A particular type of service.
34520 @node Service Composition
34521 @subsection Service Composition
34525 Here we define a @dfn{service} as, broadly, something that extends the
34526 functionality of the operating system. Often a service is a process---a
34527 @dfn{daemon}---started when the system boots: a secure shell server, a
34528 Web server, the Guix build daemon, etc. Sometimes a service is a daemon
34529 whose execution can be triggered by another daemon---e.g., an FTP server
34530 started by @command{inetd} or a D-Bus service activated by
34531 @command{dbus-daemon}. Occasionally, a service does not map to a
34532 daemon. For instance, the ``account'' service collects user accounts
34533 and makes sure they exist when the system runs; the ``udev'' service
34534 collects device management rules and makes them available to the eudev
34535 daemon; the @file{/etc} service populates the @file{/etc} directory
34538 @cindex service extensions
34539 Guix system services are connected by @dfn{extensions}. For instance, the
34540 secure shell service @emph{extends} the Shepherd---the
34541 initialization system, running as PID@tie{}1---by giving it the command
34542 lines to start and stop the secure shell daemon (@pxref{Networking
34543 Services, @code{openssh-service-type}}); the UPower service extends the D-Bus
34544 service by passing it its @file{.service} specification, and extends the
34545 udev service by passing it device management rules (@pxref{Desktop
34546 Services, @code{upower-service}}); the Guix daemon service extends the
34547 Shepherd by passing it the command lines to start and stop the daemon,
34548 and extends the account service by passing it a list of required build
34549 user accounts (@pxref{Base Services}).
34551 All in all, services and their ``extends'' relations form a directed
34552 acyclic graph (DAG). If we represent services as boxes and extensions
34553 as arrows, a typical system might provide something like this:
34555 @image{images/service-graph,,5in,Typical service extension graph.}
34557 @cindex system service
34558 At the bottom, we see the @dfn{system service}, which produces the
34559 directory containing everything to run and boot the system, as returned
34560 by the @command{guix system build} command. @xref{Service Reference},
34561 to learn about the other service types shown here.
34562 @xref{system-extension-graph, the @command{guix system extension-graph}
34563 command}, for information on how to generate this representation for a
34564 particular operating system definition.
34566 @cindex service types
34567 Technically, developers can define @dfn{service types} to express these
34568 relations. There can be any number of services of a given type on the
34569 system---for instance, a system running two instances of the GNU secure
34570 shell server (lsh) has two instances of @code{lsh-service-type}, with
34571 different parameters.
34573 The following section describes the programming interface for service
34574 types and services.
34576 @node Service Types and Services
34577 @subsection Service Types and Services
34579 A @dfn{service type} is a node in the DAG described above. Let us start
34580 with a simple example, the service type for the Guix build daemon
34581 (@pxref{Invoking guix-daemon}):
34584 (define guix-service-type
34588 (list (service-extension shepherd-root-service-type guix-shepherd-service)
34589 (service-extension account-service-type guix-accounts)
34590 (service-extension activation-service-type guix-activation)))
34591 (default-value (guix-configuration))))
34595 It defines three things:
34599 A name, whose sole purpose is to make inspection and debugging easier.
34602 A list of @dfn{service extensions}, where each extension designates the
34603 target service type and a procedure that, given the parameters of the
34604 service, returns a list of objects to extend the service of that type.
34606 Every service type has at least one service extension. The only
34607 exception is the @dfn{boot service type}, which is the ultimate service.
34610 Optionally, a default value for instances of this type.
34613 In this example, @code{guix-service-type} extends three services:
34616 @item shepherd-root-service-type
34617 The @code{guix-shepherd-service} procedure defines how the Shepherd
34618 service is extended. Namely, it returns a @code{<shepherd-service>}
34619 object that defines how @command{guix-daemon} is started and stopped
34620 (@pxref{Shepherd Services}).
34622 @item account-service-type
34623 This extension for this service is computed by @code{guix-accounts},
34624 which returns a list of @code{user-group} and @code{user-account}
34625 objects representing the build user accounts (@pxref{Invoking
34628 @item activation-service-type
34629 Here @code{guix-activation} is a procedure that returns a gexp, which is
34630 a code snippet to run at ``activation time''---e.g., when the service is
34634 A service of this type is instantiated like this:
34637 (service guix-service-type
34638 (guix-configuration
34640 (extra-options '("--gc-keep-derivations"))))
34643 The second argument to the @code{service} form is a value representing
34644 the parameters of this specific service instance.
34645 @xref{guix-configuration-type, @code{guix-configuration}}, for
34646 information about the @code{guix-configuration} data type. When the
34647 value is omitted, the default value specified by
34648 @code{guix-service-type} is used:
34651 (service guix-service-type)
34654 @code{guix-service-type} is quite simple because it extends other
34655 services but is not extensible itself.
34657 @c @subsubsubsection Extensible Service Types
34659 The service type for an @emph{extensible} service looks like this:
34662 (define udev-service-type
34663 (service-type (name 'udev)
34665 (list (service-extension shepherd-root-service-type
34666 udev-shepherd-service)))
34668 (compose concatenate) ;concatenate the list of rules
34669 (extend (lambda (config rules)
34671 (($ <udev-configuration> udev initial-rules)
34672 (udev-configuration
34673 (udev udev) ;the udev package to use
34674 (rules (append initial-rules rules)))))))))
34677 This is the service type for the
34678 @uref{https://wiki.gentoo.org/wiki/Project:Eudev, eudev device
34679 management daemon}. Compared to the previous example, in addition to an
34680 extension of @code{shepherd-root-service-type}, we see two new fields:
34684 This is the procedure to @dfn{compose} the list of extensions to
34685 services of this type.
34687 Services can extend the udev service by passing it lists of rules; we
34688 compose those extensions simply by concatenating them.
34691 This procedure defines how the value of the service is @dfn{extended} with
34692 the composition of the extensions.
34694 Udev extensions are composed into a list of rules, but the udev service
34695 value is itself a @code{<udev-configuration>} record. So here, we
34696 extend that record by appending the list of rules it contains to the
34697 list of contributed rules.
34700 This is a string giving an overview of the service type. The string can
34701 contain Texinfo markup (@pxref{Overview,,, texinfo, GNU Texinfo}). The
34702 @command{guix system search} command searches these strings and displays
34703 them (@pxref{Invoking guix system}).
34706 There can be only one instance of an extensible service type such as
34707 @code{udev-service-type}. If there were more, the
34708 @code{service-extension} specifications would be ambiguous.
34710 Still here? The next section provides a reference of the programming
34711 interface for services.
34713 @node Service Reference
34714 @subsection Service Reference
34716 We have seen an overview of service types (@pxref{Service Types and
34717 Services}). This section provides a reference on how to manipulate
34718 services and service types. This interface is provided by the
34719 @code{(gnu services)} module.
