thisago's blog

Guix, I Missed You

Table of Contents

Inspired by the previous post I just wrote.

Context

My main system is QubesOS, a great system built on top of Xen, which provides seamless virtualized environments.

QubesOS provides a IaC API for orchestrating the qubes1 via SaltStack.

I like this stuff but managing the infra from Dom0 ("Xen's host") feels creepy.

Dom0 has no network, it is not intended to be personalized with custom apps, so the UX might not be the best.

Yeah, I can use Fedora's package manager on it, because Qubes implements a convenient proxy to connect it to a network provider qube, but still not the best scenario.

So I remembered about Guix.

How Guix Enters

Guix is pretty aligned on what I like:

  • Emacs
  • Libre software
  • Not mainstream
  • GNU

In some past, Guix was my main OS for some time. I ended replacing it back with the good old Debian because of the NVIDIA firmwares. (which BTW, Qubes brought me the same issue from the past. Can't run from this anymore)

Guix in QubesOS

I'm returning to Guix, to setup it in a TemplateVM at QubesOS, to make all my AppVMs (the "user's VM") be configured by Guix.

AppVMs have a persistent /home/user, but a disposable root filesystem, which is persisted by TemplateVM.

This would bring me a situation where all changes made on /gnu/store from AppVMs will be lost at reboot, and persisted only if changed from the TemplateVM.

Not a real issue to me because my VMs are pretty much the same with exception of the secrets managed with pass.
And right now, when I install something at system-level at AppVMs, for example with Fedora's package manager, it get lost at reboot. So I have to make persistent chages at system-level in the TemplateVM.

The only issue I am figuring out how to solve is the need of internet to install Guix and it's packages on the TemplateVM.

By design, TemplateVMs should have no internet access, and we should avoid executing things from there, because in the case of having a malicious a binary, it won't infect the TemplateVM, but only the AppVMs took from this TemplateVM, which could run this binary.

The other alternative I have is to install Guix at user-level on each AppVM, as Solene shown for Nix, but:

  • I'm not sure if Guix daemon works well without root. Still researching.
  • A substitution server would be needed because the same packages will be downloaded and/or built multiple times across the AppVMs.
  • The TemplateVM gets unused, as my main use for it is to manage system packages.

Outcome

My goal is build something like:

  • SaltStack setups VMs (Qubes only)
    • Guix setups subsystem (ie, bare Debian)
      • Chezmoi setups dotfiles (ie, Termux)

And after having this infrastructure, I will consider to replace Chezmoi by Guix home, but right now, Chezmoi is doing a nice job and fits very well.

Outro

I want to keep the blog more active. Despite it might be somewhat raw, it is human made :)

Thanks again for reading.

Edit: I gotcha

The plan was fulfilled haha

didTwoBlogPostsToday.svg

Figure 1: Today's plan at magit-blame mode.

Footnotes:

1

the VMs or DomU in Xen

See the source code here.
Generated at 2025-11-02 Sun 21:38 by Emacs 29.4 (Org mode 9.6.15)