This guide is a literate program to help you bootstrap a working guix home install onto your Librem 5 running PureOS. Guix System does not yet support the Librem 5, but you can still install the guix package manager on the Librem 5. I detail here everything I touched in PureOS, and leave the rest of the guix hacking to you. The Librem 5 has only ~30GiB of internal memory, so this process puts guix, as well as all of your personal files, on a μSD, which I assume from here on that you have already inserted. There is no garuntee that it will work, especially as systems change and get updated, and you should understand/test each line before running it. In theory, you should be able to open your new Librem 5 and obtain this program by running (in ~):

sudo bash -c "apt update && apt upgrade -y && apt install emacs -y"
emacs --eval '(eww "zacchae.us/guix-usd.org")' -f org-mode

Convenience blocks for getting more screen realestate in gui (use C-c C-c).

(tool-bar-mode -1)
(menu-bar-mode -1)
(toggle-frame-fullscreen)

or tui (launching emacs with -nw)

(xterm-mouse-mode)
(menu-bar-mode -1)

Make this buffer a local copy and enable edits

(write-file "~/guix-usd.org")
(kill-buffer "guix-usd.org")
(find-file "~/guix-usd.org")

and generate the script files

(org-babel-tangle)

In theory, you should be able to run the following to get a working guix home, but this is not recommended until a later, more stable version of guix-usd.org. For now, this file is more of a reference.

./guix-usd.org
./guix-usd.bootstrap
./guix-usd.configure

This should leave you with a functional home.scm which you can start from. However, you may end up with a bricked device that must be re-flashed, which is difficult to do from Guix. There will be no warnings printed from the code, and I unashamedly pass "force" flags to make dangerous operations go through. I do try to highlight dangers in the text here, so it is "slightly" safer if you read along and do things manually. Additionally, some operations are performed (like appending to /etc/crypttab) that may break your system if run twice without reverting files. If by some miracle, you follow this guide and end up with a working device, you will have a setup like the following:

• At boot, when you decrypt your Librem 5's eMMC memory (i.e. /), it will attempt to decrypt your μSD using a key file located in /etc.
• If the μSD decrypts successfully, then it will mount btrfs subvolumes from the decrypted μSD at /home, /gnu, and /var/guix.
• This means your home, the guix store, and current state of guix are all stored on your μSD.
• If the μSD fails to decrypt, then:
  • /gnu and /var/guix will fail to mount.
    • guix will be unusable
  • /home will be mounted from a file

We will be setting up the entire μSD as a singular encrypted device with a btrfs filesystem and subvolumes to hold guix and your files

sudo bash -c "apt update && apt upgrade -y && apt install btrfs-progs guix"

The μSD encryption keys will be in /etc/luks-keys, and we will need mount points for guix folders /gnu and /var/guix

sudo mkdir /etc/luks-keys /gnu /var/guix
sudo chmod o-rwx /etc/luks-keys

To my knowledge, there is no way to prompt the user for a second encryption passphrase for the μSD at boot, hence the only way to decrypt the μSD at boot is to have a key file stored in your file tree. This means that even if you remove your μSD, if you unlock your phone, then the keys to your μSD could be extracted from your phone. Additionally, the following will erase any data which was previously on the μSD.

sudo dd if=/dev/urandom of=/etc/luks-keys/disk_secret_key bs=512 count=8
echo Encrypting device.  Enter passphrase below (a few times).
echo This passphrase will be usable in addition to the key file at:
echo /etc/luks-key/disk_secret_key
sudo umount /dev/sda*
sudo cryptsetup luksFormat /dev/sda --batch-mode
sudo cryptsetup luksAddKey /dev/sda /etc/luks-keys/disk_secret_key

Open (map) the encrypted μSD, reformat the contents as btrfs, mount the mapped device, and create subvolumes for /home, /gnu, and /var/guix. Additionally, copy over all files from your home directory as a starting point for your new home directory.

sudo cryptsetup open /dev/sda crypt_sd --key-file=/etc/luks-keys/disk_secret_key
sudo mkfs.btrfs --force /dev/mapper/crypt_sd -L btros
sudo mount LABEL=btros /mnt
sudo btrfs subvolume create /mnt/home
sudo btrfs subvolume create /mnt/gnu
sudo btrfs subvolume create /mnt/varguix
sudo cp -a /home/purism /mnt/home/
sudo umount /mnt

The following describes the steps to decrypt and mount your now-set-up μSD at boot.

