summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorLiliana Marie Prikler <liliana.prikler@gmail.com>2024-02-03 14:39:49 +0100
committerLiliana Marie Prikler <liliana.prikler@gmail.com>2024-02-03 14:39:49 +0100
commite6c847defb6cb25c65172dec46a322e5d3d45088 (patch)
tree3d249dce1a1f58fcb3c83a41eaf9e1525d7b112e /doc
parent3aef72ec5bf1027bc557daab7010848d80711a28 (diff)
parent179bb57d2532ee6b81791e078b0f782cbf88cb84 (diff)
Merge branch 'master' into gnome-team
Diffstat (limited to 'doc')
-rw-r--r--doc/contributing.texi14
-rw-r--r--doc/guix.texi569
2 files changed, 520 insertions, 63 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 5707ff5cde..a7d91724fb 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -2111,9 +2111,15 @@ they are ready to become a committer. Commit access should not be
thought of as a ``badge of honor'' but rather as a responsibility a
contributor is willing to take to help the project. It is expected from
all contributors, and even more so from committers, to help build
-consensus and make decisions based on consensus. To learn what
-consensus decision making means and understand its finer details, you
-are encouraged to read
+consensus and make decisions based on consensus. By using consensus, we
+are committed to finding solutions that everyone can live with. It
+implies that no decision is made against significant concerns and these
+concerns are actively resolved with proposals that work for everyone. A
+contributor (which may or may not have commit access) wishing to block a
+proposal bears a special responsibility for finding alternatives,
+proposing ideas/code or explain the rationale for the status quo to
+resolve the deadlock. To learn what consensus decision making means and
+understand its finer details, you are encouraged to read
@url{https://www.seedsforchange.org.uk/consensus}.
The following sections explain how to get commit access, how to be ready
@@ -2328,7 +2334,7 @@ Perhaps the biggest action you can do to help GNU Guix grow as a project
is to review the work contributed by others. You do not need to be a
committer to do so; applying, reading the source, building, linting and
running other people's series and sharing your comments about your
-experience will give some confidence to committers. Basically, you gmust
+experience will give some confidence to committers. Basically, you must
ensure the check list found in the @ref{Submitting Patches} section has
been correctly followed. A reviewed patch series should give the best
chances for the proposed change to be merged faster, so if a change you
diff --git a/doc/guix.texi b/doc/guix.texi
index 37fce128d7..92d10ff6e5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22,7 +22,7 @@
@set SUBSTITUTE-URLS https://@value{SUBSTITUTE-SERVER-1} https://@value{SUBSTITUTE-SERVER-2}
@copying
-Copyright @copyright{} 2012-2023 Ludovic Courtès@*
+Copyright @copyright{} 2012-2024 Ludovic Courtès@*
Copyright @copyright{} 2013, 2014, 2016 Andreas Enge@*
Copyright @copyright{} 2013 Nikita Karetnikov@*
Copyright @copyright{} 2014, 2015, 2016 Alex Kost@*
@@ -43,7 +43,7 @@ Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021 Christopher Baines@*
Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@*
Copyright @copyright{} 2017 Federico Beffa@*
-Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
+Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@*
Copyright @copyright{} 2017 Thomas Danckaert@*
Copyright @copyright{} 2017 humanitiesNerd@*
Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
@@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Foundation Devices, Inc.@*
Copyright @copyright{} 2023 Thomas Ieong@*
Copyright @copyright{} 2023 Saku Laesvuori@*
Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -4354,7 +4355,7 @@ There are several such multiple-output packages in the GNU distribution.
Other conventional output names include @code{lib} for libraries and
possibly header files, @code{bin} for stand-alone programs, and
@code{debug} for debugging information (@pxref{Installing Debugging
-Files}). The outputs of a packages are listed in the third column of
+Files}). The outputs of a package are listed in the third column of
the output of @command{guix package --list-available} (@pxref{Invoking
guix package}).
@@ -5002,7 +5003,8 @@ environment} command to spawn an environment in a container running
@command{guile} (@command{guix environment} has since been subsumed by
@command{guix shell}; @pxref{Invoking guix shell}). It's like driving a
DeLorean@footnote{If you don't know what a DeLorean is, consider
-traveling back to the 1980's.}! The first @command{guix time-machine}
+traveling back to the 1980's. (@uref{https://www.imdb.com/title/tt0088763/,
+Back to the Future (1985)})}! The first @command{guix time-machine}
invocation can be expensive: it may have to download or even build a
large number of packages; the result is cached though and subsequent
commands targeting the same commit are almost instantaneous.
