\input texinfo @c =========================================================================== @c @c This file was generated with po4a. Translate the source file. @c @c =========================================================================== @c -*-texinfo-*- @c %**start of header @setfilename guix.fr.info @documentencoding UTF-8 @documentlanguage fr @frenchspacing on @settitle Manuel de référence de GNU Guix @c %**end of header @include version-fr.texi @c Identifier of the OpenPGP key used to sign tarballs and such. @set OPENPGP-SIGNING-KEY-ID 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 @copying Copyright @copyright{} 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès@* Copyright @copyright{} 2013, 2014, 2016 Andreas Enge@* Copyright @copyright{} 2013 Nikita Karetnikov@* Copyright @copyright{} 2014, 2015, 2016 Alex Kost@* Copyright @copyright{} 2015, 2016 Mathieu Lirzin@* Copyright @copyright{} 2014 Pierre-Antoine Rault@* Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@* Copyright @copyright{} 2015, 2016, 2017 Leo Famulari@* Copyright @copyright{} 2015, 2016, 2017, 2018 Ricardo Wurmus@* Copyright @copyright{} 2016 Ben Woodcroft@* Copyright @copyright{} 2016, 2017, 2018 Chris Marusich@* Copyright @copyright{} 2016, 2017, 2018 Efraim Flashner@* Copyright @copyright{} 2016 John Darrington@* Copyright @copyright{} 2016, 2017 Nils Gillmann@* Copyright @copyright{} 2016, 2017 Jan Nieuwenhuizen@* Copyright @copyright{} 2016 Julien Lepiller@* Copyright @copyright{} 2016 Alex ter Weele@* Copyright @copyright{} 2017, 2018 Clément Lassieur@* Copyright @copyright{} 2017 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* Copyright @copyright{} 2017 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017 Christopher Allan Webber@* Copyright @copyright{} 2017, 2018 Marius Bakke@* Copyright @copyright{} 2017 Hartmut Goebel@* Copyright @copyright{} 2017 Maxim Cournoyer@* Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@* Copyright @copyright{} 2017 George Clemmer@* Copyright @copyright{} 2017 Andy Wingo@* Copyright @copyright{} 2017, 2018 Arun Isaac@* Copyright @copyright{} 2017 nee@* Copyright @copyright{} 2018 Rutger Helling@* Copyright @copyright{} 2018 Oleg Pykhalov@* Copyright @copyright{} 2018 Mike Gerwitz@* Copyright @copyright{} 2018 Pierre-Antoine Rouby Vous avez la permission de copier, distribuer ou modifier ce document sous les termes de la Licence GNU Free Documentation, version 1.3 ou toute version ultérieure publiée par la Free Software Foundation ; sans section invariante, texte de couverture et sans texte de quatrième de couverture. Une copie de la licence est incluse dans la section intitulée « GNU Free Documentation License ». @end copying @dircategory Administration système @direntry * Guix: (guix.fr). Gérer les logiciels installés et la configuration du système. * guix package : (guix.fr)Invoquer guix package. Intaller, supprimer et mettre à jour des paquets. * guix gc : (guix.fr)Invoquer guix gc. Récupérer de l'espace disque inutilisé. * guix pull : (guix.fr)Invoquer guix pull. Mettre à jour la liste des paquets disponibles. * guix system : (guix.fr)Invoquer guix system. Gérer la configuration du système d'exploitation. @end direntry @dircategory Développement logiciel @direntry * guix environment : (guix.fr)Invoquer guix environment. Construire des environnements de construction avec Guix. * guix build : (guix.fr)Invoquer guix build. Construire des paquets. * guix pack : (guix.fr) Invoquer guix pack. Créer des lots binaires. @end direntry @titlepage @title Manuel de référence de GNU Guix @subtitle Utiliser le gestionnaire de paquet fonctionnel GNU Guix @author Les développeurs de GNU Guix @page @vskip 0pt plus 1filll Édition @value{EDITION} @* @value{UPDATED} @* @insertcopying @end titlepage @contents @c ********************************************************************* @node Top @top GNU Guix Cette documentation décrit GNU Guix version @value{VERSION}, un outil de gestion de paquets fonctionnel écrit pour le système GNU@. @menu * Introduction:: Qu'est-ce que Guix ? * Installation:: Installer Guix. * Gestion de paquets:: Installation des paquets, mises à jour, etc. * Interface de programmation:: Utiliser Guix en Scheme. * Utilitaires:: Commandes de gestion de paquets. * Distribution GNU:: Des logiciels pour un système GNU convivial. * Contribuer:: Nous avons besoin de votre aide ! * Remerciements:: Merci ! * La licence GNU Free Documentation:: La licence de ce manuel. * Index des concepts:: Les concepts. * Index de programmation:: Types de données, fonctions et variables. @detailmenu --- Liste détaillée des nœuds --- Installation * Installation binaire:: Commencer à utiliser Guix en un rien de temps ! * Prérequis:: Logiciels requis pour construire et lancer Guix. * Lancer la suite de tests:: Tester Guix. * Paramétrer le démon:: Préparer l'environnement du démon de construction. * Invoquer guix-daemon:: Lancer le démon de construction. * Réglages applicatifs:: Réglages spécifiques pour les application. Paramétrer le démon * Réglages de l'environnement de construction:: Préparer l'environnement de construction isolé. * Réglages du délestage du démon:: Envoyer des constructions à des machines distantes. * Support de SELinux:: Utiliser une politique SELinux pour le démon. Gestion de paquets * Fonctionnalités:: Comment Guix va rendre votre vie plus heureuse. * Invoquer guix package:: Installation, suppression, etc.@: de paquets. * Substituts:: Télécharger des binaire déjà construits. * Des paquets avec plusieurs résultats:: Un seul paquet source, plusieurs résultats. * Invoquer guix gc:: Lancer le ramasse-miettes. * Invoquer guix pull:: Récupérer la dernière version de Guix et de la distribution. * Invoquer guix pack:: Créer des lots de logiciels. * Invoquer guix archive:: Exporter et importer des fichiers du dépôt. Substituts * Serveur de substituts officiel:: Une source particulière de substituts. * Autoriser un serveur de substituts:: Comment activer ou désactiver les substituts. * Authentification des substituts:: Coment Guix vérifie les substituts. * Paramètres de serveur mandataire:: Comment récupérer des substituts à travers un serveur mandataire. * Échec de substitution:: Qu'arrive-t-il quand la substitution échoue. * De la confiance en des binaires:: Comment pouvez-vous avoir confiance en un paquet binaire ? Interface de programmation * Définition des paquets:: Définir de nouveaux paquets. * Systèmes de construction:: Spécifier comment construire les paquets. * Le dépôt:: Manipuler le dépôt de paquets. * Dérivations:: Interface de bas-niveau avec les dérivations de paquets. * La monad du dépôt:: Interface purement fonctionnelle avec le dépôt. * G-Expressions:: Manipuler les expressions de construction. Définition des paquets * Référence de paquet :: Le type de donnée des paquets. * Référence d'origine:: Le type de données d'origine. Utilitaires * Invoquer guix build:: Construire des paquets depuis la ligne de commande. * Invoquer guix edit:: Modifier les définitions de paquets. * Invoquer guix download:: Télécharger un fichier et afficher son hash. * Invoquer guix hash:: Calculer le hash cryptographique d'un fichier. * Invoquer guix import:: Importer des définitions de paquets. * Invoquer guix refresh:: Mettre à jour les définitions de paquets. * Invoquer guix lint:: Trouver des erreurs dans les définitions de paquets. * Invoquer guix size:: Profiler l'utilisation du disque. * Invoquer guix graph:: Visualiser le graphe des paquets. * Invoquer guix environment:: Mettre en place des environnements de développement. * Invoquer guix publish:: Partager des substituts. * Invoquer guix challenge:: Défier les serveurs de substituts. * Invoquer guix copy:: Copier vers et depuis un dépôt distant. * Invoquer guix container:: Isolation de processus. * Invoquer guix weather:: Mesurer la disponibilité des substituts. Invoquer @command{guix build} * Options de construction communes:: Options de construction pour la plupart des commandes. * Options de transformation de paquets:: Créer des variantes de paquets. * Options de construction supplémentaires:: Options spécifiques à « guix build ». * Débogage des échecs de construction:: La vie d'un empaqueteur. Distribution GNU * Installation du système:: Installer le système d'exploitation complet. * Configuration système:: Configurer le système d'exploitation. * Documentation:: Visualiser les manuels d'utilisateur des logiciels. * Installer les fichiers de débogage:: Nourrir le débogueur. * Mises à jour de sécurité:: Déployer des correctifs de sécurité rapidement. * Modules de paquets:: Les paquets du point de vu du programmeur. * Consignes d'empaquetage:: Faire grandir la distribution. * Bootstrapping:: GNU/Linux depuis zéro. * Porter:: Cibler une autre plateforme ou un autre noyau. Installation du système * Limitations:: Ce à quoi vous attendre. * Considérations matérielles:: Matériel supporté. * Installation depuis une clef USB ou un DVD:: Préparer le média d'installation. * Préparer l'installation:: Réseau, partitionnement, etc. * Effectuer l'installation:: Pour de vrai. * Installer GuixSD dans une VM:: Jouer avec GuixSD@. * Construire l'image d'installation:: D'où vient tout cela. Configuration système * Utiliser le système de configuration:: Personnaliser votre système GNU@. * Référence de système d'exploitation:: Détail sur la déclaration de système d'exploitation. * Systèmes de fichiers:: Configurer les montages de systèmes de fichiers. * Périphériques mappés:: Gestion des périphériques de bloc. * Comptes utilisateurs:: Spécifier des comptes utilisateurs. * Régionalisation:: Paramétrer la langue et les conventions culturelles. * Services:: Spécifier les services du système. * Programmes setuid:: Programmes tournant avec les privilèges root. * Certificats X.509:: Authentifier les serveurs HTTPS@. * Name Service Switch:: Configurer le « name service switch » de la libc. * Disque de RAM initial:: Démarrage de Linux-Libre. * Configuration du chargeur d'amorçage:: Configurer le chargeur d'amorçage. * Invoquer guix system:: Instantier une configuration du système. * Lancer GuixSD dans une VM:: Comment lancer GuixSD dans une machine virtuelle. * Définir des services:: Ajouter de nouvelles définitions de services. Services * Services de base:: Services systèmes essentiels. * Exécution de tâches planifiées:: Le service mcron. * Rotation des journaux:: Le service rottlog. * Services réseau:: Paramétres réseau, démon SSH, etc. * Système de fenêtrage X:: Affichage graphique. * Services d'impression:: Support pour les imprimantes locales et distantes. * Services de bureaux:: D-Bus et les services de bureaux. * Services de son:: Services ALSA et Pulseaudio. * Services de bases de données:: Bases SQL, clefs-valeurs, etc. * Services de courriels:: IMAP, POP3, SMTP, et tout ça. * Services de messagerie:: Services de messagerie. * Services de téléphonie:: Services de téléphonie. * Services de surveillance:: Services de surveillance. * Services Kerberos:: Services Kerberos. * Services web:: Services web. * Services de certificats:: Certificats TLS via Let's Encrypt. * Services DNS:: Démons DNS@. * Services VPN:: Démons VPN * Système de fichiers en réseau:: Services liés à NFS@. * Intégration continue:: Le service Cuirass. * Services de gestion de l'énergie:: L'outil TLP@. * Services audio:: MPD@. * Services de virtualisation:: Services de virtualisation. * Services de contrôle de version:: Fournit des accès distants à des dépôts Git. * Services de jeu:: Serveurs de jeu. * Services divers:: D'autres services. Définir des services * Composition de services:: Le modèle de composition des services. * Types service et services:: Types et services. * Référence de service:: Référence de l'API@. * Services Shepherd:: Un type de service particulier. Consignes d'empaquetage * Liberté logiciel:: Ce que la distribution peut contenir. * Conventions de nommage:: Qu'est-ce qu'un bon nom ? * Numéros de version:: Lorsque le nom n'est pas suffisant. * Synopsis et descriptions:: Aider les utilisateurs à trouver le bon paquet. * Modules python:: Un peu de comédie anglaise. * Modules perl:: Petites perles. * Paquets java:: Pause café. * Polices de caractères:: À fond les fontes. Contribuer * Construire depuis Git:: toujours le plus récent. * Lancer Guix avant qu'il ne soit installé:: Astuces pour les hackers. * La configuration parfaite:: Les bons outils. * Style de code:: Hygiène du contributeur. * Envoyer des correctifs:: Partager votre travail. Style de code * Paradigme de programmation:: Comment composer vos éléments. * Modules:: Où stocker votre code ? * Types de données et reconnaissance de motif:: Implémenter des structures de données. * Formatage du code:: Conventions d'écriture. @end detailmenu @end menu @c ********************************************************************* @node Introduction @chapter Introduction @cindex but GNU Guix@footnote{« Guix » se prononce comme « geeks » (en prononçant le « s »), ou « ɡiːks » dans l'alphabet phonétique international (API).} est un outil de gestion de paquets pour le système GNU@. Guix facilite pour les utilisateurs non privilégiés l'installation, la mise à jour et la suppression de paquets, la restauration à un ensemble de paquets précédent, la construction de paquets depuis les sources et plus généralement aide à la création et à la maintenance d'environnements logiciels. @cindex interfaces utilisateurs Guix fournit une interface de gestion des paquets par la ligne de commande (@pxref{Invoquer guix package}), un ensemble d'utilitaires en ligne de commande (@pxref{Utilitaires}) ainsi que des interfaces de programmation Scheme (@pxref{Interface de programmation}). @cindex démon de construction Son @dfn{démon de construction} est responsable de la construction des paquets pour les utilisateurs (@pxref{Paramétrer le démon}) et du téléchargement des binaires pré-construits depuis les sources autorisées (@pxref{Substituts}). @cindex extensibilité de la distribution @cindex personnalisation, des paquets Guix contient de nombreuses définitions de paquet GNU et non-GNU qui respectent tous les @uref{https://www.gnu.org/philosophy/free-sw.fr.html, libertés de l'utilisateur}. Il est @emph{extensible} : les utilisateurs peuvent écrire leurs propres définitions de paquets (@pxref{Définition des paquets}) et les rendre disponibles dans des modules de paquets indépendants (@pxref{Modules de paquets}). Il est aussi @emph{personnalisable} : les utilisateurs peuvent @emph{dériver} des définitions de paquets spécialisées à partir de définitions existantes, même depuis la ligne de commande (@pxref{Options de transformation de paquets}). @cindex Distribution Système Guix @cindex GuixSD Vous pouvez installer GNU@tie{}Guix sur un système GNU/Linux existant pour compléter les outils disponibles sans interférence (@pxref{Installation}) ou vous pouvez l'utiliser à travers la @dfn{Distribution Système Guix} ou GuixSD (@pxref{Distribution GNU}) distincte. Avec GNU@tie{}GuixSD, vous @emph{déclarez} tous les aspects de la configuration du système d'exploitation et Guix s'occupe de créer la configuration d'une manière transactionnelle, reproductible et sans état (@pxref{Configuration système}). @cindex gestion de paquet fonctionnelle Sous le capot, Guix implémente la discipline de @dfn{gestion de paquet fonctionnel} inventé par Nix (@pxref{Remerciements}). Dans Guix le processus de construction et d'installation des paquets est vu comme une @emph{fonction} dans le sens mathématique du terme. Cette fonction a des entrées (comme des scripts de construction, un compilateur et des bibliothèques) et renvoie un paquet installé. En tant que fonction pure, son résultat ne dépend que de ses entrées. Par exemple, il ne peut pas faire référence à des logiciels ou des scripts qui n'ont pas été explicitement passés en entrée. Une fonction de construction produit toujours le même résultat quand on lui donne le même ensemble d'entrée. Elle ne peut pas modifier l'environnement du système en cours d'exécution d'aucune manière ; par exemple elle ne peut pas créer, modifier ou supprimer des fichiers en dehors de ses répertoires de construction et d'installation. Ce résultat s'obtient en lançant les processus de construction dans des environnements isolés (ou des @dfn{conteneurs}) où seules les entrées explicites sont visibles. @cindex dépôt Le résultat des fonctions de construction de paquets est mis en @dfn{cache} dans le système de fichier, dans répertoire spécial appelé le @dfn{dépôt} (@pxref{Le dépôt}). Chaque paquet est installé dans son répertoire propre dans le dépôt — par défaut dans @file{/gnu/store}. Le nom du répertoire contient un hash de toutes les entrées utilisées pour construire le paquet ; ainsi, changer une entrée donnera un nom de répertoire différent. Cette approche est le fondement des fonctionnalités les plus importante de Guix : le support des mises à jour des paquets et des retours en arrière transactionnels, l'installation différenciée par utilisateur et le ramassage de miettes pour les paquets (@pxref{Fonctionnalités}). @c ********************************************************************* @node Installation @chapter Installation @cindex installer Guix GNU Guix est disponible au téléchargement depuis son site web sur @url{http://www.gnu.org/software/guix/}. Cette section décrit les pré-requis logiciels de Guix ainsi que la manière de l'installer et de se préparer à l'utiliser. Remarquez que cette section concerne l'installation du gestionnaire de paquet, ce qui se fait sur un système GNU/Linux en cours d'exécution. Si vous souhaitez plutôt installer le système d'exploitation GNU complet, @pxref{Installation du système}. @cindex distro extérieure Lorsqu'il est installé sur an système GNU/Linux existant — ci-après nommé @dfn{distro extérieure} — GNU@tie{}Guix complète les outils disponibles sans interférence. Ses données se trouvent exclusivement dans deux répertoires, typiquement @file{/gnu/store} et @file{/var/guix} ; les autres fichiers de votre système comme @file{/etc} sont laissés intacts. Une fois installé, Guix peut être mis à jour en lançant @command{guix pull} (@pxref{Invoquer guix pull}). @menu * Installation binaire:: Commencer à utiliser Guix en un rien de temps ! * Prérequis:: Logiciels requis pour construire et lancer Guix. * Lancer la suite de tests:: Tester Guix. * Paramétrer le démon:: Préparer l'environnement du démon de construction. * Invoquer guix-daemon:: Lancer le démon de construction. * Réglages applicatifs:: Réglages spécifiques pour les application. @end menu @node Installation binaire @section Installation binaire @cindex installer Guix depuis les binaires Cette section décrit comment intaller Guix sur un système quelconque depuis un archive autonome qui fournit les binaires pour Guix et toutes ses dépendances. C'est souvent plus rapide que d'installer depuis les sources, ce qui est décrit dans les sections suivantes. Le seul pré-requis est d'avoir GNU@tie{}tar et Xz. Nous fournissons un script @uref{https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh, script d'intallation shell} qui automatise le téléchargement, l'installation et la configuration initiale de Guix. Il devrait être lancé en tant qu'utilisateur root. L'installation se comme ceci : @enumerate @item @cindex téléchargement du Guix binaire Téléchargez l'archive binaire depuis @indicateurl{ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{système}.tar.xz}, où @var{système} est @code{x86_64-linux} pour une machine @code{x86_64} sur laquelle tourne déjà le noyau Linux, etc. @c The following is somewhat duplicated in ``System Installation''. Assurez-vous de télécharger le fichier @file{.sig} associé et de vérifier l'authenticité de l'archive avec, comme ceci : @example $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{système}.tar.xz.sig $ gpg --verify guix-binary-@value{VERSION}.@var{système}.tar.xz.sig @end example Si cette commande échoue parce que vous n'avez pas la clef publique requise, lancez cette commande pour l'importer : @example $ gpg --keyserver pgp.mit.edu --recv-keys @value{OPENPGP-SIGNING-KEY-ID} @end example @noindent @c end authentication part et relancez la commande @code{gpg --verify}. @item Maintenant, vous devez devenir l'utilisateur @code{root}. En fonction de votre distribution, vous devrez lancer @code{su -} ou @code{sudo -i}. En tant que @code{root}, lancez : @example # cd /tmp # tar --warning=no-timestamp -xf \ guix-binary-@value{VERSION}.@var{système}.tar.xz # mv var/guix /var/ && mv gnu / @end example Cela crée @file{/gnu/store} (@pxref{Le dépôt}) and @file{/var/guix}. Ce deuxième dossier contient un profil pret à être utilisé pour @code{root} (voir les étapes suivantes). Ne décompressez @emph{pas} l'archive sur un système Guix lancé car cela écraserait ses propres fichiers essentiels. L'option @code{--warning=no-timestamp} s'assure que GNU@tie{}tar ne produise pas d'avertissement disant que « l'horodatage est trop vieux pour être plausible » (ces avertissements étaient produits par GNU@tie{}tar 1.26 et précédents ; les versions récentes n'ont pas ce problème). Cela vient du fait que les fichiers de l'archive ont pour date de modification zéro (ce qui signifie le 1er janvier 1970). C'est fait exprès pour s'assurer que le contenu de l'archive ne dépende pas de la date de création, ce qui la rend reproductible. @item Rendez le profil de @code{root} disponible sous @file{~root/.guix-profile} : @example # ln -sf /var/guix/profiles/per-user/root/guix-profile \ ~root/.guix-profile @end example Sourcez @file{etc/profile} pour augmenter @code{PATH} et les autres variables d'environnement nécessaires : @example # GUIX_PROFILE="`echo ~root`/.guix-profile" ; \ source $GUIX_PROFILE/etc/profile @end example @item Créez le groupe et les comptes utilisateurs pour les utilisateurs de construction comme expliqué plus loin (@pxref{Réglages de l'environnement de construction}). @item Lancez le démon et paramétrez-le pour démarrer automatiquement au démarrage. Si votre distribution hôte utilise le système d'initialisation systemd, cela peut se faire avec ces commandes : @c Versions of systemd that supported symlinked service files are not @c yet widely deployed, so we should suggest that users copy the service @c files into place. @c @c See this thread for more information: @c http://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html @example # cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \ /etc/systemd/system/ # systemctl start guix-daemon && systemctl enable guix-daemon @end example Si votre distribution hôte utilise le système d'initialisation Upstart : @example # initctl reload-configuration # cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/ # start guix-daemon @end example Sinon, vous pouvez toujours démarrer le démon manuellement avec : @example # ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild @end example @item Rendez la commande @command{guix} disponible pour les autres utilisateurs sur la machine, par exemple avec : @example # mkdir -p /usr/local/bin # cd /usr/local/bin # ln -s /var/guix/profiles/per-user/root/guix-profile/bin/guix @end example C'est aussi une bonne idée de rendre la version Info de ce manuel disponible ici : @example # mkdir -p /usr/local/share/info # cd /usr/local/share/info # for i in /var/guix/profiles/per-user/root/guix-profile/share/info/* ; do ln -s $i ; done @end example Comme cela, en supposant que @file{/usr/local/share/info} est dans le chemin de recherche, lancer @command{info guix} ouvrira ce manuel (@pxref{Other Info Directories,,, texinfo, GNU Texinfo}, pour plus de détails sur comment changer le chemin de recherche de Info). @item @cindex substituts, autorisations Pour utiliser les substituts de @code{hydra.gnu.org} ou l'un de ses mirroirs (@pxref{Substituts}), autorisez-les : @example # guix archive --authorize < ~root/.guix-profile/share/guix/hydra.gnu.org.pub @end example @item Chaque utilisateur peut avoir besoin d'effectuer des étapes supplémentaires pour que leur environnement Guix soit prêt à être utilisé, @pxref{Réglages applicatifs}. @end enumerate Voilà, l'installation est terminée ! Vous pouvez confirmer que Guix fonctionne en installant un paquet d'exemple dans le profil de root : @example # guix package -i hello @end example Le paquet @code{guix} doit rester disponible dans le profil de @code{root} ou il pourrait être sujet au ramassage de miettes — dans ce cas vous vous retrouveriez gravement handicapé par l'absence de la commande @command{guix}. En d'autres termes, ne supprimez pas @code{guix} en lançant @code{guix package -r guix}. L'archive d'installation binaire peut être (re)produite et vérifiée simplement en lançaint la commande suivante dans l'arborescence des sources de Guix : @example make guix-binary.@var{system}.tar.xz @end example @noindent … ce qui à son tour lance : @example guix pack -s @var{system} --localstatedir guix @end example @xref{Invoquer guix pack}, pour plus d'info sur cet outil pratique. @node Prérequis @section Prérequis Cette section dresse la liste des pré-requis pour la construction de Guix depuis les sources. La procédure de construction pour Guix est la même que pour les autres logiciels GNU, et n'est pas expliquée ici. Regardez les fichiers @file{README} et @file{INSTALL} dans l'arborescence des sources de Guix pour plus de détails. GNU Guix dépend des paquets suivants : @itemize @item @url{http://gnu.org/software/guile/, GNU Guile}, version 2.0.13 ou ultérieure, dont 2.2.x, @item @url{http://gnupg.org/, GNU libgcrypt}, @item @uref{http://gnutls.org/, GnuTLS}, en particulier ses liaisons Guile (@pxref{Guile Preparations, how to install the GnuTLS bindings for Guile,, gnutls-guile, GnuTLS-Guile}), @item @c FIXME: Specify a version number once a release has been made. @uref{https://notabug.org/civodul/guile-sqlite3, Guile-SQLite3} ; @item @c FIXME: Specify a version number once a release has been made. @uref{https://gitlab.com/guile-git/guile-git, Guile-Git}, d'août 2017 ou ultérieur, @item @url{http://zlib.net, zlib}, @item @url{http://www.gnu.org/software/make/, GNU Make}. @end itemize Les dépendances suivantes sont facultatives : @itemize @item Installer @url{http://savannah.nongnu.org/projects/guile-json/, Guile-JSON} vous permettra d'utiliser la commande @command{guix import pypi} (@pxref{Invoquer guix import}). Il est surtout utile pour les développeurs et pas pour les utilisateurs occasionnels. @item @c Note: We need at least 0.10.2 for 'channel-send-eof'. Le support pour la décharge de construction (@pxref{Réglages du délestage du démon}) et @command{guix copy} (@pxref{Invoquer guix copy}) dépend de @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH}, version 0.10.2 ou ulltérieure. @item Lorsque @url{http://www.bzip.org, libbz2} est disponible, @command{guix-daemon} peut l'utiliser pour compresser les journaux de construction. @end itemize À moins que @code{--disable-daemon} ne soit passé à @command{configure}, les paquets suivants sont aussi requis : @itemize @item @url{http://sqlite.org, SQLite 3}, @item @url{http://gcc.gnu.org, GCC's g++}, avec le support pour le standard C++11. @end itemize @cindex répertoire d'état Lorsque vous configurez Guix sur un système qui a déjà une installation de Guix, assurez-vous de spécifier le même répertoire d'état que l'installation existante avec l'option @code{--localstatedir} du script @command{configure} (@pxref{Directory Variables, @code{localstatedir},, standards, GNU Coding Standards}). Le script @command{configure} vous protège des mauvaises configurations involontaires de @var{localstatedir} pour éviter que vous ne corrompiez votre dépôt (@pxref{Le dépôt}). @cindex Nix, compatibilité Lorsque vous avez une installation fonctionnelle du @url{http://nixos.org/nix/, gestionnaire de paquets Nix}, vous pouvez configurer Guix avec @code{--disable-daemon}. Dan ce cas, Nix remplace les trois dépendances au dessus. Guix est compatible avec Nix, donc il est possible de partager le même dépôt entre les deux. Pour cela, vous devez passer à @command{configure} non seulement la même valeur de @code{--with-store-dir} mais aussi la même valeur de @code{--localstatedir}. Cette dernière est nécessaires car elle spécifie l'emplacement de la base de données qui stocke les métadonnées sur le dépôt, entre autres choses. Les valeurs par défaut pour Nix sont @code{--with-store-dir=/nix/store} et @code{--localstatedir=/nix/var}. Remarquez que @code{--disable-daemon} n'est pas requis si votre but est de partager le dépôt avec Nix. @node Lancer la suite de tests @section Lancer la suite de tests @cindex suite de tests Après avoir lancé @command{configure} et @code{make} correctement, c'est une bonne idée de lancer la suite de tests. Elle peut aider à trouver des erreurs avec la configuration ou l'environnement, ou des bogues dans Guix lui-même — et vraiment, rapporter des échecs de tests est une bonne manière d'aider à améliorer le logiciel. Pour lancer la suite de tests, tapez : @example make check @end example Les cas de tests peuvent être lancés en parallèle : vous pouvez utiliser l'option @code{-j} de GNU@tie{}make pour accélérer les choses. Le premier lancement peut prendre plusieurs minutes sur une machine récente ; les lancements suivants seront plus rapides car le dépôt créé pour les tests aura déjà plusieurs choses en cache. Il est aussi possible de lancer un sous-ensemble des tests en définissant la variable makefile @code{TESTS} comme dans cet exemple : @example make check TESTS="tests/store.scm tests/cpio.scm" @end example Par défaut, les résultats des tests sont affichés au niveau du fichier. Pour voir les détails de chaque cas de test individuel, il est possible de définire la variable makefile @code{SCM_LOG_DRIVER_FLAGS} comme dans cet exemple : @example make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no" @end example Après un échec, envoyez un courriel à @email{bug-guix@@gnu.org} et attachez le fichier @file{test-suite.log}. Précisez la version de Guix utilisée ainsi que les numéros de version de ses dépendances (@pxref{Prérequis}) dans votre message. Guix possède aussi une suite de tests de systèmes complets qui test des instances complètes du système d'exploitation GuixSD@. Elle ne peut être lancée qui sur un système où Guix est déjà installé, avec : @example make check-system @end example @noindent Ou, de nouveau, en définissant @code{TESTS} pour choisir un sous-ensemble des tests à lancer : @example make check-system TESTS="basic mcron" @end example Ces tests systèmes sont définis dans les modules @code{(gnu tests @dots{})}. Ils fonctionnent en lançant les systèmes d'exploitation sous test avec une instrumentation légère dans une machine virtuelle (VM). Ils peuvent être intenses en terme de calculs ou plutôt rapides en fonction de la disponibilité des substituts de leurs dépendances (@pxref{Substituts}). Certains requièrent beaucoup d'espace disque pour contenir les images des VM@. De nouveau, en cas d'échec, envoyez tous les détails à @email{bug-guix@@gnu.org}. @node Paramétrer le démon @section Paramétrer le démon @cindex démon Les opérations comme la construction d'un paquet ou le lancement du ramasse-miettes sont toutes effectuées par un processus spécialisé, le @dfn{démon de construction}, pour le compte des clients. Seul le démon peut accéder au dépôt et à sa base de données associée. Ainsi, toute opération manipulant le dépôt passe par le démon. Par exemple, les outils en ligne de commande comme @command{guix package} et @command{guix build} communiquent avec le démon (@i{via} des appels de procédures distantes) pour lui dire quoi faire. Les sections suivantes expliquent comment préparer l'environnement du démon de construction. Voir aussi @ref{Substituts} pour apprendre comment permettre le téléchargement de binaires pré-construits. @menu * Réglages de l'environnement de construction:: Préparer l'environnement de construction isolé. * Réglages du délestage du démon:: Envoyer des constructions à des machines distantes. * Support de SELinux:: Utiliser une politique SELinux pour le démon. @end menu @node Réglages de l'environnement de construction @subsection Réglages de l'environnement de construction @cindex environnement de construction Dans une installation standard multi-utilisateurs, Guix et son démon — le programme @command{guix-daemon} — sont installé par l'administrateur système ; @file{/gnu/store} appartient à @code{root} et @command{guix-daemon} est lancé en @code{root}. Les utilisateurs non-privilégiés peuvent utiliser les outils Guix pour construire des paquets ou accéder au dépôt et le démon le fera pour leur compte en s'assurant que le dépôt garde un état cohérent et permet le partage des paquets déjà construits entre les utilisateurs. @cindex utilisateurs de construction Alors que @command{guix-daemon} tourne en @code{root}, vous n'avez pas forcément envie que les processus de construction de paquets tournent aussi en @code{root}, pour des raisons de sécurité évidentes. Pour éviter cela, vous devriez créer une réserve spéciale d'@dfn{utilisateurs de construction} que les processus de construction démarrés par le démon utiliseront. Ces utilisateurs de construction n'ont pas besoin d'un shell ou d'un répertoire personnel ; ils seront seulement utilisés quand le démon délaissera ses privilèges @code{root} dans les processus de construction. En ayant plusieurs de ces utilisateurs, vous permettez au démon de lancer des processus de construction distincts sous des UID différent, ce qui garanti qu'aucune interférence n'ait lieu entre les uns et les autres — une fonctionnalité essentielle puisque les constructions sont supposées être des fonctions pures (@pxref{Introduction}). Sur un système GNU/Linux, on peut créer une réserve d'utilisateurs de construction comme ceci (avec la syntaxe Bash et les commandes @code{shadow}) : @c See http://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html @c for why `-G' is needed. @example # groupadd --system guixbuild # for i in `seq -w 1 10`; do useradd -g guixbuild -G guixbuild \ -d /var/empty -s `which nologin` \ -c "Utilisateur de construction Guix $i" --system \ guixbuilder$i; done @end example @noindent Le nombre d'utilisateurs de construction détermine le nombre de tâches de constructions qui peuvent tourner en parallèle, tel que spécifié par l'option @option{--max-jobs} (@pxref{Invoquer guix-daemon, @option{--max-jobs}}). Pour utiliser @command{guix system vm} et les commandes liées, vous devrez ajouter les utilisateurs de construction au groupe @code{kvm} pour qu'ils puissent accéder à @file{/dev/kvm} avec @code{-G guixbuild,kvm} plutôt que @code{-G guixbuild} (@pxref{Invoquer guix system}). Le programme @code{guix-daemon} peut ensuite être lancé en @code{root} avec la commande suivante@footnote{Si votre machine utilise le système d'initialisation systemd, copiez le fichier @file{@var{prefix}/lib/systemd/system/guix-daemon.service} dans @file{/etc/systemd/system} pour vous assurer que @command{guix-daemon} est démarré automatiquement. De même, si votre machine utilise le système d'initialisation Upstart, copiez le fichier @file{@var{prefix}/lib/upstart/system/guix-daemon.conf} dans @file{/etc/init}.} : @example # guix-daemon --build-users-group=guixbuild @end example @cindex chroot @noindent De cette façon, le démon démarre les processus de construction dans un chroot, sous un des utilisateurs @code{guixbuilder}. Sur GNU/Linux par défaut, l'environnement chroot ne contient rien d'autre que : @c Keep this list in sync with libstore/build.cc! ----------------------- @itemize @item un répertoire @code{/dev} minimal, créé presque indépendamment du @code{/dev} de l'hôte@footnote{« presque », parce que même si l'ensemble des fichiers qui apparaissent dans le @code{/dev} du chroot sont déterminés à l'avance, la plupart de ces fichiers ne peut pas être créée si l'hôte ne les a pas.} ; @item le répertoire @code{/proc} ; il ne montre que les processus du conteneur car on utilise une espace de nom séparé pour les PID ; @item @file{/etc/passwd} avec une entrée pour l'utilisateur actuel et une entrée pour l'utilisateur @file{nobody} ; @item @file{/etc/group} avec une entrée pour le groupe de l'utilisateur ; @item @file{/etc/hosts} avec une entrée qui fait correspondre @code{localhost} à @code{127.0.0.1} ; @item un répertoire @file{/tmp} inscriptible. @end itemize Vous pouvez influencer le répertoire où le démon stocke les arbres de construction @i{via} la variable d'environnement @code{TMPDIR}. Cependant, l'arbre de construction dans le chroot sera toujours appelé @file{/tmp/guix-build-@var{nom}.drv-0}, où @var{nom} est le nom de la dérivation — p.@: ex.@: @code{coreutils-8.24}. De cette façon, la valeur de @code{TMPDIR} ne fuite pas à l'intérieur des environnements de construction, ce qui évite des différences lorsque le processus de construction retient le nom de leur répertoire de construction. @vindex http_proxy Le démon tient aussi compte de la variable d'environnement @code{http_proxy} pour ses téléchargements HTTP, que ce soit pour les dérivations à sortie fixes (@pxref{Dérivations}) ou pour les substituts (@pxref{Substituts}). Si vous installez Guix en tant qu'utilisateur non-privilégié, il est toujours possible de lancer @command{guix-daemon} si vous passez @code{--disable-chroot}. Cependant, les processus de construction ne seront pas isolés les uns des autres ni du reste du système. Ainsi les processus de construction peuvent interférer les uns avec les autres, et peuvent accéder à des programmes, des bibliothèques et d'autres fichiers présents sur le système — ce qui rend plus difficile de les voir comme des fonctions @emph{pures}. @node Réglages du délestage du démon @subsection Utiliser le dispositif de déchargement @cindex déchargement @cindex crochet de construction Si vous le souhaitez, le démon de construction peut @dfn{décharger} des constructions de dérivations sur d'autres machines Guix avec le @dfn{crochet de construction} @code{offload}@footnote{Cette fonctionnalité n'est disponible que si @uref{https://github.com/artyom-poptsov/guile-ssh, Guile-SSH} est présent.}. Lorsque cette fonctionnalité est activée, Guix lit une liste de machines de constructions spécifiée par l'utilisateur dans @file{/etc/guix/machines.scm} ; à chaque fois qu'une construction est demandée, par exemple par @code{guix build}, le démon essaie de la décharger sur une des machines qui satisfont les contraintes de la dérivation, en particulier le type de système, p.@: ex.@: @file{x86_64-linux}. Les prérequis manquants pour la construction sont copiés par SSH sur la machine de construction qui procède ensuite à la construction ; si elle réussi, les sorties de la construction sont copiés vers la machine de départ. Le fichier @file{/etc/guix/machines.scm} ressemble typiquement à cela : @example (list (build-machine (name "eightysix.example.org") (system "x86_64-linux") (host-key "ssh-ed25519 AAAAC3Nza@dots{}") (user "bob") (speed 2.)) ;très rapide ! (build-machine (name "meeps.example.org") (system "mips64el-linux") (host-key "ssh-rsa AAAAB3Nza@dots{}") (user "alice") (private-key (string-append (getenv "HOME") "/.ssh/identity-for-guix")))) @end example @noindent Dans l'exemple ci-dessus nous spécifions une liste de deux machines de construction, une pour l'architecture @code{x86_64} et une pour l'architecture @code{mips64el}. En fait, ce fichier est — et ça ne devrait pas vous surprendre ! — un fichier Scheme qui est évalué au démarrage du crochet @code{offload}. Sa valeur de retour doit être une liste d'objets @code{build-machine}. Même si cet exemple montre une liste fixée de machines de construction, on pourrait imaginer par exemple utiliser DNS-SD pour renvoyer une liste de machines de constructions potentielles découvertes sur le réseau local (@pxref{Introduction, Guile-Avahi,, guile-avahi, Using Avahi in Guile Scheme Programs}). Le type de données @code{build-machine} est détaillé plus bas. @deftp {Type de données} build-machine Ce type de données représente les machines de construction sur lesquelles le démon peut décharger des constructions. Les champs importants sont : @table @code @item name Le nom d'hôte de la machine distante. @item system Le type de système de la machine distante, p.@: ex.@: @code{"x86_64-linux"}. @item user Le compte utilisateur à utiliser lors de la connexion à la machine distante par SSH@. Remarquez que la paire de clef SSH ne doit @emph{pas} être protégée par mot de passe pour permettre des connexions non-interactives. @item host-key Cela doit être la @dfn{clef d'hôte SSH publique} de la machine au format OpenSSH@. Elle est utilisée pour authentifier la machine lors de la connexion. C'est une longue chaîne qui ressemble à cela : @example ssh-ed25519 AAAAC3NzaC@dots{}mde+UhL hint@@example.org @end example Si la machine utilise le démon OpenSSH, @command{sshd}, la clef d'hôte se trouve dans un fichier comme @file{/etc/ssh/ssh_host_ed25519_key.pub}. Si la machine utilise le démon SSH de GNU@tie{}lsh, la clef d'hôte est dans @file{/etc/lsh/host-key.pub} ou un fichier similaire. Elle peut être convertie au format OpenSSH avec @command{lsh-export-key} (@pxref{Converting keys,,, lsh, LSH Manual}) : @example $ lsh-export-key --openssh < /etc/lsh/host-key.pub ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV@dots{} @end example @end table Il y a un certain nombre de champs facultatifs que vous pouvez remplir : @table @asis @item @code{port} (par défaut : @code{22}) Numéro de port du serveur SSH sur la machine. @item @code{private-key} (par défaut : @file{~root/.ssh/id_rsa}) Le fichier de clef privée à utiliser lors de la connexion à la machine, au format OpenSSH@. Remarquez que la valeur par défaut est la clef privée @emph{du compte root}. Assurez-vous qu'elle existe si vous utilisez la valeur par défaut. @item @code{compression} (par défaut : @code{"zlib@@openssh.com,zlib"}) @itemx @code{compression-level} (par défaut : @code{3}) Les méthodes de compression au niveau SSH et le niveau de compression demandé. Remarquez que le déchargement utilise la compression SSH pour réduire la bande passante utilisée lors du transfert vers et depuis les machines de construction. @item @code{daemon-socket} (par défaut : @code{"/var/guix/daemon-socket/socket"}) Le nom de fichier du socket Unix-domain sur lequel @command{guix-daemon} écoute sur cette machine. @item @code{parallel-builds} (par défaut : @code{1}) Le nombre de constructions qui peuvent tourner simultanément sur la machine. @item @code{speed} (par défaut : @code{1.0}) Un « facteur de vitesse relatif ». L'ordonnanceur des constructions tendra à préférer les machines avec un plus grand facteur de vitesse. @item @code{features} (par défaut : @code{'()}) Une liste de chaînes qui contient les fonctionnalités spécifiques supportées par la machine. Un exemple est @code{"kvm"} pour les machines qui ont le module Linux KVM et le support matériel correspondant. Les dérivations peuvent demander des fonctionnalités par leur nom et seront orchestrées sur les machines de construction correspondantes. @end table @end deftp La commande @code{guile} doit être dans le chemin de recherche des machines de construction. En plus, les modules Guix doivent se trouver dans @code{$GUILE_LOAD_PATH} sur la machine de construction. Vous pouvez vérifier si c'est le cas en lançant : @example ssh build-machine guile -c "'(use-modules (guix config))'" @end example Il reste une dernière chose à faire maintenant que @file{machines.scm} est en place. Comme expliqué ci-dessus, lors du déchargement les fichiers sont transférés entre les dépôts des machines. Pour que cela fonctionne, vous devez d'abord générer une paire de clef sur chaque machine pour permettre au démon d'exporter des archives signées des fichiers de son dépôt (@pxref{Invoquer guix archive}) : @example # guix archive --generate-key @end example @noindent Chaque machine de construction doit autoriser la clef de la machine maîtresse pour qu'ils acceptent les éléments de dépôt de celle-ci : @example # guix archive --authorize < master-public-key.txt @end example @noindent De même, la machine maîtresse doit autoriser les clefs de chaque machine de construction. Toute cette histoire de clefs permet d'exprimer la confiance mutuelle deux-à-deux entre le maître et les machines de construction. Concrètement, lorsque le maître reçoit des fichiers d'une machine de construction (et vice-versa), son démon de construction s'assure qu'ils sont authentiques, n'ont pas été modifiés par un tiers et qu'il sont signés par un clef autorisée. @cindex test du déchargement Pour tester que votre paramétrage fonctionne, lancez cette commande sur le nœud maître : @example # guix offload test @end example Cela essaiera de se connecter à toutes les machines de construction spécifiées dans @file{/etc/guix/machines.scm}, s'assurera que Guile et les modules Guix sont disponibles sur toutes les machines et tentera d'exporter vers la machine et d'importer depuis elle, et rapportera toute erreur survenu pendant le processus. Si vous souhaitez tester un fichier de machines différent, spécifiez-le sur la ligne de commande : @example # guix offload test machines-qualif.scm @end example Enfin, vous pouvez tester un sous-ensemble de machines dont le nom correspond à une expression rationnelle comme ceci : @example # guix offload test machines.scm '\.gnu\.org$' @end example @cindex statut du déchargement Pour afficher la charge actuelle de tous les hôtes de construction, lancez cette commande sur le nœud principal : @example # guix offload status @end example @node Support de SELinux @subsection Support de SELinux @cindex SELinux, politique du démon @cindex contrôle d'accès obligatoire, SELinux @cindex sécurité, guix-daemon Guix inclus un fichier de politique SELniux dans @file{etc/guix-daemon.cil} qui peut être installé sur un système où SELinux est activé pour que les fichiers Guix soient étiquetés et pour spécifier le comportement attendu du démon. Comme GuixSD ne fournit pas de politique SELniux de base, la politique du démon ne peut pas être utilisée sur GuixSD@. @subsubsection Installer la politique SELinux @cindex SELinux, installation de la politique Pour installer la politique, lancez cette commande en root : @example semodule -i etc/guix-daemon.cil @end example Puis ré-étiquetez le système de fichier avec @code{restorecon} ou par un mécanisme différent fournit par votre système. Une fois la politique installée, le système de fichier ré-étiqueté et le démon redémarré, il devrait être lancé dans le contexte @code{guix_daemon_t}. Vous pouvez le confirmer avec la commande suivante : @example ps -Zax | grep guix-daemon @end example Surveillez les fichiers journaux de SELinux pendant que vous lancez une commande comme @code{guix build hello} pour vous convaincre que SELniux permet toutes les opérations nécessaires. @subsubsection Limitations @cindex SELinux, limites La politique n'et pas parfaite. Voici une liste de limitations et de bizarreries qui vous devriez prendre en compte avant de déployer la politique SELinux fournie pour le démon Guix. @enumerate @item @code{guix_daemon_socket_t} n'est pas vraiment utilisé. Aucune des opérations sur les sockets n'impliquent de contextes qui ont quoi que ce soit à voir avec @code{guix_daemon_socket_t}. Ça ne fait pas de mal d'avoir une étiquette inutilisée, mais il serait préférable de définir des règles sur les sockets uniquement pour cette étiquette. @item @code{guix gc} ne peut pas accéder à n'importe quel lien vers les profils. Par conception, l'étiquette de fichier de la destination d'un lien symbolique est indépendant de l'étiquette du lien lui-même. Bien que tous les profils sous $localstatedir aient une étiquette, les liens vers ces profils héritent de l'étiquette du répertoire dans lequel ils se trouvent. Pour les liens dans le répertoire personnel cela sera @code{user_home_t}. Mais pour les liens du répertoire personnel de l'utilisateur root, ou @file{/tmp}, ou du répertoire de travail du serveur HTTP, etc, cela ne fonctionnera pas. SELinux empêcherait @code{guix gc} de lire et de suivre ces liens. @item La fonctionnalité du démon d'écouter des connexions TCP pourrait ne plus fonctionner. Cela demande des règles supplémentaires car SELinux traite les sockets réseau différemment des fichiers. @item Actuellement tous les fichiers qui correspondent à l'expression rationnelle @code{/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon} reçoivent l'étiquette @code{guix_daemon_exec_t} ; cela signifie que @emph{tout} fichier avec ce nom dans n'importe quel profil serait autorisé à se lancer dans le domaine @code{guix_daemon_t}. Ce n'est pas idéal. Un attaquant pourrait construire un paquet qui fournit cet exécutable et convaincre un utilisateur de l'installer et de le lancer, ce qui l'élève dans le domaine @code{guix_daemon_t}. À ce moment SELinux ne pourrait pas l'empêcher d'accéder à des fichiers autorisés pour les processus de ce domaine. Nous pourrions générer une politique bien plus restrictive à l'installation, pour que seuls les noms de fichiers @emph{exacts} de l'exécutable @code{guix-daemon} actuellement installé soit étiqueté avec @code{guix_daemon_exec_t}, plutôt que d'utiliser une expression rationnelle plus large. L'inconvénient c'est que root devrait installer ou mettre à jour la politique à l'installation à chaque fois que le paquet Guix qui fournit l'exécutable @code{guix-daemon} effectivement exécuté est mis à jour. @end enumerate @node Invoquer guix-daemon @section Invoquer @command{guix-daemon} Le programme @command{guix-daemon} implémente toutes les fonctionnalités d'accès au dépôt. Cela inclus le lancement des processus de construction, le lancement du ramasse-miettes, la demande de disponibilité des résultats de construction, etc. Il tourne normalement en @code{root} comme ceci : @example # guix-daemon --build-users-group=guixbuild @end example @noindent Pour des détails sur son paramétrage, @pxref{Paramétrer le démon}. @cindex chroot @cindex conteneur, environnement de construction @cindex environnement de construction @cindex constructions reproductibles Par défaut, @command{guix-daemon} lance les processus de construction sous différents UID récupérés depuis le groupe de construction spécifié avec @code{--build-users-group}. En plus, chaque processus de construction est lancé dans un environnement chroot qui ne contient que le sous-ensemble du dépôt dont le processus de construction dépend, tel que spécifié par sa dérivation (@pxref{Interface de programmation, dérivation}), plus un ensemble de répertoires systèmes spécifiques. Par défaut ce dernier contient @file{/dev} et @file{/dev/pts}. De plus, sous GNU/Linux, l'environnement de construction est un @dfn{conteneur} : en plus d'avoir sa propre arborescence du système de fichier, elle a un espace de montage séparé, son propre espace de PID, son espace de réseau, etc. Cela aide à obtenir des constructions reproductibles (@pxref{Fonctionnalités}). Lorsque le démon effectue une construction pour le compte de l'utilisateur, il crée un répertoire sous @file{/tmp} ou sous le répertoire spécifié par sa variable d'environnement @code{TMPDIR}. Ce répertoire est partagé avec le conteneur pendant la durée de la construction. Soyez conscient qu'utiliser un répertoire différent de @file{/tmp} peut affecter les résultats de la construction — par exemple avec un nom de répertoire plus long, un processus de construction qui utiliserait des socket Unix-domain pourrait atteindre la limite de longueur de nom de fichier pour @code{sun_path}, qu'il n'aurait sinon pas atteinte. Le répertoire de construction est automatiquement supprimé à la fin, à moins que la construction n'ait échoué et que le client ait spécifié @option{--keep-failed} (@pxref{Invoquer guix build, @option{--keep-failed}}). Les options en ligne de commande suivantes sont disponibles : @table @code @item --build-users-group=@var{groupe} Prendre les utilisateurs de @var{group} pour lancer les processus de construction (@pxref{Paramétrer le démon, utilisateurs de construction}). @item --no-substitutes @cindex substituts Ne pas utiliser de substitut pour les résultats de la construction. C'est-à-dire, toujours construire localement plutôt que de permettre le téléchargement de binaires pré-construits (@pxref{Substituts}). Lorsque le démon tourne avec @code{--no-substitutes}, les clients peuvent toujours activer explicitement la substitution @i{via} l'appel de procédure distante @code{set-build-options} (@pxref{Le dépôt}). @item --substitute-urls=@var{urls} @anchor{daemon-substitute-urls} Considèrer @var{urls} comme la liste séparée par des espaces des URL des sources de substituts par défaut. Lorsque cette option est omise, @indicateurl{https://mirror.hydra.gnu.org https://hydra.gnu.org} est utilisé (@code{mirror.hydra.gnu.org} est un mirroire de @code{hydra.gnu.org}). Cela signifie que les substituts sont téléchargés depuis les @var{urls}, tant qu'ils sont signés par une signature de confiance (@pxref{Substituts}). @cindex crochet de construction @item --no-build-hook Ne pas utiliser le @dfn{crochet de construction}. Le crochet de construction est un programme d'aide qui le démon peut démarrer et auquel soumettre les requêtes de construction. Ce mécanisme est utilisé pour décharger les constructions à d'autres machines (@pxref{Réglages du délestage du démon}). @item --cache-failures Mettre les échecs de construction en cache. Par défaut, seules les constructions réussies sont mises en cache. Lorsque cette option est utilisée, @command{guix gc --list-failures} peut être utilisé pour demander l'ensemble des éléments du dépôt marqués comme échoués ; @command{guix gc --clear-failures} vide la liste des éléments aillant échoué. @xref{Invoquer guix gc}. @item --cores=@var{n} @itemx -c @var{n} Utiliser @var{n} cœurs CPU pour construire chaque dérivation ; @code{0} signifie autant que possible. La valeur par défaut est @code{0}, mais elle peut être modifiée par les clients comme avec l'option @code{--cores} de @command{guix build} (@pxref{Invoquer guix build}). L'effet est de définir la variable d'environnement @code{NIX_BUILD_CORES} dans le processus de construction, qui peut ensuite l'utiliser pour exploiter le parallélisme en interne — par exemple en lançant @code{make -j$NIX_BUILD_CORES}. @item --max-jobs=@var{n} @itemx -M @var{n} Permettre au plus @var{n} travaux de construction en parallèle. La valeur par défaut est @code{1}. La mettre à @code{0} signifie qu'aucune construction ne sera effectuée localement ; à la place, le démon déchargera les constructions (@pxref{Réglages du délestage du démon}) ou échouera. @item --max-silent-time=@var{secondes} Lorsque le processus de construction ou de substitution restent silencieux pendant plus de @var{secondes}, le terminer et rapporter une erreur de construction. La valeur par défaut est @code{0}, ce qui désactive le délai. La valeur spécifiée ici peut être modifiée par les clients (@pxref{Options de construction communes, @code{--max-silent-time}}). @item --timeout=@var{secondes} De même, lorsque le processus de construction ou de substitution dure plus de @var{secondes}, le terminer et rapporter une erreur de construction. La valeur par défaut est @code{0}, ce qui désactive le délai. La valeur spécifiée ici peut être modifiée par les clients (@pxref{Options de construction communes, @code{--timeout}}). @item --rounds=@var{N} Construire chaque dérivations @var{N} fois à la suite, et lever une erreur si les résultats de construction consécutifs ne sont pas identiques bit-à-bit. Remarquez que ce paramètre peut être modifié par les clients comme @command{guix build} (@pxref{Invoquer guix build}). Lorsqu'utilisé avec @option{--keep-failed}, la sourtie différente est gardée dans le dépôt sous @file{/gnu/store/@dots{}-check}. Cela rend plus facile l'étude des différences entre les deux résultats. @item --debug Produire une sortie de débogage. Cela est utile pour déboguer des problèmes de démarrage du démon, mais ensuite elle peut être modifiée par les clients, par exemple par l'option @code{--verbosity} de @command{guix build} (@pxref{Invoquer guix build}). @item --chroot-directory=@var{rép} Ajouter @var{rép} au chroot de construction Cela peut changer le résultat d'un processus de construction — par exemple s'il utilise une dépendance facultative trouvée dans @var{rép} lorsqu'elle est disponible ou pas sinon. Pour cette raison, il n'est pas recommandé d'utiliser cette option. À la place, assurez-vous que chaque dérivation déclare toutes les entrées dont elle a besoin. @item --disable-chroot Désactive les constructions dans un chroot. Utiliser cette option n'est pas recommandé car, de nouveau, elle permet aux processus de construction d'accéder à des dépendances non déclarées. Elle est nécessaire cependant lorsque @command{guix-daemon} tourne en tant qu'utilisateur non privilégié. @item --log-compression=@var{type} Compresser les journaux de construction suivant le @var{type}, parmi @code{gzip}, @code{bzip2} ou @code{none}. À moins que @code{--lose-logs} ne soit utilisé, tous les journaux de construction sont gardés dans @var{localstatedir}. Pour gagner de la place, le démon les compresse automatiquement avec bzip2 par défaut. @item --disable-deduplication @cindex déduplication Désactiver la « déduplication » automatique des fichiers dans le dépôt. Par défaut, les fichiers ajoutés au dépôt sont automatiquement « dédupliqués » : si un nouveau fichier est identique à un autre fichier trouvé dans le dépôt, le démon en fait un lien en dur vers l'autre fichier. Cela réduit considérablement l'utilisation de l'espace disque au prix d'une charge en entrée/sortie plus grande à la fin d'un processus de construction. Cette option désactive cette optimisation. @item --gc-keep-outputs[=yes|no] Dire si le ramasse-miettes (GC) doit garder les sorties des dérivations utilisées. @cindex racines du GC @cindex racines du ramasse-miettes Lorsqu'elle est à « yes », le GC gardera les sorties de toutes les dérivations — les fichiers @code{.drv} — utilisées dans le dépôt. La valeur par défaut est « no », ce qui signifie que les sorties des dérivations ne sont gardées que s'il s'agit de racines du GC@. @xref{Invoquer guix gc} pour plus d'informations sur les racines du GC@. @item --gc-keep-derivations[=yes|no] Dire si le ramasse-miettes (GC) doit garder les dérivations correspondant à des sorties utilisées. Lorsqu'elle est à « yes », comme c'est le cas par défaut, le GC garde les dérivations — c.-à-d.@: les fichiers @file{.drv} — tant qu'au moins une de leurs sorties est utilisée. Cela permet aux utilisateurs de garder une trace de l'origine des éléments du dépôt. Le mettre à « no » préserve un peu d'espace disque. Remarquez qu'avec @code{--gc-keep-derivations} et @code{--gc-keep-outputs}, le GC gardera tous les prérequis de construction (les sources, le compilateur, les bibliothèques, et les autres outils de construction) des objets utilisés dans le dépôt, indépendamment du fait qu'ils soient ou non utilisés. Cela est pratique pour les développeurs car ça leur fait gagner du temps de reconstruction et de téléchargement. @item --impersonate-linux-2.6 Sur les système basés sur Linux, se faire passer pour Linux 2.6. Cela signifie que l'appel système du noyau @code{uname} rapportera 2.6 comme numéro de version. Cela peut être utile pour construire des programmes qui dépendent (généralement sans fondement) du numéro de version du noyau. @item --lose-logs Ne pas garder les journaux de construction. Par défaut ils sont gardés dans @code{@var{localstatedir}/guix/log}. @item --system=@var{système} Supposer que @var{système} est le type de système actuel. Par défaut c'est la paire architecture-noyau trouvée à la configuration, comme @code{x86_64-linux}. @item --listen=@var{extrémité} Écouter les connexions sur @var{extrémité}. @var{extrémité} est interprété comme un nom de fichier d'un socket Unix-domain s'il commence par @code{/} (barre oblique). Sinon, @var{extrémité} est interprété comme un nom de domaine ou d'hôte et un port sur lequel écouter. Voici quelques exemples : @table @code @item --listen=/gnu/var/daemon Écouter les connexions sur le socket Unix-domain @file{/gnu/var/daemon} en le créant si besoin. @item --listen=localhost @cindex démon, accès distant @cindex accès distant au démon @cindex démon, paramètres de grappes @cindex grappes, paramètres du démon Écouter les connexions TCP sur l'interface réseau correspondant à @code{localhost} sur le port 44146. @item --listen=128.0.0.42:1234 Écouter les connexions TCP sur l'interface réseau correspondant à @code{128.0.0.42} sur le port 1234. @end table Cette option peut être répétée plusieurs fois, auquel cas @command{guix-daemon} accepte des connexions sur toutes les extrémités spécifiées. Les utilisateurs peuvent dire aux commandes clientes à quelle extrémité se connecter en paramétrant la variable d'environnement @code{GUIX_DAEMON_SOCKET} (@pxref{Le dépôt, @code{GUIX_DAEMON_SOCKET}}). @quotation Remarque Le protocole du démon est @emph{non authentifié et non chiffré}. Utiliser @code{--listen=@var{host}} est adapté sur des réseaux locaux, comme pour des grappes de serveurs, où seuls des nœuds de confiance peuvent se connecter au démon de construction. Dans les autres cas où l'accès à distance au démon est requis, nous conseillons d'utiliser un socket Unix-domain avec SSH@. @end quotation Lorsque @code{--listen} est omis, @command{guix-daemon} écoute les connexions sur le socket Unix-domain situé à @file{@var{localstatedir}/guix/daemon-socket/socket}. @end table @node Réglages applicatifs @section Réglages applicatifs @cindex distro extérieure Lorsque vous utilisez Guix par dessus une distribution GNU/Linux différente de GuixSD — ce qu'on appelle une @dfn{distro externe} — quelques étapes supplémentaires sont requises pour que tout soit en place. En voici certaines. @subsection Régionalisation @anchor{locales-and-locpath} @cindex régionalisation, en dehors de GuixSD @vindex LOCPATH @vindex GUIX_LOCPATH Les paquets installés @i{via} Guix n'utiliseront pas les données de régionalisation du système hôte. À la place, vous devrez d'abord installer l'un des paquets linguistiques disponibles dans Guix puis définir la variable d'environnement @code{GUIX_LOCPATH} : @example $ guix package -i glibc-locales $ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale @end example Remarquez que le paquet @code{glibc-locales} contient les données pour tous les environnement linguistiques supportés par la GNU@tie{}libc et pèse environ 110@tie{}Mo. Autrement, les @code{glibc-utf8-locales} est plus petit mais limité à quelques environnements UTF-8. La variable @code{GUIX_LOCPATH} joue un rôle similaire à @code{LOCPATH} (@pxref{Locale Names, @code{LOCPATH},, libc, The GNU C Library Reference Manual}). Il y a deux différences importantes cependant : @enumerate @item @code{GUIX_LOCPATH} n'est compris que par la libc dans Guix et pas par la libc fournie par les distros externes. Ainsi, utiliser @code{GUIX_LOCPATH} vous permet de vous assurer que les programmes de la distro externe ne chargeront pas de données linguistiques incompatibles. @item La libc ajoute un suffixe @code{/X.Y} à chaque entrée de @code{GUIX_LOCPATH}, où @code{X.Y} est la version de la libc — p.@: ex.@: @code{2.22}. Cela signifie que, si votre profile Guix contient un mélange de programmes liés avec des versions différentes de la libc, chaque version de la libc essaiera de charger les environnements linguistiques dans le bon format. @end enumerate Cela est important car le format des données linguistiques utilisés par différentes version de la libc peuvent être incompatibles. @subsection Name Service Switch @cindex name service switch, glibc @cindex NSS (name service switch), glibc @cindex nscd (name service caching daemon) @cindex name service caching daemon (nscd) Lorsque vous utilisez Guix sur une distro externe, nous @emph{recommandons fortement} que ce système fasse tourner le @dfn{démon de cache de service de noms} de la bibliothèque C de GNU, @command{nscd}, qui devrait écouter sur le socket @file{/var/run/nscd/socket}. Sans cela, les applications installées avec Guix peuvent échouer à résoudre des noms d'hôtes ou d'utilisateurs, ou même planter. Les paragraphes suivants expliquent pourquoi. @cindex @file{nsswitch.conf} La bibliothèque C de GNU implémente un @dfn{name service switch} (NSS), qui est un mécanisme d'extension pour les « résolutions de noms » en général : résolution de nom d'hôte, de compte utilisateur et plus (@pxref{Name Service Switch,,, libc, The GNU C Library Reference Manual}). @cindex Network information service (NIS) @cindex NIS (Network information service) Comme il est extensible, NSS supporte des @dfn{greffons} qui fournissent une nouvelle implémentation de résolution de nom : par exemple le greffon @code{nss-mdns} permet la résolution de noms d'hôtes en @code{.local}, le greffon @code{nis} permet la résolution de comptes utilisateurs avec le Network Information Service (NIS), etc. Ces « services de recherches » supplémentaires sont configurés au niveau du système dans @file{/etc/nsswitch.conf}, et tous les programmes qui tournent sur ce système honorent ces paramètres (@pxref{NSS Configuration File,,, libc, The GNU C Reference Manual}) Lorsqu'ils essayent d'effectuer une résolution de nom — par exemple en appelant la fonction @code{getaddrinfo} en C — les applications essayent d'abord de se connecter au nscd ; en cas de réussite, nscd effectue la résolution de nom pour eux. Si le nscd ne tourne pas, alors ils effectue la résolution eux-même, en changeant les service de résolution dans leur propre espace d'adressage et en le lançant. Ce services de résolution de noms — les fichiers @file{libnns_*.so} — sont @code{dlopen}és mais ils peuvent provenir de la bibliothèque C du système, plutôt que de la bibliothèque C à laquelle l'application est liée (la bibliothèque C de Guix). Et c'est là que se trouve le problème : si votre application est liée à la bibliothèque C de Guix (disons, glibc-2.24) et essaye de charger les greffons NSS d'une autre bibliothèque C (disons, @code{libnss_mdns.so} pour glibc-2.22), il est très probable qu'elle plante ou que sa résolution de nom échoue de manière inattendue. Lancer @command{nscd} sur le système, entre autres avantages, élimine ce problème d'incompatibilité binaire car ces fichiers @code{libnss_*.so} sont chargés par le processus @command{nscd}, pas par l'application elle-même. @subsection Polices X11 @cindex polices La majorité des applications graphiques utilisent fontconfig pour trouver et charger les police et effectuer le rendu côté client X11. Le paquet @code{fontconfig} dans Guix cherche les polices dans @file{$HOME/.guix-profile} par défaut. Ainsi, pour permettre aux applications graphiques installées avec Guix d'afficher des polices, vous devez aussi installer des polices avec Guix. Les paquets de polices essentiels sont @code{gs-fonts}, @code{font-dejavu} et @code{font-gnu-freefont-ttf}. Pour afficher des textes écrits en chinois, en japonais ou en coréen dans les applications graphiques, installez @code{font-adobe-source-han-sans} ou @code{font-wqy-zenhei}. Le premier a plusieurs sorties, une par famille de langue (@pxref{Des paquets avec plusieurs résultats}). Par exemple, la commande suivante installe les polices pour le chinois : @example guix package -i font-adobe-source-han-sans:cn @end example @cindex @code{xterm} Les vieux programmes comme @command{xterm} n'utilisent pas fontconfig et s'appuient sur le rendu du côté du serveur. Ces programmes ont besoin de spécifier le nom complet de la police en utlisant XLFD (X Logical Font Description), comme ceci : @example -*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1 @end example Pour pouvoir utiliser ces noms complets avec les polices TrueType installées dans votre profil Guix, vous devez étendre le chemin des polices du serveur X : @c Note: 'xset' does not accept symlinks so the trick below arranges to @c get at the real directory. See . @example xset +fp $(dirname $(readlink -f ~/.guix-profile/share/fonts/truetype/fonts.dir)) @end example @cindex @code{xlsfonts} Ensuite, vous pouvez lancer @code{xlsfonts} (du paquet @code{xlsfonts}) pour vous assurer que vos polices TrueType y sont listées. @cindex @code{fc-cache} @cindex cache de polices Après l'installation des polices vous devrez peut-être rafraîchir le cache des polices pour pouvoir les utiliser dans les applications. Ça s'applique aussi lorsque les applications installées avec Guix n'ont pas l'air de trouver les polices. Pour forcer la reconstruction du cache de polices lancez @code{fc-cache -f}. La commande @code{fc-cache} est fournie par le paquet @code{fontconfig}. @subsection Certificats X.509 @cindex @code{nss-certs} Le paquet @code{nss-certs} fournit les certificats X.509 qui permettent aux programmes d'authentifier les serveurs web par HTTPS@. Lorsque vous utilisez Guix sur une distribution externe, vous pouvez installer ce paquet et définir les variables d'environnement adéquates pour que les paquets sachent où trouver les certificats. @xref{Certificats X.509}, pour des informations détaillées. @subsection Paquets emacs @cindex @code{emacs} Lorsque vous installez les paquets Emacs avec Guix, les fichiers elisp peuvent être placés soit dans @file{$HOME/.guix-profile/share/emacs/site-lisp/} soit dans des sous-répertoires de @file{$HOME/.guix-profile/share/emacs/site-lisp/guix.d/}. Ce dernier existe car il existe potentiellement des milliers de paquets Emacs et stocker leurs fichiers dans un seul répertoire peut ne pas être fiable (à cause de conflits de noms). Donc on pense qu'utiliser un répertoire séparé est une bonne idée. C'est très similaire à la manière dont le système de paquet d'Emacs organise la structure de fichiers (@pxref{Package Files,,, emacs, The GNU Emacs Manual}). Par défaut, Emacs (installé avec Guix) « sait » où ces paquets ce trouvent, donc vous n'avez pas besoin de le configurer. Si, pour quelque raison que ce soit, vous souhaitez éviter de charger automatiquement les paquets Emacs installés avec Guix, vous pouvez le faire en lançaint Emacs avec l'option @code{--no-site-file} (@pxref{Init File,,, emacs, The GNU Emacs Manual}). @subsection La chaîne d'outils GCC @cindex GCC @cindex ld-wrapper Guix offre des paquets de compilateurs individuels comme @code{gcc} mais si vous avez besoin d'une chaîne de compilation complète pour compiler et lier du code source, vous avez en fait besoin du paquet @code{gcc-toolchain}. Ce paquet fournit une chaîne d'outils GCC pour le développement C/C++, dont GCC lui-même, la bibliothèque C de GNU (les en-têtes et les binaires, plus les symboles de débogage dans la sortie @code{debug}), Binutils et une enveloppe pour l'éditeur de liens. @cindex tentative d'utiliser une bibliothèque impure, message d'erreur Le rôle de l'enveloppe est d'inspecter les paramètres @code{-L} et @code{-l} passés à l'éditeur de liens, d'ajouter des arguments @code{-rpath} correspondants et d'invoquer le véritable éditeur de liens avec ce nouvel ensemble d'arguments. Par défaut, l'enveloppe refuse de lier des bibliothèques en dehors du dépôt pour assure la « pureté ». Cela peut être embêtant lorsque vous utilisez la chaîne d'outils pour lier des bibliothèques locales. Pour permettre des références à des bibliothèques en dehors du dépôt, vous devrez définir la variable d'environnement @code{GUIX_LD_WRAPPER_ALLOW_IMPURITIES}. @c TODO What else? @c ********************************************************************* @node Gestion de paquets @chapter Gestion de paquets @cindex paquets Le but de GNU Guix est de permettre à ses utilisateurs d'installer, mettre à jour et supprimer facilement des paquets logiciels sans devoir connaître leur procédure de construction ou leurs dépendances. Guix va aussi plus loin que ces fonctionnalités évidentes. Ce chapitre décrit les principales fonctionnalités de Guix, ainsi que des outils de gestion des paquets qu'il fournit. En plus de l'interface en ligne de commande décrite en dessous de (@pxref{Invoquer guix package, @code{guix package}}), vous pouvez aussi utiliser l'interface Emacs-Guix (@pxref{Top,,, emacs-guix, Le manuel de référence de emacs-guix}), après avoir installé le paquet @code{emacs-guix} (lancez la commande @kbd{M-x guix-help} pour le démarrer) : @example guix package -i emacs-guix @end example @menu * Fonctionnalités:: Comment Guix va rendre votre vie plus heureuse. * Invoquer guix package:: Installation, suppression, etc.@: de paquets. * Substituts:: Télécharger des binaire déjà construits. * Des paquets avec plusieurs résultats:: Un seul paquet source, plusieurs résultats. * Invoquer guix gc:: Lancer le ramasse-miettes. * Invoquer guix pull:: Récupérer la dernière version de Guix et de la distribution. * Invoquer guix pack:: Créer des lots de logiciels. * Invoquer guix archive:: Exporter et importer des fichiers du dépôt. @end menu @node Fonctionnalités @section Fonctionnalités Lorsque vous utilisez Guix, chaque paquet arrive dans @dfn{dépôt des paquets}, dans son propre répertoire — quelque chose comme @file{/gnu/store/xxx-paquet-1.2}, où @code{xxx} est une chaîne en base32. Plutôt que de se rapporter à ces répertoires, les utilisateurs ont leur propre @dfn{profil} qui pointe vers les paquets qu'ils veulent vraiment utiliser. Ces profils sont stockés dans le répertoire personnel de chaque utilisateur dans @code{$HOME/.guix-profile}. Par exemple, @code{alice} installe GCC 4.7.2. Il en résulte que @file{/home/alice/.guix-profile/bin/gcc} pointe vers @file{/gnu/store/@dots{}-gcc-4.7.2/bin/gcc}. Maintenant, sur la même machine, @code{bob} a déjà intallé GCC 4.8.0. Le profil de @code{bob} continue simplement de pointer vers @file{/gnu/store/@dots{}-gcc-4.8.0/bin/gcc} — c.-à-d.@: les deux versions de GCC coexistent surs le même système sans aucune interférence. La commande @command{guix package} est l'outil central pour gérer les paquets (@pxref{Invoquer guix package}). Il opère sur les profils utilisateurs et peut être utilisé avec les @emph{privilèges utilisateurs normaux}. @cindex transactions La commande fournit les opérations évidentes d'installation, de suppression et de mise à jour. Chaque invocation est en fait une @emph{transaction} : soit l'opération demandée réussi, soit rien ne se passe. Ainsi, si le processus @command{guix package} est terminé pendant la transaction ou si une panne de courant arrive pendant la transaction, le profil de l'utilisateur reste dans son état précédent et reste utilisable. En plus, il est possible @emph{d'annuler} toute transaction sur les paquets. Donc si par exemple un mise à jour installe une nouvelle version d'un paquet qui révèle un bogue sérieux, les utilisateurs peuvent revenir en arrière à l'instance précédente de leur profil qui est connu pour bien fonctionner. De manière similaire, la configuration globale du système dans GuixSD est sujette aux mises à jour transactionnelles et aux annulations (@pxref{Utiliser le système de configuration}). Tous les paquets du dépôt des paquets peut être @emph{glané}. Guix peut déterminer quels paquets sont toujours référencés par les profils des utilisateurs et supprimer ceux qui ne sont plus référencés de manière prouvable (@pxref{Invoquer guix gc}). Les utilisateurs peuvent toujours explicitement supprimer les anciennes générations de leur profil pour que les paquets auxquels elles faisaient référence puissent être glanés. @cindex reproductibilité @cindex constructions reproductibles Finalement, Guix prend une approche @dfn{purement fonctionnelle} de la gestion de paquets, telle que décrite dans l'introduction (@pxref{Introduction}). Chaque nom de répertoire de paquet dans @file{/gnu/store} contient un hash de toutes les entrées qui ont été utilisées pendant la construction de ce paquet — le compilateur, les bibliothèques, les scripts de construction, etc. Cette correspondance directe permet aux utilisateurs de s'assurer que l'installation d'un paquet donné correspond à l'état actuel de leur distribution. Elle aide aussi à maximiser la @dfn{reproductibilité} : grâce aux environnements de construction utilisés, une construction donnée à de forte chances de donner des fichiers identiques bit-à-bit lorsqu'elle est effectuée sur des machines différents (@pxref{Invoquer guix-daemon, container}). @cindex substituts Ce fondement permet à Guix de supporter le @dfn{déploiement transparent de binaire ou source}. Lorsqu'une binaire pré-construit pour une entrée de @file{/gnu/store} est disponible depuis une source externe (un @dfn{substitut}), Guix le télécharge simplement et le décompresse ; sinon, il construit le paquet depuis les sources localement (@pxref{Substituts}). Comme les résultats des constructions sont généralement reproductibles au bit près, si vous n'avez pas besoin de faire confiance aux serveurs qui fournissent les substituts : vous pouvez forcer une construction locale et @emph{défier} les fournisseurs (@pxref{Invoquer guix challenge}). Le contrôle de l'environnement de construction est aussi une fonctionnalité utile pour les développeurs. La commande @command{guix environment} permet aux développeurs d'un paquet de mettre en place rapidement le bon environnement de développement pour leur paquet, sans avoir à installer manuellement les dépendances du paquet dans leur profil (@pxref{Invoquer guix environment}). @node Invoquer guix package @section Invoquer @command{guix package} @cindex installer des paquets @cindex supprimer des paquets @cindex installation de paquets @cindex suppression de paquets La commande @command{guix package} est l'outil qui permet d'installer, mettre à jour et supprimer les paquets ainsi que de revenir à une configuration précédente. Elle n'opère que dans le profil de l'utilisateur et fonctionne avec les privilèges utilisateurs normaux (@pxref{Fonctionnalités}). Sa syntaxe est : @example guix package @var{options} @end example @cindex transactions @var{options} spécifie d'abord les opérations à effectuer pendant la transaction. À la fin, une nouvelle génération du profil est créée mais les @dfn{générations} précédentes du profil restent disponibles si l'utilisateur souhaite y revenir. Par exemple, pour supprimer @code{lua} et installer @code{guile} et @code{guile-cairo} en une seule transaction : @example guix package -r lua -i guile guile-cairo @end example @command{guix package} supporte aussi une @dfn{approche déclarative} où l'utilisateur spécifie l'ensemble exact des paquets qui doivent être disponibles le passe @i{via} l'option @option{--manifest} (@pxref{profile-manifest, @option{--manifest}}). @cindex profil Pour chaque utilisateur, un lien symbolique vers le profil par défaut de cet utilisateur est automatiquement créé dans @file{$HOME/.guix-profile}. Ce lien symbolique pointe toujours vers la génération actuelle du profil par défaut de l'utilisateur. Ainsi, les utilisateurs peuvent ajouter @file{$HOME/.guix-profile/bin} à leur variable d'environnement @code{PATH} etc. @cindex chemins de recherche Si vous n'utilisez pas la distribution système Guix, vous devriez ajouter les lignes suivantes à votre @file{~/.bash_profile} (@pxref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}) pour que les shells créés ensuite aient les bonnes définitions des variables d'environnement : @example GUIX_PROFILE="$HOME/.guix-profile" ; \ source "$HOME/.guix-profile/etc/profile" @end example Dans un environnement multi-utilisateur, les profils utilisateurs sont stockés comme une @dfn{racine du ramasse-miettes}, vers laquelle pointe @file{$HOME/.guix-profile} (@pxref{Invoquer guix gc}). Ce répertoire est normalement @code{@var{localstatedir}/guix/profiles/per-user/@var{utilisateur}}, où @var{localstatedir} est la valeur passée à @code{configure} avec @code{--localstatedir} et @var{utilisateur} le nom d'utilisateur. Le répertoire @file{per-user} est créé lorsque @command{guix-daemon} est démarré et sous-répertoire @var{utilisateur} est créé par @command{guix package}. Les @var{options} peuvent être les suivante : @table @code @item --install=@var{paquet} @dots{} @itemx -i @var{paquet} @dots{} Installer les @var{paquet}s spécifiés. Chaque @var{paquet} peut spécifier soit un simple nom de paquet, comme @code{guile} ou un nom de paquet suivi d'un arobase et d'un numéro de version, comme @code{guile@@1.8.8} ou simplement @code{guile@@1.8} (dans ce dernier cas, la version la plus récente commençant par @code{1.8} est utilisée). Si aucun numéro de version n'est spécifié, la version la plus récente disponible est choisie. En plus, @var{paquet} peut contenir un deux-points, suivi du nom d'une des sorties du paquet, comme dans @code{gcc:doc} ou @code{binutils@@2.22:lib} (@pxref{Des paquets avec plusieurs résultats}). Des paquets avec un nom correspondant et (éventuellement une version) sont recherchés dans les modules de la distribution GNU (@pxref{Modules de paquets}). @cindex entrées propagées Parfois les paquets ont des @dfn{entrées propagées} : ce sont des dépendances qui sont installées automatiquement avec le paquet demandé (@pxref{package-propagated-inputs, @code{propagated-inputs} in @code{package} objects} pour plus d'informations sur les entrées propagées dans les définitions des paquets). @anchor{package-cmd-propagated-inputs} Un exemple est la bibliothèque MPC de GNU : ses fichiers d'en-tête C se réfèrent à ceux de la bibliothèque MPFR de GNU, qui se réfèrent en retour à ceux de la bibliothèque GMP. Ainsi, lorsqu'on installe MPC, les bibliothèques MPFR et GMP sont aussi installées dans le profil ; supprimer MPC supprimera aussi MPFR et GMP — à moins qu'ils n'aient été aussi installés explicitement par l'utilisateur. D'autre part, les paquets dépendent parfois de la définition de variables d'environnement pour leur chemin de recherche (voir les explications sur @code{--search-paths} plus bas). Toute définition de variable d'environnement manquante ou possiblement incorrecte est rapportée ici. @item --install-from-expression=@var{exp} @itemx -e @var{exp} Installer le paquet évalué par @var{exp} @var{exp} doit être une expression Scheme qui s'évalue en un objet @code{}. Cette option est notamment utile pour distinguer les variantes d'un paquet avec le même nom, avec des expressions comme @code{(@@ (gnu packages base) guile-final)}. Remarquez que cette option installe la première sortie du paquet, ce qui peut être insuffisant lorsque vous avez besoin d'une sortie spécifique d'un paquet à plusieurs sorties. @item --install-from-file=@var{fichier} @itemx -f @var{fichier} Installer le paquet évalué par le code dans le @var{fichier}. Par exemple, @var{fichier} peut contenir une définition comme celle-ci (@pxref{Définition des paquets}) : @example @verbatiminclude package-hello.scm @end example Les développeurs peuvent trouver utile d'inclure un tel fichier @file{guix.scm} à la racine de l'arborescence des sources de leur projet qui pourrait être utilisé pour tester des versions de développement et créer des environnements de développement reproductibles (@pxref{Invoquer guix environment}). @item --remove=@var{paquet} @dots{} @itemx -r @var{paquet} @dots{} Supprimer les @var{paquet}s spécifiés. Comme pour @code{--install}, chaque @var{paquet} peut spécifier un numéro de version ou un nom de sortie en plus du nom du paquet. Par exemple, @code{-r glibc:debug} supprimerait la sortie @code{debug} de @code{glibc}. @item --upgrade[=@var{regexp} @dots{}] @itemx -u [@var{regexp} @dots{}] @cindex mettre à jour des paquets Mettre à jour tous les paquets installés. Si une @var{regexp} ou plus est spécifiée, la mise à jour n'installera que les paquets dont le nom correspond à @var{regexp}. Voyez aussi l'option @code{--do-not-upgrade} en dessous. Remarquez que cela met à jour vers la dernière version des paquets trouvée dans la distribution actuellement installée. Pour mettre à jour votre distribution, vous devriez lancer régulièrement @command{guix pull} (@pxref{Invoquer guix pull}). @item --do-not-upgrade[=@var{regexp} @dots{}] Lorsqu'elle est utilisée avec l'option @code{--upgrade}, ne @emph{pas} mettre à jour les paquets dont le nom correspond à @var{regexp}. Par exemple, pour mettre à jour tous les paquets du profil actuel à l'exception de ceux qui contiennent la chaîne « emacs » : @example $ guix package --upgrade . --do-not-upgrade emacs @end example @item @anchor{profile-manifest}--manifest=@var{fichier} @itemx -m @var{fichier} @cindex déclaration de profil @cindex manifest de profil Créer une nouvelle génération du profil depuis l'objet manifeste renvoyé par le code Scheme dans @var{fichier}. Cela vous permet de @emph{déclarer} le contenu du profil plutôt que de le construire avec une série de @code{--install} et de commandes similaires. L'avantage étant que le @var{fichier} peut être placé sous contrôle de version, copié vers d'autres machines pour reproduire le même profil, etc. @c FIXME: Add reference to (guix profile) documentation when available. @var{fichier} doit retourner un objet @dfn{manifest} qui est en gros une liste de paquets : @findex packages->manifest @example (use-package-modules guile emacs) (packages->manifest (list emacs guile-2.0 ;; Utiliser une sortie spécifique d'un paquet. (list guile-2.0 "debug"))) @end example @findex specifications->manifest Dans cet exemple on doit savoir quels modules définissent les variables @code{emacs} et @code{guile-2.0} pour fournir la bonne ligne @code{use-package-modules} ce qui peut être embêtant. On peut à la place fournir des spécifications de paquets normales et laisser @code{specifications->manifest} rechercher les objets de paquets correspondants, comme ceci : @example (specifications->manifest '("emacs" "guile@@2.2" "guile@@2.2:debug")) @end example @item --roll-back @cindex revenir en arrière @cindex défaire des transactions @cindex transactions, défaire Revenir à la @dfn{génération} précédente du profil c.-à-d.@: défaire la dernière transaction. Lorsqu'elle est combinée avec des options comme @code{--install}, cette option revient en arrière avant toute autre action. Lorsque vous revenez de la première génération qui contient des fichiers, le profil pointera vers la @dfn{zéroième génération} qui ne contient aucun fichier en dehors de ses propres métadonnées. Après être revenu en arrière, l'installation, la suppression et la mise à jour de paquets réécrit les futures générations précédentes. Ainsi, l'historique des générations dans un profil est toujours linéaire. @item --switch-generation=@var{motif} @itemx -S @var{motif} @cindex générations Basculer vers une génération particulière définie par le @var{motif}. Le @var{motif} peut être soit un numéro de génération soit un nombre précédé de « + » ou « - ». Ce dernier signifie : se déplacer en avant ou en arrière d'un nombre donné de générations. Par exemple, si vous voulez retourner à la dernière génération après @code{--roll-back}, utilisez @code{--switch-generation=+1}. La différence entre @code{--roll-back} et @code{--switch-generation=-1} est que @code{--switch-generation} ne vous amènera pas à la zéroième génération, donc si la génération demandée n'existe pas la génération actuelle ne changera pas. @item --search-paths[=@var{genre}] @cindex chemins de recherche Rapporter les définitions des variables d'environnement dans la syntaxe Bash qui peuvent être requises pour utiliser l'ensemble des paquets installés. Ces variables d'environnement sont utilisées pour spécifier les @dfn{chemins de recherche} de fichiers utilisés par les paquets installés. Par exemple, GCC a besoin des variables d'environnement @code{CPATH} et @code{LIBRARY_PATH} pour trouver les en-têtes et les bibliothèques dans le profil de l'utilisateur (@pxref{Environment Variables,,, gcc, Using the GNU Compiler Collection (GCC)}). Si GCC et, disons, la bibliothèque C sont installés dans le profil, alors @code{--search-paths} suggérera d'initialiser ces variables à @code{@var{profil}/include} et @code{@var{profil}/lib}, respectivement. Le cas d'utilisation typique est de définir ces variables d'environnement dans le shell : @example $ eval `guix package --search-paths` @end example @var{genre} peut être l'une des valeurs @code{exact}, @code{prefix} ou @code{suffix}, ce qui signifie que les définitions des variables d'environnement retournées seront soit les paramètres exactes, ou placés avant ou après la valeur actuelle de ces paramètres. Lorsqu'il est omis, @var{genre} a pour valeur par défaut @code{exact}. Cette option peut aussi être utilisé pour calculer les chemins de recherche @emph{combinés} de plusieurs profils. Regardez cet exemple : @example $ guix package -p foo -i guile $ guix package -p bar -i guile-json $ guix package -p foo -p bar --search-paths @end example La dernière commande ci-dessus montre la variable @code{GUILE_LOAD_PATH} bien que, pris individuellement, ni @file{foo} ni @file{bar} n'auraient donné cette recommendation. @item --profile=@var{profil} @itemx -p @var{profil} Utiliser le @var{profil} à la place du profil par défaut de l'utilisateur. @cindex collisions, dans un profil @cindex faire des collisions de paquets dans des profils @cindex profil, collisions @item --allow-collisions Permettre des collisions de paquets dans le nouveau profil. À utiliser à vos risques et périls ! Par défaut, @command{guix package} rapporte les @dfn{collisions} dans le profil comme des erreurs. Les collisions ont lieu quand deux version ou variantes d'un paquet donné se retrouvent dans le profil. @item --verbose Produire une sortie verbeuse. En particulier, fournir les journaux de construction de l'environnement sur le port d'erreur standard. @item --bootstrap Utiliser le programme d'amorçage Guile pour compiler le profil. Cette option n'est utile que pour les développeurs de la distriibution. @end table En plus de ces actions, @command{guix package} supporte les options suivantes pour demander l'état actuel d'un profil ou la disponibilité des paquets : @table @option @item --search=@var{regexp} @itemx -s @var{regexp} @cindex chercher des paquets Lister les paquets disponibles dont le nom, le synopsis ou la description correspondent à la @var{regexp}, triés par pertinence. Afficher toutes les métadonnées des paquets correspondants au format @code{recutils} (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}). Cela permet à des champs spécifiques d'être extraits avec la commande @command{recsel}, par exemple : @example $ guix package -s malloc | recsel -p name,version,relevance name: jemalloc version: 4.5.0 relevance: 6 name: glibc version: 2.25 relevance: 1 name: libgc version: 7.6.0 relevance: 1 @end example De manière similaire, pour montrer le nom de tous les paquets disponibles sous license GNU@tie{}LGPL version 3 : @example $ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"' name: elfutils name: gmp @dots{} @end example Il est aussi possible de raffiner les résultats de la recherche avec plusieurs options @code{-s}. Par exemple, la commande suivante renvoie la liste des jeux de plateau : @example $ guix package -s '\' -s game | recsel -p name name: gnubg @dots{} @end example Si on avait oublié @code{-s game}, on aurait aussi eu les paquets logiciels qui s'occupent de circuits imprimés (en anglais : circuit board) ; supprimer les chevrons autour de @code{board} aurait aussi ajouté les paquets qui parlent de clavier (en anglais : key@emph{board}). Et maintenant un exemple plus élaboré. La commande suivante recherche les bibliothèques cryptographiques, retire les bibliothèques Haskell, Perl, Python et Ruby et affiche le nom et le synopsis des paquets correspondants : @example $ guix package -s crypto -s library | \ recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis @end example @noindent @xref{Selection Expressions,,, recutils, GNU recutils manual} pour plus d'information sur les @dfn{expressions de sélection} pour @code{recsel -e}. @item --show=@var{paquet} Afficher les détails du @var{paquet} dans la liste des paquets disponibles, au format @code{recutils} (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}). @example $ guix package --show=python | recsel -p name,version name: python version: 2.7.6 name: python version: 3.3.5 @end example Vous pouvez aussi spécifier le nom complet d'un paquet pour n'avoir que les détails concernant une version spécifique : @example $ guix package --show=python@@3.4 | recsel -p name,version name: python version: 3.4.3 @end example @item --list-installed[=@var{regexp}] @itemx -I [@var{regexp}] Liste les paquets actuellement installés dans le profil spécifié, avec les paquets les plus récemment installés en dernier. Lorsque @var{regexp} est spécifié, liste uniquement les paquets installés dont le nom correspond à @var{regexp}. Pour chaque paquet installé, affiche les éléments suivants, séparés par des tabulations : le nom du paquet, sa version, la partie du paquet qui est installé (par exemple, @code{out} pour la sortie par défaut, @code{include} pour ses en-têtes, etc) et le chemin du paquet dans le dépôt. @item --list-available[=@var{regexp}] @itemx -A [@var{regexp}] Lister les paquets actuellement disponibles dans la distribution pour ce système (@pxref{Distribution GNU}). Lorsque @var{regexp} est spécifié, liste uniquement les paquets dont le nom correspond à @var{regexp}. Pour chaque paquet, affiche les éléments suivants séparés par des tabulations : son nom, sa version, les parties du paquet (@pxref{Des paquets avec plusieurs résultats}), et l'emplacement de sa définition. @item --list-generations[=@var{motif}] @itemx -l [@var{motif}] @cindex générations Renvoyer la liste des générations avec leur date de création ; pour chaque génération, montre les paquets installés avec les paquets installés les plus récemment en dernier. Remarquez que la zéroième génération n'est jamais montrée. Pour chaque paquet installé, afficher les éléments suivants, séparés par des tabulations : le nom du paquet, sa version, la partie du paquet qui a été installée (@pxref{Des paquets avec plusieurs résultats}), et l'emplacement du paquet dans le dépôt. Lorsque @var{motif} est utilisé, la commande ne renvoie que les générations correspondantes. Les motifs valides sont : @itemize @item @emph{Des entiers et des entiers séparés par des virgules}. Les deux motifs correspondent à des numéros de version. Par exemple, @code{--list-generations=1} renvoie la première. Et @code{--list-generations=1,8,2} renvoie les trois générations dans l'ordre spécifié. Aucune espace ni virgule surnuméraire n'est permise. @item @emph{Des interval}. @code{--list-generations=2..9} affiche les générations demandées et tout ce qui se trouvent entre elles. Remarquez que le début d'un interval doit être plus petit que sa fin. Il est aussi possible d'omettre le numéro final. Par exemple, @code{--list-generations=2..