第六章 系统配置
第六章:系统配置
6.1 声明式系统配置概述
Guix System 的最大特点是**完全声明式(Declarative)**的系统配置。整个操作系统——从引导加载器到用户账户,从文件系统到网络服务——都由一个 Scheme 文件描述。
/etc/config.scm → guix system reconfigure → 完整的运行系统
(配置文件) (构建命令) (系统状态)
声明式 vs 命令式系统管理
| 特性 | 声明式(Guix System) | 命令式(传统 Linux) |
|---|
| 配置方式 | 编辑一个 Scheme 文件 | 运行各种命令 + 编辑多个配置文件 |
| 可重现性 | ✅ 完全可重现 | ❌ 操作顺序影响结果 |
| 可回滚 | ✅ guix system roll-back | ❌ 需要手动还原 |
| 版本控制 | ✅ 配置文件可 Git 管理 | ⚠️ 分散在多个位置 |
| 新机器部署 | 复制配置文件即可 | 需要编写自动化脚本 |
| 审计 | 配置变更有 Git 历史 | 难以追踪 |
6.2 系统配置文件结构
6.2.1 最小配置示例
;; /etc/config.scm — 最小 Guix System 配置
(use-modules (gnu)
(gnu system))
(use-service-modules networking ssh)
(use-package-modules admin certs)
(operating-system
(host-name "guix-pc")
(timezone "Asia/Shanghai")
(locale "zh_CN.utf8")
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets '("/dev/sda"))
(keyboard-layout (keyboard-layout "cn"))))
(file-systems (cons* (file-system
(device "/dev/sda2")
(mount-point "/")
(type "ext4"))
%base-file-systems))
(packages (append (list nss-certs htop)
%base-packages))
(services (cons* (service dhcp-client-service-type)
%base-services)))
6.2.2 配置文件关键字段
| 字段 | 说明 | 示例 |
|---|
host-name | 主机名 | "guix-pc" |
timezone | 时区 | "Asia/Shanghai" |
locale | 系统 locale | "zh_CN.utf8" |
keyboard-layout | 键盘布局 | (keyboard-layout "cn") |
bootloader | 引导加载器配置 | grub-bootloader |
file-systems | 文件系统列表 | ext4, btrfs, tmpfs 等 |
users | 用户账户 | 用户名、组、Shell 等 |
packages | 系统级包 | vim, git, htop 等 |
services | 系统服务 | sshd, nginx, dhcp 等 |
6.3 引导加载器(Bootloader)
6.3.1 GRUB(BIOS 模式)
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets '("/dev/sda"))
(keyboard-layout (keyboard-layout "us"))))
6.3.2 GRUB-EFI(UEFI 模式)
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout (keyboard-layout "cn"))))
6.3.3 引导加载器对比
| 加载器 | 适用场景 | targets |
|---|
grub-bootloader | 传统 BIOS 启动 | 磁盘设备 /dev/sda |
grub-efi-bootloader | UEFI 启动 | EFI 分区 /boot/efi |
grub-efi-removable-bootloader | 可移动介质 | EFI 分区 |
extlinux-bootloader | 嵌入式 / 简单场景 | 磁盘设备 |
6.4 文件系统(File Systems)
6.4.1 基本文件系统配置
(file-systems
(cons* (file-system
(device "/dev/sda2")
(mount-point "/")
(type "ext4"))
(file-system
(device "/dev/sda1")
(mount-point "/boot/efi")
(type "vfat"))
(file-system
(device "/dev/sda3")
(mount-point "/home")
(type "ext4")
(flags '(relatime)))
%base-file-systems))
6.4.2 UUID 引用
推荐使用 UUID 而非设备名,避免设备编号变化导致问题:
(file-system
(device (uuid "abc12345-6789-def0-1234-567890abcdef"))
(mount-point "/")
(type "ext4"))
;; 对于 vfat 文件系统,使用 UUID 类型
(file-system
(device (uuid "ABCD-1234" 'fat32))
(mount-point "/boot/efi")
(type "vfat"))
6.4.3 常见文件系统类型
| 类型 | 说明 | 特点 |
|---|
ext4 | 第四代扩展文件系统 | 稳定、通用 |
btrfs | B-tree 文件系统 | 快照、压缩、子卷 |
xfs | XFS 文件系统 | 高性能大文件 |
vfat | FAT32 | EFI 分区必需 |
tmpfs | 内存文件系统 | /tmp 默认使用 |
overlayfs | 叠加文件系统 | 容器使用 |
f2fs | Flash-Friendly FS | SSD 优化 |
6.4.4 Btrfs 子卷配置
(file-system
(device (uuid "abc12345-..."))