@@ -7161,7 +7163,7 @@ What if the recipient of your pack does not have root privileges on
their machine, and thus cannot unpack it in the root file system? In
that case, you will want to use the @option{--relocatable} option (see
below). This option produces @dfn{relocatable binaries}, meaning they
-they can be placed anywhere in the file system hierarchy: in the example
+can be placed anywhere in the file system hierarchy: in the example
above, users can unpack your tarball in their home directory and
directly run @file{./opt/gnu/bin/guile}.
@@ -10193,8 +10195,8 @@ It also generates font metrics (i.e., @file{.tfm} files) out of Metafont
files whenever possible. Likewise, it can also create TeX formats
(i.e., @file{.fmt} files) listed in the @code{#:create-formats}
argument, and generate a symbolic link from @file{bin/} directory to any
-script located in located in @file{texmf-dist/scripts/}, provided its
-file name is listed in @code{#:link-scripts} argument.
+script located in @file{texmf-dist/scripts/}, provided its file name is
+listed in @code{#:link-scripts} argument.
The build system adds @code{texlive-bin} from @code{(gnu packages tex)}
to the native inputs. It can be overridden with the
@@ -13915,8 +13917,8 @@ happen because the daemon runs builds in containers where, unlike in our
environment above, network access is missing, @file{/bin/sh} does not
exist, etc. (@pxref{Build Environment Setup}).
-In such cases, you may need to run inspect the build process from within
-a container similar to the one the build daemon creates:
+In such cases, you may need to inspect the build process from within a
+container similar to the one the build daemon creates:
@example
$ guix build -K foo
@@ -14019,6 +14021,9 @@ the certificates of X.509 authorities from the directory pointed to by
the @env{SSL_CERT_DIR} environment variable (@pxref{X.509
Certificates}), unless @option{--no-check-certificate} is used.
+Alternatively, @command{guix download} can also retrieve a Git
+repository, possibly a specific commit, tag, or branch.
+
The following options are available:
@table @code
@@ -14043,6 +14048,26 @@ URL, which makes you vulnerable to ``man-in-the-middle'' attacks.
@itemx -o @var{file}
Save the downloaded file to @var{file} instead of adding it to the
store.
+
+@item --git
+@itemx -g
+Checkout the Git repository at the latest commit on the default branch.
+
+@item --commit=@var{commit-or-tag}
+Checkout the Git repository at @var{commit-or-tag}.
+
+@var{commit-or-tag} can be either a tag or a commit defined in the Git
+repository.
+
+@item --branch=@var{branch}
+Checkout the Git repository at @var{branch}.
+
+The repository will be checked out at the latest commit of @var{branch},
+which must be a valid branch of the Git repository.
+
+@item --recursive
+@itemx -r
+Recursively clone the Git repository.
@end table
@node Invoking guix hash
@@ -14294,8 +14319,7 @@ should be checked closely. If Perl is available in the store, then the
@code{corelist} utility will be used to filter core modules out of the
list of dependencies.
-The command command below imports metadata for the Acme::Boolean Perl
-module:
+The command below imports metadata for the Acme::Boolean Perl module:
@example
guix import cpan Acme::Boolean
@@ -15688,7 +15712,7 @@ Coreutils}).
When the given packages are @emph{not} in the store, @command{guix size}
reports information based on the available substitutes
-(@pxref{Substitutes}). This makes it possible it to profile disk usage of
+(@pxref{Substitutes}). This makes it possible to profile the disk usage of
store items that are not even on disk, only available remotely.
You can also specify several package names:
@@ -16720,6 +16744,20 @@ guix package}).
This option can be repeated several times, in which case the manifests
are concatenated.
+@item --expression=@var{expr}
+@itemx -e @var{expr}
+Consider the package @var{expr} evaluates to.
+
+A typical use case for this option is specifying a package that is
+hidden and thus cannot be referred to in the usual way, as in this
+example:
+
+@example
+guix weather -e '(@@@@ (gnu packages rust) rust-bootstrap)'
+@end example
+
+This option can be repeated.
+
@item --coverage[=@var{count}]
@itemx -c [@var{count}]
Report on substitute coverage for packages: list packages with at least
@@ -16792,7 +16830,7 @@ ChildCommand: guix offload x86_64-linux 7200 1 28800
@end example
In this example we see that @command{guix-daemon} has three clients:
-@command{guix environment}, @command{guix publish}, and the Cuirass continuous
+@command{guix shell}, @command{guix publish}, and the Cuirass continuous
integration tool; their process identifier (PID) is given by the
@code{ClientPID} field. The @code{SessionPID} field gives the PID of the
@command{guix-daemon} sub-process of this particular session.
