NBDE Channel

This repository provides the Guix-side pieces for network-bound disk encryption:

• nbde/packages/crypto.scm Package definitions for luksmeta, tang, and clevis.
• nbde/services/tang.scm A standalone Tang service for Guix systems.
• nbde/system/mapped-devices.scm A Clevis-backed mapped-device kind with manual cryptsetup fallback.
• nbde/system/initrd.scm A helper around raw-initrd for early-boot Clevis support.
• examples/phase0-system.scm Minimal reference system using the Clevis-backed mapped-device kind and custom initrd.

It now also carries the first Tribes deployment substrate:

• tribes/packages/release.scm A deployment-bridge package wrapper for a prebuilt Tribes release tree.
• tribes/packages/source.scm A real source-built Tribes package that produces a production release from vendored Mix and npm dependency trees plus local Parrhesia source. Local-source builds accept hash overrides via TRIBES_MIX_DEPS_SHA256, TRIBES_RAW_MIX_DEPS_SHA256, and TRIBES_NPM_DEPS_SHA256.
• tribes/services/tribes.scm Shepherd service, runtime environment wiring, and account/activation setup for a Tribes node.
• tribes/system/node.scm A higher-level service bundle that wires PostgreSQL plus the Tribes service.
• tribes/system/installer.scm Installer-facing OS constructor for NBDE-installed Tribes nodes.
• nbde/system/installed-base.scm Shared base installed-system constructor used by both the minimal NBDE flow and the Tribes-specific installer path.

Current development status:

1. luksmeta, tang, and clevis build successfully on pguix.
2. A disposable Tang + LUKS smoke test passes.
3. A QEMU Phase-0 system with encrypted root now boots unattended through Clevis/Tang and reaches a login prompt.

For pinned bootstrap usage, generate a channels.scm that combines the pinned upstream Guix channel with this repository's current commit.

Two checked-in channel files serve different purposes:

• pins/base-channels.sexp: upstream Guix pin only, used for guix pull -C and related bootstrap tooling
• pins/legion-channels.sexp: Legion/builder default channel set, containing the pinned upstream Guix channel plus the default tribes channel metadata

Refresh the upstream Guix pin intentionally with ./scripts/update-base-channels-pin, then update pins/legion-channels.sexp to keep its guix entry aligned.

The current Legion kexec image path is based on:

• examples/build-host-kexec-installer.scm
• nbde/system/build-host-kexec-installer.scm

That build-host installer is the active kexec image definition used for Legion deployment bootstrapping.