} renvoie toutes les générations à partir de la deuxième. @item @emph{Des durées}. Vous pouvez aussi récupérer les derniers @emph{N}@tie{}jours, semaines, ou moins en passant un entier avec la première lettre de la durée (en anglais : d, w ou m). Par exemple @code{--list-generations=20d} liste les générations qui sont agées d'au plus 20 jours. @end itemize @item --delete-generations[=@var{motif}] @itemx -d [@var{motif}] Lorsque @var{motif} est omis, supprimer toutes les générations en dehors de l'actuelle. Cette commande accepte les même motifs que @option{--list-generations}. Lorsque @var{motif} est spécifié, supprimer les générations correspondante. Lorsque @var{motif} spécifie une durée, les générations @emph{plus vieilles} que la durée spécifiée correspondent. Par exemple @code{--delete-generations=1m} supprime les générations vieilles de plus d'un mois. Si la génération actuelle correspond, elle n'est @emph{pas} supprimée. La zéroième génération n'est elle non plus jamais supprimée. Remarquez que supprimer des générations empêche de revenir en arrière vers elles. Ainsi, cette commande doit être utilisée avec précaution. @end table Enfin, comme @command{guix package} peut démarrer des processus de construction, elle supporte les options de construction communes (@pxref{Options de construction communes}). Elle supporte aussi les options de transformation de paquets comme @option{--with-source} (@pxref{Options de transformation de paquets}). Cependant, remarquez que les transformations de paquets sont perdues à la mise à jour ; pour les préserver à travers les mises à jours, vous devriez définir vos propres variantes des paquets dans une module Guile et l'ajouter à @code{GUIX_PACKAGE_PATH} (@pxref{Définition des paquets}). @node Substituts @section Substituts @cindex substituts @cindex binaires pré-construits Guix gère le déploiement depuis des binaires ou des sources de manière transparente ce qui signifie qu'il peut aussi bien construire localement que télécharger des éléments pré-construits depuis un serveur ou les deux. Nous appelons ces éléments pré-construits des @dfn{substituts} — ils se substituent aux résultats des constructions locales. Dans la plupart des cas, télécharger un substitut est bien plus rapide que de construire les choses localement. Les substituts peuvent être tout ce qui résulte d'une construction de dérivation (@pxref{Dérivations}). Bien sûr dans le cas général, il s'agit de paquets binaires pré-construits, mais les archives des sources par exemple résultent aussi de la construction d'une dérivation qui peut aussi être disponible en tant que substitut. @menu * Serveur de substituts officiel:: Une source particulière de substituts. * Autoriser un serveur de substituts:: Comment activer ou désactiver les substituts. * Authentification des substituts:: Coment Guix vérifie les substituts. * Paramètres de serveur mandataire:: Comment récupérer des substituts à travers un serveur mandataire. * Échec de substitution:: Qu'arrive-t-il quand la substitution échoue. * De la confiance en des binaires:: Comment pouvez-vous avoir confiance en un paquet binaire ? @end menu @node Serveur de substituts officiel @subsection Serveur de substituts officiel @cindex hydra @cindex ferme de construction Le serveur @code{mirror.hydra.gnu.org} est une interface à la ferme de construction officielle qui construit des paquets pour Guix continuellement pour certaines architectures et les rend disponibles en tant que substituts. C'est la source par défaut des substituts ; elle peut être modifiée en passant l'option @option{--substitute-urls} soit à @command{guix-daemon} (@pxref{daemon-substitute-urls,, @code{guix-daemon --substitute-urls}}) soit aux outils clients comme @command{guix package} (@pxref{client-substitute-urls,, client @option{--substitute-urls} option}). Les URL des substituts peuvent être soit en HTTP soit en HTTPS. Le HTTPS est recommandé parce que les communications sont chiffrées ; à l'inverse HTTP rend les communications visibles pour un espion qui peut utiliser les informations accumulées sur vous pour déterminer par exemple si votre système a des vulnérabilités de sécurités non corrigées. Les substituts de la ferme de construction officielle sont activés par défaut dans la distribution système Guix (@pxref{Distribution GNU}). Cependant, ils sont désactivés par défaut lorsque vous utilisez Guix sur une distribution externe, à moins que vous ne les ayez explicitement activés via l'une des étapes d'installation recommandées (@pxref{Installation}). Les paragraphes suivants décrivent comment activer ou désactiver les substituts de la ferme de construction ; la même procédure peut être utilisée pour activer les substituts de n'importe quel autre serveur de substituts. @node Autoriser un serveur de substituts @subsection Autoriser un serveur de substituts @cindex sécurité @cindex substituts, autorisations @cindex liste de contrôle d'accès (ACL), pour les substituts @cindex ACL (liste de contrôle d'accès), pour les substituts Pour permettre à Guix de télécharger les substituts depuis @code{hydra.gnu.org} ou un mirroir, vous devez ajouter sa clef publique à la liste de contrôle d'accès (ACL) des imports d'archives, avec la commande @command{guix archive} (@pxref{Invoquer guix archive}). Cela implique que vous faîtes confiance à @code{hydra.gnu.org} pour ne pas être compromis et vous servir des substituts authentiques. La clef publique pour @code{hydra.gnu.org} est installée avec Guix, dans @code{@var{préfixe}/share/guix/hydra.gnu.org.pub}, où @var{préfixe} est le préfixe d'installation de Guix. Si vous avez installé Guix depuis les sources, assurez-vous d'avoir vérifié la signature GPG de @file{guix-@value{VERSION}.tar.gz} qui contient ce fichier de clef publique. Ensuite vous pouvez lancer quelque chose comme ceci : @example # guix archive --authorize < @var{préfixe}/share/guix/hydra.gnu.org.pub @end example @quotation Remarque De même, le fichier @file{berlin.guixsd.org.pub} contient la clef publique de la nouvelle ferme de construction du projet, disponible depuis @indicateurl{https://berlin.guixsd.org}. Au moment où ces lignes sont écrites, @code{berlin.guixsd.org} est mis à niveau pour mieux passer à l'échelle, mais vous pourriez vouloir le tester. Il est associé à 20 nœuds de construction x86_64/i686 et pourrait fournir des substituts plus rapidement que @code{mirror.hydra.gnu.org} @end quotation Une fois que cela est en place, la sortie d'une commande comme @code{guix build} devrait changer de quelque chose comme : @example $ guix build emacs --dry-run Les dérivations suivantes seraient construites : /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv @dots{} @end example @noindent à quelque chose comme : @example $ guix build emacs --dry-run 112.3 Mo seraient téléchargés : /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 @dots{} @end example @noindent Cela indique que les substituts de @code{hydra.gnu.org} sont utilisables et seront téléchargés, si possible, pour les futures constructions. @cindex substituts, comment les désactiver Le mécanisme de substitution peut être désactivé globalement en lançant @code{guix-daemon} avec @code{--no-substitutes} (@pxref{Invoquer guix-daemon}). Il peut aussi être désactivé temporairement en passant l'option @code{--no-substitutes} à @command{guix package}, @command{guix build} et aux autres outils en ligne de commande. @node Authentification des substituts @subsection Authentification des substituts @cindex signatures numériques Guix détecte et lève une erreur lorsqu'il essaye d'utiliser un substituts qui a été modifié. De même, il ignore les substituts qui ne sont pas signés ou qui ne sont pas signés par l'une des clefs listés dans l'ACL. Il y a une exception cependant : si un serveur non autorisé fournit des substituts qui sont @emph{identiques bit-à-bit} à ceux fournis par un serveur autorisé, alors le serveur non autorisé devient disponible pour les téléchargements. Par exemple en supposant qu'on a choisi deux serveurs de substituts avec cette option : @example --substitute-urls="https://a.example.org https://b.example.org" @end example @noindent @cindex constructions reproductibles Si l'ACL contient uniquement la clef de @code{b.example.org}, et si @code{a.example.org} sert @emph{exactement les mêmes} substituts, alors Guix téléchargera les substituts de @code{a.example.org} parce qu'il vient en premier dans la liste et peut être considéré comme un mirroir de @code{b.example.org}. En pratique, des machines de constructions produisent souvent les mêmes binaires grâce à des construction reproductibles au bit près (voir plus bas). Lorsque vous utilisez HTTPS, le certificat X.509 du serveur n'est @emph{pas} validé (en d'autre termes, le serveur n'est pas authentifié), contrairement à ce que des clients HTTPS comme des navigateurs web font habituellement. Cela est dû au fait que Guix authentifie les informations sur les substituts eux-même, comme expliqué plus haut, ce dont on se soucie réellement (alors que les certificats X.509 authentifie la relation entre nom de domaine et clef publique). @node Paramètres de serveur mandataire @subsection Paramètres de serveur mandataire @vindex http_proxy Les substituts sont téléchargés par HTTP ou HTTPS. La variable d'environnement @code{http_proxy} peut être initialisée dans l'environnement de @command{guix-daemon} et est respectée pour le téléchargement des substituts. Remarquez que la valeur de @code{http_proxy} dans l'environnement où tournent @command{guix build}, @command{guix package} et les autres clients n'a @emph{absolument aucun effet}. @node Échec de substitution @subsection Échec de substitution Même lorsqu'un substitut pour une dérivation est disponible, la substitution échoue parfois. Cela peut arriver pour plusieurs raisons : le serveur de substitut peut être hors ligne, le substitut a récemment été supprimé du serveur, la connexion peut avoir été interrompue, etc. Lorsque les substituts sont activés et qu'un substitut pour une dérivation est disponible, mais que la tentative de substitution échoue, Guix essaiera de construire la dérivation localement si @code{--fallback} a été passé en argument (@pxref{fallback-option,, common build option @code{--fallback}}). Plus spécifiquement, si cet option n'a pas été passée en argument, alors aucune construction locale n'est effectuée et la dérivation est considérée comme étant en échec. Cependant, si @code{--fallback} est passé en argument, alors Guix essaiera de construire la dérivation localement et l'échec ou le succès de la dérivation dépend de l'échec ou du succès de la construction locale. Remarquez que lorsque les substituts sont désactivés ou qu'aucun substitut n'est disponible pour la dérivation en question, une construction locale sera @emph{toujours} effectuée, indépendamment du fait que l'argument @code{--fallback} ait été ou non passé. Pour se donner une idée du nombre de substituts disponibles maintenant, vous pouvez essayer de lancer la commande @command{guix weather} (@pxref{Invoquer guix weather}). Cette command fournit des statistiques sur les substituts fournis par un serveur. @node De la confiance en des binaires @subsection De la confiance en des binaires @cindex confiance, en des binaires pré-construits De nos jours, le contrôle individuel sur son utilisation propre de l'informatique est à la merci d'institutions, de sociétés et de groupes avec assez de pouvoir et de détermination pour contourner les infrastructures informatiques et exploiter leurs faiblesses. Bien qu'utiliser les substituts de @code{hydra.gnu.org} soit pratique, nous encourageons les utilisateurs à construire aussi par eux-même, voir à faire tourner leur propre ferme de construction, pour que @code{hydra.gnu.org} devienne une cible moins intéressante. Une façon d'aider est de publier les logiciels que vous construisez avec @command{guix publish} pour que les autres aient plus de choix de serveurs où télécharger les substituts (@pxref{Invoquer guix publish}). Guix possède les fondations pour maximiser la reproductibilité logicielle (@pxref{Fonctionnalités}). Dans la plupart des cas, des constructions indépendantes d'un paquet donnée ou d'une dérivation devrait donner des résultats identiques au bit près. Ainsi, à travers un ensemble de constructions de paquets indépendantes il est possible de renforcer l'intégrité du système. La commande @command{guix challenge} a pour but d'aider les utilisateurs à tester les serveurs de substituts et à aider les développeurs à trouver les constructions de paquets non-déterministes (@pxref{Invoquer guix challenge}). De même, l'option @option{--check} de @command{guix build} permet aux utilisateurs de vérifier si les substituts précédemment installés sont authentiques en les reconstruisant localement (@pxref{build-check, @command{guix build --check}}). Dans le futur, nous aimerions que Guix puisse publier et recevoir des binaires d'autres utilisateurs, d'une manière pair-à-pair. Si vous voulez discuter de ce projet, rejoignez-nous sur @email{guix-devel@@gnu.org}. @node Des paquets avec plusieurs résultats @section Des paquets avec plusieurs résultats @cindex paquets avec plusieurs résultats @cindex sorties de paquets @cindex sorties Souvent, les paquets définis dans Guix ont une seule @dfn{sortie} — c.-à-d.@: que le paquet source conduit à exactement un répertoire dans le dépôt. Lorsque vous lancez @command{guix package -i glibc}, vous installez la sortie par défaut du paquet GNU libc ; la sortie par défaut est appelée @code{out} mais son nom peut être omis comme le montre cette commande. Dans ce cas particuliers, la sortie par défaut de @code{glibc} contient tous les fichiers d'en-tête C, les bibliothèques partagées, les bibliothèques statiques, la documentation Info et les autres fichiers de support. Parfois il est plus approprié de séparer les divers types de fichiers produits par un même paquet source en plusieurs sorties. Par exemple, la bibliothèque C GLib (utilisée par GTK+ et des paquets associés) installe plus de 20 Mo de documentation de référence dans des pages HTML. Pour préserver l'espace disque des utilisateurs qui n'en ont pas besoin, la documentation va dans une sortie séparée nommée @code{doc}. Pour installer la sortie principale de GLib, qui contient tout sauf la documentation, on devrait lancer : @example guix package -i glib @end example @cindex documentation La commande pour installer la documentation est : @example guix package -i glib:doc @end example Certains paquets installent des programmes avec des « empreintes dépendances » différentes. Par exemple le paquet WordNet installe à la fois les outils en ligne de commande et les interfaces graphiques (GUI). La première ne dépend que de la bibliothèque C, alors que cette dernière dépend de Tcl/Tk et des bibliothèques X sous-jacentes. Dans ce cas, nous laissons les outils en ligne de commande dans la sortie par défaut et l'interface graphique dans une sortie séparée. Cela permet aux utilisateurs qui n'ont pas besoin d'interface graphique de gagner de la place. La commande @command{guix size} peut aider à trouver ces situations (@pxref{Invoquer guix size}). @command{guix graph} peut aussi être utile (@pxref{Invoquer guix graph}). Il y a plusieurs paquets à sorties multiples dans la distribution GNU. D'autres noms de sorties conventionnels sont @code{lib} pour les bibliothèques et éventuellement les fichiers d'en-tête, @code{bin} pour les programmes indépendants et @code{debug} pour les informations de débogage (@pxref{Installer les fichiers de débogage}). Les sorties d'un paquet sont listés dans la troisième colonne de la sortie de @command{guix package --list-available} (@pxref{Invoquer guix package}). @node Invoquer guix gc @section Invoquer @command{guix gc} @cindex ramasse-miettes @cindex espace disque Les paquets qui sont installés mais pas utilisés peuvent être @dfn{glanés}. La commande @command{guix gc} permet aux utilisateurs de lancer explicitement le ramasse-miettes pour récupérer de l'espace dans le répertoire @file{/gnu/store}. C'est la @emph{seule} manière de supprimer des fichiers de @file{/gnu/store} — supprimer des fichiers ou des répertoires à la main peut le casser de manière impossible à réparer ! @cindex racines du GC @cindex racines du ramasse-miettes Le ramasse-miettes a un ensemble de @dfn{racines} connues : tout fichier dans @file{/gnu/store} atteignable depuis une racine est considéré comme @dfn{utilisé} et ne peut pas être supprimé ; tous les autres fichiers sont considérés comme @dfn{inutilisés} et peuvent être supprimés. L'ensemble des racines du ramasse-miettes (ou « racines du GC » pour faire court) inclue les profils par défaut des utilisateurs ; par défaut les liens symboliques sous @file{/var/guix/gcroots} représentent ces racines du GC. De nouvelles racines du GC peuvent être ajoutées avec la @command{guix build -- root} par exemple (@pxref{Invoquer guix build}). Avant de lancer @code{guix gc --collect-garbage} pour faire de la place, c'est souvent utile de supprimer les anciennes génération des profils utilisateurs ; de cette façon les anciennes constructions de paquets référencées par ces générations peuvent être glanées. Cela se fait en lançaint @code{guix package --delete-generations} (@pxref{Invoquer guix package}). Nous recommandons de lancer le ramasse-miettes régulièrement ou lorsque vous avez besoin d'espace disque. Par exemple pour garantir qu'au moins 5@tie{}Go d'espace reste libre sur votre disque, lancez simplement : @example guix gc -F 5G @end example Il est parfaitement possible de le lancer comme une tâche périodique non-interactive (@pxref{Exécution de tâches planifiées} pour apprendre comment paramétrer une telle tâche sur GuixSD). Lancer @command{guix gc} sans argument ramassera autant de miettes que possible mais ça n'est pas le plus pratique : vous pourriez vous retrouver à reconstruire ou re-télécharger des logiciels « inutilisés » du point de vu du GC mais qui sont nécessaires pour construire d'autres logiciels — p.@: ex.@: la chaîne de compilation. La command @command{guix gc} a trois modes d'opération : il peut être utilisé pour glaner des fichiers inutilisés (par défaut), pour supprimer des fichiers spécifiques (l'option @code{--delete}), pour afficher des informations sur le ramasse-miettes ou pour des requêtes plus avancées. Les options du ramasse-miettes sont : @table @code @item --collect-garbage[=@var{min}] @itemx -C [@var{min}] Ramasse les miettes — c.-à-d.@: les fichiers inaccessibles de @file{/gnu/store} et ses sous-répertoires. C'est l'opération par défaut lorsqu'aucune option n'est spécifiée. Lorsque @var{min} est donné, s'arrêter une fois que @var{min} octets ont été collectés. @var{min} pour être un nombre d'octets ou inclure un suffixe d'unité, comme @code{MiB} pour mébioctet et @code{GB} pour gigaoctet (@pxref{Block size, size specifications,, coreutils, GNU Coreutils}). Lorsque @var{min} est omis, tout glaner. @item --free-space=@var{libre} @itemx -F @var{libre} Glaner jusqu'à ce que @var{libre} espace soit disponible dans @file{/gnu/store} si possible ; @var{libre} est une quantité de stockage comme @code{500MiB} comme décrit ci-dessus. Lorsque @var{libre} ou plus est disponible dans @file{/gnu/store} ne rien faire et s'arrêter immédiatement. @item --delete @itemx -d Essayer de supprimer tous les fichiers et les répertoires du dépôt spécifiés en argument. Cela échoue si certains des fichiers ne sont pas dans le dépôt ou s'ils sont toujours utilisés. @item --list-failures Lister les éléments du dépôt qui correspondent à des échecs de construction Cela n'affiche rien à moins que le démon n'ait été démarré avec @option{--cache-failures} (@pxref{Invoquer guix-daemon, @option{--cache-failures}}). @item --clear-failures Supprimer les éléments du dépôt spécifiés du cache des constructions échouées. De nouveau, cette option ne fait de sens que lorsque le démon est démarré avec @option{--cache-failures}. Autrement elle ne fait rien. @item --list-dead Montrer la liste des fichiers et des répertoires inutilisés encore présents dans le dépôt — c.-à-d.@: les fichiers et les répertoires qui ne sont plus atteignables par aucune racine. @item --list-live Montrer la liste des fichiers et des répertoires du dépôt utilisés. @end table En plus, les références entre les fichiers existants du dépôt peuvent être demandés : @table @code @item --references @itemx --referrers @cindex dépendances des paquets Lister les références (respectivement les référents) des fichiers du dépôt en argument. @item --requisites @itemx -R @cindex closure Lister les prérequis des fichiers du dépôt passés en argument. Les prérequis sont le fichier du dépôt lui-même, leur références et les références de ces références, récursivement. En d'autre termes, la liste retournée est la @dfn{closure transitive} des fichiers du dépôt. @xref{Invoquer guix size} pour un outil pour surveiller la taille de la closure d'un élément. @xref{Invoquer guix graph} pour un outil pour visualiser le graphe des références. @item --derivers @cindex dérivation Renvoie les dérivations menant aux éléments du dépôt donnés (@pxref{Dérivations}). Par exemple cette commande : @example guix gc --derivers `guix package -I ^emacs$ | cut -f4` @end example @noindent renvoie les fichiers @file{.drv} menant au paquet @code{emacs} installé dans votre profil. Remarquez qu'il peut n'y avoir aucun fichier @file{.drv} par exemple quand ces fichiers ont été glanés. Il peut aussi y avoir plus d'un fichier @file{.drv} correspondant à cause de dérivations à sortie fixées. @end table Enfin, les options suivantes vous permettent de vérifier l'intégrité du dépôt et de contrôler l'utilisation du disque. @table @option @item --verify[=@var{options}] @cindex intégrité, du dépôt @cindex vérification d'intégrité Vérifier l'intégrité du dépôt. Par défaut, s'assurer que tous les éléments du dépôt marqués comme valides dans la base de données du démon existent bien dans @file{/gnu/store}. Lorsqu'elle est fournie, l'@var{option} doit être une liste séparée par des virgule de l'un ou plus parmi @code{contents} et @code{repair}. Lorsque vous passez @option{--verify=contents}, le démon calcul le hash du contenu de chaque élément du dépôt et le compare au hash de sa base de données. Les différences de hash sont rapportées comme des corruptions de données. Comme elle traverse @emph{tous les fichiers du dépôt}, cette commande peut prendre très longtemps pour terminer, surtout sur un système avec un disque lent. @cindex réparer le dépôt @cindex corruption, récupérer de Utiliser @option{--verify=repair} ou @option{--verify=contents,repair} fait que le démon essaie de réparer les objets du dépôt corrompus en récupérant leurs substituts (@pxref{Substituts}). Comme la réparation n'est pas atomique et donc potentiellement dangereuse, elle n'est disponible que pour l'administrateur système. Une alternative plus légère lorsque vous connaissez exactement quelle entrée est corrompue consiste à lancer @command{guix build --repair} (@pxref{Invoquer guix build}). @item --optimize @cindex déduplication Optimiser le dépôt en liant en dur les fichiers identiques — c'est la @dfn{déduplication}. Le démon effectue une déduplication à chaque construction réussie ou import d'archive à moins qu'il n'ait été démarré avec @code{--disable-deduplication} (@pxref{Invoquer guix-daemon, @code{--disable-deduplication}}). Ainsi, cette option est surtout utile lorsque le démon tourne avec @code{--disable-deduplication}. @end table @node Invoquer guix pull @section Invoquer @command{guix pull} @cindex mettre à niveau Guix @cindex mettre à jour Guix @cindex @command{guix pull} @cindex pull Les paquets sont installés ou mis à jour vers la dernière version disponible dans la distribution actuellement disponible sur votre machine locale. Pour mettre à jour cette distribution, en même temps que les outils Guix, vous devez lancer @command{guix pull} ; la commande télécharge le dernier code source de Guix et des descriptions de paquets et le déploie. Le code source est téléchargé depuis un dépôt @uref{https://git-scm.com, Git}. À la fin, @command{guix package} utilisera les paquets et les versions des paquets de la copie de Guix tout juste récupérée. Non seulement ça, mais toutes les commandes Guix et les modules Scheme seront aussi récupérés depuis la dernière version. Les nouvelles sous-commandes de @command{guix} ajoutés par la mise à jour sont aussi maintenant disponibles. Chaque utilisateur peut mettre à jour sa copie de Guix avec @command{guix pull} et l'effet est limité à l'utilisateur qui a lancé @command{guix pull}. Par exemple, lorsque l'utilisateur @code{root} lance @command{guix pull}, cela n'a pas d'effet sur la version de Guix que vois @code{alice} et vice-versa Le résultat après avoir lancé @command{guix pull} est un @dfn{profil} disponible sous @file{~/.config/guix/current} contenant la dernière version de Guix. Ainsi, assurez-vous de l'ajouter au début de votre chemin de recherche pour que vous utilisiez la dernière version. Le même conseil s'applique au manuel Info (@pxref{Documentation}) : @example export PATH="$HOME/.config/guix/current/bin:$PATH" export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH" @end example L'option @code{--list-generations} ou @code{-l} liste les anciennes générations produites par @command{guix pull}, avec des détails sur leur origine : @example $ guix pull -l Génération 1 10 juin 2018 00:18:18 guix 65956ad URL du dépôt : https://git.savannah.gnu.org/git/guix.git branche : origin/master commit : 65956ad3526ba09e1f7a40722c96c6ef7c0936fe Génération 2 11 juin 2018 11:02:49 guix e0cc7f6 URL du dépôt : https://git.savannah.gnu.org/git/guix.git branche : origin/master commit : e0cc7f669bec22c37481dd03a7941c7d11a64f1d Génération 3 13 juin 2018 23:31:07 (actuelle) guix 844cc1c URL du dépôt : https://git.savannah.gnu.org/git/guix.git branche : origin/master commit : 844cc1c8f394f03b404c5bb3aee086922373490c @end example Ce profil @code{~/.config/guix/current} fonctionne comme les autres profils créés par @command{guix package} (@pxref{Invoquer guix package}). C'est-à-dire que vous pouvez lister les générations, revenir en arrière à une génération précédente — c.-à-d.@: la version de Guix précédente — etc : @example $ guix package -p ~/.config/guix/current --roll-back passé de la génération 3 à 2 $ guix package -p ~/.config/guix/current --delete-generations=1 suppression de /home/charlie/.config/guix/current-1-link @end example La commande @command{guix pull} est typiquement invoquée sans arguments mais il supporte les options suivantes : @table @code @item --verbose Produire une sortie verbeuse, en écrivant les journaux de construction sur la sortie d'erreur standard. @item --url=@var{url} Télécharger Guix depuis le dépôt Git à @var{url}. @vindex GUIX_PULL_URL Par défaut, la source est récupérée depuis le dépôt Git canonique sur @code{gnu.org}, pour la branche stable de Guix. Pour utiliser une autre source, paramétrez la variable d'environnement @code{GUIX_PULL_URL}. @item --commit=@var{commit} Déployer de @var{commit}, un ID de commit Git valide représenté par une chaîne hexadécimale. @item --branch=@var{branche} Déployer le haut de la @var{branche}, le nom d'une branche Git disponible sur le répertoire à @var{url}. @item --list-generations[=@var{motif}] @itemx -l [@var{motif}] Liste toutes les générations de @file{~/.config/guix/current} ou, si @var{motif} est fournit, le sous-ensemble des générations qui correspondent à @var{motif}. La syntaxe de @var{motif} est la même qu'avec @code{guix package --list-generations} (@pxref{Invoquer guix package}). @item --bootstrap Utiliser le programme d'amorçage Guile pour construire la dernière version de Guix. Cette option n'est utile que pour les développeurs de Guix. @end table En plus, @command{guix pull} supporte toutes les options de construction communes (@pxref{Options de construction communes}). @node Invoquer guix pack @section Invoquer @command{guix pack} Parfois vous voulez passer un logiciel à des gens qui n'ont pas (encore !) la chance d'utiliser Guix. Vous leur diriez bien de lancer @command{guix package -i @var{quelque chose}} mais ce n'est pas possible dans ce cas. C'est là que @command{guix pack} entre en jeu. @quotation Remarque Si vous cherchez comment échanger des binaires entre des machines où Guix est déjà installé, @pxref{Invoquer guix copy}, @ref{Invoquer guix publish}, et @ref{Invoquer guix archive}. @end quotation @cindex pack @cindex lot @cindex lot d'applications @cindex lot de logiciels La commande @command{guix pack} crée un @dfn{pack} ou @dfn{lot de logiciels} : elle crée une archive tar ou un autre type d'archive contenunt les binaires pour le logiciel qui vous intéresse ainsi que ses dépendances. L'archive qui en résulte peut être utilisée sur toutes les machines qui n'ont pas Guix et les gens peuvent lancer exactement les mêmes binaires que ceux que vous avez avec Guix. Le pack lui-même est créé d'une manière reproductible au bit près, pour que n'importe qui puisse vérifier qu'il contient bien les résultats que vous prétendez proposer. Par exemple, pour créer un lot contenant Guile, Emacs, Geiser et toutes leurs dépendances, vous pouvez lancer : @example $ guix pack guile emacs geiser @dots{} /gnu/store/@dots{}-pack.tar.gz @end example Le résultat ici est une archive tar contenant un répertoire @file{/gnu/store} avec tous les paquets nécessaires. L'archive qui en résulte contient un @dfn{profil} avec les trois paquets qui vous intéressent ; le profil est le même qui celui qui aurait été créé avec @command{guix package -i}. C'est ce mécanisme qui est utilisé pour créer les archives tar binaires indépendantes de Guix (@pxref{Installation binaire}). Les utilisateurs de ce pack devraient lancer @file{/gnu/store/@dots{}-profile/bin/guile} pour lancer Guile, ce qui n'est pas très pratique. Pour éviter cela, vous pouvez créer, disons, un lien symbolique @file{/opt/gnu/bin} vers le profil : @example guix pack -S /opt/gnu/bin=bin guile emacs geiser @end example @noindent De cette façon, les utilisateurs peuvent joyeusement taper @file{/opt/gnu/bin/guile} et profiter. @cindex binaires repositionnables, avec @command{guix pack} Et si le destinataire de votre pack n'a pas les privilèges root sur sa machine, et ne peut donc pas le décompresser dans le système de fichiers racine ? Dans ce cas, vous pourriez utiliser l'option @code{--relocatable} (voir plus bas). Cette option produite des @dfn{binaire repositionnables}, ce qui signifie qu'ils peuvent être placés n'importe où dans l'arborescence du système de fichiers : dans l'exemple au-dessus, les utilisateurs peuvent décompresser votre archive dans leur répertoire personnel et lancer directement @file{./opt/gnu/bin/guile}. @cindex Docker, construire une image avec guix pack Autrement, vous pouvez produire un pack au format d'image Docker avec la commande suivante : @example guix pack -f docker guile emacs geiser @end example @noindent Le résultat est une archive tar qui peut être passée à la commande @command{docker load}. Voir la @uref{https://docs.docker.com/engine/reference/commandline/load/, documentation de Docker} pour plus d'informations. @cindex Singularity, construire une image avec guix pack @cindex SquashFS, construire une image avec guix pack Autrement, vous pouvez produire une image SquashFS avec la commande suivante : @example guix pack -f squashfs guile emacs geiser @end example @noindent Le résultat est une image de système de fichiers SquashFS qui peut soit être montée directement soit être utilisée comme image de conteneur de système de fichiers avec l'@uref{http://singularity.lbl.gov, environnement d'exécution conteneurisé Singularity}, avec des commandes comme @command{singularity shell} ou @command{singularity exec}. Diverses options en ligne de commande vous permettent de personnaliser votre pack : @table @code @item --format=@var{format} @itemx -f @var{format} Produire un pack dans le @var{format} donné. Les formats disponibles sont : @table @code @item tarball C'est le format par défaut. Il produit une archive tar contenant tous les binaires et les liens symboliques spécifiés. @item docker Cela produit une archive tar qui suit la @uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md, spécification des images Docker}. @item squashfs Cela produit une image SquashFS contenant tous les binaires et liens symboliques spécifiés, ainsi que des points de montages vides pour les systèmes de fichiers virtuels comme procfs. @end table @item --relocatable @itemx -R Produit des @dfn{binaires repositionnables} — c.-à-d.@: des binaires que vous pouvez placer n'importe où dans l'arborescence du système de fichiers et les lancer à partir de là. Par exemple, si vous créez un pack contenant Bash avec : @example guix pack -R -S /mybin=bin bash @end example @noindent … vous pouvez copier ce pack sur une machine qui n'a pas Guix et depuis votre répertoire personnel en tant qu'utilisateur non-privilégié, lancer : @example tar xf pack.tar.gz ./mybin/sh @end example @noindent Dans ce shell, si vous tapez @code{ls /gnu/store}, vous remarquerez que @file{/gnu/store} apparaît et contient toutes les dépendances de @code{bash}, même si la machine n'a pas du tout de @file{/gnu/store} ! C'est sans doute la manière la plus simple de déployer du logiciel construit avec Guix sur une machine sans Guix. Il y a un inconvénient cependant : cette technique repose sur les @dfn{espaces de noms} du noyau Linux qui permettent à des utilisateurs non-privilégiés de monter des systèmes de fichiers ou de changer de racine. Les anciennes versions de Linux ne le supportaient pas et certaines distributions GNU/Linux les désactivent ; sur ces système, les programme du pack @emph{ne fonctionneront pas} à moins qu'ils ne soient décompressés à la racine du système de fichiers. @item --expression=@var{expr} @itemx -e @var{expr} Considérer le paquet évalué par @var{expr}. Cela a le même but que l'option de même nom de @command{guix build} (@pxref{Options de construction supplémentaires, @code{--expression} dans @command{guix build}}). @item --manifest=@var{fichier} @itemx -m @var{fichier} Utiliser les paquets contenus dans l'objet manifeste renvoyé par le code Scheme dans @var{fichier} Elle a un but similaire à l'option de même nom dans @command{guix package} (@pxref{profile-manifest, @option{--manifest}}) et utilise les mêmes fichiers manifeste. Ils vous permettent de définir une collection de paquets une fois et de l'utiliser aussi bien pour créer des profils que pour créer des archives pour des machines qui n'ont pas Guix d'installé. Remarquez que vous pouvez spécifier @emph{soit} un fichier manifeste, @emph{soit} une liste de paquet, mais pas les deux. @item --system=@var{système} @itemx -s @var{système} Tenter de construire pour le @var{système} — p.@: ex.@: @code{i686-linux} — plutôt que pour le type de système de l'hôte de construction. @item --target=@var{triplet} @cindex compilation croisée Effectuer une compilation croisée pour @var{triplet} qui doit être un triplet GNU valide, comme @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU configuration triplets,, autoconf, Autoconf}). @item --compression=@var{outil} @itemx -C @var{outil} Compresser l'archive résultante avec @var{outil} — l'un des outils parmi @code{bzip2}, @code{xz}, @code{lzip} ou @code{none} pour aucune compression. @item --symlink=@var{spec} @itemx -S @var{spec} Ajouter les liens symboliques spécifiés par @var{spec} dans le pack. Cette option peut apparaître plusieurs fois. @var{spec} a la forme @code{@var{source}=@var{cible}}, où @var{source} est le lien symbolique qui sera créé et @var{cible} est la cible du lien. Par exemple, @code{-S /opt/gnu/bin=bin} crée un lien symbolique @file{/opt/gnu/bin} qui pointe vers le sous-répertoire @file{bin} du profil. @item --localstatedir Inclure le « répertoire d'état local », @file{/var/guix} dans le paquet résultant. @file{/var/guix} contient la base de données du dépôt (@pxref{Le dépôt}) ainsi que les racines du ramasse-miettes (@pxref{Invoquer guix gc}). Le fournir dans le pack signifie que le dépôt et « complet » et gérable par Guix ; ne pas le fournir dans le pack signifie que le dépôt est « mort » : aucun élément ne peut être ajouté ni enlevé après l'extraction du pack. Un cas d'utilisation est l'archive binaire indépendante de Guix (@pxref{Installation binaire}). @item --bootstrap Utiliser les programmes d'amorçage pour construire le pack. Cette option n'est utile que pour les développeurs de Guix. @end table En plus, @command{guix pack} supporte toutes les options de construction communes (@pxref{Options de construction communes}) et toutes les options de transformation de paquets (@pxref{Options de transformation de paquets}). @node Invoquer guix archive @section Invoquer @command{guix archive} @cindex @command{guix archive} @cindex archive La commande @command{guix archive} permet aux utilisateurs d'@dfn{exporter} des fichiers du dépôt dans une simple archive puis ensuite de les @dfn{importer} sur une machine qui fait tourner Guix. En particulier, elle permet de transférer des fichiers du dépôt d'une machine vers le dépôt d'une autre machine. @quotation Remarque Si vous chercher une manière de produire des archives dans un format adapté pour des outils autres que Guix, @pxref{Invoquer guix pack}. @end quotation @cindex exporter des éléments du dépôt Pour exporter des fichiers du dépôt comme une archive sur la sortie standard, lancez : @example guix archive --export @var{options} @var{spécifications}... @end example @var{spécifications} peut être soit des noms de fichiers soit des spécifications de paquets, comme pour @command{guix package} (@pxref{Invoquer guix package}). Par exemple, la commande suivante crée une archive contenant la sortie @code{gui} du paquet @code{git} et la sortie principale de @code{emacs} : @example guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar @end example Si les paquets spécifiés ne sont pas déjà construits, @command{guix archive} les construit automatiquement. Le processus de construction peut être contrôlé avec les options de construction communes (@pxref{Options de construction communes}). Pour transférer le paquet @code{emacs} vers une machine connectée en SSH, on pourrait lancer : @example guix archive --export -r emacs | ssh la-machine guix archive --import @end example @noindent De même, on peut transférer un profil utilisateur complet d'une machine à une autre comme cela : @example guix archive --export -r $(readlink -f ~/.guix-profile) | \ ssh la-machine guix-archive --import @end example @noindent Cependant, remarquez que, dans les deux exemples, le paquet @code{emacs}, le profil ainsi que toutes leurs dépendances sont transférées (à cause de @code{-r}), indépendamment du fait qu'ils soient disponibles dans le dépôt de la machine cible. L'option @code{--missing} peut vous aider à comprendre les éléments qui manquent dans le dépôt de la machine cible. La commande @command{guix copy} simplifie et optimise ce processus, c'est donc ce que vous devriez utiliser dans ce cas (@pxref{Invoquer guix copy}). @cindex nar, format d'archive @cindex archive normalisée (nar) Les archives sont stockées au format « archive normalisé » ou « nar », qui est comparable dans l'esprit à « tar » mais avec des différences qui le rendent utilisable pour ce qu'on veut faire. Tout d'abord, au lieu de stocker toutes les métadonnées Unix de chaque fichier, le format nar ne mentionne que le type de fichier (normal, répertoire ou lien symbolique) ; les permissions Unix, le groupe et l'utilisateur ne sont pas mentionnés. Ensuite, l'ordre dans lequel les entrées de répertoires sont stockés suit toujours l'ordre des noms de fichier dans l'environnement linguistique C. Cela rend la production des archives entièrement déterministe. @c FIXME: Add xref to daemon doc about signatures. Lors de l'export, le démon signe numériquement le contenu de l'archive et cette signature est ajoutée à la fin du fichier. Lors de l'import, le démon vérifie la signature et rejette l'import en cas de signature invalide ou si la clef de signature n'est pas autorisée. Les principales options sont : @table @code @item --export Exporter les fichiers ou les paquets du dépôt (voir plus bas). Écrire l'archive résultante sur la sortie standard. Les dépendances ne sont @emph{pas} incluses dans la sortie à moins que @code{--recursive} ne soit passé. @item -r @itemx --recursive En combinaison avec @code{--export}, cette option demande à @command{guix archive} d'inclure les dépendances des éléments donnés dans l'archive. Ainsi, l'archive résultante est autonome : elle contient la closure des éléments du dépôt exportés. @item --import Lire une archive depuis l'entrée standard et importer les fichiers inclus dans le dépôt. Annuler si l'archive a une signature invalide ou si elle est signée par une clef publique qui ne se trouve pas dans le clefs autorisées (voir @code{--authorize} plus bas.) @item --missing Liste une liste de noms de fichiers du dépôt sur l'entrée standard, un par ligne, et écrit sur l'entrée standard le sous-ensemble de ces fichiers qui manquent dans le dépôt. @item --generate-key[=@var{paramètres}] @cindex signature, archives Générer une nouvelle paire de clefs pour le démon. Cela est un prérequis avant que les archives ne puissent être exportées avec @code{--export}. Remarquez que cette opération prend généralement du temps parce qu'elle doit récupère suffisamment d'entropie pour générer la paire de clefs. La paire de clefs générée est typiquement stockée dans @file{/etc/guix}, dans @file{signing-key.pub} (clef publique) et @file{signing-key.sec} (clef privée, qui doit rester secrète). Lorsque @var{paramètres} est omis, une clef ECDSA utilisant la courbe Ed25519 est générée ou pour les version de libgcrypt avant 1.6.0, une clef RSA de 4096 bits. Autrement, @var{paramètres} peut spécifier les paramètres @code{genkey} adaptés pour libgcrypt (@pxref{General public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The Libgcrypt Reference Manual}). @item --authorize @cindex autorisation, archives Autoriser les imports signés par la clef publique passée sur l'entrée standard. La clef publique doit être au « format avancé s-expression » — c.-à-d.@: le même format que le fichier @file{signing-key.pub}. La liste des clefs autorisées est gardée dans un fichier modifiable par des humains dans @file{/etc/guix/acl}. Le fichier contient des @url{http://people.csail.mit.edu/rivest/Sexp.txt, « s-expressions au format avancé »} et est structuré comme une liste de contrôle d'accès dans l'@url{http://theworld.com/~cme/spki.txt, infrastructure à clefs publiques simple (SPKI)}. @item --extract=@var{répertoire} @itemx -x @var{répertoire} Lit une archive à un seul élément telle que servie par un serveur de substituts (@pxref{Substituts}) et l'extrait dans @var{répertoire}. C'est une opération de bas niveau requise seulement dans de rares cas d'usage ; voir plus loin. Par exemple, la commande suivante extrait le substitut pour Emacs servi par @code{hydra.gnu.org} dans @file{/tmp/emacs} : @example $ wget -O - \ https://hydra.gnu.org/nar/@dots{}-emacs-24.5 \ | bunzip2 | guix archive -x /tmp/emacs @end example Les archives à un seul élément sont différentes des archives à plusieurs éléments produites par @command{guix archive --export} ; elles contiennent un seul élément du dépôt et elles n'embarquent @emph{pas} de signature. Ainsi cette opération ne vérifie @emph{pas} de signature et sa sortie devrait être considérée comme non sûre. Le but principal de cette opération est de faciliter l'inspection du contenu des archives venant de serveurs auxquels on ne fait potentiellement pas confiance. @end table @c ********************************************************************* @node Interface de programmation @chapter Interface de programmation GNU Guix fournit diverses interface de programmation Scheme (API) qui pour définir, construire et faire des requêtes sur des paquets. La première interface permet aux utilisateurs d'écrire des définitions de paquets de haut-niveau. Ces définitions se réfèrent à des concepts de création de paquets familiers, comme le nom et la version du paquet, son système de construction et ses dépendances. Ces définitions peuvent ensuite être transformées en actions concrètes lors de la construction. Les actions de construction sont effectuées par le démon Guix, pour le compte des utilisateurs. Dans un environnement standard, le démon possède les droits en écriture sur le dépôt — le répertoire @file{/gnu/store} — mais pas les utilisateurs. La configuration recommandée permet aussi au démon d'effectuer la construction dans des chroots, avec un utilisateur de construction spécifique pour minimiser les interférences avec le reste du système. @cindex dérivation Il y a des API de plus bas niveau pour interagir avec le démon et le dépôt. Pour demander au démon d'effectuer une action de construction, les utilisateurs lui donnent en fait une @dfn{dérivation}. Une dérivation est une représentation à bas-niveau des actions de construction à entreprendre et l'environnement dans lequel elles devraient avoir lieu — les dérivations sont aux définitions de paquets ce que l'assembleur est aux programmes C. Le terme de « dérivation » vient du fait que les résultats de la construction en @emph{dérivent}. Ce chapitre décrit toutes ces API tour à tour, à partir des définitions de paquets à haut-niveau. @menu * Définition des paquets:: Définir de nouveaux paquets. * Systèmes de construction:: Spécifier comment construire les paquets. * Le dépôt:: Manipuler le dépôt de paquets. * Dérivations:: Interface de bas-niveau avec les dérivations de paquets. * La monad du dépôt:: Interface purement fonctionnelle avec le dépôt. * G-Expressions:: Manipuler les expressions de construction. @end menu @node Définition des paquets @section Définition des paquets L'interface de haut-niveau pour les définitions de paquets est implémentée dans les modules @code{(guix packages)} et @code{(guix build-system)}. Par exemple, la définition du paquet, ou la @dfn{recette}, du paquet GNU Hello ressemble à cela : @example (define-module (gnu packages hello) #:use-module (guix packages) #:use-module (guix download) #:use-module (guix build-system gnu) #:use-module (guix licenses) #:use-module (gnu packages gawk)) (define-public hello (package (name "hello") (version "2.10") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/hello/hello-" version ".tar.gz")) (sha256 (base32 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--enable-silent-rules"))) (inputs `(("gawk" ,gawk))) (synopsis "Hello, GNU world: An example GNU package") (description "Guess what GNU Hello prints!") (home-page "http://www.gnu.org/software/hello/") (license gpl3+))) @end example @noindent Sans être un expert Scheme, le lecteur peut comprendre la signification des différents champs présents. Cette expression lie la variable @code{hello} à un objet @code{}, qui est essentiellement un enregistrement (@pxref{SRFI-9, Scheme records,, guile, GNU Guile Reference Manual}). On peut inspecter cet objet de paquet avec les procédures qui se trouvent dans le module @code{(guix packages)} ; par exemple, @code{(package-name hello)} renvoie — oh surprise ! — @code{"hello"}. Avec un peu de chance, vous pourrez importer tout ou partie de la définition du paquet qui vous intéresse depuis un autre répertoire avec la commande @code{guix import} (@pxref{Invoquer guix import}). Dans l'exemple précédent, @var{hello} est défini dans un module à part, @code{(gnu packages hello)}. Techniquement, cela n'est pas strictement nécessaire, mais c'est pratique : tous les paquets définis dans des modules sous @code{(gnu packages @dots{})} sont automatiquement connus des outils en ligne de commande (@pxref{Modules de paquets}). Il y a quelques points à remarquer dans la définition de paquet précédente : @itemize @item Le champ @code{source} du paquet est un objet @code{} (@pxref{Référence d'origine}, pour la référence complète). Ici, on utilise la méthode @code{url-fetch} de @code{(guix download)}, ce qui signifie que la source est un fichier à télécharger par FTP ou HTTP. Le préfixe @code{mirror://gnu} demande à @code{url-fetch} d'utiliser l'un des miroirs GNU définis dans @code{(guix download)}. Le champ @code{sha256} spécifie le hash SHA256 attendu pour le fichier téléchargé. Il est requis et permet à Guix de vérifier l'intégrité du fichier. La forme @code{(base32 @dots{})} introduit a représentation en base32 du hash. Vous pouvez obtenir cette information avec @code{guix download} (@pxref{Invoquer guix download}) et @code{guix hash} (@pxref{Invoquer guix hash}). @cindex correctifs Lorsque cela est requis, la forme @code{origin} peut aussi avec un champ @code{patches} qui liste les correctifs à appliquer et un champ @code{snippet} qui donne une expression Scheme pour modifier le code source. @item @cindex Système de construction GNU Le champ @code{build-system} spécifie la procédure pour construire le paquet (@pxref{Systèmes de construction}). Ici, @var{gnu-build-system} représente le système de construction GNU familier, où les paquets peuvent être configurés, construits et installés avec la séquence @code{./configure && make && make check && make install} habituelle. @item Le champ @code{arguments} spécifie des options pour le système de construction (@pxref{Systèmes de construction}). Ici il est interprété par @var{gnu-build-system} comme une demande de lancer @file{configure} avec le drapeau @code{--enable-silent-rules}. @cindex quote @cindex quoting @findex ' @findex quote Que sont ces apostrophes (@code{'}) ? C'est de la syntaxe Scheme pour introduire une liste ; @code{'} est synonyme de la fonction @code{quote}. @xref{Expression Syntax, quoting,, guile, GNU Guile Reference Manual}, pour des détails. Ice la valeur du champ @code{arguments} est une liste d'arguments passés au système de construction plus tard, comme avec @code{apply} (@pxref{Fly Evaluation, @code{apply},, guile, GNU Guile Reference Manual}). La séquence dièse-deux-points (@code{#:}) définie un @dfn{mot-clef} Scheme (@pxref{Keywords,,, guile, GNU Guile Reference Manual}), et @code{#:configure-flags} est un mot-clef utilisé pour passer un argument au système de construction (@pxref{Coding With Keywords,,, guile, GNU Guile Reference Manual}). @item Le champ @code{inputs} spécifie les entrées du processus de construction — c.-à-d.@: les dépendances à la construction ou à l'exécution du paquet. Ici on définie une entrée nommée @code{"gawk"} dont la valeur est la variable @var{gawk} ; @var{gawk} est elle-même liée à un objet @code{}. @cindex accent grave (quasiquote) @findex ` @findex quasiquote @cindex virgule (unquote) @findex , @findex unquote @findex ,@@ @findex unquote-splicing De nouveau, @code{`} (un accent grave, synonyme de la fonction @code{quasiquote}) nous permet d'introduire une liste litérale dans le champ @code{inputs}, tandis que @code{,} (une virgule, synonyme de la fonction @code{unquote}) nous permet d'insérer une valeur dans cette liste (@pxref{Expression Syntax, unquote,, guile, GNU Guile Reference Manual}). Remarquez que GCC, Coreutils, Bash et les autres outils essentiels n'ont pas besoin d'être spécifiés en tant qu'entrées ici. À la place, le @var{gnu-build-system} est en charge de s'assurer qu'ils sont présents (@pxref{Systèmes de construction}). Cependant, toutes les autres dépendances doivent être spécifiées dans le champ @code{inputs}. Toute dépendance qui ne serait pas spécifiée ici sera simplement indisponible pour le processus de construction, ce qui peut mener à un échec de la construction. @end itemize @xref{Référence de paquet}, pour une description complète des champs possibles. Lorsqu'une définition de paquet est en place, le paquet peut enfin être construit avec l'outil en ligne de commande @code{guix build} (@pxref{Invoquer guix build}), pour résoudre les échecs de construction que vous pourriez rencontrer (@pxref{Débogage des échecs de construction}). Vous pouvez aisément revenir à la définition du paquet avec la commande @command{guix edit} (@pxref{Invoquer guix edit}). @xref{Consignes d'empaquetage}, pour plus d'inforamtions sur la manière de tester des définitions de paquets et @ref{Invoquer guix lint}, pour des informations sur la manière de vérifier que la définition réspecte les conventions de style. @vindex GUIX_PACKAGE_PATH Enfin, @pxref{Modules de paquets} pour des informations sur la manière d'étendre la distribution en ajoutant vos propres définitions de paquets dans @code{GUIX_PACKAGE_PATH}. Finalement, la mise à jour de la définition du paquet à une nouvelle version amont peut en partie s'automatiser avec la commande @command{guix refresh} (@pxref{Invoquer guix refresh}). Sous le capot, une dérivation qui correspond à un objet @code{} est d'abord calculé par la procédure @code{package-derivation}. Cette dérivation est stockée dans un fichier @code{.drv} dans @file{/gnu/store}. Les actions de construction qu'il prescrit peuvent ensuite être réalisées par la procédure @code{build-derivation} (@pxref{Le dépôt}). @deffn {Procédure Scheme} package-derivation @var{dépôt} @var{paquet} [@var{système}] Renvoie l'objet @code{} du @var{paquet} pour le @var{système} (@pxref{Dérivations}). @var{paquet} doit être un objet @code{} valide et @var{système} une chaîne indiquant le type de système cible — p.ex.@: @code{"x86_64-linux"} pour un système GNU x86_64 basé sur Linux. @var{dépôt} doit être une connexion au démon, qui opère sur les dépôt (@pxref{Le dépôt}). @end deffn @noindent @cindex compilation croisée De manière identique, il est possible de calculer une dérivation qui effectue une compilation croisée d'un paquet pour un autre système : @deffn {Procédure Scheme} package-cross-derivation @var{dépôt} @ @var{paquet} @var{cible} [@var{système}] renvoie l'objet @code{} duof @var{paquet} construit depuis @var{système} pour @var{cible}. @var{cible} doit être un triplet GNU valide indiquant le matériel cible et le système d'exploitation, comme @code{"mips64el-linux-gnu"} (@pxref{Configuration Names, GNU configuration triplets,, configure, GNU Configure and Build System}). @end deffn @cindex transformations de paquets @cindex réécriture d'entrées @cindex réécriture de l'arbre des dépendances On peut manipuler les paquets de manière arbitraire. Une transformation utile est par exemple la @dfn{réécriture d'entrées} où l'arbre des dépendances d'un paquet est réécrit en replaçant des entrées spécifiques par d'autres : @deffn {Procédure Scheme} package-input-rewriting @var{remplacements} @ [@var{nom-réécrit}] Renvoie une procédure qui, lorsqu'on lui donne un paquet, remplace des dépendances directes et indirectes (mais pas ses entrées implicites) en fonction de @var{remplacements}. @var{remplacements} est une liste de paires de paquets ; le premier élément de chaque pair est le paquet à remplacer, le second son remplaçant. De manière facultative, @var{nom-réécrit} est une procédure à un argument qui prend le nom d'un paquet et renvoie son nouveau nom après l'avoir réécrit. @end deffn @noindent Regardez cet exemple : @example (define libressl-instead-of-openssl ;; Cette procédure remplace OPENSSL par LIBRESSL, ;; récursivement. (package-input-rewriting `((,openssl . ,libressl)))) (define git-with-libressl (libressl-instead-of-openssl git)) @end example @noindent Ici nous définissons d'abord une procédure de réécriture qui remplace @var{openssl} par @var{libressl}. Ensuite nous l'utilisons pour définir une @dfn{variante} du paquet @var{git} qui utilise @var{libressl} plutôt que @var{openssl}. cela est exactement ce que l'option en ligne de commande @option{--with-input} fait (@pxref{Options de transformation de paquets, @option{--with-input}}). Une procédure plus générique pour réécrire un graphe de dépendance d'un paquet est @code{package-mapping} : elle supporte n'importe quel changement dans les nœuds du graphe. @deffn {Procédure Scheme} package-mapping @var{proc} [@var{cut?}] Renvoie une procédure qui, avec un paquet, applique @var{proc} sur tous les paquets dont il dépend et renvoie le paquet qui en résulte. La procédure arrête la récursion là où @var{cut?} renvoie vrai pour un paquet donné. @end deffn @menu * Référence de paquet :: Le type de donnée des paquets. * Référence d'origine:: Le type de données d'origine. @end menu @node Référence de paquet @subsection Référence de @code{package} Cette section résume toutes les options disponibles dans les déclarations @code{package} (@pxref{Définition des paquets}). @deftp {Type de donnée} package C'est le type de donnée représentant une recette de paquets @table @asis @item @code{name} Le nom du paquet, comme une chaîne de caractères. @item @code{version} La version du paquet, comme une chaîne de caractères. @item @code{source} Un objet qui indique comment le code source du paquet devrait être récupéré. La plupart du temps, c'est un objet @code{origin} qui indique un fichier récupéré depuis internet (@pxref{Référence d'origine}). Il peut aussi s'agir de tout autre objet ``simili-fichier'' comme un @code{local-file} qui indique un fichier du système de fichier local (@pxref{G-Expressions, @code{local-file}}). @item @code{build-system} Le système de construction qui devrait être utilisé pour construire le paquet (@pxref{Systèmes de construction}). @item @code{arguments} (par défaut : @code{'()}) Les arguments à passer au système de construction. C'est une liste qui contient typiquement une séquence de paires de clefs-valeurs. @item @code{inputs} (par défaut : @code{'()}) @itemx @code{native-inputs} (par défaut : @code{'()}) @itemx @code{propagated-inputs} (par défaut : @code{'()}) @cindex entrées, des paquets Ces champs listent les dépendances du paquet. Chacune est une liste de tuples, où chaque tuple a une étiquette pour une entrée (une chaîne de caractères) comme premier élément, un paquet, une origine ou une dérivation comme deuxième élément et éventuellement le nom d'une sortie à utiliser qui est @code{"out"} par défaut (@pxref{Des paquets avec plusieurs résultats}, pour plus d'informations sur les sorties des paquets). Par exemple, la liste suivante spécifie trois entrées : @example `(("libffi" ,libffi) ("libunistring" ,libunistring) ("glib:bin" ,glib "bin")) ;la sortie "bin" de Glib @end example @cindex compilation croisée, dépendances des paquets La distinction entre @code{native-inputs} et @code{inputs} est nécessaire lorsqu'on considère la compilation croisée. Lors d'une compilation croisée, les dépendances listées dans @code{inputs} sont construites pour l'architecture @emph{cible} ; inversement, les dépendances listées dans @code{native-inputs} sont construites pour l'architecture de la machine de @emph{construction}. @code{native-inputs} est typiquement utilisé pour lister les outils requis à la construction mais pas à l'exécution, comme Autoconf, Automake, pkg-config, Gettext ou Bison. @command{guix lint} peut rapporter des erreurs de ce type (@pxref{Invoquer guix lint}). @anchor{package-propagated-inputs} Enfin, @code{propagated-inputs} est similaire à @code{inputs}, mais les paquets spécifiés seront automatiquement installés avec le paquet auquel ils appartiennent (@pxref{package-cmd-propagated-inputs, @command{guix package}}, pour des informations sur la manière dont @command{guix package} traite les entrées propagées). Par exemple cela est nécessaire lorsque des bibliothèques C/C++ ont besoin d'en-têtes d'une autre bibliothèque pour être compilé ou lorsqu'un fichier pkg-config se rapporte à un autre @i{via} son champ @code{Requires}. Un autre exemple où @code{propagated-inputs} est utile est pour les langages auxquels il manque un moyen de retenir le chemin de recherche comme c'est le cas du @code{RUNPATH} des fichiers ELF ; cela comprend Guile, Python, Perl et plus. Pour s'assurer que les bibliothèques écrites dans ces langages peuvent trouver le code des bibliothèques dont elles dépendent à l'exécution, les dépendances à l'exécution doivent être listées dans @code{propagated-inputs} plutôt que @code{inputs}. @item @code{self-native-input?} (par défaut : @code{#f}) C'est un champ booléen qui indique si le paquet devrait s'utiliser lui-même comme entrée native lors de la compilation croisée. @item @code{outputs} (par défaut : @code{'("out")}) La liste des noms de sorties du paquet. @xref{Des paquets avec plusieurs résultats}, pour des exemples typiques d'utilisation de sorties supplémentaires. @item @code{native-search-paths} (par défaut : @code{'()}) @itemx @code{search-paths} (par défaut : @code{'()}) Une liste d'objets @code{search-path-specification} décrivant les variables d'environnement de recherche de chemins que ce paquet utilise. @item @code{replacement} (par défaut : @code{#f}) Ce champ doit être soit @code{#f} soit un objet de paquet qui sera utilisé comme @dfn{remplaçant} de ce paquet. @xref{Mises à jour de sécurité, grafts}, pour plus de détails. @item @code{synopsis} Une description sur une ligne du paquet. @item @code{description} Une description plus détaillée du paquet. @item @code{license} @cindex licence, des paquets La licence du paquet ; une valeur tirée de @code{(guix licenses)} ou une liste de ces valeurs. @item @code{home-page} L'URL de la page d'accueil du paquet, en tant que chaîne de caractères. @item @code{supported-systems} (par défaut : @var{%supported-systems}) La liste des systèmes supportés par le paquet, comme des chaînes de caractères de la forme @code{architecture-noyau}, par exemple @code{"x86_64-linux"}. @item @code{maintainers} (par défaut : @code{'()}) La liste des mainteneurs du paquet, comme des objets @code{maintainer}. @item @code{location} (par défaut : emplacement de la source de la forme @code{package}) L'emplacement de la source du paquet. C'est utile de le remplacer lorsqu'on hérite d'un autre paquet, auquel cas ce champ n'est pas automatiquement corrigé. @end table @end deftp @node Référence d'origine @subsection Référence de @code{origin} Cette section résume toutes les options disponibles dans le déclarations @code{origin} (@pxref{Définition des paquets}). @deftp {Type de donnée} origin C'est le type de donnée qui représente l'origine d'un code source. @table @asis @item @code{uri} Un objet contenant l'URI de la source. Le type d'objet dépend de la @code{method} (voir plus bas). Par exemple, avec la méthode @var{url-fetch} de @code{(guix download)}, les valeurs valide d'@code{uri} sont : une URL représentée par une chaîne de caractères, ou une liste de chaînes de caractères. @item @code{method} Un procédure qui gère l'URI. Quelques exemples : @table @asis @item @var{url-fetch} de @code{(guix download)} télécharge un fichier depuis l'URL HTTP, HTTPS ou FTP spécifiée dans le champ @code{uri} ; @vindex git-fetch @item @var{git-fetch} de @code{(guix git-download)} clone le dépôt sous contrôle de version Git et récupère la révision spécifiée dans le champ @code{uri} en tant qu'objet @code{git-reference} ; un objet @code{git-reference} ressemble à cela : @example (git-reference (url "git://git.debian.org/git/pkg-shadow/shadow") (commit "v4.1.5.1")) @end example @end table @item @code{sha256} Un bytevector contenant le hash SHA-256 de la source. Typiquement la forme @code{base32} est utilisée ici pour générer le bytevector depuis une chaîne de caractères en base-32. Vous pouvez obtenir cette information avec @code{guix download} (@pxref{Invoquer guix download}) ou @code{guix hash} (@pxref{Invoquer guix hash}). @item @code{file-name} (par défaut : @code{#f}) Le nom de fichier à utiliser pour sauvegarder le fichier. Lorsqu'elle est à @code{#f}, une valeur par défaut raisonnable est utilisée dans la plupart des cas. Dans le cas où la source est récupérée depuis une URL, le nom de fichier est celui de l'URL. Pour les sources récupérées depuis un outil de contrôle de version, il est recommandé de fournir un nom de fichier explicitement parce que le nom par défaut n'est pas très descriptif. @item @code{patches} (par défaut : @code{'()}) Une liste de noms de fichiers, d'origines ou d'objets simili-fichiers (@pxref{G-Expressions, file-like objects}) qui pointent vers des correctifs à appliquer sur la source. Cette liste de correctifs doit être inconditionnelle. En particulier, elle ne peut pas dépendre des valeurs de @code{%current-system} ou @code{%current-target-system}. @item @code{snippet} (par défaut : @code{#f}) Une G-expression (@pxref{G-Expressions}) ou une S-expression qui sera lancée dans le répertoire des sources. C'est une manière pratique de modifier la source, parfois plus qu'un correctif. @item @code{patch-flags} (par défaut : @code{'("-p1")}) Une liste de drapeaux à passer à la commande @code{patch}. @item @code{patch-inputs} (par défaut : @code{#f}) Paquets d'entrées ou dérivations pour le processus de correction. Lorsqu'elle est à @code{#f}, l'ensemble d'entrées habituellement nécessaire pour appliquer des correctifs est fournit, comme GNU@tie{}Patch. @item @code{modules} (par défaut : @code{'()}) Une liste de modules Guile qui devraient être chargés pendant le processus de correction et pendant que le lancement du code du champ @code{snippet}. @item @code{patch-guile} (par défaut : @code{#f}) Le paquet Guile à utiliser dans le processus de correction. Lorsqu'elle est à @code{#f}, une valeur par défaut raisonnable est utilisée. @end table @end deftp @node Systèmes de construction @section Systèmes de construction @cindex système de construction Chaque définition de paquet définie un @dfn{système de construction} et des arguments pour ce système de construction (@pxref{Définition des paquets}). Ce champ @code{build-system} représente la procédure de construction du paquet, ainsi que des dépendances implicites pour cette procédure de construction. Les systèmes de construction sont des objets @code{}. L'interface pour les créer et les manipuler est fournie par le module @code{(guix build-system)} et les systèmes de construction eux-mêmes sont exportés par des modules spécifiques. @cindex sac (représentation à bas-niveau des paquets) Sous le capot, les systèmes de construction compilent d'abord des objets paquets en @dfn{sacs}. Un @dfn{sac} est comme un paquet, mais avec moins de décoration — en d'autres mots, un sac est une représentation à bas-niveau d'un paquet, qui inclus toutes les entrées de ce paquet, dont certaines ont été implicitement ajoutées par le système de construction. Cette représentation intermédiaire est ensuite compilée en une dérivation (@pxref{Dérivations}). Les systèmes de construction acceptent une liste d'@dfn{arguments} facultatifs. Dans les définitions de paquets, ils sont passés @i{via} le champ @code{arguments} (@pxref{Définition des paquets}). Ce sont typiquement des arguments par mot-clef (@pxref{Optional Arguments, keyword arguments in Guile,, guile, GNU Guile Reference Manual}). La valeur de ces arguments est habituellement évaluée dans la @dfn{strate de construction} — c.-à-d.@: par un processus Guile lancé par le démon (@pxref{Dérivations}). Le système de construction principal est le @var{gnu-build-system} qui implémente les procédures de construction standard pour les paquets GNU et de nombreux autres. Il est fournit par le module @code{(guix build-system gnu)}. @defvr {Variable Scheme} gnu-build-system @var{gnu-build-system} représente le système de construction GNU et ses variantes (@pxref{Configuration, configuration and makefile conventions,, standards, GNU Coding Standards}). @cindex phases de construction En résumé, les paquets qui l'utilisent sont configurés, construits et installés avec la séquence @code{./configure && make && make check && make install} habituelle. En pratique, des étapes supplémentaires sont souvent requises. Toutes ces étapes sont séparées dans des @dfn{phases} différentes, notamment@footnote{Regardez les modules @code{(guix build gnu-build-system)} pour plus de détails sur les phases de construction.}: @table @code @item unpack Décompresse l'archive des sources et se déplace dans l'arborescence des sources fraîchement extraites. Si la source est en fait un répertoire, le copie dans l'arborescence de construction et entre dans ce répertoire. @item patch-source-shebangs Corrige les shebangs (@code{#!}) rencontrés dans les fichiers pour qu'ils se réfèrent aux bons noms de fichiers. Par exemple, elle change @code{#!/bin/sh} en @code{#!/gnu/store/@dots{}-bash-4.3/bin/sh}. @item configure Lance le script @code{configure} avec un certain nombre d'options par défaut, comme @code{--prefix=/gnu/store/@dots{}}, ainsi que les options spécifiées par l'argument @code{#:configure-flags}. @item build Lance @code{make} avec la liste des drapeaux spécifiés avec @code{#:make-flags}. Si l'argument @code{#:parallel-build?} est vrai (par défaut), construit avec @code{make -j}. @item check Lance @code{make check}, ou une autre cible spécifiée par @code{#:test-target}, à moins que @code{#:tests? #f} ne soit passé. Si l'argument @code{#:parallel-tests?} est vrai (par défaut), lance @code{make check -j}. @item install Lance @code{make install} avec les drapeaux listés dans @code{#:make-flags}. @item patch-shebangs Corrige les shebangs des fichiers exécutables installés. @item strip Nettoie les symboles de débogage dans les fichiers ELF (à moins que @code{#:strip-binaries?} ne soit faux), les copie dans la sortie @code{debug} lorsqu'elle est disponible (@pxref{Installer les fichiers de débogage}). @end table @vindex %standard-phases Le module du côté du constructeur @code{(guix build gnu-build-system)} définie @var{%standard-phases} comme la liste par défaut des phases de construction. @var{%standard-phases} est une liste de paires de symboles et de procédures, où la procédure implémente la phase en question. La liste des phases utilisées par un paquet particulier peut être modifiée avec le paramètre @code{#:phases}. Par exemple, en passant : @example #:phases (modify-phases %standard-phases (delete 'configure)) @end example signifie que toutes les procédures décrites plus haut seront utilisées, sauf la phase @code{configure}. En plus, ce système de construction s'assure que l'environnement « standard » pour les paquets GNU est disponible. Cela inclus des outils comme GCC, libc, Coreutils, Bash, Make, Diffutils, grep et sed (voir le module @code{(guix build-system gnu)} pour une liste complète). Nous les appelons les @dfn{entrées implicites} d'un paquet parce que la définition du paquet ne les mentionne pas. @end defvr D'autres objets @code{} sont définis pour supporter d'autres conventions et outils utilisés par les paquets de logiciels libres. Ils héritent de la plupart de @var{gnu-build-system} et diffèrent surtout dans l'ensemble des entrées implicites ajoutées au processus de construction et dans la liste des phases exécutées. Certains de ces systèmes de construction sont listés ci-dessous. @defvr {Variable Scheme} ant-build-system Cette variable est exportée par @code{(guix build-system ant)}. Elle implémente la procédure de construction pour les paquets Java qui peuvent être construits avec @url{http://ant.apache.org/, l'outil de construction Ant}. Elle ajoute à la fois @code{ant} et the @dfn{kit de développement Java} (JDK) fournit par le paquet @code{icedtea} à l'ensemble des entrées. Des paquets différents peuvent être spécifiés avec les paramètres @code{#:ant} et @code{#:jdk} respectivement. Lorsque le paquet d'origine ne fournit pas de fichier de construction Ant acceptable, le paramètre @code{#:jar-name} peut être utilisé pour générer un fichier de construction Ant @file{build.xml} minimal, avec des tâches pour construire l'archive jar spécifiée. Dans ce cas, le paramètre @code{#:source-dir} peut être utilisé pour spécifier le sous-répertoire des sources, par défaut « src ». Le paramètre @code{#:main-class} peut être utilisé avec le fichier de construction minimal pour spécifier la classe principale du jar. Cela rend le fichier jar exécutable. Le paramètre @code{#:test-include} peut être utilisé pour spécifier la liste des tests junit à lancer. Il vaut par défaut @code{(list "**/*Test.java")}. Le paramètre @code{#:test-exclude} peut être utilisé pour désactiver certains tests. Sa valeur par défaut est @code{(list "**/Abstract*.java")}, parce que les classes abstraites ne peuvent pas être utilisées comme des tests. Le paramètre @code{#:build-target} peut être utilisé pour spécifier la tâche Ant qui devrait être lancée pendant la phase @code{build}. Par défaut la tâche « jar » sera lancée. @end defvr @defvr {Variable Scheme} android-ndk-build-system @cindex Distribution android @cindex système de construction Android NDK Cette variable est exportée par @code{(guix build-system android-ndk)}. Elle implémente une procédure de construction pour les paquets du NDK Android (@i{native development kit}) avec des processus de construction spécifiques à Guix. Le système de construction suppose que les paquets installent leur interface publique (les en-têtes) dans un sous-répertoire de « include » de la sortie « out » et leurs bibliothèques dans le sous-répertoire « lib » de la sortie « out ». Il est aussi supposé que l'union de toutes les dépendances d'un paquet n'a pas de fichiers en conflit. Pour l'instant, la compilation croisée n'est pas supportées — donc pour l'instant les bibliothèques et les fichiers d'en-têtes sont supposés être des outils de l'hôte. @end defvr @defvr {Variable Scheme} asdf-build-system/source @defvrx {Variable Scheme} asdf-build-system/sbcl @defvrx {Variable Scheme} asdf-build-system/ecl Ces variables, exportées par @code{(guix build-system asdf)}, implémentent les procédures de constructions pour les paquets en Common Lisp qui utilisent @url{https://common-lisp.net/project/asdf/, ``ASDF''}. ASDF est un dispositif de définition de systèmes pour les programmes et les bibliothèques en Common Lisp. Le système @code{asdf-build-system/source} installe les paquets au format source qui peuvent être chargés avec n'importe quelle implémentation de common lisp, via ASDF. Les autres, comme @code{asdf-build-system/sbcl}, installent des binaires au format qu'un implémentation particulière comprend. Ces systèmes de constructions peuvent aussi être utilisés pour produire des programmes exécutables ou des images lisp qui contiennent un ensemble de paquets pré-chargés. Le système de construction utilise des conventions de nommage. Pour les paquets binaires, le nom du paquet devrait être préfixé par l'implémentation lisp, comme @code{sbcl-} pour @code{asdf-build-system/sbcl}. En plus, le paquet source correspondant devrait étiquetté avec la même convention que les paquets python (voir @ref{Modules python}), avec le préfixe @code{cl-}. Pour les paquets binaires, chaque système devrait être défini comme un paquet Guix. Si un paquet @code{origine} contient plusieurs systèmes, on peut créer des variantes du paquet pour construire tous les systèmes. Les paquets sources, qui utilisent @code{asdf-build-system/source}, peuvent contenir plusieurs systèmes. Pour créer des programmes exécutables et des images, les procédures côté construction @code{build-program} et @code{build-image} peuvent être utilisées. Elles devraient être appelées dans une phase de construction après la phase @code{create-symlinks} pour que le système qui vient d'être construit puisse être utilisé dans l'image créée. @code{build-program} requiert une liste d'expressions Common Lisp dans l'argument @code{#:entry-program}. Si le système n'est pas défini dans son propre fichier @code{.asd} du même nom, alors le paramètre @code{#:asd-file} devrait être utilisé pour spécifier dans quel fichier le système est défini. De plus, si le paquet défini un système pour ses tests dans un fichier séparé, il sera chargé avant que les tests ne soient lancés s'il est spécifié par le paramètre @code{#:test-asd-file}. S'il n'est pas spécifié, les fichiers @code{-tests.asd}, @code{-test.asd}, @code{tests.asd} et @code{test.asd} seront testés. Si pour quelque raison que ce soit le paquet doit être nommé d'une manière différente de ce que la convention de nommage suggère, le paramètre @code{#:asd-system-name} peut être utilisé pour spécifier le nom du système. @end defvr @defvr {Variable Scheme} cargo-build-system @cindex Langage de programmation Rust @cindex Cargo (système de construction Rust) Cette variable est exportée par @code{(guix build-system cargo)}. Elle supporte les construction de paquets avec Cargo, le système de construction du @uref{https://www.rust-lang.org, langage de programmation Rust}. Dans sa phase @code{configure}, ce système de construction remplace les dépendances spécifiées dans le fichier @file{Cargo.toml} par des paquets Guix. La phase @code{install} installe les binaires et installe aussi le code source et le fichier @file{Cargo.toml}. @end defvr @defvr {Variable Scheme} cmake-build-system Cette variable est exportée par @code{(guix build-system cmake)}. Elle implémente la procédure de construction des paquets qui utilisent l'@url{http://www.cmake.org, outils de construction CMake}. Elle ajoute automatiquement le paquet @code{cmake} à l'ensemble des entrées. Le paquet utilisé peut être spécifié par le paramètre @code{#:cmake}. Le paramètre @code{#:configure-flags} est pris comme une liste de drapeaux à passer à la commande @command{cmake}. Le paramètre @code{#:build-type} spécifie en termes abstrait les drapeaux passés au compilateur ; sa valeur par défaut est @code{"RelWithDebInfo"} (ce qui veut dire « mode public avec les informations de débogage » en plus court), ce qui signifie en gros que le code sera compilé avec @code{-O2 -g} comme pour les paquets autoconf par défaut. @end defvr @defvr {Variable Scheme} go-build-system Cette variable est exportée par @code{(guix build-system go)}. Elle implémente la procédure pour les paquets Go utilisant les @url{https://golang.org/cmd/go/#hdr-Compile_packages_and_dependencies, mécanismes de construction Go} standard. L'utilisateur doit fournir une valeur à la clef @code{#:import-path} et, dans certains cas, @code{#:unpack-path}. Le @url{https://golang.org/doc/code.html#ImportPaths, chemin d'import} correspond au chemin dans le système de fichiers attendu par le script de construction du paquet et les paquets qui s'y réfèrent et fournit une manière unique de se référer à un paquet Go. Il est typiquement basé sur une combinaison de l'URI du code source du paquet et d'une structure hiérarchique du système de fichier. Dans certains cas, vous devrez extraire le code source du paquet dans une structure de répertoires différente que celle indiquée par le chemin d'import et @code{#:unpack-path} devrait être utilisé dans ces cas-là. Les paquets qui fournissent des bibliothèques Go devraient être installées avec leur code source. La clef @code{#:install-soruce?}, qui vaut @code{#t} par défaut, contrôle l'installation du code source. Elle peut être mise à @code{#f} pour les paquets qui ne fournissent que des fichiers exécutables. @end defvr @defvr {Variable Scheme} glib-or-gtk-build-system Cette variable est exportée par @code{(guix build-system glib-or-gtk)}. Elle est conçue pour être utilisée par des paquets qui utilisent GLib ou GTK+. Ce système de construction ajoute les deux phases suivantes à celles définies par @var{gnu-build-system} : @table @code @item glib-or-gtk-wrap La phase @code{glib-or-gtk-wrap} s'assure que les programmes dans @file{bin/} sont capable de trouver les « schemas » GLib et les @uref{https://developer.gnome.org/gtk3/stable/gtk-running.html, modules GTK+}. Ceci est fait en enveloppant les programmes dans des scripts de lancement qui initialisent correctement les variables d'environnement @code{XDG_DATA_DIRS} et @code{GTK_PATH}. Il est possible d'exclure des sorties spécifiques de ce processus d'enveloppage en listant leur nom dans le paramètre @code{#:glib-or-gtk-wrap-excluded-outputs}. C'est utile lorsqu'une sortie est connue pour ne pas contenir de binaires GLib ou GTK+, et où l'enveloppe ajouterait une dépendance inutile vers GLib et GTK+. @item glib-or-gtk-compile-schemas La phase @code{glib-or-gtk-compile-schemas} s'assure que tous les @uref{https://developer.gnome.org/gio/stable/glib-compile-schemas.html, schémas GSettings} de GLib sont compilés. La compilation est effectuée par le programme @command{glib-compile-schemas}. Il est fournit par le paquet @code{glib:bin} qui est automatiquement importé par le système de construction. Le paquet @code{glib} qui fournit @command{glib-compile-schemas} peut être spécifié avec le paramètre @code{#:glib}. @end table Ces deux phases sont exécutées après la phase @code{install}. @end defvr @defvr {Variable Scheme} minify-build-system Cette variable est exportée par @code{(guix build-system minify)}. Elle implémente une procédure de minification pour des paquets JavaScript simples. Elle ajoute @code{uglify-js} à l'ensemble des entrées et l'utilise pour compresser tous les fichiers JavaScript du répertoire @file{src}. Un minifieur différent peut être spécifié avec le paramètre @code{#:uglify-js} mais il est attendu que ce paquet écrive le code minifié sur la sortie standard. Lorsque les fichiers JavaScript d'entrée ne sont pas situés dans le répertoire @file{src}, le paramètre @code{#:javascript-files} peut être utilisé pour spécifier une liste de noms de fichiers à donner au minifieur. @end defvr @defvr {Variable Scheme} ocaml-build-system Cette variable est exportée par @code{(guix build-system ocaml)}. Elle implémente une procédure de construction pour les paquets @uref{https://ocaml.org, OCaml} qui consiste à choisir le bon ensemble de commande à lancer pour chaque paquet. Les paquets OCaml peuvent demander des commandes diverses pour être construit. Ce système de construction en essaye certaines. Lorsqu'un fichier @file{setup.ml} est présent dans le répertoire de plus haut niveau, elle lancera @code{ocaml setup.ml -configure}, @code{ocaml setup.ml -build} et @code{ocaml setup.ml -install}. Le système de construction supposera que ces fichiers ont été générés par @uref{http://oasis.forge.ocamlcore.org/, OASIS} et prendra soin d'initialiser le préfixe et d'activer les tests s'ils ne sont pas désactivés. Vous pouvez passer des drapeaux de configuration et de consturction avec @code{#:configure-flags} et @code{#:build-flags}. La clef @code{#:test-flags} peut être passée pour changer l'ensemble des drapeaux utilisés pour activer les tests. La clef @code{#:use-make?} peut être utilisée pour outrepasser ce système dans les phases de construction et d'installation. Lorsque le paquet a un fichier @file{configure}, il est supposé qu'il s'agit d'un script configure écrit à la main qui demande un format différent de celui de @code{gnu-build-system}. Vous pouvez ajouter plus de drapeaux avec la clef @code{#:configure-flags}. Lorsque le paquet a un fichier @file{Makefile} (ou @code{#:use-make?} vaut @code{#t}), il sera utilisé et plus de drapeaux peuvent être passés à la construction et l'installation avec la clef @code{#:make-flags}. Enfin, certains paquets n'ont pas ces fichiers mais utilisent un emplacement plus ou moins standard pour leur système de construction. Dans ce cas, le système de construction lancera @code{ocaml pkg/pkg.ml} ou @code{pkg/build.ml} et prendra soin de fournir le chemin du module findlib requis. Des drapeaux supplémentaires peuvent être passés via la clef @code{#:bulid-flags}. L'installation se fait avec @command{opam-installer}. Dans ce cas, le paquet @code{opam} doit être ajouté au champ @code{native-inputs} de la définition du paquet. Remarquez que la plupart des paquets OCaml supposent qu'ils seront installés dans le même répertoire qu'OCaml, ce qui n'est pas ce que nous voulons faire dans Guix. En particulier, ils installeront leurs fichiers @file{.so} dans leur propre répertoire de module, ce qui est normalement correct puisqu'il s'agit du répertoire du compilateur OCaml. Dans Guix en revanche, le bibliothèques ne peuvent pas y être trouvées et on utilise @code{CAML_LD_LIBRARY_PATH} à la place. Cette variable pointe vers @file{lib/ocaml/site-lib/stubslibs} et c'est là où les bibliothèques @file{.so} devraient être installées. @end defvr @defvr {Variable Scheme} python-build-system Cette variable est exportée par @code{(guix build-system python)}. Elle implémente la procédure de construction plus ou moins standarde utilisée pour les paquets Python, qui consiste à lancer @code{python setup.py build} puis @code{python setup.py install --prefix=/gnu/store/@dots{}}. Pour les paquets qui installent des programmes autonomes dans @code{bin/}, elle prend soin d'envelopper ces binaires pour que leur variable d'environnement @code{PYTHONPATH} pointe vers toutes les bibliothèques Python dont ils dépendent. Le paquet Python utilisé pour effectuer la construction peut être spécifié avec le paramètre @code{#:python}. C'est une manière utile de forcer un paquet à être construit avec une version particulière de l'interpréteur python, ce qui peut être nécessaire si le paquet n'est compatible qu'avec une version de l'interpréteur. Par défaut Guix appelle @code{setup.py} sous le contrôle de @code{setuptools}, comme le fait @command{pip}. Certains paquets ne sont pas compatibles avec setuptools (et pip), ainsi vous pouvez désactiver cela en mettant le paramètre @code{#:use-setuptools} à @code{#f}. @end defvr @defvr {Variable Scheme} perl-build-system Cette variable est exportée par @code{(guix build-system perl)}. Elle implémente la procédure de construction standarde des paquets Perl, qui consiste soit à lancer @code{perl Build.PL --prefix=/gnu/store/@dots{}}, suivi de @code{Build} et @code{Build install} ; ou à lancer @code{perl Makefile.PL PREFIX=/gnu/store/@dots{}}, suivi de @code{make} et @code{make install}, en fonction de la présence de @code{Build.PL} ou @code{Makefile.PL} dans la distribution du paquet. Le premier a la préférence si @code{Build.PL} et @code{Makefile.PL} existent tous deux dans la distribution du paquet. Cette préférence peut être inversée en spécifiant @code{#t} pour le paramètre @code{#:make-maker?}. L'invocation initiale de @code{perl Makefile.PL} ou @code{perl Build.PL} passe les drapeaux spécifiés par le paramètre @code{#:make-maker-flags} ou @code{#:module-build-flags}, respectivement. Le paquet Perl utilisé peut être spécifié avec @code{#:perl}. @end defvr @defvr {Variable Scheme} r-build-system Cette variable est exportée par @code{(guix build-system r)}. Elle implémente la procédure de construction utilisée par les paquets @uref{http://r-project.org, R} qui consiste à lancer à peine plus que @code{R CMD INSTALL --library=/gnu/store/@dots{}} dans un environnement où @code{R_LIBS_SITE} contient les chemins de toutes les entrées R. Les tests sont lancés après l'installation avec la fonction R @code{tools::testInstalledPackage}. @end defvr @defvr {Variable Scheme} texlive-build-system Cette variable est exportée par @code{(guix build-system texlive)}. Elle est utilisée pour construire des paquets TeX en mode batch avec le moteur spécifié. Le système de construction initialise la variable @code{TEXINPUTS} pour trouver tous les fichiers source TeX dans ses entrées. Par défaut, elle lance @code{luatex} sur tous les fichiers qui se terminent par @code{ins}. Un moteur et un format différent peuvent être spécifiés avec l'argument @code{#:tex-format}. Plusieurs cibles de constructions peuvent être indiquées avec l'argument @code{#:build-targets} qui attend une liste de noms de fichiers. Le système de construction ajoute uniquement @code{texlive-bin} et @code{texlive-latex-base} (de @code{(gnu packages tex)} à la liste des entrées. Les deux peuvent être remplacés avec les arguments @code{#:texlive-bin} et @code{#:texlive-latex-base}, respectivement. Le paramètre @code{#:tex-directory} dit au système de construction où installer les fichiers construit dans l'arbre texmf. @end defvr @defvr {Variable Scheme} ruby-build-system Cette variable est exportée par @code{(guix build-system ruby)}. Elle implémenter la procédure de construction RubyGems utilisée par les paquets Ruby qui consiste à lancer @code{gem build} suivi de @code{gem install}. Le champ @code{source} d'un paquet qui utilise ce système de construction référence le plus souvent une archive gem, puisque c'est le format utilisé par les développeurs Ruby quand ils publient leur logiciel. Le système de construction décompresse l'archive gem, éventuellement en corrigeant les sources, lance la suite de tests, recompresse la gemme et l'installe. En plus, des répertoires et des archives peuvent être référencés pour permettre de construire des gemmes qui n'ont pas été publiées depuis Git ou une archive de sources traditionnelle. Le paquet Ruby utilisé peut être spécifié avec le paramètre @code{#:ruby}. Une liste de drapeaux supplémentaires à passer à la commande @command{gem} peut être spécifiée avec le paramètre @code{#:gem-flags}. @end defvr @defvr {Variable Scheme} waf-build-system Cette variable est exportée par @code{(guix build-system waf)}. Elle implémente une procédure de construction autour du script @code{waf}. Les phases usuelles — @code{configure}, @code{build} et @code{install} — sont implémentée en passant leur nom en argument au script @code{waf}. Le script @code{waf} est exécuté par l'interpréteur Python. Le paquet Python utilisé pour lancer le script peut être spécifié avec le paramètre @code{#:python}. @end defvr @defvr {Variable Scheme} scons-build-system Cette variable est exportée par @code{(guix build-system scons)}. Elle implémente la procédure de construction utilisée par l'outil de construction SCons. Ce système de construction lance @code{scons} pour construire le paquet, @code{scons test} pour lancer les tests puis @code{scons install} pour installer le paquet. On peut passer des drapeaux supplémentaires à @code{scons} en les spécifiant avec le paramètre @code{#:scons-flags}. La version de python utilisée pour lancer SCons peut être spécifiée en sélectionnant le paquet SCons approprié avec le paramètre @code{#:scons}. @end defvr @defvr {Variable Scheme} haskell-build-system Cette variable est exportée par @code{(guix build-system haskell)}. Elle implémente la procédure de construction Cabal utilisée par les paquets Haskell, qui consiste à lancer @code{runhaskell Setup.hs configure --prefix=/gnu/store/@dots{}} et @code{runhaskell Setup.hs build}. Plutôt que d'installer le paquets en lançant @code{runhaskell Setup.hs install}, pour éviter d'essayer d'enregistrer les bibliothèques dans le répertoire du dépôt en lecture-seule du compilateur, le système de construction utilise @code{runhaskell Setup.hs copy}, suivi de @code{runhaskell Setup.hs register}. En plus, le système de construction génère la documentation du paquet en lançant @code{runhaskell Setup.hs haddock}, à moins que @code{#:haddock? #f} ne soit passé. Des paramètres facultatifs pour Haddock peuvent être passés à l'aide du paramètre @code{#:haddock-flags}. Si le fichier @code{Setup.hs} n'est pas trouvé, le système de construction cherchera @code{Setup.lhs} à la place. Le compilateur Haskell utilisé peut être spécifié avec le paramètre @code{#:haskell} qui a pour valeur par défaut @code{ghc}. @end defvr @defvr {Variable Scheme} dub-build-system Cette variable est exportée par @code{(guix build-system dub)}. Elle implémente la procédure de construction Dub utilisée par les paquets D qui consiste à lancer @code{dub build} et @code{dub run}. L'installation est effectuée en copiant les fichiers manuellement. Le compilateur D utilisé peut être spécifié avec le paramètre @code{#:ldc} qui vaut par défaut @code{ldc}. @end defvr @defvr {Variable Scheme} emacs-build-system Cette variable est exportée par @code{(guix build-system emacs)}. Elle implémente une procédure d'installation similaire au système de gestion de paquet d'Emacs lui-même (@pxref{Packages,,, emacs, The GNU Emacs Manual}). Elle crée d'abord le fichier @code{@var{package}-autoloads.el}, puis compile tous les fichiers Emacs Lisp en bytecode. Contrairement au système de gestion de paquets d'Emacs, les fichiers de documentation info sont déplacés dans le répertoire standard et le fichier @file{dir} est supprimé. Chaque paquet est installé dans son propre répertoire dans @file{share/emacs/site-lisp/guix.d}. @end defvr @defvr {Variable Scheme} font-build-system Cette variable est exportée par @code{(guix build-system font)}. Elle implémente une procédure d'installation pour les paquets de polices où des fichiers de polices TrueType, OpenType, etc sont fournis en amont et n'ont qu'à être copiés à leur emplacement final. Elle copie les fichiers de polices à l'emplacement standard dans le répertoire de sortie. @end defvr @defvr {Variable Scheme} meson-build-system Cette variable est exportée par @code{(guix build-system meson)}. Elle implémente la procédure de construction des paquets qui utilisent @url{http://mesonbuild.com, Meson} comme système de construction. Elle ajoute à la fois Meson et @uref{https://ninja-build.org/, Ninja} à l'ensemble des entrées, et ils peuvent être modifiés avec les paramètres @code{#:meson} et @code{#:ninja} si requis. Le Meson par défaut est @code{meson-for-build}, qui est spécial parce qu'il ne nettoie pas le @code{RUNPATH} des binaires et les bibliothèques qu'il installe. Ce système de construction est une extension de @var{gnu-build-system}, mais avec les phases suivantes modifiées pour Meson : @table @code @item configure La phase lance @code{meson} avec les drapeaux spécifiés dans @code{#:configure-flags}. Le drapeau @code{--build-type} est toujours initialisé à @code{plain} à moins que quelque chose d'autre ne soit spécifié dans @code{#:build-type}. @item build La phase lance @code{ninja} pour construire le paquet en parallèle par défaut, mais cela peut être changé avec @code{#:parallel-build?}. @item check La phase lance @code{ninja} avec la cible spécifiée dans @code{#:test-target}, qui est @code{"test"} par défaut. @item install La phase lance @code{ninja install} et ne peut pas être changée. @end table En dehors de cela, le système de construction ajoute aussi la phase suivante : @table @code @item fix-runpath Cette phase s'assure que tous les binaire peuvent trouver les bibliothèques dont ils ont besoin. Elle cherche les bibliothèques requises dans les sous-répertoires du paquet en construction et les ajoute au @code{RUNPATH} là où c'est nécessaire. Elle supprime aussi les références aux bibliothèques laissées là par la phase de construction par @code{meson-for-build} comme les dépendances des tests, qui ne sont pas vraiment requises pour le programme. @item glib-or-gtk-wrap Cette phase est la phase fournie par @code{glib-or-gtk-build-system} et n'est pas activée par défaut. Elle peut l'être avec @code{#:glib-or-gtk?}. @item glib-or-gtk-compile-schemas Cette phase est la phase fournie par @code{glib-or-gtk-build-system} et n'est pas activée par défaut. Elle peut l'être avec @code{#:glib-or-gtk?}. @end table @end defvr Enfin, pour les paquets qui n'ont pas besoin de choses sophistiquées, un système de construction « trivial » est disponible. Il est trivial dans le sens où il ne fournit en gros aucun support : il n'apporte pas de dépendance implicite, et n'a pas de notion de phase de construction. @defvr {Variable Scheme} trivial-build-system Cette variable est exportée par @code{(guix build-system trivial)}. Ce système de construction requiert un argument @code{#:builder}. Cet argument doit être une expression Scheme qui construit la sortie du paquet — comme avec @code{build-expression->derivation} (@pxref{Dérivations, @code{build-expression->derivation}}). @end defvr @node Le dépôt @section Le dépôt @cindex dépôt @cindex éléments du dépôt @cindex chemins dans le dépôt Conceptuellement, le @dfn{dépôt} est l'endroit où les dérivations qui ont bien été construites sont stockées — par défaut, @file{/gnu/store}. Les sous-répertoires dans le dépôt s'appellent des @dfn{éléments du dépôt} ou parfois des @dfn{chemins du dépôt}. Le dépôt a une base de données associée qui contient des informations comme les chemins du dépôt auxquels se réfèrent chaque chemin du dépôt et la liste des éléments du dépôt @emph{valides} — les résultats d'une construction réussie. Cette base de données se trouve dans @file{@var{localstatedir}/guix/db} où @var{localstatedir} est le répertoire d'états spécifié @i{via} @option {--localstatedir} à la configuration, typiquement @file{/var}. C'est @emph{toujours} le démon qui accède au dépôt pour le compte de ses clients (@pxref{Invoquer guix-daemon}). Pour manipuler le dépôt, les clients se connectent au démon par un socket Unix-domain, envoient une requête dessus et lisent le résultat — ce sont des appels de procédures distantes, ou RPC. @quotation Remarque Les utilisateurs ne doivent @emph{jamais} modifier les fichiers dans @file{/gnu/store} directement. Cela entraînerait des incohérences et casserait l'hypothèse d'immutabilité du modèle fonctionnel de Guix (@pxref{Introduction}). @xref{Invoquer guix gc, @command{guix gc --verify}}, pour des informations sur la manière de vérifier l'intégrité du dépôt et d'essayer de réparer des modifications accidentelles. @end quotation Le module @code{(guix store)} fournit des procédures pour se connecter au démon et pour effectuer des RPC. Elles sont décrites plus bas. Par défaut, @code{open-connection}, et donc toutes les commandes @command{guix} se connectent au démon local ou à l'URI spécifiée par la variable d'environnement @code{GUIX_DAEMON_SOCKET}. @defvr {Variable d'environnement} GUIX_DAEMON_SOCKET Lorsqu'elle est initialisée, la valeur de cette variable devrait être un nom de fichier ou une URI qui désigne l'extrémité du démon. Lorsque c'est un nom de fichier, il dénote un socket Unix-domain où se connecter. En plus des noms de fichiers, les schémas d'URI supportés sont : @table @code @item file @itemx unix Pour les sockets Unix-domain. @code{file:///var/guix/daemon-socket/socket} est équivalent à @file{/var/guix/daemon-socket/socket}. @item guix @cindex démon, accès distant @cindex accès distant au démon @cindex démon, paramètres de grappes @cindex grappes, paramètres du démon Ces URI dénotent des connexions par TCP/IP, sans chiffrement ni authentification de l'hôte distant. L'URI doit spécifier le nom d'hôte et éventuellement un numéro de port (par défaut 44146) : @example guix://master.guix.example.org:1234 @end example Ce paramétrage est adapté aux réseaux locaux, comme dans le cas de grappes de serveurs, où seuls des noms de confiance peuvent se connecter au démon de construction sur @code{master.guix.example.org}. L'option @code{--listen} de @command{guix-daemon} peut être utilisé pour lui dire d'écouter des connexions TCP (@pxref{Invoquer guix-daemon, @code{--listen}}). @item ssh @cindex accès SSH au démon de construction Ces URI vous permettent de vous connecter au démon à distance à travers SSH@footnote{Cette fonctionnalité requiert Guile-SSH (@pxref{Prérequis}).}. @example ssh://charlie@@guix.example.org:22 @end example Comme pour @command{guix copy}, les fichiers de configuration du client OpenSSH sont respectés (@pxref{Invoquer guix copy}). @end table Des schémas d'URI supplémentaires pourraient être supportés dans le futur. @c XXX: Remove this note when the protocol incurs fewer round trips @c and when (guix derivations) no longer relies on file system access. @quotation Remarque La capacité de se connecter à un démon de construction distant est considéré comme expérimental à la version @value{VERSION}. Contactez-nous pour partager vos problèmes ou des suggestions que vous pourriez avoir (@pxref{Contribuer}). @end quotation @end defvr @deffn {Procédure Scheme} open-connection [@var{uri}] [#:reserve-space? #t] Se connecte au démon à travers le socket Unix-domain à @var{uri} (une chaîne de caractères). Lorsque @var{reserve-space?} est vrai, cela demande de réserver un peu de place supplémentaire sur le système de fichiers pour que le ramasse-miette puisse opérer au cas où le disque serait plein. Renvoie un objet serveur. @var{file} a pour valeur par défaut @var{%default-socket-path}, qui est l'emplacement normal en fonction des options données à @command{configure}. @end deffn @deffn {Procédure Scheme} close-connection @var{serveur} Ferme la connexion au @var{serveur}. @end deffn @defvr {Variable Scheme} current-build-output-port Cette variable est liée à un paramètre SRFI-39, qui se réfère au port où les journaux de construction et d'erreur envoyés par le démon devraient être écrits. @end defvr Les procédures qui font des RPC prennent toutes un objet serveur comme premier argument. @deffn {Scheme Procedure} valid-path? @var{server} @var{path} @cindex éléments du dépôt invalides Renvoie @code{#t} lorsque @var{path} désigne un élément du dépôt valide et @code{#f} sinon (un élément invalide peut exister sur le disque mais rester invalide, par exemple parce que c'est le résultat d'une construction annulée ou échouée). Une condition @code{&nix-protocol-error} est levée si @var{path} n'est pas préfixée par le répertoire du dépôt (@file{/gnu/store}). @end deffn @deffn {Procédure Scheme} add-text-to-store @var{server} @var{name} @var{text} [@var{references}] Ajoute @var{text} dans le fichier @var{name} dans le dépôt et renvoie son chemin. @var{references} est la liste des chemins du dépôt référencés par le chemin du dépôt qui en résulte. @end deffn @deffn {Procédure Scheme} build-derivations @var{server} @var{derivations} Construit @var{derivaton} (ne liste d'objets @code{} ou de chemins de dérivations) et retourne quand le travailleur a fini de les construire. Renvoie @code{#t} en cas de réussite. @end deffn Remarque que le module @code{(guix monads)} fournit une monad ainsi que des version monadiques des procédures précédentes, avec le but de rendre plus facile de travailler avec le code qui accède au dépôt (@pxref{La monad du dépôt}). @c FIXME @i{Cette section est actuellement incomplète.