6 @documentencoding UTF-8
7 @settitle GNU Guix Reference Manual
12 @c Identifier of the OpenPGP key used to sign tarballs and such.
13 @set OPENPGP-SIGNING-KEY-ID 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
16 Copyright @copyright{} 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès@*
17 Copyright @copyright{} 2013, 2014, 2016 Andreas Enge@*
18 Copyright @copyright{} 2013 Nikita Karetnikov@*
19 Copyright @copyright{} 2014, 2015, 2016 Alex Kost@*
20 Copyright @copyright{} 2015, 2016 Mathieu Lirzin@*
21 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
22 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
23 Copyright @copyright{} 2015, 2016, 2017 Leo Famulari@*
24 Copyright @copyright{} 2015, 2016, 2017, 2018 Ricardo Wurmus@*
25 Copyright @copyright{} 2016 Ben Woodcroft@*
26 Copyright @copyright{} 2016, 2017 Chris Marusich@*
27 Copyright @copyright{} 2016, 2017 Efraim Flashner@*
28 Copyright @copyright{} 2016 John Darrington@*
29 Copyright @copyright{} 2016, 2017 ng0@*
30 Copyright @copyright{} 2016, 2017 Jan Nieuwenhuizen@*
31 Copyright @copyright{} 2016 Julien Lepiller@*
32 Copyright @copyright{} 2016 Alex ter Weele@*
33 Copyright @copyright{} 2017 Clément Lassieur@*
34 Copyright @copyright{} 2017 Mathieu Othacehe@*
35 Copyright @copyright{} 2017 Federico Beffa@*
36 Copyright @copyright{} 2017 Carlo Zancanaro@*
37 Copyright @copyright{} 2017 Thomas Danckaert@*
38 Copyright @copyright{} 2017 humanitiesNerd@*
39 Copyright @copyright{} 2017 Christopher Allan Webber@*
40 Copyright @copyright{} 2017 Marius Bakke@*
41 Copyright @copyright{} 2017 Hartmut Goebel@*
42 Copyright @copyright{} 2017 Maxim Cournoyer@*
43 Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@*
44 Copyright @copyright{} 2017 George Clemmer@*
45 Copyright @copyright{} 2017 Andy Wingo@*
46 Copyright @copyright{} 2017, 2018 Arun Isaac@*
47 Copyright @copyright{} 2017 nee@*
48 Copyright @copyright{} 2018 Rutger Helling
50 Permission is granted to copy, distribute and/or modify this document
51 under the terms of the GNU Free Documentation License, Version 1.3 or
52 any later version published by the Free Software Foundation; with no
53 Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
54 copy of the license is included in the section entitled ``GNU Free
55 Documentation License''.
58 @dircategory System administration
60 * Guix: (guix). Manage installed software and system configuration.
61 * guix package: (guix)Invoking guix package. Installing, removing, and upgrading packages.
62 * guix gc: (guix)Invoking guix gc. Reclaiming unused disk space.
63 * guix pull: (guix)Invoking guix pull. Update the list of available packages.
64 * guix system: (guix)Invoking guix system. Manage the operating system configuration.
67 @dircategory Software development
69 * guix environment: (guix)Invoking guix environment. Building development environments with Guix.
70 * guix build: (guix)Invoking guix build. Building packages.
71 * guix pack: (guix)Invoking guix pack. Creating binary bundles.
75 @title GNU Guix Reference Manual
76 @subtitle Using the GNU Guix Functional Package Manager
77 @author The GNU Guix Developers
80 @vskip 0pt plus 1filll
81 Edition @value{EDITION} @*
89 @c *********************************************************************
93 This document describes GNU Guix version @value{VERSION}, a functional
94 package management tool written for the GNU system.
97 * Introduction:: What is Guix about?
98 * Installation:: Installing Guix.
99 * Package Management:: Package installation, upgrade, etc.
100 * Programming Interface:: Using Guix in Scheme.
101 * Utilities:: Package management commands.
102 * GNU Distribution:: Software for your friendly GNU system.
103 * Contributing:: Your help needed!
105 * Acknowledgments:: Thanks!
106 * GNU Free Documentation License:: The license of this manual.
107 * Concept Index:: Concepts.
108 * Programming Index:: Data types, functions, and variables.
111 --- The Detailed Node Listing ---
115 * Binary Installation:: Getting Guix running in no time!
116 * Requirements:: Software needed to build and run Guix.
117 * Running the Test Suite:: Testing Guix.
118 * Setting Up the Daemon:: Preparing the build daemon's environment.
119 * Invoking guix-daemon:: Running the build daemon.
120 * Application Setup:: Application-specific setup.
122 Setting Up the Daemon
124 * Build Environment Setup:: Preparing the isolated build environment.
125 * Daemon Offload Setup:: Offloading builds to remote machines.
126 * SELinux Support:: Using an SELinux policy for the daemon.
130 * Features:: How Guix will make your life brighter.
131 * Invoking guix package:: Package installation, removal, etc.
132 * Substitutes:: Downloading pre-built binaries.
133 * Packages with Multiple Outputs:: Single source package, multiple outputs.
134 * Invoking guix gc:: Running the garbage collector.
135 * Invoking guix pull:: Fetching the latest Guix and distribution.
136 * Invoking guix pack:: Creating software bundles.
137 * Invoking guix archive:: Exporting and importing store files.
141 * Official Substitute Server:: One particular source of substitutes.
142 * Substitute Server Authorization:: How to enable or disable substitutes.
143 * Substitute Authentication:: How Guix verifies substitutes.
144 * Proxy Settings:: How to get substitutes via proxy.
145 * Substitution Failure:: What happens when substitution fails.
146 * On Trusting Binaries:: How can you trust that binary blob?
148 Programming Interface
150 * Defining Packages:: Defining new packages.
151 * Build Systems:: Specifying how packages are built.
152 * The Store:: Manipulating the package store.
153 * Derivations:: Low-level interface to package derivations.
154 * The Store Monad:: Purely functional interface to the store.
155 * G-Expressions:: Manipulating build expressions.
159 * package Reference :: The package data type.
160 * origin Reference:: The origin data type.
164 * Invoking guix build:: Building packages from the command line.
165 * Invoking guix edit:: Editing package definitions.
166 * Invoking guix download:: Downloading a file and printing its hash.
167 * Invoking guix hash:: Computing the cryptographic hash of a file.
168 * Invoking guix import:: Importing package definitions.
169 * Invoking guix refresh:: Updating package definitions.
170 * Invoking guix lint:: Finding errors in package definitions.
171 * Invoking guix size:: Profiling disk usage.
172 * Invoking guix graph:: Visualizing the graph of packages.
173 * Invoking guix environment:: Setting up development environments.
174 * Invoking guix publish:: Sharing substitutes.
175 * Invoking guix challenge:: Challenging substitute servers.
176 * Invoking guix copy:: Copying to and from a remote store.
177 * Invoking guix container:: Process isolation.
178 * Invoking guix weather:: Assessing substitute availability.
180 Invoking @command{guix build}
182 * Common Build Options:: Build options for most commands.
183 * Package Transformation Options:: Creating variants of packages.
184 * Additional Build Options:: Options specific to 'guix build'.
185 * Debugging Build Failures:: Real life packaging experience.
189 * System Installation:: Installing the whole operating system.
190 * System Configuration:: Configuring the operating system.
191 * Documentation:: Browsing software user manuals.
192 * Installing Debugging Files:: Feeding the debugger.
193 * Security Updates:: Deploying security fixes quickly.
194 * Package Modules:: Packages from the programmer's viewpoint.
195 * Packaging Guidelines:: Growing the distribution.
196 * Bootstrapping:: GNU/Linux built from scratch.
197 * Porting:: Targeting another platform or kernel.
201 * Limitations:: What you can expect.
202 * Hardware Considerations:: Supported hardware.
203 * USB Stick and DVD Installation:: Preparing the installation medium.
204 * Preparing for Installation:: Networking, partitioning, etc.
205 * Proceeding with the Installation:: The real thing.
206 * Installing GuixSD in a VM:: GuixSD playground.
207 * Building the Installation Image:: How this comes to be.
211 * Using the Configuration System:: Customizing your GNU system.
212 * operating-system Reference:: Detail of operating-system declarations.
213 * File Systems:: Configuring file system mounts.
214 * Mapped Devices:: Block device extra processing.
215 * User Accounts:: Specifying user accounts.
216 * Locales:: Language and cultural convention settings.
217 * Services:: Specifying system services.
218 * Setuid Programs:: Programs running with root privileges.
219 * X.509 Certificates:: Authenticating HTTPS servers.
220 * Name Service Switch:: Configuring libc's name service switch.
221 * Initial RAM Disk:: Linux-Libre bootstrapping.
222 * Bootloader Configuration:: Configuring the boot loader.
223 * Invoking guix system:: Instantiating a system configuration.
224 * Running GuixSD in a VM:: How to run GuixSD in a virtual machine.
225 * Defining Services:: Adding new service definitions.
229 * Base Services:: Essential system services.
230 * Scheduled Job Execution:: The mcron service.
231 * Log Rotation:: The rottlog service.
232 * Networking Services:: Network setup, SSH daemon, etc.
233 * X Window:: Graphical display.
234 * Printing Services:: Local and remote printer support.
235 * Desktop Services:: D-Bus and desktop services.
236 * Database Services:: SQL databases, key-value stores, etc.
237 * Mail Services:: IMAP, POP3, SMTP, and all that.
238 * Messaging Services:: Messaging services.
239 * Telephony Services:: Telephony services.
240 * Monitoring Services:: Monitoring services.
241 * Kerberos Services:: Kerberos services.
242 * Web Services:: Web servers.
243 * Certificate Services:: TLS certificates via Let's Encrypt.
244 * DNS Services:: DNS daemons.
245 * VPN Services:: VPN daemons.
246 * Network File System:: NFS related services.
247 * Continuous Integration:: The Cuirass service.
248 * Power management Services:: The TLP tool.
249 * Audio Services:: The MPD.
250 * Virtualization Services:: Virtualization services.
251 * Version Control Services:: Providing remote access to Git repositories.
252 * Game Services:: Game servers.
253 * Miscellaneous Services:: Other services.
257 * Service Composition:: The model for composing services.
258 * Service Types and Services:: Types and services.
259 * Service Reference:: API reference.
260 * Shepherd Services:: A particular type of service.
264 * Software Freedom:: What may go into the distribution.
265 * Package Naming:: What's in a name?
266 * Version Numbers:: When the name is not enough.
267 * Synopses and Descriptions:: Helping users find the right package.
268 * Python Modules:: A touch of British comedy.
269 * Perl Modules:: Little pearls.
270 * Java Packages:: Coffee break.
271 * Fonts:: Fond of fonts.
275 * Building from Git:: The latest and greatest.
276 * Running Guix Before It Is Installed:: Hacker tricks.
277 * The Perfect Setup:: The right tools.
278 * Coding Style:: Hygiene of the contributor.
279 * Submitting Patches:: Share your work.
283 * Programming Paradigm:: How to compose your elements.
284 * Modules:: Where to store your code?
285 * Data Types and Pattern Matching:: Implementing data structures.
286 * Formatting Code:: Writing conventions.
291 @c *********************************************************************
293 @chapter Introduction
296 GNU Guix@footnote{``Guix'' is pronounced like ``geeks'', or ``ɡiːks''
297 using the international phonetic alphabet (IPA).} is a package
298 management tool for the GNU system. Guix makes it easy for unprivileged
299 users to install, upgrade, or remove packages, to roll back to a
300 previous package set, to build packages from source, and generally
301 assists with the creation and maintenance of software environments.
303 @cindex user interfaces
304 Guix provides a command-line package management interface
305 (@pxref{Invoking guix package}), a set of command-line utilities
306 (@pxref{Utilities}), as well as Scheme programming interfaces
307 (@pxref{Programming Interface}).
309 Its @dfn{build daemon} is responsible for building packages on behalf of
310 users (@pxref{Setting Up the Daemon}) and for downloading pre-built
311 binaries from authorized sources (@pxref{Substitutes}).
313 @cindex extensibility of the distribution
314 @cindex customization, of packages
315 Guix includes package definitions for many GNU and non-GNU packages, all
316 of which @uref{https://www.gnu.org/philosophy/free-sw.html, respect the
317 user's computing freedom}. It is @emph{extensible}: users can write
318 their own package definitions (@pxref{Defining Packages}) and make them
319 available as independent package modules (@pxref{Package Modules}). It
320 is also @emph{customizable}: users can @emph{derive} specialized package
321 definitions from existing ones, including from the command line
322 (@pxref{Package Transformation Options}).
324 @cindex Guix System Distribution
326 You can install GNU@tie{}Guix on top of an existing GNU/Linux system
327 where it complements the available tools without interference
328 (@pxref{Installation}), or you can use it as part of the standalone
329 @dfn{Guix System Distribution} or GuixSD (@pxref{GNU Distribution}).
330 With GNU@tie{}GuixSD, you @emph{declare} all aspects of the operating
331 system configuration and Guix takes care of instantiating the
332 configuration in a transactional, reproducible, and stateless fashion
333 (@pxref{System Configuration}).
335 @cindex functional package management
336 Under the hood, Guix implements the @dfn{functional package management}
337 discipline pioneered by Nix (@pxref{Acknowledgments}).
338 In Guix, the package build and installation process is seen
339 as a @emph{function}, in the mathematical sense. That function takes inputs,
340 such as build scripts, a compiler, and libraries, and
341 returns an installed package. As a pure function, its result depends
342 solely on its inputs---for instance, it cannot refer to software or
343 scripts that were not explicitly passed as inputs. A build function
344 always produces the same result when passed a given set of inputs. It
345 cannot alter the environment of the running system in
346 any way; for instance, it cannot create, modify, or delete files outside
347 of its build and installation directories. This is achieved by running
348 build processes in isolated environments (or @dfn{containers}), where only their
349 explicit inputs are visible.
352 The result of package build functions is @dfn{cached} in the file
353 system, in a special directory called @dfn{the store} (@pxref{The
354 Store}). Each package is installed in a directory of its own in the
355 store---by default under @file{/gnu/store}. The directory name contains
356 a hash of all the inputs used to build that package; thus, changing an
357 input yields a different directory name.
359 This approach is the foundation for the salient features of Guix: support
360 for transactional package upgrade and rollback, per-user installation, and
361 garbage collection of packages (@pxref{Features}).
364 @c *********************************************************************
366 @chapter Installation
368 @cindex installing Guix
369 GNU Guix is available for download from its website at
370 @url{http://www.gnu.org/software/guix/}. This section describes the
371 software requirements of Guix, as well as how to install it and get
374 Note that this section is concerned with the installation of the package
375 manager, which can be done on top of a running GNU/Linux system. If,
376 instead, you want to install the complete GNU operating system,
377 @pxref{System Installation}.
379 @cindex foreign distro
380 When installed on a running GNU/Linux system---thereafter called a
381 @dfn{foreign distro}---GNU@tie{}Guix complements the available tools
382 without interference. Its data lives exclusively in two directories,
383 usually @file{/gnu/store} and @file{/var/guix}; other files on your
384 system, such as @file{/etc}, are left untouched.
386 Once installed, Guix can be updated by running @command{guix pull}
387 (@pxref{Invoking guix pull}).
390 * Binary Installation:: Getting Guix running in no time!
391 * Requirements:: Software needed to build and run Guix.
392 * Running the Test Suite:: Testing Guix.
393 * Setting Up the Daemon:: Preparing the build daemon's environment.
394 * Invoking guix-daemon:: Running the build daemon.
395 * Application Setup:: Application-specific setup.
398 @node Binary Installation
399 @section Binary Installation
401 @cindex installing Guix from binaries
402 This section describes how to install Guix on an arbitrary system from a
403 self-contained tarball providing binaries for Guix and for all its
404 dependencies. This is often quicker than installing from source, which
405 is described in the next sections. The only requirement is to have
409 @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh,
410 shell installer script}, which automates the download, installation, and
411 initial configuration of Guix. It should be run as the root user.
413 Installing goes along these lines:
417 @cindex downloading Guix binary
418 Download the binary tarball from
419 @indicateurl{ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz},
420 where @var{system} is @code{x86_64-linux} for an @code{x86_64} machine
421 already running the kernel Linux, and so on.
423 @c The following is somewhat duplicated in ``System Installation''.
424 Make sure to download the associated @file{.sig} file and to verify the
425 authenticity of the tarball against it, along these lines:
428 $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz.sig
429 $ gpg --verify guix-binary-@value{VERSION}.@var{system}.tar.xz.sig
432 If that command fails because you do not have the required public key,
433 then run this command to import it:
436 $ gpg --keyserver pgp.mit.edu --recv-keys @value{OPENPGP-SIGNING-KEY-ID}
440 and rerun the @code{gpg --verify} command.
441 @c end authentication part
448 # tar --warning=no-timestamp -xf \
449 guix-binary-@value{VERSION}.@var{system}.tar.xz
450 # mv var/guix /var/ && mv gnu /
453 This creates @file{/gnu/store} (@pxref{The Store}) and @file{/var/guix}.
454 The latter contains a ready-to-use profile for @code{root} (see next
457 Do @emph{not} unpack the tarball on a working Guix system since that
458 would overwrite its own essential files.
460 The @code{--warning=no-timestamp} option makes sure GNU@tie{}tar does
461 not emit warnings about ``implausibly old time stamps'' (such
462 warnings were triggered by GNU@tie{}tar 1.26 and older; recent
464 They stem from the fact that all the
465 files in the archive have their modification time set to zero (which
466 means January 1st, 1970.) This is done on purpose to make sure the
467 archive content is independent of its creation time, thus making it
471 Make @code{root}'s profile available under @file{~/.guix-profile}:
474 # ln -sf /var/guix/profiles/per-user/root/guix-profile \
478 Source @file{etc/profile} to augment @code{PATH} and other relevant
479 environment variables:
482 # GUIX_PROFILE=$HOME/.guix-profile ; \
483 source $GUIX_PROFILE/etc/profile
487 Create the group and user accounts for build users as explained below
488 (@pxref{Build Environment Setup}).
491 Run the daemon, and set it to automatically start on boot.
493 If your host distro uses the systemd init system, this can be achieved
496 @c Versions of systemd that supported symlinked service files are not
497 @c yet widely deployed, so we should suggest that users copy the service
500 @c See this thread for more information:
501 @c http://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
504 # cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \
506 # systemctl start guix-daemon && systemctl enable guix-daemon
509 If your host distro uses the Upstart init system:
512 # initctl reload-configuration
513 # cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/
517 Otherwise, you can still start the daemon manually with:
520 # ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
524 Make the @command{guix} command available to other users on the machine,
528 # mkdir -p /usr/local/bin
530 # ln -s /var/guix/profiles/per-user/root/guix-profile/bin/guix
533 It is also a good idea to make the Info version of this manual available
537 # mkdir -p /usr/local/share/info
538 # cd /usr/local/share/info
539 # for i in /var/guix/profiles/per-user/root/guix-profile/share/info/* ;
543 That way, assuming @file{/usr/local/share/info} is in the search path,
544 running @command{info guix} will open this manual (@pxref{Other Info
545 Directories,,, texinfo, GNU Texinfo}, for more details on changing the
549 @cindex substitutes, authorization thereof
550 To use substitutes from @code{hydra.gnu.org} or one of its mirrors
551 (@pxref{Substitutes}), authorize them:
554 # guix archive --authorize < ~root/.guix-profile/share/guix/hydra.gnu.org.pub
558 Each user may need to perform a few additional steps to make their Guix
559 environment ready for use, @pxref{Application Setup}.
562 Voilà, the installation is complete!
564 You can confirm that Guix is working by installing a sample package into
568 # guix package -i hello
571 The @code{guix} package must remain available in @code{root}'s profile,
572 or it would become subject to garbage collection---in which case you
573 would find yourself badly handicapped by the lack of the @command{guix}
574 command. In other words, do not remove @code{guix} by running
575 @code{guix package -r guix}.
577 The binary installation tarball can be (re)produced and verified simply
578 by running the following command in the Guix source tree:
581 make guix-binary.@var{system}.tar.xz
585 ... which, in turn, runs:
588 guix pack -s @var{system} --localstatedir guix
591 @xref{Invoking guix pack}, for more info on this handy tool.
594 @section Requirements
596 This section lists requirements when building Guix from source. The
597 build procedure for Guix is the same as for other GNU software, and is
598 not covered here. Please see the files @file{README} and @file{INSTALL}
599 in the Guix source tree for additional details.
601 GNU Guix depends on the following packages:
604 @item @url{http://gnu.org/software/guile/, GNU Guile}, version 2.0.9 or
605 later, including 2.2.x;
606 @item @url{http://gnupg.org/, GNU libgcrypt};
608 @uref{http://gnutls.org/, GnuTLS}, specifically its Guile bindings
609 (@pxref{Guile Preparations, how to install the GnuTLS bindings for
610 Guile,, gnutls-guile, GnuTLS-Guile});
612 @c FIXME: Specify a version number once a release has been made.
613 @uref{https://gitlab.com/guile-git/guile-git, Guile-Git}, from August
615 @item @url{http://zlib.net, zlib};
616 @item @url{http://www.gnu.org/software/make/, GNU Make}.
619 The following dependencies are optional:
624 @url{http://savannah.nongnu.org/projects/guile-json/, Guile-JSON} will
625 allow you to use the @command{guix import pypi} command (@pxref{Invoking
626 guix import}). It is of
627 interest primarily for developers and not for casual users.
630 @c Note: We need at least 0.10.2 for 'channel-send-eof'.
631 Support for build offloading (@pxref{Daemon Offload Setup}) and
632 @command{guix copy} (@pxref{Invoking guix copy}) depends on
633 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH},
634 version 0.10.2 or later.
637 When @url{http://www.bzip.org, libbz2} is available,
638 @command{guix-daemon} can use it to compress build logs.
641 Unless @code{--disable-daemon} was passed to @command{configure}, the
642 following packages are also needed:
645 @item @url{http://sqlite.org, SQLite 3};
646 @item @url{http://gcc.gnu.org, GCC's g++}, with support for the
650 @cindex state directory
651 When configuring Guix on a system that already has a Guix installation,
652 be sure to specify the same state directory as the existing installation
653 using the @code{--localstatedir} option of the @command{configure}
654 script (@pxref{Directory Variables, @code{localstatedir},, standards,
655 GNU Coding Standards}). The @command{configure} script protects against
656 unintended misconfiguration of @var{localstatedir} so you do not
657 inadvertently corrupt your store (@pxref{The Store}).
659 @cindex Nix, compatibility
660 When a working installation of @url{http://nixos.org/nix/, the Nix package
661 manager} is available, you
662 can instead configure Guix with @code{--disable-daemon}. In that case,
663 Nix replaces the three dependencies above.
665 Guix is compatible with Nix, so it is possible to share the same store
666 between both. To do so, you must pass @command{configure} not only the
667 same @code{--with-store-dir} value, but also the same
668 @code{--localstatedir} value. The latter is essential because it
669 specifies where the database that stores metadata about the store is
670 located, among other things. The default values for Nix are
671 @code{--with-store-dir=/nix/store} and @code{--localstatedir=/nix/var}.
672 Note that @code{--disable-daemon} is not required if
673 your goal is to share the store with Nix.
675 @node Running the Test Suite
676 @section Running the Test Suite
679 After a successful @command{configure} and @code{make} run, it is a good
680 idea to run the test suite. It can help catch issues with the setup or
681 environment, or bugs in Guix itself---and really, reporting test
682 failures is a good way to help improve the software. To run the test
689 Test cases can run in parallel: you can use the @code{-j} option of
690 GNU@tie{}make to speed things up. The first run may take a few minutes
691 on a recent machine; subsequent runs will be faster because the store
692 that is created for test purposes will already have various things in
695 It is also possible to run a subset of the tests by defining the
696 @code{TESTS} makefile variable as in this example:
699 make check TESTS="tests/store.scm tests/cpio.scm"
702 By default, tests results are displayed at a file level. In order to
703 see the details of every individual test cases, it is possible to define
704 the @code{SCM_LOG_DRIVER_FLAGS} makefile variable as in this example:
707 make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no"
710 Upon failure, please email @email{bug-guix@@gnu.org} and attach the
711 @file{test-suite.log} file. Please specify the Guix version being used
712 as well as version numbers of the dependencies (@pxref{Requirements}) in
715 Guix also comes with a whole-system test suite that tests complete
716 GuixSD operating system instances. It can only run on systems where
717 Guix is already installed, using:
724 or, again, by defining @code{TESTS} to select a subset of tests to run:
727 make check-system TESTS="basic mcron"
730 These system tests are defined in the @code{(gnu tests @dots{})}
731 modules. They work by running the operating systems under test with
732 lightweight instrumentation in a virtual machine (VM). They can be
733 computationally intensive or rather cheap, depending on whether
734 substitutes are available for their dependencies (@pxref{Substitutes}).
735 Some of them require a lot of storage space to hold VM images.
737 Again in case of test failures, please send @email{bug-guix@@gnu.org}
740 @node Setting Up the Daemon
741 @section Setting Up the Daemon
744 Operations such as building a package or running the garbage collector
745 are all performed by a specialized process, the @dfn{build daemon}, on
746 behalf of clients. Only the daemon may access the store and its
747 associated database. Thus, any operation that manipulates the store
748 goes through the daemon. For instance, command-line tools such as
749 @command{guix package} and @command{guix build} communicate with the
750 daemon (@i{via} remote procedure calls) to instruct it what to do.
752 The following sections explain how to prepare the build daemon's
753 environment. See also @ref{Substitutes}, for information on how to allow
754 the daemon to download pre-built binaries.
757 * Build Environment Setup:: Preparing the isolated build environment.
758 * Daemon Offload Setup:: Offloading builds to remote machines.
759 * SELinux Support:: Using an SELinux policy for the daemon.
762 @node Build Environment Setup
763 @subsection Build Environment Setup
765 @cindex build environment
766 In a standard multi-user setup, Guix and its daemon---the
767 @command{guix-daemon} program---are installed by the system
768 administrator; @file{/gnu/store} is owned by @code{root} and
769 @command{guix-daemon} runs as @code{root}. Unprivileged users may use
770 Guix tools to build packages or otherwise access the store, and the
771 daemon will do it on their behalf, ensuring that the store is kept in a
772 consistent state, and allowing built packages to be shared among users.
775 When @command{guix-daemon} runs as @code{root}, you may not want package
776 build processes themselves to run as @code{root} too, for obvious
777 security reasons. To avoid that, a special pool of @dfn{build users}
778 should be created for use by build processes started by the daemon.
779 These build users need not have a shell and a home directory: they will
780 just be used when the daemon drops @code{root} privileges in build
781 processes. Having several such users allows the daemon to launch
782 distinct build processes under separate UIDs, which guarantees that they
783 do not interfere with each other---an essential feature since builds are
784 regarded as pure functions (@pxref{Introduction}).
786 On a GNU/Linux system, a build user pool may be created like this (using
787 Bash syntax and the @code{shadow} commands):
789 @c See http://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html
790 @c for why `-G' is needed.
792 # groupadd --system guixbuild
793 # for i in `seq -w 1 10`;
795 useradd -g guixbuild -G guixbuild \
796 -d /var/empty -s `which nologin` \
797 -c "Guix build user $i" --system \
803 The number of build users determines how many build jobs may run in
804 parallel, as specified by the @option{--max-jobs} option
805 (@pxref{Invoking guix-daemon, @option{--max-jobs}}). To use
806 @command{guix system vm} and related commands, you may need to add the
807 build users to the @code{kvm} group so they can access @file{/dev/kvm},
808 using @code{-G guixbuild,kvm} instead of @code{-G guixbuild}
809 (@pxref{Invoking guix system}).
811 The @code{guix-daemon} program may then be run as @code{root} with the
812 following command@footnote{If your machine uses the systemd init system,
813 dropping the @file{@var{prefix}/lib/systemd/system/guix-daemon.service}
814 file in @file{/etc/systemd/system} will ensure that
815 @command{guix-daemon} is automatically started. Similarly, if your
816 machine uses the Upstart init system, drop the
817 @file{@var{prefix}/lib/upstart/system/guix-daemon.conf}
818 file in @file{/etc/init}.}:
821 # guix-daemon --build-users-group=guixbuild
826 This way, the daemon starts build processes in a chroot, under one of
827 the @code{guixbuilder} users. On GNU/Linux, by default, the chroot
828 environment contains nothing but:
830 @c Keep this list in sync with libstore/build.cc! -----------------------
833 a minimal @code{/dev} directory, created mostly independently from the
834 host @code{/dev}@footnote{``Mostly'', because while the set of files
835 that appear in the chroot's @code{/dev} is fixed, most of these files
836 can only be created if the host has them.};
839 the @code{/proc} directory; it only shows the processes of the container
840 since a separate PID name space is used;
843 @file{/etc/passwd} with an entry for the current user and an entry for
847 @file{/etc/group} with an entry for the user's group;
850 @file{/etc/hosts} with an entry that maps @code{localhost} to
854 a writable @file{/tmp} directory.
857 You can influence the directory where the daemon stores build trees
858 @i{via} the @code{TMPDIR} environment variable. However, the build tree
859 within the chroot is always called @file{/tmp/guix-build-@var{name}.drv-0},
860 where @var{name} is the derivation name---e.g., @code{coreutils-8.24}.
861 This way, the value of @code{TMPDIR} does not leak inside build
862 environments, which avoids discrepancies in cases where build processes
863 capture the name of their build tree.
866 The daemon also honors the @code{http_proxy} environment variable for
867 HTTP downloads it performs, be it for fixed-output derivations
868 (@pxref{Derivations}) or for substitutes (@pxref{Substitutes}).
870 If you are installing Guix as an unprivileged user, it is still possible
871 to run @command{guix-daemon} provided you pass @code{--disable-chroot}.
872 However, build processes will not be isolated from one another, and not
873 from the rest of the system. Thus, build processes may interfere with
874 each other, and may access programs, libraries, and other files
875 available on the system---making it much harder to view them as
876 @emph{pure} functions.
879 @node Daemon Offload Setup
880 @subsection Using the Offload Facility
884 When desired, the build daemon can @dfn{offload} derivation builds to
885 other machines running Guix, using the @code{offload} @dfn{build
886 hook}@footnote{This feature is available only when
887 @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH} is
889 feature is enabled, a list of user-specified build machines is read from
890 @file{/etc/guix/machines.scm}; every time a build is requested, for
891 instance via @code{guix build}, the daemon attempts to offload it to one
892 of the machines that satisfy the constraints of the derivation, in
893 particular its system type---e.g., @file{x86_64-linux}. Missing
894 prerequisites for the build are copied over SSH to the target machine,
895 which then proceeds with the build; upon success the output(s) of the
896 build are copied back to the initial machine.
898 The @file{/etc/guix/machines.scm} file typically looks like this:
902 (name "eightysix.example.org")
903 (system "x86_64-linux")
904 (host-key "ssh-ed25519 AAAAC3Nza@dots{}")
906 (speed 2.)) ;incredibly fast!
909 (name "meeps.example.org")
910 (system "mips64el-linux")
911 (host-key "ssh-rsa AAAAB3Nza@dots{}")
914 (string-append (getenv "HOME")
915 "/.ssh/identity-for-guix"))))
919 In the example above we specify a list of two build machines, one for
920 the @code{x86_64} architecture and one for the @code{mips64el}
923 In fact, this file is---not surprisingly!---a Scheme file that is
924 evaluated when the @code{offload} hook is started. Its return value
925 must be a list of @code{build-machine} objects. While this example
926 shows a fixed list of build machines, one could imagine, say, using
927 DNS-SD to return a list of potential build machines discovered in the
928 local network (@pxref{Introduction, Guile-Avahi,, guile-avahi, Using
929 Avahi in Guile Scheme Programs}). The @code{build-machine} data type is
932 @deftp {Data Type} build-machine
933 This data type represents build machines to which the daemon may offload
934 builds. The important fields are:
939 The host name of the remote machine.
942 The system type of the remote machine---e.g., @code{"x86_64-linux"}.
945 The user account to use when connecting to the remote machine over SSH.
946 Note that the SSH key pair must @emph{not} be passphrase-protected, to
947 allow non-interactive logins.
950 This must be the machine's SSH @dfn{public host key} in OpenSSH format.
951 This is used to authenticate the machine when we connect to it. It is a
952 long string that looks like this:
955 ssh-ed25519 AAAAC3NzaC@dots{}mde+UhL hint@@example.org
958 If the machine is running the OpenSSH daemon, @command{sshd}, the host
959 key can be found in a file such as
960 @file{/etc/ssh/ssh_host_ed25519_key.pub}.
962 If the machine is running the SSH daemon of GNU@tie{}lsh,
963 @command{lshd}, the host key is in @file{/etc/lsh/host-key.pub} or a
964 similar file. It can be converted to the OpenSSH format using
965 @command{lsh-export-key} (@pxref{Converting keys,,, lsh, LSH Manual}):
968 $ lsh-export-key --openssh < /etc/lsh/host-key.pub
969 ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV@dots{}
974 A number of optional fields may be specified:
978 @item @code{port} (default: @code{22})
979 Port number of SSH server on the machine.
981 @item @code{private-key} (default: @file{~root/.ssh/id_rsa})
982 The SSH private key file to use when connecting to the machine, in
985 Note that the default value is the private key @emph{of the root
986 account}. Make sure it exists if you use the default.
988 @item @code{compression} (default: @code{"zlib@@openssh.com,zlib"})
989 @itemx @code{compression-level} (default: @code{3})
990 The SSH-level compression methods and compression level requested.
992 Note that offloading relies on SSH compression to reduce bandwidth usage
993 when transferring files to and from build machines.
995 @item @code{daemon-socket} (default: @code{"/var/guix/daemon-socket/socket"})
996 File name of the Unix-domain socket @command{guix-daemon} is listening
999 @item @code{parallel-builds} (default: @code{1})
1000 The number of builds that may run in parallel on the machine.
1002 @item @code{speed} (default: @code{1.0})
1003 A ``relative speed factor''. The offload scheduler will tend to prefer
1004 machines with a higher speed factor.
1006 @item @code{features} (default: @code{'()})
1007 A list of strings denoting specific features supported by the machine.
1008 An example is @code{"kvm"} for machines that have the KVM Linux modules
1009 and corresponding hardware support. Derivations can request features by
1010 name, and they will be scheduled on matching build machines.
1015 The @code{guile} command must be in the search path on the build
1016 machines. In addition, the Guix modules must be in
1017 @code{$GUILE_LOAD_PATH} on the build machine---you can check whether
1018 this is the case by running:
1021 ssh build-machine guile -c "'(use-modules (guix config))'"
1024 There is one last thing to do once @file{machines.scm} is in place. As
1025 explained above, when offloading, files are transferred back and forth
1026 between the machine stores. For this to work, you first need to
1027 generate a key pair on each machine to allow the daemon to export signed
1028 archives of files from the store (@pxref{Invoking guix archive}):
1031 # guix archive --generate-key
1035 Each build machine must authorize the key of the master machine so that
1036 it accepts store items it receives from the master:
1039 # guix archive --authorize < master-public-key.txt
1043 Likewise, the master machine must authorize the key of each build machine.
1045 All the fuss with keys is here to express pairwise mutual trust
1046 relations between the master and the build machines. Concretely, when
1047 the master receives files from a build machine (and @i{vice versa}), its
1048 build daemon can make sure they are genuine, have not been tampered
1049 with, and that they are signed by an authorized key.
1051 @cindex offload test
1052 To test whether your setup is operational, run this command on the
1059 This will attempt to connect to each of the build machines specified in
1060 @file{/etc/guix/machines.scm}, make sure Guile and the Guix modules are
1061 available on each machine, attempt to export to the machine and import
1062 from it, and report any error in the process.
1064 If you want to test a different machine file, just specify it on the
1068 # guix offload test machines-qualif.scm
1071 Last, you can test the subset of the machines whose name matches a
1072 regular expression like this:
1075 # guix offload test machines.scm '\.gnu\.org$'
1078 @cindex offload status
1079 To display the current load of all build hosts, run this command on the
1083 # guix offload status
1087 @node SELinux Support
1088 @subsection SELinux Support
1090 @cindex SELinux, daemon policy
1091 @cindex mandatory access control, SELinux
1092 @cindex security, guix-daemon
1093 Guix includes an SELinux policy file at @file{etc/guix-daemon.cil} that
1094 can be installed on a system where SELinux is enabled, in order to label
1095 Guix files and to specify the expected behavior of the daemon. Since
1096 GuixSD does not provide an SELinux base policy, the daemon policy cannot
1099 @subsubsection Installing the SELinux policy
1100 @cindex SELinux, policy installation
1101 To install the policy run this command as root:
1104 semodule -i etc/guix-daemon.cil
1107 Then relabel the file system with @code{restorecon} or by a different
1108 mechanism provided by your system.
1110 Once the policy is installed, the file system has been relabeled, and
1111 the daemon has been restarted, it should be running in the
1112 @code{guix_daemon_t} context. You can confirm this with the following
1116 ps -Zax | grep guix-daemon
1119 Monitor the SELinux log files as you run a command like @code{guix build
1120 hello} to convince yourself that SELinux permits all necessary
1123 @subsubsection Limitations
1124 @cindex SELinux, limitations
1126 This policy is not perfect. Here is a list of limitations or quirks
1127 that should be considered when deploying the provided SELinux policy for
1132 @code{guix_daemon_socket_t} isn’t actually used. None of the socket
1133 operations involve contexts that have anything to do with
1134 @code{guix_daemon_socket_t}. It doesn’t hurt to have this unused label,
1135 but it would be preferrable to define socket rules for only this label.
1138 @code{guix gc} cannot access arbitrary links to profiles. By design,
1139 the file label of the destination of a symlink is independent of the
1140 file label of the link itself. Although all profiles under
1141 $localstatedir are labelled, the links to these profiles inherit the
1142 label of the directory they are in. For links in the user’s home
1143 directory this will be @code{user_home_t}. But for links from the root
1144 user’s home directory, or @file{/tmp}, or the HTTP server’s working
1145 directory, etc, this won’t work. @code{guix gc} would be prevented from
1146 reading and following these links.
1149 The daemon’s feature to listen for TCP connections might no longer work.
1150 This might require extra rules, because SELinux treats network sockets
1151 differently from files.
1154 Currently all files with a name matching the regular expression
1155 @code{/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon} are assigned the
1156 label @code{guix_daemon_exec_t}; this means that @emph{any} file with
1157 that name in any profile would be permitted to run in the
1158 @code{guix_daemon_t} domain. This is not ideal. An attacker could
1159 build a package that provides this executable and convince a user to
1160 install and run it, which lifts it into the @code{guix_daemon_t} domain.
1161 At that point SELinux could not prevent it from accessing files that are
1162 allowed for processes in that domain.
1164 We could generate a much more restrictive policy at installation time,
1165 so that only the @emph{exact} file name of the currently installed
1166 @code{guix-daemon} executable would be labelled with
1167 @code{guix_daemon_exec_t}, instead of using a broad regular expression.
1168 The downside is that root would have to install or upgrade the policy at
1169 installation time whenever the Guix package that provides the
1170 effectively running @code{guix-daemon} executable is upgraded.
1173 @node Invoking guix-daemon
1174 @section Invoking @command{guix-daemon}
1176 The @command{guix-daemon} program implements all the functionality to
1177 access the store. This includes launching build processes, running the
1178 garbage collector, querying the availability of a build result, etc. It
1179 is normally run as @code{root} like this:
1182 # guix-daemon --build-users-group=guixbuild
1186 For details on how to set it up, @pxref{Setting Up the Daemon}.
1189 @cindex container, build environment
1190 @cindex build environment
1191 @cindex reproducible builds
1192 By default, @command{guix-daemon} launches build processes under
1193 different UIDs, taken from the build group specified with
1194 @code{--build-users-group}. In addition, each build process is run in a
1195 chroot environment that only contains the subset of the store that the
1196 build process depends on, as specified by its derivation
1197 (@pxref{Programming Interface, derivation}), plus a set of specific
1198 system directories. By default, the latter contains @file{/dev} and
1199 @file{/dev/pts}. Furthermore, on GNU/Linux, the build environment is a
1200 @dfn{container}: in addition to having its own file system tree, it has
1201 a separate mount name space, its own PID name space, network name space,
1202 etc. This helps achieve reproducible builds (@pxref{Features}).
1204 When the daemon performs a build on behalf of the user, it creates a
1205 build directory under @file{/tmp} or under the directory specified by
1206 its @code{TMPDIR} environment variable; this directory is shared with
1207 the container for the duration of the build. Be aware that using a
1208 directory other than @file{/tmp} can affect build results---for example,
1209 with a longer directory name, a build process that uses Unix-domain
1210 sockets might hit the name length limitation for @code{sun_path}, which
1211 it would otherwise not hit.
1213 The build directory is automatically deleted upon completion, unless the
1214 build failed and the client specified @option{--keep-failed}
1215 (@pxref{Invoking guix build, @option{--keep-failed}}).
1217 The following command-line options are supported:
1220 @item --build-users-group=@var{group}
1221 Take users from @var{group} to run build processes (@pxref{Setting Up
1222 the Daemon, build users}).
1224 @item --no-substitutes
1226 Do not use substitutes for build products. That is, always build things
1227 locally instead of allowing downloads of pre-built binaries
1228 (@pxref{Substitutes}).
1230 When the daemon runs with @code{--no-substitutes}, clients can still
1231 explicitly enable substitution @i{via} the @code{set-build-options}
1232 remote procedure call (@pxref{The Store}).
1234 @item --substitute-urls=@var{urls}
1235 @anchor{daemon-substitute-urls}
1236 Consider @var{urls} the default whitespace-separated list of substitute
1237 source URLs. When this option is omitted,
1238 @indicateurl{https://mirror.hydra.gnu.org https://hydra.gnu.org} is used
1239 (@code{mirror.hydra.gnu.org} is a mirror of @code{hydra.gnu.org}).
1241 This means that substitutes may be downloaded from @var{urls}, as long
1242 as they are signed by a trusted signature (@pxref{Substitutes}).
1245 @item --no-build-hook
1246 Do not use the @dfn{build hook}.
1248 The build hook is a helper program that the daemon can start and to
1249 which it submits build requests. This mechanism is used to offload
1250 builds to other machines (@pxref{Daemon Offload Setup}).
1252 @item --cache-failures
1253 Cache build failures. By default, only successful builds are cached.
1255 When this option is used, @command{guix gc --list-failures} can be used
1256 to query the set of store items marked as failed; @command{guix gc
1257 --clear-failures} removes store items from the set of cached failures.
1258 @xref{Invoking guix gc}.
1260 @item --cores=@var{n}
1262 Use @var{n} CPU cores to build each derivation; @code{0} means as many
1265 The default value is @code{0}, but it may be overridden by clients, such
1266 as the @code{--cores} option of @command{guix build} (@pxref{Invoking
1269 The effect is to define the @code{NIX_BUILD_CORES} environment variable
1270 in the build process, which can then use it to exploit internal
1271 parallelism---for instance, by running @code{make -j$NIX_BUILD_CORES}.
1273 @item --max-jobs=@var{n}
1275 Allow at most @var{n} build jobs in parallel. The default value is
1276 @code{1}. Setting it to @code{0} means that no builds will be performed
1277 locally; instead, the daemon will offload builds (@pxref{Daemon Offload
1278 Setup}), or simply fail.
1280 @item --max-silent-time=@var{seconds}
1281 When the build or substitution process remains silent for more than
1282 @var{seconds}, terminate it and report a build failure.
1284 The default value is @code{0}, which disables the timeout.
1286 The value specified here can be overridden by clients (@pxref{Common
1287 Build Options, @code{--max-silent-time}}).
1289 @item --timeout=@var{seconds}
1290 Likewise, when the build or substitution process lasts for more than
1291 @var{seconds}, terminate it and report a build failure.
1293 The default value is @code{0}, which disables the timeout.
1295 The value specified here can be overridden by clients (@pxref{Common
1296 Build Options, @code{--timeout}}).
1298 @item --rounds=@var{N}
1299 Build each derivation @var{n} times in a row, and raise an error if
1300 consecutive build results are not bit-for-bit identical. Note that this
1301 setting can be overridden by clients such as @command{guix build}
1302 (@pxref{Invoking guix build}).
1304 When used in conjunction with @option{--keep-failed}, the differing
1305 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
1306 This makes it easy to look for differences between the two results.
1309 Produce debugging output.
1311 This is useful to debug daemon start-up issues, but then it may be
1312 overridden by clients, for example the @code{--verbosity} option of
1313 @command{guix build} (@pxref{Invoking guix build}).
1315 @item --chroot-directory=@var{dir}
1316 Add @var{dir} to the build chroot.
1318 Doing this may change the result of build processes---for instance if
1319 they use optional dependencies found in @var{dir} when it is available,
1320 and not otherwise. For that reason, it is not recommended to do so.
1321 Instead, make sure that each derivation declares all the inputs that it
1324 @item --disable-chroot
1325 Disable chroot builds.
1327 Using this option is not recommended since, again, it would allow build
1328 processes to gain access to undeclared dependencies. It is necessary,
1329 though, when @command{guix-daemon} is running under an unprivileged user
1332 @item --log-compression=@var{type}
1333 Compress build logs according to @var{type}, one of @code{gzip},
1334 @code{bzip2}, or @code{none}.
1336 Unless @code{--lose-logs} is used, all the build logs are kept in the
1337 @var{localstatedir}. To save space, the daemon automatically compresses
1338 them with bzip2 by default.
1340 @item --disable-deduplication
1341 @cindex deduplication
1342 Disable automatic file ``deduplication'' in the store.
1344 By default, files added to the store are automatically ``deduplicated'':
1345 if a newly added file is identical to another one found in the store,
1346 the daemon makes the new file a hard link to the other file. This can
1347 noticeably reduce disk usage, at the expense of slightly increased
1348 input/output load at the end of a build process. This option disables
1351 @item --gc-keep-outputs[=yes|no]
1352 Tell whether the garbage collector (GC) must keep outputs of live
1356 @cindex garbage collector roots
1357 When set to ``yes'', the GC will keep the outputs of any live derivation
1358 available in the store---the @code{.drv} files. The default is ``no'',
1359 meaning that derivation outputs are kept only if they are GC roots.
1360 @xref{Invoking guix gc}, for more on GC roots.
1362 @item --gc-keep-derivations[=yes|no]
1363 Tell whether the garbage collector (GC) must keep derivations
1364 corresponding to live outputs.
1366 When set to ``yes'', as is the case by default, the GC keeps
1367 derivations---i.e., @code{.drv} files---as long as at least one of their
1368 outputs is live. This allows users to keep track of the origins of
1369 items in their store. Setting it to ``no'' saves a bit of disk space.
1371 Note that when both @code{--gc-keep-derivations} and
1372 @code{--gc-keep-outputs} are used, the effect is to keep all the build
1373 prerequisites (the sources, compiler, libraries, and other build-time
1374 tools) of live objects in the store, regardless of whether these
1375 prerequisites are live. This is convenient for developers since it
1376 saves rebuilds or downloads.
1378 @item --impersonate-linux-2.6
1379 On Linux-based systems, impersonate Linux 2.6. This means that the
1380 kernel's @code{uname} system call will report 2.6 as the release number.
1382 This might be helpful to build programs that (usually wrongfully) depend
1383 on the kernel version number.
1386 Do not keep build logs. By default they are kept under
1387 @code{@var{localstatedir}/guix/log}.
1389 @item --system=@var{system}
1390 Assume @var{system} as the current system type. By default it is the
1391 architecture/kernel pair found at configure time, such as
1392 @code{x86_64-linux}.
1394 @item --listen=@var{endpoint}
1395 Listen for connections on @var{endpoint}. @var{endpoint} is interpreted
1396 as the file name of a Unix-domain socket if it starts with
1397 @code{/} (slash sign). Otherwise, @var{endpoint} is interpreted as a
1398 host name or host name and port to listen to. Here are a few examples:
1401 @item --listen=/gnu/var/daemon
1402 Listen for connections on the @file{/gnu/var/daemon} Unix-domain socket,
1403 creating it if needed.
1405 @item --listen=localhost
1406 @cindex daemon, remote access
1407 @cindex remote access to the daemon
1408 @cindex daemon, cluster setup
1409 @cindex clusters, daemon setup
1410 Listen for TCP connections on the network interface corresponding to
1411 @code{localhost}, on port 44146.
1413 @item --listen=128.0.0.42:1234
1414 Listen for TCP connections on the network interface corresponding to
1415 @code{128.0.0.42}, on port 1234.
1418 This option can be repeated multiple times, in which case
1419 @command{guix-daemon} accepts connections on all the specified
1420 endpoints. Users can tell client commands what endpoint to connect to
1421 by setting the @code{GUIX_DAEMON_SOCKET} environment variable
1422 (@pxref{The Store, @code{GUIX_DAEMON_SOCKET}}).
1425 The daemon protocol is @emph{unauthenticated and unencrypted}. Using
1426 @code{--listen=@var{host}} is suitable on local networks, such as
1427 clusters, where only trusted nodes may connect to the build daemon. In
1428 other cases where remote access to the daemon is needed, we recommend
1429 using Unix-domain sockets along with SSH.
1432 When @code{--listen} is omitted, @command{guix-daemon} listens for
1433 connections on the Unix-domain socket located at
1434 @file{@var{localstatedir}/guix/daemon-socket/socket}.
1438 @node Application Setup
1439 @section Application Setup
1441 @cindex foreign distro
1442 When using Guix on top of GNU/Linux distribution other than GuixSD---a
1443 so-called @dfn{foreign distro}---a few additional steps are needed to
1444 get everything in place. Here are some of them.
1448 @anchor{locales-and-locpath}
1449 @cindex locales, when not on GuixSD
1451 @vindex GUIX_LOCPATH
1452 Packages installed @i{via} Guix will not use the locale data of the
1453 host system. Instead, you must first install one of the locale packages
1454 available with Guix and then define the @code{GUIX_LOCPATH} environment
1458 $ guix package -i glibc-locales
1459 $ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale
1462 Note that the @code{glibc-locales} package contains data for all the
1463 locales supported by the GNU@tie{}libc and weighs in at around
1464 110@tie{}MiB. Alternatively, the @code{glibc-utf8-locales} is smaller but
1465 limited to a few UTF-8 locales.
1467 The @code{GUIX_LOCPATH} variable plays a role similar to @code{LOCPATH}
1468 (@pxref{Locale Names, @code{LOCPATH},, libc, The GNU C Library Reference
1469 Manual}). There are two important differences though:
1473 @code{GUIX_LOCPATH} is honored only by the libc in Guix, and not by the libc
1474 provided by foreign distros. Thus, using @code{GUIX_LOCPATH} allows you
1475 to make sure the programs of the foreign distro will not end up loading
1476 incompatible locale data.
1479 libc suffixes each entry of @code{GUIX_LOCPATH} with @code{/X.Y}, where
1480 @code{X.Y} is the libc version---e.g., @code{2.22}. This means that,
1481 should your Guix profile contain a mixture of programs linked against
1482 different libc version, each libc version will only try to load locale
1483 data in the right format.
1486 This is important because the locale data format used by different libc
1487 versions may be incompatible.
1489 @subsection Name Service Switch
1491 @cindex name service switch, glibc
1492 @cindex NSS (name service switch), glibc
1493 @cindex nscd (name service caching daemon)
1494 @cindex name service caching daemon (nscd)
1495 When using Guix on a foreign distro, we @emph{strongly recommend} that
1496 the system run the GNU C library's @dfn{name service cache daemon},
1497 @command{nscd}, which should be listening on the
1498 @file{/var/run/nscd/socket} socket. Failing to do that, applications
1499 installed with Guix may fail to look up host names or user accounts, or
1500 may even crash. The next paragraphs explain why.
1502 @cindex @file{nsswitch.conf}
1503 The GNU C library implements a @dfn{name service switch} (NSS), which is
1504 an extensible mechanism for ``name lookups'' in general: host name
1505 resolution, user accounts, and more (@pxref{Name Service Switch,,, libc,
1506 The GNU C Library Reference Manual}).
1508 @cindex Network information service (NIS)
1509 @cindex NIS (Network information service)
1510 Being extensible, the NSS supports @dfn{plugins}, which provide new name
1511 lookup implementations: for example, the @code{nss-mdns} plugin allow
1512 resolution of @code{.local} host names, the @code{nis} plugin allows
1513 user account lookup using the Network information service (NIS), and so
1514 on. These extra ``lookup services'' are configured system-wide in
1515 @file{/etc/nsswitch.conf}, and all the programs running on the system
1516 honor those settings (@pxref{NSS Configuration File,,, libc, The GNU C
1519 When they perform a name lookup---for instance by calling the
1520 @code{getaddrinfo} function in C---applications first try to connect to
1521 the nscd; on success, nscd performs name lookups on their behalf. If
1522 the nscd is not running, then they perform the name lookup by
1523 themselves, by loading the name lookup services into their own address
1524 space and running it. These name lookup services---the
1525 @file{libnss_*.so} files---are @code{dlopen}'d, but they may come from
1526 the host system's C library, rather than from the C library the
1527 application is linked against (the C library coming from Guix).
1529 And this is where the problem is: if your application is linked against
1530 Guix's C library (say, glibc 2.24) and tries to load NSS plugins from
1531 another C library (say, @code{libnss_mdns.so} for glibc 2.22), it will
1532 likely crash or have its name lookups fail unexpectedly.
1534 Running @command{nscd} on the system, among other advantages, eliminates
1535 this binary incompatibility problem because those @code{libnss_*.so}
1536 files are loaded in the @command{nscd} process, not in applications
1539 @subsection X11 Fonts
1542 The majority of graphical applications use Fontconfig to locate and
1543 load fonts and perform X11-client-side rendering. The @code{fontconfig}
1544 package in Guix looks for fonts in @file{$HOME/.guix-profile}
1545 by default. Thus, to allow graphical applications installed with Guix
1546 to display fonts, you have to install fonts with Guix as well.
1547 Essential font packages include @code{gs-fonts}, @code{font-dejavu}, and
1548 @code{font-gnu-freefont-ttf}.
1550 To display text written in Chinese languages, Japanese, or Korean in
1551 graphical applications, consider installing
1552 @code{font-adobe-source-han-sans} or @code{font-wqy-zenhei}. The former
1553 has multiple outputs, one per language family (@pxref{Packages with
1554 Multiple Outputs}). For instance, the following command installs fonts
1555 for Chinese languages:
1558 guix package -i font-adobe-source-han-sans:cn
1561 @cindex @code{xterm}
1562 Older programs such as @command{xterm} do not use Fontconfig and instead
1563 rely on server-side font rendering. Such programs require to specify a
1564 full name of a font using XLFD (X Logical Font Description), like this:
1567 -*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1
1570 To be able to use such full names for the TrueType fonts installed in
1571 your Guix profile, you need to extend the font path of the X server:
1574 xset +fp ~/.guix-profile/share/fonts/truetype
1577 @cindex @code{xlsfonts}
1578 After that, you can run @code{xlsfonts} (from @code{xlsfonts} package)
1579 to make sure your TrueType fonts are listed there.
1581 @cindex @code{fc-cache}
1583 After installing fonts you may have to refresh the font cache to use
1584 them in applications. The same applies when applications installed via
1585 Guix do not seem to find fonts. To force rebuilding of the font cache
1586 run @code{fc-cache -f}. The @code{fc-cache} command is provided by the
1587 @code{fontconfig} package.
1589 @subsection X.509 Certificates
1591 @cindex @code{nss-certs}
1592 The @code{nss-certs} package provides X.509 certificates, which allow
1593 programs to authenticate Web servers accessed over HTTPS.
1595 When using Guix on a foreign distro, you can install this package and
1596 define the relevant environment variables so that packages know where to
1597 look for certificates. @xref{X.509 Certificates}, for detailed
1600 @subsection Emacs Packages
1602 @cindex @code{emacs}
1603 When you install Emacs packages with Guix, the elisp files may be placed
1604 either in @file{$HOME/.guix-profile/share/emacs/site-lisp/} or in
1606 @file{$HOME/.guix-profile/share/emacs/site-lisp/guix.d/}. The latter
1607 directory exists because potentially there may exist thousands of Emacs
1608 packages and storing all their files in a single directory may not be
1609 reliable (because of name conflicts). So we think using a separate
1610 directory for each package is a good idea. It is very similar to how
1611 the Emacs package system organizes the file structure (@pxref{Package
1612 Files,,, emacs, The GNU Emacs Manual}).
1614 By default, Emacs (installed with Guix) ``knows'' where these packages
1615 are placed, so you do not need to perform any configuration. If, for
1616 some reason, you want to avoid auto-loading Emacs packages installed
1617 with Guix, you can do so by running Emacs with @code{--no-site-file}
1618 option (@pxref{Init File,,, emacs, The GNU Emacs Manual}).
1620 @subsection The GCC toolchain
1625 Guix offers individual compiler packages such as @code{gcc} but if you
1626 are in need of a complete toolchain for compiling and linking source
1627 code what you really want is the @code{gcc-toolchain} package. This
1628 package provides a complete GCC toolchain for C/C++ development,
1629 including GCC itself, the GNU C Library (headers and binaries, plus
1630 debugging symbols in the @code{debug} output), Binutils, and a linker
1633 @cindex attempt to use impure library, error message
1635 The wrapper's purpose is to inspect the @code{-L} and @code{-l} switches
1636 passed to the linker, add corresponding @code{-rpath} arguments, and
1637 invoke the actual linker with this new set of arguments. By default,
1638 the linker wrapper refuses to link to libraries outside the store to
1639 ensure ``purity''. This can be annoying when using the toolchain to
1640 link with local libraries. To allow references to libraries outside the
1641 store you need to define the environment variable
1642 @code{GUIX_LD_WRAPPER_ALLOW_IMPURITIES}.
1646 @c *********************************************************************
1647 @node Package Management
1648 @chapter Package Management
1651 The purpose of GNU Guix is to allow users to easily install, upgrade, and
1652 remove software packages, without having to know about their build
1653 procedures or dependencies. Guix also goes beyond this obvious set of
1656 This chapter describes the main features of Guix, as well as the
1657 package management tools it provides. Along with the command-line
1658 interface described below (@pxref{Invoking guix package, @code{guix
1659 package}}), you may also use the Emacs-Guix interface (@pxref{Top,,,
1660 emacs-guix, The Emacs-Guix Reference Manual}), after installing
1661 @code{emacs-guix} package (run @kbd{M-x guix-help} command to start
1665 guix package -i emacs-guix
1669 * Features:: How Guix will make your life brighter.
1670 * Invoking guix package:: Package installation, removal, etc.
1671 * Substitutes:: Downloading pre-built binaries.
1672 * Packages with Multiple Outputs:: Single source package, multiple outputs.
1673 * Invoking guix gc:: Running the garbage collector.
1674 * Invoking guix pull:: Fetching the latest Guix and distribution.
1675 * Invoking guix pack:: Creating software bundles.
1676 * Invoking guix archive:: Exporting and importing store files.
1682 When using Guix, each package ends up in the @dfn{package store}, in its
1683 own directory---something that resembles
1684 @file{/gnu/store/xxx-package-1.2}, where @code{xxx} is a base32 string.
1686 Instead of referring to these directories, users have their own
1687 @dfn{profile}, which points to the packages that they actually want to
1688 use. These profiles are stored within each user's home directory, at
1689 @code{$HOME/.guix-profile}.
1691 For example, @code{alice} installs GCC 4.7.2. As a result,
1692 @file{/home/alice/.guix-profile/bin/gcc} points to
1693 @file{/gnu/store/@dots{}-gcc-4.7.2/bin/gcc}. Now, on the same machine,
1694 @code{bob} had already installed GCC 4.8.0. The profile of @code{bob}
1695 simply continues to point to
1696 @file{/gnu/store/@dots{}-gcc-4.8.0/bin/gcc}---i.e., both versions of GCC
1697 coexist on the same system without any interference.
1699 The @command{guix package} command is the central tool to manage
1700 packages (@pxref{Invoking guix package}). It operates on the per-user
1701 profiles, and can be used @emph{with normal user privileges}.
1703 @cindex transactions
1704 The command provides the obvious install, remove, and upgrade
1705 operations. Each invocation is actually a @emph{transaction}: either
1706 the specified operation succeeds, or nothing happens. Thus, if the
1707 @command{guix package} process is terminated during the transaction,
1708 or if a power outage occurs during the transaction, then the user's
1709 profile remains in its previous state, and remains usable.
1711 In addition, any package transaction may be @emph{rolled back}. So, if,
1712 for example, an upgrade installs a new version of a package that turns
1713 out to have a serious bug, users may roll back to the previous instance
1714 of their profile, which was known to work well. Similarly, the global
1715 system configuration on GuixSD is subject to
1716 transactional upgrades and roll-back
1717 (@pxref{Using the Configuration System}).
1719 All packages in the package store may be @emph{garbage-collected}.
1720 Guix can determine which packages are still referenced by user
1721 profiles, and remove those that are provably no longer referenced
1722 (@pxref{Invoking guix gc}). Users may also explicitly remove old
1723 generations of their profile so that the packages they refer to can be
1726 @cindex reproducibility
1727 @cindex reproducible builds
1728 Finally, Guix takes a @dfn{purely functional} approach to package
1729 management, as described in the introduction (@pxref{Introduction}).
1730 Each @file{/gnu/store} package directory name contains a hash of all the
1731 inputs that were used to build that package---compiler, libraries, build
1732 scripts, etc. This direct correspondence allows users to make sure a
1733 given package installation matches the current state of their
1734 distribution. It also helps maximize @dfn{build reproducibility}:
1735 thanks to the isolated build environments that are used, a given build
1736 is likely to yield bit-identical files when performed on different
1737 machines (@pxref{Invoking guix-daemon, container}).
1740 This foundation allows Guix to support @dfn{transparent binary/source
1741 deployment}. When a pre-built binary for a @file{/gnu/store} item is
1742 available from an external source---a @dfn{substitute}, Guix just
1743 downloads it and unpacks it;
1744 otherwise, it builds the package from source, locally
1745 (@pxref{Substitutes}). Because build results are usually bit-for-bit
1746 reproducible, users do not have to trust servers that provide
1747 substitutes: they can force a local build and @emph{challenge} providers
1748 (@pxref{Invoking guix challenge}).
1750 Control over the build environment is a feature that is also useful for
1751 developers. The @command{guix environment} command allows developers of
1752 a package to quickly set up the right development environment for their
1753 package, without having to manually install the dependencies of the
1754 package into their profile (@pxref{Invoking guix environment}).
1756 @node Invoking guix package
1757 @section Invoking @command{guix package}
1759 @cindex installing packages
1760 @cindex removing packages
1761 @cindex package installation
1762 @cindex package removal
1763 The @command{guix package} command is the tool that allows users to
1764 install, upgrade, and remove packages, as well as rolling back to
1765 previous configurations. It operates only on the user's own profile,
1766 and works with normal user privileges (@pxref{Features}). Its syntax
1770 guix package @var{options}
1772 @cindex transactions
1773 Primarily, @var{options} specifies the operations to be performed during
1774 the transaction. Upon completion, a new profile is created, but
1775 previous @dfn{generations} of the profile remain available, should the user
1778 For example, to remove @code{lua} and install @code{guile} and
1779 @code{guile-cairo} in a single transaction:
1782 guix package -r lua -i guile guile-cairo
1785 @command{guix package} also supports a @dfn{declarative approach}
1786 whereby the user specifies the exact set of packages to be available and
1787 passes it @i{via} the @option{--manifest} option
1788 (@pxref{profile-manifest, @option{--manifest}}).
1791 For each user, a symlink to the user's default profile is automatically
1792 created in @file{$HOME/.guix-profile}. This symlink always points to the
1793 current generation of the user's default profile. Thus, users can add
1794 @file{$HOME/.guix-profile/bin} to their @code{PATH} environment
1795 variable, and so on.
1796 @cindex search paths
1797 If you are not using the Guix System Distribution, consider adding the
1798 following lines to your @file{~/.bash_profile} (@pxref{Bash Startup
1799 Files,,, bash, The GNU Bash Reference Manual}) so that newly-spawned
1800 shells get all the right environment variable definitions:
1803 GUIX_PROFILE="$HOME/.guix-profile" ; \
1804 source "$HOME/.guix-profile/etc/profile"
1807 In a multi-user setup, user profiles are stored in a place registered as
1808 a @dfn{garbage-collector root}, which @file{$HOME/.guix-profile} points
1809 to (@pxref{Invoking guix gc}). That directory is normally
1810 @code{@var{localstatedir}/guix/profiles/per-user/@var{user}}, where
1811 @var{localstatedir} is the value passed to @code{configure} as
1812 @code{--localstatedir}, and @var{user} is the user name. The
1813 @file{per-user} directory is created when @command{guix-daemon} is
1814 started, and the @var{user} sub-directory is created by @command{guix
1817 The @var{options} can be among the following:
1821 @item --install=@var{package} @dots{}
1822 @itemx -i @var{package} @dots{}
1823 Install the specified @var{package}s.
1825 Each @var{package} may specify either a simple package name, such as
1826 @code{guile}, or a package name followed by an at-sign and version number,
1827 such as @code{guile@@1.8.8} or simply @code{guile@@1.8} (in the latter
1828 case, the newest version prefixed by @code{1.8} is selected.)
1830 If no version number is specified, the
1831 newest available version will be selected. In addition, @var{package}
1832 may contain a colon, followed by the name of one of the outputs of the
1833 package, as in @code{gcc:doc} or @code{binutils@@2.22:lib}
1834 (@pxref{Packages with Multiple Outputs}). Packages with a corresponding
1835 name (and optionally version) are searched for among the GNU
1836 distribution modules (@pxref{Package Modules}).
1838 @cindex propagated inputs
1839 Sometimes packages have @dfn{propagated inputs}: these are dependencies
1840 that automatically get installed along with the required package
1841 (@pxref{package-propagated-inputs, @code{propagated-inputs} in
1842 @code{package} objects}, for information about propagated inputs in
1843 package definitions).
1845 @anchor{package-cmd-propagated-inputs}
1846 An example is the GNU MPC library: its C header files refer to those of
1847 the GNU MPFR library, which in turn refer to those of the GMP library.
1848 Thus, when installing MPC, the MPFR and GMP libraries also get installed
1849 in the profile; removing MPC also removes MPFR and GMP---unless they had
1850 also been explicitly installed by the user.
1852 Besides, packages sometimes rely on the definition of environment
1853 variables for their search paths (see explanation of
1854 @code{--search-paths} below). Any missing or possibly incorrect
1855 environment variable definitions are reported here.
1857 @item --install-from-expression=@var{exp}
1859 Install the package @var{exp} evaluates to.
1861 @var{exp} must be a Scheme expression that evaluates to a
1862 @code{<package>} object. This option is notably useful to disambiguate
1863 between same-named variants of a package, with expressions such as
1864 @code{(@@ (gnu packages base) guile-final)}.
1866 Note that this option installs the first output of the specified
1867 package, which may be insufficient when needing a specific output of a
1868 multiple-output package.
1870 @item --install-from-file=@var{file}
1871 @itemx -f @var{file}
1872 Install the package that the code within @var{file} evaluates to.
1874 As an example, @var{file} might contain a definition like this
1875 (@pxref{Defining Packages}):
1878 @verbatiminclude package-hello.scm
1881 Developers may find it useful to include such a @file{guix.scm} file
1882 in the root of their project source tree that can be used to test
1883 development snapshots and create reproducible development environments
1884 (@pxref{Invoking guix environment}).
1886 @item --remove=@var{package} @dots{}
1887 @itemx -r @var{package} @dots{}
1888 Remove the specified @var{package}s.
1890 As for @code{--install}, each @var{package} may specify a version number
1891 and/or output name in addition to the package name. For instance,
1892 @code{-r glibc:debug} would remove the @code{debug} output of
1895 @item --upgrade[=@var{regexp} @dots{}]
1896 @itemx -u [@var{regexp} @dots{}]
1897 @cindex upgrading packages
1898 Upgrade all the installed packages. If one or more @var{regexp}s are
1899 specified, upgrade only installed packages whose name matches a
1900 @var{regexp}. Also see the @code{--do-not-upgrade} option below.
1902 Note that this upgrades package to the latest version of packages found
1903 in the distribution currently installed. To update your distribution,
1904 you should regularly run @command{guix pull} (@pxref{Invoking guix
1907 @item --do-not-upgrade[=@var{regexp} @dots{}]
1908 When used together with the @code{--upgrade} option, do @emph{not}
1909 upgrade any packages whose name matches a @var{regexp}. For example, to
1910 upgrade all packages in the current profile except those containing the
1911 substring ``emacs'':
1914 $ guix package --upgrade . --do-not-upgrade emacs
1917 @item @anchor{profile-manifest}--manifest=@var{file}
1918 @itemx -m @var{file}
1919 @cindex profile declaration
1920 @cindex profile manifest
1921 Create a new generation of the profile from the manifest object
1922 returned by the Scheme code in @var{file}.
1924 This allows you to @emph{declare} the profile's contents rather than
1925 constructing it through a sequence of @code{--install} and similar
1926 commands. The advantage is that @var{file} can be put under version
1927 control, copied to different machines to reproduce the same profile, and
1930 @c FIXME: Add reference to (guix profile) documentation when available.
1931 @var{file} must return a @dfn{manifest} object, which is roughly a list
1934 @findex packages->manifest
1936 (use-package-modules guile emacs)
1941 ;; Use a specific package output.
1942 (list guile-2.0 "debug")))
1945 @findex specifications->manifest
1946 In this example we have to know which modules define the @code{emacs}
1947 and @code{guile-2.0} variables to provide the right
1948 @code{use-package-modules} line, which can be cumbersome. We can
1949 instead provide regular package specifications and let
1950 @code{specifications->manifest} look up the corresponding package
1954 (specifications->manifest
1955 '("emacs" "guile@@2.2" "guile@@2.2:debug"))
1959 @cindex rolling back
1960 @cindex undoing transactions
1961 @cindex transactions, undoing
1962 Roll back to the previous @dfn{generation} of the profile---i.e., undo
1963 the last transaction.
1965 When combined with options such as @code{--install}, roll back occurs
1966 before any other actions.
1968 When rolling back from the first generation that actually contains
1969 installed packages, the profile is made to point to the @dfn{zeroth
1970 generation}, which contains no files apart from its own metadata.
1972 After having rolled back, installing, removing, or upgrading packages
1973 overwrites previous future generations. Thus, the history of the
1974 generations in a profile is always linear.
1976 @item --switch-generation=@var{pattern}
1977 @itemx -S @var{pattern}
1979 Switch to a particular generation defined by @var{pattern}.
1981 @var{pattern} may be either a generation number or a number prefixed
1982 with ``+'' or ``-''. The latter means: move forward/backward by a
1983 specified number of generations. For example, if you want to return to
1984 the latest generation after @code{--roll-back}, use
1985 @code{--switch-generation=+1}.
1987 The difference between @code{--roll-back} and
1988 @code{--switch-generation=-1} is that @code{--switch-generation} will
1989 not make a zeroth generation, so if a specified generation does not
1990 exist, the current generation will not be changed.
1992 @item --search-paths[=@var{kind}]
1993 @cindex search paths
1994 Report environment variable definitions, in Bash syntax, that may be
1995 needed in order to use the set of installed packages. These environment
1996 variables are used to specify @dfn{search paths} for files used by some
1997 of the installed packages.
1999 For example, GCC needs the @code{CPATH} and @code{LIBRARY_PATH}
2000 environment variables to be defined so it can look for headers and
2001 libraries in the user's profile (@pxref{Environment Variables,,, gcc,
2002 Using the GNU Compiler Collection (GCC)}). If GCC and, say, the C
2003 library are installed in the profile, then @code{--search-paths} will
2004 suggest setting these variables to @code{@var{profile}/include} and
2005 @code{@var{profile}/lib}, respectively.
2007 The typical use case is to define these environment variables in the
2011 $ eval `guix package --search-paths`
2014 @var{kind} may be one of @code{exact}, @code{prefix}, or @code{suffix},
2015 meaning that the returned environment variable definitions will either
2016 be exact settings, or prefixes or suffixes of the current value of these
2017 variables. When omitted, @var{kind} defaults to @code{exact}.
2019 This option can also be used to compute the @emph{combined} search paths
2020 of several profiles. Consider this example:
2023 $ guix package -p foo -i guile
2024 $ guix package -p bar -i guile-json
2025 $ guix package -p foo -p bar --search-paths
2028 The last command above reports about the @code{GUILE_LOAD_PATH}
2029 variable, even though, taken individually, neither @file{foo} nor
2030 @file{bar} would lead to that recommendation.
2033 @item --profile=@var{profile}
2034 @itemx -p @var{profile}
2035 Use @var{profile} instead of the user's default profile.
2038 Produce verbose output. In particular, emit the build log of the
2039 environment on the standard error port.
2042 Use the bootstrap Guile to build the profile. This option is only
2043 useful to distribution developers.
2047 In addition to these actions, @command{guix package} supports the
2048 following options to query the current state of a profile, or the
2049 availability of packages:
2053 @item --search=@var{regexp}
2054 @itemx -s @var{regexp}
2055 @cindex searching for packages
2056 List the available packages whose name, synopsis, or description matches
2057 @var{regexp}, sorted by relevance. Print all the metadata of matching packages in
2058 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils,
2059 GNU recutils manual}).
2061 This allows specific fields to be extracted using the @command{recsel}
2062 command, for instance:
2065 $ guix package -s malloc | recsel -p name,version,relevance
2079 Similarly, to show the name of all the packages available under the
2080 terms of the GNU@tie{}LGPL version 3:
2083 $ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"'
2090 It is also possible to refine search results using several @code{-s}
2091 flags. For example, the following command returns a list of board
2095 $ guix package -s '\<board\>' -s game | recsel -p name
2100 If we were to omit @code{-s game}, we would also get software packages
2101 that deal with printed circuit boards; removing the angle brackets
2102 around @code{board} would further add packages that have to do with
2105 And now for a more elaborate example. The following command searches
2106 for cryptographic libraries, filters out Haskell, Perl, Python, and Ruby
2107 libraries, and prints the name and synopsis of the matching packages:
2110 $ guix package -s crypto -s library | \
2111 recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis
2115 @xref{Selection Expressions,,, recutils, GNU recutils manual}, for more
2116 information on @dfn{selection expressions} for @code{recsel -e}.
2118 @item --show=@var{package}
2119 Show details about @var{package}, taken from the list of available packages, in
2120 @code{recutils} format (@pxref{Top, GNU recutils databases,, recutils, GNU
2124 $ guix package --show=python | recsel -p name,version
2132 You may also specify the full name of a package to only get details about a
2133 specific version of it:
2135 $ guix package --show=python@@3.4 | recsel -p name,version
2142 @item --list-installed[=@var{regexp}]
2143 @itemx -I [@var{regexp}]
2144 List the currently installed packages in the specified profile, with the
2145 most recently installed packages shown last. When @var{regexp} is
2146 specified, list only installed packages whose name matches @var{regexp}.
2148 For each installed package, print the following items, separated by
2149 tabs: the package name, its version string, the part of the package that
2150 is installed (for instance, @code{out} for the default output,
2151 @code{include} for its headers, etc.), and the path of this package in
2154 @item --list-available[=@var{regexp}]
2155 @itemx -A [@var{regexp}]
2156 List packages currently available in the distribution for this system
2157 (@pxref{GNU Distribution}). When @var{regexp} is specified, list only
2158 installed packages whose name matches @var{regexp}.
2160 For each package, print the following items separated by tabs: its name,
2161 its version string, the parts of the package (@pxref{Packages with
2162 Multiple Outputs}), and the source location of its definition.
2164 @item --list-generations[=@var{pattern}]
2165 @itemx -l [@var{pattern}]
2167 Return a list of generations along with their creation dates; for each
2168 generation, show the installed packages, with the most recently
2169 installed packages shown last. Note that the zeroth generation is never
2172 For each installed package, print the following items, separated by
2173 tabs: the name of a package, its version string, the part of the package
2174 that is installed (@pxref{Packages with Multiple Outputs}), and the
2175 location of this package in the store.
2177 When @var{pattern} is used, the command returns only matching
2178 generations. Valid patterns include:
2181 @item @emph{Integers and comma-separated integers}. Both patterns denote
2182 generation numbers. For instance, @code{--list-generations=1} returns
2185 And @code{--list-generations=1,8,2} outputs three generations in the
2186 specified order. Neither spaces nor trailing commas are allowed.
2188 @item @emph{Ranges}. @code{--list-generations=2..9} prints the
2189 specified generations and everything in between. Note that the start of
2190 a range must be smaller than its end.
2192 It is also possible to omit the endpoint. For example,
2193 @code{--list-generations=2..}, returns all generations starting from the
2196 @item @emph{Durations}. You can also get the last @emph{N}@tie{}days, weeks,
2197 or months by passing an integer along with the first letter of the
2198 duration. For example, @code{--list-generations=20d} lists generations
2199 that are up to 20 days old.
2202 @item --delete-generations[=@var{pattern}]
2203 @itemx -d [@var{pattern}]
2204 When @var{pattern} is omitted, delete all generations except the current
2207 This command accepts the same patterns as @option{--list-generations}.
2208 When @var{pattern} is specified, delete the matching generations. When
2209 @var{pattern} specifies a duration, generations @emph{older} than the
2210 specified duration match. For instance, @code{--delete-generations=1m}
2211 deletes generations that are more than one month old.
2213 If the current generation matches, it is @emph{not} deleted. Also, the
2214 zeroth generation is never deleted.
2216 Note that deleting generations prevents rolling back to them.
2217 Consequently, this command must be used with care.
2221 Finally, since @command{guix package} may actually start build
2222 processes, it supports all the common build options (@pxref{Common Build
2223 Options}). It also supports package transformation options, such as
2224 @option{--with-source} (@pxref{Package Transformation Options}).
2225 However, note that package transformations are lost when upgrading; to
2226 preserve transformations across upgrades, you should define your own
2227 package variant in a Guile module and add it to @code{GUIX_PACKAGE_PATH}
2228 (@pxref{Defining Packages}).
2231 @section Substitutes
2234 @cindex pre-built binaries
2235 Guix supports transparent source/binary deployment, which means that it
2236 can either build things locally, or download pre-built items from a
2237 server, or both. We call these pre-built items @dfn{substitutes}---they
2238 are substitutes for local build results. In many cases, downloading a
2239 substitute is much faster than building things locally.
2241 Substitutes can be anything resulting from a derivation build
2242 (@pxref{Derivations}). Of course, in the common case, they are
2243 pre-built package binaries, but source tarballs, for instance, which
2244 also result from derivation builds, can be available as substitutes.
2247 * Official Substitute Server:: One particular source of substitutes.
2248 * Substitute Server Authorization:: How to enable or disable substitutes.
2249 * Substitute Authentication:: How Guix verifies substitutes.
2250 * Proxy Settings:: How to get substitutes via proxy.
2251 * Substitution Failure:: What happens when substitution fails.
2252 * On Trusting Binaries:: How can you trust that binary blob?
2255 @node Official Substitute Server
2256 @subsection Official Substitute Server
2260 The @code{mirror.hydra.gnu.org} server is a front-end to an official build farm
2261 that builds packages from Guix continuously for some
2262 architectures, and makes them available as substitutes. This is the
2263 default source of substitutes; it can be overridden by passing the
2264 @option{--substitute-urls} option either to @command{guix-daemon}
2265 (@pxref{daemon-substitute-urls,, @code{guix-daemon --substitute-urls}})
2266 or to client tools such as @command{guix package}
2267 (@pxref{client-substitute-urls,, client @option{--substitute-urls}
2270 Substitute URLs can be either HTTP or HTTPS.
2271 HTTPS is recommended because communications are encrypted; conversely,
2272 using HTTP makes all communications visible to an eavesdropper, who
2273 could use the information gathered to determine, for instance, whether
2274 your system has unpatched security vulnerabilities.
2276 Substitutes from the official build farm are enabled by default when
2277 using the Guix System Distribution (@pxref{GNU Distribution}). However,
2278 they are disabled by default when using Guix on a foreign distribution,
2279 unless you have explicitly enabled them via one of the recommended
2280 installation steps (@pxref{Installation}). The following paragraphs
2281 describe how to enable or disable substitutes for the official build
2282 farm; the same procedure can also be used to enable substitutes for any
2283 other substitute server.
2285 @node Substitute Server Authorization
2286 @subsection Substitute Server Authorization
2289 @cindex substitutes, authorization thereof
2290 @cindex access control list (ACL), for substitutes
2291 @cindex ACL (access control list), for substitutes
2292 To allow Guix to download substitutes from @code{hydra.gnu.org} or a
2294 must add its public key to the access control list (ACL) of archive
2295 imports, using the @command{guix archive} command (@pxref{Invoking guix
2296 archive}). Doing so implies that you trust @code{hydra.gnu.org} to not
2297 be compromised and to serve genuine substitutes.
2299 The public key for @code{hydra.gnu.org} is installed along with Guix, in
2300 @code{@var{prefix}/share/guix/hydra.gnu.org.pub}, where @var{prefix} is
2301 the installation prefix of Guix. If you installed Guix from source,
2302 make sure you checked the GPG signature of
2303 @file{guix-@value{VERSION}.tar.gz}, which contains this public key file.
2304 Then, you can run something like this:
2307 # guix archive --authorize < @var{prefix}/share/guix/hydra.gnu.org.pub
2311 Similarly, the @file{berlin.guixsd.org.pub} file contains the public key
2312 for the project's new build farm, reachable at
2313 @indicateurl{https://berlin.guixsd.org}.
2315 As of this writing @code{berlin.guixsd.org} is being upgraded so it can
2316 better scale up, but you might want to give it a try. It is backed by
2317 20 x86_64/i686 build nodes and may be able to provide substitutes more
2318 quickly than @code{mirror.hydra.gnu.org}.
2321 Once this is in place, the output of a command like @code{guix build}
2322 should change from something like:
2325 $ guix build emacs --dry-run
2326 The following derivations would be built:
2327 /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
2328 /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
2329 /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
2330 /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
2338 $ guix build emacs --dry-run
2339 112.3 MB would be downloaded:
2340 /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
2341 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
2342 /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
2343 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
2348 This indicates that substitutes from @code{hydra.gnu.org} are usable and
2349 will be downloaded, when possible, for future builds.
2351 @cindex substitutes, how to disable
2352 The substitute mechanism can be disabled globally by running
2353 @code{guix-daemon} with @code{--no-substitutes} (@pxref{Invoking
2354 guix-daemon}). It can also be disabled temporarily by passing the
2355 @code{--no-substitutes} option to @command{guix package}, @command{guix
2356 build}, and other command-line tools.
2358 @node Substitute Authentication
2359 @subsection Substitute Authentication
2361 @cindex digital signatures
2362 Guix detects and raises an error when attempting to use a substitute
2363 that has been tampered with. Likewise, it ignores substitutes that are
2364 not signed, or that are not signed by one of the keys listed in the ACL.
2366 There is one exception though: if an unauthorized server provides
2367 substitutes that are @emph{bit-for-bit identical} to those provided by
2368 an authorized server, then the unauthorized server becomes eligible for
2369 downloads. For example, assume we have chosen two substitute servers
2373 --substitute-urls="https://a.example.org https://b.example.org"
2377 @cindex reproducible builds
2378 If the ACL contains only the key for @code{b.example.org}, and if
2379 @code{a.example.org} happens to serve the @emph{exact same} substitutes,
2380 then Guix will download substitutes from @code{a.example.org} because it
2381 comes first in the list and can be considered a mirror of
2382 @code{b.example.org}. In practice, independent build machines usually
2383 produce the same binaries, thanks to bit-reproducible builds (see
2386 When using HTTPS, the server's X.509 certificate is @emph{not} validated
2387 (in other words, the server is not authenticated), contrary to what
2388 HTTPS clients such as Web browsers usually do. This is because Guix
2389 authenticates substitute information itself, as explained above, which
2390 is what we care about (whereas X.509 certificates are about
2391 authenticating bindings between domain names and public keys.)
2393 @node Proxy Settings
2394 @subsection Proxy Settings
2397 Substitutes are downloaded over HTTP or HTTPS.
2398 The @code{http_proxy} environment
2399 variable can be set in the environment of @command{guix-daemon} and is
2400 honored for downloads of substitutes. Note that the value of
2401 @code{http_proxy} in the environment where @command{guix build},
2402 @command{guix package}, and other client commands are run has
2403 @emph{absolutely no effect}.
2405 @node Substitution Failure
2406 @subsection Substitution Failure
2408 Even when a substitute for a derivation is available, sometimes the
2409 substitution attempt will fail. This can happen for a variety of
2410 reasons: the substitute server might be offline, the substitute may
2411 recently have been deleted, the connection might have been interrupted,
2414 When substitutes are enabled and a substitute for a derivation is
2415 available, but the substitution attempt fails, Guix will attempt to
2416 build the derivation locally depending on whether or not
2417 @code{--fallback} was given (@pxref{fallback-option,, common build
2418 option @code{--fallback}}). Specifically, if @code{--fallback} was
2419 omitted, then no local build will be performed, and the derivation is
2420 considered to have failed. However, if @code{--fallback} was given,
2421 then Guix will attempt to build the derivation locally, and the success
2422 or failure of the derivation depends on the success or failure of the
2423 local build. Note that when substitutes are disabled or no substitute
2424 is available for the derivation in question, a local build will
2425 @emph{always} be performed, regardless of whether or not
2426 @code{--fallback} was given.
2428 To get an idea of how many substitutes are available right now, you can
2429 try running the @command{guix weather} command (@pxref{Invoking guix
2430 weather}). This command provides statistics on the substitutes provided
2433 @node On Trusting Binaries
2434 @subsection On Trusting Binaries
2436 @cindex trust, of pre-built binaries
2437 Today, each individual's control over their own computing is at the
2438 mercy of institutions, corporations, and groups with enough power and
2439 determination to subvert the computing infrastructure and exploit its
2440 weaknesses. While using @code{hydra.gnu.org} substitutes can be
2441 convenient, we encourage users to also build on their own, or even run
2442 their own build farm, such that @code{hydra.gnu.org} is less of an
2443 interesting target. One way to help is by publishing the software you
2444 build using @command{guix publish} so that others have one more choice
2445 of server to download substitutes from (@pxref{Invoking guix publish}).
2447 Guix has the foundations to maximize build reproducibility
2448 (@pxref{Features}). In most cases, independent builds of a given
2449 package or derivation should yield bit-identical results. Thus, through
2450 a diverse set of independent package builds, we can strengthen the
2451 integrity of our systems. The @command{guix challenge} command aims to
2452 help users assess substitute servers, and to assist developers in
2453 finding out about non-deterministic package builds (@pxref{Invoking guix
2454 challenge}). Similarly, the @option{--check} option of @command{guix
2455 build} allows users to check whether previously-installed substitutes
2456 are genuine by rebuilding them locally (@pxref{build-check,
2457 @command{guix build --check}}).
2459 In the future, we want Guix to have support to publish and retrieve
2460 binaries to/from other users, in a peer-to-peer fashion. If you would
2461 like to discuss this project, join us on @email{guix-devel@@gnu.org}.
2463 @node Packages with Multiple Outputs
2464 @section Packages with Multiple Outputs
2466 @cindex multiple-output packages
2467 @cindex package outputs
2470 Often, packages defined in Guix have a single @dfn{output}---i.e., the
2471 source package leads to exactly one directory in the store. When running
2472 @command{guix package -i glibc}, one installs the default output of the
2473 GNU libc package; the default output is called @code{out}, but its name
2474 can be omitted as shown in this command. In this particular case, the
2475 default output of @code{glibc} contains all the C header files, shared
2476 libraries, static libraries, Info documentation, and other supporting
2479 Sometimes it is more appropriate to separate the various types of files
2480 produced from a single source package into separate outputs. For
2481 instance, the GLib C library (used by GTK+ and related packages)
2482 installs more than 20 MiB of reference documentation as HTML pages.
