enhancement: Link guix system and guix home

Open

Details

3 participants

Andrew Tropin
Maxime Devos
Dale Mellor

Owner: unassigned

Submitted by: Dale Mellor

Severity: normal

Dale Mellor wrote on 20 Jul 2022 12:47

Recipients:(address . bug-guix@gnu.org)

Message-ID:63960cf762aec1ed2c4182f49cac66bc37fce2aa.camel@rdmp.org

I would like to be able to create a rescue disk for my system in which

the admin user's home directory contains a copy of an encrypted key,

for manually unlocking encrypted disk drives.

Following a short discussion in IRC, it appears the best route to

achieve this would be to link *guix system* and *guix home* together,

so that the system configuration file can specify

(user-account

...

(configuration (local-file "my-home-config.scm")))

for example (it should be possible to use either (home-configuration)

or a file-like object here).

Hopefully this is an easy thing to accomplish, but I don't know...

Thanks,

Dale

Andrew Tropin wrote on 20 Jul 2022 19:57

Recipients:(name . Tissevert)(address . tissevert+guix@marvid.fr)

Message-ID:87o7xjbrb1.fsf@trop.in

On 2022-07-20 11:47, Dale Mellor wrote:

Toggle quote (18 lines)> I would like to be able to create a rescue disk for my system in which
> the admin user's home directory contains a copy of an encrypted key,
> for manually unlocking encrypted disk drives.
>
> Following a short discussion in IRC, it appears the best route to
> achieve this would be to link *guix system* and *guix home* together,
> so that the system configuration file can specify
>
> (user-account
>    ...
>    (configuration (local-file "my-home-config.scm")))
>
> for example (it should be possible to use either (home-configuration)
> or a file-like object here).
>
> Hopefully this is an easy thing to accomplish, but I don't know...
>

Hi Dale,

it's not easy, but doable.

This topic popups from time to time, but this feature is not implemented

yet.

https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/

I have spare time tomorrow and can try to implement it, however Idk how

much time will it take and if I don't finish tomorrow, there is no

guarantee that I'll finish it anytime soon.

Best regards,

Andrew Tropin

Andrew Tropin wrote on 21 Jul 2022 19:13

Recipients:(name . Tissevert)(address . tissevert+guix@marvid.fr)

Message-ID:87k086crtr.fsf@trop.in

On 2022-07-20 20:57, Andrew Tropin wrote:

Toggle quote (33 lines)> On 2022-07-20 11:47, Dale Mellor wrote:
>
>> I would like to be able to create a rescue disk for my system in which
>> the admin user's home directory contains a copy of an encrypted key,
>> for manually unlocking encrypted disk drives.
>>
>> Following a short discussion in IRC, it appears the best route to
>> achieve this would be to link *guix system* and *guix home* together,
>> so that the system configuration file can specify
>>
>> (user-account
>>    ...
>>    (configuration (local-file "my-home-config.scm")))
>>
>> for example (it should be possible to use either (home-configuration)
>> or a file-like object here).
>>
>> Hopefully this is an easy thing to accomplish, but I don't know...
>>
>
> Hi Dale,
>
> it's not easy, but doable.
>
> This topic popups from time to time, but this feature is not implemented
> yet.
>
> https://yhetil.org/guix-devel/20220706112011.77c71a94@marvid.fr/
>
> I have spare time tomorrow and can try to implement it, however Idk how
> much time will it take and if I don't finish tomorrow, there is no
> guarantee that I'll finish it anytime soon.

I built home environment baked in operating system and sucessfully

deployed it with guix deploy. I face some issues with the similiar

setup on livecd, but I think I will figure out it soon and will publish

results in a few days.

The source code is here:

https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

It's drafty and will be rewritten, also there are a few local commits

that I haven't sent to guix yet, but it should work without them if

elogind is enabled.

The usage example:

Attachment: config.scm

-- 
Best regards,
Andrew Tropin

Maxime Devos wrote on 21 Jul 2022 19:25

Recipients:(name . Tissevert)(address . tissevert+guix@marvid.fr)

Message-ID:e9772bd4-f913-a22b-edbd-459c098e82f9@telenet.be

On 21-07-2022 19:13, Andrew Tropin wrote:

Toggle quote (2 lines)

> The source code is here:

> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

What's the 'guix-home-gc-roots' for? I would expect the reference 
#$(file-append he "/activate") to be sufficient to keep things from 
being gc'ed.

Toggle quote (13 lines)> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
> (start #~(make-forkexec-constructor + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
> '(#$(file-append he "/activate")) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
> #:user #$user + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
> #:environment-variables + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))

I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
already internally by /activate, you could consider doing it in a 
container to reduce potential irreproducibility, or insecurity on 
multi-user systems (I'd assume the #:user + #:group to be sufficient for 
security, especially if it appears sufficient for other system services, 
but I'm not some expert on what things need to be set).

Toggle quote (7 lines)> + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
> (one-shot? #t) + 
> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
> (auto-start? #f)

Wouldn't it then be possible for the user to login via the login manager 
before initialisation has completed, as gdm etc don't wait for 
guix-home-... currently?

Greetings,
Maxime.

