···

       
14
       
14
       
 
       


     

       
15
       
15
       
 
       
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

     

       
16
       
16
       
 
       


     

       
17
       
17
       
+
       
- [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable).

     

       
18
       
18
       
+
       


     

       
17
       
19
       
 
       
- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).

     

       
18
       
20
       
 
       


     

       
19
       
21
       
 
       
- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).

     

···

       
683
       
683
       
 
       
  ./services/misc/gollum.nix

     

       
684
       
684
       
 
       
  ./services/misc/gpsd.nix

     

       
685
       
685
       
 
       
  ./services/misc/greenclip.nix

     

       
686
       
686
       
+
       
  ./services/misc/guix

     

       
686
       
687
       
 
       
  ./services/misc/headphones.nix

     

       
687
       
688
       
 
       
  ./services/misc/heisenbridge.nix

     

       
688
       
689
       
 
       
  ./services/misc/homepage-dashboard.nix

     

···

       
1
       
1
       
+
       
{ config, pkgs, lib, ... }:

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
let

     

       
4
       
4
       
+
       
  cfg = config.services.guix;

     

       
5
       
5
       
+
       


     

       
6
       
6
       
+
       
  package = cfg.package.override { inherit (cfg) stateDir storeDir; };

     

       
7
       
7
       
+
       


     

       
8
       
8
       
+
       
  guixBuildUser = id: {

     

       
9
       
9
       
+
       
    name = "guixbuilder${toString id}";

     

       
10
       
10
       
+
       
    group = cfg.group;

     

       
11
       
11
       
+
       
    extraGroups = [ cfg.group ];

     

       
12
       
12
       
+
       
    createHome = false;

     

       
13
       
13
       
+
       
    description = "Guix build user ${toString id}";

     

       
14
       
14
       
+
       
    isSystemUser = true;

     

       
15
       
15
       
+
       
  };

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
  guixBuildUsers = numberOfUsers:

     

       
18
       
18
       
+
       
    builtins.listToAttrs (map

     

       
19
       
19
       
+
       
      (user: {

     

       
20
       
20
       
+
       
        name = user.name;

     

       
21
       
21
       
+
       
        value = user;

     

       
22
       
22
       
+
       
      })

     

       
23
       
23
       
+
       
      (builtins.genList guixBuildUser numberOfUsers));

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
  # A set of Guix user profiles to be linked at activation.

     

       
26
       
26
       
+
       
  guixUserProfiles = {

     

       
27
       
27
       
+
       
    # The current Guix profile that is created through `guix pull`.

     

       
28
       
28
       
+
       
    "current-guix" = "\${XDG_CONFIG_HOME}/guix/current";

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
    # The default Guix profile similar to $HOME/.nix-profile from Nix.

     

       
31
       
31
       
+
       
    "guix-profile" = "$HOME/.guix-profile";

     

       
32
       
32
       
+
       
  };

     

       
33
       
33
       
+
       


     

       
34
       
34
       
+
       
  # All of the Guix profiles to be used.

     

       
35
       
35
       
+
       
  guixProfiles = lib.attrValues guixUserProfiles;

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
  serviceEnv = {

     

       
38
       
38
       
+
       
    GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale";

     

       
39
       
39
       
+
       
    LC_ALL = "C.UTF-8";

     

       
40
       
40
       
+
       
  };

     

       
41
       
41
       
+
       
in

     

       
42
       
42
       
+
       
{

     

       
43
       
43
       
+
       
  meta.maintainers = with lib.maintainers; [ foo-dogsquared ];

     

       
44
       
44
       
+
       


     

       
45
       
45
       
+
       
  options.services.guix = with lib; {

     

       
46
       
46
       
+
       
    enable = mkEnableOption "Guix build daemon service";

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
    group = mkOption {

     

       
49
       
49
       
+
       
      type = types.str;

     

       
50
       
50
       
+
       
      default = "guixbuild";

     

       
51
       
51
       
+
       
      example = "guixbuild";

     

       
52
       
52
       
+
       
      description = ''

     

       
53
       
53
       
+
       
        The group of the Guix build user pool.

     

       
54
       
54
       
+
       
      '';

     

       
55
       
55
       
+
       
    };

     

       
56
       
56
       
+
       


     

       
57
       
57
       
+
       
    nrBuildUsers = mkOption {

     

       
58
       
58
       
+
       
      type = types.ints.unsigned;

     

       
59
       
59
       
+
       
      description = ''

     

       
60
       
60
       
+
       
        Number of Guix build users to be used in the build pool.

     

       
61
       
61
       
+
       
      '';

     

       
62
       
62
       
+
       
      default = 10;

     

       
63
       
63
       
+
       
      example = 20;

     

       
64
       
64
       
+
       
    };

     

       
65
       
65
       
+
       


     

       
66
       
66
       
+
       
    extraArgs = mkOption {

     

       
67
       
67
       
+
       
      type = with types; listOf str;

     

       
68
       
68
       
+
       
      default = [ ];

     

       
69
       
69
       
+
       
      example = [ "--max-jobs=4" "--debug" ];

     

       
70
       
70
       
+
       
      description = ''

     

       
71
       
71
       
+
       
        Extra flags to pass to the Guix daemon service.