This section assumes you have successfully done all the steps described above and rebooted. First, you should do a guix pull as your user, and additionally as root.

su -c "guix pull" purism
/home/purism/.config/guix/current/bin/guix pull
guix archive --authorize < \
    ~root/.config/guix/current/share/guix/bordeaux.guix.gnu.org.pub

Now that root's guix has been setup, you should modify the systemd unit file to use root's guix-daemon.

sed -i 's/\/usr\/bin\/guix-daemon/\/var\/guix\/profiles\/per-user\/root\/current-guix\/bin\/guix-daemon/' /lib/systemd/system/guix-daemon.service
systemctl daemon-reload
systemctl restart guix-daemon

This isn't strictly necessary, but I like that I can update guix-daemon with sudo -i guix pull. This is also helpful because the current (as of this writing) version of guix installed by apt does not check bordeaux.guix.gnu.org for substitutes, something extremely necessary for tiny arm devices that have little RAM. You can, however, enable bordeaux.guix.gnu.org by adding "–substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'" to the "ExecStart" feild of /lib/systemd/system/guix-daemon.service instead.

One other problem I came across is that guix home environment variable initialization fails to properly deal with empty variables. There are ways to fix this by modifying guix-home, but looking at https://issues.guix.gnu.org/61982, it seems that they have decided to make changes to how guix is installed on foreign distros. This means even if you guix pull after this is patched, guix home will probably not work properly until the next major release is adopted in your apt repo.

Specifically, ~/.guix-home/setup-environment will assign to the empty XDG_CONFIGDIRS variable without adding the default "/etc/xdg" value, so programs like phosh will not find /etc/xdg and fail to start. This means if you naively install guix home on your new Librem 5, you will get a black screen on boot…

To address this, I add the following line to my shell environment to set XDG_CONFIGDIRS to the default value in the case that it is empty.

("XDG_CONFIG_DIRS" . "$([ -z $XDG_CONFIG_DIRS ] 2> /dev/null && echo /etc/xdg || echo $XDG_CONFIG_DIRS)")

From here you should be able to use the following starter home.scm at ./home.scm (not tested with bash).

(use-modules (gnu packages)
                 (gnu services)
                 (gnu home services shells)
                 (guix gexp))
(home-environment
  (packages (map specification->package (list "emacs" "screen" "glibc-locales" "syncthing" "guile")))
  (services
        (list
          (service
            home-bash-service-type
            (home-bash-configuration
              (environment-variables
               '(("XDG_CONFIG_DIRS" . "$([ -z $XDG_CONFIG_DIRS ] 2> /dev/null && echo /etc/xdg || echo $XDG_CONFIG_DIRS)")))))
          (service
            home-zsh-service-type
            (home-zsh-configuration
              (environment-variables
               '(("GUIX_LOCPATH" . "$HOME/.guix-home/profile/lib/locale")))
              ;(zshrc (list (plain-file "zshrc" "source $HOME/.guix-home/setup-environment\n")))
              (zlogin (list (plain-file "zlogin" "XDG_CONFIG_DIRS=\"$XDG_CONFIG_DIRS\":/etc/xdg\n"))))))))

And initialize your first home environment!

su -c 'guix home reconfigure home.scm' purism

If you messed something up, and know what you did, you may want to try fixing your problem using Jumpdrive instead: https://github.com/dreemurrs-embedded/Jumpdrive This will allow you to mount your powered off Librem like a flash drive and make changes to fix your device.

I don't have any automated solution for flashing a librem from guix, but I have figured out how to do it. To do so, I mostly followed the instructions at https://developer.puri.sm/Librem5/Development_Environment/Phone/Troubleshooting/Reflashing_the_Phone.html. First, I cloned the librem 5 flash image repository

git clone https://source.puri.sm/Librem5/librem5-flash-image

The main hiccup here is that the jenkins package required by the flashing script has not been packaged for guix. To make it work, I manually made changes to scripts/librem5-flash-image: comment lines 23-27, 461-484, and add `uboot<sub>board</sub> = 'librem5'` to line 485 (line numbers may have changed since).

Then, I manually tried to traverse https://arm01.puri.sm/ to find some images, and downloaded the necessary images

mkdir imdir
wget https://arm01.puri.sm/job/Images/job/Image%20Build/14006/artifact/librem5r4.img.xz
xz -d librem5r4.img.xz
mv librem5r4.img imdir
wget https://arm01.puri.sm/job/u-boot_builds/job/uboot_librem5_build/lastSuccessfulBuild/artifact/output/uboot-librem5/u-boot-librem5.imx
mv u-boot-librem5.imx imdir/

Then, from a ROOT SHELL, I activated a guix shell, and downloaded necessary packages from pip:

cd librem5-flash-image
guix shel python gcc musl python-requests binutils usbutils uuu --pure
python3 -m venv venv --upgrade-deps --system-site-packages
source ./venv/bin/activate
pip3 install tqdm pyyaml
./scripts/librem5-flash-image --skip-download --dir ./imdir

Now spawn a syncthing daemon, and take note of the

syncthing

• better syncthing automation
• changing username
• fewer apt dependencies
  • switch to guix installer from apt
• auto screen change
• change screen timout
• exwm?
• guix usd service extends syncthing service
  • controls pureos install
• make syncthing useable as root. Make user passeable?