From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id hgmEDx0WRmQaAAAASxT56A (envelope-from ) for ; Mon, 24 Apr 2023 07:39:41 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id +ySvDh0WRmS6tQAA9RJhRA (envelope-from ) for ; Mon, 24 Apr 2023 07:39:41 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A71D626C83 for ; Mon, 24 Apr 2023 07:39:40 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pqnUe-00054N-Ls; Mon, 24 Apr 2023 00:08:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pqlXe-0005IH-8l for help-guix@gnu.org; Sun, 23 Apr 2023 22:02:58 -0400 Received: from mail-pf1-x42b.google.com ([2607:f8b0:4864:20::42b]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pqlXG-00055U-Bq for help-guix@gnu.org; Sun, 23 Apr 2023 22:02:44 -0400 Received: by mail-pf1-x42b.google.com with SMTP id d2e1a72fcca58-63d2ba63dddso3208081b3a.2 for ; Sun, 23 Apr 2023 19:02:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682301751; x=1684893751; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=czjK1BzndyuccWlnAsgRM+ijCtPI1ukGaTFONjtBPvU=; b=le2+6pJpmkjLmetkEImfG/rWdq6yYWm7HKB6M+iJcBw7bHIYA3hCS4Zq6oUNOM430k Ai8mkSecw3Bs7LUd/EKijWLiQQzgO/Eh50onYkbmyvnpkhx9bMS9CKkTcrW0+gYJ3sPB ID7vt3ChsEbhrVnoBwzGhh3V637BC/NpCjFRWhNS7C3P2w6twGQB8hQ37ORLgi9liilP BwPDyNumQOTZBRaWYk6MVmBoq2QvcNWuALewbj4JXVB4g5iuJ2cK1OpFb9P2196mejq5 irwXBAimdNMgQQDzCXy0AOGEwcRMMmP75J2K9H6xS3MCLsTMP4hK2OKUUf1EaAPxYra/ q4qQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682301751; x=1684893751; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=czjK1BzndyuccWlnAsgRM+ijCtPI1ukGaTFONjtBPvU=; b=kJPs04tafvug53f2xFp0rxYpgewtXGKPokM7vsCSuY+7twBkHo5iJMcfWafEBzEg5N 3Q89uVUXZVJvUM0AOAw34n/+dBbtBV+9UH7fTaFVrA+er+lfa+a6yXrwAADi+syi6/Rz GaQdPxjFX13YkXhfunr+z3X4M/k8Q4+P/AwMtqm1SJZvseQxwfsEYG2jss4OD/MTYnIr 70We5De9ACPz7NleCluvzmzHOAGboArwQoxcfEJhxwTvIbZEEMJSqGyZd44tTdaiHx4n hIixTes8mIh/fCMjjyS5OBXVLoSGmhwQ6fvZYJ41ua+0DvftDUpZ45gGnqwEWNcpDDRM 6bbg== X-Gm-Message-State: AAQBX9cYnTBgWvO491UkZOOwzLgR18SJKiRqr7zNQtFl37iHBjEW0MP1 8m+4AiNOuhaMUJuMQF3rYW1AcljvEl1v/A== X-Google-Smtp-Source: AKy350aN4aH5RlBzL7VR26ybmk1DvQnLI6t8cd0KjU1ODDOwt+FS7x0P926AS2PraxgUXfCeue3eNg== X-Received: by 2002:a05:6a20:a11e:b0:eb:8833:c92f with SMTP id q30-20020a056a20a11e00b000eb8833c92fmr19002704pzk.5.1682301751077; Sun, 23 Apr 2023 19:02:31 -0700 (PDT) Received: from igor ([2601:646:8200:1ec0::cbc7]) by smtp.gmail.com with ESMTPSA id p2-20020a62b802000000b0063b8d21be5asm4920213pfe.147.2023.04.23.19.02.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 23 Apr 2023 19:02:30 -0700 (PDT) From: Zacchaeus Scheffer To: help-guix@gnu.org Subject: =?utf-8?Q?Guix-=CE=BCSD=3A?= setting up Guix on a =?utf-8?Q?=CE=BCSD?= for the Librem 5 Date: Sun, 23 Apr 2023 19:02:29 -0700 Message-ID: <87a5yy11hm.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=2607:f8b0:4864:20::42b; envelope-from=zaccysc@gmail.com; helo=mail-pf1-x42b.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Mon, 24 Apr 2023 00:01:58 -0400 X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: help-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Seal: i=1; s=key1; d=yhetil.org; t=1682314780; a=rsa-sha256; cv=none; b=BED6zGRMJdHSK4AOmTcWeqGTc94Qr+Q3UVOA9mT54W8kMEjNNMbT7w/AQnK4ZpPW4x/8Q8 fUlrCTQ6m3rMPnZUtmmtZ6eZEeOpHa3HG04VGGWI5XcOAQEPcDhA5KCPmDIYMmQkoryt4G PWanZkQ4nfrIg+cZS0WXPiwJzg/sHJizWknIDpurAFSOsPMZH9+tLFSLqHRHN06ctPEYL3 XXa0hrovQ+sVb48B0SKsXJ99v3Fkeb2boWZwe3TymaG9Htckj8riyMfADTiGryHMco/6Tr Fm0YxgE8bAZ8RJIrHZrXa0gpRnz4eZ/s17J17QNjQ7k1ZkzoguqJ4dx3BprWEw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20221208 