* bug#56669: enhancement: Link guix system and guix home
@ 2022-07-20 10:47 Dale Mellor
2022-07-20 17:57 ` Andrew Tropin
From: Dale Mellor @ 2022-07-20 10:47 UTC (permalink / raw)
To: 56669
I would like to be able to create a rescue disk for my system in which
the admin user's home directory contains a copy of an encrypted key,
for manually unlocking encrypted disk drives.
Following a short discussion in IRC, it appears the best route to
achieve this would be to link *guix system* and *guix home* together,
so that the system configuration file can specify
(user-account
...
(configuration (local-file "my-home-config.scm")))
for example (it should be possible to use either (home-configuration)
or a file-like object here).
Hopefully this is an easy thing to accomplish, but I don't know...
Thanks,
Dale
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-20 17:57 UTC (permalink / raw)
To: guix-bug-va9nk6, 56669; +Cc: Tissevert
On 2022-07-20 11:47, Dale Mellor wrote:
> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
> (user-account
> ...
> (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...
>
Hi Dale,
it's not easy, but doable.
This topic pops up from time to time, but this feature is not implemented
yet.
https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
I have spare time tomorrow and can try to implement it, however I don't
know how much time it will take, and if I don't finish tomorrow there is
no guarantee that I'll finish it anytime soon.
--
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-21 17:13 UTC (permalink / raw)
To: guix-bug-va9nk6, 56669; +Cc: Tissevert
On 2022-07-20 20:57, Andrew Tropin wrote:
> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>> ...
>> (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
>
> I have spare time tomorrow and can try to implement it, however I don't
> know how much time it will take, and if I don't finish tomorrow there is
> no guarantee that I'll finish it anytime soon.
I built a home environment baked into an operating system and successfully
deployed it with guix deploy. I face some issues with a similar setup on
a livecd, but I think I will figure it out soon and will publish results
in a few days.
The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
It's a draft and will be rewritten; also there are a few local commits
that I haven't sent to guix yet, but it should work without them if
elogind is enabled.
The usage example:
config.scm:
;; This is an operating system configuration generated
;; by the graphical installer.
(use-modules (gnu)
             (gnu services home))
(use-service-modules
 cups
 desktop
 networking
 ssh
 xorg)
(use-modules (gnu home)
             (gnu home services)
             (gnu home services shells)
             (gnu packages admin))

;; The home environment that the guix-home system service below activates
;; for user "bob".
(define he
  (home-environment
   (packages (list htop))
   (services
    (list
     (service
      home-bash-service-type
      (home-bash-configuration))))))

(define os
  (operating-system
    (locale "en_US.utf8")
    (timezone "Europe/Moscow")
    (keyboard-layout
     (keyboard-layout "us" "altgr-intl"))
    (host-name "tmp")
    (users (cons* (user-account
                   (name "bob")
                   (comment "Bob")
                   (group "users")
                   (home-directory "/home/bob")
                   (supplementary-groups
                    '("wheel" "netdev" "audio" "video")))
                  %base-user-accounts))
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                "%wheel ALL=(ALL) NOPASSWD: ALL")))
    (packages
     (append
      (list (specification->package "nss-certs"))
      %base-packages))
    (services
     (append
      (list (service dhcp-client-service-type)
            (service openssh-service-type
                     (openssh-configuration
                      (permit-root-login #t)
                      (password-authentication? #f)
                      (authorized-keys
                       `(("root" ,(local-file "ssh.key"))))))
            ;; FIXME: Send two patches to make it work without elogind
            (service elogind-service-type)
            ;; Pairs of ("user" . home-environment) to activate at boot.
            (service
             guix-home-service-type
             `(("bob" . ,he)))
            (service ntp-service-type))
      (modify-services %base-services
        (guix-service-type
         config =>
         (guix-configuration
          (inherit config)
          (substitute-urls '("http://ci.guix.trop.in"
                             "https://bordeaux.guix.gnu.org"))
          (authorized-keys
           (append (list (local-file "/etc/guix/signing-key.pub"))
                   %default-authorized-guix-keys)))))))
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      (targets (list "/dev/sda"))
      (keyboard-layout keyboard-layout)))
    (swap-devices
     (list (swap-space
            (target
             (uuid "8b332a77-38ec-4abf-9cf4-c755f8f27805")))))
    (file-systems
     (cons* (file-system
              (mount-point "/")
              (device
               (uuid "9382dc00-c702-4b70-955f-6c804c59b6c0"
                     'ext4))
              (type "ext4"))
            %base-file-systems))))

;; Deployment target for `guix deploy'.
(define host "qemu")
(define user "bob")

(list (machine
       (operating-system os)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name host)
                       (allow-downgrades? #t)
                       (system "x86_64-linux")
                       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKPj2X6gmxLzj956AE2YBihTibmpaXj+G51r4zkbQ+2")
                       (user "root")))))
--
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Maxime Devos @ 2022-07-21 17:25 UTC (permalink / raw)
To: Andrew Tropin, guix-bug-va9nk6, 56669; +Cc: Tissevert
On 21-07-2022 19:13, Andrew Tropin wrote:
> The source code is here:
> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
What's the 'guix-home-gc-roots' for? I would expect the reference
#$(file-append he "/activate") to be sufficient to keep things from
being gc'ed.
> +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23>
> (start #~(make-forkexec-constructor +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24>
> '(#$(file-append he "/activate")) +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25>
> #:user #$user +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26>
> #:environment-variables +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27>
> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28>
> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
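Review bot: the activation script exec'd here receives exactly one environment variable, HOME (the `#:environment-variables` list in this hunk), so anything /activate runs that relies on PATH, USER, LOGNAME or locale settings will not find them; either extend that list or make sure the script only calls absolute store paths and sets its own locale. Separately, `#:user #$user` and the `(getpw #$user)` lookups are resolved when the service starts, so the shepherd service needs a `requirement` on the service that creates the account and its home directory ('user-homes), which is not visible in these lines.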
I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
already internally by /activate, you could consider doing it in a
container to reduce potential irreproducibility, or insecurity on
multi-user systems (I'd assume the #:user + #:group to be sufficient for
security, especially if it appears sufficient for other system services,
but I'm not some expert on what things need to be set).
> +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20>
> (provision (list (symbol-append 'guix-home- (string->symbol user)))) +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21>
> (one-shot? #t) +
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22>
> (auto-start? #f)
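Review bot: with `(one-shot? #t)` and `(auto-start? #f)` nothing starts `guix-home-USER` at boot, so the home environment is only activated after an explicit `herd start`, and the first login can happen against an unactivated home; set `(auto-start? #t)`, and if the ordering relative to login matters, make the login-related services require this provision rather than relying on start order.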
Wouldn't it then be possible for the user to login via the login manager
before initialisation has completed, as gdm etc. don't wait for
guix-home-... currently?
Greetings,
Maxime.
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-26 9:23 UTC (permalink / raw)
To: Maxime Devos, guix-bug-va9nk6, 56669; +Cc: Tissevert
On 2022-07-21 19:25, Maxime Devos wrote:
> On 21-07-2022 19:13, Andrew Tropin wrote:
>
>> The source code is here:
>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>
> What's the 'guix-home-gc-roots' for? I would expect the reference
> #$(file-append he "/activate") to be sufficient to keep things from
> being gc'ed.
It was needed while I was testing manual activation without shepherd
service, not needed anymore, already removed it locally.
>
>> +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23>
>> (start #~(make-forkexec-constructor +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24>
>> '(#$(file-append he "/activate")) +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25>
>> #:user #$user +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26>
>> #:environment-variables +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27>
>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28>
>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
> already internally by /activate, you could consider doing it in a
> container to reduce potential irreproducibility, or insecurity on
> multi-user systems (I'd assume the #:user + #:group to be sufficient for
> security, especially if it appears sufficient for other system services,
> but I'm not some expert on what things need to be set).
>
It's not set by /activate.
>> +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20>
>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21>
>> (one-shot? #t) +
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22>
>> (auto-start? #f)
> Wouldn't it then be possible for the user to login via the login manager
> before initialisation has completed, as gdm etc. don't wait for
> guix-home-... currently?
You are right; the same as the first one, it was needed for the more
manual approach. Changed to #t, thank you.
Three patches for this service to work are on the way on guix-patches.
In the meantime, will try to build a livecd with the home environment
inside.
P.S. Probably this system service is far from the final version of this
feature; I still think about making home-environment a part of
user-account. Will evaluate pros and cons after I get the livecd built
successfully.
--
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2023-02-08 13:42 UTC (permalink / raw)
To: Maxime Devos, guix-bug-va9nk6, 56669; +Cc: Tissevert
On 2022-07-26 12:23, Andrew Tropin wrote:
> On 2022-07-21 19:25, Maxime Devos wrote:
>
>> On 21-07-2022 19:13, Andrew Tropin wrote:
>>
>>> The source code is here:
>>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>>
>> What's the 'guix-home-gc-roots' for? I would expect the reference
>> #$(file-append he "/activate") to be sufficient to keep things from
>> being gc'ed.
>
> It was needed while I was testing manual activation without shepherd
> service, not needed anymore, already removed it locally.
>
>>
>>> +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23>
>>> (start #~(make-forkexec-constructor +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24>
>>> '(#$(file-append he "/activate")) +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25>
>>> #:user #$user +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26>
>>> #:environment-variables +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27>
>>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28>
>>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
>> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
>> already internally by /activate, you could consider doing it in a
>> container to reduce potential irreproducibility, or insecurity on
>> multi-user systems (I'd assume the #:user + #:group to be sufficient for
>> security, especially if it appears sufficient for other system services,
>> but I'm not some expert on what things need to be set).
>>
> It's not set by /activate.
>
>>> +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20>
>>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21>
>>> (one-shot? #t) +
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22>
>>> (auto-start? #f)
>> Wouldn't it then be possible for the user to login via the login manager
>> before initialisation has completed, as gdm etc. don't wait for
>> guix-home-... currently?
>
> You are right; the same as the first one, it was needed for the more
> manual approach. Changed to #t, thank you.
>
> Three patches for this service to work are on the way on guix-patches.
> In the meantime, will try to build a livecd with the home environment
> inside.
>
> P.S. Probably this system service is far from the final version of this
> feature; I still think about making home-environment a part of
> user-account. Will evaluate pros and cons after I get the livecd built
> successfully.
Sorry for the long status update, some life moments have happened.
Polished all the things on the Guix Home side and I can confirm that the
service works correctly and it's possible to make home-environments a
part of the operating-system record.
The current very simple implementation works relatively well. It accepts a
list of ("user" . home-env) pairs and creates shepherd services, which
activate the respective home environments.
https://git.sr.ht/~abcdw/rde/tree/9175c7b37b6861095bae4a696aa1faadf9dc572a/src/gnu/services/home.scm#L1
This is how sway graphical environment activation is implemented in the rde-live image.
http://files.trop.in/rde/
I still find it not completely satisfying because activation happens
when the one-shot shepherd service gets started and not during system
activation, which leads to the problem mentioned by Maxime: you can log in
to the user's shell before the home-environment is activated. I would like
to just extend system activation with calls to home activation scripts, but
it's not that straightforward because we depend on user-homes (which is
a shepherd service).
That said, the guix-home system service works fine and you can already
use it, but before merging it to Guix I would like to move home
activations into system activation, which requires some work on
user-homes. It doesn't seem to be a big task, but it still requires some
dedication and I don't know when I'll get spare time for it. Let me know
if this feature blocks you in some way, otherwise I'll keep working on it
at my own pace.
--
Best regards,
Andrew Tropin
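To make the design discussed in this thread concrete, here is an added sketch of such a system service: a service type that takes ("user" . home-environment) pairs and, for each, runs the home environment's activation script as that user from a one-shot Shepherd service. This is illustrative code written for this page, not the code from the rde commits linked above and not anything Guix ships. It assumes: a module name (example services guix-home) chosen here; that a <home-environment> can be lowered with file-append to its "/activate" script, as the quoted hunk does; that the system's locale data lives at /run/current-system/locale (the GUIX_LOCPATH value is an assumption, added because of the question raised in the review); and it adopts the two review points from the thread (a requirement on 'user-homes and auto-start? #t) as design choices, not as something the original patch did.

```scheme
;; Added example for this page (not rde's or Guix's code): a system
;; service that activates Guix Home environments for named users at boot.
(define-module (example services guix-home)   ; module name is an assumption
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu home)                      ; registers the <home-environment> gexp compiler
  #:use-module (guix gexp)
  #:use-module (srfi srfi-1)
  #:use-module (ice-9 match)
  #:export (guix-home-service-type))

(define (guix-home-shepherd-service user home)
  "Return a one-shot Shepherd service that runs HOME's activation script
as USER.  HOME is a <home-environment>, usable as a file-like object."
  (shepherd-service
   (documentation
    (string-append "Activate the Guix Home environment of " user "."))
   (provision (list (symbol-append 'guix-home- (string->symbol user))))
   ;; 'user-homes creates /home/USER with the right owner; without this
   ;; requirement the activation script could run before its target exists
   ;; and before (getpw USER) below can succeed.
   (requirement '(user-homes))
   (one-shot? #t)
   (respawn? #f)
   ;; Start at boot instead of waiting for a manual `herd start'.  Login
   ;; managers still do not wait for this service; that ordering gap is the
   ;; one left open in the thread.
   (auto-start? #t)
   (start
    #~(let ((pw (getpw #$user)))
        (make-forkexec-constructor
         (list #$(file-append home "/activate"))
         ;; Drop to the user's own identity and primary group before running
         ;; anything that came from the home environment.
         #:user #$user
         #:group (group:name (getgrgid (passwd:gid pw)))
         ;; The script inherits nothing from shepherd's environment, so set
         ;; the variables a login shell would have.  The GUIX_LOCPATH value
         ;; is an assumption about where the system locale data lives.
         #:environment-variables
         (list (string-append "HOME=" (passwd:dir pw))
               (string-append "USER=" #$user)
               (string-append "LOGNAME=" #$user)
               "GUIX_LOCPATH=/run/current-system/locale"))))))

(define (guix-home-shepherd-services pairs)
  "Turn a list of (\"user\" . home-environment) pairs into Shepherd services."
  (map (match-lambda
         (((? string? user) . home)
          (guix-home-shepherd-service user home)))
       pairs))

(define guix-home-service-type
  (service-type
   (name 'guix-home)
   (extensions
    (list (service-extension shepherd-root-service-type
                             guix-home-shepherd-services)))
   ;; Multiple instances or extensions simply contribute more pairs.
   (compose concatenate)
   (extend append)
   (default-value '())
   (description
    "Activate the given Guix Home environments for the given users at boot.")))
```

With this module on the load path, the usage is the same as in the config.scm above: (service guix-home-service-type `(("bob" . ,he))). Note that auto-start? #t only makes activation begin at boot after user-homes; nothing here makes gdm or another login manager wait for guix-home-bob, which is the remaining ordering problem described in the last message.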