2483 To save space for users who do not need it, the documentation goes to a
2484 separate output, called @code{doc}. To install the main GLib output,
2485 which contains everything but the documentation, one would run:
2488 guix package -i glib
2491 @cindex documentation
2492 The command to install its documentation is:
2495 guix package -i glib:doc
2498 Some packages install programs with different ``dependency footprints''.
2499 For instance, the WordNet package installs both command-line tools and
2500 graphical user interfaces (GUIs). The former depend solely on the C
2501 library, whereas the latter depend on Tcl/Tk and the underlying X
2502 libraries. In this case, we leave the command-line tools in the default
2503 output, whereas the GUIs are in a separate output. This allows users
2504 who do not need the GUIs to save space. The @command{guix size} command
2505 can help find out about such situations (@pxref{Invoking guix size}).
2506 @command{guix graph} can also be helpful (@pxref{Invoking guix graph}).
2508 There are several such multiple-output packages in the GNU distribution.
2509 Other conventional output names include @code{lib} for libraries and
2510 possibly header files, @code{bin} for stand-alone programs, and
2511 @code{debug} for debugging information (@pxref{Installing Debugging
2512 Files}). The outputs of a packages are listed in the third column of
2513 the output of @command{guix package --list-available} (@pxref{Invoking
2517 @node Invoking guix gc
2518 @section Invoking @command{guix gc}
2520 @cindex garbage collector
2522 Packages that are installed, but not used, may be @dfn{garbage-collected}.
2523 The @command{guix gc} command allows users to explicitly run the garbage
2524 collector to reclaim space from the @file{/gnu/store} directory. It is
2525 the @emph{only} way to remove files from @file{/gnu/store}---removing
2526 files or directories manually may break it beyond repair!
2529 @cindex garbage collector roots
2530 The garbage collector has a set of known @dfn{roots}: any file under
2531 @file{/gnu/store} reachable from a root is considered @dfn{live} and
2532 cannot be deleted; any other file is considered @dfn{dead} and may be
2533 deleted. The set of garbage collector roots (``GC roots'' for short)
2534 includes default user profiles; by default, the symlinks under
2535 @file{/var/guix/gcroots} represent these GC roots. New GC roots can be
2536 added with @command{guix build --root}, for example (@pxref{Invoking
2539 Prior to running @code{guix gc --collect-garbage} to make space, it is
2540 often useful to remove old generations from user profiles; that way, old
2541 package builds referenced by those generations can be reclaimed. This
2542 is achieved by running @code{guix package --delete-generations}
2543 (@pxref{Invoking guix package}).
2545 Our recommendation is to run a garbage collection periodically, or when
2546 you are short on disk space. For instance, to guarantee that at least
2547 5@tie{}GB are available on your disk, simply run:
2553 It is perfectly safe to run as a non-interactive periodic job
2554 (@pxref{Scheduled Job Execution}, for how to set up such a job on
2555 GuixSD). Running @command{guix gc} with no arguments will collect as
2556 much garbage as it can, but that is often inconvenient: you may find
2557 yourself having to rebuild or re-download software that is ``dead'' from
2558 the GC viewpoint but that is necessary to build other pieces of
2559 software---e.g., the compiler tool chain.
2561 The @command{guix gc} command has three modes of operation: it can be
2562 used to garbage-collect any dead files (the default), to delete specific
2563 files (the @code{--delete} option), to print garbage-collector
2564 information, or for more advanced queries. The garbage collection
2565 options are as follows:
2568 @item --collect-garbage[=@var{min}]
2569 @itemx -C [@var{min}]
2570 Collect garbage---i.e., unreachable @file{/gnu/store} files and
2571 sub-directories. This is the default operation when no option is
2574 When @var{min} is given, stop once @var{min} bytes have been collected.
2575 @var{min} may be a number of bytes, or it may include a unit as a
2576 suffix, such as @code{MiB} for mebibytes and @code{GB} for gigabytes
2577 (@pxref{Block size, size specifications,, coreutils, GNU Coreutils}).
2579 When @var{min} is omitted, collect all the garbage.
2581 @item --free-space=@var{free}
2582 @itemx -F @var{free}
2583 Collect garbage until @var{free} space is available under
2584 @file{/gnu/store}, if possible; @var{free} denotes storage space, such
2585 as @code{500MiB}, as described above.
2587 When @var{free} or more is already available in @file{/gnu/store}, do
2588 nothing and exit immediately.
2592 Attempt to delete all the store files and directories specified as
2593 arguments. This fails if some of the files are not in the store, or if
2594 they are still live.
2596 @item --list-failures
2597 List store items corresponding to cached build failures.
2599 This prints nothing unless the daemon was started with
2600 @option{--cache-failures} (@pxref{Invoking guix-daemon,
2601 @option{--cache-failures}}).
2603 @item --clear-failures
2604 Remove the specified store items from the failed-build cache.
2606 Again, this option only makes sense when the daemon is started with
2607 @option{--cache-failures}. Otherwise, it does nothing.
2610 Show the list of dead files and directories still present in the
2611 store---i.e., files and directories no longer reachable from any root.
2614 Show the list of live store files and directories.
2618 In addition, the references among existing store files can be queried:
2624 @cindex package dependencies
2625 List the references (respectively, the referrers) of store files given
2631 List the requisites of the store files passed as arguments. Requisites
2632 include the store files themselves, their references, and the references
2633 of these, recursively. In other words, the returned list is the
2634 @dfn{transitive closure} of the store files.
2636 @xref{Invoking guix size}, for a tool to profile the size of the closure
2637 of an element. @xref{Invoking guix graph}, for a tool to visualize
2638 the graph of references.
2642 Lastly, the following options allow you to check the integrity of the
2643 store and to control disk usage.
2647 @item --verify[=@var{options}]
2648 @cindex integrity, of the store
2649 @cindex integrity checking
2650 Verify the integrity of the store.
2652 By default, make sure that all the store items marked as valid in the
2653 database of the daemon actually exist in @file{/gnu/store}.
2655 When provided, @var{options} must be a comma-separated list containing one
2656 or more of @code{contents} and @code{repair}.
2658 When passing @option{--verify=contents}, the daemon computes the
2659 content hash of each store item and compares it against its hash in the
2660 database. Hash mismatches are reported as data corruptions. Because it
2661 traverses @emph{all the files in the store}, this command can take a
2662 long time, especially on systems with a slow disk drive.
2664 @cindex repairing the store
2665 @cindex corruption, recovering from
2666 Using @option{--verify=repair} or @option{--verify=contents,repair}
2667 causes the daemon to try to repair corrupt store items by fetching
2668 substitutes for them (@pxref{Substitutes}). Because repairing is not
2669 atomic, and thus potentially dangerous, it is available only to the
2670 system administrator. A lightweight alternative, when you know exactly
2671 which items in the store are corrupt, is @command{guix build --repair}
2672 (@pxref{Invoking guix build}).
2675 @cindex deduplication
2676 Optimize the store by hard-linking identical files---this is
2677 @dfn{deduplication}.
2679 The daemon performs deduplication after each successful build or archive
2680 import, unless it was started with @code{--disable-deduplication}
2681 (@pxref{Invoking guix-daemon, @code{--disable-deduplication}}). Thus,
2682 this option is primarily useful when the daemon was running with
2683 @code{--disable-deduplication}.
2687 @node Invoking guix pull
2688 @section Invoking @command{guix pull}
2690 @cindex upgrading Guix
2691 @cindex updating Guix
2692 @cindex @command{guix pull}
2694 Packages are installed or upgraded to the latest version available in
2695 the distribution currently available on your local machine. To update
2696 that distribution, along with the Guix tools, you must run @command{guix
2697 pull}: the command downloads the latest Guix source code and package
2698 descriptions, and deploys it. Source code is downloaded from a
2699 @uref{https://git-scm.com, Git} repository.
2701 On completion, @command{guix package} will use packages and package
2702 versions from this just-retrieved copy of Guix. Not only that, but all
2703 the Guix commands and Scheme modules will also be taken from that latest
2704 version. New @command{guix} sub-commands added by the update also
2707 Any user can update their Guix copy using @command{guix pull}, and the
2708 effect is limited to the user who run @command{guix pull}. For
2709 instance, when user @code{root} runs @command{guix pull}, this has no
2710 effect on the version of Guix that user @code{alice} sees, and vice
2711 versa@footnote{Under the hood, @command{guix pull} updates the
2712 @file{~/.config/guix/latest} symbolic link to point to the latest Guix,
2713 and the @command{guix} command loads code from there. Currently, the
2714 only way to roll back an invocation of @command{guix pull} is to
2715 manually update this symlink to point to the previous Guix.}.
2717 The @command{guix pull} command is usually invoked with no arguments,
2718 but it supports the following options:
2722 Produce verbose output, writing build logs to the standard error output.
2724 @item --url=@var{url}
2725 Download Guix from the Git repository at @var{url}.
2727 @vindex GUIX_PULL_URL
2728 By default, the source is taken from its canonical Git repository at
2729 @code{gnu.org}, for the stable branch of Guix. To use a different source,
2730 set the @code{GUIX_PULL_URL} environment variable.
2732 @item --commit=@var{commit}
2733 Deploy @var{commit}, a valid Git commit ID represented as a hexadecimal
2736 @item --branch=@var{branch}
2737 Deploy the tip of @var{branch}, the name of a Git branch available on
2738 the repository at @var{url}.
2741 Use the bootstrap Guile to build the latest Guix. This option is only
2742 useful to Guix developers.
2745 In addition, @command{guix pull} supports all the common build options
2746 (@pxref{Common Build Options}).
2748 @node Invoking guix pack
2749 @section Invoking @command{guix pack}
2751 Occasionally you want to pass software to people who are not (yet!)
2752 lucky enough to be using Guix. You'd tell them to run @command{guix
2753 package -i @var{something}}, but that's not possible in this case. This
2754 is where @command{guix pack} comes in.
2757 If you are looking for ways to exchange binaries among machines that
2758 already run Guix, @pxref{Invoking guix copy}, @ref{Invoking guix
2759 publish}, and @ref{Invoking guix archive}.
2764 @cindex application bundle
2765 @cindex software bundle
2766 The @command{guix pack} command creates a shrink-wrapped @dfn{pack} or
2767 @dfn{software bundle}: it creates a tarball or some other archive
2768 containing the binaries of the software you're interested in, and all
2769 its dependencies. The resulting archive can be used on any machine that
2770 does not have Guix, and people can run the exact same binaries as those
2771 you have with Guix. The pack itself is created in a bit-reproducible
2772 fashion, so anyone can verify that it really contains the build results
2773 that you pretend to be shipping.
2775 For example, to create a bundle containing Guile, Emacs, Geiser, and all
2776 their dependencies, you can run:
2779 $ guix pack guile emacs geiser
2781 /gnu/store/@dots{}-pack.tar.gz
2784 The result here is a tarball containing a @file{/gnu/store} directory
2785 with all the relevant packages. The resulting tarball contains a
2786 @dfn{profile} with the three packages of interest; the profile is the
2787 same as would be created by @command{guix package -i}. It is this
2788 mechanism that is used to create Guix's own standalone binary tarball
2789 (@pxref{Binary Installation}).
2791 Users of this pack would have to run
2792 @file{/gnu/store/@dots{}-profile/bin/guile} to run Guile, which you may
2793 find inconvenient. To work around it, you can create, say, a
2794 @file{/opt/gnu/bin} symlink to the profile:
2797 guix pack -S /opt/gnu/bin=bin guile emacs geiser
2801 That way, users can happily type @file{/opt/gnu/bin/guile} and enjoy.
2803 Alternatively, you can produce a pack in the Docker image format using
2804 the following command:
2807 guix pack -f docker guile emacs geiser
2811 The result is a tarball that can be passed to the @command{docker load}
2813 @uref{https://docs.docker.com/engine/reference/commandline/load/, Docker
2814 documentation} for more information.
2816 Several command-line options allow you to customize your pack:
2819 @item --format=@var{format}
2820 @itemx -f @var{format}
2821 Produce a pack in the given @var{format}.
2823 The available formats are:
2827 This is the default format. It produces a tarball containing all the
2828 specified binaries and symlinks.
2831 This produces a tarball that follows the
2832 @uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md,
2833 Docker Image Specification}.
2836 @item --expression=@var{expr}
2837 @itemx -e @var{expr}
2838 Consider the package @var{expr} evaluates to.
2840 This has the same purpose as the same-named option in @command{guix
2841 build} (@pxref{Additional Build Options, @code{--expression} in
2842 @command{guix build}}).
2844 @item --manifest=@var{file}
2845 @itemx -m @var{file}
2846 Use the packages contained in the manifest object returned by the Scheme
2849 This has a similar purpose as the same-named option in @command{guix
2850 package} (@pxref{profile-manifest, @option{--manifest}}) and uses the
2851 same manifest files. It allows you to define a collection of packages
2852 once and use it both for creating profiles and for creating archives
2853 for use on machines that do not have Guix installed. Note that you can
2854 specify @emph{either} a manifest file @emph{or} a list of packages,
2857 @item --system=@var{system}
2858 @itemx -s @var{system}
2859 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
2860 the system type of the build host.
2862 @item --target=@var{triplet}
2863 @cindex cross-compilation
2864 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
2865 as @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU
2866 configuration triplets,, autoconf, Autoconf}).
2868 @item --compression=@var{tool}
2869 @itemx -C @var{tool}
2870 Compress the resulting tarball using @var{tool}---one of @code{gzip},
2871 @code{bzip2}, @code{xz}, @code{lzip}, or @code{none} for no compression.
2873 @item --symlink=@var{spec}
2874 @itemx -S @var{spec}
2875 Add the symlinks specified by @var{spec} to the pack. This option can
2876 appear several times.
2878 @var{spec} has the form @code{@var{source}=@var{target}}, where
2879 @var{source} is the symlink that will be created and @var{target} is the
2882 For instance, @code{-S /opt/gnu/bin=bin} creates a @file{/opt/gnu/bin}
2883 symlink pointing to the @file{bin} sub-directory of the profile.
2885 @item --localstatedir
2886 Include the ``local state directory'', @file{/var/guix}, in the
2889 @file{/var/guix} contains the store database (@pxref{The Store}) as well
2890 as garbage-collector roots (@pxref{Invoking guix gc}). Providing it in
2891 the pack means that the store is ``complete'' and manageable by Guix;
2892 not providing it pack means that the store is ``dead'': items cannot be
2893 added to it or removed from it after extraction of the pack.
2895 One use case for this is the Guix self-contained binary tarball
2896 (@pxref{Binary Installation}).
2899 In addition, @command{guix pack} supports all the common build options
2900 (@pxref{Common Build Options}) and all the package transformation
2901 options (@pxref{Package Transformation Options}).
2904 @node Invoking guix archive
2905 @section Invoking @command{guix archive}
2907 @cindex @command{guix archive}
2909 The @command{guix archive} command allows users to @dfn{export} files
2910 from the store into a single archive, and to later @dfn{import} them on
2911 a machine that runs Guix.
2912 In particular, it allows store files to be transferred from one machine
2913 to the store on another machine.
2916 If you're looking for a way to produce archives in a format suitable for
2917 tools other than Guix, @pxref{Invoking guix pack}.
2920 @cindex exporting store items
2921 To export store files as an archive to standard output, run:
2924 guix archive --export @var{options} @var{specifications}...
2927 @var{specifications} may be either store file names or package
2928 specifications, as for @command{guix package} (@pxref{Invoking guix
2929 package}). For instance, the following command creates an archive
2930 containing the @code{gui} output of the @code{git} package and the main
2931 output of @code{emacs}:
2934 guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar
2937 If the specified packages are not built yet, @command{guix archive}
2938 automatically builds them. The build process may be controlled with the
2939 common build options (@pxref{Common Build Options}).
2941 To transfer the @code{emacs} package to a machine connected over SSH,
2945 guix archive --export -r emacs | ssh the-machine guix archive --import
2949 Similarly, a complete user profile may be transferred from one machine
2950 to another like this:
2953 guix archive --export -r $(readlink -f ~/.guix-profile) | \
2954 ssh the-machine guix-archive --import
2958 However, note that, in both examples, all of @code{emacs} and the
2959 profile as well as all of their dependencies are transferred (due to
2960 @code{-r}), regardless of what is already available in the store on the
2961 target machine. The @code{--missing} option can help figure out which
2962 items are missing from the target store. The @command{guix copy}
2963 command simplifies and optimizes this whole process, so this is probably
2964 what you should use in this case (@pxref{Invoking guix copy}).
2966 @cindex nar, archive format
2967 @cindex normalized archive (nar)
2968 Archives are stored in the ``normalized archive'' or ``nar'' format, which is
2969 comparable in spirit to `tar', but with differences
2970 that make it more appropriate for our purposes. First, rather than
2971 recording all Unix metadata for each file, the nar format only mentions
2972 the file type (regular, directory, or symbolic link); Unix permissions
2973 and owner/group are dismissed. Second, the order in which directory
2974 entries are stored always follows the order of file names according to
2975 the C locale collation order. This makes archive production fully
2978 When exporting, the daemon digitally signs the contents of the archive,
2979 and that digital signature is appended. When importing, the daemon
2980 verifies the signature and rejects the import in case of an invalid
2981 signature or if the signing key is not authorized.
2982 @c FIXME: Add xref to daemon doc about signatures.
2984 The main options are:
2988 Export the specified store files or packages (see below.) Write the
2989 resulting archive to the standard output.
2991 Dependencies are @emph{not} included in the output, unless
2992 @code{--recursive} is passed.
2996 When combined with @code{--export}, this instructs @command{guix
2997 archive} to include dependencies of the given items in the archive.
2998 Thus, the resulting archive is self-contained: it contains the closure
2999 of the exported store items.
3002 Read an archive from the standard input, and import the files listed
3003 therein into the store. Abort if the archive has an invalid digital
3004 signature, or if it is signed by a public key not among the authorized
3005 keys (see @code{--authorize} below.)
3008 Read a list of store file names from the standard input, one per line,
3009 and write on the standard output the subset of these files missing from
3012 @item --generate-key[=@var{parameters}]
3013 @cindex signing, archives
3014 Generate a new key pair for the daemon. This is a prerequisite before
3015 archives can be exported with @code{--export}. Note that this operation
3016 usually takes time, because it needs to gather enough entropy to
3017 generate the key pair.
3019 The generated key pair is typically stored under @file{/etc/guix}, in
3020 @file{signing-key.pub} (public key) and @file{signing-key.sec} (private
3021 key, which must be kept secret.) When @var{parameters} is omitted,
3022 an ECDSA key using the Ed25519 curve is generated, or, for Libgcrypt
3023 versions before 1.6.0, it is a 4096-bit RSA key.
3024 Alternatively, @var{parameters} can specify
3025 @code{genkey} parameters suitable for Libgcrypt (@pxref{General
3026 public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The
3027 Libgcrypt Reference Manual}).
3030 @cindex authorizing, archives
3031 Authorize imports signed by the public key passed on standard input.
3032 The public key must be in ``s-expression advanced format''---i.e., the
3033 same format as the @file{signing-key.pub} file.
3035 The list of authorized keys is kept in the human-editable file
3036 @file{/etc/guix/acl}. The file contains
3037 @url{http://people.csail.mit.edu/rivest/Sexp.txt, ``advanced-format
3038 s-expressions''} and is structured as an access-control list in the
3039 @url{http://theworld.com/~cme/spki.txt, Simple Public-Key Infrastructure
3042 @item --extract=@var{directory}
3043 @itemx -x @var{directory}
3044 Read a single-item archive as served by substitute servers
3045 (@pxref{Substitutes}) and extract it to @var{directory}. This is a
3046 low-level operation needed in only very narrow use cases; see below.
3048 For example, the following command extracts the substitute for Emacs
3049 served by @code{hydra.gnu.org} to @file{/tmp/emacs}:
3053 https://hydra.gnu.org/nar/@dots{}-emacs-24.5 \
3054 | bunzip2 | guix archive -x /tmp/emacs
3057 Single-item archives are different from multiple-item archives produced
3058 by @command{guix archive --export}; they contain a single store item,
3059 and they do @emph{not} embed a signature. Thus this operation does
3060 @emph{no} signature verification and its output should be considered
3063 The primary purpose of this operation is to facilitate inspection of
3064 archive contents coming from possibly untrusted substitute servers.
3068 @c *********************************************************************
3069 @node Programming Interface
3070 @chapter Programming Interface
3072 GNU Guix provides several Scheme programming interfaces (APIs) to
3073 define, build, and query packages. The first interface allows users to
3074 write high-level package definitions. These definitions refer to
3075 familiar packaging concepts, such as the name and version of a package,
3076 its build system, and its dependencies. These definitions can then be
3077 turned into concrete build actions.
3079 Build actions are performed by the Guix daemon, on behalf of users. In a
3080 standard setup, the daemon has write access to the store---the
3081 @file{/gnu/store} directory---whereas users do not. The recommended
3082 setup also has the daemon perform builds in chroots, under a specific
3083 build users, to minimize interference with the rest of the system.
3086 Lower-level APIs are available to interact with the daemon and the
3087 store. To instruct the daemon to perform a build action, users actually
3088 provide it with a @dfn{derivation}. A derivation is a low-level
3089 representation of the build actions to be taken, and the environment in
3090 which they should occur---derivations are to package definitions what
3091 assembly is to C programs. The term ``derivation'' comes from the fact
3092 that build results @emph{derive} from them.
3094 This chapter describes all these APIs in turn, starting from high-level
3095 package definitions.
3098 * Defining Packages:: Defining new packages.
3099 * Build Systems:: Specifying how packages are built.
3100 * The Store:: Manipulating the package store.
3101 * Derivations:: Low-level interface to package derivations.
3102 * The Store Monad:: Purely functional interface to the store.
3103 * G-Expressions:: Manipulating build expressions.
3106 @node Defining Packages
3107 @section Defining Packages
3109 The high-level interface to package definitions is implemented in the
3110 @code{(guix packages)} and @code{(guix build-system)} modules. As an
3111 example, the package definition, or @dfn{recipe}, for the GNU Hello
3112 package looks like this:
3115 (define-module (gnu packages hello)
3116 #:use-module (guix packages)
3117 #:use-module (guix download)
3118 #:use-module (guix build-system gnu)
3119 #:use-module (guix licenses)
3120 #:use-module (gnu packages gawk))
3122 (define-public hello
3128 (uri (string-append "mirror://gnu/hello/hello-" version
3132 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
3133 (build-system gnu-build-system)
3134 (arguments '(#:configure-flags '("--enable-silent-rules")))
3135 (inputs `(("gawk" ,gawk)))
3136 (synopsis "Hello, GNU world: An example GNU package")
3137 (description "Guess what GNU Hello prints!")
3138 (home-page "http://www.gnu.org/software/hello/")
3143 Without being a Scheme expert, the reader may have guessed the meaning
3144 of the various fields here. This expression binds the variable
3145 @code{hello} to a @code{<package>} object, which is essentially a record
3146 (@pxref{SRFI-9, Scheme records,, guile, GNU Guile Reference Manual}).
3147 This package object can be inspected using procedures found in the
3148 @code{(guix packages)} module; for instance, @code{(package-name hello)}
3149 returns---surprise!---@code{"hello"}.
3151 With luck, you may be able to import part or all of the definition of
3152 the package you are interested in from another repository, using the
3153 @code{guix import} command (@pxref{Invoking guix import}).
3155 In the example above, @var{hello} is defined in a module of its own,
3156 @code{(gnu packages hello)}. Technically, this is not strictly
3157 necessary, but it is convenient to do so: all the packages defined in
3158 modules under @code{(gnu packages @dots{})} are automatically known to
3159 the command-line tools (@pxref{Package Modules}).
3161 There are a few points worth noting in the above package definition:
3165 The @code{source} field of the package is an @code{<origin>} object
3166 (@pxref{origin Reference}, for the complete reference).
3167 Here, the @code{url-fetch} method from @code{(guix download)} is used,
3168 meaning that the source is a file to be downloaded over FTP or HTTP.
3170 The @code{mirror://gnu} prefix instructs @code{url-fetch} to use one of
3171 the GNU mirrors defined in @code{(guix download)}.
3173 The @code{sha256} field specifies the expected SHA256 hash of the file
3174 being downloaded. It is mandatory, and allows Guix to check the
3175 integrity of the file. The @code{(base32 @dots{})} form introduces the
3176 base32 representation of the hash. You can obtain this information with
3177 @code{guix download} (@pxref{Invoking guix download}) and @code{guix
3178 hash} (@pxref{Invoking guix hash}).
3181 When needed, the @code{origin} form can also have a @code{patches} field
3182 listing patches to be applied, and a @code{snippet} field giving a
3183 Scheme expression to modify the source code.
3186 @cindex GNU Build System
3187 The @code{build-system} field specifies the procedure to build the
3188 package (@pxref{Build Systems}). Here, @var{gnu-build-system}
3189 represents the familiar GNU Build System, where packages may be
3190 configured, built, and installed with the usual @code{./configure &&
3191 make && make check && make install} command sequence.
3194 The @code{arguments} field specifies options for the build system
3195 (@pxref{Build Systems}). Here it is interpreted by
3196 @var{gnu-build-system} as a request run @file{configure} with the
3197 @code{--enable-silent-rules} flag.
3203 What about these quote (@code{'}) characters? They are Scheme syntax to
3204 introduce a literal list; @code{'} is synonymous with @code{quote}.
3205 @xref{Expression Syntax, quoting,, guile, GNU Guile Reference Manual},
3206 for details. Here the value of the @code{arguments} field is a list of
3207 arguments passed to the build system down the road, as with @code{apply}
3208 (@pxref{Fly Evaluation, @code{apply},, guile, GNU Guile Reference
3211 The hash-colon (@code{#:}) sequence defines a Scheme @dfn{keyword}
3212 (@pxref{Keywords,,, guile, GNU Guile Reference Manual}), and
3213 @code{#:configure-flags} is a keyword used to pass a keyword argument
3214 to the build system (@pxref{Coding With Keywords,,, guile, GNU Guile
3218 The @code{inputs} field specifies inputs to the build process---i.e.,
3219 build-time or run-time dependencies of the package. Here, we define an
3220 input called @code{"gawk"} whose value is that of the @var{gawk}
3221 variable; @var{gawk} is itself bound to a @code{<package>} object.
3223 @cindex backquote (quasiquote)
3226 @cindex comma (unquote)
3230 @findex unquote-splicing
3231 Again, @code{`} (a backquote, synonymous with @code{quasiquote}) allows
3232 us to introduce a literal list in the @code{inputs} field, while
3233 @code{,} (a comma, synonymous with @code{unquote}) allows us to insert a
3234 value in that list (@pxref{Expression Syntax, unquote,, guile, GNU Guile
3237 Note that GCC, Coreutils, Bash, and other essential tools do not need to
3238 be specified as inputs here. Instead, @var{gnu-build-system} takes care
3239 of ensuring that they are present (@pxref{Build Systems}).
3241 However, any other dependencies need to be specified in the
3242 @code{inputs} field. Any dependency not specified here will simply be
3243 unavailable to the build process, possibly leading to a build failure.
3246 @xref{package Reference}, for a full description of possible fields.
3248 Once a package definition is in place, the
3249 package may actually be built using the @code{guix build} command-line
3250 tool (@pxref{Invoking guix build}), troubleshooting any build failures
3251 you encounter (@pxref{Debugging Build Failures}). You can easily jump back to the
3252 package definition using the @command{guix edit} command
3253 (@pxref{Invoking guix edit}).
3254 @xref{Packaging Guidelines}, for
3255 more information on how to test package definitions, and
3256 @ref{Invoking guix lint}, for information on how to check a definition
3257 for style conformance.
3258 @vindex GUIX_PACKAGE_PATH
3259 Lastly, @pxref{Package Modules}, for information
3260 on how to extend the distribution by adding your own package definitions
3261 to @code{GUIX_PACKAGE_PATH}.
3263 Finally, updating the package definition to a new upstream version
3264 can be partly automated by the @command{guix refresh} command
3265 (@pxref{Invoking guix refresh}).
3267 Behind the scenes, a derivation corresponding to the @code{<package>}
3268 object is first computed by the @code{package-derivation} procedure.
3269 That derivation is stored in a @code{.drv} file under @file{/gnu/store}.
3270 The build actions it prescribes may then be realized by using the
3271 @code{build-derivations} procedure (@pxref{The Store}).
3273 @deffn {Scheme Procedure} package-derivation @var{store} @var{package} [@var{system}]
3274 Return the @code{<derivation>} object of @var{package} for @var{system}
3275 (@pxref{Derivations}).
3277 @var{package} must be a valid @code{<package>} object, and @var{system}
3278 must be a string denoting the target system type---e.g.,
3279 @code{"x86_64-linux"} for an x86_64 Linux-based GNU system. @var{store}
3280 must be a connection to the daemon, which operates on the store
3281 (@pxref{The Store}).
3285 @cindex cross-compilation
3286 Similarly, it is possible to compute a derivation that cross-builds a
3287 package for some other system:
3289 @deffn {Scheme Procedure} package-cross-derivation @var{store} @
3290 @var{package} @var{target} [@var{system}]
3291 Return the @code{<derivation>} object of @var{package} cross-built from
3292 @var{system} to @var{target}.
3294 @var{target} must be a valid GNU triplet denoting the target hardware
3295 and operating system, such as @code{"mips64el-linux-gnu"}
3296 (@pxref{Configuration Names, GNU configuration triplets,, configure, GNU
3297 Configure and Build System}).
3300 @cindex package transformations
3301 @cindex input rewriting
3302 @cindex dependency tree rewriting
3303 Packages can be manipulated in arbitrary ways. An example of a useful
3304 transformation is @dfn{input rewriting}, whereby the dependency tree of
3305 a package is rewritten by replacing specific inputs by others:
3307 @deffn {Scheme Procedure} package-input-rewriting @var{replacements} @
3308 [@var{rewrite-name}]
3309 Return a procedure that, when passed a package, replaces its direct and
3310 indirect dependencies (but not its implicit inputs) according to
3311 @var{replacements}. @var{replacements} is a list of package pairs; the
3312 first element of each pair is the package to replace, and the second one
3315 Optionally, @var{rewrite-name} is a one-argument procedure that takes
3316 the name of a package and returns its new name after rewrite.
3320 Consider this example:
3323 (define libressl-instead-of-openssl
3324 ;; This is a procedure to replace OPENSSL by LIBRESSL,
3326 (package-input-rewriting `((,openssl . ,libressl))))
3328 (define git-with-libressl
3329 (libressl-instead-of-openssl git))
3333 Here we first define a rewriting procedure that replaces @var{openssl}
3334 with @var{libressl}. Then we use it to define a @dfn{variant} of the
3335 @var{git} package that uses @var{libressl} instead of @var{openssl}.
3336 This is exactly what the @option{--with-input} command-line option does
3337 (@pxref{Package Transformation Options, @option{--with-input}}).
3339 A more generic procedure to rewrite a package dependency graph is
3340 @code{package-mapping}: it supports arbitrary changes to nodes in the
3343 @deffn {Scheme Procedure} package-mapping @var{proc} [@var{cut?}]
3344 Return a procedure that, given a package, applies @var{proc} to all the packages
3345 depended on and returns the resulting package. The procedure stops recursion
3346 when @var{cut?} returns true for a given package.
3350 * package Reference :: The package data type.
3351 * origin Reference:: The origin data type.
3355 @node package Reference
3356 @subsection @code{package} Reference
3358 This section summarizes all the options available in @code{package}
3359 declarations (@pxref{Defining Packages}).
3361 @deftp {Data Type} package
3362 This is the data type representing a package recipe.
3366 The name of the package, as a string.
3368 @item @code{version}
3369 The version of the package, as a string.
3372 An object telling how the source code for the package should be
3373 acquired. Most of the time, this is an @code{origin} object, which
3374 denotes a file fetched from the Internet (@pxref{origin Reference}). It
3375 can also be any other ``file-like'' object such as a @code{local-file},
3376 which denotes a file from the local file system (@pxref{G-Expressions,
3377 @code{local-file}}).
3379 @item @code{build-system}
3380 The build system that should be used to build the package (@pxref{Build
3383 @item @code{arguments} (default: @code{'()})
3384 The arguments that should be passed to the build system. This is a
3385 list, typically containing sequential keyword-value pairs.
3387 @item @code{inputs} (default: @code{'()})
3388 @itemx @code{native-inputs} (default: @code{'()})
3389 @itemx @code{propagated-inputs} (default: @code{'()})
3390 @cindex inputs, of packages
3391 These fields list dependencies of the package. Each one is a list of
3392 tuples, where each tuple has a label for the input (a string) as its
3393 first element, a package, origin, or derivation as its second element,
3394 and optionally the name of the output thereof that should be used, which
3395 defaults to @code{"out"} (@pxref{Packages with Multiple Outputs}, for
3396 more on package outputs). For example, the list below specifies three
3400 `(("libffi" ,libffi)
3401 ("libunistring" ,libunistring)
3402 ("glib:bin" ,glib "bin")) ;the "bin" output of Glib
3405 @cindex cross compilation, package dependencies
3406 The distinction between @code{native-inputs} and @code{inputs} is
3407 necessary when considering cross-compilation. When cross-compiling,
3408 dependencies listed in @code{inputs} are built for the @emph{target}
3409 architecture; conversely, dependencies listed in @code{native-inputs}
3410 are built for the architecture of the @emph{build} machine.
3412 @code{native-inputs} is typically used to list tools needed at
3413 build time, but not at run time, such as Autoconf, Automake, pkg-config,
3414 Gettext, or Bison. @command{guix lint} can report likely mistakes in
3415 this area (@pxref{Invoking guix lint}).
3417 @anchor{package-propagated-inputs}
3418 Lastly, @code{propagated-inputs} is similar to @code{inputs}, but the
3419 specified packages will be automatically installed alongside the package
3420 they belong to (@pxref{package-cmd-propagated-inputs, @command{guix
3421 package}}, for information on how @command{guix package} deals with
3424 For example this is necessary when a C/C++ library needs headers of
3425 another library to compile, or when a pkg-config file refers to another
3426 one @i{via} its @code{Requires} field.
3428 Another example where @code{propagated-inputs} is useful is for languages
3429 that lack a facility to record the run-time search path akin to the
3430 @code{RUNPATH} of ELF files; this includes Guile, Python, Perl, and
3431 more. To ensure that libraries written in those languages can find
3432 library code they depend on at run time, run-time dependencies must be
3433 listed in @code{propagated-inputs} rather than @code{inputs}.
3435 @item @code{self-native-input?} (default: @code{#f})
3436 This is a Boolean field telling whether the package should use itself as
3437 a native input when cross-compiling.
3439 @item @code{outputs} (default: @code{'("out")})
3440 The list of output names of the package. @xref{Packages with Multiple
3441 Outputs}, for typical uses of additional outputs.
3443 @item @code{native-search-paths} (default: @code{'()})
3444 @itemx @code{search-paths} (default: @code{'()})
3445 A list of @code{search-path-specification} objects describing
3446 search-path environment variables honored by the package.
3448 @item @code{replacement} (default: @code{#f})
3449 This must be either @code{#f} or a package object that will be used as a
3450 @dfn{replacement} for this package. @xref{Security Updates, grafts},
3453 @item @code{synopsis}
3454 A one-line description of the package.
3456 @item @code{description}
3457 A more elaborate description of the package.
3459 @item @code{license}
3460 @cindex license, of packages
3461 The license of the package; a value from @code{(guix licenses)},
3462 or a list of such values.
3464 @item @code{home-page}
3465 The URL to the home-page of the package, as a string.
3467 @item @code{supported-systems} (default: @var{%supported-systems})
3468 The list of systems supported by the package, as strings of the form
3469 @code{architecture-kernel}, for example @code{"x86_64-linux"}.
3471 @item @code{maintainers} (default: @code{'()})
3472 The list of maintainers of the package, as @code{maintainer} objects.
3474 @item @code{location} (default: source location of the @code{package} form)
3475 The source location of the package. It is useful to override this when
3476 inheriting from another package, in which case this field is not
3477 automatically corrected.
3482 @node origin Reference
3483 @subsection @code{origin} Reference
3485 This section summarizes all the options available in @code{origin}
3486 declarations (@pxref{Defining Packages}).
3488 @deftp {Data Type} origin
3489 This is the data type representing a source code origin.
3493 An object containing the URI of the source. The object type depends on
3494 the @code{method} (see below). For example, when using the
3495 @var{url-fetch} method of @code{(guix download)}, the valid @code{uri}
3496 values are: a URL represented as a string, or a list thereof.
3499 A procedure that handles the URI.
3504 @item @var{url-fetch} from @code{(guix download)}
3505 download a file from the HTTP, HTTPS, or FTP URL specified in the
3509 @item @var{git-fetch} from @code{(guix git-download)}
3510 clone the Git version control repository, and check out the revision
3511 specified in the @code{uri} field as a @code{git-reference} object; a
3512 @code{git-reference} looks like this:
3516 (url "git://git.debian.org/git/pkg-shadow/shadow")
3517 (commit "v4.1.5.1"))
3522 A bytevector containing the SHA-256 hash of the source. Typically the
3523 @code{base32} form is used here to generate the bytevector from a
3526 You can obtain this information using @code{guix download}
3527 (@pxref{Invoking guix download}) or @code{guix hash} (@pxref{Invoking
3530 @item @code{file-name} (default: @code{#f})
3531 The file name under which the source code should be saved. When this is
3532 @code{#f}, a sensible default value will be used in most cases. In case
3533 the source is fetched from a URL, the file name from the URL will be
3534 used. For version control checkouts, it is recommended to provide the
3535 file name explicitly because the default is not very descriptive.
3537 @item @code{patches} (default: @code{'()})
3538 A list of file names, origins, or file-like objects (@pxref{G-Expressions,
3539 file-like objects}) pointing to patches to be applied to the source.
3541 This list of patches must be unconditional. In particular, it cannot
3542 depend on the value of @code{%current-system} or
3543 @code{%current-target-system}.
3545 @item @code{snippet} (default: @code{#f})
3546 A G-expression (@pxref{G-Expressions}) or S-expression that will be run
3547 in the source directory. This is a convenient way to modify the source,
3548 sometimes more convenient than a patch.
3550 @item @code{patch-flags} (default: @code{'("-p1")})
3551 A list of command-line flags that should be passed to the @code{patch}
3554 @item @code{patch-inputs} (default: @code{#f})
3555 Input packages or derivations to the patching process. When this is
3556 @code{#f}, the usual set of inputs necessary for patching are provided,
3557 such as GNU@tie{}Patch.
3559 @item @code{modules} (default: @code{'()})
3560 A list of Guile modules that should be loaded during the patching
3561 process and while running the code in the @code{snippet} field.
3563 @item @code{patch-guile} (default: @code{#f})
3564 The Guile package that should be used in the patching process. When
3565 this is @code{#f}, a sensible default is used.
3571 @section Build Systems
3573 @cindex build system
3574 Each package definition specifies a @dfn{build system} and arguments for
3575 that build system (@pxref{Defining Packages}). This @code{build-system}
3576 field represents the build procedure of the package, as well as implicit
3577 dependencies of that build procedure.
3579 Build systems are @code{<build-system>} objects. The interface to
3580 create and manipulate them is provided by the @code{(guix build-system)}
3581 module, and actual build systems are exported by specific modules.
3583 @cindex bag (low-level package representation)
3584 Under the hood, build systems first compile package objects to
3585 @dfn{bags}. A @dfn{bag} is like a package, but with less
3586 ornamentation---in other words, a bag is a lower-level representation of
3587 a package, which includes all the inputs of that package, including some
3588 that were implicitly added by the build system. This intermediate
3589 representation is then compiled to a derivation (@pxref{Derivations}).
3591 Build systems accept an optional list of @dfn{arguments}. In package
3592 definitions, these are passed @i{via} the @code{arguments} field
3593 (@pxref{Defining Packages}). They are typically keyword arguments
3594 (@pxref{Optional Arguments, keyword arguments in Guile,, guile, GNU
3595 Guile Reference Manual}). The value of these arguments is usually
3596 evaluated in the @dfn{build stratum}---i.e., by a Guile process launched
3597 by the daemon (@pxref{Derivations}).
3599 The main build system is @var{gnu-build-system}, which implements the
3600 standard build procedure for GNU and many other packages. It
3601 is provided by the @code{(guix build-system gnu)} module.
3603 @defvr {Scheme Variable} gnu-build-system
3604 @var{gnu-build-system} represents the GNU Build System, and variants
3605 thereof (@pxref{Configuration, configuration and makefile conventions,,
3606 standards, GNU Coding Standards}).
3608 @cindex build phases
3609 In a nutshell, packages using it are configured, built, and installed with
3610 the usual @code{./configure && make && make check && make install}
3611 command sequence. In practice, a few additional steps are often needed.
3612 All these steps are split up in separate @dfn{phases},
3613 notably@footnote{Please see the @code{(guix build gnu-build-system)}
3614 modules for more details about the build phases.}:
3618 Unpack the source tarball, and change the current directory to the
3619 extracted source tree. If the source is actually a directory, copy it
3620 to the build tree, and enter that directory.
3622 @item patch-source-shebangs
3623 Patch shebangs encountered in source files so they refer to the right
3624 store file names. For instance, this changes @code{#!/bin/sh} to
3625 @code{#!/gnu/store/@dots{}-bash-4.3/bin/sh}.
3628 Run the @file{configure} script with a number of default options, such
3629 as @code{--prefix=/gnu/store/@dots{}}, as well as the options specified
3630 by the @code{#:configure-flags} argument.
3633 Run @code{make} with the list of flags specified with
3634 @code{#:make-flags}. If the @code{#:parallel-build?} argument is true
3635 (the default), build with @code{make -j}.
3638 Run @code{make check}, or some other target specified with
3639 @code{#:test-target}, unless @code{#:tests? #f} is passed. If the
3640 @code{#:parallel-tests?} argument is true (the default), run @code{make
3644 Run @code{make install} with the flags listed in @code{#:make-flags}.
3646 @item patch-shebangs
3647 Patch shebangs on the installed executable files.
3650 Strip debugging symbols from ELF files (unless @code{#:strip-binaries?}
3651 is false), copying them to the @code{debug} output when available
3652 (@pxref{Installing Debugging Files}).
3655 @vindex %standard-phases
3656 The build-side module @code{(guix build gnu-build-system)} defines
3657 @var{%standard-phases} as the default list of build phases.
3658 @var{%standard-phases} is a list of symbol/procedure pairs, where the
3659 procedure implements the actual phase.
3661 The list of phases used for a particular package can be changed with the
3662 @code{#:phases} parameter. For instance, passing:
3665 #:phases (modify-phases %standard-phases (delete 'configure))
3668 means that all the phases described above will be used, except the
3669 @code{configure} phase.
3671 In addition, this build system ensures that the ``standard'' environment
3672 for GNU packages is available. This includes tools such as GCC, libc,
3673 Coreutils, Bash, Make, Diffutils, grep, and sed (see the @code{(guix
3674 build-system gnu)} module for a complete list). We call these the
3675 @dfn{implicit inputs} of a package, because package definitions do not
3676 have to mention them.
3679 Other @code{<build-system>} objects are defined to support other
3680 conventions and tools used by free software packages. They inherit most
3681 of @var{gnu-build-system}, and differ mainly in the set of inputs
3682 implicitly added to the build process, and in the list of phases
3683 executed. Some of these build systems are listed below.
3685 @defvr {Scheme Variable} ant-build-system
3686 This variable is exported by @code{(guix build-system ant)}. It
3687 implements the build procedure for Java packages that can be built with
3688 @url{http://ant.apache.org/, Ant build tool}.
3690 It adds both @code{ant} and the @dfn{Java Development Kit} (JDK) as
3691 provided by the @code{icedtea} package to the set of inputs. Different
3692 packages can be specified with the @code{#:ant} and @code{#:jdk}
3693 parameters, respectively.
3695 When the original package does not provide a suitable Ant build file,
3696 the parameter @code{#:jar-name} can be used to generate a minimal Ant
3697 build file @file{build.xml} with tasks to build the specified jar
3698 archive. In this case the parameter @code{#:source-dir} can be used to
3699 specify the source sub-directory, defaulting to ``src''.
3701 The @code{#:main-class} parameter can be used with the minimal ant
3702 buildfile to specify the main class of the resulting jar. This makes the
3703 jar file executable. The @code{#:test-include} parameter can be used to
3704 specify the list of junit tests to run. It defaults to
3705 @code{(list "**/*Test.java")}. The @code{#:test-exclude} can be used to
3706 disable some tests. It defaults to @code{(list "**/Abstract*.java")},
3707 because abstract classes cannot be run as tests.
3709 The parameter @code{#:build-target} can be used to specify the Ant task
3710 that should be run during the @code{build} phase. By default the
3711 ``jar'' task will be run.
3715 @defvr {Scheme Variable} asdf-build-system/source
3716 @defvrx {Scheme Variable} asdf-build-system/sbcl
3717 @defvrx {Scheme Variable} asdf-build-system/ecl
3719 These variables, exported by @code{(guix build-system asdf)}, implement
3720 build procedures for Common Lisp packages using
3721 @url{https://common-lisp.net/project/asdf/, ``ASDF''}. ASDF is a system
3722 definition facility for Common Lisp programs and libraries.
3724 The @code{asdf-build-system/source} system installs the packages in
3725 source form, and can be loaded using any common lisp implementation, via
3726 ASDF. The others, such as @code{asdf-build-system/sbcl}, install binary
3727 systems in the format which a particular implementation understands.
3728 These build systems can also be used to produce executable programs, or
3729 lisp images which contain a set of packages pre-loaded.
3731 The build system uses naming conventions. For binary packages, the
3732 package name should be prefixed with the lisp implementation, such as
3733 @code{sbcl-} for @code{asdf-build-system/sbcl}.
3735 Additionally, the corresponding source package should be labeled using
3736 the same convention as python packages (see @ref{Python Modules}), using
3737 the @code{cl-} prefix.
3739 For binary packages, each system should be defined as a Guix package.
3740 If one package @code{origin} contains several systems, package variants
3741 can be created in order to build all the systems. Source packages,
3742 which use @code{asdf-build-system/source}, may contain several systems.
3744 In order to create executable programs and images, the build-side
3745 procedures @code{build-program} and @code{build-image} can be used.
3746 They should be called in a build phase after the @code{create-symlinks}
3747 phase, so that the system which was just built can be used within the
3748 resulting image. @code{build-program} requires a list of Common Lisp
3749 expressions to be passed as the @code{#:entry-program} argument.
3751 If the system is not defined within its own @code{.asd} file of the same
3752 name, then the @code{#:asd-file} parameter should be used to specify
3753 which file the system is defined in. Furthermore, if the package
3754 defines a system for its tests in a separate file, it will be loaded
3755 before the tests are run if it is specified by the
3756 @code{#:test-asd-file} parameter. If it is not set, the files
3757 @code{<system>-tests.asd}, @code{<system>-test.asd}, @code{tests.asd},
3758 and @code{test.asd} will be tried if they exist.
3760 If for some reason the package must be named in a different way than the
3761 naming conventions suggest, the @code{#:asd-system-name} parameter can
3762 be used to specify the name of the system.
3766 @defvr {Scheme Variable} cargo-build-system
3767 @cindex Rust programming language
3768 @cindex Cargo (Rust build system)
3769 This variable is exported by @code{(guix build-system cargo)}. It
3770 supports builds of packages using Cargo, the build tool of the
3771 @uref{https://www.rust-lang.org, Rust programming language}.
3773 In its @code{configure} phase, this build system replaces dependencies
3774 specified in the @file{Carto.toml} file with inputs to the Guix package.
3775 The @code{install} phase installs the binaries, and it also installs the
3776 source code and @file{Cargo.toml} file.
3779 @defvr {Scheme Variable} cmake-build-system
3780 This variable is exported by @code{(guix build-system cmake)}. It
3781 implements the build procedure for packages using the
3782 @url{http://www.cmake.org, CMake build tool}.
3784 It automatically adds the @code{cmake} package to the set of inputs.
3785 Which package is used can be specified with the @code{#:cmake}
3788 The @code{#:configure-flags} parameter is taken as a list of flags
3789 passed to the @command{cmake} command. The @code{#:build-type}
3790 parameter specifies in abstract terms the flags passed to the compiler;
3791 it defaults to @code{"RelWithDebInfo"} (short for ``release mode with
3792 debugging information''), which roughly means that code is compiled with
3793 @code{-O2 -g}, as is the case for Autoconf-based packages by default.
3796 @defvr {Scheme Variable} go-build-system
3797 This variable is exported by @code{(guix build-system go)}. It
3798 implements a build procedure for Go packages using the standard
3799 @url{https://golang.org/cmd/go/#hdr-Compile_packages_and_dependencies,
3800 Go build mechanisms}.
3802 The user is expected to provide a value for the key @code{#:import-path}
3803 and, in some cases, @code{#:unpack-path}. The
3804 @url{https://golang.org/doc/code.html#ImportPaths, import path}
3805 corresponds to the file system path expected by the package's build
3806 scripts and any referring packages, and provides a unique way to
3807 refer to a Go package. It is typically based on a combination of the
3808 package source code's remote URI and file system hierarchy structure. In
3809 some cases, you will need to unpack the package's source code to a
3810 different directory structure than the one indicated by the import path,
3811 and @code{#:unpack-path} should be used in such cases.
3813 Packages that provide Go libraries should be installed along with their
3814 source code. The key @code{#:install-source?}, which defaults to
3815 @code{#t}, controls whether or not the source code is installed. It can
3816 be set to @code{#f} for packages that only provide executable files.
3819 @defvr {Scheme Variable} glib-or-gtk-build-system
3820 This variable is exported by @code{(guix build-system glib-or-gtk)}. It
3821 is intended for use with packages making use of GLib or GTK+.
3823 This build system adds the following two phases to the ones defined by
3824 @var{gnu-build-system}:
3827 @item glib-or-gtk-wrap
3828 The phase @code{glib-or-gtk-wrap} ensures that programs in
3829 @file{bin/} are able to find GLib ``schemas'' and
3830 @uref{https://developer.gnome.org/gtk3/stable/gtk-running.html, GTK+
3831 modules}. This is achieved by wrapping the programs in launch scripts
3832 that appropriately set the @code{XDG_DATA_DIRS} and @code{GTK_PATH}
3833 environment variables.
3835 It is possible to exclude specific package outputs from that wrapping
3836 process by listing their names in the
3837 @code{#:glib-or-gtk-wrap-excluded-outputs} parameter. This is useful
3838 when an output is known not to contain any GLib or GTK+ binaries, and
3839 where wrapping would gratuitously add a dependency of that output on
3842 @item glib-or-gtk-compile-schemas
3843 The phase @code{glib-or-gtk-compile-schemas} makes sure that all
3844 @uref{https://developer.gnome.org/gio/stable/glib-compile-schemas.html,
3845 GSettings schemas} of GLib are compiled. Compilation is performed by the
3846 @command{glib-compile-schemas} program. It is provided by the package
3847 @code{glib:bin} which is automatically imported by the build system.
3848 The @code{glib} package providing @command{glib-compile-schemas} can be
3849 specified with the @code{#:glib} parameter.
3852 Both phases are executed after the @code{install} phase.
3855 @defvr {Scheme Variable} minify-build-system
3856 This variable is exported by @code{(guix build-system minify)}. It
3857 implements a minification procedure for simple JavaScript packages.
3859 It adds @code{uglify-js} to the set of inputs and uses it to compress
3860 all JavaScript files in the @file{src} directory. A different minifier
3861 package can be specified with the @code{#:uglify-js} parameter, but it
3862 is expected that the package writes the minified code to the standard
3865 When the input JavaScript files are not all located in the @file{src}
3866 directory, the parameter @code{#:javascript-files} can be used to
3867 specify a list of file names to feed to the minifier.
3870 @defvr {Scheme Variable} ocaml-build-system
3871 This variable is exported by @code{(guix build-system ocaml)}. It implements
3872 a build procedure for @uref{https://ocaml.org, OCaml} packages, which consists
3873 of choosing the correct set of commands to run for each package. OCaml
3874 packages can expect many different commands to be run. This build system will
3877 When the package has a @file{setup.ml} file present at the top-level, it will
3878 run @code{ocaml setup.ml -configure}, @code{ocaml setup.ml -build} and
3879 @code{ocaml setup.ml -install}. The build system will assume that this file
3880 was generated by @uref{http://oasis.forge.ocamlcore.org/, OASIS} and will take
3881 care of setting the prefix and enabling tests if they are not disabled. You
3882 can pass configure and build flags with the @code{#:configure-flags} and
3883 @code{#:build-flags}. The @code{#:test-flags} key can be passed to change the
3884 set of flags used to enable tests. The @code{#:use-make?} key can be used to
3885 bypass this system in the build and install phases.
3887 When the package has a @file{configure} file, it is assumed that it is a
3888 hand-made configure script that requires a different argument format than
3889 in the @code{gnu-build-system}. You can add more flags with the
3890 @code{#:configure-flags} key.
3892 When the package has a @file{Makefile} file (or @code{#:use-make?} is
3893 @code{#t}), it will be used and more flags can be passed to the build and
3894 install phases with the @code{#:make-flags} key.
3896 Finally, some packages do not have these files and use a somewhat standard
3897 location for its build system. In that case, the build system will run
3898 @code{ocaml pkg/pkg.ml} or @code{ocaml pkg/build.ml} and take care of
3899 providing the path to the required findlib module. Additional flags can
3900 be passed via the @code{#:build-flags} key. Install is taken care of by
3901 @command{opam-installer}. In this case, the @code{opam} package must
3902 be added to the @code{native-inputs} field of the package definition.
3904 Note that most OCaml packages assume they will be installed in the same
3905 directory as OCaml, which is not what we want in guix. In particular, they
3906 will install @file{.so} files in their module's directory, which is usually
3907 fine because it is in the OCaml compiler directory. In guix though, these
3908 libraries cannot be found and we use @code{CAML_LD_LIBRARY_PATH}. This
3909 variable points to @file{lib/ocaml/site-lib/stubslibs} and this is where
3910 @file{.so} libraries should be installed.
3913 @defvr {Scheme Variable} python-build-system
3914 This variable is exported by @code{(guix build-system python)}. It
3915 implements the more or less standard build procedure used by Python
3916 packages, which consists in running @code{python setup.py build} and
3917 then @code{python setup.py install --prefix=/gnu/store/@dots{}}.
3919 For packages that install stand-alone Python programs under @code{bin/},
3920 it takes care of wrapping these programs so that their @code{PYTHONPATH}
3921 environment variable points to all the Python libraries they depend on.
3923 Which Python package is used to perform the build can be specified with
3924 the @code{#:python} parameter. This is a useful way to force a package
3925 to be built for a specific version of the Python interpreter, which
3926 might be necessary if the package is only compatible with a single
3927 interpreter version.
3929 By default guix calls @code{setup.py} under control of
3930 @code{setuptools}, much like @command{pip} does. Some packages are not
3931 compatible with setuptools (and pip), thus you can disable this by
3932 setting the @code{#:use-setuptools} parameter to @code{#f}.
3935 @defvr {Scheme Variable} perl-build-system
3936 This variable is exported by @code{(guix build-system perl)}. It
3937 implements the standard build procedure for Perl packages, which either
3938 consists in running @code{perl Build.PL --prefix=/gnu/store/@dots{}},
3939 followed by @code{Build} and @code{Build install}; or in running
3940 @code{perl Makefile.PL PREFIX=/gnu/store/@dots{}}, followed by
3941 @code{make} and @code{make install}, depending on which of
3942 @code{Build.PL} or @code{Makefile.PL} is present in the package
3943 distribution. Preference is given to the former if both @code{Build.PL}
3944 and @code{Makefile.PL} exist in the package distribution. This
3945 preference can be reversed by specifying @code{#t} for the
3946 @code{#:make-maker?} parameter.
3948 The initial @code{perl Makefile.PL} or @code{perl Build.PL} invocation
3949 passes flags specified by the @code{#:make-maker-flags} or
3950 @code{#:module-build-flags} parameter, respectively.
3952 Which Perl package is used can be specified with @code{#:perl}.
3955 @defvr {Scheme Variable} r-build-system
3956 This variable is exported by @code{(guix build-system r)}. It
3957 implements the build procedure used by @uref{http://r-project.org, R}
3958 packages, which essentially is little more than running @code{R CMD
3959 INSTALL --library=/gnu/store/@dots{}} in an environment where
3960 @code{R_LIBS_SITE} contains the paths to all R package inputs. Tests
3961 are run after installation using the R function
3962 @code{tools::testInstalledPackage}.
3965 @defvr {Scheme Variable} texlive-build-system
3966 This variable is exported by @code{(guix build-system texlive)}. It is
3967 used to build TeX packages in batch mode with a specified engine. The
3968 build system sets the @code{TEXINPUTS} variable to find all TeX source
3969 files in the inputs.
3971 By default it runs @code{luatex} on all files ending on @code{ins}. A
3972 different engine and format can be specified with the
3973 @code{#:tex-format} argument. Different build targets can be specified
3974 with the @code{#:build-targets} argument, which expects a list of file
3975 names. The build system adds only @code{texlive-bin} and
3976 @code{texlive-latex-base} (both from @code{(gnu packages tex}) to the
3977 inputs. Both can be overridden with the arguments @code{#:texlive-bin}
3978 and @code{#:texlive-latex-base}, respectively.
3980 The @code{#:tex-directory} parameter tells the build system where to
3981 install the built files under the texmf tree.
3984 @defvr {Scheme Variable} ruby-build-system
3985 This variable is exported by @code{(guix build-system ruby)}. It
3986 implements the RubyGems build procedure used by Ruby packages, which
3987 involves running @code{gem build} followed by @code{gem install}.
3989 The @code{source} field of a package that uses this build system
3990 typically references a gem archive, since this is the format that Ruby
3991 developers use when releasing their software. The build system unpacks
3992 the gem archive, potentially patches the source, runs the test suite,
3993 repackages the gem, and installs it. Additionally, directories and
3994 tarballs may be referenced to allow building unreleased gems from Git or
3995 a traditional source release tarball.
3997 Which Ruby package is used can be specified with the @code{#:ruby}
3998 parameter. A list of additional flags to be passed to the @command{gem}
3999 command can be specified with the @code{#:gem-flags} parameter.
4002 @defvr {Scheme Variable} waf-build-system
4003 This variable is exported by @code{(guix build-system waf)}. It
4004 implements a build procedure around the @code{waf} script. The common
4005 phases---@code{configure}, @code{build}, and @code{install}---are
4006 implemented by passing their names as arguments to the @code{waf}
4009 The @code{waf} script is executed by the Python interpreter. Which
4010 Python package is used to run the script can be specified with the
4011 @code{#:python} parameter.
4014 @defvr {Scheme Variable} scons-build-system
4015 This variable is exported by @code{(guix build-system scons)}. It
4016 implements the build procedure used by the SCons software construction
4017 tool. This build system runs @code{scons} to build the package,
4018 @code{scons test} to run tests, and then @code{scons install} to install
4021 Additional flags to be passed to @code{scons} can be specified with the
4022 @code{#:scons-flags} parameter. The version of Python used to run SCons
4023 can be specified by selecting the appropriate SCons package with the
4024 @code{#:scons} parameter.
4027 @defvr {Scheme Variable} haskell-build-system
4028 This variable is exported by @code{(guix build-system haskell)}. It
4029 implements the Cabal build procedure used by Haskell packages, which
4030 involves running @code{runhaskell Setup.hs configure
4031 --prefix=/gnu/store/@dots{}} and @code{runhaskell Setup.hs build}.
4032 Instead of installing the package by running @code{runhaskell Setup.hs
4033 install}, to avoid trying to register libraries in the read-only
4034 compiler store directory, the build system uses @code{runhaskell
4035 Setup.hs copy}, followed by @code{runhaskell Setup.hs register}. In
4036 addition, the build system generates the package documentation by
4037 running @code{runhaskell Setup.hs haddock}, unless @code{#:haddock? #f}
4038 is passed. Optional Haddock parameters can be passed with the help of
4039 the @code{#:haddock-flags} parameter. If the file @code{Setup.hs} is
4040 not found, the build system looks for @code{Setup.lhs} instead.
4042 Which Haskell compiler is used can be specified with the @code{#:haskell}
4043 parameter which defaults to @code{ghc}.
4046 @defvr {Scheme Variable} dub-build-system
4047 This variable is exported by @code{(guix build-system dub)}. It
4048 implements the Dub build procedure used by D packages, which
4049 involves running @code{dub build} and @code{dub run}.
4050 Installation is done by copying the files manually.
4052 Which D compiler is used can be specified with the @code{#:ldc}
4053 parameter which defaults to @code{ldc}.
4056 @defvr {Scheme Variable} emacs-build-system
4057 This variable is exported by @code{(guix build-system emacs)}. It
4058 implements an installation procedure similar to the packaging system
4059 of Emacs itself (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
4061 It first creates the @code{@var{package}-autoloads.el} file, then it
4062 byte compiles all Emacs Lisp files. Differently from the Emacs
4063 packaging system, the Info documentation files are moved to the standard
4064 documentation directory and the @file{dir} file is deleted. Each
4065 package is installed in its own directory under
4066 @file{share/emacs/site-lisp/guix.d}.
4069 @defvr {Scheme Variable} font-build-system
4070 This variable is exported by @code{(guix build-system font)}. It
4071 implements an installation procedure for font packages where upstream
4072 provides pre-compiled TrueType, OpenType, etc. font files that merely
4073 need to be copied into place. It copies font files to standard
4074 locations in the output directory.
4077 @defvr {Scheme Variable} meson-build-system
4078 This variable is exported by @code{(guix build-system meson)}. It
4079 implements the build procedure for packages that use
4080 @url{http://mesonbuild.com, Meson} as their build system.
4082 It adds both Meson and @uref{https://ninja-build.org/, Ninja} to the set
4083 of inputs, and they can be changed with the parameters @code{#:meson}
4084 and @code{#:ninja} if needed. The default Meson is
4085 @code{meson-for-build}, which is special because it doesn't clear the
4086 @code{RUNPATH} of binaries and libraries when they are installed.
4088 This build system is an extension of @var{gnu-build-system}, but with the
4089 following phases changed to some specific for Meson:
4094 The phase runs @code{meson} with the flags specified in
4095 @code{#:configure-flags}. The flag @code{--build-type} is always set to
4096 @code{plain} unless something else is specified in @code{#:build-type}.
4099 The phase runs @code{ninja} to build the package in parallel by default, but
4100 this can be changed with @code{#:parallel-build?}.
4103 The phase runs @code{ninja} with the target specified in @code{#:test-target},
4104 which is @code{"test"} by default.
4107 The phase runs @code{ninja install} and can not be changed.
4110 Apart from that, the build system also adds the following phases:
4115 This phase ensures that all binaries can find the libraries they need.
4116 It searches for required libraries in subdirectories of the package being
4117 built, and adds those to @code{RUNPATH} where needed. It also removes
4118 references to libraries left over from the build phase by
4119 @code{meson-for-build}, such as test dependencies, that aren't actually
4120 required for the program to run.
4122 @item glib-or-gtk-wrap
4123 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
4124 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
4126 @item glib-or-gtk-compile-schemas
4127 This phase is the phase provided by @code{glib-or-gtk-build-system}, and it
4128 is not enabled by default. It can be enabled with @code{#:glib-or-gtk?}.
4132 Lastly, for packages that do not need anything as sophisticated, a
4133 ``trivial'' build system is provided. It is trivial in the sense that
4134 it provides basically no support: it does not pull any implicit inputs,
4135 and does not have a notion of build phases.
4137 @defvr {Scheme Variable} trivial-build-system
4138 This variable is exported by @code{(guix build-system trivial)}.
4140 This build system requires a @code{#:builder} argument. This argument
4141 must be a Scheme expression that builds the package output(s)---as
4142 with @code{build-expression->derivation} (@pxref{Derivations,
4143 @code{build-expression->derivation}}).
4153 Conceptually, the @dfn{store} is the place where derivations that have
4154 been built successfully are stored---by default, @file{/gnu/store}.
4155 Sub-directories in the store are referred to as @dfn{store items} or
4156 sometimes @dfn{store paths}. The store has an associated database that
4157 contains information such as the store paths referred to by each store
4158 path, and the list of @emph{valid} store items---results of successful
4159 builds. This database resides in @file{@var{localstatedir}/guix/db},
4160 where @var{localstatedir} is the state directory specified @i{via}
4161 @option{--localstatedir} at configure time, usually @file{/var}.
4163 The store is @emph{always} accessed by the daemon on behalf of its clients
4164 (@pxref{Invoking guix-daemon}). To manipulate the store, clients
4165 connect to the daemon over a Unix-domain socket, send requests to it,
4166 and read the result---these are remote procedure calls, or RPCs.
4169 Users must @emph{never} modify files under @file{/gnu/store} directly.
4170 This would lead to inconsistencies and break the immutability
4171 assumptions of Guix's functional model (@pxref{Introduction}).
4173 @xref{Invoking guix gc, @command{guix gc --verify}}, for information on
4174 how to check the integrity of the store and attempt recovery from
4175 accidental modifications.
4178 The @code{(guix store)} module provides procedures to connect to the
4179 daemon, and to perform RPCs. These are described below. By default,
4180 @code{open-connection}, and thus all the @command{guix} commands,
4181 connect to the local daemon or to the URI specified by the
4182 @code{GUIX_DAEMON_SOCKET} environment variable.
4184 @defvr {Environment Variable} GUIX_DAEMON_SOCKET
4185 When set, the value of this variable should be a file name or a URI
4186 designating the daemon endpoint. When it is a file name, it denotes a
4187 Unix-domain socket to connect to. In addition to file names, the
4188 supported URI schemes are:
4193 These are for Unix-domain sockets.
4194 @code{file:///var/guix/daemon-socket/socket} is equivalent to
4195 @file{/var/guix/daemon-socket/socket}.
4198 @cindex daemon, remote access
4199 @cindex remote access to the daemon
4200 @cindex daemon, cluster setup
4201 @cindex clusters, daemon setup
4202 These URIs denote connections over TCP/IP, without encryption nor
4203 authentication of the remote host. The URI must specify the host name
4204 and optionally a port number (by default port 44146 is used):
4207 guix://master.guix.example.org:1234
4210 This setup is suitable on local networks, such as clusters, where only
4211 trusted nodes may connect to the build daemon at
4212 @code{master.guix.example.org}.
4214 The @code{--listen} option of @command{guix-daemon} can be used to
4215 instruct it to listen for TCP connections (@pxref{Invoking guix-daemon,
4219 @cindex SSH access to build daemons
4220 These URIs allow you to connect to a remote daemon over
4221 SSH@footnote{This feature requires Guile-SSH (@pxref{Requirements}).}.
4222 A typical URL might look like this:
4225 ssh://charlie@@guix.example.org:22
4228 As for @command{guix copy}, the usual OpenSSH client configuration files
4229 are honored (@pxref{Invoking guix copy}).
4232 Additional URI schemes may be supported in the future.
4234 @c XXX: Remove this note when the protocol incurs fewer round trips
4235 @c and when (guix derivations) no longer relies on file system access.
4237 The ability to connect to remote build daemons is considered
4238 experimental as of @value{VERSION}. Please get in touch with us to
4239 share any problems or suggestions you may have (@pxref{Contributing}).
4243 @deffn {Scheme Procedure} open-connection [@var{uri}] [#:reserve-space? #t]
4244 Connect to the daemon over the Unix-domain socket at @var{uri} (a string). When
4245 @var{reserve-space?} is true, instruct it to reserve a little bit of
4246 extra space on the file system so that the garbage collector can still
4247 operate should the disk become full. Return a server object.
4249 @var{file} defaults to @var{%default-socket-path}, which is the normal
4250 location given the options that were passed to @command{configure}.
4253 @deffn {Scheme Procedure} close-connection @var{server}
4254 Close the connection to @var{server}.
4257 @defvr {Scheme Variable} current-build-output-port
4258 This variable is bound to a SRFI-39 parameter, which refers to the port
4259 where build and error logs sent by the daemon should be written.
4262 Procedures that make RPCs all take a server object as their first
4265 @deffn {Scheme Procedure} valid-path? @var{server} @var{path}
4266 @cindex invalid store items
4267 Return @code{#t} when @var{path} designates a valid store item and
4268 @code{#f} otherwise (an invalid item may exist on disk but still be
4269 invalid, for instance because it is the result of an aborted or failed
4272 A @code{&nix-protocol-error} condition is raised if @var{path} is not
4273 prefixed by the store directory (@file{/gnu/store}).
4276 @deffn {Scheme Procedure} add-text-to-store @var{server} @var{name} @var{text} [@var{references}]
4277 Add @var{text} under file @var{name} in the store, and return its store
4278 path. @var{references} is the list of store paths referred to by the
4279 resulting store path.
4282 @deffn {Scheme Procedure} build-derivations @var{server} @var{derivations}
4283 Build @var{derivations} (a list of @code{<derivation>} objects or
4284 derivation paths), and return when the worker is done building them.
4285 Return @code{#t} on success.
4288 Note that the @code{(guix monads)} module provides a monad as well as
4289 monadic versions of the above procedures, with the goal of making it
4290 more convenient to work with code that accesses the store (@pxref{The
4294 @i{This section is currently incomplete.}
4297 @section Derivations
4300 Low-level build actions and the environment in which they are performed
4301 are represented by @dfn{derivations}. A derivation contains the
4302 following pieces of information:
4306 The outputs of the derivation---derivations produce at least one file or
4307 directory in the store, but may produce more.
4310 The inputs of the derivations, which may be other derivations or plain
4311 files in the store (patches, build scripts, etc.)
4314 The system type targeted by the derivation---e.g., @code{x86_64-linux}.
4317 The file name of a build script in the store, along with the arguments
4321 A list of environment variables to be defined.
4325 @cindex derivation path
4326 Derivations allow clients of the daemon to communicate build actions to
4327 the store. They exist in two forms: as an in-memory representation,
4328 both on the client- and daemon-side, and as files in the store whose
4329 name end in @code{.drv}---these files are referred to as @dfn{derivation
4330 paths}. Derivations paths can be passed to the @code{build-derivations}
4331 procedure to perform the build actions they prescribe (@pxref{The
4334 @cindex fixed-output derivations
4335 Operations such as file downloads and version-control checkouts for
4336 which the expected content hash is known in advance are modeled as
4337 @dfn{fixed-output derivations}. Unlike regular derivations, the outputs
4338 of a fixed-output derivation are independent of its inputs---e.g., a
4339 source code download produces the same result regardless of the download
4340 method and tools being used.
4342 The @code{(guix derivations)} module provides a representation of
4343 derivations as Scheme objects, along with procedures to create and
4344 otherwise manipulate derivations. The lowest-level primitive to create
4345 a derivation is the @code{derivation} procedure:
4347 @deffn {Scheme Procedure} derivation @var{store} @var{name} @var{builder} @
4348 @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
4349 [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
4350 [#:system (%current-system)] [#:references-graphs #f] @
4351 [#:allowed-references #f] [#:disallowed-references #f] @
4352 [#:leaked-env-vars #f] [#:local-build? #f] @
4353 [#:substitutable? #t]
4354 Build a derivation with the given arguments, and return the resulting
4355 @code{<derivation>} object.
4357 When @var{hash} and @var{hash-algo} are given, a
4358 @dfn{fixed-output derivation} is created---i.e., one whose result is
4359 known in advance, such as a file download. If, in addition,
4360 @var{recursive?} is true, then that fixed output may be an executable
4361 file or a directory and @var{hash} must be the hash of an archive
4362 containing this output.
4364 When @var{references-graphs} is true, it must be a list of file
4365 name/store path pairs. In that case, the reference graph of each store
4366 path is exported in the build environment in the corresponding file, in
4367 a simple text format.
4369 When @var{allowed-references} is true, it must be a list of store items
4370 or outputs that the derivation's output may refer to. Likewise,
4371 @var{disallowed-references}, if true, must be a list of things the
4372 outputs may @emph{not} refer to.
4374 When @var{leaked-env-vars} is true, it must be a list of strings
4375 denoting environment variables that are allowed to ``leak'' from the
4376 daemon's environment to the build environment. This is only applicable
4377 to fixed-output derivations---i.e., when @var{hash} is true. The main
4378 use is to allow variables such as @code{http_proxy} to be passed to
4379 derivations that download files.
4381 When @var{local-build?} is true, declare that the derivation is not a
4382 good candidate for offloading and should rather be built locally
4383 (@pxref{Daemon Offload Setup}). This is the case for small derivations
4384 where the costs of data transfers would outweigh the benefits.
4386 When @var{substitutable?} is false, declare that substitutes of the
4387 derivation's output should not be used (@pxref{Substitutes}). This is
4388 useful, for instance, when building packages that capture details of the
4389 host CPU instruction set.
4393 Here's an example with a shell script as its builder, assuming
4394 @var{store} is an open connection to the daemon, and @var{bash} points
4395 to a Bash executable in the store:
4398 (use-modules (guix utils)
4402 (let ((builder ; add the Bash script to the store
4403 (add-text-to-store store "my-builder.sh"
4404 "echo hello world > $out\n" '())))
4405 (derivation store "foo"
4406 bash `("-e" ,builder)
4407 #:inputs `((,bash) (,builder))
4408 #:env-vars '(("HOME" . "/homeless"))))
4409 @result{} #<derivation /gnu/store/@dots{}-foo.drv => /gnu/store/@dots{}-foo>
4412 As can be guessed, this primitive is cumbersome to use directly. A
4413 better approach is to write build scripts in Scheme, of course! The
4414 best course of action for that is to write the build code as a
4415 ``G-expression'', and to pass it to @code{gexp->derivation}. For more
4416 information, @pxref{G-Expressions}.
4418 Once upon a time, @code{gexp->derivation} did not exist and constructing
4419 derivations with build code written in Scheme was achieved with
4420 @code{build-expression->derivation}, documented below. This procedure
4421 is now deprecated in favor of the much nicer @code{gexp->derivation}.
4423 @deffn {Scheme Procedure} build-expression->derivation @var{store} @
4424 @var{name} @var{exp} @
4425 [#:system (%current-system)] [#:inputs '()] @
4426 [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
4427 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
4428 [#:references-graphs #f] [#:allowed-references #f] @
4429 [#:disallowed-references #f] @
4430 [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
4431 Return a derivation that executes Scheme expression @var{exp} as a
4432 builder for derivation @var{name}. @var{inputs} must be a list of
4433 @code{(name drv-path sub-drv)} tuples; when @var{sub-drv} is omitted,
4434 @code{"out"} is assumed. @var{modules} is a list of names of Guile
4435 modules from the current search path to be copied in the store,
4436 compiled, and made available in the load path during the execution of
4437 @var{exp}---e.g., @code{((guix build utils) (guix build
4438 gnu-build-system))}.
4440 @var{exp} is evaluated in an environment where @code{%outputs} is bound
4441 to a list of output/path pairs, and where @code{%build-inputs} is bound
4442 to a list of string/output-path pairs made from @var{inputs}.
4443 Optionally, @var{env-vars} is a list of string pairs specifying the name
4444 and value of environment variables visible to the builder. The builder
4445 terminates by passing the result of @var{exp} to @code{exit}; thus, when
4446 @var{exp} returns @code{#f}, the build is considered to have failed.
4448 @var{exp} is built using @var{guile-for-build} (a derivation). When
4449 @var{guile-for-build} is omitted or is @code{#f}, the value of the
4450 @code{%guile-for-build} fluid is used instead.
4452 See the @code{derivation} procedure for the meaning of
4453 @var{references-graphs}, @var{allowed-references},
4454 @var{disallowed-references}, @var{local-build?}, and
4455 @var{substitutable?}.
4459 Here's an example of a single-output derivation that creates a directory
4460 containing one file:
4463 (let ((builder '(let ((out (assoc-ref %outputs "out")))
4464 (mkdir out) ; create /gnu/store/@dots{}-goo
4465 (call-with-output-file (string-append out "/test")
4467 (display '(hello guix) p))))))
4468 (build-expression->derivation store "goo" builder))
4470 @result{} #<derivation /gnu/store/@dots{}-goo.drv => @dots{}>
4474 @node The Store Monad
4475 @section The Store Monad
4479 The procedures that operate on the store described in the previous
4480 sections all take an open connection to the build daemon as their first
4481 argument. Although the underlying model is functional, they either have
4482 side effects or depend on the current state of the store.
4484 The former is inconvenient: the connection to the build daemon has to be
4485 carried around in all those functions, making it impossible to compose
4486 functions that do not take that parameter with functions that do. The
4487 latter can be problematic: since store operations have side effects
4488 and/or depend on external state, they have to be properly sequenced.
4490 @cindex monadic values
4491 @cindex monadic functions
4492 This is where the @code{(guix monads)} module comes in. This module
4493 provides a framework for working with @dfn{monads}, and a particularly
4494 useful monad for our uses, the @dfn{store monad}. Monads are a
4495 construct that allows two things: associating ``context'' with values
4496 (in our case, the context is the store), and building sequences of
4497 computations (here computations include accesses to the store). Values
4498 in a monad---values that carry this additional context---are called
4499 @dfn{monadic values}; procedures that return such values are called
4500 @dfn{monadic procedures}.
4502 Consider this ``normal'' procedure:
4505 (define (sh-symlink store)
4506 ;; Return a derivation that symlinks the 'bash' executable.
4507 (let* ((drv (package-derivation store bash))
4508 (out (derivation->output-path drv))
4509 (sh (string-append out "/bin/bash")))
4510 (build-expression->derivation store "sh"
4511 `(symlink ,sh %output))))
4514 Using @code{(guix monads)} and @code{(guix gexp)}, it may be rewritten
4515 as a monadic function:
4518 (define (sh-symlink)
4519 ;; Same, but return a monadic value.
4520 (mlet %store-monad ((drv (package->derivation bash)))
4521 (gexp->derivation "sh"
4522 #~(symlink (string-append #$drv "/bin/bash")
4526 There are several things to note in the second version: the @code{store}
4527 parameter is now implicit and is ``threaded'' in the calls to the
4528 @code{package->derivation} and @code{gexp->derivation} monadic
4529 procedures, and the monadic value returned by @code{package->derivation}
4530 is @dfn{bound} using @code{mlet} instead of plain @code{let}.
4532 As it turns out, the call to @code{package->derivation} can even be
4533 omitted since it will take place implicitly, as we will see later
4534 (@pxref{G-Expressions}):
4537 (define (sh-symlink)
4538 (gexp->derivation "sh"
4539 #~(symlink (string-append #$bash "/bin/bash")
4544 @c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
4545 @c for the funny quote.
4546 Calling the monadic @code{sh-symlink} has no effect. As someone once
4547 said, ``you exit a monad like you exit a building on fire: by running''.
4548 So, to exit the monad and get the desired effect, one must use
4549 @code{run-with-store}:
4552 (run-with-store (open-connection) (sh-symlink))
4553 @result{} /gnu/store/...-sh-symlink
4556 Note that the @code{(guix monad-repl)} module extends the Guile REPL with
4557 new ``meta-commands'' to make it easier to deal with monadic procedures:
4558 @code{run-in-store}, and @code{enter-store-monad}. The former is used
4559 to ``run'' a single monadic value through the store:
4562 scheme@@(guile-user)> ,run-in-store (package->derivation hello)
4563 $1 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
4566 The latter enters a recursive REPL, where all the return values are
4567 automatically run through the store:
4570 scheme@@(guile-user)> ,enter-store-monad
4571 store-monad@@(guile-user) [1]> (package->derivation hello)
4572 $2 = #<derivation /gnu/store/@dots{}-hello-2.9.drv => @dots{}>
4573 store-monad@@(guile-user) [1]> (text-file "foo" "Hello!")
4574 $3 = "/gnu/store/@dots{}-foo"
4575 store-monad@@(guile-user) [1]> ,q
4576 scheme@@(guile-user)>
4580 Note that non-monadic values cannot be returned in the
4581 @code{store-monad} REPL.
4583 The main syntactic forms to deal with monads in general are provided by
4584 the @code{(guix monads)} module and are described below.
4586 @deffn {Scheme Syntax} with-monad @var{monad} @var{body} ...
4587 Evaluate any @code{>>=} or @code{return} forms in @var{body} as being
4591 @deffn {Scheme Syntax} return @var{val}
4592 Return a monadic value that encapsulates @var{val}.
4595 @deffn {Scheme Syntax} >>= @var{mval} @var{mproc} ...
4596 @dfn{Bind} monadic value @var{mval}, passing its ``contents'' to monadic
4597 procedures @var{mproc}@dots{}@footnote{This operation is commonly
4598 referred to as ``bind'', but that name denotes an unrelated procedure in
4599 Guile. Thus we use this somewhat cryptic symbol inherited from the
4600 Haskell language.}. There can be one @var{mproc} or several of them, as
4605 (with-monad %state-monad
4607 (lambda (x) (return (+ 1 x)))
4608 (lambda (x) (return (* 2 x)))))
4612 @result{} some-state
4616 @deffn {Scheme Syntax} mlet @var{monad} ((@var{var} @var{mval}) ...) @
4618 @deffnx {Scheme Syntax} mlet* @var{monad} ((@var{var} @var{mval}) ...) @
4620 Bind the variables @var{var} to the monadic values @var{mval} in
4621 @var{body}, which is a sequence of expressions. As with the bind
4622 operator, this can be thought of as ``unpacking'' the raw, non-monadic
4623 value ``contained'' in @var{mval} and making @var{var} refer to that
4624 raw, non-monadic value within the scope of the @var{body}. The form
4625 (@var{var} -> @var{val}) binds @var{var} to the ``normal'' value
4626 @var{val}, as per @code{let}. The binding operations occur in sequence
4627 from left to right. The last expression of @var{body} must be a monadic
4628 expression, and its result will become the result of the @code{mlet} or
4629 @code{mlet*} when run in the @var{monad}.
4631 @code{mlet*} is to @code{mlet} what @code{let*} is to @code{let}
4632 (@pxref{Local Bindings,,, guile, GNU Guile Reference Manual}).
4635 @deffn {Scheme System} mbegin @var{monad} @var{mexp} ...
4636 Bind @var{mexp} and the following monadic expressions in sequence,
4637 returning the result of the last expression. Every expression in the
4638 sequence must be a monadic expression.
4640 This is akin to @code{mlet}, except that the return values of the
4641 monadic expressions are ignored. In that sense, it is analogous to
4642 @code{begin}, but applied to monadic expressions.
4645 @deffn {Scheme System} mwhen @var{condition} @var{mexp0} @var{mexp*} ...
4646 When @var{condition} is true, evaluate the sequence of monadic
4647 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
4648 @var{condition} is false, return @code{*unspecified*} in the current
4649 monad. Every expression in the sequence must be a monadic expression.
4652 @deffn {Scheme System} munless @var{condition} @var{mexp0} @var{mexp*} ...
4653 When @var{condition} is false, evaluate the sequence of monadic
4654 expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When
4655 @var{condition} is true, return @code{*unspecified*} in the current
4656 monad. Every expression in the sequence must be a monadic expression.
4660 The @code{(guix monads)} module provides the @dfn{state monad}, which
4661 allows an additional value---the state---to be @emph{threaded} through
4662 monadic procedure calls.
4664 @defvr {Scheme Variable} %state-monad
4665 The state monad. Procedures in the state monad can access and change
4666 the state that is threaded.
4668 Consider the example below. The @code{square} procedure returns a value
4669 in the state monad. It returns the square of its argument, but also
4670 increments the current state value:
4674 (mlet %state-monad ((count (current-state)))
4675 (mbegin %state-monad
4676 (set-current-state (+ 1 count))
4679 (run-with-state (sequence %state-monad (map square (iota 3))) 0)
4684 When ``run'' through @var{%state-monad}, we obtain that additional state
4685 value, which is the number of @code{square} calls.
4688 @deffn {Monadic Procedure} current-state
4689 Return the current state as a monadic value.
4692 @deffn {Monadic Procedure} set-current-state @var{value}
4693 Set the current state to @var{value} and return the previous state as a
4697 @deffn {Monadic Procedure} state-push @var{value}
4698 Push @var{value} to the current state, which is assumed to be a list,
4699 and return the previous state as a monadic value.
4702 @deffn {Monadic Procedure} state-pop
4703 Pop a value from the current state and return it as a monadic value.
4704 The state is assumed to be a list.
4707 @deffn {Scheme Procedure} run-with-state @var{mval} [@var{state}]
4708 Run monadic value @var{mval} starting with @var{state} as the initial
4709 state. Return two values: the resulting value, and the resulting state.
4712 The main interface to the store monad, provided by the @code{(guix
4713 store)} module, is as follows.
4715 @defvr {Scheme Variable} %store-monad
4716 The store monad---an alias for @var{%state-monad}.
4718 Values in the store monad encapsulate accesses to the store. When its
4719 effect is needed, a value of the store monad must be ``evaluated'' by
4720 passing it to the @code{run-with-store} procedure (see below.)
4723 @deffn {Scheme Procedure} run-with-store @var{store} @var{mval} [#:guile-for-build] [#:system (%current-system)]
4724 Run @var{mval}, a monadic value in the store monad, in @var{store}, an
4725 open store connection.
4728 @deffn {Monadic Procedure} text-file @var{name} @var{text} [@var{references}]
4729 Return as a monadic value the absolute file name in the store of the file
4730 containing @var{text}, a string. @var{references} is a list of store items that the
4731 resulting text file refers to; it defaults to the empty list.
4734 @deffn {Monadic Procedure} interned-file @var{file} [@var{name}] @
4735 [#:recursive? #t] [#:select? (const #t)]
4736 Return the name of @var{file} once interned in the store. Use
4737 @var{name} as its store name, or the basename of @var{file} if
4738 @var{name} is omitted.
4740 When @var{recursive?} is true, the contents of @var{file} are added
4741 recursively; if @var{file} designates a flat file and @var{recursive?}
4742 is true, its contents are added, and its permission bits are kept.
4744 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
4745 @var{stat})} for each directory entry, where @var{file} is the entry's
4746 absolute file name and @var{stat} is the result of @code{lstat}; exclude
4747 entries for which @var{select?} does not return true.
4749 The example below adds a file to the store, under two different names:
4752 (run-with-store (open-connection)
4753 (mlet %store-monad ((a (interned-file "README"))
4754 (b (interned-file "README" "LEGU-MIN")))
4755 (return (list a b))))
4757 @result{} ("/gnu/store/rwm@dots{}-README" "/gnu/store/44i@dots{}-LEGU-MIN")
4762 The @code{(guix packages)} module exports the following package-related
4765 @deffn {Monadic Procedure} package-file @var{package} [@var{file}] @
4766 [#:system (%current-system)] [#:target #f] @
4769 value in the absolute file name of @var{file} within the @var{output}
4770 directory of @var{package}. When @var{file} is omitted, return the name
4771 of the @var{output} directory of @var{package}. When @var{target} is
4772 true, use it as a cross-compilation target triplet.
4775 @deffn {Monadic Procedure} package->derivation @var{package} [@var{system}]
4776 @deffnx {Monadic Procedure} package->cross-derivation @var{package} @
4777 @var{target} [@var{system}]
4778 Monadic version of @code{package-derivation} and
4779 @code{package-cross-derivation} (@pxref{Defining Packages}).
4784 @section G-Expressions
4786 @cindex G-expression
4787 @cindex build code quoting
4788 So we have ``derivations'', which represent a sequence of build actions
4789 to be performed to produce an item in the store (@pxref{Derivations}).
4790 These build actions are performed when asking the daemon to actually
4791 build the derivations; they are run by the daemon in a container
4792 (@pxref{Invoking guix-daemon}).
4794 @cindex strata of code
4795 It should come as no surprise that we like to write these build actions
4796 in Scheme. When we do that, we end up with two @dfn{strata} of Scheme
4797 code@footnote{The term @dfn{stratum} in this context was coined by
4798 Manuel Serrano et al.@: in the context of their work on Hop. Oleg
4799 Kiselyov, who has written insightful
4800 @url{http://okmij.org/ftp/meta-programming/#meta-scheme, essays and code
4801 on this topic}, refers to this kind of code generation as
4802 @dfn{staging}.}: the ``host code''---code that defines packages, talks
4803 to the daemon, etc.---and the ``build code''---code that actually
4804 performs build actions, such as making directories, invoking
4805 @command{make}, etc.