header.b=le2+6pJp; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1682314780; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=czjK1BzndyuccWlnAsgRM+ijCtPI1ukGaTFONjtBPvU=; b=LoHxKz+5/Bwizfq+iGVKfBgUGLWx5ZTsWlxvPMYMsmF/knnK5NHgl1e1aQAWf5kaQaLleC HQ3ROwglO5C6+7r5nBllNV0hQU9LkKGcTphcY4PD+7ENApje7IgSDdNJ2Q4so0vGqGk3Dn 0YLE/C3chc3/hAYRHH/teI2KkGXmmWG/ryMbaocK7iPHrGHsyR8K9/+gxYp4j4PW9kmVNN TweoUXduIEmB4gVZUNxq44qbrt+HiK3LhPa8U77vYv/NSOl6jxF/ld3rUpVLHYSmXgCl1L +0VKZwns5tGrho6EQwr+eXrk5Tav8EcMfkvQT/vpPZo36HepK9qvn41gYDISEw== X-Migadu-Scanner: scn1.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20221208 header.b=le2+6pJp; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -6.44 X-Spam-Score: -6.44 X-Migadu-Queue-Id: A71D626C83 X-TUID: uBSHVf/Te0+/ The following is my first draft of Guix-=CE=BCSD, a literate program detailing an optimal setup of guix home on PureOS for the Librem 5 (best viewed in org-mode): #! emacs --script ;; -*- org -*- (find-file load-file-name) (org-mode) (org-babel-tangle) (kill-emacs) Copyright (=F0=9F=84=AF) 2023 Zacchae. Permission is granted to copy, distribute and/or modify these documents under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, no Back-Cover Texts, and no History section. Additionally, all code/functional structure contained in these documents is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. * Introduction This guide is a literate program to help you bootstrap a working guix home install onto your Librem 5 running PureOS. Guix system (Guix-SD) does not yet support the Librem 5, but you can still install the guix package manager on the Librem 5. This process is supposed to get you as close as possible to a Guix-SD system, putting everything on a =CE=BCSD card, thus I call this Guix-=CE=BCSD. I detail here everything I touched in PureOS, and leave the rest of the guix hacking to you. The Librem 5 has only ~30GiB of internal memory, so this process puts guix, as well as all of your personal files, on a =CE=BCSD, which I assume from here on that you have already inserted. There is no garuntee that it will work, especially as systems change and get updated, and you should understand/test each line before running it. In theory, you should be able to open your new Librem 5 and obtain this program by running (in ~): #+begin_src shell :tangle no sudo bash -c "apt update && apt upgrade -y && apt install git emacs -y" git clone https://zacchae.us/zmacs cd zmacs ./guid-usd.org ./guix-usd.bootstrap reboot #+end_src And follow the prompts. However, https://zacchae.us is currently down (check later for an updated version), and I have made some changes to code here which haven't been tested, so doing so is dangerous. After rebooting, you would finish setup with. #+begin_src shell :tangle no cd zmacs ./guix-usd.configure # and optionally: #./guix-usd.candy #+end_src Leaving you with a functional zmacs/home.scm which you can start from. However, you may end up with a bricked device that must be re-flashed, which is [[Re-flahsing from Guix][difficult to do from Guix]]= . There will be no warnings printed from the code, and I unashamedly pass "force" flags to make dangerous operations go through. I do try to highlight dangers in the text here, so it is "slightly" safer if you read along and do things manually. Additionally, some operations are performed (like appending to /etc/crypttab) that may break your system if run twice without reverting files. If by some miracle, you follow this guide and end up with a working device, you will have a setup like the