unofficial mirror of bug-guix@gnu.org 
* bug#56669: enhancement: Link guix system and guix home
From: Dale Mellor @ 2022-07-20 10:47 UTC
  To: 56669

I would like to be able to create a rescue disk for my system in which
the admin user's home directory contains a copy of an encrypted key,
for manually unlocking encrypted disk drives.

Following a short discussion in IRC, it appears the best route to
achieve this would be to link *guix system* and *guix home* together,
so that the system configuration file can specify

(user-account
   ...
   (configuration (local-file "my-home-config.scm")))

for example (it should be possible to use either (home-configuration)
or a file-like object here).

Hopefully this is an easy thing to accomplish, but I don't know...

Thanks,
Dale

* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-20 17:57 UTC
  To: guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-20 11:47, Dale Mellor wrote:

> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
> (user-account
>    ...
>    (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...
>

Hi Dale,

it's not easy, but doable.

This topic pops up from time to time, but this feature is not implemented
yet.

https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/

I have spare time tomorrow and can try to implement it; however, I don't
know how much time it will take, and if I don't finish tomorrow, there is
no guarantee that I'll finish it anytime soon.

-- 
Best regards,
Andrew Tropin

* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-21 17:13 UTC
  To: guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-20 20:57, Andrew Tropin wrote:

> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>>    ...
>>    (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
>
> I have spare time tomorrow and can try to implement it; however, I don't
> know how much time it will take, and if I don't finish tomorrow, there is
> no guarantee that I'll finish it anytime soon.

I built a home environment baked into an operating system and successfully
deployed it with guix deploy.  I face some issues with a similar setup on
a livecd, but I think I will figure it out soon and will publish the
results in a few days.

The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's a draft and will be rewritten; also, there are a few local commits
that I haven't sent to guix yet, but it should work without them if
elogind is enabled.

The usage example, config.scm:

;; This is an operating system configuration generated
;; by the graphical installer, extended with a Guix Home environment
;; for user "bob" and a 'machine' declaration for 'guix deploy'.

(use-modules (gnu)
             (gnu services home)      ; guix-home-service-type (draft, see commit above)
             (gnu home)
             (gnu home services)
             (gnu home services shells)
             (gnu packages admin)     ; htop
             (gnu machine)            ; machine, managed-host-environment-type
             (gnu machine ssh))       ; machine-ssh-configuration

(use-service-modules
  cups
  desktop
  networking
  ssh
  xorg)

;; The home environment that will be activated for "bob": one package
;; and a Bash configuration.
(define he
  (home-environment
   (packages (list htop))
   (services
    (list
     (service
      home-bash-service-type
      (home-bash-configuration))))))

(define os
  (operating-system
    (locale "en_US.utf8")
    (timezone "Europe/Moscow")
    (keyboard-layout
     (keyboard-layout "us" "altgr-intl"))
    (host-name "tmp")
    (users (cons* (user-account
                   (name "bob")
                   (comment "Bob")
                   (group "users")
                   (home-directory "/home/bob")
                   (supplementary-groups
                    '("wheel" "netdev" "audio" "video")))
                  %base-user-accounts))
    ;; Passwordless sudo for members of the wheel group.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                "%wheel  ALL=(ALL) NOPASSWD: ALL")))
    (packages
     (append
      (list (specification->package "nss-certs"))
      %base-packages))
    (services
     (append
      (list (service dhcp-client-service-type)
            ;; Root may log in over SSH with the key in ./ssh.key only;
            ;; password authentication is refused.
            (service openssh-service-type
                     (openssh-configuration
                      (permit-root-login #t)
                      (password-authentication? #f)
                      (authorized-keys
                       `(("root" ,(local-file "ssh.key"))))))
            ;; FIXME: Send two patches to make it work without elogind
            (service elogind-service-type)
            ;; Map user names to home environments: HE is activated for "bob".
            (service
             guix-home-service-type
             `(("bob" . ,he)))

            (service ntp-service-type))
      (modify-services %base-services
        (guix-service-type
         config =>
         (guix-configuration
          (inherit config)
          (substitute-urls '("http://ci.guix.trop.in"
                             "https://bordeaux.guix.gnu.org"))
          ;; Trust the deploying machine's signing key so that
          ;; 'guix deploy' can push store items to this system.
          (authorized-keys
           (append (list (local-file "/etc/guix/signing-key.pub"))
                   %default-authorized-guix-keys)))))))
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      (targets (list "/dev/sda"))
      (keyboard-layout keyboard-layout)))
    (swap-devices
     (list (swap-space
            (target
             (uuid "8b332a77-38ec-4abf-9cf4-c755f8f27805")))))
    (file-systems
     (cons* (file-system
              (mount-point "/")
              (device
               (uuid "9382dc00-c702-4b70-955f-6c804c59b6c0"
                     'ext4))
              (type "ext4"))
            %base-file-systems))))

(define host "qemu")
(define user "bob")

;; Deployment target for 'guix deploy': the machine named "qemu", reached
;; as root over SSH.  'host-key' pins the server key that is expected.
(list (machine
       (operating-system os)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name host)
                       (allow-downgrades? #t)
                       (system "x86_64-linux")
                       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKPj2X6gmxLzj956AE2YBihTibmpaXj+G51r4zkbQ+2")
                       (user "root")))))

-- 
Best regards,
Andrew Tropin

* bug#56669: enhancement: Link guix system and guix home
From: Maxime Devos @ 2022-07-21 17:25 UTC
  To: Andrew Tropin, guix-bug-va9nk6, 56669; +Cc: Tissevert

On 21-07-2022 19:13, Andrew Tropin wrote:

> The source code is here:
> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

What's the 'guix-home-gc-roots' for? I would expect the reference 
#$(file-append he "/activate") to be sufficient to keep things from 
being gc'ed.

> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
> (start #~(make-forkexec-constructor + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
> '(#$(file-append he "/activate")) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
> #:user #$user + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
> #:environment-variables + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
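Review bot: the #:environment-variables list in this make-forkexec-constructor call hands the activation script HOME and nothing else; because that keyword replaces rather than extends the environment shepherd itself inherited, the script (and any activation hook of a home service it runs) executes without USER, LOGNAME, PATH or GUIX_LOCPATH. Suggest passing at least USER and LOGNAME next to HOME, and binding (getpw #$user) once in a let rather than calling it three times, so that the directory, uid and gid are guaranteed to come from the same passwd entry.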
I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
already internally by /activate, you could consider doing it in a 
container to reduce potential irreproducibility, or insecurity on 
multi-user systems (I'd assume the #:user + #:group to be sufficient for 
security, especially if it appears sufficient for other system services, 
but I'm not some expert on what things need to be set).

> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
> (one-shot? #t) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
> (auto-start? #f)
Wouldn't it then be possible for the user to log in via the login manager
before initialisation has completed, as gdm etc. don't wait for
guix-home-... currently?

Greetings,
Maxime.
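As an added illustration (not code from this thread or from the rde commit linked above), the following shows the shape of a one-shot Shepherd service that addresses the two points raised in this message: it waits for the activation script to exit, so that a login manager can list the service in its requirements and not present a prompt before the home directory is set up, and it hands the script an explicit, login-like environment rather than HOME alone. The procedure name home-activation-shepherd-service is made up for this example; it assumes Shepherd's fork+exec-command, Guix's user-processes and file-systems Shepherd services, and that HE is a home-environment whose build output contains an activate script, as in the draft.

```scheme
(use-modules (gnu services)
             (gnu services shepherd)
             (guix gexp))

;; Illustrative helper (not part of Guix): build a one-shot Shepherd
;; service that runs the activation script of home environment HE as
;; the unprivileged user USER and only reports success once the script
;; has exited.
(define (home-activation-shepherd-service user he)
  (shepherd-service
   (documentation
    (string-append "Activate the Guix Home environment of " user "."))
   (provision (list (symbol-append 'guix-home- (string->symbol user))))
   ;; Home directories must be mounted and the user database usable
   ;; before activation runs.
   (requirement '(user-processes file-systems))
   ;; Run once per boot and start on its own, so that a service which
   ;; presents a login prompt can depend on 'guix-home-<user>'.
   (one-shot? #t)
   (auto-start? #t)
   (start
    #~(lambda _
        (let* ((pw    (getpw #$user))   ; look the user up exactly once
               (home  (passwd:dir pw))
               (group (group:name (getgrgid (passwd:gid pw))))
               (pid   (fork+exec-command
                       (list #$(file-append he "/activate"))
                       #:user #$user
                       #:group group
                       #:directory home
                       ;; This list replaces shepherd's own environment,
                       ;; so give the script what a login shell would see.
                       #:environment-variables
                       (list (string-append "HOME=" home)
                             (string-append "USER=" #$user)
                             (string-append "LOGNAME=" #$user)
                             "PATH=/run/current-system/profile/bin"
                             "GUIX_LOCPATH=/run/current-system/locale"))))
          ;; A one-shot service must not be marked as done while the
          ;; activation is still in progress: wait and check the status.
          (let ((status (cdr (waitpid pid))))
            (eqv? 0 (status:exit-val status))))))))

;; Registering it for one user in an operating-system 'services' field,
;; given a home-environment HE:
;;
;;   (simple-service 'bob-home shepherd-root-service-type
;;                   (list (home-activation-shepherd-service "bob" he)))
```

Because the service is a one-shot that blocks until the script returns, a display manager's Shepherd service can name guix-home-bob in its requirement list and the race described above disappears; the environment list is deliberately closed, so anything the activation script genuinely needs has to be listed there rather than leaking in from the daemon.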

* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-26  9:23 UTC
  To: Maxime Devos, guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-21 19:25, Maxime Devos wrote:

> On 21-07-2022 19:13, Andrew Tropin wrote:
>
>> The source code is here:
>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>
> What's the 'guix-home-gc-roots' for? I would expect the reference 
> #$(file-append he "/activate") to be sufficient to keep things from 
> being gc'ed.

It was needed while I was testing manual activation without a shepherd
service; it's not needed anymore, and I have already removed it locally.

>
>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
>> (start #~(make-forkexec-constructor + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
>> '(#$(file-append he "/activate")) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
>> #:user #$user + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
>> #:environment-variables + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
> already internally by /activate, you could consider doing it in a 
> container to reduce potential irreproducibility, or insecurity on 
> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
> security, especially if it appears sufficient for other system services, 
> but I'm not some expert on what things need to be set).
>
It's not set by /activate.

>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
>> (one-shot? #t) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
>> (auto-start? #f)
> Wouldn't it then be possible for the user to log in via the login manager
> before initialisation has completed, as gdm etc. don't wait for
> guix-home-... currently?

You are right; like the first one, it was needed for a more manual
approach.  Changed to #t, thank you.

Three patches needed for this service to work are on the way on
guix-patches.  In the meantime, I will try to build a livecd with the
home environment inside.

P.S. Probably this system service is far from the final version of this
feature; I am still thinking about making home-environment a part of
user-account.  I will evaluate the pros and cons after I get the livecd
built successfully.

-- 
Best regards,
Andrew Tropin