This project implements secure, atomic, trustless secret provisioning with Guix. It works by putting encrypted secrets in the store and by adding a one-shot Shepherd service that decrypts them at startup into a ramfs/tmpfs filesystem. This means that clear-text secrets never hit the disk and that you can (and actually are encouraged to) check in your SOPS secrets in the same version control system you use to track your Guix configurations.
This project aims at providing a community-managed library of Guix services. Code from this channel implements a Guix-native experience for services that are not yet guixable, through OCI-backed Shepherd services. In general it implements the ability to declare a set of OCI volumes, networks and containers and have them provisioned by Guix. This functionality is meant to replace docker compose: it integrates with the Shepherd (Guix System's PID 1), providing a consistent interface to manage OCI containers, and allows users to take advantage of Guix-specific features such as atomic upgrades and rollbacks. This means that, contrary to docker compose, users can always go back to a previous working state in case of problems due to a bad update.
The oci-service-type's API is agnostic to the underlying OCI runtime: currently Docker and rootless Podman are supported.
My staging area for Guix. It holds stuff I plan to upstream somewhere, be it Guix mainline or a community channel like nonguix. Packages and services like the following were born here and, with time, contributed where suitable: Google Chrome, misc K8s stuff, OCI services, subuids and subgids, rootless Podman, Restic-based backups, Guix Home dotfiles.
This package provides a simple Guile interface to .env (or dotenv) files. It implements parsing of such files and setting environment variables from them.
My contributions to the Guix project have mostly revolved around implementing server functionality for the Guix System. They range from automatic backups to declarative configuration of OCI resources such as networks, containers and volumes. The first step to support rootless OCI containers was to implement a declarative interface for subordinate UIDs and subordinate GIDs in Guix. I implemented an allocation algorithm for subid ranges that allows users to avoid thinking about the specifics of subid ranges while still allowing them to request a certain amount of subids. With /etc/subuid and /etc/subgid in place, I was able to submit a patchset implementing rootless Podman support. In this way the OCI declarative interface is able to run containers in an unprivileged fashion.
I worked closely with the core team to implement a quality assurance process. The need was to support development through process improvements, CI and automation scripts directed at stabilizing the Bonfire umbrella app and extension codebases. I implemented a common pipeline for all extensions to guarantee that they all meet the same level of quality, and proposed process improvements aimed at avoiding quality regressions.
Supercharge your event promotion strategy as an organization by automating your social media publishing through an application that can be run on your server, giving you full control and privacy.
A SPARQL module for Guile Scheme to query an RDF store. Additionally, it provides an interface to write SPARQL queries using S-expressions.
Research project with the aim of creating a Rainbow agent (a specific kind of Deep Q-Network) that can accurately collect wooden blocks in Minecraft. It involved agent configuration and training, performance validation through standard metrics, and generating explanations of the adopted policies (i.e. saliency maps).