4807 To describe a derivation and its build actions, one typically needs to
4808 embed build code inside host code. It boils down to manipulating build
4809 code as data, and the homoiconicity of Scheme---code has a direct
4810 representation as data---comes in handy for that. But we need more than
4811 the normal @code{quasiquote} mechanism in Scheme to construct build
4814 The @code{(guix gexp)} module implements @dfn{G-expressions}, a form of
4815 S-expressions adapted to build expressions. G-expressions, or
4816 @dfn{gexps}, consist essentially of three syntactic forms: @code{gexp},
4817 @code{ungexp}, and @code{ungexp-splicing} (or simply: @code{#~},
4818 @code{#$}, and @code{#$@@}), which are comparable to
4819 @code{quasiquote}, @code{unquote}, and @code{unquote-splicing},
4820 respectively (@pxref{Expression Syntax, @code{quasiquote},, guile,
4821 GNU Guile Reference Manual}). However, there are major differences:
4825 Gexps are meant to be written to a file and run or manipulated by other
4829 When a high-level object such as a package or derivation is unquoted
4830 inside a gexp, the result is as if its output file name had been
4834 Gexps carry information about the packages or derivations they refer to,
4835 and these dependencies are automatically added as inputs to the build
4836 processes that use them.
4839 @cindex lowering, of high-level objects in gexps
4840 This mechanism is not limited to package and derivation
4841 objects: @dfn{compilers} able to ``lower'' other high-level objects to
4842 derivations or files in the store can be defined,
4843 such that these objects can also be inserted
4844 into gexps. For example, a useful type of high-level objects that can be
4845 inserted in a gexp is ``file-like objects'', which make it easy to
4846 add files to the store and to refer to them in
4847 derivations and such (see @code{local-file} and @code{plain-file}
4850 To illustrate the idea, here is an example of a gexp:
4857 (symlink (string-append #$coreutils "/bin/ls")
4861 This gexp can be passed to @code{gexp->derivation}; we obtain a
4862 derivation that builds a directory containing exactly one symlink to
4863 @file{/gnu/store/@dots{}-coreutils-8.22/bin/ls}:
4866 (gexp->derivation "the-thing" build-exp)
4869 As one would expect, the @code{"/gnu/store/@dots{}-coreutils-8.22"} string is
4870 substituted to the reference to the @var{coreutils} package in the
4871 actual build code, and @var{coreutils} is automatically made an input to
4872 the derivation. Likewise, @code{#$output} (equivalent to @code{(ungexp
4873 output)}) is replaced by a string containing the directory name of the
4874 output of the derivation.
4876 @cindex cross compilation
4877 In a cross-compilation context, it is useful to distinguish between
4878 references to the @emph{native} build of a package---that can run on the
4879 host---versus references to cross builds of a package. To that end, the
4880 @code{#+} plays the same role as @code{#$}, but is a reference to a
4881 native package build:
4884 (gexp->derivation "vi"
4887 (system* (string-append #+coreutils "/bin/ln")
4889 (string-append #$emacs "/bin/emacs")
4890 (string-append #$output "/bin/vi")))
4891 #:target "mips64el-linux-gnu")
4895 In the example above, the native build of @var{coreutils} is used, so
4896 that @command{ln} can actually run on the host; but then the
4897 cross-compiled build of @var{emacs} is referenced.
4899 @cindex imported modules, for gexps
4900 @findex with-imported-modules
4901 Another gexp feature is @dfn{imported modules}: sometimes you want to be
4902 able to use certain Guile modules from the ``host environment'' in the
4903 gexp, so those modules should be imported in the ``build environment''.
4904 The @code{with-imported-modules} form allows you to express that:
4907 (let ((build (with-imported-modules '((guix build utils))
4909 (use-modules (guix build utils))
4910 (mkdir-p (string-append #$output "/bin"))))))
4911 (gexp->derivation "empty-dir"
4914 (display "success!\n")
4919 In this example, the @code{(guix build utils)} module is automatically
4920 pulled into the isolated build environment of our gexp, such that
4921 @code{(use-modules (guix build utils))} works as expected.
4923 @cindex module closure
4924 @findex source-module-closure
4925 Usually you want the @emph{closure} of the module to be imported---i.e.,
4926 the module itself and all the modules it depends on---rather than just
4927 the module; failing to do that, attempts to use the module will fail
4928 because of missing dependent modules. The @code{source-module-closure}
4929 procedure computes the closure of a module by looking at its source file
4930 headers, which comes in handy in this case:
4933 (use-modules (guix modules)) ;for 'source-module-closure'
4935 (with-imported-modules (source-module-closure
4936 '((guix build utils)
4938 (gexp->derivation "something-with-vms"
4940 (use-modules (guix build utils)
4945 The syntactic form to construct gexps is summarized below.
4947 @deffn {Scheme Syntax} #~@var{exp}
4948 @deffnx {Scheme Syntax} (gexp @var{exp})
4949 Return a G-expression containing @var{exp}. @var{exp} may contain one
4950 or more of the following forms:
4954 @itemx (ungexp @var{obj})
4955 Introduce a reference to @var{obj}. @var{obj} may have one of the
4956 supported types, for example a package or a
4957 derivation, in which case the @code{ungexp} form is replaced by its
4958 output file name---e.g., @code{"/gnu/store/@dots{}-coreutils-8.22}.
4960 If @var{obj} is a list, it is traversed and references to supported
4961 objects are substituted similarly.
4963 If @var{obj} is another gexp, its contents are inserted and its
4964 dependencies are added to those of the containing gexp.
4966 If @var{obj} is another kind of object, it is inserted as is.
4968 @item #$@var{obj}:@var{output}
4969 @itemx (ungexp @var{obj} @var{output})
4970 This is like the form above, but referring explicitly to the
4971 @var{output} of @var{obj}---this is useful when @var{obj} produces
4972 multiple outputs (@pxref{Packages with Multiple Outputs}).
4975 @itemx #+@var{obj}:output
4976 @itemx (ungexp-native @var{obj})
4977 @itemx (ungexp-native @var{obj} @var{output})
4978 Same as @code{ungexp}, but produces a reference to the @emph{native}
4979 build of @var{obj} when used in a cross compilation context.
4981 @item #$output[:@var{output}]
4982 @itemx (ungexp output [@var{output}])
4983 Insert a reference to derivation output @var{output}, or to the main
4984 output when @var{output} is omitted.
4986 This only makes sense for gexps passed to @code{gexp->derivation}.
4989 @itemx (ungexp-splicing @var{lst})
4990 Like the above, but splices the contents of @var{lst} inside the
4994 @itemx (ungexp-native-splicing @var{lst})
4995 Like the above, but refers to native builds of the objects listed in
5000 G-expressions created by @code{gexp} or @code{#~} are run-time objects
5001 of the @code{gexp?} type (see below.)
5004 @deffn {Scheme Syntax} with-imported-modules @var{modules} @var{body}@dots{}
5005 Mark the gexps defined in @var{body}@dots{} as requiring @var{modules}
5006 in their execution environment.
5008 Each item in @var{modules} can be the name of a module, such as
5009 @code{(guix build utils)}, or it can be a module name, followed by an
5010 arrow, followed by a file-like object:
5013 `((guix build utils)
5015 ((guix config) => ,(scheme-file "config.scm"
5016 #~(define-module @dots{}))))
5020 In the example above, the first two modules are taken from the search
5021 path, and the last one is created from the given file-like object.
5023 This form has @emph{lexical} scope: it has an effect on the gexps
5024 directly defined in @var{body}@dots{}, but not on those defined, say, in
5025 procedures called from @var{body}@dots{}.
5028 @deffn {Scheme Procedure} gexp? @var{obj}
5029 Return @code{#t} if @var{obj} is a G-expression.
5032 G-expressions are meant to be written to disk, either as code building
5033 some derivation, or as plain files in the store. The monadic procedures
5034 below allow you to do that (@pxref{The Store Monad}, for more
5035 information about monads.)
5037 @deffn {Monadic Procedure} gexp->derivation @var{name} @var{exp} @
5038 [#:system (%current-system)] [#:target #f] [#:graft? #t] @
5039 [#:hash #f] [#:hash-algo #f] @
5040 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
5041 [#:module-path @var{%load-path}] @
5042 [#:references-graphs #f] [#:allowed-references #f] @
5043 [#:disallowed-references #f] @
5044 [#:leaked-env-vars #f] @
5045 [#:script-name (string-append @var{name} "-builder")] @
5046 [#:deprecation-warnings #f] @
5047 [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
5048 Return a derivation @var{name} that runs @var{exp} (a gexp) with
5049 @var{guile-for-build} (a derivation) on @var{system}; @var{exp} is
5050 stored in a file called @var{script-name}. When @var{target} is true,
5051 it is used as the cross-compilation target triplet for packages referred
5054 @var{modules} is deprecated in favor of @code{with-imported-modules}.
5056 make @var{modules} available in the evaluation context of @var{exp};
5057 @var{modules} is a list of names of Guile modules searched in
5058 @var{module-path} to be copied in the store, compiled, and made available in
5059 the load path during the execution of @var{exp}---e.g., @code{((guix
5060 build utils) (guix build gnu-build-system))}.
5062 @var{graft?} determines whether packages referred to by @var{exp} should be grafted when
5065 When @var{references-graphs} is true, it must be a list of tuples of one of the
5069 (@var{file-name} @var{package})
5070 (@var{file-name} @var{package} @var{output})
5071 (@var{file-name} @var{derivation})
5072 (@var{file-name} @var{derivation} @var{output})
5073 (@var{file-name} @var{store-item})
5076 The right-hand-side of each element of @var{references-graphs} is automatically made
5077 an input of the build process of @var{exp}. In the build environment, each
5078 @var{file-name} contains the reference graph of the corresponding item, in a simple
5081 @var{allowed-references} must be either @code{#f} or a list of output names and packages.
5082 In the latter case, the list denotes store items that the result is allowed to
5083 refer to. Any reference to another store item will lead to a build error.
5084 Similarly for @var{disallowed-references}, which can list items that must not be
5085 referenced by the outputs.
5087 @var{deprecation-warnings} determines whether to show deprecation warnings while
5088 compiling modules. It can be @code{#f}, @code{#t}, or @code{'detailed}.
5090 The other arguments are as for @code{derivation} (@pxref{Derivations}).
5093 @cindex file-like objects
5094 The @code{local-file}, @code{plain-file}, @code{computed-file},
5095 @code{program-file}, and @code{scheme-file} procedures below return
5096 @dfn{file-like objects}. That is, when unquoted in a G-expression,
5097 these objects lead to a file in the store. Consider this G-expression:
5100 #~(system* #$(file-append glibc "/sbin/nscd") "-f"
5101 #$(local-file "/tmp/my-nscd.conf"))
5104 The effect here is to ``intern'' @file{/tmp/my-nscd.conf} by copying it
5105 to the store. Once expanded, for instance @i{via}
5106 @code{gexp->derivation}, the G-expression refers to that copy under
5107 @file{/gnu/store}; thus, modifying or removing the file in @file{/tmp}
5108 does not have any effect on what the G-expression does.
5109 @code{plain-file} can be used similarly; it differs in that the file
5110 content is directly passed as a string.
5112 @deffn {Scheme Procedure} local-file @var{file} [@var{name}] @
5113 [#:recursive? #f] [#:select? (const #t)]
5114 Return an object representing local file @var{file} to add to the store; this
5115 object can be used in a gexp. If @var{file} is a relative file name, it is looked
5116 up relative to the source file where this form appears. @var{file} will be added to
5117 the store under @var{name}--by default the base name of @var{file}.
5119 When @var{recursive?} is true, the contents of @var{file} are added recursively; if @var{file}
5120 designates a flat file and @var{recursive?} is true, its contents are added, and its
5121 permission bits are kept.
5123 When @var{recursive?} is true, call @code{(@var{select?} @var{file}
5124 @var{stat})} for each directory entry, where @var{file} is the entry's
5125 absolute file name and @var{stat} is the result of @code{lstat}; exclude
5126 entries for which @var{select?} does not return true.
5128 This is the declarative counterpart of the @code{interned-file} monadic
5129 procedure (@pxref{The Store Monad, @code{interned-file}}).
5132 @deffn {Scheme Procedure} plain-file @var{name} @var{content}
5133 Return an object representing a text file called @var{name} with the given
5134 @var{content} (a string) to be added to the store.
5136 This is the declarative counterpart of @code{text-file}.
5139 @deffn {Scheme Procedure} computed-file @var{name} @var{gexp} @
5140 [#:options '(#:local-build? #t)]
5141 Return an object representing the store item @var{name}, a file or
5142 directory computed by @var{gexp}. @var{options}
5143 is a list of additional arguments to pass to @code{gexp->derivation}.
5145 This is the declarative counterpart of @code{gexp->derivation}.
5148 @deffn {Monadic Procedure} gexp->script @var{name} @var{exp}
5149 Return an executable script @var{name} that runs @var{exp} using
5150 @var{guile}, with @var{exp}'s imported modules in its search path.
5152 The example below builds a script that simply invokes the @command{ls}
5156 (use-modules (guix gexp) (gnu packages base))
5158 (gexp->script "list-files"
5159 #~(execl #$(file-append coreutils "/bin/ls")
5163 When ``running'' it through the store (@pxref{The Store Monad,
5164 @code{run-with-store}}), we obtain a derivation that produces an
5165 executable file @file{/gnu/store/@dots{}-list-files} along these lines:
5168 #!/gnu/store/@dots{}-guile-2.0.11/bin/guile -ds
5170 (execl "/gnu/store/@dots{}-coreutils-8.22"/bin/ls" "ls")
5174 @deffn {Scheme Procedure} program-file @var{name} @var{exp} @
5176 Return an object representing the executable store item @var{name} that
5177 runs @var{gexp}. @var{guile} is the Guile package used to execute that
5180 This is the declarative counterpart of @code{gexp->script}.
5183 @deffn {Monadic Procedure} gexp->file @var{name} @var{exp} @
5184 [#:set-load-path? #t]
5185 Return a derivation that builds a file @var{name} containing @var{exp}.
5186 When @var{set-load-path?} is true, emit code in the resulting file to
5187 set @code{%load-path} and @code{%load-compiled-path} to honor
5188 @var{exp}'s imported modules.
5190 The resulting file holds references to all the dependencies of @var{exp}
5191 or a subset thereof.
5194 @deffn {Scheme Procedure} scheme-file @var{name} @var{exp}
5195 Return an object representing the Scheme file @var{name} that contains
5198 This is the declarative counterpart of @code{gexp->file}.
5201 @deffn {Monadic Procedure} text-file* @var{name} @var{text} @dots{}
5202 Return as a monadic value a derivation that builds a text file
5203 containing all of @var{text}. @var{text} may list, in addition to
5204 strings, objects of any type that can be used in a gexp: packages,
5205 derivations, local file objects, etc. The resulting store file holds
5206 references to all these.
5208 This variant should be preferred over @code{text-file} anytime the file
5209 to create will reference items from the store. This is typically the
5210 case when building a configuration file that embeds store file names,
5214 (define (profile.sh)
5215 ;; Return the name of a shell script in the store that
5216 ;; initializes the 'PATH' environment variable.
5217 (text-file* "profile.sh"
5218 "export PATH=" coreutils "/bin:"
5219 grep "/bin:" sed "/bin\n"))
5222 In this example, the resulting @file{/gnu/store/@dots{}-profile.sh} file
5223 will reference @var{coreutils}, @var{grep}, and @var{sed}, thereby
5224 preventing them from being garbage-collected during its lifetime.
5227 @deffn {Scheme Procedure} mixed-text-file @var{name} @var{text} @dots{}
5228 Return an object representing store file @var{name} containing
5229 @var{text}. @var{text} is a sequence of strings and file-like objects,
5233 (mixed-text-file "profile"
5234 "export PATH=" coreutils "/bin:" grep "/bin")
5237 This is the declarative counterpart of @code{text-file*}.
5240 @deffn {Scheme Procedure} file-union @var{name} @var{files}
5241 Return a @code{<computed-file>} that builds a directory containing all of @var{files}.
5242 Each item in @var{files} must be a two-element list where the first element is the
5243 file name to use in the new directory, and the second element is a gexp
5244 denoting the target file. Here's an example:
5248 `(("hosts" ,(plain-file "hosts"
5249 "127.0.0.1 localhost"))
5250 ("bashrc" ,(plain-file "bashrc"
5251 "alias ls='ls --color'"))))
5254 This yields an @code{etc} directory containing these two files.
5257 @deffn {Scheme Procedure} directory-union @var{name} @var{things}
5258 Return a directory that is the union of @var{things}, where @var{things} is a list of
5259 file-like objects denoting directories. For example:
5262 (directory-union "guile+emacs" (list guile emacs))
5265 yields a directory that is the union of the @code{guile} and @code{emacs} packages.
5268 @deffn {Scheme Procedure} file-append @var{obj} @var{suffix} @dots{}
5269 Return a file-like object that expands to the concatenation of @var{obj}
5270 and @var{suffix}, where @var{obj} is a lowerable object and each
5271 @var{suffix} is a string.
5273 As an example, consider this gexp:
5276 (gexp->script "run-uname"
5277 #~(system* #$(file-append coreutils
5281 The same effect could be achieved with:
5284 (gexp->script "run-uname"
5285 #~(system* (string-append #$coreutils
5289 There is one difference though: in the @code{file-append} case, the
5290 resulting script contains the absolute file name as a string, whereas in
5291 the second case, the resulting script contains a @code{(string-append
5292 @dots{})} expression to construct the file name @emph{at run time}.
5296 Of course, in addition to gexps embedded in ``host'' code, there are
5297 also modules containing build tools. To make it clear that they are
5298 meant to be used in the build stratum, these modules are kept in the
5299 @code{(guix build @dots{})} name space.
5301 @cindex lowering, of high-level objects in gexps
5302 Internally, high-level objects are @dfn{lowered}, using their compiler,
5303 to either derivations or store items. For instance, lowering a package
5304 yields a derivation, and lowering a @code{plain-file} yields a store
5305 item. This is achieved using the @code{lower-object} monadic procedure.
5307 @deffn {Monadic Procedure} lower-object @var{obj} [@var{system}] @
5309 Return as a value in @var{%store-monad} the derivation or store item
5310 corresponding to @var{obj} for @var{system}, cross-compiling for
5311 @var{target} if @var{target} is true. @var{obj} must be an object that
5312 has an associated gexp compiler, such as a @code{<package>}.
5316 @c *********************************************************************
5320 This section describes Guix command-line utilities. Some of them are
5321 primarily targeted at developers and users who write new package
5322 definitions, while others are more generally useful. They complement
5323 the Scheme programming interface of Guix in a convenient way.
5326 * Invoking guix build:: Building packages from the command line.
5327 * Invoking guix edit:: Editing package definitions.
5328 * Invoking guix download:: Downloading a file and printing its hash.
5329 * Invoking guix hash:: Computing the cryptographic hash of a file.
5330 * Invoking guix import:: Importing package definitions.
5331 * Invoking guix refresh:: Updating package definitions.
5332 * Invoking guix lint:: Finding errors in package definitions.
5333 * Invoking guix size:: Profiling disk usage.
5334 * Invoking guix graph:: Visualizing the graph of packages.
5335 * Invoking guix environment:: Setting up development environments.
5336 * Invoking guix publish:: Sharing substitutes.
5337 * Invoking guix challenge:: Challenging substitute servers.
5338 * Invoking guix copy:: Copying to and from a remote store.
5339 * Invoking guix container:: Process isolation.
5340 * Invoking guix weather:: Assessing substitute availability.
5343 @node Invoking guix build
5344 @section Invoking @command{guix build}
5346 @cindex package building
5347 @cindex @command{guix build}
5348 The @command{guix build} command builds packages or derivations and
5349 their dependencies, and prints the resulting store paths. Note that it
5350 does not modify the user's profile---this is the job of the
5351 @command{guix package} command (@pxref{Invoking guix package}). Thus,
5352 it is mainly useful for distribution developers.
5354 The general syntax is:
5357 guix build @var{options} @var{package-or-derivation}@dots{}
5360 As an example, the following command builds the latest versions of Emacs
5361 and of Guile, displays their build logs, and finally displays the
5362 resulting directories:
5365 guix build emacs guile
5368 Similarly, the following command builds all the available packages:
5371 guix build --quiet --keep-going \
5372 `guix package -A | cut -f1,2 --output-delimiter=@@`
5375 @var{package-or-derivation} may be either the name of a package found in
5376 the software distribution such as @code{coreutils} or
5377 @code{coreutils@@8.20}, or a derivation such as
5378 @file{/gnu/store/@dots{}-coreutils-8.19.drv}. In the former case, a
5379 package with the corresponding name (and optionally version) is searched
5380 for among the GNU distribution modules (@pxref{Package Modules}).
5382 Alternatively, the @code{--expression} option may be used to specify a
5383 Scheme expression that evaluates to a package; this is useful when
5384 disambiguating among several same-named packages or package variants is
5387 There may be zero or more @var{options}. The available options are
5388 described in the subsections below.
5391 * Common Build Options:: Build options for most commands.
5392 * Package Transformation Options:: Creating variants of packages.
5393 * Additional Build Options:: Options specific to 'guix build'.
5394 * Debugging Build Failures:: Real life packaging experience.
5397 @node Common Build Options
5398 @subsection Common Build Options
5400 A number of options that control the build process are common to
5401 @command{guix build} and other commands that can spawn builds, such as
5402 @command{guix package} or @command{guix archive}. These are the
5407 @item --load-path=@var{directory}
5408 @itemx -L @var{directory}
5409 Add @var{directory} to the front of the package module search path
5410 (@pxref{Package Modules}).
5412 This allows users to define their own packages and make them visible to
5413 the command-line tools.
5417 Keep the build tree of failed builds. Thus, if a build fails, its build
5418 tree is kept under @file{/tmp}, in a directory whose name is shown at
5419 the end of the build log. This is useful when debugging build issues.
5420 @xref{Debugging Build Failures}, for tips and tricks on how to debug
5425 Keep going when some of the derivations fail to build; return only once
5426 all the builds have either completed or failed.
5428 The default behavior is to stop as soon as one of the specified
5429 derivations has failed.
5433 Do not build the derivations.
5435 @anchor{fallback-option}
5437 When substituting a pre-built binary fails, fall back to building
5438 packages locally (@pxref{Substitution Failure}).
5440 @item --substitute-urls=@var{urls}
5441 @anchor{client-substitute-urls}
5442 Consider @var{urls} the whitespace-separated list of substitute source
5443 URLs, overriding the default list of URLs of @command{guix-daemon}
5444 (@pxref{daemon-substitute-urls,, @command{guix-daemon} URLs}).
5446 This means that substitutes may be downloaded from @var{urls}, provided
5447 they are signed by a key authorized by the system administrator
5448 (@pxref{Substitutes}).
5450 When @var{urls} is the empty string, substitutes are effectively
5453 @item --no-substitutes
5454 Do not use substitutes for build products. That is, always build things
5455 locally instead of allowing downloads of pre-built binaries
5456 (@pxref{Substitutes}).
5459 Do not ``graft'' packages. In practice, this means that package updates
5460 available as grafts are not applied. @xref{Security Updates}, for more
5461 information on grafts.
5463 @item --rounds=@var{n}
5464 Build each derivation @var{n} times in a row, and raise an error if
5465 consecutive build results are not bit-for-bit identical.
5467 This is a useful way to detect non-deterministic builds processes.
5468 Non-deterministic build processes are a problem because they make it
5469 practically impossible for users to @emph{verify} whether third-party
5470 binaries are genuine. @xref{Invoking guix challenge}, for more.
5472 Note that, currently, the differing build results are not kept around,
5473 so you will have to manually investigate in case of an error---e.g., by
5474 stashing one of the build results with @code{guix archive --export}
5475 (@pxref{Invoking guix archive}), then rebuilding, and finally comparing
5478 @item --no-build-hook
5479 Do not attempt to offload builds @i{via} the ``build hook'' of the daemon
5480 (@pxref{Daemon Offload Setup}). That is, always build things locally
5481 instead of offloading builds to remote machines.
5483 @item --max-silent-time=@var{seconds}
5484 When the build or substitution process remains silent for more than
5485 @var{seconds}, terminate it and report a build failure.
5487 By default, the daemon's setting is honored (@pxref{Invoking
5488 guix-daemon, @code{--max-silent-time}}).
5490 @item --timeout=@var{seconds}
5491 Likewise, when the build or substitution process lasts for more than
5492 @var{seconds}, terminate it and report a build failure.
5494 By default, the daemon's setting is honored (@pxref{Invoking
5495 guix-daemon, @code{--timeout}}).
5497 @item --verbosity=@var{level}
5498 Use the given verbosity level. @var{level} must be an integer between 0
5499 and 5; higher means more verbose output. Setting a level of 4 or more
5500 may be helpful when debugging setup issues with the build daemon.
5502 @item --cores=@var{n}
5504 Allow the use of up to @var{n} CPU cores for the build. The special
5505 value @code{0} means to use as many CPU cores as available.
5507 @item --max-jobs=@var{n}
5509 Allow at most @var{n} build jobs in parallel. @xref{Invoking
5510 guix-daemon, @code{--max-jobs}}, for details about this option and the
5511 equivalent @command{guix-daemon} option.
5515 Behind the scenes, @command{guix build} is essentially an interface to
5516 the @code{package-derivation} procedure of the @code{(guix packages)}
5517 module, and to the @code{build-derivations} procedure of the @code{(guix
5518 derivations)} module.
5520 In addition to options explicitly passed on the command line,
5521 @command{guix build} and other @command{guix} commands that support
5522 building honor the @code{GUIX_BUILD_OPTIONS} environment variable.
5524 @defvr {Environment Variable} GUIX_BUILD_OPTIONS
5525 Users can define this variable to a list of command line options that
5526 will automatically be used by @command{guix build} and other
5527 @command{guix} commands that can perform builds, as in the example
5531 $ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar"
5534 These options are parsed independently, and the result is appended to
5535 the parsed command-line options.
5539 @node Package Transformation Options
5540 @subsection Package Transformation Options
5542 @cindex package variants
5543 Another set of command-line options supported by @command{guix build}
5544 and also @command{guix package} are @dfn{package transformation
5545 options}. These are options that make it possible to define @dfn{package
5546 variants}---for instance, packages built from different source code.
5547 This is a convenient way to create customized packages on the fly
5548 without having to type in the definitions of package variants
5549 (@pxref{Defining Packages}).
5553 @item --with-source=@var{source}
5554 @itemx --with-source=@var{package}=@var{source}
5555 @itemx --with-source=@var{package}@@@var{version}=@var{source}
5556 Use @var{source} as the source of @var{package}, and @var{version} as
5558 @var{source} must be a file name or a URL, as for @command{guix
5559 download} (@pxref{Invoking guix download}).
5561 When @var{package} is omitted,
5562 it is taken to be the package name specified on the
5563 command line that matches the base of @var{source}---e.g.,
5564 if @var{source} is @code{/src/guile-2.0.10.tar.gz}, the corresponding
5565 package is @code{guile}.
5567 Likewise, when @var{version} is omitted, the version string is inferred from
5568 @var{source}; in the previous example, it is @code{2.0.10}.
5570 This option allows users to try out versions of packages other than the
5571 one provided by the distribution. The example below downloads
5572 @file{ed-1.7.tar.gz} from a GNU mirror and uses that as the source for
5573 the @code{ed} package:
5576 guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz
5579 As a developer, @code{--with-source} makes it easy to test release
5583 guix build guile --with-source=../guile-2.0.9.219-e1bb7.tar.xz
5586 @dots{} or to build from a checkout in a pristine environment:
5589 $ git clone git://git.sv.gnu.org/guix.git
5590 $ guix build guix --with-source=guix@@1.0=./guix
5593 @item --with-input=@var{package}=@var{replacement}
5594 Replace dependency on @var{package} by a dependency on
5595 @var{replacement}. @var{package} must be a package name, and
5596 @var{replacement} must be a package specification such as @code{guile}
5597 or @code{guile@@1.8}.
5599 For instance, the following command builds Guix, but replaces its
5600 dependency on the current stable version of Guile with a dependency on
5601 the legacy version of Guile, @code{guile@@2.0}:
5604 guix build --with-input=guile=guile@@2.0 guix
5607 This is a recursive, deep replacement. So in this example, both
5608 @code{guix} and its dependency @code{guile-json} (which also depends on
5609 @code{guile}) get rebuilt against @code{guile@@2.0}.
5611 This is implemented using the @code{package-input-rewriting} Scheme
5612 procedure (@pxref{Defining Packages, @code{package-input-rewriting}}).
5614 @item --with-graft=@var{package}=@var{replacement}
5615 This is similar to @code{--with-input} but with an important difference:
5616 instead of rebuilding the whole dependency chain, @var{replacement} is
5617 built and then @dfn{grafted} onto the binaries that were initially
5618 referring to @var{package}. @xref{Security Updates}, for more
5619 information on grafts.
5621 For example, the command below grafts version 3.5.4 of GnuTLS onto Wget
5622 and all its dependencies, replacing references to the version of GnuTLS
5623 they currently refer to:
5626 guix build --with-graft=gnutls=gnutls@@3.5.4 wget
5629 This has the advantage of being much faster than rebuilding everything.
5630 But there is a caveat: it works if and only if @var{package} and
5631 @var{replacement} are strictly compatible---for example, if they provide
5632 a library, the application binary interface (ABI) of those libraries
5633 must be compatible. If @var{replacement} is somehow incompatible with
5634 @var{package}, then the resulting package may be unusable. Use with
5639 @node Additional Build Options
5640 @subsection Additional Build Options
5642 The command-line options presented below are specific to @command{guix
5649 Build quietly, without displaying the build log. Upon completion, the
5650 build log is kept in @file{/var} (or similar) and can always be
5651 retrieved using the @option{--log-file} option.
5653 @item --file=@var{file}
5654 @itemx -f @var{file}
5656 Build the package or derivation that the code within @var{file}
5659 As an example, @var{file} might contain a package definition like this
5660 (@pxref{Defining Packages}):
5663 @verbatiminclude package-hello.scm
5666 @item --expression=@var{expr}
5667 @itemx -e @var{expr}
5668 Build the package or derivation @var{expr} evaluates to.
5670 For example, @var{expr} may be @code{(@@ (gnu packages guile)
5671 guile-1.8)}, which unambiguously designates this specific variant of
5672 version 1.8 of Guile.
5674 Alternatively, @var{expr} may be a G-expression, in which case it is used
5675 as a build program passed to @code{gexp->derivation}
5676 (@pxref{G-Expressions}).
5678 Lastly, @var{expr} may refer to a zero-argument monadic procedure
5679 (@pxref{The Store Monad}). The procedure must return a derivation as a
5680 monadic value, which is then passed through @code{run-with-store}.
5684 Build the source derivations of the packages, rather than the packages
5687 For instance, @code{guix build -S gcc} returns something like
5688 @file{/gnu/store/@dots{}-gcc-4.7.2.tar.bz2}, which is the GCC
5691 The returned source tarball is the result of applying any patches and
5692 code snippets specified in the package @code{origin} (@pxref{Defining
5696 Fetch and return the source of @var{package-or-derivation} and all their
5697 dependencies, recursively. This is a handy way to obtain a local copy
5698 of all the source code needed to build @var{packages}, allowing you to
5699 eventually build them even without network access. It is an extension
5700 of the @code{--source} option and can accept one of the following
5701 optional argument values:
5705 This value causes the @code{--sources} option to behave in the same way
5706 as the @code{--source} option.
5709 Build the source derivations of all packages, including any source that
5710 might be listed as @code{inputs}. This is the default value.
5713 $ guix build --sources tzdata
5714 The following derivations will be built:
5715 /gnu/store/@dots{}-tzdata2015b.tar.gz.drv
5716 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
5720 Build the source derivations of all packages, as well of all transitive
5721 inputs to the packages. This can be used e.g. to
5722 prefetch package source for later offline building.
5725 $ guix build --sources=transitive tzdata
5726 The following derivations will be built:
5727 /gnu/store/@dots{}-tzcode2015b.tar.gz.drv
5728 /gnu/store/@dots{}-findutils-4.4.2.tar.xz.drv
5729 /gnu/store/@dots{}-grep-2.21.tar.xz.drv
5730 /gnu/store/@dots{}-coreutils-8.23.tar.xz.drv
5731 /gnu/store/@dots{}-make-4.1.tar.xz.drv
5732 /gnu/store/@dots{}-bash-4.3.tar.xz.drv
5738 @item --system=@var{system}
5739 @itemx -s @var{system}
5740 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
5741 the system type of the build host.
5744 The @code{--system} flag is for @emph{native} compilation and must not
5745 be confused with cross-compilation. See @code{--target} below for
5746 information on cross-compilation.
5749 An example use of this is on Linux-based systems, which can emulate
5750 different personalities. For instance, passing
5751 @code{--system=i686-linux} on an @code{x86_64-linux} system allows you
5752 to build packages in a complete 32-bit environment.
5754 Similarly, when transparent emulation with QEMU and @code{binfmt_misc}
5755 is enabled (@pxref{Virtualization Services,
5756 @code{qemu-binfmt-service-type}}), you can build for any system for
5757 which a QEMU @code{binfmt_misc} handler is installed.
5759 Builds for a system other than that of the machine you are using can
5760 also be offloaded to a remote machine of the right architecture.
5761 @xref{Daemon Offload Setup}, for more information on offloading.
5763 @item --target=@var{triplet}
5764 @cindex cross-compilation
5765 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
5766 as @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU
5767 configuration triplets,, autoconf, Autoconf}).
5769 @anchor{build-check}
5771 @cindex determinism, checking
5772 @cindex reproducibility, checking
5773 Rebuild @var{package-or-derivation}, which are already available in the
5774 store, and raise an error if the build results are not bit-for-bit
5777 This mechanism allows you to check whether previously installed
5778 substitutes are genuine (@pxref{Substitutes}), or whether the build result
5779 of a package is deterministic. @xref{Invoking guix challenge}, for more
5780 background information and tools.
5782 When used in conjunction with @option{--keep-failed}, the differing
5783 output is kept in the store, under @file{/gnu/store/@dots{}-check}.
5784 This makes it easy to look for differences between the two results.
5787 @cindex repairing store items
5788 @cindex corruption, recovering from
5789 Attempt to repair the specified store items, if they are corrupt, by
5790 re-downloading or rebuilding them.
5792 This operation is not atomic and thus restricted to @code{root}.
5796 Return the derivation paths, not the output paths, of the given
5799 @item --root=@var{file}
5800 @itemx -r @var{file}
5801 @cindex GC roots, adding
5802 @cindex garbage collector roots, adding
5803 Make @var{file} a symlink to the result, and register it as a garbage
5806 Consequently, the results of this @command{guix build} invocation are
5807 protected from garbage collection until @var{file} is removed. When
5808 that option is omitted, build results are eligible for garbage
5809 collection as soon as the build completes. @xref{Invoking guix gc}, for
5813 @cindex build logs, access
5814 Return the build log file names or URLs for the given
5815 @var{package-or-derivation}, or raise an error if build logs are
5818 This works regardless of how packages or derivations are specified. For
5819 instance, the following invocations are equivalent:
5822 guix build --log-file `guix build -d guile`
5823 guix build --log-file `guix build guile`
5824 guix build --log-file guile
5825 guix build --log-file -e '(@@ (gnu packages guile) guile-2.0)'
5828 If a log is unavailable locally, and unless @code{--no-substitutes} is
5829 passed, the command looks for a corresponding log on one of the
5830 substitute servers (as specified with @code{--substitute-urls}.)
5832 So for instance, imagine you want to see the build log of GDB on MIPS,
5833 but you are actually on an @code{x86_64} machine:
5836 $ guix build --log-file gdb -s mips64el-linux
5837 https://hydra.gnu.org/log/@dots{}-gdb-7.10
5840 You can freely access a huge library of build logs!
5843 @node Debugging Build Failures
5844 @subsection Debugging Build Failures
5846 @cindex build failures, debugging
5847 When defining a new package (@pxref{Defining Packages}), you will
5848 probably find yourself spending some time debugging and tweaking the
5849 build until it succeeds. To do that, you need to operate the build
5850 commands yourself in an environment as close as possible to the one the
5853 To that end, the first thing to do is to use the @option{--keep-failed}
5854 or @option{-K} option of @command{guix build}, which will keep the
5855 failed build tree in @file{/tmp} or whatever directory you specified as
5856 @code{TMPDIR} (@pxref{Invoking guix build, @code{--keep-failed}}).
5858 From there on, you can @command{cd} to the failed build tree and source
5859 the @file{environment-variables} file, which contains all the
5860 environment variable definitions that were in place when the build
5861 failed. So let's say you're debugging a build failure in package
5862 @code{foo}; a typical session would look like this:
5866 @dots{} @i{build fails}
5867 $ cd /tmp/guix-build-foo.drv-0
5868 $ source ./environment-variables
5872 Now, you can invoke commands as if you were the daemon (almost) and
5873 troubleshoot your build process.
5875 Sometimes it happens that, for example, a package's tests pass when you
5876 run them manually but they fail when the daemon runs them. This can
5877 happen because the daemon runs builds in containers where, unlike in our
5878 environment above, network access is missing, @file{/bin/sh} does not
5879 exist, etc. (@pxref{Build Environment Setup}).
5881 In such cases, you may need to run inspect the build process from within
5882 a container similar to the one the build daemon creates:
5887 $ cd /tmp/guix-build-foo.drv-0
5888 $ guix environment --no-grafts -C foo --ad-hoc strace gdb
5889 [env]# source ./environment-variables
5893 Here, @command{guix environment -C} creates a container and spawns a new
5894 shell in it (@pxref{Invoking guix environment}). The @command{--ad-hoc
5895 strace gdb} part adds the @command{strace} and @command{gdb} commands to
5896 the container, which would may find handy while debugging. The
5897 @option{--no-grafts} option makes sure we get the exact same
5898 environment, with ungrafted packages (@pxref{Security Updates}, for more
5901 To get closer to a container like that used by the build daemon, we can
5902 remove @file{/bin/sh}:
5908 (Don't worry, this is harmless: this is all happening in the throw-away
5909 container created by @command{guix environment}.)
5911 The @command{strace} command is probably not in the search path, but we
5915 [env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check
5918 In this way, not only you will have reproduced the environment variables
5919 the daemon uses, you will also be running the build process in a container
5920 similar to the one the daemon uses.
5923 @node Invoking guix edit
5924 @section Invoking @command{guix edit}
5926 @cindex @command{guix edit}
5927 @cindex package definition, editing
5928 So many packages, so many source files! The @command{guix edit} command
5929 facilitates the life of users and packagers by pointing their editor at
5930 the source file containing the definition of the specified packages.
5934 guix edit gcc@@4.9 vim
5938 launches the program specified in the @code{VISUAL} or in the
5939 @code{EDITOR} environment variable to view the recipe of GCC@tie{}4.9.3
5942 If you are using a Guix Git checkout (@pxref{Building from Git}), or
5943 have created your own packages on @code{GUIX_PACKAGE_PATH}
5944 (@pxref{Defining Packages}), you will be able to edit the package
5945 recipes. Otherwise, you will be able to examine the read-only recipes
5946 for packages currently in the store.
5949 @node Invoking guix download
5950 @section Invoking @command{guix download}
5952 @cindex @command{guix download}
5953 @cindex downloading package sources
5954 When writing a package definition, developers typically need to download
5955 a source tarball, compute its SHA256 hash, and write that
5956 hash in the package definition (@pxref{Defining Packages}). The
5957 @command{guix download} tool helps with this task: it downloads a file
5958 from the given URI, adds it to the store, and prints both its file name
5959 in the store and its SHA256 hash.
5961 The fact that the downloaded file is added to the store saves bandwidth:
5962 when the developer eventually tries to build the newly defined package
5963 with @command{guix build}, the source tarball will not have to be
5964 downloaded again because it is already in the store. It is also a
5965 convenient way to temporarily stash files, which may be deleted
5966 eventually (@pxref{Invoking guix gc}).
5968 The @command{guix download} command supports the same URIs as used in
5969 package definitions. In particular, it supports @code{mirror://} URIs.
5970 @code{https} URIs (HTTP over TLS) are supported @emph{provided} the
5971 Guile bindings for GnuTLS are available in the user's environment; when
5972 they are not available, an error is raised. @xref{Guile Preparations,
5973 how to install the GnuTLS bindings for Guile,, gnutls-guile,
5974 GnuTLS-Guile}, for more information.
5976 @command{guix download} verifies HTTPS server certificates by loading
5977 the certificates of X.509 authorities from the directory pointed to by
5978 the @code{SSL_CERT_DIR} environment variable (@pxref{X.509
5979 Certificates}), unless @option{--no-check-certificate} is used.
5981 The following options are available:
5984 @item --format=@var{fmt}
5986 Write the hash in the format specified by @var{fmt}. For more
5987 information on the valid values for @var{fmt}, @pxref{Invoking guix hash}.
5989 @item --no-check-certificate
5990 Do not validate the X.509 certificates of HTTPS servers.
5992 When using this option, you have @emph{absolutely no guarantee} that you
5993 are communicating with the authentic server responsible for the given
5994 URL, which makes you vulnerable to ``man-in-the-middle'' attacks.
5996 @item --output=@var{file}
5997 @itemx -o @var{file}
5998 Save the downloaded file to @var{file} instead of adding it to the
6002 @node Invoking guix hash
6003 @section Invoking @command{guix hash}
6005 @cindex @command{guix hash}
6006 The @command{guix hash} command computes the SHA256 hash of a file.
6007 It is primarily a convenience tool for anyone contributing to the
6008 distribution: it computes the cryptographic hash of a file, which can be
6009 used in the definition of a package (@pxref{Defining Packages}).
6011 The general syntax is:
6014 guix hash @var{option} @var{file}
6017 When @var{file} is @code{-} (a hyphen), @command{guix hash} computes the
6018 hash of data read from standard input. @command{guix hash} has the
6023 @item --format=@var{fmt}
6025 Write the hash in the format specified by @var{fmt}.
6027 Supported formats: @code{nix-base32}, @code{base32}, @code{base16}
6028 (@code{hex} and @code{hexadecimal} can be used as well).
6030 If the @option{--format} option is not specified, @command{guix hash}
6031 will output the hash in @code{nix-base32}. This representation is used
6032 in the definitions of packages.
6036 Compute the hash on @var{file} recursively.
6038 In this case, the hash is computed on an archive containing @var{file},
6039 including its children if it is a directory. Some of the metadata of
6040 @var{file} is part of the archive; for instance, when @var{file} is a
6041 regular file, the hash is different depending on whether @var{file} is
6042 executable or not. Metadata such as time stamps has no impact on the
6043 hash (@pxref{Invoking guix archive}).
6044 @c FIXME: Replace xref above with xref to an ``Archive'' section when
6049 When combined with @option{--recursive}, exclude version control system
6050 directories (@file{.bzr}, @file{.git}, @file{.hg}, etc.)
6053 As an example, here is how you would compute the hash of a Git checkout,
6054 which is useful when using the @code{git-fetch} method (@pxref{origin
6058 $ git clone http://example.org/foo.git
6064 @node Invoking guix import
6065 @section Invoking @command{guix import}
6067 @cindex importing packages
6068 @cindex package import
6069 @cindex package conversion
6070 @cindex Invoking @command{guix import}
6071 The @command{guix import} command is useful for people who would like to
6072 add a package to the distribution with as little work as
6073 possible---a legitimate demand. The command knows of a few
6074 repositories from which it can ``import'' package metadata. The result
6075 is a package definition, or a template thereof, in the format we know
6076 (@pxref{Defining Packages}).
6078 The general syntax is:
6081 guix import @var{importer} @var{options}@dots{}
6084 @var{importer} specifies the source from which to import package
6085 metadata, and @var{options} specifies a package identifier and other
6086 options specific to @var{importer}. Currently, the available
6091 Import metadata for the given GNU package. This provides a template
6092 for the latest version of that GNU package, including the hash of its
6093 source tarball, and its canonical synopsis and description.
6095 Additional information such as the package dependencies and its
6096 license needs to be figured out manually.
6098 For example, the following command returns a package definition for
6102 guix import gnu hello
6105 Specific command-line options are:
6108 @item --key-download=@var{policy}
6109 As for @code{guix refresh}, specify the policy to handle missing OpenPGP
6110 keys when verifying the package signature. @xref{Invoking guix
6111 refresh, @code{--key-download}}.
6116 Import metadata from the @uref{https://pypi.python.org/, Python Package
6117 Index}@footnote{This functionality requires Guile-JSON to be installed.
6118 @xref{Requirements}.}. Information is taken from the JSON-formatted
6119 description available at @code{pypi.python.org} and usually includes all
6120 the relevant information, including package dependencies. For maximum
6121 efficiency, it is recommended to install the @command{unzip} utility, so
6122 that the importer can unzip Python wheels and gather data from them.
6124 The command below imports metadata for the @code{itsdangerous} Python
6128 guix import pypi itsdangerous
6133 Import metadata from @uref{https://rubygems.org/,
6134 RubyGems}@footnote{This functionality requires Guile-JSON to be
6135 installed. @xref{Requirements}.}. Information is taken from the
6136 JSON-formatted description available at @code{rubygems.org} and includes
6137 most relevant information, including runtime dependencies. There are
6138 some caveats, however. The metadata doesn't distinguish between
6139 synopses and descriptions, so the same string is used for both fields.
6140 Additionally, the details of non-Ruby dependencies required to build
6141 native extensions is unavailable and left as an exercise to the
6144 The command below imports metadata for the @code{rails} Ruby package:
6147 guix import gem rails
6152 Import metadata from @uref{https://www.metacpan.org/, MetaCPAN}@footnote{This
6153 functionality requires Guile-JSON to be installed.
6154 @xref{Requirements}.}.
6155 Information is taken from the JSON-formatted metadata provided through
6156 @uref{https://fastapi.metacpan.org/, MetaCPAN's API} and includes most
6157 relevant information, such as module dependencies. License information
6158 should be checked closely. If Perl is available in the store, then the
6159 @code{corelist} utility will be used to filter core modules out of the
6160 list of dependencies.
6162 The command command below imports metadata for the @code{Acme::Boolean}
6166 guix import cpan Acme::Boolean
6171 @cindex Bioconductor
6172 Import metadata from @uref{https://cran.r-project.org/, CRAN}, the
6173 central repository for the @uref{http://r-project.org, GNU@tie{}R
6174 statistical and graphical environment}.
6176 Information is extracted from the @code{DESCRIPTION} file of the package.
6178 The command command below imports metadata for the @code{Cairo}
6182 guix import cran Cairo
6185 When @code{--recursive} is added, the importer will traverse the
6186 dependency graph of the given upstream package recursively and generate
6187 package expressions for all those packages that are not yet in Guix.
6189 When @code{--archive=bioconductor} is added, metadata is imported from
6190 @uref{https://www.bioconductor.org/, Bioconductor}, a repository of R
6191 packages for for the analysis and comprehension of high-throughput
6192 genomic data in bioinformatics.
6194 Information is extracted from the @code{DESCRIPTION} file of a package
6195 published on the web interface of the Bioconductor SVN repository.
6197 The command below imports metadata for the @code{GenomicRanges}
6201 guix import cran --archive=bioconductor GenomicRanges
6207 Import metadata from @uref{http://www.ctan.org/, CTAN}, the
6208 comprehensive TeX archive network for TeX packages that are part of the
6209 @uref{https://www.tug.org/texlive/, TeX Live distribution}.
6211 Information about the package is obtained through the XML API provided
6212 by CTAN, while the source code is downloaded from the SVN repository of
6213 the Tex Live project. This is done because the CTAN does not keep
6216 The command command below imports metadata for the @code{fontspec}
6220 guix import texlive fontspec
6223 When @code{--archive=DIRECTORY} is added, the source code is downloaded
6224 not from the @file{latex} sub-directory of the @file{texmf-dist/source}
6225 tree in the TeX Live SVN repository, but from the specified sibling
6226 directory under the same root.
6228 The command below imports metadata for the @code{ifxetex} package from
6229 CTAN while fetching the sources from the directory
6230 @file{texmf/source/generic}:
6233 guix import texlive --archive=generic ifxetex
6237 @cindex JSON, import
6238 Import package metadata from a local JSON file@footnote{This
6239 functionality requires Guile-JSON to be installed.
6240 @xref{Requirements}.}. Consider the following example package
6241 definition in JSON format:
6247 "source": "mirror://gnu/hello/hello-2.10.tar.gz",
6248 "build-system": "gnu",
6249 "home-page": "https://www.gnu.org/software/hello/",
6250 "synopsis": "Hello, GNU world: An example GNU package",
6251 "description": "GNU Hello prints a greeting.",
6252 "license": "GPL-3.0+",
6253 "native-inputs": ["gcc@@6"]
6257 The field names are the same as for the @code{<package>} record
6258 (@xref{Defining Packages}). References to other packages are provided
6259 as JSON lists of quoted package specification strings such as
6260 @code{guile} or @code{guile@@2.0}.
6262 The importer also supports a more explicit source definition using the
6263 common fields for @code{<origin>} records:
6269 "method": "url-fetch",
6270 "uri": "mirror://gnu/hello/hello-2.10.tar.gz",
6272 "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"
6279 The command below reads metadata from the JSON file @code{hello.json}
6280 and outputs a package expression:
6283 guix import json hello.json
6287 Import metadata from a local copy of the source of the
6288 @uref{http://nixos.org/nixpkgs/, Nixpkgs distribution}@footnote{This
6289 relies on the @command{nix-instantiate} command of
6290 @uref{http://nixos.org/nix/, Nix}.}. Package definitions in Nixpkgs are
6291 typically written in a mixture of Nix-language and Bash code. This
6292 command only imports the high-level package structure that is written in
6293 the Nix language. It normally includes all the basic fields of a
6296 When importing a GNU package, the synopsis and descriptions are replaced
6297 by their canonical upstream variant.
6299 Usually, you will first need to do:
6302 export NIX_REMOTE=daemon
6306 so that @command{nix-instantiate} does not try to open the Nix database.
6308 As an example, the command below imports the package definition of
6309 LibreOffice (more precisely, it imports the definition of the package
6310 bound to the @code{libreoffice} top-level attribute):
6313 guix import nix ~/path/to/nixpkgs libreoffice
6318 Import metadata from the Haskell community's central package archive
6319 @uref{https://hackage.haskell.org/, Hackage}. Information is taken from
6320 Cabal files and includes all the relevant information, including package
6323 Specific command-line options are:
6328 Read a Cabal file from standard input.
6329 @item --no-test-dependencies
6331 Do not include dependencies required only by the test suites.
6332 @item --cabal-environment=@var{alist}
6333 @itemx -e @var{alist}
6334 @var{alist} is a Scheme alist defining the environment in which the
6335 Cabal conditionals are evaluated. The accepted keys are: @code{os},
6336 @code{arch}, @code{impl} and a string representing the name of a flag.
6337 The value associated with a flag has to be either the symbol
6338 @code{true} or @code{false}. The value associated with other keys
6339 has to conform to the Cabal file format definition. The default value
6340 associated with the keys @code{os}, @code{arch} and @code{impl} is
6341 @samp{linux}, @samp{x86_64} and @samp{ghc}, respectively.
6344 The command below imports metadata for the latest version of the
6345 @code{HTTP} Haskell package without including test dependencies and
6346 specifying the value of the flag @samp{network-uri} as @code{false}:
6349 guix import hackage -t -e "'((\"network-uri\" . false))" HTTP
6352 A specific package version may optionally be specified by following the
6353 package name by an at-sign and a version number as in the following example:
6356 guix import hackage mtl@@2.1.3.1
6361 The @code{stackage} importer is a wrapper around the @code{hackage} one.
6362 It takes a package name, looks up the package version included in a
6363 long-term support (LTS) @uref{https://www.stackage.org, Stackage}
6364 release and uses the @code{hackage} importer to retrieve its metadata.
6365 Note that it is up to you to select an LTS release compatible with the
6366 GHC compiler used by Guix.
6368 Specific command-line options are:
6371 @item --no-test-dependencies
6373 Do not include dependencies required only by the test suites.
6374 @item --lts-version=@var{version}
6375 @itemx -r @var{version}
6376 @var{version} is the desired LTS release version. If omitted the latest
6380 The command below imports metadata for the @code{HTTP} Haskell package
6381 included in the LTS Stackage release version 7.18:
6384 guix import stackage --lts-version=7.18 HTTP
6389 Import metadata from an Emacs Lisp Package Archive (ELPA) package
6390 repository (@pxref{Packages,,, emacs, The GNU Emacs Manual}).
6392 Specific command-line options are:
6395 @item --archive=@var{repo}
6396 @itemx -a @var{repo}
6397 @var{repo} identifies the archive repository from which to retrieve the
6398 information. Currently the supported repositories and their identifiers
6402 @uref{http://elpa.gnu.org/packages, GNU}, selected by the @code{gnu}
6403 identifier. This is the default.
6405 Packages from @code{elpa.gnu.org} are signed with one of the keys
6406 contained in the GnuPG keyring at
6407 @file{share/emacs/25.1/etc/package-keyring.gpg} (or similar) in the
6408 @code{emacs} package (@pxref{Package Installation, ELPA package
6409 signatures,, emacs, The GNU Emacs Manual}).
6412 @uref{http://stable.melpa.org/packages, MELPA-Stable}, selected by the
6413 @code{melpa-stable} identifier.
6416 @uref{http://melpa.org/packages, MELPA}, selected by the @code{melpa}
6423 Import metadata from the crates.io Rust package repository
6424 @uref{https://crates.io, crates.io}.
6427 The structure of the @command{guix import} code is modular. It would be
6428 useful to have more importers for other package formats, and your help
6429 is welcome here (@pxref{Contributing}).
6431 @node Invoking guix refresh
6432 @section Invoking @command{guix refresh}
6434 @cindex @command {guix refresh}
6435 The primary audience of the @command{guix refresh} command is developers
6436 of the GNU software distribution. By default, it reports any packages
6437 provided by the distribution that are outdated compared to the latest
6438 upstream version, like this:
6442 gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1
6443 gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0
6446 Alternately, one can specify packages to consider, in which case a
6447 warning is emitted for packages that lack an updater:
6450 $ guix refresh coreutils guile guile-ssh
6451 gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh
6452 gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13
6455 @command{guix refresh} browses the upstream repository of each package and determines
6456 the highest version number of the releases therein. The command
6457 knows how to update specific types of packages: GNU packages, ELPA
6458 packages, etc.---see the documentation for @option{--type} below. There
6459 are many packages, though, for which it lacks a method to determine
6460 whether a new upstream release is available. However, the mechanism is
6461 extensible, so feel free to get in touch with us to add a new method!
6463 Sometimes the upstream name differs from the package name used in Guix,
6464 and @command{guix refresh} needs a little help. Most updaters honor the
6465 @code{upstream-name} property in package definitions, which can be used
6469 (define-public network-manager
6471 (name "network-manager")
6473 (properties '((upstream-name . "NetworkManager")))))
6476 When passed @code{--update}, it modifies distribution source files to
6477 update the version numbers and source tarball hashes of those package
6478 recipes (@pxref{Defining Packages}). This is achieved by downloading
6479 each package's latest source tarball and its associated OpenPGP
6480 signature, authenticating the downloaded tarball against its signature
6481 using @command{gpg}, and finally computing its hash. When the public
6482 key used to sign the tarball is missing from the user's keyring, an
6483 attempt is made to automatically retrieve it from a public key server;
6484 when this is successful, the key is added to the user's keyring; otherwise,
6485 @command{guix refresh} reports an error.
6487 The following options are supported:
6491 @item --expression=@var{expr}
6492 @itemx -e @var{expr}
6493 Consider the package @var{expr} evaluates to.
6495 This is useful to precisely refer to a package, as in this example:
6498 guix refresh -l -e '(@@@@ (gnu packages commencement) glibc-final)'
6501 This command lists the dependents of the ``final'' libc (essentially all
6506 Update distribution source files (package recipes) in place. This is
6507 usually run from a checkout of the Guix source tree (@pxref{Running
6508 Guix Before It Is Installed}):
6511 $ ./pre-inst-env guix refresh -s non-core -u
6514 @xref{Defining Packages}, for more information on package definitions.
6516 @item --select=[@var{subset}]
6517 @itemx -s @var{subset}
6518 Select all the packages in @var{subset}, one of @code{core} or
6521 The @code{core} subset refers to all the packages at the core of the
6522 distribution---i.e., packages that are used to build ``everything
6523 else''. This includes GCC, libc, Binutils, Bash, etc. Usually,
6524 changing one of these packages in the distribution entails a rebuild of
6525 all the others. Thus, such updates are an inconvenience to users in
6526 terms of build time or bandwidth used to achieve the upgrade.
6528 The @code{non-core} subset refers to the remaining packages. It is
6529 typically useful in cases where an update of the core packages would be
6532 @item --manifest=@var{file}
6533 @itemx -m @var{file}
6534 Select all the packages from the manifest in @var{file}. This is useful to
6535 check if any packages of the user manifest can be updated.
6537 @item --type=@var{updater}
6538 @itemx -t @var{updater}
6539 Select only packages handled by @var{updater} (may be a comma-separated
6540 list of updaters). Currently, @var{updater} may be one of:
6544 the updater for GNU packages;
6546 the updater for GNOME packages;
6548 the updater for KDE packages;
6550 the updater for X.org packages;
6552 the updater for packages hosted on kernel.org;
6554 the updater for @uref{http://elpa.gnu.org/, ELPA} packages;
6556 the updater for @uref{https://cran.r-project.org/, CRAN} packages;
6558 the updater for @uref{https://www.bioconductor.org/, Bioconductor} R packages;
6560 the updater for @uref{http://www.cpan.org/, CPAN} packages;
6562 the updater for @uref{https://pypi.python.org, PyPI} packages.
6564 the updater for @uref{https://rubygems.org, RubyGems} packages.
6566 the updater for @uref{https://github.com, GitHub} packages.
6568 the updater for @uref{https://hackage.haskell.org, Hackage} packages.
6570 the updater for @uref{https://www.stackage.org, Stackage} packages.
6572 the updater for @uref{https://crates.io, Crates} packages.
6575 For instance, the following command only checks for updates of Emacs
6576 packages hosted at @code{elpa.gnu.org} and for updates of CRAN packages:
6579 $ guix refresh --type=elpa,cran
6580 gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0
6581 gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9
6586 In addition, @command{guix refresh} can be passed one or more package
6587 names, as in this example:
6590 $ ./pre-inst-env guix refresh -u emacs idutils gcc@@4.8
6594 The command above specifically updates the @code{emacs} and
6595 @code{idutils} packages. The @code{--select} option would have no
6596 effect in this case.
6598 When considering whether to upgrade a package, it is sometimes
6599 convenient to know which packages would be affected by the upgrade and
6600 should be checked for compatibility. For this the following option may
6601 be used when passing @command{guix refresh} one or more package names:
6605 @item --list-updaters
6607 List available updaters and exit (see @option{--type} above.)
6609 For each updater, display the fraction of packages it covers; at the
6610 end, display the fraction of packages covered by all these updaters.
6612 @item --list-dependent
6614 List top-level dependent packages that would need to be rebuilt as a
6615 result of upgrading one or more packages.
6617 @xref{Invoking guix graph, the @code{reverse-package} type of
6618 @command{guix graph}}, for information on how to visualize the list of
6619 dependents of a package.
6623 Be aware that the @code{--list-dependent} option only
6624 @emph{approximates} the rebuilds that would be required as a result of
6625 an upgrade. More rebuilds might be required under some circumstances.
6628 $ guix refresh --list-dependent flex
6629 Building the following 120 packages would ensure 213 dependent packages are rebuilt:
6630 hop@@2.4.0 geiser@@0.4 notmuch@@0.18 mu@@0.9.9.5 cflow@@1.4 idutils@@4.6 @dots{}
6633 The command above lists a set of packages that could be built to check
6634 for compatibility with an upgraded @code{flex} package.
6636 The following options can be used to customize GnuPG operation:
6640 @item --gpg=@var{command}
6641 Use @var{command} as the GnuPG 2.x command. @var{command} is searched
6642 for in @code{$PATH}.
6644 @item --key-download=@var{policy}
6645 Handle missing OpenPGP keys according to @var{policy}, which may be one
6650 Always download missing OpenPGP keys from the key server, and add them
6651 to the user's GnuPG keyring.
6654 Never try to download missing OpenPGP keys. Instead just bail out.
6657 When a package signed with an unknown OpenPGP key is encountered, ask
6658 the user whether to download it or not. This is the default behavior.
6661 @item --key-server=@var{host}
6662 Use @var{host} as the OpenPGP key server when importing a public key.
6666 The @code{github} updater uses the
6667 @uref{https://developer.github.com/v3/, GitHub API} to query for new
6668 releases. When used repeatedly e.g. when refreshing all packages,
6669 GitHub will eventually refuse to answer any further API requests. By
6670 default 60 API requests per hour are allowed, and a full refresh on all
6671 GitHub packages in Guix requires more than this. Authentication with
6672 GitHub through the use of an API token alleviates these limits. To use
6673 an API token, set the environment variable @code{GUIX_GITHUB_TOKEN} to a
6674 token procured from @uref{https://github.com/settings/tokens} or
6678 @node Invoking guix lint
6679 @section Invoking @command{guix lint}
6681 @cindex @command{guix lint}
6682 @cindex package, checking for errors
6683 The @command{guix lint} command is meant to help package developers avoid
6684 common errors and use a consistent style. It runs a number of checks on
6685 a given set of packages in order to find common mistakes in their
6686 definitions. Available @dfn{checkers} include (see
6687 @code{--list-checkers} for a complete list):
6692 Validate certain typographical and stylistic rules about package
6693 descriptions and synopses.
6695 @item inputs-should-be-native
6696 Identify inputs that should most likely be native inputs.
6701 @itemx source-file-name
6702 Probe @code{home-page} and @code{source} URLs and report those that are
6703 invalid. Suggest a @code{mirror://} URL when applicable. Check that
6704 the source file name is meaningful, e.g. is not
6705 just a version number or ``git-checkout'', without a declared
6706 @code{file-name} (@pxref{origin Reference}).
6709 @cindex security vulnerabilities
6710 @cindex CVE, Common Vulnerabilities and Exposures
6711 Report known vulnerabilities found in the Common Vulnerabilities and
6712 Exposures (CVE) databases of the current and past year
6713 @uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US
6716 To view information about a particular vulnerability, visit pages such as:
6720 @indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD}
6722 @indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD}
6726 where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
6727 @code{CVE-2015-7554}.
6729 Package developers can specify in package recipes the
6730 @uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
6731 name and version of the package when they differ from the name that Guix
6732 uses, as in this example:
6738 ;; CPE calls this package "grub2".
6739 (properties '((cpe-name . "grub2"))))
6743 Warn about obvious source code formatting issues: trailing white space,
6744 use of tabulations, etc.
6747 The general syntax is:
6750 guix lint @var{options} @var{package}@dots{}
6753 If no package is given on the command line, then all packages are checked.
6754 The @var{options} may be zero or more of the following:
6757 @item --list-checkers
6759 List and describe all the available checkers that will be run on packages
6764 Only enable the checkers specified in a comma-separated list using the
6765 names returned by @code{--list-checkers}.
6769 @node Invoking guix size
6770 @section Invoking @command{guix size}
6773 @cindex package size
6775 @cindex @command{guix size}
6776 The @command{guix size} command helps package developers profile the
6777 disk usage of packages. It is easy to overlook the impact of an
6778 additional dependency added to a package, or the impact of using a
6779 single output for a package that could easily be split (@pxref{Packages
6780 with Multiple Outputs}). Such are the typical issues that
6781 @command{guix size} can highlight.
6783 The command can be passed a package specification such as @code{gcc@@4.8}
6784 or @code{guile:debug}, or a file name in the store. Consider this
6788 $ guix size coreutils
6789 store item total self
6790 /gnu/store/@dots{}-coreutils-8.23 70.0 13.9 19.8%
6791 /gnu/store/@dots{}-gmp-6.0.0a 55.3 2.5 3.6%
6792 /gnu/store/@dots{}-acl-2.2.52 53.7 0.5 0.7%
6793 /gnu/store/@dots{}-attr-2.4.46 53.2 0.3 0.5%
6794 /gnu/store/@dots{}-gcc-4.8.4-lib 52.9 15.7 22.4%
6795 /gnu/store/@dots{}-glibc-2.21 37.2 37.2 53.1%
6799 The store items listed here constitute the @dfn{transitive closure} of
6800 Coreutils---i.e., Coreutils and all its dependencies, recursively---as
6801 would be returned by:
6804 $ guix gc -R /gnu/store/@dots{}-coreutils-8.23
6807 Here the output shows three columns next to store items. The first column,
6808 labeled ``total'', shows the size in mebibytes (MiB) of the closure of
6809 the store item---that is, its own size plus the size of all its
6810 dependencies. The next column, labeled ``self'', shows the size of the
6811 item itself. The last column shows the ratio of the size of the item
6812 itself to the space occupied by all the items listed here.
6814 In this example, we see that the closure of Coreutils weighs in at
6815 70@tie{}MiB, half of which is taken by libc. (That libc represents a
6816 large fraction of the closure is not a problem @i{per se} because it is
6817 always available on the system anyway.)
6819 When the package passed to @command{guix size} is available in the
6820 store, @command{guix size} queries the daemon to determine its
6821 dependencies, and measures its size in the store, similar to @command{du
6822 -ms --apparent-size} (@pxref{du invocation,,, coreutils, GNU
6825 When the given package is @emph{not} in the store, @command{guix size}
6826 reports information based on the available substitutes
6827 (@pxref{Substitutes}). This makes it possible it to profile disk usage of
6828 store items that are not even on disk, only available remotely.
6830 You can also specify several package names:
6833 $ guix size coreutils grep sed bash
6834 store item total self
6835 /gnu/store/@dots{}-coreutils-8.24 77.8 13.8 13.4%
6836 /gnu/store/@dots{}-grep-2.22 73.1 0.8 0.8%
6837 /gnu/store/@dots{}-bash-4.3.42 72.3 4.7 4.6%
6838 /gnu/store/@dots{}-readline-6.3 67.6 1.2 1.2%
6844 In this example we see that the combination of the four packages takes
6845 102.3@tie{}MiB in total, which is much less than the sum of each closure
6846 since they have a lot of dependencies in common.
6848 The available options are:
6852 @item --substitute-urls=@var{urls}
6853 Use substitute information from @var{urls}.
6854 @xref{client-substitute-urls, the same option for @code{guix build}}.
6856 @item --sort=@var{key}
6857 Sort lines according to @var{key}, one of the following options:
6861 the size of each item (the default);
6863 the total size of the item's closure.
6866 @item --map-file=@var{file}
6867 Write a graphical map of disk usage in PNG format to @var{file}.
6869 For the example above, the map looks like this:
6871 @image{images/coreutils-size-map,5in,, map of Coreutils disk usage
6872 produced by @command{guix size}}
6874 This option requires that
6875 @uref{http://wingolog.org/software/guile-charting/, Guile-Charting} be
6876 installed and visible in Guile's module search path. When that is not
6877 the case, @command{guix size} fails as it tries to load it.
6879 @item --system=@var{system}
6880 @itemx -s @var{system}
6881 Consider packages for @var{system}---e.g., @code{x86_64-linux}.
6885 @node Invoking guix graph
6886 @section Invoking @command{guix graph}
6889 @cindex @command{guix graph}
6890 @cindex package dependencies
6891 Packages and their dependencies form a @dfn{graph}, specifically a
6892 directed acyclic graph (DAG). It can quickly become difficult to have a
6893 mental model of the package DAG, so the @command{guix graph} command
6894 provides a visual representation of the DAG. By default,
6895 @command{guix graph} emits a DAG representation in the input format of
6896 @uref{http://www.graphviz.org/, Graphviz}, so its output can be passed
6897 directly to the @command{dot} command of Graphviz. It can also emit an
6898 HTML page with embedded JavaScript code to display a ``chord diagram''
6899 in a Web browser, using the @uref{https://d3js.org/, d3.js} library, or
6900 emit Cypher queries to construct a graph in a graph database supporting
6901 the @uref{http://www.opencypher.org/, openCypher} query language.
6902 The general syntax is:
6905 guix graph @var{options} @var{package}@dots{}
6908 For example, the following command generates a PDF file representing the
6909 package DAG for the GNU@tie{}Core Utilities, showing its build-time
6913 guix graph coreutils | dot -Tpdf > dag.pdf
6916 The output looks like this:
6918 @image{images/coreutils-graph,2in,,Dependency graph of the GNU Coreutils}
6920 Nice little graph, no?
6922 But there is more than one graph! The one above is concise: it is the
6923 graph of package objects, omitting implicit inputs such as GCC, libc,
6924 grep, etc. It is often useful to have such a concise graph, but
6925 sometimes one may want to see more details. @command{guix graph} supports
6926 several types of graphs, allowing you to choose the level of detail:
6930 This is the default type used in the example above. It shows the DAG of
6931 package objects, excluding implicit dependencies. It is concise, but
6932 filters out many details.
6934 @item reverse-package
6935 This shows the @emph{reverse} DAG of packages. For example:
6938 guix graph --type=reverse-package ocaml
6941 ... yields the graph of packages that depend on OCaml.
6943 Note that for core packages this can yield huge graphs. If all you want
6944 is to know the number of packages that depend on a given package, use
6945 @command{guix refresh --list-dependent} (@pxref{Invoking guix refresh,
6946 @option{--list-dependent}}).
6949 This is the package DAG, @emph{including} implicit inputs.
6951 For instance, the following command:
6954 guix graph --type=bag-emerged coreutils | dot -Tpdf > dag.pdf
6957 ... yields this bigger graph:
6959 @image{images/coreutils-bag-graph,,5in,Detailed dependency graph of the GNU Coreutils}
6961 At the bottom of the graph, we see all the implicit inputs of
6962 @var{gnu-build-system} (@pxref{Build Systems, @code{gnu-build-system}}).
6964 Now, note that the dependencies of these implicit inputs---that is, the
6965 @dfn{bootstrap dependencies} (@pxref{Bootstrapping})---are not shown
6966 here, for conciseness.
6969 Similar to @code{bag-emerged}, but this time including all the bootstrap
6972 @item bag-with-origins
6973 Similar to @code{bag}, but also showing origins and their dependencies.
6976 This is the most detailed representation: It shows the DAG of
6977 derivations (@pxref{Derivations}) and plain store items. Compared to
6978 the above representation, many additional nodes are visible, including
6979 build scripts, patches, Guile modules, etc.
6981 For this type of graph, it is also possible to pass a @file{.drv} file
6982 name instead of a package name, as in:
6985 guix graph -t derivation `guix system build -d my-config.scm`
6989 All the types above correspond to @emph{build-time dependencies}. The
6990 following graph type represents the @emph{run-time dependencies}:
6994 This is the graph of @dfn{references} of a package output, as returned
6995 by @command{guix gc --references} (@pxref{Invoking guix gc}).
6997 If the given package output is not available in the store, @command{guix
6998 graph} attempts to obtain dependency information from substitutes.
7000 Here you can also pass a store file name instead of a package name. For
7001 example, the command below produces the reference graph of your profile
7002 (which can be big!):
7005 guix graph -t references `readlink -f ~/.guix-profile`
7009 This is the graph of the @dfn{referrers} of a store item, as returned by
7010 @command{guix gc --referrers} (@pxref{Invoking guix gc}).
7012 This relies exclusively on local information from your store. For
7013 instance, let us suppose that the current Inkscape is available in 10
7014 profiles on your machine; @command{guix graph -t referrers inkscape}
7015 will show a graph rooted at Inkscape and with those 10 profiles linked
7018 It can help determine what is preventing a store item from being garbage
7023 The available options are the following:
7026 @item --type=@var{type}
7027 @itemx -t @var{type}
7028 Produce a graph output of @var{type}, where @var{type} must be one of
7029 the values listed above.
7032 List the supported graph types.
7034 @item --backend=@var{backend}
7035 @itemx -b @var{backend}
7036 Produce a graph using the selected @var{backend}.
7038 @item --list-backends
7039 List the supported graph backends.
7041 Currently, the available backends are Graphviz and d3.js.
7043 @item --expression=@var{expr}
7044 @itemx -e @var{expr}
7045 Consider the package @var{expr} evaluates to.
7047 This is useful to precisely refer to a package, as in this example:
7050 guix graph -e '(@@@@ (gnu packages commencement) gnu-make-final)'
7055 @node Invoking guix environment
7056 @section Invoking @command{guix environment}
7058 @cindex reproducible build environments
7059 @cindex development environments
7060 @cindex @command{guix environment}
7061 @cindex environment, package build environment
7062 The purpose of @command{guix environment} is to assist hackers in
7063 creating reproducible development environments without polluting their
7064 package profile. The @command{guix environment} tool takes one or more
7065 packages, builds all of their inputs, and creates a shell
7066 environment to use them.
7068 The general syntax is:
7071 guix environment @var{options} @var{package}@dots{}
7074 The following example spawns a new shell set up for the development of
7078 guix environment guile
7081 If the needed dependencies are not built yet, @command{guix environment}
7082 automatically builds them. The environment of the new shell is an augmented
7083 version of the environment that @command{guix environment} was run in.
7084 It contains the necessary search paths for building the given package
7085 added to the existing environment variables. To create a ``pure''
7086 environment, in which the original environment variables have been unset,
7087 use the @code{--pure} option@footnote{Users sometimes wrongfully augment
7088 environment variables such as @code{PATH} in their @file{~/.bashrc}
7089 file. As a consequence, when @code{guix environment} launches it, Bash
7090 may read @file{~/.bashrc}, thereby introducing ``impurities'' in these
7091 environment variables. It is an error to define such environment
7092 variables in @file{.bashrc}; instead, they should be defined in
7093 @file{.bash_profile}, which is sourced only by log-in shells.
7094 @xref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}, for
7095 details on Bash start-up files.}.
7097 @vindex GUIX_ENVIRONMENT
7098 @command{guix environment} defines the @code{GUIX_ENVIRONMENT}
7099 variable in the shell it spawns; its value is the file name of the
7100 profile of this environment. This allows users to, say, define a
7101 specific prompt for development environments in their @file{.bashrc}
7102 (@pxref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}):
7105 if [ -n "$GUIX_ENVIRONMENT" ]
7107 export PS1="\u@@\h \w [dev]\$ "
7112 ... or to browse the profile:
7115 $ ls "$GUIX_ENVIRONMENT/bin"
7118 Additionally, more than one package may be specified, in which case the
7119 union of the inputs for the given packages are used. For example, the
7120 command below spawns a shell where all of the dependencies of both Guile
7121 and Emacs are available:
7124 guix environment guile emacs
7127 Sometimes an interactive shell session is not desired. An arbitrary
7128 command may be invoked by placing the @code{--} token to separate the
7129 command from the rest of the arguments:
7132 guix environment guile -- make -j4
7135 In other situations, it is more convenient to specify the list of
7136 packages needed in the environment. For example, the following command
7137 runs @command{python} from an environment containing Python@tie{}2.7 and
7141 guix environment --ad-hoc python2-numpy python-2.7 -- python
7144 Furthermore, one might want the dependencies of a package and also some
7145 additional packages that are not build-time or runtime dependencies, but
7146 are useful when developing nonetheless. Because of this, the
7147 @code{--ad-hoc} flag is positional. Packages appearing before
7148 @code{--ad-hoc} are interpreted as packages whose dependencies will be
7149 added to the environment. Packages appearing after are interpreted as
7150 packages that will be added to the environment directly. For example,
7151 the following command creates a Guix development environment that
7152 additionally includes Git and strace:
7155 guix environment guix --ad-hoc git strace
7158 Sometimes it is desirable to isolate the environment as much as
7159 possible, for maximal purity and reproducibility. In particular, when
7160 using Guix on a host distro that is not GuixSD, it is desirable to
7161 prevent access to @file{/usr/bin} and other system-wide resources from
7162 the development environment. For example, the following command spawns
7163 a Guile REPL in a ``container'' where only the store and the current
7164 working directory are mounted:
7167 guix environment --ad-hoc --container guile -- guile
7171 The @code{--container} option requires Linux-libre 3.19 or newer.
7174 The available options are summarized below.
7177 @item --root=@var{file}
7178 @itemx -r @var{file}
7179 @cindex persistent environment
7180 @cindex garbage collector root, for environments
7181 Make @var{file} a symlink to the profile for this environment, and
7182 register it as a garbage collector root.
7184 This is useful if you want to protect your environment from garbage
7185 collection, to make it ``persistent''.
7187 When this option is omitted, the environment is protected from garbage
7188 collection only for the duration of the @command{guix environment}
7189 session. This means that next time you recreate the same environment,
7190 you could have to rebuild or re-download packages. @xref{Invoking guix
7191 gc}, for more on GC roots.
7193 @item --expression=@var{expr}
7194 @itemx -e @var{expr}
7195 Create an environment for the package or list of packages that
7196 @var{expr} evaluates to.
7198 For example, running:
7201 guix environment -e '(@@ (gnu packages maths) petsc-openmpi)'
7204 starts a shell with the environment for this specific variant of the
7210 guix environment --ad-hoc -e '(@@ (gnu) %base-packages)'
7213 starts a shell with all the GuixSD base packages available.
7215 The above commands only use the default output of the given packages.
7216 To select other outputs, two element tuples can be specified:
7219 guix environment --ad-hoc -e '(list (@@ (gnu packages bash) bash) "include")'
7222 @item --load=@var{file}
7223 @itemx -l @var{file}
7224 Create an environment for the package or list of packages that the code
7225 within @var{file} evaluates to.
7227 As an example, @var{file} might contain a definition like this
7228 (@pxref{Defining Packages}):
7231 @verbatiminclude environment-gdb.scm
7235 Include all specified packages in the resulting environment, as if an
7236 @i{ad hoc} package were defined with them as inputs. This option is
7237 useful for quickly creating an environment without having to write a
7238 package expression to contain the desired inputs.
7240 For instance, the command:
7243 guix environment --ad-hoc guile guile-sdl -- guile
7246 runs @command{guile} in an environment where Guile and Guile-SDL are
7249 Note that this example implicitly asks for the default output of
7250 @code{guile} and @code{guile-sdl}, but it is possible to ask for a
7251 specific output---e.g., @code{glib:bin} asks for the @code{bin} output
7252 of @code{glib} (@pxref{Packages with Multiple Outputs}).
7254 This option may be composed with the default behavior of @command{guix
7255 environment}. Packages appearing before @code{--ad-hoc} are interpreted
7256 as packages whose dependencies will be added to the environment, the
7257 default behavior. Packages appearing after are interpreted as packages
7258 that will be added to the environment directly.
7261 Unset existing environment variables when building the new environment.
7262 This has the effect of creating an environment in which search paths
7263 only contain package inputs.
7265 @item --search-paths
7266 Display the environment variable definitions that make up the
7269 @item --system=@var{system}
7270 @itemx -s @var{system}
7271 Attempt to build for @var{system}---e.g., @code{i686-linux}.
7276 Run @var{command} within an isolated container. The current working
7277 directory outside the container is mapped inside the container.
7278 Additionally, a dummy home directory is created that matches the current
7279 user's home directory, and @file{/etc/passwd} is configured accordingly.
7280 The spawned process runs as the current user outside the container, but
7281 has root privileges in the context of the container.
7285 For containers, share the network namespace with the host system.
7286 Containers created without this flag only have access to the loopback
7289 @item --expose=@var{source}[=@var{target}]
7290 For containers, expose the file system @var{source} from the host system
7291 as the read-only file system @var{target} within the container. If
7292 @var{target} is not specified, @var{source} is used as the target mount
7293 point in the container.
7295 The example below spawns a Guile REPL in a container in which the user's
7296 home directory is accessible read-only via the @file{/exchange}
7300 guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile
7303 @item --share=@var{source}[=@var{target}]
7304 For containers, share the file system @var{source} from the host system
7305 as the writable file system @var{target} within the container. If
7306 @var{target} is not specified, @var{source} is used as the target mount
7307 point in the container.
7309 The example below spawns a Guile REPL in a container in which the user's
7310 home directory is accessible for both reading and writing via the
7311 @file{/exchange} directory:
7314 guix environment --container --share=$HOME=/exchange --ad-hoc guile -- guile
7318 @command{guix environment}
7319 also supports all of the common build options that @command{guix
7320 build} supports (@pxref{Common Build Options}).
7323 @node Invoking guix publish
7324 @section Invoking @command{guix publish}
7326 @cindex @command{guix publish}
7327 The purpose of @command{guix publish} is to enable users to easily share
7328 their store with others, who can then use it as a substitute server
7329 (@pxref{Substitutes}).
7331 When @command{guix publish} runs, it spawns an HTTP server which allows
7332 anyone with network access to obtain substitutes from it. This means
7333 that any machine running Guix can also act as if it were a build farm,
7334 since the HTTP interface is compatible with Hydra, the software behind
7335 the @code{hydra.gnu.org} build farm.
7337 For security, each substitute is signed, allowing recipients to check
7338 their authenticity and integrity (@pxref{Substitutes}). Because
7339 @command{guix publish} uses the signing key of the system, which is only
7340 readable by the system administrator, it must be started as root; the
7341 @code{--user} option makes it drop root privileges early on.
7343 The signing key pair must be generated before @command{guix publish} is
7344 launched, using @command{guix archive --generate-key} (@pxref{Invoking
7347 The general syntax is:
7350 guix publish @var{options}@dots{}
7353 Running @command{guix publish} without any additional arguments will
7354 spawn an HTTP server on port 8080:
7360 Once a publishing server has been authorized (@pxref{Invoking guix
7361 archive}), the daemon may download substitutes from it:
7364 guix-daemon --substitute-urls=http://example.org:8080
7367 By default, @command{guix publish} compresses archives on the fly as it
7368 serves them. This ``on-the-fly'' mode is convenient in that it requires
7369 no setup and is immediately available. However, when serving lots of
7370 clients, we recommend using the @option{--cache} option, which enables
7371 caching of the archives before they are sent to clients---see below for
7372 details. The @command{guix weather} command provides a handy way to
7373 check what a server provides (@pxref{Invoking guix weather}).
7375 As a bonus, @command{guix publish} also serves as a content-addressed
7376 mirror for source files referenced in @code{origin} records
7377 (@pxref{origin Reference}). For instance, assuming @command{guix
7378 publish} is running on @code{example.org}, the following URL returns the
7379 raw @file{hello-2.10.tar.gz} file with the given SHA256 hash
7380 (represented in @code{nix-base32} format, @pxref{Invoking guix hash}):
7383 http://example.org/file/hello-2.10.tar.gz/sha256/0ssi1@dots{}ndq1i
7386 Obviously, these URLs only work for files that are in the store; in
7387 other cases, they return 404 (``Not Found'').
7389 @cindex build logs, publication
7390 Build logs are available from @code{/log} URLs like:
7393 http://example.org/log/gwspk@dots{}-guile-2.2.3
7397 When @command{guix-daemon} is configured to save compressed build logs,
7398 as is the case by default (@pxref{Invoking guix-daemon}), @code{/log}
7399 URLs return the compressed log as-is, with an appropriate
7400 @code{Content-Type} and/or @code{Content-Encoding} header. We recommend
7401 running @command{guix-daemon} with @code{--log-compression=gzip} since
7402 Web browsers can automatically decompress it, which is not the case with
7405 The following options are available:
7408 @item --port=@var{port}
7409 @itemx -p @var{port}
7410 Listen for HTTP requests on @var{port}.
7412 @item --listen=@var{host}
7413 Listen on the network interface for @var{host}. The default is to
7414 accept connections from any interface.
7416 @item --user=@var{user}
7417 @itemx -u @var{user}
7418 Change privileges to @var{user} as soon as possible---i.e., once the
7419 server socket is open and the signing key has been read.
7421 @item --compression[=@var{level}]
7422 @itemx -C [@var{level}]
7423 Compress data using the given @var{level}. When @var{level} is zero,
7424 disable compression. The range 1 to 9 corresponds to different gzip
7425 compression levels: 1 is the fastest, and 9 is the best (CPU-intensive).
7428 Unless @option{--cache} is used, compression occurs on the fly and
7429 the compressed streams are not
7430 cached. Thus, to reduce load on the machine that runs @command{guix
7431 publish}, it may be a good idea to choose a low compression level, to
7432 run @command{guix publish} behind a caching proxy, or to use
7433 @option{--cache}. Using @option{--cache} has the advantage that it
7434 allows @command{guix publish} to add @code{Content-Length} HTTP header
7437 @item --cache=@var{directory}
7438 @itemx -c @var{directory}
7439 Cache archives and meta-data (@code{.narinfo} URLs) to @var{directory}
7440 and only serve archives that are in cache.
7442 When this option is omitted, archives and meta-data are created
7443 on-the-fly. This can reduce the available bandwidth, especially when
7444 compression is enabled, since this may become CPU-bound. Another
7445 drawback of the default mode is that the length of archives is not known
7446 in advance, so @command{guix publish} does not add a
7447 @code{Content-Length} HTTP header to its responses, which in turn
7448 prevents clients from knowing the amount of data being downloaded.
7450 Conversely, when @option{--cache} is used, the first request for a store
7451 item (@i{via} a @code{.narinfo} URL) returns 404 and triggers a
7452 background process to @dfn{bake} the archive---computing its
7453 @code{.narinfo} and compressing the archive, if needed. Once the
7454 archive is cached in @var{directory}, subsequent requests succeed and
7455 are served directly from the cache, which guarantees that clients get
7456 the best possible bandwidth.
7458 The ``baking'' process is performed by worker threads. By default, one
7459 thread per CPU core is created, but this can be customized. See
7460 @option{--workers} below.
7462 When @option{--ttl} is used, cached entries are automatically deleted
7463 when they have expired.
7465 @item --workers=@var{N}
7466 When @option{--cache} is used, request the allocation of @var{N} worker
7467 threads to ``bake'' archives.
7469 @item --ttl=@var{ttl}
7470 Produce @code{Cache-Control} HTTP headers that advertise a time-to-live
7471 (TTL) of @var{ttl}. @var{ttl} must denote a duration: @code{5d} means 5
7472 days, @code{1m} means 1 month, and so on.
7474 This allows the user's Guix to keep substitute information in cache for
7475 @var{ttl}. However, note that @code{guix publish} does not itself
7476 guarantee that the store items it provides will indeed remain available
7477 for as long as @var{ttl}.
7479 Additionally, when @option{--cache} is used, cached entries that have
7480 not been accessed for @var{ttl} and that no longer have a corresponding
7481 item in the store, may be deleted.
7483 @item --nar-path=@var{path}
7484 Use @var{path} as the prefix for the URLs of ``nar'' files
7485 (@pxref{Invoking guix archive, normalized archives}).
7487 By default, nars are served at a URL such as
7488 @code{/nar/gzip/@dots{}-coreutils-8.25}. This option allows you to
7489 change the @code{/nar} part to @var{path}.
7491 @item --public-key=@var{file}
7492 @itemx --private-key=@var{file}
7493 Use the specific @var{file}s as the public/private key pair used to sign
7494 the store items being published.
7496 The files must correspond to the same key pair (the private key is used
7497 for signing and the public key is merely advertised in the signature
7498 metadata). They must contain keys in the canonical s-expression format
7499 as produced by @command{guix archive --generate-key} (@pxref{Invoking
7500 guix archive}). By default, @file{/etc/guix/signing-key.pub} and
7501 @file{/etc/guix/signing-key.sec} are used.
7503 @item --repl[=@var{port}]
7504 @itemx -r [@var{port}]
7505 Spawn a Guile REPL server (@pxref{REPL Servers,,, guile, GNU Guile
7506 Reference Manual}) on @var{port} (37146 by default). This is used
7507 primarily for debugging a running @command{guix publish} server.
7510 Enabling @command{guix publish} on a GuixSD system is a one-liner: just
7511 instantiate a @code{guix-publish-service-type} service in the @code{services} field
7512 of the @code{operating-system} declaration (@pxref{guix-publish-service-type,
7513 @code{guix-publish-service-type}}).
7515 If you are instead running Guix on a ``foreign distro'', follow these
7520 If your host distro uses the systemd init system:
7523 # ln -s ~root/.guix-profile/lib/systemd/system/guix-publish.service \
7524 /etc/systemd/system/
7525 # systemctl start guix-publish && systemctl enable guix-publish
7529 If your host distro uses the Upstart init system:
7532 # ln -s ~root/.guix-profile/lib/upstart/system/guix-publish.conf /etc/init/
7533 # start guix-publish
7537 Otherwise, proceed similarly with your distro's init system.
7540 @node Invoking guix challenge
7541 @section Invoking @command{guix challenge}
7543 @cindex reproducible builds
7544 @cindex verifiable builds
7545 @cindex @command{guix challenge}
7547 Do the binaries provided by this server really correspond to the source
7548 code it claims to build? Is a package build process deterministic?
