msgid "Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''."
msgid "This document presents tutorials and detailed examples for GNU@tie{}Guix, a functional package management tool written for the GNU system. Please @pxref{Top,,, guix, GNU Guix reference manual} for details about the system, its API, and related concepts."
msgid "This manual is also available in French (@pxref{Top,,, guix-cookbook.fr, Livre de recettes de GNU Guix}), German (@pxref{Top,,, guix-cookbook.de, GNU-Guix-Kochbuch}) and Slovak (@pxref{Top,,, guix-cookbook.sk, Receptár GNU Guix}). If you would like to translate this document in your native language, consider joining @uref{https://translate.fedoraproject.org/projects/guix/documentation-cookbook, Weblate} (@pxref{Translating Guix,,, guix, GNU Guix reference manual})."
msgid "GNU@tie{}Guix is written in the general purpose programming language Scheme, and many of its features can be accessed and manipulated programmatically. You can use Scheme to generate package definitions, to modify them, to build them, to deploy whole operating systems, etc."
msgid "Knowing the basics of how to program in Scheme will unlock many of the advanced features Guix provides --- and you don't even need to be an experienced programmer to use them!"
msgid "Guix uses the Guile implementation of Scheme. To start playing with the language, install it with @code{guix install guile} and start a @dfn{REPL}---short for @uref{https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop, @dfn{read-eval-print loop}}---by running @code{guile} from the command line."
msgid "In the following examples, lines show what you would type at the REPL; lines starting with ``@result{}'' show evaluation results, while lines starting with ``@print{}'' show things that get printed. @xref{Using Guile Interactively,,, guile, GNU Guile Reference Manual}, for more details on the REPL."
msgid "Scheme syntax boils down to a tree of expressions (or @emph{s-expression} in Lisp lingo). An expression can be a literal such as numbers and strings, or a compound which is a parenthesized list of compounds and literals. @code{#true} and @code{#false} (abbreviated @code{#t} and @code{#f}) stand for the Booleans ``true'' and ``false'', respectively."
msgid "This last example is a function call nested in another function call. When a parenthesized expression is evaluated, the first term is the function and the rest are the arguments passed to the function. Every function returns the last evaluated expression as its return value."
msgid "The above procedure returns the square of its argument. Since everything is an expression, the @code{lambda} expression returns an anonymous procedure, which can in turn be applied to an argument:"
msgid "The @dfn{quote} disables evaluation of a parenthesized expression: the first term is not called over the other terms (@pxref{Expression Syntax, quote,, guile, GNU Guile Reference Manual}). Thus it effectively returns a list of terms."
msgid "The @dfn{quasiquote} disables evaluation of a parenthesized expression until @dfn{unquote} (a comma) re-enables it. Thus it provides us with fine-grained control over what is evaluated and what is not."
msgid "@dfn{Keywords} are typically used to identify the named parameters of a procedure. They are prefixed by @code{#:} (hash, colon) followed by alphanumeric characters: @code{#:like-this}. @xref{Keywords,,, guile, GNU Guile Reference Manual}."
msgid "The percentage @code{%} is typically used for read-only global variables in the build stage. Note that it is merely a convention, like @code{_} in C. Scheme treats @code{%} exactly the same as any other letter."
msgid "defines the module @code{guix build-system ruby} which must be located in @file{guix/build-system/ruby.scm} somewhere in the Guile load path. It depends on the @code{(guix store)} module and it exports two variables, @code{ruby-build} and @code{ruby-build-system}."
msgid "Scheme is a language that has been widely used to teach programming and you'll find plenty of material using it as a vehicle. Here's a selection of documents to learn more about Scheme:"
msgid "@uref{https://spritely.institute/static/papers/scheme-primer.html, @i{A Scheme Primer}}, by Christine Lemmer-Webber and the Spritely Institute."
msgid "@uref{https://sarabander.github.io/sicp/, @i{Structure and Interpretation of Computer Programs}}, by Harold Abelson and Gerald Jay Sussman, with Julie Sussman. Colloquially known as ``SICP'', this book is a reference."
msgid "This chapter is dedicated to teaching you how to add packages to the collection of packages that come with GNU Guix. This involves writing package definitions in Guile Scheme, organizing them in package modules, and building them."
msgid "GNU Guix stands out as the @emph{hackable} package manager, mostly because it uses @uref{https://www.gnu.org/software/guile/, GNU Guile}, a powerful high-level programming language, one of the @uref{https://en.wikipedia.org/wiki/Scheme_%28programming_language%29, Scheme} dialects from the @uref{https://en.wikipedia.org/wiki/Lisp_%28programming_language%29, Lisp family}."
msgid "Package definitions are also written in Scheme, which empowers Guix in some very unique ways, unlike most other package managers that use shell scripts or simple languages."
msgid "Batch processing: the whole package collection can be parsed, filtered and processed. Building a headless server with all graphical interfaces stripped out? It's possible. Want to rebuild everything from source using specific compiler optimization flags? Pass the @code{#:make-flags \"...\"} argument to the list of packages. It wouldn't be a stretch to think @uref{https://wiki.gentoo.org/wiki/USE_flag, Gentoo USE flags} here, but this goes even further: the changes don't have to be thought out beforehand by the packager, they can be @emph{programmed} by the user!"
msgid "The following tutorial covers all the basics around package creation with Guix. It does not assume much knowledge of the Guix system nor of the Lisp language. The reader is only expected to be familiar with the command line and to have some basic programming knowledge."
msgid "The ``Defining Packages'' section of the manual introduces the basics of Guix packaging (@pxref{Defining Packages,,, guix, GNU Guix Reference Manual}). In the following section, we will partly go over those basics again."
msgid "GNU@tie{}Hello is a dummy project that serves as an idiomatic example for packaging. It uses the GNU build system (@code{./configure && make && make install}). Guix already provides a package definition which is a perfect example to start with. You can look up its declaration with @code{guix edit hello} from the command line. Let's see how it looks:"
msgid "the special `mirror://gnu` refers to a set of well known locations, all of which can be used by Guix to fetch the source, should some of them fail."
msgid "This is where the power of abstraction provided by the Scheme language really shines: in this case, the @code{gnu-build-system} abstracts away the famous @code{./configure && make && make install} shell invocations. Other build systems include the @code{trivial-build-system} which does not do anything and requires from the packager to program all the build steps, the @code{python-build-system}, the @code{emacs-build-system}, and many more (@pxref{Build Systems,,, guix, GNU Guix Reference Manual})."
msgid "As with the ritualistic ``Hello World'' taught with most programming languages, this will possibly be the most ``manual'' approach. We will work out an ideal setup later; for now we will go the simplest route."
msgid "Feel free to play with the different values of the various fields. If you change the source, you'll need to update the checksum. Indeed, Guix refuses to build anything if the given checksum does not match the computed checksum of the source code. To obtain the correct checksum of the package declaration, we need to download the source, compute the sha256 checksum and convert it to base32."
msgid "In this specific case the output tells us which mirror was chosen. If the result of the above command is not the same as in the above snippet, update your @code{my-hello} declaration accordingly."