     

       
72
       
72
       
+
       
      '';

     

       
73
       
73
       
+
       
    };

     

       
74
       
74
       
+
       


     

       
75
       
75
       
+
       
    package = mkPackageOption pkgs "guix" {

     

       
76
       
76
       
+
       
      extraDescription = ''

     

       
77
       
77
       
+
       
        It should contain {command}`guix-daemon` and {command}`guix`

     

       
78
       
78
       
+
       
        executable.

     

       
79
       
79
       
+
       
      '';

     

       
80
       
80
       
+
       
    };

     

       
81
       
81
       
+
       


     

       
82
       
82
       
+
       
    storeDir = mkOption {

     

       
83
       
83
       
+
       
      type = types.path;

     

       
84
       
84
       
+
       
      default = "/gnu/store";

     

       
85
       
85
       
+
       
      description = ''

     

       
86
       
86
       
+
       
        The store directory where the Guix service will serve to/from. Take

     

       
87
       
87
       
+
       
        note Guix cannot take advantage of substitutes if you set it something

     

       
88
       
88
       
+
       
        other than {file}`/gnu/store` since most of the cached builds are

     

       
89
       
89
       
+
       
        assumed to be in there.

     

       
90
       
90
       
+
       


     

       
91
       
91
       
+
       
        ::: {.warning}

     

       
92
       
92
       
+
       
        This will also recompile all packages because the normal cache no

     

       
93
       
93
       
+
       
        longer applies.

     

       
94
       
94
       
+
       
        :::

     

       
95
       
95
       
+
       
      '';

     

       
96
       
96
       
+
       
    };

     

       
97
       
97
       
+
       


     

       
98
       
98
       
+
       
    stateDir = mkOption {

     

       
99
       
99
       
+
       
      type = types.path;

     

       
100
       
100
       
+
       
      default = "/var";

     

       
101
       
101
       
+
       
      description = ''

     

       
102
       
102
       
+
       
        The state directory where Guix service will store its data such as its

     

       
103
       
103
       
+
       
        user-specific profiles, cache, and state files.

     

       
104
       
104
       
+
       


     

       
105
       
105
       
+
       
        ::: {.warning}

     

       
106
       
106
       
+
       
        Changing it to something other than the default will rebuild the

     

       
107
       
107
       
+
       
        package.

     

       
108
       
108
       
+
       
        :::

     

       
109
       
109
       
+
       
      '';

     

       
110
       
110
       
+
       
      example = "/gnu/var";

     

       
111
       
111
       
+
       
    };

     

       
112
       
112
       
+
       


     

       
113
       
113
       
+
       
    publish = {

     

       
114
       
114
       
+
       
      enable = mkEnableOption "substitute server for your Guix store directory";

     

       
115
       
115
       
+
       


     

       
116
       
116
       
+
       
      generateKeyPair = mkOption {

     

       
117
       
117
       
+
       
        type = types.bool;

     

       
118
       
118
       
+
       
        description = ''

     

       
119
       
119
       
+
       
          Whether to generate signing keys in {file}`/etc/guix` which are

     

       
120
       
120
       
+
       
          required to initialize a substitute server. Otherwise,

     

       
121
       
121
       
+
       
          `--public-key=$FILE` and `--private-key=$FILE` can be passed in

     

       
122
       
122
       
+
       
          {option}`services.guix.publish.extraArgs`.

     

       
123
       
123
       
+
       
        '';

     

       
124
       
124
       
+
       
        default = true;

     

       
125
       
125
       
+
       
        example = false;

     

       
126
       
126
       
+
       
      };

     

       
127
       
127
       
+
       


     

       
128
       
128
       
+
       
      port = mkOption {

     

       
129
       
129
       
+
       
        type = types.port;

     

       
130
       
130
       
+
       
        default = 8181;

     

       
131
       
131
       
+
       
        example = 8200;

     

       
132
       
132
       
+
       
        description = ''

     

       
133
       
133
       
+
       
          Port of the substitute server to listen on.

     

       
134
       
134
       
+
       
        '';

     

       
135
       
135
       
+
       
      };

     

       
136
       
136
       
+
       


     

       
137
       
137
       
+
       
      user = mkOption {

     

       
138
       
138
       
+
       
        type = types.str;

     

       
139
       
139
       
+
       
        default = "guix-publish";

     

       
140
       
140
       
+
       
        description = ''

     

       
141
       
141
       
+
       
          Name of the user to change once the server is up.

     

       
142
       
142
       
+
       
        '';

     

       
143
       
143
       
+
       
      };

     

       
144
       
144
       
+
       


     

       
145
       
145
       
+
       
      extraArgs = mkOption {

     

       
146
       
146
       
+
       
        type = with types; listOf str;

     

       
147
       
147
       
+
       
        description = ''

     

       
148
       
148
       
+
       
          Extra flags to pass to the substitute server.