7549 These are the questions the @command{guix challenge} command attempts to
7552 The former is obviously an important question: Before using a substitute
7553 server (@pxref{Substitutes}), one had better @emph{verify} that it
7554 provides the right binaries, and thus @emph{challenge} it. The latter
7555 is what enables the former: If package builds are deterministic, then
7556 independent builds of the package should yield the exact same result,
7557 bit for bit; if a server provides a binary different from the one
7558 obtained locally, it may be either corrupt or malicious.
7560 We know that the hash that shows up in @file{/gnu/store} file names is
7561 the hash of all the inputs of the process that built the file or
7562 directory---compilers, libraries, build scripts,
7563 etc. (@pxref{Introduction}). Assuming deterministic build processes,
7564 one store file name should map to exactly one build output.
7565 @command{guix challenge} checks whether there is, indeed, a single
7566 mapping by comparing the build outputs of several independent builds of
7567 any given store item.
7569 The command output looks like this:
7572 $ guix challenge --substitute-urls="https://hydra.gnu.org https://guix.example.org"
7573 updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
7574 updating list of substitutes from 'https://guix.example.org'... 100.0%
7575 /gnu/store/@dots{}-openssl-1.0.2d contents differ:
7576 local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
7577 https://hydra.gnu.org/nar/@dots{}-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q
7578 https://guix.example.org/nar/@dots{}-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim
7579 /gnu/store/@dots{}-git-2.5.0 contents differ:
7580 local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha
7581 https://hydra.gnu.org/nar/@dots{}-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f
7582 https://guix.example.org/nar/@dots{}-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73
7583 /gnu/store/@dots{}-pius-2.1.1 contents differ:
7584 local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
7585 https://hydra.gnu.org/nar/@dots{}-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax
7586 https://guix.example.org/nar/@dots{}-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs
7590 6,406 store items were analyzed:
7591 - 4,749 (74.1%) were identical
7592 - 525 (8.2%) differed
7593 - 1,132 (17.7%) were inconclusive
7597 In this example, @command{guix challenge} first scans the store to
7598 determine the set of locally-built derivations---as opposed to store
7599 items that were downloaded from a substitute server---and then queries
7600 all the substitute servers. It then reports those store items for which
7601 the servers obtained a result different from the local build.
7603 @cindex non-determinism, in package builds
7604 As an example, @code{guix.example.org} always gets a different answer.
7605 Conversely, @code{hydra.gnu.org} agrees with local builds, except in the
7606 case of Git. This might indicate that the build process of Git is
7607 non-deterministic, meaning that its output varies as a function of
7608 various things that Guix does not fully control, in spite of building
7609 packages in isolated environments (@pxref{Features}). Most common
7610 sources of non-determinism include the addition of timestamps in build
7611 results, the inclusion of random numbers, and directory listings sorted
7612 by inode number. See @uref{https://reproducible-builds.org/docs/}, for
7615 To find out what is wrong with this Git binary, we can do something along
7616 these lines (@pxref{Invoking guix archive}):
7619 $ wget -q -O - https://hydra.gnu.org/nar/@dots{}-git-2.5.0 \
7620 | guix archive -x /tmp/git
7621 $ diff -ur --no-dereference /gnu/store/@dots{}-git.2.5.0 /tmp/git
7624 This command shows the difference between the files resulting from the
7625 local build, and the files resulting from the build on
7626 @code{hydra.gnu.org} (@pxref{Overview, Comparing and Merging Files,,
7627 diffutils, Comparing and Merging Files}). The @command{diff} command
7628 works great for text files. When binary files differ, a better option
7629 is @uref{https://diffoscope.org/, Diffoscope}, a tool that helps
7630 visualize differences for all kinds of files.
7632 Once you have done that work, you can tell whether the differences are due
7633 to a non-deterministic build process or to a malicious server. We try
7634 hard to remove sources of non-determinism in packages to make it easier
7635 to verify substitutes, but of course, this is a process that
7636 involves not just Guix, but a large part of the free software community.
7637 In the meantime, @command{guix challenge} is one tool to help address
7640 If you are writing packages for Guix, you are encouraged to check
7641 whether @code{hydra.gnu.org} and other substitute servers obtain the
7642 same build result as you did with:
7645 $ guix challenge @var{package}
7649 where @var{package} is a package specification such as
7650 @code{guile@@2.0} or @code{glibc:debug}.
7652 The general syntax is:
7655 guix challenge @var{options} [@var{packages}@dots{}]
7658 When a difference is found between the hash of a locally-built item and
7659 that of a server-provided substitute, or among substitutes provided by
7660 different servers, the command displays it as in the example above and
7661 its exit code is 2 (other non-zero exit codes denote other kinds of
7664 The one option that matters is:
7668 @item --substitute-urls=@var{urls}
7669 Consider @var{urls} the whitespace-separated list of substitute source
7674 Show details about matches (identical contents) in addition to
7675 information about mismatches.
7679 @node Invoking guix copy
7680 @section Invoking @command{guix copy}
7682 @cindex copy, of store items, over SSH
7683 @cindex SSH, copy of store items
7684 @cindex sharing store items across machines
7685 @cindex transferring store items across machines
7686 The @command{guix copy} command copies items from the store of one
7687 machine to that of another machine over a secure shell (SSH)
7688 connection@footnote{This command is available only when Guile-SSH was
7689 found. @xref{Requirements}, for details.}. For example, the following
7690 command copies the @code{coreutils} package, the user's profile, and all
7691 their dependencies over to @var{host}, logged in as @var{user}:
7694 guix copy --to=@var{user}@@@var{host} \
7695 coreutils `readlink -f ~/.guix-profile`
7698 If some of the items to be copied are already present on @var{host},
7699 they are not actually sent.
7701 The command below retrieves @code{libreoffice} and @code{gimp} from
7702 @var{host}, assuming they are available there:
7705 guix copy --from=@var{host} libreoffice gimp
7708 The SSH connection is established using the Guile-SSH client, which is
7709 compatible with OpenSSH: it honors @file{~/.ssh/known_hosts} and
7710 @file{~/.ssh/config}, and uses the SSH agent for authentication.
7712 The key used to sign items that are sent must be accepted by the remote
7713 machine. Likewise, the key used by the remote machine to sign items you
7714 are retrieving must be in @file{/etc/guix/acl} so it is accepted by your
7715 own daemon. @xref{Invoking guix archive}, for more information about
7716 store item authentication.
7718 The general syntax is:
7721 guix copy [--to=@var{spec}|--from=@var{spec}] @var{items}@dots{}
7724 You must always specify one of the following options:
7727 @item --to=@var{spec}
7728 @itemx --from=@var{spec}
7729 Specify the host to send to or receive from. @var{spec} must be an SSH
7730 spec such as @code{example.org}, @code{charlie@@example.org}, or
7731 @code{charlie@@example.org:2222}.
7734 The @var{items} can be either package names, such as @code{gimp}, or
7735 store items, such as @file{/gnu/store/@dots{}-idutils-4.6}.
7737 When specifying the name of a package to send, it is first built if
7738 needed, unless @option{--dry-run} was specified. Common build options
7739 are supported (@pxref{Common Build Options}).
7742 @node Invoking guix container
7743 @section Invoking @command{guix container}
7745 @cindex @command{guix container}
7747 As of version @value{VERSION}, this tool is experimental. The interface
7748 is subject to radical change in the future.
7751 The purpose of @command{guix container} is to manipulate processes
7752 running within an isolated environment, commonly known as a
7753 ``container'', typically created by the @command{guix environment}
7754 (@pxref{Invoking guix environment}) and @command{guix system container}
7755 (@pxref{Invoking guix system}) commands.
7757 The general syntax is:
7760 guix container @var{action} @var{options}@dots{}
7763 @var{action} specifies the operation to perform with a container, and
7764 @var{options} specifies the context-specific arguments for the action.
7766 The following actions are available:
7770 Execute a command within the context of a running container.
7775 guix container exec @var{pid} @var{program} @var{arguments}@dots{}
7778 @var{pid} specifies the process ID of the running container.
7779 @var{program} specifies an executable file name within the root file
7780 system of the container. @var{arguments} are the additional options that
7781 will be passed to @var{program}.
7783 The following command launches an interactive login shell inside a
7784 GuixSD container, started by @command{guix system container}, and whose
7788 guix container exec 9001 /run/current-system/profile/bin/bash --login
7791 Note that the @var{pid} cannot be the parent process of a container. It
7792 must be PID 1 of the container or one of its child processes.
7796 @node Invoking guix weather
7797 @section Invoking @command{guix weather}
7799 Occasionally you're grumpy because substitutes are lacking and you end
7800 up building packages by yourself (@pxref{Substitutes}). The
7801 @command{guix weather} command reports on substitute availability on the
7802 specified servers so you can have an idea of whether you'll be grumpy
7803 today. It can sometimes be useful info as a user, but it is primarily
7804 useful to people running @command{guix publish} (@pxref{Invoking guix
7807 @cindex statistics, for substitutes
7808 @cindex availability of substitutes
7809 @cindex substitute availability
7810 @cindex weather, substitute availability
7811 Here's a sample run:
7814 $ guix weather --substitute-urls=https://guix.example.org
7815 computing 5,872 package derivations for x86_64-linux...
7816 looking for 6,128 store items on https://guix.example.org..
7817 updating list of substitutes from 'https://guix.example.org'... 100.0%
7818 https://guix.example.org
7819 43.4% substitutes available (2,658 out of 6,128)
7820 7,032.5 MiB of nars (compressed)
7821 19,824.2 MiB on disk (uncompressed)
7822 0.030 seconds per request (182.9 seconds in total)
7823 33.5 requests per second
7826 As you can see, it reports the fraction of all the packages for which
7827 substitutes are available on the server---regardless of whether
7828 substitutes are enabled, and regardless of whether this server's signing
7829 key is authorized. It also reports the size of the compressed archives
7830 (``nars'') provided by the server, the size the corresponding store
7831 items occupy in the store (assuming deduplication is turned off), and
7832 the server's throughput.
7834 To achieve that, @command{guix weather} queries over HTTP(S) meta-data
7835 (@dfn{narinfos}) for all the relevant store items. Like @command{guix
7836 challenge}, it ignores signatures on those substitutes, which is
7837 innocuous since the command only gathers statistics and cannot install
7840 Among other things, it is possible to query specific system types and
7841 specific package sets. The available options are listed below.
7844 @item --substitute-urls=@var{urls}
7845 @var{urls} is the space-separated list of substitute server URLs to
7846 query. When this option is omitted, the default set of substitute
7849 @item --system=@var{system}
7850 @itemx -s @var{system}
7851 Query substitutes for @var{system}---e.g., @code{aarch64-linux}. This
7852 option can be repeated, in which case @command{guix weather} will query
7853 substitutes for several system types.
7855 @item --manifest=@var{file}
7856 Instead of querying substitutes for all the packages, only ask for those
7857 specified in @var{file}. @var{file} must contain a @dfn{manifest}, as
7858 with the @code{-m} option of @command{guix package} (@pxref{Invoking
7863 @c *********************************************************************
7864 @node GNU Distribution
7865 @chapter GNU Distribution
7867 @cindex Guix System Distribution
7869 Guix comes with a distribution of the GNU system consisting entirely of
7870 free software@footnote{The term ``free'' here refers to the
7871 @url{http://www.gnu.org/philosophy/free-sw.html,freedom provided to
7872 users of that software}.}. The
7873 distribution can be installed on its own (@pxref{System Installation}),
7874 but it is also possible to install Guix as a package manager on top of
7875 an installed GNU/Linux system (@pxref{Installation}). To distinguish
7876 between the two, we refer to the standalone distribution as the Guix
7877 System Distribution, or GuixSD.
7879 The distribution provides core GNU packages such as GNU libc, GCC, and
7880 Binutils, as well as many GNU and non-GNU applications. The complete
7881 list of available packages can be browsed
7882 @url{http://www.gnu.org/software/guix/packages,on-line} or by
7883 running @command{guix package} (@pxref{Invoking guix package}):
7886 guix package --list-available
7889 Our goal is to provide a practical 100% free software distribution of
7890 Linux-based and other variants of GNU, with a focus on the promotion and
7891 tight integration of GNU components, and an emphasis on programs and
7892 tools that help users exert that freedom.
7894 Packages are currently available on the following platforms:
7899 Intel/AMD @code{x86_64} architecture, Linux-Libre kernel;
7902 Intel 32-bit architecture (IA32), Linux-Libre kernel;
7905 ARMv7-A architecture with hard float, Thumb-2 and NEON,
7906 using the EABI hard-float application binary interface (ABI),
7907 and Linux-Libre kernel.
7910 little-endian 64-bit ARMv8-A processors, Linux-Libre kernel. This is
7911 currently in an experimental stage, with limited support.
7912 @xref{Contributing}, for how to help!
7914 @item mips64el-linux
7915 little-endian 64-bit MIPS processors, specifically the Loongson series,
7916 n32 ABI, and Linux-Libre kernel.
7920 GuixSD itself is currently only available on @code{i686} and @code{x86_64}.
7923 For information on porting to other architectures or kernels,
7927 * System Installation:: Installing the whole operating system.
7928 * System Configuration:: Configuring the operating system.
7929 * Documentation:: Browsing software user manuals.
7930 * Installing Debugging Files:: Feeding the debugger.
7931 * Security Updates:: Deploying security fixes quickly.
7932 * Package Modules:: Packages from the programmer's viewpoint.
7933 * Packaging Guidelines:: Growing the distribution.
7934 * Bootstrapping:: GNU/Linux built from scratch.
7935 * Porting:: Targeting another platform or kernel.
7938 Building this distribution is a cooperative effort, and you are invited
7939 to join! @xref{Contributing}, for information about how you can help.
7941 @node System Installation
7942 @section System Installation
7944 @cindex installing GuixSD
7945 @cindex Guix System Distribution
7946 This section explains how to install the Guix System Distribution (GuixSD)
7947 on a machine. The Guix package manager can
7948 also be installed on top of a running GNU/Linux system,
7949 @pxref{Installation}.
7953 @c This paragraph is for people reading this from tty2 of the
7954 @c installation image.
7955 You are reading this documentation with an Info reader. For details on
7956 how to use it, hit the @key{RET} key (``return'' or ``enter'') on the
7957 link that follows: @pxref{Top, Info reader,, info-stnd, Stand-alone GNU
7958 Info}. Hit @kbd{l} afterwards to come back here.
7960 Alternately, run @command{info info} in another tty to keep the manual
7966 * Limitations:: What you can expect.
7967 * Hardware Considerations:: Supported hardware.
7968 * USB Stick and DVD Installation:: Preparing the installation medium.
7969 * Preparing for Installation:: Networking, partitioning, etc.
7970 * Proceeding with the Installation:: The real thing.
7971 * Installing GuixSD in a VM:: GuixSD playground.
7972 * Building the Installation Image:: How this comes to be.
7976 @subsection Limitations
7978 As of version @value{VERSION}, the Guix System Distribution (GuixSD) is
7979 not production-ready. It may contain bugs and lack important
7980 features. Thus, if you are looking for a stable production system that
7981 respects your freedom as a computer user, a good solution at this point
7982 is to consider @url{http://www.gnu.org/distros/free-distros.html, one of
7983 the more established GNU/Linux distributions}. We hope you can soon switch
7984 to the GuixSD without fear, of course. In the meantime, you can
7985 also keep using your distribution and try out the package manager on top
7986 of it (@pxref{Installation}).
7988 Before you proceed with the installation, be aware of the following
7989 noteworthy limitations applicable to version @value{VERSION}:
7993 The installation process does not include a graphical user interface and
7994 requires familiarity with GNU/Linux (see the following subsections to
7995 get a feel of what that means.)
7998 Support for the Logical Volume Manager (LVM) is missing.
8001 More and more system services are provided (@pxref{Services}), but some
8005 More than 6,500 packages are available, but you might
8006 occasionally find that a useful package is missing.
8009 GNOME, Xfce, LXDE, and Enlightenment are available (@pxref{Desktop Services}),
8010 as well as a number of X11 window managers. However, some graphical
8011 applications may be missing, as well as KDE.
8014 You have been warned! But more than a disclaimer, this is an invitation
8015 to report issues (and success stories!), and to join us in improving it.
8016 @xref{Contributing}, for more info.
8019 @node Hardware Considerations
8020 @subsection Hardware Considerations
8022 @cindex hardware support on GuixSD
8023 GNU@tie{}GuixSD focuses on respecting the user's computing freedom. It
8024 builds around the kernel Linux-libre, which means that only hardware for
8025 which free software drivers and firmware exist is supported. Nowadays,
8026 a wide range of off-the-shelf hardware is supported on
8027 GNU/Linux-libre---from keyboards to graphics cards to scanners and
8028 Ethernet controllers. Unfortunately, there are still areas where
8029 hardware vendors deny users control over their own computing, and such
8030 hardware is not supported on GuixSD.
8032 @cindex WiFi, hardware support
8033 One of the main areas where free drivers or firmware are lacking is WiFi
8034 devices. WiFi devices known to work include those using Atheros chips
8035 (AR9271 and AR7010), which corresponds to the @code{ath9k} Linux-libre
8036 driver, and those using Broadcom/AirForce chips (BCM43xx with
8037 Wireless-Core Revision 5), which corresponds to the @code{b43-open}
8038 Linux-libre driver. Free firmware exists for both and is available
8039 out-of-the-box on GuixSD, as part of @var{%base-firmware}
8040 (@pxref{operating-system Reference, @code{firmware}}).
8042 @cindex RYF, Respects Your Freedom
8043 The @uref{https://www.fsf.org/, Free Software Foundation} runs
8044 @uref{https://www.fsf.org/ryf, @dfn{Respects Your Freedom}} (RYF), a
8045 certification program for hardware products that respect your freedom
8046 and your privacy and ensure that you have control over your device. We
8047 encourage you to check the list of RYF-certified devices.
8049 Another useful resource is the @uref{https://www.h-node.org/, H-Node}
8050 web site. It contains a catalog of hardware devices with information
8051 about their support in GNU/Linux.
8054 @node USB Stick and DVD Installation
8055 @subsection USB Stick and DVD Installation
8057 An ISO-9660 installation image that can be written to a USB stick or
8058 burnt to a DVD can be downloaded from
8059 @indicateurl{ftp://alpha.gnu.org/gnu/guix/guixsd-install-@value{VERSION}.@var{system}.iso.xz},
8060 where @var{system} is one of:
8064 for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;
8067 for a 32-bit GNU/Linux system on Intel-compatible CPUs.
8070 @c start duplication of authentication part from ``Binary Installation''
8071 Make sure to download the associated @file{.sig} file and to verify the
8072 authenticity of the image against it, along these lines:
8075 $ wget ftp://alpha.gnu.org/gnu/guix/guixsd-install-@value{VERSION}.@var{system}.iso.xz.sig
8076 $ gpg --verify guixsd-install-@value{VERSION}.@var{system}.iso.xz.sig
8079 If that command fails because you do not have the required public key,
8080 then run this command to import it:
8083 $ gpg --keyserver pgp.mit.edu --recv-keys @value{OPENPGP-SIGNING-KEY-ID}
8087 and rerun the @code{gpg --verify} command.
8090 This image contains the tools necessary for an installation.
8091 It is meant to be copied @emph{as is} to a large-enough USB stick or DVD.
8093 @unnumberedsubsubsec Copying to a USB Stick
8095 To copy the image to a USB stick, follow these steps:
8099 Decompress the image using the @command{xz} command:
8102 xz -d guixsd-install-@value{VERSION}.@var{system}.iso.xz
8106 Insert a USB stick of 1@tie{}GiB or more into your machine, and determine
8107 its device name. Assuming that the USB stick is known as @file{/dev/sdX},
8108 copy the image with:
8111 dd if=guixsd-install-@value{VERSION}.x86_64-linux.iso of=/dev/sdX
8115 Access to @file{/dev/sdX} usually requires root privileges.
8118 @unnumberedsubsubsec Burning on a DVD
8120 To copy the image to a DVD, follow these steps:
8124 Decompress the image using the @command{xz} command:
8127 xz -d guixsd-install-@value{VERSION}.@var{system}.iso.xz
8131 Insert a blank DVD into your machine, and determine
8132 its device name. Assuming that the DVD drive is known as @file{/dev/srX},
8133 copy the image with:
8136 growisofs -dvd-compat -Z /dev/srX=guixsd-install-@value{VERSION}.x86_64.iso
8139 Access to @file{/dev/srX} usually requires root privileges.
8142 @unnumberedsubsubsec Booting
8144 Once this is done, you should be able to reboot the system and boot from
8145 the USB stick or DVD. The latter usually requires you to get in the
8146 BIOS or UEFI boot menu, where you can choose to boot from the USB stick.
8148 @xref{Installing GuixSD in a VM}, if, instead, you would like to install
8149 GuixSD in a virtual machine (VM).
8152 @node Preparing for Installation
8153 @subsection Preparing for Installation
8155 Once you have successfully booted your computer using the installation medium,
8156 you should end up with a root prompt. Several console TTYs are configured
8157 and can be used to run commands as root. TTY2 shows this documentation,
8158 browsable using the Info reader commands (@pxref{Top,,, info-stnd,
8159 Stand-alone GNU Info}). The installation system runs the GPM mouse
8160 daemon, which allows you to select text with the left mouse button and
8161 to paste it with the middle button.
8164 Installation requires access to the Internet so that any missing
8165 dependencies of your system configuration can be downloaded. See the
8166 ``Networking'' section below.
8169 The installation system includes many common tools needed for this task.
8170 But it is also a full-blown GuixSD system, which means that you can
8171 install additional packages, should you need it, using @command{guix
8172 package} (@pxref{Invoking guix package}).
8174 @subsubsection Keyboard Layout
8176 @cindex keyboard layout
8177 The installation image uses the US qwerty keyboard layout. If you want
8178 to change it, you can use the @command{loadkeys} command. For example,
8179 the following command selects the Dvorak keyboard layout:
8185 See the files under @file{/run/current-system/profile/share/keymaps} for
8186 a list of available keyboard layouts. Run @command{man loadkeys} for
8189 @subsubsection Networking
8191 Run the following command see what your network interfaces are called:
8198 @dots{} or, using the GNU/Linux-specific @command{ip} command:
8204 @c http://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c#n20
8205 Wired interfaces have a name starting with @samp{e}; for example, the
8206 interface corresponding to the first on-board Ethernet controller is
8207 called @samp{eno1}. Wireless interfaces have a name starting with
8208 @samp{w}, like @samp{w1p2s0}.
8211 @item Wired connection
8212 To configure a wired network run the following command, substituting
8213 @var{interface} with the name of the wired interface you want to use.
8216 ifconfig @var{interface} up
8219 @item Wireless connection
8222 To configure wireless networking, you can create a configuration file
8223 for the @command{wpa_supplicant} configuration tool (its location is not
8224 important) using one of the available text editors such as
8228 zile wpa_supplicant.conf
8231 As an example, the following stanza can go to this file and will work
8232 for many wireless networks, provided you give the actual SSID and
8233 passphrase for the network you are connecting to:
8237 ssid="@var{my-ssid}"
8239 psk="the network's secret passphrase"
8243 Start the wireless service and run it in the background with the
8244 following command (substitute @var{interface} with the name of the
8245 network interface you want to use):
8248 wpa_supplicant -c wpa_supplicant.conf -i @var{interface} -B
8251 Run @command{man wpa_supplicant} for more information.
8255 At this point, you need to acquire an IP address. On a network where IP
8256 addresses are automatically assigned @i{via} DHCP, you can run:
8259 dhclient -v @var{interface}
8262 Try to ping a server to see if networking is up and running:
8268 Setting up network access is almost always a requirement because the
8269 image does not contain all the software and tools that may be needed.
8271 @cindex installing over SSH
8272 If you want to, you can continue the installation remotely by starting
8276 herd start ssh-daemon
8279 Make sure to either set a password with @command{passwd}, or configure
8280 OpenSSH public key authentication before logging in.
8282 @subsubsection Disk Partitioning
8284 Unless this has already been done, the next step is to partition, and
8285 then format the target partition(s).
8287 The installation image includes several partitioning tools, including
8288 Parted (@pxref{Overview,,, parted, GNU Parted User Manual}),
8289 @command{fdisk}, and @command{cfdisk}. Run it and set up your disk with
8290 the partition layout you want:
8296 If your disk uses the GUID Partition Table (GPT) format and you plan to
8297 install BIOS-based GRUB (which is the default), make sure a BIOS Boot
8298 Partition is available (@pxref{BIOS installation,,, grub, GNU GRUB
8301 @cindex EFI, installation
8302 @cindex UEFI, installation
8303 @cindex ESP, EFI system partition
8304 If you instead wish to use EFI-based GRUB, a FAT32 @dfn{EFI System Partition}
8305 (ESP) is required. This partition should be mounted at @file{/boot/efi} and
8306 must have the @code{esp} flag set. E.g., for @command{parted}:
8309 parted /dev/sda set 1 esp on
8312 Once you are done partitioning the target hard disk drive, you have to
8313 create a file system on the relevant partition(s)@footnote{Currently
8314 GuixSD only supports ext4 and btrfs file systems. In particular, code
8315 that reads file system UUIDs and labels only works for these file system
8316 types.}. For the ESP, if you have one and assuming it is
8317 @file{/dev/sda2}, run:
8320 mkfs.fat -F32 /dev/sda2
8323 Preferably, assign file systems a label so that you can easily and
8324 reliably refer to them in @code{file-system} declarations (@pxref{File
8325 Systems}). This is typically done using the @code{-L} option of
8326 @command{mkfs.ext4} and related commands. So, assuming the target root
8327 partition lives at @file{/dev/sda1}, a file system with the label
8328 @code{my-root} can be created with:
8331 mkfs.ext4 -L my-root /dev/sda1
8334 @cindex encrypted disk
8335 If you are instead planning to encrypt the root partition, you can use
8336 the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
8337 @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
8338 @code{man cryptsetup}} for more information.) Assuming you want to
8339 store the root partition on @file{/dev/sda1}, the command sequence would
8340 be along these lines:
8343 cryptsetup luksFormat /dev/sda1
8344 cryptsetup open --type luks /dev/sda1 my-partition
8345 mkfs.ext4 -L my-root /dev/mapper/my-partition
8348 Once that is done, mount the target file system under @file{/mnt}
8349 with a command like (again, assuming @code{my-root} is the label of the
8353 mount LABEL=my-root /mnt
8356 Also mount any other file systems you would like to use on the target
8357 system relative to this path. If you have @file{/boot} on a separate
8358 partition for example, mount it at @file{/mnt/boot} now so it is found
8359 by @code{guix system init} afterwards.
8361 Finally, if you plan to use one or more swap partitions (@pxref{Memory
8362 Concepts, swap space,, libc, The GNU C Library Reference Manual}), make
8363 sure to initialize them with @command{mkswap}. Assuming you have one
8364 swap partition on @file{/dev/sda2}, you would run:
8371 Alternatively, you may use a swap file. For example, assuming that in
8372 the new system you want to use the file @file{/swapfile} as a swap file,
8373 you would run@footnote{This example will work for many types of file
8374 systems (e.g., ext4). However, for copy-on-write file systems (e.g.,
8375 btrfs), the required steps may be different. For details, see the
8376 manual pages for @command{mkswap} and @command{swapon}.}:
8379 # This is 10 GiB of swap space. Adjust "count" to change the size.
8380 dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240
8381 # For security, make the file readable and writable only by root.
8382 chmod 600 /mnt/swapfile
8383 mkswap /mnt/swapfile
8384 swapon /mnt/swapfile
8387 Note that if you have encrypted the root partition and created a swap
8388 file in its file system as described above, then the encryption also
8389 protects the swap file, just like any other file in that file system.
8391 @node Proceeding with the Installation
8392 @subsection Proceeding with the Installation
8394 With the target partitions ready and the target root mounted on
8395 @file{/mnt}, we're ready to go. First, run:
8398 herd start cow-store /mnt
8401 This makes @file{/gnu/store} copy-on-write, such that packages added to it
8402 during the installation phase are written to the target disk on @file{/mnt}
8403 rather than kept in memory. This is necessary because the first phase of
8404 the @command{guix system init} command (see below) entails downloads or
8405 builds to @file{/gnu/store} which, initially, is an in-memory file system.
8407 Next, you have to edit a file and
8408 provide the declaration of the operating system to be installed. To
8409 that end, the installation system comes with three text editors: GNU nano
8410 (@pxref{Top,,, nano, GNU nano Manual}), GNU Zile (an Emacs clone), and
8411 nvi (a clone of the original BSD @command{vi} editor).
8412 We strongly recommend storing that file on the target root file system, say,
8413 as @file{/mnt/etc/config.scm}. Failing to do that, you will have lost your
8414 configuration file once you have rebooted into the newly-installed system.
8416 @xref{Using the Configuration System}, for an overview of the
8417 configuration file. The example configurations discussed in that
8418 section are available under @file{/etc/configuration} in the
8419 installation image. Thus, to get started with a system configuration
8420 providing a graphical display server (a ``desktop'' system), you can run
8421 something along these lines:
8425 # cp /etc/configuration/desktop.scm /mnt/etc/config.scm
8426 # zile /mnt/etc/config.scm
8429 You should pay attention to what your configuration file contains, and
8434 Make sure the @code{bootloader-configuration} form refers to the target
8435 you want to install GRUB on. It should mention @code{grub-bootloader} if
8436 you are installing GRUB in the legacy way, or @code{grub-efi-bootloader}
8437 for newer UEFI systems. For legacy systems, the @code{target} field
8438 names a device, like @code{/dev/sda}; for UEFI systems it names a path
8439 to a mounted EFI partition, like @code{/boot/efi}, and do make sure the
8440 path is actually mounted.
8443 Be sure that your file system labels match the value of their respective
8444 @code{device} fields in your @code{file-system} configuration, assuming
8445 your @code{file-system} configuration sets the value of @code{title} to
8449 If there are encrypted or RAID partitions, make sure to add a
8450 @code{mapped-devices} field to describe them (@pxref{Mapped Devices}).
8453 Once you are done preparing the configuration file, the new system must
8454 be initialized (remember that the target root file system is mounted
8458 guix system init /mnt/etc/config.scm /mnt
8462 This copies all the necessary files and installs GRUB on
8463 @file{/dev/sdX}, unless you pass the @option{--no-bootloader} option. For
8464 more information, @pxref{Invoking guix system}. This command may trigger
8465 downloads or builds of missing packages, which can take some time.
8467 Once that command has completed---and hopefully succeeded!---you can run
8468 @command{reboot} and boot into the new system. The @code{root} password
8469 in the new system is initially empty; other users' passwords need to be
8470 initialized by running the @command{passwd} command as @code{root},
8471 unless your configuration specifies otherwise
8472 (@pxref{user-account-password, user account passwords}).
8474 @cindex upgrading GuixSD
8475 From then on, you can update GuixSD whenever you want by running
8476 @command{guix pull} as @code{root} (@pxref{Invoking guix pull}), and
8477 then running @command{guix system reconfigure} to build a new system
8478 generation with the latest packages and services (@pxref{Invoking guix
8479 system}). We recommend doing that regularly so that your system
8480 includes the latest security updates (@pxref{Security Updates}).
8482 Join us on @code{#guix} on the Freenode IRC network or on
8483 @file{guix-devel@@gnu.org} to share your experience---good or not so
8486 @node Installing GuixSD in a VM
8487 @subsection Installing GuixSD in a Virtual Machine
8489 @cindex virtual machine, GuixSD installation
8490 @cindex virtual private server (VPS)
8491 @cindex VPS (virtual private server)
8492 If you'd like to install GuixSD in a virtual machine (VM) or on a
8493 virtual private server (VPS) rather than on your beloved machine, this
8496 To boot a @uref{http://qemu.org/,QEMU} VM for installing GuixSD in a
8497 disk image, follow these steps:
8501 First, retrieve and decompress the GuixSD installation image as
8502 described previously (@pxref{USB Stick and DVD Installation}).
8505 Create a disk image that will hold the installed system. To make a
8506 qcow2-formatted disk image, use the @command{qemu-img} command:
8509 qemu-img create -f qcow2 guixsd.img 50G
8512 The resulting file will be much smaller than 50 GB (typically less than
8513 1 MB), but it will grow as the virtualized storage device is filled up.
8516 Boot the USB installation image in an VM:
8519 qemu-system-x86_64 -m 1024 -smp 1 \
8520 -net user -net nic,model=virtio -boot menu=on \
8521 -drive file=guixsd-install-@value{VERSION}.@var{system}.iso \
8522 -drive file=guixsd.img
8525 The ordering of the drives matters.
8527 In the VM console, quickly press the @kbd{F12} key to enter the boot
8528 menu. Then press the @kbd{2} key and the @kbd{RET} key to validate your
8532 You're now root in the VM, proceed with the installation process.
8533 @xref{Preparing for Installation}, and follow the instructions.
8536 Once installation is complete, you can boot the system that's on your
8537 @file{guixsd.img} image. @xref{Running GuixSD in a VM}, for how to do
8540 @node Building the Installation Image
8541 @subsection Building the Installation Image
8543 @cindex installation image
8544 The installation image described above was built using the @command{guix
8545 system} command, specifically:
8548 guix system disk-image gnu/system/install.scm
8551 Have a look at @file{gnu/system/install.scm} in the source tree,
8552 and see also @ref{Invoking guix system} for more information
8553 about the installation image.
8555 @node System Configuration
8556 @section System Configuration
8558 @cindex system configuration
8559 The Guix System Distribution supports a consistent whole-system configuration
8560 mechanism. By that we mean that all aspects of the global system
8561 configuration---such as the available system services, timezone and
8562 locale settings, user accounts---are declared in a single place. Such
8563 a @dfn{system configuration} can be @dfn{instantiated}---i.e., effected.
8565 One of the advantages of putting all the system configuration under the
8566 control of Guix is that it supports transactional system upgrades, and
8567 makes it possible to roll back to a previous system instantiation,
8568 should something go wrong with the new one (@pxref{Features}). Another
8569 advantage is that it makes it easy to replicate the exact same configuration
8570 across different machines, or at different points in time, without
8571 having to resort to additional administration tools layered on top of
8572 the own tools of the system.
8573 @c Yes, we're talking of Puppet, Chef, & co. here. ↑
8575 This section describes this mechanism. First we focus on the system
8576 administrator's viewpoint---explaining how the system is configured and
8577 instantiated. Then we show how this mechanism can be extended, for
8578 instance to support new system services.
8581 * Using the Configuration System:: Customizing your GNU system.
8582 * operating-system Reference:: Detail of operating-system declarations.
8583 * File Systems:: Configuring file system mounts.
8584 * Mapped Devices:: Block device extra processing.
8585 * User Accounts:: Specifying user accounts.
8586 * Locales:: Language and cultural convention settings.
8587 * Services:: Specifying system services.
8588 * Setuid Programs:: Programs running with root privileges.
8589 * X.509 Certificates:: Authenticating HTTPS servers.
8590 * Name Service Switch:: Configuring libc's name service switch.
8591 * Initial RAM Disk:: Linux-Libre bootstrapping.
8592 * Bootloader Configuration:: Configuring the boot loader.
8593 * Invoking guix system:: Instantiating a system configuration.
8594 * Running GuixSD in a VM:: How to run GuixSD in a virtual machine.
8595 * Defining Services:: Adding new service definitions.
8598 @node Using the Configuration System
8599 @subsection Using the Configuration System
8601 The operating system is configured by providing an
8602 @code{operating-system} declaration in a file that can then be passed to
8603 the @command{guix system} command (@pxref{Invoking guix system}). A
8604 simple setup, with the default system services, the default Linux-Libre
8605 kernel, initial RAM disk, and boot loader looks like this:
8607 @findex operating-system
8609 @include os-config-bare-bones.texi
8612 This example should be self-describing. Some of the fields defined
8613 above, such as @code{host-name} and @code{bootloader}, are mandatory.
8614 Others, such as @code{packages} and @code{services}, can be omitted, in
8615 which case they get a default value.
8617 Below we discuss the effect of some of the most important fields
8618 (@pxref{operating-system Reference}, for details about all the available
8619 fields), and how to @dfn{instantiate} the operating system using
8620 @command{guix system}.
8622 @unnumberedsubsubsec Globally-Visible Packages
8624 @vindex %base-packages
8625 The @code{packages} field lists packages that will be globally visible
8626 on the system, for all user accounts---i.e., in every user's @code{PATH}
8627 environment variable---in addition to the per-user profiles
8628 (@pxref{Invoking guix package}). The @var{%base-packages} variable
8629 provides all the tools one would expect for basic user and administrator
8630 tasks---including the GNU Core Utilities, the GNU Networking Utilities,
8631 the GNU Zile lightweight text editor, @command{find}, @command{grep},
8632 etc. The example above adds GNU@tie{}Screen and OpenSSH to those,
8633 taken from the @code{(gnu packages screen)} and @code{(gnu packages ssh)}
8634 modules (@pxref{Package Modules}). The
8635 @code{(list package output)} syntax can be used to add a specific output
8639 (use-modules (gnu packages))
8640 (use-modules (gnu packages dns))
8644 (packages (cons (list bind "utils")
8648 @findex specification->package
8649 Referring to packages by variable name, like @code{bind} above, has
8650 the advantage of being unambiguous; it also allows typos and such to be
8651 diagnosed right away as ``unbound variables''. The downside is that one
8652 needs to know which module defines which package, and to augment the
8653 @code{use-package-modules} line accordingly. To avoid that, one can use
8654 the @code{specification->package} procedure of the @code{(gnu packages)}
8655 module, which returns the best package for a given name or name and
8659 (use-modules (gnu packages))
8663 (packages (append (map specification->package
8664 '("tcpdump" "htop" "gnupg@@2.0"))
8668 @unnumberedsubsubsec System Services
8671 @vindex %base-services
8672 The @code{services} field lists @dfn{system services} to be made
8673 available when the system starts (@pxref{Services}).
8674 The @code{operating-system} declaration above specifies that, in
8675 addition to the basic services, we want the @command{lshd} secure shell
8676 daemon listening on port 2222 (@pxref{Networking Services,
8677 @code{lsh-service}}). Under the hood,
8678 @code{lsh-service} arranges so that @code{lshd} is started with the
8679 right command-line options, possibly with supporting configuration files
8680 generated as needed (@pxref{Defining Services}).
8682 @cindex customization, of services
8683 @findex modify-services
8684 Occasionally, instead of using the base services as is, you will want to
8685 customize them. To do this, use @code{modify-services} (@pxref{Service
8686 Reference, @code{modify-services}}) to modify the list.
8688 For example, suppose you want to modify @code{guix-daemon} and Mingetty
8689 (the console log-in) in the @var{%base-services} list (@pxref{Base
8690 Services, @code{%base-services}}). To do that, you can write the
8691 following in your operating system declaration:
8694 (define %my-services
8695 ;; My very own list of services.
8696 (modify-services %base-services
8697 (guix-service-type config =>
8700 (use-substitutes? #f)
8701 (extra-options '("--gc-keep-derivations"))))
8702 (mingetty-service-type config =>
8703 (mingetty-configuration
8704 (inherit config)))))
8708 (services %my-services))
8711 This changes the configuration---i.e., the service parameters---of the
8712 @code{guix-service-type} instance, and that of all the
8713 @code{mingetty-service-type} instances in the @var{%base-services} list.
8714 Observe how this is accomplished: first, we arrange for the original
8715 configuration to be bound to the identifier @code{config} in the
8716 @var{body}, and then we write the @var{body} so that it evaluates to the
8717 desired configuration. In particular, notice how we use @code{inherit}
8718 to create a new configuration which has the same values as the old
8719 configuration, but with a few modifications.
8721 @cindex encrypted disk
8722 The configuration for a typical ``desktop'' usage, with an encrypted
8723 root partition, the X11 display
8724 server, GNOME and Xfce (users can choose which of these desktop
8725 environments to use at the log-in screen by pressing @kbd{F1}), network
8726 management, power management, and more, would look like this:
8729 @include os-config-desktop.texi
8733 A graphical UEFI system with a choice of lightweight window managers
8734 instead of full-blown desktop environments would look like this:
8737 @include os-config-lightweight-desktop.texi
8740 This example refers to the @file{/boot/efi} file system by its UUID,
8741 @code{1234-ABCD}. Replace this UUID with the right UUID on your system,
8742 as returned by the @command{blkid} command.
8744 @xref{Desktop Services}, for the exact list of services provided by
8745 @var{%desktop-services}. @xref{X.509 Certificates}, for background
8746 information about the @code{nss-certs} package that is used here.
8748 Again, @var{%desktop-services} is just a list of service objects. If
8749 you want to remove services from there, you can do so using the
8750 procedures for list filtering (@pxref{SRFI-1 Filtering and
8751 Partitioning,,, guile, GNU Guile Reference Manual}). For instance, the
8752 following expression returns a list that contains all the services in
8753 @var{%desktop-services} minus the Avahi service:
8756 (remove (lambda (service)
8757 (eq? (service-kind service) avahi-service-type))
8761 @unnumberedsubsubsec Instantiating the System
8763 Assuming the @code{operating-system} declaration
8764 is stored in the @file{my-system-config.scm}
8765 file, the @command{guix system reconfigure my-system-config.scm} command
8766 instantiates that configuration, and makes it the default GRUB boot
8767 entry (@pxref{Invoking guix system}).
8769 The normal way to change the system configuration is by updating this
8770 file and re-running @command{guix system reconfigure}. One should never
8771 have to touch files in @file{/etc} or to run commands that modify the
8772 system state such as @command{useradd} or @command{grub-install}. In
8773 fact, you must avoid that since that would not only void your warranty
8774 but also prevent you from rolling back to previous versions of your
8775 system, should you ever need to.
8777 @cindex roll-back, of the operating system
8778 Speaking of roll-back, each time you run @command{guix system
8779 reconfigure}, a new @dfn{generation} of the system is created---without
8780 modifying or deleting previous generations. Old system generations get
8781 an entry in the bootloader boot menu, allowing you to boot them in case
8782 something went wrong with the latest generation. Reassuring, no? The
8783 @command{guix system list-generations} command lists the system
8784 generations available on disk. It is also possible to roll back the
8785 system via the commands @command{guix system roll-back} and
8786 @command{guix system switch-generation}.
8788 Although the command @command{guix system reconfigure} will not modify
8789 previous generations, must take care when the current generation is not
8790 the latest (e.g., after invoking @command{guix system roll-back}), since
8791 the operation might overwrite a later generation (@pxref{Invoking guix
8794 @unnumberedsubsubsec The Programming Interface
8796 At the Scheme level, the bulk of an @code{operating-system} declaration
8797 is instantiated with the following monadic procedure (@pxref{The Store
8800 @deffn {Monadic Procedure} operating-system-derivation os
8801 Return a derivation that builds @var{os}, an @code{operating-system}
8802 object (@pxref{Derivations}).
8804 The output of the derivation is a single directory that refers to all
8805 the packages, configuration files, and other supporting files needed to
8806 instantiate @var{os}.
8809 This procedure is provided by the @code{(gnu system)} module. Along
8810 with @code{(gnu services)} (@pxref{Services}), this module contains the
8811 guts of GuixSD. Make sure to visit it!
8814 @node operating-system Reference
8815 @subsection @code{operating-system} Reference
8817 This section summarizes all the options available in
8818 @code{operating-system} declarations (@pxref{Using the Configuration
8821 @deftp {Data Type} operating-system
8822 This is the data type representing an operating system configuration.
8823 By that, we mean all the global system configuration, not per-user
8824 configuration (@pxref{Using the Configuration System}).
8827 @item @code{kernel} (default: @var{linux-libre})
8828 The package object of the operating system kernel to use@footnote{Currently
8829 only the Linux-libre kernel is supported. In the future, it will be
8830 possible to use the GNU@tie{}Hurd.}.
8832 @item @code{kernel-arguments} (default: @code{'()})
8833 List of strings or gexps representing additional arguments to pass on
8834 the command-line of the kernel---e.g., @code{("console=ttyS0")}.
8836 @item @code{bootloader}
8837 The system bootloader configuration object. @xref{Bootloader Configuration}.
8839 @item @code{initrd} (default: @code{base-initrd})
8841 @cindex initial RAM disk
8842 A two-argument monadic procedure that returns an initial RAM disk for
8843 the Linux kernel. @xref{Initial RAM Disk}.
8845 @item @code{firmware} (default: @var{%base-firmware})
8847 List of firmware packages loadable by the operating system kernel.
8849 The default includes firmware needed for Atheros- and Broadcom-based
8850 WiFi devices (Linux-libre modules @code{ath9k} and @code{b43-open},
8851 respectively). @xref{Hardware Considerations}, for more info on
8854 @item @code{host-name}
8857 @item @code{hosts-file}
8859 A file-like object (@pxref{G-Expressions, file-like objects}) for use as
8860 @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library
8861 Reference Manual}). The default is a file with entries for
8862 @code{localhost} and @var{host-name}.
8864 @item @code{mapped-devices} (default: @code{'()})
8865 A list of mapped devices. @xref{Mapped Devices}.
8867 @item @code{file-systems}
8868 A list of file systems. @xref{File Systems}.
8870 @item @code{swap-devices} (default: @code{'()})
8871 @cindex swap devices
8872 A list of strings identifying devices or files to be used for ``swap
8873 space'' (@pxref{Memory Concepts,,, libc, The GNU C Library Reference
8874 Manual}). For example, @code{'("/dev/sda3")} or @code{'("/swapfile")}.
8875 It is possible to specify a swap file in a file system on a mapped
8876 device, provided that the necessary device mapping and file system are
8877 also specified. @xref{Mapped Devices} and @ref{File Systems}.
8879 @item @code{users} (default: @code{%base-user-accounts})
8880 @itemx @code{groups} (default: @var{%base-groups})
8881 List of user accounts and groups. @xref{User Accounts}.
8883 If the @code{users} list lacks a user account with UID@tie{}0, a
8884 ``root'' account with UID@tie{}0 is automatically added.
8886 @item @code{skeletons} (default: @code{(default-skeletons)})
8887 A list target file name/file-like object tuples (@pxref{G-Expressions,
8888 file-like objects}). These are the skeleton files that will be added to
8889 the home directory of newly-created user accounts.
8891 For instance, a valid value may look like this:
8894 `((".bashrc" ,(plain-file "bashrc" "echo Hello\n"))
8895 (".guile" ,(plain-file "guile"
8896 "(use-modules (ice-9 readline))
8897 (activate-readline)")))
8900 @item @code{issue} (default: @var{%default-issue})
8901 A string denoting the contents of the @file{/etc/issue} file, which is
8902 displayed when users log in on a text console.
8904 @item @code{packages} (default: @var{%base-packages})
8905 The set of packages installed in the global profile, which is accessible
8906 at @file{/run/current-system/profile}.
8908 The default set includes core utilities and it is good practice to
8909 install non-core utilities in user profiles (@pxref{Invoking guix
8912 @item @code{timezone}
8913 A timezone identifying string---e.g., @code{"Europe/Paris"}.
8915 You can run the @command{tzselect} command to find out which timezone
8916 string corresponds to your region. Choosing an invalid timezone name
8917 causes @command{guix system} to fail.
8919 @item @code{locale} (default: @code{"en_US.utf8"})
8920 The name of the default locale (@pxref{Locale Names,,, libc, The GNU C
8921 Library Reference Manual}). @xref{Locales}, for more information.
8923 @item @code{locale-definitions} (default: @var{%default-locale-definitions})
8924 The list of locale definitions to be compiled and that may be used at
8925 run time. @xref{Locales}.
8927 @item @code{locale-libcs} (default: @code{(list @var{glibc})})
8928 The list of GNU@tie{}libc packages whose locale data and tools are used
8929 to build the locale definitions. @xref{Locales}, for compatibility
8930 considerations that justify this option.
8932 @item @code{name-service-switch} (default: @var{%default-nss})
8933 Configuration of the libc name service switch (NSS)---a
8934 @code{<name-service-switch>} object. @xref{Name Service Switch}, for
8937 @item @code{services} (default: @var{%base-services})
8938 A list of service objects denoting system services. @xref{Services}.
8940 @item @code{pam-services} (default: @code{(base-pam-services)})
8942 @cindex pluggable authentication modules
8943 Linux @dfn{pluggable authentication module} (PAM) services.
8944 @c FIXME: Add xref to PAM services section.
8946 @item @code{setuid-programs} (default: @var{%setuid-programs})
8947 List of string-valued G-expressions denoting setuid programs.
8948 @xref{Setuid Programs}.
8950 @item @code{sudoers-file} (default: @var{%sudoers-specification})
8951 @cindex sudoers file
8952 The contents of the @file{/etc/sudoers} file as a file-like object
8953 (@pxref{G-Expressions, @code{local-file} and @code{plain-file}}).
8955 This file specifies which users can use the @command{sudo} command, what
8956 they are allowed to do, and what privileges they may gain. The default
8957 is that only @code{root} and members of the @code{wheel} group may use
8964 @subsection File Systems
8966 The list of file systems to be mounted is specified in the
8967 @code{file-systems} field of the operating system declaration
8968 (@pxref{Using the Configuration System}). Each file system is declared
8969 using the @code{file-system} form, like this:
8973 (mount-point "/home")
8974 (device "/dev/sda3")
8978 As usual, some of the fields are mandatory---those shown in the example
8979 above---while others can be omitted. These are described below.
8981 @deftp {Data Type} file-system
8982 Objects of this type represent file systems to be mounted. They
8983 contain the following members:
8987 This is a string specifying the type of the file system---e.g.,
8990 @item @code{mount-point}
8991 This designates the place where the file system is to be mounted.
8994 This names the ``source'' of the file system. By default it is the name
8995 of a node under @file{/dev}, but its meaning depends on the @code{title}
8996 field described below.
8998 @item @code{title} (default: @code{'device})
8999 This is a symbol that specifies how the @code{device} field is to be
9002 When it is the symbol @code{device}, then the @code{device} field is
9003 interpreted as a file name; when it is @code{label}, then @code{device}
9004 is interpreted as a file system label name; when it is @code{uuid},
9005 @code{device} is interpreted as a file system unique identifier (UUID).
9007 UUIDs may be converted from their string representation (as shown by the
9008 @command{tune2fs -l} command) using the @code{uuid} form@footnote{The
9009 @code{uuid} form expects 16-byte UUIDs as defined in
9010 @uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}. This is the
9011 form of UUID used by the ext2 family of file systems and others, but it
9012 is different from ``UUIDs'' found in FAT file systems, for instance.},
9017 (mount-point "/home")
9020 (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")))
9023 The @code{label} and @code{uuid} options offer a way to refer to file
9024 systems without having to hard-code their actual device
9025 name@footnote{Note that, while it is tempting to use
9026 @file{/dev/disk/by-uuid} and similar device names to achieve the same
9027 result, this is not recommended: These special device nodes are created
9028 by the udev daemon and may be unavailable at the time the device is
9031 However, when the source of a file system is a mapped device (@pxref{Mapped
9032 Devices}), its @code{device} field @emph{must} refer to the mapped
9033 device name---e.g., @file{/dev/mapper/root-partition}---and consequently
9034 @code{title} must be set to @code{'device}. This is required so that
9035 the system knows that mounting the file system depends on having the
9036 corresponding device mapping established.
9038 @item @code{flags} (default: @code{'()})
9039 This is a list of symbols denoting mount flags. Recognized flags
9040 include @code{read-only}, @code{bind-mount}, @code{no-dev} (disallow
9041 access to special files), @code{no-suid} (ignore setuid and setgid
9042 bits), and @code{no-exec} (disallow program execution.)
9044 @item @code{options} (default: @code{#f})
9045 This is either @code{#f}, or a string denoting mount options.
9047 @item @code{mount?} (default: @code{#t})
9048 This value indicates whether to automatically mount the file system when
9049 the system is brought up. When set to @code{#f}, the file system gets
9050 an entry in @file{/etc/fstab} (read by the @command{mount} command) but
9051 is not automatically mounted.
9053 @item @code{needed-for-boot?} (default: @code{#f})
9054 This Boolean value indicates whether the file system is needed when
9055 booting. If that is true, then the file system is mounted when the
9056 initial RAM disk (initrd) is loaded. This is always the case, for
9057 instance, for the root file system.
9059 @item @code{check?} (default: @code{#t})
9060 This Boolean indicates whether the file system needs to be checked for
9061 errors before being mounted.
9063 @item @code{create-mount-point?} (default: @code{#f})
9064 When true, the mount point is created if it does not exist yet.
9066 @item @code{dependencies} (default: @code{'()})
9067 This is a list of @code{<file-system>} or @code{<mapped-device>} objects
9068 representing file systems that must be mounted or mapped devices that
9069 must be opened before (and unmounted or closed after) this one.
9071 As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
9072 a dependency of @file{/sys/fs/cgroup/cpu} and
9073 @file{/sys/fs/cgroup/memory}.
9075 Another example is a file system that depends on a mapped device, for
9076 example for an encrypted partition (@pxref{Mapped Devices}).
9080 The @code{(gnu system file-systems)} exports the following useful
9083 @defvr {Scheme Variable} %base-file-systems
9084 These are essential file systems that are required on normal systems,
9085 such as @var{%pseudo-terminal-file-system} and @var{%immutable-store} (see
9086 below.) Operating system declarations should always contain at least
9090 @defvr {Scheme Variable} %pseudo-terminal-file-system
9091 This is the file system to be mounted as @file{/dev/pts}. It supports
9092 @dfn{pseudo-terminals} created @i{via} @code{openpty} and similar
9093 functions (@pxref{Pseudo-Terminals,,, libc, The GNU C Library Reference
9094 Manual}). Pseudo-terminals are used by terminal emulators such as
9098 @defvr {Scheme Variable} %shared-memory-file-system
9099 This file system is mounted as @file{/dev/shm} and is used to support
9100 memory sharing across processes (@pxref{Memory-mapped I/O,
9101 @code{shm_open},, libc, The GNU C Library Reference Manual}).
9104 @defvr {Scheme Variable} %immutable-store
9105 This file system performs a read-only ``bind mount'' of
9106 @file{/gnu/store}, making it read-only for all the users including
9107 @code{root}. This prevents against accidental modification by software
9108 running as @code{root} or by system administrators.
9110 The daemon itself is still able to write to the store: it remounts it
9111 read-write in its own ``name space.''
9114 @defvr {Scheme Variable} %binary-format-file-system
9115 The @code{binfmt_misc} file system, which allows handling of arbitrary
9116 executable file types to be delegated to user space. This requires the
9117 @code{binfmt.ko} kernel module to be loaded.
9120 @defvr {Scheme Variable} %fuse-control-file-system
9121 The @code{fusectl} file system, which allows unprivileged users to mount
9122 and unmount user-space FUSE file systems. This requires the
9123 @code{fuse.ko} kernel module to be loaded.
9126 @node Mapped Devices
9127 @subsection Mapped Devices
9129 @cindex device mapping
9130 @cindex mapped devices
9131 The Linux kernel has a notion of @dfn{device mapping}: a block device,
9132 such as a hard disk partition, can be @dfn{mapped} into another device,
9133 usually in @code{/dev/mapper/},
9134 with additional processing over the data that flows through
9135 it@footnote{Note that the GNU@tie{}Hurd makes no difference between the
9136 concept of a ``mapped device'' and that of a file system: both boil down
9137 to @emph{translating} input/output operations made on a file to
9138 operations on its backing store. Thus, the Hurd implements mapped
9139 devices, like file systems, using the generic @dfn{translator} mechanism
9140 (@pxref{Translators,,, hurd, The GNU Hurd Reference Manual}).}. A
9141 typical example is encryption device mapping: all writes to the mapped
9142 device are encrypted, and all reads are deciphered, transparently.
9143 Guix extends this notion by considering any device or set of devices that
9144 are @dfn{transformed} in some way to create a new device; for instance,
9145 RAID devices are obtained by @dfn{assembling} several other devices, such
9146 as hard disks or partitions, into a new one that behaves as one partition.
9147 Other examples, not yet implemented, are LVM logical volumes.
9149 Mapped devices are declared using the @code{mapped-device} form,
9150 defined as follows; for examples, see below.
9152 @deftp {Data Type} mapped-device
9153 Objects of this type represent device mappings that will be made when
9154 the system boots up.
9158 This is either a string specifying the name of the block device to be mapped,
9159 such as @code{"/dev/sda3"}, or a list of such strings when several devices
9160 need to be assembled for creating a new one.
9163 This string specifies the name of the resulting mapped device. For
9164 kernel mappers such as encrypted devices of type @code{luks-device-mapping},
9165 specifying @code{"my-partition"} leads to the creation of
9166 the @code{"/dev/mapper/my-partition"} device.
9167 For RAID devices of type @code{raid-device-mapping}, the full device name
9168 such as @code{"/dev/md0"} needs to be given.
9171 This must be a @code{mapped-device-kind} object, which specifies how
9172 @var{source} is mapped to @var{target}.
9176 @defvr {Scheme Variable} luks-device-mapping
9177 This defines LUKS block device encryption using the @command{cryptsetup}
9178 command from the package with the same name. It relies on the
9179 @code{dm-crypt} Linux kernel module.
9182 @defvr {Scheme Variable} raid-device-mapping
9183 This defines a RAID device, which is assembled using the @code{mdadm}
9184 command from the package with the same name. It requires a Linux kernel
9185 module for the appropriate RAID level to be loaded, such as @code{raid456}
9186 for RAID-4, RAID-5 or RAID-6, or @code{raid10} for RAID-10.
9189 @cindex disk encryption
9191 The following example specifies a mapping from @file{/dev/sda3} to
9192 @file{/dev/mapper/home} using LUKS---the
9193 @url{https://gitlab.com/cryptsetup/cryptsetup,Linux Unified Key Setup}, a
9194 standard mechanism for disk encryption.
9195 The @file{/dev/mapper/home}
9196 device can then be used as the @code{device} of a @code{file-system}
9197 declaration (@pxref{File Systems}).
9201 (source "/dev/sda3")
9203 (type luks-device-mapping))
9206 Alternatively, to become independent of device numbering, one may obtain
9207 the LUKS UUID (@dfn{unique identifier}) of the source device by a
9211 cryptsetup luksUUID /dev/sda3
9214 and use it as follows:
9218 (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
9220 (type luks-device-mapping))
9223 @cindex swap encryption
9224 It is also desirable to encrypt swap space, since swap space may contain
9225 sensitive data. One way to accomplish that is to use a swap file in a
9226 file system on a device mapped via LUKS encryption. In this way, the
9227 swap file is encrypted because the entire device is encrypted.
9228 @xref{Preparing for Installation,,Disk Partitioning}, for an example.
9230 A RAID device formed of the partitions @file{/dev/sda1} and @file{/dev/sdb1}
9231 may be declared as follows:
9235 (source (list "/dev/sda1" "/dev/sdb1"))
9237 (type raid-device-mapping))
9240 The @file{/dev/md0} device can then be used as the @code{device} of a
9241 @code{file-system} declaration (@pxref{File Systems}).
9242 Note that the RAID level need not be given; it is chosen during the
9243 initial creation and formatting of the RAID device and is determined
9244 automatically later.
9248 @subsection User Accounts
9252 @cindex user accounts
9253 User accounts and groups are entirely managed through the
9254 @code{operating-system} declaration. They are specified with the
9255 @code{user-account} and @code{user-group} forms:
9261 (supplementary-groups '("wheel" ;allow use of sudo, etc.
9263 "video" ;video devices such as webcams
9264 "cdrom")) ;the good ol' CD-ROM
9265 (comment "Bob's sister")
9266 (home-directory "/home/alice"))
9269 When booting or upon completion of @command{guix system reconfigure},
9270 the system ensures that only the user accounts and groups specified in
9271 the @code{operating-system} declaration exist, and with the specified
9272 properties. Thus, account or group creations or modifications made by
9273 directly invoking commands such as @command{useradd} are lost upon
9274 reconfiguration or reboot. This ensures that the system remains exactly
9277 @deftp {Data Type} user-account
9278 Objects of this type represent user accounts. The following members may
9283 The name of the user account.
9287 This is the name (a string) or identifier (a number) of the user group
9288 this account belongs to.
9290 @item @code{supplementary-groups} (default: @code{'()})
9291 Optionally, this can be defined as a list of group names that this
9294 @item @code{uid} (default: @code{#f})
9295 This is the user ID for this account (a number), or @code{#f}. In the
9296 latter case, a number is automatically chosen by the system when the
9299 @item @code{comment} (default: @code{""})
9300 A comment about the account, such as the account owner's full name.
9302 @item @code{home-directory}
9303 This is the name of the home directory for the account.
9305 @item @code{create-home-directory?} (default: @code{#t})
9306 Indicates whether the home directory of this account should be created
9307 if it does not exist yet.
9309 @item @code{shell} (default: Bash)
9310 This is a G-expression denoting the file name of a program to be used as
9311 the shell (@pxref{G-Expressions}).
9313 @item @code{system?} (default: @code{#f})
9314 This Boolean value indicates whether the account is a ``system''
9315 account. System accounts are sometimes treated specially; for instance,
9316 graphical login managers do not list them.
9318 @anchor{user-account-password}
9319 @item @code{password} (default: @code{#f})
9320 You would normally leave this field to @code{#f}, initialize user
9321 passwords as @code{root} with the @command{passwd} command, and then let
9322 users change it with @command{passwd}. Passwords set with
9323 @command{passwd} are of course preserved across reboot and
9326 If you @emph{do} want to have a preset password for an account, then
9327 this field must contain the encrypted password, as a string.
9328 @xref{crypt,,, libc, The GNU C Library Reference Manual}, for more information
9329 on password encryption, and @ref{Encryption,,, guile, GNU Guile Reference
9330 Manual}, for information on Guile's @code{crypt} procedure.
9336 User group declarations are even simpler:
9339 (user-group (name "students"))
9342 @deftp {Data Type} user-group
9343 This type is for, well, user groups. There are just a few fields:
9347 The name of the group.
9349 @item @code{id} (default: @code{#f})
9350 The group identifier (a number). If @code{#f}, a new number is
9351 automatically allocated when the group is created.
9353 @item @code{system?} (default: @code{#f})
9354 This Boolean value indicates whether the group is a ``system'' group.
9355 System groups have low numerical IDs.
9357 @item @code{password} (default: @code{#f})
9358 What, user groups can have a password? Well, apparently yes. Unless
9359 @code{#f}, this field specifies the password of the group.
9364 For convenience, a variable lists all the basic user groups one may
9367 @defvr {Scheme Variable} %base-groups
9368 This is the list of basic user groups that users and/or packages expect
9369 to be present on the system. This includes groups such as ``root'',
9370 ``wheel'', and ``users'', as well as groups used to control access to
9371 specific devices such as ``audio'', ``disk'', and ``cdrom''.
9374 @defvr {Scheme Variable} %base-user-accounts
9375 This is the list of basic system accounts that programs may expect to
9376 find on a GNU/Linux system, such as the ``nobody'' account.
9378 Note that the ``root'' account is not included here. It is a
9379 special-case and is automatically added whether or not it is specified.
9386 A @dfn{locale} defines cultural conventions for a particular language
9387 and region of the world (@pxref{Locales,,, libc, The GNU C Library
9388 Reference Manual}). Each locale has a name that typically has the form
9389 @code{@var{language}_@var{territory}.@var{codeset}}---e.g.,
9390 @code{fr_LU.utf8} designates the locale for the French language, with
9391 cultural conventions from Luxembourg, and using the UTF-8 encoding.
9393 @cindex locale definition
9394 Usually, you will want to specify the default locale for the machine
9395 using the @code{locale} field of the @code{operating-system} declaration
9396 (@pxref{operating-system Reference, @code{locale}}).
9398 The selected locale is automatically added to the @dfn{locale
9399 definitions} known to the system if needed, with its codeset inferred
9400 from its name---e.g., @code{bo_CN.utf8} will be assumed to use the
9401 @code{UTF-8} codeset. Additional locale definitions can be specified in
9402 the @code{locale-definitions} slot of @code{operating-system}---this is
9403 useful, for instance, if the codeset could not be inferred from the
9404 locale name. The default set of locale definitions includes some widely
9405 used locales, but not all the available locales, in order to save space.
9407 For instance, to add the North Frisian locale for Germany, the value of
9411 (cons (locale-definition
9412 (name "fy_DE.utf8") (source "fy_DE"))
9413 %default-locale-definitions)
9416 Likewise, to save space, one might want @code{locale-definitions} to
9417 list only the locales that are actually used, as in:
9420 (list (locale-definition
9421 (name "ja_JP.eucjp") (source "ja_JP")
9422 (charset "EUC-JP")))
9426 The compiled locale definitions are available at
9427 @file{/run/current-system/locale/X.Y}, where @code{X.Y} is the libc
9428 version, which is the default location where the GNU@tie{}libc provided
9429 by Guix looks for locale data. This can be overridden using the
9430 @code{LOCPATH} environment variable (@pxref{locales-and-locpath,
9431 @code{LOCPATH} and locale packages}).
9433 The @code{locale-definition} form is provided by the @code{(gnu system
9434 locale)} module. Details are given below.
9436 @deftp {Data Type} locale-definition
9437 This is the data type of a locale definition.
9442 The name of the locale. @xref{Locale Names,,, libc, The GNU C Library
9443 Reference Manual}, for more information on locale names.
9446 The name of the source for that locale. This is typically the
9447 @code{@var{language}_@var{territory}} part of the locale name.
9449 @item @code{charset} (default: @code{"UTF-8"})
9450 The ``character set'' or ``code set'' for that locale,
9451 @uref{http://www.iana.org/assignments/character-sets, as defined by
9457 @defvr {Scheme Variable} %default-locale-definitions
9458 A list of commonly used UTF-8 locales, used as the default
9459 value of the @code{locale-definitions} field of @code{operating-system}
9463 @cindex normalized codeset in locale names
9464 These locale definitions use the @dfn{normalized codeset} for the part
9465 that follows the dot in the name (@pxref{Using gettextized software,
9466 normalized codeset,, libc, The GNU C Library Reference Manual}). So for
9467 instance it has @code{uk_UA.utf8} but @emph{not}, say,
9471 @subsubsection Locale Data Compatibility Considerations
9473 @cindex incompatibility, of locale data
9474 @code{operating-system} declarations provide a @code{locale-libcs} field
9475 to specify the GNU@tie{}libc packages that are used to compile locale
9476 declarations (@pxref{operating-system Reference}). ``Why would I
9477 care?'', you may ask. Well, it turns out that the binary format of
9478 locale data is occasionally incompatible from one libc version to
9481 @c See <https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html>
9482 @c and <https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00737.html>.
9483 For instance, a program linked against libc version 2.21 is unable to
9484 read locale data produced with libc 2.22; worse, that program
9485 @emph{aborts} instead of simply ignoring the incompatible locale
9486 data@footnote{Versions 2.23 and later of GNU@tie{}libc will simply skip
9487 the incompatible locale data, which is already an improvement.}.
9488 Similarly, a program linked against libc 2.22 can read most, but not
9489 all, of the locale data from libc 2.21 (specifically, @code{LC_COLLATE}
9490 data is incompatible); thus calls to @code{setlocale} may fail, but
9491 programs will not abort.
9493 The ``problem'' in GuixSD is that users have a lot of freedom: They can
9494 choose whether and when to upgrade software in their profiles, and might
9495 be using a libc version different from the one the system administrator
9496 used to build the system-wide locale data.
9498 Fortunately, unprivileged users can also install their own locale data
9499 and define @var{GUIX_LOCPATH} accordingly (@pxref{locales-and-locpath,
9500 @code{GUIX_LOCPATH} and locale packages}).
9502 Still, it is best if the system-wide locale data at
9503 @file{/run/current-system/locale} is built for all the libc versions
9504 actually in use on the system, so that all the programs can access
9505 it---this is especially crucial on a multi-user system. To do that, the
9506 administrator can specify several libc packages in the
9507 @code{locale-libcs} field of @code{operating-system}:
9510 (use-package-modules base)
9514 (locale-libcs (list glibc-2.21 (canonical-package glibc))))
9517 This example would lead to a system containing locale definitions for
9518 both libc 2.21 and the current version of libc in
9519 @file{/run/current-system/locale}.
9523 @subsection Services
9525 @cindex system services
9526 An important part of preparing an @code{operating-system} declaration is
9527 listing @dfn{system services} and their configuration (@pxref{Using the
9528 Configuration System}). System services are typically daemons launched
9529 when the system boots, or other actions needed at that time---e.g.,
9530 configuring network access.
9532 GuixSD has a broad definition of ``service'' (@pxref{Service
9533 Composition}), but many services are managed by the GNU@tie{}Shepherd
9534 (@pxref{Shepherd Services}). On a running system, the @command{herd}
9535 command allows you to list the available services, show their status,
9536 start and stop them, or do other specific operations (@pxref{Jump
9537 Start,,, shepherd, The GNU Shepherd Manual}). For example:
9543 The above command, run as @code{root}, lists the currently defined
9544 services. The @command{herd doc} command shows a synopsis of the given
9549 Run libc's name service cache daemon (nscd).
9552 The @command{start}, @command{stop}, and @command{restart} sub-commands
9553 have the effect you would expect. For instance, the commands below stop
9554 the nscd service and restart the Xorg display server:
9558 Service nscd has been stopped.
9559 # herd restart xorg-server
9560 Service xorg-server has been stopped.
9561 Service xorg-server has been started.
9564 The following sections document the available services, starting with
9565 the core services, that may be used in an @code{operating-system}
9569 * Base Services:: Essential system services.
9570 * Scheduled Job Execution:: The mcron service.
9571 * Log Rotation:: The rottlog service.
9572 * Networking Services:: Network setup, SSH daemon, etc.
9573 * X Window:: Graphical display.
9574 * Printing Services:: Local and remote printer support.
9575 * Desktop Services:: D-Bus and desktop services.
9576 * Database Services:: SQL databases, key-value stores, etc.
9577 * Mail Services:: IMAP, POP3, SMTP, and all that.
9578 * Messaging Services:: Messaging services.
9579 * Telephony Services:: Telephony services.
9580 * Monitoring Services:: Monitoring services.
9581 * Kerberos Services:: Kerberos services.
9582 * Web Services:: Web servers.
9583 * Certificate Services:: TLS certificates via Let's Encrypt.
9584 * DNS Services:: DNS daemons.
9585 * VPN Services:: VPN daemons.
9586 * Network File System:: NFS related services.
9587 * Continuous Integration:: The Cuirass service.
9588 * Power management Services:: The TLP tool.
9589 * Audio Services:: The MPD.
9590 * Virtualization Services:: Virtualization services.
9591 * Version Control Services:: Providing remote access to Git repositories.
9592 * Game Services:: Game servers.
9593 * Miscellaneous Services:: Other services.
9597 @subsubsection Base Services
9599 The @code{(gnu services base)} module provides definitions for the basic
9600 services that one expects from the system. The services exported by
9601 this module are listed below.
9603 @defvr {Scheme Variable} %base-services
9604 This variable contains a list of basic services (@pxref{Service Types
9605 and Services}, for more information on service objects) one would
9606 expect from the system: a login service (mingetty) on each tty, syslogd,
9607 the libc name service cache daemon (nscd), the udev device manager, and
9610 This is the default value of the @code{services} field of
9611 @code{operating-system} declarations. Usually, when customizing a
9612 system, you will want to append services to @var{%base-services}, like
9616 (cons* (avahi-service) (lsh-service) %base-services)
9620 @defvr {Scheme Variable} special-files-service-type
9621 This is the service that sets up ``special files'' such as
9622 @file{/bin/sh}; an instance of it is part of @code{%base-services}.
9624 The value associated with @code{special-files-service-type} services
9625 must be a list of tuples where the first element is the ``special file''
9626 and the second element is its target. By default it is:
9628 @cindex @file{/bin/sh}
9629 @cindex @file{sh}, in @file{/bin}
9631 `(("/bin/sh" ,(file-append @var{bash} "/bin/sh")))
9634 @cindex @file{/usr/bin/env}
9635 @cindex @file{env}, in @file{/usr/bin}
9636 If you want to add, say, @code{/usr/bin/env} to your system, you can
9640 `(("/bin/sh" ,(file-append @var{bash} "/bin/sh"))
9641 ("/usr/bin/env" ,(file-append @var{coreutils} "/bin/env")))
9644 Since this is part of @code{%base-services}, you can use
9645 @code{modify-services} to customize the set of special files
9646 (@pxref{Service Reference, @code{modify-services}}). But the simple way
9647 to add a special file is @i{via} the @code{extra-special-file} procedure
9651 @deffn {Scheme Procedure} extra-special-file @var{file} @var{target}
9652 Use @var{target} as the ``special file'' @var{file}.
9654 For example, adding the following lines to the @code{services} field of
9655 your operating system declaration leads to a @file{/usr/bin/env}
9659 (extra-special-file "/usr/bin/env"
9660 (file-append coreutils "/bin/env"))
9664 @deffn {Scheme Procedure} host-name-service @var{name}
9665 Return a service that sets the host name to @var{name}.
9668 @deffn {Scheme Procedure} login-service @var{config}
9669 Return a service to run login according to @var{config}, a
9670 @code{<login-configuration>} object, which specifies the message of the day,
9674 @deftp {Data Type} login-configuration
9675 This is the data type representing the configuration of login.
9680 @cindex message of the day
9681 A file-like object containing the ``message of the day''.
9683 @item @code{allow-empty-passwords?} (default: @code{#t})
9684 Allow empty passwords by default so that first-time users can log in when
9685 the 'root' account has just been created.
9690 @deffn {Scheme Procedure} mingetty-service @var{config}
9691 Return a service to run mingetty according to @var{config}, a
9692 @code{<mingetty-configuration>} object, which specifies the tty to run, among
9696 @deftp {Data Type} mingetty-configuration
9697 This is the data type representing the configuration of Mingetty, which
9698 provides the default implementation of virtual console log-in.
9703 The name of the console this Mingetty runs on---e.g., @code{"tty1"}.
9705 @item @code{auto-login} (default: @code{#f})
9706 When true, this field must be a string denoting the user name under
9707 which the system automatically logs in. When it is @code{#f}, a
9708 user name and password must be entered to log in.
9710 @item @code{login-program} (default: @code{#f})
9711 This must be either @code{#f}, in which case the default log-in program
9712 is used (@command{login} from the Shadow tool suite), or a gexp denoting
9713 the name of the log-in program.
9715 @item @code{login-pause?} (default: @code{#f})
9716 When set to @code{#t} in conjunction with @var{auto-login}, the user
9717 will have to press a key before the log-in shell is launched.
9719 @item @code{mingetty} (default: @var{mingetty})
9720 The Mingetty package to use.
9725 @deffn {Scheme Procedure} agetty-service @var{config}
9726 Return a service to run agetty according to @var{config}, an
9727 @code{<agetty-configuration>} object, which specifies the tty to run,
9731 @deftp {Data Type} agetty-configuration
9732 This is the data type representing the configuration of agetty, which
9733 implements virtual and serial console log-in. See the @code{agetty(8)}
9734 man page for more information.
9739 The name of the console this agetty runs on, as a string---e.g.,
9740 @code{"ttyS0"}. This argument is optional, it will default to
9741 a reasonable default serial port used by the kernel Linux.
9743 For this, if there is a value for an option @code{agetty.tty} in the kernel
9744 command line, agetty will extract the device name of the serial port
9745 from it and use that.
9747 If not and if there is a value for an option @code{console} with a tty in
9748 the Linux command line, agetty will extract the device name of the
9749 serial port from it and use that.
9751 In both cases, agetty will leave the other serial device settings
9752 (baud rate etc.) alone---in the hope that Linux pinned them to the
9755 @item @code{baud-rate} (default: @code{#f})
9756 A string containing a comma-separated list of one or more baud rates, in
9759 @item @code{term} (default: @code{#f})
9760 A string containing the value used for the @code{TERM} environment
9763 @item @code{eight-bits?} (default: @code{#f})
9764 When @code{#t}, the tty is assumed to be 8-bit clean, and parity detection is
9767 @item @code{auto-login} (default: @code{#f})
9768 When passed a login name, as a string, the specified user will be logged
9769 in automatically without prompting for their login name or password.
9771 @item @code{no-reset?} (default: @code{#f})
9772 When @code{#t}, don't reset terminal cflags (control modes).
9774 @item @code{host} (default: @code{#f})
9775 This accepts a string containing the "login_host", which will be written
9776 into the @file{/var/run/utmpx} file.
9778 @item @code{remote?} (default: @code{#f})
9779 When set to @code{#t} in conjunction with @var{host}, this will add an
9780 @code{-r} fakehost option to the command line of the login program
9781 specified in @var{login-program}.
9783 @item @code{flow-control?} (default: @code{#f})
9784 When set to @code{#t}, enable hardware (RTS/CTS) flow control.
9786 @item @code{no-issue?} (default: @code{#f})
9787 When set to @code{#t}, the contents of the @file{/etc/issue} file will
9788 not be displayed before presenting the login prompt.
9790 @item @code{init-string} (default: @code{#f})
9791 This accepts a string that will be sent to the tty or modem before
9792 sending anything else. It can be used to initialize a modem.
9794 @item @code{no-clear?} (default: @code{#f})
9795 When set to @code{#t}, agetty will not clear the screen before showing
9798 @item @code{login-program} (default: (file-append shadow "/bin/login"))
9799 This must be either a gexp denoting the name of a log-in program, or
9800 unset, in which case the default value is the @command{login} from the
9803 @item @code{local-line} (default: @code{#f})
9804 Control the CLOCAL line flag. This accepts one of three symbols as
9805 arguments, @code{'auto}, @code{'always}, or @code{'never}. If @code{#f},
9806 the default value chosen by agetty is @code{'auto}.
9808 @item @code{extract-baud?} (default: @code{#f})
9809 When set to @code{#t}, instruct agetty to try to extract the baud rate
9810 from the status messages produced by certain types of modems.
9812 @item @code{skip-login?} (default: @code{#f})
9813 When set to @code{#t}, do not prompt the user for a login name. This
9814 can be used with @var{login-program} field to use non-standard login
9817 @item @code{no-newline?} (default: @code{#f})
9818 When set to @code{#t}, do not print a newline before printing the
9819 @file{/etc/issue} file.
9821 @c Is this dangerous only when used with login-program, or always?
9822 @item @code{login-options} (default: @code{#f})
9823 This option accepts a string containing options that are passed to the
9824 login program. When used with the @var{login-program}, be aware that a
9825 malicious user could try to enter a login name containing embedded
9826 options that could be parsed by the login program.
9828 @item @code{login-pause} (default: @code{#f})
9829 When set to @code{#t}, wait for any key before showing the login prompt.
9830 This can be used in conjunction with @var{auto-login} to save memory by
9831 lazily spawning shells.
9833 @item @code{chroot} (default: @code{#f})
9834 Change root to the specified directory. This option accepts a directory
9837 @item @code{hangup?} (default: @code{#f})
9838 Use the Linux system call @code{vhangup} to do a virtual hangup of the
9841 @item @code{keep-baud?} (default: @code{#f})
9842 When set to @code{#t}, try to keep the existing baud rate. The baud
9843 rates from @var{baud-rate} are used when agetty receives a @key{BREAK}
9846 @item @code{timeout} (default: @code{#f})
9847 When set to an integer value, terminate if no user name could be read
9848 within @var{timeout} seconds.
9850 @item @code{detect-case?} (default: @code{#f})
9851 When set to @code{#t}, turn on support for detecting an uppercase-only
9852 terminal. This setting will detect a login name containing only
9853 uppercase letters as indicating an uppercase-only terminal and turn on
9854 some upper-to-lower case conversions. Note that this will not support
9857 @item @code{wait-cr?} (default: @code{#f})
9858 When set to @code{#t}, wait for the user or modem to send a
9859 carriage-return or linefeed character before displaying
9860 @file{/etc/issue} or login prompt. This is typically used with the
9861 @var{init-string} option.
9863 @item @code{no-hints?} (default: @code{#f})
9864 When set to @code{#t}, do not print hints about Num, Caps, and Scroll
9867 @item @code{no-hostname?} (default: @code{#f})
9868 By default, the hostname is printed. When this option is set to
9869 @code{#t}, no hostname will be shown at all.
9871 @item @code{long-hostname?} (default: @code{#f})
9872 By default, the hostname is only printed until the first dot. When this
9873 option is set to @code{#t}, the fully qualified hostname by
9874 @code{gethostname} or @code{getaddrinfo} is shown.
9876 @item @code{erase-characters} (default: @code{#f})
9877 This option accepts a string of additional characters that should be
9878 interpreted as backspace when the user types their login name.
9880 @item @code{kill-characters} (default: @code{#f})
9881 This option accepts a string that should be interpreted to mean "ignore
9882 all previous characters" (also called a "kill" character) when the types
9885 @item @code{chdir} (default: @code{#f})
9886 This option accepts, as a string, a directory path that will be changed
9889 @item @code{delay} (default: @code{#f})
9890 This options accepts, as an integer, the number of seconds to sleep
9891 before opening the tty and displaying the login prompt.
9893 @item @code{nice} (default: @code{#f})
9894 This option accepts, as an integer, the nice value with which to run the
9895 @command{login} program.
9897 @item @code{extra-options} (default: @code{'()})
9898 This option provides an "escape hatch" for the user to provide arbitrary
9899 command-line arguments to @command{agetty} as a list of strings.
9904 @deffn {Scheme Procedure} kmscon-service-type @var{config}
9905 Return a service to run @uref{https://www.freedesktop.org/wiki/Software/kmscon,kmscon}
9906 according to @var{config}, a @code{<kmscon-configuration>} object, which
9907 specifies the tty to run, among other things.
9910 @deftp {Data Type} kmscon-configuration
9911 This is the data type representing the configuration of Kmscon, which
9912 implements virtual console log-in.
9916 @item @code{virtual-terminal}
9917 The name of the console this Kmscon runs on---e.g., @code{"tty1"}.
9919 @item @code{login-program} (default: @code{#~(string-append #$shadow "/bin/login")})
9920 A gexp denoting the name of the log-in program. The default log-in program is
9921 @command{login} from the Shadow tool suite.
9923 @item @code{login-arguments} (default: @code{'("-p")})
9924 A list of arguments to pass to @command{login}.
9926 @item @code{hardware-acceleration?} (default: #f)
9927 Whether to use hardware acceleration.
9929 @item @code{kmscon} (default: @var{kmscon})
9930 The Kmscon package to use.
9935 @cindex name service cache daemon
9937 @deffn {Scheme Procedure} nscd-service [@var{config}] [#:glibc glibc] @
9938 [#:name-services '()]
9939 Return a service that runs the libc name service cache daemon (nscd) with the
9940 given @var{config}---an @code{<nscd-configuration>} object. @xref{Name
9941 Service Switch}, for an example.
9944 @defvr {Scheme Variable} %nscd-default-configuration
9945 This is the default @code{<nscd-configuration>} value (see below) used
9946 by @code{nscd-service}. It uses the caches defined by
9947 @var{%nscd-default-caches}; see below.
9950 @deftp {Data Type} nscd-configuration
9951 This is the data type representing the name service cache daemon (nscd)
9956 @item @code{name-services} (default: @code{'()})
9957 List of packages denoting @dfn{name services} that must be visible to
9958 the nscd---e.g., @code{(list @var{nss-mdns})}.
9960 @item @code{glibc} (default: @var{glibc})
9961 Package object denoting the GNU C Library providing the @command{nscd}
9964 @item @code{log-file} (default: @code{"/var/log/nscd.log"})
9965 Name of the nscd log file. This is where debugging output goes when
9966 @code{debug-level} is strictly positive.
9968 @item @code{debug-level} (default: @code{0})
9969 Integer denoting the debugging levels. Higher numbers mean that more
9970 debugging output is logged.
9972 @item @code{caches} (default: @var{%nscd-default-caches})
9973 List of @code{<nscd-cache>} objects denoting things to be cached; see
9979 @deftp {Data Type} nscd-cache
9980 Data type representing a cache database of nscd and its parameters.
9984 @item @code{database}
9985 This is a symbol representing the name of the database to be cached.
9986 Valid values are @code{passwd}, @code{group}, @code{hosts}, and
9987 @code{services}, which designate the corresponding NSS database
9988 (@pxref{NSS Basics,,, libc, The GNU C Library Reference Manual}).
9990 @item @code{positive-time-to-live}
9991 @itemx @code{negative-time-to-live} (default: @code{20})
9992 A number representing the number of seconds during which a positive or
9993 negative lookup result remains in cache.
9995 @item @code{check-files?} (default: @code{#t})
9996 Whether to check for updates of the files corresponding to
9999 For instance, when @var{database} is @code{hosts}, setting this flag
10000 instructs nscd to check for updates in @file{/etc/hosts} and to take
10003 @item @code{persistent?} (default: @code{#t})
10004 Whether the cache should be stored persistently on disk.
10006 @item @code{shared?} (default: @code{#t})
10007 Whether the cache should be shared among users.
10009 @item @code{max-database-size} (default: 32@tie{}MiB)
10010 Maximum size in bytes of the database cache.
10012 @c XXX: 'suggested-size' and 'auto-propagate?' seem to be expert
10013 @c settings, so leave them out.
10018 @defvr {Scheme Variable} %nscd-default-caches
10019 List of @code{<nscd-cache>} objects used by default by
10020 @code{nscd-configuration} (see above).
10022 It enables persistent and aggressive caching of service and host name
10023 lookups. The latter provides better host name lookup performance,
10024 resilience in the face of unreliable name servers, and also better
10025 privacy---often the result of host name lookups is in local cache, so
10026 external name servers do not even need to be queried.
10029 @anchor{syslog-configuration-type}
10032 @deftp {Data Type} syslog-configuration
10033 This data type represents the configuration of the syslog daemon.
10036 @item @code{syslogd} (default: @code{#~(string-append #$inetutils "/libexec/syslogd")})
10037 The syslog daemon to use.
10039 @item @code{config-file} (default: @code{%default-syslog.conf})
10040 The syslog configuration file to use.
10045 @anchor{syslog-service}
10047 @deffn {Scheme Procedure} syslog-service @var{config}
10048 Return a service that runs a syslog daemon according to @var{config}.
10050 @xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more
10051 information on the configuration file syntax.
10054 @anchor{guix-configuration-type}
10055 @deftp {Data Type} guix-configuration
10056 This data type represents the configuration of the Guix build daemon.
10057 @xref{Invoking guix-daemon}, for more information.
10060 @item @code{guix} (default: @var{guix})
10061 The Guix package to use.
10063 @item @code{build-group} (default: @code{"guixbuild"})
10064 Name of the group for build user accounts.
10066 @item @code{build-accounts} (default: @code{10})
10067 Number of build user accounts to create.
10069 @item @code{authorize-key?} (default: @code{#t})
10070 @cindex substitutes, authorization thereof
10071 Whether to authorize the substitute keys listed in
10072 @code{authorized-keys}---by default that of @code{hydra.gnu.org}
10073 (@pxref{Substitutes}).
10075 @vindex %default-authorized-guix-keys
10076 @item @code{authorized-keys} (default: @var{%default-authorized-guix-keys})
10077 The list of authorized key files for archive imports, as a list of
10078 string-valued gexps (@pxref{Invoking guix archive}). By default, it
10079 contains that of @code{hydra.gnu.org} (@pxref{Substitutes}).
10081 @item @code{use-substitutes?} (default: @code{#t})
10082 Whether to use substitutes.
10084 @item @code{substitute-urls} (default: @var{%default-substitute-urls})
10085 The list of URLs where to look for substitutes by default.
10087 @item @code{max-silent-time} (default: @code{0})
10088 @itemx @code{timeout} (default: @code{0})
10089 The number of seconds of silence and the number of seconds of activity,
10090 respectively, after which a build process times out. A value of zero
10091 disables the timeout.
10093 @item @code{log-compression} (default: @code{'bzip2})
10094 The type of compression used for build logs---one of @code{gzip},
10095 @code{bzip2}, or @code{none}.