@@ -16902,6 +16940,7 @@ The available targets are:
- i686-linux-gnu
- i686-w64-mingw32
- mips64el-linux-gnu
+ - or1k-elf
- powerpc-linux-gnu
- powerpc64le-linux-gnu
- riscv64-linux-gnu
@@ -17992,6 +18031,30 @@ command from the package with the same name. It relies on the
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot. If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;; cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
@@ -19966,7 +20029,7 @@ in users, including:
Special variation of @code{pam-mount} to mount @code{XDG_RUNTIME_DIR}
@end itemize
-Here is example of switching from @code{mingetty-service-type} to
+Here is an example of switching from @code{mingetty-service-type} to
@code{greetd-service-type}, and how different terminals could be:
@lisp
@@ -20931,8 +20994,7 @@ package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.
This is the service type to run @url{https://01.org/connman,Connman},
a network connection manager.
-Its value must be an
-@code{connman-configuration} record as in this example:
+Its value must be a @code{connman-configuration} record as in this example:
@lisp
(service connman-service-type
@@ -20959,7 +21021,212 @@ networks.
@item @code{disable-vpn?} (default: @code{#f})
When true, disable connman's vpn plugin.
+@item @code{general-configuration} (default: @code{(connman-general-configuration)})
+Configuration serialized to @file{main.conf} and passed as @option{--config}
+to @command{connmand}.
+
+@end table
+@end deftp
+
+@c %start of fragment
+
+@deftp {Data Type} connman-general-configuration
+Available @code{connman-general-configuration} fields are:
+
+@table @asis
+@item @code{input-request-timeout} (type: maybe-number)
+Set input request timeout. Default is 120 seconds. The request for
+inputs like passphrase will timeout after certain amount of time. Use
+this setting to increase the value in case of different user interface
+designs.
+
+@item @code{browser-launch-timeout} (type: maybe-number)
+Set browser launch timeout. Default is 300 seconds. The request for
+launching a browser for portal pages will timeout after certain amount
+of time. Use this setting to increase the value in case of different
+user interface designs.
+
+@item @code{background-scanning?} (type: maybe-boolean)
+Enable background scanning. Default is true. If wifi is disconnected,
+the background scanning will follow a simple back off mechanism from 3s
+up to 5 minutes. Then, it will stay in 5 minutes unless user
+specifically asks for scanning through a D-Bus call. If so, the
+mechanism will start again from 3s. This feature activates also the
+background scanning while being connected, which is required for roaming
+on wifi. When @code{background-scanning?} is false, ConnMan will not
+perform any scan regardless of wifi is connected or not, unless it is
+requested by the user through a D-Bus call.
+
+@item @code{use-gateways-as-timeservers?} (type: maybe-boolean)
+Assume that service gateways also function as timeservers. Default is
+false.
+
+@item @code{fallback-timeservers} (type: maybe-list)
+List of Fallback timeservers. These timeservers are used for NTP sync
+when there are no timeservers set by the user or by the service, and
+when @code{use-gateways-as-timeservers?} is @code{#f}. These can
+contain a mixed combination of fully qualified domain names, IPv4 and
+IPv6 addresses.
+
+@item @code{fallback-nameservers} (type: maybe-list)
+List of fallback nameservers appended to the list of nameservers given
+by the service. The nameserver entries must be in numeric format, host
+names are ignored.
+
+@item @code{default-auto-connect-technologies} (type: maybe-list)
+List of technologies that are marked autoconnectable by default. The
+default value for this entry when empty is @code{"ethernet"},
+@code{"wifi"}, @code{"cellular"}. Services that are automatically
+connected must have been set up and saved to storage beforehand.
+
+@item @code{default-favourite-technologies} (type: maybe-list)
+List of technologies that are marked favorite by default. The default
+value for this entry when empty is @code{"ethernet"}. Connects to
+services from this technology even if not setup and saved to storage.
+
+@item @code{always-connected-technologies} (type: maybe-list)
+List of technologies which are always connected regardless of
+preferred-technologies setting (@code{auto-connect?} @code{#t}). The
+default value is empty and this feature is disabled unless explicitly
+enabled.
+
+@item @code{preferred-technologies} (type: maybe-list)
+List of preferred technologies from the most preferred one to the least
+preferred one. Services of the listed technology type will be tried one
+by one in the order given, until one of them gets connected or they are
+all tried. A service of a preferred technology type in state 'ready'
+will get the default route when compared to another preferred type
+further down the list with state 'ready' or with a non-preferred type; a
+service of a preferred technology type in state 'online' will get the
+default route when compared to either a non-preferred type or a
+preferred type further down in the list.