34721 @deffn {Scheme Procedure} service @var{type} [@var{value}]
34722 Return a new service of @var{type}, a @code{<service-type>} object (see
34723 below). @var{value} can be any object; it represents the parameters of
34724 this particular service instance.
34726 When @var{value} is omitted, the default value specified by @var{type}
34727 is used; if @var{type} does not specify a default value, an error is
34730 For instance, this:
34733 (service openssh-service-type)
34737 is equivalent to this:
34740 (service openssh-service-type
34741 (openssh-configuration))
34744 In both cases the result is an instance of @code{openssh-service-type}
34745 with the default configuration.
34748 @deffn {Scheme Procedure} service? @var{obj}
34749 Return true if @var{obj} is a service.
34752 @deffn {Scheme Procedure} service-kind @var{service}
34753 Return the type of @var{service}---i.e., a @code{<service-type>} object.
34756 @deffn {Scheme Procedure} service-value @var{service}
34757 Return the value associated with @var{service}. It represents its
34761 Here is an example of how a service is created and manipulated:
34765 (service nginx-service-type
34766 (nginx-configuration
34768 (log-directory log-directory)
34769 (run-directory run-directory)
34770 (file config-file))))
34775 (eq? (service-kind s) nginx-service-type)
34779 The @code{modify-services} form provides a handy way to change the
34780 parameters of some of the services of a list such as
34781 @code{%base-services} (@pxref{Base Services, @code{%base-services}}). It
34782 evaluates to a list of services. Of course, you could always use
34783 standard list combinators such as @code{map} and @code{fold} to do that
34784 (@pxref{SRFI-1, List Library,, guile, GNU Guile Reference Manual});
34785 @code{modify-services} simply provides a more concise form for this
34788 @deffn {Scheme Syntax} modify-services @var{services} @
34789 (@var{type} @var{variable} => @var{body}) @dots{}
34791 Modify the services listed in @var{services} according to the given
34792 clauses. Each clause has the form:
34795 (@var{type} @var{variable} => @var{body})
34798 where @var{type} is a service type---e.g.,
34799 @code{guix-service-type}---and @var{variable} is an identifier that is
34800 bound within the @var{body} to the service parameters---e.g., a
34801 @code{guix-configuration} instance---of the original service of that
34804 The @var{body} should evaluate to the new service parameters, which will
34805 be used to configure the new service. This new service will replace the
34806 original in the resulting list. Because a service's service parameters
34807 are created using @code{define-record-type*}, you can write a succinct
34808 @var{body} that evaluates to the new service parameters by using the
34809 @code{inherit} feature that @code{define-record-type*} provides.
34811 @xref{Using the Configuration System}, for example usage.
34815 Next comes the programming interface for service types. This is
34816 something you want to know when writing new service definitions, but not
34817 necessarily when simply looking for ways to customize your
34818 @code{operating-system} declaration.
34820 @deftp {Data Type} service-type
34821 @cindex service type
34822 This is the representation of a @dfn{service type} (@pxref{Service Types
34827 This is a symbol, used only to simplify inspection and debugging.
34829 @item @code{extensions}
34830 A non-empty list of @code{<service-extension>} objects (see below).
34832 @item @code{compose} (default: @code{#f})
34833 If this is @code{#f}, then the service type denotes services that cannot
34834 be extended---i.e., services that do not receive ``values'' from other
34837 Otherwise, it must be a one-argument procedure. The procedure is called
34838 by @code{fold-services} and is passed a list of values collected from
34839 extensions. It may return any single value.
34841 @item @code{extend} (default: @code{#f})
34842 If this is @code{#f}, services of this type cannot be extended.
34844 Otherwise, it must be a two-argument procedure: @code{fold-services}
34845 calls it, passing it the initial value of the service as the first
34846 argument and the result of applying @code{compose} to the extension
34847 values as the second argument. It must return a value that is a valid
34848 parameter value for the service instance.
34850 @item @code{description}
34851 This is a string, possibly using Texinfo markup, describing in a couple
34852 of sentences what the service is about. This string allows users to
34853 find about the service through @command{guix system search}
34854 (@pxref{Invoking guix system}).
34856 @item @code{default-value} (default: @code{&no-default-value})
34857 The default value associated for instances of this service type. This
34858 allows users to use the @code{service} form without its second argument:
34861 (service @var{type})
34864 The returned service in this case has the default value specified by
34868 @xref{Service Types and Services}, for examples.
34871 @deffn {Scheme Procedure} service-extension @var{target-type} @
34873 Return a new extension for services of type @var{target-type}.
34874 @var{compute} must be a one-argument procedure: @code{fold-services}
34875 calls it, passing it the value associated with the service that provides
34876 the extension; it must return a valid value for the target service.
34879 @deffn {Scheme Procedure} service-extension? @var{obj}
34880 Return true if @var{obj} is a service extension.
34883 Occasionally, you might want to simply extend an existing service. This
34884 involves creating a new service type and specifying the extension of
34885 interest, which can be verbose; the @code{simple-service} procedure
34886 provides a shorthand for this.
34888 @deffn {Scheme Procedure} simple-service @var{name} @var{target} @var{value}
34889 Return a service that extends @var{target} with @var{value}. This works
34890 by creating a singleton service type @var{name}, of which the returned
34891 service is an instance.
34893 For example, this extends mcron (@pxref{Scheduled Job Execution}) with
34897 (simple-service 'my-mcron-job mcron-service-type
34898 #~(job '(next-hour (3)) "guix gc -F 2G"))
34902 At the core of the service abstraction lies the @code{fold-services}
34903 procedure, which is responsible for ``compiling'' a list of services
34904 down to a single directory that contains everything needed to boot and
34905 run the system---the directory shown by the @command{guix system build}
34906 command (@pxref{Invoking guix system}). In essence, it propagates
34907 service extensions down the service graph, updating each node parameters
34908 on the way, until it reaches the root node.
34910 @deffn {Scheme Procedure} fold-services @var{services} @
34911 [#:target-type @var{system-service-type}]
34912 Fold @var{services} by propagating their extensions down to the root of
34913 type @var{target-type}; return the root service adjusted accordingly.
34916 Lastly, the @code{(gnu services)} module also defines several essential
34917 service types, some of which are listed below.
34919 @defvr {Scheme Variable} system-service-type
34920 This is the root of the service graph. It produces the system directory
34921 as returned by the @command{guix system build} command.
34924 @defvr {Scheme Variable} boot-service-type
34925 The type of the ``boot service'', which produces the @dfn{boot script}.
34926 The boot script is what the initial RAM disk runs when booting.
34929 @defvr {Scheme Variable} etc-service-type
34930 The type of the @file{/etc} service. This service is used to create
34931 files under @file{/etc} and can be extended by
34932 passing it name/file tuples such as:
34935 (list `("issue" ,(plain-file "issue" "Welcome!\n")))
34938 In this example, the effect would be to add an @file{/etc/issue} file
34939 pointing to the given file.
