GNU Guix Reference Manual

Table of Contents

Next: , Up: (dir)   [Contents][Index]

GNU Guix

This document describes GNU Guix version 1.3.0, a functional package management tool written for the GNU system.

This manual is also available in Simplified Chinese (see GNU Guix参考手册), French (see Manuel de référence de GNU Guix), German (see Referenzhandbuch zu GNU Guix), Spanish (see Manual de referencia de GNU Guix), and Russian (see Руководство GNU Guix). If you would like to translate it in your native language, consider joining Weblate.

Next: , Previous: , Up: Top   [Contents][Index]

1 Introduction

GNU Guix1 is a package management tool for and distribution of the GNU system. Guix makes it easy for unprivileged users to install, upgrade, or remove software packages, to roll back to a previous package set, to build packages from source, and generally assists with the creation and maintenance of software environments.

You can install GNU Guix on top of an existing GNU/Linux system where it complements the available tools without interference (see Installation), or you can use it as a standalone operating system distribution, Guix System2. See GNU Distribution.

Next: , Up: Introduction   [Contents][Index]

1.1 Managing Software the Guix Way

Guix provides a command-line package management interface (see Package Management), tools to help with software development (see Development), command-line utilities for more advanced usage (see Utilities), as well as Scheme programming interfaces (see Programming Interface). Its build daemon is responsible for building packages on behalf of users (see Setting Up the Daemon) and for downloading pre-built binaries from authorized sources (see Substitutes).

Guix includes package definitions for many GNU and non-GNU packages, all of which respect the user’s computing freedom. It is extensible: users can write their own package definitions (see Defining Packages) and make them available as independent package modules (see Package Modules). It is also customizable: users can derive specialized package definitions from existing ones, including from the command line (see Package Transformation Options).

Under the hood, Guix implements the functional package management discipline pioneered by Nix (see Acknowledgments). In Guix, the package build and installation process is seen as a function, in the mathematical sense. That function takes inputs, such as build scripts, a compiler, and libraries, and returns an installed package. As a pure function, its result depends solely on its inputs—for instance, it cannot refer to software or scripts that were not explicitly passed as inputs. A build function always produces the same result when passed a given set of inputs. It cannot alter the environment of the running system in any way; for instance, it cannot create, modify, or delete files outside of its build and installation directories. This is achieved by running build processes in isolated environments (or containers), where only their explicit inputs are visible.

The result of package build functions is cached in the file system, in a special directory called the store (see The Store). Each package is installed in a directory of its own in the store—by default under /gnu/store. The directory name contains a hash of all the inputs used to build that package; thus, changing an input yields a different directory name.

This approach is the foundation for the salient features of Guix: support for transactional package upgrade and rollback, per-user installation, and garbage collection of packages (see Features).

Previous: , Up: Introduction   [Contents][Index]

1.2 GNU Distribution

Guix comes with a distribution of the GNU system consisting entirely of free software3. The distribution can be installed on its own (see System Installation), but it is also possible to install Guix as a package manager on top of an installed GNU/Linux system (see Installation). When we need to distinguish between the two, we refer to the standalone distribution as Guix System.

The distribution provides core GNU packages such as GNU libc, GCC, and Binutils, as well as many GNU and non-GNU applications. The complete list of available packages can be browsed on-line or by running guix package (see Invoking guix package):

guix package --list-available

Our goal is to provide a practical 100% free software distribution of Linux-based and other variants of GNU, with a focus on the promotion and tight integration of GNU components, and an emphasis on programs and tools that help users exert that freedom.

Packages are currently available on the following platforms:


Intel/AMD x86_64 architecture, Linux-Libre kernel.


Intel 32-bit architecture (IA32), Linux-Libre kernel.


ARMv7-A architecture with hard float, Thumb-2 and NEON, using the EABI hard-float application binary interface (ABI), and Linux-Libre kernel.


little-endian 64-bit ARMv8-A processors, Linux-Libre kernel.


GNU/Hurd on the Intel 32-bit architecture (IA32).

This configuration is experimental and under development. The easiest way for you to give it a try is by setting up an instance of hurd-vm-service-type on your GNU/Linux machine (see hurd-vm-service-type). See Contributing, on how to help!

mips64el-linux (deprecated)

little-endian 64-bit MIPS processors, specifically the Loongson series, n32 ABI, and Linux-Libre kernel. This configuration is no longer fully supported; in particular, there is no ongoing work to ensure that this architecture still works. Should someone decide they wish to revive this architecture then the code is still available.


little-endian 64-bit Power ISA processors, Linux-Libre kernel. This includes POWER9 systems such as the RYF Talos II mainboard. This platform is available as a "technology preview": although it is supported, substitutes are not yet available from the build farm (see Substitutes), and some packages may fail to build (see Tracking Bugs and Patches). That said, the Guix community is actively working on improving this support, and now is a great time to try it and get involved!

With Guix System, you declare all aspects of the operating system configuration and Guix takes care of instantiating the configuration in a transactional, reproducible, and stateless fashion (see System Configuration). Guix System uses the Linux-libre kernel, the Shepherd initialization system (see Introduction in The GNU Shepherd Manual), the well-known GNU utilities and tool chain, as well as the graphical environment or system services of your choice.

Guix System is available on all the above platforms except mips64el-linux and powerpc64le-linux.

For information on porting to other architectures or kernels, see Porting.

Building this distribution is a cooperative effort, and you are invited to join! See Contributing, for information about how you can help.

Next: , Previous: , Up: Top   [Contents][Index]

2 Installation

Note: We recommend the use of this shell installer script to install Guix on top of a running GNU/Linux system, thereafter called a foreign distro.4 The script automates the download, installation, and initial configuration of Guix. It should be run as the root user.

When installed on a foreign distro, GNU Guix complements the available tools without interference. Its data lives exclusively in two directories, usually /gnu/store and /var/guix; other files on your system, such as /etc, are left untouched.

Once installed, Guix can be updated by running guix pull (see Invoking guix pull).

If you prefer to perform the installation steps manually or want to tweak them, you may find the following subsections useful. They describe the software requirements of Guix, as well as how to install it manually and get ready to use it.

Next: , Up: Installation   [Contents][Index]

2.1 Binary Installation

This section describes how to install Guix on an arbitrary system from a self-contained tarball providing binaries for Guix and for all its dependencies. This is often quicker than installing from source, which is described in the next sections. The only requirement is to have GNU tar and Xz.

Note: We recommend the use of this shell installer script. The script automates the download, installation, and initial configuration steps described below. It should be run as the root user. As root, you can thus run this:

cd /tmp
chmod +x

When you’re done, see Application Setup for extra configuration you might need, and Getting Started for your first steps!

Installing goes along these lines:

  1. Download the binary tarball from ‘’, where x86_64-linux can be replaced with i686-linux for an i686 (32-bits) machine already running the kernel Linux, and so on (see GNU Distribution).

    Make sure to download the associated .sig file and to verify the authenticity of the tarball against it, along these lines:

    $ wget
    $ gpg --verify guix-binary-1.3.0.x86_64-linux.tar.xz.sig

    If that command fails because you do not have the required public key, then run this command to import it:

    $ wget '' \
          -qO - | gpg --import -

    and rerun the gpg --verify command.

    Take note that a warning like “This key is not certified with a trusted signature!” is normal.

  2. Now, you need to become the root user. Depending on your distribution, you may have to run su - or sudo -i. As root, run:
    # cd /tmp
    # tar --warning=no-timestamp -xf \
    # mv var/guix /var/ && mv gnu /

    This creates /gnu/store (see The Store) and /var/guix. The latter contains a ready-to-use profile for root (see next step).

    Do not unpack the tarball on a working Guix system since that would overwrite its own essential files.

    The --warning=no-timestamp option makes sure GNU tar does not emit warnings about “implausibly old time stamps” (such warnings were triggered by GNU tar 1.26 and older; recent versions are fine). They stem from the fact that all the files in the archive have their modification time set to 1 (which means January 1st, 1970). This is done on purpose to make sure the archive content is independent of its creation time, thus making it reproducible.

  3. Make the profile available under ~root/.config/guix/current, which is where guix pull will install updates (see Invoking guix pull):
    # mkdir -p ~root/.config/guix
    # ln -sf /var/guix/profiles/per-user/root/current-guix \

    Source etc/profile to augment PATH and other relevant environment variables:

    # GUIX_PROFILE="`echo ~root`/.config/guix/current" ; \
      source $GUIX_PROFILE/etc/profile
  4. Create the group and user accounts for build users as explained below (see Build Environment Setup).
  5. Run the daemon, and set it to automatically start on boot.

    If your host distro uses the systemd init system, this can be achieved with these commands:

    # cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
         ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
    # systemctl enable --now gnu-store.mount guix-daemon

    If your host distro uses the Upstart init system:

    # initctl reload-configuration
    # cp ~root/.config/guix/current/lib/upstart/system/guix-daemon.conf \
    # start guix-daemon

    Otherwise, you can still start the daemon manually with:

    # ~root/.config/guix/current/bin/guix-daemon \
  6. Make the guix command available to other users on the machine, for instance with:
    # mkdir -p /usr/local/bin
    # cd /usr/local/bin
    # ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix

    It is also a good idea to make the Info version of this manual available there:

    # mkdir -p /usr/local/share/info
    # cd /usr/local/share/info
    # for i in /var/guix/profiles/per-user/root/current-guix/share/info/* ;
      do ln -s $i ; done

    That way, assuming /usr/local/share/info is in the search path, running info guix will open this manual (see Other Info Directories in GNU Texinfo, for more details on changing the Info search path).

  7. To use substitutes from or one of its mirrors (see Substitutes), authorize them:
    # guix archive --authorize < \
  8. Each user may need to perform a few additional steps to make their Guix environment ready for use, see Application Setup.

Voilà, the installation is complete!

You can confirm that Guix is working by installing a sample package into the root profile:

# guix install hello

The binary installation tarball can be (re)produced and verified simply by running the following command in the Guix source tree:

make guix-binary.system.tar.xz

... which, in turn, runs:

guix pack -s system --localstatedir \
  --profile-name=current-guix guix

See Invoking guix pack, for more info on this handy tool.

Next: , Previous: , Up: Installation   [Contents][Index]

2.2 Requirements

This section lists requirements when building Guix from source. The build procedure for Guix is the same as for other GNU software, and is not covered here. Please see the files README and INSTALL in the Guix source tree for additional details.

GNU Guix is available for download from its website at

GNU Guix depends on the following packages:

The following dependencies are optional:

Unless --disable-daemon was passed to configure, the following packages are also needed:

When configuring Guix on a system that already has a Guix installation, be sure to specify the same state directory as the existing installation using the --localstatedir option of the configure script (see localstatedir in GNU Coding Standards). Usually, this localstatedir option is set to the value /var. The configure script protects against unintended misconfiguration of localstatedir so you do not inadvertently corrupt your store (see The Store).

Next: , Previous: , Up: Installation   [Contents][Index]

2.3 Running the Test Suite

After a successful configure and make run, it is a good idea to run the test suite. It can help catch issues with the setup or environment, or bugs in Guix itself—and really, reporting test failures is a good way to help improve the software. To run the test suite, type:

make check

Test cases can run in parallel: you can use the -j option of GNU make to speed things up. The first run may take a few minutes on a recent machine; subsequent runs will be faster because the store that is created for test purposes will already have various things in cache.

It is also possible to run a subset of the tests by defining the TESTS makefile variable as in this example:

make check TESTS="tests/store.scm tests/cpio.scm"

By default, tests results are displayed at a file level. In order to see the details of every individual test cases, it is possible to define the SCM_LOG_DRIVER_FLAGS makefile variable as in this example:

make check TESTS="tests/base64.scm" SCM_LOG_DRIVER_FLAGS="--brief=no"

The underlying SRFI 64 custom Automake test driver used for the ’check’ test suite (located at build-aux/test-driver.scm) also allows selecting which test cases to run at a finer level, via its --select and --exclude options. Here’s an example, to run all the test cases from the tests/packages.scm test file whose names start with “transaction-upgrade-entry”:

export SCM_LOG_DRIVER_FLAGS="--select=^transaction-upgrade-entry"
make check TESTS="tests/packages.scm"

Those wishing to inspect the results of failed tests directly from the command line can add the --errors-only=yes option to the SCM_LOG_DRIVER_FLAGS makefile variable and set the VERBOSE Automake makefile variable, as in:

make check SCM_LOG_DRIVER_FLAGS="--brief=no --errors-only=yes" VERBOSE=1

The --show-duration=yes option can be used to print the duration of the individual test cases, when used in combination with --brief=no:

make check SCM_LOG_DRIVER_FLAGS="--brief=no --show-duration=yes"

See Parallel Test Harness in GNU Automake for more information about the Automake Parallel Test Harness.

Upon failure, please email and attach the test-suite.log file. Please specify the Guix version being used as well as version numbers of the dependencies (see Requirements) in your message.

Guix also comes with a whole-system test suite that tests complete Guix System instances. It can only run on systems where Guix is already installed, using:

make check-system

or, again, by defining TESTS to select a subset of tests to run:

make check-system TESTS="basic mcron"

These system tests are defined in the (gnu tests …) modules. They work by running the operating systems under test with lightweight instrumentation in a virtual machine (VM). They can be computationally intensive or rather cheap, depending on whether substitutes are available for their dependencies (see Substitutes). Some of them require a lot of storage space to hold VM images.

Again in case of test failures, please send all the details.

Next: , Previous: , Up: Installation   [Contents][Index]

2.4 Setting Up the Daemon

Operations such as building a package or running the garbage collector are all performed by a specialized process, the build daemon, on behalf of clients. Only the daemon may access the store and its associated database. Thus, any operation that manipulates the store goes through the daemon. For instance, command-line tools such as guix package and guix build communicate with the daemon (via remote procedure calls) to instruct it what to do.

The following sections explain how to prepare the build daemon’s environment. See also Substitutes, for information on how to allow the daemon to download pre-built binaries.

Next: , Up: Setting Up the Daemon   [Contents][Index]

2.4.1 Build Environment Setup

In a standard multi-user setup, Guix and its daemon—the guix-daemon program—are installed by the system administrator; /gnu/store is owned by root and guix-daemon runs as root. Unprivileged users may use Guix tools to build packages or otherwise access the store, and the daemon will do it on their behalf, ensuring that the store is kept in a consistent state, and allowing built packages to be shared among users.

When guix-daemon runs as root, you may not want package build processes themselves to run as root too, for obvious security reasons. To avoid that, a special pool of build users should be created for use by build processes started by the daemon. These build users need not have a shell and a home directory: they will just be used when the daemon drops root privileges in build processes. Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other—an essential feature since builds are regarded as pure functions (see Introduction).

On a GNU/Linux system, a build user pool may be created like this (using Bash syntax and the shadow commands):

# groupadd --system guixbuild
# for i in $(seq -w 1 10);
    useradd -g guixbuild -G guixbuild           \
            -d /var/empty -s $(which nologin)   \
            -c "Guix build user $i" --system    \

The number of build users determines how many build jobs may run in parallel, as specified by the --max-jobs option (see --max-jobs). To use guix system vm and related commands, you may need to add the build users to the kvm group so they can access /dev/kvm, using -G guixbuild,kvm instead of -G guixbuild (see Invoking guix system).

The guix-daemon program may then be run as root with the following command5:

# guix-daemon --build-users-group=guixbuild

This way, the daemon starts build processes in a chroot, under one of the guixbuilder users. On GNU/Linux, by default, the chroot environment contains nothing but:

You can influence the directory where the daemon stores build trees via the TMPDIR environment variable. However, the build tree within the chroot is always called /tmp/guix-build-name.drv-0, where name is the derivation name—e.g., coreutils-8.24. This way, the value of TMPDIR does not leak inside build environments, which avoids discrepancies in cases where build processes capture the name of their build tree.

The daemon also honors the http_proxy and https_proxy environment variables for HTTP and HTTPS downloads it performs, be it for fixed-output derivations (see Derivations) or for substitutes (see Substitutes).

If you are installing Guix as an unprivileged user, it is still possible to run guix-daemon provided you pass --disable-chroot. However, build processes will not be isolated from one another, and not from the rest of the system. Thus, build processes may interfere with each other, and may access programs, libraries, and other files available on the system—making it much harder to view them as pure functions.

Next: , Previous: , Up: Setting Up the Daemon   [Contents][Index]

2.4.2 Using the Offload Facility

When desired, the build daemon can offload derivation builds to other machines running Guix, using the offload build hook7. When that feature is enabled, a list of user-specified build machines is read from /etc/guix/machines.scm; every time a build is requested, for instance via guix build, the daemon attempts to offload it to one of the machines that satisfy the constraints of the derivation, in particular its system types—e.g., x86_64-linux. A single machine can have multiple system types, either because its architecture natively supports it, via emulation (see Transparent Emulation with QEMU), or both. Missing prerequisites for the build are copied over SSH to the target machine, which then proceeds with the build; upon success the output(s) of the build are copied back to the initial machine. The offload facility comes with a basic scheduler that attempts to select the best machine. The best machine is chosen among the available machines based on criteria such as:

  1. The availability of a build slot. A build machine can have as many build slots (connections) as the value of the parallel-builds field of its build-machine object.
  2. Its relative speed, as defined via the speed field of its build-machine object.
  3. Its load. The normalized machine load must be lower than a threshold value, configurable via the overload-threshold field of its build-machine object.
  4. Disk space availability. More than a 100 MiB must be available.

The /etc/guix/machines.scm file typically looks like this:

(list (build-machine
        (name "")
        (systems (list "x86_64-linux" "i686-linux"))
        (host-key "ssh-ed25519 AAAAC3Nza…")
        (user "bob")
        (speed 2.))     ;incredibly fast!

        (name "")
        (systems (list "aarch64-linux"))
        (host-key "ssh-rsa AAAAB3Nza…")
        (user "alice")
         (string-append (getenv "HOME")

In the example above we specify a list of two build machines, one for the x86_64 and i686 architectures and one for the aarch64 architecture.

In fact, this file is—not surprisingly!—a Scheme file that is evaluated when the offload hook is started. Its return value must be a list of build-machine objects. While this example shows a fixed list of build machines, one could imagine, say, using DNS-SD to return a list of potential build machines discovered in the local network (see Guile-Avahi in Using Avahi in Guile Scheme Programs). The build-machine data type is detailed below.

Data Type: build-machine

This data type represents build machines to which the daemon may offload builds. The important fields are:


The host name of the remote machine.


The system types the remote machine supports—e.g., (list "x86_64-linux" "i686-linux").


The user account to use when connecting to the remote machine over SSH. Note that the SSH key pair must not be passphrase-protected, to allow non-interactive logins.


This must be the machine’s SSH public host key in OpenSSH format. This is used to authenticate the machine when we connect to it. It is a long string that looks like this:

ssh-ed25519 AAAAC3NzaC…mde+UhL

If the machine is running the OpenSSH daemon, sshd, the host key can be found in a file such as /etc/ssh/

If the machine is running the SSH daemon of GNU lsh, lshd, the host key is in /etc/lsh/ or a similar file. It can be converted to the OpenSSH format using lsh-export-key (see Converting keys in LSH Manual):

$ lsh-export-key --openssh < /etc/lsh/

A number of optional fields may be specified:

port (default: 22)

Port number of SSH server on the machine.

private-key (default: ~root/.ssh/id_rsa)

The SSH private key file to use when connecting to the machine, in OpenSSH format. This key must not be protected with a passphrase.

Note that the default value is the private key of the root account. Make sure it exists if you use the default.

compression (default: ",zlib")
compression-level (default: 3)

The SSH-level compression methods and compression level requested.

Note that offloading relies on SSH compression to reduce bandwidth usage when transferring files to and from build machines.

daemon-socket (default: "/var/guix/daemon-socket/socket")

File name of the Unix-domain socket guix-daemon is listening to on that machine.

overload-threshold (default: 0.6)

The load threshold above which a potential offload machine is disregarded by the offload scheduler. The value roughly translates to the total processor usage of the build machine, ranging from 0.0 (0%) to 1.0 (100%). It can also be disabled by setting overload-threshold to #f.

parallel-builds (default: 1)

The number of builds that may run in parallel on the machine.

speed (default: 1.0)

A “relative speed factor”. The offload scheduler will tend to prefer machines with a higher speed factor.

features (default: '())

A list of strings denoting specific features supported by the machine. An example is "kvm" for machines that have the KVM Linux modules and corresponding hardware support. Derivations can request features by name, and they will be scheduled on matching build machines.

The guix command must be in the search path on the build machines. You can check whether this is the case by running:

ssh build-machine guix repl --version

There is one last thing to do once machines.scm is in place. As explained above, when offloading, files are transferred back and forth between the machine stores. For this to work, you first need to generate a key pair on each machine to allow the daemon to export signed archives of files from the store (see Invoking guix archive):

# guix archive --generate-key

Each build machine must authorize the key of the master machine so that it accepts store items it receives from the master:

# guix archive --authorize < master-public-key.txt

Likewise, the master machine must authorize the key of each build machine.

All the fuss with keys is here to express pairwise mutual trust relations between the master and the build machines. Concretely, when the master receives files from a build machine (and vice versa), its build daemon can make sure they are genuine, have not been tampered with, and that they are signed by an authorized key.

To test whether your setup is operational, run this command on the master node:

# guix offload test

This will attempt to connect to each of the build machines specified in /etc/guix/machines.scm, make sure Guix is available on each machine, attempt to export to the machine and import from it, and report any error in the process.

If you want to test a different machine file, just specify it on the command line:

# guix offload test machines-qualif.scm

Last, you can test the subset of the machines whose name matches a regular expression like this:

# guix offload test machines.scm '\.gnu\.org$'

To display the current load of all build hosts, run this command on the main node:

# guix offload status

Previous: , Up: Setting Up the Daemon   [Contents][Index]

2.4.3 SELinux Support

Guix includes an SELinux policy file at etc/guix-daemon.cil that can be installed on a system where SELinux is enabled, in order to label Guix files and to specify the expected behavior of the daemon. Since Guix System does not provide an SELinux base policy, the daemon policy cannot be used on Guix System. Installing the SELinux policy

To install the policy run this command as root:

semodule -i etc/guix-daemon.cil

Then relabel the file system with restorecon or by a different mechanism provided by your system.

Once the policy is installed, the file system has been relabeled, and the daemon has been restarted, it should be running in the guix_daemon_t context. You can confirm this with the following command:

ps -Zax | grep guix-daemon

Monitor the SELinux log files as you run a command like guix build hello to convince yourself that SELinux permits all necessary operations. Limitations

This policy is not perfect. Here is a list of limitations or quirks that should be considered when deploying the provided SELinux policy for the Guix daemon.

  1. guix_daemon_socket_t isn’t actually used. None of the socket operations involve contexts that have anything to do with guix_daemon_socket_t. It doesn’t hurt to have this unused label, but it would be preferable to define socket rules for only this label.
  2. guix gc cannot access arbitrary links to profiles. By design, the file label of the destination of a symlink is independent of the file label of the link itself. Although all profiles under $localstatedir are labelled, the links to these profiles inherit the label of the directory they are in. For links in the user’s home directory this will be user_home_t. But for links from the root user’s home directory, or /tmp, or the HTTP server’s working directory, etc, this won’t work. guix gc would be prevented from reading and following these links.
  3. The daemon’s feature to listen for TCP connections might no longer work. This might require extra rules, because SELinux treats network sockets differently from files.
  4. Currently all files with a name matching the regular expression /gnu/store/.+-(guix-.+|profile)/bin/guix-daemon are assigned the label guix_daemon_exec_t; this means that any file with that name in any profile would be permitted to run in the guix_daemon_t domain. This is not ideal. An attacker could build a package that provides this executable and convince a user to install and run it, which lifts it into the guix_daemon_t domain. At that point SELinux could not prevent it from accessing files that are allowed for processes in that domain.

    You will need to relabel the store directory after all upgrades to guix-daemon, such as after running guix pull. Assuming the store is in /gnu, you can do this with restorecon -vR /gnu, or by other means provided by your operating system.

    We could generate a much more restrictive policy at installation time, so that only the exact file name of the currently installed guix-daemon executable would be labelled with guix_daemon_exec_t, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running guix-daemon executable is upgraded.

Next: , Previous: , Up: Installation   [Contents][Index]

2.5 Invoking guix-daemon

The guix-daemon program implements all the functionality to access the store. This includes launching build processes, running the garbage collector, querying the availability of a build result, etc. It is normally run as root like this:

# guix-daemon --build-users-group=guixbuild

For details on how to set it up, see Setting Up the Daemon.

By default, guix-daemon launches build processes under different UIDs, taken from the build group specified with --build-users-group. In addition, each build process is run in a chroot environment that only contains the subset of the store that the build process depends on, as specified by its derivation (see derivation), plus a set of specific system directories. By default, the latter contains /dev and /dev/pts. Furthermore, on GNU/Linux, the build environment is a container: in addition to having its own file system tree, it has a separate mount name space, its own PID name space, network name space, etc. This helps achieve reproducible builds (see Features).

When the daemon performs a build on behalf of the user, it creates a build directory under /tmp or under the directory specified by its TMPDIR environment variable. This directory is shared with the container for the duration of the build, though within the container, the build tree is always called /tmp/guix-build-name.drv-0.

The build directory is automatically deleted upon completion, unless the build failed and the client specified --keep-failed (see --keep-failed).

The daemon listens for connections and spawns one sub-process for each session started by a client (one of the guix sub-commands). The guix processes command allows you to get an overview of the activity on your system by viewing each of the active sessions and clients. See Invoking guix processes, for more information.

The following command-line options are supported:


Take users from group to run build processes (see build users).


Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).

When the daemon runs with --no-substitutes, clients can still explicitly enable substitution via the set-build-options remote procedure call (see The Store).


Consider urls the default whitespace-separated list of substitute source URLs. When this option is omitted, ‘’ is used.

This means that substitutes may be downloaded from urls, as long as they are signed by a trusted signature (see Substitutes).

See Getting Substitutes from Other Servers, for more information on how to configure the daemon to get substitutes from other servers.


Do not use offload builds to other machines (see Daemon Offload Setup). That is, always build things locally instead of offloading builds to remote machines.


Cache build failures. By default, only successful builds are cached.

When this option is used, guix gc --list-failures can be used to query the set of store items marked as failed; guix gc --clear-failures removes store items from the set of cached failures. See Invoking guix gc.

-c n

Use n CPU cores to build each derivation; 0 means as many as available.

The default value is 0, but it may be overridden by clients, such as the --cores option of guix build (see Invoking guix build).

The effect is to define the NIX_BUILD_CORES environment variable in the build process, which can then use it to exploit internal parallelism—for instance, by running make -j$NIX_BUILD_CORES.

-M n

Allow at most n build jobs in parallel. The default value is 1. Setting it to 0 means that no builds will be performed locally; instead, the daemon will offload builds (see Daemon Offload Setup), or simply fail.


When the build or substitution process remains silent for more than seconds, terminate it and report a build failure.

The default value is 0, which disables the timeout.

The value specified here can be overridden by clients (see --max-silent-time).


Likewise, when the build or substitution process lasts for more than seconds, terminate it and report a build failure.

The default value is 0, which disables the timeout.

The value specified here can be overridden by clients (see --timeout).


Build each derivation n times in a row, and raise an error if consecutive build results are not bit-for-bit identical. Note that this setting can be overridden by clients such as guix build (see Invoking guix build).

When used in conjunction with --keep-failed, the differing output is kept in the store, under /gnu/store/…-check. This makes it easy to look for differences between the two results.


Produce debugging output.

This is useful to debug daemon start-up issues, but then it may be overridden by clients, for example the --verbosity option of guix build (see Invoking guix build).


Add dir to the build chroot.

Doing this may change the result of build processes—for instance if they use optional dependencies found in dir when it is available, and not otherwise. For that reason, it is not recommended to do so. Instead, make sure that each derivation declares all the inputs that it needs.


Disable chroot builds.

Using this option is not recommended since, again, it would allow build processes to gain access to undeclared dependencies. It is necessary, though, when guix-daemon is running under an unprivileged user account.


Compress build logs according to type, one of gzip, bzip2, or none.

Unless --lose-logs is used, all the build logs are kept in the localstatedir. To save space, the daemon automatically compresses them with Bzip2 by default.


Whether to discover substitute servers on the local network using mDNS and DNS-SD.

This feature is still experimental. However, here are a few considerations.

  1. It might be faster/less expensive than fetching from remote servers;
  2. There are no security risks, only genuine substitutes will be used (see Substitute Authentication);
  3. An attacker advertising guix publish on your LAN cannot serve you malicious binaries, but they can learn what software you’re installing;
  4. Servers may serve substitute over HTTP, unencrypted, so anyone on the LAN can see what software you’re installing.

It is also possible to enable or disable substitute server discovery at run-time by running:

herd discover guix-daemon on
herd discover guix-daemon off

Disable automatic file “deduplication” in the store.

By default, files added to the store are automatically “deduplicated”: if a newly added file is identical to another one found in the store, the daemon makes the new file a hard link to the other file. This can noticeably reduce disk usage, at the expense of slightly increased input/output load at the end of a build process. This option disables this optimization.


Tell whether the garbage collector (GC) must keep outputs of live derivations.

When set to yes, the GC will keep the outputs of any live derivation available in the store—the .drv files. The default is no, meaning that derivation outputs are kept only if they are reachable from a GC root. See Invoking guix gc, for more on GC roots.


Tell whether the garbage collector (GC) must keep derivations corresponding to live outputs.

When set to yes, as is the case by default, the GC keeps derivations—i.e., .drv files—as long as at least one of their outputs is live. This allows users to keep track of the origins of items in their store. Setting it to no saves a bit of disk space.

In this way, setting --gc-keep-derivations to yes causes liveness to flow from outputs to derivations, and setting --gc-keep-outputs to yes causes liveness to flow from derivations to outputs. When both are set to yes, the effect is to keep all the build prerequisites (the sources, compiler, libraries, and other build-time tools) of live objects in the store, regardless of whether these prerequisites are reachable from a GC root. This is convenient for developers since it saves rebuilds or downloads.


On Linux-based systems, impersonate Linux 2.6. This means that the kernel’s uname system call will report 2.6 as the release number.

This might be helpful to build programs that (usually wrongfully) depend on the kernel version number.


Do not keep build logs. By default they are kept under localstatedir/guix/log.


Assume system as the current system type. By default it is the architecture/kernel pair found at configure time, such as x86_64-linux.


Listen for connections on endpoint. endpoint is interpreted as the file name of a Unix-domain socket if it starts with / (slash sign). Otherwise, endpoint is interpreted as a host name or host name and port to listen to. Here are a few examples:


Listen for connections on the /gnu/var/daemon Unix-domain socket, creating it if needed.


Listen for TCP connections on the network interface corresponding to localhost, on port 44146.


Listen for TCP connections on the network interface corresponding to, on port 1234.

This option can be repeated multiple times, in which case guix-daemon accepts connections on all the specified endpoints. Users can tell client commands what endpoint to connect to by setting the GUIX_DAEMON_SOCKET environment variable (see GUIX_DAEMON_SOCKET).

Note: The daemon protocol is unauthenticated and unencrypted. Using --listen=host is suitable on local networks, such as clusters, where only trusted nodes may connect to the build daemon. In other cases where remote access to the daemon is needed, we recommend using Unix-domain sockets along with SSH.

When --listen is omitted, guix-daemon listens for connections on the Unix-domain socket located at localstatedir/guix/daemon-socket/socket.

Next: , Previous: , Up: Installation   [Contents][Index]

2.6 Application Setup

When using Guix on top of GNU/Linux distribution other than Guix System—a so-called foreign distro—a few additional steps are needed to get everything in place. Here are some of them.

2.6.1 Locales

Packages installed via Guix will not use the locale data of the host system. Instead, you must first install one of the locale packages available with Guix and then define the GUIX_LOCPATH environment variable:

$ guix install glibc-locales
$ export GUIX_LOCPATH=$HOME/.guix-profile/lib/locale

Note that the glibc-locales package contains data for all the locales supported by the GNU libc and weighs in at around 917 MiB. Alternatively, the glibc-utf8-locales is smaller but limited to a few UTF-8 locales.

The GUIX_LOCPATH variable plays a role similar to LOCPATH (see LOCPATH in The GNU C Library Reference Manual). There are two important differences though:

  1. GUIX_LOCPATH is honored only by the libc in Guix, and not by the libc provided by foreign distros. Thus, using GUIX_LOCPATH allows you to make sure the programs of the foreign distro will not end up loading incompatible locale data.
  2. libc suffixes each entry of GUIX_LOCPATH with /X.Y, where X.Y is the libc version—e.g., 2.22. This means that, should your Guix profile contain a mixture of programs linked against different libc version, each libc version will only try to load locale data in the right format.

This is important because the locale data format used by different libc versions may be incompatible.

2.6.2 Name Service Switch

When using Guix on a foreign distro, we strongly recommend that the system run the GNU C library’s name service cache daemon, nscd, which should be listening on the /var/run/nscd/socket socket. Failing to do that, applications installed with Guix may fail to look up host names or user accounts, or may even crash. The next paragraphs explain why.

The GNU C library implements a name service switch (NSS), which is an extensible mechanism for “name lookups” in general: host name resolution, user accounts, and more (see Name Service Switch in The GNU C Library Reference Manual).

Being extensible, the NSS supports plugins, which provide new name lookup implementations: for example, the nss-mdns plugin allow resolution of .local host names, the nis plugin allows user account lookup using the Network information service (NIS), and so on. These extra “lookup services” are configured system-wide in /etc/nsswitch.conf, and all the programs running on the system honor those settings (see NSS Configuration File in The GNU C Reference Manual).

When they perform a name lookup—for instance by calling the getaddrinfo function in C—applications first try to connect to the nscd; on success, nscd performs name lookups on their behalf. If the nscd is not running, then they perform the name lookup by themselves, by loading the name lookup services into their own address space and running it. These name lookup services—the libnss_*.so files—are dlopen’d, but they may come from the host system’s C library, rather than from the C library the application is linked against (the C library coming from Guix).

And this is where the problem is: if your application is linked against Guix’s C library (say, glibc 2.24) and tries to load NSS plugins from another C library (say, for glibc 2.22), it will likely crash or have its name lookups fail unexpectedly.

Running nscd on the system, among other advantages, eliminates this binary incompatibility problem because those libnss_*.so files are loaded in the nscd process, not in applications themselves.

2.6.3 X11 Fonts

The majority of graphical applications use Fontconfig to locate and load fonts and perform X11-client-side rendering. The fontconfig package in Guix looks for fonts in $HOME/.guix-profile by default. Thus, to allow graphical applications installed with Guix to display fonts, you have to install fonts with Guix as well. Essential font packages include gs-fonts, font-dejavu, and font-gnu-freefont.

Once you have installed or removed fonts, or when you notice an application that does not find fonts, you may need to install Fontconfig and to force an update of its font cache by running:

guix install fontconfig
fc-cache -rv

To display text written in Chinese languages, Japanese, or Korean in graphical applications, consider installing font-adobe-source-han-sans or font-wqy-zenhei. The former has multiple outputs, one per language family (see Packages with Multiple Outputs). For instance, the following command installs fonts for Chinese languages:

guix install font-adobe-source-han-sans:cn

Older programs such as xterm do not use Fontconfig and instead rely on server-side font rendering. Such programs require to specify a full name of a font using XLFD (X Logical Font Description), like this:

-*-dejavu sans-medium-r-normal-*-*-100-*-*-*-*-*-1

To be able to use such full names for the TrueType fonts installed in your Guix profile, you need to extend the font path of the X server:

xset +fp $(dirname $(readlink -f ~/.guix-profile/share/fonts/truetype/fonts.dir))

After that, you can run xlsfonts (from xlsfonts package) to make sure your TrueType fonts are listed there.

2.6.4 X.509 Certificates

The nss-certs package provides X.509 certificates, which allow programs to authenticate Web servers accessed over HTTPS.

When using Guix on a foreign distro, you can install this package and define the relevant environment variables so that packages know where to look for certificates. See X.509 Certificates, for detailed information.

2.6.5 Emacs Packages

When you install Emacs packages with Guix, the Elisp files are placed under the share/emacs/site-lisp/ directory of the profile in which they are installed. The Elisp libraries are made available to Emacs through the EMACSLOADPATH environment variable, which is set when installing Emacs itself.

Additionally, autoload definitions are automatically evaluated at the initialization of Emacs, by the Guix-specific guix-emacs-autoload-packages procedure. If, for some reason, you want to avoid auto-loading the Emacs packages installed with Guix, you can do so by running Emacs with the --no-site-file option (see Init File in The GNU Emacs Manual).

Previous: , Up: Installation   [Contents][Index]

2.7 Upgrading Guix

To upgrade Guix, run:

guix pull

See Invoking guix pull, for more information.

On a foreign distro, you can upgrade the build daemon by running:

sudo -i guix pull

followed by (assuming your distro uses the systemd service management tool):

systemctl restart guix-daemon.service

On Guix System, upgrading the daemon is achieved by reconfiguring the system (see guix system reconfigure).

Next: , Previous: , Up: Top   [Contents][Index]

3 System Installation

This section explains how to install Guix System on a machine. Guix, as a package manager, can also be installed on top of a running GNU/Linux system, see Installation.

Next: , Up: System Installation   [Contents][Index]

3.1 Limitations

We consider Guix System to be ready for a wide range of “desktop” and server use cases. The reliability guarantees it provides—transactional upgrades and rollbacks, reproducibility—make it a solid foundation.

Nevertheless, before you proceed with the installation, be aware of the following noteworthy limitations applicable to version 1.3.0:

More than a disclaimer, this is an invitation to report issues (and success stories!), and to join us in improving it. See Contributing, for more info.

Next: , Previous: , Up: System Installation   [Contents][Index]

3.2 Hardware Considerations

GNU Guix focuses on respecting the user’s computing freedom. It builds around the kernel Linux-libre, which means that only hardware for which free software drivers and firmware exist is supported. Nowadays, a wide range of off-the-shelf hardware is supported on GNU/Linux-libre—from keyboards to graphics cards to scanners and Ethernet controllers. Unfortunately, there are still areas where hardware vendors deny users control over their own computing, and such hardware is not supported on Guix System.

One of the main areas where free drivers or firmware are lacking is WiFi devices. WiFi devices known to work include those using Atheros chips (AR9271 and AR7010), which corresponds to the ath9k Linux-libre driver, and those using Broadcom/AirForce chips (BCM43xx with Wireless-Core Revision 5), which corresponds to the b43-open Linux-libre driver. Free firmware exists for both and is available out-of-the-box on Guix System, as part of %base-firmware (see firmware).

The Free Software Foundation runs Respects Your Freedom (RYF), a certification program for hardware products that respect your freedom and your privacy and ensure that you have control over your device. We encourage you to check the list of RYF-certified devices.

Another useful resource is the H-Node web site. It contains a catalog of hardware devices with information about their support in GNU/Linux.

Next: , Previous: , Up: System Installation   [Contents][Index]

3.3 USB Stick and DVD Installation

An ISO-9660 installation image that can be written to a USB stick or burnt to a DVD can be downloaded from ‘’, where you can replace x86_64-linux with one of:


for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;


for a 32-bit GNU/Linux system on Intel-compatible CPUs.

Make sure to download the associated .sig file and to verify the authenticity of the image against it, along these lines:

$ wget
$ gpg --verify guix-system-install-1.3.0.x86_64-linux.iso.sig

If that command fails because you do not have the required public key, then run this command to import it:

$ wget \
      -qO - | gpg --import -

and rerun the gpg --verify command.

Take note that a warning like “This key is not certified with a trusted signature!” is normal.

This image contains the tools necessary for an installation. It is meant to be copied as is to a large-enough USB stick or DVD.

Copying to a USB Stick

Insert a USB stick of 1 GiB or more into your machine, and determine its device name. Assuming that the USB stick is known as /dev/sdX, copy the image with:

dd if=guix-system-install-1.3.0.x86_64-linux.iso of=/dev/sdX status=progress

Access to /dev/sdX usually requires root privileges.

Burning on a DVD

Insert a blank DVD into your machine, and determine its device name. Assuming that the DVD drive is known as /dev/srX, copy the image with:

growisofs -dvd-compat -Z /dev/srX=guix-system-install-1.3.0.x86_64-linux.iso

Access to /dev/srX usually requires root privileges.


Once this is done, you should be able to reboot the system and boot from the USB stick or DVD. The latter usually requires you to get in the BIOS or UEFI boot menu, where you can choose to boot from the USB stick. In order to boot from Libreboot, switch to the command mode by pressing the c key and type search_grub usb.

See Installing Guix in a VM, if, instead, you would like to install Guix System in a virtual machine (VM).

Next: , Previous: , Up: System Installation   [Contents][Index]

3.4 Preparing for Installation

Once you have booted, you can use the guided graphical installer, which makes it easy to get started (see Guided Graphical Installation). Alternatively, if you are already familiar with GNU/Linux and if you want more control than what the graphical installer provides, you can choose the “manual” installation process (see Manual Installation).

The graphical installer is available on TTY1. You can obtain root shells on TTYs 3 to 6 by hitting ctrl-alt-f3, ctrl-alt-f4, etc. TTY2 shows this documentation and you can reach it with ctrl-alt-f2. Documentation is browsable using the Info reader commands (see Stand-alone GNU Info). The installation system runs the GPM mouse daemon, which allows you to select text with the left mouse button and to paste it with the middle button.

Note: Installation requires access to the Internet so that any missing dependencies of your system configuration can be downloaded. See the “Networking” section below.

Next: , Previous: , Up: System Installation   [Contents][Index]

3.5 Guided Graphical Installation

The graphical installer is a text-based user interface. It will guide you, with dialog boxes, through the steps needed to install GNU Guix System.

The first dialog boxes allow you to set up the system as you use it during the installation: you can choose the language, keyboard layout, and set up networking, which will be used during the installation. The image below shows the networking dialog.

networking setup with the graphical installer

Later steps allow you to partition your hard disk, as shown in the image below, to choose whether or not to use encrypted file systems, to enter the host name and root password, and to create an additional account, among other things.

partitioning with the graphical installer

Note that, at any time, the installer allows you to exit the current installation step and resume at a previous step, as show in the image below.

resuming the installation process

Once you’re done, the installer produces an operating system configuration and displays it (see Using the Configuration System). At that point you can hit “OK” and installation will proceed. On success, you can reboot into the new system and enjoy. See After System Installation, for what’s next!

Next: , Previous: , Up: System Installation   [Contents][Index]

3.6 Manual Installation

This section describes how you would “manually” install GNU Guix System on your machine. This option requires familiarity with GNU/Linux, with the shell, and with common administration tools. If you think this is not for you, consider using the guided graphical installer (see Guided Graphical Installation).

The installation system provides root shells on TTYs 3 to 6; press ctrl-alt-f3, ctrl-alt-f4, and so on to reach them. It includes many common tools needed to install the system. But it is also a full-blown Guix System, which means that you can install additional packages, should you need it, using guix package (see Invoking guix package).

Next: , Up: Manual Installation   [Contents][Index]

3.6.1 Keyboard Layout, Networking, and Partitioning

Before you can install the system, you may want to adjust the keyboard layout, set up networking, and partition your target hard disk. This section will guide you through this. Keyboard Layout

The installation image uses the US qwerty keyboard layout. If you want to change it, you can use the loadkeys command. For example, the following command selects the Dvorak keyboard layout:

loadkeys dvorak

See the files under /run/current-system/profile/share/keymaps for a list of available keyboard layouts. Run man loadkeys for more information. Networking

Run the following command to see what your network interfaces are called:

ifconfig -a

… or, using the GNU/Linux-specific ip command:

ip address

Wired interfaces have a name starting with ‘e’; for example, the interface corresponding to the first on-board Ethernet controller is called ‘eno1’. Wireless interfaces have a name starting with ‘w’, like ‘w1p2s0’.

Wired connection

To configure a wired network run the following command, substituting interface with the name of the wired interface you want to use.

ifconfig interface up

… or, using the GNU/Linux-specific ip command:

ip link set interface up
Wireless connection

To configure wireless networking, you can create a configuration file for the wpa_supplicant configuration tool (its location is not important) using one of the available text editors such as nano:

nano wpa_supplicant.conf

As an example, the following stanza can go to this file and will work for many wireless networks, provided you give the actual SSID and passphrase for the network you are connecting to:

  psk="the network's secret passphrase"

Start the wireless service and run it in the background with the following command (substitute interface with the name of the network interface you want to use):

wpa_supplicant -c wpa_supplicant.conf -i interface -B

Run man wpa_supplicant for more information.

At this point, you need to acquire an IP address. On a network where IP addresses are automatically assigned via DHCP, you can run:

dhclient -v interface

Try to ping a server to see if networking is up and running:

ping -c 3

Setting up network access is almost always a requirement because the image does not contain all the software and tools that may be needed.

If you need HTTP and HTTPS access to go through a proxy, run the following command:

herd set-http-proxy guix-daemon URL

where URL is the proxy URL, for example

If you want to, you can continue the installation remotely by starting an SSH server:

herd start ssh-daemon

Make sure to either set a password with passwd, or configure OpenSSH public key authentication before logging in. Disk Partitioning

Unless this has already been done, the next step is to partition, and then format the target partition(s).

The installation image includes several partitioning tools, including Parted (see Overview in GNU Parted User Manual), fdisk, and cfdisk. Run it and set up your disk with the partition layout you want:


If your disk uses the GUID Partition Table (GPT) format and you plan to install BIOS-based GRUB (which is the default), make sure a BIOS Boot Partition is available (see BIOS installation in GNU GRUB manual).