+
+@item @code{network-interface-blacklist} (type: maybe-list)
+List of blacklisted network interfaces. Found interfaces will be
+compared to the list and will not be handled by ConnMan, if their first
+characters match any of the list entries. Default value is
+@code{"vmnet"}, @code{"vboxnet"}, @code{"virbr"}, @code{"ifb"}.
+
+@item @code{allow-hostname-updates?} (type: maybe-boolean)
+Allow ConnMan to change the system hostname. This can happen for
+example if we receive DHCP hostname option. Default value is @code{#t}.
+
+@item @code{allow-domainname-updates?} (type: maybe-boolean)
+Allow connman to change the system domainname. This can happen for
+example if we receive DHCP domainname option. Default value is
+@code{#t}.
+
+@item @code{single-connected-technology?} (type: maybe-boolean)
+Keep only a single connected technology at any time. When a new service
+is connected by the user or a better one is found according to
+preferred-technologies, the new service is kept connected and all the
+other previously connected services are disconnected. With this setting
+it does not matter whether the previously connected services are in
+'online' or 'ready' states, the newly connected service is the only one
+that will be kept connected. A service connected by the user will be
+used until going out of network coverage. With this setting enabled
+applications will notice more network breaks than normal. Note this
+options can't be used with VPNs. Default value is @code{#f}.
+
+@item @code{tethering-technologies} (type: maybe-list)
+List of technologies that are allowed to enable tethering. The default
+value is @code{"wifi"}, @code{"bluetooth"}, @code{"gadget"}. Only those
+technologies listed here are used for tethering. If one wants to tether
+ethernet, then add @code{"ethernet"} in the list. Note that if ethernet
+tethering is enabled, then a DHCP server is started on all ethernet
+interfaces. Tethered ethernet should never be connected to corporate or
+home network as it will disrupt normal operation of these networks. Due
+to this ethernet is not tethered by default. Do not activate ethernet
+tethering unless you really know what you are doing.
+
+@item @code{persistent-tethering-mode?} (type: maybe-boolean)
+Restore earlier tethering status when returning from offline mode,
+re-enabling a technology, and after restarts and reboots. Default value
+is @code{#f}.
+
+@item @code{enable-6to4?} (type: maybe-boolean)
+Automatically enable anycast 6to4 if possible. This is not recommended,
+as the use of 6to4 will generally lead to a severe degradation of
+connection quality. See RFC6343. Default value is @code{#f} (as
+recommended by RFC6343 section 4.1).
+
+@item @code{vendor-class-id} (type: maybe-string)
+Set DHCP option 60 (Vendor Class ID) to the given string. This option
+can be used by DHCP servers to identify specific clients without having
+to rely on MAC address ranges, etc.
+
+@item @code{enable-online-check?} (type: maybe-boolean)
+Enable or disable use of HTTP GET as an online status check. When a
+service is in a READY state, and is selected as default, ConnMan will
+issue an HTTP GET request to verify that end-to-end connectivity is
+successful. Only then the service will be transitioned to ONLINE state.
+If this setting is false, the default service will remain in READY
+state. Default value is @code{#t}.
+
+@item @code{online-check-ipv4-url} (type: maybe-string)
+IPv4 URL used during the online status check. Please refer to the
+README for more detailed information. Default value is
+@uref{http://ipv4.connman.net/online/status.html}.
+
+@item @code{online-check-ipv6-url} (type: maybe-string)
+IPv6 URL used during the online status check. Please refer to the
+README for more detailed information. Default value is
+@uref{http://ipv6.connman.net/online/status.html}.
+
+@item @code{online-check-initial-interval} (type: maybe-number)
+Range of intervals between two online check requests. Please refer to
+the README for more detailed information. Default value is @samp{1}.
+
+@item @code{online-check-max-interval} (type: maybe-number)
+Range of intervals between two online check requests. Please refer to
+the README for more detailed information. Default value is @samp{1}.
+
+@item @code{enable-online-to-ready-transition?} (type: maybe-boolean)
+WARNING: This is an experimental feature. In addition to
+@code{enable-online-check} setting, enable or disable use of HTTP GET to
+detect the loss of end-to-end connectivity. If this setting is
+@code{#f}, when the default service transitions to ONLINE state, the
+HTTP GET request is no more called until next cycle, initiated by a
+transition of the default service to DISCONNECT state. If this setting
+is @code{#t}, the HTTP GET request keeps being called to guarantee that
+end-to-end connectivity is still successful. If not, the default
+service will transition to READY state, enabling another service to
+become the default one, in replacement. Default value is @code{#f}.
+
+@item @code{auto-connect-roaming-services?} (type: maybe-boolean)
+Automatically connect roaming services. This is not recommended unless
+you know you won't have any billing problem. Default value is
+@code{#f}.