following: - At boot, when you decrypt your Librem 5's eMMC memory (i.e. /), it will attempt to decrypt your =CE=BCSD using a key file located in /etc. - If the =CE=BCSD decrypts successfully, then it will mount btrfs subvolumes from the decrypted =CE=BCSD at /home, /gnu, and /var/guix. - This means your home, the guix store, and current state of guix are all stored on your =CE=BCSD. - If the =CE=BCSD fails to decrypt, then: - /gnu and /var/guix will fail to mount. - guix will be unusable - /home will be mounted from a file ** Final Warning This guide has you modify the following files: /etc/fstab /etc/crypttab Optionally modify the following: /lib/systemd/system/guix-daemon.service /etc/defaults/keyboard /etc/passwd Create the following files: /opt/usd/* /etc/luks-keys/* /gnu /var/guix And completely destroy any data on your =CE=BCSD. This is your final warning to do a back up and pray. * Initial setup We will be setting up the entire =CE=BCSD as a singular encrypted device with a btrfs filesystem and subvolumes to hold guix and your files #+begin_src shell :tangle guix-usd.bootstrap :shebang #!/bin/sh sudo bash -c "apt update && apt upgrade -y && apt install btrfs-progs g= uix" #+end_src The =CE=BCSD encryption keys will be in /etc/luks-keys, the special files for mounting /home will be in /opt/usd, and we will need mount points for guix folders /gnu and /var/guix #+begin_src shell :tangle guix-usd.bootstrap sudo mkdir /etc/luks-keys /opt/usd /gnu /var/guix #+end_src =20=20 * Encrypting your =CE=BCSD To my knowledge, there is no way to prompt the user for a second encryption passphrase for the =CE=BCSD at boot, hence the only way to decrypt the =CE=BCSD at boot is to have a key file stored in your file tree. This means that even if you remove your =CE=BCSD, if you unlock your phone, then the keys to your =CE=BCSD could be extracted from your phone. Additionally, the following will erase any data which was previously on the =CE=BCSD. #+begin_src shell :tangle guix-usd.bootstrap sudo dd if=3D/dev/urandom of=3D/etc/luks-keys/disk_secret_key bs=3D512 = count=3D8 echo Encrypting device. Enter passphrase below (a few times). echo This passphrase will be usable in addition to the key file at: echo /etc/luks-key/disk_secret_key sudo cryptsetup luksFormat /dev/sda --batch-mode sudo cryptsetup luksAddKey /dev/sda /etc/luks-keys/disk_secret_key #+end_src =20=20 * Setting up your btr file system Open (map) the encrypted =CE=BCSD, reformat the contents as btrfs (erases all data), mount the mapped device, and create subvolumes for /home, /gnu, and /var/guix. Additionally, copy over all files from your home directory as a starting point for your new home directory. #+begin_src shell :tangle guix-usd.bootstrap sudo cryptsetup open /dev/sda crypt_sd --key-file=3D/etc/luks-keys/disk= _secret_key sudo mkfs.btrfs --force /dev/mapper/crypt_sd -L btros sudo mount LABEL=3Dbtros /mnt sudo btrfs subvolume create /mnt/home sudo btrfs subvolume create /mnt/gnu sudo btrfs subvolume create /mnt/varguix sudo cp -a /home/purism /mnt/home/ sudo umount /mnt #+end_src * Setting up your backup /home As mentioned previously, /home must be mounted. If the =CE=BCSD does not exist, then mount it from elsewhere. In this case, a file. I allocate just 1GiB for the backup /home because I do not intend on using it often, but need a useable space to recover from if something (the =CE=BCSD) fails. Copy the contents of the current /home as well to be safe. #+begin_src shell :tangle guix-usd.bootstrap sudo dd if=3D/dev/zero of=3D/opt/usd/backup-home.btrfs