If you instead wish to use EFI-based GRUB, a FAT32 EFI System Partition (ESP) is required. This partition can be mounted at /boot/efi for instance and must have the esp flag set. E.g., for parted:

parted /dev/sda set 1 esp on

Note: Unsure whether to use EFI- or BIOS-based GRUB? If the directory /sys/firmware/efi exists in the installation image, then you should probably perform an EFI installation, using grub-efi-bootloader. Otherwise you should use the BIOS-based GRUB, known as grub-bootloader. See Bootloader Configuration, for more info on bootloaders.

Once you are done partitioning the target hard disk drive, you have to create a file system on the relevant partition(s)8. For the ESP, if you have one and assuming it is /dev/sda1, run:

mkfs.fat -F32 /dev/sda1

For the root file system, ext4 is the most widely used format. Other file systems, such as Btrfs, support compression, which is reported to nicely complement file deduplication that the daemon performs independently of the file system (see deduplication).

Preferably, assign file systems a label so that you can easily and reliably refer to them in file-system declarations (see File Systems). This is typically done using the -L option of mkfs.ext4 and related commands. So, assuming the target root partition lives at /dev/sda2, a file system with the label my-root can be created with:

mkfs.ext4 -L my-root /dev/sda2

If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see man cryptsetup for more information). Assuming you want to store the root partition on /dev/sda2, the command sequence would be along these lines:

cryptsetup luksFormat /dev/sda2
cryptsetup open --type luks /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition

Once that is done, mount the target file system under /mnt with a command like (again, assuming my-root is the label of the root file system):

mount LABEL=my-root /mnt

Also mount any other file systems you would like to use on the target system relative to this path. If you have opted for /boot/efi as an EFI mount point for example, mount it at /mnt/boot/efi now so it is found by guix system init afterwards.

Finally, if you plan to use one or more swap partitions (see swap space in The GNU C Library Reference Manual), make sure to initialize them with mkswap. Assuming you have one swap partition on /dev/sda3, you would run:

mkswap /dev/sda3
swapon /dev/sda3

Alternatively, you may use a swap file. For example, assuming that in the new system you want to use the file /swapfile as a swap file, you would run9:

# This is 10 GiB of swap space.  Adjust "count" to change the size.
dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=10240
# For security, make the file readable and writable only by root.
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

Note that if you have encrypted the root partition and created a swap file in its file system as described above, then the encryption also protects the swap file, just like any other file in that file system.

Previous: , Up: Manual Installation   [Contents][Index]

3.6.2 Proceeding with the Installation

With the target partitions ready and the target root mounted on /mnt, we’re ready to go. First, run:

herd start cow-store /mnt

This makes /gnu/store copy-on-write, such that packages added to it during the installation phase are written to the target disk on /mnt rather than kept in memory. This is necessary because the first phase of the guix system init command (see below) entails downloads or builds to /gnu/store which, initially, is an in-memory file system.

Next, you have to edit a file and provide the declaration of the operating system to be installed. To that end, the installation system comes with three text editors. We recommend GNU nano (see GNU nano Manual), which supports syntax highlighting and parentheses matching; other editors include GNU Zile (an Emacs clone), and nvi (a clone of the original BSD vi editor). We strongly recommend storing that file on the target root file system, say, as /mnt/etc/config.scm. Failing to do that, you will have lost your configuration file once you have rebooted into the newly-installed system.

See Using the Configuration System, for an overview of the configuration file. The example configurations discussed in that section are available under /etc/configuration in the installation image. Thus, to get started with a system configuration providing a graphical display server (a “desktop” system), you can run something along these lines:

# mkdir /mnt/etc
# cp /etc/configuration/desktop.scm /mnt/etc/config.scm
# nano /mnt/etc/config.scm

You should pay attention to what your configuration file contains, and in particular:

Once you are done preparing the configuration file, the new system must be initialized (remember that the target root file system is mounted under /mnt):

guix system init /mnt/etc/config.scm /mnt

This copies all the necessary files and installs GRUB on /dev/sdX, unless you pass the --no-bootloader option. For more information, see Invoking guix system. This command may trigger downloads or builds of missing packages, which can take some time.

Once that command has completed—and hopefully succeeded!—you can run reboot and boot into the new system. The root password in the new system is initially empty; other users’ passwords need to be initialized by running the passwd command as root, unless your configuration specifies otherwise (see user account passwords). See After System Installation, for what’s next!

Next: , Previous: , Up: System Installation   [Contents][Index]

3.7 After System Installation

Success, you’ve now booted into Guix System! From then on, you can update the system whenever you want by running, say:

guix pull
sudo guix system reconfigure /etc/config.scm

This builds a new system generation with the latest packages and services (see Invoking guix system). We recommend doing that regularly so that your system includes the latest security updates (see Security Updates).

Note: Note that sudo guix runs your user’s guix command and not root’s, because sudo leaves PATH unchanged. To explicitly run root’s guix, type sudo -i guix ….

The difference matters here, because guix pull updates the guix command and package definitions only for the user it is run as. This means that if you choose to use guix system reconfigure in root’s login shell, you’ll need to guix pull separately.

Now, see Getting Started, and join us on #guix on the Libera Chat IRC network or on to share your experience!

Next: , Previous: , Up: System Installation   [Contents][Index]

3.8 Installing Guix in a Virtual Machine

If you’d like to install Guix System in a virtual machine (VM) or on a virtual private server (VPS) rather than on your beloved machine, this section is for you.

To boot a QEMU VM for installing Guix System in a disk image, follow these steps:

  1. First, retrieve and decompress the Guix system installation image as described previously (see USB Stick and DVD Installation).
  2. Create a disk image that will hold the installed system. To make a qcow2-formatted disk image, use the qemu-img command:
    qemu-img create -f qcow2 guix-system.img 50G

    The resulting file will be much smaller than 50 GB (typically less than 1 MB), but it will grow as the virtualized storage device is filled up.

  3. Boot the USB installation image in an VM:
    qemu-system-x86_64 -m 1024 -smp 1 -enable-kvm \
      -nic user,model=virtio-net-pci -boot menu=on,order=d \
      -drive file=guix-system.img \
      -drive media=cdrom,file=guix-system-install-1.3.0.system.iso

    -enable-kvm is optional, but significantly improves performance, see Running Guix in a VM.

  4. You’re now root in the VM, proceed with the installation process. See Preparing for Installation, and follow the instructions.

Once installation is complete, you can boot the system that’s on your guix-system.img image. See Running Guix in a VM, for how to do that.

Previous: , Up: System Installation   [Contents][Index]

3.9 Building the Installation Image

The installation image described above was built using the guix system command, specifically:

guix system image -t iso9660 gnu/system/install.scm

Have a look at gnu/system/install.scm in the source tree, and see also Invoking guix system for more information about the installation image.

3.10 Building the Installation Image for ARM Boards

Many ARM boards require a specific variant of the U-Boot bootloader.

If you build a disk image and the bootloader is not available otherwise (on another boot drive etc), it’s advisable to build an image that includes the bootloader, specifically:

guix system image --system=armhf-linux -e '((@ (gnu system install) os-with-u-boot) (@ (gnu system install) installation-os) "A20-OLinuXino-Lime2")'

A20-OLinuXino-Lime2 is the name of the board. If you specify an invalid board, a list of possible boards will be printed.

Next: , Previous: , Up: Top   [Contents][Index]

4 Getting Started

Presumably, you’ve reached this section because either you have installed Guix on top of another distribution (see Installation), or you’ve installed the standalone Guix System (see System Installation). It’s time for you to get started using Guix and this section aims to help you do that and give you a feel of what it’s like.

Guix is about installing software, so probably the first thing you’ll want to do is to actually look for software. Let’s say you’re looking for a text editor, you can run:

guix search text editor

This command shows you a number of matching packages, each time showing the package’s name, version, a description, and additional info. Once you’ve found out the one you want to use, let’s say Emacs (ah ha!), you can go ahead and install it (run this command as a regular user, no need for root privileges!):

guix install emacs

You’ve installed your first package, congrats! The package is now visible in your default profile, $HOME/.guix-profile—a profile is a directory containing installed packages. In the process, you’ve probably noticed that Guix downloaded pre-built binaries; or, if you explicitly chose to not use pre-built binaries, then probably Guix is still building software (see Substitutes, for more info).

Unless you’re using Guix System, the guix install command must have printed this hint:

hint: Consider setting the necessary environment variables by running:

     . "$GUIX_PROFILE/etc/profile"

Alternately, see `guix package --search-paths -p "$HOME/.guix-profile"'.

Indeed, you must now tell your shell where emacs and other programs installed with Guix are to be found. Pasting the two lines above will do just that: it will add $HOME/.guix-profile/bin—which is where the installed package is—to the PATH environment variable. You can paste these two lines in your shell so they take effect right away, but more importantly you should add them to ~/.bash_profile (or equivalent file if you do not use Bash) so that environment variables are set next time you spawn a shell. You only need to do this once and other search paths environment variables will be taken care of similarly—e.g., if you eventually install python and Python libraries, PYTHONPATH will be defined.

You can go on installing packages at your will. To list installed packages, run:

guix package --list-installed

To remove a package, you would unsurprisingly run guix remove. A distinguishing feature is the ability to roll back any operation you made—installation, removal, upgrade—by simply typing:

guix package --roll-back

This is because each operation is in fact a transaction that creates a new generation. These generations and the difference between them can be displayed by running:

guix package --list-generations

Now you know the basics of package management!

Going further: See Package Management, for more about package management. You may like declarative package management with guix package --manifest, managing separate profiles with --profile, deleting old generations, collecting garbage, and other nifty features that will come in handy as you become more familiar with Guix. If you are a developer, see Development for additional tools. And if you’re curious, see Features, to peek under the hood.

Once you’ve installed a set of packages, you will want to periodically upgrade them to the latest and greatest version. To do that, you will first pull the latest revision of Guix and its package collection:

guix pull

The end result is a new guix command, under ~/.config/guix/current/bin. Unless you’re on Guix System, the first time you run guix pull, be sure to follow the hint that the command prints and, similar to what we saw above, paste these two lines in your terminal and .bash_profile:

. "$GUIX_PROFILE/etc/profile"

You must also instruct your shell to point to this new guix:

hash guix

At this point, you’re running a brand new Guix. You can thus go ahead and actually upgrade all the packages you previously installed:

guix upgrade

As you run this command, you will see that binaries are downloaded (or perhaps some packages are built), and eventually you end up with the upgraded packages. Should one of these upgraded packages not be to your liking, remember you can always roll back!

You can display the exact revision of Guix you’re currently using by running:

guix describe

The information it displays is all it takes to reproduce the exact same Guix, be it at a different point in time or on a different machine.

Going further: See Invoking guix pull, for more information. See Channels, on how to specify additional channels to pull packages from, how to replicate Guix, and more. You may also find time-machine handy (see Invoking guix time-machine).

If you installed Guix System, one of the first things you’ll want to do is to upgrade your system. Once you’ve run guix pull to get the latest Guix, you can upgrade the system like this:

sudo guix system reconfigure /etc/config.scm

Upon completion, the system runs the latest versions of its software packages. When you eventually reboot, you’ll notice a sub-menu in the bootloader that reads “Old system generations”: it’s what allows you to boot an older generation of your system, should the latest generation be “broken” or otherwise unsatisfying. Just like for packages, you can always roll back to a previous generation of the whole system:

sudo guix system roll-back

There are many things you’ll probably want to tweak on your system: adding new user accounts, adding new system services, fiddling with the configuration of those services, etc. The system configuration is entirely described in the /etc/config.scm file. See Using the Configuration System, to learn how to change it.

Now you know enough to get started!

Resources: The rest of this manual provides a reference for all things Guix. Here are some additional resources you may find useful:

We hope you will enjoy Guix as much as the community enjoys building it!

Next: , Previous: , Up: Top   [Contents][Index]

5 Package Management

The purpose of GNU Guix is to allow users to easily install, upgrade, and remove software packages, without having to know about their build procedures or dependencies. Guix also goes beyond this obvious set of features.

This chapter describes the main features of Guix, as well as the package management tools it provides. Along with the command-line interface described below (see guix package), you may also use the Emacs-Guix interface (see The Emacs-Guix Reference Manual), after installing emacs-guix package (run M-x guix-help command to start with it):

guix install emacs-guix

Next: , Up: Package Management   [Contents][Index]

5.1 Features

Here we assume you’ve already made your first steps with Guix (see Getting Started) and would like to get an overview about what’s going on under the hood.

When using Guix, each package ends up in the package store, in its own directory—something that resembles /gnu/store/xxx-package-1.2, where xxx is a base32 string.

Instead of referring to these directories, users have their own profile, which points to the packages that they actually want to use. These profiles are stored within each user’s home directory, at $HOME/.guix-profile.

For example, alice installs GCC 4.7.2. As a result, /home/alice/.guix-profile/bin/gcc points to /gnu/store/…-gcc-4.7.2/bin/gcc. Now, on the same machine, bob had already installed GCC 4.8.0. The profile of bob simply continues to point to /gnu/store/…-gcc-4.8.0/bin/gcc—i.e., both versions of GCC coexist on the same system without any interference.

The guix package command is the central tool to manage packages (see Invoking guix package). It operates on the per-user profiles, and can be used with normal user privileges.

The command provides the obvious install, remove, and upgrade operations. Each invocation is actually a transaction: either the specified operation succeeds, or nothing happens. Thus, if the guix package process is terminated during the transaction, or if a power outage occurs during the transaction, then the user’s profile remains in its previous state, and remains usable.

In addition, any package transaction may be rolled back. So, if, for example, an upgrade installs a new version of a package that turns out to have a serious bug, users may roll back to the previous instance of their profile, which was known to work well. Similarly, the global system configuration on Guix is subject to transactional upgrades and roll-back (see Using the Configuration System).

All packages in the package store may be garbage-collected. Guix can determine which packages are still referenced by user profiles, and remove those that are provably no longer referenced (see Invoking guix gc). Users may also explicitly remove old generations of their profile so that the packages they refer to can be collected.

Guix takes a purely functional approach to package management, as described in the introduction (see Introduction). Each /gnu/store package directory name contains a hash of all the inputs that were used to build that package—compiler, libraries, build scripts, etc. This direct correspondence allows users to make sure a given package installation matches the current state of their distribution. It also helps maximize build reproducibility: thanks to the isolated build environments that are used, a given build is likely to yield bit-identical files when performed on different machines (see container).

This foundation allows Guix to support transparent binary/source deployment. When a pre-built binary for a /gnu/store item is available from an external source—a substitute, Guix just downloads it and unpacks it; otherwise, it builds the package from source, locally (see Substitutes). Because build results are usually bit-for-bit reproducible, users do not have to trust servers that provide substitutes: they can force a local build and challenge providers (see Invoking guix challenge).

Control over the build environment is a feature that is also useful for developers. The guix environment command allows developers of a package to quickly set up the right development environment for their package, without having to manually install the dependencies of the package into their profile (see Invoking guix environment).

All of Guix and its package definitions is version-controlled, and guix pull allows you to “travel in time” on the history of Guix itself (see Invoking guix pull). This makes it possible to replicate a Guix instance on a different machine or at a later point in time, which in turn allows you to replicate complete software environments, while retaining precise provenance tracking of the software.

Next: , Previous: , Up: Package Management   [Contents][Index]

5.2 Invoking guix package

The guix package command is the tool that allows users to install, upgrade, and remove packages, as well as rolling back to previous configurations. These operations work on a user profile—a directory of installed packages. Each user has a default profile in $HOME/.guix-profile. The command operates only on the user’s own profile, and works with normal user privileges (see Features). Its syntax is:

guix package options

Primarily, options specifies the operations to be performed during the transaction. Upon completion, a new profile is created, but previous generations of the profile remain available, should the user want to roll back.

For example, to remove lua and install guile and guile-cairo in a single transaction:

guix package -r lua -i guile guile-cairo

For your convenience, we also provide the following aliases:

These aliases are less expressive than guix package and provide fewer options, so in some cases you’ll probably want to use guix package directly.

guix package also supports a declarative approach whereby the user specifies the exact set of packages to be available and passes it via the --manifest option (see --manifest).

For each user, a symlink to the user’s default profile is automatically created in $HOME/.guix-profile. This symlink always points to the current generation of the user’s default profile. Thus, users can add $HOME/.guix-profile/bin to their PATH environment variable, and so on. If you are not using Guix System, consider adding the following lines to your ~/.bash_profile (see Bash Startup Files in The GNU Bash Reference Manual) so that newly-spawned shells get all the right environment variable definitions:

GUIX_PROFILE="$HOME/.guix-profile" ; \
source "$GUIX_PROFILE/etc/profile"

In a multi-user setup, user profiles are stored in a place registered as a garbage-collector root, which $HOME/.guix-profile points to (see Invoking guix gc). That directory is normally localstatedir/guix/profiles/per-user/user, where localstatedir is the value passed to configure as --localstatedir, and user is the user name. The per-user directory is created when guix-daemon is started, and the user sub-directory is created by guix package.

The options can be among the following:

-i package

Install the specified packages.

Each package may specify either a simple package name, such as guile, or a package name followed by an at-sign and version number, such as guile@1.8.8 or simply guile@1.8 (in the latter case, the newest version prefixed by 1.8 is selected).

If no version number is specified, the newest available version will be selected. In addition, package may contain a colon, followed by the name of one of the outputs of the package, as in gcc:doc or binutils@2.22:lib (see Packages with Multiple Outputs). Packages with a corresponding name (and optionally version) are searched for among the GNU distribution modules (see Package Modules).

Sometimes packages have propagated inputs: these are dependencies that automatically get installed along with the required package (see propagated-inputs in package objects, for information about propagated inputs in package definitions).

An example is the GNU MPC library: its C header files refer to those of the GNU MPFR library, which in turn refer to those of the GMP library. Thus, when installing MPC, the MPFR and GMP libraries also get installed in the profile; removing MPC also removes MPFR and GMP—unless they had also been explicitly installed by the user.

Besides, packages sometimes rely on the definition of environment variables for their search paths (see explanation of --search-paths below). Any missing or possibly incorrect environment variable definitions are reported here.

-e exp

Install the package exp evaluates to.

exp must be a Scheme expression that evaluates to a <package> object. This option is notably useful to disambiguate between same-named variants of a package, with expressions such as (@ (gnu packages base) guile-final).

Note that this option installs the first output of the specified package, which may be insufficient when needing a specific output of a multiple-output package.

-f file

Install the package that the code within file evaluates to.

As an example, file might contain a definition like this (see Defining Packages):

(use-modules (guix)
             (guix build-system gnu)
             (guix licenses))

  (name "hello")
  (version "2.10")
  (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/hello/hello-" version
  (build-system gnu-build-system)
  (synopsis "Hello, GNU world: An example GNU package")
  (description "Guess what GNU Hello prints!")
  (home-page "")
  (license gpl3+))

Developers may find it useful to include such a guix.scm file in the root of their project source tree that can be used to test development snapshots and create reproducible development environments (see Invoking guix environment).

The file may also contain a JSON representation of one or more package definitions. Running guix package -f on hello.json with the following contents would result in installing the package greeter after building myhello:

    "name": "myhello",
    "version": "2.10",
    "source": "mirror://gnu/hello/hello-2.10.tar.gz",
    "build-system": "gnu",
    "arguments": {
      "tests?": false
    "home-page": "",
    "synopsis": "Hello, GNU world: An example GNU package",
    "description": "GNU Hello prints a greeting.",
    "license": "GPL-3.0+",
    "native-inputs": ["gettext"]
    "name": "greeter",
    "version": "1.0",
    "source": "",
    "build-system": "gnu",
    "arguments": {
      "test-target": "foo",
      "parallel-build?": false,
    "home-page": "",
    "synopsis": "Greeter using GNU Hello",
    "description": "This is a wrapper around GNU Hello.",
    "license": "GPL-3.0+",
    "inputs": ["myhello", "hello"]
-r package

Remove the specified packages.

As for --install, each package may specify a version number and/or output name in addition to the package name. For instance, ‘-r glibc:debug’ would remove the debug output of glibc.

--upgrade[=regexp …]
-u [regexp …]

Upgrade all the installed packages. If one or more regexps are specified, upgrade only installed packages whose name matches a regexp. Also see the --do-not-upgrade option below.

Note that this upgrades package to the latest version of packages found in the distribution currently installed. To update your distribution, you should regularly run guix pull (see Invoking guix pull).

When upgrading, package transformations that were originally applied when creating the profile are automatically re-applied (see Package Transformation Options). For example, assume you first installed Emacs from the tip of its development branch with:

guix install emacs-next --with-branch=emacs-next=master

Next time you run guix upgrade, Guix will again pull the tip of the Emacs development branch and build emacs-next from that checkout.

Note that transformation options such as --with-branch and --with-source depend on external state; it is up to you to ensure that they work as expected. You can also discard a transformations that apply to a package by running:

guix install package
--do-not-upgrade[=regexp …]

When used together with the --upgrade option, do not upgrade any packages whose name matches a regexp. For example, to upgrade all packages in the current profile except those containing the substring “emacs”:

$ guix package --upgrade . --do-not-upgrade emacs
-m file

Create a new generation of the profile from the manifest object returned by the Scheme code in file. This option can be repeated several times, in which case the manifests are concatenated.

This allows you to declare the profile’s contents rather than constructing it through a sequence of --install and similar commands. The advantage is that file can be put under version control, copied to different machines to reproduce the same profile, and so on.

file must return a manifest object, which is roughly a list of packages:

(use-package-modules guile emacs)

 (list emacs
       ;; Use a specific package output.
       (list guile-2.0 "debug")))

In this example we have to know which modules define the emacs and guile-2.0 variables to provide the right use-package-modules line, which can be cumbersome. We can instead provide regular package specifications and let specifications->manifest look up the corresponding package objects, like this:

 '("emacs" "guile@2.2" "guile@2.2:debug"))

See --export-manifest, to learn how to obtain a manifest file from an existing profile.


Roll back to the previous generation of the profile—i.e., undo the last transaction.

When combined with options such as --install, roll back occurs before any other actions.

When rolling back from the first generation that actually contains installed packages, the profile is made to point to the zeroth generation, which contains no files apart from its own metadata.

After having rolled back, installing, removing, or upgrading packages overwrites previous future generations. Thus, the history of the generations in a profile is always linear.

-S pattern

Switch to a particular generation defined by pattern.

pattern may be either a generation number or a number prefixed with “+” or “-”. The latter means: move forward/backward by a specified number of generations. For example, if you want to return to the latest generation after --roll-back, use --switch-generation=+1.

The difference between --roll-back and --switch-generation=-1 is that --switch-generation will not make a zeroth generation, so if a specified generation does not exist, the current generation will not be changed.


Report environment variable definitions, in Bash syntax, that may be needed in order to use the set of installed packages. These environment variables are used to specify search paths for files used by some of the installed packages.

For example, GCC needs the CPATH and LIBRARY_PATH environment variables to be defined so it can look for headers and libraries in the user’s profile (see Environment Variables in Using the GNU Compiler Collection (GCC)). If GCC and, say, the C library are installed in the profile, then --search-paths will suggest setting these variables to profile/include and profile/lib, respectively.

The typical use case is to define these environment variables in the shell:

$ eval `guix package --search-paths`

kind may be one of exact, prefix, or suffix, meaning that the returned environment variable definitions will either be exact settings, or prefixes or suffixes of the current value of these variables. When omitted, kind defaults to exact.

This option can also be used to compute the combined search paths of several profiles. Consider this example:

$ guix package -p foo -i guile
$ guix package -p bar -i guile-json
$ guix package -p foo -p bar --search-paths

The last command above reports about the GUILE_LOAD_PATH variable, even though, taken individually, neither foo nor bar would lead to that recommendation.

-p profile

Use profile instead of the user’s default profile.

profile must be the name of a file that will be created upon completion. Concretely, profile will be a mere symbolic link (“symlink”) pointing to the actual profile where packages are installed:

$ guix install hello -p ~/code/my-profile
$ ~/code/my-profile/bin/hello
Hello, world!

All it takes to get rid of the profile is to remove this symlink and its siblings that point to specific generations:

$ rm ~/code/my-profile ~/code/my-profile-*-link

List all the user’s profiles:

$ guix package --list-profiles

When running as root, list all the profiles of all the users.


Allow colliding packages in the new profile. Use at your own risk!

By default, guix package reports as an error collisions in the profile. Collisions happen when two or more different versions or variants of a given package end up in the profile.


Use the bootstrap Guile to build the profile. This option is only useful to distribution developers.

In addition to these actions, guix package supports the following options to query the current state of a profile, or the availability of packages:

-s regexp

List the available packages whose name, synopsis, or description matches regexp (in a case-insensitive fashion), sorted by relevance. Print all the metadata of matching packages in recutils format (see GNU recutils databases in GNU recutils manual).

This allows specific fields to be extracted using the recsel command, for instance:

$ guix package -s malloc | recsel -p name,version,relevance
name: jemalloc
version: 4.5.0
relevance: 6

name: glibc
version: 2.25
relevance: 1

name: libgc
version: 7.6.0
relevance: 1

Similarly, to show the name of all the packages available under the terms of the GNU LGPL version 3:

$ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"'
name: elfutils

name: gmp

It is also possible to refine search results using several -s flags to guix package, or several arguments to guix search. For example, the following command returns a list of board games (this time using the guix search alias):

$ guix search '\<board\>' game | recsel -p name
name: gnubg

If we were to omit -s game, we would also get software packages that deal with printed circuit boards; removing the angle brackets around board would further add packages that have to do with keyboards.

And now for a more elaborate example. The following command searches for cryptographic libraries, filters out Haskell, Perl, Python, and Ruby libraries, and prints the name and synopsis of the matching packages:

$ guix search crypto library | \
    recsel -e '! (name ~ "^(ghc|perl|python|ruby)")' -p name,synopsis

See Selection Expressions in GNU recutils manual, for more information on selection expressions for recsel -e.


Show details about package, taken from the list of available packages, in recutils format (see GNU recutils databases in GNU recutils manual).

$ guix package --show=python | recsel -p name,version
name: python
version: 2.7.6

name: python
version: 3.3.5

You may also specify the full name of a package to only get details about a specific version of it (this time using the guix show alias):

$ guix show python@3.4 | recsel -p name,version
name: python
version: 3.4.3
-I [regexp]

List the currently installed packages in the specified profile, with the most recently installed packages shown last. When regexp is specified, list only installed packages whose name matches regexp.

For each installed package, print the following items, separated by tabs: the package name, its version string, the part of the package that is installed (for instance, out for the default output, include for its headers, etc.), and the path of this package in the store.

-A [regexp]

List packages currently available in the distribution for this system (see GNU Distribution). When regexp is specified, list only available packages whose name matches regexp.

For each package, print the following items separated by tabs: its name, its version string, the parts of the package (see Packages with Multiple Outputs), and the source location of its definition.

-l [pattern]

Return a list of generations along with their creation dates; for each generation, show the installed packages, with the most recently installed packages shown last. Note that the zeroth generation is never shown.

For each installed package, print the following items, separated by tabs: the name of a package, its version string, the part of the package that is installed (see Packages with Multiple Outputs), and the location of this package in the store.

When pattern is used, the command returns only matching generations. Valid patterns include:

-d [pattern]

When pattern is omitted, delete all generations except the current one.

This command accepts the same patterns as --list-generations. When pattern is specified, delete the matching generations. When pattern specifies a duration, generations older than the specified duration match. For instance, --delete-generations=1m deletes generations that are more than one month old.

If the current generation matches, it is not deleted. Also, the zeroth generation is never deleted.

Note that deleting generations prevents rolling back to them. Consequently, this command must be used with care.


Write to standard output a manifest suitable for --manifest corresponding to the chosen profile(s).

This option is meant to help you migrate from the “imperative” operating mode—running guix install, guix upgrade, etc.—to the declarative mode that --manifest offers.

Be aware that the resulting manifest approximates what your profile actually contains; for instance, depending on how your profile was created, it can refer to packages or package versions that are not exactly what you specified.

Keep in mind that a manifest is purely symbolic: it only contains package names and possibly versions, and their meaning varies over time. If you wish to “pin” channels to the revisions that were used to build the profile(s), see --export-channels below.


Write to standard output the list of channels used by the chosen profile(s), in a format suitable for guix pull --channels or guix time-machine --channels (see Channels).

Together with --export-manifest, this option provides information allowing you to replicate the current profile (see Replicating Guix).

However, note that the output of this command approximates what was actually used to build this profile. In particular, a single profile might have been built from several different revisions of the same channel. In that case, --export-manifest chooses the last one and writes the list of other revisions in a comment. If you really need to pick packages from different channel revisions, you can use inferiors in your manifest to do so (see Inferiors).

Together with --export-manifest, this is a good starting point if you are willing to migrate from the “imperative” model to the fully declarative model consisting of a manifest file along with a channels file pinning the exact channel revision(s) you want.

Finally, since guix package may actually start build processes, it supports all the common build options (see Common Build Options). It also supports package transformation options, such as --with-source, and preserves them across upgrades (see Package Transformation Options).

Next: , Previous: , Up: Package Management   [Contents][Index]

5.3 Substitutes

Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server, or both. We call these pre-built items substitutes—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally.

Substitutes can be anything resulting from a derivation build (see Derivations). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result from derivation builds, can be available as substitutes.

Next: , Up: Substitutes   [Contents][Index]

5.3.1 Official Substitute Server

The server is a front-end to an official build farm that builds packages from Guix continuously for some architectures, and makes them available as substitutes. This is the default source of substitutes; it can be overridden by passing the --substitute-urls option either to guix-daemon (see guix-daemon --substitute-urls) or to client tools such as guix package (see client --substitute-urls option).

Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended because communications are encrypted; conversely, using HTTP makes all communications visible to an eavesdropper, who could use the information gathered to determine, for instance, whether your system has unpatched security vulnerabilities.

Substitutes from the official build farm are enabled by default when using Guix System (see GNU Distribution). However, they are disabled by default when using Guix on a foreign distribution, unless you have explicitly enabled them via one of the recommended installation steps (see Installation). The following paragraphs describe how to enable or disable substitutes for the official build farm; the same procedure can also be used to enable substitutes for any other substitute server.

Next: , Previous: , Up: Substitutes   [Contents][Index]

5.3.2 Substitute Server Authorization

To allow Guix to download substitutes from or a mirror thereof, you must add its public key to the access control list (ACL) of archive imports, using the guix archive command (see Invoking guix archive). Doing so implies that you trust to not be compromised and to serve genuine substitutes.

Note: If you are using Guix System, you can skip this section: Guix System authorizes substitutes from by default.

The public key for is installed along with Guix, in prefix/share/guix/, where prefix is the installation prefix of Guix. If you installed Guix from source, make sure you checked the GPG signature of guix-1.3.0.tar.gz, which contains this public key file. Then, you can run something like this:

# guix archive --authorize < prefix/share/guix/

Once this is in place, the output of a command like guix build should change from something like:

$ guix build emacs --dry-run
The following derivations would be built:

to something like:

$ guix build emacs --dry-run
112.3 MB would be downloaded:

The text changed from “The following derivations would be built” to “112.3 MB would be downloaded”. This indicates that substitutes from are usable and will be downloaded, when possible, for future builds.

The substitute mechanism can be disabled globally by running guix-daemon with --no-substitutes (see Invoking guix-daemon). It can also be disabled temporarily by passing the --no-substitutes option to guix package, guix build, and other command-line tools.

Next: , Previous: , Up: Substitutes   [Contents][Index]

5.3.3 Getting Substitutes from Other Servers

Guix can look up and fetch substitutes from several servers. This is useful when you are using packages from additional channels for which the official server does not have substitutes but another server provides them. Another situation where this is useful is when you would prefer to download from your organization’s substitute server, resorting to the official server only as a fallback or dismissing it altogether.

You can give Guix a list of substitute server URLs and it will check them in the specified order. You also need to explicitly authorize the public keys of substitute servers to instruct Guix to accept the substitutes they sign.

On Guix System, this is achieved by modifying the configuration of the guix service. Since the guix service is part of the default lists of services, %base-services and %desktop-services, you can use modify-services to change its configuration and add the URLs and substitute keys that you want (see modify-services).

As an example, suppose you want to fetch substitutes from and to authorize the signing key of that server, in addition to the default The resulting operating system configuration will look something like:

  ;; …
    ;; Assume we're starting from '%desktop-services'.  Replace it
    ;; with the list of services you're actually using.
    (modify-services %desktop-services
      (guix-service-type config =>
                          (inherit config)
                            (append (list "")
                            (append (list (local-file "./"))

This assumes that the file contains the signing key of With this change in place in your operating system configuration file (say /etc/config.scm), you can reconfigure and restart the guix-daemon service or reboot so the changes take effect:

$ sudo guix system reconfigure /etc/config.scm
$ sudo herd restart guix-daemon

If you’re running Guix on a “foreign distro”, you would instead take the following steps to get substitutes from additional servers:

  1. Edit the service configuration file for guix-daemon; when using systemd, this is normally /etc/systemd/system/guix-daemon.service. Add the --substitute-urls option on the guix-daemon command line and list the URLs of interest (see guix-daemon --substitute-urls):
    … --substitute-urls=''
  2. Restart the daemon. For systemd, it goes like this:
    systemctl daemon-reload
    systemctl restart guix-daemon.service
  3. Authorize the key of the new server (see Invoking guix archive):
    guix archive --authorize <

    Again this assumes contains the public key that uses to sign substitutes.

Now you’re all set! Substitutes will be preferably taken from, using as a fallback. Of course you can list as many substitute servers as you like, with the caveat that substitute lookup can be slowed down if too many servers need to be contacted.

Note that there are also situations where one may want to add the URL of a substitute server without authorizing its key. See Substitute Authentication, to understand this fine point.

Next: , Previous: , Up: Substitutes   [Contents][Index]

5.3.4 Substitute Authentication

Guix detects and raises an error when attempting to use a substitute that has been tampered with. Likewise, it ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL.

There is one exception though: if an unauthorized server provides substitutes that are bit-for-bit identical to those provided by an authorized server, then the unauthorized server becomes eligible for downloads. For example, assume we have chosen two substitute servers with this option:


If the ACL contains only the key for ‘’, and if ‘’ happens to serve the exact same substitutes, then Guix will download substitutes from ‘’ because it comes first in the list and can be considered a mirror of ‘’. In practice, independent build machines usually produce the same binaries, thanks to bit-reproducible builds (see below).

When using HTTPS, the server’s X.509 certificate is not validated (in other words, the server is not authenticated), contrary to what HTTPS clients such as Web browsers usually do. This is because Guix authenticates substitute information itself, as explained above, which is what we care about (whereas X.509 certificates are about authenticating bindings between domain names and public keys).

Next: , Previous: , Up: Substitutes   [Contents][Index]

5.3.5 Proxy Settings

Substitutes are downloaded over HTTP or HTTPS. The http_proxy and https_proxy environment variables can be set in the environment of guix-daemon and are honored for downloads of substitutes. Note that the value of those environment variables in the environment where guix build, guix package, and other client commands are run has absolutely no effect.

Next: , Previous: , Up: Substitutes   [Contents][Index]

5.3.6 Substitution Failure

Even when a substitute for a derivation is available, sometimes the substitution attempt will fail. This can happen for a variety of reasons: the substitute server might be offline, the substitute may recently have been deleted, the connection might have been interrupted, etc.

When substitutes are enabled and a substitute for a derivation is available, but the substitution attempt fails, Guix will attempt to build the derivation locally depending on whether or not --fallback was given (see common build option --fallback). Specifically, if --fallback was omitted, then no local build will be performed, and the derivation is considered to have failed. However, if --fallback was given, then Guix will attempt to build the derivation locally, and the success or failure of the derivation depends on the success or failure of the local build. Note that when substitutes are disabled or no substitute is available for the derivation in question, a local build will always be performed, regardless of whether or not --fallback was given.

To get an idea of how many substitutes are available right now, you can try running the guix weather command (see Invoking guix weather). This command provides statistics on the substitutes provided by a server.

Previous: , Up: Substitutes   [Contents][Index]

5.3.7 On Trusting Binaries

Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that is less of an interesting target. One way to help is by publishing the software you build using guix publish so that others have one more choice of server to download substitutes from (see Invoking guix publish).

Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. The guix challenge command aims to help users assess substitute servers, and to assist developers in finding out about non-deterministic package builds (see Invoking guix challenge). Similarly, the --check option of guix build allows users to check whether previously-installed substitutes are genuine by rebuilding them locally (see guix build --check).

In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on

Next: , Previous: , Up: Package Management   [Contents][Index]

5.4 Packages with Multiple Outputs

Often, packages defined in Guix have a single output—i.e., the source package leads to exactly one directory in the store. When running guix install glibc, one installs the default output of the GNU libc package; the default output is called out, but its name can be omitted as shown in this command. In this particular case, the default output of glibc contains all the C header files, shared libraries, static libraries, Info documentation, and other supporting files.

Sometimes it is more appropriate to separate the various types of files produced from a single source package into separate outputs. For instance, the GLib C library (used by GTK+ and related packages) installs more than 20 MiB of reference documentation as HTML pages. To save space for users who do not need it, the documentation goes to a separate output, called doc. To install the main GLib output, which contains everything but the documentation, one would run:

guix install glib

The command to install its documentation is:

guix install glib:doc

Some packages install programs with different “dependency footprints”. For instance, the WordNet package installs both command-line tools and graphical user interfaces (GUIs). The former depend solely on the C library, whereas the latter depend on Tcl/Tk and the underlying X libraries. In this case, we leave the command-line tools in the default output, whereas the GUIs are in a separate output. This allows users who do not need the GUIs to save space. The guix size command can help find out about such situations (see Invoking guix size). guix graph can also be helpful (see Invoking guix graph).

There are several such multiple-output packages in the GNU distribution. Other conventional output names include lib for libraries and possibly header files, bin for stand-alone programs, and debug for debugging information (see Installing Debugging Files). The outputs of a packages are listed in the third column of the output of guix package --list-available (see Invoking guix package).

Next: , Previous: , Up: Package Management   [Contents][Index]

5.5 Invoking guix gc

Packages that are installed, but not used, may be garbage-collected. The guix gc command allows users to explicitly run the garbage collector to reclaim space from the /gnu/store directory. It is the only way to remove files from /gnu/store—removing files or directories manually may break it beyond repair!

The garbage collector has a set of known roots: any file under /gnu/store reachable from a root is considered live and cannot be deleted; any other file is considered dead and may be deleted. The set of garbage collector roots (“GC roots” for short) includes default user profiles; by default, the symlinks under /var/guix/gcroots represent these GC roots. New GC roots can be added with guix build --root, for example (see Invoking guix build). The guix gc --list-roots command lists them.

Prior to running guix gc --collect-garbage to make space, it is often useful to remove old generations from user profiles; that way, old package builds referenced by those generations can be reclaimed. This is achieved by running guix package --delete-generations (see Invoking guix package).

Our recommendation is to run a garbage collection periodically, or when you are short on disk space. For instance, to guarantee that at least 5 GB are available on your disk, simply run:

guix gc -F 5G

It is perfectly safe to run as a non-interactive periodic job (see Scheduled Job Execution, for how to set up such a job). Running guix gc with no arguments will collect as much garbage as it can, but that is often inconvenient: you may find yourself having to rebuild or re-download software that is “dead” from the GC viewpoint but that is necessary to build other pieces of software—e.g., the compiler tool chain.

The guix gc command has three modes of operation: it can be used to garbage-collect any dead files (the default), to delete specific files (the --delete option), to print garbage-collector information, or for more advanced queries. The garbage collection options are as follows:

-C [min]

Collect garbage—i.e., unreachable /gnu/store files and sub-directories. This is the default operation when no option is specified.

When min is given, stop once min bytes have been collected. min may be a number of bytes, or it may include a unit as a suffix, such as MiB for mebibytes and GB for gigabytes (see size specifications in GNU Coreutils).

When min is omitted, collect all the garbage.

-F free

Collect garbage until free space is available under /gnu/store, if possible; free denotes storage space, such as 500MiB, as described above.

When free or more is already available in /gnu/store, do nothing and exit immediately.

-d [duration]

Before starting the garbage collection process, delete all the generations older than duration, for all the user profiles; when run as root, this applies to all the profiles of all the users.

For example, this command deletes all the generations of all your profiles that are older than 2 months (except generations that are current), and then proceeds to free space until at least 10 GiB are available:

guix gc -d 2m -F 10G

Attempt to delete all the store files and directories specified as arguments. This fails if some of the files are not in the store, or if they are still live.


List store items corresponding to cached build failures.

This prints nothing unless the daemon was started with --cache-failures (see --cache-failures).


List the GC roots owned by the user; when run as root, list all the GC roots.


List store items in use by currently running processes. These store items are effectively considered GC roots: they cannot be deleted.


Remove the specified store items from the failed-build cache.

Again, this option only makes sense when the daemon is started with --cache-failures. Otherwise, it does nothing.


Show the list of dead files and directories still present in the store—i.e., files and directories no longer reachable from any root.


Show the list of live store files and directories.

In addition, the references among existing store files can be queried:


List the references (respectively, the referrers) of store files given as arguments.


List the requisites of the store files passed as arguments. Requisites include the store files themselves, their references, and the references of these, recursively. In other words, the returned list is the transitive closure of the store files.

See Invoking guix size, for a tool to profile the size of the closure of an element. See Invoking guix graph, for a tool to visualize the graph of references.


Return the derivation(s) leading to the given store items (see Derivations).

For example, this command:

guix gc --derivers $(guix package -I ^emacs$ | cut -f4)

returns the .drv file(s) leading to the emacs package installed in your profile.

Note that there may be zero matching .drv files, for instance because these files have been garbage-collected. There can also be more than one matching .drv due to fixed-output derivations.

Lastly, the following options allow you to check the integrity of the store and to control disk usage.


Verify the integrity of the store.

By default, make sure that all the store items marked as valid in the database of the daemon actually exist in /gnu/store.

When provided, options must be a comma-separated list containing one or more of contents and repair.

When passing --verify=contents, the daemon computes the content hash of each store item and compares it against its hash in the database. Hash mismatches are reported as data corruptions. Because it traverses all the files in the store, this command can take a long time, especially on systems with a slow disk drive.

Using --verify=repair or --verify=contents,repair causes the daemon to try to repair corrupt store items by fetching substitutes for them (see Substitutes). Because repairing is not atomic, and thus potentially dangerous, it is available only to the system administrator. A lightweight alternative, when you know exactly which items in the store are corrupt, is guix build --repair (see Invoking guix build).


Optimize the store by hard-linking identical files—this is deduplication.

The daemon performs deduplication after each successful build or archive import, unless it was started with --disable-deduplication (see --disable-deduplication). Thus, this option is primarily useful when the daemon was running with --disable-deduplication.

Next: , Previous: , Up: Package Management   [Contents][Index]

5.6 Invoking guix pull

Packages are installed or upgraded to the latest version available in the distribution currently available on your local machine. To update that distribution, along with the Guix tools, you must run guix pull: the command downloads the latest Guix source code and package descriptions, and deploys it. Source code is downloaded from a Git repository, by default the official GNU Guix repository, though this can be customized. guix pull ensures that the code it downloads is authentic by verifying that commits are signed by Guix developers.

Specifically, guix pull downloads code from the channels (see Channels) specified by one of the followings, in this order:

  1. the --channels option;
  2. the user’s ~/.config/guix/channels.scm file;
  3. the system-wide /etc/guix/channels.scm file;
  4. the built-in default channels specified in the %default-channels variable.

On completion, guix package will use packages and package versions from this just-retrieved copy of Guix. Not only that, but all the Guix commands and Scheme modules will also be taken from that latest version. New guix sub-commands added by the update also become available.

Any user can update their Guix copy using guix pull, and the effect is limited to the user who ran guix pull. For instance, when user root runs guix pull, this has no effect on the version of Guix that user alice sees, and vice versa.

The result of running guix pull is a profile available under ~/.config/guix/current containing the latest Guix. Thus, make sure to add it to the beginning of your search path so that you use the latest version, and similarly for the Info manual (see Documentation):

export PATH="$HOME/.config/guix/current/bin:$PATH"
export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"

The --list-generations or -l option lists past generations produced by guix pull, along with details about their provenance:

$ guix pull -l
Generation 1	Jun 10 2018 00:18:18
  guix 65956ad
    repository URL:
    branch: origin/master
    commit: 65956ad3526ba09e1f7a40722c96c6ef7c0936fe

Generation 2	Jun 11 2018 11:02:49
  guix e0cc7f6
    repository URL:
    branch: origin/master
    commit: e0cc7f669bec22c37481dd03a7941c7d11a64f1d
  2 new packages: keepalived, libnfnetlink
  6 packages upgraded: emacs-nix-mode@2.0.4,
    guile2.0-guix@0.14.0-12.77a1aac, guix@0.14.0-12.77a1aac,
    heimdal@7.5.0, milkytracker@1.02.00, nix@2.0.4

Generation 3	Jun 13 2018 23:31:07	(current)
  guix 844cc1c
    repository URL:
    branch: origin/master
    commit: 844cc1c8f394f03b404c5bb3aee086922373490c
  28 new packages: emacs-helm-ls-git, emacs-helm-mu, …
  69 packages upgraded: borg@1.1.6, cheese@3.28.0, …

See guix describe, for other ways to describe the current status of Guix.

This ~/.config/guix/current profile works exactly like the profiles created by guix package (see Invoking guix package). That is, you can list generations, roll back to the previous generation—i.e., the previous Guix—and so on:

$ guix pull --roll-back
switched from generation 3 to 2
$ guix pull --delete-generations=1
deleting /var/guix/profiles/per-user/charlie/current-guix-1-link

You can also use guix package (see Invoking guix package) to manage the profile by naming it explicitly:

$ guix package -p ~/.config/guix/current --roll-back
switched from generation 3 to 2
$ guix package -p ~/.config/guix/current --delete-generations=1
deleting /var/guix/profiles/per-user/charlie/current-guix-1-link

The guix pull command is usually invoked with no arguments, but it supports the following options:


Download code for the guix channel from the specified url, at the given commit (a valid Git commit ID represented as a hexadecimal string), or branch.