+
+@item @code{address-conflict-detection?} (type: maybe-boolean)
+Enable or disable the implementation of IPv4 address conflict detection
+according to RFC5227. ConnMan will send probe ARP packets to see if an
+IPv4 address is already in use before assigning the address to an
+interface. If an address conflict occurs for a statically configured
+address, an IPv4LL address will be chosen instead (according to
+RFC3927). If an address conflict occurs for an address offered via
+DHCP, ConnMan sends a DHCP DECLINE once and for the second conflict
+resorts to finding an IPv4LL address. Default value is @code{#f}.
+
+@item @code{localtime} (type: maybe-string)
+Path to localtime file. Defaults to @file{/etc/localtime}.
+
+@item @code{regulatory-domain-follows-timezone?} (type: maybe-boolean)
+Enable regulatory domain to be changed along timezone changes. With
+this option set to true each time the timezone changes the first present
+ISO3166 country code is read from
+@file{/usr/share/zoneinfo/zone1970.tab} and set as regulatory domain
+value. Default value is @code{#f}.
+
+@item @code{resolv-conf} (type: maybe-string)
+Path to resolv.conf file. If the file does not exist, but intermediate
+directories exist, it will be created. If this option is not set, it
+tries to write into @file{/var/run/connman/resolv.conf} if it fails
+(@file{/var/run/connman} does not exist or is not writeable). If you do
+not want to update resolv.conf, you can set @file{/dev/null}.
+
@end table
+
@end deftp
@cindex WPA Supplicant
@@ -21160,7 +21427,7 @@ The WiFi channel to use.
@item @code{driver} (default: @code{"nl80211"})
The driver interface type. @code{"nl80211"} is used with all Linux
mac80211 drivers. Use @code{"none"} if building hostapd as a standalone
-RADIUS server that does # not control any wireless/wired driver.
+RADIUS server that does not control any wireless/wired driver.
@item @code{extra-settings} (default: @code{""})
Extra settings to append as-is to the hostapd configuration file. See
@@ -22422,7 +22689,7 @@ private keys in it}. See the output of @code{yggdrasil -genconf} for a
quick overview of valid keys and their default values.
@item @code{autoconf?} (default: @code{#f})
-Whether to use automatic mode. Enabling it makes Yggdrasil use adynamic IP
+Whether to use automatic mode. Enabling it makes Yggdrasil use a dynamic IP
and peer with IPv6 neighbors.
@item @code{log-level} (default: @code{'info})
@@ -24936,7 +25203,7 @@ List of possible UUIDs:
@code{671b10b5-42c0-4696-9227-eb28d1b049d6}: BlueZ Experimental Simultaneous Central and Peripheral,
@item
-@code{"15c0a148-c273-11ea-b3de-0242ac130004}: BlueZ Experimental LL privacy,
+@code{15c0a148-c273-11ea-b3de-0242ac130004}: BlueZ Experimental LL privacy,
@item
@code{330859bc-7506-492d-9370-9a6f0614037f}: BlueZ Experimental Bluetooth Quality Report,
@@ -25566,6 +25833,9 @@ The @code{(gnu services databases)} module provides the following services.
@subsubheading PostgreSQL
+@defvar postgresql-service-type
+The service type for the PostgreSQL database server. Its value should
+be a valid @code{postgresql-configuration} object, documented below.
The following example describes a PostgreSQL service with the default
configuration.
@@ -25592,13 +25862,14 @@ sudo -u postgres -s /bin/sh
createuser --interactive
createdb $MY_USER_LOGIN # Replace appropriately.
@end example
+@end defvar
@deftp {Data Type} postgresql-configuration
Data type representing the configuration for the
@code{postgresql-service-type}.
@table @asis
-@item @code{postgresql}
+@item @code{postgresql} (default: @code{postgresql-10})
PostgreSQL package to use for the service.
@item @code{port} (default: @code{5432})
@@ -27899,7 +28170,7 @@ Prosodyctl will also help you to import certificates from the
them. See @url{https://prosody.im/doc/letsencrypt}.
@example
-prosodyctl --root cert import /etc/letsencrypt/live
+prosodyctl --root cert import /etc/certs
@end example
The available configuration parameters follow. Each parameter
@@ -28365,10 +28636,11 @@ services:
@subsubheading Jami
-@cindex jami, service
-
-This section describes how to configure a Jami server that can be used
-to host video (or audio) conferences, among other uses. The following
+@defvar jami-service-type
+The service type for running Jami as a service. It takes a
+@code{jami-configuration} object as a value, documented below. This
+section describes how to configure a Jami server that can be used to
+host video (or audio) conferences, among other uses. The following
example demonstrates how to specify Jami account archives (backups) to
be provisioned automatically:
@@ -28496,6 +28768,7 @@ Account_username: f3345f2775ddfe07a4b0d95daea111d15fbc1199
The remaining actions should be self-explanatory.