     

       
149
       
149
       
+
       
        '';

     

       
150
       
150
       
+
       
        default = [];

     

       
151
       
151
       
+
       
        example = [

     

       
152
       
152
       
+
       
          "--compression=zstd:6"

     

       
153
       
153
       
+
       
          "--discover=no"

     

       
154
       
154
       
+
       
        ];

     

       
155
       
155
       
+
       
      };

     

       
156
       
156
       
+
       
    };

     

       
157
       
157
       
+
       


     

       
158
       
158
       
+
       
    gc = {

     

       
159
       
159
       
+
       
      enable = mkEnableOption "automatic garbage collection service for Guix";

     

       
160
       
160
       
+
       


     

       
161
       
161
       
+
       
      extraArgs = mkOption {

     

       
162
       
162
       
+
       
        type = with types; listOf str;

     

       
163
       
163
       
+
       
        default = [ ];

     

       
164
       
164
       
+
       
        description = ''

     

       
165
       
165
       
+
       
          List of arguments to be passed to {command}`guix gc`.

     

       
166
       
166
       
+
       


     

       
167
       
167
       
+
       
          When given no option, it will try to collect all garbage which is

     

       
168
       
168
       
+
       
          often inconvenient so it is recommended to set [some

     

       
169
       
169
       
+
       
          options](https://guix.gnu.org/en/manual/en/html_node/Invoking-guix-gc.html).

     

       
170
       
170
       
+
       
        '';

     

       
171
       
171
       
+
       
        example = [

     

       
172
       
172
       
+
       
          "--delete-generations=1m"

     

       
173
       
173
       
+
       
          "--free-space=10G"

     

       
174
       
174
       
+
       
          "--optimize"

     

       
175
       
175
       
+
       
        ];

     

       
176
       
176
       
+
       
      };

     

       
177
       
177
       
+
       


     

       
178
       
178
       
+
       
      dates = lib.mkOption {

     

       
179
       
179
       
+
       
        type = types.str;

     

       
180
       
180
       
+
       
        default = "03:15";

     

       
181
       
181
       
+
       
        example = "weekly";

     

       
182
       
182
       
+
       
        description = ''

     

       
183
       
183
       
+
       
          How often the garbage collection occurs. This takes the time format

     

       
184
       
184
       
+
       
          from {manpage}`systemd.time(7)`.

     

       
185
       
185
       
+
       
        '';

     

       
186
       
186
       
+
       
      };

     

       
187
       
187
       
+
       
    };

     

       
188
       
188
       
+
       
  };

     

       
189
       
189
       
+
       


     

       
190
       
190
       
+
       
  config = lib.mkIf cfg.enable (lib.mkMerge [

     

       
191
       
191
       
+
       
    {

     

       
192
       
192
       
+
       
      environment.systemPackages = [ package ];

     

       
193
       
193
       
+
       


     

       
194
       
194
       
+
       
      users.users = guixBuildUsers cfg.nrBuildUsers;

     

       
195
       
195
       
+
       
      users.groups.${cfg.group} = { };

     

       
196
       
196
       
+
       


     

       
197
       
197
       
+
       
      # Guix uses Avahi (through guile-avahi) both for the auto-discovering and

     

       
198
       
198
       
+
       
      # advertising substitute servers in the local network.

     

       
199
       
199
       
+
       
      services.avahi.enable = lib.mkDefault true;

     

       
200
       
200
       
+
       
      services.avahi.publish.enable = lib.mkDefault true;

     

       
201
       
201
       
+
       
      services.avahi.publish.userServices = lib.mkDefault true;

     

       
202
       
202
       
+
       


     

       
203
       
203
       
+
       
      # It's similar to Nix daemon so there's no question whether or not this

     

       
204
       
204
       
+
       
      # should be sandboxed.

     

       
205
       
205
       
+
       
      systemd.services.guix-daemon = {

     

       
206
       
206
       
+
       
        environment = serviceEnv;

     

       
207
       
207
       
+
       
        script = ''

     

       
208
       
208
       
+
       
          ${lib.getExe' package "guix-daemon"} \

     

       
209
       
209
       
+
       
            --build-users-group=${cfg.group} \

     

       
210
       
210
       
+
       
            ${lib.escapeShellArgs cfg.extraArgs}

     

       
211
       
211
       
+
       
        '';

     

       
212
       
212
       
+
       
        serviceConfig = {

     

       
213
       
213
       
+
       
          OOMPolicy = "continue";

     

       
214
       
214
       
+
       
          RemainAfterExit = "yes";

     

       
215
       
215
       
+
       
          Restart = "always";

     

       
216
       
216
       
+
       
          TasksMax = 8192;

     

       
217
       
217
       
+
       
        };

     

       
218
       
218
       
+
       
        unitConfig.RequiresMountsFor = [

     

       
219
       
219
       
+
       
          cfg.storeDir

     

       
220
       
220
       
+
       
          cfg.stateDir

     

       
221
       
221
       
+
       
        ];

     

       
222
       
222
       
+
       
        wantedBy = [ "multi-user.target" ];

     

       
223
       
223
       
+
       
      };

     

       
224
       
224
       
+
       


     

       
225
       
225
       
+
       
      # This is based from Nix daemon socket unit from upstream Nix package.

     

       
226
       
226
       
+
       
      # Guix build daemon has support for systemd-style socket activation.

     

       
227
       
227
       
+
       
      systemd.sockets.guix-daemon = {

     

       
228
       
228
       
+
       
        description = "Guix daemon socket";

     

       
229
       
229
       
+
       
        before = [ "multi-user.target" ];

     

