Ryan Campbellhttps://campbellr.ca/feeds/tags/proxmox.xmlTag: proxmox2026-05-01T02:12:19ZInstalling Guix System on Proxmox LXChttps://campbellr.ca/blog/installing-guix-system-on-proxmox-lxc.htmlRyan Campbell2026-04-26T16:00:00Z<p>I use <a href="https://www.proxmox.com/en/">Proxmox</a> for hosting most of my personal
services, and since I've been writing a lot of <a href="https://www.gnu.org/software/guile/">Guile
Scheme</a> lately, I wanted a lightweight
Guix System container for hosting <a href="/projects/scrap.html">scrap</a>.</p><p>Specifically, I want a fully working Guix System inside an unprivileged LXC
container that behaves as close to a bare-metal install as possible. It's not
enough to just have a static image, <code>guix system reconfigure</code> and everything
else should work from inside the container.</p><p>There's not a lot of good information on how to do this, and what does exist
seems to be a bit stale.</p><p>It turned out to be <em>much</em> more work than I had anticipated.</p><p>Posting this all here for my future self, or in the off chance that someone
else stumbles upon this while trying to solve the same problem.</p><h2>Problem 1: Guix doesn't do FHS</h2><p>This isn't a surprise, and isn't really a <em>problem</em>, but it does mean that the
default Proxmox LXC configuration doesn't know how to boot a standard guix
image.</p><p>Most guides for running Guix in LXC (including <a href="https://www.thedroneely.com/posts/guix-in-a-linux-container/">this otherwise excellent
one</a>) hardcode
specific <code>/gnu/store/...</code> paths in the container config. They set
<code>lxc.init.cmd</code> to something like:</p><pre><code>/gnu/store/vbcdwklck7cd28j4jv9wchfw60abivfd-guile-3.0.9/bin/guile \
/gnu/store/hgi3i9ydjhi5bxnpz7zmzaqn60iw3ak1-boot</code></pre><p>This works fine, particularly if you are just spinning up a one-off container.</p><p>But it is something you need to remember to edit in <code>/etc/pve/lxc/<CTID>.conf</code>
<em>every time you spin up a new container</em>.</p><p>And as soon as you run <code>guix system reconfigure</code>, or update the
daemon and the store gets garbage collected -- the container refuses to start.</p><p><strong>Fix:</strong> use <code>program-file</code> to build a small Guile script that resolves
<code>/var/guix/profiles/system</code> at boot time, sets <code>GUIX_NEW_SYSTEM</code>, and <code>execl</code>s
the correct Shepherd boot script. Then use <code>special-files-service-type</code> to
symlink it to <code>/sbin/init</code>:</p><pre><code><span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%lxc-special-files</span>
<span class="syntax-symbol">`</span><span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-string">"/sbin/init"</span>
<span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">program-file</span> <span class="syntax-string">"lxc-init"</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-special">begin</span>
<span class="syntax-open">(</span><span class="syntax-symbol">setenv</span> <span class="syntax-string">"HOME"</span> <span class="syntax-string">"/root"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">let*</span> <span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-symbol">system</span> <span class="syntax-open">(</span><span class="syntax-symbol">canonicalize-path</span>
<span class="syntax-string">"/var/guix/profiles/system"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guile</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">system</span>
<span class="syntax-string">"/profile/bin/guile"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">boot</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">system</span> <span class="syntax-string">"/boot"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">setenv</span> <span class="syntax-string">"GUIX_NEW_SYSTEM"</span> <span class="syntax-symbol">system</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">execl</span> <span class="syntax-symbol">guile</span> <span class="syntax-string">"guile"</span> <span class="syntax-symbol">boot</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"/bin/sh"</span> <span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">bash</span> <span class="syntax-string">"/bin/sh"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"/usr/bin/env"</span> <span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">coreutils</span> <span class="syntax-string">"/bin/env"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>From the outside the container now looks like any FHS-compatible distro:
Proxmox execs <code>/sbin/init</code>, which always resolves the <em>current</em> generation.
