NBDE Channel

This repository provides the Guix-side pieces for network-bound disk encryption:

• nbde/packages/crypto.scm Package definitions for luksmeta, tang, and clevis.
• nbde/services/tang.scm A standalone Tang service for Guix systems.
• nbde/system/mapped-devices.scm A Clevis-backed mapped-device kind with manual cryptsetup fallback.
• nbde/system/initrd.scm A helper around raw-initrd for early-boot Clevis support.
• examples/phase0-system.scm Minimal reference system using the Clevis-backed mapped-device kind and custom initrd.

It now also carries the first Tribes deployment substrate:

• tribes/packages/release.scm A deployment-bridge package wrapper for a prebuilt Tribes release tree.
• tribes/packages/source.scm A real source-built Tribes package that produces a production release from a vendored Mix dependency tree plus local Parrhesia source.
• tribes/services/tribes.scm Shepherd service, runtime environment wiring, and account/activation setup for a Tribes node.
• tribes/system/node.scm A higher-level service bundle that wires PostgreSQL plus the Tribes service.
• tribes/system/installer.scm Installer-facing OS constructor for NBDE-installed Tribes nodes.
• nbde/system/installed-base.scm Shared base installed-system constructor used by both the minimal NBDE flow and the Tribes-specific installer path.

Current development status:

1. luksmeta, tang, and clevis build successfully on pguix.
2. A disposable Tang + LUKS smoke test passes.
3. A QEMU Phase-0 system with encrypted root now boots unattended through Clevis/Tang and reaches a login prompt.

For pinned bootstrap usage, generate a channels.scm that combines upstream Guix with this repository's current commit.

The deployment scripts default to the checked-in base-channel lock at ../pins/base-channels.scm, and only fall back to the current host's guix describe -f channels output when that file is absent. Refresh that lock intentionally with scripts/update-base-channels-pin.