msgid "Note that GNU package tarballs come with an OpenPGP signature, so you should definitely check the signature of this tarball with `gpg` to authenticate it before going further:"
msgid "We've gone as far as we could without any knowledge of Scheme. Before moving on to more complex packages, now is the right time to brush up on your Scheme knowledge. @pxref{A Scheme Crash Course} to get up to speed."
msgid "In the rest of this chapter we will rely on some basic Scheme programming knowledge. Now let's detail the different possible setups for working on Guix packages."
msgid "This is what we previously did with @samp{my-hello}. With the Scheme basics we've covered, we are now able to explain the leading chunks. As stated in @code{guix package --help}:"
msgid "The @code{use-modules} expression tells which of the modules we need in the file. Modules are a collection of values and procedures. They are commonly called ``libraries'' or ``packages'' in other programming languages."
msgid "Guix and its package collection can be extended through @dfn{channels}. A channel is a Git repository, public or not, containing @file{.scm} files that provide packages (@pxref{Defining Packages,,, guix, GNU Guix Reference Manual}) or services (@pxref{Defining Services,,, guix, GNU Guix Reference Manual})."
msgid "Note that we have assigned the package value to an exported variable name with @code{define-public}. This is effectively assigning the package to the @code{my-hello} variable so that it can be referenced, among other as dependency of other packages."
msgid "If you use @code{guix package --install-from-file=my-hello.scm} on the above file, it will fail because the last expression, @code{define-public}, does not return a package. If you want to use @code{define-public} in this use-case nonetheless, make sure the file ends with an evaluation of @code{my-hello}:"
msgid "Now how do you make that package visible to @command{guix} commands so you can test your packages? You need to add the directory to the search path using the @option{-L} command-line option, as in these examples:"
msgid "The final step is to turn @file{~/my-channel} into an actual channel, making your package collection seamlessly available @i{via} any @command{guix} command. To do that, you first need to make it a Git repository:"
msgid "And that's it, you have a channel! From there on, you can add this channel to your channel configuration in @file{~/.config/guix/channels.scm} (@pxref{Specifying Additional Channels,,, guix, GNU Guix Reference Manual}); assuming you keep your channel local for now, the @file{channels.scm} would look something like this:"
msgid "Next time you run @command{guix pull}, your channel will be picked up and the packages it defines will be readily available to all the @command{guix} commands, even if you do not pass @option{-L}. The @command{guix describe} command will show that Guix is, indeed, using both the @code{my-channel} and the @code{guix} channels."
msgid "Working directly on the Guix project is recommended: it reduces the friction when the time comes to submit your changes upstream to let the community benefit from your hard work!"
msgid "Unlike most software distributions, the Guix repository holds in one place both the tooling (including the package manager) and the package definitions. This choice was made so that it would give developers the flexibility to modify the API without breakage by updating all packages at the same time. This reduces development inertia."
msgid "The @samp{$GUIX_CHECKOUT/pre-inst-env} script lets you use @samp{guix} over the package collection of the repository (@pxref{Running Guix Before It Is Installed,,, guix, GNU Guix Reference Manual})."
msgid "Once you are happy with the result, you are welcome to send your contribution to make it part of Guix. This process is also detailed in the manual. (@pxref{Contributing,,, guix, GNU Guix Reference Manual})"
msgid "The above ``Hello World'' example is as simple as it goes. Packages can be more complex than that and Guix can handle more advanced scenarios. Let's look at another, more sophisticated package (slightly modified from the source):"
msgid "(In those cases were you only want to tweak a few fields from a package definition, you should rely on inheritance instead of copy-pasting everything. See below.)"
msgid "Unlike the @code{url-fetch} method, @code{git-fetch} expects a @code{git-reference} which takes a Git repository and a commit. The commit can be any Git reference such as tags, so if the @code{version} is tagged, then it can be used directly. Sometimes the tag is prefixed with a @code{v}, in which case you'd use @code{(commit (string-append \"v\" version))}."
msgid "To ensure that the source code from the Git repository is stored in a directory with a descriptive name, we use @code{(file-name (git-file-name name version))}."
msgid "The @code{git-version} procedure can be used to derive the version when packaging programs for a specific commit, following the Guix contributor guidelines (@pxref{Version Numbers,,, guix, GNU Guix Reference Manual})."
msgid "How does one obtain the @code{sha256} hash that's in there, you ask? By invoking @command{guix hash} on a checkout of the desired commit, along these lines:"
msgid "@command{guix hash -rx} computes a SHA256 hash over the whole directory, excluding the @file{.git} sub-directory (@pxref{Invoking guix hash,,, guix, GNU Guix Reference Manual})."
msgid "Snippets are quoted (i.e. non-evaluated) Scheme code that are a means of patching the source. They are a Guix-y alternative to the traditional @file{.patch} files. Because of the quote, the code in only evaluated when passed to the Guix daemon for building. There can be as many snippets as needed."
msgid "The distinction between the various inputs is important: if a dependency can be handled as an @emph{input} instead of a @emph{propagated input}, it should be done so, or else it ``pollutes'' the user profile for no good reason."
msgid "For instance, a user installing a graphical program that depends on a command line tool might only be interested in the graphical part, so there is no need to force the command line tool into the user profile. The dependency is a concern to the package, not to the user. @emph{Inputs} make it possible to handle dependencies without bugging the user by adding undesired executable files (or libraries) to their profile."
msgid "Same goes for @emph{native-inputs}: once the program is installed, build-time dependencies can be safely garbage-collected. It also matters when a substitute is available, in which case only the @emph{inputs} and @emph{propagated inputs} will be fetched: the @emph{native inputs} are not required to install a package from a substitute."
msgid "This is the ``old style'', where each input in the list is explicitly given a label (a string). It is still supported but we recommend using the style above instead. @xref{package Reference,,, guix, GNU Guix Reference Manual}, for more info."
msgid "The user can choose which output to install; this is useful to save space or to avoid polluting the user profile with unwanted executables or libraries."
msgid "Output separation is optional. When the @code{outputs} field is left out, the default and only output (the complete package) is referred to as @code{\"out\"}."
msgid "It's advised to separate outputs only when you've shown it's worth it: if the output size is significant (compare with @code{guix size}) or in case the package is modular."
msgid "The simplest argument @code{#:tests?} can be used to disable the test suite when building the package. This is mostly useful when the package does not feature any test suite. It's strongly recommended to keep the test suite on if there is one."
msgid "Another common argument is @code{:make-flags}, which specifies a list of flags to append when running make, as you would from the command line. For instance, the following flags"
msgid "This sets the C compiler to @code{gcc} and the @code{prefix} variable (the installation directory in Make parlance) to @code{(assoc-ref %outputs \"out\")}, which is a build-stage global variable pointing to the destination directory in the store (something like @file{/gnu/store/...-my-libgit2-20180408})."
msgid "The @code{phases} keyword lists the sequential steps of the build system. Typically phases include @code{unpack}, @code{configure}, @code{build}, @code{install} and @code{check}. To know more about those phases, you need to work out the appropriate build system definition in @samp{$GUIX_CHECKOUT/guix/build/gnu-build-system.scm}:"
msgid "Note the @code{chdir} call: it changes the working directory to where the source was unpacked. Thus every phase following the @code{unpack} will use the source as a working directory, which is why we can directly work on the source files. That is to say, unless a later phase changes the working directory to something else."