These options are provided for convenience, but you can also specify your configuration in the ~/.config/guix/channels.scm file or using the --channels option (see below).

-C file

Read the list of channels from file instead of ~/.config/guix/channels.scm or /etc/guix/channels.scm. file must contain Scheme code that evaluates to a list of channel objects. See Channels, for more information.


Display the list of packages added or upgraded since the previous generation, as well as, occasionally, news written by channel authors for their users (see Writing Channel News).

The package information is the same as displayed upon guix pull completion, but without ellipses; it is also similar to the output of guix pull -l for the last generation (see below).

-l [pattern]

List all the generations of ~/.config/guix/current or, if pattern is provided, the subset of generations that match pattern. The syntax of pattern is the same as with guix package --list-generations (see Invoking guix package).


Roll back to the previous generation of ~/.config/guix/current—i.e., undo the last transaction.

-S pattern

Switch to a particular generation defined by pattern.

pattern may be either a generation number or a number prefixed with “+” or “-”. The latter means: move forward/backward by a specified number of generations. For example, if you want to return to the latest generation after --roll-back, use --switch-generation=+1.

-d [pattern]

When pattern is omitted, delete all generations except the current one.

This command accepts the same patterns as --list-generations. When pattern is specified, delete the matching generations. When pattern specifies a duration, generations older than the specified duration match. For instance, --delete-generations=1m deletes generations that are more than one month old.

If the current generation matches, it is not deleted.

Note that deleting generations prevents rolling back to them. Consequently, this command must be used with care.

See Invoking guix describe, for a way to display information about the current generation only.

-p profile

Use profile instead of ~/.config/guix/current.


Show which channel commit(s) would be used and what would be built or substituted but do not actually do it.


Allow pulling older or unrelated revisions of channels than those currently in use.

By default, guix pull protects against so-called “downgrade attacks” whereby the Git repository of a channel would be reset to an earlier or unrelated revision of itself, potentially leading you to install older, known-vulnerable versions of software packages.

Note: Make sure you understand its security implications before using --allow-downgrades.


Allow pulling channel code without authenticating it.

By default, guix pull authenticates code downloaded from channels by verifying that its commits are signed by authorized developers, and raises an error if this is not the case. This option instructs it to not perform any such verification.

Note: Make sure you understand its security implications before using --disable-authentication.

-s system

Attempt to build for system—e.g., i686-linux—instead of the system type of the build host.


Use the bootstrap Guile to build the latest Guix. This option is only useful to Guix developers.

The channel mechanism allows you to instruct guix pull which repository and branch to pull from, as well as additional repositories containing package modules that should be deployed. See Channels, for more information.

In addition, guix pull supports all the common build options (see Common Build Options).

Next: , Previous: , Up: Package Management   [Contents][Index]

5.7 Invoking guix time-machine

The guix time-machine command provides access to other revisions of Guix, for example to install older versions of packages, or to reproduce a computation in an identical environment. The revision of Guix to be used is defined by a commit or by a channel description file created by guix describe (see Invoking guix describe).

The general syntax is:

guix time-machine options… -- command arg

where command and arg… are passed unmodified to the guix command of the specified revision. The options that define this revision are the same as for guix pull (see Invoking guix pull):


Use the guix channel from the specified url, at the given commit (a valid Git commit ID represented as a hexadecimal string), or branch.

-C file

Read the list of channels from file. file must contain Scheme code that evaluates to a list of channel objects. See Channels for more information.

As for guix pull, the absence of any options means that the latest commit on the master branch will be used. The command

guix time-machine -- build hello

will thus build the package hello as defined in the master branch, which is in general a newer revision of Guix than you have installed. Time travel works in both directions!

Note that guix time-machine can trigger builds of channels and their dependencies, and these are controlled by the standard build options (see Common Build Options).

Next: , Previous: , Up: Package Management   [Contents][Index]

5.8 Inferiors

Note: The functionality described here is a “technology preview” as of version 1.3.0. As such, the interface is subject to change.

Sometimes you might need to mix packages from the revision of Guix you’re currently running with packages available in a different revision of Guix. Guix inferiors allow you to achieve that by composing different Guix revisions in arbitrary ways.

Technically, an “inferior” is essentially a separate Guix process connected to your main Guix process through a REPL (see Invoking guix repl). The (guix inferior) module allows you to create inferiors and to communicate with them. It also provides a high-level interface to browse and manipulate the packages that an inferior provides—inferior packages.

When combined with channels (see Channels), inferiors provide a simple way to interact with a separate revision of Guix. For example, let’s assume you want to install in your profile the current guile package, along with the guile-json as it existed in an older revision of Guix—perhaps because the newer guile-json has an incompatible API and you want to run your code against the old API. To do that, you could write a manifest for use by guix package --manifest (see Invoking guix package); in that manifest, you would create an inferior for that old Guix revision you care about, and you would look up the guile-json package in the inferior:

(use-modules (guix inferior) (guix channels)
             (srfi srfi-1))   ;for 'first'

(define channels
  ;; This is the old revision from which we want to
  ;; extract guile-json.
  (list (channel
         (name 'guix)
         (url "")

(define inferior
  ;; An inferior representing the above revision.
  (inferior-for-channels channels))

;; Now create a manifest with the current "guile" package
;; and the old "guile-json" package.
 (list (first (lookup-inferior-packages inferior "guile-json"))
       (specification->package "guile")))

On its first run, guix package --manifest might have to build the channel you specified before it can create the inferior; subsequent runs will be much faster because the Guix revision will be cached.

The (guix inferior) module provides the following procedures to open an inferior:

Scheme Procedure: inferior-for-channels channels [#:cache-directory] [#:ttl]

Return an inferior for channels, a list of channels. Use the cache at cache-directory, where entries can be reclaimed after ttl seconds. This procedure opens a new connection to the build daemon.

As a side effect, this procedure may build or substitute binaries for channels, which can take time.

Scheme Procedure: open-inferior directory [#:command "bin/guix"]

Open the inferior Guix in directory, running directory/command repl or equivalent. Return #f if the inferior could not be launched.

The procedures listed below allow you to obtain and manipulate inferior packages.

Scheme Procedure: inferior-packages inferior

Return the list of packages known to inferior.

Scheme Procedure: lookup-inferior-packages inferior name [version]

Return the sorted list of inferior packages matching name in inferior, with highest version numbers first. If version is true, return only packages with a version number prefixed by version.

Scheme Procedure: inferior-package? obj

Return true if obj is an inferior package.

Scheme Procedure: inferior-package-name package
Scheme Procedure: inferior-package-version package
Scheme Procedure: inferior-package-synopsis package
Scheme Procedure: inferior-package-description package
Scheme Procedure: inferior-package-home-page package
Scheme Procedure: inferior-package-location package
Scheme Procedure: inferior-package-inputs package
Scheme Procedure: inferior-package-native-inputs package
Scheme Procedure: inferior-package-propagated-inputs package
Scheme Procedure: inferior-package-transitive-propagated-inputs package
Scheme Procedure: inferior-package-native-search-paths package
Scheme Procedure: inferior-package-transitive-native-search-paths package
Scheme Procedure: inferior-package-search-paths package

These procedures are the counterpart of package record accessors (see package Reference). Most of them work by querying the inferior package comes from, so the inferior must still be live when you call these procedures.

Inferior packages can be used transparently like any other package or file-like object in G-expressions (see G-Expressions). They are also transparently handled by the packages->manifest procedure, which is commonly used in manifests (see the --manifest option of guix package). Thus you can insert an inferior package pretty much anywhere you would insert a regular package: in manifests, in the packages field of your operating-system declaration, and so on.

Next: , Previous: , Up: Package Management   [Contents][Index]

5.9 Invoking guix describe

Often you may want to answer questions like: “Which revision of Guix am I using?” or “Which channels am I using?” This is useful information in many situations: if you want to replicate an environment on a different machine or user account, if you want to report a bug or to determine what change in the channels you are using caused it, or if you want to record your system state for reproducibility purposes. The guix describe command answers these questions.

When run from a guix pulled guix, guix describe displays the channel(s) that it was built from, including their repository URL and commit IDs (see Channels):

$ guix describe
Generation 10	Sep 03 2018 17:32:44	(current)
  guix e0fa68c
    repository URL:
    branch: master
    commit: e0fa68c7718fffd33d81af415279d6ddb518f727

If you’re familiar with the Git version control system, this is similar in spirit to git describe; the output is also similar to that of guix pull --list-generations, but limited to the current generation (see the --list-generations option). Because the Git commit ID shown above unambiguously refers to a snapshot of Guix, this information is all it takes to describe the revision of Guix you’re using, and also to replicate it.

To make it easier to replicate Guix, guix describe can also be asked to return a list of channels instead of the human-readable description above:

$ guix describe -f channels
(list (channel
        (name 'guix)
        (url "")
              "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))))

You can save this to a file and feed it to guix pull -C on some other machine or at a later point in time, which will instantiate this exact Guix revision (see the -C option). From there on, since you’re able to deploy the same revision of Guix, you can just as well replicate a complete software environment. We humbly think that this is awesome, and we hope you’ll like it too!

The details of the options supported by guix describe are as follows:

-f format

Produce output in the specified format, one of:


produce human-readable output;


produce a list of channel specifications that can be passed to guix pull -C or installed as ~/.config/guix/channels.scm (see Invoking guix pull);


like channels, but omit the introduction field; use it to produce a channel specification suitable for Guix version 1.1.0 or earlier—the introduction field has to do with channel authentication (see Channel Authentication) and is not supported by these older versions;


produce a list of channel specifications in JSON format;


produce a list of channel specifications in Recutils format.


Display available formats for --format option.

-p profile

Display information about profile.

Previous: , Up: Package Management   [Contents][Index]

5.10 Invoking guix archive

The guix archive command allows users to export files from the store into a single archive, and to later import them on a machine that runs Guix. In particular, it allows store files to be transferred from one machine to the store on another machine.

Note: If you’re looking for a way to produce archives in a format suitable for tools other than Guix, see Invoking guix pack.

To export store files as an archive to standard output, run:

guix archive --export options specifications...

specifications may be either store file names or package specifications, as for guix package (see Invoking guix package). For instance, the following command creates an archive containing the gui output of the git package and the main output of emacs:

guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar

If the specified packages are not built yet, guix archive automatically builds them. The build process may be controlled with the common build options (see Common Build Options).

To transfer the emacs package to a machine connected over SSH, one would run:

guix archive --export -r emacs | ssh the-machine guix archive --import

Similarly, a complete user profile may be transferred from one machine to another like this:

guix archive --export -r $(readlink -f ~/.guix-profile) | \
  ssh the-machine guix archive --import

However, note that, in both examples, all of emacs and the profile as well as all of their dependencies are transferred (due to -r), regardless of what is already available in the store on the target machine. The --missing option can help figure out which items are missing from the target store. The guix copy command simplifies and optimizes this whole process, so this is probably what you should use in this case (see Invoking guix copy).

Each store item is written in the normalized archive or nar format (described below), and the output of guix archive --export (and input of guix archive --import) is a nar bundle.

The nar format is comparable in spirit to ‘tar’, but with differences that make it more appropriate for our purposes. First, rather than recording all Unix metadata for each file, the nar format only mentions the file type (regular, directory, or symbolic link); Unix permissions and owner/group are dismissed. Second, the order in which directory entries are stored always follows the order of file names according to the C locale collation order. This makes archive production fully deterministic.

That nar bundle format is essentially the concatenation of zero or more nars along with metadata for each store item it contains: its file name, references, corresponding derivation, and a digital signature.

When exporting, the daemon digitally signs the contents of the archive, and that digital signature is appended. When importing, the daemon verifies the signature and rejects the import in case of an invalid signature or if the signing key is not authorized.

The main options are:


Export the specified store files or packages (see below). Write the resulting archive to the standard output.

Dependencies are not included in the output, unless --recursive is passed.


When combined with --export, this instructs guix archive to include dependencies of the given items in the archive. Thus, the resulting archive is self-contained: it contains the closure of the exported store items.


Read an archive from the standard input, and import the files listed therein into the store. Abort if the archive has an invalid digital signature, or if it is signed by a public key not among the authorized keys (see --authorize below).


Read a list of store file names from the standard input, one per line, and write on the standard output the subset of these files missing from the store.


Generate a new key pair for the daemon. This is a prerequisite before archives can be exported with --export. This operation is usually instantaneous but it can take time if the system’s entropy pool needs to be refilled. On Guix System, guix-service-type takes care of generating this key pair the first boot.

The generated key pair is typically stored under /etc/guix, in (public key) and signing-key.sec (private key, which must be kept secret). When parameters is omitted, an ECDSA key using the Ed25519 curve is generated, or, for Libgcrypt versions before 1.6.0, it is a 4096-bit RSA key. Alternatively, parameters can specify genkey parameters suitable for Libgcrypt (see gcry_pk_genkey in The Libgcrypt Reference Manual).


Authorize imports signed by the public key passed on standard input. The public key must be in “s-expression advanced format”—i.e., the same format as the file.

The list of authorized keys is kept in the human-editable file /etc/guix/acl. The file contains “advanced-format s-expressions” and is structured as an access-control list in the Simple Public-Key Infrastructure (SPKI).

-x directory

Read a single-item archive as served by substitute servers (see Substitutes) and extract it to directory. This is a low-level operation needed in only very narrow use cases; see below.

For example, the following command extracts the substitute for Emacs served by to /tmp/emacs:

$ wget -O - \…-emacs-24.5 \
  | gunzip | guix archive -x /tmp/emacs

Single-item archives are different from multiple-item archives produced by guix archive --export; they contain a single store item, and they do not embed a signature. Thus this operation does no signature verification and its output should be considered unsafe.

The primary purpose of this operation is to facilitate inspection of archive contents coming from possibly untrusted substitute servers (see Invoking guix challenge).


Read a single-item archive as served by substitute servers (see Substitutes) and print the list of files it contains, as in this example:

$ wget -O - \…-emacs-26.3 \
  | lzip -d | guix archive -t

Next: , Previous: , Up: Top   [Contents][Index]

6 Channels

Guix and its package collection are updated by running guix pull (see Invoking guix pull). By default guix pull downloads and deploys Guix itself from the official GNU Guix repository. This can be customized by defining channels in the ~/.config/guix/channels.scm file. A channel specifies a URL and branch of a Git repository to be deployed, and guix pull can be instructed to pull from one or more channels. In other words, channels can be used to customize and to extend Guix, as we will see below. Guix is able to take into account security concerns and deal with authenticated updates.

Next: , Up: Channels   [Contents][Index]

6.1 Specifying Additional Channels

You can specify additional channels to pull from. To use a channel, write ~/.config/guix/channels.scm to instruct guix pull to pull from it in addition to the default Guix channel(s):

;; Add variant packages to those Guix provides.
(cons (channel
        (name 'variant-packages)
        (url ""))

Note that the snippet above is (as always!) Scheme code; we use cons to add a channel the list of channels that the variable %default-channels is bound to (see cons and lists in GNU Guile Reference Manual). With this file in place, guix pull builds not only Guix but also the package modules from your own repository. The result in ~/.config/guix/current is the union of Guix with your own package modules:

$ guix pull --list-generations
Generation 19	Aug 27 2018 16:20:48
  guix d894ab8
    repository URL:
    branch: master
    commit: d894ab8e9bfabcefa6c49d9ba2e834dd5a73a300
  variant-packages dd3df5e
    repository URL:
    branch: master
    commit: dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb
  11 new packages: variant-gimp, variant-emacs-with-cool-features, …
  4 packages upgraded: emacs-racket-mode@0.0.2-2.1b78827, …

The output of guix pull above shows that Generation 19 includes both Guix and packages from the variant-personal-packages channel. Among the new and upgraded packages that are listed, some like variant-gimp and variant-emacs-with-cool-features might come from variant-packages, while others come from the Guix default channel.

Next: , Previous: , Up: Channels   [Contents][Index]

6.2 Using a Custom Guix Channel

The channel called guix specifies where Guix itself—its command-line tools as well as its package collection—should be downloaded. For instance, suppose you want to update from another copy of the Guix repository at, and specifically the super-hacks branch, you can write in ~/.config/guix/channels.scm this specification:

;; Tell 'guix pull' to use another repo.
(list (channel
        (name 'guix)
        (url "")
        (branch "super-hacks")))

From there on, guix pull will fetch code from the super-hacks branch of the repository at The authentication concern is addressed below ((see Channel Authentication).

Next: , Previous: , Up: Channels   [Contents][Index]

6.3 Replicating Guix

The guix pull --list-generations output above shows precisely which commits were used to build this instance of Guix. We can thus replicate it, say, on another machine, by providing a channel specification in ~/.config/guix/channels.scm that is “pinned” to these commits:

;; Deploy specific commits of my channels of interest.
(list (channel
       (name 'guix)
       (url "")
       (commit "6298c3ffd9654d3231a6f25390b056483e8f407c"))
       (name 'variant-packages)
       (url "")
       (commit "dd3df5e2c8818760a8fc0bd699e55d3b69fef2bb")))

The guix describe --format=channels command can even generate this list of channels directly (see Invoking guix describe). The resulting file can be used with the -C options of guix pull (see Invoking guix pull) or guix time-machine (see Invoking guix time-machine).

At this point the two machines run the exact same Guix, with access to the exact same packages. The output of guix build gimp on one machine will be exactly the same, bit for bit, as the output of the same command on the other machine. It also means both machines have access to all the source code of Guix and, transitively, to all the source code of every package it defines.

This gives you super powers, allowing you to track the provenance of binary artifacts with very fine grain, and to reproduce software environments at will—some sort of “meta reproducibility” capabilities, if you will. See Inferiors, for another way to take advantage of these super powers.

Next: , Previous: , Up: Channels   [Contents][Index]

6.4 Channel Authentication

The guix pull and guix time-machine commands authenticate the code retrieved from channels: they make sure each commit that is fetched is signed by an authorized developer. The goal is to protect from unauthorized modifications to the channel that would lead users to run malicious code.

As a user, you must provide a channel introduction in your channels file so that Guix knows how to authenticate its first commit. A channel specification, including its introduction, looks something along these lines:

  (name 'some-channel)
  (url "")
     "CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"))))

The specification above shows the name and URL of the channel. The call to make-channel-introduction above specifies that authentication of this channel starts at commit 6f0d8cc…, which is signed by the OpenPGP key with fingerprint CABB A931….

For the main channel, called guix, you automatically get that information from your Guix installation. For other channels, include the channel introduction provided by the channel authors in your channels.scm file. Make sure you retrieve the channel introduction from a trusted source since that is the root of your trust.

If you’re curious about the authentication mechanics, read on!

Next: , Previous: , Up: Channels   [Contents][Index]

6.5 Channels with Substitutes

When running guix pull, Guix will first compile the definitions of every available package. This is an expensive operation for which substitutes (see Substitutes) may be available. The following snippet in channels.scm will ensure that guix pull uses the latest commit with available substitutes for the package definitions: this is done by querying the continuous integration server at

(use-modules (guix ci))

(list (channel-with-substitutes-available

Note that this does not mean that all the packages that you will install after running guix pull will have available substitutes. It only ensures that guix pull will not try to compile package definitions. This is particularly useful when using machines with limited resources.

Next: , Previous: , Up: Channels   [Contents][Index]

6.6 Creating a Channel

Let’s say you have a bunch of custom package variants or personal packages that you think would make little sense to contribute to the Guix project, but would like to have these packages transparently available to you at the command line. You would first write modules containing those package definitions (see Package Modules), maintain them in a Git repository, and then you and anyone else can use it as an additional channel to get packages from. Neat, no?

Warning: Before you, dear user, shout—“woow this is soooo coool!”—and publish your personal channel to the world, we would like to share a few words of caution:

You’ve been warned! Having said this, we believe external channels are a practical way to exert your freedom to augment Guix’ package collection and to share your improvements, which are basic tenets of free software. Please email us at if you’d like to discuss this.

To create a channel, create a Git repository containing your own package modules and make it available. The repository can contain anything, but a useful channel will contain Guile modules that export packages. Once you start using a channel, Guix will behave as if the root directory of that channel’s Git repository has been added to the Guile load path (see Load Paths in GNU Guile Reference Manual). For example, if your channel contains a file at my-packages/my-tools.scm that defines a Guile module, then the module will be available under the name (my-packages my-tools), and you will be able to use it like any other module (see Modules in GNU Guile Reference Manual).

As a channel author, consider bundling authentication material with your channel so that users can authenticate it. See Channel Authentication, and Specifying Channel Authorizations, for info on how to do it.

Next: , Previous: , Up: Channels   [Contents][Index]

6.7 Package Modules in a Sub-directory

As a channel author, you may want to keep your channel modules in a sub-directory. If your modules are in the sub-directory guix, you must add a meta-data file .guix-channel that contains:

  (version 0)
  (directory "guix"))

Next: , Previous: , Up: Channels   [Contents][Index]

6.8 Declaring Channel Dependencies

Channel authors may decide to augment a package collection provided by other channels. They can declare their channel to be dependent on other channels in a meta-data file .guix-channel, which is to be placed in the root of the channel repository.

The meta-data file should contain a simple S-expression like this:

 (version 0)
   (name some-collection)
   (url "")

   ;; The 'introduction' bit below is optional: you would
   ;; provide it for dependencies that can be authenticated.
      (version 0)
      (commit "a8883b58dc82e167c96506cf05095f37c2c2c6cd")
      (signer "CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"))))
   (name some-other-collection)
   (url "")
   (branch "testing"))))

In the above example this channel is declared to depend on two other channels, which will both be fetched automatically. The modules provided by the channel will be compiled in an environment where the modules of all these declared channels are available.

For the sake of reliability and maintainability, you should avoid dependencies on channels that you don’t control, and you should aim to keep the number of dependencies to a minimum.

Next: , Previous: , Up: Channels   [Contents][Index]

6.9 Specifying Channel Authorizations

As we saw above, Guix ensures the source code it pulls from channels comes from authorized developers. As a channel author, you need to specify the list of authorized developers in the .guix-authorizations file in the channel’s Git repository. The authentication rule is simple: each commit must be signed by a key listed in the .guix-authorizations file of its parent commit(s)10 The .guix-authorizations file looks like this:

;; Example '.guix-authorizations' file.

 (version 0)               ;current file format version

 (("AD17 A21E F8AE D8F1 CC02  DBD9 F8AE D8F1 765C 61E3"
   (name "alice"))
  ("2A39 3FFF 68F4 EF7A 3D29  12AF 68F4 EF7A 22FB B2D5"
   (name "bob"))
  ("CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"
   (name "charlie"))))

Each fingerprint is followed by optional key/value pairs, as in the example above. Currently these key/value pairs are ignored.

This authentication rule creates a chicken-and-egg issue: how do we authenticate the first commit? Related to that: how do we deal with channels whose repository history contains unsigned commits and lack .guix-authorizations? And how do we fork existing channels?

Channel introductions answer these questions by describing the first commit of a channel that should be authenticated. The first time a channel is fetched with guix pull or guix time-machine, the command looks up the introductory commit and verifies that it is signed by the specified OpenPGP key. From then on, it authenticates commits according to the rule above.

Additionally, your channel must provide all the OpenPGP keys that were ever mentioned in .guix-authorizations, stored as .key files, which can be either binary or “ASCII-armored”. By default, those .key files are searched for in the branch named keyring but you can specify a different branch name in .guix-channel like so:

  (version 0)
  (keyring-reference "my-keyring-branch"))

To summarize, as the author of a channel, there are three things you have to do to allow users to authenticate your code:

  1. Export the OpenPGP keys of past and present committers with gpg --export and store them in .key files, by default in a branch named keyring (we recommend making it an orphan branch).
  2. Introduce an initial .guix-authorizations in the channel’s repository. Do that in a signed commit (see Commit Access, for information on how to sign Git commits.)
  3. Advertise the channel introduction, for instance on your channel’s web page. The channel introduction, as we saw above, is the commit/key pair—i.e., the commit that introduced .guix-authorizations, and the fingerprint of the OpenPGP used to sign it.

Before pushing to your public Git repository, you can run guix git-authenticate to verify that you did sign all the commits you are about to push with an authorized key:

guix git authenticate commit signer

where commit and signer are your channel introduction. See Invoking guix git authenticate, for details.

Publishing a signed channel requires discipline: any mistake, such as an unsigned commit or a commit signed by an unauthorized key, will prevent users from pulling from your channel—well, that’s the whole point of authentication! Pay attention to merges in particular: merge commits are considered authentic if and only if they are signed by a key present in the .guix-authorizations file of both branches.

Next: , Previous: , Up: Channels   [Contents][Index]

6.10 Primary URL

Channel authors can indicate the primary URL of their channel’s Git repository in the .guix-channel file, like so:

  (version 0)
  (url ""))

This allows guix pull to determine whether it is pulling code from a mirror of the channel; when that is the case, it warns the user that the mirror might be stale and displays the primary URL. That way, users cannot be tricked into fetching code from a stale mirror that does not receive security updates.

This feature only makes sense for authenticated repositories, such as the official guix channel, for which guix pull ensures the code it fetches is authentic.

Previous: , Up: Channels   [Contents][Index]

6.11 Writing Channel News

Channel authors may occasionally want to communicate to their users information about important changes in the channel. You’d send them all an email, but that’s not convenient.

Instead, channels can provide a news file; when the channel users run guix pull, that news file is automatically read and guix pull --news can display the announcements that correspond to the new commits that have been pulled, if any.

To do that, channel authors must first declare the name of the news file in their .guix-channel file:

  (version 0)
  (news-file "etc/news.txt"))

The news file itself, etc/news.txt in this example, must look something like this:

  (version 0)
  (entry (tag "the-bug-fix")
         (title (en "Fixed terrible bug")
                (fr "Oh la la"))
         (body (en "@emph{Good news}!  It's fixed!")
               (eo "Certe ĝi pli bone funkcias nun!")))
  (entry (commit "bdcabe815cd28144a2d2b4bc3c5057b051fa9906")
         (title (en "Added a great package")
                (ca "Què vol dir guix?"))
         (body (en "Don't miss the @code{hello} package!"))))

While the news file is using the Scheme syntax, avoid naming it with a .scm extension or else it will get picked up when building the channel and yield an error since it is not a valid module. Alternatively, you can move the channel module to a subdirectory and store the news file in another directory.

The file consists of a list of news entries. Each entry is associated with a commit or tag: it describes changes made in this commit, possibly in preceding commits as well. Users see entries only the first time they obtain the commit the entry refers to.

The title field should be a one-line summary while body can be arbitrarily long, and both can contain Texinfo markup (see Overview in GNU Texinfo). Both the title and body are a list of language tag/message tuples, which allows guix pull to display news in the language that corresponds to the user’s locale.

If you want to translate news using a gettext-based workflow, you can extract translatable strings with xgettext (see xgettext Invocation in GNU Gettext Utilities). For example, assuming you write news entries in English first, the command below creates a PO file containing the strings to translate:

xgettext -o news.po -l scheme -ken etc/news.txt

To sum up, yes, you could use your channel as a blog. But beware, this is not quite what your users might expect.

Next: , Previous: , Up: Top   [Contents][Index]

7 Development

If you are a software developer, Guix provides tools that you should find helpful—independently of the language you’re developing in. This is what this chapter is about.

The guix environment command provides a convenient way to set up development environments containing all the dependencies and tools necessary to work on the software package of your choice. The guix pack command allows you to create application bundles that can be easily distributed to users who do not run Guix.

Next: , Up: Development   [Contents][Index]

7.1 Invoking guix environment

The purpose of guix environment is to assist hackers in creating reproducible development environments without polluting their package profile. The guix environment tool takes one or more packages, builds all of their inputs, and creates a shell environment to use them.

The general syntax is:

guix environment options package

The following example spawns a new shell set up for the development of GNU Guile:

guix environment guile

If the needed dependencies are not built yet, guix environment automatically builds them. The environment of the new shell is an augmented version of the environment that guix environment was run in. It contains the necessary search paths for building the given package added to the existing environment variables. To create a “pure” environment, in which the original environment variables have been unset, use the --pure option11.

Exiting from a Guix environment is the same as exiting from the shell, and will place the user back in the old environment before guix environment was invoked. The next garbage collection (see Invoking guix gc) will clean up packages that were installed from within the environment and are no longer used outside of it.

guix environment defines the GUIX_ENVIRONMENT variable in the shell it spawns; its value is the file name of the profile of this environment. This allows users to, say, define a specific prompt for development environments in their .bashrc (see Bash Startup Files in The GNU Bash Reference Manual):

    export PS1="\u@\h \w [dev]\$ "

... or to browse the profile:


Additionally, more than one package may be specified, in which case the union of the inputs for the given packages are used. For example, the command below spawns a shell where all of the dependencies of both Guile and Emacs are available:

guix environment guile emacs

Sometimes an interactive shell session is not desired. An arbitrary command may be invoked by placing the -- token to separate the command from the rest of the arguments:

guix environment guile -- make -j4

In other situations, it is more convenient to specify the list of packages needed in the environment. For example, the following command runs python from an environment containing Python 2.7 and NumPy:

guix environment --ad-hoc python2-numpy python-2.7 -- python

Furthermore, one might want the dependencies of a package and also some additional packages that are not build-time or runtime dependencies, but are useful when developing nonetheless. Because of this, the --ad-hoc flag is positional. Packages appearing before --ad-hoc are interpreted as packages whose dependencies will be added to the environment. Packages appearing after are interpreted as packages that will be added to the environment directly. For example, the following command creates a Guix development environment that additionally includes Git and strace:

guix environment --pure guix --ad-hoc git strace

Sometimes it is desirable to isolate the environment as much as possible, for maximal purity and reproducibility. In particular, when using Guix on a host distro that is not Guix System, it is desirable to prevent access to /usr/bin and other system-wide resources from the development environment. For example, the following command spawns a Guile REPL in a “container” where only the store and the current working directory are mounted:

guix environment --ad-hoc --container guile -- guile

Note: The --container option requires Linux-libre 3.19 or newer.

Another typical use case for containers is to run security-sensitive applications such as a web browser. To run Eolie, we must expose and share some files and directories; we include nss-certs and expose /etc/ssl/certs/ for HTTPS authentication; finally we preserve the DISPLAY environment variable since containerized graphical applications won’t display without it.

guix environment --preserve='^DISPLAY$' --container --network \
  --expose=/etc/machine-id \
  --expose=/etc/ssl/certs/ \
  --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
  --ad-hoc eolie nss-certs dbus --  eolie

The available options are summarized below.

-r file

Make file a symlink to the profile for this environment, and register it as a garbage collector root.

This is useful if you want to protect your environment from garbage collection, to make it “persistent”.

When this option is omitted, the environment is protected from garbage collection only for the duration of the guix environment session. This means that next time you recreate the same environment, you could have to rebuild or re-download packages. See Invoking guix gc, for more on GC roots.

-e expr

Create an environment for the package or list of packages that expr evaluates to.

For example, running:

guix environment -e '(@ (gnu packages maths) petsc-openmpi)'

starts a shell with the environment for this specific variant of the PETSc package.


guix environment --ad-hoc -e '(@ (gnu) %base-packages)'

starts a shell with all the base system packages available.

The above commands only use the default output of the given packages. To select other outputs, two element tuples can be specified:

guix environment --ad-hoc -e '(list (@ (gnu packages bash) bash) "include")'
-l file

Create an environment for the package or list of packages that the code within file evaluates to.

As an example, file might contain a definition like this (see Defining Packages):

(use-modules (guix)
             (gnu packages gdb)
             (gnu packages autotools)
             (gnu packages texinfo))

;; Augment the package definition of GDB with the build tools
;; needed when developing GDB (and which are not needed when
;; simply installing it.)
(package (inherit gdb)
  (native-inputs `(("autoconf" ,autoconf-2.64)
                   ("automake" ,automake)
                   ("texinfo" ,texinfo)
                   ,@(package-native-inputs gdb))))
-m file

Create an environment for the packages contained in the manifest object returned by the Scheme code in file. This option can be repeated several times, in which case the manifests are concatenated.

This is similar to the same-named option in guix package (see --manifest) and uses the same manifest files.


Include all specified packages in the resulting environment, as if an ad hoc package were defined with them as inputs. This option is useful for quickly creating an environment without having to write a package expression to contain the desired inputs.

For instance, the command:

guix environment --ad-hoc guile guile-sdl -- guile

runs guile in an environment where Guile and Guile-SDL are available.

Note that this example implicitly asks for the default output of guile and guile-sdl, but it is possible to ask for a specific output—e.g., glib:bin asks for the bin output of glib (see Packages with Multiple Outputs).

This option may be composed with the default behavior of guix environment. Packages appearing before --ad-hoc are interpreted as packages whose dependencies will be added to the environment, the default behavior. Packages appearing after are interpreted as packages that will be added to the environment directly.


Unset existing environment variables when building the new environment, except those specified with --preserve (see below). This has the effect of creating an environment in which search paths only contain package inputs.

-E regexp

When used alongside --pure, preserve the environment variables matching regexp—in other words, put them on a “white list” of environment variables that must be preserved. This option can be repeated several times.

guix environment --pure --preserve=^SLURM --ad-hoc openmpi … \
  -- mpirun …

This example runs mpirun in a context where the only environment variables defined are PATH, environment variables whose name starts with ‘SLURM’, as well as the usual “precious” variables (HOME, USER, etc.).


Display the environment variable definitions that make up the environment.

-s system

Attempt to build for system—e.g., i686-linux.


Run command within an isolated container. The current working directory outside the container is mapped inside the container. Additionally, unless overridden with --user, a dummy home directory is created that matches the current user’s home directory, and /etc/passwd is configured accordingly.

The spawned process runs as the current user outside the container. Inside the container, it has the same UID and GID as the current user, unless --user is passed (see below).


For containers, share the network namespace with the host system. Containers created without this flag only have access to the loopback device.


For containers, link the environment profile to ~/.guix-profile within the container and set GUIX_ENVIRONMENT to that. This is equivalent to making ~/.guix-profile a symlink to the actual profile within the container. Linking will fail and abort the environment if the directory already exists, which will certainly be the case if guix environment was invoked in the user’s home directory.

Certain packages are configured to look in ~/.guix-profile for configuration files and data;12 --link-profile allows these programs to behave as expected within the environment.

-u user

For containers, use the username user in place of the current user. The generated /etc/passwd entry within the container will contain the name user, the home directory will be /home/user, and no user GECOS data will be copied. Furthermore, the UID and GID inside the container are 1000. user need not exist on the system.

Additionally, any shared or exposed path (see --share and --expose respectively) whose target is within the current user’s home directory will be remapped relative to /home/USER; this includes the automatic mapping of the current working directory.

# will expose paths as /home/foo/wd, /home/foo/test, and /home/foo/target
cd $HOME/wd
guix environment --container --user=foo \
     --expose=$HOME/test \

While this will limit the leaking of user identity through home paths and each of the user fields, this is only one useful component of a broader privacy/anonymity solution—not one in and of itself.


For containers, the default behavior is to share the current working directory with the isolated container and immediately change to that directory within the container. If this is undesirable, --no-cwd will cause the current working directory to not be automatically shared and will change to the user’s home directory within the container instead. See also --user.


For containers, --expose (resp. --share) exposes the file system source from the host system as the read-only (resp. writable) file system target within the container. If target is not specified, source is used as the target mount point in the container.

The example below spawns a Guile REPL in a container in which the user’s home directory is accessible read-only via the /exchange directory:

guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile

guix environment also supports all of the common build options that guix build supports (see Common Build Options) as well as package transformation options (see Package Transformation Options).

Next: , Previous: , Up: Development   [Contents][Index]

7.2 Invoking guix pack

Occasionally you want to pass software to people who are not (yet!) lucky enough to be using Guix. You’d tell them to run guix package -i something, but that’s not possible in this case. This is where guix pack comes in.

Note: If you are looking for ways to exchange binaries among machines that already run Guix, see Invoking guix copy, Invoking guix publish, and Invoking guix archive.

The guix pack command creates a shrink-wrapped pack or software bundle: it creates a tarball or some other archive containing the binaries of the software you’re interested in, and all its dependencies. The resulting archive can be used on any machine that does not have Guix, and people can run the exact same binaries as those you have with Guix. The pack itself is created in a bit-reproducible fashion, so anyone can verify that it really contains the build results that you pretend to be shipping.

For example, to create a bundle containing Guile, Emacs, Geiser, and all their dependencies, you can run:

$ guix pack guile emacs geiser

The result here is a tarball containing a /gnu/store directory with all the relevant packages. The resulting tarball contains a profile with the three packages of interest; the profile is the same as would be created by guix package -i. It is this mechanism that is used to create Guix’s own standalone binary tarball (see Binary Installation).

Users of this pack would have to run /gnu/store/…-profile/bin/guile to run Guile, which you may find inconvenient. To work around it, you can create, say, a /opt/gnu/bin symlink to the profile:

guix pack -S /opt/gnu/bin=bin guile emacs geiser

That way, users can happily type /opt/gnu/bin/guile and enjoy.

What if the recipient of your pack does not have root privileges on their machine, and thus cannot unpack it in the root file system? In that case, you will want to use the --relocatable option (see below). This option produces relocatable binaries, meaning they they can be placed anywhere in the file system hierarchy: in the example above, users can unpack your tarball in their home directory and directly run ./opt/gnu/bin/guile.

Alternatively, you can produce a pack in the Docker image format using the following command:

guix pack -f docker -S /bin=bin guile guile-readline

The result is a tarball that can be passed to the docker load command, followed by docker run:

docker load < file
docker run -ti guile-guile-readline /bin/guile

where file is the image returned by guix pack, and guile-guile-readline is its “image tag”. See the Docker documentation for more information.

Yet another option is to produce a SquashFS image with the following command:

guix pack -f squashfs bash guile emacs geiser

The result is a SquashFS file system image that can either be mounted or directly be used as a file system container image with the Singularity container execution environment, using commands like singularity shell or singularity exec.

Several command-line options allow you to customize your pack:

-f format

Produce a pack in the given format.

The available formats are:


This is the default format. It produces a tarball containing all the specified binaries and symlinks.


This produces a tarball that follows the Docker Image Specification. The “repository name” as it appears in the output of the docker images command is computed from package names passed on the command line or in the manifest file.


This produces a SquashFS image containing all the specified binaries and symlinks, as well as empty mount points for virtual file systems like procfs.

Note: Singularity requires you to provide /bin/sh in the image. For that reason, guix pack -f squashfs always implies -S /bin=bin. Thus, your guix pack invocation must always start with something like:

guix pack -f squashfs bash …

If you forget the bash (or similar) package, singularity run and singularity exec will fail with an unhelpful “no such file or directory” message.


Produce relocatable binaries—i.e., binaries that can be placed anywhere in the file system hierarchy and run from there.

When this option is passed once, the resulting binaries require support for user namespaces in the kernel Linux; when passed twice13, relocatable binaries fall to back to other techniques if user namespaces are unavailable, and essentially work anywhere—see below for the implications.

For example, if you create a pack containing Bash with:

guix pack -RR -S /mybin=bin bash

... you can copy that pack to a machine that lacks Guix, and from your home directory as a normal user, run:

tar xf pack.tar.gz

In that shell, if you type ls /gnu/store, you’ll notice that /gnu/store shows up and contains all the dependencies of bash, even though the machine actually lacks /gnu/store altogether! That is probably the simplest way to deploy Guix-built software on a non-Guix machine.

Note: By default, relocatable binaries rely on the user namespace feature of the kernel Linux, which allows unprivileged users to mount or change root. Old versions of Linux did not support it, and some GNU/Linux distributions turn it off.

To produce relocatable binaries that work even in the absence of user namespaces, pass --relocatable or -R twice. In that case, binaries will try user namespace support and fall back to another execution engine if user namespaces are not supported. The following execution engines are supported:


Try user namespaces and fall back to PRoot if user namespaces are not supported (see below).


Try user namespaces and fall back to Fakechroot if user namespaces are not supported (see below).


Run the program through user namespaces and abort if they are not supported.


Run through PRoot. The PRoot program provides the necessary support for file system virtualization. It achieves that by using the ptrace system call on the running program. This approach has the advantage to work without requiring special kernel support, but it incurs run-time overhead every time a system call is made.


Run through Fakechroot. Fakechroot virtualizes file system accesses by intercepting calls to C library functions such as open, stat, exec, and so on. Unlike PRoot, it incurs very little overhead. However, it does not always work: for example, some file system accesses made from within the C library are not intercepted, and file system accesses made via direct syscalls are not intercepted either, leading to erratic behavior.

When running a wrapped program, you can explicitly request one of the execution engines listed above by setting the GUIX_EXECUTION_ENGINE environment variable accordingly.


Use command as the entry point of the resulting pack, if the pack format supports it—currently docker and squashfs (Singularity) support it. command must be relative to the profile contained in the pack.

The entry point specifies the command that tools like docker run or singularity run automatically start by default. For example, you can do:

guix pack -f docker --entry-point=bin/guile guile

The resulting pack can easily be loaded and docker run with no extra arguments will spawn bin/guile:

docker load -i pack.tar.gz
docker run image-id
-e expr

Consider the package expr evaluates to.

This has the same purpose as the same-named option in guix build (see --expression in guix build).

-m file

Use the packages contained in the manifest object returned by the Scheme code in file. This option can be repeated several times, in which case the manifests are concatenated.

This has a similar purpose as the same-named option in guix package (see --manifest) and uses the same manifest files. It allows you to define a collection of packages once and use it both for creating profiles and for creating archives for use on machines that do not have Guix installed. Note that you can specify either a manifest file or a list of packages, but not both.

-s system

Attempt to build for system—e.g., i686-linux—instead of the system type of the build host.


Cross-build for triplet, which must be a valid GNU triplet, such as "aarch64-linux-gnu" (see GNU configuration triplets in Autoconf).

-C tool

Compress the resulting tarball using tool—one of gzip, zstd, bzip2, xz, lzip, or none for no compression.

-S spec

Add the symlinks specified by spec to the pack. This option can appear several times.

spec has the form source=target, where source is the symlink that will be created and target is the symlink target.

For instance, -S /opt/gnu/bin=bin creates a /opt/gnu/bin symlink pointing to the bin sub-directory of the profile.


Save provenance information for the packages passed on the command line. Provenance information includes the URL and commit of the channels in use (see Channels).

Provenance information is saved in the /gnu/store/…-profile/manifest file in the pack, along with the usual package metadata—the name and version of each package, their propagated inputs, and so on. It is useful information to the recipient of the pack, who then knows how the pack was (supposedly) obtained.

This option is not enabled by default because, like timestamps, provenance information contributes nothing to the build process. In other words, there is an infinity of channel URLs and commit IDs that can lead to the same pack. Recording such “silent” metadata in the output thus potentially breaks the source-to-binary bitwise reproducibility property.

-r file

Make file a symlink to the resulting pack, and register it as a garbage collector root.


Include the “local state directory”, /var/guix, in the resulting pack, and notably the /var/guix/profiles/per-user/root/name profile—by default name is guix-profile, which corresponds to ~root/.guix-profile.

/var/guix contains the store database (see The Store) as well as garbage-collector roots (see Invoking guix gc). Providing it in the pack means that the store is “complete” and manageable by Guix; not providing it pack means that the store is “dead”: items cannot be added to it or removed from it after extraction of the pack.

One use case for this is the Guix self-contained binary tarball (see Binary Installation).


Print the name of the derivation that builds the pack.


Use the bootstrap binaries to build the pack. This option is only useful to Guix developers.

In addition, guix pack supports all the common build options (see Common Build Options) and all the package transformation options (see Package Transformation Options).

Next: , Previous: , Up: Development   [Contents][Index]

7.3 The GCC toolchain

If you need a complete toolchain for compiling and linking C or C++ source code, use the gcc-toolchain package. This package provides a complete GCC toolchain for C/C++ development, including GCC itself, the GNU C Library (headers and binaries, plus debugging symbols in the debug output), Binutils, and a linker wrapper.

The wrapper’s purpose is to inspect the -L and -l switches passed to the linker, add corresponding -rpath arguments, and invoke the actual linker with this new set of arguments. You can instruct the wrapper to refuse to link against libraries not in the store by setting the GUIX_LD_WRAPPER_ALLOW_IMPURITIES environment variable to no.

The package gfortran-toolchain provides a complete GCC toolchain for Fortran development. For other languages, please use ‘guix search gcc toolchain’ (see Invoking guix package).

Previous: , Up: Development   [Contents][Index]

7.4 Invoking guix git authenticate

The guix git authenticate command authenticates a Git checkout following the same rule as for channels (see channel authentication). That is, starting from a given commit, it ensures that all subsequent commits are signed by an OpenPGP key whose fingerprint appears in the .guix-authorizations file of its parent commit(s).

You will find this command useful if you maintain a channel. But in fact, this authentication mechanism is useful in a broader context, so you might want to use it for Git repositories that have nothing to do with Guix.

The general syntax is:

guix git authenticate commit signer [options…]

By default, this command authenticates the Git checkout in the current directory; it outputs nothing and exits with exit code zero on success and non-zero on failure. commit above denotes the first commit where authentication takes place, and signer is the OpenPGP fingerprint of public key used to sign commit. Together, they form a “channel introduction” (see channel introduction). The options below allow you to fine-tune the process.

-r directory

Open the Git repository in directory instead of the current directory.

-k reference

Load OpenPGP keyring from reference, the reference of a branch such as origin/keyring or my-keyring. The branch must contain OpenPGP public keys in .key files, either in binary form or “ASCII-armored”. By default the keyring is loaded from the branch named keyring.


