NBDE Channel

This repository provides the Guix-side pieces for network-bound disk encryption:

  • nbde/packages/crypto.scm: Package definitions for luksmeta, tang, and clevis.
  • nbde/services/tang.scm: A standalone Tang service for Guix systems.
  • nbde/system/mapped-devices.scm: A Clevis-backed mapped-device kind with manual cryptsetup fallback.
  • nbde/system/initrd.scm: A helper around raw-initrd for early-boot Clevis support.
  • examples/phase0-system.scm: Minimal reference system using the Clevis-backed mapped-device kind and custom initrd.

Current development status:

  1. luksmeta, tang, and clevis build successfully on pguix.
  2. A disposable Tang + LUKS smoke test passes.
  3. A QEMU Phase-0 system with encrypted root now boots unattended through Clevis/Tang and reaches a login prompt.

For pinned bootstrap usage, generate a channels.scm that combines upstream Guix with this repository's current commit.

The deployment scripts default to the checked-in base-channel lock at ../pins/base-channels.scm, and only fall back to the current host's guix describe -f channels output when that file is absent. Refresh that lock intentionally with scripts/update-base-channels-pin.
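
The pinned channels.scm and the lock-then-host fallback described above can be sketched as follows. This is an added example, not one of the repository's scripts; the channel name nbde, the function names, and the URL argument are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's own deployment script.
# Assumptions: channel name "nbde", caller-supplied repository URL.

# Print the base channel list: the checked-in lock if present, otherwise
# whatever the current host's Guix reports (the fallback the README describes).
base_channels() {
    lock=$1
    if [ -f "$lock" ]; then
        cat "$lock"
    else
        echo "warning: $lock absent, pinning to this host's guix" >&2
        guix describe -f channels
    fi
}

# Accept only a full 40-hex commit id, so a branch name or an abbreviated
# hash can never end up in the pin.
is_full_commit() {
    [ "${#1}" -eq 40 ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
}

# render_channels NAME URL COMMIT LOCK -> channels.scm text on stdout.
# The result is (cons <this channel> <base channel list>).
render_channels() {
    name=$1 url=$2 commit=$3 lock=$4
    is_full_commit "$commit" || { echo "not a full commit id: $commit" >&2; return 1; }
    base=$(base_channels "$lock") || return 1
    [ -n "$base" ] || { echo "empty base channel list" >&2; return 1; }
    printf '(cons (channel\n'
    printf "       (name '%s)\n" "$name"
    printf '       (url "%s")\n' "$url"
    printf '       (commit "%s"))\n' "$commit"
    printf '      %s)\n' "$base"
}

# Usage, from a checkout of this repository: sh gen-channels.sh URL > channels.scm
if [ "$#" -eq 1 ]; then
    render_channels nbde "$1" "$(git rev-parse HEAD)" ../pins/base-channels.scm
fi
```

The generated entry carries no channel introduction because the page gives none, so the commit pin fixes which revision is fetched but does not make Guix authenticate the channel's commits.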