bs=3D1MiB count= =3D1024 sudo mkfs.btrfs /opt/usd/backup-home.btrfs sudo mount /opt/usd/backup-home.btrfs /mnt sudo btrfs subvolume create /mnt/home cp -a /home/purism /mnt/home #+end_src * Decrypting/Mounting at boot The following describes the steps to decrypt and mount your now-set-up =CE=BCSD at boot. ** Decrypting the =CE=BCSD To decrypt at boot, append the necessary entry to /etc/crypttab #+begin_src shell :tangle guix-usd.bootstrap echo crypt_sd UUID=3D$(sudo cryptsetup luksUUID /dev/sda) \ /etc/luks-keys/disk_secret_key nofail,luks \ | sudo tee -a /etc/crypttab #+end_src This will use the luks UUID to identify the =CE=BCSD, and the 'nofail' flag ensures the system will still boot if =CE=BCSD is broken or missing. ** Mounting /var/guix and /gnu To mount your now-decrypted =CE=BCSD, append the necessary lines to /etc/fstab. /home will be treated in the [[Mounting /home][next section= ]]. /var/guix and /gnu do not need to be accessable (guix will break) if the =CE=BCSD is not present, so use nofail, and wait no more than 20s for the device to become available. #+begin_src shell :tangle guix-usd.bootstrap echo LABEL=3Dbtros /gnu btrfs \ nofail,x-systemd.device-timeout=3D15,subvol=3Dgnu 0 2 \ | sudo tee -a /etc/fstab echo LABEL=3Dbtros /var/guix btrfs \ nofail,x-systemd.device-timeout=3D15,subvol=3Dvarguix 0 2 \ | sudo tee -a /etc/fstab #+end_src =20=20=20 ** Mounting /home This step was very tricky. I found a thread on the purism forum of people trying to accomplish having a /home mounted from =CE=BCSD, with a fallback in case the =CE=BCSD is broken or missing. That thread died for a few years before I revived it with this hacky solution. Basically, as far as I can tell, neither /etc/fstab or .mount service units allow for any logic to determine if mount should occur. If you specify a /home mount, and that mount fails, even if nofail is specified, then the system will NOT let you try and access files under /home. This means that even if you have a perfectly fine home directory under the mount point, that you cannot access those files. This means, among other things, that Phosh will fail to start. However, though I couldn't figure out how to change IF a mount point is used, I could change WHAT device is used to mount. Specifically, .mount systemd units allow for variable expansion, and variables can be read from a file. Hence, my solution is to have a systemd service which is a dependency of home.mount which generates an environment file which is subsequently read by home.mount. The service checks if the =CE=BCSD was successfully decrypted, and if so, directs home.mount to mount from the =CE=BCSD. Otherwise, home is mounted from /opt/usd/home.btrfs. Put the following in /etc/systemd/system/find-home.service #+begin_src text :tangle /sudo::/etc/systemd/system/find-home.service [Unit] Description=3DCheck if sd card was found. If so, use that. [Service] ExecStart=3D/opt/usd/find-home.sh Type=3Doneshot RemainAfterExit=3Dyes [Install] RequiredBy=3Dhome.mount #+end_src Additionally, create the find-home.sh script which is to be run at /opt/usd/find-home.sh #+begin_src shell :shebang #!