## NBDE Channel

This repository provides the Guix-side pieces for network-bound disk
encryption:

- `nbde/packages/crypto.scm`
  Package definitions for `luksmeta`, `tang`, and `clevis`.
- `nbde/services/tang.scm`
  A standalone Tang service for Guix systems.
- `nbde/system/mapped-devices.scm`
  A Clevis-backed mapped-device kind with manual `cryptsetup` fallback.
- `nbde/system/initrd.scm`
  A helper around `raw-initrd` for early-boot Clevis support.
- `examples/phase0-system.scm`
  Minimal reference system using the Clevis-backed mapped-device kind and
  custom initrd.

Current development status:

1. `luksmeta`, `tang`, and `clevis` build successfully on `pguix`.
2. A disposable Tang + LUKS smoke test passes.
3. A QEMU Phase-0 system with encrypted root now boots unattended through
   Clevis/Tang and reaches a login prompt.

For pinned bootstrap usage, generate a `channels.scm` that combines upstream
Guix with this repository's current commit.