Display commit signing statistics upon completion.


Previously-authenticated commits are cached in a file under ~/.cache/guix/authentication. This option forces the cache to be stored in file key in that directory.


By default, any commit whose parent commit(s) lack the .guix-authorizations file is considered inauthentic. In contrast, this option considers the authorizations in file for any commit that lacks .guix-authorizations. The format of file is the same as that of .guix-authorizations (see .guix-authorizations format).

Next: , Previous: , Up: Top   [Contents][Index]

8 Programming Interface

GNU Guix provides several Scheme programming interfaces (APIs) to define, build, and query packages. The first interface allows users to write high-level package definitions. These definitions refer to familiar packaging concepts, such as the name and version of a package, its build system, and its dependencies. These definitions can then be turned into concrete build actions.

Build actions are performed by the Guix daemon, on behalf of users. In a standard setup, the daemon has write access to the store—the /gnu/store directory—whereas users do not. The recommended setup also has the daemon perform builds in chroots, under specific build users, to minimize interference with the rest of the system.

Lower-level APIs are available to interact with the daemon and the store. To instruct the daemon to perform a build action, users actually provide it with a derivation. A derivation is a low-level representation of the build actions to be taken, and the environment in which they should occur—derivations are to package definitions what assembly is to C programs. The term “derivation” comes from the fact that build results derive from them.

This chapter describes all these APIs in turn, starting from high-level package definitions.

Next: , Up: Programming Interface   [Contents][Index]

8.1 Package Modules

From a programming viewpoint, the package definitions of the GNU distribution are provided by Guile modules in the (gnu packages …) name space14 (see Guile modules in GNU Guile Reference Manual). For instance, the (gnu packages emacs) module exports a variable named emacs, which is bound to a <package> object (see Defining Packages).

The (gnu packages …) module name space is automatically scanned for packages by the command-line tools. For instance, when running guix install emacs, all the (gnu packages …) modules are scanned until one that exports a package object whose name is emacs is found. This package search facility is implemented in the (gnu packages) module.

Users can store package definitions in modules with different names—e.g., (my-packages emacs)15. There are two ways to make these package definitions visible to the user interfaces:

  1. By adding the directory containing your package modules to the search path with the -L flag of guix package and other commands (see Common Build Options), or by setting the GUIX_PACKAGE_PATH environment variable described below.
  2. By defining a channel and configuring guix pull so that it pulls from it. A channel is essentially a Git repository containing package modules. See Channels, for more information on how to define and use channels.

GUIX_PACKAGE_PATH works similarly to other search path variables:

Environment Variable: GUIX_PACKAGE_PATH

This is a colon-separated list of directories to search for additional package modules. Directories listed in this variable take precedence over the own modules of the distribution.

The distribution is fully bootstrapped and self-contained: each package is built based solely on other packages in the distribution. The root of this dependency graph is a small set of bootstrap binaries, provided by the (gnu packages bootstrap) module. For more information on bootstrapping, see Bootstrapping.

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.2 Defining Packages

The high-level interface to package definitions is implemented in the (guix packages) and (guix build-system) modules. As an example, the package definition, or recipe, for the GNU Hello package looks like this:

(define-module (gnu packages hello)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix licenses)
  #:use-module (gnu packages gawk))

(define-public hello
    (name "hello")
    (version "2.10")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/hello/hello-" version
    (build-system gnu-build-system)
    (arguments '(#:configure-flags '("--enable-silent-rules")))
    (inputs `(("gawk" ,gawk)))
    (synopsis "Hello, GNU world: An example GNU package")
    (description "Guess what GNU Hello prints!")
    (home-page "")
    (license gpl3+)))

Without being a Scheme expert, the reader may have guessed the meaning of the various fields here. This expression binds the variable hello to a <package> object, which is essentially a record (see Scheme records in GNU Guile Reference Manual). This package object can be inspected using procedures found in the (guix packages) module; for instance, (package-name hello) returns—surprise!—"hello".

With luck, you may be able to import part or all of the definition of the package you are interested in from another repository, using the guix import command (see Invoking guix import).

In the example above, hello is defined in a module of its own, (gnu packages hello). Technically, this is not strictly necessary, but it is convenient to do so: all the packages defined in modules under (gnu packages …) are automatically known to the command-line tools (see Package Modules).

There are a few points worth noting in the above package definition:

See package Reference, for a full description of possible fields.

Once a package definition is in place, the package may actually be built using the guix build command-line tool (see Invoking guix build), troubleshooting any build failures you encounter (see Debugging Build Failures). You can easily jump back to the package definition using the guix edit command (see Invoking guix edit). See Packaging Guidelines, for more information on how to test package definitions, and Invoking guix lint, for information on how to check a definition for style conformance. Lastly, see Channels, for information on how to extend the distribution by adding your own package definitions in a “channel”.

Finally, updating the package definition to a new upstream version can be partly automated by the guix refresh command (see Invoking guix refresh).

Behind the scenes, a derivation corresponding to the <package> object is first computed by the package-derivation procedure. That derivation is stored in a .drv file under /gnu/store. The build actions it prescribes may then be realized by using the build-derivations procedure (see The Store).

Scheme Procedure: package-derivation store package [system]

Return the <derivation> object of package for system (see Derivations).

package must be a valid <package> object, and system must be a string denoting the target system type—e.g., "x86_64-linux" for an x86_64 Linux-based GNU system. store must be a connection to the daemon, which operates on the store (see The Store).

Similarly, it is possible to compute a derivation that cross-builds a package for some other system:

Scheme Procedure: package-cross-derivation store package target [system]

Return the <derivation> object of package cross-built from system to target.

target must be a valid GNU triplet denoting the target hardware and operating system, such as "aarch64-linux-gnu" (see Specifying Target Triplets in Autoconf).

Once you have package definitions, you can easily define variants of those packages. See Defining Package Variants, for more on that.

Next: , Up: Defining Packages   [Contents][Index]

8.2.1 package Reference

This section summarizes all the options available in package declarations (see Defining Packages).

Data Type: package

This is the data type representing a package recipe.


The name of the package, as a string.


The version of the package, as a string.


An object telling how the source code for the package should be acquired. Most of the time, this is an origin object, which denotes a file fetched from the Internet (see origin Reference). It can also be any other “file-like” object such as a local-file, which denotes a file from the local file system (see local-file).


The build system that should be used to build the package (see Build Systems).

arguments (default: '())

The arguments that should be passed to the build system. This is a list, typically containing sequential keyword-value pairs.

inputs (default: '())
native-inputs (default: '())
propagated-inputs (default: '())

These fields list dependencies of the package. Each one is a list of tuples, where each tuple has a label for the input (a string) as its first element, a package, origin, or derivation as its second element, and optionally the name of the output thereof that should be used, which defaults to "out" (see Packages with Multiple Outputs, for more on package outputs). For example, the list below specifies three inputs:

`(("libffi" ,libffi)
  ("libunistring" ,libunistring)
  ("glib:bin" ,glib "bin"))  ;the "bin" output of Glib

The distinction between native-inputs and inputs is necessary when considering cross-compilation. When cross-compiling, dependencies listed in inputs are built for the target architecture; conversely, dependencies listed in native-inputs are built for the architecture of the build machine.

native-inputs is typically used to list tools needed at build time, but not at run time, such as Autoconf, Automake, pkg-config, Gettext, or Bison. guix lint can report likely mistakes in this area (see Invoking guix lint).

Lastly, propagated-inputs is similar to inputs, but the specified packages will be automatically installed to profiles (see the role of profiles in Guix) alongside the package they belong to (see guix package, for information on how guix package deals with propagated inputs).

For example this is necessary when packaging a C/C++ library that needs headers of another library to compile, or when a pkg-config file refers to another one via its Requires field.

Another example where propagated-inputs is useful is for languages that lack a facility to record the run-time search path akin to the RUNPATH of ELF files; this includes Guile, Python, Perl, and more. When packaging libraries written in those languages, ensure they can find library code they depend on at run time by listing run-time dependencies in propagated-inputs rather than inputs.

outputs (default: '("out"))

The list of output names of the package. See Packages with Multiple Outputs, for typical uses of additional outputs.

native-search-paths (default: '())
search-paths (default: '())

A list of search-path-specification objects describing search-path environment variables honored by the package.

replacement (default: #f)

This must be either #f or a package object that will be used as a replacement for this package. See grafts, for details.


A one-line description of the package.


A more elaborate description of the package.


The license of the package; a value from (guix licenses), or a list of such values.


The URL to the home-page of the package, as a string.

supported-systems (default: %supported-systems)

The list of systems supported by the package, as strings of the form architecture-kernel, for example "x86_64-linux".

location (default: source location of the package form)

The source location of the package. It is useful to override this when inheriting from another package, in which case this field is not automatically corrected.

Scheme Syntax: this-package

When used in the lexical scope of a package field definition, this identifier resolves to the package being defined.

The example below shows how to add a package as a native input of itself when cross-compiling:

  (name "guile")
  ;; ...

  ;; When cross-compiled, Guile, for example, depends on
  ;; a native version of itself.  Add it here.
  (native-inputs (if (%current-target-system)
                     `(("self" ,this-package))

It is an error to refer to this-package outside a package definition.

Because packages are regular Scheme objects that capture a complete dependency graph and associated build procedures, it is often useful to write procedures that take a package and return a modified version thereof according to some parameters. Below are a few examples.

Scheme Procedure: package-with-c-toolchain package toolchain

Return a variant of package that uses toolchain instead of the default GNU C/C++ toolchain. toolchain must be a list of inputs (label/package tuples) providing equivalent functionality, such as the gcc-toolchain package.

The example below returns a variant of the hello package built with GCC 10.x and the rest of the GNU tool chain (Binutils and the GNU C Library) instead of the default tool chain:

(let ((toolchain (specification->package "gcc-toolchain@10")))
  (package-with-c-toolchain hello `(("toolchain" ,toolchain))))

The build tool chain is part of the implicit inputs of packages—it’s usually not listed as part of the various “inputs” fields and is instead pulled in by the build system. Consequently, this procedure works by changing the build system of package so that it pulls in toolchain instead of the defaults. Build Systems, for more on build systems.

Previous: , Up: Defining Packages   [Contents][Index]

8.2.2 origin Reference

This section documents origins. An origin declaration specifies data that must be “produced”—downloaded, usually—and whose content hash is known in advance. Origins are primarily used to represent the source code of packages (see Defining Packages). For that reason, the origin form allows you to declare patches to apply to the original source code as well as code snippets to modify it.

Data Type: origin

This is the data type representing a source code origin.


An object containing the URI of the source. The object type depends on the method (see below). For example, when using the url-fetch method of (guix download), the valid uri values are: a URL represented as a string, or a list thereof.


A monadic procedure that handles the given URI. The procedure must accept at least three arguments: the value of the uri field and the hash algorithm and hash value specified by the hash field. It must return a store item or a derivation in the store monad (see The Store Monad); most methods return a fixed-output derivation (see Derivations).

Commonly used methods include url-fetch, which fetches data from a URL, and git-fetch, which fetches data from a Git repository (see below).


A bytevector containing the SHA-256 hash of the source. This is equivalent to providing a content-hash SHA256 object in the hash field described below.


The content-hash object of the source—see below for how to use content-hash.

You can obtain this information using guix download (see Invoking guix download) or guix hash (see Invoking guix hash).

file-name (default: #f)

The file name under which the source code should be saved. When this is #f, a sensible default value will be used in most cases. In case the source is fetched from a URL, the file name from the URL will be used. For version control checkouts, it is recommended to provide the file name explicitly because the default is not very descriptive.

patches (default: '())

A list of file names, origins, or file-like objects (see file-like objects) pointing to patches to be applied to the source.

This list of patches must be unconditional. In particular, it cannot depend on the value of %current-system or %current-target-system.

snippet (default: #f)

A G-expression (see G-Expressions) or S-expression that will be run in the source directory. This is a convenient way to modify the source, sometimes more convenient than a patch.

patch-flags (default: '("-p1"))

A list of command-line flags that should be passed to the patch command.

patch-inputs (default: #f)

Input packages or derivations to the patching process. When this is #f, the usual set of inputs necessary for patching are provided, such as GNU Patch.

modules (default: '())

A list of Guile modules that should be loaded during the patching process and while running the code in the snippet field.

patch-guile (default: #f)

The Guile package that should be used in the patching process. When this is #f, a sensible default is used.

Data Type: content-hash value [algorithm]

Construct a content hash object for the given algorithm, and with value as its hash value. When algorithm is omitted, assume it is sha256.

value can be a literal string, in which case it is base32-decoded, or it can be a bytevector.

The following forms are all equivalent:

(content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj")
(content-hash "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"
(content-hash (base32
(content-hash (base64 "kkb+RPaP7uyMZmu4eXPVkM4BN8yhRd8BTHLslb6f/Rc=")

Technically, content-hash is currently implemented as a macro. It performs sanity checks at macro-expansion time, when possible, such as ensuring that value has the right size for algorithm.

As we have seen above, how exactly the data an origin refers to is retrieved is determined by its method field. The (guix download) module provides the most common method, url-fetch, described below.

Scheme Procedure: url-fetch url hash-algo hash [name] [#:executable? #f]

Return a fixed-output derivation that fetches data from url (a string, or a list of strings denoting alternate URLs), which is expected to have hash hash of type hash-algo (a symbol). By default, the file name is the base name of URL; optionally, name can specify a different file name. When executable? is true, make the downloaded file executable.

When one of the URL starts with mirror://, then its host part is interpreted as the name of a mirror scheme, taken from %mirror-file.

Alternatively, when URL starts with file://, return the corresponding file name in the store.

Likewise, the (guix git-download) module defines the git-fetch origin method, which fetches data from a Git version control repository, and the git-reference data type to describe the repository and revision to fetch.

Scheme Procedure: git-fetch ref hash-algo hash

Return a fixed-output derivation that fetches ref, a <git-reference> object. The output is expected to have recursive hash hash of type hash-algo (a symbol). Use name as the file name, or a generic name if #f.

Data Type: git-reference

This data type represents a Git reference for git-fetch to retrieve.


The URL of the Git repository to clone.


This string denotes either the commit to fetch (a hexadecimal string, either the full SHA1 commit or a “short” commit string; the latter is not recommended) or the tag to fetch.

recursive? (default: #f)

This Boolean indicates whether to recursively fetch Git sub-modules.

The example below denotes the v2.10 tag of the GNU Hello repository:

  (url "")
  (commit "v2.10"))

This is equivalent to the reference below, which explicitly names the commit:

  (url "")
  (commit "dc7dc56a00e48fe6f231a58f6537139fe2908fb9"))

For Mercurial repositories, the module (guix hg-download) defines the hg-fetch origin method and hg-reference data type for support of the Mercurial version control system.

Scheme Procedure: hg-fetch ref hash-algo hash [name]

Return a fixed-output derivation that fetches ref, a <hg-reference> object. The output is expected to have recursive hash hash of type hash-algo (a symbol). Use name as the file name, or a generic name if #false.

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.3 Defining Package Variants

One of the nice things with Guix is that, given a package definition, you can easily derive variants of that package—for a different upstream version, with different dependencies, different compilation options, and so on. Some of these custom packages can be defined straight from the command line (see Package Transformation Options). This section describes how to define package variants in code. This can be useful in “manifests” (see --manifest) and in your own package collection (see Creating a Channel), among others!

As discussed earlier, packages are first-class objects in the Scheme language. The (guix packages) module provides the package construct to define new package objects (see package Reference). The easiest way to define a package variant is using the inherit keyword together with package. This allows you to inherit from a package definition while overriding the fields you want.

For example, given the hello variable, which contains a definition for the current version of GNU Hello, here’s how you would define a variant for version 2.2 (released in 2006, it’s vintage!):

(use-modules (gnu packages base))    ;for 'hello'

(define hello-2.2
    (inherit hello)
    (version "2.2")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/hello/hello-" version

The example above corresponds to what the --with-source package transformation option does. Essentially hello-2.2 preserves all the fields of hello, except version and source, which it overrides. Note that the original hello variable is still there, in the (gnu packages base) module, unchanged. When you define a custom package like this, you are really adding a new package definition; the original one remains available.

You can just as well define variants with a different set of dependencies than the original package. For example, the default gdb package depends on guile, but since that is an optional dependency, you can define a variant that removes that dependency like so:

(use-modules (gnu packages gdb)    ;for 'gdb'
             (srfi srfi-1))        ;for 'alist-delete'

(define gdb-sans-guile
    (inherit gdb)
    (inputs (alist-delete "guile"
                          (package-inputs gdb)))))

The alist-delete call above removes the tuple from the inputs field that has "guile" as its first element (see SRFI-1 Association Lists in GNU Guile Reference Manual).

In some cases, you may find it useful to write functions (“procedures”, in Scheme parlance) that return a package based on some parameters. For example, consider the luasocket library for the Lua programming language. We want to create luasocket packages for major versions of Lua. One way to do that is to define a procedure that takes a Lua package and returns a luasocket package that depends on it:

(define (make-lua-socket name lua)
  ;; Return a luasocket package built with LUA.
    (name name)
    (version "3.0")
    ;; several fields omitted
     `(("lua" ,lua)))
    (synopsis "Socket library for Lua")))

(define-public lua5.1-socket
  (make-lua-socket "lua5.1-socket" lua-5.1))

(define-public lua5.2-socket
  (make-lua-socket "lua5.2-socket" lua-5.2))

Here we have defined packages lua5.1-socket and lua5.2-socket by calling make-lua-socket with different arguments. See Procedures in GNU Guile Reference Manual, for more info on procedures. Having top-level public definitions for these two packages means that they can be referred to from the command line (see Package Modules).

These are pretty simple package variants. As a convenience, the (guix transformations) module provides a high-level interface that directly maps to the more sophisticated package transformation options (see Package Transformation Options):

Scheme Procedure: options->transformation opts

Return a procedure that, when passed an object to build (package, derivation, etc.), applies the transformations specified by opts and returns the resulting objects. opts must be a list of symbol/string pairs such as:

((with-branch . "guile-gcrypt=master")
 (without-tests . "libgcrypt"))

Each symbol names a transformation and the corresponding string is an argument to that transformation.

For instance, a manifest equivalent to this command:

guix build guix \
  --with-branch=guile-gcrypt=master \

... would look like this:

(use-modules (guix transformations))

(define transform
  ;; The package transformation procedure.
   '((with-branch . "guile-gcrypt=master")
     (with-debug-info . "zlib"))))

 (list (transform (specification->package "guix"))))

The options->transformation procedure is convenient, but it’s perhaps also not as flexible as you may like. How is it implemented? The astute reader probably noticed that most package transformation options go beyond the superficial changes shown in the first examples of this section: they involve input rewriting, whereby the dependency graph of a package is rewritten by replacing specific inputs by others.

Dependency graph rewriting, for the purposes of swapping packages in the graph, is what the package-input-rewriting procedure in (guix packages) implements.

Scheme Procedure: package-input-rewriting replacements [rewrite-name] [#:deep? #t]

Return a procedure that, when passed a package, replaces its direct and indirect dependencies, including implicit inputs when deep? is true, according to replacements. replacements is a list of package pairs; the first element of each pair is the package to replace, and the second one is the replacement.

Optionally, rewrite-name is a one-argument procedure that takes the name of a package and returns its new name after rewrite.

Consider this example:

(define libressl-instead-of-openssl
  ;; This is a procedure to replace OPENSSL by LIBRESSL,
  ;; recursively.
  (package-input-rewriting `((,openssl . ,libressl))))

(define git-with-libressl
  (libressl-instead-of-openssl git))

Here we first define a rewriting procedure that replaces openssl with libressl. Then we use it to define a variant of the git package that uses libressl instead of openssl. This is exactly what the --with-input command-line option does (see --with-input).

The following variant of package-input-rewriting can match packages to be replaced by name rather than by identity.

Scheme Procedure: package-input-rewriting/spec replacements [#:deep? #t]

Return a procedure that, given a package, applies the given replacements to all the package graph, including implicit inputs unless deep? is false. replacements is a list of spec/procedures pair; each spec is a package specification such as "gcc" or "guile@2", and each procedure takes a matching package and returns a replacement for that package.

The example above could be rewritten this way:

(define libressl-instead-of-openssl
  ;; Replace all the packages called "openssl" with LibreSSL.
  (package-input-rewriting/spec `(("openssl" . ,(const libressl)))))

The key difference here is that, this time, packages are matched by spec and not by identity. In other words, any package in the graph that is called openssl will be replaced.

A more generic procedure to rewrite a package dependency graph is package-mapping: it supports arbitrary changes to nodes in the graph.

Scheme Procedure: package-mapping proc [cut?] [#:deep? #f]

Return a procedure that, given a package, applies proc to all the packages depended on and returns the resulting package. The procedure stops recursion when cut? returns true for a given package. When deep? is true, proc is applied to implicit inputs as well.

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.4 Build Systems

Each package definition specifies a build system and arguments for that build system (see Defining Packages). This build-system field represents the build procedure of the package, as well as implicit dependencies of that build procedure.

Build systems are <build-system> objects. The interface to create and manipulate them is provided by the (guix build-system) module, and actual build systems are exported by specific modules.

Under the hood, build systems first compile package objects to bags. A bag is like a package, but with less ornamentation—in other words, a bag is a lower-level representation of a package, which includes all the inputs of that package, including some that were implicitly added by the build system. This intermediate representation is then compiled to a derivation (see Derivations). The package-with-c-toolchain is an example of a way to change the implicit inputs that a package’s build system pulls in (see package-with-c-toolchain).

Build systems accept an optional list of arguments. In package definitions, these are passed via the arguments field (see Defining Packages). They are typically keyword arguments (see keyword arguments in Guile in GNU Guile Reference Manual). The value of these arguments is usually evaluated in the build stratum—i.e., by a Guile process launched by the daemon (see Derivations).

The main build system is gnu-build-system, which implements the standard build procedure for GNU and many other packages. It is provided by the (guix build-system gnu) module.

Scheme Variable: gnu-build-system

gnu-build-system represents the GNU Build System, and variants thereof (see configuration and makefile conventions in GNU Coding Standards).

In a nutshell, packages using it are configured, built, and installed with the usual ./configure && make && make check && make install command sequence. In practice, a few additional steps are often needed. All these steps are split up in separate phases. See Build Phases, for more info on build phases and ways to customize them.

In addition, this build system ensures that the “standard” environment for GNU packages is available. This includes tools such as GCC, libc, Coreutils, Bash, Make, Diffutils, grep, and sed (see the (guix build-system gnu) module for a complete list). We call these the implicit inputs of a package, because package definitions do not have to mention them.

This build system supports a number of keyword arguments, which can be passed via the arguments field of a package. Here are some of the main parameters:


This argument specifies build-side code that evaluates to an alist of build phases. See Build Phases, for more information.


This is a list of flags (strings) passed to the configure script. See Defining Packages, for an example.


This list of strings contains flags passed as arguments to make invocations in the build, check, and install phases.


This Boolean, #f by default, indicates whether to run builds in a build directory separate from the source tree.

When it is true, the configure phase creates a separate build directory, changes to that directory, and runs the configure script from there. This is useful for packages that require it, such as glibc.


This Boolean, #t by default, indicates whether the check phase should run the package’s test suite.


This string, "check" by default, gives the name of the makefile target used by the check phase.


These Boolean values specify whether to build, respectively run the test suite, in parallel, with the -j flag of make. When they are true, make is passed -jn, where n is the number specified as the --cores option of guix-daemon or that of the guix client command (see --cores).


This Boolean, #t by default, determines whether to “validate” the RUNPATH of ELF binaries (.so shared libraries as well as executables) previously installed by the install phase.

This validation step consists in making sure that all the shared libraries needed by an ELF binaries, which are listed as DT_NEEDED entries in its PT_DYNAMIC segment, appear in the DT_RUNPATH entry of that binary. In other words, it ensures that running or using those binaries will not result in a “file not found” error at run time. See -rpath in The GNU Linker, for more information on RUNPATH.


This Boolean, #t by default, tells whether the package outputs should be substitutable—i.e., whether users should be able to obtain substitutes for them instead of building locally (see Substitutes).


When true, these arguments must be a list of dependencies that must not appear among the references of the build results. If, upon build completion, some of these references are retained, the build process fails.

This is useful to ensure that a package does not erroneously keep a reference to some of it build-time inputs, in cases where doing so would, for example, unnecessarily increase its size (see Invoking guix size).

Most other build systems support these keyword arguments.

Other <build-system> objects are defined to support other conventions and tools used by free software packages. They inherit most of gnu-build-system, and differ mainly in the set of inputs implicitly added to the build process, and in the list of phases executed. Some of these build systems are listed below.

Scheme Variable: ant-build-system

This variable is exported by (guix build-system ant). It implements the build procedure for Java packages that can be built with Ant build tool.

It adds both ant and the Java Development Kit (JDK) as provided by the icedtea package to the set of inputs. Different packages can be specified with the #:ant and #:jdk parameters, respectively.

When the original package does not provide a suitable Ant build file, the parameter #:jar-name can be used to generate a minimal Ant build file build.xml with tasks to build the specified jar archive. In this case the parameter #:source-dir can be used to specify the source sub-directory, defaulting to “src”.

The #:main-class parameter can be used with the minimal ant buildfile to specify the main class of the resulting jar. This makes the jar file executable. The #:test-include parameter can be used to specify the list of junit tests to run. It defaults to (list "**/*"). The #:test-exclude can be used to disable some tests. It defaults to (list "**/Abstract*.java"), because abstract classes cannot be run as tests.

The parameter #:build-target can be used to specify the Ant task that should be run during the build phase. By default the “jar” task will be run.

Scheme Variable: android-ndk-build-system

This variable is exported by (guix build-system android-ndk). It implements a build procedure for Android NDK (native development kit) packages using a Guix-specific build process.

The build system assumes that packages install their public interface (header) files to the subdirectory include of the out output and their libraries to the subdirectory lib the out output.

It’s also assumed that the union of all the dependencies of a package has no conflicting files.

For the time being, cross-compilation is not supported - so right now the libraries and header files are assumed to be host tools.

Scheme Variable: asdf-build-system/source
Scheme Variable: asdf-build-system/sbcl
Scheme Variable: asdf-build-system/ecl

These variables, exported by (guix build-system asdf), implement build procedures for Common Lisp packages using “ASDF”. ASDF is a system definition facility for Common Lisp programs and libraries.

The asdf-build-system/source system installs the packages in source form, and can be loaded using any common lisp implementation, via ASDF. The others, such as asdf-build-system/sbcl, install binary systems in the format which a particular implementation understands. These build systems can also be used to produce executable programs, or lisp images which contain a set of packages pre-loaded.

The build system uses naming conventions. For binary packages, the package name should be prefixed with the lisp implementation, such as sbcl- for asdf-build-system/sbcl.

Additionally, the corresponding source package should be labeled using the same convention as python packages (see Python Modules), using the cl- prefix.

In order to create executable programs and images, the build-side procedures build-program and build-image can be used. They should be called in a build phase after the create-asdf-configuration phase, so that the system which was just built can be used within the resulting image. build-program requires a list of Common Lisp expressions to be passed as the #:entry-program argument.

By default, all the .asd files present in the sources are read to find system definitions. The #:asd-files parameter can be used to specify the list of .asd files to read. Furthermore, if the package defines a system for its tests in a separate file, it will be loaded before the tests are run if it is specified by the #:test-asd-file parameter. If it is not set, the files <system>-tests.asd, <system>-test.asd, tests.asd, and test.asd will be tried if they exist.

If for some reason the package must be named in a different way than the naming conventions suggest, or if several systems must be compiled, the #:asd-systems parameter can be used to specify the list of system names.

Scheme Variable: cargo-build-system

This variable is exported by (guix build-system cargo). It supports builds of packages using Cargo, the build tool of the Rust programming language.

It adds rustc and cargo to the set of inputs. A different Rust package can be specified with the #:rust parameter.

Regular cargo dependencies should be added to the package definition similarly to other packages; those needed only at build time to native-inputs, others to inputs. If you need to add source-only crates then you should add them to via the #:cargo-inputs parameter as a list of name and spec pairs, where the spec can be a package or a source definition. Note that the spec must evaluate to a path to a gzipped tarball which includes a Cargo.toml file at its root, or it will be ignored. Similarly, cargo dev-dependencies should be added to the package definition via the #:cargo-development-inputs parameter.

In its configure phase, this build system will make any source inputs specified in the #:cargo-inputs and #:cargo-development-inputs parameters available to cargo. It will also remove an included Cargo.lock file to be recreated by cargo during the build phase. The package phase will run cargo package to create a source crate for future use. The install phase installs the binaries defined by the crate. Unless install-source? #f is defined it will also install a source crate repository of itself and unpacked sources, to ease in future hacking on rust packages.

Scheme Variable: chicken-build-system

This variable is exported by (guix build-system chicken). It builds CHICKEN Scheme modules, also called “eggs” or “extensions”. CHICKEN generates C source code, which then gets compiled by a C compiler, in this case GCC.

This build system adds chicken to the package inputs, as well as the packages of gnu-build-system.

The build system can’t (yet) deduce the egg’s name automatically, so just like with go-build-system and its #:import-path, you should define #:egg-name in the package’s arguments field.

For example, if you are packaging the srfi-1 egg:

(arguments '(#:egg-name "srfi-1"))

Egg dependencies must be defined in propagated-inputs, not inputs because CHICKEN doesn’t embed absolute references in compiled eggs. Test dependencies should go to native-inputs, as usual.

Scheme Variable: copy-build-system

This variable is exported by (guix build-system copy). It supports builds of simple packages that don’t require much compiling, mostly just moving files around.

It adds much of the gnu-build-system packages to the set of inputs. Because of this, the copy-build-system does not require all the boilerplate code often needed for the trivial-build-system.

To further simplify the file installation process, an #:install-plan argument is exposed to let the packager specify which files go where. The install plan is a list of (source target [filters]). filters are optional.


Scheme Variable: clojure-build-system

This variable is exported by (guix build-system clojure). It implements a simple build procedure for Clojure packages using plain old compile in Clojure. Cross-compilation is not supported yet.

It adds clojure, icedtea and zip to the set of inputs. Different packages can be specified with the #:clojure, #:jdk and #:zip parameters, respectively.

A list of source directories, test directories and jar names can be specified with the #:source-dirs, #:test-dirs and #:jar-names parameters, respectively. Compile directory and main class can be specified with the #:compile-dir and #:main-class parameters, respectively. Other parameters are documented below.

This build system is an extension of ant-build-system, but with the following phases changed:


This phase calls compile in Clojure to compile source files and runs jar to create jars from both source files and compiled files according to the include list and exclude list specified in #:aot-include and #:aot-exclude, respectively. The exclude list has priority over the include list. These lists consist of symbols representing Clojure libraries or the special keyword #:all representing all Clojure libraries found under the source directories. The parameter #:omit-source? decides if source should be included into the jars.


This phase runs tests according to the include list and exclude list specified in #:test-include and #:test-exclude, respectively. Their meanings are analogous to that of #:aot-include and #:aot-exclude, except that the special keyword #:all now stands for all Clojure libraries found under the test directories. The parameter #:tests? decides if tests should be run.


This phase installs all jars built previously.

Apart from the above, this build system also contains an additional phase:


This phase installs all top-level files with base name matching %doc-regex. A different regex can be specified with the #:doc-regex parameter. All files (recursively) inside the documentation directories specified in #:doc-dirs are installed as well.

Scheme Variable: cmake-build-system

This variable is exported by (guix build-system cmake). It implements the build procedure for packages using the CMake build tool.

It automatically adds the cmake package to the set of inputs. Which package is used can be specified with the #:cmake parameter.

The #:configure-flags parameter is taken as a list of flags passed to the cmake command. The #:build-type parameter specifies in abstract terms the flags passed to the compiler; it defaults to "RelWithDebInfo" (short for “release mode with debugging information”), which roughly means that code is compiled with -O2 -g, as is the case for Autoconf-based packages by default.

Scheme Variable: dune-build-system

This variable is exported by (guix build-system dune). It supports builds of packages using Dune, a build tool for the OCaml programming language. It is implemented as an extension of the ocaml-build-system which is described below. As such, the #:ocaml and #:findlib parameters can be passed to this build system.

It automatically adds the dune package to the set of inputs. Which package is used can be specified with the #:dune parameter.

There is no configure phase because dune packages typically don’t need to be configured. The #:build-flags parameter is taken as a list of flags passed to the dune command during the build.

The #:jbuild? parameter can be passed to use the jbuild command instead of the more recent dune command while building a package. Its default value is #f.

The #:package parameter can be passed to specify a package name, which is useful when a package contains multiple packages and you want to build only one of them. This is equivalent to passing the -p argument to dune.

Scheme Variable: go-build-system

This variable is exported by (guix build-system go). It implements a build procedure for Go packages using the standard Go build mechanisms.

The user is expected to provide a value for the key #:import-path and, in some cases, #:unpack-path. The import path corresponds to the file system path expected by the package’s build scripts and any referring packages, and provides a unique way to refer to a Go package. It is typically based on a combination of the package source code’s remote URI and file system hierarchy structure. In some cases, you will need to unpack the package’s source code to a different directory structure than the one indicated by the import path, and #:unpack-path should be used in such cases.

Packages that provide Go libraries should install their source code into the built output. The key #:install-source?, which defaults to #t, controls whether or not the source code is installed. It can be set to #f for packages that only provide executable files.

Scheme Variable: glib-or-gtk-build-system

This variable is exported by (guix build-system glib-or-gtk). It is intended for use with packages making use of GLib or GTK+.

This build system adds the following two phases to the ones defined by gnu-build-system:


The phase glib-or-gtk-wrap ensures that programs in bin/ are able to find GLib “schemas” and GTK+ modules. This is achieved by wrapping the programs in launch scripts that appropriately set the XDG_DATA_DIRS and GTK_PATH environment variables.

It is possible to exclude specific package outputs from that wrapping process by listing their names in the #:glib-or-gtk-wrap-excluded-outputs parameter. This is useful when an output is known not to contain any GLib or GTK+ binaries, and where wrapping would gratuitously add a dependency of that output on GLib and GTK+.


The phase glib-or-gtk-compile-schemas makes sure that all GSettings schemas of GLib are compiled. Compilation is performed by the glib-compile-schemas program. It is provided by the package glib:bin which is automatically imported by the build system. The glib package providing glib-compile-schemas can be specified with the #:glib parameter.

Both phases are executed after the install phase.

Scheme Variable: guile-build-system

This build system is for Guile packages that consist exclusively of Scheme code and that are so lean that they don’t even have a makefile, let alone a configure script. It compiles Scheme code using guild compile (see Compilation in GNU Guile Reference Manual) and installs the .scm and .go files in the right place. It also installs documentation.

This build system supports cross-compilation by using the --target option of ‘guild compile’.

Packages built with guile-build-system must provide a Guile package in their native-inputs field.

Scheme Variable: julia-build-system

This variable is exported by (guix build-system julia). It implements the build procedure used by julia packages, which essentially is similar to running ‘julia -e 'using Pkg; Pkg.add(package)'’ in an environment where JULIA_LOAD_PATH contains the paths to all Julia package inputs. Tests are run by calling /test/runtests.jl.

The Julia package name is read from the file Project.toml. This value can be overridden by passing the argument #:julia-package-name (which must be correctly capitalized).

Julia packages usually manage their binary dependencies via JLLWrappers.jl, a Julia package that creates a module (named after the wrapped library followed by _jll.jl.

To add the binary path _jll.jl packages, you need to patch the files under src/wrappers/, replacing the call to the macro JLLWrappers.@generate_wrapper_header, adding as a second argument containing the store path the binary.

As an example, in the MbedTLS Julia package, we add a build phase (see Build Phases) to insert the absolute file name of the wrapped MbedTLS package:

(add-after 'unpack 'override-binary-path
  (lambda* (#:key inputs #:allow-other-keys)
    (for-each (lambda (wrapper)
                (substitute* wrapper
                    "generate_wrapper_header(\"MbedTLS\", \""
                    (assoc-ref inputs "mbedtls-apache") "\")\n"))))
              ;; There's a Julia file for each platform, override them all.
              (find-files "src/wrappers/" "\\.jl$"))))

Some older packages that aren’t using Package.toml yet, will require this file to be created, too. The function julia-create-package-toml helps creating the file. You need to pass the outputs and the source of the package, it’s name (the same as the file-name parameter), the package uuid, the package version, and a list of dependencies specified by their name and their uuid.

Scheme Variable: maven-build-system

This variable is exported by (guix build-system maven). It implements a build procedure for Maven packages. Maven is a dependency and lifecycle management tool for Java. A user of Maven specifies dependencies and plugins in a pom.xml file that Maven reads. When Maven does not have one of the dependencies or plugins in its repository, it will download them and use them to build the package.

The maven build system ensures that maven will not try to download any dependency by running in offline mode. Maven will fail if a dependency is missing. Before running Maven, the pom.xml (and subprojects) are modified to specify the version of dependencies and plugins that match the versions available in the guix build environment. Dependencies and plugins must be installed in the fake maven repository at lib/m2, and are symlinked into a proper repository before maven is run. Maven is instructed to use that repository for the build and installs built artifacts there. Changed files are copied to the lib/m2 directory of the package output.

You can specify a pom.xml file with the #:pom-file argument, or let the build system use the default pom.xml file in the sources.

In case you need to specify a dependency’s version manually, you can use the #:local-packages argument. It takes an association list where the key is the groupId of the package and its value is an association list where the key is the artifactId of the package and its value is the version you want to override in the pom.xml.

Some packages use dependencies or plugins that are not useful at runtime nor at build time in Guix. You can alter the pom.xml file to remove them using the #:exclude argument. Its value is an association list where the key is the groupId of the plugin or dependency you want to remove, and the value is a list of artifactId you want to remove.

You can override the default jdk and maven packages with the corresponding argument, #:jdk and #:maven.

The #:maven-plugins argument is a list of maven plugins used during the build, with the same format as the inputs fields of the package declaration. Its default value is (default-maven-plugins) which is also exported.

Scheme Variable: minify-build-system

This variable is exported by (guix build-system minify). It implements a minification procedure for simple JavaScript packages.

It adds uglify-js to the set of inputs and uses it to compress all JavaScript files in the src directory. A different minifier package can be specified with the #:uglify-js parameter, but it is expected that the package writes the minified code to the standard output.

When the input JavaScript files are not all located in the src directory, the parameter #:javascript-files can be used to specify a list of file names to feed to the minifier.

Scheme Variable: ocaml-build-system

This variable is exported by (guix build-system ocaml). It implements a build procedure for OCaml packages, which consists of choosing the correct set of commands to run for each package. OCaml packages can expect many different commands to be run. This build system will try some of them.

When the package has a file present at the top-level, it will run ocaml -configure, ocaml -build and ocaml -install. The build system will assume that this file was generated by OASIS and will take care of setting the prefix and enabling tests if they are not disabled. You can pass configure and build flags with the #:configure-flags and #:build-flags. The #:test-flags key can be passed to change the set of flags used to enable tests. The #:use-make? key can be used to bypass this system in the build and install phases.

When the package has a configure file, it is assumed that it is a hand-made configure script that requires a different argument format than in the gnu-build-system. You can add more flags with the #:configure-flags key.

When the package has a Makefile file (or #:use-make? is #t), it will be used and more flags can be passed to the build and install phases with the #:make-flags key.

Finally, some packages do not have these files and use a somewhat standard location for its build system. In that case, the build system will run ocaml pkg/ or ocaml pkg/ and take care of providing the path to the required findlib module. Additional flags can be passed via the #:build-flags key. Install is taken care of by opam-installer. In this case, the opam package must be added to the native-inputs field of the package definition.

Note that most OCaml packages assume they will be installed in the same directory as OCaml, which is not what we want in guix. In particular, they will install .so files in their module’s directory, which is usually fine because it is in the OCaml compiler directory. In guix though, these libraries cannot be found and we use CAML_LD_LIBRARY_PATH. This variable points to lib/ocaml/site-lib/stubslibs and this is where .so libraries should be installed.

Scheme Variable: python-build-system

This variable is exported by (guix build-system python). It implements the more or less standard build procedure used by Python packages, which consists in running python build and then python install --prefix=/gnu/store/….

For packages that install stand-alone Python programs under bin/, it takes care of wrapping these programs so that their PYTHONPATH environment variable points to all the Python libraries they depend on.

Which Python package is used to perform the build can be specified with the #:python parameter. This is a useful way to force a package to be built for a specific version of the Python interpreter, which might be necessary if the package is only compatible with a single interpreter version.

By default guix calls under control of setuptools, much like pip does. Some packages are not compatible with setuptools (and pip), thus you can disable this by setting the #:use-setuptools? parameter to #f.

Scheme Variable: perl-build-system

This variable is exported by (guix build-system perl). It implements the standard build procedure for Perl packages, which either consists in running perl Build.PL --prefix=/gnu/store/…, followed by Build and Build install; or in running perl Makefile.PL PREFIX=/gnu/store/…, followed by make and make install, depending on which of Build.PL or Makefile.PL is present in the package distribution. Preference is given to the former if both Build.PL and Makefile.PL exist in the package distribution. This preference can be reversed by specifying #t for the #:make-maker? parameter.

The initial perl Makefile.PL or perl Build.PL invocation passes flags specified by the #:make-maker-flags or #:module-build-flags parameter, respectively.

Which Perl package is used can be specified with #:perl.

Scheme Variable: renpy-build-system

This variable is exported by (guix build-system renpy). It implements the more or less standard build procedure used by Ren’py games, which consists of loading #:game once, thereby creating bytecode for it.

It further creates a wrapper script in bin/ and a desktop entry in share/applications, both of which can be used to launch the game.

Which Ren’py package is used can be specified with #:renpy. Games can also be installed in outputs other than “out” by using #:output.

Scheme Variable: qt-build-system

This variable is exported by (guix build-system qt). It is intended for use with applications using Qt or KDE.

This build system adds the following two phases to the ones defined by cmake-build-system:


The phase check-setup prepares the environment for running the checks as commonly used by Qt test programs. For now this only sets some environment variables: QT_QPA_PLATFORM=offscreen, DBUS_FATAL_WARNINGS=0 and CTEST_OUTPUT_ON_FAILURE=1.

This phase is added before the check phase. It’s a separate phase to ease adjusting if necessary.


The phase qt-wrap searches for Qt5 plugin paths, QML paths and some XDG in the inputs and output. In case some path is found, all programs in the output’s bin/, sbin/, libexec/ and lib/libexec/ directories are wrapped in scripts defining the necessary environment variables.

It is possible to exclude specific package outputs from that wrapping process by listing their names in the #:qt-wrap-excluded-outputs parameter. This is useful when an output is known not to contain any Qt binaries, and where wrapping would gratuitously add a dependency of that output on Qt, KDE, or such.

This phase is added after the install phase.

Scheme Variable: r-build-system

This variable is exported by (guix build-system r). It implements the build procedure used by R packages, which essentially is little more than running ‘R CMD INSTALL --library=/gnu/store/…’ in an environment where R_LIBS_SITE contains the paths to all R package inputs. Tests are run after installation using the R function tools::testInstalledPackage.

Scheme Variable: rakudo-build-system

This variable is exported by (guix build-system rakudo). It implements the build procedure used by Rakudo for Perl6 packages. It installs the package to /gnu/store/…/NAME-VERSION/share/perl6 and installs the binaries, library files and the resources, as well as wrap the files under the bin/ directory. Tests can be skipped by passing #f to the tests? parameter.

Which rakudo package is used can be specified with rakudo. Which perl6-tap-harness package used for the tests can be specified with #:prove6 or removed by passing #f to the with-prove6? parameter. Which perl6-zef package used for tests and installing can be specified with #:zef or removed by passing #f to the with-zef? parameter.

Scheme Variable: texlive-build-system

This variable is exported by (guix build-system texlive). It is used to build TeX packages in batch mode with a specified engine. The build system sets the TEXINPUTS variable to find all TeX source files in the inputs.

By default it runs luatex on all files ending on ins. A different engine and format can be specified with the #:tex-format argument. Different build targets can be specified with the #:build-targets argument, which expects a list of file names. The build system adds only texlive-bin and texlive-latex-base (both from (gnu packages tex) to the inputs. Both can be overridden with the arguments #:texlive-bin and #:texlive-latex-base, respectively.

The #:tex-directory parameter tells the build system where to install the built files under the texmf tree.

Scheme Variable: ruby-build-system

This variable is exported by (guix build-system ruby). It implements the RubyGems build procedure used by Ruby packages, which involves running gem build followed by gem install.

The source field of a package that uses this build system typically references a gem archive, since this is the format that Ruby developers use when releasing their software. The build system unpacks the gem archive, potentially patches the source, runs the test suite, repackages the gem, and installs it. Additionally, directories and tarballs may be referenced to allow building unreleased gems from Git or a traditional source release tarball.

Which Ruby package is used can be specified with the #:ruby parameter. A list of additional flags to be passed to the gem command can be specified with the #:gem-flags parameter.

Scheme Variable: waf-build-system

This variable is exported by (guix build-system waf). It implements a build procedure around the waf script. The common phases—configure, build, and install—are implemented by passing their names as arguments to the waf script.

The waf script is executed by the Python interpreter. Which Python package is used to run the script can be specified with the #:python parameter.

Scheme Variable: scons-build-system

This variable is exported by (guix build-system scons). It implements the build procedure used by the SCons software construction tool. This build system runs scons to build the package, scons test to run tests, and then scons install to install the package.

Additional flags to be passed to scons can be specified with the #:scons-flags parameter. The default build and install targets can be overridden with #:build-targets and #:install-targets respectively. The version of Python used to run SCons can be specified by selecting the appropriate SCons package with the #:scons parameter.