} @node Dérivations @section Dérivations @cindex dérivations Les actions de construction à bas-niveau et l'environnement dans lequel elles sont effectuées sont représentés par des @dfn{dérivations}. Une dérivation contient cet ensemble d'informations : @itemize @item Les sorties de la dérivation — les dérivations produisent au moins un fichier ou répertoire dans le dépôt, mais peuvent en produire plus. @item Les entrées de la dérivation, qui peuvent être d'autres dérivations ou des fichiers dans le dépôt (correctifs, scripts de construction, etc). @item Le type de système ciblé par la dérivation — p.ex.@: @code{x86_64-linux}. @item Le nom de fichier d'un script de construction dans le dépôt avec les arguments à lui passer. @item Une liste de variables d'environnement à définir. @end itemize @cindex chemin de dérivation Les dérivations permettent aux client du démon de communiquer des actions de construction dans le dépôt. Elles existent sous deux formes : en tant que représentation en mémoire, à la fois côté client et démon, et en tant que fichiers dans le dépôt dont le nom fini par @code{.drv} — on dit que ce sont des @dfn{chemins de dérivations}. Les chemins de dérivations peuvent être passés à la procédure @code{build-derivations} pour effectuer les actions de construction qu'ils prescrivent (@pxref{Le dépôt}). @cindex dérivations à sortie fixe Des opérations comme le téléchargement de fichiers et la récupération de sources gérés par un logiciel de contrôle de version pour lesquels le hash du contenu est connu à l'avance sont modélisés par des @dfn{dérivations à sortie fixe}. Contrairement aux dérivation habituelles, les sorties d'une dérivation à sortie fixe sont indépendantes de ses entrées — p.ex.@: un code source téléchargé produit le même résultat quelque soit la méthode de téléchargement utilisée. Le module @code{(guix derivations)} fournit une représentation des dérivations comme des objets Scheme, avec des procédures pour créer et manipuler des dérivations. La primitive de plus bas-niveau pour créer une dérivation est la procédure @code{derivation} : @deffn {Procédure Scheme} derivation @var{store} @var{name} @var{builder} @ @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @ [#:system (%current-system)] [#:references-graphs #f] @ [#:allowed-references #f] [#:disallowed-references #f] @ [#:leaked-env-vars #f] [#:local-build? #f] @ [#:substitutable? #t] Construit une dérivation avec les arguments donnés et renvie l'objet @code{} obtenu. Lorsque @var{hash} et @var{hash-algo} sont donnés, une @dfn{dérivation à sortie fixe} est créée — c.-à-d.@: une dérivation dont le résultat est connu à l'avance, comme dans le cas du téléchargement d'un fichier. Si, en plus, @var{recursive?} est vrai, alors la sortie fixe peut être un fichier exécutable ou un répertoire et @var{hash} doit être le hash d'une archive contenant la sortie. Lorsque @var{references-graphs} est vrai, il doit s'agir d'une liste de paires de noms de fichiers et de chemins du dépôt. Dans ce cas, le graphe des références de chaque chemin du dépôt est exporté dans l'environnement de construction dans le fichier correspondant, dans un simple format texte. Lorsque @var{allowed-references} est vrai, il doit s'agir d'une liste d'éléments du dépôt ou de sorties auxquelles la sortie de la dérivations peut faire référence. De même, @var{disallowed-references}, si vrai, doit être une liste de choses que la sortie ne doit @emph{pas} référencer. Lorsque @var{leaked-env-vars} est vrai, il doit s'agir d'une liste de chaînes de caractères qui désignent les variables d'environnements qui peuvent « fuiter » de l'environnement du démon dans l'environnement de construction. Ce n'est possible que pour les dérivations à sortie fixe — c.-à-d.@: lorsque @var{hash} est vrai. L'utilisation principale est de permettre à des variables comme @code{http_proxy} d'être passées aux dérivations qui téléchargent des fichiers. Lorsque @var{local-build?} est vrai, déclare que la dérivation n'est pas un bon candidat pour le déchargement et devrait plutôt être construit localement (@pxref{Réglages du délestage du démon}). C'est le cas des petites dérivations où le coût du transfert de données est plus important que les bénéfices. Lorsque que @var{substitutable?} est faux, déclare que les substituts de la sortie de la dérivation ne devraient pas être utilisés (@pxref{Substituts}). Cela est utile par exemple pour construire des paquets qui utilisent des détails du jeu d'instruction du CPU hôte. @end deffn @noindent Voici un exemple avec un script shell comme constructeur, en supposant que @var{store} est une connexion ouverte au démon et @var{bash} pointe vers un exécutable Bash dans le dépôt : @lisp (use-modules (guix utils) (guix store) (guix derivations)) (let ((builder ; ajoute le script Bash au dépôt (add-text-to-store store "my-builder.sh" "echo hello world > $out\n" '()))) (derivation store "foo" bash `("-e" ,builder) #:inputs `((,bash) (,builder)) #:env-vars '(("HOME" . "/homeless")))) @result{} # /gnu/store/@dots{}-foo> @end lisp Comme on pourrait s'en douter, cette primitive est difficile à utiliser directement. Une meilleure approche est d'écrire les scripts de construction en Scheme, bien sur ! Le mieux à faire pour cela est d'écrire le code de construction comme une « G-expression » et de la passer à @code{gexp->derivation}. Pour plus d'informations, @pxref{G-Expressions}. Once upon a time, @code{gexp->derivation} did not exist and constructing derivations with build code written in Scheme was achieved with @code{build-expression->derivation}, documented below. This procedure is now deprecated in favor of the much nicer @code{gexp->derivation}. @deffn {Scheme Procedure} build-expression->derivation @var{store} @ @var{name} @var{exp} @ [#:system (%current-system)] [#:inputs '()] @ [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:env-vars '()] [#:modules '()] @ [#:references-graphs #f] [#:allowed-references #f] @ [#:disallowed-references #f] @ [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f] Return a derivation that executes Scheme expression @var{exp} as a builder for derivation @var{name}. @var{inputs} must be a list of @code{(name drv-path sub-drv)} tuples; when @var{sub-drv} is omitted, @code{"out"} is assumed. @var{modules} is a list of names of Guile modules from the current search path to be copied in the store, compiled, and made available in the load path during the execution of @var{exp}---e.g., @code{((guix build utils) (guix build gnu-build-system))}. @var{exp} is evaluated in an environment where @code{%outputs} is bound to a list of output/path pairs, and where @code{%build-inputs} is bound to a list of string/output-path pairs made from @var{inputs}. Optionally, @var{env-vars} is a list of string pairs specifying the name and value of environment variables visible to the builder. The builder terminates by passing the result of @var{exp} to @code{exit}; thus, when @var{exp} returns @code{#f}, the build is considered to have failed. @var{exp} is built using @var{guile-for-build} (a derivation). When @var{guile-for-build} is omitted or is @code{#f}, the value of the @code{%guile-for-build} fluid is used instead. See the @code{derivation} procedure for the meaning of @var{references-graphs}, @var{allowed-references}, @var{disallowed-references}, @var{local-build?}, and @var{substitutable?}. @end deffn @noindent Here's an example of a single-output derivation that creates a directory containing one file: @lisp (let ((builder '(let ((out (assoc-ref %outputs "out"))) (mkdir out) ; create /gnu/store/@dots{}-goo (call-with-output-file (string-append out "/test") (lambda (p) (display '(hello guix) p)))))) (build-expression->derivation store "goo" builder)) @result{} # @dots{}> @end lisp @node La monad du dépôt @section La monad du dépôt @cindex monad The procedures that operate on the store described in the previous sections all take an open connection to the build daemon as their first argument. Although the underlying model is functional, they either have side effects or depend on the current state of the store. The former is inconvenient: the connection to the build daemon has to be carried around in all those functions, making it impossible to compose functions that do not take that parameter with functions that do. The latter can be problematic: since store operations have side effects and/or depend on external state, they have to be properly sequenced. @cindex monadic values @cindex monadic functions This is where the @code{(guix monads)} module comes in. This module provides a framework for working with @dfn{monads}, and a particularly useful monad for our uses, the @dfn{store monad}. Monads are a construct that allows two things: associating ``context'' with values (in our case, the context is the store), and building sequences of computations (here computations include accesses to the store). Values in a monad---values that carry this additional context---are called @dfn{monadic values}; procedures that return such values are called @dfn{monadic procedures}. Consider this ``normal'' procedure: @example (define (sh-symlink store) ;; Return a derivation that symlinks the 'bash' executable. (let* ((drv (package-derivation store bash)) (out (derivation->output-path drv)) (sh (string-append out "/bin/bash"))) (build-expression->derivation store "sh" `(symlink ,sh %output)))) @end example Using @code{(guix monads)} and @code{(guix gexp)}, it may be rewritten as a monadic function: @example (define (sh-symlink) ;; Same, but return a monadic value. (mlet %store-monad ((drv (package->derivation bash))) (gexp->derivation "sh" #~(symlink (string-append #$drv "/bin/bash") #$output)))) @end example There are several things to note in the second version: the @code{store} parameter is now implicit and is ``threaded'' in the calls to the @code{package->derivation} and @code{gexp->derivation} monadic procedures, and the monadic value returned by @code{package->derivation} is @dfn{bound} using @code{mlet} instead of plain @code{let}. As it turns out, the call to @code{package->derivation} can even be omitted since it will take place implicitly, as we will see later (@pxref{G-Expressions}): @example (define (sh-symlink) (gexp->derivation "sh" #~(symlink (string-append #$bash "/bin/bash") #$output))) @end example @c See @c @c for the funny quote. Calling the monadic @code{sh-symlink} has no effect. As someone once said, ``you exit a monad like you exit a building on fire: by running''. So, to exit the monad and get the desired effect, one must use @code{run-with-store}: @example (run-with-store (open-connection) (sh-symlink)) @result{} /gnu/store/...-sh-symlink @end example Note that the @code{(guix monad-repl)} module extends the Guile REPL with new ``meta-commands'' to make it easier to deal with monadic procedures: @code{run-in-store}, and @code{enter-store-monad}. The former is used to ``run'' a single monadic value through the store: @example scheme@@(guile-user)> ,run-in-store (package->derivation hello) $1 = # @dots{}> @end example The latter enters a recursive REPL, where all the return values are automatically run through the store: @example scheme@@(guile-user)> ,enter-store-monad store-monad@@(guile-user) [1]> (package->derivation hello) $2 = # @dots{}> store-monad@@(guile-user) [1]> (text-file "foo" "Hello!") $3 = "/gnu/store/@dots{}-foo" store-monad@@(guile-user) [1]> ,q scheme@@(guile-user)> @end example @noindent Note that non-monadic values cannot be returned in the @code{store-monad} REPL. The main syntactic forms to deal with monads in general are provided by the @code{(guix monads)} module and are described below. @deffn {Scheme Syntax} with-monad @var{monad} @var{body} ... Evaluate any @code{>>=} or @code{return} forms in @var{body} as being in @var{monad}. @end deffn @deffn {Scheme Syntax} return @var{val} Return a monadic value that encapsulates @var{val}. @end deffn @deffn {Scheme Syntax} >>= @var{mval} @var{mproc} ... @dfn{Bind} monadic value @var{mval}, passing its ``contents'' to monadic procedures @var{mproc}@dots{}@footnote{This operation is commonly referred to as ``bind'', but that name denotes an unrelated procedure in Guile. Thus we use this somewhat cryptic symbol inherited from the Haskell language.}. There can be one @var{mproc} or several of them, as in this example: @example (run-with-state (with-monad %state-monad (>>= (return 1) (lambda (x) (return (+ 1 x))) (lambda (x) (return (* 2 x))))) 'some-state) @result{} 4 @result{} some-state @end example @end deffn @deffn {Scheme Syntax} mlet @var{monad} ((@var{var} @var{mval}) ...) @ @var{body} ... @deffnx {Scheme Syntax} mlet* @var{monad} ((@var{var} @var{mval}) ...) @ @var{body} ... Bind the variables @var{var} to the monadic values @var{mval} in @var{body}, which is a sequence of expressions. As with the bind operator, this can be thought of as ``unpacking'' the raw, non-monadic value ``contained'' in @var{mval} and making @var{var} refer to that raw, non-monadic value within the scope of the @var{body}. The form (@var{var} -> @var{val}) binds @var{var} to the ``normal'' value @var{val}, as per @code{let}. The binding operations occur in sequence from left to right. The last expression of @var{body} must be a monadic expression, and its result will become the result of the @code{mlet} or @code{mlet*} when run in the @var{monad}. @code{mlet*} is to @code{mlet} what @code{let*} is to @code{let} (@pxref{Local Bindings,,, guile, GNU Guile Reference Manual}). @end deffn @deffn {Scheme System} mbegin @var{monad} @var{mexp} ... Bind @var{mexp} and the following monadic expressions in sequence, returning the result of the last expression. Every expression in the sequence must be a monadic expression. This is akin to @code{mlet}, except that the return values of the monadic expressions are ignored. In that sense, it is analogous to @code{begin}, but applied to monadic expressions. @end deffn @deffn {Scheme System} mwhen @var{condition} @var{mexp0} @var{mexp*} ... When @var{condition} is true, evaluate the sequence of monadic expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When @var{condition} is false, return @code{*unspecified*} in the current monad. Every expression in the sequence must be a monadic expression. @end deffn @deffn {Scheme System} munless @var{condition} @var{mexp0} @var{mexp*} ... When @var{condition} is false, evaluate the sequence of monadic expressions @var{mexp0}..@var{mexp*} as in an @code{mbegin}. When @var{condition} is true, return @code{*unspecified*} in the current monad. Every expression in the sequence must be a monadic expression. @end deffn @cindex state monad The @code{(guix monads)} module provides the @dfn{state monad}, which allows an additional value---the state---to be @emph{threaded} through monadic procedure calls. @defvr {Scheme Variable} %state-monad The state monad. Procedures in the state monad can access and change the state that is threaded. Consider the example below. The @code{square} procedure returns a value in the state monad. It returns the square of its argument, but also increments the current state value: @example (define (square x) (mlet %state-monad ((count (current-state))) (mbegin %state-monad (set-current-state (+ 1 count)) (return (* x x))))) (run-with-state (sequence %state-monad (map square (iota 3))) 0) @result{} (0 1 4) @result{} 3 @end example When ``run'' through @var{%state-monad}, we obtain that additional state value, which is the number of @code{square} calls. @end defvr @deffn {Monadic Procedure} current-state Return the current state as a monadic value. @end deffn @deffn {Monadic Procedure} set-current-state @var{value} Set the current state to @var{value} and return the previous state as a monadic value. @end deffn @deffn {Monadic Procedure} state-push @var{value} Push @var{value} to the current state, which is assumed to be a list, and return the previous state as a monadic value. @end deffn @deffn {Monadic Procedure} state-pop Pop a value from the current state and return it as a monadic value. The state is assumed to be a list. @end deffn @deffn {Scheme Procedure} run-with-state @var{mval} [@var{state}] Run monadic value @var{mval} starting with @var{state} as the initial state. Return two values: the resulting value, and the resulting state. @end deffn The main interface to the store monad, provided by the @code{(guix store)} module, is as follows. @defvr {Scheme Variable} %store-monad The store monad---an alias for @var{%state-monad}. Values in the store monad encapsulate accesses to the store. When its effect is needed, a value of the store monad must be ``evaluated'' by passing it to the @code{run-with-store} procedure (see below.) @end defvr @deffn {Scheme Procedure} run-with-store @var{store} @var{mval} [#:guile-for-build] [#:system (%current-system)] Run @var{mval}, a monadic value in the store monad, in @var{store}, an open store connection. @end deffn @deffn {Monadic Procedure} text-file @var{name} @var{text} [@var{references}] Return as a monadic value the absolute file name in the store of the file containing @var{text}, a string. @var{references} is a list of store items that the resulting text file refers to; it defaults to the empty list. @end deffn @deffn {Monadic Procedure} interned-file @var{file} [@var{name}] @ [#:recursive? #t] [#:select? (const #t)] Return the name of @var{file} once interned in the store. Use @var{name} as its store name, or the basename of @var{file} if @var{name} is omitted. When @var{recursive?} is true, the contents of @var{file} are added recursively; if @var{file} designates a flat file and @var{recursive?} is true, its contents are added, and its permission bits are kept. When @var{recursive?} is true, call @code{(@var{select?} @var{file} @var{stat})} for each directory entry, where @var{file} is the entry's absolute file name and @var{stat} is the result of @code{lstat}; exclude entries for which @var{select?} does not return true. The example below adds a file to the store, under two different names: @example (run-with-store (open-connection) (mlet %store-monad ((a (interned-file "README")) (b (interned-file "README" "LEGU-MIN"))) (return (list a b)))) @result{} ("/gnu/store/rwm@dots{}-README" "/gnu/store/44i@dots{}-LEGU-MIN") @end example @end deffn The @code{(guix packages)} module exports the following package-related monadic procedures: @deffn {Monadic Procedure} package-file @var{package} [@var{file}] @ [#:system (%current-system)] [#:target #f] @ [#:output "out"] Return as a monadic value in the absolute file name of @var{file} within the @var{output} directory of @var{package}. When @var{file} is omitted, return the name of the @var{output} directory of @var{package}. When @var{target} is true, use it as a cross-compilation target triplet. @end deffn @deffn {Monadic Procedure} package->derivation @var{package} [@var{system}] @deffnx {Monadic Procedure} package->cross-derivation @var{package} @ @var{target} [@var{system}] Monadic version of @code{package-derivation} and @code{package-cross-derivation} (@pxref{Définition des paquets}). @end deffn @node G-Expressions @section G-Expressions @cindex G-expression @cindex build code quoting So we have ``derivations'', which represent a sequence of build actions to be performed to produce an item in the store (@pxref{Dérivations}). These build actions are performed when asking the daemon to actually build the derivations; they are run by the daemon in a container (@pxref{Invoquer guix-daemon}). @cindex strata of code It should come as no surprise that we like to write these build actions in Scheme. When we do that, we end up with two @dfn{strata} of Scheme code@footnote{The term @dfn{stratum} in this context was coined by Manuel Serrano et al.@: in the context of their work on Hop. Oleg Kiselyov, who has written insightful @url{http://okmij.org/ftp/meta-programming/#meta-scheme, essays and code on this topic}, refers to this kind of code generation as @dfn{staging}.}: the ``host code''---code that defines packages, talks to the daemon, etc.---and the ``build code''---code that actually performs build actions, such as making directories, invoking @command{make}, etc. To describe a derivation and its build actions, one typically needs to embed build code inside host code. It boils down to manipulating build code as data, and the homoiconicity of Scheme---code has a direct representation as data---comes in handy for that. But we need more than the normal @code{quasiquote} mechanism in Scheme to construct build expressions. The @code{(guix gexp)} module implements @dfn{G-expressions}, a form of S-expressions adapted to build expressions. G-expressions, or @dfn{gexps}, consist essentially of three syntactic forms: @code{gexp}, @code{ungexp}, and @code{ungexp-splicing} (or simply: @code{#~}, @code{#$}, and @code{#$@@}), which are comparable to @code{quasiquote}, @code{unquote}, and @code{unquote-splicing}, respectively (@pxref{Expression Syntax, @code{quasiquote},, guile, GNU Guile Reference Manual}). However, there are major differences: @itemize @item Gexps are meant to be written to a file and run or manipulated by other processes. @item When a high-level object such as a package or derivation is unquoted inside a gexp, the result is as if its output file name had been introduced. @item Gexps carry information about the packages or derivations they refer to, and these dependencies are automatically added as inputs to the build processes that use them. @end itemize @cindex lowering, of high-level objects in gexps This mechanism is not limited to package and derivation objects: @dfn{compilers} able to ``lower'' other high-level objects to derivations or files in the store can be defined, such that these objects can also be inserted into gexps. For example, a useful type of high-level objects that can be inserted in a gexp is ``file-like objects'', which make it easy to add files to the store and to refer to them in derivations and such (see @code{local-file} and @code{plain-file} below.) To illustrate the idea, here is an example of a gexp: @example (define build-exp #~(begin (mkdir #$output) (chdir #$output) (symlink (string-append #$coreutils "/bin/ls") "list-files"))) @end example This gexp can be passed to @code{gexp->derivation}; we obtain a derivation that builds a directory containing exactly one symlink to @file{/gnu/store/@dots{}-coreutils-8.22/bin/ls}: @example (gexp->derivation "the-thing" build-exp) @end example As one would expect, the @code{"/gnu/store/@dots{}-coreutils-8.22"} string is substituted to the reference to the @var{coreutils} package in the actual build code, and @var{coreutils} is automatically made an input to the derivation. Likewise, @code{#$output} (equivalent to @code{(ungexp output)}) is replaced by a string containing the directory name of the output of the derivation. @cindex cross compilation In a cross-compilation context, it is useful to distinguish between references to the @emph{native} build of a package---that can run on the host---versus references to cross builds of a package. To that end, the @code{#+} plays the same role as @code{#$}, but is a reference to a native package build: @example (gexp->derivation "vi" #~(begin (mkdir #$output) (system* (string-append #+coreutils "/bin/ln") "-s" (string-append #$emacs "/bin/emacs") (string-append #$output "/bin/vi"))) #:target "mips64el-linux-gnu") @end example @noindent In the example above, the native build of @var{coreutils} is used, so that @command{ln} can actually run on the host; but then the cross-compiled build of @var{emacs} is referenced. @cindex imported modules, for gexps @findex with-imported-modules Another gexp feature is @dfn{imported modules}: sometimes you want to be able to use certain Guile modules from the ``host environment'' in the gexp, so those modules should be imported in the ``build environment''. The @code{with-imported-modules} form allows you to express that: @example (let ((build (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p (string-append #$output "/bin")))))) (gexp->derivation "empty-dir" #~(begin #$build (display "success!\n") #t))) @end example @noindent In this example, the @code{(guix build utils)} module is automatically pulled into the isolated build environment of our gexp, such that @code{(use-modules (guix build utils))} works as expected. @cindex module closure @findex source-module-closure Usually you want the @emph{closure} of the module to be imported---i.e., the module itself and all the modules it depends on---rather than just the module; failing to do that, attempts to use the module will fail because of missing dependent modules. The @code{source-module-closure} procedure computes the closure of a module by looking at its source file headers, which comes in handy in this case: @example (use-modules (guix modules)) ;for 'source-module-closure' (with-imported-modules (source-module-closure '((guix build utils) (gnu build vm))) (gexp->derivation "something-with-vms" #~(begin (use-modules (guix build utils) (gnu build vm)) @dots{}))) @end example @cindex extensions, for gexps @findex with-extensions In the same vein, sometimes you want to import not just pure-Scheme modules, but also ``extensions'' such as Guile bindings to C libraries or other ``full-blown'' packages. Say you need the @code{guile-json} package available on the build side, here's how you would do it: @example (use-modules (gnu packages guile)) ;for 'guile-json' (with-extensions (list guile-json) (gexp->derivation "something-with-json" #~(begin (use-modules (json)) @dots{}))) @end example The syntactic form to construct gexps is summarized below. @deffn {Scheme Syntax} #~@var{exp} @deffnx {Scheme Syntax} (gexp @var{exp}) Return a G-expression containing @var{exp}. @var{exp} may contain one or more of the following forms: @table @code @item #$@var{obj} @itemx (ungexp @var{obj}) Introduce a reference to @var{obj}. @var{obj} may have one of the supported types, for example a package or a derivation, in which case the @code{ungexp} form is replaced by its output file name---e.g., @code{"/gnu/store/@dots{}-coreutils-8.22}. If @var{obj} is a list, it is traversed and references to supported objects are substituted similarly. If @var{obj} is another gexp, its contents are inserted and its dependencies are added to those of the containing gexp. If @var{obj} is another kind of object, it is inserted as is. @item #$@var{obj}:@var{output} @itemx (ungexp @var{obj} @var{output}) This is like the form above, but referring explicitly to the @var{output} of @var{obj}---this is useful when @var{obj} produces multiple outputs (@pxref{Des paquets avec plusieurs résultats}). @item #+@var{obj} @itemx #+@var{obj}:output @itemx (ungexp-native @var{obj}) @itemx (ungexp-native @var{obj} @var{output}) Same as @code{ungexp}, but produces a reference to the @emph{native} build of @var{obj} when used in a cross compilation context. @item #$output[:@var{output}] @itemx (ungexp output [@var{output}]) Insert a reference to derivation output @var{output}, or to the main output when @var{output} is omitted. This only makes sense for gexps passed to @code{gexp->derivation}. @item #$@@@var{lst} @itemx (ungexp-splicing @var{lst}) Like the above, but splices the contents of @var{lst} inside the containing list. @item #+@@@var{lst} @itemx (ungexp-native-splicing @var{lst}) Like the above, but refers to native builds of the objects listed in @var{lst}. @end table G-expressions created by @code{gexp} or @code{#~} are run-time objects of the @code{gexp?} type (see below.) @end deffn @deffn {Scheme Syntax} with-imported-modules @var{modules} @var{body}@dots{} Mark the gexps defined in @var{body}@dots{} as requiring @var{modules} in their execution environment. Each item in @var{modules} can be the name of a module, such as @code{(guix build utils)}, or it can be a module name, followed by an arrow, followed by a file-like object: @example `((guix build utils) (guix gcrypt) ((guix config) => ,(scheme-file "config.scm" #~(define-module @dots{})))) @end example @noindent In the example above, the first two modules are taken from the search path, and the last one is created from the given file-like object. This form has @emph{lexical} scope: it has an effect on the gexps directly defined in @var{body}@dots{}, but not on those defined, say, in procedures called from @var{body}@dots{}. @end deffn @deffn {Scheme Syntax} with-extensions @var{extensions} @var{body}@dots{} Mark the gexps defined in @var{body}@dots{} as requiring @var{extensions} in their build and execution environment. @var{extensions} is typically a list of package objects such as those defined in the @code{(gnu packages guile)} module. Concretely, the packages listed in @var{extensions} are added to the load path while compiling imported modules in @var{body}@dots{}; they are also added to the load path of the gexp returned by @var{body}@dots{}. @end deffn @deffn {Scheme Procedure} gexp? @var{obj} Return @code{#t} if @var{obj} is a G-expression. @end deffn G-expressions are meant to be written to disk, either as code building some derivation, or as plain files in the store. The monadic procedures below allow you to do that (@pxref{La monad du dépôt}, for more information about monads.) @deffn {Monadic Procedure} gexp->derivation @var{name} @var{exp} @ [#:system (%current-system)] [#:target #f] [#:graft? #t] @ [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:env-vars '()] [#:modules '()] @ [#:module-path @var{%load-path}] @ [#:effective-version "2.2"] @ [#:references-graphs #f] [#:allowed-references #f] @ [#:disallowed-references #f] @ [#:leaked-env-vars #f] @ [#:script-name (string-append @var{name} "-builder")] @ [#:deprecation-warnings #f] @ [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f] Return a derivation @var{name} that runs @var{exp} (a gexp) with @var{guile-for-build} (a derivation) on @var{system}; @var{exp} is stored in a file called @var{script-name}. When @var{target} is true, it is used as the cross-compilation target triplet for packages referred to by @var{exp}. @var{modules} is deprecated in favor of @code{with-imported-modules}. Its meaning is to make @var{modules} available in the evaluation context of @var{exp}; @var{modules} is a list of names of Guile modules searched in @var{module-path} to be copied in the store, compiled, and made available in the load path during the execution of @var{exp}---e.g., @code{((guix build utils) (guix build gnu-build-system))}. @var{effective-version} determines the string to use when adding extensions of @var{exp} (see @code{with-extensions}) to the search path---e.g., @code{"2.2"}. @var{graft?} determines whether packages referred to by @var{exp} should be grafted when applicable. When @var{references-graphs} is true, it must be a list of tuples of one of the following forms: @example (@var{file-name} @var{package}) (@var{file-name} @var{package} @var{output}) (@var{file-name} @var{derivation}) (@var{file-name} @var{derivation} @var{output}) (@var{file-name} @var{store-item}) @end example The right-hand-side of each element of @var{references-graphs} is automatically made an input of the build process of @var{exp}. In the build environment, each @var{file-name} contains the reference graph of the corresponding item, in a simple text format. @var{allowed-references} must be either @code{#f} or a list of output names and packages. In the latter case, the list denotes store items that the result is allowed to refer to. Any reference to another store item will lead to a build error. Similarly for @var{disallowed-references}, which can list items that must not be referenced by the outputs. @var{deprecation-warnings} determines whether to show deprecation warnings while compiling modules. It can be @code{#f}, @code{#t}, or @code{'detailed}. The other arguments are as for @code{derivation} (@pxref{Dérivations}). @end deffn @cindex file-like objects The @code{local-file}, @code{plain-file}, @code{computed-file}, @code{program-file}, and @code{scheme-file} procedures below return @dfn{file-like objects}. That is, when unquoted in a G-expression, these objects lead to a file in the store. Consider this G-expression: @example #~(system* #$(file-append glibc "/sbin/nscd") "-f" #$(local-file "/tmp/my-nscd.conf")) @end example The effect here is to ``intern'' @file{/tmp/my-nscd.conf} by copying it to the store. Once expanded, for instance @i{via} @code{gexp->derivation}, the G-expression refers to that copy under @file{/gnu/store}; thus, modifying or removing the file in @file{/tmp} does not have any effect on what the G-expression does. @code{plain-file} can be used similarly; it differs in that the file content is directly passed as a string. @deffn {Scheme Procedure} local-file @var{file} [@var{name}] @ [#:recursive? #f] [#:select? (const #t)] Return an object representing local file @var{file} to add to the store; this object can be used in a gexp. If @var{file} is a relative file name, it is looked up relative to the source file where this form appears. @var{file} will be added to the store under @var{name}--by default the base name of @var{file}. When @var{recursive?} is true, the contents of @var{file} are added recursively; if @var{file} designates a flat file and @var{recursive?} is true, its contents are added, and its permission bits are kept. When @var{recursive?} is true, call @code{(@var{select?} @var{file} @var{stat})} for each directory entry, where @var{file} is the entry's absolute file name and @var{stat} is the result of @code{lstat}; exclude entries for which @var{select?} does not return true. This is the declarative counterpart of the @code{interned-file} monadic procedure (@pxref{La monad du dépôt, @code{interned-file}}). @end deffn @deffn {Scheme Procedure} plain-file @var{name} @var{content} Return an object representing a text file called @var{name} with the given @var{content} (a string) to be added to the store. This is the declarative counterpart of @code{text-file}. @end deffn @deffn {Scheme Procedure} computed-file @var{name} @var{gexp} @ [#:options '(#:local-build? #t)] Return an object representing the store item @var{name}, a file or directory computed by @var{gexp}. @var{options} is a list of additional arguments to pass to @code{gexp->derivation}. This is the declarative counterpart of @code{gexp->derivation}. @end deffn @deffn {Monadic Procedure} gexp->script @var{name} @var{exp} @ [#:guile (default-guile)] [#:module-path %load-path] Return an executable script @var{name} that runs @var{exp} using @var{guile}, with @var{exp}'s imported modules in its search path. Look up @var{exp}'s modules in @var{module-path}. The example below builds a script that simply invokes the @command{ls} command: @example (use-modules (guix gexp) (gnu packages base)) (gexp->script "list-files" #~(execl #$(file-append coreutils "/bin/ls") "ls")) @end example When ``running'' it through the store (@pxref{La monad du dépôt, @code{run-with-store}}), we obtain a derivation that produces an executable file @file{/gnu/store/@dots{}-list-files} along these lines: @example #!/gnu/store/@dots{}-guile-2.0.11/bin/guile -ds !# (execl "/gnu/store/@dots{}-coreutils-8.22"/bin/ls" "ls") @end example @end deffn @deffn {Scheme Procedure} program-file @var{name} @var{exp} @ [#:guile #f] [#:module-path %load-path] Return an object representing the executable store item @var{name} that runs @var{gexp}. @var{guile} is the Guile package used to execute that script. Imported modules of @var{gexp} are looked up in @var{module-path}. This is the declarative counterpart of @code{gexp->script}. @end deffn @deffn {Monadic Procedure} gexp->file @var{name} @var{exp} @ [#:set-load-path? #t] [#:module-path %load-path] @ [#:splice? #f] @ [#:guile (default-guile)] Return a derivation that builds a file @var{name} containing @var{exp}. When @var{splice?} is true, @var{exp} is considered to be a list of expressions that will be spliced in the resulting file. When @var{set-load-path?} is true, emit code in the resulting file to set @code{%load-path} and @code{%load-compiled-path} to honor @var{exp}'s imported modules. Look up @var{exp}'s modules in @var{module-path}. The resulting file holds references to all the dependencies of @var{exp} or a subset thereof. @end deffn @deffn {Scheme Procedure} derivation @var{store} @var{name} @var{builder} @ Return an object representing the Scheme file @var{name} that contains @var{exp}. This is the declarative counterpart of @code{gexp->file}. @end deffn @deffn {Monadic Procedure} text-file* @var{name} @var{text} @dots{} Return as a monadic value a derivation that builds a text file containing all of @var{text}. @var{text} may list, in addition to strings, objects of any type that can be used in a gexp: packages, derivations, local file objects, etc. The resulting store file holds references to all these. This variant should be preferred over @code{text-file} anytime the file to create will reference items from the store. This is typically the case when building a configuration file that embeds store file names, like this: @example (define (profile.sh) ;; Return the name of a shell script in the store that ;; initializes the 'PATH' environment variable. (text-file* "profile.sh" "export PATH=" coreutils "/bin:" grep "/bin:" sed "/bin\n")) @end example In this example, the resulting @file{/gnu/store/@dots{}-profile.sh} file will reference @var{coreutils}, @var{grep}, and @var{sed}, thereby preventing them from being garbage-collected during its lifetime. @end deffn @deffn {Scheme Procedure} mixed-text-file @var{name} @var{text} @dots{} Return an object representing store file @var{name} containing @var{text}. @var{text} is a sequence of strings and file-like objects, as in: @example (mixed-text-file "profile" "export PATH=" coreutils "/bin:" grep "/bin") @end example This is the declarative counterpart of @code{text-file*}. @end deffn @deffn {Scheme Procedure} file-union @var{name} @var{files} Return a @code{} that builds a directory containing all of @var{files}. Each item in @var{files} must be a two-element list where the first element is the file name to use in the new directory, and the second element is a gexp denoting the target file. Here's an example: @example (file-union "etc" `(("hosts" ,(plain-file "hosts" "127.0.0.1 localhost")) ("bashrc" ,(plain-file "bashrc" "alias ls='ls --color'")))) @end example This yields an @code{etc} directory containing these two files. @end deffn @deffn {Scheme Procedure} directory-union @var{name} @var{things} Return a directory that is the union of @var{things}, where @var{things} is a list of file-like objects denoting directories. For example: @example (directory-union "guile+emacs" (list guile emacs)) @end example yields a directory that is the union of the @code{guile} and @code{emacs} packages. @end deffn @deffn {Scheme Procedure} file-append @var{obj} @var{suffix} @dots{} Return a file-like object that expands to the concatenation of @var{obj} and @var{suffix}, where @var{obj} is a lowerable object and each @var{suffix} is a string. As an example, consider this gexp: @example (gexp->script "run-uname" #~(system* #$(file-append coreutils "/bin/uname"))) @end example The same effect could be achieved with: @example (gexp->script "run-uname" #~(system* (string-append #$coreutils "/bin/uname"))) @end example There is one difference though: in the @code{file-append} case, the resulting script contains the absolute file name as a string, whereas in the second case, the resulting script contains a @code{(string-append @dots{})} expression to construct the file name @emph{at run time}. @end deffn Of course, in addition to gexps embedded in ``host'' code, there are also modules containing build tools. To make it clear that they are meant to be used in the build stratum, these modules are kept in the @code{(guix build @dots{})} name space. @cindex lowering, of high-level objects in gexps Internally, high-level objects are @dfn{lowered}, using their compiler, to either derivations or store items. For instance, lowering a package yields a derivation, and lowering a @code{plain-file} yields a store item. This is achieved using the @code{lower-object} monadic procedure. @deffn {Monadic Procedure} lower-object @var{obj} [@var{system}] @ [#:target #f] Return as a value in @var{%store-monad} the derivation or store item corresponding to @var{obj} for @var{system}, cross-compiling for @var{target} if @var{target} is true. @var{obj} must be an object that has an associated gexp compiler, such as a @code{}. @end deffn @c ********************************************************************* @node Utilitaires @chapter Utilitaires cette section décrit les utilitaires en ligne de commande de Guix. certains sont surtout faits pour les développeurs qui écrivent de nouvelles définitions de paquets tandis que d'autres sont plus utiles pour une utilisation générale. Ils complètent l'interface de programmation Scheme de Guix d'une manière pratique. @menu * Invoquer guix build:: Construire des paquets depuis la ligne de commande. * Invoquer guix edit:: Modifier les définitions de paquets. * Invoquer guix download:: Télécharger un fichier et afficher son hash. * Invoquer guix hash:: Calculer le hash cryptographique d'un fichier. * Invoquer guix import:: Importer des définitions de paquets. * Invoquer guix refresh:: Mettre à jour les définitions de paquets. * Invoquer guix lint:: Trouver des erreurs dans les définitions de paquets. * Invoquer guix size:: Profiler l'utilisation du disque. * Invoquer guix graph:: Visualiser le graphe des paquets. * Invoquer guix environment:: Mettre en place des environnements de développement. * Invoquer guix publish:: Partager des substituts. * Invoquer guix challenge:: Défier les serveurs de substituts. * Invoquer guix copy:: Copier vers et depuis un dépôt distant. * Invoquer guix container:: Isolation de processus. * Invoquer guix weather:: Mesurer la disponibilité des substituts. @end menu @node Invoquer guix build @section Invoquer @command{guix build} @cindex construction de paquets @cindex @command{guix build} The @command{guix build} command builds packages or derivations and their dependencies, and prints the resulting store paths. Note that it does not modify the user's profile---this is the job of the @command{guix package} command (@pxref{Invoquer guix package}). Thus, it is mainly useful for distribution developers. La syntaxe générale est : @example guix build @var{options} @var{package-or-derivation}@dots{} @end example As an example, the following command builds the latest versions of Emacs and of Guile, displays their build logs, and finally displays the resulting directories: @example guix build emacs guile @end example Similarly, the following command builds all the available packages: @example guix build --quiet --keep-going \ `guix package -A | cut -f1,2 --output-delimiter=@@` @end example @var{package-or-derivation} may be either the name of a package found in the software distribution such as @code{coreutils} or @code{coreutils@@8.20}, or a derivation such as @file{/gnu/store/@dots{}-coreutils-8.19.drv}. In the former case, a package with the corresponding name (and optionally version) is searched for among the GNU distribution modules (@pxref{Modules de paquets}). Alternatively, the @code{--expression} option may be used to specify a Scheme expression that evaluates to a package; this is useful when disambiguating among several same-named packages or package variants is needed. There may be zero or more @var{options}. The available options are described in the subsections below. @menu * Options de construction communes:: Options de construction pour la plupart des commandes. * Options de transformation de paquets:: Créer des variantes de paquets. * Options de construction supplémentaires:: Options spécifiques à « guix build ». * Débogage des échecs de construction:: La vie d'un empaqueteur. @end menu @node Options de construction communes @subsection Options de construction communes A number of options that control the build process are common to @command{guix build} and other commands that can spawn builds, such as @command{guix package} or @command{guix archive}. These are the following: @table @code @item --load-path=@var{directory} @itemx -L @var{directory} Add @var{directory} to the front of the package module search path (@pxref{Modules de paquets}). This allows users to define their own packages and make them visible to the command-line tools. @item --keep-failed @itemx -K Keep the build tree of failed builds. Thus, if a build fails, its build tree is kept under @file{/tmp}, in a directory whose name is shown at the end of the build log. This is useful when debugging build issues. @xref{Débogage des échecs de construction}, for tips and tricks on how to debug build issues. @item --keep-going @itemx -k Keep going when some of the derivations fail to build; return only once all the builds have either completed or failed. The default behavior is to stop as soon as one of the specified derivations has failed. @item --dry-run @itemx -n Do not build the derivations. @anchor{fallback-option} @item --fallback When substituting a pre-built binary fails, fall back to building packages locally (@pxref{Échec de substitution}). @item --substitute-urls=@var{urls} @anchor{client-substitute-urls} Consider @var{urls} the whitespace-separated list of substitute source URLs, overriding the default list of URLs of @command{guix-daemon} (@pxref{daemon-substitute-urls,, @command{guix-daemon} URLs}). Cela signifie que les substituts peuvent être téléchargés depuis @var{urls}, tant qu'ils sont signés par une clef autorisée par l'administrateur système (@pxref{Substituts}). When @var{urls} is the empty string, substitutes are effectively disabled. @item --no-substitutes Ne pas utiliser de substitut pour les résultats de la construction. C'est-à-dire, toujours construire localement plutôt que de permettre le téléchargement de binaires pré-construits (@pxref{Substituts}). @item --no-grafts Do not ``graft'' packages. In practice, this means that package updates available as grafts are not applied. @xref{Mises à jour de sécurité}, for more information on grafts. @item --rounds=@var{n} Build each derivation @var{n} times in a row, and raise an error if consecutive build results are not bit-for-bit identical. This is a useful way to detect non-deterministic builds processes. Non-deterministic build processes are a problem because they make it practically impossible for users to @emph{verify} whether third-party binaries are genuine. @xref{Invoquer guix challenge}, for more. Note that, currently, the differing build results are not kept around, so you will have to manually investigate in case of an error---e.g., by stashing one of the build results with @code{guix archive --export} (@pxref{Invoquer guix archive}), then rebuilding, and finally comparing the two results. @item --no-build-hook Do not attempt to offload builds @i{via} the ``build hook'' of the daemon (@pxref{Réglages du délestage du démon}). That is, always build things locally instead of offloading builds to remote machines. @item --max-silent-time=@var{secondes} Lorsque le processus de construction ou de substitution restent silencieux pendant plus de @var{secondes}, le terminer et rapporter une erreur de construction. By default, the daemon's setting is honored (@pxref{Invoquer guix-daemon, @code{--max-silent-time}}). @item --timeout=@var{secondes} De même, lorsque le processus de construction ou de substitution dure plus de @var{secondes}, le terminer et rapporter une erreur de construction. By default, the daemon's setting is honored (@pxref{Invoquer guix-daemon, @code{--timeout}}). @item --verbosity=@var{level} Use the given verbosity level. @var{level} must be an integer between 0 and 5; higher means more verbose output. Setting a level of 4 or more may be helpful when debugging setup issues with the build daemon. @item --cores=@var{n} @itemx -c @var{n} Allow the use of up to @var{n} CPU cores for the build. The special value @code{0} means to use as many CPU cores as available. @item --max-jobs=@var{n} @itemx -M @var{n} Allow at most @var{n} build jobs in parallel. @xref{Invoquer guix-daemon, @code{--max-jobs}}, for details about this option and the equivalent @command{guix-daemon} option. @end table Behind the scenes, @command{guix build} is essentially an interface to the @code{package-derivation} procedure of the @code{(guix packages)} module, and to the @code{build-derivations} procedure of the @code{(guix derivations)} module. In addition to options explicitly passed on the command line, @command{guix build} and other @command{guix} commands that support building honor the @code{GUIX_BUILD_OPTIONS} environment variable. @defvr {Environment Variable} GUIX_BUILD_OPTIONS Users can define this variable to a list of command line options that will automatically be used by @command{guix build} and other @command{guix} commands that can perform builds, as in the example below: @example $ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar" @end example These options are parsed independently, and the result is appended to the parsed command-line options. @end defvr @node Options de transformation de paquets @subsection Options de transformation de paquets @cindex package variants Another set of command-line options supported by @command{guix build} and also @command{guix package} are @dfn{package transformation options}. These are options that make it possible to define @dfn{package variants}---for instance, packages built from different source code. This is a convenient way to create customized packages on the fly without having to type in the definitions of package variants (@pxref{Définition des paquets}). @table @code @item --with-source=@var{source} @itemx --with-source=@var{package}=@var{source} @itemx --with-source=@var{package}@@@var{version}=@var{source} Use @var{source} as the source of @var{package}, and @var{version} as its version number. @var{source} must be a file name or a URL, as for @command{guix download} (@pxref{Invoquer guix download}). When @var{package} is omitted, it is taken to be the package name specified on the command line that matches the base of @var{source}---e.g., if @var{source} is @code{/src/guile-2.0.10.tar.gz}, the corresponding package is @code{guile}. Likewise, when @var{version} is omitted, the version string is inferred from @var{source}; in the previous example, it is @code{2.0.10}. This option allows users to try out versions of packages other than the one provided by the distribution. The example below downloads @file{ed-1.7.tar.gz} from a GNU mirror and uses that as the source for the @code{ed} package: @example guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz @end example As a developer, @code{--with-source} makes it easy to test release candidates: @example guix build guile --with-source=../guile-2.0.9.219-e1bb7.tar.xz @end example @dots{} or to build from a checkout in a pristine environment: @example $ git clone git://git.sv.gnu.org/guix.git $ guix build guix --with-source=guix@@1.0=./guix @end example @item --with-input=@var{package}=@var{replacement} Replace dependency on @var{package} by a dependency on @var{replacement}. @var{package} must be a package name, and @var{replacement} must be a package specification such as @code{guile} or @code{guile@@1.8}. For instance, the following command builds Guix, but replaces its dependency on the current stable version of Guile with a dependency on the legacy version of Guile, @code{guile@@2.0}: @example guix build --with-input=guile=guile@@2.0 guix @end example This is a recursive, deep replacement. So in this example, both @code{guix} and its dependency @code{guile-json} (which also depends on @code{guile}) get rebuilt against @code{guile@@2.0}. This is implemented using the @code{package-input-rewriting} Scheme procedure (@pxref{Définition des paquets, @code{package-input-rewriting}}). @item --with-graft=@var{package}=@var{replacement} This is similar to @code{--with-input} but with an important difference: instead of rebuilding the whole dependency chain, @var{replacement} is built and then @dfn{grafted} onto the binaries that were initially referring to @var{package}. @xref{Mises à jour de sécurité}, for more information on grafts. For example, the command below grafts version 3.5.4 of GnuTLS onto Wget and all its dependencies, replacing references to the version of GnuTLS they currently refer to: @example guix build --with-graft=gnutls=gnutls@@3.5.4 wget @end example This has the advantage of being much faster than rebuilding everything. But there is a caveat: it works if and only if @var{package} and @var{replacement} are strictly compatible---for example, if they provide a library, the application binary interface (ABI) of those libraries must be compatible. If @var{replacement} is somehow incompatible with @var{package}, then the resulting package may be unusable. Use with care! @end table @node Options de construction supplémentaires @subsection Options de construction supplémentaires The command-line options presented below are specific to @command{guix build}. @table @code @item --quiet @itemx -q Build quietly, without displaying the build log. Upon completion, the build log is kept in @file{/var} (or similar) and can always be retrieved using the @option{--log-file} option. @item --file=@var{file} @itemx -f @var{fichier} Build the package or derivation that the code within @var{file} evaluates to. As an example, @var{file} might contain a package definition like this (@pxref{Définition des paquets}): @example @verbatiminclude package-hello.scm @end example @item --expression=@var{expr} @itemx -e @var{expr} Build the package or derivation @var{expr} evaluates to. For example, @var{expr} may be @code{(@@ (gnu packages guile) guile-1.8)}, which unambiguously designates this specific variant of version 1.8 of Guile. Alternatively, @var{expr} may be a G-expression, in which case it is used as a build program passed to @code{gexp->derivation} (@pxref{G-Expressions}). Lastly, @var{expr} may refer to a zero-argument monadic procedure (@pxref{La monad du dépôt}). The procedure must return a derivation as a monadic value, which is then passed through @code{run-with-store}. @item --source @itemx -S Build the source derivations of the packages, rather than the packages themselves. For instance, @code{guix build -S gcc} returns something like @file{/gnu/store/@dots{}-gcc-4.7.2.tar.bz2}, which is the GCC source tarball. The returned source tarball is the result of applying any patches and code snippets specified in the package @code{origin} (@pxref{Définition des paquets}). @item --sources Fetch and return the source of @var{package-or-derivation} and all their dependencies, recursively. This is a handy way to obtain a local copy of all the source code needed to build @var{packages}, allowing you to eventually build them even without network access. It is an extension of the @code{--source} option and can accept one of the following optional argument values: @table @code @item package This value causes the @code{--sources} option to behave in the same way as the @code{--source} option. @item all Build the source derivations of all packages, including any source that might be listed as @code{inputs}. This is the default value. @example $ guix build --sources tzdata The following derivations will be built: /gnu/store/@dots{}-tzdata2015b.tar.gz.drv /gnu/store/@dots{}-tzcode2015b.tar.gz.drv @end example @item transitive Build the source derivations of all packages, as well of all transitive inputs to the packages. This can be used e.g. to prefetch package source for later offline building. @example $ guix build --sources=transitive tzdata The following derivations will be built: /gnu/store/@dots{}-tzcode2015b.tar.gz.drv /gnu/store/@dots{}-findutils-4.4.2.tar.xz.drv /gnu/store/@dots{}-grep-2.21.tar.xz.drv /gnu/store/@dots{}-coreutils-8.23.tar.xz.drv /gnu/store/@dots{}-make-4.1.tar.xz.drv /gnu/store/@dots{}-bash-4.3.tar.xz.drv @dots{} @end example @end table @item --system=@var{système} @itemx -s @var{système} Tenter de construire pour le @var{système} — p.@: ex.@: @code{i686-linux} — plutôt que pour le type de système de l'hôte de construction. @quotation Remarque The @code{--system} flag is for @emph{native} compilation and must not be confused with cross-compilation. See @code{--target} below for information on cross-compilation. @end quotation An example use of this is on Linux-based systems, which can emulate different personalities. For instance, passing @code{--system=i686-linux} on an @code{x86_64-linux} system or @code{--system=armhf-linux} on an @code{aarch64-linux} system allows you to build packages in a complete 32-bit environment. @quotation Remarque Building for an @code{armhf-linux} system is unconditionally enabled on @code{aarch64-linux} machines, although certain aarch64 chipsets do not allow for this functionality, notably the ThunderX. @end quotation Similarly, when transparent emulation with QEMU and @code{binfmt_misc} is enabled (@pxref{Services de virtualisation, @code{qemu-binfmt-service-type}}), you can build for any system for which a QEMU @code{binfmt_misc} handler is installed. Builds for a system other than that of the machine you are using can also be offloaded to a remote machine of the right architecture. @xref{Réglages du délestage du démon}, for more information on offloading. @item --target=@var{triplet} @cindex compilation croisée Effectuer une compilation croisée pour @var{triplet} qui doit être un triplet GNU valide, comme @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU configuration triplets,, autoconf, Autoconf}). @anchor{build-check} @item --check @cindex déterminisme, vérification @cindex reproductibilité, vérification Rebuild @var{package-or-derivation}, which are already available in the store, and raise an error if the build results are not bit-for-bit identical. Ce mécanisme vous permet de vérifier si les substituts précédemment installés sont authentiques (@pxref{Substituts}) ou si le résultat de la construction d'un paquet est déterministe. @xref{Invoquer guix challenge} pour plus d'informations et pour les outils. Lorsqu'utilisé avec @option{--keep-failed}, la sourtie différente est gardée dans le dépôt sous @file{/gnu/store/@dots{}-check}. Cela rend plus facile l'étude des différences entre les deux résultats. @item --repair @cindex repairing store items @cindex corruption, récupérer de Attempt to repair the specified store items, if they are corrupt, by re-downloading or rebuilding them. This operation is not atomic and thus restricted to @code{root}. @item --derivations @itemx -d Return the derivation paths, not the output paths, of the given packages. @item --root=@var{file} @itemx -r @var{file} @cindex GC roots, adding @cindex garbage collector roots, adding Make @var{file} a symlink to the result, and register it as a garbage collector root. Consequently, the results of this @command{guix build} invocation are protected from garbage collection until @var{file} is removed. When that option is omitted, build results are eligible for garbage collection as soon as the build completes. @xref{Invoquer guix gc}, for more on GC roots. @item --log-file @cindex build logs, access Return the build log file names or URLs for the given @var{package-or-derivation}, or raise an error if build logs are missing. This works regardless of how packages or derivations are specified. For instance, the following invocations are equivalent: @example guix build --log-file `guix build -d guile` guix build --log-file `guix build guile` guix build --log-file guile guix build --log-file -e '(@@ (gnu packages guile) guile-2.0)' @end example If a log is unavailable locally, and unless @code{--no-substitutes} is passed, the command looks for a corresponding log on one of the substitute servers (as specified with @code{--substitute-urls}.) So for instance, imagine you want to see the build log of GDB on MIPS, but you are actually on an @code{x86_64} machine: @example $ guix build --log-file gdb -s mips64el-linux https://hydra.gnu.org/log/@dots{}-gdb-7.10 @end example You can freely access a huge library of build logs! @end table @node Débogage des échecs de construction @subsection Débogage des échecs de construction @cindex build failures, debugging When defining a new package (@pxref{Définition des paquets}), you will probably find yourself spending some time debugging and tweaking the build until it succeeds. To do that, you need to operate the build commands yourself in an environment as close as possible to the one the build daemon uses. To that end, the first thing to do is to use the @option{--keep-failed} or @option{-K} option of @command{guix build}, which will keep the failed build tree in @file{/tmp} or whatever directory you specified as @code{TMPDIR} (@pxref{Invoquer guix build, @code{--keep-failed}}). From there on, you can @command{cd} to the failed build tree and source the @file{environment-variables} file, which contains all the environment variable definitions that were in place when the build failed. So let's say you're debugging a build failure in package @code{foo}; a typical session would look like this: @example $ guix build foo -K @dots{} @i{build fails} $ cd /tmp/guix-build-foo.drv-0 $ source ./environment-variables $ cd foo-1.2 @end example Now, you can invoke commands as if you were the daemon (almost) and troubleshoot your build process. Sometimes it happens that, for example, a package's tests pass when you run them manually but they fail when the daemon runs them. This can happen because the daemon runs builds in containers where, unlike in our environment above, network access is missing, @file{/bin/sh} does not exist, etc. (@pxref{Réglages de l'environnement de construction}). In such cases, you may need to run inspect the build process from within a container similar to the one the build daemon creates: @example $ guix build -K foo @dots{} $ cd /tmp/guix-build-foo.drv-0 $ guix environment --no-grafts -C foo --ad-hoc strace gdb [env]# source ./environment-variables [env]# cd foo-1.2 @end example Here, @command{guix environment -C} creates a container and spawns a new shell in it (@pxref{Invoquer guix environment}). The @command{--ad-hoc strace gdb} part adds the @command{strace} and @command{gdb} commands to the container, which would may find handy while debugging. The @option{--no-grafts} option makes sure we get the exact same environment, with ungrafted packages (@pxref{Mises à jour de sécurité}, for more info on grafts). To get closer to a container like that used by the build daemon, we can remove @file{/bin/sh}: @example [env]# rm /bin/sh @end example (Don't worry, this is harmless: this is all happening in the throw-away container created by @command{guix environment}.) The @command{strace} command is probably not in the search path, but we can run: @example [env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check @end example In this way, not only you will have reproduced the environment variables the daemon uses, you will also be running the build process in a container similar to the one the daemon uses. @node Invoquer guix edit @section Invoking @command{guix edit} @cindex @command{guix edit} @cindex package definition, editing So many packages, so many source files! The @command{guix edit} command facilitates the life of users and packagers by pointing their editor at the source file containing the definition of the specified packages. For instance: @example guix edit gcc@@4.9 vim @end example @noindent launches the program specified in the @code{VISUAL} or in the @code{EDITOR} environment variable to view the recipe of GCC@tie{}4.9.3 and that of Vim. If you are using a Guix Git checkout (@pxref{Construire depuis Git}), or have created your own packages on @code{GUIX_PACKAGE_PATH} (@pxref{Définition des paquets}), you will be able to edit the package recipes. Otherwise, you will be able to examine the read-only recipes for packages currently in the store. @node Invoquer guix download @section Invoking @command{guix download} @cindex @command{guix download} @cindex downloading package sources When writing a package definition, developers typically need to download a source tarball, compute its SHA256 hash, and write that hash in the package definition (@pxref{Définition des paquets}). The @command{guix download} tool helps with this task: it downloads a file from the given URI, adds it to the store, and prints both its file name in the store and its SHA256 hash. The fact that the downloaded file is added to the store saves bandwidth: when the developer eventually tries to build the newly defined package with @command{guix build}, the source tarball will not have to be downloaded again because it is already in the store. It is also a convenient way to temporarily stash files, which may be deleted eventually (@pxref{Invoquer guix gc}). The @command{guix download} command supports the same URIs as used in package definitions. In particular, it supports @code{mirror://} URIs. @code{https} URIs (HTTP over TLS) are supported @emph{provided} the Guile bindings for GnuTLS are available in the user's environment; when they are not available, an error is raised. @xref{Guile Preparations, how to install the GnuTLS bindings for Guile,, gnutls-guile, GnuTLS-Guile}, for more information. @command{guix download} verifies HTTPS server certificates by loading the certificates of X.509 authorities from the directory pointed to by the @code{SSL_CERT_DIR} environment variable (@pxref{Certificats X.509}), unless @option{--no-check-certificate} is used. The following options are available: @table @code @item --format=@var{fmt} @itemx -f @var{fmt} Write the hash in the format specified by @var{fmt}. For more information on the valid values for @var{fmt}, @pxref{Invoquer guix hash}. @item --no-check-certificate Do not validate the X.509 certificates of HTTPS servers. When using this option, you have @emph{absolutely no guarantee} that you are communicating with the authentic server responsible for the given URL, which makes you vulnerable to ``man-in-the-middle'' attacks. @item --output=@var{file} @itemx -o @var{file} Save the downloaded file to @var{file} instead of adding it to the store. @end table @node Invoquer guix hash @section Invoking @command{guix hash} @cindex @command{guix hash} The @command{guix hash} command computes the SHA256 hash of a file. It is primarily a convenience tool for anyone contributing to the distribution: it computes the cryptographic hash of a file, which can be used in the definition of a package (@pxref{Définition des paquets}). La syntaxe générale est : @example guix hash @var{option} @var{file} @end example When @var{file} is @code{-} (a hyphen), @command{guix hash} computes the hash of data read from standard input. @command{guix hash} has the following options: @table @code @item --format=@var{fmt} @itemx -f @var{fmt} Write the hash in the format specified by @var{fmt}. Supported formats: @code{nix-base32}, @code{base32}, @code{base16} (@code{hex} and @code{hexadecimal} can be used as well). If the @option{--format} option is not specified, @command{guix hash} will output the hash in @code{nix-base32}. This representation is used in the definitions of packages. @item --recursive @itemx -r Compute the hash on @var{file} recursively. @c FIXME: Replace xref above with xref to an ``Archive'' section when @c it exists. In this case, the hash is computed on an archive containing @var{file}, including its children if it is a directory. Some of the metadata of @var{file} is part of the archive; for instance, when @var{file} is a regular file, the hash is different depending on whether @var{file} is executable or not. Metadata such as time stamps has no impact on the hash (@pxref{Invoquer guix archive}). @item --exclude-vcs @itemx -x When combined with @option{--recursive}, exclude version control system directories (@file{.bzr}, @file{.git}, @file{.hg}, etc.) @vindex git-fetch As an example, here is how you would compute the hash of a Git checkout, which is useful when using the @code{git-fetch} method (@pxref{Référence d'origine}): @example $ git clone http://example.org/foo.git $ cd foo $ guix hash -rx . @end example @end table @node Invoquer guix import @section Invoking @command{guix import} @cindex importing packages @cindex package import @cindex package conversion @cindex Invoking @command{guix import} The @command{guix import} command is useful for people who would like to add a package to the distribution with as little work as possible---a legitimate demand. The command knows of a few repositories from which it can ``import'' package metadata. The result is a package definition, or a template thereof, in the format we know (@pxref{Définition des paquets}). La syntaxe générale est : @example guix import @var{importer} @var{options}@dots{} @end example @var{importer} specifies the source from which to import package metadata, and @var{options} specifies a package identifier and other options specific to @var{importer}. Currently, the available ``importers'' are: @table @code @item gnu Import metadata for the given GNU package. This provides a template for the latest version of that GNU package, including the hash of its source tarball, and its canonical synopsis and description. Additional information such as the package dependencies and its license needs to be figured out manually. For example, the following command returns a package definition for GNU@tie{}Hello: @example guix import gnu hello @end example Specific command-line options are: @table @code @item --key-download=@var{policy} As for @code{guix refresh}, specify the policy to handle missing OpenPGP keys when verifying the package signature. @xref{Invoquer guix refresh, @code{--key-download}}. @end table @item pypi @cindex pypi Import metadata from the @uref{https://pypi.python.org/, Python Package Index}@footnote{This functionality requires Guile-JSON to be installed. @xref{Prérequis}.}. Information is taken from the JSON-formatted description available at @code{pypi.python.org} and usually includes all the relevant information, including package dependencies. For maximum efficiency, it is recommended to install the @command{unzip} utility, so that the importer can unzip Python wheels and gather data from them. The command below imports metadata for the @code{itsdangerous} Python package: @example guix import pypi itsdangerous @end example @item gem @cindex gem Import metadata from @uref{https://rubygems.org/, RubyGems}@footnote{This functionality requires Guile-JSON to be installed. @xref{Prérequis}.}. Information is taken from the JSON-formatted description available at @code{rubygems.org} and includes most relevant information, including runtime dependencies. There are some caveats, however. The metadata doesn't distinguish between synopses and descriptions, so the same string is used for both fields. Additionally, the details of non-Ruby dependencies required to build native extensions is unavailable and left as an exercise to the packager. The command below imports metadata for the @code{rails} Ruby package: @example guix import gem rails @end example @item cpan @cindex CPAN Import metadata from @uref{https://www.metacpan.org/, MetaCPAN}@footnote{This functionality requires Guile-JSON to be installed. @xref{Prérequis}.}. Information is taken from the JSON-formatted metadata provided through @uref{https://fastapi.metacpan.org/, MetaCPAN's API} and includes most relevant information, such as module dependencies. License information should be checked closely. If Perl is available in the store, then the @code{corelist} utility will be used to filter core modules out of the list of dependencies. The command command below imports metadata for the @code{Acme::Boolean} Perl module: @example guix import cpan Acme::Boolean @end example @item cran @cindex CRAN @cindex Bioconductor Import metadata from @uref{https://cran.r-project.org/, CRAN}, the central repository for the @uref{http://r-project.org, GNU@tie{}R statistical and graphical environment}. Information is extracted from the @code{DESCRIPTION} file of the package. The command command below imports metadata for the @code{Cairo} R package: @example guix import cran Cairo @end example When @code{--recursive} is added, the importer will traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix. When @code{--archive=bioconductor} is added, metadata is imported from @uref{https://www.bioconductor.org/, Bioconductor}, a repository of R packages for for the analysis and comprehension of high-throughput genomic data in bioinformatics. Information is extracted from the @code{DESCRIPTION} file of a package published on the web interface of the Bioconductor SVN repository. The command below imports metadata for the @code{GenomicRanges} R package: @example guix import cran --archive=bioconductor GenomicRanges @end example @item texlive @cindex TeX Live @cindex CTAN Import metadata from @uref{http://www.ctan.org/, CTAN}, the comprehensive TeX archive network for TeX packages that are part of the @uref{https://www.tug.org/texlive/, TeX Live distribution}. Information about the package is obtained through the XML API provided by CTAN, while the source code is downloaded from the SVN repository of the Tex Live project. This is done because the CTAN does not keep versioned archives. The command command below imports metadata for the @code{fontspec} TeX package: @example guix import texlive fontspec @end example When @code{--archive=DIRECTORY} is added, the source code is downloaded not from the @file{latex} sub-directory of the @file{texmf-dist/source} tree in the TeX Live SVN repository, but from the specified sibling directory under the same root. The command below imports metadata for the @code{ifxetex} package from CTAN while fetching the sources from the directory @file{texmf/source/generic}: @example guix import texlive --archive=generic ifxetex @end example @item json @cindex JSON, import Import package metadata from a local JSON file@footnote{This functionality requires Guile-JSON to be installed. @xref{Prérequis}.}. Consider the following example package definition in JSON format: @example @{ "name": "hello", "version": "2.10", "source": "mirror://gnu/hello/hello-2.10.tar.gz", "build-system": "gnu", "home-page": "https://www.gnu.org/software/hello/", "synopsis": "Hello, GNU world: An example GNU package", "description": "GNU Hello prints a greeting.", "license": "GPL-3.0+", "native-inputs": ["gcc@@6"] @} @end example The field names are the same as for the @code{} record (@xref{Définition des paquets}). References to other packages are provided as JSON lists of quoted package specification strings such as @code{guile} or @code{guile@@2.0}. The importer also supports a more explicit source definition using the common fields for @code{} records: @example @{ @dots{} "source": @{ "method": "url-fetch", "uri": "mirror://gnu/hello/hello-2.10.tar.gz", "sha256": @{ "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i" @} @} @dots{} @} @end example The command below reads metadata from the JSON file @code{hello.json} and outputs a package expression: @example guix import json hello.json @end example @item nix Import metadata from a local copy of the source of the @uref{http://nixos.org/nixpkgs/, Nixpkgs distribution}@footnote{This relies on the @command{nix-instantiate} command of @uref{http://nixos.org/nix/, Nix}.}. Package definitions in Nixpkgs are typically written in a mixture of Nix-language and Bash code. This command only imports the high-level package structure that is written in the Nix language. It normally includes all the basic fields of a package definition. When importing a GNU package, the synopsis and descriptions are replaced by their canonical upstream variant. Usually, you will first need to do: @example export NIX_REMOTE=daemon @end example @noindent so that @command{nix-instantiate} does not try to open the Nix database. As an example, the command below imports the package definition of LibreOffice (more precisely, it imports the definition of the package bound to the @code{libreoffice} top-level attribute): @example guix import nix ~/path/to/nixpkgs libreoffice @end example @item hackage @cindex hackage Import metadata from the Haskell community's central package archive @uref{https://hackage.haskell.org/, Hackage}. Information is taken from Cabal files and includes all the relevant information, including package dependencies. Specific command-line options are: @table @code @item --stdin @itemx -s Read a Cabal file from standard input. @item --no-test-dependencies @itemx -t Do not include dependencies required only by the test suites. @item --cabal-environment=@var{alist} @itemx -e @var{alist} @var{alist} is a Scheme alist defining the environment in which the Cabal conditionals are evaluated. The accepted keys are: @code{os}, @code{arch}, @code{impl} and a string representing the name of a flag. The value associated with a flag has to be either the symbol @code{true} or @code{false}. The value associated with other keys has to conform to the Cabal file format definition. The default value associated with the keys @code{os}, @code{arch} and @code{impl} is @samp{linux}, @samp{x86_64} and @samp{ghc}, respectively. @end table The command below imports metadata for the latest version of the @code{HTTP} Haskell package without including test dependencies and specifying the value of the flag @samp{network-uri} as @code{false}: @example guix import hackage -t -e "'((\"network-uri\" . false))" HTTP @end example A specific package version may optionally be specified by following the package name by an at-sign and a version number as in the following example: @example guix import hackage mtl@@2.1.3.1 @end example @item stackage @cindex stackage The @code{stackage} importer is a wrapper around the @code{hackage} one. It takes a package name, looks up the package version included in a long-term support (LTS) @uref{https://www.stackage.org, Stackage} release and uses the @code{hackage} importer to retrieve its metadata. Note that it is up to you to select an LTS release compatible with the GHC compiler used by Guix. Specific command-line options are: @table @code @item --no-test-dependencies @itemx -t Do not include dependencies required only by the test suites. @item --lts-version=@var{version} @itemx -r @var{version} @var{version} is the desired LTS release version. If omitted the latest release is used. @end table The command below imports metadata for the @code{HTTP} Haskell package included in the LTS Stackage release version 7.18: @example guix import stackage --lts-version=7.18 HTTP @end example @item elpa @cindex elpa Import metadata from an Emacs Lisp Package Archive (ELPA) package repository (@pxref{Packages,,, emacs, The GNU Emacs Manual}). Specific command-line options are: @table @code @item --archive=@var{repo} @itemx -a @var{repo} @var{repo} identifies the archive repository from which to retrieve the information. Currently the supported repositories and their identifiers are: @itemize - @item @uref{http://elpa.gnu.org/packages, GNU}, selected by the @code{gnu} identifier. This is the default. Packages from @code{elpa.gnu.org} are signed with one of the keys contained in the GnuPG keyring at @file{share/emacs/25.1/etc/package-keyring.gpg} (or similar) in the @code{emacs} package (@pxref{Package Installation, ELPA package signatures,, emacs, The GNU Emacs Manual}). @item @uref{http://stable.melpa.org/packages, MELPA-Stable}, selected by the @code{melpa-stable} identifier. @item @uref{http://melpa.org/packages, MELPA}, selected by the @code{melpa} identifier. @end itemize @item --recursive @itemx -r Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix. @end table @item crate @cindex crate Import metadata from the crates.io Rust package repository @uref{https://crates.io, crates.io}. @end table The structure of the @command{guix import} code is modular. It would be useful to have more importers for other package formats, and your help is welcome here (@pxref{Contribuer}). @node Invoquer guix refresh @section Invoking @command{guix refresh} @cindex @command{guix refresh} The primary audience of the @command{guix refresh} command is developers of the GNU software distribution. By default, it reports any packages provided by the distribution that are outdated compared to the latest upstream version, like this: @example $ guix refresh gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1 gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0 @end example Alternately, one can specify packages to consider, in which case a warning is emitted for packages that lack an updater: @example $ guix refresh coreutils guile guile-ssh gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13 @end example @command{guix refresh} browses the upstream repository of each package and determines the highest version number of the releases therein. The command knows how to update specific types of packages: GNU packages, ELPA packages, etc.---see the documentation for @option{--type} below. There are many packages, though, for which it lacks a method to determine whether a new upstream release is available. However, the mechanism is extensible, so feel free to get in touch with us to add a new method! Sometimes the upstream name differs from the package name used in Guix, and @command{guix refresh} needs a little help. Most updaters honor the @code{upstream-name} property in package definitions, which can be used to that effect: @example (define-public network-manager (package (name "network-manager") ;; @dots{} (properties '((upstream-name . "NetworkManager"))))) @end example When passed @code{--update}, it modifies distribution source files to update the version numbers and source tarball hashes of those package recipes (@pxref{Définition des paquets}). This is achieved by downloading each package's latest source tarball and its associated OpenPGP signature, authenticating the downloaded tarball against its signature using @command{gpg}, and finally computing its hash. When the public key used to sign the tarball is missing from the user's keyring, an attempt is made to automatically retrieve it from a public key server; when this is successful, the key is added to the user's keyring; otherwise, @command{guix refresh} reports an error. The following options are supported: @table @code @item --expression=@var{expr} @itemx -e @var{expr} Considérer le paquet évalué par @var{expr}. This is useful to precisely refer to a package, as in this example: @example guix refresh -l -e '(@@@@ (gnu packages commencement) glibc-final)' @end example This command lists the dependents of the ``final'' libc (essentially all the packages.) @item --update @itemx -u Update distribution source files (package recipes) in place. This is usually run from a checkout of the Guix source tree (@pxref{Lancer Guix avant qu'il ne soit installé}): @example $ ./pre-inst-env guix refresh -s non-core -u @end example @xref{Définition des paquets}, for more information on package definitions. @item --select=[@var{subset}] @itemx -s @var{subset} Select all the packages in @var{subset}, one of @code{core} or @code{non-core}. The @code{core} subset refers to all the packages at the core of the distribution---i.e., packages that are used to build ``everything else''. This includes GCC, libc, Binutils, Bash, etc. Usually, changing one of these packages in the distribution entails a rebuild of all the others. Thus, such updates are an inconvenience to users in terms of build time or bandwidth used to achieve the upgrade. The @code{non-core} subset refers to the remaining packages. It is typically useful in cases where an update of the core packages would be inconvenient. @item --manifest=@var{fichier} @itemx -m @var{fichier} Select all the packages from the manifest in @var{file}. This is useful to check if any packages of the user manifest can be updated. @item --type=@var{updater} @itemx -t @var{updater} Select only packages handled by @var{updater} (may be a comma-separated list of updaters). Currently, @var{updater} may be one of: @table @code @item gnu the updater for GNU packages; @item gnome the updater for GNOME packages; @item kde the updater for KDE packages; @item xorg the updater for X.org packages; @item kernel.org the updater for packages hosted on kernel.org; @item elpa the updater for @uref{http://elpa.gnu.org/, ELPA} packages; @item cran the updater for @uref{https://cran.r-project.org/, CRAN} packages; @item bioconductor the updater for @uref{https://www.bioconductor.org/, Bioconductor} R packages; @item cpan the updater for @uref{http://www.cpan.org/, CPAN} packages; @item pypi the updater for @uref{https://pypi.python.org, PyPI} packages. @item gem the updater for @uref{https://rubygems.org, RubyGems} packages. @item github the updater for @uref{https://github.com, GitHub} packages. @item hackage the updater for @uref{https://hackage.haskell.org, Hackage} packages. @item stackage the updater for @uref{https://www.stackage.org, Stackage} packages. @item crate the updater for @uref{https://crates.io, Crates} packages. @end table For instance, the following command only checks for updates of Emacs packages hosted at @code{elpa.gnu.org} and for updates of CRAN packages: @example $ guix refresh --type=elpa,cran gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0 gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9 @end example @end table In addition, @command{guix refresh} can be passed one or more package names, as in this example: @example $ ./pre-inst-env guix refresh -u emacs idutils gcc@@4.8 @end example @noindent The command above specifically updates the @code{emacs} and @code{idutils} packages. The @code{--select} option would have no effect in this case. When considering whether to upgrade a package, it is sometimes convenient to know which packages would be affected by the upgrade and should be checked for compatibility. For this the following option may be used when passing @command{guix refresh} one or more package names: @table @code @item --list-updaters @itemx -L List available updaters and exit (see @option{--type} above.) For each updater, display the fraction of packages it covers; at the end, display the fraction of packages covered by all these updaters. @item --list-dependent @itemx -l List top-level dependent packages that would need to be rebuilt as a result of upgrading one or more packages. @xref{Invoquer guix graph, the @code{reverse-package} type of @command{guix graph}}, for information on how to visualize the list of dependents of a package. @end table Be aware that the @code{--list-dependent} option only @emph{approximates} the rebuilds that would be required as a result of an upgrade. More rebuilds might be required under some circumstances. @example $ guix refresh --list-dependent flex Building the following 120 packages would ensure 213 dependent packages are rebuilt: hop@@2.4.0 geiser@@0.4 notmuch@@0.18 mu@@0.9.9.5 cflow@@1.4 idutils@@4.6 @dots{} @end example The command above lists a set of packages that could be built to check for compatibility with an upgraded @code{flex} package. The following options can be used to customize GnuPG operation: @table @code @item --gpg=@var{command} Use @var{command} as the GnuPG 2.x command. @var{command} is searched for in @code{$PATH}. @item --key-download=@var{policy} Handle missing OpenPGP keys according to @var{policy}, which may be one of: @table @code @item always Always download missing OpenPGP keys from the key server, and add them to the user's GnuPG keyring. @item never Never try to download missing OpenPGP keys. Instead just bail out. @item interactive When a package signed with an unknown OpenPGP key is encountered, ask the user whether to download it or not. This is the default behavior. @end table @item --key-server=@var{host} Use @var{host} as the OpenPGP key server when importing a public key. @end table The @code{github} updater uses the @uref{https://developer.github.com/v3/, GitHub API} to query for new releases. When used repeatedly e.g. when refreshing all packages, GitHub will eventually refuse to answer any further API requests. By default 60 API requests per hour are allowed, and a full refresh on all GitHub packages in Guix requires more than this. Authentication with GitHub through the use of an API token alleviates these limits. To use an API token, set the environment variable @code{GUIX_GITHUB_TOKEN} to a token procured from @uref{https://github.com/settings/tokens} or otherwise. @node Invoquer guix lint @section Invoking @command{guix lint} @cindex @command{guix lint} @cindex package, checking for errors The @command{guix lint} command is meant to help package developers avoid common errors and use a consistent style. It runs a number of checks on a given set of packages in order to find common mistakes in their definitions. Available @dfn{checkers} include (see @code{--list-checkers} for a complete list): @table @code @item synopsis @itemx description Validate certain typographical and stylistic rules about package descriptions and synopses. @item inputs-should-be-native Identify inputs that should most likely be native inputs. @item source @itemx home-page @itemx mirror-url @itemx source-file-name Probe @code{home-page} and @code{source} URLs and report those that are invalid. Suggest a @code{mirror://} URL when applicable. Check that the source file name is meaningful, e.g. is not just a version number or ``git-checkout'', without a declared @code{file-name} (@pxref{Référence d'origine}). @item cve @cindex security vulnerabilities @cindex CVE, Common Vulnerabilities and Exposures Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year @uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US NIST}. To view information about a particular vulnerability, visit pages such as: @itemize @item @indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD} @item @indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD} @end itemize @noindent where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., @code{CVE-2015-7554}. Package developers can specify in package recipes the @uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} name and version of the package when they differ from the name or version that Guix uses, as in this example: @example (package (name "grub") ;; @dots{} ;; CPE calls this package "grub2". (properties '((cpe-name . "grub2") (cpe-version . "2.3"))) @end example @c See . Some entries in the CVE database do not specify which version of a package they apply to, and would thus ``stick around'' forever. Package developers who found CVE alerts and verified they can be ignored can declare them as in this example: @example (package (name "t1lib") ;; @dots{} ;; These CVEs no longer apply and can be safely ignored. (properties `((lint-hidden-cve . ("CVE-2011-0433" "CVE-2011-1553" "CVE-2011-1554" "CVE-2011-5244"))))) @end example @item formatting Warn about obvious source code formatting issues: trailing white space, use of tabulations, etc. @end table La syntaxe générale est : @example guix lint @var{options} @var{package}@dots{} @end example If no package is given on the command line, then all packages are checked. The @var{options} may be zero or more of the following: @table @code @item --list-checkers @itemx -l List and describe all the available checkers that will be run on packages and exit. @item --checkers @itemx -c Only enable the checkers specified in a comma-separated list using the names returned by @code{--list-checkers}. @end table @node Invoquer guix size @section Invoking @command{guix size} @cindex size @cindex package size @cindex closure @cindex @command{guix size} The @command{guix size} command helps package developers profile the disk usage of packages. It is easy to overlook the impact of an additional dependency added to a package, or the impact of using a single output for a package that could easily be split (@pxref{Des paquets avec plusieurs résultats}). Such are the typical issues that @command{guix size} can highlight. The command can be passed one or more package specifications such as @code{gcc@@4.8} or @code{guile:debug}, or a file name in the store. Consider this example: @example $ guix size coreutils store item total self /gnu/store/@dots{}-gcc-5.5.0-lib 60.4 30.1 38.1% /gnu/store/@dots{}-glibc-2.27 30.3 28.8 36.6% /gnu/store/@dots{}-coreutils-8.28 78.9 15.0 19.0% /gnu/store/@dots{}-gmp-6.1.2 63.1 2.7 3.4% /gnu/store/@dots{}-bash-static-4.4.12 1.5 1.5 1.9% /gnu/store/@dots{}-acl-2.2.52 61.1 0.4 0.5% /gnu/store/@dots{}-attr-2.4.47 60.6 0.2 0.3% /gnu/store/@dots{}-libcap-2.25 60.5 0.2 0.2% total: 78.9 MiB @end example @cindex closure The store items listed here constitute the @dfn{transitive closure} of Coreutils---i.e., Coreutils and all its dependencies, recursively---as would be returned by: @example $ guix gc -R /gnu/store/@dots{}-coreutils-8.23 @end example Here the output shows three columns next to store items. The first column, labeled ``total'', shows the size in mebibytes (MiB) of the closure of the store item---that is, its own size plus the size of all its dependencies. The next column, labeled ``self'', shows the size of the item itself. The last column shows the ratio of the size of the item itself to the space occupied by all the items listed here. In this example, we see that the closure of Coreutils weighs in at 79@tie{}MiB, most of which is taken by libc and GCC's run-time support libraries. (That libc and GCC's libraries represent a large fraction of the closure is not a problem @i{per se} because they are always available on the system anyway.) When the package(s) passed to @command{guix size} are available in the store@footnote{More precisely, @command{guix size} looks for the @emph{ungrafted} variant of the given package(s), as returned by @code{guix build @var{package} --no-grafts}. @xref{Mises à jour de sécurité}, for information on grafts.