(mount-point "/")
(type "btrfs")
(options "subvol=@,compress=zstd"))
(file-system
(device (uuid "abc12345-..."))
(mount-point "/home")
(type "btrfs")
(options "subvol=@home,compress=zstd"))
(file-system
(device (uuid "abc12345-..."))
(mount-point "/snapshots")
(type "btrfs")
(options "subvol=@snapshots,compress=zstd"))
6.4.5 Tmpfs 挂载
(file-system
(device "tmpfs")
(mount-point "/tmp")
(type "tmpfs")
(flags '(no-dev no-suid))
(options "size=4G,mode=1777"))
6.4.6 NFS 挂载
(file-system
(device "nas-server:/shared")
(mount-point "/mnt/shared")
(type "nfs")
(flags '(no-dev))
(options "soft,timeo=10,retrans=3"))
6.5 用户管理
6.5.1 用户账户定义
(users
(cons* (user-account
(name "alice")
(comment "Alice Wang")
(group "users")
(home-directory "/home/alice")
(shell (file-append zsh "/bin/zsh"))
(supplementary-groups '("wheel" ; sudo 权限
"netdev" ; 网络设备
"audio" ; 音频
"video" ; 视频
"kvm" ; 虚拟化
"dialout"))) ; 串口
(user-account
(name "deploy")
(comment "Deployment User")
(group "users")
(home-directory "/home/deploy")
(shell (file-append bash "/bin/bash"))
(supplementary-groups '()))
%base-user-accounts))
6.5.2 用户账户字段
| 字段 | 说明 |
|---|
name | 用户名 |
comment | 描述信息(GECOS) |
group | 主组 |
home-directory | 家目录 |
shell | 登录 Shell |
supplementary-groups | 附加组列表 |
uid | 用户 ID(可选,自动分配) |
password | 密码哈希(可选) |
6.5.3 密码管理
;; 方法一:使用密码哈希
(user-account
(name "alice")
;; 使用 mkpasswd 或 openssl passwd -6 生成哈希
(password "$6$abc$XYZ..."))