Scheme Variable: haskell-build-system

This variable is exported by (guix build-system haskell). It implements the Cabal build procedure used by Haskell packages, which involves running runhaskell Setup.hs configure --prefix=/gnu/store/… and runhaskell Setup.hs build. Instead of installing the package by running runhaskell Setup.hs install, to avoid trying to register libraries in the read-only compiler store directory, the build system uses runhaskell Setup.hs copy, followed by runhaskell Setup.hs register. In addition, the build system generates the package documentation by running runhaskell Setup.hs haddock, unless #:haddock? #f is passed. Optional Haddock parameters can be passed with the help of the #:haddock-flags parameter. If the file Setup.hs is not found, the build system looks for Setup.lhs instead.

Which Haskell compiler is used can be specified with the #:haskell parameter which defaults to ghc.

Scheme Variable: dub-build-system

This variable is exported by (guix build-system dub). It implements the Dub build procedure used by D packages, which involves running dub build and dub run. Installation is done by copying the files manually.

Which D compiler is used can be specified with the #:ldc parameter which defaults to ldc.

Scheme Variable: emacs-build-system

This variable is exported by (guix build-system emacs). It implements an installation procedure similar to the packaging system of Emacs itself (see Packages in The GNU Emacs Manual).

It first creates the package-autoloads.el file, then it byte compiles all Emacs Lisp files. Differently from the Emacs packaging system, the Info documentation files are moved to the standard documentation directory and the dir file is deleted. The Elisp package files are installed directly under share/emacs/site-lisp.

Scheme Variable: font-build-system

This variable is exported by (guix build-system font). It implements an installation procedure for font packages where upstream provides pre-compiled TrueType, OpenType, etc. font files that merely need to be copied into place. It copies font files to standard locations in the output directory.

Scheme Variable: meson-build-system

This variable is exported by (guix build-system meson). It implements the build procedure for packages that use Meson as their build system.

It adds both Meson and Ninja to the set of inputs, and they can be changed with the parameters #:meson and #:ninja if needed. The default Meson is meson-for-build, which is special because it doesn’t clear the RUNPATH of binaries and libraries when they are installed.

This build system is an extension of gnu-build-system, but with the following phases changed to some specific for Meson:


The phase runs meson with the flags specified in #:configure-flags. The flag --buildtype is always set to debugoptimized unless something else is specified in #:build-type.


The phase runs ninja to build the package in parallel by default, but this can be changed with #:parallel-build?.


The phase runs ninja with the target specified in #:test-target, which is "test" by default.


The phase runs ninja install and can not be changed.

Apart from that, the build system also adds the following phases:


This phase ensures that all binaries can find the libraries they need. It searches for required libraries in subdirectories of the package being built, and adds those to RUNPATH where needed. It also removes references to libraries left over from the build phase by meson-for-build, such as test dependencies, that aren’t actually required for the program to run.


This phase is the phase provided by glib-or-gtk-build-system, and it is not enabled by default. It can be enabled with #:glib-or-gtk?.


This phase is the phase provided by glib-or-gtk-build-system, and it is not enabled by default. It can be enabled with #:glib-or-gtk?.

Scheme Variable: linux-module-build-system

linux-module-build-system allows building Linux kernel modules.

This build system is an extension of gnu-build-system, but with the following phases changed:


This phase configures the environment so that the Linux kernel’s Makefile can be used to build the external kernel module.


This phase uses the Linux kernel’s Makefile in order to build the external kernel module.


This phase uses the Linux kernel’s Makefile in order to install the external kernel module.

It is possible and useful to specify the Linux kernel to use for building the module (in the arguments form of a package using the linux-module-build-system, use the key #:linux to specify it).

Scheme Variable: node-build-system

This variable is exported by (guix build-system node). It implements the build procedure used by Node.js, which implements an approximation of the npm install command, followed by an npm test command.

Which Node.js package is used to interpret the npm commands can be specified with the #:node parameter which defaults to node.

Lastly, for packages that do not need anything as sophisticated, a “trivial” build system is provided. It is trivial in the sense that it provides basically no support: it does not pull any implicit inputs, and does not have a notion of build phases.

Scheme Variable: trivial-build-system

This variable is exported by (guix build-system trivial).

This build system requires a #:builder argument. This argument must be a Scheme expression that builds the package output(s)—as with build-expression->derivation (see build-expression->derivation).

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.5 Build Phases

Almost all package build systems implement a notion build phases: a sequence of actions that the build system executes, when you build the package, leading to the installed byproducts in the store. A notable exception is the “bare-bones” trivial-build-system (see Build Systems).

As discussed in the previous section, those build systems provide a standard list of phases. For gnu-build-system, the main build phases are the following:


Unpack the source tarball, and change the current directory to the extracted source tree. If the source is actually a directory, copy it to the build tree, and enter that directory.


Patch shebangs encountered in source files so they refer to the right store file names. For instance, this changes #!/bin/sh to #!/gnu/store/…-bash-4.3/bin/sh.


Run the configure script with a number of default options, such as --prefix=/gnu/store/…, as well as the options specified by the #:configure-flags argument.


Run make with the list of flags specified with #:make-flags. If the #:parallel-build? argument is true (the default), build with make -j.


Run make check, or some other target specified with #:test-target, unless #:tests? #f is passed. If the #:parallel-tests? argument is true (the default), run make check -j.


Run make install with the flags listed in #:make-flags.


Patch shebangs on the installed executable files.


Strip debugging symbols from ELF files (unless #:strip-binaries? is false), copying them to the debug output when available (see Installing Debugging Files).

Other build systems have similar phases, with some variations. For example, cmake-build-system has same-named phases but its configure phases runs cmake instead of ./configure. Others, such as python-build-system, have a wholly different list of standard phases. All this code runs on the build side: it is evaluated when you actually build the package, in a dedicated build process spawned by the build daemon (see Invoking guix-daemon).

Build phases are represented as association lists or “alists” (see Association Lists in GNU Guile Reference Manual) where each key is a symbol for the name of the phase and the associated value is a procedure that accepts an arbitrary number of arguments. By convention, those procedures receive information about the build in the form of keyword parameters, which they can use or ignore.

For example, here is how (guix build gnu-build-system) defines %standard-phases, the variable holding its alist of build phases16:

;; The build phases of 'gnu-build-system'.

(define* (unpack #:key source #:allow-other-keys)
  ;; Extract the source tarball.
  (invoke "tar" "xvf" source))

(define* (configure #:key outputs #:allow-other-keys)
  ;; Run the 'configure' script.  Install to output "out".
  (let ((out (assoc-ref outputs "out")))
    (invoke "./configure"
            (string-append "--prefix=" out))))

(define* (build #:allow-other-keys)
  ;; Compile.
  (invoke "make"))

(define* (check #:key (test-target "check") (tests? #true)
  ;; Run the test suite.
  (if tests?
      (invoke "make" test-target)
      (display "test suite not run\n")))

(define* (install #:allow-other-keys)
  ;; Install files to the prefix 'configure' specified.
  (invoke "make" "install"))

(define %standard-phases
  ;; The list of standard phases (quite a few are omitted
  ;; for brevity).  Each element is a symbol/procedure pair.
  (list (cons 'unpack unpack)
        (cons 'configure configure)
        (cons 'build build)
        (cons 'check check)
        (cons 'install install)))

This shows how %standard-phases is defined as a list of symbol/procedure pairs (see Pairs in GNU Guile Reference Manual). The first pair associates the unpack procedure with the unpack symbol—a name; the second pair defines the configure phase similarly, and so on. When building a package that uses gnu-build-system with its default list of phases, those phases are executed sequentially. You can see the name of each phase started and completed in the build log of packages that you build.

Let’s now look at the procedures themselves. Each one is defined with define*: #:key lists keyword parameters the procedure accepts, possibly with a default value, and #:allow-other-keys specifies that other keyword parameters are ignored (see Optional Arguments in GNU Guile Reference Manual).

The unpack procedure honors the source parameter, which the build system uses to pass the file name of the source tarball (or version control checkout), and it ignores other parameters. The configure phase only cares about the outputs parameter, an alist mapping package output names to their store file name (see Packages with Multiple Outputs). It extracts the file name of for out, the default output, and passes it to ./configure as the installation prefix, meaning that make install will eventually copy all the files in that directory (see configuration and makefile conventions in GNU Coding Standards). build and install ignore all their arguments. check honors the test-target argument, which specifies the name of the Makefile target to run tests; it prints a message and skips tests when tests? is false.

The list of phases used for a particular package can be changed with the #:phases parameter of the build system. Changing the set of build phases boils down to building a new alist of phases based on the %standard-phases alist described above. This can be done with standard alist procedures such as alist-delete (see SRFI-1 Association Lists in GNU Guile Reference Manual); however, it is more convenient to do so with modify-phases (see modify-phases).

Here is an example of a package definition that removes the configure phase of %standard-phases and inserts a new phase before the build phase, called set-prefix-in-makefile:

(define-public example
    (name "example")
    ;; other fields omitted
    (build-system gnu-build-system)
     '(#:phases (modify-phases %standard-phases
                  (delete 'configure)
                  (add-before 'build 'set-prefix-in-makefile
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Modify the makefile so that its
                      ;; 'PREFIX' variable points to "out".
                      (let ((out (assoc-ref outputs "out")))
                        (substitute* "Makefile"
                          (("PREFIX =.*")
                           (string-append "PREFIX = "
                                          out "\n")))

The new phase that is inserted is written as an anonymous procedure, introduced with lambda*; it honors the outputs parameter we have seen before. See Build Utilities, for more about the helpers used by this phase, and for more examples of modify-phases.

Keep in mind that build phases are code evaluated at the time the package is actually built. This explains why the whole modify-phases expression above is quoted (it comes after the ' or apostrophe): it is staged for later execution. See G-Expressions, for an explanation of code staging and the code strata involved.

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.6 Build Utilities

As soon as you start writing non-trivial package definitions (see Defining Packages) or other build actions (see G-Expressions), you will likely start looking for helpers for “shell-like” actions—creating directories, copying and deleting files recursively, manipulating build phases, and so on. The (guix build utils) module provides such utility procedures.

Most build systems load (guix build utils) (see Build Systems). Thus, when writing custom build phases for your package definitions, you can usually assume those procedures are in scope.

When writing G-expressions, you can import (guix build utils) on the “build side” using with-imported-modules and then put it in scope with the use-modules form (see Using Guile Modules in GNU Guile Reference Manual):

(with-imported-modules '((guix build utils))  ;import it
  (computed-file "empty-tree"
                     ;; Put it in scope.
                     (use-modules (guix build utils))

                     ;; Happily use its 'mkdir-p' procedure.
                     (mkdir-p (string-append #$output "/a/b/c")))))

The remainder of this section is the reference for most of the utility procedures provided by (guix build utils).

8.6.1 Dealing with Store File Names

This section documents procedures that deal with store file names.

Scheme Procedure: %store-directory

Return the directory name of the store.

Scheme Procedure: store-file-name? file

Return true if file is in the store.

Scheme Procedure: strip-store-file-name file

Strip the /gnu/store and hash from file, a store file name. The result is typically a "package-version" string.

Scheme Procedure: package-name->name+version name

Given name, a package name like "foo-0.9.1b", return two values: "foo" and "0.9.1b". When the version part is unavailable, name and #f are returned. The first hyphen followed by a digit is considered to introduce the version part.

8.6.2 File Types

The procedures below deal with files and file types.

Scheme Procedure: directory-exists? dir

Return #t if dir exists and is a directory.

Scheme Procedure: executable-file? file

Return #t if file exists and is executable.

Return #t if file is a symbolic link (aka. a “symlink”).

Scheme Procedure: elf-file? file
Scheme Procedure: ar-file? file
Scheme Procedure: gzip-file? file

Return #t if file is, respectively, an ELF file, an ar archive (such as a .a static library), or a gzip file.

Scheme Procedure: reset-gzip-timestamp file [#:keep-mtime? #t]

If file is a gzip file, reset its embedded timestamp (as with gzip --no-name) and return true. Otherwise return #f. When keep-mtime? is true, preserve file’s modification time.

8.6.3 File Manipulation

The following procedures and macros help create, modify, and delete files. They provide functionality comparable to common shell utilities such as mkdir -p, cp -r, rm -r, and sed. They complement Guile’s extensive, but low-level, file system interface (see POSIX in GNU Guile Reference Manual).

Scheme Syntax: with-directory-excursion directory body

Run body with directory as the process’s current directory.

Essentially, this macro changes the current directory to directory before evaluating body, using chdir (see Processes in GNU Guile Reference Manual). It changes back to the initial directory when the dynamic extent of body is left, be it via normal procedure return or via a non-local exit such as an exception.

Scheme Procedure: mkdir-p dir

Create directory dir and all its ancestors.

Scheme Procedure: install-file file directory

Create directory if it does not exist and copy file in there under the same name.

Scheme Procedure: make-file-writable file

Make file writable for its owner.

Scheme Procedure: copy-recursively source destination [#:log (current-output-port)] [#:follow-symlinks? #f] [#:keep-mtime? #f]

Copy source directory to destination. Follow symlinks if follow-symlinks? is true; otherwise, just preserve them. When keep-mtime? is true, keep the modification time of the files in source on those of destination. Write verbose output to the log port.

Scheme Procedure: delete-file-recursively dir [#:follow-mounts? #f]

Delete dir recursively, like rm -rf, without following symlinks. Don’t follow mount points either, unless follow-mounts? is true. Report but ignore errors.

Scheme Syntax: substitute* file ((regexp match-var…) body…) …

Substitute regexp in file by the string returned by body. body is evaluated with each match-var bound to the corresponding positional regexp sub-expression. For example:

(substitute* file
   "good morning\n")
  (("foo([a-z]+)bar(.*)$" all letters end)
   (string-append "baz" letter end)))

Here, anytime a line of file contains hello, it is replaced by good morning. Anytime a line of file matches the second regexp, all is bound to the complete match, letters is bound to the first sub-expression, and end is bound to the last one.

When one of the match-var is _, no variable is bound to the corresponding match substring.

Alternatively, file may be a list of file names, in which case they are all subject to the substitutions.

Be careful about using $ to match the end of a line; by itself it won’t match the terminating newline of a line.

8.6.4 File Search

This section documents procedures to search and filter files.

Scheme Procedure: file-name-predicate regexp

Return a predicate that returns true when passed a file name whose base name matches regexp.

Scheme Procedure: find-files dir [pred] [#:stat lstat] [#:directories? #f] [#:fail-on-error? #f]

Return the lexicographically sorted list of files under dir for which pred returns true. pred is passed two arguments: the absolute file name, and its stat buffer; the default predicate always returns true. pred can also be a regular expression, in which case it is equivalent to (file-name-predicate pred). stat is used to obtain file information; using lstat means that symlinks are not followed. If directories? is true, then directories will also be included. If fail-on-error? is true, raise an exception upon error.

Here are a few examples where we assume that the current directory is the root of the Guix source tree:

;; List all the regular files in the current directory.
(find-files ".")
 ("./.dir-locals.el" "./.gitignore" )

;; List all the .scm files under gnu/services.
(find-files "gnu/services" "\\.scm$")
 ("gnu/services/admin.scm" "gnu/services/audio.scm" )

;; List ar files in the current directory.
(find-files "." (lambda (file stat) (ar-file? file)))
 ("./libformat.a" "./libstore.a" )
Scheme Procedure: which program

Return the complete file name for program as found in $PATH, or #f if program could not be found.

8.6.5 Build Phases

The (guix build utils) also contains tools to manipulate build phases as used by build systems (see Build Systems). Build phases are represented as association lists or “alists” (see Association Lists in GNU Guile Reference Manual) where each key is a symbol naming the phase and the associated value is a procedure (see Build Phases).

Guile core and the (srfi srfi-1) module both provide tools to manipulate alists. The (guix build utils) module complements those with tools written with build phases in mind.

Scheme Syntax: modify-phases phases clause

Modify phases sequentially as per each clause, which may have one of the following forms:

(delete old-phase-name)
(replace old-phase-name new-phase)
(add-before old-phase-name new-phase-name new-phase)
(add-after old-phase-name new-phase-name new-phase)

Where every phase-name above is an expression evaluating to a symbol, and new-phase an expression evaluating to a procedure.

The example below is taken from the definition of the grep package. It adds a phase to run after the install phase, called fix-egrep-and-fgrep. That phase is a procedure (lambda* is for anonymous procedures) that takes a #:outputs keyword argument and ignores extra keyword arguments (see Optional Arguments in GNU Guile Reference Manual, for more on lambda* and optional and keyword arguments.) The phase uses substitute* to modify the installed egrep and fgrep scripts so that they refer to grep by its absolute file name:

(modify-phases %standard-phases
  (add-after 'install 'fix-egrep-and-fgrep
    ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
    ;; absolute file name instead of searching for it in $PATH.
    (lambda* (#:key outputs #:allow-other-keys)
      (let* ((out (assoc-ref outputs "out"))
             (bin (string-append out "/bin")))
        (substitute* (list (string-append bin "/egrep")
                           (string-append bin "/fgrep"))
          (("^exec grep")
           (string-append "exec " bin "/grep")))

In the example below, phases are modified in two ways: the standard configure phase is deleted, presumably because the package does not have a configure script or anything similar, and the default install phase is replaced by one that manually copies the executable files to be installed:

(modify-phases %standard-phases
  (delete 'configure)      ;no 'configure' script
  (replace 'install
    (lambda* (#:key outputs #:allow-other-keys)
      ;; The package's Makefile doesn't provide an "install"
      ;; rule so do it by ourselves.
      (let ((bin (string-append (assoc-ref outputs "out")
        (install-file "footswitch" bin)
        (install-file "scythe" bin)

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.7 The Store

Conceptually, the store is the place where derivations that have been built successfully are stored—by default, /gnu/store. Sub-directories in the store are referred to as store items or sometimes store paths. The store has an associated database that contains information such as the store paths referred to by each store path, and the list of valid store items—results of successful builds. This database resides in localstatedir/guix/db, where localstatedir is the state directory specified via --localstatedir at configure time, usually /var.

The store is always accessed by the daemon on behalf of its clients (see Invoking guix-daemon). To manipulate the store, clients connect to the daemon over a Unix-domain socket, send requests to it, and read the result—these are remote procedure calls, or RPCs.

Note: Users must never modify files under /gnu/store directly. This would lead to inconsistencies and break the immutability assumptions of Guix’s functional model (see Introduction).

See guix gc --verify, for information on how to check the integrity of the store and attempt recovery from accidental modifications.

The (guix store) module provides procedures to connect to the daemon, and to perform RPCs. These are described below. By default, open-connection, and thus all the guix commands, connect to the local daemon or to the URI specified by the GUIX_DAEMON_SOCKET environment variable.

Environment Variable: GUIX_DAEMON_SOCKET

When set, the value of this variable should be a file name or a URI designating the daemon endpoint. When it is a file name, it denotes a Unix-domain socket to connect to. In addition to file names, the supported URI schemes are:


These are for Unix-domain sockets. file:///var/guix/daemon-socket/socket is equivalent to /var/guix/daemon-socket/socket.


These URIs denote connections over TCP/IP, without encryption nor authentication of the remote host. The URI must specify the host name and optionally a port number (by default port 44146 is used):


This setup is suitable on local networks, such as clusters, where only trusted nodes may connect to the build daemon at

The --listen option of guix-daemon can be used to instruct it to listen for TCP connections (see --listen).


These URIs allow you to connect to a remote daemon over SSH. This feature requires Guile-SSH (see Requirements) and a working guile binary in PATH on the destination machine. It supports public key and GSSAPI authentication. A typical URL might look like this:


As for guix copy, the usual OpenSSH client configuration files are honored (see Invoking guix copy).

Additional URI schemes may be supported in the future.

Note: The ability to connect to remote build daemons is considered experimental as of 1.3.0. Please get in touch with us to share any problems or suggestions you may have (see Contributing).

Scheme Procedure: open-connection [uri] [#:reserve-space? #t]

Connect to the daemon over the Unix-domain socket at uri (a string). When reserve-space? is true, instruct it to reserve a little bit of extra space on the file system so that the garbage collector can still operate should the disk become full. Return a server object.

file defaults to %default-socket-path, which is the normal location given the options that were passed to configure.

Scheme Procedure: close-connection server

Close the connection to server.

Scheme Variable: current-build-output-port

This variable is bound to a SRFI-39 parameter, which refers to the port where build and error logs sent by the daemon should be written.

Procedures that make RPCs all take a server object as their first argument.

Scheme Procedure: valid-path? server path

Return #t when path designates a valid store item and #f otherwise (an invalid item may exist on disk but still be invalid, for instance because it is the result of an aborted or failed build).

A &store-protocol-error condition is raised if path is not prefixed by the store directory (/gnu/store).

Scheme Procedure: add-text-to-store server name text [references]

Add text under file name in the store, and return its store path. references is the list of store paths referred to by the resulting store path.

Scheme Procedure: build-derivations store derivations [mode]

Build derivations, a list of <derivation> objects, .drv file names, or derivation/output pairs, using the specified mode(build-mode normal) by default.

Note that the (guix monads) module provides a monad as well as monadic versions of the above procedures, with the goal of making it more convenient to work with code that accesses the store (see The Store Monad).

This section is currently incomplete.

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.8 Derivations

Low-level build actions and the environment in which they are performed are represented by derivations. A derivation contains the following pieces of information:

Derivations allow clients of the daemon to communicate build actions to the store. They exist in two forms: as an in-memory representation, both on the client- and daemon-side, and as files in the store whose name end in .drv—these files are referred to as derivation paths. Derivations paths can be passed to the build-derivations procedure to perform the build actions they prescribe (see The Store).

Operations such as file downloads and version-control checkouts for which the expected content hash is known in advance are modeled as fixed-output derivations. Unlike regular derivations, the outputs of a fixed-output derivation are independent of its inputs—e.g., a source code download produces the same result regardless of the download method and tools being used.

The outputs of derivations—i.e., the build results—have a set of references, as reported by the references RPC or the guix gc --references command (see Invoking guix gc). References are the set of run-time dependencies of the build results. References are a subset of the inputs of the derivation; this subset is automatically computed by the build daemon by scanning all the files in the outputs.

The (guix derivations) module provides a representation of derivations as Scheme objects, along with procedures to create and otherwise manipulate derivations. The lowest-level primitive to create a derivation is the derivation procedure:

Scheme Procedure: derivation store name builder args [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:inputs '()] [#:env-vars '()] [#:system (%current-system)] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] [#:substitutable? #t] [#:properties '()]

Build a derivation with the given arguments, and return the resulting <derivation> object.

When hash and hash-algo are given, a fixed-output derivation is created—i.e., one whose result is known in advance, such as a file download. If, in addition, recursive? is true, then that fixed output may be an executable file or a directory and hash must be the hash of an archive containing this output.

When references-graphs is true, it must be a list of file name/store path pairs. In that case, the reference graph of each store path is exported in the build environment in the corresponding file, in a simple text format.

When allowed-references is true, it must be a list of store items or outputs that the derivation’s output may refer to. Likewise, disallowed-references, if true, must be a list of things the outputs may not refer to.

When leaked-env-vars is true, it must be a list of strings denoting environment variables that are allowed to “leak” from the daemon’s environment to the build environment. This is only applicable to fixed-output derivations—i.e., when hash is true. The main use is to allow variables such as http_proxy to be passed to derivations that download files.

When local-build? is true, declare that the derivation is not a good candidate for offloading and should rather be built locally (see Daemon Offload Setup). This is the case for small derivations where the costs of data transfers would outweigh the benefits.

When substitutable? is false, declare that substitutes of the derivation’s output should not be used (see Substitutes). This is useful, for instance, when building packages that capture details of the host CPU instruction set.

properties must be an association list describing “properties” of the derivation. It is kept as-is, uninterpreted, in the derivation.

Here’s an example with a shell script as its builder, assuming store is an open connection to the daemon, and bash points to a Bash executable in the store:

(use-modules (guix utils)
             (guix store)
             (guix derivations))

(let ((builder   ; add the Bash script to the store
        (add-text-to-store store ""
                           "echo hello world > $out\n" '())))
  (derivation store "foo"
              bash `("-e" ,builder)
              #:inputs `((,bash) (,builder))
              #:env-vars '(("HOME" . "/homeless"))))
 #<derivation /gnu/store/…-foo.drv => /gnu/store/…-foo>

As can be guessed, this primitive is cumbersome to use directly. A better approach is to write build scripts in Scheme, of course! The best course of action for that is to write the build code as a “G-expression”, and to pass it to gexp->derivation. For more information, see G-Expressions.

Once upon a time, gexp->derivation did not exist and constructing derivations with build code written in Scheme was achieved with build-expression->derivation, documented below. This procedure is now deprecated in favor of the much nicer gexp->derivation.

Scheme Procedure: build-expression->derivation store name exp [#:system (%current-system)] [#:inputs '()] [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:env-vars '()] [#:modules '()] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]

Return a derivation that executes Scheme expression exp as a builder for derivation name. inputs must be a list of (name drv-path sub-drv) tuples; when sub-drv is omitted, "out" is assumed. modules is a list of names of Guile modules from the current search path to be copied in the store, compiled, and made available in the load path during the execution of exp—e.g., ((guix build utils) (guix build gnu-build-system)).

exp is evaluated in an environment where %outputs is bound to a list of output/path pairs, and where %build-inputs is bound to a list of string/output-path pairs made from inputs. Optionally, env-vars is a list of string pairs specifying the name and value of environment variables visible to the builder. The builder terminates by passing the result of exp to exit; thus, when exp returns #f, the build is considered to have failed.

exp is built using guile-for-build (a derivation). When guile-for-build is omitted or is #f, the value of the %guile-for-build fluid is used instead.

See the derivation procedure for the meaning of references-graphs, allowed-references, disallowed-references, local-build?, and substitutable?.

Here’s an example of a single-output derivation that creates a directory containing one file:

(let ((builder '(let ((out (assoc-ref %outputs "out")))
                  (mkdir out)    ; create /gnu/store/…-goo
                  (call-with-output-file (string-append out "/test")
                    (lambda (p)
                      (display '(hello guix) p))))))
  (build-expression->derivation store "goo" builder))

 #<derivation /gnu/store/…-goo.drv => …>

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.9 The Store Monad

The procedures that operate on the store described in the previous sections all take an open connection to the build daemon as their first argument. Although the underlying model is functional, they either have side effects or depend on the current state of the store.

The former is inconvenient: the connection to the build daemon has to be carried around in all those functions, making it impossible to compose functions that do not take that parameter with functions that do. The latter can be problematic: since store operations have side effects and/or depend on external state, they have to be properly sequenced.

This is where the (guix monads) module comes in. This module provides a framework for working with monads, and a particularly useful monad for our uses, the store monad. Monads are a construct that allows two things: associating “context” with values (in our case, the context is the store), and building sequences of computations (here computations include accesses to the store). Values in a monad—values that carry this additional context—are called monadic values; procedures that return such values are called monadic procedures.

Consider this “normal” procedure:

(define (sh-symlink store)
  ;; Return a derivation that symlinks the 'bash' executable.
  (let* ((drv (package-derivation store bash))
         (out (derivation->output-path drv))
         (sh  (string-append out "/bin/bash")))
    (build-expression->derivation store "sh"
                                  `(symlink ,sh %output))))

Using (guix monads) and (guix gexp), it may be rewritten as a monadic function:

(define (sh-symlink)
  ;; Same, but return a monadic value.
  (mlet %store-monad ((drv (package->derivation bash)))
    (gexp->derivation "sh"
                      #~(symlink (string-append #$drv "/bin/bash")

There are several things to note in the second version: the store parameter is now implicit and is “threaded” in the calls to the package->derivation and gexp->derivation monadic procedures, and the monadic value returned by package->derivation is bound using mlet instead of plain let.

As it turns out, the call to package->derivation can even be omitted since it will take place implicitly, as we will see later (see G-Expressions):

(define (sh-symlink)
  (gexp->derivation "sh"
                    #~(symlink (string-append #$bash "/bin/bash")

Calling the monadic sh-symlink has no effect. As someone once said, “you exit a monad like you exit a building on fire: by running”. So, to exit the monad and get the desired effect, one must use run-with-store:

(run-with-store (open-connection) (sh-symlink))

Note that the (guix monad-repl) module extends the Guile REPL with new “meta-commands” to make it easier to deal with monadic procedures: run-in-store, and enter-store-monad. The former is used to “run” a single monadic value through the store:

scheme@(guile-user)> ,run-in-store (package->derivation hello)
$1 = #<derivation /gnu/store/…-hello-2.9.drv => …>

The latter enters a recursive REPL, where all the return values are automatically run through the store:

scheme@(guile-user)> ,enter-store-monad
store-monad@(guile-user) [1]> (package->derivation hello)
$2 = #<derivation /gnu/store/…-hello-2.9.drv => …>
store-monad@(guile-user) [1]> (text-file "foo" "Hello!")
$3 = "/gnu/store/…-foo"
store-monad@(guile-user) [1]> ,q

Note that non-monadic values cannot be returned in the store-monad REPL.

The main syntactic forms to deal with monads in general are provided by the (guix monads) module and are described below.

Scheme Syntax: with-monad monad body ...

Evaluate any >>= or return forms in body as being in monad.

Scheme Syntax: return val

Return a monadic value that encapsulates val.

Scheme Syntax: >>= mval mproc ...

Bind monadic value mval, passing its “contents” to monadic procedures mproc17. There can be one mproc or several of them, as in this example:

    (with-monad %state-monad
      (>>= (return 1)
           (lambda (x) (return (+ 1 x)))
           (lambda (x) (return (* 2 x)))))

Scheme Syntax: mlet monad ((var mval) ...) body ...
Scheme Syntax: mlet* monad ((var mval) ...) body ...

Bind the variables var to the monadic values mval in body, which is a sequence of expressions. As with the bind operator, this can be thought of as “unpacking” the raw, non-monadic value “contained” in mval and making var refer to that raw, non-monadic value within the scope of the body. The form (var -> val) binds var to the “normal” value val, as per let. The binding operations occur in sequence from left to right. The last expression of body must be a monadic expression, and its result will become the result of the mlet or mlet* when run in the monad.

mlet* is to mlet what let* is to let (see Local Bindings in GNU Guile Reference Manual).

Scheme System: mbegin monad mexp ...

Bind mexp and the following monadic expressions in sequence, returning the result of the last expression. Every expression in the sequence must be a monadic expression.

This is akin to mlet, except that the return values of the monadic expressions are ignored. In that sense, it is analogous to begin, but applied to monadic expressions.

Scheme System: mwhen condition mexp0 mexp* ...

When condition is true, evaluate the sequence of monadic expressions mexp0..mexp* as in an mbegin. When condition is false, return *unspecified* in the current monad. Every expression in the sequence must be a monadic expression.

Scheme System: munless condition mexp0 mexp* ...

When condition is false, evaluate the sequence of monadic expressions mexp0..mexp* as in an mbegin. When condition is true, return *unspecified* in the current monad. Every expression in the sequence must be a monadic expression.

The (guix monads) module provides the state monad, which allows an additional value—the state—to be threaded through monadic procedure calls.

Scheme Variable: %state-monad

The state monad. Procedures in the state monad can access and change the state that is threaded.

Consider the example below. The square procedure returns a value in the state monad. It returns the square of its argument, but also increments the current state value:

(define (square x)
  (mlet %state-monad ((count (current-state)))
    (mbegin %state-monad
      (set-current-state (+ 1 count))
      (return (* x x)))))

(run-with-state (sequence %state-monad (map square (iota 3))) 0)
 (0 1 4)

When “run” through %state-monad, we obtain that additional state value, which is the number of square calls.

Monadic Procedure: current-state

Return the current state as a monadic value.

Monadic Procedure: set-current-state value

Set the current state to value and return the previous state as a monadic value.

Monadic Procedure: state-push value

Push value to the current state, which is assumed to be a list, and return the previous state as a monadic value.

Monadic Procedure: state-pop

Pop a value from the current state and return it as a monadic value. The state is assumed to be a list.

Scheme Procedure: run-with-state mval [state]

Run monadic value mval starting with state as the initial state. Return two values: the resulting value, and the resulting state.

The main interface to the store monad, provided by the (guix store) module, is as follows.

Scheme Variable: %store-monad

The store monad—an alias for %state-monad.

Values in the store monad encapsulate accesses to the store. When its effect is needed, a value of the store monad must be “evaluated” by passing it to the run-with-store procedure (see below).

Scheme Procedure: run-with-store store mval [#:guile-for-build] [#:system (%current-system)]

Run mval, a monadic value in the store monad, in store, an open store connection.

Monadic Procedure: text-file name text [references]

Return as a monadic value the absolute file name in the store of the file containing text, a string. references is a list of store items that the resulting text file refers to; it defaults to the empty list.

Monadic Procedure: binary-file name data [references]

Return as a monadic value the absolute file name in the store of the file containing data, a bytevector. references is a list of store items that the resulting binary file refers to; it defaults to the empty list.

Monadic Procedure: interned-file file [name] [#:recursive? #t] [#:select? (const #t)]

Return the name of file once interned in the store. Use name as its store name, or the basename of file if name is omitted.

When recursive? is true, the contents of file are added recursively; if file designates a flat file and recursive? is true, its contents are added, and its permission bits are kept.

When recursive? is true, call (select? file stat) for each directory entry, where file is the entry’s absolute file name and stat is the result of lstat; exclude entries for which select? does not return true.

The example below adds a file to the store, under two different names:

(run-with-store (open-connection)
  (mlet %store-monad ((a (interned-file "README"))
                      (b (interned-file "README" "LEGU-MIN")))
    (return (list a b))))

 ("/gnu/store/rwm…-README" "/gnu/store/44i…-LEGU-MIN")

The (guix packages) module exports the following package-related monadic procedures:

Monadic Procedure: package-file package [file] [#:system (%current-system)] [#:target #f] [#:output "out"]

Return as a monadic value in the absolute file name of file within the output directory of package. When file is omitted, return the name of the output directory of package. When target is true, use it as a cross-compilation target triplet.

Note that this procedure does not build package. Thus, the result might or might not designate an existing file. We recommend not using this procedure unless you know what you are doing.

Monadic Procedure: package->derivation package [system]
Monadic Procedure: package->cross-derivation package target [system]

Monadic version of package-derivation and package-cross-derivation (see Defining Packages).

Next: , Previous: , Up: Programming Interface   [Contents][Index]

8.10 G-Expressions

So we have “derivations”, which represent a sequence of build actions to be performed to produce an item in the store (see Derivations). These build actions are performed when asking the daemon to actually build the derivations; they are run by the daemon in a container (see Invoking guix-daemon).

It should come as no surprise that we like to write these build actions in Scheme. When we do that, we end up with two strata of Scheme code18: the “host code”—code that defines packages, talks to the daemon, etc.—and the “build code”—code that actually performs build actions, such as making directories, invoking make, and so on (see Build Phases).

To describe a derivation and its build actions, one typically needs to embed build code inside host code. It boils down to manipulating build code as data, and the homoiconicity of Scheme—code has a direct representation as data—comes in handy for that. But we need more than the normal quasiquote mechanism in Scheme to construct build expressions.

The (guix gexp) module implements G-expressions, a form of S-expressions adapted to build expressions. G-expressions, or gexps, consist essentially of three syntactic forms: gexp, ungexp, and ungexp-splicing (or simply: #~, #$, and #$@), which are comparable to quasiquote, unquote, and unquote-splicing, respectively (see quasiquote in GNU Guile Reference Manual). However, there are major differences:

This mechanism is not limited to package and derivation objects: compilers able to “lower” other high-level objects to derivations or files in the store can be defined, such that these objects can also be inserted into gexps. For example, a useful type of high-level objects that can be inserted in a gexp is “file-like objects”, which make it easy to add files to the store and to refer to them in derivations and such (see local-file and plain-file below).

To illustrate the idea, here is an example of a gexp:

(define build-exp
      (mkdir #$output)
      (chdir #$output)
      (symlink (string-append #$coreutils "/bin/ls")

This gexp can be passed to gexp->derivation; we obtain a derivation that builds a directory containing exactly one symlink to /gnu/store/…-coreutils-8.22/bin/ls:

(gexp->derivation "the-thing" build-exp)

As one would expect, the "/gnu/store/…-coreutils-8.22" string is substituted to the reference to the coreutils package in the actual build code, and coreutils is automatically made an input to the derivation. Likewise, #$output (equivalent to (ungexp output)) is replaced by a string containing the directory name of the output of the derivation.

In a cross-compilation context, it is useful to distinguish between references to the native build of a package—that can run on the host—versus references to cross builds of a package. To that end, the #+ plays the same role as #$, but is a reference to a native package build:

(gexp->derivation "vi"
       (mkdir #$output)
       (mkdir (string-append #$output "/bin"))
       (system* (string-append #+coreutils "/bin/ln")
                (string-append #$emacs "/bin/emacs")
                (string-append #$output "/bin/vi")))
   #:target "aarch64-linux-gnu")

In the example above, the native build of coreutils is used, so that ln can actually run on the host; but then the cross-compiled build of emacs is referenced.

Another gexp feature is imported modules: sometimes you want to be able to use certain Guile modules from the “host environment” in the gexp, so those modules should be imported in the “build environment”. The with-imported-modules form allows you to express that:

(let ((build (with-imported-modules '((guix build utils))
                   (use-modules (guix build utils))
                   (mkdir-p (string-append #$output "/bin"))))))
  (gexp->derivation "empty-dir"
                        (display "success!\n")

In this example, the (guix build utils) module is automatically pulled into the isolated build environment of our gexp, such that (use-modules (guix build utils)) works as expected.

Usually you want the closure of the module to be imported—i.e., the module itself and all the modules it depends on—rather than just the module; failing to do that, attempts to use the module will fail because of missing dependent modules. The source-module-closure procedure computes the closure of a module by looking at its source file headers, which comes in handy in this case:

(use-modules (guix modules))   ;for 'source-module-closure'

(with-imported-modules (source-module-closure
                         '((guix build utils)
                           (gnu build vm)))
  (gexp->derivation "something-with-vms"
                        (use-modules (guix build utils)
                                     (gnu build vm))

In the same vein, sometimes you want to import not just pure-Scheme modules, but also “extensions” such as Guile bindings to C libraries or other “full-blown” packages. Say you need the guile-json package available on the build side, here’s how you would do it:

(use-modules (gnu packages guile))  ;for 'guile-json'

(with-extensions (list guile-json)
  (gexp->derivation "something-with-json"
                        (use-modules (json))

The syntactic form to construct gexps is summarized below.

Scheme Syntax: #~exp
Scheme Syntax: (gexp exp)

Return a G-expression containing exp. exp may contain one or more of the following forms:

(ungexp obj)

Introduce a reference to obj. obj may have one of the supported types, for example a package or a derivation, in which case the ungexp form is replaced by its output file name—e.g., "/gnu/store/…-coreutils-8.22.

If obj is a list, it is traversed and references to supported objects are substituted similarly.

If obj is another gexp, its contents are inserted and its dependencies are added to those of the containing gexp.

If obj is another kind of object, it is inserted as is.

(ungexp obj output)

This is like the form above, but referring explicitly to the output of obj—this is useful when obj produces multiple outputs (see Packages with Multiple Outputs).

(ungexp-native obj)
(ungexp-native obj output)

Same as ungexp, but produces a reference to the native build of obj when used in a cross compilation context.

(ungexp output [output])

Insert a reference to derivation output output, or to the main output when output is omitted.

This only makes sense for gexps passed to gexp->derivation.

(ungexp-splicing lst)

Like the above, but splices the contents of lst inside the containing list.

(ungexp-native-splicing lst)

Like the above, but refers to native builds of the objects listed in lst.

G-expressions created by gexp or #~ are run-time objects of the gexp? type (see below).

Scheme Syntax: with-imported-modules modules body

Mark the gexps defined in body… as requiring modules in their execution environment.

Each item in modules can be the name of a module, such as (guix build utils), or it can be a module name, followed by an arrow, followed by a file-like object:

`((guix build utils)
  (guix gcrypt)
  ((guix config) => ,(scheme-file "config.scm"
                                  #~(define-module ))))

In the example above, the first two modules are taken from the search path, and the last one is created from the given file-like object.

This form has lexical scope: it has an effect on the gexps directly defined in body…, but not on those defined, say, in procedures called from body….

Scheme Syntax: with-extensions extensions body

Mark the gexps defined in body… as requiring extensions in their build and execution environment. extensions is typically a list of package objects such as those defined in the (gnu packages guile) module.

Concretely, the packages listed in extensions are added to the load path while compiling imported modules in body…; they are also added to the load path of the gexp returned by body….

Scheme Procedure: gexp? obj

Return #t if obj is a G-expression.

G-expressions are meant to be written to disk, either as code building some derivation, or as plain files in the store. The monadic procedures below allow you to do that (see The Store Monad, for more information about monads).

Monadic Procedure: gexp->derivation name exp [#:system (%current-system)] [#:target #f] [#:graft? #t] [#:hash #f] [#:hash-algo #f] [#:recursive? #f] [#:env-vars '()] [#:modules '()] [#:module-path %load-path] [#:effective-version "2.2"] [#:references-graphs #f] [#:allowed-references #f] [#:disallowed-references #f] [#:leaked-env-vars #f] [#:script-name (string-append name "-builder")] [#:deprecation-warnings #f] [#:local-build? #f] [#:substitutable? #t] [#:properties '()] [#:guile-for-build #f]

Return a derivation name that runs exp (a gexp) with guile-for-build (a derivation) on system; exp is stored in a file called script-name. When target is true, it is used as the cross-compilation target triplet for packages referred to by exp.

modules is deprecated in favor of with-imported-modules. Its meaning is to make modules available in the evaluation context of exp; modules is a list of names of Guile modules searched in module-path to be copied in the store, compiled, and made available in the load path during the execution of exp—e.g., ((guix build utils) (guix build gnu-build-system)).

effective-version determines the string to use when adding extensions of exp (see with-extensions) to the search path—e.g., "2.2".

graft? determines whether packages referred to by exp should be grafted when applicable.

When references-graphs is true, it must be a list of tuples of one of the following forms:

(file-name package)
(file-name package output)
(file-name derivation)
(file-name derivation output)
(file-name store-item)

The right-hand-side of each element of references-graphs is automatically made an input of the build process of exp. In the build environment, each file-name contains the reference graph of the corresponding item, in a simple text format.

allowed-references must be either #f or a list of output names and packages. In the latter case, the list denotes store items that the result is allowed to refer to. Any reference to another store item will lead to a build error. Similarly for disallowed-references, which can list items that must not be referenced by the outputs.

deprecation-warnings determines whether to show deprecation warnings while compiling modules. It can be #f, #t, or 'detailed.

The other arguments are as for derivation (see Derivations).

The local-file, plain-file, computed-file, program-file, and scheme-file procedures below return file-like objects. That is, when unquoted in a G-expression, these objects lead to a file in the store. Consider this G-expression:

#~(system* #$(file-append glibc "/sbin/nscd") "-f"
           #$(local-file "/tmp/my-nscd.conf"))

The effect here is to “intern” /tmp/my-nscd.conf by copying it to the store. Once expanded, for instance via gexp->derivation, the G-expression refers to that copy under /gnu/store; thus, modifying or removing the file in /tmp does not have any effect on what the G-expression does. plain-file can be used similarly; it differs in that the file content is directly passed as a string.

Scheme Procedure: local-file file [name] [#:recursive? #f] [#:select? (const #t)]

Return an object representing local file file to add to the store; this object can be used in a gexp. If file is a literal string denoting a relative file name, it is looked up relative to the source file where it appears; if file is not a literal string, it is looked up relative to the current working directory at run time. file will be added to the store under name–by default the base name of file.

When recursive? is true, the contents of file are added recursively; if file designates a flat file and recursive? is true, its contents are added, and its permission bits are kept.

When recursive? is true, call (select? file stat) for each directory entry, where file is the entry’s absolute file name and stat is the result of lstat; exclude entries for which select? does not return true.

This is the declarative counterpart of the interned-file monadic procedure (see interned-file).

Scheme Procedure: plain-file name content

Return an object representing a text file called name with the given content (a string or a bytevector) to be added to the store.

This is the declarative counterpart of text-file.

Scheme Procedure: computed-file name gexp [#:local-build? #t]

[#:options ’()] Return an object representing the store item name, a file or directory computed by gexp. When local-build? is true (the default), the derivation is built locally. options is a list of additional arguments to pass to gexp->derivation.

This is the declarative counterpart of gexp->derivation.

Monadic Procedure: gexp->script name exp [#:guile (default-guile)] [#:module-path %load-path] [#:system (%current-system)] [#:target #f]

Return an executable script name that runs exp using guile, with exp’s imported modules in its search path. Look up exp’s modules in module-path.

The example below builds a script that simply invokes the ls command:

(use-modules (guix gexp) (gnu packages base))

(gexp->script "list-files"
              #~(execl #$(file-append coreutils "/bin/ls")

When “running” it through the store (see run-with-store), we obtain a derivation that produces an executable file /gnu/store/…-list-files along these lines:

#!/gnu/store/…-guile-2.0.11/bin/guile -ds
(execl "/gnu/store/…-coreutils-8.22"/bin/ls" "ls")
Scheme Procedure: program-file name exp [#:guile #f] [#:module-path %load-path]

Return an object representing the executable store item name that runs gexp. guile is the Guile package used to execute that script. Imported modules of gexp are looked up in module-path.

This is the declarative counterpart of gexp->script.

Monadic Procedure: gexp->file name exp [#:set-load-path? #t] [#:module-path %load-path] [#:splice? #f] [#:guile (default-guile)]

Return a derivation that builds a file name containing exp. When splice? is true, exp is considered to be a list of expressions that will be spliced in the resulting file.