34942 @defvr {Scheme Variable} setuid-program-service-type
34943 Type for the ``setuid-program service''. This service collects lists of
34944 executable file names, passed as gexps, and adds them to the set of
34945 setuid-root programs on the system (@pxref{Setuid Programs}).
34948 @defvr {Scheme Variable} profile-service-type
34949 Type of the service that populates the @dfn{system profile}---i.e., the
34950 programs under @file{/run/current-system/profile}. Other services can
34951 extend it by passing it lists of packages to add to the system profile.
34954 @cindex provenance tracking, of the operating system
34955 @anchor{provenance-service-type}
34956 @defvr {Scheme Variable} provenance-service-type
34957 This is the type of the service that records @dfn{provenance meta-data}
34958 in the system itself. It creates several files under
34959 @file{/run/current-system}:
34963 This is a ``channel file'' that can be passed to @command{guix pull -C}
34964 or @command{guix time-machine -C}, and which describes the channels used
34965 to build the system, if that information was available
34966 (@pxref{Channels}).
34968 @item configuration.scm
34969 This is the file that was passed as the value for this
34970 @code{provenance-service-type} service. By default, @command{guix
34971 system reconfigure} automatically passes the OS configuration file it
34972 received on the command line.
34975 This contains the same information as the two other files but in a
34976 format that is more readily processable.
34979 In general, these two pieces of information (channels and configuration
34980 file) are enough to reproduce the operating system ``from source''.
34983 This information is necessary to rebuild your operating system, but it
34984 is not always sufficient. In particular, @file{configuration.scm}
34985 itself is insufficient if it is not self-contained---if it refers to
34986 external Guile modules or to extra files. If you want
34987 @file{configuration.scm} to be self-contained, we recommend that modules
34988 or files it refers to be part of a channel.
34990 Besides, provenance meta-data is ``silent'' in the sense that it does
34991 not change the bits contained in your system, @emph{except for the
34992 meta-data bits themselves}. Two different OS configurations or sets of
34993 channels can lead to the same system, bit-for-bit; when
34994 @code{provenance-service-type} is used, these two systems will have
34995 different meta-data and thus different store file names, which makes
34996 comparison less trivial.
34999 This service is automatically added to your operating system
35000 configuration when you use @command{guix system reconfigure},
35001 @command{guix system init}, or @command{guix deploy}.
35004 @defvr {Scheme Variable} linux-loadable-module-service-type
35005 Type of the service that collects lists of packages containing
35006 kernel-loadable modules, and adds them to the set of kernel-loadable
35009 This service type is intended to be extended by other service types,
35013 (simple-service 'installing-module
35014 linux-loadable-module-service-type
35015 (list module-to-install-1
35016 module-to-install-2))
35019 This does not actually load modules at bootup, only adds it to the
35020 kernel profile so that it @emph{can} be loaded by other means.
35023 @node Shepherd Services
35024 @subsection Shepherd Services
35026 @cindex shepherd services
35028 @cindex init system
35029 The @code{(gnu services shepherd)} module provides a way to define
35030 services managed by the GNU@tie{}Shepherd, which is the
35031 initialization system---the first process that is started when the
35032 system boots, also known as PID@tie{}1
35033 (@pxref{Introduction,,, shepherd, The GNU Shepherd Manual}).
35035 Services in the Shepherd can depend on each other. For instance, the
35036 SSH daemon may need to be started after the syslog daemon has been
35037 started, which in turn can only happen once all the file systems have
35038 been mounted. The simple operating system defined earlier (@pxref{Using
35039 the Configuration System}) results in a service graph like this:
35041 @image{images/shepherd-graph,,5in,Typical shepherd service graph.}
35043 You can actually generate such a graph for any operating system
35044 definition using the @command{guix system shepherd-graph} command
35045 (@pxref{system-shepherd-graph, @command{guix system shepherd-graph}}).
35047 The @code{%shepherd-root-service} is a service object representing
35048 PID@tie{}1, of type @code{shepherd-root-service-type}; it can be extended
35049 by passing it lists of @code{<shepherd-service>} objects.
35051 @deftp {Data Type} shepherd-service
35052 The data type representing a service managed by the Shepherd.
35055 @item @code{provision}
35056 This is a list of symbols denoting what the service provides.
35058 These are the names that may be passed to @command{herd start},
35059 @command{herd status}, and similar commands (@pxref{Invoking herd,,,
35060 shepherd, The GNU Shepherd Manual}). @xref{Slots of services, the
35061 @code{provides} slot,, shepherd, The GNU Shepherd Manual}, for details.
35063 @item @code{requirement} (default: @code{'()})
35064 List of symbols denoting the Shepherd services this one depends on.
35066 @cindex one-shot services, for the Shepherd
35067 @item @code{one-shot?} (default: @code{#f})
35068 Whether this service is @dfn{one-shot}. One-shot services stop immediately
35069 after their @code{start} action has completed. @xref{Slots of services,,,
35070 shepherd, The GNU Shepherd Manual}, for more info.
35072 @item @code{respawn?} (default: @code{#t})
35073 Whether to restart the service when it stops, for instance when the
35074 underlying process dies.
35077 @itemx @code{stop} (default: @code{#~(const #f)})
35078 The @code{start} and @code{stop} fields refer to the Shepherd's
35079 facilities to start and stop processes (@pxref{Service De- and
35080 Constructors,,, shepherd, The GNU Shepherd Manual}). They are given as
35081 G-expressions that get expanded in the Shepherd configuration file
35082 (@pxref{G-Expressions}).
35084 @item @code{actions} (default: @code{'()})
35085 @cindex actions, of Shepherd services
35086 This is a list of @code{shepherd-action} objects (see below) defining
35087 @dfn{actions} supported by the service, in addition to the standard
35088 @code{start} and @code{stop} actions. Actions listed here become available as
35089 @command{herd} sub-commands:
35092 herd @var{action} @var{service} [@var{arguments}@dots{}]
35095 @item @code{auto-start?} (default: @code{#t})
35096 Whether this service should be started automatically by the Shepherd. If it
35097 is @code{#f} the service has to be started manually with @code{herd start}.
35099 @item @code{documentation}
35100 A documentation string, as shown when running:
35103 herd doc @var{service-name}
35106 where @var{service-name} is one of the symbols in @code{provision}
35107 (@pxref{Invoking herd,,, shepherd, The GNU Shepherd Manual}).
35109 @item @code{modules} (default: @code{%default-modules})
35110 This is the list of modules that must be in scope when @code{start} and
35111 @code{stop} are evaluated.
35116 The example below defines a Shepherd service that spawns
35117 @command{syslogd}, the system logger from the GNU Networking Utilities
35118 (@pxref{syslogd invocation, @command{syslogd},, inetutils, GNU
35122 (let ((config (plain-file "syslogd.conf" "@dots{}")))
35124 (documentation "Run the syslog daemon (syslogd).")