;; 方法二:交互式设置(推荐)
;; 安装后运行 passwd 命令设置密码
;; 不在配置文件中存储明文密码
# 生成密码哈希
openssl passwd -6
# 输入密码后输出哈希字符串
6.6 网络配置
6.6.1 DHCP 客户端
;; 使用 DHCP 自动获取 IP
(services
(cons* (service dhcp-client-service-type)
%base-services))
6.6.2 静态网络配置
(services
(cons* (service static-networking-service-type
(list (static-networking
(addresses
(list (network-address
(device "eth0")
(value "192.168.1.100/24"))))
(routes
(list (network-route
(destination "default")
(gateway "192.168.1.1"))))
(name-servers '("8.8.8.8" "8.8.4.4")))))
%base-services))
6.6.3 NetworkManager
(use-service-modules networking)
(services
(cons* (service network-manager-service-type)
(service wpa-supplicant-service-type)
%base-services))
6.6.4 防火墙(iptables/nftables)
(services
(cons* (service iptables-service-type
(iptables-configuration
(rules (list
;; 允许 SSH
(iptables-rule
(table "filter")
(chain "INPUT")
(rule "-p tcp --dport 22 -j ACCEPT"))
;; 允许 HTTP
(iptables-rule
(table "filter")
(chain "INPUT")
(rule "-p tcp --dport 80 -j ACCEPT"))
;; 允许 HTTPS
(iptables-rule
(table "filter")
(chain "INPUT")
(rule "-p tcp --dport 443 -j ACCEPT"))
;; 默认拒绝
(iptables-rule
(table "filter")
(chain "INPUT")
(rule "-j DROP"))))))
%base-services))
6.7 完整的桌面系统配置
(use-modules (gnu)
(gnu system nss)
(gnu system locale))
(use-service-modules desktop networking ssh xorg)
(use-package-modules certs gnome admin fonts
version-control shells
text-editors)
(operating-system
(host-name "guix-desktop")
(timezone "Asia/Shanghai")
(locale "zh_CN.utf8")
;; Locale 定义
(locale-definitions
(list (locale-definition (source "zh_CN")
(name "zh_CN.utf8"))
(locale-definition (source "en_US")
(name "en_US.utf8"))))
;; 键盘布局
(keyboard-layout (keyboard-layout "cn" #:options '("ctrl:nocaps")))
;; 引导加载器
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
;; 文件系统
(file-systems (cons* (file-system
(device (uuid "abc12345-..."))
(mount-point "/")
(type "ext4"))
(file-system
(device (uuid "ABCD-1234" 'fat32))
(mount-point "/boot/efi")
(type "vfat"))
%base-file-systems))
;; 用户
(users (cons* (user-account
(name "user")
(comment "Main User")
(group "users")
(home-directory "/home/user")
(shell (file-append zsh "/bin/zsh"))
(supplementary-groups '("wheel" "netdev"
"audio" "video"
"kvm" "lp")))
%base-user-accounts))
;; 系统级软件包
(packages (append (list
;; 基础工具
nss-certs
gvfs ; 文件管理器后端
vim
git
htop
tree
curl
wget
openssh
;; 中文字体
font-google-noto
font-google-noto-serif-cjk
font-google-noto-sans-cjk
font-wqy-microhei
;; GNOME 组件
gnome-terminal
gnome-tweaks)
%base-packages))
;; 系统服务
(services
(append
(list
;; GNOME 桌面环境
(service gnome-desktop-service-type)
;; SSH 服务
(service openssh-service-type
(openssh-configuration
(permit-root-login 'prohibit-password)
(password-authentication? #t)))
;; 网络管理
(service network-manager-service-type)
(service wpa-supplicant-service-type))
;; 修改默认服务
(modify-services %desktop-services
;; 禁用 GDM(如果使用 LightDM 或其他)
;; (delete gdm-service-type)
))))
6.8 服务器系统配置
(use-modules (gnu)
(gnu system nss))
(use-service-modules networking ssh web
databases admin)
(use-package-modules admin certs
version-control python
web databases)
(operating-system
(host-name "prod-server")
(timezone "Asia/Shanghai")
(locale "zh_CN.utf8")
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets '("/dev/sda"))))
(file-systems (cons* (file-system
(device "/dev/sda1")
(mount-point "/")
(type "ext4"))
%base-file-systems))
;; 服务器用户(无 GUI 组)
(users (cons* (user-account
(name "deploy")