When set-load-path? is true, emit code in the resulting file to set %load-path and %load-compiled-path to honor exp’s imported modules. Look up exp’s modules in module-path.

The resulting file holds references to all the dependencies of exp or a subset thereof.

Scheme Procedure: scheme-file name exp [#:splice? #f] [#:set-load-path? #t]

Return an object representing the Scheme file name that contains exp.

This is the declarative counterpart of gexp->file.

Monadic Procedure: text-file* name text

Return as a monadic value a derivation that builds a text file containing all of text. text may list, in addition to strings, objects of any type that can be used in a gexp: packages, derivations, local file objects, etc. The resulting store file holds references to all these.

This variant should be preferred over text-file anytime the file to create will reference items from the store. This is typically the case when building a configuration file that embeds store file names, like this:

(define (
  ;; Return the name of a shell script in the store that
  ;; initializes the 'PATH' environment variable.
  (text-file* ""
              "export PATH=" coreutils "/bin:"
              grep "/bin:" sed "/bin\n"))

In this example, the resulting /gnu/store/… file will reference coreutils, grep, and sed, thereby preventing them from being garbage-collected during its lifetime.

Scheme Procedure: mixed-text-file name text

Return an object representing store file name containing text. text is a sequence of strings and file-like objects, as in:

(mixed-text-file "profile"
                 "export PATH=" coreutils "/bin:" grep "/bin")

This is the declarative counterpart of text-file*.

Scheme Procedure: file-union name files

Return a <computed-file> that builds a directory containing all of files. Each item in files must be a two-element list where the first element is the file name to use in the new directory, and the second element is a gexp denoting the target file. Here’s an example:

(file-union "etc"
            `(("hosts" ,(plain-file "hosts"
                                    " localhost"))
              ("bashrc" ,(plain-file "bashrc"
                                     "alias ls='ls --color=auto'"))))

This yields an etc directory containing these two files.

Scheme Procedure: directory-union name things

Return a directory that is the union of things, where things is a list of file-like objects denoting directories. For example:

(directory-union "guile+emacs" (list guile emacs))

yields a directory that is the union of the guile and emacs packages.

Scheme Procedure: file-append obj suffix

Return a file-like object that expands to the concatenation of obj and suffix, where obj is a lowerable object and each suffix is a string.

As an example, consider this gexp:

(gexp->script "run-uname"
              #~(system* #$(file-append coreutils

The same effect could be achieved with:

(gexp->script "run-uname"
              #~(system* (string-append #$coreutils

There is one difference though: in the file-append case, the resulting script contains the absolute file name as a string, whereas in the second case, the resulting script contains a (string-append …) expression to construct the file name at run time.

Scheme Syntax: let-system system body
Scheme Syntax: let-system (system target) body

Bind system to the currently targeted system—e.g., "x86_64-linux"—within body.

In the second case, additionally bind target to the current cross-compilation target—a GNU triplet such as "arm-linux-gnueabihf"—or #f if we are not cross-compiling.

let-system is useful in the occasional case where the object spliced into the gexp depends on the target system, as in this example:

   #+(let-system system
       (cond ((string-prefix? "armhf-" system)
              (file-append qemu "/bin/qemu-system-arm"))
             ((string-prefix? "x86_64-" system)
              (file-append qemu "/bin/qemu-system-x86_64"))
              (error "dunno!"))))
   "-net" "user" #$image)
Scheme Syntax: with-parameters ((parameter value) …) exp

This macro is similar to the parameterize form for dynamically-bound parameters (see Parameters in GNU Guile Reference Manual). The key difference is that it takes effect when the file-like object returned by exp is lowered to a derivation or store item.

A typical use of with-parameters is to force the system in effect for a given object:

(with-parameters ((%current-system "i686-linux"))

The example above returns an object that corresponds to the i686 build of Coreutils, regardless of the current value of %current-system.

Of course, in addition to gexps embedded in “host” code, there are also modules containing build tools. To make it clear that they are meant to be used in the build stratum, these modules are kept in the (guix build …) name space.

Internally, high-level objects are lowered, using their compiler, to either derivations or store items. For instance, lowering a package yields a derivation, and lowering a plain-file yields a store item. This is achieved using the lower-object monadic procedure.

Monadic Procedure: lower-object obj [system] [#:target #f]

Return as a value in %store-monad the derivation or store item corresponding to obj for system, cross-compiling for target if target is true. obj must be an object that has an associated gexp compiler, such as a <package>.

Previous: , Up: Programming Interface   [Contents][Index]

8.11 Invoking guix repl

The guix repl command makes it easier to program Guix in Guile by launching a Guile read-eval-print loop (REPL) for interactive programming (see Using Guile Interactively in GNU Guile Reference Manual), or by running Guile scripts (see Running Guile Scripts in GNU Guile Reference Manual). Compared to just launching the guile command, guix repl guarantees that all the Guix modules and all its dependencies are available in the search path.

The general syntax is:

guix repl options [file args]

When a file argument is provided, file is executed as a Guile scripts:

guix repl my-script.scm

To pass arguments to the script, use -- to prevent them from being interpreted as arguments to guix repl itself:

guix repl -- my-script.scm --input=foo.txt

To make a script executable directly from the shell, using the guix executable that is on the user’s search path, add the following two lines at the top of the script:

#!/usr/bin/env -S guix repl --

Without a file name argument, a Guile REPL is started:

$ guix repl
scheme@(guile-user)> ,use (gnu packages base)
scheme@(guile-user)> coreutils
$1 = #<package coreutils@8.29 gnu/packages/base.scm:327 3e28300>

In addition, guix repl implements a simple machine-readable REPL protocol for use by (guix inferior), a facility to interact with inferiors, separate processes running a potentially different revision of Guix.

The available options are as follows:

-t type

Start a REPL of the given TYPE, which can be one of the following:


This is default, and it spawns a standard full-featured Guile REPL.


Spawn a REPL that uses the machine-readable protocol. This is the protocol that the (guix inferior) module speaks.


By default, guix repl reads from standard input and writes to standard output. When this option is passed, it will instead listen for connections on endpoint. Here are examples of valid options:


Accept connections on localhost on port 37146.


Accept connections on the Unix-domain socket /tmp/socket.

-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the script or REPL.


Inhibit loading of the ~/.guile file. By default, that configuration file is loaded when spawning a guile REPL.

Next: , Previous: , Up: Top   [Contents][Index]

9 Utilities

This section describes Guix command-line utilities. Some of them are primarily targeted at developers and users who write new package definitions, while others are more generally useful. They complement the Scheme programming interface of Guix in a convenient way.

Next: , Up: Utilities   [Contents][Index]

9.1 Invoking guix build

The guix build command builds packages or derivations and their dependencies, and prints the resulting store paths. Note that it does not modify the user’s profile—this is the job of the guix package command (see Invoking guix package). Thus, it is mainly useful for distribution developers.

The general syntax is:

guix build options package-or-derivation

As an example, the following command builds the latest versions of Emacs and of Guile, displays their build logs, and finally displays the resulting directories:

guix build emacs guile

Similarly, the following command builds all the available packages:

guix build --quiet --keep-going \
  $(guix package -A | cut -f1,2 --output-delimiter=@)

package-or-derivation may be either the name of a package found in the software distribution such as coreutils or coreutils@8.20, or a derivation such as /gnu/store/…-coreutils-8.19.drv. In the former case, a package with the corresponding name (and optionally version) is searched for among the GNU distribution modules (see Package Modules).

Alternatively, the --expression option may be used to specify a Scheme expression that evaluates to a package; this is useful when disambiguating among several same-named packages or package variants is needed.

There may be zero or more options. The available options are described in the subsections below.

Next: , Up: Invoking guix build   [Contents][Index]

9.1.1 Common Build Options

A number of options that control the build process are common to guix build and other commands that can spawn builds, such as guix package or guix archive. These are the following:

-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.


Keep the build tree of failed builds. Thus, if a build fails, its build tree is kept under /tmp, in a directory whose name is shown at the end of the build log. This is useful when debugging build issues. See Debugging Build Failures, for tips and tricks on how to debug build issues.

This option implies --no-offload, and it has no effect when connecting to a remote daemon with a guix:// URI (see the GUIX_DAEMON_SOCKET variable).


Keep going when some of the derivations fail to build; return only once all the builds have either completed or failed.

The default behavior is to stop as soon as one of the specified derivations has failed.


Do not build the derivations.


When substituting a pre-built binary fails, fall back to building packages locally (see Substitution Failure).


Consider urls the whitespace-separated list of substitute source URLs, overriding the default list of URLs of guix-daemon (see guix-daemon URLs).

This means that substitutes may be downloaded from urls, provided they are signed by a key authorized by the system administrator (see Substitutes).

When urls is the empty string, substitutes are effectively disabled.


Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).


Do not “graft” packages. In practice, this means that package updates available as grafts are not applied. See Security Updates, for more information on grafts.


Build each derivation n times in a row, and raise an error if consecutive build results are not bit-for-bit identical.

This is a useful way to detect non-deterministic builds processes. Non-deterministic build processes are a problem because they make it practically impossible for users to verify whether third-party binaries are genuine. See Invoking guix challenge, for more.

When used in conjunction with --keep-failed, the differing output is kept in the store, under /gnu/store/…-check. This makes it easy to look for differences between the two results.


Do not use offload builds to other machines (see Daemon Offload Setup). That is, always build things locally instead of offloading builds to remote machines.


When the build or substitution process remains silent for more than seconds, terminate it and report a build failure.

By default, the daemon’s setting is honored (see --max-silent-time).


Likewise, when the build or substitution process lasts for more than seconds, terminate it and report a build failure.

By default, the daemon’s setting is honored (see --timeout).

-v level

Use the given verbosity level, an integer. Choosing 0 means that no output is produced, 1 is for quiet output; 2 is similar to 1 but it additionally displays download URLs; 3 shows all the build log output on standard error.

-c n

Allow the use of up to n CPU cores for the build. The special value 0 means to use as many CPU cores as available.

-M n

Allow at most n build jobs in parallel. See --max-jobs, for details about this option and the equivalent guix-daemon option.


Produce debugging output coming from the build daemon. level must be an integer between 0 and 5; higher means more verbose output. Setting a level of 4 or more may be helpful when debugging setup issues with the build daemon.

Behind the scenes, guix build is essentially an interface to the package-derivation procedure of the (guix packages) module, and to the build-derivations procedure of the (guix derivations) module.

In addition to options explicitly passed on the command line, guix build and other guix commands that support building honor the GUIX_BUILD_OPTIONS environment variable.

Environment Variable: GUIX_BUILD_OPTIONS

Users can define this variable to a list of command line options that will automatically be used by guix build and other guix commands that can perform builds, as in the example below:

$ export GUIX_BUILD_OPTIONS="--no-substitutes -c 2 -L /foo/bar"

These options are parsed independently, and the result is appended to the parsed command-line options.

Next: , Previous: , Up: Invoking guix build   [Contents][Index]

9.1.2 Package Transformation Options

Another set of command-line options supported by guix build and also guix package are package transformation options. These are options that make it possible to define package variants—for instance, packages built from different source code. This is a convenient way to create customized packages on the fly without having to type in the definitions of package variants (see Defining Packages).

Package transformation options are preserved across upgrades: guix upgrade attempts to apply transformation options initially used when creating the profile to the upgraded packages.

The available options are listed below. Most commands support them and also support a --help-transform option that lists all the available options and a synopsis (these options are not shown in the --help output for brevity).


Use source as the source of package, and version as its version number. source must be a file name or a URL, as for guix download (see Invoking guix download).

When package is omitted, it is taken to be the package name specified on the command line that matches the base of source—e.g., if source is /src/guile-2.0.10.tar.gz, the corresponding package is guile.

Likewise, when version is omitted, the version string is inferred from source; in the previous example, it is 2.0.10.

This option allows users to try out versions of packages other than the one provided by the distribution. The example below downloads ed-1.7.tar.gz from a GNU mirror and uses that as the source for the ed package:

guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz

As a developer, --with-source makes it easy to test release candidates:

guix build guile --with-source=../guile-

… or to build from a checkout in a pristine environment:

$ git clone git://
$ guix build guix --with-source=guix@1.0=./guix

Replace dependency on package by a dependency on replacement. package must be a package name, and replacement must be a package specification such as guile or guile@1.8.

For instance, the following command builds Guix, but replaces its dependency on the current stable version of Guile with a dependency on the legacy version of Guile, guile@2.0:

guix build --with-input=guile=guile@2.0 guix

This is a recursive, deep replacement. So in this example, both guix and its dependency guile-json (which also depends on guile) get rebuilt against guile@2.0.

This is implemented using the package-input-rewriting Scheme procedure (see package-input-rewriting).


This is similar to --with-input but with an important difference: instead of rebuilding the whole dependency chain, replacement is built and then grafted onto the binaries that were initially referring to package. See Security Updates, for more information on grafts.

For example, the command below grafts version 3.5.4 of GnuTLS onto Wget and all its dependencies, replacing references to the version of GnuTLS they currently refer to:

guix build --with-graft=gnutls=gnutls@3.5.4 wget

This has the advantage of being much faster than rebuilding everything. But there is a caveat: it works if and only if package and replacement are strictly compatible—for example, if they provide a library, the application binary interface (ABI) of those libraries must be compatible. If replacement is somehow incompatible with package, then the resulting package may be unusable. Use with care!


Build package in a way that preserves its debugging info and graft it onto packages that depend on it. This is useful if package does not already provide debugging info as a debug output (see Installing Debugging Files).

For example, suppose you’re experiencing a crash in Inkscape and would like to see what’s up in GLib, a library deep down in Inkscape’s dependency graph. GLib lacks a debug output, so debugging is tough. Fortunately, you rebuild GLib with debugging info and tack it on Inkscape:

guix install inkscape --with-debug-info=glib

Only GLib needs to be recompiled so this takes a reasonable amount of time. See Installing Debugging Files, for more info.

Note: Under the hood, this option works by passing the ‘#:strip-binaries? #f’ to the build system of the package of interest (see Build Systems). Most build systems support that option but some do not. In that case, an error is raised.

Likewise, if a C/C++ package is built without -g (which is rarely the case), debugging info will remain unavailable even when #:strip-binaries? is false.


This option changes the compilation of package and everything that depends on it so that they get built with toolchain instead of the default GNU tool chain for C/C++.

Consider this example:

guix build octave-cli \
  --with-c-toolchain=fftw=gcc-toolchain@10 \

The command above builds a variant of the fftw and fftwf packages using version 10 of gcc-toolchain instead of the default tool chain, and then builds a variant of the GNU Octave command-line interface using them. GNU Octave itself is also built with gcc-toolchain@10.

This other example builds the Hardware Locality (hwloc) library and its dependents up to intel-mpi-benchmarks with the Clang C compiler:

guix build --with-c-toolchain=hwloc=clang-toolchain \

Note: There can be application binary interface (ABI) incompatibilities among tool chains. This is particularly true of the C++ standard library and run-time support libraries such as that of OpenMP. By rebuilding all dependents with the same tool chain, --with-c-toolchain minimizes the risks of incompatibility but cannot entirely eliminate them. Choose package wisely.


Build package from the latest commit of the master branch of the Git repository at url. Git sub-modules of the repository are fetched, recursively.

For example, the following command builds the NumPy Python library against the latest commit of the master branch of Python itself:

guix build python-numpy \

This option can also be combined with --with-branch or --with-commit (see below).

Obviously, since it uses the latest commit of the given branch, the result of such a command varies over time. Nevertheless it is a convenient way to rebuild entire software stacks against the latest commit of one or more packages. This is particularly useful in the context of continuous integration (CI).

Checkouts are kept in a cache under ~/.cache/guix/checkouts to speed up consecutive accesses to the same repository. You may want to clean it up once in a while to save disk space.


Build package from the latest commit of branch. If the source field of package is an origin with the git-fetch method (see origin Reference) or a git-checkout object, the repository URL is taken from that source. Otherwise you have to use --with-git-url to specify the URL of the Git repository.

For instance, the following command builds guile-sqlite3 from the latest commit of its master branch, and then builds guix (which depends on it) and cuirass (which depends on guix) against this specific guile-sqlite3 build:

guix build --with-branch=guile-sqlite3=master cuirass

This is similar to --with-branch, except that it builds from commit rather than the tip of a branch. commit must be a valid Git commit SHA1 identifier or a tag.


Add file to the list of patches applied to package, where package is a spec such as python@3.8 or glibc. file must contain a patch; it is applied with the flags specified in the origin of package (see origin Reference), which by default includes -p1 (see patch Directories in Comparing and Merging Files).

As an example, the command below rebuilds Coreutils with the GNU C Library (glibc) patched with the given patch:

guix build coreutils --with-patch=glibc=./glibc-frob.patch

In this example, glibc itself as well as everything that leads to Coreutils in the dependency graph is rebuilt.


So you like living on the bleeding edge? This option is for you! It replaces occurrences of package in the dependency graph with its latest upstream version, as reported by guix refresh (see Invoking guix refresh).

It does so by determining the latest upstream release of package (if possible), downloading it, and authenticating it if it comes with an OpenPGP signature.

As an example, the command below builds Guix against the latest version of Guile-JSON:

guix build guix --with-latest=guile-json

There are limitations. First, in cases where the tool cannot or does not know how to authenticate source code, you are at risk of running malicious code; a warning is emitted in this case. Second, this option simply changes the source used in the existing package definitions, which is not always sufficient: there might be additional dependencies that need to be added, patches to apply, and more generally the quality assurance work that Guix developers normally do will be missing.

You’ve been warned! In all the other cases, it’s a snappy way to stay on top. We encourage you to submit patches updating the actual package definitions once you have successfully tested an upgrade (see Contributing).


Build package without running its tests. This can be useful in situations where you want to skip the lengthy test suite of a intermediate package, or if a package’s test suite fails in a non-deterministic fashion. It should be used with care because running the test suite is a good way to ensure a package is working as intended.

Turning off tests leads to a different store item. Consequently, when using this option, anything that depends on package must be rebuilt, as in this example:

guix install --without-tests=python python-notebook

The command above installs python-notebook on top of python built without running its test suite. To do so, it also rebuilds everything that depends on python, including python-notebook itself.

Internally, --without-tests relies on changing the #:tests? option of a package’s check phase (see Build Systems). Note that some packages use a customized check phase that does not respect a #:tests? #f setting. Therefore, --without-tests has no effect on these packages.

Wondering how to achieve the same effect using Scheme code, for example in your manifest, or how to write your own package transformation? See Defining Package Variants, for an overview of the programming interfaces available.

Next: , Previous: , Up: Invoking guix build   [Contents][Index]

9.1.3 Additional Build Options

The command-line options presented below are specific to guix build.


Build quietly, without displaying the build log; this is equivalent to --verbosity=0. Upon completion, the build log is kept in /var (or similar) and can always be retrieved using the --log-file option.

-f file

Build the package, derivation, or other file-like object that the code within file evaluates to (see file-like objects).

As an example, file might contain a package definition like this (see Defining Packages):

(use-modules (guix)
             (guix build-system gnu)
             (guix licenses))

  (name "hello")
  (version "2.10")
  (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/hello/hello-" version
  (build-system gnu-build-system)
  (synopsis "Hello, GNU world: An example GNU package")
  (description "Guess what GNU Hello prints!")
  (home-page "")
  (license gpl3+))

The file may also contain a JSON representation of one or more package definitions. Running guix build -f on hello.json with the following contents would result in building the packages myhello and greeter:

    "name": "myhello",
    "version": "2.10",
    "source": "mirror://gnu/hello/hello-2.10.tar.gz",
    "build-system": "gnu",
    "arguments": {
      "tests?": false
    "home-page": "",
    "synopsis": "Hello, GNU world: An example GNU package",
    "description": "GNU Hello prints a greeting.",
    "license": "GPL-3.0+",
    "native-inputs": ["gettext"]
    "name": "greeter",
    "version": "1.0",
    "source": "",
    "build-system": "gnu",
    "arguments": {
      "test-target": "foo",
      "parallel-build?": false,
    "home-page": "",
    "synopsis": "Greeter using GNU Hello",
    "description": "This is a wrapper around GNU Hello.",
    "license": "GPL-3.0+",
    "inputs": ["myhello", "hello"]
-m manifest

Build all packages listed in the given manifest (see --manifest).

-e expr

Build the package or derivation expr evaluates to.

For example, expr may be (@ (gnu packages guile) guile-1.8), which unambiguously designates this specific variant of version 1.8 of Guile.

Alternatively, expr may be a G-expression, in which case it is used as a build program passed to gexp->derivation (see G-Expressions).

Lastly, expr may refer to a zero-argument monadic procedure (see The Store Monad). The procedure must return a derivation as a monadic value, which is then passed through run-with-store.


Build the source derivations of the packages, rather than the packages themselves.

For instance, guix build -S gcc returns something like /gnu/store/…-gcc-4.7.2.tar.bz2, which is the GCC source tarball.

The returned source tarball is the result of applying any patches and code snippets specified in the package origin (see Defining Packages).

As with other derivations, the result of building a source derivation can be verified using the --check option (see build-check). This is useful to validate that a (potentially already built or substituted, thus cached) package source matches against its declared hash.

Note that guix build -S compiles the sources only of the specified packages. They do not include the sources of statically linked dependencies and by themselves are insufficient for reproducing the packages.


Fetch and return the source of package-or-derivation and all their dependencies, recursively. This is a handy way to obtain a local copy of all the source code needed to build packages, allowing you to eventually build them even without network access. It is an extension of the --source option and can accept one of the following optional argument values:


This value causes the --sources option to behave in the same way as the --source option.


Build the source derivations of all packages, including any source that might be listed as inputs. This is the default value.

$ guix build --sources tzdata
The following derivations will be built:

Build the source derivations of all packages, as well of all transitive inputs to the packages. This can be used e.g. to prefetch package source for later offline building.

$ guix build --sources=transitive tzdata
The following derivations will be built:
-s system

Attempt to build for system—e.g., i686-linux—instead of the system type of the build host. The guix build command allows you to repeat this option several times, in which case it builds for all the specified systems; other commands ignore extraneous -s options.

Note: The --system flag is for native compilation and must not be confused with cross-compilation. See --target below for information on cross-compilation.

An example use of this is on Linux-based systems, which can emulate different personalities. For instance, passing --system=i686-linux on an x86_64-linux system or --system=armhf-linux on an aarch64-linux system allows you to build packages in a complete 32-bit environment.

Note: Building for an armhf-linux system is unconditionally enabled on aarch64-linux machines, although certain aarch64 chipsets do not allow for this functionality, notably the ThunderX.

Similarly, when transparent emulation with QEMU and binfmt_misc is enabled (see qemu-binfmt-service-type), you can build for any system for which a QEMU binfmt_misc handler is installed.

Builds for a system other than that of the machine you are using can also be offloaded to a remote machine of the right architecture. See Daemon Offload Setup, for more information on offloading.


Cross-build for triplet, which must be a valid GNU triplet, such as "aarch64-linux-gnu" (see GNU configuration triplets in Autoconf).


Rebuild package-or-derivation, which are already available in the store, and raise an error if the build results are not bit-for-bit identical.

This mechanism allows you to check whether previously installed substitutes are genuine (see Substitutes), or whether the build result of a package is deterministic. See Invoking guix challenge, for more background information and tools.

When used in conjunction with --keep-failed, the differing output is kept in the store, under /gnu/store/…-check. This makes it easy to look for differences between the two results.


Attempt to repair the specified store items, if they are corrupt, by re-downloading or rebuilding them.

This operation is not atomic and thus restricted to root.


Return the derivation paths, not the output paths, of the given packages.

-r file

Make file a symlink to the result, and register it as a garbage collector root.

Consequently, the results of this guix build invocation are protected from garbage collection until file is removed. When that option is omitted, build results are eligible for garbage collection as soon as the build completes. See Invoking guix gc, for more on GC roots.


Return the build log file names or URLs for the given package-or-derivation, or raise an error if build logs are missing.

This works regardless of how packages or derivations are specified. For instance, the following invocations are equivalent:

guix build --log-file $(guix build -d guile)
guix build --log-file $(guix build guile)
guix build --log-file guile
guix build --log-file -e '(@ (gnu packages guile) guile-2.0)'

If a log is unavailable locally, and unless --no-substitutes is passed, the command looks for a corresponding log on one of the substitute servers (as specified with --substitute-urls).

So for instance, imagine you want to see the build log of GDB on MIPS, but you are actually on an x86_64 machine:

$ guix build --log-file gdb -s aarch64-linux…-gdb-7.10

You can freely access a huge library of build logs!

Previous: , Up: Invoking guix build   [Contents][Index]

9.1.4 Debugging Build Failures

When defining a new package (see Defining Packages), you will probably find yourself spending some time debugging and tweaking the build until it succeeds. To do that, you need to operate the build commands yourself in an environment as close as possible to the one the build daemon uses.

To that end, the first thing to do is to use the --keep-failed or -K option of guix build, which will keep the failed build tree in /tmp or whatever directory you specified as TMPDIR (see --keep-failed).

From there on, you can cd to the failed build tree and source the environment-variables file, which contains all the environment variable definitions that were in place when the build failed. So let’s say you’re debugging a build failure in package foo; a typical session would look like this:

$ guix build foo -K
… build fails
$ cd /tmp/guix-build-foo.drv-0
$ source ./environment-variables
$ cd foo-1.2

Now, you can invoke commands as if you were the daemon (almost) and troubleshoot your build process.

Sometimes it happens that, for example, a package’s tests pass when you run them manually but they fail when the daemon runs them. This can happen because the daemon runs builds in containers where, unlike in our environment above, network access is missing, /bin/sh does not exist, etc. (see Build Environment Setup).

In such cases, you may need to run inspect the build process from within a container similar to the one the build daemon creates:

$ guix build -K foo
$ cd /tmp/guix-build-foo.drv-0
$ guix environment --no-grafts -C foo --ad-hoc strace gdb
[env]# source ./environment-variables
[env]# cd foo-1.2

Here, guix environment -C creates a container and spawns a new shell in it (see Invoking guix environment). The --ad-hoc strace gdb part adds the strace and gdb commands to the container, which you may find handy while debugging. The --no-grafts option makes sure we get the exact same environment, with ungrafted packages (see Security Updates, for more info on grafts).

To get closer to a container like that used by the build daemon, we can remove /bin/sh:

[env]# rm /bin/sh

(Don’t worry, this is harmless: this is all happening in the throw-away container created by guix environment.)

The strace command is probably not in the search path, but we can run:

[env]# $GUIX_ENVIRONMENT/bin/strace -f -o log make check

In this way, not only you will have reproduced the environment variables the daemon uses, you will also be running the build process in a container similar to the one the daemon uses.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.2 Invoking guix edit

So many packages, so many source files! The guix edit command facilitates the life of users and packagers by pointing their editor at the source file containing the definition of the specified packages. For instance:

guix edit gcc@4.9 vim

launches the program specified in the VISUAL or in the EDITOR environment variable to view the recipe of GCC 4.9.3 and that of Vim.

If you are using a Guix Git checkout (see Building from Git), or have created your own packages on GUIX_PACKAGE_PATH (see Package Modules), you will be able to edit the package recipes. In other cases, you will be able to examine the read-only recipes for packages currently in the store.

Instead of GUIX_PACKAGE_PATH, the command-line option --load-path=directory (or in short -L directory) allows you to add directory to the front of the package module search path and so make your own packages visible.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.3 Invoking guix download

When writing a package definition, developers typically need to download a source tarball, compute its SHA256 hash, and write that hash in the package definition (see Defining Packages). The guix download tool helps with this task: it downloads a file from the given URI, adds it to the store, and prints both its file name in the store and its SHA256 hash.

The fact that the downloaded file is added to the store saves bandwidth: when the developer eventually tries to build the newly defined package with guix build, the source tarball will not have to be downloaded again because it is already in the store. It is also a convenient way to temporarily stash files, which may be deleted eventually (see Invoking guix gc).

The guix download command supports the same URIs as used in package definitions. In particular, it supports mirror:// URIs. https URIs (HTTP over TLS) are supported provided the Guile bindings for GnuTLS are available in the user’s environment; when they are not available, an error is raised. See how to install the GnuTLS bindings for Guile in GnuTLS-Guile, for more information.

guix download verifies HTTPS server certificates by loading the certificates of X.509 authorities from the directory pointed to by the SSL_CERT_DIR environment variable (see X.509 Certificates), unless --no-check-certificate is used.

The following options are available:

-H algorithm

Compute a hash using the specified algorithm. See Invoking guix hash, for more information.

-f fmt

Write the hash in the format specified by fmt. For more information on the valid values for fmt, see Invoking guix hash.


Do not validate the X.509 certificates of HTTPS servers.

When using this option, you have absolutely no guarantee that you are communicating with the authentic server responsible for the given URL, which makes you vulnerable to “man-in-the-middle” attacks.

-o file

Save the downloaded file to file instead of adding it to the store.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.4 Invoking guix hash

The guix hash command computes the hash of a file. It is primarily a convenience tool for anyone contributing to the distribution: it computes the cryptographic hash of a file, which can be used in the definition of a package (see Defining Packages).

The general syntax is:

guix hash option file

When file is - (a hyphen), guix hash computes the hash of data read from standard input. guix hash has the following options:

-H algorithm

Compute a hash using the specified algorithm, sha256 by default.

algorithm must the name of a cryptographic hash algorithm supported by Libgcrypt via Guile-Gcrypt—e.g., sha512 or sha3-256 (see Hash Functions in Guile-Gcrypt Reference Manual).

-f fmt

Write the hash in the format specified by fmt.

Supported formats: base64, nix-base32, base32, base16 (hex and hexadecimal can be used as well).

If the --format option is not specified, guix hash will output the hash in nix-base32. This representation is used in the definitions of packages.


Compute the hash on file recursively.

In this case, the hash is computed on an archive containing file, including its children if it is a directory. Some of the metadata of file is part of the archive; for instance, when file is a regular file, the hash is different depending on whether file is executable or not. Metadata such as time stamps has no impact on the hash (see Invoking guix archive).


When combined with --recursive, exclude version control system directories (.bzr, .git, .hg, etc.).

As an example, here is how you would compute the hash of a Git checkout, which is useful when using the git-fetch method (see origin Reference):

$ git clone
$ cd foo
$ guix hash -rx .

Next: , Previous: , Up: Utilities   [Contents][Index]

9.5 Invoking guix import

The guix import command is useful for people who would like to add a package to the distribution with as little work as possible—a legitimate demand. The command knows of a few repositories from which it can “import” package metadata. The result is a package definition, or a template thereof, in the format we know (see Defining Packages).

The general syntax is:

guix import importer options

importer specifies the source from which to import package metadata, and options specifies a package identifier and other options specific to importer.

Some of the importers rely on the ability to run the gpgv command. For these, GnuPG must be installed and in $PATH; run guix install gnupg if needed.

Currently, the available “importers” are:


Import metadata for the given GNU package. This provides a template for the latest version of that GNU package, including the hash of its source tarball, and its canonical synopsis and description.

Additional information such as the package dependencies and its license needs to be figured out manually.

For example, the following command returns a package definition for GNU Hello:

guix import gnu hello

Specific command-line options are:


As for guix refresh, specify the policy to handle missing OpenPGP keys when verifying the package signature. See --key-download.


Import metadata from the Python Package Index. Information is taken from the JSON-formatted description available at and usually includes all the relevant information, including package dependencies. For maximum efficiency, it is recommended to install the unzip utility, so that the importer can unzip Python wheels and gather data from them.

The command below imports metadata for the itsdangerous Python package:

guix import pypi itsdangerous

Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


Import metadata from RubyGems. Information is taken from the JSON-formatted description available at and includes most relevant information, including runtime dependencies. There are some caveats, however. The metadata doesn’t distinguish between synopses and descriptions, so the same string is used for both fields. Additionally, the details of non-Ruby dependencies required to build native extensions is unavailable and left as an exercise to the packager.

The command below imports metadata for the rails Ruby package:

guix import gem rails

Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


Import metadata from MetaCPAN. Information is taken from the JSON-formatted metadata provided through MetaCPAN’s API and includes most relevant information, such as module dependencies. License information should be checked closely. If Perl is available in the store, then the corelist utility will be used to filter core modules out of the list of dependencies.

The command command below imports metadata for the Acme::Boolean Perl module:

guix import cpan Acme::Boolean

Import metadata from CRAN, the central repository for the GNU R statistical and graphical environment.

Information is extracted from the DESCRIPTION file of the package.

The command command below imports metadata for the Cairo R package:

guix import cran Cairo

When --recursive is added, the importer will traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.

When --style=specification is added, the importer will generate package definitions whose inputs are package specifications instead of references to package variables. This is useful when generated package definitions are to be appended to existing user modules, as the list of used package modules need not be changed. The default is --style=variable.

When --archive=bioconductor is added, metadata is imported from Bioconductor, a repository of R packages for the analysis and comprehension of high-throughput genomic data in bioinformatics.

Information is extracted from the DESCRIPTION file contained in the package archive.

The command below imports metadata for the GenomicRanges R package:

guix import cran --archive=bioconductor GenomicRanges

Finally, you can also import R packages that have not yet been published on CRAN or Bioconductor as long as they are in a git repository. Use --archive=git followed by the URL of the git repository:

guix import cran --archive=git

Import metadata from CTAN, the comprehensive TeX archive network for TeX packages that are part of the TeX Live distribution.

Information about the package is obtained through the XML API provided by CTAN, while the source code is downloaded from the SVN repository of the Tex Live project. This is done because the CTAN does not keep versioned archives.

The command command below imports metadata for the fontspec TeX package:

guix import texlive fontspec

When --archive=directory is added, the source code is downloaded not from the latex sub-directory of the texmf-dist/source tree in the TeX Live SVN repository, but from the specified sibling directory under the same root.

The command below imports metadata for the ifxetex package from CTAN while fetching the sources from the directory texmf/source/generic:

guix import texlive --archive=generic ifxetex

Import package metadata from a local JSON file. Consider the following example package definition in JSON format:

  "name": "hello",
  "version": "2.10",
  "source": "mirror://gnu/hello/hello-2.10.tar.gz",
  "build-system": "gnu",
  "home-page": "",
  "synopsis": "Hello, GNU world: An example GNU package",
  "description": "GNU Hello prints a greeting.",
  "license": "GPL-3.0+",
  "native-inputs": ["gettext"]

The field names are the same as for the <package> record (See Defining Packages). References to other packages are provided as JSON lists of quoted package specification strings such as guile or guile@2.0.

The importer also supports a more explicit source definition using the common fields for <origin> records:

  "source": {
    "method": "url-fetch",
    "uri": "mirror://gnu/hello/hello-2.10.tar.gz",
    "sha256": {
      "base32": "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"

The command below reads metadata from the JSON file hello.json and outputs a package expression:

guix import json hello.json

Import metadata from the Haskell community’s central package archive Hackage. Information is taken from Cabal files and includes all the relevant information, including package dependencies.

Specific command-line options are:


Read a Cabal file from standard input.


Do not include dependencies required only by the test suites.

-e alist

alist is a Scheme alist defining the environment in which the Cabal conditionals are evaluated. The accepted keys are: os, arch, impl and a string representing the name of a flag. The value associated with a flag has to be either the symbol true or false. The value associated with other keys has to conform to the Cabal file format definition. The default value associated with the keys os, arch and impl is ‘linux’, ‘x86_64’ and ‘ghc’, respectively.


Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.

The command below imports metadata for the latest version of the HTTP Haskell package without including test dependencies and specifying the value of the flag ‘network-uri’ as false:

guix import hackage -t -e "'((\"network-uri\" . false))" HTTP

A specific package version may optionally be specified by following the package name by an at-sign and a version number as in the following example:

guix import hackage mtl@

The stackage importer is a wrapper around the hackage one. It takes a package name, looks up the package version included in a long-term support (LTS) Stackage release and uses the hackage importer to retrieve its metadata. Note that it is up to you to select an LTS release compatible with the GHC compiler used by Guix.

Specific command-line options are:


Do not include dependencies required only by the test suites.

-l version

version is the desired LTS release version. If omitted the latest release is used.


Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.

The command below imports metadata for the HTTP Haskell package included in the LTS Stackage release version 7.18:

guix import stackage --lts-version=7.18 HTTP

Import metadata from an Emacs Lisp Package Archive (ELPA) package repository (see Packages in The GNU Emacs Manual).

Specific command-line options are:

-a repo

repo identifies the archive repository from which to retrieve the information. Currently the supported repositories and their identifiers are:

  • - GNU, selected by the gnu identifier. This is the default.

    Packages from are signed with one of the keys contained in the GnuPG keyring at share/emacs/25.1/etc/package-keyring.gpg (or similar) in the emacs package (see ELPA package signatures in The GNU Emacs Manual).

  • - MELPA-Stable, selected by the melpa-stable identifier.
  • - MELPA, selected by the melpa identifier.

Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


Import metadata from the Rust package repository, as in this example:

guix import crate blake2-rfc

The crate importer also allows you to specify a version string:

guix import crate constant-time-eq@0.1.0

Additional options include:


Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


Import metadata from the OPAM package repository used by the OCaml community.

Additional options include:


Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


Select the given repository (a repository name). Possible values include:

  • opam, the default opam repository,
  • coq or coq-released, the stable repository for coq packages,
  • coq-core-dev, the repository that contains development versions of coq,
  • coq-extra-dev, the repository that contains development versions of coq packages.

Import metadata for a Go module using

guix import go

It is possible to use a package specification with a @VERSION suffix to import a specific version.

Additional options include:


Traverse the dependency graph of the given upstream package recursively and generate package expressions for all those packages that are not yet in Guix.


When using this option, the importer preserves the exact versions of the Go modules dependencies instead of using their latest available versions. This can be useful when attempting to import packages that recursively depend on former versions of themselves to build. When using this mode, the symbol of the package is made by appending the version to its name, so that multiple versions of the same package can coexist.

The structure of the guix import code is modular. It would be useful to have more importers for other package formats, and your help is welcome here (see Contributing).

Next: , Previous: , Up: Utilities   [Contents][Index]

9.6 Invoking guix refresh

The primary audience of the guix refresh command is packagers. As a user, you may be interested in the --with-latest option, which can bring you package update superpowers built upon guix refresh (see --with-latest). By default, guix refresh reports any packages provided by the distribution that are outdated compared to the latest upstream version, like this:

$ guix refresh
gnu/packages/gettext.scm:29:13: gettext would be upgraded from to
gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0

Alternatively, one can specify packages to consider, in which case a warning is emitted for packages that lack an updater:

$ guix refresh coreutils guile guile-ssh
gnu/packages/ssh.scm:205:2: warning: no updater for guile-ssh
gnu/packages/guile.scm:136:12: guile would be upgraded from 2.0.12 to 2.0.13

guix refresh browses the upstream repository of each package and determines the highest version number of the releases therein. The command knows how to update specific types of packages: GNU packages, ELPA packages, etc.—see the documentation for --type below. There are many packages, though, for which it lacks a method to determine whether a new upstream release is available. However, the mechanism is extensible, so feel free to get in touch with us to add a new method!


Consider the packages specified, and all the packages upon which they depend.

$ guix refresh --recursive coreutils
gnu/packages/acl.scm:40:13: acl would be upgraded from 2.2.53 to 2.3.1
gnu/packages/m4.scm:30:12: 1.4.18 is already the latest version of m4
gnu/packages/xml.scm:68:2: warning: no updater for expat
gnu/packages/multiprecision.scm:40:12: 6.1.2 is already the latest version of gmp

Sometimes the upstream name differs from the package name used in Guix, and guix refresh needs a little help. Most updaters honor the upstream-name property in package definitions, which can be used to that effect:

(define-public network-manager
    (name "network-manager")
    ;; …
    (properties '((upstream-name . "NetworkManager")))))

When passed --update, it modifies distribution source files to update the version numbers and source tarball hashes of those package recipes (see Defining Packages). This is achieved by downloading each package’s latest source tarball and its associated OpenPGP signature, authenticating the downloaded tarball against its signature using gpgv, and finally computing its hash—note that GnuPG must be installed and in $PATH; run guix install gnupg if needed.

When the public key used to sign the tarball is missing from the user’s keyring, an attempt is made to automatically retrieve it from a public key server; when this is successful, the key is added to the user’s keyring; otherwise, guix refresh reports an error.

The following options are supported:

-e expr

Consider the package expr evaluates to.

This is useful to precisely refer to a package, as in this example:

guix refresh -l -e '(@@ (gnu packages commencement) glibc-final)'

This command lists the dependents of the “final” libc (essentially all the packages).


Update distribution source files (package recipes) in place. This is usually run from a checkout of the Guix source tree (see Running Guix Before It Is Installed):

$ ./pre-inst-env guix refresh -s non-core -u

See Defining Packages, for more information on package definitions.

-s subset

Select all the packages in subset, one of core or non-core.

The core subset refers to all the packages at the core of the distribution—i.e., packages that are used to build “everything else”. This includes GCC, libc, Binutils, Bash, etc. Usually, changing one of these packages in the distribution entails a rebuild of all the others. Thus, such updates are an inconvenience to users in terms of build time or bandwidth used to achieve the upgrade.

The non-core subset refers to the remaining packages. It is typically useful in cases where an update of the core packages would be inconvenient.

-m file

Select all the packages from the manifest in file. This is useful to check if any packages of the user manifest can be updated.

-t updater

Select only packages handled by updater (may be a comma-separated list of updaters). Currently, updater may be one of:


the updater for GNU packages;


the updater for packages hosted at Savannah;


the updater for packages hosted at SourceForge;


the updater for GNOME packages;


the updater for KDE packages;


the updater for packages;

the updater for packages hosted on;


the updater for ELPA packages;


the updater for CRAN packages;


the updater for Bioconductor R packages;


the updater for CPAN packages;


the updater for PyPI packages.


the updater for RubyGems packages.


the updater for GitHub packages.


the updater for Hackage packages.


the updater for Stackage packages.


the updater for Crates packages.


the updater for Launchpad packages.


a generic updater that crawls the HTML page where the source tarball of the package is hosted, when applicable.

For instance, the following command only checks for updates of Emacs packages hosted at and for updates of CRAN packages:

$ guix refresh --type=elpa,cran
gnu/packages/statistics.scm:819:13: r-testthat would be upgraded from 0.10.0 to 0.11.0
gnu/packages/emacs.scm:856:13: emacs-auctex would be upgraded from 11.88.6 to 11.88.9

List available updaters and exit (see --type above).

For each updater, display the fraction of packages it covers; at the end, display the fraction of packages covered by all these updaters.

In addition, guix refresh can be passed one or more package names, as in this example:

$ ./pre-inst-env guix refresh -u emacs idutils gcc@4.8

The command above specifically updates the emacs and idutils packages. The --select option would have no effect in this case. You might also want to update definitions that correspond to the packages installed in your profile:

$ ./pre-inst-env guix refresh -u \
       $(guix package --list-installed | cut -f1)

When considering whether to upgrade a package, it is sometimes convenient to know which packages would be affected by the upgrade and should be checked for compatibility. For this the following option may be used when passing guix refresh one or more package names:


List top-level dependent packages that would need to be rebuilt as a result of upgrading one or more packages.

See the reverse-package type of guix graph, for information on how to visualize the list of dependents of a package.

Be aware that the --list-dependent option only approximates the rebuilds that would be required as a result of an upgrade. More rebuilds might be required under some circumstances.

$ guix refresh --list-dependent flex
Building the following 120 packages would ensure 213 dependent packages are rebuilt:
hop@2.4.0 geiser@0.4 notmuch@0.18 mu@ cflow@1.4 idutils@4.6 …

The command above lists a set of packages that could be built to check for compatibility with an upgraded flex package.


List all the packages which one or more packages depend upon.

$ guix refresh --list-transitive flex
flex@2.6.4 depends on the following 25 packages: perl@5.28.0 help2man@1.47.6
bison@3.0.5 indent@2.2.10 tar@1.30 gzip@1.9 bzip2@1.0.6 xz@5.2.4 file@5.33 …

The command above lists a set of packages which, when changed, would cause flex to be rebuilt.

The following options can be used to customize GnuPG operation:


Use command as the GnuPG 2.x command. command is searched for in $PATH.


Use file as the keyring for upstream keys. file must be in the keybox format. Keybox files usually have a name ending in .kbx and the GNU Privacy Guard (GPG) can manipulate these files (see kbxutil in Using the GNU Privacy Guard, for information on a tool to manipulate keybox files).

When this option is omitted, guix refresh uses ~/.config/guix/upstream/trustedkeys.kbx as the keyring for upstream signing keys. OpenPGP signatures are checked against keys from this keyring; missing keys are downloaded to this keyring as well (see --key-download below).

You can export keys from your default GPG keyring into a keybox file using commands like this one:

gpg --export | kbxutil --import-openpgp >> mykeyring.kbx

Likewise, you can fetch keys to a specific keybox file like this:

gpg --no-default-keyring --keyring mykeyring.kbx \
  --recv-keys 27D586A4F8900854329FF09F1260E46482E63562

See --keyring in Using the GNU Privacy Guard, for more information on GPG’s --keyring option.


Handle missing OpenPGP keys according to policy, which may be one of:


Always download missing OpenPGP keys from the key server, and add them to the user’s GnuPG keyring.


Never try to download missing OpenPGP keys. Instead just bail out.


When a package signed with an unknown OpenPGP key is encountered, ask the user whether to download it or not. This is the default behavior.


Use host as the OpenPGP key server when importing a public key.


Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.