       
230
       
230
       
+
       
        listenStreams = [ "${cfg.stateDir}/guix/daemon-socket/socket" ];

     

       
231
       
231
       
+
       
        unitConfig = {

     

       
232
       
232
       
+
       
          RequiresMountsFor = [

     

       
233
       
233
       
+
       
            cfg.storeDir

     

       
234
       
234
       
+
       
            cfg.stateDir

     

       
235
       
235
       
+
       
          ];

     

       
236
       
236
       
+
       
          ConditionPathIsReadWrite = "${cfg.stateDir}/guix/daemon-socket";

     

       
237
       
237
       
+
       
        };

     

       
238
       
238
       
+
       
        wantedBy = [ "socket.target" ];

     

       
239
       
239
       
+
       
      };

     

       
240
       
240
       
+
       


     

       
241
       
241
       
+
       
      systemd.mounts = [{

     

       
242
       
242
       
+
       
        description = "Guix read-only store directory";

     

       
243
       
243
       
+
       
        before = [ "guix-daemon.service" ];

     

       
244
       
244
       
+
       
        what = cfg.storeDir;

     

       
245
       
245
       
+
       
        where = cfg.storeDir;

     

       
246
       
246
       
+
       
        type = "none";

     

       
247
       
247
       
+
       
        options = "bind,ro";

     

       
248
       
248
       
+
       


     

       
249
       
249
       
+
       
        unitConfig.DefaultDependencies = false;

     

       
250
       
250
       
+
       
        wantedBy = [ "guix-daemon.service" ];

     

       
251
       
251
       
+
       
      }];

     

       
252
       
252
       
+
       


     

       
253
       
253
       
+
       
      # Make transferring files from one store to another easier with the usual

     

       
254
       
254
       
+
       
      # case being of most substitutes from the official Guix CI instance.

     

       
255
       
255
       
+
       
      system.activationScripts.guix-authorize-keys = ''

     

       
256
       
256
       
+
       
        for official_server_keys in ${package}/share/guix/*.pub; do

     

       
257
       
257
       
+
       
          ${lib.getExe' package "guix"} archive --authorize < $official_server_keys

     

       
258
       
258
       
+
       
        done

     

       
259
       
259
       
+
       
      '';

     

       
260
       
260
       
+
       


     

       
261
       
261
       
+
       
      # Link the usual Guix profiles to the home directory. This is useful in

     

       
262
       
262
       
+
       
      # ephemeral setups where only certain part of the filesystem is

     

       
263
       
263
       
+
       
      # persistent (e.g., "Erase my darlings"-type of setup).

     

       
264
       
264
       
+
       
      system.userActivationScripts.guix-activate-user-profiles.text = let

     

       
265
       
265
       
+
       
        linkProfileToPath = acc: profile: location: let

     

       
266
       
266
       
+
       
          guixProfile = "${cfg.stateDir}/guix/profiles/per-user/\${USER}/${profile}";

     

       
267
       
267
       
+
       
          in acc + ''

     

       
268
       
268
       
+
       
            [ -d "${guixProfile}" ] && ln -sf "${guixProfile}" "${location}"

     

       
269
       
269
       
+
       
          '';

     

       
270
       
270
       
+
       


     

       
271
       
271
       
+
       
        activationScript = lib.foldlAttrs linkProfileToPath "" guixUserProfiles;

     

       
272
       
272
       
+
       
      in ''

     

       
273
       
273
       
+
       
        # Don't export this please! It is only expected to be used for this

     

       
274
       
274
       
+
       
        # activation script and nothing else.

     

       
275
       
275
       
+
       
        XDG_CONFIG_HOME=''${XDG_CONFIG_HOME:-$HOME/.config}

     

       
276
       
276
       
+
       


     

       
277
       
277
       
+
       
        # Linking the usual Guix profiles into the home directory.

     

       
278
       
278
       
+
       
        ${activationScript}

     

       
279
       
279
       
+
       
      '';

     

       
280
       
280
       
+
       


     

       
281
       
281
       
+
       
      # GUIX_LOCPATH is basically LOCPATH but for Guix libc which in turn used by

     

       
282
       
282
       
+
       
      # virtually every Guix-built packages. This is so that Guix-installed

     

       
283
       
283
       
+
       
      # applications wouldn't use incompatible locale data and not touch its host

     

       
284
       
284
       
+
       
      # system.

     

       
285
       
285
       
+
       
      environment.sessionVariables.GUIX_LOCPATH = lib.makeSearchPath "lib/locale" guixProfiles;

     

       
286
       
286
       
+
       


     

       
287
       
287
       
+
       
      # What Guix profiles export is very similar to Nix profiles so it is

     

       
288
       
288
       
+
       
      # acceptable to list it here. Also, it is more likely that the user would

     

       
289
       
289
       
+
       
      # want to use packages explicitly installed from Guix so we're putting it

     

       
290
       
290
       
+
       
      # first.

     

       
291
       
291
       
+
       
      environment.profiles = lib.mkBefore guixProfiles;

     

       
292
       
292
       
+
       
    }

     

       
293
       
293
       
+
       


     

       
294
       
294
       
+
       
    (lib.mkIf cfg.publish.enable {

     

       
295
       
295
       
+
       
      systemd.services.guix-publish = {

     