(comment "Deploy User")
(group "deploy")
(home-directory "/home/deploy")
(supplementary-groups '("wheel")))
(user-account
(name "www")
(comment "Web Server")
(group "www")
(home-directory "/var/www")
(shell (file-append shadow "/sbin/nologin")))
%base-user-accounts))
(groups (cons* (user-group (name "deploy"))
(user-group (name "www"))
%base-groups))
;; 服务器包(最小化)
(packages (append (list nss-certs
vim git htop
curl wget
openssh)
%base-packages))
;; 服务器服务
(services
(cons*
;; SSH
(service openssh-service-type
(openssh-configuration
(permit-root-login 'prohibit-password)
(password-authentication? #f)
(port-number 22)))
;; Nginx
(service nginx-service-type
(nginx-configuration
(server-blocks
(list (nginx-server-configuration
(server-name '("example.com"))
(root "/var/www/example.com")
(listen '("443 ssl"))
(ssl-certificate "/etc/ssl/certs/example.com.pem")
(ssl-certificate-key "/etc/ssl/private/example.com.key"))))))
;; PostgreSQL
(service postgresql-service-type
(postgresql-configuration
(postgresql postgresql-15)
(port 5432)))
;; 系统日志
(service syslog-service-type)
;; NTP 时间同步
(service ntp-service-type)
%base-services)))
6.9 系统配置管理操作
6.9.1 应用配置
# 应用新的系统配置
sudo guix system reconfigure /etc/config.scm
# 测试配置(不设为默认启动项)
sudo guix system reconfigure /etc/config.scm --no-bootloader
# 仅验证配置(不实际应用)
sudo guix system build /etc/config.scm
6.9.2 系统回滚
# 查看系统 generation
guix system list-generations
# 回滚到上一个系统配置
sudo guix system roll-back
# 切换到特定 generation
sudo guix system switch-generation 3
6.9.3 配置版本控制
# 推荐:将 /etc/config.scm 软链接到 Git 仓库
sudo mkdir -p /etc/guix-config
sudo ln -sf /etc/guix-config/config.scm /etc/config.scm
cd /etc/guix-config
sudo git init
sudo git add config.scm
sudo git commit -m "Initial system configuration"
# 配置变更时
sudo vim /etc/config.scm
sudo git add config.scm
sudo git commit -m "feat: add nginx service"
sudo guix system reconfigure /etc/config.scm
6.10 常见配置模式
6.10.1 配置继承与组合
;; 定义基础服务器配置
(define %base-server-config
(operating-system
(timezone "Asia/Shanghai")
(locale "zh_CN.utf8")
(bootloader ...)
(file-systems ...)
(packages ...)
(services ...)))
;; 扩展为 Web 服务器
(define %web-server
(operating-system
(inherit %base-server-config)
(host-name "web-01")
(services (append
(list (service nginx-service-type ...))
(operating-system-services %base-server-config)))))
;; 扩展为数据库服务器
(define %db-server
(operating-system
(inherit %base-server-config)
(host-name "db-01")
(services (append
(list (service postgresql-service-type ...))
(operating-system-services %base-server-config)))))
6.10.2 使用 G-Expression 动态配置
(use-modules (guix gexp))
;; 在配置中使用表达式
(operating-system
;; ...
(services
(cons* (service openssh-service-type
(openssh-configuration
(port-number
(if (string=? (gethostname) "prod")
2222
22))))
%base-services)))
6.11 配置文件字段速查表
| 任务 | 对应字段/服务 |
|---|
| 设置主机名 | (host-name "name") |
| 设置时区 | (timezone "Asia/Shanghai") |
| 设置语言 | (locale "zh_CN.utf8") |
| UEFI 启动 | (bootloader grub-efi-bootloader) |
| 挂载分区 | (file-systems ...) |
| 创建用户 | (users ...) |
| 安装软件 | (packages ...) |
| SSH 服务 | (service openssh-service-type) |
| Web 服务 | (service nginx-service-type) |
| 数据库 | (service postgresql-service-type) |
| 桌面环境 | (service gnome-desktop-service-type) |
6.12 总结
本章讲解了 Guix System 的声明式配置:
- 配置文件结构——operating-system 各字段含义
- 引导加载器——BIOS 和 UEFI 配置
- 文件系统——ext4、btrfs、tmpfs 等配置
- 用户管理——声明式用户和组定义
- 网络配置——DHCP、静态 IP、防火墙
- 完整示例——桌面和服务器系统配置
- 配置管理——应用、回滚、版本控制
下一章我们将深入服务管理。
扩展阅读