## NBDE Channel

This repository provides the Guix-side pieces for network-bound disk
encryption:

- `nbde/packages/crypto.scm`
  Package definitions for `luksmeta`, `tang`, and `clevis`.
- `nbde/services/tang.scm`
  A standalone Tang service for Guix systems.
- `nbde/system/mapped-devices.scm`
  A Clevis-backed mapped-device kind with manual `cryptsetup` fallback.
- `nbde/system/initrd.scm`
  A helper around `raw-initrd` for early-boot Clevis support.
- `examples/phase0-system.scm`
  Minimal reference system using the Clevis-backed mapped-device kind and
  custom initrd.

It now also carries the first Tribes deployment substrate:

- `tribes/packages/release.scm`
  A deployment-bridge package wrapper for a prebuilt Tribes release tree.
- `tribes/packages/source.scm`
  A real source-built Tribes package that produces a production release from a
  vendored Mix dependency tree plus local Parrhesia source.
- `tribes/services/tribes.scm`
  Shepherd service, runtime environment wiring, and account/activation setup
  for a Tribes node.
- `tribes/system/node.scm`
  A higher-level service bundle that wires PostgreSQL plus the Tribes service.
- `tribes/system/installer.scm`
  Installer-facing OS constructor for NBDE-installed Tribes nodes.
- `nbde/system/installed-base.scm`
  Shared base installed-system constructor used by both the minimal NBDE flow
  and the Tribes-specific installer path.

Current development status:

1. `luksmeta`, `tang`, and `clevis` build successfully on `pguix`.
2. A disposable Tang + LUKS smoke test passes.
3. A QEMU Phase-0 system with encrypted root now boots unattended through
   Clevis/Tang and reaches a login prompt.

For pinned bootstrap usage, generate a `channels.scm` that combines upstream
Guix with this repository's current commit.

The deployment scripts default to the checked-in base-channel lock at
`pins/base-channels.sexp`.  Refresh that lock intentionally with
`../guix-deploy/scripts/update-base-channels-pin`.