The complete set of available configuration options is detailed below.
+@end defvar
@c TODO: Ideally, the following fragments would be auto-generated at
@c build time, so that they needn't be manually duplicated.
@@ -28592,6 +28865,12 @@ account fingerprint for a registered username.
This section describes how to set up and run a
@uref{https://mumble.info, Mumble} server (formerly known as Murmur).
+@defvar mumble-server-service-type
+
+This is the service to run a Mumble server. It takes a
+@code{mumble-server-configuration} object as its value, defined below.
+@end defvar
+
@deftp {Data Type} mumble-server-configuration
The service type for the Mumble server. An example configuration can
look like this:
@@ -28602,8 +28881,8 @@ look like this:
(welcome-text
"Welcome to this Mumble server running on Guix!")
(cert-required? #t) ;disallow text password logins
- (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
- (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
+ (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem")
+ (ssl-key "/etc/certs/mumble.example.com/privkey.pem")))
@end lisp
After reconfiguring your system, you can manually set the mumble-server
@@ -28721,12 +29000,12 @@ Should logged ips be obfuscated to protect the privacy of users.
File name of the SSL/TLS certificate used for encrypted connections.
@lisp
-(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
+(ssl-cert "/etc/certs/example.com/fullchain.pem")
@end lisp
@item @code{ssl-key} (default: @code{#f})
Filepath to the ssl private key used for encrypted connections.
@lisp
-(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
+(ssl-key "/etc/certs/example.com/privkey.pem")
@end lisp
@item @code{ssl-dh-params} (default: @code{#f})
@@ -31081,7 +31360,7 @@ the configuration.
(httpd-virtualhost
"*:80"
(list (string-join '("ServerName www.example.com"
- "DocumentRoot /srv/http/www.example.com")
+ "DocumentRoot /srv/http/www.example.com")
"\n")))))
@end lisp
@end defvar
@@ -32318,21 +32597,13 @@ A service type for the @code{certbot} Let's Encrypt client. Its value
must be a @code{certbot-configuration} record as in this example:
@lisp
-(define %certbot-deploy-hook
- (program-file "certbot-deploy-hook.scm"
- (with-imported-modules '((gnu services herd))
- #~(begin
- (use-modules (gnu services herd))
- (with-shepherd-action 'nginx ('reload) result result)))))
-
(service certbot-service-type
(certbot-configuration
(email "foo@@example.net")
(certificates
(list
(certificate-configuration
- (domains '("example.net" "www.example.net"))
- (deploy-hook %certbot-deploy-hook))
+ (domains '("example.net" "www.example.net")))
(certificate-configuration
(domains '("bar.example.net")))))))
@end lisp
@@ -32446,12 +32717,18 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
+@item @code{start-self-signed?} (default: @code{#t})
+Whether to generate an initial self-signed certificate during system
+activation. This option is particularly useful to allow @code{nginx} to
+start before @code{certbot} has run, because @code{certbot} relies on
+@code{nginx} running to perform HTTP challenges.
+
@end table
@end deftp
For each @code{certificate-configuration}, the certificate is saved to
-@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
-saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
+@code{/etc/certs/@var{name}/fullchain.pem} and the key is
+saved to @code{/etc/certs/@var{name}/privkey.pem}.
@node DNS Services
@subsection DNS Services
@cindex DNS (domain name system)
@@ -35159,6 +35436,7 @@ Owner of the @command{mympd} process.
The default @code{%mympd-user} is a system user with the name ``mympd'',
who is a part of the group @var{group} (see below).
+
@item @code{group} (default: @code{%mympd-group}) (type: user-group)
Owner group of the @command{mympd} process.
@@ -37136,9 +37414,9 @@ serve the default @file{/srv/git} over HTTPS might be:
(listen '("443 ssl"))
(server-name "git.my-host.org")
(ssl-certificate
- "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
+ "/etc/certs/git.my-host.org/fullchain.pem")
(ssl-certificate-key
- "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
+ "/etc/certs/git.my-host.org/privkey.pem")
(locations
(list
(git-http-nginx-location-configuration
@@ -38263,9 +38541,9 @@ footers.
(nginx-server-block
(nginx-server-configuration
(ssl-certificate
- "/etc/letsencrypt/live/myweb.site/fullchain.pem")
+ "/etc/certs/myweb.site/fullchain.pem")
(ssl-certificate-key
- "/etc/letsencrypt/live/myweb.site/privkey.pem")
+ "/etc/certs/myweb.site/privkey.pem")
(listen '("443 ssl http2" "[::]:443 ssl http2"))
(locations
(list
@@ -40268,7 +40546,7 @@ Backend to use to detect changes in the @code{log-path}. The default is
@file{/etc/fail2ban/jail.conf} file of the @code{fail2ban} package.