35125 (provision '(syslogd))
35126 (requirement '(user-processes))
35127 (start #~(make-forkexec-constructor
35128 (list #$(file-append inetutils "/libexec/syslogd")
35129 "--rcfile" #$config)
35130 #:pid-file "/var/run/syslog.pid"))
35131 (stop #~(make-kill-destructor))))
35134 Key elements in this example are the @code{start} and @code{stop}
35135 fields: they are @dfn{staged} code snippets that use the
35136 @code{make-forkexec-constructor} procedure provided by the Shepherd and
35137 its dual, @code{make-kill-destructor} (@pxref{Service De- and
35138 Constructors,,, shepherd, The GNU Shepherd Manual}). The @code{start}
35139 field will have @command{shepherd} spawn @command{syslogd} with the
35140 given option; note that we pass @code{config} after @option{--rcfile},
35141 which is a configuration file declared above (contents of this file are
35142 omitted). Likewise, the @code{stop} field tells how this service is to
35143 be stopped; in this case, it is stopped by making the @code{kill} system
35144 call on its PID@. Code staging is achieved using G-expressions:
35145 @code{#~} stages code, while @code{#$} ``escapes'' back to host code
35146 (@pxref{G-Expressions}).
35148 @deftp {Data Type} shepherd-action
35149 This is the data type that defines additional actions implemented by a
35150 Shepherd service (see above).
35154 Symbol naming the action.
35156 @item documentation
35157 This is a documentation string for the action. It can be viewed by running:
35160 herd doc @var{service} action @var{action}
35164 This should be a gexp that evaluates to a procedure of at least one argument,
35165 which is the ``running value'' of the service (@pxref{Slots of services,,,
35166 shepherd, The GNU Shepherd Manual}).
35169 The following example defines an action called @code{say-hello} that kindly
35175 (documentation "Say hi!")
35176 (procedure #~(lambda (running . args)
35177 (format #t "Hello, friend! arguments: ~s\n"
35182 Assuming this action is added to the @code{example} service, then you can do:
35185 # herd say-hello example
35186 Hello, friend! arguments: ()
35187 # herd say-hello example a b c
35188 Hello, friend! arguments: ("a" "b" "c")
35191 This, as you can see, is a fairly sophisticated way to say hello.
35192 @xref{Service Convenience,,, shepherd, The GNU Shepherd Manual}, for more
35196 @defvr {Scheme Variable} shepherd-root-service-type
35197 The service type for the Shepherd ``root service''---i.e., PID@tie{}1.
35199 This is the service type that extensions target when they want to create
35200 shepherd services (@pxref{Service Types and Services}, for an example).
35201 Each extension must pass a list of @code{<shepherd-service>}. Its
35202 value must be a @code{shepherd-configuration}, as described below.
35205 @deftp {Data Type} shepherd-configuration
35206 This data type represents the Shepherd's configuration.
35209 @item shepherd (default: @code{shepherd})
35210 The Shepherd package to use.
35212 @item services (default: @code{'()})
35213 A list of @code{<shepherd-service>} to start.
35214 You should probably use the service extension
35215 mechanism instead (@pxref{Shepherd Services}).
35219 The following example specifies the Shepherd package for the operating
35225 (services (append (list openssh-service-type))
35229 ;; Use own Shepherd package.
35230 (essential-services
35231 (modify-services (operating-system-default-essential-services
35232 this-operating-system)
35233 (shepherd-root-service-type config => (shepherd-configuration
35235 (shepherd my-shepherd))))))
35238 @defvr {Scheme Variable} %shepherd-root-service
35239 This service represents PID@tie{}1.
35243 @node Documentation
35244 @chapter Documentation
35246 @cindex documentation, searching for
35247 @cindex searching for documentation
35248 @cindex Info, documentation format
35250 @cindex manual pages
35251 In most cases packages installed with Guix come with documentation.
35252 There are two main documentation formats: ``Info'', a browsable
35253 hypertext format used for GNU software, and ``manual pages'' (or ``man
35254 pages''), the linear documentation format traditionally found on Unix.
35255 Info manuals are accessed with the @command{info} command or with Emacs,
35256 and man pages are accessed using @command{man}.
35258 You can look for documentation of software installed on your system by
35259 keyword. For example, the following command searches for information
35260 about ``TLS'' in Info manuals:
35264 "(emacs)Network Security" -- STARTTLS
35265 "(emacs)Network Security" -- TLS
35266 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_flags
35267 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_function
35272 The command below searches for the same keyword in man pages:
35276 SSL (7) - OpenSSL SSL/TLS library
35277 certtool (1) - GnuTLS certificate tool
35281 These searches are purely local to your computer so you have the
35282 guarantee that documentation you find corresponds to what you have
35283 actually installed, you can access it off-line, and your privacy is
35286 Once you have these results, you can view the relevant documentation by
35290 $ info "(gnutls)Core TLS API"
35300 Info manuals contain sections and indices as well as hyperlinks like
35301 those found in Web pages. The @command{info} reader (@pxref{Top, Info
35302 reader,, info-stnd, Stand-alone GNU Info}) and its Emacs counterpart
35303 (@pxref{Misc Help,,, emacs, The GNU Emacs Manual}) provide intuitive key
35304 bindings to navigate manuals. @xref{Getting Started,,, info, Info: An
35305 Introduction}, for an introduction to Info navigation.
35307 @node Installing Debugging Files
35308 @chapter Installing Debugging Files
35310 @cindex debugging files
35311 Program binaries, as produced by the GCC compilers for instance, are
35312 typically written in the ELF format, with a section containing
35313 @dfn{debugging information}. Debugging information is what allows the
35314 debugger, GDB, to map binary code to source code; it is required to
35315 debug a compiled program in good conditions.
35317 This chapter explains how to use separate debug info when packages
35318 provide it, and how to rebuild packages with debug info when it's
35322 * Separate Debug Info:: Installing 'debug' outputs.
35323 * Rebuilding Debug Info:: Building missing debug info.
35326 @node Separate Debug Info
35327 @section Separate Debug Info
35329 The problem with debugging information is that is takes up a fair amount
35330 of disk space. For example, debugging information for the GNU C Library
35331 weighs in at more than 60 MiB@. Thus, as a user, keeping all the
35332 debugging info of all the installed programs is usually not an option.
35333 Yet, space savings should not come at the cost of an impediment to
35334 debugging---especially in the GNU system, which should make it easier
35335 for users to exert their computing freedom (@pxref{GNU Distribution}).
