unofficial mirror of bug-guix@gnu.org 
From: Andrew Tropin <andrew@trop.in>
To: guix-bug-va9nk6@rdmp.org, 56669@debbugs.gnu.org
Cc: Tissevert <tissevert+guix@marvid.fr>
Subject: bug#56669: enhancement: Link guix system and guix home
Date: Thu, 21 Jul 2022 20:13:04 +0300
Message-ID: <87k086crtr.fsf@trop.in>
In-Reply-To: <87o7xjbrb1.fsf@trop.in>



On 2022-07-20 20:57, Andrew Tropin wrote:

> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>>    ...
>>    (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
>
> I have spare time tomorrow and can try to implement it, however I don't
> know how much time it will take, and if I don't finish tomorrow, there is
> no guarantee that I'll finish it anytime soon.

I built a home environment baked into an operating system and successfully
deployed it with guix deploy.  I face some issues with a similar setup on
the live CD, but I think I will figure it out soon and will publish the
results in a few days.

The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's a draft and will be rewritten; also there are a few local commits
that I haven't sent to Guix yet, but it should work without them if
elogind is enabled.

A usage example:

[-- Attachment #1.2: config.scm --]

;; This is an operating system configuration generated
;; by the graphical installer, extended with a home environment that is
;; built together with the system and with a 'guix deploy' machine entry.

(use-modules (gnu)
             (gnu services home))        ; guix-home-service-type (draft)

(use-service-modules
  cups
  desktop
  networking
  ssh
  xorg)

(use-modules (gnu home)
             (gnu home services)
             (gnu home services shells)
             (gnu packages admin))

;; 'guix deploy' preloads these two modules, so the file worked without
;; them; importing them explicitly keeps it loadable elsewhere too.
(use-modules (gnu machine)
             (gnu machine ssh))

;; The home environment that will be baked into the system for "bob".
(define he
  (home-environment
   (packages (list htop))
   (services
    (list
     (service
      home-bash-service-type
      (home-bash-configuration))))))

(define os
  (operating-system
    (locale "en_US.utf8")
    (timezone "Europe/Moscow")
    (keyboard-layout
     (keyboard-layout "us" "altgr-intl"))
    (host-name "tmp")
    (users (cons* (user-account
                   (name "bob")
                   (comment "Bob")
                   (group "users")
                   (home-directory "/home/bob")
                   (supplementary-groups
                    '("wheel" "netdev" "audio" "video")))
                  %base-user-accounts))
    ;; Passwordless sudo for the whole wheel group.  Convenient on a test
    ;; VM, but any shell running as "bob" is then effectively root.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                "%wheel  ALL=(ALL) NOPASSWD: ALL")))
    (packages
     (append
      (list (specification->package "nss-certs"))
      %base-packages))
    (services
     (append
      (list (service dhcp-client-service-type)
            ;; Root may log in over SSH, but only with the key in ssh.key;
            ;; password authentication is off.  'guix deploy' below relies
            ;; on this root access.
            (service openssh-service-type
                     (openssh-configuration
                      (permit-root-login #t)
                      (password-authentication? #f)
                      (authorized-keys
                       `(("root" ,(local-file "ssh.key"))))))
            ;; FIXME: Send two patches to make it work without elogind
            (service elogind-service-type)
            ;; The new service: an alist mapping a user name to the
            ;; home-environment to build and activate for that user.
            (service
             guix-home-service-type
             `(("bob" . ,he)))

            (service ntp-service-type))
      (modify-services %base-services
        (guix-service-type
         config =>
         (guix-configuration
          (inherit config)
          (substitute-urls '("http://ci.guix.trop.in"
                             "https://bordeaux.guix.gnu.org"))
          ;; Authorize the deploying machine's signing key on the target so
          ;; that 'guix deploy' can push store items to it.
          (authorized-keys
           (append (list (local-file "/etc/guix/signing-key.pub"))
                   %default-authorized-guix-keys)))))))
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      (targets (list "/dev/sda"))
      (keyboard-layout keyboard-layout)))
    (swap-devices
     (list (swap-space
            (target
             (uuid "8b332a77-38ec-4abf-9cf4-c755f8f27805")))))
    (file-systems
     (cons* (file-system
              (mount-point "/")
              (device
               (uuid "9382dc00-c702-4b70-955f-6c804c59b6c0"
                     'ext4))
              (type "ext4"))
            %base-file-systems))))

(define host "qemu")
(define user "bob")

;; Deployment target for 'guix deploy config.scm': the system (home
;; environment included) is built locally and installed over SSH as root.
;; The host key is pinned, so nothing on the path to "qemu" can impersonate
;; the target; allow-downgrades? lets the target accept a system built from
;; an older Guix than the one it currently runs (fine for a test VM).
(list (machine
       (operating-system os)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name host)
                       (allow-downgrades? #t)
                       (system "x86_64-linux")
                       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKPj2X6gmxLzj956AE2YBihTibmpaXj+G51r4zkbQ+2")
                       (user "root")))))


-- 
Best regards,
Andrew Tropin
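The rescue-disk case from Dale's original report, written up as an added example for this page (it is not code from the bug report, from Guix, or from the rde commit linked above): the admin user's home environment carries a GPG-encrypted copy of a LUKS key file plus a bash alias for the manual unlock, and that home environment is baked into the operating system with the draft guix-home-service-type. It takes from Andrew's draft the assumptions that guix-home-service-type is exported by (gnu services home), takes an alist of (user-name . home-environment) and needs elogind; beyond the page it assumes that home-files-service-type takes file names relative to $HOME, and the names rescue.key.gpg, admin, the "rescue" file-system label and the password hash are placeholders to replace.

```scheme
;; Added example for the rescue-disk use case; not from the bug report or
;; the rde commit.  Assumes the draft guix-home-service-type from
;; (gnu services home), used the same way as in the config above.
(use-modules (gnu)
             (gnu services home)            ; guix-home-service-type (draft)
             (gnu home)
             (gnu home services)            ; home-files-service-type
             (gnu home services shells)
             (gnu packages admin)
             (gnu packages cryptsetup)
             (gnu packages gnupg))

(use-service-modules desktop networking)

;; Anything referenced through local-file is copied into /gnu/store, which
;; is world-readable on the built image and may even be served as a
;; substitute.  So only an *encrypted* key may travel this way (assumed to
;; have been produced with: gpg --symmetric --output rescue.key.gpg luks.key);
;; the passphrase is typed at the rescue console and never lives in the config.
(define %encrypted-luks-key
  (local-file "rescue.key.gpg"))            ; hypothetical file next to this config

(define rescue-home
  (home-environment
   (packages (list htop gnupg pinentry-tty cryptsetup))
   (services
    (list
     ;; Files land in $HOME as symlinks into the store.
     (simple-service 'rescue-files home-files-service-type
                     `(("rescue.key.gpg" ,%encrypted-luks-key)
                       ;; Console-only system: make gpg-agent use the tty pinentry.
                       (".gnupg/gpg-agent.conf"
                        ,(mixed-text-file "gpg-agent.conf"
                                          "pinentry-program "
                                          pinentry-tty "/bin/pinentry-tty\n"))))
     (service home-bash-service-type
              (home-bash-configuration
               ;; Manual unlock: cache sudo credentials first so the sudo and
               ;; gpg prompts do not collide, then decrypt the key into a pipe
               ;; (never onto disk) and hand it to cryptsetup on stdin.
               ;; Usage at the console:  unlock-luks /dev/sdb1 data
               (aliases
                '(("unlock-luks"
                   . "sudo -v && gpg --decrypt ~/rescue.key.gpg | sudo cryptsetup open --key-file=-")))))))))

(define rescue-os
  (operating-system
    (host-name "rescue")
    (timezone "Etc/UTC")
    (locale "en_US.utf8")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets (list "/dev/sda"))))
    (file-systems (cons (file-system
                          (mount-point "/")
                          (device (file-system-label "rescue"))
                          (type "ext4"))
                        %base-file-systems))
    (users (cons (user-account
                  (name "admin")
                  (group "users")
                  (home-directory "/home/admin")
                  (supplementary-groups '("wheel"))
                  ;; Placeholder initial password, hashed at load time;
                  ;; change it with passwd on the running system.
                  (password (crypt "change-me-at-first-boot" "$6$rescue")))
                 %base-user-accounts))
    ;; The stock sudoers is kept: wheel may sudo, but sudo still asks for
    ;; admin's password.  The NOPASSWD line in the config above is handy on
    ;; a throwaway VM but makes every admin shell a root shell.
    (services
     (append (list (service dhcp-client-service-type)
                   ;; Needed by the draft service at the time of the message.
                   (service elogind-service-type)
                   (service guix-home-service-type
                            `(("admin" . ,rescue-home))))
             %base-services))))

rescue-os
```

The file evaluates to an operating-system, so it goes through `guix system reconfigure` or `guix system image -t iso9660`; Andrew writes above that the live-CD variant of his draft still had issues, so with the draft expect the reconfigure/deploy path to work first. After activation, `ls -l ~admin/rescue.key.gpg` shows the symlink into /gnu/store, which is the reminder that the store copy is readable by every local user. cryptsetup's `--key-file=-` reads the whole of stdin as the key, not just up to the first newline, which is what a random binary key file needs.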



Thread overview: 6+ messages
2022-07-20 10:47 bug#56669: enhancement: Link guix system and guix home Dale Mellor
2022-07-20 17:57 ` Andrew Tropin
2022-07-21 17:13   ` Andrew Tropin [this message]
2022-07-21 17:25     ` Maxime Devos
2022-07-26  9:23       ` Andrew Tropin
2023-02-08 13:42         ` Andrew Tropin

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