Reconfigure changes the profile symlink, and the next boot picks it up
automatically.</p><p><strong>Catch:</strong> <code>special-files-service-type</code> creates these symlinks during
activation. Activation runs <em>after</em> PID 1 starts. PID 1 <em>is</em> <code>/sbin/init</code>. So
on first boot, <code>/sbin/init</code> needs to exist before the thing that creates it can
run, which is a bit of chicken-and-egg situation.</p><p>We work around <em>that</em> by manually injecting a stub that gets replaced on first
boot.</p><h2>Problem 2: <code>guix system init</code> doesn't work in 2026 (for container images)</h2><p>Most instructions on the web suggest using <code>guix system init</code>. But
unfortunately as of 2026, it can no longer produce a usable LXC rootfs due to
the addition of some extra checks that require a valid filesystem, so filling
it in with a "dummy" filesystem fails.</p><p>The problem:</p><ol><li><p><code>store-file-system</code> (in <code>gnu/system.scm</code>) filters <code>file-systems</code> for
<code>(mount? #t)</code> and crashes with a match error if the result is empty. Any
<code>(mount? #f)</code> dummy root crashes before it does anything useful.</p></li><li><p>With <code>(mount? #t)</code>, <code>check-file-system-availability</code> tries to <code>stat()</code> the
device or look up the partition label against the <em>host's</em> block devices at
build-time. Nothing works: <code>/dev/null</code> errors, made-up paths error, labels
don't exist on the host.</p></li><li><p>Even past those checks, shepherd unconditionally calls <code>mount(2)</code> for every
<code>(mount? #t)</code> file-system. The container's <code>/</code> is already mounted by LXC --
it would either be clobbered (tmpfs) or the syscall would fail.</p></li></ol><p>There doesn't seem to be any way to provide a dummy/stub filesystem that will
satisfy <code>guix system init</code>.</p><p><strong>Fix:</strong> use <code>guix system image -t tarball</code> instead. It builds in a sandbox
where the root filesystem is synthesized (<code>image->root-file-system</code> in
<code>gnu/system/image.scm</code> rewrites the root type to <code>"dummy"</code>), so the host's
block devices never get involved.</p><p>We do still declare a root filesystem with <code>(mount-may-fail? #t)</code> in the config
because at boot shepherd will attempt the mount, fail (the host filesystem
isn't labelled <code>Guix</code>), and we don't want that to abort boot.</p><p>Why <code>tarball</code> and not <code>docker</code>? <code>image -t docker</code> applies
<code>containerized-operating-system</code> automatically -- it swaps the kernel, drops
console services, replaces networking with <code>dummy-networking-service-type</code>, and
wraps the output in a docker manifest.</p><p>That's too docker-specific though (as you would expect from the name). It
strips things we might actually want (like <code>/dev/shm</code> and <code>/gnu/store</code> mounts
that work fine in unprivileged LXC) and adds a manifest wrapper we'd have to
discard. <code>tarball</code> emits a flat rootfs directly usable by <code>pct create</code>.</p><p>So we have to replicate the relevant subset of <code>containerized-operating-system</code> by
hand.</p><h2>Problem 3: Hardware-related services need to be removed</h2><p>There are a bunch of things that aren't relevant to a container (firmware,
kernel, hardware-related services, etc...) that we have to remove:</p><ul><li><code>firmware-service-type</code> -- activation fails because <code>/proc</code> and <code>/sys</code> are
partially masked</li><li><code>%linux-bare-metal-service</code> -- tries to run <code>modprobe</code> etc.</li><li><code>host-name-service-type</code> -- would clobber the hostname Proxmox injects via
<code>lxc.uts.name</code></li><li><code>hosts-service-type</code> -- creates a read-only <code>/etc/hosts</code> with the "wrong"
hostname -- we want to pick up the hostname provided by Proxmox/LXC</li></ul><p><strong>Fix:</strong> delete them from <code>essential-services</code> using <code>modify-services</code>:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">essential-services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">modify-services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system-default-essential-services</span> <span class="syntax-symbol">this-operating-system</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">firmware-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-open">(</span><span class="syntax-symbol">service-kind</span> <span class="syntax-symbol">%linux-bare-metal-service</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">host-name-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">hosts-service-type</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>We also stub out <code>kernel</code>, <code>firmware</code>, and <code>initrd-modules</code>.</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-open">(</span><span class="syntax-symbol">firmware</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">initrd-modules</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">kernel</span> <span class="syntax-symbol">hello</span><span class="syntax-close">)</span>