35337 Thankfully, the GNU Binary Utilities (Binutils) and GDB provide a
35338 mechanism that allows users to get the best of both worlds: debugging
35339 information can be stripped from the binaries and stored in separate
35340 files. GDB is then able to load debugging information from those files,
35341 when they are available (@pxref{Separate Debug Files,,, gdb, Debugging
35344 The GNU distribution takes advantage of this by storing debugging
35345 information in the @code{lib/debug} sub-directory of a separate package
35346 output unimaginatively called @code{debug} (@pxref{Packages with
35347 Multiple Outputs}). Users can choose to install the @code{debug} output
35348 of a package when they need it. For instance, the following command
35349 installs the debugging information for the GNU C Library and for GNU
35353 guix install glibc:debug guile:debug
35356 GDB must then be told to look for debug files in the user's profile, by
35357 setting the @code{debug-file-directory} variable (consider setting it
35358 from the @file{~/.gdbinit} file, @pxref{Startup,,, gdb, Debugging with
35362 (gdb) set debug-file-directory ~/.guix-profile/lib/debug
35365 From there on, GDB will pick up debugging information from the
35366 @file{.debug} files under @file{~/.guix-profile/lib/debug}.
35368 In addition, you will most likely want GDB to be able to show the source
35369 code being debugged. To do that, you will have to unpack the source
35370 code of the package of interest (obtained with @code{guix build
35371 --source}, @pxref{Invoking guix build}), and to point GDB to that source
35372 directory using the @code{directory} command (@pxref{Source Path,
35373 @code{directory},, gdb, Debugging with GDB}).
35375 @c XXX: keep me up-to-date
35376 The @code{debug} output mechanism in Guix is implemented by the
35377 @code{gnu-build-system} (@pxref{Build Systems}). Currently, it is
35378 opt-in---debugging information is available only for the packages with
35379 definitions explicitly declaring a @code{debug} output. To check
35380 whether a package has a @code{debug} output, use @command{guix package
35381 --list-available} (@pxref{Invoking guix package}).
35383 Read on for how to deal with packages lacking a @code{debug} output.
35385 @node Rebuilding Debug Info
35386 @section Rebuilding Debug Info
35388 @cindex debugging info, rebuilding
35389 As we saw above, some packages, but not all, provide debugging info in a
35390 @code{debug} output. What can you do when debugging info is missing?
35391 The @option{--with-debug-info} option provides a solution to that: it
35392 allows you to rebuild the package(s) for which debugging info is
35393 missing---and only those---and to graft those onto the application
35394 you're debugging. Thus, while it's not as fast as installing a
35395 @code{debug} output, it is relatively inexpensive.
35397 Let's illustrate that. Suppose you're experiencing a bug in Inkscape
35398 and would like to see what's going on in GLib, a library that's deep
35399 down in its dependency graph. As it turns out, GLib does not have a
35400 @code{debug} output and the backtrace GDB shows is all sadness:
35404 #0 0x00007ffff5f92190 in g_getenv ()
35405 from /gnu/store/@dots{}-glib-2.62.6/lib/libglib-2.0.so.0
35406 #1 0x00007ffff608a7d6 in gobject_init_ctor ()
35407 from /gnu/store/@dots{}-glib-2.62.6/lib/libgobject-2.0.so.0
35408 #2 0x00007ffff7fe275a in call_init (l=<optimized out>, argc=argc@@entry=1, argv=argv@@entry=0x7fffffffcfd8,
35409 env=env@@entry=0x7fffffffcfe8) at dl-init.c:72
35410 #3 0x00007ffff7fe2866 in call_init (env=0x7fffffffcfe8, argv=0x7fffffffcfd8, argc=1, l=<optimized out>)
35414 To address that, you install Inkscape linked against a variant GLib that
35415 contains debug info:
35418 guix install inkscape --with-debug-info=glib
35421 This time, debugging will be a whole lot nicer:
35424 $ gdb --args sh -c 'exec inkscape'
35427 Function "g_getenv" not defined.
35428 Make breakpoint pending on future shared library load? (y or [n]) y
35429 Breakpoint 1 (g_getenv) pending.
35431 Starting program: /gnu/store/@dots{}-profile/bin/sh -c exec\ inkscape
35434 #0 g_getenv (variable=variable@@entry=0x7ffff60c7a2e "GOBJECT_DEBUG") at ../glib-2.62.6/glib/genviron.c:252
35435 #1 0x00007ffff608a7d6 in gobject_init () at ../glib-2.62.6/gobject/gtype.c:4380
35436 #2 gobject_init_ctor () at ../glib-2.62.6/gobject/gtype.c:4493
35437 #3 0x00007ffff7fe275a in call_init (l=<optimized out>, argc=argc@@entry=3, argv=argv@@entry=0x7fffffffd088,
35438 env=env@@entry=0x7fffffffd0a8) at dl-init.c:72
35444 Note that there can be packages for which @option{--with-debug-info}
35445 will not have the desired effect. @xref{Package Transformation Options,
35446 @option{--with-debug-info}}, for more information.
35448 @node Security Updates
35449 @chapter Security Updates
35451 @cindex security updates
35452 @cindex security vulnerabilities
35453 Occasionally, important security vulnerabilities are discovered in software
35454 packages and must be patched. Guix developers try hard to keep track of
35455 known vulnerabilities and to apply fixes as soon as possible in the
35456 @code{master} branch of Guix (we do not yet provide a ``stable'' branch
35457 containing only security updates). The @command{guix lint} tool helps
35458 developers find out about vulnerable versions of software packages in the
35463 gnu/packages/base.scm:652:2: glibc@@2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547
35464 gnu/packages/gcc.scm:334:2: gcc@@4.9.3: probably vulnerable to CVE-2015-5276
35465 gnu/packages/image.scm:312:2: openjpeg@@2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924
35469 @xref{Invoking guix lint}, for more information.
35471 Guix follows a functional
35472 package management discipline (@pxref{Introduction}), which implies
35473 that, when a package is changed, @emph{every package that depends on it}
35474 must be rebuilt. This can significantly slow down the deployment of
35475 fixes in core packages such as libc or Bash, since basically the whole
35476 distribution would need to be rebuilt. Using pre-built binaries helps
35477 (@pxref{Substitutes}), but deployment may still take more time than
35481 To address this, Guix implements @dfn{grafts}, a mechanism that allows
35482 for fast deployment of critical updates without the costs associated
35483 with a whole-distribution rebuild. The idea is to rebuild only the
35484 package that needs to be patched, and then to ``graft'' it onto packages
35485 explicitly installed by the user and that were previously referring to
35486 the original package. The cost of grafting is typically very low, and
35487 order of magnitudes lower than a full rebuild of the dependency chain.