@item @code{max-retry} (type: maybe-integer)
-The number of failures before a host get banned (e.g. @code{(max-retry
+The number of failures before a host gets banned (e.g. @code{(max-retry
5)}).
@item @code{max-matches} (type: maybe-integer)
@@ -41080,6 +41358,55 @@ This option in enabled by default. In some cases involving the
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
@@ -41180,7 +41507,7 @@ Of course, these options can be combined:
'("console=com0" "noide")
@end lisp
-+@item @code{multiboot-modules} (default: @code{'()})
+@item @code{multiboot-modules} (default: @code{'()})
The list of commands for loading Multiboot modules. For example:
@lisp
@@ -42849,6 +43176,15 @@ shepherd, The GNU Shepherd Manual}, for more info.
Whether to restart the service when it stops, for instance when the
underlying process dies.
+@item @code{respawn-limit} (default: @code{#f})
+Set a limit on how many times and how frequently a service may be
+restarted by Shepherd before it is disabled. @xref{Defining
+Services,,, shepherd, The GNU Shepherd Manual}, for details.
+
+@item @code{respawn-delay} (default: @code{#f})
+When true, this is the delay in seconds before restarting a failed
+service.
+
@item @code{start}
@itemx @code{stop} (default: @code{#~(const #f)})
The @code{start} and @code{stop} fields refer to the Shepherd's
@@ -43081,7 +43417,7 @@ A clause has the following form:
the generated record.
@var{type-decl} is either @code{@var{type}} for fields that require a
-value to be set or @code{(@var{type} @var{default})} otherwise.
+value to be set or @code{(@var{type} @var{default-value})} otherwise.
@var{type} is the type of the value corresponding to @var{field-name};
since Guile is untyped, a predicate
@@ -43922,6 +44258,116 @@ to use alternative services to implement more advanced use cases like
read-only home. Feel free to experiment and share your results.
@end defvar
+@cindex dot files in Guix Home
+It is often the case that Guix Home users already have a setup for versioning
+their user configuration files (also known as @emph{dot files}) in a single
+directory, and some way of automatically deploy changes to their user home.
+
+@cindex Stow-like dot file management
+The @code{home-dotfiles-service-type} from @code{(gnu home services dotfiles)}
+is designed to ease the way into using Guix Home for this kind of users,
+allowing them to point the service to their dotfiles directory, which must
+follow the layout suggested by
+@uref{https://www.gnu.org/software/stow/, GNU Stow},
+and have their dotfiles automatically deployed to their user home, without
+migrating them to Guix native configurations.
+
+The dotfiles directory layout is expected to be structured as follows. Please
+keep in mind that it is advisable to keep your dotfiles directories under
+version control, for example in the same repository where you'd track your
+Guix Home configuration.
+
+@example
+~$ tree -a ./dotfiles/
+dotfiles/
+├── git
+│ └── .gitconfig
+├── gpg
+│ └── .gnupg
+│ ├── gpg-agent.conf
+│ └── gpg.conf
+├── guile
+│ └── .guile
+├── guix
+│ └── .config
+│ └── guix
+│ └── channels.scm
+├── nix
+│ ├── .config
+│ │ └── nixpkgs
+│ │ └── config.nix
+│ └── .nix-channels
+├── tmux
+│ └── .tmux.conf
+└── vim
+ └── .vimrc
+
+13 directories, 10 files
+@end example
+
+For an informal specification please refer to the Stow manual
+(@pxref{Top,,, stow, Introduction}). A suitable configuration would then
+be:
+
+@lisp
+(home-environment
+ ;; @dots{}
+ (services
+ (service home-dotfiles-service-type
+ (home-dotfiles-configuration
+ (directories (list "./dotfiles"))))))
+@end lisp
+
+The expected home directory state would then be:
+
+@example
+.
+├── .config
+│ ├── guix
+│ │ └── channels.scm
+│ └── nixpkgs
+│ └── config.nix
+├── .gitconfig
+├── .gnupg
+│ ├── gpg-agent.conf
+│ └── gpg.conf
+├── .guile
+├── .nix-channels
+├── .tmux.conf
+└── .vimrc
+@end example
+
+@defvar home-dotfiles-service-type
+Return a service which is very similiar to @code{home-files-service-type}
+(and actually extends it), but designed to ease the way into using Guix
+Home for users that already track their dotfiles under some kind of version
+control. This service allows users to point Guix Home to their dotfiles
+directory and have their files automatically deployed to their home directory
+just like Stow would, without migrating all of their dotfiles to Guix native
+configurations.