msgid "We modify the list of @code{%standard-phases} of the build system with the @code{modify-phases} macro as per the list of specified modifications, which may have the following forms:"
msgid "The @var{procedure} supports the keyword arguments @code{inputs} and @code{outputs}. Each input (whether @emph{native}, @emph{propagated} or not) and output directory is referenced by their name in those variables. Thus @code{(assoc-ref outputs \"out\")} is the store directory of the main output of the package. A phase procedure may look like this:"
msgid "The procedure must return @code{#true} on success. It's brittle to rely on the return value of the last expression used to tweak the phase because there is no guarantee it would be a @code{#true}. Hence the trailing @code{#true} to ensure the right value is returned on success."
msgid "The astute reader may have noticed the quasi-quote and comma syntax in the argument field. Indeed, the build code in the package declaration should not be evaluated on the client side, but only when passed to the Guix daemon. This mechanism of passing code around two running processes is called @uref{https://arxiv.org/abs/1709.00833, code staging}."
msgid "When customizing @code{phases}, we often need to write code that mimics the equivalent system invocations (@code{make}, @code{mkdir}, @code{cp}, etc.)@: commonly used during regular ``Unix-style'' installations."
msgid "Some of those functions can be found in @samp{$GUIX_CHECKOUT/guix/guix/build/utils.scm}. Most of them mirror the behaviour of the traditional Unix system commands:"
msgid "Similar to @samp{install} when installing a file to a (possibly non-existing) directory. Guile has @code{copy-file} which works like @samp{cp}."
msgid "The license in our last example needs a prefix: this is because of how the @code{license} module was imported in the package, as @code{#:use-module ((guix licenses) #:prefix license:)}. The Guile module import mechanism (@pxref{Using Guile Modules,,, guile, Guile reference manual}) gives the user full control over namespacing: this is needed to avoid clashes between, say, the @samp{zlib} variable from @samp{licenses.scm} (a @emph{license} value) and the @samp{zlib} variable from @samp{compression.scm} (a @emph{package} value)."
msgid "What we've seen so far covers the majority of packages using a build system other than the @code{trivial-build-system}. The latter does not automate anything and leaves you to build everything manually. This can be more demanding and we won't cover it here for now, but thankfully it is rarely necessary to fall back on this system."
msgid "For the other build systems, such as ASDF, Emacs, Perl, Ruby and many more, the process is very similar to the GNU build system except for a few specialized arguments."
msgid "@xref{Build Systems,,, guix, GNU Guix Reference Manual}, for more information on build systems, or check the source code in the @samp{$GUIX_CHECKOUT/guix/build} and @samp{$GUIX_CHECKOUT/guix/build-system} directories."
msgid "We can't repeat it enough: having a full-fledged programming language at hand empowers us in ways that reach far beyond traditional package management."
msgid "You might find some build systems good enough that there is little to do at all to write a package, to the point that it becomes repetitive and tedious after a while. A @emph{raison d'être} of computers is to replace human beings at those boring tasks. So let's tell Guix to do this for us and create the package definition of an R package from CRAN (the output is trimmed for conciseness):"
msgid "Not all applications can be packaged this way, only those relying on a select number of supported systems. Read about the full list of importers in the guix import section of the manual (@pxref{Invoking guix import,,, guix, GNU Guix Reference Manual})."
msgid "In most cases, updating a package to a newer version requires little more than changing the version number and the checksum. Guix can do that automatically as well:"
msgid "If you've started browsing the existing package definitions, you might have noticed that a significant number of them have a @code{inherit} field:"
msgid "All unspecified fields are inherited from the parent package. This is very convenient to create alternative packages, for instance with different source, version or compilation options."
msgid "Sadly, some applications can be tough to package. Sometimes they need a patch to work with the non-standard file system hierarchy enforced by the store. Sometimes the tests won't run properly. (They can be skipped but this is not recommended.) Other times the resulting package won't be reproducible."
msgid "This tutorial was a showcase of the sophisticated package management that Guix boasts. At this point we have mostly restricted this introduction to the @code{gnu-build-system} which is a core abstraction layer on which more advanced abstractions are based."
msgid "Where do we go from here? Next we ought to dissect the innards of the build system by removing all abstractions, using the @code{trivial-build-system}: this should give us a thorough understanding of the process before investigating some more advanced packaging techniques and edge cases."
msgid "Those fancy features are completely optional and can wait; now is a good time to take a well-deserved break. With what we've introduced here you should be well armed to package lots of programs. You can get started right away and hopefully we will see your contributions soon!"
msgid "Guix offers a flexible language for declaratively configuring your Guix System. This flexibility can at times be overwhelming. The purpose of this chapter is to demonstrate some advanced configuration concepts."
msgid "While the Guix manual explains auto-login one user to @emph{all} TTYs ( @pxref{auto-login to TTY,,, guix, GNU Guix Reference Manual}), some might prefer a situation, in which one user is logged into one TTY with the other TTYs either configured to login different users or no one at all. Note that one can auto-login one user to any TTY, but it is usually advisable to avoid @code{tty1}, which, by default, is used to log warnings and errors."
msgid "One could also @code{compose} (@pxref{Higher-Order Functions,,, guile, The Guile Reference Manual}) @code{auto-login-to-tty} to login multiple users to multiple ttys."
msgid "Finally, here is a note of caution. Setting up auto login to a TTY, means that anyone can turn on your computer and run commands as your regular user. However, if you have an encrypted root partition, and thus already need to enter a passphrase when the system boots, auto-login might be a convenient option."
msgid "Guix is, at its core, a source based distribution with substitutes (@pxref{Substitutes,,, guix, GNU Guix Reference Manual}), and as such building packages from their source code is an expected part of regular package installations and upgrades. Given this starting point, it makes sense that efforts are made to reduce the amount of time spent compiling packages, and recent changes and upgrades to the building and distribution of substitutes continues to be a topic of discussion within Guix."
msgid "The kernel, while not requiring an overabundance of RAM to build, does take a rather long time on an average machine. The official kernel configuration, as is the case with many GNU/Linux distributions, errs on the side of inclusiveness, and this is really what causes the build to take such a long time when the kernel is built from source."
msgid "The Linux kernel, however, can also just be described as a regular old package, and as such can be customized just like any other package. The procedure is a little bit different, although this is primarily due to the nature of how the package definition is written."
msgid "Any keys which are not assigned values inherit their default value from the @code{make-linux-libre} definition. When comparing the two snippets above, notice the code comment that refers to @code{#:configuration-file}. Because of this, it is not actually easy to include a custom kernel configuration from the definition, but don't worry, there are other ways to work with what we do have."
msgid "There are two ways to create a kernel with a custom kernel configuration. The first is to provide a standard @file{.config} file during the build process by including an actual @file{.config} file as a native input to our custom kernel. The following is a snippet from the custom @code{'configure} phase of the @code{make-linux-libre} package definition:"
msgid "Below is a sample kernel package. The @code{linux-libre} package is nothing special and can be inherited from and have its fields overridden like any other package:"
msgid "In the same directory as the file defining @code{linux-libre-E2140} is a file named @file{E2140.config}, which is an actual kernel configuration file. The @code{defconfig} keyword of @code{make-linux-libre} is left blank here, so the only kernel configuration in the package is the one which was included in the @code{native-inputs} field."