}, @command{guix size} queries the daemon to determine its dependencies, and measures its size in the store, similar to @command{du -ms --apparent-size} (@pxref{du invocation,,, coreutils, GNU Coreutils}). Lorsque les paquets donnés ne sont @emph{pas} dans le dépôt, @command{guix size} rapporte les informations en se basant sur les substituts disponibles (@pxref{Substituts}). Cela permet de profiler l'utilisation du disque des éléments du dépôt même s'ils ne sont pas sur le disque, mais disponibles à distance. You can also specify several package names: @example $ guix size coreutils grep sed bash store item total self /gnu/store/@dots{}-coreutils-8.24 77.8 13.8 13.4% /gnu/store/@dots{}-grep-2.22 73.1 0.8 0.8% /gnu/store/@dots{}-bash-4.3.42 72.3 4.7 4.6% /gnu/store/@dots{}-readline-6.3 67.6 1.2 1.2% @dots{} total: 102.3 MiB @end example @noindent In this example we see that the combination of the four packages takes 102.3@tie{}MiB in total, which is much less than the sum of each closure since they have a lot of dependencies in common. The available options are: @table @option @item --substitute-urls=@var{urls} Use substitute information from @var{urls}. @xref{client-substitute-urls, the same option for @code{guix build}}. @item --sort=@var{key} Sort lines according to @var{key}, one of the following options: @table @code @item self the size of each item (the default); @item closure the total size of the item's closure. @end table @item --map-file=@var{file} Write a graphical map of disk usage in PNG format to @var{file}. For the example above, the map looks like this: @image{images/coreutils-size-map,5in,, map of Coreutils disk usage produced by @command{guix size}} This option requires that @uref{http://wingolog.org/software/guile-charting/, Guile-Charting} be installed and visible in Guile's module search path. When that is not the case, @command{guix size} fails as it tries to load it. @item --system=@var{système} @itemx -s @var{système} Consider packages for @var{system}---e.g., @code{x86_64-linux}. @end table @node Invoquer guix graph @section Invoking @command{guix graph} @cindex DAG @cindex @command{guix graph} @cindex dépendances des paquets Packages and their dependencies form a @dfn{graph}, specifically a directed acyclic graph (DAG). It can quickly become difficult to have a mental model of the package DAG, so the @command{guix graph} command provides a visual representation of the DAG. By default, @command{guix graph} emits a DAG representation in the input format of @uref{http://www.graphviz.org/, Graphviz}, so its output can be passed directly to the @command{dot} command of Graphviz. It can also emit an HTML page with embedded JavaScript code to display a ``chord diagram'' in a Web browser, using the @uref{https://d3js.org/, d3.js} library, or emit Cypher queries to construct a graph in a graph database supporting the @uref{http://www.opencypher.org/, openCypher} query language. The general syntax is: @example guix graph @var{options} @var{package}@dots{} @end example For example, the following command generates a PDF file representing the package DAG for the GNU@tie{}Core Utilities, showing its build-time dependencies: @example guix graph coreutils | dot -Tpdf > dag.pdf @end example The output looks like this: @image{images/coreutils-graph,2in,,Dependency graph of the GNU Coreutils} Nice little graph, no? But there is more than one graph! The one above is concise: it is the graph of package objects, omitting implicit inputs such as GCC, libc, grep, etc. It is often useful to have such a concise graph, but sometimes one may want to see more details. @command{guix graph} supports several types of graphs, allowing you to choose the level of detail: @table @code @item package This is the default type used in the example above. It shows the DAG of package objects, excluding implicit dependencies. It is concise, but filters out many details. @item reverse-package This shows the @emph{reverse} DAG of packages. For example: @example guix graph --type=reverse-package ocaml @end example ... yields the graph of packages that depend on OCaml. Note that for core packages this can yield huge graphs. If all you want is to know the number of packages that depend on a given package, use @command{guix refresh --list-dependent} (@pxref{Invoquer guix refresh, @option{--list-dependent}}). @item bag-emerged This is the package DAG, @emph{including} implicit inputs. For instance, the following command: @example guix graph --type=bag-emerged coreutils | dot -Tpdf > dag.pdf @end example ... yields this bigger graph: @image{images/coreutils-bag-graph,,5in,Detailed dependency graph of the GNU Coreutils} At the bottom of the graph, we see all the implicit inputs of @var{gnu-build-system} (@pxref{Systèmes de construction, @code{gnu-build-system}}). Now, note that the dependencies of these implicit inputs---that is, the @dfn{bootstrap dependencies} (@pxref{Bootstrapping})---are not shown here, for conciseness. @item bag Similar to @code{bag-emerged}, but this time including all the bootstrap dependencies. @item bag-with-origins Similar to @code{bag}, but also showing origins and their dependencies. @item dérivation This is the most detailed representation: It shows the DAG of derivations (@pxref{Dérivations}) and plain store items. Compared to the above representation, many additional nodes are visible, including build scripts, patches, Guile modules, etc. For this type of graph, it is also possible to pass a @file{.drv} file name instead of a package name, as in: @example guix graph -t derivation `guix system build -d my-config.scm` @end example @item module This is the graph of @dfn{package modules} (@pxref{Modules de paquets}). For example, the following command shows the graph for the package module that defines the @code{guile} package: @example guix graph -t module guile | dot -Tpdf > module-graph.pdf @end example @end table All the types above correspond to @emph{build-time dependencies}. The following graph type represents the @emph{run-time dependencies}: @table @code @item references This is the graph of @dfn{references} of a package output, as returned by @command{guix gc --references} (@pxref{Invoquer guix gc}). If the given package output is not available in the store, @command{guix graph} attempts to obtain dependency information from substitutes. Here you can also pass a store file name instead of a package name. For example, the command below produces the reference graph of your profile (which can be big!): @example guix graph -t references `readlink -f ~/.guix-profile` @end example @item referrers This is the graph of the @dfn{referrers} of a store item, as returned by @command{guix gc --referrers} (@pxref{Invoquer guix gc}). This relies exclusively on local information from your store. For instance, let us suppose that the current Inkscape is available in 10 profiles on your machine; @command{guix graph -t referrers inkscape} will show a graph rooted at Inkscape and with those 10 profiles linked to it. It can help determine what is preventing a store item from being garbage collected. @end table The available options are the following: @table @option @item --type=@var{type} @itemx -t @var{type} Produce a graph output of @var{type}, where @var{type} must be one of the values listed above. @item --list-types List the supported graph types. @item --backend=@var{backend} @itemx -b @var{backend} Produce a graph using the selected @var{backend}. @item --list-backends List the supported graph backends. Currently, the available backends are Graphviz and d3.js. @item --expression=@var{expr} @itemx -e @var{expr} Considérer le paquet évalué par @var{expr}. This is useful to precisely refer to a package, as in this example: @example guix graph -e '(@@@@ (gnu packages commencement) gnu-make-final)' @end example @end table @node Invoquer guix environment @section Invoking @command{guix environment} @cindex reproducible build environments @cindex development environments @cindex @command{guix environment} @cindex environment, package build environment The purpose of @command{guix environment} is to assist hackers in creating reproducible development environments without polluting their package profile. The @command{guix environment} tool takes one or more packages, builds all of their inputs, and creates a shell environment to use them. La syntaxe générale est : @example guix environment @var{options} @var{package}@dots{} @end example The following example spawns a new shell set up for the development of GNU@tie{}Guile: @example guix environment guile @end example If the needed dependencies are not built yet, @command{guix environment} automatically builds them. The environment of the new shell is an augmented version of the environment that @command{guix environment} was run in. It contains the necessary search paths for building the given package added to the existing environment variables. To create a ``pure'' environment, in which the original environment variables have been unset, use the @code{--pure} option@footnote{Users sometimes wrongfully augment environment variables such as @code{PATH} in their @file{~/.bashrc} file. As a consequence, when @code{guix environment} launches it, Bash may read @file{~/.bashrc}, thereby introducing ``impurities'' in these environment variables. It is an error to define such environment variables in @file{.bashrc}; instead, they should be defined in @file{.bash_profile}, which is sourced only by log-in shells. @xref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}, for details on Bash start-up files.}. @vindex GUIX_ENVIRONMENT @command{guix environment} defines the @code{GUIX_ENVIRONMENT} variable in the shell it spawns; its value is the file name of the profile of this environment. This allows users to, say, define a specific prompt for development environments in their @file{.bashrc} (@pxref{Bash Startup Files,,, bash, The GNU Bash Reference Manual}): @example if [ -n "$GUIX_ENVIRONMENT" ] then export PS1="\u@@\h \w [dev]\$ " fi @end example @noindent ... or to browse the profile: @example $ ls "$GUIX_ENVIRONMENT/bin" @end example Additionally, more than one package may be specified, in which case the union of the inputs for the given packages are used. For example, the command below spawns a shell where all of the dependencies of both Guile and Emacs are available: @example guix environment guile emacs @end example Sometimes an interactive shell session is not desired. An arbitrary command may be invoked by placing the @code{--} token to separate the command from the rest of the arguments: @example guix environment guile -- make -j4 @end example In other situations, it is more convenient to specify the list of packages needed in the environment. For example, the following command runs @command{python} from an environment containing Python@tie{}2.7 and NumPy: @example guix environment --ad-hoc python2-numpy python-2.7 -- python @end example Furthermore, one might want the dependencies of a package and also some additional packages that are not build-time or runtime dependencies, but are useful when developing nonetheless. Because of this, the @code{--ad-hoc} flag is positional. Packages appearing before @code{--ad-hoc} are interpreted as packages whose dependencies will be added to the environment. Packages appearing after are interpreted as packages that will be added to the environment directly. For example, the following command creates a Guix development environment that additionally includes Git and strace: @example guix environment guix --ad-hoc git strace @end example Sometimes it is desirable to isolate the environment as much as possible, for maximal purity and reproducibility. In particular, when using Guix on a host distro that is not GuixSD, it is desirable to prevent access to @file{/usr/bin} and other system-wide resources from the development environment. For example, the following command spawns a Guile REPL in a ``container'' where only the store and the current working directory are mounted: @example guix environment --ad-hoc --container guile -- guile @end example @quotation Remarque The @code{--container} option requires Linux-libre 3.19 or newer. @end quotation The available options are summarized below. @table @code @item --root=@var{file} @itemx -r @var{file} @cindex persistent environment @cindex garbage collector root, for environments Make @var{file} a symlink to the profile for this environment, and register it as a garbage collector root. This is useful if you want to protect your environment from garbage collection, to make it ``persistent''. When this option is omitted, the environment is protected from garbage collection only for the duration of the @command{guix environment} session. This means that next time you recreate the same environment, you could have to rebuild or re-download packages. @xref{Invoquer guix gc}, for more on GC roots. @item --expression=@var{expr} @itemx -e @var{expr} Create an environment for the package or list of packages that @var{expr} evaluates to. For example, running: @example guix environment -e '(@@ (gnu packages maths) petsc-openmpi)' @end example starts a shell with the environment for this specific variant of the PETSc package. Running: @example guix environment --ad-hoc -e '(@@ (gnu) %base-packages)' @end example starts a shell with all the GuixSD base packages available. The above commands only use the default output of the given packages. To select other outputs, two element tuples can be specified: @example guix environment --ad-hoc -e '(list (@@ (gnu packages bash) bash) "include")' @end example @item --load=@var{file} @itemx -l @var{file} Create an environment for the package or list of packages that the code within @var{file} evaluates to. Par exemple, @var{fichier} peut contenir une définition comme celle-ci (@pxref{Définition des paquets}) : @example @verbatiminclude environment-gdb.scm @end example @item --manifest=@var{fichier} @itemx -m @var{fichier} Create an environment for the packages contained in the manifest object returned by the Scheme code in @var{file}. This is similar to the same-named option in @command{guix package} (@pxref{profile-manifest, @option{--manifest}}) and uses the same manifest files. @item --ad-hoc Include all specified packages in the resulting environment, as if an @i{ad hoc} package were defined with them as inputs. This option is useful for quickly creating an environment without having to write a package expression to contain the desired inputs. For instance, the command: @example guix environment --ad-hoc guile guile-sdl -- guile @end example runs @command{guile} in an environment where Guile and Guile-SDL are available. Note that this example implicitly asks for the default output of @code{guile} and @code{guile-sdl}, but it is possible to ask for a specific output---e.g., @code{glib:bin} asks for the @code{bin} output of @code{glib} (@pxref{Des paquets avec plusieurs résultats}). This option may be composed with the default behavior of @command{guix environment}. Packages appearing before @code{--ad-hoc} are interpreted as packages whose dependencies will be added to the environment, the default behavior. Packages appearing after are interpreted as packages that will be added to the environment directly. @item --pure Unset existing environment variables when building the new environment. This has the effect of creating an environment in which search paths only contain package inputs. @item --search-paths Display the environment variable definitions that make up the environment. @item --system=@var{système} @itemx -s @var{système} Attempt to build for @var{system}---e.g., @code{i686-linux}. @item --container @itemx -C @cindex container Run @var{command} within an isolated container. The current working directory outside the container is mapped inside the container. Additionally, unless overridden with @code{--user}, a dummy home directory is created that matches the current user's home directory, and @file{/etc/passwd} is configured accordingly. The spawned process runs as the current user outside the container, but has root privileges in the context of the container. @item --network @itemx -N For containers, share the network namespace with the host system. Containers created without this flag only have access to the loopback device. @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} within the container. This is equivalent to running the command @command{ln -s $GUIX_ENVIRONMENT ~/.guix-profile} within the container. Linking will fail and abort the environment if the directory already exists, which will certainly be the case if @command{guix environment} was invoked in the user's home directory. Certain packages are configured to look in @code{~/.guix-profile} for configuration files and data;@footnote{For example, the @code{fontconfig} package inspects @file{~/.guix-profile/share/fonts} for additional fonts.} @code{--link-profile} allows these programs to behave as expected within the environment. @item --user=@var{user} @itemx -u @var{user} For containers, use the username @var{user} in place of the current user. The generated @file{/etc/passwd} entry within the container will contain the name @var{user}; the home directory will be @file{/home/USER}; and no user GECOS data will be copied. @var{user} need not exist on the system. Additionally, any shared or exposed path (see @code{--share} and @code{--expose} respectively) whose target is within the current user's home directory will be remapped relative to @file{/home/USER}; this includes the automatic mapping of the current working directory. @example # will expose paths as /home/foo/wd, /home/foo/test, and /home/foo/target cd $HOME/wd guix environment --container --user=foo \ --expose=$HOME/test \ --expose=/tmp/target=$HOME/target @end example While this will limit the leaking of user identity through home paths and each of the user fields, this is only one useful component of a broader privacy/anonymity solution---not one in and of itself. @item --expose=@var{source}[=@var{target}] For containers, expose the file system @var{source} from the host system as the read-only file system @var{target} within the container. If @var{target} is not specified, @var{source} is used as the target mount point in the container. The example below spawns a Guile REPL in a container in which the user's home directory is accessible read-only via the @file{/exchange} directory: @example guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile @end example @item --share=@var{source}[=@var{target}] For containers, share the file system @var{source} from the host system as the writable file system @var{target} within the container. If @var{target} is not specified, @var{source} is used as the target mount point in the container. The example below spawns a Guile REPL in a container in which the user's home directory is accessible for both reading and writing via the @file{/exchange} directory: @example guix environment --container --share=$HOME=/exchange --ad-hoc guile -- guile @end example @end table @command{guix environment} also supports all of the common build options that @command{guix build} supports (@pxref{Options de construction communes}). @node Invoquer guix publish @section Invoking @command{guix publish} @cindex @command{guix publish} Le but de @command{guix publish} est de vous permettre de partager facilement votre dépôt avec d'autres personnes qui peuvent ensuite l'utiliser comme serveur de substituts (@pxref{Substituts}). When @command{guix publish} runs, it spawns an HTTP server which allows anyone with network access to obtain substitutes from it. This means that any machine running Guix can also act as if it were a build farm, since the HTTP interface is compatible with Hydra, the software behind the @code{hydra.gnu.org} build farm. Pour des raisons de sécurité, chaque substitut est signé, ce qui permet aux destinataires de vérifier leur authenticité et leur intégrité (@pxref{Substituts}). Comme @command{guix publish} utilise la clef de signature du système, qui n'est lisible que par l'administrateur système, il doit être lancé en root ; l'option @code{--user} lui fait baisser ses privilèges le plus tôt possible. The signing key pair must be generated before @command{guix publish} is launched, using @command{guix archive --generate-key} (@pxref{Invoquer guix archive}). La syntaxe générale est : @example guix publish @var{options}@dots{} @end example Running @command{guix publish} without any additional arguments will spawn an HTTP server on port 8080: @example guix publish @end example Once a publishing server has been authorized (@pxref{Invoquer guix archive}), the daemon may download substitutes from it: @example guix-daemon --substitute-urls=http://example.org:8080 @end example By default, @command{guix publish} compresses archives on the fly as it serves them. This ``on-the-fly'' mode is convenient in that it requires no setup and is immediately available. However, when serving lots of clients, we recommend using the @option{--cache} option, which enables caching of the archives before they are sent to clients---see below for details. The @command{guix weather} command provides a handy way to check what a server provides (@pxref{Invoquer guix weather}). As a bonus, @command{guix publish} also serves as a content-addressed mirror for source files referenced in @code{origin} records (@pxref{Référence d'origine}). For instance, assuming @command{guix publish} is running on @code{example.org}, the following URL returns the raw @file{hello-2.10.tar.gz} file with the given SHA256 hash (represented in @code{nix-base32} format, @pxref{Invoquer guix hash}): @example http://example.org/file/hello-2.10.tar.gz/sha256/0ssi1@dots{}ndq1i @end example Obviously, these URLs only work for files that are in the store; in other cases, they return 404 (``Not Found''). @cindex build logs, publication Build logs are available from @code{/log} URLs like: @example http://example.org/log/gwspk@dots{}-guile-2.2.3 @end example @noindent When @command{guix-daemon} is configured to save compressed build logs, as is the case by default (@pxref{Invoquer guix-daemon}), @code{/log} URLs return the compressed log as-is, with an appropriate @code{Content-Type} and/or @code{Content-Encoding} header. We recommend running @command{guix-daemon} with @code{--log-compression=gzip} since Web browsers can automatically decompress it, which is not the case with bzip2 compression. The following options are available: @table @code @item --port=@var{port} @itemx -p @var{port} Listen for HTTP requests on @var{port}. @item --listen=@var{host} Listen on the network interface for @var{host}. The default is to accept connections from any interface. @item --user=@var{user} @itemx -u @var{user} Change privileges to @var{user} as soon as possible---i.e., once the server socket is open and the signing key has been read. @item --compression[=@var{level}] @itemx -C [@var{level}] Compress data using the given @var{level}. When @var{level} is zero, disable compression. The range 1 to 9 corresponds to different gzip compression levels: 1 is the fastest, and 9 is the best (CPU-intensive). The default is 3. Unless @option{--cache} is used, compression occurs on the fly and the compressed streams are not cached. Thus, to reduce load on the machine that runs @command{guix publish}, it may be a good idea to choose a low compression level, to run @command{guix publish} behind a caching proxy, or to use @option{--cache}. Using @option{--cache} has the advantage that it allows @command{guix publish} to add @code{Content-Length} HTTP header to its responses. @item --cache=@var{directory} @itemx -c @var{directory} Cache archives and meta-data (@code{.narinfo} URLs) to @var{directory} and only serve archives that are in cache. When this option is omitted, archives and meta-data are created on-the-fly. This can reduce the available bandwidth, especially when compression is enabled, since this may become CPU-bound. Another drawback of the default mode is that the length of archives is not known in advance, so @command{guix publish} does not add a @code{Content-Length} HTTP header to its responses, which in turn prevents clients from knowing the amount of data being downloaded. Conversely, when @option{--cache} is used, the first request for a store item (@i{via} a @code{.narinfo} URL) returns 404 and triggers a background process to @dfn{bake} the archive---computing its @code{.narinfo} and compressing the archive, if needed. Once the archive is cached in @var{directory}, subsequent requests succeed and are served directly from the cache, which guarantees that clients get the best possible bandwidth. The ``baking'' process is performed by worker threads. By default, one thread per CPU core is created, but this can be customized. See @option{--workers} below. When @option{--ttl} is used, cached entries are automatically deleted when they have expired. @item --workers=@var{N} When @option{--cache} is used, request the allocation of @var{N} worker threads to ``bake'' archives. @item --ttl=@var{ttl} Produce @code{Cache-Control} HTTP headers that advertise a time-to-live (TTL) of @var{ttl}. @var{ttl} must denote a duration: @code{5d} means 5 days, @code{1m} means 1 month, and so on. This allows the user's Guix to keep substitute information in cache for @var{ttl}. However, note that @code{guix publish} does not itself guarantee that the store items it provides will indeed remain available for as long as @var{ttl}. Additionally, when @option{--cache} is used, cached entries that have not been accessed for @var{ttl} and that no longer have a corresponding item in the store, may be deleted. @item --nar-path=@var{path} Use @var{path} as the prefix for the URLs of ``nar'' files (@pxref{Invoquer guix archive, normalized archives}). By default, nars are served at a URL such as @code{/nar/gzip/@dots{}-coreutils-8.25}. This option allows you to change the @code{/nar} part to @var{path}. @item --public-key=@var{file} @itemx --private-key=@var{file} Use the specific @var{file}s as the public/private key pair used to sign the store items being published. The files must correspond to the same key pair (the private key is used for signing and the public key is merely advertised in the signature metadata). They must contain keys in the canonical s-expression format as produced by @command{guix archive --generate-key} (@pxref{Invoquer guix archive}). By default, @file{/etc/guix/signing-key.pub} and @file{/etc/guix/signing-key.sec} are used. @item --repl[=@var{port}] @itemx -r [@var{port}] Spawn a Guile REPL server (@pxref{REPL Servers,,, guile, GNU Guile Reference Manual}) on @var{port} (37146 by default). This is used primarily for debugging a running @command{guix publish} server. @end table Enabling @command{guix publish} on a GuixSD system is a one-liner: just instantiate a @code{guix-publish-service-type} service in the @code{services} field of the @code{operating-system} declaration (@pxref{guix-publish-service-type, @code{guix-publish-service-type}}). If you are instead running Guix on a ``foreign distro'', follow these instructions:” @itemize @item If your host distro uses the systemd init system: @example # ln -s ~root/.guix-profile/lib/systemd/system/guix-publish.service \ /etc/systemd/system/ # systemctl start guix-publish && systemctl enable guix-publish @end example @item Si votre distribution hôte utilise le système d'initialisation Upstart : @example # ln -s ~root/.guix-profile/lib/upstart/system/guix-publish.conf /etc/init/ # start guix-publish @end example @item Otherwise, proceed similarly with your distro's init system. @end itemize @node Invoquer guix challenge @section Invoking @command{guix challenge} @cindex constructions reproductibles @cindex verifiable builds @cindex @command{guix challenge} @cindex challenge Do the binaries provided by this server really correspond to the source code it claims to build? Is a package build process deterministic? These are the questions the @command{guix challenge} command attempts to answer. La première question est évidemment importante : avant d'utiliser un serveur de substituts (@pxref{Substituts}), il vaut mieux @emph{vérifier} qu'il fournit les bons binaires et donc le @emph{défier}. La deuxième est ce qui permet la première : si les constructions des paquets sont déterministes alors des constructions indépendantes du paquet devraient donner le même résultat, bit à bit ; si un serveur fournit un binaire différent de celui obtenu localement, il peut être soit corrompu, soit malveillant. We know that the hash that shows up in @file{/gnu/store} file names is the hash of all the inputs of the process that built the file or directory---compilers, libraries, build scripts, etc. (@pxref{Introduction}). Assuming deterministic build processes, one store file name should map to exactly one build output. @command{guix challenge} checks whether there is, indeed, a single mapping by comparing the build outputs of several independent builds of any given store item. The command output looks like this: @smallexample $ guix challenge --substitute-urls="https://hydra.gnu.org https://guix.example.org" updating list of substitutes from 'https://hydra.gnu.org'... 100.0% updating list of substitutes from 'https://guix.example.org'... 100.0% /gnu/store/@dots{}-openssl-1.0.2d contents differ: local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q https://hydra.gnu.org/nar/@dots{}-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q https://guix.example.org/nar/@dots{}-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim /gnu/store/@dots{}-git-2.5.0 contents differ: local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha https://hydra.gnu.org/nar/@dots{}-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f https://guix.example.org/nar/@dots{}-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73 /gnu/store/@dots{}-pius-2.1.1 contents differ: local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax https://hydra.gnu.org/nar/@dots{}-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax https://guix.example.org/nar/@dots{}-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs @dots{} 6,406 store items were analyzed: - 4,749 (74.1%) were identical - 525 (8.2%) differed - 1,132 (17.7%) were inconclusive @end smallexample @noindent In this example, @command{guix challenge} first scans the store to determine the set of locally-built derivations---as opposed to store items that were downloaded from a substitute server---and then queries all the substitute servers. It then reports those store items for which the servers obtained a result different from the local build. @cindex non-determinism, in package builds As an example, @code{guix.example.org} always gets a different answer. Conversely, @code{hydra.gnu.org} agrees with local builds, except in the case of Git. This might indicate that the build process of Git is non-deterministic, meaning that its output varies as a function of various things that Guix does not fully control, in spite of building packages in isolated environments (@pxref{Fonctionnalités}). Most common sources of non-determinism include the addition of timestamps in build results, the inclusion of random numbers, and directory listings sorted by inode number. See @uref{https://reproducible-builds.org/docs/}, for more information. To find out what is wrong with this Git binary, we can do something along these lines (@pxref{Invoquer guix archive}): @example $ wget -q -O - https://hydra.gnu.org/nar/@dots{}-git-2.5.0 \ | guix archive -x /tmp/git $ diff -ur --no-dereference /gnu/store/@dots{}-git.2.5.0 /tmp/git @end example This command shows the difference between the files resulting from the local build, and the files resulting from the build on @code{hydra.gnu.org} (@pxref{Overview, Comparing and Merging Files,, diffutils, Comparing and Merging Files}). The @command{diff} command works great for text files. When binary files differ, a better option is @uref{https://diffoscope.org/, Diffoscope}, a tool that helps visualize differences for all kinds of files. Once you have done that work, you can tell whether the differences are due to a non-deterministic build process or to a malicious server. We try hard to remove sources of non-determinism in packages to make it easier to verify substitutes, but of course, this is a process that involves not just Guix, but a large part of the free software community. In the meantime, @command{guix challenge} is one tool to help address the problem. If you are writing packages for Guix, you are encouraged to check whether @code{hydra.gnu.org} and other substitute servers obtain the same build result as you did with: @example $ guix challenge @var{package} @end example @noindent where @var{package} is a package specification such as @code{guile@@2.0} or @code{glibc:debug}. La syntaxe générale est : @example guix challenge @var{options} [@var{packages}@dots{}] @end example When a difference is found between the hash of a locally-built item and that of a server-provided substitute, or among substitutes provided by different servers, the command displays it as in the example above and its exit code is 2 (other non-zero exit codes denote other kinds of errors.) The one option that matters is: @table @code @item --substitute-urls=@var{urls} Consider @var{urls} the whitespace-separated list of substitute source URLs to compare to. @item --verbose @itemx -v Show details about matches (identical contents) in addition to information about mismatches. @end table @node Invoquer guix copy @section Invoking @command{guix copy} @cindex copy, of store items, over SSH @cindex SSH, copy of store items @cindex sharing store items across machines @cindex transferring store items across machines The @command{guix copy} command copies items from the store of one machine to that of another machine over a secure shell (SSH) connection@footnote{This command is available only when Guile-SSH was found. @xref{Prérequis}, for details.}. For example, the following command copies the @code{coreutils} package, the user's profile, and all their dependencies over to @var{host}, logged in as @var{user}: @example guix copy --to=@var{user}@@@var{host} \ coreutils `readlink -f ~/.guix-profile` @end example If some of the items to be copied are already present on @var{host}, they are not actually sent. The command below retrieves @code{libreoffice} and @code{gimp} from @var{host}, assuming they are available there: @example guix copy --from=@var{host} libreoffice gimp @end example The SSH connection is established using the Guile-SSH client, which is compatible with OpenSSH: it honors @file{~/.ssh/known_hosts} and @file{~/.ssh/config}, and uses the SSH agent for authentication. The key used to sign items that are sent must be accepted by the remote machine. Likewise, the key used by the remote machine to sign items you are retrieving must be in @file{/etc/guix/acl} so it is accepted by your own daemon. @xref{Invoquer guix archive}, for more information about store item authentication. La syntaxe générale est : @example guix copy [--to=@var{spec}|--from=@var{spec}] @var{items}@dots{} @end example You must always specify one of the following options: @table @code @item --to=@var{spec} @itemx --from=@var{spec} Specify the host to send to or receive from. @var{spec} must be an SSH spec such as @code{example.org}, @code{charlie@@example.org}, or @code{charlie@@example.org:2222}. @end table The @var{items} can be either package names, such as @code{gimp}, or store items, such as @file{/gnu/store/@dots{}-idutils-4.6}. When specifying the name of a package to send, it is first built if needed, unless @option{--dry-run} was specified. Common build options are supported (@pxref{Options de construction communes}). @node Invoquer guix container @section Invoking @command{guix container} @cindex container @cindex @command{guix container} @quotation Remarque As of version @value{VERSION}, this tool is experimental. The interface is subject to radical change in the future. @end quotation The purpose of @command{guix container} is to manipulate processes running within an isolated environment, commonly known as a ``container'', typically created by the @command{guix environment} (@pxref{Invoquer guix environment}) and @command{guix system container} (@pxref{Invoquer guix system}) commands. La syntaxe générale est : @example guix container @var{action} @var{options}@dots{} @end example @var{action} specifies the operation to perform with a container, and @var{options} specifies the context-specific arguments for the action. The following actions are available: @table @code @item exec Execute a command within the context of a running container. The syntax is: @example guix container exec @var{pid} @var{program} @var{arguments}@dots{} @end example @var{pid} specifies the process ID of the running container. @var{program} specifies an executable file name within the root file system of the container. @var{arguments} are the additional options that will be passed to @var{program}. The following command launches an interactive login shell inside a GuixSD container, started by @command{guix system container}, and whose process ID is 9001: @example guix container exec 9001 /run/current-system/profile/bin/bash --login @end example Note that the @var{pid} cannot be the parent process of a container. It must be PID 1 of the container or one of its child processes. @end table @node Invoquer guix weather @section Invoking @command{guix weather} Vous pouvez parfois grogner lorsque les substituts ne sont pas disponibles et que vous devez construire les paquets vous-même (@pxref{Substituts}). La commande @command{guix weather} rapporte la disponibilité des substituts sur les serveurs spécifiés pour que vous sachiez si vous allez raller aujourd'hui. Cela peut parfois être une information utile pour les utilisateurs, mais elle est surtout utile pour les personnes qui font tourner @command{guix publish} (@pxref{Invoquer guix publish}). @cindex statistics, for substitutes @cindex availability of substitutes @cindex substitute availability @cindex weather, substitute availability Here's a sample run: @example $ guix weather --substitute-urls=https://guix.example.org computing 5,872 package derivations for x86_64-linux... looking for 6,128 store items on https://guix.example.org.. updating list of substitutes from 'https://guix.example.org'... 100.0% https://guix.example.org 43.4% substitutes available (2,658 out of 6,128) 7,032.5 MiB of nars (compressed) 19,824.2 MiB on disk (uncompressed) 0.030 seconds per request (182.9 seconds in total) 33.5 requests per second 9.8% (342 out of 3,470) of the missing items are queued 867 queued builds x86_64-linux: 518 (59.7%) i686-linux: 221 (25.5%) aarch64-linux: 128 (14.8%) build rate: 23.41 builds per hour x86_64-linux: 11.16 builds per hour i686-linux: 6.03 builds per hour aarch64-linux: 6.41 builds per hour @end example @cindex continuous integration, statistics As you can see, it reports the fraction of all the packages for which substitutes are available on the server---regardless of whether substitutes are enabled, and regardless of whether this server's signing key is authorized. It also reports the size of the compressed archives (``nars'') provided by the server, the size the corresponding store items occupy in the store (assuming deduplication is turned off), and the server's throughput. The second part gives continuous integration (CI) statistics, if the server supports it. To achieve that, @command{guix weather} queries over HTTP(S) meta-data (@dfn{narinfos}) for all the relevant store items. Like @command{guix challenge}, it ignores signatures on those substitutes, which is innocuous since the command only gathers statistics and cannot install those substitutes. Among other things, it is possible to query specific system types and specific package sets. The available options are listed below. @table @code @item --substitute-urls=@var{urls} @var{urls} is the space-separated list of substitute server URLs to query. When this option is omitted, the default set of substitute servers is queried. @item --system=@var{système} @itemx -s @var{système} Query substitutes for @var{system}---e.g., @code{aarch64-linux}. This option can be repeated, in which case @command{guix weather} will query substitutes for several system types. @item --manifest=@var{fichier} Instead of querying substitutes for all the packages, only ask for those specified in @var{file}. @var{file} must contain a @dfn{manifest}, as with the @code{-m} option of @command{guix package} (@pxref{Invoquer guix package}). @end table @c ********************************************************************* @node Distribution GNU @chapter Distribution GNU @cindex Distribution Système Guix @cindex GuixSD Guix comes with a distribution of the GNU system consisting entirely of free software@footnote{The term ``free'' here refers to the @url{http://www.gnu.org/philosophy/free-sw.html,freedom provided to users of that software}.}. The distribution can be installed on its own (@pxref{Installation du système}), but it is also possible to install Guix as a package manager on top of an installed GNU/Linux system (@pxref{Installation}). To distinguish between the two, we refer to the standalone distribution as the Guix System Distribution, or GuixSD. The distribution provides core GNU packages such as GNU libc, GCC, and Binutils, as well as many GNU and non-GNU applications. The complete list of available packages can be browsed @url{http://www.gnu.org/software/guix/packages,on-line} or by running @command{guix package} (@pxref{Invoquer guix package}): @example guix package --list-available @end example Our goal is to provide a practical 100% free software distribution of Linux-based and other variants of GNU, with a focus on the promotion and tight integration of GNU components, and an emphasis on programs and tools that help users exert that freedom. Packages are currently available on the following platforms: @table @code @item x86_64-linux Intel/AMD @code{x86_64} architecture, Linux-Libre kernel; @item i686-linux Intel 32-bit architecture (IA32), Linux-Libre kernel; @item armhf-linux ARMv7-A architecture with hard float, Thumb-2 and NEON, using the EABI hard-float application binary interface (ABI), and Linux-Libre kernel. @item aarch64-linux little-endian 64-bit ARMv8-A processors, Linux-Libre kernel. This is currently in an experimental stage, with limited support. @xref{Contribuer}, for how to help! @item mips64el-linux little-endian 64-bit MIPS processors, specifically the Loongson series, n32 ABI, and Linux-Libre kernel. @end table GuixSD itself is currently only available on @code{i686} and @code{x86_64}. @noindent For information on porting to other architectures or kernels, @pxref{Porter}. @menu * Installation du système:: Installer le système d'exploitation complet. * Configuration système:: Configurer le système d'exploitation. * Documentation:: Visualiser les manuels d'utilisateur des logiciels. * Installer les fichiers de débogage:: Nourrir le débogueur. * Mises à jour de sécurité:: Déployer des correctifs de sécurité rapidement. * Modules de paquets:: Les paquets du point de vu du programmeur. * Consignes d'empaquetage:: Faire grandir la distribution. * Bootstrapping:: GNU/Linux depuis zéro. * Porter:: Cibler une autre plateforme ou un autre noyau. @end menu Building this distribution is a cooperative effort, and you are invited to join! @xref{Contribuer}, for information about how you can help. @node Installation du système @section Installation du système @cindex installing GuixSD @cindex Distribution Système Guix This section explains how to install the Guix System Distribution (GuixSD) on a machine. The Guix package manager can also be installed on top of a running GNU/Linux system, @pxref{Installation}. @ifinfo @quotation Remarque @c This paragraph is for people reading this from tty2 of the @c installation image. You are reading this documentation with an Info reader. For details on how to use it, hit the @key{RET} key (``return'' or ``enter'') on the link that follows: @pxref{Top, Info reader,, info-stnd, Stand-alone GNU Info}. Hit @kbd{l} afterwards to come back here. Alternately, run @command{info info} in another tty to keep the manual available. @end quotation @end ifinfo @menu * Limitations:: Ce à quoi vous attendre. * Considérations matérielles:: Matériel supporté. * Installation depuis une clef USB ou un DVD:: Préparer le média d'installation. * Préparer l'installation:: Réseau, partitionnement, etc. * Effectuer l'installation:: Pour de vrai. * Installer GuixSD dans une VM:: Jouer avec GuixSD@. * Construire l'image d'installation:: D'où vient tout cela. @end menu @node Limitations @subsection Limitations As of version @value{VERSION}, the Guix System Distribution (GuixSD) is not production-ready. It may contain bugs and lack important features. Thus, if you are looking for a stable production system that respects your freedom as a computer user, a good solution at this point is to consider @url{http://www.gnu.org/distros/free-distros.html, one of the more established GNU/Linux distributions}. We hope you can soon switch to the GuixSD without fear, of course. In the meantime, you can also keep using your distribution and try out the package manager on top of it (@pxref{Installation}). Before you proceed with the installation, be aware of the following noteworthy limitations applicable to version @value{VERSION}: @itemize @item The installation process does not include a graphical user interface and requires familiarity with GNU/Linux (see the following subsections to get a feel of what that means.) @item Support for the Logical Volume Manager (LVM) is missing. @item More and more system services are provided (@pxref{Services}), but some may be missing. @item More than 6,500 packages are available, but you might occasionally find that a useful package is missing. @item GNOME, Xfce, LXDE, and Enlightenment are available (@pxref{Services de bureaux}), as well as a number of X11 window managers. However, some graphical applications may be missing, as well as KDE. @end itemize You have been warned! But more than a disclaimer, this is an invitation to report issues (and success stories!), and to join us in improving it. @xref{Contribuer}, for more info. @node Considérations matérielles @subsection Considérations matérielles @cindex hardware support on GuixSD GNU@tie{}GuixSD focuses on respecting the user's computing freedom. It builds around the kernel Linux-libre, which means that only hardware for which free software drivers and firmware exist is supported. Nowadays, a wide range of off-the-shelf hardware is supported on GNU/Linux-libre---from keyboards to graphics cards to scanners and Ethernet controllers. Unfortunately, there are still areas where hardware vendors deny users control over their own computing, and such hardware is not supported on GuixSD. @cindex WiFi, hardware support One of the main areas where free drivers or firmware are lacking is WiFi devices. WiFi devices known to work include those using Atheros chips (AR9271 and AR7010), which corresponds to the @code{ath9k} Linux-libre driver, and those using Broadcom/AirForce chips (BCM43xx with Wireless-Core Revision 5), which corresponds to the @code{b43-open} Linux-libre driver. Free firmware exists for both and is available out-of-the-box on GuixSD, as part of @var{%base-firmware} (@pxref{Référence de système d'exploitation, @code{firmware}}). @cindex RYF, Respects Your Freedom The @uref{https://www.fsf.org/, Free Software Foundation} runs @uref{https://www.fsf.org/ryf, @dfn{Respects Your Freedom}} (RYF), a certification program for hardware products that respect your freedom and your privacy and ensure that you have control over your device. We encourage you to check the list of RYF-certified devices. Another useful resource is the @uref{https://www.h-node.org/, H-Node} web site. It contains a catalog of hardware devices with information about their support in GNU/Linux. @node Installation depuis une clef USB ou un DVD @subsection Installation depuis une clef USB ou un DVD An ISO-9660 installation image that can be written to a USB stick or burnt to a DVD can be downloaded from @indicateurl{ftp://alpha.gnu.org/gnu/guix/guixsd-install-@value{VERSION}.@var{system}.iso.xz}, where @var{system} is one of: @table @code @item x86_64-linux for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs; @item i686-linux for a 32-bit GNU/Linux system on Intel-compatible CPUs. @end table @c start duplication of authentication part from ``Binary Installation'' Make sure to download the associated @file{.sig} file and to verify the authenticity of the image against it, along these lines: @example $ wget ftp://alpha.gnu.org/gnu/guix/guixsd-install-@value{VERSION}.@var{system}.iso.xz.sig $ gpg --verify guixsd-install-@value{VERSION}.@var{system}.iso.xz.sig @end example Si cette commande échoue parce que vous n'avez pas la clef publique requise, lancez cette commande pour l'importer : @example $ gpg --keyserver pgp.mit.edu --recv-keys @value{OPENPGP-SIGNING-KEY-ID} @end example @noindent @c end duplication et relancez la commande @code{gpg --verify}. This image contains the tools necessary for an installation. It is meant to be copied @emph{as is} to a large-enough USB stick or DVD. @unnumberedsubsubsec Copying to a USB Stick To copy the image to a USB stick, follow these steps: @enumerate @item Decompress the image using the @command{xz} command: @example xz -d guixsd-install-@value{VERSION}.@var{system}.iso.xz @end example @item Insert a USB stick of 1@tie{}GiB or more into your machine, and determine its device name. Assuming that the USB stick is known as @file{/dev/sdX}, copy the image with: @example dd if=guixsd-install-@value{VERSION}.x86_64-linux.iso of=/dev/sdX sync @end example Access to @file{/dev/sdX} usually requires root privileges. @end enumerate @unnumberedsubsubsec Burning on a DVD To copy the image to a DVD, follow these steps: @enumerate @item Decompress the image using the @command{xz} command: @example xz -d guixsd-install-@value{VERSION}.@var{system}.iso.xz @end example @item Insert a blank DVD into your machine, and determine its device name. Assuming that the DVD drive is known as @file{/dev/srX}, copy the image with: @example growisofs -dvd-compat -Z /dev/srX=guixsd-install-@value{VERSION}.x86_64.iso @end example Access to @file{/dev/srX} usually requires root privileges. @end enumerate @unnumberedsubsubsec Booting Once this is done, you should be able to reboot the system and boot from the USB stick or DVD. The latter usually requires you to get in the BIOS or UEFI boot menu, where you can choose to boot from the USB stick. @xref{Installer GuixSD dans une VM}, if, instead, you would like to install GuixSD in a virtual machine (VM). @node Préparer l'installation @subsection Préparer l'installation Once you have successfully booted your computer using the installation medium, you should end up with a root prompt. Several console TTYs are configured and can be used to run commands as root. TTY2 shows this documentation, browsable using the Info reader commands (@pxref{Top,,, info-stnd, Stand-alone GNU Info}). The installation system runs the GPM mouse daemon, which allows you to select text with the left mouse button and to paste it with the middle button. @quotation Remarque Installation requires access to the Internet so that any missing dependencies of your system configuration can be downloaded. See the ``Networking'' section below. @end quotation The installation system includes many common tools needed for this task. But it is also a full-blown GuixSD system, which means that you can install additional packages, should you need it, using @command{guix package} (@pxref{Invoquer guix package}). @subsubsection Keyboard Layout @cindex keyboard layout The installation image uses the US qwerty keyboard layout. If you want to change it, you can use the @command{loadkeys} command. For example, the following command selects the Dvorak keyboard layout: @example loadkeys dvorak @end example See the files under @file{/run/current-system/profile/share/keymaps} for a list of available keyboard layouts. Run @command{man loadkeys} for more information. @subsubsection Networking Run the following command see what your network interfaces are called: @example ifconfig -a @end example @noindent @dots{} or, using the GNU/Linux-specific @command{ip} command: @example ip a @end example @c http://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c#n20 Wired interfaces have a name starting with @samp{e}; for example, the interface corresponding to the first on-board Ethernet controller is called @samp{eno1}. Wireless interfaces have a name starting with @samp{w}, like @samp{w1p2s0}. @table @asis @item Wired connection To configure a wired network run the following command, substituting @var{interface} with the name of the wired interface you want to use. @example ifconfig @var{interface} up @end example @item Wireless connection @cindex wireless @cindex WiFi To configure wireless networking, you can create a configuration file for the @command{wpa_supplicant} configuration tool (its location is not important) using one of the available text editors such as @command{nano}: @example nano wpa_supplicant.conf @end example As an example, the following stanza can go to this file and will work for many wireless networks, provided you give the actual SSID and passphrase for the network you are connecting to: @example network=@{ ssid="@var{my-ssid}" key_mgmt=WPA-PSK psk="the network's secret passphrase" @} @end example Start the wireless service and run it in the background with the following command (substitute @var{interface} with the name of the network interface you want to use): @example wpa_supplicant -c wpa_supplicant.conf -i @var{interface} -B @end example Run @command{man wpa_supplicant} for more information. @end table @cindex DHCP At this point, you need to acquire an IP address. On a network where IP addresses are automatically assigned @i{via} DHCP, you can run: @example dhclient -v @var{interface} @end example Try to ping a server to see if networking is up and running: @example ping -c 3 gnu.org @end example Setting up network access is almost always a requirement because the image does not contain all the software and tools that may be needed. @cindex installing over SSH If you want to, you can continue the installation remotely by starting an SSH server: @example herd start ssh-daemon @end example Make sure to either set a password with @command{passwd}, or configure OpenSSH public key authentication before logging in. @subsubsection Disk Partitioning Unless this has already been done, the next step is to partition, and then format the target partition(s). The installation image includes several partitioning tools, including Parted (@pxref{Overview,,, parted, GNU Parted User Manual}), @command{fdisk}, and @command{cfdisk}. Run it and set up your disk with the partition layout you want: @example cfdisk @end example If your disk uses the GUID Partition Table (GPT) format and you plan to install BIOS-based GRUB (which is the default), make sure a BIOS Boot Partition is available (@pxref{BIOS installation,,, grub, GNU GRUB manual}). @cindex EFI, installation @cindex UEFI, installation @cindex ESP, EFI system partition If you instead wish to use EFI-based GRUB, a FAT32 @dfn{EFI System Partition} (ESP) is required. This partition should be mounted at @file{/boot/efi} and must have the @code{esp} flag set. E.g., for @command{parted}: @example parted /dev/sda set 1 esp on @end example Once you are done partitioning the target hard disk drive, you have to create a file system on the relevant partition(s)@footnote{Currently GuixSD only supports ext4 and btrfs file systems. In particular, code that reads file system UUIDs and labels only works for these file system types.}. For the ESP, if you have one and assuming it is @file{/dev/sda2}, run: @example mkfs.fat -F32 /dev/sda2 @end example Preferably, assign file systems a label so that you can easily and reliably refer to them in @code{file-system} declarations (@pxref{Systèmes de fichiers}). This is typically done using the @code{-L} option of @command{mkfs.ext4} and related commands. So, assuming the target root partition lives at @file{/dev/sda1}, a file system with the label @code{my-root} can be created with: @example mkfs.ext4 -L my-root /dev/sda1 @end example @cindex encrypted disk If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html, @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}}, @code{man cryptsetup}} for more information.) Assuming you want to store the root partition on @file{/dev/sda1}, the command sequence would be along these lines: @example cryptsetup luksFormat /dev/sda1 cryptsetup open --type luks /dev/sda1 my-partition mkfs.ext4 -L my-root /dev/mapper/my-partition @end example Once that is done, mount the target file system under @file{/mnt} with a command like (again, assuming @code{my-root} is the label of the root file system): @example mount LABEL=my-root /mnt @end example Also mount any other file systems you would like to use on the target system relative to this path. If you have @file{/boot} on a separate partition for example, mount it at @file{/mnt/boot} now so it is found by @code{guix system init} afterwards. Finally, if you plan to use one or more swap partitions (@pxref{Memory Concepts, swap space,, libc, The GNU C Library Reference Manual}), make sure to initialize them with @command{mkswap}. Assuming you have one swap partition on @file{/dev/sda2}, you would run: @example mkswap /dev/sda2 swapon /dev/sda2 @end example Alternatively, you may use a swap file. For example, assuming that in the new system you want to use the file @file{/swapfile} as a swap file, you would run@footnote{This example will work for many types of file systems (e.g., ext4). However, for copy-on-write file systems (e.g., btrfs), the required steps may be different. For details, see the manual pages for @command{mkswap} and @command{swapon}.}: @example # This is 10 GiB of swap space. Adjust "count" to change the size. dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240 # For security, make the file readable and writable only by root. chmod 600 /mnt/swapfile mkswap /mnt/swapfile swapon /mnt/swapfile @end example Note that if you have encrypted the root partition and created a swap file in its file system as described above, then the encryption also protects the swap file, just like any other file in that file system. @node Effectuer l'installation @subsection Effectuer l'installation With the target partitions ready and the target root mounted on @file{/mnt}, we're ready to go. First, run: @example herd start cow-store /mnt @end example This makes @file{/gnu/store} copy-on-write, such that packages added to it during the installation phase are written to the target disk on @file{/mnt} rather than kept in memory. This is necessary because the first phase of the @command{guix system init} command (see below) entails downloads or builds to @file{/gnu/store} which, initially, is an in-memory file system. Next, you have to edit a file and provide the declaration of the operating system to be installed. To that end, the installation system comes with three text editors. We recommend GNU nano (@pxref{Top,,, nano, GNU nano Manual}), which supports syntax highlighting and parentheses matching; other editors include GNU Zile (an Emacs clone), and nvi (a clone of the original BSD @command{vi} editor). We strongly recommend storing that file on the target root file system, say, as @file{/mnt/etc/config.scm}. Failing to do that, you will have lost your configuration file once you have rebooted into the newly-installed system. @xref{Utiliser le système de configuration}, for an overview of the configuration file. The example configurations discussed in that section are available under @file{/etc/configuration} in the installation image. Thus, to get started with a system configuration providing a graphical display server (a ``desktop'' system), you can run something along these lines: @example # mkdir /mnt/etc # cp /etc/configuration/desktop.scm /mnt/etc/config.scm # nano /mnt/etc/config.scm @end example You should pay attention to what your configuration file contains, and in particular: @itemize @item Make sure the @code{bootloader-configuration} form refers to the target you want to install GRUB on. It should mention @code{grub-bootloader} if you are installing GRUB in the legacy way, or @code{grub-efi-bootloader} for newer UEFI systems. For legacy systems, the @code{target} field names a device, like @code{/dev/sda}; for UEFI systems it names a path to a mounted EFI partition, like @code{/boot/efi}, and do make sure the path is actually mounted. @item Be sure that your file system labels match the value of their respective @code{device} fields in your @code{file-system} configuration, assuming your @code{file-system} configuration sets the value of @code{title} to @code{'label}. @item If there are encrypted or RAID partitions, make sure to add a @code{mapped-devices} field to describe them (@pxref{Périphériques mappés}). @end itemize Once you are done preparing the configuration file, the new system must be initialized (remember that the target root file system is mounted under @file{/mnt}): @example guix system init /mnt/etc/config.scm /mnt @end example @noindent This copies all the necessary files and installs GRUB on @file{/dev/sdX}, unless you pass the @option{--no-bootloader} option. For more information, @pxref{Invoquer guix system}. This command may trigger downloads or builds of missing packages, which can take some time. Once that command has completed---and hopefully succeeded!---you can run @command{reboot} and boot into the new system. The @code{root} password in the new system is initially empty; other users' passwords need to be initialized by running the @command{passwd} command as @code{root}, unless your configuration specifies otherwise (@pxref{user-account-password, user account passwords}). @cindex upgrading GuixSD From then on, you can update GuixSD whenever you want by running @command{guix pull} as @code{root} (@pxref{Invoquer guix pull}), and then running @command{guix system reconfigure} to build a new system generation with the latest packages and services (@pxref{Invoquer guix system}). We recommend doing that regularly so that your system includes the latest security updates (@pxref{Mises à jour de sécurité}). Join us on @code{#guix} on the Freenode IRC network or on @file{guix-devel@@gnu.org} to share your experience---good or not so good. @node Installer GuixSD dans une VM @subsection Installing GuixSD in a Virtual Machine @cindex virtual machine, GuixSD installation @cindex virtual private server (VPS) @cindex VPS (virtual private server) If you'd like to install GuixSD in a virtual machine (VM) or on a virtual private server (VPS) rather than on your beloved machine, this section is for you. To boot a @uref{http://qemu.org/,QEMU} VM for installing GuixSD in a disk image, follow these steps: @enumerate @item First, retrieve and decompress the GuixSD installation image as described previously (@pxref{Installation depuis une clef USB ou un DVD}). @item Create a disk image that will hold the installed system. To make a qcow2-formatted disk image, use the @command{qemu-img} command: @example qemu-img create -f qcow2 guixsd.img 50G @end example The resulting file will be much smaller than 50 GB (typically less than 1 MB), but it will grow as the virtualized storage device is filled up. @item Boot the USB installation image in an VM: @example qemu-system-x86_64 -m 1024 -smp 1 \ -net user -net nic,model=virtio -boot menu=on \ -drive file=guixsd-install-@value{VERSION}.@var{system}.iso \ -drive file=guixsd.img @end example The ordering of the drives matters. In the VM console, quickly press the @kbd{F12} key to enter the boot menu. Then press the @kbd{2} key and the @kbd{RET} key to validate your selection. @item You're now root in the VM, proceed with the installation process. @xref{Préparer l'installation}, and follow the instructions. @end enumerate Once installation is complete, you can boot the system that's on your @file{guixsd.img} image. @xref{Lancer GuixSD dans une VM}, for how to do that. @node Construire l'image d'installation @subsection Construire l'image d'installation @cindex installation image The installation image described above was built using the @command{guix system} command, specifically: @example guix system disk-image gnu/system/install.scm @end example Have a look at @file{gnu/system/install.scm} in the source tree, and see also @ref{Invoquer guix system} for more information about the installation image. @subsection Construire l'image d'installation pour les cartes ARM Many ARM boards require a specific variant of the @uref{http://www.denx.de/wiki/U-Boot/, U-Boot} bootloader. If you build a disk image and the bootloader is not available otherwise (on another boot drive etc), it's advisable to build an image that includes the bootloader, specifically: @example guix system disk-image --system=armhf-linux -e '((@@ (gnu system install) os-with-u-boot) (@@ (gnu system install) installation-os) "A20-OLinuXino-Lime2")' @end example @code{A20-OLinuXino-Lime2} is the name of the board. If you specify an invalid board, a list of possible boards will be printed. @node Configuration système @section Configuration système @cindex system configuration The Guix System Distribution supports a consistent whole-system configuration mechanism. By that we mean that all aspects of the global system configuration---such as the available system services, timezone and locale settings, user accounts---are declared in a single place. Such a @dfn{system configuration} can be @dfn{instantiated}---i.e., effected. @c Yes, we're talking of Puppet, Chef, & co. here. ↑ One of the advantages of putting all the system configuration under the control of Guix is that it supports transactional system upgrades, and makes it possible to roll back to a previous system instantiation, should something go wrong with the new one (@pxref{Fonctionnalités}). Another advantage is that it makes it easy to replicate the exact same configuration across different machines, or at different points in time, without having to resort to additional administration tools layered on top of the own tools of the system. This section describes this mechanism. First we focus on the system administrator's viewpoint---explaining how the system is configured and instantiated. Then we show how this mechanism can be extended, for instance to support new system services. @menu * Utiliser le système de configuration:: Personnaliser votre système GNU@. * Référence de système d'exploitation:: Détail sur la déclaration de système d'exploitation. * Systèmes de fichiers:: Configurer les montages de systèmes de fichiers. * Périphériques mappés:: Gestion des périphériques de bloc. * Comptes utilisateurs:: Spécifier des comptes utilisateurs. * Régionalisation:: Paramétrer la langue et les conventions culturelles. * Services:: Spécifier les services du système. * Programmes setuid:: Programmes tournant avec les privilèges root. * Certificats X.509:: Authentifier les serveurs HTTPS@. * Name Service Switch:: Configurer le « name service switch » de la libc. * Disque de RAM initial:: Démarrage de Linux-Libre. * Configuration du chargeur d'amorçage:: Configurer le chargeur d'amorçage. * Invoquer guix system:: Instantier une configuration du système. * Lancer GuixSD dans une VM:: Comment lancer GuixSD dans une machine virtuelle. * Définir des services:: Ajouter de nouvelles définitions de services. @end menu @node Utiliser le système de configuration @subsection Utiliser le système de configuration The operating system is configured by providing an @code{operating-system} declaration in a file that can then be passed to the @command{guix system} command (@pxref{Invoquer guix system}). A simple setup, with the default system services, the default Linux-Libre kernel, initial RAM disk, and boot loader looks like this: @findex operating-system @lisp @include os-config-bare-bones.texi @end lisp This example should be self-describing. Some of the fields defined above, such as @code{host-name} and @code{bootloader}, are mandatory. Others, such as @code{packages} and @code{services}, can be omitted, in which case they get a default value. Below we discuss the effect of some of the most important fields (@pxref{Référence de système d'exploitation}, for details about all the available fields), and how to @dfn{instantiate} the operating system using @command{guix system}. @unnumberedsubsubsec Globally-Visible Packages @vindex %base-packages The @code{packages} field lists packages that will be globally visible on the system, for all user accounts---i.e., in every user's @code{PATH} environment variable---in addition to the per-user profiles (@pxref{Invoquer guix package}). The @var{%base-packages} variable provides all the tools one would expect for basic user and administrator tasks---including the GNU Core Utilities, the GNU Networking Utilities, the GNU Zile lightweight text editor, @command{find}, @command{grep}, etc. The example above adds GNU@tie{}Screen and OpenSSH to those, taken from the @code{(gnu packages screen)} and @code{(gnu packages ssh)} modules (@pxref{Modules de paquets}). The @code{(list package output)} syntax can be used to add a specific output of a package: @lisp (use-modules (gnu packages)) (use-modules (gnu packages dns)) (operating-system ;; ... (packages (cons (list bind "utils") %base-packages))) @end lisp @findex specification->package Referring to packages by variable name, like @code{bind} above, has the advantage of being unambiguous; it also allows typos and such to be diagnosed right away as ``unbound variables''. The downside is that one needs to know which module defines which package, and to augment the @code{use-package-modules} line accordingly. To avoid that, one can use the @code{specification->package} procedure of the @code{(gnu packages)} module, which returns the best package for a given name or name and version: @lisp (use-modules (gnu packages)) (operating-system ;; ... (packages (append (map specification->package '("tcpdump" "htop" "gnupg@@2.0")) %base-packages))) @end lisp @unnumberedsubsubsec System Services @cindex services @vindex %base-services The @code{services} field lists @dfn{system services} to be made available when the system starts (@pxref{Services}). The @code{operating-system} declaration above specifies that, in addition to the basic services, we want the @command{lshd} secure shell daemon listening on port 2222 (@pxref{Services réseau, @code{lsh-service}}). Under the hood, @code{lsh-service} arranges so that @code{lshd} is started with the right command-line options, possibly with supporting configuration files generated as needed (@pxref{Définir des services}). @cindex customization, of services @findex modify-services Occasionally, instead of using the base services as is, you will want to customize them. To do this, use @code{modify-services} (@pxref{Référence de service, @code{modify-services}}) to modify the list. For example, suppose you want to modify @code{guix-daemon} and Mingetty (the console log-in) in the @var{%base-services} list (@pxref{Services de base, @code{%base-services}}). To do that, you can write the following in your operating system declaration: @lisp (define %my-services ;; My very own list of services. (modify-services %base-services (guix-service-type config => (guix-configuration (inherit config) (use-substitutes? #f) (extra-options '("--gc-keep-derivations")))) (mingetty-service-type config => (mingetty-configuration (inherit config))))) (operating-system ;; @dots{} (services %my-services)) @end lisp This changes the configuration---i.e., the service parameters---of the @code{guix-service-type} instance, and that of all the @code{mingetty-service-type} instances in the @var{%base-services} list. Observe how this is accomplished: first, we arrange for the original configuration to be bound to the identifier @code{config} in the @var{body}, and then we write the @var{body} so that it evaluates to the desired configuration. In particular, notice how we use @code{inherit} to create a new configuration which has the same values as the old configuration, but with a few modifications. @cindex encrypted disk The configuration for a typical ``desktop'' usage, with an encrypted root partition, the X11 display server, GNOME and Xfce (users can choose which of these desktop environments to use at the log-in screen by pressing @kbd{F1}), network management, power management, and more, would look like this: @lisp @include os-config-desktop.texi @end lisp @cindex UEFI A graphical UEFI system with a choice of lightweight window managers instead of full-blown desktop environments would look like this: @lisp @include os-config-lightweight-desktop.texi @end lisp This example refers to the @file{/boot/efi} file system by its UUID, @code{1234-ABCD}. Replace this UUID with the right UUID on your system, as returned by the @command{blkid} command. @xref{Services de bureaux}, for the exact list of services provided by @var{%desktop-services}. @xref{Certificats X.509}, for background information about the @code{nss-certs} package that is used here. Again, @var{%desktop-services} is just a list of service objects. If you want to remove services from there, you can do so using the procedures for list filtering (@pxref{SRFI-1 Filtering and Partitioning,,, guile, GNU Guile Reference Manual}). For instance, the following expression returns a list that contains all the services in @var{%desktop-services} minus the Avahi service: @example (remove (lambda (service) (eq? (service-kind service) avahi-service-type)) %desktop-services) @end example @unnumberedsubsubsec Instantiating the System Assuming the @code{operating-system} declaration is stored in the @file{my-system-config.scm} file, the @command{guix system reconfigure my-system-config.scm} command instantiates that configuration, and makes it the default GRUB boot entry (@pxref{Invoquer guix system}). The normal way to change the system configuration is by updating this file and re-running @command{guix system reconfigure}. One should never have to touch files in @file{/etc} or to run commands that modify the system state such as @command{useradd} or @command{grub-install}. In fact, you must avoid that since that would not only void your warranty but also prevent you from rolling back to previous versions of your system, should you ever need to. @cindex roll-back, of the operating system Speaking of roll-back, each time you run @command{guix system reconfigure}, a new @dfn{generation} of the system is created---without modifying or deleting previous generations. Old system generations get an entry in the bootloader boot menu, allowing you to boot them in case something went wrong with the latest generation. Reassuring, no? The @command{guix system list-generations} command lists the system generations available on disk. It is also possible to roll back the system via the commands @command{guix system roll-back} and @command{guix system switch-generation}. Although the command @command{guix system reconfigure} will not modify previous generations, must take care when the current generation is not the latest (e.g., after invoking @command{guix system roll-back}), since the operation might overwrite a later generation (@pxref{Invoquer guix system}). @unnumberedsubsubsec The Programming Interface At the Scheme level, the bulk of an @code{operating-system} declaration is instantiated with the following monadic procedure (@pxref{La monad du dépôt}): @deffn {Monadic Procedure} operating-system-derivation os Return a derivation that builds @var{os}, an @code{operating-system} object (@pxref{Dérivations}). The output of the derivation is a single directory that refers to all the packages, configuration files, and other supporting files needed to instantiate @var{os}. @end deffn This procedure is provided by the @code{(gnu system)} module. Along with @code{(gnu services)} (@pxref{Services}), this module contains the guts of GuixSD. Make sure to visit it! @node Référence de système d'exploitation @subsection @code{operating-system} Reference This section summarizes all the options available in @code{operating-system} declarations (@pxref{Utiliser le système de configuration}). @deftp {Data Type} operating-system This is the data type representing an operating system configuration. By that, we mean all the global system configuration, not per-user configuration (@pxref{Utiliser le système de configuration}). @table @asis @item @code{kernel} (default: @var{linux-libre}) The package object of the operating system kernel to use@footnote{Currently only the Linux-libre kernel is supported. In the future, it will be possible to use the GNU@tie{}Hurd.}. @item @code{kernel-arguments} (default: @code{'()}) List of strings or gexps representing additional arguments to pass on the command-line of the kernel---e.g., @code{("console=ttyS0")}. @item @code{bootloader} The system bootloader configuration object. @xref{Configuration du chargeur d'amorçage}. @item @code{initrd-modules} (default: @code{%base-initrd-modules}) @cindex initrd @cindex initial RAM disk The list of Linux kernel modules that need to be available in the initial RAM disk. @xref{Disque de RAM initial}. @item @code{initrd} (default: @code{base-initrd}) A monadic procedure that returns an initial RAM disk for the Linux kernel. This field is provided to support low-level customization and should rarely be needed for casual use. @xref{Disque de RAM initial}. @item @code{firmware} (default: @var{%base-firmware}) @cindex firmware List of firmware packages loadable by the operating system kernel. The default includes firmware needed for Atheros- and Broadcom-based WiFi devices (Linux-libre modules @code{ath9k} and @code{b43-open}, respectively). @xref{Considérations matérielles}, for more info on supported hardware. @item @code{host-name} The host name. @item @code{hosts-file} @cindex hosts file A file-like object (@pxref{G-Expressions, file-like objects}) for use as @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). The default is a file with entries for @code{localhost} and @var{host-name}. @item @code{mapped-devices} (default: @code{'()}) A list of mapped devices. @xref{Périphériques mappés}. @item @code{file-systems} A list of file systems. @xref{Systèmes de fichiers}. @item @code{swap-devices} (default: @code{'()}) @cindex swap devices A list of strings identifying devices or files to be used for ``swap space'' (@pxref{Memory Concepts,,, libc, The GNU C Library Reference Manual}). For example, @code{'("/dev/sda3")} or @code{'("/swapfile")}. It is possible to specify a swap file in a file system on a mapped device, provided that the necessary device mapping and file system are also specified. @xref{Périphériques mappés} and @ref{Systèmes de fichiers}. @item @code{users} (default: @code{%base-user-accounts}) @itemx @code{groups} (default: @var{%base-groups}) List of user accounts and groups. @xref{Comptes utilisateurs}. If the @code{users} list lacks a user account with UID@tie{}0, a ``root'' account with UID@tie{}0 is automatically added. @item @code{skeletons} (default: @code{(default-skeletons)}) A list target file name/file-like object tuples (@pxref{G-Expressions, file-like objects}). These are the skeleton files that will be added to the home directory of newly-created user accounts. For instance, a valid value may look like this: @example `((".bashrc" ,(plain-file "bashrc" "echo Hello\n")) (".guile" ,(plain-file "guile" "(use-modules (ice-9 readline)) (activate-readline)"))) @end example @item @code{issue} (default: @var{%default-issue}) A string denoting the contents of the @file{/etc/issue} file, which is displayed when users log in on a text console. @item @code{packages} (default: @var{%base-packages}) The set of packages installed in the global profile, which is accessible at @file{/run/current-system/profile}. The default set includes core utilities and it is good practice to install non-core utilities in user profiles (@pxref{Invoquer guix package}). @item @code{timezone} A timezone identifying string---e.g., @code{"Europe/Paris"}. You can run the @command{tzselect} command to find out which timezone string corresponds to your region. Choosing an invalid timezone name causes @command{guix system} to fail. @item @code{locale} (default: @code{"en_US.utf8"}) The name of the default locale (@pxref{Locale Names,,, libc, The GNU C Library Reference Manual}). @xref{Régionalisation}, for more information. @item @code{locale-definitions} (default: @var{%default-locale-definitions}) The list of locale definitions to be compiled and that may be used at run time. @xref{Régionalisation}. @item @code{locale-libcs} (default: @code{(list @var{glibc})}) The list of GNU@tie{}libc packages whose locale data and tools are used to build the locale definitions. @xref{Régionalisation}, for compatibility considerations that justify this option. @item @code{name-service-switch} (default: @var{%default-nss}) Configuration of the libc name service switch (NSS)---a @code{} object. @xref{Name Service Switch}, for details. @item @code{services} (default: @var{%base-services}) A list of service objects denoting system services. @xref{Services}. @item @code{pam-services} (default: @code{(base-pam-services)}) @cindex PAM @cindex pluggable authentication modules @c FIXME: Add xref to PAM services section. Linux @dfn{pluggable authentication module} (PAM) services. @item @code{setuid-programs} (default: @var{%setuid-programs}) List of string-valued G-expressions denoting setuid programs. @xref{Programmes setuid}. @item @code{sudoers-file} (default: @var{%sudoers-specification}) @cindex sudoers file The contents of the @file{/etc/sudoers} file as a file-like object (@pxref{G-Expressions, @code{local-file} and @code{plain-file}}). This file specifies which users can use the @command{sudo} command, what they are allowed to do, and what privileges they may gain. The default is that only @code{root} and members of the @code{wheel} group may use @code{sudo}. @end table @end deftp @node Systèmes de fichiers @subsection Systèmes de fichiers The list of file systems to be mounted is specified in the @code{file-systems} field of the operating system declaration (@pxref{Utiliser le système de configuration}). Each file system is declared using the @code{file-system} form, like this: @example (file-system (mount-point "/home") (device "/dev/sda3") (type "ext4")) @end example As usual, some of the fields are mandatory---those shown in the example above---while others can be omitted. These are described below. @deftp {Data Type} file-system Objects of this type represent file systems to be mounted. They contain the following members: @table @asis @item @code{type} This is a string specifying the type of the file system---e.g., @code{"ext4"}. @item @code{mount-point} This designates the place where the file system is to be mounted. @item @code{device} This names the ``source'' of the file system. It can be one of three things: a file system label, a file system UUID, or the name of a @file{/dev} node. Labels and UUIDs offer a way to refer to file systems without having to hard-code their actual device name@footnote{Note that, while it is tempting to use @file{/dev/disk/by-uuid} and similar device names to achieve the same result, this is not recommended: These special device nodes are created by the udev daemon and may be unavailable at the time the device is mounted.}. @findex file-system-label File system labels are created using the @code{file-system-label} procedure, UUIDs are created using @code{uuid}, and @file{/dev} node are plain strings. Here's an example of a file system referred to by its label, as shown by the @command{e2label} command: @example (file-system (mount-point "/home") (type "ext4") (device (file-system-label "my-home"))) @end example @findex uuid UUIDs are converted from their string representation (as shown by the @command{tune2fs -l} command) using the @code{uuid} form@footnote{The @code{uuid} form expects 16-byte UUIDs as defined in @uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}. This is the form of UUID used by the ext2 family of file systems and others, but it is different from ``UUIDs'' found in FAT file systems, for instance.}, like this: @example (file-system (mount-point "/home") (type "ext4") (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb"))) @end example When the source of a file system is a mapped device (@pxref{Périphériques mappés}), its @code{device} field @emph{must} refer to the mapped device name---e.g., @file{"/dev/mapper/root-partition"}. This is required so that the system knows that mounting the file system depends on having the corresponding device mapping established. @item @code{flags} (default: @code{'()}) This is a list of symbols denoting mount flags. Recognized flags include @code{read-only}, @code{bind-mount}, @code{no-dev} (disallow access to special files), @code{no-suid} (ignore setuid and setgid bits), and @code{no-exec} (disallow program execution.) @item @code{options} (default: @code{#f}) This is either @code{#f}, or a string denoting mount options. @item @code{mount?} (default: @code{#t}) This value indicates whether to automatically mount the file system when the system is brought up. When set to @code{#f}, the file system gets an entry in @file{/etc/fstab} (read by the @command{mount} command) but is not automatically mounted. @item @code{needed-for-boot?} (default: @code{#f}) This Boolean value indicates whether the file system is needed when booting. If that is true, then the file system is mounted when the initial RAM disk (initrd) is loaded. This is always the case, for instance, for the root file system. @item @code{check?} (default: @code{#t}) This Boolean indicates whether the file system needs to be checked for errors before being mounted. @item @code{create-mount-point?} (default: @code{#f}) When true, the mount point is created if it does not exist yet. @item @code{dependencies} (default: @code{'()}) This is a list of @code{} or @code{} objects representing file systems that must be mounted or mapped devices that must be opened before (and unmounted or closed after) this one. As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is a dependency of @file{/sys/fs/cgroup/cpu} and @file{/sys/fs/cgroup/memory}. Another example is a file system that depends on a mapped device, for example for an encrypted partition (@pxref{Périphériques mappés}). @end table @end deftp The @code{(gnu system file-systems)} exports the following useful variables. @defvr {Scheme Variable} %base-file-systems These are essential file systems that are required on normal systems, such as @var{%pseudo-terminal-file-system} and @var{%immutable-store} (see below.) Operating system declarations should always contain at least these. @end defvr @defvr {Scheme Variable} %pseudo-terminal-file-system This is the file system to be mounted as @file{/dev/pts}. It supports @dfn{pseudo-terminals} created @i{via} @code{openpty} and similar functions (@pxref{Pseudo-Terminals,,, libc, The GNU C Library Reference Manual}). Pseudo-terminals are used by terminal emulators such as @command{xterm}. @end defvr @defvr {Scheme Variable} %shared-memory-file-system This file system is mounted as @file{/dev/shm} and is used to support memory sharing across processes (@pxref{Memory-mapped I/O, @code{shm_open},, libc, The GNU C Library Reference Manual}). @end defvr @defvr {Scheme Variable} %immutable-store This file system performs a read-only ``bind mount'' of @file{/gnu/store}, making it read-only for all the users including @code{root}. This prevents against accidental modification by software running as @code{root} or by system administrators. The daemon itself is still able to write to the store: it remounts it read-write in its own ``name space.'' @end defvr @defvr {Scheme Variable} %binary-format-file-system The @code{binfmt_misc} file system, which allows handling of arbitrary executable file types to be delegated to user space. This requires the @code{binfmt.ko} kernel module to be loaded. @end defvr @defvr {Scheme Variable} %fuse-control-file-system The @code{fusectl} file system, which allows unprivileged users to mount and unmount user-space FUSE file systems. This requires the @code{fuse.ko} kernel module to be loaded. @end defvr @node Périphériques mappés @subsection Périphériques mappés @cindex device mapping @cindex mapped devices The Linux kernel has a notion of @dfn{device mapping}: a block device, such as a hard disk partition, can be @dfn{mapped} into another device, usually in @code{/dev/mapper/}, with additional processing over the data that flows through it@footnote{Note that the GNU@tie{}Hurd makes no difference between the concept of a ``mapped device'' and that of a file system: both boil down to @emph{translating} input/output operations made on a file to operations on its backing store. Thus, the Hurd implements mapped devices, like file systems, using the generic @dfn{translator} mechanism (@pxref{Translators,,, hurd, The GNU Hurd Reference Manual}).}. A typical example is encryption device mapping: all writes to the mapped device are encrypted, and all reads are deciphered, transparently. Guix extends this notion by considering any device or set of devices that are @dfn{transformed} in some way to create a new device; for instance, RAID devices are obtained by @dfn{assembling} several other devices, such as hard disks or partitions, into a new one that behaves as one partition. Other examples, not yet implemented, are LVM logical volumes. Mapped devices are declared using the @code{mapped-device} form, defined as follows; for examples, see below. @deftp {Data Type} mapped-device Objects of this type represent device mappings that will be made when the system boots up. @table @code @item source This is either a string specifying the name of the block device to be mapped, such as @code{"/dev/sda3"}, or a list of such strings when several devices need to be assembled for creating a new one. @item target This string specifies the name of the resulting mapped device. For kernel mappers such as encrypted devices of type @code{luks-device-mapping}, specifying @code{"my-partition"} leads to the creation of the @code{"/dev/mapper/my-partition"} device. For RAID devices of type @code{raid-device-mapping}, the full device name such as @code{"/dev/md0"} needs to be given. @item type This must be a @code{mapped-device-kind} object, which specifies how @var{source} is mapped to @var{target}. @end table @end deftp @defvr {Scheme Variable} luks-device-mapping This defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux kernel module. @end defvr @defvr {Scheme Variable} raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel module for the appropriate RAID level to be loaded, such as @code{raid456} for RAID-4, RAID-5 or RAID-6, or @code{raid10} for RAID-10. @end defvr @cindex disk encryption @cindex LUKS The following example specifies a mapping from @file{/dev/sda3} to @file{/dev/mapper/home} using LUKS---the @url{https://gitlab.com/cryptsetup/cryptsetup,Linux Unified Key Setup}, a standard mechanism for disk encryption. The @file{/dev/mapper/home} device can then be used as the @code{device} of a @code{file-system} declaration (@pxref{Systèmes de fichiers}). @example (mapped-device (source "/dev/sda3") (target "home") (type luks-device-mapping)) @end example Alternatively, to become independent of device numbering, one may obtain the LUKS UUID (@dfn{unique identifier}) of the source device by a command like: @example cryptsetup luksUUID /dev/sda3 @end example and use it as follows: @example (mapped-device (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) (target "home") (type luks-device-mapping)) @end example @cindex swap encryption It is also desirable to encrypt swap space, since swap space may contain sensitive data. One way to accomplish that is to use a swap file in a file system on a device mapped via LUKS encryption. In this way, the swap file is encrypted because the entire device is encrypted. @xref{Préparer l'installation,,Disk Partitioning}, for an example. A RAID device formed of the partitions @file{/dev/sda1} and @file{/dev/sdb1} may be declared as follows: @example (mapped-device (source (list "/dev/sda1" "/dev/sdb1")) (target "/dev/md0") (type raid-device-mapping)) @end example The @file{/dev/md0} device can then be used as the @code{device} of a @code{file-system} declaration (@pxref{Systèmes de fichiers}). Note that the RAID level need not be given; it is chosen during the initial creation and formatting of the RAID device and is determined automatically later. @node Comptes utilisateurs @subsection Comptes utilisateurs @cindex users @cindex accounts @cindex user accounts User accounts and groups are entirely managed through the @code{operating-system} declaration. They are specified with the @code{user-account} and @code{user-group} forms: @example (user-account (name "alice") (group "users") (supplementary-groups '("wheel" ;allow use of sudo, etc. "audio" ;sound card "video" ;video devices such as webcams "cdrom")) ;the good ol' CD-ROM (comment "Bob's sister") (home-directory "/home/alice")) @end example When booting or upon completion of @command{guix system reconfigure}, the system ensures that only the user accounts and groups specified in the @code{operating-system} declaration exist, and with the specified properties. Thus, account or group creations or modifications made by directly invoking commands such as @command{useradd} are lost upon reconfiguration or reboot. This ensures that the system remains exactly as declared. @deftp {Data Type} user-account Objects of this type represent user accounts. The following members may be specified: @table @asis @item @code{name} The name of the user account. @item @code{group} @cindex groups This is the name (a string) or identifier (a number) of the user group this account belongs to. @item @code{supplementary-groups} (default: @code{'()}) Optionally, this can be defined as a list of group names that this account belongs to. @item @code{uid} (default: @code{#f}) This is the user ID for this account (a number), or @code{#f}. In the latter case, a number is automatically chosen by the system when the account is created. @item @code{comment} (default: @code{""}) A comment about the account, such as the account owner's full name. @item @code{home-directory} This is the name of the home directory for the account. @item @code{create-home-directory?} (default: @code{#t}) Indicates whether the home directory of this account should be created if it does not exist yet. @item @code{shell} (default: Bash) This is a G-expression denoting the file name of a program to be used as the shell (@pxref{G-Expressions}). @item @code{system?} (default: @code{#f}) This Boolean value indicates whether the account is a ``system'' account. System accounts are sometimes treated specially; for instance, graphical login managers do not list them. @anchor{user-account-password} @item @code{password} (default: @code{#f}) You would normally leave this field to @code{#f}, initialize user passwords as @code{root} with the @command{passwd} command, and then let users change it with @command{passwd}. Passwords set with @command{passwd} are of course preserved across reboot and reconfiguration. If you @emph{do} want to have a preset password for an account, then this field must contain the encrypted password, as a string. @xref{crypt,,, libc, The GNU C Library Reference Manual}, for more information on password encryption, and @ref{Encryption,,, guile, GNU Guile Reference Manual}, for information on Guile's @code{crypt} procedure. @end table @end deftp @cindex groups User group declarations are even simpler: @example (user-group (name "students")) @end example @deftp {Data Type} user-group This type is for, well, user groups. There are just a few fields: @table @asis @item @code{name} The name of the group. @item @code{id} (default: @code{#f}) The group identifier (a number). If @code{#f}, a new number is automatically allocated when the group is created. @item @code{system?} (default: @code{#f}) This Boolean value indicates whether the group is a ``system'' group. System groups have low numerical IDs. @item @code{password} (default: @code{#f}) What, user groups can have a password? Well, apparently yes. Unless @code{#f}, this field specifies the password of the group. @end table @end deftp For convenience, a variable lists all the basic user groups one may expect: @defvr {Scheme Variable} %base-groups This is the list of basic user groups that users and/or packages expect to be present on the system. This includes groups such as ``root'', ``wheel'', and ``users'', as well as groups used to control access to specific devices such as ``audio'', ``disk'', and ``cdrom''. @end defvr @defvr {Scheme Variable} %base-user-accounts This is the list of basic system accounts that programs may expect to find on a GNU/Linux system, such as the ``nobody'' account. Note that the ``root'' account is not included here. It is a special-case and is automatically added whether or not it is specified. @end defvr @node Régionalisation @subsection Régionalisation @cindex locale A @dfn{locale} defines cultural conventions for a particular language and region of the world (@pxref{Régionalisation,,, libc, The GNU C Library Reference Manual}). Each locale has a name that typically has the form @code{@var{language}_@var{territory}.@var{codeset}}---e.g., @code{fr_LU.utf8} designates the locale for the French language, with cultural conventions from Luxembourg, and using the UTF-8 encoding. @cindex locale definition Usually, you will want to specify the default locale for the machine using the @code{locale} field of the @code{operating-system} declaration (@pxref{Référence de système d'exploitation, @code{locale}}). The selected locale is automatically added to the @dfn{locale definitions} known to the system if needed, with its codeset inferred from its name---e.g., @code{bo_CN.utf8} will be assumed to use the @code{UTF-8} codeset. Additional locale definitions can be specified in the @code{locale-definitions} slot of @code{operating-system}---this is useful, for instance, if the codeset could not be inferred from the locale name. The default set of locale definitions includes some widely used locales, but not all the available locales, in order to save space. For instance, to add the North Frisian locale for Germany, the value of that field may be: @example (cons (locale-definition (name "fy_DE.utf8") (source "fy_DE")) %default-locale-definitions) @end example Likewise, to save space, one might want @code{locale-definitions} to list only the locales that are actually used, as in: @example (list (locale-definition (name "ja_JP.eucjp") (source "ja_JP") (charset "EUC-JP"))) @end example @vindex LOCPATH The compiled locale definitions are available at @file{/run/current-system/locale/X.Y}, where @code{X.Y} is the libc version, which is the default location where the GNU@tie{}libc provided by Guix looks for locale data. This can be overridden using the @code{LOCPATH} environment variable (@pxref{locales-and-locpath, @code{LOCPATH} and locale packages}). The @code{locale-definition} form is provided by the @code{(gnu system locale)} module. Details are given below. @deftp {Data Type} locale-definition This is the data type of a locale definition. @table @asis @item @code{name} The name of the locale. @xref{Locale Names,,, libc, The GNU C Library Reference Manual}, for more information on locale names. @item @code{source} The name of the source for that locale. This is typically the @code{@var{language}_@var{territory}} part of the locale name. @item @code{charset} (default: @code{"UTF-8"}) The ``character set'' or ``code set'' for that locale, @uref{http://www.iana.org/assignments/character-sets, as defined by IANA}. @end table @end deftp @defvr {Scheme Variable} %default-locale-definitions A list of commonly used UTF-8 locales, used as the default value of the @code{locale-definitions} field of @code{operating-system} declarations. @cindex locale name @cindex normalized codeset in locale names These locale definitions use the @dfn{normalized codeset} for the part that follows the dot in the name (@pxref{Using gettextized software, normalized codeset,, libc, The GNU C Library Reference Manual}). So for instance it has @code{uk_UA.utf8} but @emph{not}, say, @code{uk_UA.UTF-8}. @end defvr @subsubsection Locale Data Compatibility Considerations @cindex incompatibility, of locale data @code{operating-system} declarations provide a @code{locale-libcs} field to specify the GNU@tie{}libc packages that are used to compile locale declarations (@pxref{Référence de système d'exploitation}). ``Why would I care?'', you may ask. Well, it turns out that the binary format of locale data is occasionally incompatible from one libc version to another. @c See @c and . For instance, a program linked against libc version 2.21 is unable to read locale data produced with libc 2.22; worse, that program @emph{aborts} instead of simply ignoring the incompatible locale data@footnote{Versions 2.23 and later of GNU@tie{}libc will simply skip the incompatible locale data, which is already an improvement.