bug#56669: enhancement: Link guix system and guix home

2023-02-08 Thread Andrew Tropin
On 2022-07-26 12:23, Andrew Tropin wrote:

> On 2022-07-21 19:25, Maxime Devos wrote:
>
>> On 21-07-2022 19:13, Andrew Tropin wrote:
>>
>>> The source code is here:
>>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>>
>> What's the 'guix-home-gc-roots' for? I would expect the reference 
>> #$(file-append he "/activate") to be sufficient to keep things from 
>> being gc'ed.
>
> It was needed while I was testing manual activation without shepherd
> service, not needed anymore, already removed it locally.
>
>>
>>> + 
>>> 
>>>  
>>> (start #~(make-forkexec-constructor + 
>>> 
>>>  
>>> '(#$(file-append he "/activate")) + 
>>> 
>>>  
>>> #:user #$user + 
>>> 
>>>  
>>> #:environment-variables + 
>>> 
>>>  
>>> (list (string-append "HOME=" (passwd:dir (getpw #$user + 
>>> 
>>>  
>>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))
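
Review bot: In the (start ...) form, #:environment-variables is given a list holding only the "HOME=" entry. Shepherd's make-forkexec-constructor uses that list as the child's entire environment, so /activate starts without PATH, GUIX_LOCPATH or any other default variable. Prepending the HOME entry to (default-environment-variables) would keep the defaults. The form also calls (getpw #$user) twice; binding the passwd entry once with let would give #:group and HOME the same lookup.
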
>> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
>> already internally by /activate, you could consider doing it in a 
>> container to reduce potential irreproducibility, or insecurity on 
>> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
>> security, especially if it appears sufficient for other system services, 
>> but I'm not some expert on what things need to be set).
>>
> It's not set by /activate.
>
>>> + 
>>> 
>>>  
>>> (provision (list (symbol-append 'guix-home- (string->symbol user + 
>>> 
>>>  
>>> (one-shot? #t) + 
>>> 
>>>  
>>> (auto-start? #f)
>> Wouldn't it then be possible for the user to login via the login manager 
>> before initialisation has completed, as gdm etc don't wait for 
>> guix-home-... currently?
>
> You are right, the same as the first one, needed for more manual
> approach, changed to #t, thank you.
>
> Three patches for this service to work are on the way on guix-patches.
> In the meantime, will try to build livecd with the home environment
> inside.
>
> P.S. Probably this system service is far from the final version of this
> feature, I still think about making home-environment a part of
> user-account.  Will evaluate pros and cons, after I get livecd built
> successfully.

Sorry for the long status update, some life moments happened.

Polished all the things on Guix Home side and I can confirm that the
service works correctly and it's possible to make home-environments a
part of operating-system record.

The current, very simple implementation works relatively well.  It accepts a
list of ("user" . home-env) pairs and creates shepherd services, which
activate the respective home environments.
https://git.sr.ht/~abcdw/rde/tree/9175c7b37b6861095bae4a696aa1faadf9dc572a/src/gnu/services/home.scm#L1

This is how sway graphical environment activation is implemented in rde-live 
image.
http://files.trop.in/rde/

I still find it not completely satisfying because activation happens
when the one-shot shepherd service gets started and not during system
activation, which leads to the problem mentioned by Maxime: you can log in
to the user's shell before the home-environment is activated.  I would like to
just extend system activation with calls to home activation scripts, but
it's not that straightforward because we depend on user-homes (which is
a shepherd service).

That said the guix-home system service works fine and you can already
use it, but before merging it to Guix I would like to move home
activations into system activation, which requires some work on
user-homes.  It doesn't seem to be a big task, but still requires some
dedication and IDK when I'll get spare time for it.  Let me know if this
feature blocks you in some way, otherwise I'll keep working on it at my
own pace.

-- 
Best regards,
Andrew Tropin
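
The mechanism described in the message above, a list of ("user" . home-env) pairs turned into one-shot shepherd services, as an added example that is not code from rde or Guix. The module name and the example-* names are hypothetical, it assumes the home-environment object can be lowered by file-append as in the quoted snippet, and it additionally requires user-homes and keeps shepherd's default environment.

```scheme
;; Added illustration, not the rde or Guix source.
;; Hypothetical names: (example home-activation), home-activation-service,
;; example-guix-home-service-type.
(define-module (example home-activation)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (guix gexp)
  #:use-module (ice-9 match)
  #:export (example-guix-home-service-type))

(define (home-activation-service user he)
  "Return a one-shot shepherd service that runs HE's activate script as USER.
Assumption: HE is a file-like object whose output contains /activate."
  (shepherd-service
   (documentation
    (string-append "Activate the home environment of " user "."))
   (provision (list (symbol-append 'guix-home- (string->symbol user))))
   ;; The home directory must exist before activation writes into it.
   (requirement '(user-homes))
   (one-shot? #t)
   ;; #t, as settled in the thread, so activation runs at boot.
   (auto-start? #t)
   (start
    #~(let ((pw (getpw #$user)))        ;single passwd lookup at start time
        (make-forkexec-constructor
         (list #$(file-append he "/activate"))
         ;; Drop privileges: the script runs as the account owner, not root.
         #:user #$user
         #:group (group:name (getgrgid (passwd:gid pw)))
         ;; Add HOME to the defaults instead of replacing the environment.
         #:environment-variables
         (cons (string-append "HOME=" (passwd:dir pw))
               (default-environment-variables)))))))

(define example-guix-home-service-type
  (service-type
   (name 'example-guix-home)
   (description
    "Activate per-user home environments from the system configuration.")
   (extensions
    (list (service-extension
           shepherd-root-service-type
           (lambda (pairs)              ;PAIRS is a list of ("user" . home-env)
             (map (match-lambda
                    ((user . he) (home-activation-service user he)))
                  pairs)))))
   (default-value '())))
```

Because each service is still started by shepherd rather than by system activation, the login race discussed in the thread remains with this layout.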




bug#56669: enhancement: Link guix system and guix home

2022-07-26 Thread Andrew Tropin
On 2022-07-21 19:25, Maxime Devos wrote:

> On 21-07-2022 19:13, Andrew Tropin wrote:
>
>> The source code is here:
>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>
> What's the 'guix-home-gc-roots' for? I would expect the reference 
> #$(file-append he "/activate") to be sufficient to keep things from 
> being gc'ed.

It was needed while I was testing manual activation without shepherd
service, not needed anymore, already removed it locally.

>
>> + 
>> 
>>  
>> (start #~(make-forkexec-constructor + 
>> 
>>  
>> '(#$(file-append he "/activate")) + 
>> 
>>  
>> #:user #$user + 
>> 
>>  
>> #:environment-variables + 
>> 
>>  
>> (list (string-append "HOME=" (passwd:dir (getpw #$user + 
>> 
>>  
>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
> already internally by /activate, you could consider doing it in a 
> container to reduce potential irreproducibility, or insecurity on 
> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
> security, especially if it appears sufficient for other system services, 
> but I'm not some expert on what things need to be set).
>
It's not set by /activate.

>> + 
>> 
>>  
>> (provision (list (symbol-append 'guix-home- (string->symbol user + 
>> 
>>  
>> (one-shot? #t) + 
>> 
>>  
>> (auto-start? #f)
> Wouldn't it then be possible for the user to login via the login manager 
> before initialisation has completed, as gdm etc don't wait for 
> guix-home-... currently?

You are right, the same as the first one, needed for more manual
approach, changed to #t, thank you.

Three patches for this service to work are on the way on guix-patches.
In the meantime, will try to build livecd with the home environment
inside.

P.S. Probably this system service is far from the final version of this
feature, I still think about making home-environment a part of
user-account.  Will evaluate pros and cons, after I get livecd built
successfully.

-- 
Best regards,
Andrew Tropin




bug#56669: enhancement: Link guix system and guix home

2022-07-21 Thread Maxime Devos

On 21-07-2022 19:13, Andrew Tropin wrote:


> The source code is here:
> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9


What's the 'guix-home-gc-roots' for? I would expect the reference 
#$(file-append he "/activate") to be sufficient to keep things from 
being gc'ed.


+ 
 
(start #~(make-forkexec-constructor + 
 
'(#$(file-append he "/activate")) + 
 
#:user #$user + 
 
#:environment-variables + 
 
(list (string-append "HOME=" (passwd:dir (getpw #$user + 
 
#:group (group:name (getgrgid (passwd:gid (getpw #$user))
I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
already internally by /activate, you could consider doing it in a 
container to reduce potential irreproducibility, or insecurity on 
multi-user systems (I'd assume the #:user + #:group to be sufficient for 
security, especially if it appears sufficient for other system services, 
but I'm not some expert on what things need to be set).


+ 
 
(provision (list (symbol-append 'guix-home- (string->symbol user + 
 
(one-shot? #t) + 
 
(auto-start? #f)
Wouldn't it then be possible for the user to login via the login manager 
before initialisation has completed, as gdm etc don't wait for 
guix-home-... currently?


Greetings,
Maxime.





bug#56669: enhancement: Link guix system and guix home

2022-07-21 Thread Andrew Tropin
On 2022-07-20 20:57, Andrew Tropin wrote:

> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>>    ...
>>    (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic pops up from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71...@marvid.fr/
>
> I have spare time tomorrow and can try to implement it, however Idk how
> much time it will take and if I don't finish tomorrow, there is no
> guarantee that I'll finish it anytime soon.

I built a home environment baked into the operating system and successfully
deployed it with guix deploy.  I face some issues with the similar
setup on livecd, but I think I will figure it out soon and will publish
results in a few days.

The source code is here:
https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's drafty and will be rewritten, also there are a few local commits
that I haven't sent to guix yet, but it should work without them if
elogind is enabled.

The usage example:


config.scm
Description: Binary data

-- 
Best regards,
Andrew Tropin




bug#56669: enhancement: Link guix system and guix home

2022-07-20 Thread Andrew Tropin
On 2022-07-20 11:47, Dale Mellor wrote:

> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
> (user-account
>    ...
>    (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...
>

Hi Dale,

it's not easy, but doable.

This topic pops up from time to time, but this feature is not implemented
yet.

https://yhetil.org/guix-devel/20220706112011.77c71...@marvid.fr/

I have spare time tomorrow and can try to implement it, however Idk how
much time it will take and if I don't finish tomorrow, there is no
guarantee that I'll finish it anytime soon.

-- 
Best regards,
Andrew Tropin




bug#56669: enhancement: Link guix system and guix home

2022-07-20 Thread Dale Mellor
I would like to be able to create a rescue disk for my system in which
the admin user's home directory contains a copy of an encrypted key,
for manually unlocking encrypted disk drives.

Following a short discussion in IRC, it appears the best route to
achieve this would be to link *guix system* and *guix home* together,
so that the system configuration file can specify

(user-account
   ...
   (configuration (local-file "my-home-config.scm")))

for example (it should be possible to use either (home-configuration)
or a file-like object here).

Hopefully this is an easy thing to accomplish, but I don't know...

Thanks,
Dale