msgid "The second way to create a custom kernel is to pass a new value to the @code{extra-options} keyword of the @code{make-linux-libre} procedure. The @code{extra-options} keyword works with another function defined right below it:"
msgid "So by not providing a configuration-file the @file{.config} starts blank, and then we write into it the collection of flags that we want. Here's another custom kernel:"
msgid "In the above example @code{%file-systems} is a collection of flags enabling different file system support, @code{%efi-support} enables EFI support and @code{%emulation} enables a x86_64-linux machine to act in 32-bit mode also. @code{%default-extra-linux-options} are the ones quoted above, which had to be added in since they were replaced in the @code{extra-options} keyword."
msgid "This all sounds like it should be doable, but how does one even know which modules are required for a particular system? Two places that can be helpful in trying to answer this question is the @uref{https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel, Gentoo Handbook} and the @uref{https://www.kernel.org/doc/html/latest/admin-guide/README.html?highlight=localmodconfig, documentation from the kernel itself}. From the kernel documentation, it seems that @code{make localmodconfig} is the command we want."
msgid "Once inside the directory containing the source code run @code{touch .config} to create an initial, empty @file{.config} to start with. @code{make localmodconfig} works by seeing what you already have in @file{.config} and letting you know what you're missing. If the file is blank then you're missing everything. The next step is to run:"
msgid "and note the output. Do note that the @file{.config} file is still empty. The output generally contains two types of warnings. The first start with \"WARNING\" and can actually be ignored in our case. The second read:"
msgid "For each of these lines, copy the @code{CONFIG_XXXX_XXXX} portion into the @file{.config} in the directory, and append @code{=m}, so in the end it looks like this:"
msgid "After copying all the configuration options, run @code{make localmodconfig} again to make sure that you don't have any output starting with ``module''. After all of these machine specific modules there are a couple more left that are also needed. @code{CONFIG_MODULES} is necessary so that you can build and load modules separately and not have everything built into the kernel. @code{CONFIG_BLK_DEV_SD} is required for reading from hard drives. It is possible that there are other modules which you will need."
msgid "This post does not aim to be a guide to configuring your own kernel however, so if you do decide to build a custom kernel you'll have to seek out other guides to create a kernel which is just right for your needs."
msgid "The second way to setup the kernel configuration makes more use of Guix's features and allows you to share configuration segments between different kernels. For example, all machines using EFI to boot have a number of EFI configuration flags that they need. It is likely that all the kernels will share a list of file systems to support. By using variables it is easier to see at a glance what features are enabled and to make sure you don't have features in one kernel but missing in another."
msgid "Left undiscussed however, is Guix's initrd and its customization. It is likely that you'll need to modify the initrd on a machine using a custom kernel, since certain modules which are expected to be built may not be available for inclusion into the initrd."
msgid "Historically, Guix System is centered around an @code{operating-system} structure. This structure contains various fields ranging from the bootloader and kernel declaration to the services to install."
msgid "Depending on the target machine, that can go from a standard @code{x86_64} machine to a small ARM single board computer such as the Pine64, the image constraints can vary a lot. The hardware manufacturers will impose different image formats with various partition sizes and offsets."
msgid "To create images suitable for all those machines, a new abstraction is necessary: that's the goal of the @code{image} record. This record contains all the required information to be transformed into a standalone image, that can be directly booted on any target machine."
msgid "This record contains the operating-system to instantiate. The @code{format} field defines the image type and can be @code{efi-raw}, @code{qcow2} or @code{iso9660} for instance. In the future, it could be extended to @code{docker} or other image types."
msgid "Let's have a look to @file{pine64.scm}. It contains the @code{pine64-barebones-os} variable which is a minimal definition of an operating-system dedicated to the @b{Pine A64 LTS} board."
msgid "The main purpose of this record is to associate a name to a procedure transforming an @code{operating-system} to an image. To understand why it is necessary, let's have a look to the command producing an image from an @code{operating-system} configuration file:"
msgid "This command expects an @code{operating-system} configuration but how should we indicate that we want an image targeting a Pine64 board? We need to provide an extra information, the @code{image-type}, by passing the @code{--image-type} or @code{-t} flag, this way:"
msgid "This @code{image-type} parameter points to the @code{pine64-image-type} defined above. Hence, the @code{operating-system} declared in @code{my-os.scm} will be applied the @code{(cut image-with-os arm64-disk-image <>)} procedure to turn it into an image."
msgid "and by writing an @code{operating-system} file based on @code{pine64-barebones-os}, you can customize your image to your preferences in a file (@file{my-pine-os.scm}) like this:"
msgid "The use of security keys can improve your security by providing a second authentication source that cannot be easily stolen or copied, at least for a remote adversary (something that you have), to the main secret (a passphrase -- something that you know), reducing the risk of impersonation."
msgid "The example configuration detailed below showcases what minimal configuration needs to be made on your Guix System to allow the use of a Yubico security key. It is hoped the configuration can be useful for other security keys as well, with minor adjustments."
msgid "To be usable, the udev rules of the system should be extended with key-specific rules. The following shows how to extend your udev rules with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by the @code{libfido2} package from the @code{(gnu packages security-token)} module and add your user to the @samp{\"plugdev\"} group it uses:"
msgid "After re-configuring your system and re-logging in your graphical session so that the new group is in effect for your user, you can verify that your key is usable by launching:"
msgid "and validating that the security key can be reset via the ``Reset your security key'' menu. If it works, congratulations, your security key is ready to be used with applications supporting two-factor authentication (2FA)."
msgid "To connect to a Wireguard VPN server you need the kernel module to be loaded in memory and a package providing networking tools that support it (e.g. @code{wireguard-tools} or @code{network-manager})."
msgid "Here is a configuration example for Linux-Libre < 5.6, where the module is out of tree and need to be loaded manually---following revisions of the kernel have it built-in and so don't need such configuration:"
msgid "To test your Wireguard setup it is convenient to use @command{wg-quick}. Just give it a configuration file @command{wg-quick up ./wg0.conf}; or put that file in @file{/etc/wireguard} and run @command{wg-quick up wg0} instead."
msgid "Thanks to NetworkManager support for Wireguard we can connect to our VPN using @command{nmcli} command. Up to this point this guide assumes that you're using Network Manager service provided by @code{%desktop-services}. Ortherwise you need to adjust your services list to load @code{network-manager-service-type} and reconfigure your Guix system."
msgid "For more specific information about NetworkManager and wireguard @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see this post by thaller}."
msgid "You could install StumpWM with a Guix system by adding @code{stumpwm} and optionally @code{`(,stumpwm \"lib\")} packages to a system configuration file, e.g.@: @file{/etc/config.scm}."
msgid "By default StumpWM uses X11 fonts, which could be small or pixelated on your system. You could fix this by installing StumpWM contrib Lisp module @code{sbcl-ttf-fonts}, adding it to Guix system packages:"
msgid "Depending on your environment, locking the screen of your session might come built in or it might be something you have to set up yourself. If you use a desktop environment like GNOME or KDE, it's usually built in. If you use a plain window manager like StumpWM or EXWM, you might have to set it up yourself."
