Transfer the sources you need by USB-drive
If you want to build everything from source on an air gapped CI/CD server, you must transfer:
- Updated package definitions (e.g., new Guix commit / channel state)
- All required source code (not binaries)
Step 1: On a networked (twin) machine
- Check for new versions
guix refresh PACKAGE-NAME
This will update the local package definition in your channel checkout (if you're maintaining your own channels or overlay packages).
- Build the package to pull source code into the store
guix build --source PACKAGE-NAME
This ensures that all source tarballs and patches are downloaded and cached.
- Export source code and channel state
Export the source derivation (not the binaries!):
guix archive --export -r $(guix build --source PACKAGE-NAME) > sources.nar
Also export the updated Guix channels or commit used:
guix describe --format=channels > channels.scm
Step 2: Transfer to the air-gapped CI/CD server
Copy the following files via USB or other air-gap-compliant method:
- sources.nar (the archive of source derivations)
- channels.scm (to sync channel state)
- Optionally: your custom channel checkout (if using overlays)
Step 3: On the CI/CD server
- Sync channel state
guix time-machine -C channels.scm -- build PACKAGE-NAME
Or, if you want to pull into your main Guix:
guix pull --channels=channels.scm
- Import the sources
guix archive --import < sources.nar
Now the CI/CD server has all it needs to build the package from source without network access.
Optional: Preload additional sources or dependencies
To avoid surprises, you may want to pre-fetch all sources recursively:
guix build --sources=transitive PACKAGE-NAME guix archive --export -r $(guix build --sources=transitive PACKAGE-NAME) > all-sources.nar
This ensures no source fetch attempts will occur during CI builds.