       
296
       
296
       
+
       
        description = "Guix remote store";

     

       
297
       
297
       
+
       
        environment = serviceEnv;

     

       
298
       
298
       
+
       


     

       
299
       
299
       
+
       
        # Mounts will be required by the daemon service anyways so there's no

     

       
300
       
300
       
+
       
        # need add RequiresMountsFor= or something similar.

     

       
301
       
301
       
+
       
        requires = [ "guix-daemon.service" ];

     

       
302
       
302
       
+
       
        after = [ "guix-daemon.service" ];

     

       
303
       
303
       
+
       
        partOf = [ "guix-daemon.service" ];

     

       
304
       
304
       
+
       


     

       
305
       
305
       
+
       
        preStart = lib.mkIf cfg.publish.generateKeyPair ''

     

       
306
       
306
       
+
       
          # Generate the keypair if it's missing.

     

       
307
       
307
       
+
       
          [ -f "/etc/guix/signing-key.sec" ] && [ -f "/etc/guix/signing-key.pub" ] || \

     

       
308
       
308
       
+
       
            ${lib.getExe' package "guix"} archive --generate-key || {

     

       
309
       
309
       
+
       
              rm /etc/guix/signing-key.*;

     

       
310
       
310
       
+
       
              ${lib.getExe' package "guix"} archive --generate-key;

     

       
311
       
311
       
+
       
            }

     

       
312
       
312
       
+
       
        '';

     

       
313
       
313
       
+
       
        script = ''

     

       
314
       
314
       
+
       
          ${lib.getExe' package "guix"} publish \

     

       
315
       
315
       
+
       
            --user=${cfg.publish.user} --port=${builtins.toString cfg.publish.port} \

     

       
316
       
316
       
+
       
            ${lib.escapeShellArgs cfg.publish.extraArgs}

     

       
317
       
317
       
+
       
        '';

     

       
318
       
318
       
+
       


     

       
319
       
319
       
+
       
        serviceConfig = {

     

       
320
       
320
       
+
       
          Restart = "always";

     

       
321
       
321
       
+
       
          RestartSec = 10;

     

       
322
       
322
       
+
       


     

       
323
       
323
       
+
       
          ProtectClock = true;

     

       
324
       
324
       
+
       
          ProtectHostname = true;

     

       
325
       
325
       
+
       
          ProtectKernelTunables = true;

     

       
326
       
326
       
+
       
          ProtectKernelModules = true;

     

       
327
       
327
       
+
       
          ProtectControlGroups = true;

     

       
328
       
328
       
+
       
          SystemCallFilter = [

     

       
329
       
329
       
+
       
            "@system-service"

     

       
330
       
330
       
+
       
            "@debug"

     

       
331
       
331
       
+
       
            "@setuid"

     

       
332
       
332
       
+
       
          ];

     

       
333
       
333
       
+
       


     

       
334
       
334
       
+
       
          RestrictNamespaces = true;

     

       
335
       
335
       
+
       
          RestrictAddressFamilies = [

     

       
336
       
336
       
+
       
            "AF_UNIX"

     

       
337
       
337
       
+
       
            "AF_INET"

     

       
338
       
338
       
+
       
            "AF_INET6"

     

       
339
       
339
       
+
       
          ];

     

       
340
       
340
       
+
       


     

       
341
       
341
       
+
       
          # While the permissions can be set, it is assumed to be taken by Guix

     

       
342
       
342
       
+
       
          # daemon service which it has already done the setup.

     

       
343
       
343
       
+
       
          ConfigurationDirectory = "guix";

     

       
344
       
344
       
+
       


     

       
345
       
345
       
+
       
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];

     

       
346
       
346
       
+
       
          CapabilityBoundingSet = [

     

       
347
       
347
       
+
       
            "CAP_NET_BIND_SERVICE"

     

       
348
       
348
       
+
       
            "CAP_SETUID"

     

       
349
       
349
       
+
       
            "CAP_SETGID"

     

       
350
       
350
       
+
       
          ];

     

       
351
       
351
       
+
       
        };

     

       
352
       
352
       
+
       
        wantedBy = [ "multi-user.target" ];

     

       
353
       
353
       
+
       
      };

     

       
354
       
354
       
+
       


     

       
355
       
355
       
+
       
      users.users.guix-publish = lib.mkIf (cfg.publish.user == "guix-publish") {

     

       
356
       
356
       
+
       
        description = "Guix publish user";

     

       
357
       
357
       
+
       
        group = config.users.groups.guix-publish.name;

     

       
358
       
358
       
+
       
        isSystemUser = true;

     

       
359
       
359
       
+
       
      };

     

       
360
       
360
       
+
       
      users.groups.guix-publish = {};

     

       
361
       
361
       
+
       
    })

     

       
362
       
362
       
+
       


     

       
363
       
363
       
+
       
    (lib.mkIf cfg.gc.enable {

     

       
364
       
364
       
+
       
      # This service should be handled by root to collect all garbage by all

     

       
365
       
365
       
+
       
      # users.

     

       
366
       
366
       
+
       
      systemd.services.guix-gc = {

     

       
367
       
367
       
+
       
        description = "Guix garbage collection";

     

       
368
       
368
       
+
       
        startAt = cfg.gc.dates;

