* bug#56669: enhancement: Link guix system and guix home
From: Dale Mellor @ 2022-07-20 10:47 UTC
To: 56669

I would like to be able to create a rescue disk for my system in which
the admin user's home directory contains a copy of an encrypted key,
for manually unlocking encrypted disk drives.

Following a short discussion in IRC, it appears the best route to
achieve this would be to link *guix system* and *guix home* together,
so that the system configuration file can specify

  (user-account
    ...
    (configuration (local-file "my-home-config.scm")))

for example (it should be possible to use either (home-configuration)
or a file-like object here).

Hopefully this is an easy thing to accomplish, but I don't know...

Thanks,
Dale
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-20 17:57 UTC
To: guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-20 11:47, Dale Mellor wrote:

> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
>   (user-account
>     ...
>     (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...

Hi Dale,

it's not easy, but doable.

This topic pops up from time to time, but this feature is not implemented
yet.

https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/

I have spare time tomorrow and can try to implement it, however Idk how
much time it will take, and if I don't finish tomorrow there is no
guarantee that I'll finish it anytime soon.

-- 
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-21 17:13 UTC
To: guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-20 20:57, Andrew Tropin wrote:

> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>>   (user-account
>>     ...
>>     (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
>
> I have spare time tomorrow and can try to implement it, however Idk how
> much time it will take, and if I don't finish tomorrow there is no
> guarantee that I'll finish it anytime soon.

I built a home environment baked into an operating system and successfully
deployed it with guix deploy. I face some issues with the similar setup on
a livecd, but I think I will figure it out soon and will publish results in
a few days.

The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's drafty and will be rewritten; also there are a few local commits that
I haven't sent to guix yet, but it should work without them if elogind is
enabled.
The usage example:

[-- Attachment #1.2: config.scm --]

  ;; This is an operating system configuration generated
  ;; by the graphical installer.

  (use-modules (gnu) (gnu services home))
  (use-service-modules cups desktop networking ssh xorg)
  (use-modules (gnu home)
               (gnu home services)
               (gnu home services shells)
               (gnu packages admin))

  (define he
    (home-environment
     (packages (list htop))
     (services
      (list (service home-bash-service-type
                     (home-bash-configuration))))))

  (define os
    (operating-system
      (locale "en_US.utf8")
      (timezone "Europe/Moscow")
      (keyboard-layout (keyboard-layout "us" "altgr-intl"))
      (host-name "tmp")
      (users (cons* (user-account
                     (name "bob")
                     (comment "Bob")
                     (group "users")
                     (home-directory "/home/bob")
                     (supplementary-groups '("wheel" "netdev" "audio" "video")))
                    %base-user-accounts))
      (sudoers-file
       (plain-file "sudoers"
                   (string-append (plain-file-content %sudoers-specification)
                                  "%wheel ALL=(ALL) NOPASSWD: ALL")))
      (packages (append (list (specification->package "nss-certs"))
                        %base-packages))
      (services
       (append (list (service dhcp-client-service-type)
                     (service openssh-service-type
                              (openssh-configuration
                               (permit-root-login #t)
                               (password-authentication? #f)
                               (authorized-keys
                                `(("root" ,(local-file "ssh.key"))))))
                     ;; FIXME: Send two patches to make it work without elogind
                     (service elogind-service-type)
                     (service guix-home-service-type
                              `(("bob" . ,he)))
                     (service ntp-service-type))
               (modify-services %base-services
                 (guix-service-type
                  config => (guix-configuration
                             (inherit config)
                             (substitute-urls
                              '("http://ci.guix.trop.in"
                                "https://bordeaux.guix.gnu.org"))
                             (authorized-keys
                              (append (list (local-file "/etc/guix/signing-key.pub"))
                                      %default-authorized-guix-keys)))))))
      (bootloader (bootloader-configuration
                   (bootloader grub-bootloader)
                   (targets (list "/dev/sda"))
                   (keyboard-layout keyboard-layout)))
      (swap-devices (list (swap-space
                           (target (uuid "8b332a77-38ec-4abf-9cf4-c755f8f27805")))))
      (file-systems (cons* (file-system
                            (mount-point "/")
                            (device (uuid "9382dc00-c702-4b70-955f-6c804c59b6c0"
                                          'ext4))
                            (type "ext4"))
                           %base-file-systems))))

  (define host "qemu")
  (define user "bob")

  (list (machine
         (operating-system os)
         (environment managed-host-environment-type)
         (configuration (machine-ssh-configuration
                         (host-name host)
                         (allow-downgrades? #t)
                         (system "x86_64-linux")
                         (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKPj2X6gmxLzj956AE2YBihTibmpaXj+G51r4zkbQ+2")
                         (user "root")))))

-- 
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Maxime Devos @ 2022-07-21 17:25 UTC
To: Andrew Tropin, guix-bug-va9nk6, 56669; +Cc: Tissevert

On 21-07-2022 19:13, Andrew Tropin wrote:

> The source code is here:
> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

What's the 'guix-home-gc-roots' for? I would expect the reference
#$(file-append he "/activate") to be sufficient to keep things from
being gc'ed.

> + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> > (start #~(make-forkexec-constructor + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> > '(#$(file-append he "/activate")) + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> > #:user #$user + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> > #:environment-variables + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> > (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> > #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))

I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
already internally by /activate, you could consider doing it in a
container to reduce potential irreproducibility, or insecurity on
multi-user systems (I'd assume the #:user + #:group to be sufficient for
security, especially if it appears sufficient for other system services,
but I'm not some expert on what things need to be set).

> + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> > (provision (list (symbol-append 'guix-home- (string->symbol user)))) + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> > (one-shot? #t) + > <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> > (auto-start? #f)

Wouldn't it then be possible for the user to login via the login manager
before initialisation has completed, as gdm etc don't wait for
guix-home-... currently?

Greetings,
Maxime.
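Review bot: In the `start` hunk, the `#:environment-variables` list handed to `make-forkexec-constructor` replaces the child's environment rather than extending it, so `/activate` runs with `HOME` as its only variable: no `PATH`, `USER`, `LOGNAME` or locale settings. The script itself is reached through its store path, so it starts, but any home service activation snippet that resolves a command by bare name or reads `USER`/`XDG_*` will behave differently than under `guix home reconfigure` run from the user's own shell. Consider passing at least `USER` and `LOGNAME` next to `HOME`, e.g. `(list (string-append "HOME=" (passwd:dir (getpw #$user))) (string-append "USER=" #$user))`, and, as raised above, `GUIX_LOCPATH` if the activation code emits localised output.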
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2022-07-26 9:23 UTC
To: Maxime Devos, guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-21 19:25, Maxime Devos wrote:

> On 21-07-2022 19:13, Andrew Tropin wrote:
>
>> The source code is here:
>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>
> What's the 'guix-home-gc-roots' for? I would expect the reference
> #$(file-append he "/activate") to be sufficient to keep things from
> being gc'ed.

It was needed while I was testing manual activation without a shepherd
service; it's not needed anymore, and I have already removed it locally.

>> + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> >> (start #~(make-forkexec-constructor + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> >> '(#$(file-append he "/activate")) + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> >> #:user #$user + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> >> #:environment-variables + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> >> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> >> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
>
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
> already internally by /activate, you could consider doing it in a
> container to reduce potential irreproducibility, or insecurity on
> multi-user systems (I'd assume the #:user + #:group to be sufficient for
> security, especially if it appears sufficient for other system services,
> but I'm not some expert on what things need to be set).

It's not set by /activate.

>> + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> >> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> >> (one-shot? #t) + >> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> >> (auto-start? #f)
>
> Wouldn't it then be possible for the user to login via the login manager
> before initialisation has completed, as gdm etc don't wait for
> guix-home-... currently?

You are right; the same as the first one, it was needed for a more manual
approach. Changed to #t, thank you.

Three patches for this service to work are on the way on guix-patches.
In the meantime, I will try to build a livecd with the home environment
inside.

P.S. Probably this system service is far from the final version of this
feature; I still think about making home-environment a part of
user-account. I will evaluate pros and cons after I get the livecd built
successfully.

-- 
Best regards,
Andrew Tropin
* bug#56669: enhancement: Link guix system and guix home
From: Andrew Tropin @ 2023-02-08 13:42 UTC
To: Maxime Devos, guix-bug-va9nk6, 56669; +Cc: Tissevert

On 2022-07-26 12:23, Andrew Tropin wrote:

> On 2022-07-21 19:25, Maxime Devos wrote:
>
>> On 21-07-2022 19:13, Andrew Tropin wrote:
>>
>>> The source code is here:
>>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>>
>> What's the 'guix-home-gc-roots' for? I would expect the reference
>> #$(file-append he "/activate") to be sufficient to keep things from
>> being gc'ed.
>
> It was needed while I was testing manual activation without a shepherd
> service; it's not needed anymore, and I have already removed it locally.
>
>>> + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> >>> (start #~(make-forkexec-constructor + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> >>> '(#$(file-append he "/activate")) + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> >>> #:user #$user + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> >>> #:environment-variables + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> >>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> >>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
>>
>> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done
>> already internally by /activate, you could consider doing it in a
>> container to reduce potential irreproducibility, or insecurity on
>> multi-user systems (I'd assume the #:user + #:group to be sufficient for
>> security, especially if it appears sufficient for other system services,
>> but I'm not some expert on what things need to be set).
>
> It's not set by /activate.
>
>>> + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> >>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> >>> (one-shot? #t) + >>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> >>> (auto-start? #f)
>>
>> Wouldn't it then be possible for the user to login via the login manager
>> before initialisation has completed, as gdm etc don't wait for
>> guix-home-... currently?
>
> You are right; the same as the first one, it was needed for a more manual
> approach. Changed to #t, thank you.
>
> Three patches for this service to work are on the way on guix-patches.
> In the meantime, I will try to build a livecd with the home environment
> inside.
>
> P.S. Probably this system service is far from the final version of this
> feature; I still think about making home-environment a part of
> user-account. I will evaluate pros and cons after I get the livecd built
> successfully.

Sorry for the long status update; some life moments happened.

Polished all the things on the Guix Home side, and I can confirm that the
service works correctly and that it's possible to make home-environments a
part of the operating-system record. The current very simple
implementation works relatively well. It accepts a list of
("user" . home-env) pairs and creates shepherd services, which activate
the respective home environments.

https://git.sr.ht/~abcdw/rde/tree/9175c7b37b6861095bae4a696aa1faadf9dc572a/src/gnu/services/home.scm#L1

This is how the sway graphical environment activation is implemented in
the rde-live image.

http://files.trop.in/rde/

I still find it not completely satisfying because activation happens when
the one-shot shepherd service gets started and not during system
activation, which leads to the problem mentioned by Maxime: you can log in
to the user's shell before the home-environment is activated.

I would like to just extend system activation with calls to home
activation scripts, but it's not that straightforward because we depend
on user-homes (which is a shepherd service).

That said, the guix-home system service works fine and you can already
use it, but before merging it to Guix I would like to move home
activations into system activation, which requires some work on
user-homes. It doesn't seem to be a big task, but it still requires some
dedication and IDK when I'll get spare time for it.

Let me know if this feature blocks you in some way; otherwise I'll keep
working on it at my own pace.

-- 
Best regards,
Andrew Tropin