}. Similarly, a program linked against libc 2.22 can read most, but not all, of the locale data from libc 2.21 (specifically, @code{LC_COLLATE} data is incompatible); thus calls to @code{setlocale} may fail, but programs will not abort. The ``problem'' in GuixSD is that users have a lot of freedom: They can choose whether and when to upgrade software in their profiles, and might be using a libc version different from the one the system administrator used to build the system-wide locale data. Fortunately, unprivileged users can also install their own locale data and define @var{GUIX_LOCPATH} accordingly (@pxref{locales-and-locpath, @code{GUIX_LOCPATH} and locale packages}). Still, it is best if the system-wide locale data at @file{/run/current-system/locale} is built for all the libc versions actually in use on the system, so that all the programs can access it---this is especially crucial on a multi-user system. To do that, the administrator can specify several libc packages in the @code{locale-libcs} field of @code{operating-system}: @example (use-package-modules base) (operating-system ;; @dots{} (locale-libcs (list glibc-2.21 (canonical-package glibc)))) @end example This example would lead to a system containing locale definitions for both libc 2.21 and the current version of libc in @file{/run/current-system/locale}. @node Services @subsection Services @cindex system services An important part of preparing an @code{operating-system} declaration is listing @dfn{system services} and their configuration (@pxref{Utiliser le système de configuration}). System services are typically daemons launched when the system boots, or other actions needed at that time---e.g., configuring network access. GuixSD has a broad definition of ``service'' (@pxref{Composition de services}), but many services are managed by the GNU@tie{}Shepherd (@pxref{Services Shepherd}). On a running system, the @command{herd} command allows you to list the available services, show their status, start and stop them, or do other specific operations (@pxref{Jump Start,,, shepherd, The GNU Shepherd Manual}). For example: @example # herd status @end example The above command, run as @code{root}, lists the currently defined services. The @command{herd doc} command shows a synopsis of the given service: @example # herd doc nscd Run libc's name service cache daemon (nscd). @end example The @command{start}, @command{stop}, and @command{restart} sub-commands have the effect you would expect. For instance, the commands below stop the nscd service and restart the Xorg display server: @example # herd stop nscd Service nscd has been stopped. # herd restart xorg-server Service xorg-server has been stopped. Service xorg-server has been started. @end example The following sections document the available services, starting with the core services, that may be used in an @code{operating-system} declaration. @menu * Services de base:: Services systèmes essentiels. * Exécution de tâches planifiées:: Le service mcron. * Rotation des journaux:: Le service rottlog. * Services réseau:: Paramétres réseau, démon SSH, etc. * Système de fenêtrage X:: Affichage graphique. * Services d'impression:: Support pour les imprimantes locales et distantes. * Services de bureaux:: D-Bus et les services de bureaux. * Services de son:: Services ALSA et Pulseaudio. * Services de bases de données:: Bases SQL, clefs-valeurs, etc. * Services de courriels:: IMAP, POP3, SMTP, et tout ça. * Services de messagerie:: Services de messagerie. * Services de téléphonie:: Services de téléphonie. * Services de surveillance:: Services de surveillance. * Services Kerberos:: Services Kerberos. * Services web:: Services web. * Services de certificats:: Certificats TLS via Let's Encrypt. * Services DNS:: Démons DNS@. * Services VPN:: Démons VPN * Système de fichiers en réseau:: Services liés à NFS@. * Intégration continue:: Le service Cuirass. * Services de gestion de l'énergie:: L'outil TLP@. * Services audio:: MPD@. * Services de virtualisation:: Services de virtualisation. * Services de contrôle de version:: Fournit des accès distants à des dépôts Git. * Services de jeu:: Serveurs de jeu. * Services divers:: D'autres services. @end menu @node Services de base @subsubsection Services de base The @code{(gnu services base)} module provides definitions for the basic services that one expects from the system. The services exported by this module are listed below. @defvr {Scheme Variable} %base-services This variable contains a list of basic services (@pxref{Types service et services}, for more information on service objects) one would expect from the system: a login service (mingetty) on each tty, syslogd, the libc name service cache daemon (nscd), the udev device manager, and more. This is the default value of the @code{services} field of @code{operating-system} declarations. Usually, when customizing a system, you will want to append services to @var{%base-services}, like this: @example (cons* (avahi-service) (lsh-service) %base-services) @end example @end defvr @defvr {Scheme Variable} special-files-service-type This is the service that sets up ``special files'' such as @file{/bin/sh}; an instance of it is part of @code{%base-services}. The value associated with @code{special-files-service-type} services must be a list of tuples where the first element is the ``special file'' and the second element is its target. By default it is: @cindex @file{/bin/sh} @cindex @file{sh}, in @file{/bin} @example `(("/bin/sh" ,(file-append @var{bash} "/bin/sh"))) @end example @cindex @file{/usr/bin/env} @cindex @file{env}, in @file{/usr/bin} If you want to add, say, @code{/usr/bin/env} to your system, you can change it to: @example `(("/bin/sh" ,(file-append @var{bash} "/bin/sh")) ("/usr/bin/env" ,(file-append @var{coreutils} "/bin/env"))) @end example Since this is part of @code{%base-services}, you can use @code{modify-services} to customize the set of special files (@pxref{Référence de service, @code{modify-services}}). But the simple way to add a special file is @i{via} the @code{extra-special-file} procedure (see below.) @end defvr @deffn {Scheme Procedure} extra-special-file @var{file} @var{target} Use @var{target} as the ``special file'' @var{file}. For example, adding the following lines to the @code{services} field of your operating system declaration leads to a @file{/usr/bin/env} symlink: @example (extra-special-file "/usr/bin/env" (file-append coreutils "/bin/env")) @end example @end deffn @deffn {Scheme Procedure} host-name-service @var{name} Return a service that sets the host name to @var{name}. @end deffn @deffn {Scheme Procedure} login-service @var{config} Return a service to run login according to @var{config}, a @code{} object, which specifies the message of the day, among other things. @end deffn @deftp {Data Type} login-configuration This is the data type representing the configuration of login. @table @asis @item @code{motd} @cindex message of the day A file-like object containing the ``message of the day''. @item @code{allow-empty-passwords?} (default: @code{#t}) Allow empty passwords by default so that first-time users can log in when the 'root' account has just been created. @end table @end deftp @deffn {Scheme Procedure} mingetty-service @var{config} Return a service to run mingetty according to @var{config}, a @code{} object, which specifies the tty to run, among other things. @end deffn @deftp {Data Type} mingetty-configuration This is the data type representing the configuration of Mingetty, which provides the default implementation of virtual console log-in. @table @asis @item @code{tty} The name of the console this Mingetty runs on---e.g., @code{"tty1"}. @item @code{auto-login} (default: @code{#f}) When true, this field must be a string denoting the user name under which the system automatically logs in. When it is @code{#f}, a user name and password must be entered to log in. @item @code{login-program} (default: @code{#f}) This must be either @code{#f}, in which case the default log-in program is used (@command{login} from the Shadow tool suite), or a gexp denoting the name of the log-in program. @item @code{login-pause?} (default: @code{#f}) When set to @code{#t} in conjunction with @var{auto-login}, the user will have to press a key before the log-in shell is launched. @item @code{mingetty} (default: @var{mingetty}) The Mingetty package to use. @end table @end deftp @deffn {Scheme Procedure} agetty-service @var{config} Return a service to run agetty according to @var{config}, an @code{} object, which specifies the tty to run, among other things. @end deffn @deftp {Data Type} agetty-configuration This is the data type representing the configuration of agetty, which implements virtual and serial console log-in. See the @code{agetty(8)} man page for more information. @table @asis @item @code{tty} The name of the console this agetty runs on, as a string---e.g., @code{"ttyS0"}. This argument is optional, it will default to a reasonable default serial port used by the kernel Linux. For this, if there is a value for an option @code{agetty.tty} in the kernel command line, agetty will extract the device name of the serial port from it and use that. If not and if there is a value for an option @code{console} with a tty in the Linux command line, agetty will extract the device name of the serial port from it and use that. In both cases, agetty will leave the other serial device settings (baud rate etc.) alone---in the hope that Linux pinned them to the correct values. @item @code{baud-rate} (default: @code{#f}) A string containing a comma-separated list of one or more baud rates, in descending order. @item @code{term} (default: @code{#f}) A string containing the value used for the @code{TERM} environment variable. @item @code{eight-bits?} (default: @code{#f}) When @code{#t}, the tty is assumed to be 8-bit clean, and parity detection is disabled. @item @code{auto-login} (default: @code{#f}) When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password. @item @code{no-reset?} (default: @code{#f}) When @code{#t}, don't reset terminal cflags (control modes). @item @code{host} (default: @code{#f}) This accepts a string containing the "login_host", which will be written into the @file{/var/run/utmpx} file. @item @code{remote?} (default: @code{#f}) When set to @code{#t} in conjunction with @var{host}, this will add an @code{-r} fakehost option to the command line of the login program specified in @var{login-program}. @item @code{flow-control?} (default: @code{#f}) When set to @code{#t}, enable hardware (RTS/CTS) flow control. @item @code{no-issue?} (default: @code{#f}) When set to @code{#t}, the contents of the @file{/etc/issue} file will not be displayed before presenting the login prompt. @item @code{init-string} (default: @code{#f}) This accepts a string that will be sent to the tty or modem before sending anything else. It can be used to initialize a modem. @item @code{no-clear?} (default: @code{#f}) When set to @code{#t}, agetty will not clear the screen before showing the login prompt. @item @code{login-program} (default: (file-append shadow "/bin/login")) This must be either a gexp denoting the name of a log-in program, or unset, in which case the default value is the @command{login} from the Shadow tool suite. @item @code{local-line} (default: @code{#f}) Control the CLOCAL line flag. This accepts one of three symbols as arguments, @code{'auto}, @code{'always}, or @code{'never}. If @code{#f}, the default value chosen by agetty is @code{'auto}. @item @code{extract-baud?} (default: @code{#f}) When set to @code{#t}, instruct agetty to try to extract the baud rate from the status messages produced by certain types of modems. @item @code{skip-login?} (default: @code{#f}) When set to @code{#t}, do not prompt the user for a login name. This can be used with @var{login-program} field to use non-standard login systems. @item @code{no-newline?} (default: @code{#f}) When set to @code{#t}, do not print a newline before printing the @file{/etc/issue} file. @c Is this dangerous only when used with login-program, or always? @item @code{login-options} (default: @code{#f}) This option accepts a string containing options that are passed to the login program. When used with the @var{login-program}, be aware that a malicious user could try to enter a login name containing embedded options that could be parsed by the login program. @item @code{login-pause} (default: @code{#f}) When set to @code{#t}, wait for any key before showing the login prompt. This can be used in conjunction with @var{auto-login} to save memory by lazily spawning shells. @item @code{chroot} (default: @code{#f}) Change root to the specified directory. This option accepts a directory path as a string. @item @code{hangup?} (default: @code{#f}) Use the Linux system call @code{vhangup} to do a virtual hangup of the specified terminal. @item @code{keep-baud?} (default: @code{#f}) When set to @code{#t}, try to keep the existing baud rate. The baud rates from @var{baud-rate} are used when agetty receives a @key{BREAK} character. @item @code{timeout} (default: @code{#f}) When set to an integer value, terminate if no user name could be read within @var{timeout} seconds. @item @code{detect-case?} (default: @code{#f}) When set to @code{#t}, turn on support for detecting an uppercase-only terminal. This setting will detect a login name containing only uppercase letters as indicating an uppercase-only terminal and turn on some upper-to-lower case conversions. Note that this will not support Unicode characters. @item @code{wait-cr?} (default: @code{#f}) When set to @code{#t}, wait for the user or modem to send a carriage-return or linefeed character before displaying @file{/etc/issue} or login prompt. This is typically used with the @var{init-string} option. @item @code{no-hints?} (default: @code{#f}) When set to @code{#t}, do not print hints about Num, Caps, and Scroll locks. @item @code{no-hostname?} (default: @code{#f}) By default, the hostname is printed. When this option is set to @code{#t}, no hostname will be shown at all. @item @code{long-hostname?} (default: @code{#f}) By default, the hostname is only printed until the first dot. When this option is set to @code{#t}, the fully qualified hostname by @code{gethostname} or @code{getaddrinfo} is shown. @item @code{erase-characters} (default: @code{#f}) This option accepts a string of additional characters that should be interpreted as backspace when the user types their login name. @item @code{kill-characters} (default: @code{#f}) This option accepts a string that should be interpreted to mean "ignore all previous characters" (also called a "kill" character) when the types their login name. @item @code{chdir} (default: @code{#f}) This option accepts, as a string, a directory path that will be changed to before login. @item @code{delay} (default: @code{#f}) This options accepts, as an integer, the number of seconds to sleep before opening the tty and displaying the login prompt. @item @code{nice} (default: @code{#f}) This option accepts, as an integer, the nice value with which to run the @command{login} program. @item @code{extra-options} (default: @code{'()}) This option provides an "escape hatch" for the user to provide arbitrary command-line arguments to @command{agetty} as a list of strings. @end table @end deftp @deffn {Scheme Procedure} kmscon-service-type @var{config} Return a service to run @uref{https://www.freedesktop.org/wiki/Software/kmscon,kmscon} according to @var{config}, a @code{} object, which specifies the tty to run, among other things. @end deffn @deftp {Data Type} kmscon-configuration This is the data type representing the configuration of Kmscon, which implements virtual console log-in. @table @asis @item @code{virtual-terminal} The name of the console this Kmscon runs on---e.g., @code{"tty1"}. @item @code{login-program} (default: @code{#~(string-append #$shadow "/bin/login")}) A gexp denoting the name of the log-in program. The default log-in program is @command{login} from the Shadow tool suite. @item @code{login-arguments} (default: @code{'("-p")}) A list of arguments to pass to @command{login}. @item @code{hardware-acceleration?} (default: #f) Whether to use hardware acceleration. @item @code{kmscon} (default: @var{kmscon}) The Kmscon package to use. @end table @end deftp @cindex name service cache daemon @cindex nscd @deffn {Scheme Procedure} nscd-service [@var{config}] [#:glibc glibc] @ [#:name-services '()] Return a service that runs the libc name service cache daemon (nscd) with the given @var{config}---an @code{} object. @xref{Name Service Switch}, for an example. @end deffn @defvr {Scheme Variable} %nscd-default-configuration This is the default @code{} value (see below) used by @code{nscd-service}. It uses the caches defined by @var{%nscd-default-caches}; see below. @end defvr @deftp {Data Type} nscd-configuration This is the data type representing the name service cache daemon (nscd) configuration. @table @asis @item @code{name-services} (default: @code{'()}) List of packages denoting @dfn{name services} that must be visible to the nscd---e.g., @code{(list @var{nss-mdns})}. @item @code{glibc} (default: @var{glibc}) Package object denoting the GNU C Library providing the @command{nscd} command. @item @code{log-file} (default: @code{"/var/log/nscd.log"}) Name of the nscd log file. This is where debugging output goes when @code{debug-level} is strictly positive. @item @code{debug-level} (default: @code{0}) Integer denoting the debugging levels. Higher numbers mean that more debugging output is logged. @item @code{caches} (default: @var{%nscd-default-caches}) List of @code{} objects denoting things to be cached; see below. @end table @end deftp @deftp {Data Type} nscd-cache Data type representing a cache database of nscd and its parameters. @table @asis @item @code{database} This is a symbol representing the name of the database to be cached. Valid values are @code{passwd}, @code{group}, @code{hosts}, and @code{services}, which designate the corresponding NSS database (@pxref{NSS Basics,,, libc, The GNU C Library Reference Manual}). @item @code{positive-time-to-live} @itemx @code{negative-time-to-live} (default: @code{20}) A number representing the number of seconds during which a positive or negative lookup result remains in cache. @item @code{check-files?} (default: @code{#t}) Whether to check for updates of the files corresponding to @var{database}. For instance, when @var{database} is @code{hosts}, setting this flag instructs nscd to check for updates in @file{/etc/hosts} and to take them into account. @item @code{persistent?} (default: @code{#t}) Whether the cache should be stored persistently on disk. @item @code{shared?} (default: @code{#t}) Whether the cache should be shared among users. @item @code{max-database-size} (default: 32@tie{}MiB) Maximum size in bytes of the database cache. @c XXX: 'suggested-size' and 'auto-propagate?' seem to be expert @c settings, so leave them out. @end table @end deftp @defvr {Scheme Variable} %nscd-default-caches List of @code{} objects used by default by @code{nscd-configuration} (see above). It enables persistent and aggressive caching of service and host name lookups. The latter provides better host name lookup performance, resilience in the face of unreliable name servers, and also better privacy---often the result of host name lookups is in local cache, so external name servers do not even need to be queried. @end defvr @anchor{syslog-configuration-type} @cindex syslog @cindex logging @deftp {Data Type} syslog-configuration This data type represents the configuration of the syslog daemon. @table @asis @item @code{syslogd} (default: @code{#~(string-append #$inetutils "/libexec/syslogd")}) The syslog daemon to use. @item @code{config-file} (default: @code{%default-syslog.conf}) The syslog configuration file to use. @end table @end deftp @anchor{syslog-service} @cindex syslog @deffn {Scheme Procedure} syslog-service @var{config} Return a service that runs a syslog daemon according to @var{config}. @xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more information on the configuration file syntax. @end deffn @anchor{guix-configuration-type} @deftp {Data Type} guix-configuration This data type represents the configuration of the Guix build daemon. @xref{Invoquer guix-daemon}, for more information. @table @asis @item @code{guix} (default: @var{guix}) The Guix package to use. @item @code{build-group} (default: @code{"guixbuild"}) Name of the group for build user accounts. @item @code{build-accounts} (default: @code{10}) Number of build user accounts to create. @item @code{authorize-key?} (default: @code{#t}) @cindex substituts, autorisations Autoriser ou non les clefs de substituts listées dans @code{authorize-keys} — par défaut celle de @code{hydra.gny.org} (@pxref{Substituts}). @vindex %default-authorized-guix-keys @item @code{authorized-keys} (default: @var{%default-authorized-guix-keys}) La liste des fichiers de clefs autorisées pour les imports d'archives, en tant que liste de gexps sous forme de chaînes (@pxref{Invoquer guix archive}). Par défaut, elle contient celle de @code{hydra.gnu.org} (@pxref{Substituts}). @item @code{use-substitutes?} (default: @code{#t}) Whether to use substitutes. @item @code{substitute-urls} (default: @var{%default-substitute-urls}) The list of URLs where to look for substitutes by default. @item @code{max-silent-time} (default: @code{0}) @itemx @code{timeout} (default: @code{0}) The number of seconds of silence and the number of seconds of activity, respectively, after which a build process times out. A value of zero disables the timeout. @item @code{log-compression} (default: @code{'bzip2}) The type of compression used for build logs---one of @code{gzip}, @code{bzip2}, or @code{none}. @item @code{extra-options} (default: @code{'()}) List of extra command-line options for @command{guix-daemon}. @item @code{log-file} (default: @code{"/var/log/guix-daemon.log"}) File where @command{guix-daemon}'s standard output and standard error are written. @item @code{http-proxy} (default: @code{#f}) The HTTP proxy used for downloading fixed-output derivations and substitutes. @item @code{tmpdir} (default: @code{#f}) A directory path where the @command{guix-daemon} will perform builds. @end table @end deftp @deffn {Scheme Procedure} guix-service @var{config} Return a service that runs the Guix build daemon according to @var{config}. @end deffn @deffn {Scheme Procedure} udev-service [#:udev @var{eudev} #:rules @code{'()}] Run @var{udev}, which populates the @file{/dev} directory dynamically. udev rules can be provided as a list of files through the @var{rules} variable. The procedures @var{udev-rule} and @var{file->udev-rule} from @code{(gnu services base)} simplify the creation of such rule files. @deffn {Scheme Procedure} udev-rule [@var{file-name} @var{contents}] Return a udev-rule file named @var{file-name} containing the rules defined by the @var{contents} literal. In the following example, a rule for a USB device is defined to be stored in the file @file{90-usb-thing.rules}. The rule runs a script upon detecting a USB device with a given product identifier. @example (define %example-udev-rule (udev-rule "90-usb-thing.rules" (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", " "ATTR@{product@}==\"Example\", " "RUN+=\"/path/to/script\""))) @end example @end deffn Here we show how the default @var{udev-service} can be extended with it. @example (operating-system ;; @dots{} (services (modify-services %desktop-services (udev-service-type config => (udev-configuration (inherit config) (rules (append (udev-configuration-rules config) (list %example-udev-rule)))))))) @end example @deffn {Scheme Procedure} file->udev-rule [@var{file-name} @var{file}] Return a udev file named @var{file-name} containing the rules defined within @var{file}, a file-like object. The following example showcases how we can use an existing rule file. @example (use-modules (guix download) ;for url-fetch (guix packages) ;for origin ;; @dots{}) (define %android-udev-rules (file->udev-rule "51-android-udev.rules" (let ((version "20170910")) (origin (method url-fetch) (uri (string-append "https://raw.githubusercontent.com/M0Rf30/" "android-udev-rules/" version "/51-android.rules")) (sha256 (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003")))))) @end example @end deffn Additionally, Guix package definitions can be included in @var{rules} in order to extend the udev rules with the definitions found under their @file{lib/udev/rules.d} sub-directory. In lieu of the previous @var{file->udev-rule} example, we could have used the @var{android-udev-rules} package which exists in Guix in the @code{(gnu packages android)} module. The following example shows how to use the @var{android-udev-rules} package so that the Android tool @command{adb} can detect devices without root privileges. It also details how to create the @code{adbusers} group, which is required for the proper functioning of the rules defined within the @var{android-udev-rules} package. To create such a group, we must define it both as part of the @var{supplementary-groups} of our @var{user-account} declaration, as well as in the @var{groups} field of the @var{operating-system} record. @example (use-modules (gnu packages android) ;for android-udev-rules (gnu system shadow) ;for user-group ;; @dots{}) (operating-system ;; @dots{} (users (cons (user-acount ;; @dots{} (supplementary-groups '("adbusers" ;for adb "wheel" "netdev" "audio" "video")) ;; @dots{}))) (groups (cons (user-group (system? #t) (name "adbusers")) %base-groups)) ;; @dots{} (services (modify-services %desktop-services (udev-service-type config => (udev-configuration (inherit config) (rules (cons* android-udev-rules (udev-configuration-rules config)))))))) @end example @end deffn @defvr {Scheme Variable} urandom-seed-service-type Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom} when rebooting. It also tries to seed @file{/dev/urandom} from @file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is readable. @end defvr @defvr {Scheme Variable} %random-seed-file This is the name of the file where some random bytes are saved by @var{urandom-seed-service} to seed @file{/dev/urandom} when rebooting. It defaults to @file{/var/lib/random-seed}. @end defvr @cindex keymap @cindex keyboard @deffn {Scheme Procedure} console-keymap-service @var{files} ... @cindex keyboard layout Return a service to load console keymaps from @var{files} using @command{loadkeys} command. Most likely, you want to load some default keymap, which can be done like this: @example (console-keymap-service "dvorak") @end example Or, for example, for a Swedish keyboard, you may need to combine the following keymaps: @example (console-keymap-service "se-lat6" "se-fi-lat6") @end example Also you can specify a full file name (or file names) of your keymap(s). See @code{man loadkeys} for details. @end deffn @cindex mouse @cindex gpm @defvr {Variable Scheme} gpm-service-type This is the type of the service that runs GPM, the @dfn{general-purpose mouse daemon}, which provides mouse support to the Linux console. GPM allows users to use the mouse in the console, notably to select, copy, and paste text. The value for services of this type must be a @code{gpm-configuration} (see below). This service is not part of @var{%base-services}. @end defvr @deftp {Type de donnée} gpm-configuration Type de données représentant la configuration de GPM. @table @asis @item @code{options} (par défaut : @code{%default-gpm-options}) Command-line options passed to @command{gpm}. The default set of options instruct @command{gpm} to listen to mouse events on @file{/dev/input/mice}. @xref{Command Line,,, gpm, gpm manual}, for more information. @item @code{gpm} (par défaut : @code{gpm}) Le paquet GPM à utiliser. @end table @end deftp @anchor{guix-publish-service-type} @deffn {Scheme Variable} guix-publish-service-type This is the service type for @command{guix publish} (@pxref{Invoquer guix publish}). Its value must be a @code{guix-configuration} object, as described below. This assumes that @file{/etc/guix} already contains a signing key pair as created by @command{guix archive --generate-key} (@pxref{Invoquer guix archive}). If that is not the case, the service will fail to start. @end deffn @deftp {Data Type} guix-publish-configuration Data type representing the configuration of the @code{guix publish} service. @table @asis @item @code{guix} (default: @code{guix}) The Guix package to use. @item @code{port} (default: @code{80}) The TCP port to listen for connections. @item @code{host} (default: @code{"localhost"}) The host (and thus, network interface) to listen to. Use @code{"0.0.0.0"} to listen on all the network interfaces. @item @code{compression-level} (par défaut : @code{3}) The gzip compression level at which substitutes are compressed. Use @code{0} to disable compression altogether, and @code{9} to get the best compression ratio at the expense of increased CPU usage. @item @code{nar-path} (default: @code{"nar"}) The URL path at which ``nars'' can be fetched. @xref{Invoquer guix publish, @code{--nar-path}}, for details. @item @code{cache} (default: @code{#f}) When it is @code{#f}, disable caching and instead generate archives on demand. Otherwise, this should be the name of a directory---e.g., @code{"/var/cache/guix/publish"}---where @command{guix publish} caches archives and meta-data ready to be sent. @xref{Invoquer guix publish, @option{--cache}}, for more information on the tradeoffs involved. @item @code{workers} (default: @code{#f}) When it is an integer, this is the number of worker threads used for caching; when @code{#f}, the number of processors is used. @xref{Invoquer guix publish, @option{--workers}}, for more information. @item @code{ttl} (default: @code{#f}) When it is an integer, this denotes the @dfn{time-to-live} in seconds of the published archives. @xref{Invoquer guix publish, @option{--ttl}}, for more information. @end table @end deftp @anchor{rngd-service} @deffn {Scheme Procedure} rngd-service [#:rng-tools @var{rng-tools}] @ [#:device "/dev/hwrng"] Return a service that runs the @command{rngd} program from @var{rng-tools} to add @var{device} to the kernel's entropy pool. The service will fail if @var{device} does not exist. @end deffn @anchor{pam-limits-service} @cindex session limits @cindex ulimit @cindex priority @cindex realtime @cindex jackd @deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}] Return a service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, @code{pam_limits} module}. The procedure optionally takes a list of @code{pam-limits-entry} values, which can be used to specify @code{ulimit} limits and nice priority limits to user sessions. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @example (pam-limits-service (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @end example The first entry increases the maximum realtime priority for non-privileged processes; the second entry lifts any restriction of the maximum address space that can be locked in memory. These settings are commonly used for real-time audio systems. @end deffn @node Exécution de tâches planifiées @subsubsection Exécution de tâches planifiées @cindex cron @cindex mcron @cindex scheduling jobs The @code{(gnu services mcron)} module provides an interface to GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,, mcron, GNU@tie{}mcron}). GNU@tie{}mcron is similar to the traditional Unix @command{cron} daemon; the main difference is that it is implemented in Guile Scheme, which provides a lot of flexibility when specifying the scheduling of jobs and their actions. The example below defines an operating system that runs the @command{updatedb} (@pxref{Invoking updatedb,,, find, Finding Files}) and the @command{guix gc} commands (@pxref{Invoquer guix gc}) daily, as well as the @command{mkid} command on behalf of an unprivileged user (@pxref{mkid invocation,,, idutils, ID Database Utilities}). It uses gexps to introduce job definitions that are passed to mcron (@pxref{G-Expressions}). @lisp (use-modules (guix) (gnu) (gnu services mcron)) (use-package-modules base idutils) (define updatedb-job ;; Run 'updatedb' at 3AM every day. Here we write the ;; job's action as a Scheme procedure. #~(job '(next-hour '(3)) (lambda () (execl (string-append #$findutils "/bin/updatedb") "updatedb" "--prunepaths=/tmp /var/tmp /gnu/store")))) (define garbage-collector-job ;; Collect garbage 5 minutes after midnight every day. ;; The job's action is a shell command. #~(job "5 0 * * *" ;Vixie cron syntax "guix gc -F 1G")) (define idutils-job ;; Update the index database as user "charlie" at 12:15PM ;; and 19:15PM. This runs from the user's home directory. #~(job '(next-minute-from (next-hour '(12 19)) '(15)) (string-append #$idutils "/bin/mkid src") #:user "charlie")) (operating-system ;; @dots{} (services (cons (mcron-service (list garbage-collector-job updatedb-job idutils-job)) %base-services))) @end lisp @xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron}, for more information on mcron job specifications. Below is the reference of the mcron service. @deffn {Scheme Procedure} mcron-service @var{jobs} [#:mcron @var{mcron}] Return an mcron service running @var{mcron} that schedules @var{jobs}, a list of gexps denoting mcron job specifications. This is a shorthand for: @example (service mcron-service-type (mcron-configuration (mcron mcron) (jobs jobs))) @end example @end deffn @defvr {Scheme Variable} mcron-service-type This is the type of the @code{mcron} service, whose value is an @code{mcron-configuration} object. This service type can be the target of a service extension that provides it additional job specifications (@pxref{Composition de services}). In other words, it is possible to define services that provide additional mcron jobs to run. @end defvr @deftp {Data Type} mcron-configuration Data type representing the configuration of mcron. @table @asis @item @code{mcron} (default: @var{mcron}) The mcron package to use. @item @code{jobs} This is a list of gexps (@pxref{G-Expressions}), where each gexp corresponds to an mcron job specification (@pxref{Syntax, mcron job specifications,, mcron, GNU@tie{}mcron}). @end table @end deftp @node Rotation des journaux @subsubsection Rotation des journaux @cindex rottlog @cindex log rotation @cindex logging Log files such as those found in @file{/var/log} tend to grow endlessly, so it's a good idea to @dfn{rotate} them once in a while---i.e., archive their contents in separate files, possibly compressed. The @code{(gnu services admin)} module provides an interface to GNU@tie{}Rot[t]log, a log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}). The example below defines an operating system that provides log rotation with the default settings, for commonly encountered log files. @lisp (use-modules (guix) (gnu)) (use-service-modules admin mcron) (use-package-modules base idutils) (operating-system ;; @dots{} (services (cons (service rottlog-service-type) %base-services))) @end lisp @defvr {Scheme Variable} rottlog-service-type This is the type of the Rottlog service, whose value is a @code{rottlog-configuration} object. Other services can extend this one with new @code{log-rotation} objects (see below), thereby augmenting the set of files to be rotated. This service type can define mcron jobs (@pxref{Exécution de tâches planifiées}) to run the rottlog service. @end defvr @deftp {Data Type} rottlog-configuration Data type representing the configuration of rottlog. @table @asis @item @code{rottlog} (default: @code{rottlog}) The Rottlog package to use. @item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")}) The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,, rottlog, GNU Rot[t]log Manual}). @item @code{rotations} (default: @code{%default-rotations}) A list of @code{log-rotation} objects as defined below. @item @code{jobs} This is a list of gexps where each gexp corresponds to an mcron job specification (@pxref{Exécution de tâches planifiées}). @end table @end deftp @deftp {Data Type} log-rotation Data type representing the rotation of a group of log files. Taking an example from the Rottlog manual (@pxref{Period Related File Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be defined like this: @example (log-rotation (frequency 'daily) (files '("/var/log/apache/*")) (options '("storedir apache-archives" "rotate 6" "notifempty" "nocompress"))) @end example The list of fields is as follows: @table @asis @item @code{frequency} (default: @code{'weekly}) The log rotation frequency, a symbol. @item @code{files} The list of files or file glob patterns to rotate. @item @code{options} (default: @code{'()}) The list of rottlog options for this rotation (@pxref{Configuration parameters,,, rottlog, GNU Rot[t]lg Manual}). @item @code{post-rotate} (default: @code{#f}) Either @code{#f} or a gexp to execute once the rotation has completed. @end table @end deftp @defvr {Scheme Variable} %default-rotations Specifies weekly rotation of @var{%rotated-files} and a couple of other files. @end defvr @defvr {Scheme Variable} %rotated-files The list of syslog-controlled files to be rotated. By default it is: @code{'("/var/log/messages" "/var/log/secure")}. @end defvr @node Services réseau @subsubsection Services réseau The @code{(gnu services networking)} module provides services to configure the network interface. @cindex DHCP, networking service @deffn {Scheme Procedure} dhcp-client-service [#:dhcp @var{isc-dhcp}] Return a service that runs @var{dhcp}, a Dynamic Host Configuration Protocol (DHCP) client, on all the non-loopback network interfaces. @end deffn @deffn {Scheme Procedure} dhcpd-service-type This type defines a service that runs a DHCP daemon. To create a service of this type, you must supply a @code{}. For example: @example (service dhcpd-service-type (dhcpd-configuration (config-file (local-file "my-dhcpd.conf")) (interfaces '("enp0s25")))) @end example @end deffn @deftp {Data Type} dhcpd-configuration @table @asis @item @code{package} (default: @code{isc-dhcp}) The package that provides the DHCP daemon. This package is expected to provide the daemon at @file{sbin/dhcpd} relative to its output directory. The default package is the @uref{http://www.isc.org/products/DHCP, ISC's DHCP server}. @item @code{config-file} (default: @code{#f}) The configuration file to use. This is required. It will be passed to @code{dhcpd} via its @code{-cf} option. This may be any ``file-like'' object (@pxref{G-Expressions, file-like objects}). See @code{man dhcpd.conf} for details on the configuration file syntax. @item @code{version} (default: @code{"4"}) The DHCP version to use. The ISC DHCP server supports the values ``4'', ``6'', and ``4o6''. These correspond to the @code{dhcpd} program options @code{-4}, @code{-6}, and @code{-4o6}. See @code{man dhcpd} for details. @item @code{run-directory} (default: @code{"/run/dhcpd"}) The run directory to use. At service activation time, this directory will be created if it does not exist. @item @code{pid-file} (default: @code{"/run/dhcpd/dhcpd.pid"}) The PID file to use. This corresponds to the @code{-pf} option of @code{dhcpd}. See @code{man dhcpd} for details. @item @code{interfaces} (default: @code{'()}) The names of the network interfaces on which dhcpd should listen for broadcasts. If this list is not empty, then its elements (which must be strings) will be appended to the @code{dhcpd} invocation when starting the daemon. It may not be necessary to explicitly specify any interfaces here; see @code{man dhcpd} for details. @end table @end deftp @defvr {Scheme Variable} static-networking-service-type @c TODO Document data structures. This is the type for statically-configured network interfaces. @end defvr @deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @ [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] [#:requirement @code{'(udev)}] Return a service that starts @var{interface} with address @var{ip}. If @var{netmask} is true, use it as the network mask. If @var{gateway} is true, it must be a string specifying the default network gateway. @var{requirement} can be used to declare a dependency on another service before configuring the interface. This procedure can be called several times, one for each network interface of interest. Behind the scenes what it does is extend @code{static-networking-service-type} with additional network interfaces to handle. @end deffn @cindex wicd @cindex wireless @cindex WiFi @cindex network management @deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}] Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network management daemon that aims to simplify wired and wireless networking. This service adds the @var{wicd} package to the global profile, providing several commands to interact with the daemon and configure networking: @command{wicd-client}, a graphical user interface, and the @command{wicd-cli} and @command{wicd-curses} user interfaces. @end deffn @cindex ModemManager @defvr {Variable Scheme} modem-manager-service-type This is the service type for the @uref{https://wiki.gnome.org/Projects/ModemManager, ModemManager} service. The value for this service type is a @code{modem-manager-configuration} record. This service is part of @code{%desktop-services} (@pxref{Services de bureaux}). @end defvr @deftp {Type de donnée} modem-manager-configuration Type de donnée représentant la configuration de ModemManager. @table @asis @item @code{modem-manager} (par défaut : @code{modem-manager}) Le paquet ModemManager à utiliser. @end table @end deftp @cindex NetworkManager @defvr {Scheme Variable} network-manager-service-type This is the service type for the @uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager} service. The value for this service type is a @code{network-manager-configuration} record. This service is part of @code{%desktop-services} (@pxref{Services de bureaux}). @end defvr @deftp {Data Type} network-manager-configuration Data type representing the configuration of NetworkManager. @table @asis @item @code{network-manager} (default: @code{network-manager}) The NetworkManager package to use. @item @code{dns} (default: @code{"default"}) Processing mode for DNS, which affects how NetworkManager uses the @code{resolv.conf} configuration file. @table @samp @item default NetworkManager will update @code{resolv.conf} to reflect the nameservers provided by currently active connections. @item dnsmasq NetworkManager will run @code{dnsmasq} as a local caching nameserver, using a "split DNS" configuration if you are connected to a VPN, and then update @code{resolv.conf} to point to the local nameserver. @item none NetworkManager will not modify @code{resolv.conf}. @end table @item @code{vpn-plugins} (default: @code{'()}) This is the list of available plugins for virtual private networks (VPNs). An example of this is the @code{network-manager-openvpn} package, which allows NetworkManager to manage VPNs @i{via} OpenVPN. @end table @end deftp @cindex Connman @deffn {Scheme Variable} connman-service-type This is the service type to run @url{https://01.org/connman,Connman}, a network connection manager. Its value must be an @code{connman-configuration} record as in this example: @example (service connman-service-type (connman-configuration (disable-vpn? #t))) @end example See below for details about @code{connman-configuration}. @end deffn @deftp {Data Type} connman-configuration Data Type representing the configuration of connman. @table @asis @item @code{connman} (default: @var{connman}) The connman package to use. @item @code{disable-vpn?} (default: @code{#f}) When true, enable connman's vpn plugin. @end table @end deftp @cindex WPA Supplicant @defvr {Scheme Variable} wpa-supplicant-service-type This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA supplicant}, an authentication daemon required to authenticate against encrypted WiFi or ethernet networks. It is configured to listen for requests on D-Bus. The value of this service is the @code{wpa-supplicant} package to use. Thus, it can be instantiated like this: @lisp (use-modules (gnu services networking)) (service wpa-supplicant-service-type) @end lisp @end defvr @cindex NTP @cindex real time clock @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @ [#:servers @var{%ntp-servers}] @ [#:allow-large-adjustment? #f] Return a service that runs the daemon from @var{ntp}, the @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will keep the system clock synchronized with that of @var{servers}. @var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to make an initial adjustment of more than 1,000 seconds. @end deffn @defvr {Scheme Variable} %ntp-servers List of host names used as the default NTP servers. @end defvr @cindex OpenNTPD @deffn {Scheme Procedure} openntpd-service-type Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The daemon will keep the system clock synchronized with that of the given servers. @example (service openntpd-service-type (openntpd-configuration (listen-on '("127.0.0.1" "::1")) (sensor '("udcf0 correction 70000")) (constraint-from '("www.gnu.org")) (constraints-from '("https://www.google.com/")) (allow-large-adjustment? #t))) @end example @end deffn @deftp {Data Type} openntpd-configuration @table @asis @item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")}) The openntpd executable to use. @item @code{listen-on} (default: @code{'("127.0.0.1" "::1")}) A list of local IP addresses or hostnames the ntpd daemon should listen on. @item @code{query-from} (default: @code{'()}) A list of local IP address the ntpd daemon should use for outgoing queries. @item @code{sensor} (default: @code{'()}) Specify a list of timedelta sensor devices ntpd should use. @code{ntpd} will listen to each sensor that acutally exists and ignore non-existant ones. See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for more information. @item @code{server} (default: @var{%ntp-servers}) Specify a list of IP addresses or hostnames of NTP servers to synchronize to. @item @code{servers} (default: @code{'()}) Specify a list of IP addresses or hostnames of NTP pools to synchronize to. @item @code{constraint-from} (default: @code{'()}) @code{ntpd} can be configured to query the ‘Date’ from trusted HTTPS servers via TLS. This time information is not used for precision but acts as an authenticated constraint, thereby reducing the impact of unauthenticated NTP man-in-the-middle attacks. Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide a constraint. @item @code{constraints-from} (default: @code{'()}) As with constraint from, specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide a constraint. Should the hostname resolve to multiple IP addresses, @code{ntpd} will calculate a median constraint from all of them. @item @code{allow-large-adjustment?} (default: @code{#f}) Determines if @code{ntpd} is allowed to make an initial adjustment of more than 180 seconds. @end table @end deftp @cindex inetd @deffn {Scheme variable} inetd-service-type This service runs the @command{inetd} (@pxref{inetd invocation,,, inetutils, GNU Inetutils}) daemon. @command{inetd} listens for connections on internet sockets, and lazily starts the specified server program when a connection is made on one of these sockets. The value of this service is an @code{inetd-configuration} object. The following example configures the @command{inetd} daemon to provide the built-in @command{echo} service, as well as an smtp service which forwards smtp traffic over ssh to a server @code{smtp-server} behind a gateway @code{hostname}: @example (service inetd-service-type (inetd-configuration (entries (list (inetd-entry (name "echo") (socket-type 'stream) (protocol "tcp") (wait? #f) (user "root")) (inetd-entry (node "127.0.0.1") (name "smtp") (socket-type 'stream) (protocol "tcp") (wait? #f) (user "root") (program (file-append openssh "/bin/ssh")) (arguments '("ssh" "-qT" "-i" "/path/to/ssh_key" "-W" "smtp-server:25" "user@@hostname"))))) @end example See below for more details about @code{inetd-configuration}. @end deffn @deftp {Data Type} inetd-configuration Data type representing the configuration of @command{inetd}. @table @asis @item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")}) The @command{inetd} executable to use. @item @code{entries} (default: @code{'()}) A list of @command{inetd} service entries. Each entry should be created by the @code{inetd-entry} constructor. @end table @end deftp @deftp {Data Type} inetd-entry Data type representing an entry in the @command{inetd} configuration. Each entry corresponds to a socket where @command{inetd} will listen for requests. @table @asis @item @code{node} (default: @code{#f}) Optional string, a comma-separated list of local addresses @command{inetd} should use when listening for this service. @xref{Configuration file,,, inetutils, GNU Inetutils} for a complete description of all options. @item @code{name} A string, the name must correspond to an entry in @code{/etc/services}. @item @code{socket-type} One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or @code{'seqpacket}. @item @code{protocol} A string, must correspond to an entry in @code{/etc/protocols}. @item @code{wait?} (default: @code{#t}) Whether @command{inetd} should wait for the server to exit before listening to new service requests. @item @code{user} A string containing the user (and, optionally, group) name of the user as whom the server should run. The group name can be specified in a suffix, separated by a colon or period, i.e. @code{"user"}, @code{"user:group"} or @code{"user.group"}. @item @code{program} (default: @code{"internal"}) The server program which will serve the requests, or @code{"internal"} if @command{inetd} should use a built-in service. @item @code{arguments} (par défaut : @code{'()}) A list strings or file-like objects, which are the server program's arguments, starting with the zeroth argument, i.e. the name of the program itself. For @command{inetd}'s internal services, this entry must be @code{'()} or @code{'("internal")}. @end table @xref{Configuration file,,, inetutils, GNU Inetutils} for a more detailed discussion of each configuration field. @end deftp @cindex Tor @deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}] Return a service to run the @uref{https://torproject.org, Tor} anonymous networking daemon. The daemon runs as the @code{tor} unprivileged user. It is passed @var{config-file}, a file-like object, with an additional @code{User tor} line and lines for hidden services added via @code{tor-hidden-service}. Run @command{man tor} for information about the configuration file. @end deffn @cindex hidden service @deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping} Define a new Tor @dfn{hidden service} called @var{name} and implementing @var{mapping}. @var{mapping} is a list of port/host tuples, such as: @example '((22 "127.0.0.1:22") (80 "127.0.0.1:8080")) @end example In this example, port 22 of the hidden service is mapped to local port 22, and port 80 is mapped to local port 8080. This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where the @file{hostname} file contains the @code{.onion} host name for the hidden service. See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor project's documentation} for more information. @end deffn The @code{(gnu services rsync)} module provides the following services: You might want an rsync daemon if you have files that you want available so anyone (or just yourself) can download existing files or upload new files. @deffn {Scheme Variable} rsync-service-type This is the type for the @uref{https://rsync.samba.org, rsync} rsync daemon, @command{rsync-configuration} record as in this example: @example (service rsync-service-type) @end example See below for details about @code{rsync-configuration}. @end deffn @deftp {Data Type} rsync-configuration Data type representing the configuration for @code{rsync-service}. @table @asis @item @code{package} (default: @var{rsync}) @code{rsync} package to use. @item @code{port-number} (default: @code{873}) TCP port on which @command{rsync} listens for incoming connections. If port is less than @code{1024} @command{rsync} needs to be started as the @code{root} user and group. @item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"}) Name of the file where @command{rsync} writes its PID. @item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"}) Name of the file where @command{rsync} writes its lock file. @item @code{log-file} (default: @code{"/var/log/rsyncd.log"}) Name of the file where @command{rsync} writes its log file. @item @code{use-chroot?} (default: @var{#t}) Whether to use chroot for @command{rsync} shared directory. @item @code{share-path} (default: @file{/srv/rsync}) Location of the @command{rsync} shared directory. @item @code{share-comment} (default: @code{"Rsync share"}) Comment of the @command{rsync} shared directory. @item @code{read-only?} (default: @var{#f}) Read-write permissions to shared directory. @item @code{timeout} (default: @code{300}) I/O timeout in seconds. @item @code{user} (default: @var{"root"}) Owner of the @code{rsync} process. @item @code{group} (default: @var{"root"}) Group of the @code{rsync} process. @item @code{uid} (default: @var{"rsyncd"}) User name or user ID that file transfers to and from that module should take place as when the daemon was run as @code{root}. @item @code{gid} (default: @var{"rsyncd"}) Group name or group ID that will be used when accessing the module. @end table @end deftp Furthermore, @code{(gnu services ssh)} provides the following services. @cindex SSH @cindex SSH server @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @ [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @ [#:allow-empty-passwords? #f] [#:root-login? #f] @ [#:syslog-output? #t] [#:x11-forwarding? #t] @ [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @ [#:public-key-authentication? #t] [#:initialize? #t] Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}. @var{host-key} must designate a file containing the host key, and readable only by root. When @var{daemonic?} is true, @command{lshd} will detach from the controlling terminal and log its output to syslogd, unless one sets @var{syslog-output?} to false. Obviously, it also makes lsh-service depend on existence of syslogd service. When @var{pid-file?} is true, @command{lshd} writes its PID to the file called @var{pid-file}. When @var{initialize?} is true, automatically create the seed and host key upon service activation if they do not exist yet. This may take long and require interaction. When @var{initialize?} is false, it is up to the user to initialize the randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create a key pair with the private key stored in file @var{host-key} (@pxref{lshd basics,,, lsh, LSH Manual}). When @var{interfaces} is empty, lshd listens for connections on all the network interfaces; otherwise, @var{interfaces} must be a list of host names or addresses. @var{allow-empty-passwords?} specifies whether to accept log-ins with empty passwords, and @var{root-login?} specifies whether to accept log-ins as root. The other options should be self-descriptive. @end deffn @cindex SSH @cindex SSH server @deffn {Scheme Variable} openssh-service-type This is the type for the @uref{http://www.openssh.org, OpenSSH} secure shell daemon, @command{sshd}. Its value must be an @code{openssh-configuration} record as in this example: @example (service openssh-service-type (openssh-configuration (x11-forwarding? #t) (permit-root-login 'without-password) (authorized-keys `(("alice" ,(local-file "alice.pub")) ("bob" ,(local-file "bob.pub")))))) @end example See below for details about @code{openssh-configuration}. This service can be extended with extra authorized keys, as in this example: @example (service-extension openssh-service-type (const `(("charlie" ,(local-file "charlie.pub"))))) @end example @end deffn @deftp {Data Type} openssh-configuration This is the configuration record for OpenSSH's @command{sshd}. @table @asis @item @code{pid-file} (default: @code{"/var/run/sshd.pid"}) Name of the file where @command{sshd} writes its PID. @item @code{port-number} (default: @code{22}) TCP port on which @command{sshd} listens for incoming connections. @item @code{permit-root-login} (default: @code{#f}) This field determines whether and when to allow logins as root. If @code{#f}, root logins are disallowed; if @code{#t}, they are allowed. If it's the symbol @code{'without-password}, then root logins are permitted but not with password-based authentication. @item @code{allow-empty-passwords?} (default: @code{#f}) When true, users with empty passwords may log in. When false, they may not. @item @code{password-authentication?} (default: @code{#t}) When true, users may log in with their password. When false, they have other authentication methods. @item @code{public-key-authentication?} (default: @code{#t}) When true, users may log in using public key authentication. When false, users have to use other authentication method. Authorized public keys are stored in @file{~/.ssh/authorized_keys}. This is used only by protocol version 2. @item @code{x11-forwarding?} (default: @code{#f}) When true, forwarding of X11 graphical client connections is enabled---in other words, @command{ssh} options @option{-X} and @option{-Y} will work. @item @code{challenge-response-authentication?} (default: @code{#f}) Specifies whether challenge response authentication is allowed (e.g. via PAM). @item @code{use-pam?} (default: @code{#t}) Enables the Pluggable Authentication Module interface. If set to @code{#t}, this will enable PAM authentication using @code{challenge-response-authentication?} and @code{password-authentication?}, in addition to PAM account and session module processing for all authentication types. Because PAM challenge response authentication usually serves an equivalent role to password authentication, you should disable either @code{challenge-response-authentication?} or @code{password-authentication?}. @item @code{print-last-log?} (default: @code{#t}) Specifies whether @command{sshd} should print the date and time of the last user login when a user logs in interactively. @item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))}) Configures external subsystems (e.g. file transfer daemon). This is a list of two-element lists, each of which containing the subsystem name and a command (with optional arguments) to execute upon subsystem request. The command @command{internal-sftp} implements an in-process SFTP server. Alternately, one can specify the @command{sftp-server} command: @example (service openssh-service-type (openssh-configuration (subsystems `(("sftp" ,(file-append openssh "/libexec/sftp-server")))))) @end example @item @code{accepted-environment} (default: @code{'()}) List of strings describing which environment variables may be exported. Each string gets on its own line. See the @code{AcceptEnv} option in @code{man sshd_config}. This example allows ssh-clients to export the @code{COLORTERM} variable. It is set by terminal emulators, which support colors. You can use it in your shell's ressource file to enable colors for the prompt and commands if this variable is set. @example (service openssh-service-type (openssh-configuration (accepted-environment '("COLORTERM")))) @end example @item @code{authorized-keys} (default: @code{'()}) @cindex authorized keys, SSH @cindex SSH authorized keys This is the list of authorized keys. Each element of the list is a user name followed by one or more file-like objects that represent SSH public keys. For example: @example (openssh-configuration (authorized-keys `(("rekado" ,(local-file "rekado.pub")) ("chris" ,(local-file "chris.pub")) ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub"))))) @end example @noindent registers the specified public keys for user accounts @code{rekado}, @code{chris}, and @code{root}. Additional authorized keys can be specified @i{via} @code{service-extension}. Note that this does @emph{not} interfere with the use of @file{~/.ssh/authorized_keys}. @end table @end deftp @deffn {Scheme Procedure} dropbear-service [@var{config}] Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{} object. For example, to specify a Dropbear service listening on port 1234, add this call to the operating system's @code{services} field: @example (dropbear-service (dropbear-configuration (port-number 1234))) @end example @end deffn @deftp {Data Type} dropbear-configuration This data type represents the configuration of a Dropbear SSH daemon. @table @asis @item @code{dropbear} (default: @var{dropbear}) The Dropbear package to use. @item @code{port-number} (default: 22) The TCP port where the daemon waits for incoming connections. @item @code{syslog-output?} (default: @code{#t}) Whether to enable syslog output. @item @code{pid-file} (default: @code{"/var/run/dropbear.pid"}) File name of the daemon's PID file. @item @code{root-login?} (default: @code{#f}) Whether to allow @code{root} logins. @item @code{allow-empty-passwords?} (default: @code{#f}) Whether to allow empty passwords. @item @code{password-authentication?} (default: @code{#t}) Whether to enable password-based authentication. @end table @end deftp @defvr {Scheme Variable} %facebook-host-aliases This variable contains a string for use in @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each line contains a entry that maps a known server name of the Facebook on-line service---e.g., @code{www.facebook.com}---to the local host---@code{127.0.0.1} or its IPv6 equivalent, @code{::1}. This variable is typically used in the @code{hosts-file} field of an @code{operating-system} declaration (@pxref{Référence de système d'exploitation, @file{/etc/hosts}}): @example (use-modules (gnu) (guix)) (operating-system (host-name "mymachine") ;; ... (hosts-file ;; Create a /etc/hosts file with aliases for "localhost" ;; and "mymachine", as well as for Facebook servers. (plain-file "hosts" (string-append (local-host-aliases host-name) %facebook-host-aliases)))) @end example This mechanism can prevent programs running locally, such as Web browsers, from accessing Facebook. @end defvr The @code{(gnu services avahi)} provides the following definition. @deffn {Scheme Procedure} avahi-service [#:avahi @var{avahi}] @ [#:host-name #f] [#:publish? #t] [#:ipv4? #t] @ [#:ipv6? #t] [#:wide-area? #f] @ [#:domains-to-browse '()] [#:debug? #f] Return a service that runs @command{avahi-daemon}, a system-wide mDNS/DNS-SD responder that allows for service discovery and "zero-configuration" host name lookups (see @uref{http://avahi.org/}), and extends the name service cache daemon (nscd) so that it can resolve @code{.local} host names using @uref{http://0pointer.de/lennart/projects/nss-mdns/, nss-mdns}. Additionally, add the @var{avahi} package to the system profile so that commands such as @command{avahi-browse} are directly usable. If @var{host-name} is different from @code{#f}, use that as the host name to publish for this machine; otherwise, use the machine's actual host name. When @var{publish?} is true, publishing of host names and services is allowed; in particular, avahi-daemon will publish the machine's host name and IP address via mDNS on the local network. When @var{wide-area?} is true, DNS-SD over unicast DNS is enabled. Boolean values @var{ipv4?} and @var{ipv6?} determine whether to use IPv4/IPv6 sockets. @end deffn @deffn {Scheme Variable} openvswitch-service-type This is the type of the @uref{http://www.openvswitch.org, Open vSwitch} service, whose value should be an @code{openvswitch-configuration} object. @end deffn @deftp {Data Type} openvswitch-configuration Data type representing the configuration of Open vSwitch, a multilayer virtual switch which is designed to enable massive network automation through programmatic extension. @table @asis @item @code{package} (default: @var{openvswitch}) Package object of the Open vSwitch. @end table @end deftp @node Système de fenêtrage X @subsubsection Système de fenêtrage X @cindex X11 @cindex X Window System @cindex login manager Support for the X Window graphical display system---specifically Xorg---is provided by the @code{(gnu services xorg)} module. Note that there is no @code{xorg-service} procedure. Instead, the X server is started by the @dfn{login manager}, by default SLiM. @cindex window manager To use X11, you must install at least one @dfn{window manager}---for example the @code{windowmaker} or @code{openbox} packages---preferably by adding it to the @code{packages} field of your operating system definition (@pxref{Référence de système d'exploitation, system-wide packages}). @defvr {Scheme Variable} slim-service-type This is the type for the SLiM graphical login manager for X11. @cindex session types (X11) @cindex X11 session types SLiM looks for @dfn{session types} described by the @file{.desktop} files in @file{/run/current-system/profile/share/xsessions} and allows users to choose a session from the log-in screen using @kbd{F1}. Packages such as @code{xfce}, @code{sawfish}, and @code{ratpoison} provide @file{.desktop} files; adding them to the system-wide set of packages automatically makes them available at the log-in screen. In addition, @file{~/.xsession} files are honored. When available, @file{~/.xsession} must be an executable that starts a window manager and/or other X clients. @end defvr @deftp {Data Type} slim-configuration Data type representing the configuration of @code{slim-service-type}. @table @asis @item @code{allow-empty-passwords?} (default: @code{#t}) Whether to allow logins with empty passwords. @item @code{auto-login?} (default: @code{#f}) @itemx @code{default-user} (default: @code{""}) When @code{auto-login?} is false, SLiM presents a log-in screen. When @code{auto-login?} is true, SLiM logs in directly as @code{default-user}. @item @code{theme} (default: @code{%default-slim-theme}) @itemx @code{theme-name} (default: @code{%default-slim-theme-name}) The graphical theme to use and its name. @item @code{auto-login-session} (default: @code{#f}) If true, this must be the name of the executable to start as the default session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}. If false, a session described by one of the available @file{.desktop} files in @code{/run/current-system/profile} and @code{~/.guix-profile} will be used. @quotation Remarque You must install at least one window manager in the system profile or in your user profile. Failing to do that, if @code{auto-login-session} is false, you will be unable to log in. @end quotation @item @code{startx} (default: @code{(xorg-start-command)}) The command used to start the X11 graphical server. @item @code{xauth} (default: @code{xauth}) The XAuth package to use. @item @code{shepherd} (default: @code{shepherd}) The Shepherd package used when invoking @command{halt} and @command{reboot}. @item @code{sessreg} (default: @code{sessreg}) The sessreg package used in order to register the session. @item @code{slim} (default: @code{slim}) The SLiM package to use. @end table @end deftp @defvr {Scheme Variable} %default-theme @defvrx {Scheme Variable} %default-theme-name The default SLiM theme and its name. @end defvr @deftp {Data Type} sddm-configuration This is the data type representing the sddm service configuration. @table @asis @item @code{display-server} (default: "x11") Select display server to use for the greeter. Valid values are "x11" or "wayland". @item @code{numlock} (default: "on") Valid values are "on", "off" or "none". @item @code{halt-command} (default @code{#~(string-apppend #$shepherd "/sbin/halt")}) Command to run when halting. @item @code{reboot-command} (default @code{#~(string-append #$shepherd "/sbin/reboot")}) Command to run when rebooting. @item @code{theme} (default "maldives") Theme to use. Default themes provided by SDDM are "elarun" or "maldives". @item @code{themes-directory} (default "/run/current-system/profile/share/sddm/themes") Directory to look for themes. @item @code{faces-directory} (default "/run/current-system/profile/share/sddm/faces") Directory to look for faces. @item @code{default-path} (default "/run/current-system/profile/bin") Default PATH to use. @item @code{minimum-uid} (default 1000) Minimum UID to display in SDDM. @item @code{maximum-uid} (default 2000) Maximum UID to display in SDDM @item @code{remember-last-user?} (default #t) Remember last user. @item @code{remember-last-session?} (default #t) Remember last session. @item @code{hide-users} (default "") Usernames to hide from SDDM greeter. @item @code{hide-shells} (default @code{#~(string-append #$shadow "/sbin/nologin")}) Users with shells listed will be hidden from the SDDM greeter. @item @code{session-command} (default @code{#~(string-append #$sddm "/share/sddm/scripts/wayland-session")}) Script to run before starting a wayland session. @item @code{sessions-directory} (default "/run/current-system/profile/share/wayland-sessions") Directory to look for desktop files starting wayland sessions. @item @code{xorg-server-path} (default @code{xorg-start-command}) Path to xorg-server. @item @code{xauth-path} (default @code{#~(string-append #$xauth "/bin/xauth")}) Path to xauth. @item @code{xephyr-path} (default @code{#~(string-append #$xorg-server "/bin/Xephyr")}) Path to Xephyr. @item @code{xdisplay-start} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xsetup")}) Script to run after starting xorg-server. @item @code{xdisplay-stop} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xstop")}) Script to run before stopping xorg-server. @item @code{xsession-command} (par défaut : @code{xinitrc}) Script to run before starting a X session. @item @code{xsessions-directory} (default: "/run/current-system/profile/share/xsessions") Directory to look for desktop files starting X sessions. @item @code{minimum-vt} (default: 7) Minimum VT to use. @item @code{xserver-arguments} (default "-nolisten tcp") Arguments to pass to xorg-server. @item @code{auto-login-user} (default "") User to use for auto-login. @item @code{auto-login-session} (default "") Desktop file to use for auto-login. @item @code{relogin?} (default #f) Relogin after logout. @end table @end deftp @cindex login manager @cindex X11 login @deffn {Scheme Procedure} sddm-service config Return a service that spawns the SDDM graphical login manager for config of type @code{}. @example (sddm-service (sddm-configuration (auto-login-user "Alice") (auto-login-session "xfce.desktop"))) @end example @end deffn @deffn {Scheme Procedure} xorg-start-command [#:guile] @ [#:modules %default-xorg-modules] @ [#:fonts %default-xorg-fonts] @ [#:configuration-file (xorg-configuration-file @dots{})] @ [#:xorg-server @var{xorg-server}] Return a @code{startx} script in which @var{modules}, a list of X module packages, and @var{fonts}, a list of X font directories, are available. See @code{xorg-wrapper} for more details on the arguments. The result should be used in place of @code{startx}. Usually the X server is started by a login manager. @end deffn @deffn {Scheme Procedure} xorg-configuration-file @ [#:modules %default-xorg-modules] @ [#:fonts %default-xorg-fonts] @ [#:drivers '()] [#:resolutions '()] [#:extra-config '()] Return a configuration file for the Xorg server containing search paths for all the common drivers. @var{modules} must be a list of @dfn{module packages} loaded by the Xorg server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on. @var{fonts} must be a list of font directories to add to the server's @dfn{font path}. @var{drivers} must be either the empty list, in which case Xorg chooses a graphics driver automatically, or a list of driver names that will be tried in this order---e.g., @code{("modesetting" "vesa")}. Likewise, when @var{resolutions} is the empty list, Xorg chooses an appropriate screen resolution; otherwise, it must be a list of resolutions---e.g., @code{((1024 768) (640 480))}. Last, @var{extra-config} is a list of strings or objects appended to the configuration file. It is used to pass extra text to be added verbatim to the configuration file. @cindex keymap @cindex keyboard layout This procedure is especially useful to configure a different keyboard layout than the default US keymap. For instance, to use the ``bépo'' keymap by default on the display manager: @example (define bepo-evdev "Section \"InputClass\" Identifier \"evdev keyboard catchall\" Driver \"evdev\" MatchIsKeyboard \"on\" Option \"xkb_layout\" \"fr\" Option \"xkb_variant\" \"bepo\" EndSection") (operating-system ... (services (modify-services %desktop-services (slim-service-type config => (slim-configuration (inherit config) (startx (xorg-start-command #:configuration-file (xorg-configuration-file #:extra-config (list bepo-evdev))))))))) @end example The @code{MatchIsKeyboard} line specifies that we only apply the configuration to keyboards. Without this line, other devices such as touchpad may not work correctly because they will be attached to the wrong driver. In this example, the user typically used @code{setxkbmap fr bepo} to set their favorite keymap once logged in. The first argument corresponds to the layout, while the second argument corresponds to the variant. The @code{xkb_variant} line can be omitted to select the default variant. @end deffn @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}] Add @var{package}, a package for a screen locker or screen saver whose command is @var{program}, to the set of setuid programs and add a PAM entry for it. For example: @lisp (screen-locker-service xlockmore "xlock") @end lisp makes the good ol' XlockMore usable. @end deffn @node Services d'impression @subsubsection Services d'impression @cindex printer support with CUPS The @code{(gnu services cups)} module provides a Guix service definition for the CUPS printing service. To add printer support to a GuixSD system, add a @code{cups-service} to the operating system definition: @deffn {Scheme Variable} cups-service-type The service type for the CUPS print server. Its value should be a valid CUPS configuration (see below). To use the default settings, simply write: @example (service cups-service-type) @end example @end deffn The CUPS configuration controls the basic things about your CUPS installation: what interfaces it listens on, what to do if a print job fails, how much logging to do, and so on. To actually add a printer, you have to visit the @url{http://localhost:631} URL, or use a tool such as GNOME's printer configuration services. By default, configuring a CUPS service will generate a self-signed certificate if needed, for secure connections to the print server. Suppose you want to enable the Web interface of CUPS and also add support for Epson printers @i{via} the @code{escpr} package and for HP printers @i{via} the @code{hplip} package. You can do that directly, like this (you need to use the @code{(gnu packages cups)} module): @example (service cups-service-type (cups-configuration (web-interface? #t) (extensions (list cups-filters escpr hplip)))) @end example The available configuration parameters follow. Each parameter definition is preceded by its type; for example, @samp{string-list foo} indicates that the @code{foo} parameter should be specified as a list of strings. There is also a way to specify the configuration as a string, if you have an old @code{cupsd.conf} file that you want to port over from some other system; see the end for more details. @c The following documentation was initially generated by @c (generate-documentation) in (gnu services cups). Manually maintained @c documentation is better, so we shouldn't hesitate to edit below as @c needed. However if the change you want to make to this documentation @c can be done in an automated way, it's probably easier to change @c (generate-documentation) than to make it below and have to deal with @c the churn as CUPS updates. Available @code{cups-configuration} fields are: @deftypevr {@code{cups-configuration} parameter} package cups The CUPS package. @end deftypevr @deftypevr {@code{cups-configuration} parameter} package-list extensions Drivers and other extensions to the CUPS package. @end deftypevr @deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration Configuration of where to write logs, what directories to use for print spools, and related privileged configuration parameters. Available @code{files-configuration} fields are: @deftypevr {@code{files-configuration} parameter} log-location access-log Defines the access log filename. Specifying a blank filename disables access log generation. The value @code{stderr} causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value @code{syslog} causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string @code{%s}, as in @code{/var/log/cups/%s-access_log}. Defaults to @samp{"/var/log/cups/access_log"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} file-name cache-dir Where CUPS should cache data. Defaults to @samp{"/var/cache/cups"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string config-file-perm Specifies the permissions for all configuration files that the scheduler writes. Note that the permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature. Defaults to @samp{"0640"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} log-location error-log Defines the error log filename. Specifying a blank filename disables access log generation. The value @code{stderr} causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value @code{syslog} causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string @code{%s}, as in @code{/var/log/cups/%s-error_log}. Defaults to @samp{"/var/log/cups/error_log"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string fatal-errors Specifies which errors are fatal, causing the scheduler to exit. The kind strings are: @table @code @item none No errors are fatal. @item all All of the errors below are fatal. @item browse Browsing initialization errors are fatal, for example failed connections to the DNS-SD daemon. @item config Configuration file syntax errors are fatal. @item listen Listen or Port errors are fatal, except for IPv6 failures on the loopback or @code{any} addresses. @item log Log file creation or write errors are fatal. @item permissions Bad startup file permissions are fatal, for example shared TLS certificate and key files with world-read permissions. @end table Defaults to @samp{"all -browse"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} boolean file-device? Specifies whether the file pseudo-device can be used for new printer queues. The URI @uref{file:///dev/null} is always allowed. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string group Specifies the group name or ID that will be used when executing external programs. Defaults to @samp{"lp"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string log-file-perm Specifies the permissions for all log files that the scheduler writes. Defaults to @samp{"0644"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} log-location page-log Defines the page log filename. Specifying a blank filename disables access log generation. The value @code{stderr} causes log entries to be sent to the standard error file when the scheduler is running in the foreground, or to the system log daemon when run in the background. The value @code{syslog} causes log entries to be sent to the system log daemon. The server name may be included in filenames using the string @code{%s}, as in @code{/var/log/cups/%s-page_log}. Defaults to @samp{"/var/log/cups/page_log"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string remote-root Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. The default is @code{remroot}. Defaults to @samp{"remroot"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} file-name request-root Specifies the directory that contains print jobs and other HTTP request data. Defaults to @samp{"/var/spool/cups"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} sandboxing sandboxing Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler; either @code{relaxed} or @code{strict}. This directive is currently only used/supported on macOS. Defaults to @samp{strict}. @end deftypevr @deftypevr {@code{files-configuration} parameter} file-name server-keychain Specifies the location of TLS certificates and private keys. CUPS will look for public and private keys in this directory: a @code{.crt} files for PEM-encoded certificates and corresponding @code{.key} files for PEM-encoded private keys. Defaults to @samp{"/etc/cups/ssl"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} file-name server-root Specifies the directory containing the server configuration files. Defaults to @samp{"/etc/cups"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} boolean sync-on-close? Specifies whether the scheduler calls fsync(2) after writing configuration or state files. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group Specifies the group(s) to use for @code{@@SYSTEM} group authentication. @end deftypevr @deftypevr {@code{files-configuration} parameter} file-name temp-dir Specifies the directory where temporary files are stored. Defaults to @samp{"/var/spool/cups/tmp"}. @end deftypevr @deftypevr {@code{files-configuration} parameter} string user Specifies the user name or ID that is used when running external programs. Defaults to @samp{"lp"}. @end deftypevr @end deftypevr @deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level Specifies the logging level for the AccessLog file. The @code{config} level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated. The @code{actions} level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for @code{config}. The @code{all} level logs all requests. Defaults to @samp{actions}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs? Specifies whether to purge job history data automatically when it is no longer required for quotas. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols Specifies which protocols to use for local printer sharing. Defaults to @samp{dnssd}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean browse-web-if? Specifies whether the CUPS web interface is advertised. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean browsing? Specifies whether shared printers are advertised. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string classification Specifies the security classification of the server. Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean classify-override? Specifies whether users may override the classification (cover page) of individual print jobs using the @code{job-sheets} option. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} default-auth-type default-auth-type Specifies the default type of authentication to use. Defaults to @samp{Basic}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} default-encryption default-encryption Specifies whether encryption will be used for authenticated requests. Defaults to @samp{Required}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string default-language Specifies the default language to use for text and web content. Defaults to @samp{"en"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string default-paper-size Specifies the default paper size for new print queues. @samp{"Auto"} uses a locale-specific default, while @samp{"None"} specifies there is no default paper size. Specific size names are typically @samp{"Letter"} or @samp{"A4"}. Defaults to @samp{"Auto"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string default-policy Specifies the default access policy to use. Defaults to @samp{"default"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean default-shared? Specifies whether local printers are shared by default. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer dirty-clean-interval Specifies the delay for updating of configuration and state files, in seconds. A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} error-policy error-policy Specifies what to do when an error occurs. Possible values are @code{abort-job}, which will discard the failed print job; @code{retry-job}, which will retry the job at a later time; @code{retry-this-job}, which retries the failed job immediately; and @code{stop-printer}, which stops the printer. Defaults to @samp{stop-printer}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-limit Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems. A limit of 0 disables filter limiting. An average print to a non-PostScript printer needs a filter limit of about 200. A PostScript printer needs about half that (100). Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-nice Specifies the scheduling priority of filters that are run to print a job. The nice value ranges from 0, the highest priority, to 19, the lowest priority. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} host-name-lookups host-name-lookups Specifies whether to do reverse lookups on connecting clients. The @code{double} setting causes @code{cupsd} to verify that the hostname resolved from the address matches one of the addresses returned for that hostname. Double lookups also prevent clients with unregistered addresses from connecting to your server. Only set this option to @code{#t} or @code{double} if absolutely required. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-kill-delay Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-interval Specifies the interval between retries of jobs in seconds. This is typically used for fax queues but can also be used with normal print queues whose error policy is @code{retry-job} or @code{retry-current-job}. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-limit Specifies the number of retries that are done for jobs. This is typically used for fax queues but can also be used with normal print queues whose error policy is @code{retry-job} or @code{retry-current-job}. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean keep-alive? Specifies whether to support HTTP keep-alive connections. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer keep-alive-timeout Specifies how long an idle client connection remains open, in seconds. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer limit-request-body Specifies the maximum size of print files, IPP requests, and HTML form data. A limit of 0 disables the limit check. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} multiline-string-list listen Listens on the specified interfaces for connections. Valid values are of the form @var{address}:@var{port}, where @var{address} is either an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate all addresses. Values can also be file names of local UNIX domain sockets. The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer listen-back-log Specifies the number of pending connections that will be allowed. This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections. When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones. Defaults to @samp{128}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} location-access-control-list location-access-controls Specifies a set of additional access controls. Available @code{location-access-controls} fields are: @deftypevr {@code{location-access-controls} parameter} file-name path Specifies the URI path to which the access control applies. @end deftypevr @deftypevr {@code{location-access-controls} parameter} access-control-list access-controls Access controls for all access to this path, in the same format as the @code{access-controls} of @code{operation-access-control}. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{location-access-controls} parameter} method-access-control-list method-access-controls Access controls for method-specific access to this path. Defaults to @samp{()}. Available @code{method-access-controls} fields are: @deftypevr {@code{method-access-controls} parameter} boolean reverse? If @code{#t}, apply access controls to all methods except the listed methods. Otherwise apply to only the listed methods. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{method-access-controls} parameter} method-list methods Methods to which this access control applies. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{method-access-controls} parameter} access-control-list access-controls Access control directives, as a list of strings. Each string should be one directive, such as "Order allow,deny". Defaults to @samp{()}. @end deftypevr @end deftypevr @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer log-debug-history Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting. Defaults to @samp{100}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} log-level log-level Specifies the level of logging for the ErrorLog file. The value @code{none} stops all logging while @code{debug2} logs everything. Defaults to @samp{info}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} log-time-format log-time-format Specifies the format of the date and time in the log files. The value @code{standard} logs whole seconds while @code{usecs} logs microseconds. Defaults to @samp{standard}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients Specifies the maximum number of simultaneous clients that are allowed by the scheduler. Defaults to @samp{100}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients-per-host Specifies the maximum number of simultaneous clients that are allowed from a single address. Defaults to @samp{100}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-copies Specifies the maximum number of copies that a user can print of each job. Defaults to @samp{9999}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-hold-time Specifies the maximum time a job may remain in the @code{indefinite} hold state before it is canceled. A value of 0 disables cancellation of held jobs. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs Specifies the maximum number of simultaneous jobs that are allowed. Set to 0 to allow an unlimited number of jobs. Defaults to @samp{500}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-printer Specifies the maximum number of simultaneous jobs that are allowed per printer. A value of 0 allows up to MaxJobs jobs per printer. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-user Specifies the maximum number of simultaneous jobs that are allowed per user. A value of 0 allows up to MaxJobs jobs per user. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-job-time Specifies the maximum time a job may take to print before it is canceled, in seconds. Set to 0 to disable cancellation of "stuck" jobs. Defaults to @samp{10800}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer max-log-size Specifies the maximum size of the log files before they are rotated, in bytes. The value 0 disables log rotation. Defaults to @samp{1048576}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer multiple-operation-timeout Specifies the maximum amount of time to allow between files in a multiple file print job, in seconds. Defaults to @samp{300}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string page-log-format Specifies the format of PageLog lines. Sequences beginning with percent (@samp{%}) characters are replaced with the corresponding information, while all other characters are copied literally. The following percent sequences are recognized: @table @samp @item %% insert a single percent character @item %@{name@} insert the value of the specified IPP attribute @item %C insert the number of copies for the current page @item %P insert the current page number @item %T insert the current date and time in common log format @item %j insert the job ID @item %p insert the printer name @item %u insert the username @end table A value of the empty string disables page logging. The string @code{%p %u %j %T %P %C %@{job-billing@} %@{job-originating-host-name@} %@{job-name@} %@{media@} %@{sides@}} creates a page log with the standard items. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} environment-variables environment-variables Passes the specified environment variable(s) to child processes; a list of strings. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} policy-configuration-list policies Specifies named access control policies. Available @code{policy-configuration} fields are: @deftypevr {@code{policy-configuration} parameter} string name Name of the policy. @end deftypevr @deftypevr {@code{policy-configuration} parameter} string job-private-access Specifies an access list for a job's private values. @code{@@ACL} maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. @code{@@OWNER} maps to the job's owner. @code{@@SYSTEM} maps to the groups listed for the @code{system-group} field of the @code{files-config} configuration, which is reified into the @code{cups-files.conf(5)} file. Other possible elements of the access list include specific user names, and @code{@@@var{group}} to indicate members of a specific group. The access list may also be simply @code{all} or @code{default}. Defaults to @samp{"@@OWNER @@SYSTEM"}. @end deftypevr @deftypevr {@code{policy-configuration} parameter} string job-private-values Specifies the list of job values to make private, or @code{all}, @code{default}, or @code{none}. Defaults to @samp{"job-name job-originating-host-name job-originating-user-name phone"}. @end deftypevr @deftypevr {@code{policy-configuration} parameter} string subscription-private-access Specifies an access list for a subscription's private values. @code{@@ACL} maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. @code{@@OWNER} maps to the job's owner. @code{@@SYSTEM} maps to the groups listed for the @code{system-group} field of the @code{files-config} configuration, which is reified into the @code{cups-files.conf(5)} file. Other possible elements of the access list include specific user names, and @code{@@@var{group}} to indicate members of a specific group. The access list may also be simply @code{all} or @code{default}. Defaults to @samp{"@@OWNER @@SYSTEM"}. @end deftypevr @deftypevr {@code{policy-configuration} parameter} string subscription-private-values Specifies the list of job values to make private, or @code{all}, @code{default}, or @code{none}. Defaults to @samp{"notify-events notify-pull-method notify-recipient-uri notify-subscriber-user-name notify-user-data"}. @end deftypevr @deftypevr {@code{policy-configuration} parameter} operation-access-control-list access-controls Access control by IPP operation. Defaults to @samp{()}. @end deftypevr @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-files Specifies whether job files (documents) are preserved after a job is printed. If a numeric value is specified, job files are preserved for the indicated number of seconds after printing. Otherwise a boolean value applies indefinitely. Defaults to @samp{86400}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-history Specifies whether the job history is preserved after a job is printed. If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing. If @code{#t}, the job history is preserved until the MaxJobs limit is reached. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer reload-timeout Specifies the amount of time to wait for job completion before restarting the scheduler. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string rip-cache Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer. Defaults to @samp{"128m"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string server-admin Specifies the email address of the server administrator. Defaults to @samp{"root@@localhost.localdomain"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces. Using the special name @code{*} can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall. If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using @code{*}. Defaults to @samp{*}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string server-name Specifies the fully-qualified host name of the server. Defaults to @samp{"localhost"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens Specifies what information is included in the Server header of HTTP responses. @code{None} disables the Server header. @code{ProductOnly} reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor} reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}. @code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is the output of the @code{uname} command. @code{Full} reports @code{CUPS 2.0.0 (@var{uname}) IPP/2.0}. Defaults to @samp{Minimal}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} string set-env Set the specified environment variable to be passed to child processes. Defaults to @samp{"variable value"}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen Listens on the specified interfaces for encrypted connections. Valid values are of the form @var{address}:@var{port}, where @var{address} is either an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate all addresses. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. The @code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The @code{AllowSSL3} option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean strict-conformance? Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout Specifies the HTTP request timeout, in seconds. Defaults to @samp{300}. @end deftypevr @deftypevr {@code{cups-configuration} parameter} boolean web-interface? Specifies whether the web interface is enabled. Defaults to @samp{#f}. @end deftypevr At this point you're probably thinking ``oh dear, Guix manual, I like you but you can stop already with the configuration options''. Indeed. However, one more point: it could be that you have an existing @code{cupsd.conf} that you want to use. In that case, you can pass an @code{opaque-cups-configuration} as the configuration of a @code{cups-service-type}. Available @code{opaque-cups-configuration} fields are: @deftypevr {@code{opaque-cups-configuration} parameter} package cups The CUPS package. @end deftypevr @deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf The contents of the @code{cupsd.conf}, as a string. @end deftypevr @deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf The contents of the @code{cups-files.conf} file, as a string. @end deftypevr For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in strings of the same name, you could instantiate a CUPS service like this: @example (service cups-service-type (opaque-cups-configuration (cupsd.conf cupsd.conf) (cups-files.conf cups-files.conf))) @end example @node Services de bureaux @subsubsection Services de bureaux The @code{(gnu services desktop)} module provides services that are usually useful in the context of a ``desktop'' setup---that is, on a machine running a graphical display server, possibly with graphical user interfaces, etc. It also defines services that provide specific desktop environments like GNOME, XFCE or MATE. To simplify things, the module defines a variable containing the set of services that users typically expect on a machine with a graphical environment and networking: @defvr {Scheme Variable} %desktop-services This is a list of services that builds upon @var{%base-services} and adds or adjusts services for a typical ``desktop'' setup. In particular, it adds a graphical login manager (@pxref{Système de fenêtrage X, @code{slim-service}}), screen lockers, a network management tool (@pxref{Services réseau, @code{network-manager-service-type}}), energy and color management services, the @code{elogind} login and seat manager, the Polkit privilege service, the GeoClue location service, the AccountsService daemon that allows authorized users change system passwords, an NTP client (@pxref{Services réseau}), the Avahi daemon, and has the name service switch service configured to be able to use @code{nss-mdns} (@pxref{Name Service Switch, mDNS}). @end defvr The @var{%desktop-services} variable can be used as the @code{services} field of an @code{operating-system} declaration (@pxref{Référence de système d'exploitation, @code{services}}). Additionally, the @code{gnome-desktop-service}, @code{xfce-desktop-service}, @code{mate-desktop-service} and @code{enlightenment-desktop-service-type} procedures can add GNOME, XFCE, MATE and/or Enlightenment to a system. To ``add GNOME'' means that system-level services like the backlight adjustment helpers and the power management utilities are added to the system, extending @code{polkit} and @code{dbus} appropriately, allowing GNOME to operate with elevated privileges on a limited number of special-purpose system interfaces. Additionally, adding a service made by @code{gnome-desktop-service} adds the GNOME metapackage to the system profile. Likewise, adding the XFCE service not only adds the @code{xfce} metapackage to the system profile, but it also gives the Thunar file manager the ability to open a ``root-mode'' file management window, if the user authenticates using the administrator's password via the standard polkit graphical interface. To ``add MATE'' means that @code{polkit} and @code{dbus} are extended appropriately, allowing MATE to operate with elevated privileges on a limited number of special-purpose system interfaces. Additionally, adding a service made by @code{mate-desktop-service} adds the MATE metapackage to the system profile. ``Adding ENLIGHTENMENT'' means that @code{dbus} is extended appropriately, and several of Enlightenment's binaries are set as setuid, allowing Enlightenment's screen locker and other functionality to work as expetected. The desktop environments in Guix use the Xorg display server by default. If you'd like to use the newer display server protocol called Wayland, you need to use the @code{sddm-service} instead of the @code{slim-service} for the graphical login manager. You should then select the ``GNOME (Wayland)'' session in SDDM. Alternatively you can also try starting GNOME on Wayland manually from a TTY with the command ``XDG_SESSION_TYPE=wayland exec dbus-run-session gnome-session``. Currently only GNOME has support for Wayland. @deffn {Scheme Procedure} gnome-desktop-service Return a service that adds the @code{gnome} package to the system profile, and extends polkit with the actions from @code{gnome-settings-daemon}. @end deffn @deffn {Scheme Procedure} xfce-desktop-service Return a service that adds the @code{xfce} package to the system profile, and extends polkit with the ability for @code{thunar} to manipulate the file system as root from within a user session, after the user has authenticated with the administrator's password. @end deffn @deffn {Scheme Procedure} mate-desktop-service Return a service that adds the @code{mate} package to the system profile, and extends polkit with the actions from @code{mate-settings-daemon}. @end deffn @deffn {Procédure Scheme} enlightenment-desktop-service-type Return a service that adds the @code{enlightenment} package to the system profile, and extends dbus with actions from @code{efl}. @end deffn @deftp {Data Type} enlightenment-desktop-service-configuration @table @asis @item @code{enlightenment} (par défaut : @code{enlightenment}) Le paquet enlightenment à utiliser. @end table @end deftp Because the GNOME, XFCE and MATE desktop services pull in so many packages, the default @code{%desktop-services} variable doesn't include any of them by default. To add GNOME, XFCE or MATE, just @code{cons} them onto @code{%desktop-services} in the @code{services} field of your @code{operating-system}: @example (use-modules (gnu)) (use-service-modules desktop) (operating-system ... ;; cons* adds items to the list given as its last argument. (services (cons* (gnome-desktop-service) (xfce-desktop-service) %desktop-services)) ...) @end example These desktop environments will then be available as options in the graphical login window. The actual service definitions included in @code{%desktop-services} and provided by @code{(gnu services dbus)} and @code{(gnu services desktop)} are described below. @deffn {Scheme Procedure} dbus-service [#:dbus @var{dbus}] [#:services '()] Return a service that runs the ``system bus'', using @var{dbus}, with support for @var{services}. @uref{http://dbus.freedesktop.org/, D-Bus} is an inter-process communication facility. Its system bus is used to allow system services to communicate and to be notified of system-wide events. @var{services} must be a list of packages that provide an @file{etc/dbus-1/system.d} directory containing additional D-Bus configuration and policy files. For example, to allow avahi-daemon to use the system bus, @var{services} must be equal to @code{(list avahi)}. @end deffn @deffn {Scheme Procedure} elogind-service [#:config @var{config}] Return a service that runs the @code{elogind} login and seat management daemon. @uref{https://github.com/elogind/elogind, Elogind} exposes a D-Bus interface that can be used to know which users are logged in, know what kind of sessions they have open, suspend the system, inhibit system suspend, reboot the system, and other tasks. Elogind handles most system-level power events for a computer, for example suspending the system when a lid is closed, or shutting it down when the power button is pressed. The @var{config} keyword argument specifies the configuration for elogind, and should be the result of an @code{(elogind-configuration (@var{parameter} @var{value})...)} invocation. Available parameters and their default values are: @table @code @item kill-user-processes? @code{#f} @item kill-only-users @code{()} @item kill-exclude-users @code{("root")} @item inhibit-delay-max-seconds @code{5} @item handle-power-key @code{poweroff} @item handle-suspend-key @code{suspend} @item handle-hibernate-key @code{hibernate} @item handle-lid-switch @code{suspend} @item handle-lid-switch-docked @code{ignore} @item power-key-ignore-inhibited? @code{#f} @item suspend-key-ignore-inhibited? @code{#f} @item hibernate-key-ignore-inhibited? @code{#f} @item lid-switch-ignore-inhibited? @code{#t} @item holdoff-timeout-seconds @code{30} @item idle-action @code{ignore} @item idle-action-seconds @code{(* 30 60)} @item runtime-directory-size-percent @code{10} @item runtime-directory-size @code{#f} @item remove-ipc? @code{#t} @item suspend-state @code{("mem" "standby" "freeze")} @item suspend-mode @code{()} @item hibernate-state @code{("disk")} @item hibernate-mode @code{("platform" "shutdown")} @item hybrid-sleep-state @code{("disk")} @item hybrid-sleep-mode @code{("suspend" "platform" "shutdown")} @end table @end deffn @deffn {Scheme Procedure} accountsservice-service @ [#:accountsservice @var{accountsservice}] Return a service that runs AccountsService, a system service that can list available accounts, change their passwords, and so on. AccountsService integrates with PolicyKit to enable unprivileged users to acquire the capability to modify their system configuration. @uref{https://www.freedesktop.org/wiki/Software/AccountsService/, the accountsservice web site} for more information. The @var{accountsservice} keyword argument is the @code{accountsservice} package to expose as a service. @end deffn @deffn {Scheme Procedure} polkit-service @ [#:polkit @var{polkit}] Return a service that runs the @uref{http://www.freedesktop.org/wiki/Software/polkit/, Polkit privilege management service}, which allows system administrators to grant access to privileged operations in a structured way. By querying the Polkit service, a privileged system component can know when it should grant additional capabilities to ordinary users. For example, an ordinary user can be granted the capability to suspend the system if the user is logged in locally. @end deffn @deffn {Scheme Procedure} upower-service [#:upower @var{upower}] @ [#:watts-up-pro? #f] @ [#:poll-batteries? #t] @ [#:ignore-lid? #f] @ [#:use-percentage-for-policy? #f] @ [#:percentage-low 10] @ [#:percentage-critical 3] @ [#:percentage-action 2] @ [#:time-low 1200] @ [#:time-critical 300] @ [#:time-action 120] @ [#:critical-power-action 'hybrid-sleep] Return a service that runs @uref{http://upower.freedesktop.org/, @command{upowerd}}, a system-wide monitor for power consumption and battery levels, with the given configuration settings. It implements the @code{org.freedesktop.UPower} D-Bus interface, and is notably used by GNOME. @end deffn @deffn {Scheme Procedure} udisks-service [#:udisks @var{udisks}] Return a service for @uref{http://udisks.freedesktop.org/docs/latest/, UDisks}, a @dfn{disk management} daemon that provides user interfaces with notifications and ways to mount/unmount disks. Programs that talk to UDisks include the @command{udisksctl} command, part of UDisks, and GNOME Disks. @end deffn @deffn {Scheme Procedure} colord-service [#:colord @var{colord}] Return a service that runs @command{colord}, a system service with a D-Bus interface to manage the color profiles of input and output devices such as screens and scanners. It is notably used by the GNOME Color Manager graphical tool. See @uref{http://www.freedesktop.org/software/colord/, the colord web site} for more information. @end deffn @deffn {Scheme Procedure} geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()] Return a configuration allowing an application to access GeoClue location data. @var{name} is the Desktop ID of the application, without the @code{.desktop} part. If @var{allowed?} is true, the application will have access to location information by default. The boolean @var{system?} value indicates whether an application is a system component or not. Finally @var{users} is a list of UIDs of all users for which this application is allowed location info access. An empty users list means that all users are allowed. @end deffn @defvr {Scheme Variable} %standard-geoclue-applications The standard list of well-known GeoClue application configurations, granting authority to the GNOME date-and-time utility to ask for the current location in order to set the time zone, and allowing the IceCat and Epiphany web browsers to request location information. IceCat and Epiphany both query the user before allowing a web page to know the user's location. @end defvr @deffn {Scheme Procedure} geoclue-service [#:colord @var{colord}] @ [#:whitelist '()] @ [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] @ [#:submit-data? #f] [#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"] @ [#:submission-nick "geoclue"] @ [#:applications %standard-geoclue-applications] Return a service that runs the GeoClue location service. This service provides a D-Bus interface to allow applications to request access to a user's physical location, and optionally to add information to online location databases. See @uref{https://wiki.freedesktop.org/www/Software/GeoClue/, the GeoClue web site} for more information. @end deffn @deffn {Scheme Procedure} bluetooth-service [#:bluez @var{bluez}] @ [@w{#:auto-enable? #f}] Return a service that runs the @command{bluetoothd} daemon, which manages all the Bluetooth devices and provides a number of D-Bus interfaces. When AUTO-ENABLE? is true, the bluetooth controller is powered automatically at boot, which can be useful when using a bluetooth keyboard or mouse. Users need to be in the @code{lp} group to access the D-Bus service. @end deffn @node Services de son @subsubsection Services de son @cindex sound support @cindex ALSA @cindex PulseAudio, sound support The @code{(gnu services sound)} module provides an @code{alsa-service-type} service to generate an ALSA @file{/etc/asound.conf} configuration file. This configuration file is what allows applications that produce sound using ALSA to be correctly handled. @deffn {Variable Scheme} alsa-service-type This is the type for the @uref{https://alsa-project.org/, ALSA}, @command{alsa-configuration} record as in this example: @example (service alsa-service-type) @end example See below for details about @code{alsa-configuration}. @end deffn @deftp {Type de donnée} alsa-configuration Data type representing the configuration for @code{alsa-service}. @table @asis @item @code{pulseaudio?} (par défaut : @code{#t}) Whether ALSA applications should transparently be made to use the @uref{http://www.pulseaudio.org/, PulseAudio} sound server. Using PulseAudio allows you to run several sound-producing applications at the same time and to individual control them @i{via} @command{pavucontrol}, among other things. @item @code{extra-options} (par défaut : @code{""}) String to append to the @file{asound.conf} file. @end table @end deftp @node Services de bases de données @subsubsection Services de bases de données @cindex database @cindex SQL The @code{(gnu services databases)} module provides the following services. @deffn {Scheme Procedure} postgresql-service [#:postgresql postgresql] @ [#:config-file] [#:data-directory ``/var/lib/postgresql/data''] @ [#:port 5432] [#:locale ``en_US.utf8''] Return a service that runs @var{postgresql}, the PostgreSQL database server. The PostgreSQL daemon loads its runtime configuration from @var{config-file}, creates a database cluster with @var{locale} as the default locale, stored in @var{data-directory}. It then listens on @var{port}. @end deffn @deffn {Scheme Procedure} mysql-service [#:config (mysql-configuration)] Return a service that runs @command{mysqld}, the MySQL or MariaDB database server. The optional @var{config} argument specifies the configuration for @command{mysqld}, which should be a @code{} object. @end deffn @deftp {Data Type} mysql-configuration Data type representing the configuration of @var{mysql-service}. @table @asis @item @code{mysql} (default: @var{mariadb}) Package object of the MySQL database server, can be either @var{mariadb} or @var{mysql}. For MySQL, a temporary root password will be displayed at activation time. For MariaDB, the root password is empty. @item @code{port} (default: @code{3306}) TCP port on which the database server listens for incoming connections. @end table @end deftp @defvr {Scheme Variable} memcached-service-type This is the service type for the @uref{https://memcached.org/, Memcached} service, which provides a distributed in memory cache. The value for the service type is a @code{memcached-configuration} object. @end defvr @example (service memcached-service-type) @end example @deftp {Data Type} memcached-configuration Data type representing the configuration of memcached. @table @asis @item @code{memcached} (default: @code{memcached}) The Memcached package to use. @item @code{interfaces} (default: @code{'("0.0.0.0")}) Network interfaces on which to listen. @item @code{tcp-port} (default: @code{11211}) Port on which to accept connections on, @item @code{udp-port} (default: @code{11211}) Port on which to accept UDP connections on, a value of 0 will disable listening on a UDP socket. @item @code{additional-options} (default: @code{'()}) Additional command line options to pass to @code{memcached}. @end table @end deftp @defvr {Scheme Variable} mongodb-service-type This is the service type for @uref{https://www.mongodb.com/, MongoDB}. The value for the service type is a @code{mongodb-configuration} object. @end defvr @example (service mongodb-service-type) @end example @deftp {Data Type} mongodb-configuration Data type representing the configuration of mongodb. @table @asis @item @code{mongodb} (default: @code{mongodb}) The MongoDB package to use. @item @code{config-file} (default: @code{%default-mongodb-configuration-file}) The configuration file for MongoDB. @item @code{data-directory} (default: @code{"/var/lib/mongodb"}) This value is used to create the directory, so that it exists and is owned by the mongodb user. It should match the data-directory which MongoDB is configured to use through the configuration file. @end table @end deftp @defvr {Scheme Variable} redis-service-type This is the service type for the @uref{https://redis.io/, Redis} key/value store, whose value is a @code{redis-configuration} object. @end defvr @deftp {Data Type} redis-configuration Data type representing the configuration of redis. @table @asis @item @code{redis} (default: @code{redis}) The Redis package to use. @item @code{bind} (default: @code{"127.0.0.1"}) Network interface on which to listen. @item @code{port} (default: @code{6379}) Port on which to accept connections on, a value of 0 will disable listening on a TCP socket. @item @code{working-directory} (default: @code{"/var/lib/redis"}) Directory in which to store the database and related files. @end table @end deftp @node Services de courriels @subsubsection Services de courriels @cindex mail @cindex email The @code{(gnu services mail)} module provides Guix service definitions for email services: IMAP, POP3, and LMTP servers, as well as mail transport agents (MTAs). Lots of acronyms! These services are detailed in the subsections below. @subsubheading Dovecot Service @deffn {Scheme Procedure} dovecot-service [#:config (dovecot-configuration)] Return a service that runs the Dovecot IMAP/POP3/LMTP mail server. @end deffn By default, Dovecot does not need much configuration; the default configuration object created by @code{(dovecot-configuration)} will suffice if your mail is delivered to @code{~/Maildir}. A self-signed certificate will be generated for TLS-protected connections, though Dovecot will also listen on cleartext ports by default. There are a number of options, though, which mail administrators might need to change, and as is the case with other services, Guix allows the system administrator to specify these parameters via a uniform Scheme interface. For example, to specify that mail is located at @code{maildir~/.mail}, one would instantiate the Dovecot service like this: @example (dovecot-service #:config (dovecot-configuration (mail-location "maildir:~/.mail"))) @end example The available configuration parameters follow. Each parameter definition is preceded by its type; for example, @samp{string-list foo} indicates that the @code{foo} parameter should be specified as a list of strings. There is also a way to specify the configuration as a string, if you have an old @code{dovecot.conf} file that you want to port over from some other system; see the end for more details. @c The following documentation was initially generated by @c (generate-documentation) in (gnu services mail). Manually maintained @c documentation is better, so we shouldn't hesitate to edit below as @c needed. However if the change you want to make to this documentation @c can be done in an automated way, it's probably easier to change @c (generate-documentation) than to make it below and have to deal with @c the churn as dovecot updates. Available @code{dovecot-configuration} fields are: @deftypevr {@code{dovecot-configuration} parameter} package dovecot The dovecot package. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} comma-separated-string-list listen A list of IPs or hosts where to listen for connections. @samp{*} listens on all IPv4 interfaces, @samp{::} listens on all IPv6 interfaces. If you want to specify non-default ports or anything more complex, customize the address and port fields of the @samp{inet-listener} of the specific services you are interested in. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} protocol-configuration-list protocols List of protocols we want to serve. Available protocols include @samp{imap}, @samp{pop3}, and @samp{lmtp}. Available @code{protocol-configuration} fields are: @deftypevr {@code{protocol-configuration} parameter} string name The name of the protocol. @end deftypevr @deftypevr {@code{protocol-configuration} parameter} string auth-socket-path UNIX socket path to the master authentication server to find users. This is used by imap (for shared users) and lda. It defaults to @samp{"/var/run/dovecot/auth-userdb"}. @end deftypevr @deftypevr {@code{protocol-configuration} parameter} space-separated-string-list mail-plugins Space separated list of plugins to load. @end deftypevr @deftypevr {@code{protocol-configuration} parameter} non-negative-integer mail-max-userip-connections Maximum number of IMAP connections allowed for a user from each IP address. NOTE: The username is compared case-sensitively. Defaults to @samp{10}. @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} service-configuration-list services List of services to enable. Available services include @samp{imap}, @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and @samp{lmtp}. Available @code{service-configuration} fields are: @deftypevr {@code{service-configuration} parameter} string kind The service kind. Valid values include @code{director}, @code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap}, @code{pop3}, @code{auth}, @code{auth-worker}, @code{dict}, @code{tcpwrap}, @code{quota-warning}, or anything else. @end deftypevr @deftypevr {@code{service-configuration} parameter} listener-configuration-list listeners Listeners for the service. A listener is either a @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or an @code{inet-listener-configuration}. Defaults to @samp{()}. Available @code{unix-listener-configuration} fields are: @deftypevr {@code{unix-listener-configuration} parameter} string path Path to the file, relative to @code{base-dir} field. This is also used as the section name. @end deftypevr @deftypevr {@code{unix-listener-configuration} parameter} string mode The access mode for the socket. Defaults to @samp{"0600"}. @end deftypevr @deftypevr {@code{unix-listener-configuration} parameter} string user The user to own the socket. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{unix-listener-configuration} parameter} string group The group to own the socket. Defaults to @samp{""}. @end deftypevr Available @code{fifo-listener-configuration} fields are: @deftypevr {@code{fifo-listener-configuration} parameter} string path Path to the file, relative to @code{base-dir} field. This is also used as the section name. @end deftypevr @deftypevr {@code{fifo-listener-configuration} parameter} string mode The access mode for the socket. Defaults to @samp{"0600"}. @end deftypevr @deftypevr {@code{fifo-listener-configuration} parameter} string user The user to own the socket. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{fifo-listener-configuration} parameter} string group The group to own the socket. Defaults to @samp{""}. @end deftypevr Available @code{inet-listener-configuration} fields are: @deftypevr {@code{inet-listener-configuration} parameter} string protocol The protocol to listen for. @end deftypevr @deftypevr {@code{inet-listener-configuration} parameter} string address The address on which to listen, or empty for all addresses. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{inet-listener-configuration} parameter} non-negative-integer port The port on which to listen. @end deftypevr @deftypevr {@code{inet-listener-configuration} parameter} boolean ssl? Whether to use SSL for this service; @samp{yes}, @samp{no}, or @samp{required}. Defaults to @samp{#t}. @end deftypevr @end deftypevr @deftypevr {@code{service-configuration} parameter} non-negative-integer service-count Number of connections to handle before starting a new process. Typically the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 is faster. . Defaults to @samp{1}. @end deftypevr @deftypevr {@code{service-configuration} parameter} non-negative-integer process-min-avail Number of processes to always keep waiting for more connections. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{service-configuration} parameter} non-negative-integer vsz-limit If you set @samp{service-count 0}, you probably need to grow this. Defaults to @samp{256000000}. @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} dict-configuration dict Dict configuration, as created by the @code{dict-configuration} constructor. Available @code{dict-configuration} fields are: @deftypevr {@code{dict-configuration} parameter} free-form-fields entries A list of key-value pairs that this dict should hold. Defaults to @samp{()}. @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} passdb-configuration-list passdbs A list of passdb configurations, each one created by the @code{passdb-configuration} constructor. Available @code{passdb-configuration} fields are: @deftypevr {@code{passdb-configuration} parameter} string driver The driver that the passdb should use. Valid values include @samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and @samp{static}. Defaults to @samp{"pam"}. @end deftypevr @deftypevr {@code{passdb-configuration} parameter} space-separated-string-list args Space separated list of arguments to the passdb driver. Defaults to @samp{""}. @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} userdb-configuration-list userdbs List of userdb configurations, each one created by the @code{userdb-configuration} constructor. Available @code{userdb-configuration} fields are: @deftypevr {@code{userdb-configuration} parameter} string driver The driver that the userdb should use. Valid values include @samp{passwd} and @samp{static}. Defaults to @samp{"passwd"}. @end deftypevr @deftypevr {@code{userdb-configuration} parameter} space-separated-string-list args Space separated list of arguments to the userdb driver. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{userdb-configuration} parameter} free-form-args override-fields Override fields from passwd. Defaults to @samp{()}. @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} plugin-configuration plugin-configuration Plug-in configuration, created by the @code{plugin-configuration} constructor. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} list-of-namespace-configuration namespaces List of namespaces. Each item in the list is created by the @code{namespace-configuration} constructor. Available @code{namespace-configuration} fields are: @deftypevr {@code{namespace-configuration} parameter} string name Name for this namespace. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} string type Namespace type: @samp{private}, @samp{shared} or @samp{public}. Defaults to @samp{"private"}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} string separator Hierarchy separator to use. You should use the same separator for all namespaces or some clients get confused. @samp{/} is usually a good one. The default however depends on the underlying mail storage format. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} string prefix Prefix required to access this namespace. This needs to be different for all namespaces. For example @samp{Public/}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} string location Physical location of the mailbox. This is in the same format as mail_location, which is also the default for it. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} boolean inbox? There can be only one INBOX, and this setting defines which namespace has it. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} boolean hidden? If namespace is hidden, it's not advertised to clients via NAMESPACE extension. You'll most likely also want to set @samp{list? #f}. This is mostly useful when converting from another server with different namespaces which you want to deprecate but still keep working. For example you can create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/} and @samp{mail/}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} boolean list? Show the mailboxes under this namespace with the LIST command. This makes the namespace visible for clients that do not support the NAMESPACE extension. The special @code{children} value lists child mailboxes, but hides the namespace prefix. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} boolean subscriptions? Namespace handles its own subscriptions. If set to @code{#f}, the parent namespace handles them. The empty prefix should always have this as @code{#t}). Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{namespace-configuration} parameter} mailbox-configuration-list mailboxes List of predefined mailboxes in this namespace. Defaults to @samp{()}. Available @code{mailbox-configuration} fields are: @deftypevr {@code{mailbox-configuration} parameter} string name Name for this mailbox. @end deftypevr @deftypevr {@code{mailbox-configuration} parameter} string auto @samp{create} will automatically create this mailbox. @samp{subscribe} will both create and subscribe to the mailbox. Defaults to @samp{"no"}. @end deftypevr @deftypevr {@code{mailbox-configuration} parameter} space-separated-string-list special-use List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154. Valid values are @code{\All}, @code{\Archive}, @code{\Drafts}, @code{\Flagged}, @code{\Junk}, @code{\Sent}, and @code{\Trash}. Defaults to @samp{()}. @end deftypevr @end deftypevr @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} file-name base-dir Base directory where to store runtime data. Defaults to @samp{"/var/run/dovecot/"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string login-greeting Greeting message for clients. Defaults to @samp{"Dovecot ready."}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-trusted-networks List of trusted network ranges. Connections from these IPs are allowed to override their IP addresses and ports (for logging and for authentication checks). @samp{disable-plaintext-auth} is also ignored for these networks. Typically you would specify your IMAP proxy servers here. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-access-sockets List of login access check sockets (e.g. tcpwrap). Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-proctitle? Show more verbose process titles (in ps). Currently shows user name and IP address. Useful for seeing who is actually using the IMAP processes (e.g. shared mailboxes or if the same uid is used for multiple accounts). Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean shutdown-clients? Should all processes be killed when Dovecot master process shuts down. Setting this to @code{#f} means that Dovecot can be upgraded without forcing existing client connections to close (although that could also be a problem if the upgrade is e.g. due to a security fix). Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer doveadm-worker-count If non-zero, run mail commands via this many connections to doveadm server, instead of running them directly in the same process. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string doveadm-socket-path UNIX socket or host:port used for connecting to doveadm server. Defaults to @samp{"doveadm-server"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list import-environment List of environment variables that are preserved on Dovecot startup and passed down to all of its child processes. You can also give key=value pairs to always set specific settings. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean disable-plaintext-auth? Disable LOGIN command and all other plaintext authentications unless SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP matches the local IP (i.e. you're connecting from the same computer), the connection is considered secure and plaintext authentication is allowed. See also ssl=required setting. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-cache-size Authentication cache size (e.g. @samp{#e10e6}). 0 means it's disabled. Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set for caching to be used. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-ttl Time to live for cached data. After TTL expires the cached record is no longer used, *except* if the main database lookup returns internal failure. We also try to handle password changes automatically: If user's previous authentication was successful, but this one wasn't, the cache isn't used. For now this works only with plaintext authentication. Defaults to @samp{"1 hour"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-cache-negative-ttl TTL for negative hits (user not found, password mismatch). 0 disables caching them completely. Defaults to @samp{"1 hour"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-realms List of realms for SASL authentication mechanisms that need them. You can leave it empty if you don't want to support multiple realms. Many clients simply use the first one listed here, so keep the default realm first. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-default-realm Default realm/domain to use if none was specified. This is used for both SASL realms and appending @@domain to username in plaintext logins. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-username-chars List of allowed characters in username. If the user-given username contains a character not listed in here, the login automatically fails. This is just an extra check to make sure user can't exploit any potential quote escaping vulnerabilities with SQL/LDAP databases. If you want to allow all characters, set this value to empty. Defaults to @samp{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@@"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-username-translation Username character translations before it's looked up from databases. The value contains series of from -> to characters. For example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are translated to @samp{@@}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-username-format Username formatting before it's looked up from databases. You can use the standard variables here, e.g. %Lu would lowercase the username, %n would drop away the domain if it was given, or @samp{%n-AT-%d} would change the @samp{@@} into @samp{-AT-}. This translation is done after @samp{auth-username-translation} changes. Defaults to @samp{"%Lu"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-master-user-separator If you want to allow master users to log in by specifying the master username within the normal username string (i.e. not using SASL mechanism's support for it), you can specify the separator character here. The format is then . UW-IMAP uses @samp{*} as the separator, so that could be a good choice. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-anonymous-username Username to use for users logging in with ANONYMOUS SASL mechanism. Defaults to @samp{"anonymous"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-worker-max-count Maximum number of dovecot-auth worker processes. They're used to execute blocking passdb and userdb queries (e.g. MySQL and PAM). They're automatically created and destroyed as needed. Defaults to @samp{30}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-gssapi-hostname Host name to use in GSSAPI principal names. The default is to use the name returned by gethostname(). Use @samp{$ALL} (with quotes) to allow all keytab entries. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab Kerberos keytab to use for the GSSAPI mechanism. Will use the system default (usually @file{/etc/krb5.keytab}) if not specified. You may need to change the auth service to run as root to be able to read this file. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-use-winbind? Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and @samp{ntlm-auth} helper. . Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} file-name auth-winbind-helper-path Path for Samba's @samp{ntlm-auth} helper binary. Defaults to @samp{"/usr/bin/ntlm_auth"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string auth-failure-delay Time to delay before replying to failed authentications. Defaults to @samp{"2 secs"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert? Require a valid SSL client certificate or the authentication fails. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-username-from-cert? Take the username from client's SSL certificate, using @code{X509_NAME_get_text_by_NID()} which returns the subject's DN's CommonName. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-mechanisms List of wanted authentication mechanisms. Supported mechanisms are: @samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5}, @samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi}, @samp{otp}, @samp{skey}, and @samp{gss-spnego}. NOTE: See also @samp{disable-plaintext-auth} setting. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-servers List of IPs or hostnames to all director servers, including ourself. Ports can be specified as ip:port. The default port is the same as what director service's @samp{inet-listener} is using. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-mail-servers List of IPs or hostnames to all backend mail servers. Ranges are allowed too, like 10.0.0.10-10.0.0.30. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string director-user-expire How long to redirect users to a specific server after it no longer has any connections. Defaults to @samp{"15 min"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string director-username-hash How the username is translated before being hashed. Useful values include %Ln if user can log in with or without @@domain, %Ld if mailboxes are shared within domain. Defaults to @samp{"%Lu"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string log-path Log file to use for error messages. @samp{syslog} logs to syslog, @samp{/dev/stderr} logs to stderr. Defaults to @samp{"syslog"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string info-log-path Log file to use for informational messages. Defaults to @samp{log-path}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string debug-log-path Log file to use for debug messages. Defaults to @samp{info-log-path}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string syslog-facility Syslog facility to use if you're logging to syslog. Usually if you don't want to use @samp{mail}, you'll use local0..local7. Also other standard facilities are supported. Defaults to @samp{"mail"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose? Log unsuccessful authentication attempts and the reasons why they failed. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-verbose-passwords? In case of password mismatches, log the attempted password. Valid values are no, plain and sha1. sha1 can be useful for detecting brute force password attempts vs. user simply trying the same password over and over again. You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug? Even more verbose logging for debugging purposes. Shows for example SQL queries. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean auth-debug-passwords? In case of password mismatches, log the passwords and used scheme so the problem can be debugged. Enabling this also enables @samp{auth-debug}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mail-debug? Enable mail process debugging. This can help you figure out why Dovecot isn't finding your mails. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean verbose-ssl? Show protocol level SSL errors. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string log-timestamp Prefix for each line written to log file. % codes are in strftime(3) format. Defaults to @samp{"\"%b %d %H:%M:%S \""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-log-format-elements List of elements we want to log. The elements which have a non-empty variable value are joined together to form a comma-separated string. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string login-log-format Login log format. %s contains @samp{login-log-format-elements} string, %$ contains the data we want to log. Defaults to @samp{"%$: %s"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-log-prefix Log prefix for mail processes. See doc/wiki/Variables.txt for list of possible variables you can use. Defaults to @samp{"\"%s(%u)<%@{pid@}><%@{session@}>: \""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string deliver-log-format Format to use for logging mail deliveries. You can use variables: @table @code @item %$ Delivery status message (e.g. @samp{saved to INBOX}) @item %m Message-ID @item %s Subject @item %f From address @item %p Physical size @item %w Virtual size. @end table Defaults to @samp{"msgid=%m: %$"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-location Location for users' mailboxes. The default is empty, which means that Dovecot tries to find the mailboxes automatically. This won't work if the user doesn't yet have any mail, so you should explicitly tell Dovecot the full location. If you're using mbox, giving a path to the INBOX file (e.g. /var/mail/%u) isn't enough. You'll also need to tell Dovecot where the other mailboxes are kept. This is called the "root mail directory", and it must be the first path given in the @samp{mail-location} setting. There are a few special variables you can use, eg.: @table @samp @item %u username @item %n user part in user@@domain, same as %u if there's no domain @item %d domain part in user@@domain, empty if there's no domain @item %h home director @end table See doc/wiki/Variables.txt for full list. Some examples: @table @samp @item maildir:~/Maildir @item mbox:~/mail:INBOX=/var/mail/%u @item mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/% @end table Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-uid System user and group used to access mails. If you use multiple, userdb can override these by returning uid or gid fields. You can use either numbers or names. . Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-gid Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-privileged-group Group to enable temporarily for privileged operations. Currently this is used only with INBOX when either its initial creation or dotlocking fails. Typically this is set to "mail" to give access to /var/mail. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-access-groups Grant access to these supplementary groups for mail processes. Typically these are used to set up access to shared mailboxes. Note that it may be dangerous to set these if users can create symlinks (e.g. if "mail" group is set here, ln -s /var/mail ~/mail/var could allow a user to delete others' mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mail-full-filesystem-access? Allow full file system access to clients. There's no access checks other than what the operating system does for the active UID/GID. It works with both maildir and mboxes, allowing you to prefix mailboxes names with e.g. /path/ or ~user/. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mmap-disable? Don't use mmap() at all. This is required if you store indexes to shared file systems (NFS or clustered file system). Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean dotlock-use-excl? Rely on @samp{O_EXCL} to work when creating dotlock files. NFS supports @samp{O_EXCL} since version 3, so this should be safe to use nowadays by default. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-fsync When to use fsync() or fdatasync() calls: @table @code @item optimized Whenever necessary to avoid losing important data @item always Useful with e.g. NFS when write()s are delayed @item never Never use it (best performance, but crashes can lose data). @end table Defaults to @samp{"optimized"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-storage? Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches whenever needed. If you're using only a single mail server this isn't needed. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mail-nfs-index? Mail index files also exist in NFS. Setting this to yes requires @samp{mmap-disable? #t} and @samp{fsync-disable? #f}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string lock-method Locking method for index files. Alternatives are fcntl, flock and dotlock. Dotlocking uses some tricks which may create more disk I/O than other locking methods. NFS users: flock doesn't work, remember to change @samp{mmap-disable}. Defaults to @samp{"fcntl"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} file-name mail-temp-dir Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. Defaults to @samp{"/tmp"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-uid Valid UID range for users. This is mostly to make sure that users can't log in as daemons or other system users. Note that denying root logins is hardcoded to dovecot binary and can't be done even if @samp{first-valid-uid} is set to 0. Defaults to @samp{500}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-uid Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer first-valid-gid Valid GID range for users. Users having non-valid GID as primary group ID aren't allowed to log in. If user belongs to supplementary groups with non-valid GIDs, those groups are not set. Defaults to @samp{1}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer last-valid-gid Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-max-keyword-length Maximum allowed length for mail keyword name. It's only forced when trying to create new keywords. Defaults to @samp{50}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} colon-separated-file-name-list valid-chroot-dirs List of directories under which chrooting is allowed for mail processes (i.e. /var/mail will allow chrooting to /var/mail/foo/bar too). This setting doesn't affect @samp{login-chroot} @samp{mail-chroot} or auth chroot settings. If this setting is empty, "/./" in home dirs are ignored. WARNING: Never add directories here which local users can modify, that may lead to root exploit. Usually this should be done only if you don't allow shell access for users. . Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-chroot Default chroot directory for mail processes. This can be overridden for specific users in user database by giving /./ in user's home directory (e.g. /home/./user chroots into /home). Note that usually there is no real need to do chrooting, Dovecot doesn't allow users to access files outside their mail directory anyway. If your home directories are prefixed with the chroot directory, append "/." to @samp{mail-chroot}. . Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} file-name auth-socket-path UNIX socket path to master authentication server to find users. This is used by imap (for shared users) and lda. Defaults to @samp{"/var/run/dovecot/auth-userdb"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} file-name mail-plugin-dir Directory where to look up mail plugins. Defaults to @samp{"/usr/lib/dovecot"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mail-plugins List of plugins to load for all services. Plugins specific to IMAP, LDA, etc. are added to this list in their own .conf files. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-cache-min-mail-count The minimum number of mails in a mailbox before updates are done to cache file. This allows optimizing Dovecot's behavior to do less disk writes at the cost of more disk reads. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mailbox-idle-check-interval When IDLE command is running, mailbox is checked once in a while to see if there are any new mails or other changes. This setting defines the minimum time to wait between those checks. Dovecot can also use dnotify, inotify and kqueue to find out immediately when changes occur. Defaults to @samp{"30 secs"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mail-save-crlf? Save mails with CR+LF instead of plain LF. This makes sending those mails take less CPU, especially with sendfile() syscall with Linux and FreeBSD. But it also creates a bit more disk I/O which may just make it slower. Also note that if other software reads the mboxes/maildirs, they may handle the extra CRs wrong and cause problems. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-stat-dirs? By default LIST command returns all entries in maildir beginning with a dot. Enabling this option makes Dovecot return only entries which are directories. This is done by stat()ing each entry, so it causes more disk I/O. (For systems setting struct @samp{dirent->d_type} this check is free and it's done always regardless of this setting). Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-copy-with-hardlinks? When copying a message, do it with hard links whenever possible. This makes the performance much better, and it's unlikely to have any side effects. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean maildir-very-dirty-syncs? Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only when its mtime changes unexpectedly or when we can't find the mail otherwise. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-read-locks Which locking methods to use for locking mbox. There are four available: @table @code @item dotlock Create .lock file. This is the oldest and most NFS-safe solution. If you want to use /var/mail/ like directory, the users will need write access to that directory. @item dotlock-try Same as dotlock, but if it fails because of permissions or because there isn't enough disk space, just skip it. @item fcntl Use this if possible. Works with NFS too if lockd is used. @item flock May not exist in all systems. Doesn't work with NFS. @item lockf May not exist in all systems. Doesn't work with NFS. @end table You can use multiple locking methods; if you do the order they're declared in is important to avoid deadlocks if other MTAs/MUAs are using multiple locking methods as well. Some operating systems don't allow using some of them simultaneously. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list mbox-write-locks @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mbox-lock-timeout Maximum time to wait for lock (all of them) before aborting. Defaults to @samp{"5 mins"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mbox-dotlock-change-timeout If dotlock exists but the mailbox isn't modified in any way, override the lock file after this much time. Defaults to @samp{"2 mins"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-dirty-syncs? When mbox changes unexpectedly we have to fully read it to find out what changed. If the mbox is large this can take a long time. Since the change is usually just a newly appended mail, it'd be faster to simply read the new mails. If this setting is enabled, Dovecot does this but still safely fallbacks to re-reading the whole mbox file whenever something in mbox isn't how it's expected to be. The only real downside to this setting is that if some other MUA changes message flags, Dovecot doesn't notice it immediately. Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK commands. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-very-dirty-syncs? Like @samp{mbox-dirty-syncs}, but don't do full syncs even with SELECT, EXAMINE, EXPUNGE or CHECK commands. If this is set, @samp{mbox-dirty-syncs} is ignored. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mbox-lazy-writes? Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK commands and when closing the mailbox). This is especially useful for POP3 where clients often delete all mails. The downside is that our changes aren't immediately visible to other MUAs. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mbox-min-index-size If mbox size is smaller than this (e.g. 100k), don't write index files. If an index file already exists it's still read, just not updated. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mdbox-rotate-size Maximum dbox file size until it's rotated. Defaults to @samp{10000000}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mdbox-rotate-interval Maximum dbox file age until it's rotated. Typically in days. Day begins from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. Defaults to @samp{"1d"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean mdbox-preallocate-space? When creating new mdbox files, immediately preallocate their size to @samp{mdbox-rotate-size}. This setting currently works only in Linux with some file systems (ext4, xfs). Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-dir sdbox and mdbox support saving mail attachments to external files, which also allows single instance storage for them. Other backends don't support this for now. WARNING: This feature hasn't been tested much yet. Use at your own risk. Directory root where to store mail attachments. Disabled, if empty. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer mail-attachment-min-size Attachments smaller than this aren't saved externally. It's also possible to write a plugin to disable saving specific attachments externally. Defaults to @samp{128000}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-fs File system backend to use for saving attachments: @table @code @item posix No SiS done by Dovecot (but this might help FS's own deduplication) @item sis posix SiS with immediate byte-by-byte comparison during saving @item sis-queue posix SiS with delayed comparison and deduplication. @end table Defaults to @samp{"sis posix"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string mail-attachment-hash Hash format to use in attachment filenames. You can add any text and variables: @code{%@{md4@}}, @code{%@{md5@}}, @code{%@{sha1@}}, @code{%@{sha256@}}, @code{%@{sha512@}}, @code{%@{size@}}. Variables can be truncated, e.g. @code{%@{sha256:80@}} returns only first 80 bits. Defaults to @samp{"%@{sha1@}"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-process-limit Defaults to @samp{100}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-client-limit Defaults to @samp{1000}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer default-vsz-limit Default VSZ (virtual memory size) limit for service processes. This is mainly intended to catch and kill processes that leak memory before they eat up everything. Defaults to @samp{256000000}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string default-login-user Login user is internally used by login processes. This is the most untrusted user in Dovecot system. It shouldn't have access to anything at all. Defaults to @samp{"dovenull"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string default-internal-user Internal user is used by unprivileged processes. It should be separate from login user, so that login processes can't disturb other processes. Defaults to @samp{"dovecot"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string ssl? SSL/TLS support: yes, no, required. . Defaults to @samp{"required"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string ssl-cert PEM encoded X.509 SSL/TLS certificate (public key). Defaults to @samp{" was automatically rejected:%n%r"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string recipient-delimiter Delimiter character between local-part and detail in email address. Defaults to @samp{"+"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string lda-original-recipient-header Header where the original recipient address (SMTP's RCPT TO: address) is taken from if not available elsewhere. With dovecot-lda -a parameter overrides this. A commonly used header for this is X-Original-To. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autocreate? Should saving a mail to a nonexistent mailbox automatically create it?. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} boolean lda-mailbox-autosubscribe? Should automatically created mailboxes be also automatically subscribed?. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} non-negative-integer imap-max-line-length Maximum IMAP command line length. Some clients generate very long command lines with huge mailboxes, so you may need to raise this if you get "Too long argument" or "IMAP command line too large" errors often. Defaults to @samp{64000}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string imap-logout-format IMAP logout format string: @table @code @item %i total number of bytes read from client @item %o total number of bytes sent to client. @end table See @file{doc/wiki/Variables.txt} for a list of all the variables you can use. Defaults to @samp{"in=%i out=%o deleted=%@{deleted@} expunged=%@{expunged@} trashed=%@{trashed@} hdr_count=%@{fetch_hdr_count@} hdr_bytes=%@{fetch_hdr_bytes@} body_count=%@{fetch_body_count@} body_bytes=%@{fetch_body_bytes@}"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string imap-capability Override the IMAP CAPABILITY response. If the value begins with '+', add the given capabilities on top of the defaults (e.g. +XFOO XBAR). Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string imap-idle-notify-interval How long to wait between "OK Still here" notifications when client is IDLEing. Defaults to @samp{"2 mins"}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string imap-id-send ID field names and values to send to clients. Using * as the value makes Dovecot use the default value. The following fields have default values currently: name, version, os, os-version, support-url, support-email. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} string imap-id-log ID fields sent by client to log. * means everything. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list imap-client-workarounds Workarounds for various client bugs: @table @code @item delay-newmail Send EXISTS/RECENT new mail notifications only when replying to NOOP and CHECK commands. Some clients ignore them otherwise, for example OSX Mail (' before setting it here, to get a feel for which cipher suites you will get. After setting this option, it is recommend that you inspect your Murmur log to ensure that Murmur is using the cipher suites that you expected it to. Note: Changing this option may impact the backwards compatibility of your Murmur server, and can remove the ability for older Mumble clients to be able to connect to it. @item @code{public-registration} (default: @code{#f}) Must be a @code{} record or @code{#f}. You can optionally register your server in the public server list that the @code{mumble} client shows on startup. You cannot register your server if you have set a @code{server-password}, or set @code{allow-ping} to @code{#f}. It might take a few hours until it shows up in the public list. @item @code{file} (default: @code{#f}) Optional alternative override for this configuration. @end table @end deftp @deftp {Data Type} murmur-public-registration-configuration Configuration for public registration of a murmur service. @table @asis @item @code{name} This is a display name for your server. Not to be confused with the hostname. @item @code{password} A password to identify your registration. Subsequent updates will need the same password. Don't lose your password. @item @code{url} This should be a @code{http://} or @code{https://} link to your web site. @item @code{hostname} (default: @code{#f}) By default your server will be listed by its IP address. If it is set your server will be linked by this host name instead. @end table @end deftp @node Services de surveillance @subsubsection Services de surveillance @subsubheading Tailon Service @uref{https://tailon.readthedocs.io/, Tailon} is a web application for viewing and searching log files. The following example will configure the service with default values. By default, Tailon can be accessed on port 8080 (@code{http://localhost:8080}). @example (service tailon-service-type) @end example The following example customises more of the Tailon configuration, adding @command{sed} to the list of allowed commands. @example (service tailon-service-type (tailon-configuration (config-file (tailon-configuration-file (allowed-commands '("tail" "grep" "awk" "sed")))))) @end example @deftp {Data Type} tailon-configuration Data type representing the configuration of Tailon. This type has the following parameters: @table @asis @item @code{config-file} (default: @code{(tailon-configuration-file)}) The configuration file to use for Tailon. This can be set to a @dfn{tailon-configuration-file} record value, or any gexp (@pxref{G-Expressions}). For example, to instead use a local file, the @code{local-file} function can be used: @example (service tailon-service-type (tailon-configuration (config-file (local-file "./my-tailon.conf")))) @end example @item @code{package} (default: @code{tailon}) The tailon package to use. @end table @end deftp @deftp {Data Type} tailon-configuration-file Data type representing the configuration options for Tailon. This type has the following parameters: @table @asis @item @code{files} (default: @code{(list "/var/log")}) List of files to display. The list can include strings for a single file or directory, or a list, where the first item is the name of a subsection, and the remaining items are the files or directories in that subsection. @item @code{bind} (default: @code{"localhost:8080"}) Address and port to which Tailon should bind on. @item @code{relative-root} (default: @code{#f}) URL path to use for Tailon, set to @code{#f} to not use a path. @item @code{allow-transfers?} (default: @code{#t}) Allow downloading the log files in the web interface. @item @code{follow-names?} (default: @code{#t}) Allow tailing of not-yet existent files. @item @code{tail-lines} (default: @code{200}) Number of lines to read initially from each file. @item @code{allowed-commands} (default: @code{(list "tail" "grep" "awk")}) Commands to allow running. By default, @code{sed} is disabled. @item @code{debug?} (default: @code{#f}) Set @code{debug?} to @code{#t} to show debug messages. @item @code{wrap-lines} (default: @code{#t}) Initial line wrapping state in the web interface. Set to @code{#t} to initially wrap lines (the default), or to @code{#f} to initially not wrap lines. @item @code{http-auth} (default: @code{#f}) HTTP authentication type to use. Set to @code{#f} to disable authentication (the default). Supported values are @code{"digest"} or @code{"basic"}. @item @code{users} (default: @code{#f}) If HTTP authentication is enabled (see @code{http-auth}), access will be restricted to the credentials provided here. To configure users, use a list of pairs, where the first element of the pair is the username, and the 2nd element of the pair is the password. @example (tailon-configuration-file (http-auth "basic") (users '(("user1" . "password1") ("user2" . "password2")))) @end example @end table @end deftp @subsubheading Darkstat Service @cindex darkstat Darkstat is a packet sniffer that captures network traffic, calculates statistics about usage, and serves reports over HTTP. @defvar {Scheme Variable} darkstat-service-type This is the service type for the @uref{https://unix4lyfe.org/darkstat/, darkstat} service, its value must be a @code{darkstat-configuration} record as in this example: @example (service darkstat-service-type (darkstat-configuration (interface "eno1"))) @end example @end defvar @deftp {Data Type} darkstat-configuration Data type representing the configuration of @command{darkstat}. @table @asis @item @code{package} (default: @code{darkstat}) The darkstat package to use. @item @code{interface} Capture traffic on the specified network interface. @item @code{port} (default: @code{"667"}) Bind the web interface to the specified port. @item @code{bind-address} (default: @code{"127.0.0.1"}) Bind the web interface to the specified address. @item @code{base} (default: @code{"/"}) Specify the path of the base URL. This can be useful if @command{darkstat} is accessed via a reverse proxy. @end table @end deftp @node Services Kerberos @subsubsection Services Kerberos @cindex Kerberos The @code{(gnu services kerberos)} module provides services relating to the authentication protocol @dfn{Kerberos}. @subsubheading Krb5 Service Programs using a Kerberos client library normally expect a configuration file in @file{/etc/krb5.conf}. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started. No ``keytab'' files are provided by this service---you must explicitly create them. This service is known to work with the MIT client library, @code{mit-krb5}. Other implementations have not been tested. @defvr {Scheme Variable} krb5-service-type A service type for Kerberos 5 clients. @end defvr @noindent Here is an example of its use: @lisp (service krb5-service-type (krb5-configuration (default-realm "EXAMPLE.COM") (allow-weak-crypto? #t) (realms (list (krb5-realm (name "EXAMPLE.COM") (admin-server "groucho.example.com") (kdc "karl.example.com")) (krb5-realm (name "ARGRX.EDU") (admin-server "kerb-admin.argrx.edu") (kdc "keys.argrx.edu")))))) @end lisp @noindent This example provides a Kerberos@tie{}5 client configuration which: @itemize @item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both of which have distinct administration servers and key distribution centers; @item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly specified by clients; @item Accepts services which only support encryption types known to be weak. @end itemize The @code{krb5-realm} and @code{krb5-configuration} types have many fields. Only the most commonly used ones are described here. For a full list, and more detailed explanation of each, see the MIT @uref{http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf} documentation. @deftp {Data Type} krb5-realm @cindex realm, kerberos @table @asis @item @code{name} This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case. @item @code{admin-server} This field is a string identifying the host where the administration server is running. @item @code{kdc} This field is a string identifying the key distribution center for the realm. @end table @end deftp @deftp {Data Type} krb5-configuration @table @asis @item @code{allow-weak-crypto?} (default: @code{#f}) If this flag is @code{#t} then services which only offer encryption algorithms known to be weak will be accepted. @item @code{default-realm} (default: @code{#f}) This field should be a string identifying the default Kerberos realm for the client. You should set this field to the name of your Kerberos realm. If this value is @code{#f} then a realm must be specified with every Kerberos principal when invoking programs such as @command{kinit}. @item @code{realms} This should be a non-empty list of @code{krb5-realm} objects, which clients may access. Normally, one of them will have a @code{name} field matching the @code{default-realm} field. @end table @end deftp @subsubheading PAM krb5 Service @cindex pam-krb5 The @code{pam-krb5} service allows for login authentication and password management via Kerberos. You will need this service if you want PAM enabled applications to authenticate users using Kerberos. @defvr {Scheme Variable} pam-krb5-service-type A service type for the Kerberos 5 PAM module. @end defvr @deftp {Data Type} pam-krb5-configuration Data type representing the configuration of the Kerberos 5 PAM module This type has the following parameters: @table @asis @item @code{pam-krb5} (default: @code{pam-krb5}) The pam-krb5 package to use. @item @code{minimum-uid} (default: @code{1000}) The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate. @end table @end deftp @node Services web @subsubsection Services web @cindex web @cindex www @cindex HTTP The @code{(gnu services web)} module provides the Apache HTTP Server, the nginx web server, and also a fastcgi wrapper daemon. @subsubheading Apache HTTP Server @deffn {Scheme Variable} httpd-service-type Service type for the @uref{https://httpd.apache.org/,Apache HTTP} server (@dfn{httpd}). The value for this service type is a @code{https-configuration} record. A simple example configuration is given below. @example (service httpd-service-type (httpd-configuration (config (httpd-config-file (server-name "www.example.com") (document-root "/srv/http/www.example.com"))))) @end example Other services can also extend the @code{httpd-service-type} to add to the configuration. @example (simple-service 'my-extra-server httpd-service-type (list (httpd-virtualhost "*:80" (list (string-append "ServerName "www.example.com DocumentRoot \"/srv/http/www.example.com\""))))) @end example @end deffn The details for the @code{httpd-configuration}, @code{httpd-module}, @code{httpd-config-file} and @code{httpd-virtualhost} record types are given below. @deffn {Data Type} httpd-configuration This data type represents the configuration for the httpd service. @table @asis @item @code{package} (default: @code{httpd}) The httpd package to use. @item @code{pid-file} (default: @code{"/var/run/httpd"}) The pid file used by the shepherd-service. @item @code{config} (default: @code{(httpd-config-file)}) The configuration file to use with the httpd service. The default value is a @code{httpd-config-file} record, but this can also be a different G-expression that generates a file, for example a @code{plain-file}. A file outside of the store can also be specified through a string. @end table @end deffn @deffn {Data Type} httpd-module This data type represents a module for the httpd service. @table @asis @item @code{name} The name of the module. @item @code{file} The file for the module. This can be relative to the httpd package being used, the absolute location of a file, or a G-expression for a file within the store, for example @code{(file-append mod-wsgi "/modules/mod_wsgi.so")}. @end table @end deffn @deffn {Data Type} httpd-config-file This data type represents a configuration file for the httpd service. @table @asis @item @code{modules} (default: @code{%default-httpd-modules}) The modules to load. Additional modules can be added here, or loaded by additional configuration. @item @code{server-root} (default: @code{httpd}) The @code{ServerRoot} in the configuration file, defaults to the httpd package. Directives including @code{Include} and @code{LoadModule} are taken as relative to the server root. @item @code{server-name} (default: @code{#f}) The @code{ServerName} in the configuration file, used to specify the request scheme, hostname and port that the server uses to identify itself. This doesn't need to be set in the server config, and can be specifyed in virtual hosts. The default is @code{#f} to not specify a @code{ServerName}. @item @code{document-root} (default: @code{"/srv/http"}) The @code{DocumentRoot} from which files will be served. @item @code{listen} (default: @code{'("80")}) The list of values for the @code{Listen} directives in the config file. The value should be a list of strings, when each string can specify the port number to listen on, and optionally the IP address and protocol to use. @item @code{pid-file} (default: @code{"/var/run/httpd"}) The @code{PidFile} to use. This should match the @code{pid-file} set in the @code{httpd-configuration} so that the Shepherd service is configured correctly. @item @code{error-log} (default: @code{"/var/log/httpd/error_log"}) The @code{ErrorLog} to which the server will log errors. @item @code{user} (default: @code{"httpd"}) The @code{User} which the server will answer requests as. @item @code{group} (default: @code{"httpd"}) The @code{Group} which the server will answer requests as. @item @code{extra-config} (default: @code{(list "TypesConfig etc/httpd/mime.types")}) A flat list of strings and G-expressions which will be added to the end of the configuration file. Any values which the service is extended with will be appended to this list. @end table @end deffn @deffn {Data Type} httpd-virtualhost This data type represents a virtualhost configuration block for the httpd service. These should be added to the extra-config for the httpd-service. @example (simple-service 'my-extra-server httpd-service-type (list (httpd-virtualhost "*:80" (list (string-append "ServerName "www.example.com DocumentRoot \"/srv/http/www.example.com\""))))) @end example @table @asis @item @code{addresses-and-ports} The addresses and ports for the @code{VirtualHost} directive. @item @code{contents} The contents of the @code{VirtualHost} directive, this should be a list of strings and G-expressions. @end table @end deffn @subsubheading NGINX @deffn {Scheme Variable} nginx-service-type Service type for the @uref{https://nginx.org/,NGinx} web server. The value for this service type is a @code{} record. A simple example configuration is given below. @example (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) (root "/srv/http/www.example.com")))))) @end example In addition to adding server blocks to the service configuration directly, this service can be extended by other services to add server blocks, as in this example: @example (simple-service 'my-extra-server nginx-service-type (list (nginx-server-configuration (root "/srv/http/extra-website") (try-files (list "$uri" "$uri/index.html"))))) @end example @end deffn At startup, @command{nginx} has not yet read its configuration file, so it uses a default file to log error messages. If it fails to load its configuration file, that is where error messages are logged. After the configuration file is loaded, the default error log file changes as per configuration. In our case, startup error messages can be found in @file{/var/run/nginx/logs/error.log}, and after configuration in @file{/var/log/nginx/error.log}. The second location can be changed with the @var{log-directory} configuration option. @deffn {Data Type} nginx-configuration This data type represents the configuration for NGinx. Some configuration can be done through this and the other provided record types, or alternatively, a config file can be provided. @table @asis @item @code{nginx} (default: @code{nginx}) The nginx package to use. @item @code{log-directory} (default: @code{"/var/log/nginx"}) The directory to which NGinx will write log files. @item @code{run-directory} (default: @code{"/var/run/nginx"}) The directory in which NGinx will create a pid file, and write temporary files. @item @code{server-blocks} (default: @code{'()}) A list of @dfn{server blocks} to create in the generated configuration file, the elements should be of type @code{}. The following example would setup NGinx to serve @code{www.example.com} from the @code{/srv/http/www.example.com} directory, without using HTTPS. @example (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) (root "/srv/http/www.example.com")))))) @end example @item @code{upstream-blocks} (default: @code{'()}) A list of @dfn{upstream blocks} to create in the generated configuration file, the elements should be of type @code{}. Configuring upstreams through the @code{upstream-blocks} can be useful when combined with @code{locations} in the @code{} records. The following example creates a server configuration with one location configuration, that will proxy requests to a upstream configuration, which will handle requests with two servers. @example (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) (root "/srv/http/www.example.com") (locations (list (nginx-location-configuration (uri "/path1") (body '("proxy_pass http://server-proxy;")))))))) (upstream-blocks (list (nginx-upstream-configuration (name "server-proxy") (servers (list "server1.example.com" "server2.example.com"))))))) @end example @item @code{file} (default: @code{#f}) If a configuration @var{file} is provided, this will be used, rather than generating a configuration file from the provided @code{log-directory}, @code{run-directory}, @code{server-blocks} and @code{upstream-blocks}. For proper operation, these arguments should match what is in @var{file} to ensure that the directories are created when the service is activated. This can be useful if you have an existing configuration file, or it's not possible to do what is required through the other parts of the nginx-configuration record. @item @code{server-names-hash-bucket-size} (default: @code{#f}) Bucket size for the server names hash tables, defaults to @code{#f} to use the size of the processors cache line. @item @code{server-names-hash-bucket-max-size} (default: @code{#f}) Maximum bucket size for the server names hash tables. @item @code{extra-content} (par défaut : @code{""}) Extra content for the @code{http} block. Should be string or a string valued G-expression. @end table @end deffn @deftp {Data Type} nginx-server-configuration Data type representing the configuration of an nginx server block. This type has the following parameters: @table @asis @item @code{listen} (default: @code{'("80" "443 ssl")}) Each @code{listen} directive sets the address and port for IP, or the path for a UNIX-domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname, for example: @example '("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000") @end example @item @code{server-name} (default: @code{(list 'default)}) A list of server names this server represents. @code{'default} represents the default server for connections matching no other server. @item @code{root} (default: @code{"/srv/http"}) Root of the website nginx will serve. @item @code{locations} (default: @code{'()}) A list of @dfn{nginx-location-configuration} or @dfn{nginx-named-location-configuration} records to use within this server block. @item @code{index} (default: @code{(list "index.html")}) Index files to look for when clients ask for a directory. If it cannot be found, Nginx will send the list of files in the directory. @item @code{try-files} (default: @code{'()}) A list of files whose existence is checked in the specified order. @code{nginx} will use the first file it finds to process the request. @item @code{ssl-certificate} (default: @code{#f}) Where to find the certificate for secure connections. Set it to @code{#f} if you don't have a certificate or you don't want to use HTTPS. @item @code{ssl-certificate-key} (default: @code{#f}) Where to find the private key for secure connections. Set it to @code{#f} if you don't have a key or you don't want to use HTTPS. @item @code{server-tokens?} (default: @code{#f}) Whether the server should add its configuration to response. @item @code{raw-content} (default: @code{'()}) A list of raw lines added to the server block. @end table @end deftp @deftp {Data Type} nginx-upstream-configuration Data type representing the configuration of an nginx @code{upstream} block. This type has the following parameters: @table @asis @item @code{name} Name for this group of servers. @item @code{servers} Specify the addresses of the servers in the group. The address can be specified as a IP address (e.g. @samp{127.0.0.1}), domain name (e.g. @samp{backend1.example.com}) or a path to a UNIX socket using the prefix @samp{unix:}. For addresses using an IP address or domain name, the default port is 80, and a different port can be specified explicitly. @end table @end deftp @deftp {Data Type} nginx-location-configuration Data type representing the configuration of an nginx @code{location} block. This type has the following parameters: @table @asis @item @code{uri} URI which this location block matches. @anchor{nginx-location-configuration body} @item @code{body} Body of the location block, specified as a list of strings. This can contain many configuration directives. For example, to pass requests to a upstream server group defined using an @code{nginx-upstream-configuration} block, the following directive would be specified in the body @samp{(list "proxy_pass http://upstream-name;")}. @end table @end deftp @deftp {Data Type} nginx-named-location-configuration Data type representing the configuration of an nginx named location block. Named location blocks are used for request redirection, and not used for regular request processing. This type has the following parameters: @table @asis @item @code{name} Name to identify this location block. @item @code{body} @xref{nginx-location-configuration body}, as the body for named location blocks can be used in a similar way to the @code{nginx-location-configuration body}. One restriction is that the body of a named location block cannot contain location blocks. @end table @end deftp @cindex fastcgi @cindex fcgiwrap FastCGI is an interface between the front-end and the back-end of a web service. It is a somewhat legacy facility; new web services should generally just talk HTTP between the front-end and the back-end. However there are a number of back-end services such as PHP or the optimized HTTP Git repository access that use FastCGI, so we have support for it in Guix. To use FastCGI, you configure the front-end web server (e.g., nginx) to dispatch some subset of its requests to the fastcgi backend, which listens on a local TCP or UNIX socket. There is an intermediary @code{fcgiwrap} program that sits between the actual backend process and the web server. The front-end indicates which backend program to run, passing that information to the @code{fcgiwrap} process. @defvr {Scheme Variable} fcgiwrap-service-type A service type for the @code{fcgiwrap} FastCGI proxy. @end defvr @deftp {Data Type} fcgiwrap-configuration Data type representing the configuration of the @code{fcgiwrap} serice. This type has the following parameters: @table @asis @item @code{package} (default: @code{fcgiwrap}) The fcgiwrap package to use. @item @code{socket} (default: @code{tcp:127.0.0.1:9000}) The socket on which the @code{fcgiwrap} process should listen, as a string. Valid @var{socket} values include @code{unix:@var{/path/to/unix/socket}}, @code{tcp:@var{dot.ted.qu.ad}:@var{port}} and @code{tcp6:[@var{ipv6_addr}]:port}. @item @code{user} (default: @code{fcgiwrap}) @itemx @code{group} (default: @code{fcgiwrap}) The user and group names, as strings, under which to run the @code{fcgiwrap} process. The @code{fastcgi} service will ensure that if the user asks for the specific user or group names @code{fcgiwrap} that the corresponding user and/or group is present on the system. It is possible to configure a FastCGI-backed web service to pass HTTP authentication information from the front-end to the back-end, and to allow @code{fcgiwrap} to run the back-end process as a corresponding local user. To enable this capability on the back-end., run @code{fcgiwrap} as the @code{root} user and group. Note that this capability also has to be configured on the front-end as well. @end table @end deftp @cindex php-fpm PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size. These features include: @itemize @bullet @item Adaptive process spawning @item Basic statistics (similar to Apache's mod_status) @item Advanced process management with graceful stop/start @item Ability to start workers with different uid/gid/chroot/environment and different php.ini (replaces safe_mode) @item Stdout & stderr logging @item Emergency restart in case of accidental opcode cache destruction @item Accelerated upload support @item Support for a "slowlog" @item Enhancements to FastCGI, such as fastcgi_finish_request() - a special function to finish request & flush all data while continuing to do something time-consuming (video converting, stats processing, etc.) @end itemize ... and much more. @defvr {Scheme Variable} php-fpm-service-type A Service type for @code{php-fpm}. @end defvr @deftp {Data Type} php-fpm-configuration Data Type for php-fpm service configuration. @table @asis @item @code{php} (default: @code{php}) The php package to use. @item @code{socket} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")}) The address on which to accept FastCGI requests. Valid syntaxes are: @table @asis @item @code{"ip.add.re.ss:port"} Listen on a TCP socket to a specific address on a specific port. @item @code{"port"} Listen on a TCP socket to all addresses on a specific port. @item @code{"/path/to/unix/socket"} Listen on a unix socket. @end table @item @code{user} (default: @code{php-fpm}) User who will own the php worker processes. @item @code{group} (default: @code{php-fpm}) Group of the worker processes. @item @code{socket-user} (default: @code{php-fpm}) User who can speak to the php-fpm socket. @item @code{socket-group} (default: @code{php-fpm}) Group that can speak to the php-fpm socket. @item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")}) The process id of the php-fpm process is written to this file once the service has started. @item @code{log-file} (default: @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.log")}) Log for the php-fpm master process. @item @code{process-manager} (default: @code{(php-fpm-dynamic-process-manager-configuration)}) Detailed settings for the php-fpm process manager. Must be either: @table @asis @item @code{} @item @code{} @item @code{} @end table @item @code{display-errors} (default @code{#f}) Determines whether php errors and warning should be sent to clients and displayed in their browsers. This is useful for local php development, but a security risk for public sites, as error messages can reveal passwords and personal data. @item @code{workers-logfile} (default @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log")}) This file will log the @code{stderr} outputs of php worker processes. Can be set to @code{#f} to disable logging. @item @code{file} (default @code{#f}) An optional override of the whole configuration. You can use the @code{mixed-text-file} function or an absolute filepath for it. @end table @end deftp @deftp {Data type} php-fpm-dynamic-process-manager-configuration Data Type for the @code{dynamic} php-fpm process manager. With the @code{dynamic} process manager, spare worker processes are kept around based on it's configured limits. @table @asis @item @code{max-children} (default: @code{5}) Maximum of worker processes. @item @code{start-servers} (default: @code{2}) How many worker processes should be started on start-up. @item @code{min-spare-servers} (default: @code{1}) How many spare worker processes should be kept around at minimum. @item @code{max-spare-servers} (default: @code{3}) How many spare worker processes should be kept around at maximum. @end table @end deftp @deftp {Data type} php-fpm-static-process-manager-configuration Data Type for the @code{static} php-fpm process manager. With the @code{static} process manager, an unchanging number of worker processes are created. @table @asis @item @code{max-children} (default: @code{5}) Maximum of worker processes. @end table @end deftp @deftp {Data type} php-fpm-on-demand-process-manager-configuration Data Type for the @code{on-demand} php-fpm process manager. With the @code{on-demand} process manager, worker processes are only created as requests arrive. @table @asis @item @code{max-children} (default: @code{5}) Maximum of worker processes. @item @code{process-idle-timeout} (default: @code{10}) The time in seconds after which a process with no requests is killed. @end table @end deftp @deffn {Scheme Procedure} nginx-php-fpm-location @ [#:nginx-package nginx] @ [socket (string-append "/var/run/php" @ (version-major (package-version php)) @ "-fpm.sock")] A helper function to quickly add php to an @code{nginx-server-configuration}. @end deffn A simple services setup for nginx with php can look like this: @example (services (cons* (dhcp-client-service) (service php-fpm-service-type) (service nginx-service-type (nginx-server-configuration (server-name '("example.com")) (root "/srv/http/") (locations (list (nginx-php-location))) (https-port #f) (ssl-certificate #f) (ssl-certificate-key #f))) %base-services)) @end example @cindex cat-avatar-generator The cat avatar generator is a simple service to demonstrate the use of php-fpm in @code{Nginx}. It is used to generate cat avatar from a seed, for instance the hash of a user's email address. @deffn {Scheme Procedure} cat-avatar-generator-serice @ [#:cache-dir "/var/cache/cat-avatar-generator"] @ [#:package cat-avatar-generator] @ [#:configuration (nginx-server-configuration)] Returns an nginx-server-configuration that inherits @code{configuration}. It extends the nginx configuration to add a server block that serves @code{package}, a version of cat-avatar-generator. During execution, cat-avatar-generator will be able to use @code{cache-dir} as its cache directory. @end deffn A simple setup for cat-avatar-generator can look like this: @example (services (cons* (cat-avatar-generator-service #:configuration (nginx-server-configuration (server-name '("example.com")))) ... %base-services)) @end example @subsubheading Hpcguix-web @cindex hpcguix-web The @uref{hpcguix-web, https://github.com/UMCUGenetics/hpcguix-web/} program is a customizable web interface to browse Guix packages, initially designed for users of high-performance computing (HPC) clusters. @defvr {Variable Scheme} hpcguix-web-service-type The service type for @code{hpcguix-web}. @end defvr @deftp {Type de donnée} hpcguix-web-configuration Data type for the hpcguix-web service configuration. @table @asis @item @code{specs} A gexp (@pxref{G-Expressions}) specifying the hpcguix-web service configuration. The main items available in this spec are: @table @asis @item @code{title-prefix} (par défaut : @code{"hpcguix | "}) Le préfixe du titre des pages. @item @code{guix-command} (par défaut : @code{"guix"}) La commande @command{guix} @item @code{package-filter-proc} (par défaut : @code{(const #t)}) Une procédure qui spécifie comment filtrer les paquets qui seront affichés. @item @code{package-page-extension-procinputs} (par défaut : @code{(const '())}) Extension package for @code{hpcguix-web}. @item @code{menu} (par défaut : @code{'()}) Additional entry in page @code{menu}. @end table See the hpcguix-web repository for a @uref{https://github.com/UMCUGenetics/hpcguix-web/blob/master/hpcweb-configuration.scm, complete example}. @item @code{packages} (par défaut : @code{hpcguix-web}) Le paquet hpcguix-web à utiliser. @end table @end deftp A typical hpcguix-web service declaration looks like this: @example (service hpcguix-web-service-type (hpcguix-web-configuration (specs #~(define site-config (hpcweb-configuration (title-prefix "Guix-HPC - ") (menu '(("/about" "ABOUT")))))))) @end example @node Services de certificats @subsubsection Services de certificats @cindex Web @cindex HTTP, HTTPS @cindex Let's Encrypt @cindex TLS certificates The @code{(gnu services certbot)} module provides a service to automatically obtain a valid TLS certificate from the Let's Encrypt certificate authority. These certificates can then be used to serve content securely over HTTPS or other TLS-based protocols, with the knowledge that the client will be able to verify the server's authenticity. @url{https://letsencrypt.org/, Let's Encrypt} provides the @code{certbot} tool to automate the certification process. This tool first securely generates a key on the server. It then makes a request to the Let's Encrypt certificate authority (CA) to sign the key. The CA checks that the request originates from the host in question by using a challenge-response protocol, requiring the server to provide its response over HTTP. If that protocol completes successfully, the CA signs the key, resulting in a certificate. That certificate is valid for a limited period of time, and therefore to continue to provide TLS services, the server needs to periodically ask the CA to renew its signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the certificate to disk, the automated periodic renewals, and the deployment tasks associated with the renewal (e.g. reloading services, copying keys with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your service a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason. By using this service, you agree to the ACME Subscriber Agreement, which can be found there: @url{https://acme-v01.api.letsencrypt.org/directory}. @defvr {Scheme Variable} certbot-service-type A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example (define %nginx-deploy-hook (program-file "nginx-deploy-hook" #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) (kill pid SIGHUP)))) (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration (domains '("example.net" "www.example.net")) (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example See below for details about @code{certbot-configuration}. @end defvr @deftp {Data Type} certbot-configuration Data type representing the configuration of the @code{certbot} service. This type has the following parameters: @table @asis @item @code{package} (default: @code{certbot}) The certbot package to use. @item @code{webroot} (default: @code{/var/www}) The directory from which to serve the Let's Encrypt challenge/response files. @item @code{certificates} (default: @code{()}) A list of @code{certificates-configuration}s for which to generate certificates and request signatures. Each certificate has a @code{name} and several @code{domains}. @item @code{email} Mandatory email used for registration, recovery contact, and important account notifications. @item @code{rsa-key-size} (default: @code{2048}) Size of the RSA key. @item @code{default-location} (default: @i{see below}) The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able to run a web server. It does so by extending the @code{nginx} web service with an @code{nginx-server-configuration} listening on the @var{domains} on port 80, and which has a @code{nginx-location-configuration} for the @code{/.well-known/} URI path subspace used by Let's Encrypt. @xref{Services web}, for more on these nginx configuration data types. Requests to other URL paths will be matched by the @code{default-location}, which if present is added to all @code{nginx-server-configuration}s. By default, the @code{default-location} will issue a redirect from @code{http://@var{domain}/...} to @code{https://@var{domain}/...}, leaving you to define what to serve on your site via @code{https}. Pass @code{#f} to not issue a default location. @end table @end deftp @deftp {Data Type} certificate-configuration Data type representing the configuration of a certificate. This type has the following parameters: @table @asis @item @code{name} (default: @i{see below}) This name is used by Certbot for housekeeping and in file paths; it doesn't affect the content of the certificate itself. To see certificate names, run @code{certbot certificates}. Its default is the first provided domain. @item @code{domains} (default: @code{()}) The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. @item @code{deploy-hook} (default: @code{#f}) Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. @end table @end deftp For each @code{certificate-configuration}, the certificate is saved to @code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. @node Services DNS @subsubsection Services DNS @cindex DNS (domain name system) @cindex domain name system (DNS) The @code{(gnu services dns)} module provides services related to the @dfn{domain name system} (DNS). It provides a server service for hosting an @emph{authoritative} DNS server for multiple zones, slave or master. This service uses @uref{https://www.knot-dns.cz/, Knot DNS}. And also a caching and forwarding DNS server for the LAN, which uses @uref{http://www.thekelleys.org.uk/dnsmasq/doc.html, dnsmasq}. @subsubheading Service Knot An example configuration of an authoritative server for two zones, one master and one slave, is: @lisp (define-zone-entries example.org.zone ;; Name TTL Class Type Data ("@@" "" "IN" "A" "127.0.0.1") ("@@" "" "IN" "NS" "ns") ("ns" "" "IN" "A" "127.0.0.1")) (define master-zone (knot-zone-configuration (domain "example.org") (zone (zone-file (origin "example.org") (entries example.org.zone))))) (define slave-zone (knot-zone-configuration (domain "plop.org") (dnssec-policy "default") (master (list "plop-master")))) (define plop-master (knot-remote-configuration (id "plop-master") (address (list "208.76.58.171")))) (operating-system ;; ... (services (cons* (service knot-service-type (knot-configuration (remotes (list plop-master)) (zones (list master-zone slave-zone)))) ;; ... %base-services))) @end lisp @deffn {Scheme Variable} knot-service-type This is the type for the Knot DNS server. Knot DNS is an authoritative DNS server, meaning that it can serve multiple zones, that is to say domain names you would buy from a registrar. This server is not a resolver, meaning that it can only resolve names for which it is authoritative. This server can be configured to serve zones as a master server or a slave server as a per-zone basis. Slave zones will get their data from masters, and will serve it as an authoritative server. From the point of view of a resolver, there is no difference between master and slave. The following data types are used to configure the Knot DNS server: @end deffn @deftp {Data Type} knot-key-configuration Data type representing a key. This type has the following parameters: @table @asis @item @code{id} (default: @code{""}) An identifier for other configuration fields to refer to this key. IDs must be unique and must not be empty. @item @code{algorithm} (default: @code{#f}) The algorithm to use. Choose between @code{#f}, @code{'hmac-md5}, @code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-sha384} and @code{'hmac-sha512}. @item @code{secret} (default: @code{""}) The secret key itself. @end table @end deftp @deftp {Data Type} knot-acl-configuration Data type representing an Access Control List (ACL) configuration. This type has the following parameters: @table @asis @item @code{id} (default: @code{""}) An identifier for ether configuration fields to refer to this key. IDs must be unique and must not be empty. @item @code{address} (default: @code{'()}) An ordered list of IP addresses, network subnets, or network ranges represented with strings. The query must match one of them. Empty value means that address match is not required. @item @code{key} (default: @code{'()}) An ordered list of references to keys represented with strings. The string must match a key ID defined in a @code{knot-key-configuration}. No key means that a key is not require to match that ACL. @item @code{action} (default: @code{'()}) An ordered list of actions that are permitted or forbidden by this ACL. Possible values are lists of zero or more elements from @code{'transfer}, @code{'notify} and @code{'update}. @item @code{deny?