     

       
369
       
369
       
+
       
        script = ''

     

       
370
       
370
       
+
       
          ${lib.getExe' package "guix"} gc ${lib.escapeShellArgs cfg.gc.extraArgs}

     

       
371
       
371
       
+
       
        '';

     

       
372
       
372
       
+
       


     

       
373
       
373
       
+
       
        serviceConfig = {

     

       
374
       
374
       
+
       
          Type = "oneshot";

     

       
375
       
375
       
+
       


     

       
376
       
376
       
+
       
          MemoryDenyWriteExecute = true;

     

       
377
       
377
       
+
       
          PrivateDevices = true;

     

       
378
       
378
       
+
       
          PrivateNetworks = true;

     

       
379
       
379
       
+
       
          ProtectControlGroups = true;

     

       
380
       
380
       
+
       
          ProtectHostname = true;

     

       
381
       
381
       
+
       
          ProtectKernelTunables = true;

     

       
382
       
382
       
+
       
          SystemCallFilter = [

     

       
383
       
383
       
+
       
            "@default"

     

       
384
       
384
       
+
       
            "@file-system"

     

       
385
       
385
       
+
       
            "@basic-io"

     

       
386
       
386
       
+
       
            "@system-service"

     

       
387
       
387
       
+
       
          ];

     

       
388
       
388
       
+
       
        };

     

       
389
       
389
       
+
       
      };

     

       
390
       
390
       
+
       


     

       
391
       
391
       
+
       
      systemd.timers.guix-gc.timerConfig.Persistent = true;

     

       
392
       
392
       
+
       
    })

     

       
393
       
393
       
+
       
  ]);

     

       
394
       
394
       
+
       
}

     

···

       
357
       
357
       
 
       
  grow-partition = runTest ./grow-partition.nix;

     

       
358
       
358
       
 
       
  grub = handleTest ./grub.nix {};

     

       
359
       
359
       
 
       
  guacamole-server = handleTest ./guacamole-server.nix {};

     

       
360
       
360
       
+
       
  guix = handleTest ./guix {};

     

       
360
       
361
       
 
       
  gvisor = handleTest ./gvisor.nix {};

     

       
361
       
362
       
 
       
  hadoop = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop; };

     

       
362
       
363
       
 
       
  hadoop_3_2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop_3_2; };

     

···

       
1
       
1
       
+
       
# Take note the Guix store directory is empty. Also, we're trying to prevent

     

       
2
       
2
       
+
       
# Guix from trying to downloading substitutes because of the restricted

     

       
3
       
3
       
+
       
# access (assuming it's in a sandboxed environment).

     

       
4
       
4
       
+
       
#

     

       
5
       
5
       
+
       
# So this test is what it is: a basic test while trying to use Guix as much as

     

       
6
       
6
       
+
       
# we possibly can (including the API) without triggering its download alarm.

     

       
7
       
7
       
+
       


     

       
8
       
8
       
+
       
import ../make-test-python.nix ({ lib, pkgs, ... }: {

     

       
9
       
9
       
+
       
  name = "guix-basic";

     

       
10
       
10
       
+
       
  meta.maintainers = with lib.maintainers; [ foo-dogsquared ];

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
  nodes.machine = { config, ... }: {

     

       
13
       
13
       
+
       
    environment.etc."guix/scripts".source = ./scripts;

     

       
14
       
14
       
+
       
    services.guix.enable = true;

     

       
15
       
15
       
+
       
  };

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
  testScript = ''

     

       
18
       
18
       
+
       
    import pathlib

     

       
19
       
19
       
+
       


     

       
20
       
20
       
+
       
    machine.wait_for_unit("multi-user.target")

     

       
21
       
21
       
+
       
    machine.wait_for_unit("guix-daemon.service")

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
    # Can't do much here since the environment has restricted network access.

     

       
24
       
24
       
+
       
    with subtest("Guix basic package management"):

     

       
25
       
25
       
+
       
      machine.succeed("guix build --dry-run --verbosity=0 hello")

     

       
26
       
26
       
+
       
      machine.succeed("guix show hello")

     

       
27
       
27
       
+
       


     

       
28
       
28
       
+
       
    # This is to see if the Guix API is usable and mostly working.

     

       
29
       
29
       
+
       
    with subtest("Guix API scripting"):

     

       
30
       
30
       
+
       
      scripts_dir = pathlib.Path("/etc/guix/scripts")

     

       
31
       
31
       
+
       


     

       
32
       
32
       
+
       
      text_msg = "Hello there, NixOS!"