35489 @cindex replacements of packages, for grafts
35490 For instance, suppose a security update needs to be applied to Bash.
35491 Guix developers will provide a package definition for the ``fixed''
35492 Bash, say @code{bash-fixed}, in the usual way (@pxref{Defining
35493 Packages}). Then, the original package definition is augmented with a
35494 @code{replacement} field pointing to the package containing the bug fix:
35501 (replacement bash-fixed)))
35504 From there on, any package depending directly or indirectly on Bash---as
35505 reported by @command{guix gc --requisites} (@pxref{Invoking guix
35506 gc})---that is installed is automatically ``rewritten'' to refer to
35507 @code{bash-fixed} instead of @code{bash}. This grafting process takes
35508 time proportional to the size of the package, usually less than a
35509 minute for an ``average'' package on a recent machine. Grafting is
35510 recursive: when an indirect dependency requires grafting, then grafting
35511 ``propagates'' up to the package that the user is installing.
35513 Currently, the length of the name and version of the graft and that of
35514 the package it replaces (@code{bash-fixed} and @code{bash} in the example
35515 above) must be equal. This restriction mostly comes from the fact that
35516 grafting works by patching files, including binary files, directly.
35517 Other restrictions may apply: for instance, when adding a graft to a
35518 package providing a shared library, the original shared library and its
35519 replacement must have the same @code{SONAME} and be binary-compatible.
35521 The @option{--no-grafts} command-line option allows you to forcefully
35522 avoid grafting (@pxref{Common Build Options, @option{--no-grafts}}).
35526 guix build bash --no-grafts
35530 returns the store file name of the original Bash, whereas:
35537 returns the store file name of the ``fixed'', replacement Bash. This
35538 allows you to distinguish between the two variants of Bash.
35540 To verify which Bash your whole profile refers to, you can run
35541 (@pxref{Invoking guix gc}):
35544 guix gc -R $(readlink -f ~/.guix-profile) | grep bash
35548 @dots{} and compare the store file names that you get with those above.
35549 Likewise for a complete Guix system generation:
35552 guix gc -R $(guix system build my-config.scm) | grep bash
35555 Lastly, to check which Bash running processes are using, you can use the
35556 @command{lsof} command:
35559 lsof | grep /gnu/store/.*bash
35563 @node Bootstrapping
35564 @chapter Bootstrapping
35566 @c Adapted from the ELS 2013 paper.
35568 @cindex bootstrapping
35570 Bootstrapping in our context refers to how the distribution gets built
35571 ``from nothing''. Remember that the build environment of a derivation
35572 contains nothing but its declared inputs (@pxref{Introduction}). So
35573 there's an obvious chicken-and-egg problem: how does the first package
35574 get built? How does the first compiler get compiled?
35576 It is tempting to think of this question as one that only die-hard
35577 hackers may care about. However, while the answer to that question is
35578 technical in nature, its implications are wide-ranging. How the
35579 distribution is bootstrapped defines the extent to which we, as
35580 individuals and as a collective of users and hackers, can trust the
35581 software we run. It is a central concern from the standpoint of
35582 @emph{security} and from a @emph{user freedom} viewpoint.
35584 @cindex bootstrap binaries
35585 The GNU system is primarily made of C code, with libc at its core. The
35586 GNU build system itself assumes the availability of a Bourne shell and
35587 command-line tools provided by GNU Coreutils, Awk, Findutils, `sed', and
35588 `grep'. Furthermore, build programs---programs that run
35589 @code{./configure}, @code{make}, etc.---are written in Guile Scheme
35590 (@pxref{Derivations}). Consequently, to be able to build anything at
35591 all, from scratch, Guix relies on pre-built binaries of Guile, GCC,
35592 Binutils, libc, and the other packages mentioned above---the
35593 @dfn{bootstrap binaries}.
35595 These bootstrap binaries are ``taken for granted'', though we can also
35596 re-create them if needed (@pxref{Preparing to Use the Bootstrap
35600 * Reduced Binary Seed Bootstrap:: A Bootstrap worthy of GNU.
35601 * Preparing to Use the Bootstrap Binaries:: Building that what matters most.
35604 @node Reduced Binary Seed Bootstrap
35605 @section The Reduced Binary Seed Bootstrap
35607 Guix---like other GNU/Linux distributions---is traditionally bootstrapped from
35608 a set of bootstrap binaries: Bourne shell, command-line tools provided by GNU
35609 Coreutils, Awk, Findutils, `sed', and `grep' and Guile, GCC, Binutils, and the
35610 GNU C Library (@pxref{Bootstrapping}). Usually, these bootstrap binaries are
35611 ``taken for granted.''
35613 Taking the bootstrap binaries for granted means that we consider them to
35614 be a correct and trustworthy ``seed'' for building the complete system.
35615 Therein lies a problem: the combined size of these bootstrap binaries is
35616 about 250MB (@pxref{Bootstrappable Builds,,, mes, GNU Mes}). Auditing
35617 or even inspecting these is next to impossible.
35619 For @code{i686-linux} and @code{x86_64-linux}, Guix now features a
35620 ``Reduced Binary Seed'' bootstrap @footnote{We would like to say: ``Full
35621 Source Bootstrap'' and while we are working towards that goal it would
35622 be hyperbole to use that term for what we do now.}.
35624 The Reduced Binary Seed bootstrap removes the most critical tools---from a
35625 trust perspective---from the bootstrap binaries: GCC, Binutils and the GNU C
35626 Library are replaced by: @code{bootstrap-mescc-tools} (a tiny assembler and
35627 linker) and @code{bootstrap-mes} (a small Scheme Interpreter and a C compiler
35628 written in Scheme and the Mes C Library, built for TinyCC and for GCC).
35630 Using these new binary seeds the ``missing'' Binutils, GCC, and the GNU
35631 C Library are built from source. From here on the more traditional
35632 bootstrap process resumes. This approach has reduced the bootstrap
35633 binaries in size to about 145MB in Guix v1.1.
35635 The next step that Guix has taken is to replace the shell and all its
35636 utilities with implementations in Guile Scheme, the @emph{Scheme-only
35637 bootstrap}. Gash (@pxref{Gash,,, gash, The Gash manual}) is a
35638 POSIX-compatible shell that replaces Bash, and it comes with Gash Utils
35639 which has minimalist replacements for Awk, the GNU Core Utilities, Grep,
35640 Gzip, Sed, and Tar. The rest of the bootstrap binary seeds that were
35641 removed are now built from source.
35643 Building the GNU System from source is currently only possible by adding
35644 some historical GNU packages as intermediate steps@footnote{Packages
35645 such as @code{gcc-2.95.3}, @code{binutils-2.14}, @code{glibc-2.2.5},
35646 @code{gzip-1.2.4}, @code{tar-1.22}, and some others. For details, see
35647 @file{gnu/packages/commencement.scm}.}. As Gash and Gash Utils mature,
35648 and GNU packages become more bootstrappable again (e.g., new releases of
35649 GNU Sed will also ship as gzipped tarballs again, as alternative to the
35650 hard to bootstrap @code{xz}-compression), this set of added packages can
35651 hopefully be reduced again.
35653 The graph below shows the resulting dependency graph for
35654 @code{gcc-core-mesboot0}, the bootstrap compiler used for the
35655 traditional bootstrap of the rest of the Guix System.