Attachment: file

Attachment: OpenPGP_0x49E3EE22191725EE.asc

Attachment: OpenPGP_signature

Andrew Tropin wrote on 26 Jul 2022 11:23

Recipients:(name . Tissevert)(address . tissevert+guix@marvid.fr)

Message-ID:87sfmo8byh.fsf@trop.in

On 2022-07-21 19:25, Maxime Devos wrote:

Toggle quote (9 lines)

> On 21-07-2022 19:13, Andrew Tropin wrote:

>> The source code is here:

>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9

> What's the 'guix-home-gc-roots' for? I would expect the reference

> #$(file-append he "/activate") to be sufficient to keep things from

> being gc'ed.

It was needed while I was testing manual activation without shepherd

service, not needed anymore, already removed it locally.

Toggle quote (21 lines)>
>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
>> (start #~(make-forkexec-constructor + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
>> '(#$(file-append he "/activate")) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
>> #:user #$user + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
>> #:environment-variables + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
> already internally by /activate, you could consider doing it in a 
> container to reduce potential irreproducibility, or insecurity on 
> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
> security, especially if it appears sufficient for other system services, 
> but I'm not some expert on what things need to be set).
>

It's not set by /activate.

Toggle quote (11 lines)>> + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
>> (one-shot? #t) + 
>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
>> (auto-start? #f)
> Wouldn't it then be possible for the user to login via the login manager 
> before initialisation has completed, as gdm etc don't wait for 
> guix-home-... currently?

You are right, the same as the first one, needed for more manual

approach, changed to #t, thank you.

Three patches for this service to work is on the way on guix-patches.

In the meantime, will try to build livecd with the home environment

inside.

P.S. Probably this system service is far from final version of this

feature, I still think about making home-environment a part of

user-account. Will evaluate pros and cons, after I get livecd built

successfully.

Best regards,

Andrew Tropin

Andrew Tropin wrote on 8 Feb 2023 14:42

Recipients:(name . Tissevert)(address . tissevert+guix@marvid.fr)

Message-ID:87h6vw1des.fsf@trop.in

On 2022-07-26 12:23, Andrew Tropin wrote:

Toggle quote (60 lines)> On 2022-07-21 19:25, Maxime Devos wrote:
>
>> On 21-07-2022 19:13, Andrew Tropin wrote:
>>
>>> The source code is here:
>>> https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9
>>
>> What's the 'guix-home-gc-roots' for? I would expect the reference 
>> #$(file-append he "/activate") to be sufficient to keep things from 
>> being gc'ed.
>
> It was needed while I was testing manual activation without shepherd
> service, not needed anymore, already removed it locally.
>
>>
>>> + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-23> 
>>> (start #~(make-forkexec-constructor + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-24> 
>>> '(#$(file-append he "/activate")) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-25> 
>>> #:user #$user + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-26> 
>>> #:environment-variables + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-27> 
>>> (list (string-append "HOME=" (passwd:dir (getpw #$user)))) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-28> 
>>> #:group (group:name (getgrgid (passwd:gid (getpw #$user))))))
>> I'm wondering if GUIX_LOCPATH is needed as well. Anyway, if not done 
>> already internally by /activate, you could consider doing it in a 
>> container to reduce potential irreproducibility, or insecurity on 
>> multi-user systems (I'd assume the #:user + #:group to be sufficient for 
>> security, especially if it appears sufficient for other system services, 
>> but I'm not some expert on what things need to be set).
>>
> It's not set by /activate.
>
>>> + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-20> 
>>> (provision (list (symbol-append 'guix-home- (string->symbol user)))) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-21> 
>>> (one-shot? #t) + 
>>> <https://git.sr.ht/~abcdw/rde/commit/c5b4097ab99309ace23e40d957e9fa1f938f97e9#gnu/services/home.scm-1-22> 
>>> (auto-start? #f)
>> Wouldn't it then be possible for the user to login via the login manager 
>> before initialisation has completed, as gdm etc don't wait for 
>> guix-home-... currently?
>
> You are right, the same as the first one, needed for more manual
> approach, changed to #t, thank you.
>
> Three patches for this service to work is on the way on guix-patches.
> In the meantime, will try to build livecd with the home environment
> inside.
>
> P.S. Probably this system service is far from final version of this
> feature, I still think about making home-environment a part of
> user-account.  Will evaluate pros and cons, after I get livecd built
> successfully.

Sorry for the long status update, some life moments are happened.

Polished all the things on Guix Home side and I can confirm that the
service works correctly and it's possible to make home-environments a
part of operating-system record.

Current very simple implementation works relatively good.  It accepts a
list of ("user" . home-env) pairs and creates a shepherd services, which
activate respective home environments.
https://git.sr.ht/~abcdw/rde/tree/9175c7b37b6861095bae4a696aa1faadf9dc572a/src/gnu/services/home.scm#L1

This is how sway graphical environment activation is implemented in rde-live image.
http://files.trop.in/rde/

I still find it not completely satisfying because activation happens
when one-shot shepherd service get started and not during system
activation, which leads to the problem mentioned by Maxim: you can login
into user's shell before home-environment activated.  I would like to
just extend system activation with calls to home activation scripts, but
it's not that straightforward because we depend on user-homes (which is
a shepherd service).

That said the guix-home system service works fine and you can already
use it, but before merging it to Guix I would like to move home
activations into system activation, which requires some work on
user-homes.  It doesn't seem to be a big task, but still require some
dedication and IDK when I get spare time for it.  Let me know if this
feature blocks you in some way, otherwise I'll keep working on it in my
own pace.

-- 
Best regards,
Andrew Tropin

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 56669@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 56669

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date