     

       
33
       
33
       
+
       
      text_store_file = machine.succeed(f"guix repl -- {scripts_dir}/create-file-to-store.scm '{text_msg}'")

     

       
34
       
34
       
+
       
      assert machine.succeed(f"cat {text_store_file}") == text_msg

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
      machine.succeed(f"guix repl -- {scripts_dir}/add-existing-files-to-store.scm {scripts_dir}")

     

       
37
       
37
       
+
       
  '';

     

       
38
       
38
       
+
       
})

     

···

       
1
       
1
       
+
       
{ system ? builtins.currentSystem

     

       
2
       
2
       
+
       
, pkgs ? import ../../.. { inherit system; }

     

       
3
       
3
       
+
       
}:

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
{

     

       
6
       
6
       
+
       
  basic = import ./basic.nix { inherit system pkgs; };

     

       
7
       
7
       
+
       
  publish = import ./publish.nix { inherit system pkgs; };

     

       
8
       
8
       
+
       
}

     

···

       
1
       
1
       
+
       
# Testing out the substitute server with two machines in a local network. As a

     

       
2
       
2
       
+
       
# bonus, we'll also test a feature of the substitute server being able to

     

       
3
       
3
       
+
       
# advertise its service to the local network with Avahi.

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
import ../make-test-python.nix ({ pkgs, lib, ... }: let

     

       
6
       
6
       
+
       
  publishPort = 8181;

     

       
7
       
7
       
+
       
  inherit (builtins) toString;

     

       
8
       
8
       
+
       
in {

     

       
9
       
9
       
+
       
  name = "guix-publish";

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
  meta.maintainers = with lib.maintainers; [ foo-dogsquared ];

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
  nodes = let

     

       
14
       
14
       
+
       
    commonConfig = { config, ... }: {

     

       
15
       
15
       
+
       
      # We'll be using '--advertise' flag with the

     

       
16
       
16
       
+
       
      # substitute server which requires Avahi.

     

       
17
       
17
       
+
       
      services.avahi = {

     

       
18
       
18
       
+
       
        enable = true;

     

       
19
       
19
       
+
       
        nssmdns = true;

     

       
20
       
20
       
+
       
        publish = {

     

       
21
       
21
       
+
       
          enable = true;

     

       
22
       
22
       
+
       
          userServices = true;

     

       
23
       
23
       
+
       
        };

     

       
24
       
24
       
+
       
      };

     

       
25
       
25
       
+
       
    };

     

       
26
       
26
       
+
       
  in {

     

       
27
       
27
       
+
       
    server = { config, lib, pkgs, ... }: {

     

       
28
       
28
       
+
       
      imports = [ commonConfig ];

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
      services.guix = {

     

       
31
       
31
       
+
       
        enable = true;

     

       
32
       
32
       
+
       
        publish = {

     

       
33
       
33
       
+
       
          enable = true;

     

       
34
       
34
       
+
       
          port = publishPort;

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
          generateKeyPair = true;

     

       
37
       
37
       
+
       
          extraArgs = [ "--advertise" ];

     

       
38
       
38
       
+
       
        };

     

       
39
       
39
       
+
       
      };

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
      networking.firewall.allowedTCPPorts = [ publishPort ];

     

       
42
       
42
       
+
       
    };

     

       
43
       
43
       
+
       


     

       
44
       
44
       
+
       
    client = { config, lib, pkgs, ... }: {

     

       
45
       
45
       
+
       
      imports = [ commonConfig ];

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
      services.guix = {

     

       
48
       
48
       
+
       
        enable = true;

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
        extraArgs = [

     

       
51
       
51
       
+
       
          # Force to only get all substitutes from the local server. We don't

     

       
52
       
52
       
+
       
          # have anything in the Guix store directory and we cannot get

     

       
53
       
53
       
+
       
          # anything from the official substitute servers anyways.

     

       
54
       
54
       
+
       
          "--substitute-urls='http://server.local:${toString publishPort}'"

     

       
55
       
55
       
+
       


     

       
56
       
56
       
+
       
          # Enable autodiscovery of the substitute servers in the local

     

       
57
       
57
       
+
       
          # network. This machine shouldn't need to import the signing key from

     

       
58
       
58
       
+
       
          # the substitute server since it is automatically done anyways.

     

       
59
       
59
       
+
       
          "--discover=yes"

     

       
60
       
60
       
+
       
        ];

     

       
61
       
61
       
+
       
      };

     

       
62
       
62
       
+
       
    };

     

       
63
       
63
       
+
       
  };

     

       
64
       
64
       
+
       


     

       
65
       
65
       
+
       
  testScript = ''

     

       
66
       
66
       
+
       
    import pathlib

     

       
67
       
67
       
+
       


     

       
68
       
68
       
+
       
    start_all()

     

       
69
       
69
       
+
       


     

       
70
       
70
       
+
       
    scripts_dir = pathlib.Path("/etc/guix/scripts")

     

       
71
       
71
       
+
       


     

       
72
       
72
       
+
       
    for machine in machines:

     

       
73
       
73
       
+
       
      machine.wait_for_unit("multi-user.target")

     

       
74
       
74
       
+
       
      machine.wait_for_unit("guix-daemon.service")

     

       
75
       
75
       
+
       
      machine.wait_for_unit("avahi-daemon.service")

     

       
76
       
76
       
+
       


     

       
77
       
77
       
+
       
    server.wait_for_unit("guix-publish.service")

     

       
78
       
78
       
+
       
    server.wait_for_open_port(${toString publishPort})

     

       
79
       
79
       
+
       
    server.succeed("curl http://localhost:${toString publishPort}/")

     

       
80
       
80
       
+
       


     

       
81
       
81
       
+
       
    # Now it's the client turn to make use of it.

     

       
82
       
82
       
+
       
    substitute_server = "http://server.local:${toString publishPort}"

     

       
83
       
83
       
+
       
    client.wait_for_unit("network-online.target")