35657 @c ./pre-inst-env guix graph -e '(@@ (gnu packages commencement) gcc-core-mesboot0)' | sed -re 's,((bootstrap-mescc-tools|bootstrap-mes|guile-bootstrap).*shape =) box,\1 ellipse,' > doc/images/gcc-core-mesboot0-graph.dot
35658 @image{images/gcc-core-mesboot0-graph,6in,,Dependency graph of gcc-core-mesboot0}
35660 The only significant binary bootstrap seeds that remain@footnote{
35661 Ignoring the 68KB @code{mescc-tools}; that will be removed later,
35662 together with @code{mes}.} are a Scheme interpreter and a Scheme
35663 compiler: GNU Mes and GNU Guile@footnote{Not shown in this graph are the
35664 static binaries for @file{bash}, @code{tar}, and @code{xz} that are used
35665 to get Guile running.}.
35667 This further reduction has brought down the size of the binary seed to
35668 about 60MB for @code{i686-linux} and @code{x86_64-linux}.
35670 Work is ongoing to remove all binary blobs from our free software
35671 bootstrap stack, working towards a Full Source Bootstrap. Also ongoing
35672 is work to bring these bootstraps to the @code{arm-linux} and
35673 @code{aarch64-linux} architectures and to the Hurd.
35675 If you are interested, join us on @samp{#bootstrappable} on the Freenode
35676 IRC network or discuss on @email{bug-mes@@gnu.org} or
35677 @email{gash-devel@@nongnu.org}.
35679 @node Preparing to Use the Bootstrap Binaries
35680 @section Preparing to Use the Bootstrap Binaries
35682 @c As of Emacs 24.3, Info-mode displays the image, but since it's a
35683 @c large image, it's hard to scroll. Oh well.
35684 @image{images/bootstrap-graph,6in,,Dependency graph of the early bootstrap derivations}
35686 The figure above shows the very beginning of the dependency graph of the
35687 distribution, corresponding to the package definitions of the @code{(gnu
35688 packages bootstrap)} module. A similar figure can be generated with
35689 @command{guix graph} (@pxref{Invoking guix graph}), along the lines of:
35692 guix graph -t derivation \
35693 -e '(@@@@ (gnu packages bootstrap) %bootstrap-gcc)' \
35694 | dot -Tps > gcc.ps
35697 or, for the further Reduced Binary Seed bootstrap
35700 guix graph -t derivation \
35701 -e '(@@@@ (gnu packages bootstrap) %bootstrap-mes)' \
35702 | dot -Tps > mes.ps
35705 At this level of detail, things are
35706 slightly complex. First, Guile itself consists of an ELF executable,
35707 along with many source and compiled Scheme files that are dynamically
35708 loaded when it runs. This gets stored in the @file{guile-2.0.7.tar.xz}
35709 tarball shown in this graph. This tarball is part of Guix's ``source''
35710 distribution, and gets inserted into the store with @code{add-to-store}
35711 (@pxref{The Store}).
35713 But how do we write a derivation that unpacks this tarball and adds it
35714 to the store? To solve this problem, the @code{guile-bootstrap-2.0.drv}
35715 derivation---the first one that gets built---uses @code{bash} as its
35716 builder, which runs @code{build-bootstrap-guile.sh}, which in turn calls
35717 @code{tar} to unpack the tarball. Thus, @file{bash}, @file{tar},
35718 @file{xz}, and @file{mkdir} are statically-linked binaries, also part of
35719 the Guix source distribution, whose sole purpose is to allow the Guile
35720 tarball to be unpacked.
35722 Once @code{guile-bootstrap-2.0.drv} is built, we have a functioning
35723 Guile that can be used to run subsequent build programs. Its first task
35724 is to download tarballs containing the other pre-built binaries---this
35725 is what the @file{.tar.xz.drv} derivations do. Guix modules such as
35726 @code{ftp-client.scm} are used for this purpose. The
35727 @code{module-import.drv} derivations import those modules in a directory
35728 in the store, using the original layout. The
35729 @code{module-import-compiled.drv} derivations compile those modules, and
35730 write them in an output directory with the right layout. This
35731 corresponds to the @code{#:modules} argument of
35732 @code{build-expression->derivation} (@pxref{Derivations}).
35734 Finally, the various tarballs are unpacked by the derivations
35735 @code{gcc-bootstrap-0.drv}, @code{glibc-bootstrap-0.drv}, or
35736 @code{bootstrap-mes-0.drv} and @code{bootstrap-mescc-tools-0.drv}, at which
35737 point we have a working C tool chain.
35739 @unnumberedsec Building the Build Tools
35741 Bootstrapping is complete when we have a full tool chain that does not
35742 depend on the pre-built bootstrap tools discussed above. This
35743 no-dependency requirement is verified by checking whether the files of
35744 the final tool chain contain references to the @file{/gnu/store}
35745 directories of the bootstrap inputs. The process that leads to this
35746 ``final'' tool chain is described by the package definitions found in
35747 the @code{(gnu packages commencement)} module.
35749 The @command{guix graph} command allows us to ``zoom out'' compared to
35750 the graph above, by looking at the level of package objects instead of
35751 individual derivations---remember that a package may translate to
35752 several derivations, typically one derivation to download its source,
35753 one to build the Guile modules it needs, and one to actually build the
35754 package from source. The command:
35757 guix graph -t bag \
35758 -e '(@@@@ (gnu packages commencement)
35759 glibc-final-with-bootstrap-bash)' | xdot -
35763 displays the dependency graph leading to the ``final'' C
35764 library@footnote{You may notice the @code{glibc-intermediate} label,
35765 suggesting that it is not @emph{quite} final, but as a good
35766 approximation, we will consider it final.}, depicted below.
35768 @image{images/bootstrap-packages,6in,,Dependency graph of the early packages}
35770 @c See <https://lists.gnu.org/archive/html/gnu-system-discuss/2012-10/msg00000.html>.
35771 The first tool that gets built with the bootstrap binaries is
35772 GNU@tie{}Make---noted @code{make-boot0} above---which is a prerequisite
35773 for all the following packages. From there Findutils and Diffutils get
35776 Then come the first-stage Binutils and GCC, built as pseudo cross
35777 tools---i.e., with @option{--target} equal to @option{--host}. They are
35778 used to build libc. Thanks to this cross-build trick, this libc is
35779 guaranteed not to hold any reference to the initial tool chain.
35781 From there the final Binutils and GCC (not shown above) are built. GCC
35782 uses @command{ld} from the final Binutils, and links programs against
35783 the just-built libc. This tool chain is used to build the other
35784 packages used by Guix and by the GNU Build System: Guile, Bash,
35787 And voilà! At this point we have the complete set of build tools that
35788 the GNU Build System expects. These are in the @code{%final-inputs}
35789 variable of the @code{(gnu packages commencement)} module, and are
35790 implicitly used by any package that uses @code{gnu-build-system}
35791 (@pxref{Build Systems, @code{gnu-build-system}}).