msgid "If you use Xorg, you can use the utility @uref{https://www.mankier.com/1/xss-lock, xss-lock} to lock the screen of your session. xss-lock is triggered by DPMS which since Xorg 1.8 is auto-detected and enabled if ACPI is also enabled at kernel runtime."
msgid "To use xss-lock, you can simple execute it and put it into the background before you start your window manager from e.g. your @file{~/.xsession}:"
msgid "In this example, xss-lock uses @code{slock} to do the actual locking of the screen when it determines it's appropriate, like when you suspend your device."
msgid "For slock to be allowed to be a screen locker for the graphical session, it needs to be made setuid-root so it can authenticate users, and it needs a PAM service. This can be achieved by adding the following service to your @file{config.scm}:"
msgid "If you manually lock your screen, e.g. by directly calling slock when you want to lock your screen but not suspend it, it's a good idea to notify xss-lock about this so no confusion occurs. This can be done by executing @code{xset s activate} immediately before you execute slock."
msgid "To run Guix on a server hosted by @uref{https://www.linode.com, Linode}, start with a recommended Debian server. We recommend using the default distro as a way to bootstrap Guix. Create your SSH keys."
msgid "Be sure to add your SSH key for easy login to the remote server. This is trivially done via Linode's graphical interface for adding SSH keys. Go to your profile and click add SSH Key. Copy into it the output of:"
msgid "In the Linode's Storage tab, resize the Debian disk to be smaller. 30 GB free space is recommended. Then click \"Add a disk\", and fill out the form with the following:"
msgid "In the Configurations tab, press \"Edit\" on the default Debian profile. Under \"Block Device Assignment\" click \"Add a Device\". It should be @file{/dev/sdc} and you can select the \"Guix\" disk. Save Changes."
msgid "Now power it back up, booting with the Debian configuration. Once it's running, ssh to your server via @code{ssh root@@@var{<your-server-IP-here>}}. (You can find your server IP address in your Linode Summary section.) Now you can run the \"install guix from @pxref{Binary Installation,,, guix, GNU Guix}\" steps:"
msgid "The last line in the above example lets you log into the server as root and set the initial root password (see the note at the end of this recipe about root login). After you have done this, you may delete that line from your configuration and reconfigure to prevent root login."
msgid "Copy your ssh public key (eg: @file{~/.ssh/id_rsa.pub}) as @file{@var{<your-username-here>}_rsa.pub} and put @file{guix-config.scm} in the same directory. In a new terminal run these commands."
msgid "Due to the way we set up the bootloader section of the guix-config.scm, only the grub configuration file will be installed. So, we need to copy over some of the other GRUB stuff already installed on the Debian system:"
msgid "You may not be able to run the above commands at this point. If you have issues remotely logging into your linode box via SSH, then you may still need to set your root and user password initially by clicking on the ``Launch Console'' option in your linode. Choose the ``Glish'' instead of ``Weblish''. Now you should be able to ssh into the machine."
msgid "By the way, if you save it as a disk image right at this point, you'll have an easy time spinning up new Guix images! You may need to down-size the Guix image to 6144MB, to save it as an image. Then you can resize it again to the max size."
msgid "To bind mount a file system, one must first set up some definitions before the @code{operating-system} section of the system definition. In this example we will bind mount a folder from a spinning disk drive to @file{/tmp}, to save wear and tear on the primary SSD, without dedicating an entire partition to be mounted as @file{/tmp}."
msgid "@emph{Not all} Guix daemon's traffic will go through Tor! Only HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections will still go through the clearnet. Again, this configuration isn't foolproof some of your traffic won't get routed by Tor at all. Use it at your own risk."
msgid "Also note that the procedure described here applies only to package substitution. When you update your guix distribution with @command{guix pull}, you still need to use @command{torsocks} if you want to route the connection to guix's git repository servers through Tor."
msgid "Guix's substitute server is available as a Onion service, if you want to use it to get your substitutes through Tor configure your system as follow:"
msgid "This will keep a tor process running that provides a HTTP CONNECT tunnel which will be used by @command{guix-daemon}. The daemon can use other protocols than HTTP(S) to get remote resources, request using those protocols won't go through Tor since we are only setting a HTTP tunnel here. Note that @code{substitutes-urls} is using HTTPS and not HTTP or it won't work, that's a limitation of Tor's tunnel; you may want to use @command{privoxy} instead to avoid such limitations."
msgid "If you don't want to always get substitutes through Tor but using it just some of the times, then skip the @code{guix-configuration}. When you want to get a substitute from the Tor tunnel run:"
msgid "The following example demonstrates system definition with configuration to evaluate @file{index.lua} Lua script on HTTP request to @uref{http://localhost/hello} endpoint:"
msgid "MPD, the Music Player Daemon, is a flexible server-side application for playing music. Client programs on different machines on the network --- a mobile phone, a laptop, a desktop workstation --- can connect to it to control the playback of audio files from your local music collection. MPD decodes the audio files and plays them back on one or many outputs."
msgid "By default MPD will play to the default audio device. In the example below we make things a little more interesting by setting up a headless music server. There will be no graphical user interface, no Pulseaudio daemon, and no local audio output. Instead we will configure MPD with two outputs: a bluetooth speaker and a web server to serve audio streams to any streaming media player."
msgid "Bluetooth is often rather frustrating to set up. You will have to pair your Bluetooth device and make sure that the device is automatically connected as soon as it powers on. The Bluetooth system service returned by the @code{bluetooth-service} procedure provides the infrastructure needed to set this up."
msgid "Start the @code{bluetooth} service and then use @command{bluetoothctl} to scan for Bluetooth devices. Try to identify your Bluetooth speaker and pick out its device ID from the resulting list of devices that is indubitably dominated by a baffling smorgasbord of your neighbors' home automation gizmos. This only needs to be done once:"
msgid "It is now time to configure ALSA to use the @emph{bluealsa} Bluetooth module, so that you can define an ALSA pcm device corresponding to your Bluetooth speaker. For a headless server using @emph{bluealsa} with a fixed Bluetooth device is likely simpler than configuring Pulseaudio and its stream switching behavior. We configure ALSA by crafting a custom @code{alsa-configuration} for the @code{alsa-service-type}. The configuration will declare a @code{pcm} type @code{bluealsa} from the @code{bluealsa} module provided by the @code{bluez-alsa} package, and then define a @code{pcm} device of that type for your Bluetooth speaker."
msgid "All that is left then is to make MPD send audio data to this ALSA device. We also add a secondary MPD output that makes the currently played audio files available as a stream through a web server on port 8080. When enabled a device on the network could listen to the audio stream by connecting any capable media player to the HTTP server on port 8080, independent of the status of the Bluetooth speaker."
msgid "The kernel Linux provides a number of shared facilities that are available to processes in the system. These facilities include a shared view on the file system, other processes, network devices, user and group identities, and a few others. Since Linux 3.19 a user can choose to @emph{unshare} some of these shared facilities for selected processes, providing them (and their child processes) with a different view on the system."