10097 @item @code{extra-options} (default: @code{'()})
10098 List of extra command-line options for @command{guix-daemon}.
10100 @item @code{log-file} (default: @code{"/var/log/guix-daemon.log"})
10101 File where @command{guix-daemon}'s standard output and standard error
10104 @item @code{http-proxy} (default: @code{#f})
10105 The HTTP proxy used for downloading fixed-output derivations and
10108 @item @code{tmpdir} (default: @code{#f})
10109 A directory path where the @command{guix-daemon} will perform builds.
10114 @deffn {Scheme Procedure} guix-service @var{config}
10115 Return a service that runs the Guix build daemon according to
10119 @deffn {Scheme Procedure} udev-service [#:udev @var{eudev} #:rules @code{'()}]
10120 Run @var{udev}, which populates the @file{/dev} directory dynamically.
10121 udev rules can be provided as a list of files through the @var{rules}
10122 variable. The procedures @var{udev-rule} and @var{file->udev-rule} from
10123 @code{(gnu services base)} simplify the creation of such rule files.
10125 @deffn {Scheme Procedure} udev-rule [@var{file-name} @var{contents}]
10126 Return a udev-rule file named @var{file-name} containing the rules
10127 defined by the @var{contents} literal.
10129 In the following example, a rule for a USB device is defined to be
10130 stored in the file @file{90-usb-thing.rules}. The rule runs a script
10131 upon detecting a USB device with a given product identifier.
10134 (define %example-udev-rule
10136 "90-usb-thing.rules"
10137 (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
10138 "ATTR@{product@}==\"Example\", "
10139 "RUN+=\"/path/to/script\"")))
10143 Here we show how the default @var{udev-service} can be extended with it.
10149 (modify-services %desktop-services
10150 (udev-service-type config =>
10151 (udev-configuration (inherit config)
10152 (rules (append (udev-configuration-rules config)
10153 (list %example-udev-rule))))))))
10156 @deffn {Scheme Procedure} file->udev-rule [@var{file-name} @var{file}]
10157 Return a udev file named @var{file-name} containing the rules defined
10158 within @var{file}, a file-like object.
10160 The following example showcases how we can use an existing rule file.
10163 (use-modules (guix download) ;for url-fetch
10164 (guix packages) ;for origin
10167 (define %android-udev-rules
10169 "51-android-udev.rules"
10170 (let ((version "20170910"))
10173 (uri (string-append "https://raw.githubusercontent.com/M0Rf30/"
10174 "android-udev-rules/" version "/51-android.rules"))
10176 (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))
10180 Additionally, Guix package definitions can be included in @var{rules} in
10181 order to extend the udev rules with the definitions found under their
10182 @file{lib/udev/rules.d} sub-directory. In lieu of the previous
10183 @var{file->udev-rule} example, we could have used the
10184 @var{android-udev-rules} package which exists in Guix in the @code{(gnu
10185 packages android)} module.
10187 The following example shows how to use the @var{android-udev-rules}
10188 package so that the Android tool @command{adb} can detect devices
10189 without root privileges. It also details how to create the
10190 @code{adbusers} group, which is required for the proper functioning of
10191 the rules defined within the @var{android-udev-rules} package. To
10192 create such a group, we must define it both as part of the
10193 @var{supplementary-groups} of our @var{user-account} declaration, as
10194 well as in the @var{groups} field of the @var{operating-system} record.
10197 (use-modules (gnu packages android) ;for android-udev-rules
10198 (gnu system shadow) ;for user-group
10203 (users (cons (user-acount
10205 (supplementary-groups
10206 '("adbusers" ;for adb
10207 "wheel" "netdev" "audio" "video"))
10210 (groups (cons (user-group (system? #t) (name "adbusers"))
10216 (modify-services %desktop-services
10217 (udev-service-type config =>
10218 (udev-configuration (inherit config)
10219 (rules (cons* android-udev-rules
10220 (udev-configuration-rules config))))))))
10224 @defvr {Scheme Variable} urandom-seed-service-type
10225 Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
10226 when rebooting. It also tries to seed @file{/dev/urandom} from
10227 @file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
10231 @defvr {Scheme Variable} %random-seed-file
10232 This is the name of the file where some random bytes are saved by
10233 @var{urandom-seed-service} to seed @file{/dev/urandom} when rebooting.
10234 It defaults to @file{/var/lib/random-seed}.
10239 @deffn {Scheme Procedure} console-keymap-service @var{files} ...
10240 @cindex keyboard layout
10241 Return a service to load console keymaps from @var{files} using
10242 @command{loadkeys} command. Most likely, you want to load some default
10243 keymap, which can be done like this:
10246 (console-keymap-service "dvorak")
10249 Or, for example, for a Swedish keyboard, you may need to combine
10250 the following keymaps:
10252 (console-keymap-service "se-lat6" "se-fi-lat6")
10255 Also you can specify a full file name (or file names) of your keymap(s).
10256 See @code{man loadkeys} for details.
10262 @deffn {Scheme Procedure} gpm-service [#:gpm @var{gpm}] @
10264 Run @var{gpm}, the general-purpose mouse daemon, with the given
10265 command-line @var{options}. GPM allows users to use the mouse in the console,
10266 notably to select, copy, and paste text. The default value of @var{options}
10267 uses the @code{ps2} protocol, which works for both USB and PS/2 mice.
10269 This service is not part of @var{%base-services}.
10272 @anchor{guix-publish-service-type}
10273 @deffn {Scheme Variable} guix-publish-service-type
10274 This is the service type for @command{guix publish} (@pxref{Invoking
10275 guix publish}). Its value must be a @code{guix-configuration}
10276 object, as described below.
10278 This assumes that @file{/etc/guix} already contains a signing key pair as
10279 created by @command{guix archive --generate-key} (@pxref{Invoking guix
10280 archive}). If that is not the case, the service will fail to start.
10283 @deftp {Data Type} guix-publish-configuration
10284 Data type representing the configuration of the @code{guix publish}
10288 @item @code{guix} (default: @code{guix})
10289 The Guix package to use.
10291 @item @code{port} (default: @code{80})
10292 The TCP port to listen for connections.
10294 @item @code{host} (default: @code{"localhost"})
10295 The host (and thus, network interface) to listen to. Use
10296 @code{"0.0.0.0"} to listen on all the network interfaces.
10298 @item @code{compression-level} (default: @code{3})
10299 The gzip compression level at which substitutes are compressed. Use
10300 @code{0} to disable compression altogether, and @code{9} to get the best
10301 compression ratio at the expense of increased CPU usage.
10303 @item @code{nar-path} (default: @code{"nar"})
10304 The URL path at which ``nars'' can be fetched. @xref{Invoking guix
10305 publish, @code{--nar-path}}, for details.
10307 @item @code{cache} (default: @code{#f})
10308 When it is @code{#f}, disable caching and instead generate archives on
10309 demand. Otherwise, this should be the name of a directory---e.g.,
10310 @code{"/var/cache/guix/publish"}---where @command{guix publish} caches
10311 archives and meta-data ready to be sent. @xref{Invoking guix publish,
10312 @option{--cache}}, for more information on the tradeoffs involved.
10314 @item @code{workers} (default: @code{#f})
10315 When it is an integer, this is the number of worker threads used for
10316 caching; when @code{#f}, the number of processors is used.
10317 @xref{Invoking guix publish, @option{--workers}}, for more information.
10319 @item @code{ttl} (default: @code{#f})
10320 When it is an integer, this denotes the @dfn{time-to-live} in seconds
10321 of the published archives. @xref{Invoking guix publish, @option{--ttl}},
10322 for more information.
10326 @anchor{rngd-service}
10327 @deffn {Scheme Procedure} rngd-service [#:rng-tools @var{rng-tools}] @
10328 [#:device "/dev/hwrng"]
10329 Return a service that runs the @command{rngd} program from @var{rng-tools}
10330 to add @var{device} to the kernel's entropy pool. The service will fail if
10331 @var{device} does not exist.
10334 @anchor{pam-limits-service}
10335 @cindex session limits
10338 @deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}]
10340 Return a service that installs a configuration file for the
10341 @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html,
10342 @code{pam_limits} module}. The procedure optionally takes a list of
10343 @code{pam-limits-entry} values, which can be used to specify
10344 @code{ulimit} limits and nice priority limits to user sessions.
10346 The following limits definition sets two hard and soft limits for all
10347 login sessions of users in the @code{realtime} group:
10350 (pam-limits-service
10352 (pam-limits-entry "@@realtime" 'both 'rtprio 99)
10353 (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
10356 The first entry increases the maximum realtime priority for
10357 non-privileged processes; the second entry lifts any restriction of the
10358 maximum address space that can be locked in memory. These settings are
10359 commonly used for real-time audio systems.
10362 @node Scheduled Job Execution
10363 @subsubsection Scheduled Job Execution
10367 @cindex scheduling jobs
10368 The @code{(gnu services mcron)} module provides an interface to
10369 GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,,
10370 mcron, GNU@tie{}mcron}). GNU@tie{}mcron is similar to the traditional
10371 Unix @command{cron} daemon; the main difference is that it is
10372 implemented in Guile Scheme, which provides a lot of flexibility when
10373 specifying the scheduling of jobs and their actions.
10375 The example below defines an operating system that runs the
10376 @command{updatedb} (@pxref{Invoking updatedb,,, find, Finding Files})
10377 and the @command{guix gc} commands (@pxref{Invoking guix gc}) daily, as
10378 well as the @command{mkid} command on behalf of an unprivileged user
10379 (@pxref{mkid invocation,,, idutils, ID Database Utilities}). It uses
10380 gexps to introduce job definitions that are passed to mcron
10381 (@pxref{G-Expressions}).
10384 (use-modules (guix) (gnu) (gnu services mcron))
10385 (use-package-modules base idutils)
10387 (define updatedb-job
10388 ;; Run 'updatedb' at 3AM every day. Here we write the
10389 ;; job's action as a Scheme procedure.
10390 #~(job '(next-hour '(3))
10392 (execl (string-append #$findutils "/bin/updatedb")
10394 "--prunepaths=/tmp /var/tmp /gnu/store"))))
10396 (define garbage-collector-job
10397 ;; Collect garbage 5 minutes after midnight every day.
10398 ;; The job's action is a shell command.
10399 #~(job "5 0 * * *" ;Vixie cron syntax
10402 (define idutils-job
10403 ;; Update the index database as user "charlie" at 12:15PM
10404 ;; and 19:15PM. This runs from the user's home directory.
10405 #~(job '(next-minute-from (next-hour '(12 19)) '(15))
10406 (string-append #$idutils "/bin/mkid src")
10411 (services (cons (mcron-service (list garbage-collector-job
10417 @xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron},
10418 for more information on mcron job specifications. Below is the
10419 reference of the mcron service.
10421 @deffn {Scheme Procedure} mcron-service @var{jobs} [#:mcron @var{mcron2}]
10422 Return an mcron service running @var{mcron} that schedules @var{jobs}, a
10423 list of gexps denoting mcron job specifications.
10425 This is a shorthand for:
10427 (service mcron-service-type
10428 (mcron-configuration (mcron mcron) (jobs jobs)))
10432 @defvr {Scheme Variable} mcron-service-type
10433 This is the type of the @code{mcron} service, whose value is an
10434 @code{mcron-configuration} object.
10436 This service type can be the target of a service extension that provides
10437 it additional job specifications (@pxref{Service Composition}). In
10438 other words, it is possible to define services that provide additional
10442 @deftp {Data Type} mcron-configuration
10443 Data type representing the configuration of mcron.
10446 @item @code{mcron} (default: @var{mcron2})
10447 The mcron package to use.
10450 This is a list of gexps (@pxref{G-Expressions}), where each gexp
10451 corresponds to an mcron job specification (@pxref{Syntax, mcron job
10452 specifications,, mcron, GNU@tie{}mcron}).
10458 @subsubsection Log Rotation
10461 @cindex log rotation
10463 Log files such as those found in @file{/var/log} tend to grow endlessly,
10464 so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
10465 their contents in separate files, possibly compressed. The @code{(gnu
10466 services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
10467 log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).
10469 The example below defines an operating system that provides log rotation
10470 with the default settings, for commonly encountered log files.
10473 (use-modules (guix) (gnu))
10474 (use-service-modules admin mcron)
10475 (use-package-modules base idutils)
10479 (services (cons (service rottlog-service-type)
10483 @defvr {Scheme Variable} rottlog-service-type
10484 This is the type of the Rottlog service, whose value is a
10485 @code{rottlog-configuration} object.
10487 Other services can extend this one with new @code{log-rotation} objects
10488 (see below), thereby augmenting the set of files to be rotated.
10490 This service type can define mcron jobs (@pxref{Scheduled Job
10491 Execution}) to run the rottlog service.
10494 @deftp {Data Type} rottlog-configuration
10495 Data type representing the configuration of rottlog.
10498 @item @code{rottlog} (default: @code{rottlog})
10499 The Rottlog package to use.
10501 @item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
10502 The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
10503 rottlog, GNU Rot[t]log Manual}).
10505 @item @code{rotations} (default: @code{%default-rotations})
10506 A list of @code{log-rotation} objects as defined below.
10509 This is a list of gexps where each gexp corresponds to an mcron job
10510 specification (@pxref{Scheduled Job Execution}).
10514 @deftp {Data Type} log-rotation
10515 Data type representing the rotation of a group of log files.
10517 Taking an example from the Rottlog manual (@pxref{Period Related File
10518 Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be
10524 (files '("/var/log/apache/*"))
10525 (options '("storedir apache-archives"
10531 The list of fields is as follows:
10534 @item @code{frequency} (default: @code{'weekly})
10535 The log rotation frequency, a symbol.
10538 The list of files or file glob patterns to rotate.
10540 @item @code{options} (default: @code{'()})
10541 The list of rottlog options for this rotation (@pxref{Configuration
10542 parameters,,, rottlog, GNU Rot[t]lg Manual}).
10544 @item @code{post-rotate} (default: @code{#f})
10545 Either @code{#f} or a gexp to execute once the rotation has completed.
10549 @defvr {Scheme Variable} %default-rotations
10550 Specifies weekly rotation of @var{%rotated-files} and
10551 a couple of other files.
10554 @defvr {Scheme Variable} %rotated-files
10555 The list of syslog-controlled files to be rotated. By default it is:
10556 @code{'("/var/log/messages" "/var/log/secure")}.
10559 @node Networking Services
10560 @subsubsection Networking Services
10562 The @code{(gnu services networking)} module provides services to configure
10563 the network interface.
10565 @cindex DHCP, networking service
10566 @deffn {Scheme Procedure} dhcp-client-service [#:dhcp @var{isc-dhcp}]
10567 Return a service that runs @var{dhcp}, a Dynamic Host Configuration
10568 Protocol (DHCP) client, on all the non-loopback network interfaces.
10571 @defvr {Scheme Variable} static-networking-service-type
10572 This is the type for statically-configured network interfaces.
10573 @c TODO Document <static-networking> data structures.
10576 @deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @
10577 [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}]
10578 [#:requirement @code{'(udev)}]
10579 Return a service that starts @var{interface} with address @var{ip}. If
10580 @var{netmask} is true, use it as the network mask. If @var{gateway} is true,
10581 it must be a string specifying the default network gateway. @var{requirement}
10582 can be used to declare a dependency on another service before configuring the
10585 This procedure can be called several times, one for each network
10586 interface of interest. Behind the scenes what it does is extend
10587 @code{static-networking-service-type} with additional network interfaces
10594 @cindex network management
10595 @deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
10596 Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
10597 management daemon that aims to simplify wired and wireless networking.
10599 This service adds the @var{wicd} package to the global profile, providing
10600 several commands to interact with the daemon and configure networking:
10601 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
10602 and @command{wicd-curses} user interfaces.
10605 @cindex NetworkManager
10607 @defvr {Scheme Variable} network-manager-service-type
10608 This is the service type for the
10609 @uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager}
10610 service. The value for this service type is a
10611 @code{network-manager-configuration} record.
10613 This service is part of @code{%desktop-services} (@pxref{Desktop
10617 @deftp {Data Type} network-manager-configuration
10618 Data type representing the configuration of NetworkManager.
10621 @item @code{network-manager} (default: @code{network-manager})
10622 The NetworkManager package to use.
10624 @item @code{dns} (default: @code{"default"})
10625 Processing mode for DNS, which affects how NetworkManager uses the
10626 @code{resolv.conf} configuration file.
10630 NetworkManager will update @code{resolv.conf} to reflect the nameservers
10631 provided by currently active connections.
10634 NetworkManager will run @code{dnsmasq} as a local caching nameserver,
10635 using a "split DNS" configuration if you are connected to a VPN, and
10636 then update @code{resolv.conf} to point to the local nameserver.
10639 NetworkManager will not modify @code{resolv.conf}.
10642 @item @code{vpn-plugins} (default: @code{'()})
10643 This is the list of available plugins for virtual private networks
10644 (VPNs). An example of this is the @code{network-manager-openvpn}
10645 package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.
10651 @deffn {Scheme Variable} connman-service-type
10652 This is the service type to run @url{https://01.org/connman,Connman},
10653 a network connection manager.
10655 Its value must be an
10656 @code{connman-configuration} record as in this example:
10659 (service connman-service-type
10660 (connman-configuration
10661 (disable-vpn? #t)))
10664 See below for details about @code{connman-configuration}.
10667 @deftp {Data Type} connman-configuration
10668 Data Type representing the configuration of connman.
10671 @item @code{connman} (default: @var{connman})
10672 The connman package to use.
10674 @item @code{disable-vpn?} (default: @code{#f})
10675 When true, enable connman's vpn plugin.
10679 @cindex WPA Supplicant
10680 @defvr {Scheme Variable} wpa-supplicant-service-type
10681 This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
10682 supplicant}, an authentication daemon required to authenticate against
10683 encrypted WiFi or ethernet networks. It is configured to listen for
10686 The value of this service is the @code{wpa-supplicant} package to use.
10687 Thus, it can be instantiated like this:
10690 (use-modules (gnu services networking))
10692 (service wpa-supplicant-service-type)
10697 @cindex real time clock
10698 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
10699 [#:servers @var{%ntp-servers}] @
10700 [#:allow-large-adjustment? #f]
10701 Return a service that runs the daemon from @var{ntp}, the
10702 @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
10703 keep the system clock synchronized with that of @var{servers}.
10704 @var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
10705 make an initial adjustment of more than 1,000 seconds.
10708 @defvr {Scheme Variable} %ntp-servers
10709 List of host names used as the default NTP servers.
10713 @deffn {Scheme variable} inetd-service-type
10714 This service runs the @command{inetd} (@pxref{inetd invocation,,,
10715 inetutils, GNU Inetutils}) daemon. @command{inetd} listens for
10716 connections on internet sockets, and lazily starts the specified server
10717 program when a connection is made on one of these sockets.
10719 The value of this service is an @code{inetd-configuration} object. The
10720 following example configures the @command{inetd} daemon to provide the
10721 built-in @command{echo} service, as well as an smtp service which
10722 forwards smtp traffic over ssh to a server @code{smtp-server} behind a
10723 gateway @code{hostname}:
10728 (inetd-configuration
10732 (socket-type 'stream)
10739 (socket-type 'stream)
10743 (program (file-append openssh "/bin/ssh"))
10745 '("ssh" "-qT" "-i" "/path/to/ssh_key"
10746 "-W" "smtp-server:25" "user@@hostname")))))
10749 See below for more details about @code{inetd-configuration}.
10752 @deftp {Data Type} inetd-configuration
10753 Data type representing the configuration of @command{inetd}.
10756 @item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")})
10757 The @command{inetd} executable to use.
10759 @item @code{entries} (default: @code{'()})
10760 A list of @command{inetd} service entries. Each entry should be created
10761 by the @code{inetd-entry} constructor.
10765 @deftp {Data Type} inetd-entry
10766 Data type representing an entry in the @command{inetd} configuration.
10767 Each entry corresponds to a socket where @command{inetd} will listen for
10771 @item @code{node} (default: @code{#f})
10772 Optional string, a comma-separated list of local addresses
10773 @command{inetd} should use when listening for this service.
10774 @xref{Configuration file,,, inetutils, GNU Inetutils} for a complete
10775 description of all options.
10777 A string, the name must correspond to an entry in @code{/etc/services}.
10778 @item @code{socket-type}
10779 One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or
10781 @item @code{protocol}
10782 A string, must correspond to an entry in @code{/etc/protocols}.
10783 @item @code{wait?} (default: @code{#t})
10784 Whether @command{inetd} should wait for the server to exit before
10785 listening to new service requests.
10787 A string containing the user (and, optionally, group) name of the user
10788 as whom the server should run. The group name can be specified in a
10789 suffix, separated by a colon or period, i.e. @code{"user"},
10790 @code{"user:group"} or @code{"user.group"}.
10791 @item @code{program} (default: @code{"internal"})
10792 The server program which will serve the requests, or @code{"internal"}
10793 if @command{inetd} should use a built-in service.
10794 @item @code{arguments} (default: @code{'()})
10795 A list strings or file-like objects, which are the server program's
10796 arguments, starting with the zeroth argument, i.e. the name of the
10797 program itself. For @command{inetd}'s internal services, this entry
10798 must be @code{'()} or @code{'("internal")}.
10801 @xref{Configuration file,,, inetutils, GNU Inetutils} for a more
10802 detailed discussion of each configuration field.
10806 @deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}]
10807 Return a service to run the @uref{https://torproject.org, Tor} anonymous
10810 The daemon runs as the @code{tor} unprivileged user. It is passed
10811 @var{config-file}, a file-like object, with an additional @code{User tor} line
10812 and lines for hidden services added via @code{tor-hidden-service}. Run
10813 @command{man tor} for information about the configuration file.
10816 @cindex hidden service
10817 @deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping}
10818 Define a new Tor @dfn{hidden service} called @var{name} and implementing
10819 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
10822 '((22 "127.0.0.1:22")
10823 (80 "127.0.0.1:8080"))
10826 In this example, port 22 of the hidden service is mapped to local port 22, and
10827 port 80 is mapped to local port 8080.
10829 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
10830 the @file{hostname} file contains the @code{.onion} host name for the hidden
10833 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
10834 project's documentation} for more information.
10837 The @code{(gnu services rsync)} module provides the following services:
10839 You might want an rsync daemon if you have files that you want available
10840 so anyone (or just yourself) can download existing files or upload new
10843 @deffn {Scheme Variable} rsync-service-type
10844 This is the type for the @uref{https://rsync.samba.org, rsync} rsync daemon,
10845 @command{rsync-configuration} record as in this example:
10848 (service rsync-service-type)
10851 See below for details about @code{rsync-configuration}.
10854 @deftp {Data Type} rsync-configuration
10855 Data type representing the configuration for @code{rsync-service}.
10858 @item @code{package} (default: @var{rsync})
10859 @code{rsync} package to use.
10861 @item @code{port-number} (default: @code{873})
10862 TCP port on which @command{rsync} listens for incoming connections. If port
10863 is less than @code{1024} @command{rsync} needs to be started as the
10864 @code{root} user and group.
10866 @item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"})
10867 Name of the file where @command{rsync} writes its PID.
10869 @item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"})
10870 Name of the file where @command{rsync} writes its lock file.
10872 @item @code{log-file} (default: @code{"/var/log/rsyncd.log"})
10873 Name of the file where @command{rsync} writes its log file.
10875 @item @code{use-chroot?} (default: @var{#t})
10876 Whether to use chroot for @command{rsync} shared directory.
10878 @item @code{share-path} (default: @file{/srv/rsync})
10879 Location of the @command{rsync} shared directory.
10881 @item @code{share-comment} (default: @code{"Rsync share"})
10882 Comment of the @command{rsync} shared directory.
10884 @item @code{read-only?} (default: @var{#f})
10885 Read-write permissions to shared directory.
10887 @item @code{timeout} (default: @code{300})
10888 I/O timeout in seconds.
10890 @item @code{user} (default: @var{"root"})
10891 Owner of the @code{rsync} process.
10893 @item @code{group} (default: @var{"root"})
10894 Group of the @code{rsync} process.
10896 @item @code{uid} (default: @var{"rsyncd"})
10897 User name or user ID that file transfers to and from that module should take
10898 place as when the daemon was run as @code{root}.
10900 @item @code{gid} (default: @var{"rsyncd"})
10901 Group name or group ID that will be used when accessing the module.
10906 Furthermore, @code{(gnu services ssh)} provides the following services.
10910 @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
10911 [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
10912 [#:allow-empty-passwords? #f] [#:root-login? #f] @
10913 [#:syslog-output? #t] [#:x11-forwarding? #t] @
10914 [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @
10915 [#:public-key-authentication? #t] [#:initialize? #t]
10916 Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
10917 @var{host-key} must designate a file containing the host key, and readable
10920 When @var{daemonic?} is true, @command{lshd} will detach from the
10921 controlling terminal and log its output to syslogd, unless one sets
10922 @var{syslog-output?} to false. Obviously, it also makes lsh-service
10923 depend on existence of syslogd service. When @var{pid-file?} is true,
10924 @command{lshd} writes its PID to the file called @var{pid-file}.
10926 When @var{initialize?} is true, automatically create the seed and host key
10927 upon service activation if they do not exist yet. This may take long and
10928 require interaction.
10930 When @var{initialize?} is false, it is up to the user to initialize the
10931 randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
10932 a key pair with the private key stored in file @var{host-key} (@pxref{lshd
10933 basics,,, lsh, LSH Manual}).
10935 When @var{interfaces} is empty, lshd listens for connections on all the
10936 network interfaces; otherwise, @var{interfaces} must be a list of host names
10939 @var{allow-empty-passwords?} specifies whether to accept log-ins with empty
10940 passwords, and @var{root-login?} specifies whether to accept log-ins as
10943 The other options should be self-descriptive.
10948 @deffn {Scheme Variable} openssh-service-type
10949 This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
10950 shell daemon, @command{sshd}. Its value must be an
10951 @code{openssh-configuration} record as in this example:
10954 (service openssh-service-type
10955 (openssh-configuration
10956 (x11-forwarding? #t)
10957 (permit-root-login 'without-password)
10959 `(("alice" ,(local-file "alice.pub"))
10960 ("bob" ,(local-file "bob.pub"))))))
10963 See below for details about @code{openssh-configuration}.
10965 This service can be extended with extra authorized keys, as in this
10969 (service-extension openssh-service-type
10970 (const `(("charlie"
10971 ,(local-file "charlie.pub")))))
10975 @deftp {Data Type} openssh-configuration
10976 This is the configuration record for OpenSSH's @command{sshd}.
10979 @item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
10980 Name of the file where @command{sshd} writes its PID.
10982 @item @code{port-number} (default: @code{22})
10983 TCP port on which @command{sshd} listens for incoming connections.
10985 @item @code{permit-root-login} (default: @code{#f})
10986 This field determines whether and when to allow logins as root. If
10987 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
10988 If it's the symbol @code{'without-password}, then root logins are
10989 permitted but not with password-based authentication.
10991 @item @code{allow-empty-passwords?} (default: @code{#f})
10992 When true, users with empty passwords may log in. When false, they may
10995 @item @code{password-authentication?} (default: @code{#t})
10996 When true, users may log in with their password. When false, they have
10997 other authentication methods.
10999 @item @code{public-key-authentication?} (default: @code{#t})
11000 When true, users may log in using public key authentication. When
11001 false, users have to use other authentication method.
11003 Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
11004 This is used only by protocol version 2.
11006 @item @code{x11-forwarding?} (default: @code{#f})
11007 When true, forwarding of X11 graphical client connections is
11008 enabled---in other words, @command{ssh} options @option{-X} and
11009 @option{-Y} will work.
11011 @item @code{challenge-response-authentication?} (default: @code{#f})
11012 Specifies whether challenge response authentication is allowed (e.g. via
11015 @item @code{use-pam?} (default: @code{#t})
11016 Enables the Pluggable Authentication Module interface. If set to
11017 @code{#t}, this will enable PAM authentication using
11018 @code{challenge-response-authentication?} and
11019 @code{password-authentication?}, in addition to PAM account and session
11020 module processing for all authentication types.
11022 Because PAM challenge response authentication usually serves an
11023 equivalent role to password authentication, you should disable either
11024 @code{challenge-response-authentication?} or
11025 @code{password-authentication?}.
11027 @item @code{print-last-log?} (default: @code{#t})
11028 Specifies whether @command{sshd} should print the date and time of the
11029 last user login when a user logs in interactively.
11031 @item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
11032 Configures external subsystems (e.g. file transfer daemon).
11034 This is a list of two-element lists, each of which containing the
11035 subsystem name and a command (with optional arguments) to execute upon
11038 The command @command{internal-sftp} implements an in-process SFTP
11039 server. Alternately, one can specify the @command{sftp-server} command:
11041 (service openssh-service-type
11042 (openssh-configuration
11044 `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
11047 @item @code{authorized-keys} (default: @code{'()})
11048 @cindex authorized keys, SSH
11049 @cindex SSH authorized keys
11050 This is the list of authorized keys. Each element of the list is a user
11051 name followed by one or more file-like objects that represent SSH public
11055 (openssh-configuration
11057 `(("rekado" ,(local-file "rekado.pub"))
11058 ("chris" ,(local-file "chris.pub"))
11059 ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
11063 registers the specified public keys for user accounts @code{rekado},
11064 @code{chris}, and @code{root}.
11066 Additional authorized keys can be specified @i{via}
11067 @code{service-extension}.
11069 Note that this does @emph{not} interfere with the use of
11070 @file{~/.ssh/authorized_keys}.
11074 @deffn {Scheme Procedure} dropbear-service [@var{config}]
11075 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
11076 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
11079 For example, to specify a Dropbear service listening on port 1234, add
11080 this call to the operating system's @code{services} field:
11083 (dropbear-service (dropbear-configuration
11084 (port-number 1234)))
11088 @deftp {Data Type} dropbear-configuration
11089 This data type represents the configuration of a Dropbear SSH daemon.
11092 @item @code{dropbear} (default: @var{dropbear})
11093 The Dropbear package to use.
11095 @item @code{port-number} (default: 22)
11096 The TCP port where the daemon waits for incoming connections.
11098 @item @code{syslog-output?} (default: @code{#t})
11099 Whether to enable syslog output.
11101 @item @code{pid-file} (default: @code{"/var/run/dropbear.pid"})
11102 File name of the daemon's PID file.
11104 @item @code{root-login?} (default: @code{#f})
11105 Whether to allow @code{root} logins.
11107 @item @code{allow-empty-passwords?} (default: @code{#f})
11108 Whether to allow empty passwords.
11110 @item @code{password-authentication?} (default: @code{#t})
11111 Whether to enable password-based authentication.
11115 @defvr {Scheme Variable} %facebook-host-aliases
11116 This variable contains a string for use in @file{/etc/hosts}
11117 (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each
11118 line contains a entry that maps a known server name of the Facebook
11119 on-line service---e.g., @code{www.facebook.com}---to the local
11120 host---@code{127.0.0.1} or its IPv6 equivalent, @code{::1}.
11122 This variable is typically used in the @code{hosts-file} field of an
11123 @code{operating-system} declaration (@pxref{operating-system Reference,
11124 @file{/etc/hosts}}):
11127 (use-modules (gnu) (guix))
11130 (host-name "mymachine")
11133 ;; Create a /etc/hosts file with aliases for "localhost"
11134 ;; and "mymachine", as well as for Facebook servers.
11135 (plain-file "hosts"
11136 (string-append (local-host-aliases host-name)
11137 %facebook-host-aliases))))
11140 This mechanism can prevent programs running locally, such as Web
11141 browsers, from accessing Facebook.
11144 The @code{(gnu services avahi)} provides the following definition.
11146 @deffn {Scheme Procedure} avahi-service [#:avahi @var{avahi}] @
11147 [#:host-name #f] [#:publish? #t] [#:ipv4? #t] @
11148 [#:ipv6? #t] [#:wide-area? #f] @
11149 [#:domains-to-browse '()] [#:debug? #f]
11150 Return a service that runs @command{avahi-daemon}, a system-wide
11151 mDNS/DNS-SD responder that allows for service discovery and
11152 "zero-configuration" host name lookups (see @uref{http://avahi.org/}), and
11153 extends the name service cache daemon (nscd) so that it can resolve
11154 @code{.local} host names using
11155 @uref{http://0pointer.de/lennart/projects/nss-mdns/, nss-mdns}. Additionally,
11156 add the @var{avahi} package to the system profile so that commands such as
11157 @command{avahi-browse} are directly usable.
11159 If @var{host-name} is different from @code{#f}, use that as the host name to
11160 publish for this machine; otherwise, use the machine's actual host name.
11162 When @var{publish?} is true, publishing of host names and services is allowed;
11163 in particular, avahi-daemon will publish the machine's host name and IP
11164 address via mDNS on the local network.
11166 When @var{wide-area?} is true, DNS-SD over unicast DNS is enabled.
11168 Boolean values @var{ipv4?} and @var{ipv6?} determine whether to use IPv4/IPv6
11172 @deffn {Scheme Variable} openvswitch-service-type
11173 This is the type of the @uref{http://www.openvswitch.org, Open vSwitch}
11174 service, whose value should be an @code{openvswitch-configuration}
11178 @deftp {Data Type} openvswitch-configuration
11179 Data type representing the configuration of Open vSwitch, a multilayer
11180 virtual switch which is designed to enable massive network automation
11181 through programmatic extension.
11184 @item @code{package} (default: @var{openvswitch})
11185 Package object of the Open vSwitch.
11191 @subsubsection X Window
11194 @cindex X Window System
11195 @cindex login manager
11196 Support for the X Window graphical display system---specifically
11197 Xorg---is provided by the @code{(gnu services xorg)} module. Note that
11198 there is no @code{xorg-service} procedure. Instead, the X server is
11199 started by the @dfn{login manager}, by default SLiM.
11201 @cindex window manager
11202 To use X11, you must install at least one @dfn{window manager}---for
11203 example the @code{windowmaker} or @code{openbox} packages---preferably
11204 by adding it to the @code{packages} field of your operating system
11205 definition (@pxref{operating-system Reference, system-wide packages}).
11207 @defvr {Scheme Variable} slim-service-type
11208 This is the type for the SLiM graphical login manager for X11.
11210 @cindex session types (X11)
11211 @cindex X11 session types
11212 SLiM looks for @dfn{session types} described by the @file{.desktop} files in
11213 @file{/run/current-system/profile/share/xsessions} and allows users to
11214 choose a session from the log-in screen using @kbd{F1}. Packages such
11215 as @code{xfce}, @code{sawfish}, and @code{ratpoison} provide
11216 @file{.desktop} files; adding them to the system-wide set of packages
11217 automatically makes them available at the log-in screen.
11219 In addition, @file{~/.xsession} files are honored. When available,
11220 @file{~/.xsession} must be an executable that starts a window manager
11221 and/or other X clients.
11224 @deftp {Data Type} slim-configuration
11225 Data type representing the configuration of @code{slim-service-type}.
11228 @item @code{allow-empty-passwords?} (default: @code{#t})
11229 Whether to allow logins with empty passwords.
11231 @item @code{auto-login?} (default: @code{#f})
11232 @itemx @code{default-user} (default: @code{""})
11233 When @code{auto-login?} is false, SLiM presents a log-in screen.
11235 When @code{auto-login?} is true, SLiM logs in directly as
11236 @code{default-user}.
11238 @item @code{theme} (default: @code{%default-slim-theme})
11239 @itemx @code{theme-name} (default: @code{%default-slim-theme-name})
11240 The graphical theme to use and its name.
11242 @item @code{auto-login-session} (default: @code{#f})
11243 If true, this must be the name of the executable to start as the default
11244 session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}.
11246 If false, a session described by one of the available @file{.desktop}
11247 files in @code{/run/current-system/profile} and @code{~/.guix-profile}
11251 You must install at least one window manager in the system profile or in
11252 your user profile. Failing to do that, if @code{auto-login-session} is
11253 false, you will be unable to log in.
11256 @item @code{startx} (default: @code{(xorg-start-command)})
11257 The command used to start the X11 graphical server.
11259 @item @code{xauth} (default: @code{xauth})
11260 The XAuth package to use.
11262 @item @code{shepherd} (default: @code{shepherd})
11263 The Shepherd package used when invoking @command{halt} and
11266 @item @code{slim} (default: @code{slim})
11267 The SLiM package to use.
11271 @defvr {Scheme Variable} %default-theme
11272 @defvrx {Scheme Variable} %default-theme-name
11273 The default SLiM theme and its name.
11277 @deftp {Data Type} sddm-configuration
11278 This is the data type representing the sddm service configuration.
11281 @item @code{display-server} (default: "x11")
11282 Select display server to use for the greeter. Valid values are "x11"
11285 @item @code{numlock} (default: "on")
11286 Valid values are "on", "off" or "none".
11288 @item @code{halt-command} (default @code{#~(string-apppend #$shepherd "/sbin/halt")})
11289 Command to run when halting.
11291 @item @code{reboot-command} (default @code{#~(string-append #$shepherd "/sbin/reboot")})
11292 Command to run when rebooting.
11294 @item @code{theme} (default "maldives")
11295 Theme to use. Default themes provided by SDDM are "elarun" or "maldives".
11297 @item @code{themes-directory} (default "/run/current-system/profile/share/sddm/themes")
11298 Directory to look for themes.
11300 @item @code{faces-directory} (default "/run/current-system/profile/share/sddm/faces")
11301 Directory to look for faces.
11303 @item @code{default-path} (default "/run/current-system/profile/bin")
11304 Default PATH to use.
11306 @item @code{minimum-uid} (default 1000)
11307 Minimum UID to display in SDDM.
11309 @item @code{maximum-uid} (default 2000)
11310 Maximum UID to display in SDDM
11312 @item @code{remember-last-user?} (default #t)
11313 Remember last user.
11315 @item @code{remember-last-session?} (default #t)
11316 Remember last session.
11318 @item @code{hide-users} (default "")
11319 Usernames to hide from SDDM greeter.
11321 @item @code{hide-shells} (default @code{#~(string-append #$shadow "/sbin/nologin")})
11322 Users with shells listed will be hidden from the SDDM greeter.
11324 @item @code{session-command} (default @code{#~(string-append #$sddm "/share/sddm/scripts/wayland-session")})
11325 Script to run before starting a wayland session.
11327 @item @code{sessions-directory} (default "/run/current-system/profile/share/wayland-sessions")
11328 Directory to look for desktop files starting wayland sessions.
11330 @item @code{xorg-server-path} (default @code{xorg-start-command})
11331 Path to xorg-server.
11333 @item @code{xauth-path} (default @code{#~(string-append #$xauth "/bin/xauth")})
11336 @item @code{xephyr-path} (default @code{#~(string-append #$xorg-server "/bin/Xephyr")})
11339 @item @code{xdisplay-start} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xsetup")})
11340 Script to run after starting xorg-server.
11342 @item @code{xdisplay-stop} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xstop")})
11343 Script to run before stopping xorg-server.
11345 @item @code{xsession-command} (default: @code{xinitr })
11346 Script to run before starting a X session.
11348 @item @code{xsessions-directory} (default: "/run/current-system/profile/share/xsessions")
11349 Directory to look for desktop files starting X sessions.
11351 @item @code{minimum-vt} (default: 7)
11354 @item @code{xserver-arguments} (default "-nolisten tcp")
11355 Arguments to pass to xorg-server.
11357 @item @code{auto-login-user} (default "")
11358 User to use for auto-login.
11360 @item @code{auto-login-session} (default "")
11361 Desktop file to use for auto-login.
11363 @item @code{relogin?} (default #f)
11364 Relogin after logout.
11369 @cindex login manager
11371 @deffn {Scheme Procedure} sddm-service config
11372 Return a service that spawns the SDDM graphical login manager for config of
11373 type @code{<sddm-configuration>}.
11376 (sddm-service (sddm-configuration
11377 (auto-login-user "Alice")
11378 (auto-login-session "xfce.desktop")))
11382 @deffn {Scheme Procedure} xorg-start-command [#:guile] @
11383 [#:modules %default-xorg-modules] @
11384 [#:fonts %default-xorg-fonts] @
11385 [#:configuration-file (xorg-configuration-file @dots{})] @
11386 [#:xorg-server @var{xorg-server}]
11387 Return a @code{startx} script in which @var{modules}, a list of X module
11388 packages, and @var{fonts}, a list of X font directories, are available. See
11389 @code{xorg-wrapper} for more details on the arguments. The result should be
11390 used in place of @code{startx}.
11392 Usually the X server is started by a login manager.
11395 @deffn {Scheme Procedure} xorg-configuration-file @
11396 [#:modules %default-xorg-modules] @
11397 [#:fonts %default-xorg-fonts] @
11398 [#:drivers '()] [#:resolutions '()] [#:extra-config '()]
11399 Return a configuration file for the Xorg server containing search paths for
11400 all the common drivers.
11402 @var{modules} must be a list of @dfn{module packages} loaded by the Xorg
11403 server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on.
11404 @var{fonts} must be a list of font directories to add to the server's
11407 @var{drivers} must be either the empty list, in which case Xorg chooses a
11408 graphics driver automatically, or a list of driver names that will be tried in
11409 this order---e.g., @code{("modesetting" "vesa")}.
11411 Likewise, when @var{resolutions} is the empty list, Xorg chooses an
11412 appropriate screen resolution; otherwise, it must be a list of
11413 resolutions---e.g., @code{((1024 768) (640 480))}.
11415 Last, @var{extra-config} is a list of strings or objects appended to the
11416 configuration file. It is used to pass extra text to be
11417 added verbatim to the configuration file.
11420 @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}]
11421 Add @var{package}, a package for a screen locker or screen saver whose
11422 command is @var{program}, to the set of setuid programs and add a PAM entry
11423 for it. For example:
11426 (screen-locker-service xlockmore "xlock")
11429 makes the good ol' XlockMore usable.
11433 @node Printing Services
11434 @subsubsection Printing Services
11436 @cindex printer support with CUPS
11437 The @code{(gnu services cups)} module provides a Guix service definition
11438 for the CUPS printing service. To add printer support to a GuixSD
11439 system, add a @code{cups-service} to the operating system definition:
11441 @deffn {Scheme Variable} cups-service-type
11442 The service type for the CUPS print server. Its value should be a valid
11443 CUPS configuration (see below). To use the default settings, simply
11446 (service cups-service-type)
11450 The CUPS configuration controls the basic things about your CUPS
11451 installation: what interfaces it listens on, what to do if a print job
11452 fails, how much logging to do, and so on. To actually add a printer,
11453 you have to visit the @url{http://localhost:631} URL, or use a tool such
11454 as GNOME's printer configuration services. By default, configuring a
11455 CUPS service will generate a self-signed certificate if needed, for
11456 secure connections to the print server.
11458 Suppose you want to enable the Web interface of CUPS and also add
11459 support for Epson printers @i{via} the @code{escpr} package and for HP
11460 printers @i{via} the @code{hplip} package. You can do that directly,
11461 like this (you need to use the @code{(gnu packages cups)} module):
11464 (service cups-service-type
11465 (cups-configuration
11466 (web-interface? #t)
11468 (list cups-filters escpr hplip))))
11471 The available configuration parameters follow. Each parameter
11472 definition is preceded by its type; for example, @samp{string-list foo}
11473 indicates that the @code{foo} parameter should be specified as a list of
11474 strings. There is also a way to specify the configuration as a string,
11475 if you have an old @code{cupsd.conf} file that you want to port over
11476 from some other system; see the end for more details.
11478 @c The following documentation was initially generated by
11479 @c (generate-documentation) in (gnu services cups). Manually maintained
11480 @c documentation is better, so we shouldn't hesitate to edit below as
11481 @c needed. However if the change you want to make to this documentation
11482 @c can be done in an automated way, it's probably easier to change
11483 @c (generate-documentation) than to make it below and have to deal with
11484 @c the churn as CUPS updates.
11487 Available @code{cups-configuration} fields are:
11489 @deftypevr {@code{cups-configuration} parameter} package cups
11493 @deftypevr {@code{cups-configuration} parameter} package-list extensions
11494 Drivers and other extensions to the CUPS package.
11497 @deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration
11498 Configuration of where to write logs, what directories to use for print
11499 spools, and related privileged configuration parameters.
11501 Available @code{files-configuration} fields are:
11503 @deftypevr {@code{files-configuration} parameter} log-location access-log
11504 Defines the access log filename. Specifying a blank filename disables
11505 access log generation. The value @code{stderr} causes log entries to be
11506 sent to the standard error file when the scheduler is running in the
11507 foreground, or to the system log daemon when run in the background. The
11508 value @code{syslog} causes log entries to be sent to the system log
11509 daemon. The server name may be included in filenames using the string
11510 @code{%s}, as in @code{/var/log/cups/%s-access_log}.
11512 Defaults to @samp{"/var/log/cups/access_log"}.
11515 @deftypevr {@code{files-configuration} parameter} file-name cache-dir
11516 Where CUPS should cache data.
11518 Defaults to @samp{"/var/cache/cups"}.
11521 @deftypevr {@code{files-configuration} parameter} string config-file-perm
11522 Specifies the permissions for all configuration files that the scheduler
11525 Note that the permissions for the printers.conf file are currently
11526 masked to only allow access from the scheduler user (typically root).
11527 This is done because printer device URIs sometimes contain sensitive
11528 authentication information that should not be generally known on the
11529 system. There is no way to disable this security feature.
11531 Defaults to @samp{"0640"}.
11534 @deftypevr {@code{files-configuration} parameter} log-location error-log
11535 Defines the error log filename. Specifying a blank filename disables
11536 access log generation. The value @code{stderr} causes log entries to be
11537 sent to the standard error file when the scheduler is running in the
11538 foreground, or to the system log daemon when run in the background. The
11539 value @code{syslog} causes log entries to be sent to the system log
11540 daemon. The server name may be included in filenames using the string
11541 @code{%s}, as in @code{/var/log/cups/%s-error_log}.
11543 Defaults to @samp{"/var/log/cups/error_log"}.
11546 @deftypevr {@code{files-configuration} parameter} string fatal-errors
11547 Specifies which errors are fatal, causing the scheduler to exit. The
11552 No errors are fatal.
11555 All of the errors below are fatal.
11558 Browsing initialization errors are fatal, for example failed connections
11559 to the DNS-SD daemon.
11562 Configuration file syntax errors are fatal.
11565 Listen or Port errors are fatal, except for IPv6 failures on the
11566 loopback or @code{any} addresses.
11569 Log file creation or write errors are fatal.
11572 Bad startup file permissions are fatal, for example shared TLS
11573 certificate and key files with world-read permissions.
11576 Defaults to @samp{"all -browse"}.
11579 @deftypevr {@code{files-configuration} parameter} boolean file-device?
11580 Specifies whether the file pseudo-device can be used for new printer
11581 queues. The URI @uref{file:///dev/null} is always allowed.
11583 Defaults to @samp{#f}.
11586 @deftypevr {@code{files-configuration} parameter} string group
11587 Specifies the group name or ID that will be used when executing external
11590 Defaults to @samp{"lp"}.
11593 @deftypevr {@code{files-configuration} parameter} string log-file-perm
11594 Specifies the permissions for all log files that the scheduler writes.
11596 Defaults to @samp{"0644"}.
11599 @deftypevr {@code{files-configuration} parameter} log-location page-log
11600 Defines the page log filename. Specifying a blank filename disables
11601 access log generation. The value @code{stderr} causes log entries to be
11602 sent to the standard error file when the scheduler is running in the
11603 foreground, or to the system log daemon when run in the background. The
11604 value @code{syslog} causes log entries to be sent to the system log
11605 daemon. The server name may be included in filenames using the string
11606 @code{%s}, as in @code{/var/log/cups/%s-page_log}.
11608 Defaults to @samp{"/var/log/cups/page_log"}.
11611 @deftypevr {@code{files-configuration} parameter} string remote-root
11612 Specifies the username that is associated with unauthenticated accesses
11613 by clients claiming to be the root user. The default is @code{remroot}.
11615 Defaults to @samp{"remroot"}.
11618 @deftypevr {@code{files-configuration} parameter} file-name request-root
11619 Specifies the directory that contains print jobs and other HTTP request
11622 Defaults to @samp{"/var/spool/cups"}.
11625 @deftypevr {@code{files-configuration} parameter} sandboxing sandboxing
11626 Specifies the level of security sandboxing that is applied to print
11627 filters, backends, and other child processes of the scheduler; either
11628 @code{relaxed} or @code{strict}. This directive is currently only
11629 used/supported on macOS.
11631 Defaults to @samp{strict}.
11634 @deftypevr {@code{files-configuration} parameter} file-name server-keychain
11635 Specifies the location of TLS certificates and private keys. CUPS will
11636 look for public and private keys in this directory: a @code{.crt} files
11637 for PEM-encoded certificates and corresponding @code{.key} files for
11638 PEM-encoded private keys.
11640 Defaults to @samp{"/etc/cups/ssl"}.
11643 @deftypevr {@code{files-configuration} parameter} file-name server-root
11644 Specifies the directory containing the server configuration files.
11646 Defaults to @samp{"/etc/cups"}.
11649 @deftypevr {@code{files-configuration} parameter} boolean sync-on-close?
11650 Specifies whether the scheduler calls fsync(2) after writing
11651 configuration or state files.
11653 Defaults to @samp{#f}.
11656 @deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group
11657 Specifies the group(s) to use for @code{@@SYSTEM} group authentication.
11660 @deftypevr {@code{files-configuration} parameter} file-name temp-dir
11661 Specifies the directory where temporary files are stored.
11663 Defaults to @samp{"/var/spool/cups/tmp"}.
11666 @deftypevr {@code{files-configuration} parameter} string user
11667 Specifies the user name or ID that is used when running external
11670 Defaults to @samp{"lp"}.
11674 @deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level
11675 Specifies the logging level for the AccessLog file. The @code{config}
11676 level logs when printers and classes are added, deleted, or modified and
11677 when configuration files are accessed or updated. The @code{actions}
11678 level logs when print jobs are submitted, held, released, modified, or
11679 canceled, and any of the conditions for @code{config}. The @code{all}
11680 level logs all requests.
11682 Defaults to @samp{actions}.
11685 @deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs?
11686 Specifies whether to purge job history data automatically when it is no
11687 longer required for quotas.
11689 Defaults to @samp{#f}.
11692 @deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols
11693 Specifies which protocols to use for local printer sharing.
11695 Defaults to @samp{dnssd}.
11698 @deftypevr {@code{cups-configuration} parameter} boolean browse-web-if?
11699 Specifies whether the CUPS web interface is advertised.
11701 Defaults to @samp{#f}.
11704 @deftypevr {@code{cups-configuration} parameter} boolean browsing?
11705 Specifies whether shared printers are advertised.
11707 Defaults to @samp{#f}.
11710 @deftypevr {@code{cups-configuration} parameter} string classification
11711 Specifies the security classification of the server. Any valid banner
11712 name can be used, including "classified", "confidential", "secret",
11713 "topsecret", and "unclassified", or the banner can be omitted to disable
11714 secure printing functions.
11716 Defaults to @samp{""}.
11719 @deftypevr {@code{cups-configuration} parameter} boolean classify-override?
11720 Specifies whether users may override the classification (cover page) of
11721 individual print jobs using the @code{job-sheets} option.
11723 Defaults to @samp{#f}.
11726 @deftypevr {@code{cups-configuration} parameter} default-auth-type default-auth-type
11727 Specifies the default type of authentication to use.
11729 Defaults to @samp{Basic}.
11732 @deftypevr {@code{cups-configuration} parameter} default-encryption default-encryption
11733 Specifies whether encryption will be used for authenticated requests.
11735 Defaults to @samp{Required}.
11738 @deftypevr {@code{cups-configuration} parameter} string default-language
11739 Specifies the default language to use for text and web content.
11741 Defaults to @samp{"en"}.
11744 @deftypevr {@code{cups-configuration} parameter} string default-paper-size
11745 Specifies the default paper size for new print queues. @samp{"Auto"}
11746 uses a locale-specific default, while @samp{"None"} specifies there is
11747 no default paper size. Specific size names are typically
11748 @samp{"Letter"} or @samp{"A4"}.
11750 Defaults to @samp{"Auto"}.
11753 @deftypevr {@code{cups-configuration} parameter} string default-policy
11754 Specifies the default access policy to use.
11756 Defaults to @samp{"default"}.
11759 @deftypevr {@code{cups-configuration} parameter} boolean default-shared?
11760 Specifies whether local printers are shared by default.
11762 Defaults to @samp{#t}.
11765 @deftypevr {@code{cups-configuration} parameter} non-negative-integer dirty-clean-interval
11766 Specifies the delay for updating of configuration and state files, in
11767 seconds. A value of 0 causes the update to happen as soon as possible,
11768 typically within a few milliseconds.
11770 Defaults to @samp{30}.
11773 @deftypevr {@code{cups-configuration} parameter} error-policy error-policy
11774 Specifies what to do when an error occurs. Possible values are
11775 @code{abort-job}, which will discard the failed print job;
11776 @code{retry-job}, which will retry the job at a later time;
11777 @code{retry-this-job}, which retries the failed job immediately; and
11778 @code{stop-printer}, which stops the printer.
11780 Defaults to @samp{stop-printer}.
11783 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-limit
11784 Specifies the maximum cost of filters that are run concurrently, which
11785 can be used to minimize disk, memory, and CPU resource problems. A
11786 limit of 0 disables filter limiting. An average print to a
11787 non-PostScript printer needs a filter limit of about 200. A PostScript
11788 printer needs about half that (100). Setting the limit below these
11789 thresholds will effectively limit the scheduler to printing a single job
11792 Defaults to @samp{0}.
11795 @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-nice
11796 Specifies the scheduling priority of filters that are run to print a
11797 job. The nice value ranges from 0, the highest priority, to 19, the
11800 Defaults to @samp{0}.
11803 @deftypevr {@code{cups-configuration} parameter} host-name-lookups host-name-lookups
11804 Specifies whether to do reverse lookups on connecting clients. The
11805 @code{double} setting causes @code{cupsd} to verify that the hostname
11806 resolved from the address matches one of the addresses returned for that
11807 hostname. Double lookups also prevent clients with unregistered
11808 addresses from connecting to your server. Only set this option to
11809 @code{#t} or @code{double} if absolutely required.
11811 Defaults to @samp{#f}.
11814 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-kill-delay
11815 Specifies the number of seconds to wait before killing the filters and
11816 backend associated with a canceled or held job.
11818 Defaults to @samp{30}.
11821 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-interval
11822 Specifies the interval between retries of jobs in seconds. This is
11823 typically used for fax queues but can also be used with normal print
11824 queues whose error policy is @code{retry-job} or
11825 @code{retry-current-job}.
11827 Defaults to @samp{30}.
11830 @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-limit
11831 Specifies the number of retries that are done for jobs. This is
11832 typically used for fax queues but can also be used with normal print
11833 queues whose error policy is @code{retry-job} or
11834 @code{retry-current-job}.
11836 Defaults to @samp{5}.
11839 @deftypevr {@code{cups-configuration} parameter} boolean keep-alive?
11840 Specifies whether to support HTTP keep-alive connections.
11842 Defaults to @samp{#t}.
11845 @deftypevr {@code{cups-configuration} parameter} non-negative-integer keep-alive-timeout
11846 Specifies how long an idle client connection remains open, in seconds.
11848 Defaults to @samp{30}.
11851 @deftypevr {@code{cups-configuration} parameter} non-negative-integer limit-request-body
11852 Specifies the maximum size of print files, IPP requests, and HTML form
11853 data. A limit of 0 disables the limit check.
11855 Defaults to @samp{0}.
11858 @deftypevr {@code{cups-configuration} parameter} multiline-string-list listen
11859 Listens on the specified interfaces for connections. Valid values are
11860 of the form @var{address}:@var{port}, where @var{address} is either an
11861 IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to
11862 indicate all addresses. Values can also be file names of local UNIX
11863 domain sockets. The Listen directive is similar to the Port directive
11864 but allows you to restrict access to specific interfaces or networks.
11867 @deftypevr {@code{cups-configuration} parameter} non-negative-integer listen-back-log
11868 Specifies the number of pending connections that will be allowed. This
11869 normally only affects very busy servers that have reached the MaxClients
11870 limit, but can also be triggered by large numbers of simultaneous
11871 connections. When the limit is reached, the operating system will
11872 refuse additional connections until the scheduler can accept the pending
11875 Defaults to @samp{128}.
11878 @deftypevr {@code{cups-configuration} parameter} location-access-control-list location-access-controls
11879 Specifies a set of additional access controls.
11881 Available @code{location-access-controls} fields are:
11883 @deftypevr {@code{location-access-controls} parameter} file-name path
11884 Specifies the URI path to which the access control applies.
11887 @deftypevr {@code{location-access-controls} parameter} access-control-list access-controls
11888 Access controls for all access to this path, in the same format as the
11889 @code{access-controls} of @code{operation-access-control}.
11891 Defaults to @samp{()}.
11894 @deftypevr {@code{location-access-controls} parameter} method-access-control-list method-access-controls
11895 Access controls for method-specific access to this path.
11897 Defaults to @samp{()}.
11899 Available @code{method-access-controls} fields are:
11901 @deftypevr {@code{method-access-controls} parameter} boolean reverse?
11902 If @code{#t}, apply access controls to all methods except the listed
11903 methods. Otherwise apply to only the listed methods.
11905 Defaults to @samp{#f}.
11908 @deftypevr {@code{method-access-controls} parameter} method-list methods
11909 Methods to which this access control applies.
11911 Defaults to @samp{()}.
11914 @deftypevr {@code{method-access-controls} parameter} access-control-list access-controls
11915 Access control directives, as a list of strings. Each string should be
11916 one directive, such as "Order allow,deny".
11918 Defaults to @samp{()}.
11923 @deftypevr {@code{cups-configuration} parameter} non-negative-integer log-debug-history
11924 Specifies the number of debugging messages that are retained for logging
11925 if an error occurs in a print job. Debug messages are logged regardless
11926 of the LogLevel setting.
11928 Defaults to @samp{100}.
11931 @deftypevr {@code{cups-configuration} parameter} log-level log-level
11932 Specifies the level of logging for the ErrorLog file. The value
11933 @code{none} stops all logging while @code{debug2} logs everything.
11935 Defaults to @samp{info}.
11938 @deftypevr {@code{cups-configuration} parameter} log-time-format log-time-format
11939 Specifies the format of the date and time in the log files. The value
11940 @code{standard} logs whole seconds while @code{usecs} logs microseconds.
11942 Defaults to @samp{standard}.
11945 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients
11946 Specifies the maximum number of simultaneous clients that are allowed by
11949 Defaults to @samp{100}.
11952 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients-per-host
11953 Specifies the maximum number of simultaneous clients that are allowed
11954 from a single address.
11956 Defaults to @samp{100}.
11959 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-copies
11960 Specifies the maximum number of copies that a user can print of each
11963 Defaults to @samp{9999}.
11966 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-hold-time
11967 Specifies the maximum time a job may remain in the @code{indefinite}
11968 hold state before it is canceled. A value of 0 disables cancellation of
11971 Defaults to @samp{0}.
11974 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs
11975 Specifies the maximum number of simultaneous jobs that are allowed. Set
11976 to 0 to allow an unlimited number of jobs.
11978 Defaults to @samp{500}.
11981 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-printer
11982 Specifies the maximum number of simultaneous jobs that are allowed per
11983 printer. A value of 0 allows up to MaxJobs jobs per printer.
11985 Defaults to @samp{0}.
11988 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-user
11989 Specifies the maximum number of simultaneous jobs that are allowed per
11990 user. A value of 0 allows up to MaxJobs jobs per user.
11992 Defaults to @samp{0}.
11995 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-job-time
11996 Specifies the maximum time a job may take to print before it is
11997 canceled, in seconds. Set to 0 to disable cancellation of "stuck" jobs.
11999 Defaults to @samp{10800}.
12002 @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-log-size
12003 Specifies the maximum size of the log files before they are rotated, in
12004 bytes. The value 0 disables log rotation.
12006 Defaults to @samp{1048576}.
12009 @deftypevr {@code{cups-configuration} parameter} non-negative-integer multiple-operation-timeout
12010 Specifies the maximum amount of time to allow between files in a
12011 multiple file print job, in seconds.
12013 Defaults to @samp{300}.
12016 @deftypevr {@code{cups-configuration} parameter} string page-log-format
12017 Specifies the format of PageLog lines. Sequences beginning with percent
12018 (@samp{%}) characters are replaced with the corresponding information,
12019 while all other characters are copied literally. The following percent
12020 sequences are recognized:
12024 insert a single percent character
12027 insert the value of the specified IPP attribute
12030 insert the number of copies for the current page
12033 insert the current page number
12036 insert the current date and time in common log format
12042 insert the printer name
12045 insert the username
12048 A value of the empty string disables page logging. The string @code{%p
12049 %u %j %T %P %C %@{job-billing@} %@{job-originating-host-name@}
12050 %@{job-name@} %@{media@} %@{sides@}} creates a page log with the
12053 Defaults to @samp{""}.
12056 @deftypevr {@code{cups-configuration} parameter} environment-variables environment-variables
12057 Passes the specified environment variable(s) to child processes; a list
12060 Defaults to @samp{()}.
12063 @deftypevr {@code{cups-configuration} parameter} policy-configuration-list policies
12064 Specifies named access control policies.
12066 Available @code{policy-configuration} fields are:
12068 @deftypevr {@code{policy-configuration} parameter} string name
12069 Name of the policy.
12072 @deftypevr {@code{policy-configuration} parameter} string job-private-access
12073 Specifies an access list for a job's private values. @code{@@ACL} maps
12074 to the printer's requesting-user-name-allowed or
12075 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
12076 owner. @code{@@SYSTEM} maps to the groups listed for the
12077 @code{system-group} field of the @code{files-config} configuration,
12078 which is reified into the @code{cups-files.conf(5)} file. Other
12079 possible elements of the access list include specific user names, and
12080 @code{@@@var{group}} to indicate members of a specific group. The
12081 access list may also be simply @code{all} or @code{default}.
12083 Defaults to @samp{"@@OWNER @@SYSTEM"}.
12086 @deftypevr {@code{policy-configuration} parameter} string job-private-values
12087 Specifies the list of job values to make private, or @code{all},
12088 @code{default}, or @code{none}.
12090 Defaults to @samp{"job-name job-originating-host-name
12091 job-originating-user-name phone"}.
12094 @deftypevr {@code{policy-configuration} parameter} string subscription-private-access
12095 Specifies an access list for a subscription's private values.
12096 @code{@@ACL} maps to the printer's requesting-user-name-allowed or
12097 requesting-user-name-denied values. @code{@@OWNER} maps to the job's
12098 owner. @code{@@SYSTEM} maps to the groups listed for the
12099 @code{system-group} field of the @code{files-config} configuration,
12100 which is reified into the @code{cups-files.conf(5)} file. Other
12101 possible elements of the access list include specific user names, and
12102 @code{@@@var{group}} to indicate members of a specific group. The
12103 access list may also be simply @code{all} or @code{default}.
12105 Defaults to @samp{"@@OWNER @@SYSTEM"}.
12108 @deftypevr {@code{policy-configuration} parameter} string subscription-private-values
12109 Specifies the list of job values to make private, or @code{all},
12110 @code{default}, or @code{none}.
12112 Defaults to @samp{"notify-events notify-pull-method notify-recipient-uri
12113 notify-subscriber-user-name notify-user-data"}.
12116 @deftypevr {@code{policy-configuration} parameter} operation-access-control-list access-controls
12117 Access control by IPP operation.
12119 Defaults to @samp{()}.
12123 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-files
12124 Specifies whether job files (documents) are preserved after a job is
12125 printed. If a numeric value is specified, job files are preserved for
12126 the indicated number of seconds after printing. Otherwise a boolean
12127 value applies indefinitely.
12129 Defaults to @samp{86400}.
12132 @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-history
12133 Specifies whether the job history is preserved after a job is printed.
12134 If a numeric value is specified, the job history is preserved for the
12135 indicated number of seconds after printing. If @code{#t}, the job
12136 history is preserved until the MaxJobs limit is reached.
12138 Defaults to @samp{#t}.
12141 @deftypevr {@code{cups-configuration} parameter} non-negative-integer reload-timeout
12142 Specifies the amount of time to wait for job completion before
12143 restarting the scheduler.
12145 Defaults to @samp{30}.
12148 @deftypevr {@code{cups-configuration} parameter} string rip-cache
12149 Specifies the maximum amount of memory to use when converting documents
12150 into bitmaps for a printer.
12152 Defaults to @samp{"128m"}.
12155 @deftypevr {@code{cups-configuration} parameter} string server-admin
12156 Specifies the email address of the server administrator.
12158 Defaults to @samp{"root@@localhost.localdomain"}.
12161 @deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias
12162 The ServerAlias directive is used for HTTP Host header validation when
12163 clients connect to the scheduler from external interfaces. Using the
12164 special name @code{*} can expose your system to known browser-based DNS
12165 rebinding attacks, even when accessing sites through a firewall. If the
12166 auto-discovery of alternate names does not work, we recommend listing
12167 each alternate name with a ServerAlias directive instead of using
12170 Defaults to @samp{*}.
12173 @deftypevr {@code{cups-configuration} parameter} string server-name
12174 Specifies the fully-qualified host name of the server.
12176 Defaults to @samp{"localhost"}.
12179 @deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens
12180 Specifies what information is included in the Server header of HTTP
12181 responses. @code{None} disables the Server header. @code{ProductOnly}
12182 reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor}
12183 reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}.
12184 @code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is
12185 the output of the @code{uname} command. @code{Full} reports @code{CUPS
12186 2.0.0 (@var{uname}) IPP/2.0}.
12188 Defaults to @samp{Minimal}.
12191 @deftypevr {@code{cups-configuration} parameter} string set-env
12192 Set the specified environment variable to be passed to child processes.
12194 Defaults to @samp{"variable value"}.
12197 @deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen
12198 Listens on the specified interfaces for encrypted connections. Valid
12199 values are of the form @var{address}:@var{port}, where @var{address} is
12200 either an IPv6 address enclosed in brackets, an IPv4 address, or
12201 @code{*} to indicate all addresses.
12203 Defaults to @samp{()}.
12206 @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
12207 Sets encryption options. By default, CUPS only supports encryption
12208 using TLS v1.0 or higher using known secure cipher suites. The
12209 @code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
12210 required for some older clients that do not implement newer ones. The
12211 @code{AllowSSL3} option enables SSL v3.0, which is required for some
12212 older clients that do not support TLS v1.0.
12214 Defaults to @samp{()}.
12217 @deftypevr {@code{cups-configuration} parameter} boolean strict-conformance?
12218 Specifies whether the scheduler requires clients to strictly adhere to
12219 the IPP specifications.
12221 Defaults to @samp{#f}.
12224 @deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout
12225 Specifies the HTTP request timeout, in seconds.
12227 Defaults to @samp{300}.
12231 @deftypevr {@code{cups-configuration} parameter} boolean web-interface?
12232 Specifies whether the web interface is enabled.
12234 Defaults to @samp{#f}.
12237 At this point you're probably thinking ``oh dear, Guix manual, I like
12238 you but you can stop already with the configuration options''. Indeed.
12239 However, one more point: it could be that you have an existing
12240 @code{cupsd.conf} that you want to use. In that case, you can pass an
12241 @code{opaque-cups-configuration} as the configuration of a
12242 @code{cups-service-type}.
12244 Available @code{opaque-cups-configuration} fields are:
12246 @deftypevr {@code{opaque-cups-configuration} parameter} package cups
12250 @deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf
12251 The contents of the @code{cupsd.conf}, as a string.
12254 @deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf
12255 The contents of the @code{cups-files.conf} file, as a string.
12258 For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in
12259 strings of the same name, you could instantiate a CUPS service like
12263 (service cups-service-type
12264 (opaque-cups-configuration
12265 (cupsd.conf cupsd.conf)
12266 (cups-files.conf cups-files.conf)))
12270 @node Desktop Services
12271 @subsubsection Desktop Services
12273 The @code{(gnu services desktop)} module provides services that are
12274 usually useful in the context of a ``desktop'' setup---that is, on a
12275 machine running a graphical display server, possibly with graphical user
12276 interfaces, etc. It also defines services that provide specific desktop
12277 environments like GNOME, XFCE or MATE.
12279 To simplify things, the module defines a variable containing the set of
12280 services that users typically expect on a machine with a graphical
12281 environment and networking:
12283 @defvr {Scheme Variable} %desktop-services
12284 This is a list of services that builds upon @var{%base-services} and
12285 adds or adjusts services for a typical ``desktop'' setup.
12287 In particular, it adds a graphical login manager (@pxref{X Window,
12288 @code{slim-service}}), screen lockers, a network management tool
12289 (@pxref{Networking Services, @code{network-manager-service-type}}), energy and color
12290 management services, the @code{elogind} login and seat manager, the
12291 Polkit privilege service, the GeoClue location service, the
12292 AccountsService daemon that allows authorized users change system
12293 passwords, an NTP client (@pxref{Networking Services}), the Avahi
12294 daemon, and has the name service switch service configured to be able to
12295 use @code{nss-mdns} (@pxref{Name Service Switch, mDNS}).
12298 The @var{%desktop-services} variable can be used as the @code{services}
12299 field of an @code{operating-system} declaration (@pxref{operating-system
12300 Reference, @code{services}}).
12302 Additionally, the @code{gnome-desktop-service},
12303 @code{xfce-desktop-service} and @code{mate-desktop-service}
12304 procedures can add GNOME, XFCE and/or MATE to a system.
12305 To ``add GNOME'' means that system-level services like the
12306 backlight adjustment helpers and the power management utilities are
12307 added to the system, extending @code{polkit} and @code{dbus}
12308 appropriately, allowing GNOME to operate with elevated privileges on a
12309 limited number of special-purpose system interfaces. Additionally,
12310 adding a service made by @code{gnome-desktop-service} adds the GNOME
12311 metapackage to the system profile. Likewise, adding the XFCE service
12312 not only adds the @code{xfce} metapackage to the system profile, but it
12313 also gives the Thunar file manager the ability to open a ``root-mode''
12314 file management window, if the user authenticates using the
12315 administrator's password via the standard polkit graphical interface.
12316 To ``add MATE'' means that @code{polkit} and @code{dbus} are extended
12317 appropriately, allowing MATE to operate with elevated privileges on a
12318 limited number of special-purpose system interfaces. Additionally,
12319 adding a service made by @code{mate-desktop-service} adds the MATE
12320 metapackage to the system profile.
12322 The desktop environments in Guix use the Xorg display server by
12323 default. If you'd like to use the newer display server protocol
12324 called Wayland, you need to use the @code{sddm-service} instead of the
12325 @code{slim-service} for the graphical login manager. You should then
12326 select the ``GNOME (Wayland)'' session in SDDM. Alternatively you can
12327 also try starting GNOME on Wayland manually from a TTY with the
12328 command ``XDG_SESSION_TYPE=wayland exec dbus-run-session
12329 gnome-session``. Currently only GNOME has support for Wayland.
12331 @deffn {Scheme Procedure} gnome-desktop-service
12332 Return a service that adds the @code{gnome} package to the system
12333 profile, and extends polkit with the actions from
12334 @code{gnome-settings-daemon}.
12337 @deffn {Scheme Procedure} xfce-desktop-service
12338 Return a service that adds the @code{xfce} package to the system profile,
12339 and extends polkit with the ability for @code{thunar} to manipulate the
12340 file system as root from within a user session, after the user has
12341 authenticated with the administrator's password.
12344 @deffn {Scheme Procedure} mate-desktop-service
12345 Return a service that adds the @code{mate} package to the system
12346 profile, and extends polkit with the actions from
12347 @code{mate-settings-daemon}.
12350 Because the GNOME, XFCE and MATE desktop services pull in so many packages,
12351 the default @code{%desktop-services} variable doesn't include either of
12352 them by default. To add GNOME, XFCE or MATE, just @code{cons} them onto
12353 @code{%desktop-services} in the @code{services} field of your
12354 @code{operating-system}:
12357 (use-modules (gnu))
12358 (use-service-modules desktop)
12361 ;; cons* adds items to the list given as its last argument.
12362 (services (cons* (gnome-desktop-service)
12363 (xfce-desktop-service)
12364 %desktop-services))
12368 These desktop environments will then be available as options in the
12369 graphical login window.
12371 The actual service definitions included in @code{%desktop-services} and
12372 provided by @code{(gnu services dbus)} and @code{(gnu services desktop)}
12373 are described below.
12375 @deffn {Scheme Procedure} dbus-service [#:dbus @var{dbus}] [#:services '()]
12376 Return a service that runs the ``system bus'', using @var{dbus}, with
12377 support for @var{services}.
12379 @uref{http://dbus.freedesktop.org/, D-Bus} is an inter-process communication
12380 facility. Its system bus is used to allow system services to communicate
12381 and to be notified of system-wide events.
12383 @var{services} must be a list of packages that provide an
12384 @file{etc/dbus-1/system.d} directory containing additional D-Bus configuration
12385 and policy files. For example, to allow avahi-daemon to use the system bus,
12386 @var{services} must be equal to @code{(list avahi)}.
12389 @deffn {Scheme Procedure} elogind-service [#:config @var{config}]
12390 Return a service that runs the @code{elogind} login and
12391 seat management daemon. @uref{https://github.com/elogind/elogind,
12392 Elogind} exposes a D-Bus interface that can be used to know which users
12393 are logged in, know what kind of sessions they have open, suspend the
12394 system, inhibit system suspend, reboot the system, and other tasks.
12396 Elogind handles most system-level power events for a computer, for
12397 example suspending the system when a lid is closed, or shutting it down
12398 when the power button is pressed.
12400 The @var{config} keyword argument specifies the configuration for
12401 elogind, and should be the result of an @code{(elogind-configuration
12402 (@var{parameter} @var{value})...)} invocation. Available parameters and
12403 their default values are:
12406 @item kill-user-processes?
12408 @item kill-only-users
12410 @item kill-exclude-users
12412 @item inhibit-delay-max-seconds
12414 @item handle-power-key
12416 @item handle-suspend-key
12418 @item handle-hibernate-key
12420 @item handle-lid-switch
12422 @item handle-lid-switch-docked
12424 @item power-key-ignore-inhibited?
12426 @item suspend-key-ignore-inhibited?
12428 @item hibernate-key-ignore-inhibited?
12430 @item lid-switch-ignore-inhibited?
12432 @item holdoff-timeout-seconds
12436 @item idle-action-seconds
12438 @item runtime-directory-size-percent
12440 @item runtime-directory-size
12444 @item suspend-state
12445 @code{("mem" "standby" "freeze")}
12448 @item hibernate-state
12450 @item hibernate-mode
12451 @code{("platform" "shutdown")}
12452 @item hybrid-sleep-state
12454 @item hybrid-sleep-mode
12455 @code{("suspend" "platform" "shutdown")}
12459 @deffn {Scheme Procedure} accountsservice-service @
12460 [#:accountsservice @var{accountsservice}]
12461 Return a service that runs AccountsService, a system service that can
12462 list available accounts, change their passwords, and so on.
12463 AccountsService integrates with PolicyKit to enable unprivileged users
12464 to acquire the capability to modify their system configuration.
12465 @uref{https://www.freedesktop.org/wiki/Software/AccountsService/, the
12466 accountsservice web site} for more information.
12468 The @var{accountsservice} keyword argument is the @code{accountsservice}
12469 package to expose as a service.
12472 @deffn {Scheme Procedure} polkit-service @
12473 [#:polkit @var{polkit}]
12474 Return a service that runs the
12475 @uref{http://www.freedesktop.org/wiki/Software/polkit/, Polkit privilege
12476 management service}, which allows system administrators to grant access to
12477 privileged operations in a structured way. By querying the Polkit service, a
12478 privileged system component can know when it should grant additional
12479 capabilities to ordinary users. For example, an ordinary user can be granted
12480 the capability to suspend the system if the user is logged in locally.
12483 @deffn {Scheme Procedure} upower-service [#:upower @var{upower}] @
12484 [#:watts-up-pro? #f] @
12485 [#:poll-batteries? #t] @
12486 [#:ignore-lid? #f] @
12487 [#:use-percentage-for-policy? #f] @
12488 [#:percentage-low 10] @
12489 [#:percentage-critical 3] @
12490 [#:percentage-action 2] @
12491 [#:time-low 1200] @
12492 [#:time-critical 300] @
12493 [#:time-action 120] @
12494 [#:critical-power-action 'hybrid-sleep]
12495 Return a service that runs @uref{http://upower.freedesktop.org/,
12496 @command{upowerd}}, a system-wide monitor for power consumption and battery
12497 levels, with the given configuration settings. It implements the
12498 @code{org.freedesktop.UPower} D-Bus interface, and is notably used by
12502 @deffn {Scheme Procedure} udisks-service [#:udisks @var{udisks}]
12503 Return a service for @uref{http://udisks.freedesktop.org/docs/latest/,
12504 UDisks}, a @dfn{disk management} daemon that provides user interfaces with
12505 notifications and ways to mount/unmount disks. Programs that talk to UDisks
12506 include the @command{udisksctl} command, part of UDisks, and GNOME Disks.
12509 @deffn {Scheme Procedure} colord-service [#:colord @var{colord}]
12510 Return a service that runs @command{colord}, a system service with a D-Bus
12511 interface to manage the color profiles of input and output devices such as
12512 screens and scanners. It is notably used by the GNOME Color Manager graphical
12513 tool. See @uref{http://www.freedesktop.org/software/colord/, the colord web
12514 site} for more information.
12517 @deffn {Scheme Procedure} geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()]
12518 Return a configuration allowing an application to access GeoClue
12519 location data. @var{name} is the Desktop ID of the application, without
12520 the @code{.desktop} part. If @var{allowed?} is true, the application
12521 will have access to location information by default. The boolean
12522 @var{system?} value indicates whether an application is a system component
12523 or not. Finally @var{users} is a list of UIDs of all users for which
12524 this application is allowed location info access. An empty users list
12525 means that all users are allowed.
12528 @defvr {Scheme Variable} %standard-geoclue-applications
12529 The standard list of well-known GeoClue application configurations,
12530 granting authority to the GNOME date-and-time utility to ask for the
12531 current location in order to set the time zone, and allowing the
12532 IceCat and Epiphany web browsers to request location information.
12533 IceCat and Epiphany both query the user before allowing a web page to
12534 know the user's location.
12537 @deffn {Scheme Procedure} geoclue-service [#:colord @var{colord}] @
12538 [#:whitelist '()] @
12539 [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] @
12540 [#:submit-data? #f]
12541 [#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"] @
12542 [#:submission-nick "geoclue"] @
12543 [#:applications %standard-geoclue-applications]
12544 Return a service that runs the GeoClue location service. This service
12545 provides a D-Bus interface to allow applications to request access to a
12546 user's physical location, and optionally to add information to online
12547 location databases. See
12548 @uref{https://wiki.freedesktop.org/www/Software/GeoClue/, the GeoClue
12549 web site} for more information.
12552 @deffn {Scheme Procedure} bluetooth-service [#:bluez @var{bluez}] @
12553 [@w{#:auto-enable? #f}]
12554 Return a service that runs the @command{bluetoothd} daemon, which
12555 manages all the Bluetooth devices and provides a number of D-Bus
12556 interfaces. When AUTO-ENABLE? is true, the bluetooth controller is
12557 powered automatically at boot, which can be useful when using a
12558 bluetooth keyboard or mouse.
12560 Users need to be in the @code{lp} group to access the D-Bus service.
12563 @node Database Services
12564 @subsubsection Database Services
12568 The @code{(gnu services databases)} module provides the following services.
12570 @deffn {Scheme Procedure} postgresql-service [#:postgresql postgresql] @
12571 [#:config-file] [#:data-directory ``/var/lib/postgresql/data''] @
12572 [#:port 5432] [#:locale ``en_US.utf8'']
12573 Return a service that runs @var{postgresql}, the PostgreSQL database
12576 The PostgreSQL daemon loads its runtime configuration from @var{config-file},
12577 creates a database cluster with @var{locale} as the default
12578 locale, stored in @var{data-directory}. It then listens on @var{port}.
12581 @deffn {Scheme Procedure} mysql-service [#:config (mysql-configuration)]
12582 Return a service that runs @command{mysqld}, the MySQL or MariaDB
12585 The optional @var{config} argument specifies the configuration for
12586 @command{mysqld}, which should be a @code{<mysql-configuration>} object.
12589 @deftp {Data Type} mysql-configuration
12590 Data type representing the configuration of @var{mysql-service}.
12593 @item @code{mysql} (default: @var{mariadb})
12594 Package object of the MySQL database server, can be either @var{mariadb}
12597 For MySQL, a temporary root password will be displayed at activation time.
12598 For MariaDB, the root password is empty.
12600 @item @code{port} (default: @code{3306})
12601 TCP port on which the database server listens for incoming connections.
12605 @defvr {Scheme Variable} memcached-service-type
12606 This is the service type for the @uref{https://memcached.org/,
12607 Memcached} service, which provides a distributed in memory cache. The
12608 value for the service type is a @code{memcached-configuration} object.
12612 (service memcached-service-type)
12615 @deftp {Data Type} memcached-configuration
12616 Data type representing the configuration of memcached.
12619 @item @code{memcached} (default: @code{memcached})
12620 The Memcached package to use.
12622 @item @code{interfaces} (default: @code{'("0.0.0.0")})
12623 Network interfaces on which to listen.
12625 @item @code{tcp-port} (default: @code{11211})
12626 Port on which to accept connections on,
12628 @item @code{udp-port} (default: @code{11211})
12629 Port on which to accept UDP connections on, a value of 0 will disable
12630 listening on a UDP socket.
12632 @item @code{additional-options} (default: @code{'()})
12633 Additional command line options to pass to @code{memcached}.
12637 @defvr {Scheme Variable} mongodb-service-type
12638 This is the service type for @uref{https://www.mongodb.com/, MongoDB}.
12639 The value for the service type is a @code{mongodb-configuration} object.
12643 (service mongodb-service-type)
12646 @deftp {Data Type} mongodb-configuration
12647 Data type representing the configuration of mongodb.
12650 @item @code{mongodb} (default: @code{mongodb})
12651 The MongoDB package to use.
12653 @item @code{config-file} (default: @code{%default-mongodb-configuration-file})
12654 The configuration file for MongoDB.
12656 @item @code{data-directory} (default: @code{"/var/lib/mongodb"})
12657 This value is used to create the directory, so that it exists and is
12658 owned by the mongodb user. It should match the data-directory which
12659 MongoDB is configured to use through the configuration file.
12663 @defvr {Scheme Variable} redis-service-type
12664 This is the service type for the @uref{https://redis.io/, Redis}
12665 key/value store, whose value is a @code{redis-configuration} object.
12668 @deftp {Data Type} redis-configuration
12669 Data type representing the configuration of redis.
12672 @item @code{redis} (default: @code{redis})
12673 The Redis package to use.
12675 @item @code{bind} (default: @code{"127.0.0.1"})
12676 Network interface on which to listen.
12678 @item @code{port} (default: @code{6379})
12679 Port on which to accept connections on, a value of 0 will disable
12680 listening on a TCP socket.
12682 @item @code{working-directory} (default: @code{"/var/lib/redis"})
12683 Directory in which to store the database and related files.
12687 @node Mail Services
12688 @subsubsection Mail Services
12692 The @code{(gnu services mail)} module provides Guix service definitions
12693 for email services: IMAP, POP3, and LMTP servers, as well as mail
12694 transport agents (MTAs). Lots of acronyms! These services are detailed
12695 in the subsections below.
12697 @subsubheading Dovecot Service
12699 @deffn {Scheme Procedure} dovecot-service [#:config (dovecot-configuration)]
12700 Return a service that runs the Dovecot IMAP/POP3/LMTP mail server.
12703 By default, Dovecot does not need much configuration; the default
12704 configuration object created by @code{(dovecot-configuration)} will
12705 suffice if your mail is delivered to @code{~/Maildir}. A self-signed
12706 certificate will be generated for TLS-protected connections, though
12707 Dovecot will also listen on cleartext ports by default. There are a
12708 number of options, though, which mail administrators might need to change,
12709 and as is the case with other services, Guix allows the system
12710 administrator to specify these parameters via a uniform Scheme interface.
12712 For example, to specify that mail is located at @code{maildir~/.mail},
12713 one would instantiate the Dovecot service like this:
12716 (dovecot-service #:config
12717 (dovecot-configuration
12718 (mail-location "maildir:~/.mail")))
12721 The available configuration parameters follow. Each parameter
12722 definition is preceded by its type; for example, @samp{string-list foo}
12723 indicates that the @code{foo} parameter should be specified as a list of
12724 strings. There is also a way to specify the configuration as a string,
12725 if you have an old @code{dovecot.conf} file that you want to port over
12726 from some other system; see the end for more details.
12728 @c The following documentation was initially generated by
12729 @c (generate-documentation) in (gnu services mail). Manually maintained
12730 @c documentation is better, so we shouldn't hesitate to edit below as
12731 @c needed. However if the change you want to make to this documentation
12732 @c can be done in an automated way, it's probably easier to change
12733 @c (generate-documentation) than to make it below and have to deal with
12734 @c the churn as dovecot updates.
12736 Available @code{dovecot-configuration} fields are:
12738 @deftypevr {@code{dovecot-configuration} parameter} package dovecot
12739 The dovecot package.
12742 @deftypevr {@code{dovecot-configuration} parameter} comma-separated-string-list listen
12743 A list of IPs or hosts where to listen for connections. @samp{*}
12744 listens on all IPv4 interfaces, @samp{::} listens on all IPv6
12745 interfaces. If you want to specify non-default ports or anything more
12746 complex, customize the address and port fields of the
12747 @samp{inet-listener} of the specific services you are interested in.
12750 @deftypevr {@code{dovecot-configuration} parameter} protocol-configuration-list protocols
12751 List of protocols we want to serve. Available protocols include
12752 @samp{imap}, @samp{pop3}, and @samp{lmtp}.
12754 Available @code{protocol-configuration} fields are:
12756 @deftypevr {@code{protocol-configuration} parameter} string name
12757 The name of the protocol.
12760 @deftypevr {@code{protocol-configuration} parameter} string auth-socket-path
12761 UNIX socket path to the master authentication server to find users.
12762 This is used by imap (for shared users) and lda.
12763 It defaults to @samp{"/var/run/dovecot/auth-userdb"}.
12766 @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list mail-plugins
12767 Space separated list of plugins to load.
12770 @deftypevr {@code{protocol-configuration} parameter} non-negative-integer mail-max-userip-connections
12771 Maximum number of IMAP connections allowed for a user from each IP
12772 address. NOTE: The username is compared case-sensitively.
12773 Defaults to @samp{10}.
12778 @deftypevr {@code{dovecot-configuration} parameter} service-configuration-list services
12779 List of services to enable. Available services include @samp{imap},
12780 @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and
12783 Available @code{service-configuration} fields are:
12785 @deftypevr {@code{service-configuration} parameter} string kind
12786 The service kind. Valid values include @code{director},
12787 @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap},
12788 @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict},
12789 @code{tcpwrap}, @code{quota-warning}, or anything else.
12792 @deftypevr {@code{service-configuration} parameter} listener-configuration-list listeners
12793 Listeners for the service. A listener is either a
12794 @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or
12795 an @code{inet-listener-configuration}.
12796 Defaults to @samp{()}.
12798 Available @code{unix-listener-configuration} fields are:
12800 @deftypevr {@code{unix-listener-configuration} parameter} string path
12801 Path to the file, relative to @code{base-dir} field. This is also used as
12805 @deftypevr {@code{unix-listener-configuration} parameter} string mode
12806 The access mode for the socket.
12807 Defaults to @samp{"0600"}.
12810 @deftypevr {@code{unix-listener-configuration} parameter} string user
12811 The user to own the socket.
12812 Defaults to @samp{""}.
12815 @deftypevr {@code{unix-listener-configuration} parameter} string group
12816 The group to own the socket.
12817 Defaults to @samp{""}.
12821 Available @code{fifo-listener-configuration} fields are:
12823 @deftypevr {@code{fifo-listener-configuration} parameter} string path
12824 Path to the file, relative to @code{base-dir} field. This is also used as
12828 @deftypevr {@code{fifo-listener-configuration} parameter} string mode
12829 The access mode for the socket.
12830 Defaults to @samp{"0600"}.
12833 @deftypevr {@code{fifo-listener-configuration} parameter} string user
12834 The user to own the socket.
12835 Defaults to @samp{""}.
12838 @deftypevr {@code{fifo-listener-configuration} parameter} string group
12839 The group to own the socket.
12840 Defaults to @samp{""}.
12844 Available @code{inet-listener-configuration} fields are:
12846 @deftypevr {@code{inet-listener-configuration} parameter} string protocol
12847 The protocol to listen for.
12850 @deftypevr {@code{inet-listener-configuration} parameter} string address
12851 The address on which to listen, or empty for all addresses.
12852 Defaults to @samp{""}.
12855 @deftypevr {@code{inet-listener-configuration} parameter} non-negative-integer port
12856 The port on which to listen.
12859 @deftypevr {@code{inet-listener-configuration} parameter} boolean ssl?
