system: Add the 'system?' field for user groups.

Suggested by Mark H. Weaver.

* gnu/system/shadow.scm (<user-group>)[system?]: New field.
  (%base-groups): Introduce 'system-group' macro, and use it.
* gnu/system.scm (user-group->gexp): Pass the 'system?' field.
* guix/build/activation.scm (add-group): Add #:system? and honor it.
  (activate-users+groups): Handle the 'system?' field.
* gnu/system/file-systems.scm (%tty-gid): Choose an ID below 1000.
* doc/guix.texi (User Accounts): Document the 'system?' field.

doc/guix.texi

@@ -3201,6 +3201,10 @@ The group's name.
 The group identifier (a number).  If @code{#f}, a new number is
 automatically allocated when the group is created.
 
+@item @code{system?} (default: @code{#f})
+This Boolean value indicates whether the group is a ``system'' group.
+System groups have low numerical IDs.
+
 @item @code{password} (default: @code{#f})
 What, user groups can have a password?  Well, apparently yes.  Unless
 @code{#f}, this field specifies the group's password.

gnu/system.scm

@@ -363,7 +363,8 @@ alias ll='ls -l'
 'active-groups'."
   #~(list #$(user-group-name group)
           #$(user-group-password group)
-          #$(user-group-id group)))
+          #$(user-group-id group)
+          #$(user-group-system? group)))
 
 (define (user-account->gexp account)
   "Turn ACCOUNT, a <user-account> object, into a list-valued gexp suitable for

gnu/system/file-systems.scm

@@ -95,7 +95,7 @@
 (define %tty-gid
   ;; ID of the 'tty' group.  Allocate it statically to make it easy to refer
   ;; to it from here and from the 'tty' group definitions.
-  1004)
+  996)
 
 (define %pseudo-terminal-file-system
   ;; The pseudo-terminal file system.  It needs to be mounted so that

gnu/system/shadow.scm

@@ -43,6 +43,7 @@
             user-group-name
             user-group-password
             user-group-id
+            user-group-system?
 
             default-skeletons
             skeleton-directory
@@ -75,28 +76,33 @@
   user-group?
   (name           user-group-name)
   (password       user-group-password (default #f))
-  (id             user-group-id (default #f)))
+  (id             user-group-id (default #f))
+  (system?        user-group-system?              ; Boolean
+                  (default #f)))
 
 (define %base-groups
   ;; Default set of groups.
-  (list (user-group (name "root") (id 0))
+  (let-syntax ((system-group (syntax-rules ()
-        (user-group (name "wheel"))               ; root-like users
+                               ((_ args ...)
-        (user-group (name "users"))               ; normal users
+                                (user-group (system? #t) args ...)))))
-        (user-group (name "nogroup"))             ; for daemons etc.
+    (list (system-group (name "root") (id 0))
+          (system-group (name "wheel"))              ; root-like users
+          (system-group (name "users"))              ; normal users
+          (system-group (name "nogroup"))            ; for daemons etc.
 
-        ;; The following groups are conventionally used by things like udev to
+          ;; The following groups are conventionally used by things like udev to
-        ;; control access to hardware devices.
+          ;; control access to hardware devices.
-        (user-group (name "tty") (id %tty-gid))
+          (system-group (name "tty") (id %tty-gid))
-        (user-group (name "dialout"))
+          (system-group (name "dialout"))
-        (user-group (name "kmem"))
+          (system-group (name "kmem"))
-        (user-group (name "video"))
+          (system-group (name "video"))
-        (user-group (name "audio"))
+          (system-group (name "audio"))
-        (user-group (name "netdev"))              ; used in avahi-dbus.conf
+          (system-group (name "netdev"))             ; used in avahi-dbus.conf
-        (user-group (name "lp"))
+          (system-group (name "lp"))
-        (user-group (name "disk"))
+          (system-group (name "disk"))
-        (user-group (name "floppy"))
+          (system-group (name "floppy"))
-        (user-group (name "cdrom"))
+          (system-group (name "cdrom"))
-        (user-group (name "tape"))))
+          (system-group (name "tape")))))
 
 (define (default-skeletons)
   "Return the default skeleton files for /etc/skel.  These files are copied by

guix/build/activation.scm

@@ -36,13 +36,14 @@
 ;;;
 ;;; Code:
 
-(define* (add-group name #:key gid password
+(define* (add-group name #:key gid password system?
                     (log-port (current-error-port)))
   "Add NAME as a user group, with the given numeric GID if specified."
   ;; Use 'groupadd' from the Shadow package.
   (format log-port "adding group '~a'...~%" name)
   (let ((args `(,@(if gid `("-g" ,(number->string gid)) '())
                 ,@(if password `("-p" ,password) '())
+                ,@(if system? `("--system") '())
                 ,name)))
     (zero? (apply system* "groupadd" args))))
 
@@ -128,9 +129,11 @@ numeric gid or #f."
 
   ;; Then create the groups.
   (for-each (match-lambda
-             ((name password gid)
+             ((name password gid system?)
               (unless (false-if-exception (getgrnam name))
-                (add-group name #:gid gid #:password password))))
+                (add-group name
+                           #:gid gid #:password password
+                           #:system? system?))))
             groups)
 
   ;; Finally create the other user accounts.