</code></pre><p>Deleting <code>host-name-service-type</code> causes more problems though: agetty's
shepherd service hardcodes <code>host-name</code> as a requirement. Without something
providing it, agetty won't start. So we have to replace it with a dummy service:</p><pre><code><span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%dummy-host-name</span>
<span class="syntax-open">(</span><span class="syntax-symbol">simple-service</span> <span class="syntax-symbol">'dummy-host-name</span> <span class="syntax-symbol">shepherd-root-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-service</span>
<span class="syntax-open">(</span><span class="syntax-symbol">provision</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">host-name</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">one-shot?</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">start</span> <span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-symbol">const</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>We also need <code>(chroot? #f)</code> on <code>guix-service-type</code> if we want to use
unpriviledged containers, because unprivileged can't use <code>chroot()</code> and the
various mounts the daemon's build sandbox uses.</p><h2>Problem 4: <code>%base-file-systems</code></h2><p>You can't use <code>%base-file-systems</code> wholesale.</p><p><strong><code>%debug-file-system</code></strong> (debugfs at <code>/sys/kernel/debug</code>) -- mount gets blocked
by LXC and fails the shepherd service. That blocks the rest of the boot, which
blocks the rest of the boot process.</p><p><strong><code>%pseudo-terminal-file-system</code></strong> (devpts at <code>/dev/pts</code>) -- PVE pre-mounts a
healthy devpts with <code>ptmxmode=666</code> before PID 1 starts. Guix then mounts
<em>another</em> devpts on top with <code>ptmxmode=000</code>. Both succeed, but devpts has
per-instance slave-node namespaces. <code>/dev/ptmx</code> allocates PTYs on LXC's
instance; <code>/dev/pts/</code> now shows Guix's instance where those slaves don't exist.
<code>openpty(3)</code> returns ENOENT and sshd reports <code>PTY allocation request failed on channel 0</code> when you attempt to SSH into the container or use <code>pct console</code></p><p><strong><code>%efivars-file-system</code></strong> -- harmless (has <code>mount-may-fail?</code>), but pointless
in a container.</p><p><strong>Fix:</strong> declare a minimal set of file systems explicitly. We only really need
<code>%immutable-store</code> and <code>%shared-memory-file-system</code> (and even the latter is
questionable, but it doesn't cause any problems):</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">file-systems</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-system</span>
<span class="syntax-open">(</span><span class="syntax-symbol">device</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-system-label</span> <span class="syntax-string">"Guix"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mount-point</span> <span class="syntax-string">"/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">type</span> <span class="syntax-string">"ext4"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mount-may-fail?</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">check?</span> <span class="syntax-symbol">#f</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-symbol">%shared-memory-file-system</span>
<span class="syntax-symbol">%immutable-store</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h2>Problem 5: mingetty doesn't work on <code>pct console</code></h2><p>I initially tried to use <code>mingetty-service-type</code> for the console login. Two problems:</p><ol><li><p>mingetty's <code>login-program</code> defaults to <code>#f</code>, which resolves to the
compile-time default <code>/bin/login</code>. That obviously doesn't exist on Guix.
(agetty defaults to <code>(file-append shadow "/bin/login")</code>, which works). This
might be worth filing as a Guix bug...</p></li><li><p>Even after fixing that, every login attempt produced <code>tty1: too long login name</code>. At this point I was getting too exhausted to dig into exactly why,
so it's still a mystery.</p></li></ol><p><strong>Fix:</strong> use <code>agetty-service-type</code>. It seems to "Just Work", is what
<code>%base-services</code> uses on bare metal anyway. I can't even remember why I
initially picked mingetty. I probably just copied it from another LXC example...</p><h2>Problem 6: <code>guix system reconfigure</code> fails inside the container</h2><p>Once I finally got a working container, I struggled a bit getting <code>guix system reconfigure</code> to work:</p><ul><li><p><strong><code>--skip-checks</code> needed:</strong> <code>check-file-system-availability</code> walks
<code>/proc/partitions</code> looking for a block device with the fake/dummy <code>Guix</code> label.