     

       
84
       
84
       
+
       
    response = client.succeed(f"curl {substitute_server}")

     

       
85
       
85
       
+
       
    assert "Guix Substitute Server" in response

     

       
86
       
86
       
+
       


     

       
87
       
87
       
+
       
    # Authorizing the server to be used as a substitute server.

     

       
88
       
88
       
+
       
    client.succeed(f"curl -O {substitute_server}/signing-key.pub")

     

       
89
       
89
       
+
       
    client.succeed("guix archive --authorize < ./signing-key.pub")

     

       
90
       
90
       
+
       


     

       
91
       
91
       
+
       
    # Since we're using the substitute server with the `--advertise` flag, we

     

       
92
       
92
       
+
       
    # might as well check it.

     

       
93
       
93
       
+
       
    client.succeed("avahi-browse --resolve --terminate _guix_publish._tcp | grep '_guix_publish._tcp'")

     

       
94
       
94
       
+
       
  '';

     

       
95
       
95
       
+
       
})

     

···

       
1
       
1
       
+
       
;; A simple script that adds each file given from the command-line into the

     

       
2
       
2
       
+
       
;; store and checks them if it's the same.

     

       
3
       
3
       
+
       
(use-modules (guix)

     

       
4
       
4
       
+
       
             (srfi srfi-1)

     

       
5
       
5
       
+
       
             (ice-9 ftw)

     

       
6
       
6
       
+
       
             (rnrs io ports))

     

       
7
       
7
       
+
       


     

       
8
       
8
       
+
       
;; This is based from tests/derivations.scm from Guix source code.

     

       
9
       
9
       
+
       
(define* (directory-contents dir #:optional (slurp get-bytevector-all))

     

       
10
       
10
       
+
       
         "Return an alist representing the contents of DIR"

     

       
11
       
11
       
+
       
         (define prefix-len (string-length dir))

     

       
12
       
12
       
+
       
         (sort (file-system-fold (const #t)

     

       
13
       
13
       
+
       
                                 (lambda (path stat result)

     

       
14
       
14
       
+
       
                                   (alist-cons (string-drop path prefix-len)

     

       
15
       
15
       
+
       
                                               (call-with-input-file path slurp)

     

       
16
       
16
       
+
       
                                               result))

     

       
17
       
17
       
+
       
                                 (lambda (path stat result) result)

     

       
18
       
18
       
+
       
                                 (lambda (path stat result) result)

     

       
19
       
19
       
+
       
                                 (lambda (path stat result) result)

     

       
20
       
20
       
+
       
                                 (lambda (path stat errno result) result)

     

       
21
       
21
       
+
       
                                 '()

     

       
22
       
22
       
+
       
                                 dir)

     

       
23
       
23
       
+
       
               (lambda (e1 e2)

     

       
24
       
24
       
+
       
                 (string<? (car e1) (car e2)))))

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
(define* (check-if-same store drv path)

     

       
27
       
27
       
+
       
         "Check if the given path and its store item are the same"

     

       
28
       
28
       
+
       
         (let* ((filetype (stat:type (stat drv))))

     

       
29
       
29
       
+
       
           (case filetype

     

       
30
       
30
       
+
       
             ((regular)

     

       
31
       
31
       
+
       
              (and (valid-path? store drv)

     

       
32
       
32
       
+
       
                   (equal? (call-with-input-file path get-bytevector-all)

     

       
33
       
33
       
+
       
                           (call-with-input-file drv get-bytevector-all))))

     

       
34
       
34
       
+
       
             ((directory)

     

       
35
       
35
       
+
       
              (and (valid-path? store drv)

     

       
36
       
36
       
+
       
                   (equal? (directory-contents path)

     

       
37
       
37
       
+
       
                           (directory-contents drv))))

     

       
38
       
38
       
+
       
             (else #f))))

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
(define* (add-and-check-item-to-store store path)

     

       
41
       
41
       
+
       
         "Add PATH to STORE and check if the contents are the same"

     

       
42
       
42
       
+
       
         (let* ((store-item (add-to-store store

     

       
43
       
43
       
+
       
                                          (basename path)

     

       
44
       
44
       
+
       
                                          #t "sha256" path))

     

       
45
       
45
       
+
       
                (is-same (check-if-same store store-item path)))

     

       
46
       
46
       
+
       
           (if (not is-same)

     

       
47
       
47
       
+
       
             (exit 1))))

     

       
48
       
48
       
+
       


     

       
49
       
49
       
+
       
(with-store store

     

       
50
       
50
       
+
       
            (map (lambda (path)

     

       
51
       
51
       
+
       
                   (add-and-check-item-to-store store (readlink* path)))

     

       
52
       
52
       
+
       
                 (cdr (command-line))))

     

···

       
1
       
1
       
+
       
;; A script that creates a store item with the given text and prints the

     

       
2
       
2
       
+
       
;; resulting store item path.

     

       
3
       
3
       
+
       
(use-modules (guix))

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
(with-store store

     

       
6
       
6
       
+
       
            (display (add-text-to-store store "guix-basic-test-text"

     

       
7
       
7
       
+
       
                                        (string-join

     

       
8
       
8
       
+
       
                                          (cdr (command-line))))))