msgid "A process with an unshared @code{mount} namespace, for example, has its own view on the file system --- it will only be able to see directories that have been explicitly bound in its mount namespace. A process with its own @code{proc} namespace will consider itself to be the only process running on the system, running as PID 1."
msgid "Guix uses these kernel features to provide fully isolated environments and even complete Guix System containers, lightweight virtual machines that share the host system's kernel. This feature comes in especially handy when using Guix on a foreign distribution to prevent interference from foreign libraries or configuration files that are available system-wide."
msgid "The easiest way to get started is to use @command{guix shell} with the @option{--container} option. @xref{Invoking guix shell,,, guix, GNU Guix Reference Manual} for a reference of valid options."
msgid "The following snippet spawns a minimal shell process with most namespaces unshared from the system. The current working directory is visible to the process, but anything else on the file system is unavailable. This extreme isolation can be very useful when you want to rule out any sort of interference from environment variables, globally installed libraries, or configuration files."
msgid "It is a bleak environment, barren, desolate. You will find that not even the GNU coreutils are available here, so to explore this deserted wasteland you need to use built-in shell commands. Even the usually gigantic @file{/gnu/store} directory is reduced to a faint shadow of itself."
msgid "There isn't much you can do in an environment like this other than exiting it. You can use @key{^D} or @command{exit} to terminate this limited shell environment."
msgid "You can make other directories available inside of the container environment; use @option{--expose=DIRECTORY} to bind-mount the given directory as a read-only location inside the container, or use @option{--share=DIRECTORY} to make the location writable. With an additional mapping argument after the directory name you can control the name of the directory inside the container. In the following example we map @file{/etc} on the host system to @file{/the/host/etc} inside a container in which the GNU coreutils are installed."
msgid "Similarly, you can prevent the current working directory from being mapped into the container with the @option{--no-cwd} option. Another good idea is to create a dedicated directory that will serve as the container's home directory, and spawn the container shell from that directory."
msgid "On a foreign system a container environment can be used to compile software that cannot possibly be linked with system libraries or with the system's compiler toolchain. A common use-case in a research context is to install packages from within an R session. Outside of a container environment there is a good chance that the foreign compiler toolchain and incompatible system libraries are found first, resulting in incompatible binaries that cannot be used by R. In a container shell this problem disappears, as system libraries and executables simply aren't available due to the unshared @code{mount} namespace."
msgid "Let's use this to run R inside a container environment. For convenience we share the @code{net} namespace to use the host system's network interfaces. Now we can build R packages from source the traditional way without having to worry about ABI mismatch or incompatibilities."
msgid "Using container shells is fun, but they can become a little cumbersome when you want to go beyond just a single interactive process. Some tasks become a lot easier when they sit on the rock solid foundation of a proper Guix System and its rich set of system services. The next section shows you how to launch a complete Guix System inside of a container."
msgid "The Guix System provides a wide array of interconnected system services that are configured declaratively to form a dependable stateless GNU System foundation for whatever tasks you throw at it. Even when using Guix on a foreign distribution you can benefit from the design of Guix System by running a system instance as a container. Using the same kernel features of unshared namespaces mentioned in the previous section, the resulting Guix System instance is isolated from the host system and only shares file system locations that you explicitly declare."
msgid "A Guix System container differs from the shell process created by @command{guix shell --container} in a number of important ways. While in a container shell the containerized process is a Bash shell process, a Guix System container runs the Shepherd as PID 1. In a system container all system services (@pxref{Services,,, guix, GNU Guix Reference Manual}) are set up just as they would be on a Guix System in a virtual machine or on bare metal---this includes daemons managed by the GNU@tie{}Shepherd (@pxref{Shepherd Services,,, guix, GNU Guix Reference Manual}) as well as other kinds of extensions to the operating system (@pxref{Service Composition,,, guix, GNU Guix Reference Manual})."
msgid "The perceived increase in complexity of running a Guix System container is easily justified when dealing with more complex applications that have higher or just more rigid requirements on their execution contexts---configuration files, dedicated user accounts, directories for caches or log files, etc. In Guix System the demands of this kind of software are satisfied through the deployment of system services."
msgid "A good example might be a PostgreSQL database server. Much of the complexity of setting up such a database server is encapsulated in this deceptively short service declaration:"
msgid "With @code{postgresql-role-service-type} we define a role ``test'' and create a matching database, so that we can test right away without any further manual setup. The @code{postgresql-config-file} settings allow a client from IP address 10.0.0.1 to connect without requiring authentication---a bad idea in production systems, but convenient for this example."
msgid "Let's build a script that will launch an instance of this Guix System as a container. Write the @code{operating-system} declaration above to a file @file{os.scm} and then use @command{guix system container} to build the launcher. (@pxref{Invoking guix system,,, guix, GNU Guix Reference Manual})."
msgid "Now that we have a launcher script we can run it to spawn the new system with a running PostgreSQL service. Note that due to some as yet unresolved limitations we need to run the launcher as the root user, for example with @command{sudo}."
msgid "Background the process with @key{Ctrl-z} followed by @command{bg}. Note the process ID in the output; we will need it to connect to the container later. You know what? Let's try attaching to the container right now. We will use @command{nsenter}, a tool provided by the @code{util-linux} package:"
msgid "What good is a Guix System running a PostgreSQL database service as a container when we can only talk to it with processes originating in the container? It would be much better if we could talk to the database over the network."
msgid "The easiest way to do this is to create a pair of connected virtual Ethernet devices (known as @code{veth}). We move one of the devices (@code{ceth-test}) into the @code{net} namespace of the container and leave the other end (@code{veth-test}) of the connection on the host system."
msgid "At this point the host can reach the container at IP address 10.0.0.2, and the container can reach the host at IP 10.0.0.1. This is all we need to talk to the database server inside the container from the host system on the outside."
msgid "Guix is a functional package manager that offers many features beyond what more traditional package managers can do. To the uninitiated, those features might not have obvious use cases at first. The purpose of this chapter is to demonstrate some advanced package management concepts."
msgid "Guix provides a very useful feature that may be quite foreign to newcomers: @emph{profiles}. They are a way to group package installations together and all users on the same system are free to use as many profiles as they want."
msgid "Whether you're a developer or not, you may find that multiple profiles bring you great power and flexibility. While they shift the paradigm somewhat compared to @emph{traditional package managers}, they are very convenient to use once you've understood how to set them up."
msgid "If you are familiar with Python's @samp{virtualenv}, you can think of a profile as a kind of universal @samp{virtualenv} that can hold any kind of software whatsoever, not just Python software. Furthermore, profiles are self-sufficient: they capture all the runtime dependencies which guarantees that all programs within a profile will always work at any point in time."
msgid "Isolation: Programs from one profile will not use programs from the other, and the user can even install different versions of the same programs to the two profiles without conflict."
msgid "Reproducible: when used with declarative manifests, a profile can be fully specified by the Guix commit that was active when it was set up. This means that the exact same profile can be @uref{https://guix.gnu.org/blog/2018/multi-dimensional-transactions-and-rollbacks-oh-my/, set up anywhere and anytime}, with just the commit information. See the section on @ref{Reproducible profiles}."
msgid "A Guix profile can be set up @i{via} a @dfn{manifest}. A manifest is a snippet of Scheme code that specifies the set of packages you want to have in your profile; it looks like this:"
msgid "Here we set an arbitrary variable @samp{GUIX_EXTRA_PROFILES} to point to the directory where we will store our profiles in the rest of this article."
msgid "Placing all your profiles in a single directory, with each profile getting its own sub-directory, is somewhat cleaner. This way, each sub-directory will contain all the symlinks for precisely one profile. Besides, ``looping over profiles'' becomes obvious from any programming language (e.g.@: a shell script) by simply looping over the sub-directories of @samp{$GUIX_EXTRA_PROFILES}."
msgid "Note to Guix System users: the above reflects how your default profile @file{~/.guix-profile} is activated from @file{/etc/profile}, that latter being loaded by @file{~/.bashrc} by default."
msgid "The key to enabling a profile is to @emph{source} its @samp{etc/profile} file. This file contains shell code that exports the right environment variables necessary to activate the software contained in the profile. It is built automatically by Guix and meant to be sourced. It contains the same variables you would get if you ran:"
msgid "To upgrade all profiles, it's easy enough to loop over them. For instance, assuming your manifest specifications are stored in @file{~/.guix-manifests/guix-$profile-manifest.scm}, with @samp{$profile} being the name of the profile (e.g.@: \"project1\"), you could do the following in Bourne shell:"
msgid "Activating a profile essentially boils down to exporting a bunch of environmental variables. This is the role of the @samp{etc/profile} within the profile."
msgid "For instance, @samp{MANPATH} won't be set if there is no consumer application for man pages within the profile. So if you need to transparently access man pages once the profile is loaded, you've got two options:"
msgid "Alternatively, you could keep it ``manifest-less'' for throw-away packages that you would just use for a couple of days. This way makes it convenient to run"
msgid "Manifests are a convenient way to keep your package lists around and, say, to synchronize them across multiple machines using a version control system."
msgid "A common complaint about manifests is that they can be slow to install when they contain large number of packages. This is especially cumbersome when you just want get an upgrade for one package within a big manifest."
msgid "This is one more reason to use multiple profiles, which happen to be just perfect to break down manifests into multiple sets of semantically connected packages. Using multiple, small profiles provides more flexibility and usability."
msgid "When a profile is set up from a manifest, the manifest itself is self-sufficient to keep a ``package listing'' around and reinstall the profile later or on a different system. For ad-hoc profiles, we would need to generate a manifest specification manually and maintain the package versions for the packages that don't use the default version."
msgid "@code{guix package --upgrade} always tries to update the packages that have propagated inputs, even if there is nothing to do. Guix manifests remove this problem."
msgid "When partially upgrading a profile, conflicts may arise (due to diverging dependencies between the updated and the non-updated packages) and they can be annoying to resolve manually. Manifests remove this problem altogether since all packages are always upgraded at once."
msgid "As mentioned above, manifests allow for reproducible profiles, while the imperative @code{guix install}, @code{guix upgrade}, etc. do not, since they produce different profiles every time even when they hold the same packages. See @uref{https://issues.guix.gnu.org/issue/33285, the related discussion on the matter}."
msgid "Manifest specifications are usable by other @samp{guix} commands. For example, you can run @code{guix weather -m manifest.scm} to see how many substitutes are available, which can help you decide whether you want to try upgrading today or wait a while. Another example: you can run @code{guix pack -m manifest.scm} to create a pack containing all the packages in the manifest (and their transitive references)."
msgid "Finally, manifests have a Scheme representation, the @samp{<manifest>} record type. They can be manipulated in Scheme and passed to the various Guix @uref{https://en.wikipedia.org/wiki/Api, APIs}."
msgid "It's important to understand that while manifests can be used to declare profiles, they are not strictly equivalent: profiles have the side effect that they ``pin'' packages in the store, which prevents them from being garbage-collected (@pxref{Invoking guix gc,,, guix, GNU Guix Reference Manual}) and ensures that they will still be available at any point in the future."
msgid "We have an environment for hacking on a project for which there isn't a Guix package yet. We build the environment using a manifest, and then run @code{guix environment -m manifest.scm}. So far so good."
msgid "Many weeks pass and we have run a couple of @code{guix pull} in the mean time. Maybe a dependency from our manifest has been updated; or we may have run @code{guix gc} and some packages needed by our manifest have been garbage-collected."
msgid "Eventually, we set to work on that project again, so we run @code{guix shell -m manifest.scm}. But now we have to wait for Guix to build and install stuff!"
msgid "Ideally, we could spare the rebuild time. And indeed we can, all we need is to install the manifest to a profile and use @code{GUIX_PROFILE=/the/profile; . \"$GUIX_PROFILE\"/etc/profile} as explained above: this guarantees that our hacking environment will be available at all times."
msgid "@emph{Security warning:} While keeping old profiles around can be convenient, keep in mind that outdated packages may not have received the latest security fixes."
msgid "Indeed, manifests alone might not be enough: different Guix versions (or different channels) can produce different outputs for a given manifest."
msgid "Guix provides a @samp{direnv} package, which could extend shell after directory change. This tool could be used to prepare a pure Guix environment."
msgid "The following example provides a shell function for @file{~/.direnvrc} file, which could be used from Guix Git repository in @file{~/src/guix/.envrc} file to setup a build environment similar to described in @pxref{Building from Git,,, guix, GNU Guix Reference Manual}."
msgid "Guix is appealing to scientists and @acronym{HPC, high-performance computing} practitioners: it makes it easy to deploy potentially complex software stacks, and it lets you do so in a reproducible fashion---you can redeploy the exact same software on different machines and at different points in time."
msgid "In this chapter we look at how a cluster sysadmin can install Guix for system-wide use, such that it can be used on all the cluster nodes, and discuss the various tradeoffs@footnote{This chapter is adapted from a @uref{https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/, blog post published on the Guix-HPC web site in 2017}.}."
msgid "The recommended approach is to set up one @emph{head node} running @command{guix-daemon} and exporting @file{/gnu/store} over NFS to compute nodes."
msgid "Remember that @command{guix-daemon} is responsible for spawning build processes and downloads on behalf of clients (@pxref{Invoking guix-daemon,,, guix, GNU Guix Reference Manual}), and more generally accessing @file{/gnu/store}, which contains all the package binaries built by all the users (@pxref{The Store,,, guix, GNU Guix Reference Manual}). ``Client'' here refers to all the Guix commands that users see, such as @code{guix install}. On a cluster, these commands may be running on the compute nodes and we'll want them to talk to the head node's @code{guix-daemon} instance."
msgid "To begin with, the head node can be installed following the usual binary installation instructions (@pxref{Binary Installation,,, guix, GNU Guix Reference Manual}). Thanks to the installation script, this should be quick. Once installation is complete, we need to make some adjustments."
msgid "Since we want @code{guix-daemon} to be reachable not just from the head node but also from the compute nodes, we need to arrange so that it listens for connections over TCP/IP. To do that, we'll edit the systemd startup file for @command{guix-daemon}, @file{/etc/systemd/system/guix-daemon.service}, and add a @code{--listen} argument to the @code{ExecStart} line so that it looks something like this:"
msgid "The @code{--listen=0.0.0.0} bit means that @code{guix-daemon} will process @emph{all} incoming TCP connections on port 44146 (@pxref{Invoking guix-daemon,,, guix, GNU Guix Reference Manual}). This is usually fine in a cluster setup where the head node is reachable exclusively from the cluster's local area network---you don't want that to be exposed to the Internet!"
msgid "The next step is to define our NFS exports in @uref{https://linux.die.net/man/5/exports,@file{/etc/exports}} by adding something along these lines:"
msgid "The @file{/gnu/store} directory can be exported read-only since only @command{guix-daemon} on the master node will ever modify it. @file{/var/guix} contains @emph{user profiles} as managed by @code{guix package}; thus, to allow users to install packages with @code{guix package}, this must be read-write."
msgid "Users can create as many profiles as they like in addition to the default profile, @file{~/.guix-profile}. For instance, @code{guix package -p ~/dev/python-dev -i python} installs Python in a profile reachable from the @code{~/dev/python-dev} symlink. To make sure that this profile is protected from garbage collection---i.e., that Python will not be removed from @file{/gnu/store} while this profile exists---, @emph{home directories should be mounted on the head node} as well so that @code{guix-daemon} knows about these non-standard profiles and avoids collecting software they refer to."
msgid "It may be a good idea to periodically remove unused bits from @file{/gnu/store} by running @command{guix gc} (@pxref{Invoking guix gc,,, guix, GNU Guix Reference Manual}). This can be done by adding a crontab entry on the head node:"
msgid "First of all, we need compute nodes to mount those NFS directories that the head node exports. This can be done by adding the following lines to @uref{https://linux.die.net/man/5/fstab,@file{/etc/fstab}}:"
msgid "... where @var{head-node} is the name or IP address of your head node. From there on, assuming the mount points exist, you should be able to mount each of these on the compute nodes."
msgid "Next, we need to provide a default @command{guix} command that users can run when they first connect to the cluster (eventually they will invoke @command{guix pull}, which will provide them with their ``own'' @command{guix} command). Similar to what the binary installation script did on the head node, we'll store that in @file{/usr/local/bin}:"
msgid "To avoid warnings and make sure @code{guix} uses the right locale, we need to tell it to use locale data provided by Guix (@pxref{Application Setup,,, guix, GNU Guix Reference Manual}):"
msgid "For convenience, @code{guix package} automatically generates @file{~/.guix-profile/etc/profile}, which defines all the environment variables necessary to use the packages---@code{PATH}, @code{C_INCLUDE_PATH}, @code{PYTHONPATH}, etc. Thus it's a good idea to source it from @code{/etc/profile}:"
msgid "The daemon on the head node should download pre-built binaries on your behalf and unpack them in @file{/gnu/store}, and @command{guix install} should create @file{~/.guix-profile} containing the @file{~/.guix-profile/bin/hello} command."
msgid "Guix requires network access to download source code and pre-built binaries. The good news is that only the head node needs that since compute nodes simply delegate to it."
msgid "It is customary for cluster nodes to have access at best to a @emph{white list} of hosts. Our head node needs at least @code{ci.guix.gnu.org} in this white list since this is where it gets pre-built binaries from by default, for all the packages that are in Guix proper."
msgid "Incidentally, @code{ci.guix.gnu.org} also serves as a @emph{content-addressed mirror} of the source code of those packages. Consequently, it is sufficient to have @emph{only} @code{ci.guix.gnu.org} in that white list."
msgid "Software packages maintained in a separate repository such as one of the various @uref{https://hpc.guix.info/channels, HPC channels} are of course unavailable from @code{ci.guix.gnu.org}. For these packages, you may want to extend the white list such that source and pre-built binaries (assuming this-party servers provide binaries for these packages) can be downloaded. As a last resort, users can always download source on their workstation and add it to the cluster's @file{/gnu/store}, like this:"
msgid "Air-gapped clusters require more work. At the moment, our suggestion would be to download all the necessary source code on a workstation running Guix. For instance, using the @option{--sources} option of @command{guix build} (@pxref{Invoking guix build,,, guix, GNU Guix Reference Manual}), the example below downloads all the source code the @code{openmpi} package depends on:"
msgid "As we write this, the research institutes involved in Guix-HPC do not have air-gapped clusters though. If you have experience with such setups, we would like to hear feedback and suggestions."
msgid "A common concern of sysadmins' is whether this is all going to eat a lot of disk space. If anything, if something is going to exhaust disk space, it's going to be scientific data sets rather than compiled software---that's our experience with almost ten years of Guix usage on HPC clusters. Nevertheless, it's worth taking a look at how Guix contributes to disk usage."
msgid "First, having several versions or variants of a given package in @file{/gnu/store} does not necessarily cost much, because @command{guix-daemon} implements deduplication of identical files, and package variants are likely to have a number of common files."
msgid "As mentioned above, we recommend having a cron job to run @code{guix gc} periodically, which removes @emph{unused} software from @file{/gnu/store}. However, there's always a possibility that users will keep lots of software in their profiles, or lots of old generations of their profiles, which is ``live'' and cannot be deleted from the viewpoint of @command{guix gc}."
msgid "The solution to this is for users to regularly remove old generations of their profile. For instance, the following command removes generations that are more than two-month old:"
msgid "Likewise, it's a good idea to invite users to regularly upgrade their profile, which can reduce the number of variants of a given piece of software stored in @file{/gnu/store}:"
msgid "As a last resort, it is always possible for sysadmins to do some of this on behalf of their users. Nevertheless, one of the strengths of Guix is the freedom and control users get on their software environment, so we strongly recommend leaving users in control."
msgid "On an HPC cluster, Guix is typically used to manage scientific software. Security-critical software such as the operating system kernel and system services such as @code{sshd} and the batch scheduler remain under control of sysadmins."
msgid "The Guix project has a good track record delivering security updates in a timely fashion (@pxref{Security Updates,,, guix, GNU Guix Reference Manual}). To get security updates, users have to run @code{guix pull && guix upgrade}."
msgid "Because Guix uniquely identifies software variants, it is easy to see if a vulnerable piece of software is in use. For instance, to check whether the glibc@ 2.25 variant without the mitigation patch against ``@uref{https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt,Stack Clash}'', one can check whether user profiles refer to it at all:"
msgid "Guix is based on the @uref{https://nixos.org/nix/, Nix package manager}, which was designed and implemented by Eelco Dolstra, with contributions from other people (see the @file{nix/AUTHORS} file in Guix.) Nix pioneered functional package management, and promoted unprecedented features, such as transactional package upgrades and rollbacks, per-user profiles, and referentially transparent build processes. Without this work, Guix would not exist."
msgid "GNU@tie{}Guix itself is a collective work with contributions from a number of people. See the @file{AUTHORS} file in Guix for more information on these fine people. The @file{THANKS} file lists people who have helped by reporting bugs, taking care of the infrastructure, providing artwork and themes, making suggestions, and more---thank you!"
msgid "This document includes adapted sections from articles that have previously been published on the Guix blog at @uref{https://guix.gnu.org/blog} and on the Guix-HPC blog at @uref{https://hpc.guix.info/blog}."