Inside the LXC container, <code>/proc/partitions</code> shows the <em>host's</em> block devices
but the container's <code>/dev/</code> is its own tmpfs, so every probe fails. The
template build doesn't hit this because <code>image -t tarball</code> rewrites the root
type to <code>"dummy"</code> in its sandbox; <code>reconfigure</code> reads the config as-is.</p></li><li><p><strong><code>--no-bootloader</code> needed:</strong> grub-install inspects the host's mount table,
finds PVE's ZFS subvolume name, and can't canonicalize it from inside the
container. The template build doesn't hit this because <code>image -t tarball</code>
skips the bootloader installer entirely.</p></li></ul><p><strong>Fix:</strong></p><pre><code>sudo -i guix system reconfigure --skip-checks --no-bootloader /etc/config.scm</code></pre><h2>The End Result</h2><p>This is the <code>config.scm</code> I ended up with</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">system</span> <span class="syntax-symbol">locale</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">system</span> <span class="syntax-symbol">shadow</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">channels</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">gexp</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">packages</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">download</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">use-service-modules</span> <span class="syntax-symbol">networking</span> <span class="syntax-symbol">ssh</span> <span class="syntax-symbol">admin</span> <span class="syntax-symbol">shepherd</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">use-package-modules</span> <span class="syntax-symbol">ssh</span> <span class="syntax-symbol">bash</span> <span class="syntax-symbol">package-management</span> <span class="syntax-symbol">admin</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%lxc-special-files</span>
<span class="syntax-symbol">`</span><span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-string">"/sbin/init"</span>
<span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">program-file</span> <span class="syntax-string">"lxc-init"</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-special">begin</span>
<span class="syntax-open">(</span><span class="syntax-symbol">setenv</span> <span class="syntax-string">"HOME"</span> <span class="syntax-string">"/root"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">let*</span> <span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-symbol">system</span> <span class="syntax-open">(</span><span class="syntax-symbol">canonicalize-path</span>
<span class="syntax-string">"/var/guix/profiles/system"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guile</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">system</span>
<span class="syntax-string">"/profile/bin/guile"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">boot</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">system</span> <span class="syntax-string">"/boot"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">setenv</span> <span class="syntax-string">"GUIX_NEW_SYSTEM"</span> <span class="syntax-symbol">system</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">execl</span> <span class="syntax-symbol">guile</span> <span class="syntax-string">"guile"</span> <span class="syntax-symbol">boot</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"/bin/sh"</span> <span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">bash</span> <span class="syntax-string">"/bin/sh"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"/usr/bin/env"</span> <span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">coreutils</span> <span class="syntax-string">"/bin/env"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%dynamic-hosts</span>
<span class="syntax-open">(</span><span class="syntax-symbol">simple-service</span> <span class="syntax-symbol">'dynamic-hosts-file</span> <span class="syntax-symbol">activation-service-type</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-special">let</span> <span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-symbol">hostname</span> <span class="syntax-open">(</span><span class="syntax-symbol">gethostname</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">call-with-output-file</span> <span class="syntax-string">"/etc/hosts"</span>
<span class="syntax-open">(</span><span class="syntax-special">lambda</span> <span class="syntax-open">(</span><span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-string">"127.0.0.1 localhost\n"</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-string">"::1 localhost\n"</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span>
<span class="syntax-string">"127.0.1.1 "</span> <span class="syntax-symbol">hostname</span> <span class="syntax-string">"\n"</span><span class="syntax-close">)</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%dummy-host-name</span>
<span class="syntax-open">(</span><span class="syntax-symbol">simple-service</span> <span class="syntax-symbol">'dummy-host-name</span> <span class="syntax-symbol">shepherd-root-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-service</span>
<span class="syntax-open">(</span><span class="syntax-symbol">documentation</span> <span class="syntax-string">"No-op host-name service for LXC."</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">provision</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">host-name</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">one-shot?</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">start</span> <span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-symbol">const</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-open">(</span><span class="syntax-symbol">host-name</span> <span class="syntax-string">"localhost"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">timezone</span> <span class="syntax-string">"America/Edmonton"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">locale</span> <span class="syntax-string">"en_US.utf8"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">firmware</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">initrd-modules</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">kernel</span> <span class="syntax-symbol">hello</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">packages</span> <span class="syntax-open">(</span><span class="syntax-symbol">cons*</span> <span class="syntax-symbol">guix</span> <span class="syntax-symbol">sudo</span> <span class="syntax-symbol">%base-packages</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">users</span> <span class="syntax-open">(</span><span class="syntax-symbol">cons*</span> <span class="syntax-open">(</span><span class="syntax-symbol">user-account</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-string">"ryan"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">comment</span> <span class="syntax-string">"Ryan"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">supplementary-groups</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"wheel"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">home-directory</span> <span class="syntax-string">"/home/ryan"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">password</span> <span class="syntax-string">"$6$..."</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-comment">;; mkpasswd -m sha-512