The github updater uses the GitHub API to query for new releases. When used repeatedly e.g. when refreshing all packages, GitHub will eventually refuse to answer any further API requests. By default 60 API requests per hour are allowed, and a full refresh on all GitHub packages in Guix requires more than this. Authentication with GitHub through the use of an API token alleviates these limits. To use an API token, set the environment variable GUIX_GITHUB_TOKEN to a token procured from or otherwise.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.7 Invoking guix lint

The guix lint command is meant to help package developers avoid common errors and use a consistent style. It runs a number of checks on a given set of packages in order to find common mistakes in their definitions. Available checkers include (see --list-checkers for a complete list):


Validate certain typographical and stylistic rules about package descriptions and synopses.


Identify inputs that should most likely be native inputs.


Probe home-page and source URLs and report those that are invalid. Suggest a mirror:// URL when applicable. If the source URL redirects to a GitHub URL, recommend usage of the GitHub URL. Check that the source file name is meaningful, e.g. is not just a version number or “git-checkout”, without a declared file-name (see origin Reference).


Parse the source URL to determine if a tarball from GitHub is autogenerated or if it is a release tarball. Unfortunately GitHub’s autogenerated tarballs are sometimes regenerated.


Check that the derivation of the given packages can be successfully computed for all the supported systems (see Derivations).


Check whether installing the given packages in a profile would lead to collisions. Collisions occur when several packages with the same name but a different version or a different store file name are propagated. See propagated-inputs, for more information on propagated inputs.


Checks whether the package’s source code is archived at Software Heritage.

When the source code that is not archived comes from a version-control system (VCS)—e.g., it’s obtained with git-fetch, send Software Heritage a “save” request so that it eventually archives it. This ensures that the source will remain available in the long term, and that Guix can fall back to Software Heritage should the source code disappear from its original host. The status of recent “save” requests can be viewed on-line.

When source code is a tarball obtained with url-fetch, simply print a message when it is not archived. As of this writing, Software Heritage does not allow requests to save arbitrary tarballs; we are working on ways to ensure that non-VCS source code is also archived.

Software Heritage limits the request rate per IP address. When the limit is reached, guix lint prints a message and the archival checker stops doing anything until that limit has been reset.


Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year published by the US NIST.

To view information about a particular vulnerability, visit pages such as:

where CVE-YYYY-ABCD is the CVE identifier—e.g., CVE-2015-7554.

Package developers can specify in package recipes the Common Platform Enumeration (CPE) name and version of the package when they differ from the name or version that Guix uses, as in this example:

  (name "grub")
  ;; …
  ;; CPE calls this package "grub2".
  (properties '((cpe-name . "grub2")
                (cpe-version . "2.3"))))

Some entries in the CVE database do not specify which version of a package they apply to, and would thus “stick around” forever. Package developers who found CVE alerts and verified they can be ignored can declare them as in this example:

  (name "t1lib")
  ;; …
  ;; These CVEs no longer apply and can be safely ignored.
  (properties `((lint-hidden-cve . ("CVE-2011-0433"

Warn about obvious source code formatting issues: trailing white space, use of tabulations, etc.

The general syntax is:

guix lint options package

If no package is given on the command line, then all packages are checked. The options may be zero or more of the following:


List and describe all the available checkers that will be run on packages and exit.


Only enable the checkers specified in a comma-separated list using the names returned by --list-checkers.


Only disable the checkers specified in a comma-separated list using the names returned by --list-checkers.


Only enable the checkers that do not depend on Internet access.

-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.8 Invoking guix size

The guix size command helps package developers profile the disk usage of packages. It is easy to overlook the impact of an additional dependency added to a package, or the impact of using a single output for a package that could easily be split (see Packages with Multiple Outputs). Such are the typical issues that guix size can highlight.

The command can be passed one or more package specifications such as gcc@4.8 or guile:debug, or a file name in the store. Consider this example:

$ guix size coreutils
store item                               total    self
/gnu/store/…-gcc-5.5.0-lib           60.4    30.1  38.1%
/gnu/store/…-glibc-2.27              30.3    28.8  36.6%
/gnu/store/…-coreutils-8.28          78.9    15.0  19.0%
/gnu/store/…-gmp-6.1.2               63.1     2.7   3.4%
/gnu/store/…-bash-static-4.4.12       1.5     1.5   1.9%
/gnu/store/…-acl-2.2.52              61.1     0.4   0.5%
/gnu/store/…-attr-2.4.47             60.6     0.2   0.3%
/gnu/store/…-libcap-2.25             60.5     0.2   0.2%
total: 78.9 MiB

The store items listed here constitute the transitive closure of Coreutils—i.e., Coreutils and all its dependencies, recursively—as would be returned by:

$ guix gc -R /gnu/store/…-coreutils-8.23

Here the output shows three columns next to store items. The first column, labeled “total”, shows the size in mebibytes (MiB) of the closure of the store item—that is, its own size plus the size of all its dependencies. The next column, labeled “self”, shows the size of the item itself. The last column shows the ratio of the size of the item itself to the space occupied by all the items listed here.

In this example, we see that the closure of Coreutils weighs in at 79 MiB, most of which is taken by libc and GCC’s run-time support libraries. (That libc and GCC’s libraries represent a large fraction of the closure is not a problem per se because they are always available on the system anyway.)

Since the command also accepts store file names, assessing the size of a build result is straightforward:

guix size $(guix system build config.scm)

When the package(s) passed to guix size are available in the store19, guix size queries the daemon to determine its dependencies, and measures its size in the store, similar to du -ms --apparent-size (see du invocation in GNU Coreutils).

When the given packages are not in the store, guix size reports information based on the available substitutes (see Substitutes). This makes it possible it to profile disk usage of store items that are not even on disk, only available remotely.

You can also specify several package names:

$ guix size coreutils grep sed bash
store item                               total    self
/gnu/store/…-coreutils-8.24          77.8    13.8  13.4%
/gnu/store/…-grep-2.22               73.1     0.8   0.8%
/gnu/store/…-bash-4.3.42             72.3     4.7   4.6%
/gnu/store/…-readline-6.3            67.6     1.2   1.2%
total: 102.3 MiB

In this example we see that the combination of the four packages takes 102.3 MiB in total, which is much less than the sum of each closure since they have a lot of dependencies in common.

When looking at the profile returned by guix size, you may find yourself wondering why a given package shows up in the profile at all. To understand it, you can use guix graph --path -t references to display the shortest path between the two packages (see Invoking guix graph).

The available options are:


Use substitute information from urls. See the same option for guix build.


Sort lines according to key, one of the following options:


the size of each item (the default);


the total size of the item’s closure.


Write a graphical map of disk usage in PNG format to file.

For the example above, the map looks like this:

map of Coreutils disk usage
produced by guix size

This option requires that Guile-Charting be installed and visible in Guile’s module search path. When that is not the case, guix size fails as it tries to load it.

-s system

Consider packages for system—e.g., x86_64-linux.

-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.9 Invoking guix graph

Packages and their dependencies form a graph, specifically a directed acyclic graph (DAG). It can quickly become difficult to have a mental model of the package DAG, so the guix graph command provides a visual representation of the DAG. By default, guix graph emits a DAG representation in the input format of Graphviz, so its output can be passed directly to the dot command of Graphviz. It can also emit an HTML page with embedded JavaScript code to display a “chord diagram” in a Web browser, using the d3.js library, or emit Cypher queries to construct a graph in a graph database supporting the openCypher query language. With --path, it simply displays the shortest path between two packages. The general syntax is:

guix graph options package

For example, the following command generates a PDF file representing the package DAG for the GNU Core Utilities, showing its build-time dependencies:

guix graph coreutils | dot -Tpdf > dag.pdf

The output looks like this:

Dependency graph of the GNU Coreutils

Nice little graph, no?

You may find it more pleasant to navigate the graph interactively with xdot (from the xdot package):

guix graph coreutils | xdot -

But there is more than one graph! The one above is concise: it is the graph of package objects, omitting implicit inputs such as GCC, libc, grep, etc. It is often useful to have such a concise graph, but sometimes one may want to see more details. guix graph supports several types of graphs, allowing you to choose the level of detail:


This is the default type used in the example above. It shows the DAG of package objects, excluding implicit dependencies. It is concise, but filters out many details.


This shows the reverse DAG of packages. For example:

guix graph --type=reverse-package ocaml

... yields the graph of packages that explicitly depend on OCaml (if you are also interested in cases where OCaml is an implicit dependency, see reverse-bag below).

Note that for core packages this can yield huge graphs. If all you want is to know the number of packages that depend on a given package, use guix refresh --list-dependent (see --list-dependent).


This is the package DAG, including implicit inputs.

For instance, the following command:

guix graph --type=bag-emerged coreutils

... yields this bigger graph:

Detailed dependency graph of the GNU Coreutils

At the bottom of the graph, we see all the implicit inputs of gnu-build-system (see gnu-build-system).

Now, note that the dependencies of these implicit inputs—that is, the bootstrap dependencies (see Bootstrapping)—are not shown here, for conciseness.


Similar to bag-emerged, but this time including all the bootstrap dependencies.


Similar to bag, but also showing origins and their dependencies.


This shows the reverse DAG of packages. Unlike reverse-package, it also takes implicit dependencies into account. For example:

guix graph -t reverse-bag dune

... yields the graph of all packages that depend on Dune, directly or indirectly. Since Dune is an implicit dependency of many packages via dune-build-system, this shows a large number of packages, whereas reverse-package would show very few if any.


This is the most detailed representation: It shows the DAG of derivations (see Derivations) and plain store items. Compared to the above representation, many additional nodes are visible, including build scripts, patches, Guile modules, etc.

For this type of graph, it is also possible to pass a .drv file name instead of a package name, as in:

guix graph -t derivation $(guix system build -d my-config.scm)

This is the graph of package modules (see Package Modules). For example, the following command shows the graph for the package module that defines the guile package:

guix graph -t module guile | xdot -

All the types above correspond to build-time dependencies. The following graph type represents the run-time dependencies:


This is the graph of references of a package output, as returned by guix gc --references (see Invoking guix gc).

If the given package output is not available in the store, guix graph attempts to obtain dependency information from substitutes.

Here you can also pass a store file name instead of a package name. For example, the command below produces the reference graph of your profile (which can be big!):

guix graph -t references $(readlink -f ~/.guix-profile)

This is the graph of the referrers of a store item, as returned by guix gc --referrers (see Invoking guix gc).

This relies exclusively on local information from your store. For instance, let us suppose that the current Inkscape is available in 10 profiles on your machine; guix graph -t referrers inkscape will show a graph rooted at Inkscape and with those 10 profiles linked to it.

It can help determine what is preventing a store item from being garbage collected.

Often, the graph of the package you are interested in does not fit on your screen, and anyway all you want to know is why that package actually depends on some seemingly unrelated package. The --path option instructs guix graph to display the shortest path between two packages (or derivations, or store items, etc.):

$ guix graph --path emacs libunistring
$ guix graph --path -t derivation emacs libunistring
$ guix graph --path -t references emacs libunistring

The available options are the following:

-t type

Produce a graph output of type, where type must be one of the values listed above.


List the supported graph types.

-b backend

Produce a graph using the selected backend.


List the supported graph backends.

Currently, the available backends are Graphviz and d3.js.


Display the shortest path between two nodes of the type specified by --type. The example below shows the shortest path between libreoffice and llvm according to the references of libreoffice:

$ guix graph --path -t references libreoffice llvm
-e expr

Consider the package expr evaluates to.

This is useful to precisely refer to a package, as in this example:

guix graph -e '(@@ (gnu packages commencement) gnu-make-final)'
-s system

Display the graph for system—e.g., i686-linux.

The package dependency graph is largely architecture-independent, but there are some architecture-dependent bits that this option allows you to visualize.

-L directory

Add directory to the front of the package module search path (see Package Modules).

This allows users to define their own packages and make them visible to the command-line tools.

On top of that, guix graph supports all the usual package transformation options (see Package Transformation Options). This makes it easy to view the effect of a graph-rewriting transformation such as --with-input. For example, the command below outputs the graph of git once openssl has been replaced by libressl everywhere in the graph:

guix graph git --with-input=openssl=libressl

So many possibilities, so much fun!

Next: , Previous: , Up: Utilities   [Contents][Index]

9.10 Invoking guix publish

The purpose of guix publish is to enable users to easily share their store with others, who can then use it as a substitute server (see Substitutes).

When guix publish runs, it spawns an HTTP server which allows anyone with network access to obtain substitutes from it. This means that any machine running Guix can also act as if it were a build farm, since the HTTP interface is compatible with Cuirass, the software behind the build farm.

For security, each substitute is signed, allowing recipients to check their authenticity and integrity (see Substitutes). Because guix publish uses the signing key of the system, which is only readable by the system administrator, it must be started as root; the --user option makes it drop root privileges early on.

The signing key pair must be generated before guix publish is launched, using guix archive --generate-key (see Invoking guix archive).

When the --advertise option is passed, the server advertises its availability on the local network using multicast DNS (mDNS) and DNS service discovery (DNS-SD), currently via Guile-Avahi (see Using Avahi in Guile Scheme Programs).

The general syntax is:

guix publish options

Running guix publish without any additional arguments will spawn an HTTP server on port 8080:

guix publish

Once a publishing server has been authorized, the daemon may download substitutes from it. See Getting Substitutes from Other Servers.

By default, guix publish compresses archives on the fly as it serves them. This “on-the-fly” mode is convenient in that it requires no setup and is immediately available. However, when serving lots of clients, we recommend using the --cache option, which enables caching of the archives before they are sent to clients—see below for details. The guix weather command provides a handy way to check what a server provides (see Invoking guix weather).

As a bonus, guix publish also serves as a content-addressed mirror for source files referenced in origin records (see origin Reference). For instance, assuming guix publish is running on, the following URL returns the raw hello-2.10.tar.gz file with the given SHA256 hash (represented in nix-base32 format, see Invoking guix hash):…ndq1i

Obviously, these URLs only work for files that are in the store; in other cases, they return 404 (“Not Found”).

Build logs are available from /log URLs like:…-guile-2.2.3

When guix-daemon is configured to save compressed build logs, as is the case by default (see Invoking guix-daemon), /log URLs return the compressed log as-is, with an appropriate Content-Type and/or Content-Encoding header. We recommend running guix-daemon with --log-compression=gzip since Web browsers can automatically decompress it, which is not the case with Bzip2 compression.

The following options are available:

-p port

Listen for HTTP requests on port.


Listen on the network interface for host. The default is to accept connections from any interface.

-u user

Change privileges to user as soon as possible—i.e., once the server socket is open and the signing key has been read.

-C [method[:level]]

Compress data using the given method and level. method is one of lzip, zstd, and gzip; when method is omitted, gzip is used.

When level is zero, disable compression. The range 1 to 9 corresponds to different compression levels: 1 is the fastest, and 9 is the best (CPU-intensive). The default is 3.

Usually, lzip compresses noticeably better than gzip for a small increase in CPU usage; see benchmarks on the lzip Web page. However, lzip achieves low decompression throughput (on the order of 50 MiB/s on modern hardware), which can be a bottleneck for someone who downloads over a fast network connection.

The compression ratio of zstd is between that of lzip and that of gzip; its main advantage is a high decompression speed.

Unless --cache is used, compression occurs on the fly and the compressed streams are not cached. Thus, to reduce load on the machine that runs guix publish, it may be a good idea to choose a low compression level, to run guix publish behind a caching proxy, or to use --cache. Using --cache has the advantage that it allows guix publish to add Content-Length HTTP header to its responses.

This option can be repeated, in which case every substitute gets compressed using all the selected methods, and all of them are advertised. This is useful when users may not support all the compression methods: they can select the one they support.

-c directory

Cache archives and meta-data (.narinfo URLs) to directory and only serve archives that are in cache.

When this option is omitted, archives and meta-data are created on-the-fly. This can reduce the available bandwidth, especially when compression is enabled, since this may become CPU-bound. Another drawback of the default mode is that the length of archives is not known in advance, so guix publish does not add a Content-Length HTTP header to its responses, which in turn prevents clients from knowing the amount of data being downloaded.

Conversely, when --cache is used, the first request for a store item (via a .narinfo URL) triggers a background process to bake the archive—computing its .narinfo and compressing the archive, if needed. Once the archive is cached in directory, subsequent requests succeed and are served directly from the cache, which guarantees that clients get the best possible bandwidth.

That first .narinfo request nonetheless returns 200, provided the requested store item is “small enough”, below the cache bypass threshold—see --cache-bypass-threshold below. That way, clients do not have to wait until the archive is baked. For larger store items, the first .narinfo request returns 404, meaning that clients have to wait until the archive is baked.

The “baking” process is performed by worker threads. By default, one thread per CPU core is created, but this can be customized. See --workers below.

When --ttl is used, cached entries are automatically deleted when they have expired.


When --cache is used, request the allocation of N worker threads to “bake” archives.


Produce Cache-Control HTTP headers that advertise a time-to-live (TTL) of ttl. ttl must denote a duration: 5d means 5 days, 1m means 1 month, and so on.

This allows the user’s Guix to keep substitute information in cache for ttl. However, note that guix publish does not itself guarantee that the store items it provides will indeed remain available for as long as ttl.

Additionally, when --cache is used, cached entries that have not been accessed for ttl and that no longer have a corresponding item in the store, may be deleted.


When used in conjunction with --cache, store items smaller than size are immediately available, even when they are not yet in cache. size is a size in bytes, or it can be suffixed by M for megabytes and so on. The default is 10M.

“Cache bypass” allows you to reduce the publication delay for clients at the expense of possibly additional I/O and CPU use on the server side: depending on the client access patterns, those store items can end up being baked several times until a copy is available in cache.

Increasing the threshold may be useful for sites that have few users, or to guarantee that users get substitutes even for store items that are not popular.


Use path as the prefix for the URLs of “nar” files (see normalized archives).

By default, nars are served at a URL such as /nar/gzip/…-coreutils-8.25. This option allows you to change the /nar part to path.


Use the specific files as the public/private key pair used to sign the store items being published.

The files must correspond to the same key pair (the private key is used for signing and the public key is merely advertised in the signature metadata). They must contain keys in the canonical s-expression format as produced by guix archive --generate-key (see Invoking guix archive). By default, /etc/guix/ and /etc/guix/signing-key.sec are used.

-r [port]

Spawn a Guile REPL server (see REPL Servers in GNU Guile Reference Manual) on port (37146 by default). This is used primarily for debugging a running guix publish server.

Enabling guix publish on Guix System is a one-liner: just instantiate a guix-publish-service-type service in the services field of the operating-system declaration (see guix-publish-service-type).

If you are instead running Guix on a “foreign distro”, follow these instructions:

Next: , Previous: , Up: Utilities   [Contents][Index]

9.11 Invoking guix challenge

Do the binaries provided by this server really correspond to the source code it claims to build? Is a package build process deterministic? These are the questions the guix challenge command attempts to answer.

The former is obviously an important question: Before using a substitute server (see Substitutes), one had better verify that it provides the right binaries, and thus challenge it. The latter is what enables the former: If package builds are deterministic, then independent builds of the package should yield the exact same result, bit for bit; if a server provides a binary different from the one obtained locally, it may be either corrupt or malicious.

We know that the hash that shows up in /gnu/store file names is the hash of all the inputs of the process that built the file or directory—compilers, libraries, build scripts, etc. (see Introduction). Assuming deterministic build processes, one store file name should map to exactly one build output. guix challenge checks whether there is, indeed, a single mapping by comparing the build outputs of several independent builds of any given store item.

The command output looks like this:

$ guix challenge --substitute-urls=""
updating list of substitutes from ''... 100.0%
updating list of substitutes from ''... 100.0%
/gnu/store/…-openssl-1.0.2d contents differ:
  local hash: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q…-openssl-1.0.2d: 0725l22r5jnzazaacncwsvp9kgf42266ayyp814v7djxs7nk963q…-openssl-1.0.2d: 1zy4fmaaqcnjrzzajkdn3f5gmjk754b43qkq47llbyak9z0qjyim
  differing files:

/gnu/store/…-git-2.5.0 contents differ:
  local hash: 00p3bmryhjxrhpn2gxs2fy0a15lnip05l97205pgbk5ra395hyha…-git-2.5.0: 069nb85bv4d4a6slrwjdy8v1cn4cwspm3kdbmyb81d6zckj3nq9f…-git-2.5.0: 0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73
  differing file:

/gnu/store/…-pius-2.1.1 contents differ:
  local hash: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax…-pius-2.1.1: 0k4v3m9z1zp8xzzizb7d8kjj72f9172xv078sq4wl73vnq9ig3ax…-pius-2.1.1: 1cy25x1a4fzq5rk0pmvc8xhwyffnqz95h2bpvqsz2mpvlbccy0gs
  differing file:


6,406 store items were analyzed:
  - 4,749 (74.1%) were identical
  - 525 (8.2%) differed
  - 1,132 (17.7%) were inconclusive

In this example, guix challenge first scans the store to determine the set of locally-built derivations—as opposed to store items that were downloaded from a substitute server—and then queries all the substitute servers. It then reports those store items for which the servers obtained a result different from the local build.

As an example, always gets a different answer. Conversely, agrees with local builds, except in the case of Git. This might indicate that the build process of Git is non-deterministic, meaning that its output varies as a function of various things that Guix does not fully control, in spite of building packages in isolated environments (see Features). Most common sources of non-determinism include the addition of timestamps in build results, the inclusion of random numbers, and directory listings sorted by inode number. See, for more information.

To find out what is wrong with this Git binary, the easiest approach is to run:

guix challenge git \
  --diff=diffoscope \

This automatically invokes diffoscope, which displays detailed information about files that differ.

Alternatively, we can do something along these lines (see Invoking guix archive):

$ wget -q -O -…-git-2.5.0 \
   | lzip -d | guix archive -x /tmp/git
$ diff -ur --no-dereference /gnu/store/…-git.2.5.0 /tmp/git

This command shows the difference between the files resulting from the local build, and the files resulting from the build on (see Comparing and Merging Files in Comparing and Merging Files). The diff command works great for text files. When binary files differ, a better option is Diffoscope, a tool that helps visualize differences for all kinds of files.

Once you have done that work, you can tell whether the differences are due to a non-deterministic build process or to a malicious server. We try hard to remove sources of non-determinism in packages to make it easier to verify substitutes, but of course, this is a process that involves not just Guix, but a large part of the free software community. In the meantime, guix challenge is one tool to help address the problem.

If you are writing packages for Guix, you are encouraged to check whether and other substitute servers obtain the same build result as you did with:

$ guix challenge package

where package is a package specification such as guile@2.0 or glibc:debug.

The general syntax is:

guix challenge options [packages…]

When a difference is found between the hash of a locally-built item and that of a server-provided substitute, or among substitutes provided by different servers, the command displays it as in the example above and its exit code is 2 (other non-zero exit codes denote other kinds of errors).

The one option that matters is:


Consider urls the whitespace-separated list of substitute source URLs to compare to.


Upon mismatches, show differences according to mode, one of:

simple (the default)

Show the list of files that differ.


Invoke Diffoscope, passing it two directories whose contents do not match.

When command is an absolute file name, run command instead of Diffoscope.


Do not show further details about the differences.

Thus, unless --diff=none is passed, guix challenge downloads the store items from the given substitute servers so that it can compare them.


Show details about matches (identical contents) in addition to information about mismatches.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.12 Invoking guix copy

The guix copy command copies items from the store of one machine to that of another machine over a secure shell (SSH) connection20. For example, the following command copies the coreutils package, the user’s profile, and all their dependencies over to host, logged in as user:

guix copy --to=user@host \
          coreutils $(readlink -f ~/.guix-profile)

If some of the items to be copied are already present on host, they are not actually sent.

The command below retrieves libreoffice and gimp from host, assuming they are available there:

guix copy --from=host libreoffice gimp

The SSH connection is established using the Guile-SSH client, which is compatible with OpenSSH: it honors ~/.ssh/known_hosts and ~/.ssh/config, and uses the SSH agent for authentication.

The key used to sign items that are sent must be accepted by the remote machine. Likewise, the key used by the remote machine to sign items you are retrieving must be in /etc/guix/acl so it is accepted by your own daemon. See Invoking guix archive, for more information about store item authentication.

The general syntax is:

guix copy [--to=spec|--from=spec] items

You must always specify one of the following options:


Specify the host to send to or receive from. spec must be an SSH spec such as,, or

The items can be either package names, such as gimp, or store items, such as /gnu/store/…-idutils-4.6.

When specifying the name of a package to send, it is first built if needed, unless --dry-run was specified. Common build options are supported (see Common Build Options).

Next: , Previous: , Up: Utilities   [Contents][Index]

9.13 Invoking guix container

Note: As of version 1.3.0, this tool is experimental. The interface is subject to radical change in the future.

The purpose of guix container is to manipulate processes running within an isolated environment, commonly known as a “container”, typically created by the guix environment (see Invoking guix environment) and guix system container (see Invoking guix system) commands.

The general syntax is:

guix container action options

action specifies the operation to perform with a container, and options specifies the context-specific arguments for the action.

The following actions are available:


Execute a command within the context of a running container.

The syntax is:

guix container exec pid program arguments

pid specifies the process ID of the running container. program specifies an executable file name within the root file system of the container. arguments are the additional options that will be passed to program.

The following command launches an interactive login shell inside a Guix system container, started by guix system container, and whose process ID is 9001:

guix container exec 9001 /run/current-system/profile/bin/bash --login

Note that the pid cannot be the parent process of a container. It must be PID 1 of the container or one of its child processes.

Next: , Previous: , Up: Utilities   [Contents][Index]

9.14 Invoking guix weather

Occasionally you’re grumpy because substitutes are lacking and you end up building packages by yourself (see Substitutes). The guix weather command reports on substitute availability on the specified servers so you can have an idea of whether you’ll be grumpy today. It can sometimes be useful info as a user, but it is primarily useful to people running guix publish (see Invoking guix publish).

Here’s a sample run:

$ guix weather --substitute-urls=
computing 5,872 package derivations for x86_64-linux...
looking for 6,128 store items on
updating list of substitutes from ''... 100.0%
  43.4% substitutes available (2,658 out of 6,128)
  7,032.5 MiB of nars (compressed)
  19,824.2 MiB on disk (uncompressed)
  0.030 seconds per request (182.9 seconds in total)
  33.5 requests per second

  9.8% (342 out of 3,470) of the missing items are queued
  867 queued builds
      x86_64-linux: 518 (59.7%)
      i686-linux: 221 (25.5%)
      aarch64-linux: 128 (14.8%)
  build rate: 23.41 builds per hour
      x86_64-linux: 11.16 builds per hour
      i686-linux: 6.03 builds per hour
      aarch64-linux: 6.41 builds per hour

As you can see, it reports the fraction of all the packages for which substitutes are available on the server—regardless of whether substitutes are enabled, and regardless of whether this server’s signing key is authorized. It also reports the size of the compressed archives (“nars”) provided by the server, the size the corresponding store items occupy in the store (assuming deduplication is turned off), and the server’s throughput. The second part gives continuous integration (CI) statistics, if the server supports it. In addition, using the --coverage option, guix weather can list “important” package substitutes missing on the server (see below).

To achieve that, guix weather queries over HTTP(S) meta-data (narinfos) for all the relevant store items. Like guix challenge, it ignores signatures on those substitutes, which is innocuous since the command only gathers statistics and cannot install those substitutes.

The general syntax is:

guix weather options… [packages…]

When packages is omitted, guix weather checks the availability of substitutes for all the packages, or for those specified with --manifest; otherwise it only considers the specified packages. It is also possible to query specific system types with --system. guix weather exits with a non-zero code when the fraction of available substitutes is below 100%.

The available options are listed below.


urls is the space-separated list of substitute server URLs to query. When this option is omitted, the default set of substitute servers is queried.

-s system

Query substitutes for system—e.g., aarch64-linux. This option can be repeated, in which case guix weather will query substitutes for several system types.


Instead of querying substitutes for all the packages, only ask for those specified in file. file must contain a manifest, as with the -m option of guix package (see Invoking guix package).

This option can be repeated several times, in which case the manifests are concatenated.

-c [count]

Report on substitute coverage for packages: list packages with at least count dependents (zero by default) for which substitutes are unavailable. Dependent packages themselves are not listed: if b depends on a and a has no substitutes, only a is listed, even though b usually lacks substitutes as well. The result looks like this:

$ guix weather --substitute-urls= -c 10
computing 8,983 package derivations for x86_64-linux...
looking for 9,343 store items on
updating substitutes from ''... 100.0%
  64.7% substitutes available (6,047 out of 9,343)
2502 packages are missing from '' for 'x86_64-linux', among which:
    58  kcoreaddons@5.49.0      /gnu/store/…-kcoreaddons-5.49.0
    46  qgpgme@1.11.1           /gnu/store/…-qgpgme-1.11.1
    37  perl-http-cookiejar@0.008  /gnu/store/…-perl-http-cookiejar-0.008

What this example shows is that kcoreaddons and presumably the 58 packages that depend on it have no substitutes at; likewise for qgpgme and the 46 packages that depend on it.

If you are a Guix developer, or if you are taking care of this build farm, you’ll probably want to have a closer look at these packages: they may simply fail to build.


Display the list of store items for which substitutes are missing.

Previous: , Up: Utilities   [Contents][Index]

9.15 Invoking guix processes

The guix processes command can be useful to developers and system administrators, especially on multi-user machines and on build farms: it lists the current sessions (connections to the daemon), as well as information about the processes involved21. Here’s an example of the information it returns:

$ sudo guix processes
SessionPID: 19002
ClientPID: 19090
ClientCommand: guix environment --ad-hoc python

SessionPID: 19402
ClientPID: 19367
ClientCommand: guix publish -u guix-publish -p 3000 -C 9 …

SessionPID: 19444
ClientPID: 19419
ClientCommand: cuirass --cache-directory /var/cache/cuirass …
LockHeld: /gnu/store/…-perl-ipc-cmd-0.96.lock
LockHeld: /gnu/store/…-python-six-bootstrap-1.11.0.lock
LockHeld: /gnu/store/…-libjpeg-turbo-2.0.0.lock
ChildPID: 20495
ChildCommand: guix offload x86_64-linux 7200 1 28800
ChildPID: 27733
ChildCommand: guix offload x86_64-linux 7200 1 28800
ChildPID: 27793
ChildCommand: guix offload x86_64-linux 7200 1 28800

In this example we see that guix-daemon has three clients: guix environment, guix publish, and the Cuirass continuous integration tool; their process identifier (PID) is given by the ClientPID field. The SessionPID field gives the PID of the guix-daemon sub-process of this particular session.

The LockHeld fields show which store items are currently locked by this session, which corresponds to store items being built or substituted (the LockHeld field is not displayed when guix processes is not running as root). Last, by looking at the ChildPID and ChildCommand fields, we understand that these three builds are being offloaded (see Daemon Offload Setup).

The output is in Recutils format so we can use the handy recsel command to select sessions of interest (see Selection Expressions in GNU recutils manual). As an example, the command shows the command line and PID of the client that triggered the build of a Perl package:

$ sudo guix processes | \
    recsel -p ClientPID,ClientCommand -e 'LockHeld ~ "perl"'
ClientPID: 19419
ClientCommand: cuirass --cache-directory /var/cache/cuirass …

Additional options are listed below.

-f format

Produce output in the specified format, one of:


The default option. It outputs a set of Session recutils records that include each ChildProcess as a field.


Normalize the output records into record sets (see Record Sets in GNU recutils manual). Normalizing into record sets allows joins across record types. The example below lists the PID of each ChildProcess and the associated PID for Session that spawned the ChildProcess where the Session was started using guix build.

$ guix processes --format=normalized | \
    recsel \
    -j Session \
    -t ChildProcess \
    -p Session.PID,PID \
    -e 'Session.ClientCommand ~ "guix build"'
PID: 4435
Session_PID: 4278

PID: 4554
Session_PID: 4278

PID: 4646
Session_PID: 4278

Next: , Previous: , Up: Top   [Contents][Index]

10 System Configuration

Guix System supports a consistent whole-system configuration mechanism. By that we mean that all aspects of the global system configuration—such as the available system services, timezone and locale settings, user accounts—are declared in a single place. Such a system configuration can be instantiated—i.e., effected.

One of the advantages of putting all the system configuration under the control of Guix is that it supports transactional system upgrades, and makes it possible to roll back to a previous system instantiation, should something go wrong with the new one (see Features). Another advantage is that it makes it easy to replicate the exact same configuration across different machines, or at different points in time, without having to resort to additional administration tools layered on top of the own tools of the system.

This section describes this mechanism. First we focus on the system administrator’s viewpoint—explaining how the system is configured and instantiated. Then we show how this mechanism can be extended, for instance to support new system services.

Next: , Up: System Configuration   [Contents][Index]

10.1 Using the Configuration System

The operating system is configured by providing an operating-system declaration in a file that can then be passed to the guix system command (see Invoking guix system). A simple setup, with the default system services, the default Linux-Libre kernel, initial RAM disk, and boot loader looks like this:

;; This is an operating system configuration template
;; for a "bare bones" setup, with no X11 display server.

(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

  (host-name "komputilo")
  (timezone "Europe/Berlin")
  (locale "en_US.utf8")

  ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  ;; target hard disk, and "my-root" is the label of the target
  ;; root file system.
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (target "/dev/sdX")))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")

                ;; Adding the account to the "wheel" group
                ;; makes it a sudoer.  Adding it to "audio"
                ;; and "video" allows the user to play sound
                ;; and access the webcam.
                (supplementary-groups '("wheel"
                                        "audio" "video")))

  ;; Globally-installed packages.
  (packages (cons screen %base-packages))

  ;; Add services to the baseline: a DHCP client and
  ;; an SSH server.
  (services (append (list (service dhcp-client-service-type)
                          (service openssh-service-type
                                    (openssh openssh-sans-x)
                                    (port-number 2222))))

This example should be self-describing. Some of the fields defined above, such as host-name and bootloader, are mandatory. Others, such as packages and services, can be omitted, in which case they get a default value.

Below we discuss the effect of some of the most important fields (see operating-system Reference, for details about all the available fields), and how to instantiate the operating system using guix system.


The bootloader field describes the method that will be used to boot your system. Machines based on Intel processors can boot in “legacy” BIOS mode, as in the example above. However, more recent machines rely instead on the Unified Extensible Firmware Interface (UEFI) to boot. In that case, the bootloader field should contain something along these lines:

  (bootloader grub-efi-bootloader)
  (target "/boot/efi"))

See Bootloader Configuration, for more information on the available configuration options.

Globally-Visible Packages

The packages field lists packages that will be globally visible on the system, for all user accounts—i.e., in every user’s PATH environment variable—in addition to the per-user profiles (see Invoking guix package). The %base-packages variable provides all the tools one would expect for basic user and administrator tasks—including the GNU Core Utilities, the GNU Networking Utilities, the GNU Zile lightweight text editor, find, grep, etc. The example above adds GNU Screen to those, taken from the (gnu packages screen) module (see Package Modules). The (list package output) syntax can be used to add a specific output of a package:

(use-modules (gnu packages))
(use-modules (gnu packages dns))

  ;; ...
  (packages (cons (list bind "utils")

Referring to packages by variable name, like bind above, has the advantage of being unambiguous; it also allows typos and such to be diagnosed right away as “unbound variables”. The downside is that one needs to know which module defines which package, and to augment the use-package-modules line accordingly. To avoid that, one can use the specification->package procedure of the (gnu packages) module, which returns the best package for a given name or name and version:

(use-modules (gnu packages))

  ;; ...
  (packages (append (map specification->package
                         '("tcpdump" "htop" "gnupg@2.0"))

System Services

The services field lists system services to be made available when the system starts (see Services). The operating-system declaration above specifies that, in addition to the basic services, we want the OpenSSH secure shell daemon listening on port 2222 (see openssh-service-type). Under the hood, openssh-service-type arranges so that sshd is started with the right command-line options, possibly with supporting configuration files generated as needed (see Defining Services).

Occasionally, instead of using the base services as is, you will want to customize them. To do this, use modify-services (see modify-services) to modify the list.

For example, suppose you want to modify guix-daemon and Mingetty (the console log-in) in the %base-services list (see %base-services). To do that, you can write the following in your operating system declaration:

(define %my-services
  ;; My very own list of services.
  (modify-services %base-services
    (guix-service-type config =>
                        (inherit config)
                        ;; Fetch substitutes from
                          (list ""
    (mingetty-service-type config =>
                            (inherit config)
                            ;; Automatially log in as "guest".
                            (auto-login "guest")))))

  ;; …
  (services %my-services))

This changes the configuration—i.e., the service parameters—of the guix-service-type instance, and that of all the mingetty-service-type instances in the %base-services list. Observe how this is accomplished: first, we arrange for the original configuration to be bound to the identifier config in the body, and then we write the body so that it evaluates to the desired configuration. In particular, notice how we use inherit to create a new configuration which has the same values as the old configuration, but with a few modifications.

The configuration for a typical “desktop” usage, with an encrypted root partition, the X11 display server, GNOME and Xfce (users can choose which of these desktop environments to use at the log-in screen by pressing F1), network management, power management, and more, would look like this:

;; This is an operating system configuration template
;; for a "desktop" setup with GNOME and Xfce where the
;; root partition is encrypted with LUKS.

(use-modules (gnu) (gnu system nss))
(use-service-modules desktop xorg)
(use-package-modules certs gnome)

  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; Choose US English keyboard layout.  The "altgr-intl"
  ;; variant provides dead keys for accented characters.
  (keyboard-layout (keyboard-layout "us" "altgr-intl"))

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")
                (keyboard-layout keyboard-layout)))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
   (list (mapped-device
          (source (uuid "12345678-1234-1234-1234-123456789abc"))
          (target "my-root")
          (type luks-device-mapping))))

  (file-systems (append
                 (list (file-system
                         (device (file-system-label "my-root"))
                         (mount-point "/")
                         (type "ext4")
                         (dependencies mapped-devices))
                         (device (uuid "1234-ABCD" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat")))

  ;; Create user `bob' with `alice' as its initial password.
  (users (cons (user-account
                (name "bob")
                (comment "Alice's brother")
                (password (crypt "alice" "$6$abc"))
                (group "users")
                (supplementary-groups '("wheel" "netdev"
                                        "audio" "video")))

  ;; This is where we specify system-wide packages.
  (packages (append (list
                     ;; for HTTPS access
                     ;; for user mounts

  ;; Add GNOME and Xfce---we can choose at the log-in screen
  ;; by clicking the gear.  Use the "desktop" services, which
  ;; include the X11 log-in service, networking with
  ;; NetworkManager, and more.
  (services (append (list (service gnome-desktop-service-type)
                          (service xfce-desktop-service-type)
                            (keyboard-layout keyboard-layout))))

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

A graphical system with a choice of lightweight window managers instead of full-blown desktop environments would look like this:

;; This is an operating system configuration template
;; for a "desktop" setup without full-blown desktop
;; environments.

(use-modules (gnu) (gnu system nss))
(use-service-modules desktop)
(use-package-modules bootloaders certs emacs emacs-xyz ratpoison suckless wm

  (host-name "antelope")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")))

  ;; Assume the target root file system is labelled "my-root",
  ;; and the EFI System Partition has UUID 1234-ABCD.
  (file-systems (append
                 (list (file-system
                         (device (file-system-label "my-root"))
                         (mount-point "/")
                         (type "ext4"))
                         (device (uuid "1234-ABCD" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat")))

  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")
                (supplementary-groups '("wheel" "netdev"
                                        "audio" "video")))

  ;; Add a bunch of window managers; we can choose one at
  ;; the log-in screen with F1.
  (packages (append (list
                     ;; window managers
                     ratpoison i3-wm i3status dmenu
                     emacs emacs-exwm emacs-desktop-environment
                     ;; terminal emulator
                     ;; for HTTPS access

  ;; Use the "desktop" services, which include the X11
  ;; log-in service, networking with NetworkManager, and more.
  (services %desktop-services)

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

This example refers to the /boot/efi file system by its UUID, 1234-ABCD. Replace this UUID with the right UUID on your system, as returned by the blkid command.

See Desktop Services, for the exact list of services provided by %desktop-services. See X.509 Certificates, for background information about the nss-certs package that is used here.

Again, %desktop-services is just a list of service objects. If you want to remove services from there, you can do so using the procedures for list filtering (see SRFI-1 Filtering and Partitioning in GNU Guile Reference Manual). For instance, the following expression returns a list that contains all the services in %desktop-services minus the Avahi service:

(remove (lambda (service)
          (eq? (service-kind service) avahi-service-type))

Alternatively, the modify-services macro can be used:

(modify-services %desktop-services
  (delete avahi-service-type))

Instantiating the System

Assuming the operating-system declaration is stored in the my-system-config.scm file, the guix system reconfigure my-system-config.scm command instantiates that configuration, and makes it the default GRUB boot entry (see Invoking guix system).

The normal way to change the system configuration is by updating this file and re-running guix system reconfigure. One should never have to touch files in /etc or to run commands that modify the system state such as useradd or grub-install. In fact, you must avoid that since that would not only void your warranty but also prevent you from rolling back to previous versions of your system, should you ever need to.

Speaking of roll-back, each time you run guix system reconfigure, a new generation of the system is created—without modifying or deleting previous generations. Old system generations get an entry in the bootloader boot menu, allowing you to boot them in case something went wrong with the latest generation. Reassuring, no? The guix system list-generations command lists the system generations available on disk. It is also possible to roll back the system via the commands guix system roll-back and guix system switch-generation.

Although the guix system reconfigure command will not modify previous generations, you must take care when the current generation is not the latest (e.g., after invoking guix system roll-back), since the operation might overwrite a later generation (see Invoking guix system).

The Programming Interface

At the Scheme level, the bulk of an operating-system declaration is instantiated with the following monadic procedure (see The Store Monad):

Monadic Procedure: operating-system-derivation os

Return a derivation that builds os, an operating-system object (see Derivations).

The output of the derivation is a single directory that refers to all the packages, configuration files, and other supporting files needed to instantiate os.

This procedure is provided by the (gnu system) module. Along with (gnu services) (see Services), this module contains the guts of Guix System. Make sure to visit it!

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.2 operating-system Reference

This section summarizes all the options available in operating-system declarations (see Using the Configuration System).

Data Type: operating-system

This is the data type representing an operating system configuration. By that, we mean all the global system configuration, not per-user configuration (see Using the Configuration System).

kernel (default: linux-libre)

The package object of the operating system kernel to use22.

hurd (default: #f)

The package object of the Hurd to be started by the kernel. When this field is set, produce a GNU/Hurd operating system. In that case, kernel must also be set to the gnumach package—the microkernel the Hurd runs on.

Warning: This feature is experimental and only supported for disk images.

kernel-loadable-modules (default: ’())

A list of objects (usually packages) to collect loadable kernel modules from–e.g. (list ddcci-driver-linux).

kernel-arguments (default: %default-kernel-arguments)

List of strings or gexps representing additional arguments to pass on the command-line of the kernel—e.g., ("console=ttyS0").


The system bootloader configuration object. See Bootloader Configuration.


This is the label (a string) as it appears in the bootloader’s menu entry. The default label includes the kernel name and version.

keyboard-layout (default: #f)

This field specifies the keyboard layout to use in the console. It can be either #f, in which case the default keyboard layout is used (usually US English), or a <keyboard-layout> record. See Keyboard Layout, for more information.

This keyboard layout is in effect as soon as the kernel has booted. For instance, it is the keyboard layout in effect when you type a passphrase if your root file system is on a luks-device-mapping mapped device (see Mapped Devices).

Note: This does not specify the keyboard layout used by the bootloader, nor that used by the graphical display server. See Bootloader Configuration, for information on how to specify the bootloader’s keyboard layout. See X Window, for information on how to specify the keyboard layout used by the X Window System.

initrd-modules (default: %base-initrd-modules)

The list of Linux kernel modules that need to be available in the initial RAM disk. See Initial RAM Disk.

initrd (default: base-initrd)

A procedure that returns an initial RAM disk for the Linux kernel. This field is provided to support low-level customization and should rarely be needed for casual use. See Initial RAM Disk.

firmware (default: %base-firmware)

List of firmware packages loadable by the operating system kernel.

The default includes firmware needed for Atheros- and Broadcom-based WiFi devices (Linux-libre modules ath9k and b43-open, respectively). See Hardware Considerations, for more info on supported hardware.


The host name.


A file-like object (see file-like objects) for use as /etc/hosts (see Host Names in The GNU C Library Reference Manual). The default is a file with entries for localhost and host-name.

mapped-devices (default: '())

A list of mapped devices. See Mapped Devices.


A list of file systems. See File Systems.

swap-devices (default: '())

A list of UUIDs, file system labels, or strings identifying devices or files to be used for “swap space” (see Memory Concepts in The GNU C Library Reference Manual). Here are some examples:

(list (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb"))

Use the swap partition with the given UUID. You can learn the UUID of a Linux swap partition by running swaplabel device, where device is the /dev file name of that partition.

(list (file-system-label "swap"))

Use the partition with label swap. Again, the swaplabel command allows you to view and change the label of a Linux swap partition.

(list "/swapfile")

Use the file /swapfile as swap space.

(list "/dev/sda3" "/dev/sdb2")

Use the /dev/sda3 and /dev/sdb2 partitions as swap space. We recommend referring to swap devices by UUIDs or labels as shown above instead.

It is possible to specify a swap file in a file system on a mapped device (under /dev/mapper), provided that the necessary device mapping and file system are also specified. See Mapped Devices and File Systems.

users (default: %base-user-accounts)
groups (default: %base-groups)

List of user accounts and groups. See User Accounts.

If the users list lacks a user account with UID 0, a “root” account with UID 0 is automatically added.

skeletons (default: (default-skeletons))

A list of target file name/file-like object tuples (see file-like objects). These are the skeleton files that will be added to the home directory of newly-created user accounts.