12860 Whether to use SSL for this service; @samp{yes}, @samp{no}, or
12862 Defaults to @samp{#t}.
12867 @deftypevr {@code{service-configuration} parameter} non-negative-integer service-count
12868 Number of connections to handle before starting a new process.
12869 Typically the only useful values are 0 (unlimited) or 1. 1 is more
12870 secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.
12871 Defaults to @samp{1}.
12874 @deftypevr {@code{service-configuration} parameter} non-negative-integer process-min-avail
12875 Number of processes to always keep waiting for more connections.
12876 Defaults to @samp{0}.
12879 @deftypevr {@code{service-configuration} parameter} non-negative-integer vsz-limit
12880 If you set @samp{service-count 0}, you probably need to grow
12882 Defaults to @samp{256000000}.
12887 @deftypevr {@code{dovecot-configuration} parameter} dict-configuration dict
12888 Dict configuration, as created by the @code{dict-configuration}
12891 Available @code{dict-configuration} fields are:
12893 @deftypevr {@code{dict-configuration} parameter} free-form-fields entries
12894 A list of key-value pairs that this dict should hold.
12895 Defaults to @samp{()}.
12900 @deftypevr {@code{dovecot-configuration} parameter} passdb-configuration-list passdbs
12901 A list of passdb configurations, each one created by the
12902 @code{passdb-configuration} constructor.
12904 Available @code{passdb-configuration} fields are:
12906 @deftypevr {@code{passdb-configuration} parameter} string driver
12907 The driver that the passdb should use. Valid values include
12908 @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and
12910 Defaults to @samp{"pam"}.
12913 @deftypevr {@code{passdb-configuration} parameter} space-separated-string-list args
12914 Space separated list of arguments to the passdb driver.
12915 Defaults to @samp{""}.
12920 @deftypevr {@code{dovecot-configuration} parameter} userdb-configuration-list userdbs
12921 List of userdb configurations, each one created by the
12922 @code{userdb-configuration} constructor.
12924 Available @code{userdb-configuration} fields are:
12926 @deftypevr {@code{userdb-configuration} parameter} string driver
12927 The driver that the userdb should use. Valid values include
12928 @samp{passwd} and @samp{static}.
12929 Defaults to @samp{"passwd"}.
12932 @deftypevr {@code{userdb-configuration} parameter} space-separated-string-list args
12933 Space separated list of arguments to the userdb driver.
12934 Defaults to @samp{""}.
12937 @deftypevr {@code{userdb-configuration} parameter} free-form-args override-fields
12938 Override fields from passwd.
12939 Defaults to @samp{()}.
12944 @deftypevr {@code{dovecot-configuration} parameter} plugin-configuration plugin-configuration
12945 Plug-in configuration, created by the @code{plugin-configuration}
12949 @deftypevr {@code{dovecot-configuration} parameter} list-of-namespace-configuration namespaces
12950 List of namespaces. Each item in the list is created by the
12951 @code{namespace-configuration} constructor.
12953 Available @code{namespace-configuration} fields are:
12955 @deftypevr {@code{namespace-configuration} parameter} string name
12956 Name for this namespace.
12959 @deftypevr {@code{namespace-configuration} parameter} string type
12960 Namespace type: @samp{private}, @samp{shared} or @samp{public}.
12961 Defaults to @samp{"private"}.
12964 @deftypevr {@code{namespace-configuration} parameter} string separator
12965 Hierarchy separator to use. You should use the same separator for
12966 all namespaces or some clients get confused. @samp{/} is usually a good
12967 one. The default however depends on the underlying mail storage
12969 Defaults to @samp{""}.
12972 @deftypevr {@code{namespace-configuration} parameter} string prefix
12973 Prefix required to access this namespace. This needs to be
12974 different for all namespaces. For example @samp{Public/}.
12975 Defaults to @samp{""}.
12978 @deftypevr {@code{namespace-configuration} parameter} string location
12979 Physical location of the mailbox. This is in the same format as
12980 mail_location, which is also the default for it.
12981 Defaults to @samp{""}.
12984 @deftypevr {@code{namespace-configuration} parameter} boolean inbox?
12985 There can be only one INBOX, and this setting defines which
12987 Defaults to @samp{#f}.
12990 @deftypevr {@code{namespace-configuration} parameter} boolean hidden?
12991 If namespace is hidden, it's not advertised to clients via NAMESPACE
12992 extension. You'll most likely also want to set @samp{list? #f}. This is mostly
12993 useful when converting from another server with different namespaces
12994 which you want to deprecate but still keep working. For example you can
12995 create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/}
12997 Defaults to @samp{#f}.
13000 @deftypevr {@code{namespace-configuration} parameter} boolean list?
13001 Show the mailboxes under this namespace with the LIST command. This
13002 makes the namespace visible for clients that do not support the NAMESPACE
13003 extension. The special @code{children} value lists child mailboxes, but
13004 hides the namespace prefix.
13005 Defaults to @samp{#t}.
13008 @deftypevr {@code{namespace-configuration} parameter} boolean subscriptions?
13009 Namespace handles its own subscriptions. If set to @code{#f}, the
13010 parent namespace handles them. The empty prefix should always have this
13012 Defaults to @samp{#t}.
13015 @deftypevr {@code{namespace-configuration} parameter} mailbox-configuration-list mailboxes
13016 List of predefined mailboxes in this namespace.
13017 Defaults to @samp{()}.
13019 Available @code{mailbox-configuration} fields are:
13021 @deftypevr {@code{mailbox-configuration} parameter} string name
13022 Name for this mailbox.
13025 @deftypevr {@code{mailbox-configuration} parameter} string auto
13026 @samp{create} will automatically create this mailbox.
13027 @samp{subscribe} will both create and subscribe to the mailbox.
13028 Defaults to @samp{"no"}.
13031 @deftypevr {@code{mailbox-configuration} parameter} space-separated-string-list special-use
13032 List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154.
13033 Valid values are @code{\All}, @code{\Archive}, @code{\Drafts},
13034 @code{\Flagged}, @code{\Junk}, @code{\Sent}, and @code{\Trash}.
13035 Defaults to @samp{()}.
13042 @deftypevr {@code{dovecot-configuration} parameter} file-name base-dir
13043 Base directory where to store runtime data.
13044 Defaults to @samp{"/var/run/dovecot/"}.
13047 @deftypevr {@code{dovecot-configuration} parameter} string login-greeting
13048 Greeting message for clients.
13049 Defaults to @samp{"Dovecot ready."}.
13052 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-trusted-networks
13053 List of trusted network ranges. Connections from these IPs are
13054 allowed to override their IP addresses and ports (for logging and for
13055 authentication checks). @samp{disable-plaintext-auth} is also ignored
13056 for these networks. Typically you would specify your IMAP proxy servers
13058 Defaults to @samp{()}.
13061 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-access-sockets
13062 List of login access check sockets (e.g. tcpwrap).
13063 Defaults to @samp{()}.
13066 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-proctitle?
13067 Show more verbose process titles (in ps). Currently shows user name
13068 and IP address. Useful for seeing who is actually using the IMAP
13069 processes (e.g. shared mailboxes or if the same uid is used for multiple
13071 Defaults to @samp{#f}.
13074 @deftypevr {@code{dovecot-configuration} parameter} boolean shutdown-clients?
13075 Should all processes be killed when Dovecot master process shuts down.
13076 Setting this to @code{#f} means that Dovecot can be upgraded without
13077 forcing existing client connections to close (although that could also
13078 be a problem if the upgrade is e.g. due to a security fix).
13079 Defaults to @samp{#t}.
13082 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer doveadm-worker-count
13083 If non-zero, run mail commands via this many connections to doveadm
13084 server, instead of running them directly in the same process.
13085 Defaults to @samp{0}.
13088 @deftypevr {@code{dovecot-configuration} parameter} string doveadm-socket-path
13089 UNIX socket or host:port used for connecting to doveadm server.
13090 Defaults to @samp{"doveadm-server"}.
13093 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list import-environment
13094 List of environment variables that are preserved on Dovecot startup
13095 and passed down to all of its child processes. You can also give
13096 key=value pairs to always set specific settings.
13099 @deftypevr {@code{dovecot-configuration} parameter} boolean disable-plaintext-auth?
13100 Disable LOGIN command and all other plaintext authentications unless
13101 SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
13102 matches the local IP (i.e. you're connecting from the same computer),
13103 the connection is considered secure and plaintext authentication is
13104 allowed. See also ssl=required setting.
13105 Defaults to @samp{#t}.
13108 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-cache-size
13109 Authentication cache size (e.g. @samp{#e10e6}). 0 means it's disabled.
13110 Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set
13111 for caching to be used.
13112 Defaults to @samp{0}.
13115 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-ttl
13116 Time to live for cached data. After TTL expires the cached record
13117 is no longer used, *except* if the main database lookup returns internal
13118 failure. We also try to handle password changes automatically: If
13119 user's previous authentication was successful, but this one wasn't, the
13120 cache isn't used. For now this works only with plaintext
13122 Defaults to @samp{"1 hour"}.
13125 @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-negative-ttl
13126 TTL for negative hits (user not found, password mismatch).
13127 0 disables caching them completely.
13128 Defaults to @samp{"1 hour"}.
13131 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-realms
13132 List of realms for SASL authentication mechanisms that need them.
13133 You can leave it empty if you don't want to support multiple realms.
13134 Many clients simply use the first one listed here, so keep the default
13136 Defaults to @samp{()}.
13139 @deftypevr {@code{dovecot-configuration} parameter} string auth-default-realm
13140 Default realm/domain to use if none was specified. This is used for
13141 both SASL realms and appending @@domain to username in plaintext
13143 Defaults to @samp{""}.
13146 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-chars
13147 List of allowed characters in username. If the user-given username
13148 contains a character not listed in here, the login automatically fails.
13149 This is just an extra check to make sure user can't exploit any
13150 potential quote escaping vulnerabilities with SQL/LDAP databases. If
13151 you want to allow all characters, set this value to empty.
13152 Defaults to @samp{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@@"}.
13155 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-translation
13156 Username character translations before it's looked up from
13157 databases. The value contains series of from -> to characters. For
13158 example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are
13159 translated to @samp{@@}.
13160 Defaults to @samp{""}.
13163 @deftypevr {@code{dovecot-configuration} parameter} string auth-username-format
13164 Username formatting before it's looked up from databases. You can
13165 use the standard variables here, e.g. %Lu would lowercase the username,
13166 %n would drop away the domain if it was given, or @samp{%n-AT-%d} would
13167 change the @samp{@@} into @samp{-AT-}. This translation is done after
13168 @samp{auth-username-translation} changes.
13169 Defaults to @samp{"%Lu"}.
13172 @deftypevr {@code{dovecot-configuration} parameter} string auth-master-user-separator
13173 If you want to allow master users to log in by specifying the master
13174 username within the normal username string (i.e. not using SASL
13175 mechanism's support for it), you can specify the separator character
13176 here. The format is then <username><separator><master username>.
13177 UW-IMAP uses @samp{*} as the separator, so that could be a good
13179 Defaults to @samp{""}.
13182 @deftypevr {@code{dovecot-configuration} parameter} string auth-anonymous-username
13183 Username to use for users logging in with ANONYMOUS SASL
13185 Defaults to @samp{"anonymous"}.
13188 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-worker-max-count
13189 Maximum number of dovecot-auth worker processes. They're used to
13190 execute blocking passdb and userdb queries (e.g. MySQL and PAM).
13191 They're automatically created and destroyed as needed.
13192 Defaults to @samp{30}.
13195 @deftypevr {@code{dovecot-configuration} parameter} string auth-gssapi-hostname
13196 Host name to use in GSSAPI principal names. The default is to use
13197 the name returned by gethostname(). Use @samp{$ALL} (with quotes) to
13198 allow all keytab entries.
13199 Defaults to @samp{""}.
13202 @deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab
13203 Kerberos keytab to use for the GSSAPI mechanism. Will use the
13204 system default (usually @file{/etc/krb5.keytab}) if not specified. You may
13205 need to change the auth service to run as root to be able to read this
13207 Defaults to @samp{""}.
13210 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-use-winbind?
13211 Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon
13212 and @samp{ntlm-auth} helper.
13213 <doc/wiki/Authentication/Mechanisms/Winbind.txt>.
13214 Defaults to @samp{#f}.
13217 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-winbind-helper-path
13218 Path for Samba's @samp{ntlm-auth} helper binary.
13219 Defaults to @samp{"/usr/bin/ntlm_auth"}.
13222 @deftypevr {@code{dovecot-configuration} parameter} string auth-failure-delay
13223 Time to delay before replying to failed authentications.
13224 Defaults to @samp{"2 secs"}.
13227 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
13228 Require a valid SSL client certificate or the authentication
13230 Defaults to @samp{#f}.
13233 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-username-from-cert?
13234 Take the username from client's SSL certificate, using
13235 @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's
13237 Defaults to @samp{#f}.
13240 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-mechanisms
13241 List of wanted authentication mechanisms. Supported mechanisms are:
13242 @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5},
13243 @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi},
13244 @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also
13245 @samp{disable-plaintext-auth} setting.
13248 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-servers
13249 List of IPs or hostnames to all director servers, including ourself.
13250 Ports can be specified as ip:port. The default port is the same as what
13251 director service's @samp{inet-listener} is using.
13252 Defaults to @samp{()}.
13255 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-mail-servers
13256 List of IPs or hostnames to all backend mail servers. Ranges are
13257 allowed too, like 10.0.0.10-10.0.0.30.
13258 Defaults to @samp{()}.
13261 @deftypevr {@code{dovecot-configuration} parameter} string director-user-expire
13262 How long to redirect users to a specific server after it no longer
13263 has any connections.
13264 Defaults to @samp{"15 min"}.
13267 @deftypevr {@code{dovecot-configuration} parameter} string director-username-hash
13268 How the username is translated before being hashed. Useful values
13269 include %Ln if user can log in with or without @@domain, %Ld if mailboxes
13270 are shared within domain.
13271 Defaults to @samp{"%Lu"}.
13274 @deftypevr {@code{dovecot-configuration} parameter} string log-path
13275 Log file to use for error messages. @samp{syslog} logs to syslog,
13276 @samp{/dev/stderr} logs to stderr.
13277 Defaults to @samp{"syslog"}.
13280 @deftypevr {@code{dovecot-configuration} parameter} string info-log-path
13281 Log file to use for informational messages. Defaults to
13283 Defaults to @samp{""}.
13286 @deftypevr {@code{dovecot-configuration} parameter} string debug-log-path
13287 Log file to use for debug messages. Defaults to
13288 @samp{info-log-path}.
13289 Defaults to @samp{""}.
13292 @deftypevr {@code{dovecot-configuration} parameter} string syslog-facility
13293 Syslog facility to use if you're logging to syslog. Usually if you
13294 don't want to use @samp{mail}, you'll use local0..local7. Also other
13295 standard facilities are supported.
13296 Defaults to @samp{"mail"}.
13299 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose?
13300 Log unsuccessful authentication attempts and the reasons why they
13302 Defaults to @samp{#f}.
13305 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose-passwords?
13306 In case of password mismatches, log the attempted password. Valid
13307 values are no, plain and sha1. sha1 can be useful for detecting brute
13308 force password attempts vs. user simply trying the same password over
13309 and over again. You can also truncate the value to n chars by appending
13310 ":n" (e.g. sha1:6).
13311 Defaults to @samp{#f}.
13314 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug?
13315 Even more verbose logging for debugging purposes. Shows for example
13317 Defaults to @samp{#f}.
13320 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug-passwords?
13321 In case of password mismatches, log the passwords and used scheme so
13322 the problem can be debugged. Enabling this also enables
13324 Defaults to @samp{#f}.
13327 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-debug?
13328 Enable mail process debugging. This can help you figure out why
13329 Dovecot isn't finding your mails.
13330 Defaults to @samp{#f}.
13333 @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-ssl?
13334 Show protocol level SSL errors.
13335 Defaults to @samp{#f}.
13338 @deftypevr {@code{dovecot-configuration} parameter} string log-timestamp
13339 Prefix for each line written to log file. % codes are in
13340 strftime(3) format.
13341 Defaults to @samp{"\"%b %d %H:%M:%S \""}.
13344 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-log-format-elements
13345 List of elements we want to log. The elements which have a
13346 non-empty variable value are joined together to form a comma-separated
13350 @deftypevr {@code{dovecot-configuration} parameter} string login-log-format
13351 Login log format. %s contains @samp{login-log-format-elements}
13352 string, %$ contains the data we want to log.
13353 Defaults to @samp{"%$: %s"}.
13356 @deftypevr {@code{dovecot-configuration} parameter} string mail-log-prefix
13357 Log prefix for mail processes. See doc/wiki/Variables.txt for list
13358 of possible variables you can use.
13359 Defaults to @samp{"\"%s(%u)<%@{pid@}><%@{session@}>: \""}.
13362 @deftypevr {@code{dovecot-configuration} parameter} string deliver-log-format
13363 Format to use for logging mail deliveries. You can use variables:
13366 Delivery status message (e.g. @samp{saved to INBOX})
13378 Defaults to @samp{"msgid=%m: %$"}.
13381 @deftypevr {@code{dovecot-configuration} parameter} string mail-location
13382 Location for users' mailboxes. The default is empty, which means
13383 that Dovecot tries to find the mailboxes automatically. This won't work
13384 if the user doesn't yet have any mail, so you should explicitly tell
13385 Dovecot the full location.
13387 If you're using mbox, giving a path to the INBOX
13388 file (e.g. /var/mail/%u) isn't enough. You'll also need to tell Dovecot
13389 where the other mailboxes are kept. This is called the "root mail
13390 directory", and it must be the first path given in the
13391 @samp{mail-location} setting.
13393 There are a few special variables you can use, eg.:
13399 user part in user@@domain, same as %u if there's no domain
13401 domain part in user@@domain, empty if there's no domain
13406 See doc/wiki/Variables.txt for full list. Some examples:
13408 @item maildir:~/Maildir
13409 @item mbox:~/mail:INBOX=/var/mail/%u
13410 @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%
13412 Defaults to @samp{""}.
13415 @deftypevr {@code{dovecot-configuration} parameter} string mail-uid
13416 System user and group used to access mails. If you use multiple,
13417 userdb can override these by returning uid or gid fields. You can use
13418 either numbers or names. <doc/wiki/UserIds.txt>.
13419 Defaults to @samp{""}.
13422 @deftypevr {@code{dovecot-configuration} parameter} string mail-gid
13424 Defaults to @samp{""}.
13427 @deftypevr {@code{dovecot-configuration} parameter} string mail-privileged-group
13428 Group to enable temporarily for privileged operations. Currently
13429 this is used only with INBOX when either its initial creation or
13430 dotlocking fails. Typically this is set to "mail" to give access to
13432 Defaults to @samp{""}.
13435 @deftypevr {@code{dovecot-configuration} parameter} string mail-access-groups
13436 Grant access to these supplementary groups for mail processes.
13437 Typically these are used to set up access to shared mailboxes. Note
13438 that it may be dangerous to set these if users can create
13439 symlinks (e.g. if "mail" group is set here, ln -s /var/mail ~/mail/var
13440 could allow a user to delete others' mailboxes, or ln -s
13441 /secret/shared/box ~/mail/mybox would allow reading it).
13442 Defaults to @samp{""}.
13445 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-full-filesystem-access?
13446 Allow full file system access to clients. There's no access checks
13447 other than what the operating system does for the active UID/GID. It
13448 works with both maildir and mboxes, allowing you to prefix mailboxes
13449 names with e.g. /path/ or ~user/.
13450 Defaults to @samp{#f}.
13453 @deftypevr {@code{dovecot-configuration} parameter} boolean mmap-disable?
13454 Don't use mmap() at all. This is required if you store indexes to
13455 shared file systems (NFS or clustered file system).
13456 Defaults to @samp{#f}.
13459 @deftypevr {@code{dovecot-configuration} parameter} boolean dotlock-use-excl?
13460 Rely on @samp{O_EXCL} to work when creating dotlock files. NFS
13461 supports @samp{O_EXCL} since version 3, so this should be safe to use
13462 nowadays by default.
13463 Defaults to @samp{#t}.
13466 @deftypevr {@code{dovecot-configuration} parameter} string mail-fsync
13467 When to use fsync() or fdatasync() calls:
13470 Whenever necessary to avoid losing important data
13472 Useful with e.g. NFS when write()s are delayed
13474 Never use it (best performance, but crashes can lose data).
13476 Defaults to @samp{"optimized"}.
13479 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-storage?
13480 Mail storage exists in NFS. Set this to yes to make Dovecot flush
13481 NFS caches whenever needed. If you're using only a single mail server
13483 Defaults to @samp{#f}.
13486 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-index?
13487 Mail index files also exist in NFS. Setting this to yes requires
13488 @samp{mmap-disable? #t} and @samp{fsync-disable? #f}.
13489 Defaults to @samp{#f}.
13492 @deftypevr {@code{dovecot-configuration} parameter} string lock-method
13493 Locking method for index files. Alternatives are fcntl, flock and
13494 dotlock. Dotlocking uses some tricks which may create more disk I/O
13495 than other locking methods. NFS users: flock doesn't work, remember to
13496 change @samp{mmap-disable}.
13497 Defaults to @samp{"fcntl"}.
13500 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-temp-dir
13501 Directory in which LDA/LMTP temporarily stores incoming mails >128
13503 Defaults to @samp{"/tmp"}.
13506 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-uid
13507 Valid UID range for users. This is mostly to make sure that users can't
13508 log in as daemons or other system users. Note that denying root logins is
13509 hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid}
13511 Defaults to @samp{500}.
13514 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-uid
13516 Defaults to @samp{0}.
13519 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-gid
13520 Valid GID range for users. Users having non-valid GID as primary group ID
13521 aren't allowed to log in. If user belongs to supplementary groups with
13522 non-valid GIDs, those groups are not set.
13523 Defaults to @samp{1}.
13526 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-gid
13528 Defaults to @samp{0}.
13531 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-max-keyword-length
13532 Maximum allowed length for mail keyword name. It's only forced when
13533 trying to create new keywords.
13534 Defaults to @samp{50}.
13537 @deftypevr {@code{dovecot-configuration} parameter} colon-separated-file-name-list valid-chroot-dirs
13538 List of directories under which chrooting is allowed for mail
13539 processes (i.e. /var/mail will allow chrooting to /var/mail/foo/bar
13540 too). This setting doesn't affect @samp{login-chroot}
13541 @samp{mail-chroot} or auth chroot settings. If this setting is empty,
13542 "/./" in home dirs are ignored. WARNING: Never add directories here
13543 which local users can modify, that may lead to root exploit. Usually
13544 this should be done only if you don't allow shell access for users.
13545 <doc/wiki/Chrooting.txt>.
13546 Defaults to @samp{()}.
13549 @deftypevr {@code{dovecot-configuration} parameter} string mail-chroot
13550 Default chroot directory for mail processes. This can be overridden
13551 for specific users in user database by giving /./ in user's home
13552 directory (e.g. /home/./user chroots into /home). Note that usually
13553 there is no real need to do chrooting, Dovecot doesn't allow users to
13554 access files outside their mail directory anyway. If your home
13555 directories are prefixed with the chroot directory, append "/." to
13556 @samp{mail-chroot}. <doc/wiki/Chrooting.txt>.
13557 Defaults to @samp{""}.
13560 @deftypevr {@code{dovecot-configuration} parameter} file-name auth-socket-path
13561 UNIX socket path to master authentication server to find users.
13562 This is used by imap (for shared users) and lda.
13563 Defaults to @samp{"/var/run/dovecot/auth-userdb"}.
13566 @deftypevr {@code{dovecot-configuration} parameter} file-name mail-plugin-dir
13567 Directory where to look up mail plugins.
13568 Defaults to @samp{"/usr/lib/dovecot"}.
13571 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mail-plugins
13572 List of plugins to load for all services. Plugins specific to IMAP,
13573 LDA, etc. are added to this list in their own .conf files.
13574 Defaults to @samp{()}.
13577 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-cache-min-mail-count
13578 The minimum number of mails in a mailbox before updates are done to
13579 cache file. This allows optimizing Dovecot's behavior to do less disk
13580 writes at the cost of more disk reads.
13581 Defaults to @samp{0}.
13584 @deftypevr {@code{dovecot-configuration} parameter} string mailbox-idle-check-interval
13585 When IDLE command is running, mailbox is checked once in a while to
13586 see if there are any new mails or other changes. This setting defines
13587 the minimum time to wait between those checks. Dovecot can also use
13588 dnotify, inotify and kqueue to find out immediately when changes
13590 Defaults to @samp{"30 secs"}.
13593 @deftypevr {@code{dovecot-configuration} parameter} boolean mail-save-crlf?
13594 Save mails with CR+LF instead of plain LF. This makes sending those
13595 mails take less CPU, especially with sendfile() syscall with Linux and
13596 FreeBSD. But it also creates a bit more disk I/O which may just make it
13597 slower. Also note that if other software reads the mboxes/maildirs,
13598 they may handle the extra CRs wrong and cause problems.
13599 Defaults to @samp{#f}.
13602 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-stat-dirs?
13603 By default LIST command returns all entries in maildir beginning
13604 with a dot. Enabling this option makes Dovecot return only entries
13605 which are directories. This is done by stat()ing each entry, so it
13606 causes more disk I/O.
13607 (For systems setting struct @samp{dirent->d_type} this check is free
13608 and it's done always regardless of this setting).
13609 Defaults to @samp{#f}.
13612 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-copy-with-hardlinks?
13613 When copying a message, do it with hard links whenever possible.
13614 This makes the performance much better, and it's unlikely to have any
13616 Defaults to @samp{#t}.
13619 @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-very-dirty-syncs?
13620 Assume Dovecot is the only MUA accessing Maildir: Scan cur/
13621 directory only when its mtime changes unexpectedly or when we can't find
13622 the mail otherwise.
13623 Defaults to @samp{#f}.
13626 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-read-locks
13627 Which locking methods to use for locking mbox. There are four
13632 Create <mailbox>.lock file. This is the oldest and most NFS-safe
13633 solution. If you want to use /var/mail/ like directory, the users will
13634 need write access to that directory.
13636 Same as dotlock, but if it fails because of permissions or because there
13637 isn't enough disk space, just skip it.
13639 Use this if possible. Works with NFS too if lockd is used.
13641 May not exist in all systems. Doesn't work with NFS.
13643 May not exist in all systems. Doesn't work with NFS.
13646 You can use multiple locking methods; if you do the order they're declared
13647 in is important to avoid deadlocks if other MTAs/MUAs are using multiple
13648 locking methods as well. Some operating systems don't allow using some of
13649 them simultaneously.
13652 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-write-locks
13656 @deftypevr {@code{dovecot-configuration} parameter} string mbox-lock-timeout
13657 Maximum time to wait for lock (all of them) before aborting.
13658 Defaults to @samp{"5 mins"}.
13661 @deftypevr {@code{dovecot-configuration} parameter} string mbox-dotlock-change-timeout
13662 If dotlock exists but the mailbox isn't modified in any way,
13663 override the lock file after this much time.
13664 Defaults to @samp{"2 mins"}.
13667 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-dirty-syncs?
13668 When mbox changes unexpectedly we have to fully read it to find out
13669 what changed. If the mbox is large this can take a long time. Since
13670 the change is usually just a newly appended mail, it'd be faster to
13671 simply read the new mails. If this setting is enabled, Dovecot does
13672 this but still safely fallbacks to re-reading the whole mbox file
13673 whenever something in mbox isn't how it's expected to be. The only real
13674 downside to this setting is that if some other MUA changes message
13675 flags, Dovecot doesn't notice it immediately. Note that a full sync is
13676 done with SELECT, EXAMINE, EXPUNGE and CHECK commands.
13677 Defaults to @samp{#t}.
13680 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-very-dirty-syncs?
13681 Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT,
13682 EXAMINE, EXPUNGE or CHECK commands. If this is set,
13683 @samp{mbox-dirty-syncs} is ignored.
13684 Defaults to @samp{#f}.
13687 @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-lazy-writes?
13688 Delay writing mbox headers until doing a full write sync (EXPUNGE
13689 and CHECK commands and when closing the mailbox). This is especially
13690 useful for POP3 where clients often delete all mails. The downside is
13691 that our changes aren't immediately visible to other MUAs.
13692 Defaults to @samp{#t}.
13695 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mbox-min-index-size
13696 If mbox size is smaller than this (e.g. 100k), don't write index
13697 files. If an index file already exists it's still read, just not
13699 Defaults to @samp{0}.
13702 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mdbox-rotate-size
13703 Maximum dbox file size until it's rotated.
13704 Defaults to @samp{10000000}.
13707 @deftypevr {@code{dovecot-configuration} parameter} string mdbox-rotate-interval
13708 Maximum dbox file age until it's rotated. Typically in days. Day
13709 begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check
13711 Defaults to @samp{"1d"}.
13714 @deftypevr {@code{dovecot-configuration} parameter} boolean mdbox-preallocate-space?
13715 When creating new mdbox files, immediately preallocate their size to
13716 @samp{mdbox-rotate-size}. This setting currently works only in Linux
13717 with some file systems (ext4, xfs).
13718 Defaults to @samp{#f}.
13721 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-dir
13722 sdbox and mdbox support saving mail attachments to external files,
13723 which also allows single instance storage for them. Other backends
13724 don't support this for now.
13726 WARNING: This feature hasn't been tested much yet. Use at your own risk.
13728 Directory root where to store mail attachments. Disabled, if empty.
13729 Defaults to @samp{""}.
13732 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-attachment-min-size
13733 Attachments smaller than this aren't saved externally. It's also
13734 possible to write a plugin to disable saving specific attachments
13736 Defaults to @samp{128000}.
13739 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-fs
13740 File system backend to use for saving attachments:
13743 No SiS done by Dovecot (but this might help FS's own deduplication)
13745 SiS with immediate byte-by-byte comparison during saving
13746 @item sis-queue posix
13747 SiS with delayed comparison and deduplication.
13749 Defaults to @samp{"sis posix"}.
13752 @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-hash
13753 Hash format to use in attachment filenames. You can add any text and
13754 variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}},
13755 @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be
13756 truncated, e.g. @code{%@{sha256:80@}} returns only first 80 bits.
13757 Defaults to @samp{"%@{sha1@}"}.
13760 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-process-limit
13762 Defaults to @samp{100}.
13765 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-client-limit
13767 Defaults to @samp{1000}.
13770 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-vsz-limit
13771 Default VSZ (virtual memory size) limit for service processes.
13772 This is mainly intended to catch and kill processes that leak memory
13773 before they eat up everything.
13774 Defaults to @samp{256000000}.
13777 @deftypevr {@code{dovecot-configuration} parameter} string default-login-user
13778 Login user is internally used by login processes. This is the most
13779 untrusted user in Dovecot system. It shouldn't have access to anything
13781 Defaults to @samp{"dovenull"}.
13784 @deftypevr {@code{dovecot-configuration} parameter} string default-internal-user
13785 Internal user is used by unprivileged processes. It should be
13786 separate from login user, so that login processes can't disturb other
13788 Defaults to @samp{"dovecot"}.
13791 @deftypevr {@code{dovecot-configuration} parameter} string ssl?
13792 SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>.
13793 Defaults to @samp{"required"}.
13796 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert
13797 PEM encoded X.509 SSL/TLS certificate (public key).
13798 Defaults to @samp{"</etc/dovecot/default.pem"}.
13801 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key
13802 PEM encoded SSL/TLS private key. The key is opened before
13803 dropping root privileges, so keep the key file unreadable by anyone but
13805 Defaults to @samp{"</etc/dovecot/private/default.pem"}.
13808 @deftypevr {@code{dovecot-configuration} parameter} string ssl-key-password
13809 If key file is password protected, give the password here.
13810 Alternatively give it when starting dovecot with -p parameter. Since
13811 this file is often world-readable, you may want to place this setting
13812 instead to a different.
13813 Defaults to @samp{""}.
13816 @deftypevr {@code{dovecot-configuration} parameter} string ssl-ca
13817 PEM encoded trusted certificate authority. Set this only if you
13818 intend to use @samp{ssl-verify-client-cert? #t}. The file should
13819 contain the CA certificate(s) followed by the matching
13820 CRL(s). (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).
13821 Defaults to @samp{""}.
13824 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-require-crl?
13825 Require that CRL check succeeds for client certificates.
13826 Defaults to @samp{#t}.
13829 @deftypevr {@code{dovecot-configuration} parameter} boolean ssl-verify-client-cert?
13830 Request client to send a certificate. If you also want to require
13831 it, set @samp{auth-ssl-require-client-cert? #t} in auth section.
13832 Defaults to @samp{#f}.
13835 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert-username-field
13836 Which field from certificate to use for username. commonName and
13837 x500UniqueIdentifier are the usual choices. You'll also need to set
13838 @samp{auth-ssl-username-from-cert? #t}.
13839 Defaults to @samp{"commonName"}.
13842 @deftypevr {@code{dovecot-configuration} parameter} string ssl-min-protocol
13843 Minimum SSL protocol version to accept.
13844 Defaults to @samp{"TLSv1"}.
13847 @deftypevr {@code{dovecot-configuration} parameter} string ssl-cipher-list
13848 SSL ciphers to use.
13849 Defaults to @samp{"ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@@STRENGTH"}.
13852 @deftypevr {@code{dovecot-configuration} parameter} string ssl-crypto-device
13853 SSL crypto device to use, for valid values run "openssl engine".
13854 Defaults to @samp{""}.
13857 @deftypevr {@code{dovecot-configuration} parameter} string postmaster-address
13858 Address to use when sending rejection mails.
13859 %d expands to recipient domain.
13860 Defaults to @samp{"postmaster@@%d"}.
13863 @deftypevr {@code{dovecot-configuration} parameter} string hostname
13864 Hostname to use in various parts of sent mails (e.g. in Message-Id)
13865 and in LMTP replies. Default is the system's real hostname@@domain.
13866 Defaults to @samp{""}.
13869 @deftypevr {@code{dovecot-configuration} parameter} boolean quota-full-tempfail?
13870 If user is over quota, return with temporary failure instead of
13872 Defaults to @samp{#f}.
13875 @deftypevr {@code{dovecot-configuration} parameter} file-name sendmail-path
13876 Binary to use for sending mails.
13877 Defaults to @samp{"/usr/sbin/sendmail"}.
13880 @deftypevr {@code{dovecot-configuration} parameter} string submission-host
13881 If non-empty, send mails via this SMTP host[:port] instead of
13883 Defaults to @samp{""}.
13886 @deftypevr {@code{dovecot-configuration} parameter} string rejection-subject
13887 Subject: header to use for rejection mails. You can use the same
13888 variables as for @samp{rejection-reason} below.
13889 Defaults to @samp{"Rejected: %s"}.
13892 @deftypevr {@code{dovecot-configuration} parameter} string rejection-reason
13893 Human readable error message for rejection mails. You can use
13906 Defaults to @samp{"Your message to <%t> was automatically rejected:%n%r"}.
13909 @deftypevr {@code{dovecot-configuration} parameter} string recipient-delimiter
13910 Delimiter character between local-part and detail in email
13912 Defaults to @samp{"+"}.
13915 @deftypevr {@code{dovecot-configuration} parameter} string lda-original-recipient-header
13916 Header where the original recipient address (SMTP's RCPT TO:
13917 address) is taken from if not available elsewhere. With dovecot-lda -a
13918 parameter overrides this. A commonly used header for this is
13920 Defaults to @samp{""}.
13923 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autocreate?
13924 Should saving a mail to a nonexistent mailbox automatically create
13926 Defaults to @samp{#f}.
13929 @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autosubscribe?
13930 Should automatically created mailboxes be also automatically
13932 Defaults to @samp{#f}.
13935 @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer imap-max-line-length
13936 Maximum IMAP command line length. Some clients generate very long
13937 command lines with huge mailboxes, so you may need to raise this if you
13938 get "Too long argument" or "IMAP command line too large" errors
13940 Defaults to @samp{64000}.
13943 @deftypevr {@code{dovecot-configuration} parameter} string imap-logout-format
13944 IMAP logout format string:
13947 total number of bytes read from client
13949 total number of bytes sent to client.
13951 See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.
13952 Defaults to @samp{"in=%i out=%o deleted=%@{deleted@} expunged=%@{expunged@} trashed=%@{trashed@} hdr_count=%@{fetch_hdr_count@} hdr_bytes=%@{fetch_hdr_bytes@} body_count=%@{fetch_body_count@} body_bytes=%@{fetch_body_bytes@}"}.
13955 @deftypevr {@code{dovecot-configuration} parameter} string imap-capability
13956 Override the IMAP CAPABILITY response. If the value begins with '+',
13957 add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
13958 Defaults to @samp{""}.
13961 @deftypevr {@code{dovecot-configuration} parameter} string imap-idle-notify-interval
13962 How long to wait between "OK Still here" notifications when client
13964 Defaults to @samp{"2 mins"}.
13967 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-send
13968 ID field names and values to send to clients. Using * as the value
13969 makes Dovecot use the default value. The following fields have default
13970 values currently: name, version, os, os-version, support-url,
13972 Defaults to @samp{""}.
13975 @deftypevr {@code{dovecot-configuration} parameter} string imap-id-log
13976 ID fields sent by client to log. * means everything.
13977 Defaults to @samp{""}.
13980 @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list imap-client-workarounds
13981 Workarounds for various client bugs:
13984 @item delay-newmail
13985 Send EXISTS/RECENT new mail notifications only when replying to NOOP and
13986 CHECK commands. Some clients ignore them otherwise, for example OSX
13987 Mail (<v2.1). Outlook Express breaks more badly though, without this it
13988 may show user "Message no longer in server" errors. Note that OE6
13989 still breaks even with this workaround if synchronization is set to
13992 @item tb-extra-mailbox-sep
13993 Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
13994 adds extra @samp{/} suffixes to mailbox names. This option causes Dovecot to
13995 ignore the extra @samp{/} instead of treating it as invalid mailbox name.
13997 @item tb-lsub-flags
13998 Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
13999 This makes Thunderbird realize they aren't selectable and show them
14000 greyed out, instead of only later giving "not selectable" popup error.
14002 Defaults to @samp{()}.
14005 @deftypevr {@code{dovecot-configuration} parameter} string imap-urlauth-host
14006 Host allowed in URLAUTH URLs sent by client. "*" allows all.
14007 Defaults to @samp{""}.
14011 Whew! Lots of configuration options. The nice thing about it though is
14012 that GuixSD has a complete interface to Dovecot's configuration
14013 language. This allows not only a nice way to declare configurations,
14014 but also offers reflective capabilities as well: users can write code to
14015 inspect and transform configurations from within Scheme.
14017 However, it could be that you just want to get a @code{dovecot.conf} up
14018 and running. In that case, you can pass an
14019 @code{opaque-dovecot-configuration} as the @code{#:config} parameter to
14020 @code{dovecot-service}. As its name indicates, an opaque configuration
14021 does not have easy reflective capabilities.
14023 Available @code{opaque-dovecot-configuration} fields are:
14025 @deftypevr {@code{opaque-dovecot-configuration} parameter} package dovecot
14026 The dovecot package.
14029 @deftypevr {@code{opaque-dovecot-configuration} parameter} string string
14030 The contents of the @code{dovecot.conf}, as a string.
14033 For example, if your @code{dovecot.conf} is just the empty string, you
14034 could instantiate a dovecot service like this:
14037 (dovecot-service #:config
14038 (opaque-dovecot-configuration
14042 @subsubheading OpenSMTPD Service
14044 @deffn {Scheme Variable} opensmtpd-service-type
14045 This is the type of the @uref{https://www.opensmtpd.org, OpenSMTPD}
14046 service, whose value should be an @code{opensmtpd-configuration} object
14047 as in this example:
14050 (service opensmtpd-service-type
14051 (opensmtpd-configuration
14052 (config-file (local-file "./my-smtpd.conf"))))
14056 @deftp {Data Type} opensmtpd-configuration
14057 Data type representing the configuration of opensmtpd.
14060 @item @code{package} (default: @var{opensmtpd})
14061 Package object of the OpenSMTPD SMTP server.
14063 @item @code{config-file} (default: @var{%default-opensmtpd-file})
14064 File-like object of the OpenSMTPD configuration file to use. By default
14065 it listens on the loopback network interface, and allows for mail from
14066 users and daemons on the local machine, as well as permitting email to
14067 remote servers. Run @command{man smtpd.conf} for more information.
14072 @subsubheading Exim Service
14074 @cindex mail transfer agent (MTA)
14075 @cindex MTA (mail transfer agent)
14078 @deffn {Scheme Variable} exim-service-type
14079 This is the type of the @uref{https://exim.org, Exim} mail transfer
14080 agent (MTA), whose value should be an @code{exim-configuration} object
14081 as in this example:
14084 (service exim-service-type
14085 (exim-configuration
14086 (config-file (local-file "./my-exim.conf"))))
14090 In order to use an @code{exim-service-type} service you must also have a
14091 @code{mail-aliases-service-type} service present in your
14092 @code{operating-system} (even if it has no aliases).
14094 @deftp {Data Type} exim-configuration
14095 Data type representing the configuration of exim.
14098 @item @code{package} (default: @var{exim})
14099 Package object of the Exim server.
14101 @item @code{config-file} (default: @code{#f})
14102 File-like object of the Exim configuration file to use. If its value is
14103 @code{#f} then use the default configuration file from the package
14104 provided in @code{package}. The resulting configuration file is loaded
14105 after setting the @code{exim_user} and @code{exim_group} configuration
14111 @subsubheading Mail Aliases Service
14113 @cindex email aliases
14114 @cindex aliases, for email addresses
14116 @deffn {Scheme Variable} mail-aliases-service-type
14117 This is the type of the service which provides @code{/etc/aliases},
14118 specifying how to deliver mail to users on this system.
14121 (service mail-aliases-service-type
14122 '(("postmaster" "bob")
14123 ("bob" "bob@@example.com" "bob@@example2.com")))
14127 The configuration for a @code{mail-aliases-service-type} service is an
14128 association list denoting how to deliver mail that comes to this
14129 system. Each entry is of the form @code{(alias addresses ...)}, with
14130 @code{alias} specifying the local alias and @code{addresses} specifying
14131 where to deliver this user's mail.
14133 The aliases aren't required to exist as users on the local system. In
14134 the above example, there doesn't need to be a @code{postmaster} entry in
14135 the @code{operating-system}'s @code{user-accounts} in order to deliver
14136 the @code{postmaster} mail to @code{bob} (which subsequently would
14137 deliver mail to @code{bob@@example.com} and @code{bob@@example2.com}).
14139 @node Messaging Services
14140 @subsubsection Messaging Services
14145 The @code{(gnu services messaging)} module provides Guix service
14146 definitions for messaging services: currently only Prosody is supported.
14148 @subsubheading Prosody Service
14150 @deffn {Scheme Variable} prosody-service-type
14151 This is the type for the @uref{https://prosody.im, Prosody XMPP
14152 communication server}. Its value must be a @code{prosody-configuration}
14153 record as in this example:
14156 (service prosody-service-type
14157 (prosody-configuration
14158 (modules-enabled (cons "groups" "mam" %default-modules-enabled))
14161 (int-component-configuration
14162 (hostname "conference.example.net")
14164 (mod-muc (mod-muc-configuration)))))
14167 (virtualhost-configuration
14168 (domain "example.net"))))))
14171 See below for details about @code{prosody-configuration}.
14175 By default, Prosody does not need much configuration. Only one
14176 @code{virtualhosts} field is needed: it specifies the domain you wish
14179 You can perform various sanity checks on the generated configuration
14180 with the @code{prosodyctl check} command.
14182 Prosodyctl will also help you to import certificates from the
14183 @code{letsencrypt} directory so that the @code{prosody} user can access
14184 them. See @url{https://prosody.im/doc/letsencrypt}.
14187 prosodyctl --root cert import /etc/letsencrypt/live
14190 The available configuration parameters follow. Each parameter
14191 definition is preceded by its type; for example, @samp{string-list foo}
14192 indicates that the @code{foo} parameter should be specified as a list of
14193 strings. Types starting with @code{maybe-} denote parameters that won't
14194 show up in @code{prosody.cfg.lua} when their value is @code{'disabled}.
14196 There is also a way to specify the configuration as a string, if you
14197 have an old @code{prosody.cfg.lua} file that you want to port over from
14198 some other system; see the end for more details.
14200 @c The following documentation was initially generated by
14201 @c (generate-documentation) in (gnu services messaging). Manually maintained
14202 @c documentation is better, so we shouldn't hesitate to edit below as
14203 @c needed. However if the change you want to make to this documentation
14204 @c can be done in an automated way, it's probably easier to change
14205 @c (generate-documentation) than to make it below and have to deal with
14206 @c the churn as Prosody updates.
14208 Available @code{prosody-configuration} fields are:
14210 @deftypevr {@code{prosody-configuration} parameter} package prosody
14211 The Prosody package.
14214 @deftypevr {@code{prosody-configuration} parameter} file-name data-path
14215 Location of the Prosody data storage directory. See
14216 @url{https://prosody.im/doc/configure}.
14217 Defaults to @samp{"/var/lib/prosody"}.
14220 @deftypevr {@code{prosody-configuration} parameter} file-name-list plugin-paths
14221 Additional plugin directories. They are searched in all the specified
14222 paths in order. See @url{https://prosody.im/doc/plugins_directory}.
14223 Defaults to @samp{()}.
14226 @deftypevr {@code{prosody-configuration} parameter} file-name certificates
14227 Every virtual host and component needs a certificate so that clients and
14228 servers can securely verify its identity. Prosody will automatically load
14229 certificates/keys from the directory specified here.
14230 Defaults to @samp{"/etc/prosody/certs"}.
14233 @deftypevr {@code{prosody-configuration} parameter} string-list admins
14234 This is a list of accounts that are admins for the server. Note that you
14235 must create the accounts separately. See @url{https://prosody.im/doc/admins} and
14236 @url{https://prosody.im/doc/creating_accounts}.
14237 Example: @code{(admins '("user1@@example.com" "user2@@example.net"))}
14238 Defaults to @samp{()}.
14241 @deftypevr {@code{prosody-configuration} parameter} boolean use-libevent?
14242 Enable use of libevent for better performance under high load. See
14243 @url{https://prosody.im/doc/libevent}.
14244 Defaults to @samp{#f}.
14247 @deftypevr {@code{prosody-configuration} parameter} module-list modules-enabled
14248 This is the list of modules Prosody will load on startup. It looks for
14249 @code{mod_modulename.lua} in the plugins folder, so make sure that exists too.
14250 Documentation on modules can be found at:
14251 @url{https://prosody.im/doc/modules}.
14252 Defaults to @samp{("roster" "saslauth" "tls" "dialback" "disco" "carbons" "private" "blocklist" "vcard" "version" "uptime" "time" "ping" "pep" "register" "admin_adhoc")}.
14255 @deftypevr {@code{prosody-configuration} parameter} string-list modules-disabled
14256 @samp{"offline"}, @samp{"c2s"} and @samp{"s2s"} are auto-loaded, but
14257 should you want to disable them then add them to this list.
14258 Defaults to @samp{()}.
14261 @deftypevr {@code{prosody-configuration} parameter} file-name groups-file
14262 Path to a text file where the shared groups are defined. If this path is
14263 empty then @samp{mod_groups} does nothing. See
14264 @url{https://prosody.im/doc/modules/mod_groups}.
14265 Defaults to @samp{"/var/lib/prosody/sharedgroups.txt"}.
14268 @deftypevr {@code{prosody-configuration} parameter} boolean allow-registration?
14269 Disable account creation by default, for security. See
14270 @url{https://prosody.im/doc/creating_accounts}.
14271 Defaults to @samp{#f}.
14274 @deftypevr {@code{prosody-configuration} parameter} maybe-ssl-configuration ssl
14275 These are the SSL/TLS-related settings. Most of them are disabled so to
14276 use Prosody's defaults. If you do not completely understand these options, do
14277 not add them to your config, it is easy to lower the security of your server
14278 using them. See @url{https://prosody.im/doc/advanced_ssl_config}.
14280 Available @code{ssl-configuration} fields are:
14282 @deftypevr {@code{ssl-configuration} parameter} maybe-string protocol
14283 This determines what handshake to use.
14286 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name key
14287 Path to your private key file.
14290 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name certificate
14291 Path to your certificate file.
14294 @deftypevr {@code{ssl-configuration} parameter} file-name capath
14295 Path to directory containing root certificates that you wish Prosody to
14296 trust when verifying the certificates of remote servers.
14297 Defaults to @samp{"/etc/ssl/certs"}.
14300 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name cafile
14301 Path to a file containing root certificates that you wish Prosody to trust.
14302 Similar to @code{capath} but with all certificates concatenated together.
14305 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verify
14306 A list of verification options (these mostly map to OpenSSL's
14307 @code{set_verify()} flags).
14310 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list options
14311 A list of general options relating to SSL/TLS. These map to OpenSSL's
14312 @code{set_options()}. For a full list of options available in LuaSec, see the
14316 @deftypevr {@code{ssl-configuration} parameter} maybe-non-negative-integer depth
14317 How long a chain of certificate authorities to check when looking for a
14318 trusted root certificate.
14321 @deftypevr {@code{ssl-configuration} parameter} maybe-string ciphers
14322 An OpenSSL cipher string. This selects what ciphers Prosody will offer to
14323 clients, and in what order.
14326 @deftypevr {@code{ssl-configuration} parameter} maybe-file-name dhparam
14327 A path to a file containing parameters for Diffie-Hellman key exchange. You
14328 can create such a file with:
14329 @code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048}
14332 @deftypevr {@code{ssl-configuration} parameter} maybe-string curve
14333 Curve for Elliptic curve Diffie-Hellman. Prosody's default is
14334 @samp{"secp384r1"}.
14337 @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verifyext
14338 A list of "extra" verification options.
14341 @deftypevr {@code{ssl-configuration} parameter} maybe-string password
14342 Password for encrypted private keys.
14347 @deftypevr {@code{prosody-configuration} parameter} boolean c2s-require-encryption?
14348 Whether to force all client-to-server connections to be encrypted or not.
14349 See @url{https://prosody.im/doc/modules/mod_tls}.
14350 Defaults to @samp{#f}.
14353 @deftypevr {@code{prosody-configuration} parameter} string-list disable-sasl-mechanisms
14354 Set of mechanisms that will never be offered. See
14355 @url{https://prosody.im/doc/modules/mod_saslauth}.
14356 Defaults to @samp{("DIGEST-MD5")}.
14359 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption?
14360 Whether to force all server-to-server connections to be encrypted or not.
14361 See @url{https://prosody.im/doc/modules/mod_tls}.
14362 Defaults to @samp{#f}.
14365 @deftypevr {@code{prosody-configuration} parameter} boolean s2s-secure-auth?
14366 Whether to require encryption and certificate authentication. This
14367 provides ideal security, but requires servers you communicate with to support
14368 encryption AND present valid, trusted certificates. See
14369 @url{https://prosody.im/doc/s2s#security}.
14370 Defaults to @samp{#f}.
14373 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-insecure-domains
14374 Many servers don't support encryption or have invalid or self-signed
14375 certificates. You can list domains here that will not be required to
14376 authenticate using certificates. They will be authenticated using DNS. See
14377 @url{https://prosody.im/doc/s2s#security}.
14378 Defaults to @samp{()}.
14381 @deftypevr {@code{prosody-configuration} parameter} string-list s2s-secure-domains
14382 Even if you leave @code{s2s-secure-auth?} disabled, you can still require
14383 valid certificates for some domains by specifying a list here. See
14384 @url{https://prosody.im/doc/s2s#security}.
14385 Defaults to @samp{()}.
14388 @deftypevr {@code{prosody-configuration} parameter} string authentication
14389 Select the authentication backend to use. The default provider stores
14390 passwords in plaintext and uses Prosody's configured data storage to store the
14391 authentication data. If you do not trust your server please see
14392 @url{https://prosody.im/doc/modules/mod_auth_internal_hashed} for information
14393 about using the hashed backend. See also
14394 @url{https://prosody.im/doc/authentication}
14395 Defaults to @samp{"internal_plain"}.
14398 @deftypevr {@code{prosody-configuration} parameter} maybe-string log
14399 Set logging options. Advanced logging configuration is not yet supported
14400 by the GuixSD Prosody Service. See @url{https://prosody.im/doc/logging}.
14401 Defaults to @samp{"*syslog"}.
14404 @deftypevr {@code{prosody-configuration} parameter} file-name pidfile
14405 File to write pid in. See @url{https://prosody.im/doc/modules/mod_posix}.
14406 Defaults to @samp{"/var/run/prosody/prosody.pid"}.
14409 @deftypevr {@code{prosody-configuration} parameter} maybe-non-negative-integer http-max-content-size
14410 Maximum allowed size of the HTTP body (in bytes).
14413 @deftypevr {@code{prosody-configuration} parameter} maybe-string http-external-url
14414 Some modules expose their own URL in various ways. This URL is built
14415 from the protocol, host and port used. If Prosody sits behind a proxy, the
14416 public URL will be @code{http-external-url} instead. See
14417 @url{https://prosody.im/doc/http#external_url}.
14420 @deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts
14421 A host in Prosody is a domain on which user accounts can be created. For
14422 example if you want your users to have addresses like
14423 @samp{"john.smith@@example.com"} then you need to add a host
14424 @samp{"example.com"}. All options in this list will apply only to this host.
14426 Note: the name "virtual" host is used in configuration to avoid confusion with
14427 the actual physical host that Prosody is installed on. A single Prosody
14428 instance can serve many domains, each one defined as a VirtualHost entry in
14429 Prosody's configuration. Conversely a server that hosts a single domain would
14430 have just one VirtualHost entry.
14432 See @url{https://prosody.im/doc/configure#virtual_host_settings}.
14434 Available @code{virtualhost-configuration} fields are:
14436 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
14437 @deftypevr {@code{virtualhost-configuration} parameter} string domain
14438 Domain you wish Prosody to serve.
14443 @deftypevr {@code{prosody-configuration} parameter} int-component-configuration-list int-components
14444 Components are extra services on a server which are available to clients,
14445 usually on a subdomain of the main server (such as
14446 @samp{"mycomponent.example.com"}). Example components might be chatroom
14447 servers, user directories, or gateways to other protocols.
14449 Internal components are implemented with Prosody-specific plugins. To add an
14450 internal component, you simply fill the hostname field, and the plugin you wish
14451 to use for the component.
14453 See @url{https://prosody.im/doc/components}.
14454 Defaults to @samp{()}.
14456 Available @code{int-component-configuration} fields are:
14458 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
14459 @deftypevr {@code{int-component-configuration} parameter} string hostname
14460 Hostname of the component.
14463 @deftypevr {@code{int-component-configuration} parameter} string plugin
14464 Plugin you wish to use for the component.
14467 @deftypevr {@code{int-component-configuration} parameter} maybe-mod-muc-configuration mod-muc
14468 Multi-user chat (MUC) is Prosody's module for allowing you to create
14469 hosted chatrooms/conferences for XMPP users.
14471 General information on setting up and using multi-user chatrooms can be found
14472 in the "Chatrooms" documentation (@url{https://prosody.im/doc/chatrooms}),
14473 which you should read if you are new to XMPP chatrooms.
14475 See also @url{https://prosody.im/doc/modules/mod_muc}.
14477 Available @code{mod-muc-configuration} fields are:
14479 @deftypevr {@code{mod-muc-configuration} parameter} string name
14480 The name to return in service discovery responses.
14481 Defaults to @samp{"Prosody Chatrooms"}.
14484 @deftypevr {@code{mod-muc-configuration} parameter} string-or-boolean restrict-room-creation
14485 If @samp{#t}, this will only allow admins to create new chatrooms.
14486 Otherwise anyone can create a room. The value @samp{"local"} restricts room
14487 creation to users on the service's parent domain. E.g. @samp{user@@example.com}
14488 can create rooms on @samp{rooms.example.com}. The value @samp{"admin"}
14489 restricts to service administrators only.
14490 Defaults to @samp{#f}.
14493 @deftypevr {@code{mod-muc-configuration} parameter} non-negative-integer max-history-messages
14494 Maximum number of history messages that will be sent to the member that has
14495 just joined the room.
14496 Defaults to @samp{20}.
14503 @deftypevr {@code{prosody-configuration} parameter} ext-component-configuration-list ext-components
14504 External components use XEP-0114, which most standalone components
14505 support. To add an external component, you simply fill the hostname field. See
14506 @url{https://prosody.im/doc/components}.
14507 Defaults to @samp{()}.
14509 Available @code{ext-component-configuration} fields are:
14511 all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus:
14512 @deftypevr {@code{ext-component-configuration} parameter} string component-secret
14513 Password which the component will use to log in.
14516 @deftypevr {@code{ext-component-configuration} parameter} string hostname
14517 Hostname of the component.
14522 @deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports
14523 Port(s) Prosody listens on for component connections.
14524 Defaults to @samp{(5347)}.
14527 @deftypevr {@code{prosody-configuration} parameter} string component-interface
14528 Interface Prosody listens on for component connections.
14529 Defaults to @samp{"127.0.0.1"}.
14532 @deftypevr {@code{prosody-configuration} parameter} maybe-raw-content raw-content
14533 Raw content that will be added to the configuration file.
14536 It could be that you just want to get a @code{prosody.cfg.lua}
14537 up and running. In that case, you can pass an
14538 @code{opaque-prosody-configuration} record as the value of
14539 @code{prosody-service-type}. As its name indicates, an opaque configuration
14540 does not have easy reflective capabilities.
14541 Available @code{opaque-prosody-configuration} fields are:
14543 @deftypevr {@code{opaque-prosody-configuration} parameter} package prosody
14544 The prosody package.
14547 @deftypevr {@code{opaque-prosody-configuration} parameter} string prosody.cfg.lua
14548 The contents of the @code{prosody.cfg.lua} to use.
14551 For example, if your @code{prosody.cfg.lua} is just the empty
14552 string, you could instantiate a prosody service like this:
14555 (service prosody-service-type
14556 (opaque-prosody-configuration
14557 (prosody.cfg.lua "")))
14560 @subsubheading BitlBee Service
14562 @cindex IRC (Internet Relay Chat)
14563 @cindex IRC gateway
14564 @url{http://bitlbee.org,BitlBee} is a gateway that provides an IRC
14565 interface to a variety of messaging protocols such as XMPP.
14567 @defvr {Scheme Variable} bitlbee-service-type
14568 This is the service type for the @url{http://bitlbee.org,BitlBee} IRC
14569 gateway daemon. Its value is a @code{bitlbee-configuration} (see
14572 To have BitlBee listen on port 6667 on localhost, add this line to your
14576 (service bitlbee-service-type)
14580 @deftp {Data Type} bitlbee-configuration
14581 This is the configuration for BitlBee, with the following fields:
14584 @item @code{interface} (default: @code{"127.0.0.1"})
14585 @itemx @code{port} (default: @code{6667})
14586 Listen on the network interface corresponding to the IP address
14587 specified in @var{interface}, on @var{port}.
14589 When @var{interface} is @code{127.0.0.1}, only local clients can
14590 connect; when it is @code{0.0.0.0}, connections can come from any
14591 networking interface.
14593 @item @code{package} (default: @code{bitlbee})
14594 The BitlBee package to use.
14596 @item @code{extra-settings} (default: @code{""})
14597 Configuration snippet added as-is to the BitlBee configuration file.
14602 @node Telephony Services
14603 @subsubsection Telephony Services
14605 @cindex Murmur (VoIP server)
14606 @cindex VoIP server
14607 This section describes how to set up and run a Murmur server. Murmur is
14608 the server of the @uref{https://mumble.info, Mumble} voice-over-IP
14611 @deftp {Data Type} murmur-configuration
14612 The service type for the Murmur server. An example configuration can
14616 (service murmur-service-type
14617 (murmur-configuration
14619 "Welcome to this Mumble server running on GuixSD!")
14620 (cert-required? #t) ;disallow text password logins
14621 (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
14622 (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
14625 After reconfiguring your system, you can manually set the murmur @code{SuperUser}
14626 password with the command that is printed during the activation phase.
14628 It is recommended to register a normal Mumble user account
14629 and grant it admin or moderator rights.
14630 You can use the @code{mumble} client to
14631 login as new normal user, register yourself, and log out.
14632 For the next step login with the name @code{SuperUser} use
14633 the @code{SuperUser} password that you set previously,
14634 and grant your newly registered mumble user administrator or moderator
14635 rights and create some channels.
14637 Available @code{murmur-configuration} fields are:
14640 @item @code{package} (default: @code{mumble})
14641 Package that contains @code{bin/murmurd}.
14643 @item @code{user} (default: @code{"murmur"})
14644 User who will run the Murmur server.
14646 @item @code{group} (default: @code{"murmur"})
14647 Group of the user who will run the murmur server.
14649 @item @code{port} (default: @code{64738})
14650 Port on which the server will listen.
14652 @item @code{welcome-text} (default: @code{""})
14653 Welcome text sent to clients when they connect.
14655 @item @code{server-password} (default: @code{""})
14656 Password the clients have to enter in order to connect.
14658 @item @code{max-users} (default: @code{100})
14659 Maximum of users that can be connected to the server at once.
14661 @item @code{max-user-bandwidth} (default: @code{#f})
14662 Maximum voice traffic a user can send per second.
14664 @item @code{database-file} (default: @code{"/var/lib/murmur/db.sqlite"})
14665 File name of the sqlite database.
14666 The service's user will become the owner of the directory.
14668 @item @code{log-file} (default: @code{"/var/log/murmur/murmur.log"})
14669 File name of the log file.
14670 The service's user will become the owner of the directory.
14672 @item @code{autoban-attempts} (default: @code{10})
14673 Maximum number of logins a user can make in @code{autoban-timeframe}
14674 without getting auto banned for @code{autoban-time}.
14676 @item @code{autoban-timeframe} (default: @code{120})
14677 Timeframe for autoban in seconds.
14679 @item @code{autoban-time} (default: @code{300})
14680 Amount of time in seconds for which a client gets banned
14681 when violating the autoban limits.
14683 @item @code{opus-threshold} (default: @code{100})
14684 Percentage of clients that need to support opus
14685 before switching over to opus audio codec.
14687 @item @code{channel-nesting-limit} (default: @code{10})
14688 How deep channels can be nested at maximum.
14690 @item @code{channelname-regex} (default: @code{#f})
14691 A string in from of a Qt regular expression that channel names must conform to.
14693 @item @code{username-regex} (default: @code{#f})
14694 A string in from of a Qt regular expression that user names must conform to.
14696 @item @code{text-message-length} (default: @code{5000})
14697 Maximum size in bytes that a user can send in one text chat message.
14699 @item @code{image-message-length} (default: @code{(* 128 1024)})
14700 Maximum size in bytes that a user can send in one image message.
14702 @item @code{cert-required?} (default: @code{#f})
14703 If it is set to @code{#t} clients that use weak password authentification
14704 will not be accepted. Users must have completed the certificate wizard to join.
14706 @item @code{remember-channel?} (defualt @code{#f})
14707 Should murmur remember the last channel each user was in when they disconnected
14708 and put them into the remembered channel when they rejoin.
14710 @item @code{allow-html?} (default: @code{#f})
14711 Should html be allowed in text messages, user comments, and channel descriptions.
14713 @item @code{allow-ping?} (default: @code{#f})
14714 Setting to true exposes the current user count, the maximum user count, and
14715 the server's maximum bandwidth per client to unauthenticated users. In the
14716 Mumble client, this information is shown in the Connect dialog.
14718 Disabling this setting will prevent public listing of the server.
14720 @item @code{bonjour?} (default: @code{#f})
14721 Should the server advertise itself in the local network through the bonjour protocol.
14723 @item @code{send-version?} (default: @code{#f})
14724 Should the murmur server version be exposed in ping requests.
14726 @item @code{log-days} (default: @code{31})
14727 Murmur also stores logs in the database, which are accessible via RPC.
14728 The default is 31 days of months, but you can set this setting to 0 to keep logs forever,
14729 or -1 to disable logging to the database.
14731 @item @code{obfuscate-ips?} (default @code{#t})
14732 Should logged ips be obfuscated to protect the privacy of users.
14734 @item @code{ssl-cert} (default: @code{#f})
14735 File name of the SSL/TLS certificate used for encrypted connections.
14738 (ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
14740 @item @code{ssl-key} (default: @code{#f})
14741 Filepath to the ssl private key used for encrypted connections.
14743 (ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
14746 @item @code{ssl-dh-params} (default: @code{#f})
14747 File name of a PEM-encoded file with Diffie-Hellman parameters
14748 for the SSL/TLS encryption. Alternatively you set it to
14749 @code{"@@ffdhe2048"}, @code{"@@ffdhe3072"}, @code{"@@ffdhe4096"}, @code{"@@ffdhe6144"}
14750 or @code{"@@ffdhe8192"} to use bundled parameters from RFC 7919.
14752 @item @code{ssl-ciphers} (default: @code{#f})
14753 The @code{ssl-ciphers} option chooses the cipher suites to make available for use
14756 This option is specified using
14757 @uref{https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT,
14758 OpenSSL cipher list notation}.
14760 It is recommended that you try your cipher string using 'openssl ciphers <string>'
14761 before setting it here, to get a feel for which cipher suites you will get.
14762 After setting this option, it is recommend that you inspect your Murmur log
14763 to ensure that Murmur is using the cipher suites that you expected it to.
14765 Note: Changing this option may impact the backwards compatibility of your
14766 Murmur server, and can remove the ability for older Mumble clients to be able
14769 @item @code{public-registration} (default: @code{#f})
14770 Must be a @code{<murmur-public-registration-configuration>} record or @code{#f}.
14772 You can optionally register your server in the public server list that the
14773 @code{mumble} client shows on startup.
14774 You cannot register your server if you have set a @code{server-password},
14775 or set @code{allow-ping} to @code{#f}.
14777 It might take a few hours until it shows up in the public list.
14779 @item @code{file} (default: @code{#f})
14780 Optional alternative override for this configuration.
14784 @deftp {Data Type} murmur-public-registration-configuration
14785 Configuration for public registration of a murmur service.
14789 This is a display name for your server. Not to be confused with the hostname.
14791 @item @code{password}
14792 A password to identify your registration.
14793 Subsequent updates will need the same password. Don't lose your password.
14796 This should be a @code{http://} or @code{https://} link to your web
14799 @item @code{hostname} (default: @code{#f})
14800 By default your server will be listed by its IP address.
14801 If it is set your server will be linked by this host name instead.
14807 @node Monitoring Services
14808 @subsubsection Monitoring Services
14810 @subsubheading Tailon Service
14812 @uref{https://tailon.readthedocs.io/, Tailon} is a web application for
14813 viewing and searching log files.
14815 The following example will configure the service with default values.
14816 By default, Tailon can be accessed on port 8080 (@code{http://localhost:8080}).
14819 (service tailon-service-type)
14822 The following example customises more of the Tailon configuration,
14823 adding @command{sed} to the list of allowed commands.
14826 (service tailon-service-type
14827 (tailon-configuration
14829 (tailon-configuration-file
14830 (allowed-commands '("tail" "grep" "awk" "sed"))))))
14834 @deftp {Data Type} tailon-configuration
14835 Data type representing the configuration of Tailon.
14836 This type has the following parameters:
14839 @item @code{config-file} (default: @code{(tailon-configuration-file)})
14840 The configuration file to use for Tailon. This can be set to a
14841 @dfn{tailon-configuration-file} record value, or any gexp
14842 (@pxref{G-Expressions}).
14844 For example, to instead use a local file, the @code{local-file} function
14848 (service tailon-service-type
14849 (tailon-configuration
14850 (config-file (local-file "./my-tailon.conf"))))
14853 @item @code{package} (default: @code{tailon})
14854 The tailon package to use.
14859 @deftp {Data Type} tailon-configuration-file
14860 Data type representing the configuration options for Tailon.
14861 This type has the following parameters:
14864 @item @code{files} (default: @code{(list "/var/log")})
14865 List of files to display. The list can include strings for a single file
14866 or directory, or a list, where the first item is the name of a
14867 subsection, and the remaining items are the files or directories in that
14870 @item @code{bind} (default: @code{"localhost:8080"})
14871 Address and port to which Tailon should bind on.
14873 @item @code{relative-root} (default: @code{#f})
14874 URL path to use for Tailon, set to @code{#f} to not use a path.
14876 @item @code{allow-transfers?} (default: @code{#t})
14877 Allow downloading the log files in the web interface.
14879 @item @code{follow-names?} (default: @code{#t})
14880 Allow tailing of not-yet existent files.
14882 @item @code{tail-lines} (default: @code{200})
14883 Number of lines to read initially from each file.
14885 @item @code{allowed-commands} (default: @code{(list "tail" "grep" "awk")})
14886 Commands to allow running. By default, @code{sed} is disabled.
14888 @item @code{debug?} (default: @code{#f})
14889 Set @code{debug?} to @code{#t} to show debug messages.
14891 @item @code{wrap-lines} (default: @code{#t})
14892 Initial line wrapping state in the web interface. Set to @code{#t} to
14893 initially wrap lines (the default), or to @code{#f} to initially not
14896 @item @code{http-auth} (default: @code{#f})
14897 HTTP authentication type to use. Set to @code{#f} to disable
14898 authentication (the default). Supported values are @code{"digest"} or
14901 @item @code{users} (default: @code{#f})
14902 If HTTP authentication is enabled (see @code{http-auth}), access will be
14903 restricted to the credentials provided here. To configure users, use a
14904 list of pairs, where the first element of the pair is the username, and
14905 the 2nd element of the pair is the password.
14908 (tailon-configuration-file
14909 (http-auth "basic")
14910 (users '(("user1" . "password1")
14911 ("user2" . "password2"))))
14918 @subsubheading Darkstat Service
14920 Darkstat is a packet sniffer that captures network traffic, calculates
14921 statistics about usage, and serves reports over HTTP.
14923 @defvar {Scheme Variable} darkstat-service-type
14924 This is the service type for the
14925 @uref{https://unix4lyfe.org/darkstat/, darkstat}
14926 service, its value must be a @code{darkstat-configuration} record as in
14930 (service darkstat-service-type
14931 (darkstat-configuration
14932 (interface "eno1")))
14936 @deftp {Data Type} darkstat-configuration
14937 Data type representing the configuration of @command{darkstat}.
14940 @item @code{package} (default: @code{darkstat})
14941 The darkstat package to use.
14943 @item @code{interface}
14944 Capture traffic on the specified network interface.
14946 @item @code{port} (default: @code{"667"})
14947 Bind the web interface to the specified port.
14949 @item @code{bind-address} (default: @code{"127.0.0.1"})
14950 Bind the web interface to the specified address.
14952 @item @code{base} (default: @code{"/"})
14953 Specify the path of the base URL. This can be useful if
14954 @command{darkstat} is accessed via a reverse proxy.
14960 @node Kerberos Services
14961 @subsubsection Kerberos Services
14964 The @code{(gnu services kerberos)} module provides services relating to
14965 the authentication protocol @dfn{Kerberos}.
14967 @subsubheading Krb5 Service
14969 Programs using a Kerberos client library normally
14970 expect a configuration file in @file{/etc/krb5.conf}.
14971 This service generates such a file from a definition provided in the
14972 operating system declaration.
14973 It does not cause any daemon to be started.
14975 No ``keytab'' files are provided by this service---you must explicitly create them.
14976 This service is known to work with the MIT client library, @code{mit-krb5}.
14977 Other implementations have not been tested.
14979 @defvr {Scheme Variable} krb5-service-type
14980 A service type for Kerberos 5 clients.
14984 Here is an example of its use:
14986 (service krb5-service-type
14987 (krb5-configuration
14988 (default-realm "EXAMPLE.COM")
14989 (allow-weak-crypto? #t)
14992 (name "EXAMPLE.COM")
14993 (admin-server "groucho.example.com")
14994 (kdc "karl.example.com"))
14997 (admin-server "kerb-admin.argrx.edu")
14998 (kdc "keys.argrx.edu"))))))
15002 This example provides a Kerberos@tie{}5 client configuration which:
15004 @item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both
15005 of which have distinct administration servers and key distribution centers;
15006 @item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly
15007 specified by clients;
15008 @item Accepts services which only support encryption types known to be weak.
15011 The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
15012 Only the most commonly used ones are described here.
15013 For a full list, and more detailed explanation of each, see the MIT
15014 @uref{http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
15018 @deftp {Data Type} krb5-realm
15019 @cindex realm, kerberos
15022 This field is a string identifying the name of the realm.
15023 A common convention is to use the fully qualified DNS name of your organization,
15024 converted to upper case.
15026 @item @code{admin-server}
15027 This field is a string identifying the host where the administration server is
15031 This field is a string identifying the key distribution center
15036 @deftp {Data Type} krb5-configuration
15039 @item @code{allow-weak-crypto?} (default: @code{#f})
15040 If this flag is @code{#t} then services which only offer encryption algorithms
15041 known to be weak will be accepted.
15043 @item @code{default-realm} (default: @code{#f})
15044 This field should be a string identifying the default Kerberos
15045 realm for the client.
15046 You should set this field to the name of your Kerberos realm.
15047 If this value is @code{#f}
15048 then a realm must be specified with every Kerberos principal when invoking programs
15049 such as @command{kinit}.
15051 @item @code{realms}
15052 This should be a non-empty list of @code{krb5-realm} objects, which clients may
15054 Normally, one of them will have a @code{name} field matching the @code{default-realm}
15060 @subsubheading PAM krb5 Service
15063 The @code{pam-krb5} service allows for login authentication and password
15064 management via Kerberos.
15065 You will need this service if you want PAM enabled applications to authenticate
15066 users using Kerberos.
15068 @defvr {Scheme Variable} pam-krb5-service-type
15069 A service type for the Kerberos 5 PAM module.
15072 @deftp {Data Type} pam-krb5-configuration
15073 Data type representing the configuration of the Kerberos 5 PAM module
15074 This type has the following parameters:
15076 @item @code{pam-krb5} (default: @code{pam-krb5})
15077 The pam-krb5 package to use.
15079 @item @code{minimum-uid} (default: @code{1000})
15080 The smallest user ID for which Kerberos authentications should be attempted.
15081 Local accounts with lower values will silently fail to authenticate.
15087 @subsubsection Web Services
15092 The @code{(gnu services web)} module provides the Apache HTTP Server,
15093 the nginx web server, and also a fastcgi wrapper daemon.
15095 @subsubheading Apache HTTP Server
15097 @deffn {Scheme Variable} httpd-service-type
15098 Service type for the @uref{https://httpd.apache.org/,Apache HTTP} server
15099 (@dfn{httpd}). The value for this service type is a
15100 @code{https-configuration} record.
15102 A simple example configuration is given below.
15105 (service httpd-service-type
15106 (httpd-configuration
15109 (server-name "www.example.com")
15110 (document-root "/srv/http/www.example.com")))))
15113 Other services can also extend the @code{httpd-service-type} to add to
15117 (simple-service 'my-extra-server httpd-service-type
15121 (list (string-append
15122 "ServerName "www.example.com
15123 DocumentRoot \"/srv/http/www.example.com\"")))))
15127 The details for the @code{httpd-configuration}, @code{httpd-module},
15128 @code{httpd-config-file} and @code{httpd-virtualhost} record types are
15131 @deffn {Data Type} httpd-configuration
15132 This data type represents the configuration for the httpd service.
15135 @item @code{package} (default: @code{httpd})
15136 The httpd package to use.
15138 @item @code{pid-file} (default: @code{"/var/run/httpd"})
15139 The pid file used by the shepherd-service.
15141 @item @code{config} (default: @code{(httpd-config-file)})
15142 The configuration file to use with the httpd service. The default value
15143 is a @code{httpd-config-file} record, but this can also be a different
15144 G-expression that generates a file, for example a @code{plain-file}. A
15145 file outside of the store can also be specified through a string.
15150 @deffn {Data Type} httpd-module
15151 This data type represents a module for the httpd service.
15155 The name of the module.
15158 The file for the module. This can be relative to the httpd package being
15159 used, the absolute location of a file, or a G-expression for a file
15160 within the store, for example @code{(file-append mod-wsgi
15161 "/modules/mod_wsgi.so")}.
15166 @deffn {Data Type} httpd-config-file
15167 This data type represents a configuration file for the httpd service.
15170 @item @code{modules} (default: @code{%default-httpd-modules})
15171 The modules to load. Additional modules can be added here, or loaded by
15172 additional configuration.
15174 @item @code{server-root} (default: @code{httpd})
15175 The @code{ServerRoot} in the configuration file, defaults to the httpd
15176 package. Directives including @code{Include} and @code{LoadModule} are
15177 taken as relative to the server root.
15179 @item @code{server-name} (default: @code{#f})
15180 The @code{ServerName} in the configuration file, used to specify the
15181 request scheme, hostname and port that the server uses to identify
15184 This doesn't need to be set in the server config, and can be specifyed
15185 in virtual hosts. The default is @code{#f} to not specify a
15188 @item @code{document-root} (default: @code{"/srv/http"})
15189 The @code{DocumentRoot} from which files will be served.
15191 @item @code{listen} (default: @code{'("80")})
15192 The list of values for the @code{Listen} directives in the config
15193 file. The value should be a list of strings, when each string can
15194 specify the port number to listen on, and optionally the IP address and
15197 @item @code{pid-file} (default: @code{"/var/run/httpd"})
15198 The @code{PidFile} to use. This should match the @code{pid-file} set in
15199 the @code{httpd-configuration} so that the Shepherd service is
15200 configured correctly.
15202 @item @code{error-log} (default: @code{"/var/log/httpd/error_log"})
15203 The @code{ErrorLog} to which the server will log errors.
15205 @item @code{user} (default: @code{"httpd"})
15206 The @code{User} which the server will answer requests as.
15208 @item @code{group} (default: @code{"httpd"})
15209 The @code{Group} which the server will answer requests as.
15211 @item @code{extra-config} (default: @code{(list "TypesConfig etc/httpd/mime.types")})
15212 A flat list of strings and G-expressions which will be added to the end
15213 of the configuration file.
15215 Any values which the service is extended with will be appended to this
15221 @deffn {Data Type} httpd-virtualhost
15222 This data type represents a virtualhost configuration block for the httpd service.
15224 These should be added to the extra-config for the httpd-service.
15227 (simple-service 'my-extra-server httpd-service-type
15231 (list (string-append
15232 "ServerName "www.example.com
15233 DocumentRoot \"/srv/http/www.example.com\"")))))
15237 @item @code{addresses-and-ports}
15238 The addresses and ports for the @code{VirtualHost} directive.
15240 @item @code{contents}
15241 The contents of the @code{VirtualHost} directive, this should be a list
15242 of strings and G-expressions.
15247 @subsubheading NGINX
15249 @deffn {Scheme Variable} nginx-service-type
15250 Service type for the @uref{https://nginx.org/,NGinx} web server. The
15251 value for this service type is a @code{<nginx-configuration>} record.
15253 A simple example configuration is given below.
15256 (service nginx-service-type
15257 (nginx-configuration
15259 (list (nginx-server-configuration
15260 (server-name '("www.example.com"))
15261 (root "/srv/http/www.example.com"))))))
15264 In addition to adding server blocks to the service configuration
15265 directly, this service can be extended by other services to add server
15266 blocks, as in this example:
15269 (simple-service 'my-extra-server nginx-service-type
15270 (list (nginx-server-configuration
15271 (root "/srv/http/extra-website")
15272 (try-files (list "$uri" "$uri/index.html")))))
15276 At startup, @command{nginx} has not yet read its configuration file, so
15277 it uses a default file to log error messages. If it fails to load its
15278 configuration file, that is where error messages are logged. After the
15279 configuration file is loaded, the default error log file changes as per
15280 configuration. In our case, startup error messages can be found in
15281 @file{/var/run/nginx/logs/error.log}, and after configuration in
15282 @file{/var/log/nginx/error.log}. The second location can be changed
15283 with the @var{log-directory} configuration option.
15285 @deffn {Data Type} nginx-configuration
15286 This data type represents the configuration for NGinx. Some
15287 configuration can be done through this and the other provided record
15288 types, or alternatively, a config file can be provided.
15291 @item @code{nginx} (default: @code{nginx})
15292 The nginx package to use.
15294 @item @code{log-directory} (default: @code{"/var/log/nginx"})
15295 The directory to which NGinx will write log files.
15297 @item @code{run-directory} (default: @code{"/var/run/nginx"})
15298 The directory in which NGinx will create a pid file, and write temporary
15301 @item @code{server-blocks} (default: @code{'()})
15302 A list of @dfn{server blocks} to create in the generated configuration
15303 file, the elements should be of type
15304 @code{<nginx-server-configuration>}.
15306 The following example would setup NGinx to serve @code{www.example.com}
15307 from the @code{/srv/http/www.example.com} directory, without using
15310 (service nginx-service-type
15311 (nginx-configuration
15313 (list (nginx-server-configuration
15314 (server-name '("www.example.com"))
15315 (root "/srv/http/www.example.com"))))))
15318 @item @code{upstream-blocks} (default: @code{'()})
15319 A list of @dfn{upstream blocks} to create in the generated configuration
15320 file, the elements should be of type
15321 @code{<nginx-upstream-configuration>}.
15323 Configuring upstreams through the @code{upstream-blocks} can be useful
15324 when combined with @code{locations} in the
15325 @code{<nginx-server-configuration>} records. The following example
15326 creates a server configuration with one location configuration, that
15327 will proxy requests to a upstream configuration, which will handle
15328 requests with two servers.
15333 (nginx-configuration
15335 (list (nginx-server-configuration
15336 (server-name '("www.example.com"))
15337 (root "/srv/http/www.example.com")
15340 (nginx-location-configuration
15342 (body '("proxy_pass http://server-proxy;"))))))))
15344 (list (nginx-upstream-configuration
15345 (name "server-proxy")
15346 (servers (list "server1.example.com"
15347 "server2.example.com")))))))
15350 @item @code{file} (default: @code{#f})
15351 If a configuration @var{file} is provided, this will be used, rather than
15352 generating a configuration file from the provided @code{log-directory},
15353 @code{run-directory}, @code{server-blocks} and @code{upstream-blocks}. For
15354 proper operation, these arguments should match what is in @var{file} to ensure
15355 that the directories are created when the service is activated.
15357 This can be useful if you have an existing configuration file, or it's
15358 not possible to do what is required through the other parts of the
15359 nginx-configuration record.
15361 @item @code{server-names-hash-bucket-size} (default: @code{#f})
15362 Bucket size for the server names hash tables, defaults to @code{#f} to
15363 use the size of the processors cache line.
15365 @item @code{server-names-hash-bucket-max-size} (default: @code{#f})
15366 Maximum bucket size for the server names hash tables.
15371 @deftp {Data Type} nginx-server-configuration
15372 Data type representing the configuration of an nginx server block.
15373 This type has the following parameters:
15376 @item @code{listen} (default: @code{'("80" "443 ssl")})
15377 Each @code{listen} directive sets the address and port for IP, or the
15378 path for a UNIX-domain socket on which the server will accept requests.
15379 Both address and port, or only address or only port can be specified.
15380 An address may also be a hostname, for example:
15383 '("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000")
15386 @item @code{server-name} (default: @code{(list 'default)})
15387 A list of server names this server represents. @code{'default} represents the
15388 default server for connections matching no other server.
15390 @item @code{root} (default: @code{"/srv/http"})
15391 Root of the website nginx will serve.
15393 @item @code{locations} (default: @code{'()})
15394 A list of @dfn{nginx-location-configuration} or
15395 @dfn{nginx-named-location-configuration} records to use within this
15398 @item @code{index} (default: @code{(list "index.html")})
15399 Index files to look for when clients ask for a directory. If it cannot be found,
15400 Nginx will send the list of files in the directory.
15402 @item @code{try-files} (default: @code{'()})
15403 A list of files whose existence is checked in the specified order.
15404 @code{nginx} will use the first file it finds to process the request.
15406 @item @code{ssl-certificate} (default: @code{#f})
15407 Where to find the certificate for secure connections. Set it to @code{#f} if
15408 you don't have a certificate or you don't want to use HTTPS.
15410 @item @code{ssl-certificate-key} (default: @code{#f})
15411 Where to find the private key for secure connections. Set it to @code{#f} if
15412 you don't have a key or you don't want to use HTTPS.
15414 @item @code{server-tokens?} (default: @code{#f})
15415 Whether the server should add its configuration to response.
15417 @item @code{raw-content} (default: @code{'()})
15418 A list of raw lines added to the server block.
15423 @deftp {Data Type} nginx-upstream-configuration
15424 Data type representing the configuration of an nginx @code{upstream}
15425 block. This type has the following parameters:
15429 Name for this group of servers.
15431 @item @code{servers}
15432 Specify the addresses of the servers in the group. The address can be
15433 specified as a IP address (e.g. @samp{127.0.0.1}), domain name
15434 (e.g. @samp{backend1.example.com}) or a path to a UNIX socket using the
15435 prefix @samp{unix:}. For addresses using an IP address or domain name,
15436 the default port is 80, and a different port can be specified
15442 @deftp {Data Type} nginx-location-configuration
15443 Data type representing the configuration of an nginx @code{location}
15444 block. This type has the following parameters:
15448 URI which this location block matches.
15450 @anchor{nginx-location-configuration body}
15452 Body of the location block, specified as a list of strings. This can contain
15454 configuration directives. For example, to pass requests to a upstream
15455 server group defined using an @code{nginx-upstream-configuration} block,
15456 the following directive would be specified in the body @samp{(list "proxy_pass
15457 http://upstream-name;")}.
15462 @deftp {Data Type} nginx-named-location-configuration
15463 Data type representing the configuration of an nginx named location
15464 block. Named location blocks are used for request redirection, and not
15465 used for regular request processing. This type has the following
15470 Name to identify this location block.
15473 @xref{nginx-location-configuration body}, as the body for named location
15474 blocks can be used in a similar way to the
15475 @code{nginx-location-configuration body}. One restriction is that the
15476 body of a named location block cannot contain location blocks.
15483 FastCGI is an interface between the front-end and the back-end of a web
15484 service. It is a somewhat legacy facility; new web services should
15485 generally just talk HTTP between the front-end and the back-end.
15486 However there are a number of back-end services such as PHP or the
15487 optimized HTTP Git repository access that use FastCGI, so we have
15488 support for it in Guix.
15490 To use FastCGI, you configure the front-end web server (e.g., nginx) to
15491 dispatch some subset of its requests to the fastcgi backend, which
15492 listens on a local TCP or UNIX socket. There is an intermediary
15493 @code{fcgiwrap} program that sits between the actual backend process and
15494 the web server. The front-end indicates which backend program to run,
15495 passing that information to the @code{fcgiwrap} process.
15497 @defvr {Scheme Variable} fcgiwrap-service-type
15498 A service type for the @code{fcgiwrap} FastCGI proxy.
15501 @deftp {Data Type} fcgiwrap-configuration
15502 Data type representing the configuration of the @code{fcgiwrap} serice.
15503 This type has the following parameters:
15505 @item @code{package} (default: @code{fcgiwrap})
15506 The fcgiwrap package to use.
15508 @item @code{socket} (default: @code{tcp:127.0.0.1:9000})
15509 The socket on which the @code{fcgiwrap} process should listen, as a
15510 string. Valid @var{socket} values include
15511 @code{unix:@var{/path/to/unix/socket}},
15512 @code{tcp:@var{dot.ted.qu.ad}:@var{port}} and
15513 @code{tcp6:[@var{ipv6_addr}]:port}.