</span> <span class="syntax-symbol">%base-user-accounts</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">essential-services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">modify-services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system-default-essential-services</span> <span class="syntax-symbol">this-operating-system</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">firmware-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-open">(</span><span class="syntax-symbol">service-kind</span> <span class="syntax-symbol">%linux-bare-metal-service</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">host-name-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">delete</span> <span class="syntax-symbol">hosts-service-type</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">locale-definitions</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">locale-definition</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-string">"en_US.utf8"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">source</span> <span class="syntax-string">"en_US"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">charset</span> <span class="syntax-string">"UTF-8"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">bootloader</span>
<span class="syntax-open">(</span><span class="syntax-symbol">bootloader-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">bootloader</span> <span class="syntax-symbol">grub-bootloader</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">targets</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"/dev/null"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file-systems</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-system</span>
<span class="syntax-open">(</span><span class="syntax-symbol">device</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-system-label</span> <span class="syntax-string">"Guix"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mount-point</span> <span class="syntax-string">"/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">type</span> <span class="syntax-string">"ext4"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mount-may-fail?</span> <span class="syntax-symbol">#t</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">check?</span> <span class="syntax-symbol">#f</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-symbol">%shared-memory-file-system</span>
<span class="syntax-symbol">%immutable-store</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dhcpcd-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">syslog-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">agetty-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">agetty-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">tty</span> <span class="syntax-string">"tty1"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">term</span> <span class="syntax-string">"linux"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">extra-options</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"-L"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">user-processes</span> <span class="syntax-symbol">udev</span> <span class="syntax-symbol">syslogd</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">login-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">guix-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">guix-configuration</span> <span class="syntax-open">(</span><span class="syntax-symbol">chroot?</span> <span class="syntax-symbol">#f</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">static-networking-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">%loopback-static-networking</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">special-files-service-type</span> <span class="syntax-symbol">%lxc-special-files</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">udev-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">udev-configuration</span> <span class="syntax-open">(</span><span class="syntax-symbol">rules</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-symbol">%dynamic-hosts</span>
<span class="syntax-symbol">%dummy-host-name</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">openssh-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">openssh-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">password-authentication?</span> <span class="syntax-symbol">#f</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">authorized-keys</span>
<span class="syntax-symbol">`</span><span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-string">"ryan"</span> <span class="syntax-symbol">,</span><span class="syntax-open">(</span><span class="syntax-symbol">local-file</span> <span class="syntax-string">"keys/ryan.pub"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>We can build it with:</p><pre><code>guix system image -t tarball config.scm</code></pre><p>Unfortunately, as mentioned above, we can't use the image as-is.</p><p>The tarball from <code>guix system image</code> doesn't have <code>/sbin/init</code>, <code>/bin/sh</code>, or
<code>/usr/bin/env</code> because activation hasn't run yet (see Problem 1). Since we're
already messing with the image, we also want to inject the source <code>config.scm</code>
so reconfigure works out of the box without having to manually <code>scp</code> it over
later.</p><p>Here's the shell script that handles it:</p><pre><code>#!/usr/bin/env bash
set -euo pipefail
CONFIG=config.scm
OUTPUT=guix-lxc-template.tar.zst
BUILDDIR=build
# 1. Build the rootfs tarball.
image_path=$(guix system image -t tarball "$CONFIG")
# 2. Decompress and extract.
rm -rf "$BUILDDIR/rootfs"
mkdir -p "$BUILDDIR/rootfs"
case "$image_path" in
*.tar.gz) gzip -dc "$image_path" | tar -xC "$BUILDDIR/rootfs" ;;
*.tar.xz) xz -dc "$image_path" | tar -xC "$BUILDDIR/rootfs" ;;
*.tar.zst) zstd -dc "$image_path" | tar -xC "$BUILDDIR/rootfs" ;;
*.tar) tar -xf "$image_path" -C "$BUILDDIR/rootfs" ;;
*) echo "unexpected extension: $image_path"; exit 1 ;;