For instance, a valid value may look like this:

`((".bashrc" ,(plain-file "bashrc" "echo Hello\n"))
  (".guile" ,(plain-file "guile"
                         "(use-modules (ice-9 readline))
issue (default: %default-issue)

A string denoting the contents of the /etc/issue file, which is displayed when users log in on a text console.

packages (default: %base-packages)

A list of packages to be installed in the global profile, which is accessible at /run/current-system/profile. Each element is either a package variable or a package/output tuple. Here’s a simple example of both:

(cons* git                     ; the default "out" output
       (list git "send-email") ; another output of git
       %base-packages)         ; the default set

The default set includes core utilities and it is good practice to install non-core utilities in user profiles (see Invoking guix package).


A timezone identifying string—e.g., "Europe/Paris".

You can run the tzselect command to find out which timezone string corresponds to your region. Choosing an invalid timezone name causes guix system to fail.

locale (default: "en_US.utf8")

The name of the default locale (see Locale Names in The GNU C Library Reference Manual). See Locales, for more information.

locale-definitions (default: %default-locale-definitions)

The list of locale definitions to be compiled and that may be used at run time. See Locales.

locale-libcs (default: (list glibc))

The list of GNU libc packages whose locale data and tools are used to build the locale definitions. See Locales, for compatibility considerations that justify this option.

name-service-switch (default: %default-nss)

Configuration of the libc name service switch (NSS)—a <name-service-switch> object. See Name Service Switch, for details.

services (default: %base-services)

A list of service objects denoting system services. See Services.

essential-services (default: ...)

The list of “essential services”—i.e., things like instances of system-service-type and host-name-service-type (see Service Reference), which are derived from the operating system definition itself. As a user you should never need to touch this field.

pam-services (default: (base-pam-services))

Linux pluggable authentication module (PAM) services.

setuid-programs (default: %setuid-programs)

List of string-valued G-expressions denoting setuid programs. See Setuid Programs.

sudoers-file (default: %sudoers-specification)

The contents of the /etc/sudoers file as a file-like object (see local-file and plain-file).

This file specifies which users can use the sudo command, what they are allowed to do, and what privileges they may gain. The default is that only root and members of the wheel group may use sudo.

Scheme Syntax: this-operating-system

When used in the lexical scope of an operating system field definition, this identifier resolves to the operating system being defined.

The example below shows how to refer to the operating system being defined in the definition of the label field:

(use-modules (gnu) (guix))

  ;; ...
  (label (package-full-name
          (operating-system-kernel this-operating-system))))

It is an error to refer to this-operating-system outside an operating system definition.

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.3 File Systems

The list of file systems to be mounted is specified in the file-systems field of the operating system declaration (see Using the Configuration System). Each file system is declared using the file-system form, like this:

  (mount-point "/home")
  (device "/dev/sda3")
  (type "ext4"))

As usual, some of the fields are mandatory—those shown in the example above—while others can be omitted. These are described below.

Data Type: file-system

Objects of this type represent file systems to be mounted. They contain the following members:


This is a string specifying the type of the file system—e.g., "ext4".


This designates the place where the file system is to be mounted.


This names the “source” of the file system. It can be one of three things: a file system label, a file system UUID, or the name of a /dev node. Labels and UUIDs offer a way to refer to file systems without having to hard-code their actual device name23.

File system labels are created using the file-system-label procedure, UUIDs are created using uuid, and /dev node are plain strings. Here’s an example of a file system referred to by its label, as shown by the e2label command:

  (mount-point "/home")
  (type "ext4")
  (device (file-system-label "my-home")))

UUIDs are converted from their string representation (as shown by the tune2fs -l command) using the uuid form24, like this:

  (mount-point "/home")
  (type "ext4")
  (device (uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")))

When the source of a file system is a mapped device (see Mapped Devices), its device field must refer to the mapped device name—e.g., "/dev/mapper/root-partition". This is required so that the system knows that mounting the file system depends on having the corresponding device mapping established.

flags (default: '())

This is a list of symbols denoting mount flags. Recognized flags include read-only, bind-mount, no-dev (disallow access to special files), no-suid (ignore setuid and setgid bits), no-atime (do not update file access times), strict-atime (update file access time), lazy-time (only update time on the in-memory version of the file inode), and no-exec (disallow program execution). See Mount-Unmount-Remount in The GNU C Library Reference Manual, for more information on these flags.

options (default: #f)

This is either #f, or a string denoting mount options passed to the file system driver. See Mount-Unmount-Remount in The GNU C Library Reference Manual, for details and run man 8 mount for options for various file systems. Note that the file-system-options->alist and alist->file-system-options procedures from (gnu system file-systems) can be used to convert file system options given as an association list to the string representation, and vice-versa.

mount? (default: #t)

This value indicates whether to automatically mount the file system when the system is brought up. When set to #f, the file system gets an entry in /etc/fstab (read by the mount command) but is not automatically mounted.

needed-for-boot? (default: #f)

This Boolean value indicates whether the file system is needed when booting. If that is true, then the file system is mounted when the initial RAM disk (initrd) is loaded. This is always the case, for instance, for the root file system.

check? (default: #t)

This Boolean indicates whether the file system needs to be checked for errors before being mounted.

create-mount-point? (default: #f)

When true, the mount point is created if it does not exist yet.

mount-may-fail? (default: #f)

When true, this indicates that mounting this file system can fail but that should not be considered an error. This is useful in unusual cases; an example of this is efivarfs, a file system that can only be mounted on EFI/UEFI systems.

dependencies (default: '())

This is a list of <file-system> or <mapped-device> objects representing file systems that must be mounted or mapped devices that must be opened before (and unmounted or closed after) this one.

As an example, consider a hierarchy of mounts: /sys/fs/cgroup is a dependency of /sys/fs/cgroup/cpu and /sys/fs/cgroup/memory.

Another example is a file system that depends on a mapped device, for example for an encrypted partition (see Mapped Devices).

Scheme Procedure: file-system-label str

This procedure returns an opaque file system label from str, a string:

(file-system-label "home")
 #<file-system-label "home">

File system labels are used to refer to file systems by label rather than by device name. See above for examples.

The (gnu system file-systems) exports the following useful variables.

Scheme Variable: %base-file-systems

These are essential file systems that are required on normal systems, such as %pseudo-terminal-file-system and %immutable-store (see below). Operating system declarations should always contain at least these.

Scheme Variable: %pseudo-terminal-file-system

This is the file system to be mounted as /dev/pts. It supports pseudo-terminals created via openpty and similar functions (see Pseudo-Terminals in The GNU C Library Reference Manual). Pseudo-terminals are used by terminal emulators such as xterm.

Scheme Variable: %shared-memory-file-system

This file system is mounted as /dev/shm and is used to support memory sharing across processes (see shm_open in The GNU C Library Reference Manual).

Scheme Variable: %immutable-store

This file system performs a read-only “bind mount” of /gnu/store, making it read-only for all the users including root. This prevents against accidental modification by software running as root or by system administrators.

The daemon itself is still able to write to the store: it remounts it read-write in its own “name space.”

Scheme Variable: %binary-format-file-system

The binfmt_misc file system, which allows handling of arbitrary executable file types to be delegated to user space. This requires the binfmt.ko kernel module to be loaded.

Scheme Variable: %fuse-control-file-system

The fusectl file system, which allows unprivileged users to mount and unmount user-space FUSE file systems. This requires the fuse.ko kernel module to be loaded.

The (gnu system uuid) module provides tools to deal with file system “unique identifiers” (UUIDs).

Scheme Procedure: uuid str [type]

Return an opaque UUID (unique identifier) object of the given type (a symbol) by parsing str (a string):

(uuid "4dab5feb-d176-45de-b287-9b0a6e4c01cb")
 #<<uuid> type: dce bv: …>

(uuid "1234-ABCD" 'fat)
 #<<uuid> type: fat bv: …>

type may be one of dce, iso9660, fat, ntfs, or one of the commonly found synonyms for these.

UUIDs are another way to unambiguously refer to file systems in operating system configuration. See the examples above.

Up: File Systems   [Contents][Index]

10.3.1 Btrfs file system

The Btrfs has special features, such as subvolumes, that merit being explained in more details. The following section attempts to cover basic as well as complex uses of a Btrfs file system with the Guix System.

In its simplest usage, a Btrfs file system can be described, for example, by:

  (mount-point "/home")
  (type "btrfs")
  (device (file-system-label "my-home")))

The example below is more complex, as it makes use of a Btrfs subvolume, named rootfs. The parent Btrfs file system is labeled my-btrfs-pool, and is located on an encrypted device (hence the dependency on mapped-devices):

  (device (file-system-label "my-btrfs-pool"))
  (mount-point "/")
  (type "btrfs")
  (options "subvol=rootfs")
  (dependencies mapped-devices))

Some bootloaders, for example GRUB, only mount a Btrfs partition at its top level during the early boot, and rely on their configuration to refer to the correct subvolume path within that top level. The bootloaders operating in this way typically produce their configuration on a running system where the Btrfs partitions are already mounted and where the subvolume information is readily available. As an example, grub-mkconfig, the configuration generator command shipped with GRUB, reads /proc/self/mountinfo to determine the top-level path of a subvolume.

The Guix System produces a bootloader configuration using the operating system configuration as its sole input; it is therefore necessary to extract the subvolume name on which /gnu/store lives (if any) from that operating system configuration. To better illustrate, consider a subvolume named ’rootfs’ which contains the root file system data. In such situation, the GRUB bootloader would only see the top level of the root Btrfs partition, e.g.:

/                   (top level)
├── rootfs          (subvolume directory)
    ├── gnu         (normal directory)
        ├── store   (normal directory)

Thus, the subvolume name must be prepended to the /gnu/store path of the kernel, initrd binaries and any other files referred to in the GRUB configuration that must be found during the early boot.

The next example shows a nested hierarchy of subvolumes and directories:

/                   (top level)
├── rootfs          (subvolume)
    ├── gnu         (normal directory)
        ├── store   (subvolume)

This scenario would work without mounting the ’store’ subvolume. Mounting ’rootfs’ is sufficient, since the subvolume name matches its intended mount point in the file system hierarchy. Alternatively, the ’store’ subvolume could be referred to by setting the subvol option to either /rootfs/gnu/store or rootfs/gnu/store.

Finally, a more contrived example of nested subvolumes:

/                           (top level)
├── root-snapshots          (subvolume)
    ├── root-current        (subvolume)
        ├── guix-store      (subvolume)

Here, the ’guix-store’ subvolume doesn’t match its intended mount point, so it is necessary to mount it. The subvolume must be fully specified, by passing its file name to the subvol option. To illustrate, the ’guix-store’ subvolume could be mounted on /gnu/store by using a file system declaration such as:

  (device (file-system-label "btrfs-pool-1"))
  (mount-point "/gnu/store")
  (type "btrfs")
  (options "subvol=root-snapshots/root-current/guix-store,\

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.4 Mapped Devices

The Linux kernel has a notion of device mapping: a block device, such as a hard disk partition, can be mapped into another device, usually in /dev/mapper/, with additional processing over the data that flows through it25. A typical example is encryption device mapping: all writes to the mapped device are encrypted, and all reads are deciphered, transparently. Guix extends this notion by considering any device or set of devices that are transformed in some way to create a new device; for instance, RAID devices are obtained by assembling several other devices, such as hard disks or partitions, into a new one that behaves as one partition.

Mapped devices are declared using the mapped-device form, defined as follows; for examples, see below.

Data Type: mapped-device

Objects of this type represent device mappings that will be made when the system boots up.


This is either a string specifying the name of the block device to be mapped, such as "/dev/sda3", or a list of such strings when several devices need to be assembled for creating a new one. In case of LVM this is a string specifying name of the volume group to be mapped.


This string specifies the name of the resulting mapped device. For kernel mappers such as encrypted devices of type luks-device-mapping, specifying "my-partition" leads to the creation of the "/dev/mapper/my-partition" device. For RAID devices of type raid-device-mapping, the full device name such as "/dev/md0" needs to be given. LVM logical volumes of type lvm-device-mapping need to be specified as "VGNAME-LVNAME".


This list of strings specifies names of the resulting mapped devices in case there are several. The format is identical to target.


This must be a mapped-device-kind object, which specifies how source is mapped to target.

Scheme Variable: luks-device-mapping

This defines LUKS block device encryption using the cryptsetup command from the package with the same name. It relies on the dm-crypt Linux kernel module.

Scheme Variable: raid-device-mapping

This defines a RAID device, which is assembled using the mdadm command from the package with the same name. It requires a Linux kernel module for the appropriate RAID level to be loaded, such as raid456 for RAID-4, RAID-5 or RAID-6, or raid10 for RAID-10.

Scheme Variable: lvm-device-mapping

This defines one or more logical volumes for the Linux Logical Volume Manager (LVM). The volume group is activated by the vgchange command from the lvm2 package.

The following example specifies a mapping from /dev/sda3 to /dev/mapper/home using LUKS—the Linux Unified Key Setup, a standard mechanism for disk encryption. The /dev/mapper/home device can then be used as the device of a file-system declaration (see File Systems).

  (source "/dev/sda3")
  (target "home")
  (type luks-device-mapping))

Alternatively, to become independent of device numbering, one may obtain the LUKS UUID (unique identifier) of the source device by a command like:

cryptsetup luksUUID /dev/sda3

and use it as follows:

  (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
  (target "home")
  (type luks-device-mapping))

It is also desirable to encrypt swap space, since swap space may contain sensitive data. One way to accomplish that is to use a swap file in a file system on a device mapped via LUKS encryption. In this way, the swap file is encrypted because the entire device is encrypted. See Disk Partitioning, for an example.

A RAID device formed of the partitions /dev/sda1 and /dev/sdb1 may be declared as follows:

  (source (list "/dev/sda1" "/dev/sdb1"))
  (target "/dev/md0")
  (type raid-device-mapping))

The /dev/md0 device can then be used as the device of a file-system declaration (see File Systems). Note that the RAID level need not be given; it is chosen during the initial creation and formatting of the RAID device and is determined automatically later.

LVM logical volumes “alpha” and “beta” from volume group “vg0” can be declared as follows:

  (source "vg0")
  (targets (list "vg0-alpha" "vg0-beta"))
  (type lvm-device-mapping))

Devices /dev/mapper/vg0-alpha and /dev/mapper/vg0-beta can then be used as the device of a file-system declaration (see File Systems).

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.5 User Accounts

User accounts and groups are entirely managed through the operating-system declaration. They are specified with the user-account and user-group forms:

  (name "alice")
  (group "users")
  (supplementary-groups '("wheel"   ;allow use of sudo, etc.
                          "audio"   ;sound card
                          "video"   ;video devices such as webcams
                          "cdrom")) ;the good ol' CD-ROM
  (comment "Bob's sister"))

Here’s a user account that uses a different shell and a custom home directory (the default would be "/home/bob"):

  (name "bob")
  (group "users")
  (comment "Alice's bro")
  (shell (file-append zsh "/bin/zsh"))
  (home-directory "/home/robert"))

When booting or upon completion of guix system reconfigure, the system ensures that only the user accounts and groups specified in the operating-system declaration exist, and with the specified properties. Thus, account or group creations or modifications made by directly invoking commands such as useradd are lost upon reconfiguration or reboot. This ensures that the system remains exactly as declared.

Data Type: user-account

Objects of this type represent user accounts. The following members may be specified:


The name of the user account.


This is the name (a string) or identifier (a number) of the user group this account belongs to.

supplementary-groups (default: '())

Optionally, this can be defined as a list of group names that this account belongs to.

uid (default: #f)

This is the user ID for this account (a number), or #f. In the latter case, a number is automatically chosen by the system when the account is created.

comment (default: "")

A comment about the account, such as the account owner’s full name.


This is the name of the home directory for the account.

create-home-directory? (default: #t)

Indicates whether the home directory of this account should be created if it does not exist yet.

shell (default: Bash)

This is a G-expression denoting the file name of a program to be used as the shell (see G-Expressions). For example, you would refer to the Bash executable like this:

(file-append bash "/bin/bash")

... and to the Zsh executable like that:

(file-append zsh "/bin/zsh")
system? (default: #f)

This Boolean value indicates whether the account is a “system” account. System accounts are sometimes treated specially; for instance, graphical login managers do not list them.

password (default: #f)

You would normally leave this field to #f, initialize user passwords as root with the passwd command, and then let users change it with passwd. Passwords set with passwd are of course preserved across reboot and reconfiguration.

If you do want to set an initial password for an account, then this field must contain the encrypted password, as a string. You can use the crypt procedure for this purpose:

  (name "charlie")
  (group "users")

  ;; Specify a SHA-512-hashed initial password.
  (password (crypt "InitialPassword!" "$6$abc")))

Note: The hash of this initial password will be available in a file in /gnu/store, readable by all the users, so this method must be used with care.

See Passphrase Storage in The GNU C Library Reference Manual, for more information on password encryption, and Encryption in GNU Guile Reference Manual, for information on Guile’s crypt procedure.

User group declarations are even simpler:

(user-group (name "students"))
Data Type: user-group

This type is for, well, user groups. There are just a few fields:


The name of the group.

id (default: #f)

The group identifier (a number). If #f, a new number is automatically allocated when the group is created.

system? (default: #f)

This Boolean value indicates whether the group is a “system” group. System groups have low numerical IDs.

password (default: #f)

What, user groups can have a password? Well, apparently yes. Unless #f, this field specifies the password of the group.

For convenience, a variable lists all the basic user groups one may expect:

Scheme Variable: %base-groups

This is the list of basic user groups that users and/or packages expect to be present on the system. This includes groups such as “root”, “wheel”, and “users”, as well as groups used to control access to specific devices such as “audio”, “disk”, and “cdrom”.

Scheme Variable: %base-user-accounts

This is the list of basic system accounts that programs may expect to find on a GNU/Linux system, such as the “nobody” account.

Note that the “root” account is not included here. It is a special-case and is automatically added whether or not it is specified.

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.6 Keyboard Layout

To specify what each key of your keyboard does, you need to tell the operating system what keyboard layout you want to use. The default, when nothing is specified, is the US English QWERTY layout for 105-key PC keyboards. However, German speakers will usually prefer the German QWERTZ layout, French speakers will want the AZERTY layout, and so on; hackers might prefer Dvorak or bépo, and they might even want to further customize the effect of some of the keys. This section explains how to get that done.

There are three components that will want to know about your keyboard layout:

Guix allows you to configure all three separately but, fortunately, it allows you to share the same keyboard layout for all three components.

Keyboard layouts are represented by records created by the keyboard-layout procedure of (gnu system keyboard). Following the X Keyboard extension (XKB), each layout has four attributes: a name (often a language code such as “fi” for Finnish or “jp” for Japanese), an optional variant name, an optional keyboard model name, and a possibly empty list of additional options. In most cases the layout name is all you care about.

Scheme Procedure: keyboard-layout name [variant] [#:model] [#:options '()]

Return a new keyboard layout with the given name and variant.

name must be a string such as "fr"; variant must be a string such as "bepo" or "nodeadkeys". See the xkeyboard-config package for valid options.

Here are a few examples:

;; The German QWERTZ layout.  Here we assume a standard
;; "pc105" keyboard model.
(keyboard-layout "de")

;; The bépo variant of the French layout.
(keyboard-layout "fr" "bepo")

;; The Catalan layout.
(keyboard-layout "es" "cat")

;; Arabic layout with "Alt-Shift" to switch to US layout.
(keyboard-layout "ar,us" #:options '("grp:alt_shift_toggle"))

;; The Latin American Spanish layout.  In addition, the
;; "Caps Lock" key is used as an additional "Ctrl" key,
;; and the "Menu" key is used as a "Compose" key to enter
;; accented letters.
(keyboard-layout "latam"
                 #:options '("ctrl:nocaps" "compose:menu"))

;; The Russian layout for a ThinkPad keyboard.
(keyboard-layout "ru" #:model "thinkpad")

;; The "US international" layout, which is the US layout plus
;; dead keys to enter accented characters.  This is for an
;; Apple MacBook keyboard.
(keyboard-layout "us" "intl" #:model "macbook78")

See the share/X11/xkb directory of the xkeyboard-config package for a complete list of supported layouts, variants, and models.

Let’s say you want your system to use the Turkish keyboard layout throughout your system—bootloader, console, and Xorg. Here’s what your system configuration would look like:

;; Using the Turkish layout for the bootloader, the console,
;; and for Xorg.

  ;; ...
  (keyboard-layout (keyboard-layout "tr"))  ;for the console
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")
                (keyboard-layout keyboard-layout))) ;for GRUB
  (services (cons (set-xorg-configuration
                    (xorg-configuration             ;for Xorg
                      (keyboard-layout keyboard-layout)))

In the example above, for GRUB and for Xorg, we just refer to the keyboard-layout field defined above, but we could just as well refer to a different layout. The set-xorg-configuration procedure communicates the desired Xorg configuration to the graphical log-in manager, by default GDM.

We’ve discussed how to specify the default keyboard layout of your system when it starts, but you can also adjust it at run time:

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.7 Locales

A locale defines cultural conventions for a particular language and region of the world (see Locales in The GNU C Library Reference Manual). Each locale has a name that typically has the form language_territory.codeset—e.g., fr_LU.utf8 designates the locale for the French language, with cultural conventions from Luxembourg, and using the UTF-8 encoding.

Usually, you will want to specify the default locale for the machine using the locale field of the operating-system declaration (see locale).

The selected locale is automatically added to the locale definitions known to the system if needed, with its codeset inferred from its name—e.g., bo_CN.utf8 will be assumed to use the UTF-8 codeset. Additional locale definitions can be specified in the locale-definitions slot of operating-system—this is useful, for instance, if the codeset could not be inferred from the locale name. The default set of locale definitions includes some widely used locales, but not all the available locales, in order to save space.

For instance, to add the North Frisian locale for Germany, the value of that field may be:

(cons (locale-definition
        (name "fy_DE.utf8") (source "fy_DE"))

Likewise, to save space, one might want locale-definitions to list only the locales that are actually used, as in:

(list (locale-definition
        (name "ja_JP.eucjp") (source "ja_JP")
        (charset "EUC-JP")))

The compiled locale definitions are available at /run/current-system/locale/X.Y, where X.Y is the libc version, which is the default location where the GNU libc provided by Guix looks for locale data. This can be overridden using the LOCPATH environment variable (see LOCPATH and locale packages).

The locale-definition form is provided by the (gnu system locale) module. Details are given below.

Data Type: locale-definition

This is the data type of a locale definition.


The name of the locale. See Locale Names in The GNU C Library Reference Manual, for more information on locale names.


The name of the source for that locale. This is typically the language_territory part of the locale name.

charset (default: "UTF-8")

The “character set” or “code set” for that locale, as defined by IANA.

Scheme Variable: %default-locale-definitions

A list of commonly used UTF-8 locales, used as the default value of the locale-definitions field of operating-system declarations.

These locale definitions use the normalized codeset for the part that follows the dot in the name (see normalized codeset in The GNU C Library Reference Manual). So for instance it has uk_UA.utf8 but not, say, uk_UA.UTF-8.

10.7.1 Locale Data Compatibility Considerations

operating-system declarations provide a locale-libcs field to specify the GNU libc packages that are used to compile locale declarations (see operating-system Reference). “Why would I care?”, you may ask. Well, it turns out that the binary format of locale data is occasionally incompatible from one libc version to another.

For instance, a program linked against libc version 2.21 is unable to read locale data produced with libc 2.22; worse, that program aborts instead of simply ignoring the incompatible locale data26. Similarly, a program linked against libc 2.22 can read most, but not all, of the locale data from libc 2.21 (specifically, LC_COLLATE data is incompatible); thus calls to setlocale may fail, but programs will not abort.

The “problem” with Guix is that users have a lot of freedom: They can choose whether and when to upgrade software in their profiles, and might be using a libc version different from the one the system administrator used to build the system-wide locale data.

Fortunately, unprivileged users can also install their own locale data and define GUIX_LOCPATH accordingly (see GUIX_LOCPATH and locale packages).

Still, it is best if the system-wide locale data at /run/current-system/locale is built for all the libc versions actually in use on the system, so that all the programs can access it—this is especially crucial on a multi-user system. To do that, the administrator can specify several libc packages in the locale-libcs field of operating-system:

(use-package-modules base)

  ;; …
  (locale-libcs (list glibc-2.21 (canonical-package glibc))))

This example would lead to a system containing locale definitions for both libc 2.21 and the current version of libc in /run/current-system/locale.

Next: , Previous: , Up: System Configuration   [Contents][Index]

10.8 Services

An important part of preparing an operating-system declaration is listing system services and their configuration (see Using the Configuration System). System services are typically daemons launched when the system boots, or other actions needed at that time—e.g., configuring network access.

Guix has a broad definition of “service” (see Service Composition), but many services are managed by the GNU Shepherd (see Shepherd Services). On a running system, the herd command allows you to list the available services, show their status, start and stop them, or do other specific operations (see Jump Start in The GNU Shepherd Manual). For example:

# herd status

The above command, run as root, lists the currently defined services. The herd doc command shows a synopsis of the given service and its associated actions:

# herd doc nscd
Run libc's name service cache daemon (nscd).

# herd doc nscd action invalidate
invalidate: Invalidate the given cache--e.g., 'hosts' for host name lookups.

The start, stop, and restart sub-commands have the effect you would expect. For instance, the commands below stop the nscd service and restart the Xorg display server:

# herd stop nscd
Service nscd has been stopped.
# herd restart xorg-server
Service xorg-server has been stopped.
Service xorg-server has been started.

The following sections document the available services, starting with the core services, that may be used in an operating-system declaration.

Next: , Up: Services   [Contents][Index]

10.8.1 Base Services

The (gnu services base) module provides definitions for the basic services that one expects from the system. The services exported by this module are listed below.

Scheme Variable: %base-services

This variable contains a list of basic services (see Service Types and Services, for more information on service objects) one would expect from the system: a login service (mingetty) on each tty, syslogd, the libc name service cache daemon (nscd), the udev device manager, and more.

This is the default value of the services field of operating-system declarations. Usually, when customizing a system, you will want to append services to %base-services, like this:

Scheme Variable: special-files-service-type

This is the service that sets up “special files” such as /bin/sh; an instance of it is part of %base-services.

The value associated with special-files-service-type services must be a list of tuples where the first element is the “special file” and the second element is its target. By default it is:

`(("/bin/sh" ,(file-append bash "/bin/sh")))

If you want to add, say, /usr/bin/env to your system, you can change it to:

`(("/bin/sh" ,(file-append bash "/bin/sh"))
  ("/usr/bin/env" ,(file-append coreutils "/bin/env")))

Since this is part of %base-services, you can use modify-services to customize the set of special files (see modify-services). But the simple way to add a special file is via the extra-special-file procedure (see below).

Scheme Procedure: extra-special-file file target

Use target as the “special file” file.

For example, adding the following lines to the services field of your operating system declaration leads to a /usr/bin/env symlink:

(extra-special-file "/usr/bin/env"
                    (file-append coreutils "/bin/env"))
Scheme Procedure: host-name-service name

Return a service that sets the host name to name.

Scheme Variable: console-font-service-type

Install the given fonts on the specified ttys (fonts are per virtual console on the kernel Linux). The value of this service is a list of tty/font pairs. The font can be the name of a font provided by the kbd package or any valid argument to setfont, as in this example:

`(("tty1" . "LatGrkCyr-8x16")
  ("tty2" . ,(file-append
  ("tty3" . ,(file-append
                "/share/consolefonts/ter-132n"))) ; for HDPI
Scheme Procedure: login-service config

Return a service to run login according to config, a <login-configuration> object, which specifies the message of the day, among other things.

Data Type: login-configuration

This is the data type representing the configuration of login.


A file-like object containing the “message of the day”.

allow-empty-passwords? (default: #t)

Allow empty passwords by default so that first-time users can log in when the ’root’ account has just been created.

Scheme Procedure: mingetty-service config

Return a service to run mingetty according to config, a <mingetty-configuration> object, which specifies the tty to run, among other things.

Data Type: mingetty-configuration

This is the data type representing the configuration of Mingetty, which provides the default implementation of virtual console log-in.


The name of the console this Mingetty runs on—e.g., "tty1".

auto-login (default: #f)

When true, this field must be a string denoting the user name under which the system automatically logs in. When it is #f, a user name and password must be entered to log in.

login-program (default: #f)

This must be either #f, in which case the default log-in program is used (login from the Shadow tool suite), or a gexp denoting the name of the log-in program.

login-pause? (default: #f)

When set to #t in conjunction with auto-login, the user will have to press a key before the log-in shell is launched.

clear-on-logout? (default: #t)

When set to #t, the screen will be cleared after logout.

mingetty (default: mingetty)

The Mingetty package to use.

Scheme Procedure: agetty-service config

Return a service to run agetty according to config, an <agetty-configuration> object, which specifies the tty to run, among other things.

Data Type: agetty-configuration

This is the data type representing the configuration of agetty, which implements virtual and serial console log-in. See the agetty(8) man page for more information.


The name of the console this agetty runs on, as a string—e.g., "ttyS0". This argument is optional, it will default to a reasonable default serial port used by the kernel Linux.

For this, if there is a value for an option agetty.tty in the kernel command line, agetty will extract the device name of the serial port from it and use that.

If not and if there is a value for an option console with a tty in the Linux command line, agetty will extract the device name of the serial port from it and use that.

In both cases, agetty will leave the other serial device settings (baud rate etc.) alone—in the hope that Linux pinned them to the correct values.

baud-rate (default: #f)

A string containing a comma-separated list of one or more baud rates, in descending order.

term (default: #f)

A string containing the value used for the TERM environment variable.

eight-bits? (default: #f)

When #t, the tty is assumed to be 8-bit clean, and parity detection is disabled.

auto-login (default: #f)

When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password.

no-reset? (default: #f)

When #t, don’t reset terminal cflags (control modes).

host (default: #f)

This accepts a string containing the “login_host”, which will be written into the /var/run/utmpx file.

remote? (default: #f)

When set to #t in conjunction with host, this will add an -r fakehost option to the command line of the login program specified in login-program.

flow-control? (default: #f)

When set to #t, enable hardware (RTS/CTS) flow control.

no-issue? (default: #f)

When set to #t, the contents of the /etc/issue file will not be displayed before presenting the login prompt.

init-string (default: #f)

This accepts a string that will be sent to the tty or modem before sending anything else. It can be used to initialize a modem.

no-clear? (default: #f)

When set to #t, agetty will not clear the screen before showing the login prompt.

login-program (default: (file-append shadow "/bin/login"))

This must be either a gexp denoting the name of a log-in program, or unset, in which case the default value is the login from the Shadow tool suite.

local-line (default: #f)

Control the CLOCAL line flag. This accepts one of three symbols as arguments, 'auto, 'always, or 'never. If #f, the default value chosen by agetty is 'auto.

extract-baud? (default: #f)

When set to #t, instruct agetty to try to extract the baud rate from the status messages produced by certain types of modems.

skip-login? (default: #f)

When set to #t, do not prompt the user for a login name. This can be used with login-program field to use non-standard login systems.

no-newline? (default: #f)

When set to #t, do not print a newline before printing the /etc/issue file.

login-options (default: #f)

This option accepts a string containing options that are passed to the login program. When used with the login-program, be aware that a malicious user could try to enter a login name containing embedded options that could be parsed by the login program.

login-pause (default: #f)

When set to #t, wait for any key before showing the login prompt. This can be used in conjunction with auto-login to save memory by lazily spawning shells.

chroot (default: #f)

Change root to the specified directory. This option accepts a directory path as a string.

hangup? (default: #f)

Use the Linux system call vhangup to do a virtual hangup of the specified terminal.

keep-baud? (default: #f)

When set to #t, try to keep the existing baud rate. The baud rates from baud-rate are used when agetty receives a BREAK character.

timeout (default: #f)

When set to an integer value, terminate if no user name could be read within timeout seconds.

detect-case? (default: #f)

When set to #t, turn on support for detecting an uppercase-only terminal. This setting will detect a login name containing only uppercase letters as indicating an uppercase-only terminal and turn on some upper-to-lower case conversions. Note that this will not support Unicode characters.

wait-cr? (default: #f)

When set to #t, wait for the user or modem to send a carriage-return or linefeed character before displaying /etc/issue or login prompt. This is typically used with the init-string option.

no-hints? (default: #f)

When set to #t, do not print hints about Num, Caps, and Scroll locks.

no-hostname? (default: #f)

By default, the hostname is printed. When this option is set to #t, no hostname will be shown at all.

long-hostname? (default: #f)

By default, the hostname is only printed until the first dot. When this option is set to #t, the fully qualified hostname by gethostname or getaddrinfo is shown.

erase-characters (default: #f)

This option accepts a string of additional characters that should be interpreted as backspace when the user types their login name.

kill-characters (default: #f)

This option accepts a string that should be interpreted to mean “ignore all previous characters” (also called a “kill” character) when the user types their login name.

chdir (default: #f)

This option accepts, as a string, a directory path that will be changed to before login.

delay (default: #f)

This options accepts, as an integer, the number of seconds to sleep before opening the tty and displaying the login prompt.

nice (default: #f)

This option accepts, as an integer, the nice value with which to run the login program.

extra-options (default: '())

This option provides an “escape hatch” for the user to provide arbitrary command-line arguments to agetty as a list of strings.

Scheme Procedure: kmscon-service-type config

Return a service to run kmscon according to config, a <kmscon-configuration> object, which specifies the tty to run, among other things.

Data Type: kmscon-configuration

This is the data type representing the configuration of Kmscon, which implements virtual console log-in.


The name of the console this Kmscon runs on—e.g., "tty1".

login-program (default: #~(string-append #$shadow "/bin/login"))

A gexp denoting the name of the log-in program. The default log-in program is login from the Shadow tool suite.

login-arguments (default: '("-p"))

A list of arguments to pass to login.

auto-login (default: #f)

When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password.

hardware-acceleration? (default: #f)

Whether to use hardware acceleration.

font-engine (default: "pango")

Font engine used in Kmscon.

font-size (default: 12)

Font size used in Kmscon.

kmscon (default: kmscon)

The Kmscon package to use.

Scheme Procedure: nscd-service [config] [#:glibc glibc] [#:name-services '()]

Return a service that runs the libc name service cache daemon (nscd) with the given config—an <nscd-configuration> object. See Name Service Switch, for an example.

For convenience, the Shepherd service for nscd provides the following actions:


This invalidate the given cache. For instance, running:

herd invalidate nscd hosts

invalidates the host name lookup cache of nscd.


Running herd statistics nscd displays information about nscd usage and caches.

Scheme Variable: %nscd-default-configuration

This is the default <nscd-configuration> value (see below) used by nscd-service. It uses the caches defined by %nscd-default-caches; see below.

Data Type: nscd-configuration

This is the data type representing the name service cache daemon (nscd) configuration.

name-services (default: '())

List of packages denoting name services that must be visible to the nscd—e.g., (list nss-mdns).

glibc (default: glibc)

Package object denoting the GNU C Library providing the nscd command.

log-file (default: "/var/log/nscd.log")

Name of the nscd log file. This is where debugging output goes when debug-level is strictly positive.

debug-level (default: 0)

Integer denoting the debugging levels. Higher numbers mean that more debugging output is logged.

caches (default: %nscd-default-caches)

List of <nscd-cache> objects denoting things to be cached; see below.

Data Type: nscd-cache

Data type representing a cache database of nscd and its parameters.


This is a symbol representing the name of the database to be cached. Valid values are passwd, group, hosts, and services, which designate the corresponding NSS database (see NSS Basics in The GNU C Library Reference Manual).

negative-time-to-live (default: 20)

A number representing the number of seconds during which a positive or negative lookup result remains in cache.

check-files? (default: #t)

Whether to check for updates of the files corresponding to database.

For instance, when database is hosts, setting this flag instructs nscd to check for updates in /etc/hosts and to take them into account.

persistent? (default: #t)

Whether the cache should be stored persistently on disk.

shared? (default: #t)

Whether the cache should be shared among users.

max-database-size (default: 32 MiB)

Maximum size in bytes of the database cache.

Scheme Variable: %nscd-default-caches

List of <nscd-cache> objects used by default by nscd-configuration (see above).

It enables persistent and aggressive caching of service and host name lookups. The latter provides better host name lookup performance, resilience in the face of unreliable name servers, and also better privacy—often the result of host name lookups is in local cache, so external name servers do not even need to be queried.

Data Type: syslog-configuration

This data type represents the configuration of the syslog daemon.

syslogd (default: #~(string-append #$inetutils "/libexec/syslogd"))

The syslog daemon to use.

config-file (default: %default-syslog.conf)

The syslog configuration file to use.

Scheme Procedure: syslog-service config

Return a service that runs a syslog daemon according to config.

See syslogd invocation in GNU Inetutils, for more information on the configuration file syntax.

Scheme Variable: guix-service-type

This is the type of the service that runs the build daemon, guix-daemon (see Invoking guix-daemon). Its value must be a guix-configuration record as described below.

Data Type: guix-configuration

This data type represents the configuration of the Guix build daemon. See Invoking guix-daemon, for more information.

guix (default: guix)

The Guix package to use.

build-group (default: "guixbuild")

Name of the group for build user accounts.

build-accounts (default: 10)

Number of build user accounts to create.

authorize-key? (default: #t)

Whether to authorize the substitute keys listed in authorized-keys—by default that of (see Substitutes).

When authorize-key? is true, /etc/guix/acl cannot be changed by invoking guix archive --authorize. You must instead adjust guix-configuration as you wish and reconfigure the system. This ensures that your operating system configuration file is self-contained.

Note: When booting or reconfiguring to a system where authorize-key? is true, the existing /etc/guix/acl file is backed up as /etc/guix/acl.bak if it was determined to be a manually modified file. This is to facilitate migration from earlier versions, which allowed for in-place modifications to /etc/guix/acl.

authorized-keys (default: %default-authorized-guix-keys)

The list of authorized key files for archive imports, as a list of string-valued gexps (see Invoking guix archive). By default, it contains that of (see Substitutes). See substitute-urls below for an example on how to change it.

use-substitutes? (default: #t)

Whether to use substitutes.

substitute-urls (default: %default-substitute-urls)

The list of URLs where to look for substitutes by default.

Suppose you would like to fetch substitutes from in addition to You will need to do two things: (1) add to substitute-urls, and (2) authorize its signing key, having done appropriate checks (see Substitute Server Authorization). The configuration below does exactly that:

   (append (list "")
   (append (list (local-file "./"))

This example assumes that the file ./ contains the public key that uses to sign substitutes.

max-silent-time (default: 0)
timeout (default: 0)

The number of seconds of silence and the number of seconds of activity, respectively, after which a build process times out. A value of zero disables the timeout.

log-compression (default: 'bzip2)

The type of compression used for build logs—one of gzip, bzip2, or none.

discover? (default: #f)

Whether to discover substitute servers on the local network using mDNS and DNS-SD.

extra-options (default: '())

List of extra command-line options for guix-daemon.

log-file (default: "/var/log/guix-daemon.log")

File where guix-daemon’s standard output and standard error are written.

http-proxy (default: #f)

The URL of the HTTP and HTTPS proxy used for downloading fixed-output derivations and substitutes.

It is also possible to change the daemon’s proxy at run time through the set-http-proxy action, which restarts it:

herd set-http-proxy guix-daemon http://localhost:8118

To clear the proxy settings, run:

herd set-http-proxy guix-daemon
tmpdir (default: #f)

A directory path where the guix-daemon will perform builds.

Scheme Procedure: udev-service [#:udev eudev #:rules '()]

Run udev, which populates the /dev directory dynamically. udev rules can be provided as a list of files through the rules variable. The procedures udev-rule, udev-rules-service and file->udev-rule from (gnu services base) simplify the creation of such rule files.

The herd rules udev command, as root, returns the name of the directory containing all the active udev rules.

Scheme Procedure: udev-rule [file-name contents]

Return a udev-rule file named file-name containing the rules defined by the contents literal.

In the following example, a rule for a USB device is defined to be stored in the file 90-usb-thing.rules. The rule runs a script upon detecting a USB device with a given product identifier.

(define %example-udev-rule
    (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
                   "ATTR{product}==\"Example\", "
Scheme Procedure: udev-rules-service [name rules] [#:groups groups]

Return a service that extends udev-service-type with rules and account-service-type with groups as system groups. This works by creating a singleton service type name-udev-rules, of which the returned service is an instance.

Here we show how it can be used to extend udev-service-type with the previously defined rule %example-udev-rule.

 ;; …
   (cons (udev-rules-service 'usb-thing %example-udev-rule)
Scheme Procedure: file->udev-rule [file-name file]

Return a udev file named file-name containing the rules defined within file, a file-like object.

The following example showcases how we can use an existing rule file.

(use-modules (guix download)     ;for url-fetch
             (guix packages)     ;for origin

(define %android-udev-rules
    (let ((version "20170910"))
       (method url-fetch)
       (uri (string-append ""
                           "android-udev-rules/" version "/51-android.rules"))
        (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))

Additionally, Guix package definitions can be included in rules in order to extend the udev rules with the definitions found under their lib/udev/rules.d sub-directory. In lieu of the previous file->udev-rule example, we could have used the android-udev-rules package which exists in Guix in the (gnu packages android) module.

The following example shows how to use the android-udev-rules package so that the Android tool adb can detect devices without root privileges. It also details how to create the adbusers group, which is required for the proper functioning of the rules defined within the android-udev-rules package. To create such a group, we must define it both as part of the supplementary-groups of our user-account declaration, as well as in the groups of the udev-rules-service procedure.

(use-modules (gnu packages android)  ;for android-udev-rules
             (gnu system shadow)     ;for user-group

  ;; …
  (users (cons (user-account
                ;; …
                 '("adbusers"   ;for adb
                   "wheel" "netdev" "audio" "video")))))
  ;; …
    (cons (udev-rules-service 'android android-udev-rules
                              #:groups '("adbusers"))
Scheme Variable: urandom-seed-service-type

Save some entropy in %random-seed-file to seed /dev/urandom when rebooting. It also tries to seed /dev/urandom from /dev/hwrng while booting, if /dev/hwrng exists and is readable.

Scheme Variable: %random-seed-file

This is the name of the file where some random bytes are saved by urandom-seed-service to seed /dev/urandom when rebooting. It defaults to /var/lib/random-seed.

Scheme Variable: gpm-service-type

This is the type of the service that runs GPM, the general-purpose mouse daemon, which provides mouse support to the Linux console. GPM allows users to use the mouse in the console, notably to select, copy, and paste text.

The value for services of this type must be a gpm-configuration (see below). This service is not part of %base-services.

Data Type: gpm-configuration

Data type representing the configuration of GPM.

options (default: %default-gpm-options)

Command-line options passed to gpm. The default set of options instruct gpm to listen to mouse events on /dev/input/mice. See Command Line in gpm manual, for more information.

gpm (default: gpm)

The GPM package to use.

Scheme Variable: guix-publish-service-type

This is the service type for guix publish (see Invoking guix publish). Its value must be a guix-publish-configuration object, as described below.

This assumes that /etc/guix already contains a signing key pair as created by guix archive --generate-key (see Invoking guix archive). If that is not the case, the service will fail to start.

Data Type: guix-publish-configuration

Data type representing the configuration of the guix publish service.

guix (default: guix)

The Guix package to use.

port (default: 80)

The TCP port to listen for connections.

host (default: "localhost")

The host (and thus, network interface) to listen to. Use "" to listen on all the network interfaces.

advertise? (default: #f)

When true, advertise the service on the local network via the DNS-SD protocol, using Avahi.

This allows neighboring Guix devices with discovery on (see guix-configuration above) to discover this guix publish instance and to automatically download substitutes from it.

compression (default: '(("gzip" 3) ("zstd" 3)))

This is a list of compression method/level tuple used when compressing substitutes. For example, to compress all substitutes with both lzip at level 7 and gzip at level 9, write:

'(("lzip" 7) ("gzip" 9))

Level 9 achieves the best compression ratio at the expense of increased CPU usage, whereas level 1 achieves fast compression. See Invoking guix publish, for more information on the available compression methods and the tradeoffs involved.

An empty list disables compression altogether.

nar-path (default: "nar")

The URL path at which “nars” can be fetched. See --nar-path, for details.

cache (default: #f)

When it is #f, disable caching and instead generate archives on demand. Otherwise, this should be the name of a directory—e.g., "/var/cache/guix/publish"—where guix publish caches archives and meta-data ready to be sent. See --cache, for more information on the tradeoffs involved.

workers (default: #f)

When it is an integer, this is the number of worker threads used for caching; when #f, the number of processors is used. See --workers, for more information.

cache-bypass-threshold (default: 10 MiB)

When cache is true, this is the maximum size in bytes of a store item for which guix publish may bypass its cache in case of a cache miss. See --cache-bypass-threshold, for more information.

ttl (default: #f)

When it is an integer, this denotes the time-to-live in seconds of the published archives. See --ttl, for more information.

Scheme Procedure: rngd-service [#:rng-tools rng-tools] [#:device "/dev/hwrng"]

Return a service that runs the rngd program from rng-tools to add device to the kernel’s entropy pool. The service will fail if device does not exist.

Scheme Procedure: pam-limits-service [#:limits '()]

Return a service that installs a configuration file for the pam_limits module. The procedure optionally takes a list of pam-limits-entry values, which can be used to specify ulimit limits and nice priority limits to user sessions.

The following limits definition sets two hard and soft limits for all login sessions of users in the realtime group:

  (pam-limits-entry "@realtime" 'both 'rtprio 99)
  (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))

The first entry increases the maximum realtime priority for non-privileged processes; the second entry lifts any restriction of the maximum address space that can be locked in memory. These settings are commonly used for real-time audio systems.

Another useful example is raising the maximum number of open file descriptors that can be used:

  (pam-limits-entry "*" 'both 'nofile 100000)))

In the above example, the asterisk means the limit should apply to any user. It is important to ensure the chosen value doesn’t exceed the maximum system value visible in the