GNU bug report logs - #56669
enhancement: Link guix system and guix home


Package: guix;

Reported by: guix-bug-va9nk6 <at> rdmp.org

Date: Wed, 20 Jul 2022 15:37:02 UTC

Severity: normal



Report forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Wed, 20 Jul 2022 15:37:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to guix-bug-va9nk6 <at> rdmp.org:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 20 Jul 2022 15:37:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dale Mellor <no-reply <at> rdmp.org>
To: bug-guix <at> gnu.org
Subject: enhancement: Link guix system and guix home
Date: Wed, 20 Jul 2022 11:47:40 +0100
I would like to be able to create a rescue disk for my system in which
the admin user's home directory contains a copy of an encrypted key,
for manually unlocking encrypted disk drives.

Following a short discussion in IRC, it appears the best route to
achieve this would be to link *guix system* and *guix home* together,
so that the system configuration file can specify

(user-account
   ...
   (configuration (local-file "my-home-config.scm")))

for example (it should be possible to use either (home-configuration)
or a file-like object here).

Hopefully this is an easy thing to accomplish, but I don't know...

Thanks,
Dale





Information forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Wed, 20 Jul 2022 17:58:01 GMT) Full text and rfc822 format available.

Message #8 received at 56669 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: guix-bug-va9nk6 <at> rdmp.org, 56669 <at> debbugs.gnu.org
Cc: Tissevert <tissevert+guix <at> marvid.fr>
Subject: Re: bug#56669: enhancement: Link guix system and guix home
Date: Wed, 20 Jul 2022 20:57:22 +0300
On 2022-07-20 11:47, Dale Mellor wrote:

> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
> (user-account
>    ...
>    (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...
>

Hi Dale,

it's not easy, but doable.

This topic pops up from time to time, but this feature is not implemented
yet.

https://yhetil.org/guix-devel/20220706112011.77c71a94 <at> marvid.fr/

I have spare time tomorrow and can try to implement it; however, I don't know
how much time it will take, and if I don't finish tomorrow there is no
guarantee that I'll finish it anytime soon.

-- 
Best regards,
Andrew Tropin

Information forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Thu, 21 Jul 2022 17:14:02 GMT) Full text and rfc822 format available.

Message #11 received at 56669 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: guix-bug-va9nk6 <at> rdmp.org, 56669 <at> debbugs.gnu.org
Cc: Tissevert <tissevert+guix <at> marvid.fr>
Subject: Re: bug#56669: enhancement: Link guix system and guix home
Date: Thu, 21 Jul 2022 20:13:04 +0300
On 2022-07-20 20:57, Andrew Tropin wrote:

> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>>    ...
>>    (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94 <at> marvid.fr/
>
> I have spare time tomorrow and can try to implement it; however, I don't know
> how much time it will take, and if I don't finish tomorrow there is no
> guarantee that I'll finish it anytime soon.

I built a home environment baked into an operating system and successfully
deployed it with guix deploy.  I face some issues with a similar setup on
a livecd, but I think I will figure it out soon and will publish the
results in a few days.

The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's drafty and will be rewritten; also, there are a few local commits
that I haven't sent to Guix yet, but it should work without them if
elogind is enabled.

The usage example:
[config.scm (application/octet-stream, inline)]
-- 
Best regards,
Andrew Tropin

Information forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Thu, 21 Jul 2022 17:26:02 GMT) Full text and rfc822 format available.

Message #14 received at 56669 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Andrew Tropin <andrew <at> trop.in>, guix-bug-va9nk6 <at> rdmp.org,
 56669 <at> debbugs.gnu.org
Cc: Tissevert <tissevert+guix <at> marvid.fr>
Subject: Re: bug#56669: enhancement: Link guix system and guix home
Date: Thu, 21 Jul 2022 19:25:11 +0200
On 21-07-2022 19:13, Andrew Tropin wrote:

> The source code is here:
> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

What's the 'guix-home-gc-roots' for? I would expect the reference 
#$(file-append he "/activate") to be sufficient to keep things from 
being gc'ed.

> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
> (start #~(make-forkexec-constructor + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
> '(#$(file-append he "/activate")) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
> #:user #$user + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
> #:environment-variables + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
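Review bot: the `#:environment-variables` list in this hunk contains only `HOME=`, so the forked `activate` script runs with an otherwise empty environment: no `PATH`, no `GUIX_LOCPATH`, no `XDG_RUNTIME_DIR`. Anything the activation script runs by bare name, and any locale-dependent Guile code in it, will fail or warn; either pass the variables the script needs explicitly next to `HOME=` or document that `/activate` must set them itself. Separately, `(getpw #$user)` is evaluated inside the constructor at service start, so a user that is absent from the passwd database at that moment makes the service fail at boot rather than producing a clear message when the operating system is built; checking that the user exists in the configuration's `user-accounts` would catch this earlier.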
I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
already internally by /activate, you could consider doing it in a 
container to reduce potential irreproducibility, or insecurity on 
multi-user systems (I'd assume the #:user + #:group to be sufficient for 
security, especially if it appears sufficient for other system services, 
but I'm not some expert on what things need to be set).

> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
> (one-shot? #t) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
> (auto-start? #f)
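Review bot: with `(auto-start? #f)` nothing in this hunk ever starts the service, so the home environment is only activated when something explicitly runs `herd start guix-home-<user>`; together with `(one-shot? #t)` that means a fresh boot leaves the home unactivated until then. If activation at boot is the intent, set `auto-start? #t` and add a `requirement` on `user-homes` (no `requirement` field is visible in this hunk) so the home directory already exists and is owned by the user before `activate` runs as that user.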
Wouldn't it then be possible for the user to login via the login manager 
before initialisation has completed, as gdm etc don't wait for 
guix-home-... currently?

Greetings,
Maxime.


Information forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Tue, 26 Jul 2022 09:24:01 GMT) Full text and rfc822 format available.

Message #17 received at 56669 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: Maxime Devos <maximedevos <at> telenet.be>, guix-bug-va9nk6 <at> rdmp.org,
 56669 <at> debbugs.gnu.org
Cc: Tissevert <tissevert+guix <at> marvid.fr>
Subject: Re: bug#56669: enhancement: Link guix system and guix home
Date: Tue, 26 Jul 2022 12:23:02 +0300
On 2022-07-21 19:25, Maxime Devos wrote:

> On 21-07-2022 19:13, Andrew Tropin wrote:
>
>> The source code is here:
>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>
> What's the 'guix-home-gc-roots' for? I would expect the reference 
> #$(file-append he "/activate") to be sufficient to keep things from 
> being gc'ed.

It was needed while I was testing manual activation without shepherd
service, not needed anymore, already removed it locally.

>
>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
>> (start #~(make-forkexec-constructor + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
>> '(#$(file-append he "/activate")) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
>> #:user #$user + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
>> #:environment-variables + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
> already internally by /activate, you could consider doing it in a 
> container to reduce potential irreproducibility, or insecurity on 
> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
> security, especially if it appears sufficient for other system services, 
> but I'm not some expert on what things need to be set).
>
It's not set by /activate.

>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
>> (one-shot? #t) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
>> (auto-start? #f)
> Wouldn't it then be possible for the user to login via the login manager 
> before initialisation has completed, as gdm etc don't wait for 
> guix-home-... currently?

You are right; the same as the first one, it was needed for a more manual
approach.  Changed to #t, thank you.

Three patches needed for this service to work are on the way on guix-patches.
In the meantime, I will try to build a livecd with the home environment
inside.

P.S. Probably this system service is far from final version of this
feature, I still think about making home-environment a part of
user-account.  Will evaluate pros and cons, after I get livecd built
successfully.

-- 
Best regards,
Andrew Tropin

Information forwarded to bug-guix <at> gnu.org:
bug#56669; Package guix. (Wed, 08 Feb 2023 13:44:01 GMT) Full text and rfc822 format available.

Message #20 received at 56669 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: Maxime Devos <maximedevos <at> telenet.be>, guix-bug-va9nk6 <at> rdmp.org,
 56669 <at> debbugs.gnu.org
Cc: Tissevert <tissevert+guix <at> marvid.fr>
Subject: Re: bug#56669: enhancement: Link guix system and guix home
Date: Wed, 08 Feb 2023 17:42:51 +0400
On 2022-07-26 12:23, Andrew Tropin wrote:

> On 2022-07-21 19:25, Maxime Devos wrote:
>
>> On 21-07-2022 19:13, Andrew Tropin wrote:
>>
>>> The source code is here:
>>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>>
>> What's the 'guix-home-gc-roots' for? I would expect the reference 
>> #$(file-append he "/activate") to be sufficient to keep things from 
>> being gc'ed.
>
> It was needed while I was testing manual activation without shepherd
> service, not needed anymore, already removed it locally.
>
>>
>>> + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
>>> (start #~(make-forkexec-constructor + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
>>> '(#$(file-append he "/activate")) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
>>> #:user #$user + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
>>> #:environment-variables + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
>>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
>>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
>> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
>> already internally by /activate, you could consider doing it in a 
>> container to reduce potential irreproducibility, or insecurity on 
>> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
>> security, especially if it appears sufficient for other system services, 
>> but I'm not some expert on what things need to be set).
>>
> It's not set by /activate.
>
>>> + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
>>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
>>> (one-shot? #t) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
>>> (auto-start? #f)
>> Wouldn't it then be possible for the user to login via the login manager 
>> before initialisation has completed, as gdm etc don't wait for 
>> guix-home-... currently?
>
> You are right; the same as the first one, it was needed for a more manual
> approach.  Changed to #t, thank you.
>
> Three patches needed for this service to work are on the way on guix-patches.
> In the meantime, I will try to build a livecd with the home environment
> inside.
>
> P.S. Probably this system service is far from final version of this
> feature, I still think about making home-environment a part of
> user-account.  Will evaluate pros and cons, after I get livecd built
> successfully.

Sorry for the long wait for a status update; some life moments happened.

Polished all the things on Guix Home side and I can confirm that the
service works correctly and it's possible to make home-environments a
part of operating-system record.

The current, very simple implementation works relatively well.  It accepts a
list of ("user" . home-env) pairs and creates shepherd services which
activate the respective home environments.
https://git.sr.ht/~abcdw/rde/tree/9175c7b37b6861095bae4a696aa1faadf9dc572a/src/gnu/services/home.scm#L1

This is how sway graphical environment activation is implemented in rde-live image.
http://files.trop.in/rde/

I still find it not completely satisfying, because activation happens
when the one-shot shepherd service gets started and not during system
activation, which leads to the problem mentioned by Maxime: you can log in
to the user's shell before the home environment is activated.  I would like
to just extend system activation with calls to the home activation scripts,
but it's not that straightforward because we depend on user-homes (which is
a shepherd service).

That said, the guix-home system service works fine and you can already
use it, but before merging it into Guix I would like to move home
activation into system activation, which requires some work on
user-homes.  It doesn't seem to be a big task, but it still requires some
dedication and I don't know when I'll get spare time for it.  Let me know
if this feature blocks you in some way; otherwise I'll keep working on it
at my own pace.

-- 
Best regards,
Andrew Tropin
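The design described in the last message above, a list of ("user" . home-env) pairs turned into one shepherd activation service per user, written out as an added example; this is not code from this thread, from rde or from Guix. It also applies the points raised in review earlier in the thread: activation runs as the target user and group rather than as root, the environment handed to the activation script is explicit (including GUIX_LOCPATH), the home-environment is referenced from the gexp so it stays in the system closure without a separate gc-root service, and the service auto-starts after user-homes so a login manager cannot hand out a shell before the home is activated. The names guix-home-service-type, home-activation-shepherd-service, home-activation-services and %locale-directory are chosen here for illustration and are not identifiers from either project; the PATH and locale paths assume a standard Guix System layout.

```scheme
;; Added example, not code from this bug thread, from rde or from Guix.
;; Names marked as assumptions are illustrative, not real project identifiers.
(use-modules (gnu)
             (gnu home)
             (gnu services)
             (gnu services shepherd)
             (guix gexp)
             (ice-9 match)
             (srfi srfi-1))

;; Assumption: system locale data lives in the usual Guix System location.
(define %locale-directory "/run/current-system/locale")

(define (home-activation-shepherd-service user he)
  "Return a one-shot shepherd service that runs the activation script of the
home-environment HE as USER."
  (shepherd-service
   (documentation (string-append "Activate the Guix Home environment of "
                                 user "."))
   (provision (list (symbol-append 'guix-home- (string->symbol user))))
   ;; user-homes creates and chowns the home directory; activating before it
   ;; would either fail or leave files with the wrong owner.
   (requirement '(user-homes))
   (one-shot? #t)
   ;; Start at boot so the home is activated before a login manager such as
   ;; gdm can give the user a shell.
   (auto-start? #t)
   (start #~(make-forkexec-constructor
             ;; Referencing HE here keeps it in the system closure, so no
             ;; separate gc-root service is needed.
             (list #$(file-append he "/activate"))
             ;; Drop to the target user and their primary group; a user's
             ;; activation script must never run as root.
             #:user #$user
             #:group (group:name (getgrgid (passwd:gid (getpw #$user))))
             ;; Without this keyword the script would inherit the full
             ;; environment of shepherd (PID 1); pass exactly what it needs.
             #:environment-variables
             (list (string-append "HOME=" (passwd:dir (getpw #$user)))
                   (string-append "USER=" #$user)
                   (string-append "GUIX_LOCPATH=" #$%locale-directory)
                   "PATH=/run/current-system/profile/bin")))))

(define (home-activation-services pairs)
  "Turn a list of (USER . HOME-ENVIRONMENT) pairs into shepherd services,
rejecting malformed entries at system build time instead of at boot."
  (map (match-lambda
         (((? string? user) . he)
          (home-activation-shepherd-service user he))
         (bad
          (error "guix-home: expected (\"user\" . home-environment), got"
                 bad)))
       pairs))

;; Assumed name for this example; the service type eventually merged into
;; Guix may differ.
(define guix-home-service-type
  (service-type
   (name 'guix-home)
   (extensions
    (list (service-extension shepherd-root-service-type
                             home-activation-services)))
   ;; Several (service guix-home-service-type ...) instances may be declared;
   ;; their pair lists are simply appended.
   (compose concatenate)
   (extend append)
   (default-value '())
   (description
    "Activate Guix Home environments for the listed users at boot.")))

;; Usage: a minimal home-environment for the admin user of a rescue image,
;; and the service entry that goes into the operating-system's `services'
;; field, e.g. (cons guix-home-for-admin %base-services).
(define admin-home
  (home-environment
   (packages '())
   (services '())))

(define guix-home-for-admin
  (service guix-home-service-type
           (list (cons "admin" admin-home))))
```

The activation is still a shepherd service rather than part of system activation, which is the remaining limitation the last message describes; the `requirement` on `user-homes` and `auto-start? #t` only close the login race, they do not move the work into system activation.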



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.