35794 @unnumberedsec Building the Bootstrap Binaries
35796 @cindex bootstrap binaries
35797 Because the final tool chain does not depend on the bootstrap binaries,
35798 those rarely need to be updated. Nevertheless, it is useful to have an
35799 automated way to produce them, should an update occur, and this is what
35800 the @code{(gnu packages make-bootstrap)} module provides.
35802 The following command builds the tarballs containing the bootstrap binaries
35803 (Binutils, GCC, glibc, for the traditional bootstrap and linux-libre-headers,
35804 bootstrap-mescc-tools, bootstrap-mes for the Reduced Binary Seed bootstrap,
35805 and Guile, and a tarball containing a mixture of Coreutils and other basic
35806 command-line tools):
35809 guix build bootstrap-tarballs
35812 The generated tarballs are those that should be referred to in the
35813 @code{(gnu packages bootstrap)} module mentioned at the beginning of
35816 Still here? Then perhaps by now you've started to wonder: when do we
35817 reach a fixed point? That is an interesting question! The answer is
35818 unknown, but if you would like to investigate further (and have
35819 significant computational and storage resources to do so), then let us
35822 @unnumberedsec Reducing the Set of Bootstrap Binaries
35824 Our traditional bootstrap includes GCC, GNU Libc, Guile, etc. That's a lot of
35825 binary code! Why is that a problem? It's a problem because these big chunks
35826 of binary code are practically non-auditable, which makes it hard to establish
35827 what source code produced them. Every unauditable binary also leaves us
35828 vulnerable to compiler backdoors as described by Ken Thompson in the 1984
35829 paper @emph{Reflections on Trusting Trust}.
35831 This is mitigated by the fact that our bootstrap binaries were generated
35832 from an earlier Guix revision. Nevertheless it lacks the level of
35833 transparency that we get in the rest of the package dependency graph,
35834 where Guix always gives us a source-to-binary mapping. Thus, our goal
35835 is to reduce the set of bootstrap binaries to the bare minimum.
35837 The @uref{https://bootstrappable.org, Bootstrappable.org web site} lists
35838 on-going projects to do that. One of these is about replacing the
35839 bootstrap GCC with a sequence of assemblers, interpreters, and compilers
35840 of increasing complexity, which could be built from source starting from
35841 a simple and auditable assembler.
35843 Our first major achievement is the replacement of of GCC, the GNU C Library
35844 and Binutils by MesCC-Tools (a simple hex linker and macro assembler) and Mes
35845 (@pxref{Top, GNU Mes Reference Manual,, mes, GNU Mes}, a Scheme interpreter
35846 and C compiler in Scheme). Neither MesCC-Tools nor Mes can be fully
35847 bootstrapped yet and thus we inject them as binary seeds. We call this the
35848 Reduced Binary Seed bootstrap, as it has halved the size of our bootstrap
35849 binaries! Also, it has eliminated the C compiler binary; i686-linux and
35850 x86_64-linux Guix packages are now bootstrapped without any binary C compiler.
35852 Work is ongoing to make MesCC-Tools and Mes fully bootstrappable and we are
35853 also looking at any other bootstrap binaries. Your help is welcome!
35856 @chapter Porting to a New Platform
35858 As discussed above, the GNU distribution is self-contained, and
35859 self-containment is achieved by relying on pre-built ``bootstrap
35860 binaries'' (@pxref{Bootstrapping}). These binaries are specific to an
35861 operating system kernel, CPU architecture, and application binary
35862 interface (ABI). Thus, to port the distribution to a platform that is
35863 not yet supported, one must build those bootstrap binaries, and update
35864 the @code{(gnu packages bootstrap)} module to use them on that platform.
35866 Fortunately, Guix can @emph{cross compile} those bootstrap binaries.
35867 When everything goes well, and assuming the GNU tool chain supports the
35868 target platform, this can be as simple as running a command like this
35872 guix build --target=armv5tel-linux-gnueabi bootstrap-tarballs
35875 For this to work, the @code{glibc-dynamic-linker} procedure in
35876 @code{(gnu packages bootstrap)} must be augmented to return the right
35877 file name for libc's dynamic linker on that platform; likewise,
35878 @code{system->linux-architecture} in @code{(gnu packages linux)} must be
35879 taught about the new platform.
35881 Once these are built, the @code{(gnu packages bootstrap)} module needs
35882 to be updated to refer to these binaries on the target platform. That
35883 is, the hashes and URLs of the bootstrap tarballs for the new platform
35884 must be added alongside those of the currently supported platforms. The
35885 bootstrap Guile tarball is treated specially: it is expected to be
35886 available locally, and @file{gnu/local.mk} has rules to download it for
35887 the supported architectures; a rule for the new platform must be added
35890 In practice, there may be some complications. First, it may be that the
35891 extended GNU triplet that specifies an ABI (like the @code{eabi} suffix
35892 above) is not recognized by all the GNU tools. Typically, glibc
35893 recognizes some of these, whereas GCC uses an extra @option{--with-abi}
35894 configure flag (see @code{gcc.scm} for examples of how to handle this).
35895 Second, some of the required packages could fail to build for that
35896 platform. Lastly, the generated binaries could be broken for some
35899 @c *********************************************************************
35900 @include contributing.texi
35902 @c *********************************************************************
35903 @node Acknowledgments
35904 @chapter Acknowledgments
35906 Guix is based on the @uref{https://nixos.org/nix/, Nix package manager},
35907 which was designed and
35908 implemented by Eelco Dolstra, with contributions from other people (see
35909 the @file{nix/AUTHORS} file in Guix). Nix pioneered functional package
35910 management, and promoted unprecedented features, such as transactional
35911 package upgrades and rollbacks, per-user profiles, and referentially
35912 transparent build processes. Without this work, Guix would not exist.
35914 The Nix-based software distributions, Nixpkgs and NixOS, have also been
35915 an inspiration for Guix.
35917 GNU@tie{}Guix itself is a collective work with contributions from a
35918 number of people. See the @file{AUTHORS} file in Guix for more
35919 information on these fine people. The @file{THANKS} file lists people
35920 who have helped by reporting bugs, taking care of the infrastructure,
35921 providing artwork and themes, making suggestions, and more---thank you!
35924 @c *********************************************************************
35925 @node GNU Free Documentation License
35926 @appendix GNU Free Documentation License
35927 @cindex license, GNU Free Documentation License
35928 @include fdl-1.3.texi
35930 @c *********************************************************************
35931 @node Concept Index
35932 @unnumbered Concept Index
35935 @node Programming Index
35936 @unnumbered Programming Index
35937 @syncodeindex tp fn
35938 @syncodeindex vr fn
35943 @c Local Variables:
35944 @c ispell-local-dictionary: "american";