+@end defvar
+
+@deftp {Data Type} home-dotfiles-configuration
+Available @code{home-dotfiles-configuration} fields are:
+
+@table @asis
+@item @code{source-directory} (default: @code{(current-source-directory)})
+The path where dotfile directories are resolved. By default dotfile directories
+are resolved relative the source location where
+@code{home-dotfiles-configuration} appears.
+
+@item @code{directories} (type: list-of-strings)
+The list of dotfiles directories where @code{home-dotfiles-service-type} will
+look for application dotfiles.
+
+@item @code{exclude} (default: @code{'(".*~" ".*\\.swp" "\\.git" "\\.gitignore")})
+The list of file patterns @code{home-dotfiles-service-type} will exclude while
+visiting each one of the @code{directories}.
+
+@end table
+
+@end deftp
+
@defvar home-xdg-configuration-files-service-type
The service is very similar to @code{home-files-service-type} (and
actually extends it), but used for defining files, which will go to
@@ -44599,19 +45045,19 @@ running on this machine, then it @emph{may} take this file into account:
this is what @command{sshd} does by default, but be aware that it can
also be configured to ignore it.
-@item @code{add-keys-to-agent} (default: @code{``no''})
+@item @code{add-keys-to-agent} (default: @code{no})
This string specifies whether keys should be automatically added to a
-running ssh-agent. If this option is set to @code{``yes''} and a key is
+running ssh-agent. If this option is set to @code{yes} and a key is
loaded from a file, the key and its passphrase are added to the agent
with the default lifetime, as if by @code{ssh-add}. If this option is
-set to @code{``ask''}, @code{ssh} will require confirmation. If this
-option is set to @code{``confirm''}, each use of the key must be
-confirmed. If this option is set to @code{``no''}, no keys are added to
+set to @code{ask}, @code{ssh} will require confirmation. If this
+option is set to @code{confirm}, each use of the key must be
+confirmed. If this option is set to @code{no}, no keys are added to
the agent. Alternately, this option may be specified as a time interval
to specify the key's lifetime in @code{ssh-agent}, after which it will
-automatically be removed. The argument must be @code{``no''},
-@code{``yes''}, @code{``confirm''} (optionally followed by a time
-interval), @code{``ask''} or a time interval.
+automatically be removed. The argument must be @code{no},
+@code{yes}, @code{confirm} (optionally followed by a time
+interval), @code{ask} or a time interval.
@end table
@end deftp
@@ -46128,6 +46574,11 @@ Platform targeting AVR CPUs without an operating system, with run-time support
from AVR Libc.
@end defvar
+@defvar or1k-elf
+Platform targeting OpenRISC 1000 CPU without an operating system and without a
+C standard library.
+@end defvar
+
@node System Images
@chapter Creating System Images
@@ -46687,7 +47138,7 @@ missing.
@node Separate Debug Info
@section Separate Debug Info
-The problem with debugging information is that is takes up a fair amount
+The problem with debugging information is that it takes up a fair amount
of disk space. For example, debugging information for the GNU C Library
weighs in at more than 60 MiB@. Thus, as a user, keeping all the
debugging info of all the installed programs is usually not an option.
@@ -47170,7 +47621,7 @@ traditional bootstrap of the rest of the Guix System.
@c ./pre-inst-env guix graph -e '(@@ (gnu packages commencement) gcc-core-mesboot0)' | sed -re 's,((bootstrap-seeds|guile-bootstrap).*shape =) box,\1 ellipse,' > doc/images/gcc-core-mesboot0-graph.dot
@image{images/gcc-core-mesboot0-graph,6in,,Dependency graph of gcc-core-mesboot0}
-Work is ongoing to to bring these bootstraps to the @code{arm-linux} and
+Work is ongoing to bring these bootstraps to the @code{arm-linux} and
@code{aarch64-linux} architectures and to the Hurd.
If you are interested, join us on @samp{#bootstrappable} on the Libera.Chat
@@ -47341,7 +47792,7 @@ bootstrap GCC with a sequence of assemblers, interpreters, and compilers
of increasing complexity, which could be built from source starting from
a simple and auditable assembler.
-Our first major achievement is the replacement of of GCC, the GNU C Library
+Our first major achievement is the replacement of GCC, the GNU C Library
and Binutils by MesCC-Tools (a simple hex linker and macro assembler) and Mes
(@pxref{Top, GNU Mes Reference Manual,, mes, GNU Mes}, a Scheme interpreter
and C compiler in Scheme). Neither MesCC-Tools nor Mes can be fully