etc: Add AppArmor profile for the guix command.

* etc/apparmor.d/guix: New file.
* Makefile.am (nodist_apparmor_profile_DATA): Add it.

Change-Id: I3d61238203d7663ce582717f8e4eac4c6f679928
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

etc: Add AppArmor profile for the daemon.

* .gitignore: Add etc/apparmor.d/tunables/guix.
* Makefile.am (nodist_apparmor_profile_DATA)
(nodist_apparmor_profile_tunables_DATA): Define it.
* configure.ac: Generate etc/apparmor.d/tunables/guix. Add
--with-apparmor-profile-dir option.
* etc/apparmor.d/guix-daemon: New file.
* etc/apparmor.d/tunables/guix.in: New file.
* doc/guix.texi: Document AppArmor profiles.
* gnu/packages/package-management.scm (guix): Add future changes commented.

Change-Id: Iac7df9d642383cc46a2d450c3badef31199ab041
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

guix-daemon.service.in: Make service restartable.

Currently the service cannot be restarted, because the gnu store mount makes
it read-only. So fix this by removing the mount when starting the service.

"-" to accept failures, in case the command doesn't finish successfully,
chances are, the store can be mounted as RW, so continue.
"+" to run as root

Fixes: #4744

* etc/guix-daemon.service.in
(Service)<ExecStartPre>: Stop gnu-store.mount
(Service)<ExecStartPost>: Start gnu-store.mount

Change-Id: I296f5d8805497f8a7364b68d627eb6d4fc05dbff

gnu: pius: Update to 3.0.0-0.5f7c10b.

* gnu/packages/gnupg.scm (pius)[source]: Switch to git-fetch.
[build-system]: Switch to pyproject-build-system.
[arguments]<#:check>: Execute project test script.
[native-inputs]: Add python-setuptools.
[home-page]: Update url.

Change-Id: I8d1228789cde2de4dda67a07f9859bb47e510608
Signed-off-by: Cayetano Santos <csantosb@inventati.org>
Modified-by: Cayetano Santos <csantosb@inventati.org>

gnu: Add hare-mcron.

* gnu/packages/hare-apps.scm (hare-mcron): New variable.

Change-Id: I324f5711cf359ac996111f6adcb71db5ff68dda5

gnu: trealla: Update to 2.88.1.

* gnu/packages/prolog.scm (trealla): Update to 2.88.1.

Change-Id: I8770e77950a53ef0284fe50248bed5fab01d70a0

services: Modernize redis service.

* gnu/services/databases.scm
(redis-configuration): Rewrite using `define-configuration'.
(redis-shepherd-service): Honor it.
* doc/guix.texi (Database Services) <redis>: Regenerate
documentation.

Change-Id: I5b99822ca3d8d23fb5133497d00eada0336d0c65
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Merges: #2158

gnu: shepherd@1.0: Don't inherit package arguments.

Followup to e1038aee6da92263f0c3d2fdb91d46ee5b63d2ec.

Previously when cross compiling the fibers directory was reset to fibers 1.3
because evaluating the arguments of shepherd@0.10 with '(package-arguments
shepherd-0.10)' kept the reference to the fibers input of shepherd@0.10.

Work around this by not using 'substitute-keyword-arguments' and replacing
'this-package-input' with 'search-input-file'.

* gnu/packages/admin.scm (shepherd-1.0)[arguments]:
Replace 'substitute-keyword-arguments' with explicit arguments.
Use search-input-file in 'set-fibers-directory phase to search for the cross fibers.

Change-Id: Ia1061d8cea531569385f4a0136cfd22f27ce5a0e
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Merges: #4672

archive: Make /etc/guix/signing-key.* readable by ‘guix-daemon’.

The manual suggests running ‘guix archive --generate-key’ as root, but that
would lead to root-owned /etc/guix/signing-key.{pub,sec}, with the secret key
unreadable by the unprivileged guix-daemon.  This fixes it.

Reported in guix/guix#4844.

* guix/scripts/archive.scm (generate-key-pair)[ensure-daemon-ownership]: New
procedure.
Use it for ‘%public-key-file’, ‘%private-key-file’, and their parent
directory.