esac
# 3. Seed /sbin/init, /bin/sh, /usr/bin/env.
# The activation script in the store contains the link targets.
# Parse them out and create the symlinks directly in the rootfs.
activate=$(find "$BUILDDIR/rootfs/gnu/store" -name '*-activate-service.scm' \
-exec grep -l activate-special-files {} + | head -1)
if [ -z "$activate" ]; then
echo "no activate-special-files script found"; exit 1
fi
# Extract pairs: "/sbin/init" "/gnu/store/...-lxc-init" etc.
grep -oP '"/([^"]+)"\s+"/gnu/store/[^"]+"' "$activate" |
while read -r line; do
link=$(echo "$line" | grep -oP '^"/[^"]+"' | tr -d '"')
target=$(echo "$line" | grep -oP '"/gnu/store/[^"]+"' | tr -d '"')
dest="$BUILDDIR/rootfs${link}"
mkdir -p "$(dirname "$dest")"
ln -sf "$target" "$dest"
echo " $link -> $target"
done
# 4. Inject config.scm for in-container reconfigure.
cp "$CONFIG" "$BUILDDIR/rootfs/etc/config.scm"
chmod 600 "$BUILDDIR/rootfs/etc/config.scm"
# 5. Repack as zstd with root ownership, because zstd is better than gzip.
ZSTD_CLEVEL=19 tar -C "$BUILDDIR/rootfs" --zstd \
--numeric-owner --owner=0 --group=0 -cf "$OUTPUT" .
echo "Built $OUTPUT ($(du -h "$OUTPUT" | cut -f1))"</code></pre><p>Deploy to Proxmox:</p><pre><code>scp guix-lxc-template.tar.zst <proxmox-host>:/var/lib/vz/template/cache/
pct create <vmid> local:vztmpl/guix-lxc-template.tar.zst \
--hostname guix \
--rootfs local-zfs:20 \
--memory 2048 \
--net0 name=eth0,bridge=vmbr0,ip=dhcp,ip6=auto \
--features nesting=1,keyctl=1 \
--ostype unmanaged \
--unprivileged 1</code></pre><p><code>ostype unmanaged</code> because Proxmox doesn't know about Guix.</p><p><code>nesting=1</code> relaxes user-namespace restrictions enough for shepherd,
guix-daemon, and activation.</p><p>As I'm writing this I'm realizing that I didn't even confirm whether or not
either <code>nesting=1</code> or <code>keyctl=1</code> is required after setting <code>(chroot #f)</code>. I'll
have to revisit that.</p><h2>Niceties</h2><p>A few optional but handy things in the config:</p><ul><li><p><strong>DHCP inside the container</strong> via <code>dhcpcd-service-type</code>.</p></li><li><p><strong>Dynamic <code>/etc/hosts</code></strong> generated from the Proxmox-assigned hostname at
boot, rather than hardcoding a hostname in <code>config.scm</code>:</p><pre><code><span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%dynamic-hosts</span>
<span class="syntax-open">(</span><span class="syntax-symbol">simple-service</span> <span class="syntax-symbol">'dynamic-hosts-file</span> <span class="syntax-symbol">activation-service-type</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-special">let</span> <span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-symbol">hostname</span> <span class="syntax-open">(</span><span class="syntax-symbol">gethostname</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">call-with-output-file</span> <span class="syntax-string">"/etc/hosts"</span>
<span class="syntax-open">(</span><span class="syntax-special">lambda</span> <span class="syntax-open">(</span><span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-string">"127.0.0.1 localhost\n"</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-string">"::1 localhost\n"</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">display</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span>
<span class="syntax-string">"127.0.1.1 "</span> <span class="syntax-symbol">hostname</span> <span class="syntax-string">"\n"</span><span class="syntax-close">)</span> <span class="syntax-symbol">port</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre></li><li><p><strong>SSH public keys from SourceHut</strong> at build time so that we don't have to
manage key files manually.</p></li></ul><h2>References</h2><ul><li><a href="https://www.thedroneely.com/posts/guix-in-a-linux-container/">Guix in a Linux Container -- Thedro Neely</a> -- the article that got me started</li><li><a href="https://lists.gnu.org/archive/html/guix-devel/2017-06/msg00078.html">GuixSD in LXD -- Eddy Pronk</a> -- 2017 thread exploring /sbin/init shims</li><li><a href="https://lists.gnu.org/archive/html/help-guix/2025-09/msg00128.html">Init command setup for Incus</a> -- Sept 2025, still manually updating store hashes</li><li><a href="https://lists.gnu.org/archive/html/help-guix/2025-11/msg00020.html">System containers workflow</a> -- Nov 2025, the immutable rebuild-and-replace default</li><li><a href="https://lists.gnu.org/archive/html/help-guix/2018-10/msg00057.html">AppArmor and guix-daemon</a></li><li><a href="https://pve.proxmox.com/wiki/Linux_Container">Proxmox LXC documentation</a></li></ul>