15515 @item @code{user} (default: @code{fcgiwrap})
15516 @itemx @code{group} (default: @code{fcgiwrap})
15517 The user and group names, as strings, under which to run the
15518 @code{fcgiwrap} process. The @code{fastcgi} service will ensure that if
15519 the user asks for the specific user or group names @code{fcgiwrap} that
15520 the corresponding user and/or group is present on the system.
15522 It is possible to configure a FastCGI-backed web service to pass HTTP
15523 authentication information from the front-end to the back-end, and to
15524 allow @code{fcgiwrap} to run the back-end process as a corresponding
15525 local user. To enable this capability on the back-end., run
15526 @code{fcgiwrap} as the @code{root} user and group. Note that this
15527 capability also has to be configured on the front-end as well.
15532 PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation
15533 with some additional features useful for sites of any size.
15535 These features include:
15537 @item Adaptive process spawning
15538 @item Basic statistics (similar to Apache's mod_status)
15539 @item Advanced process management with graceful stop/start
15540 @item Ability to start workers with different uid/gid/chroot/environment
15541 and different php.ini (replaces safe_mode)
15542 @item Stdout & stderr logging
15543 @item Emergency restart in case of accidental opcode cache destruction
15544 @item Accelerated upload support
15545 @item Support for a "slowlog"
15546 @item Enhancements to FastCGI, such as fastcgi_finish_request() -
15547 a special function to finish request & flush all data while continuing to do
15548 something time-consuming (video converting, stats processing, etc.)
15552 @defvr {Scheme Variable} php-fpm-service-type
15553 A Service type for @code{php-fpm}.
15556 @deftp {Data Type} php-fpm-configuration
15557 Data Type for php-fpm service configuration.
15559 @item @code{php} (default: @code{php})
15560 The php package to use.
15561 @item @code{socket} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")})
15562 The address on which to accept FastCGI requests. Valid syntaxes are:
15564 @item @code{"ip.add.re.ss:port"}
15565 Listen on a TCP socket to a specific address on a specific port.
15566 @item @code{"port"}
15567 Listen on a TCP socket to all addresses on a specific port.
15568 @item @code{"/path/to/unix/socket"}
15569 Listen on a unix socket.
15572 @item @code{user} (default: @code{php-fpm})
15573 User who will own the php worker processes.
15574 @item @code{group} (default: @code{php-fpm})
15575 Group of the worker processes.
15576 @item @code{socket-user} (default: @code{php-fpm})
15577 User who can speak to the php-fpm socket.
15578 @item @code{socket-group} (default: @code{php-fpm})
15579 Group that can speak to the php-fpm socket.
15580 @item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")})
15581 The process id of the php-fpm process is written to this file
15582 once the service has started.
15583 @item @code{log-file} (default: @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.log")})
15584 Log for the php-fpm master process.
15585 @item @code{process-manager} (default: @code{(php-fpm-dynamic-process-manager-configuration)})
15586 Detailed settings for the php-fpm process manager.
15589 @item @code{<php-fpm-dynamic-process-manager-configuration>}
15590 @item @code{<php-fpm-static-process-manager-configuration>}
15591 @item @code{<php-fpm-on-demand-process-manager-configuration>}
15593 @item @code{display-errors} (default @code{#f})
15594 Determines wether php errors and warning should be sent to clients
15595 and displayed in their browsers.
15596 This is useful for local php development, but a security risk for public sites,
15597 as error messages can reveal passwords and personal data.
15598 @item @code{workers-logfile} (default @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log")})
15599 This file will log the @code{stderr} outputs of php worker processes.
15600 Can be set to @code{#f} to disable logging.
15601 @item @code{file} (default @code{#f})
15602 An optional override of the whole configuration.
15603 You can use the @code{mixed-text-file} function or an absolute filepath for it.
15607 @deftp {Data type} php-fpm-dynamic-process-manager-configuration
15608 Data Type for the @code{dynamic} php-fpm process manager. With the
15609 @code{dynamic} process manager, spare worker processes are kept around
15610 based on it's configured limits.
15612 @item @code{max-children} (default: @code{5})
15613 Maximum of worker processes.
15614 @item @code{start-servers} (default: @code{2})
15615 How many worker processes should be started on start-up.
15616 @item @code{min-spare-servers} (default: @code{1})
15617 How many spare worker processes should be kept around at minimum.
15618 @item @code{max-spare-servers} (default: @code{3})
15619 How many spare worker processes should be kept around at maximum.
15623 @deftp {Data type} php-fpm-static-process-manager-configuration
15624 Data Type for the @code{static} php-fpm process manager. With the
15625 @code{static} process manager, an unchanging number of worker processes
15628 @item @code{max-children} (default: @code{5})
15629 Maximum of worker processes.
15633 @deftp {Data type} php-fpm-on-demand-process-manager-configuration
15634 Data Type for the @code{on-demand} php-fpm process manager. With the
15635 @code{on-demand} process manager, worker processes are only created as
15638 @item @code{max-children} (default: @code{5})
15639 Maximum of worker processes.
15640 @item @code{process-idle-timeout} (default: @code{10})
15641 The time in seconds after which a process with no requests is killed.
15646 @deffn {Scheme Procedure} nginx-php-fpm-location @
15647 [#:nginx-package nginx] @
15648 [socket (string-append "/var/run/php" @
15649 (version-major (package-version php)) @
15651 A helper function to quickly add php to an @code{nginx-server-configuration}.
15654 A simple services setup for nginx with php can look like this:
15656 (services (cons* (dhcp-client-service)
15657 (service php-fpm-service-type)
15658 (service nginx-service-type
15659 (nginx-server-configuration
15660 (server-name '("example.com"))
15661 (root "/srv/http/")
15663 (list (nginx-php-location)))
15665 (ssl-certificate #f)
15666 (ssl-certificate-key #f)))
15670 @cindex cat-avatar-generator
15671 The cat avatar generator is a simple service to demonstrate the use of php-fpm
15672 in @code{Nginx}. It is used to generate cat avatar from a seed, for instance
15673 the hash of a user's email address.
15675 @deffn {Scheme Procedure} cat-avatar-generator-serice @
15676 [#:cache-dir "/var/cache/cat-avatar-generator"] @
15677 [#:package cat-avatar-generator] @
15678 [#:configuration (nginx-server-configuration)]
15679 Returns an nginx-server-configuration that inherits @code{configuration}. It
15680 extends the nginx configuration to add a server block that serves @code{package},
15681 a version of cat-avatar-generator. During execution, cat-avatar-generator will
15682 be able to use @code{cache-dir} as its cache directory.
15685 A simple setup for cat-avatar-generator can look like this:
15687 (services (cons* (cat-avatar-generator-service
15689 (nginx-server-configuration
15690 (server-name '("example.com"))))
15695 @node Certificate Services
15696 @subsubsection Certificate Services
15699 @cindex HTTP, HTTPS
15700 @cindex Let's Encrypt
15701 @cindex TLS certificates
15702 The @code{(gnu services certbot)} module provides a service to
15703 automatically obtain a valid TLS certificate from the Let's Encrypt
15704 certificate authority. These certificates can then be used to serve
15705 content securely over HTTPS or other TLS-based protocols, with the
15706 knowledge that the client will be able to verify the server's
15709 @url{https://letsencrypt.org/, Let's Encrypt} provides the
15710 @code{certbot} tool to automate the certification process. This tool
15711 first securely generates a key on the server. It then makes a request
15712 to the Let's Encrypt certificate authority (CA) to sign the key. The CA
15713 checks that the request originates from the host in question by using a
15714 challenge-response protocol, requiring the server to provide its
15715 response over HTTP. If that protocol completes successfully, the CA
15716 signs the key, resulting in a certificate. That certificate is valid
15717 for a limited period of time, and therefore to continue to provide TLS
15718 services, the server needs to periodically ask the CA to renew its
15721 The certbot service automates this process: the initial key
15722 generation, the initial certification request to the Let's Encrypt
15723 service, the web server challenge/response integration, writing the
15724 certificate to disk, and the automated periodic renewals.
15726 @defvr {Scheme Variable} certbot-service-type
15727 A service type for the @code{certbot} Let's Encrypt client.
15730 @deftp {Data Type} certbot-configuration
15731 Data type representing the configuration of the @code{certbot} serice.
15732 This type has the following parameters:
15735 @item @code{package} (default: @code{certbot})
15736 The certbot package to use.
15738 @item @code{webroot} (default: @code{/var/www})
15739 The directory from which to serve the Let's Encrypt challenge/response
15742 @item @code{hosts} (default: @code{()})
15743 A list of hosts for which to generate certificates and request
15746 @item @code{default-location} (default: @i{see below})
15747 The default @code{nginx-location-configuration}. Because @code{certbot}
15748 needs to be able to serve challenges and responses, it needs to be able
15749 to run a web server. It does so by extending the @code{nginx} web
15750 service with an @code{nginx-server-configuration} listening on the
15751 @var{hosts} on port 80, and which has a
15752 @code{nginx-location-configuration} for the @code{/.well-known/} URI
15753 path subspace used by Let's Encrypt. @xref{Web Services}, for more on
15754 these nginx configuration data types.
15756 Requests to other URL paths will be matched by the
15757 @code{default-location}, which if present is added to all
15758 @code{nginx-server-configuration}s.
15760 By default, the @code{default-location} will issue a redirect from
15761 @code{http://@var{host}/...} to @code{https://@var{host}/...}, leaving
15762 you to define what to serve on your site via @code{https}.
15764 Pass @code{#f} to not issue a default location.
15768 The public key and its signatures will be written to
15769 @code{/etc/letsencrypt/live/@var{host}/fullchain.pem}, for each
15770 @var{host} in the configuration. The private key is written to
15771 @code{/etc/letsencrypt/live/@var{host}/privkey.pem}.
15775 @subsubsection DNS Services
15776 @cindex DNS (domain name system)
15777 @cindex domain name system (DNS)
15779 The @code{(gnu services dns)} module provides services related to the
15780 @dfn{domain name system} (DNS). It provides a server service for hosting
15781 an @emph{authoritative} DNS server for multiple zones, slave or master.
15782 This service uses @uref{https://www.knot-dns.cz/, Knot DNS}.
15784 An example configuration of an authoritative server for two zones, one master
15788 (define-zone-entries example.org.zone
15789 ;; Name TTL Class Type Data
15790 ("@@" "" "IN" "A" "127.0.0.1")
15791 ("@@" "" "IN" "NS" "ns")
15792 ("ns" "" "IN" "A" "127.0.0.1"))
15794 (define master-zone
15795 (knot-zone-configuration
15796 (domain "example.org")
15798 (origin "example.org")
15799 (entries example.org.zone)))))
15802 (knot-zone-configuration
15803 (domain "plop.org")
15804 (dnssec-policy "default")
15805 (master (list "plop-master"))))
15807 (define plop-master
15808 (knot-remote-configuration
15810 (address (list "208.76.58.171"))))
15814 (services (cons* (service knot-service-type
15815 (knot-configuration
15816 (remotes (list plop-master))
15817 (zones (list master-zone slave-zone))))
15822 @deffn {Scheme Variable} knot-service-type
15823 This is the type for the Knot DNS server.
15825 Knot DNS is an authoritative DNS server, meaning that it can serve multiple
15826 zones, that is to say domain names you would buy from a registrar. This server
15827 is not a resolver, meaning that it can only resolve names for which it is
15828 authoritative. This server can be configured to serve zones as a master server
15829 or a slave server as a per-zone basis. Slave zones will get their data from
15830 masters, and will serve it as an authoritative server. From the point of view
15831 of a resolver, there is no difference between master and slave.
15833 The following data types are used to configure the Knot DNS server:
15836 @deftp {Data Type} knot-key-configuration
15837 Data type representing a key.
15838 This type has the following parameters:
15841 @item @code{id} (default: @code{""})
15842 An identifier for other configuration fields to refer to this key. IDs must
15843 be unique and must not be empty.
15845 @item @code{algorithm} (default: @code{#f})
15846 The algorithm to use. Choose between @code{#f}, @code{'hmac-md5},
15847 @code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-sha384}
15848 and @code{'hmac-sha512}.
15850 @item @code{secret} (default: @code{""})
15851 The secret key itself.
15856 @deftp {Data Type} knot-acl-configuration
15857 Data type representing an Access Control List (ACL) configuration.
15858 This type has the following parameters:
15861 @item @code{id} (default: @code{""})
15862 An identifier for ether configuration fields to refer to this key. IDs must be
15863 unique and must not be empty.
15865 @item @code{address} (default: @code{'()})
15866 An ordered list of IP addresses, network subnets, or network ranges represented
15867 with strings. The query must match one of them. Empty value means that
15868 address match is not required.
15870 @item @code{key} (default: @code{'()})
15871 An ordered list of references to keys represented with strings. The string
15872 must match a key ID defined in a @code{knot-key-configuration}. No key means
15873 that a key is not require to match that ACL.
15875 @item @code{action} (default: @code{'()})
15876 An ordered list of actions that are permitted or forbidden by this ACL. Possible
15877 values are lists of zero or more elements from @code{'transfer}, @code{'notify}
15878 and @code{'update}.
15880 @item @code{deny?} (default: @code{#f})
15881 When true, the ACL defines restrictions. Listed actions are forbidden. When
15882 false, listed actions are allowed.
15887 @deftp {Data Type} zone-entry
15888 Data type represnting a record entry in a zone file.
15889 This type has the following parameters:
15892 @item @code{name} (default: @code{"@@"})
15893 The name of the record. @code{"@@"} refers to the origin of the zone. Names
15894 are relative to the origin of the zone. For example, in the @code{example.org}
15895 zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.example.org}.
15896 Names ending with a dot are absolute, which means that @code{"ns.example.org."}
15897 refers to @code{ns.example.org}.
15899 @item @code{ttl} (default: @code{""})
15900 The Time-To-Live (TTL) of this record. If not set, the default TTL is used.
15902 @item @code{class} (default: @code{"IN"})
15903 The class of the record. Knot currently supports only @code{"IN"} and
15904 partially @code{"CH"}.
15906 @item @code{type} (default: @code{"A"})
15907 The type of the record. Common types include A (IPv4 address), AAAA (IPv6
15908 address), NS (Name Server) and MX (Mail eXchange). Many other types are
15911 @item @code{data} (default: @code{""})
15912 The data contained in the record. For instance an IP address associated with
15913 an A record, or a domain name associated with an NS record. Remember that
15914 domain names are relative to the origin unless they end with a dot.
15919 @deftp {Data Type} zone-file
15920 Data type representing the content of a zone file.
15921 This type has the following parameters:
15924 @item @code{entries} (default: @code{'()})
15925 The list of entries. The SOA record is taken care of, so you don't need to
15926 put it in the list of entries. This list should probably contain an entry
15927 for your primary authoritative DNS server. Other than using a list of entries
15928 directly, you can use @code{define-zone-entries} to define a object containing
15929 the list of entries more easily, that you can later pass to the @code{entries}
15930 field of the @code{zone-file}.
15932 @item @code{origin} (default: @code{""})
15933 The name of your zone. This parameter cannot be empty.
15935 @item @code{ns} (default: @code{"ns"})
15936 The domain of your primary authoritative DNS server. The name is relative to
15937 the origin, unless it ends with a dot. It is mandatory that this primary
15938 DNS server corresponds to an NS record in the zone and that it is associated
15939 to an IP address in the list of entries.
15941 @item @code{mail} (default: @code{"hostmaster"})
15942 An email address people can contact you at, as the owner of the zone. This
15943 is translated as @code{<mail>@@<origin>}.
15945 @item @code{serial} (default: @code{1})
15946 The serial number of the zone. As this is used to keep track of changes by
15947 both slaves and resolvers, it is mandatory that it @emph{never} decreases.
15948 Always increment it when you make a change in your zone.
15950 @item @code{refresh} (default: @code{(* 2 24 3600)})
15951 The frequency at which slaves will do a zone transfer. This value is a number
15952 of seconds. It can be computed by multiplications or with
15953 @code{(string->duration)}.
15955 @item @code{retry} (default: @code{(* 15 60)})
15956 The period after which a slave will retry to contact its master when it fails
15957 to do so a first time.
15959 @item @code{expiry} (default: @code{(* 14 24 3600)})
15960 Default TTL of records. Existing records are considered correct for at most
15961 this amount of time. After this period, resolvers will invalidate their cache
15962 and check again that it still exists.
15964 @item @code{nx} (default: @code{3600})
15965 Default TTL of inexistant records. This delay is usually short because you want
15966 your new domains to reach everyone quickly.
15971 @deftp {Data Type} knot-remote-configuration
15972 Data type representing a remote configuration.
15973 This type has the following parameters:
15976 @item @code{id} (default: @code{""})
15977 An identifier for other configuration fields to refer to this remote. IDs must
15978 be unique and must not be empty.
15980 @item @code{address} (default: @code{'()})
15981 An ordered list of destination IP addresses. Addresses are tried in sequence.
15982 An optional port can be given with the @@ separator. For instance:
15983 @code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53.
15985 @item @code{via} (default: @code{'()})
15986 An ordered list of source IP addresses. An empty list will have Knot choose
15987 an appropriate source IP. An optional port can be given with the @@ separator.
15988 The default is to choose at random.
15990 @item @code{key} (default: @code{#f})
15991 A reference to a key, that is a string containing the identifier of a key
15992 defined in a @code{knot-key-configuration} field.
15997 @deftp {Data Type} knot-keystore-configuration
15998 Data type representing a keystore to hold dnssec keys.
15999 This type has the following parameters:
16002 @item @code{id} (default: @code{""})
16003 The id of the keystore. It must not be empty.
16005 @item @code{backend} (default: @code{'pem})
16006 The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}.
16008 @item @code{config} (default: @code{"/var/lib/knot/keys/keys"})
16009 The configuration string of the backend. An example for the PKCS#11 is:
16010 @code{"pkcs11:token=knot;pin-value=1234 /gnu/store/.../lib/pkcs11/libsofthsm2.so"}.
16011 For the pem backend, the string reprensents a path in the file system.
16016 @deftp {Data Type} knot-policy-configuration
16017 Data type representing a dnssec policy. Knot DNS is able to automatically
16018 sign your zones. It can either generate and manage your keys automatically or
16019 use keys that you generate.
16021 Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that is
16022 used to sign the second, and a Zone Signing Key (ZSK) that is used to sign the
16023 zone. In order to be trusted, the KSK needs to be present in the parent zone
16024 (usually a top-level domain). If your registrar supports dnssec, you will
16025 have to send them your KSK's hash so they can add a DS record in their zone.
16026 This is not automated and need to be done each time you change your KSK.
16028 The policy also defines the lifetime of keys. Usually, ZSK can be changed
16029 easily and use weaker cryptographic functions (they use lower parameters) in
16030 order to sign records quickly, so they are changed often. The KSK however
16031 requires manual interaction with the registrar, so they are changed less often
16032 and use stronger parameters because they sign only one record.
16034 This type has the following parameters:
16037 @item @code{id} (default: @code{""})
16038 The id of the policy. It must not be empty.
16040 @item @code{keystore} (default: @code{"default"})
16041 A reference to a keystore, that is a string containing the identifier of a
16042 keystore defined in a @code{knot-keystore-configuration} field. The
16043 @code{"default"} identifier means the default keystore (a kasp database that
16044 was setup by this service).
16046 @item @code{manual?} (default: @code{#f})
16047 Whether the key management is manual or automatic.
16049 @item @code{single-type-signing?} (default: @code{#f})
16050 When @code{#t}, use the Single-Type Signing Scheme.
16052 @item @code{algorithm} (default: @code{"ecdsap256sha256"})
16053 An algorithm of signing keys and issued signatures.
16055 @item @code{ksk-size} (default: @code{256})
16056 The length of the KSK. Note that this value is correct for the default
16057 algorithm, but would be unsecure for other algorithms.
16059 @item @code{zsk-size} (default: @code{256})
16060 The length of the ZSK. Note that this value is correct for the default
16061 algorithm, but would be unsecure for other algorithms.
16063 @item @code{dnskey-ttl} (default: @code{'default})
16064 The TTL value for DNSKEY records added into zone apex. The special
16065 @code{'default} value means same as the zone SOA TTL.
16067 @item @code{zsk-lifetime} (default: @code{(* 30 24 3600)})
16068 The period between ZSK publication and the next rollover initiation.
16070 @item @code{propagation-delay} (default: @code{(* 24 3600)})
16071 An extra delay added for each key rollover step. This value should be high
16072 enough to cover propagation of data from the master server to all slaves.
16074 @item @code{rrsig-lifetime} (default: @code{(* 14 24 3600)})
16075 A validity period of newly issued signatures.
16077 @item @code{rrsig-refresh} (default: @code{(* 7 24 3600)})
16078 A period how long before a signature expiration the signature will be refreshed.
16080 @item @code{nsec3?} (default: @code{#f})
16081 When @code{#t}, NSEC3 will be used instead of NSEC.
16083 @item @code{nsec3-iterations} (default: @code{5})
16084 The number of additional times the hashing is performed.
16086 @item @code{nsec3-salt-length} (default: @code{8})
16087 The length of a salt field in octets, which is appended to the original owner
16088 name before hashing.
16090 @item @code{nsec3-salt-lifetime} (default: @code{(* 30 24 3600)})
16091 The validity period of newly issued salt field.
16096 @deftp {Data Type} knot-zone-configuration
16097 Data type representing a zone served by Knot.
16098 This type has the following parameters:
16101 @item @code{domain} (default: @code{""})
16102 The domain served by this configuration. It must not be empty.
16104 @item @code{file} (default: @code{""})
16105 The file where this zone is saved. This parameter is ignored by master zones.
16106 Empty means default location that depends on the domain name.
16108 @item @code{zone} (default: @code{(zone-file)})
16109 The content of the zone file. This parameter is ignored by slave zones. It
16110 must contain a zone-file record.
16112 @item @code{master} (default: @code{'()})
16113 A list of master remotes. When empty, this zone is a master. When set, this
16114 zone is a slave. This is a list of remotes identifiers.
16116 @item @code{ddns-master} (default: @code{#f})
16117 The main master. When empty, it defaults to the first master in the list of
16120 @item @code{notify} (default: @code{'()})
16121 A list of slave remote identifiers.
16123 @item @code{acl} (default: @code{'()})
16124 A list of acl identifiers.
16126 @item @code{semantic-checks?} (default: @code{#f})
16127 When set, this adds more semantic checks to the zone.
16129 @item @code{disable-any?} (default: @code{#f})
16130 When set, this forbids queries of the ANY type.
16132 @item @code{zonefile-sync} (default: @code{0})
16133 The delay between a modification in memory and on disk. 0 means immediate
16136 @item @code{serial-policy} (default: @code{'increment})
16137 A policy between @code{'increment} and @code{'unixtime}.
16142 @deftp {Data Type} knot-configuration
16143 Data type representing the Knot configuration.
16144 This type has the following parameters:
16147 @item @code{knot} (default: @code{knot})
16150 @item @code{run-directory} (default: @code{"/var/run/knot"})
16151 The run directory. This directory will be used for pid file and sockets.
16153 @item @code{listen-v4} (default: @code{"0.0.0.0"})
16154 An ip address on which to listen.
16156 @item @code{listen-v6} (default: @code{"::"})
16157 An ip address on which to listen.
16159 @item @code{listen-port} (default: @code{53})
16160 A port on which to listen.
16162 @item @code{keys} (default: @code{'()})
16163 The list of knot-key-configuration used by this configuration.
16165 @item @code{acls} (default: @code{'()})
16166 The list of knot-acl-configuration used by this configuration.
16168 @item @code{remotes} (default: @code{'()})
16169 The list of knot-remote-configuration used by this configuration.
16171 @item @code{zones} (default: @code{'()})
16172 The list of knot-zone-configuration used by this configuration.
16179 @subsubsection VPN Services
16180 @cindex VPN (virtual private network)
16181 @cindex virtual private network (VPN)
16183 The @code{(gnu services vpn)} module provides services related to
16184 @dfn{virtual private networks} (VPNs). It provides a @emph{client} service for
16185 your machine to connect to a VPN, and a @emph{servire} service for your machine
16186 to host a VPN. Both services use @uref{https://openvpn.net/, OpenVPN}.
16188 @deffn {Scheme Procedure} openvpn-client-service @
16189 [#:config (openvpn-client-configuration)]
16191 Return a service that runs @command{openvpn}, a VPN daemon, as a client.
16194 @deffn {Scheme Procedure} openvpn-server-service @
16195 [#:config (openvpn-server-configuration)]
16197 Return a service that runs @command{openvpn}, a VPN daemon, as a server.
16199 Both can be run simultaneously.
16202 @c %automatically generated documentation
16204 Available @code{openvpn-client-configuration} fields are:
16206 @deftypevr {@code{openvpn-client-configuration} parameter} package openvpn
16207 The OpenVPN package.
16211 @deftypevr {@code{openvpn-client-configuration} parameter} string pid-file
16212 The OpenVPN pid file.
16214 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
16218 @deftypevr {@code{openvpn-client-configuration} parameter} proto proto
16219 The protocol (UDP or TCP) used to open a channel between clients and
16222 Defaults to @samp{udp}.
16226 @deftypevr {@code{openvpn-client-configuration} parameter} dev dev
16227 The device type used to represent the VPN connection.
16229 Defaults to @samp{tun}.
16233 @deftypevr {@code{openvpn-client-configuration} parameter} string ca
16234 The certificate authority to check connections against.
16236 Defaults to @samp{"/etc/openvpn/ca.crt"}.
16240 @deftypevr {@code{openvpn-client-configuration} parameter} string cert
16241 The certificate of the machine the daemon is running on. It should be
16242 signed by the authority given in @code{ca}.
16244 Defaults to @samp{"/etc/openvpn/client.crt"}.
16248 @deftypevr {@code{openvpn-client-configuration} parameter} string key
16249 The key of the machine the daemon is running on. It must be the key whose
16250 certificate is @code{cert}.
16252 Defaults to @samp{"/etc/openvpn/client.key"}.
16256 @deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo?
16257 Whether to use the lzo compression algorithm.
16259 Defaults to @samp{#t}.
16263 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key?
16264 Don't re-read key files across SIGUSR1 or --ping-restart.
16266 Defaults to @samp{#t}.
16270 @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun?
16271 Don't close and reopen TUN/TAP device or run up/down scripts across
16272 SIGUSR1 or --ping-restart restarts.
16274 Defaults to @samp{#t}.
16278 @deftypevr {@code{openvpn-client-configuration} parameter} number verbosity
16281 Defaults to @samp{3}.
16285 @deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth
16286 Add an additional layer of HMAC authentication on top of the TLS control
16287 channel to protect against DoS attacks.
16289 Defaults to @samp{#f}.
16293 @deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage?
16294 Whether to check the server certificate has server usage extension.
16296 Defaults to @samp{#t}.
16300 @deftypevr {@code{openvpn-client-configuration} parameter} bind bind?
16301 Bind to a specific local port number.
16303 Defaults to @samp{#f}.
16307 @deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry?
16308 Retry resolving server address.
16310 Defaults to @samp{#t}.
16314 @deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote
16315 A list of remote servers to connect to.
16317 Defaults to @samp{()}.
16319 Available @code{openvpn-remote-configuration} fields are:
16321 @deftypevr {@code{openvpn-remote-configuration} parameter} string name
16324 Defaults to @samp{"my-server"}.
16328 @deftypevr {@code{openvpn-remote-configuration} parameter} number port
16329 Port number the server listens to.
16331 Defaults to @samp{1194}.
16336 @c %end of automatic openvpn-client documentation
16338 @c %automatically generated documentation
16340 Available @code{openvpn-server-configuration} fields are:
16342 @deftypevr {@code{openvpn-server-configuration} parameter} package openvpn
16343 The OpenVPN package.
16347 @deftypevr {@code{openvpn-server-configuration} parameter} string pid-file
16348 The OpenVPN pid file.
16350 Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
16354 @deftypevr {@code{openvpn-server-configuration} parameter} proto proto
16355 The protocol (UDP or TCP) used to open a channel between clients and
16358 Defaults to @samp{udp}.
16362 @deftypevr {@code{openvpn-server-configuration} parameter} dev dev
16363 The device type used to represent the VPN connection.
16365 Defaults to @samp{tun}.
16369 @deftypevr {@code{openvpn-server-configuration} parameter} string ca
16370 The certificate authority to check connections against.
16372 Defaults to @samp{"/etc/openvpn/ca.crt"}.
16376 @deftypevr {@code{openvpn-server-configuration} parameter} string cert
16377 The certificate of the machine the daemon is running on. It should be
16378 signed by the authority given in @code{ca}.
16380 Defaults to @samp{"/etc/openvpn/client.crt"}.
16384 @deftypevr {@code{openvpn-server-configuration} parameter} string key
16385 The key of the machine the daemon is running on. It must be the key whose
16386 certificate is @code{cert}.
16388 Defaults to @samp{"/etc/openvpn/client.key"}.
16392 @deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo?
16393 Whether to use the lzo compression algorithm.
16395 Defaults to @samp{#t}.
16399 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key?
16400 Don't re-read key files across SIGUSR1 or --ping-restart.
16402 Defaults to @samp{#t}.
16406 @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun?
16407 Don't close and reopen TUN/TAP device or run up/down scripts across
16408 SIGUSR1 or --ping-restart restarts.
16410 Defaults to @samp{#t}.
16414 @deftypevr {@code{openvpn-server-configuration} parameter} number verbosity
16417 Defaults to @samp{3}.
16421 @deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth
16422 Add an additional layer of HMAC authentication on top of the TLS control
16423 channel to protect against DoS attacks.
16425 Defaults to @samp{#f}.
16429 @deftypevr {@code{openvpn-server-configuration} parameter} number port
16430 Specifies the port number on which the server listens.
16432 Defaults to @samp{1194}.
16436 @deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server
16437 An ip and mask specifying the subnet inside the virtual network.
16439 Defaults to @samp{"10.8.0.0 255.255.255.0"}.
16443 @deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6
16444 A CIDR notation specifying the IPv6 subnet inside the virtual network.
16446 Defaults to @samp{#f}.
16450 @deftypevr {@code{openvpn-server-configuration} parameter} string dh
16451 The Diffie-Hellman parameters file.
16453 Defaults to @samp{"/etc/openvpn/dh2048.pem"}.
16457 @deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist
16458 The file that records client IPs.
16460 Defaults to @samp{"/etc/openvpn/ipp.txt"}.
16464 @deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway?
16465 When true, the server will act as a gateway for its clients.
16467 Defaults to @samp{#f}.
16471 @deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client?
16472 When true, clients are allowed to talk to each other inside the VPN.
16474 Defaults to @samp{#f}.
16478 @deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive
16479 Causes ping-like messages to be sent back and forth over the link so
16480 that each side knows when the other side has gone down. @code{keepalive}
16481 requires a pair. The first element is the period of the ping sending,
16482 and the second element is the timeout before considering the other side
16487 @deftypevr {@code{openvpn-server-configuration} parameter} number max-clients
16488 The maximum number of clients.
16490 Defaults to @samp{100}.
16494 @deftypevr {@code{openvpn-server-configuration} parameter} string status
16495 The status file. This file shows a small report on current connection.
16496 It is truncated and rewritten every minute.
16498 Defaults to @samp{"/var/run/openvpn/status"}.
16502 @deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir
16503 The list of configuration for some clients.
16505 Defaults to @samp{()}.
16507 Available @code{openvpn-ccd-configuration} fields are:
16509 @deftypevr {@code{openvpn-ccd-configuration} parameter} string name
16512 Defaults to @samp{"client"}.
16516 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute
16519 Defaults to @samp{#f}.
16523 @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push
16526 Defaults to @samp{#f}.
16533 @c %end of automatic openvpn-server documentation
16536 @node Network File System
16537 @subsubsection Network File System
16540 The @code{(gnu services nfs)} module provides the following services,
16541 which are most commonly used in relation to mounting or exporting
16542 directory trees as @dfn{network file systems} (NFS).
16544 @subsubheading RPC Bind Service
16547 The RPC Bind service provides a facility to map program numbers into
16548 universal addresses.
16549 Many NFS related services use this facility. Hence it is automatically
16550 started when a dependent service starts.
16552 @defvr {Scheme Variable} rpcbind-service-type
16553 A service type for the RPC portmapper daemon.
16557 @deftp {Data Type} rpcbind-configuration
16558 Data type representing the configuration of the RPC Bind Service.
16559 This type has the following parameters:
16561 @item @code{rpcbind} (default: @code{rpcbind})
16562 The rpcbind package to use.
16564 @item @code{warm-start?} (default: @code{#t})
16565 If this parameter is @code{#t}, then the daemon will read a
16566 state file on startup thus reloading state information saved by a previous
16572 @subsubheading Pipefs Pseudo File System
16576 The pipefs file system is used to transfer NFS related data
16577 between the kernel and user space programs.
16579 @defvr {Scheme Variable} pipefs-service-type
16580 A service type for the pipefs pseudo file system.
16583 @deftp {Data Type} pipefs-configuration
16584 Data type representing the configuration of the pipefs pseudo file system service.
16585 This type has the following parameters:
16587 @item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
16588 The directory to which the file system is to be attached.
16593 @subsubheading GSS Daemon Service
16596 @cindex global security system
16598 The @dfn{global security system} (GSS) daemon provides strong security for RPC
16600 Before exchanging RPC requests an RPC client must establish a security
16601 context. Typically this is done using the Kerberos command @command{kinit}
16602 or automatically at login time using PAM services (@pxref{Kerberos Services}).
16604 @defvr {Scheme Variable} gss-service-type
16605 A service type for the Global Security System (GSS) daemon.
16608 @deftp {Data Type} gss-configuration
16609 Data type representing the configuration of the GSS daemon service.
16610 This type has the following parameters:
16612 @item @code{nfs-utils} (default: @code{nfs-utils})
16613 The package in which the @command{rpc.gssd} command is to be found.
16615 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
16616 The directory where the pipefs file system is mounted.
16622 @subsubheading IDMAP Daemon Service
16624 @cindex name mapper
16626 The idmap daemon service provides mapping between user IDs and user names.
16627 Typically it is required in order to access file systems mounted via NFSv4.
16629 @defvr {Scheme Variable} idmap-service-type
16630 A service type for the Identity Mapper (IDMAP) daemon.
16633 @deftp {Data Type} idmap-configuration
16634 Data type representing the configuration of the IDMAP daemon service.
16635 This type has the following parameters:
16637 @item @code{nfs-utils} (default: @code{nfs-utils})
16638 The package in which the @command{rpc.idmapd} command is to be found.
16640 @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
16641 The directory where the pipefs file system is mounted.
16643 @item @code{domain} (default: @code{#f})
16644 The local NFSv4 domain name.
16645 This must be a string or @code{#f}.
16646 If it is @code{#f} then the daemon will use the host's fully qualified domain name.
16651 @node Continuous Integration
16652 @subsubsection Continuous Integration
16654 @cindex continuous integration
16655 @uref{https://notabug.org/mthl/cuirass, Cuirass} is a continuous
16656 integration tool for Guix. It can be used both for development and for
16657 providing substitutes to others (@pxref{Substitutes}).
16659 The @code{(gnu services cuirass)} module provides the following service.
16661 @defvr {Scheme Procedure} cuirass-service-type
16662 The type of the Cuirass service. Its value must be a
16663 @code{cuirass-configuration} object, as described below.
16666 To add build jobs, you have to set the @code{specifications} field of
16667 the configuration. Here is an example of a service defining a build job
16668 based on a specification that can be found in Cuirass source tree. This
16669 service polls the Guix repository and builds a subset of the Guix
16670 packages, as prescribed in the @file{gnu-system.scm} example spec:
16673 (let ((spec #~((#:name . "guix")
16674 (#:url . "git://git.savannah.gnu.org/guix.git")
16675 (#:load-path . ".")
16676 (#:file . "build-aux/cuirass/gnu-system.scm")
16677 (#:proc . cuirass-jobs)
16678 (#:arguments (subset . "hello"))
16679 (#:branch . "master"))))
16680 (service cuirass-service-type
16681 (cuirass-configuration
16682 (specifications #~(list '#$spec)))))
16685 While information related to build jobs is located directly in the
16686 specifications, global settings for the @command{cuirass} process are
16687 accessible in other @code{cuirass-configuration} fields.
16689 @deftp {Data Type} cuirass-configuration
16690 Data type representing the configuration of Cuirass.
16693 @item @code{log-file} (default: @code{"/var/log/cuirass.log"})
16694 Location of the log file.
16696 @item @code{cache-directory} (default: @code{"/var/cache/cuirass"})
16697 Location of the repository cache.
16699 @item @code{user} (default: @code{"cuirass"})
16700 Owner of the @code{cuirass} process.
16702 @item @code{group} (default: @code{"cuirass"})
16703 Owner's group of the @code{cuirass} process.
16705 @item @code{interval} (default: @code{60})
16706 Number of seconds between the poll of the repositories followed by the
16709 @item @code{database} (default: @code{"/var/run/cuirass/cuirass.db"})
16710 Location of sqlite database which contains the build results and previously
16711 added specifications.
16713 @item @code{port} (default: @code{8081})
16714 Port number used by the HTTP server.
16716 @item --listen=@var{host}
16717 Listen on the network interface for @var{host}. The default is to
16718 accept connections from localhost.
16720 @item @code{specifications} (default: @code{#~'()})
16721 A gexp (@pxref{G-Expressions}) that evaluates to a list of specifications,
16722 where a specification is an association list
16723 (@pxref{Associations Lists,,, guile, GNU Guile Reference Manual}) whose
16724 keys are keywords (@code{#:keyword-example}) as shown in the example
16727 @item @code{use-substitutes?} (default: @code{#f})
16728 This allows using substitutes to avoid building every dependencies of a job
16731 @item @code{one-shot?} (default: @code{#f})
16732 Only evaluate specifications and build derivations once.
16734 @item @code{fallback?} (default: @code{#f})
16735 When substituting a pre-built binary fails, fall back to building
16738 @item @code{load-path} (default: @code{'()})
16739 This allows users to define their own packages and make them visible to
16740 cuirass as in @command{guix build} command.
16742 @item @code{cuirass} (default: @code{cuirass})
16743 The Cuirass package to use.
16747 @node Power management Services
16748 @subsubsection Power management Services
16750 @cindex power management with TLP
16751 The @code{(gnu services pm)} module provides a Guix service definition
16752 for the Linux power management tool TLP.
16754 TLP enables various powersaving modes in userspace and kernel.
16755 Contrary to @code{upower-service}, it is not a passive,
16756 monitoring tool, as it will apply custom settings each time a new power
16757 source is detected. More information can be found at
16758 @uref{http://linrunner.de/en/tlp/tlp.html, TLP home page}.
16760 @deffn {Scheme Variable} tlp-service-type
16761 The service type for the TLP tool. Its value should be a valid
16762 TLP configuration (see below). To use the default settings, simply
16765 (service tlp-service-type)
16769 By default TLP does not need much configuration but most TLP parameters
16770 can be tweaked using @code{tlp-configuration}.
16772 Each parameter definition is preceded by its type; for example,
16773 @samp{boolean foo} indicates that the @code{foo} parameter
16774 should be specified as a boolean. Types starting with
16775 @code{maybe-} denote parameters that won't show up in TLP config file
16776 when their value is @code{'disabled}.
16778 @c The following documentation was initially generated by
16779 @c (generate-tlp-documentation) in (gnu services pm). Manually maintained
16780 @c documentation is better, so we shouldn't hesitate to edit below as
16781 @c needed. However if the change you want to make to this documentation
16782 @c can be done in an automated way, it's probably easier to change
16783 @c (generate-documentation) than to make it below and have to deal with
16784 @c the churn as TLP updates.
16786 Available @code{tlp-configuration} fields are:
16788 @deftypevr {@code{tlp-configuration} parameter} package tlp
16793 @deftypevr {@code{tlp-configuration} parameter} boolean tlp-enable?
16794 Set to true if you wish to enable TLP.
16796 Defaults to @samp{#t}.
16800 @deftypevr {@code{tlp-configuration} parameter} string tlp-default-mode
16801 Default mode when no power supply can be detected. Alternatives are AC
16804 Defaults to @samp{"AC"}.
16808 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-ac
16809 Number of seconds Linux kernel has to wait after the disk goes idle,
16810 before syncing on AC.
16812 Defaults to @samp{0}.
16816 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-bat
16817 Same as @code{disk-idle-ac} but on BAT mode.
16819 Defaults to @samp{2}.
16823 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-ac
16824 Dirty pages flushing periodicity, expressed in seconds.
16826 Defaults to @samp{15}.
16830 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-bat
16831 Same as @code{max-lost-work-secs-on-ac} but on BAT mode.
16833 Defaults to @samp{60}.
16837 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-ac
16838 CPU frequency scaling governor on AC mode. With intel_pstate driver,
16839 alternatives are powersave and performance. With acpi-cpufreq driver,
16840 alternatives are ondemand, powersave, performance and conservative.
16842 Defaults to @samp{disabled}.
16846 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-bat
16847 Same as @code{cpu-scaling-governor-on-ac} but on BAT mode.
16849 Defaults to @samp{disabled}.
16853 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-ac
16854 Set the min available frequency for the scaling governor on AC.
16856 Defaults to @samp{disabled}.
16860 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-ac
16861 Set the max available frequency for the scaling governor on AC.
16863 Defaults to @samp{disabled}.
16867 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-bat
16868 Set the min available frequency for the scaling governor on BAT.
16870 Defaults to @samp{disabled}.
16874 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-bat
16875 Set the max available frequency for the scaling governor on BAT.
16877 Defaults to @samp{disabled}.
16881 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-ac
16882 Limit the min P-state to control the power dissipation of the CPU, in AC
16883 mode. Values are stated as a percentage of the available performance.
16885 Defaults to @samp{disabled}.
16889 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-ac
16890 Limit the max P-state to control the power dissipation of the CPU, in AC
16891 mode. Values are stated as a percentage of the available performance.
16893 Defaults to @samp{disabled}.
16897 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-bat
16898 Same as @code{cpu-min-perf-on-ac} on BAT mode.
16900 Defaults to @samp{disabled}.
16904 @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-bat
16905 Same as @code{cpu-max-perf-on-ac} on BAT mode.
16907 Defaults to @samp{disabled}.
16911 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-ac?
16912 Enable CPU turbo boost feature on AC mode.
16914 Defaults to @samp{disabled}.
16918 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-bat?
16919 Same as @code{cpu-boost-on-ac?} on BAT mode.
16921 Defaults to @samp{disabled}.
16925 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-ac?
16926 Allow Linux kernel to minimize the number of CPU cores/hyper-threads
16927 used under light load conditions.
16929 Defaults to @samp{#f}.
16933 @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-bat?
16934 Same as @code{sched-powersave-on-ac?} but on BAT mode.
16936 Defaults to @samp{#t}.
16940 @deftypevr {@code{tlp-configuration} parameter} boolean nmi-watchdog?
16941 Enable Linux kernel NMI watchdog.
16943 Defaults to @samp{#f}.
16947 @deftypevr {@code{tlp-configuration} parameter} maybe-string phc-controls
16948 For Linux kernels with PHC patch applied, change CPU voltages. An
16949 example value would be @samp{"F:V F:V F:V F:V"}.
16951 Defaults to @samp{disabled}.
16955 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-ac
16956 Set CPU performance versus energy saving policy on AC. Alternatives are
16957 performance, normal, powersave.
16959 Defaults to @samp{"performance"}.
16963 @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-bat
16964 Same as @code{energy-perf-policy-ac} but on BAT mode.
16966 Defaults to @samp{"powersave"}.
16970 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disks-devices
16975 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-ac
16976 Hard disk advanced power management level.
16980 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-bat
16981 Same as @code{disk-apm-bat} but on BAT mode.
16985 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-ac
16986 Hard disk spin down timeout. One value has to be specified for each
16987 declared hard disk.
16989 Defaults to @samp{disabled}.
16993 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-bat
16994 Same as @code{disk-spindown-timeout-on-ac} but on BAT mode.
16996 Defaults to @samp{disabled}.
17000 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-iosched
17001 Select IO scheduler for disk devices. One value has to be specified for
17002 each declared hard disk. Example alternatives are cfq, deadline and
17005 Defaults to @samp{disabled}.
17009 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-ac
17010 SATA aggressive link power management (ALPM) level. Alternatives are
17011 min_power, medium_power, max_performance.
17013 Defaults to @samp{"max_performance"}.
17017 @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-bat
17018 Same as @code{sata-linkpwr-ac} but on BAT mode.
17020 Defaults to @samp{"min_power"}.
17024 @deftypevr {@code{tlp-configuration} parameter} maybe-string sata-linkpwr-blacklist
17025 Exclude specified SATA host devices for link power management.
17027 Defaults to @samp{disabled}.
17031 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-ac?
17032 Enable Runtime Power Management for AHCI controller and disks on AC
17035 Defaults to @samp{disabled}.
17039 @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-bat?
17040 Same as @code{ahci-runtime-pm-on-ac} on BAT mode.
17042 Defaults to @samp{disabled}.
17046 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer ahci-runtime-pm-timeout
17047 Seconds of inactivity before disk is suspended.
17049 Defaults to @samp{15}.
17053 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-ac
17054 PCI Express Active State Power Management level. Alternatives are
17055 default, performance, powersave.
17057 Defaults to @samp{"performance"}.
17061 @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-bat
17062 Same as @code{pcie-aspm-ac} but on BAT mode.
17064 Defaults to @samp{"powersave"}.
17068 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-ac
17069 Radeon graphics clock speed level. Alternatives are low, mid, high,
17072 Defaults to @samp{"high"}.
17076 @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-bat
17077 Same as @code{radeon-power-ac} but on BAT mode.
17079 Defaults to @samp{"low"}.
17083 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-ac
17084 Radeon dynamic power management method (DPM). Alternatives are battery,
17087 Defaults to @samp{"performance"}.
17091 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-bat
17092 Same as @code{radeon-dpm-state-ac} but on BAT mode.
17094 Defaults to @samp{"battery"}.
17098 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-ac
17099 Radeon DPM performance level. Alternatives are auto, low, high.
17101 Defaults to @samp{"auto"}.
17105 @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-bat
17106 Same as @code{radeon-dpm-perf-ac} but on BAT mode.
17108 Defaults to @samp{"auto"}.
17112 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-ac?
17113 Wifi power saving mode.
17115 Defaults to @samp{#f}.
17119 @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-bat?
17120 Same as @code{wifi-power-ac?} but on BAT mode.
17122 Defaults to @samp{#t}.
17126 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean wol-disable?
17127 Disable wake on LAN.
17129 Defaults to @samp{#t}.
17133 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-ac
17134 Timeout duration in seconds before activating audio power saving on
17135 Intel HDA and AC97 devices. A value of 0 disables power saving.
17137 Defaults to @samp{0}.
17141 @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-bat
17142 Same as @code{sound-powersave-ac} but on BAT mode.
17144 Defaults to @samp{1}.
17148 @deftypevr {@code{tlp-configuration} parameter} y-n-boolean sound-power-save-controller?
17149 Disable controller in powersaving mode on Intel HDA devices.
17151 Defaults to @samp{#t}.
17155 @deftypevr {@code{tlp-configuration} parameter} boolean bay-poweroff-on-bat?
17156 Enable optical drive in UltraBay/MediaBay on BAT mode. Drive can be
17157 powered on again by releasing (and reinserting) the eject lever or by
17158 pressing the disc eject button on newer models.
17160 Defaults to @samp{#f}.
17164 @deftypevr {@code{tlp-configuration} parameter} string bay-device
17165 Name of the optical drive device to power off.
17167 Defaults to @samp{"sr0"}.
17171 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-ac
17172 Runtime Power Management for PCI(e) bus devices. Alternatives are on
17175 Defaults to @samp{"on"}.
17179 @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-bat
17180 Same as @code{runtime-pm-ac} but on BAT mode.
17182 Defaults to @samp{"auto"}.
17186 @deftypevr {@code{tlp-configuration} parameter} boolean runtime-pm-all?
17187 Runtime Power Management for all PCI(e) bus devices, except blacklisted
17190 Defaults to @samp{#t}.
17194 @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list runtime-pm-blacklist
17195 Exclude specified PCI(e) device addresses from Runtime Power Management.
17197 Defaults to @samp{disabled}.
17201 @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list runtime-pm-driver-blacklist
17202 Exclude PCI(e) devices assigned to the specified drivers from Runtime
17207 @deftypevr {@code{tlp-configuration} parameter} boolean usb-autosuspend?
17208 Enable USB autosuspend feature.
17210 Defaults to @samp{#t}.
17214 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-blacklist
17215 Exclude specified devices from USB autosuspend.
17217 Defaults to @samp{disabled}.
17221 @deftypevr {@code{tlp-configuration} parameter} boolean usb-blacklist-wwan?
17222 Exclude WWAN devices from USB autosuspend.
17224 Defaults to @samp{#t}.
17228 @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-whitelist
17229 Include specified devices into USB autosuspend, even if they are already
17230 excluded by the driver or via @code{usb-blacklist-wwan?}.
17232 Defaults to @samp{disabled}.
17236 @deftypevr {@code{tlp-configuration} parameter} maybe-boolean usb-autosuspend-disable-on-shutdown?
17237 Enable USB autosuspend before shutdown.
17239 Defaults to @samp{disabled}.
17243 @deftypevr {@code{tlp-configuration} parameter} boolean restore-device-state-on-startup?
17244 Restore radio device state (bluetooth, wifi, wwan) from previous
17245 shutdown on system startup.
17247 Defaults to @samp{#f}.
17252 The @code{(gnu services pm)} module provides an interface to
17253 thermald, a CPU frequency scaling service which helps prevent overheating.
17255 @defvr {Scheme Variable} thermald-service-type
17256 This is the service type for
17257 @uref{https://01.org/linux-thermal-daemon/, thermald}, the Linux
17258 Thermal Daemon, which is responsible for controlling the thermal state
17259 of processors and preventing overheating.
17262 @deftp {Data Type} thermald-configuration
17263 Data type representing the configuration of @code{thermald-service-type}.
17266 @item @code{ignore-cpuid-check?} (default: @code{#f})
17267 Ignore cpuid check for supported CPU models.
17269 @item @code{thermald} (default: @var{thermald})
17270 Package object of thermald.
17275 @node Audio Services
17276 @subsubsection Audio Services
17278 The @code{(gnu services audio)} module provides a service to start MPD
17279 (the Music Player Daemon).
17282 @subsubheading Music Player Daemon
17284 The Music Player Daemon (MPD) is a service that can play music while
17285 being controlled from the local machine or over the network by a variety
17288 The following example shows how one might run @code{mpd} as user
17289 @code{"bob"} on port @code{6666}. It uses pulseaudio for output.
17292 (service mpd-service-type
17298 @defvr {Scheme Variable} mpd-service-type
17299 The service type for @command{mpd}
17302 @deftp {Data Type} mpd-configuration
17303 Data type representing the configuration of @command{mpd}.
17306 @item @code{user} (default: @code{"mpd"})
17307 The user to run mpd as.
17309 @item @code{music-dir} (default: @code{"~/Music"})
17310 The directory to scan for music files.
17312 @item @code{playlist-dir} (default: @code{"~/.mpd/playlists"})
17313 The directory to store playlists.
17315 @item @code{port} (default: @code{"6600"})
17316 The port to run mpd on.
17318 @item @code{address} (default: @code{"any"})
17319 The address that mpd will bind to. To use a Unix domain socket,
17320 an absolute path can be specified here.
17325 @node Virtualization Services
17326 @subsubsection Virtualization services
17328 The @code{(gnu services virtualization)} module provides services for
17329 the libvirt and virtlog daemons, as well as other virtualization-related
17332 @subsubheading Libvirt daemon
17333 @code{libvirtd} is the server side daemon component of the libvirt
17334 virtualization management system. This daemon runs on host servers
17335 and performs required management tasks for virtualized guests.
17337 @deffn {Scheme Variable} libvirt-service-type
17338 This is the type of the @uref{https://libvirt.org, libvirt daemon}.
17339 Its value must be a @code{libvirt-configuration}.
17342 (service libvirt-service-type
17343 (libvirt-configuration
17344 (unix-sock-group "libvirt")
17345 (tls-port "16555")))
17349 @c Auto-generated with (generate-libvirt-documentation)
17350 Available @code{libvirt-configuration} fields are:
17352 @deftypevr {@code{libvirt-configuration} parameter} package libvirt
17357 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tls?
17358 Flag listening for secure TLS connections on the public TCP/IP port.
17359 must set @code{listen} for this to have any effect.
17361 It is necessary to setup a CA and issue server certificates before using
17364 Defaults to @samp{#t}.
17368 @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tcp?
17369 Listen for unencrypted TCP connections on the public TCP/IP port. must
17370 set @code{listen} for this to have any effect.
17372 Using the TCP socket requires SASL authentication by default. Only SASL
17373 mechanisms which support data encryption are allowed. This is
17374 DIGEST_MD5 and GSSAPI (Kerberos5)
17376 Defaults to @samp{#f}.
17380 @deftypevr {@code{libvirt-configuration} parameter} string tls-port
17381 Port for accepting secure TLS connections This can be a port number, or
17384 Defaults to @samp{"16514"}.
17388 @deftypevr {@code{libvirt-configuration} parameter} string tcp-port
17389 Port for accepting insecure TCP connections This can be a port number,
17392 Defaults to @samp{"16509"}.
17396 @deftypevr {@code{libvirt-configuration} parameter} string listen-addr
17397 IP address or hostname used for client connections.
17399 Defaults to @samp{"0.0.0.0"}.
17403 @deftypevr {@code{libvirt-configuration} parameter} boolean mdns-adv?
17404 Flag toggling mDNS advertisement of the libvirt service.
17406 Alternatively can disable for all services on a host by stopping the
17409 Defaults to @samp{#f}.
17413 @deftypevr {@code{libvirt-configuration} parameter} string mdns-name
17414 Default mDNS advertisement name. This must be unique on the immediate
17417 Defaults to @samp{"Virtualization Host <hostname>"}.
17421 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-group
17422 UNIX domain socket group ownership. This can be used to allow a
17423 'trusted' set of users access to management capabilities without
17426 Defaults to @samp{"root"}.
17430 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-ro-perms
17431 UNIX socket permissions for the R/O socket. This is used for monitoring
17434 Defaults to @samp{"0777"}.
17438 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-rw-perms
17439 UNIX socket permissions for the R/W socket. Default allows only root.
17440 If PolicyKit is enabled on the socket, the default will change to allow
17441 everyone (eg, 0777)
17443 Defaults to @samp{"0770"}.
17447 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-admin-perms
17448 UNIX socket permissions for the admin socket. Default allows only owner
17449 (root), do not change it unless you are sure to whom you are exposing
17452 Defaults to @samp{"0777"}.
17456 @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-dir
17457 The directory in which sockets will be found/created.
17459 Defaults to @samp{"/var/run/libvirt"}.
17463 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-ro
17464 Authentication scheme for UNIX read-only sockets. By default socket
17465 permissions allow anyone to connect
17467 Defaults to @samp{"polkit"}.
17471 @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-rw
17472 Authentication scheme for UNIX read-write sockets. By default socket
17473 permissions only allow root. If PolicyKit support was compiled into
17474 libvirt, the default will be to use 'polkit' auth.
17476 Defaults to @samp{"polkit"}.
17480 @deftypevr {@code{libvirt-configuration} parameter} string auth-tcp
17481 Authentication scheme for TCP sockets. If you don't enable SASL, then
17482 all TCP traffic is cleartext. Don't do this outside of a dev/test
17485 Defaults to @samp{"sasl"}.
17489 @deftypevr {@code{libvirt-configuration} parameter} string auth-tls
17490 Authentication scheme for TLS sockets. TLS sockets already have
17491 encryption provided by the TLS layer, and limited authentication is done
17494 It is possible to make use of any SASL authentication mechanism as well,
17495 by using 'sasl' for this option
17497 Defaults to @samp{"none"}.
17501 @deftypevr {@code{libvirt-configuration} parameter} optional-list access-drivers
17502 API access control scheme.
17504 By default an authenticated user is allowed access to all APIs. Access
17505 drivers can place restrictions on this.
17507 Defaults to @samp{()}.
17511 @deftypevr {@code{libvirt-configuration} parameter} string key-file
17512 Server key file path. If set to an empty string, then no private key is
17515 Defaults to @samp{""}.
17519 @deftypevr {@code{libvirt-configuration} parameter} string cert-file
17520 Server key file path. If set to an empty string, then no certificate is
17523 Defaults to @samp{""}.
17527 @deftypevr {@code{libvirt-configuration} parameter} string ca-file
17528 Server key file path. If set to an empty string, then no CA certificate
17531 Defaults to @samp{""}.
17535 @deftypevr {@code{libvirt-configuration} parameter} string crl-file
17536 Certificate revocation list path. If set to an empty string, then no
17539 Defaults to @samp{""}.
17543 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-sanity-cert
17544 Disable verification of our own server certificates.
17546 When libvirtd starts it performs some sanity checks against its own
17549 Defaults to @samp{#f}.
17553 @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-verify-cert
17554 Disable verification of client certificates.
17556 Client certificate verification is the primary authentication mechanism.
17557 Any client which does not present a certificate signed by the CA will be
17560 Defaults to @samp{#f}.
17564 @deftypevr {@code{libvirt-configuration} parameter} optional-list tls-allowed-dn-list
17565 Whitelist of allowed x509 Distinguished Name.
17567 Defaults to @samp{()}.
17571 @deftypevr {@code{libvirt-configuration} parameter} optional-list sasl-allowed-usernames
17572 Whitelist of allowed SASL usernames. The format for username depends on
17573 the SASL authentication mechanism.
17575 Defaults to @samp{()}.
17579 @deftypevr {@code{libvirt-configuration} parameter} string tls-priority
17580 Override the compile time default TLS priority string. The default is
17581 usually "NORMAL" unless overridden at build time. Only set this is it
17582 is desired for libvirt to deviate from the global default settings.
17584 Defaults to @samp{"NORMAL"}.
17588 @deftypevr {@code{libvirt-configuration} parameter} integer max-clients
17589 Maximum number of concurrent client connections to allow over all
17592 Defaults to @samp{5000}.
17596 @deftypevr {@code{libvirt-configuration} parameter} integer max-queued-clients
17597 Maximum length of queue of connections waiting to be accepted by the
17598 daemon. Note, that some protocols supporting retransmission may obey
17599 this so that a later reattempt at connection succeeds.
17601 Defaults to @samp{1000}.
17605 @deftypevr {@code{libvirt-configuration} parameter} integer max-anonymous-clients
17606 Maximum length of queue of accepted but not yet authenticated clients.
17607 Set this to zero to turn this feature off
17609 Defaults to @samp{20}.
17613 @deftypevr {@code{libvirt-configuration} parameter} integer min-workers
17614 Number of workers to start up initially.
17616 Defaults to @samp{5}.
17620 @deftypevr {@code{libvirt-configuration} parameter} integer max-workers
17621 Maximum number of worker threads.
17623 If the number of active clients exceeds @code{min-workers}, then more
17624 threads are spawned, up to max_workers limit. Typically you'd want
17625 max_workers to equal maximum number of clients allowed.
17627 Defaults to @samp{20}.
17631 @deftypevr {@code{libvirt-configuration} parameter} integer prio-workers
17632 Number of priority workers. If all workers from above pool are stuck,
17633 some calls marked as high priority (notably domainDestroy) can be
17634 executed in this pool.
17636 Defaults to @samp{5}.
17640 @deftypevr {@code{libvirt-configuration} parameter} integer max-requests
17641 Total global limit on concurrent RPC calls.
17643 Defaults to @samp{20}.
17647 @deftypevr {@code{libvirt-configuration} parameter} integer max-client-requests
17648 Limit on concurrent requests from a single client connection. To avoid
17649 one client monopolizing the server this should be a small fraction of
17650 the global max_requests and max_workers parameter.
17652 Defaults to @samp{5}.
17656 @deftypevr {@code{libvirt-configuration} parameter} integer admin-min-workers
17657 Same as @code{min-workers} but for the admin interface.
17659 Defaults to @samp{1}.
17663 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-workers
17664 Same as @code{max-workers} but for the admin interface.
17666 Defaults to @samp{5}.
17670 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-clients
17671 Same as @code{max-clients} but for the admin interface.
17673 Defaults to @samp{5}.
17677 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-queued-clients
17678 Same as @code{max-queued-clients} but for the admin interface.
17680 Defaults to @samp{5}.
17684 @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-client-requests
17685 Same as @code{max-client-requests} but for the admin interface.
17687 Defaults to @samp{5}.
17691 @deftypevr {@code{libvirt-configuration} parameter} integer log-level
17692 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
17694 Defaults to @samp{3}.
17698 @deftypevr {@code{libvirt-configuration} parameter} string log-filters
17701 A filter allows to select a different logging level for a given category
17702 of logs The format for a filter is one of:
17713 where @code{name} is a string which is matched against the category
17714 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
17715 file, e.g., "remote", "qemu", or "util.json" (the name in the filter can
17716 be a substring of the full category name, in order to match multiple
17717 similar categories), the optional "+" prefix tells libvirt to log stack
17718 trace for each message matching name, and @code{x} is the minimal level
17719 where matching messages should be logged:
17736 Multiple filters can be defined in a single filters statement, they just
17737 need to be separated by spaces.
17739 Defaults to @samp{"3:remote 4:event"}.
17743 @deftypevr {@code{libvirt-configuration} parameter} string log-outputs
17746 An output is one of the places to save logging information The format
17747 for an output can be:
17751 output goes to stderr
17753 @item x:syslog:name
17754 use syslog for the output and use the given name as the ident
17756 @item x:file:file_path
17757 output to a file, with the given filepath
17760 output to journald logging system
17764 In all case the x prefix is the minimal level, acting as a filter
17781 Multiple outputs can be defined, they just need to be separated by
17784 Defaults to @samp{"3:stderr"}.
17788 @deftypevr {@code{libvirt-configuration} parameter} integer audit-level
17789 Allows usage of the auditing subsystem to be altered
17793 0: disable all auditing
17796 1: enable auditing, only if enabled on host
17799 2: enable auditing, and exit if disabled on host.
17803 Defaults to @samp{1}.
17807 @deftypevr {@code{libvirt-configuration} parameter} boolean audit-logging
17808 Send audit messages via libvirt logging infrastructure.
17810 Defaults to @samp{#f}.
17814 @deftypevr {@code{libvirt-configuration} parameter} optional-string host-uuid
17815 Host UUID. UUID must not have all digits be the same.
17817 Defaults to @samp{""}.
17821 @deftypevr {@code{libvirt-configuration} parameter} string host-uuid-source
17822 Source to read host UUID.
17826 @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid}
17829 @code{machine-id}: fetch the UUID from @code{/etc/machine-id}
17833 If @code{dmidecode} does not provide a valid UUID a temporary UUID will
17836 Defaults to @samp{"smbios"}.
17840 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-interval
17841 A keepalive message is sent to a client after @code{keepalive_interval}
17842 seconds of inactivity to check if the client is still responding. If
17843 set to -1, libvirtd will never send keepalive requests; however clients
17844 can still send them and the daemon will send responses.
17846 Defaults to @samp{5}.
17850 @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-count
17851 Maximum number of keepalive messages that are allowed to be sent to the
17852 client without getting any response before the connection is considered
17855 In other words, the connection is automatically closed approximately
17856 after @code{keepalive_interval * (keepalive_count + 1)} seconds since
17857 the last message received from the client. When @code{keepalive-count}
17858 is set to 0, connections will be automatically closed after
17859 @code{keepalive-interval} seconds of inactivity without sending any
17860 keepalive messages.
17862 Defaults to @samp{5}.
17866 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-interval
17867 Same as above but for admin interface.
17869 Defaults to @samp{5}.
17873 @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-count
17874 Same as above but for admin interface.
17876 Defaults to @samp{5}.
17880 @deftypevr {@code{libvirt-configuration} parameter} integer ovs-timeout
17881 Timeout for Open vSwitch calls.
17883 The @code{ovs-vsctl} utility is used for the configuration and its
17884 timeout option is set by default to 5 seconds to avoid potential
17885 infinite waits blocking libvirt.
17887 Defaults to @samp{5}.
17891 @c %end of autogenerated docs
17893 @subsubheading Virtlog daemon
17894 The virtlogd service is a server side daemon component of libvirt that is
17895 used to manage logs from virtual machine consoles.
17897 This daemon is not used directly by libvirt client applications, rather it
17898 is called on their behalf by @code{libvirtd}. By maintaining the logs in a
17899 standalone daemon, the main @code{libvirtd} daemon can be restarted without
17900 risk of losing logs. The @code{virtlogd} daemon has the ability to re-exec()
17901 itself upon receiving @code{SIGUSR1}, to allow live upgrades without downtime.
17903 @deffn {Scheme Variable} virtlog-service-type
17904 This is the type of the virtlog daemon.
17905 Its value must be a @code{virtlog-configuration}.
17908 (service virtlog-service-type
17909 (virtlog-configuration
17910 (max-clients 1000)))
17914 @deftypevr {@code{virtlog-configuration} parameter} integer log-level
17915 Logging level. 4 errors, 3 warnings, 2 information, 1 debug.
17917 Defaults to @samp{3}.
17921 @deftypevr {@code{virtlog-configuration} parameter} string log-filters
17924 A filter allows to select a different logging level for a given category
17925 of logs The format for a filter is one of:
17936 where @code{name} is a string which is matched against the category
17937 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
17938 file, e.g., "remote", "qemu", or "util.json" (the name in the filter can
17939 be a substring of the full category name, in order to match multiple
17940 similar categories), the optional "+" prefix tells libvirt to log stack
17941 trace for each message matching name, and @code{x} is the minimal level
17942 where matching messages should be logged:
17959 Multiple filters can be defined in a single filters statement, they just
17960 need to be separated by spaces.
17962 Defaults to @samp{"3:remote 4:event"}.
17966 @deftypevr {@code{virtlog-configuration} parameter} string log-outputs
17969 An output is one of the places to save logging information The format
17970 for an output can be:
17974 output goes to stderr
17976 @item x:syslog:name
17977 use syslog for the output and use the given name as the ident
17979 @item x:file:file_path
17980 output to a file, with the given filepath
17983 output to journald logging system
17987 In all case the x prefix is the minimal level, acting as a filter
18004 Multiple outputs can be defined, they just need to be separated by
18007 Defaults to @samp{"3:stderr"}.
18011 @deftypevr {@code{virtlog-configuration} parameter} integer max-clients
18012 Maximum number of concurrent client connections to allow over all
18015 Defaults to @samp{1024}.
18019 @deftypevr {@code{virtlog-configuration} parameter} integer max-size
18020 Maximum file size before rolling over.
18022 Defaults to @samp{2MB}
18026 @deftypevr {@code{virtlog-configuration} parameter} integer max-backups
18027 Maximum number of backup files to keep.
18029 Defaults to @samp{3}
18033 @subsubheading Transparent Emulation with QEMU
18036 @cindex @code{binfmt_misc}
18037 @code{qemu-binfmt-service-type} provides support for transparent
18038 emulation of program binaries built for different architectures---e.g.,
18039 it allows you to transparently execute an ARMv7 program on an x86_64
18040 machine. It achieves this by combining the @uref{https://www.qemu.org,
18041 QEMU} emulator and the @code{binfmt_misc} feature of the kernel Linux.
18043 @defvr {Scheme Variable} qemu-binfmt-service-type
18044 This is the type of the QEMU/binfmt service for transparent emulation.
18045 Its value must be a @code{qemu-binfmt-configuration} object, which
18046 specifies the QEMU package to use as well as the architecture we want to
18050 (service qemu-binfmt-service-type
18051 (qemu-binfmt-configuration
18052 (platforms (lookup-qemu-platforms "arm" "aarch64" "ppc"))))
18055 In this example, we enable transparent emulation for the ARM and aarch64
18056 platforms. Running @code{herd stop qemu-binfmt} turns it off, and
18057 running @code{herd start qemu-binfmt} turns it back on (@pxref{Invoking
18058 herd, the @command{herd} command,, shepherd, The GNU Shepherd Manual}).
18061 @deftp {Data Type} qemu-binfmt-configuration
18062 This is the configuration for the @code{qemu-binfmt} service.
18065 @item @code{platforms} (default: @code{'()})
18066 The list of emulated QEMU platforms. Each item must be a @dfn{platform
18067 object} as returned by @code{lookup-qemu-platforms} (see below).
18069 @item @code{guix-support?} (default: @code{#f})
18070 When it is true, QEMU and all its dependencies are added to the build
18071 environment of @command{guix-daemon} (@pxref{Invoking guix-daemon,
18072 @code{--chroot-directory} option}). This allows the @code{binfmt_misc}
18073 handlers to be used within the build environment, which in turn means
18074 that you can transparently build programs for another architecture.
18076 For example, let's suppose you're on an x86_64 machine and you have this
18080 (service qemu-binfmt-service-type
18081 (qemu-binfmt-configuration
18082 (platforms (lookup-qemu-platforms "arm"))
18083 (guix-support? #t)))
18089 guix build -s armhf-linux inkscape
18093 and it will build Inkscape for ARMv7 @emph{as if it were a native
18094 build}, transparently using QEMU to emulate the ARMv7 CPU. Pretty handy
18095 if you'd like to test a package build for an architecture you don't have
18098 @item @code{qemu} (default: @code{qemu})
18099 The QEMU package to use.
18103 @deffn {Scheme Procedure} lookup-qemu-platforms @var{platforms}@dots{}
18104 Return the list of QEMU platform objects corresponding to
18105 @var{platforms}@dots{}. @var{platforms} must be a list of strings
18106 corresponding to platform names, such as @code{"arm"}, @code{"sparc"},
18107 @code{"mips64el"}, and so on.
18110 @deffn {Scheme Procedure} qemu-platform? @var{obj}
18111 Return true if @var{obj} is a platform object.
18114 @deffn {Scheme Procedure} qemu-platform-name @var{platform}
18115 Return the name of @var{platform}---a string such as @code{"arm"}.
18118 @node Version Control Services
18119 @subsubsection Version Control Services
18121 The @code{(gnu services version-control)} module provides a service to
18122 allow remote access to local Git repositories. There are two options:
18123 the @code{git-daemon-service}, which provides access to repositories via
18124 the @code{git://} unsecured TCP-based protocol, or extending the
18125 @code{nginx} web server to proxy some requests to
18126 @code{git-http-backend}.
18128 @deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)]
18130 Return a service that runs @command{git daemon}, a simple TCP server to
18131 expose repositories over the Git protocol for anonymous access.
18133 The optional @var{config} argument should be a
18134 @code{<git-daemon-configuration>} object, by default it allows read-only
18135 access to exported@footnote{By creating the magic file
18136 "git-daemon-export-ok" in the repository directory.} repositories under
18141 @deftp {Data Type} git-daemon-configuration
18142 Data type representing the configuration for @code{git-daemon-service}.
18145 @item @code{package} (default: @var{git})
18146 Package object of the Git distributed version control system.
18148 @item @code{export-all?} (default: @var{#f})
18149 Whether to allow access for all Git repositories, even if they do not
18150 have the @file{git-daemon-export-ok} file.
18152 @item @code{base-path} (default: @file{/srv/git})
18153 Whether to remap all the path requests as relative to the given path.
18154 If you run git daemon with @var{(base-path "/srv/git")} on example.com,
18155 then if you later try to pull @code{git://example.com/hello.git}, git
18156 daemon will interpret the path as @code{/srv/git/hello.git}.
18158 @item @code{user-path} (default: @var{#f})
18159 Whether to allow @code{~user} notation to be used in requests. When
18160 specified with empty string, requests to @code{git://host/~alice/foo} is
18161 taken as a request to access @code{foo} repository in the home directory
18162 of user @code{alice}. If @var{(user-path "path")} is specified, the
18163 same request is taken as a request to access @code{path/foo} repository
18164 in the home directory of user @code{alice}.
18166 @item @code{listen} (default: @var{'()})
18167 Whether to listen on specific IP addresses or hostnames, defaults to
18170 @item @code{port} (default: @var{#f})
18171 Whether to listen on an alternative port, which defaults to 9418.
18173 @item @code{whitelist} (default: @var{'()})
18174 If not empty, only allow access to this list of directories.
18176 @item @code{extra-options} (default: @var{'()})
18177 Extra options will be passed to @code{git daemon}, please run
18178 @command{man git-daemon} for more information.
18183 The @code{git://} protocol lacks authentication. When you pull from a
18184 repository fetched via @code{git://}, you don't know that the data you
18185 receive was modified is really coming from the specified host, and you
18186 have your connection is subject to eavesdropping. It's better to use an
18187 authenticated and encrypted transport, such as @code{https}. Although Git allows you
18188 to serve repositories using unsophisticated file-based web servers,
18189 there is a faster protocol implemented by the @code{git-http-backend}
18190 program. This program is the back-end of a proper Git web service. It
18191 is designed to sit behind a FastCGI proxy. @xref{Web Services}, for more
18192 on running the necessary @code{fcgiwrap} daemon.
18194 Guix has a separate configuration data type for serving Git repositories
18197 @deftp {Data Type} git-http-configuration
18198 Data type representing the configuration for @code{git-http-service}.
18201 @item @code{package} (default: @var{git})
18202 Package object of the Git distributed version control system.
18204 @item @code{git-root} (default: @file{/srv/git})
18205 Directory containing the Git repositories to expose to the world.
18207 @item @code{export-all?} (default: @var{#f})
18208 Whether to expose access for all Git repositories in @var{git-root},
18209 even if they do not have the @file{git-daemon-export-ok} file.
18211 @item @code{uri-path} (default: @file{/git/})
18212 Path prefix for Git access. With the default @code{/git/} prefix, this
18213 will map @code{http://@var{server}/git/@var{repo}.git} to
18214 @code{/srv/git/@var{repo}.git}. Requests whose URI paths do not begin
18215 with this prefix are not passed on to this Git instance.
18217 @item @code{fcgiwrap-socket} (default: @code{127.0.0.1:9000})
18218 The socket on which the @code{fcgiwrap} daemon is listening. @xref{Web
18223 There is no @code{git-http-service-type}, currently; instead you can
18224 create an @code{nginx-location-configuration} from a
18225 @code{git-http-configuration} and then add that location to a web
18228 @deffn {Scheme Procedure} git-http-nginx-location-configuration @
18229 [config=(git-http-configuration)]
18230 Compute an @code{nginx-location-configuration} that corresponds to the
18231 given Git http configuration. An example nginx service definition to
18232 serve the default @file{/srv/git} over HTTPS might be:
18235 (service nginx-service-type
18236 (nginx-configuration
18239 (nginx-server-configuration
18240 (listen '("443 ssl"))
18241 (server-name "git.my-host.org")
18243 "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
18244 (ssl-certificate-key
18245 "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
18248 (git-http-nginx-location-configuration
18249 (git-http-configuration (uri-path "/"))))))))))
18252 This example assumes that you are using Let's Encrypt to get your TLS
18253 certificate. @xref{Certificate Services}. The default @code{certbot}
18254 service will redirect all HTTP traffic on @code{git.my-host.org} to
18255 HTTPS. You will also need to add an @code{fcgiwrap} proxy to your
18256 system services. @xref{Web Services}.
18259 @node Game Services
18260 @subsubsection Game Services
18262 @subsubheading The Battle for Wesnoth Service
18264 @uref{https://wesnoth.org, The Battle for Wesnoth} is a fantasy, turn
18265 based tactical strategy game, with several single player campaigns, and
18266 multiplayer games (both networked and local).
18268 @defvar {Scheme Variable} wesnothd-service-type
18269 Service type for the wesnothd service. Its value must be a
18270 @code{wesnothd-configuration} object. To run wesnothd in the default
18271 configuration, instantiate it as:
18274 (service wesnothd-service-type)
18278 @deftp {Data Type} wesnothd-configuration
18279 Data type representing the configuration of @command{wesnothd}.
18282 @item @code{package} (default: @code{wesnoth-server})
18283 The wesnoth server package to use.
18285 @item @code{port} (default: @code{15000})
18286 The port to bind the server to.
18290 @node Miscellaneous Services
18291 @subsubsection Miscellaneous Services
18294 @subsubheading System Control Service
18296 The @code{(gnu services sysctl)} provides a service to configure kernel
18297 parameters at boot.
18299 @defvr {Scheme Variable} sysctl-service-type
18300 The service type for @command{sysctl}, which modifies kernel parameters
18301 under @file{/proc/sys/}. To enable IPv4 forwarding, it can be
18305 (service sysctl-service-type
18306 (sysctl-configuration
18307 (settings '(("net.ipv4.ip_forward" . "1")))))
18311 @deftp {Data Type} sysctl-configuration
18312 The data type representing the configuration of @command{sysctl}.
18315 @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"})
18316 The @command{sysctl} executable to use.
18318 @item @code{settings} (default: @code{'()})
18319 An association list specifies kernel parameters and their values.
18324 @subsubheading Lirc Service
18326 The @code{(gnu services lirc)} module provides the following service.
18328 @deffn {Scheme Procedure} lirc-service [#:lirc lirc] @
18329 [#:device #f] [#:driver #f] [#:config-file #f] @
18330 [#:extra-options '()]
18331 Return a service that runs @url{http://www.lirc.org,LIRC}, a daemon that
18332 decodes infrared signals from remote controls.
18334 Optionally, @var{device}, @var{driver} and @var{config-file}
18335 (configuration file name) may be specified. See @command{lircd} manual
18338 Finally, @var{extra-options} is a list of additional command-line options
18339 passed to @command{lircd}.
18343 @subsubheading Spice Service
18345 The @code{(gnu services spice)} module provides the following service.
18347 @deffn {Scheme Procedure} spice-vdagent-service [#:spice-vdagent]
18348 Returns a service that runs @url{http://www.spice-space.org,VDAGENT}, a daemon
18349 that enables sharing the clipboard with a vm and setting the guest display
18350 resolution when the graphical console window resizes.
18353 @subsubsection Dictionary Services
18355 The @code{(gnu services dict)} module provides the following service:
18357 @deffn {Scheme Procedure} dicod-service [#:config (dicod-configuration)]
18358 Return a service that runs the @command{dicod} daemon, an implementation
18359 of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}).
18361 The optional @var{config} argument specifies the configuration for
18362 @command{dicod}, which should be a @code{<dicod-configuration>} object, by
18363 default it serves the GNU Collaborative International Dictonary of English.
18365 You can add @command{open localhost} to your @file{~/.dico} file to make
18366 @code{localhost} the default server for @command{dico} client
18367 (@pxref{Initialization File,,, dico, GNU Dico Manual}).
18370 @deftp {Data Type} dicod-configuration
18371 Data type representing the configuration of dicod.
18374 @item @code{dico} (default: @var{dico})
18375 Package object of the GNU Dico dictionary server.
18377 @item @code{interfaces} (default: @var{'("localhost")})
18378 This is the list of IP addresses and ports and possibly socket file
18379 names to listen to (@pxref{Server Settings, @code{listen} directive,,
18380 dico, GNU Dico Manual}).
18382 @item @code{handlers} (default: @var{'()})
18383 List of @code{<dicod-handler>} objects denoting handlers (module instances).
18385 @item @code{databases} (default: @var{(list %dicod-database:gcide)})
18386 List of @code{<dicod-database>} objects denoting dictionaries to be served.
18390 @deftp {Data Type} dicod-handler
18391 Data type representing a dictionary handler (module instance).
18395 Name of the handler (module instance).
18397 @item @code{module} (default: @var{#f})
18398 Name of the dicod module of the handler (instance). If it is @code{#f},
18399 the module has the same name as the handler.
18400 (@pxref{Modules,,, dico, GNU Dico Manual}).
18402 @item @code{options}
18403 List of strings or gexps representing the arguments for the module handler
18407 @deftp {Data Type} dicod-database
18408 Data type representing a dictionary database.
18412 Name of the database, will be used in DICT commands.
18414 @item @code{handler}
18415 Name of the dicod handler (module instance) used by this database
18416 (@pxref{Handlers,,, dico, GNU Dico Manual}).
18418 @item @code{complex?} (default: @var{#f})
18419 Whether the database configuration complex. The complex configuration
18420 will need a corresponding @code{<dicod-handler>} object, otherwise not.
18422 @item @code{options}
18423 List of strings or gexps representing the arguments for the database
18424 (@pxref{Databases,,, dico, GNU Dico Manual}).
18428 @defvr {Scheme Variable} %dicod-database:gcide
18429 A @code{<dicod-database>} object serving the GNU Collaborative International
18430 Dictionary of English using the @code{gcide} package.
18433 The following is an example @code{dicod-service} configuration.
18436 (dicod-service #:config
18437 (dicod-configuration
18438 (handlers (list (dicod-handler
18442 (list #~(string-append "dbdir=" #$wordnet))))))
18443 (databases (list (dicod-database
18446 (handler "wordnet")
18447 (options '("database=wn")))
18448 %dicod-database:gcide))))
18452 @subsubheading Cgit Service
18454 @cindex Cgit service
18455 @cindex Git, web interface
18456 @uref{https://git.zx2c4.com/cgit/, Cgit} is a web frontend for Git
18457 repositories written in C.
18459 The following example will configure the service with default values.
18460 By default, Cgit can be accessed on port 80 (@code{http://localhost:80}).
18463 (service cgit-service-type)
18466 @deftp {Data Type} cgit-configuration
18467 Data type representing the configuration of Cgit.
18468 This type has the following parameters:
18471 @item @code{config-file} (default: @code{(cgit-configuration-file)})
18472 The configuration file to use for Cgit. This can be set to a
18473 @dfn{cgit-configuration-file} record value, or any gexp
18474 (@pxref{G-Expressions}).
18476 For example, to instead use a local file, the @code{local-file} function
18480 (service cgit-service-type
18481 (cgit-configuration
18482 (config-file (local-file "./my-cgitrc.conf"))))
18485 @item @code{package} (default: @code{cgit})
18486 The Cgit package to use.
18491 @deftp {Data Type} cgit-configuration-file
18492 Data type representing the configuration options for Cgit.
18493 This type has the following parameters:
18496 @item @code{css} (default: @code{"/share/cgit/cgit.css"})
18497 URL which specifies the css document to include in all Cgit pages.
18499 @item @code{logo} (default: @code{"/share/cgit/cgit.png"})
18500 URL which specifies the source of an image which will be used as a logo
18503 @item @code{virtual-root} (default: @code{"/"})
18504 URL which, if specified, will be used as root for all Cgit links.
18506 @item @code{repository-directory} (default: @code{"/srv/git"})
18507 Name of the directory to scan for repositories.
18509 @item @code{robots} (default: @code{(list "noindex" "nofollow")})
18510 Text used as content for the ``robots'' meta-tag.
18515 @node Setuid Programs
18516 @subsection Setuid Programs
18518 @cindex setuid programs
18519 Some programs need to run with ``root'' privileges, even when they are
18520 launched by unprivileged users. A notorious example is the
18521 @command{passwd} program, which users can run to change their
18522 password, and which needs to access the @file{/etc/passwd} and
18523 @file{/etc/shadow} files---something normally restricted to root, for
18524 obvious security reasons. To address that, these executables are
18525 @dfn{setuid-root}, meaning that they always run with root privileges
18526 (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
18527 for more info about the setuid mechanism.)
18529 The store itself @emph{cannot} contain setuid programs: that would be a
18530 security issue since any user on the system can write derivations that
18531 populate the store (@pxref{The Store}). Thus, a different mechanism is
18532 used: instead of changing the setuid bit directly on files that are in
18533 the store, we let the system administrator @emph{declare} which programs
18534 should be setuid root.
18536 The @code{setuid-programs} field of an @code{operating-system}
18537 declaration contains a list of G-expressions denoting the names of
18538 programs to be setuid-root (@pxref{Using the Configuration System}).
18539 For instance, the @command{passwd} program, which is part of the Shadow
18540 package, can be designated by this G-expression (@pxref{G-Expressions}):
18543 #~(string-append #$shadow "/bin/passwd")
18546 A default set of setuid programs is defined by the
18547 @code{%setuid-programs} variable of the @code{(gnu system)} module.
18549 @defvr {Scheme Variable} %setuid-programs
18550 A list of G-expressions denoting common programs that are setuid-root.
18552 The list includes commands such as @command{passwd}, @command{ping},
18553 @command{su}, and @command{sudo}.
18556 Under the hood, the actual setuid programs are created in the
18557 @file{/run/setuid-programs} directory at system activation time. The
18558 files in this directory refer to the ``real'' binaries, which are in the
18561 @node X.509 Certificates
18562 @subsection X.509 Certificates
18564 @cindex HTTPS, certificates
18565 @cindex X.509 certificates
18567 Web servers available over HTTPS (that is, HTTP over the transport-layer
18568 security mechanism, TLS) send client programs an @dfn{X.509 certificate}
18569 that the client can then use to @emph{authenticate} the server. To do
18570 that, clients verify that the server's certificate is signed by a
18571 so-called @dfn{certificate authority} (CA). But to verify the CA's
18572 signature, clients must have first acquired the CA's certificate.
18574 Web browsers such as GNU@tie{}IceCat include their own set of CA
18575 certificates, such that they are able to verify CA signatures
18578 However, most other programs that can talk HTTPS---@command{wget},
18579 @command{git}, @command{w3m}, etc.---need to be told where CA
18580 certificates can be found.
18582 @cindex @code{nss-certs}
18583 In GuixSD, this is done by adding a package that provides certificates
18584 to the @code{packages} field of the @code{operating-system} declaration
18585 (@pxref{operating-system Reference}). GuixSD includes one such package,
18586 @code{nss-certs}, which is a set of CA certificates provided as part of
18587 Mozilla's Network Security Services.
18589 Note that it is @emph{not} part of @var{%base-packages}, so you need to
18590 explicitly add it. The @file{/etc/ssl/certs} directory, which is where
18591 most applications and libraries look for certificates by default, points
18592 to the certificates installed globally.
18594 Unprivileged users, including users of Guix on a foreign distro,
18595 can also install their own certificate package in
18596 their profile. A number of environment variables need to be defined so
18597 that applications and libraries know where to find them. Namely, the
18598 OpenSSL library honors the @code{SSL_CERT_DIR} and @code{SSL_CERT_FILE}
18599 variables. Some applications add their own environment variables; for
18600 instance, the Git version control system honors the certificate bundle
18601 pointed to by the @code{GIT_SSL_CAINFO} environment variable. Thus, you
18602 would typically run something like:
18605 $ guix package -i nss-certs
18606 $ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
18607 $ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
18608 $ export GIT_SSL_CAINFO="$SSL_CERT_FILE"
18611 As another example, R requires the @code{CURL_CA_BUNDLE} environment
18612 variable to point to a certificate bundle, so you would have to run
18613 something like this:
18616 $ guix package -i nss-certs
18617 $ export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
18620 For other applications you may want to look up the required environment
18621 variable in the relevant documentation.
18624 @node Name Service Switch
18625 @subsection Name Service Switch
18627 @cindex name service switch
18629 The @code{(gnu system nss)} module provides bindings to the
18630 configuration file of the libc @dfn{name service switch} or @dfn{NSS}
18631 (@pxref{NSS Configuration File,,, libc, The GNU C Library Reference
18632 Manual}). In a nutshell, the NSS is a mechanism that allows libc to be
18633 extended with new ``name'' lookup methods for system databases, which
18634 includes host names, service names, user accounts, and more (@pxref{Name
18635 Service Switch, System Databases and Name Service Switch,, libc, The GNU
18636 C Library Reference Manual}).
18638 The NSS configuration specifies, for each system database, which lookup
18639 method is to be used, and how the various methods are chained
18640 together---for instance, under which circumstances NSS should try the
18641 next method in the list. The NSS configuration is given in the
18642 @code{name-service-switch} field of @code{operating-system} declarations
18643 (@pxref{operating-system Reference, @code{name-service-switch}}).
18646 @cindex .local, host name lookup
18647 As an example, the declaration below configures the NSS to use the
18648 @uref{http://0pointer.de/lennart/projects/nss-mdns/, @code{nss-mdns}
18649 back-end}, which supports host name lookups over multicast DNS (mDNS)
18650 for host names ending in @code{.local}:
18653 (name-service-switch
18654 (hosts (list %files ;first, check /etc/hosts
18656 ;; If the above did not succeed, try
18657 ;; with 'mdns_minimal'.