Reported-by: Rutherther <rutherther@ditigal.xyz>
Change-Id: I7ae980bfd40078fb7ef27a193217b15f366d5d50
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Merges: #4958

authenticate: Report failure to load keys to the daemon.

Previously, when failing to load a signing key, ‘guix authenticate’ would
print a backtrace and exit with a non-zero code.  That, in turn, would lead
the guix-daemon child process to crash with:

  nix/libutil/serialise.cc:15: virtual nix::BufferedSink::~BufferedSink(): Assertion `!bufPos' failed.

This patch fixes it by reporting the error to the daemon as was intended.

* guix/scripts/authenticate.scm (guix-authenticate): Arrange to call
‘load-key-pair’ from within ‘with-reply’.
* tests/guix-authenticate.sh: Test it.

Fixes: guix/guix#4928
Reported-by: Rutherther <rutherther@ditigal.xyz>
Change-Id: I8654ad6fdfbe18c55e1e85647d0c49f408d0574a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Merges: #4961

authenticate: Improve error replies.

* guix/scripts/authenticate.scm (guix-authenticate)[send-reply]: Wrap guard in
‘with-fluids’.  Call ‘string-trim-right’ on the message string of ‘c’.

Change-Id: I6ab5f645f2dc9d6f53bb57eabb4de1df8212892f
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

doc: Fix typo.

* doc/guix.texi (Mapped Devices): Fix typo.

Change-Id: I72a5e0e651e3926def0bd5fdb67ccc01cc8a2041
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

maint: Adjust final inputs self contained check for changes.

The check script has been failing, %final-inputs have been changed
to a procedure that takes the system.

* build-aux/check-final-inputs-self-contained.scm
(final-inputs): Call %final-inputs procedure with system.

Change-Id: Id4d40387e669c996a380f64c73432d916915ead5
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

scripts: system: Do not pull checkouts for same commit.

In case a user reconfigures to the same commit, do not
update cached checkout unnecessarily.

* guix/scripts/system/reconfigure.scm (channel-relations): Return early for
matching old and new commits.

Change-Id: Ia4b7300bbce40f7d809946dd3514715b74cd17f9
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

daemon: Ensure store is writable even as non-root.

If the store is read only, return an error early.
This is bit of a compromise. Not all operations of the daemon need the store
as writable. For example, if hello package is built already `guix build hello`
could previously succeed even if store is RO.

* nix/libstore/local-store.cc
(makeStoreWritable): Rename to ensureStoreWritable.
(ensureStoreWritable): As non-root, check that the store is writable and if
not, throw an error.
(LocalStore::LocalStore): Use it.

* nix/libstore/local-store.hh: Rename makeStoreWritable to ensureStoreWritable.

Change-Id: I94783ba7e32d57bfa77e37e84b6ac316f95e31e2
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

gnu: drawterm: Update to 20251123.

* gnu/packages/plan9.scm (drawterm): Update to 20251123.
(drawterm-wayland)[inputs]: Add libdecor.

Closes: guix/guix#4894
Change-Id: Ibd869ee9acfb5d6aef0d58c13f6477fc2ac8ba47
Signed-off-by: 宋文武 <iyzsong@member.fsf.org>

gnu: labwc: Update to 0.9.3.

* gnu/packages/wm.scm (labwc): Update to 0.9.3.

Closes: guix/guix#4981
Change-Id: I3f80aed5a365b2713dc9f5f0272bb225f3004c5e
Signed-off-by: 宋文武 <iyzsong@member.fsf.org>

gnu: nml: Update to 0.8.1.

* gnu/packages/game-development.scm (nml): Update to 0.8.1.
[arguments]: Fix test phase.

Closes: guix/guix#5004
Change-Id: I03b80af19d809295411b85df491d7423837e6f59
Signed-off-by: 宋文武 <iyzsong@member.fsf.org>

gnu: monado: update to 25.1.0.

* gnu/packages/graphics.scm (monado): Update to 25.1.0.

Change-Id: Idd4bc66f1fd03fb9805647424dec0d5cda8bc123
Signed-off-by: Cayetano Santos <csantosb@inventati.org>

teams: Update team status for Hilton Chain.

* etc/teams.scm (hako): Remove teams.

Change-Id: Ib563d084e2bc2d603c7968e04bed0d222f547a0d