/bin/sh :tangle /sudo::/opt/usd/find-home.sh echo HOME_DEVICE=3D$(if [ -e /dev/mapper/crypt_sd ]; then echo /dev/mapper/crypt_sd; else echo /opt/usd/backup-home.btrfs; fi) > /opt/usd/mount_env #+end_src Finally, create the home.mount which will actually mount your home at /etc/systemd/system/home.mount #+begin_src text :tangle /sudo::/etc/systemd/system/home.mount [Unit] Description=3DMount Var Test Requires=3Dfind-home.service After=3Dfind-home.service [Install] RequiredBy=3Dphosh.service [Mount] EnvironmentFile=3D/opt/usd/mount_env What=3D${HOME_DEVICE} Where=3D/home Type=3Dbtrfs Options=3Dsubvol=3Dhome #+end_src Finally, enable the home.mount service #+begin_src shell :tangle guix-usd.bootstrap systemctl enable home.mount #+end_src After doing the above, it +should+ might be safe to reboot #+begin_src shell :tangle no reboot #+end_src * Setting up guix home This section assumes you have successfully done all the setps described above and rebooted. First, you should do a guix pull as your user, and additionally as root. #+begin_src shell :tangle guix-usd.configure :shebang #!/bin/sh guix pull sudo -i ~/.config/guix/current/bin/guix pull #+end_src Now that root's guix has been setup, you should modify the systemd unit file to use root's guix-daemon. #+begin_src shell :tangle guix-usd.configure sudo sed -i 's/\/usr\/bin\/guix-daemon/\/var\/guix\/profiles\/per-user\= /root\/current-guix\/bin\/guix-daemon/' /lib/systemd/system/guix-daemon.ser= vice systemctl daemon-reload systemctl restart guix-daemon #+end_src This isn't strictly necessary, but I like that I can update guix-daemon with sudo -i guix pull. This is also helpful because the current (as of this writing) version of guix installed by apt does not check bordeaux.guix.gnu.org for substitutes, something extremely necessary for tiny arm devices that have little RAM. You can, however, enable bordeaux.guix.gnu.org by adding "--substitute-urls=3D'https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'" to the "ExecStart" feild of /lib/systemd/system/guix-daemon.service instead. One other problem I came across is that guix home environment variable initialization fails to properly deal with empty variables. There are ways to fix this by modifying guix-home, but looking at https://issues.guix.gnu.org/61982, it seems that they have decided to make changes to how guix is installed on foreign distros. This means even if you guix pull after this is patched, guix home will probably not work properly until the next major release is adopted in your apt repo. Specifically, ~/.guix-home/setup-environment will assign to the empty XDG_CONFIG_DIRS variable without adding the default "/etc/xdg" value, so programs like phosh will not find /etc/xdg and fail to start. This means if you naively install guix home on your new Librem 5, you will get a black screen on boot... To address this, I add the following line to my shell environment to set XDG_CONFIG_DIRS to the default value in the case that it is empty. #+begin_src scheme :tangle no ("XDG_CONFIG_DIRS" . "$([ -z $XDG_CONFIG_DIRS ] 2> /dev/null && echo /e= tc/xdg || echo $XDG_CONFIG_DIRS)") #+end_src From here you should be able to use the following starter home.scm at ./home.scm (not tested with bash). #+begin_src scheme :tangle home.scm (home-environment (packages (map specification->package (list "emacs"))) (services (list (service home-bash-service-type (home-bash-configuration (environment-variables '(("XDG_CONFIG_DIRS" . "$([ -z $XDG_CONFIG_DIRS ] 2> /dev/nu= ll && echo /etc/xdg || echo $XDG_CONFIG_DIRS)"))))) (service home-zsh-service-type (home-zsh-configuration (environment-variables '(("XDG_CONFIG_DIRS" . "$([ -z $XDG_CONFIG_DIRS ] 2> /dev/nu= ll && echo /etc/xdg || echo $XDG_CONFIG_DIRS)")))))))) #+end_src And initialize your first home environment! #+begin_src shell :tangle guix-usd.configure guix home reconfigure home.scm #+end_src ** Another note on substitutes If trying to run guix home still results in many packages trying to