} (default: @code{#f}) When true, the ACL defines restrictions. Listed actions are forbidden. When false, listed actions are allowed. @end table @end deftp @deftp {Data Type} zone-entry Data type represnting a record entry in a zone file. This type has the following parameters: @table @asis @item @code{name} (default: @code{"@@"}) The name of the record. @code{"@@"} refers to the origin of the zone. Names are relative to the origin of the zone. For example, in the @code{example.org} zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.example.org}. Names ending with a dot are absolute, which means that @code{"ns.example.org."} refers to @code{ns.example.org}. @item @code{ttl} (default: @code{""}) The Time-To-Live (TTL) of this record. If not set, the default TTL is used. @item @code{class} (default: @code{"IN"}) The class of the record. Knot currently supports only @code{"IN"} and partially @code{"CH"}. @item @code{type} (default: @code{"A"}) The type of the record. Common types include A (IPv4 address), AAAA (IPv6 address), NS (Name Server) and MX (Mail eXchange). Many other types are defined. @item @code{data} (default: @code{""}) The data contained in the record. For instance an IP address associated with an A record, or a domain name associated with an NS record. Remember that domain names are relative to the origin unless they end with a dot. @end table @end deftp @deftp {Data Type} zone-file Data type representing the content of a zone file. This type has the following parameters: @table @asis @item @code{entries} (default: @code{'()}) The list of entries. The SOA record is taken care of, so you don't need to put it in the list of entries. This list should probably contain an entry for your primary authoritative DNS server. Other than using a list of entries directly, you can use @code{define-zone-entries} to define a object containing the list of entries more easily, that you can later pass to the @code{entries} field of the @code{zone-file}. @item @code{origin} (default: @code{""}) The name of your zone. This parameter cannot be empty. @item @code{ns} (default: @code{"ns"}) The domain of your primary authoritative DNS server. The name is relative to the origin, unless it ends with a dot. It is mandatory that this primary DNS server corresponds to an NS record in the zone and that it is associated to an IP address in the list of entries. @item @code{mail} (default: @code{"hostmaster"}) An email address people can contact you at, as the owner of the zone. This is translated as @code{@@}. @item @code{serial} (default: @code{1}) The serial number of the zone. As this is used to keep track of changes by both slaves and resolvers, it is mandatory that it @emph{never} decreases. Always increment it when you make a change in your zone. @item @code{refresh} (default: @code{(* 2 24 3600)}) The frequency at which slaves will do a zone transfer. This value is a number of seconds. It can be computed by multiplications or with @code{(string->duration)}. @item @code{retry} (default: @code{(* 15 60)}) The period after which a slave will retry to contact its master when it fails to do so a first time. @item @code{expiry} (default: @code{(* 14 24 3600)}) Default TTL of records. Existing records are considered correct for at most this amount of time. After this period, resolvers will invalidate their cache and check again that it still exists. @item @code{nx} (default: @code{3600}) Default TTL of inexistant records. This delay is usually short because you want your new domains to reach everyone quickly. @end table @end deftp @deftp {Data Type} knot-remote-configuration Data type representing a remote configuration. This type has the following parameters: @table @asis @item @code{id} (default: @code{""}) An identifier for other configuration fields to refer to this remote. IDs must be unique and must not be empty. @item @code{address} (default: @code{'()}) An ordered list of destination IP addresses. Addresses are tried in sequence. An optional port can be given with the @@ separator. For instance: @code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53. @item @code{via} (default: @code{'()}) An ordered list of source IP addresses. An empty list will have Knot choose an appropriate source IP. An optional port can be given with the @@ separator. The default is to choose at random. @item @code{key} (default: @code{#f}) A reference to a key, that is a string containing the identifier of a key defined in a @code{knot-key-configuration} field. @end table @end deftp @deftp {Data Type} knot-keystore-configuration Data type representing a keystore to hold dnssec keys. This type has the following parameters: @table @asis @item @code{id} (default: @code{""}) The id of the keystore. It must not be empty. @item @code{backend} (default: @code{'pem}) The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}. @item @code{config} (default: @code{"/var/lib/knot/keys/keys"}) The configuration string of the backend. An example for the PKCS#11 is: @code{"pkcs11:token=knot;pin-value=1234 /gnu/store/.../lib/pkcs11/libsofthsm2.so"}. For the pem backend, the string reprensents a path in the file system. @end table @end deftp @deftp {Data Type} knot-policy-configuration Data type representing a dnssec policy. Knot DNS is able to automatically sign your zones. It can either generate and manage your keys automatically or use keys that you generate. Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that is used to sign the second, and a Zone Signing Key (ZSK) that is used to sign the zone. In order to be trusted, the KSK needs to be present in the parent zone (usually a top-level domain). If your registrar supports dnssec, you will have to send them your KSK's hash so they can add a DS record in their zone. This is not automated and need to be done each time you change your KSK. The policy also defines the lifetime of keys. Usually, ZSK can be changed easily and use weaker cryptographic functions (they use lower parameters) in order to sign records quickly, so they are changed often. The KSK however requires manual interaction with the registrar, so they are changed less often and use stronger parameters because they sign only one record. This type has the following parameters: @table @asis @item @code{id} (default: @code{""}) The id of the policy. It must not be empty. @item @code{keystore} (default: @code{"default"}) A reference to a keystore, that is a string containing the identifier of a keystore defined in a @code{knot-keystore-configuration} field. The @code{"default"} identifier means the default keystore (a kasp database that was setup by this service). @item @code{manual?} (default: @code{#f}) Whether the key management is manual or automatic. @item @code{single-type-signing?} (default: @code{#f}) When @code{#t}, use the Single-Type Signing Scheme. @item @code{algorithm} (default: @code{"ecdsap256sha256"}) An algorithm of signing keys and issued signatures. @item @code{ksk-size} (default: @code{256}) The length of the KSK. Note that this value is correct for the default algorithm, but would be unsecure for other algorithms. @item @code{zsk-size} (default: @code{256}) The length of the ZSK. Note that this value is correct for the default algorithm, but would be unsecure for other algorithms. @item @code{dnskey-ttl} (default: @code{'default}) The TTL value for DNSKEY records added into zone apex. The special @code{'default} value means same as the zone SOA TTL. @item @code{zsk-lifetime} (default: @code{(* 30 24 3600)}) The period between ZSK publication and the next rollover initiation. @item @code{propagation-delay} (default: @code{(* 24 3600)}) An extra delay added for each key rollover step. This value should be high enough to cover propagation of data from the master server to all slaves. @item @code{rrsig-lifetime} (default: @code{(* 14 24 3600)}) A validity period of newly issued signatures. @item @code{rrsig-refresh} (default: @code{(* 7 24 3600)}) A period how long before a signature expiration the signature will be refreshed. @item @code{nsec3?} (default: @code{#f}) When @code{#t}, NSEC3 will be used instead of NSEC. @item @code{nsec3-iterations} (default: @code{5}) The number of additional times the hashing is performed. @item @code{nsec3-salt-length} (default: @code{8}) The length of a salt field in octets, which is appended to the original owner name before hashing. @item @code{nsec3-salt-lifetime} (default: @code{(* 30 24 3600)}) The validity period of newly issued salt field. @end table @end deftp @deftp {Data Type} knot-zone-configuration Data type representing a zone served by Knot. This type has the following parameters: @table @asis @item @code{domain} (default: @code{""}) The domain served by this configuration. It must not be empty. @item @code{file} (default: @code{""}) The file where this zone is saved. This parameter is ignored by master zones. Empty means default location that depends on the domain name. @item @code{zone} (default: @code{(zone-file)}) The content of the zone file. This parameter is ignored by slave zones. It must contain a zone-file record. @item @code{master} (default: @code{'()}) A list of master remotes. When empty, this zone is a master. When set, this zone is a slave. This is a list of remotes identifiers. @item @code{ddns-master} (default: @code{#f}) The main master. When empty, it defaults to the first master in the list of masters. @item @code{notify} (default: @code{'()}) A list of slave remote identifiers. @item @code{acl} (default: @code{'()}) A list of acl identifiers. @item @code{semantic-checks?} (default: @code{#f}) When set, this adds more semantic checks to the zone. @item @code{disable-any?} (default: @code{#f}) When set, this forbids queries of the ANY type. @item @code{zonefile-sync} (default: @code{0}) The delay between a modification in memory and on disk. 0 means immediate synchronization. @item @code{serial-policy} (default: @code{'increment}) A policy between @code{'increment} and @code{'unixtime}. @end table @end deftp @deftp {Data Type} knot-configuration Data type representing the Knot configuration. This type has the following parameters: @table @asis @item @code{knot} (default: @code{knot}) The Knot package. @item @code{run-directory} (default: @code{"/var/run/knot"}) The run directory. This directory will be used for pid file and sockets. @item @code{listen-v4} (default: @code{"0.0.0.0"}) An ip address on which to listen. @item @code{listen-v6} (default: @code{"::"}) An ip address on which to listen. @item @code{listen-port} (default: @code{53}) A port on which to listen. @item @code{keys} (default: @code{'()}) The list of knot-key-configuration used by this configuration. @item @code{acls} (default: @code{'()}) The list of knot-acl-configuration used by this configuration. @item @code{remotes} (default: @code{'()}) The list of knot-remote-configuration used by this configuration. @item @code{zones} (default: @code{'()}) The list of knot-zone-configuration used by this configuration. @end table @end deftp @subsubheading Services Dnsmasq @deffn {Variable Scheme} dnsmasq-service-type This is the type of the dnsmasq service, whose value should be an @code{dnsmasq-configuration} object as in this example: @example (service dnsmasq-service-type (dnsmasq-configuration (no-resolv? #t) (servers '("192.168.1.1")))) @end example @end deffn @deftp {Type de donnée} dnsmasq-configuration Type de données qui représente la configuration de dnsmasq. @table @asis @item @code{package} (par défaut : @code{dnsmasq}) Package object of the dnsmasq server. @item @code{no-hosts?} (par défaut : @code{#f}) When true, don't read the hostnames in /etc/hosts. @item @code{port} (par défaut : @code{53}) The port to listen on. Setting this to zero completely disables DNS funtion, leaving only DHCP and/or TFTP. @item @code{local-service?} (par défaut : @code{#t}) Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. @item @code{listen-addresses} (par défaut : @code{'()}) Listen on the given IP addresses. @item @code{resolv-file} (par défaut : @code{"/etc/resolv.conf"}) The file to read the IP address of the upstream nameservers from. @item @code{no-resolv?} (par défaut : @code{#f}) When true, don't read @var{resolv-file}. @item @code{servers} (default: @code{'()}) Specify IP address of upstream servers directly. @item @code{cache-size} (par défaut : @code{150}) Set the size of dnsmasq's cache. Setting the cache size to zero disables caching. @item @code{negative-cache?} (par défaut : @code{#t}) When false, disable negative caching. @end table @end deftp @node Services VPN @subsubsection Services VPN @cindex VPN (virtual private network) @cindex virtual private network (VPN) The @code{(gnu services vpn)} module provides services related to @dfn{virtual private networks} (VPNs). It provides a @emph{client} service for your machine to connect to a VPN, and a @emph{servire} service for your machine to host a VPN. Both services use @uref{https://openvpn.net/, OpenVPN}. @deffn {Scheme Procedure} openvpn-client-service @ [#:config (openvpn-client-configuration)] Return a service that runs @command{openvpn}, a VPN daemon, as a client. @end deffn @deffn {Scheme Procedure} openvpn-server-service @ [#:config (openvpn-server-configuration)] Return a service that runs @command{openvpn}, a VPN daemon, as a server. Both can be run simultaneously. @end deffn @c %automatically generated documentation Available @code{openvpn-client-configuration} fields are: @deftypevr {@code{openvpn-client-configuration} parameter} package openvpn The OpenVPN package. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} string pid-file The OpenVPN pid file. Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} proto proto The protocol (UDP or TCP) used to open a channel between clients and servers. Defaults to @samp{udp}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} dev dev The device type used to represent the VPN connection. Defaults to @samp{tun}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} string ca The certificate authority to check connections against. Defaults to @samp{"/etc/openvpn/ca.crt"}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} string cert The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}. Defaults to @samp{"/etc/openvpn/client.crt"}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} string key The key of the machine the daemon is running on. It must be the key whose certificate is @code{cert}. Defaults to @samp{"/etc/openvpn/client.key"}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo? Whether to use the lzo compression algorithm. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key? Don't re-read key files across SIGUSR1 or --ping-restart. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun? Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} number verbosity Verbosity level. Defaults to @samp{3}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage? Whether to check the server certificate has server usage extension. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} bind bind? Bind to a specific local port number. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry? Retry resolving server address. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote A list of remote servers to connect to. Defaults to @samp{()}. Available @code{openvpn-remote-configuration} fields are: @deftypevr {@code{openvpn-remote-configuration} parameter} string name Server name. Defaults to @samp{"my-server"}. @end deftypevr @deftypevr {@code{openvpn-remote-configuration} parameter} number port Port number the server listens to. Defaults to @samp{1194}. @end deftypevr @end deftypevr @c %end of automatic openvpn-client documentation @c %automatically generated documentation Available @code{openvpn-server-configuration} fields are: @deftypevr {@code{openvpn-server-configuration} parameter} package openvpn The OpenVPN package. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string pid-file The OpenVPN pid file. Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} proto proto The protocol (UDP or TCP) used to open a channel between clients and servers. Defaults to @samp{udp}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} dev dev The device type used to represent the VPN connection. Defaults to @samp{tun}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string ca The certificate authority to check connections against. Defaults to @samp{"/etc/openvpn/ca.crt"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string cert The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}. Defaults to @samp{"/etc/openvpn/client.crt"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string key The key of the machine the daemon is running on. It must be the key whose certificate is @code{cert}. Defaults to @samp{"/etc/openvpn/client.key"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo? Whether to use the lzo compression algorithm. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key? Don't re-read key files across SIGUSR1 or --ping-restart. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun? Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} number verbosity Verbosity level. Defaults to @samp{3}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} number port Specifies the port number on which the server listens. Defaults to @samp{1194}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server An ip and mask specifying the subnet inside the virtual network. Defaults to @samp{"10.8.0.0 255.255.255.0"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6 A CIDR notation specifying the IPv6 subnet inside the virtual network. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string dh The Diffie-Hellman parameters file. Defaults to @samp{"/etc/openvpn/dh2048.pem"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist The file that records client IPs. Defaults to @samp{"/etc/openvpn/ipp.txt"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway? When true, the server will act as a gateway for its clients. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client? When true, clients are allowed to talk to each other inside the VPN. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive Causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. @code{keepalive} requires a pair. The first element is the period of the ping sending, and the second element is the timeout before considering the other side down. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} number max-clients The maximum number of clients. Defaults to @samp{100}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} string status The status file. This file shows a small report on current connection. It is truncated and rewritten every minute. Defaults to @samp{"/var/run/openvpn/status"}. @end deftypevr @deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir The list of configuration for some clients. Defaults to @samp{()}. Available @code{openvpn-ccd-configuration} fields are: @deftypevr {@code{openvpn-ccd-configuration} parameter} string name Client name. Defaults to @samp{"client"}. @end deftypevr @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute Client own network Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push Client VPN IP. Defaults to @samp{#f}. @end deftypevr @end deftypevr @c %end of automatic openvpn-server documentation @node Système de fichiers en réseau @subsubsection Système de fichiers en réseau @cindex NFS The @code{(gnu services nfs)} module provides the following services, which are most commonly used in relation to mounting or exporting directory trees as @dfn{network file systems} (NFS). @subsubheading RPC Bind Service @cindex rpcbind The RPC Bind service provides a facility to map program numbers into universal addresses. Many NFS related services use this facility. Hence it is automatically started when a dependent service starts. @defvr {Scheme Variable} rpcbind-service-type A service type for the RPC portmapper daemon. @end defvr @deftp {Data Type} rpcbind-configuration Data type representing the configuration of the RPC Bind Service. This type has the following parameters: @table @asis @item @code{rpcbind} (default: @code{rpcbind}) The rpcbind package to use. @item @code{warm-start?} (default: @code{#t}) If this parameter is @code{#t}, then the daemon will read a state file on startup thus reloading state information saved by a previous instance. @end table @end deftp @subsubheading Pipefs Pseudo File System @cindex pipefs @cindex rpc_pipefs The pipefs file system is used to transfer NFS related data between the kernel and user space programs. @defvr {Scheme Variable} pipefs-service-type A service type for the pipefs pseudo file system. @end defvr @deftp {Data Type} pipefs-configuration Data type representing the configuration of the pipefs pseudo file system service. This type has the following parameters: @table @asis @item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"}) The directory to which the file system is to be attached. @end table @end deftp @subsubheading GSS Daemon Service @cindex GSSD @cindex GSS @cindex global security system The @dfn{global security system} (GSS) daemon provides strong security for RPC based protocols. Before exchanging RPC requests an RPC client must establish a security context. Typically this is done using the Kerberos command @command{kinit} or automatically at login time using PAM services (@pxref{Services Kerberos}). @defvr {Scheme Variable} gss-service-type A service type for the Global Security System (GSS) daemon. @end defvr @deftp {Data Type} gss-configuration Data type representing the configuration of the GSS daemon service. This type has the following parameters: @table @asis @item @code{nfs-utils} (default: @code{nfs-utils}) The package in which the @command{rpc.gssd} command is to be found. @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"}) The directory where the pipefs file system is mounted. @end table @end deftp @subsubheading IDMAP Daemon Service @cindex idmapd @cindex name mapper The idmap daemon service provides mapping between user IDs and user names. Typically it is required in order to access file systems mounted via NFSv4. @defvr {Scheme Variable} idmap-service-type A service type for the Identity Mapper (IDMAP) daemon. @end defvr @deftp {Data Type} idmap-configuration Data type representing the configuration of the IDMAP daemon service. This type has the following parameters: @table @asis @item @code{nfs-utils} (default: @code{nfs-utils}) The package in which the @command{rpc.idmapd} command is to be found. @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"}) The directory where the pipefs file system is mounted. @item @code{domain} (default: @code{#f}) The local NFSv4 domain name. This must be a string or @code{#f}. If it is @code{#f} then the daemon will use the host's fully qualified domain name. @end table @end deftp @node Intégration continue @subsubsection Intégration continue @cindex continuous integration @uref{https://notabug.org/mthl/cuirass, Cuirass} est un outil d'intégration continue pour Guix. On peut l'utiliser aussi bien pour le développement que pour fournir des substituts à d'autres (@pxref{Substituts}). The @code{(gnu services cuirass)} module provides the following service. @defvr {Scheme Procedure} cuirass-service-type The type of the Cuirass service. Its value must be a @code{cuirass-configuration} object, as described below. @end defvr To add build jobs, you have to set the @code{specifications} field of the configuration. Here is an example of a service defining a build job based on a specification that can be found in Cuirass source tree. This service polls the Guix repository and builds a subset of the Guix packages, as prescribed in the @file{gnu-system.scm} example spec: @example (let ((spec #~((#:name . "guix") (#:url . "git://git.savannah.gnu.org/guix.git") (#:load-path . ".") (#:file . "build-aux/cuirass/gnu-system.scm") (#:proc . cuirass-jobs) (#:arguments (subset . "hello")) (#:branch . "master")))) (service cuirass-service-type (cuirass-configuration (specifications #~(list '#$spec))))) @end example While information related to build jobs is located directly in the specifications, global settings for the @command{cuirass} process are accessible in other @code{cuirass-configuration} fields. @deftp {Data Type} cuirass-configuration Data type representing the configuration of Cuirass. @table @asis @item @code{log-file} (default: @code{"/var/log/cuirass.log"}) Location of the log file. @item @code{cache-directory} (default: @code{"/var/cache/cuirass"}) Location of the repository cache. @item @code{user} (default: @code{"cuirass"}) Owner of the @code{cuirass} process. @item @code{group} (default: @code{"cuirass"}) Owner's group of the @code{cuirass} process. @item @code{interval} (default: @code{60}) Number of seconds between the poll of the repositories followed by the Cuirass jobs. @item @code{database} (default: @code{"/var/run/cuirass/cuirass.db"}) Location of sqlite database which contains the build results and previously added specifications. @item @code{port} (default: @code{8081}) Port number used by the HTTP server. @item --listen=@var{host} Listen on the network interface for @var{host}. The default is to accept connections from localhost. @item @code{specifications} (default: @code{#~'()}) A gexp (@pxref{G-Expressions}) that evaluates to a list of specifications, where a specification is an association list (@pxref{Associations Lists,,, guile, GNU Guile Reference Manual}) whose keys are keywords (@code{#:keyword-example}) as shown in the example above. @item @code{use-substitutes?} (default: @code{#f}) This allows using substitutes to avoid building every dependencies of a job from source. @item @code{one-shot?} (default: @code{#f}) Only evaluate specifications and build derivations once. @item @code{fallback?} (default: @code{#f}) When substituting a pre-built binary fails, fall back to building packages locally. @item @code{load-path} (default: @code{'()}) This allows users to define their own packages and make them visible to cuirass as in @command{guix build} command. @item @code{cuirass} (default: @code{cuirass}) The Cuirass package to use. @end table @end deftp @node Services de gestion de l'énergie @subsubsection Services de gestion de l'énergie @cindex power management with TLP The @code{(gnu services pm)} module provides a Guix service definition for the Linux power management tool TLP. TLP enables various powersaving modes in userspace and kernel. Contrary to @code{upower-service}, it is not a passive, monitoring tool, as it will apply custom settings each time a new power source is detected. More information can be found at @uref{http://linrunner.de/en/tlp/tlp.html, TLP home page}. @deffn {Scheme Variable} tlp-service-type The service type for the TLP tool. Its value should be a valid TLP configuration (see below). To use the default settings, simply write: @example (service tlp-service-type) @end example @end deffn By default TLP does not need much configuration but most TLP parameters can be tweaked using @code{tlp-configuration}. Each parameter definition is preceded by its type; for example, @samp{boolean foo} indicates that the @code{foo} parameter should be specified as a boolean. Types starting with @code{maybe-} denote parameters that won't show up in TLP config file when their value is @code{'disabled}. @c The following documentation was initially generated by @c (generate-tlp-documentation) in (gnu services pm). Manually maintained @c documentation is better, so we shouldn't hesitate to edit below as @c needed. However if the change you want to make to this documentation @c can be done in an automated way, it's probably easier to change @c (generate-documentation) than to make it below and have to deal with @c the churn as TLP updates. Available @code{tlp-configuration} fields are: @deftypevr {@code{tlp-configuration} parameter} package tlp The TLP package. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean tlp-enable? Set to true if you wish to enable TLP. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string tlp-default-mode Default mode when no power supply can be detected. Alternatives are AC and BAT. Defaults to @samp{"AC"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-ac Number of seconds Linux kernel has to wait after the disk goes idle, before syncing on AC. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer disk-idle-secs-on-bat Same as @code{disk-idle-ac} but on BAT mode. Defaults to @samp{2}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-ac Dirty pages flushing periodicity, expressed in seconds. Defaults to @samp{15}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer max-lost-work-secs-on-bat Same as @code{max-lost-work-secs-on-ac} but on BAT mode. Defaults to @samp{60}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-ac CPU frequency scaling governor on AC mode. With intel_pstate driver, alternatives are powersave and performance. With acpi-cpufreq driver, alternatives are ondemand, powersave, performance and conservative. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list cpu-scaling-governor-on-bat Same as @code{cpu-scaling-governor-on-ac} but on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-ac Set the min available frequency for the scaling governor on AC. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-ac Set the max available frequency for the scaling governor on AC. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-min-freq-on-bat Set the min available frequency for the scaling governor on BAT. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-scaling-max-freq-on-bat Set the max available frequency for the scaling governor on BAT. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-ac Limit the min P-state to control the power dissipation of the CPU, in AC mode. Values are stated as a percentage of the available performance. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-ac Limit the max P-state to control the power dissipation of the CPU, in AC mode. Values are stated as a percentage of the available performance. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-min-perf-on-bat Same as @code{cpu-min-perf-on-ac} on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-non-negative-integer cpu-max-perf-on-bat Same as @code{cpu-max-perf-on-ac} on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-ac? Enable CPU turbo boost feature on AC mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-boolean cpu-boost-on-bat? Same as @code{cpu-boost-on-ac?} on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-ac? Allow Linux kernel to minimize the number of CPU cores/hyper-threads used under light load conditions. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean sched-powersave-on-bat? Same as @code{sched-powersave-on-ac?} but on BAT mode. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean nmi-watchdog? Enable Linux kernel NMI watchdog. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-string phc-controls For Linux kernels with PHC patch applied, change CPU voltages. An example value would be @samp{"F:V F:V F:V F:V"}. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-ac Set CPU performance versus energy saving policy on AC. Alternatives are performance, normal, powersave. Defaults to @samp{"performance"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string energy-perf-policy-on-bat Same as @code{energy-perf-policy-ac} but on BAT mode. Defaults to @samp{"powersave"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disks-devices Hard disk devices. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-ac Hard disk advanced power management level. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list disk-apm-level-on-bat Same as @code{disk-apm-bat} but on BAT mode. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-ac Hard disk spin down timeout. One value has to be specified for each declared hard disk. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-spindown-timeout-on-bat Same as @code{disk-spindown-timeout-on-ac} but on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list disk-iosched Select IO scheduler for disk devices. One value has to be specified for each declared hard disk. Example alternatives are cfq, deadline and noop. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-ac SATA aggressive link power management (ALPM) level. Alternatives are min_power, medium_power, max_performance. Defaults to @samp{"max_performance"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string sata-linkpwr-on-bat Same as @code{sata-linkpwr-ac} but on BAT mode. Defaults to @samp{"min_power"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-string sata-linkpwr-blacklist Exclude specified SATA host devices for link power management. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-ac? Enable Runtime Power Management for AHCI controller and disks on AC mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-on-off-boolean ahci-runtime-pm-on-bat? Same as @code{ahci-runtime-pm-on-ac} on BAT mode. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer ahci-runtime-pm-timeout Seconds of inactivity before disk is suspended. Defaults to @samp{15}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-ac PCI Express Active State Power Management level. Alternatives are default, performance, powersave. Defaults to @samp{"performance"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string pcie-aspm-on-bat Same as @code{pcie-aspm-ac} but on BAT mode. Defaults to @samp{"powersave"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-ac Radeon graphics clock speed level. Alternatives are low, mid, high, auto, default. Defaults to @samp{"high"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-power-profile-on-bat Same as @code{radeon-power-ac} but on BAT mode. Defaults to @samp{"low"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-ac Radeon dynamic power management method (DPM). Alternatives are battery, performance. Defaults to @samp{"performance"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-state-on-bat Same as @code{radeon-dpm-state-ac} but on BAT mode. Defaults to @samp{"battery"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-ac Radeon DPM performance level. Alternatives are auto, low, high. Defaults to @samp{"auto"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string radeon-dpm-perf-level-on-bat Same as @code{radeon-dpm-perf-ac} but on BAT mode. Defaults to @samp{"auto"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-ac? Wifi power saving mode. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} on-off-boolean wifi-pwr-on-bat? Same as @code{wifi-power-ac?} but on BAT mode. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} y-n-boolean wol-disable? Disable wake on LAN. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-ac Timeout duration in seconds before activating audio power saving on Intel HDA and AC97 devices. A value of 0 disables power saving. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} non-negative-integer sound-power-save-on-bat Same as @code{sound-powersave-ac} but on BAT mode. Defaults to @samp{1}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} y-n-boolean sound-power-save-controller? Disable controller in powersaving mode on Intel HDA devices. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean bay-poweroff-on-bat? Enable optical drive in UltraBay/MediaBay on BAT mode. Drive can be powered on again by releasing (and reinserting) the eject lever or by pressing the disc eject button on newer models. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string bay-device Name of the optical drive device to power off. Defaults to @samp{"sr0"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-ac Runtime Power Management for PCI(e) bus devices. Alternatives are on and auto. Defaults to @samp{"on"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} string runtime-pm-on-bat Same as @code{runtime-pm-ac} but on BAT mode. Defaults to @samp{"auto"}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean runtime-pm-all? Runtime Power Management for all PCI(e) bus devices, except blacklisted ones. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-space-separated-string-list runtime-pm-blacklist Exclude specified PCI(e) device addresses from Runtime Power Management. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} space-separated-string-list runtime-pm-driver-blacklist Exclude PCI(e) devices assigned to the specified drivers from Runtime Power Management. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean usb-autosuspend? Enable USB autosuspend feature. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-blacklist Exclude specified devices from USB autosuspend. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean usb-blacklist-wwan? Exclude WWAN devices from USB autosuspend. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-string usb-whitelist Include specified devices into USB autosuspend, even if they are already excluded by the driver or via @code{usb-blacklist-wwan?}. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} maybe-boolean usb-autosuspend-disable-on-shutdown? Enable USB autosuspend before shutdown. Defaults to @samp{disabled}. @end deftypevr @deftypevr {@code{tlp-configuration} parameter} boolean restore-device-state-on-startup? Restore radio device state (bluetooth, wifi, wwan) from previous shutdown on system startup. Defaults to @samp{#f}. @end deftypevr The @code{(gnu services pm)} module provides an interface to thermald, a CPU frequency scaling service which helps prevent overheating. @defvr {Scheme Variable} thermald-service-type This is the service type for @uref{https://01.org/linux-thermal-daemon/, thermald}, the Linux Thermal Daemon, which is responsible for controlling the thermal state of processors and preventing overheating. @end defvr @deftp {Data Type} thermald-configuration Data type representing the configuration of @code{thermald-service-type}. @table @asis @item @code{ignore-cpuid-check?} (default: @code{#f}) Ignore cpuid check for supported CPU models. @item @code{thermald} (default: @var{thermald}) Package object of thermald. @end table @end deftp @node Services audio @subsubsection Services audio The @code{(gnu services audio)} module provides a service to start MPD (the Music Player Daemon). @cindex mpd @subsubheading Music Player Daemon The Music Player Daemon (MPD) is a service that can play music while being controlled from the local machine or over the network by a variety of clients. The following example shows how one might run @code{mpd} as user @code{"bob"} on port @code{6666}. It uses pulseaudio for output. @example (service mpd-service-type (mpd-configuration (user "bob") (port "6666"))) @end example @defvr {Scheme Variable} mpd-service-type The service type for @command{mpd} @end defvr @deftp {Data Type} mpd-configuration Data type representing the configuration of @command{mpd}. @table @asis @item @code{user} (default: @code{"mpd"}) The user to run mpd as. @item @code{music-dir} (default: @code{"~/Music"}) The directory to scan for music files. @item @code{playlist-dir} (default: @code{"~/.mpd/playlists"}) The directory to store playlists. @item @code{port} (default: @code{"6600"}) The port to run mpd on. @item @code{address} (default: @code{"any"}) The address that mpd will bind to. To use a Unix domain socket, an absolute path can be specified here. @end table @end deftp @node Services de virtualisation @subsubsection Virtualization services The @code{(gnu services virtualization)} module provides services for the libvirt and virtlog daemons, as well as other virtualization-related services. @subsubheading Libvirt daemon @code{libvirtd} is the server side daemon component of the libvirt virtualization management system. This daemon runs on host servers and performs required management tasks for virtualized guests. @deffn {Scheme Variable} libvirt-service-type This is the type of the @uref{https://libvirt.org, libvirt daemon}. Its value must be a @code{libvirt-configuration}. @example (service libvirt-service-type (libvirt-configuration (unix-sock-group "libvirt") (tls-port "16555"))) @end example @end deffn @c Auto-generated with (generate-libvirt-documentation) Available @code{libvirt-configuration} fields are: @deftypevr {@code{libvirt-configuration} parameter} package libvirt Libvirt package. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tls? Flag listening for secure TLS connections on the public TCP/IP port. must set @code{listen} for this to have any effect. It is necessary to setup a CA and issue server certificates before using this capability. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean listen-tcp? Listen for unencrypted TCP connections on the public TCP/IP port. must set @code{listen} for this to have any effect. Using the TCP socket requires SASL authentication by default. Only SASL mechanisms which support data encryption are allowed. This is DIGEST_MD5 and GSSAPI (Kerberos5) Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string tls-port Port for accepting secure TLS connections This can be a port number, or service name Defaults to @samp{"16514"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string tcp-port Port for accepting insecure TCP connections This can be a port number, or service name Defaults to @samp{"16509"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string listen-addr IP address or hostname used for client connections. Defaults to @samp{"0.0.0.0"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean mdns-adv? Flag toggling mDNS advertisement of the libvirt service. Alternatively can disable for all services on a host by stopping the Avahi daemon. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string mdns-name Default mDNS advertisement name. This must be unique on the immediate broadcast network. Defaults to @samp{"Virtualization Host "}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-group UNIX domain socket group ownership. This can be used to allow a 'trusted' set of users access to management capabilities without becoming root. Defaults to @samp{"root"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-ro-perms UNIX socket permissions for the R/O socket. This is used for monitoring VM status only. Defaults to @samp{"0777"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-rw-perms UNIX socket permissions for the R/W socket. Default allows only root. If PolicyKit is enabled on the socket, the default will change to allow everyone (eg, 0777) Defaults to @samp{"0770"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-admin-perms UNIX socket permissions for the admin socket. Default allows only owner (root), do not change it unless you are sure to whom you are exposing the access to. Defaults to @samp{"0777"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string unix-sock-dir The directory in which sockets will be found/created. Defaults to @samp{"/var/run/libvirt"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-ro Authentication scheme for UNIX read-only sockets. By default socket permissions allow anyone to connect Defaults to @samp{"polkit"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string auth-unix-rw Authentication scheme for UNIX read-write sockets. By default socket permissions only allow root. If PolicyKit support was compiled into libvirt, the default will be to use 'polkit' auth. Defaults to @samp{"polkit"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string auth-tcp Authentication scheme for TCP sockets. If you don't enable SASL, then all TCP traffic is cleartext. Don't do this outside of a dev/test scenario. Defaults to @samp{"sasl"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string auth-tls Authentication scheme for TLS sockets. TLS sockets already have encryption provided by the TLS layer, and limited authentication is done by certificates. It is possible to make use of any SASL authentication mechanism as well, by using 'sasl' for this option Defaults to @samp{"none"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} optional-list access-drivers API access control scheme. By default an authenticated user is allowed access to all APIs. Access drivers can place restrictions on this. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string key-file Server key file path. If set to an empty string, then no private key is loaded. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string cert-file Server key file path. If set to an empty string, then no certificate is loaded. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string ca-file Server key file path. If set to an empty string, then no CA certificate is loaded. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string crl-file Certificate revocation list path. If set to an empty string, then no CRL is loaded. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-sanity-cert Disable verification of our own server certificates. When libvirtd starts it performs some sanity checks against its own certificates. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-verify-cert Disable verification of client certificates. Client certificate verification is the primary authentication mechanism. Any client which does not present a certificate signed by the CA will be rejected. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} optional-list tls-allowed-dn-list Whitelist of allowed x509 Distinguished Name. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} optional-list sasl-allowed-usernames Whitelist of allowed SASL usernames. The format for username depends on the SASL authentication mechanism. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string tls-priority Override the compile time default TLS priority string. The default is usually "NORMAL" unless overridden at build time. Only set this is it is desired for libvirt to deviate from the global default settings. Defaults to @samp{"NORMAL"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-clients Maximum number of concurrent client connections to allow over all sockets combined. Defaults to @samp{5000}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-queued-clients Maximum length of queue of connections waiting to be accepted by the daemon. Note, that some protocols supporting retransmission may obey this so that a later reattempt at connection succeeds. Defaults to @samp{1000}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-anonymous-clients Maximum length of queue of accepted but not yet authenticated clients. Set this to zero to turn this feature off Defaults to @samp{20}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer min-workers Number of workers to start up initially. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-workers Maximum number of worker threads. If the number of active clients exceeds @code{min-workers}, then more threads are spawned, up to max_workers limit. Typically you'd want max_workers to equal maximum number of clients allowed. Defaults to @samp{20}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer prio-workers Number of priority workers. If all workers from above pool are stuck, some calls marked as high priority (notably domainDestroy) can be executed in this pool. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-requests Total global limit on concurrent RPC calls. Defaults to @samp{20}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer max-client-requests Limit on concurrent requests from a single client connection. To avoid one client monopolizing the server this should be a small fraction of the global max_requests and max_workers parameter. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-min-workers Same as @code{min-workers} but for the admin interface. Defaults to @samp{1}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-workers Same as @code{max-workers} but for the admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-clients Same as @code{max-clients} but for the admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-queued-clients Same as @code{max-queued-clients} but for the admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-max-client-requests Same as @code{max-client-requests} but for the admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer log-level Logging level. 4 errors, 3 warnings, 2 information, 1 debug. Defaults to @samp{3}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string log-filters Logging filters. A filter allows to select a different logging level for a given category of logs The format for a filter is one of: @itemize @bullet @item x:name @item x:+name @end itemize where @code{name} is a string which is matched against the category given in the @code{VIR_LOG_INIT()} at the top of each libvirt source file, e.g., "remote", "qemu", or "util.json" (the name in the filter can be a substring of the full category name, in order to match multiple similar categories), the optional "+" prefix tells libvirt to log stack trace for each message matching name, and @code{x} is the minimal level where matching messages should be logged: @itemize @bullet @item 1: DEBUG @item 2: INFO @item 3: WARNING @item 4: ERROR @end itemize Multiple filters can be defined in a single filters statement, they just need to be separated by spaces. Defaults to @samp{"3:remote 4:event"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string log-outputs Logging outputs. An output is one of the places to save logging information The format for an output can be: @table @code @item x:stderr output goes to stderr @item x:syslog:name use syslog for the output and use the given name as the ident @item x:file:file_path output to a file, with the given filepath @item x:journald output to journald logging system @end table In all case the x prefix is the minimal level, acting as a filter @itemize @bullet @item 1: DEBUG @item 2: INFO @item 3: WARNING @item 4: ERROR @end itemize Multiple outputs can be defined, they just need to be separated by spaces. Defaults to @samp{"3:stderr"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer audit-level Allows usage of the auditing subsystem to be altered @itemize @bullet @item 0: disable all auditing @item 1: enable auditing, only if enabled on host @item 2: enable auditing, and exit if disabled on host. @end itemize Defaults to @samp{1}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} boolean audit-logging Send audit messages via libvirt logging infrastructure. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} optional-string host-uuid Host UUID. UUID must not have all digits be the same. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} string host-uuid-source Source to read host UUID. @itemize @bullet @item @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid} @item @code{machine-id}: fetch the UUID from @code{/etc/machine-id} @end itemize If @code{dmidecode} does not provide a valid UUID a temporary UUID will be generated. Defaults to @samp{"smbios"}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-interval A keepalive message is sent to a client after @code{keepalive_interval} seconds of inactivity to check if the client is still responding. If set to -1, libvirtd will never send keepalive requests; however clients can still send them and the daemon will send responses. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer keepalive-count Maximum number of keepalive messages that are allowed to be sent to the client without getting any response before the connection is considered broken. In other words, the connection is automatically closed approximately after @code{keepalive_interval * (keepalive_count + 1)} seconds since the last message received from the client. When @code{keepalive-count} is set to 0, connections will be automatically closed after @code{keepalive-interval} seconds of inactivity without sending any keepalive messages. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-interval Same as above but for admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-count Same as above but for admin interface. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{libvirt-configuration} parameter} integer ovs-timeout Timeout for Open vSwitch calls. The @code{ovs-vsctl} utility is used for the configuration and its timeout option is set by default to 5 seconds to avoid potential infinite waits blocking libvirt. Defaults to @samp{5}. @end deftypevr @c %end of autogenerated docs @subsubheading Virtlog daemon The virtlogd service is a server side daemon component of libvirt that is used to manage logs from virtual machine consoles. This daemon is not used directly by libvirt client applications, rather it is called on their behalf by @code{libvirtd}. By maintaining the logs in a standalone daemon, the main @code{libvirtd} daemon can be restarted without risk of losing logs. The @code{virtlogd} daemon has the ability to re-exec() itself upon receiving @code{SIGUSR1}, to allow live upgrades without downtime. @deffn {Scheme Variable} virtlog-service-type This is the type of the virtlog daemon. Its value must be a @code{virtlog-configuration}. @example (service virtlog-service-type (virtlog-configuration (max-clients 1000))) @end example @end deffn @deftypevr {@code{virtlog-configuration} parameter} integer log-level Logging level. 4 errors, 3 warnings, 2 information, 1 debug. Defaults to @samp{3}. @end deftypevr @deftypevr {@code{virtlog-configuration} parameter} string log-filters Logging filters. A filter allows to select a different logging level for a given category of logs The format for a filter is one of: @itemize @bullet @item x:name @item x:+name @end itemize where @code{name} is a string which is matched against the category given in the @code{VIR_LOG_INIT()} at the top of each libvirt source file, e.g., "remote", "qemu", or "util.json" (the name in the filter can be a substring of the full category name, in order to match multiple similar categories), the optional "+" prefix tells libvirt to log stack trace for each message matching name, and @code{x} is the minimal level where matching messages should be logged: @itemize @bullet @item 1: DEBUG @item 2: INFO @item 3: WARNING @item 4: ERROR @end itemize Multiple filters can be defined in a single filters statement, they just need to be separated by spaces. Defaults to @samp{"3:remote 4:event"}. @end deftypevr @deftypevr {@code{virtlog-configuration} parameter} string log-outputs Logging outputs. An output is one of the places to save logging information The format for an output can be: @table @code @item x:stderr output goes to stderr @item x:syslog:name use syslog for the output and use the given name as the ident @item x:file:file_path output to a file, with the given filepath @item x:journald output to journald logging system @end table In all case the x prefix is the minimal level, acting as a filter @itemize @bullet @item 1: DEBUG @item 2: INFO @item 3: WARNING @item 4: ERROR @end itemize Multiple outputs can be defined, they just need to be separated by spaces. Defaults to @samp{"3:stderr"}. @end deftypevr @deftypevr {@code{virtlog-configuration} parameter} integer max-clients Maximum number of concurrent client connections to allow over all sockets combined. Defaults to @samp{1024}. @end deftypevr @deftypevr {@code{virtlog-configuration} parameter} integer max-size Maximum file size before rolling over. Defaults to @samp{2MB} @end deftypevr @deftypevr {@code{virtlog-configuration} parameter} integer max-backups Maximum number of backup files to keep. Defaults to @samp{3} @end deftypevr @subsubheading Transparent Emulation with QEMU @cindex emulation @cindex @code{binfmt_misc} @code{qemu-binfmt-service-type} provides support for transparent emulation of program binaries built for different architectures---e.g., it allows you to transparently execute an ARMv7 program on an x86_64 machine. It achieves this by combining the @uref{https://www.qemu.org, QEMU} emulator and the @code{binfmt_misc} feature of the kernel Linux. @defvr {Scheme Variable} qemu-binfmt-service-type This is the type of the QEMU/binfmt service for transparent emulation. Its value must be a @code{qemu-binfmt-configuration} object, which specifies the QEMU package to use as well as the architecture we want to emulated: @example (service qemu-binfmt-service-type (qemu-binfmt-configuration (platforms (lookup-qemu-platforms "arm" "aarch64" "ppc")))) @end example In this example, we enable transparent emulation for the ARM and aarch64 platforms. Running @code{herd stop qemu-binfmt} turns it off, and running @code{herd start qemu-binfmt} turns it back on (@pxref{Invoking herd, the @command{herd} command,, shepherd, The GNU Shepherd Manual}). @end defvr @deftp {Data Type} qemu-binfmt-configuration This is the configuration for the @code{qemu-binfmt} service. @table @asis @item @code{platforms} (default: @code{'()}) The list of emulated QEMU platforms. Each item must be a @dfn{platform object} as returned by @code{lookup-qemu-platforms} (see below). @item @code{guix-support?} (default: @code{#f}) When it is true, QEMU and all its dependencies are added to the build environment of @command{guix-daemon} (@pxref{Invoquer guix-daemon, @code{--chroot-directory} option}). This allows the @code{binfmt_misc} handlers to be used within the build environment, which in turn means that you can transparently build programs for another architecture. For example, let's suppose you're on an x86_64 machine and you have this service: @example (service qemu-binfmt-service-type (qemu-binfmt-configuration (platforms (lookup-qemu-platforms "arm")) (guix-support? #t))) @end example You can run: @example guix build -s armhf-linux inkscape @end example @noindent and it will build Inkscape for ARMv7 @emph{as if it were a native build}, transparently using QEMU to emulate the ARMv7 CPU. Pretty handy if you'd like to test a package build for an architecture you don't have access to! @item @code{qemu} (default: @code{qemu}) The QEMU package to use. @end table @end deftp @deffn {Scheme Procedure} lookup-qemu-platforms @var{platforms}@dots{} Return the list of QEMU platform objects corresponding to @var{platforms}@dots{}. @var{platforms} must be a list of strings corresponding to platform names, such as @code{"arm"}, @code{"sparc"}, @code{"mips64el"}, and so on. @end deffn @deffn {Scheme Procedure} qemu-platform? @var{obj} Return true if @var{obj} is a platform object. @end deffn @deffn {Scheme Procedure} qemu-platform-name @var{platform} Return the name of @var{platform}---a string such as @code{"arm"}. @end deffn @node Services de contrôle de version @subsubsection Services de contrôle de version The @code{(gnu services version-control)} module provides a service to allow remote access to local Git repositories. There are three options: the @code{git-daemon-service}, which provides access to repositories via the @code{git://} unsecured TCP-based protocol, extending the @code{nginx} web server to proxy some requests to @code{git-http-backend}, or providing a web interface with @code{cgit-service-type}. @deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)] Return a service that runs @command{git daemon}, a simple TCP server to expose repositories over the Git protocol for anonymous access. The optional @var{config} argument should be a @code{} object, by default it allows read-only access to exported@footnote{By creating the magic file "git-daemon-export-ok" in the repository directory.} repositories under @file{/srv/git}. @end deffn @deftp {Data Type} git-daemon-configuration Data type representing the configuration for @code{git-daemon-service}. @table @asis @item @code{package} (default: @var{git}) Package object of the Git distributed version control system. @item @code{export-all?} (default: @var{#f}) Whether to allow access for all Git repositories, even if they do not have the @file{git-daemon-export-ok} file. @item @code{base-path} (default: @file{/srv/git}) Whether to remap all the path requests as relative to the given path. If you run git daemon with @var{(base-path "/srv/git")} on example.com, then if you later try to pull @code{git://example.com/hello.git}, git daemon will interpret the path as @code{/srv/git/hello.git}. @item @code{user-path} (default: @var{#f}) Whether to allow @code{~user} notation to be used in requests. When specified with empty string, requests to @code{git://host/~alice/foo} is taken as a request to access @code{foo} repository in the home directory of user @code{alice}. If @var{(user-path "path")} is specified, the same request is taken as a request to access @code{path/foo} repository in the home directory of user @code{alice}. @item @code{listen} (default: @var{'()}) Whether to listen on specific IP addresses or hostnames, defaults to all. @item @code{port} (default: @var{#f}) Whether to listen on an alternative port, which defaults to 9418. @item @code{whitelist} (default: @var{'()}) If not empty, only allow access to this list of directories. @item @code{extra-options} (default: @var{'()}) Extra options will be passed to @code{git daemon}, please run @command{man git-daemon} for more information. @end table @end deftp The @code{git://} protocol lacks authentication. When you pull from a repository fetched via @code{git://}, you don't know that the data you receive was modified is really coming from the specified host, and you have your connection is subject to eavesdropping. It's better to use an authenticated and encrypted transport, such as @code{https}. Although Git allows you to serve repositories using unsophisticated file-based web servers, there is a faster protocol implemented by the @code{git-http-backend} program. This program is the back-end of a proper Git web service. It is designed to sit behind a FastCGI proxy. @xref{Services web}, for more on running the necessary @code{fcgiwrap} daemon. Guix has a separate configuration data type for serving Git repositories over HTTP. @deftp {Data Type} git-http-configuration Data type representing the configuration for @code{git-http-service}. @table @asis @item @code{package} (default: @var{git}) Package object of the Git distributed version control system. @item @code{git-root} (default: @file{/srv/git}) Directory containing the Git repositories to expose to the world. @item @code{export-all?} (default: @var{#f}) Whether to expose access for all Git repositories in @var{git-root}, even if they do not have the @file{git-daemon-export-ok} file. @item @code{uri-path} (default: @file{/git/}) Path prefix for Git access. With the default @code{/git/} prefix, this will map @code{http://@var{server}/git/@var{repo}.git} to @code{/srv/git/@var{repo}.git}. Requests whose URI paths do not begin with this prefix are not passed on to this Git instance. @item @code{fcgiwrap-socket} (default: @code{127.0.0.1:9000}) The socket on which the @code{fcgiwrap} daemon is listening. @xref{Services web}. @end table @end deftp There is no @code{git-http-service-type}, currently; instead you can create an @code{nginx-location-configuration} from a @code{git-http-configuration} and then add that location to a web server. @deffn {Scheme Procedure} git-http-nginx-location-configuration @ [config=(git-http-configuration)] Compute an @code{nginx-location-configuration} that corresponds to the given Git http configuration. An example nginx service definition to serve the default @file{/srv/git} over HTTPS might be: @example (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration (git-http-configuration (uri-path "/")))))))))) @end example This example assumes that you are using Let's Encrypt to get your TLS certificate. @xref{Services de certificats}. The default @code{certbot} service will redirect all HTTP traffic on @code{git.my-host.org} to HTTPS. You will also need to add an @code{fcgiwrap} proxy to your system services. @xref{Services web}. @end deffn @subsubheading Cgit Service @cindex Cgit service @cindex Git, web interface @uref{https://git.zx2c4.com/cgit/, Cgit} is a web frontend for Git repositories written in C. The following example will configure the service with default values. By default, Cgit can be accessed on port 80 (@code{http://localhost:80}). @example (service cgit-service-type) @end example The @code{file-object} type designates either a file-like object (@pxref{G-Expressions, file-like objects}) or a string. @c %start of fragment Available @code{cgit-configuration} fields are: @deftypevr {@code{cgit-configuration} parameter} package package The CGIT package. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} nginx-server-configuration-list nginx NGINX configuration. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object about-filter Specifies a command which will be invoked to format the content of about pages (both top-level and for each repository). Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string agefile Specifies a path, relative to each repository path, which can be used to specify the date and time of the youngest commit in the repository. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object auth-filter Specifies a command that will be invoked for authenticating repository access. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string branch-sort Flag which, when set to @samp{age}, enables date ordering in the branch ref list, and when set @samp{name} enables ordering by branch name. Defaults to @samp{"name"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string cache-root Path used to store the cgit cache entries. Defaults to @samp{"/var/cache/cgit"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-static-ttl Number which specifies the time-to-live, in minutes, for the cached version of repository pages accessed with a fixed SHA1. Defaults to @samp{-1}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-dynamic-ttl Number which specifies the time-to-live, in minutes, for the cached version of repository pages accessed without a fixed SHA1. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-repo-ttl Number which specifies the time-to-live, in minutes, for the cached version of the repository summary page. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-root-ttl Number which specifies the time-to-live, in minutes, for the cached version of the repository index page. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-scanrc-ttl Number which specifies the time-to-live, in minutes, for the result of scanning a path for Git repositories. Defaults to @samp{15}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-about-ttl Number which specifies the time-to-live, in minutes, for the cached version of the repository about page. Defaults to @samp{15}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-snapshot-ttl Number which specifies the time-to-live, in minutes, for the cached version of snapshots. Defaults to @samp{5}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer cache-size The maximum number of entries in the cgit cache. When set to @samp{0}, caching is disabled. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean case-sensitive-sort? Sort items in the repo list case sensitively. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} list clone-prefix List of common prefixes which, when combined with a repository URL, generates valid clone URLs for the repository. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} list clone-url List of @code{clone-url} templates. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object commit-filter Command which will be invoked to format commit messages. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string commit-sort Flag which, when set to @samp{date}, enables strict date ordering in the commit log, and when set to @samp{topo} enables strict topological ordering. Defaults to @samp{"git log"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object css URL which specifies the css document to include in all cgit pages. Defaults to @samp{"/share/cgit/cgit.css"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object email-filter Specifies a command which will be invoked to format names and email address of committers, authors, and taggers, as represented in various places throughout the cgit interface. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean embedded? Flag which, when set to @samp{#t}, will make cgit generate a HTML fragment suitable for embedding in other HTML pages. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-commit-graph? Flag which, when set to @samp{#t}, will make cgit print an ASCII-art commit history graph to the left of the commit messages in the repository log page. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-filter-overrides? Flag which, when set to @samp{#t}, allows all filter settings to be overridden in repository-specific cgitrc files. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-follow-links? Flag which, when set to @samp{#t}, allows users to follow a file in the log view. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-http-clone? If set to @samp{#t}, cgit will act as an dumb HTTP endpoint for Git clones. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-links? Flag which, when set to @samp{#t}, will make cgit generate extra links "summary", "commit", "tree" for each repo in the repository index. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-index-owner? Flag which, when set to @samp{#t}, will make cgit display the owner of each repo in the repository index. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-filecount? Flag which, when set to @samp{#t}, will make cgit print the number of modified files for each commit on the repository log page. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-log-linecount? Flag which, when set to @samp{#t}, will make cgit print the number of added and removed lines for each commit on the repository log page. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-remote-branches? Flag which, when set to @code{#t}, will make cgit display remote branches in the summary and refs views. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-subject-links? Flag which, when set to @code{1}, will make cgit use the subject of the parent commit as link text when generating links to parent commits in commit view. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-html-serving? Flag which, when set to @samp{#t}, will make cgit use the subject of the parent commit as link text when generating links to parent commits in commit view. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-tree-linenumbers? Flag which, when set to @samp{#t}, will make cgit generate linenumber links for plaintext blobs printed in the tree view. Defaults to @samp{#t}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean enable-git-config? Flag which, when set to @samp{#f}, will allow cgit to use Git config to set any repo specific settings. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object favicon URL used as link to a shortcut icon for cgit. Defaults to @samp{"/favicon.ico"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string footer The content of the file specified with this option will be included verbatim at the bottom of all pages (i.e. it replaces the standard "generated by..." message). Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string head-include The content of the file specified with this option will be included verbatim in the HTML HEAD section on all pages. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string header The content of the file specified with this option will be included verbatim at the top of all pages. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object include Name of a configfile to include before the rest of the current config- file is parsed. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string index-header The content of the file specified with this option will be included verbatim above the repository index. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string index-info The content of the file specified with this option will be included verbatim below the heading on the repository index page. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean local-time? Flag which, if set to @samp{#t}, makes cgit print commit and tag times in the servers timezone. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object logo URL which specifies the source of an image which will be used as a logo on all cgit pages. Defaults to @samp{"/share/cgit/cgit.png"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string logo-link URL loaded when clicking on the cgit logo image. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object owner-filter Command which will be invoked to format the Owner column of the main page. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-atom-items Number of items to display in atom feeds view. Defaults to @samp{10}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-commit-count Number of entries to list per page in "log" view. Defaults to @samp{50}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-message-length Number of commit message characters to display in "log" view. Defaults to @samp{80}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-repo-count Specifies the number of entries to list per page on the repository index page. Defaults to @samp{50}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-repodesc-length Specifies the maximum number of repo description characters to display on the repository index page. Defaults to @samp{80}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer max-blob-size Specifies the maximum size of a blob to display HTML for in KBytes. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string max-stats Maximum statistics period. Valid values are @samp{week},@samp{month}, @samp{quarter} and @samp{year}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} mimetype-alist mimetype Mimetype for the specified filename extension. Defaults to @samp{((gif "image/gif") (html "text/html") (jpg "image/jpeg") (jpeg "image/jpeg") (pdf "application/pdf") (png "image/png") (svg "image/svg+xml"))}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object mimetype-file Specifies the file to use for automatic mimetype lookup. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string module-link Text which will be used as the formatstring for a hyperlink when a submodule is printed in a directory listing. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean nocache? If set to the value @samp{#t} caching will be disabled. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean noplainemail? If set to @samp{#t} showing full author email addresses will be disabled. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean noheader? Flag which, when set to @samp{#t}, will make cgit omit the standard header on all pages. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} project-list project-list A list of subdirectories inside of @code{repository-directory}, relative to it, that should loaded as Git repositories. An empty list means that all subdirectories will be loaded. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object readme Text which will be used as default value for @code{cgit-repo-readme}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean remove-suffix? If set to @code{#t} and @code{repository-directory} is enabled, if any repositories are found with a suffix of @code{.git}, this suffix will be removed for the URL and name. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer renamelimit Maximum number of files to consider when detecting renames. Defaults to @samp{-1}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string repository-sort The way in which repositories in each section are sorted. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} robots-list robots Text used as content for the @code{robots} meta-tag. Defaults to @samp{("noindex" "nofollow")}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string root-desc Text printed below the heading on the repository index page. Defaults to @samp{"a fast webinterface for the git dscm"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string root-readme The content of the file specified with this option will be included verbatim below thef "about" link on the repository index page. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string root-title Text printed as heading on the repository index page. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean scan-hidden-path If set to @samp{#t} and repository-directory is enabled, repository-directory will recurse into directories whose name starts with a period. Otherwise, repository-directory will stay away from such directories, considered as "hidden". Note that this does not apply to the ".git" directory in non-bare repos. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} list snapshots Text which specifies the default set of snapshot formats that cgit generates links for. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} repository-directory repository-directory Name of the directory to scan for repositories (represents @code{scan-path}). Defaults to @samp{"/srv/git"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string section The name of the current repository section - all repositories defined after this option will inherit the current section name. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string section-sort Flag which, when set to @samp{1}, will sort the sections on the repository listing by name. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer section-from-path A number which, if defined prior to repository-directory, specifies how many path elements from each repo path to use as a default section name. Defaults to @samp{0}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} boolean side-by-side-diffs? If set to @samp{#t} shows side-by-side diffs instead of unidiffs per default. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} file-object source-filter Specifies a command which will be invoked to format plaintext blobs in the tree view. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer summary-branches Specifies the number of branches to display in the repository "summary" view. Defaults to @samp{10}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer summary-log Specifies the number of log entries to display in the repository "summary" view. Defaults to @samp{10}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} integer summary-tags Specifies the number of tags to display in the repository "summary" view. Defaults to @samp{10}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string strict-export Filename which, if specified, needs to be present within the repository for cgit to allow access to that repository. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} string virtual-root URL which, if specified, will be used as root for all cgit links. Defaults to @samp{"/"}. @end deftypevr @deftypevr {@code{cgit-configuration} parameter} repository-cgit-configuration-list repositories A list of @dfn{cgit-repo} records to use with config. Defaults to @samp{()}. Available @code{repository-cgit-configuration} fields are: @deftypevr {@code{repository-cgit-configuration} parameter} repo-list snapshots A mask of snapshot formats for this repo that cgit generates links for, restricted by the global @code{snapshots} setting. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object source-filter Override the default @code{source-filter}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string url The relative URL used to access the repository. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object about-filter Override the default @code{about-filter}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string branch-sort Flag which, when set to @samp{age}, enables date ordering in the branch ref list, and when set to @samp{name} enables ordering by branch name. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-list clone-url A list of URLs which can be used to clone repo. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object commit-filter Override the default @code{commit-filter}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string commit-sort Flag which, when set to @samp{date}, enables strict date ordering in the commit log, and when set to @samp{topo} enables strict topological ordering. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string defbranch The name of the default branch for this repository. If no such branch exists in the repository, the first branch name (when sorted) is used as default instead. By default branch pointed to by HEAD, or "master" if there is no suitable HEAD. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string desc The value to show as repository description. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string homepage The value to show as repository homepage. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object email-filter Override the default @code{email-filter}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-commit-graph? A flag which can be used to disable the global setting @code{enable-commit-graph?}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-log-filecount? A flag which can be used to disable the global setting @code{enable-log-filecount?}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-log-linecount? A flag which can be used to disable the global setting @code{enable-log-linecount?}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-remote-branches? Flag which, when set to @code{#t}, will make cgit display remote branches in the summary and refs views. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-subject-links? A flag which can be used to override the global setting @code{enable-subject-links?}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean enable-html-serving? A flag which can be used to override the global setting @code{enable-html-serving?}. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean hide? Flag which, when set to @code{#t}, hides the repository from the repository index. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-boolean ignore? Flag which, when set to @samp{#t}, ignores the repository. Defaults to @samp{#f}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object logo URL which specifies the source of an image which will be used as a logo on this repo’s pages. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string logo-link URL loaded when clicking on the cgit logo image. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-file-object owner-filter Override the default @code{owner-filter}. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string module-link Text which will be used as the formatstring for a hyperlink when a submodule is printed in a directory listing. The arguments for the formatstring are the path and SHA1 of the submodule commit. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} module-link-path module-link-path Text which will be used as the formatstring for a hyperlink when a submodule with the specified subdirectory path is printed in a directory listing. Defaults to @samp{()}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string max-stats Override the default maximum statistics period. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string name The value to show as repository name. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string owner A value used to identify the owner of the repository. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string path An absolute path to the repository directory. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string readme A path (relative to repo) which specifies a file to include verbatim as the "About" page for this repo. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-string section The name of the current repository section - all repositories defined after this option will inherit the current section name. Defaults to @samp{""}. @end deftypevr @deftypevr {@code{repository-cgit-configuration} parameter} repo-list extra-options Extra options will be appended to cgitrc file. Defaults to @samp{()}. @end deftypevr @end deftypevr @deftypevr {@code{cgit-configuration} parameter} list extra-options Extra options will be appended to cgitrc file. Defaults to @samp{()}. @end deftypevr @c %end of fragment However, it could be that you just want to get a @code{cgitrc} up and running. In that case, you can pass an @code{opaque-cgit-configuration} as a record to @code{cgit-service-type}. As its name indicates, an opaque configuration does not have easy reflective capabilities. Available @code{opaque-cgit-configuration} fields are: @deftypevr {@code{opaque-cgit-configuration} parameter} package cgit The cgit package. @end deftypevr @deftypevr {@code{opaque-cgit-configuration} parameter} string string The contents of the @code{cgitrc}, as a string. @end deftypevr For example, if your @code{cgitrc} is just the empty string, you could instantiate a cgit service like this: @example (service cgit-service-type (opaque-cgit-configuration (cgitrc ""))) @end example @node Services de jeu @subsubsection Services de jeu @subsubheading The Battle for Wesnoth Service @cindex wesnothd @uref{https://wesnoth.org, The Battle for Wesnoth} is a fantasy, turn based tactical strategy game, with several single player campaigns, and multiplayer games (both networked and local). @defvar {Scheme Variable} wesnothd-service-type Service type for the wesnothd service. Its value must be a @code{wesnothd-configuration} object. To run wesnothd in the default configuration, instantiate it as: @example (service wesnothd-service-type) @end example @end defvar @deftp {Data Type} wesnothd-configuration Data type representing the configuration of @command{wesnothd}. @table @asis @item @code{package} (default: @code{wesnoth-server}) The wesnoth server package to use. @item @code{port} (default: @code{15000}) The port to bind the server to. @end table @end deftp @node Services divers @subsubsection Services divers @cindex fingerprint @subsubheading Fingerprint Service The @code{(gnu services fingerprint)} module provides a DBus service to read and identify fingerprints via a fingerprint sensor. @defvr {Scheme Variable} fprintd-service-type The service type for @command{fprintd}, which provides the fingerprint reading capability. @example (service fprintd-service-type) @end example @end defvr @cindex sysctl @subsubheading System Control Service The @code{(gnu services sysctl)} provides a service to configure kernel parameters at boot. @defvr {Scheme Variable} sysctl-service-type The service type for @command{sysctl}, which modifies kernel parameters under @file{/proc/sys/}. To enable IPv4 forwarding, it can be instantiated as: @example (service sysctl-service-type (sysctl-configuration (settings '(("net.ipv4.ip_forward" . "1"))))) @end example @end defvr @deftp {Data Type} sysctl-configuration The data type representing the configuration of @command{sysctl}. @table @asis @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"}) The @command{sysctl} executable to use. @item @code{settings} (default: @code{'()}) An association list specifies kernel parameters and their values. @end table @end deftp @cindex lirc @subsubheading Lirc Service The @code{(gnu services lirc)} module provides the following service. @deffn {Scheme Procedure} lirc-service [#:lirc lirc] @ [#:device #f] [#:driver #f] [#:config-file #f] @ [#:extra-options '()] Return a service that runs @url{http://www.lirc.org,LIRC}, a daemon that decodes infrared signals from remote controls. Optionally, @var{device}, @var{driver} and @var{config-file} (configuration file name) may be specified. See @command{lircd} manual for details. Finally, @var{extra-options} is a list of additional command-line options passed to @command{lircd}. @end deffn @cindex spice @subsubheading Spice Service The @code{(gnu services spice)} module provides the following service. @deffn {Scheme Procedure} spice-vdagent-service [#:spice-vdagent] Returns a service that runs @url{http://www.spice-space.org,VDAGENT}, a daemon that enables sharing the clipboard with a vm and setting the guest display resolution when the graphical console window resizes. @end deffn @subsubsection Dictionary Services @cindex dictionary The @code{(gnu services dict)} module provides the following service: @deffn {Scheme Procedure} dicod-service [#:config (dicod-configuration)] Return a service that runs the @command{dicod} daemon, an implementation of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}). The optional @var{config} argument specifies the configuration for @command{dicod}, which should be a @code{} object, by default it serves the GNU Collaborative International Dictonary of English. You can add @command{open localhost} to your @file{~/.dico} file to make @code{localhost} the default server for @command{dico} client (@pxref{Initialization File,,, dico, GNU Dico Manual}). @end deffn @deftp {Data Type} dicod-configuration Data type representing the configuration of dicod. @table @asis @item @code{dico} (default: @var{dico}) Package object of the GNU Dico dictionary server. @item @code{interfaces} (default: @var{'("localhost")}) This is the list of IP addresses and ports and possibly socket file names to listen to (@pxref{Server Settings, @code{listen} directive,, dico, GNU Dico Manual}). @item @code{handlers} (default: @var{'()}) List of @code{} objects denoting handlers (module instances). @item @code{databases} (default: @var{(list %dicod-database:gcide)}) List of @code{} objects denoting dictionaries to be served. @end table @end deftp @deftp {Data Type} dicod-handler Data type representing a dictionary handler (module instance). @table @asis @item @code{name} Name of the handler (module instance). @item @code{module} (default: @var{#f}) Name of the dicod module of the handler (instance). If it is @code{#f}, the module has the same name as the handler. (@pxref{Modules,,, dico, GNU Dico Manual}). @item @code{options} List of strings or gexps representing the arguments for the module handler @end table @end deftp @deftp {Data Type} dicod-database Data type representing a dictionary database. @table @asis @item @code{name} Name of the database, will be used in DICT commands. @item @code{handler} Name of the dicod handler (module instance) used by this database (@pxref{Handlers,,, dico, GNU Dico Manual}). @item @code{complex?} (default: @var{#f}) Whether the database configuration complex. The complex configuration will need a corresponding @code{} object, otherwise not. @item @code{options} List of strings or gexps representing the arguments for the database (@pxref{Databases,,, dico, GNU Dico Manual}). @end table @end deftp @defvr {Scheme Variable} %dicod-database:gcide A @code{} object serving the GNU Collaborative International Dictionary of English using the @code{gcide} package. @end defvr The following is an example @code{dicod-service} configuration. @example (dicod-service #:config (dicod-configuration (handlers (list (dicod-handler (name "wordnet") (module "dictorg") (options (list #~(string-append "dbdir=" #$wordnet)))))) (databases (list (dicod-database (name "wordnet") (complex? #t) (handler "wordnet") (options '("database=wn"))) %dicod-database:gcide)))) @end example @node Programmes setuid @subsection Programmes setuid @cindex setuid programs Some programs need to run with ``root'' privileges, even when they are launched by unprivileged users. A notorious example is the @command{passwd} program, which users can run to change their password, and which needs to access the @file{/etc/passwd} and @file{/etc/shadow} files---something normally restricted to root, for obvious security reasons. To address that, these executables are @dfn{setuid-root}, meaning that they always run with root privileges (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual}, for more info about the setuid mechanism.) The store itself @emph{cannot} contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (@pxref{Le dépôt}). Thus, a different mechanism is used: instead of changing the setuid bit directly on files that are in the store, we let the system administrator @emph{declare} which programs should be setuid root. The @code{setuid-programs} field of an @code{operating-system} declaration contains a list of G-expressions denoting the names of programs to be setuid-root (@pxref{Utiliser le système de configuration}). For instance, the @command{passwd} program, which is part of the Shadow package, can be designated by this G-expression (@pxref{G-Expressions}): @example #~(string-append #$shadow "/bin/passwd") @end example A default set of setuid programs is defined by the @code{%setuid-programs} variable of the @code{(gnu system)} module. @defvr {Scheme Variable} %setuid-programs A list of G-expressions denoting common programs that are setuid-root. The list includes commands such as @command{passwd}, @command{ping}, @command{su}, and @command{sudo}. @end defvr Under the hood, the actual setuid programs are created in the @file{/run/setuid-programs} directory at system activation time. The files in this directory refer to the ``real'' binaries, which are in the store. @node Certificats X.509 @subsection Certificats X.509 @cindex HTTPS, certificates @cindex X.509 certificates @cindex TLS Web servers available over HTTPS (that is, HTTP over the transport-layer security mechanism, TLS) send client programs an @dfn{X.509 certificate} that the client can then use to @emph{authenticate} the server. To do that, clients verify that the server's certificate is signed by a so-called @dfn{certificate authority} (CA). But to verify the CA's signature, clients must have first acquired the CA's certificate. Web browsers such as GNU@tie{}IceCat include their own set of CA certificates, such that they are able to verify CA signatures out-of-the-box. However, most other programs that can talk HTTPS---@command{wget}, @command{git}, @command{w3m}, etc.---need to be told where CA certificates can be found. @cindex @code{nss-certs} In GuixSD, this is done by adding a package that provides certificates to the @code{packages} field of the @code{operating-system} declaration (@pxref{Référence de système d'exploitation}). GuixSD includes one such package, @code{nss-certs}, which is a set of CA certificates provided as part of Mozilla's Network Security Services. Note that it is @emph{not} part of @var{%base-packages}, so you need to explicitly add it. The @file{/etc/ssl/certs} directory, which is where most applications and libraries look for certificates by default, points to the certificates installed globally. Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in their profile. A number of environment variables need to be defined so that applications and libraries know where to find them. Namely, the OpenSSL library honors the @code{SSL_CERT_DIR} and @code{SSL_CERT_FILE} variables. Some applications add their own environment variables; for instance, the Git version control system honors the certificate bundle pointed to by the @code{GIT_SSL_CAINFO} environment variable. Thus, you would typically run something like: @example $ guix package -i nss-certs $ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs" $ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt" $ export GIT_SSL_CAINFO="$SSL_CERT_FILE" @end example As another example, R requires the @code{CURL_CA_BUNDLE} environment variable to point to a certificate bundle, so you would have to run something like this: @example $ guix package -i nss-certs $ export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt" @end example For other applications you may want to look up the required environment variable in the relevant documentation. @node Name Service Switch @subsection Name Service Switch @cindex name service switch @cindex NSS The @code{(gnu system nss)} module provides bindings to the configuration file of the libc @dfn{name service switch} or @dfn{NSS} (@pxref{NSS Configuration File,,, libc, The GNU C Library Reference Manual}). In a nutshell, the NSS is a mechanism that allows libc to be extended with new ``name'' lookup methods for system databases, which includes host names, service names, user accounts, and more (@pxref{Name Service Switch, System Databases and Name Service Switch,, libc, The GNU C Library Reference Manual}). The NSS configuration specifies, for each system database, which lookup method is to be used, and how the various methods are chained together---for instance, under which circumstances NSS should try the next method in the list. The NSS configuration is given in the @code{name-service-switch} field of @code{operating-system} declarations (@pxref{Référence de système d'exploitation, @code{name-service-switch}}). @cindex nss-mdns @cindex .local, host name lookup As an example, the declaration below configures the NSS to use the @uref{http://0pointer.de/lennart/projects/nss-mdns/, @code{nss-mdns} back-end}, which supports host name lookups over multicast DNS (mDNS) for host names ending in @code{.local}: @example (name-service-switch (hosts (list %files ;first, check /etc/hosts ;; If the above did not succeed, try ;; with 'mdns_minimal'. (name-service (name "mdns_minimal") ;; 'mdns_minimal' is authoritative for ;; '.local'. When it returns "not found", ;; no need to try the next methods. (reaction (lookup-specification (not-found => return)))) ;; Then fall back to DNS. (name-service (name "dns")) ;; Finally, try with the "full" 'mdns'. (name-service (name "mdns"))))) @end example Do not worry: the @code{%mdns-host-lookup-nss} variable (see below) contains this configuration, so you will not have to type it if all you want is to have @code{.local} host lookup working. Note that, in this case, in addition to setting the @code{name-service-switch} of the @code{operating-system} declaration, you also need to use @code{avahi-service} (@pxref{Services réseau, @code{avahi-service}}), or @var{%desktop-services}, which includes it (@pxref{Services de bureaux}). Doing this makes @code{nss-mdns} accessible to the name service cache daemon (@pxref{Services de base, @code{nscd-service}}). For convenience, the following variables provide typical NSS configurations. @defvr {Scheme Variable} %default-nss This is the default name service switch configuration, a @code{name-service-switch} object. @end defvr @defvr {Scheme Variable} %mdns-host-lookup-nss This is the name service switch configuration with support for host name lookup over multicast DNS (mDNS) for host names ending in @code{.local}. @end defvr The reference for name service switch configuration is given below. It is a direct mapping of the configuration file format of the C library , so please refer to the C library manual for more information (@pxref{NSS Configuration File,,, libc, The GNU C Library Reference Manual}). Compared to the configuration file format of libc NSS, it has the advantage not only of adding this warm parenthetic feel that we like, but also static checks: you will know about syntax errors and typos as soon as you run @command{guix system}. @deftp {Data Type} name-service-switch This is the data type representation the configuration of libc's name service switch (NSS). Each field below represents one of the supported system databases. @table @code @item aliases @itemx ethers @itemx group @itemx gshadow @itemx hosts @itemx initgroups @itemx netgroup @itemx networks @itemx password @itemx public-key @itemx rpc @itemx services @itemx shadow The system databases handled by the NSS. Each of these fields must be a list of @code{} objects (see below). @end table @end deftp @deftp {Data Type} name-service This is the data type representing an actual name service and the associated lookup action. @table @code @item name A string denoting the name service (@pxref{Services in the NSS configuration,,, libc, The GNU C Library Reference Manual}). Note that name services listed here must be visible to nscd. This is achieved by passing the @code{#:name-services} argument to @code{nscd-service} the list of packages providing the needed name services (@pxref{Services de base, @code{nscd-service}}). @item reaction An action specified using the @code{lookup-specification} macro (@pxref{Actions in the NSS configuration,,, libc, The GNU C Library Reference Manual}). For example: @example (lookup-specification (unavailable => continue) (success => return)) @end example @end table @end deftp @node Disque de RAM initial @subsection Disque de RAM initial @cindex initrd @cindex initial RAM disk For bootstrapping purposes, the Linux-Libre kernel is passed an @dfn{initial RAM disk}, or @dfn{initrd}. An initrd contains a temporary root file system as well as an initialization script. The latter is responsible for mounting the real root file system, and for loading any kernel modules that may be needed to achieve that. The @code{initrd-modules} field of an @code{operating-system} declaration allows you to specify Linux-libre kernel modules that must be available in the initrd. In particular, this is where you would list modules needed to actually drive the hard disk where your root partition is---although the default value of @code{initrd-modules} should cover most use cases. For example, assuming you need the @code{megaraid_sas} module in addition to the default modules to be able to access your root file system, you would write: @example (operating-system ;; @dots{} (initrd-modules (cons "megaraid_sas" %base-initrd-modules))) @end example @defvr {Scheme Variable} %base-initrd-modules This is the list of kernel modules included in the initrd by default. @end defvr Furthermore, if you need lower-level customization, the @code{initrd} field of an @code{operating-system} declaration allows you to specify which initrd you would like to use. The @code{(gnu system linux-initrd)} module provides three ways to build an initrd: the high-level @code{base-initrd} procedure and the low-level @code{raw-initrd} and @code{expression->initrd} procedures. The @code{base-initrd} procedure is intended to cover most common uses. For example, if you want to add a bunch of kernel modules to be loaded at boot time, you can define the @code{initrd} field of the operating system declaration like this: @example (initrd (lambda (file-systems . rest) ;; Create a standard initrd but set up networking ;; with the parameters QEMU expects by default. (apply base-initrd file-systems #:qemu-networking? #t rest))) @end example The @code{base-initrd} procedure also handles common use cases that involves using the system as a QEMU guest, or as a ``live'' system with volatile root file system. The @code{base-initrd} procedure is built from @code{raw-initrd} procedure. Unlike @code{base-initrd}, @code{raw-initrd} doesn't do anything high-level, such as trying to guess which kernel modules and packages should be included to the initrd. An example use of @code{raw-initrd} is when a user has a custom Linux kernel configuration and default kernel modules included by @code{base-initrd} are not available. The initial RAM disk produced by @code{base-initrd} or @code{raw-initrd} honors several options passed on the Linux kernel command line (that is, arguments passed @i{via} the @code{linux} command of GRUB, or the @code{-append} option of QEMU), notably: @table @code @item --load=@var{boot} Tell the initial RAM disk to load @var{boot}, a file containing a Scheme program, once it has mounted the root file system. GuixSD uses this option to yield control to a boot program that runs the service activation programs and then spawns the GNU@tie{}Shepherd, the initialization system. @item --root=@var{root} Mount @var{root} as the root file system. @var{root} can be a device name like @code{/dev/sda1}, a file system label, or a file system UUID. @item --system=@var{système} Have @file{/run/booted-system} and @file{/run/current-system} point to @var{system}. @item modprobe.blacklist=@var{modules}@dots{} @cindex module, black-listing @cindex black list, of kernel modules Instruct the initial RAM disk as well as the @command{modprobe} command (from the kmod package) to refuse to load @var{modules}. @var{modules} must be a comma-separated list of module names---e.g., @code{usbkbd,9pnet}. @item --repl Start a read-eval-print loop (REPL) from the initial RAM disk before it tries to load kernel modules and to mount the root file system. Our marketing team calls it @dfn{boot-to-Guile}. The Schemer in you will love it. @xref{Using Guile Interactively,,, guile, GNU Guile Reference Manual}, for more information on Guile's REPL. @end table Now that you know all the features that initial RAM disks produced by @code{base-initrd} and @code{raw-initrd} provide, here is how to use it and customize it further. @cindex initrd @cindex initial RAM disk @deffn {Monadic Procedure} raw-initrd @var{file-systems} @ [#:linux-modules '()] [#:mapped-devices '()] @ [#:helper-packages '()] [#:qemu-networking? #f] [#:volatile-root? #f] Return a monadic derivation that builds a raw initrd. @var{file-systems} is a list of file systems to be mounted by the initrd, possibly in addition to the root file system specified on the kernel command line via @code{--root}. @var{linux-modules} is a list of kernel modules to be loaded at boot time. @var{mapped-devices} is a list of device mappings to realize before @var{file-systems} are mounted (@pxref{Périphériques mappés}). @var{helper-packages} is a list of packages to be copied in the initrd. It may include @code{e2fsck/static} or other packages needed by the initrd to check the root file system. When @var{qemu-networking?} is true, set up networking with the standard QEMU parameters. When @var{virtio?} is true, load additional modules so that the initrd can be used as a QEMU guest with para-virtualized I/O drivers. When @var{volatile-root?} is true, the root file system is writable but any changes to it are lost. @end deffn @deffn {Monadic Procedure} base-initrd @var{file-systems} @ [#:mapped-devices '()] [#:qemu-networking? #f] [#:volatile-root? #f]@ [#:linux-modules '()] Return a monadic derivation that builds a generic initrd, with kernel modules taken from @var{linux}. @var{file-systems} is a list of file-systems to be mounted by the initrd, possibly in addition to the root file system specified on the kernel command line via @code{--root}. @var{mapped-devices} is a list of device mappings to realize before @var{file-systems} are mounted. @var{qemu-networking?} and @var{volatile-root?} behaves as in @code{raw-initrd}. The initrd is automatically populated with all the kernel modules necessary for @var{file-systems} and for the given options. Additional kernel modules can be listed in @var{linux-modules}. They will be added to the initrd, and loaded at boot time in the order in which they appear. @end deffn Needless to say, the initrds we produce and use embed a statically-linked Guile, and the initialization program is a Guile program. That gives a lot of flexibility. The @code{expression->initrd} procedure builds such an initrd, given the program to run in that initrd. @deffn {Monadic Procedure} expression->initrd @var{exp} @ [#:guile %guile-static-stripped] [#:name "guile-initrd"] Return a derivation that builds a Linux initrd (a gzipped cpio archive) containing @var{guile} and that evaluates @var{exp}, a G-expression, upon booting. All the derivations referenced by @var{exp} are automatically copied to the initrd. @end deffn @node Configuration du chargeur d'amorçage @subsection Configuration du chargeur d'amorçage @cindex bootloader @cindex boot loader The operating system supports multiple bootloaders. The bootloader is configured using @code{bootloader-configuration} declaration. All the fields of this structure are bootloader agnostic except for one field, @code{bootloader} that indicates the bootloader to be configured and installed. Some of the bootloaders do not honor every field of @code{bootloader-configuration}. For instance, the extlinux bootloader does not support themes and thus ignores the @code{theme} field. @deftp {Data Type} bootloader-configuration The type of a bootloader configuration declaration. @table @asis @item @code{bootloader} @cindex EFI, bootloader @cindex UEFI, bootloader @cindex BIOS, bootloader The bootloader to use, as a @code{bootloader} object. For now @code{grub-bootloader}, @code{grub-efi-bootloader}, @code{extlinux-bootloader} and @code{u-boot-bootloader} are supported. @code{grub-efi-bootloader} allows to boot on modern systems using the @dfn{Unified Extensible Firmware Interface} (UEFI). Available bootloaders are described in @code{(gnu bootloader @dots{})} modules. @item @code{target} This is a string denoting the target onto which to install the bootloader. The exact interpretation depends on the bootloader in question; for @code{grub-bootloader}, for example, it should be a device name understood by the bootloader @command{installer} command, such as @code{/dev/sda} or @code{(hd0)} (for GRUB, @pxref{Invoking grub-install,,, grub, GNU GRUB Manual}). For @code{grub-efi-bootloader}, it should be the path to a mounted EFI file system. @item @code{menu-entries} (default: @code{()}) A possibly empty list of @code{menu-entry} objects (see below), denoting entries to appear in the bootloader menu, in addition to the current system entry and the entry pointing to previous system generations. @item @code{default-entry} (default: @code{0}) The index of the default boot menu entry. Index 0 is for the entry of the current system. @item @code{timeout} (default: @code{5}) The number of seconds to wait for keyboard input before booting. Set to 0 to boot immediately, and to -1 to wait indefinitely. @item @code{theme} (default: @var{#f}) The bootloader theme object describing the theme to use. If no theme is provided, some bootloaders might use a default theme, that's true for GRUB. @item @code{terminal-outputs} (default: @code{'gfxterm}) The output terminals used for the bootloader boot menu, as a list of symbols. GRUB accepts the values: @code{console}, @code{serial}, @code{serial_@{0-3@}}, @code{gfxterm}, @code{vga_text}, @code{mda_text}, @code{morse}, and @code{pkmodem}. This field corresponds to the GRUB variable GRUB_TERMINAL_OUTPUT (@pxref{Simple configuration,,, grub,GNU GRUB manual}). @item @code{terminal-inputs} (default: @code{'()}) The input terminals used for the bootloader boot menu, as a list of symbols. For GRUB, the default is the native platform terminal as determined at run-time. GRUB accepts the values: @code{console}, @code{serial}, @code{serial_@{0-3@}}, @code{at_keyboard}, and @code{usb_keyboard}. This field corresponds to the GRUB variable GRUB_TERMINAL_INPUT (@pxref{Simple configuration,,, grub,GNU GRUB manual}). @item @code{serial-unit} (default: @code{#f}) The serial unit used by the bootloader, as an integer from 0 to 3. For GRUB, it is chosen at run-time; currently GRUB chooses 0, which corresponds to COM1 (@pxref{Serial terminal,,, grub,GNU GRUB manual}). @item @code{serial-speed} (default: @code{#f}) The speed of the serial interface, as an integer. For GRUB, the default value is chosen at run-time; currently GRUB chooses 9600@tie{}bps (@pxref{Serial terminal,,, grub,GNU GRUB manual}). @end table @end deftp @cindex dual boot @cindex boot menu Should you want to list additional boot menu entries @i{via} the @code{menu-entries} field above, you will need to create them with the @code{menu-entry} form. For example, imagine you want to be able to boot another distro (hard to imagine!), you can define a menu entry along these lines: @example (menu-entry (label "The Other Distro") (linux "/boot/old/vmlinux-2.6.32") (linux-arguments '("root=/dev/sda2")) (initrd "/boot/old/initrd")) @end example Details below. @deftp {Data Type} menu-entry The type of an entry in the bootloader menu. @table @asis @item @code{label} The label to show in the menu---e.g., @code{"GNU"}. @item @code{linux} The Linux kernel image to boot, for example: @example (file-append linux-libre "/bzImage") @end example For GRUB, it is also possible to specify a device explicitly in the file path using GRUB's device naming convention (@pxref{Naming convention,,, grub, GNU GRUB manual}), for example: @example "(hd0,msdos1)/boot/vmlinuz" @end example If the device is specified explicitly as above, then the @code{device} field is ignored entirely. @item @code{linux-arguments} (default: @code{()}) The list of extra Linux kernel command-line arguments---e.g., @code{("console=ttyS0")}. @item @code{initrd} A G-Expression or string denoting the file name of the initial RAM disk to use (@pxref{G-Expressions}). @item @code{device} (default: @code{#f}) The device where the kernel and initrd are to be found---i.e., for GRUB, @dfn{root} for this menu entry (@pxref{root,,, grub, GNU GRUB manual}). This may be a file system label (a string), a file system UUID (a bytevector, @pxref{Systèmes de fichiers}), or @code{#f}, in which case the bootloader will search the device containing the file specified by the @code{linux} field (@pxref{search,,, grub, GNU GRUB manual}). It must @emph{not} be an OS device name such as @file{/dev/sda1}. @end table @end deftp @c FIXME: Write documentation once it's stable. Fow now only GRUB has theme support. GRUB themes are created using the @code{grub-theme} form, which is not documented yet. @defvr {Scheme Variable} %default-theme This is the default GRUB theme used by the operating system if no @code{theme} field is specified in @code{bootloader-configuration} record. It comes with a fancy background image displaying the GNU and Guix logos. @end defvr @node Invoquer guix system @subsection Invoking @code{guix system} Once you have written an operating system declaration as seen in the previous section, it can be @dfn{instantiated} using the @command{guix system} command. The synopsis is: @example guix system @var{options}@dots{} @var{action} @var{file} @end example @var{file} must be the name of a file containing an @code{operating-system} declaration. @var{action} specifies how the operating system is instantiated. Currently the following values are supported: @table @code @item search Display available service type definitions that match the given regular expressions, sorted by relevance: @example $ guix system search console font name: console-fonts location: gnu/services/base.scm:729:2 extends: shepherd-root description: Install the given fonts on the specified ttys (fonts are + per virtual console on GNU/Linux). The value of this service is a list + of tty/font pairs like: + + '(("tty1" . "LatGrkCyr-8x16")) relevance: 20 name: mingetty location: gnu/services/base.scm:1048:2 extends: shepherd-root description: Provide console login using the `mingetty' program. relevance: 2 name: login location: gnu/services/base.scm:775:2 extends: pam description: Provide a console log-in service as specified by its + configuration value, a `login-configuration' object. relevance: 2 @dots{} @end example As for @command{guix package --search}, the result is written in @code{recutils} format, which makes it easy to filter the output (@pxref{Top, GNU recutils databases,, recutils, GNU recutils manual}). @item reconfigure Build the operating system described in @var{file}, activate it, and switch to it@footnote{This action (and the related actions @code{switch-generation} and @code{roll-back}) are usable only on systems already running GuixSD.}. This effects all the configuration specified in @var{file}: user accounts, system services, global package list, setuid programs, etc. The command starts system services specified in @var{file} that are not currently running; if a service is currently running, it does not attempt to upgrade it since this would not be possible without stopping it first. This command creates a new generation whose number is one greater than the current generation (as reported by @command{guix system list-generations}). If that generation already exists, it will be overwritten. This behavior mirrors that of @command{guix package} (@pxref{Invoquer guix package}). It also adds a bootloader menu entry for the new OS configuration, ---unless @option{--no-bootloader} is passed. For GRUB, it moves entries for older configurations to a submenu, allowing you to choose an older system generation at boot time should you need it. @quotation Remarque @c The paragraph below refers to the problem discussed at @c . It is highly recommended to run @command{guix pull} once before you run @command{guix system reconfigure} for the first time (@pxref{Invoquer guix pull}). Failing to do that you would see an older version of Guix once @command{reconfigure} has completed. @end quotation @item switch-generation @cindex générations Switch to an existing system generation. This action atomically switches the system profile to the specified system generation. It also rearranges the system's existing bootloader menu entries. It makes the menu entry for the specified system generation the default, and it moves the entries for the other generatiors to a submenu, if supported by the bootloader being used. The next time the system boots, it will use the specified system generation. The bootloader itself is not being reinstalled when using this command. Thus, the installed bootloader is used with an updated configuration file. The target generation can be specified explicitly by its generation number. For example, the following invocation would switch to system generation 7: @example guix system switch-generation 7 @end example The target generation can also be specified relative to the current generation with the form @code{+N} or @code{-N}, where @code{+3} means ``3 generations ahead of the current generation,'' and @code{-1} means ``1 generation prior to the current generation.'' When specifying a negative value such as @code{-1}, you must precede it with @code{--} to prevent it from being parsed as an option. For example: @example guix system switch-generation -- -1 @end example Currently, the effect of invoking this action is @emph{only} to switch the system profile to an existing generation and rearrange the bootloader menu entries. To actually start using the target system generation, you must reboot after running this action. In the future, it will be updated to do the same things as @command{reconfigure}, like activating and deactivating services. This action will fail if the specified generation does not exist. @item roll-back @cindex revenir en arrière Switch to the preceding system generation. The next time the system boots, it will use the preceding system generation. This is the inverse of @command{reconfigure}, and it is exactly the same as invoking @command{switch-generation} with an argument of @code{-1}. Currently, as with @command{switch-generation}, you must reboot after running this action to actually start using the preceding system generation. @item build Build the derivation of the operating system, which includes all the configuration files and programs needed to boot and run the system. This action does not actually install anything. @item init Populate the given directory with all the files necessary to run the operating system specified in @var{file}. This is useful for first-time installations of GuixSD. For instance: @example guix system init my-os-config.scm /mnt @end example copies to @file{/mnt} all the store items required by the configuration specified in @file{my-os-config.scm}. This includes configuration files, packages, and so on. It also creates other essential files needed for the system to operate correctly---e.g., the @file{/etc}, @file{/var}, and @file{/run} directories, and the @file{/bin/sh} file. This command also installs bootloader on the target specified in @file{my-os-config}, unless the @option{--no-bootloader} option was passed. @item vm @cindex virtual machine @cindex VM @anchor{guix system vm} Build a virtual machine that contains the operating system declared in @var{file}, and return a script to run that virtual machine (VM). Arguments given to the script are passed to QEMU as in the example below, which enables networking and requests 1@tie{}GiB of RAM for the emulated machine: @example $ /gnu/store/@dots{}-run-vm.sh -m 1024 -net user @end example The VM shares its store with the host system. Additional file systems can be shared between the host and the VM using the @code{--share} and @code{--expose} command-line options: the former specifies a directory to be shared with write access, while the latter provides read-only access to the shared directory. The example below creates a VM in which the user's home directory is accessible read-only, and where the @file{/exchange} directory is a read-write mapping of @file{$HOME/tmp} on the host: @example guix system vm my-config.scm \ --expose=$HOME --share=$HOME/tmp=/exchange @end example On GNU/Linux, the default is to boot directly to the kernel; this has the advantage of requiring only a very tiny root disk image since the store of the host can then be mounted. The @code{--full-boot} option forces a complete boot sequence, starting with the bootloader. This requires more disk space since a root image containing at least the kernel, initrd, and bootloader data files must be created. The @code{--image-size} option can be used to specify the size of the image. @cindex System images, creation in various formats @cindex Creating system images in various formats @item vm-image @itemx disk-image @itemx docker-image Return a virtual machine, disk image, or Docker image of the operating system declared in @var{file} that stands alone. By default, @command{guix system} estimates the size of the image needed to store the system, but you can use the @option{--image-size} option to specify a value. Docker images are built to contain exactly what they need, so the @option{--image-size} option is ignored in the case of @code{docker-image}. You can specify the root file system type by using the @option{--file-system-type} option. It defaults to @code{ext4}. When using @code{vm-image}, the returned image is in qcow2 format, which the QEMU emulator can efficiently use. @xref{Lancer GuixSD dans une VM}, for more information on how to run the image in a virtual machine. When using @code{disk-image}, a raw disk image is produced; it can be copied as is to a USB stick, for instance. Assuming @code{/dev/sdc} is the device corresponding to a USB stick, one can copy the image to it using the following command: @example # dd if=$(guix system disk-image my-os.scm) of=/dev/sdc @end example When using @code{docker-image}, a Docker image is produced. Guix builds the image from scratch, not from a pre-existing Docker base image. As a result, it contains @emph{exactly} what you define in the operating system configuration file. You can then load the image and launch a Docker container using commands like the following: @example image_id="$(docker load < guixsd-docker-image.tar.gz)" docker run -e GUIX_NEW_SYSTEM=/var/guix/profiles/system \\ --entrypoint /var/guix/profiles/system/profile/bin/guile \\ $image_id /var/guix/profiles/system/boot @end example This command starts a new Docker container from the specified image. It will boot the GuixSD system in the usual manner, which means it will start any services you have defined in the operating system configuration. Depending on what you run in the Docker container, it may be necessary to give the container additional permissions. For example, if you intend to build software using Guix inside of the Docker container, you may need to pass the @option{--privileged} option to @code{docker run}. @item container Return a script to run the operating system declared in @var{file} within a container. Containers are a set of lightweight isolation mechanisms provided by the kernel Linux-libre. Containers are substantially less resource-demanding than full virtual machines since the kernel, shared objects, and other resources can be shared with the host system; this also means they provide thinner isolation. Currently, the script must be run as root in order to support more than a single user and group. The container shares its store with the host system. As with the @code{vm} action (@pxref{guix system vm}), additional file systems to be shared between the host and container can be specified using the @option{--share} and @option{--expose} options: @example guix system container my-config.scm \ --expose=$HOME --share=$HOME/tmp=/exchange @end example @quotation Remarque This option requires Linux-libre 3.19 or newer. @end quotation @end table @var{options} can contain any of the common build options (@pxref{Options de construction communes}). In addition, @var{options} can contain one of the following: @table @option @item --expression=@var{expr} @itemx -e @var{expr} Consider the operating-system @var{expr} evaluates to. This is an alternative to specifying a file which evaluates to an operating system. This is used to generate the GuixSD installer @pxref{Construire l'image d'installation}). @item --system=@var{système} @itemx -s @var{système} Attempt to build for @var{system} instead of the host system type. This works as per @command{guix build} (@pxref{Invoquer guix build}). @item --derivation @itemx -d Return the derivation file name of the given operating system without building anything. @item --file-system-type=@var{type} @itemx -t @var{type} For the @code{disk-image} action, create a file system of the given @var{type} on the image. When this option is omitted, @command{guix system} uses @code{ext4}. @cindex ISO-9660 format @cindex CD image format @cindex DVD image format @code{--file-system-type=iso9660} produces an ISO-9660 image, suitable for burning on CDs and DVDs. @item --image-size=@var{size} For the @code{vm-image} and @code{disk-image} actions, create an image of the given @var{size}. @var{size} may be a number of bytes, or it may include a unit as a suffix (@pxref{Block size, size specifications,, coreutils, GNU Coreutils}). When this option is omitted, @command{guix system} computes an estimate of the image size as a function of the size of the system declared in @var{file}. @item --root=@var{file} @itemx -r @var{file} Make @var{file} a symlink to the result, and register it as a garbage collector root. @item --skip-checks Skip pre-installation safety checks. By default, @command{guix system init} and @command{guix system reconfigure} perform safety checks: they make sure the file systems that appear in the @code{operating-system} declaration actually exist (@pxref{Systèmes de fichiers}), and that any Linux kernel modules that may be needed at boot time are listed in @code{initrd-modules} (@pxref{Disque de RAM initial}). Passing this option skips these tests altogether. @item --on-error=@var{strategy} Apply @var{strategy} when an error occurs when reading @var{file}. @var{strategy} may be one of the following: @table @code @item nothing-special Report the error concisely and exit. This is the default strategy. @item backtrace Likewise, but also display a backtrace. @item debug Report the error and enter Guile's debugger. From there, you can run commands such as @code{,bt} to get a backtrace, @code{,locals} to display local variable values, and more generally inspect the state of the program. @xref{Debug Commands,,, guile, GNU Guile Reference Manual}, for a list of available debugging commands. @end table @end table @quotation Remarque All the actions above, except @code{build} and @code{init}, can use KVM support in the Linux-libre kernel. Specifically, if the machine has hardware virtualization support, the corresponding KVM kernel module should be loaded, and the @file{/dev/kvm} device node must exist and be readable and writable by the user and by the build users of the daemon (@pxref{Réglages de l'environnement de construction}). @end quotation Once you have built, configured, re-configured, and re-re-configured your GuixSD installation, you may find it useful to list the operating system generations available on disk---and that you can choose from the bootloader boot menu: @table @code @item list-generations List a summary of each generation of the operating system available on disk, in a human-readable way. This is similar to the @option{--list-generations} option of @command{guix package} (@pxref{Invoquer guix package}). Optionally, one can specify a pattern, with the same syntax that is used in @command{guix package --list-generations}, to restrict the list of generations displayed. For instance, the following command displays generations that are up to 10 days old: @example $ guix system list-generations 10d @end example @end table The @command{guix system} command has even more to offer! The following sub-commands allow you to visualize how your system services relate to each other: @anchor{system-extension-graph} @table @code @item extension-graph Emit in Dot/Graphviz format to standard output the @dfn{service extension graph} of the operating system defined in @var{file} (@pxref{Composition de services}, for more information on service extensions.) The command: @example $ guix system extension-graph @var{file} | dot -Tpdf > services.pdf @end example produces a PDF file showing the extension relations among services. @anchor{system-shepherd-graph} @item shepherd-graph Emit in Dot/Graphviz format to standard output the @dfn{dependency graph} of shepherd services of the operating system defined in @var{file}. @xref{Services Shepherd}, for more information and for an example graph. @end table @node Lancer GuixSD dans une VM @subsection Running GuixSD in a Virtual Machine @cindex virtual machine To run GuixSD in a virtual machine (VM), one can either use the pre-built GuixSD VM image distributed at @indicateurl{ftp://alpha.gnu.org/guix/guixsd-vm-image-@value{VERSION}.@var{system}.tar.xz} , or build their own virtual machine image using @command{guix system vm-image} (@pxref{Invoquer guix system}). The returned image is in qcow2 format, which the @uref{http://qemu.org/, QEMU emulator} can efficiently use. @cindex QEMU If you built your own image, you must copy it out of the store (@pxref{Le dépôt}) and give yourself permission to write to the copy before you can use it. When invoking QEMU, you must choose a system emulator that is suitable for your hardware platform. Here is a minimal QEMU invocation that will boot the result of @command{guix system vm-image} on x86_64 hardware: @example $ qemu-system-x86_64 \ -net user -net nic,model=virtio \ -enable-kvm -m 256 /tmp/qemu-image @end example Here is what each of these options means: @table @code @item qemu-system-x86_64 This specifies the hardware platform to emulate. This should match the host. @item -net user Enable the unprivileged user-mode network stack. The guest OS can access the host but not vice versa. This is the simplest way to get the guest OS online. @item -net nic,model=virtio You must create a network interface of a given model. If you do not create a NIC, the boot will fail. Assuming your hardware platform is x86_64, you can get a list of available NIC models by running @command{qemu-system-x86_64 -net nic,model=help}. @item -enable-kvm If your system has hardware virtualization extensions, enabling the virtual machine support (KVM) of the Linux kernel will make things run faster. @item -m 256 RAM available to the guest OS, in mebibytes. Defaults to 128@tie{}MiB, which may be insufficient for some operations. @item /tmp/qemu-image The file name of the qcow2 image. @end table The default @command{run-vm.sh} script that is returned by an invocation of @command{guix system vm} does not add a @command{-net user} flag by default. To get network access from within the vm add the @code{(dhcp-client-service)} to your system definition and start the VM using @command{`guix system vm config.scm` -net user}. An important caveat of using @command{-net user} for networking is that @command{ping} will not work, because it uses the ICMP protocol. You'll have to use a different command to check for network connectivity, for example @command{guix download}. @subsubsection Connecting Through SSH @cindex SSH @cindex SSH server To enable SSH inside a VM you need to add a SSH server like @code{(dropbear-service)} or @code{(lsh-service)} to your VM. The @code{(lsh-service}) doesn't currently boot unsupervised. It requires you to type some characters to initialize the randomness generator. In addition you need to forward the SSH port, 22 by default, to the host. You can do this with @example `guix system vm config.scm` -net user,hostfwd=tcp::10022-:22 @end example To connect to the VM you can run @example ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 @end example The @command{-p} tells @command{ssh} the port you want to connect to. @command{-o UserKnownHostsFile=/dev/null} prevents @command{ssh} from complaining every time you modify your @command{config.scm} file and the @command{-o StrictHostKeyChecking=no} prevents you from having to allow a connection to an unknown host every time you connect. @subsubsection Using @command{virt-viewer} with Spice As an alternative to the default @command{qemu} graphical client you can use the @command{remote-viewer} from the @command{virt-viewer} package. To connect pass the @command{-spice port=5930,disable-ticketing} flag to @command{qemu}. See previous section for further information on how to do this. Spice also allows you to do some nice stuff like share your clipboard with your VM. To enable that you'll also have to pass the following flags to @command{qemu}: @example -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -chardev spicevmc,name=vdagent,id=vdagent -device virtserialport,nr=1,bus=virtio-serial0.0,chardev=vdagent, name=com.redhat.spice.0 @end example You'll also need to add the @pxref{Services divers, Spice service}. @node Définir des services @subsection Définir des services The previous sections show the available services and how one can combine them in an @code{operating-system} declaration. But how do we define them in the first place? And what is a service anyway? @menu * Composition de services:: Le modèle de composition des services. * Types service et services:: Types et services. * Référence de service:: Référence de l'API@. * Services Shepherd:: Un type de service particulier. @end menu @node Composition de services @subsubsection Composition de services @cindex services @cindex daemons Here we define a @dfn{service} as, broadly, something that extends the functionality of the operating system. Often a service is a process---a @dfn{daemon}---started when the system boots: a secure shell server, a Web server, the Guix build daemon, etc. Sometimes a service is a daemon whose execution can be triggered by another daemon---e.g., an FTP server started by @command{inetd} or a D-Bus service activated by @command{dbus-daemon}. Occasionally, a service does not map to a daemon. For instance, the ``account'' service collects user accounts and makes sure they exist when the system runs; the ``udev'' service collects device management rules and makes them available to the eudev daemon; the @file{/etc} service populates the @file{/etc} directory of the system. @cindex service extensions GuixSD services are connected by @dfn{extensions}. For instance, the secure shell service @emph{extends} the Shepherd---the GuixSD initialization system, running as PID@tie{}1---by giving it the command lines to start and stop the secure shell daemon (@pxref{Services réseau, @code{lsh-service}}); the UPower service extends the D-Bus service by passing it its @file{.service} specification, and extends the udev service by passing it device management rules (@pxref{Services de bureaux, @code{upower-service}}); the Guix daemon service extends the Shepherd by passing it the command lines to start and stop the daemon, and extends the account service by passing it a list of required build user accounts (@pxref{Services de base}). All in all, services and their ``extends'' relations form a directed acyclic graph (DAG). If we represent services as boxes and extensions as arrows, a typical system might provide something like this: @image{images/service-graph,,5in,Typical service extension graph.} @cindex system service At the bottom, we see the @dfn{system service}, which produces the directory containing everything to run and boot the system, as returned by the @command{guix system build} command. @xref{Référence de service}, to learn about the other service types shown here. @xref{system-extension-graph, the @command{guix system extension-graph} command}, for information on how to generate this representation for a particular operating system definition. @cindex service types Technically, developers can define @dfn{service types} to express these relations. There can be any number of services of a given type on the system---for instance, a system running two instances of the GNU secure shell server (lsh) has two instances of @var{lsh-service-type}, with different parameters. The following section describes the programming interface for service types and services. @node Types service et services @subsubsection Types service et services A @dfn{service type} is a node in the DAG described above. Let us start with a simple example, the service type for the Guix build daemon (@pxref{Invoquer guix-daemon}): @example (define guix-service-type (service-type (name 'guix) (extensions (list (service-extension shepherd-root-service-type guix-shepherd-service) (service-extension account-service-type guix-accounts) (service-extension activation-service-type guix-activation))) (default-value (guix-configuration)))) @end example @noindent It defines three things: @enumerate @item A name, whose sole purpose is to make inspection and debugging easier. @item A list of @dfn{service extensions}, where each extension designates the target service type and a procedure that, given the parameters of the service, returns a list of objects to extend the service of that type. Every service type has at least one service extension. The only exception is the @dfn{boot service type}, which is the ultimate service. @item Optionally, a default value for instances of this type. @end enumerate In this example, @var{guix-service-type} extends three services: @table @var @item shepherd-root-service-type The @var{guix-shepherd-service} procedure defines how the Shepherd service is extended. Namely, it returns a @code{} object that defines how @command{guix-daemon} is started and stopped (@pxref{Services Shepherd}). @item account-service-type This extension for this service is computed by @var{guix-accounts}, which returns a list of @code{user-group} and @code{user-account} objects representing the build user accounts (@pxref{Invoquer guix-daemon}). @item activation-service-type Here @var{guix-activation} is a procedure that returns a gexp, which is a code snippet to run at ``activation time''---e.g., when the service is booted. @end table A service of this type is instantiated like this: @example (service guix-service-type (guix-configuration (build-accounts 5) (use-substitutes? #f))) @end example The second argument to the @code{service} form is a value representing the parameters of this specific service instance. @xref{guix-configuration-type, @code{guix-configuration}}, for information about the @code{guix-configuration} data type. When the value is omitted, the default value specified by @code{guix-service-type} is used: @example (service guix-service-type) @end example @var{guix-service-type} is quite simple because it extends other services but is not extensible itself. @c @subsubsubsection Extensible Service Types The service type for an @emph{extensible} service looks like this: @example (define udev-service-type (service-type (name 'udev) (extensions (list (service-extension shepherd-root-service-type udev-shepherd-service))) (compose concatenate) ;concatenate the list of rules (extend (lambda (config rules) (match config (($ udev initial-rules) (udev-configuration (udev udev) ;the udev package to use (rules (append initial-rules rules))))))))) @end example This is the service type for the @uref{https://wiki.gentoo.org/wiki/Project:Eudev, eudev device management daemon}. Compared to the previous example, in addition to an extension of @var{shepherd-root-service-type}, we see two new fields: @table @code @item compose This is the procedure to @dfn{compose} the list of extensions to services of this type. Services can extend the udev service by passing it lists of rules; we compose those extensions simply by concatenating them. @item extend This procedure defines how the value of the service is @dfn{extended} with the composition of the extensions. Udev extensions are composed into a list of rules, but the udev service value is itself a @code{} record. So here, we extend that record by appending the list of rules it contains to the list of contributed rules. @item description This is a string giving an overview of the service type. The string can contain Texinfo markup (@pxref{Overview,,, texinfo, GNU Texinfo}). The @command{guix system search} command searches these strings and displays them (@pxref{Invoquer guix system}). @end table There can be only one instance of an extensible service type such as @var{udev-service-type}. If there were more, the @code{service-extension} specifications would be ambiguous. Still here? The next section provides a reference of the programming interface for services. @node Référence de service @subsubsection Référence de service We have seen an overview of service types (@pxref{Types service et services}). This section provides a reference on how to manipulate services and service types. This interface is provided by the @code{(gnu services)} module. @deffn {Scheme Procedure} service @var{type} [@var{value}] Return a new service of @var{type}, a @code{} object (see below.) @var{value} can be any object; it represents the parameters of this particular service instance. When @var{value} is omitted, the default value specified by @var{type} is used; if @var{type} does not specify a default value, an error is raised. For instance, this: @example (service openssh-service-type) @end example @noindent is equivalent to this: @example (service openssh-service-type (openssh-configuration)) @end example In both cases the result is an instance of @code{openssh-service-type} with the default configuration. @end deffn @deffn {Scheme Procedure} service? @var{obj} Return true if @var{obj} is a service. @end deffn @deffn {Scheme Procedure} service-kind @var{service} Return the type of @var{service}---i.e., a @code{} object. @end deffn @deffn {Scheme Procedure} service-value @var{service} Return the value associated with @var{service}. It represents its parameters. @end deffn Here is an example of how a service is created and manipulated: @example (define s (service nginx-service-type (nginx-configuration (nginx nginx) (log-directory log-directory) (run-directory run-directory) (file config-file)))) (service? s) @result{} #t (eq? (service-kind s) nginx-service-type) @result{} #t @end example The @code{modify-services} form provides a handy way to change the parameters of some of the services of a list such as @var{%base-services} (@pxref{Services de base, @code{%base-services}}). It evaluates to a list of services. Of course, you could always use standard list combinators such as @code{map} and @code{fold} to do that (@pxref{SRFI-1, List Library,, guile, GNU Guile Reference Manual}); @code{modify-services} simply provides a more concise form for this common pattern. @deffn {Scheme Syntax} modify-services @var{services} @ (@var{type} @var{variable} => @var{body}) @dots{} Modify the services listed in @var{services} according to the given clauses. Each clause has the form: @example (@var{type} @var{variable} => @var{body}) @end example where @var{type} is a service type---e.g., @code{guix-service-type}---and @var{variable} is an identifier that is bound within the @var{body} to the service parameters---e.g., a @code{guix-configuration} instance---of the original service of that @var{type}. The @var{body} should evaluate to the new service parameters, which will be used to configure the new service. This new service will replace the original in the resulting list. Because a service's service parameters are created using @code{define-record-type*}, you can write a succinct @var{body} that evaluates to the new service parameters by using the @code{inherit} feature that @code{define-record-type*} provides. @xref{Utiliser le système de configuration}, for example usage. @end deffn Next comes the programming interface for service types. This is something you want to know when writing new service definitions, but not necessarily when simply looking for ways to customize your @code{operating-system} declaration. @deftp {Data Type} service-type @cindex service type This is the representation of a @dfn{service type} (@pxref{Types service et services}). @table @asis @item @code{name} This is a symbol, used only to simplify inspection and debugging. @item @code{extensions} A non-empty list of @code{} objects (see below). @item @code{compose} (default: @code{#f}) If this is @code{#f}, then the service type denotes services that cannot be extended---i.e., services that do not receive ``values'' from other services. Otherwise, it must be a one-argument procedure. The procedure is called by @code{fold-services} and is passed a list of values collected from extensions. It may return any single value. @item @code{extend} (default: @code{#f}) If this is @code{#f}, services of this type cannot be extended. Otherwise, it must be a two-argument procedure: @code{fold-services} calls it, passing it the initial value of the service as the first argument and the result of applying @code{compose} to the extension values as the second argument. It must return a value that is a valid parameter value for the service instance. @end table @xref{Types service et services}, for examples. @end deftp @deffn {Scheme Procedure} service-extension @var{target-type} @ @var{compute} Return a new extension for services of type @var{target-type}. @var{compute} must be a one-argument procedure: @code{fold-services} calls it, passing it the value associated with the service that provides the extension; it must return a valid value for the target service. @end deffn @deffn {Scheme Procedure} service-extension? @var{obj} Return true if @var{obj} is a service extension. @end deffn Occasionally, you might want to simply extend an existing service. This involves creating a new service type and specifying the extension of interest, which can be verbose; the @code{simple-service} procedure provides a shorthand for this. @deffn {Scheme Procedure} simple-service @var{name} @var{target} @var{value} Return a service that extends @var{target} with @var{value}. This works by creating a singleton service type @var{name}, of which the returned service is an instance. For example, this extends mcron (@pxref{Exécution de tâches planifiées}) with an additional job: @example (simple-service 'my-mcron-job mcron-service-type #~(job '(next-hour (3)) "guix gc -F 2G")) @end example @end deffn At the core of the service abstraction lies the @code{fold-services} procedure, which is responsible for ``compiling'' a list of services down to a single directory that contains everything needed to boot and run the system---the directory shown by the @command{guix system build} command (@pxref{Invoquer guix system}). In essence, it propagates service extensions down the service graph, updating each node parameters on the way, until it reaches the root node. @deffn {Scheme Procedure} fold-services @var{services} @ [#:target-type @var{system-service-type}] Fold @var{services} by propagating their extensions down to the root of type @var{target-type}; return the root service adjusted accordingly. @end deffn Lastly, the @code{(gnu services)} module also defines several essential service types, some of which are listed below. @defvr {Scheme Variable} system-service-type This is the root of the service graph. It produces the system directory as returned by the @command{guix system build} command. @end defvr @defvr {Scheme Variable} boot-service-type The type of the ``boot service'', which produces the @dfn{boot script}. The boot script is what the initial RAM disk runs when booting. @end defvr @defvr {Scheme Variable} etc-service-type The type of the @file{/etc} service. This service is used to create files under @file{/etc} and can be extended by passing it name/file tuples such as: @example (list `("issue" ,(plain-file "issue" "Welcome!\n"))) @end example In this example, the effect would be to add an @file{/etc/issue} file pointing to the given file. @end defvr @defvr {Scheme Variable} setuid-program-service-type Type for the ``setuid-program service''. This service collects lists of executable file names, passed as gexps, and adds them to the set of setuid-root programs on the system (@pxref{Programmes setuid}). @end defvr @defvr {Scheme Variable} profile-service-type Type of the service that populates the @dfn{system profile}---i.e., the programs under @file{/run/current-system/profile}. Other services can extend it by passing it lists of packages to add to the system profile. @end defvr @node Services Shepherd @subsubsection Services Shepherd @cindex shepherd services @cindex PID 1 @cindex init system The @code{(gnu services shepherd)} module provides a way to define services managed by the GNU@tie{}Shepherd, which is the GuixSD initialization system---the first process that is started when the system boots, also known as PID@tie{}1 (@pxref{Introduction,,, shepherd, The GNU Shepherd Manual}). Services in the Shepherd can depend on each other. For instance, the SSH daemon may need to be started after the syslog daemon has been started, which in turn can only happen once all the file systems have been mounted. The simple operating system defined earlier (@pxref{Utiliser le système de configuration}) results in a service graph like this: @image{images/shepherd-graph,,5in,Typical shepherd service graph.} You can actually generate such a graph for any operating system definition using the @command{guix system shepherd-graph} command (@pxref{system-shepherd-graph, @command{guix system shepherd-graph}}). The @var{%shepherd-root-service} is a service object representing PID@tie{}1, of type @var{shepherd-root-service-type}; it can be extended by passing it lists of @code{} objects. @deftp {Data Type} shepherd-service The data type representing a service managed by the Shepherd. @table @asis @item @code{provision} This is a list of symbols denoting what the service provides. These are the names that may be passed to @command{herd start}, @command{herd status}, and similar commands (@pxref{Invoking herd,,, shepherd, The GNU Shepherd Manual}). @xref{Slots of services, the @code{provides} slot,, shepherd, The GNU Shepherd Manual}, for details. @item @code{requirements} (default: @code{'()}) List of symbols denoting the Shepherd services this one depends on. @item @code{respawn?} (default: @code{#t}) Whether to restart the service when it stops, for instance when the underlying process dies. @item @code{start} @itemx @code{stop} (default: @code{#~(const #f)}) The @code{start} and @code{stop} fields refer to the Shepherd's facilities to start and stop processes (@pxref{Service De- and Constructors,,, shepherd, The GNU Shepherd Manual}). They are given as G-expressions that get expanded in the Shepherd configuration file (@pxref{G-Expressions}). @item @code{documentation} A documentation string, as shown when running: @example herd doc @var{service-name} @end example where @var{service-name} is one of the symbols in @var{provision} (@pxref{Invoking herd,,, shepherd, The GNU Shepherd Manual}). @item @code{modules} (default: @var{%default-modules}) This is the list of modules that must be in scope when @code{start} and @code{stop} are evaluated. @end table @end deftp @defvr {Scheme Variable} shepherd-root-service-type The service type for the Shepherd ``root service''---i.e., PID@tie{}1. This is the service type that extensions target when they want to create shepherd services (@pxref{Types service et services}, for an example). Each extension must pass a list of @code{}. @end defvr @defvr {Scheme Variable} %shepherd-root-service This service represents PID@tie{}1. @end defvr @node Documentation @section Documentation @cindex documentation, searching for @cindex searching for documentation @cindex Info, documentation format @cindex man pages @cindex manual pages In most cases packages installed with Guix come with documentation. There are two main documentation formats: ``Info'', a browseable hypertext format used for GNU software, and ``manual pages'' (or ``man pages''), the linear documentation format traditionally found on Unix. Info manuals are accessed with the @command{info} command or with Emacs, and man pages are accessed using @command{man}. You can look for documentation of software installed on your system by keyword. For example, the following command searches for information about ``TLS'' in Info manuals: @example $ info -k TLS "(emacs)Network Security" -- STARTTLS "(emacs)Network Security" -- TLS "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_flags "(gnutls)Core TLS API" -- gnutls_certificate_set_verify_function @dots{} @end example @noindent The command below searches for the same keyword in man pages: @example $ man -k TLS SSL (7) - OpenSSL SSL/TLS library certtool (1) - GnuTLS certificate tool @dots {} @end example These searches are purely local to your computer so you have the guarantee that documentation you find corresponds to what you have actually installed, you can access it off-line, and your privacy is respected. Once you have these results, you can view the relevant documentation by running, say: @example $ info "(gnutls)Core TLS API" @end example @noindent or: @example $ man certtool @end example Info manuals contain sections and indices as well as hyperlinks like those found in Web pages. The @command{info} reader (@pxref{Top, Info reader,, info-stnd, Stand-alone GNU Info}) and its Emacs counterpart (@pxref{Misc Help,,, emacs, The GNU Emacs Manual}) provide intuitive key bindings to navigate manuals. @xref{Getting Started,,, info, Info: An Introduction}, for an introduction to Info navigation. @node Installer les fichiers de débogage @section Installer les fichiers de débogage @cindex debugging files Program binaries, as produced by the GCC compilers for instance, are typically written in the ELF format, with a section containing @dfn{debugging information}. Debugging information is what allows the debugger, GDB, to map binary code to source code; it is required to debug a compiled program in good conditions. Le problème avec les informations de débogage est qu'elles prennent pas mal de place sur le disque. Par exemple, les informations de débogage de la bibliothèque C de GNU prend plus de 60 Mo. Ainsi, en tant qu'utilisateur, garder toutes les informations de débogage de tous les programmes installés n'est souvent pas une possibilité. Cependant, l'économie d'espace ne devrait pas empêcher le débogage — en particulier, dans le système GNU, qui devrait faciliter pour ses utilisateurs l'exercice de leurs libertés (@pxref{Distribution GNU}). Thankfully, the GNU Binary Utilities (Binutils) and GDB provide a mechanism that allows users to get the best of both worlds: debugging information can be stripped from the binaries and stored in separate files. GDB is then able to load debugging information from those files, when they are available (@pxref{Separate Debug Files,,, gdb, Debugging with GDB}). The GNU distribution takes advantage of this by storing debugging information in the @code{lib/debug} sub-directory of a separate package output unimaginatively called @code{debug} (@pxref{Des paquets avec plusieurs résultats}). Users can choose to install the @code{debug} output of a package when they need it. For instance, the following command installs the debugging information for the GNU C Library and for GNU Guile: @example guix package -i glibc:debug guile:debug @end example GDB must then be told to look for debug files in the user's profile, by setting the @code{debug-file-directory} variable (consider setting it from the @file{~/.gdbinit} file, @pxref{Startup,,, gdb, Debugging with GDB}): @example (gdb) set debug-file-directory ~/.guix-profile/lib/debug @end example From there on, GDB will pick up debugging information from the @code{.debug} files under @file{~/.guix-profile/lib/debug}. In addition, you will most likely want GDB to be able to show the source code being debugged. To do that, you will have to unpack the source code of the package of interest (obtained with @code{guix build --source}, @pxref{Invoquer guix build}), and to point GDB to that source directory using the @code{directory} command (@pxref{Source Path, @code{directory},, gdb, Debugging with GDB}). @c XXX: keep me up-to-date The @code{debug} output mechanism in Guix is implemented by the @code{gnu-build-system} (@pxref{Systèmes de construction}). Currently, it is opt-in---debugging information is available only for the packages with definitions explicitly declaring a @code{debug} output. This may be changed to opt-out in the future if our build farm servers can handle the load. To check whether a package has a @code{debug} output, use @command{guix package --list-available} (@pxref{Invoquer guix package}). @node Mises à jour de sécurité @section Mises à jour de sécurité @cindex security updates @cindex security vulnerabilities Occasionally, important security vulnerabilities are discovered in software packages and must be patched. Guix developers try hard to keep track of known vulnerabilities and to apply fixes as soon as possible in the @code{master} branch of Guix (we do not yet provide a ``stable'' branch containing only security updates.) The @command{guix lint} tool helps developers find out about vulnerable versions of software packages in the distribution: @smallexample $ guix lint -c cve gnu/packages/base.scm:652:2: glibc@@2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547 gnu/packages/gcc.scm:334:2: gcc@@4.9.3: probably vulnerable to CVE-2015-5276 gnu/packages/image.scm:312:2: openjpeg@@2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924 @dots{} @end smallexample @xref{Invoquer guix lint}, for more information. @quotation Remarque As of version @value{VERSION}, the feature described below is considered ``beta''. @end quotation Guix suit une discipline de gestion de paquets fonctionnelle (@pxref{Introduction}), ce qui implique que lorsqu'un paquet change, @emph{tous les paquets qui en dépendent} doivent être reconstruits. Cela peut grandement ralentir le déploiement de corrections dans les paquets du cœur comme libc ou bash comme presque toute la distribution aurait besoin d'être reconstruite. Cela aide d'utiliser des binaires pré-construits (@pxref{Substituts}), mais le déploiement peut toujours prendre plus de temps de souhaité. @cindex grafts To address this, Guix implements @dfn{grafts}, a mechanism that allows for fast deployment of critical updates without the costs associated with a whole-distribution rebuild. The idea is to rebuild only the package that needs to be patched, and then to ``graft'' it onto packages explicitly installed by the user and that were previously referring to the original package. The cost of grafting is typically very low, and order of magnitudes lower than a full rebuild of the dependency chain. @cindex replacements of packages, for grafts For instance, suppose a security update needs to be applied to Bash. Guix developers will provide a package definition for the ``fixed'' Bash, say @var{bash-fixed}, in the usual way (@pxref{Définition des paquets}). Then, the original package definition is augmented with a @code{replacement} field pointing to the package containing the bug fix: @example (define bash (package (name "bash") ;; @dots{} (replacement bash-fixed))) @end example From there on, any package depending directly or indirectly on Bash---as reported by @command{guix gc --requisites} (@pxref{Invoquer guix gc})---that is installed is automatically ``rewritten'' to refer to @var{bash-fixed} instead of @var{bash}. This grafting process takes time proportional to the size of the package, usually less than a minute for an ``average'' package on a recent machine. Grafting is recursive: when an indirect dependency requires grafting, then grafting ``propagates'' up to the package that the user is installing. Currently, the length of the name and version of the graft and that of the package it replaces (@var{bash-fixed} and @var{bash} in the example above) must be equal. This restriction mostly comes from the fact that grafting works by patching files, including binary files, directly. Other restrictions may apply: for instance, when adding a graft to a package providing a shared library, the original shared library and its replacement must have the same @code{SONAME} and be binary-compatible. The @option{--no-grafts} command-line option allows you to forcefully avoid grafting (@pxref{Options de construction communes, @option{--no-grafts}}). Thus, the command: @example guix build bash --no-grafts @end example @noindent returns the store file name of the original Bash, whereas: @example guix build bash @end example @noindent returns the store file name of the ``fixed'', replacement Bash. This allows you to distinguish between the two variants of Bash. To verify which Bash your whole profile refers to, you can run (@pxref{Invoquer guix gc}): @example guix gc -R `readlink -f ~/.guix-profile` | grep bash @end example @noindent @dots{} and compare the store file names that you get with those above. Likewise for a complete GuixSD system generation: @example guix gc -R `guix system build my-config.scm` | grep bash @end example Lastly, to check which Bash running processes are using, you can use the @command{lsof} command: @example lsof | grep /gnu/store/.*bash @end example @node Modules de paquets @section Modules de paquets From a programming viewpoint, the package definitions of the GNU distribution are provided by Guile modules in the @code{(gnu packages @dots{})} name space@footnote{Note that packages under the @code{(gnu packages @dots{})} module name space are not necessarily ``GNU packages''. This module naming scheme follows the usual Guile module naming convention: @code{gnu} means that these modules are distributed as part of the GNU system, and @code{packages} identifies modules that define packages.} (@pxref{Modules, Guile modules,, guile, GNU Guile Reference Manual}). For instance, the @code{(gnu packages emacs)} module exports a variable named @code{emacs}, which is bound to a @code{} object (@pxref{Définition des paquets}). The @code{(gnu packages @dots{})} module name space is automatically scanned for packages by the command-line tools. For instance, when running @code{guix package -i emacs}, all the @code{(gnu packages @dots{})} modules are scanned until one that exports a package object whose name is @code{emacs} is found. This package search facility is implemented in the @code{(gnu packages)} module. @cindex personnalisation, des paquets @cindex package module search path Users can store package definitions in modules with different names---e.g., @code{(my-packages emacs)}@footnote{Note that the file name and module name must match. For instance, the @code{(my-packages emacs)} module must be stored in a @file{my-packages/emacs.scm} file relative to the load path specified with @option{--load-path} or @code{GUIX_PACKAGE_PATH}. @xref{Modules and the File System,,, guile, GNU Guile Reference Manual}, for details.}. These package definitions will not be visible by default. Users can invoke commands such as @command{guix package} and @command{guix build} with the @code{-e} option so that they know where to find the package. Better yet, they can use the @code{-L} option of these commands to make those modules visible (@pxref{Invoquer guix build, @code{--load-path}}), or define the @code{GUIX_PACKAGE_PATH} environment variable. This environment variable makes it easy to extend or customize the distribution and is honored by all the user interfaces. @defvr {Environment Variable} GUIX_PACKAGE_PATH This is a colon-separated list of directories to search for additional package modules. Directories listed in this variable take precedence over the own modules of the distribution. @end defvr The distribution is fully @dfn{bootstrapped} and @dfn{self-contained}: each package is built based solely on other packages in the distribution. The root of this dependency graph is a small set of @dfn{bootstrap binaries}, provided by the @code{(gnu packages bootstrap)} module. For more information on bootstrapping, @pxref{Bootstrapping}. @node Consignes d'empaquetage @section Consignes d'empaquetage @cindex packages, creating The GNU distribution is nascent and may well lack some of your favorite packages. This section describes how you can help make the distribution grow. @xref{Contribuer}, for additional information on how you can help. Free software packages are usually distributed in the form of @dfn{source code tarballs}---typically @file{tar.gz} files that contain all the source files. Adding a package to the distribution means essentially two things: adding a @dfn{recipe} that describes how to build the package, including a list of other packages required to build it, and adding @dfn{package metadata} along with that recipe, such as a description and licensing information. In Guix all this information is embodied in @dfn{package definitions}. Package definitions provide a high-level view of the package. They are written using the syntax of the Scheme programming language; in fact, for each package we define a variable bound to the package definition, and export that variable from a module (@pxref{Modules de paquets}). However, in-depth Scheme knowledge is @emph{not} a prerequisite for creating packages. For more information on package definitions, @pxref{Définition des paquets}. Once a package definition is in place, stored in a file in the Guix source tree, it can be tested using the @command{guix build} command (@pxref{Invoquer guix build}). For example, assuming the new package is called @code{gnew}, you may run this command from the Guix build tree (@pxref{Lancer Guix avant qu'il ne soit installé}): @example ./pre-inst-env guix build gnew --keep-failed @end example Using @code{--keep-failed} makes it easier to debug build failures since it provides access to the failed build tree. Another useful command-line option when debugging is @code{--log-file}, to access the build log. If the package is unknown to the @command{guix} command, it may be that the source file contains a syntax error, or lacks a @code{define-public} clause to export the package variable. To figure it out, you may load the module from Guile to get more information about the actual error: @example ./pre-inst-env guile -c '(use-modules (gnu packages gnew))' @end example Once your package builds correctly, please send us a patch (@pxref{Contribuer}). Well, if you need help, we will be happy to help you too. Once the patch is committed in the Guix repository, the new package automatically gets built on the supported platforms by @url{http://hydra.gnu.org/jobset/gnu/master, our continuous integration system}. @cindex substituter On peut obtenir la nouvelle définition du paquet simplement en lançant @command{guix pull} (@pxref{Invoquer guix pull}). Lorsque @code{hydra.gnu.org} a fini de construire le paquet, l'installation du paquet y télécharge automatiquement les binaires (@pxref{Substituts}). La seule intervention humaine requise est pendant la revue et l'application du correctif. @menu * Liberté logiciel:: Ce que la distribution peut contenir. * Conventions de nommage:: Qu'est-ce qu'un bon nom ? * Numéros de version:: Lorsque le nom n'est pas suffisant. * Synopsis et descriptions:: Aider les utilisateurs à trouver le bon paquet. * Modules python:: Un peu de comédie anglaise. * Modules perl:: Petites perles. * Paquets java:: Pause café. * Polices de caractères:: À fond les fontes. @end menu @node Liberté logiciel @subsection Liberté logiciel @c Adapted from http://www.gnu.org/philosophy/philosophy.html. @cindex free software The GNU operating system has been developed so that users can have freedom in their computing. GNU is @dfn{free software}, meaning that users have the @url{http://www.gnu.org/philosophy/free-sw.html,four essential freedoms}: to run the program, to study and change the program in source code form, to redistribute exact copies, and to distribute modified versions. Packages found in the GNU distribution provide only software that conveys these four freedoms. In addition, the GNU distribution follow the @url{http://www.gnu.org/distros/free-system-distribution-guidelines.html,free software distribution guidelines}. Among other things, these guidelines reject non-free firmware, recommendations of non-free software, and discuss ways to deal with trademarks and patents. Some otherwise free upstream package sources contain a small and optional subset that violates the above guidelines, for instance because this subset is itself non-free code. When that happens, the offending items are removed with appropriate patches or code snippets in the @code{origin} form of the package (@pxref{Définition des paquets}). This way, @code{guix build --source} returns the ``freed'' source rather than the unmodified upstream source. @node Conventions de nommage @subsection Conventions de nommage @cindex package name A package has actually two names associated with it: First, there is the name of the @emph{Scheme variable}, the one following @code{define-public}. By this name, the package can be made known in the Scheme code, for instance as input to another package. Second, there is the string in the @code{name} field of a package definition. This name is used by package management commands such as @command{guix package} and @command{guix build}. Both are usually the same and correspond to the lowercase conversion of the project name chosen upstream, with underscores replaced with hyphens. For instance, GNUnet is available as @code{gnunet}, and SDL_net as @code{sdl-net}. We do not add @code{lib} prefixes for library packages, unless these are already part of the official project name. But @pxref{Modules python} and @ref{Modules perl} for special rules concerning modules for the Python and Perl languages. Font package names are handled differently, @pxref{Polices de caractères}. @node Numéros de version @subsection Numéros de version @cindex package version We usually package only the latest version of a given free software project. But sometimes, for instance for incompatible library versions, two (or more) versions of the same package are needed. These require different Scheme variable names. We use the name as defined in @ref{Conventions de nommage} for the most recent version; previous versions use the same name, suffixed by @code{-} and the smallest prefix of the version number that may distinguish the two versions. The name inside the package definition is the same for all versions of a package and does not contain any version number. For instance, the versions 2.24.20 and 3.9.12 of GTK+ may be packaged as follows: @example (define-public gtk+ (package (name "gtk+") (version "3.9.12") ...)) (define-public gtk+-2 (package (name "gtk+") (version "2.24.20") ...)) @end example If we also wanted GTK+ 3.8.2, this would be packaged as @example (define-public gtk+-3.8 (package (name "gtk+") (version "3.8.2") ...)) @end example @c See , @c for a discussion of what follows. @cindex version number, for VCS snapshots Occasionally, we package snapshots of upstream's version control system (VCS) instead of formal releases. This should remain exceptional, because it is up to upstream developers to clarify what the stable release is. Yet, it is sometimes necessary. So, what should we put in the @code{version} field? Clearly, we need to make the commit identifier of the VCS snapshot visible in the version string, but we also need to make sure that the version string is monotonically increasing so that @command{guix package --upgrade} can determine which version is newer. Since commit identifiers, notably with Git, are not monotonically increasing, we add a revision number that we increase each time we upgrade to a newer snapshot. The resulting version string looks like this: @example 2.0.11-3.cabba9e ^ ^ ^ | | `-- upstream commit ID | | | `--- Guix package revision | latest upstream version @end example It is a good idea to strip commit identifiers in the @code{version} field to, say, 7 digits. It avoids an aesthetic annoyance (assuming aesthetics have a role to play here) as well as problems related to OS limits such as the maximum shebang length (127 bytes for the Linux kernel.) It is best to use the full commit identifiers in @code{origin}s, though, to avoid ambiguities. A typical package definition may look like this: @example (define my-package (let ((commit "c3f29bc928d5900971f65965feaae59e1272a3f7") (revision "1")) ;révision du paquet Guix (package (version (git-version "0.9" revision commit)) (source (origin (method git-fetch) (uri (git-reference (url "git://example.org/my-package.git") (commit commit))) (sha256 (base32 "1mbikn@dots{}")) (file-name (git-file-name name version)))) ;; @dots{} ))) @end example @node Synopsis et descriptions @subsection Synopsis et descriptions @cindex package description @cindex package synopsis As we have seen before, each package in GNU@tie{}Guix includes a synopsis and a description (@pxref{Définition des paquets}). Synopses and descriptions are important: They are what @command{guix package --search} searches, and a crucial piece of information to help users determine whether a given package suits their needs. Consequently, packagers should pay attention to what goes into them. Synopses must start with a capital letter and must not end with a period. They must not start with ``a'' or ``the'', which usually does not bring anything; for instance, prefer ``File-frobbing tool'' over ``A tool that frobs files''. The synopsis should say what the package is---e.g., ``Core GNU utilities (file, text, shell)''---or what it is used for---e.g., the synopsis for GNU@tie{}grep is ``Print lines matching a pattern''. Keep in mind that the synopsis must be meaningful for a very wide audience. For example, ``Manipulate alignments in the SAM format'' might make sense for a seasoned bioinformatics researcher, but might be fairly unhelpful or even misleading to a non-specialized audience. It is a good idea to come up with a synopsis that gives an idea of the application domain of the package. In this example, this might give something like ``Manipulate nucleotide sequence alignments'', which hopefully gives the user a better idea of whether this is what they are looking for. Descriptions should take between five and ten lines. Use full sentences, and avoid using acronyms without first introducing them. Please avoid marketing phrases such as ``world-leading'', ``industrial-strength'', and ``next-generation'', and avoid superlatives like ``the most advanced''---they are not helpful to users looking for a package and may even sound suspicious. Instead, try to be factual, mentioning use cases and features. @cindex Texinfo markup, in package descriptions Descriptions can include Texinfo markup, which is useful to introduce ornaments such as @code{@@code} or @code{@@dfn}, bullet lists, or hyperlinks (@pxref{Overview,,, texinfo, GNU Texinfo}). However you should be careful when using some characters for example @samp{@@} and curly braces which are the basic special characters in Texinfo (@pxref{Special Characters,,, texinfo, GNU Texinfo}). User interfaces such as @command{guix package --show} take care of rendering it appropriately. Synopses and descriptions are translated by volunteers @uref{http://translationproject.org/domain/guix-packages.html, at the Translation Project} so that as many users as possible can read them in their native language. User interfaces search them and display them in the language specified by the current locale. To allow @command{xgettext} to extract them as translatable strings, synopses and descriptions @emph{must be literal strings}. This means that you cannot use @code{string-append} or @code{format} to construct these strings: @lisp (package ;; @dots{} (synopsis "This is translatable") (description (string-append "This is " "*not*" " translatable."))) @end lisp Translation is a lot of work so, as a packager, please pay even more attention to your synopses and descriptions as every change may entail additional work for translators. In order to help them, it is possible to make recommendations or instructions visible to them by inserting special comments like this (@pxref{xgettext Invocation,,, gettext, GNU Gettext}): @example ;; TRANSLATORS: "X11 resize-and-rotate" should not be translated. (description "ARandR is designed to provide a simple visual front end for the X11 resize-and-rotate (RandR) extension. @dots{}") @end example @node Modules python @subsection Modules python @cindex python We currently package Python 2 and Python 3, under the Scheme variable names @code{python-2} and @code{python} as explained in @ref{Numéros de version}. To avoid confusion and naming clashes with other programming languages, it seems desirable that the name of a package for a Python module contains the word @code{python}. Some modules are compatible with only one version of Python, others with both. If the package Foo compiles only with Python 3, we name it @code{python-foo}; if it compiles only with Python 2, we name it @code{python2-foo}. If it is compatible with both versions, we create two packages with the corresponding names. If a project already contains the word @code{python}, we drop this; for instance, the module python-dateutil is packaged under the names @code{python-dateutil} and @code{python2-dateutil}. If the project name starts with @code{py} (e.g. @code{pytz}), we keep it and prefix it as described above. @subsubsection Specifying Dependencies @cindex inputs, for Python packages Dependency information for Python packages is usually available in the package source tree, with varying degrees of accuracy: in the @file{setup.py} file, in @file{requirements.txt}, or in @file{tox.ini}. Your mission, when writing a recipe for a Python package, is to map these dependencies to the appropriate type of ``input'' (@pxref{Référence de paquet, inputs}). Although the @code{pypi} importer normally does a good job (@pxref{Invoquer guix import}), you may want to check the following check list to determine which dependency goes where. @itemize @item We currently package Python 2 with @code{setuptools} and @code{pip} installed like Python 3.4 has per default. Thus you don't need to specify either of these as an input. @command{guix lint} will warn you if you do. @item Python dependencies required at run time go into @code{propagated-inputs}. They are typically defined with the @code{install_requires} keyword in @file{setup.py}, or in the @file{requirements.txt} file. @item Python packages required only at build time---e.g., those listed with the @code{setup_requires} keyword in @file{setup.py}---or only for testing---e.g., those in @code{tests_require}---go into @code{native-inputs}. The rationale is that (1) they do not need to be propagated because they are not needed at run time, and (2) in a cross-compilation context, it's the ``native'' input that we'd want. Examples are the @code{pytest}, @code{mock}, and @code{nose} test frameworks. Of course if any of these packages is also required at run-time, it needs to go to @code{propagated-inputs}. @item Anything that does not fall in the previous categories goes to @code{inputs}, for example programs or C libraries required for building Python packages containing C extensions. @item If a Python package has optional dependencies (@code{extras_require}), it is up to you to decide whether to add them or not, based on their usefulness/overhead ratio (@pxref{Envoyer des correctifs, @command{guix size}}). @end itemize @node Modules perl @subsection Modules perl @cindex perl Perl programs standing for themselves are named as any other package, using the lowercase upstream name. For Perl packages containing a single class, we use the lowercase class name, replace all occurrences of @code{::} by dashes and prepend the prefix @code{perl-}. So the class @code{XML::Parser} becomes @code{perl-xml-parser}. Modules containing several classes keep their lowercase upstream name and are also prepended by @code{perl-}. Such modules tend to have the word @code{perl} somewhere in their name, which gets dropped in favor of the prefix. For instance, @code{libwww-perl} becomes @code{perl-libwww}. @node Paquets java @subsection Paquets java @cindex java Java programs standing for themselves are named as any other package, using the lowercase upstream name. To avoid confusion and naming clashes with other programming languages, it is desirable that the name of a package for a Java package is prefixed with @code{java-}. If a project already contains the word @code{java}, we drop this; for instance, the package @code{ngsjava} is packaged under the name @code{java-ngs}. For Java packages containing a single class or a small class hierarchy, we use the lowercase class name, replace all occurrences of @code{.} by dashes and prepend the prefix @code{java-}. So the class @code{apache.commons.cli} becomes package @code{java-apache-commons-cli}. @node Polices de caractères @subsection Polices de caractères @cindex polices For fonts that are in general not installed by a user for typesetting purposes, or that are distributed as part of a larger software package, we rely on the general packaging rules for software; for instance, this applies to the fonts delivered as part of the X.Org system or fonts that are part of TeX Live. To make it easier for a user to search for fonts, names for other packages containing only fonts are constructed as follows, independently of the upstream package name. The name of a package containing only one font family starts with @code{font-}; it is followed by the foundry name and a dash @code{-} if the foundry is known, and the font family name, in which spaces are replaced by dashes (and as usual, all upper case letters are transformed to lower case). For example, the Gentium font family by SIL is packaged under the name @code{font-sil-gentium}. For a package containing several font families, the name of the collection is used in the place of the font family name. For instance, the Liberation fonts consist of three families, Liberation Sans, Liberation Serif and Liberation Mono. These could be packaged separately under the names @code{font-liberation-sans} and so on; but as they are distributed together under a common name, we prefer to package them together as @code{font-liberation}. In the case where several formats of the same font family or font collection are packaged separately, a short form of the format, prepended by a dash, is added to the package name. We use @code{-ttf} for TrueType fonts, @code{-otf} for OpenType fonts and @code{-type1} for PostScript Type 1 fonts. @node Bootstrapping @section Bootstrapping @c Adapted from the ELS 2013 paper. @cindex bootstrapping Bootstrapping in our context refers to how the distribution gets built ``from nothing''. Remember that the build environment of a derivation contains nothing but its declared inputs (@pxref{Introduction}). So there's an obvious chicken-and-egg problem: how does the first package get built? How does the first compiler get compiled? Note that this is a question of interest only to the curious hacker, not to the regular user, so you can shamelessly skip this section if you consider yourself a ``regular user''. @cindex bootstrap binaries The GNU system is primarily made of C code, with libc at its core. The GNU build system itself assumes the availability of a Bourne shell and command-line tools provided by GNU Coreutils, Awk, Findutils, `sed', and `grep'. Furthermore, build programs---programs that run @code{./configure}, @code{make}, etc.---are written in Guile Scheme (@pxref{Dérivations}). Consequently, to be able to build anything at all, from scratch, Guix relies on pre-built binaries of Guile, GCC, Binutils, libc, and the other packages mentioned above---the @dfn{bootstrap binaries}. These bootstrap binaries are ``taken for granted'', though we can also re-create them if needed (more on that later). @unnumberedsubsec Preparing to Use the Bootstrap Binaries @c As of Emacs 24.3, Info-mode displays the image, but since it's a @c large image, it's hard to scroll. Oh well. @image{images/bootstrap-graph,6in,,Dependency graph of the early bootstrap derivations} The figure above shows the very beginning of the dependency graph of the distribution, corresponding to the package definitions of the @code{(gnu packages bootstrap)} module. A similar figure can be generated with @command{guix graph} (@pxref{Invoquer guix graph}), along the lines of: @example guix graph -t derivation \ -e '(@@@@ (gnu packages bootstrap) %bootstrap-gcc)' \ | dot -Tps > t.ps @end example At this level of detail, things are slightly complex. First, Guile itself consists of an ELF executable, along with many source and compiled Scheme files that are dynamically loaded when it runs. This gets stored in the @file{guile-2.0.7.tar.xz} tarball shown in this graph. This tarball is part of Guix's ``source'' distribution, and gets inserted into the store with @code{add-to-store} (@pxref{Le dépôt}). But how do we write a derivation that unpacks this tarball and adds it to the store? To solve this problem, the @code{guile-bootstrap-2.0.drv} derivation---the first one that gets built---uses @code{bash} as its builder, which runs @code{build-bootstrap-guile.sh}, which in turn calls @code{tar} to unpack the tarball. Thus, @file{bash}, @file{tar}, @file{xz}, and @file{mkdir} are statically-linked binaries, also part of the Guix source distribution, whose sole purpose is to allow the Guile tarball to be unpacked. Once @code{guile-bootstrap-2.0.drv} is built, we have a functioning Guile that can be used to run subsequent build programs. Its first task is to download tarballs containing the other pre-built binaries---this is what the @code{.tar.xz.drv} derivations do. Guix modules such as @code{ftp-client.scm} are used for this purpose. The @code{module-import.drv} derivations import those modules in a directory in the store, using the original layout. The @code{module-import-compiled.drv} derivations compile those modules, and write them in an output directory with the right layout. This corresponds to the @code{#:modules} argument of @code{build-expression->derivation} (@pxref{Dérivations}). Finally, the various tarballs are unpacked by the derivations @code{gcc-bootstrap-0.drv}, @code{glibc-bootstrap-0.drv}, etc., at which point we have a working C tool chain. @unnumberedsubsec Building the Build Tools Bootstrapping is complete when we have a full tool chain that does not depend on the pre-built bootstrap tools discussed above. This no-dependency requirement is verified by checking whether the files of the final tool chain contain references to the @file{/gnu/store} directories of the bootstrap inputs. The process that leads to this ``final'' tool chain is described by the package definitions found in the @code{(gnu packages commencement)} module. The @command{guix graph} command allows us to ``zoom out'' compared to the graph above, by looking at the level of package objects instead of individual derivations---remember that a package may translate to several derivations, typically one derivation to download its source, one to build the Guile modules it needs, and one to actually build the package from source. The command: @example guix graph -t bag \ -e '(@@@@ (gnu packages commencement) glibc-final-with-bootstrap-bash)' | dot -Tps > t.ps @end example @noindent produces the dependency graph leading to the ``final'' C library@footnote{You may notice the @code{glibc-intermediate} label, suggesting that it is not @emph{quite} final, but as a good approximation, we will consider it final.}, depicted below. @image{images/bootstrap-packages,6in,,Dependency graph of the early packages} @c See . The first tool that gets built with the bootstrap binaries is GNU@tie{}Make---noted @code{make-boot0} above---which is a prerequisite for all the following packages. From there Findutils and Diffutils get built. Then come the first-stage Binutils and GCC, built as pseudo cross tools---i.e., with @code{--target} equal to @code{--host}. They are used to build libc. Thanks to this cross-build trick, this libc is guaranteed not to hold any reference to the initial tool chain. From there the final Binutils and GCC (not shown above) are built. GCC uses @code{ld} from the final Binutils, and links programs against the just-built libc. This tool chain is used to build the other packages used by Guix and by the GNU Build System: Guile, Bash, Coreutils, etc. And voilà! At this point we have the complete set of build tools that the GNU Build System expects. These are in the @code{%final-inputs} variable of the @code{(gnu packages commencement)} module, and are implicitly used by any package that uses @code{gnu-build-system} (@pxref{Systèmes de construction, @code{gnu-build-system}}). @unnumberedsubsec Building the Bootstrap Binaries @cindex bootstrap binaries Because the final tool chain does not depend on the bootstrap binaries, those rarely need to be updated. Nevertheless, it is useful to have an automated way to produce them, should an update occur, and this is what the @code{(gnu packages make-bootstrap)} module provides. The following command builds the tarballs containing the bootstrap binaries (Guile, Binutils, GCC, libc, and a tarball containing a mixture of Coreutils and other basic command-line tools): @example guix build bootstrap-tarballs @end example The generated tarballs are those that should be referred to in the @code{(gnu packages bootstrap)} module mentioned at the beginning of this section. Still here? Then perhaps by now you've started to wonder: when do we reach a fixed point? That is an interesting question! The answer is unknown, but if you would like to investigate further (and have significant computational and storage resources to do so), then let us know. @unnumberedsubsec Reducing the Set of Bootstrap Binaries Our bootstrap binaries currently include GCC, Guile, etc. That's a lot of binary code! Why is that a problem? It's a problem because these big chunks of binary code are practically non-auditable, which makes it hard to establish what source code produced them. Every unauditable binary also leaves us vulnerable to compiler backdoors as described by Ken Thompson in the 1984 paper @emph{Reflections on Trusting Trust}. This is mitigated by the fact that our bootstrap binaries were generated from an earlier Guix revision. Nevertheless it lacks the level of transparency that we get in the rest of the package dependency graph, where Guix always gives us a source-to-binary mapping. Thus, our goal is to reduce the set of bootstrap binaries to the bare minimum. The @uref{http://bootstrappable.org, Bootstrappable.org web site} lists on-going projects to do that. One of these is about replacing the bootstrap GCC with a sequence of assemblers, interpreters, and compilers of increasing complexity, which could be built from source starting from a simple and auditable assembler. Your help is welcome! @node Porter @section Porting to a New Platform As discussed above, the GNU distribution is self-contained, and self-containment is achieved by relying on pre-built ``bootstrap binaries'' (@pxref{Bootstrapping}). These binaries are specific to an operating system kernel, CPU architecture, and application binary interface (ABI). Thus, to port the distribution to a platform that is not yet supported, one must build those bootstrap binaries, and update the @code{(gnu packages bootstrap)} module to use them on that platform. Fortunately, Guix can @emph{cross compile} those bootstrap binaries. When everything goes well, and assuming the GNU tool chain supports the target platform, this can be as simple as running a command like this one: @example guix build --target=armv5tel-linux-gnueabi bootstrap-tarballs @end example For this to work, the @code{glibc-dynamic-linker} procedure in @code{(gnu packages bootstrap)} must be augmented to return the right file name for libc's dynamic linker on that platform; likewise, @code{system->linux-architecture} in @code{(gnu packages linux)} must be taught about the new platform. Once these are built, the @code{(gnu packages bootstrap)} module needs to be updated to refer to these binaries on the target platform. That is, the hashes and URLs of the bootstrap tarballs for the new platform must be added alongside those of the currently supported platforms. The bootstrap Guile tarball is treated specially: it is expected to be available locally, and @file{gnu/local.mk} has rules do download it for the supported architectures; a rule for the new platform must be added as well. In practice, there may be some complications. First, it may be that the extended GNU triplet that specifies an ABI (like the @code{eabi} suffix above) is not recognized by all the GNU tools. Typically, glibc recognizes some of these, whereas GCC uses an extra @code{--with-abi} configure flag (see @code{gcc.scm} for examples of how to handle this). Second, some of the required packages could fail to build for that platform. Lastly, the generated binaries could be broken for some reason. @c ********************************************************************* @include contributing.fr.texi @c ********************************************************************* @node Remerciements @chapter Remerciements Guix se base sur le @uref{http://nixos.org/nix/, gestionnaire de paquets Nix} conçu et implémenté par Eelco Dolstra, avec des constributions d'autres personnes (voir le fichier @file{nix/AUTHORS} dans Guix). Nix a inventé la gestion de paquet fonctionnelle et promu des fonctionnalités sans précédents comme les mises à jour de paquets transactionnelles et les retours en arrière, les profils par utilisateurs et les processus de constructions transparents pour les références. Sans ce travail, Guix n'existerait pas. Les distributions logicielles basées sur Nix, Nixpkgs et NixOS, ont aussi été une inspiration pour Guix. GNU@tie{}Guix lui-même est un travail collectif avec des contributions d'un grand nombre de personnes. Voyez le fichier @file{AUTHORS} dans Guix pour plus d'information sur ces personnes de qualité. Le fichier @file{THANKS} liste les personnes qui ont aidé en rapportant des bogues, en prenant soin de l'infrastructure, en fournissant des images et des thèmes, en faisant des suggestions et bien plus. Merci ! @c ********************************************************************* @node La licence GNU Free Documentation @appendix La licence GNU Free Documentation @cindex license, GNU Free Documentation License @include fdl-1.3.texi @c ********************************************************************* @node Index des concepts @unnumbered Index des concepts @printindex cp @node Index de programmation @unnumbered Index de programmation @syncodeindex tp fn @syncodeindex vr fn @printindex fn @bye @c Local Variables: @c ispell-local-dictionary: "american"; @c End: