guix - Wojtek's customized Guix

# GNU Guix --- Functional package management for GNU
# Copyright © 2014-2022, 2024 Ludovic Courtès <ludo@gnu.org>
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
# Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

#
# Test 'guix system', mostly error reporting.
#

set -e

guix system --version

tmpfile="t-guix-system-$$"
errorfile="t-guix-system-error-$$"

# Note: This directory is chosen outside $builddir so that relative file name
# canonicalization doesn't mess up with 'current-source-directory', used by
# 'local-file' ('load' forces 'relative' for
# %FILE-PORT-NAME-CANONICALIZATION.)
tmpdir="${TMPDIR:-/tmp}/t-guix-system-$$"
mkdir "$tmpdir"

trap 'rm -f "$tmpfile" "$errorfile" "$tmpdir"/*; rmdir "$tmpdir"' EXIT

# Reporting of syntax errors.

cat > "$tmpfile"<<EOF
;; This is line 1, and the next one is line 2.
   (operating-system)
;; The 'T' is at column 3.
EOF

if guix system vm "$tmpfile" 2> "$errorfile"
then
    # This must not succeed.
    exit 1
else
    cat "$errorfile"
    grep "$tmpfile:2:3:.*missing.* initializers" "$errorfile"
fi


cat > "$tmpfile"<<EOF
;; This is line 1, and the next one is line 2.
   (operating-system
;; This is line 3, and there is no closing paren!
EOF

if guix system vm "$tmpfile" 2> "$errorfile"
then
    # This must not succeed.
    exit 1
else
    cat "$errorfile"

    # Guile 3.0.6 gets line/column numbers for 'read-error' wrong
    # (zero-indexed): <https://bugs.gnu.org/48089>.
    grep "$tmpfile:4:1: missing closing paren" "$errorfile" || \
    grep "$tmpfile:3:0: missing closing paren" "$errorfile"
fi


# Reporting of module not found errors.

cat > "$tmpfile" <<EOF
;; Line 1.
(use-modules (gnu))
  (use-service-modules openssh)
EOF

if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else
    grep "$tmpfile:3:2: .*module .*openssh.*not found" "$errorfile"
    grep "Try.*use-service-modules ssh" "$errorfile"
fi

cat > "$tmpfile" <<EOF
;; Line 1.
(use-modules (gnu))
  (use-package-modules qemu)
EOF

if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else
    grep "$tmpfile:3:2: .*module .*qemu.*not found" "$errorfile"
    grep "Try.*use-package-modules virtualization" "$errorfile"
fi

# Reporting of unbound variables.

cat > "$tmpfile" <<EOF
(use-modules (gnu))                                   ; 1
(use-service-modules networking)                      ; 2

(operating-system                                     ; 4
  (host-name "antelope")                              ; 5
  (timezone "Europe/Paris")                           ; 6
  (locale "en_US.UTF-8")                              ; 7

  (bootloader (GRUB-config (targets (list "/dev/sdX"))))        ; 9
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems)))
EOF

if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else
    if test "`guile -c '(display (effective-version))'`" = 3.0
    then
	# FIXME: With Guile 3.3.0 the error is reported on line 11.
	# See <https://bugs.gnu.org/38388>.
	grep "$tmpfile:[0-9]\+:[0-9]\+:.*GRUB-config.*[Uu]nbound variable" "$errorfile"
    elif test "`guile -c '(display (effective-version))'`" = 2.2
    then
	# FIXME: With Guile 2.2.0 the error is reported on line 4.
	# See <http://bugs.gnu.org/26107>.
	grep "$tmpfile:[49]:[0-9]\+:.*GRUB-config.*[Uu]nbound variable" "$errorfile"
    else
	grep "$tmpfile:9:[0-9]\+:.*GRUB-config.*[Uu]nbound variable" "$errorfile"
    fi
fi

cat > "$tmpfile" <<EOF
(use-modules (gnu))                                    ; 1

(operating-system                                      ; 3
  (file-systems (cons (file-system                     ; 4
                        (device (file-system-label "root"))
                        (mount-point "/")              ; 6
                        (type "ext4"))))               ; 7 (!!)
                      %base-file-systems)
EOF

if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else
    # Here '%base-file-systems' appears as if it were a field specified of the
    # enclosing 'operating-system' form due to parenthesis mismatch.
    grep "$tmpfile:3:[0-9]\+:.*%base-file-system.*invalid field specifier" \
	 "$errorfile"
fi

OS_BASE='
  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets (list "/dev/sdX"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
'

# Reporting of duplicate service identifiers.

cat > "$tmpfile" <<EOF
(use-modules (gnu))
(use-service-modules networking)

(operating-system
  $OS_BASE
  (services (cons* (service dhcp-client-service-type)
                   (service dhcp-client-service-type) ;twice!
                   %base-services)))
EOF

if guix system vm "$tmpfile" 2> "$errorfile"
then
    # This must not succeed.
    exit 1
else
    grep "service 'networking'.*more than once" "$errorfile"
fi

# Reporting unmet shepherd requirements.

cat > "$tmpfile" <<EOF
(use-modules (gnu) (gnu services shepherd))
(use-service-modules networking)

(define buggy-service-type
  (shepherd-service-type
    'buggy
    (lambda _
      (shepherd-service
        (provision '(buggy!))
        (requirement '(does-not-exist))
        (start #t)))
    (description "Buggy.")))

(operating-system
  $OS_BASE
  (services (cons (service buggy-service-type #t)
                  %base-services)))
EOF

if guix system build "$tmpfile" 2> "$errorfile"
then
    exit 1
else
    grep "service 'buggy!'.*'does-not-exist'.*not provided" "$errorfile"
fi

# Reporting inconsistent user accounts.

make_user_config ()
{
    cat > "$tmpfile" <<EOF
(use-modules (gnu))
(use-service-modules networking)

(operating-system
  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")

  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets (list "/dev/sdX"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (list (user-account
                 (name "dave")
                 (home-directory "/home/dave")
                 (group "$1")
                 (supplementary-groups '("$2"))))))
EOF
}

make_user_config "users" "wheel"
guix system build "$tmpfile" -n       # succeeds

guix system build "$tmpfile" -d	      # succeeds
guix system build "$tmpfile" -d | grep '\.drv$'

guix system vm "$tmpfile" -d	      # succeeds
guix system vm "$tmpfile" -d | grep '\.drv$'

# Make sure the behavior is deterministic (<https://bugs.gnu.org/32652>).
drv1="`guix system vm "$tmpfile" -d`"
drv2="`guix system vm "$tmpfile" -d`"
test "$drv1" = "$drv2"
drv1="`guix system image -t iso9660 "$tmpfile" -d`"
drv2="`guix system image -t iso9660 "$tmpfile" -d`"
test "$drv1" = "$drv2"

# Check whether the graph commands work as expected.
guix system extension-graph "$tmpfile" | grep 'label = "file-systems"'
guix system shepherd-graph "$tmpfile" | grep 'label = "guix-daemon"'

make_user_config "group-that-does-not-exist" "users"
if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else grep "primary group.*group-that-does-not-exist.*undeclared" "$errorfile"; fi

make_user_config "users" "group-that-does-not-exist"
if guix system build "$tmpfile" -n 2> "$errorfile"
then false
else grep "supplementary group.*group-that-does-not-exist.*undeclared" "$errorfile"; fi

# Try 'local-file' and relative file name resolution.

cat > "$tmpdir/config.scm"<<EOF
(use-modules (gnu))
(use-service-modules networking)

(operating-system
  $OS_BASE
  (services (cons (service tor-service-type
                           (tor-configuration
                             (config-file (local-file "my-torrc"))))
                  %base-services)))
EOF

cat > "$tmpdir/my-torrc"<<EOF
# This is an example file.
EOF

# In both cases 'my-torrc' should be properly resolved.
guix system build "$tmpdir/config.scm" -n
(cd "$tmpdir"; guix system build "config.scm" -n)

# Check that we get a warning when passing 'local-file' a non-literal relative
# file name.
cat > "$tmpdir/config.scm" <<EOF
(use-modules (guix))

(define (bad-local-file file)
  (local-file file))

(bad-local-file "whatever.scm")
EOF
guix system build "$tmpdir/config.scm" -n && false
guix system build "$tmpdir/config.scm" -n 2>&1 | \
    grep "config\.scm:4:2: warning:.*whatever.*relative to current directory"

# Searching.
guix system search tor | grep "^name: tor"
guix system search tor | grep "^shepherdnames: tor"
guix system search anonym network | grep "^name: tor"
guix system search . > "$tmpdir/search"
test $(wc -l < "$tmpdir/search") -gt 500
rm "$tmpdir/search"

# Below, use -n (--dry-run) for the tests because if we actually tried to
# build these images, the commands would take hours to run in the worst case.

# Verify that the examples can be built.
for example in gnu/system/examples/*.tmpl; do
    case "$example" in
	*hurd*)
            options="--target=i586-pc-gnu";;
	*asus*)
	    # 'asus-c201.tmpl' uses 'linux-libre-arm-generic', which is an
	    # ARM-only package.
            options="--system=armhf-linux";;
        *raspberry*)
	    # The Raspberry Pi templates 'linux-libre-arm64-generic', which is
	    # an ARM-only package.
            options="--system=aarch64-linux";;
        *plasma*)
            # Some architectures do not support all the packages Plasma
            # depends on so restrict to x86_64-linux.
            options="--system=x86_64-linux";;
	*vm-image*)
	    # The VM image tries to build 'current-guix' as per 'guix pull'.
	    # Skip it.
	    continue
	    ;;
	*desktop*)
	    # This image uses 'grub-efi-bootloader' so it needs a GPT
	    # partition.
	    options="-t efi-raw --system=x86_64-linux";;
	*)
	    options=""
	    ;;
    esac
    guix system -n image $options "$example"
done

# Make sure the desktop image can be built on major architectures.
for system in x86_64-linux aarch64-linux
do
    guix system -n image -s "$system" -t efi-raw \
	 gnu/system/examples/desktop.tmpl
done

# Verify that the images can be built.
guix system -n vm gnu/system/examples/bare-bones.tmpl
guix system -n image gnu/system/images/pinebook-pro.scm
guix system -n image -t qcow2 gnu/system/examples/bare-bones.tmpl
guix system -n image -t iso9660 gnu/system/examples/bare-bones.tmpl
guix system -n docker-image gnu/system/examples/docker-image.tmpl

# Verify that at least the raw image type is available.
guix system --list-image-types | grep "raw"

;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2021, 2023 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (gnu build accounts) #:use-module (guix records) #:use-module (guix combinators) #:use-module (gnu system accounts) #:use-module (srfi srfi-1) #:use-module (srfi srfi-11) #:use-module (srfi srfi-19) #:use-module (srfi srfi-26) #:use-module (ice-9 match) #:use-module (ice-9 vlist) #:use-module (ice-9 rdelim) #:export (password-entry password-entry? password-entry-name password-entry-uid password-entry-gid password-entry-real-name password-entry-directory password-entry-shell shadow-entry shadow-entry? shadow-entry-name shadow-entry-minimum-change-period shadow-entry-maximum-change-period shadow-entry-change-warning-time shadow-entry-maximum-inactivity shadow-entry-expiration group-entry group-entry? group-entry-name group-entry-gid group-entry-members %password-lock-file write-group write-passwd write-shadow read-group read-passwd read-shadow %id-min %id-max %system-id-min %system-id-max user+group-databases)) ;;; Commentary: ;;; ;;; This modules provides functionality equivalent to the C library's ;;; <shadow.h>, <pwd.h>, and <grp.h> routines, as well as a subset of the ;;; functionality of the Shadow command-line tools. It can parse and write ;;; /etc/passwd, /etc/shadow, and /etc/group. It can also take care of UID ;;; and GID allocation in a way similar to what 'useradd' does. ;;; ;;; The benefit is twofold: less code is involved, and the ID allocation ;;; strategy and state preservation is made explicit. ;;; ;;; Code: ;;; ;;; Machinery to define user and group databases. ;;; (define-syntax serialize-field (syntax-rules (serialization) ((_ entry (field get (serialization ->string string->) _ ...)) (->string (get entry))) ((_ entry (field get _ ...)) (get entry)))) (define-syntax deserialize-field (syntax-rules (serialization) ((_ str (field get (serialization ->string string->) _ ...)) (string-> str)) ((_ str (field get _ ...)) str))) (define-syntax let/fields (syntax-rules () ((_ (((name get attributes ...) rest ...) lst) body ...) (let ((l lst)) (let ((name (deserialize-field (car l) (name get attributes ...)))) (let/fields ((rest ...) (cdr l)) body ...)))) ((_ (() lst) body ...) (begin body ...)))) (define-syntax define-database-entry (syntax-rules (serialization) "Define a record data type, as per 'define-record-type*', with additional information on how to serialize and deserialize the whole database as well as each field." ((_ <record> record make-record record? (serialization separator entry->string string->entry) fields ...) (let-syntax ((field-name (syntax-rules () ((_ (name _ (... ...))) name)))) (define-record-type* <record> record make-record record? fields ...) (define (entry->string entry) (string-join (list (serialize-field entry fields) ...) (string separator))) (define (string->entry str) (let/fields ((fields ...) (string-split str #\:)) (make-record (field-name fields) ...))))))) (define number->string* (match-lambda ((? number? number) (number->string number)) (_ ""))) (define (false-if-string=? false-string) (lambda (str) (if (string=? str false-string) #f str))) (define (string-if-false str) (lambda (obj) (if (not obj) str obj))) (define (comma-separated->list str) (string-tokenize str (char-set-complement (char-set #\,)))) (define (list->comma-separated lst) (string-join lst ",")) ;;; ;;; Database definitions. ;;; (define-database-entry <password-entry> ;<pwd.h> password-entry make-password-entry password-entry? (serialization #\: password-entry->string string->password-entry) (name password-entry-name) (password password-entry-password (serialization (const "x") (const #f)) (default "x")) (uid password-entry-uid (serialization number->string string->number)) (gid password-entry-gid (serialization number->string string->number)) (real-name password-entry-real-name (default "")) (directory password-entry-directory) (shell password-entry-shell (default "/bin/sh"))) (define-database-entry <shadow-entry> ;<shadow.h> shadow-entry make-shadow-entry shadow-entry? (serialization #\: shadow-entry->string string->shadow-entry) (name shadow-entry-name) ;string (password shadow-entry-password ;string | #f (serialization (string-if-false "!") (false-if-string=? "!")) (default #f)) (last-change shadow-entry-last-change ;days since 1970-01-01 (serialization number->string* string->number) (default 0)) (minimum-change-period shadow-entry-minimum-change-period (serialization number->string* string->number) (default #f)) ;days | #f (maximum-change-period shadow-entry-maximum-change-period (serialization number->string* string->number) (default #f)) ;days | #f (change-warning-time shadow-entry-change-warning-time (serialization number->string* string->number) (default #f)) ;days | #f (maximum-inactivity shadow-entry-maximum-inactivity (serialization number->string* string->number) (default #f)) ;days | #f (expiration shadow-entry-expiration (serialization number->string* string->number) (default #f)) ;days since 1970-01-01 | #f (flags shadow-entry-flags ;"reserved" (serialization number->string* string->number) (default #f))) (define-database-entry <group-entry> ;<grp.h> group-entry make-group-entry group-entry? (serialization #\: group-entry->string string->group-entry) (name group-entry-name) (password group-entry-password (serialization (string-if-false "x") (false-if-string=? "x")) (default #f)) (gid group-entry-gid (serialization number->string string->number)) (members group-entry-members (serialization list->comma-separated comma-separated->list) (default '()))) (define %password-lock-file ;; The password database lock file used by libc's 'lckpwdf'. Users should ;; grab this lock with 'with-file-lock' when they access the databases. "/etc/.pwd.lock") (define (database-writer file mode entry->string) (lambda* (entries #:optional (file-or-port file)) "Write ENTRIES to FILE-OR-PORT. When FILE-OR-PORT is a file name, write to it atomically and set the appropriate permissions." (define (write-entries port) (for-each (lambda (entry) (display (entry->string entry) port) (newline port)) (delete-duplicates entries))) (if (port? file-or-port) (write-entries file-or-port) (let* ((template (string-append file-or-port ".XXXXXX")) (port (mkstemp! template))) (dynamic-wind (const #t) (lambda () (chmod port mode) (write-entries port) (fsync port) (close-port port) (rename-file template file-or-port)) (lambda () (unless (port-closed? port) (close-port port)) (when (file-exists? template) (delete-file template)))))))) (define write-passwd (database-writer "/etc/passwd" #o644 password-entry->string)) (define write-shadow (database-writer "/etc/shadow" #o600 shadow-entry->string)) (define write-group (database-writer "/etc/group" #o644 group-entry->string)) (define (database-reader file string->entry) (lambda* (#:optional (file-or-port file)) (define (read-entries port) (let loop ((entries '())) (match (read-line port) ((? eof-object?) (reverse entries)) (line (loop (cons (string->entry line) entries)))))) (if (port? file-or-port) (read-entries file-or-port) (call-with-input-file file-or-port read-entries)))) (define read-passwd (database-reader "/etc/passwd" string->password-entry)) (define read-shadow (database-reader "/etc/shadow" string->shadow-entry)) (define read-group (database-reader "/etc/group" string->group-entry)) ;;; ;;; Building databases. ;;; (define-record-type* <allocation> allocation make-allocation allocation? (ids allocation-ids (default vlist-null)) (next-id allocation-next-id (default %id-min)) (next-system-id allocation-next-system-id (default %system-id-max))) ;; Trick to avoid name clashes... (define-syntax %allocation (identifier-syntax allocation)) ;; Minimum and maximum UIDs and GIDs (from find_new_uid.c and find_new_gid.c ;; in Shadow.) (define %id-min 1000) (define %id-max 60000) (define %system-id-min 100) (define %system-id-max 999) (define (system-id? id) (and (> id %system-id-min) (<= id %system-id-max))) (define (user-id? id) (and (>= id %id-min) (< id %id-max))) (define* (allocate-id assignment #:key system?) "Return two values: a newly allocated ID, and an updated <allocation> record based on ASSIGNMENT. If SYSTEM? is true, return a system ID." (define next ;; Return the next available ID, looping if necessary. (if system? (lambda (id) (let ((next-id (- id 1))) (if (< next-id %system-id-min) %system-id-max next-id))) (lambda (id) (let ((next-id (+ id 1))) (if (>= next-id %id-max) %id-min next-id))))) (let loop ((id (if system? (allocation-next-system-id assignment) (allocation-next-id assignment)))) (if (vhash-assv id (allocation-ids assignment)) (loop (next id)) (let ((taken (vhash-consv id #t (allocation-ids assignment)))) (values (if system? (allocation (inherit assignment) (next-system-id (next id)) (ids taken)) (allocation (inherit assignment) (next-id (next id)) (ids taken))) id))))) (define* (reserve-ids allocation ids #:key (skip? #t)) "Mark the numbers listed in IDS as reserved in ALLOCATION. When SKIP? is true, start allocation after the highest (or lowest, depending on whether it's a system ID allocation) number among IDS." (%allocation (inherit allocation) (next-id (if skip? (+ (reduce max (- (allocation-next-id allocation) 1) (filter user-id? ids)) 1) (allocation-next-id allocation))) (next-system-id (if skip? (- (reduce min (+ 1 (allocation-next-system-id allocation)) (filter system-id? ids)) 1) (allocation-next-system-id allocation))) (ids (fold (cut vhash-consv <> #t <>) (allocation-ids allocation) ids)))) (define (allocated? allocation id) "Return true if ID is already allocated as part of ALLOCATION." (->bool (vhash-assv id (allocation-ids allocation)))) (define (lookup-procedure lst key) "Return a lookup procedure for the elements of LST, calling KEY to obtain the key of each element." (let ((table (fold (lambda (obj table) (vhash-cons (key obj) obj table)) vlist-null lst))) (lambda (key) (match (vhash-assoc key table) (#f #f) ((_ . value) value))))) (define* (allocate-groups groups members #:optional (current-groups '())) "Return a list of group entries for GROUPS, a list of <user-group>. Members for each group are taken from MEMBERS, a vhash that maps group names to member names. GIDs and passwords found in CURRENT-GROUPS, a list of group entries, are reused." (define gids ;; Mark all the currently-used GIDs and the explicitly requested GIDs as ;; reserved. (reserve-ids (reserve-ids (allocation) (map group-entry-gid current-groups)) (filter-map user-group-id groups) #:skip? #f)) (define previous-entry (lookup-procedure current-groups group-entry-name)) (reverse (fold2 (lambda (group result allocation) (let ((name (user-group-name group)) (password (user-group-password group)) (requested-id (user-group-id group)) (system? (user-group-system? group))) (let*-values (((previous) (previous-entry name)) ((allocation id) (cond ((number? requested-id) (values (reserve-ids allocation (list requested-id)) requested-id)) (previous (values allocation (group-entry-gid previous))) (else (allocate-id allocation #:system? system?))))) (values (cons (group-entry (name name) (password (if previous (group-entry-password previous) password)) (gid id) (members (vhash-fold* cons '() name members))) result) allocation)))) '() gids groups))) (define* (allocate-passwd users groups #:optional (current-passwd '())) "Return a list of password entries for USERS, a list of <user-account>. Take GIDs from GROUPS, a list of group entries. Reuse UIDs from CURRENT-PASSWD, a list of password entries, when possible; otherwise allocate new UIDs." (define uids (reserve-ids (reserve-ids (allocation) (map password-entry-uid current-passwd)) (filter-map user-account-uid users) #:skip? #f)) (define previous-entry (lookup-procedure current-passwd password-entry-name)) (define (group-id name) (or (any (lambda (entry) (and (string=? (group-entry-name entry) name) (group-entry-gid entry))) groups) (error "group not found" name))) (reverse (fold2 (lambda (user result allocation) (let ((name (user-account-name user)) (requested-id (user-account-uid user)) (group (user-account-group user)) (real-name (user-account-comment user)) (directory (user-account-home-directory user)) (shell (user-account-shell user)) (system? (user-account-system? user))) (let*-values (((previous) (previous-entry name)) ((allocation id) (cond ((number? requested-id) (values (reserve-ids allocation (list requested-id)) requested-id)) (previous (values allocation (password-entry-uid previous))) (else (allocate-id allocation #:system? system?))))) (values (cons (password-entry (name name) (uid id) (directory directory) (gid (if (number? group) group (group-id group))) ;; Users might change their name to something ;; other than what the sysadmin chose, with ;; 'chfn'. Thus consider it "stateful". (real-name (if (and previous (not system?)) (password-entry-real-name previous) real-name)) ;; Do not reuse the shell of PREVIOUS since (1) ;; that could lead to confusion, and (2) the ;; shell might have been GC'd. See ;; <https://lists.gnu.org/archive/html/guix-devel/2019-04/msg00478.html>. (shell shell)) result) allocation)))) '() uids users))) (define* (days-since-epoch #:optional (current-time current-time)) "Return the number of days elapsed since the 1st of January, 1970." (let* ((now (current-time time-utc)) (epoch (make-time time-utc 0 0)) (diff (time-difference now epoch))) (quotient (time-second diff) (* 24 3600)))) (define* (passwd->shadow users passwd #:optional (current-shadow '()) #:key (current-time current-time)) "Return a list of shadow entries for the password entries listed in PASSWD. Reuse shadow entries from CURRENT-SHADOW when they exist, and take the initial password from USERS." (define previous-entry (lookup-procedure current-shadow shadow-entry-name)) (define now ;; On machines without a real-time clock (typically Arm SBCs), the system ;; clock may be at 1970-01-01 while booting, which would lead us to define ;; NOW as zero. ;; ;; However, the 'isexpired' function in Shadow interprets the combination ;; uninitialized password + last-change = 0 as "The password has expired, ;; it must be changed", which prevents logins altogether. To avoid that, ;; never set 'last-change' to zero. (max (days-since-epoch current-time) 1)) (map (lambda (user passwd) (or (previous-entry (password-entry-name passwd)) (shadow-entry (name (password-entry-name passwd)) (password (user-account-password user)) (last-change now)))) users passwd)) (define (empty-if-not-found thunk) "Call THUNK and return the empty list if that throws to ENOENT." (catch 'system-error thunk (lambda args (if (= ENOENT (system-error-errno args)) '() (apply throw args))))) (define* (user+group-databases users groups #:key (current-passwd (empty-if-not-found read-passwd)) (current-groups (empty-if-not-found read-group)) (current-shadow (empty-if-not-found read-shadow)) (current-time current-time)) "Return three values: the list of group entries, the list of password entries, and the list of shadow entries corresponding to USERS and GROUPS. Preserve stateful bits from CURRENT-PASSWD, CURRENT-GROUPS, and CURRENT-SHADOW: UIDs, GIDs, passwords, user shells, etc." (define members ;; Map group name to user names. (fold (lambda (user members) (fold (cute vhash-cons <> (user-account-name user) <>) members (user-account-supplementary-groups user))) vlist-null users)) (define group-entries (allocate-groups groups members current-groups)) (define passwd-entries (allocate-passwd users group-entries current-passwd)) (define shadow-entries (passwd->shadow users passwd-entries current-shadow #:current-time current-time)) (values group-entries passwd-entries shadow-entries))