build, it could be that there was a recent push to the guix repo which caused a lot of rebuilds that the build farm can't keep up with. The only solution I know of is to manually check https://ci.guix.gnu.org/jobset/master. Go there and find a commit COMMIT right before a commit which resulted in a large number of builds. Then run #+begin_src shell :tangle no guix pull --commit=3DCOMMIT --allow-downgrades #+end_src This should revert your guix version to one with more substitutes available. * Finishing Touches ** Changing UI scaling I do a lot of things at a terminal or emacs. I want my phone screen to be like a real screen. For this, I change the UI scaling of the builtin screen from 2 to 1 like so: #+begin_src shell :tangle guix-usd.candy echo '[output:DSI-1] scale =3D 1' >> /usr/share/phosh/phoc.ini #+end_src ** Changing console keyboard layout I like to use the dvorak layout with caps-lock as another control key. For the gui, you need to change your layout in settings, download gnome-tweaks: #+begin_src shell :tangle no apt install gnome-tweaks #+end_src And enable "Caps Lock is also Ctrl" in gnome-tweaks>Keyboard & Mouse>additional Layout Options>Caps Lock behavior. To make the same layout available from a tty, I ran: #+begin_src shell :tangle guix-usd.candy sudo apt install console-data echo ' XKBMODEL=3D"pc105" XKBLAYOUT=3D"us" XKBVARIANT=3D"dvorak" XKBOPTIONS=3D"ctrl:nocaps" BACKSPACE=3D"guess" ' > /etc/default/keyboard #+end_src ** Using zsh I personally like zsh over bash for interactive prompts. To change to zsh, run: #+begin_src shell :tangle guix-usd.candy sudo apt install zsh echo Need user passwd to change shell to zsh chsh -s /bin/zsh #+end_src * Re-flashing from Guix If you messed something up, and know what you did, you may want to try fi= xing your problem using Jumpdrive instead: https://github.com/dreemurrs-embedded/Jumpdrive This will allow you to mount your powered off Librem like a flash drive a= nd make changes to fix your device. I don't have any automated solution for flashing a librem from guix, but = I have figured out how to do it. To do so, I mostly followed the instructi= ons at https://developer.puri.sm/Librem5/Development_Environment/Phone/Trou= bleshooting/Reflashing_the_Phone.html. First, I cloned the librem 5 flash = image repository #+begin_src shell :tangle no git clone https://source.puri.sm/Librem5/librem5-flash-image #+end_src The main hiccup here is that the jenkins package required by the flashing script has not been packaged for guix. To make it work, I manually made changes to scripts/librem5-flash-image: comment lines 23-27, 461-484, and add `uboot_board =3D 'librem5'` to line 485 (line numbers may have changed since). Then, I manually tried to traverse https://arm01.puri.sm/ to find some images, and downloaded the necessary images #+begin_src shell :tangle no mkdir imdir wget https://arm01.puri.sm/job/Images/job/Image%20Build/14006/artifact/= librem5r4.img.xz xz -d librem5r4.img.xz mv librem5r4.img imdir wget https://arm01.puri.sm/job/u-boot_builds/job/uboot_librem5_build/la= stSuccessfulBuild/artifact/output/uboot-librem5/u-boot-librem5.imx mv u-boot-librem5.imx imdir/ #+end_src Then, from a *ROOT SHELL*, I activated a guix shell, and downloaded necessary packages from pip: #+begin_src shell cd librem5-flash-image guix shel python gcc musl python-requests binutils usbutils uuu --pure python3 -m venv venv --upgrade-deps --system-site-packages source ./venv/bin/activate pip3 install tqdm pyyaml ./scripts/librem5-flash-image --skip-download --dir ./imdir #+end_src