18659 (name "mdns_minimal")
18661 ;; 'mdns_minimal' is authoritative for
18662 ;; '.local'. When it returns "not found",
18663 ;; no need to try the next methods.
18664 (reaction (lookup-specification
18665 (not-found => return))))
18667 ;; Then fall back to DNS.
18671 ;; Finally, try with the "full" 'mdns'.
18676 Do not worry: the @code{%mdns-host-lookup-nss} variable (see below)
18677 contains this configuration, so you will not have to type it if all you
18678 want is to have @code{.local} host lookup working.
18680 Note that, in this case, in addition to setting the
18681 @code{name-service-switch} of the @code{operating-system} declaration,
18682 you also need to use @code{avahi-service} (@pxref{Networking Services,
18683 @code{avahi-service}}), or @var{%desktop-services}, which includes it
18684 (@pxref{Desktop Services}). Doing this makes @code{nss-mdns} accessible
18685 to the name service cache daemon (@pxref{Base Services,
18686 @code{nscd-service}}).
18688 For convenience, the following variables provide typical NSS
18691 @defvr {Scheme Variable} %default-nss
18692 This is the default name service switch configuration, a
18693 @code{name-service-switch} object.
18696 @defvr {Scheme Variable} %mdns-host-lookup-nss
18697 This is the name service switch configuration with support for host name
18698 lookup over multicast DNS (mDNS) for host names ending in @code{.local}.
18701 The reference for name service switch configuration is given below. It
18702 is a direct mapping of the configuration file format of the C library , so
18703 please refer to the C library manual for more information (@pxref{NSS
18704 Configuration File,,, libc, The GNU C Library Reference Manual}).
18705 Compared to the configuration file format of libc NSS, it has the advantage
18706 not only of adding this warm parenthetic feel that we like, but also
18707 static checks: you will know about syntax errors and typos as soon as you
18708 run @command{guix system}.
18710 @deftp {Data Type} name-service-switch
18712 This is the data type representation the configuration of libc's name
18713 service switch (NSS). Each field below represents one of the supported
18730 The system databases handled by the NSS. Each of these fields must be a
18731 list of @code{<name-service>} objects (see below).
18735 @deftp {Data Type} name-service
18737 This is the data type representing an actual name service and the
18738 associated lookup action.
18742 A string denoting the name service (@pxref{Services in the NSS
18743 configuration,,, libc, The GNU C Library Reference Manual}).
18745 Note that name services listed here must be visible to nscd. This is
18746 achieved by passing the @code{#:name-services} argument to
18747 @code{nscd-service} the list of packages providing the needed name
18748 services (@pxref{Base Services, @code{nscd-service}}).
18751 An action specified using the @code{lookup-specification} macro
18752 (@pxref{Actions in the NSS configuration,,, libc, The GNU C Library
18753 Reference Manual}). For example:
18756 (lookup-specification (unavailable => continue)
18757 (success => return))
18762 @node Initial RAM Disk
18763 @subsection Initial RAM Disk
18766 @cindex initial RAM disk
18767 For bootstrapping purposes, the Linux-Libre kernel is passed an
18768 @dfn{initial RAM disk}, or @dfn{initrd}. An initrd contains a temporary
18769 root file system as well as an initialization script. The latter is
18770 responsible for mounting the real root file system, and for loading any
18771 kernel modules that may be needed to achieve that.
18773 The @code{initrd} field of an @code{operating-system} declaration allows
18774 you to specify which initrd you would like to use. The @code{(gnu
18775 system linux-initrd)} module provides three ways to build an initrd: the
18776 high-level @code{base-initrd} procedure and the low-level
18777 @code{raw-initrd} and @code{expression->initrd} procedures.
18779 The @code{base-initrd} procedure is intended to cover most common uses.
18780 For example, if you want to add a bunch of kernel modules to be loaded
18781 at boot time, you can define the @code{initrd} field of the operating
18782 system declaration like this:
18785 (initrd (lambda (file-systems . rest)
18786 ;; Create a standard initrd that has modules "foo.ko"
18787 ;; and "bar.ko", as well as their dependencies, in
18788 ;; addition to the modules available by default.
18789 (apply base-initrd file-systems
18790 #:extra-modules '("foo" "bar")
18794 The @code{base-initrd} procedure also handles common use cases that
18795 involves using the system as a QEMU guest, or as a ``live'' system with
18796 volatile root file system.
18798 The @code{base-initrd} procedure is built from @code{raw-initrd} procedure.
18799 Unlike @code{base-initrd}, @code{raw-initrd} doesn't do anything high-level,
18800 such as trying to guess which kernel modules and packages should be included
18801 to the initrd. An example use of @code{raw-initrd} is when a user has
18802 a custom Linux kernel configuration and default kernel modules included by
18803 @code{base-initrd} are not available.
18805 The initial RAM disk produced by @code{base-initrd} or @code{raw-initrd}
18806 honors several options passed on the Linux kernel command line
18807 (that is, arguments passed @i{via} the @code{linux} command of GRUB, or the
18808 @code{-append} option of QEMU), notably:
18811 @item --load=@var{boot}
18812 Tell the initial RAM disk to load @var{boot}, a file containing a Scheme
18813 program, once it has mounted the root file system.
18815 GuixSD uses this option to yield control to a boot program that runs the
18816 service activation programs and then spawns the GNU@tie{}Shepherd, the
18817 initialization system.
18819 @item --root=@var{root}
18820 Mount @var{root} as the root file system. @var{root} can be a
18821 device name like @code{/dev/sda1}, a file system label, or a file system
18824 @item --system=@var{system}
18825 Have @file{/run/booted-system} and @file{/run/current-system} point to
18828 @item modprobe.blacklist=@var{modules}@dots{}
18829 @cindex module, black-listing
18830 @cindex black list, of kernel modules
18831 Instruct the initial RAM disk as well as the @command{modprobe} command
18832 (from the kmod package) to refuse to load @var{modules}. @var{modules}
18833 must be a comma-separated list of module names---e.g.,
18834 @code{usbkbd,9pnet}.
18837 Start a read-eval-print loop (REPL) from the initial RAM disk before it
18838 tries to load kernel modules and to mount the root file system. Our
18839 marketing team calls it @dfn{boot-to-Guile}. The Schemer in you will
18840 love it. @xref{Using Guile Interactively,,, guile, GNU Guile Reference
18841 Manual}, for more information on Guile's REPL.
18845 Now that you know all the features that initial RAM disks produced by
18846 @code{base-initrd} and @code{raw-initrd} provide,
18847 here is how to use it and customize it further.
18850 @cindex initial RAM disk
18851 @deffn {Monadic Procedure} raw-initrd @var{file-systems} @
18852 [#:linux-modules '()] [#:mapped-devices '()] @
18853 [#:helper-packages '()] [#:qemu-networking? #f] [#:volatile-root? #f]
18854 Return a monadic derivation that builds a raw initrd. @var{file-systems} is
18855 a list of file systems to be mounted by the initrd, possibly in addition to
18856 the root file system specified on the kernel command line via @code{--root}.
18857 @var{linux-modules} is a list of kernel modules to be loaded at boot time.
18858 @var{mapped-devices} is a list of device mappings to realize before
18859 @var{file-systems} are mounted (@pxref{Mapped Devices}).
18860 @var{helper-packages} is a list of packages to be copied in the initrd. It may
18861 include @code{e2fsck/static} or other packages needed by the initrd to check
18862 the root file system.
18864 When @var{qemu-networking?} is true, set up networking with the standard QEMU
18865 parameters. When @var{virtio?} is true, load additional modules so that the
18866 initrd can be used as a QEMU guest with para-virtualized I/O drivers.
18868 When @var{volatile-root?} is true, the root file system is writable but any changes
18872 @deffn {Monadic Procedure} base-initrd @var{file-systems} @
18873 [#:mapped-devices '()] [#:qemu-networking? #f] [#:volatile-root? #f]@
18874 [#:virtio? #t] [#:extra-modules '()]
18875 Return a monadic derivation that builds a generic initrd. @var{file-systems} is
18876 a list of file systems to be mounted by the initrd like for @code{raw-initrd}.
18877 @var{mapped-devices}, @var{qemu-networking?} and @var{volatile-root?}
18878 also behaves as in @code{raw-initrd}.
18880 When @var{virtio?} is true, load additional modules so that the
18881 initrd can be used as a QEMU guest with para-virtualized I/O drivers.
18883 The initrd is automatically populated with all the kernel modules necessary
18884 for @var{file-systems} and for the given options. However, additional kernel
18885 modules can be listed in @var{extra-modules}. They will be added to the initrd, and
18886 loaded at boot time in the order in which they appear.
18889 Needless to say, the initrds we produce and use embed a
18890 statically-linked Guile, and the initialization program is a Guile
18891 program. That gives a lot of flexibility. The
18892 @code{expression->initrd} procedure builds such an initrd, given the
18893 program to run in that initrd.
18895 @deffn {Monadic Procedure} expression->initrd @var{exp} @
18896 [#:guile %guile-static-stripped] [#:name "guile-initrd"]
18897 Return a derivation that builds a Linux initrd (a gzipped cpio archive)
18898 containing @var{guile} and that evaluates @var{exp}, a G-expression,
18899 upon booting. All the derivations referenced by @var{exp} are
18900 automatically copied to the initrd.
18903 @node Bootloader Configuration
18904 @subsection Bootloader Configuration
18907 @cindex boot loader
18909 The operating system supports multiple bootloaders. The bootloader is
18910 configured using @code{bootloader-configuration} declaration. All the
18911 fields of this structure are bootloader agnostic except for one field,
18912 @code{bootloader} that indicates the bootloader to be configured and
18915 Some of the bootloaders do not honor every field of
18916 @code{bootloader-configuration}. For instance, the extlinux
18917 bootloader does not support themes and thus ignores the @code{theme}
18920 @deftp {Data Type} bootloader-configuration
18921 The type of a bootloader configuration declaration.
18925 @item @code{bootloader}
18926 @cindex EFI, bootloader
18927 @cindex UEFI, bootloader
18928 @cindex BIOS, bootloader
18929 The bootloader to use, as a @code{bootloader} object. For now
18930 @code{grub-bootloader}, @code{grub-efi-bootloader},
18931 @code{extlinux-bootloader} and @code{u-boot-bootloader} are supported.
18932 @code{grub-efi-bootloader} allows to boot on modern systems using the
18933 @dfn{Unified Extensible Firmware Interface} (UEFI).
18935 Available bootloaders are described in @code{(gnu bootloader @dots{})}
18938 @item @code{target}
18939 This is a string denoting the target onto which to install the
18940 bootloader. The exact interpretation depends on the bootloader in
18941 question; for @code{grub-bootloader}, for example, it should be a device
18942 name understood by the bootloader @command{installer} command, such as
18943 @code{/dev/sda} or @code{(hd0)} (for GRUB, @pxref{Invoking
18944 grub-install,,, grub, GNU GRUB Manual}). For
18945 @code{grub-efi-bootloader}, it should be the path to a mounted EFI file
18948 @item @code{menu-entries} (default: @code{()})
18949 A possibly empty list of @code{menu-entry} objects (see below), denoting
18950 entries to appear in the bootloader menu, in addition to the current
18951 system entry and the entry pointing to previous system generations.
18953 @item @code{default-entry} (default: @code{0})
18954 The index of the default boot menu entry. Index 0 is for the entry of the
18957 @item @code{timeout} (default: @code{5})
18958 The number of seconds to wait for keyboard input before booting. Set to
18959 0 to boot immediately, and to -1 to wait indefinitely.
18961 @item @code{theme} (default: @var{#f})
18962 The bootloader theme object describing the theme to use. If no theme
18963 is provided, some bootloaders might use a default theme, that's true
18966 @item @code{terminal-outputs} (default: @code{'gfxterm})
18967 The output terminals used for the bootloader boot menu, as a list of
18968 symbols. GRUB accepts the values: @code{console}, @code{serial},
18969 @code{serial_@{0-3@}}, @code{gfxterm}, @code{vga_text},
18970 @code{mda_text}, @code{morse}, and @code{pkmodem}. This field
18971 corresponds to the GRUB variable GRUB_TERMINAL_OUTPUT (@pxref{Simple
18972 configuration,,, grub,GNU GRUB manual}).
18974 @item @code{terminal-inputs} (default: @code{'()})
18975 The input terminals used for the bootloader boot menu, as a list of
18976 symbols. For GRUB, the default is the native platform terminal as
18977 determined at run-time. GRUB accepts the values: @code{console},
18978 @code{serial}, @code{serial_@{0-3@}}, @code{at_keyboard}, and
18979 @code{usb_keyboard}. This field corresponds to the GRUB variable
18980 GRUB_TERMINAL_INPUT (@pxref{Simple configuration,,, grub,GNU GRUB
18983 @item @code{serial-unit} (default: @code{#f})
18984 The serial unit used by the bootloader, as an integer from 0 to 3.
18985 For GRUB, it is chosen at run-time; currently GRUB chooses 0, which
18986 corresponds to COM1 (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
18988 @item @code{serial-speed} (default: @code{#f})
18989 The speed of the serial interface, as an integer. For GRUB, the
18990 default value is chosen at run-time; currently GRUB chooses
18991 9600@tie{}bps (@pxref{Serial terminal,,, grub,GNU GRUB manual}).
18998 Should you want to list additional boot menu entries @i{via} the
18999 @code{menu-entries} field above, you will need to create them with the
19000 @code{menu-entry} form. For example, imagine you want to be able to
19001 boot another distro (hard to imagine!), you can define a menu entry
19006 (label "The Other Distro")
19007 (linux "/boot/old/vmlinux-2.6.32")
19008 (linux-arguments '("root=/dev/sda2"))
19009 (initrd "/boot/old/initrd"))
19014 @deftp {Data Type} menu-entry
19015 The type of an entry in the bootloader menu.
19020 The label to show in the menu---e.g., @code{"GNU"}.
19023 The Linux kernel image to boot, for example:
19026 (file-append linux-libre "/bzImage")
19029 For GRUB, it is also possible to specify a device explicitly in the
19030 file path using GRUB's device naming convention (@pxref{Naming
19031 convention,,, grub, GNU GRUB manual}), for example:
19034 "(hd0,msdos1)/boot/vmlinuz"
19037 If the device is specified explicitly as above, then the @code{device}
19038 field is ignored entirely.
19040 @item @code{linux-arguments} (default: @code{()})
19041 The list of extra Linux kernel command-line arguments---e.g.,
19042 @code{("console=ttyS0")}.
19044 @item @code{initrd}
19045 A G-Expression or string denoting the file name of the initial RAM disk
19046 to use (@pxref{G-Expressions}).
19047 @item @code{device} (default: @code{#f})
19048 The device where the kernel and initrd are to be found---i.e., for GRUB,
19049 @dfn{root} for this menu entry (@pxref{root,,, grub, GNU GRUB manual}).
19051 This may be a file system label (a string), a file system UUID (a
19052 bytevector, @pxref{File Systems}), or @code{#f}, in which case
19053 the bootloader will search the device containing the file specified by
19054 the @code{linux} field (@pxref{search,,, grub, GNU GRUB manual}). It
19055 must @emph{not} be an OS device name such as @file{/dev/sda1}.
19060 @c FIXME: Write documentation once it's stable.
19061 Fow now only GRUB has theme support. GRUB themes are created using
19062 the @code{grub-theme} form, which is not documented yet.
19064 @defvr {Scheme Variable} %default-theme
19065 This is the default GRUB theme used by the operating system if no
19066 @code{theme} field is specified in @code{bootloader-configuration}
19069 It comes with a fancy background image displaying the GNU and Guix
19074 @node Invoking guix system
19075 @subsection Invoking @code{guix system}
19077 Once you have written an operating system declaration as seen in the
19078 previous section, it can be @dfn{instantiated} using the @command{guix
19079 system} command. The synopsis is:
19082 guix system @var{options}@dots{} @var{action} @var{file}
19085 @var{file} must be the name of a file containing an
19086 @code{operating-system} declaration. @var{action} specifies how the
19087 operating system is instantiated. Currently the following values are
19092 Display available service type definitions that match the given regular
19093 expressions, sorted by relevance:
19096 $ guix system search console font
19097 name: console-fonts
19098 location: gnu/services/base.scm:729:2
19099 extends: shepherd-root
19100 description: Install the given fonts on the specified ttys (fonts are
19101 + per virtual console on GNU/Linux). The value of this service is a list
19102 + of tty/font pairs like:
19104 + '(("tty1" . "LatGrkCyr-8x16"))
19108 location: gnu/services/base.scm:1048:2
19109 extends: shepherd-root
19110 description: Provide console login using the `mingetty' program.
19114 location: gnu/services/base.scm:775:2
19116 description: Provide a console log-in service as specified by its
19117 + configuration value, a `login-configuration' object.
19123 As for @command{guix package --search}, the result is written in
19124 @code{recutils} format, which makes it easy to filter the output
19125 (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}).
19128 Build the operating system described in @var{file}, activate it, and
19129 switch to it@footnote{This action (and the related actions
19130 @code{switch-generation} and @code{roll-back}) are usable only on
19131 systems already running GuixSD.}.
19133 This effects all the configuration specified in @var{file}: user
19134 accounts, system services, global package list, setuid programs, etc.
19135 The command starts system services specified in @var{file} that are not
19136 currently running; if a service is currently running, it does not
19137 attempt to upgrade it since this would not be possible without stopping it
19140 This command creates a new generation whose number is one greater than
19141 the current generation (as reported by @command{guix system
19142 list-generations}). If that generation already exists, it will be
19143 overwritten. This behavior mirrors that of @command{guix package}
19144 (@pxref{Invoking guix package}).
19146 It also adds a bootloader menu entry for the new OS configuration,
19147 ---unless @option{--no-bootloader} is passed. For GRUB, it moves
19148 entries for older configurations to a submenu, allowing you to choose
19149 an older system generation at boot time should you need it.
19152 @c The paragraph below refers to the problem discussed at
19153 @c <http://lists.gnu.org/archive/html/guix-devel/2014-08/msg00057.html>.
19154 It is highly recommended to run @command{guix pull} once before you run
19155 @command{guix system reconfigure} for the first time (@pxref{Invoking
19156 guix pull}). Failing to do that you would see an older version of Guix
19157 once @command{reconfigure} has completed.
19160 @item switch-generation
19161 @cindex generations
19162 Switch to an existing system generation. This action atomically
19163 switches the system profile to the specified system generation. It
19164 also rearranges the system's existing bootloader menu entries. It
19165 makes the menu entry for the specified system generation the default,
19166 and it moves the entries for the other generatiors to a submenu, if
19167 supported by the bootloader being used. The next time the system
19168 boots, it will use the specified system generation.
19170 The bootloader itself is not being reinstalled when using this
19171 command. Thus, the installed bootloader is used with an updated
19172 configuration file.
19174 The target generation can be specified explicitly by its generation
19175 number. For example, the following invocation would switch to system
19179 guix system switch-generation 7
19182 The target generation can also be specified relative to the current
19183 generation with the form @code{+N} or @code{-N}, where @code{+3} means
19184 ``3 generations ahead of the current generation,'' and @code{-1} means
19185 ``1 generation prior to the current generation.'' When specifying a
19186 negative value such as @code{-1}, you must precede it with @code{--} to
19187 prevent it from being parsed as an option. For example:
19190 guix system switch-generation -- -1
19193 Currently, the effect of invoking this action is @emph{only} to switch
19194 the system profile to an existing generation and rearrange the
19195 bootloader menu entries. To actually start using the target system
19196 generation, you must reboot after running this action. In the future,
19197 it will be updated to do the same things as @command{reconfigure},
19198 like activating and deactivating services.
19200 This action will fail if the specified generation does not exist.
19203 @cindex rolling back
19204 Switch to the preceding system generation. The next time the system
19205 boots, it will use the preceding system generation. This is the inverse
19206 of @command{reconfigure}, and it is exactly the same as invoking
19207 @command{switch-generation} with an argument of @code{-1}.
19209 Currently, as with @command{switch-generation}, you must reboot after
19210 running this action to actually start using the preceding system
19214 Build the derivation of the operating system, which includes all the
19215 configuration files and programs needed to boot and run the system.
19216 This action does not actually install anything.
19219 Populate the given directory with all the files necessary to run the
19220 operating system specified in @var{file}. This is useful for first-time
19221 installations of GuixSD. For instance:
19224 guix system init my-os-config.scm /mnt
19227 copies to @file{/mnt} all the store items required by the configuration
19228 specified in @file{my-os-config.scm}. This includes configuration
19229 files, packages, and so on. It also creates other essential files
19230 needed for the system to operate correctly---e.g., the @file{/etc},
19231 @file{/var}, and @file{/run} directories, and the @file{/bin/sh} file.
19233 This command also installs bootloader on the target specified in
19234 @file{my-os-config}, unless the @option{--no-bootloader} option was
19238 @cindex virtual machine
19240 @anchor{guix system vm}
19241 Build a virtual machine that contains the operating system declared in
19242 @var{file}, and return a script to run that virtual machine (VM).
19243 Arguments given to the script are passed to QEMU as in the example
19244 below, which enables networking and requests 1@tie{}GiB of RAM for the
19248 $ /gnu/store/@dots{}-run-vm.sh -m 1024 -net user
19251 The VM shares its store with the host system.
19253 Additional file systems can be shared between the host and the VM using
19254 the @code{--share} and @code{--expose} command-line options: the former
19255 specifies a directory to be shared with write access, while the latter
19256 provides read-only access to the shared directory.
19258 The example below creates a VM in which the user's home directory is
19259 accessible read-only, and where the @file{/exchange} directory is a
19260 read-write mapping of @file{$HOME/tmp} on the host:
19263 guix system vm my-config.scm \
19264 --expose=$HOME --share=$HOME/tmp=/exchange
19267 On GNU/Linux, the default is to boot directly to the kernel; this has
19268 the advantage of requiring only a very tiny root disk image since the
19269 store of the host can then be mounted.
19271 The @code{--full-boot} option forces a complete boot sequence, starting
19272 with the bootloader. This requires more disk space since a root image
19273 containing at least the kernel, initrd, and bootloader data files must
19274 be created. The @code{--image-size} option can be used to specify the
19279 Return a virtual machine or disk image of the operating system declared
19280 in @var{file} that stands alone. By default, @command{guix system}
19281 estimates the size of the image needed to store the system, but you can
19282 use the @option{--image-size} option to specify a value.
19284 You can specify the root file system type by using the
19285 @option{--file-system-type} option. It defaults to @code{ext4}.
19287 When using @code{vm-image}, the returned image is in qcow2 format, which
19288 the QEMU emulator can efficiently use. @xref{Running GuixSD in a VM},
19289 for more information on how to run the image in a virtual machine.
19291 When using @code{disk-image}, a raw disk image is produced; it can be
19292 copied as is to a USB stick, for instance. Assuming @code{/dev/sdc} is
19293 the device corresponding to a USB stick, one can copy the image to it
19294 using the following command:
19297 # dd if=$(guix system disk-image my-os.scm) of=/dev/sdc
19301 Return a script to run the operating system declared in @var{file}
19302 within a container. Containers are a set of lightweight isolation
19303 mechanisms provided by the kernel Linux-libre. Containers are
19304 substantially less resource-demanding than full virtual machines since
19305 the kernel, shared objects, and other resources can be shared with the
19306 host system; this also means they provide thinner isolation.
19308 Currently, the script must be run as root in order to support more than
19309 a single user and group. The container shares its store with the host
19312 As with the @code{vm} action (@pxref{guix system vm}), additional file
19313 systems to be shared between the host and container can be specified
19314 using the @option{--share} and @option{--expose} options:
19317 guix system container my-config.scm \
19318 --expose=$HOME --share=$HOME/tmp=/exchange
19322 This option requires Linux-libre 3.19 or newer.
19327 @var{options} can contain any of the common build options (@pxref{Common
19328 Build Options}). In addition, @var{options} can contain one of the
19332 @item --expression=@var{expr}
19333 @itemx -e @var{expr}
19334 Consider the operating-system @var{expr} evaluates to.
19335 This is an alternative to specifying a file which evaluates to an
19337 This is used to generate the GuixSD installer @pxref{Building the
19338 Installation Image}).
19340 @item --system=@var{system}
19341 @itemx -s @var{system}
19342 Attempt to build for @var{system} instead of the host system type.
19343 This works as per @command{guix build} (@pxref{Invoking guix build}).
19347 Return the derivation file name of the given operating system without
19350 @item --file-system-type=@var{type}
19351 @itemx -t @var{type}
19352 For the @code{disk-image} action, create a file system of the given
19353 @var{type} on the image.
19355 When this option is omitted, @command{guix system} uses @code{ext4}.
19357 @cindex ISO-9660 format
19358 @cindex CD image format
19359 @cindex DVD image format
19360 @code{--file-system-type=iso9660} produces an ISO-9660 image, suitable
19361 for burning on CDs and DVDs.
19363 @item --image-size=@var{size}
19364 For the @code{vm-image} and @code{disk-image} actions, create an image
19365 of the given @var{size}. @var{size} may be a number of bytes, or it may
19366 include a unit as a suffix (@pxref{Block size, size specifications,,
19367 coreutils, GNU Coreutils}).
19369 When this option is omitted, @command{guix system} computes an estimate
19370 of the image size as a function of the size of the system declared in
19373 @item --root=@var{file}
19374 @itemx -r @var{file}
19375 Make @var{file} a symlink to the result, and register it as a garbage
19378 @item --on-error=@var{strategy}
19379 Apply @var{strategy} when an error occurs when reading @var{file}.
19380 @var{strategy} may be one of the following:
19383 @item nothing-special
19384 Report the error concisely and exit. This is the default strategy.
19387 Likewise, but also display a backtrace.
19390 Report the error and enter Guile's debugger. From there, you can run
19391 commands such as @code{,bt} to get a backtrace, @code{,locals} to
19392 display local variable values, and more generally inspect the state of the
19393 program. @xref{Debug Commands,,, guile, GNU Guile Reference Manual}, for
19394 a list of available debugging commands.
19399 All the actions above, except @code{build} and @code{init},
19400 can use KVM support in the Linux-libre kernel. Specifically, if the
19401 machine has hardware virtualization support, the corresponding
19402 KVM kernel module should be loaded, and the @file{/dev/kvm} device node
19403 must exist and be readable and writable by the user and by the
19404 build users of the daemon (@pxref{Build Environment Setup}).
19407 Once you have built, configured, re-configured, and re-re-configured
19408 your GuixSD installation, you may find it useful to list the operating
19409 system generations available on disk---and that you can choose from the
19410 bootloader boot menu:
19414 @item list-generations
19415 List a summary of each generation of the operating system available on
19416 disk, in a human-readable way. This is similar to the
19417 @option{--list-generations} option of @command{guix package}
19418 (@pxref{Invoking guix package}).
19420 Optionally, one can specify a pattern, with the same syntax that is used
19421 in @command{guix package --list-generations}, to restrict the list of
19422 generations displayed. For instance, the following command displays
19423 generations that are up to 10 days old:
19426 $ guix system list-generations 10d
19431 The @command{guix system} command has even more to offer! The following
19432 sub-commands allow you to visualize how your system services relate to
19435 @anchor{system-extension-graph}
19438 @item extension-graph
19439 Emit in Dot/Graphviz format to standard output the @dfn{service
19440 extension graph} of the operating system defined in @var{file}
19441 (@pxref{Service Composition}, for more information on service
19447 $ guix system extension-graph @var{file} | dot -Tpdf > services.pdf
19450 produces a PDF file showing the extension relations among services.
19452 @anchor{system-shepherd-graph}
19453 @item shepherd-graph
19454 Emit in Dot/Graphviz format to standard output the @dfn{dependency
19455 graph} of shepherd services of the operating system defined in
19456 @var{file}. @xref{Shepherd Services}, for more information and for an
19461 @node Running GuixSD in a VM
19462 @subsection Running GuixSD in a Virtual Machine
19464 @cindex virtual machine
19465 To run GuixSD in a virtual machine (VM), one can either use the
19466 pre-built GuixSD VM image distributed at
19467 @indicateurl{ftp://alpha.gnu.org/guix/guixsd-vm-image-@value{VERSION}.@var{system}.tar.xz}
19468 , or build their own virtual machine image using @command{guix system
19469 vm-image} (@pxref{Invoking guix system}). The returned image is in
19470 qcow2 format, which the @uref{http://qemu.org/, QEMU emulator} can
19474 If you built your own image, you must copy it out of the store
19475 (@pxref{The Store}) and give yourself permission to write to the copy
19476 before you can use it. When invoking QEMU, you must choose a system
19477 emulator that is suitable for your hardware platform. Here is a minimal
19478 QEMU invocation that will boot the result of @command{guix system
19479 vm-image} on x86_64 hardware:
19482 $ qemu-system-x86_64 \
19483 -net user -net nic,model=virtio \
19484 -enable-kvm -m 256 /tmp/qemu-image
19487 Here is what each of these options means:
19490 @item qemu-system-x86_64
19491 This specifies the hardware platform to emulate. This should match the
19495 Enable the unprivileged user-mode network stack. The guest OS can
19496 access the host but not vice versa. This is the simplest way to get the
19499 @item -net nic,model=virtio
19500 You must create a network interface of a given model. If you do not
19501 create a NIC, the boot will fail. Assuming your hardware platform is
19502 x86_64, you can get a list of available NIC models by running
19503 @command{qemu-system-x86_64 -net nic,model=help}.
19506 If your system has hardware virtualization extensions, enabling the
19507 virtual machine support (KVM) of the Linux kernel will make things run
19511 RAM available to the guest OS, in mebibytes. Defaults to 128@tie{}MiB,
19512 which may be insufficient for some operations.
19514 @item /tmp/qemu-image
19515 The file name of the qcow2 image.
19518 The default @command{run-vm.sh} script that is returned by an invocation of
19519 @command{guix system vm} does not add a @command{-net user} flag by default.
19520 To get network access from within the vm add the @code{(dhcp-client-service)}
19521 to your system definition and start the VM using
19522 @command{`guix system vm config.scm` -net user}. An important caveat of using
19523 @command{-net user} for networking is that @command{ping} will not work, because
19524 it uses the ICMP protocol. You'll have to use a different command to check for
19525 network connectivity, for example @command{guix download}.
19527 @subsubsection Connecting Through SSH
19531 To enable SSH inside a VM you need to add a SSH server like @code{(dropbear-service)}
19532 or @code{(lsh-service)} to your VM. The @code{(lsh-service}) doesn't currently
19533 boot unsupervised. It requires you to type some characters to initialize the
19534 randomness generator. In addition you need to forward the SSH port, 22 by
19535 default, to the host. You can do this with
19538 `guix system vm config.scm` -net user,hostfwd=tcp::10022-:22
19541 To connect to the VM you can run
19544 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022
19547 The @command{-p} tells @command{ssh} the port you want to connect to.
19548 @command{-o UserKnownHostsFile=/dev/null} prevents @command{ssh} from complaining
19549 every time you modify your @command{config.scm} file and the
19550 @command{-o StrictHostKeyChecking=no} prevents you from having to allow a
19551 connection to an unknown host every time you connect.
19553 @subsubsection Using @command{virt-viewer} with Spice
19555 As an alternative to the default @command{qemu} graphical client you can
19556 use the @command{remote-viewer} from the @command{virt-viewer} package. To
19557 connect pass the @command{-spice port=5930,disable-ticketing} flag to
19558 @command{qemu}. See previous section for further information on how to do this.
19560 Spice also allows you to do some nice stuff like share your clipboard with your
19561 VM. To enable that you'll also have to pass the following flags to @command{qemu}:
19564 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5
19565 -chardev spicevmc,name=vdagent,id=vdagent
19566 -device virtserialport,nr=1,bus=virtio-serial0.0,chardev=vdagent,
19567 name=com.redhat.spice.0
19570 You'll also need to add the @pxref{Miscellaneous Services, Spice service}.
19572 @node Defining Services
19573 @subsection Defining Services
19575 The previous sections show the available services and how one can combine
19576 them in an @code{operating-system} declaration. But how do we define
19577 them in the first place? And what is a service anyway?
19580 * Service Composition:: The model for composing services.
19581 * Service Types and Services:: Types and services.
19582 * Service Reference:: API reference.
19583 * Shepherd Services:: A particular type of service.
19586 @node Service Composition
19587 @subsubsection Service Composition
19591 Here we define a @dfn{service} as, broadly, something that extends the
19592 functionality of the operating system. Often a service is a process---a
19593 @dfn{daemon}---started when the system boots: a secure shell server, a
19594 Web server, the Guix build daemon, etc. Sometimes a service is a daemon
19595 whose execution can be triggered by another daemon---e.g., an FTP server
19596 started by @command{inetd} or a D-Bus service activated by
19597 @command{dbus-daemon}. Occasionally, a service does not map to a
19598 daemon. For instance, the ``account'' service collects user accounts
19599 and makes sure they exist when the system runs; the ``udev'' service
19600 collects device management rules and makes them available to the eudev
19601 daemon; the @file{/etc} service populates the @file{/etc} directory
19604 @cindex service extensions
19605 GuixSD services are connected by @dfn{extensions}. For instance, the
19606 secure shell service @emph{extends} the Shepherd---the GuixSD
19607 initialization system, running as PID@tie{}1---by giving it the command
19608 lines to start and stop the secure shell daemon (@pxref{Networking
19609 Services, @code{lsh-service}}); the UPower service extends the D-Bus
19610 service by passing it its @file{.service} specification, and extends the
19611 udev service by passing it device management rules (@pxref{Desktop
19612 Services, @code{upower-service}}); the Guix daemon service extends the
19613 Shepherd by passing it the command lines to start and stop the daemon,
19614 and extends the account service by passing it a list of required build
19615 user accounts (@pxref{Base Services}).
19617 All in all, services and their ``extends'' relations form a directed
19618 acyclic graph (DAG). If we represent services as boxes and extensions
19619 as arrows, a typical system might provide something like this:
19621 @image{images/service-graph,,5in,Typical service extension graph.}
19623 @cindex system service
19624 At the bottom, we see the @dfn{system service}, which produces the
19625 directory containing everything to run and boot the system, as returned
19626 by the @command{guix system build} command. @xref{Service Reference},
19627 to learn about the other service types shown here.
19628 @xref{system-extension-graph, the @command{guix system extension-graph}
19629 command}, for information on how to generate this representation for a
19630 particular operating system definition.
19632 @cindex service types
19633 Technically, developers can define @dfn{service types} to express these
19634 relations. There can be any number of services of a given type on the
19635 system---for instance, a system running two instances of the GNU secure
19636 shell server (lsh) has two instances of @var{lsh-service-type}, with
19637 different parameters.
19639 The following section describes the programming interface for service
19640 types and services.
19642 @node Service Types and Services
19643 @subsubsection Service Types and Services
19645 A @dfn{service type} is a node in the DAG described above. Let us start
19646 with a simple example, the service type for the Guix build daemon
19647 (@pxref{Invoking guix-daemon}):
19650 (define guix-service-type
19654 (list (service-extension shepherd-root-service-type guix-shepherd-service)
19655 (service-extension account-service-type guix-accounts)
19656 (service-extension activation-service-type guix-activation)))
19657 (default-value (guix-configuration))))
19661 It defines three things:
19665 A name, whose sole purpose is to make inspection and debugging easier.
19668 A list of @dfn{service extensions}, where each extension designates the
19669 target service type and a procedure that, given the parameters of the
19670 service, returns a list of objects to extend the service of that type.
19672 Every service type has at least one service extension. The only
19673 exception is the @dfn{boot service type}, which is the ultimate service.
19676 Optionally, a default value for instances of this type.
19679 In this example, @var{guix-service-type} extends three services:
19682 @item shepherd-root-service-type
19683 The @var{guix-shepherd-service} procedure defines how the Shepherd
19684 service is extended. Namely, it returns a @code{<shepherd-service>}
19685 object that defines how @command{guix-daemon} is started and stopped
19686 (@pxref{Shepherd Services}).
19688 @item account-service-type
19689 This extension for this service is computed by @var{guix-accounts},
19690 which returns a list of @code{user-group} and @code{user-account}
19691 objects representing the build user accounts (@pxref{Invoking
19694 @item activation-service-type
19695 Here @var{guix-activation} is a procedure that returns a gexp, which is
19696 a code snippet to run at ``activation time''---e.g., when the service is
19700 A service of this type is instantiated like this:
19703 (service guix-service-type
19704 (guix-configuration
19706 (use-substitutes? #f)))
19709 The second argument to the @code{service} form is a value representing
19710 the parameters of this specific service instance.
19711 @xref{guix-configuration-type, @code{guix-configuration}}, for
19712 information about the @code{guix-configuration} data type. When the
19713 value is omitted, the default value specified by
19714 @code{guix-service-type} is used:
19717 (service guix-service-type)
19720 @var{guix-service-type} is quite simple because it extends other
19721 services but is not extensible itself.
19723 @c @subsubsubsection Extensible Service Types
19725 The service type for an @emph{extensible} service looks like this:
19728 (define udev-service-type
19729 (service-type (name 'udev)
19731 (list (service-extension shepherd-root-service-type
19732 udev-shepherd-service)))
19734 (compose concatenate) ;concatenate the list of rules
19735 (extend (lambda (config rules)
19737 (($ <udev-configuration> udev initial-rules)
19738 (udev-configuration
19739 (udev udev) ;the udev package to use
19740 (rules (append initial-rules rules)))))))))
19743 This is the service type for the
19744 @uref{https://wiki.gentoo.org/wiki/Project:Eudev, eudev device
19745 management daemon}. Compared to the previous example, in addition to an
19746 extension of @var{shepherd-root-service-type}, we see two new fields:
19750 This is the procedure to @dfn{compose} the list of extensions to
19751 services of this type.
19753 Services can extend the udev service by passing it lists of rules; we
19754 compose those extensions simply by concatenating them.
19757 This procedure defines how the value of the service is @dfn{extended} with
19758 the composition of the extensions.
19760 Udev extensions are composed into a list of rules, but the udev service
19761 value is itself a @code{<udev-configuration>} record. So here, we
19762 extend that record by appending the list of rules it contains to the
19763 list of contributed rules.
19766 This is a string giving an overview of the service type. The string can
19767 contain Texinfo markup (@pxref{Overview,,, texinfo, GNU Texinfo}). The
19768 @command{guix system search} command searches these strings and displays
19769 them (@pxref{Invoking guix system}).
19772 There can be only one instance of an extensible service type such as
19773 @var{udev-service-type}. If there were more, the
19774 @code{service-extension} specifications would be ambiguous.
19776 Still here? The next section provides a reference of the programming
19777 interface for services.
19779 @node Service Reference
19780 @subsubsection Service Reference
19782 We have seen an overview of service types (@pxref{Service Types and
19783 Services}). This section provides a reference on how to manipulate
19784 services and service types. This interface is provided by the
19785 @code{(gnu services)} module.
19787 @deffn {Scheme Procedure} service @var{type} [@var{value}]
19788 Return a new service of @var{type}, a @code{<service-type>} object (see
19789 below.) @var{value} can be any object; it represents the parameters of
19790 this particular service instance.
19792 When @var{value} is omitted, the default value specified by @var{type}
19793 is used; if @var{type} does not specify a default value, an error is
19796 For instance, this:
19799 (service openssh-service-type)
19803 is equivalent to this:
19806 (service openssh-service-type
19807 (openssh-configuration))
19810 In both cases the result is an instance of @code{openssh-service-type}
19811 with the default configuration.
19814 @deffn {Scheme Procedure} service? @var{obj}
19815 Return true if @var{obj} is a service.
19818 @deffn {Scheme Procedure} service-kind @var{service}
19819 Return the type of @var{service}---i.e., a @code{<service-type>} object.
19822 @deffn {Scheme Procedure} service-value @var{service}
19823 Return the value associated with @var{service}. It represents its
19827 Here is an example of how a service is created and manipulated:
19831 (service nginx-service-type
19832 (nginx-configuration
19834 (log-directory log-directory)
19835 (run-directory run-directory)
19836 (file config-file))))
19841 (eq? (service-kind s) nginx-service-type)
19845 The @code{modify-services} form provides a handy way to change the
19846 parameters of some of the services of a list such as
19847 @var{%base-services} (@pxref{Base Services, @code{%base-services}}). It
19848 evaluates to a list of services. Of course, you could always use
19849 standard list combinators such as @code{map} and @code{fold} to do that
19850 (@pxref{SRFI-1, List Library,, guile, GNU Guile Reference Manual});
19851 @code{modify-services} simply provides a more concise form for this
19854 @deffn {Scheme Syntax} modify-services @var{services} @
19855 (@var{type} @var{variable} => @var{body}) @dots{}
19857 Modify the services listed in @var{services} according to the given
19858 clauses. Each clause has the form:
19861 (@var{type} @var{variable} => @var{body})
19864 where @var{type} is a service type---e.g.,
19865 @code{guix-service-type}---and @var{variable} is an identifier that is
19866 bound within the @var{body} to the service parameters---e.g., a
19867 @code{guix-configuration} instance---of the original service of that
19870 The @var{body} should evaluate to the new service parameters, which will
19871 be used to configure the new service. This new service will replace the
19872 original in the resulting list. Because a service's service parameters
19873 are created using @code{define-record-type*}, you can write a succinct
19874 @var{body} that evaluates to the new service parameters by using the
19875 @code{inherit} feature that @code{define-record-type*} provides.
19877 @xref{Using the Configuration System}, for example usage.
19881 Next comes the programming interface for service types. This is
19882 something you want to know when writing new service definitions, but not
19883 necessarily when simply looking for ways to customize your
19884 @code{operating-system} declaration.
19886 @deftp {Data Type} service-type
19887 @cindex service type
19888 This is the representation of a @dfn{service type} (@pxref{Service Types
19893 This is a symbol, used only to simplify inspection and debugging.
19895 @item @code{extensions}
19896 A non-empty list of @code{<service-extension>} objects (see below).
19898 @item @code{compose} (default: @code{#f})
19899 If this is @code{#f}, then the service type denotes services that cannot
19900 be extended---i.e., services that do not receive ``values'' from other
19903 Otherwise, it must be a one-argument procedure. The procedure is called
19904 by @code{fold-services} and is passed a list of values collected from
19905 extensions. It must return a value that is a valid parameter value for
19906 the service instance.
19908 @item @code{extend} (default: @code{#f})
19909 If this is @code{#f}, services of this type cannot be extended.
19911 Otherwise, it must be a two-argument procedure: @code{fold-services}
19912 calls it, passing it the initial value of the service as the first argument
19913 and the result of applying @code{compose} to the extension values as the
19917 @xref{Service Types and Services}, for examples.
19920 @deffn {Scheme Procedure} service-extension @var{target-type} @
19922 Return a new extension for services of type @var{target-type}.
19923 @var{compute} must be a one-argument procedure: @code{fold-services}
19924 calls it, passing it the value associated with the service that provides
19925 the extension; it must return a valid value for the target service.
19928 @deffn {Scheme Procedure} service-extension? @var{obj}
19929 Return true if @var{obj} is a service extension.
19932 Occasionally, you might want to simply extend an existing service. This
19933 involves creating a new service type and specifying the extension of
19934 interest, which can be verbose; the @code{simple-service} procedure
19935 provides a shorthand for this.
19937 @deffn {Scheme Procedure} simple-service @var{name} @var{target} @var{value}
19938 Return a service that extends @var{target} with @var{value}. This works
19939 by creating a singleton service type @var{name}, of which the returned
19940 service is an instance.
19942 For example, this extends mcron (@pxref{Scheduled Job Execution}) with
19946 (simple-service 'my-mcron-job mcron-service-type
19947 #~(job '(next-hour (3)) "guix gc -F 2G"))
19951 At the core of the service abstraction lies the @code{fold-services}
19952 procedure, which is responsible for ``compiling'' a list of services
19953 down to a single directory that contains everything needed to boot and
19954 run the system---the directory shown by the @command{guix system build}
19955 command (@pxref{Invoking guix system}). In essence, it propagates
19956 service extensions down the service graph, updating each node parameters
19957 on the way, until it reaches the root node.
19959 @deffn {Scheme Procedure} fold-services @var{services} @
19960 [#:target-type @var{system-service-type}]
19961 Fold @var{services} by propagating their extensions down to the root of
19962 type @var{target-type}; return the root service adjusted accordingly.
19965 Lastly, the @code{(gnu services)} module also defines several essential
19966 service types, some of which are listed below.
19968 @defvr {Scheme Variable} system-service-type
19969 This is the root of the service graph. It produces the system directory
19970 as returned by the @command{guix system build} command.
19973 @defvr {Scheme Variable} boot-service-type
19974 The type of the ``boot service'', which produces the @dfn{boot script}.
19975 The boot script is what the initial RAM disk runs when booting.
19978 @defvr {Scheme Variable} etc-service-type
19979 The type of the @file{/etc} service. This service is used to create
19980 files under @file{/etc} and can be extended by
19981 passing it name/file tuples such as:
19984 (list `("issue" ,(plain-file "issue" "Welcome!\n")))
19987 In this example, the effect would be to add an @file{/etc/issue} file
19988 pointing to the given file.
19991 @defvr {Scheme Variable} setuid-program-service-type
19992 Type for the ``setuid-program service''. This service collects lists of
19993 executable file names, passed as gexps, and adds them to the set of
19994 setuid-root programs on the system (@pxref{Setuid Programs}).
19997 @defvr {Scheme Variable} profile-service-type
19998 Type of the service that populates the @dfn{system profile}---i.e., the
19999 programs under @file{/run/current-system/profile}. Other services can
20000 extend it by passing it lists of packages to add to the system profile.
20004 @node Shepherd Services
20005 @subsubsection Shepherd Services
20007 @cindex shepherd services
20009 @cindex init system
20010 The @code{(gnu services shepherd)} module provides a way to define
20011 services managed by the GNU@tie{}Shepherd, which is the GuixSD
20012 initialization system---the first process that is started when the
20013 system boots, also known as PID@tie{}1
20014 (@pxref{Introduction,,, shepherd, The GNU Shepherd Manual}).
20016 Services in the Shepherd can depend on each other. For instance, the
20017 SSH daemon may need to be started after the syslog daemon has been
20018 started, which in turn can only happen once all the file systems have
20019 been mounted. The simple operating system defined earlier (@pxref{Using
20020 the Configuration System}) results in a service graph like this:
20022 @image{images/shepherd-graph,,5in,Typical shepherd service graph.}
20024 You can actually generate such a graph for any operating system
20025 definition using the @command{guix system shepherd-graph} command
20026 (@pxref{system-shepherd-graph, @command{guix system shepherd-graph}}).
20028 The @var{%shepherd-root-service} is a service object representing
20029 PID@tie{}1, of type @var{shepherd-root-service-type}; it can be extended
20030 by passing it lists of @code{<shepherd-service>} objects.
20032 @deftp {Data Type} shepherd-service
20033 The data type representing a service managed by the Shepherd.
20036 @item @code{provision}
20037 This is a list of symbols denoting what the service provides.
20039 These are the names that may be passed to @command{herd start},
20040 @command{herd status}, and similar commands (@pxref{Invoking herd,,,
20041 shepherd, The GNU Shepherd Manual}). @xref{Slots of services, the
20042 @code{provides} slot,, shepherd, The GNU Shepherd Manual}, for details.
20044 @item @code{requirements} (default: @code{'()})
20045 List of symbols denoting the Shepherd services this one depends on.
20047 @item @code{respawn?} (default: @code{#t})
20048 Whether to restart the service when it stops, for instance when the
20049 underlying process dies.
20052 @itemx @code{stop} (default: @code{#~(const #f)})
20053 The @code{start} and @code{stop} fields refer to the Shepherd's
20054 facilities to start and stop processes (@pxref{Service De- and
20055 Constructors,,, shepherd, The GNU Shepherd Manual}). They are given as
20056 G-expressions that get expanded in the Shepherd configuration file
20057 (@pxref{G-Expressions}).
20059 @item @code{documentation}
20060 A documentation string, as shown when running:
20063 herd doc @var{service-name}
20066 where @var{service-name} is one of the symbols in @var{provision}
20067 (@pxref{Invoking herd,,, shepherd, The GNU Shepherd Manual}).
20069 @item @code{modules} (default: @var{%default-modules})
20070 This is the list of modules that must be in scope when @code{start} and
20071 @code{stop} are evaluated.
20076 @defvr {Scheme Variable} shepherd-root-service-type
20077 The service type for the Shepherd ``root service''---i.e., PID@tie{}1.
20079 This is the service type that extensions target when they want to create
20080 shepherd services (@pxref{Service Types and Services}, for an example).
20081 Each extension must pass a list of @code{<shepherd-service>}.
20084 @defvr {Scheme Variable} %shepherd-root-service
20085 This service represents PID@tie{}1.
20089 @node Documentation
20090 @section Documentation
20092 @cindex documentation, searching for
20093 @cindex searching for documentation
20094 @cindex Info, documentation format
20096 @cindex manual pages
20097 In most cases packages installed with Guix come with documentation.
20098 There are two main documentation formats: ``Info'', a browseable
20099 hypertext format used for GNU software, and ``manual pages'' (or ``man
20100 pages''), the linear documentation format traditionally found on Unix.
20101 Info manuals are accessed with the @command{info} command or with Emacs,
20102 and man pages are accessed using @command{man}.
20104 You can look for documentation of software installed on your system by
20105 keyword. For example, the following command searches for information
20106 about ``TLS'' in Info manuals:
20110 "(emacs)Network Security" -- STARTTLS
20111 "(emacs)Network Security" -- TLS
20112 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_flags
20113 "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_function
20118 The command below searches for the same keyword in man pages:
20122 SSL (7) - OpenSSL SSL/TLS library
20123 certtool (1) - GnuTLS certificate tool
20127 These searches are purely local to your computer so you have the
20128 guarantee that documentation you find corresponds to what you have
20129 actually installed, you can access it off-line, and your privacy is
20132 Once you have these results, you can view the relevant documentation by
20136 $ info "(gnutls)Core TLS API"
20146 Info manuals contain sections and indices as well as hyperlinks like
20147 those found in Web pages. The @command{info} reader (@pxref{Top, Info
20148 reader,, info-stnd, Stand-alone GNU Info}) and its Emacs counterpart
20149 (@pxref{Misc Help,,, emacs, The GNU Emacs Manual}) provide intuitive key
20150 bindings to navigate manuals. @xref{Getting Started,,, info, Info: An
20151 Introduction}, for an introduction to Info navigation.
20153 @node Installing Debugging Files
20154 @section Installing Debugging Files
20156 @cindex debugging files
20157 Program binaries, as produced by the GCC compilers for instance, are
20158 typically written in the ELF format, with a section containing
20159 @dfn{debugging information}. Debugging information is what allows the
20160 debugger, GDB, to map binary code to source code; it is required to
20161 debug a compiled program in good conditions.
20163 The problem with debugging information is that is takes up a fair amount
20164 of disk space. For example, debugging information for the GNU C Library
20165 weighs in at more than 60 MiB. Thus, as a user, keeping all the
20166 debugging info of all the installed programs is usually not an option.
20167 Yet, space savings should not come at the cost of an impediment to
20168 debugging---especially in the GNU system, which should make it easier
20169 for users to exert their computing freedom (@pxref{GNU Distribution}).
20171 Thankfully, the GNU Binary Utilities (Binutils) and GDB provide a
20172 mechanism that allows users to get the best of both worlds: debugging
20173 information can be stripped from the binaries and stored in separate
20174 files. GDB is then able to load debugging information from those files,
20175 when they are available (@pxref{Separate Debug Files,,, gdb, Debugging
20178 The GNU distribution takes advantage of this by storing debugging
20179 information in the @code{lib/debug} sub-directory of a separate package
20180 output unimaginatively called @code{debug} (@pxref{Packages with
20181 Multiple Outputs}). Users can choose to install the @code{debug} output
20182 of a package when they need it. For instance, the following command
20183 installs the debugging information for the GNU C Library and for GNU
20187 guix package -i glibc:debug guile:debug
20190 GDB must then be told to look for debug files in the user's profile, by
20191 setting the @code{debug-file-directory} variable (consider setting it
20192 from the @file{~/.gdbinit} file, @pxref{Startup,,, gdb, Debugging with
20196 (gdb) set debug-file-directory ~/.guix-profile/lib/debug
20199 From there on, GDB will pick up debugging information from the
20200 @code{.debug} files under @file{~/.guix-profile/lib/debug}.
20202 In addition, you will most likely want GDB to be able to show the source
20203 code being debugged. To do that, you will have to unpack the source
20204 code of the package of interest (obtained with @code{guix build
20205 --source}, @pxref{Invoking guix build}), and to point GDB to that source
20206 directory using the @code{directory} command (@pxref{Source Path,
20207 @code{directory},, gdb, Debugging with GDB}).
20209 @c XXX: keep me up-to-date
20210 The @code{debug} output mechanism in Guix is implemented by the
20211 @code{gnu-build-system} (@pxref{Build Systems}). Currently, it is
20212 opt-in---debugging information is available only for the packages
20213 with definitions explicitly declaring a @code{debug} output. This may be
20214 changed to opt-out in the future if our build farm servers can handle
20215 the load. To check whether a package has a @code{debug} output, use
20216 @command{guix package --list-available} (@pxref{Invoking guix package}).
20219 @node Security Updates
20220 @section Security Updates
20222 @cindex security updates
20223 @cindex security vulnerabilities
20224 Occasionally, important security vulnerabilities are discovered in software
20225 packages and must be patched. Guix developers try hard to keep track of
20226 known vulnerabilities and to apply fixes as soon as possible in the
20227 @code{master} branch of Guix (we do not yet provide a ``stable'' branch
20228 containing only security updates.) The @command{guix lint} tool helps
20229 developers find out about vulnerable versions of software packages in the
20234 gnu/packages/base.scm:652:2: glibc@@2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547
20235 gnu/packages/gcc.scm:334:2: gcc@@4.9.3: probably vulnerable to CVE-2015-5276
20236 gnu/packages/image.scm:312:2: openjpeg@@2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924
20240 @xref{Invoking guix lint}, for more information.
20243 As of version @value{VERSION}, the feature described below is considered
20247 Guix follows a functional
20248 package management discipline (@pxref{Introduction}), which implies
20249 that, when a package is changed, @emph{every package that depends on it}
20250 must be rebuilt. This can significantly slow down the deployment of
20251 fixes in core packages such as libc or Bash, since basically the whole
20252 distribution would need to be rebuilt. Using pre-built binaries helps
20253 (@pxref{Substitutes}), but deployment may still take more time than
20257 To address this, Guix implements @dfn{grafts}, a mechanism that allows
20258 for fast deployment of critical updates without the costs associated
20259 with a whole-distribution rebuild. The idea is to rebuild only the
20260 package that needs to be patched, and then to ``graft'' it onto packages
20261 explicitly installed by the user and that were previously referring to
20262 the original package. The cost of grafting is typically very low, and
20263 order of magnitudes lower than a full rebuild of the dependency chain.
20265 @cindex replacements of packages, for grafts
20266 For instance, suppose a security update needs to be applied to Bash.
20267 Guix developers will provide a package definition for the ``fixed''
20268 Bash, say @var{bash-fixed}, in the usual way (@pxref{Defining
20269 Packages}). Then, the original package definition is augmented with a
20270 @code{replacement} field pointing to the package containing the bug fix:
20277 (replacement bash-fixed)))
20280 From there on, any package depending directly or indirectly on Bash---as
20281 reported by @command{guix gc --requisites} (@pxref{Invoking guix
20282 gc})---that is installed is automatically ``rewritten'' to refer to
20283 @var{bash-fixed} instead of @var{bash}. This grafting process takes
20284 time proportional to the size of the package, usually less than a
20285 minute for an ``average'' package on a recent machine. Grafting is
20286 recursive: when an indirect dependency requires grafting, then grafting
20287 ``propagates'' up to the package that the user is installing.
20289 Currently, the length of the name and version of the graft and that of
20290 the package it replaces (@var{bash-fixed} and @var{bash} in the example
20291 above) must be equal. This restriction mostly comes from the fact that
20292 grafting works by patching files, including binary files, directly.
20293 Other restrictions may apply: for instance, when adding a graft to a
20294 package providing a shared library, the original shared library and its
20295 replacement must have the same @code{SONAME} and be binary-compatible.
20297 The @option{--no-grafts} command-line option allows you to forcefully
20298 avoid grafting (@pxref{Common Build Options, @option{--no-grafts}}).
20302 guix build bash --no-grafts
20306 returns the store file name of the original Bash, whereas:
20313 returns the store file name of the ``fixed'', replacement Bash. This
20314 allows you to distinguish between the two variants of Bash.
20316 To verify which Bash your whole profile refers to, you can run
20317 (@pxref{Invoking guix gc}):
20320 guix gc -R `readlink -f ~/.guix-profile` | grep bash
20324 @dots{} and compare the store file names that you get with those above.
20325 Likewise for a complete GuixSD system generation:
20328 guix gc -R `guix system build my-config.scm` | grep bash
20331 Lastly, to check which Bash running processes are using, you can use the
20332 @command{lsof} command:
20335 lsof | grep /gnu/store/.*bash
20339 @node Package Modules
20340 @section Package Modules
20342 From a programming viewpoint, the package definitions of the
20343 GNU distribution are provided by Guile modules in the @code{(gnu packages
20344 @dots{})} name space@footnote{Note that packages under the @code{(gnu
20345 packages @dots{})} module name space are not necessarily ``GNU
20346 packages''. This module naming scheme follows the usual Guile module
20347 naming convention: @code{gnu} means that these modules are distributed
20348 as part of the GNU system, and @code{packages} identifies modules that
20349 define packages.} (@pxref{Modules, Guile modules,, guile, GNU Guile
20350 Reference Manual}). For instance, the @code{(gnu packages emacs)}
20351 module exports a variable named @code{emacs}, which is bound to a
20352 @code{<package>} object (@pxref{Defining Packages}).
20354 The @code{(gnu packages @dots{})} module name space is
20355 automatically scanned for packages by the command-line tools. For
20356 instance, when running @code{guix package -i emacs}, all the @code{(gnu
20357 packages @dots{})} modules are scanned until one that exports a package
20358 object whose name is @code{emacs} is found. This package search
20359 facility is implemented in the @code{(gnu packages)} module.
20361 @cindex customization, of packages
20362 @cindex package module search path
20363 Users can store package definitions in modules with different
20364 names---e.g., @code{(my-packages emacs)}@footnote{Note that the file
20365 name and module name must match. For instance, the @code{(my-packages
20366 emacs)} module must be stored in a @file{my-packages/emacs.scm} file
20367 relative to the load path specified with @option{--load-path} or
20368 @code{GUIX_PACKAGE_PATH}. @xref{Modules and the File System,,,
20369 guile, GNU Guile Reference Manual}, for details.}. These package definitions
20370 will not be visible by default. Users can invoke commands such as
20371 @command{guix package} and @command{guix build} with the
20372 @code{-e} option so that they know where to find the package. Better
20373 yet, they can use the
20374 @code{-L} option of these commands to make those modules visible
20375 (@pxref{Invoking guix build, @code{--load-path}}), or define the
20376 @code{GUIX_PACKAGE_PATH} environment variable. This environment
20377 variable makes it easy to extend or customize the distribution and is
20378 honored by all the user interfaces.
20380 @defvr {Environment Variable} GUIX_PACKAGE_PATH
20381 This is a colon-separated list of directories to search for additional
20382 package modules. Directories listed in this variable take precedence
20383 over the own modules of the distribution.
20386 The distribution is fully @dfn{bootstrapped} and @dfn{self-contained}:
20387 each package is built based solely on other packages in the
20388 distribution. The root of this dependency graph is a small set of
20389 @dfn{bootstrap binaries}, provided by the @code{(gnu packages
20390 bootstrap)} module. For more information on bootstrapping,
20391 @pxref{Bootstrapping}.
20393 @node Packaging Guidelines
20394 @section Packaging Guidelines
20396 @cindex packages, creating
20397 The GNU distribution is nascent and may well lack some of your favorite
20398 packages. This section describes how you can help make the distribution
20399 grow. @xref{Contributing}, for additional information on how you can
20402 Free software packages are usually distributed in the form of
20403 @dfn{source code tarballs}---typically @file{tar.gz} files that contain
20404 all the source files. Adding a package to the distribution means
20405 essentially two things: adding a @dfn{recipe} that describes how to
20406 build the package, including a list of other packages required to build
20407 it, and adding @dfn{package metadata} along with that recipe, such as a
20408 description and licensing information.
20410 In Guix all this information is embodied in @dfn{package definitions}.
20411 Package definitions provide a high-level view of the package. They are
20412 written using the syntax of the Scheme programming language; in fact,
20413 for each package we define a variable bound to the package definition,
20414 and export that variable from a module (@pxref{Package Modules}).
20415 However, in-depth Scheme knowledge is @emph{not} a prerequisite for
20416 creating packages. For more information on package definitions,
20417 @pxref{Defining Packages}.
20419 Once a package definition is in place, stored in a file in the Guix
20420 source tree, it can be tested using the @command{guix build} command
20421 (@pxref{Invoking guix build}). For example, assuming the new package is
20422 called @code{gnew}, you may run this command from the Guix build tree
20423 (@pxref{Running Guix Before It Is Installed}):
20426 ./pre-inst-env guix build gnew --keep-failed
20429 Using @code{--keep-failed} makes it easier to debug build failures since
20430 it provides access to the failed build tree. Another useful
20431 command-line option when debugging is @code{--log-file}, to access the
20434 If the package is unknown to the @command{guix} command, it may be that
20435 the source file contains a syntax error, or lacks a @code{define-public}
20436 clause to export the package variable. To figure it out, you may load
20437 the module from Guile to get more information about the actual error:
20440 ./pre-inst-env guile -c '(use-modules (gnu packages gnew))'
20443 Once your package builds correctly, please send us a patch
20444 (@pxref{Contributing}). Well, if you need help, we will be happy to
20445 help you too. Once the patch is committed in the Guix repository, the
20446 new package automatically gets built on the supported platforms by
20447 @url{http://hydra.gnu.org/jobset/gnu/master, our continuous integration
20450 @cindex substituter
20451 Users can obtain the new package definition simply by running
20452 @command{guix pull} (@pxref{Invoking guix pull}). When
20453 @code{hydra.gnu.org} is done building the package, installing the
20454 package automatically downloads binaries from there
20455 (@pxref{Substitutes}). The only place where human intervention is
20456 needed is to review and apply the patch.
20460 * Software Freedom:: What may go into the distribution.
20461 * Package Naming:: What's in a name?
20462 * Version Numbers:: When the name is not enough.
20463 * Synopses and Descriptions:: Helping users find the right package.
20464 * Python Modules:: A touch of British comedy.
20465 * Perl Modules:: Little pearls.
20466 * Java Packages:: Coffee break.
20467 * Fonts:: Fond of fonts.
20470 @node Software Freedom
20471 @subsection Software Freedom
20473 @c Adapted from http://www.gnu.org/philosophy/philosophy.html.
20474 @cindex free software
20475 The GNU operating system has been developed so that users can have
20476 freedom in their computing. GNU is @dfn{free software}, meaning that
20477 users have the @url{http://www.gnu.org/philosophy/free-sw.html,four
20478 essential freedoms}: to run the program, to study and change the program
20479 in source code form, to redistribute exact copies, and to distribute
20480 modified versions. Packages found in the GNU distribution provide only
20481 software that conveys these four freedoms.
20483 In addition, the GNU distribution follow the
20484 @url{http://www.gnu.org/distros/free-system-distribution-guidelines.html,free
20485 software distribution guidelines}. Among other things, these guidelines
20486 reject non-free firmware, recommendations of non-free software, and
20487 discuss ways to deal with trademarks and patents.
20489 Some otherwise free upstream package sources contain a small and optional
20490 subset that violates the above guidelines, for instance because this subset
20491 is itself non-free code. When that happens, the offending items are removed
20492 with appropriate patches or code snippets in the @code{origin} form of the
20493 package (@pxref{Defining Packages}). This way, @code{guix
20494 build --source} returns the ``freed'' source rather than the unmodified
20498 @node Package Naming
20499 @subsection Package Naming
20501 @cindex package name
20502 A package has actually two names associated with it:
20503 First, there is the name of the @emph{Scheme variable}, the one following
20504 @code{define-public}. By this name, the package can be made known in the
20505 Scheme code, for instance as input to another package. Second, there is
20506 the string in the @code{name} field of a package definition. This name
20507 is used by package management commands such as
20508 @command{guix package} and @command{guix build}.
20510 Both are usually the same and correspond to the lowercase conversion of
20511 the project name chosen upstream, with underscores replaced with
20512 hyphens. For instance, GNUnet is available as @code{gnunet}, and
20513 SDL_net as @code{sdl-net}.
20515 We do not add @code{lib} prefixes for library packages, unless these are
20516 already part of the official project name. But @pxref{Python
20517 Modules} and @ref{Perl Modules} for special rules concerning modules for
20518 the Python and Perl languages.
20520 Font package names are handled differently, @pxref{Fonts}.
20523 @node Version Numbers
20524 @subsection Version Numbers
20526 @cindex package version
20527 We usually package only the latest version of a given free software
20528 project. But sometimes, for instance for incompatible library versions,
20529 two (or more) versions of the same package are needed. These require
20530 different Scheme variable names. We use the name as defined
20531 in @ref{Package Naming}
20532 for the most recent version; previous versions use the same name, suffixed
20533 by @code{-} and the smallest prefix of the version number that may
20534 distinguish the two versions.
20536 The name inside the package definition is the same for all versions of a
20537 package and does not contain any version number.
20539 For instance, the versions 2.24.20 and 3.9.12 of GTK+ may be packaged as follows:
20542 (define-public gtk+
20547 (define-public gtk+-2
20550 (version "2.24.20")
20553 If we also wanted GTK+ 3.8.2, this would be packaged as
20555 (define-public gtk+-3.8
20562 @c See <https://lists.gnu.org/archive/html/guix-devel/2016-01/msg00425.html>,
20563 @c for a discussion of what follows.
20564 @cindex version number, for VCS snapshots
20565 Occasionally, we package snapshots of upstream's version control system
20566 (VCS) instead of formal releases. This should remain exceptional,
20567 because it is up to upstream developers to clarify what the stable
20568 release is. Yet, it is sometimes necessary. So, what should we put in
20569 the @code{version} field?
20571 Clearly, we need to make the commit identifier of the VCS snapshot
20572 visible in the version string, but we also need to make sure that the
20573 version string is monotonically increasing so that @command{guix package
20574 --upgrade} can determine which version is newer. Since commit
20575 identifiers, notably with Git, are not monotonically increasing, we add
20576 a revision number that we increase each time we upgrade to a newer
20577 snapshot. The resulting version string looks like this:
20582 | | `-- upstream commit ID
20584 | `--- Guix package revision
20586 latest upstream version
20589 It is a good idea to strip commit identifiers in the @code{version}
20590 field to, say, 7 digits. It avoids an aesthetic annoyance (assuming
20591 aesthetics have a role to play here) as well as problems related to OS
20592 limits such as the maximum shebang length (127 bytes for the Linux
20593 kernel.) It is best to use the full commit identifiers in
20594 @code{origin}s, though, to avoid ambiguities. A typical package
20595 definition may look like this:
20599 (let ((commit "c3f29bc928d5900971f65965feaae59e1272a3f7")
20600 (revision "1")) ;Guix package revision
20602 (version (git-version "0.9" revision commit))
20605 (uri (git-reference
20606 (url "git://example.org/my-package.git")
20608 (sha256 (base32 "1mbikn@dots{}"))
20609 (file-name (git-file-name name version))))
20614 @node Synopses and Descriptions
20615 @subsection Synopses and Descriptions
20617 @cindex package description
20618 @cindex package synopsis
20619 As we have seen before, each package in GNU@tie{}Guix includes a
20620 synopsis and a description (@pxref{Defining Packages}). Synopses and
20621 descriptions are important: They are what @command{guix package
20622 --search} searches, and a crucial piece of information to help users
20623 determine whether a given package suits their needs. Consequently,
20624 packagers should pay attention to what goes into them.
20626 Synopses must start with a capital letter and must not end with a
20627 period. They must not start with ``a'' or ``the'', which usually does
20628 not bring anything; for instance, prefer ``File-frobbing tool'' over ``A
20629 tool that frobs files''. The synopsis should say what the package
20630 is---e.g., ``Core GNU utilities (file, text, shell)''---or what it is
20631 used for---e.g., the synopsis for GNU@tie{}grep is ``Print lines
20632 matching a pattern''.
20634 Keep in mind that the synopsis must be meaningful for a very wide
20635 audience. For example, ``Manipulate alignments in the SAM format''
20636 might make sense for a seasoned bioinformatics researcher, but might be
20637 fairly unhelpful or even misleading to a non-specialized audience. It
20638 is a good idea to come up with a synopsis that gives an idea of the
20639 application domain of the package. In this example, this might give
20640 something like ``Manipulate nucleotide sequence alignments'', which
20641 hopefully gives the user a better idea of whether this is what they are
20644 Descriptions should take between five and ten lines. Use full
20645 sentences, and avoid using acronyms without first introducing them.
20646 Please avoid marketing phrases such as ``world-leading'',
20647 ``industrial-strength'', and ``next-generation'', and avoid superlatives
20648 like ``the most advanced''---they are not helpful to users looking for a
20649 package and may even sound suspicious. Instead, try to be factual,
20650 mentioning use cases and features.
20652 @cindex Texinfo markup, in package descriptions
20653 Descriptions can include Texinfo markup, which is useful to introduce
20654 ornaments such as @code{@@code} or @code{@@dfn}, bullet lists, or
20655 hyperlinks (@pxref{Overview,,, texinfo, GNU Texinfo}). However you
20656 should be careful when using some characters for example @samp{@@} and
20657 curly braces which are the basic special characters in Texinfo
20658 (@pxref{Special Characters,,, texinfo, GNU Texinfo}). User interfaces
20659 such as @command{guix package --show} take care of rendering it
20662 Synopses and descriptions are translated by volunteers
20663 @uref{http://translationproject.org/domain/guix-packages.html, at the
20664 Translation Project} so that as many users as possible can read them in
20665 their native language. User interfaces search them and display them in
20666 the language specified by the current locale.
20668 To allow @command{xgettext} to extract them as translatable strings,
20669 synopses and descriptions @emph{must be literal strings}. This means
20670 that you cannot use @code{string-append} or @code{format} to construct
20676 (synopsis "This is translatable")
20677 (description (string-append "This is " "*not*" " translatable.")))
20680 Translation is a lot of work so, as a packager, please pay even more
20681 attention to your synopses and descriptions as every change may entail
20682 additional work for translators. In order to help them, it is possible
20683 to make recommendations or instructions visible to them by inserting
20684 special comments like this (@pxref{xgettext Invocation,,, gettext, GNU
20688 ;; TRANSLATORS: "X11 resize-and-rotate" should not be translated.
20689 (description "ARandR is designed to provide a simple visual front end
20690 for the X11 resize-and-rotate (RandR) extension. @dots{}")
20694 @node Python Modules
20695 @subsection Python Modules
20698 We currently package Python 2 and Python 3, under the Scheme variable names
20699 @code{python-2} and @code{python} as explained in @ref{Version Numbers}.
20700 To avoid confusion and naming clashes with other programming languages, it
20701 seems desirable that the name of a package for a Python module contains
20702 the word @code{python}.
20704 Some modules are compatible with only one version of Python, others with both.
20705 If the package Foo compiles only with Python 3, we name it
20706 @code{python-foo}; if it compiles only with Python 2, we name it
20707 @code{python2-foo}. If it is compatible with both versions, we create two
20708 packages with the corresponding names.
20710 If a project already contains the word @code{python}, we drop this;
20711 for instance, the module python-dateutil is packaged under the names
20712 @code{python-dateutil} and @code{python2-dateutil}. If the project name
20713 starts with @code{py} (e.g. @code{pytz}), we keep it and prefix it as
20716 @subsubsection Specifying Dependencies
20717 @cindex inputs, for Python packages
20719 Dependency information for Python packages is usually available in the
20720 package source tree, with varying degrees of accuracy: in the
20721 @file{setup.py} file, in @file{requirements.txt}, or in @file{tox.ini}.
20723 Your mission, when writing a recipe for a Python package, is to map
20724 these dependencies to the appropriate type of ``input'' (@pxref{package
20725 Reference, inputs}). Although the @code{pypi} importer normally does a
20726 good job (@pxref{Invoking guix import}), you may want to check the
20727 following check list to determine which dependency goes where.
20732 We currently package Python 2 with @code{setuptools} and @code{pip}
20733 installed like Python 3.4 has per default. Thus you don't need to
20734 specify either of these as an input. @command{guix lint} will warn you
20738 Python dependencies required at run time go into
20739 @code{propagated-inputs}. They are typically defined with the
20740 @code{install_requires} keyword in @file{setup.py}, or in the
20741 @file{requirements.txt} file.
20744 Python packages required only at build time---e.g., those listed with
20745 the @code{setup_requires} keyword in @file{setup.py}---or only for
20746 testing---e.g., those in @code{tests_require}---go into
20747 @code{native-inputs}. The rationale is that (1) they do not need to be
20748 propagated because they are not needed at run time, and (2) in a
20749 cross-compilation context, it's the ``native'' input that we'd want.
20751 Examples are the @code{pytest}, @code{mock}, and @code{nose} test
20752 frameworks. Of course if any of these packages is also required at
20753 run-time, it needs to go to @code{propagated-inputs}.
20756 Anything that does not fall in the previous categories goes to
20757 @code{inputs}, for example programs or C libraries required for building
20758 Python packages containing C extensions.
20761 If a Python package has optional dependencies (@code{extras_require}),
20762 it is up to you to decide whether to add them or not, based on their
20763 usefulness/overhead ratio (@pxref{Submitting Patches, @command{guix
20770 @subsection Perl Modules
20773 Perl programs standing for themselves are named as any other package,
20774 using the lowercase upstream name.
20775 For Perl packages containing a single class, we use the lowercase class name,
20776 replace all occurrences of @code{::} by dashes and prepend the prefix
20778 So the class @code{XML::Parser} becomes @code{perl-xml-parser}.
20779 Modules containing several classes keep their lowercase upstream name and
20780 are also prepended by @code{perl-}. Such modules tend to have the word
20781 @code{perl} somewhere in their name, which gets dropped in favor of the
20782 prefix. For instance, @code{libwww-perl} becomes @code{perl-libwww}.
20785 @node Java Packages
20786 @subsection Java Packages
20789 Java programs standing for themselves are named as any other package,
20790 using the lowercase upstream name.
20792 To avoid confusion and naming clashes with other programming languages,
20793 it is desirable that the name of a package for a Java package is
20794 prefixed with @code{java-}. If a project already contains the word
20795 @code{java}, we drop this; for instance, the package @code{ngsjava} is
20796 packaged under the name @code{java-ngs}.
20798 For Java packages containing a single class or a small class hierarchy,
20799 we use the lowercase class name, replace all occurrences of @code{.} by
20800 dashes and prepend the prefix @code{java-}. So the class
20801 @code{apache.commons.cli} becomes package
20802 @code{java-apache-commons-cli}.
20809 For fonts that are in general not installed by a user for typesetting
20810 purposes, or that are distributed as part of a larger software package,
20811 we rely on the general packaging rules for software; for instance, this
20812 applies to the fonts delivered as part of the X.Org system or fonts that
20813 are part of TeX Live.
20815 To make it easier for a user to search for fonts, names for other packages
20816 containing only fonts are constructed as follows, independently of the
20817 upstream package name.
20819 The name of a package containing only one font family starts with
20820 @code{font-}; it is followed by the foundry name and a dash @code{-}
20821 if the foundry is known, and the font family name, in which spaces are
20822 replaced by dashes (and as usual, all upper case letters are transformed
20824 For example, the Gentium font family by SIL is packaged under the name
20825 @code{font-sil-gentium}.
20827 For a package containing several font families, the name of the collection
20828 is used in the place of the font family name.
20829 For instance, the Liberation fonts consist of three families,
20830 Liberation Sans, Liberation Serif and Liberation Mono.
20831 These could be packaged separately under the names
20832 @code{font-liberation-sans} and so on; but as they are distributed together
20833 under a common name, we prefer to package them together as
20834 @code{font-liberation}.
20836 In the case where several formats of the same font family or font collection
20837 are packaged separately, a short form of the format, prepended by a dash,
20838 is added to the package name. We use @code{-ttf} for TrueType fonts,
20839 @code{-otf} for OpenType fonts and @code{-type1} for PostScript Type 1
20844 @node Bootstrapping
20845 @section Bootstrapping
20847 @c Adapted from the ELS 2013 paper.
20849 @cindex bootstrapping
20851 Bootstrapping in our context refers to how the distribution gets built
20852 ``from nothing''. Remember that the build environment of a derivation
20853 contains nothing but its declared inputs (@pxref{Introduction}). So
20854 there's an obvious chicken-and-egg problem: how does the first package
20855 get built? How does the first compiler get compiled? Note that this is
20856 a question of interest only to the curious hacker, not to the regular
20857 user, so you can shamelessly skip this section if you consider yourself
20858 a ``regular user''.
20860 @cindex bootstrap binaries
20861 The GNU system is primarily made of C code, with libc at its core. The
20862 GNU build system itself assumes the availability of a Bourne shell and
20863 command-line tools provided by GNU Coreutils, Awk, Findutils, `sed', and
20864 `grep'. Furthermore, build programs---programs that run
20865 @code{./configure}, @code{make}, etc.---are written in Guile Scheme
20866 (@pxref{Derivations}). Consequently, to be able to build anything at
20867 all, from scratch, Guix relies on pre-built binaries of Guile, GCC,
20868 Binutils, libc, and the other packages mentioned above---the
20869 @dfn{bootstrap binaries}.
20871 These bootstrap binaries are ``taken for granted'', though we can also
20872 re-create them if needed (more on that later).
20874 @unnumberedsubsec Preparing to Use the Bootstrap Binaries
20876 @c As of Emacs 24.3, Info-mode displays the image, but since it's a
20877 @c large image, it's hard to scroll. Oh well.
20878 @image{images/bootstrap-graph,6in,,Dependency graph of the early bootstrap derivations}
20880 The figure above shows the very beginning of the dependency graph of the
20881 distribution, corresponding to the package definitions of the @code{(gnu
20882 packages bootstrap)} module. A similar figure can be generated with
20883 @command{guix graph} (@pxref{Invoking guix graph}), along the lines of:
20886 guix graph -t derivation \
20887 -e '(@@@@ (gnu packages bootstrap) %bootstrap-gcc)' \
20891 At this level of detail, things are
20892 slightly complex. First, Guile itself consists of an ELF executable,
20893 along with many source and compiled Scheme files that are dynamically
20894 loaded when it runs. This gets stored in the @file{guile-2.0.7.tar.xz}
20895 tarball shown in this graph. This tarball is part of Guix's ``source''
20896 distribution, and gets inserted into the store with @code{add-to-store}
20897 (@pxref{The Store}).
20899 But how do we write a derivation that unpacks this tarball and adds it
20900 to the store? To solve this problem, the @code{guile-bootstrap-2.0.drv}
20901 derivation---the first one that gets built---uses @code{bash} as its
20902 builder, which runs @code{build-bootstrap-guile.sh}, which in turn calls
20903 @code{tar} to unpack the tarball. Thus, @file{bash}, @file{tar},
20904 @file{xz}, and @file{mkdir} are statically-linked binaries, also part of
20905 the Guix source distribution, whose sole purpose is to allow the Guile
20906 tarball to be unpacked.
20908 Once @code{guile-bootstrap-2.0.drv} is built, we have a functioning
20909 Guile that can be used to run subsequent build programs. Its first task
20910 is to download tarballs containing the other pre-built binaries---this
20911 is what the @code{.tar.xz.drv} derivations do. Guix modules such as
20912 @code{ftp-client.scm} are used for this purpose. The
20913 @code{module-import.drv} derivations import those modules in a directory
20914 in the store, using the original layout. The
20915 @code{module-import-compiled.drv} derivations compile those modules, and
20916 write them in an output directory with the right layout. This
20917 corresponds to the @code{#:modules} argument of
20918 @code{build-expression->derivation} (@pxref{Derivations}).
20920 Finally, the various tarballs are unpacked by the
20921 derivations @code{gcc-bootstrap-0.drv}, @code{glibc-bootstrap-0.drv},
20922 etc., at which point we have a working C tool chain.
20925 @unnumberedsubsec Building the Build Tools
20927 Bootstrapping is complete when we have a full tool chain that does not
20928 depend on the pre-built bootstrap tools discussed above. This
20929 no-dependency requirement is verified by checking whether the files of
20930 the final tool chain contain references to the @file{/gnu/store}
20931 directories of the bootstrap inputs. The process that leads to this
20932 ``final'' tool chain is described by the package definitions found in
20933 the @code{(gnu packages commencement)} module.
20935 The @command{guix graph} command allows us to ``zoom out'' compared to
20936 the graph above, by looking at the level of package objects instead of
20937 individual derivations---remember that a package may translate to
20938 several derivations, typically one derivation to download its source,
20939 one to build the Guile modules it needs, and one to actually build the
20940 package from source. The command:
20943 guix graph -t bag \
20944 -e '(@@@@ (gnu packages commencement)
20945 glibc-final-with-bootstrap-bash)' | dot -Tps > t.ps
20949 produces the dependency graph leading to the ``final'' C
20950 library@footnote{You may notice the @code{glibc-intermediate} label,
20951 suggesting that it is not @emph{quite} final, but as a good
20952 approximation, we will consider it final.}, depicted below.
20954 @image{images/bootstrap-packages,6in,,Dependency graph of the early packages}
20956 @c See <http://lists.gnu.org/archive/html/gnu-system-discuss/2012-10/msg00000.html>.
20957 The first tool that gets built with the bootstrap binaries is
20958 GNU@tie{}Make---noted @code{make-boot0} above---which is a prerequisite
20959 for all the following packages. From there Findutils and Diffutils get
20962 Then come the first-stage Binutils and GCC, built as pseudo cross
20963 tools---i.e., with @code{--target} equal to @code{--host}. They are
20964 used to build libc. Thanks to this cross-build trick, this libc is
20965 guaranteed not to hold any reference to the initial tool chain.
20967 From there the final Binutils and GCC (not shown above) are built.
20969 from the final Binutils, and links programs against the just-built libc.
20970 This tool chain is used to build the other packages used by Guix and by
20971 the GNU Build System: Guile, Bash, Coreutils, etc.
20973 And voilà! At this point we have the complete set of build tools that
20974 the GNU Build System expects. These are in the @code{%final-inputs}
20975 variable of the @code{(gnu packages commencement)} module, and are
20976 implicitly used by any package that uses @code{gnu-build-system}
20977 (@pxref{Build Systems, @code{gnu-build-system}}).
20980 @unnumberedsubsec Building the Bootstrap Binaries
20982 @cindex bootstrap binaries
20983 Because the final tool chain does not depend on the bootstrap binaries,
20984 those rarely need to be updated. Nevertheless, it is useful to have an
20985 automated way to produce them, should an update occur, and this is what
20986 the @code{(gnu packages make-bootstrap)} module provides.
20988 The following command builds the tarballs containing the bootstrap
20989 binaries (Guile, Binutils, GCC, libc, and a tarball containing a mixture
20990 of Coreutils and other basic command-line tools):
20993 guix build bootstrap-tarballs
20996 The generated tarballs are those that should be referred to in the
20997 @code{(gnu packages bootstrap)} module mentioned at the beginning of
21000 Still here? Then perhaps by now you've started to wonder: when do we
21001 reach a fixed point? That is an interesting question! The answer is
21002 unknown, but if you would like to investigate further (and have
21003 significant computational and storage resources to do so), then let us
21006 @unnumberedsubsec Reducing the Set of Bootstrap Binaries
21008 Our bootstrap binaries currently include GCC, Guile, etc. That's a lot
21009 of binary code! Why is that a problem? It's a problem because these
21010 big chunks of binary code are practically non-auditable, which makes it
21011 hard to establish what source code produced them. Every unauditable
21012 binary also leaves us vulnerable to compiler backdoors as described by
21013 Ken Thompson in the 1984 paper @emph{Reflections on Trusting Trust}.
21015 This is mitigated by the fact that our bootstrap binaries were generated
21016 from an earlier Guix revision. Nevertheless it lacks the level of
21017 transparency that we get in the rest of the package dependency graph,
21018 where Guix always gives us a source-to-binary mapping. Thus, our goal
21019 is to reduce the set of bootstrap binaries to the bare minimum.
21021 The @uref{http://bootstrappable.org, Bootstrappable.org web site} lists
21022 on-going projects to do that. One of these is about replacing the
21023 bootstrap GCC with a sequence of assemblers, interpreters, and compilers
21024 of increasing complexity, which could be built from source starting from
21025 a simple and auditable assembler. Your help is welcome!
21029 @section Porting to a New Platform
21031 As discussed above, the GNU distribution is self-contained, and
21032 self-containment is achieved by relying on pre-built ``bootstrap
21033 binaries'' (@pxref{Bootstrapping}). These binaries are specific to an
21034 operating system kernel, CPU architecture, and application binary
21035 interface (ABI). Thus, to port the distribution to a platform that is
21036 not yet supported, one must build those bootstrap binaries, and update
21037 the @code{(gnu packages bootstrap)} module to use them on that platform.
21039 Fortunately, Guix can @emph{cross compile} those bootstrap binaries.
21040 When everything goes well, and assuming the GNU tool chain supports the
21041 target platform, this can be as simple as running a command like this
21045 guix build --target=armv5tel-linux-gnueabi bootstrap-tarballs
21048 For this to work, the @code{glibc-dynamic-linker} procedure in
21049 @code{(gnu packages bootstrap)} must be augmented to return the right
21050 file name for libc's dynamic linker on that platform; likewise,
21051 @code{system->linux-architecture} in @code{(gnu packages linux)} must be
21052 taught about the new platform.
21054 Once these are built, the @code{(gnu packages bootstrap)} module needs
21055 to be updated to refer to these binaries on the target platform. That
21056 is, the hashes and URLs of the bootstrap tarballs for the new platform
21057 must be added alongside those of the currently supported platforms. The
21058 bootstrap Guile tarball is treated specially: it is expected to be
21059 available locally, and @file{gnu/local.mk} has rules do download it for
21060 the supported architectures; a rule for the new platform must be added
21063 In practice, there may be some complications. First, it may be that the
21064 extended GNU triplet that specifies an ABI (like the @code{eabi} suffix
21065 above) is not recognized by all the GNU tools. Typically, glibc
21066 recognizes some of these, whereas GCC uses an extra @code{--with-abi}
21067 configure flag (see @code{gcc.scm} for examples of how to handle this).
21068 Second, some of the required packages could fail to build for that
21069 platform. Lastly, the generated binaries could be broken for some
21072 @c *********************************************************************
21073 @include contributing.texi
21075 @c *********************************************************************
21076 @node Acknowledgments
21077 @chapter Acknowledgments
21079 Guix is based on the @uref{http://nixos.org/nix/, Nix package manager},
21080 which was designed and
21081 implemented by Eelco Dolstra, with contributions from other people (see
21082 the @file{nix/AUTHORS} file in Guix.) Nix pioneered functional package
21083 management, and promoted unprecedented features, such as transactional
21084 package upgrades and rollbacks, per-user profiles, and referentially
21085 transparent build processes. Without this work, Guix would not exist.
21087 The Nix-based software distributions, Nixpkgs and NixOS, have also been
21088 an inspiration for Guix.
21090 GNU@tie{}Guix itself is a collective work with contributions from a
21091 number of people. See the @file{AUTHORS} file in Guix for more
21092 information on these fine people. The @file{THANKS} file lists people
21093 who have helped by reporting bugs, taking care of the infrastructure,
21094 providing artwork and themes, making suggestions, and more---thank you!
21097 @c *********************************************************************
21098 @node GNU Free Documentation License
21099 @appendix GNU Free Documentation License
21100 @cindex license, GNU Free Documentation License
21101 @include fdl-1.3.texi
21103 @c *********************************************************************
21104 @node Concept Index
21105 @unnumbered Concept Index
21108 @node Programming Index
21109 @unnumbered Programming Index
21110 @syncodeindex tp fn
21111 @syncodeindex vr fn
21116 @c Local Variables:
21117 @c ispell-local-dictionary: "american";